List of usage examples for javax.net.ssl TrustManagerFactory getTrustManagers
public final TrustManager[] getTrustManagers()
From source file:com.bytelightning.opensource.pokerface.PokerFace.java
/** * Configures all the needed components, but does not actually start the server. * @param config Contains all information needed to fully wire up the http, https, and httpclient components of this reverse proxy. * @throws Exception Yeah, a lot can go wrong here, but at least it will be caught immediately :-) *//*from ww w . j av a 2 s . c om*/ public void config(HierarchicalConfiguration config) throws Exception { List<HierarchicalConfiguration> lconf; HttpAsyncRequester executor = null; BasicNIOConnPool connPool = null; ObjectPool<ByteBuffer> byteBufferPool = null; LinkedHashMap<String, TargetDescriptor> mappings = null; ConcurrentMap<String, HttpHost> hosts = null; handlerRegistry = new UriHttpAsyncRequestHandlerMapper(); // Initialize the keystore (if one was specified) KeyStore keystore = null; char[] keypass = null; String keystoreUri = config.getString("keystore"); if ((keystoreUri != null) && (keystoreUri.trim().length() > 0)) { Path keystorePath = Utils.MakePath(keystoreUri); if (!Files.exists(keystorePath)) throw new ConfigurationException("Keystore does not exist."); if (Files.isDirectory(keystorePath)) throw new ConfigurationException("Keystore is not a file"); String storepass = config.getString("storepass"); if ((storepass != null) && "null".equals(storepass)) storepass = null; keystore = KeyStore.getInstance(KeyStore.getDefaultType()); try (InputStream keyStoreStream = Files.newInputStream(keystorePath)) { keystore.load(keyStoreStream, storepass == null ? null : storepass.trim().toCharArray()); } catch (IOException ex) { Logger.error("Unable to load https server keystore from " + keystoreUri); return; } keypass = config.getString("keypass").trim().toCharArray(); } // Wire up the listening reactor lconf = config.configurationsAt("server"); if ((lconf == null) || (lconf.size() != 1)) throw new ConfigurationException("One (and only one) server configuration element is allowed."); else { Builder builder = IOReactorConfig.custom(); builder.setIoThreadCount(ComputeReactorProcessors(config.getDouble("server[@cpu]", 0.667))); builder.setSoTimeout(config.getInt("server[@soTimeout]", 0)); builder.setSoLinger(config.getInt("server[@soLinger]", -1)); builder.setSoReuseAddress(true); builder.setTcpNoDelay(false); builder.setSelectInterval(100); IOReactorConfig rconfig = builder.build(); Logger.info("Configuring server with options: " + rconfig.toString()); listeningReactor = new DefaultListeningIOReactor(rconfig); lconf = config.configurationsAt("server.listen"); InetSocketAddress addr; boolean hasNonWildcardSecure = false; LinkedHashMap<SocketAddress, SSLContext> addrSSLContext = new LinkedHashMap<SocketAddress, SSLContext>(); if ((lconf == null) || (lconf.size() == 0)) { addr = new InetSocketAddress("127.0.0.1", 8080); ListenerEndpoint ep = listeningReactor.listen(addr); Logger.warn("Configured " + ep.getAddress()); } else { TrustManager[] trustManagers = null; KeyManagerFactory kmf = null; // Create all the specified listeners. for (HierarchicalConfiguration hc : lconf) { String addrStr = hc.getString("[@address]"); if ((addrStr == null) || (addrStr.length() == 0)) addrStr = "0.0.0.0"; String alias = hc.getString("[@alias]"); int port = hc.getInt("[@port]", alias != null ? 443 : 80); addr = new InetSocketAddress(addrStr, port); ListenerEndpoint ep = listeningReactor.listen(addr); String protocol = hc.containsKey("[@protocol]") ? hc.getString("[@protocol]") : null; Boolean secure = hc.containsKey("[@secure]") ? hc.getBoolean("[@secure]") : null; if ((alias != null) && (secure == null)) secure = true; if ((protocol != null) && (secure == null)) secure = true; if ((secure != null) && secure) { if (protocol == null) protocol = "TLS"; if (keystore == null) throw new ConfigurationException( "An https listening socket was requested, but no keystore was specified."); if (kmf == null) { kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); kmf.init(keystore, keypass); } // Are we going to trust all clients or just specific ones? if (hc.getBoolean("[@trustAny]", true)) trustManagers = new TrustManager[] { new X509TrustAllManager() }; else { TrustManagerFactory instance = TrustManagerFactory .getInstance(TrustManagerFactory.getDefaultAlgorithm()); instance.init(keystore); trustManagers = instance.getTrustManagers(); } KeyManager[] keyManagers = kmf.getKeyManagers(); if (alias != null) for (int i = 0; i < keyManagers.length; i++) { if (keyManagers[i] instanceof X509ExtendedKeyManager) keyManagers[i] = new PokerFaceKeyManager(alias, (X509ExtendedKeyManager) keyManagers[i]); } SSLContext sslCtx = SSLContext.getInstance(protocol); sslCtx.init(keyManagers, trustManagers, new SecureRandom()); if (addr.getAddress().isAnyLocalAddress()) { // This little optimization helps us respond faster for every connection as we don't have to extrapolate a local connection address to wild card. for (Enumeration<NetworkInterface> en = NetworkInterface.getNetworkInterfaces(); en .hasMoreElements();) { NetworkInterface intf = en.nextElement(); for (Enumeration<InetAddress> enumIpAddr = intf.getInetAddresses(); enumIpAddr .hasMoreElements();) { addr = new InetSocketAddress(enumIpAddr.nextElement(), port); addrSSLContext.put(addr, sslCtx); } } } else { addrSSLContext.put(addr, sslCtx); hasNonWildcardSecure = true; } } Logger.warn("Configured " + (alias == null ? "" : (protocol + " on")) + ep.getAddress()); } } // We will need an HTTP protocol processor for the incoming connections String serverAgent = config.getString("server.serverAgent", "PokerFace/" + Utils.Version); HttpProcessor inhttpproc = new ImmutableHttpProcessor( new HttpResponseInterceptor[] { new ResponseDateInterceptor(), new ResponseServer(serverAgent), new ResponseContent(), new ResponseConnControl() }); HttpAsyncService serviceHandler = new HttpAsyncService(inhttpproc, new DefaultConnectionReuseStrategy(), null, handlerRegistry, null) { public void exception(final NHttpServerConnection conn, final Exception cause) { Logger.warn(cause.getMessage()); super.exception(conn, cause); } }; if (addrSSLContext.size() > 0) { final SSLContext defaultCtx = addrSSLContext.values().iterator().next(); final Map<SocketAddress, SSLContext> sslMap; if ((!hasNonWildcardSecure) || (addrSSLContext.size() == 1)) sslMap = null; else sslMap = addrSSLContext; listeningDispatcher = new DefaultHttpServerIODispatch(serviceHandler, new SSLNHttpServerConnectionFactory(defaultCtx, null, ConnectionConfig.DEFAULT) { protected SSLIOSession createSSLIOSession(IOSession iosession, SSLContext sslcontext, SSLSetupHandler sslHandler) { SSLIOSession retVal; SSLContext sktCtx = sslcontext; if (sslMap != null) { SocketAddress la = iosession.getLocalAddress(); if (la != null) { sktCtx = sslMap.get(la); if (sktCtx == null) sktCtx = sslcontext; } retVal = new SSLIOSession(iosession, SSLMode.SERVER, sktCtx, sslHandler); } else retVal = super.createSSLIOSession(iosession, sktCtx, sslHandler); if (sktCtx != null) retVal.setAttribute("com.bytelightning.opensource.pokerface.secure", true); return retVal; } }); } else listeningDispatcher = new DefaultHttpServerIODispatch(serviceHandler, ConnectionConfig.DEFAULT); } // Configure the httpclient reactor that will be used to do reverse proxing to the specified targets. lconf = config.configurationsAt("targets"); if ((lconf != null) && (lconf.size() > 0)) { HierarchicalConfiguration conf = lconf.get(0); Builder builder = IOReactorConfig.custom(); builder.setIoThreadCount(ComputeReactorProcessors(config.getDouble("targets[@cpu]", 0.667))); builder.setSoTimeout(conf.getInt("targets[@soTimeout]", 0)); builder.setSoLinger(config.getInt("targets[@soLinger]", -1)); builder.setConnectTimeout(conf.getInt("targets[@connectTimeout]", 0)); builder.setSoReuseAddress(true); builder.setTcpNoDelay(false); connectingReactor = new DefaultConnectingIOReactor(builder.build()); final int bufferSize = conf.getInt("targets[@bufferSize]", 1024) * 1024; byteBufferPool = new SoftReferenceObjectPool<ByteBuffer>(new BasePooledObjectFactory<ByteBuffer>() { @Override public ByteBuffer create() throws Exception { return ByteBuffer.allocateDirect(bufferSize); } @Override public PooledObject<ByteBuffer> wrap(ByteBuffer buffer) { return new DefaultPooledObject<ByteBuffer>(buffer); } }); KeyManager[] keyManagers = null; TrustManager[] trustManagers = null; if (keystore != null) { KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); kmf.init(keystore, keypass); keyManagers = kmf.getKeyManagers(); } // Will the httpclient's trust any remote target, or only specific ones. if (conf.getBoolean("targets[@trustAny]", false)) trustManagers = new TrustManager[] { new X509TrustAllManager() }; else if (keystore != null) { TrustManagerFactory instance = TrustManagerFactory .getInstance(TrustManagerFactory.getDefaultAlgorithm()); instance.init(keystore); trustManagers = instance.getTrustManagers(); } SSLContext clientSSLContext = SSLContext.getInstance(conf.getString("targets[@protocol]", "TLS")); clientSSLContext.init(keyManagers, trustManagers, new SecureRandom()); // Setup an SSL capable connection pool for the httpclients. connPool = new BasicNIOConnPool(connectingReactor, new BasicNIOConnFactory(clientSSLContext, null, ConnectionConfig.DEFAULT), conf.getInt("targets[@connectTimeout]", 0)); connPool.setMaxTotal(conf.getInt("targets[@connMaxTotal]", 1023)); connPool.setDefaultMaxPerRoute(conf.getInt("targets[@connMaxPerRoute]", 1023)); // Set up HTTP protocol processor for outgoing connections String userAgent = conf.getString("targets.userAgent", "PokerFace/" + Utils.Version); HttpProcessor outhttpproc = new ImmutableHttpProcessor(new HttpRequestInterceptor[] { new RequestContent(), new RequestTargetHost(), new RequestConnControl(), new RequestUserAgent(userAgent), new RequestExpectContinue(true) }); executor = new HttpAsyncRequester(outhttpproc, new DefaultConnectionReuseStrategy()); // Now set up all the configured targets. mappings = new LinkedHashMap<String, TargetDescriptor>(); hosts = new ConcurrentHashMap<String, HttpHost>(); String[] scheme = { null }; String[] host = { null }; int[] port = { 0 }; String[] path = { null }; int[] stripPrefixCount = { 0 }; for (HierarchicalConfiguration targetConfig : conf.configurationsAt("target")) { String match = targetConfig.getString("[@pattern]"); if ((match == null) || (match.trim().length() < 1)) { Logger.error("Unable to configure target; Invalid url match pattern"); continue; } String key = RequestForTargetConsumer.UriToTargetKey(targetConfig.getString("[@url]"), scheme, host, port, path, stripPrefixCount); if (key == null) { Logger.error("Unable to configure target"); continue; } HttpHost targetHost = hosts.get(key); if (targetHost == null) { targetHost = new HttpHost(host[0], port[0], scheme[0]); hosts.put(key, targetHost); } TargetDescriptor desc = new TargetDescriptor(targetHost, path[0], stripPrefixCount[0]); mappings.put(match, desc); } connectionDispatcher = new DefaultHttpClientIODispatch(new HttpAsyncRequestExecutor(), ConnectionConfig.DEFAULT); } // Allocate the script map which will be populated by it's own executor thread. if (config.containsKey("scripts.rootDirectory")) { Path tmp = Utils.MakePath(config.getProperty("scripts.rootDirectory")); if (!Files.exists(tmp)) throw new FileNotFoundException("Scripts directory does not exist."); if (!Files.isDirectory(tmp)) throw new FileNotFoundException("'scripts' path is not a directory."); scripts = new ConcurrentSkipListMap<String, ScriptObjectMirror>(); boolean watch = config.getBoolean("scripts.dynamicWatch", false); List<Path> jsLibs; Object prop = config.getProperty("scripts.library"); if (prop != null) { jsLibs = new ArrayList<Path>(); if (prop instanceof Collection<?>) { @SuppressWarnings("unchecked") Collection<Object> oprop = (Collection<Object>) prop; for (Object obj : oprop) jsLibs.add(Utils.MakePath(obj)); } else { jsLibs.add(Utils.MakePath(prop)); } } else jsLibs = null; lconf = config.configurationsAt("scripts.scriptConfig"); if (lconf != null) { if (lconf.size() > 1) throw new ConfigurationException("Only one scriptConfig element is allowed."); if (lconf.size() == 0) lconf = null; } HierarchicalConfiguration scriptConfig; if (lconf == null) scriptConfig = new HierarchicalConfiguration(); else scriptConfig = lconf.get(0); scriptConfig.setProperty("pokerface.scripts.rootDirectory", tmp.toString()); configureScripts(jsLibs, scriptConfig, tmp, watch); if (watch) ScriptDirectoryWatcher = new DirectoryWatchService(); } // Configure the static file directory (if any) Path staticFilesPath = null; if (config.containsKey("files.rootDirectory")) { Path tmp = Utils.MakePath(config.getProperty("files.rootDirectory")); if (!Files.exists(tmp)) throw new FileNotFoundException("Files directory does not exist."); if (!Files.isDirectory(tmp)) throw new FileNotFoundException("'files' path is not a directory."); staticFilesPath = tmp; List<HierarchicalConfiguration> mimeEntries = config.configurationsAt("files.mime-entry"); if (mimeEntries != null) { for (HierarchicalConfiguration entry : mimeEntries) { entry.setDelimiterParsingDisabled(true); String type = entry.getString("[@type]", "").trim(); if (type.length() == 0) throw new ConfigurationException("Invalid mime type entry"); String extensions = entry.getString("[@extensions]", "").trim(); if (extensions.length() == 0) throw new ConfigurationException("Invalid mime extensions for: " + type); ScriptHelperImpl.AddMimeEntry(type, extensions); } } } handlerRegistry.register("/*", new RequestHandler(executor, connPool, byteBufferPool, staticFilesPath, mappings, scripts != null ? Collections.unmodifiableNavigableMap(scripts) : null, config.getBoolean("scripts.allowScriptsToSpecifyDynamicHosts", false) ? hosts : null)); }
From source file:com.alliander.osgp.shared.usermanagement.UserManagementClient.java
/** * Construct a UserManagementClient instance. * * @param keystoreLocation/*from ww w . jav a 2 s.c o m*/ * The location of the key store. * @param keystorePassword * The password for the key store. * @param keystoreType * The type of the key store. * @param baseAddress * The base address or URL for the UserManagementClient. * * @throws UserManagementClientException * In case the construction fails, a * UserManagmentClientException will be thrown. */ public UserManagementClient(final String keystoreLocation, final String keystorePassword, final String keystoreType, final String baseAddress) throws UserManagementClientException { InputStream stream = null; boolean isClosed = false; Exception exception = null; try { // Create the KeyStore. final KeyStore keystore = KeyStore.getInstance(keystoreType.toUpperCase()); stream = new FileInputStream(keystoreLocation); keystore.load(stream, keystorePassword.toCharArray()); // Create TrustManagerFactory and initialize it using the KeyStore. final TrustManagerFactory tmf = TrustManagerFactory .getInstance(TrustManagerFactory.getDefaultAlgorithm()); tmf.init(keystore); // Create Apache CXF WebClient with JSON provider. final List<Object> providers = new ArrayList<Object>(); providers.add(new JacksonJaxbJsonProvider()); this.webClient = WebClient.create(baseAddress, providers); if (this.webClient == null) { throw new UserManagementClientException("webclient is null"); } // Set up the HTTP Conduit to use the TrustManagers. final ClientConfiguration config = WebClient.getConfig(this.webClient); final HTTPConduit conduit = config.getHttpConduit(); conduit.setTlsClientParameters(new TLSClientParameters()); conduit.getTlsClientParameters().setTrustManagers(tmf.getTrustManagers()); } catch (final Exception e) { LOGGER.error(CONSTRUCTION_FAILED, e); throw new UserManagementClientException(CONSTRUCTION_FAILED, e); } finally { try { stream.close(); isClosed = true; } catch (final Exception streamCloseException) { LOGGER.error(CONSTRUCTION_FAILED, streamCloseException); exception = streamCloseException; } } if (!isClosed) { throw new UserManagementClientException(CONSTRUCTION_FAILED, exception); } }
From source file:com.alliander.osgp.shared.usermanagement.KeycloakClient.java
/** * Construct an AuthenticationClient instance. * * @param keyStoreSettings/*from w w w . jav a2 s . c o m*/ * Settings to determine a KeyStore and TrustManagerFactory. * @param KeycloakApiSettings * Settings used accessing the Keycloak API. * @param loginClient * The keycloak client used for application logins. * @param realm * The keycloak realm with clients and users for external logins. * * @throws KeycloakClientException * In case the construction fails. */ public KeycloakClient(final KeyStoreSettings keyStoreSettings, final KeycloakApiSettings keycloakApiSettings, final String loginClient, final String realm) throws KeycloakClientException { this.apiClient = keycloakApiSettings.getApiClient(); this.apiClientSecret = keycloakApiSettings.getApiClientSecret(); this.apiUser = keycloakApiSettings.getApiUser(); this.apiPassword = keycloakApiSettings.getApiPassword(); this.loginClient = loginClient; this.realm = realm; this.tokenPath = TOKEN_PATH_TEMPLATE.replace(PATH_ELEMENT_REALM, realm); this.usersPath = USERS_PATH_TEMPLATE.replace(PATH_ELEMENT_REALM, realm); this.userPath = USER_PATH_TEMPLATE.replace(PATH_ELEMENT_REALM, realm); this.userSessionsPath = USER_SESSIONS_PATH_TEMPLATE.replace(PATH_ELEMENT_REALM, realm); this.sessionPath = SESSION_PATH_TEMPLATE.replace(PATH_ELEMENT_REALM, realm); try { final TrustManagerFactory tmf = keyStoreSettings.getTrustManagerFactory(); final List<Object> providers = new ArrayList<Object>(); providers.add(new JacksonJaxbJsonProvider()); this.webClient = WebClient.create(keycloakApiSettings.getBaseAddress(), providers, true); if (this.webClient == null) { throw new IllegalStateException("webclient is null"); } final ClientConfiguration config = WebClient.getConfig(this.webClient); final HTTPConduit conduit = config.getHttpConduit(); conduit.setTlsClientParameters(new TLSClientParameters()); conduit.getTlsClientParameters().setTrustManagers(tmf.getTrustManagers()); this.jacksonObjectMapper = new ObjectMapper(); } catch (final Exception e) { LOGGER.error(CONSTRUCTION_FAILED, e); throw new KeycloakClientException(CONSTRUCTION_FAILED, e); } }
From source file:com.amazon.alexa.avs.auth.companionservice.CompanionServiceClient.java
/** * Loads the CA certificate into an in-memory keystore and creates an {@link SSLSocketFactory}. * * @return SSLSocketFactory// w ww .j a va 2 s. c o m */ public SSLSocketFactory getPinnedSSLSocketFactory() { InputStream caCertInputStream = null; InputStream clientKeyPair = null; try { // Load the CA certificate into memory CertificateFactory cf = CertificateFactory.getInstance("X.509"); caCertInputStream = new FileInputStream(deviceConfig.getCompanionServiceInfo().getSslCaCert()); Certificate caCert = cf.generateCertificate(caCertInputStream); // Load the CA certificate into the trusted KeyStore KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType()); trustStore.load(null, null); trustStore.setCertificateEntry("myca", caCert); // Create a TrustManagerFactory with the trusted KeyStore TrustManagerFactory trustManagerFactory = TrustManagerFactory .getInstance(TrustManagerFactory.getDefaultAlgorithm()); trustManagerFactory.init(trustStore); // Load the client certificate and private key into another KeyStore KeyStore keyStore = KeyStore.getInstance("PKCS12"); clientKeyPair = new FileInputStream(deviceConfig.getCompanionServiceInfo().getSslClientKeyStore()); keyStore.load(clientKeyPair, deviceConfig.getCompanionServiceInfo().getSslClientKeyStorePassphrase().toCharArray()); // Create a TrustManagerFactory with the client key pair KeyStore KeyManagerFactory keyManagerFactory = KeyManagerFactory .getInstance(KeyManagerFactory.getDefaultAlgorithm()); keyManagerFactory.init(keyStore, deviceConfig.getCompanionServiceInfo().getSslClientKeyStorePassphrase().toCharArray()); // Initialize the SSLContext and return an SSLSocketFactory; SSLContext sc = SSLContext.getInstance("TLS"); sc.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null); return sc.getSocketFactory(); } catch (CertificateException | KeyStoreException | UnrecoverableKeyException | NoSuchAlgorithmException | IOException | KeyManagementException e) { throw new RuntimeException("The KeyStore for contacting the Companion Service could not be loaded.", e); } finally { IOUtils.closeQuietly(caCertInputStream); IOUtils.closeQuietly(clientKeyPair); } }
From source file:me.mneri.rice.Connection.java
public void start() { if (mState != State.CLOSED) return;/*w w w. j ava2s .c om*/ mState = State.STARTED; emit(new Event(START, this)); new Thread(() -> { try { if (mSecure) { SSLContext sslContext = SSLContext.getInstance("TLS"); String algorithm = TrustManagerFactory.getDefaultAlgorithm(); TrustManagerFactory tmFactory = TrustManagerFactory.getInstance(algorithm); tmFactory.init((KeyStore) null); sslContext.init(null, tmFactory.getTrustManagers(), null); SSLSocketFactory sslFactory = sslContext.getSocketFactory(); SSLSocket sslSocket = (SSLSocket) sslFactory.createSocket(mHost, mPort); sslSocket.startHandshake(); mSocket = sslSocket; } else { mSocket = new Socket(mHost, mPort); } mSocket.setSoTimeout(mSoTimeout); mInputThread = new InputThread(mSocket.getInputStream(), mEncoding, new InputThreadObserver()); mInputThread.start(); OutputInterfaceFactory outFactory = OutputInterfaceFactory.instance(); OutputStreamWriter outWriter = new OutputStreamWriter(mSocket.getOutputStream(), mEncoding); mOutputInterface = outFactory.createInterface(outWriter); mState = State.CONNECTED; emit(new Event(CONNECT, this)); cap("LS"); if (!TextUtils.isEmpty(mPass)) pass(mPass); nick(mWantedNick); user(mUser, mLoginMode, "*", mReal); } catch (Exception e) { onDisconnection(); } }).start(); }
From source file:edu.washington.shibboleth.attribute.resolver.provider.dataConnector.RwsDataConnector.java
/** * This sets the trust managers that will be used for all TLS and SSL connections to the ldap. This method will * remove any cached results and initialize the connection manager. * /* w w w . j ava 2s .c o m*/ * @see #clearCache() * @see #setSslSocketFactory(SSLSocketFactory) * * @param tc <code>X509Credential</code> to create TrustManagers with */ public void setSslTrustManagers(X509Credential tc) { if (tc != null) { try { TrustManagerFactory tmf = TrustManagerFactory .getInstance(TrustManagerFactory.getDefaultAlgorithm()); KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType()); keystore.load(null, null); for (X509Certificate c : tc.getEntityCertificateChain()) { keystore.setCertificateEntry("ldap_tls_trust_" + c.getSerialNumber(), c); } tmf.init(keystore); sslTrustManagers = tmf.getTrustManagers(); } catch (GeneralSecurityException e) { log.error("Error initializing trust managers", e); } catch (IOException e) { log.error("Error initializing trust managers", e); } } }
From source file:edu.washington.shibboleth.attribute.resolver.dc.rws.HttpDataSource.java
/** * Generate a socket factory using supplied key and trust stores */// w w w . ja va 2 s . com protected SSLConnectionSocketFactory getSocketFactory() throws IOException { TrustManager[] trustManagers = null; KeyManager[] keyManagers = null; try { /* trust managers */ if (caCertificateFile != null) { KeyStore trustStore; int cn = 0; log.info("Setting x509 trust from " + caCertificateFile); TrustManagerFactory tmf = TrustManagerFactory .getInstance(TrustManagerFactory.getDefaultAlgorithm()); CertificateFactory cf = CertificateFactory.getInstance("X.509"); FileInputStream in = new FileInputStream(caCertificateFile); Collection certs = cf.generateCertificates(in); trustStore = KeyStore.getInstance(KeyStore.getDefaultType()); trustStore.load(null, null); Iterator cit = certs.iterator(); while (cit.hasNext()) { X509Certificate cert = (X509Certificate) cit.next(); log.info(" adding " + cert.getSubjectX500Principal().toString()); System.out.println(" adding " + cert.getSubjectX500Principal().toString()); trustStore.setCertificateEntry("CACERT" + cn, cert); cn += 1; } tmf.init(trustStore); trustManagers = tmf.getTrustManagers(); } else { // no verification trustManagers = new TrustManager[] { new X509TrustManager() { public X509Certificate[] getAcceptedIssuers() { return null; } public void checkClientTrusted(X509Certificate[] certs, String authType) { return; } public void checkServerTrusted(X509Certificate[] certs, String authType) { return; } } }; } /* key manager */ if (certificateFile != null && keyFile != null) { KeyStore keyStore; KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); keyStore = KeyStore.getInstance(KeyStore.getDefaultType()); keyStore.load(null, null); FileInputStream in = new FileInputStream(certificateFile); CertificateFactory cf = CertificateFactory.getInstance("X.509"); X509Certificate cert = (X509Certificate) cf.generateCertificate(in); PKCS1 pkcs = new PKCS1(); log.info("reading key file: " + keyFile); PrivateKey key = pkcs.readKey(keyFile); X509Certificate[] chain = new X509Certificate[1]; chain[0] = cert; keyStore.setKeyEntry("CERT", (Key) key, "pw".toCharArray(), chain); kmf.init(keyStore, "pw".toCharArray()); keyManagers = kmf.getKeyManagers(); } /* socket factory */ SSLContext ctx = SSLContext.getInstance("TLS"); ctx.init(keyManagers, trustManagers, null); return new SSLConnectionSocketFactory(ctx); } catch (IOException e) { log.error("error reading cert or key error: " + e); } catch (KeyStoreException e) { log.error("keystore error: " + e); } catch (NoSuchAlgorithmException e) { log.error("sf error: " + e); } catch (KeyManagementException e) { log.error("sf error: " + e); } catch (CertificateException e) { log.error("sf error: " + e); } catch (UnrecoverableKeyException e) { log.error("sf error: " + e); } return null; }
From source file:org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.java
private void doConnect(final StudioProgressMonitor monitor) throws Exception { ldapConnection = null;//from w w w . ja v a 2 s . c o m isConnected = true; ldapConnectionConfig = new LdapConnectionConfig(); ldapConnectionConfig.setLdapHost(connection.getHost()); ldapConnectionConfig.setLdapPort(connection.getPort()); long timeout = connection.getTimeout(); if (timeout < 0) { timeout = 30000L; } ldapConnectionConfig.setTimeout(timeout); binaryAttributeDetector = new DefaultConfigurableBinaryAttributeDetector(); ldapConnectionConfig.setBinaryAttributeDetector(binaryAttributeDetector); if ((connection.getEncryptionMethod() == EncryptionMethod.LDAPS) || (connection.getEncryptionMethod() == EncryptionMethod.START_TLS)) { ldapConnectionConfig.setUseSsl(connection.getEncryptionMethod() == EncryptionMethod.LDAPS); ldapConnectionConfig.setUseTls(connection.getEncryptionMethod() == EncryptionMethod.START_TLS); try { // get default trust managers (using JVM "cacerts" key store) TrustManagerFactory factory = TrustManagerFactory .getInstance(TrustManagerFactory.getDefaultAlgorithm()); factory.init((KeyStore) null); TrustManager[] defaultTrustManagers = factory.getTrustManagers(); // create wrappers around the trust managers StudioTrustManager[] trustManagers = new StudioTrustManager[defaultTrustManagers.length]; for (int i = 0; i < defaultTrustManagers.length; i++) { trustManagers[i] = new StudioTrustManager((X509TrustManager) defaultTrustManagers[i]); trustManagers[i].setHost(connection.getHost()); } ldapConnectionConfig.setTrustManagers(trustManagers); } catch (Exception e) { e.printStackTrace(); throw new RuntimeException(e); } } InnerRunnable runnable = new InnerRunnable() { public void run() { try { // Set lower timeout for connecting long oldTimeout = ldapConnectionConfig.getTimeout(); ldapConnectionConfig.setTimeout(Math.min(oldTimeout, 5000L)); // Connecting ldapConnection = new LdapNetworkConnection(ldapConnectionConfig); boolean connected = ldapConnection.connect(); if (!connected) { throw new Exception(Messages.DirectoryApiConnectionWrapper_UnableToConnect); } // Set old timeout again ldapConnectionConfig.setTimeout(oldTimeout); } catch (Exception e) { exception = e; try { if (ldapConnection != null) { ldapConnection.close(); } } catch (Exception exception) { // Nothing to do } finally { ldapConnection = null; binaryAttributeDetector = null; } } } }; runAndMonitor(runnable, monitor); if (runnable.getException() != null) { throw runnable.getException(); } }
From source file:org.apache.geode.internal.net.SocketCreator.java
private TrustManager[] getTrustManagers() throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException { TrustManager[] trustManagers = null; GfeConsoleReader consoleReader = GfeConsoleReaderFactory.getDefaultConsoleReader(); String trustStoreType = sslConfig.getTruststoreType(); if (StringUtils.isEmpty(trustStoreType)) { // read from console, default on empty if (consoleReader.isSupported()) { trustStoreType = consoleReader .readLine("Please enter the trustStoreType (javax.net.ssl.trustStoreType) : "); } else {/* w ww. j a va2s . c o m*/ trustStoreType = KeyStore.getDefaultType(); } } KeyStore ts = KeyStore.getInstance(trustStoreType); String trustStorePath = sslConfig.getTruststore(); if (StringUtils.isEmpty(trustStorePath)) { if (consoleReader.isSupported()) { trustStorePath = consoleReader .readLine("Please enter the trustStore location (javax.net.ssl.trustStore) : "); } } FileInputStream fis = new FileInputStream(trustStorePath); String passwordString = sslConfig.getTruststorePassword(); char[] password = null; if (passwordString != null) { if (passwordString.trim().equals("")) { if (!StringUtils.isEmpty(passwordString)) { String toDecrypt = "encrypted(" + passwordString + ")"; passwordString = PasswordUtil.decrypt(toDecrypt); password = passwordString.toCharArray(); } // read from the console if (StringUtils.isEmpty(passwordString) && consoleReader.isSupported()) { password = consoleReader.readPassword( "Please enter password for trustStore (javax.net.ssl.trustStorePassword) : "); } } else { password = passwordString.toCharArray(); } } ts.load(fis, password); // default algorithm can be changed by setting property "ssl.TrustManagerFactory.algorithm" in // security properties TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); tmf.init(ts); trustManagers = tmf.getTrustManagers(); // follow the security tip in java doc if (password != null) { java.util.Arrays.fill(password, ' '); } return trustManagers; }
From source file:com.cisco.oss.foundation.http.netlifx.apache.ApacheNetflixHttpClient.java
protected void configureClient() { clientConfig = new DefaultClientConfigImpl(); clientConfig.loadProperties(getApiName()); setLoadBalancer(loadBalancer);/*ww w .jav a 2 s . c o m*/ // clientConfig.set(CommonClientConfigKey.NIWSServerListClassName, DiscoveryEnabledNIWSServerList.class.getName()); // clientConfig.set(IClientConfigKey.Keys.DeploymentContextBasedVipAddresses, metadata.getServiceName()); // clientConfig.set(CommonClientConfigKey.NFLoadBalancerRuleClassName, RoundRobinRule.class.getName()); // clientConfig.set(CommonClientConfigKey.NFLoadBalancerPingClassName, NIWSDiscoveryPing.class.getName()); // clientConfig.set(CommonClientConfigKey.VipAddressResolverClassName, SimpleVipAddressResolver.class.getName()); if (DiscoveryManager.getInstance().getDiscoveryClient() == null && startEurekaClient) { EurekaInstanceConfig eurekaInstanceConfig = new MyDataCenterInstanceConfig(getApiName()); EurekaClientConfig eurekaClientConfig = new DefaultEurekaClientConfig(getApiName() + "."); DiscoveryManager.getInstance().initComponent(eurekaInstanceConfig, eurekaClientConfig); } loadBalancer.initWithNiwsConfig(clientConfig); // if (HystrixPlugins.getInstance().getMetricsPublisher() == null) { // HystrixPlugins.getInstance().registerMetricsPublisher(HystrixMetricsPublisherDefault.getInstance()); // } RequestConfig.Builder requestBuilder = RequestConfig.custom(); requestBuilder = requestBuilder.setConnectTimeout(metadata.getConnectTimeout()); requestBuilder = requestBuilder.setSocketTimeout(metadata.getReadTimeout()); requestBuilder = requestBuilder.setStaleConnectionCheckEnabled(metadata.isStaleConnectionCheckEnabled()); RequestConfig requestConfig = requestBuilder.build(); boolean addSslSupport = StringUtils.isNotEmpty(metadata.getKeyStorePath()) && StringUtils.isNotEmpty(metadata.getKeyStorePassword()); boolean addTrustSupport = StringUtils.isNotEmpty(metadata.getTrustStorePath()) && StringUtils.isNotEmpty(metadata.getTrustStorePassword()); autoCloseable = metadata.isAutoCloseable(); autoEncodeUri = metadata.isAutoEncodeUri(); followRedirects = metadata.isFollowRedirects(); HttpClientBuilder httpClientBuilder = HttpClientBuilder.create(); SSLContext sslContext = null; try { String keystoreType = "JKS"; if (addSslSupport && addTrustSupport) { KeyStore keyStore = KeyStore.getInstance(keystoreType); keyStore.load(new FileInputStream(metadata.getKeyStorePath()), metadata.getKeyStorePassword().toCharArray()); KeyStore trustStore = KeyStore.getInstance(keystoreType); trustStore.load(new FileInputStream(metadata.getTrustStorePath()), metadata.getTrustStorePassword().toCharArray()); sslContext = SSLContexts.custom().useProtocol("TLS") .loadKeyMaterial(keyStore, metadata.getKeyStorePassword().toCharArray()) .loadTrustMaterial(trustStore, null).build(); } else if (addSslSupport) { TrustManagerFactory tmf = TrustManagerFactory .getInstance(TrustManagerFactory.getDefaultAlgorithm()); KeyStore keyStore = KeyStore.getInstance(keystoreType); keyStore.load(new FileInputStream(metadata.getKeyStorePath()), metadata.getKeyStorePassword().toCharArray()); tmf.init(keyStore); sslContext = SSLContexts.custom().useProtocol("SSL") .loadKeyMaterial(keyStore, metadata.getKeyStorePassword().toCharArray()).build(); sslContext.init(null, tmf.getTrustManagers(), null); SSLConnectionSocketFactory sf = new SSLConnectionSocketFactory(sslContext, hostnameVerifier); httpClientBuilder.setSSLSocketFactory(sf); } else if (addTrustSupport) { KeyStore trustStore = KeyStore.getInstance(keystoreType); trustStore.load(new FileInputStream(metadata.getTrustStorePath()), metadata.getTrustStorePassword().toCharArray()); sslContext = SSLContexts.custom().useProtocol("TLS").loadTrustMaterial(trustStore, null).build(); } if (addSslSupport | addTrustSupport) { SSLContext.setDefault(sslContext); httpClientBuilder.setSslcontext(sslContext); } } catch (Exception e) { LOGGER.error("can't set TLS Support. Error is: {}", e, e); } httpClientBuilder.setMaxConnPerRoute(metadata.getMaxConnectionsPerAddress()) .setMaxConnTotal(metadata.getMaxConnectionsTotal()).setDefaultRequestConfig(requestConfig) .evictExpiredConnections().evictIdleConnections(metadata.getIdleTimeout(), TimeUnit.MILLISECONDS) .setKeepAliveStrategy(new InfraConnectionKeepAliveStrategy(metadata.getIdleTimeout())); HttpAsyncClientBuilder httpAsyncClientBuilder = HttpAsyncClients.custom(); httpAsyncClientBuilder.setDefaultRequestConfig(requestConfig) .setMaxConnPerRoute(metadata.getMaxConnectionsPerAddress()) .setMaxConnTotal(metadata.getMaxConnectionsTotal()) .setKeepAliveStrategy(new InfraConnectionKeepAliveStrategy(metadata.getIdleTimeout())) .setSSLContext(sslContext); if (metadata.isDisableCookies()) { httpClientBuilder.disableCookieManagement(); httpAsyncClientBuilder.disableCookieManagement(); } if (hostnameVerifier != null) { httpClientBuilder.setSSLHostnameVerifier(hostnameVerifier); httpAsyncClientBuilder.setSSLHostnameVerifier(hostnameVerifier); } if (!followRedirects) { httpClientBuilder.disableRedirectHandling(); } httpClient = httpClientBuilder.build(); httpAsyncClient = httpAsyncClientBuilder.build(); httpAsyncClient.start(); }