Added:
trunk/jsslutils/src/main/java/org/jsslutils/sslcontext/X509KeyManagerWrapper.java
- copied, changed from r81,
/trunk/jsslutils/src/main/java/org/jsslutils/sslcontext/trustmanagers/TrustAllClientsWrappingTrustManager.java
trunk/jsslutils/src/main/java/org/jsslutils/sslcontext/X509TrustManagerWrapper.java
- copied, changed from r81,
/trunk/jsslutils/src/main/java/org/jsslutils/sslcontext/X509WrappingTrustManager.java
trunk/jsslutils/src/main/java/org/jsslutils/sslcontext/keymanagers/FixedServerAliasKeyManager.java
trunk/jsslutils/src/test/java/org/jsslutils/sslcontext/test/NoTrustStoreTest.java
- copied, changed from r81,
/trunk/jsslutils/src/test/java/org/jsslutils/sslcontext/test/PKIXTestNoCrl.java
trunk/jsslutils/src/test/java/org/jsslutils/sslcontext/test/TrustAllClientsServer.java
- copied, changed from r81,
/trunk/jsslutils/src/test/java/org/jsslutils/sslcontext/test/TrustAllClientsServerTest.java
Removed:
trunk/jsslutils/src/main/java/org/jsslutils/sslcontext/X509WrappingTrustManager.java
trunk/jsslutils/src/test/java/org/jsslutils/sslcontext/test/TrustAllClientsServerTest.java
Modified:
trunk/extra/apachetomcat6/src/main/java/org/jsslutils/extra/apachetomcat6/JSSLutilsJSSESocketFactory.java
trunk/jsslutils/src/main/java/org/jsslutils/keystores/KeyStoreLoader.java
trunk/jsslutils/src/main/java/org/jsslutils/sslcontext/DefaultSSLContextFactory.java
trunk/jsslutils/src/main/java/org/jsslutils/sslcontext/PKIXSSLContextFactory.java
trunk/jsslutils/src/main/java/org/jsslutils/sslcontext/SSLContextFactory.java
trunk/jsslutils/src/main/java/org/jsslutils/sslcontext/X509SSLContextFactory.java
trunk/jsslutils/src/main/java/org/jsslutils/sslcontext/trustmanagers/GsiWrappingTrustManager.java
trunk/jsslutils/src/main/java/org/jsslutils/sslcontext/trustmanagers/TrustAllClientsWrappingTrustManager.java
trunk/jsslutils/src/test/java/org/jsslutils/sslcontext/test/DefaultStoreTest.java
trunk/jsslutils/src/test/java/org/jsslutils/sslcontext/test/PKIXTest.java
trunk/jsslutils/src/test/java/org/jsslutils/sslcontext/test/PKIXTestNoCrl.java
trunk/jsslutils/src/test/java/org/jsslutils/sslcontext/test/SimpleX509Test.java
trunk/testhelpers/src/main/java/org/jsslutils/sslcontext/test/MiniSslClientServer.java
Log:
Reverted to 0.5.x wrappers and added test when no trust store is set.
Modified:
trunk/extra/apachetomcat6/src/main/java/org/jsslutils/extra/apachetomcat6/JSSLutilsJSSESocketFactory.java
==============================================================================
---
trunk/extra/apachetomcat6/src/main/java/org/jsslutils/extra/apachetomcat6/JSSLutilsJSSESocketFactory.java
(original)
+++
trunk/extra/apachetomcat6/src/main/java/org/jsslutils/extra/apachetomcat6/JSSLutilsJSSESocketFactory.java
Sat Apr 18 06:54:57 2009
@@ -290,14 +290,14 @@
if ("true".equalsIgnoreCase(acceptAnyCert)
|| "yes".equalsIgnoreCase(acceptAnyCert)) {
sslContextFactory
- .setTrustManagerWrapper(TrustAllClientsWrappingTrustManager.class);
+ .setTrustManagerWrapper(new
TrustAllClientsWrappingTrustManager.Wrapper());
} else {
String acceptProxyCertsAttr = (String) attributes
.get("acceptProxyCerts");
if ("true".equalsIgnoreCase(acceptProxyCertsAttr)
|| "yes".equalsIgnoreCase(acceptProxyCertsAttr)) {
sslContextFactory
- .setTrustManagerWrapper(GsiWrappingTrustManager.class);
+ .setTrustManagerWrapper(new GsiWrappingTrustManager.Wrapper());
}
}
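Review bot: With `acceptAnyCert` enabled the `else` branch is never reached, so an `acceptProxyCerts` setting in the same connector is silently discarded and client certificates are no longer verified at all — a misconfiguration here downgrades client authentication without leaving a trace. Consider emitting a WARNING through the class's logger when `acceptAnyCert` is set, e.g. `log.warn("acceptAnyCert is enabled: client certificates will not be validated (acceptProxyCerts ignored)")`, so the effective trust policy is visible in the Tomcat log. The enclosing method starts and ends outside this hunk.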
Modified:
trunk/jsslutils/src/main/java/org/jsslutils/keystores/KeyStoreLoader.java
==============================================================================
---
trunk/jsslutils/src/main/java/org/jsslutils/keystores/KeyStoreLoader.java
(original)
+++
trunk/jsslutils/src/main/java/org/jsslutils/keystores/KeyStoreLoader.java
Sat Apr 18 06:54:57 2009
@@ -156,10 +156,7 @@
NoSuchProviderException, IOException, NoSuchAlgorithmException,
CertificateException, UnsupportedCallbackException {
KeyStore keyStore = null;
- if ((password != null) || (this.keyStorePassword != null)
- || (this.keyStoreProvider != null)
- || (this.keyStorePath != null) || (this.keyStoreType != null)) {
-
+ if (this.keyStorePath != null) {
if (this.keyStoreProvider != null) {
keyStore = KeyStore.getInstance(
this.keyStoreType != null ? this.keyStoreType
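Review bot: The new guard `if (this.keyStorePath != null)` changes which configurations load a store: previously a loader configured with only a type, provider or password would still call `KeyStore.getInstance`, whereas now e.g. `keyStoreType=PKCS11` plus a provider but no path returns a null KeyStore with no error. If that is intended (callers must pass `"NONE"` as the path for provider-backed stores, which the next hunk still special-cases), state it in the method's Javadoc, e.g. `@return the loaded KeyStore, or null when no keyStorePath is set; use "NONE" as the path for provider-backed stores such as PKCS11`. Otherwise keep type/provider in the condition so a partially configured store fails loudly instead of silently yielding no keys. The enclosing method continues outside this hunk.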
@@ -172,9 +169,9 @@
}
InputStream keyStoreInputStream = this.keyStoreInputStream;
try {
- keyStoreInputStream = ((this.keyStorePath != null) && (!"NONE"
- .equals(this.keyStorePath))) ? new FileInputStream(
- this.keyStorePath) : null;
+ keyStoreInputStream = (!"NONE".equals(this.keyStorePath)) ? new
FileInputStream(
+ this.keyStorePath)
+ : null;
if (password == null) {
password = this.keyStorePassword;
}
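Review bot: The changed assignment unconditionally overwrites the `keyStoreInputStream` local that was just initialised from `this.keyStoreInputStream` two lines above, so a stream supplied by the caller is never used and is replaced by a `FileInputStream` (or null). If the field is meant as an alternative to a file path, guard it: `if (keyStoreInputStream == null && !"NONE".equals(this.keyStorePath)) keyStoreInputStream = new FileInputStream(this.keyStorePath);`. Also make sure the stream opened here is closed in the `finally` that presumably follows, which lies outside this hunk.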
Modified:
trunk/jsslutils/src/main/java/org/jsslutils/sslcontext/DefaultSSLContextFactory.java
==============================================================================
---
trunk/jsslutils/src/main/java/org/jsslutils/sslcontext/DefaultSSLContextFactory.java
(original)
+++
trunk/jsslutils/src/main/java/org/jsslutils/sslcontext/DefaultSSLContextFactory.java
Sat Apr 18 06:54:57 2009
@@ -2,7 +2,7 @@
This file is part of the jSSLutils library.
-Copyright (c) 2008, The University of Manchester, United Kingdom.
+Copyright (c) 2008-2009, The University of Manchester, United Kingdom.
All rights reserved.
Redistribution and use in source and binary forms, with or without
@@ -63,7 +63,7 @@
public final static String SECURERANDOM_PROVIDER_NAME_PROP
= "org.jsslutils.prop.secureRandomProvider";
public final static String SECURERANDOM_ALGORITHM_PROP
= "org.jsslutils.prop.secureRandomAlgorithm";
- private String contextProtocol = "SSLv3";
+ private String contextProtocol = "TLS";
private Provider contextProvider = null;
private Provider secureRandomProvider = null;
private String defaultSecureRandomAlgorithm = null;
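Review bot: Switching the default `contextProtocol` from "SSLv3" to "TLS" is the right direction, but the protocol name given to `SSLContext.getInstance` only selects the provider implementation; as far as I know a SunJSSE "TLS" context of this era still enables SSLv3 (and SSLv2Hello) on the sockets and engines it creates. If the intent is to stop negotiating SSLv3, callers still need `setEnabledProtocols(...)` on the resulting socket or engine, so a comment on the field is warranted, e.g. `// "TLS" selects the implementation; it does not by itself disable SSLv3 on created sockets`. The setter hunk below makes the same change and would benefit from the same remark.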
@@ -102,7 +102,7 @@
if (contextProtocol != null) {
this.contextProtocol = contextProtocol;
} else {
- this.contextProtocol = "SSLv3";
+ this.contextProtocol = "TLS";
}
}
Modified:
trunk/jsslutils/src/main/java/org/jsslutils/sslcontext/PKIXSSLContextFactory.java
==============================================================================
---
trunk/jsslutils/src/main/java/org/jsslutils/sslcontext/PKIXSSLContextFactory.java
(original)
+++
trunk/jsslutils/src/main/java/org/jsslutils/sslcontext/PKIXSSLContextFactory.java
Sat Apr 18 06:54:57 2009
@@ -2,7 +2,7 @@
This file is part of the jSSLutils library.
-Copyright (c) 2008, The University of Manchester, United Kingdom.
+Copyright (c) 2008-2009, The University of Manchester, United Kingdom.
All rights reserved.
Redistribution and use in source and binary forms, with or without
Modified:
trunk/jsslutils/src/main/java/org/jsslutils/sslcontext/SSLContextFactory.java
==============================================================================
---
trunk/jsslutils/src/main/java/org/jsslutils/sslcontext/SSLContextFactory.java
(original)
+++
trunk/jsslutils/src/main/java/org/jsslutils/sslcontext/SSLContextFactory.java
Sat Apr 18 06:54:57 2009
@@ -2,7 +2,7 @@
This file is part of the jSSLutils library.
-Copyright (c) 2008, The University of Manchester, United Kingdom.
+Copyright (c) 2008-2009, The University of Manchester, United Kingdom.
All rights reserved.
Redistribution and use in source and binary forms, with or without
Copied:
trunk/jsslutils/src/main/java/org/jsslutils/sslcontext/X509KeyManagerWrapper.java
(from r81,
/trunk/jsslutils/src/main/java/org/jsslutils/sslcontext/trustmanagers/TrustAllClientsWrappingTrustManager.java)
==============================================================================
---
/trunk/jsslutils/src/main/java/org/jsslutils/sslcontext/trustmanagers/TrustAllClientsWrappingTrustManager.java
(original)
+++
trunk/jsslutils/src/main/java/org/jsslutils/sslcontext/X509KeyManagerWrapper.java
Sat Apr 18 06:54:57 2009
@@ -2,7 +2,7 @@
This file is part of the jSSLutils library.
-Copyright (c) 2008, The University of Manchester, United Kingdom.
+Copyright (c) 2008-2009, The University of Manchester, United Kingdom.
All rights reserved.
Redistribution and use in source and binary forms, with or without
@@ -33,43 +33,28 @@
-----------------------------------------------------------------------*/
-package org.jsslutils.sslcontext.trustmanagers;
+package org.jsslutils.sslcontext;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-
-import javax.net.ssl.X509TrustManager;
-
-import org.jsslutils.sslcontext.X509WrappingTrustManager;
+import javax.net.ssl.X509KeyManager;
/**
- * TrustManager that accepts all client certificates as trusted.
+ * This interface represents a wrapper for an X509KeyManager. This is
intended
+ * to provide a way to customize KeyManagers in the X509SSLContextFactory
(or
+ * subclasses). On potential use would be to build X509ExtendedKeyManagers
that
+ * delegate the defaulf behaviour to the wrapped X609KeyManager but
implement
+ * the methods that choose the alias of the certificate to provide when
+ * establishing the connection.
*
* @author Bruno Harbulot.
+ * @see javax.net.ssl.X509ExtendedKeyManager
*/
-public class TrustAllClientsWrappingTrustManager extends
- X509WrappingTrustManager {
+public interface X509KeyManagerWrapper {
/**
- * Creates a new instance from an existing X509TrustManager.
+ * Builds an X509KeyManager from another X509KeyManager.
*
- * @param trustManager
- * X509TrustManager to wrap.
- */
- public TrustAllClientsWrappingTrustManager(X509TrustManager trustManager)
{
- super(trustManager);
- }
-
- /**
- * Checks that the client is trusted; in this case, it accepts anything.
- */
- public void checkClientTrusted(X509Certificate[] chain, String authType)
- throws CertificateException {
- }
-
- /**
- * Returns the accepted issuers; in this case, it's an empty array.
+ * @param keyManager
+ * original X509KeyManager.
+ * @return wrapped X509KeyManager.
*/
- public X509Certificate[] getAcceptedIssuers() {
- return new X509Certificate[0];
- }
-}
\ No newline at end of file
+ public X509KeyManager wrapKeyManager(X509KeyManager keyManager);
+}
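Review bot: The interface Javadoc has three typos that make the API description hard to read: "On potential use" → "One potential use", "defaulf" → "default", and "X609KeyManager" → "X509KeyManager". The corrected sentence would read `One potential use would be to build X509ExtendedKeyManagers that delegate the default behaviour to the wrapped X509KeyManager but implement the methods that choose the alias of the certificate to provide when establishing the connection.` It is also worth stating on `wrapKeyManager` that the result must not be null, since `X509SSLContextFactory.getKeyManagers` stores it straight into the array handed to `SSLContext.init`.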
Modified:
trunk/jsslutils/src/main/java/org/jsslutils/sslcontext/X509SSLContextFactory.java
==============================================================================
---
trunk/jsslutils/src/main/java/org/jsslutils/sslcontext/X509SSLContextFactory.java
(original)
+++
trunk/jsslutils/src/main/java/org/jsslutils/sslcontext/X509SSLContextFactory.java
Sat Apr 18 06:54:57 2009
@@ -2,7 +2,7 @@
This file is part of the jSSLutils library.
-Copyright (c) 2008, The University of Manchester, United Kingdom.
+Copyright (c) 2008-2009, The University of Manchester, United Kingdom.
All rights reserved.
Redistribution and use in source and binary forms, with or without
@@ -36,8 +36,6 @@
package org.jsslutils.sslcontext;
import java.io.IOException;
-import java.lang.reflect.Constructor;
-import java.lang.reflect.InvocationTargetException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
@@ -52,6 +50,7 @@
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
@@ -94,7 +93,8 @@
private CallbackHandler keyStorePasswordCallbackHandler;
private CallbackHandler trustStorePasswordCallbackHandler;
- private Class<? extends X509WrappingTrustManager> trustManagerWrapper;
+ private X509KeyManagerWrapper keyManagerWrapper;
+ private X509TrustManagerWrapper trustManagerWrapper;
/**
* Builds an SSLContextFactory using the SunX509 algorithm in the
@@ -146,50 +146,31 @@
super.configure(properties);
try {
if (getKeyStore() == null) {
- String keyStorePath = properties
- .getProperty(KEYSTORE_FILE_PROP);
- String keyStoreType = properties
- .getProperty(KEYSTORE_TYPE_PROP);
- String keyStoreProvider = properties
- .getProperty(KEYSTORE_PROVIDER_PROP);
- String keyStorePassword = properties
- .getProperty(KEYSTORE_PASSWORD_PROP);
- if ((keyStorePath != null) || (keyStoreType != null)
- || (keyStoreProvider != null)
- || (keyStorePassword != null)) {
- KeyStoreLoader ksl = new KeyStoreLoader();
- ksl.setKeyStorePath(keyStorePath);
- ksl.setKeyStoreType(keyStoreType);
- ksl.setKeyStoreProvider(keyStoreProvider);
- ksl.setKeyStorePassword(keyStorePassword);
- ksl
-
.setKeyStorePasswordCallbackHandler(this.keyStorePasswordCallbackHandler);
- this.keyStore = ksl.loadKeyStore();
- }
+ KeyStoreLoader ksl = new KeyStoreLoader();
+ ksl.setKeyStorePath(properties.getProperty(KEYSTORE_FILE_PROP));
+ ksl.setKeyStoreType(properties.getProperty(KEYSTORE_TYPE_PROP));
+ ksl.setKeyStoreProvider(properties
+ .getProperty(KEYSTORE_PROVIDER_PROP));
+ ksl.setKeyStorePassword(properties
+ .getProperty(KEYSTORE_PASSWORD_PROP));
+ ksl
+
.setKeyStorePasswordCallbackHandler(this.keyStorePasswordCallbackHandler);
+ this.keyStore = ksl.loadKeyStore();
}
if (getTrustStore() == null) {
- String trustStorePath = properties
- .getProperty(TRUSTSTORE_FILE_PROP);
- String trustStoreType = properties
- .getProperty(TRUSTSTORE_TYPE_PROP);
- String trustStoreProvider = properties
- .getProperty(TRUSTSTORE_PROVIDER_PROP);
- String trustStorePassword = properties
- .getProperty(TRUSTSTORE_PASSWORD_PROP);
-
- if ((trustStorePath != null) || (trustStoreType != null)
- || (trustStoreProvider != null)
- || (trustStorePassword != null)) {
- KeyStoreLoader ksl = new KeyStoreLoader();
- ksl.setKeyStorePath(trustStorePath);
- ksl.setKeyStoreType(trustStoreType);
- ksl.setKeyStoreProvider(trustStoreProvider);
- ksl.setKeyStorePassword(trustStorePassword);
- ksl
-
.setKeyStorePasswordCallbackHandler(this.trustStorePasswordCallbackHandler);
- this.trustStore = ksl.loadKeyStore();
- }
+ KeyStoreLoader ksl = new KeyStoreLoader();
+ ksl.setKeyStorePath(properties
+ .getProperty(TRUSTSTORE_FILE_PROP));
+ ksl.setKeyStoreType(properties
+ .getProperty(TRUSTSTORE_TYPE_PROP));
+ ksl.setKeyStoreProvider(properties
+ .getProperty(TRUSTSTORE_PROVIDER_PROP));
+ ksl.setKeyStorePassword(properties
+ .getProperty(TRUSTSTORE_PASSWORD_PROP));
+ ksl
+
.setKeyStorePasswordCallbackHandler(this.trustStorePasswordCallbackHandler);
+ this.trustStore = ksl.loadKeyStore();
}
} catch (KeyStoreException e) {
throw new SSLContextFactoryException(e);
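Review bot: With the "any property set" guard removed, both branches now build a `KeyStoreLoader` unconditionally and rely on `loadKeyStore()` returning null when the file property is absent; that coupling is invisible here and an unset `KEYSTORE_FILE_PROP` now silently leaves `keyStore`/`trustStore` null instead of being skipped explicitly. A one-line comment at each `loadKeyStore()` call would preserve the intent, e.g. `// loadKeyStore() yields null when no path is configured, so the store stays unset`. Note also that the store passwords still arrive as plain `String`s from the `Properties` object, so they cannot be wiped after use; that predates this commit but is worth a remark in the method's Javadoc. `configure` continues outside this hunk.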
@@ -295,8 +276,8 @@
*
* @return Key managers corresponding to the key store.
*/
- @Override
- public KeyManager[] getKeyManagers() throws SSLContextFactoryException {
+ protected KeyManager[] getRawKeyManagers()
+ throws SSLContextFactoryException {
if (this.keyStore != null) {
try {
KeyManagerFactory kmf = KeyManagerFactory
@@ -335,6 +316,49 @@
}
/**
+ * Sets the key manager wrapper.
+ *
+ * @param keyManagerWrapper
+ */
+ public void setKeyManagerWrapper(X509KeyManagerWrapper keyManagerWrapper)
{
+ this.keyManagerWrapper = keyManagerWrapper;
+ }
+
+ /**
+ * Gets the trust managers. If a trust manager wrapper has been set, the
+ * "raw" trust managers will be wrapped.
+ *
+ * @return trust managers.
+ */
+ @Override
+ public KeyManager[] getKeyManagers() throws SSLContextFactoryException {
+ KeyManager[] keyManagers = getRawKeyManagers();
+ X509KeyManagerWrapper wrapper = this.keyManagerWrapper;
+ if ((wrapper != null) && (keyManagers != null)) {
+ try {
+ for (int i = 0; i < keyManagers.length; i++) {
+ if (keyManagers[i] instanceof X509KeyManager)
+ keyManagers[i] = wrapper
+ .wrapKeyManager((X509KeyManager) keyManagers[i]);
+ }
+ } catch (SecurityException e) {
+ LOGGER
+ .log(
+ Level.WARNING,
+ "Error when instantiating the wrapping trust manager. Falling back
to unwrapped manager.",
+ e);
+ } catch (IllegalArgumentException e) {
+ LOGGER
+ .log(
+ Level.WARNING,
+ "Error when instantiating the wrapping trust manager. Falling back
to unwrapped manager.",
+ e);
+ }
+ }
+ return keyManagers;
+ }
+
+ /**
* Builds TrustManagers from the trust store provided in the constructor,
* using a SunX509 TrustManagerFactory.
*
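Review bot: The Javadoc and both log messages in the new `getKeyManagers` were copied from the trust-manager version and still say "Gets the trust managers" and "wrapping trust manager", so a failed key-manager wrap will be reported as a trust-manager problem in the logs; the summary should read `Gets the key managers. If a key manager wrapper has been set, the "raw" key managers will be wrapped.` and the messages `"Error when wrapping the key manager. Falling back to unwrapped managers."`. More importantly, the catch blocks sit outside the loop, so an exception on element i leaves elements 0..i-1 wrapped and the rest raw, and the returned array is a mix rather than the "unwrapped manager" the message promises. Wrapping into a copy and returning the original on failure keeps the fallback honest; alternatively let the exception propagate as `SSLContextFactoryException`.
```java
    public KeyManager[] getKeyManagers() throws SSLContextFactoryException {
        KeyManager[] keyManagers = getRawKeyManagers();
        X509KeyManagerWrapper wrapper = this.keyManagerWrapper;
        if ((wrapper == null) || (keyManagers == null)) {
            return keyManagers;
        }
        // Wrap into a copy so a failure part-way leaves the raw array intact.
        KeyManager[] wrapped = keyManagers.clone();
        try {
            for (int i = 0; i < wrapped.length; i++) {
                if (wrapped[i] instanceof X509KeyManager) {
                    wrapped[i] = wrapper.wrapKeyManager((X509KeyManager) wrapped[i]);
                }
            }
            return wrapped;
        } catch (SecurityException e) {
            LOGGER.log(Level.WARNING, "Error when wrapping the key manager. Falling back to unwrapped managers.", e);
        } catch (IllegalArgumentException e) {
            LOGGER.log(Level.WARNING, "Error when wrapping the key manager. Falling back to unwrapped managers.", e);
        }
        return keyManagers;
    }
```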
@@ -364,7 +388,7 @@
* @param trustManagerWrapper
*/
public void setTrustManagerWrapper(
- Class<? extends X509WrappingTrustManager> trustManagerWrapper) {
+ X509TrustManagerWrapper trustManagerWrapper) {
this.trustManagerWrapper = trustManagerWrapper;
}
@@ -377,13 +401,13 @@
@Override
public TrustManager[] getTrustManagers() throws
SSLContextFactoryException {
TrustManager[] trustManagers = getRawTrustManagers();
- if (this.trustManagerWrapper != null) {
+ X509TrustManagerWrapper wrapper = this.trustManagerWrapper;
+ if ((wrapper != null) && (trustManagers != null)) {
try {
- Constructor<? extends X509WrappingTrustManager> constructor =
this.trustManagerWrapper
- .getConstructor(X509TrustManager.class);
for (int i = 0; i < trustManagers.length; i++) {
- trustManagers[i] = constructor
- .newInstance(trustManagers[i]);
+ if (trustManagers[i] instanceof X509TrustManager)
+ trustManagers[i] = wrapper
+ .wrapTrustManager((X509TrustManager) trustManagers[i]);
}
} catch (SecurityException e) {
LOGGER
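Review bot: The catch blocks still wrap the whole loop, so if `wrapTrustManager` throws on the second manager the first stays wrapped while the rest stay raw, and the array handed to `SSLContext.init` mixes two trust policies instead of "falling back to unwrapped manager" as logged. Now that wrapping is a plain interface call rather than reflection, a `SecurityException` or `IllegalArgumentException` can only come from the wrapper implementation itself, so either propagate it as `SSLContextFactoryException` or wrap into a copy first (`TrustManager[] wrapped = trustManagers.clone();`) and return the original array on failure. Falling back to the raw managers is the stricter outcome here (a GSI proxy client would be rejected rather than accepted), which is acceptable but deserves a comment such as `// on failure keep the raw (stricter) trust managers`. The rest of the exception handling is in the following hunk.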
@@ -392,30 +416,6 @@
"Error when instantiating the wrapping trust manager. Falling back
to unwrapped manager.",
e);
} catch (IllegalArgumentException e) {
- LOGGER
- .log(
- Level.WARNING,
- "Error when instantiating the wrapping trust manager. Falling back
to unwrapped manager.",
- e);
- } catch (NoSuchMethodException e) {
- LOGGER
- .log(
- Level.WARNING,
- "Error when instantiating the wrapping trust manager. Falling back
to unwrapped manager.",
- e);
- } catch (InstantiationException e) {
- LOGGER
- .log(
- Level.WARNING,
- "Error when instantiating the wrapping trust manager. Falling back
to unwrapped manager.",
- e);
- } catch (IllegalAccessException e) {
- LOGGER
- .log(
- Level.WARNING,
- "Error when instantiating the wrapping trust manager. Falling back
to unwrapped manager.",
- e);
- } catch (InvocationTargetException e) {
LOGGER
.log(
Level.WARNING,
Copied:
trunk/jsslutils/src/main/java/org/jsslutils/sslcontext/X509TrustManagerWrapper.java
(from r81,
/trunk/jsslutils/src/main/java/org/jsslutils/sslcontext/X509WrappingTrustManager.java)
==============================================================================
---
/trunk/jsslutils/src/main/java/org/jsslutils/sslcontext/X509WrappingTrustManager.java
(original)
+++
trunk/jsslutils/src/main/java/org/jsslutils/sslcontext/X509TrustManagerWrapper.java
Sat Apr 18 06:54:57 2009
@@ -2,7 +2,7 @@
This file is part of the jSSLutils library.
-Copyright (c) 2008, The University of Manchester, United Kingdom.
+Copyright (c) 2008-2009, The University of Manchester, United Kingdom.
All rights reserved.
Redistribution and use in source and binary forms, with or without
@@ -35,49 +35,22 @@
package org.jsslutils.sslcontext;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-
import javax.net.ssl.X509TrustManager;
/**
- * Abstract Trust Manager that wraps another one.
+ * This interface represents a wrapper for an X509TrustManager. This is
intended
+ * to provide a way to customize TrustManagers in the
X509SSLContextFactory (or
+ * subclasses).
*
* @author Bruno Harbulot.
*/
-public abstract class X509WrappingTrustManager implements X509TrustManager
{
- protected final X509TrustManager trustManager;
-
+public interface X509TrustManagerWrapper {
/**
- * Creates a new instance from an existing X509TrustManager.
+ * Builds an X509TrustManager from another X509TrustManager.
*
* @param trustManager
- * X509TrustManager to wrap.
- */
- public X509WrappingTrustManager(X509TrustManager trustManager) {
- this.trustManager = trustManager;
- }
-
- /**
- * Delegates call to wrapped X509TrustManager.
- */
- public void checkClientTrusted(X509Certificate[] chain, String authType)
- throws CertificateException {
- this.trustManager.checkClientTrusted(chain, authType);
- }
-
- /**
- * Delegates call to wrapped X509TrustManager.
- */
- public void checkServerTrusted(X509Certificate[] chain, String authType)
- throws CertificateException {
- this.trustManager.checkServerTrusted(chain, authType);
- }
-
- /**
- * Delegates call to wrapped X509TrustManager.
+ * original X509TrustManager.
+ * @return wrapped X509TrustManager.
*/
- public X509Certificate[] getAcceptedIssuers() {
- return this.trustManager.getAcceptedIssuers();
- }
-}
\ No newline at end of file
+ public X509TrustManager wrapTrustManager(X509TrustManager trustManager);
+}
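Review bot: The contract of `wrapTrustManager` should say more than "builds an X509TrustManager from another": the factory stores the return value directly into the `TrustManager[]` passed to `SSLContext.init`, so a null return would break the context, and the method is invoked once per `X509TrustManager` found in the raw array, so implementations must not assume a single call. Suggested additions to the method Javadoc: `The returned manager must not be null and is used in place of the original for every connection created from the resulting SSLContext; implementations are called once per X509TrustManager in the raw array.`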
Added:
trunk/jsslutils/src/main/java/org/jsslutils/sslcontext/keymanagers/FixedServerAliasKeyManager.java
==============================================================================
--- (empty file)
+++
trunk/jsslutils/src/main/java/org/jsslutils/sslcontext/keymanagers/FixedServerAliasKeyManager.java
Sat Apr 18 06:54:57 2009
@@ -0,0 +1,163 @@
+/*-----------------------------------------------------------------------
+
+ This file is part of the jSSLutils library.
+
+Copyright (c) 2008-2009, The University of Manchester, United Kingdom.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+ * Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ * Neither the name of the The University of Manchester nor the names of
+ its contributors may be used to endorse or promote products derived
+ from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
+
+ Author........: Bruno Harbulot
+
+-----------------------------------------------------------------------*/
+
+package org.jsslutils.sslcontext.keymanagers;
+
+import java.net.Socket;
+import java.security.Principal;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+
+import javax.net.ssl.X509KeyManager;
+
+import org.jsslutils.sslcontext.X509KeyManagerWrapper;
+
+/**
+ * This is an X509KeyManager that will always choose the server alias name
it
+ * has been constructed with.
+ *
+ * @author Bruno Harbulot.
+ */
+public class FixedServerAliasKeyManager implements X509KeyManager {
+ private final X509KeyManager keyManager;
+ private final String alias;
+
+ /**
+ * Creates a new instance from an existing X509KeyManager.
+ *
+ * @param keyManager
+ * X509KeyManager to wrap.
+ * @param alias
+ * alias to use to choose a key for the server sockets.
+ */
+ public FixedServerAliasKeyManager(X509KeyManager keyManager, String
alias) {
+ this.keyManager = keyManager;
+ this.alias = alias;
+ }
+
+ /**
+ * Relays the call to the wrapped X509KeyManager.
+ *
+ * @see javax.net.ssl.X509KeyManager#chooseClientAlias(java.lang.String[],
+ * java.security.Principal[], java.net.Socket)
+ */
+ public String chooseClientAlias(String[] keyType, Principal[] issuers,
+ Socket socket) {
+ return this.keyManager.chooseClientAlias(keyType, issuers, socket);
+ }
+
+ /**
+ * Returns the alias this instance has been constructed with, regardless
of
+ * any other parameters.
+ *
+ * @return The alias passed to the constructor.
+ * @see javax.net.ssl.X509KeyManager#chooseServerAlias(java.lang.String,
+ * java.security.Principal[], java.net.Socket)
+ */
+ public String chooseServerAlias(String keyType, Principal[] issuers,
+ Socket socket) {
+ return this.alias;
+ }
+
+ /**
+ * Relays the call to the wrapped X509KeyManager.
+ *
+ * @see javax.net.ssl.X509KeyManager#getCertificateChain(java.lang.String)
+ */
+ public X509Certificate[] getCertificateChain(String alias) {
+ return this.keyManager.getCertificateChain(alias);
+ }
+
+ /**
+ * Relays the call to the wrapped X509KeyManager.
+ *
+ * @see javax.net.ssl.X509KeyManager#getClientAliases(java.lang.String,
+ * java.security.Principal[])
+ */
+ public String[] getClientAliases(String keyType, Principal[] issuers) {
+ return this.keyManager.getClientAliases(keyType, issuers);
+ }
+
+ /**
+ * Relays the call to the wrapped X509KeyManager.
+ *
+ * @see javax.net.ssl.X509KeyManager#getPrivateKey(java.lang.String)
+ */
+ public PrivateKey getPrivateKey(String alias) {
+ return this.keyManager.getPrivateKey(alias);
+ }
+
+ /**
+ * Relays the call to the wrapped X509KeyManager.
+ *
+ * @see javax.net.ssl.X509KeyManager#getServerAliases(java.lang.String,
+ * java.security.Principal[])
+ */
+ public String[] getServerAliases(String keyType, Principal[] issuers) {
+ return this.keyManager.getServerAliases(keyType, issuers);
+ }
+
+ /**
+ * Wrapper factory class that wraps existing X509KeyManagers into
+ * FixedServerAliasKeyManager, with the alias passed to the constructor.
+ *
+ * @author Bruno Harbulot.
+ */
+ public static class Wrapper implements X509KeyManagerWrapper {
+ private String alias;
+
+ /**
+ * Creates a new FixedServerAliasKeyManager wrapper, using the alias
+ * passed to this constructor.
+ *
+ * @param alias
+ * alias to choose for the server socket.
+ */
+ public Wrapper(String alias) {
+ this.alias = alias;
+ }
+
+ /**
+ * Builds an X509KeyManager from another X509KeyManager.
+ *
+ * @param keyManager
+ * original X509KeyManager.
+ * @return wrapped X509KeyManager.
+ */
+ public X509KeyManager wrapKeyManager(X509KeyManager keyManager) {
+ return new FixedServerAliasKeyManager(keyManager, alias);
+ }
+ }
+}
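Review bot: `chooseServerAlias` returns the configured alias without ever checking that it exists in the wrapped key manager or that its key matches the requested `keyType`, so a typo in the alias, or an RSA-only alias asked for under an EC/DSA key type, is only discovered as a handshake failure (or, depending on the provider, as a certificate served with the wrong key type) rather than at configuration time. Validating the alias against the wrapped manager and returning null on mismatch lets JSSE behave as if no key of that type were available, which is the documented semantics of a null return; the algorithm-name comparison assumes the provider uses the same names for `keyType` and `PrivateKey.getAlgorithm()`, which holds for RSA/DSA/EC in SunJSSE as far as I know, so worth confirming. `Wrapper.alias` should also be `final`, and `Wrapper(String alias)` should reject null.
```java
    public String chooseServerAlias(String keyType, Principal[] issuers,
            Socket socket) {
        // Hand back the fixed alias only if it resolves to a key of the
        // requested type; otherwise return null so JSSE does not proceed
        // with a missing or mismatched key.
        PrivateKey key = this.keyManager.getPrivateKey(this.alias);
        if (key == null) {
            return null;
        }
        if (keyType != null && !keyType.equalsIgnoreCase(key.getAlgorithm())) {
            return null;
        }
        return this.alias;
    }
```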
Modified:
trunk/jsslutils/src/main/java/org/jsslutils/sslcontext/trustmanagers/GsiWrappingTrustManager.java
==============================================================================
---
trunk/jsslutils/src/main/java/org/jsslutils/sslcontext/trustmanagers/GsiWrappingTrustManager.java
(original)
+++
trunk/jsslutils/src/main/java/org/jsslutils/sslcontext/trustmanagers/GsiWrappingTrustManager.java
Sat Apr 18 06:54:57 2009
@@ -2,7 +2,7 @@
This file is part of the jSSLutils library.
-Copyright (c) 2008, The University of Manchester, United Kingdom.
+Copyright (c) 2008-2009, The University of Manchester, United Kingdom.
All rights reserved.
Redistribution and use in source and binary forms, with or without
@@ -45,7 +45,7 @@
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;
-import org.jsslutils.sslcontext.X509WrappingTrustManager;
+import org.jsslutils.sslcontext.X509TrustManagerWrapper;
/**
* TrustManager that accepts GSI proxy certificates (clients). The aim is
to
@@ -53,7 +53,9 @@
*
* @author Bruno Harbulot.
*/
-public class GsiWrappingTrustManager extends X509WrappingTrustManager {
+public class GsiWrappingTrustManager implements X509TrustManager {
+ private final X509TrustManager trustManager;
+
/**
* Creates a new instance from an existing X509TrustManager.
*
@@ -61,7 +63,7 @@
* X509TrustManager to wrap.
*/
public GsiWrappingTrustManager(X509TrustManager trustManager) {
- super(trustManager);
+ this.trustManager = trustManager;
}
/**
@@ -88,7 +90,7 @@
for (int i = nonCACertIndex; i < chain.length; i++) {
normalChain[i - nonCACertIndex] = chain[i];
}
- this.trustManager.checkClientTrusted(normalChain, authType);
+ trustManager.checkClientTrusted(normalChain, authType);
/*
* Walk through the rest of the chain to check that the subsequent
@@ -177,6 +179,42 @@
if (subjectDN.startsWith("CN=limited proxy")) {
prevIsLimited = true;
}
+ }
+ }
+
+ /**
+ * Checks that the server is trusted; in this case, it delegates this
check
+ * to the trust manager it wraps.
+ */
+ public void checkServerTrusted(X509Certificate[] chain, String authType)
+ throws CertificateException {
+ this.trustManager.checkServerTrusted(chain, authType);
+ }
+
+ /**
+ * Returns the accepted issuers; in this case, it delegates this to the
+ * trust manager it wraps.
+ */
+ public X509Certificate[] getAcceptedIssuers() {
+ return this.trustManager.getAcceptedIssuers();
+ }
+
+ /**
+ * Wrapper factory class that wraps existing X509TrustManagers into
+ * GsiWrappingTrustManagers.
+ *
+ * @author Bruno Harbulot.
+ */
+ public static class Wrapper implements X509TrustManagerWrapper {
+ /**
+ * Builds an X509TrustManager from another X509TrustManager.
+ *
+ * @param trustManager
+ * original X509TrustManager.
+ * @return wrapped X509TrustManager.
+ */
+ public X509TrustManager wrapTrustManager(X509TrustManager trustManager) {
+ return new GsiWrappingTrustManager((X509TrustManager) trustManager);
}
}
}
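Review bot: The cast `(X509TrustManager) trustManager` in `Wrapper.wrapTrustManager` is redundant, as the parameter already has that type, and reads like a leftover from the reflection-based version; `return new GsiWrappingTrustManager(trustManager);` is enough. Because the wrapped manager is only dereferenced at handshake time, a null passed to the constructor surfaces as a `NullPointerException` inside `checkClientTrusted` on the first connection rather than when the factory is configured, so the constructor should reject it up front: `if (trustManager == null) throw new IllegalArgumentException("trustManager must not be null");`. `checkClientTrusted` itself begins outside this hunk.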
Modified:
trunk/jsslutils/src/main/java/org/jsslutils/sslcontext/trustmanagers/TrustAllClientsWrappingTrustManager.java
==============================================================================
---
trunk/jsslutils/src/main/java/org/jsslutils/sslcontext/trustmanagers/TrustAllClientsWrappingTrustManager.java
(original)
+++
trunk/jsslutils/src/main/java/org/jsslutils/sslcontext/trustmanagers/TrustAllClientsWrappingTrustManager.java
Sat Apr 18 06:54:57 2009
@@ -2,7 +2,7 @@
This file is part of the jSSLutils library.
-Copyright (c) 2008, The University of Manchester, United Kingdom.
+Copyright (c) 2008-2009, The University of Manchester, United Kingdom.
All rights reserved.
Redistribution and use in source and binary forms, with or without
@@ -40,15 +40,16 @@
import javax.net.ssl.X509TrustManager;
-import org.jsslutils.sslcontext.X509WrappingTrustManager;
+import org.jsslutils.sslcontext.X509TrustManagerWrapper;
/**
* TrustManager that accepts all client certificates as trusted.
*
* @author Bruno Harbulot.
*/
-public class TrustAllClientsWrappingTrustManager extends
- X509WrappingTrustManager {
+public class TrustAllClientsWrappingTrustManager implements
X509TrustManager {
+ private final X509TrustManager trustManager;
+
/**
* Creates a new instance from an existing X509TrustManager.
*
@@ -56,7 +57,7 @@
* X509TrustManager to wrap.
*/
public TrustAllClientsWrappingTrustManager(X509TrustManager trustManager)
{
- super(trustManager);
+ this.trustManager = trustManager;
}
/**
@@ -67,9 +68,38 @@
}
/**
+ * Checks that the server is trusted; in this case, it delegates this
check
+ * to the trust manager it wraps.
+ */
+ public void checkServerTrusted(X509Certificate[] chain, String authType)
+ throws CertificateException {
+ this.trustManager.checkServerTrusted(chain, authType);
+ }
+
+ /**
* Returns the accepted issuers; in this case, it's an empty array.
*/
public X509Certificate[] getAcceptedIssuers() {
return new X509Certificate[0];
+ }
+
+ /**
+ * Wrapper factory class that wraps existing X509TrustManagers into
+ * X509TrustManagers that trust any clients.
+ *
+ * @author Bruno Harbulot.
+ */
+ public static class Wrapper implements X509TrustManagerWrapper {
+ /**
+ * Builds an X509TrustManager from another X509TrustManager.
+ *
+ * @param trustManager
+ * original X509TrustManager.
+ * @return wrapped X509TrustManager.
+ */
+ public X509TrustManager wrapTrustManager(X509TrustManager trustManager) {
+ return new TrustAllClientsWrappingTrustManager(
+ (X509TrustManager) trustManager);
+ }
}
}
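Review bot: `TrustAllClientsWrappingTrustManager` now implements `X509TrustManager` directly, but its Javadoc still only says it "accepts all client certificates" without spelling out the consequences: the chain passed to `checkClientTrusted` (whose body lies above this hunk) is not validated, so any peer certificate the application later reads from the `SSLSession` is unauthenticated and must be verified by the application itself, and `getAcceptedIssuers()` returning an empty array means the server advertises no CA names in its CertificateRequest, which some clients may take as a cue to send no certificate at all. Add that to the class and `Wrapper` Javadoc, e.g. `WARNING: client certificates are accepted without any validation; authentication of the peer, if required, must be performed by the application.` The cast `(X509TrustManager) trustManager` in `Wrapper.wrapTrustManager` is redundant and can be dropped.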
Modified:
trunk/jsslutils/src/test/java/org/jsslutils/sslcontext/test/DefaultStoreTest.java
==============================================================================
---
trunk/jsslutils/src/test/java/org/jsslutils/sslcontext/test/DefaultStoreTest.java
(original)
+++
trunk/jsslutils/src/test/java/org/jsslutils/sslcontext/test/DefaultStoreTest.java
Sat Apr 18 06:54:57 2009
@@ -2,7 +2,7 @@
This file is part of the jSSLutils library.
-Copyright (c) 2008, The University of Manchester, United Kingdom.
+Copyright (c) 2008-2009, The University of Manchester, United Kingdom.
All rights reserved.
Redistribution and use in source and binary forms, with or without
Copied:
trunk/jsslutils/src/test/java/org/jsslutils/sslcontext/test/NoTrustStoreTest.java
(from r81,
/trunk/jsslutils/src/test/java/org/jsslutils/sslcontext/test/PKIXTestNoCrl.java)
==============================================================================
---
/trunk/jsslutils/src/test/java/org/jsslutils/sslcontext/test/PKIXTestNoCrl.java
(original)
+++
trunk/jsslutils/src/test/java/org/jsslutils/sslcontext/test/NoTrustStoreTest.java
Sat Apr 18 06:54:57 2009
@@ -2,7 +2,7 @@
This file is part of the jSSLutils library.
-Copyright (c) 2008, The University of Manchester, United Kingdom.
+Copyright (c) 2008-2009, The University of Manchester, United Kingdom.
All rights reserved.
Redistribution and use in source and binary forms, with or without
@@ -32,48 +32,57 @@
Author........: Bruno Harbulot
-----------------------------------------------------------------------*/
-
package org.jsslutils.sslcontext.test;
-import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.*;
+
+import java.io.IOException;
+import java.security.KeyManagementException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+import java.util.Properties;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManagerFactory;
import org.jsslutils.sslcontext.PKIXSSLContextFactory;
-import org.jsslutils.sslcontext.test.MiniSslClientServer;
+import org.jsslutils.sslcontext.SSLContextFactory;
import org.junit.Test;
/**
- * Tests the SSLContext configured for PKIX with CRLs. It should accept the
- * "good" certificate but reject the "bad" certificate because it has been
- * revoked.
*
- * @author Bruno Harbulot.
+ * @author Bruno Harbulot
*
*/
-public class PKIXTestNoCrl extends SimpleX509Test {
- @Override
+public class NoTrustStoreTest extends MiniSslClientServer {
+ protected KeyStore clientStore = null;
+ protected SSLContextFactory clientSSLContextFactory;
+ protected SSLContextFactory serverSSLContextFactory;
+
public boolean prepareSSLContextFactories() throws Exception {
PKIXSSLContextFactory clientSSLContextFactory = new
PKIXSSLContextFactory(
- this.clientStore, MiniSslClientServer.KEYSTORE_PASSWORD,
- getCaKeyStore());
+ null, (String) null, getCaKeyStore());
this.clientSSLContextFactory = clientSSLContextFactory;
+
PKIXSSLContextFactory serverSSLContextFactory = new
PKIXSSLContextFactory(
getServerCertKeyStore(), MiniSslClientServer.KEYSTORE_PASSWORD,
- getCaKeyStore());
-
+ null);
this.serverSSLContextFactory = serverSSLContextFactory;
+
return true;
}
- @Test
- public void testGoodClient() throws Exception {
- this.clientStore = getGoodClientCertKeyStore();
- assertTrue("Loaded keystore", true);
- assertTrue(runTest());
+ public boolean runTest() throws Exception {
+ assertTrue(prepareSSLContextFactories());
+ return runTest(clientSSLContextFactory.buildSSLContext(),
+ serverSSLContextFactory.buildSSLContext());
}
@Test
- public void testBadClient() throws Exception {
- this.clientStore = getBadClientCertKeyStore();
+ public void testNonAuthenticatedClient() throws Exception {
+ this.clientStore = null;
assertTrue("Loaded keystore", true);
assertTrue(runTest());
}
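Review bot: The `clientStore` field declared in the new class is assigned in `testNonAuthenticatedClient` but never read: `prepareSSLContextFactories` passes a literal `null` as the client key store, so the field is dead and the two could silently diverge if another test sets it. Either pass `this.clientStore` there or drop the field and the assignment. The class Javadoc now holds only an `@author` tag after the copied description was removed; a one-sentence summary such as `Tests that a client with no key store can complete the handshake against a server built without a trust store.` would say what the test checks — the expected outcome is only implied by the test name and the `null` passed to the server factory, so confirm before wording it. `assertTrue("Loaded keystore", true)` asserts nothing and can be removed.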
Modified:
trunk/jsslutils/src/test/java/org/jsslutils/sslcontext/test/PKIXTest.java
==============================================================================
---
trunk/jsslutils/src/test/java/org/jsslutils/sslcontext/test/PKIXTest.java
(original)
+++
trunk/jsslutils/src/test/java/org/jsslutils/sslcontext/test/PKIXTest.java
Sat Apr 18 06:54:57 2009
@@ -2,7 +2,7 @@
This file is part of the jSSLutils library.
-Copyright (c) 2008, The University of Manchester, United Kingdom.
+Copyright (c) 2008-2009, The University of Manchester, United Kingdom.
All rights reserved.
Redistribution and use in source and binary forms, with or without
Modified:
trunk/jsslutils/src/test/java/org/jsslutils/sslcontext/test/PKIXTestNoCrl.java
==============================================================================
---
trunk/jsslutils/src/test/java/org/jsslutils/sslcontext/test/PKIXTestNoCrl.java
(original)
+++
trunk/jsslutils/src/test/java/org/jsslutils/sslcontext/test/PKIXTestNoCrl.java
Sat Apr 18 06:54:57 2009
@@ -2,7 +2,7 @@
This file is part of the jSSLutils library.
-Copyright (c) 2008, The University of Manchester, United Kingdom.
+Copyright (c) 2008-2009, The University of Manchester, United Kingdom.
All rights reserved.
Redistribution and use in source and binary forms, with or without
@@ -59,7 +59,7 @@
PKIXSSLContextFactory serverSSLContextFactory = new
PKIXSSLContextFactory(
getServerCertKeyStore(), MiniSslClientServer.KEYSTORE_PASSWORD,
getCaKeyStore());
-
+
this.serverSSLContextFactory = serverSSLContextFactory;
return true;
}
Modified:
trunk/jsslutils/src/test/java/org/jsslutils/sslcontext/test/SimpleX509Test.java
==============================================================================
---
trunk/jsslutils/src/test/java/org/jsslutils/sslcontext/test/SimpleX509Test.java
(original)
+++
trunk/jsslutils/src/test/java/org/jsslutils/sslcontext/test/SimpleX509Test.java
Sat Apr 18 06:54:57 2009
@@ -2,7 +2,7 @@
This file is part of the jSSLutils library.
-Copyright (c) 2008, The University of Manchester, United Kingdom.
+Copyright (c) 2008-2009, The University of Manchester, United Kingdom.
All rights reserved.
Redistribution and use in source and binary forms, with or without
Copied:
trunk/jsslutils/src/test/java/org/jsslutils/sslcontext/test/TrustAllClientsServer.java
(from r81,
/trunk/jsslutils/src/test/java/org/jsslutils/sslcontext/test/TrustAllClientsServerTest.java)
==============================================================================
---
/trunk/jsslutils/src/test/java/org/jsslutils/sslcontext/test/TrustAllClientsServerTest.java
(original)
+++
trunk/jsslutils/src/test/java/org/jsslutils/sslcontext/test/TrustAllClientsServer.java
Sat Apr 18 06:54:57 2009
@@ -2,7 +2,7 @@
This file is part of the jSSLutils library.
-Copyright (c) 2008, The University of Manchester, United Kingdom.
+Copyright (c) 2008-2009, The University of Manchester, United Kingdom.
All rights reserved.
Redistribution and use in source and binary forms, with or without
@@ -46,13 +46,13 @@
*
* @author Bruno Harbulot
*/
-public class TrustAllClientsServerTest extends MiniSslClientServer {
+public class TrustAllClientsServer extends MiniSslClientServer {
public void run() throws Exception {
X509SSLContextFactory sslContextFactory = new X509SSLContextFactory(
getServerCertKeyStore(), MiniSslClientServer.KEYSTORE_PASSWORD,
getCaKeyStore());
sslContextFactory
- .setTrustManagerWrapper(TrustAllClientsWrappingTrustManager.class);
+ .setTrustManagerWrapper(new
TrustAllClientsWrappingTrustManager.Wrapper());
SSLServerSocket socket = prepareServerSocket(sslContextFactory
.buildSSLContext());
System.out
@@ -62,7 +62,7 @@
}
public static void main(String[] args) throws Exception {
- TrustAllClientsServerTest test = new TrustAllClientsServerTest();
+ TrustAllClientsServer test = new TrustAllClientsServer();
test.run();
}
}
Modified:
trunk/testhelpers/src/main/java/org/jsslutils/sslcontext/test/MiniSslClientServer.java
==============================================================================
---
trunk/testhelpers/src/main/java/org/jsslutils/sslcontext/test/MiniSslClientServer.java
(original)
+++
trunk/testhelpers/src/main/java/org/jsslutils/sslcontext/test/MiniSslClientServer.java
Sat Apr 18 06:54:57 2009
@@ -63,6 +63,7 @@
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSession;
@@ -247,7 +248,6 @@
null);
result = (cause == null)
|| !(cause instanceof CertPathValidatorException);
- assertNotNull(cause);
if (result == true) {
throw new RuntimeException(sslException);
}
@@ -421,12 +421,18 @@
+ sslSession.getCipherSuite() + "\r\n";
theOutput += "Client certificates: \r\n";
- X509Certificate[] certs = (X509Certificate[]) sslSession
- .getPeerCertificates();
- for (X509Certificate cert : certs) {
- theOutput += " - "
- + cert.getSubjectX500Principal().getName()
- + "\r\n";
+ X509Certificate[] certs = null;
+ try {
+ certs = (X509Certificate[]) sslSession
+ .getPeerCertificates();
+ } catch (SSLPeerUnverifiedException e) {
+ }
+ if (certs != null) {
+ for (X509Certificate cert : certs) {
+ theOutput += " - "
+ + cert.getSubjectX500Principal()
+ .getName() + "\r\n";
+ }
}
}
}
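Review bot: The new `catch (SSLPeerUnverifiedException e) { }` swallows the exception silently, and nothing in the output shows that the client-certificate listing is empty because the peer was not authenticated rather than because of a bug. Naming the variable and stating the reason keeps the intent visible: `} catch (SSLPeerUnverifiedException ignored) { // peer did not authenticate: no client certificate chain to list }`, and appending `theOutput += " - (none)\r\n";` in an `else` branch of `if (certs != null)` makes the printed report distinguish the two cases. The enclosing method starts outside the hunk; the `X509Certificate[]` cast of `getPeerCertificates()` predates this change and is not altered here.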