All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.jboss.security.JBossJSSESecurityDomain Maven / Gradle / Ivy

There is a newer version: 5.1.0.Final
Show newest version
/*
 * JBoss, Home of Professional Open Source.
 * Copyright 2011, Red Hat, Inc., and individual contributors
 * as indicated by the @author tags. See the copyright.txt file in the
 * distribution for a full listing of individual contributors.
 *
 * This is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as
 * published by the Free Software Foundation; either version 2.1 of
 * the License, or (at your option) any later version.
 *
 * This software is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this software; if not, write to the Free
 * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
 * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
 */

package org.jboss.security;

import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.Constructor;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.Key;
import java.security.KeyStore;
import java.security.Provider;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.util.Properties;

import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;

import org.jboss.security.plugins.SecurityKeyManager;

/**
 * A security domain used to configure SSL.
 *
 * @author Marcus Moyses
 */
public class JBossJSSESecurityDomain implements JSSESecurityDomain
{

   private KeyStore keyStore;

   private KeyManagerFactory keyManagerFactory;
   
   private KeyManager[] keyManagers;

   private String keyStoreType = "JKS";

   private URL keyStoreURL;

   private char[] keyStorePassword;

   private String keyStoreProvider;
   
   private String keyStoreProviderArgument;

   private String keyManagerFactoryProvider;

   private String keyManagerFactoryAlgorithm;

   private KeyStore trustStore;

   private TrustManagerFactory trustManagerFactory;
   
   private TrustManager[] trustManagers;

   private String trustStoreType = "JKS";

   private URL trustStoreURL;

   private char[] trustStorePassword;

   private String trustStoreProvider;
   
   private String trustStoreProviderArgument;

   private String trustManagerFactoryProvider;

   private String trustManagerFactoryAlgorithm;

   private String clientAlias;
   
   private String serverAlias;

   private boolean clientAuth;

   private char[] serviceAuthToken;
   
   private String[] cipherSuites;
   
   private String[] protocols;
   
   private Properties additionalProperties;

   private String name;

   public JBossJSSESecurityDomain(String securityDomainName)
   {
      this.name = securityDomainName;
   }

   public String getKeyStoreType()
   {
      return keyStoreType;
   }

   public void setKeyStoreType(String keyStoreType)
   {
      this.keyStoreType = keyStoreType;
   }

   public String getKeyStoreURL()
   {
      String url = null;
      if (keyStoreURL != null)
         url = keyStoreURL.toExternalForm();
      return url;
   }

   public void setKeyStoreURL(String keyStoreURL) throws IOException
   {
      this.keyStoreURL = validateStoreURL(keyStoreURL);
   }

   public String getKeyStoreProvider()
   {
      return keyStoreProvider;
   }

   public void setKeyStoreProvider(String keyStoreProvider)
   {
      this.keyStoreProvider = keyStoreProvider;
   }

   public String getKeyManagerFactoryProvider()
   {
      return keyManagerFactoryProvider;
   }
   
   public String getKeyStoreProviderArgument()
   {
      return keyStoreProviderArgument;
   }

   public void setKeyStoreProviderArgument(String keyStoreProviderArgument)
   {
      this.keyStoreProviderArgument = keyStoreProviderArgument;
   }

   public void setKeyManagerFactoryProvider(String keyManagerFactoryProvider)
   {
      this.keyManagerFactoryProvider = keyManagerFactoryProvider;
   }

   public String getKeyManagerFactoryAlgorithm()
   {
      return keyManagerFactoryAlgorithm;
   }

   public void setKeyManagerFactoryAlgorithm(String keyManagerFactoryAlgorithm)
   {
      this.keyManagerFactoryAlgorithm = keyManagerFactoryAlgorithm;
   }

   public String getTrustStoreType()
   {
      return trustStoreType;
   }

   public void setTrustStoreType(String trustStoreType)
   {
      this.trustStoreType = trustStoreType;
   }

   public String getTrustStoreURL()
   {
      String url = null;
      if (trustStoreURL != null)
         url = trustStoreURL.toExternalForm();
      return url;
   }

   public void setTrustStoreURL(String trustStoreURL) throws IOException
   {
      this.trustStoreURL = validateStoreURL(trustStoreURL);
   }

   public String getTrustStoreProvider()
   {
      return trustStoreProvider;
   }

   public void setTrustStoreProvider(String trustStoreProvider)
   {
      this.trustStoreProvider = trustStoreProvider;
   }
   
   public String getTrustStoreProviderArgument()
   {
      return trustStoreProviderArgument;
   }

   public void setTrustStoreProviderArgument(String trustStoreProviderArgument)
   {
      this.trustStoreProviderArgument = trustStoreProviderArgument;
   }

   public String getTrustManagerFactoryProvider()
   {
      return trustManagerFactoryProvider;
   }

   public void setTrustManagerFactoryProvider(String trustManagerFactoryProvider)
   {
      this.trustManagerFactoryProvider = trustManagerFactoryProvider;
   }

   public String getTrustManagerFactoryAlgorithm()
   {
      return trustManagerFactoryAlgorithm;
   }

   public void setTrustManagerFactoryAlgorithm(String trustManagerFactoryAlgorithm)
   {
      this.trustManagerFactoryAlgorithm = trustManagerFactoryAlgorithm;
   }
 
   public String getClientAlias()
   {
      return clientAlias;
   }

   public void setClientAlias(String clientAlias)
   {
      this.clientAlias = clientAlias;
   }
 
   public String getServerAlias()
   {
      return serverAlias;
   }

   public void setServerAlias(String serverAlias)
   {
      this.serverAlias = serverAlias;
   }
 
   public boolean isClientAuth()
   {
      return clientAuth;
   }

   public void setClientAuth(boolean clientAuth)
   {
      this.clientAuth = clientAuth;
   }
 
   public KeyStore getKeyStore()
   {
      return keyStore;
   }
 
   public KeyStore getTrustStore()
   {
      return trustStore;
   }

   public void setKeyStorePassword(String keyStorePassword) throws Exception
   {
      this.keyStorePassword = Util.loadPassword(keyStorePassword);
   }

   public void setTrustStorePassword(String trustStorePassword) throws Exception
   {
      this.trustStorePassword = Util.loadPassword(trustStorePassword);
   }

   public void setServiceAuthToken(String serviceAuthToken) throws Exception
   {
      this.serviceAuthToken = Util.loadPassword(serviceAuthToken);
   }

   public KeyManager[] getKeyManagers() throws SecurityException
   {
      return keyManagers;
   }

   public TrustManager[] getTrustManagers() throws SecurityException
   {
      return trustManagers;
   }

   public String getSecurityDomain()
   {
      return name;
   }

   public Key getKey(String alias, String serviceAuthToken) throws Exception
   {
      PicketBoxLogger.LOGGER.traceJSSEDomainGetKey(alias);

      Key key = keyStore.getKey(alias, keyStorePassword);

      if (key == null || key instanceof PublicKey)
      {
         return key;
      }

      verifyServiceAuthToken(serviceAuthToken);

      return key;
   }

   public Certificate getCertificate(String alias) throws Exception
   {
      PicketBoxLogger.LOGGER.traceJSSEDomainGetCertificate(alias);
      return trustStore.getCertificate(alias);
   }

   public void reloadKeyAndTrustStore() throws Exception
   {
      loadKeyAndTrustStore();
   }
   
   public String[] getCipherSuites()
   {
      return cipherSuites;
   }
   
   public void setCipherSuites(String cipherSuites)
   {
      String[] cs = cipherSuites.split(",");
      this.cipherSuites = cs;
   }

    public String[] getProtocols()
   {
      return protocols;
   }
   
   public void setProtocols(String protocols)
   {
      String[] p = protocols.split(",");
      this.protocols = p;
   }
 
   public Properties getAdditionalProperties()
   {
      return additionalProperties;
   }
   
   public void setAdditionalProperties(Properties properties)
   {
      this.additionalProperties = properties;
   }

   private URL validateStoreURL(String storeURL) throws IOException
   {
      URL url = null;
      // First see if this is a URL
      try
      {
         url = new URL(storeURL);
      }
      catch (MalformedURLException e)
      {
         // Not a URL or a protocol without a handler
      }

      // Next try to locate this as file path
      if (url == null)
      {
         File tst = new File(storeURL);
         if (tst.exists())
            url = tst.toURI().toURL();
      }

      // Last try to locate this as a classpath resource
      if (url == null)
      {
         ClassLoader loader = SecurityActions.getContextClassLoader();
         if (loader != null)
            url = loader.getResource(storeURL);
      }

      // Fail if no valid key store was located
      if (url == null)
      {
         throw PicketBoxMessages.MESSAGES.failedToValidateURL(storeURL);
      }
      return url;
   }

   private void verifyServiceAuthToken(String serviceAuthToken) throws SecurityException
   {
      if (this.serviceAuthToken == null)
      {
         throw PicketBoxMessages.MESSAGES.missingServiceAuthToken(this.getSecurityDomain());
      }

      boolean verificationSuccessful = true;
      char[] ca = serviceAuthToken.toCharArray();

      if (this.serviceAuthToken.length == ca.length)
      {
         for (int i = 0; i < this.serviceAuthToken.length; i++)
         {
            if (this.serviceAuthToken[i] != ca[i])
            {
               verificationSuccessful = false;
               break;
            }
         }

         if (verificationSuccessful)
         {
            return;
         }
      }

      throw PicketBoxMessages.MESSAGES.failedToVerifyServiceAuthToken();
   }

   @SuppressWarnings({"rawtypes", "unchecked"})
   private void loadKeyAndTrustStore() throws Exception
   {
	  InputStream is = null;
      if (keyStorePassword != null)
      {
         if (keyStoreProvider != null)
         {
            if (keyStoreProviderArgument != null)
            {
               ClassLoader loader = SecurityActions.getContextClassLoader();
               Class clazz = loader.loadClass(keyStoreProvider);
               Class[] ctorSig = {String.class};
               Constructor ctor = clazz.getConstructor(ctorSig);
               Object[] ctorArgs = {keyStoreProviderArgument};
               Provider provider = (Provider) ctor.newInstance(ctorArgs);
               keyStore = KeyStore.getInstance(keyStoreType, provider);
            }
            else
               keyStore = KeyStore.getInstance(keyStoreType, keyStoreProvider);
         }
         else
            keyStore = KeyStore.getInstance(keyStoreType);
         is = null;
         try
         {
        	 if ((!"PKCS11".equalsIgnoreCase(keyStoreType) && !"PKCS11IMPLKS".equalsIgnoreCase(keyStoreType)))
             {
                 // not a PKCS11 keystore: we need a URL
                 if (keyStoreURL != null)
        		    is = keyStoreURL.openStream();
                 else
                     throw PicketBoxMessages.MESSAGES.invalidNullKeyStoreURL(keyStoreType);
        	 }

        	 keyStore.load(is, keyStorePassword);
         }
         finally
         {
        	 safeClose(is);
         }
         
         String algorithm = null;
         if (keyManagerFactoryAlgorithm != null)
            algorithm = keyManagerFactoryAlgorithm;
         else
            algorithm = KeyManagerFactory.getDefaultAlgorithm();
         if (keyManagerFactoryProvider != null)
            keyManagerFactory = KeyManagerFactory.getInstance(algorithm, keyManagerFactoryProvider);
         else
            keyManagerFactory = KeyManagerFactory.getInstance(algorithm);
         keyManagerFactory.init(keyStore, keyStorePassword);
         keyManagers = keyManagerFactory.getKeyManagers();
         for (int i = 0; i < keyManagers.length; i++)
         {
            keyManagers[i] = new SecurityKeyManager((X509KeyManager) keyManagers[i], serverAlias, clientAlias);
         }
      }
      if (trustStorePassword != null)
      {
         if (trustStoreProvider != null)
         {
            if (trustStoreProviderArgument != null)
            {
               ClassLoader loader = Thread.currentThread().getContextClassLoader();
               Class clazz = loader.loadClass(trustStoreProvider);
               Class[] ctorSig = {String.class};
               Constructor ctor = clazz.getConstructor(ctorSig);
               Object[] ctorArgs = {trustStoreProviderArgument};
               Provider provider = (Provider) ctor.newInstance(ctorArgs);
               trustStore = KeyStore.getInstance(trustStoreType, provider);
            }
            else
               trustStore = KeyStore.getInstance(trustStoreType, trustStoreProvider);
         }
         else
            trustStore = KeyStore.getInstance(trustStoreType);
         is = null;
         try
         {
        	 if ((!"PKCS11".equalsIgnoreCase(trustStoreType) && !"PKCS11IMPLKS".equalsIgnoreCase(trustStoreType)))
        	 {
                 // not a PKCS11 truststore: we need a URL
                 if (trustStoreURL != null)
        		    is = trustStoreURL.openStream();
                 else
                    throw PicketBoxMessages.MESSAGES.invalidNullKeyStoreURL(trustStoreType);
        	 }

        	 trustStore.load(is, trustStorePassword);
         }
         finally
         {
        	 safeClose(is);
         }
         String algorithm = null;
         if (trustManagerFactoryAlgorithm != null)
            algorithm = trustManagerFactoryAlgorithm;
         else
            algorithm = TrustManagerFactory.getDefaultAlgorithm();
         if (trustManagerFactoryProvider != null)
            trustManagerFactory = TrustManagerFactory.getInstance(algorithm, trustManagerFactoryProvider);
         else
            trustManagerFactory = TrustManagerFactory.getInstance(algorithm);
         trustManagerFactory.init(trustStore);
         trustManagers = trustManagerFactory.getTrustManagers();
      }
      else if (keyStore != null)
      {
         trustStore = keyStore;
         String algorithm = null;
         if (trustManagerFactoryAlgorithm != null)
            algorithm = trustManagerFactoryAlgorithm;
         else
            algorithm = TrustManagerFactory.getDefaultAlgorithm();
         trustManagerFactory = TrustManagerFactory.getInstance(algorithm);
         trustManagerFactory.init(trustStore);
         trustManagers = trustManagerFactory.getTrustManagers();
      }
   }

   private void safeClose(InputStream fis)
   {
      try
      {
         if(fis != null)
         {
            fis.close();
         }
      }
      catch(Exception e)
      {}
   }
}




© 2015 - 2024 Weber Informatics LLC | Privacy Policy