SSL: client auth mode

jknack · jknack · commit e530a6513167 · 2020-06-23T20:03:42.000-03:00
- trust store support on SSLOptions
- implements client auth mode
diff --git a/jooby/src/main/java/io/jooby/SslOptions.java b/jooby/src/main/java/io/jooby/SslOptions.java
@@ -32,6 +32,26 @@
  * @since 2.3.0
  */
 public final class SslOptions {
+  /**
+   * The desired SSL client authentication mode for SSL channels in server mode.
+   */
+  public enum ClientAuth {
+    /**
+     * SSL client authentication is NOT requested.
+     */
+    NONE,
+
+    /**
+     * SSL client authentication is requested but not required.
+     */
+    REQUESTED,
+
+    /**
+     * SSL client authentication is required.
+     */
+    REQUIRED
+  }
+
   /** X509 constant. */
   public static final String X509 = "X509";
 
@@ -44,8 +64,14 @@ public final class SslOptions {
 
   private String cert;
 
+  private String trustCert;
+
+  private String trustPassword;
+
   private String privateKey;
 
+  private ClientAuth clientAuth = ClientAuth.NONE;
+
   /**
    * Certificate type. Default is {@link #PKCS12}.
    *
@@ -89,6 +115,50 @@ public String getType() {
     return this;
   }
 
+  /**
+   * A PKCS12 or X.509 certificate chain file in PEM format. It can be an absolute path or a
+   * classpath resource. Required for {@link ClientAuth#REQUIRED} or {@link ClientAuth#REQUESTED}.
+   *
+   * @return A PKCS12 or X.509 certificate chain file in PEM format. It can be an absolute path or
+   *     a classpath resource. Required for {@link ClientAuth#REQUIRED} or
+   *     {@link ClientAuth#REQUESTED}.
+   */
+  public @Nullable String getTrustCert() {
+    return trustCert;
+  }
+
+  /**
+   * Set certificate path. A PKCS12 or X.509 certificate chain file in PEM format.
+   * It can be an absolute path or a classpath resource. Required.
+   *
+   * @param trustCert Certificate path or location.
+   * @return Ssl options.
+   */
+  public @Nonnull SslOptions setTrustCert(@Nullable String trustCert) {
+    this.trustCert = trustCert;
+    return this;
+  }
+
+  /**
+   * Trust certificate password. Optional.
+   *
+   * @return Trust certificate password. Optional.
+   */
+  public @Nullable String getTrustPassword() {
+    return trustPassword;
+  }
+
+  /**
+   * Set trust certificate password.
+   *
+   * @param password Certificate password.
+   * @return SSL options.
+   */
+  public @Nonnull SslOptions setTrustPassword(@Nullable String password) {
+    this.trustPassword = password;
+    return this;
+  }
+
   /**
    * Private key file location. A PKCS#8 private key file in PEM format. It can be an absolute path
    * or a classpath resource. Required when using X.509 certificates.
@@ -161,6 +231,28 @@ public String getType() {
     return resource;
   }
 
+  /**
+   * The desired SSL client authentication mode for SSL channels in server mode.
+   *
+   * Default is: {@link ClientAuth#REQUESTED}.
+   *
+   * @return desired SSL client authentication mode for SSL channels in server mode.
+   */
+  public @Nonnull ClientAuth getClientAuth() {
+    return clientAuth;
+  }
+
+  /**
+   * Set desired SSL client authentication mode for SSL channels in server mode.
+   *
+   * @param clientAuth The desired SSL client authentication mode for SSL channels in server mode.
+   * @return This options.
+   */
+  public @Nonnull SslOptions setClientAuth(@Nonnull ClientAuth clientAuth) {
+    this.clientAuth = clientAuth;
+    return this;
+  }
+
   @Override public String toString() {
     return type;
   }
@@ -307,10 +399,11 @@ public static SslOptions selfSigned(final String type) {
           String type = conf.hasPath(path + ".type")
               ? conf.getString(path + ".type").toUpperCase()
               : PKCS12;
+          SslOptions options;
           if (type.equalsIgnoreCase("self-signed")) {
-            return SslOptions.selfSigned();
+            options = SslOptions.selfSigned();
           } else {
-            SslOptions options = new SslOptions();
+            options = new SslOptions();
             options.setType(type);
             if (X509.equalsIgnoreCase(type)) {
               options.setCert(conf.getString(path + ".cert"));
@@ -324,8 +417,18 @@ public static SslOptions selfSigned(final String type) {
             } else {
               throw new UnsupportedOperationException("SSL type: " + type);
             }
-            return options;
           }
+          if (conf.hasPath(path + ".clientAuth")) {
+            options.setClientAuth(ClientAuth.valueOf(conf.getString(path + ".clientAuth")
+                .toUpperCase()));
+          }
+          if (conf.hasPath(path + ".trust.cert")) {
+            options.setTrustCert(conf.getString(path + ".trust.cert"));
+          }
+          if (conf.hasPath(path + ".trust.password")) {
+            options.setTrustPassword(conf.getString(path + ".trust.password"));
+          }
+          return options;
         });
   }
 }
diff --git a/jooby/src/main/java/io/jooby/internal/SslPkcs12Provider.java b/jooby/src/main/java/io/jooby/internal/SslPkcs12Provider.java
@@ -5,12 +5,14 @@
  */
 package io.jooby.internal;
 
-import io.jooby.SslOptions;
 import io.jooby.SneakyThrows;
+import io.jooby.SslOptions;
 
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
 import java.io.InputStream;
 import java.security.KeyStore;
 
@@ -21,18 +23,44 @@ public class SslPkcs12Provider implements SslContextProvider {
   }
 
   @Override public SSLContext create(ClassLoader loader, SslOptions options) {
-    try (InputStream crt = options.getResource(loader, options.getCert())) {
-      KeyStore store = KeyStore.getInstance(options.getType());
-      store.load(crt, options.getPassword().toCharArray());
+    try {
+      KeyStore store = keystore(options, loader, options.getCert(), options.getPassword());
       KeyManagerFactory kmf = KeyManagerFactory
           .getInstance(KeyManagerFactory.getDefaultAlgorithm());
-      kmf.init(store, options.getPassword().toCharArray());
+      kmf.init(store, toCharArray(options.getPassword()));
       KeyManager[] kms = kmf.getKeyManagers();
       SSLContext context = SSLContext.getInstance("TLS");
-      context.init(kms, null, null);
+
+      TrustManager[] tms;
+      if (options.getTrustCert() != null) {
+        KeyStore trustStore = keystore(options, loader, options.getTrustCert(),
+            options.getTrustPassword());
+
+        TrustManagerFactory tmf = TrustManagerFactory
+            .getInstance(TrustManagerFactory.getDefaultAlgorithm());
+        tmf.init(trustStore);
+        tms = tmf.getTrustManagers();
+      } else {
+        tms = null;
+      }
+
+      context.init(kms, tms, null);
       return context;
     } catch (Exception x) {
       throw SneakyThrows.propagate(x);
     }
   }
+
+  private KeyStore keystore(SslOptions options, ClassLoader loader, String file, String password)
+      throws Exception {
+    try (InputStream crt = options.getResource(loader, file)) {
+      KeyStore store = KeyStore.getInstance(options.getType());
+      store.load(crt, toCharArray(password));
+      return store;
+    }
+  }
+
+  private char[] toCharArray(String password) {
+    return password == null ? null : password.toCharArray();
+  }
 }
diff --git a/jooby/src/main/java/io/jooby/internal/SslX509Provider.java b/jooby/src/main/java/io/jooby/internal/SslX509Provider.java
@@ -19,7 +19,12 @@ public class SslX509Provider implements SslContextProvider {
 
   @Override public SSLContext create(ClassLoader loader, SslOptions options) {
     try {
-      InputStream trustCert = null;
+      InputStream trustCert;
+      if (options.getTrustCert() == null) {
+        trustCert = null;
+      } else {
+        trustCert = options.getResource(loader, options.getTrustCert());
+      }
       InputStream keyStoreCert = options.getResource(loader, options.getCert());
       InputStream keyStoreKey = options.getResource(loader, options.getPrivateKey());
       String keyStorePass = null;
diff --git a/jooby/src/test/java/io/jooby/SslOptionsTest.java b/jooby/src/test/java/io/jooby/SslOptionsTest.java
@@ -44,12 +44,16 @@ public void shouldLoadPKCS12FromConfig() {
         .withValue("ssl.type", fromAnyRef("pkcs12"))
         .withValue("ssl.cert", fromAnyRef("ssl/test.p12"))
         .withValue("ssl.password", fromAnyRef("changeit"))
+        .withValue("ssl.trust.cert", fromAnyRef("ssl/trust.p12"))
+        .withValue("ssl.trust.password", fromAnyRef("pass"))
         .resolve();
 
     SslOptions options = SslOptions.from(config).get();
     assertEquals(SslOptions.PKCS12, options.getType());
     assertEquals("ssl/test.p12", options.getCert());
     assertEquals("changeit", options.getPassword());
+    assertEquals("ssl/trust.p12", options.getTrustCert());
+    assertEquals("pass", options.getTrustPassword());
   }
 
   @Test
diff --git a/modules/jooby-jetty/src/main/java/io/jooby/jetty/Jetty.java b/modules/jooby-jetty/src/main/java/io/jooby/jetty/Jetty.java
@@ -9,6 +9,7 @@
 import io.jooby.Jooby;
 import io.jooby.ServerOptions;
 import io.jooby.SneakyThrows;
+import io.jooby.SslOptions;
 import io.jooby.WebSocket;
 import io.jooby.internal.jetty.JettyHandler;
 import io.jooby.internal.jetty.JettyWebSocket;
@@ -32,6 +33,7 @@
 import java.net.BindException;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Optional;
 import java.util.concurrent.TimeUnit;
 
 /**
@@ -100,10 +102,19 @@ public class Jetty extends io.jooby.Server.Base {
       server.addConnector(http);
 
       if (options.isSSLEnabled()) {
-        SslContextFactory sslContextFactory = new SslContextFactory.Server();
+        SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
         sslContextFactory
             .setSslContext(options.getSSLContext(application.getEnvironment().getClassLoader()));
 
+        SslOptions.ClientAuth clientAuth = Optional.ofNullable(options.getSsl())
+            .map(SslOptions::getClientAuth)
+            .orElse(SslOptions.ClientAuth.NONE);
+        if (clientAuth == SslOptions.ClientAuth.REQUESTED) {
+          sslContextFactory.setWantClientAuth(true);
+        } else if (clientAuth == SslOptions.ClientAuth.REQUIRED) {
+          sslContextFactory.setNeedClientAuth(true);
+        }
+
         HttpConfiguration httpsConf = new HttpConfiguration(httpConf);
         httpsConf.addCustomizer(new SecureRequestCustomizer());
 
diff --git a/modules/jooby-netty/src/main/java/io/jooby/netty/Netty.java b/modules/jooby-netty/src/main/java/io/jooby/netty/Netty.java
@@ -9,6 +9,7 @@
 import io.jooby.Server;
 import io.jooby.ServerOptions;
 import io.jooby.SneakyThrows;
+import io.jooby.SslOptions;
 import io.jooby.internal.netty.NettyPipeline;
 import io.jooby.internal.netty.NettyTransport;
 import io.netty.bootstrap.ServerBootstrap;
@@ -30,6 +31,7 @@
 import java.net.BindException;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Optional;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
@@ -109,8 +111,13 @@ public class Netty extends Server.Base {
       http.bind(options.getHost(), options.getPort()).get();
 
       if (options.isSSLEnabled()) {
+        SSLContext javaSslContext = options
+            .getSSLContext(application.getEnvironment().getClassLoader());
+        SslOptions.ClientAuth clientAuth = Optional.ofNullable(options.getSsl())
+            .map(SslOptions::getClientAuth)
+            .orElse(SslOptions.ClientAuth.NONE);
         ServerBootstrap https = transport.configure(acceptorloop, eventloop)
-            .childHandler(newPipeline(factory, options.getSSLContext(application.getEnvironment().getClassLoader())))
+            .childHandler(newPipeline(factory, wrap(javaSslContext, toClientAuth(clientAuth))))
             .childOption(ChannelOption.SO_REUSEADDR, true)
             .childOption(ChannelOption.TCP_NODELAY, true);
 
@@ -130,17 +137,28 @@ public class Netty extends Server.Base {
     return this;
   }
 
-  private NettyPipeline newPipeline(HttpDataFactory factory, SSLContext sslContext) {
+  private ClientAuth toClientAuth(SslOptions.ClientAuth clientAuth) {
+    switch (clientAuth) {
+      case REQUIRED:
+        return ClientAuth.REQUIRE;
+      case REQUESTED:
+        return ClientAuth.OPTIONAL;
+      default:
+        return ClientAuth.NONE;
+    }
+  }
+
+  private NettyPipeline newPipeline(HttpDataFactory factory, SslContext sslContext) {
     return new NettyPipeline(
-            acceptorloop.next(),
-            applications.get(0),
-            factory,
-            wrap(sslContext),
-            options.getDefaultHeaders(),
-            options.getCompressionLevel(),
-            options.getBufferSize(),
-            options.getMaxRequestSize()
-        );
+        acceptorloop.next(),
+        applications.get(0),
+        factory,
+        sslContext,
+        options.getDefaultHeaders(),
+        options.getCompressionLevel(),
+        options.getBufferSize(),
+        options.getMaxRequestSize()
+    );
   }
 
   @Nonnull @Override public synchronized Server stop() {
@@ -160,11 +178,8 @@ private NettyPipeline newPipeline(HttpDataFactory factory, SSLContext sslContext
     return this;
   }
 
-  private SslContext wrap(SSLContext sslContext) {
-    if (sslContext != null) {
-      return new JdkSslContext(sslContext, false, null, IdentityCipherSuiteFilter.INSTANCE,
-          ApplicationProtocolConfig.DISABLED, ClientAuth.NONE, null, false);
-    }
-    return null;
+  private SslContext wrap(SSLContext sslContext, ClientAuth clientAuth) {
+    return new JdkSslContext(sslContext, false, null, IdentityCipherSuiteFilter.INSTANCE,
+        ApplicationProtocolConfig.DISABLED, clientAuth, null, false);
   }
 }
diff --git a/modules/jooby-utow/src/main/java/io/jooby/utow/Utow.java b/modules/jooby-utow/src/main/java/io/jooby/utow/Utow.java
