cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject cxf git commit: Some SSL refactoring
Date Fri, 12 Feb 2016 17:23:22 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 4660cd8ca -> 2e6ca288a


Some SSL refactoring


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2e6ca288
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2e6ca288
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2e6ca288

Branch: refs/heads/master
Commit: 2e6ca288a9b363f3cfe08afec071427a13a25ff3
Parents: 4660cd8
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Fri Feb 12 17:23:14 2016 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Fri Feb 12 17:23:14 2016 +0000

----------------------------------------------------------------------
 .../apache/cxf/configuration/jsse/SSLUtils.java | 43 +++++++++++---------
 .../http/asyncclient/AsyncHTTPConduit.java      | 31 ++------------
 .../http_jetty/JettyHTTPServerEngine.java       | 20 ++-------
 .../https/HttpsURLConnectionFactory.java        | 42 +++----------------
 .../apache/cxf/transport/https/SSLUtils.java    | 22 ++++++----
 5 files changed, 51 insertions(+), 107 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/2e6ca288/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java b/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java
index b485f3e..4132b35 100644
--- a/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java
+++ b/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java
@@ -96,9 +96,9 @@ public final class SSLUtils {
         throws Exception {
         //TODO for performance reasons we should cache
         // the KeymanagerFactory and TrustManagerFactory 
-        if ((keyStorePassword != null)
-            && (keyPassword != null) 
-            && (!keyStorePassword.equals(keyPassword))) {
+        if (keyStorePassword != null
+            && keyPassword != null 
+            && !keyStorePassword.equals(keyPassword)) {
             LogUtils.log(log,
                          Level.WARNING,
                          "KEY_PASSWORD_NOT_SAME_KEYSTORE_PASSWORD");
@@ -111,30 +111,32 @@ public final class SSLUtils {
         if (keyStoreType.equalsIgnoreCase(PKCS12_TYPE)) {
             Path path = FileSystems.getDefault().getPath(keyStoreLocation);
             byte[] bytes = Files.readAllBytes(path);
-            ByteArrayInputStream bin = new ByteArrayInputStream(bytes);
+            try (ByteArrayInputStream bin = new ByteArrayInputStream(bytes)) {
             
-            if (keyStorePassword != null) {
-                keystoreManagers = loadKeyStore(kmf,
-                                                ks,
-                                                bin,
-                                                keyStoreLocation,
-                                                keyStorePassword,
-                                                log);
+                if (keyStorePassword != null) {
+                    keystoreManagers = loadKeyStore(kmf,
+                                                    ks,
+                                                    bin,
+                                                    keyStoreLocation,
+                                                    keyStorePassword,
+                                                    log);
+                }
             }
         } else {        
             byte[] sslCert = loadFile(keyStoreLocation);
             
             if (sslCert != null && sslCert.length > 0 && keyStorePassword
!= null) {
-                ByteArrayInputStream bin = new ByteArrayInputStream(sslCert);
-                keystoreManagers = loadKeyStore(kmf,
+                try (ByteArrayInputStream bin = new ByteArrayInputStream(sslCert)) {
+                    keystoreManagers = loadKeyStore(kmf,
                                                 ks,
                                                 bin,
                                                 keyStoreLocation,
                                                 keyStorePassword,
                                                 log);
+                }
             }  
         }
-        if ((keyStorePassword == null) && (keyStoreLocation != null)) {
+        if (keyStorePassword == null && keyStoreLocation != null) {
             LogUtils.log(log, Level.WARNING,
                          "FAILED_TO_LOAD_KEYSTORE_NULL_PASSWORD", 
                          keyStoreLocation);
@@ -151,6 +153,7 @@ public final class SSLUtils {
         }
         return defaultManagers;
     }
+    
     private static synchronized void loadDefaultKeyManagers(Logger log) {
         if (defaultManagers != null) {
             return;
@@ -233,10 +236,10 @@ public final class SSLUtils {
             byte[] caCert = loadFile(trustStoreLocation);
             try {
                 if (caCert != null) {
-                    ByteArrayInputStream cabin = new ByteArrayInputStream(caCert);
-                    X509Certificate cert = (X509Certificate)cf.generateCertificate(cabin);
-                    trustedCertStore.setCertificateEntry(cert.getIssuerDN().toString(), cert);
-                    cabin.close();
+                    try (ByteArrayInputStream cabin = new ByteArrayInputStream(caCert)) {
+                        X509Certificate cert = (X509Certificate)cf.generateCertificate(cabin);
+                        trustedCertStore.setCertificateEntry(cert.getIssuerDN().toString(),
cert);
+                    }
                 }
             } catch (Exception e) {
                 LogUtils.log(log, Level.WARNING, "FAILED_TO_LOAD_TRUST_STORE", 
@@ -284,6 +287,7 @@ public final class SSLUtils {
     public static String getKeystoreType(String keyStoreType, Logger log) {
         return getKeystoreType(keyStoreType, log, DEFAULT_KEYSTORE_TYPE);
     }
+    
     public static String getKeystoreType(String keyStoreType, Logger log, String def) {
         String logMsg = null;
         if (keyStoreType != null) {
@@ -299,7 +303,8 @@ public final class SSLUtils {
         }
         LogUtils.log(log, Level.FINE, logMsg, keyStoreType);
         return keyStoreType;
-    }  
+    }
+    
     public static String getKeystoreProvider(String keyStoreProvider, Logger log) {
         String logMsg = null;
         if (keyStoreProvider != null) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/2e6ca288/rt/transports/http-hc/src/main/java/org/apache/cxf/transport/http/asyncclient/AsyncHTTPConduit.java
----------------------------------------------------------------------
diff --git a/rt/transports/http-hc/src/main/java/org/apache/cxf/transport/http/asyncclient/AsyncHTTPConduit.java
b/rt/transports/http-hc/src/main/java/org/apache/cxf/transport/http/asyncclient/AsyncHTTPConduit.java
index 8483631..a3421e3 100644
--- a/rt/transports/http-hc/src/main/java/org/apache/cxf/transport/http/asyncclient/AsyncHTTPConduit.java
+++ b/rt/transports/http-hc/src/main/java/org/apache/cxf/transport/http/asyncclient/AsyncHTTPConduit.java
@@ -47,7 +47,6 @@ import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLSession;
-import javax.net.ssl.X509KeyManager;
 
 import org.apache.cxf.Bus;
 import org.apache.cxf.common.util.StringUtils;
@@ -65,7 +64,6 @@ import org.apache.cxf.transport.http.Address;
 import org.apache.cxf.transport.http.Headers;
 import org.apache.cxf.transport.http.URLConnectionHTTPConduit;
 import org.apache.cxf.transport.http.asyncclient.AsyncHTTPConduitFactory.UseAsyncPolicy;
-import org.apache.cxf.transport.https.AliasedX509ExtendedKeyManager;
 import org.apache.cxf.transport.https.HttpsURLConnectionInfo;
 import org.apache.cxf.transports.http.configuration.HTTPClientPolicy;
 import org.apache.cxf.version.Version;
@@ -878,10 +876,11 @@ public class AsyncHTTPConduit extends URLConnectionHTTPConduit {
         SSLContext ctx = provider == null ? SSLContext.getInstance(protocol) : SSLContext
             .getInstance(protocol, provider);
         ctx.getClientSessionContext().setSessionTimeout(tlsClientParameters.getSslCacheTimeout());
+        
         KeyManager[] keyManagers = tlsClientParameters.getKeyManagers();
-        if (tlsClientParameters.getCertAlias() != null) {
-            keyManagers = getKeyManagersWithCertAlias(tlsClientParameters, keyManagers);
-        }
+        org.apache.cxf.transport.https.SSLUtils.configureKeyManagersWithCertAlias(
+            tlsClientParameters, keyManagers);
+
         ctx.init(keyManagers, tlsClientParameters.getTrustManagers(),
                  tlsClientParameters.getSecureRandom());
         
@@ -931,26 +930,4 @@ public class AsyncHTTPConduit extends URLConnectionHTTPConduit {
         return list.toArray(new String[list.size()]);
     }
 
-    protected static KeyManager[] getKeyManagersWithCertAlias(TLSClientParameters tlsClientParameters,
-                                                      KeyManager[] keyManagers) throws GeneralSecurityException
{
-        if (tlsClientParameters.getCertAlias() != null) {
-            KeyManager ret[] = new KeyManager[keyManagers.length];  
-            for (int idx = 0; idx < keyManagers.length; idx++) {
-                if (keyManagers[idx] instanceof X509KeyManager) {
-                    try {
-                        ret[idx] = new AliasedX509ExtendedKeyManager(tlsClientParameters.getCertAlias(),
-                                                                             (X509KeyManager)keyManagers[idx]);
-                    } catch (Exception e) {
-                        throw new GeneralSecurityException(e);
-                    }
-                } else {
-                    ret[idx] = keyManagers[idx]; 
-                }
-            }
-            return ret;
-        }
-        return keyManagers;
-    }
-
-
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/2e6ca288/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
----------------------------------------------------------------------
diff --git a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
index e6f0fed..67e960b 100644
--- a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
+++ b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
@@ -34,7 +34,6 @@ import java.util.logging.Logger;
 import javax.annotation.PostConstruct;
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.SSLContext;
-import javax.net.ssl.X509KeyManager;
 import javax.servlet.RequestDispatcher;
 import javax.servlet.ServletContext;
 import javax.servlet.http.HttpServletRequest;
@@ -52,7 +51,6 @@ import org.apache.cxf.configuration.jsse.TLSServerParameters;
 import org.apache.cxf.configuration.security.ClientAuthentication;
 import org.apache.cxf.interceptor.Fault;
 import org.apache.cxf.transport.HttpUriMapper;
-import org.apache.cxf.transport.https.AliasedX509ExtendedKeyManager;
 import org.eclipse.jetty.http.HttpStatus;
 import org.eclipse.jetty.security.SecurityHandler;
 import org.eclipse.jetty.server.AbstractConnector;
@@ -729,9 +727,9 @@ public class JettyHTTPServerEngine implements ServerEngine {
                 : SSLContext.getInstance(proto, tlsServerParameters.getJsseProvider());
             
         KeyManager keyManagers[] = tlsServerParameters.getKeyManagers();
-        if (tlsServerParameters.getCertAlias() != null) {
-            keyManagers = getKeyManagersWithCertAlias(keyManagers);
-        }
+        org.apache.cxf.transport.https.SSLUtils.configureKeyManagersWithCertAlias(
+            tlsServerParameters, keyManagers);
+        
         context.init(tlsServerParameters.getKeyManagers(), 
                      tlsServerParameters.getTrustManagers(),
                      tlsServerParameters.getSecureRandom());
@@ -760,17 +758,7 @@ public class JettyHTTPServerEngine implements ServerEngine {
         
         return context;
     }
-    protected KeyManager[] getKeyManagersWithCertAlias(KeyManager keyManagers[]) throws Exception
{
-        if (tlsServerParameters.getCertAlias() != null) {
-            for (int idx = 0; idx < keyManagers.length; idx++) {
-                if (keyManagers[idx] instanceof X509KeyManager) {
-                    keyManagers[idx] = new AliasedX509ExtendedKeyManager(
-                        tlsServerParameters.getCertAlias(), (X509KeyManager)keyManagers[idx]);
-                }
-            }
-        }
-        return keyManagers;
-    }
+
     protected void setClientAuthentication(SslContextFactory con,
                                            ClientAuthentication clientAuth) {
         con.setWantClientAuth(true);

http://git-wip-us.apache.org/repos/asf/cxf/blob/2e6ca288/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java
----------------------------------------------------------------------
diff --git a/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java
b/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java
index f5d88de..0d02d6b 100644
--- a/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java
+++ b/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java
@@ -32,10 +32,8 @@ import java.util.logging.Logger;
 
 import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.HttpsURLConnection;
-import javax.net.ssl.KeyManager;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLSocketFactory;
-import javax.net.ssl.X509KeyManager;
 
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.util.ReflectionInvokationHandler;
@@ -152,23 +150,8 @@ public class HttpsURLConnectionFactory {
             // ssl socket factory not yet instantiated, create a new one with tlsClientParameters's
Trust
             // Managers, Key Managers, etc
 
-            String provider = tlsClientParameters.getJsseProvider();
-
-            String protocol = tlsClientParameters.getSecureSocketProtocol() != null ? tlsClientParameters
-                .getSecureSocketProtocol() : "TLS";
-
-            SSLContext ctx = provider == null ? SSLContext.getInstance(protocol) : SSLContext
-                .getInstance(protocol, provider);
-            ctx.getClientSessionContext().setSessionTimeout(tlsClientParameters.getSslCacheTimeout());
-            KeyManager[] keyManagers = tlsClientParameters.getKeyManagers();
-            if (keyManagers == null) {
-                keyManagers = SSLUtils.getDefaultKeyStoreManagers(LOG);
-            }
-            if (tlsClientParameters.getCertAlias() != null) {
-                getKeyManagersWithCertAlias(tlsClientParameters, keyManagers);
-            }
-            ctx.init(keyManagers, tlsClientParameters.getTrustManagers(),
-                     tlsClientParameters.getSecureRandom());
+            SSLContext ctx = 
+                org.apache.cxf.transport.https.SSLUtils.getSSLContext(tlsClientParameters);
 
             String[] cipherSuites = 
                 SSLUtils.getCiphersuitesToInclude(tlsClientParameters.getCipherSuites(),

@@ -178,9 +161,11 @@ public class HttpsURLConnectionFactory {
                                                   LOG);
             // The SSLSocketFactoryWrapper enables certain cipher suites
             // from the policy.
+            String protocol = tlsClientParameters.getSecureSocketProtocol() != null ? tlsClientParameters
+                .getSecureSocketProtocol() : "TLS";
             socketFactory = new SSLSocketFactoryWrapper(ctx.getSocketFactory(), cipherSuites,
                                                         protocol);
-            //recalc the hashcode since somet of the above MAY have changed the tlsClientParameters

+            //recalc the hashcode since some of the above MAY have changed the tlsClientParameters

             lastTlsHash = tlsClientParameters.hashCode();
         } else {
            // ssl socket factory already initialized, reuse it to benefit of keep alive
@@ -259,23 +244,6 @@ public class HttpsURLConnectionFactory {
         LOG.addHandler(handler);
     }
     
-    protected void getKeyManagersWithCertAlias(TLSClientParameters tlsClientParameters,
-                                               KeyManager[] keyManagers) throws GeneralSecurityException
{
-        if (tlsClientParameters.getCertAlias() != null && keyManagers != null) {
-            for (int idx = 0; idx < keyManagers.length; idx++) {
-                if (keyManagers[idx] instanceof X509KeyManager
-                    && !(keyManagers[idx] instanceof AliasedX509ExtendedKeyManager))
{
-                    try {
-                        keyManagers[idx] = new AliasedX509ExtendedKeyManager(
-                            tlsClientParameters.getCertAlias(), (X509KeyManager)keyManagers[idx]);
-                    } catch (Exception e) {
-                        throw new GeneralSecurityException(e);
-                    }
-                }
-            }
-        }
-    }
-
 }
 
 

http://git-wip-us.apache.org/repos/asf/cxf/blob/2e6ca288/rt/transports/http/src/main/java/org/apache/cxf/transport/https/SSLUtils.java
----------------------------------------------------------------------
diff --git a/rt/transports/http/src/main/java/org/apache/cxf/transport/https/SSLUtils.java
b/rt/transports/http/src/main/java/org/apache/cxf/transport/https/SSLUtils.java
index 183f80e..11d8ddd 100644
--- a/rt/transports/http/src/main/java/org/apache/cxf/transport/https/SSLUtils.java
+++ b/rt/transports/http/src/main/java/org/apache/cxf/transport/https/SSLUtils.java
@@ -19,6 +19,7 @@
 package org.apache.cxf.transport.https;
 
 import java.security.GeneralSecurityException;
+import java.util.logging.Logger;
 
 import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.HttpsURLConnection;
@@ -27,6 +28,7 @@ import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.X509KeyManager;
 
+import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.configuration.jsse.TLSClientParameters;
 import org.apache.cxf.configuration.jsse.TLSParameterBase;
 import org.apache.cxf.configuration.jsse.TLSServerParameters;
@@ -35,6 +37,9 @@ import org.apache.cxf.transport.https.httpclient.DefaultHostnameVerifier;
 import org.apache.cxf.transport.https.httpclient.PublicSuffixMatcherLoader;
 
 public final class SSLUtils {
+    
+    private static final Logger LOG = LogUtils.getL7dLogger(SSLUtils.class);
+                              
     private SSLUtils() {
         //Helper class
     }
@@ -54,7 +59,7 @@ public final class SSLUtils {
         return verifier;
     }
     
-    public static SSLContext getSSLContext(TLSParameterBase parameters) throws Exception
{
+    public static SSLContext getSSLContext(TLSParameterBase parameters) throws GeneralSecurityException
{
         // TODO do we need to cache the context
         String provider = parameters.getJsseProvider();
 
@@ -68,24 +73,25 @@ public final class SSLUtils {
             ctx.getClientSessionContext().setSessionTimeout(((TLSClientParameters)parameters).getSslCacheTimeout());
         }
         
-        // TODO setting on the server side
-        
         KeyManager[] keyManagers = parameters.getKeyManagers();
-        if (parameters.getCertAlias() != null) {
-            getKeyManagersWithCertAlias(parameters, keyManagers);
+        if (keyManagers == null && parameters instanceof TLSClientParameters) {
+            keyManagers = org.apache.cxf.configuration.jsse.SSLUtils.getDefaultKeyStoreManagers(LOG);
         }
+        configureKeyManagersWithCertAlias(parameters, keyManagers);
+        
         ctx.init(keyManagers, parameters.getTrustManagers(),
                  parameters.getSecureRandom());
         
         return ctx;
     }
         
-    protected static void getKeyManagersWithCertAlias(TLSParameterBase tlsParameters,
+    public static void configureKeyManagersWithCertAlias(TLSParameterBase tlsParameters,
                                                       KeyManager[] keyManagers)
         throws GeneralSecurityException {
-        if (tlsParameters.getCertAlias() != null) {
+        if (tlsParameters.getCertAlias() != null && keyManagers != null) {
             for (int idx = 0; idx < keyManagers.length; idx++) {
-                if (keyManagers[idx] instanceof X509KeyManager) {
+                if (keyManagers[idx] instanceof X509KeyManager
+                    && !(keyManagers[idx] instanceof AliasedX509ExtendedKeyManager))
{
                     try {
                         keyManagers[idx] = new AliasedX509ExtendedKeyManager(tlsParameters.getCertAlias(),
                                                                              (X509KeyManager)keyManagers[idx]);


Mime
View raw message