Class TlsContextConfiguration

java.lang.Object
org.kiwiproject.config.TlsContextConfiguration
All Implemented Interfaces:
KeyAndTrustStoreConfigProvider, TrustStoreConfigProvider

public class TlsContextConfiguration extends Object implements KeyAndTrustStoreConfigProvider
Configuration for standard/common properties required for secure TLS connections.

As this is a configuration class that supports population from external configuration, it is mutable.

NOTE: This requires dropwizard-client as a dependency.

  • Constructor Details

    • TlsContextConfiguration

      public TlsContextConfiguration()
  • Method Details

    • fromDropwizardTlsConfiguration

      public static TlsContextConfiguration fromDropwizardTlsConfiguration(io.dropwizard.client.ssl.TlsConfiguration tlsConfig)
      Given a Dropwizard TlsConfiguration, create a new TlsContextConfiguration.

      Even though TlsContextConfiguration does not permit null trust store properties (per the validation annotations), the TlsConfiguration does. If we encounter this situation, we will be lenient; even though this could possibly cause downstream problems, we will just assume the caller knows what it is doing.

      The Dropwizard TlsConfiguration class does not contain a disableSniHostCheck property, so it cannot transfer and is therefore ignored during conversions. Also note that it is set to false in the returned TlsContextConfiguration since that is the more secure option.

      Parameters:
      tlsConfig - the Dropwizard TlsConfiguration from which to pull information
      Returns:
      a new TlsContextConfiguration instance
      Implementation Note:
      Currently we do not support supportedCiphers or certAlias, which Dropwizard does.
    • toDropwizardTlsConfiguration

      public io.dropwizard.client.ssl.TlsConfiguration toDropwizardTlsConfiguration()
      Convert this TlsContextConfiguration into a Dropwizard TlsConfiguration object. Assumes that this object is valid.

      The Dropwizard TlsConfiguration class does not contain a disableSniHostCheck property, so it cannot transfer and is therefore ignored during conversions.

      Returns:
      a new Dropwizard TlsConfiguration instance
      Implementation Note:
      Requires dropwizard-client as a dependency
    • toSslContextConfiguration

      public SSLContextConfiguration toSslContextConfiguration()
      Convert this configuration into an SSLContextConfiguration.

      Note that SSLContextConfiguration does not have provider, keyStoreProvider, trustStoreProvider, trustSelfSignedCertificates, supportedProtocols, supportedCiphers, or certAlias. As a result, this is a "lossy" conversion since it loses these values.

      Returns:
      the new SSLContextConfiguration instance
    • builder

    • getProtocol

      public String getProtocol()
      The TLS/SSL protocol to use. Default is SSLContextProtocol.TLS_1_2.
      Specified by:
      getProtocol in interface TrustStoreConfigProvider
      Returns:
      protocol
    • getProvider

      public String getProvider()
      The name of the JCE (Java Cryptography Extension) provider to use on the client side for cryptographic support (for example, SunJCE, Conscrypt, BC, etc.).

      For more details, see the "Java Cryptography Architecture (JCA) Reference Guide" section of the Java Security Developer’s Guide.

    • getKeyStorePath

      public String getKeyStorePath()
      Absolute path to the key store.
      Specified by:
      getKeyStorePath in interface KeyAndTrustStoreConfigProvider
      Returns:
      key store path
    • getKeyStorePassword

      public String getKeyStorePassword()
      Key store password.
      Specified by:
      getKeyStorePassword in interface KeyAndTrustStoreConfigProvider
      Returns:
      key store password
    • getKeyStoreType

      public String getKeyStoreType()
      Key store type. Defaults to KeyStoreType.JKS.
      Specified by:
      getKeyStoreType in interface KeyAndTrustStoreConfigProvider
      Returns:
      key store type
    • getKeyStoreProvider

      public String getKeyStoreProvider()
      The name of the provider for the key store, i.e., the value of provider to use when getting the KeyStore instance for the key store.

      For more details, see the "Java Cryptography Architecture (JCA) Reference Guide" section of the Java Security Developer’s Guide.

    • getTrustStorePath

      public String getTrustStorePath()
      Absolute path to the trust store.
      Specified by:
      getTrustStorePath in interface TrustStoreConfigProvider
      Returns:
      path to trust store
    • getTrustStorePassword

      public String getTrustStorePassword()
      Trust store password.
      Specified by:
      getTrustStorePassword in interface TrustStoreConfigProvider
      Returns:
      trust store password
    • getTrustStoreType

      public String getTrustStoreType()
      Trust store type. Defaults to KeyStoreType.JKS.
      Specified by:
      getTrustStoreType in interface TrustStoreConfigProvider
      Returns:
      trust store type
    • getTrustStoreProvider

      public String getTrustStoreProvider()
      The name of the provider for the trust store, i.e., the value of provider to use when getting the KeyStore instance for the trust store.

      For more details, see the "Java Cryptography Architecture (JCA) Reference Guide" section of the Java Security Developer’s Guide.

    • isTrustSelfSignedCertificates

      public boolean isTrustSelfSignedCertificates()
      Whether self-signed certificates should be trusted. Default is false.
    • isVerifyHostname

      public boolean isVerifyHostname()
      Should host names be verified when establishing secure connections? Default is true.
      Specified by:
      isVerifyHostname in interface TrustStoreConfigProvider
      Returns:
      true if hostname verification should be performed
    • isDisableSniHostCheck

      public boolean isDisableSniHostCheck()
      Whether the SNI (Server Name Indication) host check is disabled. Default is false.
    • getSupportedProtocols

      public List<String> getSupportedProtocols()
      List of supported protocols. It can be null. See the implementation note for why.
      Implementation Note:
      Yes, this is null by default. This is due to the Dropwizard TlsConfiguration which has this same property null by default; I suspect this is ultimately due to the (unfortunate) way in which Apache HttpClient's SSLConnectionSocketFactory accepts supportedProtocols in its constructors as arrays that are supposed to be null if you aren't specifying a specific list of them. The HttpClient code does an explicit null check on the supportedProtocols in SSLConnectionSocketFactory.createLayeredSocket(Socket, String, int, org.apache.hc.core5.http.protocol.HttpContext). You will need to look at the source code, as the JavaDoc doesn't mention this tidbit, nor do the constructors since they don't have any documentation regarding their arguments. If you don't like reading source code of the open-source tools you rely on, then please close this file, log out, and change careers.
    • getSupportedCiphers

      public List<String> getSupportedCiphers()
      A list of cipher suites (e.g., TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256) which are supported. All other cipher suites will be refused.

      Note that this can be null for a similar reason as supportedProtocols. See the implementation note on supportedProtocols.

    • getCertAlias

      public String getCertAlias()
      The alias of a specific client certificate to present when authenticating. Use this when the specified keystore has multiple certificates to force use of a non-default certificate.
    • setProtocol

      public void setProtocol(String protocol)
      The TLS/SSL protocol to use. Default is SSLContextProtocol.TLS_1_2.
    • setProvider

      public void setProvider(String provider)
      The name of the JCE (Java Cryptography Extension) provider to use on the client side for cryptographic support (for example, SunJCE, Conscrypt, BC, etc.).

      For more details, see the "Java Cryptography Architecture (JCA) Reference Guide" section of the Java Security Developer’s Guide.

    • setKeyStorePath

      public void setKeyStorePath(String keyStorePath)
      Absolute path to the key store.
    • setKeyStorePassword

      public void setKeyStorePassword(String keyStorePassword)
      Key store password.
    • setKeyStoreType

      public void setKeyStoreType(String keyStoreType)
      Key store type. Defaults to KeyStoreType.JKS.
    • setKeyStoreProvider

      public void setKeyStoreProvider(String keyStoreProvider)
      The name of the provider for the key store, i.e., the value of provider to use when getting the KeyStore instance for the key store.

      For more details, see the "Java Cryptography Architecture (JCA) Reference Guide" section of the Java Security Developer’s Guide.

    • setTrustStorePath

      public void setTrustStorePath(String trustStorePath)
      Absolute path to the trust store.
    • setTrustStorePassword

      public void setTrustStorePassword(String trustStorePassword)
      Trust store password.
    • setTrustStoreType

      public void setTrustStoreType(String trustStoreType)
      Trust store type. Defaults to KeyStoreType.JKS.
    • setTrustStoreProvider

      public void setTrustStoreProvider(String trustStoreProvider)
      The name of the provider for the trust store, i.e., the value of provider to use when getting the KeyStore instance for the trust store.

      For more details, see the "Java Cryptography Architecture (JCA) Reference Guide" section of the Java Security Developer’s Guide.

    • setTrustSelfSignedCertificates

      public void setTrustSelfSignedCertificates(boolean trustSelfSignedCertificates)
      Whether self-signed certificates should be trusted. Default is false.
    • setVerifyHostname

      public void setVerifyHostname(boolean verifyHostname)
      Should host names be verified when establishing secure connections? Default is true.
    • setDisableSniHostCheck

      public void setDisableSniHostCheck(boolean disableSniHostCheck)
      Whether the SNI (Server Name Indication) host check is disabled. Default is false.
    • setSupportedProtocols

      public void setSupportedProtocols(List<String> supportedProtocols)
      List of supported protocols. It can be null. See the implementation note for why.
      Implementation Note:
      Yes, this is null by default. This is due to the Dropwizard TlsConfiguration which has this same property null by default; I suspect this is ultimately due to the (unfortunate) way in which Apache HttpClient's SSLConnectionSocketFactory accepts supportedProtocols in its constructors as arrays that are supposed to be null if you aren't specifying a specific list of them. The HttpClient code does an explicit null check on the supportedProtocols in SSLConnectionSocketFactory.createLayeredSocket(Socket, String, int, org.apache.hc.core5.http.protocol.HttpContext). You will need to look at the source code, as the JavaDoc doesn't mention this tidbit, nor do the constructors since they don't have any documentation regarding their arguments. If you don't like reading source code of the open-source tools you rely on, then please close this file, log out, and change careers.
    • setSupportedCiphers

      public void setSupportedCiphers(List<String> supportedCiphers)
      A list of cipher suites (e.g., TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256) which are supported. All other cipher suites will be refused.

      Note that this can be null for a similar reason as supportedProtocols. See the implementation note on supportedProtocols.

    • setCertAlias

      public void setCertAlias(String certAlias)
      The alias of a specific client certificate to present when authenticating. Use this when the specified keystore has multiple certificates to force use of a non-default certificate.
    • toString

      public String toString()
      Overrides:
      toString in class Object
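
As an added example (not kiwiproject's own code), the following helper uses only the getters and conversion methods documented above to flag settings that weaken a TLS client configuration and to demonstrate that disableSniHostCheck does not survive a Dropwizard round trip. It assumes getProtocol() returns JSSE protocol names such as "TLSv1.2", that dropwizard-client is on the classpath, and uses constructed sample store values.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import org.kiwiproject.config.TlsContextConfiguration;

// Added example, not part of kiwiproject: review a TlsContextConfiguration from a defender's view.
public class TlsConfigReview {

    // Assumption: getProtocol() yields JSSE names; anything older than TLS 1.2 is flagged.
    private static final Set<String> ACCEPTED_PROTOCOLS = Set.of("TLSv1.2", "TLSv1.3");

    /** Returns findings that weaken the connection; an empty list means none were found. */
    public static List<String> weakSettings(TlsContextConfiguration config) {
        List<String> findings = new ArrayList<>();
        if (!config.isVerifyHostname()) {
            findings.add("hostname verification is disabled (verifyHostname=false)");
        }
        if (config.isTrustSelfSignedCertificates()) {
            findings.add("self-signed certificates are trusted (trustSelfSignedCertificates=true)");
        }
        if (config.isDisableSniHostCheck()) {
            findings.add("SNI host check is disabled (disableSniHostCheck=true)");
        }
        if (config.getProtocol() == null || !ACCEPTED_PROTOCOLS.contains(config.getProtocol())) {
            findings.add("protocol is not TLS 1.2 or 1.3: " + config.getProtocol());
        }
        if (config.getSupportedProtocols() == null) {
            // Null is the documented default: the HTTP client's own defaults decide, not this config.
            findings.add("supportedProtocols is null; protocol list is left to HttpClient defaults");
        }
        return findings;
    }

    /** True when disableSniHostCheck is preserved by to/fromDropwizardTlsConfiguration. */
    public static boolean sniSettingSurvivesRoundTrip(TlsContextConfiguration config) {
        TlsContextConfiguration back =
                TlsContextConfiguration.fromDropwizardTlsConfiguration(config.toDropwizardTlsConfiguration());
        return back.isDisableSniHostCheck() == config.isDisableSniHostCheck();
    }

    public static void main(String[] args) {
        TlsContextConfiguration config = new TlsContextConfiguration();
        config.setTrustStorePath("/etc/pki/example/truststore.jks"); // constructed sample path
        config.setTrustStorePassword("changeit");                    // constructed sample value
        config.setVerifyHostname(false);
        config.setDisableSniHostCheck(true);
        weakSettings(config).forEach(f -> System.out.println("WEAK: " + f));
        // Prints false: the Dropwizard TlsConfiguration has no such property, so it comes back as false.
        System.out.println("SNI setting survived round trip: " + sniSettingSurvivesRoundTrip(config));
    }
}
```

Running this against a configuration loaded from external YAML is a cheap pre-deployment check that the mutable setters have not left hostname or SNI verification switched off.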