Allow to use custom TrustManagerFactory for JdkSslServerContent and OpenSslServerContext
Motivation: When using client auth it is sometimes needed to use a custom TrustManagerFactory. Modifications: Allow to pass in TrustManagerFactory Result: It's now possible to use custom TrustManagerFactories for JdkSslServerContext and OpenSslServerContext
This commit is contained in:
Norman Maurer
Norman Maurer
parent
8eddeb1ddd
commit
0f152cfbc4
@ -67,7 +67,8 @@ public final class OpenSslServerContext extends OpenSslContext {
|
|||||||
* {@code null} if it's not password-protected.
|
* {@code null} if it's not password-protected.
|
||||||
*/
|
*/
|
||||||
public OpenSslServerContext(File certChainFile, File keyFile, String keyPassword) throws SSLException {
|
public OpenSslServerContext(File certChainFile, File keyFile, String keyPassword) throws SSLException {
|
||||||
this(certChainFile, keyFile, keyPassword, null, OpenSslDefaultApplicationProtocolNegotiator.INSTANCE, 0, 0);
|
this(certChainFile, keyFile, keyPassword, null, null,
|
||||||
|
OpenSslDefaultApplicationProtocolNegotiator.INSTANCE, 0, 0);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -89,7 +90,8 @@ public final class OpenSslServerContext extends OpenSslContext {
|
|||||||
File certChainFile, File keyFile, String keyPassword,
|
File certChainFile, File keyFile, String keyPassword,
|
||||||
Iterable<String> ciphers, ApplicationProtocolConfig apn,
|
Iterable<String> ciphers, ApplicationProtocolConfig apn,
|
||||||
long sessionCacheSize, long sessionTimeout) throws SSLException {
|
long sessionCacheSize, long sessionTimeout) throws SSLException {
|
||||||
this(certChainFile, keyFile, keyPassword, ciphers, toNegotiator(apn, false), sessionCacheSize, sessionTimeout);
|
this(certChainFile, keyFile, keyPassword, null, ciphers,
|
||||||
|
toNegotiator(apn, false), sessionCacheSize, sessionTimeout);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -108,12 +110,12 @@ public final class OpenSslServerContext extends OpenSslContext {
|
|||||||
* {@code 0} to use the default value.
|
* {@code 0} to use the default value.
|
||||||
*/
|
*/
|
||||||
public OpenSslServerContext(
|
public OpenSslServerContext(
|
||||||
File certChainFile, File keyFile, String keyPassword,
|
File certChainFile, File keyFile, String keyPassword, TrustManagerFactory trustManagerFactory,
|
||||||
Iterable<String> ciphers, OpenSslApplicationProtocolNegotiator apn,
|
Iterable<String> ciphers, OpenSslApplicationProtocolNegotiator apn,
|
||||||
long sessionCacheSize, long sessionTimeout) throws SSLException {
|
long sessionCacheSize, long sessionTimeout) throws SSLException {
|
||||||
|
|
||||||
super(ciphers, apn, sessionCacheSize, sessionTimeout, SSL.SSL_MODE_SERVER);
|
super(ciphers, apn, sessionCacheSize, sessionTimeout, SSL.SSL_MODE_SERVER);
|
||||||
OpenSsl.ensureAvailability();
|
OpenSsl.ensureAvailability();
|
||||||
|
|
||||||
checkNotNull(certChainFile, "certChainFile");
|
checkNotNull(certChainFile, "certChainFile");
|
||||||
if (!certChainFile.isFile()) {
|
if (!certChainFile.isFile()) {
|
||||||
@ -190,11 +192,16 @@ public final class OpenSslServerContext extends OpenSslContext {
|
|||||||
|
|
||||||
ks.setKeyEntry("key", key, keyPasswordChars, certChain.toArray(new Certificate[certChain.size()]));
|
ks.setKeyEntry("key", key, keyPasswordChars, certChain.toArray(new Certificate[certChain.size()]));
|
||||||
|
|
||||||
// This mimics the behavior of using SSLContext.init(...);
|
if (trustManagerFactory == null) {
|
||||||
TrustManagerFactory factory = TrustManagerFactory.getInstance(
|
// Mimic the way SSLContext.getInstance(KeyManager[], null, null) works
|
||||||
TrustManagerFactory.getDefaultAlgorithm());
|
trustManagerFactory = TrustManagerFactory.getInstance(
|
||||||
factory.init((KeyStore) null);
|
TrustManagerFactory.getDefaultAlgorithm());
|
||||||
final X509TrustManager manager = chooseTrustManager(factory.getTrustManagers());
|
trustManagerFactory.init((KeyStore) null);
|
||||||
|
} else {
|
||||||
|
trustManagerFactory.init(ks);
|
||||||
|
}
|
||||||
|
|
||||||
|
final X509TrustManager manager = chooseTrustManager(trustManagerFactory.getTrustManagers());
|
||||||
SSLContext.setCertVerifyCallback(ctx, new CertificateVerifier() {
|
SSLContext.setCertVerifyCallback(ctx, new CertificateVerifier() {
|
||||||
@Override
|
@Override
|
||||||
public boolean verify(long ssl, byte[][] chain, String auth) {
|
public boolean verify(long ssl, byte[][] chain, String auth) {
|
||||||
|
|||||||
@ -16,9 +16,7 @@
|
|||||||
|
|
||||||
package io.netty.handler.ssl;
|
package io.netty.handler.ssl;
|
||||||
|
|
||||||
import io.netty.buffer.ByteBuf;
|
|
||||||
import io.netty.buffer.ByteBufAllocator;
|
import io.netty.buffer.ByteBufAllocator;
|
||||||
import io.netty.buffer.ByteBufInputStream;
|
|
||||||
import io.netty.channel.ChannelInitializer;
|
import io.netty.channel.ChannelInitializer;
|
||||||
import io.netty.channel.ChannelPipeline;
|
import io.netty.channel.ChannelPipeline;
|
||||||
|
|
||||||
@ -35,17 +33,13 @@ import javax.net.ssl.SSLEngine;
|
|||||||
import javax.net.ssl.SSLException;
|
import javax.net.ssl.SSLException;
|
||||||
import javax.net.ssl.TrustManager;
|
import javax.net.ssl.TrustManager;
|
||||||
import javax.net.ssl.TrustManagerFactory;
|
import javax.net.ssl.TrustManagerFactory;
|
||||||
import javax.security.auth.x500.X500Principal;
|
|
||||||
import java.io.File;
|
import java.io.File;
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.security.InvalidAlgorithmParameterException;
|
import java.security.InvalidAlgorithmParameterException;
|
||||||
import java.security.InvalidKeyException;
|
import java.security.InvalidKeyException;
|
||||||
import java.security.KeyStore;
|
|
||||||
import java.security.KeyStoreException;
|
|
||||||
import java.security.NoSuchAlgorithmException;
|
import java.security.NoSuchAlgorithmException;
|
||||||
import java.security.cert.CertificateException;
|
import java.security.cert.CertificateException;
|
||||||
import java.security.cert.CertificateFactory;
|
import java.security.cert.CertificateFactory;
|
||||||
import java.security.cert.X509Certificate;
|
|
||||||
import java.security.spec.InvalidKeySpecException;
|
import java.security.spec.InvalidKeySpecException;
|
||||||
import java.security.spec.PKCS8EncodedKeySpec;
|
import java.security.spec.PKCS8EncodedKeySpec;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
@ -256,19 +250,16 @@ public abstract class SslContext {
|
|||||||
}
|
}
|
||||||
|
|
||||||
switch (provider) {
|
switch (provider) {
|
||||||
case JDK:
|
case JDK:
|
||||||
return new JdkSslServerContext(
|
return new JdkSslServerContext(
|
||||||
trustCertChainFile, trustManagerFactory, keyCertChainFile, keyFile, keyPassword,
|
trustCertChainFile, trustManagerFactory, keyCertChainFile, keyFile, keyPassword,
|
||||||
keyManagerFactory, ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout);
|
keyManagerFactory, ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout);
|
||||||
case OPENSSL:
|
case OPENSSL:
|
||||||
if (trustCertChainFile != null) {
|
return new OpenSslServerContext(
|
||||||
throw new UnsupportedOperationException("OpenSSL provider does not support mutual authentication");
|
keyCertChainFile, keyFile, keyPassword,
|
||||||
}
|
ciphers, apn, sessionCacheSize, sessionTimeout);
|
||||||
return new OpenSslServerContext(
|
default:
|
||||||
keyCertChainFile, keyFile, keyPassword,
|
throw new Error(provider.toString());
|
||||||
ciphers, apn, sessionCacheSize, sessionTimeout);
|
|
||||||
default:
|
|
||||||
throw new Error(provider.toString());
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user