You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@directory.apache.org by dr...@apache.org on 2015/01/10 14:31:06 UTC
[22/42] directory-kerberos git commit: Initially import Haox codebase
(https://github.com/drankye/haox)
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/23c1fd12/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/RMISocketFactoryImpl.java
----------------------------------------------------------------------
diff --git a/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/RMISocketFactoryImpl.java b/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/RMISocketFactoryImpl.java
new file mode 100644
index 0000000..fcf7c5c
--- /dev/null
+++ b/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/RMISocketFactoryImpl.java
@@ -0,0 +1,578 @@
+/*
+ * $HeadURL: http://juliusdavies.ca/svn/not-yet-commons-ssl/tags/commons-ssl-0.3.16/src/java/org/apache/commons/ssl/RMISocketFactoryImpl.java $
+ * $Revision: 166 $
+ * $Date: 2014-04-28 11:40:25 -0700 (Mon, 28 Apr 2014) $
+ *
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation. For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.commons.ssl;
+
+import javax.net.ServerSocketFactory;
+import javax.net.SocketFactory;
+import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLPeerUnverifiedException;
+import javax.net.ssl.SSLProtocolException;
+import javax.net.ssl.SSLSocket;
+import java.io.EOFException;
+import java.io.IOException;
+import java.io.InterruptedIOException;
+import java.net.DatagramSocket;
+import java.net.InetAddress;
+import java.net.NetworkInterface;
+import java.net.ServerSocket;
+import java.net.Socket;
+import java.net.SocketException;
+import java.net.UnknownHostException;
+import java.rmi.server.RMISocketFactory;
+import java.security.GeneralSecurityException;
+import java.security.cert.X509Certificate;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.Enumeration;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.LinkedList;
+import java.util.Map;
+import java.util.Set;
+import java.util.SortedSet;
+import java.util.TreeMap;
+import java.util.TreeSet;
+
+
+/**
+ * An RMISocketFactory ideal for using RMI over SSL. The server secures both
+ * the registry and the remote objects. The client assumes that either both
+ * the registry and the remote objects will use SSL, or both will use
+ * plain-socket. The client is able to auto detect plain-socket registries
+ * and downgrades itself to accomodate those.
+ * <p/>
+ * Unlike most existing RMI over SSL solutions in use (including Java 5's
+ * javax.rmi.ssl.SslRMIClientSocketFactory), this one does proper SSL hostname
+ * verification. From the client perspective this is straighforward. From
+ * the server perspective we introduce a clever trick: we perform an initial
+ * "hostname verification" by trying the current value of
+ * "java.rmi.server.hostname" against our server certificate. If the
+ * "java.rmi.server.hostname" System Property isn't set, we set it ourselves
+ * using the CN value we extract from our server certificate! (Some
+ * complications arise should a wildcard certificate show up, but we try our
+ * best to deal with those).
+ * <p/>
+ * An SSL server cannot be started without a private key. We have defined some
+ * default behaviour for trying to find a private key to use that we believe
+ * is convenient and sensible:
+ * <p/>
+ * If running from inside Tomcat, we try to re-use Tomcat's private key and
+ * certificate chain (assuming Tomcat-SSL on port 8443 is enabled). If this
+ * isn't available, we look for the "javax.net.ssl.keyStore" System property.
+ * Finally, if that isn't available, we look for "~/.keystore" and assume
+ * a password of "changeit".
+ * <p/>
+ * If after all these attempts we still failed to find a private key, the
+ * RMISocketFactoryImpl() constructor will throw an SSLException.
+ *
+ * @author Credit Union Central of British Columbia
+ * @author <a href="http://www.cucbc.com/">www.cucbc.com</a>
+ * @author <a href="mailto:juliusdavies@cucbc.com">juliusdavies@cucbc.com</a>
+ * @since 22-Apr-2005
+ */
+public class RMISocketFactoryImpl extends RMISocketFactory {
+ public final static String RMI_HOSTNAME_KEY = "java.rmi.server.hostname";
+ private final static LogWrapper log = LogWrapper.getLogger(RMISocketFactoryImpl.class);
+
+ private volatile SocketFactory defaultClient;
+ private volatile ServerSocketFactory sslServer;
+ private volatile String localBindAddress = null;
+ private volatile int anonymousPort = 31099;
+ private Map clientMap = new TreeMap();
+ private Map serverSockets = new HashMap();
+ private final SocketFactory plainClient = SocketFactory.getDefault();
+
+ public RMISocketFactoryImpl() throws GeneralSecurityException, IOException {
+ this(true);
+ }
+
+ /**
+ * @param createDefaultServer If false, then we only set the default
+ * client, and the default server is set to null.
+ * If true, then a default server is also created.
+ * @throws java.security.GeneralSecurityException bad things
+ * @throws java.io.IOException bad things
+ */
+ public RMISocketFactoryImpl(boolean createDefaultServer)
+ throws GeneralSecurityException, IOException {
+ SSLServer defaultServer = createDefaultServer ? new SSLServer() : null;
+ SSLClient defaultClient = new SSLClient();
+
+ // RMI calls to localhost will not check that host matches CN in
+ // certificate. Hopefully this is acceptable. (The registry server
+ // will followup the registry lookup with the proper DNS name to get
+ // the remote object, anyway).
+ HostnameVerifier verifier = HostnameVerifier.DEFAULT_AND_LOCALHOST;
+ defaultClient.setHostnameVerifier(verifier);
+ if (defaultServer != null) {
+ defaultServer.setHostnameVerifier(verifier);
+ // The RMI server will try to re-use Tomcat's "port 8443" SSL
+ // Certificate if possible.
+ defaultServer.useTomcatSSLMaterial();
+ X509Certificate[] x509 = defaultServer.getAssociatedCertificateChain();
+ if (x509 == null || x509.length < 1) {
+ throw new SSLException("Cannot initialize RMI-SSL Server: no KeyMaterial!");
+ }
+ setServer(defaultServer);
+ }
+ setDefaultClient(defaultClient);
+ }
+
+ public void setServer(ServerSocketFactory f)
+ throws GeneralSecurityException, IOException {
+ this.sslServer = f;
+ if (f instanceof SSLServer) {
+ final HostnameVerifier VERIFIER;
+ VERIFIER = HostnameVerifier.DEFAULT_AND_LOCALHOST;
+
+ final SSLServer ssl = (SSLServer) f;
+ final X509Certificate[] chain = ssl.getAssociatedCertificateChain();
+ String[] cns = Certificates.getCNs(chain[0]);
+ String[] subjectAlts = Certificates.getDNSSubjectAlts(chain[0]);
+ LinkedList names = new LinkedList();
+ if (cns != null && cns.length > 0) {
+ // Only first CN is used. Not going to get into the IE6 nonsense
+ // where all CN values are used.
+ names.add(cns[0]);
+ }
+ if (subjectAlts != null && subjectAlts.length > 0) {
+ names.addAll(Arrays.asList(subjectAlts));
+ }
+
+ String rmiHostName = System.getProperty(RMI_HOSTNAME_KEY);
+ // If "java.rmi.server.hostname" is already set, don't mess with it.
+ // But blowup if it's not going to work with our SSL Server
+ // Certificate!
+ if (rmiHostName != null) {
+ try {
+ VERIFIER.check(rmiHostName, cns, subjectAlts);
+ }
+ catch (SSLException ssle) {
+ String s = ssle.toString();
+ throw new SSLException(RMI_HOSTNAME_KEY + " of " + rmiHostName + " conflicts with SSL Server Certificate: " + s);
+ }
+ } else {
+ // If SSL Cert only contains one non-wild name, just use that and
+ // hope for the best.
+ boolean hopingForBest = false;
+ if (names.size() == 1) {
+ String name = (String) names.get(0);
+ if (!name.startsWith("*")) {
+ System.setProperty(RMI_HOSTNAME_KEY, name);
+ log.warn("commons-ssl '" + RMI_HOSTNAME_KEY + "' set to '" + name + "' as found in my SSL Server Certificate.");
+ hopingForBest = true;
+ }
+ }
+ if (!hopingForBest) {
+ // Help me, Obi-Wan Kenobi; you're my only hope. All we can
+ // do now is grab our internet-facing addresses, reverse-lookup
+ // on them, and hope that one of them validates against our
+ // server cert.
+ Set s = getMyInternetFacingIPs();
+ Iterator it = s.iterator();
+ while (it.hasNext()) {
+ String name = (String) it.next();
+ try {
+ VERIFIER.check(name, cns, subjectAlts);
+ System.setProperty(RMI_HOSTNAME_KEY, name);
+ log.warn("commons-ssl '" + RMI_HOSTNAME_KEY + "' set to '" + name + "' as found by reverse-dns against my own IP.");
+ hopingForBest = true;
+ break;
+ }
+ catch (SSLException ssle) {
+ // next!
+ }
+ }
+ }
+ if (!hopingForBest) {
+ throw new SSLException("'" + RMI_HOSTNAME_KEY + "' not present. Must work with my SSL Server Certificate's CN field: " + names);
+ }
+ }
+ }
+ trustOurself();
+ }
+
+ public void setLocalBindAddress(String localBindAddress) {
+ this.localBindAddress = localBindAddress;
+ }
+
+ public void setAnonymousPort(int port) {
+ this.anonymousPort = port;
+ }
+
+ public void setDefaultClient(SocketFactory f)
+ throws GeneralSecurityException, IOException {
+ this.defaultClient = f;
+ trustOurself();
+ }
+
+ public void setClient(String host, SocketFactory f)
+ throws GeneralSecurityException, IOException {
+ if (f != null && sslServer != null) {
+ boolean clientIsCommonsSSL = f instanceof SSLClient;
+ boolean serverIsCommonsSSL = sslServer instanceof SSLServer;
+ if (clientIsCommonsSSL && serverIsCommonsSSL) {
+ SSLClient c = (SSLClient) f;
+ SSLServer s = (SSLServer) sslServer;
+ trustEachOther(c, s);
+ }
+ }
+ Set names = hostnamePossibilities(host);
+ Iterator it = names.iterator();
+ synchronized (this) {
+ while (it.hasNext()) {
+ clientMap.put(it.next(), f);
+ }
+ }
+ }
+
+ public void removeClient(String host) {
+ Set names = hostnamePossibilities(host);
+ Iterator it = names.iterator();
+ synchronized (this) {
+ while (it.hasNext()) {
+ clientMap.remove(it.next());
+ }
+ }
+ }
+
+ public synchronized void removeClient(SocketFactory sf) {
+ Iterator it = clientMap.entrySet().iterator();
+ while (it.hasNext()) {
+ Map.Entry entry = (Map.Entry) it.next();
+ Object o = entry.getValue();
+ if (sf.equals(o)) {
+ it.remove();
+ }
+ }
+ }
+
+ private Set hostnamePossibilities(String host) {
+ host = host != null ? host.toLowerCase().trim() : "";
+ if ("".equals(host)) {
+ return Collections.EMPTY_SET;
+ }
+ TreeSet names = new TreeSet();
+ names.add(host);
+ InetAddress[] addresses;
+ try {
+ // If they gave us "hostname.com", this will give us the various
+ // IP addresses:
+ addresses = InetAddress.getAllByName(host);
+ for (int i = 0; i < addresses.length; i++) {
+ String name1 = addresses[i].getHostName();
+ String name2 = addresses[i].getHostAddress();
+ names.add(name1.trim().toLowerCase());
+ names.add(name2.trim().toLowerCase());
+ }
+ }
+ catch (UnknownHostException uhe) {
+ /* oh well, nothing found, nothing to add for this client */
+ }
+
+ try {
+ host = InetAddress.getByName(host).getHostAddress();
+
+ // If they gave us "1.2.3.4", this will hopefully give us
+ // "hostname.com" so that we can then try and find any other
+ // IP addresses associated with that name.
+ host = InetAddress.getByName(host).getHostName();
+ names.add(host.trim().toLowerCase());
+ addresses = InetAddress.getAllByName(host);
+ for (int i = 0; i < addresses.length; i++) {
+ String name1 = addresses[i].getHostName();
+ String name2 = addresses[i].getHostAddress();
+ names.add(name1.trim().toLowerCase());
+ names.add(name2.trim().toLowerCase());
+ }
+ }
+ catch (UnknownHostException uhe) {
+ /* oh well, nothing found, nothing to add for this client */
+ }
+ return names;
+ }
+
+ private void trustOurself()
+ throws GeneralSecurityException, IOException {
+ if (defaultClient == null || sslServer == null) {
+ return;
+ }
+ boolean clientIsCommonsSSL = defaultClient instanceof SSLClient;
+ boolean serverIsCommonsSSL = sslServer instanceof SSLServer;
+ if (clientIsCommonsSSL && serverIsCommonsSSL) {
+ SSLClient c = (SSLClient) defaultClient;
+ SSLServer s = (SSLServer) sslServer;
+ trustEachOther(c, s);
+ }
+ }
+
+ private void trustEachOther(SSLClient client, SSLServer server)
+ throws GeneralSecurityException, IOException {
+ if (client != null && server != null) {
+ // Our own client should trust our own server.
+ X509Certificate[] certs = server.getAssociatedCertificateChain();
+ if (certs != null && certs[0] != null) {
+ TrustMaterial tm = new TrustMaterial(certs[0]);
+ client.addTrustMaterial(tm);
+ }
+
+ // Our own server should trust our own client.
+ certs = client.getAssociatedCertificateChain();
+ if (certs != null && certs[0] != null) {
+ TrustMaterial tm = new TrustMaterial(certs[0]);
+ server.addTrustMaterial(tm);
+ }
+ }
+ }
+
+ public ServerSocketFactory getServer() { return sslServer; }
+
+ public SocketFactory getDefaultClient() { return defaultClient; }
+
+ public synchronized SocketFactory getClient(String host) {
+ host = host != null ? host.trim().toLowerCase() : "";
+ return (SocketFactory) clientMap.get(host);
+ }
+
+ public synchronized ServerSocket createServerSocket(int port)
+ throws IOException {
+ // Re-use existing ServerSocket if possible.
+ if (port == 0) {
+ port = anonymousPort;
+ }
+ Integer key = new Integer(port);
+ ServerSocket ss = (ServerSocket) serverSockets.get(key);
+ if (ss == null || ss.isClosed()) {
+ if (ss != null && ss.isClosed()) {
+ System.out.println("found closed server on port: " + port);
+ }
+ log.debug("commons-ssl RMI server-socket: listening on port " + port);
+ ss = sslServer.createServerSocket(port);
+ serverSockets.put(key, ss);
+ }
+ return ss;
+ }
+
+ public Socket createSocket(String host, int port)
+ throws IOException {
+ host = host != null ? host.trim().toLowerCase() : "";
+ InetAddress local = null;
+ String bindAddress = localBindAddress;
+ if (bindAddress == null) {
+ bindAddress = System.getProperty(RMI_HOSTNAME_KEY);
+ if (bindAddress != null) {
+ local = InetAddress.getByName(bindAddress);
+ if (!local.isLoopbackAddress()) {
+ String ip = local.getHostAddress();
+ Set myInternetIps = getMyInternetFacingIPs();
+ if (!myInternetIps.contains(ip)) {
+ log.warn("Cannot bind to " + ip + " since it doesn't exist on this machine.");
+ // Not going to be able to bind as this. Our RMI_HOSTNAME_KEY
+ // must be set to some kind of proxy in front of us. So we
+ // still want to use it, but we can't bind to it.
+ local = null;
+ bindAddress = null;
+ }
+ }
+ }
+ }
+ if (bindAddress == null) {
+ // Our last resort - let's make sure we at least use something that's
+ // internet facing!
+ bindAddress = getMyDefaultIP();
+ }
+ if (local == null && bindAddress != null) {
+ local = InetAddress.getByName(bindAddress);
+ localBindAddress = local.getHostName();
+ }
+
+ SocketFactory sf;
+ synchronized (this) {
+ sf = (SocketFactory) clientMap.get(host);
+ }
+ if (sf == null) {
+ sf = defaultClient;
+ }
+
+ Socket s = null;
+ SSLSocket ssl = null;
+ int soTimeout = Integer.MIN_VALUE;
+ IOException reasonForPlainSocket = null;
+ boolean tryPlain = false;
+ try {
+ s = sf.createSocket(host, port, local, 0);
+ soTimeout = s.getSoTimeout();
+ if (!(s instanceof SSLSocket)) {
+ // Someone called setClient() or setDefaultClient() and passed in
+ // a plain socket factory. Okay, nothing to see, move along.
+ return s;
+ } else {
+ ssl = (SSLSocket) s;
+ }
+
+ // If we don't get the peer certs in 15 seconds, revert to plain
+ // socket.
+ ssl.setSoTimeout(15000);
+ ssl.getSession().getPeerCertificates();
+
+ // Everything worked out okay, so go back to original soTimeout.
+ ssl.setSoTimeout(soTimeout);
+ return ssl;
+ }
+ catch (IOException ioe) {
+ // SSL didn't work. Let's analyze the IOException to see if maybe
+ // we're accidentally attempting to talk to a plain-socket RMI
+ // server.
+ Throwable t = ioe;
+ while (!tryPlain && t != null) {
+ tryPlain = tryPlain || t instanceof EOFException;
+ tryPlain = tryPlain || t instanceof InterruptedIOException;
+ tryPlain = tryPlain || t instanceof SSLProtocolException;
+ t = t.getCause();
+ }
+ if (!tryPlain && ioe instanceof SSLPeerUnverifiedException) {
+ try {
+ if (ssl != null) {
+ ssl.startHandshake();
+ }
+ }
+ catch (IOException ioe2) {
+ // Stacktrace from startHandshake() will be more descriptive
+ // then the one we got from getPeerCertificates().
+ ioe = ioe2;
+ t = ioe2;
+ while (!tryPlain && t != null) {
+ tryPlain = tryPlain || t instanceof EOFException;
+ tryPlain = tryPlain || t instanceof InterruptedIOException;
+ tryPlain = tryPlain || t instanceof SSLProtocolException;
+ t = t.getCause();
+ }
+ }
+ }
+ if (!tryPlain) {
+ log.debug("commons-ssl RMI-SSL failed: " + ioe);
+ throw ioe;
+ } else {
+ reasonForPlainSocket = ioe;
+ }
+ }
+ finally {
+ // Some debug logging:
+ boolean isPlain = tryPlain || (s != null && ssl == null);
+ String socket = isPlain ? "RMI plain-socket " : "RMI ssl-socket ";
+ String localIP = local != null ? local.getHostAddress() : "ANY";
+ StringBuffer buf = new StringBuffer(64);
+ buf.append(socket);
+ buf.append(localIP);
+ buf.append(" --> ");
+ buf.append(host);
+ buf.append(":");
+ buf.append(port);
+ log.debug(buf.toString());
+ }
+
+ // SSL didn't work. Remote server either timed out, or sent EOF, or
+ // there was some kind of SSLProtocolException. (Any other problem
+ // would have caused an IOException to be thrown, so execution wouldn't
+ // have made it this far). Maybe plain socket will work in these three
+ // cases.
+ sf = plainClient;
+ s = JavaImpl.connect(null, sf, host, port, local, 0, 15000, null);
+ if (soTimeout != Integer.MIN_VALUE) {
+ s.setSoTimeout(soTimeout);
+ }
+
+ try {
+ // Plain socket worked! Let's remember that for next time an RMI call
+ // against this host happens.
+ setClient(host, plainClient);
+ String msg = "RMI downgrading from SSL to plain-socket for " + host + " because of " + reasonForPlainSocket;
+ log.warn(msg, reasonForPlainSocket);
+ }
+ catch (GeneralSecurityException gse) {
+ throw new RuntimeException("can't happen because we're using plain socket", gse);
+ // won't happen because we're using plain socket, not SSL.
+ }
+
+ return s;
+ }
+
+
+ public static String getMyDefaultIP() {
+ String anInternetIP = "64.111.122.211";
+ String ip = null;
+ try {
+ DatagramSocket dg = new DatagramSocket();
+ dg.setSoTimeout(250);
+ // 64.111.122.211 is juliusdavies.ca.
+ // This code doesn't actually send any packets (so no firewalls can
+ // get in the way). It's just a neat trick for getting our
+ // internet-facing interface card.
+ InetAddress addr = Util.toInetAddress(anInternetIP);
+ dg.connect(addr, 12345);
+ InetAddress localAddr = dg.getLocalAddress();
+ ip = localAddr.getHostAddress();
+ // log.debug( "Using bogus UDP socket (" + anInternetIP + ":12345), I think my IP address is: " + ip );
+ dg.close();
+ if (localAddr.isLoopbackAddress() || "0.0.0.0".equals(ip)) {
+ ip = null;
+ }
+ }
+ catch (IOException ioe) {
+ log.debug("Bogus UDP didn't work: " + ioe);
+ }
+ return ip;
+ }
+
+ public static SortedSet getMyInternetFacingIPs() throws SocketException {
+ TreeSet set = new TreeSet();
+ Enumeration en = NetworkInterface.getNetworkInterfaces();
+ while (en.hasMoreElements()) {
+ NetworkInterface ni = (NetworkInterface) en.nextElement();
+ Enumeration en2 = ni.getInetAddresses();
+ while (en2.hasMoreElements()) {
+ InetAddress addr = (InetAddress) en2.nextElement();
+ if (!addr.isLoopbackAddress()) {
+ String ip = addr.getHostAddress();
+ String reverse = addr.getHostName();
+ // IP:
+ set.add(ip);
+ // Reverse-Lookup:
+ set.add(reverse);
+
+ }
+ }
+ }
+ return set;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/23c1fd12/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/SSL.java
----------------------------------------------------------------------
diff --git a/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/SSL.java b/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/SSL.java
new file mode 100644
index 0000000..5f9f6dc
--- /dev/null
+++ b/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/SSL.java
@@ -0,0 +1,612 @@
+/*
+ * $HeadURL: http://juliusdavies.ca/svn/not-yet-commons-ssl/tags/commons-ssl-0.3.16/src/java/org/apache/commons/ssl/SSL.java $
+ * $Revision: 180 $
+ * $Date: 2014-09-23 11:33:47 -0700 (Tue, 23 Sep 2014) $
+ *
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation. For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.commons.ssl;
+
+import javax.net.SocketFactory;
+import javax.net.ssl.*;
+import java.io.File;
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.ServerSocket;
+import java.net.Socket;
+import java.net.UnknownHostException;
+import java.security.GeneralSecurityException;
+import java.security.KeyManagementException;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.*;
+
+/**
+ * Not thread-safe. (But who would ever share this thing across multiple
+ * threads???)
+ *
+ * @author Credit Union Central of British Columbia
+ * @author <a href="http://www.cucbc.com/">www.cucbc.com</a>
+ * @author <a href="mailto:juliusdavies@cucbc.com">juliusdavies@cucbc.com</a>
+ * @since May 1, 2006
+ */
+public class SSL {
+ private final static String[] KNOWN_PROTOCOLS =
+ {"TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3", "SSLv2", "SSLv2Hello"};
+
+ // SUPPORTED_CIPHERS_ARRAY is initialized in the static constructor.
+ private final static String[] SUPPORTED_CIPHERS;
+
+ public final static SortedSet KNOWN_PROTOCOLS_SET;
+ public final static SortedSet SUPPORTED_CIPHERS_SET;
+
+ static {
+ TreeSet<String> ts = new TreeSet<String>(Collections.reverseOrder());
+ ts.addAll(Arrays.asList(KNOWN_PROTOCOLS));
+ KNOWN_PROTOCOLS_SET = Collections.unmodifiableSortedSet(ts);
+
+ // SSLSocketFactory.getDefault() sometimes blocks on FileInputStream
+ // reads of "/dev/random" (Linux only?). You might find you system
+ // stuck here. Move the mouse around a little!
+ SSLSocketFactory s = (SSLSocketFactory) SSLSocketFactory.getDefault();
+ ts = new TreeSet<String>();
+ SUPPORTED_CIPHERS = s.getSupportedCipherSuites();
+ Arrays.sort(SUPPORTED_CIPHERS);
+ ts.addAll(Arrays.asList(SUPPORTED_CIPHERS));
+ SUPPORTED_CIPHERS_SET = Collections.unmodifiableSortedSet(ts);
+ }
+
+ private Object sslContext = null;
+ private int initCount = 0;
+ private SSLSocketFactory socketFactory = null;
+ private SSLServerSocketFactory serverSocketFactory = null;
+ private HostnameVerifier hostnameVerifier = HostnameVerifier.DEFAULT;
+ private boolean isSecure = true; // if false, the client-style operations only create plain sockets.
+ private boolean checkHostname = true;
+ private boolean checkCRL = true;
+ private boolean checkExpiry = true;
+ private boolean useClientMode = false;
+ private boolean useClientModeDefault = true;
+ private int soTimeout = 24 * 60 * 60 * 1000; // default: one day
+ private int connectTimeout = 60 * 60 * 1000; // default: one hour
+ private TrustChain trustChain = null;
+ private KeyMaterial keyMaterial = null;
+ private String[] enabledCiphers = null;
+ private String[] enabledProtocols = null;
+ private String defaultProtocol = "TLS";
+ private X509Certificate[] currentServerChain;
+ private X509Certificate[] currentClientChain;
+ private boolean wantClientAuth = true;
+ private boolean needClientAuth = false;
+ private SSLWrapperFactory sslWrapperFactory = SSLWrapperFactory.NO_WRAP;
+ private Map dnsOverride;
+
+ protected final boolean usingSystemProperties;
+
+ public SSL()
+ throws GeneralSecurityException, IOException {
+ boolean usingSysProps = false;
+ Properties props = System.getProperties();
+ boolean ksSet = props.containsKey("javax.net.ssl.keyStore");
+ boolean tsSet = props.containsKey("javax.net.ssl.trustStore");
+ if (ksSet) {
+ String path = System.getProperty("javax.net.ssl.keyStore");
+ String pwd = System.getProperty("javax.net.ssl.keyStorePassword");
+ pwd = pwd != null ? pwd : ""; // JSSE default is "".
+ File f = new File(path);
+ if (f.exists()) {
+ KeyMaterial km = new KeyMaterial(path, pwd.toCharArray());
+ setKeyMaterial(km);
+ usingSysProps = true;
+ }
+ }
+ boolean trustMaterialSet = false;
+ if (tsSet) {
+ String path = System.getProperty("javax.net.ssl.trustStore");
+ String pwd = System.getProperty("javax.net.ssl.trustStorePassword");
+ boolean pwdWasNull = pwd == null;
+ pwd = pwdWasNull ? "" : pwd; // JSSE default is "".
+ File f = new File(path);
+ if (f.exists()) {
+ TrustMaterial tm;
+ try {
+ tm = new TrustMaterial(path, pwd.toCharArray());
+ }
+ catch (GeneralSecurityException gse) {
+ // Probably a bad password. If we're using the default password,
+ // let's try and survive this setback.
+ if (pwdWasNull) {
+ tm = new TrustMaterial(path);
+ } else {
+ throw gse;
+ }
+ }
+
+ setTrustMaterial(tm);
+ usingSysProps = true;
+ trustMaterialSet = true;
+ }
+ }
+
+ /*
+ No default trust material was set. We'll use the JSSE standard way
+ where we test for "JSSE_CACERTS" first, and then fall back on
+ "CACERTS". We could just leave TrustMaterial null, but then our
+ setCheckCRL() and setCheckExpiry() features won't work. We need a
+ non-null TrustMaterial object in order to intercept and decorate
+ the JVM's default TrustManager.
+ */
+ if (!trustMaterialSet) {
+ setTrustMaterial(TrustMaterial.DEFAULT);
+ }
+ this.usingSystemProperties = usingSysProps;
+ dirtyAndReloadIfYoung();
+ }
+
+ private void dirty() {
+ this.sslContext = null;
+ this.socketFactory = null;
+ this.serverSocketFactory = null;
+ }
+
+ private void dirtyAndReloadIfYoung()
+ throws NoSuchAlgorithmException, KeyStoreException,
+ KeyManagementException, IOException, CertificateException {
+ dirty();
+ if (initCount >= 0 && initCount <= 5) {
+ // The first five init's we do early (before any sockets are
+ // created) in the hope that will trigger any explosions nice
+ // and early, with the correct exception type.
+
+ // After the first five init's, we revert to a regular
+ // dirty / init pattern, and the "init" happens very late:
+ // just before the socket is created. If badness happens, a
+ // wrapping RuntimeException will be thrown.
+ init();
+ }
+ }
+
+ String dnsOverride(String host) {
+ if (dnsOverride != null && dnsOverride.containsKey(host)) {
+ String override = (String) dnsOverride.get(host);
+ if (override != null && !"".equals(override.trim())) {
+ return override;
+ }
+ }
+ return host;
+ }
+
+ public void setDnsOverride(Map m) {
+ this.dnsOverride = m;
+ }
+
+ public void setIsSecure(boolean b) {
+ this.isSecure = b;
+ }
+
+ public boolean isSecure() {
+ return isSecure;
+ }
+
+ public SSLContext getSSLContext()
+ throws GeneralSecurityException, IOException
+
+ {
+ Object obj = getSSLContextAsObject();
+ if (JavaImpl.isJava13()) {
+ try {
+ return (SSLContext) obj;
+ }
+ catch (ClassCastException cce) {
+ throw new ClassCastException("When using Java13 SSL, you must call SSL.getSSLContextAsObject() - " + cce);
+ }
+ }
+ return (SSLContext) obj;
+ }
+
+ /**
+ * @return com.sun.net.ssl.SSLContext or javax.net.ssl.SSLContext depending
+ * on the JSSE implementation we're using.
+ * @throws java.security.GeneralSecurityException problem creating SSLContext
+ * @throws java.io.IOException problem creating SSLContext
+ */
+ public Object getSSLContextAsObject()
+ throws GeneralSecurityException, IOException
+
+ {
+ if (sslContext == null) {
+ init();
+ }
+ return sslContext;
+ }
+
+ public void addTrustMaterial(TrustChain trustChain)
+ throws NoSuchAlgorithmException, KeyStoreException,
+ KeyManagementException, IOException, CertificateException {
+ if (this.trustChain == null || trustChain == TrustMaterial.TRUST_ALL) {
+ this.trustChain = trustChain;
+ } else {
+ this.trustChain.addTrustMaterial(trustChain);
+ }
+ dirtyAndReloadIfYoung();
+ }
+
+ public void setTrustMaterial(TrustChain trustChain)
+ throws NoSuchAlgorithmException, KeyStoreException,
+ KeyManagementException, IOException, CertificateException {
+ this.trustChain = trustChain;
+ dirtyAndReloadIfYoung();
+ }
+
+ public void setKeyMaterial(KeyMaterial keyMaterial)
+ throws NoSuchAlgorithmException, KeyStoreException,
+ KeyManagementException, IOException, CertificateException {
+ this.keyMaterial = keyMaterial;
+ dirtyAndReloadIfYoung();
+ }
+
+ public X509Certificate[] getAssociatedCertificateChain() {
+ if (keyMaterial != null) {
+ List list = keyMaterial.getAssociatedCertificateChains();
+ return (X509Certificate[]) list.get(0);
+ } else {
+ return null;
+ }
+ }
+
+ public String[] getEnabledCiphers() {
+ return enabledCiphers != null ? enabledCiphers : getDefaultCipherSuites();
+ }
+
+ public void setEnabledCiphers(String[] ciphers) {
+ HashSet<String> desired = new HashSet<String>(Arrays.asList(ciphers));
+ desired.removeAll(SUPPORTED_CIPHERS_SET);
+ if (!desired.isEmpty()) {
+ throw new IllegalArgumentException("following ciphers not supported: " + desired);
+ }
+ this.enabledCiphers = ciphers;
+ }
+
+ public String[] getEnabledProtocols() {
+ return enabledProtocols;
+ }
+
+ public void setEnabledProtocols(String[] protocols) {
+ this.enabledProtocols = protocols;
+ }
+
+ public String getDefaultProtocol() {
+ return defaultProtocol;
+ }
+
+ public void setDefaultProtocol(String protocol) {
+ this.defaultProtocol = protocol;
+ dirty();
+ }
+
+ public boolean getCheckHostname() {
+ return checkHostname;
+ }
+
+ public void setCheckHostname(boolean checkHostname) {
+ this.checkHostname = checkHostname;
+ }
+
+ public void setHostnameVerifier(HostnameVerifier verifier) {
+ if (verifier == null) {
+ verifier = HostnameVerifier.DEFAULT;
+ }
+ this.hostnameVerifier = verifier;
+ }
+
+ public HostnameVerifier getHostnameVerifier() {
+ return hostnameVerifier;
+ }
+
+ public boolean getCheckCRL() {
+ return checkCRL;
+ }
+
+ public void setCheckCRL(boolean checkCRL) {
+ this.checkCRL = checkCRL;
+ }
+
+ public boolean getCheckExpiry() {
+ return checkExpiry;
+ }
+
+ public void setCheckExpiry(boolean checkExpiry) {
+ this.checkExpiry = checkExpiry;
+ }
+
+ public void setSoTimeout(int soTimeout) {
+ if (soTimeout < 0) {
+ throw new IllegalArgumentException("soTimeout must not be negative");
+ }
+ this.soTimeout = soTimeout;
+ }
+
+ public int getSoTimeout() {
+ return soTimeout;
+ }
+
+ public void setConnectTimeout(int connectTimeout) {
+ if (connectTimeout < 0) {
+ throw new IllegalArgumentException("connectTimeout must not be negative");
+ }
+ this.connectTimeout = connectTimeout;
+ }
+
+ public void setUseClientMode(boolean useClientMode) {
+ this.useClientModeDefault = false;
+ this.useClientMode = useClientMode;
+ }
+
+ public boolean getUseClientModeDefault() {
+ return useClientModeDefault;
+ }
+
+ public boolean getUseClientMode() {
+ return useClientMode;
+ }
+
+ public void setWantClientAuth(boolean wantClientAuth) {
+ this.wantClientAuth = wantClientAuth;
+ }
+
+ public void setNeedClientAuth(boolean needClientAuth) {
+ this.needClientAuth = needClientAuth;
+ }
+
+ public boolean getWantClientAuth() {
+ return wantClientAuth;
+ }
+
+ public boolean getNeedClientAuth() {
+ return needClientAuth;
+ }
+
+ public SSLWrapperFactory getSSLWrapperFactory() {
+ return this.sslWrapperFactory;
+ }
+
+ public void setSSLWrapperFactory(SSLWrapperFactory wf) {
+ this.sslWrapperFactory = wf;
+ }
+
+ private void initThrowRuntime() {
+ try {
+ init();
+ }
+ catch (GeneralSecurityException gse) {
+ throw JavaImpl.newRuntimeException(gse);
+ }
+ catch (IOException ioe) {
+ throw JavaImpl.newRuntimeException(ioe);
+ }
+ }
+
+ private void init()
+ throws NoSuchAlgorithmException, KeyStoreException,
+ KeyManagementException, IOException, CertificateException {
+ socketFactory = null;
+ serverSocketFactory = null;
+ this.sslContext = JavaImpl.init(this, trustChain, keyMaterial);
+ initCount++;
+ }
+
+ public void doPreConnectSocketStuff(Socket s) throws IOException {
+ if (s instanceof SSLSocket && !useClientModeDefault) {
+ ((SSLSocket) s).setUseClientMode(useClientMode);
+ }
+ if (soTimeout > 0) {
+ s.setSoTimeout(soTimeout);
+ }
+ if (s instanceof SSLSocket) {
+ if (enabledProtocols != null) {
+ JavaImpl.setEnabledProtocols(s, enabledProtocols);
+ }
+ if (enabledCiphers != null) {
+ ((SSLSocket) s).setEnabledCipherSuites(enabledCiphers);
+ }
+ }
+ }
+
+ public void doPostConnectSocketStuff(Socket s, String host)
+ throws IOException {
+ if (checkHostname && s instanceof SSLSocket) {
+ hostnameVerifier.check(host, (SSLSocket) s);
+ }
+ }
+
+ public Socket createSocket() throws IOException {
+ if (isSecure) {
+ return sslWrapperFactory.wrap(JavaImpl.createSocket(this));
+ } else {
+ Socket s = SocketFactory.getDefault().createSocket();
+ doPreConnectSocketStuff(s);
+ return s;
+ }
+ }
+
+ /**
+ * Attempts to get a new socket connection to the given host within the
+ * given time limit.
+ *
+ * @param remoteHost the host name/IP
+ * @param remotePort the port on the host
+ * @param localHost the local host name/IP to bind the socket to
+ * @param localPort the port on the local machine
+ * @param timeout the connection timeout (0==infinite)
+ * @return Socket a new socket
+ * @throws java.io.IOException if an I/O error occurs while creating the socket
+ * @throws java.net.UnknownHostException if the IP address of the host cannot be
+ * determined
+ */
+ public Socket createSocket(
+ String remoteHost, int remotePort, InetAddress localHost, int localPort, int timeout
+ ) throws IOException {
+ // Only use our factory-wide connectTimeout if this method was passed
+ // in a timeout of 0 (infinite).
+ int factoryTimeout = getConnectTimeout();
+ int connectTimeout = timeout == 0 ? factoryTimeout : timeout;
+ Socket s;
+ if (isSecure) {
+ s = JavaImpl.createSocket(
+ this, remoteHost, remotePort, localHost, localPort, connectTimeout
+ );
+ } else {
+ s = JavaImpl.createPlainSocket(
+ this, remoteHost, remotePort, localHost, localPort, connectTimeout
+ );
+ }
+ return sslWrapperFactory.wrap(s);
+ }
+
+ public Socket createSocket(
+ Socket s, String remoteHost, int remotePort, boolean autoClose
+ ) throws IOException {
+ SSLSocketFactory sf = getSSLSocketFactory();
+ s = sf.createSocket(s, remoteHost, remotePort, autoClose);
+ doPreConnectSocketStuff(s);
+ doPostConnectSocketStuff(s, remoteHost);
+ return sslWrapperFactory.wrap(s);
+ }
+
+ public ServerSocket createServerSocket() throws IOException {
+ SSLServerSocket ss = JavaImpl.createServerSocket(this);
+ return getSSLWrapperFactory().wrap(ss, this);
+ }
+
+ /**
+ * Attempts to get a new socket connection to the given host within the
+ * given time limit.
+ *
+ * @param localHost the local host name/IP to bind against (null == ANY)
+ * @param port the port to listen on
+ * @param backlog number of connections allowed to queue up for accept().
+ * @return SSLServerSocket a new server socket
+ * @throws java.io.IOException if an I/O error occurs while creating thesocket
+ */
+ public ServerSocket createServerSocket(int port, int backlog,
+ InetAddress localHost)
+ throws IOException {
+ SSLServerSocketFactory f = getSSLServerSocketFactory();
+ ServerSocket ss = f.createServerSocket(port, backlog, localHost);
+ SSLServerSocket s = (SSLServerSocket) ss;
+ doPreConnectServerSocketStuff(s);
+ return getSSLWrapperFactory().wrap(s, this);
+ }
+
+ public void doPreConnectServerSocketStuff(SSLServerSocket s)
+ throws IOException {
+ if (soTimeout > 0) {
+ s.setSoTimeout(soTimeout);
+ }
+ if (enabledProtocols != null) {
+ JavaImpl.setEnabledProtocols(s, enabledProtocols);
+ }
+ if (enabledCiphers != null) {
+ s.setEnabledCipherSuites(enabledCiphers);
+ }
+
+ /*
+ setNeedClientAuth( false ) has an annoying side effect: it seems to
+ reset setWantClient( true ) back to to false. So I do things this
+ way to make sure setting things "true" happens after setting things
+ "false" - giving "true" priority.
+ */
+ if (!wantClientAuth) {
+ JavaImpl.setWantClientAuth(s, false);
+ }
+ if (!needClientAuth) {
+ s.setNeedClientAuth(false);
+ }
+ if (wantClientAuth) {
+ JavaImpl.setWantClientAuth(s, true);
+ }
+ if (needClientAuth) {
+ s.setNeedClientAuth(true);
+ }
+ }
+
+ public SSLSocketFactory getSSLSocketFactory() {
+ if (sslContext == null) {
+ initThrowRuntime();
+ }
+ if (socketFactory == null) {
+ socketFactory = JavaImpl.getSSLSocketFactory(sslContext);
+ }
+ return socketFactory;
+ }
+
+ public SSLServerSocketFactory getSSLServerSocketFactory() {
+ if (sslContext == null) {
+ initThrowRuntime();
+ }
+ if (serverSocketFactory == null) {
+ serverSocketFactory = JavaImpl.getSSLServerSocketFactory(sslContext);
+ }
+ return serverSocketFactory;
+ }
+
+ public int getConnectTimeout() {
+ return connectTimeout;
+ }
+
+ public String[] getDefaultCipherSuites() {
+ return getSSLSocketFactory().getDefaultCipherSuites();
+ }
+
+ public String[] getSupportedCipherSuites() {
+ String[] s = new String[SUPPORTED_CIPHERS.length];
+ System.arraycopy(SUPPORTED_CIPHERS, 0, s, 0, s.length);
+ return s;
+ }
+
+ public TrustChain getTrustChain() {
+ return trustChain;
+ }
+
+ public void setCurrentServerChain(X509Certificate[] chain) {
+ this.currentServerChain = chain;
+ }
+
+ public void setCurrentClientChain(X509Certificate[] chain) {
+ this.currentClientChain = chain;
+ }
+
+ public X509Certificate[] getCurrentServerChain() {
+ return currentServerChain;
+ }
+
+ public X509Certificate[] getCurrentClientChain() {
+ return currentClientChain;
+ }
+}
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/23c1fd12/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/SSLClient.java
----------------------------------------------------------------------
diff --git a/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/SSLClient.java b/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/SSLClient.java
new file mode 100644
index 0000000..4bc9156
--- /dev/null
+++ b/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/SSLClient.java
@@ -0,0 +1,226 @@
+/*
+ * $HeadURL: http://juliusdavies.ca/svn/not-yet-commons-ssl/tags/commons-ssl-0.3.16/src/java/org/apache/commons/ssl/SSLClient.java $
+ * $Revision: 180 $
+ * $Date: 2014-09-23 11:33:47 -0700 (Tue, 23 Sep 2014) $
+ *
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation. For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.commons.ssl;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocketFactory;
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.Socket;
+import java.net.UnknownHostException;
+import java.security.GeneralSecurityException;
+import java.security.KeyManagementException;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.Map;
+
+/**
+ * @author Credit Union Central of British Columbia
+ * @author <a href="http://www.cucbc.com/">www.cucbc.com</a>
+ * @author <a href="mailto:juliusdavies@cucbc.com">juliusdavies@cucbc.com</a>
+ * @since 27-Feb-2006
+ */
+public class SSLClient extends SSLSocketFactory {
+ private final SSL ssl;
+
+ public SSLClient()
+ throws GeneralSecurityException, IOException {
+ this.ssl = new SSL();
+ }
+
+ public void addTrustMaterial(TrustChain trustChain)
+ throws NoSuchAlgorithmException, KeyStoreException,
+ KeyManagementException, IOException, CertificateException {
+ ssl.addTrustMaterial(trustChain);
+ }
+
+ public void setTrustMaterial(TrustChain trustChain)
+ throws NoSuchAlgorithmException, KeyStoreException,
+ KeyManagementException, IOException, CertificateException {
+ ssl.setTrustMaterial(trustChain);
+ }
+
+ public void setKeyMaterial(KeyMaterial keyMaterial)
+ throws NoSuchAlgorithmException, KeyStoreException,
+ KeyManagementException, IOException, CertificateException {
+ ssl.setKeyMaterial(keyMaterial);
+ }
+
+ public void setIsSecure(boolean b) { ssl.setIsSecure(b); }
+
+ public void setDnsOverride(Map m) { ssl.setDnsOverride(m); }
+
+ public void setCheckCRL(boolean b) { ssl.setCheckCRL(b); }
+
+ public void setCheckExpiry(boolean b) { ssl.setCheckExpiry(b); }
+
+ public void setCheckHostname(boolean b) { ssl.setCheckHostname(b); }
+
+ public void setConnectTimeout(int i) { ssl.setConnectTimeout(i); }
+
+ public void setDefaultProtocol(String s) { ssl.setDefaultProtocol(s); }
+
+ public void setEnabledCiphers(String[] ciphers) {
+ ssl.setEnabledCiphers(ciphers);
+ }
+
+ public void setEnabledProtocols(String[] protocols) {
+ ssl.setEnabledProtocols(protocols);
+ }
+
+ public void setHostnameVerifier(HostnameVerifier verifier) {
+ ssl.setHostnameVerifier(verifier);
+ }
+
+ public void setSoTimeout(int soTimeout) { ssl.setSoTimeout(soTimeout); }
+
+ public void setSSLWrapperFactory(SSLWrapperFactory wf) {
+ ssl.setSSLWrapperFactory(wf);
+ }
+
+ public void setNeedClientAuth(boolean b) { ssl.setNeedClientAuth(b); }
+
+ public void setWantClientAuth(boolean b) { ssl.setWantClientAuth(b); }
+
+ public void setUseClientMode(boolean b) { ssl.setUseClientMode(b); }
+
+ public boolean isSecure() { return ssl.isSecure(); }
+
+ public X509Certificate[] getAssociatedCertificateChain() {
+ return ssl.getAssociatedCertificateChain();
+ }
+
+ public boolean getCheckCRL() { return ssl.getCheckCRL(); }
+
+ public boolean getCheckExpiry() { return ssl.getCheckExpiry(); }
+
+ public boolean getCheckHostname() { return ssl.getCheckHostname(); }
+
+ public int getConnectTimeout() { return ssl.getConnectTimeout(); }
+
+ public String getDefaultProtocol() { return ssl.getDefaultProtocol(); }
+
+ public String[] getEnabledCiphers() { return ssl.getEnabledCiphers(); }
+
+ public String[] getEnabledProtocols() { return ssl.getEnabledProtocols(); }
+
+ public HostnameVerifier getHostnameVerifier() {
+ return ssl.getHostnameVerifier();
+ }
+
+ public int getSoTimeout() { return ssl.getSoTimeout(); }
+
+ public SSLWrapperFactory getSSLWrapperFactory() {
+ return ssl.getSSLWrapperFactory();
+ }
+
+ public boolean getNeedClientAuth() { return ssl.getNeedClientAuth(); }
+
+ public boolean getWantClientAuth() { return ssl.getWantClientAuth(); }
+
+ public boolean getUseClientMode() { /* SSLClient's default is true. */
+ return ssl.getUseClientModeDefault() || ssl.getUseClientMode();
+ }
+
+ public SSLContext getSSLContext() throws GeneralSecurityException, IOException {
+ return ssl.getSSLContext();
+ }
+
+ public TrustChain getTrustChain() { return ssl.getTrustChain(); }
+
+ public X509Certificate[] getCurrentServerChain() {
+ return ssl.getCurrentServerChain();
+ }
+
+ public String[] getDefaultCipherSuites() {
+ return ssl.getDefaultCipherSuites();
+ }
+
+ public String[] getSupportedCipherSuites() {
+ return ssl.getSupportedCipherSuites();
+ }
+
+ public Socket createSocket() throws IOException {
+ return ssl.createSocket();
+ }
+
+ public Socket createSocket(String host, int port)
+ throws IOException {
+ return createSocket(host, port, null, 0);
+ }
+
+ public Socket createSocket(InetAddress host, int port)
+ throws IOException {
+ return createSocket(host.getHostName(), port);
+ }
+
+ public Socket createSocket(InetAddress host, int port,
+ InetAddress localHost, int localPort)
+ throws IOException {
+ return createSocket(host.getHostName(), port, localHost, localPort);
+ }
+
+ public Socket createSocket(String host, int port,
+ InetAddress localHost, int localPort)
+ throws IOException {
+ return createSocket(host, port, localHost, localPort, 0);
+ }
+
+ /**
+ * Attempts to get a new socket connection to the given host within the
+ * given time limit.
+ *
+ * @param host the host name/IP
+ * @param port the port on the host
+ * @param localHost the local host name/IP to bind the socket to
+ * @param localPort the port on the local machine
+ * @param timeout the connection timeout (0==infinite)
+ * @return Socket a new socket
+ * @throws java.io.IOException if an I/O error occurs while creating thesocket
+ * @throws java.net.UnknownHostException if the IP address of the host cannot be
+ * determined
+ */
+ public Socket createSocket(String host, int port, InetAddress localHost,
+ int localPort, int timeout)
+ throws IOException {
+ return ssl.createSocket(host, port, localHost, localPort, timeout);
+ }
+
+ public Socket createSocket(Socket s, String remoteHost, int remotePort,
+ boolean autoClose)
+ throws IOException {
+ return ssl.createSocket(s, remoteHost, remotePort, autoClose);
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/23c1fd12/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/SSLEchoServer.java
----------------------------------------------------------------------
diff --git a/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/SSLEchoServer.java b/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/SSLEchoServer.java
new file mode 100644
index 0000000..7bf6941
--- /dev/null
+++ b/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/SSLEchoServer.java
@@ -0,0 +1,149 @@
+/*
+ * $HeadURL: http://juliusdavies.ca/svn/not-yet-commons-ssl/tags/commons-ssl-0.3.16/src/java/org/apache/commons/ssl/SSLEchoServer.java $
+ * $Revision: 180 $
+ * $Date: 2014-09-23 11:33:47 -0700 (Tue, 23 Sep 2014) $
+ *
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation. For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.commons.ssl;
+
+import org.apache.commons.ssl.util.ReadLine;
+
+import javax.net.ssl.SSLPeerUnverifiedException;
+import javax.net.ssl.SSLServerSocket;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.SSLSocket;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InterruptedIOException;
+import java.io.OutputStream;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+
+/**
+ * @author Credit Union Central of British Columbia
+ * @author <a href="http://www.cucbc.com/">www.cucbc.com</a>
+ * @author <a href="mailto:juliusdavies@cucbc.com">juliusdavies@cucbc.com</a>
+ * @since 2-May-2006
+ */
+public class SSLEchoServer {
+
+ public static void main(String[] args) throws Exception {
+ int port = 7443;
+ if (args.length >= 1) {
+ port = Integer.parseInt(args[0]);
+ }
+
+ SSLServer ssl = new SSLServer();
+ ssl.setTrustMaterial(TrustMaterial.TRUST_ALL);
+ ssl.setCheckExpiry(false);
+ ssl.setCheckCRL(false);
+ ssl.setCheckHostname(false);
+ ssl.setWantClientAuth(true);
+
+ SSLServerSocket ss = (SSLServerSocket) ssl.createServerSocket(port, 3);
+ System.out.println("SSL Echo server listening on port: " + port);
+ while (true) {
+ SSLSocket s = (SSLSocket) ss.accept();
+ s.setSoTimeout(30000);
+ EchoRunnable r = new EchoRunnable(s);
+ new Thread(r).start();
+ }
+
+ }
+
+ public static class EchoRunnable implements Runnable {
+ private SSLSocket s;
+
+ public EchoRunnable(SSLSocket s) {
+ this.s = s;
+ }
+
+ public void run() {
+ InputStream in = null;
+ OutputStream out = null;
+ System.out.println("Socket accepted!");
+ try {
+ SSLSession session = s.getSession();
+
+ try {
+ Certificate[] certs = JavaImpl.getPeerCertificates(session);
+ if (certs != null) {
+ for (int i = 0; i < certs.length; i++) {
+ // log client cert info
+ X509Certificate cert = (X509Certificate) certs[i];
+ String s = "client cert " + i + ":";
+ s += JavaImpl.getSubjectX500(cert);
+ System.out.println(s);
+ System.out.println(Certificates.toString(cert));
+ }
+ }
+ }
+ catch (SSLPeerUnverifiedException sslpue) {
+ // oh well, no client cert for us
+ System.out.println(sslpue);
+ }
+
+ in = s.getInputStream();
+ out = s.getOutputStream();
+ ReadLine readLine = new ReadLine(in);
+ String line = readLine.next();
+ if (line != null && line.indexOf("HTTP") > 0) {
+ out.write("HTTP/1.1 200 OK\r\n\r\n".getBytes());
+ out.flush();
+ }
+ while (line != null) {
+ String echo = "ECHO:>" + line + "\n";
+ out.write(echo.getBytes());
+ out.flush();
+ line = readLine.next();
+ }
+ }
+ catch (IOException ioe) {
+ try {
+ if (out != null) {
+ out.close();
+ }
+ if (in != null) {
+ in.close();
+ }
+ s.close();
+ }
+ catch (Exception e) {
+ }
+
+ if (ioe instanceof InterruptedIOException) {
+ System.out.println("Socket closed after 30 second timeout.");
+ } else {
+ ioe.printStackTrace();
+ }
+
+ }
+ }
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/23c1fd12/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/SSLProxyServer.java
----------------------------------------------------------------------
diff --git a/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/SSLProxyServer.java b/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/SSLProxyServer.java
new file mode 100644
index 0000000..795dc88
--- /dev/null
+++ b/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/SSLProxyServer.java
@@ -0,0 +1,196 @@
+/*
+ * $HeadURL: http://juliusdavies.ca/svn/not-yet-commons-ssl/tags/commons-ssl-0.3.16/src/java/org/apache/commons/ssl/SSLProxyServer.java $
+ * $Revision: 132 $
+ * $Date: 2008-01-11 21:20:26 -0800 (Fri, 11 Jan 2008) $
+ *
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation. For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.commons.ssl;
+
+import org.apache.commons.ssl.util.ReadLine;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InterruptedIOException;
+import java.io.OutputStream;
+import java.net.InetSocketAddress;
+import java.net.ServerSocket;
+import java.net.Socket;
+
+/**
+ * @author Credit Union Central of British Columbia
+ * @author <a href="http://www.cucbc.com/">www.cucbc.com</a>
+ * @author <a href="mailto:juliusdavies@cucbc.com">juliusdavies@cucbc.com</a>
+ * @since 5-May-2006
+ */
+public class SSLProxyServer {
+
+ public static void main(String[] args) throws Exception {
+ int port = 7444;
+ if (args.length >= 1) {
+ port = Integer.parseInt(args[0]);
+ }
+
+ ServerSocket ss = new ServerSocket(port);
+
+ System.out.println("SSL Proxy server listening on port: " + port);
+ while (true) {
+ Socket s = ss.accept();
+ s.setSoTimeout(10000);
+ ProxyRunnable r = new ProxyRunnable(s);
+ new Thread(r).start();
+ }
+
+ }
+
+ public static class ProxyRunnable implements Runnable {
+ private Socket s;
+
+ public ProxyRunnable(Socket s) {
+ this.s = s;
+ }
+
+ public void run() {
+ InputStream in = null;
+ OutputStream out = null;
+ InputStream newIn = null;
+ OutputStream newOut = null;
+ Socket newSocket = new Socket();
+ System.out.println("Socket accepted!");
+ try {
+ in = s.getInputStream();
+ out = s.getOutputStream();
+ ReadLine readLine = new ReadLine(in);
+ String line = readLine.next();
+ line = line.trim();
+ String connect = line.substring(0, "CONNECT".length());
+ InetSocketAddress addr = null;
+ if ("CONNECT".equalsIgnoreCase(connect)) {
+ line = line.substring("CONNECT".length()).trim();
+ line = line.substring(0, line.length() - "HTTP/1.1".length()).trim();
+ HostPort hostPort = Util.toAddress(line, 443);
+ addr = new InetSocketAddress(hostPort.host, hostPort.port);
+ System.out.println("Attempting to proxy to: " + line);
+ } else {
+ throw new IOException("not a proxy request: " + line);
+ }
+
+ int avail = in.available();
+ in.skip(avail);
+ Thread.yield();
+ avail = in.available();
+ while (avail != 0) {
+ in.skip(avail);
+ Thread.yield();
+ avail = in.available();
+ }
+
+ InetSocketAddress local = new InetSocketAddress(0);
+ newSocket.setSoTimeout(10000);
+ newSocket.bind(local);
+ newSocket.connect(addr, 5000);
+ newIn = newSocket.getInputStream();
+ newOut = newSocket.getOutputStream();
+
+ out.write("HTTP/1.1 200 OKAY\r\n\r\n".getBytes());
+ out.flush();
+
+ final IOException[] e = new IOException[1];
+ final InputStream rIn = in;
+ final OutputStream rNewOut = newOut;
+ Runnable r = new Runnable() {
+ public void run() {
+ try {
+ byte[] buf = new byte[4096];
+ int read = rIn.read(buf);
+ while (read >= 0) {
+ if (read > 0) {
+ rNewOut.write(buf, 0, read);
+ rNewOut.flush();
+ }
+ read = rIn.read(buf);
+ }
+ }
+ catch (IOException ioe) {
+ e[0] = ioe;
+ }
+ }
+ };
+ new Thread(r).start();
+
+ byte[] buf = new byte[4096];
+ int read = newIn.read(buf);
+ while (read >= 0) {
+ if (read > 0) {
+ out.write(buf, 0, read);
+ out.flush();
+ }
+ if (e[0] != null) {
+ throw e[0];
+ }
+ read = newIn.read(buf);
+ }
+
+
+ }
+ catch (IOException ioe) {
+ try {
+ if (out != null) {
+ out.close();
+ }
+ if (in != null) {
+ in.close();
+ }
+ s.close();
+ }
+ catch (Exception e) {
+ }
+
+ try {
+ if (newOut != null) {
+ newOut.close();
+ }
+ if (newIn != null) {
+ newIn.close();
+ }
+ newSocket.close();
+ }
+ catch (Exception e) {
+ }
+
+
+ if (ioe instanceof InterruptedIOException) {
+ System.out.println("Socket closed after 10 second timeout.");
+ } else {
+ ioe.printStackTrace();
+ }
+
+ }
+ }
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/23c1fd12/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/SSLServer.java
----------------------------------------------------------------------
diff --git a/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/SSLServer.java b/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/SSLServer.java
new file mode 100644
index 0000000..13472ed
--- /dev/null
+++ b/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/SSLServer.java
@@ -0,0 +1,284 @@
+/*
+ * $HeadURL: http://juliusdavies.ca/svn/not-yet-commons-ssl/tags/commons-ssl-0.3.16/src/java/org/apache/commons/ssl/SSLServer.java $
+ * $Revision: 180 $
+ * $Date: 2014-09-23 11:33:47 -0700 (Tue, 23 Sep 2014) $
+ *
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation. For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.commons.ssl;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLServerSocketFactory;
+import java.io.File;
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.ServerSocket;
+import java.security.GeneralSecurityException;
+import java.security.KeyManagementException;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.Map;
+import java.util.Properties;
+
+/**
+ * @author Credit Union Central of British Columbia
+ * @author <a href="http://www.cucbc.com/">www.cucbc.com</a>
+ * @author <a href="mailto:juliusdavies@cucbc.com">juliusdavies@cucbc.com</a>
+ * @since May 1, 2006
+ */
+public class SSLServer extends SSLServerSocketFactory {
+ protected final SSL ssl;
+
+ public SSLServer()
+ throws GeneralSecurityException, IOException {
+ this.ssl = new SSL();
+ // client certs aren't usually tied down to a single host (and who knows
+ // if the DNS reverse-lookup will work!).
+ setCheckHostname(false);
+
+ // If "javax.net.ssl.keyStore" is set, then we won't bother with this
+ // silly SSLServer default behaviour.
+ if (!ssl.usingSystemProperties) {
+ // commons-ssl default KeyMaterial will be
+ // ~/.keystore with a password of "changeit".
+ useDefaultKeyMaterial();
+ }
+ }
+
+ /**
+ * Tries to extract the TrustMaterial and KeyMaterial being used by a Tomcat
+ * SSL server (usually on 8443) by analyzing Tomcat's "server.xml" file. If
+ * the extraction is successful, the TrustMaterial and KeyMaterial are
+ * applied to this SSLServer.
+ *
+ * @return true if the operation was successful.
+ * @throws java.security.GeneralSecurityException setKeyMaterial() failed
+ * @throws java.io.IOException setKeyMaterial() failed
+ */
+ public boolean useTomcatSSLMaterial()
+ throws GeneralSecurityException, IOException {
+ // If running inside Tomcat, let's try to re-use Tomcat's SSL
+ // certificate for our own stuff (e.g. RMI-SSL).
+ Integer p8443 = Integer.valueOf(8443);
+ KeyMaterial km;
+ TrustMaterial tm;
+ km = (KeyMaterial) TomcatServerXML.KEY_MATERIAL_BY_PORT.get(p8443);
+ tm = (TrustMaterial) TomcatServerXML.TRUST_MATERIAL_BY_PORT.get(p8443);
+
+ // If 8443 isn't set, let's take lowest secure port.
+ km = km == null ? TomcatServerXML.KEY_MATERIAL : km;
+ tm = tm == null ? TomcatServerXML.TRUST_MATERIAL : tm;
+ boolean success = false;
+ if (km != null) {
+ setKeyMaterial(km);
+ success = true;
+ if (tm != null && !TrustMaterial.DEFAULT.equals(tm)) {
+ setTrustMaterial(tm);
+ }
+ }
+ return success;
+ }
+
+ private boolean useDefaultKeyMaterial()
+ throws GeneralSecurityException, IOException {
+ // If we're not able to re-use Tomcat's SSLServerSocket configuration,
+ // commons-ssl default KeyMaterial will be ~/.keystore with a password
+ // of "changeit".
+ Properties props = System.getProperties();
+ boolean pwdSet = props.containsKey("javax.net.ssl.keyStorePassword");
+ String pwd = props.getProperty("javax.net.ssl.keyStorePassword");
+ pwd = pwdSet ? pwd : "changeit";
+
+ String userHome = System.getProperty("user.home");
+ String path = userHome + "/.keystore";
+ File f = new File(path);
+ boolean success = false;
+ if (f.exists()) {
+ KeyMaterial km = null;
+ try {
+ km = new KeyMaterial(path, pwd.toCharArray());
+ }
+ catch (Exception e) {
+ // Don't want to blowup just because this silly default
+ // behaviour didn't work out.
+ if (pwdSet) {
+ // Buf if the user has specified a non-standard password for
+ // "javax.net.ssl.keyStorePassword", then we will warn them
+ // that things didn't work out.
+ System.err.println("commons-ssl automatic loading of [" + path + "] failed. ");
+ System.err.println(e);
+ }
+ }
+ if (km != null) {
+ setKeyMaterial(km);
+ success = true;
+ }
+ }
+ return success;
+ }
+
+ public void setDnsOverride(Map m) { ssl.setDnsOverride(m); }
+
+ public void addTrustMaterial(TrustChain trustChain)
+ throws NoSuchAlgorithmException, KeyStoreException,
+ KeyManagementException, IOException, CertificateException {
+ ssl.addTrustMaterial(trustChain);
+ }
+
+ public void setTrustMaterial(TrustChain trustChain)
+ throws NoSuchAlgorithmException, KeyStoreException,
+ KeyManagementException, IOException, CertificateException {
+ ssl.setTrustMaterial(trustChain);
+ }
+
+ public void setKeyMaterial(KeyMaterial keyMaterial)
+ throws NoSuchAlgorithmException, KeyStoreException,
+ KeyManagementException, IOException, CertificateException {
+ ssl.setKeyMaterial(keyMaterial);
+ }
+
+ public void setCheckCRL(boolean b) { ssl.setCheckCRL(b); }
+
+ public void setCheckExpiry(boolean b) { ssl.setCheckExpiry(b); }
+
+ public void setCheckHostname(boolean b) { ssl.setCheckHostname(b); }
+
+ public void setConnectTimeout(int i) { ssl.setConnectTimeout(i); }
+
+ public void setDefaultProtocol(String s) { ssl.setDefaultProtocol(s); }
+
+ public void setEnabledCiphers(String[] ciphers) {
+ ssl.setEnabledCiphers(ciphers);
+ }
+
+ public void setEnabledProtocols(String[] protocols) {
+ ssl.setEnabledProtocols(protocols);
+ }
+
+ public void setHostnameVerifier(HostnameVerifier verifier) {
+ ssl.setHostnameVerifier(verifier);
+ }
+
+ public void setSoTimeout(int soTimeout) { ssl.setSoTimeout(soTimeout); }
+
+ public void setSSLWrapperFactory(SSLWrapperFactory wf) {
+ ssl.setSSLWrapperFactory(wf);
+ }
+
+ public void setNeedClientAuth(boolean b) { ssl.setNeedClientAuth(b); }
+
+ public void setWantClientAuth(boolean b) { ssl.setWantClientAuth(b); }
+
+ public void setUseClientMode(boolean b) { ssl.setUseClientMode(b); }
+
+ public X509Certificate[] getAssociatedCertificateChain() {
+ return ssl.getAssociatedCertificateChain();
+ }
+
+ public boolean getCheckCRL() { return ssl.getCheckCRL(); }
+
+ public boolean getCheckExpiry() { return ssl.getCheckExpiry(); }
+
+ public boolean getCheckHostname() { return ssl.getCheckHostname(); }
+
+ public int getConnectTimeout() { return ssl.getConnectTimeout(); }
+
+ public String getDefaultProtocol() { return ssl.getDefaultProtocol(); }
+
+ public String[] getEnabledCiphers() { return ssl.getEnabledCiphers(); }
+
+ public String[] getEnabledProtocols() { return ssl.getEnabledProtocols(); }
+
+ public HostnameVerifier getHostnameVerifier() {
+ return ssl.getHostnameVerifier();
+ }
+
+ public int getSoTimeout() { return ssl.getSoTimeout(); }
+
+ public SSLWrapperFactory getSSLWrapperFactory() {
+ return ssl.getSSLWrapperFactory();
+ }
+
+ public boolean getNeedClientAuth() { return ssl.getNeedClientAuth(); }
+
+ public boolean getWantClientAuth() { return ssl.getWantClientAuth(); }
+
+ public boolean getUseClientMode() { /* SSLServer's default is false. */
+ return !ssl.getUseClientModeDefault() && ssl.getUseClientMode();
+ }
+
+ public SSLContext getSSLContext() throws GeneralSecurityException, IOException {
+ return ssl.getSSLContext();
+ }
+
+ public TrustChain getTrustChain() { return ssl.getTrustChain(); }
+
+ public X509Certificate[] getCurrentClientChain() {
+ return ssl.getCurrentClientChain();
+ }
+
+ public String[] getDefaultCipherSuites() {
+ return ssl.getDefaultCipherSuites();
+ }
+
+ public String[] getSupportedCipherSuites() {
+ return ssl.getSupportedCipherSuites();
+ }
+
+ public ServerSocket createServerSocket() throws IOException {
+ return ssl.createServerSocket();
+ }
+
+ public ServerSocket createServerSocket(int port)
+ throws IOException {
+ return createServerSocket(port, 50);
+ }
+
+ public ServerSocket createServerSocket(int port, int backlog)
+ throws IOException {
+ return createServerSocket(port, backlog, null);
+ }
+
+ /**
+ * Attempts to get a new socket connection to the given host within the
+ * given time limit.
+ *
+ * @param localHost the local host name/IP to bind against (null == ANY)
+ * @param port the port to listen on
+ * @param backlog number of connections allowed to queue up for accept().
+ * @return SSLServerSocket a new server socket
+ * @throws java.io.IOException if an I/O error occurs while creating thesocket
+ */
+ public ServerSocket createServerSocket(int port, int backlog,
+ InetAddress localHost)
+ throws IOException {
+ return ssl.createServerSocket(port, backlog, localHost);
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/23c1fd12/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/SSLServerSocketWrapper.java
----------------------------------------------------------------------
diff --git a/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/SSLServerSocketWrapper.java b/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/SSLServerSocketWrapper.java
new file mode 100644
index 0000000..c5d24d9
--- /dev/null
+++ b/3rdparty/not-yet-commons-ssl/src/main/java/org/apache/commons/ssl/SSLServerSocketWrapper.java
@@ -0,0 +1,182 @@
+/*
+ * $HeadURL: http://juliusdavies.ca/svn/not-yet-commons-ssl/tags/commons-ssl-0.3.16/src/java/org/apache/commons/ssl/SSLServerSocketWrapper.java $
+ * $Revision: 121 $
+ * $Date: 2007-11-13 21:26:57 -0800 (Tue, 13 Nov 2007) $
+ *
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation. For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.commons.ssl;
+
+import javax.net.ssl.SSLServerSocket;
+import javax.net.ssl.SSLSocket;
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.Socket;
+import java.net.SocketAddress;
+import java.net.SocketException;
+import java.nio.channels.ServerSocketChannel;
+
+/**
+ * Wraps an SSLServerSocket - NOTE that the accept() method applies a number of
+ * important common-ssl settings before returning the SSLSocket!
+ *
+ * @author Credit Union Central of British Columbia
+ * @author <a href="http://www.cucbc.com/">www.cucbc.com</a>
+ * @author <a href="mailto:juliusdavies@cucbc.com">juliusdavies@cucbc.com</a>
+ * @since 20-Nov-2006
+ */
+public class SSLServerSocketWrapper extends SSLServerSocket {
+ protected SSLServerSocket s;
+ protected SSL ssl;
+ protected SSLWrapperFactory wf;
+
+ public SSLServerSocketWrapper(SSLServerSocket s, SSL ssl,
+ SSLWrapperFactory wf)
+ throws IOException {
+ super();
+ this.s = s;
+ this.ssl = ssl;
+ this.wf = wf;
+ }
+
+ /* javax.net.ssl.SSLServerSocket */
+
+ public Socket accept() throws IOException {
+ SSLSocket secureSocket = (SSLSocket) s.accept();
+
+ // Do the commons-ssl usual housekeeping for every socket:
+ ssl.doPreConnectSocketStuff(secureSocket);
+ InetAddress addr = secureSocket.getInetAddress();
+ String hostName = addr.getHostName();
+ ssl.doPostConnectSocketStuff(secureSocket, hostName);
+
+ return wf.wrap(secureSocket);
+ }
+
+ public String[] getEnabledCipherSuites() {
+ return s.getEnabledCipherSuites();
+ }
+
+ public String[] getEnabledProtocols() { return s.getEnabledProtocols(); }
+
+ public boolean getEnableSessionCreation() {
+ return s.getEnableSessionCreation();
+ }
+
+ public boolean getNeedClientAuth() { return s.getNeedClientAuth(); }
+
+ public String[] getSupportedCipherSuites() {
+ return s.getSupportedCipherSuites();
+ }
+
+ public String[] getSupportedProtocols() { return s.getSupportedProtocols(); }
+
+ public boolean getUseClientMode() { return s.getUseClientMode(); }
+
+ public boolean getWantClientAuth() { return s.getWantClientAuth(); }
+
+ public void setEnabledCipherSuites(String[] suites) {
+ s.setEnabledCipherSuites(suites);
+ }
+
+ public void setEnabledProtocols(String[] protocols) {
+ s.setEnabledProtocols(protocols);
+ }
+
+ public void setEnableSessionCreation(boolean flag) {
+ s.setEnableSessionCreation(flag);
+ }
+
+ public void setNeedClientAuth(boolean need) {
+ s.setNeedClientAuth(need);
+ }
+
+ public void setUseClientMode(boolean use) { s.setUseClientMode(use); }
+
+ public void setWantClientAuth(boolean want) {
+ s.setWantClientAuth(want);
+ }
+
+ /* java.net.Socket */
+
+ public void bind(SocketAddress endpoint) throws IOException {
+ s.bind(endpoint);
+ }
+
+ public void bind(SocketAddress ep, int bl) throws IOException {
+ s.bind(ep, bl);
+ }
+
+ public void close() throws IOException { s.close(); }
+
+ public ServerSocketChannel getChannel() { return s.getChannel(); }
+
+ public InetAddress getInetAddress() { return s.getInetAddress(); }
+
+ public int getLocalPort() { return s.getLocalPort(); }
+
+ public SocketAddress getLocalSocketAddress() {
+ return s.getLocalSocketAddress();
+ }
+
+ public int getReceiveBufferSize() throws SocketException {
+ return s.getReceiveBufferSize();
+ }
+
+ public boolean getReuseAddress() throws SocketException {
+ return s.getReuseAddress();
+ }
+
+ public int getSoTimeout() throws IOException { return s.getSoTimeout(); }
+
+ public boolean isBound() { return s.isBound(); }
+
+ public boolean isClosed() { return s.isClosed(); }
+
+ public void setReceiveBufferSize(int size) throws SocketException {
+ s.setReceiveBufferSize(size);
+ }
+
+ public void setReuseAddress(boolean on) throws SocketException {
+ s.setReuseAddress(on);
+ }
+
+ public void setSoTimeout(int timeout) throws SocketException {
+ s.setSoTimeout(timeout);
+ }
+
+ public String toString() { return s.toString(); }
+
+ /* Java 1.5
+ public void setPerformancePreferences(int connectionTime, int latency, int bandwidth)
+ {
+ s.setPerformancePreferences( connectionTime, latency, bandwidth );
+ }
+ */
+
+
+}