Merge pull request #476 from TharmiganK/ssl-context

Initialise SSL context in the client initialisation

Author: Bhashinee

components/org.wso2.transport.http.netty/src/main/java/org/wso2/transport/http/netty/contract/HttpClientConnector.java

@@ -93,4 +93,11 @@ public interface HttpClientConnector {
      * @return returns the status of the asynchronous push response fetch action
      */
     HttpResponseFuture getPushResponse(Http2PushPromise pushPromise);
+
+    /**
+     * Initialize the SSL context.
+     *
+     * @throws Exception if an error occurs while initializing the SSL context.
+     */
+    void initializeSSLContext() throws Exception;
 }

components/org.wso2.transport.http.netty/src/main/java/org/wso2/transport/http/netty/contract/HttpWsConnectorFactory.java

@@ -53,6 +53,17 @@ ServerConnector createServerConnector(ServerBootstrapConfiguration serverBootstr
     HttpClientConnector createHttpClientConnector(Map<String, Object> transportProperties,
             SenderConfiguration senderConfiguration);
 
+    /**
+     * This method can be used to get http client connectors with SSL context initialized.
+     *
+     * @param transportProperties configTargetHandler stuff like global timeout, number of outbound connections, etc.
+     * @param senderConfiguration contains SSL configuration and endpoint details.
+     * @throws Exception if the connector creation fails.
+     * @return HttpClientConnector.
+     */
+    HttpClientConnector createHttpsClientConnector(Map<String, Object> transportProperties,
+                                                   SenderConfiguration senderConfiguration) throws Exception;
+
     /**
      * Creates a client connector with a given connection manager.
      *
@@ -62,7 +73,21 @@ HttpClientConnector createHttpClientConnector(Map<String, Object> transportPrope
      * @return the HttpClientConnector
      */
     HttpClientConnector createHttpClientConnector(Map<String, Object> transportProperties,
-        SenderConfiguration senderConfiguration, ConnectionManager connectionManager);
+                                                  SenderConfiguration senderConfiguration,
+                                                  ConnectionManager connectionManager);
+
+    /**
+     * Creates a client connector with a given connection manager and SSL context.
+     *
+     * @param transportProperties Represents the configurations related to HTTP client
+     * @param senderConfiguration Represents the configurations related to client channel creation
+     * @param connectionManager   Manages the client pool
+     * @throws Exception if the connector creation fails.
+     * @return the HttpClientConnector
+     */
+    HttpClientConnector createHttpsClientConnector(Map<String, Object> transportProperties,
+                                                   SenderConfiguration senderConfiguration,
+                                                   ConnectionManager connectionManager) throws Exception;
 
     /**
      * Creates a client connector with given client bootstrap configuration and connection manager.
@@ -76,6 +101,19 @@ HttpClientConnector createHttpClientConnector(BootstrapConfiguration bootstrapCo
                                                   SenderConfiguration senderConfiguration,
                                                   ConnectionManager connectionManager);
 
+    /**
+     * Creates a client connector with given client bootstrap configuration, connection manager and SSL context.
+     *
+     * @param bootstrapConfiguration Represents the client bootstrap configurations.
+     * @param senderConfiguration    Represents the configurations related to client channel creation
+     * @param connectionManager      Manages the client pool
+     * @throws Exception if the connector creation fails.
+     * @return the HttpClientConnector
+     */
+    HttpClientConnector createHttpsClientConnector(BootstrapConfiguration bootstrapConfiguration,
+                                                   SenderConfiguration senderConfiguration,
+                                                   ConnectionManager connectionManager) throws Exception;
+
     /**
      * This method is used to get WebSocket client connector.
      *
@@ -84,6 +122,17 @@ HttpClientConnector createHttpClientConnector(BootstrapConfiguration bootstrapCo
      */
     WebSocketClientConnector createWsClientConnector(WebSocketClientConnectorConfig clientConnectorConfig);
 
+
+    /**
+     * This method is used to get WebSocket client connector with SSL context initialized.
+     *
+     * @param clientConnectorConfig Properties to create a client connector.
+     * @throws Exception if the connector creation fails.
+     * @return WebSocketClientConnector.
+     */
+    WebSocketClientConnector createWsClientConnectorWithSSL(WebSocketClientConnectorConfig clientConnectorConfig)
+            throws Exception;
+
     /**
      * Shutdown all the server channels and the accepted channels. It also shutdown all the eventloop groups.
      * @throws InterruptedException when interrupted by some other event

components/org.wso2.transport.http.netty/src/main/java/org/wso2/transport/http/netty/contract/websocket/WebSocketClientConnector.java

@@ -30,4 +30,11 @@ public interface WebSocketClientConnector {
      * @return ClientHandshakeFuture for the newly created connection.
      */
     ClientHandshakeFuture connect();
+
+    /**
+     * Initialize the SSL context.
+     *
+     * @throws Exception if an error occurs while initializing the SSL context.
+     */
+    void initializeSSLContext() throws Exception;
 }

components/org.wso2.transport.http.netty/src/main/java/org/wso2/transport/http/netty/contractimpl/DefaultHttpClientConnector.java

@@ -58,6 +58,7 @@
 import java.io.IOException;
 import java.net.InetSocketAddress;
 import java.util.NoSuchElementException;
+import java.util.Objects;
 
 import static org.wso2.transport.http.netty.contract.Constants.REMOTE_SERVER_CLOSED_BEFORE_INITIATING_OUTBOUND_REQUEST;
 
@@ -363,4 +364,10 @@ private void initTargetChannelProperties(SenderConfiguration senderConfiguration
         this.sslConfig = senderConfiguration.getClientSSLConfig();
         this.forwardedExtensionConfig = senderConfiguration.getForwardedExtensionConfig();
     }
+
+    public void initializeSSLContext() throws Exception {
+        if (Objects.nonNull(sslConfig)) {
+            sslConfig.initializeSSLContext(isHttp2);
+        }
+    }
 }

components/org.wso2.transport.http.netty/src/main/java/org/wso2/transport/http/netty/contractimpl/DefaultHttpWsConnectorFactory.java

@@ -147,26 +147,66 @@ public HttpClientConnector createHttpClientConnector(
     }
 
     @Override
-    public HttpClientConnector createHttpClientConnector(
-        Map<String, Object> transportProperties, SenderConfiguration senderConfiguration,
-        ConnectionManager connectionManager) {
+    public HttpClientConnector createHttpsClientConnector(Map<String, Object> transportProperties,
+                                                          SenderConfiguration senderConfiguration) throws Exception {
+        BootstrapConfiguration bootstrapConfig = new BootstrapConfiguration(transportProperties);
+        ConnectionManager connectionManager = new ConnectionManager(senderConfiguration.getPoolConfiguration());
+        HttpClientConnector httpClientConnector = new DefaultHttpClientConnector(connectionManager,
+                senderConfiguration, bootstrapConfig, clientGroup);
+        httpClientConnector.initializeSSLContext();
+        return httpClientConnector;
+    }
+
+    @Override
+    public HttpClientConnector createHttpClientConnector(Map<String, Object> transportProperties,
+                                                         SenderConfiguration senderConfiguration,
+                                                         ConnectionManager connectionManager) {
         BootstrapConfiguration bootstrapConfig = new BootstrapConfiguration(transportProperties);
         return new DefaultHttpClientConnector(connectionManager, senderConfiguration, bootstrapConfig, clientGroup);
     }
 
+    @Override
+    public HttpClientConnector createHttpsClientConnector(Map<String, Object> transportProperties,
+                                                          SenderConfiguration senderConfiguration,
+                                                          ConnectionManager connectionManager) throws Exception {
+        BootstrapConfiguration bootstrapConfig = new BootstrapConfiguration(transportProperties);
+        HttpClientConnector httpClientConnector = new DefaultHttpClientConnector(connectionManager,
+                senderConfiguration, bootstrapConfig, clientGroup);
+        httpClientConnector.initializeSSLContext();
+        return httpClientConnector;
+    }
+
     @Override
     public HttpClientConnector createHttpClientConnector(BootstrapConfiguration bootstrapConfig,
                                                          SenderConfiguration senderConfiguration,
                                                          ConnectionManager connectionManager) {
-
         return new DefaultHttpClientConnector(connectionManager, senderConfiguration, bootstrapConfig, clientGroup);
     }
 
+    @Override
+    public HttpClientConnector createHttpsClientConnector(BootstrapConfiguration bootstrapConfig,
+                                                          SenderConfiguration senderConfiguration,
+                                                          ConnectionManager connectionManager) throws Exception {
+        HttpClientConnector httpClientConnector = new DefaultHttpClientConnector(connectionManager,
+                senderConfiguration, bootstrapConfig, clientGroup);
+        httpClientConnector.initializeSSLContext();
+        return httpClientConnector;
+    }
+
     @Override
     public WebSocketClientConnector createWsClientConnector(WebSocketClientConnectorConfig clientConnectorConfig) {
         return new DefaultWebSocketClientConnector(clientConnectorConfig, clientGroup);
     }
 
+    @Override
+    public WebSocketClientConnector createWsClientConnectorWithSSL(
+            WebSocketClientConnectorConfig clientConnectorConfig) throws Exception {
+        WebSocketClientConnector webSocketClientConnector = new DefaultWebSocketClientConnector(clientConnectorConfig,
+                clientGroup);
+        webSocketClientConnector.initializeSSLContext();
+        return webSocketClientConnector;
+    }
+
     @Override
     public void shutdown() throws InterruptedException {
         allChannels.close().sync();

components/org.wso2.transport.http.netty/src/main/java/org/wso2/transport/http/netty/contractimpl/common/Util.java

@@ -359,19 +359,16 @@ public static boolean shouldEnforceChunkingforHttpOneZero(ChunkConfig chunkConfi
      * @param host          host of the connection
      * @param port          port of the connection
      * @return the {@link SSLEngine} which enables secure communication
-     * @throws SSLException if any error occurs in the SSL connection
      */
     public static SSLEngine configureHttpPipelineForSSL(SocketChannel socketChannel, String host, int port,
-                                                        SSLConfig sslConfig) throws SSLException {
+                                                        SSLConfig sslConfig) {
         LOG.debug("adding ssl handler");
         SSLEngine sslEngine = null;
         SslHandler sslHandler;
         ChannelPipeline pipeline = socketChannel.pipeline();
-        SSLHandlerFactory sslHandlerFactory = new SSLHandlerFactory(sslConfig);
         if (sslConfig.isOcspStaplingEnabled()) {
-            sslHandlerFactory.createSSLContextFromKeystores(false);
-            ReferenceCountedOpenSslContext referenceCountedOpenSslContext = sslHandlerFactory
-                    .buildClientReferenceCountedOpenSslContext();
+            ReferenceCountedOpenSslContext referenceCountedOpenSslContext =
+                    sslConfig.getReferenceCountedOpenSslContext();
 
             if (referenceCountedOpenSslContext != null) {
                 sslHandler = referenceCountedOpenSslContext.newHandler(socketChannel.alloc());
@@ -382,14 +379,12 @@ public static SSLEngine configureHttpPipelineForSSL(SocketChannel socketChannel,
             }
         } else {
             if (sslConfig.isDisableSsl()) {
-                sslEngine = createInsecureSslEngine(socketChannel, host, port);
+                sslEngine = createInsecureSslEngine(socketChannel, host, port, sslConfig.getSslContext());
             } else {
                 if (sslConfig.getTrustStore() != null) {
-                    sslHandlerFactory.createSSLContextFromKeystores(false);
-                    sslEngine = instantiateAndConfigSSL(sslConfig, host, port,
-                            sslConfig.isHostNameVerificationEnabled(), sslHandlerFactory);
+                    sslEngine = instantiateAndConfigSSL(sslConfig, host, port);
                 } else {
-                    sslEngine = getSslEngineForCerts(socketChannel, host, port, sslConfig, sslHandlerFactory);
+                    sslEngine = getSslEngineForCerts(socketChannel, host, port, sslConfig);
                 }
             }
             sslHandler = new SslHandler(sslEngine);
@@ -404,8 +399,9 @@ public static SSLEngine configureHttpPipelineForSSL(SocketChannel socketChannel,
     }
 
     private static SSLEngine getSslEngineForCerts(SocketChannel socketChannel, String host, int port,
-            SSLConfig sslConfig, SSLHandlerFactory sslHandlerFactory) throws SSLException {
-        SslContext sslContext = sslHandlerFactory.createHttpTLSContextForClient();
+                                                  SSLConfig sslConfig) {
+        SSLHandlerFactory sslHandlerFactory = sslConfig.getSslHandlerFactory();
+        SslContext sslContext = sslConfig.getSslContext();
         SslHandler sslHandler = sslContext.newHandler(socketChannel.alloc(), host, port);
         SSLEngine sslEngine = sslHandler.engine();
         sslHandlerFactory.addCommonConfigs(sslEngine);
@@ -416,10 +412,8 @@ private static SSLEngine getSslEngineForCerts(SocketChannel socketChannel, Strin
         return sslEngine;
     }
 
-    private static SSLEngine createInsecureSslEngine(SocketChannel socketChannel, String host, int port)
-            throws SSLException {
-        SslContext sslContext = SslContextBuilder.forClient().sslProvider(SslProvider.JDK)
-                .trustManager(InsecureTrustManagerFactory.INSTANCE).build();
+    private static SSLEngine createInsecureSslEngine(SocketChannel socketChannel, String host, int port,
+                                                     SslContext sslContext) {
         SslHandler sslHandler = sslContext.newHandler(socketChannel.alloc(), host, port);
         return sslHandler.engine();
     }
@@ -447,21 +441,17 @@ public static SslContext createInsecureSslEngineForHttp2() throws SSLException {
      * @param sslConfig ssl related configurations
      * @param host host of the connection
      * @param port port of the connection
-     * @param hostNameVerificationEnabled true if host name verification is enabled
-     * @param sslHandlerFactory an instance of sslHandlerFactory
      * @return ssl engine
      */
-    private static SSLEngine instantiateAndConfigSSL(SSLConfig sslConfig, String host, int port,
-            boolean hostNameVerificationEnabled, SSLHandlerFactory sslHandlerFactory) {
+    private static SSLEngine instantiateAndConfigSSL(SSLConfig sslConfig, String host, int port) {
         // set the pipeline factory, which creates the pipeline for each newly created channels
-        SSLEngine sslEngine = null;
-        if (sslConfig != null) {
-            sslEngine = sslHandlerFactory.buildClientSSLEngine(host, port);
-            sslEngine.setUseClientMode(true);
-            sslHandlerFactory.setSNIServerNames(sslEngine, host);
-            if (hostNameVerificationEnabled) {
-                sslHandlerFactory.setHostNameVerfication(sslEngine);
-            }
+        SSLHandlerFactory sslHandlerFactory = sslConfig.getSslHandlerFactory();
+        boolean hostNameVerificationEnabled = sslConfig.isHostNameVerificationEnabled();
+        SSLEngine sslEngine = sslHandlerFactory.buildClientSSLEngine(host, port);
+        sslEngine.setUseClientMode(true);
+        sslHandlerFactory.setSNIServerNames(sslEngine, host);
+        if (hostNameVerificationEnabled) {
+            sslHandlerFactory.setHostNameVerfication(sslEngine);
         }
         return sslEngine;
     }

components/org.wso2.transport.http.netty/src/main/java/org/wso2/transport/http/netty/contractimpl/common/ssl/SSLConfig.java

@@ -18,10 +18,17 @@
  */
 package org.wso2.transport.http.netty.contractimpl.common.ssl;
 
+import io.netty.handler.ssl.ReferenceCountedOpenSslContext;
+import io.netty.handler.ssl.SslContext;
+import io.netty.handler.ssl.SslContextBuilder;
+import io.netty.handler.ssl.SslProvider;
+import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.wso2.transport.http.netty.contractimpl.common.Util;
 
 import java.io.File;
+import java.util.Objects;
 
 /**
  * A class that encapsulates SSLContext configuration.
@@ -65,6 +72,9 @@ public class SSLConfig {
     private long handshakeTimeOut;
     private boolean disableSsl = false;
     private boolean useJavaDefaults = false;
+    private ReferenceCountedOpenSslContext referenceCountedOpenSslContext;
+    private SslContext sslContext;
+    private SSLHandlerFactory sslHandlerFactory;
 
     public SSLConfig() {}
 
@@ -353,4 +363,62 @@ public boolean useJavaDefaults() {
     public void setUseJavaDefaults() {
         this.useJavaDefaults = true;
     }
+
+    public SslContext getSslContext() {
+        return sslContext;
+    }
+
+    public ReferenceCountedOpenSslContext getReferenceCountedOpenSslContext() {
+        return referenceCountedOpenSslContext;
+    }
+
+    public SSLHandlerFactory getSslHandlerFactory() {
+        return sslHandlerFactory;
+    }
+
+    public void initializeSSLContext(boolean isHttp2) throws Exception {
+        if (isHttp2) {
+            initializeSSLContextForHTTP2();
+        } else {
+            initializeSSLContextForHTTP();
+        }
+    }
+
+    private void initializeSSLContextForHTTP() throws Exception {
+        sslHandlerFactory = new SSLHandlerFactory(this);
+        if (isOcspStaplingEnabled()) {
+            sslHandlerFactory.createSSLContextFromKeystores(false);
+            referenceCountedOpenSslContext = sslHandlerFactory.buildClientReferenceCountedOpenSslContext();
+        } else {
+            if (disableSsl) {
+                sslContext = SslContextBuilder.forClient()
+                        .sslProvider(SslProvider.JDK)
+                        .trustManager(InsecureTrustManagerFactory.INSTANCE)
+                        .build();
+            } else {
+                if (getTrustStore() != null) {
+                    sslHandlerFactory.createSSLContextFromKeystores(false);
+                } else {
+                    sslContext = sslHandlerFactory.createHttpTLSContextForClient();
+                }
+            }
+        }
+    }
+
+    private void initializeSSLContextForHTTP2() throws Exception {
+        sslHandlerFactory = new SSLHandlerFactory(this);
+        if (isOcspStaplingEnabled()) {
+            referenceCountedOpenSslContext = (ReferenceCountedOpenSslContext) sslHandlerFactory
+                    .createHttp2TLSContextForClient(isOcspStaplingEnabled());
+        } else if (isDisableSsl()) {
+            sslContext = Util.createInsecureSslEngineForHttp2();
+        } else {
+            sslHandlerFactory.createSSLContextFromKeystores(false);
+            sslContext = sslHandlerFactory.createHttp2TLSContextForClient(false);
+        }
+    }
+
+    public boolean hasSslCtxInitialized() {
+        return Objects.nonNull(sslHandlerFactory);
+    }
 }