Java Code Examples for io.netty.handler.ssl.ClientAuth#REQUIRE
The following examples show how to use
io.netty.handler.ssl.ClientAuth#REQUIRE .
Example 1
Source File: ArmeriaReactiveWebServerFactory.java From armeria with Apache License 2.0 | 5 votes |
/**
 * Converts the given {@code Ssl} settings into an Armeria {@code Ssl} configuration.
 *
 * <p>A disabled configuration yields a fresh, default Armeria {@code Ssl}. Otherwise the
 * cipher, protocol, key store and trust store settings are copied across and the client
 * authentication mode is translated: {@code NEED} becomes {@link ClientAuth#REQUIRE} and
 * {@code WANT} becomes {@link ClientAuth#OPTIONAL}. Any other mode, or an unset one, leaves
 * the Armeria client-auth setting {@code null}.
 *
 * @param ssl the source SSL settings
 * @return the equivalent Armeria SSL settings
 */
private static com.linecorp.armeria.spring.Ssl toArmeriaSslConfiguration(Ssl ssl) {
    if (!ssl.isEnabled()) {
        return new com.linecorp.armeria.spring.Ssl();
    }

    // Stays null unless the source explicitly asks for NEED or WANT.
    // NOTE(review): how Armeria treats a null client-auth value is not visible here; confirm
    // it means "no client certificate requested" before relying on it.
    ClientAuth mappedClientAuth = null;
    if (ssl.getClientAuth() != null) {
        switch (ssl.getClientAuth()) {
            case NEED:
                mappedClientAuth = ClientAuth.REQUIRE;
                break;
            case WANT:
                mappedClientAuth = ClientAuth.OPTIONAL;
                break;
            default:
                // Every other mode is left unmapped.
                break;
        }
    }

    // Key and store passwords are passed through unchanged; they must not be logged on the way.
    return new com.linecorp.armeria.spring.Ssl()
            .setEnabled(ssl.isEnabled())
            .setClientAuth(mappedClientAuth)
            .setCiphers(ssl.getCiphers() != null ? ImmutableList.copyOf(ssl.getCiphers()) : null)
            .setEnabledProtocols(ssl.getEnabledProtocols() != null
                                 ? ImmutableList.copyOf(ssl.getEnabledProtocols()) : null)
            .setKeyAlias(ssl.getKeyAlias())
            .setKeyPassword(ssl.getKeyPassword())
            .setKeyStore(ssl.getKeyStore())
            .setKeyStorePassword(ssl.getKeyStorePassword())
            .setKeyStoreType(ssl.getKeyStoreType())
            .setKeyStoreProvider(ssl.getKeyStoreProvider())
            .setTrustStore(ssl.getTrustStore())
            .setTrustStorePassword(ssl.getTrustStorePassword())
            .setTrustStoreType(ssl.getTrustStoreType())
            .setTrustStoreProvider(ssl.getTrustStoreProvider());
}
Example 2
Source File: NettySslFactory.java From ambry with Apache License 2.0 | 5 votes |
/**
 * Maps the configured client authentication mode to a Netty {@link ClientAuth} value.
 *
 * <p>{@code "required"} maps to {@link ClientAuth#REQUIRE} and {@code "requested"} to
 * {@link ClientAuth#OPTIONAL}. The match is exact and case-sensitive; every other value
 * maps to {@link ClientAuth#NONE}.
 *
 * @param config the {@link SSLConfig}.
 * @return the {@link ClientAuth} setting.
 */
static ClientAuth getClientAuth(SSLConfig config) {
  final String mode = config.sslClientAuthentication;
  final ClientAuth result;
  switch (mode) {
    case "required":
      result = ClientAuth.REQUIRE;
      break;
    case "requested":
      result = ClientAuth.OPTIONAL;
      break;
    default:
      // NOTE(review): an unrecognised or misspelled value ends up here and disables client
      // certificate checks without any error. Confirm the value is validated upstream.
      result = ClientAuth.NONE;
      break;
  }
  return result;
}
Example 3
Source File: BaseSslContextFactory.java From zuul with Apache License 2.0 | 5 votes |
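/**
 * Collects the certificates this server trusts when verifying client certificates.
 *
 * <p>When client authentication is {@link ClientAuth#REQUIRE} or {@link ClientAuth#OPTIONAL},
 * every entry of the configured JKS trust store is returned. For any other mode the list is
 * empty and the trust store is not opened.
 *
 * @return the certificates found in the client-auth trust store, possibly empty
 * @throws IllegalArgumentException if neither a trust store password nor a password file is configured
 * @throws CertificateException if a certificate in the trust store cannot be loaded
 * @throws IOException if the password file or trust store cannot be read
 * @throws KeyStoreException if the JKS key store type is unavailable or the store is not initialised
 * @throws NoSuchAlgorithmException if the trust store integrity algorithm is unavailable
 */
protected ArrayList<X509Certificate> getTrustedX509Certificates() throws CertificateException, IOException,
        KeyStoreException, NoSuchAlgorithmException {
    ArrayList<X509Certificate> trustedCerts = new ArrayList<>();

    // Add the certificates from the JKS truststore - ie. the CA's of the client cert that peer Zuul's will use.
    if (serverSslConfig.getClientAuth() == ClientAuth.REQUIRE
            || serverSslConfig.getClientAuth() == ClientAuth.OPTIONAL) {

        // Get the encrypted bytes of the truststore password.
        byte[] trustStorePwdBytes;
        if (serverSslConfig.getClientAuthTrustStorePassword() != null) {
            trustStorePwdBytes = Base64.getDecoder().decode(serverSslConfig.getClientAuthTrustStorePassword());
        } else if (serverSslConfig.getClientAuthTrustStorePasswordFile() != null) {
            trustStorePwdBytes = Files.readAllBytes(serverSslConfig.getClientAuthTrustStorePasswordFile().toPath());
        } else {
            throw new IllegalArgumentException(
                    "Must specify either ClientAuthTrustStorePassword or ClientAuthTrustStorePasswordFile!");
        }

        // Decrypt the truststore password. The decrypted value is a secret and is never logged.
        String trustStorePassword = getTruststorePassword(trustStorePwdBytes);

        final KeyStore trustStore = KeyStore.getInstance("JKS");
        // try-with-resources closes the trust store file even when load() throws.
        try (FileInputStream trustStoreStream =
                     new FileInputStream(serverSslConfig.getClientAuthTrustStoreFile())) {
            trustStore.load(trustStoreStream, trustStorePassword.toCharArray());
        }

        Enumeration<String> aliases = trustStore.aliases();
        while (aliases.hasMoreElements()) {
            // NOTE(review): assumes every entry is an X.509 certificate; any other type fails this cast.
            X509Certificate cert = (X509Certificate) trustStore.getCertificate(aliases.nextElement());
            trustedCerts.add(cert);
        }
    }

    return trustedCerts;
}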
Example 4
Source File: SslHandshakeInfoHandler.java From zuul with Apache License 2.0 | 5 votes |
/**
 * Derives the {@link ClientAuth} mode from the SSL engine behind the given handler.
 *
 * <p>The engine's "need client auth" flag is checked first, so it wins over the "want" flag.
 *
 * @param sslhandler the handler whose engine is inspected
 * @return {@link ClientAuth#REQUIRE} if the engine needs client auth, {@link ClientAuth#OPTIONAL}
 *         if it only wants it, otherwise {@link ClientAuth#NONE}
 */
private ClientAuth whichClientAuthEnum(SslHandler sslhandler) {
    if (sslhandler.engine().getNeedClientAuth()) {
        return ClientAuth.REQUIRE;
    }
    if (sslhandler.engine().getWantClientAuth()) {
        return ClientAuth.OPTIONAL;
    }
    return ClientAuth.NONE;
}
Example 5
Source File: StripUntrustedProxyHeadersHandler.java From zuul with Apache License 2.0 | 5 votes |
/**
 * Reports whether the channel completed a TLS handshake in which a client certificate was mandatory.
 *
 * <p>Only {@link ClientAuth#REQUIRE} counts. A channel with no recorded handshake info, or one
 * whose recorded requirement is anything else (including {@link ClientAuth#OPTIONAL}), yields
 * {@code false}.
 *
 * @param ch the channel whose {@code ATTR_SSL_INFO} attribute is inspected
 * @return {@code true} only when handshake info is present and client auth was required
 */
@VisibleForTesting
boolean connectionIsUsingMutualSSLWithAuthEnforced(Channel ch) {
    final SslHandshakeInfo handshake = ch.attr(SslHandshakeInfoHandler.ATTR_SSL_INFO).get();
    return handshake != null && handshake.getClientAuthRequirement() == ClientAuth.REQUIRE;
}
Example 6
Source File: GremlinServerSslIntegrateTest.java From tinkerpop with Apache License 2.0 | 4 votes |
/**
 * Configure specific Gremlin Server settings for specific tests.
 *
 * <p>The running test's method name selects the SSL setup. Test names not listed below leave
 * {@code settings} untouched.
 *
 * @param settings the server settings to adjust in place
 * @return the same {@code settings} instance
 */
@Override
public Settings overrideSettings(final Settings settings) {
    final String nameOfTest = name.getMethodName();
    switch (nameOfTest) {
        case "shouldEnableSsl":
        case "shouldEnableSslButFailIfClientConnectsWithoutIt": {
            // Server-only TLS: a JKS key store and no client certificate requirement.
            final Settings.SslSettings ssl = new Settings.SslSettings();
            settings.ssl = ssl;
            ssl.enabled = true;
            ssl.keyStore = JKS_SERVER_KEY;
            ssl.keyStorePassword = KEY_PASS;
            ssl.keyStoreType = KEYSTORE_TYPE_JKS;
            break;
        }
        case "shouldEnableSslWithSslContextProgrammaticallySpecified": {
            // The SSL context is supplied directly instead of being built from store settings.
            final Settings.SslSettings ssl = new Settings.SslSettings();
            settings.ssl = ssl;
            ssl.enabled = true;
            ssl.overrideSslContext(createServerSslContext());
            break;
        }
        case "shouldEnableSslAndClientCertificateAuthWithPkcs12": {
            // Mutual TLS with PKCS12 key and trust stores.
            final Settings.SslSettings ssl = new Settings.SslSettings();
            settings.ssl = ssl;
            ssl.enabled = true;
            ssl.needClientAuth = ClientAuth.REQUIRE;
            ssl.keyStore = P12_SERVER_KEY;
            ssl.keyStorePassword = KEY_PASS;
            ssl.keyStoreType = KEYSTORE_TYPE_PKCS12;
            ssl.trustStore = P12_SERVER_TRUST;
            ssl.trustStorePassword = KEY_PASS;
            break;
        }
        case "shouldEnableSslAndClientCertificateAuth":
        case "shouldEnableSslAndClientCertificateAuthAndFailWithoutCert": {
            // Mutual TLS with JKS key and trust stores.
            final Settings.SslSettings ssl = new Settings.SslSettings();
            settings.ssl = ssl;
            ssl.enabled = true;
            ssl.needClientAuth = ClientAuth.REQUIRE;
            ssl.keyStore = JKS_SERVER_KEY;
            ssl.keyStorePassword = KEY_PASS;
            ssl.keyStoreType = KEYSTORE_TYPE_JKS;
            ssl.trustStore = JKS_SERVER_TRUST;
            ssl.trustStorePassword = KEY_PASS;
            break;
        }
        case "shouldEnableSslAndClientCertificateAuthAndFailWithoutTrustedClientCert": {
            // Client certificates are required but no trust store is set here.
            final Settings.SslSettings ssl = new Settings.SslSettings();
            settings.ssl = ssl;
            ssl.enabled = true;
            ssl.needClientAuth = ClientAuth.REQUIRE;
            ssl.keyStore = JKS_SERVER_KEY;
            ssl.keyStorePassword = KEY_PASS;
            ssl.keyStoreType = KEYSTORE_TYPE_JKS;
            break;
        }
        case "shouldEnableSslAndFailIfProtocolsDontMatch": {
            // Going by the test name, the server is pinned to a protocol the client will not offer.
            final Settings.SslSettings ssl = new Settings.SslSettings();
            settings.ssl = ssl;
            ssl.enabled = true;
            ssl.keyStore = JKS_SERVER_KEY;
            ssl.keyStorePassword = KEY_PASS;
            ssl.keyStoreType = KEYSTORE_TYPE_JKS;
            ssl.sslEnabledProtocols = Collections.singletonList("TLSv1.1");
            break;
        }
        case "shouldEnableSslAndFailIfCiphersDontMatch": {
            // Going by the test name, the server is pinned to a cipher suite the client will not offer.
            final Settings.SslSettings ssl = new Settings.SslSettings();
            settings.ssl = ssl;
            ssl.enabled = true;
            ssl.keyStore = JKS_SERVER_KEY;
            ssl.keyStorePassword = KEY_PASS;
            ssl.keyStoreType = KEYSTORE_TYPE_JKS;
            ssl.sslCipherSuites = Collections.singletonList("TLS_DHE_RSA_WITH_AES_128_CBC_SHA");
            break;
        }
        case "shouldEnableSslAndClientCertificateAuthWithDifferentStoreType":
        case "shouldEnableSslAndClientCertificateAuthAndFailWithIncorrectKeyStoreType":
        case "shouldEnableSslAndClientCertificateAuthAndFailWithIncorrectTrustStoreType": {
            // Mutual TLS with a JKS key store and a PKCS12 trust store.
            final Settings.SslSettings ssl = new Settings.SslSettings();
            settings.ssl = ssl;
            ssl.enabled = true;
            ssl.needClientAuth = ClientAuth.REQUIRE;
            ssl.keyStore = JKS_SERVER_KEY;
            ssl.keyStorePassword = KEY_PASS;
            ssl.keyStoreType = KEYSTORE_TYPE_JKS;
            ssl.trustStore = P12_SERVER_TRUST;
            ssl.trustStorePassword = KEY_PASS;
            ssl.trustStoreType = TRUSTSTORE_TYPE_PKCS12;
            break;
        }
    }

    return settings;
}
Example 7
Source File: NettySSLOptionsFactory.java From dropwizard-cassandra with Apache License 2.0 | 4 votes |
/**
 * Validates that a key manager is configured whenever client authentication is required.
 *
 * @return {@code false} only when {@code clientAuth} is {@link ClientAuth#REQUIRE} and
 *         {@code keyManager} is {@code null}; {@code true} in every other case
 */
@ValidationMethod(message = "must define keyManager when clientAuth is REQUIRE")
public boolean isClientAuthConfigValid() {
    // REQUIRE without a key manager is the one combination this check rejects.
    final boolean requireWithoutKeyManager = clientAuth == ClientAuth.REQUIRE && keyManager == null;
    return !requireWithoutKeyManager;
}