76 lines
2.8 KiB
Java
76 lines
2.8 KiB
Java
package spiffe.provider.examples.mtls;
|
|
|
|
import lombok.val;
|
|
import spiffe.exception.SocketEndpointAddressException;
|
|
import spiffe.exception.X509SourceException;
|
|
import spiffe.provider.SpiffeProviderException;
|
|
import spiffe.provider.SpiffeSslContextFactory;
|
|
import spiffe.provider.SpiffeSslContextFactory.SslContextOptions;
|
|
import spiffe.provider.X509SourceManager;
|
|
import spiffe.workloadapi.X509Source;
|
|
|
|
import javax.net.ssl.SSLContext;
|
|
import javax.net.ssl.SSLServerSocket;
|
|
import javax.net.ssl.SSLServerSocketFactory;
|
|
import javax.net.ssl.SSLSocket;
|
|
import java.io.IOException;
|
|
import java.security.KeyManagementException;
|
|
import java.security.NoSuchAlgorithmException;
|
|
|
|
/**
|
|
* Example of a simple HTTPS Server backed by the Workload API to get the X.509 certificates
|
|
* and trusted bundles.
|
|
* <p>
|
|
* The purpose of this class is to show the use of the {@link SpiffeSslContextFactory} to create
|
|
* a {@link SSLContext} that uses X.509-SVID provided by a Workload API. The SSLContext uses the
|
|
* {@link spiffe.provider.SpiffeKeyManager} and {@link spiffe.provider.SpiffeTrustManager} for
|
|
* providing certificates and doing chain and SPIFFE ID validation.
|
|
* To run this example, Spire should be running, SPIFFE_ENDPOINT_SOCKET env variable should be
|
|
* defined, and a property ssl.spiffe.accept should be defined in the java.security having a
|
|
* spiffe id from a client workload.
|
|
*/
|
|
public class HttpsServer {
|
|
|
|
int port;
|
|
|
|
public static void main(String[] args) {
|
|
HttpsServer httpsServer = new HttpsServer(4000);
|
|
try {
|
|
httpsServer.run();
|
|
} catch (IOException | KeyManagementException | NoSuchAlgorithmException e) {
|
|
throw new RuntimeException("Error starting HttpsServer");
|
|
}
|
|
}
|
|
|
|
HttpsServer(int port ) {
|
|
this.port = port;
|
|
}
|
|
|
|
void run() throws IOException, KeyManagementException, NoSuchAlgorithmException {
|
|
X509Source x509Source = null;
|
|
try {
|
|
x509Source = X509SourceManager.getX509Source();
|
|
} catch (SocketEndpointAddressException | X509SourceException e) {
|
|
throw new SpiffeProviderException(e);
|
|
}
|
|
|
|
val sslContextOptions = SslContextOptions
|
|
.builder()
|
|
.x509Source(x509Source)
|
|
.build();
|
|
SSLContext sslContext = SpiffeSslContextFactory.getSslContext(sslContextOptions);
|
|
|
|
SSLServerSocketFactory sslServerSocketFactory = sslContext.getServerSocketFactory();
|
|
|
|
try (SSLServerSocket sslServerSocket = (SSLServerSocket) sslServerSocketFactory.createServerSocket(port)) {
|
|
// Server will validate Client chain and SPIFFE ID
|
|
sslServerSocket.setNeedClientAuth(true);
|
|
|
|
SSLSocket sslSocket = (SSLSocket) sslServerSocket.accept();
|
|
new WorkloadThread(sslSocket, x509Source).start();
|
|
}
|
|
}
|
|
}
|
|
|
|
|