Author: jaz
Date: Thu May 3 18:50:13 2007
New Revision: 535056
URL: http://svn.apache.org/viewvc?view=rev&rev=535056
Log:
turns out that only one trust manager is used; so to handle multiple trust stores, a new MultiTrustManager has been implemented; the system trust store now tries to load from all possible locations
Added:
ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/MultiTrustManager.java (with props)
Modified:
ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/KeyStoreUtil.java
ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/SSLUtil.java
Modified: ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/KeyStoreUtil.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/KeyStoreUtil.java?view=diff&rev=535056&r1=535055&r2=535056
==============================================================================
--- ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/KeyStoreUtil.java (original)
+++ ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/KeyStoreUtil.java Thu May 3 18:50:13 2007
@@ -72,17 +72,30 @@
 }
 public static KeyStore getSystemTrustStore() throws IOException, GeneralSecurityException {
+ String javaHome = System.getProperty("java.home");
 String fileName = System.getProperty("javax.net.ssl.trustStore");
 String password = System.getProperty("javax.net.ssl.trustStorePassword");
- if (fileName != null && password != null) {
- File file = new File(fileName);
- if (file.exists() && file.canRead()) {
- KeyStore ks = KeyStore.getInstance("jks");
- ks.load(new FileInputStream(file), password.toCharArray());
- return ks;
+ if (password == null) {
+ password = "changeit";
+ }
+
+ KeyStore ks = KeyStore.getInstance("jks");
+ File keyFile = null;
+ if (fileName != null) {
+ keyFile = new File(fileName);
+ } else {
+ keyFile = new File(javaHome + "/lib/security/jssecacerts");
+ if (!keyFile.exists() || !keyFile.canRead()) {
+ keyFile = new File(javaHome + "/lib/security/cacerts");
 }
 }
- return null;
+
+ if (keyFile.exists() && keyFile.canRead()) {
+ ks.load(new FileInputStream(keyFile), password.toCharArray());
+ } else {
+ ks.load(null, "changeit".toCharArray());
+ }
+ return ks;
 }
 public static X509Certificate readCertificate(byte[] certChain) throws CertificateException {
Added: ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/MultiTrustManager.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/MultiTrustManager.java?view=auto&rev=535056
==============================================================================
--- ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/MultiTrustManager.java (added)
+++ ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/MultiTrustManager.java Thu May 3 18:50:13 2007
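Review bot: The `FileInputStream` passed to `ks.load(new FileInputStream(keyFile), password.toCharArray())` is never closed, so each call to getSystemTrustStore() leaks a file descriptor; wrap it as `FileInputStream in = new FileInputStream(keyFile); try { ks.load(in, password.toCharArray()); } finally { in.close(); }`. The fallback branch is also silent: when `javax.net.ssl.trustStore` names a path that does not exist or cannot be read, the method now returns an empty store via `ks.load(null, ...)` where it used to return `null`, so a typo in that property only shows up later as unexplained handshake failures — a warning that names `keyFile` before the fallback would make the misconfiguration visible. The store is always opened as "jks" and `javax.net.ssl.trustStoreType` is ignored, which matches the old code but belongs in a javadoc on the method, e.g. `/** Loads the JVM trust store: javax.net.ssl.trustStore if set, else jssecacerts then cacerts under java.home; an empty store if none is readable. */`.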
@@ -0,0 +1,124 @@
+/*
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+ */
+
+ package org.ofbiz.base.util;
+
+ import javolution.util.FastList;
+
+ import javax.net.ssl.X509TrustManager;
+ import java.security.cert.X509Certificate;
+ import java.security.cert.CertificateException;
+ import java.security.cert.Certificate;
+ import java.security.KeyStore;
+ import java.security.KeyStoreException;
+ import java.util.List;
+ import java.util.Iterator;
+ import java.util.Enumeration;
+
+ /**
+ * MultiTrustManager
+ */
+ public class MultiTrustManager implements X509TrustManager {
+
+ public static final String module = MultiTrustManager.class.getName();
+
+ protected List keystores;
+
+ public MultiTrustManager(KeyStore ks) {
+ this();
+ keystores.add(ks);
+ }
+
+ public MultiTrustManager() {
+ keystores = FastList.newInstance();
+ }
+
+ public void add(KeyStore ks) {
+ if (ks != null) {
+ keystores.add(ks);
+ }
+ }
+
+ public void checkClientTrusted(X509Certificate[] certs, String alg) throws CertificateException {
+ if (!isTrusted(certs)) {
+ throw new CertificateException("No trusted certificate found");
+ }
+ }
+
+ public void checkServerTrusted(X509Certificate[] certs, String alg) throws CertificateException {
+ if (!isTrusted(certs)) {
+ throw new CertificateException("No trusted certificate found");
+ }
+ }
+
+ public X509Certificate[] getAcceptedIssuers() {
+ List certs = FastList.newInstance();
+ Iterator i = keystores.iterator();
+ while (i.hasNext()) {
+ KeyStore k = (KeyStore) i.next();
+ try {
+ Enumeration e = k.aliases();
+ while (e.hasMoreElements()) {
+ String alias = (String) e.nextElement();
+ Certificate[] cert = k.getCertificateChain(alias);
+ if (cert != null) {
+ for (int x = 0; x < cert.length; x++) {
+ if (cert[x] instanceof X509Certificate) {
+ if (Debug.verboseOn())
+ Debug.log("Read certificate (chain) : " + ((X509Certificate) cert[x]).getSubjectX500Principal().getName(), module);
+ certs.add(cert[x]);
+ }
+ }
+ } else {
+ Certificate c = k.getCertificate(alias);
+ if (c != null && c instanceof X509Certificate) {
+ if (Debug.verboseOn())
+ Debug.log("Read certificate : " + ((X509Certificate) c).getSubjectX500Principal().getName(), module);
+ certs.add(c);
+ }
+ }
+ }
+ } catch (KeyStoreException e) {
+ Debug.logError(e, module);
+ }
+ }
+
+ return (X509Certificate[]) certs.toArray(new X509Certificate[certs.size()]);
+ }
+
+ protected boolean isTrusted(X509Certificate[] cert) {
+ if (cert != null) {
+ X509Certificate[] certs = this.getAcceptedIssuers();
+ if (certs != null) {
+ for (int i = 0; i < certs.length; i++) {
+ for (int x = 0; x < cert.length; x++) {
+ if (Debug.verboseOn())
+ Debug.log("--- Checking cert: " + certs[i].getSubjectX500Principal() + " vs " + cert[x].getSubjectX500Principal(), module);
+ if (certs[i].equals(cert[x])) {
+ if (Debug.verboseOn())
+ Debug.log("--- Found trusted cert: " + certs[i].getSerialNumber().toString(16) + " : " + certs[i].getSubjectX500Principal(), module);
+ return true;
+ }
+ }
+ }
+ }
+ }
+ return false;
+ }
+ }
Propchange: ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/MultiTrustManager.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange:
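Review bot: `isTrusted` (near the end of the file) accepts a peer as soon as any certificate in the presented chain is `equals()` to any certificate held in any of the keystores, and it never verifies a signature, a validity period or a path from the leaf to that certificate; since CA certificates are public, a peer can present an arbitrary self-issued leaf and simply append a copy of a trusted CA certificate to its chain, and both `checkServerTrusted` and `checkClientTrusted` will accept it. The `TrustManagerFactory` managers this class replaces performed that validation, so the net effect is to swap PKIX trust for exact-match trust on every TLS connection built through SSLUtil. The fix is to build one JSSE `X509TrustManager` per store and have this class delegate to them, accepting when any one accepts; the sketch below needs `javax.net.ssl.TrustManager`, `javax.net.ssl.TrustManagerFactory` and `java.security.GeneralSecurityException` imported, `trustManagers` initialised in the no-arg constructor, the `KeyStore` constructor routed through `add(ks)`, and `isTrusted` removed. Separately, `getAcceptedIssuers` also collects end-entity certificates from `getCertificateChain(alias)` key entries, which the TLS layer advertises to clients as acceptable CAs; only CA certificates belong there.
```java
protected List keystores;
protected List trustManagers;  // one factory-built X509TrustManager per added store

// … unchanged: constructors (no-arg one must also set trustManagers = FastList.newInstance()) …

public void add(KeyStore ks) {
    if (ks == null) {
        return;
    }
    keystores.add(ks);
    try {
        // signature, validity-period and path-to-anchor checks live in the JSSE manager
        TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        factory.init(ks);
        TrustManager[] tms = factory.getTrustManagers();
        for (int i = 0; i < tms.length; i++) {
            if (tms[i] instanceof X509TrustManager) {
                trustManagers.add(tms[i]);
            }
        }
    } catch (GeneralSecurityException e) {
        Debug.logError(e, module);
    }
}

public void checkClientTrusted(X509Certificate[] certs, String alg) throws CertificateException {
    checkTrusted(certs, alg, true);
}

public void checkServerTrusted(X509Certificate[] certs, String alg) throws CertificateException {
    checkTrusted(certs, alg, false);
}

// Accept the chain only if at least one store's validator accepts it; otherwise rethrow the last rejection.
protected void checkTrusted(X509Certificate[] certs, String alg, boolean client) throws CertificateException {
    if (certs == null || certs.length == 0) {
        throw new CertificateException("No certificate chain presented");
    }
    CertificateException last = null;
    Iterator i = trustManagers.iterator();
    while (i.hasNext()) {
        X509TrustManager tm = (X509TrustManager) i.next();
        try {
            if (client) {
                tm.checkClientTrusted(certs, alg);
            } else {
                tm.checkServerTrusted(certs, alg);
            }
            return;
        } catch (CertificateException e) {
            last = e;
        }
    }
    throw (last != null) ? last : new CertificateException("No trusted certificate found");
}

// … unchanged: getAcceptedIssuers …
```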
ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/MultiTrustManager.java
------------------------------------------------------------------------------
svn:keywords = "Date Rev Author URL Id"
Propchange: ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/MultiTrustManager.java
------------------------------------------------------------------------------
svn:mime-type = text/plain
Modified: ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/SSLUtil.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/SSLUtil.java?view=diff&rev=535056&r1=535055&r2=535056
==============================================================================
--- ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/SSLUtil.java (original)
+++ ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/SSLUtil.java Thu May 3 18:50:13 2007
@@ -102,9 +102,8 @@
 }
 public static TrustManager[] getTrustManagers() throws IOException, GeneralSecurityException, GenericConfigException {
- KeyStore trustStore = KeyStoreUtil.getSystemTrustStore();
- List trustMgrs = FastList.newInstance();
- trustMgrs.addAll(Arrays.asList(getTrustManagers(trustStore)));
+ MultiTrustManager tm = new MultiTrustManager();
+ tm.add(KeyStoreUtil.getSystemTrustStore());
 Iterator i = ComponentConfig.getAllKeystoreInfos().iterator();
 while (i.hasNext()) {
@@ -112,14 +111,14 @@
 if (ksi.isTrustStore()) {
 KeyStore ks = ksi.getKeyStore();
 if (ks != null) {
- trustMgrs.addAll(Arrays.asList(getTrustManagers(ks)));
+ tm.add(ks);
 } else {
 throw new IOException("Unable to load keystore: " + ksi.createResourceHandler().getFullLocation());
 }
 }
 }
- return (TrustManager[]) trustMgrs.toArray(new TrustManager[trustMgrs.size()]);
+ return new TrustManager[] { tm };
 }
 public static KeyManager[] getKeyManagers(KeyStore ks, String password, String alias) throws GeneralSecurityException {
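Review bot: `getTrustManagers()` now folds the system store and every component trust store into a single `MultiTrustManager`, and nothing on the method says so; a reader of `return new TrustManager[] { tm };` cannot tell that the returned array always has exactly one element and that the stores are merged rather than consulted independently. Suggest a javadoc along the lines of `/** Returns one combined trust manager covering the JVM trust store plus every component keystore flagged as a trust store; throws IOException when a configured trust store cannot be loaded. */`. With `trustMgrs` gone, the `Arrays`, `List` and `FastList` names the removed lines used are probably no longer referenced in SSLUtil — the import block is outside this hunk, so confirm before dropping them.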
@@ -137,9 +136,7 @@
 }
 public static TrustManager[] getTrustManagers(KeyStore ks) throws GeneralSecurityException {
- TrustManagerFactory factory = TrustManagerFactory.getInstance("SunX509");
- factory.init(ks);
- return factory.getTrustManagers();
+ return new TrustManager[] { new MultiTrustManager(ks) };
 }
 public static SSLSocketFactory getSSLSocketFactory(KeyStore ks, String password, String alias) throws IOException, GeneralSecurityException, GenericConfigException {
@@ -186,8 +183,7 @@
 }
 switch(level) {
 case HOSTCERT_MIN_CHECK:
 return new HostnameVerifier() {
- public boolean verify(String hostname, SSLSession session) {
- Debug.log("Checking: " + hostname + " :: " + session.getPeerHost(), module);
+ public boolean verify(String hostname, SSLSession session) {
 javax.security.cert.X509Certificate[] peerCerts;
 try {
 peerCerts = session.getPeerCertificateChain();
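Review bot: `getTrustManagers(KeyStore ks)` now hands back `new MultiTrustManager(ks)` instead of the managers from `TrustManagerFactory.getInstance("SunX509")`, so every caller that supplies its own keystore (presumably `getSSLSocketFactory`, whose signature follows in the hunk) loses signature, validity-period and chain-path checking and gets exact-certificate matching against the store contents instead. Unless MultiTrustManager itself validates chains, this method should keep the factory — `TrustManagerFactory factory = TrustManagerFactory.getInstance("SunX509"); factory.init(ks); return factory.getTrustManagers();` — or wrap the factory's managers rather than the raw keystore. A one-line comment on the new return, such as `// exact-match trust only: no PKIX path validation is performed by MultiTrustManager`, would at least make the trade-off explicit to the next reader.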