Package org.opensaml.security.httpclient.impl

Class SecurityEnhancedTLSSocketFactory

java.lang.Object
org.opensaml.security.httpclient.impl.SecurityEnhancedTLSSocketFactory
All Implemented Interfaces:
org.apache.hc.client5.http.socket.ConnectionSocketFactory, org.apache.hc.client5.http.socket.LayeredConnectionSocketFactory
public class SecurityEnhancedTLSSocketFactory extends Object implements org.apache.hc.client5.http.socket.LayeredConnectionSocketFactory
An security-enhanced implementation of HttpClient's TLS-capable LayeredConnectionSocketFactory.

This implementation wraps an existing TLS socket factory instance, decorating it with additional support for:

The context keys used by this component are as follows, defined in HttpClientSecurityConstants:

Support for server TLS via trust engine evaluation requires use of a compatible TrustManager implementation configured in the SSLContext of the wrapped LayeredConnectionSocketFactory, such as ThreadLocalX509TrustManager.

Support for client TLS requires use of a compatible KeyManager implementation configured in the SSLContext of the wrapped LayeredConnectionSocketFactory, such as ThreadLocalX509CredentialKeyManager.

If the trust engine context attribute is not populated by the caller, then no server TLS thread-local data is populated. If the wrapped socket factory's X509TrustManager implementation requires this data (for example ThreadLocalX509TrustManager), then a fatal exception is expected to be thrown.

If the client TLS credential context attribute is not populated by the caller, then no client TLS thread-local data is populated, and client TLS will not be attempted.

  • Field Details

  • Constructor Details

    • SecurityEnhancedTLSSocketFactory

      public SecurityEnhancedTLSSocketFactory(@Nonnull org.apache.hc.client5.http.socket.LayeredConnectionSocketFactory factory)
      Constructor.
      Parameters:
      factory - the underlying HttpClient socket factory wrapped by this implementation.

  • Method Details

    • createSocket

      public Socket createSocket(org.apache.hc.core5.http.protocol.HttpContext context) throws IOException
      Specified by:
      createSocket in interface org.apache.hc.client5.http.socket.ConnectionSocketFactory
      Throws:
      IOException

    • connectSocket

      public Socket connectSocket(org.apache.hc.core5.util.TimeValue connectTimeout, Socket sock, org.apache.hc.core5.http.HttpHost host, InetSocketAddress remoteAddress, InetSocketAddress localAddress, org.apache.hc.core5.http.protocol.HttpContext context) throws IOException
      Specified by:
      connectSocket in interface org.apache.hc.client5.http.socket.ConnectionSocketFactory
      Throws:
      IOException

    • createLayeredSocket

      public Socket createLayeredSocket(Socket socket, String target, int port, org.apache.hc.core5.http.protocol.HttpContext context) throws IOException
      Specified by:
      createLayeredSocket in interface org.apache.hc.client5.http.socket.LayeredConnectionSocketFactory
      Throws:
      IOException

    • checkAndEvaluateServerTLS

      protected void checkAndEvaluateServerTLS(@Nonnull Socket socket) throws IOException
      Check that the evaluation of the socket certificate using the data in ThreadLocalX509TrustEngineContext has been performed, if applicable, and if not, evaluate it.

      This will usually be called only in the case of TLS session resumption, when the standard JSSE trust manager evaluation has not run.

      Parameters:
      socket - the current socket being evaluated
      Throws:
      IOException - if the certificate chain was not trusted by the supplied TrustEngine

    • setup

      protected void setup(@Nullable org.apache.hc.core5.http.protocol.HttpContext context, @Nonnull String hostname) throws SSLPeerUnverifiedException
      Setup calling execution environment for server TLS and client TLS based on information supplied in the HttpContext.
      Parameters:
      context - the HttpContext instance
      hostname - the hostname for the connection
      Throws:
      SSLPeerUnverifiedException - if required data is not available from the context

    • setupClientTLS

      protected void setupClientTLS(@Nonnull org.apache.hc.core5.http.protocol.HttpContext context)
      Setup thread-local data for server TLS and client TLS based on information supplied in the HttpContext.
      Parameters:
      context - the HttpContext instance

    • setupServerTLS

      protected void setupServerTLS(@Nonnull org.apache.hc.core5.http.protocol.HttpContext context, @Nonnull String hostname)
      Setup thread-local data for server TLS.
      Parameters:
      context - the HttpContext instance
      hostname - the hostname for the connection

    • teardown

      protected void teardown(@Nullable org.apache.hc.core5.http.protocol.HttpContext context)
      Schedule the deferred clearing of the ThreadLocalX509CredentialContext of the client TLS credential obtained from the HttpContext.
      Parameters:
      context - the HttpContext instance