Module de.cuioss.http
Package de.cuioss.http.client.handler

Record Class SecureSSLContextProvider

java.lang.Object
java.lang.Record
de.cuioss.http.client.handler.SecureSSLContextProvider
Record Components:
minimumTlsVersion - The minimum TLS version that is considered secure for this instance.
public record SecureSSLContextProvider(String minimumTlsVersion) extends Record
Provider for secure SSL contexts used in HTTPS communications.

This class enforces secure TLS versions when establishing connections to JWKS endpoints and other services. It ensures that only modern, secure TLS protocols are used:

  • TLS 1.2 - Minimum recommended version
  • TLS 1.3 - Preferred when available

The class prevents the use of insecure, deprecated protocols:

  • TLS 1.0 - Deprecated due to security vulnerabilities
  • TLS 1.1 - Deprecated due to security vulnerabilities
  • SSL 3.0 - Deprecated due to security vulnerabilities (POODLE attack)

For more details on the security aspects, see the Security Specification

Since:
1.0
Author:
Oliver Wolff

  • Field Details

  • Constructor Details

    • SecureSSLContextProvider

      public SecureSSLContextProvider()
      Creates a new SecureSSLContextProvider instance with the default minimum TLS version (TLS 1.2).

    • SecureSSLContextProvider

      public SecureSSLContextProvider(String minimumTlsVersion)
      Creates a new SecureSSLContextProvider instance with the specified minimum TLS version.
      Parameters:
      minimumTlsVersion - the minimum TLS version to consider secure
      Throws:
      IllegalArgumentException - if the specified version is not in the allowed set

  • Method Details

    • isSecureTlsVersion

      public boolean isSecureTlsVersion(@Nullable String protocol)
      Checks if the given protocol is a secure TLS version according to the minimum version set for this instance.

      For TLS_V1_2 and TLS_V1_3, the comparison is based on the version number. For TLS (generic), it's considered secure if it's in the allowed versions set.

      Parameters:
      protocol - the protocol to check
      Returns:
      true if the protocol is a secure TLS version, false otherwise

    • createSecureSSLContext

      public SSLContext createSecureSSLContext() throws NoSuchAlgorithmException, KeyStoreException, KeyManagementException
      Creates a secure SSLContext configured with the minimum TLS version set for this instance.

      This method:

      1. Creates an SSLContext instance with the secure protocol version
      2. Initializes a TrustManagerFactory with the default algorithm
      3. Configures the TrustManagerFactory to use the default trust store
      4. Initializes the SSLContext with the trust managers and a secure random source

      The resulting SSLContext is configured to trust the certificates in the JVM's default trust store and does not perform client authentication (no KeyManager is provided).

      Returns:
      a configured SSLContext that uses a secure TLS protocol version
      Throws:
      NoSuchAlgorithmException - if the specified protocol or trust manager algorithm is not available
      KeyStoreException - if there's an issue accessing the default trust store
      KeyManagementException - if there's an issue initializing the SSLContext

    • getOrCreateSecureSSLContext

      public SSLContext getOrCreateSecureSSLContext(@Nullable SSLContext sslContext)
      Validates the provided SSLContext and returns a secure SSLContext.

      This method:

      1. If the provided SSLContext is null, creates a new secure SSLContext
      2. If the provided SSLContext is not null, checks if its protocol is secure
      3. If the protocol is secure, returns the provided SSLContext
      4. If the protocol is not secure, creates a new secure SSLContext
      5. If an exception occurs during validation or creation, falls back to the provided SSLContext or the default SSLContext
      Parameters:
      sslContext - the SSLContext to validate, may be null
      Returns:
      a secure SSLContext, either the validated input or a newly created one (never null)

    • toString

      public final String toString()
      Returns a string representation of this record class. The representation contains the name of the class, followed by the name and value of each of the record components.
      Specified by:
      toString in class Record
      Returns:
      a string representation of this object

    • hashCode

      public final int hashCode()
      Returns a hash code value for this object. The value is derived from the hash code of each of the record components.
      Specified by:
      hashCode in class Record
      Returns:
      a hash code value for this object

    • equals

      public final boolean equals(Object o)
      Indicates whether some other object is "equal to" this one. The objects are equal if the other object is of the same class and if all the record components are equal. All components in this record class are compared with Objects::equals(Object,Object).
      Specified by:
      equals in class Record
      Parameters:
      o - the object with which to compare
      Returns:
      true if this object is the same as the o argument; false otherwise.

    • minimumTlsVersion

      public String minimumTlsVersion()
      Returns the value of the minimumTlsVersion record component.
      Returns:
      the value of the minimumTlsVersion record component