1. /*

  2.  * $Header: /home/cvs/jakarta-commons/httpclient/src/contrib/org/apache/commons/httpclient/contrib/ssl/AuthSSLProtocolSocketFactory.java,v 1.2 2004/06/10 18:25:24 olegk Exp $

  3.  * $Revision: 1.2 $

  4.  * $Date: 2004/06/10 18:25:24 $

  5.  *

  6.  * ====================================================================

  7.  *

  8.  *  Copyright 2002-2004 The Apache Software Foundation

  9.  *

  10.  *  Licensed under the Apache License, Version 2.0 (the "License");

  11.  *  you may not use this file except in compliance with the License.

  12.  *  You may obtain a copy of the License at

  13.  *

  14.  *      http://www.apache.org/licenses/LICENSE-2.0

  15.  *

  16.  *  Unless required by applicable law or agreed to in writing, software

  17.  *  distributed under the License is distributed on an "AS IS" BASIS,

  18.  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  19.  *  See the License for the specific language governing permissions and

  20.  *  limitations under the License.

  21.  * ====================================================================

  22.  *

  23.  * This software consists of voluntary contributions made by many

  24.  * individuals on behalf of the Apache Software Foundation.  For more

  25.  * information on the Apache Software Foundation, please see

  26.  * <http://www.apache.org/>.

  27.  *

  28.  */

  29. 

  30. package org.apache.commons.httpclient.contrib.ssl;

  31. 

  32. import java.io.IOException;

  33. import java.net.InetAddress;

  34. import java.net.Socket;

  35. import java.net.URL;

  36. import java.net.UnknownHostException;

  37. import java.security.GeneralSecurityException;

  38. import java.security.KeyStore;

  39. import java.security.KeyStoreException;

  40. import java.security.NoSuchAlgorithmException;

  41. import java.security.UnrecoverableKeyException;

  42. import java.security.cert.Certificate;

  43. import java.security.cert.CertificateException;

  44. import java.security.cert.X509Certificate;

  45. import java.util.Enumeration;

  46. 

  47. import org.apache.commons.httpclient.ConnectTimeoutException;

  48. import org.apache.commons.httpclient.params.HttpConnectionParams;

  49. import org.apache.commons.httpclient.protocol.ControllerThreadSocketFactory;

  50. import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;

  51. import org.apache.commons.logging.Log; 

  52. import org.apache.commons.logging.LogFactory;

  53. 

  54. import com.sun.net.ssl.KeyManager;

  55. import com.sun.net.ssl.KeyManagerFactory;

  56. import com.sun.net.ssl.SSLContext;

  57. import com.sun.net.ssl.TrustManager;

  58. import com.sun.net.ssl.TrustManagerFactory;

  59. import com.sun.net.ssl.X509TrustManager;

  60. 

  61. /**

  62.  * <p>

  63.  * AuthSSLProtocolSocketFactory can be used to validate the identity of the HTTPS 

  64.  * server against a list of trusted certificates and to authenticate to the HTTPS 

  65.  * server using a private key. 

  66.  * </p>

  67.  * 

  68.  * <p>

  69.  * AuthSSLProtocolSocketFactory will enable server authentication when supplied with

  70.  * a {@link KeyStore truststore} file containg one or several trusted certificates. 

  71.  * The client secure socket will reject the connection during the SSL session handshake 

  72.  * if the target HTTPS server attempts to authenticate itself with a non-trusted 

  73.  * certificate.

  74.  * </p>

  75.  * 

  76.  * <p>

  77.  * Use JDK keytool utility to import a trusted certificate and generate a truststore file:    

  78.  *    <pre>

  79.  *     keytool -import -alias "my server cert" -file server.crt -keystore my.truststore

  80.  *    </pre>

  81.  * </p>

  82.  * 

  83.  * <p>

  84.  * AuthSSLProtocolSocketFactory will enable client authentication when supplied with

  85.  * a {@link KeyStore keystore} file containg a private key/public certificate pair. 

  86.  * The client secure socket will use the private key to authenticate itself to the target 

  87.  * HTTPS server during the SSL session handshake if requested to do so by the server. 

  88.  * The target HTTPS server will in its turn verify the certificate presented by the client

  89.  * in order to establish client's authenticity

  90.  * </p>

  91.  * 

  92.  * <p>

  93.  * Use the following sequence of actions to generate a keystore file

  94.  * </p>

  95.  *   <ul>

  96.  *     <li>

  97.  *      <p>

  98.  *      Use JDK keytool utility to generate a new key

  99.  *      <pre>keytool -genkey -v -alias "my client key" -validity 365 -keystore my.keystore</pre>

  100.  *      For simplicity use the same password for the key as that of the keystore

  101.  *      </p>

  102.  *     </li>

  103.  *     <li>

  104.  *      <p>

  105.  *      Issue a certificate signing request (CSR)

  106.  *      <pre>keytool -certreq -alias "my client key" -file mycertreq.csr -keystore my.keystore</pre>

  107.  *     </p>

  108.  *     </li>

  109.  *     <li>

  110.  *      <p>

  111.  *      Send the certificate request to the trusted Certificate Authority for signature. 

  112.  *      One may choose to act as her own CA and sign the certificate request using a PKI 

  113.  *      tool, such as OpenSSL.

  114.  *      </p>

  115.  *     </li>

  116.  *     <li>

  117.  *      <p>

  118.  *       Import the trusted CA root certificate

  119.  *       <pre>keytool -import -alias "my trusted ca" -file caroot.crt -keystore my.keystore</pre> 

  120.  *      </p>

  121.  *     </li>

  122.  *     <li>

  123.  *      <p>

  124.  *       Import the PKCS#7 file containg the complete certificate chain

  125.  *       <pre>keytool -import -alias "my client key" -file mycert.p7 -keystore my.keystore</pre> 

  126.  *      </p>

  127.  *     </li>

  128.  *     <li>

  129.  *      <p>

  130.  *       Verify the content the resultant keystore file

  131.  *       <pre>keytool -list -v -keystore my.keystore</pre> 

  132.  *      </p>

  133.  *     </li>

  134.  *   </ul>

  135.  * <p>

  136.  * Example of using custom protocol socket factory for a specific host:

  137.  *     <pre>

  138.  *     Protocol authhttps = new Protocol("https",  

  139.  *          new AuthSSLProtocolSocketFactory(

  140.  *              new URL("file:my.keystore"), "mypassword",

  141.  *              new URL("file:my.truststore"), "mypassword"), 443); 

  142.  *

  143.  *     HttpClient client = new HttpClient();

  144.  *     client.getHostConfiguration().setHost("localhost", 443, authhttps);

  145.  *     // use relative url only

  146.  *     GetMethod httpget = new GetMethod("/");

  147.  *     client.executeMethod(httpget);

  148.  *     </pre>

  149.  * </p>

  150.  * <p>

  151.  * Example of using custom protocol socket factory per default instead of the standard one:

  152.  *     <pre>

  153.  *     Protocol authhttps = new Protocol("https",  

  154.  *          new AuthSSLProtocolSocketFactory(

  155.  *              new URL("file:my.keystore"), "mypassword",

  156.  *              new URL("file:my.truststore"), "mypassword"), 443); 

  157.  *     Protocol.registerProtocol("https", authhttps);

  158.  *

  159.  *     HttpClient client = new HttpClient();

  160.  *     GetMethod httpget = new GetMethod("https://localhost/");

  161.  *     client.executeMethod(httpget);

  162.  *     </pre>

  163.  * </p>

  164.  * @author <a href="mailto:oleg -at- ural.ru">Oleg Kalnichevski</a>

  165.  * 

  166.  * <p>

  167.  * DISCLAIMER: HttpClient developers DO NOT actively support this component.

  168.  * The component is provided as a reference material, which may be inappropriate

  169.  * to be used without additional customization.

  170.  * </p>

  171.  */

  172. 

  173. public class AuthSSLProtocolSocketFactory implements SecureProtocolSocketFactory {

  174. 

  175.     /** Log object for this class. */

  176.     private static final Log LOG = LogFactory.getLog(AuthSSLProtocolSocketFactory.class);

  177. 

  178.     private URL keystoreUrl = null;

  179.     private String keystorePassword = null;

  180.     private URL truststoreUrl = null;

  181.     private String truststorePassword = null;

  182.     private SSLContext sslcontext = null;

  183. 

  184.     /**

  185.      * Constructor for AuthSSLProtocolSocketFactory. Either a keystore or truststore file

  186.      * must be given. Otherwise SSL context initialization error will result.

  187.      * 

  188.      * @param keystoreUrl URL of the keystore file. May be <tt>null</tt> if HTTPS client

  189.      *        authentication is not to be used.

  190.      * @param keystorePassword Password to unlock the keystore. IMPORTANT: this implementation

  191.      *        assumes that the same password is used to protect the key and the keystore itself.

  192.      * @param truststoreUrl URL of the truststore file. May be <tt>null</tt> if HTTPS server

  193.      *        authentication is not to be used.

  194.      * @param truststorePassword Password to unlock the truststore.

  195.      */

  196.     public AuthSSLProtocolSocketFactory(

  197.         final URL keystoreUrl, final String keystorePassword, 

  198.         final URL truststoreUrl, final String truststorePassword)

  199.     {

  200.         super();

  201.         this.keystoreUrl = keystoreUrl;

  202.         this.keystorePassword = keystorePassword;

  203.         this.truststoreUrl = truststoreUrl;

  204.         this.truststorePassword = truststorePassword;

  205.     }

  206. 

  207.     private static KeyStore createKeyStore(final URL url, final String password) 

  208.         throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException

  209.     {

  210.         if (url == null) {

  211.             throw new IllegalArgumentException("Keystore url may not be null");

  212.         }

  213.         LOG.debug("Initializing key store");

  214.         KeyStore keystore  = KeyStore.getInstance("jks");

  215.         keystore.load(url.openStream(), password != null ? password.toCharArray(): null);

  216.         return keystore;

  217.     }

  218.     

  219.     private static KeyManager[] createKeyManagers(final KeyStore keystore, final String password)

  220.         throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException 

  221.     {

  222.         if (keystore == null) {

  223.             throw new IllegalArgumentException("Keystore may not be null");

  224.         }

  225.         LOG.debug("Initializing key manager");

  226.         KeyManagerFactory kmfactory = KeyManagerFactory.getInstance(

  227.             KeyManagerFactory.getDefaultAlgorithm());

  228.         kmfactory.init(keystore, password != null ? password.toCharArray(): null);

  229.         return kmfactory.getKeyManagers(); 

  230.     }

  231. 

  232.     private static TrustManager[] createTrustManagers(final KeyStore keystore)

  233.         throws KeyStoreException, NoSuchAlgorithmException

  234.     { 

  235.         if (keystore == null) {

  236.             throw new IllegalArgumentException("Keystore may not be null");

  237.         }

  238.         LOG.debug("Initializing trust manager");

  239.         TrustManagerFactory tmfactory = TrustManagerFactory.getInstance(

  240.             TrustManagerFactory.getDefaultAlgorithm());

  241.         tmfactory.init(keystore);

  242.         TrustManager[] trustmanagers = tmfactory.getTrustManagers();

  243.         for (int i = 0; i < trustmanagers.length; i++) {

  244.             if (trustmanagers[i] instanceof X509TrustManager) {

  245.                 trustmanagers[i] = new AuthSSLX509TrustManager(

  246.                     (X509TrustManager)trustmanagers[i]); 

  247.             }

  248.         }

  249.         return trustmanagers; 

  250.     }

  251. 

  252.     private SSLContext createSSLContext() {

  253.         try {

  254.             KeyManager[] keymanagers = null;

  255.             TrustManager[] trustmanagers = null;

  256.             if (this.keystoreUrl != null) {

  257.                 KeyStore keystore = createKeyStore(this.keystoreUrl, this.keystorePassword);

  258.                 if (LOG.isDebugEnabled()) {

  259.                     Enumeration aliases = keystore.aliases();

  260.                     while (aliases.hasMoreElements()) {

  261.                         String alias = (String)aliases.nextElement();                        

  262.                         Certificate[] certs = keystore.getCertificateChain(alias);

  263.                         if (certs != null) {

  264.                             LOG.debug("Certificate chain '" + alias + "':");

  265.                             for (int c = 0; c < certs.length; c++) {

  266.                                 if (certs[c] instanceof X509Certificate) {

  267.                                     X509Certificate cert = (X509Certificate)certs[c];

  268.                                     LOG.debug(" Certificate " + (c + 1) + ":");

  269.                                     LOG.debug("  Subject DN: " + cert.getSubjectDN());

  270.                                     LOG.debug("  Signature Algorithm: " + cert.getSigAlgName());

  271.                                     LOG.debug("  Valid from: " + cert.getNotBefore() );

  272.                                     LOG.debug("  Valid until: " + cert.getNotAfter());

  273.                                     LOG.debug("  Issuer: " + cert.getIssuerDN());

  274.                                 }

  275.                             }

  276.                         }

  277.                     }

  278.                 }

  279.                 keymanagers = createKeyManagers(keystore, this.keystorePassword);

  280.             }

  281.             if (this.truststoreUrl != null) {

  282.                 KeyStore keystore = createKeyStore(this.truststoreUrl, this.truststorePassword);

  283.                 if (LOG.isDebugEnabled()) {

  284.                     Enumeration aliases = keystore.aliases();

  285.                     while (aliases.hasMoreElements()) {

  286.                         String alias = (String)aliases.nextElement();

  287.                         LOG.debug("Trusted certificate '" + alias + "':");

  288.                         Certificate trustedcert = keystore.getCertificate(alias);

  289.                         if (trustedcert != null && trustedcert instanceof X509Certificate) {

  290.                             X509Certificate cert = (X509Certificate)trustedcert;

  291.                             LOG.debug("  Subject DN: " + cert.getSubjectDN());

  292.                             LOG.debug("  Signature Algorithm: " + cert.getSigAlgName());

  293.                             LOG.debug("  Valid from: " + cert.getNotBefore() );

  294.                             LOG.debug("  Valid until: " + cert.getNotAfter());

  295.                             LOG.debug("  Issuer: " + cert.getIssuerDN());

  296.                         }

  297.                     }

  298.                 }

  299.                 trustmanagers = createTrustManagers(keystore);

  300.             }

  301.             SSLContext sslcontext = SSLContext.getInstance("SSL");

  302.             sslcontext.init(keymanagers, trustmanagers, null);

  303.             return sslcontext;

  304.         } catch (NoSuchAlgorithmException e) {

  305.             LOG.error(e.getMessage(), e);

  306.             throw new AuthSSLInitializationError("Unsupported algorithm exception: " + e.getMessage());

  307.         } catch (KeyStoreException e) {

  308.             LOG.error(e.getMessage(), e);

  309.             throw new AuthSSLInitializationError("Keystore exception: " + e.getMessage());

  310.         } catch (GeneralSecurityException e) {

  311.             LOG.error(e.getMessage(), e);

  312.             throw new AuthSSLInitializationError("Key management exception: " + e.getMessage());

  313.         } catch (IOException e) {

  314.             LOG.error(e.getMessage(), e);

  315.             throw new AuthSSLInitializationError("I/O error reading keystore/truststore file: " + e.getMessage());

  316.         }

  317.     }

  318. 

  319.     private SSLContext getSSLContext() {

  320.         if (this.sslcontext == null) {

  321.             this.sslcontext = createSSLContext();

  322.         }

  323.         return this.sslcontext;

  324.     }

  325. 

  326.     /**

  327.      * Attempts to get a new socket connection to the given host within the given time limit.

  328.      * <p>

  329.      * To circumvent the limitations of older JREs that do not support connect timeout a 

  330.      * controller thread is executed. The controller thread attempts to create a new socket 

  331.      * within the given limit of time. If socket constructor does not return until the 

  332.      * timeout expires, the controller terminates and throws an {@link ConnectTimeoutException}

  333.      * </p>

  334.      *  

  335.      * @param host the host name/IP

  336.      * @param port the port on the host

  337.      * @param clientHost the local host name/IP to bind the socket to

  338.      * @param clientPort the port on the local machine

  339.      * @param params {@link HttpConnectionParams Http connection parameters}

  340.      * 

  341.      * @return Socket a new socket

  342.      * 

  343.      * @throws IOException if an I/O error occurs while creating the socket

  344.      * @throws UnknownHostException if the IP address of the host cannot be

  345.      * determined

  346.      */

  347.     public Socket createSocket(

  348.         final String host,

  349.         final int port,

  350.         final InetAddress localAddress,

  351.         final int localPort,

  352.         final HttpConnectionParams params

  353.     ) throws IOException, UnknownHostException, ConnectTimeoutException {

  354.         if (params == null) {

  355.             throw new IllegalArgumentException("Parameters may not be null");

  356.         }

  357.         int timeout = params.getConnectionTimeout();

  358.         if (timeout == 0) {

  359.             return createSocket(host, port, localAddress, localPort);

  360.         } else {

  361.             // To be eventually deprecated when migrated to Java 1.4 or above

  362.             return ControllerThreadSocketFactory.createSocket(

  363.                     this, host, port, localAddress, localPort, timeout);

  364.         }

  365.     }

  366. 

  367.     /**

  368.      * @see SecureProtocolSocketFactory#createSocket(java.lang.String,int,java.net.InetAddress,int)

  369.      */

  370.     public Socket createSocket(

  371.         String host,

  372.         int port,

  373.         InetAddress clientHost,

  374.         int clientPort)

  375.         throws IOException, UnknownHostException

  376.    {

  377.        return getSSLContext().getSocketFactory().createSocket(

  378.             host,

  379.             port,

  380.             clientHost,

  381.             clientPort

  382.         );

  383.     }

  384. 

  385.     /**

  386.      * @see SecureProtocolSocketFactory#createSocket(java.lang.String,int)

  387.      */

  388.     public Socket createSocket(String host, int port)

  389.         throws IOException, UnknownHostException

  390.     {

  391.         return getSSLContext().getSocketFactory().createSocket(

  392.             host,

  393.             port

  394.         );

  395.     }

  396. 

  397.     /**

  398.      * @see SecureProtocolSocketFactory#createSocket(java.net.Socket,java.lang.String,int,boolean)

  399.      */

  400.     public Socket createSocket(

  401.         Socket socket,

  402.         String host,

  403.         int port,

  404.         boolean autoClose)

  405.         throws IOException, UnknownHostException

  406.     {

  407.         return getSSLContext().getSocketFactory().createSocket(

  408.             socket,

  409.             host,

  410.             port,

  411.             autoClose

  412.         );

  413.     }

  414. }