Changeset 7309

Timestamp:

10/08/10 11:30:17 (11 years ago)

Author:

pjkersha

Message:

Incomplete - task 12: ESG Yadis identity service discovery

• keystore settings can now be made in properties file for DN whitelist trust manager.
• YadisRetrieval? class now has constructor to support input from this properties file.

Location:

TI12-security/trunk/EsgYadisParser/src/org/earthsystemgrid/security

Files:

• DnWhitelistX509TrustMgr.java (modified) (8 diffs)
• DnWhitelistX509TrustMgr.properties (modified) (1 diff)
• yadis/YadisRetrieval.java (modified) (6 diffs)

TI12-security/trunk/EsgYadisParser/src/org/earthsystemgrid/security/DnWhitelistX509TrustMgr.java

@@ -48 +48 @@
 public class DnWhitelistX509TrustMgr implements X509TrustManager {
 
+        protected static String KEYSTORE_FILEPATH_PROP_NAME = 
+                DnWhitelistX509TrustMgr.class.getName() + ".keyStoreFilePath";
+        protected static String KEYSTORE_PASSPHRASE_PROP_NAME = 
+                DnWhitelistX509TrustMgr.class.getName() + ".keyStorePassphrase";
+        protected static String DN_PROP_NAME = DnWhitelistX509TrustMgr.class.getName() + ".dn";
+        
         protected static String BASE_TRUST_MGR_ID = "PKIX";
         protected static String KEYSTORE_TYPE = "JKS";
-        protected static String DN_PROP_NAME = DnWhitelistX509TrustMgr.class + "dn";
         
         /**
@@ -77 +82 @@
     public DnWhitelistX509TrustMgr(String keyStoreFilePath,
                 String keyStorePassphrase) throws DnWhitelistX509TrustMgrInitException {
-
         certificateDnWhiteList = null;
+        _init(keyStoreFilePath, keyStorePassphrase);
+    }
+    
+    /**
+     * Initialise key store and default trust manager which is wrapped by this
+     * class
+     * 
+     * @param keyStoreFilePath
+     * @param keyStorePassphrase
+     * @throws DnWhitelistX509TrustMgrInitException 
+     */
+    protected void _init(String keyStoreFilePath, String keyStorePassphrase) 
+                throws DnWhitelistX509TrustMgrInitException {
         TrustManagerFactory tmf = null;
                 try {
@@ -159 +176 @@
      * Instantiate based on property file settings
      * 
-     * @param keyStoreFilePath key store file path
-     * @param keyStorePassphrase pass-phrase for this key store - use null if
-     * none set
      * @param propertiesFile properties file enables static setting of DN 
      * whitelist - the list of peer certificate distinguished 
@@ -168 +182 @@
      * getting default trust manager
      */
-    public DnWhitelistX509TrustMgr(String keyStoreFilePath,
-                String keyStorePassphrase,
-                InputStream propertiesFile) throws 
+    public DnWhitelistX509TrustMgr(InputStream propertiesFile) throws 
                         DnWhitelistX509TrustMgrInitException {
-        this(keyStoreFilePath, keyStorePassphrase);
 
         // create application properties with default
@@ -184 +195 @@
                 }
                 
-                // DN values are stored in the property file as e.g.
-                //
-                // DnWhitelistX509TrustMgr.dn0 = ...
-                // DnWhitelistX509TrustMgr.dn1 = ...
-                // DnWhitelistX509TrustMgr.dn2 = ... 
-                //
-                // ... etc. 
+                // Key store file may be null in which case standard locations are
+                // searched instead
+                String keyStoreFilePath = applicationProps.getProperty(
+                        KEYSTORE_FILEPATH_PROP_NAME, null);
+                
+                String keyStorePassphrase = applicationProps.getProperty(
+                                KEYSTORE_PASSPHRASE_PROP_NAME, null);
+                
+                /* 
+                 * DN values are stored in the property file as e.g.
+                 *
+                 * DnWhitelistX509TrustMgr.dn0 = ...
+                 * DnWhitelistX509TrustMgr.dn1 = ...
+                 * DnWhitelistX509TrustMgr.dn2 = ... 
+                 *
+                 * ... etc. 
+                 */
                 String dnValue = null;
                 this.certificateDnWhiteList = new HashSet();
@@ -200 +221 @@
                         this.certificateDnWhiteList.add(new X500Principal(dnValue));
                 }
+                
+        _init(keyStoreFilePath, keyStorePassphrase);
     }
     
@@ -272 +295 @@
                 X500Principal peerCertDN = null;
                 
-                if (certificateDnWhiteList == null)
+                if (certificateDnWhiteList == null || certificateDnWhiteList.isEmpty())
                         return;
                 
@@ -283 +306 @@
                                         return;
                 }
-                throw new CertificateException("No match for peer certificate " + 
-                                peerCertDN + "against Certificate DN whitelist");
+                throw new CertificateException("No match for peer certificate \"" + 
+                                peerCertDN + "\" against Certificate DN whitelist");
         }
 

TI12-security/trunk/EsgYadisParser/src/org/earthsystemgrid/security/DnWhitelistX509TrustMgr.properties

@@ -14 +14 @@
 # @author pjkersha
 # @version $Revision$
-DnWhitelistX509TrustMgr.dn0 = CN=ceda.ac.uk, OU=RAL-SPBU, O=Science and Technology Facilities Council, C=GB
-DnWhitelistX509TrustMgr.dn1 = CN=localhost, OU=Test, O=Test Org
+org.earthsystemgrid.security.DnWhitelistX509TrustMgr.dn0 = CN=ceda.ac.uk, OU=RAL-SPBU, O=Science and Technology Facilities Council, C=GB
+org.earthsystemgrid.security.DnWhitelistX509TrustMgr.dn1 = CN=localhost, OU=Test, O=Test Org

TI12-security/trunk/EsgYadisParser/src/org/earthsystemgrid/security/yadis/YadisRetrieval.java

@@ -37 +37 @@
 public class YadisRetrieval
 {       
-        public static String retrieve(URL yadisURL) throws YadisRetrievalException 
-        {
-                // Experimenting with Trust Manager for whitelisting
-                X509TrustManager xtm;
-
-//              X500Principal [] whitelist = {
-//                              new X500Principal("CN=ceda.ac.uk, OU=RAL-SPBU, O=Science and Technology Facilities Council, C=GB")
-//              };
+        // Trust Manager enables DN whitelisting
+        protected X509TrustManager x509TrustMgr;
+        
+        /**
+         * Initialise SSL connection properties
+         * 
+         * @param propertiesFile input stream for properties file
+         * @throws YadisRetrievalException 
+         */
+        public YadisRetrieval(InputStream propertiesFile) throws YadisRetrievalException {
                 
-                InputStream propertiesFile = 
-                        DnWhitelistX509TrustMgr.class.getResourceAsStream(
-                                                                        "DnWhitelistX509TrustMgr.properties");
-                
-                // Create trust manager with given whitelist and default keystore
+                // Create trust manager with given whitelist and keystore settings
+                // read from properties file
                 try {
-                        xtm = new DnWhitelistX509TrustMgr(null, null, propertiesFile);
+                        x509TrustMgr = new DnWhitelistX509TrustMgr(propertiesFile);
+                        
                 } catch (DnWhitelistX509TrustMgrInitException e) {
                         throw new YadisRetrievalException("Creating trust manager", e);
                 }
-                
-                X509TrustManager tm[] = {xtm};
+        }
+        
+        /**
+         * Retrieve XRD document from Yadis endpoint
+         * 
+         * @param yadisURL URL to retrieve content from
+         * @return string containing the XRD document at the given URL
+         * @throws YadisRetrievalException
+         */
+        public String retrieve(URL yadisURL) throws YadisRetrievalException 
+        {               
                 SSLContext ctx = null;
                 try {
@@ -66 +75 @@
                 }
                 
+                X509TrustManager tm[] = {x509TrustMgr};
                 try {
                         ctx.init(null, tm, null);
@@ -73 +83 @@
                 
                 SSLSocketFactory socketFactory = ctx.getSocketFactory();
-
                 HttpsURLConnection connection = null;
                 try {
@@ -107 +116 @@
         }
         
-        // Retrieve and parse Yadis document returning the services it references
+        /**
+         *  Retrieve and parse Yadis document returning the services it references
+         *  
+         * @param yadisURL URL to retrieve content from
+         * @param targetTypes retrieve only this subset of target (service types).
+         * See to null to retrieve all types.
+         * @return list of services for this Yadis endpoint
+         * @throws XrdsParseException error parsing XRD document
+         * @throws YadisRetrievalException error GETing the content
+         */
         public List retrieveAndParse(URL yadisURL, Set targetTypes) throws 
                 XrdsParseException, YadisRetrievalException
@@ -121 +139 @@
         public static void main(String[] args) throws IOException
         {
-                YadisRetrieval yadis = new YadisRetrieval();
+                // Input Whitelist DNs as a string array
+                //      X500Principal [] whitelist = {
+                //      new X500Principal("CN=ceda.ac.uk, OU=RAL-SPBU, O=Science and Technology Facilities Council, C=GB")
+                //};
+                
+                // Input DNs from a file
+                InputStream propertiesFile = 
+                        DnWhitelistX509TrustMgr.class.getResourceAsStream(
+                                                                "DnWhitelistX509TrustMgr.properties");
+
+                YadisRetrieval yadis = null;
+                try {
+                        yadis = new YadisRetrieval(propertiesFile);
+                } catch (YadisRetrievalException e) {
+                        // TODO Auto-generated catch block
+                        e.printStackTrace();
+                }
                 
                 URL yadisURL = new URL("https://ceda.ac.uk/openid/Philip.Kershaw");
 //              URL yadisURL = new URL("https://localhost:7443/openid/PJKershaw");
+                
+                // 1) Retrieve as string content
                 String content = null;
                 try {
-                        content = YadisRetrieval.retrieve(yadisURL);
+                        content = yadis.retrieve(yadisURL);
+                        
                 } catch (YadisRetrievalException e) {
                         // TODO Auto-generated catch block
@@ -135 +172 @@
                 System.out.println("Yadis content = " + content);
                 
+                // 2) Retrieve as list of services
                 List<XrdsServiceElem> serviceElems = null;
+                
+                // Retrieve only services matching these type(s)
                 String elem [] = {"urn:esg:security:attribute-service"};
                 Set<String> targetTypes = new HashSet(Arrays.asList(elem));