public Object buildSslContextFactory()

in gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/JettySSLService.java [136:237]


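  /**
   * Builds the Jetty server-side {@code SslContextFactory} for the gateway listener from
   * the gateway configuration and the alias service.
   *
   * <p>The identity keystore (path, type, certificate alias) comes from {@code config}; the
   * keystore password and the key passphrase are looked up through {@code aliasService}.
   * When client authentication is needed or wanted, a truststore is configured as well,
   * falling back to the identity keystore when no truststore path is configured. Cipher
   * suite and protocol include/exclude lists are applied only when non-empty.
   *
   * @param config the gateway configuration supplying keystore, truststore, client-auth and
   *               cipher/protocol settings
   * @return a fully configured {@code SslContextFactory.Server} (typed as {@code Object} to
   *         keep Jetty types out of the service interface)
   * @throws AliasServiceException if the keystore password, key passphrase or truststore
   *                               password cannot be retrieved from the alias service; the
   *                               failure is logged before being rethrown
   */
  public Object buildSslContextFactory(GatewayConfig config) throws AliasServiceException {
    String identityKeystorePath = config.getIdentityKeystorePath();
    String identityKeystoreType = config.getIdentityKeystoreType();
    String identityKeyAlias = config.getIdentityKeyAlias();

    SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
    sslContextFactory.setCertAlias(identityKeyAlias);
    sslContextFactory.setKeyStoreType(identityKeystoreType);
    sslContextFactory.setKeyStorePath(identityKeystorePath);

    // Keystore password: log the failure with the specific message for this secret, then
    // propagate so the caller does not end up with a half-configured TLS listener.
    char[] keystorePasswordChars;
    try {
      keystorePasswordChars = aliasService.getGatewayIdentityKeystorePassword();
    } catch (AliasServiceException e) {
      log.failedToGetPasswordForGatewayIdentityKeystore(e);
      throw e;
    }
    if (keystorePasswordChars != null) {
      // The Jetty setter takes a String, so the char[] cannot stay in a clearable buffer here.
      sslContextFactory.setKeyStorePassword(new String(keystorePasswordChars));
    }

    // Key passphrase (may be absent, in which case Jetty falls back to the keystore password).
    char[] keypass;
    try {
      keypass = aliasService.getGatewayIdentityPassphrase();
    } catch (AliasServiceException e) {
      log.failedToGetPassphraseForGatewayIdentityKey(e);
      throw e;
    }
    if (keypass != null) {
      sslContextFactory.setKeyManagerPassword(new String(keypass));
    }

    boolean clientAuthNeeded = config.isClientAuthNeeded();
    boolean clientAuthWanted = config.isClientAuthWanted();
    if (clientAuthNeeded || clientAuthWanted) {
      String truststorePath = config.getTruststorePath();
      String trustStoreType;
      char[] truststorePassword;

      if (truststorePath != null) {
        String trustStorePasswordAlias = config.getTruststorePasswordAlias();
        trustStoreType = config.getTruststoreType();

        try {
          truststorePassword = aliasService.getPasswordFromAliasForGateway(trustStorePasswordAlias);
        } catch (AliasServiceException e) {
          log.failedToGetPasswordForGatewayTruststore(trustStorePasswordAlias, e);
          throw e;
        }
      } else {
        // Client auth is required/wanted but no truststore was configured: reuse the
        // server's own identity keystore (and its password) as the trust source.
        truststorePath = identityKeystorePath;
        trustStoreType = identityKeystoreType;

        try {
          truststorePassword = aliasService.getGatewayIdentityKeystorePassword();
        } catch (AliasServiceException e) {
          log.failedToGetPasswordForGatewayTruststore(config.getIdentityKeystorePasswordAlias(), e);
          throw e;
        }
      }

      sslContextFactory.setTrustStorePath(truststorePath);
      if (truststorePassword != null) {
        sslContextFactory.setTrustStorePassword(new String(truststorePassword));
      }
      sslContextFactory.setTrustStoreType(trustStoreType);
    }

    // "Need" takes precedence over "want": a required client certificate is a hard failure
    // for the handshake, whereas "want" only requests one.
    if (clientAuthNeeded) {
      sslContextFactory.setNeedClientAuth(clientAuthNeeded);
    } else {
      sslContextFactory.setWantClientAuth(clientAuthWanted);
    }

    // NOTE(review): trust-all disables certificate chain validation on this factory; it is
    // driven purely by configuration here, so the operator setting must be the guard.
    sslContextFactory.setTrustAll(config.getTrustAllCerts());

    List<String> sslIncludeCiphers = config.getIncludedSSLCiphers();
    if (sslIncludeCiphers != null && !sslIncludeCiphers.isEmpty()) {
      sslContextFactory.setIncludeCipherSuites(sslIncludeCiphers.toArray(new String[0]));
    }

    List<String> sslExcludeCiphers = config.getExcludedSSLCiphers();
    if (sslExcludeCiphers != null && !sslExcludeCiphers.isEmpty()) {
      sslContextFactory.setExcludeCipherSuites(sslExcludeCiphers.toArray(new String[0]));
    }

    List<String> sslExcludeProtocols = config.getExcludedSSLProtocols();
    if (sslExcludeProtocols != null && !sslExcludeProtocols.isEmpty()) {
      sslContextFactory.setExcludeProtocols(sslExcludeProtocols.toArray(new String[0]));
    }

    // Fix: the original tested isEmpty() (not !isEmpty()), so a configured protocol
    // allow-list was never applied and an empty one was pushed into Jetty instead. Apply
    // the include list exactly like the cipher/protocol lists above.
    final Set<String> sslIncludeProtocols = config.getIncludedSSLProtocols();
    if (sslIncludeProtocols != null && !sslIncludeProtocols.isEmpty()) {
      sslContextFactory.setIncludeProtocols(sslIncludeProtocols.toArray(new String[0]));
    }

    sslContextFactory.setRenegotiationAllowed(config.isSSLRenegotiationAllowed());
    return sslContextFactory;
  }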