📄 sslsocketfactory.java
字号:
/* * ==================================================================== * * The Apache Software License, Version 1.1 * * Copyright (c) 1999 The Apache Software Foundation. All rights * reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The end-user documentation included with the redistribution, if * any, must include the following acknowlegement: * "This product includes software developed by the * Apache Software Foundation (http://www.apache.org/)." * Alternately, this acknowlegement may appear in the software itself, * if and wherever such third-party acknowlegements normally appear. * * 4. The names "The Jakarta Project", "Tomcat", and "Apache Software * Foundation" must not be used to endorse or promote products derived * from this software without prior written permission. For written * permission, please contact apache@apache.org. * * 5. Products derived from this software may not be called "Apache" * nor may "Apache" appear in their names without prior written * permission of the Apache Group. * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * ==================================================================== * * This software consists of voluntary contributions made by many * individuals on behalf of the Apache Software Foundation. For more * information on the Apache Software Foundation, please see * <http://www.apache.org/>. * * [Additional notices, if required by prior licensing conditions] * */ package org.apache.tomcat.net;import java.io.*;import java.net.*;import java.security.KeyStore;import java.security.Security;import javax.net.ServerSocketFactory;import javax.net.ssl.SSLServerSocket;import javax.net.ssl.SSLSocket;import javax.net.ssl.SSLServerSocketFactory;import javax.net.ssl.HandshakeCompletedListener;import javax.net.ssl.HandshakeCompletedEvent;/* 1. Add Jsse's jars into jre/lib/ext 2. Edit java.security, add security.provider.2=com.sun.net.ssl.internal.ssl.Provider 3. keytool -genkey -alias tomcat -keyalg RSA Use "changeit" as password ( this is the default we use ) *//** * SSL server socket factory. It _requires_ a valid RSA key and * JSSE. * * @author Harish Prabandham * @author Costin Manolache * @author Stefan Freyr Stefansson */public class SSLSocketFactory extends org.apache.tomcat.net.ServerSocketFactory{ private boolean clientAuth = false; private SSLServerSocketFactory sslProxy = null; // defaults static String defaultKeystoreFile=System.getProperty("user.home") + File.separator + ".keystore"; static String defaultKeyPass="changeit"; public SSLSocketFactory () { } public ServerSocket createSocket (int port) throws IOException { if( sslProxy == null ) initProxy(); ServerSocket socket = sslProxy.createServerSocket(port); initServerSocket(socket); return socket; } public ServerSocket createSocket (int port, int backlog) throws IOException { if( sslProxy == null ) initProxy(); ServerSocket socket = sslProxy.createServerSocket(port, backlog); initServerSocket(socket); return socket; } public ServerSocket createSocket (int port, int backlog, InetAddress ifAddress) throws IOException { if( sslProxy == null ) initProxy(); ServerSocket socket = sslProxy.createServerSocket(port, backlog, ifAddress); initServerSocket(socket); return socket; } // -------------------- Internal methods /** Read the keystore, init the SSL socket factory */ private void initProxy() throws IOException { try { /** Should client authentication be performed? */ clientAuth = "true".equals(attributes.get("clientAuth")); /** You should have this in java.security, but can't hurt to double check */ Security.addProvider (new sun.security.provider.Sun()); Security.addProvider (new com.sun.net.ssl.internal.ssl.Provider()); String keystoreFile=(String)attributes.get("keystore"); if( keystoreFile==null) keystoreFile=defaultKeystoreFile; String keyPass=(String)attributes.get("keypass"); if( keyPass==null) keyPass=defaultKeyPass; // You can't use ssl without a server certificate. // Create a KeyStore ( to get server certs ) KeyStore kstore = initKeyStore( keystoreFile, keyPass ); // Create a SSLContext ( to create the ssl factory ) // This is the only way to use server sockets with JSSE 1.0.1 com.sun.net.ssl.SSLContext context = com.sun.net.ssl.SSLContext.getInstance("TLS"); //SSL // Key manager will extract the server key com.sun.net.ssl.KeyManagerFactory kmf = com.sun.net.ssl.KeyManagerFactory.getInstance("SunX509"); kmf.init( kstore, keyPass.toCharArray()); // If client authentication is needed, set up TrustManager com.sun.net.ssl.TrustManager[] tm = null; if( clientAuth) { com.sun.net.ssl.TrustManagerFactory tmf = com.sun.net.ssl.TrustManagerFactory.getInstance("SunX509"); tmf.init(kstore); tm = tmf.getTrustManagers(); } // init context with the key managers context.init(kmf.getKeyManagers(), tm, null); // create proxy sslProxy = context.getServerSocketFactory(); return; } catch(Exception e) { if( e instanceof IOException ) throw (IOException)e; throw new IOException(e.getMessage()); } } /** Set server socket properties ( accepted cipher suites, etc) */ private void initServerSocket(ServerSocket ssocket) { SSLServerSocket socket=(SSLServerSocket)ssocket; // We enable all cipher suites when the socket is // connected - XXX make this configurable String cipherSuites[] = socket.getSupportedCipherSuites(); socket.setEnabledCipherSuites(cipherSuites);// if(clientAuth) {// } // we don't know if client auth is needed - // after parsing the request we may re-handshake socket.setNeedClientAuth(clientAuth); } private KeyStore initKeyStore( String keystoreFile, String keyPass) throws IOException { InputStream istream = null; try { KeyStore kstore=KeyStore.getInstance( "JKS" ); istream = new FileInputStream(keystoreFile); kstore.load(istream, keyPass.toCharArray()); return kstore; } catch (FileNotFoundException fnfe) { throw fnfe; } catch (IOException ioe) { throw ioe; } catch(Exception ex) { throw new IOException( "Exception trying to load keystore " + keystoreFile + ": " + ex.getMessage() ); } } /** 3.2-specific hack - allow the socket factory to manipulate the request. This will be replaced with a clean, interceptor based mechanism in 3.3 */ public void preProcessRequest( Socket socket, org.apache.tomcat.core.Request reqA ) { try { //Set the client certificate attribute if appropriate javax.net.ssl.SSLSocket sslSocket = (javax.net.ssl.SSLSocket)socket; javax.security.cert.X509Certificate[] certChain = sslSocket. getSession().getPeerCertificateChain(); if( certChain != null && certChain.length > 0 ) { reqA.setAttribute("tomcat.request.X509CertificateChain", certChain); reqA.setAttribute("javax.servlet.request.X509Certificate", certChain[0]); } } catch( Exception ex ) { } // this is a ssl socket reqA.setScheme( "https" ); }}⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -