org.opensaml.security.httpclient.impl

Class TrustEngineTLSSocketFactory

java.lang.Object

org.opensaml.security.httpclient.impl.TrustEngineTLSSocketFactory

All Implemented Interfaces:

org.apache.http.conn.socket.ConnectionSocketFactory, org.apache.http.conn.socket.LayeredConnectionSocketFactory

public class TrustEngineTLSSocketFactory
extends java.lang.Object
implements org.apache.http.conn.socket.LayeredConnectionSocketFactory

An implementation of HttpClient's LayeredConnectionSocketFactory, which supports verifying the server TLS certificate and chain via a TrustEngine and CriteriaSet supplied by the HttpClient caller via the HttpContext.

The context keys used by this component are as follows, defined in HttpClientSecurityConstants:

• HttpClientSecurityConstants.CONTEXT_KEY_TRUST_ENGINE: The trust engine instance used. Supplied by the HttpClient caller. Must be an instance of TrustEngine.
• HttpClientSecurityConstants.CONTEXT_KEY_CRITERIA_SET: The criteria set instance used. Supplied by the HttpClient caller. Must be an instance of CriteriaSet.
• HttpClientSecurityConstants.CONTEXT_KEY_SERVER_TLS_CREDENTIAL_TRUSTED: The result of the trust evaluation, if it was performed. Populated by this component. Will be a Boolean, where true means the server TLS was evaluated as trusted, false means the credential was evaluated as untrusted. A null or missing value means that trust engine evaluation was not performed.

If the trust engine context attribute is not populated by the caller, then no trust evaluation is performed. This allows use of this implementation with use cases where, given a particular HttpClient instance, sometimes trust engine evaluation is to be performed, and sometimes not.

Since this implementation may typically be used with and wrap a "no trust" SSL socket factory, an optional instance of X509HostnameVerifier may also be supplied. If supplied, hostname verification will be performed against the new SSLSocket via X509HostnameVerifier.verify(String, SSLSocket).

Field Summary

Fields

Modifier and Type	Field and Description
private org.apache.http.conn.ssl.X509HostnameVerifier	hostnameVerifier The hostname verifier evaluated by this implementation.
private org.slf4j.Logger	log Logger.
private org.apache.http.conn.socket.LayeredConnectionSocketFactory	wrappedFactory The HttpClient socket factory instance wrapped by this implementation.

Constructor Summary

Constructors

Constructor and Description
TrustEngineTLSSocketFactory(org.apache.http.conn.socket.LayeredConnectionSocketFactory factory, org.apache.http.conn.ssl.X509HostnameVerifier verifier) Constructor.

Method Summary

Modifier and Type	Method and Description
java.net.Socket	connectSocket(int connectTimeout, java.net.Socket sock, org.apache.http.HttpHost host, java.net.InetSocketAddress remoteAddress, java.net.InetSocketAddress localAddress, org.apache.http.protocol.HttpContext context)
java.net.Socket	createLayeredSocket(java.net.Socket socket, java.lang.String target, int port, org.apache.http.protocol.HttpContext context)
java.net.Socket	createSocket(org.apache.http.protocol.HttpContext context)
protected X509Credential	extractCredential(javax.net.ssl.SSLSocket sslSocket) Extract the server TLS X509Credential from the supplied SSLSocket.
protected void	performHostnameVerification(java.net.Socket socket, java.lang.String hostname, org.apache.http.protocol.HttpContext context) Perform hostname verification on the connection represented by the supplied socket.
protected void	performTrustEval(java.net.Socket socket, org.apache.http.protocol.HttpContext context) Perform trust evaluation by extracting the server TLS X509Credential from the SSLSession and evaluating it via a TrustEngine and CriteriaSet supplied by the caller via the HttpContext.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

log

private final org.slf4j.Logger log

Logger.

wrappedFactory

@Nonnull
private org.apache.http.conn.socket.LayeredConnectionSocketFactory wrappedFactory

The HttpClient socket factory instance wrapped by this implementation.

hostnameVerifier

@Nullable
private org.apache.http.conn.ssl.X509HostnameVerifier hostnameVerifier

The hostname verifier evaluated by this implementation.

Constructor Detail

TrustEngineTLSSocketFactory

public TrustEngineTLSSocketFactory(org.apache.http.conn.socket.LayeredConnectionSocketFactory factory,
                                   org.apache.http.conn.ssl.X509HostnameVerifier verifier)

Constructor.

Parameters:

factory - the underlying HttpClient socket factory wrapped by this implementation.

verifier - the hostname verifier evaluated by this implementation

Method Detail

createSocket

public java.net.Socket createSocket(org.apache.http.protocol.HttpContext context)
                             throws java.io.IOException

Specified by:

createSocket in interface org.apache.http.conn.socket.ConnectionSocketFactory

Throws:

java.io.IOException

connectSocket

public java.net.Socket connectSocket(int connectTimeout,
                                     java.net.Socket sock,
                                     org.apache.http.HttpHost host,
                                     java.net.InetSocketAddress remoteAddress,
                                     java.net.InetSocketAddress localAddress,
                                     org.apache.http.protocol.HttpContext context)
                              throws java.io.IOException

Specified by:

connectSocket in interface org.apache.http.conn.socket.ConnectionSocketFactory

Throws:

java.io.IOException

createLayeredSocket

public java.net.Socket createLayeredSocket(java.net.Socket socket,
                                           java.lang.String target,
                                           int port,
                                           org.apache.http.protocol.HttpContext context)
                                    throws java.io.IOException

Specified by:

createLayeredSocket in interface org.apache.http.conn.socket.LayeredConnectionSocketFactory

Throws:

java.io.IOException

performTrustEval

protected void performTrustEval(@Nonnull
                                java.net.Socket socket,
                                @Nonnull
                                org.apache.http.protocol.HttpContext context)
                         throws java.io.IOException

Perform trust evaluation by extracting the server TLS X509Credential from the SSLSession and evaluating it via a TrustEngine and CriteriaSet supplied by the caller via the HttpContext.

Parameters:

socket - the socket instance being processed

context - the HttpClient context being processed

Throws:

java.io.IOException - if the server TLS credential is untrusted, or if there is a fatal error attempting trust evaluation.

extractCredential

@Nonnull
protected X509Credential extractCredential(@Nonnull
                                                    javax.net.ssl.SSLSocket sslSocket)
                                             throws java.io.IOException

Extract the server TLS X509Credential from the supplied SSLSocket.

Parameters:

sslSocket - the SSL socket instance to process

Returns:

an X509Credential representing the server TLS entity certificate as well as the supplied supporting intermediate certificate chain (if any)

Throws:

java.io.IOException - if credential data can not be extracted from the socket

performHostnameVerification

protected void performHostnameVerification(java.net.Socket socket,
                                           java.lang.String hostname,
                                           org.apache.http.protocol.HttpContext context)
                                    throws java.io.IOException

Perform hostname verification on the connection represented by the supplied socket.

Parameters:

socket - the socket instance being processed

hostname - the hostname against which to verify

context - the current HttpClient context instance

Throws:

java.io.IOException - if an I/O error occurs or the verification process fails