Posted to commits@cxf.apache.org by co...@apache.org on 2016/02/12 18:23:22 UTC
cxf git commit: Some SSL refactoring
Repository: cxf
Updated Branches:
refs/heads/master 4660cd8ca -> 2e6ca288a
Some SSL refactoring
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2e6ca288
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2e6ca288
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2e6ca288
Branch: refs/heads/master
Commit: 2e6ca288a9b363f3cfe08afec071427a13a25ff3
Parents: 4660cd8
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Feb 12 17:23:14 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Feb 12 17:23:14 2016 +0000
----------------------------------------------------------------------
.../apache/cxf/configuration/jsse/SSLUtils.java | 43 +++++++++++---------
.../http/asyncclient/AsyncHTTPConduit.java | 31 ++------------
.../http_jetty/JettyHTTPServerEngine.java | 20 ++-------
.../https/HttpsURLConnectionFactory.java | 42 +++----------------
.../apache/cxf/transport/https/SSLUtils.java | 22 ++++++----
5 files changed, 51 insertions(+), 107 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e6ca288/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java b/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java
index b485f3e..4132b35 100644
--- a/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java
+++ b/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java
@@ -96,9 +96,9 @@ public final class SSLUtils {
throws Exception {
//TODO for performance reasons we should cache
// the KeymanagerFactory and TrustManagerFactory
- if ((keyStorePassword != null)
- && (keyPassword != null)
- && (!keyStorePassword.equals(keyPassword))) {
+ if (keyStorePassword != null
+ && keyPassword != null
+ && !keyStorePassword.equals(keyPassword)) {
LogUtils.log(log,
Level.WARNING,
"KEY_PASSWORD_NOT_SAME_KEYSTORE_PASSWORD");
@@ -111,30 +111,32 @@ public final class SSLUtils {
if (keyStoreType.equalsIgnoreCase(PKCS12_TYPE)) {
Path path = FileSystems.getDefault().getPath(keyStoreLocation);
byte[] bytes = Files.readAllBytes(path);
- ByteArrayInputStream bin = new ByteArrayInputStream(bytes);
+ try (ByteArrayInputStream bin = new ByteArrayInputStream(bytes)) {
- if (keyStorePassword != null) {
- keystoreManagers = loadKeyStore(kmf,
- ks,
- bin,
- keyStoreLocation,
- keyStorePassword,
- log);
+ if (keyStorePassword != null) {
+ keystoreManagers = loadKeyStore(kmf,
+ ks,
+ bin,
+ keyStoreLocation,
+ keyStorePassword,
+ log);
+ }
}
} else {
byte[] sslCert = loadFile(keyStoreLocation);
if (sslCert != null && sslCert.length > 0 && keyStorePassword != null) {
- ByteArrayInputStream bin = new ByteArrayInputStream(sslCert);
- keystoreManagers = loadKeyStore(kmf,
+ try (ByteArrayInputStream bin = new ByteArrayInputStream(sslCert)) {
+ keystoreManagers = loadKeyStore(kmf,
ks,
bin,
keyStoreLocation,
keyStorePassword,
log);
+ }
}
}
- if ((keyStorePassword == null) && (keyStoreLocation != null)) {
+ if (keyStorePassword == null && keyStoreLocation != null) {
LogUtils.log(log, Level.WARNING,
"FAILED_TO_LOAD_KEYSTORE_NULL_PASSWORD",
keyStoreLocation);
@@ -151,6 +153,7 @@ public final class SSLUtils {
}
return defaultManagers;
}
+
private static synchronized void loadDefaultKeyManagers(Logger log) {
if (defaultManagers != null) {
return;
@@ -233,10 +236,10 @@ public final class SSLUtils {
byte[] caCert = loadFile(trustStoreLocation);
try {
if (caCert != null) {
- ByteArrayInputStream cabin = new ByteArrayInputStream(caCert);
- X509Certificate cert = (X509Certificate)cf.generateCertificate(cabin);
- trustedCertStore.setCertificateEntry(cert.getIssuerDN().toString(), cert);
- cabin.close();
+ try (ByteArrayInputStream cabin = new ByteArrayInputStream(caCert)) {
+ X509Certificate cert = (X509Certificate)cf.generateCertificate(cabin);
+ trustedCertStore.setCertificateEntry(cert.getIssuerDN().toString(), cert);
+ }
}
} catch (Exception e) {
LogUtils.log(log, Level.WARNING, "FAILED_TO_LOAD_TRUST_STORE",
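Review bot: The keystore alias on the re-indented line `trustedCertStore.setCertificateEntry(cert.getIssuerDN().toString(), cert)` is derived from `getIssuerDN()`, which the JDK documents as denigrated with an implementation-dependent string form; `cert.getIssuerX500Principal().getName()` yields a stable RFC 2253 name for the same purpose. This is pre-existing logic that the hunk only wraps in try-with-resources, so it may be better handled as a follow-up than folded into this refactoring. The enclosing method starts and ends outside the hunk.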
@@ -284,6 +287,7 @@ public final class SSLUtils {
public static String getKeystoreType(String keyStoreType, Logger log) {
return getKeystoreType(keyStoreType, log, DEFAULT_KEYSTORE_TYPE);
}
+
public static String getKeystoreType(String keyStoreType, Logger log, String def) {
String logMsg = null;
if (keyStoreType != null) {
@@ -299,7 +303,8 @@ public final class SSLUtils {
}
LogUtils.log(log, Level.FINE, logMsg, keyStoreType);
return keyStoreType;
- }
+ }
+
public static String getKeystoreProvider(String keyStoreProvider, Logger log) {
String logMsg = null;
if (keyStoreProvider != null) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e6ca288/rt/transports/http-hc/src/main/java/org/apache/cxf/transport/http/asyncclient/AsyncHTTPConduit.java
----------------------------------------------------------------------
diff --git a/rt/transports/http-hc/src/main/java/org/apache/cxf/transport/http/asyncclient/AsyncHTTPConduit.java b/rt/transports/http-hc/src/main/java/org/apache/cxf/transport/http/asyncclient/AsyncHTTPConduit.java
index 8483631..a3421e3 100644
--- a/rt/transports/http-hc/src/main/java/org/apache/cxf/transport/http/asyncclient/AsyncHTTPConduit.java
+++ b/rt/transports/http-hc/src/main/java/org/apache/cxf/transport/http/asyncclient/AsyncHTTPConduit.java
@@ -47,7 +47,6 @@ import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;
-import javax.net.ssl.X509KeyManager;
import org.apache.cxf.Bus;
import org.apache.cxf.common.util.StringUtils;
@@ -65,7 +64,6 @@ import org.apache.cxf.transport.http.Address;
import org.apache.cxf.transport.http.Headers;
import org.apache.cxf.transport.http.URLConnectionHTTPConduit;
import org.apache.cxf.transport.http.asyncclient.AsyncHTTPConduitFactory.UseAsyncPolicy;
-import org.apache.cxf.transport.https.AliasedX509ExtendedKeyManager;
import org.apache.cxf.transport.https.HttpsURLConnectionInfo;
import org.apache.cxf.transports.http.configuration.HTTPClientPolicy;
import org.apache.cxf.version.Version;
@@ -878,10 +876,11 @@ public class AsyncHTTPConduit extends URLConnectionHTTPConduit {
SSLContext ctx = provider == null ? SSLContext.getInstance(protocol) : SSLContext
.getInstance(protocol, provider);
ctx.getClientSessionContext().setSessionTimeout(tlsClientParameters.getSslCacheTimeout());
+
KeyManager[] keyManagers = tlsClientParameters.getKeyManagers();
- if (tlsClientParameters.getCertAlias() != null) {
- keyManagers = getKeyManagersWithCertAlias(tlsClientParameters, keyManagers);
- }
+ org.apache.cxf.transport.https.SSLUtils.configureKeyManagersWithCertAlias(
+ tlsClientParameters, keyManagers);
+
ctx.init(keyManagers, tlsClientParameters.getTrustManagers(),
tlsClientParameters.getSecureRandom());
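Review bot: The new call `org.apache.cxf.transport.https.SSLUtils.configureKeyManagersWithCertAlias(tlsClientParameters, keyManagers)` replaces a helper that returned a fresh array with one that, per the SSLUtils hunk later in this commit, rewrites entries of the array it is handed in place; since `keyManagers` is whatever `tlsClientParameters.getKeyManagers()` returned, the wrapped managers are presumably written back into the shared TLSClientParameters object, a side effect the deleted copying version avoided. If that is intended, a comment such as `// wraps X509KeyManagers in place; tlsClientParameters.getKeyManagers() may now hold AliasedX509ExtendedKeyManager entries` would make it visible to the next maintainer; if not, take a copy first with `keyManagers = keyManagers == null ? null : keyManagers.clone();`. The new helper skips entries that are already AliasedX509ExtendedKeyManager, so repeated calls do not nest wrappers. The enclosing method starts and ends outside the hunk.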
@@ -931,26 +930,4 @@ public class AsyncHTTPConduit extends URLConnectionHTTPConduit {
return list.toArray(new String[list.size()]);
}
- protected static KeyManager[] getKeyManagersWithCertAlias(TLSClientParameters tlsClientParameters,
- KeyManager[] keyManagers) throws GeneralSecurityException {
- if (tlsClientParameters.getCertAlias() != null) {
- KeyManager ret[] = new KeyManager[keyManagers.length];
- for (int idx = 0; idx < keyManagers.length; idx++) {
- if (keyManagers[idx] instanceof X509KeyManager) {
- try {
- ret[idx] = new AliasedX509ExtendedKeyManager(tlsClientParameters.getCertAlias(),
- (X509KeyManager)keyManagers[idx]);
- } catch (Exception e) {
- throw new GeneralSecurityException(e);
- }
- } else {
- ret[idx] = keyManagers[idx];
- }
- }
- return ret;
- }
- return keyManagers;
- }
-
-
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e6ca288/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
----------------------------------------------------------------------
diff --git a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
index e6f0fed..67e960b 100644
--- a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
+++ b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
@@ -34,7 +34,6 @@ import java.util.logging.Logger;
import javax.annotation.PostConstruct;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
-import javax.net.ssl.X509KeyManager;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
@@ -52,7 +51,6 @@ import org.apache.cxf.configuration.jsse.TLSServerParameters;
import org.apache.cxf.configuration.security.ClientAuthentication;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.transport.HttpUriMapper;
-import org.apache.cxf.transport.https.AliasedX509ExtendedKeyManager;
import org.eclipse.jetty.http.HttpStatus;
import org.eclipse.jetty.security.SecurityHandler;
import org.eclipse.jetty.server.AbstractConnector;
@@ -729,9 +727,9 @@ public class JettyHTTPServerEngine implements ServerEngine {
: SSLContext.getInstance(proto, tlsServerParameters.getJsseProvider());
KeyManager keyManagers[] = tlsServerParameters.getKeyManagers();
- if (tlsServerParameters.getCertAlias() != null) {
- keyManagers = getKeyManagersWithCertAlias(keyManagers);
- }
+ org.apache.cxf.transport.https.SSLUtils.configureKeyManagersWithCertAlias(
+ tlsServerParameters, keyManagers);
+
context.init(tlsServerParameters.getKeyManagers(),
tlsServerParameters.getTrustManagers(),
tlsServerParameters.getSecureRandom());
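Review bot: `context.init(tlsServerParameters.getKeyManagers(), ...)` directly below the new call passes the parameters' array rather than the local `keyManagers` that `configureKeyManagersWithCertAlias` just processed, so the cert-alias wrapping only takes effect if `getKeyManagers()` hands back the same array instance each time, which this hunk cannot show. Passing the local is explicit and matches what AsyncHTTPConduit does in this same commit: `context.init(keyManagers,`. The behaviour was the same before the change, but the refactoring is the natural moment to close the gap. The enclosing method continues outside the hunk.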
@@ -760,17 +758,7 @@ public class JettyHTTPServerEngine implements ServerEngine {
return context;
}
- protected KeyManager[] getKeyManagersWithCertAlias(KeyManager keyManagers[]) throws Exception {
- if (tlsServerParameters.getCertAlias() != null) {
- for (int idx = 0; idx < keyManagers.length; idx++) {
- if (keyManagers[idx] instanceof X509KeyManager) {
- keyManagers[idx] = new AliasedX509ExtendedKeyManager(
- tlsServerParameters.getCertAlias(), (X509KeyManager)keyManagers[idx]);
- }
- }
- }
- return keyManagers;
- }
+
protected void setClientAuthentication(SslContextFactory con,
ClientAuthentication clientAuth) {
con.setWantClientAuth(true);
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e6ca288/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java
----------------------------------------------------------------------
diff --git a/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java b/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java
index f5d88de..0d02d6b 100644
--- a/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java
+++ b/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java
@@ -32,10 +32,8 @@ import java.util.logging.Logger;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
-import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
-import javax.net.ssl.X509KeyManager;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.ReflectionInvokationHandler;
@@ -152,23 +150,8 @@ public class HttpsURLConnectionFactory {
// ssl socket factory not yet instantiated, create a new one with tlsClientParameters's Trust
// Managers, Key Managers, etc
- String provider = tlsClientParameters.getJsseProvider();
-
- String protocol = tlsClientParameters.getSecureSocketProtocol() != null ? tlsClientParameters
- .getSecureSocketProtocol() : "TLS";
-
- SSLContext ctx = provider == null ? SSLContext.getInstance(protocol) : SSLContext
- .getInstance(protocol, provider);
- ctx.getClientSessionContext().setSessionTimeout(tlsClientParameters.getSslCacheTimeout());
- KeyManager[] keyManagers = tlsClientParameters.getKeyManagers();
- if (keyManagers == null) {
- keyManagers = SSLUtils.getDefaultKeyStoreManagers(LOG);
- }
- if (tlsClientParameters.getCertAlias() != null) {
- getKeyManagersWithCertAlias(tlsClientParameters, keyManagers);
- }
- ctx.init(keyManagers, tlsClientParameters.getTrustManagers(),
- tlsClientParameters.getSecureRandom());
+ SSLContext ctx =
+ org.apache.cxf.transport.https.SSLUtils.getSSLContext(tlsClientParameters);
String[] cipherSuites =
SSLUtils.getCiphersuitesToInclude(tlsClientParameters.getCipherSuites(),
@@ -178,9 +161,11 @@ public class HttpsURLConnectionFactory {
LOG);
// The SSLSocketFactoryWrapper enables certain cipher suites
// from the policy.
+ String protocol = tlsClientParameters.getSecureSocketProtocol() != null ? tlsClientParameters
+ .getSecureSocketProtocol() : "TLS";
socketFactory = new SSLSocketFactoryWrapper(ctx.getSocketFactory(), cipherSuites,
protocol);
- //recalc the hashcode since somet of the above MAY have changed the tlsClientParameters
+ //recalc the hashcode since some of the above MAY have changed the tlsClientParameters
lastTlsHash = tlsClientParameters.hashCode();
} else {
// ssl socket factory already initialized, reuse it to benefit of keep alive
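Review bot: The `protocol` computation on the two added lines duplicates the default-to-"TLS" selection that `getSSLContext` (now called in the preceding hunk at L257-L280) presumably applies to the same `tlsClientParameters` internally, so if the two defaults ever diverge `SSLSocketFactoryWrapper` is told a protocol different from the one the context was actually built with. Deriving it from the context, `String protocol = ctx.getProtocol();`, reports exactly what `SSLContext.getInstance` was given and removes the duplication. The enclosing method starts and ends outside the hunk.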
@@ -259,23 +244,6 @@ public class HttpsURLConnectionFactory {
LOG.addHandler(handler);
}
- protected void getKeyManagersWithCertAlias(TLSClientParameters tlsClientParameters,
- KeyManager[] keyManagers) throws GeneralSecurityException {
- if (tlsClientParameters.getCertAlias() != null && keyManagers != null) {
- for (int idx = 0; idx < keyManagers.length; idx++) {
- if (keyManagers[idx] instanceof X509KeyManager
- && !(keyManagers[idx] instanceof AliasedX509ExtendedKeyManager)) {
- try {
- keyManagers[idx] = new AliasedX509ExtendedKeyManager(
- tlsClientParameters.getCertAlias(), (X509KeyManager)keyManagers[idx]);
- } catch (Exception e) {
- throw new GeneralSecurityException(e);
- }
- }
- }
- }
- }
-
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e6ca288/rt/transports/http/src/main/java/org/apache/cxf/transport/https/SSLUtils.java
----------------------------------------------------------------------
diff --git a/rt/transports/http/src/main/java/org/apache/cxf/transport/https/SSLUtils.java b/rt/transports/http/src/main/java/org/apache/cxf/transport/https/SSLUtils.java
index 183f80e..11d8ddd 100644
--- a/rt/transports/http/src/main/java/org/apache/cxf/transport/https/SSLUtils.java
+++ b/rt/transports/http/src/main/java/org/apache/cxf/transport/https/SSLUtils.java
@@ -19,6 +19,7 @@
package org.apache.cxf.transport.https;
import java.security.GeneralSecurityException;
+import java.util.logging.Logger;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
@@ -27,6 +28,7 @@ import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509KeyManager;
+import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.configuration.jsse.TLSParameterBase;
import org.apache.cxf.configuration.jsse.TLSServerParameters;
@@ -35,6 +37,9 @@ import org.apache.cxf.transport.https.httpclient.DefaultHostnameVerifier;
import org.apache.cxf.transport.https.httpclient.PublicSuffixMatcherLoader;
public final class SSLUtils {
+
+ private static final Logger LOG = LogUtils.getL7dLogger(SSLUtils.class);
+
private SSLUtils() {
//Helper class
}
@@ -54,7 +59,7 @@ public final class SSLUtils {
return verifier;
}
- public static SSLContext getSSLContext(TLSParameterBase parameters) throws Exception {
+ public static SSLContext getSSLContext(TLSParameterBase parameters) throws GeneralSecurityException {
// TODO do we need to cache the context
String provider = parameters.getJsseProvider();
@@ -68,24 +73,25 @@ public final class SSLUtils {
ctx.getClientSessionContext().setSessionTimeout(((TLSClientParameters)parameters).getSslCacheTimeout());
}
- // TODO setting on the server side
-
KeyManager[] keyManagers = parameters.getKeyManagers();
- if (parameters.getCertAlias() != null) {
- getKeyManagersWithCertAlias(parameters, keyManagers);
+ if (keyManagers == null && parameters instanceof TLSClientParameters) {
+ keyManagers = org.apache.cxf.configuration.jsse.SSLUtils.getDefaultKeyStoreManagers(LOG);
}
+ configureKeyManagersWithCertAlias(parameters, keyManagers);
+
ctx.init(keyManagers, parameters.getTrustManagers(),
parameters.getSecureRandom());
return ctx;
}
- protected static void getKeyManagersWithCertAlias(TLSParameterBase tlsParameters,
+ public static void configureKeyManagersWithCertAlias(TLSParameterBase tlsParameters,
KeyManager[] keyManagers)
throws GeneralSecurityException {
- if (tlsParameters.getCertAlias() != null) {
+ if (tlsParameters.getCertAlias() != null && keyManagers != null) {
for (int idx = 0; idx < keyManagers.length; idx++) {
- if (keyManagers[idx] instanceof X509KeyManager) {
+ if (keyManagers[idx] instanceof X509KeyManager
+ && !(keyManagers[idx] instanceof AliasedX509ExtendedKeyManager)) {
try {
keyManagers[idx] = new AliasedX509ExtendedKeyManager(tlsParameters.getCertAlias(),
(X509KeyManager)keyManagers[idx]);