/* * The contents of this file are subject to the terms of the Common Development and * Distribution License (the License). You may not use this file except in compliance with the * License. * * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the * specific language governing permission and limitations under the License. * * When distributing Covered Software, include this CDDL Header Notice in each file and include * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL * Header, with the fields enclosed by brackets [] replaced by your own identifying * information: "Portions Copyright [year] [name of copyright owner]". * * Copyright 2006-2010 Sun Microsystems, Inc. * Portions Copyright 2014-2016 ForgeRock AS. */ package org.opends.server.extensions; import org.forgerock.i18n.LocalizableMessage; import java.io.File; import java.io.FileInputStream; import java.security.KeyStore; import java.security.KeyStoreException; import java.util.List; import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManagerFactory; import javax.net.ssl.X509TrustManager; import org.forgerock.opendj.config.server.ConfigurationChangeListener; import org.forgerock.opendj.server.config.server.TrustManagerProviderCfg; import org.forgerock.opendj.server.config.server.FileBasedTrustManagerProviderCfg; import org.opends.server.api.TrustManagerProvider; import org.forgerock.opendj.config.server.ConfigException; import org.opends.server.core.DirectoryServer; import org.forgerock.opendj.config.server.ConfigChangeResult; import org.opends.server.types.DirectoryException; import org.opends.server.types.InitializationException; import org.forgerock.opendj.ldap.ResultCode; import org.opends.server.util.ExpirationCheckTrustManager; import org.forgerock.i18n.slf4j.LocalizedLogger; import static org.opends.messages.ExtensionMessages.*; import static org.opends.server.extensions.FileBasedKeyManagerProvider.getKeyStorePIN; import static org.opends.server.util.StaticUtils.*; import static com.forgerock.opendj.util.FipsStaticUtils.isFips; /** * This class defines a trust manager provider that will reference certificates * stored in a file located on the Directory Server filesystem. */ public class FileBasedTrustManagerProvider extends TrustManagerProvider implements ConfigurationChangeListener { private static final LocalizedLogger logger = LocalizedLogger.getLoggerForThisClass(); /** The PIN needed to access the trust store. */ private char[] trustStorePIN; /** The handle to the configuration for this trust manager. */ private FileBasedTrustManagerProviderCfg currentConfig; /** The path to the trust store backing file. */ private String trustStoreFile; /** The trust store type to use. */ private String trustStoreType; /** * Creates a new instance of this file-based trust manager provider. The * initializeTrustManagerProvider method must be called on the * resulting object before it may be used. */ public FileBasedTrustManagerProvider() { // No implementation is required. } @Override public void initializeTrustManagerProvider(FileBasedTrustManagerProviderCfg cfg) throws ConfigException, InitializationException { final ConfigChangeResult ccr = new ConfigChangeResult(); currentConfig = cfg; trustStoreFile = getTrustStoreFile(cfg, ccr); trustStoreType = getTrustStoreType(cfg, ccr); trustStorePIN = getTrustStorePIN(cfg, ccr); if (!ccr.getMessages().isEmpty()) { throw new InitializationException(ccr.getMessages().get(0)); } cfg.addFileBasedChangeListener(this); } @Override public void finalizeTrustManagerProvider() { currentConfig.removeFileBasedChangeListener(this); } @Override public TrustManager[] getTrustManagers() throws DirectoryException { KeyStore trustStore; try (FileInputStream inputStream = new FileInputStream(getFileForPath(trustStoreFile))) { trustStore = KeyStore.getInstance(trustStoreType); trustStore.load(inputStream, trustStorePIN); } catch (Exception e) { logger.traceException(e); LocalizableMessage message = ERR_FILE_TRUSTMANAGER_CANNOT_LOAD.get(trustStoreFile, getExceptionMessage(e)); throw new DirectoryException(DirectoryServer.getCoreConfigManager().getServerErrorResultCode(), message, e); } try { String trustManagerAlgorithm = TrustManagerFactory.getDefaultAlgorithm(); TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(trustManagerAlgorithm); trustManagerFactory.init(trustStore); TrustManager[] trustManagers = trustManagerFactory.getTrustManagers(); TrustManager[] newTrustManagers = new TrustManager[trustManagers.length]; if (isFips()) { newTrustManagers = trustManagers; } else { for (int i=0; i < trustManagers.length; i++) { newTrustManagers[i] = new ExpirationCheckTrustManager((X509TrustManager) trustManagers[i]); } } return newTrustManagers; } catch (Exception e) { logger.traceException(e); LocalizableMessage message = ERR_FILE_TRUSTMANAGER_CANNOT_CREATE_FACTORY.get(trustStoreFile, getExceptionMessage(e)); throw new DirectoryException(DirectoryServer.getCoreConfigManager().getServerErrorResultCode(), message, e); } } @Override public boolean isConfigurationAcceptable(TrustManagerProviderCfg cfg, List unacceptableReasons) { FileBasedTrustManagerProviderCfg config = (FileBasedTrustManagerProviderCfg) cfg; return isConfigurationChangeAcceptable(config, unacceptableReasons); } @Override public boolean isConfigurationChangeAcceptable(FileBasedTrustManagerProviderCfg cfg, List unacceptableReasons) { int startSize = unacceptableReasons.size(); final ConfigChangeResult ccr = new ConfigChangeResult(); getTrustStoreFile(cfg, ccr); getTrustStoreType(cfg, ccr); getTrustStorePIN(cfg, ccr); unacceptableReasons.addAll(ccr.getMessages()); return startSize == unacceptableReasons.size(); } @Override public ConfigChangeResult applyConfigurationChange(FileBasedTrustManagerProviderCfg cfg) { final ConfigChangeResult ccr = new ConfigChangeResult(); String newTrustStoreFile = getTrustStoreFile(cfg, ccr); String newTrustStoreType = getTrustStoreType(cfg, ccr); char[] newPIN = getTrustStorePIN(cfg, ccr); if (ccr.getResultCode() == ResultCode.SUCCESS) { currentConfig = cfg; trustStorePIN = newPIN; trustStoreFile = newTrustStoreFile; trustStoreType = newTrustStoreType; } return ccr; } /** Get the path to the key store file. */ private String getTrustStoreFile(FileBasedTrustManagerProviderCfg cfg, ConfigChangeResult ccr) { final String keyStoreFile = cfg.getTrustStoreFile(); final File f = getFileForPath(keyStoreFile); if (!f.exists() || !f.isFile()) { ccr.setResultCode(DirectoryServer.getCoreConfigManager().getServerErrorResultCode()); ccr.addMessage(ERR_FILE_TRUSTMANAGER_NO_SUCH_FILE.get(keyStoreFile, cfg.dn())); } return keyStoreFile; } /** Get the keystore type. If none is specified, then use the default type. */ private String getTrustStoreType(FileBasedTrustManagerProviderCfg cfg, ConfigChangeResult ccr) { final String trustStoreType = cfg.getTrustStoreType(); if (trustStoreType != null) { try { KeyStore.getInstance(trustStoreType); return trustStoreType; } catch (KeyStoreException e) { logger.traceException(e); ccr.setResultCode(DirectoryServer.getCoreConfigManager().getServerErrorResultCode()); ccr.addMessage(ERR_FILE_TRUSTMANAGER_INVALID_TYPE.get(trustStoreType, cfg.dn(), getExceptionMessage(e))); } } return KeyStore.getDefaultType(); } private char[] getTrustStorePIN(FileBasedTrustManagerProviderCfg cfg, ConfigChangeResult ccr) { try { return getKeyStorePIN(cfg.getTrustStorePinProperty(), cfg.getTrustStorePinEnvironmentVariable(), cfg.getTrustStorePinFile(), cfg.getTrustStorePin(), cfg.dn(), ERR_FILE_TRUSTMANAGER_PIN_PROPERTY_NOT_SET, ERR_FILE_TRUSTMANAGER_PIN_ENVAR_NOT_SET, ERR_FILE_TRUSTMANAGER_PIN_NO_SUCH_FILE, ERR_FILE_TRUSTMANAGER_PIN_FILE_CANNOT_READ, ERR_FILE_TRUSTMANAGER_PIN_FILE_EMPTY); } catch (InitializationException e) { ccr.setResultCode(DirectoryServer.getCoreConfigManager().getServerErrorResultCode()); ccr.addMessage(e.getMessageObject()); return null; } } }