Java SslProvider.JDK屬性代碼示例

private static SslProvider provider(NetworkSslConfig cfg) {
    switch (cfg.getProvider()) {
        case AUTO: {
            return OpenSsl.isAvailable() ? SslProvider.OPENSSL : SslProvider.JDK;
        }
        case JDK: {
            return SslProvider.JDK;
        }
        case OPEN_SSL: {
            return SslProvider.OPENSSL;
        }
        default: {
            throw new IllegalArgumentException("Unexpected SSL provider: " + cfg.getProvider());
        }
    }
}
 

/**
 * Creates a new SslContext object.
 *
 * @param cfg the cfg
 * @return the ssl context
 */
private synchronized SslContext createServerSslContext(IConfig cfg){
	SslContext ctx = null;
	try{
			SslProvider provider = OpenSsl.isAlpnSupported() ? SslProvider.OPENSSL : SslProvider.JDK;
			
			if(provider.equals(SslProvider.OPENSSL)){
				cfg.print("Using OpenSSL for network encryption.");
			}
			
			ctx = SslContextBuilder
					.forServer(new File(cfg.getCertFile()), new File(cfg.getKeyFile()), cfg.getKeyPassword())
					.sslProvider(provider)
					.build();
			
	}catch(Exception e){
		LOG.log(Level.SEVERE, null, e);
	}

	return ctx;
}
 

private SslContext getSslContext() {
    SslContext sslCtx = null;

    final SslProvider provider = OpenSsl.isAlpnSupported() ? SslProvider.OPENSSL : SslProvider.JDK;

    try {
        sslCtx = SslContextBuilder.forClient()
            .sslProvider(provider)
            .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
            .trustManager(InsecureTrustManagerFactory.INSTANCE)
            .applicationProtocolConfig(new ApplicationProtocolConfig(
                Protocol.ALPN,
                SelectorFailureBehavior.NO_ADVERTISE,
                SelectedListenerFailureBehavior.ACCEPT,
                ApplicationProtocolNames.HTTP_2))
            .build();
    } catch(SSLException exception) {
        return null;
    }

    return sslCtx;
}
 

public SslContext getSslContext() throws UnRetriableException{


        try {

            File certificateChainFile = getCertificateChainFile();
            File certificateKeyFile = getCertificateKeyFile();
            String keyPassword = getKeyPassword();

            SslProvider sslProvider;
            if(OpenSsl.isAvailable()) {
                sslProvider  = SslProvider.OPENSSL;
            }else{
                sslProvider  = SslProvider.JDK;
            }

            return SslContext.newServerContext(sslProvider, certificateChainFile, certificateKeyFile, keyPassword  );

        }catch (Exception e){
            log.error(" getSSLEngine : problems when trying to initiate secure protocals", e);
            throw new UnRetriableException(e);
        }
    }
 

/**
 * This method will provide netty ssl context which supports HTTP2 over TLS using
 * Application Layer Protocol Negotiation (ALPN)
 *
 * @return instance of {@link SslContext}
 * @throws SSLException if any error occurred during building SSL context.
 */
public SslContext createHttp2TLSContext() throws SSLException {

    // If listener configuration does not include cipher suites , default ciphers required by the HTTP/2
    // specification will be added.
    List<String> ciphers = sslConfig.getCipherSuites() != null && sslConfig.getCipherSuites().length > 0 ? Arrays
            .asList(sslConfig.getCipherSuites()) : Http2SecurityUtil.CIPHERS;
    SslProvider provider = OpenSsl.isAlpnSupported() ? SslProvider.OPENSSL : SslProvider.JDK;
    return SslContextBuilder.forServer(this.getKeyManagerFactory())
            .trustManager(this.getTrustStoreFactory())
            .sslProvider(provider)
            .ciphers(ciphers,
                    SupportedCipherSuiteFilter.INSTANCE)
            .clientAuth(needClientAuth ? ClientAuth.REQUIRE : ClientAuth.NONE)
            .applicationProtocolConfig(new ApplicationProtocolConfig(
                    ApplicationProtocolConfig.Protocol.ALPN,
                    // NO_ADVERTISE is currently the only mode supported by both OpenSsl and JDK providers.
                    ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
                    // ACCEPT is currently the only mode supported by both OpenSsl and JDK providers.
                    ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
                    ApplicationProtocolNames.HTTP_2,
                    ApplicationProtocolNames.HTTP_1_1)).build();
}
 

static SslContext build(final Config conf) throws IOException, CertificateException {
  String tmpdir = conf.getString("application.tmpdir");
  boolean http2 = conf.getBoolean("server.http2.enabled");
  File keyStoreCert = toFile(conf.getString("ssl.keystore.cert"), tmpdir);
  File keyStoreKey = toFile(conf.getString("ssl.keystore.key"), tmpdir);
  String keyStorePass = conf.hasPath("ssl.keystore.password")
      ? conf.getString("ssl.keystore.password") : null;
  SslContextBuilder scb = SslContextBuilder.forServer(keyStoreCert, keyStoreKey, keyStorePass);
  if (conf.hasPath("ssl.trust.cert")) {
    scb.trustManager(toFile(conf.getString("ssl.trust.cert"), tmpdir))
       .clientAuth(ClientAuth.REQUIRE);
  }
  if (http2) {
    SslProvider provider = OpenSsl.isAlpnSupported() ? SslProvider.OPENSSL : SslProvider.JDK;
    return scb.sslProvider(provider)
        .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
        .applicationProtocolConfig(new ApplicationProtocolConfig(
            Protocol.ALPN,
            SelectorFailureBehavior.NO_ADVERTISE,
            SelectedListenerFailureBehavior.ACCEPT,
            Arrays.asList(ApplicationProtocolNames.HTTP_2, ApplicationProtocolNames.HTTP_1_1)))
        .build();
  }
  return scb.build();
}
 

@Override
protected AbstractServerImplBuilder<?> getServerBuilder() {
  // Starts the server with HTTPS.
  try {
    SslProvider sslProvider = SslContext.defaultServerProvider();
    if (sslProvider == SslProvider.OPENSSL && !OpenSsl.isAlpnSupported()) {
      // OkHttp only supports Jetty ALPN on OpenJDK. So if OpenSSL doesn't support ALPN, then we
      // are forced to use Jetty ALPN for Netty instead of OpenSSL.
      sslProvider = SslProvider.JDK;
    }
    SslContextBuilder contextBuilder = SslContextBuilder
        .forServer(TestUtils.loadCert("server1.pem"), TestUtils.loadCert("server1.key"));
    GrpcSslContexts.configure(contextBuilder, sslProvider);
    contextBuilder.ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE);
    return NettyServerBuilder.forPort(0)
        .flowControlWindow(65 * 1024)
        .maxMessageSize(AbstractInteropTest.MAX_MESSAGE_SIZE)
        .sslContext(contextBuilder.build());
  } catch (IOException ex) {
    throw new RuntimeException(ex);
  }
}
 

@Before
public void setUp() throws NoSuchAlgorithmException {
  executor = Executors.newSingleThreadScheduledExecutor();
  if (sslProvider == SslProvider.OPENSSL) {
    Assume.assumeTrue(OpenSsl.isAvailable());
  }
  if (sslProvider == SslProvider.JDK) {
    Assume.assumeTrue(Arrays.asList(
        SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites())
        .contains("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"));
    try {
      GrpcSslContexts.configure(SslContextBuilder.forClient(), SslProvider.JDK);
    } catch (IllegalArgumentException ex) {
      Assume.assumeNoException("Jetty ALPN does not seem available", ex);
    }
  }
  clientContextBuilder = GrpcSslContexts.configure(SslContextBuilder.forClient(), sslProvider);
}
 

/**
 * Selects an SSL provider based on the availability of of an ALPN-capable native provider.
 *
 * @return an ALPN-capable native SSL provider if available, or else the JDK SSL provider
 */
public static SslProvider getSslProvider() {
    final SslProvider sslProvider;

    if (OpenSsl.isAvailable()) {
        if (OpenSsl.isAlpnSupported()) {
            log.info("Native SSL provider is available and supports ALPN; will use native provider.");
            sslProvider = SslProvider.OPENSSL_REFCNT;
        } else {
            log.info("Native SSL provider is available, but does not support ALPN; will use JDK SSL provider.");
            sslProvider = SslProvider.JDK;
        }
    } else {
        log.info("Native SSL provider not available; will use JDK SSL provider.");
        sslProvider = SslProvider.JDK;
    }

    return sslProvider;
}
 

private static SslContext createServerSslContext() {
    final SslProvider provider = SslProvider.JDK;

    try {
        // this is not good for production - just testing
        final SelfSignedCertificate ssc = new SelfSignedCertificate();
        return SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey()).sslProvider(provider).build();
    } catch (Exception ce) {
        throw new RuntimeException("Couldn't setup self-signed certificate for test");
    }
}
 

@Test
public void testSuccess_swappedInitializerWithSslHandler() throws Exception {
  SslClientInitializer<EmbeddedChannel> sslClientInitializer =
      new SslClientInitializer<>(SslProvider.JDK, (X509Certificate[]) null);
  EmbeddedChannel channel = new EmbeddedChannel();
  channel.attr(PROTOCOL_KEY).set(PROTOCOL);
  ChannelPipeline pipeline = channel.pipeline();
  pipeline.addLast(sslClientInitializer);
  ChannelHandler firstHandler = pipeline.first();
  assertThat(firstHandler.getClass()).isEqualTo(SslHandler.class);
  SslHandler sslHandler = (SslHandler) firstHandler;
  assertThat(sslHandler.engine().getPeerHost()).isEqualTo(SSL_HOST);
  assertThat(sslHandler.engine().getPeerPort()).isEqualTo(SSL_PORT);
  assertThat(channel.isActive()).isTrue();
}
 

@Test
public void testSuccess_protocolAttributeNotSet() {
  SslClientInitializer<EmbeddedChannel> sslClientInitializer =
      new SslClientInitializer<>(SslProvider.JDK, (X509Certificate[]) null);
  EmbeddedChannel channel = new EmbeddedChannel();
  ChannelPipeline pipeline = channel.pipeline();
  pipeline.addLast(sslClientInitializer);
  // Channel initializer swallows error thrown, and closes the connection.
  assertThat(channel.isActive()).isFalse();
}
 

@Test
public void testFailure_defaultTrustManager_rejectSelfSignedCert() throws Exception {
  SelfSignedCertificate ssc = new SelfSignedCertificate(SSL_HOST);
  LocalAddress localAddress = new LocalAddress("DEFAULT_TRUST_MANAGER_REJECT_SELF_SIGNED_CERT");
  Lock clientLock = new ReentrantLock();
  Lock serverLock = new ReentrantLock();
  ByteBuf buffer = Unpooled.buffer();
  Exception clientException = new Exception();
  Exception serverException = new Exception();
  EventLoopGroup eventLoopGroup =
      setUpServer(
          getServerInitializer(ssc.key(), ssc.cert(), serverLock, serverException), localAddress);
  SslClientInitializer<LocalChannel> sslClientInitializer =
      new SslClientInitializer<>(SslProvider.JDK, (X509Certificate[]) null);
  Channel channel =
      setUpClient(
          eventLoopGroup,
          getClientInitializer(sslClientInitializer, clientLock, buffer, clientException),
          localAddress,
          PROTOCOL);
  // Wait for handshake exception to throw.
  clientLock.lock();
  serverLock.lock();
  // The connection is now terminated, both the client side and the server side should get
  // exceptions (caught in the caughtException method in EchoHandler and DumpHandler,
  // respectively).
  assertThat(clientException).hasCauseThat().isInstanceOf(DecoderException.class);
  assertThat(clientException)
      .hasCauseThat()
      .hasCauseThat()
      .isInstanceOf(SSLHandshakeException.class);
  assertThat(serverException).hasCauseThat().isInstanceOf(DecoderException.class);
  assertThat(serverException).hasCauseThat().hasCauseThat().isInstanceOf(SSLException.class);
  assertThat(channel.isActive()).isFalse();

  Future<?> unusedFuture = eventLoopGroup.shutdownGracefully().syncUninterruptibly();
}
 

@Test
public void testSuccess_customTrustManager_acceptCertSignedByTrustedCa() throws Exception {
  LocalAddress localAddress =
      new LocalAddress("CUSTOM_TRUST_MANAGER_ACCEPT_CERT_SIGNED_BY_TRUSTED_CA");
  Lock clientLock = new ReentrantLock();
  Lock serverLock = new ReentrantLock();
  ByteBuf buffer = Unpooled.buffer();
  Exception clientException = new Exception();
  Exception serverException = new Exception();

  // Generate a new key pair.
  KeyPair keyPair = getKeyPair();

  // Generate a self signed certificate, and use it to sign the key pair.
  SelfSignedCertificate ssc = new SelfSignedCertificate();
  X509Certificate cert = signKeyPair(ssc, keyPair, SSL_HOST);

  // Set up the server to use the signed cert and private key to perform handshake;
  PrivateKey privateKey = keyPair.getPrivate();
  EventLoopGroup eventLoopGroup =
      setUpServer(
          getServerInitializer(privateKey, cert, serverLock, serverException), localAddress);

  // Set up the client to trust the self signed cert used to sign the cert that server provides.
  SslClientInitializer<LocalChannel> sslClientInitializer =
      new SslClientInitializer<>(SslProvider.JDK, ssc.cert());
  Channel channel =
      setUpClient(
          eventLoopGroup,
          getClientInitializer(sslClientInitializer, clientLock, buffer, clientException),
          localAddress,
          PROTOCOL);

  verifySslChannel(channel, ImmutableList.of(cert), clientLock, serverLock, buffer, SSL_HOST);

  Future<?> unusedFuture = eventLoopGroup.shutdownGracefully().syncUninterruptibly();
}
 

@Test
public void testSuccess_swappedInitializerWithSslHandler() throws Exception {
  SelfSignedCertificate ssc = new SelfSignedCertificate(SSL_HOST);
  SslServerInitializer<EmbeddedChannel> sslServerInitializer =
      new SslServerInitializer<>(SslProvider.JDK, ssc.key(), ssc.cert());
  EmbeddedChannel channel = new EmbeddedChannel();
  ChannelPipeline pipeline = channel.pipeline();
  pipeline.addLast(sslServerInitializer);
  ChannelHandler firstHandler = pipeline.first();
  assertThat(firstHandler.getClass()).isEqualTo(SslHandler.class);
  SslHandler sslHandler = (SslHandler) firstHandler;
  assertThat(sslHandler.engine().getNeedClientAuth()).isTrue();
  assertThat(channel.isActive()).isTrue();
}