All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.wildfly.security.ssl.X509RevocationTrustManager Maven / Gradle / Ivy

There is a newer version: 2.6.0.Final
Show newest version
/*
 * JBoss, Home of Professional Open Source.
 * Copyright 2019 Red Hat, Inc., and individual contributors
 * as indicated by the @author tags.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS,
 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 */

package org.wildfly.security.ssl;


import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;

import java.io.InputStream;
import java.net.Socket;
import java.net.URI;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CRL;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CertStoreParameters;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.PKIXReason;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.EnumSet;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Stream;

import static org.wildfly.common.Assert.checkNotNullParam;

/**
 * Extension to the {@link X509TrustManager} interface to support OCSP and CRL verification.
 *
 * @author Martin Mazanek
 */
public class X509RevocationTrustManager extends X509ExtendedTrustManager {

    private static final int DEFAULT_MAX_CERT_PATH_LENGTH = 5;

    private X509Certificate[] acceptedIssuers;
    private final X509TrustManager trustManager;

    private X509RevocationTrustManager(Builder builder) {

        try {
            PKIXBuilderParameters params = new PKIXBuilderParameters(builder.trustStore, new X509CertSelector());

            if (builder.crlStreams != null && ! builder.crlStreams.isEmpty()) {
                CertStoreParameters csp = new CollectionCertStoreParameters(getCRLs(builder.crlStreams));
                CertStore store = CertStore.getInstance("Collection", csp);
                params.addCertStore(store);
            }

            CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
            PKIXRevocationChecker rc = (PKIXRevocationChecker) cpb.getRevocationChecker();

            if (builder.ocspResponderCert != null) {
                rc.setOcspResponderCert(builder.ocspResponderCert);
            }

            EnumSet options = EnumSet.noneOf(PKIXRevocationChecker.Option.class);
            if (builder.onlyEndEntity) {
                options.add(PKIXRevocationChecker.Option.ONLY_END_ENTITY);
            }
            if (builder.preferCrls) {
                options.add(PKIXRevocationChecker.Option.PREFER_CRLS);
            }
            if (builder.softFail) {
                options.add(PKIXRevocationChecker.Option.SOFT_FAIL);
            }
            if (builder.noFallback) {
                options.add(PKIXRevocationChecker.Option.NO_FALLBACK);
            }

            rc.setOptions(options);
            rc.setOcspResponder(builder.responderUri);
            params.setRevocationEnabled(true);
            params.addCertPathChecker(rc);

            PKIXCertPathChecker maxPathLengthChecker = new MaxPathLengthChecker(builder.maxCertPath);
            params.addCertPathChecker(maxPathLengthChecker);
            params.setMaxPathLength(builder.maxCertPath);

            builder.trustManagerFactory.init(new CertPathTrustManagerParameters(params));

            X509TrustManager[] trustManagers = Stream.of(builder.trustManagerFactory.getTrustManagers()).map(trustManager -> trustManager instanceof X509TrustManager ? (X509TrustManager) trustManager : null).filter(Objects::nonNull).toArray(X509TrustManager[]::new);

            if (trustManagers.length == 0) {
                throw ElytronMessages.log.noDefaultTrustManager();
            }

            this.trustManager = trustManagers[0];
        } catch(GeneralSecurityException e) {
            throw ElytronMessages.log.sslErrorCreatingRevocationTrustManager(builder.trustManagerFactory.getAlgorithm(), e);
        }

        if (builder.acceptedIssuers != null) {
            this.acceptedIssuers = builder.acceptedIssuers;
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        trustManager.checkClientTrusted(chain, authType);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        trustManager.checkServerTrusted(chain, authType);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
        trustManager.checkClientTrusted(chain, authType);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
        trustManager.checkServerTrusted(chain, authType);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine sslEngine) throws CertificateException {
        trustManager.checkClientTrusted(chain, authType);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine sslEngine) throws CertificateException {
        trustManager.checkServerTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        if (acceptedIssuers != null) {
            return acceptedIssuers;
        } else {
            return this.trustManager.getAcceptedIssuers();
        }
    }

    private Collection getCRLs(List crlStreams) throws GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection crls = new ArrayList<>();
        try {
            for (InputStream stream : crlStreams) {
                crls.addAll(cf.generateCRLs(stream));
            }
            return crls;
        } finally {
                for (InputStream stream : crlStreams) {
                    try {
                        stream.close();
                    } catch (Exception ignore) {}
                }
        }
    }

    public static class Builder {
        private X509Certificate[] acceptedIssuers = null;
        private KeyStore trustStore = null;
        private TrustManagerFactory trustManagerFactory = null;
        private URI responderUri = null;
        private List crlStreams = null;
        private X509Certificate ocspResponderCert = null;
        private int maxCertPath = DEFAULT_MAX_CERT_PATH_LENGTH;
        private boolean preferCrls = false;
        private boolean onlyEndEntity = false;
        private boolean softFail = false;
        private boolean noFallback = false;


        private Builder() {}

        /**
         * Set an array of certificate authority certificates which are trusted for authenticating peers (may be {@code null})
         *
         * @param acceptedIssuers array of accepted issuers
         * @return this Builder for subsequent changes
         * @deprecated accepted issuers are automatically set when creating the trust manager
         */
        @Deprecated
        public Builder setAcceptedIssuers(X509Certificate[] acceptedIssuers) {
            this.acceptedIssuers = acceptedIssuers;
            return this;
        }

        /**
         * Set a {@link KeyStore} with the trusted certificates (must not be {@code null})
         *
         * @param trustStore keystore with trusted certificates
         * @return this Builder for subsequent changes
         */
        public Builder setTrustStore(KeyStore trustStore) {
            this.trustStore = trustStore;
            return this;
        }

        /**
         * Set a {@link TrustManagerFactory}
         *
         * @param trustManagerFactory the trust manager factory
         * @return this Builder for subsequent changes
         */
        public Builder setTrustManagerFactory(TrustManagerFactory trustManagerFactory) {
            this.trustManagerFactory = trustManagerFactory;
            return this;
        }

        /**
         * Set an OCSP Responder {@link URI} to override those extracted from certificates.
         *
         * @param responderURI the responder URI
         * @return this Builder for subsequent changes
         */
        public Builder setResponderURI(URI responderURI) {
            this.responderUri = responderURI;
            return this;
        }

        /**
         * Set the input stream pointing to a certificate revocation list (may be {@code null}). The stream will be automatically closed after the invocation
         *
         * @param crlStream the input stream
         * @return this Builder for subsequent changes
         */
        public Builder setCrlStream(InputStream crlStream) {
            List crlStreams = new ArrayList();
            crlStreams.add(crlStream);
            this.crlStreams = crlStreams;
            return this;
        }

        /**
         * Set the input streams pointing to certificate revocation lists (may be an empty list). The streams will be
         * automatically closed after the invocation
         *
         * @param crlStreams the input streams
         * @return this Builder for subsequent changes
         */
        public Builder setCrlStreams(List crlStreams) {
            this.crlStreams = crlStreams;
            return this;
        }

        /**
         * Set the maximum number of non-self-issued intermediate certificates that may exist in a certification path. The value must be equal or greater than 1.
         *
         * @param maxCertPath the maximum cert path
         * @return this Builder for subsequent changes
         */
        public Builder setMaxCertPath(int maxCertPath) {
            this.maxCertPath = maxCertPath;
            return this;
        }

        /**
         * Set if CRL revocation should be executed before OCSP. Default false
         *
         * @param preferCrls true if CRLs should be preferred
         * @return this Builder for subsequent changes
         */
        public Builder setPreferCrls(boolean preferCrls) {
            this.preferCrls = preferCrls;
            return this;
        }

        /**
         * Set if only leaf certificate revocation should be checked. Default false
         *
         * @param onlyEndEntity true if only leaf certificate should be checked
         * @return this Builder for subsequent changes
         */
        public Builder setOnlyEndEntity(boolean onlyEndEntity) {
            this.onlyEndEntity = onlyEndEntity;
            return this;
        }

        /**
         * Set if certificate should be allowed in case the revocation status cannot be obtained. Default false
         *
         * @param softFail true if unknown revocation status is accepted
         * @return this Builder for subsequent changes
         */
        public Builder setSoftFail(boolean softFail) {
            this.softFail = softFail;
            return this;
        }

        /**
         * Set if only one method of obtaining revocation status should be used. Default false
         *
         * @param noFallback true if only one method of obtaining revocation status should be used
         * @return this Builder for subsequent changes
         */
        public Builder setNoFallback(boolean noFallback) {
            this.noFallback = noFallback;
            return this;
        }

        /**
         * Set OCSP responder's certificate. By default issuer certificate of certificate being validated is used.
         *
         * @param ocspResponderCert OCSP responder certificate
         * @return this Builder for subsequent changes
         */
        public Builder setOcspResponderCert(X509Certificate ocspResponderCert) {
            this.ocspResponderCert = ocspResponderCert;
            return this;
        }

        public X509RevocationTrustManager build() {
            checkNotNullParam("trustStore", trustStore);
            checkNotNullParam("trustManagerFactory", trustManagerFactory);

            return new X509RevocationTrustManager(this);
        }
    }

    /**
     * Create new X509RevocationTtustManager.Builder instance
     * @return new Builder instance
     */
    public static Builder builder() {
        return new Builder();
    }


    /**
     * PKIXCertPathChecker to check if a cert path being validated is longer than maxPathLength specified
     */

    private class MaxPathLengthChecker extends PKIXCertPathChecker {
        private int maxPathLength;
        private int i;

        MaxPathLengthChecker(int maxPathLength) {
            this.maxPathLength = maxPathLength;
        }

        /*
         * Initialize checker
         */
        public void init(boolean forward) {
            i = 0;
        }

        @Override
        public boolean isForwardCheckingSupported() {
            return false;
        }

        @Override
        public Set getSupportedExtensions() {
            return null;
        }

        public void check(Certificate cert, Collection unresolvedCritExts)
                throws CertPathValidatorException {
            X509Certificate currCert = (X509Certificate) cert;
            i++;
            checkCertPathLength(currCert);
        }

        private void checkCertPathLength(X509Certificate currCert) throws CertPathValidatorException {
            X500Principal subject = currCert.getSubjectX500Principal();
            X500Principal issuer = currCert.getIssuerX500Principal();

            int pathLenConstraint = -1;
            if (currCert.getVersion() < 3) { // version 1 or version 2
                if (i == 1 && subject.equals(issuer)) {
                    pathLenConstraint = Integer.MAX_VALUE;
                }
            } else {
                pathLenConstraint = currCert.getBasicConstraints();
            }

            if (pathLenConstraint == -1) {
                pathLenConstraint = maxPathLength;
            }

            if (!subject.equals(issuer) && pathLenConstraint < i) {
                throw new CertPathValidatorException
                        ("check failed: pathLenConstraint violated - "
                                + "this cert must be the last cert in the "
                                + "certification path", null, null, -1,
                                PKIXReason.PATH_TOO_LONG);
            }

            if (pathLenConstraint < maxPathLength)
                maxPathLength = pathLenConstraint;
        }
    }
}




© 2015 - 2024 Weber Informatics LLC | Privacy Policy