Return-Path: Delivered-To: apmail-activemq-commits-archive@www.apache.org Received: (qmail 55377 invoked from network); 31 Mar 2010 21:25:28 -0000 Received: from unknown (HELO mail.apache.org) (140.211.11.3) by 140.211.11.9 with SMTP; 31 Mar 2010 21:25:28 -0000 Received: (qmail 48328 invoked by uid 500); 31 Mar 2010 21:25:28 -0000 Delivered-To: apmail-activemq-commits-archive@activemq.apache.org Received: (qmail 48301 invoked by uid 500); 31 Mar 2010 21:25:28 -0000 Mailing-List: contact commits-help@activemq.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@activemq.apache.org Delivered-To: mailing list commits@activemq.apache.org Received: (qmail 48294 invoked by uid 99); 31 Mar 2010 21:25:28 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 31 Mar 2010 21:25:28 +0000 X-ASF-Spam-Status: No, hits=-1193.0 required=10.0 tests=ALL_TRUSTED,AWL X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 31 Mar 2010 21:25:27 +0000 Received: by eris.apache.org (Postfix, from userid 65534) id F2FFF238897F; Wed, 31 Mar 2010 21:25:06 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r929720 - in /activemq/activemq-dotnet/Apache.NMS.Stomp/trunk/src/main/csharp/Transport/Tcp: SslTransport.cs SslTransportFactory.cs Date: Wed, 31 Mar 2010 21:25:06 -0000 To: commits@activemq.apache.org 
From: tabish@apache.org X-Mailer: svnmailer-1.0.8 Message-Id: <20100331212506.F2FFF238897F@eris.apache.org> Author: tabish Date: Wed Mar 31 21:25:06 2010 New Revision: 929720 URL: http://svn.apache.org/viewvc?rev=929720&view=rev Log: http://issues.apache.org/activemq/browse/AMQNET-239 Updates to better support client authentication when required by the server. Modified: activemq/activemq-dotnet/Apache.NMS.Stomp/trunk/src/main/csharp/Transport/Tcp/SslTransport.cs activemq/activemq-dotnet/Apache.NMS.Stomp/trunk/src/main/csharp/Transport/Tcp/SslTransportFactory.cs Modified: activemq/activemq-dotnet/Apache.NMS.Stomp/trunk/src/main/csharp/Transport/Tcp/SslTransport.cs URL: http://svn.apache.org/viewvc/activemq/activemq-dotnet/Apache.NMS.Stomp/trunk/src/main/csharp/Transport/Tcp/SslTransport.cs?rev=929720&r1=929719&r2=929720&view=diff ==============================================================================
--- activemq/activemq-dotnet/Apache.NMS.Stomp/trunk/src/main/csharp/Transport/Tcp/SslTransport.cs (original)
+++ activemq/activemq-dotnet/Apache.NMS.Stomp/trunk/src/main/csharp/Transport/Tcp/SslTransport.cs Wed Mar 31 21:25:06 2010
@@ -29,7 +29,9 @@ namespace Apache.NMS.Stomp.Transport.Tcp
 {
 public class SslTransport : TcpTransport
 {
- private string clientCertLocation;
+ private string serverName;
+ private string clientCertSubject;
+ private string clientCertFilename;
 private string clientCertPassword;
 private bool acceptInvalidBrokerCert = false;
@@ -47,14 +49,31 @@ namespace Apache.NMS.Stomp.Transport.Tcp
 }
 ///
+ /// Indicates the name of the Server's Certificate. By default the Host name
+ /// of the remote server is used, however if this doesn't match the name of the
+ /// Server's certificate then this option can be set to override the default.
+ ///
+ public string ServerName
+ {
+ get { return this.serverName; }
+ set { this.serverName = value; }
+ }
+
+ public string ClientCertSubject
+ {
+ get { return this.clientCertSubject; }
+ set { this.clientCertSubject = value; }
+ }
+
+ ///
 /// Indicates the location of the Client Certificate to use when the Broker
 /// is configured for Client Auth (not common). The SslTransport will supply
 /// this certificate to the SslStream via the SelectLocalCertificate method.
 ///
- public string ClientCertLocation
+ public string ClientCertFilename
 {
- get { return this.clientCertLocation; }
- set { this.clientCertLocation = value; }
+ get { return this.clientCertFilename; }
+ set { this.clientCertFilename = value; }
 }
 ///
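Review bot: `ClientCertSubject` is added without a doc comment while its sibling `ServerName` gets one, and the `ServerName` summary presents the override as a convenience without saying that it changes which name the broker's certificate is validated against. I'd document ClientCertSubject with `/// Subject (distinguished name) used to pick the client certificate when more than one is available; matched case-insensitively.` and extend the ServerName summary with `/// The server certificate is then validated against this name instead of the connected host, so only set it to a name the broker's certificate legitimately carries.`. The surrounding class continues outside the hunk.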
@@ -83,24 +102,19 @@ namespace Apache.NMS.Stomp.Transport.Tcp
 {
 return this.sslStream;
 }
-
- LocalCertificateSelectionCallback clientCertSelect = null;
-
- if(this.clientCertLocation != null )
- {
- clientCertSelect = new LocalCertificateSelectionCallback(SelectLocalCertificate);
- }
 this.sslStream = new SslStream(
 new NetworkStream(this.socket),
 false,
 new RemoteCertificateValidationCallback(ValidateServerCertificate),
- clientCertSelect );
+ new LocalCertificateSelectionCallback(SelectLocalCertificate) );
 try
 {
- Tracer.Debug("Authorizing as Client for Server: " + this.RemoteAddress.Host);
- sslStream.AuthenticateAsClient(this.RemoteAddress.Host);
+
+ string remoteCertName = this.serverName ?? this.RemoteAddress.Host;
+ Tracer.Debug("Authorizing as Client for Server: " + remoteCertName);
+ sslStream.AuthenticateAsClient(remoteCertName, LoadCertificates(), SslProtocols.Default, false);
 Tracer.Debug("Server is Authenticated = " + sslStream.IsAuthenticated);
 Tracer.Debug("Server is Encrypted = " + sslStream.IsEncrypted);
 }
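Review bot: The new `sslStream.AuthenticateAsClient(remoteCertName, LoadCertificates(), SslProtocols.Default, false)` now spells out two security choices explicitly — revocation checking is off (the trailing `false`) and the protocol set is `SslProtocols.Default`, which on the frameworks of this era includes SSL 3.0 alongside TLS 1.0 — and neither is configurable from the transport options. The previous host-only overload most likely used the same defaults, so this is not a regression, but since the call is being rewritten it is the moment to tighten it: `sslStream.AuthenticateAsClient(remoteCertName, LoadCertificates(), SslProtocols.Tls, true);`, or expose both as properties the same way `ServerName` is. Also note that `this.serverName ?? this.RemoteAddress.Host` means a configured ServerName replaces the name the broker's certificate is matched against, so a comment such as `// serverName overrides hostname verification; only set it to a name the broker's certificate really carries` would keep the next maintainer from treating it as a harmless alias. The enclosing method starts before the hunk and its catch block is outside it.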
@@ -159,14 +173,53 @@ namespace Apache.NMS.Stomp.Transport.Tcp
 X509Certificate remoteCertificate,
 string[] acceptableIssuers)
 {
- Tracer.Debug("Client is selecting a local certificate.");
-
- X509Certificate2 certificate = new X509Certificate2( clientCertLocation, clientCertPassword );
-
- return certificate;
+ Tracer.DebugFormat("Client is selecting a local certificate from {0} possibilities.", localCertificates.Count);
+
+ if(localCertificates.Count == 1)
+ {
+ Tracer.Debug("Client has selected certificate with Subject = " + localCertificates[0].Subject);
+ return localCertificates[0];
+ }
+ else if(localCertificates.Count > 1 && this.clientCertSubject != null)
+ {
+ foreach(X509Certificate2 certificate in localCertificates)
+ {
+ Tracer.Debug("Checking Client Certificate := " + certificate.ToString());
+ if(String.Compare(certificate.Subject, this.clientCertSubject, true) == 0)
+ {
+ Tracer.Debug("Client has selected certificate with Subject = " + certificate.Subject);
+ return certificate;
+ }
+ }
+ }
+
+ Tracer.Debug("Client did not select a Certificate, returning null.");
+ return null;
+ }
+
+ private X509Certificate2Collection LoadCertificates()
+ {
+ X509Certificate2Collection collection = new X509Certificate2Collection();
+
+ if(!String.IsNullOrEmpty(this.clientCertFilename))
+ {
+ Tracer.Debug("Attempting to load Client Certificate from file := " + this.clientCertFilename);
+ X509Certificate2 certificate = new X509Certificate2(this.clientCertFilename, this.clientCertPassword);
+ Tracer.Debug("Loaded Client Certificate := " + certificate.ToString());
+
+ collection.Add(certificate);
+ }
+ else
+ {
+ X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
+
+ collection = store.Certificates;
+ }
+
+ return collection;
+ }
 }
 }
-#endif
+#endif
\ No newline at end of file
Modified: activemq/activemq-dotnet/Apache.NMS.Stomp/trunk/src/main/csharp/Transport/Tcp/SslTransportFactory.cs URL:
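Review bot: In `LoadCertificates` the store fallback reads `store.Certificates` without ever calling `store.Open(...)`; as far as I can tell the `Certificates` property of an unopened `X509Store` is an empty collection on the .NET Framework (later runtimes throw), so when no ClientCertFilename is configured the CurrentUser/My path offers nothing and client auth fails silently. It should be `store.Open(OpenFlags.ReadOnly); collection = store.Certificates; store.Close();` with the close in a finally. In `SelectLocalCertificate` a lone certificate is returned even when `clientCertSubject` was set and does not match it, and the subject match uses `String.Compare(certificate.Subject, this.clientCertSubject, true)`, which is culture-sensitive — `String.Equals(certificate.Subject, this.clientCertSubject, StringComparison.OrdinalIgnoreCase)` is the right comparison for a DN. Neither path checks `HasPrivateKey`, so a public-only certificate from the store can be selected and the handshake then fails in the callback rather than with a clear error here. The signature of `SelectLocalCertificate` begins before the hunk.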
http://svn.apache.org/viewvc/activemq/activemq-dotnet/Apache.NMS.Stomp/trunk/src/main/csharp/Transport/Tcp/SslTransportFactory.cs?rev=929720&r1=929719&r2=929720&view=diff ==============================================================================
--- activemq/activemq-dotnet/Apache.NMS.Stomp/trunk/src/main/csharp/Transport/Tcp/SslTransportFactory.cs (original)
+++ activemq/activemq-dotnet/Apache.NMS.Stomp/trunk/src/main/csharp/Transport/Tcp/SslTransportFactory.cs Wed Mar 31 21:25:06 2010
@@ -23,7 +25,9 @@ namespace Apache.NMS.Stomp.Transport.Tcp
 {
 public class SslTransportFactory : TcpTransportFactory
 {
- private string clientCertLocation;
+ private string serverName;
+ private string clientCertSubject;
+ private string clientCertFilename;
 private string clientCertPassword;
 private bool acceptInvalidBrokerCert = false;
@@ -31,10 +33,22 @@ namespace Apache.NMS.Stomp.Transport.Tcp
 {
 }
- public string ClientCertLocation
+ public string ServerName
 {
- get { return this.clientCertLocation; }
- set { this.clientCertLocation = value; }
+ get { return this.serverName; }
+ set { this.serverName = value; }
+ }
+
+ public string ClientCertSubject
+ {
+ get { return this.clientCertSubject; }
+ set { this.clientCertSubject = value; }
+ }
+
+ public string ClientCertFilename
+ {
+ get { return this.clientCertFilename; }
+ set { this.clientCertFilename = value; }
 }
 public string ClientCertPassword
@@ -55,9 +69,11 @@ namespace Apache.NMS.Stomp.Transport.Tcp
 #if !NETCF
 SslTransport transport = new SslTransport(location, socket, wireFormat);
- transport.ClientCertLocation = ClientCertLocation;
- transport.ClientCertPassword = ClientCertPassword;
- transport.AcceptInvalidBrokerCert = AcceptInvalidBrokerCert;
+ transport.ClientCertSubject = this.clientCertSubject;
+ transport.ClientCertFilename = this.clientCertFilename;
+ transport.ClientCertPassword = this.clientCertPassword;
+ transport.ServerName = this.serverName;
+ transport.AcceptInvalidBrokerCert = this.acceptInvalidBrokerCert;
 return transport;
 #else