/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License, Version 1.0 only
* (the "License"). You may not use this file except in compliance
* with the License.
*
* You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
* or http://forgerock.org/license/CDDLv1.0.html.
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at legal-notices/CDDLv1_0.txt.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information:
* Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*
*
* Copyright 2006-2008 Sun Microsystems, Inc.
* Portions Copyright 2013-2015 ForgeRock AS
*/
package org.opends.server.tools;
import java.io.FileInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Provider;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.opends.server.extensions.BlindTrustManagerProvider;
import org.forgerock.i18n.slf4j.LocalizedLogger;
import org.opends.server.util.CollectionUtils;
import org.opends.server.util.ExpirationCheckTrustManager;
import org.opends.server.util.SelectableCertificateKeyManager;
import static org.opends.messages.ToolMessages.*;
/**
* This class provides SSL connection related utility functions.
*/
public class SSLConnectionFactory
{
private static final LocalizedLogger logger = LocalizedLogger.getLoggerForThisClass();
private SSLSocketFactory sslSocketFactory;
/**
* Constructor for the SSL connection factory.
*/
public SSLConnectionFactory()
{
}
/**
* Initialize the connection factory by creating the key and
* trust managers for the SSL connection.
*
* @param trustAll Indicates whether to blindly trust all
* certificates.
* @param keyStorePath The path to the key store file.
* @param keyStorePassword The PIN to use to access the key store
* contents.
* @param clientAlias The alias to use for the client certificate.
* @param trustStorePath The path to the trust store file.
* @param trustStorePassword The PIN to use to access the trust store
* contents.
*
* @throws SSLConnectionException If a problem occurs while initializing the
* connection factory.
*/
public void init(boolean trustAll, String keyStorePath,
String keyStorePassword, String clientAlias,
String trustStorePath, String trustStorePassword)
throws SSLConnectionException
{
try
{
SSLContext ctx = SSLContext.getInstance("TLS");
KeyManager[] keyManagers = null;
TrustManager[] trustManagers = null;
if(trustAll)
{
BlindTrustManagerProvider blindTrustProvider =
new BlindTrustManagerProvider();
trustManagers = blindTrustProvider.getTrustManagers();
} else if (trustStorePath == null) {
trustManagers = PromptTrustManager.getTrustManagers();
} else
{
TrustManager[] tmpTrustManagers =
getTrustManagers(KeyStore.getDefaultType(), null, trustStorePath,
trustStorePassword);
trustManagers = new TrustManager[tmpTrustManagers.length];
for (int i=0; i < trustManagers.length; i++)
{
trustManagers[i] =
new ExpirationCheckTrustManager((X509TrustManager)
tmpTrustManagers[i]);
}
}
if(keyStorePath != null)
{
keyManagers = getKeyManagers(KeyStore.getDefaultType(), null,
keyStorePath, keyStorePassword);
if (clientAlias != null)
{
keyManagers = SelectableCertificateKeyManager.wrap(keyManagers, CollectionUtils.newTreeSet(clientAlias));
}
}
ctx.init(keyManagers, trustManagers, new java.security.SecureRandom());
sslSocketFactory = ctx.getSocketFactory();
} catch(Exception e)
{
throw new SSLConnectionException(
ERR_TOOLS_CANNOT_CREATE_SSL_CONNECTION.get(e.getMessage()), e);
}
}
/**
* Create the SSL socket connection to the specified host.
*
* @param hostName The address of the system to which the connection
* should be established.
* @param portNumber The port number to which the connection should be
* established.
*
* @return The SSL socket established to the specified host.
*
* @throws SSLConnectionException If a problem occurs while performing SSL
* negotiation.
*
* @throws IOException If a problem occurs while attempting to communicate
* with the server.
*/
public Socket createSocket(String hostName, int portNumber)
throws SSLConnectionException, IOException
{
if(sslSocketFactory == null)
{
throw new SSLConnectionException(
ERR_TOOLS_SSL_CONNECTION_NOT_INITIALIZED.get());
}
return sslSocketFactory.createSocket(hostName, portNumber);
}
/**
* Create the SSL socket connection to the specified host.
*
* @param host
* The address of the system to which the connection should be
* established.
* @param portNumber
* The port number to which the connection should be established.
* @return The SSL socket established to the specified host.
* @throws SSLConnectionException
* If a problem occurs while performing SSL negotiation.
* @throws IOException
* If a problem occurs while attempting to communicate with the
* server.
*/
public Socket createSocket(InetAddress host, int portNumber)
throws SSLConnectionException, IOException
{
if (sslSocketFactory == null)
{
throw new SSLConnectionException(ERR_TOOLS_SSL_CONNECTION_NOT_INITIALIZED
.get());
}
return sslSocketFactory.createSocket(host, portNumber);
}
/**
* Create the SSL socket connection to the specified host layered over
* an existing socket.
*
* @param s The socket to use for the existing connection.
* @param hostName The address of the system to which the connection
* should be established.
* @param portNumber The port number to which the connection should be
* established.
* @param autoClose Indicates whether the underlying connection should be
* automatically closed when the SSL session is ended.
*
* @return The SSL socket established to the specified host.
*
* @throws SSLConnectionException If a problem occurs while performing SSL
* negotiation.
*
* @throws IOException If a problem occurs while attempting to communicate
* with the server.
*/
public Socket createSocket(Socket s, String hostName, int portNumber,
boolean autoClose)
throws SSLConnectionException, IOException
{
if(sslSocketFactory == null)
{
throw new SSLConnectionException(
ERR_TOOLS_SSL_CONNECTION_NOT_INITIALIZED.get());
}
return sslSocketFactory.createSocket(s, hostName, portNumber, autoClose);
}
/**
* Retrieves a set of <CODE>KeyManager</CODE> objects that may be used for
* interactions requiring access to a key manager.
*
* @param keyStoreType The key store type to use with the specified file.
* @param provider The provider to use when accessing the key store.
* @param keyStoreFile The path to the file containing the key store data.
* @param keyStorePass The PIN needed to access the key store contents.
*
* @return A set of <CODE>KeyManager</CODE> objects that may be used for
* interactions requiring access to a key manager.
*
* @throws KeyStoreException If a problem occurs while interacting with the
* key store.
*
* @throws SSLConnectionException If a problem occurs while trying to load
* key store file.
*/
private KeyManager[] getKeyManagers(String keyStoreType,
Provider provider,
String keyStoreFile,
String keyStorePass)
throws KeyStoreException, SSLConnectionException
{
if(keyStoreFile == null)
{
// Lookup the file name through the JDK property.
keyStoreFile = getKeyStore();
}
if(keyStorePass == null)
{
// Lookup the keystore PIN through the JDK property.
keyStorePass = getKeyStorePIN();
}
KeyStore ks = null;
if(provider != null)
{
ks = KeyStore.getInstance(keyStoreType, provider);
} else
{
ks = KeyStore.getInstance(keyStoreType);
}
char[] keyStorePIN = null;
if(keyStorePass != null)
{
keyStorePIN = keyStorePass.toCharArray();
}
try
{
FileInputStream inputStream = new FileInputStream(keyStoreFile);
ks.load(inputStream, keyStorePIN);
inputStream.close();
} catch(Exception e)
{
logger.traceException(e);
throw new SSLConnectionException(
ERR_TOOLS_CANNOT_LOAD_KEYSTORE_FILE.get(keyStoreFile), e);
}
try
{
String keyManagerAlgorithm = KeyManagerFactory.getDefaultAlgorithm();
KeyManagerFactory keyManagerFactory =
KeyManagerFactory.getInstance(keyManagerAlgorithm);
keyManagerFactory.init(ks, keyStorePIN);
return keyManagerFactory.getKeyManagers();
} catch(Exception ke)
{
logger.traceException(ke);
throw new SSLConnectionException(
ERR_TOOLS_CANNOT_INIT_KEYMANAGER.get(keyStoreFile), ke);
}
}
/**
* Retrieves a set of <CODE>TrustManager</CODE> objects that may be used for
* interactions requiring access to a trust manager.
*
* @param trustStoreType The trust store type to use with the specified
* file.
* @param provider The provider to use when accessing the trust store.
* @param trustStoreFile The path to the file containing the trust store
* data.
* @param trustStorePass The PIN needed to access the trust store contents.
*
* @return A set of <CODE>TrustManager</CODE> objects that may be used for
* interactions requiring access to a trust manager.
*
* @throws KeyStoreException If a problem occurs while interacting with the
* trust store.
*
* @throws SSLConnectionException If a problem occurs while trying to load
* trust store file.
*/
private TrustManager[] getTrustManagers(String trustStoreType,
Provider provider,
String trustStoreFile,
String trustStorePass)
throws KeyStoreException, SSLConnectionException
{
if(trustStoreFile == null)
{
trustStoreFile = getTrustStore();
// No trust store file available.
if(trustStoreFile == null)
{
return null;
}
}
if(trustStorePass == null)
{
trustStorePass = getTrustStorePIN();
}
KeyStore trustStore = null;
if(provider != null)
{
trustStore = KeyStore.getInstance(trustStoreType, provider);
} else
{
trustStore = KeyStore.getInstance(trustStoreType);
}
char[] trustStorePIN = null;
if(trustStorePass != null)
{
trustStorePIN = trustStorePass.toCharArray();
}
try
{
FileInputStream inputStream = new FileInputStream(trustStoreFile);
trustStore.load(inputStream, trustStorePIN);
inputStream.close();
} catch(Exception e)
{
logger.traceException(e);
throw new SSLConnectionException(
ERR_TOOLS_CANNOT_LOAD_TRUSTSTORE_FILE.get(trustStoreFile), e);
}
try
{
String trustManagerAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory trustManagerFactory =
TrustManagerFactory.getInstance(trustManagerAlgorithm);
trustManagerFactory.init(trustStore);
return trustManagerFactory.getTrustManagers();
} catch(Exception ke)
{
logger.traceException(ke);
throw new SSLConnectionException(
ERR_TOOLS_CANNOT_INIT_TRUSTMANAGER.get(trustStoreFile), ke);
}
}
/**
* Read the KeyStore PIN from the JSSE system property.
*
* @return The PIN that should be used to access the key store.
*/
private String getKeyStorePIN()
{
return System.getProperty("javax.net.ssl.keyStorePassword");
}
/**
* Read the TrustStore PIN from the JSSE system property.
*
* @return The PIN that should be used to access the trust store.
*/
private String getTrustStorePIN()
{
return System.getProperty("javax.net.ssl.trustStorePassword");
}
/**
* Read the KeyStore from the JSSE system property.
*
* @return The path to the key store file.
*/
private String getKeyStore()
{
return System.getProperty("javax.net.ssl.keyStore");
}
/**
* Read the TrustStore from the JSSE system property.
*
* @return The path to the trust store file.
*/
private String getTrustStore()
{
return System.getProperty("javax.net.ssl.trustStore");
}
}