Skip to content

O
Openfire
Commit c4773fd9 authored by Guus der Kinderen's avatar Guus der Kinderen
Browse files
Options

Configuration representation should not include factory methods.

parent 3c1a4efd
Hide whitespace changes
Inline Side-by-side
Showing with 344 additions and 296 deletions
src/java/org/jivesoftware/openfire/container/AdminConsolePlugin.java
View file @ c4773fd9
......@@ -47,11 +47,11 @@ import org.eclipse.jetty.util.thread.QueuedThreadPool;
import org.eclipse.jetty.webapp.WebAppContext;
import org.jivesoftware.openfire.JMXManager;
import org.jivesoftware.openfire.XMPPServer;
import org.jivesoftware.openfire.keystore.CertificateStoreManager;
import org.jivesoftware.openfire.keystore.IdentityStore;
import org.jivesoftware.openfire.spi.ConnectionConfiguration;
import org.jivesoftware.openfire.spi.ConnectionManagerImpl;
import org.jivesoftware.openfire.spi.ConnectionType;
import org.jivesoftware.openfire.spi.EncryptionArtifactFactory;
import org.jivesoftware.util.CertificateEventListener;
import org.jivesoftware.util.CertificateManager;
import org.jivesoftware.util.JiveGlobals;
......@@ -157,7 +157,7 @@ public class AdminConsolePlugin implements Plugin {
final ConnectionManagerImpl connectionManager = ( (ConnectionManagerImpl) XMPPServer.getInstance().getConnectionManager() );
final ConnectionConfiguration configuration = connectionManager.getConfiguration( ConnectionType.WEBADMIN, true );
final SslContextFactory sslContextFactory = configuration.getSslContextFactory();
final SslContextFactory sslContextFactory = new EncryptionArtifactFactory( configuration ).getSslContextFactory();
final ServerConnector httpsConnector;
if ( "npn".equals( JiveGlobals.getXMLProperty( "spdy.protocol", "" ) ) )
......
src/java/org/jivesoftware/openfire/http/HttpBindManager.java
View file @ c4773fd9
......@@ -64,6 +64,7 @@ import org.jivesoftware.openfire.session.ConnectionSettings;
import org.jivesoftware.openfire.spi.ConnectionConfiguration;
import org.jivesoftware.openfire.spi.ConnectionManagerImpl;
import org.jivesoftware.openfire.spi.ConnectionType;
import org.jivesoftware.openfire.spi.EncryptionArtifactFactory;
import org.jivesoftware.util.CertificateEventListener;
import org.jivesoftware.util.CertificateManager;
import org.jivesoftware.util.JiveGlobals;
......@@ -258,7 +259,7 @@ public final class HttpBindManager {
final ConnectionManagerImpl connectionManager = ((ConnectionManagerImpl) XMPPServer.getInstance().getConnectionManager());
final ConnectionConfiguration configuration = connectionManager.getConfiguration( ConnectionType.BOSH_C2S, true );
final SslContextFactory sslContextFactory = configuration.getSslContextFactory();
final SslContextFactory sslContextFactory = new EncryptionArtifactFactory(configuration).getSslContextFactory();
final HttpConfiguration httpsConfig = new HttpConfiguration();
httpsConfig.setSecureScheme("https");
......
src/java/org/jivesoftware/openfire/net/TLSWrapper.java
View file @ c4773fd9
......@@ -33,6 +33,7 @@ import javax.net.ssl.SSLEngineResult.Status;
import org.jivesoftware.openfire.Connection;
import org.jivesoftware.openfire.spi.ConnectionConfiguration;
import org.jivesoftware.openfire.spi.ConnectionType;
import org.jivesoftware.openfire.spi.EncryptionArtifactFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
......@@ -75,14 +76,15 @@ public class TLSWrapper {
try
{
final EncryptionArtifactFactory factory = new EncryptionArtifactFactory( configuration );
final SSLEngine sslEngine;
if ( clientMode )
{
sslEngine = configuration.createClientModeSSLEngine();
sslEngine = factory.createClientModeSSLEngine();
}
else
{
sslEngine = configuration.createServerModeSSLEngine();
sslEngine = factory .createServerModeSSLEngine();
}
final SSLSession sslSession = sslEngine.getSession();
......
src/java/org/jivesoftware/openfire/nio/NIOConnection.java
View file @ c4773fd9
......@@ -54,6 +54,7 @@ import org.jivesoftware.openfire.session.LocalSession;
import org.jivesoftware.openfire.session.Session;
import org.jivesoftware.openfire.spi.ConnectionConfiguration;
import org.jivesoftware.openfire.spi.ConnectionType;
import org.jivesoftware.openfire.spi.EncryptionArtifactFactory;
import org.jivesoftware.util.XMLWriter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
......@@ -373,14 +374,15 @@ public class NIOConnection implements Connection {
public void startTLS(boolean clientMode) throws Exception {
final EncryptionArtifactFactory factory = new EncryptionArtifactFactory( configuration );
final SslFilter filter;
if ( clientMode )
{
filter = configuration.createClientModeSslFilter();
filter = factory.createClientModeSslFilter();
}
else
{
filter = configuration.createServerModeSslFilter();
filter = factory.createServerModeSslFilter();
}
ioSession.getFilterChain().addBefore(EXECUTOR_FILTER_NAME, TLS_FILTER_NAME, filter);
......
src/java/org/jivesoftware/openfire/spi/ConnectionAcceptor.java
View file @ c4773fd9
......@@ -48,6 +48,8 @@ class ConnectionAcceptor
// Configuration
private final ConnectionConfiguration configuration;
private final EncryptionArtifactFactory encryptionArtifactFactory;
private NioSocketAcceptor socketAcceptor;
/**
......@@ -61,6 +63,7 @@ class ConnectionAcceptor
}
this.configuration = configuration;
this.encryptionArtifactFactory = new EncryptionArtifactFactory( configuration );
this.name = configuration.getType().toString().toLowerCase() + ( configuration.getTlsPolicy() == Connection.TLSPolicy.legacyMode ? "_ssl" : "" );
Log = LoggerFactory.getLogger( ConnectionAcceptor.class.getName() + "[" + name + "]" );
......@@ -132,7 +135,7 @@ class ConnectionAcceptor
// Ports can be configured to start connections in SSL (as opposed to upgrade a non-encrypted socket to an encrypted one, typically using StartTLS)
if ( configuration.getTlsPolicy() == Connection.TLSPolicy.legacyMode )
{
final SslFilter sslFilter = configuration.createServerModeSslFilter();
final SslFilter sslFilter = encryptionArtifactFactory.createServerModeSslFilter();
filterChain.addAfter( ConnectionManagerImpl.EXECUTOR_FILTER_NAME, ConnectionManagerImpl.TLS_FILTER_NAME, sslFilter );
}
......
src/java/org/jivesoftware/openfire/spi/ConnectionConfiguration.java
View file @ c4773fd9
......@@ -22,7 +22,6 @@ import java.util.*;
*/
public class ConnectionConfiguration
{
private final Logger Log;
private final boolean enabled;
private final ConnectionType type;
private final int maxThreadPoolSize;
......@@ -44,291 +43,6 @@ public class ConnectionConfiguration
private final IdentityStore identityStore;
private final TrustStore trustStore;
// derived & lazy loaded factory objects. These re-usable objects should be lazy loaded, preventing initialization in configurations where they're never going to be used.
private transient KeyManagerFactory keyManagerFactory;
private transient SSLContext sslContext;
private transient SslContextFactory sslContextFactory;
public synchronized KeyManager[] getKeyManagers() throws UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException
{
try
{
if ( keyManagerFactory == null )
{
keyManagerFactory = KeyManagerFactory.getInstance( KeyManagerFactory.getDefaultAlgorithm() );
keyManagerFactory.init( getIdentityStore().getStore(), identityStoreConfiguration.getPassword() );
}
return keyManagerFactory.getKeyManagers();
}
catch ( UnrecoverableKeyException | NoSuchAlgorithmException | KeyStoreException | RuntimeException ex )
{
// Allow initialization to restart upon next iteration.
keyManagerFactory = null;
throw ex;
}
}
public synchronized TrustManager[] getTrustManagers() throws KeyStoreException, NoSuchAlgorithmException
{
return new TrustManager[] { new OpenfireX509TrustManager( trustStore.getStore(), isAcceptSelfSignedCertificates(), isVerifyCertificateValidity() ) };
}
public synchronized SSLContext getSSLContext( ) throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException
{
if ( sslContext == null )
{
sslContext = SSLContext.getInstance( "TLSv1" );
try
{
sslContext.init( getKeyManagers(), getTrustManagers(), new SecureRandom() );
}
catch ( UnrecoverableKeyException | RuntimeException ex )
{
// Allow initialization to restart upon next iteration.
sslContext = null;
throw ex;
}
}
return sslContext;
}
/**
* A utility method that implements the shared functionality of getClientModeSSLEngine and getServerModeSSLEngine.
*
* This method is used to initialize and pre-configure an instance of SSLEngine for a particular connection type.
* The returned value lacks further configuration. In most cases, developers will want to use getClientModeSSLEngine
* or getServerModeSSLEngine instead of this method.
*
* @return A new pre-configured SSLEngine instance (never null).
*/
private SSLEngine createSSLEngine( ) throws UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException
{
final SSLContext sslContext = getSSLContext();
final SSLEngine sslEngine = sslContext.createSSLEngine();
// Configure protocol support.
final Set<String> protocolsEnabled = getEncryptionProtocolsEnabled();
if ( !protocolsEnabled.isEmpty() )
{
// When an explicit list of enabled protocols is defined, use only those.
sslEngine.setEnabledProtocols( protocolsEnabled.toArray( new String[ protocolsEnabled.size() ] ) );
}
else
{
// Otherwise, use all supported protocols (except for the ones that are explicitly disabled).
final Set<String> disabled = getEncryptionProtocolsDisabled();
final ArrayList<String> supported = new ArrayList<>();
for ( final String candidate : sslEngine.getSupportedProtocols() )
{
if ( !disabled.contains( candidate ) )
{
supported.add( candidate );
}
}
sslEngine.setEnabledProtocols( supported.toArray( new String[ supported.size()] ) );
}
// Configure cipher suite support.
final Set<String> cipherSuitesEnabled = getCipherSuitesEnabled();
if ( !cipherSuitesEnabled.isEmpty() )
{
// When an explicit list of enabled protocols is defined, use only those.
sslEngine.setEnabledCipherSuites( cipherSuitesEnabled.toArray( new String[ cipherSuitesEnabled.size() ] ) );
}
else
{
// Otherwise, use all supported cipher suites (except for the ones that are explicitly disabled).
final Set<String> disabled = getCipherSuitesDisabled();
final ArrayList<String> supported = new ArrayList<>();
for ( final String candidate : sslEngine.getSupportedCipherSuites() )
{
if ( !disabled.contains( candidate ) )
{
supported.add( candidate );
}
}
sslEngine.setEnabledCipherSuites( supported.toArray( new String[ supported.size() ] ) );
}
// TODO: Set policy for checking client certificates
return sslEngine;
}
/**
* Creates a new SSL Engine that is configured to use server mode when handshaking.
*
* For Openfire, an engine is of this mode used for most purposes (as Openfire is a server by nature).
*
* @return A new, initialized SSLEngine instance (never null).
*/
public SSLEngine createServerModeSSLEngine() throws UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException
{
final SSLEngine sslEngine = createSSLEngine();
sslEngine.setUseClientMode( false );
switch ( getClientAuth() )
{
case needed:
sslEngine.setNeedClientAuth( true );
break;
case wanted:
sslEngine.setWantClientAuth( true );
break;
case disabled:
sslEngine.setWantClientAuth( false );
break;
}
return sslEngine;
}
/**
* Creates an SSL Engine that is configured to use client mode when handshaking.
*
* For Openfire, an engine of this mode is typically used when the server tries to connect to another server.
*
* @return An initialized SSLEngine instance (never null).
*/
public SSLEngine createClientModeSSLEngine( ) throws UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException
{
final SSLEngine sslEngine = createSSLEngine();
sslEngine.setUseClientMode( true );
return sslEngine;
}
public synchronized SslContextFactory getSslContextFactory()
{
if ( sslContextFactory != null )
{
return sslContextFactory;
}
Log.info( "Creating new SslContextFactory instance" );
try
{
sslContextFactory = new SslContextFactory();
sslContextFactory.setTrustStore( trustStore.getStore() );
sslContextFactory.setTrustStorePassword( new String( trustStoreConfiguration.getPassword() ) );
sslContextFactory.setKeyStore( identityStore.getStore() );
sslContextFactory.setKeyStorePassword( new String( identityStoreConfiguration.getPassword() ) );
// Configure protocol support
if ( getEncryptionProtocolsEnabled() != null && !getEncryptionProtocolsEnabled().isEmpty() )
{
sslContextFactory.setIncludeProtocols( getEncryptionProtocolsEnabled().toArray( new String[ getEncryptionProtocolsEnabled().size() ] ) );
}
sslContextFactory.setExcludeProtocols( getEncryptionProtocolsDisabled().toArray( new String[ getEncryptionProtocolsDisabled().size() ] ) );
// Configure cipher suite support.
if ( getCipherSuitesEnabled() != null && !getCipherSuitesEnabled().isEmpty() )
{
sslContextFactory.setIncludeCipherSuites( getCipherSuitesEnabled().toArray( new String[ getCipherSuitesEnabled().size() ] ) );
}
sslContextFactory.setExcludeCipherSuites( getCipherSuitesDisabled().toArray( new String[ getCipherSuitesDisabled().size() ] ) );
//Set policy for checking client certificates
switch ( clientAuth )
{
case disabled:
sslContextFactory.setNeedClientAuth( false );
sslContextFactory.setWantClientAuth( false );
break;
case wanted:
sslContextFactory.setNeedClientAuth( false );
sslContextFactory.setWantClientAuth( true );
break;
case needed:
sslContextFactory.setNeedClientAuth( true );
break;
}
return sslContextFactory;
}
catch ( RuntimeException ex )
{
// Allow initialization to restart upon next iteration.
sslContextFactory = null;
throw ex;
}
}
/**
* Creates an Apache MINA SslFilter that is configured to use server mode when handshaking.
*
* For Openfire, an engine is of this mode used for most purposes (as Openfire is a server by nature).
*
* Instead of an SSLContext or SSLEngine, Apache MINA uses an SslFilter instance. It is generally not needed to
* create both SSLContext/SSLEngine as well as SslFilter instances.
*
* @return An initialized SslFilter instance (never null)
*/
public SslFilter createServerModeSslFilter() throws KeyManagementException, NoSuchAlgorithmException, KeyStoreException, UnrecoverableKeyException
{
final SSLContext sslContext = getSSLContext();
final SSLEngine sslEngine = createServerModeSSLEngine();
return createSslFilter( sslContext, sslEngine );
}
/**
* Creates an Apache MINA SslFilter that is configured to use client mode when handshaking.
*
* For Openfire, a filter of this mode is typically used when the server tries to connect to another server.
*
* Instead of an SSLContext or SSLEngine, Apache MINA uses an SslFilter instance. It is generally not needed to
* create both SSLContext/SSLEngine as well as SslFilter instances.
*
* @return An initialized SslFilter instance (never null)
*/
public SslFilter createClientModeSslFilter() throws KeyManagementException, NoSuchAlgorithmException, KeyStoreException, UnrecoverableKeyException
{
final SSLContext sslContext = getSSLContext();
final SSLEngine sslEngine = createClientModeSSLEngine();
return createSslFilter( sslContext, sslEngine );
}
/**
* A utility method that implements the shared functionality of getServerModeSslFilter and getClientModeSslFilter.
*
* This method is used to initialize and configure an instance of SslFilter for a particular pre-configured
* SSLContext and SSLEngine. In most cases, developers will want to use getServerModeSslFilter or
* getClientModeSslFilter instead of this method.
*
* @param sslContext a pre-configured SSL Context instance (cannot be null).
* @param sslEngine a pre-configured SSL Engine instance (cannot be null).
* @return A SslFilter instance (never null).
*/
private static SslFilter createSslFilter( SSLContext sslContext, SSLEngine sslEngine ) {
final SslFilter filter = new SslFilter( sslContext );
// Copy configuration from the SSL Engine into the filter.
filter.setUseClientMode( sslEngine.getUseClientMode() );
filter.setEnabledProtocols( sslEngine.getEnabledProtocols() );
filter.setEnabledCipherSuites( sslEngine.getEnabledCipherSuites() );
// Note that the setters for 'need' and 'want' influence each-other. Invoke only one of them!
if ( sslEngine.getNeedClientAuth() )
{
filter.setNeedClientAuth( true );
}
else if ( sslEngine.getWantClientAuth() )
{
filter.setWantClientAuth( true );
}
return filter;
}
/**
* @param type
* @param enabled
......@@ -379,8 +93,6 @@ public class ConnectionConfiguration
final CertificateStoreManager certificateStoreManager = XMPPServer.getInstance().getCertificateStoreManager();
this.identityStore = certificateStoreManager.getIdentityStore( type );
this.trustStore = certificateStoreManager.getTrustStore( type );
this.Log = LoggerFactory.getLogger( this.getClass().getName() + "["+port+"-"+type+"]" );
}
public Connection.TLSPolicy getTlsPolicy()
......
src/java/org/jivesoftware/openfire/spi/EncryptionArtifactFactory.java 0 → 100644
View file @ c4773fd9
package org.jivesoftware.openfire.spi;
import org.apache.mina.filter.ssl.SslFilter;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.jivesoftware.openfire.keystore.OpenfireX509TrustManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import javax.net.ssl.*;
import java.security.*;
import java.util.ArrayList;
import java.util.Set;
/**
* Instances of this class will be able to generate various encryption-related artifacts based on a specific connection
* configuration.
*
* This implementation intends to centralize the implementation for generating the artifacts produced, which in earlier
* versions of the code-base was scattered (and duplicated) over various connection-type-specific implementations.
*
* @author Guus der Kinderen, guus.der.kinderen@gmail.com
*/
public class EncryptionArtifactFactory
{
private final Logger Log = LoggerFactory.getLogger( EncryptionArtifactFactory.class );
private final ConnectionConfiguration configuration;
// lazy loaded factory objects. These re-usable objects should be lazy loaded, preventing initialization in situations where they're never going to be used.
private transient KeyManagerFactory keyManagerFactory;
private transient SslContextFactory sslContextFactory;
/**
* Creates a new instance of the factory.
*
* @param configuration the configuration for which this factory generates artifacts (cannot be null).
*/
public EncryptionArtifactFactory( ConnectionConfiguration configuration )
{
if ( configuration == null ) {
throw new IllegalArgumentException( "Argument 'configuration' cannot be null" );
}
this.configuration = configuration;
}
/**
* Generates KeyManager instances suitable for connections that are created based on a particular configuration.
*
* @return KeyManagers applicable to a connection that is established using the provided configuration.
*/
public synchronized KeyManager[] getKeyManagers() throws UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException
{
try
{
if ( keyManagerFactory == null )
{
keyManagerFactory = KeyManagerFactory.getInstance( KeyManagerFactory.getDefaultAlgorithm() );
keyManagerFactory.init( configuration.getIdentityStore().getStore(), configuration.getIdentityStoreConfiguration().getPassword() );
}
return keyManagerFactory.getKeyManagers();
}
catch ( UnrecoverableKeyException | NoSuchAlgorithmException | KeyStoreException | RuntimeException ex )
{
// Allow initialization to restart upon next iteration.
keyManagerFactory = null;
throw ex;
}
}
/**
* Generates KeyManager instances suitable for connections that are created based on a particular configuration.
*
* @return TrustManagers applicable to a connection that is established using the provided configuration.
*/
public synchronized TrustManager[] getTrustManagers() throws KeyStoreException, NoSuchAlgorithmException
{
return new TrustManager[] {
new OpenfireX509TrustManager( configuration.getTrustStore().getStore(), configuration.isAcceptSelfSignedCertificates(), configuration.isVerifyCertificateValidity() )
};
}
/**
* Generates a new, initialized SSLContext instance that is suitable for connections that are created based on a
* particular configuration.
*
* @return TrustManagers applicable to a connection that is established using the provided configuration.
*/
public synchronized SSLContext getSSLContext() throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException
{
final SSLContext sslContext = SSLContext.getInstance( "TLSv1" );
sslContext.init( getKeyManagers(), getTrustManagers(), new SecureRandom() );
return sslContext;
}
/**
* A utility method that implements the shared functionality of getClientModeSSLEngine and getServerModeSSLEngine.
*
* This method is used to initialize and pre-configure an instance of SSLEngine for a particular connection type.
* The returned value lacks further configuration. In most cases, developers will want to use getClientModeSSLEngine
* or getServerModeSSLEngine instead of this method.
*
* @return A new pre-configured SSLEngine instance (never null).
*/
private SSLEngine createSSLEngine() throws UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException
{
final SSLContext sslContext = getSSLContext();
final SSLEngine sslEngine = sslContext.createSSLEngine();
// Configure protocol support.
final Set<String> protocolsEnabled = configuration.getEncryptionProtocolsEnabled();
if ( !protocolsEnabled.isEmpty() )
{
// When an explicit list of enabled protocols is defined, use only those.
sslEngine.setEnabledProtocols( protocolsEnabled.toArray( new String[ protocolsEnabled.size() ] ) );
}
else
{
// Otherwise, use all supported protocols (except for the ones that are explicitly disabled).
final Set<String> disabled = configuration.getEncryptionProtocolsDisabled();
final ArrayList<String> supported = new ArrayList<>();
for ( final String candidate : sslEngine.getSupportedProtocols() )
{
if ( !disabled.contains( candidate ) )
{
supported.add( candidate );
}
}
sslEngine.setEnabledProtocols( supported.toArray( new String[ supported.size()] ) );
}
// Configure cipher suite support.
final Set<String> cipherSuitesEnabled = configuration.getCipherSuitesEnabled();
if ( !cipherSuitesEnabled.isEmpty() )
{
// When an explicit list of enabled protocols is defined, use only those.
sslEngine.setEnabledCipherSuites( cipherSuitesEnabled.toArray( new String[ cipherSuitesEnabled.size() ] ) );
}
else
{
// Otherwise, use all supported cipher suites (except for the ones that are explicitly disabled).
final Set<String> disabled = configuration.getCipherSuitesDisabled();
final ArrayList<String> supported = new ArrayList<>();
for ( final String candidate : sslEngine.getSupportedCipherSuites() )
{
if ( !disabled.contains( candidate ) )
{
supported.add( candidate );
}
}
sslEngine.setEnabledCipherSuites( supported.toArray( new String[ supported.size() ] ) );
}
return sslEngine;
}
/**
* Creates a new SSL Engine that is configured to use server mode when handshaking.
*
* For Openfire, an engine is of this mode used for most purposes (as Openfire is a server by nature).
*
* @return A new, initialized SSLEngine instance (never null).
*/
public SSLEngine createServerModeSSLEngine() throws UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException
{
final SSLEngine sslEngine = createSSLEngine( );
sslEngine.setUseClientMode( false );
switch ( configuration.getClientAuth() )
{
case needed:
sslEngine.setNeedClientAuth( true );
break;
case wanted:
sslEngine.setWantClientAuth( true );
break;
case disabled:
sslEngine.setWantClientAuth( false );
break;
}
return sslEngine;
}
/**
* Creates an SSL Engine that is configured to use client mode when handshaking.
*
* For Openfire, an engine of this mode is typically used when the server tries to connect to another server.
*
* @return An initialized SSLEngine instance (never null).
*/
public SSLEngine createClientModeSSLEngine() throws UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException
{
final SSLEngine sslEngine = createSSLEngine( );
sslEngine.setUseClientMode( true );
return sslEngine;
}
public synchronized SslContextFactory getSslContextFactory()
{
if ( sslContextFactory != null )
{
return sslContextFactory;
}
Log.info( "Creating new SslContextFactory instance" );
try
{
sslContextFactory = new SslContextFactory();
sslContextFactory.setTrustStore( configuration.getTrustStore().getStore() );
sslContextFactory.setTrustStorePassword( new String( configuration.getTrustStore().getConfiguration().getPassword() ) );
sslContextFactory.setKeyStore( configuration.getIdentityStore().getStore() );
sslContextFactory.setKeyStorePassword( new String( configuration.getIdentityStore().getConfiguration().getPassword() ) );
// Configure protocol support
if ( configuration.getEncryptionProtocolsEnabled() != null && !configuration.getEncryptionProtocolsEnabled().isEmpty() )
{
sslContextFactory.setIncludeProtocols( configuration.getEncryptionProtocolsEnabled().toArray( new String[ configuration.getEncryptionProtocolsEnabled().size() ] ) );
}
sslContextFactory.setExcludeProtocols( configuration.getEncryptionProtocolsDisabled().toArray( new String[ configuration.getEncryptionProtocolsDisabled().size() ] ) );
// Configure cipher suite support.
if ( configuration.getCipherSuitesEnabled() != null && !configuration.getCipherSuitesEnabled().isEmpty() )
{
sslContextFactory.setIncludeCipherSuites( configuration.getCipherSuitesEnabled().toArray( new String[ configuration.getCipherSuitesEnabled().size() ] ) );
}
sslContextFactory.setExcludeCipherSuites( configuration.getCipherSuitesDisabled().toArray( new String[ configuration.getCipherSuitesDisabled().size() ] ) );
//Set policy for checking client certificates
switch ( configuration.getClientAuth() )
{
case disabled:
sslContextFactory.setNeedClientAuth( false );
sslContextFactory.setWantClientAuth( false );
break;
case wanted:
sslContextFactory.setNeedClientAuth( false );
sslContextFactory.setWantClientAuth( true );
break;
case needed:
sslContextFactory.setNeedClientAuth( true );
break;
}
return sslContextFactory;
}
catch ( RuntimeException ex )
{
// Allow initialization to restart upon next iteration.
sslContextFactory = null;
throw ex;
}
}
/**
* Creates an Apache MINA SslFilter that is configured to use server mode when handshaking.
*
* For Openfire, an engine is of this mode used for most purposes (as Openfire is a server by nature).
*
* Instead of an SSLContext or SSLEngine, Apache MINA uses an SslFilter instance. It is generally not needed to
* create both SSLContext/SSLEngine as well as SslFilter instances.
*
* @return An initialized SslFilter instance (never null)
*/
public SslFilter createServerModeSslFilter() throws KeyManagementException, NoSuchAlgorithmException, KeyStoreException, UnrecoverableKeyException
{
final SSLContext sslContext = getSSLContext();
final SSLEngine sslEngine = createServerModeSSLEngine();
return createSslFilter( sslContext, sslEngine );
}
/**
* Creates an Apache MINA SslFilter that is configured to use client mode when handshaking.
*
* For Openfire, a filter of this mode is typically used when the server tries to connect to another server.
*
* Instead of an SSLContext or SSLEngine, Apache MINA uses an SslFilter instance. It is generally not needed to
* create both SSLContext/SSLEngine as well as SslFilter instances.
*
* @return An initialized SslFilter instance (never null)
*/
public SslFilter createClientModeSslFilter() throws KeyManagementException, NoSuchAlgorithmException, KeyStoreException, UnrecoverableKeyException
{
final SSLContext sslContext = getSSLContext();
final SSLEngine sslEngine = createClientModeSSLEngine();
return createSslFilter( sslContext, sslEngine );
}
/**
* A utility method that implements the shared functionality of getServerModeSslFilter and getClientModeSslFilter.
*
* This method is used to initialize and configure an instance of SslFilter for a particular pre-configured
* SSLContext and SSLEngine. In most cases, developers will want to use getServerModeSslFilter or
* getClientModeSslFilter instead of this method.
*
* @param sslContext a pre-configured SSL Context instance (cannot be null).
* @param sslEngine a pre-configured SSL Engine instance (cannot be null).
* @return A SslFilter instance (never null).
*/
private static SslFilter createSslFilter( SSLContext sslContext, SSLEngine sslEngine ) {
final SslFilter filter = new SslFilter( sslContext );
// Copy configuration from the SSL Engine into the filter.
filter.setUseClientMode( sslEngine.getUseClientMode() );
filter.setEnabledProtocols( sslEngine.getEnabledProtocols() );
filter.setEnabledCipherSuites( sslEngine.getEnabledCipherSuites() );
// Note that the setters for 'need' and 'want' influence each-other. Invoke only one of them!
if ( sslEngine.getNeedClientAuth() )
{
filter.setNeedClientAuth( true );
}
else if ( sslEngine.getWantClientAuth() )
{
filter.setWantClientAuth( true );
}
return filter;
}
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment

Technounit-GROUP 2023