Mercurial Hosting > luan

comparison src/org/eclipse/jetty/util/ssl/SslContextFactory.java @ 1002:35d04ac3fd0b

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
simplify ssl
author Franklin Schmidt <fschmidt@gmail.com>
date Sat, 22 Oct 2016 21:56:44 -0600
parents 8e9db0bbf4f9
children
comparison
equal deleted inserted replaced
1001:39154cfa58e4 1002:35d04ac3fd0b
71 * creates SSL context based on these parameters to be 71 * creates SSL context based on these parameters to be
72 * used by the SSL connectors. 72 * used by the SSL connectors.
73 */ 73 */
74 public class SslContextFactory extends AbstractLifeCycle 74 public class SslContextFactory extends AbstractLifeCycle
75 { 75 {
76 public final static TrustManager[] TRUST_ALL_CERTS = new X509TrustManager[]{new X509TrustManager() 76 public final static TrustManager[] TRUST_ALL_CERTS = new X509TrustManager[]{new X509TrustManager()
77 { 77 {
78 public java.security.cert.X509Certificate[] getAcceptedIssuers() 78 public java.security.cert.X509Certificate[] getAcceptedIssuers()
79 { 79 {
80 return new java.security.cert.X509Certificate[]{}; 80 return new java.security.cert.X509Certificate[]{};
81 } 81 }
82 82
83 public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) 83 public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType)
84 { 84 {
85 } 85 }
86 86
87 public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) 87 public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType)
88 { 88 {
89 } 89 }
90 }}; 90 }};
91 91
92 private static final Logger LOG = LoggerFactory.getLogger(SslContextFactory.class); 92 private static final Logger LOG = LoggerFactory.getLogger(SslContextFactory.class);
93 93
94 public static final String DEFAULT_KEYMANAGERFACTORY_ALGORITHM = 94 public static final String DEFAULT_KEYMANAGERFACTORY_ALGORITHM =
95 (Security.getProperty("ssl.KeyManagerFactory.algorithm") == null ? 95 (Security.getProperty("ssl.KeyManagerFactory.algorithm") == null ?
96 "SunX509" : Security.getProperty("ssl.KeyManagerFactory.algorithm")); 96 "SunX509" : Security.getProperty("ssl.KeyManagerFactory.algorithm"));
97 public static final String DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM = 97 public static final String DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM =
98 (Security.getProperty("ssl.TrustManagerFactory.algorithm") == null ? 98 (Security.getProperty("ssl.TrustManagerFactory.algorithm") == null ?
99 "SunX509" : Security.getProperty("ssl.TrustManagerFactory.algorithm")); 99 "SunX509" : Security.getProperty("ssl.TrustManagerFactory.algorithm"));
100 100
101 /** Default value for the keystore location path. */ 101 /** Default value for the keystore location path. */
102 public static final String DEFAULT_KEYSTORE_PATH = 102 public static final String DEFAULT_KEYSTORE_PATH =
103 System.getProperty("user.home") + File.separator + ".keystore"; 103 System.getProperty("user.home") + File.separator + ".keystore";
104 104
105 /** String name of key password property. */ 105 /** String name of key password property. */
106 public static final String KEYPASSWORD_PROPERTY = "org.eclipse.jetty.ssl.keypassword"; 106 public static final String KEYPASSWORD_PROPERTY = "org.eclipse.jetty.ssl.keypassword";
107 107
108 /** String name of keystore password property. */ 108 /** String name of keystore password property. */
109 public static final String PASSWORD_PROPERTY = "org.eclipse.jetty.ssl.password"; 109 public static final String PASSWORD_PROPERTY = "org.eclipse.jetty.ssl.password";
110 110
111 /** Excluded protocols. */ 111 /** Excluded protocols. */
112 private final Set<String> _excludeProtocols = new LinkedHashSet<String>(); 112 private final Set<String> _excludeProtocols = new LinkedHashSet<String>();
113 /** Included protocols. */ 113 /** Included protocols. */
114 private Set<String> _includeProtocols = null; 114 private Set<String> _includeProtocols = null;
115 115
116 /** Excluded cipher suites. */ 116 /** Excluded cipher suites. */
117 private final Set<String> _excludeCipherSuites = new LinkedHashSet<String>(); 117 private final Set<String> _excludeCipherSuites = new LinkedHashSet<String>();
118 /** Included cipher suites. */ 118 /** Included cipher suites. */
119 private Set<String> _includeCipherSuites = null; 119 private Set<String> _includeCipherSuites = null;
120 120
121 /** Keystore path. */ 121 /** Keystore path. */
122 private String _keyStorePath; 122 private String _keyStorePath;
123 /** Keystore provider name */ 123 /** Keystore provider name */
124 private String _keyStoreProvider; 124 private String _keyStoreProvider;
125 /** Keystore type */ 125 /** Keystore type */
126 private String _keyStoreType = "JKS"; 126 private String _keyStoreType = "JKS";
127 /** Keystore input stream */ 127 /** Keystore input stream */
128 private InputStream _keyStoreInputStream; 128 private InputStream _keyStoreInputStream;
129 129
130 /** SSL certificate alias */ 130 /** SSL certificate alias */
131 private String _certAlias; 131 private String _certAlias;
132 132
133 /** Truststore path */ 133 /** Truststore path */
134 private String _trustStorePath; 134 private String _trustStorePath;
135 /** Truststore provider name */ 135 /** Truststore provider name */
136 private String _trustStoreProvider; 136 private String _trustStoreProvider;
137 /** Truststore type */ 137 /** Truststore type */
138 private String _trustStoreType = "JKS"; 138 private String _trustStoreType = "JKS";
139 /** Truststore input stream */ 139 /** Truststore input stream */
140 private InputStream _trustStoreInputStream; 140 private InputStream _trustStoreInputStream;
141 141
142 /** Set to true if client certificate authentication is required */ 142 /** Set to true if client certificate authentication is required */
143 private boolean _needClientAuth = false; 143 private boolean _needClientAuth = false;
144 /** Set to true if client certificate authentication is desired */ 144 /** Set to true if client certificate authentication is desired */
145 private boolean _wantClientAuth = false; 145 private boolean _wantClientAuth = false;
146 146
147 /** Set to true if renegotiation is allowed */ 147 /** Set to true if renegotiation is allowed */
148 private boolean _allowRenegotiate = true; 148 private boolean _allowRenegotiate = true;
149 149
150 /** Keystore password */ 150 /** Keystore password */
151 private transient Password _keyStorePassword; 151 private transient Password _keyStorePassword;
152 /** Key manager password */ 152 /** Key manager password */
153 private transient Password _keyManagerPassword; 153 private transient Password _keyManagerPassword;
154 /** Truststore password */ 154 /** Truststore password */
155 private transient Password _trustStorePassword; 155 private transient Password _trustStorePassword;
156 156
157 /** SSL provider name */ 157 /** SSL provider name */
158 private String _sslProvider; 158 private String _sslProvider;
159 /** SSL protocol name */ 159 /** SSL protocol name */
160 private String _sslProtocol = "TLS"; 160 private String _sslProtocol = "TLS";
161 161
162 /** SecureRandom algorithm */ 162 /** SecureRandom algorithm */
163 private String _secureRandomAlgorithm; 163 private String _secureRandomAlgorithm;
164 /** KeyManager factory algorithm */ 164 /** KeyManager factory algorithm */
165 private String _keyManagerFactoryAlgorithm = DEFAULT_KEYMANAGERFACTORY_ALGORITHM; 165 private String _keyManagerFactoryAlgorithm = DEFAULT_KEYMANAGERFACTORY_ALGORITHM;
166 /** TrustManager factory algorithm */ 166 /** TrustManager factory algorithm */
167 private String _trustManagerFactoryAlgorithm = DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM; 167 private String _trustManagerFactoryAlgorithm = DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM;
168 168
169 /** Set to true if SSL certificate validation is required */ 169 /** Set to true if SSL certificate validation is required */
170 private boolean _validateCerts; 170 private boolean _validateCerts;
171 /** Set to true if SSL certificate of the peer validation is required */ 171 /** Set to true if SSL certificate of the peer validation is required */
172 private boolean _validatePeerCerts; 172 private boolean _validatePeerCerts;
173 /** Maximum certification path length (n - number of intermediate certs, -1 for unlimited) */ 173 /** Maximum certification path length (n - number of intermediate certs, -1 for unlimited) */
174 private int _maxCertPathLength = -1; 174 private int _maxCertPathLength = -1;
175 /** Path to file that contains Certificate Revocation List */ 175 /** Path to file that contains Certificate Revocation List */
176 private String _crlPath; 176 private String _crlPath;
177 /** Set to true to enable CRL Distribution Points (CRLDP) support */ 177 /** Set to true to enable CRL Distribution Points (CRLDP) support */
178 private boolean _enableCRLDP = false; 178 private boolean _enableCRLDP = false;
179 /** Set to true to enable On-Line Certificate Status Protocol (OCSP) support */ 179 /** Set to true to enable On-Line Certificate Status Protocol (OCSP) support */
180 private boolean _enableOCSP = false; 180 private boolean _enableOCSP = false;
181 /** Location of OCSP Responder */ 181 /** Location of OCSP Responder */
182 private String _ocspResponderURL; 182 private String _ocspResponderURL;
183 183
184 /** SSL keystore */ 184 /** SSL keystore */
185 private KeyStore _keyStore; 185 private KeyStore _keyStore;
186 /** SSL truststore */ 186 /** SSL truststore */
187 private KeyStore _trustStore; 187 private KeyStore _trustStore;
188 /** Set to true to enable SSL Session caching */ 188 /** Set to true to enable SSL Session caching */
189 private boolean _sessionCachingEnabled = true; 189 private boolean _sessionCachingEnabled = true;
190 /** SSL session cache size */ 190 /** SSL session cache size */
191 private int _sslSessionCacheSize; 191 private int _sslSessionCacheSize;
192 /** SSL session timeout */ 192 /** SSL session timeout */
193 private int _sslSessionTimeout; 193 private int _sslSessionTimeout;
194 194
195 /** SSL context */ 195 /** SSL context */
196 private SSLContext _context; 196 private SSLContext _context;
197 197
198 private boolean _trustAll; 198 private boolean _trustAll;
199 199
200 /* ------------------------------------------------------------ */ 200 /* ------------------------------------------------------------ */
201 /** 201 /**
202 * Construct an instance of SslContextFactory 202 * Construct an instance of SslContextFactory
203 * Default constructor for use in XmlConfiguration files 203 * Default constructor for use in XmlConfiguration files
204 */ 204 */
205 public SslContextFactory() 205 public SslContextFactory()
206 { 206 {
207 _trustAll=true; 207 _trustAll=true;
208 } 208 }
209 209
210 /* ------------------------------------------------------------ */ 210 /* ------------------------------------------------------------ */
211 /** 211 /**
212 * Construct an instance of SslContextFactory 212 * Construct an instance of SslContextFactory
213 * Default constructor for use in XmlConfiguration files 213 * Default constructor for use in XmlConfiguration files
214 * @param trustAll whether to blindly trust all certificates 214 * @param trustAll whether to blindly trust all certificates
215 * @see #setTrustAll(boolean) 215 * @see #setTrustAll(boolean)
216 */ 216 */
217 public SslContextFactory(boolean trustAll) 217 public SslContextFactory(boolean trustAll)
218 { 218 {
219 _trustAll=trustAll; 219 _trustAll=trustAll;
220 } 220 }
221 221
222 /* ------------------------------------------------------------ */ 222 /* ------------------------------------------------------------ */
223 /** 223 /**
224 * Construct an instance of SslContextFactory 224 * Construct an instance of SslContextFactory
225 * @param keyStorePath default keystore location 225 * @param keyStorePath default keystore location
226 */ 226 */
227 public SslContextFactory(String keyStorePath) 227 public SslContextFactory(String keyStorePath)
228 { 228 {
229 _keyStorePath = keyStorePath; 229 _keyStorePath = keyStorePath;
230 } 230 }
231 231
232 /* ------------------------------------------------------------ */ 232 /* ------------------------------------------------------------ */
233 /** 233 /**
234 * Create the SSLContext object and start the lifecycle 234 * Create the SSLContext object and start the lifecycle
235 * @see org.eclipse.jetty.util.component.AbstractLifeCycle#doStart() 235 * @see org.eclipse.jetty.util.component.AbstractLifeCycle#doStart()
236 */ 236 */
237 @Override 237 @Override
238 protected void doStart() throws Exception 238 protected void doStart() throws Exception
239 { 239 {
240 if (_context == null) 240 if (_context == null)
241 { 241 {
242 if (_keyStore==null && _keyStoreInputStream == null && _keyStorePath == null && 242 if (_keyStore==null && _keyStoreInputStream == null && _keyStorePath == null &&
243 _trustStore==null && _trustStoreInputStream == null && _trustStorePath == null ) 243 _trustStore==null && _trustStoreInputStream == null && _trustStorePath == null )
244 { 244 {
245 TrustManager[] trust_managers=null; 245 TrustManager[] trust_managers=null;
246 246
247 if (_trustAll) 247 if (_trustAll)
248 { 248 {
249 LOG.debug("No keystore or trust store configured. ACCEPTING UNTRUSTED CERTIFICATES!!!!!"); 249 LOG.debug("No keystore or trust store configured. ACCEPTING UNTRUSTED CERTIFICATES!!!!!");
250 // Create a trust manager that does not validate certificate chains 250 // Create a trust manager that does not validate certificate chains
251 trust_managers = TRUST_ALL_CERTS; 251 trust_managers = TRUST_ALL_CERTS;
252 } 252 }
253 253
254 SecureRandom secureRandom = (_secureRandomAlgorithm == null)?null:SecureRandom.getInstance(_secureRandomAlgorithm); 254 SecureRandom secureRandom = (_secureRandomAlgorithm == null)?null:SecureRandom.getInstance(_secureRandomAlgorithm);
255 _context = SSLContext.getInstance(_sslProtocol); 255 _context = SSLContext.getInstance(_sslProtocol);
256 _context.init(null, trust_managers, secureRandom); 256 _context.init(null, trust_managers, secureRandom);
257 } 257 }
258 else 258 else
259 { 259 {
260 // verify that keystore and truststore 260 // verify that keystore and truststore
261 // parameters are set up correctly 261 // parameters are set up correctly
262 checkKeyStore(); 262 checkKeyStore();
263 263
264 KeyStore keyStore = loadKeyStore(); 264 KeyStore keyStore = loadKeyStore();
265 KeyStore trustStore = loadTrustStore(); 265 KeyStore trustStore = loadTrustStore();
266 266
267 Collection<? extends CRL> crls = loadCRL(_crlPath); 267 Collection<? extends CRL> crls = loadCRL(_crlPath);
268 268
269 if (_validateCerts && keyStore != null) 269 if (_validateCerts && keyStore != null)
270 { 270 {
271 if (_certAlias == null) 271 if (_certAlias == null)
272 { 272 {
273 List<String> aliases = Collections.list(keyStore.aliases()); 273 List<String> aliases = Collections.list(keyStore.aliases());
274 _certAlias = aliases.size() == 1 ? aliases.get(0) : null; 274 _certAlias = aliases.size() == 1 ? aliases.get(0) : null;
275 } 275 }
276 276
277 Certificate cert = _certAlias == null?null:keyStore.getCertificate(_certAlias); 277 Certificate cert = _certAlias == null?null:keyStore.getCertificate(_certAlias);
278 if (cert == null) 278 if (cert == null)
279 { 279 {
280 throw new Exception("No certificate found in the keystore" + (_certAlias==null ? "":" for alias " + _certAlias)); 280 throw new Exception("No certificate found in the keystore" + (_certAlias==null ? "":" for alias " + _certAlias));
281 } 281 }
282 282
283 CertificateValidator validator = new CertificateValidator(trustStore, crls); 283 CertificateValidator validator = new CertificateValidator(trustStore, crls);
284 validator.setMaxCertPathLength(_maxCertPathLength); 284 validator.setMaxCertPathLength(_maxCertPathLength);
285 validator.setEnableCRLDP(_enableCRLDP); 285 validator.setEnableCRLDP(_enableCRLDP);
286 validator.setEnableOCSP(_enableOCSP); 286 validator.setEnableOCSP(_enableOCSP);
287 validator.setOcspResponderURL(_ocspResponderURL); 287 validator.setOcspResponderURL(_ocspResponderURL);
288 validator.validate(keyStore, cert); 288 validator.validate(keyStore, cert);
289 } 289 }
290 290
291 KeyManager[] keyManagers = getKeyManagers(keyStore); 291 KeyManager[] keyManagers = getKeyManagers(keyStore);
292 TrustManager[] trustManagers = getTrustManagers(trustStore,crls); 292 TrustManager[] trustManagers = getTrustManagers(trustStore,crls);
293 293
294 SecureRandom secureRandom = (_secureRandomAlgorithm == null)?null:SecureRandom.getInstance(_secureRandomAlgorithm); 294 SecureRandom secureRandom = (_secureRandomAlgorithm == null)?null:SecureRandom.getInstance(_secureRandomAlgorithm);
295 _context = (_sslProvider == null)?SSLContext.getInstance(_sslProtocol):SSLContext.getInstance(_sslProtocol,_sslProvider); 295 _context = (_sslProvider == null)?SSLContext.getInstance(_sslProtocol):SSLContext.getInstance(_sslProtocol,_sslProvider);
296 _context.init(keyManagers,trustManagers,secureRandom); 296 _context.init(keyManagers,trustManagers,secureRandom);
297 297
298 SSLEngine engine=newSslEngine(); 298 SSLEngine engine=newSslEngine();
299 299
300 LOG.info("Enabled Protocols {} of {}",Arrays.asList(engine.getEnabledProtocols()),Arrays.asList(engine.getSupportedProtocols())); 300 LOG.info("Enabled Protocols {} of {}",Arrays.asList(engine.getEnabledProtocols()),Arrays.asList(engine.getSupportedProtocols()));
301 if (LOG.isDebugEnabled()) 301 if (LOG.isDebugEnabled())
302 LOG.debug("Enabled Ciphers {} of {}",Arrays.asList(engine.getEnabledCipherSuites()),Arrays.asList(engine.getSupportedCipherSuites())); 302 LOG.debug("Enabled Ciphers {} of {}",Arrays.asList(engine.getEnabledCipherSuites()),Arrays.asList(engine.getSupportedCipherSuites()));
303 } 303 }
304 } 304 }
305 } 305 }
306 306
307 /* ------------------------------------------------------------ */ 307 /* ------------------------------------------------------------ */
308 /** 308 /**
309 * @return The array of protocol names to exclude from 309 * @return The array of protocol names to exclude from
310 * {@link SSLEngine#setEnabledProtocols(String[])} 310 * {@link SSLEngine#setEnabledProtocols(String[])}
311 */ 311 */
312 public String[] getExcludeProtocols() 312 public String[] getExcludeProtocols()
313 { 313 {
314 return _excludeProtocols.toArray(new String[_excludeProtocols.size()]); 314 return _excludeProtocols.toArray(new String[_excludeProtocols.size()]);
315 } 315 }
316 316
317 /* ------------------------------------------------------------ */ 317 /* ------------------------------------------------------------ */
318 /** 318 /**
319 * @param protocols 319 * @param protocols
320 * The array of protocol names to exclude from 320 * The array of protocol names to exclude from
321 * {@link SSLEngine#setEnabledProtocols(String[])} 321 * {@link SSLEngine#setEnabledProtocols(String[])}
322 */ 322 */
323 public void setExcludeProtocols(String... protocols) 323 public void setExcludeProtocols(String... protocols)
324 { 324 {
325 checkNotStarted(); 325 checkNotStarted();
326 326
327 _excludeProtocols.clear(); 327 _excludeProtocols.clear();
328 _excludeProtocols.addAll(Arrays.asList(protocols)); 328 _excludeProtocols.addAll(Arrays.asList(protocols));
329 } 329 }
330 330
331 /* ------------------------------------------------------------ */ 331 /* ------------------------------------------------------------ */
332 /** 332 /**
333 * @param protocol Protocol names to add to {@link SSLEngine#setEnabledProtocols(String[])} 333 * @param protocol Protocol names to add to {@link SSLEngine#setEnabledProtocols(String[])}
334 */ 334 */
335 public void addExcludeProtocols(String... protocol) 335 public void addExcludeProtocols(String... protocol)
336 { 336 {
337 checkNotStarted(); 337 checkNotStarted();
338 _excludeProtocols.addAll(Arrays.asList(protocol)); 338 _excludeProtocols.addAll(Arrays.asList(protocol));
339 } 339 }
340 340
341 /* ------------------------------------------------------------ */ 341 /* ------------------------------------------------------------ */
342 /** 342 /**
343 * @return The array of protocol names to include in 343 * @return The array of protocol names to include in
344 * {@link SSLEngine#setEnabledProtocols(String[])} 344 * {@link SSLEngine#setEnabledProtocols(String[])}
345 */ 345 */
346 public String[] getIncludeProtocols() 346 public String[] getIncludeProtocols()
347 { 347 {
348 return _includeProtocols.toArray(new String[_includeProtocols.size()]); 348 return _includeProtocols.toArray(new String[_includeProtocols.size()]);
349 } 349 }
350 350
351 /* ------------------------------------------------------------ */ 351 /* ------------------------------------------------------------ */
352 /** 352 /**
353 * @param protocols 353 * @param protocols
354 * The array of protocol names to include in 354 * The array of protocol names to include in
355 * {@link SSLEngine#setEnabledProtocols(String[])} 355 * {@link SSLEngine#setEnabledProtocols(String[])}
356 */ 356 */
357 public void setIncludeProtocols(String... protocols) 357 public void setIncludeProtocols(String... protocols)
358 { 358 {
359 checkNotStarted(); 359 checkNotStarted();
360 360
361 _includeProtocols = new LinkedHashSet<String>(Arrays.asList(protocols)); 361 _includeProtocols = new LinkedHashSet<String>(Arrays.asList(protocols));
362 } 362 }
363 363
364 /* ------------------------------------------------------------ */ 364 /* ------------------------------------------------------------ */
365 /** 365 /**
366 * @return The array of cipher suite names to exclude from 366 * @return The array of cipher suite names to exclude from
367 * {@link SSLEngine#setEnabledCipherSuites(String[])} 367 * {@link SSLEngine#setEnabledCipherSuites(String[])}
368 */ 368 */
369 public String[] getExcludeCipherSuites() 369 public String[] getExcludeCipherSuites()
370 { 370 {
371 return _excludeCipherSuites.toArray(new String[_excludeCipherSuites.size()]); 371 return _excludeCipherSuites.toArray(new String[_excludeCipherSuites.size()]);
372 } 372 }
373 373
374 /* ------------------------------------------------------------ */ 374 /* ------------------------------------------------------------ */
375 /** 375 /**
376 * @param cipherSuites 376 * @param cipherSuites
377 * The array of cipher suite names to exclude from 377 * The array of cipher suite names to exclude from
378 * {@link SSLEngine#setEnabledCipherSuites(String[])} 378 * {@link SSLEngine#setEnabledCipherSuites(String[])}
379 */ 379 */
380 public void setExcludeCipherSuites(String... cipherSuites) 380 public void setExcludeCipherSuites(String... cipherSuites)
381 { 381 {
382 checkNotStarted(); 382 checkNotStarted();
383 _excludeCipherSuites.clear(); 383 _excludeCipherSuites.clear();
384 _excludeCipherSuites.addAll(Arrays.asList(cipherSuites)); 384 _excludeCipherSuites.addAll(Arrays.asList(cipherSuites));
385 } 385 }
386 386
387 /* ------------------------------------------------------------ */ 387 /* ------------------------------------------------------------ */
388 /** 388 /**
389 * @param cipher Cipher names to add to {@link SSLEngine#setEnabledCipherSuites(String[])} 389 * @param cipher Cipher names to add to {@link SSLEngine#setEnabledCipherSuites(String[])}
390 */ 390 */
391 public void addExcludeCipherSuites(String... cipher) 391 public void addExcludeCipherSuites(String... cipher)
392 { 392 {
393 checkNotStarted(); 393 checkNotStarted();
394 _excludeCipherSuites.addAll(Arrays.asList(cipher)); 394 _excludeCipherSuites.addAll(Arrays.asList(cipher));
395 } 395 }
396 396
397 /* ------------------------------------------------------------ */ 397 /* ------------------------------------------------------------ */
398 /** 398 /**
399 * @return The array of cipher suite names to include in 399 * @return The array of cipher suite names to include in
400 * {@link SSLEngine#setEnabledCipherSuites(String[])} 400 * {@link SSLEngine#setEnabledCipherSuites(String[])}
401 */ 401 */
402 public String[] getIncludeCipherSuites() 402 public String[] getIncludeCipherSuites()
403 { 403 {
404 return _includeCipherSuites.toArray(new String[_includeCipherSuites.size()]); 404 return _includeCipherSuites.toArray(new String[_includeCipherSuites.size()]);
405 } 405 }
406 406
407 /* ------------------------------------------------------------ */ 407 /* ------------------------------------------------------------ */
408 /** 408 /**
409 * @param cipherSuites 409 * @param cipherSuites
410 * The array of cipher suite names to include in 410 * The array of cipher suite names to include in
411 * {@link SSLEngine#setEnabledCipherSuites(String[])} 411 * {@link SSLEngine#setEnabledCipherSuites(String[])}
412 */ 412 */
413 public void setIncludeCipherSuites(String... cipherSuites) 413 public void setIncludeCipherSuites(String... cipherSuites)
414 { 414 {
415 checkNotStarted(); 415 checkNotStarted();
416 416
417 _includeCipherSuites = new LinkedHashSet<String>(Arrays.asList(cipherSuites)); 417 _includeCipherSuites = new LinkedHashSet<String>(Arrays.asList(cipherSuites));
418 } 418 }
419 419
420 /* ------------------------------------------------------------ */ 420 /* ------------------------------------------------------------ */
421 /** 421 /**
422 * @return The file or URL of the SSL Key store. 422 * @return The file or URL of the SSL Key store.
423 */ 423 */
424 public String getKeyStorePath() 424 public String getKeyStorePath()
425 { 425 {
426 return _keyStorePath; 426 return _keyStorePath;
427 } 427 }
428 428
429 /* ------------------------------------------------------------ */ 429 /* ------------------------------------------------------------ */
430 @Deprecated 430 @Deprecated
431 public String getKeyStore() 431 public String getKeyStore()
432 { 432 {
433 return _keyStorePath; 433 return _keyStorePath;
434 } 434 }
435 435
436 /* ------------------------------------------------------------ */ 436 /* ------------------------------------------------------------ */
437 /** 437 /**
438 * @param keyStorePath 438 * @param keyStorePath
439 * The file or URL of the SSL Key store. 439 * The file or URL of the SSL Key store.
440 */ 440 */
441 public void setKeyStorePath(String keyStorePath) 441 public void setKeyStorePath(String keyStorePath)
442 { 442 {
443 checkNotStarted(); 443 checkNotStarted();
444 444
445 _keyStorePath = keyStorePath; 445 _keyStorePath = keyStorePath;
446 } 446 }
447 447
448 /* ------------------------------------------------------------ */ 448 /* ------------------------------------------------------------ */
449 /** 449 /**
450 * @param keyStorePath the file system path or URL of the keystore 450 * @param keyStorePath the file system path or URL of the keystore
451 * @deprecated Use {@link #setKeyStorePath(String)} 451 * @deprecated Use {@link #setKeyStorePath(String)}
452 */ 452 */
453 @Deprecated 453 @Deprecated
454 public void setKeyStore(String keyStorePath) 454 public void setKeyStore(String keyStorePath)
455 { 455 {
456 checkNotStarted(); 456 checkNotStarted();
457 457
458 _keyStorePath = keyStorePath; 458 _keyStorePath = keyStorePath;
459 } 459 }
460 460
461 /* ------------------------------------------------------------ */ 461 /* ------------------------------------------------------------ */
462 /** 462 /**
463 * @return The provider of the key store 463 * @return The provider of the key store
464 */ 464 */
465 public String getKeyStoreProvider() 465 public String getKeyStoreProvider()
466 { 466 {
467 return _keyStoreProvider; 467 return _keyStoreProvider;
468 } 468 }
469 469
470 /* ------------------------------------------------------------ */ 470 /* ------------------------------------------------------------ */
471 /** 471 /**
472 * @param keyStoreProvider 472 * @param keyStoreProvider
473 * The provider of the key store 473 * The provider of the key store
474 */ 474 */
475 public void setKeyStoreProvider(String keyStoreProvider) 475 public void setKeyStoreProvider(String keyStoreProvider)
476 { 476 {
477 checkNotStarted(); 477 checkNotStarted();
478 478
479 _keyStoreProvider = keyStoreProvider; 479 _keyStoreProvider = keyStoreProvider;
480 } 480 }
481 481
482 /* ------------------------------------------------------------ */ 482 /* ------------------------------------------------------------ */
483 /** 483 /**
484 * @return The type of the key store (default "JKS") 484 * @return The type of the key store (default "JKS")
485 */ 485 */
486 public String getKeyStoreType() 486 public String getKeyStoreType()
487 { 487 {
488 return (_keyStoreType); 488 return (_keyStoreType);
489 } 489 }
490 490
491 /* ------------------------------------------------------------ */ 491 /* ------------------------------------------------------------ */
492 /** 492 /**
493 * @param keyStoreType 493 * @param keyStoreType
494 * The type of the key store (default "JKS") 494 * The type of the key store (default "JKS")
495 */ 495 */
496 public void setKeyStoreType(String keyStoreType) 496 public void setKeyStoreType(String keyStoreType)
497 { 497 {
498 checkNotStarted(); 498 checkNotStarted();
499 499
500 _keyStoreType = keyStoreType; 500 _keyStoreType = keyStoreType;
501 } 501 }
502 502
503 /* ------------------------------------------------------------ */ 503 /* ------------------------------------------------------------ */
504 /** Get the _keyStoreInputStream. 504 /** Get the _keyStoreInputStream.
505 * @return the _keyStoreInputStream 505 * @return the _keyStoreInputStream
506 * 506 *
507 * @deprecated 507 * @deprecated
508 */ 508 */
509 @Deprecated 509 @Deprecated
510 public InputStream getKeyStoreInputStream() 510 public InputStream getKeyStoreInputStream()
511 { 511 {
512 checkKeyStore(); 512 checkKeyStore();
513 513
514 return _keyStoreInputStream; 514 return _keyStoreInputStream;
515 } 515 }
516 516
517 /* ------------------------------------------------------------ */ 517 /* ------------------------------------------------------------ */
518 /** Set the keyStoreInputStream. 518 /** Set the keyStoreInputStream.
519 * @param keyStoreInputStream the InputStream to the KeyStore 519 * @param keyStoreInputStream the InputStream to the KeyStore
520 * 520 *
521 * @deprecated Use {@link #setKeyStore(KeyStore)} 521 * @deprecated Use {@link #setKeyStore(KeyStore)}
522 */ 522 */
523 @Deprecated 523 @Deprecated
524 public void setKeyStoreInputStream(InputStream keyStoreInputStream) 524 public void setKeyStoreInputStream(InputStream keyStoreInputStream)
525 { 525 {
526 checkNotStarted(); 526 checkNotStarted();
527 527
528 _keyStoreInputStream = keyStoreInputStream; 528 _keyStoreInputStream = keyStoreInputStream;
529 } 529 }
530 530
531 /* ------------------------------------------------------------ */ 531 /* ------------------------------------------------------------ */
532 /** 532 /**
533 * @return Alias of SSL certificate for the connector 533 * @return Alias of SSL certificate for the connector
534 */ 534 */
535 public String getCertAlias() 535 public String getCertAlias()
536 { 536 {
537 return _certAlias; 537 return _certAlias;
538 } 538 }
539 539
540 /* ------------------------------------------------------------ */ 540 /* ------------------------------------------------------------ */
541 /** 541 /**
542 * @param certAlias 542 * @param certAlias
543 * Alias of SSL certificate for the connector 543 * Alias of SSL certificate for the connector
544 */ 544 */
545 public void setCertAlias(String certAlias) 545 public void setCertAlias(String certAlias)
546 { 546 {
547 checkNotStarted(); 547 checkNotStarted();
548 548
549 _certAlias = certAlias; 549 _certAlias = certAlias;
550 } 550 }
551 551
552 /* ------------------------------------------------------------ */ 552 /* ------------------------------------------------------------ */
553 /** 553 /**
554 * @return The file name or URL of the trust store location 554 * @return The file name or URL of the trust store location
555 */ 555 */
556 public String getTrustStore() 556 public String getTrustStore()
557 { 557 {
558 return _trustStorePath; 558 return _trustStorePath;
559 } 559 }
560 560
561 /* ------------------------------------------------------------ */ 561 /* ------------------------------------------------------------ */
562 /** 562 /**
563 * @param trustStorePath 563 * @param trustStorePath
564 * The file name or URL of the trust store location 564 * The file name or URL of the trust store location
565 */ 565 */
566 public void setTrustStore(String trustStorePath) 566 public void setTrustStore(String trustStorePath)
567 { 567 {
568 checkNotStarted(); 568 checkNotStarted();
569 569
570 _trustStorePath = trustStorePath; 570 _trustStorePath = trustStorePath;
571 } 571 }
572 572
573 /* ------------------------------------------------------------ */ 573 /* ------------------------------------------------------------ */
574 /** 574 /**
575 * @return The provider of the trust store 575 * @return The provider of the trust store
576 */ 576 */
577 public String getTrustStoreProvider() 577 public String getTrustStoreProvider()
578 { 578 {
579 return _trustStoreProvider; 579 return _trustStoreProvider;
580 } 580 }
581 581
582 /* ------------------------------------------------------------ */ 582 /* ------------------------------------------------------------ */
583 /** 583 /**
584 * @param trustStoreProvider 584 * @param trustStoreProvider
585 * The provider of the trust store 585 * The provider of the trust store
586 */ 586 */
587 public void setTrustStoreProvider(String trustStoreProvider) 587 public void setTrustStoreProvider(String trustStoreProvider)
588 { 588 {
589 checkNotStarted(); 589 checkNotStarted();
590 590
591 _trustStoreProvider = trustStoreProvider; 591 _trustStoreProvider = trustStoreProvider;
592 } 592 }
593 593
594 /* ------------------------------------------------------------ */ 594 /* ------------------------------------------------------------ */
595 /** 595 /**
596 * @return The type of the trust store (default "JKS") 596 * @return The type of the trust store (default "JKS")
597 */ 597 */
598 public String getTrustStoreType() 598 public String getTrustStoreType()
599 { 599 {
600 return _trustStoreType; 600 return _trustStoreType;
601 } 601 }
602 602
603 /* ------------------------------------------------------------ */ 603 /* ------------------------------------------------------------ */
604 /** 604 /**
605 * @param trustStoreType 605 * @param trustStoreType
606 * The type of the trust store (default "JKS") 606 * The type of the trust store (default "JKS")
607 */ 607 */
608 public void setTrustStoreType(String trustStoreType) 608 public void setTrustStoreType(String trustStoreType)
609 { 609 {
610 checkNotStarted(); 610 checkNotStarted();
611 611
612 _trustStoreType = trustStoreType; 612 _trustStoreType = trustStoreType;
613 } 613 }
614 614
615 /* ------------------------------------------------------------ */ 615 /* ------------------------------------------------------------ */
616 /** Get the _trustStoreInputStream. 616 /** Get the _trustStoreInputStream.
617 * @return the _trustStoreInputStream 617 * @return the _trustStoreInputStream
618 * 618 *
619 * @deprecated 619 * @deprecated
620 */ 620 */
621 @Deprecated 621 @Deprecated
622 public InputStream getTrustStoreInputStream() 622 public InputStream getTrustStoreInputStream()
623 { 623 {
624 checkKeyStore(); 624 checkKeyStore();
625 625
626 return _trustStoreInputStream; 626 return _trustStoreInputStream;
627 } 627 }
628 628
629 /* ------------------------------------------------------------ */ 629 /* ------------------------------------------------------------ */
630 /** Set the _trustStoreInputStream. 630 /** Set the _trustStoreInputStream.
631 * @param trustStoreInputStream the InputStream to the TrustStore 631 * @param trustStoreInputStream the InputStream to the TrustStore
632 * 632 *
633 * @deprecated 633 * @deprecated
634 */ 634 */
635 @Deprecated 635 @Deprecated
636 public void setTrustStoreInputStream(InputStream trustStoreInputStream) 636 public void setTrustStoreInputStream(InputStream trustStoreInputStream)
637 { 637 {
638 checkNotStarted(); 638 checkNotStarted();
639 639
640 _trustStoreInputStream = trustStoreInputStream; 640 _trustStoreInputStream = trustStoreInputStream;
641 } 641 }
642 642
643 /* ------------------------------------------------------------ */ 643 /* ------------------------------------------------------------ */
644 /** 644 /**
645 * @return True if SSL needs client authentication. 645 * @return True if SSL needs client authentication.
646 * @see SSLEngine#getNeedClientAuth() 646 * @see SSLEngine#getNeedClientAuth()
647 */ 647 */
648 public boolean getNeedClientAuth() 648 public boolean getNeedClientAuth()
649 { 649 {
650 return _needClientAuth; 650 return _needClientAuth;
651 } 651 }
652 652
653 /* ------------------------------------------------------------ */ 653 /* ------------------------------------------------------------ */
654 /** 654 /**
655 * @param needClientAuth 655 * @param needClientAuth
656 * True if SSL needs client authentication. 656 * True if SSL needs client authentication.
657 * @see SSLEngine#getNeedClientAuth() 657 * @see SSLEngine#getNeedClientAuth()
658 */ 658 */
659 public void setNeedClientAuth(boolean needClientAuth) 659 public void setNeedClientAuth(boolean needClientAuth)
660 { 660 {
661 checkNotStarted(); 661 checkNotStarted();
662 662
663 _needClientAuth = needClientAuth; 663 _needClientAuth = needClientAuth;
664 } 664 }
665 665
666 /* ------------------------------------------------------------ */ 666 /* ------------------------------------------------------------ */
667 /** 667 /**
668 * @return True if SSL wants client authentication. 668 * @return True if SSL wants client authentication.
669 * @see SSLEngine#getWantClientAuth() 669 * @see SSLEngine#getWantClientAuth()
670 */ 670 */
671 public boolean getWantClientAuth() 671 public boolean getWantClientAuth()
672 { 672 {
673 return _wantClientAuth; 673 return _wantClientAuth;
674 } 674 }
675 675
676 /* ------------------------------------------------------------ */ 676 /* ------------------------------------------------------------ */
677 /** 677 /**
678 * @param wantClientAuth 678 * @param wantClientAuth
679 * True if SSL wants client authentication. 679 * True if SSL wants client authentication.
680 * @see SSLEngine#getWantClientAuth() 680 * @see SSLEngine#getWantClientAuth()
681 */ 681 */
682 public void setWantClientAuth(boolean wantClientAuth) 682 public void setWantClientAuth(boolean wantClientAuth)
683 { 683 {
684 checkNotStarted(); 684 checkNotStarted();
685 685
686 _wantClientAuth = wantClientAuth; 686 _wantClientAuth = wantClientAuth;
687 } 687 }
688 688
689 /* ------------------------------------------------------------ */ 689 /* ------------------------------------------------------------ */
690 /** 690 /**
691 * @return true if SSL certificate has to be validated 691 * @return true if SSL certificate has to be validated
692 * @deprecated 692 * @deprecated
693 */ 693 */
694 @Deprecated 694 @Deprecated
695 public boolean getValidateCerts() 695 public boolean getValidateCerts()
696 { 696 {
697 return _validateCerts; 697 return _validateCerts;
698 } 698 }
699 699
700 /* ------------------------------------------------------------ */ 700 /* ------------------------------------------------------------ */
701 /** 701 /**
702 * @return true if SSL certificate has to be validated 702 * @return true if SSL certificate has to be validated
703 */ 703 */
704 public boolean isValidateCerts() 704 public boolean isValidateCerts()
705 { 705 {
706 return _validateCerts; 706 return _validateCerts;
707 } 707 }
708 708
709 /* ------------------------------------------------------------ */ 709 /* ------------------------------------------------------------ */
710 /** 710 /**
711 * @param validateCerts 711 * @param validateCerts
712 * true if SSL certificates have to be validated 712 * true if SSL certificates have to be validated
713 */ 713 */
714 public void setValidateCerts(boolean validateCerts) 714 public void setValidateCerts(boolean validateCerts)
715 { 715 {
716 checkNotStarted(); 716 checkNotStarted();
717 717
718 _validateCerts = validateCerts; 718 _validateCerts = validateCerts;
719 } 719 }
720 720
721 /* ------------------------------------------------------------ */ 721 /* ------------------------------------------------------------ */
722 /** 722 /**
723 * @return true if SSL certificates of the peer have to be validated 723 * @return true if SSL certificates of the peer have to be validated
724 */ 724 */
725 public boolean isValidatePeerCerts() 725 public boolean isValidatePeerCerts()
726 { 726 {
727 return _validatePeerCerts; 727 return _validatePeerCerts;
728 } 728 }
729 729
730 /* ------------------------------------------------------------ */ 730 /* ------------------------------------------------------------ */
731 /** 731 /**
732 * @param validatePeerCerts 732 * @param validatePeerCerts
733 * true if SSL certificates of the peer have to be validated 733 * true if SSL certificates of the peer have to be validated
734 */ 734 */
735 public void setValidatePeerCerts(boolean validatePeerCerts) 735 public void setValidatePeerCerts(boolean validatePeerCerts)
736 { 736 {
737 checkNotStarted(); 737 checkNotStarted();
738 738
739 _validatePeerCerts = validatePeerCerts; 739 _validatePeerCerts = validatePeerCerts;
740 } 740 }
741 741
742 /* ------------------------------------------------------------ */ 742 /* ------------------------------------------------------------ */
743 /** 743 /**
744 * @return True if SSL re-negotiation is allowed (default false) 744 * @return True if SSL re-negotiation is allowed (default false)
745 */ 745 */
746 public boolean isAllowRenegotiate() 746 public boolean isAllowRenegotiate()
747 { 747 {
748 return _allowRenegotiate; 748 return _allowRenegotiate;
749 } 749 }
750 750
751 /* ------------------------------------------------------------ */ 751 /* ------------------------------------------------------------ */
752 /** 752 /**
753 * Set if SSL re-negotiation is allowed. CVE-2009-3555 discovered 753 * Set if SSL re-negotiation is allowed. CVE-2009-3555 discovered
754 * a vulnerability in SSL/TLS with re-negotiation. If your JVM 754 * a vulnerability in SSL/TLS with re-negotiation. If your JVM
755 * does not have CVE-2009-3555 fixed, then re-negotiation should 755 * does not have CVE-2009-3555 fixed, then re-negotiation should
756 * not be allowed. CVE-2009-3555 was fixed in Sun java 1.6 with a ban 756 * not be allowed. CVE-2009-3555 was fixed in Sun java 1.6 with a ban
757 * of renegotiates in u19 and with RFC5746 in u22. 757 * of renegotiates in u19 and with RFC5746 in u22.
758 * 758 *
759 * @param allowRenegotiate 759 * @param allowRenegotiate
760 * true if re-negotiation is allowed (default false) 760 * true if re-negotiation is allowed (default false)
761 */ 761 */
762 public void setAllowRenegotiate(boolean allowRenegotiate) 762 public void setAllowRenegotiate(boolean allowRenegotiate)
763 { 763 {
764 checkNotStarted(); 764 checkNotStarted();
765 765
766 _allowRenegotiate = allowRenegotiate; 766 _allowRenegotiate = allowRenegotiate;
767 } 767 }
768 768
769 /* ------------------------------------------------------------ */ 769 /* ------------------------------------------------------------ */
770 /** 770 /**
771 * @param password 771 * @param password
772 * The password for the key store 772 * The password for the key store
773 */ 773 */
774 public void setKeyStorePassword(String password) 774 public void setKeyStorePassword(String password)
775 { 775 {
776 checkNotStarted(); 776 checkNotStarted();
777 777
778 _keyStorePassword = Password.getPassword(PASSWORD_PROPERTY,password,null); 778 _keyStorePassword = Password.getPassword(PASSWORD_PROPERTY,password,null);
779 } 779 }
780 780
781 /* ------------------------------------------------------------ */ 781 /* ------------------------------------------------------------ */
782 /** 782 /**
783 * @param password 783 * @param password
784 * The password (if any) for the specific key within the key store 784 * The password (if any) for the specific key within the key store
785 */ 785 */
786 public void setKeyManagerPassword(String password) 786 public void setKeyManagerPassword(String password)
787 { 787 {
788 checkNotStarted(); 788 checkNotStarted();
789 789
790 _keyManagerPassword = Password.getPassword(KEYPASSWORD_PROPERTY,password,null); 790 _keyManagerPassword = Password.getPassword(KEYPASSWORD_PROPERTY,password,null);
791 } 791 }
792 792
793 /* ------------------------------------------------------------ */ 793 /* ------------------------------------------------------------ */
794 /** 794 /**
795 * @param password 795 * @param password
796 * The password for the trust store 796 * The password for the trust store
797 */ 797 */
798 public void setTrustStorePassword(String password) 798 public void setTrustStorePassword(String password)
799 { 799 {
800 checkNotStarted(); 800 checkNotStarted();
801 801
802 _trustStorePassword = Password.getPassword(PASSWORD_PROPERTY,password,null); 802 _trustStorePassword = Password.getPassword(PASSWORD_PROPERTY,password,null);
803 } 803 }
804 804
805 /* ------------------------------------------------------------ */ 805 /* ------------------------------------------------------------ */
806 /** 806 /**
807 * @return The SSL provider name, which if set is passed to 807 * @return The SSL provider name, which if set is passed to
808 * {@link SSLContext#getInstance(String, String)} 808 * {@link SSLContext#getInstance(String, String)}
809 */ 809 */
810 public String getProvider() 810 public String getProvider()
811 { 811 {
812 return _sslProvider; 812 return _sslProvider;
813 } 813 }
814 814
815 /* ------------------------------------------------------------ */ 815 /* ------------------------------------------------------------ */
816 /** 816 /**
817 * @param provider 817 * @param provider
818 * The SSL provider name, which if set is passed to 818 * The SSL provider name, which if set is passed to
819 * {@link SSLContext#getInstance(String, String)} 819 * {@link SSLContext#getInstance(String, String)}
820 */ 820 */
821 public void setProvider(String provider) 821 public void setProvider(String provider)
822 { 822 {
823 checkNotStarted(); 823 checkNotStarted();
824 824
825 _sslProvider = provider; 825 _sslProvider = provider;
826 } 826 }
827 827
828 /* ------------------------------------------------------------ */ 828 /* ------------------------------------------------------------ */
829 /** 829 /**
830 * @return The SSL protocol (default "TLS") passed to 830 * @return The SSL protocol (default "TLS") passed to
831 * {@link SSLContext#getInstance(String, String)} 831 * {@link SSLContext#getInstance(String, String)}
832 */ 832 */
833 public String getProtocol() 833 public String getProtocol()
834 { 834 {
835 return _sslProtocol; 835 return _sslProtocol;
836 } 836 }
837 837
838 /* ------------------------------------------------------------ */ 838 /* ------------------------------------------------------------ */
839 /** 839 /**
840 * @param protocol 840 * @param protocol
841 * The SSL protocol (default "TLS") passed to 841 * The SSL protocol (default "TLS") passed to
842 * {@link SSLContext#getInstance(String, String)} 842 * {@link SSLContext#getInstance(String, String)}
843 */ 843 */
844 public void setProtocol(String protocol) 844 public void setProtocol(String protocol)
845 { 845 {
846 checkNotStarted(); 846 checkNotStarted();
847 847
848 _sslProtocol = protocol; 848 _sslProtocol = protocol;
849 } 849 }
850 850
851 /* ------------------------------------------------------------ */ 851 /* ------------------------------------------------------------ */
852 /** 852 /**
853 * @return The algorithm name, which if set is passed to 853 * @return The algorithm name, which if set is passed to
854 * {@link SecureRandom#getInstance(String)} to obtain the {@link SecureRandom} instance passed to 854 * {@link SecureRandom#getInstance(String)} to obtain the {@link SecureRandom} instance passed to
855 * {@link SSLContext#init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)} 855 * {@link SSLContext#init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)}
856 */ 856 */
857 public String getSecureRandomAlgorithm() 857 public String getSecureRandomAlgorithm()
858 { 858 {
859 return _secureRandomAlgorithm; 859 return _secureRandomAlgorithm;
860 } 860 }
861 861
862 /* ------------------------------------------------------------ */ 862 /* ------------------------------------------------------------ */
863 /** 863 /**
864 * @param algorithm 864 * @param algorithm
865 * The algorithm name, which if set is passed to 865 * The algorithm name, which if set is passed to
866 * {@link SecureRandom#getInstance(String)} to obtain the {@link SecureRandom} instance passed to 866 * {@link SecureRandom#getInstance(String)} to obtain the {@link SecureRandom} instance passed to
867 * {@link SSLContext#init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)} 867 * {@link SSLContext#init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)}
868 */ 868 */
869 public void setSecureRandomAlgorithm(String algorithm) 869 public void setSecureRandomAlgorithm(String algorithm)
870 { 870 {
871 checkNotStarted(); 871 checkNotStarted();
872 872
873 _secureRandomAlgorithm = algorithm; 873 _secureRandomAlgorithm = algorithm;
874 } 874 }
875 875
876 /* ------------------------------------------------------------ */ 876 /* ------------------------------------------------------------ */
877 /** 877 /**
878 * @return The algorithm name (default "SunX509") used by the {@link KeyManagerFactory} 878 * @return The algorithm name (default "SunX509") used by the {@link KeyManagerFactory}
879 */ 879 */
880 public String getSslKeyManagerFactoryAlgorithm() 880 public String getSslKeyManagerFactoryAlgorithm()
881 { 881 {
882 return (_keyManagerFactoryAlgorithm); 882 return (_keyManagerFactoryAlgorithm);
883 } 883 }
884 884
885 /* ------------------------------------------------------------ */ 885 /* ------------------------------------------------------------ */
886 /** 886 /**
887 * @param algorithm 887 * @param algorithm
888 * The algorithm name (default "SunX509") used by the {@link KeyManagerFactory} 888 * The algorithm name (default "SunX509") used by the {@link KeyManagerFactory}
889 */ 889 */
890 public void setSslKeyManagerFactoryAlgorithm(String algorithm) 890 public void setSslKeyManagerFactoryAlgorithm(String algorithm)
891 { 891 {
892 checkNotStarted(); 892 checkNotStarted();
893 893
894 _keyManagerFactoryAlgorithm = algorithm; 894 _keyManagerFactoryAlgorithm = algorithm;
895 } 895 }
896 896
897 /* ------------------------------------------------------------ */ 897 /* ------------------------------------------------------------ */
898 /** 898 /**
899 * @return The algorithm name (default "SunX509") used by the {@link TrustManagerFactory} 899 * @return The algorithm name (default "SunX509") used by the {@link TrustManagerFactory}
900 */ 900 */
901 public String getTrustManagerFactoryAlgorithm() 901 public String getTrustManagerFactoryAlgorithm()
902 { 902 {
903 return (_trustManagerFactoryAlgorithm); 903 return (_trustManagerFactoryAlgorithm);
904 } 904 }
905 905
906 /* ------------------------------------------------------------ */ 906 /* ------------------------------------------------------------ */
907 /** 907 /**
908 * @return True if all certificates should be trusted if there is no KeyStore or TrustStore 908 * @return True if all certificates should be trusted if there is no KeyStore or TrustStore
909 */ 909 */
910 public boolean isTrustAll() 910 public boolean isTrustAll()
911 { 911 {
912 return _trustAll; 912 return _trustAll;
913 } 913 }
914 914
915 /* ------------------------------------------------------------ */ 915 /* ------------------------------------------------------------ */
916 /** 916 /**
917 * @param trustAll True if all certificates should be trusted if there is no KeyStore or TrustStore 917 * @param trustAll True if all certificates should be trusted if there is no KeyStore or TrustStore
918 */ 918 */
919 public void setTrustAll(boolean trustAll) 919 public void setTrustAll(boolean trustAll)
920 { 920 {
921 _trustAll = trustAll; 921 _trustAll = trustAll;
922 } 922 }
923 923
924 /* ------------------------------------------------------------ */ 924 /* ------------------------------------------------------------ */
925 /** 925 /**
926 * @param algorithm 926 * @param algorithm
927 * The algorithm name (default "SunX509") used by the {@link TrustManagerFactory} 927 * The algorithm name (default "SunX509") used by the {@link TrustManagerFactory}
928 * Use the string "TrustAll" to install a trust manager that trusts all. 928 * Use the string "TrustAll" to install a trust manager that trusts all.
929 */ 929 */
930 public void setTrustManagerFactoryAlgorithm(String algorithm) 930 public void setTrustManagerFactoryAlgorithm(String algorithm)
931 { 931 {
932 checkNotStarted(); 932 checkNotStarted();
933 933
934 _trustManagerFactoryAlgorithm = algorithm; 934 _trustManagerFactoryAlgorithm = algorithm;
935 } 935 }
936 936
937 /* ------------------------------------------------------------ */ 937 /* ------------------------------------------------------------ */
938 /** 938 /**
939 * @return Path to file that contains Certificate Revocation List 939 * @return Path to file that contains Certificate Revocation List
940 */ 940 */
941 public String getCrlPath() 941 public String getCrlPath()
942 { 942 {
943 return _crlPath; 943 return _crlPath;
944 } 944 }
945 945
946 /* ------------------------------------------------------------ */ 946 /* ------------------------------------------------------------ */
947 /** 947 /**
948 * @param crlPath 948 * @param crlPath
949 * Path to file that contains Certificate Revocation List 949 * Path to file that contains Certificate Revocation List
950 */ 950 */
951 public void setCrlPath(String crlPath) 951 public void setCrlPath(String crlPath)
952 { 952 {
953 checkNotStarted(); 953 checkNotStarted();
954 954
955 _crlPath = crlPath; 955 _crlPath = crlPath;
956 } 956 }
957 957
958 /* ------------------------------------------------------------ */ 958 /* ------------------------------------------------------------ */
959 /** 959 /**
960 * @return Maximum number of intermediate certificates in 960 * @return Maximum number of intermediate certificates in
961 * the certification path (-1 for unlimited) 961 * the certification path (-1 for unlimited)
962 */ 962 */
963 public int getMaxCertPathLength() 963 public int getMaxCertPathLength()
964 { 964 {
965 return _maxCertPathLength; 965 return _maxCertPathLength;
966 } 966 }
967 967
968 /* ------------------------------------------------------------ */ 968 /* ------------------------------------------------------------ */
969 /** 969 /**
970 * @param maxCertPathLength 970 * @param maxCertPathLength
971 * maximum number of intermediate certificates in 971 * maximum number of intermediate certificates in
972 * the certification path (-1 for unlimited) 972 * the certification path (-1 for unlimited)
973 */ 973 */
974 public void setMaxCertPathLength(int maxCertPathLength) 974 public void setMaxCertPathLength(int maxCertPathLength)
975 { 975 {
976 checkNotStarted(); 976 checkNotStarted();
977 977
978 _maxCertPathLength = maxCertPathLength; 978 _maxCertPathLength = maxCertPathLength;
979 } 979 }
980 980
981 /* ------------------------------------------------------------ */ 981 /* ------------------------------------------------------------ */
982 /** 982 /**
983 * @return The SSLContext 983 * @return The SSLContext
984 */ 984 */
985 public SSLContext getSslContext() 985 public SSLContext getSslContext()
986 { 986 {
987 if (!isStarted()) 987 if (!isStarted())
988 throw new IllegalStateException(getState()); 988 throw new IllegalStateException(getState());
989 return _context; 989 return _context;
990 } 990 }
991 991
992 /* ------------------------------------------------------------ */ 992 /* ------------------------------------------------------------ */
993 /** 993 /**
994 * @param sslContext 994 * @param sslContext
995 * Set a preconfigured SSLContext 995 * Set a preconfigured SSLContext
996 */ 996 */
997 public void setSslContext(SSLContext sslContext) 997 public void setSslContext(SSLContext sslContext)
998 { 998 {
999 checkNotStarted(); 999 checkNotStarted();
1000 1000
1001 _context = sslContext; 1001 _context = sslContext;
1002 } 1002 }
1003 1003
1004 /* ------------------------------------------------------------ */ 1004 /* ------------------------------------------------------------ */
1005 /** 1005 /**
1006 * Override this method to provide alternate way to load a keystore. 1006 * Override this method to provide alternate way to load a keystore.
1007 * 1007 *
1008 * @return the key store instance 1008 * @return the key store instance
1009 * @throws Exception if the keystore cannot be loaded 1009 * @throws Exception if the keystore cannot be loaded
1010 */ 1010 */
1011 protected KeyStore loadKeyStore() throws Exception 1011 protected KeyStore loadKeyStore() throws Exception
1012 { 1012 {
1013 return _keyStore != null ? _keyStore : getKeyStore(_keyStoreInputStream, 1013 return _keyStore != null ? _keyStore : getKeyStore(_keyStoreInputStream,
1014 _keyStorePath, _keyStoreType, _keyStoreProvider, 1014 _keyStorePath, _keyStoreType, _keyStoreProvider,
1015 _keyStorePassword==null? null: _keyStorePassword.toString()); 1015 _keyStorePassword==null? null: _keyStorePassword.toString());
1016 } 1016 }
1017 1017
1018 /* ------------------------------------------------------------ */ 1018 /* ------------------------------------------------------------ */
1019 /** 1019 /**
1020 * Override this method to provide alternate way to load a truststore. 1020 * Override this method to provide alternate way to load a truststore.
1021 * 1021 *
1022 * @return the key store instance 1022 * @return the key store instance
1023 * @throws Exception if the truststore cannot be loaded 1023 * @throws Exception if the truststore cannot be loaded
1024 */ 1024 */
1025 protected KeyStore loadTrustStore() throws Exception 1025 protected KeyStore loadTrustStore() throws Exception
1026 { 1026 {
1027 return _trustStore != null ? _trustStore : getKeyStore(_trustStoreInputStream, 1027 return _trustStore != null ? _trustStore : getKeyStore(_trustStoreInputStream,
1028 _trustStorePath, _trustStoreType, _trustStoreProvider, 1028 _trustStorePath, _trustStoreType, _trustStoreProvider,
1029 _trustStorePassword==null? null: _trustStorePassword.toString()); 1029 _trustStorePassword==null? null: _trustStorePassword.toString());
1030 } 1030 }
1031 1031
1032 /* ------------------------------------------------------------ */ 1032 /* ------------------------------------------------------------ */
1033 /** 1033 /**
1034 * Loads keystore using an input stream or a file path in the same 1034 * Loads keystore using an input stream or a file path in the same
1035 * order of precedence. 1035 * order of precedence.
1036 * 1036 *
1037 * Required for integrations to be able to override the mechanism 1037 * Required for integrations to be able to override the mechanism
1038 * used to load a keystore in order to provide their own implementation. 1038 * used to load a keystore in order to provide their own implementation.
1039 * 1039 *
1040 * @param storeStream keystore input stream 1040 * @param storeStream keystore input stream
1041 * @param storePath path of keystore file 1041 * @param storePath path of keystore file
1042 * @param storeType keystore type 1042 * @param storeType keystore type
1043 * @param storeProvider keystore provider 1043 * @param storeProvider keystore provider
1044 * @param storePassword keystore password 1044 * @param storePassword keystore password
1045 * @return created keystore 1045 * @return created keystore
1046 * @throws Exception if the keystore cannot be obtained 1046 * @throws Exception if the keystore cannot be obtained
1047 * 1047 *
1048 * @deprecated 1048 * @deprecated
1049 */ 1049 */
1050 @Deprecated 1050 @Deprecated
1051 protected KeyStore getKeyStore(InputStream storeStream, String storePath, String storeType, String storeProvider, String storePassword) throws Exception 1051 protected KeyStore getKeyStore(InputStream storeStream, String storePath, String storeType, String storeProvider, String storePassword) throws Exception
1052 { 1052 {
1053 return CertificateUtils.getKeyStore(storeStream, storePath, storeType, storeProvider, storePassword); 1053 return CertificateUtils.getKeyStore(storeStream, storePath, storeType, storeProvider, storePassword);
1054 } 1054 }
1055 1055
1056 /* ------------------------------------------------------------ */ 1056 /* ------------------------------------------------------------ */
1057 /** 1057 /**
1058 * Loads certificate revocation list (CRL) from a file. 1058 * Loads certificate revocation list (CRL) from a file.
1059 * 1059 *
1060 * Required for integrations to be able to override the mechanism used to 1060 * Required for integrations to be able to override the mechanism used to
1061 * load CRL in order to provide their own implementation. 1061 * load CRL in order to provide their own implementation.
1062 * 1062 *
1063 * @param crlPath path of certificate revocation list file 1063 * @param crlPath path of certificate revocation list file
1064 * @return Collection of CRL's 1064 * @return Collection of CRL's
1065 * @throws Exception if the certificate revocation list cannot be loaded 1065 * @throws Exception if the certificate revocation list cannot be loaded
1066 */ 1066 */
1067 protected Collection<? extends CRL> loadCRL(String crlPath) throws Exception 1067 protected Collection<? extends CRL> loadCRL(String crlPath) throws Exception
1068 { 1068 {
1069 return CertificateUtils.loadCRL(crlPath); 1069 return CertificateUtils.loadCRL(crlPath);
1070 } 1070 }
1071 1071
1072 /* ------------------------------------------------------------ */ 1072 /* ------------------------------------------------------------ */
1073 protected KeyManager[] getKeyManagers(KeyStore keyStore) throws Exception 1073 protected KeyManager[] getKeyManagers(KeyStore keyStore) throws Exception
1074 { 1074 {
1075 KeyManager[] managers = null; 1075 KeyManager[] managers = null;
1076 1076
1077 if (keyStore != null) 1077 if (keyStore != null)
1078 { 1078 {
1079 KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(_keyManagerFactoryAlgorithm); 1079 KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(_keyManagerFactoryAlgorithm);
1080 keyManagerFactory.init(keyStore,_keyManagerPassword == null?(_keyStorePassword == null?null:_keyStorePassword.toString().toCharArray()):_keyManagerPassword.toString().toCharArray()); 1080 keyManagerFactory.init(keyStore,_keyManagerPassword == null?(_keyStorePassword == null?null:_keyStorePassword.toString().toCharArray()):_keyManagerPassword.toString().toCharArray());
1081 managers = keyManagerFactory.getKeyManagers(); 1081 managers = keyManagerFactory.getKeyManagers();
1082 1082
1083 if (_certAlias != null) 1083 if (_certAlias != null)
1084 { 1084 {
1085 for (int idx = 0; idx < managers.length; idx++) 1085 for (int idx = 0; idx < managers.length; idx++)
1086 { 1086 {
1087 if (managers[idx] instanceof X509KeyManager) 1087 if (managers[idx] instanceof X509KeyManager)
1088 { 1088 {
1089 managers[idx] = new AliasedX509ExtendedKeyManager(_certAlias,(X509KeyManager)managers[idx]); 1089 managers[idx] = new AliasedX509ExtendedKeyManager(_certAlias,(X509KeyManager)managers[idx]);
1090 } 1090 }
1091 } 1091 }
1092 } 1092 }
1093 } 1093 }
1094 1094
1095 return managers; 1095 return managers;
1096 } 1096 }
1097 1097
1098 /* ------------------------------------------------------------ */ 1098 /* ------------------------------------------------------------ */
1099 protected TrustManager[] getTrustManagers(KeyStore trustStore, Collection<? extends CRL> crls) throws Exception 1099 protected TrustManager[] getTrustManagers(KeyStore trustStore, Collection<? extends CRL> crls) throws Exception
1100 { 1100 {
1101 TrustManager[] managers = null; 1101 TrustManager[] managers = null;
1102 if (trustStore != null) 1102 if (trustStore != null)
1103 { 1103 {
1104 // Revocation checking is only supported for PKIX algorithm 1104 // Revocation checking is only supported for PKIX algorithm
1105 if (_validatePeerCerts && _trustManagerFactoryAlgorithm.equalsIgnoreCase("PKIX")) 1105 if (_validatePeerCerts && _trustManagerFactoryAlgorithm.equalsIgnoreCase("PKIX"))
1106 { 1106 {
1107 PKIXBuilderParameters pbParams = new PKIXBuilderParameters(trustStore,new X509CertSelector()); 1107 PKIXBuilderParameters pbParams = new PKIXBuilderParameters(trustStore,new X509CertSelector());
1108 1108
1109 // Set maximum certification path length 1109 // Set maximum certification path length
1110 pbParams.setMaxPathLength(_maxCertPathLength); 1110 pbParams.setMaxPathLength(_maxCertPathLength);
1111 1111
1112 // Make sure revocation checking is enabled 1112 // Make sure revocation checking is enabled
1113 pbParams.setRevocationEnabled(true); 1113 pbParams.setRevocationEnabled(true);
1114 1114
1115 if (crls != null && !crls.isEmpty()) 1115 if (crls != null && !crls.isEmpty())
1116 { 1116 {
1117 pbParams.addCertStore(CertStore.getInstance("Collection",new CollectionCertStoreParameters(crls))); 1117 pbParams.addCertStore(CertStore.getInstance("Collection",new CollectionCertStoreParameters(crls)));
1118 } 1118 }
1119 1119
1120 if (_enableCRLDP) 1120 if (_enableCRLDP)
1121 { 1121 {
1122 // Enable Certificate Revocation List Distribution Points (CRLDP) support 1122 // Enable Certificate Revocation List Distribution Points (CRLDP) support
1123 System.setProperty("com.sun.security.enableCRLDP","true"); 1123 System.setProperty("com.sun.security.enableCRLDP","true");
1124 } 1124 }
1125 1125
1126 if (_enableOCSP) 1126 if (_enableOCSP)
1127 { 1127 {
1128 // Enable On-Line Certificate Status Protocol (OCSP) support 1128 // Enable On-Line Certificate Status Protocol (OCSP) support
1129 Security.setProperty("ocsp.enable","true"); 1129 Security.setProperty("ocsp.enable","true");
1130 1130
1131 if (_ocspResponderURL != null) 1131 if (_ocspResponderURL != null)
1132 { 1132 {
1133 // Override location of OCSP Responder 1133 // Override location of OCSP Responder
1134 Security.setProperty("ocsp.responderURL", _ocspResponderURL); 1134 Security.setProperty("ocsp.responderURL", _ocspResponderURL);
1135 } 1135 }
1136 } 1136 }
1137 1137
1138 TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(_trustManagerFactoryAlgorithm); 1138 TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(_trustManagerFactoryAlgorithm);
1139 trustManagerFactory.init(new CertPathTrustManagerParameters(pbParams)); 1139 trustManagerFactory.init(new CertPathTrustManagerParameters(pbParams));
1140 1140
1141 managers = trustManagerFactory.getTrustManagers(); 1141 managers = trustManagerFactory.getTrustManagers();
1142 } 1142 }
1143 else 1143 else
1144 { 1144 {
1145 TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(_trustManagerFactoryAlgorithm); 1145 TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(_trustManagerFactoryAlgorithm);
1146 trustManagerFactory.init(trustStore); 1146 trustManagerFactory.init(trustStore);
1147 1147
1148 managers = trustManagerFactory.getTrustManagers(); 1148 managers = trustManagerFactory.getTrustManagers();
1149 } 1149 }
1150 } 1150 }
1151 1151
1152 return managers; 1152 return managers;
1153 } 1153 }
1154 1154
1155 /* ------------------------------------------------------------ */ 1155 /* ------------------------------------------------------------ */
1156 /** 1156 /**
1157 * Check KeyStore Configuration. Ensures that if keystore has been 1157 * Check KeyStore Configuration. Ensures that if keystore has been
1158 * configured but there's no truststore, that keystore is 1158 * configured but there's no truststore, that keystore is
1159 * used as truststore. 1159 * used as truststore.
1160 * @throws IllegalStateException if SslContextFactory configuration can't be used. 1160 * @throws IllegalStateException if SslContextFactory configuration can't be used.
1161 */ 1161 */
1162 public void checkKeyStore() 1162 public void checkKeyStore()
1163 { 1163 {
1164 if (_context != null) 1164 if (_context != null)
1165 return; //nothing to check if using preconfigured context 1165 return; //nothing to check if using preconfigured context
1166 1166
1167 1167
1168 if (_keyStore == null && _keyStoreInputStream == null && _keyStorePath == null) 1168 if (_keyStore == null && _keyStoreInputStream == null && _keyStorePath == null)
1169 throw new IllegalStateException("SSL doesn't have a valid keystore"); 1169 throw new IllegalStateException("SSL doesn't have a valid keystore");
1170 1170
1171 // if the keystore has been configured but there is no 1171 // if the keystore has been configured but there is no
1172 // truststore configured, use the keystore as the truststore 1172 // truststore configured, use the keystore as the truststore
1173 if (_trustStore == null && _trustStoreInputStream == null && _trustStorePath == null) 1173 if (_trustStore == null && _trustStoreInputStream == null && _trustStorePath == null)
1174 { 1174 {
1175 _trustStore = _keyStore; 1175 _trustStore = _keyStore;
1176 _trustStorePath = _keyStorePath; 1176 _trustStorePath = _keyStorePath;
1177 _trustStoreInputStream = _keyStoreInputStream; 1177 _trustStoreInputStream = _keyStoreInputStream;
1178 _trustStoreType = _keyStoreType; 1178 _trustStoreType = _keyStoreType;
1179 _trustStoreProvider = _keyStoreProvider; 1179 _trustStoreProvider = _keyStoreProvider;
1180 _trustStorePassword = _keyStorePassword; 1180 _trustStorePassword = _keyStorePassword;
1181 _trustManagerFactoryAlgorithm = _keyManagerFactoryAlgorithm; 1181 _trustManagerFactoryAlgorithm = _keyManagerFactoryAlgorithm;
1182 } 1182 }
1183 1183
1184 // It's the same stream we cannot read it twice, so read it once in memory 1184 // It's the same stream we cannot read it twice, so read it once in memory
1185 if (_keyStoreInputStream != null && _keyStoreInputStream == _trustStoreInputStream) 1185 if (_keyStoreInputStream != null && _keyStoreInputStream == _trustStoreInputStream)
1186 { 1186 {
1187 try 1187 try
1188 { 1188 {
1189 ByteArrayOutputStream baos = new ByteArrayOutputStream(); 1189 ByteArrayOutputStream baos = new ByteArrayOutputStream();
1190 IO.copy(_keyStoreInputStream, baos); 1190 IO.copy(_keyStoreInputStream, baos);
1191 _keyStoreInputStream.close(); 1191 _keyStoreInputStream.close();
1192 1192
1193 _keyStoreInputStream = new ByteArrayInputStream(baos.toByteArray()); 1193 _keyStoreInputStream = new ByteArrayInputStream(baos.toByteArray());
1194 _trustStoreInputStream = new ByteArrayInputStream(baos.toByteArray()); 1194 _trustStoreInputStream = new ByteArrayInputStream(baos.toByteArray());
1195 } 1195 }
1196 catch (Exception ex) 1196 catch (Exception ex)
1197 { 1197 {
1198 throw new IllegalStateException(ex); 1198 throw new IllegalStateException(ex);
1199 } 1199 }
1200 } 1200 }
1201 } 1201 }
1202 1202
1203 /* ------------------------------------------------------------ */ 1203 /* ------------------------------------------------------------ */
1204 /** 1204 /**
1205 * Select protocols to be used by the connector 1205 * Select protocols to be used by the connector
1206 * based on configured inclusion and exclusion lists 1206 * based on configured inclusion and exclusion lists
1207 * as well as enabled and supported protocols. 1207 * as well as enabled and supported protocols.
1208 * @param enabledProtocols Array of enabled protocols 1208 * @param enabledProtocols Array of enabled protocols
1209 * @param supportedProtocols Array of supported protocols 1209 * @param supportedProtocols Array of supported protocols
1210 * @return Array of protocols to enable 1210 * @return Array of protocols to enable
1211 */ 1211 */
1212 public String[] selectProtocols(String[] enabledProtocols, String[] supportedProtocols) 1212 public String[] selectProtocols(String[] enabledProtocols, String[] supportedProtocols)
1213 { 1213 {
1214 Set<String> selected_protocols = new LinkedHashSet<String>(); 1214 Set<String> selected_protocols = new LinkedHashSet<String>();
1215 1215
1216 // Set the starting protocols - either from the included or enabled list 1216 // Set the starting protocols - either from the included or enabled list
1217 if (_includeProtocols!=null) 1217 if (_includeProtocols!=null)
1218 { 1218 {
1219 // Use only the supported included protocols 1219 // Use only the supported included protocols
1220 for (String protocol : _includeProtocols) 1220 for (String protocol : _includeProtocols)
1221 if(Arrays.asList(supportedProtocols).contains(protocol)) 1221 if(Arrays.asList(supportedProtocols).contains(protocol))
1222 selected_protocols.add(protocol); 1222 selected_protocols.add(protocol);
1223 } 1223 }
1224 else 1224 else
1225 selected_protocols.addAll(Arrays.asList(enabledProtocols)); 1225 selected_protocols.addAll(Arrays.asList(enabledProtocols));
1226 1226
1227 1227
1228 // Remove any excluded protocols 1228 // Remove any excluded protocols
1229 if (_excludeProtocols != null) 1229 if (_excludeProtocols != null)
1230 selected_protocols.removeAll(_excludeProtocols); 1230 selected_protocols.removeAll(_excludeProtocols);
1231 1231
1232 return selected_protocols.toArray(new String[selected_protocols.size()]); 1232 return selected_protocols.toArray(new String[selected_protocols.size()]);
1233 } 1233 }
1234 1234
1235 /* ------------------------------------------------------------ */ 1235 /* ------------------------------------------------------------ */
1236 /** 1236 /**
1237 * Select cipher suites to be used by the connector 1237 * Select cipher suites to be used by the connector
1238 * based on configured inclusion and exclusion lists 1238 * based on configured inclusion and exclusion lists
1239 * as well as enabled and supported cipher suite lists. 1239 * as well as enabled and supported cipher suite lists.
1240 * @param enabledCipherSuites Array of enabled cipher suites 1240 * @param enabledCipherSuites Array of enabled cipher suites
1241 * @param supportedCipherSuites Array of supported cipher suites 1241 * @param supportedCipherSuites Array of supported cipher suites
1242 * @return Array of cipher suites to enable 1242 * @return Array of cipher suites to enable
1243 */ 1243 */
1244 public String[] selectCipherSuites(String[] enabledCipherSuites, String[] supportedCipherSuites) 1244 public String[] selectCipherSuites(String[] enabledCipherSuites, String[] supportedCipherSuites)
1245 { 1245 {
1246 Set<String> selected_ciphers = new LinkedHashSet<String>(); 1246 Set<String> selected_ciphers = new LinkedHashSet<String>();
1247 1247
1248 // Set the starting ciphers - either from the included or enabled list 1248 // Set the starting ciphers - either from the included or enabled list
1249 if (_includeCipherSuites!=null) 1249 if (_includeCipherSuites!=null)
1250 { 1250 {
1251 // Use only the supported included ciphers 1251 // Use only the supported included ciphers
1252 for (String cipherSuite : _includeCipherSuites) 1252 for (String cipherSuite : _includeCipherSuites)
1253 if(Arrays.asList(supportedCipherSuites).contains(cipherSuite)) 1253 if(Arrays.asList(supportedCipherSuites).contains(cipherSuite))
1254 selected_ciphers.add(cipherSuite); 1254 selected_ciphers.add(cipherSuite);
1255 } 1255 }
1256 else 1256 else
1257 selected_ciphers.addAll(Arrays.asList(enabledCipherSuites)); 1257 selected_ciphers.addAll(Arrays.asList(enabledCipherSuites));
1258 1258
1259 1259
1260 // Remove any excluded ciphers 1260 // Remove any excluded ciphers
1261 if (_excludeCipherSuites != null) 1261 if (_excludeCipherSuites != null)
1262 selected_ciphers.removeAll(_excludeCipherSuites); 1262 selected_ciphers.removeAll(_excludeCipherSuites);
1263 return selected_ciphers.toArray(new String[selected_ciphers.size()]); 1263 return selected_ciphers.toArray(new String[selected_ciphers.size()]);
1264 } 1264 }
1265 1265
1266 /* ------------------------------------------------------------ */ 1266 /* ------------------------------------------------------------ */
1267 /** 1267 /**
1268 * Check if the lifecycle has been started and throw runtime exception 1268 * Check if the lifecycle has been started and throw runtime exception
1269 */ 1269 */
1270 protected void checkNotStarted() 1270 protected void checkNotStarted()
1271 { 1271 {
1272 if (isStarted()) 1272 if (isStarted())
1273 throw new IllegalStateException("Cannot modify configuration when "+getState()); 1273 throw new IllegalStateException("Cannot modify configuration when "+getState());
1274 } 1274 }
1275 1275
1276 /* ------------------------------------------------------------ */ 1276 /* ------------------------------------------------------------ */
1277 /** 1277 /**
1278 * @return true if CRL Distribution Points support is enabled 1278 * @return true if CRL Distribution Points support is enabled
1279 */ 1279 */
1280 public boolean isEnableCRLDP() 1280 public boolean isEnableCRLDP()
1281 { 1281 {
1282 return _enableCRLDP; 1282 return _enableCRLDP;
1283 } 1283 }
1284 1284
1285 /* ------------------------------------------------------------ */ 1285 /* ------------------------------------------------------------ */
1286 /** Enables CRL Distribution Points Support 1286 /** Enables CRL Distribution Points Support
1287 * @param enableCRLDP true - turn on, false - turns off 1287 * @param enableCRLDP true - turn on, false - turns off
1288 */ 1288 */
1289 public void setEnableCRLDP(boolean enableCRLDP) 1289 public void setEnableCRLDP(boolean enableCRLDP)
1290 { 1290 {
1291 checkNotStarted(); 1291 checkNotStarted();
1292 1292
1293 _enableCRLDP = enableCRLDP; 1293 _enableCRLDP = enableCRLDP;
1294 } 1294 }
1295 1295
1296 /* ------------------------------------------------------------ */ 1296 /* ------------------------------------------------------------ */
1297 /** 1297 /**
1298 * @return true if On-Line Certificate Status Protocol support is enabled 1298 * @return true if On-Line Certificate Status Protocol support is enabled
1299 */ 1299 */
1300 public boolean isEnableOCSP() 1300 public boolean isEnableOCSP()
1301 { 1301 {
1302 return _enableOCSP; 1302 return _enableOCSP;
1303 } 1303 }
1304 1304
1305 /* ------------------------------------------------------------ */ 1305 /* ------------------------------------------------------------ */
1306 /** Enables On-Line Certificate Status Protocol support 1306 /** Enables On-Line Certificate Status Protocol support
1307 * @param enableOCSP true - turn on, false - turn off 1307 * @param enableOCSP true - turn on, false - turn off
1308 */ 1308 */
1309 public void setEnableOCSP(boolean enableOCSP) 1309 public void setEnableOCSP(boolean enableOCSP)
1310 { 1310 {
1311 checkNotStarted(); 1311 checkNotStarted();
1312 1312
1313 _enableOCSP = enableOCSP; 1313 _enableOCSP = enableOCSP;
1314 } 1314 }
1315 1315
1316 /* ------------------------------------------------------------ */ 1316 /* ------------------------------------------------------------ */
1317 /** 1317 /**
1318 * @return Location of the OCSP Responder 1318 * @return Location of the OCSP Responder
1319 */ 1319 */
1320 public String getOcspResponderURL() 1320 public String getOcspResponderURL()
1321 { 1321 {
1322 return _ocspResponderURL; 1322 return _ocspResponderURL;
1323 } 1323 }
1324 1324
1325 /* ------------------------------------------------------------ */ 1325 /* ------------------------------------------------------------ */
1326 /** Set the location of the OCSP Responder. 1326 /** Set the location of the OCSP Responder.
1327 * @param ocspResponderURL location of the OCSP Responder 1327 * @param ocspResponderURL location of the OCSP Responder
1328 */ 1328 */
1329 public void setOcspResponderURL(String ocspResponderURL) 1329 public void setOcspResponderURL(String ocspResponderURL)
1330 { 1330 {
1331 checkNotStarted(); 1331 checkNotStarted();
1332 1332
1333 _ocspResponderURL = ocspResponderURL; 1333 _ocspResponderURL = ocspResponderURL;
1334 } 1334 }
1335 1335
1336 /* ------------------------------------------------------------ */ 1336 /* ------------------------------------------------------------ */
1337 /** Set the key store. 1337 /** Set the key store.
1338 * @param keyStore the key store to set 1338 * @param keyStore the key store to set
1339 */ 1339 */
1340 public void setKeyStore(KeyStore keyStore) 1340 public void setKeyStore(KeyStore keyStore)
1341 { 1341 {
1342 checkNotStarted(); 1342 checkNotStarted();
1343 1343
1344 _keyStore = keyStore; 1344 _keyStore = keyStore;
1345 } 1345 }
1346 1346
1347 /* ------------------------------------------------------------ */ 1347 /* ------------------------------------------------------------ */
1348 /** Set the trust store. 1348 /** Set the trust store.
1349 * @param trustStore the trust store to set 1349 * @param trustStore the trust store to set
1350 */ 1350 */
1351 public void setTrustStore(KeyStore trustStore) 1351 public void setTrustStore(KeyStore trustStore)
1352 { 1352 {
1353 checkNotStarted(); 1353 checkNotStarted();
1354 1354
1355 _trustStore = trustStore; 1355 _trustStore = trustStore;
1356 } 1356 }
1357 1357
1358 /* ------------------------------------------------------------ */ 1358 /* ------------------------------------------------------------ */
1359 /** Set the key store resource. 1359 /** Set the key store resource.
1360 * @param resource the key store resource to set 1360 * @param resource the key store resource to set
1361 */ 1361 */
1362 public void setKeyStoreResource(Resource resource) 1362 public void setKeyStoreResource(Resource resource)
1363 { 1363 {
1364 checkNotStarted(); 1364 checkNotStarted();
1365 1365
1366 try 1366 try
1367 { 1367 {
1368 _keyStoreInputStream = resource.getInputStream(); 1368 _keyStoreInputStream = resource.getInputStream();
1369 } 1369 }
1370 catch (IOException e) 1370 catch (IOException e)
1371 { 1371 {
1372 throw new InvalidParameterException("Unable to get resource "+ 1372 throw new InvalidParameterException("Unable to get resource "+
1373 "input stream for resource "+resource.toString()); 1373 "input stream for resource "+resource.toString());
1374 } 1374 }
1375 } 1375 }
1376 1376
1377 /* ------------------------------------------------------------ */ 1377 /* ------------------------------------------------------------ */
1378 /** Set the trust store resource. 1378 /** Set the trust store resource.
1379 * @param resource the trust store resource to set 1379 * @param resource the trust store resource to set
1380 */ 1380 */
1381 public void setTrustStoreResource(Resource resource) 1381 public void setTrustStoreResource(Resource resource)
1382 { 1382 {
1383 checkNotStarted(); 1383 checkNotStarted();
1384 1384
1385 try 1385 try
1386 { 1386 {
1387 _trustStoreInputStream = resource.getInputStream(); 1387 _trustStoreInputStream = resource.getInputStream();
1388 } 1388 }
1389 catch (IOException e) 1389 catch (IOException e)
1390 { 1390 {
1391 throw new InvalidParameterException("Unable to get resource "+ 1391 throw new InvalidParameterException("Unable to get resource "+
1392 "input stream for resource "+resource.toString()); 1392 "input stream for resource "+resource.toString());
1393 } 1393 }
1394 } 1394 }
1395 1395
1396 /* ------------------------------------------------------------ */ 1396 /* ------------------------------------------------------------ */
1397 /** 1397 /**
1398 * @return true if SSL Session caching is enabled 1398 * @return true if SSL Session caching is enabled
1399 */ 1399 */
1400 public boolean isSessionCachingEnabled() 1400 public boolean isSessionCachingEnabled()
1401 { 1401 {
1402 return _sessionCachingEnabled; 1402 return _sessionCachingEnabled;
1403 } 1403 }
1404 1404
1405 /* ------------------------------------------------------------ */ 1405 /* ------------------------------------------------------------ */
1406 /** Set the flag to enable SSL Session caching. 1406 /** Set the flag to enable SSL Session caching.
1407 * @param enableSessionCaching the value of the flag 1407 * @param enableSessionCaching the value of the flag
1408 */ 1408 */
1409 public void setSessionCachingEnabled(boolean enableSessionCaching) 1409 public void setSessionCachingEnabled(boolean enableSessionCaching)
1410 { 1410 {
1411 _sessionCachingEnabled = enableSessionCaching; 1411 _sessionCachingEnabled = enableSessionCaching;
1412 } 1412 }
1413 1413
1414 /* ------------------------------------------------------------ */ 1414 /* ------------------------------------------------------------ */
1415 /** Get SSL session cache size. 1415 /** Get SSL session cache size.
1416 * @return SSL session cache size 1416 * @return SSL session cache size
1417 */ 1417 */
1418 public int getSslSessionCacheSize() 1418 public int getSslSessionCacheSize()
1419 { 1419 {
1420 return _sslSessionCacheSize; 1420 return _sslSessionCacheSize;
1421 } 1421 }
1422 1422
1423 /* ------------------------------------------------------------ */ 1423 /* ------------------------------------------------------------ */
1424 /** SEt SSL session cache size. 1424 /** SEt SSL session cache size.
1425 * @param sslSessionCacheSize SSL session cache size to set 1425 * @param sslSessionCacheSize SSL session cache size to set
1426 */ 1426 */
1427 public void setSslSessionCacheSize(int sslSessionCacheSize) 1427 public void setSslSessionCacheSize(int sslSessionCacheSize)
1428 { 1428 {
1429 _sslSessionCacheSize = sslSessionCacheSize; 1429 _sslSessionCacheSize = sslSessionCacheSize;
1430 } 1430 }
1431 1431
1432 /* ------------------------------------------------------------ */ 1432 /* ------------------------------------------------------------ */
1433 /** Get SSL session timeout. 1433 /** Get SSL session timeout.
1434 * @return SSL session timeout 1434 * @return SSL session timeout
1435 */ 1435 */
1436 public int getSslSessionTimeout() 1436 public int getSslSessionTimeout()
1437 { 1437 {
1438 return _sslSessionTimeout; 1438 return _sslSessionTimeout;
1439 } 1439 }
1440 1440
1441 /* ------------------------------------------------------------ */ 1441 /* ------------------------------------------------------------ */
1442 /** Set SSL session timeout. 1442 /** Set SSL session timeout.
1443 * @param sslSessionTimeout SSL session timeout to set 1443 * @param sslSessionTimeout SSL session timeout to set
1444 */ 1444 */
1445 public void setSslSessionTimeout(int sslSessionTimeout) 1445 public void setSslSessionTimeout(int sslSessionTimeout)
1446 { 1446 {
1447 _sslSessionTimeout = sslSessionTimeout; 1447 _sslSessionTimeout = sslSessionTimeout;
1448 } 1448 }
1449 1449
1450 1450
1451 /* ------------------------------------------------------------ */ 1451 /* ------------------------------------------------------------ */
1452 public SSLServerSocket newSslServerSocket(String host,int port,int backlog) throws IOException 1452 public SSLServerSocket newSslServerSocket(String host,int port,int backlog) throws IOException
1453 { 1453 {
1454 SSLServerSocketFactory factory = _context.getServerSocketFactory(); 1454 SSLServerSocketFactory factory = _context.getServerSocketFactory();
1455 1455
1456 SSLServerSocket socket = 1456 SSLServerSocket socket =
1457 (SSLServerSocket) (host==null ? 1457 (SSLServerSocket) (host==null ?
1458 factory.createServerSocket(port,backlog): 1458 factory.createServerSocket(port,backlog):
1459 factory.createServerSocket(port,backlog,InetAddress.getByName(host))); 1459 factory.createServerSocket(port,backlog,InetAddress.getByName(host)));
1460 1460
1461 if (getWantClientAuth()) 1461 if (getWantClientAuth())
1462 socket.setWantClientAuth(getWantClientAuth()); 1462 socket.setWantClientAuth(getWantClientAuth());
1463 if (getNeedClientAuth()) 1463 if (getNeedClientAuth())
1464 socket.setNeedClientAuth(getNeedClientAuth()); 1464 socket.setNeedClientAuth(getNeedClientAuth());
1465 1465
1466 socket.setEnabledCipherSuites(selectCipherSuites( 1466 socket.setEnabledCipherSuites(selectCipherSuites(
1467 socket.getEnabledCipherSuites(), 1467 socket.getEnabledCipherSuites(),
1468 socket.getSupportedCipherSuites())); 1468 socket.getSupportedCipherSuites()));
1469 socket.setEnabledProtocols(selectProtocols(socket.getEnabledProtocols(),socket.getSupportedProtocols())); 1469 socket.setEnabledProtocols(selectProtocols(socket.getEnabledProtocols(),socket.getSupportedProtocols()));
1470 1470
1471 return socket; 1471 return socket;
1472 } 1472 }
1473 1473
1474 /* ------------------------------------------------------------ */ 1474 /* ------------------------------------------------------------ */
1475 public SSLSocket newSslSocket() throws IOException 1475 public SSLSocket newSslSocket() throws IOException
1476 { 1476 {
1477 SSLSocketFactory factory = _context.getSocketFactory(); 1477 SSLSocketFactory factory = _context.getSocketFactory();
1478 1478
1479 SSLSocket socket = (SSLSocket)factory.createSocket(); 1479 SSLSocket socket = (SSLSocket)factory.createSocket();
1480 1480
1481 if (getWantClientAuth()) 1481 if (getWantClientAuth())
1482 socket.setWantClientAuth(getWantClientAuth()); 1482 socket.setWantClientAuth(getWantClientAuth());
1483 if (getNeedClientAuth()) 1483 if (getNeedClientAuth())
1484 socket.setNeedClientAuth(getNeedClientAuth()); 1484 socket.setNeedClientAuth(getNeedClientAuth());
1485 1485
1486 socket.setEnabledCipherSuites(selectCipherSuites( 1486 socket.setEnabledCipherSuites(selectCipherSuites(
1487 socket.getEnabledCipherSuites(), 1487 socket.getEnabledCipherSuites(),
1488 socket.getSupportedCipherSuites())); 1488 socket.getSupportedCipherSuites()));
1489 socket.setEnabledProtocols(selectProtocols(socket.getEnabledProtocols(),socket.getSupportedProtocols())); 1489 socket.setEnabledProtocols(selectProtocols(socket.getEnabledProtocols(),socket.getSupportedProtocols()));
1490 1490
1491 return socket; 1491 return socket;
1492 } 1492 }
1493 1493
1494 /* ------------------------------------------------------------ */ 1494 /* ------------------------------------------------------------ */
1495 public SSLEngine newSslEngine(String host,int port) 1495 public SSLEngine newSslEngine(String host,int port)
1496 { 1496 {
1497 SSLEngine sslEngine=isSessionCachingEnabled() 1497 SSLEngine sslEngine=isSessionCachingEnabled()
1498 ?_context.createSSLEngine(host, port) 1498 ?_context.createSSLEngine(host, port)
1499 :_context.createSSLEngine(); 1499 :_context.createSSLEngine();
1500 1500
1501 customize(sslEngine); 1501 customize(sslEngine);
1502 return sslEngine; 1502 return sslEngine;
1503 } 1503 }
1504 1504
1505 /* ------------------------------------------------------------ */ 1505 /* ------------------------------------------------------------ */
1506 public SSLEngine newSslEngine() 1506 public SSLEngine newSslEngine()
1507 { 1507 {
1508 SSLEngine sslEngine=_context.createSSLEngine(); 1508 SSLEngine sslEngine=_context.createSSLEngine();
1509 customize(sslEngine); 1509 customize(sslEngine);
1510 return sslEngine; 1510 return sslEngine;
1511 } 1511 }
1512 1512
1513 /* ------------------------------------------------------------ */ 1513 /* ------------------------------------------------------------ */
1514 public void customize(SSLEngine sslEngine) 1514 public void customize(SSLEngine sslEngine)
1515 { 1515 {
1516 if (getWantClientAuth()) 1516 if (getWantClientAuth())
1517 sslEngine.setWantClientAuth(getWantClientAuth()); 1517 sslEngine.setWantClientAuth(getWantClientAuth());
1518 if (getNeedClientAuth()) 1518 if (getNeedClientAuth())
1519 sslEngine.setNeedClientAuth(getNeedClientAuth()); 1519 sslEngine.setNeedClientAuth(getNeedClientAuth());
1520 1520
1521 sslEngine.setEnabledCipherSuites(selectCipherSuites( 1521 sslEngine.setEnabledCipherSuites(selectCipherSuites(
1522 sslEngine.getEnabledCipherSuites(), 1522 sslEngine.getEnabledCipherSuites(),
1523 sslEngine.getSupportedCipherSuites())); 1523 sslEngine.getSupportedCipherSuites()));
1524 1524
1525 sslEngine.setEnabledProtocols(selectProtocols(sslEngine.getEnabledProtocols(),sslEngine.getSupportedProtocols())); 1525 sslEngine.setEnabledProtocols(selectProtocols(sslEngine.getEnabledProtocols(),sslEngine.getSupportedProtocols()));
1526 } 1526 }
1527 1527
1528 /* ------------------------------------------------------------ */ 1528 /* ------------------------------------------------------------ */
1529 public String toString() 1529 public String toString()
1530 { 1530 {
1531 return String.format("%s@%x(%s,%s)", 1531 return String.format("%s@%x(%s,%s)",
1532 getClass().getSimpleName(), 1532 getClass().getSimpleName(),
1533 hashCode(), 1533 hashCode(),
1534 _keyStorePath, 1534 _keyStorePath,
1535 _trustStorePath); 1535 _trustStorePath);
1536 } 1536 }
1537 } 1537 }