forked from spiffe/java-spiffe
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathHttpsServer.java
77 lines (64 loc) · 2.92 KB
/
HttpsServer.java
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
package io.spiffe.provider.examples.mtls;
import io.spiffe.exception.SocketEndpointAddressException;
import io.spiffe.exception.X509SourceException;
import io.spiffe.provider.SpiffeKeyManager;
import io.spiffe.provider.SpiffeSslContextFactory;
import io.spiffe.provider.SpiffeSslContextFactory.SslContextOptions;
import io.spiffe.provider.SpiffeTrustManager;
import io.spiffe.provider.X509SourceManager;
import io.spiffe.provider.exception.SpiffeProviderException;
import io.spiffe.workloadapi.X509Source;
import lombok.val;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;
import java.io.IOException;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
/**
* Example of a simple HTTPS Server backed by the Workload API to get the X.509 certificates
* and trusted bundles.
* <p>
* The purpose of this class is to show the use of the {@link SpiffeSslContextFactory} to create
* a {@link SSLContext} that uses X.509-SVID provided by a Workload API. The SSLContext uses the
* {@link SpiffeKeyManager} and {@link SpiffeTrustManager} for
* providing certificates and doing chain and SPIFFE ID validation.
* To run this example, Spire should be running, SPIFFE_ENDPOINT_SOCKET env variable should be
* defined, and a property ssl.spiffe.accept should be defined in the java.security having a
* spiffe id from a client workload.
*/
public class HttpsServer {
int port;
public static void main(String[] args) {
HttpsServer httpsServer = new HttpsServer(4000);
try {
httpsServer.run();
} catch (IOException | KeyManagementException | NoSuchAlgorithmException e) {
throw new RuntimeException("Error starting HttpsServer", e);
}
}
HttpsServer(int port ) {
this.port = port;
}
void run() throws IOException, KeyManagementException, NoSuchAlgorithmException {
X509Source x509Source;
try {
x509Source = X509SourceManager.getX509Source();
} catch (SocketEndpointAddressException | X509SourceException e) {
throw new SpiffeProviderException("Error at getting the X509Source instance", e);
}
val sslContextOptions = SslContextOptions
.builder()
.x509Source(x509Source)
.build();
SSLContext sslContext = SpiffeSslContextFactory.getSslContext(sslContextOptions);
SSLServerSocketFactory sslServerSocketFactory = sslContext.getServerSocketFactory();
try (SSLServerSocket sslServerSocket = (SSLServerSocket) sslServerSocketFactory.createServerSocket(port)) {
// Server will validate Client chain and SPIFFE ID
sslServerSocket.setNeedClientAuth(true);
SSLSocket sslSocket = (SSLSocket) sslServerSocket.accept();
new WorkloadThread(sslSocket, x509Source).start();
}
}
}