public abstract class X509Util extends Object implements Closeable, AutoCloseable
Modifier and Type | Class and Description |
---|---|
static class |
X509Util.ClientAuth
Enum specifying the client auth requirement of server-side TLS sockets created by this X509Util.
|
Modifier and Type | Field and Description |
---|---|
static int |
DEFAULT_HANDSHAKE_DETECTION_TIMEOUT_MILLIS |
static String |
DEFAULT_PROTOCOL |
Modifier and Type | Method and Description |
---|---|
void |
close()
Disables automatic reloading of the trust store and key store files when they change on disk.
|
static X509KeyManager |
createKeyManager(String keyStoreLocation,
String keyStorePassword,
String keyStoreTypeProp)
Creates a key manager by loading the key store from the given file of
the given type, optionally decrypting it using the given password.
|
SSLContext |
createSSLContext(ZKConfig config) |
SSLContextAndOptions |
createSSLContextAndOptions(ZKConfig config) |
SSLContextAndOptions |
createSSLContextAndOptionsFromConfig(ZKConfig config) |
SSLServerSocket |
createSSLServerSocket() |
SSLServerSocket |
createSSLServerSocket(int port) |
SSLSocket |
createSSLSocket() |
SSLSocket |
createSSLSocket(Socket socket,
byte[] pushbackBytes) |
static X509TrustManager |
createTrustManager(String trustStoreLocation,
String trustStorePassword,
String trustStoreTypeProp,
boolean crlEnabled,
boolean ocspEnabled,
boolean serverHostnameVerificationEnabled,
boolean clientHostnameVerificationEnabled)
Creates a trust manager by loading the trust store from the given file
of the given type, optionally decrypting it using the given password.
|
void |
enableCertFileReloading()
Enables automatic reloading of the trust store and key store files when they change on disk.
|
String |
getCipherSuitesProperty() |
protected abstract String |
getConfigPrefix() |
SSLContext |
getDefaultSSLContext() |
SSLContextAndOptions |
getDefaultSSLContextAndOptions() |
String |
getSslCipherSuitesProperty() |
String |
getSslClientAuthProperty() |
String |
getSslContextSupplierClassProperty() |
String |
getSslCrlEnabledProperty() |
String |
getSslEnabledProtocolsProperty() |
String |
getSslHandshakeDetectionTimeoutMillisProperty()
Returns the config property key that controls the amount of time, in milliseconds, that the first
UnifiedServerSocket read operation will block for when trying to detect the client mode (TLS or PLAINTEXT).
|
int |
getSslHandshakeTimeoutMillis()
Returns the max amount of time, in milliseconds, that the first UnifiedServerSocket read() operation should
block for when trying to detect the client mode (TLS or PLAINTEXT).
|
String |
getSslHostnameVerificationEnabledProperty() |
String |
getSslKeystoreLocationProperty() |
String |
getSslKeystorePasswdProperty() |
String |
getSslKeystoreTypeProperty() |
String |
getSslOcspEnabledProperty() |
String |
getSslProtocolProperty() |
String |
getSslTruststoreLocationProperty() |
String |
getSslTruststorePasswdProperty() |
String |
getSslTruststoreTypeProperty() |
static KeyStore |
loadKeyStore(String keyStoreLocation,
String keyStorePassword,
String keyStoreTypeProp) |
static KeyStore |
loadTrustStore(String trustStoreLocation,
String trustStorePassword,
String trustStoreTypeProp) |
protected abstract boolean |
shouldVerifyClientHostname() |
public static final String DEFAULT_PROTOCOL
public static final int DEFAULT_HANDSHAKE_DETECTION_TIMEOUT_MILLIS
public X509Util()
public X509Util(ZKConfig zkConfig)
protected abstract String getConfigPrefix()
protected abstract boolean shouldVerifyClientHostname()
public String getSslProtocolProperty()
public String getSslEnabledProtocolsProperty()
public String getCipherSuitesProperty()
public String getSslKeystoreLocationProperty()
public String getSslCipherSuitesProperty()
public String getSslKeystorePasswdProperty()
public String getSslKeystoreTypeProperty()
public String getSslTruststoreLocationProperty()
public String getSslTruststorePasswdProperty()
public String getSslTruststoreTypeProperty()
public String getSslContextSupplierClassProperty()
public String getSslHostnameVerificationEnabledProperty()
public String getSslCrlEnabledProperty()
public String getSslOcspEnabledProperty()
public String getSslClientAuthProperty()
public String getSslHandshakeDetectionTimeoutMillisProperty()
public SSLContext getDefaultSSLContext() throws X509Exception.SSLContextException
public SSLContext createSSLContext(ZKConfig config) throws X509Exception.SSLContextException
public SSLContextAndOptions getDefaultSSLContextAndOptions() throws X509Exception.SSLContextException
public int getSslHandshakeTimeoutMillis()
Default: DEFAULT_HANDSHAKE_DETECTION_TIMEOUT_MILLIS.
public SSLContextAndOptions createSSLContextAndOptions(ZKConfig config) throws X509Exception.SSLContextException
public SSLContextAndOptions createSSLContextAndOptionsFromConfig(ZKConfig config) throws X509Exception.SSLContextException
public static KeyStore loadKeyStore(String keyStoreLocation, String keyStorePassword, String keyStoreTypeProp) throws IOException, GeneralSecurityException
IOException
GeneralSecurityException
public static KeyStore loadTrustStore(String trustStoreLocation, String trustStorePassword, String trustStoreTypeProp) throws IOException, GeneralSecurityException
IOException
GeneralSecurityException
public static X509KeyManager createKeyManager(String keyStoreLocation, String keyStorePassword, String keyStoreTypeProp) throws X509Exception.KeyManagerException
keyStoreLocation
- the location of the key store file.
keyStorePassword
- optional password to decrypt the key store. If empty, assumes the key store is not encrypted.
keyStoreTypeProp
- must be JKS, PEM, PKCS12, BCFKS or null. If null, attempts to autodetect the key store type from the file extension (e.g. .jks / .pem).
X509Exception.KeyManagerException
- if something goes wrong.
public static X509TrustManager createTrustManager(String trustStoreLocation, String trustStorePassword, String trustStoreTypeProp, boolean crlEnabled, boolean ocspEnabled, boolean serverHostnameVerificationEnabled, boolean clientHostnameVerificationEnabled) throws X509Exception.TrustManagerException
trustStoreLocation
- the location of the trust store file.
trustStorePassword
- optional password to decrypt the trust store (only applies to JKS trust stores). If empty, assumes the trust store is not encrypted.
trustStoreTypeProp
- must be JKS, PEM, PKCS12, BCFKS or null. If null, attempts to autodetect the trust store type from the file extension (e.g. .jks / .pem).
crlEnabled
- enable CRL (certificate revocation list) checks.
ocspEnabled
- enable OCSP (online certificate status protocol) checks.
serverHostnameVerificationEnabled
- if true, verify hostnames of remote servers that client sockets created by this X509Util connect to.
clientHostnameVerificationEnabled
- if true, verify hostnames of remote clients that server sockets created by this X509Util accept connections from.
X509Exception.TrustManagerException
- if something goes wrong.
public SSLSocket createSSLSocket() throws X509Exception, IOException
X509Exception
IOException
public SSLSocket createSSLSocket(Socket socket, byte[] pushbackBytes) throws X509Exception, IOException
X509Exception
IOException
public SSLServerSocket createSSLServerSocket() throws X509Exception, IOException
X509Exception
IOException
public SSLServerSocket createSSLServerSocket(int port) throws X509Exception, IOException
X509Exception
IOException
public void enableCertFileReloading() throws IOException
IOException
- if creating the FileChangeWatcher objects fails.
public void close()
close
in interface Closeable
close
in interface AutoCloseable