From dcf0dfc0bc35896fe670d7a94685d227f45618d2 Mon Sep 17 00:00:00 2001
From: neil_a_wilson <neil_a_wilson@localhost>
Date: Sat, 07 Jul 2007 21:50:13 +0000
Subject: [PATCH] Update the file-based trust manager provider so that it will reject client certificates that are expired or not yet valid. Also update the SSL connection factory used by the client tools so that if an explicit trust store is provided, the validity of the server certificate will also be checked.
---
opends/src/server/org/opends/server/extensions/FileBasedTrustManagerProvider.java | 11 ++
opends/src/server/org/opends/server/messages/UtilityMessages.java | 58 +++++++++++
opends/src/server/org/opends/server/tools/SSLConnectionFactory.java | 14 ++
opends/src/server/org/opends/server/util/ExpirationCheckTrustManager.java | 184 ++++++++++++++++++++++++++++++++++++
4 files changed, 264 insertions(+), 3 deletions(-)
diff --git a/opends/src/server/org/opends/server/extensions/FileBasedTrustManagerProvider.java b/opends/src/server/org/opends/server/extensions/FileBasedTrustManagerProvider.java
index b3d710e..c6e73e6 100644
--- a/opends/src/server/org/opends/server/extensions/FileBasedTrustManagerProvider.java
+++ b/opends/src/server/org/opends/server/extensions/FileBasedTrustManagerProvider.java
@@ -38,6 +38,7 @@
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509TrustManager;
import org.opends.server.admin.server.ConfigurationChangeListener;
import org.opends.server.admin.std.server.FileBasedTrustManagerCfg;
@@ -49,6 +50,7 @@
import org.opends.server.types.DN;
import org.opends.server.types.InitializationException;
import org.opends.server.types.ResultCode;
+import org.opends.server.util.ExpirationCheckTrustManager;
import static org.opends.server.loggers.debug.DebugLogger.*;
import org.opends.server.loggers.debug.DebugTracer;
@@ -326,7 +328,14 @@
TrustManagerFactory trustManagerFactory =
TrustManagerFactory.getInstance(trustManagerAlgorithm);
trustManagerFactory.init(trustStore);
- return trustManagerFactory.getTrustManagers();
+ TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
+ TrustManager[] newTrustManagers = new TrustManager[trustManagers.length];
+ for (int i=0; i < trustManagers.length; i++)
+ {
+ newTrustManagers[i] = new ExpirationCheckTrustManager(
+ (X509TrustManager) trustManagers[i]);
+ }
+ return newTrustManagers;
}
catch (Exception e)
{
diff --git a/opends/src/server/org/opends/server/messages/UtilityMessages.java b/opends/src/server/org/opends/server/messages/UtilityMessages.java
index da43bc9..c5554c6 100644
--- a/opends/src/server/org/opends/server/messages/UtilityMessages.java
+++ b/opends/src/server/org/opends/server/messages/UtilityMessages.java
@@ -1668,6 +1668,51 @@
CATEGORY_MASK_UTIL | SEVERITY_MASK_SEVERE_ERROR | 158;
+
+ /**
+ * The message ID for the message that will be used if a client certificate is
+ * rejected because it is expired. This takes two arguments, which are the
+ * subject DN of the certificate and a string representation of the notAfter
+ * date.
+ */
+ public static final int MSGID_EXPCHECK_TRUSTMGR_CLIENT_CERT_EXPIRED =
+ CATEGORY_MASK_UTIL | SEVERITY_MASK_SEVERE_ERROR | 159;
+
+
+
+ /**
+ * The message ID for the message that will be used if a client certificate is
+ * rejected because it is not yet valid. This takes two arguments, which are
+ * the subject DN of the certificate and a string representation of the
+ * notBefore date.
+ */
+ public static final int MSGID_EXPCHECK_TRUSTMGR_CLIENT_CERT_NOT_YET_VALID =
+ CATEGORY_MASK_UTIL | SEVERITY_MASK_SEVERE_ERROR | 160;
+
+
+
+ /**
+ * The message ID for the message that will be used if a server certificate is
+ * rejected because it is expired. This takes two arguments, which are the
+ * subject DN of the certificate and a string representation of the notAfter
+ * date.
+ */
+ public static final int MSGID_EXPCHECK_TRUSTMGR_SERVER_CERT_EXPIRED =
+ CATEGORY_MASK_UTIL | SEVERITY_MASK_SEVERE_ERROR | 161;
+
+
+
+ /**
+ * The message ID for the message that will be used if a server certificate is
+ * rejected because it is not yet valid. This takes two arguments, which are
+ * the subject DN of the certificate and a string representation of the
+ * notBefore date.
+ */
+ public static final int MSGID_EXPCHECK_TRUSTMGR_SERVER_CERT_NOT_YET_VALID =
+ CATEGORY_MASK_UTIL | SEVERITY_MASK_SEVERE_ERROR | 162;
+
+
+
/**
* Associates a set of generic messages with the message IDs defined in this
* class.
@@ -2222,6 +2267,19 @@
registerMessage(MSGID_RENAMEFILE_CANNOT_RENAME,
"Failed to rename file %s to %s");
+
+ registerMessage(MSGID_EXPCHECK_TRUSTMGR_CLIENT_CERT_EXPIRED,
+ "Refusing to trust client or issuer certificate '%s' " +
+ "because it expired on %s");
+ registerMessage(MSGID_EXPCHECK_TRUSTMGR_CLIENT_CERT_NOT_YET_VALID,
+ "Refusing to trust client or issuer certificate '%s' " +
+ "because it is not valid until %s");
+ registerMessage(MSGID_EXPCHECK_TRUSTMGR_SERVER_CERT_EXPIRED,
+ "Refusing to trust server or issuer certificate '%s' " +
+ "because it expired on %s");
+ registerMessage(MSGID_EXPCHECK_TRUSTMGR_SERVER_CERT_NOT_YET_VALID,
+ "Refusing to trust server or issuer certificate '%s' " +
+ "because it is not valid until %s");
}
}
diff --git a/opends/src/server/org/opends/server/tools/SSLConnectionFactory.java b/opends/src/server/org/opends/server/tools/SSLConnectionFactory.java
index 146c6be..57f0dbc 100644
--- a/opends/src/server/org/opends/server/tools/SSLConnectionFactory.java
+++ b/opends/src/server/org/opends/server/tools/SSLConnectionFactory.java
@@ -39,8 +39,10 @@
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509TrustManager;
import org.opends.server.extensions.BlindTrustManagerProvider;
+import org.opends.server.util.ExpirationCheckTrustManager;
import org.opends.server.util.SelectableCertificateKeyManager;
import static org.opends.server.messages.ToolMessages.*;
@@ -107,8 +109,16 @@
trustManagers = PromptTrustManager.getTrustManagers();
} else
{
- trustManagers = getTrustManagers(KeyStore.getDefaultType(),
- null, trustStorePath, trustStorePassword);
+ TrustManager[] tmpTrustManagers =
+ getTrustManagers(KeyStore.getDefaultType(), null, trustStorePath,
+ trustStorePassword);
+ trustManagers = new TrustManager[tmpTrustManagers.length];
+ for (int i=0; i < trustManagers.length; i++)
+ {
+ trustManagers[i] =
+ new ExpirationCheckTrustManager((X509TrustManager)
+ tmpTrustManagers[i]);
+ }
}
if(keyStorePath != null)
{
diff --git a/opends/src/server/org/opends/server/util/ExpirationCheckTrustManager.java b/opends/src/server/org/opends/server/util/ExpirationCheckTrustManager.java
new file mode 100644
index 0000000..efb439e
--- /dev/null
+++ b/opends/src/server/org/opends/server/util/ExpirationCheckTrustManager.java
@@ -0,0 +1,184 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License, Version 1.0 only
+ * (the "License"). You may not use this file except in compliance
+ * with the License.
+ *
+ * You can obtain a copy of the license at
+ * trunk/opends/resource/legal-notices/OpenDS.LICENSE
+ * or https://OpenDS.dev.java.net/OpenDS.LICENSE.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at
+ * trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
+ * add the following below this CDDL HEADER, with the fields enclosed
+ * by brackets "[]" replaced with your own identifying information:
+ * Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ *
+ *
+ * Portions Copyright 2007 Sun Microsystems, Inc.
+ */
+package org.opends.server.util;
+
+
+
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateNotYetValidException;
+import java.security.cert.X509Certificate;
+import java.util.Date;
+import javax.net.ssl.X509TrustManager;
+
+import org.opends.server.types.ErrorLogCategory;
+import org.opends.server.types.ErrorLogSeverity;
+
+import static org.opends.server.loggers.ErrorLogger.*;
+import static org.opends.server.messages.MessageHandler.*;
+import static org.opends.server.messages.UtilityMessages.*;
+
+
+
+/**
+ * This class implements an X.509 trust manager that will be used to wrap an
+ * existing trust manager and makes it possible to reject a presented
+ * certificate if that certificate is outside the validity window.
+ */
+public class ExpirationCheckTrustManager
+ implements X509TrustManager
+{
+ // The trust manager that is wrapped by this trust manager.
+ private X509TrustManager trustManager;
+
+
+
+ /**
+ * Creates a new instance of this trust manager that will wrap the provided
+ * trust manager.
+ *
+ * @param trustManager The trust manager to be wrapped by this trust
+ * manager.
+ */
+ public ExpirationCheckTrustManager(X509TrustManager trustManager)
+ {
+ this.trustManager = trustManager;
+ }
+
+
+
+ /**
+ * Determines whether to trust the peer based on the provided certificate
+ * chain. In this case, the peer will only be trusted if all certificates in
+ * the chain are within the validity window and the parent trust manager also
+ * accepts the certificate.
+ *
+ * @param chain The peer certificate chain.
+ * @param authType The authentication type based on the client certificate.
+ *
+ * @throws CertificateException If the client certificate chain is not
+ * trusted.
+ */
+ public void checkClientTrusted(X509Certificate[] chain, String authType)
+ throws CertificateException
+ {
+ Date currentDate = new Date();
+ for (X509Certificate c : chain)
+ {
+ try
+ {
+ c.checkValidity(currentDate);
+ }
+ catch (CertificateExpiredException cee)
+ {
+ int msgID = MSGID_EXPCHECK_TRUSTMGR_CLIENT_CERT_EXPIRED;
+ String message = getMessage(msgID, c.getSubjectDN().getName(),
+ String.valueOf(c.getNotAfter()));
+ logError(ErrorLogCategory.CONNECTION_HANDLING,
+ ErrorLogSeverity.SEVERE_WARNING, message, msgID);
+
+ throw cee;
+ }
+ catch (CertificateNotYetValidException cnyve)
+ {
+ int msgID = MSGID_EXPCHECK_TRUSTMGR_CLIENT_CERT_NOT_YET_VALID;
+ String message = getMessage(msgID, c.getSubjectDN().getName(),
+ String.valueOf(c.getNotBefore()));
+ logError(ErrorLogCategory.CONNECTION_HANDLING,
+ ErrorLogSeverity.SEVERE_WARNING, message, msgID);
+
+ throw cnyve;
+ }
+ }
+
+ trustManager.checkClientTrusted(chain, authType);
+ }
+
+
+
+ /**
+ * Determines whether to trust the peer based on the provided certificate
+ * chain. In this case, the peer will only be trusted if all certificates in
+ * the chain are within the validity window and the parent trust manager also
+ * accepts the certificate.
+ *
+ * @param chain The peer certificate chain.
+ * @param authType The key exchange algorithm used.
+ *
+ * @throws CertificateException If the server certificate chain is not
+ * trusted.
+ */
+ public void checkServerTrusted(X509Certificate[] chain, String authType)
+ throws CertificateException
+ {
+ Date currentDate = new Date();
+ for (X509Certificate c : chain)
+ {
+ try
+ {
+ c.checkValidity(currentDate);
+ }
+ catch (CertificateExpiredException cee)
+ {
+ int msgID = MSGID_EXPCHECK_TRUSTMGR_SERVER_CERT_EXPIRED;
+ String message = getMessage(msgID, c.getSubjectDN().getName(),
+ String.valueOf(c.getNotAfter()));
+ logError(ErrorLogCategory.CONNECTION_HANDLING,
+ ErrorLogSeverity.SEVERE_WARNING, message, msgID);
+
+ throw cee;
+ }
+ catch (CertificateNotYetValidException cnyve)
+ {
+ int msgID = MSGID_EXPCHECK_TRUSTMGR_SERVER_CERT_NOT_YET_VALID;
+ String message = getMessage(msgID, c.getSubjectDN().getName(),
+ String.valueOf(c.getNotBefore()));
+ logError(ErrorLogCategory.CONNECTION_HANDLING,
+ ErrorLogSeverity.SEVERE_WARNING, message, msgID);
+
+ throw cnyve;
+ }
+ }
+
+ trustManager.checkServerTrusted(chain, authType);
+ }
+
+
+
+ /**
+ * Retrieves the set of CA certificates which are trusted for authenticating
+ * peers. This will be taken from the parent trust manager.
+ *
+ * @return A non-null (possibly empty) array of acceptable CA issuer
+ * certificates.
+ */
+ public X509Certificate[] getAcceptedIssuers()
+ {
+ return trustManager.getAcceptedIssuers();
+ }
+}
+
--
Gitblit v1.10.0