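package org.jacorb.security.ssl.iaik;

import org.apache.avalon.framework.logger.Logger;
import org.apache.avalon.framework.configuration.*;

import org.jacorb.security.level2.*;
import org.jacorb.security.util.*;

import iaik.security.ssl.*;

import java.util.*;
import java.net.*;
import java.io.IOException;
import java.security.ProviderException;
import java.security.cert.X509Certificate;

/**
 * Client-side socket factory backed by the IAIK SSL toolkit.
 *
 * Every socket handed out by {@link #createSocket(String, int)} is an IAIK
 * {@code SSLSocket} built on one lazily created, shared
 * {@code SSLClientContext}. The context is populated from the ORB
 * configuration:
 * <ul>
 *   <li>{@code jacorb.security.trustees} - certificate files that become the
 *       trust anchors for peer certificate chains. <b>SECURITY:</b> when this
 *       list is empty no trust anchor is installed and, as the logged warning
 *       states, every peer certificate chain is accepted, i.e. the server is
 *       not authenticated and the connection is open to man-in-the-middle
 *       attacks. Production deployments must configure trustees.</li>
 *   <li>{@code jacorb.security.ssl.client.supported_options} - hexadecimal
 *       bitmask; when bit {@code 0x40} is set the client credentials obtained
 *       from the SecurityCurrent are added to the context.</li>
 *   <li>{@code jacorb.security.ssl.client.required_options} - hexadecimal
 *       bitmask; parsed and stored but not consulted by this class.</li>
 *   <li>{@code jacorb.security.iaik_debug} - when true, IAIK debug output is
 *       sent to {@code System.out}. Handshake tracing may expose session
 *       details, so leave this off outside of troubleshooting.</li>
 * </ul>
 */
public class SSLSocketFactory
    implements org.jacorb.orb.factory.SocketFactory, Configurable
{
    /** Names of the cipher suites reported as defaults (from SSLSetup). */
    private String[] default_cs = null;
    private org.jacorb.orb.ORB orb = null;
    /** Shared client context, built on first use by getDefaultContext(). */
    private SSLContext default_context = null;
    private short clientRequiredOptions = 0;
    private short clientSupportedOptions = 0;
    private boolean iaikDebug = false;
    /** File names of trusted certificates, possibly empty (see class doc). */
    private List trusteeFileNames;
    private Logger logger;

    /**
     * Creates the factory, snapshots the IAIK default cipher suite names and
     * configures itself from the ORB's configuration.
     *
     * @param orb the owning ORB, later used to resolve "SecurityCurrent"
     * @throws ConfigurationException if an option value is not valid
     *         hexadecimal or the configuration cannot be read
     */
    public SSLSocketFactory(org.jacorb.orb.ORB orb)
        throws ConfigurationException
    {
        this.orb = orb;

        CipherSuite[] suites = SSLSetup.getCipherSuites();
        default_cs = new String[suites.length];
        for (int i = 0; i < suites.length; i++)
        {
            default_cs[i] = suites[i].toString();
        }

        configure(orb.getConfiguration());
    }

    /**
     * Reads the logger, option bitmasks, trustee list and debug flag from the
     * configuration.
     *
     * @param configuration expected to be a {@code org.jacorb.config.Configuration}
     * @throws ConfigurationException if an option bitmask is not valid hexadecimal
     *         (previously a NumberFormatException escaped the declared contract)
     */
    public void configure(Configuration configuration)
        throws ConfigurationException
    {
        org.jacorb.config.Configuration jacorbConfig =
            (org.jacorb.config.Configuration) configuration;

        logger = jacorbConfig.getNamedLogger("jacorb.security.jsse");

        clientRequiredOptions =
            parseOptionMask(configuration, "jacorb.security.ssl.client.required_options");
        clientSupportedOptions =
            parseOptionMask(configuration, "jacorb.security.ssl.client.supported_options");

        trusteeFileNames = jacorbConfig.getAttributeList("jacorb.security.trustees");

        if (trusteeFileNames.isEmpty())
        {
            // SECURITY: without trust anchors the peer is not authenticated.
            logger.warn("No trusted certificates specified. This will accept all peer certificate chains!");
        }

        iaikDebug = configuration.getAttributeAsBoolean("jacorb.security.iaik_debug", false);
    }

    /**
     * Parses a hexadecimal option bitmask attribute, defaulting to 0.
     *
     * @throws ConfigurationException if the value is not a valid 16-bit hex number;
     *         the NumberFormatException is kept as the cause
     */
    private static short parseOptionMask(Configuration configuration, String key)
        throws ConfigurationException
    {
        String value = configuration.getAttribute(key, "0");
        try
        {
            return Short.parseShort(value, 16);
        }
        catch (NumberFormatException nfe)
        {
            throw new ConfigurationException(
                "Invalid hexadecimal value for " + key + ": " + value, nfe);
        }
    }

    /**
     * Opens an SSL connection to {@code host:port} using the shared client context.
     *
     * @throws IOException if the connection or the context setup fails; a
     *         GeneralSecurityException from context setup is logged and
     *         rethrown as an IOException with the original as its cause
     * @throws UnknownHostException if the host cannot be resolved
     */
    public Socket createSocket(String host, int port)
        throws IOException, UnknownHostException
    {
        try
        {
            return new SSLSocket(host, port, getDefaultContext());
        }
        catch (java.security.GeneralSecurityException g)
        {
            if (logger.isWarnEnabled())
                logger.warn("GeneralSecurityException", g);
            // Preserve the real failure so callers can diagnose TLS setup errors;
            // initCause() is used because IOException(String, Throwable) is not
            // available on the Java level this file targets.
            IOException ioe = new IOException(g.getMessage());
            ioe.initCause(g);
            throw ioe;
        }
    }

    /**
     * Fetches the client's own key/certificate pairs from the ORB's SecurityCurrent.
     *
     * @throws ProviderException if "SecurityCurrent" cannot be resolved; the
     *         InvalidName is kept as the cause
     */
    private org.jacorb.security.level2.KeyAndCert[] getSSLCredentials()
    {
        try
        {
            CurrentImpl current =
                (CurrentImpl) orb.resolve_initial_references("SecurityCurrent");
            return current.getSSLCredentials();
        }
        catch (org.omg.CORBA.ORBPackage.InvalidName in)
        {
            ProviderException pe =
                new ProviderException("Unable to obtain Security Current.");
            pe.initCause(in);
            throw pe;
        }
    }

    /**
     * Returns the shared client context, building it on first call.
     *
     * The context gets the client credentials when bit 0x40 of
     * supported_options is set, and one trust anchor per configured trustee
     * file. NOTE(review): the lazy initialisation is unsynchronised, so two
     * threads making their first call concurrently may each build a context;
     * the last one written wins.
     */
    private SSLContext getDefaultContext()
        throws iaik.x509.X509ExtensionException, java.security.cert.CertificateException,
               java.security.NoSuchAlgorithmException, java.security.InvalidKeyException,
               java.security.NoSuchProviderException, java.io.IOException
    {
        if (default_context != null)
        {
            return default_context;
        }

        SSLClientContext ctx = new SSLClientContext();

        // Bit 0x40: present our own certificate chain(s) to the server.
        if ((clientSupportedOptions & 0x40) != 0)
        {
            org.jacorb.security.level2.KeyAndCert[] kac = getSSLCredentials();
            for (int i = 0; i < kac.length; i++)
            {
                ctx.addClientCredentials((X509Certificate[]) kac[i].chain, kac[i].key);
            }
        }

        // Trust anchors; an empty list installs none (see class doc).
        for (Iterator iter = trusteeFileNames.iterator(); iter.hasNext();)
        {
            String fileName = (String) iter.next();
            ctx.addTrustedCertificate(CertUtils.readCertificate(fileName));
        }

        if (iaikDebug)
        {
            ctx.setDebugStream(System.out);
        }

        default_context = ctx;
        return default_context;
    }

    /**
     * Returns the names of the default cipher suites captured at construction.
     * A copy is returned so callers cannot alter the factory's list.
     */
    public String[] getDefaultCipherSuites()
    {
        return (String[]) default_cs.clone();
    }

    /**
     * Returns the names of the cipher suites in IAIK's {@code CipherSuite.getDefault()}
     * set. NOTE(review): despite the method name this reports IAIK's default set,
     * not necessarily every suite the toolkit supports.
     */
    public String[] getSupportedCipherSuites()
    {
        CipherSuite[] suites = CipherSuite.getDefault();
        String[] names = new String[suites.length];
        for (int i = 0; i < names.length; i++)
        {
            names[i] = suites[i].toString();
        }
        return names;
    }

    /** @return true if {@code s} is an IAIK SSLSocket. */
    public boolean isSSL(Socket s)
    {
        return (s instanceof SSLSocket);
    }
}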