Apache CXF example source code file (SSLUtils.java)
The Apache CXF SSLUtils.java source code/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.cxf.transport.https;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.lang.reflect.Method;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.servlet.http.HttpServletRequest;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.configuration.security.FiltersType;
import org.apache.cxf.message.Message;
import org.apache.cxf.security.transport.TLSSessionInfo;
/**
* Holder for utility methods related to manipulating SSL settings, common
* to the connection and listener factories (previously duplicated).
*/
public final class SSLUtils {
static final String PKCS12_TYPE = "PKCS12";
private static final String DEFAULT_KEYSTORE_TYPE = "PKCS12";
private static final String DEFAULT_TRUST_STORE_TYPE = "JKS";
private static final String DEFAULT_SECURE_SOCKET_PROTOCOL = "TLSv1";
private static final String CERTIFICATE_FACTORY_TYPE = "X.509";
private static final String SSL_CIPHER_SUITE_ATTRIBUTE = "javax.servlet.request.cipher_suite";
private static final String SSL_PEER_CERT_CHAIN_ATTRIBUTE = "javax.servlet.request.X509Certificate";
private static final boolean DEFAULT_REQUIRE_CLIENT_AUTHENTICATION = false;
private static final boolean DEFAULT_WANT_CLIENT_AUTHENTICATION = true;
/**
* By default, only include export-compatible ciphersuites.
*/
private static final List<String> DEFAULT_CIPHERSUITE_FILTERS_INCLUDE =
Arrays.asList(new String[] {".*"});
private static final List<String> DEFAULT_CIPHERSUITE_FILTERS_EXCLUDE =
Arrays.asList(new String[] {".*_NULL_.*",
".*_anon_.*"});
private SSLUtils() {
}
public static KeyManager[] getKeyStoreManagers(
String keyStoreLocation,
String keyStoreType,
String keyStorePassword,
String keyPassword,
String keyStoreMgrFactoryAlgorithm,
String secureSocketProtocol,
Logger log)
throws Exception {
//TODO for performance reasons we should cache
// the KeymanagerFactory and TrustManagerFactory
if ((keyStorePassword != null)
&& (keyPassword != null)
&& (!keyStorePassword.equals(keyPassword))) {
LogUtils.log(log,
Level.WARNING,
"KEY_PASSWORD_NOT_SAME_KEYSTORE_PASSWORD");
}
KeyManager[] keystoreManagers = null;
KeyManagerFactory kmf =
KeyManagerFactory.getInstance(keyStoreMgrFactoryAlgorithm);
KeyStore ks = KeyStore.getInstance(keyStoreType);
if (keyStoreType.equalsIgnoreCase(PKCS12_TYPE)) {
FileInputStream fis = new FileInputStream(keyStoreLocation);
DataInputStream dis = new DataInputStream(fis);
byte[] bytes = new byte[dis.available()];
dis.readFully(bytes);
ByteArrayInputStream bin = new ByteArrayInputStream(bytes);
if (keyStorePassword != null) {
keystoreManagers = loadKeyStore(kmf,
ks,
bin,
keyStoreLocation,
keyStorePassword,
log);
}
} else {
byte[] sslCert = loadClientCredential(keyStoreLocation);
if (sslCert != null && sslCert.length > 0 && keyStorePassword != null) {
ByteArrayInputStream bin = new ByteArrayInputStream(sslCert);
keystoreManagers = loadKeyStore(kmf,
ks,
bin,
keyStoreLocation,
keyStorePassword,
log);
}
}
if ((keyStorePassword == null) && (keyStoreLocation != null)) {
LogUtils.log(log, Level.WARNING,
"FAILED_TO_LOAD_KEYSTORE_NULL_PASSWORD",
keyStoreLocation);
}
return keystoreManagers;
}
public static KeyManager[] loadKeyStore(KeyManagerFactory kmf,
KeyStore ks,
ByteArrayInputStream bin,
String keyStoreLocation,
String keyStorePassword,
Logger log) {
KeyManager[] keystoreManagers = null;
try {
ks.load(bin, keyStorePassword.toCharArray());
kmf.init(ks, keyStorePassword.toCharArray());
keystoreManagers = kmf.getKeyManagers();
LogUtils.log(log,
Level.FINE,
"LOADED_KEYSTORE",
keyStoreLocation);
} catch (Exception e) {
LogUtils.log(log,
Level.WARNING,
"FAILED_TO_LOAD_KEYSTORE",
new Object[]{keyStoreLocation, e.getMessage()});
}
return keystoreManagers;
}
public static TrustManager[] getTrustStoreManagers(
boolean pkcs12,
String trustStoreType,
String trustStoreLocation,
String trustStoreMgrFactoryAlgorithm,
Logger log)
throws Exception {
// ********************** Load Trusted CA file **********************
TrustManager[] trustStoreManagers = null;
KeyStore trustedCertStore = KeyStore.getInstance(trustStoreType);
if (pkcs12) {
//TODO could support multiple trust cas
trustStoreManagers = new TrustManager[1];
trustedCertStore.load(null, "".toCharArray());
CertificateFactory cf = CertificateFactory.getInstance(CERTIFICATE_FACTORY_TYPE);
byte[] caCert = loadCACert(trustStoreLocation);
try {
if (caCert != null) {
ByteArrayInputStream cabin = new ByteArrayInputStream(caCert);
X509Certificate cert = (X509Certificate)cf.generateCertificate(cabin);
trustedCertStore.setCertificateEntry(cert.getIssuerDN().toString(), cert);
cabin.close();
}
} catch (Exception e) {
LogUtils.log(log, Level.WARNING, "FAILED_TO_LOAD_TRUST_STORE",
new Object[]{trustStoreLocation, e.getMessage()});
}
} else {
trustedCertStore.load(new FileInputStream(trustStoreLocation), null);
}
TrustManagerFactory tmf =
TrustManagerFactory.getInstance(trustStoreMgrFactoryAlgorithm);
tmf.init(trustedCertStore);
LogUtils.log(log, Level.FINE, "LOADED_TRUST_STORE", trustStoreLocation);
trustStoreManagers = tmf.getTrustManagers();
return trustStoreManagers;
}
protected static byte[] loadClientCredential(String fileName) throws IOException {
if (fileName == null) {
return null;
}
FileInputStream in = new FileInputStream(fileName);
ByteArrayOutputStream out = new ByteArrayOutputStream();
byte[] buf = new byte[512];
int i = in.read(buf);
while (i > 0) {
out.write(buf, 0, i);
i = in.read(buf);
}
in.close();
return out.toByteArray();
}
protected static byte[] loadCACert(String fileName) throws IOException {
if (fileName == null) {
return null;
}
FileInputStream in = new FileInputStream(fileName);
ByteArrayOutputStream out = new ByteArrayOutputStream();
byte[] buf = new byte[512];
int i = in.read(buf);
while (i > 0) {
out.write(buf, 0, i);
i = in.read(buf);
}
in.close();
return out.toByteArray();
}
public static String getKeystore(String keyStoreLocation, Logger log) {
String logMsg = null;
if (keyStoreLocation != null) {
logMsg = "KEY_STORE_SET";
} else {
keyStoreLocation = System.getProperty("javax.net.ssl.keyStore");
if (keyStoreLocation != null) {
logMsg = "KEY_STORE_SYSTEM_PROPERTY_SET";
} else {
keyStoreLocation =
System.getProperty("user.home") + "/.keystore";
logMsg = "KEY_STORE_NOT_SET";
}
}
LogUtils.log(log, Level.FINE, logMsg, keyStoreLocation);
return keyStoreLocation;
}
public static String getKeystoreType(String keyStoreType, Logger log) {
String logMsg = null;
if (keyStoreType != null) {
logMsg = "KEY_STORE_TYPE_SET";
} else {
keyStoreType = DEFAULT_KEYSTORE_TYPE;
logMsg = "KEY_STORE_TYPE_NOT_SET";
}
LogUtils.log(log, Level.FINE, logMsg, keyStoreType);
return keyStoreType;
}
public static String getKeystorePassword(String keyStorePassword,
Logger log) {
String logMsg = null;
if (keyStorePassword != null) {
logMsg = "KEY_STORE_PASSWORD_SET";
} else {
keyStorePassword =
System.getProperty("javax.net.ssl.keyStorePassword");
logMsg = keyStorePassword != null
? "KEY_STORE_PASSWORD_SYSTEM_PROPERTY_SET"
: "KEY_STORE_PASSWORD_NOT_SET";
}
LogUtils.log(log, Level.FINE, logMsg);
return keyStorePassword;
}
public static String getKeyPassword(String keyPassword, Logger log) {
String logMsg = null;
if (keyPassword != null) {
logMsg = "KEY_PASSWORD_SET";
} else {
keyPassword =
System.getProperty("javax.net.ssl.keyStorePassword");
logMsg = keyPassword != null
? "KEY_PASSWORD_SYSTEM_PROPERTY_SET"
: "KEY_PASSWORD_NOT_SET";
}
LogUtils.log(log, Level.FINE, logMsg);
return keyPassword;
}
public static String getKeystoreAlgorithm(
String keyStoreMgrFactoryAlgorithm,
Logger log) {
String logMsg = null;
if (keyStoreMgrFactoryAlgorithm != null) {
logMsg = "KEY_STORE_ALGORITHM_SET";
} else {
keyStoreMgrFactoryAlgorithm =
KeyManagerFactory.getDefaultAlgorithm();
logMsg = "KEY_STORE_ALGORITHM_NOT_SET";
}
LogUtils.log(log, Level.FINE, logMsg, keyStoreMgrFactoryAlgorithm);
return keyStoreMgrFactoryAlgorithm;
}
public static String getTrustStoreAlgorithm(
String trustStoreMgrFactoryAlgorithm,
Logger log) {
String logMsg = null;
if (trustStoreMgrFactoryAlgorithm != null) {
logMsg = "TRUST_STORE_ALGORITHM_SET";
} else {
trustStoreMgrFactoryAlgorithm =
TrustManagerFactory.getDefaultAlgorithm();
logMsg = "TRUST_STORE_ALGORITHM_NOT_SET";
}
LogUtils.log(log, Level.FINE, logMsg, trustStoreMgrFactoryAlgorithm);
return trustStoreMgrFactoryAlgorithm;
}
public static SSLContext getSSLContext(String protocol,
KeyManager[] keyStoreManagers,
TrustManager[] trustStoreManagers)
throws NoSuchAlgorithmException, KeyManagementException {
SSLContext ctx = SSLContext.getInstance(protocol);
ctx.init(keyStoreManagers, trustStoreManagers, null);
return ctx;
}
public static String[] getSupportedCipherSuites(SSLContext context) {
return context.getSocketFactory().getSupportedCipherSuites();
}
public static String[] getServerSupportedCipherSuites(SSLContext context) {
return context.getServerSocketFactory().getSupportedCipherSuites();
}
public static String[] getCiphersuites(List<String> cipherSuitesList,
String[] supportedCipherSuites,
FiltersType filters,
Logger log, boolean exclude) {
String[] cipherSuites = null;
if (!(cipherSuitesList == null || cipherSuitesList.isEmpty())) {
cipherSuites = getCiphersFromList(cipherSuitesList, log, exclude);
} else {
LogUtils.log(log, Level.FINE, "CIPHERSUITES_NOT_SET");
if (filters == null) {
LogUtils.log(log, Level.FINE, "CIPHERSUITE_FILTERS_NOT_SET");
}
List<String> filteredCipherSuites = new ArrayList
Other Apache CXF examples (source code examples)Here is a short list of links related to this Apache CXF SSLUtils.java source code file: |
The search page
Other Apache CXF source code examples at this package level
Click here to learn more about this project
