diff --git a/src/main/java/com/amazon/dlic/auth/http/saml/HTTPMetadataResolver2.java b/src/main/java/com/amazon/dlic/auth/http/saml/HTTPMetadataResolver.java
similarity index 93%
rename from src/main/java/com/amazon/dlic/auth/http/saml/HTTPMetadataResolver2.java
rename to src/main/java/com/amazon/dlic/auth/http/saml/HTTPMetadataResolver.java
index ec338e0082..47c491ab59 100644
--- a/src/main/java/com/amazon/dlic/auth/http/saml/HTTPMetadataResolver2.java
+++ b/src/main/java/com/amazon/dlic/auth/http/saml/HTTPMetadataResolver.java
@@ -28,19 +28,19 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-public class HTTPMetadataResolver2 extends AbstractReloadingMetadataResolver {
-    private final Logger log = LoggerFactory.getLogger(HTTPMetadataResolver2.class);
+public class HTTPMetadataResolver extends AbstractReloadingMetadataResolver {
+    private final Logger log = LoggerFactory.getLogger(HTTPMetadataResolver.class);
     private HttpClient httpClient;
     private URI metadataURI;
     private String cachedMetadataETag;
     private String cachedMetadataLastModified;
-    public HTTPMetadataResolver2(final HttpClient client, final String metadataURL) throws ResolverException {
+    public HTTPMetadataResolver(final HttpClient client, final String metadataURL) throws ResolverException {
         this(null, client, metadataURL);
     }
-    public HTTPMetadataResolver2(final Timer backgroundTaskTimer, final HttpClient client, final String metadataURL)
-        throws ResolverException {
+    public HTTPMetadataResolver(final Timer backgroundTaskTimer, final HttpClient client, final String metadataURL)
+        throws ResolverException {
         super(backgroundTaskTimer);
         if (client == null) {
diff --git a/src/main/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticator.java b/src/main/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticator.java
index e8a2d1548e..ae3d1c9128 100644
--- a/src/main/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticator.java
+++ b/src/main/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticator.java
@@ -28,7 +28,7 @@ import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Strings;
 import org.apache.commons.lang3.StringEscapeUtils;
-import org.apache.hc.core5.http.HttpStatus;
+import org.apache.http.HttpStatus;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
@@ -333,7 +333,7 @@ private MetadataResolver createMetadataResolver(final Settings settings, final P
         final String idpMetadataFile = settings.get(IDP_METADATA_FILE);
         final String idpMetadataBody = settings.get(IDP_METADATA_CONTENT);
         if (idpMetadataUrl != null) {
-            metadataResolver = new SamlHTTPMetadataResolver2(idpMetadataUrl, settings, configPath);
+            metadataResolver = new SamlHTTPMetadataResolver(idpMetadataUrl, settings, configPath);
         } else if (idpMetadataFile != null) {
             metadataResolver = new SamlFilesystemMetadataResolver(idpMetadataFile, settings, configPath);
         } else if (idpMetadataBody != null) {
diff --git a/src/main/java/com/amazon/dlic/auth/http/saml/SamlHTTPMetadataResolver.java b/src/main/java/com/amazon/dlic/auth/http/saml/SamlHTTPMetadataResolver.java
index d3e5571ece..13a615fb6c 100644
--- a/src/main/java/com/amazon/dlic/auth/http/saml/SamlHTTPMetadataResolver.java
+++ b/src/main/java/com/amazon/dlic/auth/http/saml/SamlHTTPMetadataResolver.java
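Review bot: The import swap in the first hunk moves `HttpStatus` from `org.apache.hc.core5.http.HttpStatus` back to the HttpClient-4 `org.apache.http.HttpStatus`, which runs against the rest of this change (SamlHTTPMetadataResolver, the SettingsBasedSSLConfiguratorV4 deletion) that moves the SAML code onto HttpClient 5. If httpcore 4 is no longer meant to stay on the plugin classpath, this is the one line that keeps it there; `import org.apache.hc.core5.http.HttpStatus;` carries the same status-code constants. If httpcore 4 is deliberately retained for other code not in this diff, a short comment on the import saying so would stop the next migration pass from flipping it again. The second hunk's constructor rename is fine; createMetadataResolver starts before and continues after it.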
@@ -17,16 +17,21 @@ import java.security.PrivilegedExceptionAction;
 import java.time.Duration;
-import org.apache.http.client.HttpClient;
-import org.apache.http.impl.client.HttpClientBuilder;
-import org.apache.http.impl.client.HttpClients;
+import org.apache.hc.client5.http.classic.HttpClient;
+import org.apache.hc.client5.http.impl.classic.HttpClientBuilder;
+import org.apache.hc.client5.http.impl.classic.HttpClients;
+import org.apache.hc.client5.http.impl.io.BasicHttpClientConnectionManager;
+import org.apache.hc.client5.http.socket.ConnectionSocketFactory;
+import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
+import org.apache.hc.core5.http.URIScheme;
+import org.apache.hc.core5.http.config.Registry;
+import org.apache.hc.core5.http.config.RegistryBuilder;
 import org.opensearch.SpecialPermission;
 import org.opensearch.common.settings.Settings;
-import com.amazon.dlic.util.SettingsBasedSSLConfiguratorV4;
+import com.amazon.dlic.util.SettingsBasedSSLConfiguratorV5;
 import net.shibboleth.utilities.java.support.resolver.ResolverException;
-import org.opensaml.saml.metadata.resolver.impl.HTTPMetadataResolver;
 public class SamlHTTPMetadataResolver extends HTTPMetadataResolver {
@@ -38,10 +43,9 @@ public class SamlHTTPMetadataResolver extends HTTPMetadataResolver {
     }
     @Override
-    @SuppressWarnings("removal")
     protected byte[] fetchMetadata() throws ResolverException {
         try {
-            return AccessController.doPrivileged((PrivilegedExceptionAction) () -> SamlHTTPMetadataResolver.super.fetchMetadata());
+            return AccessController.doPrivileged((PrivilegedExceptionAction) SamlHTTPMetadataResolver.super::fetchMetadata);
         } catch (PrivilegedActionException e) {
             if (e.getCause() instanceof ResolverException) {
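Review bot: Dropping the `org.opensaml.saml.metadata.resolver.impl.HTTPMetadataResolver` import makes `SamlHTTPMetadataResolver extends HTTPMetadataResolver` bind to the plugin's own `HTTPMetadataResolver` (the renamed `HTTPMetadataResolver2`, an `AbstractReloadingMetadataResolver` subclass with its own ETag/Last-Modified fields) instead of OpenSAML's implementation, and nothing next to the class declaration records that switch. A class-level Javadoc would help the next reader, e.g. `/** IdP metadata resolver backed by the plugin's HttpClient-5 based HTTPMetadataResolver (not OpenSAML's); TLS for the idp.* settings is applied through createHttpClient/SettingsBasedSSLConfiguratorV5. */`. Separately, the second hunk removes `@SuppressWarnings("removal")` from fetchMetadata while `AccessController.doPrivileged` remains in use, so on JDK 17+ the removal warning comes back; keep the annotation unless the build has stopped treating those warnings as significant. Generics appear to have been stripped from this rendering, so the cast type is not assessed here; the class body continues past the hunk.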
@@ -52,11 +56,10 @@ protected byte[] fetchMetadata() throws ResolverException {
         }
     }
-    private static SettingsBasedSSLConfiguratorV4.SSLConfig getSSLConfig(Settings settings, Path configPath) throws Exception {
-        return new SettingsBasedSSLConfiguratorV4(settings, configPath, "idp").buildSSLConfig();
+    private static SettingsBasedSSLConfiguratorV5.SSLConfig getSSLConfig(Settings settings, Path configPath) throws Exception {
+        return new SettingsBasedSSLConfiguratorV5(settings, configPath, "idp").buildSSLConfig();
     }
-    @SuppressWarnings("removal")
     private static HttpClient createHttpClient(Settings settings, Path configPath) throws Exception {
         try {
             final SecurityManager sm = System.getSecurityManager();
@@ -86,10 +89,16 @@ private static HttpClient createHttpClient0(Settings settings, Path configPath)
         builder.useSystemProperties();
-        SettingsBasedSSLConfiguratorV4.SSLConfig sslConfig = getSSLConfig(settings, configPath);
+        SettingsBasedSSLConfiguratorV5.SSLConfig sslConfig = getSSLConfig(settings, configPath);
         if (sslConfig != null) {
-            builder.setSSLSocketFactory(sslConfig.toSSLConnectionSocketFactory());
+            SSLConnectionSocketFactory sslConnectionSocketFactory = sslConfig.toSSLConnectionSocketFactory();
+            Registry socketFactoryRegistry = RegistryBuilder.create()
+                .register(URIScheme.HTTPS.id, sslConnectionSocketFactory)
+                .build();
+            BasicHttpClientConnectionManager connectionManager = new BasicHttpClientConnectionManager(socketFactoryRegistry);
+            builder.setConnectionManager(connectionManager);
         }
         return builder.build();
diff --git a/src/main/java/com/amazon/dlic/auth/http/saml/SamlHTTPMetadataResolver2.java b/src/main/java/com/amazon/dlic/auth/http/saml/SamlHTTPMetadataResolver2.java
deleted file mode 100644
index 6007269d4d..0000000000
--- a/src/main/java/com/amazon/dlic/auth/http/saml/SamlHTTPMetadataResolver2.java
+++ /dev/null
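Review bot: The socket-factory registry built in createHttpClient0 registers only `URIScheme.HTTPS`, so once an `idp.*` SSL config is present a plain `http://` metadata URL will no longer connect at all, whereas the replaced `setSSLSocketFactory` call left HttpClient's default plain-http factory in place. Refusing to fetch IdP metadata (the document that supplies the IdP signing certificate) over an unauthenticated channel is a sound default, but the change is silent; if intentional, record it with `// https only by design: with an idp SSL config, plain-http metadata URLs are rejected rather than fetched unauthenticated.`, and if not, add `.register(URIScheme.HTTP.id, PlainConnectionSocketFactory.getSocketFactory())` to the builder chain. `BasicHttpClientConnectionManager` also serialises every request through a single connection, which is presumably fine for a resolver refreshed from one background timer but worth confirming since the client lives for the instance. The first hunk drops `@SuppressWarnings("removal")` from createHttpClient while it still calls `System.getSecurityManager()` and `AccessController.doPrivileged`, so those removal warnings will reappear on JDK 17+.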
@@ -1,107 +0,0 @@ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - * - * Modifications Copyright OpenSearch Contributors. See - * GitHub history for details. - */ - -package com.amazon.dlic.auth.http.saml; - -import java.nio.file.Path; -import java.security.AccessController; -import java.security.PrivilegedActionException; -import java.security.PrivilegedExceptionAction; -import java.time.Duration; - -import org.apache.hc.client5.http.classic.HttpClient; -import org.apache.hc.client5.http.impl.classic.HttpClientBuilder; -import org.apache.hc.client5.http.impl.classic.HttpClients; -import org.apache.hc.client5.http.impl.io.BasicHttpClientConnectionManager; -import org.apache.hc.client5.http.socket.ConnectionSocketFactory; -import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory; -import org.apache.hc.core5.http.URIScheme; -import org.apache.hc.core5.http.config.Registry; -import org.apache.hc.core5.http.config.RegistryBuilder; - -import org.opensearch.SpecialPermission; -import org.opensearch.common.settings.Settings; - -import com.amazon.dlic.util.SettingsBasedSSLConfiguratorV5; -import net.shibboleth.utilities.java.support.resolver.ResolverException; - -public class SamlHTTPMetadataResolver2 extends HTTPMetadataResolver2 { - - SamlHTTPMetadataResolver2(String idpMetadataUrl, Settings opensearchSettings, Path configPath) throws Exception { - super(createHttpClient(opensearchSettings, configPath), idpMetadataUrl); - setMinRefreshDelay(Duration.ofMillis(opensearchSettings.getAsLong("idp.min_refresh_delay", 60L * 1000L))); - setMaxRefreshDelay(Duration.ofMillis(opensearchSettings.getAsLong("idp.max_refresh_delay", 14400000L))); - setRefreshDelayFactor(opensearchSettings.getAsFloat("idp.refresh_delay_factor", 0.75f)); - } - - @Override - protected byte[] fetchMetadata() throws ResolverException { - try { 
- return AccessController.doPrivileged((PrivilegedExceptionAction) SamlHTTPMetadataResolver2.super::fetchMetadata); - } catch (PrivilegedActionException e) { - - if (e.getCause() instanceof ResolverException) { - throw (ResolverException) e.getCause(); - } else { - throw new RuntimeException(e); - } - } - } - - private static SettingsBasedSSLConfiguratorV5.SSLConfig getSSLConfig(Settings settings, Path configPath) throws Exception { - return new SettingsBasedSSLConfiguratorV5(settings, configPath, "idp").buildSSLConfig(); - } - - private static HttpClient createHttpClient(Settings settings, Path configPath) throws Exception { - try { - final SecurityManager sm = System.getSecurityManager(); - - if (sm != null) { - sm.checkPermission(new SpecialPermission()); - } - - return AccessController.doPrivileged(new PrivilegedExceptionAction() { - @Override - public HttpClient run() throws Exception { - return createHttpClient0(settings, configPath); - } - }); - } catch (PrivilegedActionException e) { - if (e.getCause() instanceof Exception) { - throw (Exception) e.getCause(); - } else { - throw new RuntimeException(e); - } - } - } - - private static HttpClient createHttpClient0(Settings settings, Path configPath) throws Exception { - - HttpClientBuilder builder = HttpClients.custom(); - - builder.useSystemProperties(); - - SettingsBasedSSLConfiguratorV5.SSLConfig sslConfig = getSSLConfig(settings, configPath); - - if (sslConfig != null) { - SSLConnectionSocketFactory sslConnectionSocketFactory = sslConfig.toSSLConnectionSocketFactory(); - Registry socketFactoryRegistry = RegistryBuilder.create() - .register(URIScheme.HTTPS.id, sslConnectionSocketFactory) - .build(); - - BasicHttpClientConnectionManager connectionManager = new BasicHttpClientConnectionManager(socketFactoryRegistry); - builder.setConnectionManager(connectionManager); - } - - return builder.build(); - } - -} 
diff --git a/src/main/java/com/amazon/dlic/util/SettingsBasedSSLConfiguratorV4.java b/src/main/java/com/amazon/dlic/util/SettingsBasedSSLConfiguratorV4.java deleted file mode 100644 index 9c273a14a4..0000000000 --- a/src/main/java/com/amazon/dlic/util/SettingsBasedSSLConfiguratorV4.java +++ /dev/null 
@@ -1,619 +0,0 @@ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - * - * Modifications Copyright OpenSearch Contributors. See - * GitHub history for details. - */ - -package com.amazon.dlic.util; - -import java.net.Socket; -import java.nio.file.Path; -import java.security.KeyManagementException; -import java.security.KeyStore; -import java.security.KeyStoreException; -import java.security.NoSuchAlgorithmException; -import java.security.PrivateKey; -import java.security.SecureRandom; -import java.security.UnrecoverableKeyException; -import java.security.cert.CertificateException; -import java.security.cert.X509Certificate; -import java.util.Arrays; -import java.util.Collection; -import java.util.List; -import java.util.Map; -import javax.net.ssl.HostnameVerifier; -import javax.net.ssl.KeyManager; -import javax.net.ssl.SSLContext; -import javax.net.ssl.TrustManager; -import javax.net.ssl.X509TrustManager; - -import com.google.common.collect.ImmutableList; -import org.apache.http.conn.ssl.DefaultHostnameVerifier; -import org.apache.http.conn.ssl.NoopHostnameVerifier; -import org.apache.http.conn.ssl.SSLConnectionSocketFactory; -import org.apache.http.nio.conn.ssl.SSLIOSessionStrategy; -import org.apache.http.ssl.PrivateKeyDetails; -import org.apache.http.ssl.PrivateKeyStrategy; -import org.apache.http.ssl.SSLContextBuilder; -import org.apache.http.ssl.SSLContexts; -import org.apache.logging.log4j.LogManager; -import org.apache.logging.log4j.Logger; - -import org.opensearch.common.settings.Settings; -import org.opensearch.security.ssl.util.SSLConfigConstants; -import org.opensearch.security.support.PemKeyReader; - -import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD; -import static 
org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD; - -public class SettingsBasedSSLConfiguratorV4 { - private static final Logger log = LogManager.getLogger(SettingsBasedSSLConfigurator.class); - - public static final String CERT_ALIAS = "cert_alias"; - public static final String CA_ALIAS = "ca_alias"; - public static final String ENABLE_SSL = "enable_ssl"; - - /** - * Shall STARTTLS shall be used? - *

- * NOTE: The setting of this option is only reflected by the startTlsEnabled - * attribute of the returned SSLConfig object. Clients of this class need to - * take further measures to enable STARTTLS. It does not affect the - * SSLIOSessionStrategy and SSLConnectionSocketFactory objects returned from - * this class. - */ - public static final String ENABLE_START_TLS = "enable_start_tls"; - public static final String ENABLE_SSL_CLIENT_AUTH = "enable_ssl_client_auth"; - public static final String PEMKEY_FILEPATH = "pemkey_filepath"; - public static final String PEMKEY_CONTENT = "pemkey_content"; - public static final String PEMKEY_PASSWORD = "pemkey_password"; - public static final String PEMCERT_FILEPATH = "pemcert_filepath"; - public static final String PEMCERT_CONTENT = "pemcert_content"; - public static final String PEMTRUSTEDCAS_CONTENT = "pemtrustedcas_content"; - public static final String PEMTRUSTEDCAS_FILEPATH = "pemtrustedcas_filepath"; - public static final String VERIFY_HOSTNAMES = "verify_hostnames"; - public static final String TRUST_ALL = "trust_all"; - - private static final List DEFAULT_TLS_PROTOCOLS = ImmutableList.of("TLSv1.2", "TLSv1.1"); - - private SSLContextBuilder sslContextBuilder; - private final Settings settings; - private final String settingsKeyPrefix; - private final Path configPath; - private final String clientName; - - private boolean enabled; - private boolean enableSslClientAuth; - private KeyStore effectiveTruststore; - private KeyStore effectiveKeystore; - private char[] effectiveKeyPassword; - private String effectiveKeyAlias; - private List effectiveTruststoreAliases; - - public SettingsBasedSSLConfiguratorV4(Settings settings, Path configPath, String settingsKeyPrefix, String clientName) { - this.settings = settings; - this.configPath = configPath; - this.settingsKeyPrefix = normalizeSettingsKeyPrefix(settingsKeyPrefix); - this.clientName = clientName != null ? 
clientName : this.settingsKeyPrefix; - } - - public SettingsBasedSSLConfiguratorV4(Settings settings, Path configPath, String settingsKeyPrefix) { - this(settings, configPath, settingsKeyPrefix, null); - } - - SSLContext buildSSLContext() throws SSLConfigException { - try { - if (isTrustAllEnabled()) { - sslContextBuilder = new OverlyTrustfulSSLContextBuilder(); - } else { - sslContextBuilder = SSLContexts.custom(); - } - - configureWithSettings(); - - if (!this.enabled) { - return null; - } - - return sslContextBuilder.build(); - - } catch (NoSuchAlgorithmException | KeyStoreException | KeyManagementException e) { - throw new SSLConfigException("Error while initializing SSL configuration for " + this.clientName, e); - } - } - - public SSLConfig buildSSLConfig() throws SSLConfigException { - SSLContext sslContext = buildSSLContext(); - - if (sslContext == null) { - // disabled - return null; - } - - return new SSLConfig( - sslContext, - getSupportedProtocols(), - getSupportedCipherSuites(), - getHostnameVerifier(), - isHostnameVerificationEnabled(), - isTrustAllEnabled(), - isStartTlsEnabled(), - this.effectiveTruststore, - this.effectiveTruststoreAliases, - this.effectiveKeystore, - this.effectiveKeyPassword, - this.effectiveKeyAlias - ); - } - - private boolean isHostnameVerificationEnabled() { - return getSettingAsBoolean(VERIFY_HOSTNAMES, true) && !isTrustAllEnabled(); - } - - private HostnameVerifier getHostnameVerifier() { - if (isHostnameVerificationEnabled()) { - return new DefaultHostnameVerifier(); - } else { - return NoopHostnameVerifier.INSTANCE; - } - } - - private String[] getSupportedProtocols() { - return getSettingAsArray("enabled_ssl_protocols", DEFAULT_TLS_PROTOCOLS); - } - - private String[] getSupportedCipherSuites() { - return getSettingAsArray("enabled_ssl_ciphers", null); - - } - - private boolean isStartTlsEnabled() { - return getSettingAsBoolean(ENABLE_START_TLS, false); - } - - private boolean isTrustAllEnabled() { - return 
getSettingAsBoolean(TRUST_ALL, false); - } - - private void configureWithSettings() throws SSLConfigException, NoSuchAlgorithmException, KeyStoreException { - this.enabled = getSettingAsBoolean(ENABLE_SSL, false); - - if (!this.enabled) { - return; - } - - this.enableSslClientAuth = getSettingAsBoolean(ENABLE_SSL_CLIENT_AUTH, false); - - if (settings.get(settingsKeyPrefix + PEMTRUSTEDCAS_FILEPATH, null) != null - || settings.get(settingsKeyPrefix + PEMTRUSTEDCAS_CONTENT, null) != null) { - initFromPem(); - } else { - initFromKeyStore(); - } - - if (effectiveTruststore != null) { - sslContextBuilder.loadTrustMaterial(effectiveTruststore, null); - } - - if (enableSslClientAuth) { - if (effectiveKeystore != null) { - try { - sslContextBuilder.loadKeyMaterial(effectiveKeystore, effectiveKeyPassword, new PrivateKeyStrategy() { - - @Override - public String chooseAlias(Map aliases, Socket socket) { - if (aliases == null || aliases.isEmpty()) { - return effectiveKeyAlias; - } - - if (effectiveKeyAlias == null || effectiveKeyAlias.isEmpty()) { - return aliases.keySet().iterator().next(); - } - - return effectiveKeyAlias; - } - }); - } catch (UnrecoverableKeyException e) { - throw new RuntimeException(e); - } - } - } - - } - - private void initFromPem() throws SSLConfigException { - X509Certificate[] trustCertificates; - - try { - trustCertificates = PemKeyReader.loadCertificatesFromStream( - PemKeyReader.resolveStream(settingsKeyPrefix + PEMTRUSTEDCAS_CONTENT, settings) - ); - } catch (Exception e) { - throw new SSLConfigException( - "Error loading PEM from " + settingsKeyPrefix + PEMTRUSTEDCAS_CONTENT + " for " + this.clientName, - e - ); - } - - if (trustCertificates == null) { - String path = PemKeyReader.resolve(settingsKeyPrefix + PEMTRUSTEDCAS_FILEPATH, settings, configPath, !isTrustAllEnabled()); - - try { - trustCertificates = PemKeyReader.loadCertificatesFromFile(path); - } catch (Exception e) { - throw new SSLConfigException( - "Error loading PEM from " + path + 
" (" + settingsKeyPrefix + PEMTRUSTEDCAS_FILEPATH + ") for " + this.clientName, - e - ); - } - } - - // for client authentication - X509Certificate[] authenticationCertificate; - - try { - authenticationCertificate = PemKeyReader.loadCertificatesFromStream( - PemKeyReader.resolveStream(settingsKeyPrefix + PEMCERT_CONTENT, settings) - ); - } catch (Exception e) { - throw new SSLConfigException("Error loading PEM from " + settingsKeyPrefix + PEMCERT_CONTENT + " for " + this.clientName, e); - } - - if (authenticationCertificate == null) { - String path = PemKeyReader.resolve(settingsKeyPrefix + PEMCERT_FILEPATH, settings, configPath, enableSslClientAuth); - - try { - authenticationCertificate = PemKeyReader.loadCertificatesFromFile(path); - } catch (Exception e) { - throw new SSLConfigException( - "Error loading PEM from " + path + " (" + settingsKeyPrefix + PEMCERT_FILEPATH + ") for " + this.clientName, - e - ); - } - - } - - PrivateKey authenticationKey; - - try { - authenticationKey = PemKeyReader.loadKeyFromStream( - getSetting(PEMKEY_PASSWORD), - PemKeyReader.resolveStream(settingsKeyPrefix + PEMKEY_CONTENT, settings) - ); - } catch (Exception e) { - throw new SSLConfigException("Error loading PEM from " + settingsKeyPrefix + PEMKEY_CONTENT + " for " + this.clientName, e); - } - - if (authenticationKey == null) { - String path = PemKeyReader.resolve(settingsKeyPrefix + PEMKEY_FILEPATH, settings, configPath, enableSslClientAuth); - - try { - authenticationKey = PemKeyReader.loadKeyFromFile(getSetting(PEMKEY_PASSWORD), path); - } catch (Exception e) { - throw new SSLConfigException( - "Error loading PEM from " + path + " (" + settingsKeyPrefix + PEMKEY_FILEPATH + ") for " + this.clientName, - e - ); - } - } - - try { - effectiveKeyPassword = PemKeyReader.randomChars(12); - effectiveKeyAlias = "al"; - effectiveTruststore = PemKeyReader.toTruststore(effectiveKeyAlias, trustCertificates); - effectiveKeystore = PemKeyReader.toKeystore( - effectiveKeyAlias, - 
effectiveKeyPassword, - authenticationCertificate, - authenticationKey - ); - } catch (Exception e) { - throw new SSLConfigException("Error initializing SSLConfig for " + this.clientName, e); - } - - } - - private void initFromKeyStore() throws SSLConfigException { - KeyStore trustStore; - KeyStore keyStore; - - try { - trustStore = PemKeyReader.loadKeyStore( - PemKeyReader.resolve( - SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, - settings, - configPath, - !isTrustAllEnabled() - ), - SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD.getSetting(settings), - settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE) - ); - } catch (Exception e) { - throw new SSLConfigException( - "Error loading trust store from " + settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH), - e - ); - } - - effectiveTruststoreAliases = getSettingAsList(CA_ALIAS, null); - - // for client authentication - - try { - keyStore = PemKeyReader.loadKeyStore( - PemKeyReader.resolve( - SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, - settings, - configPath, - enableSslClientAuth - ), - SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD.getSetting(settings, SSLConfigConstants.DEFAULT_STORE_PASSWORD), - settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE) - ); - } catch (Exception e) { - throw new SSLConfigException( - "Error loading key store from " + settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH), - e - ); - } - - String keyStorePassword = SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD.getSetting(settings, SSLConfigConstants.DEFAULT_STORE_PASSWORD); - effectiveKeyPassword = keyStorePassword == null || keyStorePassword.isEmpty() ? 
null : keyStorePassword.toCharArray(); - effectiveKeyAlias = getSetting(CERT_ALIAS); - - if (enableSslClientAuth && effectiveKeyAlias == null) { - throw new IllegalArgumentException(settingsKeyPrefix + CERT_ALIAS + " not given"); - } - - effectiveTruststore = trustStore; - effectiveKeystore = keyStore; - - } - - private String getSetting(String key) { - return settings.get(settingsKeyPrefix + key); - } - - private Boolean getSettingAsBoolean(String key, Boolean defaultValue) { - return settings.getAsBoolean(settingsKeyPrefix + key, defaultValue); - } - - private List getSettingAsList(String key, List defaultValue) { - return settings.getAsList(settingsKeyPrefix + key, defaultValue); - } - - private String[] getSettingAsArray(String key, List defaultValue) { - List list = getSettingAsList(key, defaultValue); - - if (list == null) { - return null; - } - - return list.toArray(new String[list.size()]); - } - - private static String normalizeSettingsKeyPrefix(String settingsKeyPrefix) { - if (settingsKeyPrefix == null || settingsKeyPrefix.length() == 0) { - return ""; - } else if (!settingsKeyPrefix.endsWith(".")) { - return settingsKeyPrefix + "."; - } else { - return settingsKeyPrefix; - } - } - - public static class SSLConfig { - - private final SSLContext sslContext; - private final String[] supportedProtocols; - private final String[] supportedCipherSuites; - private final HostnameVerifier hostnameVerifier; - private final boolean startTlsEnabled; - private final boolean hostnameVerificationEnabled; - private final boolean trustAll; - private final KeyStore effectiveTruststore; - private final List effectiveTruststoreAliases; - private final KeyStore effectiveKeystore; - private final char[] effectiveKeyPassword; - private final String effectiveKeyAlias; - - public SSLConfig( - SSLContext sslContext, - String[] supportedProtocols, - String[] supportedCipherSuites, - HostnameVerifier hostnameVerifier, - boolean hostnameVerificationEnabled, - boolean trustAll, - 
boolean startTlsEnabled, - KeyStore effectiveTruststore, - List effectiveTruststoreAliases, - KeyStore effectiveKeystore, - char[] effectiveKeyPassword, - String effectiveKeyAlias - ) { - this.sslContext = sslContext; - this.supportedProtocols = supportedProtocols; - this.supportedCipherSuites = supportedCipherSuites; - this.hostnameVerifier = hostnameVerifier; - this.hostnameVerificationEnabled = hostnameVerificationEnabled; - this.trustAll = trustAll; - this.startTlsEnabled = startTlsEnabled; - this.effectiveTruststore = effectiveTruststore; - this.effectiveTruststoreAliases = effectiveTruststoreAliases; - this.effectiveKeystore = effectiveKeystore; - this.effectiveKeyPassword = effectiveKeyPassword; - this.effectiveKeyAlias = effectiveKeyAlias; - - if (log.isDebugEnabled()) { - log.debug("Created SSLConfig: {}", this); - } - } - - public SSLContext getSslContext() { - return sslContext; - } - - public String[] getSupportedProtocols() { - return supportedProtocols; - } - - public String[] getSupportedCipherSuites() { - return supportedCipherSuites; - } - - public HostnameVerifier getHostnameVerifier() { - return hostnameVerifier; - } - - public SSLIOSessionStrategy toSSLIOSessionStrategy() { - return new SSLIOSessionStrategy(sslContext, supportedProtocols, supportedCipherSuites, hostnameVerifier); - } - - public SSLConnectionSocketFactory toSSLConnectionSocketFactory() { - return new SSLConnectionSocketFactory(sslContext, supportedProtocols, supportedCipherSuites, hostnameVerifier); - } - - public boolean isStartTlsEnabled() { - return startTlsEnabled; - } - - public boolean isHostnameVerificationEnabled() { - return hostnameVerificationEnabled; - } - - public KeyStore getEffectiveTruststore() { - return effectiveTruststore; - } - - public KeyStore getEffectiveKeystore() { - return effectiveKeystore; - } - - public char[] getEffectiveKeyPassword() { - return effectiveKeyPassword; - } - - public String getEffectiveKeyPasswordString() { - if 
(this.effectiveKeyPassword == null) { - return null; - } else { - return new String(this.effectiveKeyPassword); - } - } - - public String getEffectiveKeyAlias() { - return effectiveKeyAlias; - } - - public List getEffectiveTruststoreAliases() { - return effectiveTruststoreAliases; - } - - public String[] getEffectiveTruststoreAliasesArray() { - if (this.effectiveTruststoreAliases == null) { - return null; - } else { - return this.effectiveTruststoreAliases.toArray(new String[this.effectiveTruststoreAliases.size()]); - } - } - - public String[] getEffectiveKeyAliasesArray() { - if (this.effectiveKeyAlias == null) { - return null; - } else { - return new String[] { this.effectiveKeyAlias }; - } - } - - @Override - public String toString() { - return "SSLConfig [sslContext=" - + sslContext - + ", supportedProtocols=" - + Arrays.toString(supportedProtocols) - + ", supportedCipherSuites=" - + Arrays.toString(supportedCipherSuites) - + ", hostnameVerifier=" - + hostnameVerifier - + ", startTlsEnabled=" - + startTlsEnabled - + ", hostnameVerificationEnabled=" - + hostnameVerificationEnabled - + ", trustAll=" - + trustAll - + ", effectiveTruststore=" - + effectiveTruststore - + ", effectiveTruststoreAliases=" - + effectiveTruststoreAliases - + ", effectiveKeystore=" - + effectiveKeystore - + ", effectiveKeyAlias=" - + effectiveKeyAlias - + "]"; - } - - public boolean isTrustAllEnabled() { - return trustAll; - } - } - - public static class SSLConfigException extends Exception { - - private static final long serialVersionUID = 5827273100470174111L; - - public SSLConfigException() { - super(); - } - - public SSLConfigException(String message, Throwable cause, boolean enableSuppression, boolean writableStackTrace) { - super(message, cause, enableSuppression, writableStackTrace); - } - - public SSLConfigException(String message, Throwable cause) { - super(message, cause); - } - - public SSLConfigException(String message) { - super(message); - } - - public 
SSLConfigException(Throwable cause) { - super(cause); - } - - } - - private static class OverlyTrustfulSSLContextBuilder extends SSLContextBuilder { - @Override - protected void initSSLContext( - SSLContext sslContext, - Collection keyManagers, - Collection trustManagers, - SecureRandom secureRandom - ) throws KeyManagementException { - sslContext.init( - !keyManagers.isEmpty() ? keyManagers.toArray(new KeyManager[keyManagers.size()]) : null, - new TrustManager[] { new OverlyTrustfulTrustManager() }, - secureRandom - ); - } - } - - private static class OverlyTrustfulTrustManager implements X509TrustManager { - @Override - public void checkClientTrusted(final X509Certificate[] chain, final String authType) throws CertificateException {} - - @Override - public void checkServerTrusted(final X509Certificate[] chain, final String authType) throws CertificateException {} - - @Override - public X509Certificate[] getAcceptedIssuers() { - return new X509Certificate[0]; - } - } -} diff --git a/src/test/java/org/opensearch/security/util/SettingsBasedSSLConfiguratorV4Test.java b/src/test/java/org/opensearch/security/util/SettingsBasedSSLConfiguratorV5Test.java similarity index 64% rename from src/test/java/org/opensearch/security/util/SettingsBasedSSLConfiguratorV4Test.java rename to src/test/java/org/opensearch/security/util/SettingsBasedSSLConfiguratorV5Test.java index e1e3d979fd..ae56e7ca6e 100644 --- a/src/test/java/org/opensearch/security/util/SettingsBasedSSLConfiguratorV4Test.java +++ b/src/test/java/org/opensearch/security/util/SettingsBasedSSLConfiguratorV5Test.java 
@@ -22,41 +22,45 @@ import java.nio.file.Path;
 import java.security.GeneralSecurityException;
 import java.security.KeyStore;
-import java.security.cert.Certificate;
 import java.util.Map;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLHandshakeException;
+import javax.net.ssl.SSLParameters;
 import javax.net.ssl.SSLPeerUnverifiedException;
-import javax.net.ssl.SSLServerSocket;
-import javax.net.ssl.SSLSocket;
 import javax.net.ssl.TrustManagerFactory;
-import org.apache.http.HttpConnectionFactory;
-import org.apache.http.HttpException;
-import org.apache.http.HttpRequest;
-import org.apache.http.HttpResponse;
-import org.apache.http.client.methods.CloseableHttpResponse;
-import org.apache.http.client.methods.HttpGet;
-import org.apache.http.config.ConnectionConfig;
-import org.apache.http.config.MessageConstraints;
-import org.apache.http.entity.ContentLengthStrategy;
-import org.apache.http.impl.ConnSupport;
-import org.apache.http.impl.DefaultBHttpServerConnection;
-import org.apache.http.impl.bootstrap.HttpServer;
-import org.apache.http.impl.bootstrap.SSLServerSetupHandler;
-import org.apache.http.impl.bootstrap.ServerBootstrap;
-import org.apache.http.impl.client.CloseableHttpClient;
-import org.apache.http.impl.client.HttpClients;
-import org.apache.http.io.HttpMessageParserFactory;
-import org.apache.http.io.HttpMessageWriterFactory;
-import org.apache.http.protocol.HttpContext;
-import org.apache.http.protocol.HttpRequestHandler;
-import org.apache.http.ssl.PrivateKeyDetails;
-import org.apache.http.ssl.PrivateKeyStrategy;
-import org.apache.http.ssl.SSLContextBuilder;
-import org.apache.http.ssl.SSLContexts;
+import org.apache.hc.client5.http.classic.methods.HttpGet;
+import org.apache.hc.client5.http.config.ConnectionConfig;
+import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
+import org.apache.hc.client5.http.impl.classic.CloseableHttpResponse;
+import org.apache.hc.client5.http.impl.classic.HttpClients;
+import org.apache.hc.client5.http.impl.io.BasicHttpClientConnectionManager;
+import org.apache.hc.client5.http.socket.ConnectionSocketFactory;
+import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
+import org.apache.hc.core5.function.Callback;
+import org.apache.hc.core5.http.ClassicHttpRequest;
+import org.apache.hc.core5.http.ClassicHttpResponse;
+import org.apache.hc.core5.http.ContentLengthStrategy;
+import org.apache.hc.core5.http.URIScheme;
+import org.apache.hc.core5.http.config.Http1Config;
+import org.apache.hc.core5.http.config.Registry;
+import org.apache.hc.core5.http.config.RegistryBuilder;
+import org.apache.hc.core5.http.impl.DefaultContentLengthStrategy;
+import org.apache.hc.core5.http.impl.bootstrap.HttpServer;
+import org.apache.hc.core5.http.impl.bootstrap.ServerBootstrap;
+import org.apache.hc.core5.http.impl.io.DefaultBHttpServerConnection;
+import org.apache.hc.core5.http.impl.io.DefaultHttpRequestParserFactory;
+import org.apache.hc.core5.http.impl.io.DefaultHttpResponseWriterFactory;
+import org.apache.hc.core5.http.io.HttpConnectionFactory;
+import org.apache.hc.core5.http.io.HttpMessageParserFactory;
+import org.apache.hc.core5.http.io.HttpMessageWriterFactory;
+import org.apache.hc.core5.io.CloseMode;
+import org.apache.hc.core5.ssl.PrivateKeyDetails;
+import org.apache.hc.core5.ssl.PrivateKeyStrategy;
+import org.apache.hc.core5.ssl.SSLContextBuilder;
+import org.apache.hc.core5.ssl.SSLContexts;
 import org.junit.Assert;
 import org.junit.Rule;
 import org.junit.Test;
@@ -68,14 +72,14 @@ import org.opensearch.security.test.helper.file.FileHelper;
 import org.opensearch.security.test.helper.network.SocketUtils;
-import com.amazon.dlic.util.SettingsBasedSSLConfiguratorV4;
-import com.amazon.dlic.util.SettingsBasedSSLConfiguratorV4.SSLConfig;
+import com.amazon.dlic.util.SettingsBasedSSLConfiguratorV5;
+import com.amazon.dlic.util.SettingsBasedSSLConfiguratorV5.SSLConfig;
 import static org.hamcrest.CoreMatchers.either;
 import static org.hamcrest.CoreMatchers.instanceOf;
 import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD;
-public class SettingsBasedSSLConfiguratorV4Test {
+public class SettingsBasedSSLConfiguratorV5Test {
 @Rule
 public ExpectedException thrown = ExpectedException.none();
@@ -102,13 +106,16 @@ public void testPemTrust() throws Exception {
 .build();
 Path configPath = rootCaPemPath.getParent();
- SettingsBasedSSLConfiguratorV4 sbsc = new SettingsBasedSSLConfiguratorV4(settings, configPath, "prefix");
+ SettingsBasedSSLConfiguratorV5 sbsc = new SettingsBasedSSLConfiguratorV5(settings, configPath, "prefix");
 SSLConfig sslConfig = sbsc.buildSSLConfig();
+ SSLConnectionSocketFactory sslConnectionSocketFactory = sslConfig.toSSLConnectionSocketFactory();
+ Registry socketFactoryRegistry = RegistryBuilder.create()
+ .register(URIScheme.HTTPS.id, sslConnectionSocketFactory)
+ .build();
+ BasicHttpClientConnectionManager connectionManager = new BasicHttpClientConnectionManager(socketFactoryRegistry);
- try (
- CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslConfig.toSSLConnectionSocketFactory()).build()
- ) {
+ try (CloseableHttpClient httpClient = HttpClients.custom().setConnectionManager(connectionManager).build();) {
 try (CloseableHttpResponse response = httpClient.execute(new HttpGet(testServer.getUri()))) {
 // Success
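Review bot: The five new lines that build the socket-factory registry and the `BasicHttpClientConnectionManager` are copied verbatim into nine test methods (this one plus testPemWrongTrust, testPemClientAuth, testPemClientAuthFailure, testPemHostnameVerificationFailure, testPemHostnameVerificationOff, testJksTrust, testJksWrongTrust and testTrustAll); a private helper taking the `SSLConfig` would leave each test with a single `try (CloseableHttpClient httpClient = createHttpClient(sslConfig)) {` line and one place to change when the client setup moves again. This hunk also carries a stray `;` inside the try-with-resources header (`.build();) {`) that the other eight do not, which is legal but inconsistent. The generic arguments on `Registry`/`RegistryBuilder.create()` look like they were lost in rendering, so I have not treated the raw types as a defect. testPemTrust starts before this hunk and continues past it.
```java
// … unchanged: settings and sslConfig setup …
try (CloseableHttpClient httpClient = createHttpClient(sslConfig)) {
// … unchanged: request execution and assertions …

/** Builds a classic HttpClient whose HTTPS scheme is backed by the SSLConfig under test. */
private static CloseableHttpClient createHttpClient(SSLConfig sslConfig) {
    Registry<ConnectionSocketFactory> socketFactoryRegistry = RegistryBuilder.<ConnectionSocketFactory>create()
        .register(URIScheme.HTTPS.id, sslConfig.toSSLConnectionSocketFactory())
        .build();
    return HttpClients.custom()
        .setConnectionManager(new BasicHttpClientConnectionManager(socketFactoryRegistry))
        .build();
}
```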
@@ -138,13 +145,16 @@ public void testPemWrongTrust() throws Exception {
 .build();
 Path configPath = rootCaPemPath.getParent();
- SettingsBasedSSLConfiguratorV4 sbsc = new SettingsBasedSSLConfiguratorV4(settings, configPath, "prefix");
+ SettingsBasedSSLConfiguratorV5 sbsc = new SettingsBasedSSLConfiguratorV5(settings, configPath, "prefix");
 SSLConfig sslConfig = sbsc.buildSSLConfig();
+ SSLConnectionSocketFactory sslConnectionSocketFactory = sslConfig.toSSLConnectionSocketFactory();
+ Registry socketFactoryRegistry = RegistryBuilder.create()
+ .register(URIScheme.HTTPS.id, sslConnectionSocketFactory)
+ .build();
+ BasicHttpClientConnectionManager connectionManager = new BasicHttpClientConnectionManager(socketFactoryRegistry);
- try (
- CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslConfig.toSSLConnectionSocketFactory()).build()
- ) {
+ try (CloseableHttpClient httpClient = HttpClients.custom().setConnectionManager(connectionManager).build()) {
 thrown.expect(SSLHandshakeException.class);
@@ -180,13 +190,16 @@ public void testPemClientAuth() throws Exception {
 .build();
 Path configPath = rootCaPemPath.getParent();
- SettingsBasedSSLConfiguratorV4 sbsc = new SettingsBasedSSLConfiguratorV4(settings, configPath, "prefix");
+ SettingsBasedSSLConfiguratorV5 sbsc = new SettingsBasedSSLConfiguratorV5(settings, configPath, "prefix");
 SSLConfig sslConfig = sbsc.buildSSLConfig();
+ SSLConnectionSocketFactory sslConnectionSocketFactory = sslConfig.toSSLConnectionSocketFactory();
+ Registry socketFactoryRegistry = RegistryBuilder.create()
+ .register(URIScheme.HTTPS.id, sslConnectionSocketFactory)
+ .build();
+ BasicHttpClientConnectionManager connectionManager = new BasicHttpClientConnectionManager(socketFactoryRegistry);
- try (
- CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslConfig.toSSLConnectionSocketFactory()).build()
- ) {
+ try (CloseableHttpClient httpClient = HttpClients.custom().setConnectionManager(connectionManager).build()) {
 try (CloseableHttpResponse response = httpClient.execute(new HttpGet(testServer.getUri()))) {
 // Success
@@ -220,22 +233,24 @@ public void testPemClientAuthFailure() throws Exception {
 .build();
 Path configPath = rootCaPemPath.getParent();
- SettingsBasedSSLConfiguratorV4 sbsc = new SettingsBasedSSLConfiguratorV4(settings, configPath, "prefix");
+ SettingsBasedSSLConfiguratorV5 sbsc = new SettingsBasedSSLConfiguratorV5(settings, configPath, "prefix");
 SSLConfig sslConfig = sbsc.buildSSLConfig();
-
- try (
- CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslConfig.toSSLConnectionSocketFactory()).build()
- ) {
+ SSLConnectionSocketFactory sslConnectionSocketFactory = sslConfig.toSSLConnectionSocketFactory();
+ Registry socketFactoryRegistry = RegistryBuilder.create()
+ .register(URIScheme.HTTPS.id, sslConnectionSocketFactory)
+ .build();
+ BasicHttpClientConnectionManager connectionManager = new BasicHttpClientConnectionManager(socketFactoryRegistry);
+ try (CloseableHttpClient httpClient = HttpClients.custom().setConnectionManager(connectionManager).build()) {
 // Due to some race condition in Java's internal network stack, this can be one
 // of the following exceptions
 thrown.expect(
 either(instanceOf(SocketException.class)).or(instanceOf(SSLHandshakeException.class)).or(instanceOf(SSLException.class)) // Java
- // 11:
- // javax.net.ssl.SSLException:
- // readHandshakeRecord
+ // 11:
+ // javax.net.ssl.SSLException:
+ // readHandshakeRecord
 );
 try (CloseableHttpResponse response = httpClient.execute(new HttpGet(testServer.getUri()))) {
@@ -266,13 +281,15 @@ public void testPemHostnameVerificationFailure() throws Exception {
 .build();
 Path configPath = rootCaPemPath.getParent();
- SettingsBasedSSLConfiguratorV4 sbsc = new SettingsBasedSSLConfiguratorV4(settings, configPath, "prefix");
+ SettingsBasedSSLConfiguratorV5 sbsc = new SettingsBasedSSLConfiguratorV5(settings, configPath, "prefix");
 SSLConfig sslConfig = sbsc.buildSSLConfig();
-
- try (
- CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslConfig.toSSLConnectionSocketFactory()).build()
- ) {
+ SSLConnectionSocketFactory sslConnectionSocketFactory = sslConfig.toSSLConnectionSocketFactory();
+ Registry socketFactoryRegistry = RegistryBuilder.create()
+ .register(URIScheme.HTTPS.id, sslConnectionSocketFactory)
+ .build();
+ BasicHttpClientConnectionManager connectionManager = new BasicHttpClientConnectionManager(socketFactoryRegistry);
+ try (CloseableHttpClient httpClient = HttpClients.custom().setConnectionManager(connectionManager).build()) {
 thrown.expect(SSLPeerUnverifiedException.class);
@@ -304,13 +321,15 @@ public void testPemHostnameVerificationOff() throws Exception {
 .build();
 Path configPath = rootCaPemPath.getParent();
- SettingsBasedSSLConfiguratorV4 sbsc = new SettingsBasedSSLConfiguratorV4(settings, configPath, "prefix");
+ SettingsBasedSSLConfiguratorV5 sbsc = new SettingsBasedSSLConfiguratorV5(settings, configPath, "prefix");
 SSLConfig sslConfig = sbsc.buildSSLConfig();
-
- try (
- CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslConfig.toSSLConnectionSocketFactory()).build()
- ) {
+ SSLConnectionSocketFactory sslConnectionSocketFactory = sslConfig.toSSLConnectionSocketFactory();
+ Registry socketFactoryRegistry = RegistryBuilder.create()
+ .register(URIScheme.HTTPS.id, sslConnectionSocketFactory)
+ .build();
+ BasicHttpClientConnectionManager connectionManager = new BasicHttpClientConnectionManager(socketFactoryRegistry);
+ try (CloseableHttpClient httpClient = HttpClients.custom().setConnectionManager(connectionManager).build()) {
 try (CloseableHttpResponse response = httpClient.execute(new HttpGet(testServer.getUri()))) {
 // Success
@@ -342,13 +361,15 @@ public void testJksTrust() throws Exception {
 .build();
 Path configPath = rootCaJksPath.getParent();
- SettingsBasedSSLConfiguratorV4 sbsc = new SettingsBasedSSLConfiguratorV4(settings, configPath, "prefix");
+ SettingsBasedSSLConfiguratorV5 sbsc = new SettingsBasedSSLConfiguratorV5(settings, configPath, "prefix");
 SSLConfig sslConfig = sbsc.buildSSLConfig();
-
- try (
- CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslConfig.toSSLConnectionSocketFactory()).build()
- ) {
+ SSLConnectionSocketFactory sslConnectionSocketFactory = sslConfig.toSSLConnectionSocketFactory();
+ Registry socketFactoryRegistry = RegistryBuilder.create()
+ .register(URIScheme.HTTPS.id, sslConnectionSocketFactory)
+ .build();
+ BasicHttpClientConnectionManager connectionManager = new BasicHttpClientConnectionManager(socketFactoryRegistry);
+ try (CloseableHttpClient httpClient = HttpClients.custom().setConnectionManager(connectionManager).build()) {
 try (CloseableHttpResponse response = httpClient.execute(new HttpGet(testServer.getUri()))) {
 // Success
@@ -381,13 +402,15 @@ public void testJksWrongTrust() throws Exception {
 .build();
 Path configPath = rootCaJksPath.getParent();
- SettingsBasedSSLConfiguratorV4 sbsc = new SettingsBasedSSLConfiguratorV4(settings, configPath, "prefix");
+ SettingsBasedSSLConfiguratorV5 sbsc = new SettingsBasedSSLConfiguratorV5(settings, configPath, "prefix");
 SSLConfig sslConfig = sbsc.buildSSLConfig();
-
- try (
- CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslConfig.toSSLConnectionSocketFactory()).build()
- ) {
+ SSLConnectionSocketFactory sslConnectionSocketFactory = sslConfig.toSSLConnectionSocketFactory();
+ Registry socketFactoryRegistry = RegistryBuilder.create()
+ .register(URIScheme.HTTPS.id, sslConnectionSocketFactory)
+ .build();
+ BasicHttpClientConnectionManager connectionManager = new BasicHttpClientConnectionManager(socketFactoryRegistry);
+ try (CloseableHttpClient httpClient = HttpClients.custom().setConnectionManager(connectionManager).build()) {
 thrown.expect(SSLHandshakeException.class);
@@ -417,13 +440,15 @@ public void testTrustAll() throws Exception {
 .build();
 Path configPath = rootCaJksPath.getParent();
- SettingsBasedSSLConfiguratorV4 sbsc = new SettingsBasedSSLConfiguratorV4(settings, configPath, "prefix");
+ SettingsBasedSSLConfiguratorV5 sbsc = new SettingsBasedSSLConfiguratorV5(settings, configPath, "prefix");
 SSLConfig sslConfig = sbsc.buildSSLConfig();
-
- try (
- CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslConfig.toSSLConnectionSocketFactory()).build()
- ) {
+ SSLConnectionSocketFactory sslConnectionSocketFactory = sslConfig.toSSLConnectionSocketFactory();
+ Registry socketFactoryRegistry = RegistryBuilder.create()
+ .register(URIScheme.HTTPS.id, sslConnectionSocketFactory)
+ .build();
+ BasicHttpClientConnectionManager connectionManager = new BasicHttpClientConnectionManager(socketFactoryRegistry);
+ try (CloseableHttpClient httpClient = HttpClients.custom().setConnectionManager(connectionManager).build()) {
 try (CloseableHttpResponse response = httpClient.execute(new HttpGet(testServer.getUri()))) {
 // Success
@@ -449,21 +474,12 @@ private void createHttpServer(String trustStore, String keyStore, String passwor
 ServerBootstrap serverBootstrap = ServerBootstrap.bootstrap()
 .setListenerPort(port)
- .registerHandler("test", new HttpRequestHandler() {
-
+ .setSslContext(createSSLContext(trustStore, keyStore, password))
+ .setSslSetupHandler(new Callback() {
 @Override
- public void handle(HttpRequest request, HttpResponse response, HttpContext context) throws HttpException, IOException {
-
- }
- });
-
- serverBootstrap = serverBootstrap.setSslContext(createSSLContext(trustStore, keyStore, password))
- .setSslSetupHandler(new SSLServerSetupHandler() {
-
- @Override
- public void initialize(SSLServerSocket socket) throws SSLException {
+ public void execute(SSLParameters object) {
 if (clientAuth) {
- socket.setNeedClientAuth(true);
+ object.setNeedClientAuth(true);
 }
 }
 })
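Review bot: The parameter of the new `execute` override in createHttpServer is named `object`, which says nothing about what it carries; `public void execute(SSLParameters sslParameters) {` with `sslParameters.setNeedClientAuth(true);` reads better and matches the name this same commit chose for the `chooseAlias` parameter further down. A one-line comment above the override, such as `// Server-side TLS parameters: require a client certificate when the test asks for mutual auth`, would also make the `clientAuth` branch self-explanatory. createHttpServer starts before this hunk (its signature appears only in the `@@` context) and continues past it.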
@@ -474,15 +490,14 @@ public void initialize(SSLServerSocket socket) throws SSLException {
 @Override
 public DefaultBHttpServerConnection createConnection(final Socket socket) throws IOException {
 final SSLTestHttpServerConnection conn = new SSLTestHttpServerConnection(
- this.cconfig.getBufferSize(),
- this.cconfig.getFragmentSizeHint(),
- ConnSupport.createDecoder(this.cconfig),
- ConnSupport.createEncoder(this.cconfig),
- this.cconfig.getMessageConstraints(),
- null,
+ "http",
+ Http1Config.DEFAULT,
 null,
 null,
- null
+ DefaultContentLengthStrategy.INSTANCE,
+ DefaultContentLengthStrategy.INSTANCE,
+ DefaultHttpRequestParserFactory.INSTANCE,
+ DefaultHttpResponseWriterFactory.INSTANCE
 );
 conn.bind(socket);
 return conn;
@@ -497,7 +512,7 @@ public DefaultBHttpServerConnection createConnection(final Socket socket) throws
 @Override
 public void close() throws IOException {
 if (this.httpServer != null) {
- this.httpServer.shutdown(0, null);
+ this.httpServer.close(CloseMode.IMMEDIATE);
 }
 }
@@ -531,7 +546,7 @@ private SSLContext createSSLContext(String trustStorePath, String keyStorePath,
 sslContextBuilder.loadKeyMaterial(keyStore, password.toCharArray(), new PrivateKeyStrategy() {
 @Override
- public String chooseAlias(Map aliases, Socket socket) {
+ public String chooseAlias(Map aliases, SSLParameters sslParameters) {
 return "node1";
 }
 });
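Review bot: createConnection passes the literal `"http"` as the scheme of the server connection, although the server it belongs to is bootstrapped with an SSL context in the preceding hunk and `URIScheme.HTTPS.id` is already imported and used on the client side of this file; `URIScheme.HTTPS.id,` in place of `"http",` would keep the two consistent. As far as I recall httpcore5 stamps this scheme onto every request the connection parses, so a handler inspecting the request scheme on this TLS listener would see "http" — harmless for the current no-op server, but misleading if a test ever asserts on it, and worth at least a comment if the literal is intentional. The enclosing anonymous HttpConnectionFactory starts before this hunk.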
@@ -544,32 +559,26 @@ public String chooseAlias(Map aliases, Socket socket)
 static class SSLTestHttpServerConnection extends DefaultBHttpServerConnection {
 public SSLTestHttpServerConnection(
- final int buffersize,
- final int fragmentSizeHint,
+ final String scheme,
+ final Http1Config http1Config,
 final CharsetDecoder chardecoder,
 final CharsetEncoder charencoder,
- final MessageConstraints constraints,
 final ContentLengthStrategy incomingContentStrategy,
 final ContentLengthStrategy outgoingContentStrategy,
- final HttpMessageParserFactory requestParserFactory,
- final HttpMessageWriterFactory responseWriterFactory
+ final HttpMessageParserFactory requestParserFactory,
+ final HttpMessageWriterFactory responseWriterFactory
 ) {
 super(
- buffersize,
- fragmentSizeHint,
+ scheme,
+ http1Config,
 chardecoder,
 charencoder,
- constraints,
 incomingContentStrategy,
 outgoingContentStrategy,
 requestParserFactory,
 responseWriterFactory
 );
 }
-
- public Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException {
- return ((SSLSocket) getSocket()).getSession().getPeerCertificates();
- }
 }
 }
 }
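Review bot: With `getPeerCertificates()` removed, `SSLTestHttpServerConnection` no longer adds anything to `DefaultBHttpServerConnection` except a constructor that forwards every argument unchanged, so unless it is referenced elsewhere in the file the subclass could be dropped and createConnection could instantiate `DefaultBHttpServerConnection` directly with the same arguments. If it is kept on purpose, a short Javadoc on the class saying why a named subclass is still wanted would spare the next reader the same question. The `HttpMessageParserFactory`/`HttpMessageWriterFactory` parameter lines appear on both sides of the hunk with identical rendered text, which suggests only their generic arguments changed and were lost in rendering.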