src/main/java/org/apache/directory/fortress/core/ldap/LdapClientTrustStoreManager.java - directory-fortress-core - Git at Google

 /*
  *   Licensed to the Apache Software Foundation (ASF) under one
  *   or more contributor license agreements.  See the NOTICE file
  *   distributed with this work for additional information
  *   regarding copyright ownership.  The ASF licenses this file
  *   to you under the Apache License, Version 2.0 (the
  *   "License"); you may not use this file except in compliance
  *   with the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  *   Unless required by applicable law or agreed to in writing,
  *   software distributed under the License is distributed on an
  *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  *   KIND, either express or implied.  See the License for the
  *   specific language governing permissions and limitations
  *   under the License.
  *
  */
 package org.apache.directory.fortress.core.ldap;


 import org.apache.directory.fortress.core.CfgRuntimeException;
 import org.apache.directory.fortress.core.GlobalErrIds;
 import org.apache.directory.fortress.core.GlobalIds;
 import org.apache.directory.fortress.core.util.Config;
 import org.apache.directory.fortress.core.util.ResourceUtil;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.X509TrustManager;
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.Serializable;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.util.Date;


 /**
  * Implement the X509TrustManager interface which will be used during JSSE truststore manager initialization for LDAP
  * client-to-server communications over TLS/SSL.
  * It is used during certificate validation operations within JSSE.
  * <p>
  * There are the controlling fortress.properties:
  * <ul>
  *     <li>trust.store : contains the name of the truststore (must be fully qualified iff trust.store.onclasspath=false</li>
  *     <li>trust.store.password : contains the pw for the specified truststore</li>
  *     <li>trust.onclasspath : if false name must be fully qualified, otherwise file must be on classpath as named</li>
  * </ul>
  *
  * Note: This class allows self-signed certificates to pass the validation checks, if its root certificate is found in the truststore.
  *
  * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
  */
 public final class LdapClientTrustStoreManager implements X509TrustManager, Serializable
 {
     /** Default serialVersionUID */
     private static final long serialVersionUID = 1L;
     // Logging
     private static final String CLS_NM = LdapClientTrustStoreManager.class.getName();
     private static final Logger LOG = LoggerFactory.getLogger( CLS_NM );

     // Config variables
     private final boolean isExamineValidityDates;
     private final char[] trustStorePw;
     // This is found on the classpath if trust.store.onclasspath = true (default), otherwise must include exact location on filepath:
     private final String trustStoreFile;
     private final String trustStoreFormat;


     /**
      * Constructor used by connection configuration utility to load trust store manager.
      *
      * @param trustStoreFile    contains name of trust store file.
      * @param trustStorePw      contains the password for trust store
      * @param trustStoreFormat  contains the format for trust store
      * @param isExamineValidity boolean var determines if certificate will be examined for valid dates on load.
      */
     public LdapClientTrustStoreManager( final String trustStoreFile, final char[] trustStorePw,
         final String trustStoreFormat, final boolean isExamineValidity )
     {
         if ( trustStoreFile == null )
         {
             // Cannot continue, throw an unchecked exception:
             throw new CfgRuntimeException( GlobalErrIds.FT_CONFIG_JSSE_TRUSTSTORE_NULL,
                 "LdapClientTrustStoreManager constructor : input file name is null" );
         }
         // contains the file name of a valid JSSE TrustStore found on classpath:
         this.trustStoreFile = trustStoreFile;
         // the password to the JSSE TrustStore:
         this.trustStorePw = trustStorePw.clone();
         // If true, verify the current date is within the validity period for every certificate in the TrustStore:
         this.isExamineValidityDates = isExamineValidity;
         if ( trustStoreFormat == null )
         {
             this.trustStoreFormat = KeyStore.getDefaultType();
         }
         else
         {
             this.trustStoreFormat = trustStoreFormat;
         }
     }


     /**
      * Determine if client certificate is to be trusted.
      *
      * @param x509Chain
      * @param authNType
      * @throws CertificateException
      */
     public synchronized void checkClientTrusted( final X509Certificate[] x509Chain,
         final String authNType ) throws CertificateException
     {
         // For each certificate in the chain, check validity:
         for ( final X509TrustManager trustMgr : getTrustManagers( x509Chain ) )
         {
             trustMgr.checkClientTrusted( x509Chain, authNType );
         }
     }


     /**
      * Determine if server certificate is to be trusted.
      *
      * @param x509Chain
      * @param authNType
      * @throws CertificateException
      */
     public synchronized void checkServerTrusted( final X509Certificate[] x509Chain, final String authNType ) throws
         CertificateException
     {
         for ( final X509TrustManager trustManager : getTrustManagers( x509Chain ) )
         {
             trustManager.checkServerTrusted( x509Chain, authNType );
         }
     }


     /**
      * Return the list of accepted issuers for this trust manager.
      *
      * @return array of accepted issuers
      */
     public synchronized X509Certificate[] getAcceptedIssuers()
     {
         return new X509Certificate[0];
     }


     /**
      * Return array of trust managers to caller.  Will verify that current date is within certs validity period.
      *
      * @param x509Chain contains input X.509 certificate chain.
      * @return array of X.509 trust managers.
      * @throws CertificateException if trustStoreFile instance variable is null.
      */
     private synchronized X509TrustManager[] getTrustManagers( final X509Certificate[] x509Chain ) throws
         CertificateException
     {
         String szTrustStoreOnClasspath = Config.getInstance().getProperty( GlobalIds.TRUST_STORE_ON_CLASSPATH );

         // If false or null, read the truststore from a fully qualified filename.
         if( szTrustStoreOnClasspath != null && szTrustStoreOnClasspath.equalsIgnoreCase( "false" ))
         {
             LOG.info( CLS_NM + ".getTrustManagers on filepath" );
             return getTrustManagersOnFilepath( x509Chain );
         }
         // Get it off the classpath
         else
         {
             LOG.info( CLS_NM + ".getTrustManagers on classpath" );
             return getTrustManagersOnClasspath( x509Chain );
         }
     }


     /**
      * Return array of trust managers to caller.  Will verify that current date is within certs validity period.
      *
      * @param x509Chain contains input X.509 certificate chain.
      * @return array of X.509 trust managers.
      * @throws CertificateException if trustStoreFile instance variable is null.
      */
     private synchronized X509TrustManager[] getTrustManagersOnClasspath( final X509Certificate[] x509Chain ) throws
         CertificateException
     {
         // If true, verify the current date is within each certificates validity period.
         if ( isExamineValidityDates )
         {
             final Date currentDate = new Date();
             for ( final X509Certificate x509Cert : x509Chain )
             {
                 x509Cert.checkValidity( currentDate );
             }
         }
         InputStream trustStoreInputStream = getTrustStoreInputStream();
         if (trustStoreInputStream == null)
         {
             throw new CertificateException("LdapClientTrustStoreManager.getTrustManagers : file not found");
         }
         try
         {
             trustStoreInputStream.close();
         }
         catch (IOException e)
         {
             // Eat this ioexception because it shouldn't be a problem, but log just in case:
             LOG.warn("LdapClientTrustStoreManager.getTrustManagers on input stream close " +
                     "operation caught IOException={}", e.getMessage());
         }
         return loadTrustManagers( getTrustStore() );
     }


     /**
      * Return array of trust managers to caller.  Will verify that current date is within certs validity period.
      *
      * @param x509Chain contains input X.509 certificate chain.
      * @return array of X.509 trust managers.
      * @throws CertificateException if trustStoreFile instance variable is null.
      */
     private synchronized X509TrustManager[] getTrustManagersOnFilepath( final X509Certificate[] x509Chain ) throws
         CertificateException
     {
         // If true, verify the current date is within each certificates validity period.
         if ( isExamineValidityDates )
         {
             final Date currentDate = new Date();
             for ( final X509Certificate x509Cert : x509Chain )
             {
                 x509Cert.checkValidity( currentDate );
             }
         }
         // The trustStoreFile should contain the fully-qualified name of a Java TrustStore on local file system.
         final File trustStoreFile = new File( this.trustStoreFile );
         if ( !trustStoreFile.exists() )
         {
             throw new CertificateException( "FortressTrustStoreManager.getTrustManagers : file not found" );
         }
         return loadTrustManagers( getTrustStore() );
     }


     /**
      * Return an array of X.509 TrustManagers.
      *
      * @param trustStore handle to input trustStore
      * @return array of trust managers
      * @throws CertificateException if problem occurs during TrustManager initialization.
      */
     private X509TrustManager[] loadTrustManagers( final KeyStore trustStore ) throws CertificateException
     {
         final X509TrustManager[] x509TrustManagers;
         try
         {
             final TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance( TrustManagerFactory
                 .getDefaultAlgorithm() );
             trustManagerFactory.init( trustStore );
             final TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
             x509TrustManagers = new X509TrustManager[trustManagers.length];
             for ( int i = 0; i < trustManagers.length; i++ )
             {
                 x509TrustManagers[i] = ( X509TrustManager ) trustManagers[i];
             }
         }
         catch ( NoSuchAlgorithmException e )
         {
             throw new CertificateException( "LdapClientTrustStoreManager.loadTrustManagers caught " +
                 "NoSuchAlgorithmException", e );
         }
         catch ( KeyStoreException e )
         {
             throw new CertificateException( "LdapClientTrustStoreManager.loadTrustManagers caught KeyStoreException", e );
         }
         return x509TrustManagers;
     }


     /**
      * Load the TrustStore file into JSSE KeyStore instance.
      *
      * @return instance of JSSE KeyStore containing the LDAP Client's TrustStore file info.     *
      * @throws CertificateException if cannot process file load.
      */
     private KeyStore getTrustStore() throws CertificateException
     {
         final KeyStore trustStore;
         try
         {
             trustStore = KeyStore.getInstance( trustStoreFormat );
         }
         catch ( KeyStoreException e )
         {
             throw new CertificateException( "LdapClientTrustStoreManager.getTrustManagers caught KeyStoreException", e );
         }
         InputStream trustStoreInputStream = null;
         try
         {
             trustStoreInputStream = getTrustStoreInputStream();
             trustStore.load( trustStoreInputStream, trustStorePw );
         }
         catch ( NoSuchAlgorithmException e )
         {
             throw new CertificateException( "LdapClientTrustStoreManager.getTrustManagers caught " +
                 "NoSuchAlgorithmException", e );
         }
         catch ( IOException e )
         {
             throw new CertificateException( "LdapClientTrustStoreManager.getTrustManagers caught KeyStoreException", e );
         }
         finally
         {
             // Close the input stream.
             if ( trustStoreInputStream != null )
             {
                 try
                 {
                     trustStoreInputStream.close();
                 }
                 catch ( IOException e )
                 {
                     // Eat this ioexception because it shouldn't be a problem, but log just in case:
                     LOG.warn( "LdapClientTrustStoreManager.getTrustStore finally block on input stream close " +
                         "operation caught IOException={}", e.getMessage() );
                 }
             }
         }
         return trustStore;
     }


     /**
      * Read the trust store off the classpath.
      *
      * @return handle to inputStream containing the trust store
      * @throws CertificateException
      */
     private InputStream getTrustStoreInputStream() throws CertificateException
     {
         InputStream result = ResourceUtil.getInputStream(trustStoreFile);
         if (null == result)
         {
             throw new CertificateException("LdapClientTrustStoreManager.getTrustStoreInputStream file does not exist on fortress classpath" );
         }
         return result;
     }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing,
	* software distributed under the License is distributed on an
	* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	* KIND, either express or implied. See the License for the
	* specific language governing permissions and limitations
	* under the License.
	*
	*/
	package org.apache.directory.fortress.core.ldap;


	import org.apache.directory.fortress.core.CfgRuntimeException;
	import org.apache.directory.fortress.core.GlobalErrIds;
	import org.apache.directory.fortress.core.GlobalIds;
	import org.apache.directory.fortress.core.util.Config;
	import org.apache.directory.fortress.core.util.ResourceUtil;
	import org.slf4j.Logger;
	import org.slf4j.LoggerFactory;

	import javax.net.ssl.TrustManager;
	import javax.net.ssl.TrustManagerFactory;
	import javax.net.ssl.X509TrustManager;
	import java.io.File;
	import java.io.IOException;
	import java.io.InputStream;
	import java.io.Serializable;
	import java.security.KeyStore;
	import java.security.KeyStoreException;
	import java.security.NoSuchAlgorithmException;
	import java.security.cert.CertificateException;
	import java.security.cert.X509Certificate;
	import java.util.Date;


	/**
	* Implement the X509TrustManager interface which will be used during JSSE truststore manager initialization for LDAP
	* client-to-server communications over TLS/SSL.
	* It is used during certificate validation operations within JSSE.
	* <p>
	* There are the controlling fortress.properties:
	* <ul>
	* <li>trust.store : contains the name of the truststore (must be fully qualified iff trust.store.onclasspath=false</li>
	* <li>trust.store.password : contains the pw for the specified truststore</li>
	* <li>trust.onclasspath : if false name must be fully qualified, otherwise file must be on classpath as named</li>
	* </ul>
	*
	* Note: This class allows self-signed certificates to pass the validation checks, if its root certificate is found in the truststore.
	*
	* @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
	*/
	public final class LdapClientTrustStoreManager implements X509TrustManager, Serializable
	{
	/** Default serialVersionUID */
	private static final long serialVersionUID = 1L;
	// Logging
	private static final String CLS_NM = LdapClientTrustStoreManager.class.getName();
	private static final Logger LOG = LoggerFactory.getLogger( CLS_NM );

	// Config variables
	private final boolean isExamineValidityDates;
	private final char[] trustStorePw;
	// This is found on the classpath if trust.store.onclasspath = true (default), otherwise must include exact location on filepath:
	private final String trustStoreFile;
	private final String trustStoreFormat;


	/**
	* Constructor used by connection configuration utility to load trust store manager.
	*
	* @param trustStoreFile contains name of trust store file.
	* @param trustStorePw contains the password for trust store
	* @param trustStoreFormat contains the format for trust store
	* @param isExamineValidity boolean var determines if certificate will be examined for valid dates on load.
	*/
	public LdapClientTrustStoreManager( final String trustStoreFile, final char[] trustStorePw,
	final String trustStoreFormat, final boolean isExamineValidity )
	{
	if ( trustStoreFile == null )
	{
	// Cannot continue, throw an unchecked exception:
	throw new CfgRuntimeException( GlobalErrIds.FT_CONFIG_JSSE_TRUSTSTORE_NULL,
	"LdapClientTrustStoreManager constructor : input file name is null" );
	}
	// contains the file name of a valid JSSE TrustStore found on classpath:
	this.trustStoreFile = trustStoreFile;
	// the password to the JSSE TrustStore:
	this.trustStorePw = trustStorePw.clone();
	// If true, verify the current date is within the validity period for every certificate in the TrustStore:
	this.isExamineValidityDates = isExamineValidity;
	if ( trustStoreFormat == null )
	{
	this.trustStoreFormat = KeyStore.getDefaultType();
	}
	else
	{
	this.trustStoreFormat = trustStoreFormat;
	}
	}


	/**
	* Determine if client certificate is to be trusted.
	*
	* @param x509Chain
	* @param authNType
	* @throws CertificateException
	*/
	public synchronized void checkClientTrusted( final X509Certificate[] x509Chain,
	final String authNType ) throws CertificateException
	{
	// For each certificate in the chain, check validity:
	for ( final X509TrustManager trustMgr : getTrustManagers( x509Chain ) )
	{
	trustMgr.checkClientTrusted( x509Chain, authNType );
	}
	}


	/**
	* Determine if server certificate is to be trusted.
	*
	* @param x509Chain
	* @param authNType
	* @throws CertificateException
	*/
	public synchronized void checkServerTrusted( final X509Certificate[] x509Chain, final String authNType ) throws
	CertificateException
	{
	for ( final X509TrustManager trustManager : getTrustManagers( x509Chain ) )
	{
	trustManager.checkServerTrusted( x509Chain, authNType );
	}
	}


	/**
	* Return the list of accepted issuers for this trust manager.
	*
	* @return array of accepted issuers
	*/
	public synchronized X509Certificate[] getAcceptedIssuers()
	{
	return new X509Certificate[0];
	}


	/**
	* Return array of trust managers to caller. Will verify that current date is within certs validity period.
	*
	* @param x509Chain contains input X.509 certificate chain.
	* @return array of X.509 trust managers.
	* @throws CertificateException if trustStoreFile instance variable is null.
	*/
	private synchronized X509TrustManager[] getTrustManagers( final X509Certificate[] x509Chain ) throws
	CertificateException
	{
	String szTrustStoreOnClasspath = Config.getInstance().getProperty( GlobalIds.TRUST_STORE_ON_CLASSPATH );

	// If false or null, read the truststore from a fully qualified filename.
	if( szTrustStoreOnClasspath != null && szTrustStoreOnClasspath.equalsIgnoreCase( "false" ))
	{
	LOG.info( CLS_NM + ".getTrustManagers on filepath" );
	return getTrustManagersOnFilepath( x509Chain );
	}
	// Get it off the classpath
	else
	{
	LOG.info( CLS_NM + ".getTrustManagers on classpath" );
	return getTrustManagersOnClasspath( x509Chain );
	}
	}


	/**
	* Return array of trust managers to caller. Will verify that current date is within certs validity period.
	*
	* @param x509Chain contains input X.509 certificate chain.
	* @return array of X.509 trust managers.
	* @throws CertificateException if trustStoreFile instance variable is null.
	*/
	private synchronized X509TrustManager[] getTrustManagersOnClasspath( final X509Certificate[] x509Chain ) throws
	CertificateException
	{
	// If true, verify the current date is within each certificates validity period.
	if ( isExamineValidityDates )
	{
	final Date currentDate = new Date();
	for ( final X509Certificate x509Cert : x509Chain )
	{
	x509Cert.checkValidity( currentDate );
	}
	}
	InputStream trustStoreInputStream = getTrustStoreInputStream();
	if (trustStoreInputStream == null)
	{
	throw new CertificateException("LdapClientTrustStoreManager.getTrustManagers : file not found");
	}
	try
	{
	trustStoreInputStream.close();
	}
	catch (IOException e)
	{
	// Eat this ioexception because it shouldn't be a problem, but log just in case:
	LOG.warn("LdapClientTrustStoreManager.getTrustManagers on input stream close " +
	"operation caught IOException={}", e.getMessage());
	}
	return loadTrustManagers( getTrustStore() );
	}


	/**
	* Return array of trust managers to caller. Will verify that current date is within certs validity period.
	*
	* @param x509Chain contains input X.509 certificate chain.
	* @return array of X.509 trust managers.
	* @throws CertificateException if trustStoreFile instance variable is null.
	*/
	private synchronized X509TrustManager[] getTrustManagersOnFilepath( final X509Certificate[] x509Chain ) throws
	CertificateException
	{
	// If true, verify the current date is within each certificates validity period.
	if ( isExamineValidityDates )
	{
	final Date currentDate = new Date();
	for ( final X509Certificate x509Cert : x509Chain )
	{
	x509Cert.checkValidity( currentDate );
	}
	}
	// The trustStoreFile should contain the fully-qualified name of a Java TrustStore on local file system.
	final File trustStoreFile = new File( this.trustStoreFile );
	if ( !trustStoreFile.exists() )
	{
	throw new CertificateException( "FortressTrustStoreManager.getTrustManagers : file not found" );
	}
	return loadTrustManagers( getTrustStore() );
	}


	/**
	* Return an array of X.509 TrustManagers.
	*
	* @param trustStore handle to input trustStore
	* @return array of trust managers
	* @throws CertificateException if problem occurs during TrustManager initialization.
	*/
	private X509TrustManager[] loadTrustManagers( final KeyStore trustStore ) throws CertificateException
	{
	final X509TrustManager[] x509TrustManagers;
	try
	{
	final TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance( TrustManagerFactory
	.getDefaultAlgorithm() );
	trustManagerFactory.init( trustStore );
	final TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
	x509TrustManagers = new X509TrustManager[trustManagers.length];
	for ( int i = 0; i < trustManagers.length; i++ )
	{
	x509TrustManagers[i] = ( X509TrustManager ) trustManagers[i];
	}
	}
	catch ( NoSuchAlgorithmException e )
	{
	throw new CertificateException( "LdapClientTrustStoreManager.loadTrustManagers caught " +
	"NoSuchAlgorithmException", e );
	}
	catch ( KeyStoreException e )
	{
	throw new CertificateException( "LdapClientTrustStoreManager.loadTrustManagers caught KeyStoreException", e );
	}
	return x509TrustManagers;
	}


	/**
	* Load the TrustStore file into JSSE KeyStore instance.
	*
	* @return instance of JSSE KeyStore containing the LDAP Client's TrustStore file info. *
	* @throws CertificateException if cannot process file load.
	*/
	private KeyStore getTrustStore() throws CertificateException
	{
	final KeyStore trustStore;
	try
	{
	trustStore = KeyStore.getInstance( trustStoreFormat );
	}
	catch ( KeyStoreException e )
	{
	throw new CertificateException( "LdapClientTrustStoreManager.getTrustManagers caught KeyStoreException", e );
	}
	InputStream trustStoreInputStream = null;
	try
	{
	trustStoreInputStream = getTrustStoreInputStream();
	trustStore.load( trustStoreInputStream, trustStorePw );
	}
	catch ( NoSuchAlgorithmException e )
	{
	throw new CertificateException( "LdapClientTrustStoreManager.getTrustManagers caught " +
	"NoSuchAlgorithmException", e );
	}
	catch ( IOException e )
	{
	throw new CertificateException( "LdapClientTrustStoreManager.getTrustManagers caught KeyStoreException", e );
	}
	finally
	{
	// Close the input stream.
	if ( trustStoreInputStream != null )
	{
	try
	{
	trustStoreInputStream.close();
	}
	catch ( IOException e )
	{
	// Eat this ioexception because it shouldn't be a problem, but log just in case:
	LOG.warn( "LdapClientTrustStoreManager.getTrustStore finally block on input stream close " +
	"operation caught IOException={}", e.getMessage() );
	}
	}
	}
	return trustStore;
	}


	/**
	* Read the trust store off the classpath.
	*
	* @return handle to inputStream containing the trust store
	* @throws CertificateException
	*/
	private InputStream getTrustStoreInputStream() throws CertificateException
	{
	InputStream result = ResourceUtil.getInputStream(trustStoreFile);
	if (null == result)
	{
	throw new CertificateException("LdapClientTrustStoreManager.getTrustStoreInputStream file does not exist on fortress classpath" );
	}
	return result;
	}
	}