Java Code Examples for org.eclipse.jetty.util.ssl.SslContextFactory#setTrustStoreType()

/**
 * Configures TrustStore related settings in SslContextFactory.
 */
protected static void configureSslContextFactoryTrustStore(SslContextFactory ssl,
                                                           Map<String, Object> sslConfigValues) {
    ssl.setTrustStoreType(
        (String) getOrDefault(
            sslConfigValues,
            SslConfigs.SSL_TRUSTSTORE_TYPE_CONFIG,
            SslConfigs.DEFAULT_SSL_TRUSTSTORE_TYPE));

    String sslTruststoreLocation = (String) sslConfigValues.get(SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG);
    if (sslTruststoreLocation != null) {
        ssl.setTrustStorePath(sslTruststoreLocation);
    }

    Password sslTruststorePassword =
        new Password((String) sslConfigValues.get(SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG));
    if (sslTruststorePassword != null) {
        ssl.setTrustStorePassword(sslTruststorePassword.value());
    }
}
 

protected SslContextFactory createSslFactory(final SSLContextService sslService, final boolean needClientAuth, final boolean wantClientAuth) {
    final SslContextFactory sslFactory = new SslContextFactory();

    sslFactory.setNeedClientAuth(needClientAuth);
    sslFactory.setWantClientAuth(wantClientAuth);

    if (sslService.isKeyStoreConfigured()) {
        sslFactory.setKeyStorePath(sslService.getKeyStoreFile());
        sslFactory.setKeyStorePassword(sslService.getKeyStorePassword());
        sslFactory.setKeyStoreType(sslService.getKeyStoreType());
    }

    if (sslService.isTrustStoreConfigured()) {
        sslFactory.setTrustStorePath(sslService.getTrustStoreFile());
        sslFactory.setTrustStorePassword(sslService.getTrustStorePassword());
        sslFactory.setTrustStoreType(sslService.getTrustStoreType());
    }

    return sslFactory;
}
 

private SslContextFactory createSslFactory(final SSLContextService sslService, final boolean needClientAuth, final boolean wantClientAuth) {
    final SslContextFactory sslFactory = new SslContextFactory();

    sslFactory.setNeedClientAuth(needClientAuth);
    sslFactory.setWantClientAuth(wantClientAuth);

    if (sslService.isKeyStoreConfigured()) {
        sslFactory.setKeyStorePath(sslService.getKeyStoreFile());
        sslFactory.setKeyStorePassword(sslService.getKeyStorePassword());
        sslFactory.setKeyStoreType(sslService.getKeyStoreType());
    }

    if (sslService.isTrustStoreConfigured()) {
        sslFactory.setTrustStorePath(sslService.getTrustStoreFile());
        sslFactory.setTrustStorePassword(sslService.getTrustStorePassword());
        sslFactory.setTrustStoreType(sslService.getTrustStoreType());
    }

    return sslFactory;
}
 

protected SslContextFactory createSslFactory(final SSLContextService sslService, final boolean needClientAuth, final boolean wantClientAuth, final String endpointIdentificationAlgorithm) {
    final SslContextFactory sslFactory = new SslContextFactory();

    sslFactory.setNeedClientAuth(needClientAuth);
    sslFactory.setWantClientAuth(wantClientAuth);

    // Need to set SslContextFactory's endpointIdentificationAlgorithm.
    // For clients, hostname verification should be enabled.
    // For servers, hostname verification should be disabled.
    // Previous to Jetty 9.4.15.v20190215, this defaulted to null, and now defaults to "HTTPS".
    sslFactory.setEndpointIdentificationAlgorithm(endpointIdentificationAlgorithm);

    if (sslService.isKeyStoreConfigured()) {
        sslFactory.setKeyStorePath(sslService.getKeyStoreFile());
        sslFactory.setKeyStorePassword(sslService.getKeyStorePassword());
        sslFactory.setKeyStoreType(sslService.getKeyStoreType());
    }

    if (sslService.isTrustStoreConfigured()) {
        sslFactory.setTrustStorePath(sslService.getTrustStoreFile());
        sslFactory.setTrustStorePassword(sslService.getTrustStorePassword());
        sslFactory.setTrustStoreType(sslService.getTrustStoreType());
    }

    return sslFactory;
}
 

@Bean
public SslContextFactory jettySslContextFactory() {
    SslContextFactory sslContextFactory = new SslContextFactory(SecurityUtils.replaceFourSlashes(keyStore));
    sslContextFactory.setProtocol(protocol);
    sslContextFactory.setKeyStorePassword(keyStorePassword);
    sslContextFactory.setKeyStoreType(keyStoreType);
    sslContextFactory.setCertAlias(keyAlias);

    if (trustStore != null) {
        sslContextFactory.setTrustStorePath(SecurityUtils.replaceFourSlashes(trustStore));
        sslContextFactory.setTrustStoreType(trustStoreType);
        sslContextFactory.setTrustStorePassword(trustStorePassword);
    }
    log.debug("jettySslContextFactory: {}", sslContextFactory.dump());

    if (!verifySslCertificatesOfServices) {
        sslContextFactory.setTrustAll(true);
    }

    return sslContextFactory;
}
 

public SslContextFactory getSslContextFactory() throws GeneralSecurityException, IOException {
    SslContextFactory sslContextFactory = new SslContextFactory();
    KeyStore keyStore = KeyStore.getInstance(properties.getProperty(MINIFI_C2_SERVER_KEYSTORE_TYPE));
    Path keyStorePath = Paths.get(C2_SERVER_HOME).resolve(properties.getProperty(MINIFI_C2_SERVER_KEYSTORE)).toAbsolutePath();
    logger.debug("keystore path: " + keyStorePath);
    try (InputStream inputStream = Files.newInputStream(keyStorePath)) {
        keyStore.load(inputStream, properties.getProperty(MINIFI_C2_SERVER_KEYSTORE_PASSWD).toCharArray());
    }
    sslContextFactory.setKeyStore(keyStore);
    sslContextFactory.setKeyManagerPassword(properties.getProperty(MINIFI_C2_SERVER_KEY_PASSWD));
    sslContextFactory.setWantClientAuth(true);

    String trustStorePath = Paths.get(C2_SERVER_HOME).resolve(properties.getProperty(MINIFI_C2_SERVER_TRUSTSTORE)).toAbsolutePath().toFile().getAbsolutePath();
    logger.debug("truststore path: " + trustStorePath);
    sslContextFactory.setTrustStorePath(trustStorePath);
    sslContextFactory.setTrustStoreType(properties.getProperty(MINIFI_C2_SERVER_TRUSTSTORE_TYPE));
    sslContextFactory.setTrustStorePassword(properties.getProperty(MINIFI_C2_SERVER_TRUSTSTORE_PASSWD));
    try {
        sslContextFactory.start();
    } catch (Exception e) {
        throw new IOException(e);
    }
    return sslContextFactory;
}
 

private SslContextFactory createSslFactory(final SSLContextService sslService, final boolean needClientAuth, final boolean wantClientAuth) {
    final SslContextFactory sslFactory = new SslContextFactory();

    sslFactory.setNeedClientAuth(needClientAuth);
    sslFactory.setWantClientAuth(wantClientAuth);

    sslFactory.setProtocol(sslService.getSslAlgorithm());

    // Need to set SslContextFactory's endpointIdentificationAlgorithm to null; this is a server,
    // not a client.  Server does not need to perform hostname verification on the client.
    // Previous to Jetty 9.4.15.v20190215, this defaulted to null.
    sslFactory.setEndpointIdentificationAlgorithm(null);

    if (sslService.isKeyStoreConfigured()) {
        sslFactory.setKeyStorePath(sslService.getKeyStoreFile());
        sslFactory.setKeyStorePassword(sslService.getKeyStorePassword());
        sslFactory.setKeyStoreType(sslService.getKeyStoreType());
    }

    if (sslService.isTrustStoreConfigured()) {
        sslFactory.setTrustStorePath(sslService.getTrustStoreFile());
        sslFactory.setTrustStorePassword(sslService.getTrustStorePassword());
        sslFactory.setTrustStoreType(sslService.getTrustStoreType());
    }

    return sslFactory;
}
 

private void createSecureConnector(final Map<String, String> sslProperties) {
    SslContextFactory ssl = new SslContextFactory();

    if (sslProperties.get(StandardSSLContextService.KEYSTORE.getName()) != null) {
        ssl.setKeyStorePath(sslProperties.get(StandardSSLContextService.KEYSTORE.getName()));
        ssl.setKeyStorePassword(sslProperties.get(StandardSSLContextService.KEYSTORE_PASSWORD.getName()));
        ssl.setKeyStoreType(sslProperties.get(StandardSSLContextService.KEYSTORE_TYPE.getName()));
    }

    if (sslProperties.get(StandardSSLContextService.TRUSTSTORE.getName()) != null) {
        ssl.setTrustStorePath(sslProperties.get(StandardSSLContextService.TRUSTSTORE.getName()));
        ssl.setTrustStorePassword(sslProperties.get(StandardSSLContextService.TRUSTSTORE_PASSWORD.getName()));
        ssl.setTrustStoreType(sslProperties.get(StandardSSLContextService.TRUSTSTORE_TYPE.getName()));
    }

    final String clientAuth = sslProperties.get(NEED_CLIENT_AUTH);
    if (clientAuth == null) {
        ssl.setNeedClientAuth(true);
    } else {
        ssl.setNeedClientAuth(Boolean.parseBoolean(clientAuth));
    }

    // build the connector
    final ServerConnector https = new ServerConnector(jetty, ssl);

    // set host and port
    https.setPort(0);
    // Severely taxed environments may have significant delays when executing.
    https.setIdleTimeout(30000L);

    // add the connector
    jetty.addConnector(https);

    // mark secure as enabled
    secure = true;
}
 

private void createSecureConnector(final Map<String, String> sslProperties) {
    SslContextFactory ssl = new SslContextFactory();

    if (sslProperties.get(StandardSSLContextService.KEYSTORE.getName()) != null) {
        ssl.setKeyStorePath(sslProperties.get(StandardSSLContextService.KEYSTORE.getName()));
        ssl.setKeyStorePassword(sslProperties.get(StandardSSLContextService.KEYSTORE_PASSWORD.getName()));
        ssl.setKeyStoreType(sslProperties.get(StandardSSLContextService.KEYSTORE_TYPE.getName()));
    }

    if (sslProperties.get(StandardSSLContextService.TRUSTSTORE.getName()) != null) {
        ssl.setTrustStorePath(sslProperties.get(StandardSSLContextService.TRUSTSTORE.getName()));
        ssl.setTrustStorePassword(sslProperties.get(StandardSSLContextService.TRUSTSTORE_PASSWORD.getName()));
        ssl.setTrustStoreType(sslProperties.get(StandardSSLContextService.TRUSTSTORE_TYPE.getName()));
    }

    final String clientAuth = sslProperties.get(NEED_CLIENT_AUTH);
    if (clientAuth == null) {
        ssl.setNeedClientAuth(true);
    } else {
        ssl.setNeedClientAuth(Boolean.parseBoolean(clientAuth));
    }

    // build the connector
    final ServerConnector https = new ServerConnector(jetty, ssl);

    // set host and port
    https.setPort(0);
    // Severely taxed environments may have significant delays when executing.
    https.setIdleTimeout(30000L);

    // add the connector
    jetty.addConnector(https);

    // mark secure as enabled
    secure = true;
}
 

private void createSecureConnector(Properties properties) {
    SslContextFactory ssl = new SslContextFactory();

    if (properties.getProperty(KEYSTORE_LOCATION_KEY) != null) {
        ssl.setKeyStorePath(properties.getProperty(KEYSTORE_LOCATION_KEY));
        ssl.setKeyStorePassword(properties.getProperty(KEYSTORE_PASSWORD_KEY));
        ssl.setKeyStoreType(properties.getProperty(KEYSTORE_TYPE_KEY));
    }

    if (properties.getProperty(TRUSTSTORE_LOCATION_KEY) != null) {
        ssl.setTrustStorePath(properties.getProperty(TRUSTSTORE_LOCATION_KEY));
        ssl.setTrustStorePassword(properties.getProperty(TRUSTSTORE_PASSWORD_KEY));
        ssl.setTrustStoreType(properties.getProperty(TRUSTSTORE_TYPE_KEY));
        ssl.setNeedClientAuth(Boolean.parseBoolean(properties.getProperty(NEED_CLIENT_AUTH_KEY, "true")));
    }

    // build the connector
    final ServerConnector https = new ServerConnector(jetty, ssl);

    // set host and port
    https.setPort(Integer.parseInt(properties.getProperty(PORT_KEY, "0")));
    https.setHost(properties.getProperty(HOST_KEY, "localhost"));

    // Severely taxed environments may have significant delays when executing.
    https.setIdleTimeout(30000L);

    // add the connector
    jetty.addConnector(https);

    logger.info("Added an https connector on the host '{}' and port '{}'", new Object[]{https.getHost(), https.getPort()});
}
 

protected static void configureSslContextFactory(SslContextFactory contextFactory, NiFiProperties props) {
    // Need to set SslContextFactory's endpointIdentificationAlgorithm to null; this is a server,
    // not a client.  Server does not need to perform hostname verification on the client.
    // Previous to Jetty 9.4.15.v20190215, this defaulted to null, and now defaults to "HTTPS".
    contextFactory.setEndpointIdentificationAlgorithm(null);

    // Explicitly exclude legacy TLS protocol versions
    // contextFactory.setProtocol(CertificateUtils.getHighestCurrentSupportedTlsProtocolVersion());
    contextFactory.setIncludeProtocols(CertificateUtils.getCurrentSupportedTlsProtocolVersions());
    contextFactory.setExcludeProtocols("TLS", "TLSv1", "TLSv1.1", "SSL", "SSLv2", "SSLv2Hello", "SSLv3");

    // require client auth when not supporting login, Kerberos service, or anonymous access
    if (props.isClientAuthRequiredForRestApi()) {
        contextFactory.setNeedClientAuth(true);
    } else {
        contextFactory.setWantClientAuth(true);
    }

    /* below code sets JSSE system properties when values are provided */
    // keystore properties
    if (StringUtils.isNotBlank(props.getProperty(NiFiProperties.SECURITY_KEYSTORE))) {
        contextFactory.setKeyStorePath(props.getProperty(NiFiProperties.SECURITY_KEYSTORE));
    }
    String keyStoreType = props.getProperty(NiFiProperties.SECURITY_KEYSTORE_TYPE);
    if (StringUtils.isNotBlank(keyStoreType)) {
        contextFactory.setKeyStoreType(keyStoreType);
        String keyStoreProvider = KeyStoreUtils.getKeyStoreProvider(keyStoreType);
        if (StringUtils.isNoneEmpty(keyStoreProvider)) {
            contextFactory.setKeyStoreProvider(keyStoreProvider);
        }
    }
    final String keystorePassword = props.getProperty(NiFiProperties.SECURITY_KEYSTORE_PASSWD);
    final String keyPassword = props.getProperty(NiFiProperties.SECURITY_KEY_PASSWD);
    if (StringUtils.isNotBlank(keystorePassword)) {
        // if no key password was provided, then assume the keystore password is the same as the key password.
        final String defaultKeyPassword = (StringUtils.isBlank(keyPassword)) ? keystorePassword : keyPassword;
        contextFactory.setKeyStorePassword(keystorePassword);
        contextFactory.setKeyManagerPassword(defaultKeyPassword);
    } else if (StringUtils.isNotBlank(keyPassword)) {
        // since no keystore password was provided, there will be no keystore integrity check
        contextFactory.setKeyManagerPassword(keyPassword);
    }

    // truststore properties
    if (StringUtils.isNotBlank(props.getProperty(NiFiProperties.SECURITY_TRUSTSTORE))) {
        contextFactory.setTrustStorePath(props.getProperty(NiFiProperties.SECURITY_TRUSTSTORE));
    }
    String trustStoreType = props.getProperty(NiFiProperties.SECURITY_TRUSTSTORE_TYPE);
    if (StringUtils.isNotBlank(trustStoreType)) {
        contextFactory.setTrustStoreType(trustStoreType);
        String trustStoreProvider = KeyStoreUtils.getKeyStoreProvider(trustStoreType);
        if (StringUtils.isNoneEmpty(trustStoreProvider)) {
            contextFactory.setTrustStoreProvider(trustStoreProvider);
        }
    }
    if (StringUtils.isNotBlank(props.getProperty(NiFiProperties.SECURITY_TRUSTSTORE_PASSWD))) {
        contextFactory.setTrustStorePassword(props.getProperty(NiFiProperties.SECURITY_TRUSTSTORE_PASSWD));
    }
}
 

public void initialiseConnectors() throws Exception {
    threadPool = new QueuedThreadPool();
    threadPool.setMaxThreads(maxThreads);
    threadPool.setMinThreads(minThreads);
    threadPool.setName("JettyThread");
    jettyServer = new Server(threadPool);

    jettyServer.setStopAtShutdown(true);

    MBeanContainer container = new MBeanContainer(mbeanServer);
    jettyServer.addBean(container);

    LowResourceMonitor lowResourcesMonitor = new LowResourceMonitor(jettyServer);
    lowResourcesMonitor.setPeriod(lowResourcesPeriod);
    lowResourcesMonitor.setLowResourcesIdleTimeout(lowResourcesIdleTime);
    lowResourcesMonitor.setMonitorThreads(lowResourcesMonitorThreads);
    lowResourcesMonitor.setMaxConnections(lowResourcesMaxConnections);
    lowResourcesMonitor.setMaxMemory(lowResourcesMaxMemory);
    lowResourcesMonitor.setMaxLowResourcesTime(lowResourcesMaxTime);
    jettyServer.addBean(lowResourcesMonitor);

    // US24803 - Needed for preventing Hashtable key collision DoS CVE-2012-2739
    jettyServer.setAttribute("org.eclipse.jetty.server.Request.maxFormContentSize", maxFormContentSize);

    List<Connector> connectors = new ArrayList<Connector>();

    if (httpPort != -1) {
        httpConfiguration = createHttpConfiguration();
        setBufferSizes(httpConfiguration);
        if (httpForwarded) {
            httpConfiguration.addCustomizer(new ForwardedRequestCustomizer());
        }
        httpConnector = createHttpConnector(jettyServer, httpConfiguration, httpAcceptors, httpSelectors);
        httpConnector.setPort(httpPort);
        httpConnector.setReuseAddress(httpReuseAddress);
        httpConnector.setIdleTimeout(httpMaxIdle);
        httpConnector.setAcceptQueueSize(httpAcceptQueueSize);
        httpConnector.addBean(new ConnectorStatistics());

        connectors.add(httpConnector);
    }

    if (httpsPort != -1) {
        SslContextFactory sslContextFactory = new SslContextFactory();
        sslContextFactory.setKeyStorePath(httpsKeystore.getFile().getCanonicalPath());
        sslContextFactory.setKeyStoreType(httpsKeystoreType);
        sslContextFactory.setKeyStorePassword(httpsKeyPassword);
        if (StringUtils.isNotBlank(httpsCertAlias)) {
            sslContextFactory.setCertAlias(httpsCertAlias);
        }
        sslContextFactory.setKeyManagerPassword(httpsKeyPassword);
        // if you need it then you defo want it
        sslContextFactory.setWantClientAuth(httpsNeedClientAuth || httpsWantClientAuth);
        sslContextFactory.setNeedClientAuth(httpsNeedClientAuth);
        sslContextFactory.setRenegotiationAllowed(httpsAllowRenegotiate);

        httpsConfiguration = createHttpConfiguration();
        setBufferSizes(httpsConfiguration);
        if (httpsForwarded) {
            httpsConfiguration.addCustomizer(new ForwardedRequestCustomizer());
        }

        httpsConnector = createHttpsConnector(jettyServer, httpsConfiguration, httpsAcceptors, httpsSelectors, sslContextFactory);
        httpsConnector.setPort(httpsPort);
        httpsConnector.setReuseAddress(httpsReuseAddress);
        httpsConnector.setIdleTimeout(httpsMaxIdle);
        httpsConnector.setAcceptQueueSize(httpsAcceptQueueSize);
        httpsConnector.addBean(new ConnectorStatistics());

        mbeanServer.registerMBean(getKeystoreCertificateChains(), new ObjectName("CoUGAR.https:name=keyStore"));
        // truststore is not required if we don't want client auth
        if (httpsWantClientAuth) {
            sslContextFactory.setTrustStorePath(httpsTruststore.getFile().getCanonicalPath());
            sslContextFactory.setTrustStoreType(httpsTruststoreType);
            sslContextFactory.setTrustStorePassword(httpsTrustPassword);
            mbeanServer.registerMBean(getTruststoreCertificateChains(), new ObjectName("CoUGAR.https:name=trustStore"));
        }
        connectors.add(httpsConnector);
    }

    if (connectors.size() == 0) {
        throw new IllegalStateException("HTTP transport requires at least one port enabled to function correctly.");
    }

    jettyServer.setConnectors(connectors.toArray(new Connector[connectors.size()]));
}
 

public static WebSocketClient createWebSocketClient(String resourceUrl, TlsConfigBean tlsConf) {
  try {
    resourceUrl = resourceUrl.toLowerCase();
    if (resourceUrl.startsWith("wss")) {
      SslContextFactory sslContextFactory = new SslContextFactory();
      if (tlsConf != null && tlsConf.isEnabled() && tlsConf.isInitialized()) {
        if (tlsConf.getKeyStore() != null) {
          sslContextFactory.setKeyStore(tlsConf.getKeyStore());
        } else {
          if (tlsConf.keyStoreFilePath != null) {
            sslContextFactory.setKeyStorePath(tlsConf.keyStoreFilePath);
          }
          if (tlsConf.keyStoreType != null) {
            sslContextFactory.setKeyStoreType(tlsConf.keyStoreType.getJavaValue());
          }
        }
        if (tlsConf.keyStorePassword != null) {
          sslContextFactory.setKeyStorePassword(tlsConf.keyStorePassword.get());
        }
        if (tlsConf.getTrustStore() != null) {
          sslContextFactory.setTrustStore(tlsConf.getTrustStore());
        } else {
          if (tlsConf.trustStoreFilePath != null) {
            sslContextFactory.setTrustStorePath(tlsConf.trustStoreFilePath);
          }
          if (tlsConf.trustStoreType != null) {
            sslContextFactory.setTrustStoreType(tlsConf.trustStoreType.getJavaValue());
          }
        }
        if (tlsConf.trustStorePassword != null) {
          sslContextFactory.setTrustStorePassword(tlsConf.trustStorePassword.get());
        }

        sslContextFactory.setSslContext(tlsConf.getSslContext());
        sslContextFactory.setIncludeCipherSuites(tlsConf.getFinalCipherSuites());
        sslContextFactory.setIncludeProtocols(tlsConf.getFinalProtocols());
      }
      return new WebSocketClient(sslContextFactory);
    } else {
     return new WebSocketClient();
    }
  } catch (Exception e) {
    throw new IllegalArgumentException(resourceUrl, e);
  }
}
 

@Override
public Server getObject() throws Exception {

    // Setup ThreadPool
    QueuedThreadPool threadPool = new QueuedThreadPool(
            jettyConfiguration.getPoolMaxThreads(),
            jettyConfiguration.getPoolMinThreads(),
            jettyConfiguration.getPoolIdleTimeout(),
            new ArrayBlockingQueue<Runnable>(jettyConfiguration.getPoolQueueSize())
    );
    threadPool.setName("gravitee-listener");

    Server server = new Server(threadPool);

    // Extra options
    server.setDumpAfterStart(false);
    server.setDumpBeforeStop(false);
    server.setStopAtShutdown(true);

    // Setup JMX
    if (jettyConfiguration.isJmxEnabled()) {
        MBeanContainer mbContainer = new MBeanContainer(
                ManagementFactory.getPlatformMBeanServer());
        server.addBean(mbContainer);
    }

    // HTTP Configuration
    HttpConfiguration httpConfig = new HttpConfiguration();
    httpConfig.setOutputBufferSize(32768);
    httpConfig.setRequestHeaderSize(8192);
    httpConfig.setResponseHeaderSize(8192);
    httpConfig.setSendServerVersion(false);
    httpConfig.setSendDateHeader(false);

    // Setup Jetty HTTP or HTTPS Connector
    if (jettyConfiguration.isSecured()) {
        httpConfig.setSecureScheme("https");
        httpConfig.setSecurePort(jettyConfiguration.getHttpPort());

        // SSL Context Factory
        SslContextFactory sslContextFactory = new SslContextFactory.Server();

        if (jettyConfiguration.getKeyStorePath() != null) {
            sslContextFactory.setKeyStorePath(jettyConfiguration.getKeyStorePath());
            sslContextFactory.setKeyStorePassword(jettyConfiguration.getKeyStorePassword());

            if (KEYSTORE_TYPE_PKCS12.equalsIgnoreCase(jettyConfiguration.getKeyStoreType())) {
                sslContextFactory.setKeyStoreType(KEYSTORE_TYPE_PKCS12);
            }
        }

        if (jettyConfiguration.getTrustStorePath() != null) {
            sslContextFactory.setTrustStorePath(jettyConfiguration.getTrustStorePath());
            sslContextFactory.setTrustStorePassword(jettyConfiguration.getTrustStorePassword());

            if (KEYSTORE_TYPE_PKCS12.equalsIgnoreCase(jettyConfiguration.getTrustStoreType())) {
                sslContextFactory.setTrustStoreType(KEYSTORE_TYPE_PKCS12);
            }
        }

        HttpConfiguration httpsConfig = new HttpConfiguration(httpConfig);
        httpsConfig.addCustomizer(new SecureRequestCustomizer());

        ServerConnector https = new ServerConnector(server,
                new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()),
                new HttpConnectionFactory(httpsConfig));
        https.setHost(jettyConfiguration.getHttpHost());
        https.setPort(jettyConfiguration.getHttpPort());
        server.addConnector(https);
    } else {
        ServerConnector http = new ServerConnector(server,
                jettyConfiguration.getAcceptors(),
                jettyConfiguration.getSelectors(),
                new HttpConnectionFactory(httpConfig));
        http.setHost(jettyConfiguration.getHttpHost());
        http.setPort(jettyConfiguration.getHttpPort());
        http.setIdleTimeout(jettyConfiguration.getIdleTimeout());

        server.addConnector(http);
    }

    // Setup Jetty statistics
    if (jettyConfiguration.isStatisticsEnabled()) {
        StatisticsHandler stats = new StatisticsHandler();
        stats.setHandler(server.getHandler());
        server.setHandler(stats);
    }

    if (jettyConfiguration.isAccessLogEnabled()) {
        CustomRequestLog requestLog = new CustomRequestLog(
                new AsyncRequestLogWriter(jettyConfiguration.getAccessLogPath()),
                CustomRequestLog.EXTENDED_NCSA_FORMAT);

        server.setRequestLog(requestLog);
    }

    return server;
}
 

public static SslContextFactory createSSLContextObject(final String[] clientProtocols,
        final PrivateKeyStore privateKeyStore) {
    
    String keyStorePath = System.getProperty(ZTSConsts.ZTS_PROP_KEYSTORE_PATH);
    String keyStorePasswordAppName = System.getProperty(ZTSConsts.ZTS_PROP_KEYSTORE_PASSWORD_APPNAME);
    String keyStorePassword = System.getProperty(ZTSConsts.ZTS_PROP_KEYSTORE_PASSWORD);
    String keyStoreType = System.getProperty(ZTSConsts.ZTS_PROP_KEYSTORE_TYPE, "PKCS12");
    String keyManagerPassword = System.getProperty(ZTSConsts.ZTS_PROP_KEYMANAGER_PASSWORD);
    String keyManagerPasswordAppName = System.getProperty(ZTSConsts.ZTS_PROP_KEYMANAGER_PASSWORD_APPNAME);

    String trustStorePath = System.getProperty(ZTSConsts.ZTS_PROP_TRUSTSTORE_PATH);
    String trustStorePassword = System.getProperty(ZTSConsts.ZTS_PROP_TRUSTSTORE_PASSWORD);
    String trustStorePasswordAppName = System.getProperty(ZTSConsts.ZTS_PROP_TRUSTSTORE_PASSWORD_APPNAME);

    String trustStoreType = System.getProperty(ZTSConsts.ZTS_PROP_TRUSTSTORE_TYPE, "PKCS12");
    String excludedCipherSuites = System.getProperty(ZTSConsts.ZTS_PROP_EXCLUDED_CIPHER_SUITES,
            ZTS_DEFAULT_EXCLUDED_CIPHER_SUITES);
    String excludedProtocols = System.getProperty(ZTSConsts.ZTS_PROP_EXCLUDED_PROTOCOLS,
            ZTS_DEFAULT_EXCLUDED_PROTOCOLS);
    boolean wantClientAuth = Boolean.parseBoolean(System.getProperty(ZTSConsts.ZTS_PROP_WANT_CLIENT_CERT, "false"));
    
    SslContextFactory sslContextFactory = new SslContextFactory();
    if (keyStorePath != null) {
        LOGGER.info("createSSLContextObject: using SSL KeyStore path: " + keyStorePath);
        sslContextFactory.setKeyStorePath(keyStorePath);
    }
    
    if (keyStorePassword != null) {
        keyStorePassword = getApplicationSecret(privateKeyStore, keyStorePasswordAppName, keyStorePassword);
        sslContextFactory.setKeyStorePassword(keyStorePassword);
    }
    sslContextFactory.setKeyStoreType(keyStoreType);

    if (keyManagerPassword != null) {
        keyManagerPassword = getApplicationSecret(privateKeyStore, keyManagerPasswordAppName, keyManagerPassword);
        sslContextFactory.setKeyManagerPassword(keyManagerPassword);
    }
    
    if (trustStorePath != null) {
        LOGGER.info("createSSLContextObject: using SSL TrustStore path: " + trustStorePath);
        sslContextFactory.setTrustStorePath(trustStorePath);
    }
    if (trustStorePassword != null) {
        trustStorePassword = getApplicationSecret(privateKeyStore, trustStorePasswordAppName, trustStorePassword);
        sslContextFactory.setTrustStorePassword(trustStorePassword);
    }
    sslContextFactory.setTrustStoreType(trustStoreType);

    sslContextFactory.setExcludeCipherSuites(excludedCipherSuites.split(","));
    sslContextFactory.setExcludeProtocols(excludedProtocols.split(","));

    sslContextFactory.setWantClientAuth(wantClientAuth);
    if (clientProtocols != null) {
        sslContextFactory.setIncludeProtocols(clientProtocols);
    }

    return sslContextFactory;
}
 

private static JettyServer createHttpsJettyServer(boolean clientAuth) throws IOException {
    Server server = new Server();
    HttpConfiguration https_config = new HttpConfiguration();
    https_config.setSecureScheme("https");
    int port;
    try (ServerSocket socket = new ServerSocket(0)) {
        port = socket.getLocalPort();
    }
    https_config.setSecurePort(port);
    https_config.setOutputBufferSize(32768);

    SslContextFactory sslContextFactory = new SslContextFactory();
    File keystoreFile = new File(DEFAULT_SERVER_KEY_STORE);
    if (!keystoreFile.exists()) {
        throw new FileNotFoundException();
    }

    String trustStorePath = DEFAULT_CA_TRUST_STORE;
    File trustStoreFile = new File(trustStorePath);
    if (!trustStoreFile.exists()) {
        throw new FileNotFoundException();
    }

    sslContextFactory.setEndpointIdentificationAlgorithm(null);

    sslContextFactory.setTrustStorePath(trustStorePath);
    sslContextFactory.setTrustStoreType(DEFAULT_SSL_STORE_TYPE);
    sslContextFactory.setTrustStorePassword(DEFAULT_CERT_PWD);

    sslContextFactory.setKeyStorePath(keystoreFile.getAbsolutePath());
    sslContextFactory.setKeyStoreType(DEFAULT_SSL_STORE_TYPE);
    sslContextFactory.setKeyStorePassword(DEFAULT_CERT_PWD);

    sslContextFactory.setProtocol(DEFAULT_SSL_PROTOCOL);
    sslContextFactory.setNeedClientAuth(clientAuth);

    ServerConnector https = new ServerConnector(server,
            new SslConnectionFactory(sslContextFactory,HttpVersion.HTTP_1_1.asString()),
            new HttpConnectionFactory(https_config));
    https.setPort(port);
    https.setIdleTimeout(500000);
    server.setConnectors(new Connector[] { https });
    HandlerList handlers = new HandlerList();
    ResourceHandler resourceHandler = new ResourceHandler();
    resourceHandler.setBaseResource(Resource.newResource("."));
    handlers.setHandlers(new Handler[]
            { resourceHandler, new DefaultHandler() });
    server.setHandler(handlers);
    return new JettyServer(server, port);
}
 

@Signature
public void listen(Memory value, ArrayMemory sslSettings) {
    ServerConnector connector;

    if (sslSettings != null) {
        SslContextFactory contextFactory = new SslContextFactory();

        // key store
        if (sslSettings.containsKey("keyStorePath"))
            contextFactory.setKeyStorePath(sslSettings.valueOfIndex("keyStorePath").toString());

        if (sslSettings.containsKey("keyStorePassword"))
            contextFactory.setKeyStoreType(sslSettings.valueOfIndex("keyStorePassword").toString());

        if (sslSettings.containsKey("keyStoreType"))
            contextFactory.setKeyStoreType(sslSettings.valueOfIndex("keyStoreType").toString());

        if (sslSettings.containsKey("keyStoreProvider"))
            contextFactory.setKeyStoreProvider(sslSettings.valueOfIndex("keyStoreProvider").toString());

        // trust store
        if (sslSettings.containsKey("trustStorePath"))
            contextFactory.setTrustStorePath(sslSettings.valueOfIndex("trustStorePath").toString());

        if (sslSettings.containsKey("trustStorePassword"))
            contextFactory.setTrustStoreType(sslSettings.valueOfIndex("trustStorePassword").toString());

        if (sslSettings.containsKey("trustStoreType"))
            contextFactory.setTrustStoreType(sslSettings.valueOfIndex("trustStoreType").toString());

        if (sslSettings.containsKey("trustStoreProvider"))
            contextFactory.setTrustStoreProvider(sslSettings.valueOfIndex("trustStoreProvider").toString());

        if (sslSettings.containsKey("trustAll"))
            contextFactory.setTrustAll(sslSettings.valueOfIndex("trustAll").toBoolean());

        if (sslSettings.containsKey("trustManagerFactoryAlgorithm"))
            contextFactory.setTrustManagerFactoryAlgorithm(sslSettings.valueOfIndex("trustManagerFactoryAlgorithm").toString());

        // key manager
        if (sslSettings.containsKey("keyManagerFactoryAlgorithm"))
            contextFactory.setKeyManagerFactoryAlgorithm(sslSettings.valueOfIndex("keyManagerFactoryAlgorithm").toString());

        if (sslSettings.containsKey("keyManagerPassword"))
            contextFactory.setKeyManagerPassword(sslSettings.valueOfIndex("keyManagerPassword").toString());

        // other
        if (sslSettings.containsKey("certAlias"))
            contextFactory.setCertAlias(sslSettings.valueOfIndex("certAlias").toString());

        if (sslSettings.containsKey("protocol"))
            contextFactory.setProtocol(sslSettings.valueOfIndex("protocol").toString());

        if (sslSettings.containsKey("provider"))
            contextFactory.setProvider(sslSettings.valueOfIndex("provider").toString());

        if (sslSettings.containsKey("validateCerts"))
            contextFactory.setValidateCerts(sslSettings.valueOfIndex("validateCerts").toBoolean());

        connector = new ServerConnector(server, contextFactory);
    } else {
        connector = new ServerConnector(server);
    }

    if (value.isNumber()) {
        connector.setName("0.0.0.0:" + value.toInteger());
        connector.setPort(value.toInteger());
    } else {
        String[] strings = value.toString().split("\\:");

        if (strings.length < 2) {
            throw new IllegalArgumentException("Invalid listen value: " + value);
        }

        connector.setHost(strings[0]);
        connector.setPort(Integer.parseInt(strings[1]));
        connector.setName(strings[0] + ":" + strings[1]);
    }

    server.addConnector(connector);
}
 

protected static void configureSslContextFactory(SslContextFactory contextFactory, NiFiProperties props) {
    // require client auth when not supporting login, Kerberos service, or anonymous access
    if (props.isClientAuthRequiredForRestApi()) {
        contextFactory.setNeedClientAuth(true);
    } else {
        contextFactory.setWantClientAuth(true);
    }

    /* below code sets JSSE system properties when values are provided */
    // keystore properties
    if (StringUtils.isNotBlank(props.getProperty(NiFiProperties.SECURITY_KEYSTORE))) {
        contextFactory.setKeyStorePath(props.getProperty(NiFiProperties.SECURITY_KEYSTORE));
    }
    String keyStoreType = props.getProperty(NiFiProperties.SECURITY_KEYSTORE_TYPE);
    if (StringUtils.isNotBlank(keyStoreType)) {
        contextFactory.setKeyStoreType(keyStoreType);
        String keyStoreProvider = KeyStoreUtils.getKeyStoreProvider(keyStoreType);
        if (StringUtils.isNoneEmpty(keyStoreProvider)) {
            contextFactory.setKeyStoreProvider(keyStoreProvider);
        }
    }
    final String keystorePassword = props.getProperty(NiFiProperties.SECURITY_KEYSTORE_PASSWD);
    final String keyPassword = props.getProperty(NiFiProperties.SECURITY_KEY_PASSWD);
    if (StringUtils.isNotBlank(keystorePassword)) {
        // if no key password was provided, then assume the keystore password is the same as the key password.
        final String defaultKeyPassword = (StringUtils.isBlank(keyPassword)) ? keystorePassword : keyPassword;
        contextFactory.setKeyStorePassword(keystorePassword);
        contextFactory.setKeyManagerPassword(defaultKeyPassword);
    } else if (StringUtils.isNotBlank(keyPassword)) {
        // since no keystore password was provided, there will be no keystore integrity check
        contextFactory.setKeyManagerPassword(keyPassword);
    }

    // truststore properties
    if (StringUtils.isNotBlank(props.getProperty(NiFiProperties.SECURITY_TRUSTSTORE))) {
        contextFactory.setTrustStorePath(props.getProperty(NiFiProperties.SECURITY_TRUSTSTORE));
    }
    String trustStoreType = props.getProperty(NiFiProperties.SECURITY_TRUSTSTORE_TYPE);
    if (StringUtils.isNotBlank(trustStoreType)) {
        contextFactory.setTrustStoreType(trustStoreType);
        String trustStoreProvider = KeyStoreUtils.getKeyStoreProvider(trustStoreType);
        if (StringUtils.isNoneEmpty(trustStoreProvider)) {
            contextFactory.setTrustStoreProvider(trustStoreProvider);
        }
    }
    if (StringUtils.isNotBlank(props.getProperty(NiFiProperties.SECURITY_TRUSTSTORE_PASSWD))) {
        contextFactory.setTrustStorePassword(props.getProperty(NiFiProperties.SECURITY_TRUSTSTORE_PASSWD));
    }
}
 

private void createSecureConnector(final Map<String, String> sslProperties) {
    SslContextFactory ssl = new SslContextFactory();

    if (sslProperties.get(StandardSSLContextService.KEYSTORE.getName()) != null) {
        ssl.setKeyStorePath(sslProperties.get(StandardSSLContextService.KEYSTORE.getName()));
        ssl.setKeyStorePassword(sslProperties.get(StandardSSLContextService.KEYSTORE_PASSWORD.getName()));
        ssl.setKeyStoreType(sslProperties.get(StandardSSLContextService.KEYSTORE_TYPE.getName()));
    }

    if (sslProperties.get(StandardSSLContextService.TRUSTSTORE.getName()) != null) {
        ssl.setTrustStorePath(sslProperties.get(StandardSSLContextService.TRUSTSTORE.getName()));
        ssl.setTrustStorePassword(sslProperties.get(StandardSSLContextService.TRUSTSTORE_PASSWORD.getName()));
        ssl.setTrustStoreType(sslProperties.get(StandardSSLContextService.TRUSTSTORE_TYPE.getName()));
    }

    final String clientAuth = sslProperties.get(NEED_CLIENT_AUTH);
    if (clientAuth == null) {
        ssl.setNeedClientAuth(true);
    } else {
        ssl.setNeedClientAuth(Boolean.parseBoolean(clientAuth));
    }

    // Need to set SslContextFactory's endpointIdentificationAlgorithm to null; this is a server,
    // not a client.  Server does not need to perform hostname verification on the client.
    // Previous to Jetty 9.4.15.v20190215, this defaulted to null, and now defaults to "HTTPS".
    ssl.setEndpointIdentificationAlgorithm(null);

    // build the connector
    final ServerConnector https = new ServerConnector(jetty, ssl);

    // set host and port
    https.setPort(0);
    // Severely taxed environments may have significant delays when executing.
    https.setIdleTimeout(30000L);

    // add the connector
    jetty.addConnector(https);

    // mark secure as enabled
    secure = true;
}
 

private static SslContextFactory createSslContextFactory(KarelDbConfig config) {
    SslContextFactory sslContextFactory = new SslContextFactory();
    if (!config.getString(KarelDbConfig.SSL_KEYSTORE_LOCATION_CONFIG).isEmpty()) {
        sslContextFactory.setKeyStorePath(
            config.getString(KarelDbConfig.SSL_KEYSTORE_LOCATION_CONFIG)
        );
        sslContextFactory.setKeyStorePassword(
            config.getPassword(KarelDbConfig.SSL_KEYSTORE_PASSWORD_CONFIG).value()
        );
        sslContextFactory.setKeyManagerPassword(
            config.getPassword(KarelDbConfig.SSL_KEY_PASSWORD_CONFIG).value()
        );
        sslContextFactory.setKeyStoreType(
            config.getString(KarelDbConfig.SSL_KEYSTORE_TYPE_CONFIG)
        );

        if (!config.getString(KarelDbConfig.SSL_KEYMANAGER_ALGORITHM_CONFIG).isEmpty()) {
            sslContextFactory.setKeyManagerFactoryAlgorithm(
                config.getString(KarelDbConfig.SSL_KEYMANAGER_ALGORITHM_CONFIG));
        }
    }

    configureClientAuth(config, sslContextFactory);

    List<String> enabledProtocols = config.getList(KarelDbConfig.SSL_ENABLED_PROTOCOLS_CONFIG);
    if (!enabledProtocols.isEmpty()) {
        sslContextFactory.setIncludeProtocols(enabledProtocols.toArray(new String[0]));
    }

    List<String> cipherSuites = config.getList(KarelDbConfig.SSL_CIPHER_SUITES_CONFIG);
    if (!cipherSuites.isEmpty()) {
        sslContextFactory.setIncludeCipherSuites(cipherSuites.toArray(new String[0]));
    }

    sslContextFactory.setEndpointIdentificationAlgorithm(
        config.getString(KarelDbConfig.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG));

    if (!config.getString(KarelDbConfig.SSL_TRUSTSTORE_LOCATION_CONFIG).isEmpty()) {
        sslContextFactory.setTrustStorePath(
            config.getString(KarelDbConfig.SSL_TRUSTSTORE_LOCATION_CONFIG)
        );
        sslContextFactory.setTrustStorePassword(
            config.getPassword(KarelDbConfig.SSL_TRUSTSTORE_PASSWORD_CONFIG).value()
        );
        sslContextFactory.setTrustStoreType(
            config.getString(KarelDbConfig.SSL_TRUSTSTORE_TYPE_CONFIG)
        );

        if (!config.getString(KarelDbConfig.SSL_TRUSTMANAGER_ALGORITHM_CONFIG).isEmpty()) {
            sslContextFactory.setTrustManagerFactoryAlgorithm(
                config.getString(KarelDbConfig.SSL_TRUSTMANAGER_ALGORITHM_CONFIG)
            );
        }
    }

    sslContextFactory.setProtocol(config.getString(KarelDbConfig.SSL_PROTOCOL_CONFIG));
    if (!config.getString(KarelDbConfig.SSL_PROVIDER_CONFIG).isEmpty()) {
        sslContextFactory.setProtocol(config.getString(KarelDbConfig.SSL_PROVIDER_CONFIG));
    }

    sslContextFactory.setRenegotiationAllowed(false);

    return sslContextFactory;
}