Start line:  
End line:  

Snippet Preview

Snippet HTML Code

Stack Overflow Questions
   //
   //  ========================================================================
   //  Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
   //  ------------------------------------------------------------------------
   //  All rights reserved. This program and the accompanying materials
   //  are made available under the terms of the Eclipse Public License v1.0
   //  and Apache License v2.0 which accompanies this distribution.
   //
   //      The Eclipse Public License is available at
  //      http://www.eclipse.org/legal/epl-v10.html
  //
  //      The Apache License v2.0 is available at
  //      http://www.opensource.org/licenses/apache2.0.php
  //
  //  You may elect to redistribute this code under either of these licenses.
  //  ========================================================================
  //
  
  package org.eclipse.jetty.util.ssl;
  
  import java.io.File;
  import java.util.Arrays;
  import java.util.List;
  import java.util.Set;
  
  
  
  /* ------------------------------------------------------------ */
SslContextFactory is used to configure SSL connectors as well as HttpClient. It holds all SSL parameters and creates SSL context based on these parameters to be used by the SSL connectors.
  
  public class SslContextFactory extends AbstractLifeCycle
  {
      public final static TrustManager[] TRUST_ALL_CERTS = new X509TrustManager[]{new X509TrustManager()
      {
          public java.security.cert.X509Certificate[] getAcceptedIssuers()
          {
              return new java.security.cert.X509Certificate[]{};
          }
  
          public void checkClientTrusted(java.security.cert.X509Certificate[] certsString authType)
          {
          }
  
          public void checkServerTrusted(java.security.cert.X509Certificate[] certsString authType)
          {
          }
      }};
  
      private static final Logger LOG = Log.getLogger(SslContextFactory.class);
  
      public static final String DEFAULT_KEYMANAGERFACTORY_ALGORITHM =
          (Security.getProperty("ssl.KeyManagerFactory.algorithm") == null ?
                  "SunX509" : Security.getProperty("ssl.KeyManagerFactory.algorithm"));
      public static final String DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM =
          (Security.getProperty("ssl.TrustManagerFactory.algorithm") == null ?
                  "SunX509" : Security.getProperty("ssl.TrustManagerFactory.algorithm"));

    
Default value for the keystore location path.
 
     public static final String DEFAULT_KEYSTORE_PATH =
         System.getProperty("user.home") + . + ".keystore";

    
String name of key password property.
 
     public static final String KEYPASSWORD_PROPERTY = "org.eclipse.jetty.ssl.keypassword";

    
String name of keystore password property.
 
     public static final String PASSWORD_PROPERTY = "org.eclipse.jetty.ssl.password";

    
Excluded protocols.
 
     private final Set<String_excludeProtocols = new LinkedHashSet<String>();
    
Included protocols.
 
     private Set<String_includeProtocols = null;

    
Excluded cipher suites.
 
     private final Set<String_excludeCipherSuites = new LinkedHashSet<String>();
    
Included cipher suites.
 
     private Set<String_includeCipherSuites = null;

    
Keystore path.
 
     private String _keyStorePath;
    
Keystore provider name
 
     private String _keyStoreProvider;
    
Keystore type
 
     private String _keyStoreType = "JKS";
    
Keystore input stream
 
     private InputStream _keyStoreInputStream;

    
SSL certificate alias
 
     private String _certAlias;

    
Truststore path
 
     private String _trustStorePath;
    
Truststore provider name
 
     private String _trustStoreProvider;
    
Truststore type
 
     private String _trustStoreType = "JKS";
    
Truststore input stream
 
     private InputStream _trustStoreInputStream;

    
Set to true if client certificate authentication is required
 
     private boolean _needClientAuth = false;
    
Set to true if client certificate authentication is desired
 
     private boolean _wantClientAuth = false;

    
Set to true if renegotiation is allowed
 
     private boolean _allowRenegotiate = true;

    
Keystore password
 
     private transient Password _keyStorePassword;
    
Key manager password
 
     private transient Password _keyManagerPassword;
    
Truststore password
 
     private transient Password _trustStorePassword;

    
SSL provider name
 
     private String _sslProvider;
    
SSL protocol name
 
     private String _sslProtocol = "TLS";

    
SecureRandom algorithm
 
     private String _secureRandomAlgorithm;
    
KeyManager factory algorithm
 
TrustManager factory algorithm
 
Set to true if SSL certificate validation is required
 
     private boolean _validateCerts;
    
Set to true if SSL certificate of the peer validation is required
 
     private boolean _validatePeerCerts;
    
Maximum certification path length (n - number of intermediate certs, -1 for unlimited)
 
     private int _maxCertPathLength = -1;
    
Path to file that contains Certificate Revocation List
 
     private String _crlPath;
    
Set to true to enable CRL Distribution Points (CRLDP) support
 
     private boolean _enableCRLDP = false;
    
Set to true to enable On-Line Certificate Status Protocol (OCSP) support
 
     private boolean _enableOCSP = false;
    
Location of OCSP Responder
 
     private String _ocspResponderURL;

    
SSL keystore
 
     private KeyStore _keyStore;
    
SSL truststore
 
     private KeyStore _trustStore;
    
Set to true to enable SSL Session caching
 
     private boolean _sessionCachingEnabled = true;
    
SSL session cache size
 
     private int _sslSessionCacheSize;
    
SSL session timeout
 
     private int _sslSessionTimeout;

    
SSL context
 
     private SSLContext _context;
 
     private boolean _trustAll;
 
     /* ------------------------------------------------------------ */
    
Construct an instance of SslContextFactory Default constructor for use in XmlConfiguration files
 
     public SslContextFactory()
     {
         =true;
     }
 
     /* ------------------------------------------------------------ */
    
Construct an instance of SslContextFactory Default constructor for use in XmlConfiguration files

Parameters:
trustAll whether to blindly trust all certificates
See also:
setTrustAll(boolean)
 
     public SslContextFactory(boolean trustAll)
     {
         =trustAll;
     }
 
     /* ------------------------------------------------------------ */
    
Construct an instance of SslContextFactory

Parameters:
keyStorePath default keystore location
 
     public SslContextFactory(String keyStorePath)
     {
          = keyStorePath;
     }
 
     /* ------------------------------------------------------------ */
    
Create the SSLContext object and start the lifecycle

 
     @Override
     protected void doStart() throws Exception
     {
         if ( == null)
         {
             if (==null &&  == null &&  == null &&
                 ==null &&  == null &&  == null )
             {
                 TrustManager[] trust_managers=null;
 
                 if ()
                 {
                     .debug("No keystore or trust store configured.  ACCEPTING UNTRUSTED CERTIFICATES!!!!!");
                     // Create a trust manager that does not validate certificate chains
                     trust_managers = ;
                 }
 
                 SecureRandom secureRandom = ( == null)?null:SecureRandom.getInstance();
                  = SSLContext.getInstance();
                 .init(nulltrust_managerssecureRandom);
             }
             else
             {
                 // verify that keystore and truststore
                 // parameters are set up correctly
                 checkKeyStore();
 
                 KeyStore keyStore = loadKeyStore();
                 KeyStore trustStore = loadTrustStore();
 
                 Collection<? extends CRLcrls = loadCRL();
 
                 if ( && keyStore != null)
                 {
                     if ( == null)
                     {
                         List<Stringaliases = Collections.list(keyStore.aliases());
                          = aliases.size() == 1 ? aliases.get(0) : null;
                     }
 
                     Certificate cert =  == null?null:keyStore.getCertificate();
                     if (cert == null)
                     {
                         throw new Exception("No certificate found in the keystore" + (==null ? "":" for alias " + ));
                     }
 
                     CertificateValidator validator = new CertificateValidator(trustStorecrls);
                     validator.setMaxCertPathLength();
                     validator.setEnableCRLDP();
                     validator.setEnableOCSP();
                     validator.setOcspResponderURL();
                     validator.validate(keyStorecert);
                 }
 
                 KeyManager[] keyManagers = getKeyManagers(keyStore);
                 TrustManager[] trustManagers = getTrustManagers(trustStore,crls);
 
                 SecureRandom secureRandom = ( == null)?null:SecureRandom.getInstance();
                  = ( == null)?SSLContext.getInstance():SSLContext.getInstance(,);
                 .init(keyManagers,trustManagers,secureRandom);
 
                 SSLEngine engine=newSslEngine();
 
                 .info("Enabled Protocols {} of {}",Arrays.asList(engine.getEnabledProtocols()),Arrays.asList(engine.getSupportedProtocols()));
                 if (.isDebugEnabled())
                     .debug("Enabled Ciphers   {} of {}",Arrays.asList(engine.getEnabledCipherSuites()),Arrays.asList(engine.getSupportedCipherSuites()));
             }
         }
     }
 
     /* ------------------------------------------------------------ */
    

Returns:
The array of protocol names to exclude from javax.net.ssl.SSLEngine.setEnabledProtocols(java.lang.String[])
 
     public String[] getExcludeProtocols()
     {
         return .toArray(new String[.size()]);
     }
 
     /* ------------------------------------------------------------ */
    

Parameters:
protocols The array of protocol names to exclude from javax.net.ssl.SSLEngine.setEnabledProtocols(java.lang.String[])
 
     public void setExcludeProtocols(String... protocols)
     {
         checkNotStarted();
 
         .clear();
         .addAll(Arrays.asList(protocols));
     }
 
     /* ------------------------------------------------------------ */
    

Parameters:
protocol Protocol names to add to javax.net.ssl.SSLEngine.setEnabledProtocols(java.lang.String[])
 
     public void addExcludeProtocols(String... protocol)
     {
         checkNotStarted();
         .addAll(Arrays.asList(protocol));
     }
 
     /* ------------------------------------------------------------ */
    

Returns:
The array of protocol names to include in javax.net.ssl.SSLEngine.setEnabledProtocols(java.lang.String[])
 
     public String[] getIncludeProtocols()
     {
         return .toArray(new String[.size()]);
     }
 
     /* ------------------------------------------------------------ */
    

Parameters:
protocols The array of protocol names to include in javax.net.ssl.SSLEngine.setEnabledProtocols(java.lang.String[])
 
     public void setIncludeProtocols(String... protocols)
     {
         checkNotStarted();
 
          = new LinkedHashSet<String>(Arrays.asList(protocols));
     }
 
     /* ------------------------------------------------------------ */
    

Returns:
The array of cipher suite names to exclude from javax.net.ssl.SSLEngine.setEnabledCipherSuites(java.lang.String[])
 
     public String[] getExcludeCipherSuites()
     {
         return .toArray(new String[.size()]);
     }
 
     /* ------------------------------------------------------------ */
    

Parameters:
cipherSuites The array of cipher suite names to exclude from javax.net.ssl.SSLEngine.setEnabledCipherSuites(java.lang.String[])
 
     public void setExcludeCipherSuites(String... cipherSuites)
     {
         checkNotStarted();
         .clear();
         .addAll(Arrays.asList(cipherSuites));
     }
 
     /* ------------------------------------------------------------ */
    
 
     public void addExcludeCipherSuites(String... cipher)
     {
         checkNotStarted();
         .addAll(Arrays.asList(cipher));
     }
 
     /* ------------------------------------------------------------ */
    

Returns:
The array of cipher suite names to include in javax.net.ssl.SSLEngine.setEnabledCipherSuites(java.lang.String[])
 
     public String[] getIncludeCipherSuites()
     {
         return .toArray(new String[.size()]);
     }
 
     /* ------------------------------------------------------------ */
    

Parameters:
cipherSuites The array of cipher suite names to include in javax.net.ssl.SSLEngine.setEnabledCipherSuites(java.lang.String[])
 
     public void setIncludeCipherSuites(String... cipherSuites)
     {
         checkNotStarted();
 
          = new LinkedHashSet<String>(Arrays.asList(cipherSuites));
     }
 
     /* ------------------------------------------------------------ */
    

Returns:
The file or URL of the SSL Key store.
 
     public String getKeyStorePath()
     {
         return ;
     }
 
     /* ------------------------------------------------------------ */
     @Deprecated
     public String getKeyStore()
     {
         return ;
     }
 
     /* ------------------------------------------------------------ */
    

Parameters:
keyStorePath The file or URL of the SSL Key store.
 
     public void setKeyStorePath(String keyStorePath)
     {
         checkNotStarted();
 
          = keyStorePath;
     }
 
     /* ------------------------------------------------------------ */
    

Deprecated:
Use setKeyStorePath(java.lang.String)
Parameters:
keyStorePath the file system path or URL of the keystore
 
     @Deprecated
     public void setKeyStore(String keyStorePath)
     {
         checkNotStarted();
 
          = keyStorePath;
     }
 
     /* ------------------------------------------------------------ */
    

Returns:
The provider of the key store
 
     public String getKeyStoreProvider()
     {
         return ;
     }
 
     /* ------------------------------------------------------------ */
    

Parameters:
keyStoreProvider The provider of the key store
 
     public void setKeyStoreProvider(String keyStoreProvider)
     {
         checkNotStarted();
 
          = keyStoreProvider;
     }
 
     /* ------------------------------------------------------------ */
    

Returns:
The type of the key store (default "JKS")
 
     public String getKeyStoreType()
     {
         return ();
     }
 
     /* ------------------------------------------------------------ */
    

Parameters:
keyStoreType The type of the key store (default "JKS")
 
     public void setKeyStoreType(String keyStoreType)
     {
         checkNotStarted();
 
          = keyStoreType;
     }
 
     /* ------------------------------------------------------------ */
    
Get the _keyStoreInputStream.

Deprecated:
Returns:
the _keyStoreInputStream
 
     @Deprecated
     {
         checkKeyStore();
 
         return ;
     }
 
     /* ------------------------------------------------------------ */
    
Set the keyStoreInputStream.

Deprecated:
Use setKeyStore(java.security.KeyStore)
Parameters:
keyStoreInputStream the InputStream to the KeyStore
 
     @Deprecated
     public void setKeyStoreInputStream(InputStream keyStoreInputStream)
     {
         checkNotStarted();
 
          = keyStoreInputStream;
     }
 
     /* ------------------------------------------------------------ */
    

Returns:
Alias of SSL certificate for the connector
 
     public String getCertAlias()
     {
         return ;
     }
 
     /* ------------------------------------------------------------ */
    

Parameters:
certAlias Alias of SSL certificate for the connector
 
     public void setCertAlias(String certAlias)
     {
         checkNotStarted();
 
          = certAlias;
     }
 
     /* ------------------------------------------------------------ */
    

Returns:
The file name or URL of the trust store location
 
     public String getTrustStore()
     {
         return ;
     }
 
     /* ------------------------------------------------------------ */
    

Parameters:
trustStorePath The file name or URL of the trust store location
 
     public void setTrustStore(String trustStorePath)
     {
         checkNotStarted();
 
          = trustStorePath;
     }
 
     /* ------------------------------------------------------------ */
    

Returns:
The provider of the trust store
 
     public String getTrustStoreProvider()
     {
         return ;
     }
 
     /* ------------------------------------------------------------ */
    

Parameters:
trustStoreProvider The provider of the trust store
 
     public void setTrustStoreProvider(String trustStoreProvider)
     {
         checkNotStarted();
 
          = trustStoreProvider;
     }
 
     /* ------------------------------------------------------------ */
    

Returns:
The type of the trust store (default "JKS")
 
     public String getTrustStoreType()
     {
         return ;
     }
 
     /* ------------------------------------------------------------ */
    

Parameters:
trustStoreType The type of the trust store (default "JKS")
 
     public void setTrustStoreType(String trustStoreType)
     {
         checkNotStarted();
 
          = trustStoreType;
     }
 
     /* ------------------------------------------------------------ */
    
Get the _trustStoreInputStream.

Deprecated:
Returns:
the _trustStoreInputStream
 
     @Deprecated
     {
         checkKeyStore();
 
         return ;
     }
 
     /* ------------------------------------------------------------ */
    
Set the _trustStoreInputStream.

Deprecated:
Parameters:
trustStoreInputStream the InputStream to the TrustStore
 
     @Deprecated
     public void setTrustStoreInputStream(InputStream trustStoreInputStream)
     {
         checkNotStarted();
 
          = trustStoreInputStream;
     }
 
     /* ------------------------------------------------------------ */
    

Returns:
True if SSL needs client authentication.
See also:
javax.net.ssl.SSLEngine.getNeedClientAuth()
 
     public boolean getNeedClientAuth()
     {
         return ;
     }
 
     /* ------------------------------------------------------------ */
    

Parameters:
needClientAuth True if SSL needs client authentication.
See also:
javax.net.ssl.SSLEngine.getNeedClientAuth()
 
     public void setNeedClientAuth(boolean needClientAuth)
     {
         checkNotStarted();
 
          = needClientAuth;
     }
 
     /* ------------------------------------------------------------ */
    

Returns:
True if SSL wants client authentication.
See also:
javax.net.ssl.SSLEngine.getWantClientAuth()
 
     public boolean getWantClientAuth()
     {
         return ;
     }
 
     /* ------------------------------------------------------------ */
    

Parameters:
wantClientAuth True if SSL wants client authentication.
See also:
javax.net.ssl.SSLEngine.getWantClientAuth()
 
     public void setWantClientAuth(boolean wantClientAuth)
     {
         checkNotStarted();
 
          = wantClientAuth;
     }
 
     /* ------------------------------------------------------------ */
    

Deprecated:
Returns:
true if SSL certificate has to be validated
 
     @Deprecated
     public boolean getValidateCerts()
     {
         return ;
     }
 
     /* ------------------------------------------------------------ */
    

Returns:
true if SSL certificate has to be validated
 
     public boolean isValidateCerts()
     {
         return ;
     }
 
     /* ------------------------------------------------------------ */
    

Parameters:
validateCerts true if SSL certificates have to be validated
 
     public void setValidateCerts(boolean validateCerts)
     {
         checkNotStarted();
 
          = validateCerts;
     }
 
     /* ------------------------------------------------------------ */
    

Returns:
true if SSL certificates of the peer have to be validated
 
     public boolean isValidatePeerCerts()
     {
         return ;
     }
 
     /* ------------------------------------------------------------ */
    

Parameters:
validatePeerCerts true if SSL certificates of the peer have to be validated
 
     public void setValidatePeerCerts(boolean validatePeerCerts)
     {
         checkNotStarted();
 
          = validatePeerCerts;
     }
 
     /* ------------------------------------------------------------ */
    

Returns:
True if SSL re-negotiation is allowed (default false)
 
     public boolean isAllowRenegotiate()
     {
         return ;
     }
 
     /* ------------------------------------------------------------ */
    
Set if SSL re-negotiation is allowed. CVE-2009-3555 discovered a vulnerability in SSL/TLS with re-negotiation. If your JVM does not have CVE-2009-3555 fixed, then re-negotiation should not be allowed. CVE-2009-3555 was fixed in Sun java 1.6 with a ban of renegotiates in u19 and with RFC5746 in u22.

Parameters:
allowRenegotiate true if re-negotiation is allowed (default false)
 
     public void setAllowRenegotiate(boolean allowRenegotiate)
     {
         checkNotStarted();
 
          = allowRenegotiate;
     }
 
     /* ------------------------------------------------------------ */
    

Parameters:
password The password for the key store
 
     public void setKeyStorePassword(String password)
     {
         checkNotStarted();
 
          = Password.getPassword(,password,null);
     }
 
     /* ------------------------------------------------------------ */
    

Parameters:
password The password (if any) for the specific key within the key store
 
     public void setKeyManagerPassword(String password)
     {
         checkNotStarted();
 
          = Password.getPassword(,password,null);
     }
 
     /* ------------------------------------------------------------ */
    

Parameters:
password The password for the trust store
 
     public void setTrustStorePassword(String password)
     {
         checkNotStarted();
 
          = Password.getPassword(,password,null);
     }
 
     /* ------------------------------------------------------------ */
    

Returns:
The SSL provider name, which if set is passed to javax.net.ssl.SSLContext.getInstance(java.lang.String,java.lang.String)
 
     public String getProvider()
     {
         return ;
     }
 
     /* ------------------------------------------------------------ */
    

Parameters:
provider The SSL provider name, which if set is passed to javax.net.ssl.SSLContext.getInstance(java.lang.String,java.lang.String)
 
     public void setProvider(String provider)
     {
         checkNotStarted();
 
          = provider;
     }
 
     /* ------------------------------------------------------------ */
    

Returns:
The SSL protocol (default "TLS") passed to javax.net.ssl.SSLContext.getInstance(java.lang.String,java.lang.String)
 
     public String getProtocol()
     {
         return ;
     }
 
     /* ------------------------------------------------------------ */
    

Parameters:
protocol The SSL protocol (default "TLS") passed to javax.net.ssl.SSLContext.getInstance(java.lang.String,java.lang.String)
 
     public void setProtocol(String protocol)
     {
         checkNotStarted();
 
          = protocol;
     }
 
     /* ------------------------------------------------------------ */
    
 
     public String getSecureRandomAlgorithm()
     {
         return ;
     }
 
     /* ------------------------------------------------------------ */
    
 
     public void setSecureRandomAlgorithm(String algorithm)
     {
         checkNotStarted();
 
          = algorithm;
     }
 
     /* ------------------------------------------------------------ */
    

Returns:
The algorithm name (default "SunX509") used by the javax.net.ssl.KeyManagerFactory
 
     {
         return ();
     }
 
     /* ------------------------------------------------------------ */
    

Parameters:
algorithm The algorithm name (default "SunX509") used by the javax.net.ssl.KeyManagerFactory
 
     public void setSslKeyManagerFactoryAlgorithm(String algorithm)
     {
         checkNotStarted();
 
          = algorithm;
     }
 
     /* ------------------------------------------------------------ */
    

Returns:
The algorithm name (default "SunX509") used by the javax.net.ssl.TrustManagerFactory
 
     {
         return ();
     }
 
     /* ------------------------------------------------------------ */
    

Returns:
True if all certificates should be trusted if there is no KeyStore or TrustStore
 
     public boolean isTrustAll()
     {
         return ;
     }
 
     /* ------------------------------------------------------------ */
    

Parameters:
trustAll True if all certificates should be trusted if there is no KeyStore or TrustStore
 
     public void setTrustAll(boolean trustAll)
     {
          = trustAll;
     }
 
     /* ------------------------------------------------------------ */
    

Parameters:
algorithm The algorithm name (default "SunX509") used by the javax.net.ssl.TrustManagerFactory Use the string "TrustAll" to install a trust manager that trusts all.
 
     public void setTrustManagerFactoryAlgorithm(String algorithm)
     {
         checkNotStarted();
 
          = algorithm;
     }
 
     /* ------------------------------------------------------------ */
    

Returns:
Path to file that contains Certificate Revocation List
 
     public String getCrlPath()
     {
         return ;
     }
 
     /* ------------------------------------------------------------ */
    

Parameters:
crlPath Path to file that contains Certificate Revocation List
 
     public void setCrlPath(String crlPath)
     {
         checkNotStarted();
 
          = crlPath;
     }
 
     /* ------------------------------------------------------------ */
    

Returns:
Maximum number of intermediate certificates in the certification path (-1 for unlimited)
 
     public int getMaxCertPathLength()
     {
         return ;
     }
 
     /* ------------------------------------------------------------ */
    

Parameters:
maxCertPathLength maximum number of intermediate certificates in the certification path (-1 for unlimited)
 
     public void setMaxCertPathLength(int maxCertPathLength)
     {
         checkNotStarted();
 
          = maxCertPathLength;
     }
 
     /* ------------------------------------------------------------ */
    

Returns:
The SSLContext
 
     public SSLContext getSslContext()
     {
         if (!isStarted())
             throw new IllegalStateException(getState());
         return ;
     }
 
     /* ------------------------------------------------------------ */
    

Parameters:
sslContext Set a preconfigured SSLContext
 
     public void setSslContext(SSLContext sslContext)
     {
         checkNotStarted();
         = sslContext;
    }
    /* ------------------------------------------------------------ */
    
Override this method to provide alternate way to load a keystore.

Returns:
the key store instance
Throws:
java.lang.Exception if the keystore cannot be loaded
    protected KeyStore loadKeyStore() throws Exception
    {
        return  != null ?  : getKeyStore(,
                ,
                ==nullnull.toString());
    }
    /* ------------------------------------------------------------ */
    
Override this method to provide alternate way to load a truststore.

Returns:
the key store instance
Throws:
java.lang.Exception if the truststore cannot be loaded
    protected KeyStore loadTrustStore() throws Exception
    {
        return  != null ?  : getKeyStore(,
                ,  ,
                ==nullnull.toString());
    }
    /* ------------------------------------------------------------ */
    
Loads keystore using an input stream or a file path in the same order of precedence. Required for integrations to be able to override the mechanism used to load a keystore in order to provide their own implementation.

Deprecated:
Parameters:
storeStream keystore input stream
storePath path of keystore file
storeType keystore type
storeProvider keystore provider
storePassword keystore password
Returns:
created keystore
Throws:
java.lang.Exception if the keystore cannot be obtained
    protected KeyStore getKeyStore(InputStream storeStreamString storePathString storeTypeString storeProviderString storePasswordthrows Exception
    {
        return CertificateUtils.getKeyStore(storeStreamstorePathstoreTypestoreProviderstorePassword);
    }
    /* ------------------------------------------------------------ */
    
Loads certificate revocation list (CRL) from a file. Required for integrations to be able to override the mechanism used to load CRL in order to provide their own implementation.

Parameters:
crlPath path of certificate revocation list file
Returns:
Collection of CRL's
Throws:
java.lang.Exception if the certificate revocation list cannot be loaded
    protected Collection<? extends CRLloadCRL(String crlPaththrows Exception
    {
        return CertificateUtils.loadCRL(crlPath);
    }
    /* ------------------------------------------------------------ */
    protected KeyManager[] getKeyManagers(KeyStore keyStorethrows Exception
    {
        KeyManager[] managers = null;
        if (keyStore != null)
        {
            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance();
            keyManagerFactory.init(keyStore, == null?( == null?null:.toString().toCharArray()):.toString().toCharArray());
            managers = keyManagerFactory.getKeyManagers();
            if ( != null)
            {
                for (int idx = 0; idx < managers.lengthidx++)
                {
                    if (managers[idxinstanceof X509KeyManager)
                    {
                        managers[idx] = new AliasedX509ExtendedKeyManager(,(X509KeyManager)managers[idx]);
                    }
                }
            }
        }
        return managers;
    }
    /* ------------------------------------------------------------ */
    protected TrustManager[] getTrustManagers(KeyStore trustStoreCollection<? extends CRLcrlsthrows Exception
    {
        TrustManager[] managers = null;
        if (trustStore != null)
        {
            // Revocation checking is only supported for PKIX algorithm
            if ( && .equalsIgnoreCase("PKIX"))
            {
                PKIXBuilderParameters pbParams = new PKIXBuilderParameters(trustStore,new X509CertSelector());
                // Set maximum certification path length
                pbParams.setMaxPathLength();
                // Make sure revocation checking is enabled
                pbParams.setRevocationEnabled(true);
                if (crls != null && !crls.isEmpty())
                {
                    pbParams.addCertStore(CertStore.getInstance("Collection",new CollectionCertStoreParameters(crls)));
                }
                if ()
                {
                    // Enable Certificate Revocation List Distribution Points (CRLDP) support
                    System.setProperty("com.sun.security.enableCRLDP","true");
                }
                if ()
                {
                    // Enable On-Line Certificate Status Protocol (OCSP) support
                    Security.setProperty("ocsp.enable","true");
                    if ( != null)
                    {
                        // Override location of OCSP Responder
                        Security.setProperty("ocsp.responderURL");
                    }
                }
                TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance();
                trustManagerFactory.init(new CertPathTrustManagerParameters(pbParams));
                managers = trustManagerFactory.getTrustManagers();
            }
            else
            {
                TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance();
                trustManagerFactory.init(trustStore);
                managers = trustManagerFactory.getTrustManagers();
            }
        }
        return managers;
    }
    /* ------------------------------------------------------------ */
    
Check KeyStore Configuration. Ensures that if keystore has been configured but there's no truststore, that keystore is used as truststore.

Throws:
java.lang.IllegalStateException if SslContextFactory configuration can't be used.
    public void checkKeyStore()
    {
        if ( != null)
            return//nothing to check if using preconfigured context
        if ( == null &&  == null &&  == null)
            throw new IllegalStateException("SSL doesn't have a valid keystore");
        // if the keystore has been configured but there is no
        // truststore configured, use the keystore as the truststore
        if ( == null &&  == null &&  == null)
        {
             = ;
             = ;
             = ;
             = ;
             = ;
        }
        // It's the same stream we cannot read it twice, so read it once in memory
        if ( != null &&  == )
        {
            try
            {
                ByteArrayOutputStream baos = new ByteArrayOutputStream();
                IO.copy(baos);
                .close();
                 = new ByteArrayInputStream(baos.toByteArray());
                 = new ByteArrayInputStream(baos.toByteArray());
            }
            catch (Exception ex)
            {
                throw new IllegalStateException(ex);
            }
        }
    }
    /* ------------------------------------------------------------ */
    
Select protocols to be used by the connector based on configured inclusion and exclusion lists as well as enabled and supported protocols.

Parameters:
enabledProtocols Array of enabled protocols
supportedProtocols Array of supported protocols
Returns:
Array of protocols to enable
    public String[] selectProtocols(String[] enabledProtocolsString[] supportedProtocols)
    {
        Set<Stringselected_protocols = new LinkedHashSet<String>();
        // Set the starting protocols - either from the included or enabled list
        if (!=null)
        {
            // Use only the supported included protocols
            for (String protocol : )
                if(Arrays.asList(supportedProtocols).contains(protocol))
                    selected_protocols.add(protocol);
        }
        else
            selected_protocols.addAll(Arrays.asList(enabledProtocols));
        // Remove any excluded protocols
        if ( != null)
            selected_protocols.removeAll();
        return selected_protocols.toArray(new String[selected_protocols.size()]);
    }
    /* ------------------------------------------------------------ */
    
Select cipher suites to be used by the connector based on configured inclusion and exclusion lists as well as enabled and supported cipher suite lists.

Parameters:
enabledCipherSuites Array of enabled cipher suites
supportedCipherSuites Array of supported cipher suites
Returns:
Array of cipher suites to enable
    public String[] selectCipherSuites(String[] enabledCipherSuitesString[] supportedCipherSuites)
    {
        Set<Stringselected_ciphers = new LinkedHashSet<String>();
        // Set the starting ciphers - either from the included or enabled list
        if (!=null)
        {
            // Use only the supported included ciphers
            for (String cipherSuite : )
                if(Arrays.asList(supportedCipherSuites).contains(cipherSuite))
                    selected_ciphers.add(cipherSuite);
        }
        else
            selected_ciphers.addAll(Arrays.asList(enabledCipherSuites));
        // Remove any excluded ciphers
        if ( != null)
            selected_ciphers.removeAll();
        return selected_ciphers.toArray(new String[selected_ciphers.size()]);
    }
    /* ------------------------------------------------------------ */
    
Check if the lifecycle has been started and throw runtime exception
    protected void checkNotStarted()
    {
        if (isStarted())
            throw new IllegalStateException("Cannot modify configuration when "+getState());
    }
    /* ------------------------------------------------------------ */
    

Returns:
true if CRL Distribution Points support is enabled
    public boolean isEnableCRLDP()
    {
        return ;
    }
    /* ------------------------------------------------------------ */
    
Enables CRL Distribution Points Support

Parameters:
enableCRLDP true - turn on, false - turns off
    public void setEnableCRLDP(boolean enableCRLDP)
    {
        checkNotStarted();
         = enableCRLDP;
    }
    /* ------------------------------------------------------------ */
    

Returns:
true if On-Line Certificate Status Protocol support is enabled
    public boolean isEnableOCSP()
    {
        return ;
    }
    /* ------------------------------------------------------------ */
    
Enables On-Line Certificate Status Protocol support

Parameters:
enableOCSP true - turn on, false - turn off
    public void setEnableOCSP(boolean enableOCSP)
    {
        checkNotStarted();
         = enableOCSP;
    }
    /* ------------------------------------------------------------ */
    

Returns:
Location of the OCSP Responder
    public String getOcspResponderURL()
    {
        return ;
    }
    /* ------------------------------------------------------------ */
    
Set the location of the OCSP Responder.

Parameters:
ocspResponderURL location of the OCSP Responder
    public void setOcspResponderURL(String ocspResponderURL)
    {
        checkNotStarted();
         = ocspResponderURL;
    }
    /* ------------------------------------------------------------ */
    
Set the key store.

Parameters:
keyStore the key store to set
    public void setKeyStore(KeyStore keyStore)
    {
        checkNotStarted();
         = keyStore;
    }
    /* ------------------------------------------------------------ */
    
Set the trust store.

Parameters:
trustStore the trust store to set
    public void setTrustStore(KeyStore trustStore)
    {
        checkNotStarted();
         = trustStore;
    }
    /* ------------------------------------------------------------ */
    
Set the key store resource.

Parameters:
resource the key store resource to set
    public void setKeyStoreResource(Resource resource)
    {
        checkNotStarted();
        try
        {
             = resource.getInputStream();
        }
        catch (IOException e)
        {
             throw new InvalidParameterException("Unable to get resource "+
                     "input stream for resource "+resource.toString());
        }
    }
    /* ------------------------------------------------------------ */
    
Set the trust store resource.

Parameters:
resource the trust store resource to set
    public void setTrustStoreResource(Resource resource)
    {
        checkNotStarted();
        try
        {
             = resource.getInputStream();
        }
        catch (IOException e)
        {
             throw new InvalidParameterException("Unable to get resource "+
                     "input stream for resource "+resource.toString());
        }
    }
    /* ------------------------------------------------------------ */
    

Returns:
true if SSL Session caching is enabled
    public boolean isSessionCachingEnabled()
    {
        return ;
    }
    /* ------------------------------------------------------------ */
    
Set the flag to enable SSL Session caching.

Parameters:
enableSessionCaching the value of the flag
    public void setSessionCachingEnabled(boolean enableSessionCaching)
    {
         = enableSessionCaching;
    }
    /* ------------------------------------------------------------ */
    
Get SSL session cache size.

Returns:
SSL session cache size
    public int getSslSessionCacheSize()
    {
        return ;
    }