in src/main/core-impl/java/com/mysql/cj/protocol/ExportControlled.java [469:617]
public SSLContext build() {
KeyManagerFactory kmf = null;
KeyManager[] kms = null;
TrustManagerFactory tmf = null;
TrustManager[] tms = new TrustManager[0];
try {
kmf = StringUtils.isNullOrEmpty(this.KeyManagerFactoryProvider) ? KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm())
: KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm(), this.KeyManagerFactoryProvider);
tmf = StringUtils.isNullOrEmpty(this.trustManagerFactoryProvider) ? TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
: TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm(), this.trustManagerFactoryProvider);
} catch (NoSuchAlgorithmException e) {
throw ExceptionFactory.createException(SSLParamsException.class,
"Default algorithm for TrustManager or KeyManager is invalid. Check java security properties file.", e, this.exceptionInterceptor);
} catch (NoSuchProviderException e) {
throw ExceptionFactory.createException(SSLParamsException.class,
"Specified TrustManager or KeyManager Provider is invalid. Ensure it is property registered.", e, this.exceptionInterceptor);
}
if (!StringUtils.isNullOrEmpty(this.keyStoreSettings.keyStoreUrl)) {
InputStream ksIS = null;
try {
if (!StringUtils.isNullOrEmpty(this.keyStoreSettings.keyStoreType)) {
KeyStore clientKeyStore = StringUtils.isNullOrEmpty(this.keyStoreProvider) ? KeyStore.getInstance(this.keyStoreSettings.keyStoreType)
: KeyStore.getInstance(this.keyStoreSettings.keyStoreType, this.keyStoreProvider);
URL ksURL = new URL(this.keyStoreSettings.keyStoreUrl);
char[] password = this.keyStoreSettings.keyStorePassword == null ? new char[0] : this.keyStoreSettings.keyStorePassword.toCharArray();
ksIS = ksURL.openStream();
clientKeyStore.load(ksIS, password);
kmf.init(clientKeyStore, password);
kms = kmf.getKeyManagers();
}
} catch (UnrecoverableKeyException e) {
throw ExceptionFactory.createException(SSLParamsException.class, "Could not recover keys from client keystore. Check password?", e,
this.exceptionInterceptor);
} catch (NoSuchAlgorithmException e) {
throw ExceptionFactory.createException(SSLParamsException.class, "Unsupported keystore algorithm [" + e.getMessage() + "]", e,
this.exceptionInterceptor);
} catch (NoSuchProviderException e) {
throw ExceptionFactory.createException(SSLParamsException.class,
"Specified KeyStore Provider is invalid. Ensure it is property registered.", e, this.exceptionInterceptor);
} catch (KeyStoreException e) {
throw ExceptionFactory.createException(SSLParamsException.class, "Could not create KeyStore instance [" + e.getMessage() + "]", e,
this.exceptionInterceptor);
} catch (CertificateException e) {
throw ExceptionFactory.createException(SSLParamsException.class,
"Could not load client" + this.keyStoreSettings.keyStoreType + " keystore from " + this.keyStoreSettings.keyStoreUrl, e,
this.exceptionInterceptor);
} catch (MalformedURLException e) {
throw ExceptionFactory.createException(SSLParamsException.class, this.keyStoreSettings.keyStoreUrl + " does not appear to be a valid URL.",
e, this.exceptionInterceptor);
} catch (IOException e) {
throw ExceptionFactory.createException(SSLParamsException.class,
"Cannot open " + this.keyStoreSettings.keyStoreUrl + " [" + e.getMessage() + "]", e, this.exceptionInterceptor);
} finally {
if (ksIS != null) {
try {
ksIS.close();
} catch (IOException e) {
// Can't close input stream, but the keystore can be properly initialized so there's no need to throw this exception.
}
}
}
}
InputStream trustStoreIS = null;
boolean x509TrustManagerFound = false;
try {
if (this.verifyServerCertificate) {
KeyStore trustKeyStore = null;
if (!StringUtils.isNullOrEmpty(this.trustStoreSettings.keyStoreUrl) && !StringUtils.isNullOrEmpty(this.trustStoreSettings.keyStoreType)) {
char[] trustStorePassword = this.trustStoreSettings.keyStorePassword == null ? null
: this.trustStoreSettings.keyStorePassword.toCharArray();
trustStoreIS = new URL(this.trustStoreSettings.keyStoreUrl).openStream();
trustKeyStore = StringUtils.isNullOrEmpty(this.keyStoreProvider) ? KeyStore.getInstance(this.trustStoreSettings.keyStoreType)
: KeyStore.getInstance(this.trustStoreSettings.keyStoreType, this.keyStoreProvider);
trustKeyStore.load(trustStoreIS, trustStorePassword);
}
if (trustKeyStore != null || this.fallbackToSystemTrustStore) {
tmf.init(trustKeyStore); // If trustKeyStore == null then the TrustManagerFactory is initialized with the system-wide truststore.
tms = tmf.getTrustManagers();
// Check if there are any X509TrustManagers and wrap original if not operating in FIPS compliant mode.
for (int i = 0; i < tms.length; i++) {
if (tms[i] instanceof X509TrustManager) {
x509TrustManagerFound = true;
if (!this.fipsCompliantJsse) {
tms[i] = new X509TrustManagerWrapper((X509TrustManager) tms[i]);
}
}
}
}
}
// If no other TrustManagers were found then add a single X509TrustManagerWrapper that just takes care of certificate expiration check.
if (tms.length == 0 && !this.fipsCompliantJsse) {
tms = new TrustManager[] { new X509TrustManagerWrapper() };
}
} catch (MalformedURLException e) {
throw ExceptionFactory.createException(SSLParamsException.class, this.trustStoreSettings.keyStoreUrl + " does not appear to be a valid URL.", e,
this.exceptionInterceptor);
} catch (NoSuchAlgorithmException e) {
throw ExceptionFactory.createException(SSLParamsException.class, "Unsupported keystore algorithm [" + e.getMessage() + "]", e,
this.exceptionInterceptor);
} catch (NoSuchProviderException e) {
throw ExceptionFactory.createException(SSLParamsException.class, "Specified KeyStore Provider is invalid. Ensure it is property registered.", e,
this.exceptionInterceptor);
} catch (KeyStoreException e) {
throw ExceptionFactory.createException(SSLParamsException.class, "Could not create KeyStore instance [" + e.getMessage() + "]", e,
this.exceptionInterceptor);
} catch (CertificateException e) {
throw ExceptionFactory.createException(SSLParamsException.class,
"Could not load trust" + this.trustStoreSettings.keyStoreType + " keystore from " + this.trustStoreSettings.keyStoreUrl, e,
this.exceptionInterceptor);
} catch (IOException e) {
throw ExceptionFactory.createException(SSLParamsException.class,
"Cannot open " + this.trustStoreSettings.keyStoreUrl + " [" + e.getMessage() + "]", e, this.exceptionInterceptor);
} finally {
if (trustStoreIS != null) {
try {
trustStoreIS.close();
} catch (IOException e) {
// Can't close input stream, but the keystore can be properly initialized so there's no need to throw this exception.
}
}
}
if (this.verifyServerCertificate && !x509TrustManagerFound) {
throw ExceptionFactory.createException(SSLParamsException.class,
"Failed setting up server certificate validation because no X.509 Trust Manager was found.", this.exceptionInterceptor);
}
try {
SSLContext sslContext = StringUtils.isNullOrEmpty(this.sslContextProvider) ? SSLContext.getInstance(SSL_CONTEXT_PROTOCOL)
: SSLContext.getInstance(SSL_CONTEXT_PROTOCOL, this.sslContextProvider);
sslContext.init(kms, tms, null);
return sslContext;
} catch (NoSuchAlgorithmException nsae) {
throw new SSLParamsException(SSL_CONTEXT_PROTOCOL + " is not a valid protocol.", nsae);
} catch (NoSuchProviderException e) {
throw ExceptionFactory.createException(SSLParamsException.class, "Specified SSLContext Provider is invalid. Ensure it is property registered.",
e, this.exceptionInterceptor);
} catch (KeyManagementException kme) {
throw new SSLParamsException("KeyManagementException: " + kme.getMessage(), kme);
}
}