diff options
Diffstat (limited to 'qpid/java/common/src/main/java/org/apache/qpid/ssl/SSLContextFactory.java')
-rw-r--r-- | qpid/java/common/src/main/java/org/apache/qpid/ssl/SSLContextFactory.java | 111 |
1 files changed, 91 insertions, 20 deletions
diff --git a/qpid/java/common/src/main/java/org/apache/qpid/ssl/SSLContextFactory.java b/qpid/java/common/src/main/java/org/apache/qpid/ssl/SSLContextFactory.java index b2967bb0bb..01381ad23f 100644 --- a/qpid/java/common/src/main/java/org/apache/qpid/ssl/SSLContextFactory.java +++ b/qpid/java/common/src/main/java/org/apache/qpid/ssl/SSLContextFactory.java @@ -21,6 +21,8 @@ package org.apache.qpid.ssl; import org.apache.qpid.transport.network.security.ssl.QpidClientX509KeyManager; +import org.apache.qpid.transport.network.security.ssl.QpidMultipleTrustManager; +import org.apache.qpid.transport.network.security.ssl.QpidPeersOnlyTrustManager; import org.apache.qpid.transport.network.security.ssl.SSLUtil; import javax.net.ssl.KeyManager; @@ -28,9 +30,16 @@ import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.SSLContext; import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManagerFactory; +import javax.net.ssl.X509TrustManager; +import java.security.cert.X509Certificate; + import java.io.IOException; import java.security.GeneralSecurityException; import java.security.KeyStore; +import java.util.ArrayList; +import java.util.Collection; +import java.util.Collections; +import java.util.List; /** * Factory used to create SSLContexts. SSL needs to be configured @@ -40,6 +49,26 @@ import java.security.KeyStore; public class SSLContextFactory { public static final String TRANSPORT_LAYER_SECURITY_CODE = "TLS"; + + public static class TrustStoreWrapper + { + private final String trustStorePath; + private final String trustStorePassword; + private final String trustStoreType; + private final Boolean trustStorePeersOnly; + private String trustManagerFactoryAlgorithm; + + public TrustStoreWrapper(final String trustStorePath, final String trustStorePassword, + final String trustStoreType, final Boolean trustStorePeersOnly, + final String trustManagerFactoryAlgorithm) + { + this.trustStorePath = trustStorePath; + this.trustStorePassword = trustStorePassword; + this.trustStoreType = trustStoreType; + this.trustStorePeersOnly = trustStorePeersOnly; + this.trustManagerFactoryAlgorithm = trustManagerFactoryAlgorithm; + } + } private SSLContextFactory() { @@ -51,25 +80,34 @@ public class SSLContextFactory final String keyManagerFactoryAlgorithm) throws GeneralSecurityException, IOException { - return buildContext(null, null, null, null, keyStorePath, keyStorePassword, keyStoreType, - keyManagerFactoryAlgorithm, null); + return buildContext(Collections.<TrustStoreWrapper>emptyList(), keyStorePath, + keyStorePassword, keyStoreType, keyManagerFactoryAlgorithm, null); + } + + public static SSLContext buildClientContext(Collection<TrustStoreWrapper> trustStores, + final String keyStorePath, final String keyStorePassword, + final String keyStoreType, final String keyManagerFactoryAlgorithm, + final String certAlias) throws GeneralSecurityException, IOException + { + return buildContext(trustStores, keyStorePath, keyStorePassword, keyStoreType, + keyManagerFactoryAlgorithm, certAlias); } public static SSLContext buildClientContext(final String trustStorePath, final String trustStorePassword, final String trustStoreType, - final String trustManagerFactoryAlgorithm, final String keyStorePath, - final String keyStorePassword, final String keyStoreType, + final String trustManagerFactoryAlgorithm, final String keyStorePath, + final String keyStorePassword, final String keyStoreType, final String keyManagerFactoryAlgorithm, final String certAlias) throws GeneralSecurityException, IOException { - return buildContext(trustStorePath, trustStorePassword, trustStoreType, - trustManagerFactoryAlgorithm, keyStorePath, keyStorePassword, keyStoreType, - keyManagerFactoryAlgorithm, certAlias); + TrustStoreWrapper trstWrapper = new TrustStoreWrapper(trustStorePath, trustStorePassword, + trustStoreType, Boolean.FALSE, + trustManagerFactoryAlgorithm); + return buildContext(Collections.singletonList(trstWrapper), keyStorePath, + keyStorePassword, keyStoreType, keyManagerFactoryAlgorithm, certAlias); } - private static SSLContext buildContext(final String trustStorePath, - final String trustStorePassword, final String trustStoreType, - final String trustManagerFactoryAlgorithm, + private static SSLContext buildContext(final Collection<TrustStoreWrapper> trstWrappers, final String keyStorePath, final String keyStorePassword, final String keyStoreType, final String keyManagerFactoryAlgorithm, final String certAlias) @@ -81,21 +119,54 @@ public class SSLContextFactory final TrustManager[] trustManagers; final KeyManager[] keyManagers; - - if (trustStorePath != null) + + final Collection<TrustManager> trustManagersCol = new ArrayList<TrustManager>(); + final QpidMultipleTrustManager mulTrustManager = new QpidMultipleTrustManager(); + for (TrustStoreWrapper tsw : trstWrappers) { - final KeyStore ts = SSLUtil.getInitializedKeyStore(trustStorePath, - trustStorePassword, trustStoreType); - final TrustManagerFactory tmf = TrustManagerFactory - .getInstance(trustManagerFactoryAlgorithm); - tmf.init(ts); - - trustManagers = tmf.getTrustManagers(); + if (tsw.trustStorePath != null) + { + final KeyStore ts = SSLUtil.getInitializedKeyStore(tsw.trustStorePath, + tsw.trustStorePassword, tsw.trustStoreType); + final TrustManagerFactory tmf = TrustManagerFactory + .getInstance(tsw.trustManagerFactoryAlgorithm); + tmf.init(ts); + TrustManager[] delegateManagers = tmf.getTrustManagers(); + for (TrustManager tm : delegateManagers) + { + if (tm instanceof X509TrustManager) + { + if (Boolean.TRUE.equals(tsw.trustStorePeersOnly)) + { + // truststore is supposed to trust only clients which peers certificates + // are directly in the store. CA signing will not be considered. + mulTrustManager.addTrustManager(new QpidPeersOnlyTrustManager(ts, (X509TrustManager) tm)); + } + else + { + mulTrustManager.addTrustManager((X509TrustManager) tm); + } + } + else + { + trustManagersCol.add(tm); + } + } + } } - else + if (! mulTrustManager.isEmpty()) + { + trustManagersCol.add(mulTrustManager); + } + + if (trustManagersCol.isEmpty()) { trustManagers = null; } + else + { + trustManagers = trustManagersCol.toArray(new TrustManager[trustManagersCol.size()]); + } if (keyStorePath != null) { |