Changeset 7307


Timestamp:
10/08/10 10:16:35 (9 years ago)
Author:
pjkersha
Message:

Incomplete - task 12: ESG Yadis identity service discovery

  • added documentation for Trust Manager and refined property file interface.
Location:
TI12-security/trunk/EsgYadisParser
Files:
1 added
27 edited

  • TI12-security/trunk/EsgYadisParser/.classpath

    • Property svn:keywords set to Revision
  • TI12-security/trunk/EsgYadisParser/.project

    • Property svn:keywords set to Revision
  • TI12-security/trunk/EsgYadisParser/.settings/org.eclipse.ltk.core.refactoring.prefs

    • Property svn:keywords set to Revision
  • TI12-security/trunk/EsgYadisParser/data/yadis.xml

    • Property svn:keywords set to Revision
  • TI12-security/trunk/EsgYadisParser/lib/commons-codec-1.3.jar

    • Property svn:keywords set to Revision
  • TI12-security/trunk/EsgYadisParser/lib/commons-httpclient-3.0.1.jar

    • Property svn:keywords set to Revision
  • TI12-security/trunk/EsgYadisParser/lib/commons-logging-1.03.jar

    • Property svn:keywords set to Revision
  • TI12-security/trunk/EsgYadisParser/lib/mailapi.jar

    • Property svn:keywords set to Revision
  • TI12-security/trunk/EsgYadisParser/lib/nekohtml-1.9.7.jar

    • Property svn:keywords set to Revision
  • TI12-security/trunk/EsgYadisParser/lib/openid4java-0.9.5.jar

    • Property svn:keywords set to Revision
  • TI12-security/trunk/EsgYadisParser/lib/xercesImpl-2.8.1.jar

    • Property svn:keywords set to Revision
  • TI12-security/trunk/EsgYadisParser/src/org/earthsystemgrid/security/DnWhitelistX509TrustMgr.java

    • Property svn:keywords set to Revision
    r7306 r7307  
     1/** 
     2 * Support tool for SSL based authentication for ESG Security web services 
     3 *  
     4 * Earth System Grid/CMIP5 
     5 * 
     6 * Date: 09/08/10 
     7 *  
     8 * Copyright: (C) 2010 Science and Technology Facilities Council 
     9 *  
     10 * Licence: BSD 
     11 *  
     12 * $Id$ 
     13 *  
     14 * @author pjkersha 
     15 * @version $Revision$ 
     16 */ 
    117package org.earthsystemgrid.security; 
    218 
     
    420import java.io.FileNotFoundException; 
    521import java.io.IOException; 
     22import java.io.InputStream; 
    623import java.security.KeyStore; 
    724import java.security.KeyStoreException; 
     
    1128import java.security.cert.X509Certificate; 
    1229import java.util.Enumeration; 
     30import java.util.HashSet; 
     31import java.util.Properties; 
     32import java.util.Set; 
    1333 
    1434import javax.net.ssl.TrustManager; 
     
    2040 
    2141 
     42/** 
     43 * Extend PKIX X.509 Trust Manager to support whitelisting of peer certificate 
     44 * Distinguished Names 
     45 *  
     46 * @author pjkersha 
     47 */ 
    2248public class DnWhitelistX509TrustMgr implements X509TrustManager { 
    2349 
    24         protected X500Principal [] certificateDnWhiteList; 
    25          
    26     /* 
    27      * The default PKIX X509TrustManager9.  We'll delegate 
    28      * decisions to it, and fall back to the logic in this class if the 
    29      * default X509TrustManager doesn't trust it. 
     50        protected static String BASE_TRUST_MGR_ID = "PKIX"; 
     51        protected static String KEYSTORE_TYPE = "JKS"; 
     52        protected static String DN_PROP_NAME = DnWhitelistX509TrustMgr.class + "dn"; 
     53         
     54        /** 
     55         * list of peer certificate distinguished names that are acceptable to 
     56         * the client in SSL connections 
     57         */ 
     58        protected Set<X500Principal> certificateDnWhiteList; 
     59         
     60    /** 
     61     * The default PKIX X509TrustManager9.  Delegate decisions to it, and fall  
     62     * back to the logic in this class if the default X509TrustManager doesn't  
     63     * trust it. 
    3064     */ 
    3165    X509TrustManager pkixTrustManager; 
    32  
    33     public DnWhitelistX509TrustMgr(X500Principal[] certificateDnWhiteList, 
    34                 String keyStoreFilePath, 
     66         
     67    /** 
     68     * Load default trust manager and key store if set 
     69     *  
     70     * @param keyStoreFilePath key store file path 
     71     * @param keyStorePassphrase pass-phrase for this key store - use null if 
     72     * none set 
     73     * @param keyStoreFilePath key store file path 
     74     * @param keyStorePassphrase pass-phrase for this key store - use null if 
     75     * none set 
     76     */ 
     77    public DnWhitelistX509TrustMgr(String keyStoreFilePath, 
    3578                String keyStorePassphrase) throws DnWhitelistX509TrustMgrInitException { 
    3679 
    37                 this.certificateDnWhiteList = certificateDnWhiteList; 
    38          
     80        certificateDnWhiteList = null; 
    3981        TrustManagerFactory tmf = null; 
    4082                try { 
    41                         tmf = TrustManagerFactory.getInstance("PKIX"); 
     83                        tmf = TrustManagerFactory.getInstance(BASE_TRUST_MGR_ID); 
    4284                         
    4385                } catch (NoSuchAlgorithmException e) { 
    4486                        throw new DnWhitelistX509TrustMgrInitException("Instantiating "+ 
    45                                         "\"PKIX\" trust manager", e); 
     87                                        "\"" + BASE_TRUST_MGR_ID + "\" trust manager", e); 
    4688                } 
    4789                 
     
    62104                        // Create a "default" JSSE X509TrustManager. 
    63105                        try { 
    64                                 ks = KeyStore.getInstance("JKS"); 
     106                                ks = KeyStore.getInstance(KEYSTORE_TYPE); 
    65107                                 
    66108                        } catch (KeyStoreException e) { 
     
    91133                } catch (KeyStoreException e) { 
    92134                        throw new DnWhitelistX509TrustMgrInitException("Initialising "+ 
    93                                         "\"PKIX\" trust manager", e); 
     135                                        "\"" + BASE_TRUST_MGR_ID + "\" trust manager", e); 
    94136                } 
    95137                 
     
    97139 
    98140        /* 
    99          * Iterate over the returned trustmanagers, look for an instance of  
    100          * X509TrustManager.  If found, use that as our "default" trust manager. 
     141         * Iterate over the returned trust managers, look for an instance of  
     142         * X509TrustManager.  If found, use that as "default" trust manager. 
    101143         */ 
    102144        for (Object tm : tms) { 
     
    113155                        "found in trust manager factory instance"); 
    114156    } 
    115  
    116     /* 
    117      * Delegate to the default trust manager. 
     157     
     158    /** 
     159     * Instantiate based on property file settings 
     160     *  
     161     * @param keyStoreFilePath key store file path 
     162     * @param keyStorePassphrase pass-phrase for this key store - use null if 
     163     * none set 
     164     * @param propertiesFile properties file enables static setting of DN  
     165     * whitelist - the list of peer certificate distinguished  
     166     * names that are acceptable to the client in SSL connections 
     167     * @throws DnWhitelistX509TrustMgrInitException invalid keystore or error 
     168     * getting default trust manager 
     169     */ 
     170    public DnWhitelistX509TrustMgr(String keyStoreFilePath, 
     171                String keyStorePassphrase, 
     172                InputStream propertiesFile) throws  
     173                        DnWhitelistX509TrustMgrInitException { 
     174        this(keyStoreFilePath, keyStorePassphrase); 
     175 
     176        // create application properties with default 
     177        Properties applicationProps = new Properties(); 
     178         
     179        try { 
     180                        applicationProps.load(propertiesFile); 
     181                } catch (IOException e) { 
     182                        throw new DnWhitelistX509TrustMgrInitException("Error loading " + 
     183                                        "properties file \"" + propertiesFile + "\"", e); 
     184                } 
     185                 
     186                // DN values are stored in the property file as e.g. 
     187                // 
     188                // DnWhitelistX509TrustMgr.dn0 = ... 
     189                // DnWhitelistX509TrustMgr.dn1 = ... 
     190                // DnWhitelistX509TrustMgr.dn2 = ...  
     191                // 
     192                // ... etc.  
     193                String dnValue = null; 
     194                this.certificateDnWhiteList = new HashSet(); 
     195                for (int i=0; i < applicationProps.size(); i++) { 
     196                        dnValue = applicationProps.getProperty(DN_PROP_NAME+i, null); 
     197                        if (dnValue == null) 
     198                                continue; 
     199                         
     200                        this.certificateDnWhiteList.add(new X500Principal(dnValue)); 
     201                } 
     202    } 
     203     
     204    /** 
     205     * Instantiate from a given certificate DN whitelist 
     206     *  
     207     * @param keyStoreFilePath key store file path 
     208     * @param keyStorePassphrase pass-phrase for this key store - use null if 
     209     * none set 
     210     * @param certificateDnWhiteList list of peer certificate distinguished  
     211     * names that are acceptable to the client in SSL connections 
     212     * @throws DnWhitelistX509TrustMgrInitException invalid keystore or error 
     213     * getting default trust manager 
     214     */ 
     215    public DnWhitelistX509TrustMgr(String keyStoreFilePath, 
     216                String keyStorePassphrase, 
     217                X500Principal[] certificateDnWhiteList) throws  
     218        DnWhitelistX509TrustMgrInitException { 
     219         
     220        this(keyStoreFilePath, keyStorePassphrase); 
     221                 
     222        if (certificateDnWhiteList != null) 
     223                for (X500Principal dn : certificateDnWhiteList) 
     224                        this.certificateDnWhiteList.add(dn);                     
     225    } 
     226     
     227    /** 
     228     * SSL Client certificate authentication 
     229     *  
     230     * Delegate to the default trust manager but also includes DN whitelist  
     231     * checking 
    118232     */ 
    119233    @Override 
     
    121235                throws CertificateException { 
    122236        pkixTrustManager.checkClientTrusted(chain, authType); 
    123     } 
    124  
    125     /* 
    126      * Delegate to the default trust manager but append DN whitelist checking 
    127      */ 
    128     @Override 
    129     public void checkServerTrusted(X509Certificate[] certList, String authType) 
    130                 throws CertificateException { 
    131          
    132         // Default trust manager may throw a certificate exception 
    133         pkixTrustManager.checkServerTrusted(certList, authType); 
    134237         
    135238                // If chain is OK following previous check, then execute whitelisting of  
     
    140243                        return; 
    141244                 
    142                 for (X509Certificate cert : certList) 
     245                for (X509Certificate cert : chain) 
    143246                { 
    144247                        peerCertDN = cert.getSubjectX500Principal(); 
     
    150253                throw new CertificateException("No match for peer certificate " +  
    151254                                peerCertDN + "against Certificate DN whitelist"); 
     255    } 
     256 
     257    /** 
     258     * SSL Server certificate authentication 
     259     *  
     260     * Delegate to the default trust manager but also includes DN whitelist  
     261     * checking 
     262     */ 
     263    @Override 
     264    public void checkServerTrusted(X509Certificate[] chain, String authType) 
     265                throws CertificateException { 
     266         
     267        // Default trust manager may throw a certificate exception 
     268        pkixTrustManager.checkServerTrusted(chain, authType); 
     269         
     270                // If chain is OK following previous check, then execute whitelisting of  
     271        // DN 
     272                X500Principal peerCertDN = null; 
     273                 
     274                if (certificateDnWhiteList == null) 
     275                        return; 
     276                 
     277                for (X509Certificate cert : chain) 
     278                { 
     279                        peerCertDN = cert.getSubjectX500Principal(); 
     280                         
     281                        for (Principal dn : certificateDnWhiteList) 
     282                                if (peerCertDN.equals(dn)) 
     283                                        return; 
     284                } 
     285                throw new CertificateException("No match for peer certificate " +  
     286                                peerCertDN + "against Certificate DN whitelist"); 
    152287        } 
    153288 
    154  
    155     /* 
     289    /** 
    156290     * Merely pass this through. 
    157291     */ 
     
    160294        return pkixTrustManager.getAcceptedIssuers(); 
    161295    } 
     296 
    162297} 
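Review bot: The new `X500Principal[]` constructor (new lines 215-225) dereferences a null field: the two-argument constructor it delegates to sets `certificateDnWhiteList = null` (new line 80), so `this.certificateDnWhiteList.add(dn)` throws NullPointerException whenever a non-null whitelist is passed; add `this.certificateDnWhiteList = new HashSet<X500Principal>();` directly after `this(keyStoreFilePath, keyStorePassphrase);`, and use the same typed set in place of the raw `new HashSet()` at new line 194. `DN_PROP_NAME` (new line 52) concatenates `Class.toString()`, which yields `class org.earthsystemgrid.security.DnWhitelistX509TrustMgr`, so the lookup key becomes `class ...DnWhitelistX509TrustMgrdn0` rather than the `DnWhitelistX509TrustMgr.dn0` form documented at new line 188, no property-file DN is ever loaded, and every connection is then rejected because the empty set is not null; `protected static final String DN_PROP_NAME = DnWhitelistX509TrustMgr.class.getSimpleName() + ".dn";` gives the documented key, and iterating `applicationProps.stringPropertyNames()` for that prefix would be more robust than the `i < applicationProps.size()` loop at new line 195, which misses entries when the numbering has gaps or other keys are present. In `checkClientTrusted` and `checkServerTrusted` the whitelist loop accepts a match against any certificate in `chain`, not only the peer certificate `chain[0]`, so whitelisting a CA's DN would admit every certificate that CA issued; if that is intended the class Javadoc should say so, otherwise compare only `chain[0].getSubjectX500Principal()`. The class Javadoc should also state that a null whitelist (the two-argument constructor) disables the DN check entirely and relies on PKIX validation alone, and the message at new lines 253-254 and 285-286 is missing a space before `"against"`.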
  • TI12-security/trunk/EsgYadisParser/src/org/earthsystemgrid/security/exceptions/DnWhitelistX509TrustMgrInitException.java

    • Property svn:keywords set to Revision
    r7305 r7307  
     1/** 
     2 * Support tool for SSL based authentication for ESG Security web services 
     3 *  
     4 * Earth System Grid/CMIP5 
     5 * 
     6 * Date: 09/08/10 
     7 *  
     8 * Copyright: (C) 2010 Science and Technology Facilities Council 
     9 *  
     10 * Licence: BSD 
     11 *  
     12 * $Id$ 
     13 *  
     14 * @author pjkersha 
     15 * @version $Revision$ 
     16 */ 
    117package org.earthsystemgrid.security.exceptions; 
    218 
     19 
     20/** 
     21 * Initialisation exception for Certificate DN Whitelist based X.509 Trust  
     22 * Manager 
     23 *  
     24 * @author pjkersha 
     25 * 
     26 */ 
    327public class DnWhitelistX509TrustMgrInitException extends Exception { 
    428        public DnWhitelistX509TrustMgrInitException(String message) { 
  • TI12-security/trunk/EsgYadisParser/src/org/earthsystemgrid/security/openid2emailresolution/OpenId2EmailAddrResolution.java

    • Property svn:keywords set to Revision
  • TI12-security/trunk/EsgYadisParser/src/org/earthsystemgrid/security/openid2emailresolution/exceptions/AttributeServiceQueryException.java

    • Property svn:keywords set to Revision
  • TI12-security/trunk/EsgYadisParser/src/org/earthsystemgrid/security/openid2emailresolution/exceptions/NoMatchingXrdsServiceException.java

    • Property svn:keywords set to Revision
  • TI12-security/trunk/EsgYadisParser/src/org/earthsystemgrid/security/openid2emailresolution/exceptions/OpenId2EmailAddrResolutionException.java

    • Property svn:keywords set to Revision
  • TI12-security/trunk/EsgYadisParser/src/org/earthsystemgrid/security/yadis/ErrorHandler.java

    • Property svn:keywords set to Revision
  • TI12-security/trunk/EsgYadisParser/src/org/earthsystemgrid/security/yadis/XrdsDoc.java

    • Property svn:keywords set to Revision
  • TI12-security/trunk/EsgYadisParser/src/org/earthsystemgrid/security/yadis/XrdsServiceElem.java

    • Property svn:keywords set to Revision
  • TI12-security/trunk/EsgYadisParser/src/org/earthsystemgrid/security/yadis/YadisParserErrorHandler.java

    • Property svn:keywords set to Revision
  • TI12-security/trunk/EsgYadisParser/src/org/earthsystemgrid/security/yadis/YadisRetrieval.java

    • Property svn:keywords set to Revision
    r7306 r7307  
    4242                X509TrustManager xtm; 
    4343 
    44                 X500Principal [] whitelist = { 
    45                                 new X500Principal("CN=ceda.ac.uk, OU=RAL-SPBU, O=Science and Technology Facilities Council, C=GB") 
    46                 }; 
     44//              X500Principal [] whitelist = { 
     45//                              new X500Principal("CN=ceda.ac.uk, OU=RAL-SPBU, O=Science and Technology Facilities Council, C=GB") 
     46//              }; 
     47                 
     48                InputStream propertiesFile =  
     49                        DnWhitelistX509TrustMgr.class.getResourceAsStream( 
     50                                                                        "DnWhitelistX509TrustMgr.properties"); 
    4751                 
    4852                // Create trust manager with given whitelist and default keystore 
    4953                try { 
    50                         xtm = new DnWhitelistX509TrustMgr(whitelist, null, null); 
     54                        xtm = new DnWhitelistX509TrustMgr(null, null, propertiesFile); 
    5155                } catch (DnWhitelistX509TrustMgrInitException e) { 
    5256                        throw new YadisRetrievalException("Creating trust manager", e); 
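Review bot: `getResourceAsStream` (new lines 48-50) returns null when `DnWhitelistX509TrustMgr.properties` is not on the classpath, and the constructor called on new line 54 then passes that null to `Properties.load`, which surfaces as a NullPointerException rather than the `DnWhitelistX509TrustMgrInitException` the catch block on line 55 handles; check `if (propertiesFile == null)` before the constructor call and throw a `YadisRetrievalException` (whichever of its constructors fits) with a message naming the missing resource. The stream is also never closed after the trust manager has loaded it, so wrap it in try/finally or try-with-resources. The commented-out `whitelist` block on new lines 44-46 should be deleted rather than left in place. The enclosing method starts and ends outside the hunk.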
  • TI12-security/trunk/EsgYadisParser/src/org/earthsystemgrid/security/yadis/exception/XrdsException.java

    • Property svn:keywords set to Revision
  • TI12-security/trunk/EsgYadisParser/src/org/earthsystemgrid/security/yadis/exception/XrdsParseException.java

    • Property svn:keywords set to Revision
  • TI12-security/trunk/EsgYadisParser/src/org/earthsystemgrid/security/yadis/exception/YadisRetrievalException.java

    • Property svn:keywords set to Revision
  • TI12-security/trunk/EsgYadisParser/src/org/earthsystemgrid/security/yadis/xrd.xsd

    • Property svn:keywords set to Revision
  • TI12-security/trunk/EsgYadisParser/src/org/earthsystemgrid/security/yadis/xrds.xsd

    • Property svn:keywords set to Revision