Posted to commits@directory.apache.org by dr...@apache.org on 2015/01/25 09:46:48 UTC
[2/6] directory-kerberos git commit: Clean up not-commons-ssl library,
removing many unwanted and not very relevant files
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bc5c276e/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/Base64OutputStream.java
----------------------------------------------------------------------
diff --git a/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/Base64OutputStream.java b/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/Base64OutputStream.java
deleted file mode 100644
index a9cadde..0000000
--- a/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/Base64OutputStream.java
+++ /dev/null
@@ -1,198 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.commons.ssl;
-
-import java.io.FilterOutputStream;
-import java.io.IOException;
-import java.io.OutputStream;
-
-/**
- * Provides Base64 encoding and decoding in a streaming fashion (unlimited size). When encoding the default lineLength
- * is 76 characters and the default lineEnding is CRLF, but these can be overridden by using the appropriate
- * constructor.
- * <p>
- * The default behaviour of the Base64OutputStream is to ENCODE, whereas the default behaviour of the Base64InputStream
- * is to DECODE. But this behaviour can be overridden by using a different constructor.
- * </p>
- * <p>
- * This class implements section <cite>6.8. Base64 Content-Transfer-Encoding</cite> from RFC 2045 <cite>Multipurpose
- * Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies</cite> by Freed and Borenstein.
- * </p>
- * <p>
- * Since this class operates directly on byte streams, and not character streams, it is hard-coded to only encode/decode
- * character encodings which are compatible with the lower 127 ASCII chart (ISO-8859-1, Windows-1252, UTF-8, etc).
- * </p>
- *
- * @author Apache Software Foundation
- * @version $Id$
- * @see <a href="http://www.ietf.org/rfc/rfc2045.txt">RFC 2045</a>
- * @since 1.4
- */
-public class Base64OutputStream extends FilterOutputStream {
- private final boolean doEncode;
-
- private final Base64 base64;
-
- private final byte[] singleByte = new byte[1];
-
- /**
- * Creates a Base64OutputStream such that all data written is Base64-encoded to the original provided OutputStream.
- *
- * @param out
- * OutputStream to wrap.
- */
- public Base64OutputStream(OutputStream out) {
- this(out, true);
- }
-
- /**
- * Creates a Base64OutputStream such that all data written is either Base64-encoded or Base64-decoded to the
- * original provided OutputStream.
- *
- * @param out
- * OutputStream to wrap.
- * @param doEncode
- * true if we should encode all data written to us, false if we should decode.
- */
- public Base64OutputStream(OutputStream out, boolean doEncode) {
- super(out);
- this.doEncode = doEncode;
- this.base64 = new Base64();
- }
-
- /**
- * Creates a Base64OutputStream such that all data written is either Base64-encoded or Base64-decoded to the
- * original provided OutputStream.
- *
- * @param out
- * OutputStream to wrap.
- * @param doEncode
- * true if we should encode all data written to us, false if we should decode.
- * @param lineLength
- * If doEncode is true, each line of encoded data will contain lineLength characters (rounded down to
- * nearest multiple of 4). If lineLength <=0, the encoded data is not divided into lines. If doEncode is
- * false, lineLength is ignored.
- * @param lineSeparator
- * If doEncode is true, each line of encoded data will be terminated with this byte sequence (e.g. \r\n).
- * If lineLength <= 0, the lineSeparator is not used. If doEncode is false lineSeparator is ignored.
- */
- public Base64OutputStream(OutputStream out, boolean doEncode, int lineLength, byte[] lineSeparator) {
- super(out);
- this.doEncode = doEncode;
- this.base64 = new Base64(lineLength, lineSeparator);
- }
-
- /**
- * Writes the specified <code>byte</code> to this output stream.
- *
- * @param i
- * source byte
- * @throws java.io.IOException
- * if an I/O error occurs.
- */
- public void write(int i) throws IOException {
- singleByte[0] = (byte) i;
- write(singleByte, 0, 1);
- }
-
- /**
- * Writes <code>len</code> bytes from the specified <code>b</code> array starting at <code>offset</code> to this
- * output stream.
- *
- * @param b
- * source byte array
- * @param offset
- * where to start reading the bytes
- * @param len
- * maximum number of bytes to write
- *
- * @throws java.io.IOException
- * if an I/O error occurs.
- * @throws NullPointerException
- * if the byte array parameter is null
- * @throws IndexOutOfBoundsException
- * if offset, len or buffer size are invalid
- */
- public void write(byte b[], int offset, int len) throws IOException {
- if (b == null) {
- throw new NullPointerException();
- } else if (offset < 0 || len < 0) {
- throw new IndexOutOfBoundsException();
- } else if (offset > b.length || offset + len > b.length) {
- throw new IndexOutOfBoundsException();
- } else if (len > 0) {
- if (doEncode) {
- base64.encode(b, offset, len);
- } else {
- base64.decode(b, offset, len);
- }
- flush(false);
- }
- }
-
- /**
- * Flushes this output stream and forces any buffered output bytes to be written out to the stream. If propogate is
- * true, the wrapped stream will also be flushed.
- *
- * @param propogate
- * boolean flag to indicate whether the wrapped OutputStream should also be flushed.
- * @throws java.io.IOException
- * if an I/O error occurs.
- */
- private void flush(boolean propogate) throws IOException {
- int avail = base64.avail();
- if (avail > 0) {
- byte[] buf = new byte[avail];
- int c = base64.readResults(buf, 0, avail);
- if (c > 0) {
- out.write(buf, 0, c);
- }
- }
- if (propogate) {
- out.flush();
- }
- }
-
- /**
- * Flushes this output stream and forces any buffered output bytes to be written out to the stream.
- *
- * @throws java.io.IOException
- * if an I/O error occurs.
- */
- public void flush() throws IOException {
- flush(true);
- }
-
- /**
- * Closes this output stream and releases any system resources associated with the stream.
- *
- * @throws java.io.IOException
- * if an I/O error occurs.
- */
- public void close() throws IOException {
- // Notify encoder of EOF (-1).
- if (doEncode) {
- base64.encode(singleByte, 0, -1);
- } else {
- base64.decode(singleByte, 0, -1);
- }
- flush();
- out.close();
- }
-
-}
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bc5c276e/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/Certificates.java
----------------------------------------------------------------------
diff --git a/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/Certificates.java b/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/Certificates.java
index 99259c8..b018834 100644
--- a/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/Certificates.java
+++ b/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/Certificates.java
@@ -31,6 +31,8 @@
package org.apache.commons.ssl;
+import org.apache.kerby.util.Base64;
+
import javax.naming.InvalidNameException;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
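Review bot: The added `import org.apache.kerby.util.Base64;` replaces the in-package org.apache.commons.ssl.Base64 that this commit deletes, but nothing in the hunk shows that the replacement offers the same static entry points or the same decode tolerance, and the Certificates call sites are outside the hunk. If Certificates feeds it PEM bodies (inferred from the class, not visible here), differences in how the kerby implementation treats line breaks, surrounding whitespace or trailing non-alphabet bytes would change which certificate blobs are accepted or rejected, so a comment at the import such as `// Base64 now comes from kerby-util; decoding must tolerate the line breaks the PEM parser passes through` and a decode round-trip against an existing PEM fixture would pin that expectation. The import also sits directly under the package statement ahead of the javax group; whether that matches the file's import ordering cannot be seen from the hunk.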
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bc5c276e/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/Java13.java
----------------------------------------------------------------------
diff --git a/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/Java13.java b/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/Java13.java
deleted file mode 100644
index 1a2fb47..0000000
--- a/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/Java13.java
+++ /dev/null
@@ -1,303 +0,0 @@
-/*
- * $HeadURL: http://juliusdavies.ca/svn/not-yet-commons-ssl/tags/commons-ssl-0.3.16/src/java/org/apache/commons/ssl/Java13.java $
- * $Revision: 155 $
- * $Date: 2009-09-17 14:00:58 -0700 (Thu, 17 Sep 2009) $
- *
- * ====================================================================
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- * ====================================================================
- *
- * This software consists of voluntary contributions made by many
- * individuals on behalf of the Apache Software Foundation. For more
- * information on the Apache Software Foundation, please see
- * <http://www.apache.org/>.
- *
- */
-
-package org.apache.commons.ssl;
-
-import com.sun.net.ssl.KeyManager;
-import com.sun.net.ssl.KeyManagerFactory;
-import com.sun.net.ssl.SSLContext;
-import com.sun.net.ssl.TrustManager;
-import com.sun.net.ssl.TrustManagerFactory;
-import com.sun.net.ssl.X509KeyManager;
-import com.sun.net.ssl.X509TrustManager;
-
-import javax.net.SocketFactory;
-import javax.net.ssl.SSLPeerUnverifiedException;
-import javax.net.ssl.SSLServerSocket;
-import javax.net.ssl.SSLServerSocketFactory;
-import javax.net.ssl.SSLSession;
-import javax.net.ssl.SSLSocket;
-import javax.net.ssl.SSLSocketFactory;
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.PrintStream;
-import java.lang.reflect.Method;
-import java.net.InetAddress;
-import java.net.Socket;
-import java.net.URL;
-import java.security.KeyManagementException;
-import java.security.KeyStore;
-import java.security.KeyStoreException;
-import java.security.NoSuchAlgorithmException;
-import java.security.Provider;
-import java.security.Security;
-import java.security.UnrecoverableKeyException;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-
-/**
- * @author Credit Union Central of British Columbia
- * @author <a href="http://www.cucbc.com/">www.cucbc.com</a>
- * @author <a href="mailto:juliusdavies@cucbc.com">juliusdavies@cucbc.com</a>
- * @since 30-Jun-2006
- */
-public final class Java13 extends JavaImpl {
- private final static Java13 instance = new Java13();
-
- private Java13() {
- try {
- Class c = Class.forName("javax.crypto.Cipher");
- Class[] sig = {String.class};
- String[] args = {"DES/CBC/PKCS5Padding"};
- Method m = c.getMethod("getInstance", sig);
- m.invoke(null, (Object[]) args);
- }
- catch (Exception e) {
- try {
- Class c = Class.forName("com.sun.crypto.provider.SunJCE");
- Security.addProvider((Provider) c.newInstance());
- // System.out.println( "jce not loaded: " + e + " - loading SunJCE!" );
- //e.printStackTrace( System.out );
- }
- catch (Exception e2) {
- System.out.println("com.sun.crypto.provider.SunJCE unavailable: " + e2);
- // e2.printStackTrace( System.out );
- }
- }
- try {
- URL u = new URL("https://vancity.com/");
- u.openConnection();
- }
- catch (Exception e) {
- // System.out.println( "java.net.URL support of https not loaded: " + e + " - attempting to load com.sun.net.ssl.internal.ssl.Provider!" );
- Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
- System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
- }
- // System.out.println( "old HANDLER: " + HANDLER );
- }
-
- public static Java13 getInstance() {
- return instance;
- }
-
- public final String getVersion() {
- return "Java13";
- }
-
- protected final String retrieveSubjectX500(X509Certificate cert) {
- return cert.getSubjectDN().toString();
- }
-
- protected final String retrieveIssuerX500(X509Certificate cert) {
- return cert.getIssuerDN().toString();
- }
-
- protected final Certificate[] retrievePeerCerts(SSLSession sslSession)
- throws SSLPeerUnverifiedException {
- javax.security.cert.X509Certificate[] chain;
- chain = sslSession.getPeerCertificateChain();
- X509Certificate[] newChain = new X509Certificate[chain.length];
- try {
- for (int i = 0; i < chain.length; i++) {
- javax.security.cert.X509Certificate javaxCert = chain[i];
- byte[] encoded = javaxCert.getEncoded();
- ByteArrayInputStream in = new ByteArrayInputStream(encoded);
- synchronized (Certificates.CF) {
- Certificate c = Certificates.CF.generateCertificate(in);
- newChain[i] = (X509Certificate) c;
- }
- }
- }
- catch (Exception e) {
- throw buildRuntimeException(e);
- }
- return newChain;
- }
-
- protected final Object buildKeyManagerFactory(KeyStore ks, char[] password)
- throws NoSuchAlgorithmException, KeyStoreException,
- UnrecoverableKeyException {
- String alg = KeyManagerFactory.getDefaultAlgorithm();
- KeyManagerFactory kmf = KeyManagerFactory.getInstance(alg);
- kmf.init(ks, password);
- return kmf;
- }
-
- protected final Object buildTrustManagerFactory(KeyStore ks)
- throws NoSuchAlgorithmException, KeyStoreException {
- String alg = TrustManagerFactory.getDefaultAlgorithm();
- TrustManagerFactory tmf = TrustManagerFactory.getInstance(alg);
- tmf.init(ks);
- return tmf;
- }
-
-
- protected final Object[] retrieveKeyManagers(Object keyManagerFactory) {
- KeyManagerFactory kmf = (KeyManagerFactory) keyManagerFactory;
- return kmf.getKeyManagers();
- }
-
- protected final Object[] retrieveTrustManagers(Object trustManagerFactory) {
- TrustManagerFactory tmf = (TrustManagerFactory) trustManagerFactory;
- return tmf.getTrustManagers();
- }
-
- protected final SSLSocketFactory buildSSLSocketFactory(Object ssl) {
- return ((SSLContext) ssl).getSocketFactory();
- }
-
- protected final SSLServerSocketFactory buildSSLServerSocketFactory(Object ssl) {
- return ((SSLContext) ssl).getServerSocketFactory();
- }
-
- protected final RuntimeException buildRuntimeException(Exception cause) {
- ByteArrayOutputStream byteOut = new ByteArrayOutputStream(512);
- PrintStream ps = new PrintStream(byteOut);
- ps.println(cause.toString());
- cause.printStackTrace(ps);
- ps.flush();
- String originalCause = byteOut.toString();
- return new RuntimeException(originalCause);
- }
-
- protected final SSLSocket buildSocket(SSL ssl) {
- // Not supported in Java 1.3.
- throw new UnsupportedOperationException();
- }
-
- protected final SSLSocket buildSocket(SSL ssl, String remoteHost,
- int remotePort, InetAddress localHost,
- int localPort, int connectTimeout)
- throws IOException {
- // Connect Timeout ignored for Java 1.3
- SSLSocketFactory sf = ssl.getSSLSocketFactory();
- SSLSocket s = (SSLSocket) connectSocket(
- null, sf, remoteHost, remotePort, localHost, localPort, -1, ssl
- );
- ssl.doPreConnectSocketStuff(s);
- ssl.doPostConnectSocketStuff(s, remoteHost);
- return s;
- }
-
- protected final Socket buildPlainSocket(
- SSL ssl, String remoteHost, int remotePort, InetAddress localHost, int localPort, int connectTimeout
- )
- throws IOException {
- // Connect Timeout ignored for Java 1.3
- SocketFactory sf = SocketFactory.getDefault();
- Socket s = connectSocket(
- null, sf, remoteHost, remotePort, localHost, localPort, -1, ssl
- );
- ssl.doPreConnectSocketStuff(s);
- ssl.doPostConnectSocketStuff(s, remoteHost);
- return s;
- }
-
- protected final Socket connectSocket(Socket s, SocketFactory sf,
- String remoteHost, int remotePort,
- InetAddress localHost, int localPort,
- int timeout, SSL ssl)
- throws IOException {
-
- remoteHost = ssl.dnsOverride(remoteHost);
-
- // Connect Timeout ignored for Java 1.3
- if (s == null) {
- if (sf == null) {
- s = new Socket(remoteHost, remotePort, localHost, localPort);
- } else {
- s = sf.createSocket(remoteHost, remotePort, localHost, localPort);
- }
- }
- return s;
- }
-
-
- protected final SSLServerSocket buildServerSocket(SSL ssl) {
- // Not supported in Java 1.3.
- throw new UnsupportedOperationException();
- }
-
- protected final void wantClientAuth(Object o, boolean wantClientAuth) {
- // Not supported in Java 1.3.
- }
-
- protected final void enabledProtocols(Object o, String[] enabledProtocols) {
- // Not supported in Java 1.3.
- }
-
- protected void checkTrusted(Object trustManager, X509Certificate[] chain,
- String authType)
- throws CertificateException {
- X509TrustManager tm = (X509TrustManager) trustManager;
- boolean result = tm.isServerTrusted(chain);
- if (!result) {
- throw new CertificateException("commons-ssl java13 mode: certificate chain not trusted");
- }
- }
-
-
- protected final Object initSSL(SSL ssl, TrustChain tc, KeyMaterial k)
- throws NoSuchAlgorithmException, KeyStoreException,
- CertificateException, KeyManagementException, IOException {
- SSLContext context = SSLContext.getInstance(ssl.getDefaultProtocol());
- TrustManager[] trustManagers = null;
- KeyManager[] keyManagers = null;
- if (tc != null) {
- trustManagers = (TrustManager[]) tc.getTrustManagers();
- }
- if (k != null) {
- keyManagers = (KeyManager[]) k.getKeyManagers();
- }
- if (keyManagers != null) {
- for (int i = 0; i < keyManagers.length; i++) {
- if (keyManagers[i] instanceof X509KeyManager) {
- X509KeyManager km = (X509KeyManager) keyManagers[i];
- keyManagers[i] = new Java13KeyManagerWrapper(km, k, ssl);
- }
- }
- }
- if (trustManagers != null) {
- for (int i = 0; i < trustManagers.length; i++) {
- if (trustManagers[i] instanceof X509TrustManager) {
- X509TrustManager tm = (X509TrustManager) trustManagers[i];
- trustManagers[i] = new Java13TrustManagerWrapper(tm, tc, ssl);
- }
- }
- }
- context.init(keyManagers, trustManagers, null);
- return context;
- }
-
-
-}
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bc5c276e/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/Java13KeyManagerWrapper.java
----------------------------------------------------------------------
diff --git a/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/Java13KeyManagerWrapper.java b/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/Java13KeyManagerWrapper.java
deleted file mode 100644
index 81111b8..0000000
--- a/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/Java13KeyManagerWrapper.java
+++ /dev/null
@@ -1,82 +0,0 @@
-/*
- * $HeadURL: http://juliusdavies.ca/svn/not-yet-commons-ssl/tags/commons-ssl-0.3.16/src/java/org/apache/commons/ssl/Java13KeyManagerWrapper.java $
- * $Revision: 121 $
- * $Date: 2007-11-13 21:26:57 -0800 (Tue, 13 Nov 2007) $
- *
- * ====================================================================
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- * ====================================================================
- *
- * This software consists of voluntary contributions made by many
- * individuals on behalf of the Apache Software Foundation. For more
- * information on the Apache Software Foundation, please see
- * <http://www.apache.org/>.
- *
- */
-
-package org.apache.commons.ssl;
-
-import com.sun.net.ssl.X509KeyManager;
-
-import java.security.Principal;
-import java.security.PrivateKey;
-import java.security.cert.X509Certificate;
-
-/**
- * @author Credit Union Central of British Columbia
- * @author <a href="http://www.cucbc.com/">www.cucbc.com</a>
- * @author <a href="mailto:juliusdavies@cucbc.com">juliusdavies@cucbc.com</a>
- * @since 30-Jun-2006
- */
-public class Java13KeyManagerWrapper implements X509KeyManager {
-
- private final X509KeyManager keyManager;
- // private final KeyMaterial keyMaterial; <-- maybe use one day in the
- // private final SSL ssl; <-- in the future?
-
- public Java13KeyManagerWrapper(X509KeyManager m, KeyMaterial km, SSL h) {
- this.keyManager = m;
- // this.keyMaterial = km; <-- maybe use one day in the
- // this.ssl = h; <-- in the future?
- }
-
- public String chooseClientAlias(String keyType, Principal[] issuers) {
- return keyManager.chooseClientAlias(keyType, issuers);
- }
-
- public String chooseServerAlias(String keyType, Principal[] issuers) {
- return keyManager.chooseServerAlias(keyType, issuers);
- }
-
- public X509Certificate[] getCertificateChain(String alias) {
- return keyManager.getCertificateChain(alias);
- }
-
- public String[] getClientAliases(String keyType, Principal[] issuers) {
- return keyManager.getClientAliases(keyType, issuers);
- }
-
- public PrivateKey getPrivateKey(String alias) {
- return keyManager.getPrivateKey(alias);
- }
-
- public String[] getServerAliases(String keyType, Principal[] issuers) {
- return keyManager.getServerAliases(keyType, issuers);
- }
-
-}
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bc5c276e/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/Java13TrustManagerWrapper.java
----------------------------------------------------------------------
diff --git a/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/Java13TrustManagerWrapper.java b/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/Java13TrustManagerWrapper.java
deleted file mode 100644
index ad86ee9..0000000
--- a/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/Java13TrustManagerWrapper.java
+++ /dev/null
@@ -1,103 +0,0 @@
-/*
- * $HeadURL: http://juliusdavies.ca/svn/not-yet-commons-ssl/tags/commons-ssl-0.3.16/src/java/org/apache/commons/ssl/Java13TrustManagerWrapper.java $
- * $Revision: 138 $
- * $Date: 2008-03-03 23:50:07 -0800 (Mon, 03 Mar 2008) $
- *
- * ====================================================================
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- * ====================================================================
- *
- * This software consists of voluntary contributions made by many
- * individuals on behalf of the Apache Software Foundation. For more
- * information on the Apache Software Foundation, please see
- * <http://www.apache.org/>.
- *
- */
-
-package org.apache.commons.ssl;
-
-import com.sun.net.ssl.X509TrustManager;
-
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-
-/**
- * @author Credit Union Central of British Columbia
- * @author <a href="http://www.cucbc.com/">www.cucbc.com</a>
- * @author <a href="mailto:juliusdavies@cucbc.com">juliusdavies@cucbc.com</a>
- * @since 30-Jun-2006
- */
-public class Java13TrustManagerWrapper implements X509TrustManager {
-
- private final X509TrustManager trustManager;
- private final TrustChain trustChain;
- private final SSL ssl;
-
- public Java13TrustManagerWrapper(X509TrustManager m, TrustChain tc, SSL h) {
- this.trustManager = m;
- this.trustChain = tc;
- this.ssl = h;
- }
-
- public boolean isClientTrusted(X509Certificate[] chain) {
- ssl.setCurrentClientChain(chain);
- boolean firstTest = trustManager.isClientTrusted(chain);
- return test(firstTest, chain);
- }
-
- public boolean isServerTrusted(X509Certificate[] chain) {
- ssl.setCurrentServerChain(chain);
- boolean firstTest = trustManager.isServerTrusted(chain);
- return test(firstTest, chain);
- }
-
- public X509Certificate[] getAcceptedIssuers() {
- if ( trustChain.containsTrustAll()) {
- // This means we accept all issuers.
- return new X509Certificate[0];
- } else {
- return trustManager.getAcceptedIssuers();
- }
- }
-
- private boolean test(boolean firstTest, X509Certificate[] chain) {
- // Even if the first test failed, we might still be okay as long as
- // this SSLServer or SSLClient is setup to trust all certificates.
- if (!firstTest) {
- if (!trustChain.contains(TrustMaterial.TRUST_ALL)) {
- return false;
- }
- }
- try {
- for (int i = 0; i < chain.length; i++) {
- X509Certificate c = chain[i];
- if (ssl.getCheckExpiry()) {
- c.checkValidity();
- }
- if (ssl.getCheckCRL()) {
- Certificates.checkCRL(c);
- }
- }
- return true;
- }
- catch (CertificateException ce) {
- return false;
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bc5c276e/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/JavaImpl.java
----------------------------------------------------------------------
diff --git a/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/JavaImpl.java b/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/JavaImpl.java
index 81d91a7..bc222a8 100644
--- a/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/JavaImpl.java
+++ b/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/JavaImpl.java
@@ -61,35 +61,10 @@ public abstract class JavaImpl {
static {
JavaImpl h = null;
- try {
h = Java14.getInstance();
- }
- catch (Throwable t) {
- // System.out.println( t.toString() );
- System.out.println("commons-ssl reverting to: Java 1.3 + jsse.jar");
- }
- if (h == null) {
- h = Java13.getInstance();
- }
HANDLER = h;
}
- public static void downgrade() {
- if (HANDLER instanceof Java14) {
- HANDLER = Java13.getInstance();
- }
- }
-
- public static boolean isJava13() {
- return HANDLER instanceof Java13;
- }
-
- public static void uprade() {
- if (HANDLER instanceof Java13) {
- HANDLER = Java14.getInstance();
- }
- }
-
public abstract String getVersion();
protected abstract Object buildKeyManagerFactory(KeyStore ks, char[] pass)
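Review bot: With the Java13 fallback removed, the static initializer still declares `JavaImpl h = null;`, assigns it on the next line and only then copies it to HANDLER; the local is now redundant and the block can collapse to `HANDLER = Java14.getInstance();`. Since downgrade() and uprade() are deleted in this hunk, nothing visible reassigns HANDLER any more, so if its declaration (above the hunk, not shown) is a non-final static it can become `static final`, which prevents any caller from swapping the TLS implementation at runtime and lets the compiler check the initializer. Without the former catch (Throwable), a failure in Java14.getInstance() now surfaces as an ExceptionInInitializerError on first use of JavaImpl; failing fast is preferable to silently degrading, but a one-line comment in the static block saying that this is intended would save the next reader from re-adding the fallback. The enclosing JavaImpl class continues outside the hunk.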
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bc5c276e/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/LogHelper.java
----------------------------------------------------------------------
diff --git a/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/LogHelper.java b/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/LogHelper.java
deleted file mode 100644
index 7a0f090..0000000
--- a/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/LogHelper.java
+++ /dev/null
@@ -1,87 +0,0 @@
-/*
- * $HeadURL: http://juliusdavies.ca/svn/not-yet-commons-ssl/tags/commons-ssl-0.3.16/src/java/org/apache/commons/ssl/LogHelper.java $
- * $Revision: 121 $
- * $Date: 2007-11-13 21:26:57 -0800 (Tue, 13 Nov 2007) $
- *
- * ====================================================================
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- * ====================================================================
- *
- * This software consists of voluntary contributions made by many
- * individuals on behalf of the Apache Software Foundation. For more
- * information on the Apache Software Foundation, please see
- * <http://www.apache.org/>.
- *
- */
-
-package org.apache.commons.ssl;
-
-import org.apache.log4j.Logger;
-
-/**
- * <p/>
- * Wraps a Log4j Logger. This non-public class is the one actually interacting
- * with the log4j.jar library. That way LogWrapper can safely attempt to use
- * log4j.jar, but still degrade gracefully and provide logging via standard-out
- * even if log4j is unavailable.
- * <p/>
- * The interactions with log4j.jar could be done directly inside LogWrapper
- * as long as the Java code is compiled by Java 1.4 or greater (still works
- * at runtime in Java 1.3). The interactions with log4j.jar only need to be
- * pushed out into a separate class like this for people using a Java 1.3
- * compiler, which creates bytecode that is more strict with depedency
- * checking.
- *
- * @author Credit Union Central of British Columbia
- * @author <a href="http://www.cucbc.com/">www.cucbc.com</a>
- * @author <a href="mailto:juliusdavies@cucbc.com">juliusdavies@cucbc.com</a>
- * @since 3-Aug-2006
- */
-final class LogHelper {
- private final Logger l;
-
- LogHelper(Class c) { l = Logger.getLogger(c); }
-
- LogHelper(String s) { l = Logger.getLogger(s); }
-
- void debug(Object o) { l.debug(o); }
-
- void debug(Object o, Throwable t) { l.debug(o, t); }
-
- void info(Object o) { l.info(o); }
-
- void info(Object o, Throwable t) { l.info(o, t); }
-
- void warn(Object o) { l.warn(o); }
-
- void warn(Object o, Throwable t) { l.warn(o, t); }
-
- void error(Object o) { l.error(o); }
-
- void error(Object o, Throwable t) { l.error(o, t); }
-
- void fatal(Object o) { l.fatal(o); }
-
- void fatal(Object o, Throwable t) { l.fatal(o, t); }
-
- boolean isDebugEnabled() { return l.isDebugEnabled(); }
-
- boolean isInfoEnabled() { return l.isInfoEnabled(); }
-
- Object getLog4jLogger() { return l; }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bc5c276e/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/LogWrapper.java
----------------------------------------------------------------------
diff --git a/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/LogWrapper.java b/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/LogWrapper.java
deleted file mode 100644
index b2baeb9..0000000
--- a/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/LogWrapper.java
+++ /dev/null
@@ -1,295 +0,0 @@
-/*
- * $HeadURL: http://juliusdavies.ca/svn/not-yet-commons-ssl/tags/commons-ssl-0.3.16/src/java/org/apache/commons/ssl/LogWrapper.java $
- * $Revision: 121 $
- * $Date: 2007-11-13 21:26:57 -0800 (Tue, 13 Nov 2007) $
- *
- * ====================================================================
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- * ====================================================================
- *
- * This software consists of voluntary contributions made by many
- * individuals on behalf of the Apache Software Foundation. For more
- * information on the Apache Software Foundation, please see
- * <http://www.apache.org/>.
- *
- */
-
-package org.apache.commons.ssl;
-
-import java.io.BufferedOutputStream;
-import java.io.FileOutputStream;
-import java.io.IOException;
-import java.io.OutputStream;
-import java.io.PrintStream;
-import java.text.DateFormat;
-import java.text.SimpleDateFormat;
-import java.util.Date;
-
-/**
- * <p/>
- * LogWrapper can be used for situations where log4j might not be available on
- * the classpath. It presents the most basic and critical components of the
- * log4j API, and passes all log calls through to log4j if possible. If log4j
- * is not available, logging is sent to standard-out by default.
- * <p/>
- * This default logging to standard-out (which only occurs if log4j is NOT
- * available) can be disabled or changed via the static setBackupStream() and
- * setBackupLogFile() methods.
- *
- * @author Credit Union Central of British Columbia
- * @author <a href="http://www.cucbc.com/">www.cucbc.com</a>
- * @author <a href="mailto:juliusdavies@cucbc.com">juliusdavies@cucbc.com</a>
- * @since 3-Aug-2006
- */
-public class LogWrapper {
-
- // final static String[] LEVELS = {"DEBUG", "INFO", "WARN", "ERROR", "FATAL"};
- final static String[] LEVELS = {"+", " ", "!", "*", "#"};
- final static String TIMESTAMP_PATTERN = "zzz:yyyy-MM-dd/HH:mm:ss.SSS";
- final static int TIMESTAMP_LENGTH = TIMESTAMP_PATTERN.length();
- final static String LINE_SEPARATOR = System.getProperty("line.separator");
- final static DateFormat DF = new SimpleDateFormat(TIMESTAMP_PATTERN);
-
- private final static LogWrapper NOOP = new LogWrapper();
-
- /** Should we print DEBUG statements if log4j is not available? */
- private final static boolean DEBUG = true;
-
- /** true if log4j is available */
- public final static boolean log4j;
-
- /**
- * OutputStream to log to if log4j is not available. Set it to null to
- * disable.
- */
- private static volatile OutputStream backup = System.out;
-
- /** The wrappingPrintStream is lazy-initted if we have to log a stacktrace. */
- private static volatile PrintStream wrappingPrintStream = null;
-
- private final LogHelper h;
-
- static {
- boolean avail = false;
- try {
- // LogHelper's constructor will blow up if log4j.jar isn't on the
- // classpath.
- LogHelper lh = new LogHelper(LogWrapper.class);
- lh.hashCode();
- avail = true;
- }
- catch (Throwable t) {
- avail = false;
- }
- finally {
- log4j = avail;
- }
- }
-
- public static boolean isLog4jAvailable() { return log4j; }
-
- public static LogWrapper getLogger(Class c) {
- return log4j ? new LogWrapper(c) : NOOP;
- }
-
- public static LogWrapper getLogger(String s) {
- return log4j ? new LogWrapper(s) : NOOP;
- }
-
- private LogWrapper() { this.h = null; }
-
- private LogWrapper(Class c) { this.h = new LogHelper(c); }
-
- private LogWrapper(String s) { this.h = new LogHelper(s); }
-
- public void debug(Object o) {
- if (t(0, o, null)) {
- h.debug(o);
- }
- }
-
- public void debug(Object o, Throwable t) {
- if (t(0, o, t)) {
- h.debug(o, t);
- }
- }
-
- public void info(Object o) {
- if (t(1, o, null)) {
- h.info(o);
- }
- }
-
- public void info(Object o, Throwable t) {
- if (t(1, o, t)) {
- h.info(o, t);
- }
- }
-
- public void warn(Object o) {
- if (t(2, o, null)) {
- h.warn(o);
- }
- }
-
- public void warn(Object o, Throwable t) {
- if (t(2, o, t)) {
- h.warn(o, t);
- }
- }
-
- public void error(Object o) {
- if (t(3, o, null)) {
- h.error(o);
- }
- }
-
- public void error(Object o, Throwable t) {
- if (t(3, o, t)) {
- h.error(o, t);
- }
- }
-
- public void fatal(Object o) {
- if (t(4, o, null)) {
- h.fatal(o);
- }
- }
-
- public void fatal(Object o, Throwable t) {
- if (t(4, o, t)) {
- h.fatal(o, t);
- }
- }
-
- public boolean isDebugEnabled() { return log4j ? h.isDebugEnabled() : DEBUG;}
-
- public boolean isInfoEnabled() { return !log4j || h.isInfoEnabled(); }
-
- public Object getLog4jLogger() { return log4j ? h.getLog4jLogger() : null; }
-
-
- /**
- * Tests if log4j is available. If not, logs to backup OutputStream (if
- * backup != null).
- *
- * @param level log4j logging level for this statement
- * @param o object to log
- * @param t throwable to log
- * @return true if log4j is available, false if log4j is not. If it returns
- * false, as a side-effect, it will also log the statement.
- */
- private boolean t(int level, Object o, Throwable t) {
- if (log4j) {
- return true;
- } else {
- // LogWrapper doesn't log debug statements if Log4j is not available
- // and DEBUG is false.
- if (backup != null && (DEBUG || level > 0)) {
- String s = ""; // log4j allows null
- if (o != null) {
- try {
- s = (String) o;
- }
- catch (ClassCastException cce) {
- s = o.toString();
- }
- }
- int len = s.length() + TIMESTAMP_LENGTH + 9;
- String timestamp = DF.format(new Date());
- StringBuffer buf = new StringBuffer(len);
- buf.append(timestamp);
- if (LEVELS[level].length() == 1) {
- buf.append(LEVELS[level]);
- } else {
- buf.append(' ');
- buf.append(LEVELS[level]);
- buf.append(' ');
- }
- buf.append(s);
- buf.append(LINE_SEPARATOR);
- s = buf.toString();
- byte[] logBytes = s.getBytes();
- try {
- if (t == null) {
- backup.write(logBytes);
- } else {
- synchronized (backup) {
- backup.write(logBytes);
- if (t != null) {
- if (wrappingPrintStream == null) {
- wrappingPrintStream = new PrintStream(backup, false);
- }
- t.printStackTrace(wrappingPrintStream);
- wrappingPrintStream.flush();
- }
- }
- }
- backup.flush(); // J2RE 1.5.0 IBM J9 2.3 Linux x86-32 needs this.
- }
- catch (IOException ioe) {
- throw new RuntimeException(ioe.toString());
- }
- }
- return false;
- }
- }
-
- /**
- * Set file to log to if log4j is not available.
- *
- * @param f path to use for backup log file (if log4j not available)
- * @throws java.io.IOException if we can't write to the given path
- */
- public static void setBackupLogFile(String f)
- throws IOException {
- if (!log4j) {
- OutputStream out = new FileOutputStream(f, true);
- out = new BufferedOutputStream(out);
- setBackupStream(out);
- }
- }
-
- /**
- * Set PrintStream to log to if log4j is not available. Set to null to
- * disable. Default value is System.out.
- *
- * @param os outputstream to use for backup logging (if log4j not available)
- */
- public static void setBackupStream(OutputStream os) {
- // synchronize on the old backup - don't want to pull the rug out from
- // under him if he's working on a big stacktrace or something like that.
- if (backup != null) {
- synchronized (backup) {
- wrappingPrintStream = null;
- backup = os;
- }
- } else {
- wrappingPrintStream = null;
- backup = os;
- }
- }
-
- /**
- * Get the PrintStream we're logging to if log4j is not available.
- *
- * @return OutputStream we're using as our log4j replacement.
- */
- public static OutputStream getBackupStream() { return backup; }
-
-}
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bc5c276e/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/OpenSSL.java
----------------------------------------------------------------------
diff --git a/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/OpenSSL.java b/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/OpenSSL.java
index c4d3798..2990cda 100644
--- a/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/OpenSSL.java
+++ b/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/OpenSSL.java
@@ -31,7 +31,9 @@
package org.apache.commons.ssl;
-import org.apache.commons.ssl.util.Hex;
+import org.apache.kerby.util.Base64;
+import org.apache.kerby.util.Base64InputStream;
+import org.apache.kerby.util.Hex;
import javax.crypto.Cipher;
import javax.crypto.CipherInputStream;
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bc5c276e/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/PEMItem.java
----------------------------------------------------------------------
diff --git a/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/PEMItem.java b/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/PEMItem.java
index e0a9684..c935f39 100644
--- a/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/PEMItem.java
+++ b/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/PEMItem.java
@@ -31,7 +31,7 @@
package org.apache.commons.ssl;
-import org.apache.commons.ssl.util.Hex;
+import org.apache.kerby.util.Hex;
import java.util.Collections;
import java.util.Map;
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bc5c276e/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/PEMUtil.java
----------------------------------------------------------------------
diff --git a/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/PEMUtil.java b/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/PEMUtil.java
index c2a7099..2c60c5d 100644
--- a/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/PEMUtil.java
+++ b/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/PEMUtil.java
@@ -32,6 +32,7 @@
package org.apache.commons.ssl;
import org.apache.commons.ssl.util.ByteArrayReadLine;
+import org.apache.kerby.util.Base64;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bc5c276e/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/RMISocketFactoryImpl.java
----------------------------------------------------------------------
diff --git a/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/RMISocketFactoryImpl.java b/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/RMISocketFactoryImpl.java
deleted file mode 100644
index fcf7c5c..0000000
--- a/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/RMISocketFactoryImpl.java
+++ /dev/null
@@ -1,578 +0,0 @@
-/*
- * $HeadURL: http://juliusdavies.ca/svn/not-yet-commons-ssl/tags/commons-ssl-0.3.16/src/java/org/apache/commons/ssl/RMISocketFactoryImpl.java $
- * $Revision: 166 $
- * $Date: 2014-04-28 11:40:25 -0700 (Mon, 28 Apr 2014) $
- *
- * ====================================================================
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- * ====================================================================
- *
- * This software consists of voluntary contributions made by many
- * individuals on behalf of the Apache Software Foundation. For more
- * information on the Apache Software Foundation, please see
- * <http://www.apache.org/>.
- *
- */
-
-package org.apache.commons.ssl;
-
-import javax.net.ServerSocketFactory;
-import javax.net.SocketFactory;
-import javax.net.ssl.SSLException;
-import javax.net.ssl.SSLPeerUnverifiedException;
-import javax.net.ssl.SSLProtocolException;
-import javax.net.ssl.SSLSocket;
-import java.io.EOFException;
-import java.io.IOException;
-import java.io.InterruptedIOException;
-import java.net.DatagramSocket;
-import java.net.InetAddress;
-import java.net.NetworkInterface;
-import java.net.ServerSocket;
-import java.net.Socket;
-import java.net.SocketException;
-import java.net.UnknownHostException;
-import java.rmi.server.RMISocketFactory;
-import java.security.GeneralSecurityException;
-import java.security.cert.X509Certificate;
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.Enumeration;
-import java.util.HashMap;
-import java.util.Iterator;
-import java.util.LinkedList;
-import java.util.Map;
-import java.util.Set;
-import java.util.SortedSet;
-import java.util.TreeMap;
-import java.util.TreeSet;
-
-
-/**
- * An RMISocketFactory ideal for using RMI over SSL. The server secures both
- * the registry and the remote objects. The client assumes that either both
- * the registry and the remote objects will use SSL, or both will use
- * plain-socket. The client is able to auto detect plain-socket registries
- * and downgrades itself to accomodate those.
- * <p/>
- * Unlike most existing RMI over SSL solutions in use (including Java 5's
- * javax.rmi.ssl.SslRMIClientSocketFactory), this one does proper SSL hostname
- * verification. From the client perspective this is straighforward. From
- * the server perspective we introduce a clever trick: we perform an initial
- * "hostname verification" by trying the current value of
- * "java.rmi.server.hostname" against our server certificate. If the
- * "java.rmi.server.hostname" System Property isn't set, we set it ourselves
- * using the CN value we extract from our server certificate! (Some
- * complications arise should a wildcard certificate show up, but we try our
- * best to deal with those).
- * <p/>
- * An SSL server cannot be started without a private key. We have defined some
- * default behaviour for trying to find a private key to use that we believe
- * is convenient and sensible:
- * <p/>
- * If running from inside Tomcat, we try to re-use Tomcat's private key and
- * certificate chain (assuming Tomcat-SSL on port 8443 is enabled). If this
- * isn't available, we look for the "javax.net.ssl.keyStore" System property.
- * Finally, if that isn't available, we look for "~/.keystore" and assume
- * a password of "changeit".
- * <p/>
- * If after all these attempts we still failed to find a private key, the
- * RMISocketFactoryImpl() constructor will throw an SSLException.
- *
- * @author Credit Union Central of British Columbia
- * @author <a href="http://www.cucbc.com/">www.cucbc.com</a>
- * @author <a href="mailto:juliusdavies@cucbc.com">juliusdavies@cucbc.com</a>
- * @since 22-Apr-2005
- */
-public class RMISocketFactoryImpl extends RMISocketFactory {
- public final static String RMI_HOSTNAME_KEY = "java.rmi.server.hostname";
- private final static LogWrapper log = LogWrapper.getLogger(RMISocketFactoryImpl.class);
-
- private volatile SocketFactory defaultClient;
- private volatile ServerSocketFactory sslServer;
- private volatile String localBindAddress = null;
- private volatile int anonymousPort = 31099;
- private Map clientMap = new TreeMap();
- private Map serverSockets = new HashMap();
- private final SocketFactory plainClient = SocketFactory.getDefault();
-
- public RMISocketFactoryImpl() throws GeneralSecurityException, IOException {
- this(true);
- }
-
- /**
- * @param createDefaultServer If false, then we only set the default
- * client, and the default server is set to null.
- * If true, then a default server is also created.
- * @throws java.security.GeneralSecurityException bad things
- * @throws java.io.IOException bad things
- */
- public RMISocketFactoryImpl(boolean createDefaultServer)
- throws GeneralSecurityException, IOException {
- SSLServer defaultServer = createDefaultServer ? new SSLServer() : null;
- SSLClient defaultClient = new SSLClient();
-
- // RMI calls to localhost will not check that host matches CN in
- // certificate. Hopefully this is acceptable. (The registry server
- // will followup the registry lookup with the proper DNS name to get
- // the remote object, anyway).
- HostnameVerifier verifier = HostnameVerifier.DEFAULT_AND_LOCALHOST;
- defaultClient.setHostnameVerifier(verifier);
- if (defaultServer != null) {
- defaultServer.setHostnameVerifier(verifier);
- // The RMI server will try to re-use Tomcat's "port 8443" SSL
- // Certificate if possible.
- defaultServer.useTomcatSSLMaterial();
- X509Certificate[] x509 = defaultServer.getAssociatedCertificateChain();
- if (x509 == null || x509.length < 1) {
- throw new SSLException("Cannot initialize RMI-SSL Server: no KeyMaterial!");
- }
- setServer(defaultServer);
- }
- setDefaultClient(defaultClient);
- }
-
- public void setServer(ServerSocketFactory f)
- throws GeneralSecurityException, IOException {
- this.sslServer = f;
- if (f instanceof SSLServer) {
- final HostnameVerifier VERIFIER;
- VERIFIER = HostnameVerifier.DEFAULT_AND_LOCALHOST;
-
- final SSLServer ssl = (SSLServer) f;
- final X509Certificate[] chain = ssl.getAssociatedCertificateChain();
- String[] cns = Certificates.getCNs(chain[0]);
- String[] subjectAlts = Certificates.getDNSSubjectAlts(chain[0]);
- LinkedList names = new LinkedList();
- if (cns != null && cns.length > 0) {
- // Only first CN is used. Not going to get into the IE6 nonsense
- // where all CN values are used.
- names.add(cns[0]);
- }
- if (subjectAlts != null && subjectAlts.length > 0) {
- names.addAll(Arrays.asList(subjectAlts));
- }
-
- String rmiHostName = System.getProperty(RMI_HOSTNAME_KEY);
- // If "java.rmi.server.hostname" is already set, don't mess with it.
- // But blowup if it's not going to work with our SSL Server
- // Certificate!
- if (rmiHostName != null) {
- try {
- VERIFIER.check(rmiHostName, cns, subjectAlts);
- }
- catch (SSLException ssle) {
- String s = ssle.toString();
- throw new SSLException(RMI_HOSTNAME_KEY + " of " + rmiHostName + " conflicts with SSL Server Certificate: " + s);
- }
- } else {
- // If SSL Cert only contains one non-wild name, just use that and
- // hope for the best.
- boolean hopingForBest = false;
- if (names.size() == 1) {
- String name = (String) names.get(0);
- if (!name.startsWith("*")) {
- System.setProperty(RMI_HOSTNAME_KEY, name);
- log.warn("commons-ssl '" + RMI_HOSTNAME_KEY + "' set to '" + name + "' as found in my SSL Server Certificate.");
- hopingForBest = true;
- }
- }
- if (!hopingForBest) {
- // Help me, Obi-Wan Kenobi; you're my only hope. All we can
- // do now is grab our internet-facing addresses, reverse-lookup
- // on them, and hope that one of them validates against our
- // server cert.
- Set s = getMyInternetFacingIPs();
- Iterator it = s.iterator();
- while (it.hasNext()) {
- String name = (String) it.next();
- try {
- VERIFIER.check(name, cns, subjectAlts);
- System.setProperty(RMI_HOSTNAME_KEY, name);
- log.warn("commons-ssl '" + RMI_HOSTNAME_KEY + "' set to '" + name + "' as found by reverse-dns against my own IP.");
- hopingForBest = true;
- break;
- }
- catch (SSLException ssle) {
- // next!
- }
- }
- }
- if (!hopingForBest) {
- throw new SSLException("'" + RMI_HOSTNAME_KEY + "' not present. Must work with my SSL Server Certificate's CN field: " + names);
- }
- }
- }
- trustOurself();
- }
-
- public void setLocalBindAddress(String localBindAddress) {
- this.localBindAddress = localBindAddress;
- }
-
- public void setAnonymousPort(int port) {
- this.anonymousPort = port;
- }
-
- public void setDefaultClient(SocketFactory f)
- throws GeneralSecurityException, IOException {
- this.defaultClient = f;
- trustOurself();
- }
-
- public void setClient(String host, SocketFactory f)
- throws GeneralSecurityException, IOException {
- if (f != null && sslServer != null) {
- boolean clientIsCommonsSSL = f instanceof SSLClient;
- boolean serverIsCommonsSSL = sslServer instanceof SSLServer;
- if (clientIsCommonsSSL && serverIsCommonsSSL) {
- SSLClient c = (SSLClient) f;
- SSLServer s = (SSLServer) sslServer;
- trustEachOther(c, s);
- }
- }
- Set names = hostnamePossibilities(host);
- Iterator it = names.iterator();
- synchronized (this) {
- while (it.hasNext()) {
- clientMap.put(it.next(), f);
- }
- }
- }
-
- public void removeClient(String host) {
- Set names = hostnamePossibilities(host);
- Iterator it = names.iterator();
- synchronized (this) {
- while (it.hasNext()) {
- clientMap.remove(it.next());
- }
- }
- }
-
- public synchronized void removeClient(SocketFactory sf) {
- Iterator it = clientMap.entrySet().iterator();
- while (it.hasNext()) {
- Map.Entry entry = (Map.Entry) it.next();
- Object o = entry.getValue();
- if (sf.equals(o)) {
- it.remove();
- }
- }
- }
-
- private Set hostnamePossibilities(String host) {
- host = host != null ? host.toLowerCase().trim() : "";
- if ("".equals(host)) {
- return Collections.EMPTY_SET;
- }
- TreeSet names = new TreeSet();
- names.add(host);
- InetAddress[] addresses;
- try {
- // If they gave us "hostname.com", this will give us the various
- // IP addresses:
- addresses = InetAddress.getAllByName(host);
- for (int i = 0; i < addresses.length; i++) {
- String name1 = addresses[i].getHostName();
- String name2 = addresses[i].getHostAddress();
- names.add(name1.trim().toLowerCase());
- names.add(name2.trim().toLowerCase());
- }
- }
- catch (UnknownHostException uhe) {
- /* oh well, nothing found, nothing to add for this client */
- }
-
- try {
- host = InetAddress.getByName(host).getHostAddress();
-
- // If they gave us "1.2.3.4", this will hopefully give us
- // "hostname.com" so that we can then try and find any other
- // IP addresses associated with that name.
- host = InetAddress.getByName(host).getHostName();
- names.add(host.trim().toLowerCase());
- addresses = InetAddress.getAllByName(host);
- for (int i = 0; i < addresses.length; i++) {
- String name1 = addresses[i].getHostName();
- String name2 = addresses[i].getHostAddress();
- names.add(name1.trim().toLowerCase());
- names.add(name2.trim().toLowerCase());
- }
- }
- catch (UnknownHostException uhe) {
- /* oh well, nothing found, nothing to add for this client */
- }
- return names;
- }
-
- private void trustOurself()
- throws GeneralSecurityException, IOException {
- if (defaultClient == null || sslServer == null) {
- return;
- }
- boolean clientIsCommonsSSL = defaultClient instanceof SSLClient;
- boolean serverIsCommonsSSL = sslServer instanceof SSLServer;
- if (clientIsCommonsSSL && serverIsCommonsSSL) {
- SSLClient c = (SSLClient) defaultClient;
- SSLServer s = (SSLServer) sslServer;
- trustEachOther(c, s);
- }
- }
-
- private void trustEachOther(SSLClient client, SSLServer server)
- throws GeneralSecurityException, IOException {
- if (client != null && server != null) {
- // Our own client should trust our own server.
- X509Certificate[] certs = server.getAssociatedCertificateChain();
- if (certs != null && certs[0] != null) {
- TrustMaterial tm = new TrustMaterial(certs[0]);
- client.addTrustMaterial(tm);
- }
-
- // Our own server should trust our own client.
- certs = client.getAssociatedCertificateChain();
- if (certs != null && certs[0] != null) {
- TrustMaterial tm = new TrustMaterial(certs[0]);
- server.addTrustMaterial(tm);
- }
- }
- }
-
- public ServerSocketFactory getServer() { return sslServer; }
-
- public SocketFactory getDefaultClient() { return defaultClient; }
-
- public synchronized SocketFactory getClient(String host) {
- host = host != null ? host.trim().toLowerCase() : "";
- return (SocketFactory) clientMap.get(host);
- }
-
- public synchronized ServerSocket createServerSocket(int port)
- throws IOException {
- // Re-use existing ServerSocket if possible.
- if (port == 0) {
- port = anonymousPort;
- }
- Integer key = new Integer(port);
- ServerSocket ss = (ServerSocket) serverSockets.get(key);
- if (ss == null || ss.isClosed()) {
- if (ss != null && ss.isClosed()) {
- System.out.println("found closed server on port: " + port);
- }
- log.debug("commons-ssl RMI server-socket: listening on port " + port);
- ss = sslServer.createServerSocket(port);
- serverSockets.put(key, ss);
- }
- return ss;
- }
-
- public Socket createSocket(String host, int port)
- throws IOException {
- host = host != null ? host.trim().toLowerCase() : "";
- InetAddress local = null;
- String bindAddress = localBindAddress;
- if (bindAddress == null) {
- bindAddress = System.getProperty(RMI_HOSTNAME_KEY);
- if (bindAddress != null) {
- local = InetAddress.getByName(bindAddress);
- if (!local.isLoopbackAddress()) {
- String ip = local.getHostAddress();
- Set myInternetIps = getMyInternetFacingIPs();
- if (!myInternetIps.contains(ip)) {
- log.warn("Cannot bind to " + ip + " since it doesn't exist on this machine.");
- // Not going to be able to bind as this. Our RMI_HOSTNAME_KEY
- // must be set to some kind of proxy in front of us. So we
- // still want to use it, but we can't bind to it.
- local = null;
- bindAddress = null;
- }
- }
- }
- }
- if (bindAddress == null) {
- // Our last resort - let's make sure we at least use something that's
- // internet facing!
- bindAddress = getMyDefaultIP();
- }
- if (local == null && bindAddress != null) {
- local = InetAddress.getByName(bindAddress);
- localBindAddress = local.getHostName();
- }
-
- SocketFactory sf;
- synchronized (this) {
- sf = (SocketFactory) clientMap.get(host);
- }
- if (sf == null) {
- sf = defaultClient;
- }
-
- Socket s = null;
- SSLSocket ssl = null;
- int soTimeout = Integer.MIN_VALUE;
- IOException reasonForPlainSocket = null;
- boolean tryPlain = false;
- try {
- s = sf.createSocket(host, port, local, 0);
- soTimeout = s.getSoTimeout();
- if (!(s instanceof SSLSocket)) {
- // Someone called setClient() or setDefaultClient() and passed in
- // a plain socket factory. Okay, nothing to see, move along.
- return s;
- } else {
- ssl = (SSLSocket) s;
- }
-
- // If we don't get the peer certs in 15 seconds, revert to plain
- // socket.
- ssl.setSoTimeout(15000);
- ssl.getSession().getPeerCertificates();
-
- // Everything worked out okay, so go back to original soTimeout.
- ssl.setSoTimeout(soTimeout);
- return ssl;
- }
- catch (IOException ioe) {
- // SSL didn't work. Let's analyze the IOException to see if maybe
- // we're accidentally attempting to talk to a plain-socket RMI
- // server.
- Throwable t = ioe;
- while (!tryPlain && t != null) {
- tryPlain = tryPlain || t instanceof EOFException;
- tryPlain = tryPlain || t instanceof InterruptedIOException;
- tryPlain = tryPlain || t instanceof SSLProtocolException;
- t = t.getCause();
- }
- if (!tryPlain && ioe instanceof SSLPeerUnverifiedException) {
- try {
- if (ssl != null) {
- ssl.startHandshake();
- }
- }
- catch (IOException ioe2) {
- // Stacktrace from startHandshake() will be more descriptive
- // then the one we got from getPeerCertificates().
- ioe = ioe2;
- t = ioe2;
- while (!tryPlain && t != null) {
- tryPlain = tryPlain || t instanceof EOFException;
- tryPlain = tryPlain || t instanceof InterruptedIOException;
- tryPlain = tryPlain || t instanceof SSLProtocolException;
- t = t.getCause();
- }
- }
- }
- if (!tryPlain) {
- log.debug("commons-ssl RMI-SSL failed: " + ioe);
- throw ioe;
- } else {
- reasonForPlainSocket = ioe;
- }
- }
- finally {
- // Some debug logging:
- boolean isPlain = tryPlain || (s != null && ssl == null);
- String socket = isPlain ? "RMI plain-socket " : "RMI ssl-socket ";
- String localIP = local != null ? local.getHostAddress() : "ANY";
- StringBuffer buf = new StringBuffer(64);
- buf.append(socket);
- buf.append(localIP);
- buf.append(" --> ");
- buf.append(host);
- buf.append(":");
- buf.append(port);
- log.debug(buf.toString());
- }
-
- // SSL didn't work. Remote server either timed out, or sent EOF, or
- // there was some kind of SSLProtocolException. (Any other problem
- // would have caused an IOException to be thrown, so execution wouldn't
- // have made it this far). Maybe plain socket will work in these three
- // cases.
- sf = plainClient;
- s = JavaImpl.connect(null, sf, host, port, local, 0, 15000, null);
- if (soTimeout != Integer.MIN_VALUE) {
- s.setSoTimeout(soTimeout);
- }
-
- try {
- // Plain socket worked! Let's remember that for next time an RMI call
- // against this host happens.
- setClient(host, plainClient);
- String msg = "RMI downgrading from SSL to plain-socket for " + host + " because of " + reasonForPlainSocket;
- log.warn(msg, reasonForPlainSocket);
- }
- catch (GeneralSecurityException gse) {
- throw new RuntimeException("can't happen because we're using plain socket", gse);
- // won't happen because we're using plain socket, not SSL.
- }
-
- return s;
- }
-
-
- public static String getMyDefaultIP() {
- String anInternetIP = "64.111.122.211";
- String ip = null;
- try {
- DatagramSocket dg = new DatagramSocket();
- dg.setSoTimeout(250);
- // 64.111.122.211 is juliusdavies.ca.
- // This code doesn't actually send any packets (so no firewalls can
- // get in the way). It's just a neat trick for getting our
- // internet-facing interface card.
- InetAddress addr = Util.toInetAddress(anInternetIP);
- dg.connect(addr, 12345);
- InetAddress localAddr = dg.getLocalAddress();
- ip = localAddr.getHostAddress();
- // log.debug( "Using bogus UDP socket (" + anInternetIP + ":12345), I think my IP address is: " + ip );
- dg.close();
- if (localAddr.isLoopbackAddress() || "0.0.0.0".equals(ip)) {
- ip = null;
- }
- }
- catch (IOException ioe) {
- log.debug("Bogus UDP didn't work: " + ioe);
- }
- return ip;
- }
-
- public static SortedSet getMyInternetFacingIPs() throws SocketException {
- TreeSet set = new TreeSet();
- Enumeration en = NetworkInterface.getNetworkInterfaces();
- while (en.hasMoreElements()) {
- NetworkInterface ni = (NetworkInterface) en.nextElement();
- Enumeration en2 = ni.getInetAddresses();
- while (en2.hasMoreElements()) {
- InetAddress addr = (InetAddress) en2.nextElement();
- if (!addr.isLoopbackAddress()) {
- String ip = addr.getHostAddress();
- String reverse = addr.getHostName();
- // IP:
- set.add(ip);
- // Reverse-Lookup:
- set.add(reverse);
-
- }
- }
- }
- return set;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bc5c276e/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/SSL.java
----------------------------------------------------------------------
diff --git a/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/SSL.java b/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/SSL.java
index 5f9f6dc..c4a5be3 100644
--- a/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/SSL.java
+++ b/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/SSL.java
@@ -219,14 +219,6 @@ public class SSL {
{
Object obj = getSSLContextAsObject();
- if (JavaImpl.isJava13()) {
- try {
- return (SSLContext) obj;
- }
- catch (ClassCastException cce) {
- throw new ClassCastException("When using Java13 SSL, you must call SSL.getSSLContextAsObject() - " + cce);
- }
- }
return (SSLContext) obj;
}
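Review bot: With the Java 1.3 branch removed, the local `obj` on the first context line is assigned and immediately cast on the very next line, so the temporary no longer adds anything; `return (SSLContext) getSSLContextAsObject();` says the same thing in one line. The method's signature and Javadoc are outside the hunk, so I cannot tell whether they still carry the "when using Java13 SSL, call getSSLContextAsObject()" caveat that the deleted message referred to; if they do, that sentence is now stale as well.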
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bc5c276e/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/SSLServer.java
----------------------------------------------------------------------
diff --git a/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/SSLServer.java b/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/SSLServer.java
index 13472ed..4d58988 100644
--- a/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/SSLServer.java
+++ b/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/SSLServer.java
@@ -71,40 +71,6 @@ public class SSLServer extends SSLServerSocketFactory {
}
}
- /**
- * Tries to extract the TrustMaterial and KeyMaterial being used by a Tomcat
- * SSL server (usually on 8443) by analyzing Tomcat's "server.xml" file. If
- * the extraction is successful, the TrustMaterial and KeyMaterial are
- * applied to this SSLServer.
- *
- * @return true if the operation was successful.
- * @throws java.security.GeneralSecurityException setKeyMaterial() failed
- * @throws java.io.IOException setKeyMaterial() failed
- */
- public boolean useTomcatSSLMaterial()
- throws GeneralSecurityException, IOException {
- // If running inside Tomcat, let's try to re-use Tomcat's SSL
- // certificate for our own stuff (e.g. RMI-SSL).
- Integer p8443 = Integer.valueOf(8443);
- KeyMaterial km;
- TrustMaterial tm;
- km = (KeyMaterial) TomcatServerXML.KEY_MATERIAL_BY_PORT.get(p8443);
- tm = (TrustMaterial) TomcatServerXML.TRUST_MATERIAL_BY_PORT.get(p8443);
-
- // If 8443 isn't set, let's take lowest secure port.
- km = km == null ? TomcatServerXML.KEY_MATERIAL : km;
- tm = tm == null ? TomcatServerXML.TRUST_MATERIAL : tm;
- boolean success = false;
- if (km != null) {
- setKeyMaterial(km);
- success = true;
- if (tm != null && !TrustMaterial.DEFAULT.equals(tm)) {
- setTrustMaterial(tm);
- }
- }
- return success;
- }
-
private boolean useDefaultKeyMaterial()
throws GeneralSecurityException, IOException {
// If we're not able to re-use Tomcat's SSLServerSocket configuration,
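Review bot: The context comment kept at the top of useDefaultKeyMaterial(), `// If we're not able to re-use Tomcat's SSLServerSocket configuration,`, describes the fallback in terms of useTomcatSSLMaterial(), which this hunk deletes, so on the new side it refers to a code path that no longer exists. Rewording it to something that does not mention Tomcat, e.g. `// No Tomcat integration any more: fall back to default key material.`, keeps the comment honest for the next reader. If the Javadoc of SSLServer or the constructor that used to call useTomcatSSLMaterial() still mentions reusing Tomcat's server.xml, the same cleanup applies there; I cannot see those lines from this hunk. The body of useDefaultKeyMaterial() continues outside the hunk.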
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bc5c276e/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/SSLWrapperFactory.java
----------------------------------------------------------------------
diff --git a/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/SSLWrapperFactory.java b/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/SSLWrapperFactory.java
index c8fa432..3f15b83 100644
--- a/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/SSLWrapperFactory.java
+++ b/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/SSLWrapperFactory.java
@@ -82,10 +82,7 @@ public interface SSLWrapperFactory {
// the accept() call.
public SSLServerSocket wrap(SSLServerSocket s, SSL ssl)
throws IOException {
- // Can't wrap with Java 1.3 because SSLServerSocket's constructor has
- // default access instead of protected access in Java 1.3.
- boolean java13 = JavaImpl.isJava13();
- return java13 ? s : new SSLServerSocketWrapper(s, ssl, this);
+ return new SSLServerSocketWrapper(s, ssl, this);
}
};
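Review bot: With the Java 1.3 branch gone, the `wrap(SSLServerSocket s, SSL ssl)` bodies in this hunk and in the second hunk (`@@ -99,10 +96,7 @@`) are now identical one-liners, `return new SSLServerSocketWrapper(s, ssl, this);`, maintained in two anonymous implementations; if the two factories differ only in their other wrap method, the shared body could live in one static helper instead of being duplicated. Both methods still declare `throws IOException`, which is only warranted if the SSLServerSocketWrapper constructor declares it; that declaration is not visible here, so I would verify it and drop the clause if it is unused. The comment ending in `// the accept() call.` just above may also still describe the Java 1.3 limitation that this change removes, in which case it should be trimmed too. The enclosing anonymous classes start outside the hunk.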
@@ -99,10 +96,7 @@ public interface SSLWrapperFactory {
public SSLServerSocket wrap(SSLServerSocket s, SSL ssl)
throws IOException {
- // Can't wrap with Java 1.3 because SSLServerSocket's constructor has
- // default access instead of protected access in Java 1.3.
- boolean java13 = JavaImpl.isJava13();
- return java13 ? s : new SSLServerSocketWrapper(s, ssl, this);
+ return new SSLServerSocketWrapper(s, ssl, this);
}
};
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bc5c276e/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/TomcatServerXML.java
----------------------------------------------------------------------
diff --git a/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/TomcatServerXML.java b/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/TomcatServerXML.java
deleted file mode 100644
index 382c9f0..0000000
--- a/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/TomcatServerXML.java
+++ /dev/null
@@ -1,231 +0,0 @@
-/*
- * $HeadURL: http://juliusdavies.ca/svn/not-yet-commons-ssl/tags/commons-ssl-0.3.16/src/java/org/apache/commons/ssl/TomcatServerXML.java $
- * $Revision: 121 $
- * $Date: 2007-11-13 21:26:57 -0800 (Tue, 13 Nov 2007) $
- *
- * ====================================================================
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- * ====================================================================
- *
- * This software consists of voluntary contributions made by many
- * individuals on behalf of the Apache Software Foundation. For more
- * information on the Apache Software Foundation, please see
- * <http://www.apache.org/>.
- *
- */
-
-package org.apache.commons.ssl;
-
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-import org.w3c.dom.NodeList;
-
-import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.util.Collections;
-import java.util.Map;
-import java.util.SortedMap;
-import java.util.TreeMap;
-
-/**
- * @author Credit Union Central of British Columbia
- * @author <a href="http://www.cucbc.com/">www.cucbc.com</a>
- * @author <a href="mailto:juliusdavies@cucbc.com">juliusdavies@cucbc.com</a>
- * @since 22-Feb-2007
- */
-public class TomcatServerXML {
- private final static LogWrapper log = LogWrapper.getLogger(TomcatServerXML.class);
-
- /**
- * KeyMaterial extracted from Tomcat's conf/server.xml. There might be
- * several KeyMaterials to extract if Tomcat has different SSL Certificates
- * listening on different ports. This particular KeyMaterial will come from
- * the lowest secure port that Tomcat is properly configured to open.
- */
- public final static KeyMaterial KEY_MATERIAL;
-
- /**
- * TrustMaterial extracted from Tomcat's conf/server.xml. There might be
- * several TrustMaterials to extract if Tomcat has different SSL Certificates
- * listening on different ports. This particular TrustMaterial will come
- * from the lowest secure port that Tomcat is properly configured to open.
- * </p><p>
- * There's a good chance this will be set to TrustMaterial.DEFAULT (which
- * use's the JVM's '$JAVA_HOME/jre/lib/security/cacerts' file).
- * </p><p>
- * Note: With SSLServerSockets, TrustMaterial only matters when the
- * incoming client socket (SSLSocket) presents a client certificate.
- * </p>
- */
- public final static TrustMaterial TRUST_MATERIAL;
-
- /**
- * new Integer( port ) --> KeyMaterial mapping of SSL Certificates found
- * inside Tomcat's conf/server.xml file.
- */
- public final static SortedMap KEY_MATERIAL_BY_PORT;
-
- /**
- * new Integer( port ) --> TrustMaterial mapping of SSL configuration
- * found inside Tomcat's conf/server.xml file.
- * </p><p>
- * Many of these will probably be TrustMaterial.DEFAULT (which uses the
- * JVM's '$JAVA_HOME/jre/lib/security/cacerts' file).
- * </p><p>
- * Note: With SSLServerSockets, TrustMaterial only matters when the
- * incoming client socket (SSLSocket) presents a client certificate.
- * </p>
- */
- public final static SortedMap TRUST_MATERIAL_BY_PORT;
-
- static {
- String tomcatHome = System.getProperty("catalina.home");
- String serverXML = tomcatHome + "/conf/server.xml";
- TreeMap keyMap = new TreeMap();
- TreeMap trustMap = new TreeMap();
- InputStream in = null;
- Document doc = null;
- try {
- if (tomcatHome != null) {
- File f = new File(serverXML);
- if (f.exists()) {
- try {
- in = new FileInputStream(serverXML);
- }
- catch (IOException ioe) {
- // oh well, no soup for us.
- log.warn("Commons-SSL failed to load Tomcat's [" + serverXML + "] " + ioe);
- }
- }
- }
- if (in != null) {
- DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
- try {
- DocumentBuilder db = dbf.newDocumentBuilder();
- doc = db.parse(in);
- }
- catch (Exception e) {
- log.warn("Commons-SSL failed to parse Tomcat's [" + serverXML + "] " + e);
- }
- }
- if (doc != null) {
- loadTomcatConfig(doc, keyMap, trustMap);
- }
- }
- finally {
- if (in != null) {
- try { in.close(); } catch (Exception e) { /* . */ }
- }
- }
- KEY_MATERIAL_BY_PORT = Collections.unmodifiableSortedMap(keyMap);
- TRUST_MATERIAL_BY_PORT = Collections.unmodifiableSortedMap(trustMap);
-
- KeyMaterial km = null;
- TrustMaterial tm = null;
- if (!keyMap.isEmpty()) {
- km = (KeyMaterial) keyMap.get(keyMap.firstKey());
- }
- if (!trustMap.isEmpty()) {
- tm = (TrustMaterial) trustMap.get(trustMap.firstKey());
- }
- KEY_MATERIAL = km;
- TRUST_MATERIAL = tm;
-
- }
-
- private static void loadTomcatConfig(Document d, Map keyMap, Map trustMap) {
- final String userHome = System.getProperty("user.home");
- NodeList nl = d.getElementsByTagName("Connector");
- for (int i = 0; i < nl.getLength(); i++) {
- KeyMaterial km = null;
- TrustMaterial tm = null;
-
- Element element = (Element) nl.item(i);
- String secure = element.getAttribute("secure");
- String portString = element.getAttribute("port");
- Integer port = null;
- String pass;
- try {
- portString = portString != null ? portString.trim() : "";
- port = new Integer(portString);
- }
- catch (NumberFormatException nfe) {
- // oh well
- }
- if (port != null && Util.isYes(secure)) {
- // Key Material
- String keystoreFile = element.getAttribute("keystoreFile");
- pass = element.getAttribute("keystorePass");
- if (!element.hasAttribute("keystoreFile")) {
- keystoreFile = userHome + "/.keystore";
- }
- if (!element.hasAttribute("keystorePass")) {
- pass = "changeit";
- }
- char[] keystorePass = pass != null ? pass.toCharArray() : null;
-
- // Trust Material
- String truststoreFile = element.getAttribute("truststoreFile");
- pass = element.getAttribute("truststorePass");
- if (!element.hasAttribute("truststoreFile")) {
- truststoreFile = null;
- }
- if (!element.hasAttribute("truststorePass")) {
- pass = null;
- }
- char[] truststorePass = pass != null ? pass.toCharArray() : null;
-
-
- if (keystoreFile == null) {
- km = null;
- } else {
- try {
- km = new KeyMaterial(keystoreFile, keystorePass);
- }
- catch (Exception e) {
- log.warn("Commons-SSL failed to load [" + keystoreFile + "] " + e);
- }
- }
- if (truststoreFile == null) {
- tm = TrustMaterial.DEFAULT;
- } else {
- try {
- tm = new TrustMaterial(truststoreFile, truststorePass);
- }
- catch (Exception e) {
- log.warn("Commons-SSL failed to load [" + truststoreFile + "] " + e);
- }
- }
-
- Object o = keyMap.put(port, km);
- if (o != null) {
- log.debug("Commons-SSL TomcatServerXML keyMap clobbered port: " + port);
- }
- o = trustMap.put(port, tm);
- if (o != null) {
- log.debug("Commons-SSL TomcatServerXML trustMap clobbered port: " + port);
- }
- }
- }
- }
-
-}