From: <bsc...@us...> - 2009-12-18 09:06:37
Revision: 5958 http://unicore.svn.sourceforge.net/unicore/?rev=5958&view=rev Author: bschuller Date: 2009-12-18 09:06:26 +0000 (Fri, 18 Dec 2009) Log Message: ----------- allow to directly load pem files as trusted certs (instead of a jks truststore) Modified Paths: -------------- gateway/trunk/Changes.txt gateway/trunk/src/main/java/eu/unicore/gateway/base/CustomSslSocketConnector.java Added Paths: ----------- gateway/trunk/src/test/java/eu/unicore/gateway/base/ gateway/trunk/src/test/java/eu/unicore/gateway/base/TestReadCerts.java gateway/trunk/src/test/resources/certs/twocerts.pem Modified: gateway/trunk/Changes.txt =================================================================== --- gateway/trunk/Changes.txt 2009-12-17 15:11:37 UTC (rev 5957) +++ gateway/trunk/Changes.txt 2009-12-18 09:06:26 UTC (rev 5958) @@ -18,7 +18,8 @@ - update to Jetty 6.1.22 - put client name and IP into Log4j diagnostic context. This allows to add client info to all the log messages by using %X{clientName} and %X{clientIP} in the log pattern - + - new truststore types "file" and "directory", allowing to directly load pem files as trusted certs. + The "truststore" parameter is interpreted as the file/directory path. 6.2.2 - allow to configure HTTP protocol details ("connection: close" and Modified: gateway/trunk/src/main/java/eu/unicore/gateway/base/CustomSslSocketConnector.java =================================================================== --- gateway/trunk/src/main/java/eu/unicore/gateway/base/CustomSslSocketConnector.java 2009-12-17 15:11:37 UTC (rev 5957) +++ gateway/trunk/src/main/java/eu/unicore/gateway/base/CustomSslSocketConnector.java 2009-12-18 09:06:26 UTC (rev 5958) 
@@ -31,6 +31,10 @@ ********************************************************************************/ package eu.unicore.gateway.base; +import java.io.BufferedInputStream; +import java.io.File; +import java.io.FileInputStream; +import java.io.FilenameFilter; import java.io.IOException; import java.net.InetSocketAddress; import java.net.Socket; @@ -39,6 +43,8 @@ import java.security.NoSuchAlgorithmException; import java.security.SecureRandom; import java.security.cert.CertificateException; +import java.security.cert.CertificateFactory; +import java.security.cert.X509Certificate; import javax.net.ssl.HandshakeCompletedEvent; import javax.net.ssl.HandshakeCompletedListener; @@ -72,14 +78,14 @@ */ public class CustomSslSocketConnector extends SslSocketConnector { - + private final static Logger log=LogUtil.getLogger(LogUtil.CONNECTIONS,CustomSslSocketConnector.class); - + private transient Password password; private transient Password keyPassword; private transient Password trustPassword; private GatewayProperties gwProps; - + public CustomSslSocketConnector(GatewayProperties gwProps) { super(); @@ -104,18 +110,18 @@ } log.debug("SSL connection to <"+msg+"> established."); } - + }); } } super.configure(socket); } - + @Override protected HttpConnection newHttpConnection(EndPoint endpoint){ return new CustomHttpConnection(this, endpoint, getServer(), gwProps); } - + public void setPassword(String password){ this.password=Password.getPassword(PASSWORD_PROPERTY,password,null); super.setPassword(password); 
@@ -130,69 +136,128 @@ keyPassword=Password.getPassword(KEYPASSWORD_PROPERTY,password,null); super.setKeyPassword(password); } - - protected SSLServerSocketFactory createFactory() throws Exception { - if (password==null) - password=new Password(""); - if (keyPassword==null) - keyPassword=password; - if (trustPassword==null) - trustPassword=password; - - if (getTruststore()==null) + protected SSLServerSocketFactory createFactory() throws Exception { + if (password==null) + password=new Password(""); + if (keyPassword==null) + keyPassword=password; + if (trustPassword==null) + trustPassword=password; + + + if (getTruststore()==null) { setTruststore(getKeystore()); setTruststoreType(getKeystoreType()); } - KeyManager[] keyManagers = null; - if (getKeystore()!= null) - { - KeyStore keyStore = KeyStore.getInstance(getKeystoreType()); - if (password == null) - throw new SSLException("password is not set"); - keyStore.load(Resource.newResource(getKeystore()).getInputStream(), password.toString().toCharArray()); - - KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(getSslKeyManagerFactoryAlgorithm()); - if (keyPassword == null) - throw new SSLException("keypassword is not set"); - keyManagerFactory.init(keyStore,keyPassword.toString().toCharArray()); - keyManagers = keyManagerFactory.getKeyManagers(); - } + KeyManager[] keyManagers = null; + if (getKeystore()!= null) + { + KeyStore keyStore = KeyStore.getInstance(getKeystoreType()); + if (password == null) + throw new SSLException("password is not set"); + keyStore.load(Resource.newResource(getKeystore()).getInputStream(), password.toString().toCharArray()); - TrustManager[] trustManagers = getTrustManagers(); + KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(getSslKeyManagerFactoryAlgorithm()); + if (keyPassword == null) + throw new SSLException("keypassword is not set"); + keyManagerFactory.init(keyStore,keyPassword.toString().toCharArray()); + keyManagers = 
keyManagerFactory.getKeyManagers(); + } - SecureRandom secureRandom = getSecureRandomAlgorithm()==null?null:SecureRandom.getInstance(getSecureRandomAlgorithm()); + TrustManager[] trustManagers = getTrustManagers(); - SSLContext context = getProvider()==null?SSLContext.getInstance(getProtocol()):SSLContext.getInstance(getProtocol(), getProvider()); + SecureRandom secureRandom = getSecureRandomAlgorithm()==null?null:SecureRandom.getInstance(getSecureRandomAlgorithm()); - context.init(keyManagers, trustManagers, secureRandom); + SSLContext context = getProvider()==null?SSLContext.getInstance(getProtocol()):SSLContext.getInstance(getProtocol(), getProvider()); - return context.getServerSocketFactory(); - } + context.init(keyManagers, trustManagers, secureRandom); + return context.getServerSocketFactory(); + } - protected TrustManager[] getTrustManagers()throws IOException,NoSuchAlgorithmException,CertificateException,KeyStoreException{ - TrustManager[] trustManagers = null; - if (getTruststore()!= null) - { - KeyStore trustStore = KeyStore.getInstance(getTruststoreType()); - trustStore.load(Resource.newResource(getTruststore()).getInputStream(), trustPassword.toString().toCharArray()); - TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(getSslTrustManagerFactoryAlgorithm()); - trustManagerFactory.init(trustStore); - trustManagers = trustManagerFactory.getTrustManagers(); - } - TrustManager[] res=new X509TrustManager[trustManagers.length]; - for(int i=0;i<res.length;i++){ - res[i]=decorate(trustManagers[i]); - } - return res; - } - - protected TrustManager decorate(TrustManager tm){ - return tm instanceof X509TrustManager ? 
- new AuthSSLX509TrustManager((X509TrustManager)tm, gwProps): tm ; - } - -} + protected TrustManager[] getTrustManagers()throws IOException,NoSuchAlgorithmException,CertificateException,KeyStoreException{ + TrustManager[] trustManagers = null; + if (getTruststore()!= null) + { + KeyStore trustStore =loadTruststore(); + TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(getSslTrustManagerFactoryAlgorithm()); + trustManagerFactory.init(trustStore); + trustManagers = trustManagerFactory.getTrustManagers(); + } + TrustManager[] res=new X509TrustManager[trustManagers.length]; + for(int i=0;i<res.length;i++){ + res[i]=decorate(trustManagers[i]); + } + return res; + } + + protected TrustManager decorate(TrustManager tm){ + return tm instanceof X509TrustManager ? + new AuthSSLX509TrustManager((X509TrustManager)tm, gwProps): tm ; + } + + int counter=0; + + protected KeyStore loadTruststore()throws IOException,NoSuchAlgorithmException,CertificateException,KeyStoreException { + KeyStore trustStore=null; + if("file".equalsIgnoreCase(getTruststoreType())){ + return loadTruststoreFromPemFile(); + } + else if(getTruststoreType().startsWith("dir")){ + return loadTruststoreFromDirectory(); + } + else{ + trustStore= KeyStore.getInstance(getTruststoreType()); + trustStore.load(Resource.newResource(getTruststore()).getInputStream(), trustPassword.toString().toCharArray()); + } + return trustStore; + } + + protected KeyStore loadTruststoreFromPemFile() throws IOException,NoSuchAlgorithmException,CertificateException,KeyStoreException { + KeyStore trustStore= KeyStore.getInstance("jks"); + trustStore.load(null, "unicore".toCharArray()); + loadPemFile(getTruststore(),trustStore); + return trustStore; + } + + + protected KeyStore loadTruststoreFromDirectory() throws IOException,NoSuchAlgorithmException,CertificateException,KeyStoreException { + KeyStore trustStore= KeyStore.getInstance("jks"); + trustStore.load(null, "unicore".toCharArray()); + File directory=new 
File(getTruststore()); + File[] pems=directory.listFiles(new FilenameFilter(){ + public boolean accept(File f, String name){ + return name.endsWith(".pem") || name.endsWith(".cert"); + } + }); + for(File pem: pems){ + loadPemFile(pem.getAbsolutePath(),trustStore); + } + return trustStore; + } + + //load all the certs from the given pem file and put them as trusted certs into the keystore + private void loadPemFile(String name, KeyStore ks)throws IOException, KeyStoreException, CertificateException{ + CertificateFactory cf=CertificateFactory.getInstance("X.509"); + BufferedInputStream bis=new BufferedInputStream(new FileInputStream(name)); + try{ + while(true){ + X509Certificate cert=(X509Certificate)cf.generateCertificate(bis); + String dn=cert.getSubjectX500Principal().toString(); + ks.setCertificateEntry("trusted-"+counter, cert); + log.info("Added trusted certificate: "+dn+" loaded from file <"+name+">"); + //check if we have more data... + bis.mark(1); + if(bis.read()==-1)break; + bis.reset(); + counter++; + } + } + finally{ + try{bis.close();}catch(IOException io){}; + } + } +} \ No newline at end of file Added: gateway/trunk/src/test/java/eu/unicore/gateway/base/TestReadCerts.java =================================================================== --- gateway/trunk/src/test/java/eu/unicore/gateway/base/TestReadCerts.java (rev 0) +++ gateway/trunk/src/test/java/eu/unicore/gateway/base/TestReadCerts.java 2009-12-18 09:06:26 UTC (rev 5958) 
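Review bot: In `loadPemFile`, `counter` is only incremented when more data follows the certificate just stored, so after the last certificate of a file it keeps its value, and the first certificate of the next file read by `loadTruststoreFromDirectory` is stored under the same `"trusted-"+counter` alias; `KeyStore.setCertificateEntry` replaces the existing entry for that alias, so the earlier trusted certificate silently disappears from the store. Moving `counter++;` directly after `ks.setCertificateEntry("trusted-"+counter, cert);` (and dropping it from the end of the loop) gives every certificate its own alias. Separately, in `loadTruststoreFromDirectory` `directory.listFiles(...)` returns null when the configured truststore path is not a directory, and `for(File pem: pems)` then fails with a NullPointerException that does not name the path; a check such as `if(pems==null) throw new IOException("Truststore path is not a directory: <"+directory+">");` before the loop gives a diagnosable error. The type dispatch in `loadTruststore` is also uneven — `"file".equalsIgnoreCase(...)` for one case but `startsWith("dir")` for the other, which accepts any type beginning with "dir" while the Changes.txt entry documents the value as "directory".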
@@ -0,0 +1,43 @@
+package eu.unicore.gateway.base;
+
+import java.io.File;
+import java.security.KeyStore;
+import java.security.cert.X509Certificate;
+import java.util.Enumeration;
+
+import junit.framework.TestCase;
+import eu.unicore.gateway.properties.GatewayProperties;
+
+public class TestReadCerts extends TestCase {
+
+ public void testReadFromFile()throws Exception{
+ GatewayProperties p=new GatewayProperties(new File("src/test/resources/gateway.properties"));
+ CustomSslSocketConnector ssl=new CustomSslSocketConnector(p);
+ ssl.setTruststore("src/test/resources/certs/twocerts.pem");
+ ssl.setTruststoreType("file");
+ KeyStore ks=ssl.loadTruststore();
+ assertNotNull(ks);
+ Enumeration<String>i=ks.aliases();
+ while(i.hasMoreElements()){
+ String alias=i.nextElement();
+ X509Certificate c=(X509Certificate)ks.getCertificate(alias);
+ assertNotNull(c);
+ System.out.println(alias+" : "+c.getSubjectDN().getName());
+ }
+ }
+ public void testReadFromDir()throws Exception{
+ GatewayProperties p=new GatewayProperties(new File("src/test/resources/gateway.properties"));
+ CustomSslSocketConnector ssl=new CustomSslSocketConnector(p);
+ ssl.setTruststore("src/test/resources/certs");
+ ssl.setTruststoreType("directory");
+ KeyStore ks=ssl.loadTruststore();
+ assertNotNull(ks);
+ Enumeration<String>i=ks.aliases();
+ while(i.hasMoreElements()){
+ String alias=i.nextElement();
+ X509Certificate c=(X509Certificate)ks.getCertificate(alias);
+ assertNotNull(c);
+ }
+
+ }
+}
Property changes on: gateway/trunk/src/test/java/eu/unicore/gateway/base/TestReadCerts.java
___________________________________________________________________
Added: svn:mime-type
+ text/plain
Added: gateway/trunk/src/test/resources/certs/twocerts.pem
===================================================================
--- gateway/trunk/src/test/resources/certs/twocerts.pem (rev 0)
+++ gateway/trunk/src/test/resources/certs/twocerts.pem 2009-12-18 09:06:26 UTC (rev 5958)
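Review bot: `testReadFromFile` only checks that each alias maps to a non-null certificate, so it still passes if just one of the two certificates in twocerts.pem is loaded, or none at all, since the loop body then never runs; pinning the count with `assertEquals(2, ks.size());` after `assertNotNull(ks);` makes the test actually cover the multi-certificate parsing this commit adds. The same applies to `testReadFromDir`, where a count assertion on the expected number of certificates in the certs directory would catch an alias collision across files that the per-alias null check cannot see. The `System.out.println` of the subject is debugging output in a unit test and could be dropped; if it stays, `c.getSubjectX500Principal()` is the accessor the loader itself uses, whereas `getSubjectDN()` is the legacy form.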
@@ -0,0 +1,27 @@
+-----BEGIN TRUSTED CERTIFICATE-----
+MIICAjCCAawCCQCJHt4GAm55ATANBgkqhkiG9w0BAQQFADCBhzELMAkGA1UEBhMC
+REUxDDAKBgNVBAgTA05SVzEQMA4GA1UEBxMHSnVlbGljaDEMMAoGA1UEChMDRlpK
+MQwwCgYDVQQLEwNaQU0xFTATBgNVBAMTDHJvZ2VyIG1lbmRheTElMCMGCSqGSIb3
+DQEJARYWci5tZW5kYXlAZnotanVlbGljaC5kZTAeFw0wNjAzMjAxMTQwNTdaFw0x
+MTA5MTAxMTQwNTdaMIGHMQswCQYDVQQGEwJERTEMMAoGA1UECBMDTlJXMRAwDgYD
+VQQHEwdKdWVsaWNoMQwwCgYDVQQKEwNGWkoxDDAKBgNVBAsTA1pBTTEVMBMGA1UE
+AxMMcm9nZXIgbWVuZGF5MSUwIwYJKoZIhvcNAQkBFhZyLm1lbmRheUBmei1qdWVs
+aWNoLmRlMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAL2pmnPWXs4QcT7jtFF8a48Q
+NEbnRzn6VFL87H78hBudG+7y1jvZCygla0nTrzrY6uFTTYklI0qi7fPoHdCQg6kC
+AwEAATANBgkqhkiG9w0BAQQFAANBAFaxlLmfKh28SLlSI7YBpXm3GItfwQ1KImHz
+qBQeoTstzzXCA3b8daLYHAp92CaN1etjsczeCIywQ+rUqiLMzHk=
+-----END TRUSTED CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICETCCAbsCAQUwDQYJKoZIhvcNAQEEBQAwgYcxCzAJBgNVBAYTAkRFMQwwCgYD
+VQQIEwNOUlcxEDAOBgNVBAcTB0p1ZWxpY2gxDDAKBgNVBAoTA0ZaSjEMMAoGA1UE
+CxMDWkFNMRUwEwYDVQQDEwxyb2dlciBtZW5kYXkxJTAjBgkqhkiG9w0BCQEWFnIu
+bWVuZGF5QGZ6LWp1ZWxpY2guZGUwHhcNMDYwMzIwMTE0NTUzWhcNMTEwOTEwMTE0
+NTUzWjBbMQswCQYDVQQGEwJERTEMMAoGA1UECBMDTlJXMRAwDgYDVQQHEwdKdWVs
+aWNoMQwwCgYDVQQKEwNGWkoxDDAKBgNVBAsTA1pBTTEQMA4GA1UEAxMHc2VydmVy
+MTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqmJ8K42JJA1yZEBSuZAz31h1
+XhWVP9tPclD1leso1OANKW1AO1zxeXKfjuvmlycVpBqeVetQaFTPusoofNrh451Q
+NrbzqPUGcNd6fai6hsCubXMp0az7Nej6u/4kf+zptM6rbPnbm99BuFCDBo13EJlj
+dcDRj/tbwycWGU//RwkCAwEAATANBgkqhkiG9w0BAQQFAANBABLgG3fhw0ZNpJJg
+rN3GWheDKntGTQ3/iqw2i/xIhMIw0hbJ68oa8l8IczpWE9HGTqM6/5is2p/Oeqmm
+3G5w1fI=
+-----END CERTIFICATE-----
\ No newline at end of file
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |