/* * CDDL HEADER START * * The contents of this file are subject to the terms of the * Common Development and Distribution License, Version 1.0 only * (the "License"). You may not use this file except in compliance * with the License. * * You can obtain a copy of the license at * trunk/opends/resource/legal-notices/OpenDS.LICENSE * or https://OpenDS.dev.java.net/OpenDS.LICENSE. * See the License for the specific language governing permissions * and limitations under the License. * * When distributing Covered Code, include this CDDL HEADER in each * file and include the License file at * trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable, * add the following below this CDDL HEADER, with the fields enclosed * by brackets "[]" replaced with your own identifying information: * Portions Copyright [yyyy] [name of copyright owner] * * CDDL HEADER END * * * Copyright 2008 Sun Microsystems, Inc. */ package org.opends.sdk.tools; import static com.sun.opends.sdk.util.Messages.*; import java.io.File; import java.io.FileInputStream; import java.io.FileOutputStream; import java.io.IOException; import java.security.KeyStore; import java.security.KeyStoreException; import java.security.NoSuchAlgorithmException; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.util.HashMap; import java.util.Map; import java.util.logging.Level; import java.util.logging.Logger; import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManagerFactory; import javax.net.ssl.X509TrustManager; import org.opends.sdk.util.Validator; import com.sun.opends.sdk.util.Message; import com.sun.opends.sdk.util.MessageBuilder; /** * A trust manager which prompts the user for the length of time that * they would like to trust a server certificate. */ final class PromptingTrustManager implements X509TrustManager { static private final Logger LOG = Logger .getLogger(PromptingTrustManager.class.getName()); static private final String DEFAULT_PATH = System .getProperty("user.home") + File.separator + ".opends" + File.separator + "keystore"; static private final char[] DEFAULT_PASSWORD = "OpenDS".toCharArray(); /** * Enumeration description server certificate trust option. */ private static enum TrustOption { UNTRUSTED(1, INFO_LDAP_CONN_PROMPT_SECURITY_TRUST_OPTION_NO.get()), SESSION( 2, INFO_LDAP_CONN_PROMPT_SECURITY_TRUST_OPTION_SESSION.get()), PERMANENT( 3, INFO_LDAP_CONN_PROMPT_SECURITY_TRUST_OPTION_ALWAYS.get()), CERTIFICATE_DETAILS( 4, INFO_LDAP_CONN_PROMPT_SECURITY_CERTIFICATE_DETAILS.get()); private Integer choice; private Message msg; /** * Private constructor. * * @param i * the menu return value. * @param msg * the message message. */ private TrustOption(int i, Message msg) { choice = i; this.msg = msg; } /** * Returns the choice number. * * @return the attribute name. */ Integer getChoice() { return choice; } /** * Return the menu message. * * @return the menu message. */ Message getMenuMessage() { return msg; } } private final KeyStore inMemoryTrustStore; private final KeyStore onDiskTrustStore; private final X509TrustManager inMemoryTrustManager; private final X509TrustManager onDiskTrustManager; private final X509TrustManager nestedTrustManager; private final ConsoleApplication app; PromptingTrustManager(ConsoleApplication app, X509TrustManager sourceTrustManager) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException { this(app, DEFAULT_PATH, sourceTrustManager); } PromptingTrustManager(ConsoleApplication app, String acceptedStorePath, X509TrustManager sourceTrustManager) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException { Validator.ensureNotNull(app, acceptedStorePath); this.app = app; this.nestedTrustManager = sourceTrustManager; inMemoryTrustStore = KeyStore .getInstance(KeyStore.getDefaultType()); onDiskTrustStore = KeyStore.getInstance(KeyStore.getDefaultType()); File onDiskTrustStorePath = new File(acceptedStorePath); inMemoryTrustStore.load(null, null); if (!onDiskTrustStorePath.exists()) { onDiskTrustStore.load(null, null); } else { FileInputStream fos = new FileInputStream(onDiskTrustStorePath); onDiskTrustStore.load(fos, DEFAULT_PASSWORD); } TrustManagerFactory tmf = TrustManagerFactory .getInstance(TrustManagerFactory.getDefaultAlgorithm()); tmf.init(inMemoryTrustStore); X509TrustManager x509tm = null; for (TrustManager tm : tmf.getTrustManagers()) { if (tm instanceof X509TrustManager) { x509tm = (X509TrustManager) tm; break; } } if (x509tm == null) { throw new NoSuchAlgorithmException(); } this.inMemoryTrustManager = x509tm; tmf.init(onDiskTrustStore); x509tm = null; for (TrustManager tm : tmf.getTrustManagers()) { if (tm instanceof X509TrustManager) { x509tm = (X509TrustManager) tm; break; } } if (x509tm == null) { throw new NoSuchAlgorithmException(); } this.onDiskTrustManager = x509tm; } public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException { try { inMemoryTrustManager.checkClientTrusted(x509Certificates, s); } catch (Exception ce1) { try { onDiskTrustManager.checkClientTrusted(x509Certificates, s); } catch (Exception ce2) { if (nestedTrustManager != null) { try { nestedTrustManager.checkClientTrusted(x509Certificates, s); } catch (Exception ce3) { checkManuallyTrusted(x509Certificates, ce3); } } else { checkManuallyTrusted(x509Certificates, ce1); } } } } public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException { try { inMemoryTrustManager.checkServerTrusted(x509Certificates, s); } catch (Exception ce1) { try { onDiskTrustManager.checkServerTrusted(x509Certificates, s); } catch (Exception ce2) { if (nestedTrustManager != null) { try { nestedTrustManager.checkServerTrusted(x509Certificates, s); } catch (Exception ce3) { checkManuallyTrusted(x509Certificates, ce3); } } else { checkManuallyTrusted(x509Certificates, ce1); } } } } public X509Certificate[] getAcceptedIssuers() { if (nestedTrustManager != null) { return nestedTrustManager.getAcceptedIssuers(); } return new X509Certificate[0]; } /** * Indicate if the certificate chain can be trusted. * * @param chain * The certificate chain to validate certificate. */ private void checkManuallyTrusted(X509Certificate[] chain, Exception exception) throws CertificateException { app.println(); app .println(INFO_LDAP_CONN_PROMPT_SECURITY_SERVER_CERTIFICATE .get()); app.println(); for (int i = 0; i < chain.length; i++) { // Certificate DN app.println(INFO_LDAP_CONN_SECURITY_SERVER_CERTIFICATE_USER_DN .get(chain[i].getSubjectDN().toString())); // certificate validity app.println(INFO_LDAP_CONN_SECURITY_SERVER_CERTIFICATE_VALIDITY .get(chain[i].getNotBefore().toString(), chain[i] .getNotAfter().toString())); // certificate Issuer app.println(INFO_LDAP_CONN_SECURITY_SERVER_CERTIFICATE_ISSUER .get(chain[i].getIssuerDN().toString())); app.println(); app.println(); } app.println(); app.println(INFO_LDAP_CONN_PROMPT_SECURITY_TRUST_OPTION.get()); app.println(); Map menuOptions = new HashMap(); for (TrustOption t : TrustOption.values()) { menuOptions.put(t.getChoice().toString(), t); MessageBuilder builder = new MessageBuilder(); builder.append(t.getChoice()); builder.append(") "); builder.append(t.getMenuMessage()); app.println(builder.toMessage(), 2 /* Indent options */); } TrustOption defaultTrustMethod = TrustOption.SESSION; Message promptMsg = INFO_MENU_PROMPT_SINGLE_DEFAULT .get(defaultTrustMethod.getChoice().toString()); while (true) { app.println(); String choice; try { choice = app.readInput(promptMsg, defaultTrustMethod .getChoice().toString()); } catch (CLIException e) { // What can we do here? throw new CertificateException(exception); } finally { app.println(); } TrustOption option = menuOptions.get(choice.trim()); if (option == null) { app.println(ERR_MENU_BAD_CHOICE_SINGLE.get()); app.println(); continue; } switch (option) { case UNTRUSTED: if (exception instanceof CertificateException) { throw (CertificateException) exception; } else { throw new CertificateException(exception); } case CERTIFICATE_DETAILS: for (X509Certificate aChain : chain) { app.println(); app.println(INFO_LDAP_CONN_SECURITY_SERVER_CERTIFICATE .get(aChain.toString())); app.println(); } break; default: // SESSION / PERMANENT. // Update the trust manager with the new certificate acceptCertificate(chain, option == TrustOption.PERMANENT); return; } } } /** * This method is called when the user accepted a certificate. * * @param chain * the certificate chain accepted by the user. certificate. */ void acceptCertificate(X509Certificate[] chain, boolean permanent) { if (permanent) { LOG.log(Level.INFO, "Permanently accepting certificate chain to " + "truststore"); } else { LOG.log(Level.INFO, "Accepting certificate chain for this session"); } for (X509Certificate aChain : chain) { try { String alias = aChain.getSubjectDN().getName(); inMemoryTrustStore.setCertificateEntry(alias, aChain); if (permanent) { onDiskTrustStore.setCertificateEntry(alias, aChain); } } catch (Exception e) { LOG.log(Level.WARNING, "Error setting certificate to store: " + e + "\nCert: " + aChain.toString()); } } if (permanent) { try { File truststoreFile = new File(DEFAULT_PATH); if (!truststoreFile.exists()) { createFile(truststoreFile); } FileOutputStream fos = new FileOutputStream(truststoreFile); onDiskTrustStore.store(fos, DEFAULT_PASSWORD); fos.close(); } catch (Exception e) { LOG.log(Level.WARNING, "Error saving store to disk: " + e); } } } private boolean createFile(File f) throws IOException { boolean success = false; if (f != null) { File parent = f.getParentFile(); if (!parent.exists()) { parent.mkdirs(); } success = f.createNewFile(); } return success; } }