Author: bernt
Date: Wed Nov 21 00:31:37 2007
New Revision: 596983
URL: http://svn.apache.org/viewvc?rev=596983&view=rev
Log:
DERBY-3096 SSL handshake throws bad_certificate when server tries to authenticate client.
Modified:
db/derby/code/trunk/java/client/org/apache/derby/client/net/NaiveTrustManager.java
db/derby/code/trunk/java/client/org/apache/derby/client/net/OpenSocketAction.java
db/derby/code/trunk/java/drda/org/apache/derby/impl/drda/NaiveTrustManager.java
db/derby/code/trunk/java/drda/org/apache/derby/impl/drda/NetworkServerControlImpl.java
Modified: db/derby/code/trunk/java/client/org/apache/derby/client/net/NaiveTrustManager.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/client/org/apache/derby/client/net/NaiveTrustManager.java?rev=596983&r1=596982&r2=596983&view=diff
==============================================================================
--- db/derby/code/trunk/java/client/org/apache/derby/client/net/NaiveTrustManager.java (original)
+++ db/derby/code/trunk/java/client/org/apache/derby/client/net/NaiveTrustManager.java Wed
Nov 21 00:31:37 2007
@@ -21,13 +21,17 @@
package org.apache.derby.client.net;
+import java.io.FileInputStream;
import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
+import javax.net.ssl.KeyManagerFactory;
+import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.security.cert.CertificateException;
+
/**
* This is a naive trust manager we use when we don't want server
* authentication. Any certificate will be accepted.
@@ -52,18 +56,53 @@
**/
public static SocketFactory getSocketFactory()
throws java.security.NoSuchAlgorithmException,
- java.security.KeyManagementException
+ java.security.KeyManagementException,
+ java.security.NoSuchProviderException,
+ java.security.KeyStoreException,
+ java.security.UnrecoverableKeyException,
+ java.security.cert.CertificateException,
+ java.io.IOException
{
if (thisManager == null) {
thisManager = new TrustManager [] {new NaiveTrustManager()};
}
-
+
SSLContext ctx = SSLContext.getInstance("SSL");
- ctx.init(null, // Use default key manager
- thisManager,
- null); // Use default random source
+
+ if (ctx.getProvider().getName().equals("SunJSSE") &&
+ (System.getProperty("javax.net.ssl.keyStore") != null) &&
+ (System.getProperty("javax.net.ssl.keyStorePassword") != null)) {
+
+ // SunJSSE does not give you a working default keystore
+ // when using your own trust manager. Since a keystore is
+ // needed on the client when the server does
+ // peerAuthentication, we have to provide one working the
+ // same way as the default one.
+
+ String keyStore =
+ System.getProperty("javax.net.ssl.keyStore");
+ String keyStorePassword =
+ System.getProperty("javax.net.ssl.keyStorePassword");
+
+ KeyStore ks = KeyStore.getInstance("JKS");
+ ks.load(new FileInputStream(keyStore),
+ keyStorePassword.toCharArray());
+
+ KeyManagerFactory kmf =
+ KeyManagerFactory.getInstance("SunX509", "SunJSSE");
+ kmf.init(ks, keyStorePassword.toCharArray());
+
+ ctx.init(kmf.getKeyManagers(),
+ thisManager,
+ null); // Use default random source
+ } else {
+ ctx.init(null, // Use default key manager
+ thisManager,
+ null); // Use default random source
+ }
+
return ctx.getSocketFactory();
- }
+ }
/**
* Checks wether the we trust the client. Since this trust manager
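Review bot: The `FileInputStream` opened in `ks.load(new FileInputStream(keyStore), ...)` is never closed, so every call to `getSocketFactory` leaks the keystore file handle, also on the path where `load` throws. Wrapping the load in try/finally (this file predates try-with-resources) fixes it; the drda copy of `getSocketFactory` in NaiveTrustManager.java has the same unclosed stream. A smaller point in the same branch: `keyStorePassword.toCharArray()` is called twice, producing two password arrays that are neither shared nor zeroed after `kmf.init`, so taking the array once and clearing it in the same finally would keep the secret's lifetime short.
```java
            KeyStore ks = KeyStore.getInstance("JKS");
            FileInputStream ksStream = new FileInputStream(keyStore);
            try {
                ks.load(ksStream, keyStorePassword.toCharArray());
            } finally {
                ksStream.close();
            }
            // … unchanged: KeyManagerFactory setup and ctx.init …
```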
@@ -76,7 +115,7 @@
String authType)
throws CertificateException
{
- // Reject all attemtpts to truts a client. We should never end
+ // Reject all attemtpts to trust a client. We should never end
// up here.
throw new CertificateException();
}
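Review bot: The corrected comment on the new side still carries the misspelling `attemtpts`, and the surrounding context line reads `Checks wether the we trust the client`. Since the commit already touches this comment, it could read `// Reject all attempts to trust a client. We should never end`. The drda copy of this hunk has the same leftover typo.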
Modified: db/derby/code/trunk/java/client/org/apache/derby/client/net/OpenSocketAction.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/client/org/apache/derby/client/net/OpenSocketAction.java?rev=596983&r1=596982&r2=596983&view=diff
==============================================================================
--- db/derby/code/trunk/java/client/org/apache/derby/client/net/OpenSocketAction.java (original)
+++ db/derby/code/trunk/java/client/org/apache/derby/client/net/OpenSocketAction.java Wed
Nov 21 00:31:37 2007
@@ -41,7 +41,12 @@
throws java.net.UnknownHostException,
java.io.IOException,
java.security.NoSuchAlgorithmException,
- java.security.KeyManagementException {
+ java.security.KeyManagementException,
+ java.security.NoSuchProviderException,
+ java.security.KeyStoreException,
+ java.security.UnrecoverableKeyException,
+ java.security.cert.CertificateException
+ {
SocketFactory sf;
switch (clientSSLMode_) {
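Review bot: The throws clause now lists six separate `java.security` checked exceptions, and the enclosing method starts and ends outside this hunk, so every caller up the chain has to repeat the list. All of `NoSuchAlgorithmException`, `KeyManagementException`, `NoSuchProviderException`, `KeyStoreException`, `UnrecoverableKeyException` and `CertificateException` extend `java.security.GeneralSecurityException`, so declaring `throws java.net.UnknownHostException, java.io.IOException, java.security.GeneralSecurityException` is equivalent for callers and easier to keep in sync. The same expansion appears in the `NetworkServerControlImpl.java` hunk and in both `getSocketFactory` signatures, which would shrink the same way.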
Modified: db/derby/code/trunk/java/drda/org/apache/derby/impl/drda/NaiveTrustManager.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/drda/org/apache/derby/impl/drda/NaiveTrustManager.java?rev=596983&r1=596982&r2=596983&view=diff
==============================================================================
--- db/derby/code/trunk/java/drda/org/apache/derby/impl/drda/NaiveTrustManager.java (original)
+++ db/derby/code/trunk/java/drda/org/apache/derby/impl/drda/NaiveTrustManager.java Wed Nov
21 00:31:37 2007
@@ -21,12 +21,17 @@
package org.apache.derby.impl.drda;
+import java.io.FileInputStream;
import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
+import javax.net.ssl.KeyManagerFactory;
+import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.security.cert.CertificateException;
+import org.apache.derby.iapi.services.property.PropertyUtil;
+
/**
* This is a naive trust manager we use when we don't want server
@@ -52,16 +57,51 @@
**/
public static SocketFactory getSocketFactory()
throws java.security.NoSuchAlgorithmException,
- java.security.KeyManagementException
+ java.security.KeyManagementException,
+ java.security.NoSuchProviderException,
+ java.security.KeyStoreException,
+ java.security.UnrecoverableKeyException,
+ java.security.cert.CertificateException,
+ java.io.IOException
{
if (thisManager == null) {
thisManager = new TrustManager [] {new NaiveTrustManager()};
}
-
+
SSLContext ctx = SSLContext.getInstance("SSL");
- ctx.init(null, // Use default key manager
- thisManager,
- null); // Use default random source
+
+ if (ctx.getProvider().getName().equals("SunJSSE") &&
+ (PropertyUtil.getSystemProperty("javax.net.ssl.keyStore") != null) &&
+ (PropertyUtil.getSystemProperty("javax.net.ssl.keyStorePassword") != null)) {
+
+ // SunJSSE does not give you a working default keystore
+ // when using your own trust manager. Since a keystore is
+ // needed on the client when the server does
+ // peerAuthentication, we have to provide one working the
+ // same way as the default one.
+
+ String keyStore =
+ PropertyUtil.getSystemProperty("javax.net.ssl.keyStore");
+ String keyStorePassword =
+ PropertyUtil.getSystemProperty("javax.net.ssl.keyStorePassword");
+
+ KeyStore ks = KeyStore.getInstance("JKS");
+ ks.load(new FileInputStream(keyStore),
+ keyStorePassword.toCharArray());
+
+ KeyManagerFactory kmf =
+ KeyManagerFactory.getInstance("SunX509", "SunJSSE");
+ kmf.init(ks, keyStorePassword.toCharArray());
+
+ ctx.init(kmf.getKeyManagers(),
+ thisManager,
+ null); // Use default random source
+ } else {
+ ctx.init(null, // Use default key manager
+ thisManager,
+ null); // Use default random source
+ }
+
return ctx.getSocketFactory();
}
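Review bot: `KeyStore.getInstance("JKS")` hard-codes the keystore type, while the comment above states the intent is to behave like the default key manager, which also honours `javax.net.ssl.keyStoreType`; a store named by `javax.net.ssl.keyStore` that is not JKS would fail to load in this branch. Reading the type alongside the other two properties keeps the behaviour aligned: `String keyStoreType = PropertyUtil.getSystemProperty("javax.net.ssl.keyStoreType");` and `KeyStore ks = KeyStore.getInstance(keyStoreType != null ? keyStoreType : KeyStore.getDefaultType());`. The client copy of `getSocketFactory` in client/.../NaiveTrustManager.java hard-codes the same type and would take the same change, using `System.getProperty` as it does for the other properties.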
@@ -76,7 +116,7 @@
String authType)
throws CertificateException
{
- // Reject all attemtpts to truts a client. We should never end
+ // Reject all attemtpts to trust a client. We should never end
// up here.
throw new CertificateException();
}
Modified: db/derby/code/trunk/java/drda/org/apache/derby/impl/drda/NetworkServerControlImpl.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/drda/org/apache/derby/impl/drda/NetworkServerControlImpl.java?rev=596983&r1=596982&r2=596983&view=diff
==============================================================================
--- db/derby/code/trunk/java/drda/org/apache/derby/impl/drda/NetworkServerControlImpl.java
(original)
+++ db/derby/code/trunk/java/drda/org/apache/derby/impl/drda/NetworkServerControlImpl.java
Wed Nov 21 00:31:37 2007
@@ -2333,7 +2333,11 @@
throws UnknownHostException,
IOException,
java.security.NoSuchAlgorithmException,
- java.security.KeyManagementException
+ java.security.KeyManagementException,
+ java.security.NoSuchProviderException,
+ java.security.KeyStoreException,
+ java.security.UnrecoverableKeyException,
+ java.security.cert.CertificateException
{
if (hostAddress == null)
hostAddress = InetAddress.getByName(hostArg);