activemq-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From tab...@apache.org
Subject svn commit: r1565480 - in /activemq/activemq-dotnet/Apache.NMS.ActiveMQ/trunk/src/main/csharp/Transport/Tcp: SslTransport.cs SslTransportFactory.cs
Date Thu, 06 Feb 2014 23:32:05 GMT
Author: tabish
Date: Thu Feb  6 23:32:04 2014
New Revision: 1565480

URL: http://svn.apache.org/r1565480
Log:
https://issues.apache.org/jira/browse/AMQNET-469

Allow more flexibility for self-signed certificates when using the SSL transport.

Modified:
    activemq/activemq-dotnet/Apache.NMS.ActiveMQ/trunk/src/main/csharp/Transport/Tcp/SslTransport.cs
    activemq/activemq-dotnet/Apache.NMS.ActiveMQ/trunk/src/main/csharp/Transport/Tcp/SslTransportFactory.cs

Modified: activemq/activemq-dotnet/Apache.NMS.ActiveMQ/trunk/src/main/csharp/Transport/Tcp/SslTransport.cs
URL: http://svn.apache.org/viewvc/activemq/activemq-dotnet/Apache.NMS.ActiveMQ/trunk/src/main/csharp/Transport/Tcp/SslTransport.cs?rev=1565480&r1=1565479&r2=1565480&view=diff
==============================================================================
--- activemq/activemq-dotnet/Apache.NMS.ActiveMQ/trunk/src/main/csharp/Transport/Tcp/SslTransport.cs
(original)
+++ activemq/activemq-dotnet/Apache.NMS.ActiveMQ/trunk/src/main/csharp/Transport/Tcp/SslTransport.cs
Thu Feb  6 23:32:04 2014
@@ -30,6 +30,7 @@ namespace Apache.NMS.ActiveMQ.Transport.
         private string clientCertSubject;
         private string clientCertFilename;
         private string clientCertPassword;
+        private string brokerCertFilename;
         private string keyStoreName;
         private string keyStoreLocation;
         private bool acceptInvalidBrokerCert = false;
@@ -84,6 +85,16 @@ namespace Apache.NMS.ActiveMQ.Transport.
         }
 
         /// <summary>
+        /// Indicates the location of the Broker Certificate to use when the Broker
+        /// is using a self-signed certificate.
+        /// </summary>
+        public string BrokerCertFilename
+        {
+            get { return this.brokerCertFilename; }
+            set { this.brokerCertFilename = value; }
+        }
+
+        /// <summary>
         /// Indicates if the SslTransport should ignore any errors in the supplied Broker
         /// certificate and connect anyway, this is useful in testing with a default AMQ
         /// broker certificate that is self signed.
@@ -113,18 +124,22 @@ namespace Apache.NMS.ActiveMQ.Transport.
                 return this.sslStream;
             }
 
+            var remoteCertificateValidationCallback =
+                String.IsNullOrEmpty(this.brokerCertFilename) ?
+                    new RemoteCertificateValidationCallback(ValidateServerCertificate) :
+                    new RemoteCertificateValidationCallback(ValidateSelfSignedServerCertificate);
+
             this.sslStream = new SslStream(
                 new NetworkStream(this.socket),
                 false,
-                new RemoteCertificateValidationCallback(ValidateServerCertificate),
-                new LocalCertificateSelectionCallback(SelectLocalCertificate) );
+                remoteCertificateValidationCallback,
+                SelectLocalCertificate);
 
             try
             {
-
                 string remoteCertName = this.serverName ?? this.RemoteAddress.Host;
                 Tracer.Debug("Authorizing as Client for Server: " + remoteCertName);
-                sslStream.AuthenticateAsClient(remoteCertName, LoadCertificates(), SslProtocols.Default,
false);
+                sslStream.AuthenticateAsClient(remoteCertName, LoadClientCertificates(),
SslProtocols.Default, false);
                 Tracer.Debug("Server is Authenticated = " + sslStream.IsAuthenticated);
                 Tracer.Debug("Server is Encrypted = " + sslStream.IsEncrypted);
             }
@@ -177,6 +192,55 @@ namespace Apache.NMS.ActiveMQ.Transport.
             return AcceptInvalidBrokerCert;
         }
 
+        private bool ValidateSelfSignedServerCertificate(object sender,
+                                                         X509Certificate certificate,
+                                                         X509Chain chain,
+                                                         SslPolicyErrors sslPolicyErrors)
+        {
+            Tracer.DebugFormat("ValidateSelfSignedServerCertificate: Issued By {0}", certificate.Issuer);
+
+            // We ignore SslPolicyErrors because we do our own checks.
+
+            if (chain.ChainElements.Count != 1 || !chain.ChainElements[0].Certificate.Equals(certificate))
+            {
+                Tracer.Error("Received unexpected certificate chain from server");
+                return false;
+            }
+
+            if (CorrectSelfSignedCertificate(certificate)) 
+            {
+                return true;
+            }
+
+            Tracer.Error("Server doesn't have the expected self-signed certificate");
+
+            // Configuration may or may not allow us to connect with an invalid broker cert.
+            return AcceptInvalidBrokerCert;
+        }
+
+        private bool CorrectSelfSignedCertificate(X509Certificate receivedCertificate)
+        {
+            X509Certificate2 expectedCertificate = new X509Certificate2(this.brokerCertFilename);
+
+            byte[] receivedBytes = receivedCertificate.GetRawCertData();
+            byte[] expectedBytes = expectedCertificate.GetRawCertData();
+
+            if (receivedBytes.Length != expectedBytes.Length) 
+            {
+                return false;
+            }
+
+            for (int i = 0; i < receivedBytes.Length; i++)
+            {
+                if (receivedBytes[i] != expectedBytes[i])
+                {
+                    return false;
+                }
+            }
+
+            return true;
+        }
+
         private X509Certificate SelectLocalCertificate(object sender,
                                                        string targetHost,
                                                        X509CertificateCollection localCertificates,
@@ -207,7 +271,7 @@ namespace Apache.NMS.ActiveMQ.Transport.
             return null;
         }
 
-        private X509Certificate2Collection LoadCertificates()
+        private X509Certificate2Collection LoadClientCertificates()
         {
             X509Certificate2Collection collection = new X509Certificate2Collection();
 

Modified: activemq/activemq-dotnet/Apache.NMS.ActiveMQ/trunk/src/main/csharp/Transport/Tcp/SslTransportFactory.cs
URL: http://svn.apache.org/viewvc/activemq/activemq-dotnet/Apache.NMS.ActiveMQ/trunk/src/main/csharp/Transport/Tcp/SslTransportFactory.cs?rev=1565480&r1=1565479&r2=1565480&view=diff
==============================================================================
--- activemq/activemq-dotnet/Apache.NMS.ActiveMQ/trunk/src/main/csharp/Transport/Tcp/SslTransportFactory.cs
(original)
+++ activemq/activemq-dotnet/Apache.NMS.ActiveMQ/trunk/src/main/csharp/Transport/Tcp/SslTransportFactory.cs
Thu Feb  6 23:32:04 2014
@@ -28,6 +28,7 @@ namespace Apache.NMS.ActiveMQ.Transport.
         private string clientCertSubject;
         private string clientCertFilename;
         private string clientCertPassword;
+        private string brokerCertFilename;
         private string keyStoreName;
         private string keyStoreLocation;
         private bool acceptInvalidBrokerCert = false;
@@ -60,6 +61,12 @@ namespace Apache.NMS.ActiveMQ.Transport.
             set { this.clientCertPassword = value; }
         }        
 
+        public string BrokerCertFilename
+        {
+            get { return this.brokerCertFilename; }
+            set { this.brokerCertFilename = value; }
+        }
+
         public bool AcceptInvalidBrokerCert
         {
             get { return this.acceptInvalidBrokerCert; }
@@ -86,6 +93,7 @@ namespace Apache.NMS.ActiveMQ.Transport.
             transport.ClientCertSubject = HttpUtility.UrlDecode(this.clientCertSubject);
             transport.ClientCertFilename = this.clientCertFilename;
             transport.ClientCertPassword = this.clientCertPassword;
+            transport.BrokerCertFilename = this.brokerCertFilename;
             transport.ServerName = this.serverName;
             transport.KeyStoreLocation = this.keyStoreLocation;
             transport.KeyStoreName = this.keyStoreName;



Mime
View raw message