1 | 1 | /*
|
2 |
| - * Copyright 2012-2020 the original author or authors. |
| 2 | + * Copyright 2012-2022 the original author or authors. |
3 | 3 | *
|
4 | 4 | * Licensed under the Apache License, Version 2.0 (the "License");
|
5 | 5 | * you may not use this file except in compliance with the License.
|
|
19 | 19 | import java.io.FileNotFoundException;
|
20 | 20 |
|
21 | 21 | import org.apache.catalina.connector.Connector;
|
22 |
| -import org.apache.catalina.webresources.TomcatURLStreamHandlerFactory; |
23 | 22 | import org.apache.coyote.ProtocolHandler;
|
24 | 23 | import org.apache.coyote.http11.AbstractHttp11JsseProtocol;
|
25 | 24 | import org.apache.coyote.http11.Http11NioProtocol;
|
26 | 25 | import org.apache.tomcat.util.net.SSLHostConfig;
|
| 26 | +import org.apache.tomcat.util.net.SSLHostConfigCertificate; |
| 27 | +import org.apache.tomcat.util.net.SSLHostConfigCertificate.Type; |
27 | 28 |
|
28 | 29 | import org.springframework.boot.web.server.Ssl;
|
29 | 30 | import org.springframework.boot.web.server.SslStoreProvider;
|
|
36 | 37 | * {@link TomcatConnectorCustomizer} that configures SSL support on the given connector.
|
37 | 38 | *
|
38 | 39 | * @author Brian Clozel
|
| 40 | + * @author Andy Wilkinson |
| 41 | + * @author Scott Frederick |
39 | 42 | */
|
40 | 43 | class SslConnectorCustomizer implements TomcatConnectorCustomizer {
|
41 | 44 |
|
@@ -67,95 +70,102 @@ public void customize(Connector connector) {
|
67 | 70 | */
|
68 | 71 | protected void configureSsl(AbstractHttp11JsseProtocol<?> protocol, Ssl ssl, SslStoreProvider sslStoreProvider) {
|
69 | 72 | protocol.setSSLEnabled(true);
|
70 |
| - protocol.setSslProtocol(ssl.getProtocol()); |
71 |
| - configureSslClientAuth(protocol, ssl); |
| 73 | + SSLHostConfig sslHostConfig = new SSLHostConfig(); |
| 74 | + sslHostConfig.setHostName(protocol.getDefaultSSLHostConfigName()); |
| 75 | + sslHostConfig.setSslProtocol(ssl.getProtocol()); |
| 76 | + protocol.addSslHostConfig(sslHostConfig); |
| 77 | + configureSslClientAuth(sslHostConfig, ssl); |
| 78 | + SSLHostConfigCertificate certificate = new SSLHostConfigCertificate(sslHostConfig, Type.UNDEFINED); |
72 | 79 | if (ssl.getKeyStorePassword() != null) {
|
73 |
| - protocol.setKeystorePass(ssl.getKeyStorePassword()); |
| 80 | + certificate.setCertificateKeystorePassword(ssl.getKeyStorePassword()); |
74 | 81 | }
|
75 | 82 | if (ssl.getKeyPassword() != null) {
|
76 |
| - protocol.setKeyPass(ssl.getKeyPassword()); |
| 83 | + certificate.setCertificateKeyPassword(ssl.getKeyPassword()); |
77 | 84 | }
|
78 |
| - protocol.setKeyAlias(ssl.getKeyAlias()); |
| 85 | + if (ssl.getKeyAlias() != null) { |
| 86 | + certificate.setCertificateKeyAlias(ssl.getKeyAlias()); |
| 87 | + } |
| 88 | + sslHostConfig.addCertificate(certificate); |
79 | 89 | String ciphers = StringUtils.arrayToCommaDelimitedString(ssl.getCiphers());
|
80 | 90 | if (StringUtils.hasText(ciphers)) {
|
81 |
| - protocol.setCiphers(ciphers); |
| 91 | + sslHostConfig.setCiphers(ciphers); |
| 92 | + } |
| 93 | + configureEnabledProtocols(protocol, ssl); |
| 94 | + if (sslStoreProvider != null) { |
| 95 | + configureSslStoreProvider(protocol, sslHostConfig, certificate, sslStoreProvider); |
82 | 96 | }
|
| 97 | + else { |
| 98 | + configureSslKeyStore(certificate, ssl); |
| 99 | + configureSslTrustStore(sslHostConfig, ssl); |
| 100 | + } |
| 101 | + } |
| 102 | + |
| 103 | + private void configureEnabledProtocols(AbstractHttp11JsseProtocol<?> protocol, Ssl ssl) { |
83 | 104 | if (ssl.getEnabledProtocols() != null) {
|
84 | 105 | for (SSLHostConfig sslHostConfig : protocol.findSslHostConfigs()) {
|
85 | 106 | sslHostConfig.setProtocols(StringUtils.arrayToCommaDelimitedString(ssl.getEnabledProtocols()));
|
86 | 107 | }
|
87 | 108 | }
|
88 |
| - if (sslStoreProvider != null) { |
89 |
| - configureSslStoreProvider(protocol, sslStoreProvider); |
90 |
| - } |
91 |
| - else { |
92 |
| - configureSslKeyStore(protocol, ssl); |
93 |
| - configureSslTrustStore(protocol, ssl); |
94 |
| - } |
95 | 109 | }
|
96 | 110 |
|
97 |
| - private void configureSslClientAuth(AbstractHttp11JsseProtocol<?> protocol, Ssl ssl) { |
| 111 | + private void configureSslClientAuth(SSLHostConfig config, Ssl ssl) { |
98 | 112 | if (ssl.getClientAuth() == Ssl.ClientAuth.NEED) {
|
99 |
| - protocol.setClientAuth(Boolean.TRUE.toString()); |
| 113 | + config.setCertificateVerification("required"); |
100 | 114 | }
|
101 | 115 | else if (ssl.getClientAuth() == Ssl.ClientAuth.WANT) {
|
102 |
| - protocol.setClientAuth("want"); |
| 116 | + config.setCertificateVerification("optional"); |
103 | 117 | }
|
104 | 118 | }
|
105 | 119 |
|
106 |
| - protected void configureSslStoreProvider(AbstractHttp11JsseProtocol<?> protocol, |
107 |
| - SslStoreProvider sslStoreProvider) { |
| 120 | + protected void configureSslStoreProvider(AbstractHttp11JsseProtocol<?> protocol, SSLHostConfig sslHostConfig, |
| 121 | + SSLHostConfigCertificate certificate, SslStoreProvider sslStoreProvider) { |
108 | 122 | Assert.isInstanceOf(Http11NioProtocol.class, protocol,
|
109 | 123 | "SslStoreProvider can only be used with Http11NioProtocol");
|
110 |
| - TomcatURLStreamHandlerFactory instance = TomcatURLStreamHandlerFactory.getInstance(); |
111 |
| - instance.addUserFactory(new SslStoreProviderUrlStreamHandlerFactory(sslStoreProvider)); |
112 | 124 | try {
|
113 | 125 | if (sslStoreProvider.getKeyStore() != null) {
|
114 |
| - protocol.setKeystorePass(""); |
115 |
| - protocol.setKeystoreFile(SslStoreProviderUrlStreamHandlerFactory.KEY_STORE_URL); |
| 126 | + certificate.setCertificateKeystore(sslStoreProvider.getKeyStore()); |
116 | 127 | }
|
117 | 128 | if (sslStoreProvider.getTrustStore() != null) {
|
118 |
| - protocol.setTruststorePass(""); |
119 |
| - protocol.setTruststoreFile(SslStoreProviderUrlStreamHandlerFactory.TRUST_STORE_URL); |
| 129 | + sslHostConfig.setTrustStore(sslStoreProvider.getTrustStore()); |
120 | 130 | }
|
121 | 131 | }
|
122 | 132 | catch (Exception ex) {
|
123 | 133 | throw new WebServerException("Could not load store: " + ex.getMessage(), ex);
|
124 | 134 | }
|
125 | 135 | }
|
126 | 136 |
|
127 |
| - private void configureSslKeyStore(AbstractHttp11JsseProtocol<?> protocol, Ssl ssl) { |
| 137 | + private void configureSslKeyStore(SSLHostConfigCertificate certificate, Ssl ssl) { |
128 | 138 | try {
|
129 |
| - protocol.setKeystoreFile(ResourceUtils.getURL(ssl.getKeyStore()).toString()); |
| 139 | + certificate.setCertificateKeystoreFile(ResourceUtils.getURL(ssl.getKeyStore()).toString()); |
130 | 140 | }
|
131 | 141 | catch (Exception ex) {
|
132 | 142 | throw new WebServerException("Could not load key store '" + ssl.getKeyStore() + "'", ex);
|
133 | 143 | }
|
134 | 144 | if (ssl.getKeyStoreType() != null) {
|
135 |
| - protocol.setKeystoreType(ssl.getKeyStoreType()); |
| 145 | + certificate.setCertificateKeystoreType(ssl.getKeyStoreType()); |
136 | 146 | }
|
137 | 147 | if (ssl.getKeyStoreProvider() != null) {
|
138 |
| - protocol.setKeystoreProvider(ssl.getKeyStoreProvider()); |
| 148 | + certificate.setCertificateKeystoreProvider(ssl.getKeyStoreProvider()); |
139 | 149 | }
|
140 | 150 | }
|
141 | 151 |
|
142 |
| - private void configureSslTrustStore(AbstractHttp11JsseProtocol<?> protocol, Ssl ssl) { |
| 152 | + private void configureSslTrustStore(SSLHostConfig sslHostConfig, Ssl ssl) { |
143 | 153 | if (ssl.getTrustStore() != null) {
|
144 | 154 | try {
|
145 |
| - protocol.setTruststoreFile(ResourceUtils.getURL(ssl.getTrustStore()).toString()); |
| 155 | + sslHostConfig.setTruststoreFile(ResourceUtils.getURL(ssl.getTrustStore()).toString()); |
146 | 156 | }
|
147 | 157 | catch (FileNotFoundException ex) {
|
148 | 158 | throw new WebServerException("Could not load trust store: " + ex.getMessage(), ex);
|
149 | 159 | }
|
150 | 160 | }
|
151 | 161 | if (ssl.getTrustStorePassword() != null) {
|
152 |
| - protocol.setTruststorePass(ssl.getTrustStorePassword()); |
| 162 | + sslHostConfig.setTruststorePassword(ssl.getTrustStorePassword()); |
153 | 163 | }
|
154 | 164 | if (ssl.getTrustStoreType() != null) {
|
155 |
| - protocol.setTruststoreType(ssl.getTrustStoreType()); |
| 165 | + sslHostConfig.setTruststoreType(ssl.getTrustStoreType()); |
156 | 166 | }
|
157 | 167 | if (ssl.getTrustStoreProvider() != null) {
|
158 |
| - protocol.setTruststoreProvider(ssl.getTrustStoreProvider()); |
| 168 | + sslHostConfig.setTruststoreProvider(ssl.getTrustStoreProvider()); |
159 | 169 | }
|
160 | 170 | }
|
161 | 171 |
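Review bot: `protocol.addSslHostConfig(sslHostConfig)` at new line 76 of `configureSsl` registers the config under `protocol.getDefaultSSLHostConfigName()` before its certificate, ciphers and stores are applied, and as far as I can tell from Tomcat's `AbstractEndpoint` the single-argument form rejects a second config for an already-registered host name instead of replacing it, so a connector whose default host config already exists (for example because an earlier customizer touched it) would fail here; consider configuring first and registering last with `protocol.addSslHostConfig(sslHostConfig, true);`. A second difference worth confirming: the removed store-provider path set the keystore password to `""`, while the new `configureSslStoreProvider` only sets the `KeyStore` object, so when `ssl.getKeyStorePassword()` and `ssl.getKeyPassword()` are both null the key password presumably falls through to Tomcat's certificate default rather than the empty string the old code used. `configureSslStoreProvider` is protected and its signature gained two parameters but carries no Javadoc; add `@param sslHostConfig`, `@param certificate` lines stating that the provider's trust store and key store are applied to them directly, which would also document why the `Http11NioProtocol` assertion is still required now that the URL stream handler is gone.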