You are viewing a plain text version of this content. The canonical link for it is here.
Posted to scm@geronimo.apache.org by ga...@apache.org on 2012/12/11 21:38:56 UTC
svn commit: r1420389 - in /geronimo/bundles/trunk/commons-httpclient: ./
src/main/java/org/apache/commons/httpclient/protocol/
Author: gawor
Date: Tue Dec 11 20:38:52 2012
New Revision: 1420389
URL: http://svn.apache.org/viewvc?rev=1420389&view=rev
Log:
GERONIMO-6406: Fix commons-httpclient SSL issue
Added:
geronimo/bundles/trunk/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/
geronimo/bundles/trunk/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/AbstractVerifier.java (with props)
geronimo/bundles/trunk/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/BrowserCompatHostnameVerifier.java (with props)
geronimo/bundles/trunk/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/InetAddressUtils.java (with props)
geronimo/bundles/trunk/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java (with props)
geronimo/bundles/trunk/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/X509HostnameVerifier.java (with props)
Modified:
geronimo/bundles/trunk/commons-httpclient/pom.xml
Modified: geronimo/bundles/trunk/commons-httpclient/pom.xml
URL: http://svn.apache.org/viewvc/geronimo/bundles/trunk/commons-httpclient/pom.xml?rev=1420389&r1=1420388&r2=1420389&view=diff
==============================================================================
--- geronimo/bundles/trunk/commons-httpclient/pom.xml (original)
+++ geronimo/bundles/trunk/commons-httpclient/pom.xml Tue Dec 11 20:38:52 2012
@@ -70,6 +70,11 @@
{maven-resources},
org/apache/commons/httpclient/params/HttpConnectionParams.class=target/classes/org/apache/commons/httpclient/params/HttpConnectionParams.class,
org/apache/commons/httpclient/HttpParser.class=target/classes/org/apache/commons/httpclient/HttpParser.class,
+ org/apache/commons/httpclient/protocol/AbstractVerifier.class=target/classes/org/apache/commons/httpclient/protocol/AbstractVerifier.class,
+ org/apache/commons/httpclient/protocol/BrowserCompatHostnameVerifier.class=target/classes/org/apache/commons/httpclient/protocol/BrowserCompatHostnameVerifier.class,
+ org/apache/commons/httpclient/protocol/InetAddressUtils.class=target/classes/org/apache/commons/httpclient/protocol/InetAddressUtils.class,
+ org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.class=target/classes/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.class,
+ org/apache/commons/httpclient/protocol/X509HostnameVerifier.class=target/classes/org/apache/commons/httpclient/protocol/X509HostnameVerifier.class
</Include-Resource>
</instructions>
</configuration>
Added: geronimo/bundles/trunk/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/AbstractVerifier.java
URL: http://svn.apache.org/viewvc/geronimo/bundles/trunk/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/AbstractVerifier.java?rev=1420389&view=auto
==============================================================================
--- geronimo/bundles/trunk/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/AbstractVerifier.java (added)
+++ geronimo/bundles/trunk/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/AbstractVerifier.java Tue Dec 11 20:38:52 2012
@@ -0,0 +1,335 @@
+package org.apache.commons.httpclient.protocol;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateParsingException;
+import java.security.cert.X509Certificate;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Iterator;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Locale;
+import java.util.StringTokenizer;
+import java.util.logging.Logger;
+import java.util.logging.Level;
+
+import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.SSLSocket;
+
+/**
+ * Abstract base class for all standard {@link X509HostnameVerifier}
+ * implementations.
+ *
+ * @since 4.0
+ */
+public abstract class AbstractVerifier implements X509HostnameVerifier {
+
+ /**
+ * This contains a list of 2nd-level domains that aren't allowed to
+ * have wildcards when combined with country-codes.
+ * For example: [*.co.uk].
+ * <p/>
+ * The [*.co.uk] problem is an interesting one. Should we just hope
+ * that CA's would never foolishly allow such a certificate to happen?
+ * Looks like we're the only implementation guarding against this.
+ * Firefox, Curl, Sun Java 1.4, 5, 6 don't bother with this check.
+ */
+ private final static String[] BAD_COUNTRY_2LDS =
+ { "ac", "co", "com", "ed", "edu", "go", "gouv", "gov", "info",
+ "lg", "ne", "net", "or", "org" };
+
+ static {
+ // Just in case developer forgot to manually sort the array. :-)
+ Arrays.sort(BAD_COUNTRY_2LDS);
+ }
+
+ public AbstractVerifier() {
+ super();
+ }
+
+ public final void verify(String host, SSLSocket ssl)
+ throws IOException {
+ if(host == null) {
+ throw new NullPointerException("host to verify is null");
+ }
+
+ SSLSession session = ssl.getSession();
+ if(session == null) {
+ // In our experience this only happens under IBM 1.4.x when
+ // spurious (unrelated) certificates show up in the server'
+ // chain. Hopefully this will unearth the real problem:
+ InputStream in = ssl.getInputStream();
+ in.available();
+ /*
+ If you're looking at the 2 lines of code above because
+ you're running into a problem, you probably have two
+ options:
+
+ #1. Clean up the certificate chain that your server
+ is presenting (e.g. edit "/etc/apache2/server.crt"
+ or wherever it is your server's certificate chain
+ is defined).
+
+ OR
+
+ #2. Upgrade to an IBM 1.5.x or greater JVM, or switch
+ to a non-IBM JVM.
+ */
+
+ // If ssl.getInputStream().available() didn't cause an
+ // exception, maybe at least now the session is available?
+ session = ssl.getSession();
+ if(session == null) {
+ // If it's still null, probably a startHandshake() will
+ // unearth the real problem.
+ ssl.startHandshake();
+
+ // Okay, if we still haven't managed to cause an exception,
+ // might as well go for the NPE. Or maybe we're okay now?
+ session = ssl.getSession();
+ }
+ }
+
+ Certificate[] certs = session.getPeerCertificates();
+ X509Certificate x509 = (X509Certificate) certs[0];
+ verify(host, x509);
+ }
+
+ public final boolean verify(String host, SSLSession session) {
+ try {
+ Certificate[] certs = session.getPeerCertificates();
+ X509Certificate x509 = (X509Certificate) certs[0];
+ verify(host, x509);
+ return true;
+ }
+ catch(SSLException e) {
+ return false;
+ }
+ }
+
+ public final void verify(String host, X509Certificate cert)
+ throws SSLException {
+ String[] cns = getCNs(cert);
+ String[] subjectAlts = getSubjectAlts(cert, host);
+ verify(host, cns, subjectAlts);
+ }
+
+ public final void verify(final String host, final String[] cns,
+ final String[] subjectAlts,
+ final boolean strictWithSubDomains)
+ throws SSLException {
+
+ // Build the list of names we're going to check. Our DEFAULT and
+ // STRICT implementations of the HostnameVerifier only use the
+ // first CN provided. All other CNs are ignored.
+ // (Firefox, wget, curl, Sun Java 1.4, 5, 6 all work this way).
+ LinkedList<String> names = new LinkedList<String>();
+ if(cns != null && cns.length > 0 && cns[0] != null) {
+ names.add(cns[0]);
+ }
+ if(subjectAlts != null) {
+ for (String subjectAlt : subjectAlts) {
+ if (subjectAlt != null) {
+ names.add(subjectAlt);
+ }
+ }
+ }
+
+ if(names.isEmpty()) {
+ String msg = "Certificate for <" + host + "> doesn't contain CN or DNS subjectAlt";
+ throw new SSLException(msg);
+ }
+
+ // StringBuilder for building the error message.
+ StringBuilder buf = new StringBuilder();
+
+ // We're can be case-insensitive when comparing the host we used to
+ // establish the socket to the hostname in the certificate.
+ String hostName = host.trim().toLowerCase(Locale.ENGLISH);
+ boolean match = false;
+ for(Iterator<String> it = names.iterator(); it.hasNext();) {
+ // Don't trim the CN, though!
+ String cn = it.next();
+ cn = cn.toLowerCase(Locale.ENGLISH);
+ // Store CN in StringBuilder in case we need to report an error.
+ buf.append(" <");
+ buf.append(cn);
+ buf.append('>');
+ if(it.hasNext()) {
+ buf.append(" OR");
+ }
+
+ // The CN better have at least two dots if it wants wildcard
+ // action. It also can't be [*.co.uk] or [*.co.jp] or
+ // [*.org.uk], etc...
+ String parts[] = cn.split("\\.");
+ boolean doWildcard = parts.length >= 3 &&
+ parts[0].endsWith("*") &&
+ acceptableCountryWildcard(cn) &&
+ !isIPAddress(host);
+
+ if(doWildcard) {
+ if (parts[0].length() > 1) { // e.g. server*
+ String prefix = parts[0].substring(0, parts[0].length() - 1); // e.g. server
+ String suffix = cn.substring(parts[0].length()); // skip wildcard part from cn
+ String hostSuffix = hostName.substring(prefix.length()); // skip wildcard part from host
+ match = hostName.startsWith(prefix) && hostSuffix.endsWith(suffix);
+ } else {
+ match = hostName.endsWith(cn.substring(1));
+ }
+ if(match && strictWithSubDomains) {
+ // If we're in strict mode, then [*.foo.com] is not
+ // allowed to match [a.b.foo.com]
+ match = countDots(hostName) == countDots(cn);
+ }
+ } else {
+ match = hostName.equals(cn);
+ }
+ if(match) {
+ break;
+ }
+ }
+ if(!match) {
+ throw new SSLException("hostname in certificate didn't match: <" + host + "> !=" + buf);
+ }
+ }
+
+ public static boolean acceptableCountryWildcard(String cn) {
+ String parts[] = cn.split("\\.");
+ if (parts.length != 3 || parts[2].length() != 2) {
+ return true; // it's not an attempt to wildcard a 2TLD within a country code
+ }
+ return Arrays.binarySearch(BAD_COUNTRY_2LDS, parts[1]) < 0;
+ }
+
+ public static String[] getCNs(X509Certificate cert) {
+ LinkedList<String> cnList = new LinkedList<String>();
+ /*
+ Sebastian Hauer's original StrictSSLProtocolSocketFactory used
+ getName() and had the following comment:
+
+ Parses a X.500 distinguished name for the value of the
+ "Common Name" field. This is done a bit sloppy right
+ now and should probably be done a bit more according to
+ <code>RFC 2253</code>.
+
+ I've noticed that toString() seems to do a better job than
+ getName() on these X500Principal objects, so I'm hoping that
+ addresses Sebastian's concern.
+
+ For example, getName() gives me this:
+ 1.2.840.113549.1.9.1=#16166a756c6975736461766965734063756362632e636f6d
+
+ whereas toString() gives me this:
+ EMAILADDRESS=juliusdavies@cucbc.com
+
+ Looks like toString() even works with non-ascii domain names!
+ I tested it with "花子.co.jp" and it worked fine.
+ */
+ String subjectPrincipal = cert.getSubjectX500Principal().toString();
+ StringTokenizer st = new StringTokenizer(subjectPrincipal, ",");
+ while(st.hasMoreTokens()) {
+ String tok = st.nextToken();
+ int x = tok.indexOf("CN=");
+ if(x >= 0) {
+ cnList.add(tok.substring(x + 3));
+ }
+ }
+ if(!cnList.isEmpty()) {
+ String[] cns = new String[cnList.size()];
+ cnList.toArray(cns);
+ return cns;
+ } else {
+ return null;
+ }
+ }
+
+ /**
+ * Extracts the array of SubjectAlt DNS or IP names from an X509Certificate.
+ * Returns null if there aren't any.
+ *
+ * @param cert X509Certificate
+ * @param hostname
+ * @return Array of SubjectALT DNS or IP names stored in the certificate.
+ */
+ private static String[] getSubjectAlts(
+ final X509Certificate cert, final String hostname) {
+ int subjectType;
+ if (isIPAddress(hostname)) {
+ subjectType = 7;
+ } else {
+ subjectType = 2;
+ }
+
+ LinkedList<String> subjectAltList = new LinkedList<String>();
+ Collection<List<?>> c = null;
+ try {
+ c = cert.getSubjectAlternativeNames();
+ }
+ catch(CertificateParsingException cpe) {
+ Logger.getLogger(AbstractVerifier.class.getName())
+ .log(Level.FINE, "Error parsing certificate.", cpe);
+ }
+ if(c != null) {
+ for (List<?> aC : c) {
+ List<?> list = aC;
+ int type = ((Integer) list.get(0)).intValue();
+ if (type == subjectType) {
+ String s = (String) list.get(1);
+ subjectAltList.add(s);
+ }
+ }
+ }
+ if(!subjectAltList.isEmpty()) {
+ String[] subjectAlts = new String[subjectAltList.size()];
+ subjectAltList.toArray(subjectAlts);
+ return subjectAlts;
+ } else {
+ return null;
+ }
+ }
+
+ /**
+ * Extracts the array of SubjectAlt DNS names from an X509Certificate.
+ * Returns null if there aren't any.
+ * <p/>
+ * Note: Java doesn't appear able to extract international characters
+ * from the SubjectAlts. It can only extract international characters
+ * from the CN field.
+ * <p/>
+ * (Or maybe the version of OpenSSL I'm using to test isn't storing the
+ * international characters correctly in the SubjectAlts?).
+ *
+ * @param cert X509Certificate
+ * @return Array of SubjectALT DNS names stored in the certificate.
+ */
+ public static String[] getDNSSubjectAlts(X509Certificate cert) {
+ return getSubjectAlts(cert, null);
+ }
+
+ /**
+ * Counts the number of dots "." in a string.
+ * @param s string to count dots from
+ * @return number of dots
+ */
+ public static int countDots(final String s) {
+ int count = 0;
+ for(int i = 0; i < s.length(); i++) {
+ if(s.charAt(i) == '.') {
+ count++;
+ }
+ }
+ return count;
+ }
+
+ private static boolean isIPAddress(final String hostname) {
+ return hostname != null &&
+ (InetAddressUtils.isIPv4Address(hostname) ||
+ InetAddressUtils.isIPv6Address(hostname));
+ }
+
+}
+
Propchange: geronimo/bundles/trunk/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/AbstractVerifier.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: geronimo/bundles/trunk/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/AbstractVerifier.java
------------------------------------------------------------------------------
svn:keywords = Date Revision
Propchange: geronimo/bundles/trunk/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/AbstractVerifier.java
------------------------------------------------------------------------------
svn:mime-type = text/plain
Added: geronimo/bundles/trunk/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/BrowserCompatHostnameVerifier.java
URL: http://svn.apache.org/viewvc/geronimo/bundles/trunk/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/BrowserCompatHostnameVerifier.java?rev=1420389&view=auto
==============================================================================
--- geronimo/bundles/trunk/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/BrowserCompatHostnameVerifier.java (added)
+++ geronimo/bundles/trunk/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/BrowserCompatHostnameVerifier.java Tue Dec 11 20:38:52 2012
@@ -0,0 +1,32 @@
+package org.apache.commons.httpclient.protocol;
+
+import javax.net.ssl.SSLException;
+
+/**
+ * The HostnameVerifier that works the same way as Curl and Firefox.
+ * <p/>
+ * The hostname must match either the first CN, or any of the subject-alts.
+ * A wildcard can occur in the CN, and in any of the subject-alts.
+ * <p/>
+ * The only difference between BROWSER_COMPATIBLE and STRICT is that a wildcard
+ * (such as "*.foo.com") with BROWSER_COMPATIBLE matches all subdomains,
+ * including "a.b.foo.com".
+ *
+ *
+ * @since 4.0
+ */
+public class BrowserCompatHostnameVerifier extends AbstractVerifier {
+
+ public final void verify(
+ final String host,
+ final String[] cns,
+ final String[] subjectAlts) throws SSLException {
+ verify(host, cns, subjectAlts, false);
+ }
+
+ @Override
+ public final String toString() {
+ return "BROWSER_COMPATIBLE";
+ }
+
+}
Propchange: geronimo/bundles/trunk/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/BrowserCompatHostnameVerifier.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: geronimo/bundles/trunk/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/BrowserCompatHostnameVerifier.java
------------------------------------------------------------------------------
svn:keywords = Date Revision
Propchange: geronimo/bundles/trunk/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/BrowserCompatHostnameVerifier.java
------------------------------------------------------------------------------
svn:mime-type = text/plain
Added: geronimo/bundles/trunk/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/InetAddressUtils.java
URL: http://svn.apache.org/viewvc/geronimo/bundles/trunk/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/InetAddressUtils.java?rev=1420389&view=auto
==============================================================================
--- geronimo/bundles/trunk/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/InetAddressUtils.java (added)
+++ geronimo/bundles/trunk/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/InetAddressUtils.java Tue Dec 11 20:38:52 2012
@@ -0,0 +1,45 @@
+package org.apache.commons.httpclient.protocol;
+
+import java.util.regex.Pattern;
+
+/**
+ * A collection of utilities relating to InetAddresses.
+ *
+ * @since 4.0
+ */
+
+public class InetAddressUtils {
+
+ private InetAddressUtils() {
+ }
+
+ private static final Pattern IPV4_PATTERN =
+ Pattern.compile(
+ "^(25[0-5]|2[0-4]\\d|\\d|[1-9]\\d|1\\d\\d)(\\.(25[0-5]|2[0-4]\\d|\\d|[1-9]\\d|1\\d\\d)){3}$");
+
+ private static final Pattern IPV6_STD_PATTERN =
+ Pattern.compile(
+ "^(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}$");
+
+ private static final Pattern IPV6_HEX_COMPRESSED_PATTERN =
+ Pattern.compile(
+ "^((?:[0-9A-Fa-f]{1,4}(?::[0-9A-Fa-f]{1,4})*)?)::((?:[0-9A-Fa-f]{1,4}(?::[0-9A-Fa-f]{1,4})*)?)$");
+
+ public static boolean isIPv4Address(final String input) {
+ return IPV4_PATTERN.matcher(input).matches();
+ }
+
+ public static boolean isIPv6StdAddress(final String input) {
+ return IPV6_STD_PATTERN.matcher(input).matches();
+ }
+
+ public static boolean isIPv6HexCompressedAddress(final String input) {
+ return IPV6_HEX_COMPRESSED_PATTERN.matcher(input).matches();
+ }
+
+ public static boolean isIPv6Address(final String input) {
+ return isIPv6StdAddress(input) || isIPv6HexCompressedAddress(input);
+ }
+
+}
+
Propchange: geronimo/bundles/trunk/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/InetAddressUtils.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: geronimo/bundles/trunk/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/InetAddressUtils.java
------------------------------------------------------------------------------
svn:keywords = Date Revision
Propchange: geronimo/bundles/trunk/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/InetAddressUtils.java
------------------------------------------------------------------------------
svn:mime-type = text/plain
Added: geronimo/bundles/trunk/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
URL: http://svn.apache.org/viewvc/geronimo/bundles/trunk/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java?rev=1420389&view=auto
==============================================================================
--- geronimo/bundles/trunk/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java (added)
+++ geronimo/bundles/trunk/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java Tue Dec 11 20:38:52 2012
@@ -0,0 +1,192 @@
+/*
+ * $Header: /home/jerenkrantz/tmp/commons/commons-convert/cvs/home/cvs/jakarta-commons//httpclient/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java,v 1.10 2004/05/13 04:01:22 mbecke Exp $
+ * $Revision$
+ * $Date$
+ *
+ * ====================================================================
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation. For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.commons.httpclient.protocol;
+
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.Socket;
+import java.net.UnknownHostException;
+
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.SSLSocketFactory;
+import org.apache.commons.httpclient.ConnectTimeoutException;
+import org.apache.commons.httpclient.params.HttpConnectionParams;
+import org.apache.commons.logging.LogFactory;
+import org.apache.commons.logging.Log;
+
+
+/**
+ * A SecureProtocolSocketFactory that uses JSSE to create sockets.
+ *
+ * @author Michael Becke
+ * @author <a href="mailto:mbowler@GargoyleSoftware.com">Mike Bowler</a>
+ *
+ * @since 2.0
+ */
+public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory {
+ private static final Log LOG = LogFactory.getLog(SSLProtocolSocketFactory.class);
+
+ private static final X509HostnameVerifier BROWSER_COMPATIBLE_HOSTNAME_VERIFIER = new BrowserCompatHostnameVerifier();
+
+ /*
+ * Not setting hostnameVerifier directly to BROWSER_COMPATIBLE_HOSTNAME_VERIFIER in case we need to
+ * add more implementations.
+ */
+ private final X509HostnameVerifier hostnameVerifier;
+
+ /**
+ * The factory singleton.
+ */
+ private static final SSLProtocolSocketFactory factory = new SSLProtocolSocketFactory();
+
+ /**
+ * Gets an singleton instance of the SSLProtocolSocketFactory.
+ * @return a SSLProtocolSocketFactory
+ */
+ static SSLProtocolSocketFactory getSocketFactory() {
+ return factory;
+ }
+
+ /**
+ * Constructor for SSLProtocolSocketFactory.
+ */
+ public SSLProtocolSocketFactory() {
+ super();
+ hostnameVerifier = BROWSER_COMPATIBLE_HOSTNAME_VERIFIER;
+ }
+
+ /**
+ * @see SecureProtocolSocketFactory#createSocket(java.lang.String,int,java.net.InetAddress,int)
+ */
+ public Socket createSocket(String host, int port, InetAddress clientHost,
+ int clientPort) throws IOException, UnknownHostException {
+ SSLSocketFactory sf = (SSLSocketFactory) SSLSocketFactory.getDefault();
+ SSLSocket sslSocket = (SSLSocket) sf.createSocket(host, port,
+ clientHost, clientPort);
+ hostnameVerifier.verify(host, sslSocket);
+
+ return sslSocket;
+ }
+
+ /**
+ * Attempts to get a new socket connection to the given host within the given time limit.
+ * <p>
+ * This method employs several techniques to circumvent the limitations of older JREs that
+ * do not support connect timeout. When running in JRE 1.4 or above reflection is used to
+ * call Socket#connect(SocketAddress endpoint, int timeout) method. When executing in older
+ * JREs a controller thread is executed. The controller thread attempts to create a new socket
+ * within the given limit of time. If socket constructor does not return until the timeout
+ * expires, the controller terminates and throws an {@link ConnectTimeoutException}
+ * </p>
+ *
+ * @param host the host name/IP
+ * @param port the port on the host
+ * @param localAddress the local host name/IP to bind the socket to
+ * @param localPort the port on the local machine
+ * @param params {@link HttpConnectionParams Http connection parameters}
+ *
+ * @return Socket a new socket
+ *
+ * @throws IOException if an I/O error occurs while creating the socket
+ * @throws UnknownHostException if the IP address of the host cannot be
+ * determined
+ *
+ * @since 3.0
+ */
+ public Socket createSocket(
+ final String host,
+ final int port,
+ final InetAddress localAddress,
+ final int localPort,
+ final HttpConnectionParams params
+ ) throws IOException, UnknownHostException, ConnectTimeoutException {
+ if (params == null) {
+ throw new IllegalArgumentException("Parameters may not be null");
+ }
+ int timeout = params.getConnectionTimeout();
+ if (timeout == 0) {
+ // hostnameVerifier.verify() occurs inside the createSocket() call
+ return createSocket(host, port, localAddress, localPort);
+ } else {
+ // To be eventually deprecated when migrated to Java 1.4 or above
+ Socket socket = ReflectionSocketFactory.createSocket(
+ "javax.net.ssl.SSLSocketFactory", host, port, localAddress, localPort, timeout);
+ if (socket == null) {
+ socket = ControllerThreadSocketFactory.createSocket(
+ this, host, port, localAddress, localPort, timeout);
+ }
+ hostnameVerifier.verify(host, (SSLSocket)socket);
+
+ return socket;
+ }
+ }
+
+ /**
+ * @see SecureProtocolSocketFactory#createSocket(java.lang.String,int)
+ */
+ public Socket createSocket(String host, int port)
+ throws IOException, UnknownHostException {
+ SSLSocketFactory sf = (SSLSocketFactory) SSLSocketFactory.getDefault();
+ SSLSocket sslSocket = (SSLSocket) sf.createSocket(host, port);
+ hostnameVerifier.verify(host, sslSocket);
+
+ return sslSocket;
+ }
+
+ /**
+ * @see SecureProtocolSocketFactory#createSocket(java.net.Socket,java.lang.String,int,boolean)
+ */
+ public Socket createSocket(Socket socket, String host, int port,
+ boolean autoClose)
+ throws IOException, UnknownHostException {
+ SSLSocketFactory sf = (SSLSocketFactory) SSLSocketFactory.getDefault();
+ SSLSocket sslSocket = (SSLSocket) sf.createSocket(socket, host,
+ port, autoClose);
+ hostnameVerifier.verify(host, sslSocket);
+
+ return sslSocket;
+ }
+
+ /**
+ * All instances of SSLProtocolSocketFactory are the same.
+ */
+ public boolean equals(Object obj) {
+ return ((obj != null) && obj.getClass().equals(getClass()));
+ }
+
+ /**
+ * All instances of SSLProtocolSocketFactory have the same hash code.
+ */
+ public int hashCode() {
+ return getClass().hashCode();
+ }
+
+}
Propchange: geronimo/bundles/trunk/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: geronimo/bundles/trunk/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
------------------------------------------------------------------------------
svn:keywords = Date Revision
Propchange: geronimo/bundles/trunk/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
------------------------------------------------------------------------------
svn:mime-type = text/plain
Added: geronimo/bundles/trunk/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/X509HostnameVerifier.java
URL: http://svn.apache.org/viewvc/geronimo/bundles/trunk/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/X509HostnameVerifier.java?rev=1420389&view=auto
==============================================================================
--- geronimo/bundles/trunk/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/X509HostnameVerifier.java (added)
+++ geronimo/bundles/trunk/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/X509HostnameVerifier.java Tue Dec 11 20:38:52 2012
@@ -0,0 +1,57 @@
+package org.apache.commons.httpclient.protocol;
+
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLSocket;
+import java.io.IOException;
+import java.security.cert.X509Certificate;
+
+/**
+ * Interface for checking if a hostname matches the names stored inside the
+ * server's X.509 certificate. This interface extends
+ * {@link javax.net.ssl.HostnameVerifier}, but it is recommended to use
+ * methods added by X509HostnameVerifier.
+ *
+ * @since 4.0
+ */
+public interface X509HostnameVerifier extends HostnameVerifier {
+
+ /**
+ * Verifies that the host name is an acceptable match with the server's
+ * authentication scheme based on the given {@link SSLSocket}.
+ *
+ * @param host the host.
+ * @param ssl the SSL socket.
+ * @throws IOException if an I/O error occurs or the verification process
+ * fails.
+ */
+ void verify(String host, SSLSocket ssl) throws IOException;
+
+ /**
+ * Verifies that the host name is an acceptable match with the server's
+ * authentication scheme based on the given {@link X509Certificate}.
+ *
+ * @param host the host.
+ * @param cert the certificate.
+ * @throws SSLException if the verification process fails.
+ */
+ void verify(String host, X509Certificate cert) throws SSLException;
+
+ /**
+ * Checks to see if the supplied hostname matches any of the supplied CNs
+ * or "DNS" Subject-Alts. Most implementations only look at the first CN,
+ * and ignore any additional CNs. Most implementations do look at all of
+ * the "DNS" Subject-Alts. The CNs or Subject-Alts may contain wildcards
+ * according to RFC 2818.
+ *
+ * @param cns CN fields, in order, as extracted from the X.509
+ * certificate.
+ * @param subjectAlts Subject-Alt fields of type 2 ("DNS"), as extracted
+ * from the X.509 certificate.
+ * @param host The hostname to verify.
+ * @throws SSLException if the verification process fails.
+ */
+ void verify(String host, String[] cns, String[] subjectAlts)
+ throws SSLException;
+
+}
\ No newline at end of file
Propchange: geronimo/bundles/trunk/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/X509HostnameVerifier.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: geronimo/bundles/trunk/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/X509HostnameVerifier.java
------------------------------------------------------------------------------
svn:keywords = Date Revision
Propchange: geronimo/bundles/trunk/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/X509HostnameVerifier.java
------------------------------------------------------------------------------
svn:mime-type = text/plain