Posted to commits@cxf.apache.org by as...@apache.org on 2014/07/23 14:03:12 UTC
git commit: Backported [CXF-5652]
Repository: cxf
Updated Branches:
refs/heads/2.7.x-fixes 4d7fc38d6 -> 10199c1e3
Backported [CXF-5652]
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/10199c1e
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/10199c1e
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/10199c1e
Branch: refs/heads/2.7.x-fixes
Commit: 10199c1e35b9e286ce63631a0aeff63a8bc6abf2
Parents: 4d7fc38
Author: Andrei Shakirin <an...@gmail.com>
Authored: Wed Jul 23 14:02:59 2014 +0200
Committer: Andrei Shakirin <an...@gmail.com>
Committed: Wed Jul 23 14:02:59 2014 +0200
----------------------------------------------------------------------
.../apache/cxf/configuration/jsse/SSLUtils.java | 126 +++++++++++++------
.../https/HttpsURLConnectionFactory.java | 3 +
2 files changed, 90 insertions(+), 39 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/10199c1e/api/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java
----------------------------------------------------------------------
diff --git a/api/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java b/api/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java
index aaa58f3..2918cec 100644
--- a/api/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java
+++ b/api/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java
@@ -61,6 +61,8 @@ public final class SSLUtils {
private static final String DEFAULT_TRUST_STORE_TYPE = "JKS";
private static final String DEFAULT_SECURE_SOCKET_PROTOCOL = "TLSv1";
private static final String CERTIFICATE_FACTORY_TYPE = "X.509";
+
+ private static final String HTTPS_CIPHER_SUITES = "https.cipherSuites";
private static final boolean DEFAULT_REQUIRE_CLIENT_AUTHENTICATION = false;
private static final boolean DEFAULT_WANT_CLIENT_AUTHENTICATION = true;
@@ -144,6 +146,35 @@ public final class SSLUtils {
return keystoreManagers;
}
+ public static KeyManager[] getDefaultKeyStoreManagers(Logger log) {
+ String location = getKeystore(null, log);
+ String keyStorePassword = getKeystorePassword(null, log);
+ String keyPassword = getKeyPassword(null, log);
+ FileInputStream fis = null;
+
+ try {
+ KeyManagerFactory kmf =
+ KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+ KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
+
+ fis = new FileInputStream(location);
+ ks.load(fis, (keyStorePassword != null) ? keyStorePassword.toCharArray() : null);
+ kmf.init(ks, (keyPassword != null) ? keyPassword.toCharArray() : null);
+ return kmf.getKeyManagers();
+ } catch (Exception e) {
+ log.warning("Default key managers cannot be initialized: " + e.getMessage());
+ return null;
+ } finally {
+ if (fis != null) {
+ try {
+ fis.close();
+ } catch (IOException e) {
+ log.warning("Keystore stream cannot be closed: " + e.getMessage());
+ }
+ }
+ }
+ }
+
public static KeyManager[] loadKeyStore(KeyManagerFactory kmf,
KeyStore ks,
ByteArrayInputStream bin,
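Review bot: A keystore that is configured but cannot be opened is reduced at L56-L58 to a warning carrying only `e.getMessage()` and a null return, so the caller proceeds with no client identity and the real cause (wrong password, unreadable or wrongly typed file) is lost with the stack trace. The unconfigured case is folded into the same path: if `getKeystore` yields null when nothing is set (its body is outside the hunk), `new FileInputStream(location)` throws and the same warning is emitted on every call. Return early for the unconfigured case, `if (location == null) { return null; }`, and keep the throwable for a genuine failure, `log.log(Level.WARNING, "Default key managers cannot be initialized", e);`. The store type is also fixed to `KeyStore.getDefaultType()` while path and passwords come from the configuration helpers; if those helpers expose a store type as well, it should be honored here, otherwise a non-default keystore fails to load for no visible reason.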
@@ -402,53 +433,70 @@ public final class SSLUtils {
String[] cipherSuites = null;
if (!(cipherSuitesList == null || cipherSuitesList.isEmpty())) {
cipherSuites = getCiphersFromList(cipherSuitesList, log, exclude);
- } else {
- LogUtils.log(log, Level.FINE, "CIPHERSUITES_NOT_SET");
- if (filters == null) {
- LogUtils.log(log, Level.FINE, "CIPHERSUITE_FILTERS_NOT_SET");
+ return cipherSuites;
+ }
+ if (!exclude) {
+ cipherSuites = getSystemCiphersuites(log);
+ if (cipherSuites != null) {
+ return cipherSuites;
}
- List<String> filteredCipherSuites = new ArrayList<String>();
- List<String> excludedCipherSuites = new ArrayList<String>();
- List<Pattern> includes =
- filters != null
+ }
+ LogUtils.log(log, Level.FINE, "CIPHERSUITES_NOT_SET");
+ if (filters == null) {
+ LogUtils.log(log, Level.FINE, "CIPHERSUITE_FILTERS_NOT_SET");
+ }
+ List<String> filteredCipherSuites = new ArrayList<String>();
+ List<String> excludedCipherSuites = new ArrayList<String>();
+ List<Pattern> includes =
+ filters != null
? compileRegexPatterns(filters.getInclude(), true, log)
: compileRegexPatterns(DEFAULT_CIPHERSUITE_FILTERS_INCLUDE, true, log);
- List<Pattern> excludes =
- filters != null
+ List<Pattern> excludes =
+ filters != null
? compileRegexPatterns(filters.getExclude(), false, log)
: compileRegexPatterns(DEFAULT_CIPHERSUITE_FILTERS_EXCLUDE, true, log);
- for (int i = 0; i < supportedCipherSuites.length; i++) {
- if (matchesOneOf(supportedCipherSuites[i], includes)
- && !matchesOneOf(supportedCipherSuites[i], excludes)) {
- LogUtils.log(log,
- Level.FINE,
- "CIPHERSUITE_INCLUDED",
- supportedCipherSuites[i]);
- filteredCipherSuites.add(supportedCipherSuites[i]);
- } else {
- LogUtils.log(log,
- Level.FINE,
- "CIPHERSUITE_EXCLUDED",
- supportedCipherSuites[i]);
- excludedCipherSuites.add(supportedCipherSuites[i]);
- }
- }
- LogUtils.log(log,
- Level.FINE,
- "CIPHERSUITES_FILTERED",
- filteredCipherSuites);
- LogUtils.log(log,
- Level.FINE,
- "CIPHERSUITES_EXCLUDED",
- excludedCipherSuites);
- if (exclude) {
- cipherSuites = getCiphersFromList(excludedCipherSuites, log, exclude);
+ for (int i = 0; i < supportedCipherSuites.length; i++) {
+ if (matchesOneOf(supportedCipherSuites[i], includes)
+ && !matchesOneOf(supportedCipherSuites[i], excludes)) {
+ LogUtils.log(log,
+ Level.FINE,
+ "CIPHERSUITE_INCLUDED",
+ supportedCipherSuites[i]);
+ filteredCipherSuites.add(supportedCipherSuites[i]);
} else {
- cipherSuites = getCiphersFromList(filteredCipherSuites, log, exclude);
+ LogUtils.log(log,
+ Level.FINE,
+ "CIPHERSUITE_EXCLUDED",
+ supportedCipherSuites[i]);
+ excludedCipherSuites.add(supportedCipherSuites[i]);
}
- }
+ }
+ LogUtils.log(log,
+ Level.FINE,
+ "CIPHERSUITES_FILTERED",
+ filteredCipherSuites);
+ LogUtils.log(log,
+ Level.FINE,
+ "CIPHERSUITES_EXCLUDED",
+ excludedCipherSuites);
+ if (exclude) {
+ cipherSuites = getCiphersFromList(excludedCipherSuites, log, exclude);
+ } else {
+ cipherSuites = getCiphersFromList(filteredCipherSuites, log, exclude);
+ }
return cipherSuites;
- }
+ }
+
+ private static String[] getSystemCiphersuites(Logger log) {
+ String jvmCipherSuites = System.getProperty(HTTPS_CIPHER_SUITES);
+ if ((jvmCipherSuites != null) && (!jvmCipherSuites.isEmpty())) {
+ LogUtils.log(log, Level.FINE, "CIPHERSUITES_SYSTEM_PROPERTY_SET", jvmCipherSuites);
+ return jvmCipherSuites.split(",");
+ } else {
+ return null;
+ }
+
+ }
private static List<Pattern> compileRegexPatterns(List<String> regexes,
boolean include,
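Review bot: The `https.cipherSuites` list returned at L84-L86 is handed back verbatim, bypassing both the configured `filters` and the default include/exclude patterns applied at L99-L108, so an explicit CXF filter configuration is silently overridden by a JVM-wide property and any suite named in it is passed through unfiltered. The `split(",")` at L174 also keeps whitespace, so a value such as `A, B` yields ` B`, which will not match a JSSE suite name and will presumably be rejected when the caller enables it. At minimum trim each entry and drop empties, and log above FINE when the property wins over a non-null `filters` so the override is visible to operators. The enclosing method's signature is above the hunk.
```java
private static String[] getSystemCiphersuites(Logger log) {
    String jvmCipherSuites = System.getProperty(HTTPS_CIPHER_SUITES);
    if (jvmCipherSuites == null || jvmCipherSuites.trim().isEmpty()) {
        return null;
    }
    LogUtils.log(log, Level.FINE, "CIPHERSUITES_SYSTEM_PROPERTY_SET", jvmCipherSuites);
    List<String> suites = new ArrayList<String>();
    for (String suite : jvmCipherSuites.split(",")) {
        String name = suite.trim();
        if (!name.isEmpty()) {
            suites.add(name);
        }
    }
    return suites.isEmpty() ? null : suites.toArray(new String[suites.size()]);
}
```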
http://git-wip-us.apache.org/repos/asf/cxf/blob/10199c1e/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java
----------------------------------------------------------------------
diff --git a/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java b/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java
index d8b9001..ac8f90d 100644
--- a/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java
+++ b/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java
@@ -164,6 +164,9 @@ public class HttpsURLConnectionFactory {
if (tlsClientParameters.getCertAlias() != null) {
getKeyManagersWithCertAlias(tlsClientParameters, keyManagers);
}
+ if (keyManagers == null) {
+ keyManagers = SSLUtils.getDefaultKeyStoreManagers(LOG);
+ }
ctx.init(keyManagers, tlsClientParameters.getTrustManagers(),
tlsClientParameters.getSecureRandom());
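Review bot: The fallback at L192-L194 fires whenever `keyManagers` is null, so a client deliberately configured without key managers will now present whatever identity the JVM default keystore holds to any server that requests client authentication — a behavioural change that deserves a release note and at least a log line, e.g. `LOG.fine("No key managers configured; falling back to the JVM default keystore");`. Where `keyManagers` is assigned is above the hunk, so it is not visible whether "not configured" can be told apart from an explicitly empty array; if it cannot, an opt-out on TLSClientParameters would let callers keep the old behaviour. The fallback also re-reads the keystore from disk on each call if this method runs per connection, which its name suggests but the hunk does not show.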