Use SSLContextBuilder provided by HttpClient to create custom SSL contexts
Project: http://git-wip-us.apache.org/repos/asf/maven-wagon/repo Commit: http://git-wip-us.apache.org/repos/asf/maven-wagon/commit/008accb6 Tree: http://git-wip-us.apache.org/repos/asf/maven-wagon/tree/008accb6 Diff: http://git-wip-us.apache.org/repos/asf/maven-wagon/diff/008accb6 Branch: refs/heads/master Commit: 008accb65f4c49d20c9ca2117ad9a71e4eb3d2a6 Parents: dc8f00e Author: Oleg Kalnichevski <ol...@apache.org> Authored: Tue Sep 24 14:55:23 2013 +0200 Committer: Oleg Kalnichevski <ol...@apache.org> Committed: Tue Sep 24 14:55:23 2013 +0200 ---------------------------------------------------------------------- .../providers/http/AbstractHttpClientWagon.java | 26 +++- .../providers/http/RelaxedTrustStrategy.java | 85 ++++++++++++ .../providers/http/RelaxedX509TrustManager.java | 132 ------------------- 3 files changed, 106 insertions(+), 137 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/maven-wagon/blob/008accb6/wagon-providers/wagon-http/src/main/java/org/apache/maven/wagon/providers/http/AbstractHttpClientWagon.java ---------------------------------------------------------------------- diff --git a/wagon-providers/wagon-http/src/main/java/org/apache/maven/wagon/providers/http/AbstractHttpClientWagon.java b/wagon-providers/wagon-http/src/main/java/org/apache/maven/wagon/providers/http/AbstractHttpClientWagon.java index 0b683ae..0fd7ada 100755 --- a/wagon-providers/wagon-http/src/main/java/org/apache/maven/wagon/providers/http/AbstractHttpClientWagon.java +++ b/wagon-providers/wagon-http/src/main/java/org/apache/maven/wagon/providers/http/AbstractHttpClientWagon.java 
@@ -28,6 +28,9 @@ import java.io.InputStream; import java.io.OutputStream; import java.net.URLEncoder; import java.nio.ByteBuffer; +import java.security.KeyManagementException; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; import java.text.SimpleDateFormat; import java.util.Date; import java.util.Locale; @@ -37,6 +40,7 @@ import java.util.TimeZone; import java.util.concurrent.TimeUnit; import javax.net.ssl.HttpsURLConnection; +import javax.net.ssl.SSLContext; import org.apache.http.Header; import org.apache.http.HttpEntity; @@ -63,6 +67,8 @@ import org.apache.http.config.RegistryBuilder; import org.apache.http.conn.socket.ConnectionSocketFactory; import org.apache.http.conn.socket.PlainConnectionSocketFactory; import org.apache.http.conn.ssl.SSLConnectionSocketFactory; +import org.apache.http.conn.ssl.SSLContextBuilder; +import org.apache.http.conn.ssl.SSLInitializationException; import org.apache.http.entity.AbstractHttpEntity; import org.apache.http.impl.auth.BasicScheme; import org.apache.http.impl.client.BasicAuthCache; 
@@ -281,11 +287,21 @@ public abstract class AbstractHttpClientWagon
 SSLConnectionSocketFactory sslConnectionSocketFactory;
 if ( SSL_INSECURE )
 {
- sslConnectionSocketFactory = new SSLConnectionSocketFactory(
- RelaxedX509TrustManager.createRelaxedSSLContext(IGNORE_SSL_VALIDITY_DATES),
- sslProtocols,
- cipherSuites,
- SSL_ALLOW_ALL ? SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER : SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER );
+ try {
+ SSLContext sslContext = new SSLContextBuilder()
+ .useSSL()
+ .loadTrustMaterial(null, new RelaxedTrustStrategy(IGNORE_SSL_VALIDITY_DATES))
+ .build();
+ sslConnectionSocketFactory = new SSLConnectionSocketFactory(
+ sslContext,
+ sslProtocols,
+ cipherSuites,
+ SSL_ALLOW_ALL ? SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER : SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER );
+ }
+ catch (Exception ex)
+ {
+ throw new SSLInitializationException(ex.getMessage(), ex);
+ }
 }
 else
 {
http://git-wip-us.apache.org/repos/asf/maven-wagon/blob/008accb6/wagon-providers/wagon-http/src/main/java/org/apache/maven/wagon/providers/http/RelaxedTrustStrategy.java
----------------------------------------------------------------------
diff --git a/wagon-providers/wagon-http/src/main/java/org/apache/maven/wagon/providers/http/RelaxedTrustStrategy.java b/wagon-providers/wagon-http/src/main/java/org/apache/maven/wagon/providers/http/RelaxedTrustStrategy.java
new file mode 100644
index 0000000..c700218
--- /dev/null
+++ b/wagon-providers/wagon-http/src/main/java/org/apache/maven/wagon/providers/http/RelaxedTrustStrategy.java
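Review bot: The builder call `.useSSL()` in the SSL_INSECURE branch requests an SSLContext for protocol "SSL", which on the Oracle/OpenJDK providers enables SSLv3 alongside the TLS versions; the same SSLContextBuilder offers `.useTLS()`, and since the removed code also used `SSLContext.getInstance( "SSL" )` this is not a regression, only a missed chance to tighten it. Whether SSLv3 can actually be negotiated depends on the `sslProtocols` argument passed to SSLConnectionSocketFactory, which is defined outside the hunk — if it can be null, the context's full enabled set applies. The `catch (Exception ex)` is broader than needed: `loadTrustMaterial()` and `build()` declare NoSuchAlgorithmException, KeyStoreException and KeyManagementException, which appear to be what the commit's new java.security imports are for, so catching those three (as a multi-catch if the project builds on Java 7) avoids relabelling unrelated runtime exceptions as SSLInitializationException. The `try {` puts the brace on the same line, unlike the `catch (Exception ex)` / `{` directly below it and the rest of the file. The enclosing method continues outside the hunk.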
@@ -0,0 +1,85 @@
+package org.apache.maven.wagon.providers.http;
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import org.apache.http.conn.ssl.SSLInitializationException;
+import org.apache.http.conn.ssl.TrustStrategy;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509TrustManager;
+import java.io.IOException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateNotYetValidException;
+import java.security.cert.X509Certificate;
+
+/**
+ * Relaxed X509 certificate trust manager: can ignore invalid certificate date.
+ *
+ * @author Olivier Lamy
+ * @since 2.0
+ */
+public class RelaxedTrustStrategy
+ implements TrustStrategy
+{
+ private final boolean ignoreSSLValidityDates;
+
+ public RelaxedTrustStrategy(boolean ignoreSSLValidityDates)
+ {
+ this.ignoreSSLValidityDates = ignoreSSLValidityDates;
+ }
+
+ public boolean isTrusted(X509Certificate[] certificates, String authType)
+ throws CertificateException
+ {
+ if ( ( certificates != null ) && ( certificates.length == 1 ) )
+ {
+ try
+ {
+ certificates[0].checkValidity();
+ }
+ catch ( CertificateExpiredException e )
+ {
+ if ( !ignoreSSLValidityDates )
+ {
+ throw e;
+ }
+ }
+ catch ( CertificateNotYetValidException e )
+ {
+ if ( !ignoreSSLValidityDates )
+ {
+ throw e;
+ }
+ }
+ return true;
+ }
+ else
+ {
+ return false;
+ }
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/maven-wagon/blob/008accb6/wagon-providers/wagon-http/src/main/java/org/apache/maven/wagon/providers/http/RelaxedX509TrustManager.java
----------------------------------------------------------------------
diff --git a/wagon-providers/wagon-http/src/main/java/org/apache/maven/wagon/providers/http/RelaxedX509TrustManager.java b/wagon-providers/wagon-http/src/main/java/org/apache/maven/wagon/providers/http/RelaxedX509TrustManager.java
deleted file mode 100644
index 6d54059..0000000
--- a/wagon-providers/wagon-http/src/main/java/org/apache/maven/wagon/providers/http/RelaxedX509TrustManager.java
+++ /dev/null
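Review bot: The class Javadoc on the new RelaxedTrustStrategy says it "can ignore invalid certificate date", but isTrusted() decides more than that: any chain consisting of exactly one certificate is accepted without any issuer or signature check (only the validity window is examined, and even that is skipped when ignoreSSLValidityDates is set), while chains of any other length return false and are left to whatever default trust manager HttpClient falls back to. Since this strategy is only installed when SSL_INSECURE is on, that is presumably intended, but the doc should say so; suggest replacing the summary line with `Trust strategy used in SSL_INSECURE mode: a single-certificate chain (e.g. self-signed) is accepted without issuer verification, optionally ignoring its validity dates; longer chains are not decided here.` The import list is copied from the deleted RelaxedX509TrustManager and most of it (SSLInitializationException, SSLContext, TrustManager, TrustManagerFactory, X509TrustManager, IOException, KeyStore, KeyStoreException, NoSuchAlgorithmException) is unused in this class. `@author Olivier Lamy` and `@since 2.0` were also carried over from the old class and may not describe this one. isTrusted() should carry `@Override` if the project targets Java 6 or later.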
@@ -1,132 +0,0 @@
-package org.apache.maven.wagon.providers.http;
-
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-import org.apache.http.conn.ssl.SSLInitializationException;
-
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.TrustManagerFactory;
-import javax.net.ssl.X509TrustManager;
-import java.io.IOException;
-import java.security.KeyStore;
-import java.security.KeyStoreException;
-import java.security.NoSuchAlgorithmException;
-import java.security.cert.CertificateException;
-import java.security.cert.CertificateExpiredException;
-import java.security.cert.CertificateNotYetValidException;
-import java.security.cert.X509Certificate;
-
-/**
- * Relaxed X509 certificate trust manager: can ignore invalid certificate date.
- *
- * @author Olivier Lamy
- * @since 2.0
- */
-public class RelaxedX509TrustManager
- implements X509TrustManager
-{
- private final X509TrustManager standardTrustManager;
- private final boolean ignoreSSLValidityDates;
-
- public static SSLContext createRelaxedSSLContext( boolean ignoreSSLValidityDates )
- {
- try
- {
- SSLContext context = SSLContext.getInstance( "SSL" );
- context.init( null, new TrustManager[]{
- new RelaxedX509TrustManager( null, ignoreSSLValidityDates ) }, null );
- return context;
- }
- catch ( Exception e )
- {
- throw new SSLInitializationException(e.getMessage(), e);
- }
- }
-
- /**
- * Constructor for EasyX509TrustManager.
- */
- public RelaxedX509TrustManager( KeyStore keystore, boolean ignoreSSLValidityDates )
- throws NoSuchAlgorithmException, KeyStoreException
- {
- super();
- TrustManagerFactory factory = TrustManagerFactory.getInstance( TrustManagerFactory.getDefaultAlgorithm() );
- factory.init( keystore );
- TrustManager[] trustmanagers = factory.getTrustManagers();
- if ( trustmanagers.length == 0 )
- {
- throw new NoSuchAlgorithmException( "no trust manager found" );
- }
- this.standardTrustManager = (X509TrustManager) trustmanagers[0];
- this.ignoreSSLValidityDates = ignoreSSLValidityDates;
- }
-
- /**
- * @see javax.net.ssl.X509TrustManager#checkClientTrusted(X509Certificate[], String authType)
- */
- public void checkClientTrusted( X509Certificate[] certificates, String authType )
- throws CertificateException
- {
- standardTrustManager.checkClientTrusted( certificates, authType );
- }
-
- /**
- * @see javax.net.ssl.X509TrustManager#checkServerTrusted(X509Certificate[], String authType)
- */
- public void checkServerTrusted( X509Certificate[] certificates, String authType )
- throws CertificateException
- {
-
- if ( ( certificates != null ) && ( certificates.length == 1 ) )
- {
- try
- {
- certificates[0].checkValidity();
- }
- catch ( CertificateExpiredException e )
- {
- if ( !ignoreSSLValidityDates )
- {
- throw e;
- }
- }
- catch ( CertificateNotYetValidException e )
- {
- if ( !ignoreSSLValidityDates )
- {
- throw e;
- }
- }
- }
- else
- {
- standardTrustManager.checkServerTrusted( certificates, authType );
- }
- }
-
- /**
- * @see javax.net.ssl.X509TrustManager#getAcceptedIssuers()
- */
- public X509Certificate[] getAcceptedIssuers()
- {
- return this.standardTrustManager.getAcceptedIssuers();
- }
-}