ldap/client/api/src/main/java/org/apache/directory/ldap/client/api/LdapClientTrustStoreManager.java - directory-ldap-api - Git at Google

 /*
  *   Licensed to the Apache Software Foundation (ASF) under one
  *   or more contributor license agreements.  See the NOTICE file
  *   distributed with this work for additional information
  *   regarding copyright ownership.  The ASF licenses this file
  *   to you under the Apache License, Version 2.0 (the
  *   "License"); you may not use this file except in compliance
  *   with the License.  You may obtain a copy of the License at
  *
  *     https://www.apache.org/licenses/LICENSE-2.0
  *
  *   Unless required by applicable law or agreed to in writing,
  *   software distributed under the License is distributed on an
  *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  *   KIND, either express or implied.  See the License for the
  *   specific language governing permissions and limitations
  *   under the License.
  *
  */
 package org.apache.directory.ldap.client.api;


 import org.apache.directory.api.i18n.I18n;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.X509TrustManager;

 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.Serializable;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Date;
 import java.util.List;


 /**
  * Implement the X509TrustManager interface which will be used during JSSE truststore manager initialisation for LDAP
  * client-to-server communications over TLS/SSL.
  * It is used during certificate validation operations within JSSE.
  *
  * Note: This class allows self-signed certificates to pass the validation checks.
  *
  * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
  */
 public final class LdapClientTrustStoreManager implements X509TrustManager, Serializable
 {
     /** Default serialVersionUID */
     private static final long serialVersionUID = 1L;

     // Logging
     private static final String CLS_NM = LdapClientTrustStoreManager.class.getName();
     private static final Logger LOG = LoggerFactory.getLogger( CLS_NM );

     // Config variables
     private boolean isExamineValidityDates;
     private char[] trustStorePw;

     // This is found on the classpath if trust.store.onclasspath = true (default), otherwise must include exact location on filepath:
     private String trustStoreFile;
     private String trustStoreFormat;

     private X509TrustManager[] x509TrustManagers;


     /**
      * Constructor used by connection configuration utility to load trust store manager.
      *
      * @param trustStoreFile    contains name of trust store file.
      * @param trustStorePw      contains the password for trust store
      * @param trustStoreFormat  contains the format for trust store
      * @param isExamineValidity boolean var determines if certificate will be examined for valid dates on load.
      */
     public LdapClientTrustStoreManager( String trustStoreFile, char[] trustStorePw,
         String trustStoreFormat, boolean isExamineValidity )
     {
         if ( trustStoreFile == null )
         {
             // Cannot continue, throw an unchecked exception:
             throw new RuntimeException( I18n.err( I18n.ERR_04174_INPUT_FILE_NAME_NULL ) );
         }

         // contains the file name of a valid JSSE TrustStore found on classpath:
         this.trustStoreFile = trustStoreFile;

         // the password to the JSSE TrustStore:
         this.trustStorePw = trustStorePw.clone();

         // If true, verify the current date is within the validity period for every certificate in the TrustStore:
         this.isExamineValidityDates = isExamineValidity;

         if ( trustStoreFormat == null )
         {
             this.trustStoreFormat = KeyStore.getDefaultType();
         }
         else
         {
             this.trustStoreFormat = trustStoreFormat;
         }
     }


     /**
      * Determine if client certificate is to be trusted.
      *
      * @param x509Chain The certificate chain
      * @param authNType The key exchange algorithm being used
      * @throws CertificateException If the trustManager cannot be found
      */
     public synchronized void checkClientTrusted( X509Certificate[] x509Chain, String authNType ) throws CertificateException
     {
         // For each certificate in the chain, check validity:
         for ( X509TrustManager trustMgr : getTrustManagers( x509Chain ) )
         {
             trustMgr.checkClientTrusted( x509Chain, authNType );
         }
     }


     /**
      * Determine if server certificate is to be trusted.
      *
      * @param x509Chain The certificate chain
      * @param authNType The key exchange algorithm being used
      * @throws CertificateException If the trustManager cannot be found
      */
     public synchronized void checkServerTrusted( X509Certificate[] x509Chain, String authNType ) throws
         CertificateException
     {
         for ( X509TrustManager trustManager : getTrustManagers( x509Chain ) )
         {
             trustManager.checkServerTrusted( x509Chain, authNType );
         }
     }


     /**
      * Return the list of accepted issuers for this trust manager.
      *
      * @return array of accepted issuers
      */
     public synchronized X509Certificate[] getAcceptedIssuers()
     {
         List<X509Certificate> certificates = new ArrayList<>();

         for ( X509TrustManager trustManager : x509TrustManagers )
         {
             for ( X509Certificate certificate : trustManager.getAcceptedIssuers() )
             {
                 certificates.add( certificate );
             }
         }

         return certificates.toArray( new X509Certificate[]{} );
     }


     /**
      * Return array of trust managers to caller.  Will verify that current date is within certs validity period.
      *
      * @param x509Chain contains input X.509 certificate chain.
      * @return array of X.509 trust managers.
      * @throws CertificateException if trustStoreFile instance variable is null.
      */
     private synchronized X509TrustManager[] getTrustManagers( X509Certificate[] x509Chain ) throws
         CertificateException
     {
         if ( LOG.isInfoEnabled() )
         {
             LOG.info( I18n.msg( I18n.MSG_04176_TRUST_MANAGER_ON_CLASSPATH, CLS_NM ) );
         }

         return getTrustManagersOnClasspath( x509Chain );
     }


     /**
      * Return array of trust managers to caller.  Will verify that current date is within certs validity period.
      *
      * @param x509Chain contains input X.509 certificate chain.
      * @return array of X.509 trust managers.
      * @throws CertificateException if trustStoreFile instance variable is null.
      */
     private synchronized X509TrustManager[] getTrustManagersOnClasspath( X509Certificate[] x509Chain ) throws
         CertificateException
     {
         // If true, verify the current date is within each certificates validity period.
         if ( isExamineValidityDates )
         {
             Date currentDate = new Date();

             for ( X509Certificate x509Cert : x509Chain )
             {
                 x509Cert.checkValidity( currentDate );
             }
         }

         InputStream trustStoreInputStream;

         if ( trustStoreFile != null )
         {
             try
             {
                 trustStoreInputStream = new FileInputStream( trustStoreFile );
             }
             catch ( IOException ioe )
             {
                 throw new CertificateException( I18n.err( I18n.ERR_04175_TRUST_STORE_FILE_NULL ) );
             }
         }
         else
         {
             trustStoreInputStream = getTrustStoreInputStream();
         }

         if ( trustStoreInputStream == null )
         {
             throw new CertificateException( I18n.err( I18n.ERR_04176_TRUST_MANAGER_NOT_FOUND ) );
         }
         try
         {
             trustStoreInputStream.close();
         }
         catch ( IOException e )
         {
             // Eat this ioexception because it shouldn't be a problem, but log just in case:
             LOG.warn( I18n.msg( I18n.MSG_04175_TRUST_MANAGER_IO_EXCEPTION, e.getMessage() ) );
         }

         return loadTrustManagers( getTrustStore() );
     }


     /**
      * Return an array of X.509 TrustManagers.
      *
      * @param trustStore handle to input trustStore
      * @return array of trust managers
      * @throws CertificateException if problem occurs during TrustManager initialization.
      */
     private X509TrustManager[] loadTrustManagers( KeyStore trustStore ) throws CertificateException
     {
         try
         {
             TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance( TrustManagerFactory
                 .getDefaultAlgorithm() );
             trustManagerFactory.init( trustStore );
             TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
             x509TrustManagers = new X509TrustManager[trustManagers.length];

             for ( int i = 0; i < trustManagers.length; i++ )
             {
                 x509TrustManagers[i] = ( X509TrustManager ) trustManagers[i];
             }
         }
         catch ( NoSuchAlgorithmException e )
         {
             throw new CertificateException( I18n.err( I18n.ERR_04177_NO_SUCH_ALGORITHM ), e );
         }
         catch ( KeyStoreException e )
         {
             throw new CertificateException( I18n.err( I18n.ERR_04178_CANT_LOAD_KEY_STORE ), e );
         }

         return x509TrustManagers;
     }


     /**
      * Load the TrustStore file into JSSE KeyStore instance.
      *
      * @return instance of JSSE KeyStore containing the LDAP Client's TrustStore file info.     *
      * @throws CertificateException if cannot process file load.
      */
     private KeyStore getTrustStore() throws CertificateException
     {
         KeyStore trustStore;

         try
         {
             trustStore = KeyStore.getInstance( trustStoreFormat );
         }
         catch ( KeyStoreException e )
         {
             throw new CertificateException( I18n.err( I18n.ERR_04178_CANT_LOAD_KEY_STORE ), e );
         }

         InputStream trustStoreInputStream = null;

         try
         {
             if ( trustStoreFile != null )
             {
                 trustStoreInputStream = new FileInputStream( trustStoreFile );
             }
             else
             {
                 trustStoreInputStream = getTrustStoreInputStream();
             }

             trustStore.load( trustStoreInputStream, trustStorePw );
         }
         catch ( NoSuchAlgorithmException e )
         {
             throw new CertificateException( I18n.err( I18n.ERR_04177_NO_SUCH_ALGORITHM ), e );
         }
         catch ( IOException e )
         {
             throw new CertificateException( I18n.err( I18n.ERR_04178_CANT_LOAD_KEY_STORE ), e );
         }
         finally
         {
             // Close the input stream.
             if ( trustStoreInputStream != null )
             {
                 try
                 {
                     trustStoreInputStream.close();
                 }
                 catch ( IOException e )
                 {
                     // Eat this ioexception because it shouldn't be a problem, but log just in case:
                     LOG.warn( I18n.err( I18n.ERR_04179_TRUST_STORE_CANT_BE_READ, e.getMessage() ) );
                 }
             }
         }

         return trustStore;
     }


     /**
      * Read the trust store off the classpath.
      *
      * @return handle to inputStream containing the trust store
      * @throws CertificateException If the file cannot be found
      */
     private InputStream getTrustStoreInputStream() throws CertificateException
     {
         ClassLoader classloader = Thread.currentThread().getContextClassLoader();
         InputStream result = classloader.getResourceAsStream( trustStoreFile );

         if ( null == result )
         {
             throw new CertificateException( I18n.err( I18n.ERR_04180_FILE_DOES_NOT_EXIST_ON_CLASSPATH ) );
         }

         return result;
     }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* https://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing,
	* software distributed under the License is distributed on an
	* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	* KIND, either express or implied. See the License for the
	* specific language governing permissions and limitations
	* under the License.
	*
	*/
	package org.apache.directory.ldap.client.api;


	import org.apache.directory.api.i18n.I18n;
	import org.slf4j.Logger;
	import org.slf4j.LoggerFactory;

	import javax.net.ssl.TrustManager;
	import javax.net.ssl.TrustManagerFactory;
	import javax.net.ssl.X509TrustManager;

	import java.io.FileInputStream;
	import java.io.IOException;
	import java.io.InputStream;
	import java.io.Serializable;
	import java.security.KeyStore;
	import java.security.KeyStoreException;
	import java.security.NoSuchAlgorithmException;
	import java.security.cert.CertificateException;
	import java.security.cert.X509Certificate;
	import java.util.ArrayList;
	import java.util.Date;
	import java.util.List;


	/**
	* Implement the X509TrustManager interface which will be used during JSSE truststore manager initialisation for LDAP
	* client-to-server communications over TLS/SSL.
	* It is used during certificate validation operations within JSSE.
	*
	* Note: This class allows self-signed certificates to pass the validation checks.
	*
	* @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
	*/
	public final class LdapClientTrustStoreManager implements X509TrustManager, Serializable
	{
	/** Default serialVersionUID */
	private static final long serialVersionUID = 1L;

	// Logging
	private static final String CLS_NM = LdapClientTrustStoreManager.class.getName();
	private static final Logger LOG = LoggerFactory.getLogger( CLS_NM );

	// Config variables
	private boolean isExamineValidityDates;
	private char[] trustStorePw;

	// This is found on the classpath if trust.store.onclasspath = true (default), otherwise must include exact location on filepath:
	private String trustStoreFile;
	private String trustStoreFormat;

	private X509TrustManager[] x509TrustManagers;


	/**
	* Constructor used by connection configuration utility to load trust store manager.
	*
	* @param trustStoreFile contains name of trust store file.
	* @param trustStorePw contains the password for trust store
	* @param trustStoreFormat contains the format for trust store
	* @param isExamineValidity boolean var determines if certificate will be examined for valid dates on load.
	*/
	public LdapClientTrustStoreManager( String trustStoreFile, char[] trustStorePw,
	String trustStoreFormat, boolean isExamineValidity )
	{
	if ( trustStoreFile == null )
	{
	// Cannot continue, throw an unchecked exception:
	throw new RuntimeException( I18n.err( I18n.ERR_04174_INPUT_FILE_NAME_NULL ) );
	}

	// contains the file name of a valid JSSE TrustStore found on classpath:
	this.trustStoreFile = trustStoreFile;

	// the password to the JSSE TrustStore:
	this.trustStorePw = trustStorePw.clone();

	// If true, verify the current date is within the validity period for every certificate in the TrustStore:
	this.isExamineValidityDates = isExamineValidity;

	if ( trustStoreFormat == null )
	{
	this.trustStoreFormat = KeyStore.getDefaultType();
	}
	else
	{
	this.trustStoreFormat = trustStoreFormat;
	}
	}


	/**
	* Determine if client certificate is to be trusted.
	*
	* @param x509Chain The certificate chain
	* @param authNType The key exchange algorithm being used
	* @throws CertificateException If the trustManager cannot be found
	*/
	public synchronized void checkClientTrusted( X509Certificate[] x509Chain, String authNType ) throws CertificateException
	{
	// For each certificate in the chain, check validity:
	for ( X509TrustManager trustMgr : getTrustManagers( x509Chain ) )
	{
	trustMgr.checkClientTrusted( x509Chain, authNType );
	}
	}


	/**
	* Determine if server certificate is to be trusted.
	*
	* @param x509Chain The certificate chain
	* @param authNType The key exchange algorithm being used
	* @throws CertificateException If the trustManager cannot be found
	*/
	public synchronized void checkServerTrusted( X509Certificate[] x509Chain, String authNType ) throws
	CertificateException
	{
	for ( X509TrustManager trustManager : getTrustManagers( x509Chain ) )
	{
	trustManager.checkServerTrusted( x509Chain, authNType );
	}
	}


	/**
	* Return the list of accepted issuers for this trust manager.
	*
	* @return array of accepted issuers
	*/
	public synchronized X509Certificate[] getAcceptedIssuers()
	{
	List<X509Certificate> certificates = new ArrayList<>();

	for ( X509TrustManager trustManager : x509TrustManagers )
	{
	for ( X509Certificate certificate : trustManager.getAcceptedIssuers() )
	{
	certificates.add( certificate );
	}
	}

	return certificates.toArray( new X509Certificate[]{} );
	}


	/**
	* Return array of trust managers to caller. Will verify that current date is within certs validity period.
	*
	* @param x509Chain contains input X.509 certificate chain.
	* @return array of X.509 trust managers.
	* @throws CertificateException if trustStoreFile instance variable is null.
	*/
	private synchronized X509TrustManager[] getTrustManagers( X509Certificate[] x509Chain ) throws
	CertificateException
	{
	if ( LOG.isInfoEnabled() )
	{
	LOG.info( I18n.msg( I18n.MSG_04176_TRUST_MANAGER_ON_CLASSPATH, CLS_NM ) );
	}

	return getTrustManagersOnClasspath( x509Chain );
	}


	/**
	* Return array of trust managers to caller. Will verify that current date is within certs validity period.
	*
	* @param x509Chain contains input X.509 certificate chain.
	* @return array of X.509 trust managers.
	* @throws CertificateException if trustStoreFile instance variable is null.
	*/
	private synchronized X509TrustManager[] getTrustManagersOnClasspath( X509Certificate[] x509Chain ) throws
	CertificateException
	{
	// If true, verify the current date is within each certificates validity period.
	if ( isExamineValidityDates )
	{
	Date currentDate = new Date();

	for ( X509Certificate x509Cert : x509Chain )
	{
	x509Cert.checkValidity( currentDate );
	}
	}

	InputStream trustStoreInputStream;

	if ( trustStoreFile != null )
	{
	try
	{
	trustStoreInputStream = new FileInputStream( trustStoreFile );
	}
	catch ( IOException ioe )
	{
	throw new CertificateException( I18n.err( I18n.ERR_04175_TRUST_STORE_FILE_NULL ) );
	}
	}
	else
	{
	trustStoreInputStream = getTrustStoreInputStream();
	}

	if ( trustStoreInputStream == null )
	{
	throw new CertificateException( I18n.err( I18n.ERR_04176_TRUST_MANAGER_NOT_FOUND ) );
	}
	try
	{
	trustStoreInputStream.close();
	}
	catch ( IOException e )
	{
	// Eat this ioexception because it shouldn't be a problem, but log just in case:
	LOG.warn( I18n.msg( I18n.MSG_04175_TRUST_MANAGER_IO_EXCEPTION, e.getMessage() ) );
	}

	return loadTrustManagers( getTrustStore() );
	}


	/**
	* Return an array of X.509 TrustManagers.
	*
	* @param trustStore handle to input trustStore
	* @return array of trust managers
	* @throws CertificateException if problem occurs during TrustManager initialization.
	*/
	private X509TrustManager[] loadTrustManagers( KeyStore trustStore ) throws CertificateException
	{
	try
	{
	TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance( TrustManagerFactory
	.getDefaultAlgorithm() );
	trustManagerFactory.init( trustStore );
	TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
	x509TrustManagers = new X509TrustManager[trustManagers.length];

	for ( int i = 0; i < trustManagers.length; i++ )
	{
	x509TrustManagers[i] = ( X509TrustManager ) trustManagers[i];
	}
	}
	catch ( NoSuchAlgorithmException e )
	{
	throw new CertificateException( I18n.err( I18n.ERR_04177_NO_SUCH_ALGORITHM ), e );
	}
	catch ( KeyStoreException e )
	{
	throw new CertificateException( I18n.err( I18n.ERR_04178_CANT_LOAD_KEY_STORE ), e );
	}

	return x509TrustManagers;
	}


	/**
	* Load the TrustStore file into JSSE KeyStore instance.
	*
	* @return instance of JSSE KeyStore containing the LDAP Client's TrustStore file info. *
	* @throws CertificateException if cannot process file load.
	*/
	private KeyStore getTrustStore() throws CertificateException
	{
	KeyStore trustStore;

	try
	{
	trustStore = KeyStore.getInstance( trustStoreFormat );
	}
	catch ( KeyStoreException e )
	{
	throw new CertificateException( I18n.err( I18n.ERR_04178_CANT_LOAD_KEY_STORE ), e );
	}

	InputStream trustStoreInputStream = null;

	try
	{
	if ( trustStoreFile != null )
	{
	trustStoreInputStream = new FileInputStream( trustStoreFile );
	}
	else
	{
	trustStoreInputStream = getTrustStoreInputStream();
	}

	trustStore.load( trustStoreInputStream, trustStorePw );
	}
	catch ( NoSuchAlgorithmException e )
	{
	throw new CertificateException( I18n.err( I18n.ERR_04177_NO_SUCH_ALGORITHM ), e );
	}
	catch ( IOException e )
	{
	throw new CertificateException( I18n.err( I18n.ERR_04178_CANT_LOAD_KEY_STORE ), e );
	}
	finally
	{
	// Close the input stream.
	if ( trustStoreInputStream != null )
	{
	try
	{
	trustStoreInputStream.close();
	}
	catch ( IOException e )
	{
	// Eat this ioexception because it shouldn't be a problem, but log just in case:
	LOG.warn( I18n.err( I18n.ERR_04179_TRUST_STORE_CANT_BE_READ, e.getMessage() ) );
	}
	}
	}

	return trustStore;
	}


	/**
	* Read the trust store off the classpath.
	*
	* @return handle to inputStream containing the trust store
	* @throws CertificateException If the file cannot be found
	*/
	private InputStream getTrustStoreInputStream() throws CertificateException
	{
	ClassLoader classloader = Thread.currentThread().getContextClassLoader();
	InputStream result = classloader.getResourceAsStream( trustStoreFile );

	if ( null == result )
	{
	throw new CertificateException( I18n.err( I18n.ERR_04180_FILE_DOES_NOT_EXIST_ON_CLASSPATH ) );
	}

	return result;
	}
	}