ofbiz-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From j..@apache.org
Subject svn commit: r535056 - in /ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util: KeyStoreUtil.java MultiTrustManager.java SSLUtil.java
Date Fri, 04 May 2007 01:50:14 GMT
Author: jaz
Date: Thu May  3 18:50:13 2007
New Revision: 535056

URL: http://svn.apache.org/viewvc?view=rev&rev=535056
Log:
turns out that only one trust manager is used; so to handle multiple trust stores, a new MultiTrustManager
has been implemented; the system trust store now tries to load from all possible locations

Added:
    ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/MultiTrustManager.java   (with
props)
Modified:
    ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/KeyStoreUtil.java
    ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/SSLUtil.java

Modified: ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/KeyStoreUtil.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/KeyStoreUtil.java?view=diff&rev=535056&r1=535055&r2=535056
==============================================================================
--- ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/KeyStoreUtil.java (original)
+++ ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/KeyStoreUtil.java Thu May  3 18:50:13
2007
@@ -72,17 +72,30 @@
     }
 
     public static KeyStore getSystemTrustStore() throws IOException, GeneralSecurityException
{
+        String javaHome = System.getProperty("java.home");
         String fileName = System.getProperty("javax.net.ssl.trustStore");
         String password = System.getProperty("javax.net.ssl.trustStorePassword");
-        if (fileName != null && password != null) {
-            File file = new File(fileName);
-            if (file.exists() && file.canRead()) {
-                KeyStore ks = KeyStore.getInstance("jks");
-                ks.load(new FileInputStream(file), password.toCharArray());
-                return ks;
+        if (password == null) {
+            password = "changeit";
+        }
+        
+        KeyStore ks = KeyStore.getInstance("jks");
+        File keyFile = null;
+        if (fileName != null) {
+            keyFile = new File(fileName);
+        } else {
+            keyFile = new File(javaHome + "/lib/security/jssecacerts");
+            if (!keyFile.exists() || !keyFile.canRead()) {
+                keyFile = new File(javaHome + "/lib/security/cacerts");
             }
         }
-        return null;
+
+        if (keyFile.exists() && keyFile.canRead()) {
+            ks.load(new FileInputStream(keyFile), password.toCharArray());
+        } else {
+            ks.load(null, "changeit".toCharArray());
+        }
+        return ks;        
     }
 
     public static X509Certificate readCertificate(byte[] certChain) throws CertificateException
{

Added: ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/MultiTrustManager.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/MultiTrustManager.java?view=auto&rev=535056
==============================================================================
--- ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/MultiTrustManager.java (added)
+++ ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/MultiTrustManager.java Thu May
 3 18:50:13 2007
@@ -0,0 +1,124 @@
+/*
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements.  See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership.  The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License.  You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied.  See the License for the
+ specific language governing permissions and limitations
+ under the License.
+ */
+
+package org.ofbiz.base.util;
+
+import javolution.util.FastList;
+
+import javax.net.ssl.X509TrustManager;
+import java.security.cert.X509Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.Certificate;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.util.List;
+import java.util.Iterator;
+import java.util.Enumeration;
+
+/**
+ * MultiTrustManager
+ */
+public class MultiTrustManager implements X509TrustManager {
+
+    public static final String module = MultiTrustManager.class.getName();
+
+    protected List keystores;
+
+    public MultiTrustManager(KeyStore ks) {
+        this();
+        keystores.add(ks);
+    }
+
+    public MultiTrustManager() {
+        keystores = FastList.newInstance();
+    }
+
+    public void add(KeyStore ks) {        
+        if (ks != null) {
+            keystores.add(ks);
+        }
+    }
+
+    public void checkClientTrusted(X509Certificate[] certs, String alg) throws CertificateException
{
+        if (!isTrusted(certs)) {
+            throw new CertificateException("No trusted certificate found");
+        }
+    }
+
+    public void checkServerTrusted(X509Certificate[] certs, String alg) throws CertificateException
{
+        if (!isTrusted(certs)) {
+            throw new CertificateException("No trusted certificate found");
+        }
+    }
+
+    public X509Certificate[] getAcceptedIssuers() {
+        List certs = FastList.newInstance();
+        Iterator i = keystores.iterator();
+        while (i.hasNext()) {
+            KeyStore k = (KeyStore) i.next();
+            try {
+                Enumeration e = k.aliases();
+                while (e.hasMoreElements()) {
+                    String alias = (String) e.nextElement();
+                    Certificate[] cert = k.getCertificateChain(alias);
+                    if (cert != null) {
+                        for (int x = 0; x < cert.length; x++) {
+                            if (cert[x] instanceof X509Certificate) {
+                                if (Debug.verboseOn())
+                                    Debug.log("Read certificate (chain) : " + ((X509Certificate)
cert[x]).getSubjectX500Principal().getName(), module);
+                                certs.add(cert[x]);
+                            }
+                        }
+                    } else {
+                        Certificate c = k.getCertificate(alias);
+                        if (c != null && c instanceof X509Certificate) {
+                            if (Debug.verboseOn())
+                                Debug.log("Read certificate : " + ((X509Certificate) c).getSubjectX500Principal().getName(),
module);
+                            certs.add(c);
+                        }
+                    }
+                }
+            } catch (KeyStoreException e) {
+                Debug.logError(e, module);
+            }
+        }
+
+        return (X509Certificate[]) certs.toArray(new X509Certificate[certs.size()]);
+    }
+
+    protected boolean isTrusted(X509Certificate[] cert) {
+        if (cert != null) {
+            X509Certificate[] certs = this.getAcceptedIssuers();
+            if (certs != null) {
+                for (int i = 0; i < certs.length; i++) {
+                    for (int x = 0; x < cert.length; x++) {
+                        if (Debug.verboseOn())
+                            Debug.log("--- Checking cert: " + certs[i].getSubjectX500Principal()
+ " vs " + cert[x].getSubjectX500Principal(), module);
+                        if (certs[i].equals(cert[x])) {
+                            if (Debug.verboseOn())
+                                Debug.log("--- Found trusted cert: " + certs[i].getSerialNumber().toString(16)
+ " : " + certs[i].getSubjectX500Principal(), module);
+                            return true;
+                        }
+                    }
+                }
+            }
+        }
+        return false;
+    }
+}

Propchange: ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/MultiTrustManager.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/MultiTrustManager.java
------------------------------------------------------------------------------
    svn:keywords = "Date Rev Author URL Id"

Propchange: ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/MultiTrustManager.java
------------------------------------------------------------------------------
    svn:mime-type = text/plain

Modified: ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/SSLUtil.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/SSLUtil.java?view=diff&rev=535056&r1=535055&r2=535056
==============================================================================
--- ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/SSLUtil.java (original)
+++ ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/SSLUtil.java Thu May  3 18:50:13
2007
@@ -102,9 +102,8 @@
     }
 
     public static TrustManager[] getTrustManagers() throws IOException, GeneralSecurityException,
GenericConfigException {
-        KeyStore trustStore = KeyStoreUtil.getSystemTrustStore();
-        List trustMgrs = FastList.newInstance();
-        trustMgrs.addAll(Arrays.asList(getTrustManagers(trustStore)));
+        MultiTrustManager tm = new MultiTrustManager();
+        tm.add(KeyStoreUtil.getSystemTrustStore());
 
         Iterator i = ComponentConfig.getAllKeystoreInfos().iterator();
         while (i.hasNext()) {
@@ -112,14 +111,14 @@
             if (ksi.isTrustStore()) {
                 KeyStore ks = ksi.getKeyStore();
                 if (ks != null) {
-                    trustMgrs.addAll(Arrays.asList(getTrustManagers(ks)));
+                    tm.add(ks);
                 } else {
                     throw new IOException("Unable to load keystore: " + ksi.createResourceHandler().getFullLocation());
                 }
             }
         }
 
-        return (TrustManager[]) trustMgrs.toArray(new TrustManager[trustMgrs.size()]);
+        return new TrustManager[] { tm };
     }
 
     public static KeyManager[] getKeyManagers(KeyStore ks, String password, String alias)
throws GeneralSecurityException {
@@ -137,9 +136,7 @@
     }
 
     public static TrustManager[] getTrustManagers(KeyStore ks) throws GeneralSecurityException
{
-        TrustManagerFactory factory = TrustManagerFactory.getInstance("SunX509");
-        factory.init(ks);
-        return factory.getTrustManagers();
+        return new TrustManager[] { new MultiTrustManager(ks) };        
     }
 
     public static SSLSocketFactory getSSLSocketFactory(KeyStore ks, String password, String
alias) throws IOException, GeneralSecurityException, GenericConfigException {
@@ -186,8 +183,7 @@
         switch(level) {           
             case HOSTCERT_MIN_CHECK:
                 return new HostnameVerifier() {
-                    public boolean verify(String hostname, SSLSession session) {
-                        Debug.log("Checking: " + hostname + " :: " + session.getPeerHost(),
module);
+                    public boolean verify(String hostname, SSLSession session) {        
               
                         javax.security.cert.X509Certificate[] peerCerts;
                         try {
                             peerCerts = session.getPeerCertificateChain();



Mime
View raw message