JAVA-2434: Add support for custom cipher suites and host name validation to ProgrammaticSslEngineFactory (apache#1347)

adutra · web-flow · commit cf82b59f9377 · 2019-10-21T12:57:16.000+03:00
diff --git a/changelog/README.md b/changelog/README.md
@@ -4,6 +4,7 @@
 
 ### 4.3.0 (in progress)
 
+- [improvement] JAVA-2434: Add support for custom cipher suites and host name validation to ProgrammaticSslEngineFactory
 - [improvement] JAVA-2480: Upgrade Jackson to 2.10.0
 - [documentation] JAVA-2505: Annotate Node.getHostId() as nullable
 - [improvement] JAVA-1708: Support DSE "everywhere" replication strategy
diff --git a/core/revapi.json b/core/revapi.json
@@ -4830,6 +4830,13 @@
         "new": "method java.util.UUID com.datastax.oss.driver.api.core.metadata.Node::getHostId()",
         "annotation": "@edu.umd.cs.findbugs.annotations.Nullable",
         "justification": "JAVA-2505: Annotate Node.getHostId() as nullable"
+      },
+      {
+        "code": "java.annotation.added",
+        "old": "parameter void com.datastax.oss.driver.api.core.ssl.ProgrammaticSslEngineFactory::<init>(===javax.net.ssl.SSLContext===)",
+        "new": "parameter void com.datastax.oss.driver.api.core.ssl.ProgrammaticSslEngineFactory::<init>(===javax.net.ssl.SSLContext===)",
+        "annotation": "@edu.umd.cs.findbugs.annotations.NonNull",
+        "justification": "JAVA-2434: added @NonNull to ProgrammaticSslEngineFactory(SSLContext) constructor"
       }
     ]
   }
diff --git a/core/src/main/java/com/datastax/oss/driver/api/core/session/SessionBuilder.java b/core/src/main/java/com/datastax/oss/driver/api/core/session/SessionBuilder.java
@@ -261,6 +261,8 @@ public SelfT withAuthCredentials(@NonNull String username, @NonNull String passw
    *
    * <p>If the factory is provided programmatically with this method, it overrides the configuration
    * (that is, the {@code advanced.ssl-engine-factory} option will be ignored).
+   *
+   * @see ProgrammaticSslEngineFactory
    */
   @NonNull
   public SelfT withSslEngineFactory(@Nullable SslEngineFactory sslEngineFactory) {
@@ -276,9 +278,12 @@ public SelfT withSslEngineFactory(@Nullable SslEngineFactory sslEngineFactory) {
    * #withSslEngineFactory(SslEngineFactory)}.
    *
    * <p>If you use this method, there is no way to customize cipher suites, or turn on host name
-   * validation. Also, note that SSL engines will be created with advisory peer information ({@link
-   * SSLContext#createSSLEngine(String, int)}) whenever possible. If you need finer control, write
-   * your own factory.
+   * validation. If you need finer control, use {@link #withSslEngineFactory(SslEngineFactory)}
+   * directly and pass either your own implementation of {@link SslEngineFactory}, or a {@link
+   * ProgrammaticSslEngineFactory} created with custom cipher suites and/or host name validation.
+   *
+   * <p>Also, note that SSL engines will be created with advisory peer information ({@link
+   * SSLContext#createSSLEngine(String, int)}) whenever possible.
    */
   @NonNull
   public SelfT withSslContext(@Nullable SSLContext sslContext) {
diff --git a/core/src/main/java/com/datastax/oss/driver/api/core/ssl/ProgrammaticSslEngineFactory.java b/core/src/main/java/com/datastax/oss/driver/api/core/ssl/ProgrammaticSslEngineFactory.java
@@ -18,18 +18,19 @@
 import com.datastax.oss.driver.api.core.metadata.EndPoint;
 import com.datastax.oss.driver.api.core.session.SessionBuilder;
 import edu.umd.cs.findbugs.annotations.NonNull;
+import edu.umd.cs.findbugs.annotations.Nullable;
 import java.net.InetSocketAddress;
 import java.net.SocketAddress;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLParameters;
 
 /**
  * An SSL engine factory that allows you to configure the driver programmatically, by passing your
  * own {@link SSLContext}.
  *
- * <p>Unlike the configuration-based approach, this class does not allow you to customize cipher
- * suites, or turn on host name validation. Also, note that it will create SSL engines with advisory
- * peer information ({@link SSLContext#createSSLEngine(String, int)}) whenever possible.
+ * <p>Note that this class will create SSL engines with advisory peer information ({@link
+ * SSLContext#createSSLEngine(String, int)}) whenever possible.
  *
  * <p>If those defaults do not work for you, it should be pretty straightforward to write your own
  * implementation by extending or duplicating this class.
@@ -40,9 +41,46 @@
 public class ProgrammaticSslEngineFactory implements SslEngineFactory {
 
   protected final SSLContext sslContext;
+  protected final String[] cipherSuites;
+  protected final boolean requireHostnameValidation;
 
-  public ProgrammaticSslEngineFactory(SSLContext sslContext) {
+  /**
+   * Creates an instance with the given {@link SSLContext}, default cipher suites and no host name
+   * validation.
+   *
+   * @param sslContext the {@link SSLContext} to use.
+   */
+  public ProgrammaticSslEngineFactory(@NonNull SSLContext sslContext) {
+    this(sslContext, null);
+  }
+
+  /**
+   * Creates an instance with the given {@link SSLContext} and cipher suites, and no host name
+   * validation.
+   *
+   * @param sslContext the {@link SSLContext} to use.
+   * @param cipherSuites the cipher suites to use, or null to use the default ones.
+   */
+  public ProgrammaticSslEngineFactory(
+      @NonNull SSLContext sslContext, @Nullable String[] cipherSuites) {
+    this(sslContext, cipherSuites, false);
+  }
+
+  /**
+   * Creates an instance with the given {@link SSLContext}, cipher suites and host name validation.
+   *
+   * @param sslContext the {@link SSLContext} to use.
+   * @param cipherSuites the cipher suites to use, or null to use the default ones.
+   * @param requireHostnameValidation whether to enable host name validation. If enabled, host name
+   *     validation will be done using HTTPS algorithm.
+   */
+  public ProgrammaticSslEngineFactory(
+      @NonNull SSLContext sslContext,
+      @Nullable String[] cipherSuites,
+      boolean requireHostnameValidation) {
     this.sslContext = sslContext;
+    this.cipherSuites = cipherSuites;
+    this.requireHostnameValidation = requireHostnameValidation;
   }
 
   @NonNull
@@ -57,6 +95,14 @@ public SSLEngine newSslEngine(@NonNull EndPoint remoteEndpoint) {
       engine = sslContext.createSSLEngine();
     }
     engine.setUseClientMode(true);
+    if (cipherSuites != null) {
+      engine.setEnabledCipherSuites(cipherSuites);
+    }
+    if (requireHostnameValidation) {
+      SSLParameters parameters = engine.getSSLParameters();
+      parameters.setEndpointIdentificationAlgorithm("HTTPS");
+      engine.setSSLParameters(parameters);
+    }
     return engine;
   }
 

Original file line number	Diff line number	Diff line change
`@@ -4830,6 +4830,13 @@`
`4830`	`4830`	`"new": "method java.util.UUID com.datastax.oss.driver.api.core.metadata.Node::getHostId()",`
`4831`	`4831`	`"annotation": "@edu.umd.cs.findbugs.annotations.Nullable",`
`4832`	`4832`	`"justification": "JAVA-2505: Annotate Node.getHostId() as nullable"`
	`4833`	`+ },`
	`4834`	`+ {`
	`4835`	`+ "code": "java.annotation.added",`
	`4836`	`+ "old": "parameter void com.datastax.oss.driver.api.core.ssl.ProgrammaticSslEngineFactory::<init>(===javax.net.ssl.SSLContext===)",`
	`4837`	`+ "new": "parameter void com.datastax.oss.driver.api.core.ssl.ProgrammaticSslEngineFactory::<init>(===javax.net.ssl.SSLContext===)",`
	`4838`	`+ "annotation": "@edu.umd.cs.findbugs.annotations.NonNull",`
	`4839`	`+ "justification": "JAVA-2434: added @NonNull to ProgrammaticSslEngineFactory(SSLContext) constructor"`
`4833`	`4840`	`}`
`4834`	`4841`	`]`
`4835`	`4842`	`}`