/**
 * Adds TLS key & certificate configuration to a given set of server options.
 * <p>
 * If <em>config</em> contains key &amp; certificate configuration it is added to
 * the given server options and the <em>ssl</em> flag is set to {@code true}.
 * <p>
 * If the server option's ssl flag is set, then the protocols from the <em>disabledTlsVersions</em>
 * configuration property are removed from the options (and thus disabled).
 * <p>
 * Finally, if a working instance of Netty's <em>tcnative</em> library is found, then
 * it is used instead of the JDK's default SSL engine.
 *
 * @param serverOptions The options to add configuration to.
 */
protected final void addTlsKeyCertOptions(final NetServerOptions serverOptions) {

    final KeyCertOptions keyCertOptions = getConfig().getKeyCertOptions();

    if (keyCertOptions != null) {
        serverOptions.setSsl(true).setKeyCertOptions(keyCertOptions);
    }

    if (serverOptions.isSsl()) {

        final boolean isOpenSslAvailable = OpenSsl.isAvailable();
        final boolean supportsKeyManagerFactory =  OpenSsl.supportsKeyManagerFactory();
        final boolean useOpenSsl =
                getConfig().isNativeTlsRequired() || (isOpenSslAvailable && supportsKeyManagerFactory);

        log.debug("OpenSSL [available: {}, supports KeyManagerFactory: {}]",
                isOpenSslAvailable, supportsKeyManagerFactory);

        if (useOpenSsl) {
            log.info("using OpenSSL [version: {}] instead of JDK's default SSL engine",
                    OpenSsl.versionString());
            serverOptions.setSslEngineOptions(new OpenSSLEngineOptions());
        } else {
            log.info("using JDK's default SSL engine");
        }

        serverOptions.getEnabledSecureTransportProtocols()
            .forEach(protocol -> serverOptions.removeEnabledSecureTransportProtocol(protocol));
        getConfig().getSecureProtocols().forEach(protocol -> {
            log.info("enabling secure protocol [{}]", protocol);
            serverOptions.addEnabledSecureTransportProtocol(protocol);
        });

        serverOptions.setSni(getConfig().isSni());
        log.info("Service supports TLS ServerNameIndication: {}", getConfig().isSni());
    }
}
 

@Bean
public HttpClientOptionsCustomizer clientOpenSslEngineOptionsCustomizer() {
    return options -> options.setSslEngineOptions(new OpenSSLEngineOptions());
}
 

@Bean
public HttpServerOptionsCustomizer serverOpenSslEngineOptionsCustomizer() {
    return options -> options.setSslEngineOptions(new OpenSSLEngineOptions());
}
 

private static TCPSSLOptions buildTCPSSLOptions(SSLOption sslOption, SSLCustom sslCustom,
    TCPSSLOptions tcpClientOptions) {
  tcpClientOptions.setSsl(true);

  if (sslOption.getEngine().equalsIgnoreCase("openssl")) {
    OpenSSLEngineOptions options = new OpenSSLEngineOptions();
    options.setSessionCacheEnabled(true);
    tcpClientOptions.setOpenSslEngineOptions(new OpenSSLEngineOptions());
  }
  String fullKeyStore = sslCustom.getFullPath(sslOption.getKeyStore());
  if (isFileExists(fullKeyStore)) {
    if (STORE_PKCS12.equalsIgnoreCase(sslOption.getKeyStoreType())) {
      PfxOptions keyPfxOptions = new PfxOptions();
      keyPfxOptions.setPath(sslCustom.getFullPath(sslOption.getKeyStore()));
      keyPfxOptions.setPassword(new String(sslCustom.decode(sslOption.getKeyStoreValue().toCharArray())));
      tcpClientOptions.setPfxKeyCertOptions(keyPfxOptions);
    } else if (STORE_JKS.equalsIgnoreCase(sslOption.getKeyStoreType())) {
      JksOptions keyJksOptions = new JksOptions();
      keyJksOptions.setPath(sslCustom.getFullPath(sslOption.getKeyStore()));
      keyJksOptions.setPassword(new String(sslCustom.decode(sslOption.getKeyStoreValue().toCharArray())));
      tcpClientOptions.setKeyStoreOptions(keyJksOptions);
    } else {
      throw new IllegalArgumentException("invalid key store type.");
    }
  } else {
    LOGGER.warn("keyStore [" + fullKeyStore + "] file not exist, please check!");
  }
  String fullTrustStore = sslCustom.getFullPath(sslOption.getTrustStore());
  if (isFileExists(fullTrustStore)) {
    if (STORE_PKCS12.equalsIgnoreCase(sslOption.getTrustStoreType())) {
      PfxOptions trustPfxOptions = new PfxOptions();
      trustPfxOptions.setPath(sslCustom.getFullPath(sslOption.getTrustStore()));
      trustPfxOptions
          .setPassword(new String(sslCustom.decode(sslOption.getTrustStoreValue().toCharArray())));
      tcpClientOptions.setPfxTrustOptions(trustPfxOptions);
    } else if (STORE_JKS.equalsIgnoreCase(sslOption.getTrustStoreType())) {
      JksOptions trustJksOptions = new JksOptions();
      trustJksOptions.setPath(sslCustom.getFullPath(sslOption.getTrustStore()));
      trustJksOptions
          .setPassword(new String(sslCustom.decode(sslOption.getTrustStoreValue().toCharArray())));
      tcpClientOptions.setTrustStoreOptions(trustJksOptions);
    } else {
      throw new IllegalArgumentException("invalid trust store type.");
    }
  } else {
    LOGGER.warn("trustStore [" + fullTrustStore + "] file not exist, please check!");
  }

  tcpClientOptions
      .setEnabledSecureTransportProtocols(new HashSet<String>(Arrays.asList(sslOption.getProtocols().split(","))));

  for (String cipher : SSLManager.getEnalbedCiphers(sslOption.getCiphers())) {
    tcpClientOptions.addEnabledCipherSuite(cipher);
  }

  if (isFileExists(sslCustom.getFullPath(sslOption.getCrl()))) {
    tcpClientOptions.addCrlPath(sslCustom.getFullPath(sslOption.getCrl()));
  }
  return tcpClientOptions;
}
 

@Override
public DB2ConnectOptions setOpenSslEngineOptions(OpenSSLEngineOptions sslEngineOptions) {
  return (DB2ConnectOptions) super.setOpenSslEngineOptions(sslEngineOptions);
}
 

@Override
public MSSQLConnectOptions setOpenSslEngineOptions(OpenSSLEngineOptions sslEngineOptions) {
  return (MSSQLConnectOptions) super.setOpenSslEngineOptions(sslEngineOptions);
}
 

PostgresHandle(Vertx vertx, JsonObject conf) {
  String val;

  connectOptions = new PgConnectOptions();
  val = Config.getSysConf("postgres_host", null, conf);
  if (val != null) {
    connectOptions.setHost(val);
  }
  val = Config.getSysConf("postgres_port", null, conf);
  Logger logger = OkapiLogger.get();
  if (val != null) {
    try {
      connectOptions.setPort(Integer.parseInt(val));
    } catch (NumberFormatException e) {
      logger.warn("Bad postgres_port value: {}: {}", val, e.getMessage());
    }
  }

  // postgres_user is supported for system configuration (-D option) only and is deprecated
  connectOptions.setUser(Config.getSysConf("postgres_username",
      Config.getSysConf("postgres_user", "okapi", new JsonObject()), conf));
  connectOptions.setPassword(Config.getSysConf("postgres_password", "okapi25", conf));
  connectOptions.setDatabase(Config.getSysConf("postgres_database", "okapi", conf));
  String serverPem = Config.getSysConf("postgres_server_pem", null, conf);
  if (serverPem != null) {
    logger.debug("Enforcing SSL encryption for PostgreSQL connections, "
        + "requiring TLSv1.3 with server name certificate");
    connectOptions.setSslMode(SslMode.VERIFY_FULL);
    connectOptions.setHostnameVerificationAlgorithm("HTTPS");
    connectOptions.setPemTrustOptions(
        new PemTrustOptions().addCertValue(Buffer.buffer(serverPem)));
    connectOptions.setEnabledSecureTransportProtocols(Collections.singleton("TLSv1.3"));
    connectOptions.setOpenSslEngineOptions(new OpenSSLEngineOptions());
  }

  PoolOptions poolOptions = new PoolOptions();
  poolOptions.setMaxSize(5);

  pool = PgPool.pool(vertx, connectOptions, poolOptions);
  logger.debug("created");
}
 

@Override
public S3ClientOptions setOpenSslEngineOptions(final OpenSSLEngineOptions sslEngineOptions) {
    super.setOpenSslEngineOptions(sslEngineOptions);
    return this;
}
 

private void addTlsTrustOptions(final ProtonClientOptions clientOptions) {

        if (config.isTlsEnabled()) {
            clientOptions.setSsl(true);
        }

        if (clientOptions.getTrustOptions() == null) {
            final TrustOptions trustOptions = config.getTrustOptions();
            if (trustOptions != null) {
                clientOptions.setSsl(true).setTrustOptions(trustOptions);
            }
        }

        if (clientOptions.isSsl()) {

            final boolean isOpenSslAvailable = OpenSsl.isAvailable();
            final boolean supportsKeyManagerFactory =  OpenSsl.supportsKeyManagerFactory();
            final boolean useOpenSsl = isOpenSslAvailable && supportsKeyManagerFactory;

            logger.debug("OpenSSL [available: {}, supports KeyManagerFactory: {}]",
                    isOpenSslAvailable, supportsKeyManagerFactory);

            if (useOpenSsl) {
                logger.debug("using OpenSSL [version: {}] instead of JDK's default SSL engine",
                        OpenSsl.versionString());
                clientOptions.setSslEngineOptions(new OpenSSLEngineOptions());
            } else {
                logger.debug("using JDK's default SSL engine");
            }

            if (config.isHostnameVerificationRequired()) {
                clientOptions.setHostnameVerificationAlgorithm("HTTPS");
            } else {
                clientOptions.setHostnameVerificationAlgorithm("");
            }
            clientOptions.getEnabledSecureTransportProtocols()
                .forEach(protocol -> clientOptions.removeEnabledSecureTransportProtocol(protocol));
            config.getSecureProtocols().forEach(protocol -> {
                logger.debug("enabling secure protocol [{}]", protocol);
                clientOptions.addEnabledSecureTransportProtocol(protocol);
            });
        }
    }
 

public MailConfig setOpenSslEngineOptions(OpenSSLEngineOptions sslEngineOptions) {
  super.setOpenSslEngineOptions(sslEngineOptions);
  return this;
}
 

@Override
public ProtonServerOptions setOpenSslEngineOptions(OpenSSLEngineOptions sslEngineOptions) {
  super.setOpenSslEngineOptions(sslEngineOptions);
  return this;
}
 

@Override
public ProtonClientOptions setOpenSslEngineOptions(OpenSSLEngineOptions sslEngineOptions) {
  super.setOpenSslEngineOptions(sslEngineOptions);
  return this;
}