org.apache.tomcat.util.net.jsse: public class: JSSE14SocketFactory

org.apache.tomcat.util.net.jsse
public class: JSSE14SocketFactory [javadoc | source]

java.lang.Object
   org.apache.tomcat.util.net.ServerSocketFactory
      org.apache.tomcat.util.net.jsse.JSSESocketFactory
         org.apache.tomcat.util.net.jsse.JSSE14SocketFactory

All Implemented Interfaces:
Cloneable

Direct Known Subclasses:
JSSE15SocketFactory

SSL server socket factory. It _requires_ a valid RSA key and JSSE.

author: Harish - Prabandham

author: Costin - Manolache

author: Stefan - Freyr Stefansson

author: EKR - -- renamed to JSSESocketFactory

author: Jan - Luehe

Fields inherited from org.apache.tomcat.util.net.jsse.JSSESocketFactory:
defaultProtocol, defaultClientAuth, defaultKeystoreType, log, initialized, clientAuth, sslProxy, enabledCiphers, allowUnsafeLegacyRenegotiation, requireClientAuth, wantClientAuth

Fields inherited from org.apache.tomcat.util.net.ServerSocketFactory:
attributes

Constructor:
public JSSE14SocketFactory() { }

Method from org.apache.tomcat.util.net.jsse.JSSE14SocketFactory Summary:
getCRLs, getEnabledProtocols, getKeyManagers, getParameters, getTrustManagers, init, setEnabledProtocols

Methods from org.apache.tomcat.util.net.jsse.JSSESocketFactory:
acceptSocket, configureClientAuth, configureClientAuth, createSocket, createSocket, createSocket, getCRLs, getEnabledCiphers, getEnabledProtocols, getKeyManagers, getKeystore, getKeystorePassword, getParameters, getTrustManagers, getTrustStore, handshake, init, setEnabledProtocols

Methods from org.apache.tomcat.util.net.ServerSocketFactory:
acceptSocket, createSocket, createSocket, createSocket, getDefault, handshake, initSocket, setAttribute

Methods from java.lang.Object:
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method from org.apache.tomcat.util.net.jsse.JSSE14SocketFactory Detail:
protected Collection<CRL> getCRLs(String crlf) throws IOException, CRLException, CertificateException { File crlFile = new File(crlf); if (!crlFile.isAbsolute()) { crlFile = new File(System.getProperty("catalina.base"), crlf); } Collection< ? extends CRL > crls = null; InputStream is = null; try { CertificateFactory cf = CertificateFactory.getInstance("X.509"); is = new FileInputStream(crlFile); crls = cf.generateCRLs(is); } catch(IOException iex) { throw iex; } catch(CRLException crle) { throw crle; } catch(CertificateException ce) { throw ce; } finally { if (is != null) { try { is.close(); } catch (Exception ex) { } } } return crls; } Load the collection of CRLs.
protected String[] getEnabledProtocols(SSLServerSocket socket, String requestedProtocols) { String[] supportedProtocols = socket.getSupportedProtocols(); String[] enabledProtocols = null; if (requestedProtocols != null) { Vector vec = null; String protocol = requestedProtocols; int index = requestedProtocols.indexOf(','); if (index != -1) { int fromIndex = 0; while (index != -1) { protocol = requestedProtocols.substring(fromIndex, index).trim(); if (protocol.length() > 0) { /* * Check to see if the requested protocol is among the * supported protocols, i.e., may be enabled / for (int i=0; supportedProtocols != null && i< supportedProtocols.length; i++) { if (supportedProtocols[i].equals(protocol)) { if (vec == null) { vec = new Vector(); } vec.addElement(protocol); break; } } } fromIndex = index+1; index = requestedProtocols.indexOf(',', fromIndex); } // while protocol = requestedProtocols.substring(fromIndex); } if (protocol != null) { protocol = protocol.trim(); if (protocol.length() > 0) { / * Check to see if the requested protocol is among the * supported protocols, i.e., may be enabled */ for (int i=0; supportedProtocols != null && i< supportedProtocols.length; i++) { if (supportedProtocols[i].equals(protocol)) { if (vec == null) { vec = new Vector(); } vec.addElement(protocol); break; } } } } if (vec != null) { enabledProtocols = new String[vec.size()]; vec.copyInto(enabledProtocols); } } return enabledProtocols; }
protected KeyManager[] getKeyManagers(String algorithm, String keyAlias) throws Exception { KeyManager[] kms = null; String keystorePass = getKeystorePassword(); KeyStore ks = getKeystore(keystorePass); if (keyAlias != null && !ks.isKeyEntry(keyAlias)) { throw new IOException(sm.getString("jsse.alias_no_key_entry", keyAlias)); } KeyManagerFactory kmf = KeyManagerFactory.getInstance(algorithm); kmf.init(ks, keystorePass.toCharArray()); kms = kmf.getKeyManagers(); if (keyAlias != null) { // START SJSAS 6266949 /* if (JSSESocketFactory.defaultKeystoreType.equals(keystoreType)) { keyAlias = keyAlias.toLowerCase(); } */ //END SJSAS 6266949 for(int i=0; i< kms.length; i++) { kms[i] = new JSSEKeyManager((X509KeyManager)kms[i], keyAlias); } } return kms; } Gets the initialized key managers.
protected CertPathParameters getParameters(String algorithm, String crlf, KeyStore trustStore) throws Exception { CertPathParameters params = null; if ("PKIX".equalsIgnoreCase(algorithm)) { PKIXBuilderParameters xparams = new PKIXBuilderParameters(trustStore, new X509CertSelector()); Collection crls = getCRLs(crlf); CertStoreParameters csp = new CollectionCertStoreParameters(crls); CertStore store = CertStore.getInstance("Collection", csp); xparams.addCertStore(store); xparams.setRevocationEnabled(true); String trustLength = (String)attributes.get("trustMaxCertLength"); if (trustLength != null) { try { xparams.setMaxPathLength(Integer.parseInt(trustLength)); } catch(Exception ex) { log.warn("Bad maxCertLength: " + trustLength); } } params = xparams; } else { throw new CRLException("CRLs not supported for type: " + algorithm); } return params; } Return the initialization parameters for the TrustManager. Currently, only the default `PKIX` is supported.
protected TrustManager[] getTrustManagers(String algorithm) throws Exception { String crlf = (String) attributes.get("crlFile"); TrustManager[] tms = null; KeyStore trustStore = getTrustStore(); if (trustStore != null) { if (crlf == null) { TrustManagerFactory tmf = TrustManagerFactory.getInstance(algorithm); tmf.init(trustStore); tms = tmf.getTrustManagers(); } else { TrustManagerFactory tmf = TrustManagerFactory.getInstance(algorithm); CertPathParameters params = getParameters(algorithm, crlf, trustStore); ManagerFactoryParameters mfp = new CertPathTrustManagerParameters(params); tmf.init(mfp); tms = tmf.getTrustManagers(); } } return tms; } Gets the intialized trust managers.
public void init() throws IOException { // END SJSAS 6439313 try { String clientAuthStr = (String) attributes.get("clientauth"); if (clientAuthStr != null){ clientAuth = Boolean.valueOf(clientAuthStr).booleanValue(); } // SSL protocol variant (e.g., TLS, SSL v3, etc.) String protocol = (String) attributes.get("protocol"); if (protocol == null) { protocol = defaultProtocol; } // Certificate encoding algorithm (e.g., SunX509) String algorithm = (String) attributes.get("algorithm"); if (algorithm == null) { algorithm = defaultAlgorithm; } // Create and init SSLContext /* SJSAS 6439313 SSLContext context = SSLContext.getInstance(protocol); */ // START SJSAS 6439313 context = SSLContext.getInstance(protocol); // END SJSAS 6439313 // Configure SSL session timeout and cache size configureSSLSessionContext(context.getServerSessionContext()); String trustAlgorithm = (String)attributes.get("truststoreAlgorithm"); if (trustAlgorithm == null) { trustAlgorithm = TrustManagerFactory.getDefaultAlgorithm(); } context.init(getKeyManagers(algorithm, (String) attributes.get("keyAlias")), getTrustManagers(trustAlgorithm), new SecureRandom()); // create proxy sslProxy = context.getServerSocketFactory(); // Determine which cipher suites to enable String requestedCiphers = (String)attributes.get("ciphers"); if (requestedCiphers != null) { enabledCiphers = getEnabledCiphers(requestedCiphers, sslProxy.getSupportedCipherSuites()); } } catch(Exception e) { if( e instanceof IOException ) throw (IOException)e; throw new IOException(e.getMessage()); } } Reads the keystore and initializes the SSL socket factory.
protected void setEnabledProtocols(SSLServerSocket socket, String[] protocols) { if (protocols != null) { socket.setEnabledProtocols(protocols); } }

Method from org.apache.tomcat.util.net.jsse.JSSE14SocketFactory Detail:

 protected Collection<CRL> getCRLs(String crlf) throws IOException, CRLException, CertificateException {
        File crlFile = new File(crlf);
        if (!crlFile.isAbsolute()) {
            crlFile = new File(System.getProperty("catalina.base"), crlf);
        }
        Collection< ? extends CRL > crls = null;
        InputStream is = null;
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            is = new FileInputStream(crlFile);
            crls = cf.generateCRLs(is);
        } catch(IOException iex) {
            throw iex;
        } catch(CRLException crle) {
            throw crle;
        } catch(CertificateException ce) {
            throw ce;
        } finally { 
            if (is != null) {
                try {
                    is.close();
                } catch (Exception ex) {
                }
            }
        }
        return crls;
}

Load the collection of CRLs.

 protected String[] getEnabledProtocols(SSLServerSocket socket,
    String requestedProtocols) {
        String[] supportedProtocols = socket.getSupportedProtocols();
        String[] enabledProtocols = null;
        if (requestedProtocols != null) {
            Vector vec = null;
            String protocol = requestedProtocols;
            int index = requestedProtocols.indexOf(',');
            if (index != -1) {
                int fromIndex = 0;
                while (index != -1) {
                    protocol = requestedProtocols.substring(fromIndex, index).trim();
                    if (protocol.length()  > 0) {
                        /*
                         * Check to see if the requested protocol is among the
                         * supported protocols, i.e., may be enabled
                         */
                        for (int i=0; supportedProtocols != null
                                     && i< supportedProtocols.length; i++) {
                            if (supportedProtocols[i].equals(protocol)) {
                                if (vec == null) {
                                    vec = new Vector();
                                }
                                vec.addElement(protocol);
                                break;
                            }
                        }
                    }
                    fromIndex = index+1;
                    index = requestedProtocols.indexOf(',', fromIndex);
                } // while
                protocol = requestedProtocols.substring(fromIndex);
            }
            if (protocol != null) {
                protocol = protocol.trim();
                if (protocol.length()  > 0) {
                    /*
                     * Check to see if the requested protocol is among the
                     * supported protocols, i.e., may be enabled
                     */
                    for (int i=0; supportedProtocols != null
                                 && i< supportedProtocols.length; i++) {
                        if (supportedProtocols[i].equals(protocol)) {
                            if (vec == null) {
                                vec = new Vector();
                            }
                            vec.addElement(protocol);
                            break;
                        }
                    }
                }
            }           
            if (vec != null) {
                enabledProtocols = new String[vec.size()];
                vec.copyInto(enabledProtocols);
            }
        }
        return enabledProtocols;
}

 protected KeyManager[] getKeyManagers(String algorithm,
    String keyAlias) throws Exception {
        KeyManager[] kms = null;
        String keystorePass = getKeystorePassword();
        KeyStore ks = getKeystore(keystorePass);
        if (keyAlias != null && !ks.isKeyEntry(keyAlias)) {
            throw new IOException(sm.getString("jsse.alias_no_key_entry", keyAlias));
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(algorithm);
        kmf.init(ks, keystorePass.toCharArray());
        kms = kmf.getKeyManagers();
        if (keyAlias != null) {
            // START SJSAS 6266949
            /*
            if (JSSESocketFactory.defaultKeystoreType.equals(keystoreType)) {
                keyAlias = keyAlias.toLowerCase();
            }
            */
            //END SJSAS 6266949
            for(int i=0; i< kms.length; i++) {
                kms[i] = new JSSEKeyManager((X509KeyManager)kms[i], keyAlias);
            }
        }
        return kms;
}

Gets the initialized key managers.

 protected CertPathParameters getParameters(String algorithm,
    String crlf,
    KeyStore trustStore) throws Exception {
        CertPathParameters params = null;
        if ("PKIX".equalsIgnoreCase(algorithm)) {
            PKIXBuilderParameters xparams =
                new PKIXBuilderParameters(trustStore, 
                                          new X509CertSelector());
            Collection crls = getCRLs(crlf);
            CertStoreParameters csp = new CollectionCertStoreParameters(crls);
            CertStore store = CertStore.getInstance("Collection", csp);
            xparams.addCertStore(store);
            xparams.setRevocationEnabled(true);
            String trustLength = (String)attributes.get("trustMaxCertLength");
            if (trustLength != null) {
                try {
                    xparams.setMaxPathLength(Integer.parseInt(trustLength));
                } catch(Exception ex) {
                    log.warn("Bad maxCertLength: " + trustLength);
                }
            }
            params = xparams;
        } else {
            throw new CRLException("CRLs not supported for type: "
                                   + algorithm);
        }
        return params;
}

PKIX

 protected TrustManager[] getTrustManagers(String algorithm) throws Exception {
        String crlf = (String) attributes.get("crlFile");
        TrustManager[] tms = null;
        KeyStore trustStore = getTrustStore();
        if (trustStore != null) {
            if (crlf == null) {
                TrustManagerFactory tmf =
                    TrustManagerFactory.getInstance(algorithm);
                tmf.init(trustStore);
                tms = tmf.getTrustManagers();
            } else {
                TrustManagerFactory tmf =
                    TrustManagerFactory.getInstance(algorithm);
                CertPathParameters params = getParameters(algorithm, crlf,
                                                          trustStore);
                ManagerFactoryParameters mfp = 
                    new CertPathTrustManagerParameters(params);
                tmf.init(mfp);
                tms = tmf.getTrustManagers();
            }
        }
        return tms;
}

Gets the intialized trust managers.

 public  void init() throws IOException {
    // END SJSAS 6439313
        try {
            String clientAuthStr = (String) attributes.get("clientauth");
            if (clientAuthStr != null){
                clientAuth = Boolean.valueOf(clientAuthStr).booleanValue();
            }
            // SSL protocol variant (e.g., TLS, SSL v3, etc.)
            String protocol = (String) attributes.get("protocol");
            if (protocol == null) {
                protocol = defaultProtocol;
            }
            // Certificate encoding algorithm (e.g., SunX509)
            String algorithm = (String) attributes.get("algorithm");
            if (algorithm == null) {
                algorithm = defaultAlgorithm;
            }
            // Create and init SSLContext
            /* SJSAS 6439313
            SSLContext context = SSLContext.getInstance(protocol);
             */
            // START SJSAS 6439313
            context = SSLContext.getInstance(protocol);
            // END SJSAS 6439313 
            // Configure SSL session timeout and cache size
            configureSSLSessionContext(context.getServerSessionContext());
            String trustAlgorithm = (String)attributes.get("truststoreAlgorithm");
            if (trustAlgorithm == null) {
                trustAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
            }
            context.init(getKeyManagers(algorithm,
                                        (String) attributes.get("keyAlias")),
                         getTrustManagers(trustAlgorithm),
                         new SecureRandom());
            // create proxy
            sslProxy = context.getServerSocketFactory();
            // Determine which cipher suites to enable
            String requestedCiphers = (String)attributes.get("ciphers");
            if (requestedCiphers != null) {
                enabledCiphers = getEnabledCiphers(requestedCiphers,
                                                   sslProxy.getSupportedCipherSuites());
            }
        } catch(Exception e) {
            if( e instanceof IOException )
                throw (IOException)e;
            throw new IOException(e.getMessage());
        }
}

Reads the keystore and initializes the SSL socket factory.

 protected  void setEnabledProtocols(SSLServerSocket socket,
    String[] protocols) {
        if (protocols != null) {
            socket.setEnabledProtocols(protocols);
        }
}