Mercurial Hosting > luan
changeset 1002:35d04ac3fd0b
simplify ssl
author | Franklin Schmidt <fschmidt@gmail.com> |
---|---|
date | Sat, 22 Oct 2016 21:56:44 -0600 (2016-10-23) |
parents | 39154cfa58e4 |
children | 21910079096e |
files | src/org/eclipse/jetty/http/HttpParser.java src/org/eclipse/jetty/io/nio/SelectChannelEndPoint.java src/org/eclipse/jetty/io/nio/SslConnection.java src/org/eclipse/jetty/server/ssl/SslSelectChannelConnector.java src/org/eclipse/jetty/util/ssl/SslContextFactory.java |
diffstat | 5 files changed, 1279 insertions(+), 1695 deletions(-) [+] |
line wrap: on
line diff
--- a/src/org/eclipse/jetty/http/HttpParser.java Sat Oct 22 20:56:41 2016 -0600 +++ b/src/org/eclipse/jetty/http/HttpParser.java Sat Oct 22 21:56:44 2016 -0600 @@ -950,7 +950,7 @@ _buffer.clear(); throw new HttpException(HttpStatus.REQUEST_ENTITY_TOO_LARGE_413, "Request Entity Too Large: "+(_buffer==_body?"body":"head")); } - +/* why? try { int filled = _endp.fill(_buffer); @@ -961,6 +961,8 @@ LOG.debug("",e); throw (e instanceof EofException) ? e:new EofException(e); } +*/ + return _endp.fill(_buffer); } public void reset()
--- a/src/org/eclipse/jetty/io/nio/SelectChannelEndPoint.java Sat Oct 22 20:56:41 2016 -0600 +++ b/src/org/eclipse/jetty/io/nio/SelectChannelEndPoint.java Sat Oct 22 21:56:44 2016 -0600 @@ -336,17 +336,20 @@ } catch (ClosedChannelException e) { - LOG.trace("",e); + LOG.warn("",e); +// LOG.trace("",e); } catch (EofException e) { - LOG.debug("EOF", e); + LOG.warn("EOF", e); +// LOG.debug("EOF", e); try{close();} catch(IOException e2){LOG.trace("",e2);} } catch (IOException e) { - LOG.warn(e.toString()); + LOG.warn("",e); +// LOG.warn(e.toString()); try{close();} catch(IOException e2){LOG.trace("",e2);} }
--- a/src/org/eclipse/jetty/io/nio/SslConnection.java Sat Oct 22 20:56:41 2016 -0600 +++ b/src/org/eclipse/jetty/io/nio/SslConnection.java Sat Oct 22 21:56:44 2016 -0600 @@ -49,7 +49,7 @@ { private final Logger _logger = LoggerFactory.getLogger("org.eclipse.jetty.io.nio.ssl"); - private static final NIOBuffer __ZERO_BUFFER=new IndirectNIOBuffer(0); + private static final NIOBuffer __ZERO_BUFFER = new IndirectNIOBuffer(0); private static final ThreadLocal<SslBuffers> __buffers = new ThreadLocal<SslBuffers>(); private final SSLEngine _engine; @@ -62,7 +62,7 @@ private NIOBuffer _unwrapBuf; private NIOBuffer _outbound; private final AsyncEndPoint _aEndp; - private boolean _allowRenegotiate=true; + private boolean _allowRenegotiate = true; private boolean _handshook; private boolean _ishut; private boolean _oshut; @@ -88,23 +88,14 @@ public SslConnection(SSLEngine engine,AsyncEndPoint endp) { super(endp); - _engine=engine; - _session=_engine.getSession(); - _aEndp=endp; + _engine = engine; + _session = _engine.getSession(); + _aEndp = endp; _sslEndPoint = new SslEndPoint(); } /* ------------------------------------------------------------ */ /** - * @return True if SSL re-negotiation is allowed (default false) - */ - public boolean isAllowRenegotiate() - { - return _allowRenegotiate; - } - - /* ------------------------------------------------------------ */ - /** * Set if SSL re-negotiation is allowed. CVE-2009-3555 discovered * a vulnerability in SSL/TLS with re-negotiation. If your JVM * does not have CVE-2009-3555 fixed, then re-negotiation should @@ -119,7 +110,6 @@ _allowRenegotiate = allowRenegotiate; } - /* ------------------------------------------------------------ */ private void allocateBuffers() { synchronized (this) @@ -140,7 +130,6 @@ } } - /* ------------------------------------------------------------ */ private void releaseBuffers() { synchronized (this) @@ -207,14 +196,15 @@ } } + @Override public boolean isSuspended() { return false; } + @Override public void onInputShutdown() throws IOException { - } private synchronized boolean process(Buffer toFill, Buffer toFlush) throws IOException @@ -261,7 +251,7 @@ // If we have no data to flush, flush the empty buffer if (toFlush==null) - toFlush=__ZERO_BUFFER; + toFlush = __ZERO_BUFFER; // While we are making progress processing SSL engine boolean progress=true;
--- a/src/org/eclipse/jetty/server/ssl/SslSelectChannelConnector.java Sat Oct 22 20:56:41 2016 -0600 +++ b/src/org/eclipse/jetty/server/ssl/SslSelectChannelConnector.java Sat Oct 22 21:56:44 2016 -0600 @@ -49,7 +49,7 @@ * * @org.apache.xbean.XBean element="sslConnector" description="Creates an NIO ssl connector" */ -public class SslSelectChannelConnector extends SelectChannelConnector +public final class SslSelectChannelConnector extends SelectChannelConnector { private final SslContextFactory _sslContextFactory; private Buffers _sslBuffers; @@ -116,400 +116,6 @@ /* ------------------------------------------------------------ */ /** - * @return True if SSL re-negotiation is allowed (default false) - * @deprecated - */ - @Deprecated - public boolean isAllowRenegotiate() - { - return _sslContextFactory.isAllowRenegotiate(); - } - - /* ------------------------------------------------------------ */ - /** - * Set if SSL re-negotiation is allowed. CVE-2009-3555 discovered - * a vulnerability in SSL/TLS with re-negotiation. If your JVM - * does not have CVE-2009-3555 fixed, then re-negotiation should - * not be allowed. CVE-2009-3555 was fixed in Sun java 1.6 with a ban - * of renegotiate in u19 and with RFC5746 in u22. - * @param allowRenegotiate true if re-negotiation is allowed (default false) - * @deprecated - */ - @Deprecated - public void setAllowRenegotiate(boolean allowRenegotiate) - { - _sslContextFactory.setAllowRenegotiate(allowRenegotiate); - } - - /* ------------------------------------------------------------ */ - /** - * @see org.eclipse.jetty.server.ssl.SslConnector#getExcludeCipherSuites() - * @deprecated - */ - @Deprecated - public String[] getExcludeCipherSuites() - { - return _sslContextFactory.getExcludeCipherSuites(); - } - - /* ------------------------------------------------------------ */ - /** - * @see org.eclipse.jetty.server.ssl.SslConnector#setExcludeCipherSuites(java.lang.String[]) - * @deprecated - */ - @Deprecated - public void setExcludeCipherSuites(String[] cipherSuites) - { - _sslContextFactory.setExcludeCipherSuites(cipherSuites); - } - - /* ------------------------------------------------------------ */ - /** - * @see org.eclipse.jetty.server.ssl.SslConnector#getExcludeCipherSuites() - * @deprecated - */ - @Deprecated - public String[] getIncludeCipherSuites() - { - return _sslContextFactory.getIncludeCipherSuites(); - } - - /* ------------------------------------------------------------ */ - /** - * @see org.eclipse.jetty.server.ssl.SslConnector#setExcludeCipherSuites(java.lang.String[]) - * @deprecated - */ - @Deprecated - public void setIncludeCipherSuites(String[] cipherSuites) - { - _sslContextFactory.setIncludeCipherSuites(cipherSuites); - } - - /* ------------------------------------------------------------ */ - /** - * @see org.eclipse.jetty.server.ssl.SslConnector#setPassword(java.lang.String) - * @deprecated - */ - @Deprecated - public void setPassword(String password) - { - _sslContextFactory.setKeyStorePassword(password); - } - - /* ------------------------------------------------------------ */ - /** - * @see org.eclipse.jetty.server.ssl.SslConnector#setTrustPassword(java.lang.String) - * @deprecated - */ - @Deprecated - public void setTrustPassword(String password) - { - _sslContextFactory.setTrustStorePassword(password); - } - - /* ------------------------------------------------------------ */ - /** - * @see org.eclipse.jetty.server.ssl.SslConnector#setKeyPassword(java.lang.String) - * @deprecated - */ - @Deprecated - public void setKeyPassword(String password) - { - _sslContextFactory.setKeyManagerPassword(password); - } - - /* ------------------------------------------------------------ */ - /** - * Unsupported. - * - * TODO: we should remove this as it is no longer an overridden method from SslConnector (like it was in the past) - * @deprecated - */ - @Deprecated - public String getAlgorithm() - { - throw new UnsupportedOperationException(); - } - - /* ------------------------------------------------------------ */ - /** - * Unsupported. - * - * TODO: we should remove this as it is no longer an overridden method from SslConnector (like it was in the past) - * @deprecated - */ - @Deprecated - public void setAlgorithm(String algorithm) - { - throw new UnsupportedOperationException(); - } - - /* ------------------------------------------------------------ */ - /** - * @see org.eclipse.jetty.server.ssl.SslConnector#getProtocol() - * @deprecated - */ - @Deprecated - public String getProtocol() - { - return _sslContextFactory.getProtocol(); - } - - /* ------------------------------------------------------------ */ - /** - * @see org.eclipse.jetty.server.ssl.SslConnector#setProtocol(java.lang.String) - * @deprecated - */ - @Deprecated - public void setProtocol(String protocol) - { - _sslContextFactory.setProtocol(protocol); - } - - /* ------------------------------------------------------------ */ - /** - * @see org.eclipse.jetty.server.ssl.SslConnector#setKeystore(java.lang.String) - * @deprecated - */ - @Deprecated - public void setKeystore(String keystore) - { - _sslContextFactory.setKeyStorePath(keystore); - } - - /* ------------------------------------------------------------ */ - /** - * @see org.eclipse.jetty.server.ssl.SslConnector#getKeystore() - * @deprecated - */ - @Deprecated - public String getKeystore() - { - return _sslContextFactory.getKeyStorePath(); - } - - /* ------------------------------------------------------------ */ - /** - * @see org.eclipse.jetty.server.ssl.SslConnector#getKeystoreType() - * @deprecated - */ - @Deprecated - public String getKeystoreType() - { - return _sslContextFactory.getKeyStoreType(); - } - - /* ------------------------------------------------------------ */ - /** - * @see org.eclipse.jetty.server.ssl.SslConnector#getNeedClientAuth() - * @deprecated - */ - @Deprecated - public boolean getNeedClientAuth() - { - return _sslContextFactory.getNeedClientAuth(); - } - - /* ------------------------------------------------------------ */ - /** - * @see org.eclipse.jetty.server.ssl.SslConnector#getWantClientAuth() - * @deprecated - */ - @Deprecated - public boolean getWantClientAuth() - { - return _sslContextFactory.getWantClientAuth(); - } - - /* ------------------------------------------------------------ */ - /** - * @see org.eclipse.jetty.server.ssl.SslConnector#setNeedClientAuth(boolean) - * @deprecated - */ - @Deprecated - public void setNeedClientAuth(boolean needClientAuth) - { - _sslContextFactory.setNeedClientAuth(needClientAuth); - } - - /* ------------------------------------------------------------ */ - /** - * @see org.eclipse.jetty.server.ssl.SslConnector#setWantClientAuth(boolean) - * @deprecated - */ - @Deprecated - public void setWantClientAuth(boolean wantClientAuth) - { - _sslContextFactory.setWantClientAuth(wantClientAuth); - } - - /* ------------------------------------------------------------ */ - /** - * @see org.eclipse.jetty.server.ssl.SslConnector#setKeystoreType(java.lang.String) - * @deprecated - */ - @Deprecated - public void setKeystoreType(String keystoreType) - { - _sslContextFactory.setKeyStoreType(keystoreType); - } - - /* ------------------------------------------------------------ */ - /** - * @see org.eclipse.jetty.server.ssl.SslConnector#getProvider() - * @deprecated - */ - @Deprecated - public String getProvider() - { - return _sslContextFactory.getProvider(); - } - - /* ------------------------------------------------------------ */ - /** - * @see org.eclipse.jetty.server.ssl.SslConnector#getSecureRandomAlgorithm() - * @deprecated - */ - @Deprecated - public String getSecureRandomAlgorithm() - { - return _sslContextFactory.getSecureRandomAlgorithm(); - } - - /* ------------------------------------------------------------ */ - /** - * @see org.eclipse.jetty.server.ssl.SslConnector#getSslKeyManagerFactoryAlgorithm() - * @deprecated - */ - @Deprecated - public String getSslKeyManagerFactoryAlgorithm() - { - return _sslContextFactory.getSslKeyManagerFactoryAlgorithm(); - } - - /* ------------------------------------------------------------ */ - /** - * @see org.eclipse.jetty.server.ssl.SslConnector#getSslTrustManagerFactoryAlgorithm() - * @deprecated - */ - @Deprecated - public String getSslTrustManagerFactoryAlgorithm() - { - return _sslContextFactory.getTrustManagerFactoryAlgorithm(); - } - - /* ------------------------------------------------------------ */ - /** - * @see org.eclipse.jetty.server.ssl.SslConnector#getTruststore() - * @deprecated - */ - @Deprecated - public String getTruststore() - { - return _sslContextFactory.getTrustStore(); - } - - /* ------------------------------------------------------------ */ - /** - * @see org.eclipse.jetty.server.ssl.SslConnector#getTruststoreType() - * @deprecated - */ - @Deprecated - public String getTruststoreType() - { - return _sslContextFactory.getTrustStoreType(); - } - - /* ------------------------------------------------------------ */ - /** - * @see org.eclipse.jetty.server.ssl.SslConnector#setProvider(java.lang.String) - * @deprecated - */ - @Deprecated - public void setProvider(String provider) - { - _sslContextFactory.setProvider(provider); - } - - /* ------------------------------------------------------------ */ - /** - * @see org.eclipse.jetty.server.ssl.SslConnector#setSecureRandomAlgorithm(java.lang.String) - * @deprecated - */ - @Deprecated - public void setSecureRandomAlgorithm(String algorithm) - { - _sslContextFactory.setSecureRandomAlgorithm(algorithm); - } - - /* ------------------------------------------------------------ */ - /** - * @see org.eclipse.jetty.server.ssl.SslConnector#setSslKeyManagerFactoryAlgorithm(java.lang.String) - * @deprecated - */ - @Deprecated - public void setSslKeyManagerFactoryAlgorithm(String algorithm) - { - _sslContextFactory.setSslKeyManagerFactoryAlgorithm(algorithm); - } - - /* ------------------------------------------------------------ */ - /** - * @see org.eclipse.jetty.server.ssl.SslConnector#setSslTrustManagerFactoryAlgorithm(java.lang.String) - * @deprecated - */ - @Deprecated - public void setSslTrustManagerFactoryAlgorithm(String algorithm) - { - _sslContextFactory.setTrustManagerFactoryAlgorithm(algorithm); - } - - /* ------------------------------------------------------------ */ - /** - * @see org.eclipse.jetty.server.ssl.SslConnector#setTruststore(java.lang.String) - * @deprecated - */ - @Deprecated - public void setTruststore(String truststore) - { - _sslContextFactory.setTrustStore(truststore); - } - - /* ------------------------------------------------------------ */ - /** - * @see org.eclipse.jetty.server.ssl.SslConnector#setTruststoreType(java.lang.String) - * @deprecated - */ - @Deprecated - public void setTruststoreType(String truststoreType) - { - _sslContextFactory.setTrustStoreType(truststoreType); - } - - /* ------------------------------------------------------------ */ - /** - * @see org.eclipse.jetty.server.ssl.SslConnector#setSslContext(javax.net.ssl.SSLContext) - * @deprecated - */ - @Deprecated - public void setSslContext(SSLContext sslContext) - { - _sslContextFactory.setSslContext(sslContext); - } - - /* ------------------------------------------------------------ */ - /** - * @see org.eclipse.jetty.server.ssl.SslConnector#setSslContext(javax.net.ssl.SSLContext) - * @deprecated - */ - @Deprecated - public SSLContext getSslContext() - { - return _sslContextFactory.getSslContext(); - } - - /* ------------------------------------------------------------ */ - /** * @see org.eclipse.jetty.server.ssl.SslConnector#getSslContextFactory() */ public SslContextFactory getSslContextFactory() @@ -557,20 +163,11 @@ * @return A SSLEngine for a new or cached SSL Session * @throws IOException if the SSLEngine cannot be created */ - protected SSLEngine createSSLEngine(SocketChannel channel) throws IOException + private SSLEngine createSSLEngine(SocketChannel channel) throws IOException { - SSLEngine engine; - if (channel != null) - { - String peerHost = channel.socket().getInetAddress().getHostAddress(); - int peerPort = channel.socket().getPort(); - engine = _sslContextFactory.newSslEngine(peerHost, peerPort); - } - else - { - engine = _sslContextFactory.newSslEngine(); - } - + String peerHost = channel.socket().getInetAddress().getHostAddress(); + int peerPort = channel.socket().getPort(); + SSLEngine engine = _sslContextFactory.newSslEngine(peerHost, peerPort); engine.setUseClientMode(false); return engine; } @@ -612,16 +209,8 @@ @Override protected void doStop() throws Exception { - _sslBuffers=null; + _sslBuffers = null; super.doStop(); } - /* ------------------------------------------------------------ */ - /** - * @return SSL buffers - */ - public Buffers getSslBuffers() - { - return _sslBuffers; - } }
--- a/src/org/eclipse/jetty/util/ssl/SslContextFactory.java Sat Oct 22 20:56:41 2016 -0600 +++ b/src/org/eclipse/jetty/util/ssl/SslContextFactory.java Sat Oct 22 21:56:44 2016 -0600 @@ -73,1465 +73,1465 @@ */ public class SslContextFactory extends AbstractLifeCycle { - public final static TrustManager[] TRUST_ALL_CERTS = new X509TrustManager[]{new X509TrustManager() - { - public java.security.cert.X509Certificate[] getAcceptedIssuers() - { - return new java.security.cert.X509Certificate[]{}; - } + public final static TrustManager[] TRUST_ALL_CERTS = new X509TrustManager[]{new X509TrustManager() + { + public java.security.cert.X509Certificate[] getAcceptedIssuers() + { + return new java.security.cert.X509Certificate[]{}; + } - public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) - { - } + public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) + { + } - public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) - { - } - }}; + public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) + { + } + }}; - private static final Logger LOG = LoggerFactory.getLogger(SslContextFactory.class); + private static final Logger LOG = LoggerFactory.getLogger(SslContextFactory.class); - public static final String DEFAULT_KEYMANAGERFACTORY_ALGORITHM = - (Security.getProperty("ssl.KeyManagerFactory.algorithm") == null ? - "SunX509" : Security.getProperty("ssl.KeyManagerFactory.algorithm")); - public static final String DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM = - (Security.getProperty("ssl.TrustManagerFactory.algorithm") == null ? - "SunX509" : Security.getProperty("ssl.TrustManagerFactory.algorithm")); + public static final String DEFAULT_KEYMANAGERFACTORY_ALGORITHM = + (Security.getProperty("ssl.KeyManagerFactory.algorithm") == null ? + "SunX509" : Security.getProperty("ssl.KeyManagerFactory.algorithm")); + public static final String DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM = + (Security.getProperty("ssl.TrustManagerFactory.algorithm") == null ? + "SunX509" : Security.getProperty("ssl.TrustManagerFactory.algorithm")); - /** Default value for the keystore location path. */ - public static final String DEFAULT_KEYSTORE_PATH = - System.getProperty("user.home") + File.separator + ".keystore"; + /** Default value for the keystore location path. */ + public static final String DEFAULT_KEYSTORE_PATH = + System.getProperty("user.home") + File.separator + ".keystore"; - /** String name of key password property. */ - public static final String KEYPASSWORD_PROPERTY = "org.eclipse.jetty.ssl.keypassword"; + /** String name of key password property. */ + public static final String KEYPASSWORD_PROPERTY = "org.eclipse.jetty.ssl.keypassword"; - /** String name of keystore password property. */ - public static final String PASSWORD_PROPERTY = "org.eclipse.jetty.ssl.password"; + /** String name of keystore password property. */ + public static final String PASSWORD_PROPERTY = "org.eclipse.jetty.ssl.password"; - /** Excluded protocols. */ - private final Set<String> _excludeProtocols = new LinkedHashSet<String>(); - /** Included protocols. */ - private Set<String> _includeProtocols = null; + /** Excluded protocols. */ + private final Set<String> _excludeProtocols = new LinkedHashSet<String>(); + /** Included protocols. */ + private Set<String> _includeProtocols = null; - /** Excluded cipher suites. */ - private final Set<String> _excludeCipherSuites = new LinkedHashSet<String>(); - /** Included cipher suites. */ - private Set<String> _includeCipherSuites = null; + /** Excluded cipher suites. */ + private final Set<String> _excludeCipherSuites = new LinkedHashSet<String>(); + /** Included cipher suites. */ + private Set<String> _includeCipherSuites = null; - /** Keystore path. */ - private String _keyStorePath; - /** Keystore provider name */ - private String _keyStoreProvider; - /** Keystore type */ - private String _keyStoreType = "JKS"; - /** Keystore input stream */ - private InputStream _keyStoreInputStream; + /** Keystore path. */ + private String _keyStorePath; + /** Keystore provider name */ + private String _keyStoreProvider; + /** Keystore type */ + private String _keyStoreType = "JKS"; + /** Keystore input stream */ + private InputStream _keyStoreInputStream; - /** SSL certificate alias */ - private String _certAlias; + /** SSL certificate alias */ + private String _certAlias; - /** Truststore path */ - private String _trustStorePath; - /** Truststore provider name */ - private String _trustStoreProvider; - /** Truststore type */ - private String _trustStoreType = "JKS"; - /** Truststore input stream */ - private InputStream _trustStoreInputStream; + /** Truststore path */ + private String _trustStorePath; + /** Truststore provider name */ + private String _trustStoreProvider; + /** Truststore type */ + private String _trustStoreType = "JKS"; + /** Truststore input stream */ + private InputStream _trustStoreInputStream; - /** Set to true if client certificate authentication is required */ - private boolean _needClientAuth = false; - /** Set to true if client certificate authentication is desired */ - private boolean _wantClientAuth = false; + /** Set to true if client certificate authentication is required */ + private boolean _needClientAuth = false; + /** Set to true if client certificate authentication is desired */ + private boolean _wantClientAuth = false; - /** Set to true if renegotiation is allowed */ - private boolean _allowRenegotiate = true; + /** Set to true if renegotiation is allowed */ + private boolean _allowRenegotiate = true; - /** Keystore password */ - private transient Password _keyStorePassword; - /** Key manager password */ - private transient Password _keyManagerPassword; - /** Truststore password */ - private transient Password _trustStorePassword; + /** Keystore password */ + private transient Password _keyStorePassword; + /** Key manager password */ + private transient Password _keyManagerPassword; + /** Truststore password */ + private transient Password _trustStorePassword; - /** SSL provider name */ - private String _sslProvider; - /** SSL protocol name */ - private String _sslProtocol = "TLS"; + /** SSL provider name */ + private String _sslProvider; + /** SSL protocol name */ + private String _sslProtocol = "TLS"; - /** SecureRandom algorithm */ - private String _secureRandomAlgorithm; - /** KeyManager factory algorithm */ - private String _keyManagerFactoryAlgorithm = DEFAULT_KEYMANAGERFACTORY_ALGORITHM; - /** TrustManager factory algorithm */ - private String _trustManagerFactoryAlgorithm = DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM; + /** SecureRandom algorithm */ + private String _secureRandomAlgorithm; + /** KeyManager factory algorithm */ + private String _keyManagerFactoryAlgorithm = DEFAULT_KEYMANAGERFACTORY_ALGORITHM; + /** TrustManager factory algorithm */ + private String _trustManagerFactoryAlgorithm = DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM; - /** Set to true if SSL certificate validation is required */ - private boolean _validateCerts; - /** Set to true if SSL certificate of the peer validation is required */ - private boolean _validatePeerCerts; - /** Maximum certification path length (n - number of intermediate certs, -1 for unlimited) */ - private int _maxCertPathLength = -1; - /** Path to file that contains Certificate Revocation List */ - private String _crlPath; - /** Set to true to enable CRL Distribution Points (CRLDP) support */ - private boolean _enableCRLDP = false; - /** Set to true to enable On-Line Certificate Status Protocol (OCSP) support */ - private boolean _enableOCSP = false; - /** Location of OCSP Responder */ - private String _ocspResponderURL; + /** Set to true if SSL certificate validation is required */ + private boolean _validateCerts; + /** Set to true if SSL certificate of the peer validation is required */ + private boolean _validatePeerCerts; + /** Maximum certification path length (n - number of intermediate certs, -1 for unlimited) */ + private int _maxCertPathLength = -1; + /** Path to file that contains Certificate Revocation List */ + private String _crlPath; + /** Set to true to enable CRL Distribution Points (CRLDP) support */ + private boolean _enableCRLDP = false; + /** Set to true to enable On-Line Certificate Status Protocol (OCSP) support */ + private boolean _enableOCSP = false; + /** Location of OCSP Responder */ + private String _ocspResponderURL; - /** SSL keystore */ - private KeyStore _keyStore; - /** SSL truststore */ - private KeyStore _trustStore; - /** Set to true to enable SSL Session caching */ - private boolean _sessionCachingEnabled = true; - /** SSL session cache size */ - private int _sslSessionCacheSize; - /** SSL session timeout */ - private int _sslSessionTimeout; + /** SSL keystore */ + private KeyStore _keyStore; + /** SSL truststore */ + private KeyStore _trustStore; + /** Set to true to enable SSL Session caching */ + private boolean _sessionCachingEnabled = true; + /** SSL session cache size */ + private int _sslSessionCacheSize; + /** SSL session timeout */ + private int _sslSessionTimeout; - /** SSL context */ - private SSLContext _context; + /** SSL context */ + private SSLContext _context; - private boolean _trustAll; + private boolean _trustAll; - /* ------------------------------------------------------------ */ - /** - * Construct an instance of SslContextFactory - * Default constructor for use in XmlConfiguration files - */ - public SslContextFactory() - { - _trustAll=true; - } + /* ------------------------------------------------------------ */ + /** + * Construct an instance of SslContextFactory + * Default constructor for use in XmlConfiguration files + */ + public SslContextFactory() + { + _trustAll=true; + } - /* ------------------------------------------------------------ */ - /** - * Construct an instance of SslContextFactory - * Default constructor for use in XmlConfiguration files - * @param trustAll whether to blindly trust all certificates - * @see #setTrustAll(boolean) - */ - public SslContextFactory(boolean trustAll) - { - _trustAll=trustAll; - } + /* ------------------------------------------------------------ */ + /** + * Construct an instance of SslContextFactory + * Default constructor for use in XmlConfiguration files + * @param trustAll whether to blindly trust all certificates + * @see #setTrustAll(boolean) + */ + public SslContextFactory(boolean trustAll) + { + _trustAll=trustAll; + } - /* ------------------------------------------------------------ */ - /** - * Construct an instance of SslContextFactory - * @param keyStorePath default keystore location - */ - public SslContextFactory(String keyStorePath) - { - _keyStorePath = keyStorePath; - } + /* ------------------------------------------------------------ */ + /** + * Construct an instance of SslContextFactory + * @param keyStorePath default keystore location + */ + public SslContextFactory(String keyStorePath) + { + _keyStorePath = keyStorePath; + } - /* ------------------------------------------------------------ */ - /** - * Create the SSLContext object and start the lifecycle - * @see org.eclipse.jetty.util.component.AbstractLifeCycle#doStart() - */ - @Override - protected void doStart() throws Exception - { - if (_context == null) - { - if (_keyStore==null && _keyStoreInputStream == null && _keyStorePath == null && - _trustStore==null && _trustStoreInputStream == null && _trustStorePath == null ) - { - TrustManager[] trust_managers=null; + /* ------------------------------------------------------------ */ + /** + * Create the SSLContext object and start the lifecycle + * @see org.eclipse.jetty.util.component.AbstractLifeCycle#doStart() + */ + @Override + protected void doStart() throws Exception + { + if (_context == null) + { + if (_keyStore==null && _keyStoreInputStream == null && _keyStorePath == null && + _trustStore==null && _trustStoreInputStream == null && _trustStorePath == null ) + { + TrustManager[] trust_managers=null; - if (_trustAll) - { - LOG.debug("No keystore or trust store configured. ACCEPTING UNTRUSTED CERTIFICATES!!!!!"); - // Create a trust manager that does not validate certificate chains - trust_managers = TRUST_ALL_CERTS; - } + if (_trustAll) + { + LOG.debug("No keystore or trust store configured. ACCEPTING UNTRUSTED CERTIFICATES!!!!!"); + // Create a trust manager that does not validate certificate chains + trust_managers = TRUST_ALL_CERTS; + } - SecureRandom secureRandom = (_secureRandomAlgorithm == null)?null:SecureRandom.getInstance(_secureRandomAlgorithm); - _context = SSLContext.getInstance(_sslProtocol); - _context.init(null, trust_managers, secureRandom); - } - else - { - // verify that keystore and truststore - // parameters are set up correctly - checkKeyStore(); + SecureRandom secureRandom = (_secureRandomAlgorithm == null)?null:SecureRandom.getInstance(_secureRandomAlgorithm); + _context = SSLContext.getInstance(_sslProtocol); + _context.init(null, trust_managers, secureRandom); + } + else + { + // verify that keystore and truststore + // parameters are set up correctly + checkKeyStore(); - KeyStore keyStore = loadKeyStore(); - KeyStore trustStore = loadTrustStore(); + KeyStore keyStore = loadKeyStore(); + KeyStore trustStore = loadTrustStore(); - Collection<? extends CRL> crls = loadCRL(_crlPath); + Collection<? extends CRL> crls = loadCRL(_crlPath); - if (_validateCerts && keyStore != null) - { - if (_certAlias == null) - { - List<String> aliases = Collections.list(keyStore.aliases()); - _certAlias = aliases.size() == 1 ? aliases.get(0) : null; - } + if (_validateCerts && keyStore != null) + { + if (_certAlias == null) + { + List<String> aliases = Collections.list(keyStore.aliases()); + _certAlias = aliases.size() == 1 ? aliases.get(0) : null; + } - Certificate cert = _certAlias == null?null:keyStore.getCertificate(_certAlias); - if (cert == null) - { - throw new Exception("No certificate found in the keystore" + (_certAlias==null ? "":" for alias " + _certAlias)); - } + Certificate cert = _certAlias == null?null:keyStore.getCertificate(_certAlias); + if (cert == null) + { + throw new Exception("No certificate found in the keystore" + (_certAlias==null ? "":" for alias " + _certAlias)); + } - CertificateValidator validator = new CertificateValidator(trustStore, crls); - validator.setMaxCertPathLength(_maxCertPathLength); - validator.setEnableCRLDP(_enableCRLDP); - validator.setEnableOCSP(_enableOCSP); - validator.setOcspResponderURL(_ocspResponderURL); - validator.validate(keyStore, cert); - } + CertificateValidator validator = new CertificateValidator(trustStore, crls); + validator.setMaxCertPathLength(_maxCertPathLength); + validator.setEnableCRLDP(_enableCRLDP); + validator.setEnableOCSP(_enableOCSP); + validator.setOcspResponderURL(_ocspResponderURL); + validator.validate(keyStore, cert); + } - KeyManager[] keyManagers = getKeyManagers(keyStore); - TrustManager[] trustManagers = getTrustManagers(trustStore,crls); + KeyManager[] keyManagers = getKeyManagers(keyStore); + TrustManager[] trustManagers = getTrustManagers(trustStore,crls); - SecureRandom secureRandom = (_secureRandomAlgorithm == null)?null:SecureRandom.getInstance(_secureRandomAlgorithm); - _context = (_sslProvider == null)?SSLContext.getInstance(_sslProtocol):SSLContext.getInstance(_sslProtocol,_sslProvider); - _context.init(keyManagers,trustManagers,secureRandom); + SecureRandom secureRandom = (_secureRandomAlgorithm == null)?null:SecureRandom.getInstance(_secureRandomAlgorithm); + _context = (_sslProvider == null)?SSLContext.getInstance(_sslProtocol):SSLContext.getInstance(_sslProtocol,_sslProvider); + _context.init(keyManagers,trustManagers,secureRandom); - SSLEngine engine=newSslEngine(); + SSLEngine engine=newSslEngine(); - LOG.info("Enabled Protocols {} of {}",Arrays.asList(engine.getEnabledProtocols()),Arrays.asList(engine.getSupportedProtocols())); - if (LOG.isDebugEnabled()) - LOG.debug("Enabled Ciphers {} of {}",Arrays.asList(engine.getEnabledCipherSuites()),Arrays.asList(engine.getSupportedCipherSuites())); - } - } - } + LOG.info("Enabled Protocols {} of {}",Arrays.asList(engine.getEnabledProtocols()),Arrays.asList(engine.getSupportedProtocols())); + if (LOG.isDebugEnabled()) + LOG.debug("Enabled Ciphers {} of {}",Arrays.asList(engine.getEnabledCipherSuites()),Arrays.asList(engine.getSupportedCipherSuites())); + } + } + } - /* ------------------------------------------------------------ */ - /** - * @return The array of protocol names to exclude from - * {@link SSLEngine#setEnabledProtocols(String[])} - */ - public String[] getExcludeProtocols() - { - return _excludeProtocols.toArray(new String[_excludeProtocols.size()]); - } + /* ------------------------------------------------------------ */ + /** + * @return The array of protocol names to exclude from + * {@link SSLEngine#setEnabledProtocols(String[])} + */ + public String[] getExcludeProtocols() + { + return _excludeProtocols.toArray(new String[_excludeProtocols.size()]); + } - /* ------------------------------------------------------------ */ - /** - * @param protocols - * The array of protocol names to exclude from - * {@link SSLEngine#setEnabledProtocols(String[])} - */ - public void setExcludeProtocols(String... protocols) - { - checkNotStarted(); + /* ------------------------------------------------------------ */ + /** + * @param protocols + * The array of protocol names to exclude from + * {@link SSLEngine#setEnabledProtocols(String[])} + */ + public void setExcludeProtocols(String... protocols) + { + checkNotStarted(); - _excludeProtocols.clear(); - _excludeProtocols.addAll(Arrays.asList(protocols)); - } + _excludeProtocols.clear(); + _excludeProtocols.addAll(Arrays.asList(protocols)); + } - /* ------------------------------------------------------------ */ - /** - * @param protocol Protocol names to add to {@link SSLEngine#setEnabledProtocols(String[])} - */ - public void addExcludeProtocols(String... protocol) - { - checkNotStarted(); - _excludeProtocols.addAll(Arrays.asList(protocol)); - } + /* ------------------------------------------------------------ */ + /** + * @param protocol Protocol names to add to {@link SSLEngine#setEnabledProtocols(String[])} + */ + public void addExcludeProtocols(String... protocol) + { + checkNotStarted(); + _excludeProtocols.addAll(Arrays.asList(protocol)); + } - /* ------------------------------------------------------------ */ - /** - * @return The array of protocol names to include in - * {@link SSLEngine#setEnabledProtocols(String[])} - */ - public String[] getIncludeProtocols() - { - return _includeProtocols.toArray(new String[_includeProtocols.size()]); - } + /* ------------------------------------------------------------ */ + /** + * @return The array of protocol names to include in + * {@link SSLEngine#setEnabledProtocols(String[])} + */ + public String[] getIncludeProtocols() + { + return _includeProtocols.toArray(new String[_includeProtocols.size()]); + } - /* ------------------------------------------------------------ */ - /** - * @param protocols - * The array of protocol names to include in - * {@link SSLEngine#setEnabledProtocols(String[])} - */ - public void setIncludeProtocols(String... protocols) - { - checkNotStarted(); + /* ------------------------------------------------------------ */ + /** + * @param protocols + * The array of protocol names to include in + * {@link SSLEngine#setEnabledProtocols(String[])} + */ + public void setIncludeProtocols(String... protocols) + { + checkNotStarted(); - _includeProtocols = new LinkedHashSet<String>(Arrays.asList(protocols)); - } + _includeProtocols = new LinkedHashSet<String>(Arrays.asList(protocols)); + } - /* ------------------------------------------------------------ */ - /** - * @return The array of cipher suite names to exclude from - * {@link SSLEngine#setEnabledCipherSuites(String[])} - */ - public String[] getExcludeCipherSuites() - { - return _excludeCipherSuites.toArray(new String[_excludeCipherSuites.size()]); - } + /* ------------------------------------------------------------ */ + /** + * @return The array of cipher suite names to exclude from + * {@link SSLEngine#setEnabledCipherSuites(String[])} + */ + public String[] getExcludeCipherSuites() + { + return _excludeCipherSuites.toArray(new String[_excludeCipherSuites.size()]); + } - /* ------------------------------------------------------------ */ - /** - * @param cipherSuites - * The array of cipher suite names to exclude from - * {@link SSLEngine#setEnabledCipherSuites(String[])} - */ - public void setExcludeCipherSuites(String... cipherSuites) - { - checkNotStarted(); - _excludeCipherSuites.clear(); - _excludeCipherSuites.addAll(Arrays.asList(cipherSuites)); - } + /* ------------------------------------------------------------ */ + /** + * @param cipherSuites + * The array of cipher suite names to exclude from + * {@link SSLEngine#setEnabledCipherSuites(String[])} + */ + public void setExcludeCipherSuites(String... cipherSuites) + { + checkNotStarted(); + _excludeCipherSuites.clear(); + _excludeCipherSuites.addAll(Arrays.asList(cipherSuites)); + } - /* ------------------------------------------------------------ */ - /** - * @param cipher Cipher names to add to {@link SSLEngine#setEnabledCipherSuites(String[])} - */ - public void addExcludeCipherSuites(String... cipher) - { - checkNotStarted(); - _excludeCipherSuites.addAll(Arrays.asList(cipher)); - } + /* ------------------------------------------------------------ */ + /** + * @param cipher Cipher names to add to {@link SSLEngine#setEnabledCipherSuites(String[])} + */ + public void addExcludeCipherSuites(String... cipher) + { + checkNotStarted(); + _excludeCipherSuites.addAll(Arrays.asList(cipher)); + } - /* ------------------------------------------------------------ */ - /** - * @return The array of cipher suite names to include in - * {@link SSLEngine#setEnabledCipherSuites(String[])} - */ - public String[] getIncludeCipherSuites() - { - return _includeCipherSuites.toArray(new String[_includeCipherSuites.size()]); - } + /* ------------------------------------------------------------ */ + /** + * @return The array of cipher suite names to include in + * {@link SSLEngine#setEnabledCipherSuites(String[])} + */ + public String[] getIncludeCipherSuites() + { + return _includeCipherSuites.toArray(new String[_includeCipherSuites.size()]); + } - /* ------------------------------------------------------------ */ - /** - * @param cipherSuites - * The array of cipher suite names to include in - * {@link SSLEngine#setEnabledCipherSuites(String[])} - */ - public void setIncludeCipherSuites(String... cipherSuites) - { - checkNotStarted(); + /* ------------------------------------------------------------ */ + /** + * @param cipherSuites + * The array of cipher suite names to include in + * {@link SSLEngine#setEnabledCipherSuites(String[])} + */ + public void setIncludeCipherSuites(String... cipherSuites) + { + checkNotStarted(); - _includeCipherSuites = new LinkedHashSet<String>(Arrays.asList(cipherSuites)); - } + _includeCipherSuites = new LinkedHashSet<String>(Arrays.asList(cipherSuites)); + } - /* ------------------------------------------------------------ */ - /** - * @return The file or URL of the SSL Key store. - */ - public String getKeyStorePath() - { - return _keyStorePath; - } + /* ------------------------------------------------------------ */ + /** + * @return The file or URL of the SSL Key store. + */ + public String getKeyStorePath() + { + return _keyStorePath; + } - /* ------------------------------------------------------------ */ - @Deprecated - public String getKeyStore() - { - return _keyStorePath; - } + /* ------------------------------------------------------------ */ + @Deprecated + public String getKeyStore() + { + return _keyStorePath; + } - /* ------------------------------------------------------------ */ - /** - * @param keyStorePath - * The file or URL of the SSL Key store. - */ - public void setKeyStorePath(String keyStorePath) - { - checkNotStarted(); + /* ------------------------------------------------------------ */ + /** + * @param keyStorePath + * The file or URL of the SSL Key store. + */ + public void setKeyStorePath(String keyStorePath) + { + checkNotStarted(); - _keyStorePath = keyStorePath; - } + _keyStorePath = keyStorePath; + } - /* ------------------------------------------------------------ */ - /** - * @param keyStorePath the file system path or URL of the keystore - * @deprecated Use {@link #setKeyStorePath(String)} - */ - @Deprecated - public void setKeyStore(String keyStorePath) - { - checkNotStarted(); + /* ------------------------------------------------------------ */ + /** + * @param keyStorePath the file system path or URL of the keystore + * @deprecated Use {@link #setKeyStorePath(String)} + */ + @Deprecated + public void setKeyStore(String keyStorePath) + { + checkNotStarted(); - _keyStorePath = keyStorePath; - } + _keyStorePath = keyStorePath; + } - /* ------------------------------------------------------------ */ - /** - * @return The provider of the key store - */ - public String getKeyStoreProvider() - { - return _keyStoreProvider; - } + /* ------------------------------------------------------------ */ + /** + * @return The provider of the key store + */ + public String getKeyStoreProvider() + { + return _keyStoreProvider; + } - /* ------------------------------------------------------------ */ - /** - * @param keyStoreProvider - * The provider of the key store - */ - public void setKeyStoreProvider(String keyStoreProvider) - { - checkNotStarted(); + /* ------------------------------------------------------------ */ + /** + * @param keyStoreProvider + * The provider of the key store + */ + public void setKeyStoreProvider(String keyStoreProvider) + { + checkNotStarted(); - _keyStoreProvider = keyStoreProvider; - } + _keyStoreProvider = keyStoreProvider; + } - /* ------------------------------------------------------------ */ - /** - * @return The type of the key store (default "JKS") - */ - public String getKeyStoreType() - { - return (_keyStoreType); - } + /* ------------------------------------------------------------ */ + /** + * @return The type of the key store (default "JKS") + */ + public String getKeyStoreType() + { + return (_keyStoreType); + } - /* ------------------------------------------------------------ */ - /** - * @param keyStoreType - * The type of the key store (default "JKS") - */ - public void setKeyStoreType(String keyStoreType) - { - checkNotStarted(); + /* ------------------------------------------------------------ */ + /** + * @param keyStoreType + * The type of the key store (default "JKS") + */ + public void setKeyStoreType(String keyStoreType) + { + checkNotStarted(); - _keyStoreType = keyStoreType; - } + _keyStoreType = keyStoreType; + } - /* ------------------------------------------------------------ */ - /** Get the _keyStoreInputStream. - * @return the _keyStoreInputStream - * - * @deprecated - */ - @Deprecated - public InputStream getKeyStoreInputStream() - { - checkKeyStore(); + /* ------------------------------------------------------------ */ + /** Get the _keyStoreInputStream. + * @return the _keyStoreInputStream + * + * @deprecated + */ + @Deprecated + public InputStream getKeyStoreInputStream() + { + checkKeyStore(); - return _keyStoreInputStream; - } + return _keyStoreInputStream; + } - /* ------------------------------------------------------------ */ - /** Set the keyStoreInputStream. - * @param keyStoreInputStream the InputStream to the KeyStore - * - * @deprecated Use {@link #setKeyStore(KeyStore)} - */ - @Deprecated - public void setKeyStoreInputStream(InputStream keyStoreInputStream) - { - checkNotStarted(); + /* ------------------------------------------------------------ */ + /** Set the keyStoreInputStream. + * @param keyStoreInputStream the InputStream to the KeyStore + * + * @deprecated Use {@link #setKeyStore(KeyStore)} + */ + @Deprecated + public void setKeyStoreInputStream(InputStream keyStoreInputStream) + { + checkNotStarted(); - _keyStoreInputStream = keyStoreInputStream; - } + _keyStoreInputStream = keyStoreInputStream; + } - /* ------------------------------------------------------------ */ - /** - * @return Alias of SSL certificate for the connector - */ - public String getCertAlias() - { - return _certAlias; - } + /* ------------------------------------------------------------ */ + /** + * @return Alias of SSL certificate for the connector + */ + public String getCertAlias() + { + return _certAlias; + } - /* ------------------------------------------------------------ */ - /** - * @param certAlias - * Alias of SSL certificate for the connector - */ - public void setCertAlias(String certAlias) - { - checkNotStarted(); + /* ------------------------------------------------------------ */ + /** + * @param certAlias + * Alias of SSL certificate for the connector + */ + public void setCertAlias(String certAlias) + { + checkNotStarted(); - _certAlias = certAlias; - } + _certAlias = certAlias; + } - /* ------------------------------------------------------------ */ - /** - * @return The file name or URL of the trust store location - */ - public String getTrustStore() - { - return _trustStorePath; - } + /* ------------------------------------------------------------ */ + /** + * @return The file name or URL of the trust store location + */ + public String getTrustStore() + { + return _trustStorePath; + } - /* ------------------------------------------------------------ */ - /** - * @param trustStorePath - * The file name or URL of the trust store location - */ - public void setTrustStore(String trustStorePath) - { - checkNotStarted(); + /* ------------------------------------------------------------ */ + /** + * @param trustStorePath + * The file name or URL of the trust store location + */ + public void setTrustStore(String trustStorePath) + { + checkNotStarted(); - _trustStorePath = trustStorePath; - } + _trustStorePath = trustStorePath; + } - /* ------------------------------------------------------------ */ - /** - * @return The provider of the trust store - */ - public String getTrustStoreProvider() - { - return _trustStoreProvider; - } + /* ------------------------------------------------------------ */ + /** + * @return The provider of the trust store + */ + public String getTrustStoreProvider() + { + return _trustStoreProvider; + } - /* ------------------------------------------------------------ */ - /** - * @param trustStoreProvider - * The provider of the trust store - */ - public void setTrustStoreProvider(String trustStoreProvider) - { - checkNotStarted(); + /* ------------------------------------------------------------ */ + /** + * @param trustStoreProvider + * The provider of the trust store + */ + public void setTrustStoreProvider(String trustStoreProvider) + { + checkNotStarted(); - _trustStoreProvider = trustStoreProvider; - } + _trustStoreProvider = trustStoreProvider; + } - /* ------------------------------------------------------------ */ - /** - * @return The type of the trust store (default "JKS") - */ - public String getTrustStoreType() - { - return _trustStoreType; - } + /* ------------------------------------------------------------ */ + /** + * @return The type of the trust store (default "JKS") + */ + public String getTrustStoreType() + { + return _trustStoreType; + } - /* ------------------------------------------------------------ */ - /** - * @param trustStoreType - * The type of the trust store (default "JKS") - */ - public void setTrustStoreType(String trustStoreType) - { - checkNotStarted(); + /* ------------------------------------------------------------ */ + /** + * @param trustStoreType + * The type of the trust store (default "JKS") + */ + public void setTrustStoreType(String trustStoreType) + { + checkNotStarted(); - _trustStoreType = trustStoreType; - } + _trustStoreType = trustStoreType; + } - /* ------------------------------------------------------------ */ - /** Get the _trustStoreInputStream. - * @return the _trustStoreInputStream - * - * @deprecated - */ - @Deprecated - public InputStream getTrustStoreInputStream() - { - checkKeyStore(); + /* ------------------------------------------------------------ */ + /** Get the _trustStoreInputStream. + * @return the _trustStoreInputStream + * + * @deprecated + */ + @Deprecated + public InputStream getTrustStoreInputStream() + { + checkKeyStore(); - return _trustStoreInputStream; - } + return _trustStoreInputStream; + } - /* ------------------------------------------------------------ */ - /** Set the _trustStoreInputStream. - * @param trustStoreInputStream the InputStream to the TrustStore - * - * @deprecated - */ - @Deprecated - public void setTrustStoreInputStream(InputStream trustStoreInputStream) - { - checkNotStarted(); + /* ------------------------------------------------------------ */ + /** Set the _trustStoreInputStream. + * @param trustStoreInputStream the InputStream to the TrustStore + * + * @deprecated + */ + @Deprecated + public void setTrustStoreInputStream(InputStream trustStoreInputStream) + { + checkNotStarted(); - _trustStoreInputStream = trustStoreInputStream; - } + _trustStoreInputStream = trustStoreInputStream; + } - /* ------------------------------------------------------------ */ - /** - * @return True if SSL needs client authentication. - * @see SSLEngine#getNeedClientAuth() - */ - public boolean getNeedClientAuth() - { - return _needClientAuth; - } + /* ------------------------------------------------------------ */ + /** + * @return True if SSL needs client authentication. + * @see SSLEngine#getNeedClientAuth() + */ + public boolean getNeedClientAuth() + { + return _needClientAuth; + } - /* ------------------------------------------------------------ */ - /** - * @param needClientAuth - * True if SSL needs client authentication. - * @see SSLEngine#getNeedClientAuth() - */ - public void setNeedClientAuth(boolean needClientAuth) - { - checkNotStarted(); + /* ------------------------------------------------------------ */ + /** + * @param needClientAuth + * True if SSL needs client authentication. + * @see SSLEngine#getNeedClientAuth() + */ + public void setNeedClientAuth(boolean needClientAuth) + { + checkNotStarted(); - _needClientAuth = needClientAuth; - } + _needClientAuth = needClientAuth; + } - /* ------------------------------------------------------------ */ - /** - * @return True if SSL wants client authentication. - * @see SSLEngine#getWantClientAuth() - */ - public boolean getWantClientAuth() - { - return _wantClientAuth; - } + /* ------------------------------------------------------------ */ + /** + * @return True if SSL wants client authentication. + * @see SSLEngine#getWantClientAuth() + */ + public boolean getWantClientAuth() + { + return _wantClientAuth; + } - /* ------------------------------------------------------------ */ - /** - * @param wantClientAuth - * True if SSL wants client authentication. - * @see SSLEngine#getWantClientAuth() - */ - public void setWantClientAuth(boolean wantClientAuth) - { - checkNotStarted(); + /* ------------------------------------------------------------ */ + /** + * @param wantClientAuth + * True if SSL wants client authentication. + * @see SSLEngine#getWantClientAuth() + */ + public void setWantClientAuth(boolean wantClientAuth) + { + checkNotStarted(); - _wantClientAuth = wantClientAuth; - } + _wantClientAuth = wantClientAuth; + } - /* ------------------------------------------------------------ */ - /** - * @return true if SSL certificate has to be validated - * @deprecated - */ - @Deprecated - public boolean getValidateCerts() - { - return _validateCerts; - } + /* ------------------------------------------------------------ */ + /** + * @return true if SSL certificate has to be validated + * @deprecated + */ + @Deprecated + public boolean getValidateCerts() + { + return _validateCerts; + } - /* ------------------------------------------------------------ */ - /** - * @return true if SSL certificate has to be validated - */ - public boolean isValidateCerts() - { - return _validateCerts; - } + /* ------------------------------------------------------------ */ + /** + * @return true if SSL certificate has to be validated + */ + public boolean isValidateCerts() + { + return _validateCerts; + } - /* ------------------------------------------------------------ */ - /** - * @param validateCerts - * true if SSL certificates have to be validated - */ - public void setValidateCerts(boolean validateCerts) - { - checkNotStarted(); + /* ------------------------------------------------------------ */ + /** + * @param validateCerts + * true if SSL certificates have to be validated + */ + public void setValidateCerts(boolean validateCerts) + { + checkNotStarted(); - _validateCerts = validateCerts; - } + _validateCerts = validateCerts; + } - /* ------------------------------------------------------------ */ - /** - * @return true if SSL certificates of the peer have to be validated - */ - public boolean isValidatePeerCerts() - { - return _validatePeerCerts; - } + /* ------------------------------------------------------------ */ + /** + * @return true if SSL certificates of the peer have to be validated + */ + public boolean isValidatePeerCerts() + { + return _validatePeerCerts; + } - /* ------------------------------------------------------------ */ - /** - * @param validatePeerCerts - * true if SSL certificates of the peer have to be validated - */ - public void setValidatePeerCerts(boolean validatePeerCerts) - { - checkNotStarted(); + /* ------------------------------------------------------------ */ + /** + * @param validatePeerCerts + * true if SSL certificates of the peer have to be validated + */ + public void setValidatePeerCerts(boolean validatePeerCerts) + { + checkNotStarted(); - _validatePeerCerts = validatePeerCerts; - } + _validatePeerCerts = validatePeerCerts; + } - /* ------------------------------------------------------------ */ - /** - * @return True if SSL re-negotiation is allowed (default false) - */ - public boolean isAllowRenegotiate() - { - return _allowRenegotiate; - } + /* ------------------------------------------------------------ */ + /** + * @return True if SSL re-negotiation is allowed (default false) + */ + public boolean isAllowRenegotiate() + { + return _allowRenegotiate; + } - /* ------------------------------------------------------------ */ - /** - * Set if SSL re-negotiation is allowed. CVE-2009-3555 discovered - * a vulnerability in SSL/TLS with re-negotiation. If your JVM - * does not have CVE-2009-3555 fixed, then re-negotiation should - * not be allowed. CVE-2009-3555 was fixed in Sun java 1.6 with a ban - * of renegotiates in u19 and with RFC5746 in u22. - * - * @param allowRenegotiate - * true if re-negotiation is allowed (default false) - */ - public void setAllowRenegotiate(boolean allowRenegotiate) - { - checkNotStarted(); + /* ------------------------------------------------------------ */ + /** + * Set if SSL re-negotiation is allowed. CVE-2009-3555 discovered + * a vulnerability in SSL/TLS with re-negotiation. If your JVM + * does not have CVE-2009-3555 fixed, then re-negotiation should + * not be allowed. CVE-2009-3555 was fixed in Sun java 1.6 with a ban + * of renegotiates in u19 and with RFC5746 in u22. + * + * @param allowRenegotiate + * true if re-negotiation is allowed (default false) + */ + public void setAllowRenegotiate(boolean allowRenegotiate) + { + checkNotStarted(); - _allowRenegotiate = allowRenegotiate; - } + _allowRenegotiate = allowRenegotiate; + } - /* ------------------------------------------------------------ */ - /** - * @param password - * The password for the key store - */ - public void setKeyStorePassword(String password) - { - checkNotStarted(); + /* ------------------------------------------------------------ */ + /** + * @param password + * The password for the key store + */ + public void setKeyStorePassword(String password) + { + checkNotStarted(); - _keyStorePassword = Password.getPassword(PASSWORD_PROPERTY,password,null); - } + _keyStorePassword = Password.getPassword(PASSWORD_PROPERTY,password,null); + } - /* ------------------------------------------------------------ */ - /** - * @param password - * The password (if any) for the specific key within the key store - */ - public void setKeyManagerPassword(String password) - { - checkNotStarted(); + /* ------------------------------------------------------------ */ + /** + * @param password + * The password (if any) for the specific key within the key store + */ + public void setKeyManagerPassword(String password) + { + checkNotStarted(); - _keyManagerPassword = Password.getPassword(KEYPASSWORD_PROPERTY,password,null); - } + _keyManagerPassword = Password.getPassword(KEYPASSWORD_PROPERTY,password,null); + } - /* ------------------------------------------------------------ */ - /** - * @param password - * The password for the trust store - */ - public void setTrustStorePassword(String password) - { - checkNotStarted(); + /* ------------------------------------------------------------ */ + /** + * @param password + * The password for the trust store + */ + public void setTrustStorePassword(String password) + { + checkNotStarted(); - _trustStorePassword = Password.getPassword(PASSWORD_PROPERTY,password,null); - } + _trustStorePassword = Password.getPassword(PASSWORD_PROPERTY,password,null); + } - /* ------------------------------------------------------------ */ - /** - * @return The SSL provider name, which if set is passed to - * {@link SSLContext#getInstance(String, String)} - */ - public String getProvider() - { - return _sslProvider; - } + /* ------------------------------------------------------------ */ + /** + * @return The SSL provider name, which if set is passed to + * {@link SSLContext#getInstance(String, String)} + */ + public String getProvider() + { + return _sslProvider; + } - /* ------------------------------------------------------------ */ - /** - * @param provider - * The SSL provider name, which if set is passed to - * {@link SSLContext#getInstance(String, String)} - */ - public void setProvider(String provider) - { - checkNotStarted(); + /* ------------------------------------------------------------ */ + /** + * @param provider + * The SSL provider name, which if set is passed to + * {@link SSLContext#getInstance(String, String)} + */ + public void setProvider(String provider) + { + checkNotStarted(); - _sslProvider = provider; - } + _sslProvider = provider; + } - /* ------------------------------------------------------------ */ - /** - * @return The SSL protocol (default "TLS") passed to - * {@link SSLContext#getInstance(String, String)} - */ - public String getProtocol() - { - return _sslProtocol; - } + /* ------------------------------------------------------------ */ + /** + * @return The SSL protocol (default "TLS") passed to + * {@link SSLContext#getInstance(String, String)} + */ + public String getProtocol() + { + return _sslProtocol; + } - /* ------------------------------------------------------------ */ - /** - * @param protocol - * The SSL protocol (default "TLS") passed to - * {@link SSLContext#getInstance(String, String)} - */ - public void setProtocol(String protocol) - { - checkNotStarted(); + /* ------------------------------------------------------------ */ + /** + * @param protocol + * The SSL protocol (default "TLS") passed to + * {@link SSLContext#getInstance(String, String)} + */ + public void setProtocol(String protocol) + { + checkNotStarted(); - _sslProtocol = protocol; - } + _sslProtocol = protocol; + } - /* ------------------------------------------------------------ */ - /** - * @return The algorithm name, which if set is passed to - * {@link SecureRandom#getInstance(String)} to obtain the {@link SecureRandom} instance passed to - * {@link SSLContext#init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)} - */ - public String getSecureRandomAlgorithm() - { - return _secureRandomAlgorithm; - } + /* ------------------------------------------------------------ */ + /** + * @return The algorithm name, which if set is passed to + * {@link SecureRandom#getInstance(String)} to obtain the {@link SecureRandom} instance passed to + * {@link SSLContext#init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)} + */ + public String getSecureRandomAlgorithm() + { + return _secureRandomAlgorithm; + } - /* ------------------------------------------------------------ */ - /** - * @param algorithm - * The algorithm name, which if set is passed to - * {@link SecureRandom#getInstance(String)} to obtain the {@link SecureRandom} instance passed to - * {@link SSLContext#init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)} - */ - public void setSecureRandomAlgorithm(String algorithm) - { - checkNotStarted(); + /* ------------------------------------------------------------ */ + /** + * @param algorithm + * The algorithm name, which if set is passed to + * {@link SecureRandom#getInstance(String)} to obtain the {@link SecureRandom} instance passed to + * {@link SSLContext#init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)} + */ + public void setSecureRandomAlgorithm(String algorithm) + { + checkNotStarted(); - _secureRandomAlgorithm = algorithm; - } + _secureRandomAlgorithm = algorithm; + } - /* ------------------------------------------------------------ */ - /** - * @return The algorithm name (default "SunX509") used by the {@link KeyManagerFactory} - */ - public String getSslKeyManagerFactoryAlgorithm() - { - return (_keyManagerFactoryAlgorithm); - } + /* ------------------------------------------------------------ */ + /** + * @return The algorithm name (default "SunX509") used by the {@link KeyManagerFactory} + */ + public String getSslKeyManagerFactoryAlgorithm() + { + return (_keyManagerFactoryAlgorithm); + } - /* ------------------------------------------------------------ */ - /** - * @param algorithm - * The algorithm name (default "SunX509") used by the {@link KeyManagerFactory} - */ - public void setSslKeyManagerFactoryAlgorithm(String algorithm) - { - checkNotStarted(); + /* ------------------------------------------------------------ */ + /** + * @param algorithm + * The algorithm name (default "SunX509") used by the {@link KeyManagerFactory} + */ + public void setSslKeyManagerFactoryAlgorithm(String algorithm) + { + checkNotStarted(); - _keyManagerFactoryAlgorithm = algorithm; - } + _keyManagerFactoryAlgorithm = algorithm; + } - /* ------------------------------------------------------------ */ - /** - * @return The algorithm name (default "SunX509") used by the {@link TrustManagerFactory} - */ - public String getTrustManagerFactoryAlgorithm() - { - return (_trustManagerFactoryAlgorithm); - } + /* ------------------------------------------------------------ */ + /** + * @return The algorithm name (default "SunX509") used by the {@link TrustManagerFactory} + */ + public String getTrustManagerFactoryAlgorithm() + { + return (_trustManagerFactoryAlgorithm); + } - /* ------------------------------------------------------------ */ - /** - * @return True if all certificates should be trusted if there is no KeyStore or TrustStore - */ - public boolean isTrustAll() - { - return _trustAll; - } + /* ------------------------------------------------------------ */ + /** + * @return True if all certificates should be trusted if there is no KeyStore or TrustStore + */ + public boolean isTrustAll() + { + return _trustAll; + } - /* ------------------------------------------------------------ */ - /** - * @param trustAll True if all certificates should be trusted if there is no KeyStore or TrustStore - */ - public void setTrustAll(boolean trustAll) - { - _trustAll = trustAll; - } + /* ------------------------------------------------------------ */ + /** + * @param trustAll True if all certificates should be trusted if there is no KeyStore or TrustStore + */ + public void setTrustAll(boolean trustAll) + { + _trustAll = trustAll; + } - /* ------------------------------------------------------------ */ - /** - * @param algorithm - * The algorithm name (default "SunX509") used by the {@link TrustManagerFactory} - * Use the string "TrustAll" to install a trust manager that trusts all. - */ - public void setTrustManagerFactoryAlgorithm(String algorithm) - { - checkNotStarted(); + /* ------------------------------------------------------------ */ + /** + * @param algorithm + * The algorithm name (default "SunX509") used by the {@link TrustManagerFactory} + * Use the string "TrustAll" to install a trust manager that trusts all. + */ + public void setTrustManagerFactoryAlgorithm(String algorithm) + { + checkNotStarted(); - _trustManagerFactoryAlgorithm = algorithm; - } + _trustManagerFactoryAlgorithm = algorithm; + } - /* ------------------------------------------------------------ */ - /** - * @return Path to file that contains Certificate Revocation List - */ - public String getCrlPath() - { - return _crlPath; - } + /* ------------------------------------------------------------ */ + /** + * @return Path to file that contains Certificate Revocation List + */ + public String getCrlPath() + { + return _crlPath; + } - /* ------------------------------------------------------------ */ - /** - * @param crlPath - * Path to file that contains Certificate Revocation List - */ - public void setCrlPath(String crlPath) - { - checkNotStarted(); + /* ------------------------------------------------------------ */ + /** + * @param crlPath + * Path to file that contains Certificate Revocation List + */ + public void setCrlPath(String crlPath) + { + checkNotStarted(); - _crlPath = crlPath; - } + _crlPath = crlPath; + } - /* ------------------------------------------------------------ */ - /** - * @return Maximum number of intermediate certificates in - * the certification path (-1 for unlimited) - */ - public int getMaxCertPathLength() - { - return _maxCertPathLength; - } + /* ------------------------------------------------------------ */ + /** + * @return Maximum number of intermediate certificates in + * the certification path (-1 for unlimited) + */ + public int getMaxCertPathLength() + { + return _maxCertPathLength; + } - /* ------------------------------------------------------------ */ - /** - * @param maxCertPathLength - * maximum number of intermediate certificates in - * the certification path (-1 for unlimited) - */ - public void setMaxCertPathLength(int maxCertPathLength) - { - checkNotStarted(); + /* ------------------------------------------------------------ */ + /** + * @param maxCertPathLength + * maximum number of intermediate certificates in + * the certification path (-1 for unlimited) + */ + public void setMaxCertPathLength(int maxCertPathLength) + { + checkNotStarted(); - _maxCertPathLength = maxCertPathLength; - } + _maxCertPathLength = maxCertPathLength; + } - /* ------------------------------------------------------------ */ - /** - * @return The SSLContext - */ - public SSLContext getSslContext() - { - if (!isStarted()) - throw new IllegalStateException(getState()); - return _context; - } + /* ------------------------------------------------------------ */ + /** + * @return The SSLContext + */ + public SSLContext getSslContext() + { + if (!isStarted()) + throw new IllegalStateException(getState()); + return _context; + } - /* ------------------------------------------------------------ */ - /** - * @param sslContext - * Set a preconfigured SSLContext - */ - public void setSslContext(SSLContext sslContext) - { - checkNotStarted(); + /* ------------------------------------------------------------ */ + /** + * @param sslContext + * Set a preconfigured SSLContext + */ + public void setSslContext(SSLContext sslContext) + { + checkNotStarted(); - _context = sslContext; - } + _context = sslContext; + } - /* ------------------------------------------------------------ */ - /** - * Override this method to provide alternate way to load a keystore. - * - * @return the key store instance - * @throws Exception if the keystore cannot be loaded - */ - protected KeyStore loadKeyStore() throws Exception - { - return _keyStore != null ? _keyStore : getKeyStore(_keyStoreInputStream, - _keyStorePath, _keyStoreType, _keyStoreProvider, - _keyStorePassword==null? null: _keyStorePassword.toString()); - } + /* ------------------------------------------------------------ */ + /** + * Override this method to provide alternate way to load a keystore. + * + * @return the key store instance + * @throws Exception if the keystore cannot be loaded + */ + protected KeyStore loadKeyStore() throws Exception + { + return _keyStore != null ? _keyStore : getKeyStore(_keyStoreInputStream, + _keyStorePath, _keyStoreType, _keyStoreProvider, + _keyStorePassword==null? null: _keyStorePassword.toString()); + } - /* ------------------------------------------------------------ */ - /** - * Override this method to provide alternate way to load a truststore. - * - * @return the key store instance - * @throws Exception if the truststore cannot be loaded - */ - protected KeyStore loadTrustStore() throws Exception - { - return _trustStore != null ? _trustStore : getKeyStore(_trustStoreInputStream, - _trustStorePath, _trustStoreType, _trustStoreProvider, - _trustStorePassword==null? null: _trustStorePassword.toString()); - } + /* ------------------------------------------------------------ */ + /** + * Override this method to provide alternate way to load a truststore. + * + * @return the key store instance + * @throws Exception if the truststore cannot be loaded + */ + protected KeyStore loadTrustStore() throws Exception + { + return _trustStore != null ? _trustStore : getKeyStore(_trustStoreInputStream, + _trustStorePath, _trustStoreType, _trustStoreProvider, + _trustStorePassword==null? null: _trustStorePassword.toString()); + } - /* ------------------------------------------------------------ */ - /** - * Loads keystore using an input stream or a file path in the same - * order of precedence. - * - * Required for integrations to be able to override the mechanism - * used to load a keystore in order to provide their own implementation. - * - * @param storeStream keystore input stream - * @param storePath path of keystore file - * @param storeType keystore type - * @param storeProvider keystore provider - * @param storePassword keystore password - * @return created keystore - * @throws Exception if the keystore cannot be obtained - * - * @deprecated - */ - @Deprecated - protected KeyStore getKeyStore(InputStream storeStream, String storePath, String storeType, String storeProvider, String storePassword) throws Exception - { - return CertificateUtils.getKeyStore(storeStream, storePath, storeType, storeProvider, storePassword); - } + /* ------------------------------------------------------------ */ + /** + * Loads keystore using an input stream or a file path in the same + * order of precedence. + * + * Required for integrations to be able to override the mechanism + * used to load a keystore in order to provide their own implementation. + * + * @param storeStream keystore input stream + * @param storePath path of keystore file + * @param storeType keystore type + * @param storeProvider keystore provider + * @param storePassword keystore password + * @return created keystore + * @throws Exception if the keystore cannot be obtained + * + * @deprecated + */ + @Deprecated + protected KeyStore getKeyStore(InputStream storeStream, String storePath, String storeType, String storeProvider, String storePassword) throws Exception + { + return CertificateUtils.getKeyStore(storeStream, storePath, storeType, storeProvider, storePassword); + } - /* ------------------------------------------------------------ */ - /** - * Loads certificate revocation list (CRL) from a file. - * - * Required for integrations to be able to override the mechanism used to - * load CRL in order to provide their own implementation. - * - * @param crlPath path of certificate revocation list file - * @return Collection of CRL's - * @throws Exception if the certificate revocation list cannot be loaded - */ - protected Collection<? extends CRL> loadCRL(String crlPath) throws Exception - { - return CertificateUtils.loadCRL(crlPath); - } + /* ------------------------------------------------------------ */ + /** + * Loads certificate revocation list (CRL) from a file. + * + * Required for integrations to be able to override the mechanism used to + * load CRL in order to provide their own implementation. + * + * @param crlPath path of certificate revocation list file + * @return Collection of CRL's + * @throws Exception if the certificate revocation list cannot be loaded + */ + protected Collection<? extends CRL> loadCRL(String crlPath) throws Exception + { + return CertificateUtils.loadCRL(crlPath); + } - /* ------------------------------------------------------------ */ - protected KeyManager[] getKeyManagers(KeyStore keyStore) throws Exception - { - KeyManager[] managers = null; + /* ------------------------------------------------------------ */ + protected KeyManager[] getKeyManagers(KeyStore keyStore) throws Exception + { + KeyManager[] managers = null; - if (keyStore != null) - { - KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(_keyManagerFactoryAlgorithm); - keyManagerFactory.init(keyStore,_keyManagerPassword == null?(_keyStorePassword == null?null:_keyStorePassword.toString().toCharArray()):_keyManagerPassword.toString().toCharArray()); - managers = keyManagerFactory.getKeyManagers(); + if (keyStore != null) + { + KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(_keyManagerFactoryAlgorithm); + keyManagerFactory.init(keyStore,_keyManagerPassword == null?(_keyStorePassword == null?null:_keyStorePassword.toString().toCharArray()):_keyManagerPassword.toString().toCharArray()); + managers = keyManagerFactory.getKeyManagers(); - if (_certAlias != null) - { - for (int idx = 0; idx < managers.length; idx++) - { - if (managers[idx] instanceof X509KeyManager) - { - managers[idx] = new AliasedX509ExtendedKeyManager(_certAlias,(X509KeyManager)managers[idx]); - } - } - } - } + if (_certAlias != null) + { + for (int idx = 0; idx < managers.length; idx++) + { + if (managers[idx] instanceof X509KeyManager) + { + managers[idx] = new AliasedX509ExtendedKeyManager(_certAlias,(X509KeyManager)managers[idx]); + } + } + } + } - return managers; - } + return managers; + } - /* ------------------------------------------------------------ */ - protected TrustManager[] getTrustManagers(KeyStore trustStore, Collection<? extends CRL> crls) throws Exception - { - TrustManager[] managers = null; - if (trustStore != null) - { - // Revocation checking is only supported for PKIX algorithm - if (_validatePeerCerts && _trustManagerFactoryAlgorithm.equalsIgnoreCase("PKIX")) - { - PKIXBuilderParameters pbParams = new PKIXBuilderParameters(trustStore,new X509CertSelector()); + /* ------------------------------------------------------------ */ + protected TrustManager[] getTrustManagers(KeyStore trustStore, Collection<? extends CRL> crls) throws Exception + { + TrustManager[] managers = null; + if (trustStore != null) + { + // Revocation checking is only supported for PKIX algorithm + if (_validatePeerCerts && _trustManagerFactoryAlgorithm.equalsIgnoreCase("PKIX")) + { + PKIXBuilderParameters pbParams = new PKIXBuilderParameters(trustStore,new X509CertSelector()); - // Set maximum certification path length - pbParams.setMaxPathLength(_maxCertPathLength); + // Set maximum certification path length + pbParams.setMaxPathLength(_maxCertPathLength); - // Make sure revocation checking is enabled - pbParams.setRevocationEnabled(true); + // Make sure revocation checking is enabled + pbParams.setRevocationEnabled(true); - if (crls != null && !crls.isEmpty()) - { - pbParams.addCertStore(CertStore.getInstance("Collection",new CollectionCertStoreParameters(crls))); - } + if (crls != null && !crls.isEmpty()) + { + pbParams.addCertStore(CertStore.getInstance("Collection",new CollectionCertStoreParameters(crls))); + } - if (_enableCRLDP) - { - // Enable Certificate Revocation List Distribution Points (CRLDP) support - System.setProperty("com.sun.security.enableCRLDP","true"); - } + if (_enableCRLDP) + { + // Enable Certificate Revocation List Distribution Points (CRLDP) support + System.setProperty("com.sun.security.enableCRLDP","true"); + } - if (_enableOCSP) - { - // Enable On-Line Certificate Status Protocol (OCSP) support - Security.setProperty("ocsp.enable","true"); + if (_enableOCSP) + { + // Enable On-Line Certificate Status Protocol (OCSP) support + Security.setProperty("ocsp.enable","true"); - if (_ocspResponderURL != null) - { - // Override location of OCSP Responder - Security.setProperty("ocsp.responderURL", _ocspResponderURL); - } - } + if (_ocspResponderURL != null) + { + // Override location of OCSP Responder + Security.setProperty("ocsp.responderURL", _ocspResponderURL); + } + } - TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(_trustManagerFactoryAlgorithm); - trustManagerFactory.init(new CertPathTrustManagerParameters(pbParams)); + TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(_trustManagerFactoryAlgorithm); + trustManagerFactory.init(new CertPathTrustManagerParameters(pbParams)); - managers = trustManagerFactory.getTrustManagers(); - } - else - { - TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(_trustManagerFactoryAlgorithm); - trustManagerFactory.init(trustStore); + managers = trustManagerFactory.getTrustManagers(); + } + else + { + TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(_trustManagerFactoryAlgorithm); + trustManagerFactory.init(trustStore); - managers = trustManagerFactory.getTrustManagers(); - } - } + managers = trustManagerFactory.getTrustManagers(); + } + } - return managers; - } + return managers; + } - /* ------------------------------------------------------------ */ - /** - * Check KeyStore Configuration. Ensures that if keystore has been - * configured but there's no truststore, that keystore is - * used as truststore. - * @throws IllegalStateException if SslContextFactory configuration can't be used. - */ - public void checkKeyStore() - { - if (_context != null) - return; //nothing to check if using preconfigured context + /* ------------------------------------------------------------ */ + /** + * Check KeyStore Configuration. Ensures that if keystore has been + * configured but there's no truststore, that keystore is + * used as truststore. + * @throws IllegalStateException if SslContextFactory configuration can't be used. + */ + public void checkKeyStore() + { + if (_context != null) + return; //nothing to check if using preconfigured context - if (_keyStore == null && _keyStoreInputStream == null && _keyStorePath == null) - throw new IllegalStateException("SSL doesn't have a valid keystore"); + if (_keyStore == null && _keyStoreInputStream == null && _keyStorePath == null) + throw new IllegalStateException("SSL doesn't have a valid keystore"); - // if the keystore has been configured but there is no - // truststore configured, use the keystore as the truststore - if (_trustStore == null && _trustStoreInputStream == null && _trustStorePath == null) - { - _trustStore = _keyStore; - _trustStorePath = _keyStorePath; - _trustStoreInputStream = _keyStoreInputStream; - _trustStoreType = _keyStoreType; - _trustStoreProvider = _keyStoreProvider; - _trustStorePassword = _keyStorePassword; - _trustManagerFactoryAlgorithm = _keyManagerFactoryAlgorithm; - } + // if the keystore has been configured but there is no + // truststore configured, use the keystore as the truststore + if (_trustStore == null && _trustStoreInputStream == null && _trustStorePath == null) + { + _trustStore = _keyStore; + _trustStorePath = _keyStorePath; + _trustStoreInputStream = _keyStoreInputStream; + _trustStoreType = _keyStoreType; + _trustStoreProvider = _keyStoreProvider; + _trustStorePassword = _keyStorePassword; + _trustManagerFactoryAlgorithm = _keyManagerFactoryAlgorithm; + } - // It's the same stream we cannot read it twice, so read it once in memory - if (_keyStoreInputStream != null && _keyStoreInputStream == _trustStoreInputStream) - { - try - { - ByteArrayOutputStream baos = new ByteArrayOutputStream(); - IO.copy(_keyStoreInputStream, baos); - _keyStoreInputStream.close(); + // It's the same stream we cannot read it twice, so read it once in memory + if (_keyStoreInputStream != null && _keyStoreInputStream == _trustStoreInputStream) + { + try + { + ByteArrayOutputStream baos = new ByteArrayOutputStream(); + IO.copy(_keyStoreInputStream, baos); + _keyStoreInputStream.close(); - _keyStoreInputStream = new ByteArrayInputStream(baos.toByteArray()); - _trustStoreInputStream = new ByteArrayInputStream(baos.toByteArray()); - } - catch (Exception ex) - { - throw new IllegalStateException(ex); - } - } - } + _keyStoreInputStream = new ByteArrayInputStream(baos.toByteArray()); + _trustStoreInputStream = new ByteArrayInputStream(baos.toByteArray()); + } + catch (Exception ex) + { + throw new IllegalStateException(ex); + } + } + } - /* ------------------------------------------------------------ */ - /** - * Select protocols to be used by the connector - * based on configured inclusion and exclusion lists - * as well as enabled and supported protocols. - * @param enabledProtocols Array of enabled protocols - * @param supportedProtocols Array of supported protocols - * @return Array of protocols to enable - */ - public String[] selectProtocols(String[] enabledProtocols, String[] supportedProtocols) - { - Set<String> selected_protocols = new LinkedHashSet<String>(); + /* ------------------------------------------------------------ */ + /** + * Select protocols to be used by the connector + * based on configured inclusion and exclusion lists + * as well as enabled and supported protocols. + * @param enabledProtocols Array of enabled protocols + * @param supportedProtocols Array of supported protocols + * @return Array of protocols to enable + */ + public String[] selectProtocols(String[] enabledProtocols, String[] supportedProtocols) + { + Set<String> selected_protocols = new LinkedHashSet<String>(); - // Set the starting protocols - either from the included or enabled list - if (_includeProtocols!=null) - { - // Use only the supported included protocols - for (String protocol : _includeProtocols) - if(Arrays.asList(supportedProtocols).contains(protocol)) - selected_protocols.add(protocol); - } - else - selected_protocols.addAll(Arrays.asList(enabledProtocols)); + // Set the starting protocols - either from the included or enabled list + if (_includeProtocols!=null) + { + // Use only the supported included protocols + for (String protocol : _includeProtocols) + if(Arrays.asList(supportedProtocols).contains(protocol)) + selected_protocols.add(protocol); + } + else + selected_protocols.addAll(Arrays.asList(enabledProtocols)); - // Remove any excluded protocols - if (_excludeProtocols != null) - selected_protocols.removeAll(_excludeProtocols); + // Remove any excluded protocols + if (_excludeProtocols != null) + selected_protocols.removeAll(_excludeProtocols); - return selected_protocols.toArray(new String[selected_protocols.size()]); - } + return selected_protocols.toArray(new String[selected_protocols.size()]); + } - /* ------------------------------------------------------------ */ - /** - * Select cipher suites to be used by the connector - * based on configured inclusion and exclusion lists - * as well as enabled and supported cipher suite lists. - * @param enabledCipherSuites Array of enabled cipher suites - * @param supportedCipherSuites Array of supported cipher suites - * @return Array of cipher suites to enable - */ - public String[] selectCipherSuites(String[] enabledCipherSuites, String[] supportedCipherSuites) - { - Set<String> selected_ciphers = new LinkedHashSet<String>(); + /* ------------------------------------------------------------ */ + /** + * Select cipher suites to be used by the connector + * based on configured inclusion and exclusion lists + * as well as enabled and supported cipher suite lists. + * @param enabledCipherSuites Array of enabled cipher suites + * @param supportedCipherSuites Array of supported cipher suites + * @return Array of cipher suites to enable + */ + public String[] selectCipherSuites(String[] enabledCipherSuites, String[] supportedCipherSuites) + { + Set<String> selected_ciphers = new LinkedHashSet<String>(); - // Set the starting ciphers - either from the included or enabled list - if (_includeCipherSuites!=null) - { - // Use only the supported included ciphers - for (String cipherSuite : _includeCipherSuites) - if(Arrays.asList(supportedCipherSuites).contains(cipherSuite)) - selected_ciphers.add(cipherSuite); - } - else - selected_ciphers.addAll(Arrays.asList(enabledCipherSuites)); + // Set the starting ciphers - either from the included or enabled list + if (_includeCipherSuites!=null) + { + // Use only the supported included ciphers + for (String cipherSuite : _includeCipherSuites) + if(Arrays.asList(supportedCipherSuites).contains(cipherSuite)) + selected_ciphers.add(cipherSuite); + } + else + selected_ciphers.addAll(Arrays.asList(enabledCipherSuites)); - // Remove any excluded ciphers - if (_excludeCipherSuites != null) - selected_ciphers.removeAll(_excludeCipherSuites); - return selected_ciphers.toArray(new String[selected_ciphers.size()]); - } + // Remove any excluded ciphers + if (_excludeCipherSuites != null) + selected_ciphers.removeAll(_excludeCipherSuites); + return selected_ciphers.toArray(new String[selected_ciphers.size()]); + } - /* ------------------------------------------------------------ */ - /** - * Check if the lifecycle has been started and throw runtime exception - */ - protected void checkNotStarted() - { - if (isStarted()) - throw new IllegalStateException("Cannot modify configuration when "+getState()); - } + /* ------------------------------------------------------------ */ + /** + * Check if the lifecycle has been started and throw runtime exception + */ + protected void checkNotStarted() + { + if (isStarted()) + throw new IllegalStateException("Cannot modify configuration when "+getState()); + } - /* ------------------------------------------------------------ */ - /** - * @return true if CRL Distribution Points support is enabled - */ - public boolean isEnableCRLDP() - { - return _enableCRLDP; - } + /* ------------------------------------------------------------ */ + /** + * @return true if CRL Distribution Points support is enabled + */ + public boolean isEnableCRLDP() + { + return _enableCRLDP; + } - /* ------------------------------------------------------------ */ - /** Enables CRL Distribution Points Support - * @param enableCRLDP true - turn on, false - turns off - */ - public void setEnableCRLDP(boolean enableCRLDP) - { - checkNotStarted(); + /* ------------------------------------------------------------ */ + /** Enables CRL Distribution Points Support + * @param enableCRLDP true - turn on, false - turns off + */ + public void setEnableCRLDP(boolean enableCRLDP) + { + checkNotStarted(); - _enableCRLDP = enableCRLDP; - } + _enableCRLDP = enableCRLDP; + } - /* ------------------------------------------------------------ */ - /** - * @return true if On-Line Certificate Status Protocol support is enabled - */ - public boolean isEnableOCSP() - { - return _enableOCSP; - } + /* ------------------------------------------------------------ */ + /** + * @return true if On-Line Certificate Status Protocol support is enabled + */ + public boolean isEnableOCSP() + { + return _enableOCSP; + } - /* ------------------------------------------------------------ */ - /** Enables On-Line Certificate Status Protocol support - * @param enableOCSP true - turn on, false - turn off - */ - public void setEnableOCSP(boolean enableOCSP) - { - checkNotStarted(); + /* ------------------------------------------------------------ */ + /** Enables On-Line Certificate Status Protocol support + * @param enableOCSP true - turn on, false - turn off + */ + public void setEnableOCSP(boolean enableOCSP) + { + checkNotStarted(); - _enableOCSP = enableOCSP; - } + _enableOCSP = enableOCSP; + } - /* ------------------------------------------------------------ */ - /** - * @return Location of the OCSP Responder - */ - public String getOcspResponderURL() - { - return _ocspResponderURL; - } + /* ------------------------------------------------------------ */ + /** + * @return Location of the OCSP Responder + */ + public String getOcspResponderURL() + { + return _ocspResponderURL; + } - /* ------------------------------------------------------------ */ - /** Set the location of the OCSP Responder. - * @param ocspResponderURL location of the OCSP Responder - */ - public void setOcspResponderURL(String ocspResponderURL) - { - checkNotStarted(); + /* ------------------------------------------------------------ */ + /** Set the location of the OCSP Responder. + * @param ocspResponderURL location of the OCSP Responder + */ + public void setOcspResponderURL(String ocspResponderURL) + { + checkNotStarted(); - _ocspResponderURL = ocspResponderURL; - } + _ocspResponderURL = ocspResponderURL; + } - /* ------------------------------------------------------------ */ - /** Set the key store. - * @param keyStore the key store to set - */ - public void setKeyStore(KeyStore keyStore) - { - checkNotStarted(); + /* ------------------------------------------------------------ */ + /** Set the key store. + * @param keyStore the key store to set + */ + public void setKeyStore(KeyStore keyStore) + { + checkNotStarted(); - _keyStore = keyStore; - } + _keyStore = keyStore; + } - /* ------------------------------------------------------------ */ - /** Set the trust store. - * @param trustStore the trust store to set - */ - public void setTrustStore(KeyStore trustStore) - { - checkNotStarted(); + /* ------------------------------------------------------------ */ + /** Set the trust store. + * @param trustStore the trust store to set + */ + public void setTrustStore(KeyStore trustStore) + { + checkNotStarted(); - _trustStore = trustStore; - } + _trustStore = trustStore; + } - /* ------------------------------------------------------------ */ - /** Set the key store resource. - * @param resource the key store resource to set - */ - public void setKeyStoreResource(Resource resource) - { - checkNotStarted(); + /* ------------------------------------------------------------ */ + /** Set the key store resource. + * @param resource the key store resource to set + */ + public void setKeyStoreResource(Resource resource) + { + checkNotStarted(); - try - { - _keyStoreInputStream = resource.getInputStream(); - } - catch (IOException e) - { - throw new InvalidParameterException("Unable to get resource "+ - "input stream for resource "+resource.toString()); - } - } + try + { + _keyStoreInputStream = resource.getInputStream(); + } + catch (IOException e) + { + throw new InvalidParameterException("Unable to get resource "+ + "input stream for resource "+resource.toString()); + } + } - /* ------------------------------------------------------------ */ - /** Set the trust store resource. - * @param resource the trust store resource to set - */ - public void setTrustStoreResource(Resource resource) - { - checkNotStarted(); + /* ------------------------------------------------------------ */ + /** Set the trust store resource. + * @param resource the trust store resource to set + */ + public void setTrustStoreResource(Resource resource) + { + checkNotStarted(); - try - { - _trustStoreInputStream = resource.getInputStream(); - } - catch (IOException e) - { - throw new InvalidParameterException("Unable to get resource "+ - "input stream for resource "+resource.toString()); - } - } + try + { + _trustStoreInputStream = resource.getInputStream(); + } + catch (IOException e) + { + throw new InvalidParameterException("Unable to get resource "+ + "input stream for resource "+resource.toString()); + } + } - /* ------------------------------------------------------------ */ - /** - * @return true if SSL Session caching is enabled - */ - public boolean isSessionCachingEnabled() - { - return _sessionCachingEnabled; - } + /* ------------------------------------------------------------ */ + /** + * @return true if SSL Session caching is enabled + */ + public boolean isSessionCachingEnabled() + { + return _sessionCachingEnabled; + } - /* ------------------------------------------------------------ */ - /** Set the flag to enable SSL Session caching. - * @param enableSessionCaching the value of the flag - */ - public void setSessionCachingEnabled(boolean enableSessionCaching) - { - _sessionCachingEnabled = enableSessionCaching; - } + /* ------------------------------------------------------------ */ + /** Set the flag to enable SSL Session caching. + * @param enableSessionCaching the value of the flag + */ + public void setSessionCachingEnabled(boolean enableSessionCaching) + { + _sessionCachingEnabled = enableSessionCaching; + } - /* ------------------------------------------------------------ */ - /** Get SSL session cache size. - * @return SSL session cache size - */ - public int getSslSessionCacheSize() - { - return _sslSessionCacheSize; - } + /* ------------------------------------------------------------ */ + /** Get SSL session cache size. + * @return SSL session cache size + */ + public int getSslSessionCacheSize() + { + return _sslSessionCacheSize; + } - /* ------------------------------------------------------------ */ - /** SEt SSL session cache size. - * @param sslSessionCacheSize SSL session cache size to set - */ - public void setSslSessionCacheSize(int sslSessionCacheSize) - { - _sslSessionCacheSize = sslSessionCacheSize; - } + /* ------------------------------------------------------------ */ + /** SEt SSL session cache size. + * @param sslSessionCacheSize SSL session cache size to set + */ + public void setSslSessionCacheSize(int sslSessionCacheSize) + { + _sslSessionCacheSize = sslSessionCacheSize; + } - /* ------------------------------------------------------------ */ - /** Get SSL session timeout. - * @return SSL session timeout - */ - public int getSslSessionTimeout() - { - return _sslSessionTimeout; - } + /* ------------------------------------------------------------ */ + /** Get SSL session timeout. + * @return SSL session timeout + */ + public int getSslSessionTimeout() + { + return _sslSessionTimeout; + } - /* ------------------------------------------------------------ */ - /** Set SSL session timeout. - * @param sslSessionTimeout SSL session timeout to set - */ - public void setSslSessionTimeout(int sslSessionTimeout) - { - _sslSessionTimeout = sslSessionTimeout; - } + /* ------------------------------------------------------------ */ + /** Set SSL session timeout. + * @param sslSessionTimeout SSL session timeout to set + */ + public void setSslSessionTimeout(int sslSessionTimeout) + { + _sslSessionTimeout = sslSessionTimeout; + } - /* ------------------------------------------------------------ */ - public SSLServerSocket newSslServerSocket(String host,int port,int backlog) throws IOException - { - SSLServerSocketFactory factory = _context.getServerSocketFactory(); + /* ------------------------------------------------------------ */ + public SSLServerSocket newSslServerSocket(String host,int port,int backlog) throws IOException + { + SSLServerSocketFactory factory = _context.getServerSocketFactory(); - SSLServerSocket socket = - (SSLServerSocket) (host==null ? - factory.createServerSocket(port,backlog): - factory.createServerSocket(port,backlog,InetAddress.getByName(host))); + SSLServerSocket socket = + (SSLServerSocket) (host==null ? + factory.createServerSocket(port,backlog): + factory.createServerSocket(port,backlog,InetAddress.getByName(host))); - if (getWantClientAuth()) - socket.setWantClientAuth(getWantClientAuth()); - if (getNeedClientAuth()) - socket.setNeedClientAuth(getNeedClientAuth()); + if (getWantClientAuth()) + socket.setWantClientAuth(getWantClientAuth()); + if (getNeedClientAuth()) + socket.setNeedClientAuth(getNeedClientAuth()); - socket.setEnabledCipherSuites(selectCipherSuites( - socket.getEnabledCipherSuites(), - socket.getSupportedCipherSuites())); - socket.setEnabledProtocols(selectProtocols(socket.getEnabledProtocols(),socket.getSupportedProtocols())); + socket.setEnabledCipherSuites(selectCipherSuites( + socket.getEnabledCipherSuites(), + socket.getSupportedCipherSuites())); + socket.setEnabledProtocols(selectProtocols(socket.getEnabledProtocols(),socket.getSupportedProtocols())); - return socket; - } + return socket; + } - /* ------------------------------------------------------------ */ - public SSLSocket newSslSocket() throws IOException - { - SSLSocketFactory factory = _context.getSocketFactory(); + /* ------------------------------------------------------------ */ + public SSLSocket newSslSocket() throws IOException + { + SSLSocketFactory factory = _context.getSocketFactory(); - SSLSocket socket = (SSLSocket)factory.createSocket(); + SSLSocket socket = (SSLSocket)factory.createSocket(); - if (getWantClientAuth()) - socket.setWantClientAuth(getWantClientAuth()); - if (getNeedClientAuth()) - socket.setNeedClientAuth(getNeedClientAuth()); + if (getWantClientAuth()) + socket.setWantClientAuth(getWantClientAuth()); + if (getNeedClientAuth()) + socket.setNeedClientAuth(getNeedClientAuth()); - socket.setEnabledCipherSuites(selectCipherSuites( - socket.getEnabledCipherSuites(), - socket.getSupportedCipherSuites())); - socket.setEnabledProtocols(selectProtocols(socket.getEnabledProtocols(),socket.getSupportedProtocols())); + socket.setEnabledCipherSuites(selectCipherSuites( + socket.getEnabledCipherSuites(), + socket.getSupportedCipherSuites())); + socket.setEnabledProtocols(selectProtocols(socket.getEnabledProtocols(),socket.getSupportedProtocols())); - return socket; - } + return socket; + } - /* ------------------------------------------------------------ */ - public SSLEngine newSslEngine(String host,int port) - { - SSLEngine sslEngine=isSessionCachingEnabled() - ?_context.createSSLEngine(host, port) - :_context.createSSLEngine(); + /* ------------------------------------------------------------ */ + public SSLEngine newSslEngine(String host,int port) + { + SSLEngine sslEngine=isSessionCachingEnabled() + ?_context.createSSLEngine(host, port) + :_context.createSSLEngine(); - customize(sslEngine); - return sslEngine; - } + customize(sslEngine); + return sslEngine; + } - /* ------------------------------------------------------------ */ - public SSLEngine newSslEngine() - { - SSLEngine sslEngine=_context.createSSLEngine(); - customize(sslEngine); - return sslEngine; - } + /* ------------------------------------------------------------ */ + public SSLEngine newSslEngine() + { + SSLEngine sslEngine=_context.createSSLEngine(); + customize(sslEngine); + return sslEngine; + } - /* ------------------------------------------------------------ */ - public void customize(SSLEngine sslEngine) - { - if (getWantClientAuth()) - sslEngine.setWantClientAuth(getWantClientAuth()); - if (getNeedClientAuth()) - sslEngine.setNeedClientAuth(getNeedClientAuth()); + /* ------------------------------------------------------------ */ + public void customize(SSLEngine sslEngine) + { + if (getWantClientAuth()) + sslEngine.setWantClientAuth(getWantClientAuth()); + if (getNeedClientAuth()) + sslEngine.setNeedClientAuth(getNeedClientAuth()); - sslEngine.setEnabledCipherSuites(selectCipherSuites( - sslEngine.getEnabledCipherSuites(), - sslEngine.getSupportedCipherSuites())); + sslEngine.setEnabledCipherSuites(selectCipherSuites( + sslEngine.getEnabledCipherSuites(), + sslEngine.getSupportedCipherSuites())); - sslEngine.setEnabledProtocols(selectProtocols(sslEngine.getEnabledProtocols(),sslEngine.getSupportedProtocols())); - } + sslEngine.setEnabledProtocols(selectProtocols(sslEngine.getEnabledProtocols(),sslEngine.getSupportedProtocols())); + } - /* ------------------------------------------------------------ */ - public String toString() - { - return String.format("%s@%x(%s,%s)", - getClass().getSimpleName(), - hashCode(), - _keyStorePath, - _trustStorePath); - } + /* ------------------------------------------------------------ */ + public String toString() + { + return String.format("%s@%x(%s,%s)", + getClass().getSimpleName(), + hashCode(), + _keyStorePath, + _trustStorePath); + } }