You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@qpid.apache.org by ra...@apache.org on 2010/03/13 05:01:51 UTC
svn commit: r922479 -
/qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/ssl/SSLUtil.java
Author: rajith
Date: Sat Mar 13 04:01:50 2010
New Revision: 922479
URL: http://svn.apache.org/viewvc?rev=922479&view=rev
Log:
Added utility methods to be used in providing a solution for QPID-2445
Added:
qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/ssl/SSLUtil.java
Added: qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/ssl/SSLUtil.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/ssl/SSLUtil.java?rev=922479&view=auto
==============================================================================
--- qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/ssl/SSLUtil.java (added)
+++ qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/ssl/SSLUtil.java Sat Mar 13 04:01:50 2010
@@ -0,0 +1,113 @@
+package org.apache.qpid.transport.network.ssl;
+
+import java.security.Principal;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLPeerUnverifiedException;
+
+import org.apache.qpid.ssl.SSLContextFactory;
+import org.apache.qpid.transport.ConnectionSettings;
+import org.apache.qpid.transport.TransportException;
+import org.apache.qpid.transport.util.Logger;
+
+public class SSLUtil
+{
+ private static final Logger log = Logger.get(SSLUtil.class);
+
+ public static void verifyHostname(SSLEngine engine,String hostnameExpected)
+ {
+ try
+ {
+ Certificate cert = engine.getSession().getPeerCertificates()[0];
+ Principal p = ((X509Certificate)cert).getSubjectDN();
+ String dn = p.getName();
+ String hostname = null;
+
+ if (dn.contains("CN="))
+ {
+ hostname = dn.substring(3, dn.indexOf(","));
+ }
+
+ if (log.isDebugEnabled())
+ {
+ log.debug("Hostname expected : " + hostnameExpected);
+ log.debug("Distinguished Name for server certificate : " + dn);
+ log.debug("Host Name obtained from DN : " + hostname);
+ }
+
+ if (hostname != null && hostname.equalsIgnoreCase(hostnameExpected))
+ {
+ throw new TransportException("SSL hostname verification failed." +
+ " Expected : " + hostnameExpected +
+ " Found in cert : " + hostname);
+ }
+
+ }
+ catch(SSLPeerUnverifiedException e)
+ {
+ log.warn("Exception received while trying to verify hostname",e);
+ // For some reason the SSL engine sets the handshake status to FINISH twice
+ // in succession. For some reason the first time the peer certificate
+ // info is not available. The second time it works !
+ // Therefore have no choice but to ignore the exception here.
+ }
+ }
+
+ public static String retriveIdentity(SSLEngine engine)
+ {
+ StringBuffer id = new StringBuffer();
+ try
+ {
+ Certificate cert = engine.getSession().getPeerCertificates()[0];
+ Principal p = ((X509Certificate)cert).getSubjectDN();
+ String dn = p.getName();
+
+ if (dn.contains("CN="))
+ {
+ id.append(dn.substring(3,
+ dn.indexOf(",") == -1? dn.length(): dn.indexOf(",")));
+ }
+
+ if (dn.contains("DC="))
+ {
+ id.append("@");
+ int c = 0;
+ for (String toks : dn.split(","))
+ {
+ if (toks.contains("DC"))
+ {
+ if (c > 0) {id.append(".");}
+ id.append(toks.substring(
+ toks.indexOf("=")+1,
+ toks.indexOf(",") == -1? toks.length(): toks.indexOf(",")));
+ c++;
+ }
+ }
+ }
+ }
+ catch(Exception e)
+ {
+ log.info("Exception received while trying to retrive client identity from SSL cert",e);
+ }
+
+ log.debug("Extracted Identity from client certificate : " + id);
+ return id.toString();
+ }
+
+ public static SSLContext createSSLContext(ConnectionSettings settings) throws Exception
+ {
+
+ SSLContextFactory sslContextFactory = new SSLContextFactory(settings.getTrustStorePath(),
+ settings.getTrustStorePassword(),
+ settings.getTrustStoreCertType(),
+ settings.getKeyStorePath(),
+ settings.getKeyStorePassword(),
+ settings.getKeyStoreCertType());
+
+ return sslContextFactory.buildServerContext();
+
+ }
+}
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:commits-subscribe@qpid.apache.org