Posted to commits@ofbiz.apache.org by ja...@apache.org on 2007/04/22 22:57:01 UTC
svn commit: r531272 - in /ofbiz/trunk/framework: base/config/ base/dtd/
base/src/base/org/ofbiz/base/component/ base/src/base/org/ofbiz/base/util/
catalina/src/org/ofbiz/catalina/container/ security/entitydef/
service/src/org/ofbiz/service/rmi/ service...
Author: jaz
Date: Sun Apr 22 13:56:58 2007
New Revision: 531272
URL: http://svn.apache.org/viewvc?view=rev&rev=531272
Log:
refactored x509 implementations; now it will use the certificate to determine the userlogin; tomcat changed to ignore cert files (just pass through) so all checking can be handled by ofbiz; login worker updated to use new method of cert checking; added issuer entity to configure what issuers are allowed to sign login certs (the certificate must also be included in a trust store); new component-based trust/cert stores configured in ofbiz-component.xml
Added:
ofbiz/trunk/framework/catalina/src/org/ofbiz/catalina/container/SSLImpl.java (with props)
Modified:
ofbiz/trunk/framework/base/config/jetty-containers.xml
ofbiz/trunk/framework/base/config/limited-containers.xml
ofbiz/trunk/framework/base/config/ofbiz-containers.xml
ofbiz/trunk/framework/base/config/rmi-containers.xml
ofbiz/trunk/framework/base/config/test-containers.xml
ofbiz/trunk/framework/base/dtd/ofbiz-component.xsd
ofbiz/trunk/framework/base/src/base/org/ofbiz/base/component/ComponentConfig.java
ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/KeyStoreUtil.java
ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/SSLUtil.java
ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/URLConnector.java
ofbiz/trunk/framework/security/entitydef/entitygroup.xml
ofbiz/trunk/framework/security/entitydef/entitymodel.xml
ofbiz/trunk/framework/service/src/org/ofbiz/service/rmi/RmiServiceContainer.java
ofbiz/trunk/framework/service/src/org/ofbiz/service/rmi/socket/ssl/SSLClientSocketFactory.java
ofbiz/trunk/framework/service/src/org/ofbiz/service/rmi/socket/ssl/SSLServerSocketFactory.java
ofbiz/trunk/framework/webapp/dtd/site-conf.xsd
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestManager.java
Modified: ofbiz/trunk/framework/base/config/jetty-containers.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/config/jetty-containers.xml?view=diff&rev=531272&r1=531271&r2=531272
==============================================================================
--- ofbiz/trunk/framework/base/config/jetty-containers.xml (original)
+++ ofbiz/trunk/framework/base/config/jetty-containers.xml Sun Apr 22 13:56:58 2007
@@ -39,6 +39,10 @@
<property name="delegator-name" value="default"/>
<property name="client-factory" value="org.ofbiz.service.rmi.socket.ssl.SSLClientSocketFactory"/>
<property name="server-factory" value="org.ofbiz.service.rmi.socket.ssl.SSLServerSocketFactory"/>
+ <property name="ssl-keystore" value="framework/base/config/ofbizrmi.jks"/>
+ <property name="ssl-keystore-type" value="JKS"/>
+ <property name="ssl-keystore-pass" value="changeit"/>
+ <property name="ssl-keystore-alias" value="rmissl"/>
<property name="ssl-client-auth" value="true"/>
</container>
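Review bot: The keystore password is committed in plaintext with the well-known default `changeit` on the `ssl-keystore-pass` line, and the same value is repeated in limited-, ofbiz-, rmi- and test-containers.xml in this commit. Anyone with read access to the config tree can open ofbizrmi.jks and extract the private key behind the RMI listener, and a default that ships in the tree tends to survive into deployments. Consider sourcing the value from a system property or an externally managed properties file kept out of version control, and at minimum add `<!-- CHANGE ME: default password shipped with the distribution, rotate before deployment -->` above the line so the requirement is visible where the value lives.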
Modified: ofbiz/trunk/framework/base/config/limited-containers.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/config/limited-containers.xml?view=diff&rev=531272&r1=531271&r2=531272
==============================================================================
--- ofbiz/trunk/framework/base/config/limited-containers.xml (original)
+++ ofbiz/trunk/framework/base/config/limited-containers.xml Sun Apr 22 13:56:58 2007
@@ -35,6 +35,10 @@
<property name="delegator-name" value="default"/>
<property name="client-factory" value="org.ofbiz.service.rmi.socket.ssl.SSLClientSocketFactory"/>
<property name="server-factory" value="org.ofbiz.service.rmi.socket.ssl.SSLServerSocketFactory"/>
+ <property name="ssl-keystore" value="framework/base/config/ofbizrmi.jks"/>
+ <property name="ssl-keystore-type" value="JKS"/>
+ <property name="ssl-keystore-pass" value="changeit"/>
+ <property name="ssl-keystore-alias" value="rmissl"/>
<property name="ssl-client-auth" value="true"/>
</container>
Modified: ofbiz/trunk/framework/base/config/ofbiz-containers.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/config/ofbiz-containers.xml?view=diff&rev=531272&r1=531271&r2=531272
==============================================================================
--- ofbiz/trunk/framework/base/config/ofbiz-containers.xml (original)
+++ ofbiz/trunk/framework/base/config/ofbiz-containers.xml Sun Apr 22 13:56:58 2007
@@ -45,6 +45,10 @@
<property name="delegator-name" value="default"/>
<property name="client-factory" value="org.ofbiz.service.rmi.socket.ssl.SSLClientSocketFactory"/>
<property name="server-factory" value="org.ofbiz.service.rmi.socket.ssl.SSLServerSocketFactory"/>
+ <property name="ssl-keystore" value="framework/base/config/ofbizrmi.jks"/>
+ <property name="ssl-keystore-type" value="JKS"/>
+ <property name="ssl-keystore-pass" value="changeit"/>
+ <property name="ssl-keystore-alias" value="rmissl"/>
<property name="ssl-client-auth" value="true"/>
</container>
@@ -227,7 +231,8 @@
<property name="strategy" value="lf"/>
<property name="tcpNoDelay" value="true"/>
<property name="threadPriority" value="java.lang.Thread#NORM_PRIORITY"/>
- <!-- SSL connector attributes -->
+ <!-- SSL connector attributes -->
+ <property name="sSLImplementation" value="org.ofbiz.catalina.container.SSLImpl"/>
<property name="algorithm" value="SunX509"/>
<property name="clientAuth" value="want"/>
<property name="keystoreFile" value="framework/base/config/ofbizssl.jks"/>
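Review bot: `clientAuth` stays at `want` while the new `sSLImplementation` line installs org.ofbiz.catalina.container.SSLImpl, which according to the commit log passes client certificates through without checking them at the connector (the class body is not visible here). If so, every certificate-bearing request reaches the webapp with an unverified chain and LoginWorker's call into SSLUtil.isClientTrusted becomes the only validation; any other code that reads the client-certificate request attribute would be trusting an arbitrary, possibly self-signed certificate. That contract deserves a comment on this line, e.g. `<!-- SSLImpl accepts any client cert at the connector; the application MUST validate it via SSLUtil.isClientTrusted -->`.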
Modified: ofbiz/trunk/framework/base/config/rmi-containers.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/config/rmi-containers.xml?view=diff&rev=531272&r1=531271&r2=531272
==============================================================================
--- ofbiz/trunk/framework/base/config/rmi-containers.xml (original)
+++ ofbiz/trunk/framework/base/config/rmi-containers.xml Sun Apr 22 13:56:58 2007
@@ -39,6 +39,10 @@
<property name="delegator-name" value="default"/>
<property name="client-factory" value="org.ofbiz.service.rmi.socket.ssl.SSLClientSocketFactory"/>
<property name="server-factory" value="org.ofbiz.service.rmi.socket.ssl.SSLServerSocketFactory"/>
+ <property name="ssl-keystore" value="framework/base/config/ofbizrmi.jks"/>
+ <property name="ssl-keystore-type" value="JKS"/>
+ <property name="ssl-keystore-pass" value="changeit"/>
+ <property name="ssl-keystore-alias" value="rmissl"/>
<property name="ssl-client-auth" value="true"/>
</container>
Modified: ofbiz/trunk/framework/base/config/test-containers.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/config/test-containers.xml?view=diff&rev=531272&r1=531271&r2=531272
==============================================================================
--- ofbiz/trunk/framework/base/config/test-containers.xml (original)
+++ ofbiz/trunk/framework/base/config/test-containers.xml Sun Apr 22 13:56:58 2007
@@ -39,7 +39,11 @@
<property name="delegator-name" value="test"/>
<property name="client-factory" value="org.ofbiz.service.rmi.socket.ssl.SSLClientSocketFactory"/>
<property name="server-factory" value="org.ofbiz.service.rmi.socket.ssl.SSLServerSocketFactory"/>
- <property name="ssl-client-auth" value="false"/>
+ <property name="ssl-keystore" value="framework/base/config/ofbizrmi.jks"/>
+ <property name="ssl-keystore-type" value="JKS"/>
+ <property name="ssl-keystore-pass" value="changeit"/>
+ <property name="ssl-keystore-alias" value="rmissl"/>
+ <property name="ssl-client-auth" value="true"/>
</container>
<!-- load Shark Workflow Engine -->
Modified: ofbiz/trunk/framework/base/dtd/ofbiz-component.xsd
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/dtd/ofbiz-component.xsd?view=diff&rev=531272&r1=531271&r2=531272
==============================================================================
--- ofbiz/trunk/framework/base/dtd/ofbiz-component.xsd (original)
+++ ofbiz/trunk/framework/base/dtd/ofbiz-component.xsd Sun Apr 22 13:56:58 2007
@@ -128,6 +128,40 @@
<xs:attribute type="xs:string" name="loader" use="required"/>
<xs:attribute type="xs:string" name="location" use="required"/>
</xs:attributeGroup>
+ <xs:element name="keystore">
+ <xs:complexType>
+ <xs:attributeGroup ref="attlist.keystore"/>
+ </xs:complexType>
+ </xs:element>
+ <xs:attributeGroup name="attlist.keystore">
+ <xs:attribute name="name" type="xs:string" use="required"/>
+ <xs:attribute name="type" use="required">
+ <xs:simpleType>
+ <xs:restriction base="xs:token">
+ <xs:enumeration value="jks"/>
+ </xs:restriction>
+ </xs:simpleType>
+ </xs:attribute>
+ <xs:attribute name="password" type="xs:string" use="required"/>
+ <xs:attribute name="is-truststore" use="required">
+ <xs:simpleType>
+ <xs:restriction base="xs:token">
+ <xs:enumeration value="true"/>
+ <xs:enumeration value="false"/>
+ </xs:restriction>
+ </xs:simpleType>
+ </xs:attribute>
+ <xs:attribute name="is-certstore" use="required">
+ <xs:simpleType>
+ <xs:restriction base="xs:token">
+ <xs:enumeration value="true"/>
+ <xs:enumeration value="false"/>
+ </xs:restriction>
+ </xs:simpleType>
+ </xs:attribute>
+ <xs:attribute type="xs:string" name="loader" use="required"/>
+ <xs:attribute type="xs:string" name="location" use="required"/>
+ </xs:attributeGroup>
<xs:element name="webapp">
<xs:complexType>
<xs:sequence>
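Review bot: The `password` attribute is a required plain `xs:string` on the new keystore element, which puts keystore passwords into ofbiz-component.xml next to the component's ordinary descriptors, a file that is normally version-controlled and readable by everything in the deployment. An `xs:annotation` on the attribute should at least say `<xs:documentation>Password for the keystore; do not commit production values.</xs:documentation>`, or state that the value is a reference resolved at load time if that is the intent. Separately, `type` is restricted to the single lowercase token `jks` while the container properties in this commit write `JKS`; KeyStore.getInstance is case-insensitive but the XSD enumeration is not, so either add the uppercase spelling or document that the attribute must be lowercase.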
Modified: ofbiz/trunk/framework/base/src/base/org/ofbiz/base/component/ComponentConfig.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/base/org/ofbiz/base/component/ComponentConfig.java?view=diff&rev=531272&r1=531271&r2=531272
==============================================================================
--- ofbiz/trunk/framework/base/src/base/org/ofbiz/base/component/ComponentConfig.java (original)
+++ ofbiz/trunk/framework/base/src/base/org/ofbiz/base/component/ComponentConfig.java Sun Apr 22 13:56:58 2007
@@ -180,18 +180,56 @@
}
}
return testSuiteInfos;
+ }
+
+ public static List getAllKeystoreInfos() {
+ return getAllKeystoreInfos(null);
+ }
+ public static List getAllKeystoreInfos(String componentName) {
+ List keystoreInfos = FastList.newInstance();
+ Iterator i = getAllComponents().iterator();
+ while (i.hasNext()) {
+ ComponentConfig cc = (ComponentConfig) i.next();
+ if (componentName == null || componentName.equals(cc.getComponentName())) {
+ keystoreInfos.addAll(cc.getKeystoreInfos());
+ }
+ }
+ return keystoreInfos;
+ }
+
+ public static KeystoreInfo getKeystoreInfo(String componentName, String keystoreName) {
+ Iterator i = getAllComponents().iterator();
+ while (i.hasNext()) {
+ ComponentConfig cc = (ComponentConfig) i.next();
+ if (componentName != null && componentName.equals(cc.getComponentName())) {
+ Iterator ki = cc.getKeystoreInfos().iterator();
+ while (ki.hasNext()) {
+ KeystoreInfo ks = (KeystoreInfo) ki.next();
+ if (keystoreName != null && keystoreName.equals(ks.getName())) {
+ return ks;
+ }
+ }
+ }
+ }
+
+ return null;
}
public static List getAllWebappResourceInfos() {
+ return getAllWebappResourceInfos(null);
+ }
+
+ public static List getAllWebappResourceInfos(String componentName) {
List webappInfos = FastList.newInstance();
Iterator i = getAllComponents().iterator();
while (i.hasNext()) {
ComponentConfig cc = (ComponentConfig) i.next();
- webappInfos.addAll(cc.getWebappInfos());
+ if (componentName == null || componentName.equals(cc.getComponentName())) {
+ webappInfos.addAll(cc.getWebappInfos());
+ }
}
return webappInfos;
-
}
public static boolean isFileResourceLoader(String componentName, String resourceLoaderName) throws ComponentException {
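Review bot: getKeystoreInfo returns null when the component or keystore name does not match, and a null componentName also yields null instead of searching every component, unlike the `componentName == null` wildcard that getAllKeystoreInfos two methods above treats as "all". KeyStoreUtil.getComponentKeyStore in this commit dereferences the result directly, so a typo in ofbiz-component.xml surfaces as a NullPointerException far from the configuration. Either document the contract with `/** @return the matching KeystoreInfo, or null if the component or keystore is not configured; componentName must not be null */` or throw a ComponentException naming both identifiers, as isFileResourceLoader below already declares.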
@@ -304,6 +342,7 @@
protected List entityResourceInfos = FastList.newInstance();
protected List serviceResourceInfos = FastList.newInstance();
protected List testSuiteInfos = FastList.newInstance();
+ protected List keystoreInfos = FastList.newInstance();
protected List webappInfos = FastList.newInstance();
protected ComponentConfig() {}
@@ -388,6 +427,14 @@
this.testSuiteInfos.add(testSuiteInfo);
}
+ // keystore - (cert/trust store infos)
+ elementIter = UtilXml.childElementList(ofbizComponentElement, "keystore").iterator();
+ while (elementIter.hasNext()) {
+ Element curElement = (Element) elementIter.next();
+ KeystoreInfo keystoreInfo = new KeystoreInfo(this, curElement);
+ this.keystoreInfos.add(keystoreInfo);
+ }
+
// webapp - webappInfos
elementIter = UtilXml.childElementList(ofbizComponentElement, "webapp").iterator();
while (elementIter.hasNext()) {
@@ -517,6 +564,10 @@
return this.testSuiteInfos;
}
+ public List getKeystoreInfos() {
+ return this.keystoreInfos;
+ }
+
public List getWebappInfos() {
return this.webappInfos;
}
@@ -590,6 +641,44 @@
public static class TestSuiteInfo extends ResourceInfo {
public TestSuiteInfo(ComponentConfig componentConfig, Element element) {
super(componentConfig, element);
+ }
+ }
+
+ public static class KeystoreInfo extends ResourceInfo {
+ public ComponentConfig componentConfig;
+ public String name;
+ public String type;
+ public String password;
+ public boolean isCertStore;
+ public boolean isTrustStore;
+
+ public KeystoreInfo(ComponentConfig componentConfig, Element element) {
+ super(componentConfig, element);
+ this.name = element.getAttribute("name");
+ this.type = element.getAttribute("type");
+ this.password = element.getAttribute("password");
+ this.isCertStore = "true".equalsIgnoreCase(element.getAttribute("is-certstore"));
+ this.isTrustStore = "true".equalsIgnoreCase(element.getAttribute("is-truststore"));
+ }
+
+ public String getName() {
+ return name;
+ }
+
+ public String getType() {
+ return type;
+ }
+
+ public String getPassword() {
+ return password;
+ }
+
+ public boolean isCertStore() {
+ return isCertStore;
+ }
+
+ public boolean isTrustStore() {
+ return isTrustStore;
}
}
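Review bot: KeystoreInfo exposes `name`, `type`, `password`, `isCertStore` and `isTrustStore` as public mutable fields even though a getter exists for each, so any holder of a reference can flip which store counts as a trust store or read the password without going through an accessor. `public ComponentConfig componentConfig;` also appears to duplicate state the ResourceInfo superclass already receives through `super(componentConfig, element)`, though ResourceInfo is outside this diff. Make the fields `private final` and keep the getters, adding a `getComponentConfig()` accessor for the one direct read (`ksi.componentConfig`) that SSLUtil makes in this commit.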
Modified: ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/KeyStoreUtil.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/KeyStoreUtil.java?view=diff&rev=531272&r1=531271&r2=531272
==============================================================================
--- ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/KeyStoreUtil.java (original)
+++ ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/KeyStoreUtil.java Sun Apr 22 13:56:58 2007
@@ -18,35 +18,20 @@
*******************************************************************************/
package org.ofbiz.base.util;
+import org.apache.commons.codec.binary.Base64;
+import org.ofbiz.base.component.ComponentConfig;
+import org.ofbiz.base.config.GenericConfigException;
+
import java.io.*;
-import java.security.AlgorithmParameterGenerator;
-import java.security.AlgorithmParameters;
-import java.security.GeneralSecurityException;
-import java.security.Key;
-import java.security.KeyFactory;
-import java.security.KeyPair;
-import java.security.KeyPairGenerator;
-import java.security.KeyStore;
-import java.security.KeyStoreException;
-import java.security.NoSuchAlgorithmException;
-import java.security.PrivateKey;
-import java.security.PublicKey;
-import java.security.UnrecoverableKeyException;
+import java.net.URL;
+import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
-import java.security.spec.X509EncodedKeySpec;
import java.util.Collection;
-import java.net.URL;
-
-import javax.crypto.KeyAgreement;
-import javax.crypto.SecretKey;
-import javax.crypto.spec.DHParameterSpec;
-
-import org.apache.commons.codec.binary.Base64;
/**
* KeyStoreUtil - Utilities for getting KeyManagers and TrustManagers
@@ -56,28 +41,9 @@
public static final String module = KeyStoreUtil.class.getName();
- public static String getKeyStoreFileName() {
- return UtilProperties.getPropertyValue("jsse.properties", "ofbiz.client.keyStore", null);
- }
-
- public static String getKeyStorePassword() {
- return UtilProperties.getPropertyValue("jsse.properties", "ofbiz.client.keyStore.password", null);
- }
-
- public static String getKeyStoreType() {
- return UtilProperties.getPropertyValue("jsse.properties", "ofbiz.client.keyStore.type", "jks");
- }
-
- public static String getTrustStoreFileName() {
- return UtilProperties.getPropertyValue("jsse.properties", "ofbiz.trustStore", null);
- }
-
- public static String getTrustStorePassword() {
- return UtilProperties.getPropertyValue("jsse.properties", "ofbiz.trustStore.password", null);
- }
-
- public static String getTrustStoreType() {
- return UtilProperties.getPropertyValue("jsse.properties", "ofbiz.trustStore.type", "jks");
+ public static KeyStore getComponentKeyStore(String componentName, String keyStoreName) throws IOException, GeneralSecurityException, GenericConfigException {
+ ComponentConfig.KeystoreInfo ks = ComponentConfig.getKeystoreInfo(componentName, keyStoreName);
+ return getStore(ks.createResourceHandler().getURL(), ks.getType(), ks.getPassword());
}
public static KeyStore getStore(URL url, String password) throws IOException, GeneralSecurityException {
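Review bot: getComponentKeyStore calls `ks.createResourceHandler()` without checking that ComponentConfig.getKeystoreInfo found anything; that lookup returns null for an unknown component or keystore name, so a misspelled name in ofbiz-component.xml fails as a NullPointerException rather than a configuration error. Add `if (ks == null) throw new GenericConfigException("Keystore '" + keyStoreName + "' not configured for component '" + componentName + "'");` before the return; GenericConfigException is already in the throws clause.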
@@ -93,70 +59,18 @@
return ks;
}
- public static KeyStore getKeyStore() throws IOException, GeneralSecurityException {
- if (getKeyStoreFileName() != null && !keyStoreExists(getKeyStoreFileName())) {
- return null;
- }
- FileInputStream fis = new FileInputStream(getKeyStoreFileName());
- KeyStore ks = KeyStore.getInstance(getKeyStoreType());
- ks.load(fis, getKeyStorePassword().toCharArray());
- fis.close();
- return ks;
- }
-
- public static void saveKeyStore(KeyStore ks) throws IOException, KeyStoreException, NoSuchAlgorithmException, CertificateException {
- ks.store(new FileOutputStream(getKeyStoreFileName()), getKeyStorePassword().toCharArray());
- }
-
- public static KeyStore getTrustStore() throws IOException, GeneralSecurityException {
- if (getTrustStoreFileName() != null && !keyStoreExists(getTrustStoreFileName())) {
- return null;
- }
- FileInputStream fis = new FileInputStream(getTrustStoreFileName());
- KeyStore ks = KeyStore.getInstance(getTrustStoreType());
- ks.load(fis, getTrustStorePassword().toCharArray());
- fis.close();
- return ks;
- }
-
- public static void saveTrustStore(KeyStore ks) throws IOException, KeyStoreException, NoSuchAlgorithmException, CertificateException {
- ks.store(new FileOutputStream(getTrustStoreFileName()), getTrustStorePassword().toCharArray());
- }
-
- public static boolean keyStoreExists(String fileName) {
- File keyFile = new File(fileName);
- return keyFile.exists();
- }
-
- public static KeyStore createKeyStore(String fileName, String password) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
- KeyStore ks = null;
- ks = KeyStore.getInstance("jks");
- ks.load(null, password.toCharArray());
- ks.store(new FileOutputStream(fileName), password.toCharArray());
- ks.load(new FileInputStream(fileName), password.toCharArray());
- return ks;
- }
-
- public static void renameKeyStoreEntry(String fromAlias, String toAlias) throws GeneralSecurityException, IOException {
- KeyStore ks = getKeyStore();
- String pass = getKeyStorePassword();
- renameEntry(ks, pass, fromAlias, toAlias);
- saveKeyStore(ks);
- }
-
- private static void renameEntry(KeyStore ks, String pass, String fromAlias, String toAlias) throws KeyStoreException, UnrecoverableKeyException, NoSuchAlgorithmException {
- if (ks.isKeyEntry(fromAlias)) {
- Key fromKey = ks.getKey(fromAlias, pass.toCharArray());
- if (fromKey instanceof PrivateKey) {
- Certificate[] certs = ks.getCertificateChain(fromAlias);
- ks.deleteEntry(fromAlias);
- ks.setKeyEntry(toAlias, fromKey, pass.toCharArray(), certs);
+ public static KeyStore getSystemTrustStore() throws IOException, GeneralSecurityException {
+ String fileName = System.getProperty("javax.net.ssl.trustStore");
+ String password = System.getProperty("javax.net.ssl.trustStorePassword");
+ if (fileName != null && password != null) {
+ File file = new File(fileName);
+ if (file.exists() && file.canRead()) {
+ KeyStore ks = KeyStore.getInstance("jks");
+ ks.load(new FileInputStream(file), password.toCharArray());
+ return ks;
}
- } else if (ks.isCertificateEntry(fromAlias)) {
- Certificate cert = ks.getCertificate(fromAlias);
- ks.deleteEntry(fromAlias);
- ks.setCertificateEntry(toAlias, cert);
}
+ return null;
}
public static void importPKCS8CertChain(KeyStore ks, String alias, byte[] keyBytes, String keyPass, byte[] certChain) throws InvalidKeySpecException, NoSuchAlgorithmException, CertificateException, KeyStoreException {
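Review bot: getSystemTrustStore never closes the FileInputStream it passes to `ks.load(...)`, so the descriptor leaks whenever load throws and is otherwise only released by the finalizer. It also hard-codes `"jks"` and ignores `javax.net.ssl.trustStoreType`, and when the two properties are unset it returns null, which SSLUtil.getTrustManagers in this commit then feeds to TrustManagerFactory.init; whether that falls back to the JDK's cacerts or trusts nothing is provider behaviour and should be stated in a comment rather than left implicit. A guard-clause rewrite with a try/finally close and the type property is short enough to show here.
```java
public static KeyStore getSystemTrustStore() throws IOException, GeneralSecurityException {
    String fileName = System.getProperty("javax.net.ssl.trustStore");
    String password = System.getProperty("javax.net.ssl.trustStorePassword");
    String type = System.getProperty("javax.net.ssl.trustStoreType", "jks");
    if (fileName == null || password == null) {
        // no explicit system trust store; caller decides what a null store means
        return null;
    }
    File file = new File(fileName);
    if (!file.exists() || !file.canRead()) {
        return null;
    }
    KeyStore ks = KeyStore.getInstance(type);
    FileInputStream fis = new FileInputStream(file);
    try {
        ks.load(fis, password.toCharArray());
    } finally {
        fis.close();
    }
    return ks;
}
```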
@@ -184,50 +98,6 @@
ks.setKeyEntry(alias, pk, keyPass.toCharArray(), certs);
}
- // key pair generation methods
- public static KeyPair createDHKeyPair() throws Exception {
- AlgorithmParameterGenerator apGen = AlgorithmParameterGenerator.getInstance("DH");
- apGen.init(1024);
-
- AlgorithmParameters algParams = apGen.generateParameters();
- DHParameterSpec dhParamSpec = (DHParameterSpec) algParams.getParameterSpec(DHParameterSpec.class);
-
- KeyPairGenerator keyGen = KeyPairGenerator.getInstance("DH");
- keyGen.initialize(dhParamSpec);
-
- KeyPair keypair = keyGen.generateKeyPair();
- return keypair;
- }
-
- public static KeyPair getKeyPair(String alias, String password) throws Exception {
- KeyStore ks = getKeyStore();
- Key key = ks.getKey(alias, password.toCharArray());
- if (key instanceof PrivateKey) {
- Certificate cert = ks.getCertificate(alias);
- PublicKey publicKey = cert.getPublicKey();
- return new KeyPair(publicKey, (PrivateKey) key);
- } else {
- Debug.logError("Key is not an instance of PrivateKey", module);
- }
- return null;
- }
-
- public static void storeCertificate(String alias, Certificate cert) throws Exception {
- KeyStore ks = getKeyStore();
- ks.setCertificateEntry(alias, cert);
- ks.store(new FileOutputStream(getKeyStoreFileName()), getKeyStorePassword().toCharArray());
- }
-
- public static void storeKeyPair(KeyPair keyPair, String alias, String password) throws Exception {
- KeyStore ks = getKeyStore();
- CertificateFactory cf = CertificateFactory.getInstance("X.509");
- PrivateKey privateKey = keyPair.getPrivate();
- PublicKey publicKey = keyPair.getPublic();
- // not sure what to do here. Do we need to create a cert to assoc with the private key?
- // cannot find methods for just setting the private/public key; missing something
- ks.store(new FileOutputStream(getKeyStoreFileName()), getKeyStorePassword().toCharArray());
- }
-
public static String certToString(Certificate cert) throws CertificateEncodingException {
byte[] certBuf = cert.getEncoded();
StringBuffer buf = new StringBuffer();
@@ -261,7 +131,6 @@
// ignore up to the header
while ((line = reader.readLine()) != null && !line.equals(header)) {
- continue;
}
// no header found
@@ -292,24 +161,4 @@
Certificate cert = pemToCert(certString);
return StringUtil.toHexString(cert.getPublicKey().getEncoded());
}
-
- public static SecretKey generateSecretKey(PrivateKey ourKey, PublicKey theirKey) throws Exception {
- KeyAgreement ka = KeyAgreement.getInstance("DH");
- ka.init(ourKey);
- ka.doPhase(theirKey, true);
- return ka.generateSecret("TripleDES");
- }
-
- public static PublicKey readDHPublicKey(byte[] keyBytes) throws NoSuchAlgorithmException, InvalidKeySpecException {
- X509EncodedKeySpec x509KeySpec = new X509EncodedKeySpec(keyBytes);
- KeyFactory keyFactory = KeyFactory.getInstance("DH");
- return keyFactory.generatePublic(x509KeySpec);
- }
-
- public static PrivateKey readDHPrivateKey(byte[] keyBytes) throws NoSuchAlgorithmException, InvalidKeySpecException {
- X509EncodedKeySpec x509KeySpec = new X509EncodedKeySpec(keyBytes);
- KeyFactory keyFactory = KeyFactory.getInstance("DH");
- return keyFactory.generatePrivate(x509KeySpec);
- }
-
}
Modified: ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/SSLUtil.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/SSLUtil.java?view=diff&rev=531272&r1=531271&r2=531272
==============================================================================
--- ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/SSLUtil.java (original)
+++ ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/SSLUtil.java Sun Apr 22 13:56:58 2007
@@ -18,15 +18,21 @@
*******************************************************************************/
package org.ofbiz.base.util;
+import org.ofbiz.base.config.GenericConfigException;
+import org.ofbiz.base.component.ComponentConfig;
+
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.SecureRandom;
-import java.util.Map;
-import java.util.HashMap;
+import java.security.cert.X509Certificate;
+import java.security.cert.CertificateException;
+import java.util.*;
import javax.net.ssl.*;
+import javolution.util.FastList;
+
/**
* KeyStoreUtil - Utilities for setting up SSL connections with specific client certificates
*
@@ -45,6 +51,76 @@
SSLUtil.loadJsseProperties();
}
+ public static boolean isClientTrusted(X509Certificate[] chain, String authType) {
+ TrustManager[] mgrs = new TrustManager[0];
+ try {
+ mgrs = SSLUtil.getTrustManagers();
+ } catch (IOException e) {
+ Debug.logError(e, module);
+ } catch (GeneralSecurityException e) {
+ Debug.logError(e, module);
+ } catch (GenericConfigException e) {
+ Debug.logError(e, module);
+ }
+
+ if (mgrs != null) {
+ for (int i = 0; i < mgrs.length; i++) {
+ if (mgrs[i] instanceof X509TrustManager) {
+ try {
+ ((X509TrustManager) mgrs[i]).checkClientTrusted(chain, authType);
+ return true;
+ } catch (CertificateException e) {
+ // do nothing; just loop
+ }
+ }
+ }
+ }
+ return false;
+ }
+
+ public static KeyManager[] getKeyManagers(String alias) throws IOException, GeneralSecurityException, GenericConfigException {
+ Iterator i = ComponentConfig.getAllKeystoreInfos().iterator();
+ List keyMgrs = FastList.newInstance();
+ while (i.hasNext()) {
+ ComponentConfig.KeystoreInfo ksi = (ComponentConfig.KeystoreInfo) i.next();
+ if (ksi.isCertStore()) {
+ KeyStore ks = KeyStoreUtil.getComponentKeyStore(ksi.componentConfig.getComponentName(), ksi.getName());
+ keyMgrs.addAll(Arrays.asList(getKeyManagers(ks, ksi.getPassword(), alias)));
+ }
+ }
+
+ KeyManager[] arr = new KeyManager[keyMgrs.size()];
+ for (int x = 0; x < arr.length; x++) {
+ arr[x] = (KeyManager) keyMgrs.get(x);
+ }
+ return arr;
+ }
+
+ public static KeyManager[] getKeyManagers() throws IOException, GeneralSecurityException, GenericConfigException {
+ return getKeyManagers(null);
+ }
+
+ public static TrustManager[] getTrustManagers() throws IOException, GeneralSecurityException, GenericConfigException {
+ KeyStore trustStore = KeyStoreUtil.getSystemTrustStore();
+ List trustMgrs = FastList.newInstance();
+ trustMgrs.addAll(Arrays.asList(getTrustManagers(trustStore)));
+
+ Iterator i = ComponentConfig.getAllKeystoreInfos().iterator();
+ while (i.hasNext()) {
+ ComponentConfig.KeystoreInfo ksi = (ComponentConfig.KeystoreInfo) i.next();
+ if (ksi.isCertStore()) {
+ KeyStore ks = KeyStoreUtil.getComponentKeyStore(ksi.componentConfig.getComponentName(), ksi.getName());
+ trustMgrs.addAll(Arrays.asList(getTrustManagers(ks)));
+ }
+ }
+
+ TrustManager[] arr = new TrustManager[trustMgrs.size()];
+ for (int x = 0; x < arr.length; x++) {
+ arr[x] = (TrustManager) trustMgrs.get(x);
+ }
+ return arr;
+ }
+
public static KeyManager[] getKeyManagers(KeyStore ks, String password, String alias) throws GeneralSecurityException {
KeyManagerFactory factory = KeyManagerFactory.getInstance("SunX509");
factory.init(ks, password.toCharArray());
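Review bot: getTrustManagers filters component keystores with `if (ksi.isCertStore()) {` inside its loop, the same predicate getKeyManagers uses, so the new `is-truststore` flag is never consulted: every store holding a private key is also treated as a trust anchor, and a store marked `is-truststore="true"` with `is-certstore="false"` is ignored entirely, which is the opposite of what the component schema in this commit expresses. Change that line to `if (ksi.isTrustStore()) {`. Separately, isClientTrusted discards each manager's CertificateException with `// do nothing; just loop`, which makes a rejected login certificate impossible to diagnose; log it at least at verbose level, e.g. `Debug.logVerbose(e, "Trust manager rejected client chain", module);`, and state in a Javadoc that the method returns true as soon as any configured trust manager accepts the chain.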
@@ -65,28 +141,41 @@
return factory.getTrustManagers();
}
- public static SSLSocketFactory getSSLSocketFactory(KeyStore ks, String password, String alias) throws IOException, GeneralSecurityException {
- KeyStore trustStore = KeyStoreUtil.getTrustStore();
- TrustManager[] tm = getTrustManagers(trustStore);
- KeyManager[] km = getKeyManagers(ks, password, alias);
+ public static SSLSocketFactory getSSLSocketFactory(KeyStore ks, String password, String alias) throws IOException, GeneralSecurityException, GenericConfigException {
+ KeyManager[] km = SSLUtil.getKeyManagers(ks, password, alias);
+ TrustManager[] tm = SSLUtil.getTrustManagers();
SSLContext context = SSLContext.getInstance("SSL");
context.init(km, tm, new SecureRandom());
return context.getSocketFactory();
}
- public static SSLSocketFactory getSSLSocketFactory(String alias) throws IOException, GeneralSecurityException {
- return getSSLSocketFactory(KeyStoreUtil.getKeyStore(), KeyStoreUtil.getKeyStorePassword(), alias);
+ public static SSLSocketFactory getSSLSocketFactory(String alias) throws IOException, GeneralSecurityException, GenericConfigException {
+ KeyManager[] km = SSLUtil.getKeyManagers(alias);
+ TrustManager[] tm = SSLUtil.getTrustManagers();
+
+ SSLContext context = SSLContext.getInstance("SSL");
+ context.init(km, tm, new SecureRandom());
+ return context.getSocketFactory();
}
- public static SSLSocketFactory getSSLSocketFactory() throws IOException, GeneralSecurityException {
+ public static SSLSocketFactory getSSLSocketFactory() throws IOException, GeneralSecurityException, GenericConfigException {
+
return getSSLSocketFactory(null);
}
- public static SSLServerSocketFactory getSSLServerSocketFactory(KeyStore ks, String password, String alias) throws IOException, GeneralSecurityException {
- KeyStore trustStore = KeyStoreUtil.getTrustStore();
- TrustManager[] tm = getTrustManagers(trustStore);
- KeyManager[] km = getKeyManagers(ks, password, alias);
+ public static SSLServerSocketFactory getSSLServerSocketFactory(KeyStore ks, String password, String alias) throws IOException, GeneralSecurityException, GenericConfigException {
+ TrustManager[] tm = SSLUtil.getTrustManagers();
+ KeyManager[] km = SSLUtil.getKeyManagers(ks, password, alias);
+
+ SSLContext context = SSLContext.getInstance("SSL");
+ context.init(km, tm, null);
+ return context.getServerSocketFactory();
+ }
+
+ public static SSLServerSocketFactory getSSLServerSocketFactory(String alias) throws IOException, GeneralSecurityException, GenericConfigException {
+ TrustManager[] tm = SSLUtil.getTrustManagers();
+ KeyManager[] km = SSLUtil.getKeyManagers(alias);
SSLContext context = SSLContext.getInstance("SSL");
context.init(km, tm, null);
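Review bot: All four factories select the context with `SSLContext.getInstance("SSL")`, which is a SunJSSE-specific alias rather than the standard JSSE algorithm name; `SSLContext context = SSLContext.getInstance("TLS");` is what every provider is required to support, and the protocols actually enabled should then be narrowed on the sockets rather than left to the alias. Note that getSSLServerSocketFactory(String alias) begins at the end of this hunk and its body continues outside it. Also, getKeyManagers(alias) loads every configured cert store, so one unreadable store now aborts creation of a socket factory for an unrelated alias; that is acceptable for fail-closed behaviour but is worth a sentence in the method's Javadoc.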
@@ -164,11 +253,6 @@
System.setProperty("https.cipherSuites", cypher);
}
- // set up the keystore properties
- System.setProperty("javax.net.ssl.keyStore", KeyStoreUtil.getKeyStoreFileName());
- System.setProperty("javax.net.ssl.keyStorePassword", KeyStoreUtil.getKeyStorePassword());
- System.setProperty("javax.net.ssl.trustStore", KeyStoreUtil.getTrustStoreFileName());
- System.setProperty("javax.net.ssl.trustStorePassword", KeyStoreUtil.getTrustStorePassword());
if (debug) {
System.setProperty("javax.net.debug","ssl:handshake");
}
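Review bot: Removing the four `System.setProperty("javax.net.ssl.*", ...)` lines means jsse.properties no longer supplies a trust store to the JVM, and KeyStoreUtil.getSystemTrustStore in this commit reads exactly `javax.net.ssl.trustStore`/`trustStorePassword` back, so unless the operator sets them on the command line that method returns null and only component stores contribute trust anchors. That is presumably intended given the commit log, but it quietly changes what outbound HTTPS connections made through URLConnector trust. A comment here such as `// key/trust stores are now declared per component in ofbiz-component.xml; javax.net.ssl.* is honoured only if set externally` would record the decision for the next reader.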
Modified: ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/URLConnector.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/URLConnector.java?view=diff&rev=531272&r1=531271&r2=531272
==============================================================================
--- ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/URLConnector.java (original)
+++ ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/URLConnector.java Sun Apr 22 13:56:58 2007
@@ -18,6 +18,8 @@
*******************************************************************************/
package org.ofbiz.base.util;
+import org.ofbiz.base.config.GenericConfigException;
+
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
@@ -101,8 +103,10 @@
if (hv != null) {
scon.setHostnameVerifier(hv);
}
- } catch (GeneralSecurityException gse) {
- Debug.logError(gse, module);
+ } catch (GeneralSecurityException e) {
+ Debug.logError(e, module);
+ } catch (GenericConfigException e) {
+ Debug.logError(e, module);
}
}
} catch (IOException e) {
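Review bot: Both catch arms here — the new `GenericConfigException` one and the renamed `GeneralSecurityException` one — only log and fall through, so when SSLUtil cannot build the configured socket factory or hostname verifier the connection presumably continues with plain JSSE defaults. The sibling SSLClientSocketFactory change in this same commit rethrows instead, and the same is safer here: `throw new IOException(e.getMessage());` after each `Debug.logError(e, module);`. The enclosing method starts outside the hunk, so whether a later null check already covers this case is not visible.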
Added: ofbiz/trunk/framework/catalina/src/org/ofbiz/catalina/container/SSLImpl.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/catalina/src/org/ofbiz/catalina/container/SSLImpl.java?view=auto&rev=531272
==============================================================================
--- ofbiz/trunk/framework/catalina/src/org/ofbiz/catalina/container/SSLImpl.java (added)
+++ ofbiz/trunk/framework/catalina/src/org/ofbiz/catalina/container/SSLImpl.java Sun Apr 22 13:56:58 2007
@@ -0,0 +1,84 @@
+/*
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+ */
+
+package org.ofbiz.catalina.container;
+
+import org.apache.tomcat.util.net.ServerSocketFactory;
+import org.apache.tomcat.util.net.jsse.JSSE14SocketFactory;
+import org.apache.tomcat.util.net.jsse.JSSEImplementation;
+import org.ofbiz.base.util.Debug;
+import org.ofbiz.base.util.SSLUtil;
+import org.ofbiz.base.config.GenericConfigException;
+
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
+import java.security.cert.X509Certificate;
+import java.security.cert.CertificateException;
+import java.security.GeneralSecurityException;
+import java.io.IOException;
+
+/**
+ * SSLImpl
+ */
+public class SSLImpl extends JSSEImplementation {
+
+ public static final String module = SSLImpl.class.getName();
+ protected ServerSocketFactory ssFactory = null;
+ protected TrustManager[] allow;
+
+ public SSLImpl() throws ClassNotFoundException {
+ super();
+ this.ssFactory = new ExtTomcatServerSocketFactory();
+ this.allow = new TrustManager[] { new AllowTrustManager() };
+ Debug.log("SSLImpl loaded; using custom ServerSocketFactory", module);
+ }
+
+ public ServerSocketFactory getServerSocketFactory() {
+ return ssFactory;
+ }
+
+ class ExtTomcatServerSocketFactory extends JSSE14SocketFactory {
+ protected TrustManager[] getTrustManagers(String keystoreType, String algorithm) throws Exception {
+ return allow;
+ }
+ }
+
+ class AllowTrustManager implements X509TrustManager {
+
+ private TrustManager[] tm;
+
+ public AllowTrustManager() throws ClassNotFoundException {
+ try {
+ tm = SSLUtil.getTrustManagers();
+ } catch (Exception e) {
+ throw new ClassNotFoundException(e.getMessage());
+ }
+ }
+
+ public void checkClientTrusted(X509Certificate[] x509Certificates, String string) throws CertificateException {
+ }
+
+ public void checkServerTrusted(X509Certificate[] x509Certificates, String string) throws CertificateException {
+ }
+
+ public X509Certificate[] getAcceptedIssuers() {
+ return ((X509TrustManager) tm[0]).getAcceptedIssuers();
+ }
+ }
+}
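Review bot: `AllowTrustManager.checkClientTrusted` and `checkServerTrusted` are deliberately empty, which makes the Tomcat TLS layer accept whatever chain a client presents; that contract lives only in the commit log, so the empty `/** SSLImpl */` Javadoc should carry it, e.g. `/** Pass-through JSSE implementation: client chains are accepted during the handshake and are NOT validated here; request-level code must verify them with SSLUtil.isClientTrusted() before granting anything. */`. The constructor's `throw new ClassNotFoundException(e.getMessage());` drops the cause — `throw new ClassNotFoundException(e.getMessage(), e);` keeps it. `getAcceptedIssuers` indexes `tm[0]` without checking that `SSLUtil.getTrustManagers()` returned a non-empty array, and `AllowTrustManager` does not use the enclosing instance, so it can be declared `static`.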
Propchange: ofbiz/trunk/framework/catalina/src/org/ofbiz/catalina/container/SSLImpl.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: ofbiz/trunk/framework/catalina/src/org/ofbiz/catalina/container/SSLImpl.java
------------------------------------------------------------------------------
svn:keywords = "Date Rev Author URL Id"
Propchange: ofbiz/trunk/framework/catalina/src/org/ofbiz/catalina/container/SSLImpl.java
------------------------------------------------------------------------------
svn:mime-type = text/plain
Modified: ofbiz/trunk/framework/security/entitydef/entitygroup.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/security/entitydef/entitygroup.xml?view=diff&rev=531272&r1=531271&r2=531272
==============================================================================
--- ofbiz/trunk/framework/security/entitydef/entitygroup.xml (original)
+++ ofbiz/trunk/framework/security/entitydef/entitygroup.xml Sun Apr 22 13:56:58 2007
@@ -22,6 +22,12 @@
xsi:noNamespaceSchemaLocation="http://www.ofbiz.org/dtds/entitygroup.xsd">
<!-- ========================================================= -->
+ <!-- org.ofbiz.security.cert -->
+ <!-- ========================================================= -->
+
+ <entity-group group="org.ofbiz" entity="X509IssuerProvision" />
+
+ <!-- ========================================================= -->
<!-- org.ofbiz.security.login -->
<!-- ========================================================= -->
Modified: ofbiz/trunk/framework/security/entitydef/entitymodel.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/security/entitydef/entitymodel.xml?view=diff&rev=531272&r1=531271&r2=531272
==============================================================================
--- ofbiz/trunk/framework/security/entitydef/entitymodel.xml (original)
+++ ofbiz/trunk/framework/security/entitydef/entitymodel.xml Sun Apr 22 13:56:58 2007
@@ -32,12 +32,30 @@
<!-- ========================================================= -->
<!-- ======================== Data Model ===================== -->
<!-- The modules in this file are as follows: -->
- <!-- - org.ofbiz.security.login -->
- <!-- - org.ofbiz.security.securitygroup -->
+ <!-- - org.ofbiz.security.cert -->
+ <!-- - org.ofbiz.security.login -->
+ <!-- - org.ofbiz.security.securitygroup -->
<!-- ========================================================= -->
<!-- ========================================================= -->
+ <!-- org.ofbiz.security.cert -->
+ <!-- ========================================================= -->
+ <entity entity-name="X509IssuerProvision"
+ package-name="org.ofbiz.security.cert"
+ never-cache="true"
+ title="Valid issuer data for authentication of x.509 certificates">
+ <field name="certProvisionId" type="id-ne"></field>
+ <field name="commonName" type="value"></field>
+ <field name="organizationalUnit" type="value"></field>
+ <field name="organizationName" type="value"></field>
+ <field name="cityLocality" type="value"></field>
+ <field name="stateProvince" type="value"></field>
+ <field name="country" type="value"></field>
+ <prim-key field="certProvisionId"/>
+ </entity>
+
+ <!-- ========================================================= -->
<!-- org.ofbiz.security.login -->
<!-- ========================================================= -->
@@ -54,9 +72,7 @@
<field name="lastLocale" type="very-short"></field>
<field name="disabledDateTime" type="date-time"></field>
<field name="successiveFailedLogins" type="numeric"></field>
- <field name="x509CertKey" type="very-long"></field>
- <field name="x509CertSn" type="long-varchar"></field>
- <prim-key field="userLoginId"/>
+ <prim-key field="userLoginId"/>
</entity>
<entity entity-name="UserLoginHistory"
package-name="org.ofbiz.security.login"
Modified: ofbiz/trunk/framework/service/src/org/ofbiz/service/rmi/RmiServiceContainer.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/src/org/ofbiz/service/rmi/RmiServiceContainer.java?view=diff&rev=531272&r1=531271&r2=531272
==============================================================================
--- ofbiz/trunk/framework/service/src/org/ofbiz/service/rmi/RmiServiceContainer.java (original)
+++ ofbiz/trunk/framework/service/src/org/ofbiz/service/rmi/RmiServiceContainer.java Sun Apr 22 13:56:58 2007
@@ -79,6 +79,10 @@
String useCtx = initialCtxProp == null || initialCtxProp.value == null ? "false" : initialCtxProp.value;
String host = lookupHostProp == null || lookupHostProp.value == null ? "localhost" : lookupHostProp.value;
String port = lookupPortProp == null || lookupPortProp.value == null ? "1099" : lookupPortProp.value;
+ String keystore = ContainerConfig.getPropertyValue(cfg, "ssl-keystore", null);
+ String ksType = ContainerConfig.getPropertyValue(cfg, "ssl-keystore-type", "JKS");
+ String ksPass = ContainerConfig.getPropertyValue(cfg, "ssl-keystore-pass", null);
+ String ksAlias = ContainerConfig.getPropertyValue(cfg, "ssl-keystore-alias", null);
boolean clientAuth = ContainerConfig.getPropertyValue(cfg, "ssl-client-auth", false);
// setup the factories
@@ -109,6 +113,10 @@
// set the client auth flag on our custom SSL socket factory
if (ssf != null && ssf instanceof org.ofbiz.service.rmi.socket.ssl.SSLServerSocketFactory) {
((org.ofbiz.service.rmi.socket.ssl.SSLServerSocketFactory) ssf).setNeedClientAuth(clientAuth);
+ ((org.ofbiz.service.rmi.socket.ssl.SSLServerSocketFactory) ssf).setKeyStoreAlias(ksAlias);
+ if (keystore != null) {
+ ((org.ofbiz.service.rmi.socket.ssl.SSLServerSocketFactory) ssf).setKeyStore(keystore, ksType, ksPass);
+ }
}
// get the delegator for this container
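Review bot: The three repeated casts to `org.ofbiz.service.rmi.socket.ssl.SSLServerSocketFactory` in the second hunk read better as a single cast into a local, `org.ofbiz.service.rmi.socket.ssl.SSLServerSocketFactory sslSsf = (org.ofbiz.service.rmi.socket.ssl.SSLServerSocketFactory) ssf;`, followed by `sslSsf.setNeedClientAuth(clientAuth); sslSsf.setKeyStoreAlias(ksAlias);`. Also, `ssl-keystore-alias` defaults to null in the first hunk while SSLServerSocketFactory.createServerSocket throws an IOException when the alias is null, so a missing property only surfaces at the first RMI connection; validating it at container start with a clear message would fail earlier and more visibly.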
Modified: ofbiz/trunk/framework/service/src/org/ofbiz/service/rmi/socket/ssl/SSLClientSocketFactory.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/src/org/ofbiz/service/rmi/socket/ssl/SSLClientSocketFactory.java?view=diff&rev=531272&r1=531271&r2=531272
==============================================================================
--- ofbiz/trunk/framework/service/src/org/ofbiz/service/rmi/socket/ssl/SSLClientSocketFactory.java (original)
+++ ofbiz/trunk/framework/service/src/org/ofbiz/service/rmi/socket/ssl/SSLClientSocketFactory.java Sun Apr 22 13:56:58 2007
@@ -28,6 +28,7 @@
import org.ofbiz.base.util.Debug;
import org.ofbiz.base.util.SSLUtil;
+import org.ofbiz.base.config.GenericConfigException;
/**
* RMI SSL Client Socket Factory
@@ -42,6 +43,8 @@
return factory.createSocket(host, port);
} catch (GeneralSecurityException e) {
Debug.logError(e, module);
+ throw new IOException(e.getMessage());
+ } catch (GenericConfigException e) {
throw new IOException(e.getMessage());
}
}
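Review bot: The new `GenericConfigException` arm rethrows `new IOException(e.getMessage())` without the `Debug.logError(e, module)` the `GeneralSecurityException` arm keeps, and both arms lose the original exception as cause, so whoever debugs an RMI connection failure sees only a message. Preserving it is three lines: `IOException ioe = new IOException(e.getMessage()); ioe.initCause(e); throw ioe;`. `initCause` avoids relying on the `IOException(String, Throwable)` constructor, which this code base may not be able to assume.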
Modified: ofbiz/trunk/framework/service/src/org/ofbiz/service/rmi/socket/ssl/SSLServerSocketFactory.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/src/org/ofbiz/service/rmi/socket/ssl/SSLServerSocketFactory.java?view=diff&rev=531272&r1=531271&r2=531272
==============================================================================
--- ofbiz/trunk/framework/service/src/org/ofbiz/service/rmi/socket/ssl/SSLServerSocketFactory.java (original)
+++ ofbiz/trunk/framework/service/src/org/ofbiz/service/rmi/socket/ssl/SSLServerSocketFactory.java Sun Apr 22 13:56:58 2007
@@ -34,6 +34,7 @@
import org.ofbiz.base.util.Debug;
import org.ofbiz.base.util.SSLUtil;
import org.ofbiz.base.util.UtilProperties;
+import org.ofbiz.base.config.GenericConfigException;
/**
* RMI SSL Server Socket Factory
@@ -42,47 +43,65 @@
public static final String module = SSLServerSocketFactory.class.getName();
protected boolean clientAuth = false;
+ protected String keystore = null;
+ protected String ksType = null;
+ protected String ksPass = null;
+ protected String alias = null;
public void setNeedClientAuth(boolean clientAuth) {
this.clientAuth = clientAuth;
}
+ public void setKeyStore(String location, String type, String password) {
+ this.keystore = location;
+ this.ksType = type;
+ this.ksPass = password;
+ this.alias = alias;
+ }
+
+ public void setKeyStoreAlias(String alias) {
+ this.alias = alias;
+ }
+
public ServerSocket createServerSocket(int port) throws IOException {
- String storeType = UtilProperties.getPropertyValue("jsse.properties", "ofbiz.rmi.keyStore.type", "jks");
- String storeFile = UtilProperties.getPropertyValue("jsse.properties", "ofbiz.rmi.keyStore", null);
- String storeAlias = UtilProperties.getPropertyValue("jsse.properties", "ofbiz.rmi.keyStore.alias", null);
- String storePass = UtilProperties.getPropertyValue("jsse.properties", "ofbiz.rmi.keyStore.password", null);
char[] passphrase = null;
- if (storePass != null) {
- passphrase = storePass.toCharArray();
+ if (ksPass != null) {
+ passphrase = ksPass.toCharArray();
}
KeyStore ks = null;
- try {
- ks = KeyStore.getInstance(storeType);
- ks.load(new FileInputStream(storeFile), passphrase);
- } catch (NoSuchAlgorithmException e) {
- Debug.logError(e, module);
- throw new IOException(e.getMessage());
- } catch (CertificateException e) {
- Debug.logError(e, module);
- throw new IOException(e.getMessage());
- } catch (KeyStoreException e) {
- Debug.logError(e, module);
- throw new IOException(e.getMessage());
+ if (keystore != null) {
+ try {
+ ks = KeyStore.getInstance(ksType);
+ ks.load(new FileInputStream(keystore), passphrase);
+ } catch (NoSuchAlgorithmException e) {
+ Debug.logError(e, module);
+ throw new IOException(e.getMessage());
+ } catch (CertificateException e) {
+ Debug.logError(e, module);
+ throw new IOException(e.getMessage());
+ } catch (KeyStoreException e) {
+ Debug.logError(e, module);
+ throw new IOException(e.getMessage());
+ }
}
- if (ks == null) {
- throw new IOException("Unable to load KeyStore containing Service Engine RMI SSL certificate");
+ if (alias == null) {
+ throw new IOException("SSL certificate alias cannot be null; MUST be set for SSLServerSocketFactory!");
}
-
-
+
javax.net.ssl.SSLServerSocketFactory factory = null;
try {
- factory = SSLUtil.getSSLServerSocketFactory(ks, storePass, storeAlias);
+ if (ks != null) {
+ factory = SSLUtil.getSSLServerSocketFactory(ks, ksPass, alias);
+ } else {
+ factory = SSLUtil.getSSLServerSocketFactory(alias);
+ }
} catch (GeneralSecurityException e) {
Debug.logError(e, "Error getting javax.net.ssl.SSLServerSocketFactory instance for Service Engine RMI calls: " + e.toString(), module);
throw new IOException(e.toString());
+ } catch (GenericConfigException e) {
+ Debug.logError(e, "Error getting javax.net.ssl.SSLServerSocketFactory instance for Service Engine RMI calls: " + e.toString(), module);
}
if (factory == null) {
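Review bot: `this.alias = alias;` inside `setKeyStore` is a self-assignment — the method has no `alias` parameter — so the line is a no-op and should be dropped (the alias arrives through `setKeyStoreAlias`). `ks.load(new FileInputStream(keystore), passphrase)` never closes the stream; wrapping the load in a try/finally that closes the FileInputStream fixes the leak, and `java.util.Arrays.fill(passphrase, '\0')` once the store is loaded avoids keeping the passphrase in memory longer than needed. The new `GenericConfigException` arm logs but does not rethrow, unlike the `GeneralSecurityException` arm above it; presumably the `if (factory == null)` check that follows catches the fallout, but rethrowing as IOException there keeps both arms consistent.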
Modified: ofbiz/trunk/framework/webapp/dtd/site-conf.xsd
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/dtd/site-conf.xsd?view=diff&rev=531272&r1=531271&r2=531272
==============================================================================
--- ofbiz/trunk/framework/webapp/dtd/site-conf.xsd (original)
+++ ofbiz/trunk/framework/webapp/dtd/site-conf.xsd Sun Apr 22 13:56:58 2007
@@ -161,15 +161,14 @@
</xs:restriction>
</xs:simpleType>
</xs:attribute>
- <xs:attribute name="x509" default="false">
+ <xs:attribute name="cert" default="false">
<xs:simpleType>
<xs:restriction base="xs:token">
<xs:enumeration value="true"/>
<xs:enumeration value="false"/>
</xs:restriction>
</xs:simpleType>
- </xs:attribute>
- <xs:attribute name="keystore" type="xs:string" use="optional"/>
+ </xs:attribute>
<xs:attribute name="external-view" default="true">
<xs:simpleType>
<xs:restriction base="xs:token">
Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java?view=diff&rev=531272&r1=531271&r2=531272
==============================================================================
--- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java (original)
+++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java Sun Apr 22 13:56:58 2007
@@ -107,8 +107,7 @@
public static final String SECURITY = "security";
public static final String SECURITY_HTTPS = "https";
public static final String SECURITY_AUTH = "auth";
- public static final String SECURITY_CERT = "x509";
- public static final String SECURITY_KEYSTORE = "keystore";
+ public static final String SECURITY_CERT = "cert";
public static final String SECURITY_EXTVIEW = "external-view";
public static final String SECURITY_DIRECT = "direct-request";
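Review bot: Renaming the security attribute from `x509` to `cert` (here, in the second hunk, and in site-conf.xsd) means a controller.xml that still says `x509="true"` now yields an empty `SECURITY_CERT` value, which presumably makes a previously certificate-protected request behave as unprotected rather than failing loudly — unless controller files are schema-validated at load time, which is not visible here. A transition guard next to the `securityElement.getAttribute(SECURITY_CERT)` line, `if (securityElement.hasAttribute("x509")) Debug.logWarning("security attribute x509 is no longer supported; use cert", module);` (assuming Debug and module are in scope as elsewhere in this package), would make unmigrated configurations visible in the logs.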
@@ -210,7 +209,6 @@
String securityHttps = securityElement.getAttribute(SECURITY_HTTPS);
String securityAuth = securityElement.getAttribute(SECURITY_AUTH);
String securityCert = securityElement.getAttribute(SECURITY_CERT);
- String securityKeystore = securityElement.getAttribute(SECURITY_KEYSTORE);
String securityExtView = securityElement.getAttribute(SECURITY_EXTVIEW);
String securityDirectRequest = securityElement.getAttribute(SECURITY_DIRECT);
@@ -221,8 +219,7 @@
uriMap.put(SECURITY_HTTPS, securityHttps);
uriMap.put(SECURITY_AUTH, securityAuth);
- uriMap.put(SECURITY_CERT, securityCert);
- uriMap.put(SECURITY_KEYSTORE, securityKeystore);
+ uriMap.put(SECURITY_CERT, securityCert);
uriMap.put(SECURITY_EXTVIEW, securityExtView);
uriMap.put(SECURITY_DIRECT, securityDirectRequest);
}
Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java?view=diff&rev=531272&r1=531271&r2=531272
==============================================================================
--- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java (original)
+++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java Sun Apr 22 13:56:58 2007
@@ -29,14 +29,19 @@
import javax.servlet.http.HttpSession;
import javax.servlet.jsp.PageContext;
import javax.transaction.Transaction;
+import javax.security.auth.x500.X500Principal;
import javolution.util.FastList;
+import javolution.util.FastMap;
import org.ofbiz.base.component.ComponentConfig;
import org.ofbiz.base.util.*;
import org.ofbiz.entity.GenericDelegator;
import org.ofbiz.entity.GenericEntityException;
import org.ofbiz.entity.GenericValue;
+import org.ofbiz.entity.condition.EntityExpr;
+import org.ofbiz.entity.condition.EntityOperator;
+import org.ofbiz.entity.condition.EntityConditionList;
import org.ofbiz.entity.model.ModelEntity;
import org.ofbiz.entity.transaction.GenericTransactionException;
import org.ofbiz.entity.transaction.TransactionUtil;
@@ -532,40 +537,81 @@
}
if (clientCerts != null) {
+ String userLoginId = null;
+
for (int i = 0; i < clientCerts.length; i++) {
- String certKeyHex = StringUtil.toHexString(clientCerts[i].getPublicKey().getEncoded());
- String certSn = clientCerts[i].getSerialNumber().toString(16);
- List userLogins = null;
- try {
- userLogins = delegator.findByAnd("UserLogin", UtilMisc.toMap("x509CertSn", certSn));
- } catch (GenericEntityException e) {
- Debug.logError(e, module);
+ X500Principal x500 = clientCerts[i].getSubjectX500Principal();
+ Debug.log("Checking client certification for authentication: " + x500.getName(), module);
+
+ Map x500Map = FastMap.newInstance();
+ String[] x500Opts = x500.getName().split("\\,");
+ for (int x = 0; x < x500Opts.length; x++) {
+ String[] nv = x500Opts[x].split("\\=");
+ x500Map.put(nv[0], nv[1]);
+ }
+ if (i == 0) {
+ userLoginId = (String) x500Map.get("CN");
}
- if (userLogins != null && userLogins.size() > 0) {
- Iterator it = userLogins.iterator();
- while (it.hasNext()) {
- GenericValue ul = (GenericValue) it.next();
- String certKey = ul.getString("x509CertKey");
- String enabled = ul.getString("enabled");
-
- if ((enabled == null || "Y".equals(enabled)) && certKey.equals(certKeyHex)) {
- ul.set("hasLoggedOut", "N");
- try {
- ul.store();
- } catch (GenericEntityException e) {
- Debug.logWarning(e, module);
+ try {
+ // check for a valid issuer (or generated cert data)
+ if (LoginWorker.checkValidIssuer(delegator, x500Map)) {
+ Debug.log("Looking up userLogin from CN: " + userLoginId, module);
+
+ // CN should match the userLoginId
+ GenericValue userLogin = delegator.findByPrimaryKey("UserLogin", UtilMisc.toMap("userLoginId", userLoginId));
+ if (userLogin != null) {
+ String enabled = userLogin.getString("enabled");
+ if (enabled == null || "Y".equals(enabled)) {
+ userLogin.set("hasLoggedOut", "N");
+ userLogin.store();
+
+ // login the user
+ Map ulSessionMap = LoginServices.getUserLoginSession(userLogin);
+ return doMainLogin(request, response, userLogin, ulSessionMap); // doing the main login
}
- Map ulSessionMap = LoginServices.getUserLoginSession(ul);
- return doMainLogin(request, response, ul, ulSessionMap); // doing the main login
}
}
+ } catch (GeneralException e) {
+ Debug.logError(e, module);
}
}
}
}
return "success";
+ }
+
+ protected static boolean checkValidIssuer(GenericDelegator delegator, Map x500Map) throws GeneralException {
+ List conds = FastList.newInstance();
+ conds.add(new EntityConditionList(UtilMisc.toList(new EntityExpr("commonName", EntityOperator.EQUALS, x500Map.get("CN")),
+ new EntityExpr("commonName", EntityOperator.EQUALS, null),
+ new EntityExpr("commonName", EntityOperator.EQUALS, "")), EntityOperator.OR));
+
+ conds.add(new EntityConditionList(UtilMisc.toList(new EntityExpr("organizationalUnit", EntityOperator.EQUALS, x500Map.get("OU")),
+ new EntityExpr("organizationalUnit", EntityOperator.EQUALS, null),
+ new EntityExpr("organizationalUnit", EntityOperator.EQUALS, "")), EntityOperator.OR));
+
+ conds.add(new EntityConditionList(UtilMisc.toList(new EntityExpr("organizationName", EntityOperator.EQUALS, x500Map.get("O")),
+ new EntityExpr("organizationName", EntityOperator.EQUALS, null),
+ new EntityExpr("organizationName", EntityOperator.EQUALS, "")), EntityOperator.OR));
+
+ conds.add(new EntityConditionList(UtilMisc.toList(new EntityExpr("cityLocality", EntityOperator.EQUALS, x500Map.get("L")),
+ new EntityExpr("cityLocality", EntityOperator.EQUALS, null),
+ new EntityExpr("cityLocality", EntityOperator.EQUALS, "")), EntityOperator.OR));
+
+ conds.add(new EntityConditionList(UtilMisc.toList(new EntityExpr("stateProvince", EntityOperator.EQUALS, x500Map.get("ST")),
+ new EntityExpr("stateProvince", EntityOperator.EQUALS, null),
+ new EntityExpr("stateProvince", EntityOperator.EQUALS, "")), EntityOperator.OR));
+
+ conds.add(new EntityConditionList(UtilMisc.toList(new EntityExpr("country", EntityOperator.EQUALS, x500Map.get("C")),
+ new EntityExpr("country", EntityOperator.EQUALS, null),
+ new EntityExpr("country", EntityOperator.EQUALS, "")), EntityOperator.OR));
+
+ EntityConditionList condition = new EntityConditionList(conds, EntityOperator.AND);
+ Debug.log("Doing issuer lookup: " + condition.toString(), module);
+ long count = delegator.findCountByCondition("X509IssuerProvision", condition, null, null);
+ return count > 0;
}
public static String checkExternalLoginKey(HttpServletRequest request, HttpServletResponse response) {
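Review bot: The login decision here rests only on the subject DN of one certificate in the chain matching an X509IssuerProvision row, and the hunk never checks that the chain itself verifies against the trust store — which matters because the new SSLImpl trust manager accepts every client chain at the TLS layer; unless that verification happens earlier in this method (its start is outside the hunk), add `if (!SSLUtil.isClientTrusted(clientCerts, null)) { return "success"; }` before the loop, mirroring the RequestHandler change in this commit. The DN parsing at the `split("\\,")`/`split("\\=")` lines is also fragile: an RDN with an empty value such as `OU=` gives `nv.length == 1` so `nv[1]` throws ArrayIndexOutOfBoundsException, and RFC 2253 escaped commas or `+`-joined RDNs split wrongly; guarding with `if (nv.length == 2)` would at least stop a malformed DN from aborting the login path with an unlogged runtime exception. `checkValidIssuer` deserves a Javadoc stating its wildcard rule, since a row with blank fields matches any DN: `/** Returns true when some X509IssuerProvision row matches the DN; a null or empty field in a row acts as a wildcard, so a row with every field blank accepts every issuer. */`.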
Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java?view=diff&rev=531272&r1=531271&r2=531272
==============================================================================
--- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java (original)
+++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java Sun Apr 22 13:56:58 2007
@@ -151,53 +151,23 @@
}
// check if the client has a valid certificate (in our db store)
- String keyStorePass = requestManager.get509CertKeyStorePass(requestUri);
- URL keyStoreUrl = requestManager.get509CertKeyStore(requestUri);
- boolean foundValidCert = false;
+ boolean foundTrustedCert = false;
if (clientCerts == null) {
throw new RequestHandlerException("Unknown request [" + requestUri + "]; this request does not exist or cannot be called directly.");
} else {
- // load the trust store
- KeyStore keyStore;
- try {
- keyStore = KeyStoreUtil.getStore(keyStoreUrl, keyStorePass);
- } catch (IOException e) {
- throw new RequestHandlerException("Unable to open keystore", e);
- } catch (GeneralSecurityException e) {
- throw new RequestHandlerException("Keystore security problem", e);
+ for (int i = 0; i < clientCerts.length; i++) {
+ Debug.log(clientCerts[i].getSubjectX500Principal().getName(), module);
}
-
- // get all cert aliases
- Enumeration en;
- try {
- en = keyStore.aliases();
- } catch (KeyStoreException e) {
- throw new RequestHandlerException("Unable to read keystore aliases", e);
- }
-
- // check for valid client cert
- while (en.hasMoreElements() && !foundValidCert) {
- String alias = (String) en.nextElement();
- X509Certificate trustedCert;
- try {
- trustedCert = (X509Certificate) keyStore.getCertificate(alias);
- } catch (KeyStoreException e) {
- throw new RequestHandlerException("Unable to read certificate from keystore", e);
- }
-
- for (int ci = 0; ci < clientCerts.length; ci++) {
- if (!foundValidCert && trustedCert.equals(clientCerts[ci])) {
- Debug.log("Found valid certificate for request; allowing: " + clientCerts[ci].getSerialNumber().toString(16), module);
- foundValidCert = true;
- break;
- }
- }
+
+ // check if this is a trusted cert
+ if (SSLUtil.isClientTrusted(clientCerts, null)) {
+ foundTrustedCert = true;
}
}
- if (!foundValidCert) {
- Debug.logWarning("No client certification found for request [" + requestUri + "] : " + keyStoreUrl.toExternalForm(), module);
+ if (!foundTrustedCert) {
+ Debug.logWarning("No trusted certificate found for request [" + requestUri + "]", module);
throw new RequestHandlerException("Unknown request [" + requestUri + "]; this request does not exist or cannot be called directly.");
}
}
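Review bot: The loop that logs `clientCerts[i].getSubjectX500Principal().getName()` through `Debug.log` writes every client's subject DN on every certificate-protected request; that is debugging output and belongs at `Debug.logVerbose`, or folded into the existing failure warning where it is actually useful. `foundTrustedCert` is only ever assigned from one call, so `boolean foundTrustedCert = SSLUtil.isClientTrusted(clientCerts, null);` inside the else branch reads more directly than the flag-and-if. The `null` second argument to `isClientTrusted` is unexplained here; a short comment naming what it selects (the method is defined in SSLUtil, outside this view) would help the next reader. The removed keystore code likely leaves `KeyStore`, `Enumeration` and `X509Certificate` imports unused above the hunk — worth checking.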
Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestManager.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestManager.java?view=diff&rev=531272&r1=531271&r2=531272
==============================================================================
--- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestManager.java (original)
+++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestManager.java Sun Apr 22 13:56:58 2007
@@ -29,7 +29,6 @@
import org.ofbiz.base.util.Debug;
import org.ofbiz.base.util.UtilValidate;
-import org.ofbiz.base.util.KeyStoreUtil;
/**
* RequestManager - Manages request, config and view mappings.
@@ -314,53 +313,7 @@
return false;
}
-
- public URL get509CertKeyStore(String uriStr) {
- String defaultTrustStore = "file://" + KeyStoreUtil.getTrustStoreFileName();
- Map uri = getRequestMapMap(uriStr);
-
- if (uri != null) {
- String value = (String) uri.get(ConfigXMLReader.SECURITY_KEYSTORE);
- if (UtilValidate.isNotEmpty(value)) {
- if (value.indexOf(";") > -1) {
- value = value.substring(0, value.indexOf(";"));
- }
- if (value.indexOf(".") == -1) {
- value = value + ".jks"; // append .jks if no extension is set
- }
-
- try {
- return new URL(webInfUrl.toExternalForm() + "/" + value);
- } catch (MalformedURLException e) {
- Debug.logError(e, module);
- }
- }
- }
-
- // make a url from the default
- URL url = null;
- try {
- url = new URL(defaultTrustStore);
- } catch (MalformedURLException e) {
- Debug.logError(e, module);
- }
-
- return url;
- }
-
- public String get509CertKeyStorePass(String uriStr) {
- Map uri = getRequestMapMap(uriStr);
-
- if (uri != null) {
- String value = (String) uri.get(ConfigXMLReader.SECURITY_KEYSTORE);
- if (value != null && value.indexOf(";") > -1) {
- return value.substring(value.indexOf(";") + 1);
- }
- }
-
- return KeyStoreUtil.getTrustStorePassword();
- }
-
+
public boolean allowExtView(String uriStr) {
Map uri = getRequestMapMap(uriStr);