From kayyag...@apache.org
Subject svn commit: r1006040 - in /directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/replication: ReplicationTrustManager.java SyncReplConsumer.java SyncreplConfiguration.java
Date Fri, 08 Oct 2010 21:53:41 GMT
Author: kayyagari
Date: Fri Oct  8 21:53:40 2010
New Revision: 1006040

URL: http://svn.apache.org/viewvc?rev=1006040&view=rev
Log:
o added TLS related configuration support
o added a new X509TrustManager to validate the replica peers' certificates 

Added:
    directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/replication/ReplicationTrustManager.java
Modified:
    directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/replication/SyncReplConsumer.java
    directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/replication/SyncreplConfiguration.java

Added: directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/replication/ReplicationTrustManager.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/replication/ReplicationTrustManager.java?rev=1006040&view=auto
==============================================================================
--- directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/replication/ReplicationTrustManager.java
(added)
+++ directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/replication/ReplicationTrustManager.java
Fri Oct  8 21:53:40 2010
@@ -0,0 +1,161 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+
+package org.apache.directory.server.ldap.replication;
+
+
+import java.security.KeyStore;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.Map;
+
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509TrustManager;
+
+import org.apache.activemq.util.ByteArrayInputStream;
+import org.bouncycastle.jce.provider.X509CertParser;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+
+/**
+ * TODO ReplicationTrustManager.
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ */
+public class ReplicationTrustManager implements X509TrustManager
+{
+    private static final Logger LOG = LoggerFactory.getLogger( ReplicationTrustManager.class
);
+
+    /** the internal trust manager used for verifying the certificates */
+    private static X509TrustManager trustManager = null;
+
+    /** the in-memory keystore in JKS format */
+    private static KeyStore ks;
+
+    /** flag used for marking the intialization phase status */
+    private static boolean initialized;
+
+    /** the singleton instance of this trust manager */
+    private static ReplicationTrustManager INSTANCE = new ReplicationTrustManager();
+
+
+    private ReplicationTrustManager()
+    {
+        try
+        {
+            ks = KeyStore.getInstance( "JKS" );
+            ks.load( null, null ); // initiate with null stream and password, this keystore
resides in-memory only
+        }
+        catch ( Exception e )
+        {
+            LOG.error( "failed to initiate the keystore", e );
+            throw new RuntimeException( e );
+        }
+    }
+
+
+    /**
+     * loads the given map of [alias-name, certificate-data] entries into the keystore
+     * to be used by the trust manager
+     *
+     * @param aliasCertMap the map of [alias-name, certificate-data] entries
+     * @throws Exception in case of any issues related to certificate data parsing or finding
SunX509 TrustManagerFactory implementation
+     */
+    public static void init( Map<String, byte[]> aliasCertMap ) throws Exception
+    {
+        if ( initialized )
+        {
+            LOG.warn( "ReplicationTrustManager was already initialized, ignoring call to
init" );
+            return;
+        }
+
+        X509CertParser parser = new X509CertParser();
+
+        for ( Map.Entry<String, byte[]> entry : aliasCertMap.entrySet() )
+        {
+            try
+            {
+                parser.engineInit( new ByteArrayInputStream( entry.getValue() ) );
+
+                X509Certificate cert = ( X509Certificate ) parser.engineRead();
+
+                ks.setCertificateEntry( entry.getKey(), cert );
+            }
+            catch ( Exception ex )
+            {
+                LOG.warn( "failed to load the certificate associated with the alias {}",
entry.getKey(), ex );
+            }
+        }
+
+        TrustManagerFactory tmFactory = TrustManagerFactory.getInstance( "SunX509" );
+        tmFactory.init( ks );
+
+        TrustManager trustManagers[] = tmFactory.getTrustManagers();
+
+        for ( int i = 0; i < trustManagers.length; i++ )
+        {
+            if ( trustManagers[i] instanceof X509TrustManager )
+            {
+                trustManager = ( X509TrustManager ) trustManagers[i];
+                LOG.debug( "found X509TrustManager {}", trustManager );
+                break;
+            }
+        }
+
+        if ( trustManager == null )
+        {
+            throw new Exception( "no X509TrustManagerS were found" );
+        }
+
+        initialized = true;
+    }
+
+
+    /**
+     * returns the singleton instance of ReplicationTrustManager, note that this
+     * return instance can only be used after calling the {@link #init(Map)} method 
+     * 
+     * @return the instance of the ReplicationTrustManager
+     */
+    public static ReplicationTrustManager getInstance()
+    {
+        return INSTANCE;
+    }
+
+
+    public void checkClientTrusted( X509Certificate[] chain, String authType ) throws CertificateException
+    {
+        trustManager.checkClientTrusted( chain, authType );
+    }
+
+
+    public void checkServerTrusted( X509Certificate[] chain, String authType ) throws CertificateException
+    {
+        trustManager.checkServerTrusted( chain, authType );
+    }
+
+
+    public X509Certificate[] getAcceptedIssuers()
+    {
+        return trustManager.getAcceptedIssuers();
+    }
+}
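Review bot: `checkClientTrusted`, `checkServerTrusted` and `getAcceptedIssuers` dereference the static `trustManager`, which stays null until `init(Map)` has completed, so a handshake on a consumer that obtained the singleton before initialization dies with a NullPointerException instead of a CertificateException. A small guard gives a clear, fail-closed error; the rewrite is below. Separately, `init` logs and skips any alias whose bytes fail to parse, so a misconfigured certificate set silently shrinks the trust store to the remaining entries — at least log how many entries were loaded, or fail `init` when none were. The class Javadoc is still the `TODO ReplicationTrustManager.` placeholder; a summary such as "X509TrustManager backed by an in-memory JKS keystore that init(Map) fills with the replica peers' certificates; all checks are delegated to the SunX509 trust manager built from that keystore" would tell a reader what it is for. `org.apache.activemq.util.ByteArrayInputStream` also drags an ActiveMQ type into this module where `java.io.ByteArrayInputStream` would do.
```java
    // … unchanged: fields, constructor, init(Map), getInstance() …


    /** Fails fast with a CertificateException while init(Map) has not completed. */
    private static X509TrustManager delegate() throws CertificateException
    {
        if ( trustManager == null )
        {
            throw new CertificateException( "ReplicationTrustManager is not initialized, call init() first" );
        }

        return trustManager;
    }


    public void checkClientTrusted( X509Certificate[] chain, String authType ) throws CertificateException
    {
        delegate().checkClientTrusted( chain, authType );
    }


    public void checkServerTrusted( X509Certificate[] chain, String authType ) throws CertificateException
    {
        delegate().checkServerTrusted( chain, authType );
    }


    public X509Certificate[] getAcceptedIssuers()
    {
        // not initialized yet: no issuer is accepted
        return ( trustManager == null ) ? new X509Certificate[0] : trustManager.getAcceptedIssuers();
    }
```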

Modified: directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/replication/SyncReplConsumer.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/replication/SyncReplConsumer.java?rev=1006040&r1=1006039&r2=1006040&view=diff
==============================================================================
--- directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/replication/SyncReplConsumer.java
(original)
+++ directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/replication/SyncReplConsumer.java
Fri Oct  8 21:53:40 2010
@@ -33,6 +33,7 @@ import java.util.Map;
 import java.util.Set;
 
 import org.apache.directory.ldap.client.api.ConnectionClosedEventListener;
+import org.apache.directory.ldap.client.api.NoVerificationTrustManager;
 import org.apache.directory.ldap.client.api.LdapNetworkConnection;
 import org.apache.directory.ldap.client.api.future.SearchFuture;
 import org.apache.directory.server.core.CoreSession;
@@ -212,21 +213,28 @@ public class SyncReplConsumer implements
         {
             String providerHost = config.getProviderHost();
             int port = config.getPort();
-
+            
             // Create a connection
             if ( connection == null )
             {
                 connection = new LdapNetworkConnection( providerHost, port );
+                
+                if( config.isUseTls() )
+                {
+                    connection.getConfig().setTrustManagers( config.getTrustManager() );
+                    connection.startTls();
+                }
+                
                 connection.addConnectionClosedEventListener( this );
             }
 
             // Do a bind
             BindResponse bindResponse = connection.bind( config.getReplUserDn(), config.getReplUserPassword()
);
 
-            // Check that it' not null and valid
+            // Check that it is not null and valid
             if ( bindResponse == null )
             {
-                LOG.error( "Failed to bind with the given bindDN and credentials", bindResponse
);
+                LOG.error( "Failed to bind with the given bindDN and credentials" );
                 return false;
             }
 
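Review bot: The TLS session opened at `connection.startTls()` authenticates the provider only as far as `config.getTrustManager()` does, and with the defaults this commit gives SyncreplConfiguration (the hunk adding its `useTls`/`strictCertVerification`/`trustManager` fields) that is a `NoVerificationTrustManager` even though `strictCertVerification` defaults to true — the verifying `ReplicationTrustManager` is installed only when `setStrictCertVerification(true)` is called explicitly. The field initializer should agree with the flag, e.g. `private X509TrustManager trustManager = ReplicationTrustManager.getInstance();`, or `getTrustManager()` should choose the manager from the flag. The `NoVerificationTrustManager` import added to this file in the previous hunk is not referenced in the visible lines; if it is unused elsewhere in the class it should be dropped. The enclosing method starts and ends outside the hunk.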

Modified: directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/replication/SyncreplConfiguration.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/replication/SyncreplConfiguration.java?rev=1006040&r1=1006039&r2=1006040&view=diff
==============================================================================
--- directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/replication/SyncreplConfiguration.java
(original)
+++ directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/replication/SyncreplConfiguration.java
Fri Oct  8 21:53:40 2010
@@ -23,11 +23,14 @@ package org.apache.directory.server.ldap
 import java.util.HashSet;
 import java.util.Set;
 
+import org.apache.directory.ldap.client.api.NoVerificationTrustManager;
 import org.apache.directory.shared.ldap.constants.SchemaConstants;
 import org.apache.directory.shared.ldap.filter.SearchScope;
 import org.apache.directory.shared.ldap.message.AliasDerefMode;
 import org.apache.directory.shared.ldap.util.StringTools;
 
+import javax.net.ssl.X509TrustManager;
+
 
 /**
  * 
@@ -96,6 +99,15 @@ public class SyncreplConfiguration
     /** flag to indicate whether to chase referrals or not, default is false hence passes
ManageDsaITControl with syncsearch request*/
     private boolean chaseReferrals = false;
 
+    /** flag to indicate the use of TLS, default is true */
+    private boolean useTls = true;
+
+    /** flag to indicate the use of strict certificate verification, default is true */
+    private boolean strictCertVerification = true;
+
+    /** the X509 certificate trust manager used, default value set to {@link NoVerificationTrustManager}
*/
+    private X509TrustManager trustManager = new NoVerificationTrustManager();
+
 
     public SyncreplConfiguration()
     {
@@ -286,11 +298,11 @@ public class SyncreplConfiguration
 
         // if user specified some attributes then remove the * from attributes
         // NOTE: if the user specifies * in the given array that eventually gets added later
-        if( attr.length > 0 )
+        if ( attr.length > 0 )
         {
             attributes.remove( SchemaConstants.ALL_USER_ATTRIBUTES );
         }
-        
+
         for ( String at : attr )
         {
             at = at.trim();
@@ -317,11 +329,11 @@ public class SyncreplConfiguration
      */
     public void setSearchSizeLimit( int searchSizeLimit )
     {
-        if( searchTimeout < 0 )
+        if ( searchTimeout < 0 )
         {
             throw new IllegalArgumentException( "search size limit value cannot be negative
" + searchSizeLimit );
         }
-        
+
         this.searchSizeLimit = searchSizeLimit;
     }
 
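Review bot: `setSearchSizeLimit` still validates the wrong field: the reformatted condition reads `if ( searchTimeout < 0 )`, so a negative size limit is accepted and a previously stored negative timeout would reject a valid size limit; it should be `if ( searchSizeLimit < 0 )`. The commit only touched the spacing on that line, so the copy-paste from `setSearchTimeout` survives. The method's Javadoc begins above the hunk.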
@@ -340,11 +352,11 @@ public class SyncreplConfiguration
      */
     public void setSearchTimeout( int searchTimeout )
     {
-        if( searchTimeout < 0 )
+        if ( searchTimeout < 0 )
         {
             throw new IllegalArgumentException( "search timeout value cannot be negative
" + searchTimeout );
         }
-        
+
         this.searchTimeout = searchTimeout;
     }
 
@@ -450,4 +462,52 @@ public class SyncreplConfiguration
         return "ads-dsReplicaId=" + replicaId + "," + REPL_CONFIG_AREA;
     }
 
+
+    public boolean isUseTls()
+    {
+        return useTls;
+    }
+
+
+    /**
+     * set the option to turn on/off use of TLS
+     * 
+     * @param useTls
+     */
+    public void setUseTls( boolean useTls )
+    {
+        this.useTls = useTls;
+    }
+
+
+    public boolean isStrictCertVerification()
+    {
+        return strictCertVerification;
+    }
+
+
+    /**
+     * set the strict certificate verification
+     * 
+     * @param strictCertVerification
+     */
+    public void setStrictCertVerification( boolean strictCertVerification )
+    {
+        if ( strictCertVerification )
+        {
+            trustManager = ReplicationTrustManager.getInstance();
+        }
+        else
+        {
+            trustManager = new NoVerificationTrustManager();
+        }
+
+        this.strictCertVerification = strictCertVerification;
+    }
+
+
+    public X509TrustManager getTrustManager()
+    {
+        return trustManager;
+    }
 }
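Review bot: `setStrictCertVerification( true )` installs `ReplicationTrustManager.getInstance()`, whose checks delegate to a static trust manager that exists only after `ReplicationTrustManager.init( Map )` has run; nothing in this class records or checks that, so `getTrustManager()` may hand the consumer a verifier that fails at handshake time. The two `@param` tags are empty and `isUseTls`, `isStrictCertVerification` and `getTrustManager` have no Javadoc; `getTrustManager` in particular should state that the returned ReplicationTrustManager is usable only once `ReplicationTrustManager.init(Map)` has loaded the peer certificates, and `setStrictCertVerification` should say that it also replaces the trust manager. For the setter, `@param strictCertVerification true to verify peer certificates against ReplicationTrustManager, false to accept any certificate` would document the actual effect.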


