protonj2-client/src/main/java/org/apache/qpid/protonj2/client/transport/netty4/SslSupport.java [257:445]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - SSLEngine engine = null; if (allocator == null) { throw new IllegalArgumentException("OpenSSL engine requires a valid ByteBufAllocator to operate"); } if (host == null || host.isEmpty()) { engine = context.newEngine(allocator); } else { engine = context.newEngine(allocator, host, port); } engine.setEnabledProtocols(buildEnabledProtocols(engine, options)); engine.setEnabledCipherSuites(buildEnabledCipherSuites(engine, options)); engine.setUseClientMode(true); if (options.verifyHost()) { SSLParameters sslParameters = engine.getSSLParameters(); sslParameters.setEndpointIdentificationAlgorithm("HTTPS"); engine.setSSLParameters(sslParameters); } return engine; } //----- Internal support methods -----------------------------------------// private static String[] buildEnabledProtocols(SSLEngine engine, SslOptions options) { List enabledProtocols = new ArrayList(); if (options.enabledProtocols() != null) { List configuredProtocols = Arrays.asList(options.enabledProtocols()); LOG.trace("Configured protocols from transport options: {}", configuredProtocols); enabledProtocols.addAll(configuredProtocols); } else { List engineProtocols = Arrays.asList(engine.getEnabledProtocols()); LOG.trace("Default protocols from the SSLEngine: {}", engineProtocols); enabledProtocols.addAll(engineProtocols); } String[] disabledProtocols = options.disabledProtocols(); if (disabledProtocols != null) { List disabled = Arrays.asList(disabledProtocols); LOG.trace("Disabled protocols: {}", disabled); enabledProtocols.removeAll(disabled); } LOG.trace("Enabled protocols: {}", enabledProtocols); return enabledProtocols.toArray(new String[0]); } private static String[] buildEnabledCipherSuites(SSLEngine engine, SslOptions options) { List enabledCipherSuites = new ArrayList(); if (options.enabledCipherSuites() != null) { List configuredCipherSuites = Arrays.asList(options.enabledCipherSuites()); LOG.trace("Configured cipher suites from transport options: {}", configuredCipherSuites); enabledCipherSuites.addAll(configuredCipherSuites); } else { List engineCipherSuites = Arrays.asList(engine.getEnabledCipherSuites()); LOG.trace("Default cipher suites from the SSLEngine: {}", engineCipherSuites); enabledCipherSuites.addAll(engineCipherSuites); } String[] disabledCipherSuites = options.disabledCipherSuites(); if (disabledCipherSuites != null) { List disabled = Arrays.asList(disabledCipherSuites); LOG.trace("Disabled cipher suites: {}", disabled); enabledCipherSuites.removeAll(disabled); } LOG.trace("Enabled cipher suites: {}", enabledCipherSuites); return enabledCipherSuites.toArray(new String[0]); } private static TrustManager[] loadTrustManagers(SslOptions options) throws Exception { TrustManagerFactory factory = loadTrustManagerFactory(options); if (factory != null) { return factory.getTrustManagers(); } else { return null; } } private static TrustManagerFactory loadTrustManagerFactory(SslOptions options) throws Exception { if (options.trustAll()) { return InsecureTrustManagerFactory.INSTANCE; } if (options.trustStoreLocation() == null) { return null; } TrustManagerFactory fact = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); String storeLocation = options.trustStoreLocation(); String storePassword = options.trustStorePassword(); String storeType = options.trustStoreType(); LOG.trace("Attempt to load TrustStore from location {} of type {}", storeLocation, storeType); KeyStore trustStore = loadStore(storeLocation, storePassword, storeType); fact.init(trustStore); return fact; } private static KeyManager[] loadKeyManagers(SslOptions options) throws Exception { if (options.keyStoreLocation() == null) { return null; } KeyManagerFactory fact = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); String storeLocation = options.keyStoreLocation(); String storePassword = options.keyStorePassword(); String storeType = options.keyStoreType(); String alias = options.keyAlias(); LOG.trace("Attempt to load KeyStore from location {} of type {}", storeLocation, storeType); KeyStore keyStore = loadStore(storeLocation, storePassword, storeType); fact.init(keyStore, storePassword != null ? storePassword.toCharArray() : null); if (alias == null) { return fact.getKeyManagers(); } else { validateAlias(keyStore, alias); return wrapKeyManagers(alias, fact.getKeyManagers()); } } private static KeyManagerFactory loadKeyManagerFactory(SslOptions options, SslProvider provider) throws Exception { if (options.keyStoreLocation() == null) { return null; } final KeyManagerFactory factory; if (provider.equals(SslProvider.JDK)) { factory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); } else { factory = new OpenSslX509KeyManagerFactory(); } String storeLocation = options.keyStoreLocation(); String storePassword = options.keyStorePassword(); String storeType = options.keyStoreType(); LOG.trace("Attempt to load KeyStore from location {} of type {}", storeLocation, storeType); KeyStore keyStore = loadStore(storeLocation, storePassword, storeType); factory.init(keyStore, storePassword != null ? storePassword.toCharArray() : null); return factory; } private static KeyManager[] wrapKeyManagers(String alias, KeyManager[] origKeyManagers) { KeyManager[] keyManagers = new KeyManager[origKeyManagers.length]; for (int i = 0; i < origKeyManagers.length; i++) { KeyManager km = origKeyManagers[i]; if (km instanceof X509ExtendedKeyManager) { km = new X509AliasKeyManager(alias, (X509ExtendedKeyManager) km); } keyManagers[i] = km; } return keyManagers; } private static void validateAlias(KeyStore store, String alias) throws IllegalArgumentException, KeyStoreException { if (!store.containsAlias(alias)) { throw new IllegalArgumentException("The alias '" + alias + "' doesn't exist in the key store"); } if (!store.isKeyEntry(alias)) { throw new IllegalArgumentException("The alias '" + alias + "' in the keystore doesn't represent a key entry"); } } private static KeyStore loadStore(String storePath, final String password, String storeType) throws Exception { KeyStore store = KeyStore.getInstance(storeType); try (InputStream in = new FileInputStream(new File(storePath));) { store.load(in, password != null ? password.toCharArray() : null); } return store; - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - protonj2-client/src/main/java/org/apache/qpid/protonj2/client/transport/netty5/SslSupport.java [257:445]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - SSLEngine engine = null; if (allocator == null) { throw new IllegalArgumentException("OpenSSL engine requires a valid ByteBufAllocator to operate"); } if (host == null || host.isEmpty()) { engine = context.newEngine(allocator); } else { engine = context.newEngine(allocator, host, port); } engine.setEnabledProtocols(buildEnabledProtocols(engine, options)); engine.setEnabledCipherSuites(buildEnabledCipherSuites(engine, options)); engine.setUseClientMode(true); if (options.verifyHost()) { SSLParameters sslParameters = engine.getSSLParameters(); sslParameters.setEndpointIdentificationAlgorithm("HTTPS"); engine.setSSLParameters(sslParameters); } return engine; } //----- Internal support methods -----------------------------------------// private static String[] buildEnabledProtocols(SSLEngine engine, SslOptions options) { List enabledProtocols = new ArrayList(); if (options.enabledProtocols() != null) { List configuredProtocols = Arrays.asList(options.enabledProtocols()); LOG.trace("Configured protocols from transport options: {}", configuredProtocols); enabledProtocols.addAll(configuredProtocols); } else { List engineProtocols = Arrays.asList(engine.getEnabledProtocols()); LOG.trace("Default protocols from the SSLEngine: {}", engineProtocols); enabledProtocols.addAll(engineProtocols); } String[] disabledProtocols = options.disabledProtocols(); if (disabledProtocols != null) { List disabled = Arrays.asList(disabledProtocols); LOG.trace("Disabled protocols: {}", disabled); enabledProtocols.removeAll(disabled); } LOG.trace("Enabled protocols: {}", enabledProtocols); return enabledProtocols.toArray(new String[0]); } private static String[] buildEnabledCipherSuites(SSLEngine engine, SslOptions options) { List enabledCipherSuites = new ArrayList(); if (options.enabledCipherSuites() != null) { List configuredCipherSuites = Arrays.asList(options.enabledCipherSuites()); LOG.trace("Configured cipher suites from transport options: {}", configuredCipherSuites); enabledCipherSuites.addAll(configuredCipherSuites); } else { List engineCipherSuites = Arrays.asList(engine.getEnabledCipherSuites()); LOG.trace("Default cipher suites from the SSLEngine: {}", engineCipherSuites); enabledCipherSuites.addAll(engineCipherSuites); } String[] disabledCipherSuites = options.disabledCipherSuites(); if (disabledCipherSuites != null) { List disabled = Arrays.asList(disabledCipherSuites); LOG.trace("Disabled cipher suites: {}", disabled); enabledCipherSuites.removeAll(disabled); } LOG.trace("Enabled cipher suites: {}", enabledCipherSuites); return enabledCipherSuites.toArray(new String[0]); } private static TrustManager[] loadTrustManagers(SslOptions options) throws Exception { TrustManagerFactory factory = loadTrustManagerFactory(options); if (factory != null) { return factory.getTrustManagers(); } else { return null; } } private static TrustManagerFactory loadTrustManagerFactory(SslOptions options) throws Exception { if (options.trustAll()) { return InsecureTrustManagerFactory.INSTANCE; } if (options.trustStoreLocation() == null) { return null; } TrustManagerFactory fact = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); String storeLocation = options.trustStoreLocation(); String storePassword = options.trustStorePassword(); String storeType = options.trustStoreType(); LOG.trace("Attempt to load TrustStore from location {} of type {}", storeLocation, storeType); KeyStore trustStore = loadStore(storeLocation, storePassword, storeType); fact.init(trustStore); return fact; } private static KeyManager[] loadKeyManagers(SslOptions options) throws Exception { if (options.keyStoreLocation() == null) { return null; } KeyManagerFactory fact = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); String storeLocation = options.keyStoreLocation(); String storePassword = options.keyStorePassword(); String storeType = options.keyStoreType(); String alias = options.keyAlias(); LOG.trace("Attempt to load KeyStore from location {} of type {}", storeLocation, storeType); KeyStore keyStore = loadStore(storeLocation, storePassword, storeType); fact.init(keyStore, storePassword != null ? storePassword.toCharArray() : null); if (alias == null) { return fact.getKeyManagers(); } else { validateAlias(keyStore, alias); return wrapKeyManagers(alias, fact.getKeyManagers()); } } private static KeyManagerFactory loadKeyManagerFactory(SslOptions options, SslProvider provider) throws Exception { if (options.keyStoreLocation() == null) { return null; } final KeyManagerFactory factory; if (provider.equals(SslProvider.JDK)) { factory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); } else { factory = new OpenSslX509KeyManagerFactory(); } String storeLocation = options.keyStoreLocation(); String storePassword = options.keyStorePassword(); String storeType = options.keyStoreType(); LOG.trace("Attempt to load KeyStore from location {} of type {}", storeLocation, storeType); KeyStore keyStore = loadStore(storeLocation, storePassword, storeType); factory.init(keyStore, storePassword != null ? storePassword.toCharArray() : null); return factory; } private static KeyManager[] wrapKeyManagers(String alias, KeyManager[] origKeyManagers) { KeyManager[] keyManagers = new KeyManager[origKeyManagers.length]; for (int i = 0; i < origKeyManagers.length; i++) { KeyManager km = origKeyManagers[i]; if (km instanceof X509ExtendedKeyManager) { km = new X509AliasKeyManager(alias, (X509ExtendedKeyManager) km); } keyManagers[i] = km; } return keyManagers; } private static void validateAlias(KeyStore store, String alias) throws IllegalArgumentException, KeyStoreException { if (!store.containsAlias(alias)) { throw new IllegalArgumentException("The alias '" + alias + "' doesn't exist in the key store"); } if (!store.isKeyEntry(alias)) { throw new IllegalArgumentException("The alias '" + alias + "' in the keystore doesn't represent a key entry"); } } private static KeyStore loadStore(String storePath, final String password, String storeType) throws Exception { KeyStore store = KeyStore.getInstance(storeType); try (InputStream in = new FileInputStream(new File(storePath));) { store.load(in, password != null ? password.toCharArray() : null); } return store; - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -