Java Code Examples for io.vertx.reactivex.core.http.HttpServerRequest#sslSession()

Example 1
Source File: ClientCertificateAuthProvider.java — from graviteeio-access-management (Apache License 2.0)
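/**
 * Authenticates the client with the X.509 certificate presented on the TLS connection
 * (tls_client_auth): the leaf certificate must match one of the subject DN / SAN values
 * registered on the client. Only the attributes the client actually has configured are
 * compared, so a client with no TLS binding registered is always rejected.
 *
 * @param client  the client resolved from the request; canHandle has already required it to be non-null
 * @param request the current request, expected to carry an SSL session (checked by canHandle)
 * @param handler receives the client on success, or an {@link InvalidClientException} on failure
 */
@Override
public void handle(Client client, HttpServerRequest request, Handler<AsyncResult<Client>> handler) {
    // We ensure that the authentication is done over TLS thanks to the canHandle method which checks for an SSL
    // session
    SSLSession sslSession = request.sslSession();

    try {
        Certificate[] peerCertificates = sslSession.getPeerCertificates();
        // The chain is peer-first; an empty chain or a non-X.509 leaf cannot be bound to the client,
        // and must not surface as an uncaught ArrayIndexOutOfBounds / ClassCastException.
        if (peerCertificates == null || peerCertificates.length == 0 || !(peerCertificates[0] instanceof X509Certificate)) {
            handler.handle(Future.failedFuture(new InvalidClientException("Invalid client: missing or unsupported certificate")));
            return;
        }
        X509Certificate peerCertificate = (X509Certificate) peerCertificates[0];

        if (matchesRegisteredTlsClientAuth(client, peerCertificate)) {
            handler.handle(Future.succeededFuture(client));
        } else {
            handler.handle(Future.failedFuture(new InvalidClientException("Invalid client: missing TLS configuration")));
        }
    } catch (SSLPeerUnverifiedException | CertificateParsingException ce) {
        // No verified peer identity, or an undecodable certificate: treat both as an invalid client.
        handler.handle(Future.failedFuture(new InvalidClientException("Invalid client: missing or unsupported certificate")));
    }
}

/**
 * Compares the presented leaf certificate against whichever binding is registered on the client
 * (subject DN, or one SAN of type DNS / email / IP / URI).
 *
 * @return true when at least one configured binding matches the certificate
 * @throws CertificateParsingException if the certificate's extensions cannot be decoded
 */
private boolean matchesRegisteredTlsClientAuth(Client client, X509Certificate peerCertificate) throws CertificateParsingException {
    return (client.getTlsClientAuthSubjectDn() != null && validateSubjectDn(client, peerCertificate))
            || (client.getTlsClientAuthSanDns() != null && validateSAN(peerCertificate, GeneralName.dNSName, client.getTlsClientAuthSanDns()))
            || (client.getTlsClientAuthSanEmail() != null && validateSAN(peerCertificate, GeneralName.rfc822Name, client.getTlsClientAuthSanEmail()))
            || (client.getTlsClientAuthSanIp() != null && validateSAN(peerCertificate, GeneralName.iPAddress, client.getTlsClientAuthSanIp()))
            || (client.getTlsClientAuthSanUri() != null && validateSAN(peerCertificate, GeneralName.uniformResourceIdentifier, client.getTlsClientAuthSanUri()));
}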
 
Example 2
Source File: ClientSelfSignedAuthProvider.java — from graviteeio-access-management (Apache License 2.0)
/**
 * Tells whether this provider applies to the request: the client must be known, the request
 * must have arrived over TLS, and the client must be registered for self_signed_tls_client_auth.
 *
 * @param client  the client resolved from the request, may be null
 * @param request the current request
 * @return true when all three conditions hold
 */
@Override
public boolean canHandle(Client client, HttpServerRequest request) {
    // client_id is a required parameter for tls_client_auth so we are sure to have a client here
    if (client == null) {
        return false;
    }
    if (request.sslSession() == null) {
        return false;
    }
    return ClientAuthenticationMethod.SELF_SIGNED_TLS_CLIENT_AUTH.equals(client.getTokenEndpointAuthMethod());
}
 
Example 3
Source File: ClientSelfSignedAuthProvider.java — from graviteeio-access-management (Apache License 2.0)
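/**
 * Authenticates the client with the self-signed certificate presented on the TLS connection
 * (self_signed_tls_client_auth): the leaf certificate's thumbprint must match the {@code x5t#S256}
 * (SHA-256) or {@code x5t} (SHA-1) member of one of the keys in the client's JWK Set.
 *
 * @param client  the client resolved from the request; canHandle has already required it to be non-null
 * @param request the current request, expected to carry an SSL session (checked by canHandle)
 * @param handler receives the client on success, or an {@link InvalidClientException} on failure
 */
@Override
public void handle(Client client, HttpServerRequest request, Handler<AsyncResult<Client>> handler) {
    // We ensure that the authentication is done over TLS thanks to the canHandle method which checks for an SSL
    // session
    SSLSession sslSession = request.sslSession();

    try {
        Certificate[] peerCertificates = sslSession.getPeerCertificates();
        // The chain is peer-first; an empty chain or a non-X.509 leaf cannot be matched against the JWK Set,
        // and is reported as an invalid client rather than surfacing as a runtime exception.
        if (peerCertificates == null || peerCertificates.length == 0 || !(peerCertificates[0] instanceof X509Certificate)) {
            handler.handle(Future.failedFuture(new InvalidClientException("Invalid client: missing or unsupported self-signed certificate")));
            return;
        }
        X509Certificate peerCertificate = (X509Certificate) peerCertificates[0];
        // x5t is SHA-1 by definition (RFC 7515); it is kept for keys that only publish that member,
        // x5t#S256 is the preferred comparison.
        String thumbprint = getThumbprint(peerCertificate, "SHA-1");
        String thumbprint256 = getThumbprint(peerCertificate, "SHA-256");
        jwkService.getKeys(client)
                .subscribe(
                        jwkSet -> {
                            boolean match = jwkSet.getKeys()
                                    .stream()
                                    .anyMatch(jwk -> thumbprint256.equals(jwk.getX5tS256()) || thumbprint.equals(jwk.getX5t()));
                            if (match) {
                                handler.handle(Future.succeededFuture(client));
                            } else {
                                handler.handle(Future.failedFuture(new InvalidClientException("Invalid client: invalid self-signed certificate")));
                            }
                        },
                        throwable -> handler.handle(Future.failedFuture(new InvalidClientException("Invalid client: invalid self-signed certificate"))),
                        // Completion without a JWK Set: the client has nothing to match against.
                        () -> handler.handle(Future.failedFuture(new InvalidClientException("Invalid client: missing or unsupported JWK Set"))));
    } catch (Exception ex) {
        // Broad catch kept deliberately: any failure to read or hash the certificate is an invalid client,
        // not an error to propagate to the caller.
        handler.handle(Future.failedFuture(new InvalidClientException("Invalid client: missing or unsupported self-signed certificate")));
    }
}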
 
Example 4
Source File: ClientCertificateAuthProvider.java — from graviteeio-access-management (Apache License 2.0)
/**
 * Tells whether this provider applies to the request: the client must be known, the request
 * must have arrived over TLS, and the client must be registered for tls_client_auth.
 *
 * @param client  the client resolved from the request, may be null
 * @param request the current request
 * @return true when all three conditions hold
 */
@Override
public boolean canHandle(Client client, HttpServerRequest request) {
    // client_id is a required parameter for tls_client_auth so we are sure to have a client here
    if (client == null) {
        return false;
    }
    if (request.sslSession() == null) {
        return false;
    }
    return ClientAuthenticationMethod.TLS_CLIENT_AUTH.equals(client.getTokenEndpointAuthMethod());
}