diff options
author | Rajith Muditha Attapattu <rajith@apache.org> | 2011-05-27 15:44:23 +0000 |
---|---|---|
committer | Rajith Muditha Attapattu <rajith@apache.org> | 2011-05-27 15:44:23 +0000 |
commit | 66765100f4257159622cefe57bed50125a5ad017 (patch) | |
tree | a88ee23bb194eb91f0ebb2d9b23ff423e3ea8e37 /qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java | |
parent | 1aeaa7b16e5ce54f10c901d75c4d40f9f88b9db6 (diff) | |
parent | 88b98b2f4152ef59a671fad55a0d08338b6b78ca (diff) | |
download | qpid-python-66765100f4257159622cefe57bed50125a5ad017.tar.gz |
Creating a branch for experimenting with some ideas for JMS client.rajith_jms_client
git-svn-id: https://svn.apache.org/repos/asf/qpid/branches/rajith_jms_client@1128369 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java')
-rw-r--r-- | qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java | 197 |
1 files changed, 197 insertions, 0 deletions
diff --git a/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java b/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java new file mode 100644 index 0000000000..fd73915b65 --- /dev/null +++ b/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java @@ -0,0 +1,197 @@ +/* + * + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ +package org.apache.qpid.transport.network.security.ssl; + +import java.io.File; +import java.io.FileInputStream; +import java.io.IOException; +import java.io.InputStream; +import java.security.GeneralSecurityException; +import java.security.KeyStore; +import java.security.Principal; +import java.security.cert.Certificate; +import java.security.cert.X509Certificate; + +import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLEngine; +import javax.net.ssl.SSLPeerUnverifiedException; + +import org.apache.qpid.ssl.SSLContextFactory; +import org.apache.qpid.transport.ConnectionSettings; +import org.apache.qpid.transport.TransportException; +import org.apache.qpid.transport.util.Logger; + +public class SSLUtil +{ + private static final Logger log = Logger.get(SSLUtil.class); + + public static void verifyHostname(SSLEngine engine,String hostnameExpected) + { + try + { + Certificate cert = engine.getSession().getPeerCertificates()[0]; + Principal p = ((X509Certificate)cert).getSubjectDN(); + String dn = p.getName(); + String hostname = null; + + if (dn.contains("CN=")) + { + hostname = dn.substring(3, + dn.indexOf(",") == -1? dn.length(): dn.indexOf(",")); + } + + if (log.isDebugEnabled()) + { + log.debug("Hostname expected : " + hostnameExpected); + log.debug("Distinguished Name for server certificate : " + dn); + log.debug("Host Name obtained from DN : " + hostname); + } + + if (hostname != null && !(hostname.equalsIgnoreCase(hostnameExpected) || + hostname.equalsIgnoreCase(hostnameExpected + ".localdomain"))) + { + throw new TransportException("SSL hostname verification failed." + + " Expected : " + hostnameExpected + + " Found in cert : " + hostname); + } + + } + catch(SSLPeerUnverifiedException e) + { + log.warn("Exception received while trying to verify hostname",e); + // For some reason the SSL engine sets the handshake status to FINISH twice + // in succession. The first time the peer certificate + // info is not available. The second time it works ! + // Therefore have no choice but to ignore the exception here. + } + } + + public static String retriveIdentity(SSLEngine engine) + { + StringBuffer id = new StringBuffer(); + try + { + Certificate cert = engine.getSession().getLocalCertificates()[0]; + Principal p = ((X509Certificate)cert).getSubjectDN(); + String dn = p.getName(); + + if (dn.contains("CN=")) + { + id.append(dn.substring(3, + dn.indexOf(",") == -1? dn.length(): dn.indexOf(","))); + } + + if (dn.contains("DC=")) + { + id.append("@"); + int c = 0; + for (String toks : dn.split(",")) + { + if (toks.contains("DC")) + { + if (c > 0) {id.append(".");} + id.append(toks.substring( + toks.indexOf("=")+1, + toks.indexOf(",") == -1? toks.length(): toks.indexOf(","))); + c++; + } + } + } + } + catch(Exception e) + { + log.info("Exception received while trying to retrive client identity from SSL cert",e); + } + + log.debug("Extracted Identity from client certificate : " + id); + return id.toString(); + } + + public static SSLContext createSSLContext(ConnectionSettings settings) throws Exception + { + SSLContextFactory sslContextFactory; + + if (settings.getCertAlias() == null) + { + sslContextFactory = + new SSLContextFactory(settings.getTrustStorePath(), + settings.getTrustStorePassword(), + settings.getTrustStoreCertType(), + settings.getKeyStorePath(), + settings.getKeyStorePassword(), + settings.getKeyStoreCertType()); + + } else + { + sslContextFactory = + new SSLContextFactory(settings.getTrustStorePath(), + settings.getTrustStorePassword(), + settings.getTrustStoreCertType(), + new QpidClientX509KeyManager(settings.getCertAlias(), + settings.getKeyStorePath(), + settings.getKeyStorePassword(), + settings.getKeyStoreCertType())); + + log.debug("Using custom key manager"); + } + + return sslContextFactory.buildServerContext(); + + } + + public static KeyStore getInitializedKeyStore(String storePath, String storePassword) throws GeneralSecurityException, IOException + { + KeyStore ks = KeyStore.getInstance("JKS"); + InputStream in = null; + try + { + File f = new File(storePath); + if (f.exists()) + { + in = new FileInputStream(f); + } + else + { + in = Thread.currentThread().getContextClassLoader().getResourceAsStream(storePath); + } + if (in == null) + { + throw new IOException("Unable to load keystore resource: " + storePath); + } + ks.load(in, storePassword.toCharArray()); + } + finally + { + if (in != null) + { + //noinspection EmptyCatchBlock + try + { + in.close(); + } + catch (IOException ignored) + { + } + } + } + return ks; + } +} |