From eedffbd6752463d2b9bd6ef1a00945b952be2415 Mon Sep 17 00:00:00 2001 From: Rajith Muditha Attapattu Date: Mon, 15 Mar 2010 20:50:57 +0000 Subject: Moved the SSL code under the security package. git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@923433 13f79535-47bb-0310-9956-ffa450edef68 --- .../network/security/ssl/SSLReceiver.java | 184 +++++++++++++++ .../transport/network/security/ssl/SSLSender.java | 255 +++++++++++++++++++++ .../transport/network/security/ssl/SSLUtil.java | 113 +++++++++ .../qpid/transport/network/ssl/SSLReceiver.java | 184 --------------- .../qpid/transport/network/ssl/SSLSender.java | 255 --------------------- .../apache/qpid/transport/network/ssl/SSLUtil.java | 113 --------- 6 files changed, 552 insertions(+), 552 deletions(-) create mode 100644 qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLReceiver.java create mode 100644 qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLSender.java create mode 100644 qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java delete mode 100644 qpid/java/common/src/main/java/org/apache/qpid/transport/network/ssl/SSLReceiver.java delete mode 100644 qpid/java/common/src/main/java/org/apache/qpid/transport/network/ssl/SSLSender.java delete mode 100644 qpid/java/common/src/main/java/org/apache/qpid/transport/network/ssl/SSLUtil.java (limited to 'qpid/java/common/src') diff --git a/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLReceiver.java b/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLReceiver.java new file mode 100644 index 0000000000..73b2fcb731 --- /dev/null +++ b/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLReceiver.java @@ -0,0 +1,184 @@ +/* +* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ +package org.apache.qpid.transport.network.security.ssl; + +import java.nio.ByteBuffer; + +import javax.net.ssl.SSLEngine; +import javax.net.ssl.SSLEngineResult; +import javax.net.ssl.SSLException; +import javax.net.ssl.SSLEngineResult.HandshakeStatus; +import javax.net.ssl.SSLEngineResult.Status; + +import org.apache.qpid.transport.Receiver; +import org.apache.qpid.transport.TransportException; +import org.apache.qpid.transport.util.Logger; + +public class SSLReceiver implements Receiver +{ + private Receiver delegate; + private SSLEngine engine; + private SSLSender sender; + private int sslBufSize; + private ByteBuffer appData; + private ByteBuffer localBuffer; + private boolean dataCached = false; + private final Object notificationToken; + + private static final Logger log = Logger.get(SSLReceiver.class); + + public SSLReceiver(SSLEngine engine, Receiver delegate,SSLSender sender) + { + this.engine = engine; + this.delegate = delegate; + this.sender = sender; + this.sslBufSize = engine.getSession().getApplicationBufferSize(); + appData = ByteBuffer.allocate(sslBufSize); + localBuffer = ByteBuffer.allocate(sslBufSize); + notificationToken = sender.getNotificationToken(); + } + + public void closed() + { + delegate.closed(); + } + + public void exception(Throwable t) + { + delegate.exception(t); + } + + private ByteBuffer addPreviouslyUnreadData(ByteBuffer buf) + { + if (dataCached) + { + ByteBuffer b = ByteBuffer.allocate(localBuffer.remaining() + buf.remaining()); + b.put(localBuffer); + b.put(buf); + b.flip(); + dataCached = false; + return b; + } + else + { + return buf; + } + } + + public void received(ByteBuffer buf) + { + ByteBuffer netData = addPreviouslyUnreadData(buf); + + HandshakeStatus handshakeStatus; + Status status; + + while (netData.hasRemaining()) + { + try + { + SSLEngineResult result = engine.unwrap(netData, appData); + synchronized (notificationToken) + { + notificationToken.notifyAll(); + } + + int read = result.bytesProduced(); + status = result.getStatus(); + handshakeStatus = result.getHandshakeStatus(); + + if (read > 0) + { + int limit = appData.limit(); + appData.limit(appData.position()); + appData.position(appData.position() - read); + + ByteBuffer data = appData.slice(); + + appData.limit(limit); + appData.position(appData.position() + read); + + delegate.received(data); + } + + + switch(status) + { + case CLOSED: + synchronized(notificationToken) + { + notificationToken.notifyAll(); + } + return; + + case BUFFER_OVERFLOW: + appData = ByteBuffer.allocate(sslBufSize); + continue; + + case BUFFER_UNDERFLOW: + localBuffer.clear(); + localBuffer.put(netData); + localBuffer.flip(); + dataCached = true; + break; + + case OK: + break; // do nothing + + default: + throw new IllegalStateException("SSLReceiver: Invalid State " + status); + } + + switch (handshakeStatus) + { + case NEED_UNWRAP: + if (netData.hasRemaining()) + { + continue; + } + break; + + case NEED_TASK: + sender.doTasks(); + handshakeStatus = engine.getHandshakeStatus(); + + case NEED_WRAP: + case FINISHED: + case NOT_HANDSHAKING: + synchronized(notificationToken) + { + notificationToken.notifyAll(); + } + break; + + default: + throw new IllegalStateException("SSLReceiver: Invalid State " + status); + } + + + } + catch(SSLException e) + { + throw new TransportException("Error in SSLReceiver",e); + } + + } + } +} diff --git a/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLSender.java b/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLSender.java new file mode 100644 index 0000000000..bc1bee1e5d --- /dev/null +++ b/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLSender.java @@ -0,0 +1,255 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ +package org.apache.qpid.transport.network.security.ssl; + +import java.nio.ByteBuffer; +import java.util.concurrent.atomic.AtomicBoolean; + +import javax.net.ssl.SSLEngine; +import javax.net.ssl.SSLEngineResult; +import javax.net.ssl.SSLException; +import javax.net.ssl.SSLEngineResult.HandshakeStatus; +import javax.net.ssl.SSLEngineResult.Status; + +import org.apache.qpid.transport.Sender; +import org.apache.qpid.transport.SenderException; +import org.apache.qpid.transport.util.Logger; + +public class SSLSender implements Sender +{ + private Sender delegate; + private SSLEngine engine; + private int sslBufSize; + private ByteBuffer netData; + private long timeout = 30000; + + private final Object engineState = new Object(); + private final AtomicBoolean closed = new AtomicBoolean(false); + + private static final Logger log = Logger.get(SSLSender.class); + + public SSLSender(SSLEngine engine, Sender delegate) + { + this.engine = engine; + this.delegate = delegate; + sslBufSize = engine.getSession().getPacketBufferSize(); + netData = ByteBuffer.allocate(sslBufSize); + timeout = Long.getLong("qpid.ssl_timeout", 60000); + } + + public void close() + { + if (!closed.getAndSet(true)) + { + if (engine.isOutboundDone()) + { + return; + } + log.debug("Closing SSL connection"); + engine.closeOutbound(); + try + { + tearDownSSLConnection(); + } + catch(Exception e) + { + throw new SenderException("Error closing SSL connection",e); + } + + while (!engine.isOutboundDone()) + { + synchronized(engineState) + { + try + { + engineState.wait(); + } + catch(InterruptedException e) + { + // pass + } + } + } + delegate.close(); + } + } + + private void tearDownSSLConnection() throws Exception + { + SSLEngineResult result = engine.wrap(ByteBuffer.allocate(0), netData); + Status status = result.getStatus(); + int read = result.bytesProduced(); + while (status != Status.CLOSED) + { + if (status == Status.BUFFER_OVERFLOW) + { + netData.clear(); + } + if(read > 0) + { + int limit = netData.limit(); + netData.limit(netData.position()); + netData.position(netData.position() - read); + + ByteBuffer data = netData.slice(); + + netData.limit(limit); + netData.position(netData.position() + read); + + delegate.send(data); + flush(); + } + result = engine.wrap(ByteBuffer.allocate(0), netData); + status = result.getStatus(); + read = result.bytesProduced(); + } + } + + public void flush() + { + delegate.flush(); + } + + public void send(ByteBuffer appData) + { + if (closed.get()) + { + throw new SenderException("SSL Sender is closed"); + } + + HandshakeStatus handshakeStatus; + Status status; + + while(appData.hasRemaining()) + { + + int read = 0; + try + { + SSLEngineResult result = engine.wrap(appData, netData); + read = result.bytesProduced(); + status = result.getStatus(); + handshakeStatus = result.getHandshakeStatus(); + + } + catch(SSLException e) + { + throw new SenderException("SSL, Error occurred while encrypting data",e); + } + + if(read > 0) + { + int limit = netData.limit(); + netData.limit(netData.position()); + netData.position(netData.position() - read); + + ByteBuffer data = netData.slice(); + + netData.limit(limit); + netData.position(netData.position() + read); + + delegate.send(data); + } + + switch(status) + { + case CLOSED: + throw new SenderException("SSLEngine is closed"); + + case BUFFER_OVERFLOW: + netData.clear(); + continue; + + case OK: + break; // do nothing + + default: + throw new IllegalStateException("SSLReceiver: Invalid State " + status); + } + + switch (handshakeStatus) + { + case NEED_WRAP: + if (netData.hasRemaining()) + { + continue; + } + + case NEED_TASK: + doTasks(); + break; + + case NEED_UNWRAP: + flush(); + synchronized(engineState) + { + switch (engine.getHandshakeStatus()) + { + case NEED_UNWRAP: + long start = System.currentTimeMillis(); + try + { + engineState.wait(timeout); + } + catch(InterruptedException e) + { + // pass + } + + if (System.currentTimeMillis()- start >= timeout) + { + throw new SenderException( + "SSL Engine timed out waiting for a response." + + "To get more info,run with -Djavax.net.debug=ssl"); + } + break; + } + } + break; + + case FINISHED: + case NOT_HANDSHAKING: + break; //do nothing + + default: + throw new IllegalStateException("SSLReceiver: Invalid State " + status); + } + + } + } + + public void doTasks() + { + Runnable runnable; + while ((runnable = engine.getDelegatedTask()) != null) { + runnable.run(); + } + } + + public Object getNotificationToken() + { + return engineState; + } + + public void setIdleTimeout(int i) + { + delegate.setIdleTimeout(i); + } +} diff --git a/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java b/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java new file mode 100644 index 0000000000..f74a6ecae4 --- /dev/null +++ b/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java @@ -0,0 +1,113 @@ +package org.apache.qpid.transport.network.security.ssl; + +import java.security.Principal; +import java.security.cert.Certificate; +import java.security.cert.X509Certificate; + +import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLEngine; +import javax.net.ssl.SSLPeerUnverifiedException; + +import org.apache.qpid.ssl.SSLContextFactory; +import org.apache.qpid.transport.ConnectionSettings; +import org.apache.qpid.transport.TransportException; +import org.apache.qpid.transport.util.Logger; + +public class SSLUtil +{ + private static final Logger log = Logger.get(SSLUtil.class); + + public static void verifyHostname(SSLEngine engine,String hostnameExpected) + { + try + { + Certificate cert = engine.getSession().getPeerCertificates()[0]; + Principal p = ((X509Certificate)cert).getSubjectDN(); + String dn = p.getName(); + String hostname = null; + + if (dn.contains("CN=")) + { + hostname = dn.substring(3, dn.indexOf(",")); + } + + if (log.isDebugEnabled()) + { + log.debug("Hostname expected : " + hostnameExpected); + log.debug("Distinguished Name for server certificate : " + dn); + log.debug("Host Name obtained from DN : " + hostname); + } + + if (hostname != null && hostname.equalsIgnoreCase(hostnameExpected)) + { + throw new TransportException("SSL hostname verification failed." + + " Expected : " + hostnameExpected + + " Found in cert : " + hostname); + } + + } + catch(SSLPeerUnverifiedException e) + { + log.warn("Exception received while trying to verify hostname",e); + // For some reason the SSL engine sets the handshake status to FINISH twice + // in succession. For some reason the first time the peer certificate + // info is not available. The second time it works ! + // Therefore have no choice but to ignore the exception here. + } + } + + public static String retriveIdentity(SSLEngine engine) + { + StringBuffer id = new StringBuffer(); + try + { + Certificate cert = engine.getSession().getPeerCertificates()[0]; + Principal p = ((X509Certificate)cert).getSubjectDN(); + String dn = p.getName(); + + if (dn.contains("CN=")) + { + id.append(dn.substring(3, + dn.indexOf(",") == -1? dn.length(): dn.indexOf(","))); + } + + if (dn.contains("DC=")) + { + id.append("@"); + int c = 0; + for (String toks : dn.split(",")) + { + if (toks.contains("DC")) + { + if (c > 0) {id.append(".");} + id.append(toks.substring( + toks.indexOf("=")+1, + toks.indexOf(",") == -1? toks.length(): toks.indexOf(","))); + c++; + } + } + } + } + catch(Exception e) + { + log.info("Exception received while trying to retrive client identity from SSL cert",e); + } + + log.debug("Extracted Identity from client certificate : " + id); + return id.toString(); + } + + public static SSLContext createSSLContext(ConnectionSettings settings) throws Exception + { + + SSLContextFactory sslContextFactory = new SSLContextFactory(settings.getTrustStorePath(), + settings.getTrustStorePassword(), + settings.getTrustStoreCertType(), + settings.getKeyStorePath(), + settings.getKeyStorePassword(), + settings.getKeyStoreCertType()); + + return sslContextFactory.buildServerContext(); + + } +} diff --git a/qpid/java/common/src/main/java/org/apache/qpid/transport/network/ssl/SSLReceiver.java b/qpid/java/common/src/main/java/org/apache/qpid/transport/network/ssl/SSLReceiver.java deleted file mode 100644 index e6e6c5f791..0000000000 --- a/qpid/java/common/src/main/java/org/apache/qpid/transport/network/ssl/SSLReceiver.java +++ /dev/null @@ -1,184 +0,0 @@ -/* -* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - * - */ -package org.apache.qpid.transport.network.ssl; - -import java.nio.ByteBuffer; - -import javax.net.ssl.SSLEngine; -import javax.net.ssl.SSLEngineResult; -import javax.net.ssl.SSLException; -import javax.net.ssl.SSLEngineResult.HandshakeStatus; -import javax.net.ssl.SSLEngineResult.Status; - -import org.apache.qpid.transport.Receiver; -import org.apache.qpid.transport.TransportException; -import org.apache.qpid.transport.util.Logger; - -public class SSLReceiver implements Receiver -{ - private Receiver delegate; - private SSLEngine engine; - private SSLSender sender; - private int sslBufSize; - private ByteBuffer appData; - private ByteBuffer localBuffer; - private boolean dataCached = false; - private final Object notificationToken; - - private static final Logger log = Logger.get(SSLReceiver.class); - - public SSLReceiver(SSLEngine engine, Receiver delegate,SSLSender sender) - { - this.engine = engine; - this.delegate = delegate; - this.sender = sender; - this.sslBufSize = engine.getSession().getApplicationBufferSize(); - appData = ByteBuffer.allocate(sslBufSize); - localBuffer = ByteBuffer.allocate(sslBufSize); - notificationToken = sender.getNotificationToken(); - } - - public void closed() - { - delegate.closed(); - } - - public void exception(Throwable t) - { - delegate.exception(t); - } - - private ByteBuffer addPreviouslyUnreadData(ByteBuffer buf) - { - if (dataCached) - { - ByteBuffer b = ByteBuffer.allocate(localBuffer.remaining() + buf.remaining()); - b.put(localBuffer); - b.put(buf); - b.flip(); - dataCached = false; - return b; - } - else - { - return buf; - } - } - - public void received(ByteBuffer buf) - { - ByteBuffer netData = addPreviouslyUnreadData(buf); - - HandshakeStatus handshakeStatus; - Status status; - - while (netData.hasRemaining()) - { - try - { - SSLEngineResult result = engine.unwrap(netData, appData); - synchronized (notificationToken) - { - notificationToken.notifyAll(); - } - - int read = result.bytesProduced(); - status = result.getStatus(); - handshakeStatus = result.getHandshakeStatus(); - - if (read > 0) - { - int limit = appData.limit(); - appData.limit(appData.position()); - appData.position(appData.position() - read); - - ByteBuffer data = appData.slice(); - - appData.limit(limit); - appData.position(appData.position() + read); - - delegate.received(data); - } - - - switch(status) - { - case CLOSED: - synchronized(notificationToken) - { - notificationToken.notifyAll(); - } - return; - - case BUFFER_OVERFLOW: - appData = ByteBuffer.allocate(sslBufSize); - continue; - - case BUFFER_UNDERFLOW: - localBuffer.clear(); - localBuffer.put(netData); - localBuffer.flip(); - dataCached = true; - break; - - case OK: - break; // do nothing - - default: - throw new IllegalStateException("SSLReceiver: Invalid State " + status); - } - - switch (handshakeStatus) - { - case NEED_UNWRAP: - if (netData.hasRemaining()) - { - continue; - } - break; - - case NEED_TASK: - sender.doTasks(); - handshakeStatus = engine.getHandshakeStatus(); - - case NEED_WRAP: - case FINISHED: - case NOT_HANDSHAKING: - synchronized(notificationToken) - { - notificationToken.notifyAll(); - } - break; - - default: - throw new IllegalStateException("SSLReceiver: Invalid State " + status); - } - - - } - catch(SSLException e) - { - throw new TransportException("Error in SSLReceiver",e); - } - - } - } -} diff --git a/qpid/java/common/src/main/java/org/apache/qpid/transport/network/ssl/SSLSender.java b/qpid/java/common/src/main/java/org/apache/qpid/transport/network/ssl/SSLSender.java deleted file mode 100644 index bd5662a5fb..0000000000 --- a/qpid/java/common/src/main/java/org/apache/qpid/transport/network/ssl/SSLSender.java +++ /dev/null @@ -1,255 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - * - */ -package org.apache.qpid.transport.network.ssl; - -import java.nio.ByteBuffer; -import java.util.concurrent.atomic.AtomicBoolean; - -import javax.net.ssl.SSLEngine; -import javax.net.ssl.SSLEngineResult; -import javax.net.ssl.SSLException; -import javax.net.ssl.SSLEngineResult.HandshakeStatus; -import javax.net.ssl.SSLEngineResult.Status; - -import org.apache.qpid.transport.Sender; -import org.apache.qpid.transport.SenderException; -import org.apache.qpid.transport.util.Logger; - -public class SSLSender implements Sender -{ - private Sender delegate; - private SSLEngine engine; - private int sslBufSize; - private ByteBuffer netData; - private long timeout = 30000; - - private final Object engineState = new Object(); - private final AtomicBoolean closed = new AtomicBoolean(false); - - private static final Logger log = Logger.get(SSLSender.class); - - public SSLSender(SSLEngine engine, Sender delegate) - { - this.engine = engine; - this.delegate = delegate; - sslBufSize = engine.getSession().getPacketBufferSize(); - netData = ByteBuffer.allocate(sslBufSize); - timeout = Long.getLong("qpid.ssl_timeout", 60000); - } - - public void close() - { - if (!closed.getAndSet(true)) - { - if (engine.isOutboundDone()) - { - return; - } - log.debug("Closing SSL connection"); - engine.closeOutbound(); - try - { - tearDownSSLConnection(); - } - catch(Exception e) - { - throw new SenderException("Error closing SSL connection",e); - } - - while (!engine.isOutboundDone()) - { - synchronized(engineState) - { - try - { - engineState.wait(); - } - catch(InterruptedException e) - { - // pass - } - } - } - delegate.close(); - } - } - - private void tearDownSSLConnection() throws Exception - { - SSLEngineResult result = engine.wrap(ByteBuffer.allocate(0), netData); - Status status = result.getStatus(); - int read = result.bytesProduced(); - while (status != Status.CLOSED) - { - if (status == Status.BUFFER_OVERFLOW) - { - netData.clear(); - } - if(read > 0) - { - int limit = netData.limit(); - netData.limit(netData.position()); - netData.position(netData.position() - read); - - ByteBuffer data = netData.slice(); - - netData.limit(limit); - netData.position(netData.position() + read); - - delegate.send(data); - flush(); - } - result = engine.wrap(ByteBuffer.allocate(0), netData); - status = result.getStatus(); - read = result.bytesProduced(); - } - } - - public void flush() - { - delegate.flush(); - } - - public void send(ByteBuffer appData) - { - if (closed.get()) - { - throw new SenderException("SSL Sender is closed"); - } - - HandshakeStatus handshakeStatus; - Status status; - - while(appData.hasRemaining()) - { - - int read = 0; - try - { - SSLEngineResult result = engine.wrap(appData, netData); - read = result.bytesProduced(); - status = result.getStatus(); - handshakeStatus = result.getHandshakeStatus(); - - } - catch(SSLException e) - { - throw new SenderException("SSL, Error occurred while encrypting data",e); - } - - if(read > 0) - { - int limit = netData.limit(); - netData.limit(netData.position()); - netData.position(netData.position() - read); - - ByteBuffer data = netData.slice(); - - netData.limit(limit); - netData.position(netData.position() + read); - - delegate.send(data); - } - - switch(status) - { - case CLOSED: - throw new SenderException("SSLEngine is closed"); - - case BUFFER_OVERFLOW: - netData.clear(); - continue; - - case OK: - break; // do nothing - - default: - throw new IllegalStateException("SSLReceiver: Invalid State " + status); - } - - switch (handshakeStatus) - { - case NEED_WRAP: - if (netData.hasRemaining()) - { - continue; - } - - case NEED_TASK: - doTasks(); - break; - - case NEED_UNWRAP: - flush(); - synchronized(engineState) - { - switch (engine.getHandshakeStatus()) - { - case NEED_UNWRAP: - long start = System.currentTimeMillis(); - try - { - engineState.wait(timeout); - } - catch(InterruptedException e) - { - // pass - } - - if (System.currentTimeMillis()- start >= timeout) - { - throw new SenderException( - "SSL Engine timed out waiting for a response." + - "To get more info,run with -Djavax.net.debug=ssl"); - } - break; - } - } - break; - - case FINISHED: - case NOT_HANDSHAKING: - break; //do nothing - - default: - throw new IllegalStateException("SSLReceiver: Invalid State " + status); - } - - } - } - - public void doTasks() - { - Runnable runnable; - while ((runnable = engine.getDelegatedTask()) != null) { - runnable.run(); - } - } - - public Object getNotificationToken() - { - return engineState; - } - - public void setIdleTimeout(int i) - { - delegate.setIdleTimeout(i); - } -} diff --git a/qpid/java/common/src/main/java/org/apache/qpid/transport/network/ssl/SSLUtil.java b/qpid/java/common/src/main/java/org/apache/qpid/transport/network/ssl/SSLUtil.java deleted file mode 100644 index 044f8fb464..0000000000 --- a/qpid/java/common/src/main/java/org/apache/qpid/transport/network/ssl/SSLUtil.java +++ /dev/null @@ -1,113 +0,0 @@ -package org.apache.qpid.transport.network.ssl; - -import java.security.Principal; -import java.security.cert.Certificate; -import java.security.cert.X509Certificate; - -import javax.net.ssl.SSLContext; -import javax.net.ssl.SSLEngine; -import javax.net.ssl.SSLPeerUnverifiedException; - -import org.apache.qpid.ssl.SSLContextFactory; -import org.apache.qpid.transport.ConnectionSettings; -import org.apache.qpid.transport.TransportException; -import org.apache.qpid.transport.util.Logger; - -public class SSLUtil -{ - private static final Logger log = Logger.get(SSLUtil.class); - - public static void verifyHostname(SSLEngine engine,String hostnameExpected) - { - try - { - Certificate cert = engine.getSession().getPeerCertificates()[0]; - Principal p = ((X509Certificate)cert).getSubjectDN(); - String dn = p.getName(); - String hostname = null; - - if (dn.contains("CN=")) - { - hostname = dn.substring(3, dn.indexOf(",")); - } - - if (log.isDebugEnabled()) - { - log.debug("Hostname expected : " + hostnameExpected); - log.debug("Distinguished Name for server certificate : " + dn); - log.debug("Host Name obtained from DN : " + hostname); - } - - if (hostname != null && hostname.equalsIgnoreCase(hostnameExpected)) - { - throw new TransportException("SSL hostname verification failed." + - " Expected : " + hostnameExpected + - " Found in cert : " + hostname); - } - - } - catch(SSLPeerUnverifiedException e) - { - log.warn("Exception received while trying to verify hostname",e); - // For some reason the SSL engine sets the handshake status to FINISH twice - // in succession. For some reason the first time the peer certificate - // info is not available. The second time it works ! - // Therefore have no choice but to ignore the exception here. - } - } - - public static String retriveIdentity(SSLEngine engine) - { - StringBuffer id = new StringBuffer(); - try - { - Certificate cert = engine.getSession().getPeerCertificates()[0]; - Principal p = ((X509Certificate)cert).getSubjectDN(); - String dn = p.getName(); - - if (dn.contains("CN=")) - { - id.append(dn.substring(3, - dn.indexOf(",") == -1? dn.length(): dn.indexOf(","))); - } - - if (dn.contains("DC=")) - { - id.append("@"); - int c = 0; - for (String toks : dn.split(",")) - { - if (toks.contains("DC")) - { - if (c > 0) {id.append(".");} - id.append(toks.substring( - toks.indexOf("=")+1, - toks.indexOf(",") == -1? toks.length(): toks.indexOf(","))); - c++; - } - } - } - } - catch(Exception e) - { - log.info("Exception received while trying to retrive client identity from SSL cert",e); - } - - log.debug("Extracted Identity from client certificate : " + id); - return id.toString(); - } - - public static SSLContext createSSLContext(ConnectionSettings settings) throws Exception - { - - SSLContextFactory sslContextFactory = new SSLContextFactory(settings.getTrustStorePath(), - settings.getTrustStorePassword(), - settings.getTrustStoreCertType(), - settings.getKeyStorePath(), - settings.getKeyStorePassword(), - settings.getKeyStoreCertType()); - - return sslContextFactory.buildServerContext(); - - } -} -- cgit v1.2.1