io.vertx.core.net.TrustOptions Java Examples

The following examples show how to use io.vertx.core.net.TrustOptions. The source file and originating project for each example are given in the line above it.
Example #1
Source File: HttpTlsOptionHelpers.java    From orion with Apache License 2.0
/**
 * Maps an Orion trust-mode name to the Vert.x {@link TrustOptions} used to authenticate
 * connecting clients.
 *
 * <p>Modes are grouped by the VertxTrustOptions factory they use; the second argument of each
 * factory call is whether CA-signed certificates are additionally accepted ({@code ca-or-*}
 * modes). The {@code insecure-*} names are the project's own signal that those modes record or
 * trust-on-first-access client fingerprints rather than authenticate the client.
 *
 * @param trustMode the configured trust-mode name; must not be null (a null fails the switch)
 * @param knownConnectionFile the file holding recorded client fingerprints, read or written by
 *        every mode except {@code ca}
 * @return the trust options for the mode, or empty for {@code ca}, where no custom trust
 *         options are installed and the caller's default CA validation applies
 * @throws UnsupportedOperationException if {@code trustMode} is not one of the known names
 */
public static Optional<TrustOptions> createTrustOptions(final String trustMode, final Path knownConnectionFile) {
  switch (trustMode) {
    case "ca":
      // Plain CA validation only: nothing custom to install.
      return Optional.empty();

    // Whitelist: the client's fingerprint must already be recorded in the file.
    case "whitelist":
      return Optional.of(VertxTrustOptions.whitelistClients(knownConnectionFile, false));
    case "ca-or-whitelist":
      return Optional.of(VertxTrustOptions.whitelistClients(knownConnectionFile, true));

    // Trust-on-first-access: the first fingerprint seen for a common name is recorded and pinned.
    case "tofu":
    case "insecure-tofa":
      return Optional.of(VertxTrustOptions.trustClientOnFirstAccess(knownConnectionFile, false));
    case "ca-or-tofu":
    case "insecure-ca-or-tofa":
      return Optional.of(VertxTrustOptions.trustClientOnFirstAccess(knownConnectionFile, true));

    // Record-only: every client is accepted and its fingerprint written to the file.
    case "insecure-no-validation":
    case "insecure-record":
      return Optional.of(VertxTrustOptions.recordClientFingerprints(knownConnectionFile, false));
    case "insecure-ca-or-record":
      return Optional.of(VertxTrustOptions.recordClientFingerprints(knownConnectionFile, true));

    default:
      throw new UnsupportedOperationException("\"" + trustMode + "\" option is not supported");
  }
}
 
Example #2
Source File: SslCustomizer.java    From vertx-spring-boot with Apache License 2.0
/**
 * Converts the trust-store part of a Spring {@code Ssl} configuration into Vert.x trust options.
 *
 * <p>Only the {@code JKS} and {@code PKCS12} store types (compared case-insensitively) are
 * understood. For any other type, including an unset one, {@code null} is returned; what the
 * caller does with a null (presumably "no explicit trust store") is outside this method.
 *
 * @param ssl the SSL configuration to read the trust-store type, location and password from
 * @return JKS or PFX trust options for the configured store, or {@code null} if the store type
 *         is not supported
 */
private TrustOptions trustOptionsAdapter(Ssl ssl) {
    final String storeType = ssl.getTrustStoreType();
    if ("JKS".equalsIgnoreCase(storeType)) {
        return getJksOptions(ssl.getTrustStore(), ssl.getTrustStorePassword());
    }
    if ("PKCS12".equalsIgnoreCase(storeType)) {
        return getPfxOptions(ssl.getTrustStore(), ssl.getTrustStorePassword());
    }
    // Unsupported or missing store type: nothing to adapt.
    return null;
}
 
Example #3
Source File: InsecureTrustOptions.java    From incubator-tuweni with Apache License 2.0
/**
 * Returns this same instance; no copy is made.
 *
 * <p>NOTE(review): handing out the shared instance is only safe if these options carry no
 * mutable state — confirm against the class fields, which are outside this snippet. The class
 * name indicates this is the non-validating ("insecure") trust configuration.
 *
 * @return this {@link TrustOptions} instance
 */
@Override
public TrustOptions clone() {
  final TrustOptions sharedInstance = this;
  return sharedInstance;
}
 
Example #4
Source File: TrustManagerFactoryWrapper.java    From incubator-tuweni with Apache License 2.0
/**
 * Creates a new wrapper around the same trust manager factory.
 *
 * <p>This is a shallow copy: the {@code trustManagerFactory} instance itself is shared between
 * the original and the copy, not duplicated.
 *
 * @return a fresh {@link TrustManagerFactoryWrapper} over this wrapper's factory
 */
@Override
public TrustOptions clone() {
  final TrustManagerFactoryWrapper copy = new TrustManagerFactoryWrapper(this.trustManagerFactory);
  return copy;
}
 
Example #5
Source File: MSSQLConnectOptions.java    From vertx-sql-client with Apache License 2.0
/**
 * Applies the trust options through the superclass setter and narrows the result to
 * {@code MSSQLConnectOptions} so calls can be chained with this class's own setters.
 *
 * @param options the trust options to apply; passed to the superclass unchanged
 * @return the superclass setter's result cast to {@code MSSQLConnectOptions} (presumably
 *         {@code this}, as with Vert.x fluent setters — the superclass is outside this snippet)
 */
@Override
public MSSQLConnectOptions setTrustOptions(TrustOptions options) {
  // Covariant override: behaviour is entirely the superclass's; only the static return type changes.
  return (MSSQLConnectOptions) super.setTrustOptions(options);
}
 
Example #6
Source File: DB2ConnectOptions.java    From vertx-sql-client with Apache License 2.0
/**
 * Applies the trust options through the superclass setter and narrows the result to
 * {@code DB2ConnectOptions} so calls can be chained with this class's own setters.
 *
 * @param options the trust options to apply; passed to the superclass unchanged
 * @return the superclass setter's result cast to {@code DB2ConnectOptions} (presumably
 *         {@code this}, as with Vert.x fluent setters — the superclass is outside this snippet)
 */
@Override
public DB2ConnectOptions setTrustOptions(TrustOptions options) {
  // Covariant override: behaviour is entirely the superclass's; only the static return type changes.
  return (DB2ConnectOptions) super.setTrustOptions(options);
}
 
Example #7
Source File: InsecureTrustOptions.java    From cava with Apache License 2.0
/**
 * Returns this same instance instead of a copy.
 *
 * <p>NOTE(review): safe only if the options hold no mutable state; the fields are outside this
 * snippet, so confirm there. Per the class name these are the non-validating ("insecure")
 * trust options.
 *
 * @return this {@link TrustOptions} instance
 */
@Override
public TrustOptions clone() {
  final TrustOptions self = this;
  return self;
}
 
Example #8
Source File: MySQLConnectionFactory.java    From vertx-sql-client with Apache License 2.0
/**
 * Creates a connection factory from {@code options}.
 *
 * <p>Copies the connection parameters into fields, resolves the collation and charset encoding,
 * loads the server RSA public key (inline value first, file path second), validates that the
 * configured SSL mode has the settings it requires, and finally creates the NetClient.
 *
 * @param context the Vert.x context; its owner supplies the file system and the NetClient
 * @param options the MySQL connect options to read; also the basis of the NetClientOptions
 * @throws IllegalArgumentException if sslMode is VERIFY_IDENTITY and no hostname verification
 *         algorithm is set, or if sslMode is VERIFY_IDENTITY or VERIFY_CA and no trust options
 *         are set
 */
public MySQLConnectionFactory(ContextInternal context, MySQLConnectOptions options) {
  // Transport-level settings (hostname verification algorithm, trust options) are read from this copy below.
  NetClientOptions netClientOptions = new NetClientOptions(options);

  this.context = context;
  this.host = options.getHost();
  this.port = options.getPort();
  this.username = options.getUser();
  this.password = options.getPassword();
  this.database = options.getDatabase();
  // Exposed read-only; a null properties map is kept as null rather than replaced by an empty one.
  this.connectionAttributes = options.getProperties() == null ? null : Collections.unmodifiableMap(options.getProperties());
  MySQLCollation collation;
  if (options.getCollation() != null) {
    // override the collation if configured
    // An explicit collation wins, and its mapped Java charset becomes the encoding.
    collation = MySQLCollation.valueOfName(options.getCollation());
    charsetEncoding = Charset.forName(collation.mappedJavaCharsetName());
  } else {
    // Otherwise derive the collation from the configured charset (or take the default collation)...
    String charset = options.getCharset();
    if (charset == null) {
      collation = MySQLCollation.DEFAULT_COLLATION;
    } else {
      collation = MySQLCollation.valueOfName(MySQLCollation.getDefaultCollationFromCharsetName(charset));
    }
    // ...and the Java encoding from characterEncoding, independently of the collation.
    String characterEncoding = options.getCharacterEncoding();
    if (characterEncoding == null) {
      // NOTE(review): falls back to the JVM platform default charset, which differs between hosts — confirm intended.
      charsetEncoding = Charset.defaultCharset();
    } else {
      charsetEncoding = Charset.forName(options.getCharacterEncoding());
    }
  }
  this.collation = collation;
  this.useAffectedRows = options.isUseAffectedRows();
  // Assumed non-null: a null sslMode would fail in the switch below.
  this.sslMode = options.getSslMode();

  // server RSA public key
  // An inline key value takes precedence over a key file; the file is read with a blocking call.
  Buffer serverRsaPublicKey = null;
  if (options.getServerRsaPublicKeyValue() != null) {
    serverRsaPublicKey = options.getServerRsaPublicKeyValue();
  } else {
    if (options.getServerRsaPublicKeyPath() != null) {
      serverRsaPublicKey = context.owner().fileSystem().readFileBlocking(options.getServerRsaPublicKeyPath());
    }
  }
  this.serverRsaPublicKey = serverRsaPublicKey;
  this.initialCapabilitiesFlags = initCapabilitiesFlags();

  // check the SSLMode here
  // Only the two verifying modes are validated; any other sslMode value gets no check in this block.
  switch (sslMode) {
    case VERIFY_IDENTITY:
      // VERIFY_IDENTITY needs a hostname verification algorithm and, via the fall-through below,
      // trust options as well.
      String hostnameVerificationAlgorithm = netClientOptions.getHostnameVerificationAlgorithm();
      if (hostnameVerificationAlgorithm == null || hostnameVerificationAlgorithm.isEmpty()) {
        throw new IllegalArgumentException("Host verification algorithm must be specified under VERIFY_IDENTITY ssl-mode.");
      }
      // fall through: VERIFY_IDENTITY is a superset of the VERIFY_CA requirements
    case VERIFY_CA:
      TrustOptions trustOptions = netClientOptions.getTrustOptions();
      if (trustOptions == null) {
        throw new IllegalArgumentException("Trust options must be specified under " + sslMode.name() + " ssl-mode.");
      }
      break;
  }

  this.cachePreparedStatements = options.getCachePreparedStatements();
  this.preparedStatementCacheSize = options.getPreparedStatementCacheMaxSize();
  this.preparedStatementCacheSqlFilter = options.getPreparedStatementCacheSqlFilter();

  this.netClient = context.owner().createNetClient(netClientOptions);
}
 
Example #9
Source File: VertxSubstitutions.java    From quarkus with Apache License 2.0
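/**
 * Substitution for the Vert.x trust-options setter: this code path is deliberately unavailable
 * in the substituted build and always fails.
 *
 * @param sslOptions the TCP/SSL options that would receive the trust options (unused)
 * @param options the trust options that would be applied (unused)
 * @throws UnsupportedOperationException always
 */
@Substitute
static void setTrustOptions(TCPSSLOptions sslOptions, TrustOptions options) {
    // UnsupportedOperationException is the JDK's type for "not implemented"; it subclasses
    // RuntimeException, so existing catch clauses still match and the message is unchanged.
    throw new UnsupportedOperationException("Not Implemented");
}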
 
Example #10
Source File: TrustManagerFactoryWrapper.java    From cava with Apache License 2.0
/**
 * Produces a new wrapper over the same trust manager factory.
 *
 * <p>Shallow copy: the {@code trustManagerFactory} is shared with the copy, not duplicated.
 *
 * @return a new {@link TrustManagerFactoryWrapper} holding this wrapper's factory
 */
@Override
public TrustOptions clone() {
  final TrustManagerFactoryWrapper duplicate = new TrustManagerFactoryWrapper(this.trustManagerFactory);
  return duplicate;
}
 
Example #11
Source File: VertxTrustOptions.java    From cava with Apache License 2.0
/**
 * Require servers to present either a known certificate or a CA-signed one.
 *
 * <p>
 * A server certificate that is not CA-signed is accepted only if its fingerprint is recorded in
 * {@code repository} for that server (identified by host+port).
 *
 * @param repository The repository of known server fingerprints, keyed by host.
 * @return A Vert.x {@link TrustOptions} wrapping the matching trust manager factory.
 */
public static TrustOptions whitelistServers(FingerprintRepository repository) {
  final TrustManagerFactory factory = TrustManagerFactories.whitelistServers(repository);
  return new TrustManagerFactoryWrapper(factory);
}
 
Example #12
Source File: VertxTrustOptions.java    From cava with Apache License 2.0
/**
 * Accept CA-signed client certificates; otherwise trust a client certificate on first access.
 *
 * <p>
 * Unless the client presents a CA-signed certificate, the common name and fingerprint of the
 * certificate seen on the first connection are recorded in {@code knownClientsFile}; later
 * connections under that common name are rejected if the fingerprint differs.
 *
 * <p>
 * <i>Note: this is <b>insecure</b> and <b>provides zero confidence in client identity</b>, unlike
 * the server-side {@link #trustServerOnFirstUse(Path)}. Server pinning is keyed by the host and port
 * being connected to; client pinning is keyed only by the common name the client itself presents,
 * so a client can sidestep a recorded fingerprint simply by presenting a different common name.</i>
 *
 * @param knownClientsFile The path to the file of client fingerprints, keyed by common name.
 * @param tmf A {@link TrustManagerFactory} used to check presented certificates against a CA.
 * @return A Vert.x {@link TrustOptions} wrapping the matching trust manager factory.
 */
public static TrustOptions trustClientOnFirstAccess(Path knownClientsFile, TrustManagerFactory tmf) {
  final TrustManagerFactory factory = TrustManagerFactories.trustClientOnFirstAccess(knownClientsFile, tmf);
  return new TrustManagerFactoryWrapper(factory);
}
 
Example #13
Source File: VertxTrustOptions.java    From cava with Apache License 2.0
/**
 * Require servers to present a known certificate.
 *
 * <p>
 * The fingerprint of the server certificate must be listed in {@code knownServersFile} under that
 * server (identified by host+port).
 *
 * @param knownServersFile The path to the file of known server fingerprints, keyed by host.
 * @param acceptCASigned If {@code true}, a CA-signed certificate is always accepted.
 * @return A Vert.x {@link TrustOptions} wrapping the matching trust manager factory.
 */
public static TrustOptions whitelistServers(Path knownServersFile, boolean acceptCASigned) {
  final TrustManagerFactory factory = TrustManagerFactories.whitelistServers(knownServersFile, acceptCASigned);
  return new TrustManagerFactoryWrapper(factory);
}
 
Example #14
Source File: VertxTrustOptions.java    From cava with Apache License 2.0
/**
 * Require servers to present a known certificate.
 *
 * <p>
 * The fingerprint of the server certificate must be present in {@code repository} for that server
 * (identified by host+port).
 *
 * @param repository The repository of known server fingerprints, keyed by host.
 * @param acceptCASigned If {@code true}, a CA-signed certificate is always accepted.
 * @return A Vert.x {@link TrustOptions} wrapping the matching trust manager factory.
 */
public static TrustOptions whitelistServers(FingerprintRepository repository, boolean acceptCASigned) {
  final TrustManagerFactory factory = TrustManagerFactories.whitelistServers(repository, acceptCASigned);
  return new TrustManagerFactoryWrapper(factory);
}
 
Example #15
Source File: VertxTrustOptions.java    From cava with Apache License 2.0
/**
 * Require servers to present either a known certificate or a CA-signed one.
 *
 * <p>
 * A server certificate that does not validate against the CA must have its fingerprint listed in
 * {@code knownServersFile} under that server (identified by host+port).
 *
 * @param knownServersFile The path to the file of known server fingerprints, keyed by host.
 * @param tmf A {@link TrustManagerFactory} used to check server certificates against a CA.
 * @return A Vert.x {@link TrustOptions} wrapping the matching trust manager factory.
 */
public static TrustOptions whitelistServers(Path knownServersFile, TrustManagerFactory tmf) {
  final TrustManagerFactory factory = TrustManagerFactories.whitelistServers(knownServersFile, tmf);
  return new TrustManagerFactoryWrapper(factory);
}
 
Example #16
Source File: VertxTrustOptions.java    From cava with Apache License 2.0
/**
 * Accept CA-signed client certificates; otherwise trust a client certificate on first access.
 *
 * <p>
 * Unless the client presents a CA-signed certificate, the common name and fingerprint of the
 * certificate seen on the first connection are recorded in {@code repository}; later connections
 * under that common name are rejected if the fingerprint differs.
 *
 * <p>
 * <i>Note: this is <b>insecure</b> and <b>provides zero confidence in client identity</b>, unlike
 * the server-side {@link #trustServerOnFirstUse(Path)}. Server pinning is keyed by the host and port
 * being connected to; client pinning is keyed only by the common name the client itself presents,
 * so a client can sidestep a recorded fingerprint simply by presenting a different common name.</i>
 *
 * @param repository The repository of client fingerprints, keyed by common name.
 * @param tmf A {@link TrustManagerFactory} used to check presented certificates against a CA.
 * @return A Vert.x {@link TrustOptions} wrapping the matching trust manager factory.
 */
public static TrustOptions trustClientOnFirstAccess(FingerprintRepository repository, TrustManagerFactory tmf) {
  final TrustManagerFactory factory = TrustManagerFactories.trustClientOnFirstAccess(repository, tmf);
  return new TrustManagerFactoryWrapper(factory);
}
 
Example #17
Source File: VertxTrustOptions.java    From cava with Apache License 2.0
/**
 * Require clients to present either a known certificate or a CA-signed one.
 *
 * <p>
 * A client certificate that is not CA-signed is accepted only if its common name and fingerprint
 * are present in {@code repository}.
 *
 * @param repository The repository of known client fingerprints, keyed by common name.
 * @return A Vert.x {@link TrustOptions} wrapping the matching trust manager factory.
 */
public static TrustOptions whitelistClients(FingerprintRepository repository) {
  final TrustManagerFactory factory = TrustManagerFactories.whitelistClients(repository);
  return new TrustManagerFactoryWrapper(factory);
}
 
Example #18
Source File: VertxTrustOptions.java    From cava with Apache License 2.0
/**
 * Require clients to present either a known certificate or a CA-signed one.
 *
 * <p>
 * A client certificate that is not CA-signed is accepted only if its common name and fingerprint
 * are listed in {@code knownClientsFile}.
 *
 * @param knownClientsFile The path to the file of known client fingerprints, keyed by common name.
 * @return A Vert.x {@link TrustOptions} wrapping the matching trust manager factory.
 */
public static TrustOptions whitelistClients(Path knownClientsFile) {
  final TrustManagerFactory factory = TrustManagerFactories.whitelistClients(knownClientsFile);
  return new TrustManagerFactoryWrapper(factory);
}
 
Example #19
Source File: VertxTrustOptions.java    From cava with Apache License 2.0
/**
 * Require clients to present a known certificate.
 *
 * <p>
 * The common name and fingerprint of the client certificate must be listed in
 * {@code knownClientsFile}.
 *
 * @param knownClientsFile The path to the file of known client fingerprints, keyed by common name.
 * @param acceptCASigned If {@code true}, a CA-signed certificate is always accepted.
 * @return A Vert.x {@link TrustOptions} wrapping the matching trust manager factory.
 */
public static TrustOptions whitelistClients(Path knownClientsFile, boolean acceptCASigned) {
  final TrustManagerFactory factory = TrustManagerFactories.whitelistClients(knownClientsFile, acceptCASigned);
  return new TrustManagerFactoryWrapper(factory);
}
 
Example #20
Source File: VertxTrustOptions.java    From cava with Apache License 2.0
/**
 * Require servers to present either a known certificate or a CA-signed one.
 *
 * <p>
 * A server certificate that is not CA-signed is accepted only if its fingerprint is listed in
 * {@code knownServersFile} under that server (identified by host+port).
 *
 * @param knownServersFile The path to the file of known server fingerprints, keyed by host.
 * @return A Vert.x {@link TrustOptions} wrapping the matching trust manager factory.
 */
public static TrustOptions whitelistServers(Path knownServersFile) {
  final TrustManagerFactory factory = TrustManagerFactories.whitelistServers(knownServersFile);
  return new TrustManagerFactoryWrapper(factory);
}
 
Example #21
Source File: VertxTrustOptions.java    From cava with Apache License 2.0
/**
 * Accept CA-signed server certificates; otherwise trust a server certificate on first use.
 *
 * <p>
 * Unless the server presents a CA-signed certificate, the fingerprint seen on the first connection
 * to that server (identified by host+port) is recorded in {@code repository}; on later connections
 * the presented certificate must match the stored fingerprint.
 *
 * @param repository The repository of server fingerprints, keyed by host.
 * @param tmf A {@link TrustManagerFactory} used to check server certificates against a CA.
 * @return A Vert.x {@link TrustOptions} wrapping the matching trust manager factory.
 */
public static TrustOptions trustServerOnFirstUse(FingerprintRepository repository, TrustManagerFactory tmf) {
  final TrustManagerFactory factory = TrustManagerFactories.trustServerOnFirstUse(repository, tmf);
  return new TrustManagerFactoryWrapper(factory);
}
 
Example #22
Source File: VertxTrustOptions.java    From cava with Apache License 2.0
/**
 * Accept CA-signed server certificates; otherwise trust a server certificate on first use.
 *
 * <p>
 * Unless the server presents a CA-signed certificate, the fingerprint seen on the first connection
 * to that server (identified by host+port) is written to {@code knownServersFile}; on later
 * connections the presented certificate must match the stored fingerprint.
 *
 * @param knownServersFile The path to the file of server fingerprints, keyed by host.
 * @param tmf A {@link TrustManagerFactory} used to check server certificates against a CA.
 * @return A Vert.x {@link TrustOptions} wrapping the matching trust manager factory.
 */
public static TrustOptions trustServerOnFirstUse(Path knownServersFile, TrustManagerFactory tmf) {
  final TrustManagerFactory factory = TrustManagerFactories.trustServerOnFirstUse(knownServersFile, tmf);
  return new TrustManagerFactoryWrapper(factory);
}
 
Example #23
Source File: VertxTrustOptions.java    From cava with Apache License 2.0
/**
 * Trust server certificates on first use.
 *
 * <p>
 * The fingerprint seen on the first connection to a server (identified by host+port) is recorded in
 * {@code repository}; on later connections the presented certificate must match the stored
 * fingerprint.
 *
 * @param repository The repository of server fingerprints, keyed by host.
 * @param acceptCASigned If {@code true}, a CA-signed certificate is always accepted and no
 *        fingerprint is recorded for it.
 * @return A Vert.x {@link TrustOptions} wrapping the matching trust manager factory.
 */
public static TrustOptions trustServerOnFirstUse(FingerprintRepository repository, boolean acceptCASigned) {
  final TrustManagerFactory factory = TrustManagerFactories.trustServerOnFirstUse(repository, acceptCASigned);
  return new TrustManagerFactoryWrapper(factory);
}
 
Example #24
Source File: VertxTrustOptions.java    From cava with Apache License 2.0
/**
 * Trust server certificates on first use.
 *
 * <p>
 * The fingerprint seen on the first connection to a server (identified by host+port) is written to
 * {@code knownServersFile}; on later connections the presented certificate must match the stored
 * fingerprint.
 *
 * @param knownServersFile The path to the file of server fingerprints, keyed by host.
 * @param acceptCASigned If {@code true}, a CA-signed certificate is always accepted and no
 *        fingerprint is recorded for it.
 * @return A Vert.x {@link TrustOptions} wrapping the matching trust manager factory.
 */
public static TrustOptions trustServerOnFirstUse(Path knownServersFile, boolean acceptCASigned) {
  final TrustManagerFactory factory =
      TrustManagerFactories.trustServerOnFirstUse(knownServersFile, acceptCASigned);
  return new TrustManagerFactoryWrapper(factory);
}
 
Example #25
Source File: VertxTrustOptions.java    From cava with Apache License 2.0
/**
 * Accept CA-signed server certificates; otherwise trust a server certificate on first use.
 *
 * <p>
 * Unless the server presents a CA-signed certificate, the fingerprint seen on the first connection
 * to that server (identified by host+port) is recorded in {@code repository}; on later connections
 * the presented certificate must match the stored fingerprint.
 *
 * @param repository The repository of server fingerprints, keyed by host.
 * @return A Vert.x {@link TrustOptions} wrapping the matching trust manager factory.
 */
public static TrustOptions trustServerOnFirstUse(FingerprintRepository repository) {
  final TrustManagerFactory factory = TrustManagerFactories.trustServerOnFirstUse(repository);
  return new TrustManagerFactoryWrapper(factory);
}
 
Example #26
Source File: VertxTrustOptions.java    From cava with Apache License 2.0
/**
 * Accept every server certificate, recording the fingerprint of any that is not CA-signed.
 *
 * <p>
 * Unless the server presents a CA-signed certificate, the server's host+port and the certificate
 * fingerprint are written to {@code repository}.
 *
 * <p>
 * Important: this authenticates nothing and gives no protection against man-in-the-middle
 * attacks; it only records what was seen.
 *
 * @param repository The repository in which to record server fingerprints, keyed by host.
 * @return A Vert.x {@link TrustOptions} wrapping the matching trust manager factory.
 */
public static TrustOptions recordServerFingerprints(FingerprintRepository repository) {
  final TrustManagerFactory factory = TrustManagerFactories.recordServerFingerprints(repository);
  return new TrustManagerFactoryWrapper(factory);
}
 
Example #27
Source File: VertxTrustOptions.java    From cava with Apache License 2.0
/**
 * Accept CA-signed server certificates; otherwise trust a server certificate on first use.
 *
 * <p>
 * Unless the server presents a CA-signed certificate, the fingerprint seen on the first connection
 * to that server (identified by host+port) is written to {@code knownServersFile}; on later
 * connections the presented certificate must match the stored fingerprint.
 *
 * @param knownServersFile The path to the file of server fingerprints, keyed by host.
 * @return A Vert.x {@link TrustOptions} wrapping the matching trust manager factory.
 */
public static TrustOptions trustServerOnFirstUse(Path knownServersFile) {
  final TrustManagerFactory factory = TrustManagerFactories.trustServerOnFirstUse(knownServersFile);
  return new TrustManagerFactoryWrapper(factory);
}
 
Example #28
Source File: VertxTrustOptions.java    From cava with Apache License 2.0
/**
 * Accept every server certificate, recording the fingerprint of any that is not CA-signed.
 *
 * <p>
 * Unless the server presents a certificate that validates against the CA, the server's host+port
 * and the certificate fingerprint are written to {@code repository}.
 *
 * <p>
 * Important: this authenticates nothing and gives no protection against man-in-the-middle
 * attacks; it only records what was seen.
 *
 * @param repository The repository in which to record server fingerprints, keyed by host.
 * @param tmf A {@link TrustManagerFactory} used to check server certificates against a CA.
 * @return A Vert.x {@link TrustOptions} wrapping the matching trust manager factory.
 */
public static TrustOptions recordServerFingerprints(FingerprintRepository repository, TrustManagerFactory tmf) {
  final TrustManagerFactory factory = TrustManagerFactories.recordServerFingerprints(repository, tmf);
  return new TrustManagerFactoryWrapper(factory);
}
 
Example #29
Source File: VertxTrustOptions.java    From cava with Apache License 2.0
/**
 * Accept every server certificate, recording the fingerprint of any that is not CA-signed.
 *
 * <p>
 * Unless the server presents a certificate that validates against the CA, the server's host+port
 * and the certificate fingerprint are written to {@code knownServersFile}.
 *
 * <p>
 * Important: this authenticates nothing and gives no protection against man-in-the-middle
 * attacks; it only records what was seen.
 *
 * @param knownServersFile The path to the file in which to record server fingerprints, keyed by host.
 * @param tmf A {@link TrustManagerFactory} used to check server certificates against a CA.
 * @return A Vert.x {@link TrustOptions} wrapping the matching trust manager factory.
 */
public static TrustOptions recordServerFingerprints(Path knownServersFile, TrustManagerFactory tmf) {
  final TrustManagerFactory factory = TrustManagerFactories.recordServerFingerprints(knownServersFile, tmf);
  return new TrustManagerFactoryWrapper(factory);
}
 
Example #30
Source File: VertxTrustOptions.java    From cava with Apache License 2.0
/**
 * Accept every client certificate, recording the fingerprint of any that is not CA-signed.
 *
 * <p>
 * Unless the client presents a CA-signed certificate, the certificate's common name and
 * fingerprint are written to {@code knownClientsFile}.
 *
 * <p>
 * Important: this authenticates nothing and gives no protection against man-in-the-middle
 * attacks; it only records what was seen.
 *
 * @param knownClientsFile The path to the file in which to record client fingerprints, keyed by
 *        common name.
 * @return A Vert.x {@link TrustOptions} wrapping the matching trust manager factory.
 */
public static TrustOptions recordClientFingerprints(Path knownClientsFile) {
  final TrustManagerFactory factory = TrustManagerFactories.recordClientFingerprints(knownClientsFile);
  return new TrustManagerFactoryWrapper(factory);
}