From dran...@apache.org
Subject [15/16] directory-kerby git commit: Clean up for RC2, removing commons-ssl codes
Date Sun, 03 Jan 2016 12:39:17 GMT
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/63dcb1a5/kerby-pkix/src/main/java/org/apache/commons/ssl/Certificates.java
----------------------------------------------------------------------
diff --git a/kerby-pkix/src/main/java/org/apache/commons/ssl/Certificates.java b/kerby-pkix/src/main/java/org/apache/commons/ssl/Certificates.java
deleted file mode 100644
index 5efc15a..0000000
--- a/kerby-pkix/src/main/java/org/apache/commons/ssl/Certificates.java
+++ /dev/null
@@ -1,618 +0,0 @@
-/*
- * $HeadURL: http://juliusdavies.ca/svn/not-yet-commons-ssl/tags/commons-ssl-0.3.16/src/java/org/apache/commons/ssl/Certificates.java $
- * $Revision: 180 $
- * $Date: 2014-09-23 11:33:47 -0700 (Tue, 23 Sep 2014) $
- *
- * ====================================================================
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- * ====================================================================
- *
- * This software consists of voluntary contributions made by many
- * individuals on behalf of the Apache Software Foundation.  For more
- * information on the Apache Software Foundation, please see
- * <http://www.apache.org/>.
- *
- */
-
-package org.apache.commons.ssl;
-
-import org.apache.kerby.util.Base64;
-import org.apache.kerby.util.Util;
-
-import javax.naming.InvalidNameException;
-import javax.naming.NamingException;
-import javax.naming.directory.Attribute;
-import javax.naming.directory.Attributes;
-import javax.naming.ldap.LdapName;
-import javax.naming.ldap.Rdn;
-import javax.security.auth.x500.X500Principal;
-import java.io.BufferedInputStream;
-import java.io.BufferedOutputStream;
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileOutputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.io.Serializable;
-import java.io.UnsupportedEncodingException;
-import java.lang.reflect.Method;
-import java.math.BigInteger;
-import java.net.HttpURLConnection;
-import java.net.URL;
-import java.net.URLConnection;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-import java.security.cert.CRL;
-import java.security.cert.CRLException;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateEncodingException;
-import java.security.cert.CertificateException;
-import java.security.cert.CertificateFactory;
-import java.security.cert.CertificateParsingException;
-import java.security.cert.X509Certificate;
-import java.security.cert.X509Extension;
-import java.text.DateFormat;
-import java.text.SimpleDateFormat;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.Comparator;
-import java.util.Date;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.LinkedList;
-import java.util.List;
-import java.util.NoSuchElementException;
-import java.util.Set;
-
-/**
- * @author Credit Union Central of British Columbia
- * @author <a href="http://www.cucbc.com/">www.cucbc.com</a>
- * @author <a href="mailto:juliusdavies@cucbc.com">juliusdavies@cucbc.com</a>
- * @since 19-Aug-2005
- */
-@SuppressWarnings("PMD.AvoidUsingHardCodedIP")
-public class Certificates {
-
-    public static final CertificateFactory CF;
-    public static final String LINE_ENDING = System.getProperty("line.separator");
-
-    private static final HashMap CRL_CACHE = new HashMap();
-
-    public static final String CRL_EXTENSION = "2.5.29.31";
-    public static final String OCSP_EXTENSION = "1.3.6.1.5.5.7.1.1";
-    private static final DateFormat DF = new SimpleDateFormat("yyyy/MMM/dd");
-
-    public interface SerializableComparator extends Comparator, Serializable {
-    }
-
-    public static final SerializableComparator COMPARE_BY_EXPIRY =
-        new SerializableComparator() {
-            public int compare(Object o1, Object o2) {
-                X509Certificate c1 = (X509Certificate) o1;
-                X509Certificate c2 = (X509Certificate) o2;
-                // this deals with case where both are null
-                if (c1 == c2) {
-                    return 0;
-                }
-                // non-null is always bigger than null
-                if (c1 == null) {
-                    return -1;
-                }
-                if (c2 == null) {
-                    return 1;
-                }
-                if (c1.equals(c2)) {
-                    return 0;
-                }
-                Date d1 = c1.getNotAfter();
-                Date d2 = c2.getNotAfter();
-                int c = d1.compareTo(d2);
-                if (c == 0) {
-                    String s1 = c1.getSubjectX500Principal().toString();
-                    String s2 = c2.getSubjectX500Principal().toString();
-                    c = s1.compareTo(s2);
-                    if (c == 0) {
-                        s1 = c1.getIssuerX500Principal().toString();
-                        s2 = c2.getIssuerX500Principal().toString();
-                        c = s1.compareTo(s2);
-                        if (c == 0) {
-                            BigInteger big1 = c1.getSerialNumber();
-                            BigInteger big2 = c2.getSerialNumber();
-                            c = big1.compareTo(big2);
-                            if (c == 0) {
-                                try {
-                                    byte[] b1 = c1.getEncoded();
-                                    byte[] b2 = c2.getEncoded();
-                                    int len1 = b1.length;
-                                    int len2 = b2.length;
-                                    int i = 0;
-                                    for (; i < len1 && i < len2; i++) {
-                                        c = ((int) b1[i]) - ((int) b2[i]);
-                                        if (c != 0) {
-                                            break;
-                                        }
-                                    }
-                                    if (c == 0) {
-                                        c = b1.length - b2.length;
-                                    }
-                                } catch (CertificateEncodingException cee) {
-                                    // I give up.  They can be equal if they
-                                    // really want to be this badly.
-                                    c = 0;
-                                }
-                            }
-                        }
-                    }
-                }
-                return c;
-            }
-        };
-
-    static {
-        CertificateFactory cf = null;
-        try {
-            cf = CertificateFactory.getInstance("X.509");
-        } catch (CertificateException ce) {
-            ce.printStackTrace(System.out);
-        } finally {
-            CF = cf;
-        }
-    }
-
-    public static String toPEMString(X509Certificate cert)
-        throws CertificateEncodingException {
-        return toString(cert.getEncoded());
-    }
-
-    public static String toString(byte[] x509Encoded) {
-        byte[] encoded = Base64.encodeBase64(x509Encoded);
-        StringBuffer buf = new StringBuffer(encoded.length + 100);
-        buf.append("-----BEGIN CERTIFICATE-----\n");
-        for (int i = 0; i < encoded.length; i += 64) {
-            if (encoded.length - i >= 64) {
-                buf.append(new String(encoded, i, 64));
-            } else {
-                buf.append(new String(encoded, i, encoded.length - i));
-            }
-            buf.append(LINE_ENDING);
-        }
-        buf.append("-----END CERTIFICATE-----");
-        buf.append(LINE_ENDING);
-        return buf.toString();
-    }
-
-    public static String toString(X509Certificate cert) {
-        return toString(cert, false);
-    }
-
-    public static String toString(X509Certificate cert, boolean htmlStyle) {
-        String cn = getCN(cert);
-        String startStart = DF.format(cert.getNotBefore());
-        String endDate = DF.format(cert.getNotAfter());
-        String subject = cert.getSubjectX500Principal().toString();
-        String issuer = cert.getIssuerX500Principal().toString();
-        Iterator crls = getCRLs(cert).iterator();
-        if (subject.equals(issuer)) {
-            issuer = "self-signed";
-        }
-        StringBuffer buf = new StringBuffer(128);
-        if (htmlStyle) {
-            buf.append("<strong class=\"cn\">");
-        }
-        buf.append(cn);
-        if (htmlStyle) {
-            buf.append("</strong>");
-        }
-        buf.append(LINE_ENDING);
-        buf.append("Valid: ");
-        buf.append(startStart);
-        buf.append(" - ");
-        buf.append(endDate);
-        buf.append(LINE_ENDING);
-        buf.append("s: ");
-        buf.append(subject);
-        buf.append(LINE_ENDING);
-        buf.append("i: ");
-        buf.append(issuer);
-        while (crls.hasNext()) {
-            buf.append(LINE_ENDING);
-            buf.append("CRL: ");
-            buf.append((String) crls.next());
-        }
-        buf.append(LINE_ENDING);
-        return buf.toString();
-    }
-
-    public static List getCRLs(X509Extension cert) {
-        // What follows is a poor man's CRL extractor, for those lacking
-        // a BouncyCastle "bcprov.jar" in their classpath.
-
-        // It's a very basic state-machine:  look for a standard URL scheme
-        // (such as http), and then start looking for a terminator.  After
-        // running hexdump a few times on these things, it looks to me like
-        // the UTF-8 value "65533" seems to happen near where these things
-        // terminate.  (Of course this stuff is ASN.1 and not UTF-8, but
-        // I happen to like some of the functions available to the String
-        // object).    - juliusdavies@cucbc.com, May 10th, 2006
-        byte[] bytes = cert.getExtensionValue(CRL_EXTENSION);
-        LinkedList httpCRLS = new LinkedList();
-        LinkedList ftpCRLS = new LinkedList();
-        LinkedList otherCRLS = new LinkedList();
-        if (bytes == null) {
-            // just return empty list
-            return httpCRLS;
-        } else {
-            String s;
-            try {
-                s = new String(bytes, "UTF-8");
-            } catch (UnsupportedEncodingException uee) {
-                // We're screwed if this thing has more than one CRL, because
-                // the "indeOf( (char) 65533 )" below isn't going to work.
-                s = new String(bytes);
-            }
-            int pos = 0;
-            while (pos >= 0) {
-                int x = -1, y;
-                int[] indexes = new int[4];
-                indexes[0] = s.indexOf("http", pos);
-                indexes[1] = s.indexOf("ldap", pos);
-                indexes[2] = s.indexOf("file", pos);
-                indexes[3] = s.indexOf("ftp", pos);
-                Arrays.sort(indexes);
-                for (int i = 0; i < indexes.length; i++) {
-                    if (indexes[i] >= 0) {
-                        x = indexes[i];
-                        break;
-                    }
-                }
-                if (x >= 0) {
-                    y = s.indexOf((char) 65533, x);
-                    String crl = y > x ? s.substring(x, y - 1) : s.substring(x);
-                    if (y > x && crl.endsWith("0")) {
-                        crl = crl.substring(0, crl.length() - 1);
-                    }
-                    String crlTest = crl.trim().toLowerCase();
-                    if (crlTest.startsWith("http")) {
-                        httpCRLS.add(crl);
-                    } else if (crlTest.startsWith("ftp")) {
-                        ftpCRLS.add(crl);
-                    } else {
-                        otherCRLS.add(crl);
-                    }
-                    pos = y;
-                } else {
-                    pos = -1;
-                }
-            }
-        }
-
-        httpCRLS.addAll(ftpCRLS);
-        httpCRLS.addAll(otherCRLS);
-        return httpCRLS;
-    }
-
-    public static void checkCRL(X509Certificate cert)
-        throws CertificateException {
-        // String name = cert.getSubjectX500Principal().toString();
-        byte[] bytes = cert.getExtensionValue("2.5.29.31");
-        if (bytes == null) {
-            // log.warn( "Cert doesn't contain X509v3 CRL Distribution Points (2.5.29.31): " + name );
-            System.err.println("Cert doesn't contain X509v3 CRL Distribution Points (2.5.29.31)");
-        } else {
-            List crlList = getCRLs(cert);
-            Iterator it = crlList.iterator();
-            while (it.hasNext()) {
-                String url = (String) it.next();
-                CRLHolder holder = (CRLHolder) CRL_CACHE.get(url);
-                if (holder == null) {
-                    holder = new CRLHolder(url);
-                    CRL_CACHE.put(url, holder);
-                }
-                // success == false means we couldn't actually load the CRL
-                // (probably due to an IOException), so let's try the next one in
-                // our list.
-                boolean success = holder.checkCRL(cert);
-                if (success) {
-                    break;
-                }
-            }
-        }
-    }
-
-    public static BigInteger getFingerprint(X509Certificate x509)
-        throws CertificateEncodingException {
-        return getFingerprint(x509.getEncoded());
-    }
-
-    public static BigInteger getFingerprint(byte[] x509)
-        throws CertificateEncodingException {
-        MessageDigest sha1;
-        try {
-            sha1 = MessageDigest.getInstance("SHA1");
-        } catch (NoSuchAlgorithmException nsae) {
-            throw new RuntimeException(nsae);
-        }
-
-        sha1.reset();
-        byte[] result = sha1.digest(x509);
-        return new BigInteger(result);
-    }
-
-    private static class CRLHolder {
-        private final String urlString;
-
-        private File tempCRLFile;
-        private long creationTime;
-        private Set passedTest = new HashSet();
-        private Set failedTest = new HashSet();
-
-        CRLHolder(String urlString) {
-            if (urlString == null) {
-                throw new NullPointerException("urlString can't be null");
-            }
-            this.urlString = urlString;
-        }
-
-        public synchronized boolean checkCRL(X509Certificate cert)
-            throws CertificateException {
-            CRL crl = null;
-            long now = System.currentTimeMillis();
-            if (now - creationTime > 24 * 60 * 60 * 1000) {
-                // Expire cache every 24 hours
-                if (tempCRLFile != null && tempCRLFile.exists()) {
-                    tempCRLFile.delete();
-                }
-                tempCRLFile = null;
-                passedTest.clear();
-
-                /*
-                      Note:  if any certificate ever fails the check, we will
-                      remember that fact.
-
-                      This breaks with temporary "holds" that CRL's can issue.
-                      Apparently a certificate can have a temporary "hold" on its
-                      validity, but I'm not interested in supporting that.  If a "held"
-                      certificate is suddenly "unheld", you're just going to need
-                      to restart your JVM.
-                    */
-                // failedTest.clear();  <-- DO NOT UNCOMMENT!
-            }
-
-            BigInteger fingerprint = getFingerprint(cert);
-            if (failedTest.contains(fingerprint)) {
-                throw new CertificateException("Revoked by CRL (cached response)");
-            }
-            if (passedTest.contains(fingerprint)) {
-                return true;
-            }
-
-            if (tempCRLFile == null) {
-                try {
-                    // log.info( "Trying to load CRL [" + urlString + "]" );
-
-                    // java.net.URL blocks forever by default, so CRL-checking
-                    // is freezing some systems.  Below we go to great pains
-                    // to enforce timeouts for CRL-checking (5 seconds).
-                    URL url = new URL(urlString);
-                    URLConnection urlConn = url.openConnection();
-                    //if (urlConn instanceof HttpsURLConnection) {
-
-                        // HTTPS sites will use special CRLSocket.getInstance() SocketFactory
-                        // that is configured to timeout after 5 seconds:
-                        //HttpsURLConnection httpsConn = (HttpsURLConnection) urlConn;
-                        //httpsConn.setSSLSocketFactory(CRLSocket.getSecureInstance());
-
-                    //} else
-                    if (urlConn instanceof HttpURLConnection) {
-
-                        // HTTP timeouts can only be set on Java 1.5 and up.  :-(
-                        // The code required to set it for Java 1.4 and Java 1.3 is just too painful.
-                        HttpURLConnection httpConn = (HttpURLConnection) urlConn;
-                        try {
-                            // Java 1.5 and up support these, so using reflection.  UGH!!!
-                            Class c = httpConn.getClass();
-                            Method setConnTimeOut = c.getDeclaredMethod("setConnectTimeout", new Class[]{Integer.TYPE});
-                            Method setReadTimeout = c.getDeclaredMethod("setReadTimeout", new Class[]{Integer.TYPE});
-                            setConnTimeOut.invoke(httpConn, Integer.valueOf(5000));
-                            setReadTimeout.invoke(httpConn, Integer.valueOf(5000));
-                        } catch (NoSuchMethodException nsme) {
-                            // oh well, java 1.4 users can suffer.
-                            System.err.println(nsme);
-                        } catch (Exception e) {
-                            throw new RuntimeException("can't set timeout", e);
-                        }
-                    }
-
-                    File tempFile = File.createTempFile("crl", ".tmp");
-                    tempFile.deleteOnExit();
-
-                    OutputStream out = new FileOutputStream(tempFile);
-                    out = new BufferedOutputStream(out);
-                    InputStream in = new BufferedInputStream(urlConn.getInputStream());
-                    try {
-                        Util.pipeStream(in, out);
-                    } catch (IOException ioe) {
-                        // better luck next time
-                        tempFile.delete();
-                        throw ioe;
-                    }
-                    this.tempCRLFile = tempFile;
-                    this.creationTime = System.currentTimeMillis();
-                } catch (IOException ioe) {
-                    // log.warn( "Cannot check CRL: " + e );
-                    System.err.println(ioe);
-                }
-            }
-
-            if (tempCRLFile != null && tempCRLFile.exists()) {
-                try {
-                    InputStream in = new FileInputStream(tempCRLFile);
-                    in = new BufferedInputStream(in);
-                    synchronized (CF) {
-                        crl = CF.generateCRL(in);
-                    }
-                    in.close();
-                    if (crl.isRevoked(cert)) {
-                        // log.warn( "Revoked by CRL [" + urlString + "]: " + name );
-                        passedTest.remove(fingerprint);
-                        failedTest.add(fingerprint);
-                        throw new CertificateException("Revoked by CRL");
-                    } else {
-                        passedTest.add(fingerprint);
-                    }
-                } catch (IOException ioe) {
-                    // couldn't load CRL that's supposed to be stored in Temp file.
-                    // log.warn(  );
-                    System.err.println(ioe);
-                } catch (CRLException crle) {
-                    // something is wrong with the CRL
-                    // log.warn(  );
-                    System.err.println(crle);
-                }
-            }
-            return crl != null;
-        }
-    }
-
-    public static String getCN(X509Certificate cert) {
-        String[] cns = getCNs(cert);
-        boolean foundSomeCNs = cns != null && cns.length >= 1;
-        return foundSomeCNs ? cns[0] : null;
-    }
-
-    public static String[] getCNs(X509Certificate cert) {
-        try {
-            final String subjectPrincipal = cert.getSubjectX500Principal().getName(X500Principal.RFC2253);
-            final LinkedList<String> cnList = new LinkedList<String>();
-            final LdapName subjectDN = new LdapName(subjectPrincipal);
-            for (final Rdn rds : subjectDN.getRdns()) {
-                final Attributes attributes = rds.toAttributes();
-                final Attribute cn = attributes.get("cn");
-                if (cn != null) {
-                    try {
-                        final Object value = cn.get();
-                        if (value != null) {
-                            cnList.add(value.toString());
-                        }
-                    } catch (NoSuchElementException ignore) {
-                        System.err.println(ignore);
-                    } catch (NamingException ignore) {
-                        System.err.println(ignore);
-                    }
-                }
-            }
-            if (!cnList.isEmpty()) {
-                return cnList.toArray(new String[cnList.size()]);
-            }
-        } catch (InvalidNameException ignore) {
-            System.err.println(ignore);
-        }
-        return null;
-    }
-
-    /**
-     * Extracts the array of SubjectAlt DNS names from an X509Certificate.
-     * Returns null if there aren't any.
-     * <p/>
-     * Note:  Java doesn't appear able to extract international characters
-     * from the SubjectAlts.  It can only extract international characters
-     * from the CN field.
-     * <p/>
-     * (Or maybe the version of OpenSSL I'm using to test isn't storing the
-     * international characters correctly in the SubjectAlts?).
-     *
-     * @param cert X509Certificate
-     * @return Array of SubjectALT DNS names stored in the certificate.
-     */
-    public static String[] getDNSSubjectAlts(X509Certificate cert) {
-        LinkedList subjectAltList = new LinkedList();
-        Collection c = null;
-        try {
-            c = cert.getSubjectAlternativeNames();
-        } catch (CertificateParsingException cpe) {
-            // Should probably log.debug() this?
-            cpe.printStackTrace();
-        }
-        if (c != null) {
-            Iterator it = c.iterator();
-            while (it.hasNext()) {
-                List list = (List) it.next();
-                int type = ((Integer) list.get(0)).intValue();
-                // If type is 2, then we've got a dNSName
-                if (type == 2) {
-                    String s = (String) list.get(1);
-                    subjectAltList.add(s);
-                }
-            }
-        }
-        if (!subjectAltList.isEmpty()) {
-            String[] subjectAlts = new String[subjectAltList.size()];
-            subjectAltList.toArray(subjectAlts);
-            return subjectAlts;
-        } else {
-            return null;
-        }
-    }
-
-    /**
-     * Trims off any null entries on the array.  Returns a shrunk array.
-     *
-     * @param chain X509Certificate[] chain to trim
-     * @return Shrunk array with all trailing null entries removed.
-     */
-    public static Certificate[] trimChain(Certificate[] chain) {
-        for (int i = 0; i < chain.length; i++) {
-            if (chain[i] == null) {
-                X509Certificate[] newChain = new X509Certificate[i];
-                System.arraycopy(chain, 0, newChain, 0, i);
-                return newChain;
-            }
-        }
-        return chain;
-    }
-
-    /**
-     * Returns a chain of type X509Certificate[].
-     *
-     * @param chain Certificate[] chain to cast to X509Certificate[]
-     * @return chain of type X509Certificate[].
-     */
-    public static X509Certificate[] x509ifyChain(Certificate[] chain) {
-        if (chain instanceof X509Certificate[]) {
-            return (X509Certificate[]) chain;
-        } else {
-            X509Certificate[] x509Chain = new X509Certificate[chain.length];
-            System.arraycopy(chain, 0, x509Chain, 0, chain.length);
-            return x509Chain;
-        }
-    }
-
-    public static void main(String[] args) throws Exception {
-        for (int i = 0; i < args.length; i++) {
-            FileInputStream in = new FileInputStream(args[i]);
-            TrustMaterial tm = new TrustMaterial(in);
-            Iterator it = tm.getCertificates().iterator();
-            while (it.hasNext()) {
-                X509Certificate x509 = (X509Certificate) it.next();
-                System.out.println(toString(x509));
-            }
-        }
-    }
-}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/63dcb1a5/kerby-pkix/src/main/java/org/apache/commons/ssl/ComboInputStream.java
----------------------------------------------------------------------
diff --git a/kerby-pkix/src/main/java/org/apache/commons/ssl/ComboInputStream.java b/kerby-pkix/src/main/java/org/apache/commons/ssl/ComboInputStream.java
deleted file mode 100644
index 83a3077..0000000
--- a/kerby-pkix/src/main/java/org/apache/commons/ssl/ComboInputStream.java
+++ /dev/null
@@ -1,95 +0,0 @@
-/*
- * $HeadURL: http://juliusdavies.ca/svn/not-yet-commons-ssl/tags/commons-ssl-0.3.16/src/java/org/apache/commons/ssl/ComboInputStream.java $
- * $Revision: 121 $
- * $Date: 2007-11-13 21:26:57 -0800 (Tue, 13 Nov 2007) $
- *
- * ====================================================================
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- * ====================================================================
- *
- * This software consists of voluntary contributions made by many
- * individuals on behalf of the Apache Software Foundation.  For more
- * information on the Apache Software Foundation, please see
- * <http://www.apache.org/>.
- *
- */
-
-package org.apache.commons.ssl;
-
-import java.io.IOException;
-import java.io.InputStream;
-
-/**
- * @author Credit Union Central of British Columbia
- * @author <a href="http://www.cucbc.com/">www.cucbc.com</a>
- * @author <a href="mailto:juliusdavies@cucbc.com">juliusdavies@cucbc.com</a>
- * @since 22-Feb-2007
- */
-public class ComboInputStream extends InputStream {
-    private boolean headDone;
-    private InputStream head;
-    private InputStream tail;
-
-    public ComboInputStream(InputStream head, InputStream tail) {
-        this.head = head != null ? head : tail;
-        this.tail = tail != null ? tail : head;
-    }
-
-    public int read() throws IOException {
-        int c;
-        if (headDone) {
-            c = tail.read();
-        } else {
-            c = head.read();
-            if (c == -1) {
-                headDone = true;
-                c = tail.read();
-            }
-        }
-        return c;
-    }
-
-    public int available() throws IOException {
-        return tail.available() + head.available();
-    }
-
-    public void close() throws IOException {
-        try {
-            head.close();
-        } finally {
-            if (head != tail) {
-                tail.close();
-            }
-        }
-    }
-
-    public int read(byte[] b, int off, int len) throws IOException {
-        int c;
-        if (headDone) {
-            c = tail.read(b, off, len);
-        } else {
-            c = head.read(b, off, len);
-            if (c == -1) {
-                headDone = true;
-                c = tail.read(b, off, len);
-            }
-        }
-        return c;
-    }
-
-}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/63dcb1a5/kerby-pkix/src/main/java/org/apache/commons/ssl/DerivedKey.java
----------------------------------------------------------------------
diff --git a/kerby-pkix/src/main/java/org/apache/commons/ssl/DerivedKey.java b/kerby-pkix/src/main/java/org/apache/commons/ssl/DerivedKey.java
deleted file mode 100644
index 7005187..0000000
--- a/kerby-pkix/src/main/java/org/apache/commons/ssl/DerivedKey.java
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * $HeadURL: http://juliusdavies.ca/svn/not-yet-commons-ssl/tags/commons-ssl-0.3.16/src/java/org/apache/commons/ssl/DerivedKey.java $
- * $Revision: 121 $
- * $Date: 2007-11-13 21:26:57 -0800 (Tue, 13 Nov 2007) $
- *
- * ====================================================================
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- * ====================================================================
- *
- * This software consists of voluntary contributions made by many
- * individuals on behalf of the Apache Software Foundation.  For more
- * information on the Apache Software Foundation, please see
- * <http://www.apache.org/>.
- *
- */
-
-package org.apache.commons.ssl;
-
-/**
- * @author Credit Union Central of British Columbia
- * @author <a href="http://www.cucbc.com/">www.cucbc.com</a>
- * @author <a href="mailto:juliusdavies@cucbc.com">juliusdavies@cucbc.com</a>
- * @since 7-Nov-2006
- */
-public class DerivedKey {
-    public final byte[] key;
-    public final byte[] iv;
-
-    DerivedKey(byte[] key, byte[] iv) {
-        this.key = key;
-        this.iv = iv;
-    }
-
-}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/63dcb1a5/kerby-pkix/src/main/java/org/apache/commons/ssl/HostnameVerifier.java
----------------------------------------------------------------------
diff --git a/kerby-pkix/src/main/java/org/apache/commons/ssl/HostnameVerifier.java b/kerby-pkix/src/main/java/org/apache/commons/ssl/HostnameVerifier.java
deleted file mode 100644
index 86681b4..0000000
--- a/kerby-pkix/src/main/java/org/apache/commons/ssl/HostnameVerifier.java
+++ /dev/null
@@ -1,491 +0,0 @@
-/*
- * $HeadURL: http://juliusdavies.ca/svn/not-yet-commons-ssl/tags/commons-ssl-0.3.16/src/java/org/apache/commons/ssl/HostnameVerifier.java $
- * $Revision: 121 $
- * $Date: 2007-11-13 21:26:57 -0800 (Tue, 13 Nov 2007) $
- *
- * ====================================================================
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- * ====================================================================
- *
- * This software consists of voluntary contributions made by many
- * individuals on behalf of the Apache Software Foundation.  For more
- * information on the Apache Software Foundation, please see
- * <http://www.apache.org/>.
- *
- */
-
-package org.apache.commons.ssl;
-
-import javax.net.ssl.SSLException;
-import javax.net.ssl.SSLPeerUnverifiedException;
-import javax.net.ssl.SSLSession;
-import javax.net.ssl.SSLSocket;
-import java.io.IOException;
-import java.io.InputStream;
-import java.security.cert.Certificate;
-import java.security.cert.X509Certificate;
-import java.util.Arrays;
-import java.util.Iterator;
-import java.util.TreeSet;
-
-/**
- * Interface for checking if a hostname matches the names stored inside the
- * server's X.509 certificate.  Correctly implements
- * javax.net.ssl.HostnameVerifier, but that interface is not recommended.
- * Instead we added several check() methods that take SSLSocket,
- * or X509Certificate, or ultimately (they all end up calling this one),
- * String.  (It's easier to supply JUnit with Strings instead of mock
- * SSLSession objects!)
- * </p><p>Our check() methods throw exceptions if the name is
- * invalid, whereas javax.net.ssl.HostnameVerifier just returns true/false.
- * <p/>
- * We provide the HostnameVerifier.DEFAULT, HostnameVerifier.STRICT, and
- * HostnameVerifier.ALLOW_ALL implementations.  We also provide the more
- * specialized HostnameVerifier.DEFAULT_AND_LOCALHOST, as well as
- * HostnameVerifier.STRICT_IE6.  But feel free to define your own
- * implementations!
- * <p/>
- * Inspired by Sebastian Hauer's original StrictSSLProtocolSocketFactory in the
- * HttpClient "contrib" repository.
- *
- * @author Julius Davies
- * @author <a href="mailto:hauer@psicode.com">Sebastian Hauer</a>
- * @since 8-Dec-2006
- */
-public interface HostnameVerifier extends javax.net.ssl.HostnameVerifier {
-
-    boolean verify(String host, SSLSession session);
-
-    void check(String host, SSLSocket ssl) throws IOException;
-
-    void check(String host, X509Certificate cert) throws SSLException;
-
-    void check(String host, String[] cns, String[] subjectAlts)
-        throws SSLException;
-
-    void check(String[] hosts, SSLSocket ssl) throws IOException;
-
-    void check(String[] hosts, X509Certificate cert) throws SSLException;
-
-
-    /**
-     * Checks to see if the supplied hostname matches any of the supplied CNs
-     * or "DNS" Subject-Alts.  Most implementations only look at the first CN,
-     * and ignore any additional CNs.  Most implementations do look at all of
-     * the "DNS" Subject-Alts. The CNs or Subject-Alts may contain wildcards
-     * according to RFC 2818.
-     *
-     * @param cns         CN fields, in order, as extracted from the X.509
-     *                    certificate.
-     * @param subjectAlts Subject-Alt fields of type 2 ("DNS"), as extracted
-     *                    from the X.509 certificate.
-     * @param hosts       The array of hostnames to verify.
-     * @throws javax.net.ssl.SSLException If verification failed.
-     */
-    void check(String[] hosts, String[] cns, String[] subjectAlts)
-        throws SSLException;
-
-
-    /**
-     * The DEFAULT HostnameVerifier works the same way as Curl and Firefox.
-     * <p/>
-     * The hostname must match either the first CN, or any of the subject-alts.
-     * A wildcard can occur in the CN, and in any of the subject-alts.
-     * <p/>
-     * The only difference between DEFAULT and STRICT is that a wildcard (such
-     * as "*.foo.com") with DEFAULT matches all subdomains, including
-     * "a.b.foo.com".
-     */
-    HostnameVerifier DEFAULT =
-        new AbstractVerifier() {
-            public final void check(final String[] hosts, final String[] cns,
-                                    final String[] subjectAlts)
-                throws SSLException {
-                check(hosts, cns, subjectAlts, false, false);
-            }
-
-            public final String toString() {
-                return "DEFAULT";
-            }
-        };
-
-
-    /**
-     * The DEFAULT_AND_LOCALHOST HostnameVerifier works like the DEFAULT
-     * one with one additional relaxation:  a host of "localhost",
-     * "localhost.localdomain", "127.0.0.1", "::1" will always pass, no matter
-     * what is in the server's certificate.
-     */
-    HostnameVerifier DEFAULT_AND_LOCALHOST =
-        new AbstractVerifier() {
-            public final void check(final String[] hosts, final String[] cns,
-                                    final String[] subjectAlts)
-                throws SSLException {
-                if (isLocalhost(hosts[0])) {
-                    return;
-                }
-                check(hosts, cns, subjectAlts, false, false);
-            }
-
-            public final String toString() {
-                return "DEFAULT_AND_LOCALHOST";
-            }
-        };
-
-    /**
-     * The STRICT HostnameVerifier works the same way as java.net.URL in Sun
-     * Java 1.4, Sun Java 5, Sun Java 6.  It's also pretty close to IE6.
-     * This implementation appears to be compliant with RFC 2818 for dealing
-     * with wildcards.
-     * <p/>
-     * The hostname must match either the first CN, or any of the subject-alts.
-     * A wildcard can occur in the CN, and in any of the subject-alts.  The
-     * one divergence from IE6 is how we only check the first CN.  IE6 allows
-     * a match against any of the CNs present.  We decided to follow in
-     * Sun Java 1.4's footsteps and only check the first CN.
-     * <p/>
-     * A wildcard such as "*.foo.com" matches only subdomains in the same
-     * level, for example "a.foo.com".  It does not match deeper subdomains
-     * such as "a.b.foo.com".
-     */
-    HostnameVerifier STRICT =
-        new AbstractVerifier() {
-            public final void check(final String[] host, final String[] cns,
-                                    final String[] subjectAlts)
-                throws SSLException {
-                check(host, cns, subjectAlts, false, true);
-            }
-
-            public final String toString() {
-                return "STRICT";
-            }
-        };
-
-    /**
-     * The STRICT_IE6 HostnameVerifier works just like the STRICT one with one
-     * minor variation:  the hostname can match against any of the CN's in the
-     * server's certificate, not just the first one.  This behaviour is
-     * identical to IE6's behaviour.
-     */
-    HostnameVerifier STRICT_IE6 =
-        new AbstractVerifier() {
-            public final void check(final String[] host, final String[] cns,
-                                    final String[] subjectAlts)
-                throws SSLException {
-                check(host, cns, subjectAlts, true, true);
-            }
-
-            public final String toString() {
-                return "STRICT_IE6";
-            }
-        };
-
-    /**
-     * The ALLOW_ALL HostnameVerifier essentially turns hostname verification
-     * off.  This implementation is a no-op, and never throws the SSLException.
-     */
-    HostnameVerifier ALLOW_ALL =
-        new AbstractVerifier() {
-            public final void check(final String[] host, final String[] cns,
-                                    final String[] subjectAlts) {
-                // Allow everything - so never blowup.
-            }
-
-            public final String toString() {
-                return "ALLOW_ALL";
-            }
-        };
-
-    @SuppressWarnings("PMD.AvoidUsingHardCodedIP")
-    abstract class AbstractVerifier implements HostnameVerifier {
-
-        /**
-         * This contains a list of 2nd-level domains that aren't allowed to
-         * have wildcards when combined with country-codes.
-         * For example: [*.co.uk].
-         * <p/>
-         * The [*.co.uk] problem is an interesting one.  Should we just hope
-         * that CA's would never foolishly allow such a certificate to happen?
-         * Looks like we're the only implementation guarding against this.
-         * Firefox, Curl, Sun Java 1.4, 5, 6 don't bother with this check.
-         */
-        private static final String[] BAD_COUNTRY_2LDS =
-            {"ac", "co", "com", "ed", "edu", "go", "gouv", "gov", "info",
-                "lg", "ne", "net", "or", "org"};
-
-        private static final String[] LOCALHOSTS = {"::1", "127.0.0.1",
-            "localhost",
-            "localhost.localdomain"};
-
-
-        static {
-            // Just in case developer forgot to manually sort the array.  :-)
-            Arrays.sort(BAD_COUNTRY_2LDS);
-            Arrays.sort(LOCALHOSTS);
-        }
-
-        protected AbstractVerifier() {
-        }
-
-        /**
-         * The javax.net.ssl.HostnameVerifier contract.
-         *
-         * @param host    'hostname' we used to create our socket
-         * @param session SSLSession with the remote server
-         * @return true if the host matched the one in the certificate.
-         */
-        public boolean verify(String host, SSLSession session) {
-            try {
-                Certificate[] certs = session.getPeerCertificates();
-                X509Certificate x509 = (X509Certificate) certs[0];
-                check(new String[]{host}, x509);
-                return true;
-            } catch (SSLException e) {
-                return false;
-            }
-        }
-
-        public void check(String host, SSLSocket ssl) throws IOException {
-            check(new String[]{host}, ssl);
-        }
-
-        public void check(String host, X509Certificate cert)
-            throws SSLException {
-            check(new String[]{host}, cert);
-        }
-
-        public void check(String host, String[] cns, String[] subjectAlts)
-            throws SSLException {
-            check(new String[]{host}, cns, subjectAlts);
-        }
-
-        public void check(String[] host, SSLSocket ssl)
-            throws IOException {
-            if (host == null) {
-                throw new NullPointerException("host to verify is null");
-            }
-
-            SSLSession session = ssl.getSession();
-            if (session == null) {
-                // In our experience this only happens under IBM 1.4.x when
-                // spurious (unrelated) certificates show up in the server'
-                // chain.  Hopefully this will unearth the real problem:
-                InputStream in = ssl.getInputStream();
-                in.available();
-                /*
-                  If you're looking at the 2 lines of code above because
-                  you're running into a problem, you probably have two
-                  options:
-
-                    #1.  Clean up the certificate chain that your server
-                         is presenting (e.g. edit "/etc/apache2/server.crt"
-                         or wherever it is your server's certificate chain
-                         is defined).
-
-                                               OR
-
-                    #2.   Upgrade to an IBM 1.5.x or greater JVM, or switch
-                          to a non-IBM JVM.
-                */
-
-                // If ssl.getInputStream().available() didn't cause an
-                // exception, maybe at least now the session is available?
-                session = ssl.getSession();
-                if (session == null) {
-                    // If it's still null, probably a startHandshake() will
-                    // unearth the real problem.
-                    ssl.startHandshake();
-
-                    // Okay, if we still haven't managed to cause an exception,
-                    // might as well go for the NPE.  Or maybe we're okay now?
-                    session = ssl.getSession();
-                }
-            }
-            Certificate[] certs;
-            try {
-                certs = session.getPeerCertificates();
-            } catch (SSLPeerUnverifiedException spue) {
-                InputStream in = ssl.getInputStream();
-                in.available();
-                // Didn't trigger anything interesting?  Okay, just throw
-                // original.
-                throw spue;
-            }
-            X509Certificate x509 = (X509Certificate) certs[0];
-            check(host, x509);
-        }
-
-        public void check(String[] host, X509Certificate cert)
-            throws SSLException {
-            String[] cns = Certificates.getCNs(cert);
-            String[] subjectAlts = Certificates.getDNSSubjectAlts(cert);
-            check(host, cns, subjectAlts);
-        }
-
-        public void check(final String[] hosts, final String[] cns,
-                          final String[] subjectAlts, final boolean ie6,
-                          final boolean strictWithSubDomains)
-            throws SSLException {
-            // Build up lists of allowed hosts For logging/debugging purposes.
-            StringBuffer buf = new StringBuffer(32);
-            buf.append('<');
-            for (int i = 0; i < hosts.length; i++) {
-                String h = hosts[i];
-                h = h != null ? h.trim().toLowerCase() : "";
-                hosts[i] = h;
-                if (i > 0) {
-                    buf.append('/');
-                }
-                buf.append(h);
-            }
-            buf.append('>');
-            String hostnames = buf.toString();
-            // Build the list of names we're going to check.  Our DEFAULT and
-            // STRICT implementations of the HostnameVerifier only use the
-            // first CN provided.  All other CNs are ignored.
-            // (Firefox, wget, curl, Sun Java 1.4, 5, 6 all work this way).
-            TreeSet names = new TreeSet();
-            if (cns != null && cns.length > 0 && cns[0] != null) {
-                names.add(cns[0]);
-                if (ie6) {
-                    for (int i = 1; i < cns.length; i++) {
-                        names.add(cns[i]);
-                    }
-                }
-            }
-            if (subjectAlts != null) {
-                for (int i = 0; i < subjectAlts.length; i++) {
-                    if (subjectAlts[i] != null) {
-                        names.add(subjectAlts[i]);
-                    }
-                }
-            }
-            if (names.isEmpty()) {
-                String msg = "Certificate for " + hosts[0] + " doesn't contain CN or DNS subjectAlt";
-                throw new SSLException(msg);
-            }
-
-            // StringBuffer for building the error message.
-            buf = new StringBuffer();
-
-            boolean match = false;
-            out:
-            for (Iterator it = names.iterator(); it.hasNext();) {
-                // Don't trim the CN, though!
-                String cn = (String) it.next();
-                cn = cn.toLowerCase();
-                // Store CN in StringBuffer in case we need to report an error.
-                buf.append(" <");
-                buf.append(cn);
-                buf.append('>');
-                if (it.hasNext()) {
-                    buf.append(" OR");
-                }
-
-                // The CN better have at least two dots if it wants wildcard
-                // action.  It also can't be [*.co.uk] or [*.co.jp] or
-                // [*.org.uk], etc...
-                boolean doWildcard = cn.startsWith("*.")
-                                     && cn.lastIndexOf('.') >= 0
-                                     && !isIP4Address(cn)
-                                     && acceptableCountryWildcard(cn);
-
-                for (int i = 0; i < hosts.length; i++) {
-                    final String hostName = hosts[i].trim().toLowerCase();
-                    if (doWildcard) {
-                        match = hostName.endsWith(cn.substring(1));
-                        if (match && strictWithSubDomains) {
-                            // If we're in strict mode, then [*.foo.com] is not
-                            // allowed to match [a.b.foo.com]
-                            match = countDots(hostName) == countDots(cn);
-                        }
-                    } else {
-                        match = hostName.equals(cn);
-                    }
-                    if (match) {
-                        break out;
-                    }
-                }
-            }
-            if (!match) {
-                throw new SSLException("hostname in certificate didn't match: " + hostnames + " !=" + buf);
-            }
-        }
-
-        public static boolean isIP4Address(final String cn) {
-            boolean isIP4 = true;
-            String tld = cn;
-            int x = cn.lastIndexOf('.');
-            // We only bother analyzing the characters after the final dot
-            // in the name.
-            if (x >= 0 && x + 1 < cn.length()) {
-                tld = cn.substring(x + 1);
-            }
-            for (int i = 0; i < tld.length(); i++) {
-                if (!Character.isDigit(tld.charAt(0))) {
-                    isIP4 = false;
-                    break;
-                }
-            }
-            return isIP4;
-        }
-
-        public static boolean acceptableCountryWildcard(final String cn) {
-            int cnLen = cn.length();
-            if (cnLen >= 7 && cnLen <= 9 && cn.charAt(cnLen - 3) == '.') {
-                // Look for the '.' in the 3rd-last position:
-                // Trim off the [*.] and the [.XX].
-                String s = cn.substring(2, cnLen - 3);
-                // And test against the sorted array of bad 2lds:
-                int x = Arrays.binarySearch(BAD_COUNTRY_2LDS, s);
-                return x < 0;
-
-            }
-            return true;
-        }
-
-        public static boolean isLocalhost(String host) {
-            host = host != null ? host.trim().toLowerCase() : "";
-            if (host.startsWith("::1")) {
-                int x = host.lastIndexOf('%');
-                if (x >= 0) {
-                    host = host.substring(0, x);
-                }
-            }
-            int x = Arrays.binarySearch(LOCALHOSTS, host);
-            return x >= 0;
-        }
-
-        /**
-         * Counts the number of dots "." in a string.
-         *
-         * @param s string to count dots from
-         * @return number of dots
-         */
-        public static int countDots(final String s) {
-            int count = 0;
-            for (int i = 0; i < s.length(); i++) {
-                if (s.charAt(i) == '.') {
-                    count++;
-                }
-            }
-            return count;
-        }
-    }
-
-}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/63dcb1a5/kerby-pkix/src/main/java/org/apache/commons/ssl/KeyMaterial.java
----------------------------------------------------------------------
diff --git a/kerby-pkix/src/main/java/org/apache/commons/ssl/KeyMaterial.java b/kerby-pkix/src/main/java/org/apache/commons/ssl/KeyMaterial.java
deleted file mode 100644
index 350ccd5..0000000
--- a/kerby-pkix/src/main/java/org/apache/commons/ssl/KeyMaterial.java
+++ /dev/null
@@ -1,286 +0,0 @@
-/*
- * $HeadURL: http://juliusdavies.ca/svn/not-yet-commons-ssl/tags/commons-ssl-0.3.16/src/java/org/apache/commons/ssl/KeyMaterial.java $
- * $Revision: 138 $
- * $Date: 2008-03-03 23:50:07 -0800 (Mon, 03 Mar 2008) $
- *
- * ====================================================================
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- * ====================================================================
- *
- * This software consists of voluntary contributions made by many
- * individuals on behalf of the Apache Software Foundation.  For more
- * information on the Apache Software Foundation, please see
- * <http://www.apache.org/>.
- *
- */
-
-package org.apache.commons.ssl;
-
-import org.apache.kerby.util.Util;
-
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.net.URL;
-import java.security.GeneralSecurityException;
-import java.security.KeyStore;
-import java.security.KeyStoreException;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateEncodingException;
-import java.security.cert.X509Certificate;
-import java.util.Collections;
-import java.util.Enumeration;
-import java.util.Iterator;
-import java.util.LinkedList;
-import java.util.List;
-
-/**
- * @author Credit Union Central of British Columbia
- * @author <a href="http://www.cucbc.com/">www.cucbc.com</a>
- * @author <a href="mailto:juliusdavies@cucbc.com">juliusdavies@cucbc.com</a>
- * @since 27-Feb-2006
- */
-public class KeyMaterial extends TrustMaterial {
-    //private final Object keyManagerFactory;
-    private final List aliases;
-    private final List associatedChains;
-
-    public KeyMaterial(InputStream jks, char[] password)
-        throws GeneralSecurityException, IOException {
-        this(Util.streamToBytes(jks), password);
-    }
-
-    public KeyMaterial(InputStream jks, char[] jksPass, char[] keyPass)
-        throws GeneralSecurityException, IOException {
-        this(Util.streamToBytes(jks), jksPass, keyPass);
-    }
-
-    public KeyMaterial(InputStream jks, InputStream key, char[] password)
-        throws GeneralSecurityException, IOException {
-        this(jks != null ? Util.streamToBytes(jks) : null,
-            key != null ? Util.streamToBytes(key) : null,
-            password);
-    }
-
-    public KeyMaterial(InputStream jks, InputStream key, char[] jksPass,
-                       char[] keyPass)
-        throws GeneralSecurityException, IOException {
-        this(jks != null ? Util.streamToBytes(jks) : null,
-            key != null ? Util.streamToBytes(key) : null,
-            jksPass, keyPass);
-    }
-
-    public KeyMaterial(String pathToJksFile, char[] password)
-        throws GeneralSecurityException, IOException {
-        this(new File(pathToJksFile), password);
-    }
-
-    public KeyMaterial(String pathToJksFile, char[] jksPass, char[] keyPass)
-        throws GeneralSecurityException, IOException {
-        this(new File(pathToJksFile), jksPass, keyPass);
-    }
-
-    public KeyMaterial(String pathToCerts, String pathToKey, char[] password)
-        throws GeneralSecurityException, IOException {
-        this(pathToCerts != null ? new File(pathToCerts) : null,
-            pathToKey != null ? new File(pathToKey) : null,
-            password);
-    }
-
-    public KeyMaterial(String pathToCerts, String pathToKey, char[] jksPass,
-                       char[] keyPass)
-        throws GeneralSecurityException, IOException {
-        this(pathToCerts != null ? new File(pathToCerts) : null,
-            pathToKey != null ? new File(pathToKey) : null,
-            jksPass, keyPass);
-    }
-
-    public KeyMaterial(File jksFile, char[] password)
-        throws GeneralSecurityException, IOException {
-        this(new FileInputStream(jksFile), password);
-    }
-
-    public KeyMaterial(File jksFile, char[] jksPass, char[] keyPass)
-        throws GeneralSecurityException, IOException {
-        this(new FileInputStream(jksFile), jksPass, keyPass);
-    }
-
-    public KeyMaterial(File certsFile, File keyFile, char[] password)
-        throws GeneralSecurityException, IOException {
-        this(certsFile != null ? new FileInputStream(certsFile) : null,
-            keyFile != null ? new FileInputStream(keyFile) : null,
-            password);
-    }
-
-    public KeyMaterial(File certsFile, File keyFile, char[] jksPass,
-                       char[] keyPass)
-        throws GeneralSecurityException, IOException {
-        this(certsFile != null ? new FileInputStream(certsFile) : null,
-            keyFile != null ? new FileInputStream(keyFile) : null,
-            jksPass, keyPass);
-    }
-
-    public KeyMaterial(URL urlToJKS, char[] password)
-        throws GeneralSecurityException, IOException {
-        this(urlToJKS.openStream(), password);
-    }
-
-    public KeyMaterial(URL urlToJKS, char[] jksPass, char[] keyPass)
-        throws GeneralSecurityException, IOException {
-        this(urlToJKS.openStream(), jksPass, keyPass);
-    }
-
-    public KeyMaterial(URL urlToCerts, URL urlToKey, char[] password)
-        throws GeneralSecurityException, IOException {
-        this(urlToCerts.openStream(), urlToKey.openStream(), password);
-    }
-
-    public KeyMaterial(URL urlToCerts, URL urlToKey, char[] jksPass,
-                       char[] keyPass)
-        throws GeneralSecurityException, IOException {
-        this(urlToCerts.openStream(), urlToKey.openStream(), jksPass, keyPass);
-    }
-
-    public KeyMaterial(byte[] jks, char[] password)
-        throws GeneralSecurityException, IOException {
-        this(jks, (byte[]) null, password);
-    }
-
-    public KeyMaterial(byte[] jks, char[] jksPass, char[] keyPass)
-        throws GeneralSecurityException, IOException {
-        this(jks, null, jksPass, keyPass);
-    }
-
-    public KeyMaterial(byte[] jksOrCerts, byte[] key, char[] password)
-        throws GeneralSecurityException, IOException {
-        this(jksOrCerts, key, password, password);
-    }
-
-
-    public KeyMaterial(byte[] jksOrCerts, byte[] key, char[] jksPass,
-                       char[] keyPass)
-        throws GeneralSecurityException, IOException {
-        // We're not a simple trust type, so set "simpleTrustType" value to 0.
-        // Only TRUST_ALL and TRUST_THIS_JVM are simple trust types.
-        super(KeyStoreBuilder.build(jksOrCerts, key, jksPass, keyPass), 0);
-        KeyStore ks = getKeyStore();
-        Enumeration en = ks.aliases();
-        List myAliases = new LinkedList();
-        List myChains = new LinkedList();
-        while (en.hasMoreElements()) {
-            X509Certificate[] c; // chain
-            String alias = (String) en.nextElement();
-            if (ks.isKeyEntry(alias)) {
-                try {
-                    ks.getKey(alias, keyPass);
-                    // No Exception thrown, so we're good!
-                    myAliases.add(alias);
-                    Certificate[] chain = ks.getCertificateChain(alias);
-                    if (chain != null) {
-                        c = Certificates.x509ifyChain(chain);
-                        // Cleanup chain to remove any spurious entries.
-                        if (c != null) {
-                            X509Certificate l = c[0]; // The leaf node.
-                            c = X509CertificateChainBuilder.buildPath(l, c);
-                        }
-                        myChains.add(c);
-                    } else {
-                        throw new KeyStoreException("Could not find KeyMaterial's"
-                            + " associated certificate chain with alis=[" + alias + "]");
-                    }
-
-                } catch (GeneralSecurityException gse) {
-                    // oh well, we can't use that KeyStore alias.
-                    System.err.println(gse);
-                }
-            }
-        }
-        if (myAliases.isEmpty()) {
-            throw new KeyStoreException("KeyMaterial provided does not contain any keys!");
-        }
-        this.aliases = Collections.unmodifiableList(myAliases);
-        this.associatedChains = Collections.unmodifiableList(myChains);
-        //this.keyManagerFactory = JavaImpl.newKeyManagerFactory(ks, keyPass);
-    }
-
-    public List getAssociatedCertificateChains() {
-        return associatedChains;
-    }
-
-    public List getAliases() {
-        return aliases;
-    }
-
-    public static void main(String[] args) throws Exception {
-        if (args.length < 2) {
-            System.out.println("Usage1:"
-                + " java org.apache.commons.ssl.KeyMaterial [password] [pkcs12 or jks]");
-            System.out.println("Usage2:"
-                + " java org.apache.commons.ssl.KeyMaterial [password] [private-key] [cert-chain]");
-            System.exit(1);
-        }
-        char[] jksPass = args[0].toCharArray();
-        char[] keyPass = jksPass;
-        String path1 = args[1];
-        String path2 = null;
-        if (args.length >= 3) {
-            path2 = args[2];
-        }
-        if (args.length >= 4) {
-            keyPass = args[3].toCharArray();
-        } else if (path2 != null) {
-            File f = new File(path2);
-            if (!f.exists()) {
-                // Hmmm... maybe it's a password.
-                keyPass = path2.toCharArray();
-                path2 = null;
-            }
-        }
-
-        KeyMaterial km = new KeyMaterial(path1, path2, jksPass, keyPass);
-        System.out.println(km);
-    }
-
-    public String toString() {
-        List chains = getAssociatedCertificateChains();
-        List aliases = getAliases();
-        Iterator it = chains.iterator();
-        Iterator aliasesIt = aliases.iterator();
-        StringBuffer buf = new StringBuffer(8192);
-        while (it.hasNext()) {
-            X509Certificate[] certs = (X509Certificate[]) it.next();
-            String alias = (String) aliasesIt.next();
-            buf.append("Alias: ");
-            buf.append(alias);
-            buf.append('\n');
-            if (certs != null) {
-                for (int i = 0; i < certs.length; i++) {
-                    buf.append(Certificates.toString(certs[i]));
-                    try {
-                        buf.append(Certificates.toPEMString(certs[i]));
-                    } catch (CertificateEncodingException cee) {
-                        buf.append(cee.toString());
-                        buf.append('\n');
-                    }
-                }
-            }
-        }
-        return buf.toString();
-    }
-}

