Changeset 7305


Timestamp:
09/08/10 13:09:51 (9 years ago)
Author:
pjkersha
Message:

Incomplete - task 12: ESG Yadis identity service discovery

  • Implementing trust manager class for DN whitelisting.
Location:
TI12-security/trunk/EsgYadisParser/src/org/earthsystemgrid/security
Files:
2 added
1 edited
1 moved

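--- a/TI12-security/trunk/EsgYadisParser/src/org/earthsystemgrid/security/DnWhiteListBasedX509TrustManager.java
+++ b/TI12-security/trunk/EsgYadisParser/src/org/earthsystemgrid/security/DnWhiteListBasedX509TrustManager.java
@@ -17,5 +17,5 @@
 
 
-class YadisTrustManager implements X509TrustManager {
+public class DnWhiteListBasedX509TrustManager implements X509TrustManager {
 
         protected Principal [] certificateDnWhiteList;
@@ -28,13 +28,22 @@
     X509TrustManager pkixTrustManager;
 
-    YadisTrustManager(Principal[] certificateDnWhiteList) throws Exception {
+    public DnWhiteListBasedX509TrustManager(Principal[] certificateDnWhiteList,
+                String keyStoreFilePath,
+                String keyStorePassphrase) throws Exception {
 
                 this.certificateDnWhiteList = certificateDnWhiteList;
                 
+                FileInputStream kis = null;
+                
+                if (keyStoreFilePath == null)
+                        kis = new FileInputStream("trustedCerts");
+                else
+                        kis = new FileInputStream(keyStoreFilePath);
+                
         // create a "default" JSSE X509TrustManager.
-
         KeyStore ks = KeyStore.getInstance("JKS");
-        ks.load(new FileInputStream("trustedCerts"),
-            "passphrase".toCharArray());
+        ks.load(kis, 
+                        keyStorePassphrase == null ? 
+                                        null : keyStorePassphrase.toCharArray());
 
         TrustManagerFactory tmf =
@@ -69,9 +78,5 @@
     public void checkClientTrusted(X509Certificate[] chain, String authType)
                 throws CertificateException {
-        try {
-            pkixTrustManager.checkClientTrusted(chain, authType);
-        } catch (CertificateException excep) {
-            // do any special handling here, or rethrow exception.
-        }
+        pkixTrustManager.checkClientTrusted(chain, authType);
     }
 
@@ -82,31 +87,22 @@
     public void checkServerTrusted(X509Certificate[] certList, String authType)
                 throws CertificateException {
-        try {
-            pkixTrustManager.checkServerTrusted(certList, authType);
-        } catch (CertificateException excep) {
-            /*
-             * Possibly pop up a dialog box asking whether to trust the
-             * cert chain.
-             */
-        }
+        
+        // Default trust manager may throw a certificate exception
+        pkixTrustManager.checkServerTrusted(certList, authType);
         
-                // Whitelisting of DNs
+                // If chain is OK following previous check, then execute whitelisting of 
+        // DN
                 Principal subject = null;
                 
                 if (certificateDnWhiteList == null)
+                        return;
+                
+                for (X509Certificate cert : certList)
                 {
-                        return;
-                }
-                 
-                for (int i=0; i < certList.length; i++)
-                {
-                        X509Certificate cert = certList[i];
                         subject = cert.getSubjectDN();
                         
-                        for (int j=0; j < certificateDnWhiteList.length; j++)
-                        {
-                                if (subject == certificateDnWhiteList[j])
+                        for (Principal dn : certificateDnWhiteList)
+                                if (subject == dn)
                                         return;
-                        }
                 }
                 throw new CertificateException("No match for peer certificate " + 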
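Review bot: In the inner loop of checkServerTrusted, `if (subject == dn)` compares Principal references by identity rather than by value, so a subject read from the peer certificate will not match a whitelist entry constructed elsewhere and every chain is rejected once a whitelist is configured; the check should read `if (subject.equals(dn))`, and `cert.getSubjectX500Principal()` is preferable to the denigrated `getSubjectDN()` so both sides compare as X500Principal. A null certificateDnWhiteList returns before any comparison and therefore disables DN filtering entirely, which belongs in the constructor's Javadoc, e.g. `@param certificateDnWhiteList subject DNs to accept after PKIX validation; null skips the whitelist check`. In the constructor, the `kis` stream is never closed after `ks.load` and should be closed in a finally block, and the default `"trustedCerts"` path is relative to the working directory, which the Javadoc for keyStoreFilePath should state. The constructor body and checkServerTrusted both continue outside the hunks.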
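--- a/TI12-security/trunk/EsgYadisParser/src/org/earthsystemgrid/security/yadis/YadisRetrieval.java
+++ b/TI12-security/trunk/EsgYadisParser/src/org/earthsystemgrid/security/yadis/YadisRetrieval.java
@@ -20,5 +20,5 @@
 import javax.net.ssl.X509TrustManager;
 
-import org.earthsystemgrid.security.YadisTrustManager;
+import org.earthsystemgrid.security.DnWhiteListBasedX509TrustManager;
 import org.earthsystemgrid.security.yadis.exception.XrdsParseException;
 import org.earthsystemgrid.security.yadis.exception.YadisRetrievalException;
@@ -40,5 +40,5 @@
         {
                 // Experimenting with Trust Manager for whitelisting
-                X509TrustManager xtm = new YadisTrustManager(null, null, null);
+                X509TrustManager xtm = new DnWhiteListBasedX509TrustManager(null, null, null);
                 X509TrustManager tm[] = {xtm};
                 SSLContext ctx = SSLContext.getInstance("SSL");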
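Review bot: The call `new DnWhiteListBasedX509TrustManager(null, null, null)` passes a null whitelist, and the trust manager's checkServerTrusted in this same changeset returns before any DN comparison when certificateDnWhiteList is null, so this instance applies no DN restriction despite the comment above it; it also falls back to the relative keystore path "trustedCerts" with no passphrase. If that is intended while experimenting, record it on the existing comment, e.g. `// TODO: null whitelist => no DN filtering; null path => ./trustedCerts, no passphrase`. The enclosing method starts before the hunk.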