in gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/JettySSLService.java [136:237]
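/**
 * Builds the Jetty {@code SslContextFactory.Server} for the gateway listener from
 * the supplied configuration and the passwords held by the alias service.
 *
 * <p>Identity (server) key material: keystore path/type and the key alias come from
 * {@code config}; the keystore password and the key passphrase are resolved through
 * {@code aliasService}. Either password may be absent, in which case Jetty is left
 * without it rather than being given an empty string.
 *
 * <p>Client authentication: when client auth is needed or wanted, a trust store is
 * configured. If {@code config.getTruststorePath()} is {@code null}, the server's own
 * identity keystore (and its password) is used as the trust store. Note that
 * {@code config.getTrustAllCerts()} is passed straight to {@code setTrustAll};
 * when enabled, Jetty is expected to accept any presented certificate, which makes
 * client-certificate authentication ineffective — confirm the exact semantics
 * against the Jetty version in use before relying on it outside of development.
 *
 * <p>Cipher suites and protocols: included/excluded cipher lists and the excluded
 * and included protocol lists are applied only when non-null and non-empty, so an
 * unset list leaves Jetty's defaults in place.
 *
 * @param config gateway configuration providing keystore, truststore, client-auth
 *               and cipher/protocol settings
 * @return the configured {@code SslContextFactory.Server} (declared as {@code Object}
 *         to keep the Jetty type out of the service interface)
 * @throws AliasServiceException if the keystore password, key passphrase or truststore
 *         password cannot be obtained from the alias service; the failure is logged
 *         before being rethrown
 */
public Object buildSslContextFactory(GatewayConfig config) throws AliasServiceException {
  String identityKeystorePath = config.getIdentityKeystorePath();
  String identityKeystoreType = config.getIdentityKeystoreType();
  String identityKeyAlias = config.getIdentityKeyAlias();

  SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
  sslContextFactory.setCertAlias(identityKeyAlias);
  sslContextFactory.setKeyStoreType(identityKeystoreType);
  sslContextFactory.setKeyStorePath(identityKeystorePath);

  // Keystore password: log the failure for operators, then let it propagate so the
  // gateway does not start with a half-configured TLS listener.
  char[] keystorePasswordChars;
  try {
    keystorePasswordChars = aliasService.getGatewayIdentityKeystorePassword();
  } catch (AliasServiceException e) {
    log.failedToGetPasswordForGatewayIdentityKeystore(e);
    throw e;
  }
  // Jetty's setter only accepts String; the char[] is not wiped here because the
  // alias service may hand back a buffer it still owns.
  if (keystorePasswordChars != null) {
    sslContextFactory.setKeyStorePassword(new String(keystorePasswordChars));
  }

  // Key passphrase (may differ from the keystore password).
  char[] keypass;
  try {
    keypass = aliasService.getGatewayIdentityPassphrase();
  } catch (AliasServiceException e) {
    log.failedToGetPassphraseForGatewayIdentityKey(e);
    throw e;
  }
  if (keypass != null) {
    sslContextFactory.setKeyManagerPassword(new String(keypass));
  }

  boolean clientAuthNeeded = config.isClientAuthNeeded();
  boolean clientAuthWanted = config.isClientAuthWanted();
  if (clientAuthNeeded || clientAuthWanted) {
    String truststorePath = config.getTruststorePath();
    String trustStoreType;
    char[] truststorePassword;
    if (truststorePath != null) {
      String trustStorePasswordAlias = config.getTruststorePasswordAlias();
      trustStoreType = config.getTruststoreType();
      try {
        truststorePassword = aliasService.getPasswordFromAliasForGateway(trustStorePasswordAlias);
      } catch (AliasServiceException e) {
        log.failedToGetPasswordForGatewayTruststore(trustStorePasswordAlias, e);
        throw e;
      }
    } else {
      // Client auth requested but no dedicated truststore configured: fall back to the
      // server's identity keystore and its password as the trust anchor source.
      truststorePath = identityKeystorePath;
      trustStoreType = identityKeystoreType;
      try {
        truststorePassword = aliasService.getGatewayIdentityKeystorePassword();
      } catch (AliasServiceException e) {
        log.failedToGetPasswordForGatewayTruststore(config.getIdentityKeystorePasswordAlias(), e);
        throw e;
      }
    }
    sslContextFactory.setTrustStorePath(truststorePath);
    if (truststorePassword != null) {
      sslContextFactory.setTrustStorePassword(new String(truststorePassword));
    }
    sslContextFactory.setTrustStoreType(trustStoreType);
  }

  // "needed" takes precedence over "wanted"; only one of the two is set on the factory.
  if (clientAuthNeeded) {
    sslContextFactory.setNeedClientAuth(clientAuthNeeded);
  } else {
    sslContextFactory.setWantClientAuth(clientAuthWanted);
  }

  // Security-sensitive: forwarded verbatim from configuration (see class comment above).
  sslContextFactory.setTrustAll(config.getTrustAllCerts());

  List<String> sslIncludeCiphers = config.getIncludedSSLCiphers();
  if (sslIncludeCiphers != null && !sslIncludeCiphers.isEmpty()) {
    sslContextFactory.setIncludeCipherSuites(sslIncludeCiphers.toArray(new String[0]));
  }
  List<String> sslExcludeCiphers = config.getExcludedSSLCiphers();
  if (sslExcludeCiphers != null && !sslExcludeCiphers.isEmpty()) {
    sslContextFactory.setExcludeCipherSuites(sslExcludeCiphers.toArray(new String[0]));
  }
  List<String> sslExcludeProtocols = config.getExcludedSSLProtocols();
  if (sslExcludeProtocols != null && !sslExcludeProtocols.isEmpty()) {
    sslContextFactory.setExcludeProtocols(sslExcludeProtocols.toArray(new String[0]));
  }
  // Fix: the previous condition tested isEmpty() instead of !isEmpty(), so a configured
  // include-protocols list was never applied and Jetty's defaults silently remained in
  // effect; an empty list would instead have been passed through as an empty array.
  final Set<String> sslIncludeProtocols = config.getIncludedSSLProtocols();
  if (sslIncludeProtocols != null && !sslIncludeProtocols.isEmpty()) {
    sslContextFactory.setIncludeProtocols(sslIncludeProtocols.toArray(new String[0]));
  }

  sslContextFactory.setRenegotiationAllowed(config.isSSLRenegotiationAllowed());
  return sslContextFactory;
}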