This is an automated email from the ASF dual-hosted git repository. rcordier pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/james-project.git
commit c198f468ea8178f40b040e9b012963718fd734ba Author: Benoit TELLIER <[email protected]> AuthorDate: Sat Mar 28 19:09:21 2026 +0100 JAMES-4193 Provide TCNativeEncryptionFactory --- .../james/modules/TCNativeEncryptionModule.java | 35 ++++++ .../protocols/lib/TCNativeEncryptionFactory.java | 139 +++++++++++++++++++++ 2 files changed, 174 insertions(+) diff --git a/server/container/guice/common/src/main/java/org/apache/james/modules/TCNativeEncryptionModule.java b/server/container/guice/common/src/main/java/org/apache/james/modules/TCNativeEncryptionModule.java new file mode 100644 index 0000000000..a6f3c09beb --- /dev/null +++ b/server/container/guice/common/src/main/java/org/apache/james/modules/TCNativeEncryptionModule.java @@ -0,0 +1,35 @@ +/**************************************************************** + * Licensed to the Apache Software Foundation (ASF) under one * + * or more contributor license agreements. See the NOTICE file * + * distributed with this work for additional information * + * regarding copyright ownership. The ASF licenses this file * + * to you under the Apache License, Version 2.0 (the * + * "License"); you may not use this file except in compliance * + * with the License. You may obtain a copy of the License at * + * * + * http://www.apache.org/licenses/LICENSE-2.0 * + * * + * Unless required by applicable law or agreed to in writing, * + * software distributed under the License is distributed on an * + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY * + * KIND, either express or implied. See the License for the * + * specific language governing permissions and limitations * + * under the License. * + ****************************************************************/ + +package org.apache.james.modules; + +import org.apache.james.protocols.lib.LegacyJavaEncryptionFactory; +import org.apache.james.protocols.lib.TCNativeEncryptionFactory; +import org.apache.james.protocols.netty.Encryption; + +import com.google.inject.AbstractModule; +import com.google.inject.Scopes; + +public class TCNativeEncryptionModule extends AbstractModule { + @Override + protected void configure() { + bind(LegacyJavaEncryptionFactory.class).in(Scopes.SINGLETON); + bind(Encryption.Factory.class).to(TCNativeEncryptionFactory.class).in(Scopes.SINGLETON); + } +} diff --git a/server/protocols/protocols-library/src/main/java/org/apache/james/protocols/lib/TCNativeEncryptionFactory.java b/server/protocols/protocols-library/src/main/java/org/apache/james/protocols/lib/TCNativeEncryptionFactory.java new file mode 100644 index 0000000000..87a60738e5 --- /dev/null +++ b/server/protocols/protocols-library/src/main/java/org/apache/james/protocols/lib/TCNativeEncryptionFactory.java @@ -0,0 +1,139 @@ +/**************************************************************** + * Licensed to the Apache Software Foundation (ASF) under one * + * or more contributor license agreements. See the NOTICE file * + * distributed with this work for additional information * + * regarding copyright ownership. The ASF licenses this file * + * to you under the Apache License, Version 2.0 (the * + * "License"); you may not use this file except in compliance * + * with the License. You may obtain a copy of the License at * + * * + * http://www.apache.org/licenses/LICENSE-2.0 * + * * + * Unless required by applicable law or agreed to in writing, * + * software distributed under the License is distributed on an * + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY * + * KIND, either express or implied. See the License for the * + * specific language governing permissions and limitations * + * under the License. * + ****************************************************************/ + +package org.apache.james.protocols.lib; + +import java.time.Duration; +import java.util.Arrays; + +import jakarta.inject.Inject; + +import org.apache.james.filesystem.api.FileSystem; +import org.apache.james.protocols.api.ClientAuth; +import org.apache.james.protocols.netty.Encryption; +import org.apache.james.protocols.netty.SslConfig; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import io.netty.buffer.ByteBufAllocator; +import io.netty.handler.ssl.SslContext; +import io.netty.handler.ssl.SslContextBuilder; +import io.netty.handler.ssl.SslHandler; +import io.netty.handler.ssl.SslProvider; + +/** + * {@link Encryption.Factory} that delegates to BoringSSL via Netty's tcnative for raw TLS connections + * (PEM-based, no clientAuth, no STARTTLS). + * + * <p>Falls back to {@link LegacyJavaEncryptionFactory} when any of the following apply: + * <ul> + * <li>Client certificate authentication is required</li> + * <li>A keystore (JKS/PKCS12) is used instead of PEM files</li> + * </ul> + * + * <p>Requires {@code netty-tcnative-boringssl-static} on the runtime classpath. + */ +public class TCNativeEncryptionFactory implements Encryption.Factory { + private static final Logger LOGGER = LoggerFactory.getLogger(TCNativeEncryptionFactory.class); + + private final FileSystem fileSystem; + private final LegacyJavaEncryptionFactory legacyFactory; + + @Inject + public TCNativeEncryptionFactory(FileSystem fileSystem, LegacyJavaEncryptionFactory legacyFactory) { + this.fileSystem = fileSystem; + this.legacyFactory = legacyFactory; + } + + @Override + public Encryption create(SslConfig conf) throws Exception { + if (shouldDelegate(conf)) { + LOGGER.debug("TCNative: delegating to legacy JCA (clientAuth={}, keystore={})", + conf.getClientAuth(), conf.getKeystore() != null); + return legacyFactory.create(conf); + } + LOGGER.debug("TCNative: using BoringSSL for raw TLS with PEM certs"); + return createNative(conf); + } + + private boolean shouldDelegate(SslConfig conf) { + return conf.getClientAuth() != ClientAuth.NONE + || conf.getKeystore() != null + || conf.getTruststore() != null; + } + + private Encryption createNative(SslConfig conf) throws Exception { + SslContextBuilder builder = SslContextBuilder.forServer( + fileSystem.getResource(conf.getCertificates()), + fileSystem.getResource(conf.getPrivateKey()), + conf.getSecret()) + .sslProvider(SslProvider.OPENSSL); + + if (conf.getEnabledCipherSuites() != null && conf.getEnabledCipherSuites().length > 0) { + builder.ciphers(Arrays.asList(conf.getEnabledCipherSuites())); + } + if (conf.getEnabledProtocols() != null && conf.getEnabledProtocols().length > 0) { + builder.protocols(conf.getEnabledProtocols()); + } + conf.getSessionCacheSize().ifPresent(builder::sessionCacheSize); + conf.getSessionCacheTimeout() + .map(Duration::getSeconds) + .map(Math::toIntExact) + .ifPresent(builder::sessionTimeout); + + return new NettySslContextEncryption(builder.build(), conf.useStartTLS(), conf.getEnabledCipherSuites()); + } + + private static class NettySslContextEncryption implements Encryption { + private final SslContext sslContext; + private final boolean startTLS; + private final String[] enabledCipherSuites; + + private NettySslContextEncryption(SslContext sslContext, boolean startTLS, String[] enabledCipherSuites) { + this.sslContext = sslContext; + this.startTLS = startTLS; + this.enabledCipherSuites = enabledCipherSuites; + } + + @Override + public boolean isStartTLS() { + return startTLS; + } + + @Override + public boolean supportsEncryption() { + return true; + } + + @Override + public String[] getEnabledCipherSuites() { + return enabledCipherSuites; + } + + @Override + public ClientAuth getClientAuth() { + return ClientAuth.NONE; + } + + @Override + public SslHandler sslHandler() { + return sslContext.newHandler(ByteBufAllocator.DEFAULT); + } + } +} --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
