2
* $Header: /home/cvs/jakarta-commons/httpclient/src/contrib/org/apache/commons/httpclient/contrib/ssl/AuthSSLProtocolSocketFactory.java,v 1.1.2.1 2004/06/09 21:07:41 olegk Exp $
4
* $Date: 2004/06/09 21:07:41 $
6
* ====================================================================
8
* Copyright 2002-2004 The Apache Software Foundation
10
* Licensed under the Apache License, Version 2.0 (the "License");
11
* you may not use this file except in compliance with the License.
12
* You may obtain a copy of the License at
14
* http://www.apache.org/licenses/LICENSE-2.0
16
* Unless required by applicable law or agreed to in writing, software
17
* distributed under the License is distributed on an "AS IS" BASIS,
18
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19
* See the License for the specific language governing permissions and
20
* limitations under the License.
21
* ====================================================================
23
* This software consists of voluntary contributions made by many
24
* individuals on behalf of the Apache Software Foundation. For more
25
* information on the Apache Software Foundation, please see
26
* <http://www.apache.org/>.
30
package org.apache.commons.httpclient.contrib.ssl;
32
import java.io.IOException;
33
import java.net.InetAddress;
34
import java.net.Socket;
36
import java.net.UnknownHostException;
37
import java.security.GeneralSecurityException;
38
import java.security.KeyStore;
39
import java.security.KeyStoreException;
40
import java.security.NoSuchAlgorithmException;
41
import java.security.UnrecoverableKeyException;
42
import java.security.cert.Certificate;
43
import java.security.cert.CertificateException;
44
import java.security.cert.X509Certificate;
45
import java.util.Enumeration;
47
import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;
48
import org.apache.commons.logging.Log;
49
import org.apache.commons.logging.LogFactory;
51
import com.sun.net.ssl.KeyManager;
52
import com.sun.net.ssl.KeyManagerFactory;
53
import com.sun.net.ssl.SSLContext;
54
import com.sun.net.ssl.TrustManager;
55
import com.sun.net.ssl.TrustManagerFactory;
56
import com.sun.net.ssl.X509TrustManager;
60
* AuthSSLProtocolSocketFactory can be used to validate the identity of the HTTPS
61
* server against a list of trusted certificates and to authenticate to the HTTPS
62
* server using a private key.
66
* AuthSSLProtocolSocketFactory will enable server authentication when supplied with
67
* a {@link KeyStore truststore} file containg one or several trusted certificates.
68
* The client secure socket will reject the connection during the SSL session handshake
69
* if the target HTTPS server attempts to authenticate itself with a non-trusted
74
* Use JDK keytool utility to import a trusted certificate and generate a truststore file:
76
* keytool -import -alias "my server cert" -file server.crt -keystore my.truststore
81
* AuthSSLProtocolSocketFactory will enable client authentication when supplied with
82
* a {@link KeyStore keystore} file containg a private key/public certificate pair.
83
* The client secure socket will use the private key to authenticate itself to the target
84
* HTTPS server during the SSL session handshake if requested to do so by the server.
85
* The target HTTPS server will in its turn verify the certificate presented by the client
86
* in order to establish client's authenticity
90
* Use the following sequence of actions to generate a keystore file
95
* Use JDK keytool utility to generate a new key
96
* <pre>keytool -genkey -v -alias "my client key" -validity 365 -keystore my.keystore</pre>
97
* For simplicity use the same password for the key as that of the keystore
102
* Issue a certificate signing request (CSR)
103
* <pre>keytool -certreq -alias "my client key" -file mycertreq.csr -keystore my.keystore</pre>
108
* Send the certificate request to the trusted Certificate Authority for signature.
109
* One may choose to act as her own CA and sign the certificate request using a PKI
110
* tool, such as OpenSSL.
115
* Import the trusted CA root certificate
116
* <pre>keytool -import -alias "my trusted ca" -file caroot.crt -keystore my.keystore</pre>
121
* Import the PKCS#7 file containg the complete certificate chain
122
* <pre>keytool -import -alias "my client key" -file mycert.p7 -keystore my.keystore</pre>
127
* Verify the content the resultant keystore file
128
* <pre>keytool -list -v -keystore my.keystore</pre>
133
* Example of using custom protocol socket factory for a specific host:
135
* Protocol authhttps = new Protocol("https",
136
* new AuthSSLProtocolSocketFactory(
137
* new URL("file:my.keystore"), "mypassword",
138
* new URL("file:my.truststore"), "mypassword"), 443);
140
* HttpClient client = new HttpClient();
141
* client.getHostConfiguration().setHost("localhost", 443, authhttps);
142
* // use relative url only
143
* GetMethod httpget = new GetMethod("/");
144
* client.executeMethod(httpget);
148
* Example of using custom protocol socket factory per default instead of the standard one:
150
* Protocol authhttps = new Protocol("https",
151
* new AuthSSLProtocolSocketFactory(
152
* new URL("file:my.keystore"), "mypassword",
153
* new URL("file:my.truststore"), "mypassword"), 443);
154
* Protocol.registerProtocol("https", authhttps);
156
* HttpClient client = new HttpClient();
157
* GetMethod httpget = new GetMethod("https://localhost/");
158
* client.executeMethod(httpget);
161
* @author <a href="mailto:oleg -at- ural.ru">Oleg Kalnichevski</a>
164
* DISCLAIMER: HttpClient developers DO NOT actively support this component.
165
* The component is provided as a reference material, which may be inappropriate
166
* to be used without additional customization.
170
public class AuthSSLProtocolSocketFactory implements SecureProtocolSocketFactory {
172
/** Log object for this class. */
173
private static final Log LOG = LogFactory.getLog(AuthSSLProtocolSocketFactory.class);
175
private URL keystoreUrl = null;
176
private String keystorePassword = null;
177
private URL truststoreUrl = null;
178
private String truststorePassword = null;
179
private SSLContext sslcontext = null;
182
* Constructor for AuthSSLProtocolSocketFactory. Either a keystore or truststore file
183
* must be given. Otherwise SSL context initialization error will result.
185
* @param keystoreUrl URL of the keystore file. May be <tt>null</tt> if HTTPS client
186
* authentication is not to be used.
187
* @param keystorePassword Password to unlock the keystore. IMPORTANT: this implementation
188
* assumes that the same password is used to protect the key and the keystore itself.
189
* @param truststoreUrl URL of the truststore file. May be <tt>null</tt> if HTTPS server
190
* authentication is not to be used.
191
* @param truststorePassword Password to unlock the truststore.
193
public AuthSSLProtocolSocketFactory(
194
final URL keystoreUrl, final String keystorePassword,
195
final URL truststoreUrl, final String truststorePassword)
198
this.keystoreUrl = keystoreUrl;
199
this.keystorePassword = keystorePassword;
200
this.truststoreUrl = truststoreUrl;
201
this.truststorePassword = truststorePassword;
204
private static KeyStore createKeyStore(final URL url, final String password)
205
throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException
208
throw new IllegalArgumentException("Keystore url may not be null");
210
LOG.debug("Initializing key store");
211
KeyStore keystore = KeyStore.getInstance("jks");
212
keystore.load(url.openStream(), password != null ? password.toCharArray(): null);
216
private static KeyManager[] createKeyManagers(final KeyStore keystore, final String password)
217
throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException
219
if (keystore == null) {
220
throw new IllegalArgumentException("Keystore may not be null");
222
LOG.debug("Initializing key manager");
223
KeyManagerFactory kmfactory = KeyManagerFactory.getInstance(
224
KeyManagerFactory.getDefaultAlgorithm());
225
kmfactory.init(keystore, password != null ? password.toCharArray(): null);
226
return kmfactory.getKeyManagers();
229
private static TrustManager[] createTrustManagers(final KeyStore keystore)
230
throws KeyStoreException, NoSuchAlgorithmException
232
if (keystore == null) {
233
throw new IllegalArgumentException("Keystore may not be null");
235
LOG.debug("Initializing trust manager");
236
TrustManagerFactory tmfactory = TrustManagerFactory.getInstance(
237
TrustManagerFactory.getDefaultAlgorithm());
238
tmfactory.init(keystore);
239
TrustManager[] trustmanagers = tmfactory.getTrustManagers();
240
for (int i = 0; i < trustmanagers.length; i++) {
241
if (trustmanagers[i] instanceof X509TrustManager) {
242
trustmanagers[i] = new AuthSSLX509TrustManager(
243
(X509TrustManager)trustmanagers[i]);
246
return trustmanagers;
249
private SSLContext createSSLContext() {
251
KeyManager[] keymanagers = null;
252
TrustManager[] trustmanagers = null;
253
if (this.keystoreUrl != null) {
254
KeyStore keystore = createKeyStore(this.keystoreUrl, this.keystorePassword);
255
if (LOG.isDebugEnabled()) {
256
Enumeration aliases = keystore.aliases();
257
while (aliases.hasMoreElements()) {
258
String alias = (String)aliases.nextElement();
259
Certificate[] certs = keystore.getCertificateChain(alias);
261
LOG.debug("Certificate chain '" + alias + "':");
262
for (int c = 0; c < certs.length; c++) {
263
if (certs[c] instanceof X509Certificate) {
264
X509Certificate cert = (X509Certificate)certs[c];
265
LOG.debug(" Certificate " + (c + 1) + ":");
266
LOG.debug(" Subject DN: " + cert.getSubjectDN());
267
LOG.debug(" Signature Algorithm: " + cert.getSigAlgName());
268
LOG.debug(" Valid from: " + cert.getNotBefore() );
269
LOG.debug(" Valid until: " + cert.getNotAfter());
270
LOG.debug(" Issuer: " + cert.getIssuerDN());
276
keymanagers = createKeyManagers(keystore, this.keystorePassword);
278
if (this.truststoreUrl != null) {
279
KeyStore keystore = createKeyStore(this.truststoreUrl, this.truststorePassword);
280
if (LOG.isDebugEnabled()) {
281
Enumeration aliases = keystore.aliases();
282
while (aliases.hasMoreElements()) {
283
String alias = (String)aliases.nextElement();
284
LOG.debug("Trusted certificate '" + alias + "':");
285
Certificate trustedcert = keystore.getCertificate(alias);
286
if (trustedcert != null && trustedcert instanceof X509Certificate) {
287
X509Certificate cert = (X509Certificate)trustedcert;
288
LOG.debug(" Subject DN: " + cert.getSubjectDN());
289
LOG.debug(" Signature Algorithm: " + cert.getSigAlgName());
290
LOG.debug(" Valid from: " + cert.getNotBefore() );
291
LOG.debug(" Valid until: " + cert.getNotAfter());
292
LOG.debug(" Issuer: " + cert.getIssuerDN());
296
trustmanagers = createTrustManagers(keystore);
298
SSLContext sslcontext = SSLContext.getInstance("SSL");
299
sslcontext.init(keymanagers, trustmanagers, null);
301
} catch (NoSuchAlgorithmException e) {
302
LOG.error(e.getMessage(), e);
303
throw new AuthSSLInitializationError("Unsupported algorithm exception: " + e.getMessage());
304
} catch (KeyStoreException e) {
305
LOG.error(e.getMessage(), e);
306
throw new AuthSSLInitializationError("Keystore exception: " + e.getMessage());
307
} catch (GeneralSecurityException e) {
308
LOG.error(e.getMessage(), e);
309
throw new AuthSSLInitializationError("Key management exception: " + e.getMessage());
310
} catch (IOException e) {
311
LOG.error(e.getMessage(), e);
312
throw new AuthSSLInitializationError("I/O error reading keystore/truststore file: " + e.getMessage());
316
private SSLContext getSSLContext() {
317
if (this.sslcontext == null) {
318
this.sslcontext = createSSLContext();
320
return this.sslcontext;
324
* @see SecureProtocolSocketFactory#createSocket(java.lang.String,int,java.net.InetAddress,int)
326
public Socket createSocket(
329
InetAddress clientHost,
331
throws IOException, UnknownHostException
333
return getSSLContext().getSocketFactory().createSocket(
342
* @see SecureProtocolSocketFactory#createSocket(java.lang.String,int)
344
public Socket createSocket(String host, int port)
345
throws IOException, UnknownHostException
347
return getSSLContext().getSocketFactory().createSocket(
354
* @see SecureProtocolSocketFactory#createSocket(java.net.Socket,java.lang.String,int,boolean)
356
public Socket createSocket(
361
throws IOException, UnknownHostException
363
return getSSLContext().getSocketFactory().createSocket(