modules/transports/core/nhttp/src/main/java/org/apache/synapse/transport/nhttp/HttpCoreNIOSSLSender.java [106:334]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - @Override protected SSLSetupHandler getSSLSetupHandler(TransportOutDescription transportOut) throws AxisFault { Parameter hostnameVerifier = transportOut.getParameter("HostnameVerifier"); String hostnameVerifierValue = hostnameVerifier != null ? hostnameVerifier.getValue().toString() : null; Parameter revocationVerifierParam = transportOut.getParameter("CertificateRevocationVerifier"); CertificateVerificationConfig cvConfig = revocationVerifierParam != null ? new CertificateVerificationConfig(revocationVerifierParam) : null; return createSSLSetupHandler(hostnameVerifierValue, cvConfig); } /** * Looks for a transport parameter named customSSLProfiles and initializes zero or more * custom SSLContext instances. The syntax for defining custom SSL profiles is as follows. * * contextMap = new HashMap(); while (profiles.hasNext()) { OMElement profile = (OMElement) profiles.next(); OMElement serversElt = profile.getFirstChildWithName(new QName("servers")); if (serversElt == null || serversElt.getText() == null) { String msg = "Each custom SSL profile must define at least one host:port " + "pair under the servers element"; log.error(msg); throw new AxisFault(msg); } String[] servers = serversElt.getText().split(","); OMElement ksElt = profile.getFirstChildWithName(new QName("KeyStore")); OMElement trElt = profile.getFirstChildWithName(new QName("TrustStore")); String noValCert = profile.getAttributeValue(new QName("novalidatecert")); boolean novalidatecert = "true".equals(noValCert); SSLContext sslContext = createSSLContext(ksElt, trElt, novalidatecert); for (String server : servers) { server = server.trim(); if (!contextMap.containsKey(server)) { contextMap.put(server, sslContext); } else { log.warn("Multiple SSL profiles were found for the server : " + server + ". " + "Ignoring the excessive profiles."); } } } if (contextMap.size() > 0) { log.info("Custom SSL profiles initialized for " + contextMap.size() + " servers"); return contextMap; } return null; } private SSLContext createSSLContext(OMElement keyStoreElt, OMElement trustStoreElt, boolean novalidatecert) throws AxisFault { KeyManager[] keymanagers = null; TrustManager[] trustManagers = null; if (keyStoreElt != null) { String location = keyStoreElt.getFirstChildWithName(new QName("Location")).getText(); String type = keyStoreElt.getFirstChildWithName(new QName("Type")).getText(); String storePassword = keyStoreElt.getFirstChildWithName(new QName("Password")).getText(); String keyPassword = keyStoreElt.getFirstChildWithName(new QName("KeyPassword")).getText(); FileInputStream fis = null; try { KeyStore keyStore = KeyStore.getInstance(type); fis = new FileInputStream(location); log.info("Loading Identity Keystore from : " + location); keyStore.load(fis, storePassword.toCharArray()); KeyManagerFactory kmfactory = KeyManagerFactory.getInstance( KeyManagerFactory.getDefaultAlgorithm()); kmfactory.init(keyStore, keyPassword.toCharArray()); keymanagers = kmfactory.getKeyManagers(); } catch (GeneralSecurityException gse) { log.error("Error loading Keystore : " + location, gse); throw new AxisFault("Error loading Keystore : " + location, gse); } catch (IOException ioe) { log.error("Error opening Keystore : " + location, ioe); throw new AxisFault("Error opening Keystore : " + location, ioe); } finally { if (fis != null) { try { fis.close(); } catch (IOException ignore) {} } } } if (trustStoreElt != null) { if (novalidatecert) { log.warn("Ignoring novalidatecert parameter since a truststore has been specified"); } String location = trustStoreElt.getFirstChildWithName(new QName("Location")).getText(); String type = trustStoreElt.getFirstChildWithName(new QName("Type")).getText(); String storePassword = trustStoreElt.getFirstChildWithName(new QName("Password")).getText(); FileInputStream fis = null; try { KeyStore trustStore = KeyStore.getInstance(type); fis = new FileInputStream(location); log.info("Loading Trust Keystore from : " + location); trustStore.load(fis, storePassword.toCharArray()); TrustManagerFactory trustManagerfactory = TrustManagerFactory.getInstance( TrustManagerFactory.getDefaultAlgorithm()); trustManagerfactory.init(trustStore); trustManagers = trustManagerfactory.getTrustManagers(); } catch (GeneralSecurityException gse) { log.error("Error loading Key store : " + location, gse); throw new AxisFault("Error loading Key store : " + location, gse); } catch (IOException ioe) { log.error("Error opening Key store : " + location, ioe); throw new AxisFault("Error opening Key store : " + location, ioe); } finally { if (fis != null) { try { fis.close(); } catch (IOException ignore) {} } } } else if (novalidatecert) { log.warn("Server certificate validation (trust) has been disabled. " + "DO NOT USE IN PRODUCTION!"); trustManagers = new TrustManager[] { new NoValidateCertTrustManager() }; } try { SSLContext sslcontext = SSLContext.getInstance("TLS"); sslcontext.init(keymanagers, trustManagers, null); return sslcontext; } catch (GeneralSecurityException gse) { log.error("Unable to create SSL context with the given configuration", gse); throw new AxisFault("Unable to create SSL context with the given configuration", gse); } } private SSLSetupHandler createSSLSetupHandler(final String hostnameVerifier, final CertificateVerificationConfig cvConfig) throws AxisFault { return new SSLSetupHandler() { @Override public void initalize(SSLEngine sslengine) { } @Override public void verify(IOSession ioSession, SSLSession session) throws SSLException { SocketAddress remoteAddress = ioSession.getRemoteAddress(); String address; if (remoteAddress instanceof InetSocketAddress) { address = ((InetSocketAddress) remoteAddress).getHostName(); } else { address = remoteAddress.toString(); } boolean valid = false; //Do HostName verification. if (hostnameVerifier != null) { if ("Strict".equals(hostnameVerifier)) { valid = HostnameVerifier.STRICT.verify(address, session); } else if ("AllowAll".equals(hostnameVerifier)) { valid = HostnameVerifier.ALLOW_ALL.verify(address, session); } else if ("DefaultAndLocalhost".equals(hostnameVerifier)) { valid = HostnameVerifier.DEFAULT_AND_LOCALHOST.verify(address, session); } } else { valid = HostnameVerifier.DEFAULT.verify(address, session); } if (!valid) { throw new SSLException("Host name verification failed for host : " + address); } if (cvConfig != null) { try { ocspCrl.verifyRevocationStatus(session.getPeerCertificateChain(), cvConfig.getCacheSize(), cvConfig.getCacheDuration()); } catch (CertificateVerificationException e) { throw new SSLException("Certificate chain validation failed for host : " + address, e); } } } }; - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - modules/transports/core/nhttp/src/main/java/org/apache/synapse/transport/passthru/PassThroughHttpSSLSender.java [108:337]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - @Override protected SSLSetupHandler getSSLSetupHandler(TransportOutDescription transportOut) throws AxisFault { Parameter hostnameVerifier = transportOut.getParameter("HostnameVerifier"); String hostnameVerifierValue = hostnameVerifier != null ? hostnameVerifier.getValue().toString() : null; Parameter revocationVerifierParam = transportOut.getParameter("CertificateRevocationVerifier"); CertificateVerificationConfig cvConfig = revocationVerifierParam != null ? new CertificateVerificationConfig(revocationVerifierParam) : null; return createSSLSetupHandler(hostnameVerifierValue, cvConfig); } /** * Looks for a transport parameter named customSSLProfiles and initializes zero or more * custom SSLContext instances. The syntax for defining custom SSL profiles is as follows. * * contextMap = new HashMap(); while (profiles.hasNext()) { OMElement profile = (OMElement) profiles.next(); OMElement serversElt = profile.getFirstChildWithName(new QName("servers")); if (serversElt == null || serversElt.getText() == null) { String msg = "Each custom SSL profile must define at least one host:port " + "pair under the servers element"; log.error(msg); throw new AxisFault(msg); } String[] servers = serversElt.getText().split(","); OMElement ksElt = profile.getFirstChildWithName(new QName("KeyStore")); OMElement trElt = profile.getFirstChildWithName(new QName("TrustStore")); String noValCert = profile.getAttributeValue(new QName("novalidatecert")); boolean novalidatecert = "true".equals(noValCert); SSLContext sslContext = createSSLContext(ksElt, trElt, novalidatecert); for (String server : servers) { server = server.trim(); if (!contextMap.containsKey(server)) { contextMap.put(server, sslContext); } else { log.warn("Multiple SSL profiles were found for the server : " + server + ". " + "Ignoring the excessive profiles."); } } } if (contextMap.size() > 0) { log.info("Custom SSL profiles initialized for " + contextMap.size() + " servers"); return contextMap; } return null; } private SSLContext createSSLContext(OMElement keyStoreElt, OMElement trustStoreElt, boolean novalidatecert) throws AxisFault { KeyManager[] keymanagers = null; TrustManager[] trustManagers = null; if (keyStoreElt != null) { String location = keyStoreElt.getFirstChildWithName(new QName("Location")).getText(); String type = keyStoreElt.getFirstChildWithName(new QName("Type")).getText(); String storePassword = keyStoreElt.getFirstChildWithName(new QName("Password")).getText(); String keyPassword = keyStoreElt.getFirstChildWithName(new QName("KeyPassword")).getText(); FileInputStream fis = null; try { KeyStore keyStore = KeyStore.getInstance(type); fis = new FileInputStream(location); log.info("Loading Identity Keystore from : " + location); keyStore.load(fis, storePassword.toCharArray()); KeyManagerFactory kmfactory = KeyManagerFactory.getInstance( KeyManagerFactory.getDefaultAlgorithm()); kmfactory.init(keyStore, keyPassword.toCharArray()); keymanagers = kmfactory.getKeyManagers(); } catch (GeneralSecurityException gse) { log.error("Error loading Keystore : " + location, gse); throw new AxisFault("Error loading Keystore : " + location, gse); } catch (IOException ioe) { log.error("Error opening Keystore : " + location, ioe); throw new AxisFault("Error opening Keystore : " + location, ioe); } finally { if (fis != null) { try { fis.close(); } catch (IOException ignore) {} } } } if (trustStoreElt != null) { if (novalidatecert) { log.warn("Ignoring novalidatecert parameter since a truststore has been specified"); } String location = trustStoreElt.getFirstChildWithName(new QName("Location")).getText(); String type = trustStoreElt.getFirstChildWithName(new QName("Type")).getText(); String storePassword = trustStoreElt.getFirstChildWithName(new QName("Password")).getText(); FileInputStream fis = null; try { KeyStore trustStore = KeyStore.getInstance(type); fis = new FileInputStream(location); log.info("Loading Trust Keystore from : " + location); trustStore.load(fis, storePassword.toCharArray()); TrustManagerFactory trustManagerfactory = TrustManagerFactory.getInstance( TrustManagerFactory.getDefaultAlgorithm()); trustManagerfactory.init(trustStore); trustManagers = trustManagerfactory.getTrustManagers(); } catch (GeneralSecurityException gse) { log.error("Error loading Key store : " + location, gse); throw new AxisFault("Error loading Key store : " + location, gse); } catch (IOException ioe) { log.error("Error opening Key store : " + location, ioe); throw new AxisFault("Error opening Key store : " + location, ioe); } finally { if (fis != null) { try { fis.close(); } catch (IOException ignore) {} } } } else if (novalidatecert) { log.warn("Server certificate validation (trust) has been disabled. " + "DO NOT USE IN PRODUCTION!"); trustManagers = new TrustManager[] { new NoValidateCertTrustManager() }; } try { SSLContext sslcontext = SSLContext.getInstance("TLS"); sslcontext.init(keymanagers, trustManagers, null); return sslcontext; } catch (GeneralSecurityException gse) { log.error("Unable to create SSL context with the given configuration", gse); throw new AxisFault("Unable to create SSL context with the given configuration", gse); } } private SSLSetupHandler createSSLSetupHandler(final String hostnameVerifier, final CertificateVerificationConfig cvConfig) throws AxisFault { return new SSLSetupHandler() { @Override public void initalize(SSLEngine sslengine) { } @Override public void verify(IOSession ioSession, SSLSession session) throws SSLException { SocketAddress remoteAddress = ioSession.getRemoteAddress(); String address; if (remoteAddress instanceof InetSocketAddress) { address = ((InetSocketAddress) remoteAddress).getHostName(); } else { address = remoteAddress.toString(); } boolean valid = false; //Do HostName verification. if (hostnameVerifier != null) { if ("Strict".equals(hostnameVerifier)) { valid = HostnameVerifier.STRICT.verify(address, session); } else if ("AllowAll".equals(hostnameVerifier)) { valid = HostnameVerifier.ALLOW_ALL.verify(address, session); } else if ("DefaultAndLocalhost".equals(hostnameVerifier)) { valid = HostnameVerifier.DEFAULT_AND_LOCALHOST.verify(address, session); } } else { valid = HostnameVerifier.DEFAULT.verify(address, session); } if (!valid) { throw new SSLException("Host name verification failed for host : " + address); } if (cvConfig != null) { //Do revocation verification of Certificates try { ocspCrl.verifyRevocationStatus(session.getPeerCertificateChain(), cvConfig.getCacheSize(), cvConfig.getCacheDuration()); } catch (CertificateVerificationException e) { throw new SSLException("Certificate chain validation failed for host : " + address, e); } } } }; - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -