You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@directory.apache.org by co...@apache.org on 2020/09/10 10:05:33 UTC

[directory-server] 01/01: DIRSERVER-2330 - StartTlsHandler and LdapsInitializer use NoVerificationTrustManager

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch DIRSERVER-2330
in repository https://gitbox.apache.org/repos/asf/directory-server.git

commit b88281eca3fe9b76a03709d55a10588714798159
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Thu Sep 10 11:05:04 2020 +0100

    DIRSERVER-2330 - StartTlsHandler and LdapsInitializer use NoVerificationTrustManager
---
 .../org/apache/directory/server/i18n/I18n.java     |  3 ++-
 .../apache/directory/server/i18n/errors.properties |  1 +
 .../apache/directory/server/ldap/LdapServer.java   | 25 +++++++++++++++++++++-
 .../ldap/handlers/extended/StartTlsHandler.java    |  6 ++----
 .../server/ldap/handlers/ssl/LdapsInitializer.java |  6 ++----
 .../server/annotations/CreateLdapServer.java       |  7 ++++++
 .../server/factory/ServerAnnotationProcessor.java  | 19 ++++++++++++++++
 .../ClientCertificateAuthenticationIT.java         |  4 ++++
 8 files changed, 61 insertions(+), 10 deletions(-)

diff --git a/i18n/src/main/java/org/apache/directory/server/i18n/I18n.java b/i18n/src/main/java/org/apache/directory/server/i18n/I18n.java
index 4aecef6..8cf3b4d 100644
--- a/i18n/src/main/java/org/apache/directory/server/i18n/I18n.java
+++ b/i18n/src/main/java/org/apache/directory/server/i18n/I18n.java
@@ -784,7 +784,8 @@ public enum I18n
     ERR_747("ERR_747"),
     ERR_748("ERR_748"),
     ERR_749("ERR_749"),
-    ERR_750("ERR_750");
+    ERR_750("ERR_750"),
+    ERR_751("ERR_751");
 
     private static final ResourceBundle ERR_BUNDLE = ResourceBundle
         .getBundle( "org.apache.directory.server.i18n.errors", Locale.ROOT );
diff --git a/i18n/src/main/resources/org/apache/directory/server/i18n/errors.properties b/i18n/src/main/resources/org/apache/directory/server/i18n/errors.properties
index 1f96c7e..70959b2 100644
--- a/i18n/src/main/resources/org/apache/directory/server/i18n/errors.properties
+++ b/i18n/src/main/resources/org/apache/directory/server/i18n/errors.properties
@@ -772,3 +772,4 @@ ERR_747=Not a valid log file offset  {0}
 ERR_748=Invalid log file bufferSize/ max size is sepcified bufferSize {0} logFileSize {0}
 ERR_749=Log Scanner is already closed
 ERR_750=Log content is invalid
+ERR_751=Invalid TrustManager Class {0}
diff --git a/protocol-ldap/src/main/java/org/apache/directory/server/ldap/LdapServer.java b/protocol-ldap/src/main/java/org/apache/directory/server/ldap/LdapServer.java
index df5323e..97d4891 100644
--- a/protocol-ldap/src/main/java/org/apache/directory/server/ldap/LdapServer.java
+++ b/protocol-ldap/src/main/java/org/apache/directory/server/ldap/LdapServer.java
@@ -21,6 +21,7 @@ package org.apache.directory.server.ldap;
 
 
 import java.io.IOException;
+import java.security.KeyStore;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.HashMap;
@@ -31,6 +32,8 @@ import java.util.Map;
 import java.util.Set;
 
 import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
 
 import org.apache.directory.api.ldap.codec.api.LdapApiServiceFactory;
 import org.apache.directory.api.ldap.model.constants.Loggers;
@@ -247,6 +250,7 @@ public class LdapServer extends DirectoryBackedService
     private List<ReplicationConsumer> replConsumers;
 
     private KeyManagerFactory keyManagerFactory;
+    private TrustManager[] trustManagers;
 
     /** the time interval between subsequent pings to each replication provider */
     private int pingerSleepTime;
@@ -355,7 +359,7 @@ public class LdapServer extends DirectoryBackedService
      * with a new SslFilter after reloading the keystore.
      *
      * Note: should be called to reload the keystore after changing the digital certificate.
-     * @throws Exception If teh SSLContext can't be reloaded
+     * @throws Exception If the SSLContext can't be reloaded
      */
     public void reloadSslContext() throws Exception
     {
@@ -420,6 +424,13 @@ public class LdapServer extends DirectoryBackedService
 
         keyManagerFactory = CertificateUtil.loadKeyStore( keystoreFile, certificatePassword );
 
+        if ( trustManagers == null )
+        {
+            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance( TrustManagerFactory.getDefaultAlgorithm() );
+            trustManagerFactory.init( ( KeyStore ) null );
+            trustManagers = trustManagerFactory.getTrustManagers();
+        }
+
         /*
          * The server is now initialized, we can
          * install the default requests handlers, which need
@@ -1649,6 +1660,18 @@ public class LdapServer extends DirectoryBackedService
         return keyManagerFactory;
     }
 
+    /**
+     * @return the trust managers of the server
+     */
+    public TrustManager[] getTrustManagers()
+    {
+        return trustManagers;
+    }
+
+    public void setTrustManagers( TrustManager[] trustManagers )
+    {
+        this.trustManagers = trustManagers;
+    }
 
     /**
      * @return The maximum allowed size for an incoming PDU
diff --git a/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/extended/StartTlsHandler.java b/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/extended/StartTlsHandler.java
index e2d01fd..003a74b 100644
--- a/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/extended/StartTlsHandler.java
+++ b/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/extended/StartTlsHandler.java
@@ -29,7 +29,6 @@ import java.util.List;
 import java.util.Set;
 
 import javax.net.ssl.SSLContext;
-import javax.net.ssl.TrustManager;
 
 import org.apache.directory.api.ldap.extras.extended.startTls.StartTlsRequest;
 import org.apache.directory.api.ldap.extras.extended.startTls.StartTlsResponse;
@@ -38,7 +37,6 @@ import org.apache.directory.api.ldap.model.message.ExtendedRequest;
 import org.apache.directory.api.ldap.model.message.ExtendedResponse;
 import org.apache.directory.api.ldap.model.message.LdapResult;
 import org.apache.directory.api.ldap.model.message.ResultCodeEnum;
-import org.apache.directory.ldap.client.api.NoVerificationTrustManager;
 import org.apache.directory.server.i18n.I18n;
 import org.apache.directory.server.ldap.ExtendedOperationHandler;
 import org.apache.directory.server.ldap.LdapServer;
@@ -181,8 +179,8 @@ public class StartTlsHandler implements ExtendedOperationHandler<ExtendedRequest
 
         try
         {
-            sslContext.init( ldapServer.getKeyManagerFactory().getKeyManagers(), new TrustManager[]
-                { new NoVerificationTrustManager() }, new SecureRandom() );
+            sslContext.init( ldapServer.getKeyManagerFactory().getKeyManagers(),
+                    ldapServer.getTrustManagers(), new SecureRandom() );
         }
         catch ( Exception e )
         {
diff --git a/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/ssl/LdapsInitializer.java b/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/ssl/LdapsInitializer.java
index 26938c2..44134f8 100644
--- a/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/ssl/LdapsInitializer.java
+++ b/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/ssl/LdapsInitializer.java
@@ -24,10 +24,8 @@ import java.security.SecureRandom;
 import java.util.List;
 
 import javax.net.ssl.SSLContext;
-import javax.net.ssl.TrustManager;
 
 import org.apache.directory.api.ldap.model.exception.LdapException;
-import org.apache.directory.ldap.client.api.NoVerificationTrustManager;
 import org.apache.directory.server.i18n.I18n;
 import org.apache.directory.server.ldap.LdapServer;
 import org.apache.directory.server.protocol.shared.transport.TcpTransport;
@@ -66,8 +64,8 @@ public final class LdapsInitializer
         {
             // Initialize the SSLContext to work with our key managers.
             sslCtx = SSLContext.getInstance( "TLS" );
-            sslCtx.init( ldapServer.getKeyManagerFactory().getKeyManagers(), new TrustManager[]
-                { new NoVerificationTrustManager() }, new SecureRandom() );
+            sslCtx.init( ldapServer.getKeyManagerFactory().getKeyManagers(),
+                    ldapServer.getTrustManagers(), new SecureRandom() );
         }
         catch ( Exception e )
         {
diff --git a/server-annotations/src/main/java/org/apache/directory/server/annotations/CreateLdapServer.java b/server-annotations/src/main/java/org/apache/directory/server/annotations/CreateLdapServer.java
index bd167c9..2492190 100644
--- a/server-annotations/src/main/java/org/apache/directory/server/annotations/CreateLdapServer.java
+++ b/server-annotations/src/main/java/org/apache/directory/server/annotations/CreateLdapServer.java
@@ -106,4 +106,11 @@ public @interface CreateLdapServer
     
     /** @return The service principal, used by GSSAPI. */
     String saslPrincipal() default "ldap/ldap.example.com@EXAMPLE.COM";
+
+    /**
+     * The X509 certificate trust managers used
+     *
+     *  @return The trust manager classes
+     */
+    Class<?>[] trustManagers() default {};
 }
\ No newline at end of file
diff --git a/server-annotations/src/main/java/org/apache/directory/server/factory/ServerAnnotationProcessor.java b/server-annotations/src/main/java/org/apache/directory/server/factory/ServerAnnotationProcessor.java
index 70f736e..3c87915 100644
--- a/server-annotations/src/main/java/org/apache/directory/server/factory/ServerAnnotationProcessor.java
+++ b/server-annotations/src/main/java/org/apache/directory/server/factory/ServerAnnotationProcessor.java
@@ -28,6 +28,8 @@ import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
 
+import javax.net.ssl.TrustManager;
+
 import org.apache.directory.api.ldap.model.constants.SupportedSaslMechanisms;
 import org.apache.directory.api.util.Network;
 import org.apache.directory.api.util.Strings;
@@ -220,6 +222,23 @@ public final class ServerAnnotationProcessor
 
             ldapServer.setSaslRealms( realms );
 
+            if ( createLdapServer.trustManagers() != null && createLdapServer.trustManagers().length > 0 )
+            {
+                TrustManager[] trustManagers = new TrustManager[createLdapServer.trustManagers().length];
+                for ( int i = 0; i < createLdapServer.trustManagers().length; i++ )
+                {
+                    try
+                    {
+                        trustManagers[i] = ( TrustManager ) createLdapServer.trustManagers()[i].newInstance();
+                    }
+                    catch ( InstantiationException | IllegalAccessException e )
+                    {
+                        throw new RuntimeException( I18n.err( I18n.ERR_751, createLdapServer.trustManagers()[i].getName() ), e );
+                    }
+                }
+                ldapServer.setTrustManagers( trustManagers );
+            }
+
             return ldapServer;
         }
         else
diff --git a/server-integ/src/test/java/org/apache/directory/server/ldap/handlers/sasl/external/ClientCertificateAuthenticationIT.java b/server-integ/src/test/java/org/apache/directory/server/ldap/handlers/sasl/external/ClientCertificateAuthenticationIT.java
index 90143e9..843d31a 100644
--- a/server-integ/src/test/java/org/apache/directory/server/ldap/handlers/sasl/external/ClientCertificateAuthenticationIT.java
+++ b/server-integ/src/test/java/org/apache/directory/server/ldap/handlers/sasl/external/ClientCertificateAuthenticationIT.java
@@ -92,6 +92,10 @@ import static org.junit.Assert.assertTrue;
         saslMechanisms =
                 {
                         @SaslMechanism(name = SupportedSaslMechanisms.EXTERNAL, implClass = CertificateMechanismHandler.class)
+                },
+        trustManagers =
+                {
+                        org.apache.directory.ldap.client.api.NoVerificationTrustManager.class
                 })
 @ApplyLdifs(
         {