Skip to content

Commit

Permalink
Fix #74 and refactoring
Browse files Browse the repository at this point in the history
  • Loading branch information
@vroyer
vroyer committed Feb 15, 2017
1 parent 0f4b05c commit 543becd
Show file tree
Hide file tree
Showing 10 changed files with 206 additions and 194 deletions.
3 changes: 3 additions & 0 deletions CHANGES.txt
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,6 @@
2.4.2-8 - 2017-02-15
* Fix support for uuid and timeuuid Cassandra Types #74

2.4.2-7 - 2017-02-09
* Enable support for multi-threading rebuild_index on Cassandra 3.
* Add new _meta fields in order to index static columns.
Expand Down
171 changes: 61 additions & 110 deletions ...apache/cassandra/security/SSLFactory.java → ...apache/cassandra/security/SSLFactory.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,6 @@
import java.util.Enumeration;
import java.util.List;

import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
Expand Down Expand Up @@ -57,152 +56,104 @@ public final class SSLFactory
public static final String[] ACCEPTED_PROTOCOLS = new String[] {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"};
private static boolean checkedExpiry = false;

private static SSLContext ctx;
private static TrustManager trustManagers[] = null;
private static KeyManager keyManagers[] = null;

public static SSLContext getSSLContext() {
return ctx;
}

public static TrustManager[] getTrustManagers() {
return trustManagers;
}

public static KeyManager[] getKetManagers() {
return keyManagers;
}

public static SSLServerSocket getServerSocket(EncryptionOptions options, InetAddress address, int port) throws IOException
{
SSLContext ctx = createSSLContext(options, true);
SSLServerSocket serverSocket = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket();
try
{
serverSocket.setReuseAddress(true);
String[] suites = filterCipherSuites(serverSocket.getSupportedCipherSuites(), options.cipher_suites);
serverSocket.setEnabledCipherSuites(suites);
serverSocket.setNeedClientAuth(options.require_client_auth);
serverSocket.setEnabledProtocols(ACCEPTED_PROTOCOLS);
serverSocket.bind(new InetSocketAddress(address, port), 500);
return serverSocket;
}
catch (IllegalArgumentException | SecurityException | IOException e)
{
serverSocket.close();
throw e;
}
SSLServerSocket serverSocket = (SSLServerSocket)ctx.getServerSocketFactory().createServerSocket();
serverSocket.setReuseAddress(true);
String[] suites = filterCipherSuites(serverSocket.getSupportedCipherSuites(), options.cipher_suites);
serverSocket.setEnabledCipherSuites(suites);
serverSocket.setNeedClientAuth(options.require_client_auth);
serverSocket.setEnabledProtocols(ACCEPTED_PROTOCOLS);
serverSocket.bind(new InetSocketAddress(address, port), 500);
return serverSocket;
}

/** Create a socket and connect */
public static SSLSocket getSocket(EncryptionOptions options, InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException
{
SSLContext ctx = createSSLContext(options, true);
SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(address, port, localAddress, localPort);
try
{
String[] suites = filterCipherSuites(socket.getSupportedCipherSuites(), options.cipher_suites);
socket.setEnabledCipherSuites(suites);
socket.setEnabledProtocols(ACCEPTED_PROTOCOLS);
return socket;
}
catch (IllegalArgumentException e)
{
socket.close();
throw e;
}
String[] suites = filterCipherSuites(socket.getSupportedCipherSuites(), options.cipher_suites);
socket.setEnabledCipherSuites(suites);
socket.setEnabledProtocols(ACCEPTED_PROTOCOLS);
return socket;
}

/** Create a socket and connect, using any local address */
public static SSLSocket getSocket(EncryptionOptions options, InetAddress address, int port) throws IOException
{
SSLContext ctx = createSSLContext(options, true);
SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(address, port);
try
{
String[] suites = filterCipherSuites(socket.getSupportedCipherSuites(), options.cipher_suites);
socket.setEnabledCipherSuites(suites);
socket.setEnabledProtocols(ACCEPTED_PROTOCOLS);
return socket;
}
catch (IllegalArgumentException e)
{
socket.close();
throw e;
}
String[] suites = filterCipherSuites(socket.getSupportedCipherSuites(), options.cipher_suites);
socket.setEnabledCipherSuites(suites);
socket.setEnabledProtocols(ACCEPTED_PROTOCOLS);
return socket;
}

/** Just create a socket */
public static SSLSocket getSocket(EncryptionOptions options) throws IOException
{
SSLContext ctx = createSSLContext(options, true);
SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket();
try
{
String[] suites = filterCipherSuites(socket.getSupportedCipherSuites(), options.cipher_suites);
socket.setEnabledCipherSuites(suites);
socket.setEnabledProtocols(ACCEPTED_PROTOCOLS);
return socket;
}
catch (IllegalArgumentException e)
{
socket.close();
throw e;
}
String[] suites = filterCipherSuites(socket.getSupportedCipherSuites(), options.cipher_suites);
socket.setEnabledCipherSuites(suites);
socket.setEnabledProtocols(ACCEPTED_PROTOCOLS);
return socket;
}

@SuppressWarnings("resource")
public static SSLContext createSSLContext(EncryptionOptions options, boolean buildTruststore) throws IOException
{
FileInputStream tsf = null;
FileInputStream ksf = null;

if (ctx == null) {
try
SSLContext ctx;
try
{
ctx = SSLContext.getInstance(options.protocol);
TrustManager[] trustManagers = null;

if(buildTruststore)
{
ctx = SSLContext.getInstance(options.protocol);

if(buildTruststore)
{
tsf = new FileInputStream(options.truststore);
TrustManagerFactory tmf = TrustManagerFactory.getInstance(options.algorithm);
KeyStore ts = KeyStore.getInstance(options.store_type);
ts.load(tsf, options.truststore_password.toCharArray());
tmf.init(ts);
trustManagers = tmf.getTrustManagers();
}

ksf = new FileInputStream(options.keystore);
KeyManagerFactory kmf = KeyManagerFactory.getInstance(options.algorithm);
KeyStore ks = KeyStore.getInstance(options.store_type);
ks.load(ksf, options.keystore_password.toCharArray());
if (!checkedExpiry)
tsf = new FileInputStream(options.truststore);
TrustManagerFactory tmf = TrustManagerFactory.getInstance(options.algorithm);
KeyStore ts = KeyStore.getInstance(options.store_type);
ts.load(tsf, options.truststore_password.toCharArray());
tmf.init(ts);
trustManagers = tmf.getTrustManagers();
}

ksf = new FileInputStream(options.keystore);
KeyManagerFactory kmf = KeyManagerFactory.getInstance(options.algorithm);
KeyStore ks = KeyStore.getInstance(options.store_type);
ks.load(ksf, options.keystore_password.toCharArray());
if (!checkedExpiry)
{
for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements(); )
{
for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements(); )
String alias = aliases.nextElement();
if (ks.getCertificate(alias).getType().equals("X.509"))
{
String alias = aliases.nextElement();
if (ks.getCertificate(alias).getType().equals("X.509"))
{
Date expires = ((X509Certificate) ks.getCertificate(alias)).getNotAfter();
if (expires.before(new Date()))
logger.warn("Certificate for {} expired on {}", alias, expires);
}
Date expires = ((X509Certificate) ks.getCertificate(alias)).getNotAfter();
if (expires.before(new Date()))
logger.warn("Certificate for {} expired on {}", alias, expires);
}
checkedExpiry = true;
}
kmf.init(ks, options.keystore_password.toCharArray());
keyManagers = kmf.getKeyManagers();
ctx.init(kmf.getKeyManagers(), trustManagers, null);
}
catch (Exception e)
{
throw new IOException("Error creating the initializing the SSL Context", e);
}
finally
{
FileUtils.closeQuietly(tsf);
FileUtils.closeQuietly(ksf);
checkedExpiry = true;
}
kmf.init(ks, options.keystore_password.toCharArray());

ctx.init(kmf.getKeyManagers(), trustManagers, null);

}
catch (Exception e)
{
throw new IOException("Error creating the initializing the SSL Context", e);
}
finally
{
FileUtils.closeQuietly(tsf);
FileUtils.closeQuietly(ksf);
}
return ctx;
}
Expand Down
Loading

0 comments on commit 543becd

Please sign in to comment.