Posted to commits@directory.apache.org by co...@apache.org on 2020/09/10 10:05:32 UTC

[directory-server] branch DIRSERVER-2330 created (now b88281e)

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a change to branch DIRSERVER-2330
in repository https://gitbox.apache.org/repos/asf/directory-server.git.


      at b88281e  DIRSERVER-2330 - StartTlsHandler and LdapsInitializer use NoVerificationTrustManager

This branch includes the following new commits:

     new b88281e  DIRSERVER-2330 - StartTlsHandler and LdapsInitializer use NoVerificationTrustManager

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.



[directory-server] 01/01: DIRSERVER-2330 - StartTlsHandler and LdapsInitializer use NoVerificationTrustManager

Posted by co...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch DIRSERVER-2330
in repository https://gitbox.apache.org/repos/asf/directory-server.git

commit b88281eca3fe9b76a03709d55a10588714798159
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Thu Sep 10 11:05:04 2020 +0100

    DIRSERVER-2330 - StartTlsHandler and LdapsInitializer use NoVerificationTrustManager
---
 .../org/apache/directory/server/i18n/I18n.java     |  3 ++-
 .../apache/directory/server/i18n/errors.properties |  1 +
 .../apache/directory/server/ldap/LdapServer.java   | 25 +++++++++++++++++++++-
 .../ldap/handlers/extended/StartTlsHandler.java    |  6 ++----
 .../server/ldap/handlers/ssl/LdapsInitializer.java |  6 ++----
 .../server/annotations/CreateLdapServer.java       |  7 ++++++
 .../server/factory/ServerAnnotationProcessor.java  | 19 ++++++++++++++++
 .../ClientCertificateAuthenticationIT.java         |  4 ++++
 8 files changed, 61 insertions(+), 10 deletions(-)

diff --git a/i18n/src/main/java/org/apache/directory/server/i18n/I18n.java b/i18n/src/main/java/org/apache/directory/server/i18n/I18n.java
index 4aecef6..8cf3b4d 100644
--- a/i18n/src/main/java/org/apache/directory/server/i18n/I18n.java
+++ b/i18n/src/main/java/org/apache/directory/server/i18n/I18n.java
@@ -784,7 +784,8 @@ public enum I18n
     ERR_747("ERR_747"),
     ERR_748("ERR_748"),
     ERR_749("ERR_749"),
-    ERR_750("ERR_750");
+    ERR_750("ERR_750"),
+    ERR_751("ERR_751");
 
     private static final ResourceBundle ERR_BUNDLE = ResourceBundle
         .getBundle( "org.apache.directory.server.i18n.errors", Locale.ROOT );
diff --git a/i18n/src/main/resources/org/apache/directory/server/i18n/errors.properties b/i18n/src/main/resources/org/apache/directory/server/i18n/errors.properties
index 1f96c7e..70959b2 100644
--- a/i18n/src/main/resources/org/apache/directory/server/i18n/errors.properties
+++ b/i18n/src/main/resources/org/apache/directory/server/i18n/errors.properties
@@ -772,3 +772,4 @@ ERR_747=Not a valid log file offset  {0}
 ERR_748=Invalid log file bufferSize/ max size is sepcified bufferSize {0} logFileSize {0}
 ERR_749=Log Scanner is already closed
 ERR_750=Log content is invalid
+ERR_751=Invalid TrustManager Class {0}
diff --git a/protocol-ldap/src/main/java/org/apache/directory/server/ldap/LdapServer.java b/protocol-ldap/src/main/java/org/apache/directory/server/ldap/LdapServer.java
index df5323e..97d4891 100644
--- a/protocol-ldap/src/main/java/org/apache/directory/server/ldap/LdapServer.java
+++ b/protocol-ldap/src/main/java/org/apache/directory/server/ldap/LdapServer.java
@@ -21,6 +21,7 @@ package org.apache.directory.server.ldap;
 
 
 import java.io.IOException;
+import java.security.KeyStore;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.HashMap;
@@ -31,6 +32,8 @@ import java.util.Map;
 import java.util.Set;
 
 import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
 
 import org.apache.directory.api.ldap.codec.api.LdapApiServiceFactory;
 import org.apache.directory.api.ldap.model.constants.Loggers;
@@ -247,6 +250,7 @@ public class LdapServer extends DirectoryBackedService
     private List<ReplicationConsumer> replConsumers;
 
     private KeyManagerFactory keyManagerFactory;
+    private TrustManager[] trustManagers;
 
     /** the time interval between subsequent pings to each replication provider */
     private int pingerSleepTime;
@@ -355,7 +359,7 @@ public class LdapServer extends DirectoryBackedService
      * with a new SslFilter after reloading the keystore.
      *
      * Note: should be called to reload the keystore after changing the digital certificate.
-     * @throws Exception If teh SSLContext can't be reloaded
+     * @throws Exception If the SSLContext can't be reloaded
      */
     public void reloadSslContext() throws Exception
     {
@@ -420,6 +424,13 @@ public class LdapServer extends DirectoryBackedService
 
         keyManagerFactory = CertificateUtil.loadKeyStore( keystoreFile, certificatePassword );
 
+        if ( trustManagers == null )
+        {
+            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance( TrustManagerFactory.getDefaultAlgorithm() );
+            trustManagerFactory.init( ( KeyStore ) null );
+            trustManagers = trustManagerFactory.getTrustManagers();
+        }
+
         /*
          * The server is now initialized, we can
          * install the default requests handlers, which need
@@ -1649,6 +1660,18 @@ public class LdapServer extends DirectoryBackedService
         return keyManagerFactory;
     }
 
+    /**
+     * @return the trust managers of the server
+     */
+    public TrustManager[] getTrustManagers()
+    {
+        return trustManagers;
+    }
+
+    public void setTrustManagers( TrustManager[] trustManagers )
+    {
+        this.trustManagers = trustManagers;
+    }
 
     /**
      * @return The maximum allowed size for an incoming PDU
diff --git a/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/extended/StartTlsHandler.java b/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/extended/StartTlsHandler.java
index e2d01fd..003a74b 100644
--- a/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/extended/StartTlsHandler.java
+++ b/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/extended/StartTlsHandler.java
@@ -29,7 +29,6 @@ import java.util.List;
 import java.util.Set;
 
 import javax.net.ssl.SSLContext;
-import javax.net.ssl.TrustManager;
 
 import org.apache.directory.api.ldap.extras.extended.startTls.StartTlsRequest;
 import org.apache.directory.api.ldap.extras.extended.startTls.StartTlsResponse;
@@ -38,7 +37,6 @@ import org.apache.directory.api.ldap.model.message.ExtendedRequest;
 import org.apache.directory.api.ldap.model.message.ExtendedResponse;
 import org.apache.directory.api.ldap.model.message.LdapResult;
 import org.apache.directory.api.ldap.model.message.ResultCodeEnum;
-import org.apache.directory.ldap.client.api.NoVerificationTrustManager;
 import org.apache.directory.server.i18n.I18n;
 import org.apache.directory.server.ldap.ExtendedOperationHandler;
 import org.apache.directory.server.ldap.LdapServer;
@@ -181,8 +179,8 @@ public class StartTlsHandler implements ExtendedOperationHandler<ExtendedRequest
 
         try
         {
-            sslContext.init( ldapServer.getKeyManagerFactory().getKeyManagers(), new TrustManager[]
-                { new NoVerificationTrustManager() }, new SecureRandom() );
+            sslContext.init( ldapServer.getKeyManagerFactory().getKeyManagers(),
+                    ldapServer.getTrustManagers(), new SecureRandom() );
         }
         catch ( Exception e )
         {
diff --git a/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/ssl/LdapsInitializer.java b/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/ssl/LdapsInitializer.java
index 26938c2..44134f8 100644
--- a/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/ssl/LdapsInitializer.java
+++ b/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/ssl/LdapsInitializer.java
@@ -24,10 +24,8 @@ import java.security.SecureRandom;
 import java.util.List;
 
 import javax.net.ssl.SSLContext;
-import javax.net.ssl.TrustManager;
 
 import org.apache.directory.api.ldap.model.exception.LdapException;
-import org.apache.directory.ldap.client.api.NoVerificationTrustManager;
 import org.apache.directory.server.i18n.I18n;
 import org.apache.directory.server.ldap.LdapServer;
 import org.apache.directory.server.protocol.shared.transport.TcpTransport;
@@ -66,8 +64,8 @@ public final class LdapsInitializer
         {
             // Initialize the SSLContext to work with our key managers.
             sslCtx = SSLContext.getInstance( "TLS" );
-            sslCtx.init( ldapServer.getKeyManagerFactory().getKeyManagers(), new TrustManager[]
-                { new NoVerificationTrustManager() }, new SecureRandom() );
+            sslCtx.init( ldapServer.getKeyManagerFactory().getKeyManagers(),
+                    ldapServer.getTrustManagers(), new SecureRandom() );
         }
         catch ( Exception e )
         {
diff --git a/server-annotations/src/main/java/org/apache/directory/server/annotations/CreateLdapServer.java b/server-annotations/src/main/java/org/apache/directory/server/annotations/CreateLdapServer.java
index bd167c9..2492190 100644
--- a/server-annotations/src/main/java/org/apache/directory/server/annotations/CreateLdapServer.java
+++ b/server-annotations/src/main/java/org/apache/directory/server/annotations/CreateLdapServer.java
@@ -106,4 +106,11 @@ public @interface CreateLdapServer
     
     /** @return The service principal, used by GSSAPI. */
     String saslPrincipal() default "ldap/ldap.example.com@EXAMPLE.COM";
+
+    /**
+     * The X509 certificate trust managers used
+     *
+     *  @return The trust manager classes
+     */
+    Class<?>[] trustManagers() default {};
 }
\ No newline at end of file
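Review bot: The new `trustManagers()` element is typed `Class<?>[]`, so the compiler accepts any class there and the mismatch only surfaces as a runtime cast in ServerAnnotationProcessor. Annotation elements may use a bounded `Class` type, so `Class<? extends TrustManager>[] trustManagers() default {};` (with a `javax.net.ssl.TrustManager` import) would reject non-TrustManager classes at compile time and make the Javadoc's "X509 certificate trust managers" claim enforceable. The Javadoc itself could also say that an empty array means the server falls back to its default trust managers, since that is the behaviour the processor hunk implements by skipping the setter.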
diff --git a/server-annotations/src/main/java/org/apache/directory/server/factory/ServerAnnotationProcessor.java b/server-annotations/src/main/java/org/apache/directory/server/factory/ServerAnnotationProcessor.java
index 70f736e..3c87915 100644
--- a/server-annotations/src/main/java/org/apache/directory/server/factory/ServerAnnotationProcessor.java
+++ b/server-annotations/src/main/java/org/apache/directory/server/factory/ServerAnnotationProcessor.java
@@ -28,6 +28,8 @@ import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
 
+import javax.net.ssl.TrustManager;
+
 import org.apache.directory.api.ldap.model.constants.SupportedSaslMechanisms;
 import org.apache.directory.api.util.Network;
 import org.apache.directory.api.util.Strings;
@@ -220,6 +222,23 @@ public final class ServerAnnotationProcessor
 
             ldapServer.setSaslRealms( realms );
 
+            if ( createLdapServer.trustManagers() != null && createLdapServer.trustManagers().length > 0 )
+            {
+                TrustManager[] trustManagers = new TrustManager[createLdapServer.trustManagers().length];
+                for ( int i = 0; i < createLdapServer.trustManagers().length; i++ )
+                {
+                    try
+                    {
+                        trustManagers[i] = ( TrustManager ) createLdapServer.trustManagers()[i].newInstance();
+                    }
+                    catch ( InstantiationException | IllegalAccessException e )
+                    {
+                        throw new RuntimeException( I18n.err( I18n.ERR_751, createLdapServer.trustManagers()[i].getName() ), e );
+                    }
+                }
+                ldapServer.setTrustManagers( trustManagers );
+            }
+
             return ldapServer;
         }
         else
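Review bot: The `( TrustManager )` cast on the `newInstance()` line sits outside the catch, so a class that is not a TrustManager fails with a bare ClassCastException instead of the ERR_751 message this commit introduces, and `Class.newInstance()` also lets checked exceptions thrown by the constructor escape unwrapped (it is deprecated for that reason since Java 9). Resolving the classes once via `asSubclass( TrustManager.class )` and instantiating through `getDeclaredConstructor().newInstance()` routes every failure, including the wrong-type case, through the same ERR_751 path, and avoids calling `createLdapServer.trustManagers()` five times in the loop. The enclosing method starts and ends outside the hunk.
```java
            Class<?>[] trustManagerClasses = createLdapServer.trustManagers();

            if ( trustManagerClasses != null && trustManagerClasses.length > 0 )
            {
                TrustManager[] trustManagers = new TrustManager[trustManagerClasses.length];

                for ( int i = 0; i < trustManagerClasses.length; i++ )
                {
                    try
                    {
                        // asSubclass rejects non-TrustManager classes with a ClassCastException
                        trustManagers[i] = trustManagerClasses[i].asSubclass( TrustManager.class )
                            .getDeclaredConstructor().newInstance();
                    }
                    catch ( ReflectiveOperationException | ClassCastException e )
                    {
                        throw new RuntimeException( I18n.err( I18n.ERR_751, trustManagerClasses[i].getName() ), e );
                    }
                }

                ldapServer.setTrustManagers( trustManagers );
            }
            // … unchanged: return ldapServer; …
```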
diff --git a/server-integ/src/test/java/org/apache/directory/server/ldap/handlers/sasl/external/ClientCertificateAuthenticationIT.java b/server-integ/src/test/java/org/apache/directory/server/ldap/handlers/sasl/external/ClientCertificateAuthenticationIT.java
index 90143e9..843d31a 100644
--- a/server-integ/src/test/java/org/apache/directory/server/ldap/handlers/sasl/external/ClientCertificateAuthenticationIT.java
+++ b/server-integ/src/test/java/org/apache/directory/server/ldap/handlers/sasl/external/ClientCertificateAuthenticationIT.java
@@ -92,6 +92,10 @@ import static org.junit.Assert.assertTrue;
         saslMechanisms =
                 {
                         @SaslMechanism(name = SupportedSaslMechanisms.EXTERNAL, implClass = CertificateMechanismHandler.class)
+                },
+        trustManagers =
+                {
+                        org.apache.directory.ldap.client.api.NoVerificationTrustManager.class
                 })
 @ApplyLdifs(
         {
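Review bot: The new `trustManagers` value names `org.apache.directory.ldap.client.api.NoVerificationTrustManager.class` by its fully-qualified name while the neighbouring annotation values (`SupportedSaslMechanisms.EXTERNAL`, `CertificateMechanismHandler.class`) use imported simple names; an import plus `NoVerificationTrustManager.class` would keep the annotation consistent. A one-line comment such as `// accept any client certificate: this test only exercises the EXTERNAL SASL path` would also record that the permissive trust manager is a deliberate test-only choice now that the server default verifies certificates. The annotation being edited starts outside the hunk.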