[Beepcore-java-commits] CVS: beepcore-java/tls/org/beepcore/beep/profile/tls/ptls TLSProfilePureTLS.
From: Huston F. <hu...@us...> - 2001-08-14 14:41:30
Update of /cvsroot/beepcore-java/beepcore-java/tls/org/beepcore/beep/profile/tls/ptls In directory usw-pr-cvs1:/tmp/cvs-serv6581/org/beepcore/beep/profile/tls/ptls Modified Files: TLSProfilePureTLS.java TLSProfilePureTLSPemInit.java Log Message: Fix to terminate session if client authentication fails Index: TLSProfilePureTLS.java =================================================================== RCS file: /cvsroot/beepcore-java/beepcore-java/tls/org/beepcore/beep/profile/tls/ptls/TLSProfilePureTLS.java,v retrieving revision 1.2 retrieving revision 1.3 diff -C2 -r1.2 -r1.3 *** TLSProfilePureTLS.java 2001/07/12 07:09:10 1.2 --- TLSProfilePureTLS.java 2001/08/14 14:41:27 1.3 *************** *** 1,3 **** - /* * TLSProfilePureTLS.java $Revision$ $Date$ --- 1,2 ---- *************** *** 37,40 **** --- 36,40 ---- import java.io.FileInputStream; import java.io.ByteArrayInputStream; + import java.io.IOException; *************** *** 96,99 **** --- 96,101 ---- // property names // public static final String PROPERTY_PEER_AUTHENTICATION_REQUIRED = "Peer Authentication Required"; + public static final String PROPERTY_CLIENT_AUTH_REQUIRED = + "Client Authenticaton Required"; public static final String PROPERTY_CIPHER_SUITE = "Cipher Suite"; public static final String PROPERTY_CERTIFICATES = "Certificates"; *************** *** 241,265 **** policy.negotiateTLS(true); // we don't support SSL v3 ! policy.acceptUnverifiableCertificates(false); ! policy.checkCertificateDates(true); ! policy.requireClientAuth(true); ! needPeerAuth = true; context.setPolicy(policy); - // set whether or not peer must send a certificate - // @todo add support for anonymous but encrypted communication - // if( config.get( PROPERTY_PEER_AUTHENTICATION_REQUIRED ) != null ) { - // if( !config.get( PROPERTY_PEER_AUTHENTICATION_REQUIRED ).getClass().getName().equals( "Boolean" )) { - // throw new BEEPException( "Configuration for " + - // PROPERTY_PEER_AUTHENTICATION_REQUIRED + - // " must be Boolean." 
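Review bot: The new PROPERTY_CLIENT_AUTH_REQUIRED constant misspells its lookup key as "Client Authenticaton Required", so an operator who writes the correctly spelled key in a configuration has it silently ignored. With the surrounding defaults that falls back to requiring client authentication, which is the safe direction, but it will still be reported as "the setting does nothing" and is easy to miss in review. The same misspelled literal is redeclared in TLSProfilePureTLSPemInit later in this commit; fix it once, `public static final String PROPERTY_CLIENT_AUTH_REQUIRED = "Client Authentication Required";`, and have the initializer reference TLSProfilePureTLS.PROPERTY_CLIENT_AUTH_REQUIRED rather than carrying its own copy. If any deployment already relies on the misspelled key, accept both spellings for a transition period.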
); - // } - // needPeerAuth = ((Boolean) config.get( PROPERTY_PEER_AUTHENTICATION_REQUIRED )).booleanValue(); - // policy.requireClientAuth( needPeerAuth ); - // policy.acceptUnverifiableCertificates( true ); - // policy.checkCertificateDates( false ); - // } // set the cipher suites if (config.get(PROPERTY_CIPHER_SUITE) != null) { --- 243,265 ---- policy.negotiateTLS(true); // we don't support SSL v3 ! ! // set whether or not peer must send a certificate ! if (config.get(PROPERTY_CLIENT_AUTH_REQUIRED) instanceof String && ! Boolean.valueOf((String) config.get(PROPERTY_CLIENT_AUTH_REQUIRED )).booleanValue() == false) { ! policy.acceptUnverifiableCertificates(true); ! policy.checkCertificateDates(false); ! policy.requireClientAuth(false); ! ! needPeerAuth = false; ! } else { ! policy.acceptUnverifiableCertificates(false); ! policy.checkCertificateDates(true); ! policy.requireClientAuth(true); ! needPeerAuth = true; ! } context.setPolicy(policy); // set the cipher suites if (config.get(PROPERTY_CIPHER_SUITE) != null) { *************** *** 359,364 **** throws StartChannelException { ! try { ! TCPSession oldSession = (TCPSession) channel.getSession(); // if the data is <ready/> then respond with <proceed/> --- 359,363 ---- throws StartChannelException { ! TCPSession oldSession = (TCPSession) channel.getSession(); // if the data is <ready/> then respond with <proceed/> *************** *** 372,377 **** } ! // Freeze this Peer ! // Send a profile back with data in the 3rd argument this.begin(channel, URI, data); --- 371,380 ---- } ! // Freeze this Peer ! // SSLDebug.setDebug( SSLDebug.DEBUG_ALL ); ! SSLSocket newSocket = null; ! SessionCredential peerCred = null; ! try { ! // Send a profile back with dat "<proceed />" this.begin(channel, URI, data); *************** *** 379,390 **** context.setPolicy(policy); - SessionCredential peerCred = null; Socket oldSocket = oldSession.getSocket(); ! 
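Review bot: The new branch on PROPERTY_CLIENT_AUTH_REQUIRED fails open: `Boolean.valueOf(String)` is false for every string other than a case-insensitive "true", so a typo such as "yes" or "1" lands in the permissive branch and disables client authentication instead of rejecting the misconfiguration. That branch also calls `policy.acceptUnverifiableCertificates(true)` and `policy.checkCertificateDates(false)` on the shared policy, which switches off chain verification and expiry checks for whatever certificate the peer does present — presumably including the server's certificate when this profile acts as the initiator — rather than merely not demanding a client certificate. I would take the permissive path only on an explicit `"false".equalsIgnoreCase((String) config.get(PROPERTY_CLIENT_AUTH_REQUIRED))`, throw a BEEPException for any other non-null value (as the removed commented-out code once did for a wrong type), and keep `acceptUnverifiableCertificates(false)` / `checkCertificateDates(true)` when only `requireClientAuth(false)` is intended — verify against PureTLS that those flags are independent. The enclosing method begins outside this hunk.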
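Review bot: Commented-out debugging code, `// SSLDebug.setDebug( SSLDebug.DEBUG_ALL );`, is being checked in beside the new `newSocket` / `peerCred` declarations; it is dead code whose only effect is to invite someone to switch the TLS library's full debug output on in a production build, where it would presumably write handshake internals to the console. Remove the line, or if it is genuinely needed, drive it from the profile's own log level rather than a comment. The comment on the following line also reads `dat "<proceed />"` where `data` was evidently intended.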
SSLSocket newSocket = new SSLSocket(context, oldSocket.getInputStream(), oldSocket.getOutputStream(), oldSocket.getInetAddress().getHostName(), oldSocket.getPort(), SSLSocket.SERVER); // get the credentials of the peer Vector cc = null; --- 382,406 ---- context.setPolicy(policy); Socket oldSocket = oldSession.getSocket(); ! newSocket = new SSLSocket(context, oldSocket.getInputStream(), oldSocket.getOutputStream(), oldSocket.getInetAddress().getHostName(), oldSocket.getPort(), SSLSocket.SERVER); + } catch (BEEPException e) { + Log.logEntry(Log.SEV_ERROR, e.getMessage()); + e.printStackTrace(); + oldSession.terminate(e.getMessage()); + } catch (SSLThrewAlertException e) { + Log.logEntry(Log.SEV_ERROR, e.getMessage()); + e.printStackTrace(); + oldSession.terminate(e.getMessage()); + } catch (IOException e) { + Log.logEntry(Log.SEV_ERROR, e.getMessage()); + e.printStackTrace(); + oldSession.terminate(e.getMessage()); + } + try { // get the credentials of the peer Vector cc = null; *************** *** 392,395 **** --- 408,430 ---- if (needPeerAuth) { cc = newSocket.getCertificateChain(); + if (cc == null) { + Log.logEntry(Log.SEV_DEBUG_VERBOSE, + "No certificate chain when there should " + + "be one. "); + throw new StartChannelException(550, "No certificate " + + "chain when there " + + "should be one. 
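Review bot: The three new catch blocks around the SSLSocket construction in startChannel call `oldSession.terminate(...)` and then fall through, so `newSocket` is still null when control reaches `newSocket.getCertificateChain()` in the try block that follows, and the handler fails with a NullPointerException instead of a clean error reply. Each block should end by rethrowing, e.g. `throw new StartChannelException(550, e.getMessage());` after the terminate call, which also matches the client-side path later in this diff that rethrows as BEEPException. The blocks are identical apart from the exception type, and `e.printStackTrace()` writes to stderr from library code where the Log call already records the failure; one shared handler without the stack dump would be cleaner. The enclosing startChannel method continues beyond this hunk.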
"); + } + Enumeration enum = cc.elements(); + while (enum.hasMoreElements()) { + X509Cert cert = (X509Cert) enum.nextElement(); + String subject = cert.getSubjectName().getNameString(); + String issuer = cert.getIssuerName().getNameString(); + Log.logEntry(Log.SEV_DEBUG_VERBOSE, + "Name = " + subject + " issued by " + issuer); + } + } else { + Log.logEntry(Log.SEV_DEBUG_VERBOSE, + "No peer authentication needed"); } *************** *** 533,536 **** --- 568,580 ---- oldSocket.getPort(), SSLSocket.CLIENT); + } catch (SSLThrewAlertException e) { + session.terminate(e.getMessage()); + throw new BEEPException(e.getMessage()); + } catch (IOException e) { + session.terminate(e.getMessage()); + throw new BEEPException(e.getMessage()); + } + + try { // get the credentials of the peer Vector cc = null; *************** *** 538,541 **** --- 582,602 ---- if (needPeerAuth) { cc = newSocket.getCertificateChain(); + if (cc == null) { + Log.logEntry(Log.SEV_DEBUG_VERBOSE, "No certificate " + + "chain when there should be one. "); + throw new BEEPException("No certificate chain when " + + "there should be one. "); + } + Enumeration enum = cc.elements(); + while (enum.hasMoreElements()) { + X509Cert cert = (X509Cert) enum.nextElement(); + String subject = cert.getSubjectName().getNameString(); + String issuer = cert.getIssuerName().getNameString(); + Log.logEntry(Log.SEV_DEBUG_VERBOSE, + "Name = " + subject + " issued by " + issuer); + } + } else { + Log.logEntry(Log.SEV_DEBUG_VERBOSE, + "No peer authentication needed"); } *************** *** 702,711 **** /** ! * allows an initializer class to set the allowed ciphers for the profile. ! * The initializers are profile classes with a custom {@link init} method ! * that takes the array of ciphers as a <code>short []</code> from a given source, such as a ! * file or database and calls this method. The numbers in the array for ! * the ciphers are defined in the <a href="http://www.ietf.org/rfc/rfc2246.txt">TLS spec</a> ! * in Appendix A. 
* @param ciphers */ --- 763,774 ---- /** ! * allows an initializer class to set the allowed ciphers for the ! * profile. The initializers are profile classes with a custom ! * {@link init} method that takes the array of ciphers as a ! * <code>short []</code> from a given source, such as a file or ! * database and calls this method. The numbers in the array for ! * the ciphers are defined in the ! * <a href="http://www.ietf.org/rfc/rfc2246.txt">TLS spec</a> in ! * Appendix A. * @param ciphers */ *************** *** 726,743 **** } } ! // /** ! // * sets whether or not the the peer we're talking to must be authenticated ! // * @param needAuth ! // */ ! // void setNeedPeerAuthentication( boolean needAuth ) { ! // needPeerAuth = needAuth; ! // policy.requireClientAuth( needPeerAuth ); ! // } ! // SSLPolicyInt getPolicy() { ! // return policy; ! // } ! // SSLContext getContext() { ! // return context; ! // } } --- 789,812 ---- } } + + /** + * sets whether or not the the peer we're talking to must be authenticated + * @param needAuth + */ + void setNeedPeerAuthentication( boolean needAuth ) { + + if (needAuth == false) { + policy.acceptUnverifiableCertificates(true); + policy.checkCertificateDates(false); + policy.requireClientAuth(false); ! needPeerAuth = false; ! } else { ! policy.acceptUnverifiableCertificates(false); ! policy.checkCertificateDates(true); ! policy.requireClientAuth(true); ! ! needPeerAuth = true; ! } ! 
} } Index: TLSProfilePureTLSPemInit.java =================================================================== RCS file: /cvsroot/beepcore-java/beepcore-java/tls/org/beepcore/beep/profile/tls/ptls/TLSProfilePureTLSPemInit.java,v retrieving revision 1.1 retrieving revision 1.2 diff -C2 -r1.1 -r1.2 *** TLSProfilePureTLSPemInit.java 2001/07/09 05:57:05 1.1 --- TLSProfilePureTLSPemInit.java 2001/08/14 14:41:27 1.2 *************** *** 1,3 **** - /* * TLSProfilePureTLSPemInit.java $Revision$ $Date$ --- 1,2 ---- *************** *** 55,58 **** --- 54,59 ---- * @see #init */ + public static final String PROPERTY_CLIENT_AUTH_REQUIRED = + "Client Authenticaton Required"; public static final String PROPERTY_CIPHER_SUITE = "Cipher Suite"; public static final String PROPERTY_CERTIFICATES = "Certificates"; *************** *** 114,125 **** // set whether or not peer must send a certificate ! // if( config.get( PROPERTY_PEER_AUTHENTICATION_REQUIRED ) != null ) { ! // if( new Boolean( (String) config.get( PROPERTY_PEER_AUTHENTICATION_REQUIRED )).booleanValue() == true ) { ! // tlsp.setNeedPeerAuthentication( true ); ! // } ! // else { ! // tlsp.setNeedPeerAuthentication( false ); ! // } ! // } // set the cipher suites if (config.get(PROPERTY_CIPHER_SUITE) != null) { --- 115,125 ---- // set whether or not peer must send a certificate ! if (config.get(PROPERTY_CLIENT_AUTH_REQUIRED) != null) { ! if (new Boolean((String) config.get(PROPERTY_CLIENT_AUTH_REQUIRED)).booleanValue() == true) { ! tlsp.setNeedPeerAuthentication(true); ! } else { ! tlsp.setNeedPeerAuthentication(false); ! } ! } // set the cipher suites if (config.get(PROPERTY_CIPHER_SUITE) != null) { *************** *** 183,186 **** --- 183,210 ---- // (client) try { + // set the certificate(s) by which we are known. We can + // actually verify clients with several root certificates, + // but this is the certificates that we present according + // to the negotiated cipher suite. 
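Review bot: setNeedPeerAuthentication(false) does more than its name and Javadoc say: alongside `requireClientAuth(false)` it sets `acceptUnverifiableCertificates(true)` and `checkCertificateDates(false)` on the shared policy, so a caller who only wants to stop demanding a client certificate also turns off chain verification and expiry checks for any certificate the peer presents, presumably including the server's when this profile is the initiator. Either move the two permissive settings into a separately and explicitly named method, or at minimum extend the Javadoc: `* Passing false also disables certificate chain verification and validity-date checks for the peer's certificate.` The method mutates `policy` without a `context.setPolicy(policy)` call; the init and startChannel paths earlier in this diff both re-set the policy before use, so this is probably fine, but confirm PureTLS holds a reference rather than a copy. The fixed typo-level issue in the Javadoc ("the the peer") is worth taking while here.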
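Review bot: The configuration parse in TLSProfilePureTLSPemInit fails open: `new Boolean((String) ...)` is false for every value except a case-insensitive "true", so a typo like "yes" or "1" calls `tlsp.setNeedPeerAuthentication(false)` and silently disables peer authentication. The unchecked cast also throws ClassCastException if a caller stores a Boolean instead of a String, and `new Boolean(...)` should in any case be `Boolean.valueOf(...)`. I would accept only the two literal spellings and reject everything else: `String v = String.valueOf(config.get(PROPERTY_CLIENT_AUTH_REQUIRED)).trim(); if (!v.equalsIgnoreCase("true") && !v.equalsIgnoreCase("false")) throw new BEEPException("Configuration for " + PROPERTY_CLIENT_AUTH_REQUIRED + " must be true or false."); tlsp.setNeedPeerAuthentication(v.equalsIgnoreCase("true"));` — using whichever exception type init already declares. The enclosing init method starts outside this hunk.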
We assume that the + // peer has a root that is in common with us. + String certFile = (String) config.get(PROPERTY_CERTIFICATES); + BufferedReader certbr = + new BufferedReader(new FileReader(certFile)); + StringBuffer certType = new StringBuffer(); + Vector certs = new Vector(); + + while (true) { + byte[] cert = WrappedObject.loadObject(certbr, "CERTIFICATE", + certType); + + if (cert == null) { + break; + } + + certs.add(cert); + } + + tlsp.setCertChain(certs); + String keyFile = (String) config.get(PROPERTY_PRIVATE_KEY); BufferedReader keybr = *************** *** 208,235 **** tlsp.setPrivateKey(key); - - // set the certificate(s) by which we are known. We can - // actually verify clients with several root certificates, but - // this is the certificates that we present according to the negotiated - // cipher suite. We assume that the peer has a root that is in common - // with us. - String certFile = (String) config.get(PROPERTY_CERTIFICATES); - BufferedReader certbr = - new BufferedReader(new FileReader(certFile)); - StringBuffer certType = new StringBuffer(); - Vector certs = new Vector(); - - while (true) { - byte[] cert = WrappedObject.loadObject(certbr, "CERTIFICATE", - certType); - - if (cert == null) { - break; - } - - certs.add(cert); - } - - tlsp.setCertChain(certs); // verify that the object passed in is either a list or a String --- 232,235 ---- |
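Review bot: The relocated certificate-loading code never closes `certbr`, so every call to init leaks the file handle opened on the PROPERTY_CERTIFICATES path unless the surrounding try, which starts outside this hunk, closes it; wrap the read in a try/finally that calls `certbr.close()`, and the same applies to `keybr` below. The loop also accepts an empty or non-PEM file silently: if `WrappedObject.loadObject` returns null on the first iteration, `tlsp.setCertChain(certs)` is called with an empty Vector and the problem only surfaces later in a handshake, far from the misconfiguration — add `if (certs.isEmpty()) throw new BEEPException("No CERTIFICATE block found in " + certFile);` after the loop (or whichever exception init declares). Since this is only a move, note as well that an absent PROPERTY_CERTIFICATES makes `new FileReader(certFile)` throw NullPointerException rather than a configuration error.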