in ch-commons-ssl/src/main/java/com/cloudhopper/commons/ssl/SslContextFactory.java [93:168]
private void init() throws Exception {
if (sslContext == null) {
if (keyStoreInputStream == null && sslConfig.getKeyStorePath() == null &&
trustStoreInputStream == null && sslConfig.getTrustStorePath() == null) {
TrustManager[] trust_managers = null;
if (sslConfig.isTrustAll()) {
logger.debug("No keystore or trust store configured. ACCEPTING UNTRUSTED CERTIFICATES!!!!!");
// Create a trust manager that does not validate certificate chains
TrustManager trustAllCerts = new X509TrustManager() {
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return null;
}
public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) {
}
public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) {
}
};
trust_managers = new TrustManager[] { trustAllCerts };
}
SecureRandom secureRandom = (sslConfig.getSecureRandomAlgorithm() == null)?null:
SecureRandom.getInstance(sslConfig.getSecureRandomAlgorithm());
sslContext = SSLContext.getInstance(sslConfig.getProtocol());
sslContext.init(null, trust_managers, secureRandom);
} else {
// verify that keystore and truststore
// parameters are set up correctly
checkKeyStore();
KeyStore keyStore = loadKeyStore();
KeyStore trustStore = loadTrustStore();
Collection<? extends CRL> crls = loadCRL(sslConfig.getCrlPath());
if (sslConfig.isValidateCerts() && keyStore != null) {
if (sslConfig.getCertAlias() == null) {
List<String> aliases = Collections.list(keyStore.aliases());
sslConfig.setCertAlias(aliases.size() == 1 ? aliases.get(0) : null);
}
Certificate cert = sslConfig.getCertAlias() == null?null:
keyStore.getCertificate(sslConfig.getCertAlias());
if (cert == null) {
throw new Exception("No certificate found in the keystore" + (sslConfig.getCertAlias() == null ? "":" for alias " + sslConfig.getCertAlias()));
}
CertificateValidator validator = new CertificateValidator(trustStore, crls);
validator.setMaxCertPathLength(sslConfig.getMaxCertPathLength());
validator.setEnableCRLDP(sslConfig.isEnableCRLDP());
validator.setEnableOCSP(sslConfig.isEnableOCSP());
validator.setOcspResponderURL(sslConfig.getOcspResponderURL());
validator.validate(keyStore, cert);
}
KeyManager[] keyManagers = getKeyManagers(keyStore);
TrustManager[] trustManagers = getTrustManagers(trustStore, crls);
SecureRandom secureRandom = (sslConfig.getSecureRandomAlgorithm() == null)?null:
SecureRandom.getInstance(sslConfig.getSecureRandomAlgorithm());
sslContext = (sslConfig.getProvider() == null)?
SSLContext.getInstance(sslConfig.getProtocol()):
SSLContext.getInstance(sslConfig.getProtocol(), sslConfig.getProvider());
sslContext.init(keyManagers, trustManagers, secureRandom);
SSLEngine engine = newSslEngine();
logger.info("Enabled Protocols {} of {}",
Arrays.asList(engine.getEnabledProtocols()),
Arrays.asList(engine.getSupportedProtocols()));
logger.debug("Enabled Ciphers {} of {}",
Arrays.asList(engine.getEnabledCipherSuites()),
Arrays.asList(engine.getSupportedCipherSuites()));
}
}
}