1 files changed, 91 insertions, 20 deletions

diff --git a/qpid/java/common/src/main/java/org/apache/qpid/ssl/SSLContextFactory.java b/qpid/java/common/src/main/java/org/apache/qpid/ssl/SSLContextFactory.java
index b2967bb0bb..01381ad23f 100644
--- a/qpid/java/common/src/main/java/org/apache/qpid/ssl/SSLContextFactory.java
+++ b/qpid/java/common/src/main/java/org/apache/qpid/ssl/SSLContextFactory.java
@@ -21,6 +21,8 @@
 package org.apache.qpid.ssl;
 
 import org.apache.qpid.transport.network.security.ssl.QpidClientX509KeyManager;
+import org.apache.qpid.transport.network.security.ssl.QpidMultipleTrustManager;
+import org.apache.qpid.transport.network.security.ssl.QpidPeersOnlyTrustManager;
 import org.apache.qpid.transport.network.security.ssl.SSLUtil;
 
 import javax.net.ssl.KeyManager;
@@ -28,9 +30,16 @@ import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509TrustManager;
+import java.security.cert.X509Certificate;
+
 import java.io.IOException;
 import java.security.GeneralSecurityException;
 import java.security.KeyStore;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.List;
 
 /**
  * Factory used to create SSLContexts. SSL needs to be configured
@@ -40,6 +49,26 @@ import java.security.KeyStore;
 public class SSLContextFactory
 {
     public static final String TRANSPORT_LAYER_SECURITY_CODE = "TLS";
+    
+    public static class TrustStoreWrapper
+    {
+        private final String trustStorePath;
+        private final String trustStorePassword;
+        private final String trustStoreType;
+        private final Boolean trustStorePeersOnly;
+        private String trustManagerFactoryAlgorithm;
+        
+        public TrustStoreWrapper(final String trustStorePath, final String trustStorePassword,
+                final String trustStoreType, final Boolean trustStorePeersOnly,
+                final String trustManagerFactoryAlgorithm)
+        {
+            this.trustStorePath = trustStorePath;
+            this.trustStorePassword = trustStorePassword;
+            this.trustStoreType = trustStoreType;
+            this.trustStorePeersOnly = trustStorePeersOnly;
+            this.trustManagerFactoryAlgorithm = trustManagerFactoryAlgorithm;
+        }
+    }
 
     private SSLContextFactory()
     {
@@ -51,25 +80,34 @@ public class SSLContextFactory
             final String keyManagerFactoryAlgorithm)
             throws GeneralSecurityException, IOException
     {
-        return buildContext(null, null, null, null, keyStorePath, keyStorePassword, keyStoreType,
-                keyManagerFactoryAlgorithm, null);
+        return buildContext(Collections.<TrustStoreWrapper>emptyList(), keyStorePath,
+                keyStorePassword, keyStoreType, keyManagerFactoryAlgorithm, null);
+    }
+    
+    public static SSLContext buildClientContext(Collection<TrustStoreWrapper> trustStores,
+            final String keyStorePath, final String keyStorePassword,
+            final String keyStoreType, final String keyManagerFactoryAlgorithm,
+            final String certAlias) throws GeneralSecurityException, IOException
+    {
+        return buildContext(trustStores, keyStorePath, keyStorePassword, keyStoreType,
+                            keyManagerFactoryAlgorithm, certAlias);
     }
 
     public static SSLContext buildClientContext(final String trustStorePath,
             final String trustStorePassword, final String trustStoreType,
-            final String trustManagerFactoryAlgorithm, final String keyStorePath, 
-            final String keyStorePassword, final String keyStoreType, 
+            final String trustManagerFactoryAlgorithm, final String keyStorePath,
+            final String keyStorePassword, final String keyStoreType,
             final String keyManagerFactoryAlgorithm, final String certAlias)
             throws GeneralSecurityException, IOException
     {
-        return buildContext(trustStorePath, trustStorePassword, trustStoreType,
-                trustManagerFactoryAlgorithm, keyStorePath, keyStorePassword, keyStoreType,
-                keyManagerFactoryAlgorithm, certAlias);
+        TrustStoreWrapper trstWrapper = new TrustStoreWrapper(trustStorePath, trustStorePassword,
+                                                              trustStoreType, Boolean.FALSE,
+                                                              trustManagerFactoryAlgorithm);
+        return buildContext(Collections.singletonList(trstWrapper), keyStorePath,
+                keyStorePassword, keyStoreType, keyManagerFactoryAlgorithm, certAlias);
     }
     
-    private static SSLContext buildContext(final String trustStorePath,
-            final String trustStorePassword, final String trustStoreType,
-            final String trustManagerFactoryAlgorithm,
+    private static SSLContext buildContext(final Collection<TrustStoreWrapper> trstWrappers,
             final String keyStorePath, final String keyStorePassword, 
             final String keyStoreType, final String keyManagerFactoryAlgorithm,
             final String certAlias)
@@ -81,21 +119,54 @@ public class SSLContextFactory
 
         final TrustManager[] trustManagers;
         final KeyManager[] keyManagers;
-
-        if (trustStorePath != null)
+        
+        final Collection<TrustManager> trustManagersCol = new ArrayList<TrustManager>();
+        final QpidMultipleTrustManager mulTrustManager = new QpidMultipleTrustManager();
+        for (TrustStoreWrapper tsw : trstWrappers)
         {
-            final KeyStore ts = SSLUtil.getInitializedKeyStore(trustStorePath,
-                    trustStorePassword, trustStoreType);
-            final TrustManagerFactory tmf = TrustManagerFactory
-                    .getInstance(trustManagerFactoryAlgorithm);
-            tmf.init(ts);
-
-            trustManagers = tmf.getTrustManagers();
+            if (tsw.trustStorePath != null)
+            {
+                final KeyStore ts = SSLUtil.getInitializedKeyStore(tsw.trustStorePath,
+                        tsw.trustStorePassword, tsw.trustStoreType);
+                final TrustManagerFactory tmf = TrustManagerFactory
+                        .getInstance(tsw.trustManagerFactoryAlgorithm);
+                tmf.init(ts);
+                TrustManager[] delegateManagers = tmf.getTrustManagers();
+                for (TrustManager tm : delegateManagers)
+                {
+                    if (tm instanceof X509TrustManager)
+                    {
+                        if (Boolean.TRUE.equals(tsw.trustStorePeersOnly))
+                        {
+                            // truststore is supposed to trust only clients which peers certificates
+                            // are directly in the store. CA signing will not be considered.
+                            mulTrustManager.addTrustManager(new QpidPeersOnlyTrustManager(ts, (X509TrustManager) tm));
+                        }
+                        else
+                        {
+                            mulTrustManager.addTrustManager((X509TrustManager) tm);
+                        }
+                    }
+                    else
+                    {
+                        trustManagersCol.add(tm);
+                    }
+                }
+            }
         }
-        else
+        if (! mulTrustManager.isEmpty())
+        {
+            trustManagersCol.add(mulTrustManager);
+        }
+        
+        if (trustManagersCol.isEmpty())
         {
             trustManagers = null;
         }
+        else
+        {
+            trustManagers = trustManagersCol.toArray(new TrustManager[trustManagersCol.size()]);
+        }
 
         if (keyStorePath != null)
         {