From kayyag...@apache.org
Subject svn commit: r1403624 - in /directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap: LdapServer.java handlers/extended/StartTlsHandler.java handlers/ssl/LdapsInitializer.java
Date Tue, 30 Oct 2012 06:13:14 GMT
Author: kayyagari
Date: Tue Oct 30 06:13:13 2012
New Revision: 1403624

URL: http://svn.apache.org/viewvc?rev=1403624&view=rev
Log:
o removed the duplicate code related to initializing SSL context in LDAPS and StartTLS handlers
o removed hard coded supported control OIDs (now they are taken from the codec service)

Modified:
    directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/LdapServer.java
    directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/extended/StartTlsHandler.java
    directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/ssl/LdapsInitializer.java

Modified: directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/LdapServer.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/LdapServer.java?rev=1403624&r1=1403623&r2=1403624&view=diff
==============================================================================
--- directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/LdapServer.java
(original)
+++ directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/LdapServer.java
Tue Oct 30 06:13:13 2012
@@ -23,7 +23,6 @@ package org.apache.directory.server.ldap
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.security.KeyStore;
-import java.security.KeyStoreSpi;
 import java.security.Provider;
 import java.security.Security;
 import java.util.ArrayList;
@@ -35,6 +34,8 @@ import java.util.List;
 import java.util.Map;
 import java.util.Set;
 
+import javax.net.ssl.KeyManagerFactory;
+
 import org.apache.directory.server.core.api.DirectoryService;
 import org.apache.directory.server.core.api.partition.PartitionNexus;
 import org.apache.directory.server.core.security.CoreKeyStoreSpi;
@@ -60,10 +61,6 @@ import org.apache.directory.server.proto
 import org.apache.directory.server.protocol.shared.transport.Transport;
 import org.apache.directory.server.protocol.shared.transport.UdpTransport;
 import org.apache.directory.shared.ldap.codec.api.LdapApiServiceFactory;
-import org.apache.directory.shared.ldap.extras.controls.SyncDoneValue;
-import org.apache.directory.shared.ldap.extras.controls.SyncInfoValue;
-import org.apache.directory.shared.ldap.extras.controls.SyncRequestValue;
-import org.apache.directory.shared.ldap.extras.controls.SyncStateValue;
 import org.apache.directory.shared.ldap.model.constants.SaslQoP;
 import org.apache.directory.shared.ldap.model.exception.LdapConfigurationException;
 import org.apache.directory.shared.ldap.model.message.AbandonRequest;
@@ -77,12 +74,6 @@ import org.apache.directory.shared.ldap.
 import org.apache.directory.shared.ldap.model.message.ModifyRequest;
 import org.apache.directory.shared.ldap.model.message.SearchRequest;
 import org.apache.directory.shared.ldap.model.message.UnbindRequest;
-import org.apache.directory.shared.ldap.model.message.controls.Cascade;
-import org.apache.directory.shared.ldap.model.message.controls.EntryChange;
-import org.apache.directory.shared.ldap.model.message.controls.ManageDsaIT;
-import org.apache.directory.shared.ldap.model.message.controls.PagedResults;
-import org.apache.directory.shared.ldap.model.message.controls.PersistentSearch;
-import org.apache.directory.shared.ldap.model.message.controls.Subentries;
 import org.apache.directory.shared.ldap.model.message.extended.NoticeOfDisconnect;
 import org.apache.directory.shared.util.Strings;
 import org.apache.mina.core.filterchain.DefaultIoFilterChainBuilder;
@@ -214,7 +205,8 @@ public class LdapServer extends Director
 
     private List<ReplicationConsumer> replConsumers;
 
-
+    private KeyManagerFactory keyManagerFactory;
+    
     /**
      * Creates an LDAP protocol provider.
      */
@@ -235,17 +227,6 @@ public class LdapServer extends Director
         saslRealms.add( "example.com" );
 
         this.supportedControls = new HashSet<String>();
-        this.supportedControls.add( PersistentSearch.OID );
-        this.supportedControls.add( EntryChange.OID );
-        this.supportedControls.add( Subentries.OID );
-        this.supportedControls.add( ManageDsaIT.OID );
-        this.supportedControls.add( Cascade.OID );
-        this.supportedControls.add( PagedResults.OID );
-        // Replication controls
-        this.supportedControls.add( SyncDoneValue.OID );
-        this.supportedControls.add( SyncInfoValue.OID );
-        this.supportedControls.add( SyncRequestValue.OID );
-        this.supportedControls.add( SyncStateValue.OID );
     }
 
 
@@ -307,21 +288,13 @@ public class LdapServer extends Director
         }
     }
 
-    private static class AdsKeyStore extends KeyStore
-    {
-        public AdsKeyStore( KeyStoreSpi keyStoreSpi, Provider provider, String type )
-        {
-            super( keyStoreSpi, provider, type );
-        }
-    }
-
 
     /**
      * loads the digital certificate either from a keystore file or from the admin entry
in DIT
      */
     // This will suppress PMD.EmptyCatchBlock warnings in this method
     @SuppressWarnings("PMD.EmptyCatchBlock")
-    private void loadKeyStore() throws Exception
+    public void loadKeyStore() throws Exception
     {
         if ( Strings.isEmpty( keystoreFile ) )
         {
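Review bot: `loadKeyStore()` is widened from private to public while its javadoc still describes only certificate loading; as a public entry point it now also builds the `keyManagerFactory` that `getKeyManagerFactory()` hands to the LDAPS and StartTLS code, and nothing documents that it must run before either of those or that it may be re-run on a live server. Suggest extending the javadoc with `Also (re)builds the KeyManagerFactory returned by getKeyManagerFactory(); must be called before any SSL filter or StartTLS context is created.` and, since `throws Exception` is now part of a public signature, naming the failure cases (unreadable keystore, wrong password) in a `@throws` line. The method body continues past this hunk.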
@@ -358,6 +331,25 @@ public class LdapServer extends Director
                 }
             }
         }
+        
+        // Set up key manager factory to use our key store
+        String algorithm = Security.getProperty( "ssl.KeyManagerFactory.algorithm" );
+
+        if ( algorithm == null )
+        {
+            algorithm = KeyManagerFactory.getDefaultAlgorithm();
+        }
+        
+        keyManagerFactory = KeyManagerFactory.getInstance( algorithm );
+        
+        if ( Strings.isEmpty( certificatePassword ) )
+        {
+            keyManagerFactory.init( keyStore, null );
+        }
+        else
+        {
+            keyManagerFactory.init( keyStore, certificatePassword.toCharArray() );
+        }
     }
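Review bot: `keyManagerFactory` is assigned at the `getInstance` line and only initialised two statements later, so a concurrent caller of `getKeyManagerFactory()` — the StartTLS handler — can observe a factory whose `getKeyManagers()` throws `IllegalStateException`; with `loadKeyStore()` now public, a re-run on a running server is plausible. Build into a local and publish once: `KeyManagerFactory kmf = KeyManagerFactory.getInstance( algorithm );`, `kmf.init( keyStore, Strings.isEmpty( certificatePassword ) ? null : certificatePassword.toCharArray() );`, `keyManagerFactory = kmf;`. Note also that `KeyManagerFactory.init` takes the key-entry password rather than the keystore password; the two typically coincide for JKS files, but a comment on `certificatePassword` should say which one is expected. The enclosing `loadKeyStore()` begins in an earlier hunk.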
 
 
@@ -384,8 +376,7 @@ public class LdapServer extends Director
             DefaultIoFilterChainBuilder dfcb = ( ( DefaultIoFilterChainBuilder ) chainBuilder
);
             if ( dfcb.contains( sslFilterName ) )
             {
-                DefaultIoFilterChainBuilder newChain = ( DefaultIoFilterChainBuilder ) LdapsInitializer.init(
keyStore,
-                    certificatePassword );
+                DefaultIoFilterChainBuilder newChain = ( DefaultIoFilterChainBuilder ) LdapsInitializer.init(
keyManagerFactory );
                 dfcb.replace( sslFilterName, newChain.get( sslFilterName ) );
                 newChain = null;
             }
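Review bot: This reload path rebuilds the SSL filter from the cached `keyManagerFactory` rather than from the keystore, so unless the caller (outside this hunk) invokes `loadKeyStore()` first, a certificate or key rotation on disk will keep serving the old key after a reload. If that is the case, add `loadKeyStore();` before the `LdapsInitializer.init( keyManagerFactory )` call, or state in the method's javadoc that it only re-applies key material that was already loaded. The enclosing method starts before this hunk.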
@@ -394,9 +385,6 @@ public class LdapServer extends Director
         StartTlsHandler handler = ( StartTlsHandler ) getExtendedOperationHandler( StartTlsHandler.EXTENSION_OID
);
         if ( handler != null )
         {
-            //FIXME dirty hack. IMO StartTlsHandler's code requires a cleanup
-            // cause the keystore loading and sslcontext creation code is duplicated
-            // both in the LdapService as well as StatTlsHandler
             handler.setLdapServer( this );
         }
 
@@ -415,6 +403,8 @@ public class LdapServer extends Director
             return;
         }
 
+        loadKeyStore();
+        
         for ( Transport transport : transports )
         {
             if ( !( transport instanceof TcpTransport ) )
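Review bot: `loadKeyStore()` is now called unconditionally at start-up, whereas the removed call below ran only for an SSL-enabled transport; a deployment with plain LDAP transports and no StartTLS handler will now fail to start on an unreadable keystore or a wrong `certificatePassword`, because the exception propagates out of this method. That is defensible — it surfaces misconfiguration early — but it is a behaviour change the log does not mention; either document it with `// keystore is loaded eagerly: StartTLS can be negotiated on any TCP transport, so key material is needed even without an LDAPS transport` or skip the load when no transport is SSL-enabled and no StartTLS handler is registered. The enclosing method begins outside this hunk.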
@@ -424,11 +414,10 @@ public class LdapServer extends Director
             }
 
             IoFilterChainBuilder chain;
-
+            
             if ( transport.isSSLEnabled() )
             {
-                loadKeyStore();
-                chain = LdapsInitializer.init( keyStore, certificatePassword );
+                chain = LdapsInitializer.init( keyManagerFactory );
             }
             else
             {
@@ -1022,6 +1011,11 @@ public class LdapServer extends Director
     public void setDirectoryService( DirectoryService directoryService )
     {
         super.setDirectoryService( directoryService );
+        Iterator<String> itr = directoryService.getLdapCodecService().registeredControls();
+        while( itr.hasNext() )
+        {
+            supportedControls.add( itr.next() );
+        }
     }
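Review bot: `supportedControls` is only ever added to here, and with `setSupportedControls` removed in the hunk below the root DSE will advertise every control OID the codec can decode, whether or not a request handler enforces it; a client that sends such a control with criticality set may then assume semantics the server does not implement. If the codec registry is intended as the single source of truth, record that contract on the loop: `// Advertise exactly the controls the codec can decode; any OID listed here must be honoured (or rejected as unsupported-critical) by the request handlers.` Repeated calls to `setDirectoryService` also accumulate OIDs from every service seen, so consider `supportedControls.clear();` before the loop if the setter can be invoked more than once.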
 
 
@@ -1031,14 +1025,6 @@ public class LdapServer extends Director
     }
 
 
-    /**
-     */
-    public void setSupportedControls( Set<String> supportedControls )
-    {
-        this.supportedControls = supportedControls;
-    }
-
-
     public MessageHandler<AbandonRequest> getAbandonHandler()
     {
         return abandonHandler;
@@ -1343,6 +1329,15 @@ public class LdapServer extends Director
 
 
     /**
+     * @return the key manager factory of the server keystore
+     */
+    public KeyManagerFactory getKeyManagerFactory()
+    {
+        return keyManagerFactory;
+    }
+
+
+    /**
      * @see Object#toString()
      */
     public String toString()
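Review bot: The javadoc on `getKeyManagerFactory()` should say that the result is null until `loadKeyStore()` has run, because `StartTlsHandler` dereferences the return value directly: `@return the key manager factory built by {@link #loadKeyStore()}, or null if it has not been called yet`. A `@see #loadKeyStore()` line would also make the required initialisation order discoverable from the getter.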

Modified: directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/extended/StartTlsHandler.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/extended/StartTlsHandler.java?rev=1403624&r1=1403623&r2=1403624&view=diff
==============================================================================
--- directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/extended/StartTlsHandler.java
(original)
+++ directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/extended/StartTlsHandler.java
Tue Oct 30 06:13:13 2012
@@ -20,24 +20,17 @@
 package org.apache.directory.server.ldap.handlers.extended;
 
 
-import java.io.File;
-import java.io.FileInputStream;
-import java.security.KeyStore;
 import java.security.Provider;
 import java.security.SecureRandom;
 import java.security.Security;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.Set;
 
-import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.TrustManager;
-import javax.net.ssl.X509TrustManager;
 
-import org.apache.directory.server.core.security.CoreKeyStoreSpi;
+import org.apache.directory.ldap.client.api.NoVerificationTrustManager;
 import org.apache.directory.server.i18n.I18n;
 import org.apache.directory.server.ldap.ExtendedOperationHandler;
 import org.apache.directory.server.ldap.LdapServer;
@@ -95,7 +88,7 @@ public class StartTlsHandler implements 
             sslFilter.startSsl( session.getIoSession() );
         }
 
-        ExtendedResponseDecorator<ExtendedResponse> res = new ExtendedResponseDecorator<ExtendedResponse>(
+        ExtendedResponseDecorator<ExtendedResponse> res = new ExtendedResponseDecorator<ExtendedResponse>(

             LdapApiServiceFactory.getSingleton(), new ExtendedResponseImpl( req.getMessageId()
) );
         LdapResult result = res.getLdapResult();
         result.setResultCode( ResultCodeEnum.SUCCESS );
@@ -107,27 +100,6 @@ public class StartTlsHandler implements 
         session.getIoSession().write( res );
     }
 
-    static class ServerX509TrustManager implements X509TrustManager
-    {
-        public void checkClientTrusted( X509Certificate[] chain, String authType ) throws
CertificateException
-        {
-            LOG.debug( "checkClientTrusted() called" );
-        }
-
-
-        public void checkServerTrusted( X509Certificate[] chain, String authType ) throws
CertificateException
-        {
-            LOG.debug( "checkServerTrusted() called" );
-        }
-
-
-        public X509Certificate[] getAcceptedIssuers()
-        {
-            LOG.debug( "getAcceptedIssuers() called" );
-            return new X509Certificate[0];
-        }
-    }
-
 
     public final Set<String> getExtensionOids()
     {
@@ -147,56 +119,6 @@ public class StartTlsHandler implements 
         Provider provider = Security.getProvider( "SUN" );
         LOG.debug( "provider = {}", provider );
 
-        KeyStore keyStore = null;
-
-        try
-        {
-            if ( ldapServer.getKeystoreFile() == null )
-            {
-                CoreKeyStoreSpi coreKeyStoreSpi = new CoreKeyStoreSpi( ldapServer.getDirectoryService()
);
-                keyStore = new KeyStore( coreKeyStoreSpi, provider, "JKS" )
-                {
-                };
-
-                keyStore.load( null, null );
-            }
-            else
-            {
-                keyStore = KeyStore.getInstance( "JKS" );
-                keyStore.load( new FileInputStream( new File( ldapServer.getKeystoreFile()
) ), null );
-            }
-        }
-        catch ( Exception e1 )
-        {
-            throw new RuntimeException( I18n.err( I18n.ERR_678 ) );
-        }
-
-        KeyManagerFactory keyManagerFactory = null;
-        try
-        {
-            keyManagerFactory = KeyManagerFactory.getInstance( KeyManagerFactory.getDefaultAlgorithm()
);
-        }
-        catch ( Exception e )
-        {
-            throw new RuntimeException( I18n.err( I18n.ERR_679 ), e );
-        }
-
-        try
-        {
-            char[] password = null;
-
-            if ( ldapServer.getKeystoreFile() != null )
-            {
-                password = ldapServer.getCertificatePassword().toCharArray();
-            }
-
-            keyManagerFactory.init( keyStore, password );
-        }
-        catch ( Exception e )
-        {
-            throw new RuntimeException( I18n.err( I18n.ERR_680 ), e );
-        }
-
         try
         {
             sslContext = SSLContext.getInstance( "TLS" );
@@ -208,8 +130,8 @@ public class StartTlsHandler implements 
 
         try
         {
-            sslContext.init( keyManagerFactory.getKeyManagers(), new TrustManager[]
-                { new ServerX509TrustManager() }, new SecureRandom() );
+            sslContext.init( ldapServer.getKeyManagerFactory().getKeyManagers(), new TrustManager[]
+                { new NoVerificationTrustManager() }, new SecureRandom() );
         }
         catch ( Exception e )
         {

Modified: directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/ssl/LdapsInitializer.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/ssl/LdapsInitializer.java?rev=1403624&r1=1403623&r2=1403624&view=diff
==============================================================================
--- directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/ssl/LdapsInitializer.java
(original)
+++ directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/ssl/LdapsInitializer.java
Tue Oct 30 06:13:13 2012
@@ -20,17 +20,16 @@
 package org.apache.directory.server.ldap.handlers.ssl;
 
 
-import java.security.KeyStore;
 import java.security.SecureRandom;
-import java.security.Security;
 
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
 
+import org.apache.directory.ldap.client.api.NoVerificationTrustManager;
 import org.apache.directory.server.i18n.I18n;
 import org.apache.directory.shared.ldap.model.exception.LdapException;
-import org.apache.directory.shared.util.Strings;
 import org.apache.mina.core.filterchain.DefaultIoFilterChainBuilder;
 import org.apache.mina.core.filterchain.IoFilterChainBuilder;
 import org.apache.mina.filter.ssl.SslFilter;
@@ -45,34 +44,15 @@ import org.apache.mina.filter.ssl.SslFil
  */
 public class LdapsInitializer
 {
-    public static IoFilterChainBuilder init( KeyStore ks, String certificatePassord ) throws
LdapException
+    public static IoFilterChainBuilder init( KeyManagerFactory kmf ) throws LdapException
     {
         SSLContext sslCtx;
         try
         {
-            // Set up key manager factory to use our key store
-            String algorithm = Security.getProperty( "ssl.KeyManagerFactory.algorithm" );
-
-            if ( algorithm == null )
-            {
-                algorithm = KeyManagerFactory.getDefaultAlgorithm();
-            }
-
-            KeyManagerFactory kmf = KeyManagerFactory.getInstance( algorithm );
-
-            if ( Strings.isEmpty( certificatePassord ) )
-            {
-                kmf.init( ks, null );
-            }
-            else
-            {
-                kmf.init( ks, certificatePassord.toCharArray() );
-            }
-
             // Initialize the SSLContext to work with our key managers.
             sslCtx = SSLContext.getInstance( "TLS" );
             sslCtx.init( kmf.getKeyManagers(), new TrustManager[]
-                { new ServerX509TrustManager() }, new SecureRandom() );
+                { new NoVerificationTrustManager() }, new SecureRandom() );
         }
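Review bot: The server-side `SSLContext` is initialised with `NoVerificationTrustManager`, a class from the LDAP client API package whose trust checks are no-ops, so any client certificate chain is accepted; that was already the behaviour of the deleted `ServerX509TrustManager`, but the replacement makes the server depend on a client-module helper and still leaves the policy undocumented. Add on the `sslCtx.init` line: `// client certificates are NOT validated here; any certificate-based authentication must verify the chain itself` and, for deployments that need real client-certificate authentication, build a `TrustManagerFactory` from a configured truststore instead. The `javax.net.ssl.X509TrustManager` import added above is not referenced in the visible hunks and looks like a leftover. `init()` continues in the next hunk.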
         catch ( Exception e )
         {
@@ -80,7 +60,9 @@ public class LdapsInitializer
         }
 
         DefaultIoFilterChainBuilder chain = new DefaultIoFilterChainBuilder();
-        chain.addLast( "sslFilter", new SslFilter( sslCtx ) );
+        SslFilter sslFilter = new SslFilter( sslCtx );
+        sslFilter.setWantClientAuth( true );
+        chain.addLast( "sslFilter", sslFilter );
         return chain;
     }
 }
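Review bot: `setWantClientAuth( true )` makes every LDAPS handshake send a CertificateRequest, which is a visible behaviour change (some clients prompt the user or select a certificate on it) not mentioned in the commit log, and because the trust manager above performs no verification the certificate received is unauthenticated. Document the intent on the line: `// request, but do not require, a client certificate; the chain is not validated by the trust manager above`. The StartTLS path in `StartTlsHandler` does not set the same flag anywhere in the visible hunks, so the two TLS entry points presumably differ here — confirm whether that asymmetry is intended.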


