You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@qpid.apache.org by kw...@apache.org on 2012/12/14 11:06:23 UTC
svn commit: r1421778 -
/qpid/proton/trunk/proton-j/proton/src/main/java/org/apache/qpid/proton/engine/impl/ssl/SslEngineFacadeFactory.java
Author: kwall
Date: Fri Dec 14 10:06:22 2012
New Revision: 1421778
URL: http://svn.apache.org/viewvc?rev=1421778&view=rev
Log:
PROTON-187: Proton-j SSL implementation should accept client certificate from a private key of a keypair
Modified:
qpid/proton/trunk/proton-j/proton/src/main/java/org/apache/qpid/proton/engine/impl/ssl/SslEngineFacadeFactory.java
Modified: qpid/proton/trunk/proton-j/proton/src/main/java/org/apache/qpid/proton/engine/impl/ssl/SslEngineFacadeFactory.java
URL: http://svn.apache.org/viewvc/qpid/proton/trunk/proton-j/proton/src/main/java/org/apache/qpid/proton/engine/impl/ssl/SslEngineFacadeFactory.java?rev=1421778&r1=1421777&r2=1421778&view=diff
==============================================================================
--- qpid/proton/trunk/proton-j/proton/src/main/java/org/apache/qpid/proton/engine/impl/ssl/SslEngineFacadeFactory.java (original)
+++ qpid/proton/trunk/proton-j/proton/src/main/java/org/apache/qpid/proton/engine/impl/ssl/SslEngineFacadeFactory.java Fri Dec 14 10:06:22 2012
@@ -23,11 +23,12 @@ package org.apache.qpid.proton.engine.im
import java.io.FileReader;
import java.io.IOException;
import java.io.Reader;
-import java.security.Key;
import java.security.KeyManagementException;
+import java.security.KeyPair;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
import java.security.Security;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
@@ -176,7 +177,7 @@ public class SslEngineFacadeFactory
{
_logger.log(Level.FINE, "_sslParams.getTrustedCaDb() : " + sslConfiguration.getTrustedCaDb());
}
- Certificate trustedCaCert = (Certificate) readPemObject(sslConfiguration.getTrustedCaDb());
+ Certificate trustedCaCert = (Certificate) readPemObject(sslConfiguration.getTrustedCaDb(), null, Certificate.class);
keystore.setCertificateEntry(caCertAlias, trustedCaCert);
}
@@ -184,10 +185,25 @@ public class SslEngineFacadeFactory
&& sslConfiguration.getPrivateKeyFile() != null)
{
String clientPrivateKeyAlias = "clientPrivateKey";
- Certificate clientCertificate = (Certificate) readPemObject(sslConfiguration.getCertificateFile());
- Key clientPrivateKey = (Key) readPemObject(
+ Certificate clientCertificate = (Certificate) readPemObject(sslConfiguration.getCertificateFile(), null, Certificate.class);
+ Object keyOrKeyPair = readPemObject(
sslConfiguration.getPrivateKeyFile(),
- sslConfiguration.getPrivateKeyPassword());
+ sslConfiguration.getPrivateKeyPassword(), PrivateKey.class, KeyPair.class);
+
+ final PrivateKey clientPrivateKey;
+ if (keyOrKeyPair instanceof PrivateKey)
+ {
+ clientPrivateKey = (PrivateKey)keyOrKeyPair;
+ }
+ else if (keyOrKeyPair instanceof KeyPair)
+ {
+ clientPrivateKey = ((KeyPair)keyOrKeyPair).getPrivate();
+ }
+ else
+ {
+ // Should not happen - readPemObject will have already verified key type
+ throw new IllegalStateException("Unexpected key type " + keyOrKeyPair);
+ }
keystore.setKeyEntry(clientPrivateKeyAlias, clientPrivateKey,
dummyPassword, new Certificate[] { clientCertificate });
@@ -245,31 +261,40 @@ public class SslEngineFacadeFactory
return newEnabled;
}
- private Object readPemObject(String pemFile, final String privateKeyPassword)
+ private Object readPemObject(String pemFile, String keyPassword, @SuppressWarnings("rawtypes") Class... expectedInterfaces)
{
- PasswordFinder passwordFinder = new PasswordFinder()
+ final PasswordFinder passwordFinder;
+ if (keyPassword != null)
{
- @Override
- public char[] getPassword()
- {
- return privateKeyPassword.toCharArray();
- }
- };
+ passwordFinder = getPasswordFinderFor(keyPassword);
+ }
+ else
+ {
+ passwordFinder = null;
+ }
Reader reader = null;
try
{
reader = new FileReader(pemFile);
- return new PEMReader(reader, privateKeyPassword == null ? null : passwordFinder).readObject();
+ PEMReader pemReader = new PEMReader(reader, passwordFinder);
+ Object pemObject = pemReader.readObject();
+ if (!checkPemObjectIsOfAllowedTypes(pemObject, expectedInterfaces))
+ {
+ throw new IllegalStateException("File " + pemFile + " does not provide a object of the required type."
+ + " Read an object of class " + pemObject.getClass().getName()
+ + " whilst expecting an implementation of one of the following : " + Arrays.asList(expectedInterfaces));
+ }
+ return pemObject;
}
catch(PEMException e)
{
_logger.log(Level.SEVERE, "Unable to read PEM object. Perhaps you need the unlimited strength libraries in <java-home>/jre/lib/security/ ?", e);
- throw new RuntimeException(e);
+ throw new IllegalStateException("Unable to read PEM object from file " + pemFile, e);
}
catch (IOException e)
{
- throw new RuntimeException(e);
+ throw new RuntimeException("Unable to read PEM object from file " + pemFile, e);
}
finally
{
@@ -287,9 +312,35 @@ public class SslEngineFacadeFactory
}
}
- private Object readPemObject(String pemFile)
+ @SuppressWarnings("rawtypes")
+ private boolean checkPemObjectIsOfAllowedTypes(Object pemObject, Class... expectedInterfaces)
+ {
+ if (expectedInterfaces.length == 0)
+ {
+ throw new IllegalArgumentException("Must be at least one expectedKeyTypes");
+ }
+
+ for (Class keyInterface : expectedInterfaces)
+ {
+ if (keyInterface.isInstance(pemObject))
+ {
+ return true;
+ }
+ }
+ return false;
+ }
+
+ private PasswordFinder getPasswordFinderFor(final String keyPassword)
{
- return readPemObject(pemFile, null);
+ PasswordFinder passwordFinder = new PasswordFinder()
+ {
+ @Override
+ public char[] getPassword()
+ {
+ return keyPassword.toCharArray();
+ }
+ };
+ return passwordFinder;
}
private final class AlwaysTrustingTrustManager implements X509TrustManager
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@qpid.apache.org
For additional commands, e-mail: commits-help@qpid.apache.org