Fixes #327183 (Allow better configurability of HttpClient for TLS/SSL).

git-svn-id: svn+ssh://dev.eclipse.org/svnroot/rt/org.eclipse.jetty/jetty/trunk@2329 7e9141cc-0065-0410-87d8-b60c137991c4

2 files changed, 89 insertions, 52 deletions

diff --git a/VERSION.txt b/VERSION.txt
index 638dc6521d..cd76a5318e 100644
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1,20 +1,21 @@
-jetty-7.2.0.RC1-SNAPSHOT 
+jetty-7.2.0.RC1-SNAPSHOT
  + 289540 added javadoc into distribution
  + 297154 add source distribution artifact
  + 323985 Xmlconfiguration pulls start.jar config properties
  + 326734 Configure Digest maxNonceAge with Security handler init param
  + 327109 Fixed AJP handling of empty packets
+ + 327183 Allow better configurability of HttpClient for TLS/SSL
 
 jetty-7.2.0.RC0 1 Oct 2010
  + 314087 Simplified SelectorManager
  + 319334 Concurrent, sharable ResourceCache
  + 319370 WebAppClassLoader.Context
- + 319444 Two nulls are appended to log statements from ContextHanler$Context 
+ + 319444 Two nulls are appended to log statements from ContextHanler$Context
  + 320073 Reconsile configuration mechanism
  + 320112 Websocket in aggregate jars
  + 320264 Removed duplicate mime.property entries
  + 320457 Added rfc2045 support to B64Code
- + 321232 BasicAuthenticator ignores bad Authorization header. 
+ + 321232 BasicAuthenticator ignores bad Authorization header.
  + 321307 HashSessionManager calls passivation listeners.
  + 321730 SelectChannelEndPoint prints to System.err
  + 321735 HttpClient onException called for buffer overflow.
@@ -67,8 +68,8 @@ jetty-7.2.0.RC0 1 Oct 2010
 
 jetty-7.1.6.v20100715
  + 319519 Warn about duplicate configuration files
- + 319655 Reset HEAD status 
- + JETTY-1247 synchronize recylcing of SSL NIO buffers 
+ + 319655 Reset HEAD status
+ + JETTY-1247 synchronize recylcing of SSL NIO buffers
  + JETTY-1248 fix parsing of bad multiparts
  + JETTY-1249 Apply max idle time to all connectors
  + JETTY-1251 Replace then close selector for JVM bugs
diff --git a/jetty-client/src/main/java/org/eclipse/jetty/client/HttpClient.java b/jetty-client/src/main/java/org/eclipse/jetty/client/HttpClient.java
index aab4220beb..ea353db507 100644
--- a/jetty-client/src/main/java/org/eclipse/jetty/client/HttpClient.java
+++ b/jetty-client/src/main/java/org/eclipse/jetty/client/HttpClient.java
@@ -25,11 +25,9 @@ import java.util.Map;
 import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ConcurrentMap;
-import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLSession;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.X509TrustManager;
@@ -101,7 +99,6 @@ public class HttpClient extends HttpBuffers implements Attributes
     private int _maxRedirects = 20;
     private LinkedList<String> _registeredListeners;
 
-    // TODO clean up and add getters/setters to some of this maybe
     private String _keyStoreLocation;
     private String _keyStoreType = "JKS";
     private String _keyStorePassword;
@@ -111,13 +108,12 @@ public class HttpClient extends HttpBuffers implements Attributes
     private String _trustStoreType = "JKS";
     private String _trustStorePassword;
     private String _trustManagerAlgorithm = (Security.getProperty("ssl.TrustManagerFactory.algorithm")==null?"SunX509":Security.getProperty("ssl.TrustManagerFactory.algorithm"));
-
-    private SSLContext _sslContext;
-
     private String _protocol = "TLS";
     private String _provider;
     private String _secureRandomAlgorithm;
 
+    private SSLContext _sslContext;
+
     private RealmResolver _realmResolver;
 
     private AttributesMap _attributes=new AttributesMap();
@@ -242,7 +238,7 @@ public class HttpClient extends HttpBuffers implements Attributes
     {
         _timeoutQ.schedule(task);
     }
-    
+
     public void schedule(Timeout.Task task, long timeout)
     {
         _timeoutQ.schedule(task, timeout);
@@ -271,7 +267,7 @@ public class HttpClient extends HttpBuffers implements Attributes
 
     /* ------------------------------------------------------------ */
     /** Set a RealmResolver for client Authentication.
-     * If a realmResolver is set, then the HttpDestinations created by 
+     * If a realmResolver is set, then the HttpDestinations created by
      * this client will instantiate a {@link SecurityListener} so that
      * BASIC and DIGEST authentication can be performed.
      * @param resolver
@@ -318,7 +314,7 @@ public class HttpClient extends HttpBuffers implements Attributes
         }
         _registeredListeners.add(listenerClass);
     }
-    
+
     /* ------------------------------------------------------------ */
     public LinkedList<String> getRegisteredListeners()
     {
@@ -548,7 +544,6 @@ public class HttpClient extends HttpBuffers implements Attributes
 
     protected SSLContext getStrictSSLContext() throws IOException
     {
-
         try
         {
             if (_trustStoreLocation == null)
@@ -557,45 +552,36 @@ public class HttpClient extends HttpBuffers implements Attributes
                 _trustStoreType = _keyStoreType;
             }
 
-            KeyManager[] keyManagers = null;
-            InputStream keystoreInputStream = null;
-
-            keystoreInputStream = Resource.newResource(_keyStoreLocation).getInputStream();
+            InputStream keyStoreInputStream = Resource.newResource(_keyStoreLocation).getInputStream();
             KeyStore keyStore = KeyStore.getInstance(_keyStoreType);
-            keyStore.load(keystoreInputStream, _keyStorePassword == null ? null : _keyStorePassword.toString().toCharArray());
+            keyStore.load(keyStoreInputStream, _keyStorePassword == null ? null : _keyStorePassword.toCharArray());
 
             KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(_keyManagerAlgorithm);
-            keyManagerFactory.init(keyStore, _keyManagerPassword == null ? null : _keyManagerPassword.toString().toCharArray());
-            keyManagers = keyManagerFactory.getKeyManagers();
-
-            TrustManager[] trustManagers = null;
-            InputStream truststoreInputStream = null;
+            keyManagerFactory.init(keyStore, _keyManagerPassword == null ? null : _keyManagerPassword.toCharArray());
+            KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();
 
-            truststoreInputStream = Resource.newResource(_trustStoreLocation).getInputStream();
+            InputStream trustStoreInputStream = Resource.newResource(_trustStoreLocation).getInputStream();
             KeyStore trustStore = KeyStore.getInstance(_trustStoreType);
-            trustStore.load(truststoreInputStream, _trustStorePassword == null ? null : _trustStorePassword.toString().toCharArray());
+            trustStore.load(trustStoreInputStream, _trustStorePassword == null ? null : _trustStorePassword.toCharArray());
 
             TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(_trustManagerAlgorithm);
             trustManagerFactory.init(trustStore);
-            trustManagers = trustManagerFactory.getTrustManagers();
+            TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
 
             SecureRandom secureRandom = _secureRandomAlgorithm == null ? null : SecureRandom.getInstance(_secureRandomAlgorithm);
             SSLContext context = _provider == null ? SSLContext.getInstance(_protocol) : SSLContext.getInstance(_protocol, _provider);
             context.init(keyManagers, trustManagers, secureRandom);
             return context;
         }
-        catch (Exception e)
+        catch (Exception x)
         {
-            e.printStackTrace();
-            throw new IOException("error generating ssl context for " + _keyStoreLocation + " " + e.getMessage());
+            throw (IOException)new IOException("Error generating SSLContext for keystore " + _keyStoreLocation).initCause(x);
         }
     }
 
     protected SSLContext getLooseSSLContext() throws IOException
     {
-
-        // Create a trust manager that does not validate certificate
-        // chains
+        // Create a trust manager that does not validate certificate chains
         TrustManager[] trustAllCerts = new TrustManager[]{new X509TrustManager()
         {
             public java.security.cert.X509Certificate[] getAcceptedIssuers()
@@ -612,26 +598,16 @@ public class HttpClient extends HttpBuffers implements Attributes
             }
         }};
 
-        HostnameVerifier hostnameVerifier = new HostnameVerifier()
-        {
-            public boolean verify(String urlHostName, SSLSession session)
-            {
-                Log.warn("Warning: URL Host: " + urlHostName + " vs." + session.getPeerHost());
-                return true;
-            }
-        };
-
         // Install the all-trusting trust manager
         try
         {
-            // TODO real trust manager
-            SSLContext sslContext = SSLContext.getInstance("SSL");
-            sslContext.init(null, trustAllCerts, new java.security.SecureRandom());
+            SSLContext sslContext = SSLContext.getInstance(_protocol);
+            sslContext.init(null, trustAllCerts, null);
             return sslContext;
         }
-        catch (Exception e)
+        catch (Exception x)
         {
-            throw new IOException("issue ignoring certs");
+            throw (IOException)new IOException("Error generating loose SSLContext").initCause(x);
         }
     }
 
@@ -814,28 +790,88 @@ public class HttpClient extends HttpBuffers implements Attributes
     {
         this._trustStorePassword = new Password(trustStorePassword).toString();
     }
-    
+
     /* ------------------------------------------------------------ */
     public String getKeyStoreType()
     {
         return this._keyStoreType;
     }
-    
+
     /* ------------------------------------------------------------ */
     public void setKeyStoreType(String keyStoreType)
     {
         this._keyStoreType = keyStoreType;
     }
-    
+
     /* ------------------------------------------------------------ */
     public String getTrustStoreType()
     {
         return this._trustStoreType;
     }
-    
+
     /* ------------------------------------------------------------ */
     public void setTrustStoreType(String trustStoreType)
     {
         this._trustStoreType = trustStoreType;
     }
+
+    /* ------------------------------------------------------------ */
+    public String getKeyManagerAlgorithm()
+    {
+        return _keyManagerAlgorithm;
+    }
+
+    /* ------------------------------------------------------------ */
+    public void setKeyManagerAlgorithm(String keyManagerAlgorithm)
+    {
+        this._keyManagerAlgorithm = keyManagerAlgorithm;
+    }
+
+    /* ------------------------------------------------------------ */
+    public String getTrustManagerAlgorithm()
+    {
+        return _trustManagerAlgorithm;
+    }
+
+    /* ------------------------------------------------------------ */
+    public void setTrustManagerAlgorithm(String trustManagerAlgorithm)
+    {
+        this._trustManagerAlgorithm = trustManagerAlgorithm;
+    }
+
+    /* ------------------------------------------------------------ */
+    public String getProtocol()
+    {
+        return _protocol;
+    }
+
+    /* ------------------------------------------------------------ */
+    public void setProtocol(String protocol)
+    {
+        this._protocol = protocol;
+    }
+
+    /* ------------------------------------------------------------ */
+    public String getProvider()
+    {
+        return _provider;
+    }
+
+    /* ------------------------------------------------------------ */
+    public void setProvider(String provider)
+    {
+        this._provider = provider;
+    }
+
+    /* ------------------------------------------------------------ */
+    public String getSecureRandomAlgorithm()
+    {
+        return _secureRandomAlgorithm;
+    }
+
+    /* ------------------------------------------------------------ */
+    public void setSecureRandomAlgorithm(String secureRandomAlgorithm)
+    {
+        this._secureRandomAlgorithm = secureRandomAlgorithm;
+    }
 }