Added utility methods to be used in providing a solution for QPID-2445

git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@922479 13f79535-47bb-0310-9956-ffa450edef68
author: Rajith Muditha Attapattu <rajith@apache.org> 2010-03-13 04:01:50 +0000
committer: Rajith Muditha Attapattu <rajith@apache.org> 2010-03-13 04:01:50 +0000
commit: 8be215a44e237bf28e8d4a772bed8a6b5a4d05d9 (patch)
tree: 742e3387978d5a8f2f629157b3060928cfc274bc /java
parent: 65565d86ede11c781f6faf1b8b7a705452e25dff (diff)
download: qpid-python-8be215a44e237bf28e8d4a772bed8a6b5a4d05d9.tar.gz
1 files changed, 113 insertions, 0 deletions
diff --git a/java/common/src/main/java/org/apache/qpid/transport/network/ssl/SSLUtil.java b/java/common/src/main/java/org/apache/qpid/transport/network/ssl/SSLUtil.java
new file mode 100644
index 0000000000..044f8fb464
--- /dev/null
+++ b/java/common/src/main/java/org/apache/qpid/transport/network/ssl/SSLUtil.java
@@ -0,0 +1,113 @@
+package org.apache.qpid.transport.network.ssl;
+
+import java.security.Principal;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLPeerUnverifiedException;
+
+import org.apache.qpid.ssl.SSLContextFactory;
+import org.apache.qpid.transport.ConnectionSettings;
+import org.apache.qpid.transport.TransportException;
+import org.apache.qpid.transport.util.Logger;
+
+public class SSLUtil
+{
+    private static final Logger log = Logger.get(SSLUtil.class);
+    
+    public static void verifyHostname(SSLEngine engine,String hostnameExpected)
+    {
+        try
+        {
+          Certificate cert = engine.getSession().getPeerCertificates()[0];
+          Principal p = ((X509Certificate)cert).getSubjectDN();
+          String dn = p.getName();
+          String hostname = null; 
+          
+          if (dn.contains("CN="))
+          {
+              hostname = dn.substring(3, dn.indexOf(","));
+          }   
+          
+          if (log.isDebugEnabled())
+          {
+              log.debug("Hostname expected : " + hostnameExpected);
+              log.debug("Distinguished Name for server certificate : " + dn);
+              log.debug("Host Name obtained from DN : " + hostname);
+          }
+          
+          if (hostname != null && hostname.equalsIgnoreCase(hostnameExpected))
+          {
+              throw new TransportException("SSL hostname verification failed." +
+                                           " Expected : " + hostnameExpected +
+                                           " Found in cert : " + hostname);
+          }
+          
+        }
+        catch(SSLPeerUnverifiedException e)
+        {
+            log.warn("Exception received while trying to verify hostname",e);
+            // For some reason the SSL engine sets the handshake status to FINISH twice
+            // in succession. For some reason the first time the peer certificate 
+            // info is not available. The second time it works !
+            // Therefore have no choice but to ignore the exception here.
+        }
+    }
+    
+    public static String retriveIdentity(SSLEngine engine)
+    {
+        StringBuffer id = new StringBuffer(); 
+        try
+        {
+          Certificate cert = engine.getSession().getPeerCertificates()[0];
+          Principal p = ((X509Certificate)cert).getSubjectDN();
+          String dn = p.getName();
+                    
+          if (dn.contains("CN="))
+          {
+              id.append(dn.substring(3,
+                      dn.indexOf(",") == -1? dn.length(): dn.indexOf(",")));
+          } 
+          
+          if (dn.contains("DC="))
+          {
+              id.append("@");
+              int c = 0;
+              for (String toks : dn.split(","))
+              {
+                  if (toks.contains("DC"))
+                  {
+                     if (c > 0) {id.append(".");}                         
+                     id.append(toks.substring(
+                             toks.indexOf("=")+1, 
+                             toks.indexOf(",") == -1? toks.length(): toks.indexOf(",")));
+                     c++;
+                  }
+              }
+          }
+        }
+        catch(Exception e)
+        {
+            log.info("Exception received while trying to retrive client identity from SSL cert",e);
+        }
+        
+        log.debug("Extracted Identity from client certificate : " + id);
+        return id.toString();
+    }
+    
+    public static SSLContext createSSLContext(ConnectionSettings settings) throws Exception
+    {
+        
+        SSLContextFactory sslContextFactory = new SSLContextFactory(settings.getTrustStorePath(),
+                                                                    settings.getTrustStorePassword(),
+                                                                    settings.getTrustStoreCertType(),
+                                                                    settings.getKeyStorePath(),
+                                                                    settings.getKeyStorePassword(),
+                                                                    settings.getKeyStoreCertType());
+        
+        return sslContextFactory.buildServerContext();
+        
+    }
+}
author	Rajith Muditha Attapattu <rajith@apache.org>	2010-03-13 04:01:50 +0000
committer	Rajith Muditha Attapattu <rajith@apache.org>	2010-03-13 04:01:50 +0000
commit	8be215a44e237bf28e8d4a772bed8a6b5a4d05d9 (patch)
tree	742e3387978d5a8f2f629157b3060928cfc274bc /java
parent	65565d86ede11c781f6faf1b8b7a705452e25dff (diff)
download	qpid-python-8be215a44e237bf28e8d4a772bed8a6b5a4d05d9.tar.gz