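/*
 * Copyright 1999-2004 The Apache Software Foundation
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.apache.tomcat.util.net.jsse;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CRL;
import java.security.cert.CRLException;
import java.security.cert.CertPathParameters;
import java.security.cert.CertStore;
import java.security.cert.CertStoreParameters;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.util.Collection;

import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.ManagerFactoryParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;

/**
 * SSL Socket Factory for JDK 1.5.
 * <p>
 * Adds CRL-based revocation checking on top of the 1.4 factory: when the
 * {@code crlFile} attribute is configured, the trust managers are built from
 * PKIX parameters that carry the CRLs and have revocation checking enabled.
 * Without that attribute the behaviour is exactly that of the superclass.
 *
 * @author Bill Barker
 */
public class JSSE15SocketFactory extends JSSE14SocketFactory {

    private static final org.apache.commons.logging.Log log =
        org.apache.commons.logging.LogFactory.getLog(JSSE15SocketFactory.class);

    public JSSE15SocketFactory() {
        super();
    }


    /**
     * Gets the initialized trust managers.
     * <p>
     * When no {@code crlFile} attribute is set this delegates to the 1.4
     * implementation. Otherwise the trust store is loaded and wrapped in the
     * CRL-aware PKIX parameters produced by {@link #getParameters}.
     *
     * @param keystoreType the key store type; also used for the trust store
     *        when no {@code truststoreType} attribute is configured
     * @param algorithm the trust manager algorithm; replaced by the platform
     *        default when no {@code truststoreAlgorithm} attribute is
     *        configured
     * @return the trust managers, or {@code null} if no trust store could be
     *         obtained
     * @throws Exception if the trust store or the CRL file cannot be loaded,
     *         or the algorithm does not support CRLs
     */
    @Override
    protected TrustManager[] getTrustManagers(String keystoreType, String algorithm)
        throws Exception {
        if (attributes.get("truststoreAlgorithm") == null) {
            // in 1.5, the Trust default isn't the same as the Key default.
            algorithm = TrustManagerFactory.getDefaultAlgorithm();
        }
        String crlf = (String) attributes.get("crlFile");
        if (crlf == null) {
            return super.getTrustManagers(keystoreType, algorithm);
        }

        String truststoreType = (String) attributes.get("truststoreType");
        if (truststoreType == null) {
            truststoreType = keystoreType;
        }
        KeyStore trustStore = getTrustStore(truststoreType);
        if (trustStore == null) {
            return null;
        }

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(algorithm);
        CertPathParameters params = getParameters(algorithm, crlf, trustStore);
        ManagerFactoryParameters mfp = new CertPathTrustManagerParameters(params);
        tmf.init(mfp);
        return tmf.getTrustManagers();
    }


    /**
     * Return the initialization parameters for the TrustManager.
     * Currently, only the default <code>PKIX</code> is supported.
     *
     * @param algorithm The algorithm to get parameters for.
     * @param crlf The path to the CRL file.
     * @param trustStore The configured TrustStore.
     * @return The parameters including the CRLs and TrustStore.
     * @throws CRLException if {@code algorithm} is not {@code PKIX}
     * @throws Exception if the CRL file or the certificate store cannot be
     *         loaded
     */
    protected CertPathParameters getParameters(String algorithm,
                                               String crlf,
                                               KeyStore trustStore)
        throws Exception {
        if (!"PKIX".equalsIgnoreCase(algorithm)) {
            throw new CRLException("CRLs not supported for type: " + algorithm);
        }
        PKIXBuilderParameters xparams =
            new PKIXBuilderParameters(trustStore, new X509CertSelector());
        Collection<? extends CRL> crls = getCRLs(crlf);
        CertStoreParameters csp = new CollectionCertStoreParameters(crls);
        CertStore store = CertStore.getInstance("Collection", csp);
        xparams.addCertStore(store);
        // Revocation is mandatory once a CRL file is configured; chains whose
        // issuer has no CRL in the store are expected to fail validation
        // rather than be accepted silently.
        xparams.setRevocationEnabled(true);
        String trustLength = (String) attributes.get("trustMaxCertLength");
        if (trustLength != null) {
            try {
                xparams.setMaxPathLength(Integer.parseInt(trustLength));
            } catch (IllegalArgumentException ex) {
                // Covers both an unparsable value (NumberFormatException) and
                // a value PKIX rejects; keep the PKIX default and warn rather
                // than fail startup.
                log.warn("Bad maxCertLength: " + trustLength);
            }
        }
        return xparams;
    }


    /**
     * Load the collection of CRLs.
     * <p>
     * A relative path is resolved against the {@code catalina.base} system
     * property. The file is always closed, even when parsing fails.
     *
     * @param crlf path to the CRL file, absolute or relative to
     *        {@code catalina.base}
     * @return the CRLs parsed from the file by the {@code X.509} factory
     * @throws IOException if the file cannot be opened or read
     * @throws CRLException if the file does not contain valid CRLs
     * @throws CertificateException if no {@code X.509} factory is available
     */
    protected Collection<? extends CRL> getCRLs(String crlf)
        throws IOException, CRLException, CertificateException {

        File crlFile = new File(crlf);
        if (!crlFile.isAbsolute()) {
            crlFile = new File(System.getProperty("catalina.base"), crlf);
        }
        // Obtain the factory before opening the file so there is nothing to
        // close if the factory lookup fails.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream is = new FileInputStream(crlFile);
        try {
            return cf.generateCRLs(is);
        } finally {
            try {
                is.close();
            } catch (IOException ex) {
                // Best effort: the CRLs are already parsed (or an exception
                // is already propagating), so only record the close failure.
                log.debug("Failed to close CRL file " + crlFile, ex);
            }
        }
    }

}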