Java Code Examples for org.eclipse.jetty.util.ssl.SslContextFactory#setKeyStoreType()

/**
 * Configures KeyStore related settings in SslContextFactory.
 */
protected static void configureSslContextFactoryKeyStore(SslContextFactory ssl,
                                                         Map<String, Object> sslConfigValues) {
    ssl.setKeyStoreType((String)
        getOrDefault(sslConfigValues, SslConfigs.SSL_KEYSTORE_TYPE_CONFIG, SslConfigs.DEFAULT_SSL_KEYSTORE_TYPE));

    String sslKeystoreLocation = (String) sslConfigValues.get(SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG);
    if (sslKeystoreLocation != null) {
        ssl.setKeyStorePath(sslKeystoreLocation);
    }

    Password sslKeystorePassword =
        new Password((String) sslConfigValues.get(SslConfigs.SSL_KEYSTORE_PASSWORD_CONFIG));
    if (sslKeystorePassword != null) {
        ssl.setKeyStorePassword(sslKeystorePassword.value());
    }

    Password sslKeyPassword =
        new Password((String) sslConfigValues.get(SslConfigs.SSL_KEY_PASSWORD_CONFIG));
    if (sslKeyPassword != null) {
        ssl.setKeyManagerPassword(sslKeyPassword.value());
    }
}
 

private ServerConnector getConnector() {
  if ( sslConfig != null ) {
    log.logBasic( BaseMessages.getString( PKG, "WebServer.Log.SslModeUsing" ) );
    SslConnectionFactory connector = new SslConnectionFactory();

    SslContextFactory contextFactory = new SslContextFactory();
    contextFactory.setKeyStoreResource( new PathResource( new File( sslConfig.getKeyStore() ) ) );
    contextFactory.setKeyStorePassword( sslConfig.getKeyStorePassword() );
    contextFactory.setKeyManagerPassword( sslConfig.getKeyPassword() );
    contextFactory.setKeyStoreType( sslConfig.getKeyStoreType() );
    return new ServerConnector( server, connector );
  } else {
    return new ServerConnector( server );
  }

}
 

protected SslContextFactory createSslFactory(final SSLContextService sslService, final boolean needClientAuth, final boolean wantClientAuth, final String endpointIdentificationAlgorithm) {
    final SslContextFactory sslFactory = new SslContextFactory();

    sslFactory.setNeedClientAuth(needClientAuth);
    sslFactory.setWantClientAuth(wantClientAuth);

    // Need to set SslContextFactory's endpointIdentificationAlgorithm.
    // For clients, hostname verification should be enabled.
    // For servers, hostname verification should be disabled.
    // Previous to Jetty 9.4.15.v20190215, this defaulted to null, and now defaults to "HTTPS".
    sslFactory.setEndpointIdentificationAlgorithm(endpointIdentificationAlgorithm);

    if (sslService.isKeyStoreConfigured()) {
        sslFactory.setKeyStorePath(sslService.getKeyStoreFile());
        sslFactory.setKeyStorePassword(sslService.getKeyStorePassword());
        sslFactory.setKeyStoreType(sslService.getKeyStoreType());
    }

    if (sslService.isTrustStoreConfigured()) {
        sslFactory.setTrustStorePath(sslService.getTrustStoreFile());
        sslFactory.setTrustStorePassword(sslService.getTrustStorePassword());
        sslFactory.setTrustStoreType(sslService.getTrustStoreType());
    }

    return sslFactory;
}
 

private SslContextFactory createSslFactory(final SSLContextService sslService, boolean needClientAuth, boolean wantClientAuth) {
    SslContextFactory sslFactory = new SslContextFactory();

    sslFactory.setNeedClientAuth(needClientAuth);
    sslFactory.setWantClientAuth(wantClientAuth);
    sslFactory.setProtocol(sslService.getSslAlgorithm());

    if (sslService.isKeyStoreConfigured()) {
        sslFactory.setKeyStorePath(sslService.getKeyStoreFile());
        sslFactory.setKeyStorePassword(sslService.getKeyStorePassword());
        sslFactory.setKeyStoreType(sslService.getKeyStoreType());
    }

    if (sslService.isTrustStoreConfigured()) {
        sslFactory.setTrustStorePath(sslService.getTrustStoreFile());
        sslFactory.setTrustStorePassword(sslService.getTrustStorePassword());
        sslFactory.setTrustStoreType(sslService.getTrustStoreType());
    }

    return sslFactory;
}
 

protected SslContextFactory createSslFactory(final SSLContextService sslService, final boolean needClientAuth, final boolean wantClientAuth) {
    final SslContextFactory sslFactory = new SslContextFactory();

    sslFactory.setNeedClientAuth(needClientAuth);
    sslFactory.setWantClientAuth(wantClientAuth);

    if (sslService.isKeyStoreConfigured()) {
        sslFactory.setKeyStorePath(sslService.getKeyStoreFile());
        sslFactory.setKeyStorePassword(sslService.getKeyStorePassword());
        sslFactory.setKeyStoreType(sslService.getKeyStoreType());
    }

    if (sslService.isTrustStoreConfigured()) {
        sslFactory.setTrustStorePath(sslService.getTrustStoreFile());
        sslFactory.setTrustStorePassword(sslService.getTrustStorePassword());
        sslFactory.setTrustStoreType(sslService.getTrustStoreType());
    }

    return sslFactory;
}
 

private SslContextFactory createSslFactory(final SSLContextService sslService, final boolean needClientAuth, final boolean wantClientAuth) {
    final SslContextFactory sslFactory = new SslContextFactory();

    sslFactory.setNeedClientAuth(needClientAuth);
    sslFactory.setWantClientAuth(wantClientAuth);

    if (sslService.isKeyStoreConfigured()) {
        sslFactory.setKeyStorePath(sslService.getKeyStoreFile());
        sslFactory.setKeyStorePassword(sslService.getKeyStorePassword());
        sslFactory.setKeyStoreType(sslService.getKeyStoreType());
    }

    if (sslService.isTrustStoreConfigured()) {
        sslFactory.setTrustStorePath(sslService.getTrustStoreFile());
        sslFactory.setTrustStorePassword(sslService.getTrustStorePassword());
        sslFactory.setTrustStoreType(sslService.getTrustStoreType());
    }

    return sslFactory;
}
 

@Bean
public SslContextFactory jettySslContextFactory() {
    SslContextFactory sslContextFactory = new SslContextFactory(SecurityUtils.replaceFourSlashes(keyStore));
    sslContextFactory.setProtocol(protocol);
    sslContextFactory.setKeyStorePassword(keyStorePassword);
    sslContextFactory.setKeyStoreType(keyStoreType);
    sslContextFactory.setCertAlias(keyAlias);

    if (trustStore != null) {
        sslContextFactory.setTrustStorePath(SecurityUtils.replaceFourSlashes(trustStore));
        sslContextFactory.setTrustStoreType(trustStoreType);
        sslContextFactory.setTrustStorePassword(trustStorePassword);
    }
    log.debug("jettySslContextFactory: {}", sslContextFactory.dump());

    if (!verifySslCertificatesOfServices) {
        sslContextFactory.setTrustAll(true);
    }

    return sslContextFactory;
}
 

private void createSecureConnector(final Map<String, String> sslProperties) {
    SslContextFactory ssl = new SslContextFactory();

    if (sslProperties.get(StandardSSLContextService.KEYSTORE.getName()) != null) {
        ssl.setKeyStorePath(sslProperties.get(StandardSSLContextService.KEYSTORE.getName()));
        ssl.setKeyStorePassword(sslProperties.get(StandardSSLContextService.KEYSTORE_PASSWORD.getName()));
        ssl.setKeyStoreType(sslProperties.get(StandardSSLContextService.KEYSTORE_TYPE.getName()));
    }

    if (sslProperties.get(StandardSSLContextService.TRUSTSTORE.getName()) != null) {
        ssl.setTrustStorePath(sslProperties.get(StandardSSLContextService.TRUSTSTORE.getName()));
        ssl.setTrustStorePassword(sslProperties.get(StandardSSLContextService.TRUSTSTORE_PASSWORD.getName()));
        ssl.setTrustStoreType(sslProperties.get(StandardSSLContextService.TRUSTSTORE_TYPE.getName()));
    }

    final String clientAuth = sslProperties.get(NEED_CLIENT_AUTH);
    if (clientAuth == null) {
        ssl.setNeedClientAuth(true);
    } else {
        ssl.setNeedClientAuth(Boolean.parseBoolean(clientAuth));
    }

    // build the connector
    final ServerConnector https = new ServerConnector(jetty, ssl);

    // set host and port
    https.setPort(0);
    // Severely taxed environments may have significant delays when executing.
    https.setIdleTimeout(30000L);

    // add the connector
    jetty.addConnector(https);

    // mark secure as enabled
    secure = true;
}
 

private SslContextFactory createSslFactory(final SSLContextService sslService, final boolean needClientAuth, final boolean wantClientAuth) {
    final SslContextFactory sslFactory = new SslContextFactory();

    sslFactory.setNeedClientAuth(needClientAuth);
    sslFactory.setWantClientAuth(wantClientAuth);

    sslFactory.setProtocol(sslService.getSslAlgorithm());

    // Need to set SslContextFactory's endpointIdentificationAlgorithm to null; this is a server,
    // not a client.  Server does not need to perform hostname verification on the client.
    // Previous to Jetty 9.4.15.v20190215, this defaulted to null.
    sslFactory.setEndpointIdentificationAlgorithm(null);

    if (sslService.isKeyStoreConfigured()) {
        sslFactory.setKeyStorePath(sslService.getKeyStoreFile());
        sslFactory.setKeyStorePassword(sslService.getKeyStorePassword());
        sslFactory.setKeyStoreType(sslService.getKeyStoreType());
    }

    if (sslService.isTrustStoreConfigured()) {
        sslFactory.setTrustStorePath(sslService.getTrustStoreFile());
        sslFactory.setTrustStorePassword(sslService.getTrustStorePassword());
        sslFactory.setTrustStoreType(sslService.getTrustStoreType());
    }

    return sslFactory;
}
 

@Override
protected ConnectionFactory[] getConnectionFactorys() throws URISyntaxException {
	@SuppressWarnings("deprecation")
	SslContextFactory sslContextFactory = new SslContextFactory();
	String path = get(HttpPlugin.KEY_STORE_PATH);
	File keystoreFile = FileUtil.file(path);
	if (!keystoreFile.exists()) {
		String msg = path + " is not exist";
		Logs.http().error(msg);
		SumkException.throwException(-2345345, msg);
	}
	sslContextFactory.setKeyStorePath(keystoreFile.getAbsolutePath());
	sslContextFactory.setKeyStorePassword(get("sumk.jetty.ssl.storePassword"));
	sslContextFactory.setKeyManagerPassword(get("sumk.jetty.ssl.managerPassword"));
	sslContextFactory.setCertAlias(get("sumk.jetty.ssl.alias"));

	String v = AppInfo.get("sumk.jetty.ssl.storeType", null);
	if (v != null) {
		sslContextFactory.setKeyStoreType(v);
	}

	sslContextFactory.setTrustAll(AppInfo.getBoolean("sumk.jetty.ssl.trustAll", false));

	Logs.http().info("using https");
	return new ConnectionFactory[] { new SslConnectionFactory(sslContextFactory, "http/1.1"),
			new HttpConnectionFactory() };
}
 

private void createSecureConnector(Properties properties) {
    SslContextFactory ssl = new SslContextFactory();

    if (properties.getProperty(KEYSTORE_LOCATION_KEY) != null) {
        ssl.setKeyStorePath(properties.getProperty(KEYSTORE_LOCATION_KEY));
        ssl.setKeyStorePassword(properties.getProperty(KEYSTORE_PASSWORD_KEY));
        ssl.setKeyStoreType(properties.getProperty(KEYSTORE_TYPE_KEY));
    }

    if (properties.getProperty(TRUSTSTORE_LOCATION_KEY) != null) {
        ssl.setTrustStorePath(properties.getProperty(TRUSTSTORE_LOCATION_KEY));
        ssl.setTrustStorePassword(properties.getProperty(TRUSTSTORE_PASSWORD_KEY));
        ssl.setTrustStoreType(properties.getProperty(TRUSTSTORE_TYPE_KEY));
        ssl.setNeedClientAuth(Boolean.parseBoolean(properties.getProperty(NEED_CLIENT_AUTH_KEY, "true")));
    }

    // build the connector
    final ServerConnector https = new ServerConnector(jetty, ssl);

    // set host and port
    https.setPort(Integer.parseInt(properties.getProperty(PORT_KEY, "0")));
    https.setHost(properties.getProperty(HOST_KEY, "localhost"));

    // Severely taxed environments may have significant delays when executing.
    https.setIdleTimeout(30000L);

    // add the connector
    jetty.addConnector(https);

    logger.info("Added an https connector on the host '{}' and port '{}'", new Object[]{https.getHost(), https.getPort()});
}
 

private void createSecureConnector(final Map<String, String> sslProperties) {
    SslContextFactory ssl = new SslContextFactory();

    if (sslProperties.get(StandardSSLContextService.KEYSTORE.getName()) != null) {
        ssl.setKeyStorePath(sslProperties.get(StandardSSLContextService.KEYSTORE.getName()));
        ssl.setKeyStorePassword(sslProperties.get(StandardSSLContextService.KEYSTORE_PASSWORD.getName()));
        ssl.setKeyStoreType(sslProperties.get(StandardSSLContextService.KEYSTORE_TYPE.getName()));
    }

    if (sslProperties.get(StandardSSLContextService.TRUSTSTORE.getName()) != null) {
        ssl.setTrustStorePath(sslProperties.get(StandardSSLContextService.TRUSTSTORE.getName()));
        ssl.setTrustStorePassword(sslProperties.get(StandardSSLContextService.TRUSTSTORE_PASSWORD.getName()));
        ssl.setTrustStoreType(sslProperties.get(StandardSSLContextService.TRUSTSTORE_TYPE.getName()));
    }

    final String clientAuth = sslProperties.get(NEED_CLIENT_AUTH);
    if (clientAuth == null) {
        ssl.setNeedClientAuth(true);
    } else {
        ssl.setNeedClientAuth(Boolean.parseBoolean(clientAuth));
    }

    // build the connector
    final ServerConnector https = new ServerConnector(jetty, ssl);

    // set host and port
    https.setPort(0);
    // Severely taxed environments may have significant delays when executing.
    https.setIdleTimeout(30000L);

    // add the connector
    jetty.addConnector(https);

    // mark secure as enabled
    secure = true;
}
 

protected static void configureSslContextFactory(SslContextFactory contextFactory, NiFiProperties props) {
    // require client auth when not supporting login, Kerberos service, or anonymous access
    if (props.isClientAuthRequiredForRestApi()) {
        contextFactory.setNeedClientAuth(true);
    } else {
        contextFactory.setWantClientAuth(true);
    }

    /* below code sets JSSE system properties when values are provided */
    // keystore properties
    if (StringUtils.isNotBlank(props.getProperty(NiFiProperties.SECURITY_KEYSTORE))) {
        contextFactory.setKeyStorePath(props.getProperty(NiFiProperties.SECURITY_KEYSTORE));
    }
    String keyStoreType = props.getProperty(NiFiProperties.SECURITY_KEYSTORE_TYPE);
    if (StringUtils.isNotBlank(keyStoreType)) {
        contextFactory.setKeyStoreType(keyStoreType);
        String keyStoreProvider = KeyStoreUtils.getKeyStoreProvider(keyStoreType);
        if (StringUtils.isNoneEmpty(keyStoreProvider)) {
            contextFactory.setKeyStoreProvider(keyStoreProvider);
        }
    }
    final String keystorePassword = props.getProperty(NiFiProperties.SECURITY_KEYSTORE_PASSWD);
    final String keyPassword = props.getProperty(NiFiProperties.SECURITY_KEY_PASSWD);
    if (StringUtils.isNotBlank(keystorePassword)) {
        // if no key password was provided, then assume the keystore password is the same as the key password.
        final String defaultKeyPassword = (StringUtils.isBlank(keyPassword)) ? keystorePassword : keyPassword;
        contextFactory.setKeyStorePassword(keystorePassword);
        contextFactory.setKeyManagerPassword(defaultKeyPassword);
    } else if (StringUtils.isNotBlank(keyPassword)) {
        // since no keystore password was provided, there will be no keystore integrity check
        contextFactory.setKeyManagerPassword(keyPassword);
    }

    // truststore properties
    if (StringUtils.isNotBlank(props.getProperty(NiFiProperties.SECURITY_TRUSTSTORE))) {
        contextFactory.setTrustStorePath(props.getProperty(NiFiProperties.SECURITY_TRUSTSTORE));
    }
    String trustStoreType = props.getProperty(NiFiProperties.SECURITY_TRUSTSTORE_TYPE);
    if (StringUtils.isNotBlank(trustStoreType)) {
        contextFactory.setTrustStoreType(trustStoreType);
        String trustStoreProvider = KeyStoreUtils.getKeyStoreProvider(trustStoreType);
        if (StringUtils.isNoneEmpty(trustStoreProvider)) {
            contextFactory.setTrustStoreProvider(trustStoreProvider);
        }
    }
    if (StringUtils.isNotBlank(props.getProperty(NiFiProperties.SECURITY_TRUSTSTORE_PASSWD))) {
        contextFactory.setTrustStorePassword(props.getProperty(NiFiProperties.SECURITY_TRUSTSTORE_PASSWD));
    }
}
 

protected static void configureSslContextFactory(SslContextFactory contextFactory, NiFiProperties props) {
    // Need to set SslContextFactory's endpointIdentificationAlgorithm to null; this is a server,
    // not a client.  Server does not need to perform hostname verification on the client.
    // Previous to Jetty 9.4.15.v20190215, this defaulted to null, and now defaults to "HTTPS".
    contextFactory.setEndpointIdentificationAlgorithm(null);

    // Explicitly exclude legacy TLS protocol versions
    // contextFactory.setProtocol(CertificateUtils.getHighestCurrentSupportedTlsProtocolVersion());
    contextFactory.setIncludeProtocols(CertificateUtils.getCurrentSupportedTlsProtocolVersions());
    contextFactory.setExcludeProtocols("TLS", "TLSv1", "TLSv1.1", "SSL", "SSLv2", "SSLv2Hello", "SSLv3");

    // require client auth when not supporting login, Kerberos service, or anonymous access
    if (props.isClientAuthRequiredForRestApi()) {
        contextFactory.setNeedClientAuth(true);
    } else {
        contextFactory.setWantClientAuth(true);
    }

    /* below code sets JSSE system properties when values are provided */
    // keystore properties
    if (StringUtils.isNotBlank(props.getProperty(NiFiProperties.SECURITY_KEYSTORE))) {
        contextFactory.setKeyStorePath(props.getProperty(NiFiProperties.SECURITY_KEYSTORE));
    }
    String keyStoreType = props.getProperty(NiFiProperties.SECURITY_KEYSTORE_TYPE);
    if (StringUtils.isNotBlank(keyStoreType)) {
        contextFactory.setKeyStoreType(keyStoreType);
        String keyStoreProvider = KeyStoreUtils.getKeyStoreProvider(keyStoreType);
        if (StringUtils.isNoneEmpty(keyStoreProvider)) {
            contextFactory.setKeyStoreProvider(keyStoreProvider);
        }
    }
    final String keystorePassword = props.getProperty(NiFiProperties.SECURITY_KEYSTORE_PASSWD);
    final String keyPassword = props.getProperty(NiFiProperties.SECURITY_KEY_PASSWD);
    if (StringUtils.isNotBlank(keystorePassword)) {
        // if no key password was provided, then assume the keystore password is the same as the key password.
        final String defaultKeyPassword = (StringUtils.isBlank(keyPassword)) ? keystorePassword : keyPassword;
        contextFactory.setKeyStorePassword(keystorePassword);
        contextFactory.setKeyManagerPassword(defaultKeyPassword);
    } else if (StringUtils.isNotBlank(keyPassword)) {
        // since no keystore password was provided, there will be no keystore integrity check
        contextFactory.setKeyManagerPassword(keyPassword);
    }

    // truststore properties
    if (StringUtils.isNotBlank(props.getProperty(NiFiProperties.SECURITY_TRUSTSTORE))) {
        contextFactory.setTrustStorePath(props.getProperty(NiFiProperties.SECURITY_TRUSTSTORE));
    }
    String trustStoreType = props.getProperty(NiFiProperties.SECURITY_TRUSTSTORE_TYPE);
    if (StringUtils.isNotBlank(trustStoreType)) {
        contextFactory.setTrustStoreType(trustStoreType);
        String trustStoreProvider = KeyStoreUtils.getKeyStoreProvider(trustStoreType);
        if (StringUtils.isNoneEmpty(trustStoreProvider)) {
            contextFactory.setTrustStoreProvider(trustStoreProvider);
        }
    }
    if (StringUtils.isNotBlank(props.getProperty(NiFiProperties.SECURITY_TRUSTSTORE_PASSWD))) {
        contextFactory.setTrustStorePassword(props.getProperty(NiFiProperties.SECURITY_TRUSTSTORE_PASSWD));
    }
}
 

private SslContextFactory createSslContextFactory(RestConfig config) {
  SslContextFactory sslContextFactory = new SslContextFactory.Server();
  if (!config.getString(RestConfig.SSL_KEYSTORE_LOCATION_CONFIG).isEmpty()) {
    sslContextFactory.setKeyStorePath(
            config.getString(RestConfig.SSL_KEYSTORE_LOCATION_CONFIG)
    );
    sslContextFactory.setKeyStorePassword(
            config.getPassword(RestConfig.SSL_KEYSTORE_PASSWORD_CONFIG).value()
    );
    sslContextFactory.setKeyManagerPassword(
            config.getPassword(RestConfig.SSL_KEY_PASSWORD_CONFIG).value()
    );
    sslContextFactory.setKeyStoreType(
            config.getString(RestConfig.SSL_KEYSTORE_TYPE_CONFIG)
    );

    if (!config.getString(RestConfig.SSL_KEYMANAGER_ALGORITHM_CONFIG).isEmpty()) {
      sslContextFactory.setKeyManagerFactoryAlgorithm(
              config.getString(RestConfig.SSL_KEYMANAGER_ALGORITHM_CONFIG));
    }

    if (config.getBoolean(RestConfig.SSL_KEYSTORE_RELOAD_CONFIG)) {
      Path watchLocation = getWatchLocation(config);
      try {
        FileWatcher.onFileChange(watchLocation, () -> {
              // Need to reset the key store path for symbolic link case
              sslContextFactory.setKeyStorePath(
                  config.getString(RestConfig.SSL_KEYSTORE_LOCATION_CONFIG)
              );
              sslContextFactory.reload(scf -> log.info("Reloaded SSL cert"));
            }
        );
        log.info("Enabled SSL cert auto reload for: " + watchLocation);
      } catch (java.io.IOException e) {
        log.error("Can not enabled SSL cert auto reload", e);
      }
    }
  }

  configureClientAuth(sslContextFactory, config);

  List<String> enabledProtocols = config.getList(RestConfig.SSL_ENABLED_PROTOCOLS_CONFIG);
  if (!enabledProtocols.isEmpty()) {
    sslContextFactory.setIncludeProtocols(enabledProtocols.toArray(new String[0]));
  }

  List<String> cipherSuites = config.getList(RestConfig.SSL_CIPHER_SUITES_CONFIG);
  if (!cipherSuites.isEmpty()) {
    sslContextFactory.setIncludeCipherSuites(cipherSuites.toArray(new String[0]));
  }

  sslContextFactory.setEndpointIdentificationAlgorithm(
          config.getString(RestConfig.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG));

  if (!config.getString(RestConfig.SSL_TRUSTSTORE_LOCATION_CONFIG).isEmpty()) {
    sslContextFactory.setTrustStorePath(
            config.getString(RestConfig.SSL_TRUSTSTORE_LOCATION_CONFIG)
    );
    sslContextFactory.setTrustStorePassword(
            config.getPassword(RestConfig.SSL_TRUSTSTORE_PASSWORD_CONFIG).value()
    );
    sslContextFactory.setTrustStoreType(
            config.getString(RestConfig.SSL_TRUSTSTORE_TYPE_CONFIG)
    );

    if (!config.getString(RestConfig.SSL_TRUSTMANAGER_ALGORITHM_CONFIG).isEmpty()) {
      sslContextFactory.setTrustManagerFactoryAlgorithm(
              config.getString(RestConfig.SSL_TRUSTMANAGER_ALGORITHM_CONFIG)
      );
    }
  }

  sslContextFactory.setProtocol(config.getString(RestConfig.SSL_PROTOCOL_CONFIG));
  if (!config.getString(RestConfig.SSL_PROVIDER_CONFIG).isEmpty()) {
    sslContextFactory.setProtocol(config.getString(RestConfig.SSL_PROVIDER_CONFIG));
  }

  sslContextFactory.setRenegotiationAllowed(false);

  return sslContextFactory;
}
 

private static JettyServer createHttpsJettyServer(boolean clientAuth) throws IOException {
    Server server = new Server();
    HttpConfiguration https_config = new HttpConfiguration();
    https_config.setSecureScheme("https");
    int port;
    try (ServerSocket socket = new ServerSocket(0)) {
        port = socket.getLocalPort();
    }
    https_config.setSecurePort(port);
    https_config.setOutputBufferSize(32768);

    SslContextFactory sslContextFactory = new SslContextFactory();
    File keystoreFile = new File(DEFAULT_SERVER_KEY_STORE);
    if (!keystoreFile.exists()) {
        throw new FileNotFoundException();
    }

    String trustStorePath = DEFAULT_CA_TRUST_STORE;
    File trustStoreFile = new File(trustStorePath);
    if (!trustStoreFile.exists()) {
        throw new FileNotFoundException();
    }

    sslContextFactory.setEndpointIdentificationAlgorithm(null);

    sslContextFactory.setTrustStorePath(trustStorePath);
    sslContextFactory.setTrustStoreType(DEFAULT_SSL_STORE_TYPE);
    sslContextFactory.setTrustStorePassword(DEFAULT_CERT_PWD);

    sslContextFactory.setKeyStorePath(keystoreFile.getAbsolutePath());
    sslContextFactory.setKeyStoreType(DEFAULT_SSL_STORE_TYPE);
    sslContextFactory.setKeyStorePassword(DEFAULT_CERT_PWD);

    sslContextFactory.setProtocol(DEFAULT_SSL_PROTOCOL);
    sslContextFactory.setNeedClientAuth(clientAuth);

    ServerConnector https = new ServerConnector(server,
            new SslConnectionFactory(sslContextFactory,HttpVersion.HTTP_1_1.asString()),
            new HttpConnectionFactory(https_config));
    https.setPort(port);
    https.setIdleTimeout(500000);
    server.setConnectors(new Connector[] { https });
    HandlerList handlers = new HandlerList();
    ResourceHandler resourceHandler = new ResourceHandler();
    resourceHandler.setBaseResource(Resource.newResource("."));
    handlers.setHandlers(new Handler[]
            { resourceHandler, new DefaultHandler() });
    server.setHandler(handlers);
    return new JettyServer(server, port);
}
 

@Signature
public void listen(Memory value, ArrayMemory sslSettings) {
    ServerConnector connector;

    if (sslSettings != null) {
        SslContextFactory contextFactory = new SslContextFactory();

        // key store
        if (sslSettings.containsKey("keyStorePath"))
            contextFactory.setKeyStorePath(sslSettings.valueOfIndex("keyStorePath").toString());

        if (sslSettings.containsKey("keyStorePassword"))
            contextFactory.setKeyStoreType(sslSettings.valueOfIndex("keyStorePassword").toString());

        if (sslSettings.containsKey("keyStoreType"))
            contextFactory.setKeyStoreType(sslSettings.valueOfIndex("keyStoreType").toString());

        if (sslSettings.containsKey("keyStoreProvider"))
            contextFactory.setKeyStoreProvider(sslSettings.valueOfIndex("keyStoreProvider").toString());

        // trust store
        if (sslSettings.containsKey("trustStorePath"))
            contextFactory.setTrustStorePath(sslSettings.valueOfIndex("trustStorePath").toString());

        if (sslSettings.containsKey("trustStorePassword"))
            contextFactory.setTrustStoreType(sslSettings.valueOfIndex("trustStorePassword").toString());

        if (sslSettings.containsKey("trustStoreType"))
            contextFactory.setTrustStoreType(sslSettings.valueOfIndex("trustStoreType").toString());

        if (sslSettings.containsKey("trustStoreProvider"))
            contextFactory.setTrustStoreProvider(sslSettings.valueOfIndex("trustStoreProvider").toString());

        if (sslSettings.containsKey("trustAll"))
            contextFactory.setTrustAll(sslSettings.valueOfIndex("trustAll").toBoolean());

        if (sslSettings.containsKey("trustManagerFactoryAlgorithm"))
            contextFactory.setTrustManagerFactoryAlgorithm(sslSettings.valueOfIndex("trustManagerFactoryAlgorithm").toString());

        // key manager
        if (sslSettings.containsKey("keyManagerFactoryAlgorithm"))
            contextFactory.setKeyManagerFactoryAlgorithm(sslSettings.valueOfIndex("keyManagerFactoryAlgorithm").toString());

        if (sslSettings.containsKey("keyManagerPassword"))
            contextFactory.setKeyManagerPassword(sslSettings.valueOfIndex("keyManagerPassword").toString());

        // other
        if (sslSettings.containsKey("certAlias"))
            contextFactory.setCertAlias(sslSettings.valueOfIndex("certAlias").toString());

        if (sslSettings.containsKey("protocol"))
            contextFactory.setProtocol(sslSettings.valueOfIndex("protocol").toString());

        if (sslSettings.containsKey("provider"))
            contextFactory.setProvider(sslSettings.valueOfIndex("provider").toString());

        if (sslSettings.containsKey("validateCerts"))
            contextFactory.setValidateCerts(sslSettings.valueOfIndex("validateCerts").toBoolean());

        connector = new ServerConnector(server, contextFactory);
    } else {
        connector = new ServerConnector(server);
    }

    if (value.isNumber()) {
        connector.setName("0.0.0.0:" + value.toInteger());
        connector.setPort(value.toInteger());
    } else {
        String[] strings = value.toString().split("\\:");

        if (strings.length < 2) {
            throw new IllegalArgumentException("Invalid listen value: " + value);
        }

        connector.setHost(strings[0]);
        connector.setPort(Integer.parseInt(strings[1]));
        connector.setName(strings[0] + ":" + strings[1]);
    }

    server.addConnector(connector);
}
 

private void createSecureConnector(final Map<String, String> sslProperties) {
    SslContextFactory ssl = new SslContextFactory();

    if (sslProperties.get(StandardSSLContextService.KEYSTORE.getName()) != null) {
        ssl.setKeyStorePath(sslProperties.get(StandardSSLContextService.KEYSTORE.getName()));
        ssl.setKeyStorePassword(sslProperties.get(StandardSSLContextService.KEYSTORE_PASSWORD.getName()));
        ssl.setKeyStoreType(sslProperties.get(StandardSSLContextService.KEYSTORE_TYPE.getName()));
    }

    if (sslProperties.get(StandardSSLContextService.TRUSTSTORE.getName()) != null) {
        ssl.setTrustStorePath(sslProperties.get(StandardSSLContextService.TRUSTSTORE.getName()));
        ssl.setTrustStorePassword(sslProperties.get(StandardSSLContextService.TRUSTSTORE_PASSWORD.getName()));
        ssl.setTrustStoreType(sslProperties.get(StandardSSLContextService.TRUSTSTORE_TYPE.getName()));
    }

    final String clientAuth = sslProperties.get(NEED_CLIENT_AUTH);
    if (clientAuth == null) {
        ssl.setNeedClientAuth(true);
    } else {
        ssl.setNeedClientAuth(Boolean.parseBoolean(clientAuth));
    }

    // Need to set SslContextFactory's endpointIdentificationAlgorithm to null; this is a server,
    // not a client.  Server does not need to perform hostname verification on the client.
    // Previous to Jetty 9.4.15.v20190215, this defaulted to null, and now defaults to "HTTPS".
    ssl.setEndpointIdentificationAlgorithm(null);

    // build the connector
    final ServerConnector https = new ServerConnector(jetty, ssl);

    // set host and port
    https.setPort(0);
    // Severely taxed environments may have significant delays when executing.
    https.setIdleTimeout(30000L);

    // add the connector
    jetty.addConnector(https);

    // mark secure as enabled
    secure = true;
}
 

private static SslContextFactory createSslContextFactory(KarelDbConfig config) {
    SslContextFactory sslContextFactory = new SslContextFactory();
    if (!config.getString(KarelDbConfig.SSL_KEYSTORE_LOCATION_CONFIG).isEmpty()) {
        sslContextFactory.setKeyStorePath(
            config.getString(KarelDbConfig.SSL_KEYSTORE_LOCATION_CONFIG)
        );
        sslContextFactory.setKeyStorePassword(
            config.getPassword(KarelDbConfig.SSL_KEYSTORE_PASSWORD_CONFIG).value()
        );
        sslContextFactory.setKeyManagerPassword(
            config.getPassword(KarelDbConfig.SSL_KEY_PASSWORD_CONFIG).value()
        );
        sslContextFactory.setKeyStoreType(
            config.getString(KarelDbConfig.SSL_KEYSTORE_TYPE_CONFIG)
        );

        if (!config.getString(KarelDbConfig.SSL_KEYMANAGER_ALGORITHM_CONFIG).isEmpty()) {
            sslContextFactory.setKeyManagerFactoryAlgorithm(
                config.getString(KarelDbConfig.SSL_KEYMANAGER_ALGORITHM_CONFIG));
        }
    }

    configureClientAuth(config, sslContextFactory);

    List<String> enabledProtocols = config.getList(KarelDbConfig.SSL_ENABLED_PROTOCOLS_CONFIG);
    if (!enabledProtocols.isEmpty()) {
        sslContextFactory.setIncludeProtocols(enabledProtocols.toArray(new String[0]));
    }

    List<String> cipherSuites = config.getList(KarelDbConfig.SSL_CIPHER_SUITES_CONFIG);
    if (!cipherSuites.isEmpty()) {
        sslContextFactory.setIncludeCipherSuites(cipherSuites.toArray(new String[0]));
    }

    sslContextFactory.setEndpointIdentificationAlgorithm(
        config.getString(KarelDbConfig.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG));

    if (!config.getString(KarelDbConfig.SSL_TRUSTSTORE_LOCATION_CONFIG).isEmpty()) {
        sslContextFactory.setTrustStorePath(
            config.getString(KarelDbConfig.SSL_TRUSTSTORE_LOCATION_CONFIG)
        );
        sslContextFactory.setTrustStorePassword(
            config.getPassword(KarelDbConfig.SSL_TRUSTSTORE_PASSWORD_CONFIG).value()
        );
        sslContextFactory.setTrustStoreType(
            config.getString(KarelDbConfig.SSL_TRUSTSTORE_TYPE_CONFIG)
        );

        if (!config.getString(KarelDbConfig.SSL_TRUSTMANAGER_ALGORITHM_CONFIG).isEmpty()) {
            sslContextFactory.setTrustManagerFactoryAlgorithm(
                config.getString(KarelDbConfig.SSL_TRUSTMANAGER_ALGORITHM_CONFIG)
            );
        }
    }

    sslContextFactory.setProtocol(config.getString(KarelDbConfig.SSL_PROTOCOL_CONFIG));
    if (!config.getString(KarelDbConfig.SSL_PROVIDER_CONFIG).isEmpty()) {
        sslContextFactory.setProtocol(config.getString(KarelDbConfig.SSL_PROVIDER_CONFIG));
    }

    sslContextFactory.setRenegotiationAllowed(false);

    return sslContextFactory;
}
 

@BeforeClass
public static void setup() throws Exception {
    server = new Server(0);

    final ContextHandlerCollection handlerCollection = new ContextHandlerCollection();

    final ServletContextHandler contextHandler = new ServletContextHandler();
    servletHandler = new ServletHandler();
    contextHandler.insertHandler(servletHandler);

    handlerCollection.setHandlers(new Handler[]{contextHandler});

    server.setHandler(handlerCollection);

    httpConnector = new ServerConnector(server);
    httpConnector.setPort(50010);

    final SslContextFactory sslContextFactory = new SslContextFactory();
    sslContextFactory.setKeyStorePath("src/test/resources/certs/keystore.jks");
    sslContextFactory.setKeyStorePassword("passwordpassword");
    sslContextFactory.setKeyStoreType("JKS");

    // Need to set SslContextFactory's endpointIdentificationAlgorithm to null; this is a server,
    // not a client.  Server does not need to perform hostname verification on the client.
    // Previous to Jetty 9.4.15.v20190215, this defaulted to null, and now defaults to "HTTPS".
    sslContextFactory.setEndpointIdentificationAlgorithm(null);

    final HttpConfiguration https = new HttpConfiguration();
    https.addCustomizer(new SecureRequestCustomizer());
    sslConnector = new ServerConnector(server,
            new SslConnectionFactory(sslContextFactory, "http/1.1"),
            new HttpConnectionFactory(https));
    sslConnector.setPort(50011);


    server.setConnectors(new Connector[]{httpConnector, sslConnector});

    servletHolder = servletHandler.addServletWithMapping(WSServlet.class, "/test");
    servletHolder = servletHandler.addServletWithMapping(ConnectionCheckServlet.class, "/check");

    server.start();

    logger.info("Starting server on port {} for HTTP, and {} for HTTPS", httpConnector.getLocalPort(), sslConnector.getLocalPort());


}