1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17 package io.netty.handler.ssl;
18
19 import io.netty.handler.ssl.util.KeyManagerFactoryWrapper;
20 import io.netty.handler.ssl.util.TrustManagerFactoryWrapper;
21 import io.netty.util.internal.UnstableApi;
22
23 import javax.net.ssl.KeyManager;
24 import javax.net.ssl.KeyManagerFactory;
25 import javax.net.ssl.SSLEngine;
26 import javax.net.ssl.SSLException;
27 import javax.net.ssl.TrustManager;
28 import javax.net.ssl.TrustManagerFactory;
29 import java.io.File;
30 import java.io.InputStream;
31 import java.security.KeyStore;
32 import java.security.PrivateKey;
33 import java.security.Provider;
34 import java.security.SecureRandom;
35 import java.security.cert.X509Certificate;
36 import java.util.ArrayList;
37 import java.util.HashMap;
38 import java.util.List;
39 import java.util.Map;
40
41 import static io.netty.util.internal.EmptyArrays.EMPTY_STRINGS;
42 import static io.netty.util.internal.EmptyArrays.EMPTY_X509_CERTIFICATES;
43 import static io.netty.util.internal.ObjectUtil.checkNotNull;
44 import static io.netty.util.internal.ObjectUtil.checkNotNullWithIAE;
45 import static io.netty.util.internal.ObjectUtil.checkNonEmpty;
46
47
48
49
50 public final class SslContextBuilder {
51 @SuppressWarnings("rawtypes")
52 private static final Map.Entry[] EMPTY_ENTRIES = new Map.Entry[0];
53
54
55
56
57 public static SslContextBuilder forClient() {
58 return new SslContextBuilder(false);
59 }
60
61
62
63
64
65
66
67
68 public static SslContextBuilder forServer(File keyCertChainFile, File keyFile) {
69 return new SslContextBuilder(true).keyManager(keyCertChainFile, keyFile);
70 }
71
72
73
74
75
76
77
78
79
80
81
82
83
84 public static SslContextBuilder forServer(InputStream keyCertChainInputStream, InputStream keyInputStream) {
85 return new SslContextBuilder(true).keyManager(keyCertChainInputStream, keyInputStream);
86 }
87
88
89
90
91
92
93
94
95 public static SslContextBuilder forServer(PrivateKey key, X509Certificate... keyCertChain) {
96 return new SslContextBuilder(true).keyManager(key, keyCertChain);
97 }
98
99
100
101
102
103
104
105
106 public static SslContextBuilder forServer(PrivateKey key, Iterable<? extends X509Certificate> keyCertChain) {
107 return forServer(key, toArray(keyCertChain, EMPTY_X509_CERTIFICATES));
108 }
109
110
111
112
113
114
115
116
117
118
119 public static SslContextBuilder forServer(
120 File keyCertChainFile, File keyFile, String keyPassword) {
121 return new SslContextBuilder(true).keyManager(keyCertChainFile, keyFile, keyPassword);
122 }
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137 public static SslContextBuilder forServer(
138 InputStream keyCertChainInputStream, InputStream keyInputStream, String keyPassword) {
139 return new SslContextBuilder(true).keyManager(keyCertChainInputStream, keyInputStream, keyPassword);
140 }
141
142
143
144
145
146
147
148
149
150
151 public static SslContextBuilder forServer(
152 PrivateKey key, String keyPassword, X509Certificate... keyCertChain) {
153 return new SslContextBuilder(true).keyManager(key, keyPassword, keyCertChain);
154 }
155
156
157
158
159
160
161
162
163
164
165 public static SslContextBuilder forServer(
166 PrivateKey key, String keyPassword, Iterable<? extends X509Certificate> keyCertChain) {
167 return forServer(key, keyPassword, toArray(keyCertChain, EMPTY_X509_CERTIFICATES));
168 }
169
170
171
172
173
174
175
176
177
178
179 public static SslContextBuilder forServer(KeyManagerFactory keyManagerFactory) {
180 return new SslContextBuilder(true).keyManager(keyManagerFactory);
181 }
182
183
184
185
186
187
188 public static SslContextBuilder forServer(KeyManager keyManager) {
189 return new SslContextBuilder(true).keyManager(keyManager);
190 }
191
192 private final boolean forServer;
193 private SslProvider provider;
194 private Provider sslContextProvider;
195 private X509Certificate[] trustCertCollection;
196 private TrustManagerFactory trustManagerFactory;
197 private X509Certificate[] keyCertChain;
198 private PrivateKey key;
199 private String keyPassword;
200 private KeyManagerFactory keyManagerFactory;
201 private Iterable<String> ciphers;
202 private CipherSuiteFilter cipherFilter = IdentityCipherSuiteFilter.INSTANCE;
203 private ApplicationProtocolConfig apn;
204 private long sessionCacheSize;
205 private long sessionTimeout;
206 private ClientAuth clientAuth = ClientAuth.NONE;
207 private String[] protocols;
208 private boolean startTls;
209 private boolean enableOcsp;
210 private SecureRandom secureRandom;
211 private String keyStoreType = KeyStore.getDefaultType();
212 private String endpointIdentificationAlgorithm;
213 private final Map<SslContextOption<?>, Object> options = new HashMap<SslContextOption<?>, Object>();
214
215 private SslContextBuilder(boolean forServer) {
216 this.forServer = forServer;
217 if (!forServer) {
218 endpointIdentificationAlgorithm = "HTTPS";
219 }
220 }
221
222
223
224
225 public <T> SslContextBuilder option(SslContextOption<T> option, T value) {
226 if (value == null) {
227 options.remove(option);
228 } else {
229 options.put(option, value);
230 }
231 return this;
232 }
233
234
235
236
237 public SslContextBuilder sslProvider(SslProvider provider) {
238 this.provider = provider;
239 return this;
240 }
241
242
243
244
245 public SslContextBuilder keyStoreType(String keyStoreType) {
246 this.keyStoreType = keyStoreType;
247 return this;
248 }
249
250
251
252
253
254 public SslContextBuilder sslContextProvider(Provider sslContextProvider) {
255 this.sslContextProvider = sslContextProvider;
256 return this;
257 }
258
259
260
261
262
263 public SslContextBuilder trustManager(File trustCertCollectionFile) {
264 try {
265 return trustManager(SslContext.toX509Certificates(trustCertCollectionFile));
266 } catch (Exception e) {
267 throw new IllegalArgumentException("File does not contain valid certificates: "
268 + trustCertCollectionFile, e);
269 }
270 }
271
272
273
274
275
276
277
278 public SslContextBuilder trustManager(InputStream trustCertCollectionInputStream) {
279 try {
280 return trustManager(SslContext.toX509Certificates(trustCertCollectionInputStream));
281 } catch (Exception e) {
282 throw new IllegalArgumentException("Input stream does not contain valid certificates.", e);
283 }
284 }
285
286
287
288
289 public SslContextBuilder trustManager(X509Certificate... trustCertCollection) {
290 this.trustCertCollection = trustCertCollection != null ? trustCertCollection.clone() : null;
291 trustManagerFactory = null;
292 return this;
293 }
294
295
296
297
298 public SslContextBuilder trustManager(Iterable<? extends X509Certificate> trustCertCollection) {
299 return trustManager(toArray(trustCertCollection, EMPTY_X509_CERTIFICATES));
300 }
301
302
303
304
305 public SslContextBuilder trustManager(TrustManagerFactory trustManagerFactory) {
306 trustCertCollection = null;
307 this.trustManagerFactory = trustManagerFactory;
308 return this;
309 }
310
311
312
313
314
315
316
317
318 public SslContextBuilder trustManager(TrustManager trustManager) {
319 if (trustManager != null) {
320 this.trustManagerFactory = new TrustManagerFactoryWrapper(trustManager);
321 } else {
322 this.trustManagerFactory = null;
323 }
324 trustCertCollection = null;
325 return this;
326 }
327
328
329
330
331
332
333
334
335 public SslContextBuilder keyManager(File keyCertChainFile, File keyFile) {
336 return keyManager(keyCertChainFile, keyFile, null);
337 }
338
339
340
341
342
343
344
345
346
347
348
349
350 public SslContextBuilder keyManager(InputStream keyCertChainInputStream, InputStream keyInputStream) {
351 return keyManager(keyCertChainInputStream, keyInputStream, null);
352 }
353
354
355
356
357
358
359
360
361 public SslContextBuilder keyManager(PrivateKey key, X509Certificate... keyCertChain) {
362 return keyManager(key, null, keyCertChain);
363 }
364
365
366
367
368
369
370
371
372 public SslContextBuilder keyManager(PrivateKey key, Iterable<? extends X509Certificate> keyCertChain) {
373 return keyManager(key, toArray(keyCertChain, EMPTY_X509_CERTIFICATES));
374 }
375
376
377
378
379
380
381
382
383
384
385 public SslContextBuilder keyManager(File keyCertChainFile, File keyFile, String keyPassword) {
386 X509Certificate[] keyCertChain;
387 PrivateKey key;
388 try {
389 keyCertChain = SslContext.toX509Certificates(keyCertChainFile);
390 } catch (Exception e) {
391 throw new IllegalArgumentException("File does not contain valid certificates: " + keyCertChainFile, e);
392 }
393 try {
394 key = SslContext.toPrivateKey(keyFile, keyPassword);
395 } catch (Exception e) {
396 throw new IllegalArgumentException("File does not contain valid private key: " + keyFile, e);
397 }
398 return keyManager(key, keyPassword, keyCertChain);
399 }
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414 public SslContextBuilder keyManager(InputStream keyCertChainInputStream, InputStream keyInputStream,
415 String keyPassword) {
416 X509Certificate[] keyCertChain;
417 PrivateKey key;
418 try {
419 keyCertChain = SslContext.toX509Certificates(keyCertChainInputStream);
420 } catch (Exception e) {
421 throw new IllegalArgumentException("Input stream not contain valid certificates.", e);
422 }
423 try {
424 key = SslContext.toPrivateKey(keyInputStream, keyPassword);
425 } catch (Exception e) {
426 throw new IllegalArgumentException("Input stream does not contain valid private key.", e);
427 }
428 return keyManager(key, keyPassword, keyCertChain);
429 }
430
431
432
433
434
435
436
437
438
439
440 public SslContextBuilder keyManager(PrivateKey key, String keyPassword, X509Certificate... keyCertChain) {
441 if (forServer) {
442 checkNonEmpty(keyCertChain, "keyCertChain");
443 checkNotNull(key, "key required for servers");
444 }
445 if (keyCertChain == null || keyCertChain.length == 0) {
446 this.keyCertChain = null;
447 } else {
448 for (X509Certificate cert: keyCertChain) {
449 checkNotNullWithIAE(cert, "cert");
450 }
451 this.keyCertChain = keyCertChain.clone();
452 }
453 this.key = key;
454 this.keyPassword = keyPassword;
455 keyManagerFactory = null;
456 return this;
457 }
458
459
460
461
462
463
464
465
466
467
468 public SslContextBuilder keyManager(PrivateKey key, String keyPassword,
469 Iterable<? extends X509Certificate> keyCertChain) {
470 return keyManager(key, keyPassword, toArray(keyCertChain, EMPTY_X509_CERTIFICATES));
471 }
472
473
474
475
476
477
478
479
480
481
482
483
484 public SslContextBuilder keyManager(KeyManagerFactory keyManagerFactory) {
485 if (forServer) {
486 checkNotNull(keyManagerFactory, "keyManagerFactory required for servers");
487 }
488 keyCertChain = null;
489 key = null;
490 keyPassword = null;
491 this.keyManagerFactory = keyManagerFactory;
492 return this;
493 }
494
495
496
497
498
499
500
501
502 public SslContextBuilder keyManager(KeyManager keyManager) {
503 if (forServer) {
504 checkNotNull(keyManager, "keyManager required for servers");
505 }
506 if (keyManager != null) {
507 this.keyManagerFactory = new KeyManagerFactoryWrapper(keyManager);
508 } else {
509 this.keyManagerFactory = null;
510 }
511 keyCertChain = null;
512 key = null;
513 keyPassword = null;
514 return this;
515 }
516
517
518
519
520
521 public SslContextBuilder ciphers(Iterable<String> ciphers) {
522 return ciphers(ciphers, IdentityCipherSuiteFilter.INSTANCE);
523 }
524
525
526
527
528
529
530 public SslContextBuilder ciphers(Iterable<String> ciphers, CipherSuiteFilter cipherFilter) {
531 this.cipherFilter = checkNotNull(cipherFilter, "cipherFilter");
532 this.ciphers = ciphers;
533 return this;
534 }
535
536
537
538
539 public SslContextBuilder applicationProtocolConfig(ApplicationProtocolConfig apn) {
540 this.apn = apn;
541 return this;
542 }
543
544
545
546
547
548 public SslContextBuilder sessionCacheSize(long sessionCacheSize) {
549 this.sessionCacheSize = sessionCacheSize;
550 return this;
551 }
552
553
554
555
556
557 public SslContextBuilder sessionTimeout(long sessionTimeout) {
558 this.sessionTimeout = sessionTimeout;
559 return this;
560 }
561
562
563
564
565 public SslContextBuilder clientAuth(ClientAuth clientAuth) {
566 this.clientAuth = checkNotNull(clientAuth, "clientAuth");
567 return this;
568 }
569
570
571
572
573
574
575 public SslContextBuilder protocols(String... protocols) {
576 this.protocols = protocols == null ? null : protocols.clone();
577 return this;
578 }
579
580
581
582
583
584
585 public SslContextBuilder protocols(Iterable<String> protocols) {
586 return protocols(toArray(protocols, EMPTY_STRINGS));
587 }
588
589
590
591
592 public SslContextBuilder startTls(boolean startTls) {
593 this.startTls = startTls;
594 return this;
595 }
596
597
598
599
600
601
602
603 @UnstableApi
604 public SslContextBuilder enableOcsp(boolean enableOcsp) {
605 this.enableOcsp = enableOcsp;
606 return this;
607 }
608
609
610
611
612
613
614
615
616
617
618
619 public SslContextBuilder secureRandom(SecureRandom secureRandom) {
620 this.secureRandom = secureRandom;
621 return this;
622 }
623
624
625
626
627
628
629
630
631
632
633
634 public SslContextBuilder endpointIdentificationAlgorithm(String algorithm) {
635 endpointIdentificationAlgorithm = algorithm;
636 return this;
637 }
638
639
640
641
642
643
644 public SslContext build() throws SSLException {
645 if (forServer) {
646 return SslContext.newServerContextInternal(provider, sslContextProvider, trustCertCollection,
647 trustManagerFactory, keyCertChain, key, keyPassword, keyManagerFactory,
648 ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout, clientAuth, protocols, startTls,
649 enableOcsp, secureRandom, keyStoreType, toArray(options.entrySet(), EMPTY_ENTRIES));
650 } else {
651 return SslContext.newClientContextInternal(provider, sslContextProvider, trustCertCollection,
652 trustManagerFactory, keyCertChain, key, keyPassword, keyManagerFactory,
653 ciphers, cipherFilter, apn, protocols, sessionCacheSize,
654 sessionTimeout, enableOcsp, secureRandom, keyStoreType, endpointIdentificationAlgorithm,
655 toArray(options.entrySet(), EMPTY_ENTRIES));
656 }
657 }
658
659 private static <T> T[] toArray(Iterable<? extends T> iterable, T[] prototype) {
660 if (iterable == null) {
661 return null;
662 }
663 final List<T> list = new ArrayList<T>();
664 for (T element : iterable) {
665 list.add(element);
666 }
667 return list.toArray(prototype);
668 }
669 }