From fb8225f1f805c0d9066f50fb7eb0dcaeef35be61 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Ale=C5=A1=20K=C5=99enek?= <ljocha@ics.muni.cz>
Date: Wed, 3 Jun 2009 08:39:06 +0000
Subject: [PATCH] switch to trustmanager, builds, not tested

---
 .../src/org/glite/lb/LBCredentials.java            |  89 ++++++--
 org.glite.lb.client-java/src/org/glite/lb/SSL.java | 233 ++++-----------------
 2 files changed, 115 insertions(+), 207 deletions(-)

diff --git a/org.glite.lb.client-java/src/org/glite/lb/LBCredentials.java b/org.glite.lb.client-java/src/org/glite/lb/LBCredentials.java
index 448365b..afc2b31 100644
--- a/org.glite.lb.client-java/src/org/glite/lb/LBCredentials.java
+++ b/org.glite.lb.client-java/src/org/glite/lb/LBCredentials.java
@@ -7,36 +7,52 @@ package org.glite.lb;
 
 import java.net.MalformedURLException;
 import java.net.URL;
+import java.util.Properties;
 import javax.xml.rpc.ServiceException;
-import org.apache.axis.AxisProperties;
+import javax.net.ssl.SSLContext;
+
+import org.apache.axis.SimpleTargetedChain;
+import org.apache.axis.Handler;
+import org.apache.axis.transport.http.HTTPTransport;
+import org.apache.axis.transport.http.SocketHolder;
+import org.apache.axis.SimpleChain;
+import org.apache.axis.configuration.SimpleProvider;
+
+import org.glite.security.trustmanager.ContextWrapper;
+import org.glite.security.trustmanager.axis.SSLConfigSender;
+
 import org.glite.wsdl.services.lb.LoggingAndBookkeepingLocator;
 import org.glite.wsdl.services.lb.LoggingAndBookkeepingPortType;
 
+
 /**
  * 
  */
 public class LBCredentials {
 
+    private String proxy;
+    private String caFiles;
+    private String key;
+    private String pass;
+    private String cert;
+
     public LBCredentials(String proxy, String caFiles) {
         if (proxy == null) throw new IllegalArgumentException("Proxy cannot be null");
-        if (caFiles == null) throw new IllegalArgumentException("caFiles cannot be null");
 
-        System.setProperty(org.glite.security.trustmanager.ContextWrapper.CREDENTIALS_PROXY_FILE, proxy);
-        System.setProperty(org.glite.security.trustmanager.ContextWrapper.CA_FILES, caFiles);
-        System.setProperty(org.glite.security.trustmanager.ContextWrapper.SSL_PROTOCOL, "SSLv3");
-        AxisProperties.setProperty("axis.socketSecureFactory","org.glite.security.trustmanager.axis.AXISSocketFactory");
+	this.proxy = new String(proxy);
+	if (caFiles != null) {
+		this.caFiles = new String(caFiles);
+	}
     }
 
     public LBCredentials(String userCert, String userKey, String userPass, String caFiles) {
-        if (userCert==null || userKey==null || userPass==null || caFiles==null)
-            throw new IllegalArgumentException("One of the parameters was null");
-
-        System.setProperty(org.glite.security.trustmanager.ContextWrapper.CREDENTIALS_CERT_FILE,userCert);
-		System.setProperty(org.glite.security.trustmanager.ContextWrapper.CREDENTIALS_KEY_FILE,userKey);
-		System.setProperty(org.glite.security.trustmanager.ContextWrapper.CREDENTIALS_KEY_PASSWD,userPass);
-        System.setProperty(org.glite.security.trustmanager.ContextWrapper.CA_FILES, caFiles);
-        System.setProperty(org.glite.security.trustmanager.ContextWrapper.SSL_PROTOCOL, "SSLv3");
-        AxisProperties.setProperty("axis.socketSecureFactory","org.glite.security.trustmanager.axis.AXISSocketFactory");
+        if (userCert==null || userKey==null)
+            throw new IllegalArgumentException("key and cert must not be null");
+
+	key = new String(userKey);
+	cert = new String(userCert);
+	if (userPass != null) pass = new String(userPass);
+        if (caFiles != null) this.caFiles = new String(caFiles);
     }
 
     protected LoggingAndBookkeepingPortType getStub(String server) throws LBException {
@@ -51,13 +67,52 @@ public class LBCredentials {
             if (!queryServerAddress.getProtocol().equals("https")) {
                 throw new IllegalArgumentException("wrong protocol");
             }
-            LoggingAndBookkeepingLocator loc = new LoggingAndBookkeepingLocator();
+
+	    Handler transport = new SimpleTargetedChain(new SimpleChain(),
+					new SSLConfigSender(makeConfig()),
+					new SimpleChain());
+	    SimpleProvider transportProvider = new SimpleProvider();
+	    transportProvider.deployTransport(HTTPTransport.DEFAULT_TRANSPORT_NAME, transport);
+            LoggingAndBookkeepingLocator loc = new LoggingAndBookkeepingLocator(transportProvider);
             return loc.getLoggingAndBookkeeping(queryServerAddress);
         } catch (ServiceException ex) {
             throw new LBException(ex);
         } catch (MalformedURLException ex) {
             throw new LBException(ex);
-        }
+        } catch (org.apache.axis.AxisFault ex) {
+            throw new LBException(ex);
+	}
     }
 
+    private Properties makeConfig() {
+	Properties cf = new java.util.Properties();
+
+	if (proxy != null) cf.put(ContextWrapper.CREDENTIALS_PROXY_FILE,proxy);
+	else {
+		cf.put(ContextWrapper.CREDENTIALS_CERT_FILE,cert);
+		cf.put(ContextWrapper.CREDENTIALS_KEY_FILE,key);
+		if (pass != null) cf.put(ContextWrapper.CREDENTIALS_KEY_PASSWD, pass);
+	}
+
+	if (caFiles != null) cf.put(ContextWrapper.CA_FILES,caFiles);
+	cf.put(ContextWrapper.SSL_PROTOCOL, "SSLv3");
+
+	return cf;
+    }
+
+    protected SSLContext getSSLContext() throws LBException {
+	ContextWrapper cw;
+
+	try {
+		cw = new ContextWrapper(makeConfig());
+	}
+	catch (java.io.IOException e) {
+		throw new LBException(e);
+	}
+	catch (java.security.GeneralSecurityException e) {
+		throw new LBException(e);
+	}
+	return cw.getContext();
+
+    }
 }
diff --git a/org.glite.lb.client-java/src/org/glite/lb/SSL.java b/org.glite.lb.client-java/src/org/glite/lb/SSL.java
index f185c6c..842b660 100644
--- a/org.glite.lb.client-java/src/org/glite/lb/SSL.java
+++ b/org.glite.lb.client-java/src/org/glite/lb/SSL.java
@@ -11,229 +11,82 @@ import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.util.Enumeration;
-import org.globus.cog.security.cert.request.BouncyCastleOpenSSLKey;
-import org.globus.gsi.GlobusCredential;
-import org.globus.gsi.GlobusCredentialException;
-import org.gridforum.jgss.ExtendedGSSCredential;
-import org.gridforum.jgss.ExtendedGSSManager;
-import org.ietf.jgss.GSSCredential;
-import org.ietf.jgss.GSSException;
+import org.glite.security.trustmanager.CRLFileTrustManager;
+import org.glite.security.trustmanager.UpdatingKeyManager;
 
 public class SSL {
 
     static final String proxyProp = "X509UserProxy";
 
-    /**
-     * Implementation of abstract class X509KeyManager. 
-     * It is used to manage X509 certificates which are used to authenticate
-     * the local side of a secure socket.
-     */
-    static class MyX509KeyManager implements X509KeyManager {
-
-        private X509Certificate[] certchain;
-        private PrivateKey key;
-
-        public MyX509KeyManager(Certificate[] cchain, PrivateKey key) {
-            this.certchain = new X509Certificate[cchain.length];
-	    System.arraycopy(cchain, 0, this.certchain, 0, cchain.length); 
-            this.key = key;
-        }
-
-        public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket
-socket) {
-/*
-            System.out.println("MyX509KeyManager.chooseClientAlias()");
-            for (int i = 0; i < keyType.length; i++) {
-                System.out.println("MyX509KeyManager.chooseClientAlias() keyType[" + i +
-"]=" + keyType[i]);
-            }
-            for (int i = 0; i < issuers.length; i++) {
-                System.out.println("MyX509KeyManager.chooseClientAlias() issuers[" + i +
-"]=" + issuers[i]);
-            }
-*/
-            return "";
-        }
-
-        public String chooseServerAlias(String keyType, Principal[] issuers, Socket
-socket) {
-/*
-            System.out.println("MyX509KeyManager.chooseServerAlias(" + keyType + ")");
-
-		if (issuers != null) for (int i=0; i<issuers.length; i++) 
-			System.out.println("	" + issuers[i]);
-*/
-	
-		return "";
-        }
-
-        public X509Certificate[] getCertificateChain(String alias) {
-//            System.out.println("MyX509KeyManager.getCertificateChain(" + alias + ")");
-            return certchain;
-        }
-
-        public String[] getClientAliases(String keyType, Principal[] issuers) {
-//            System.out.println("MyX509KeyManager.getClientAliases(" + keyType + ")");
-            return null;
-        }
-
-        public PrivateKey getPrivateKey(String alias) {
-//            System.out.println("MyX509KeyManager.getPrivateKey(" + alias + ")");
-            return key;
-        }
-
-        public String[] getServerAliases(String keyType, Principal[] issuers) {
-//            System.out.println("MyX509KeyManager.getServerAliases(" + keyType + ")");
-            return null;
-        }
-    }
-
-    /**
-     * Implementation of abstract class X509TrustManager.
-     * It is used to authenticate the remote side of a secure socket.
-     */
-    static class MyX509TrustManager implements X509TrustManager {
-
-        public X509Certificate[] getAcceptedIssuers() {
-            return null;
-        }
-
-        public void checkClientTrusted(X509Certificate[] certs, String authType) {
-            //System.out.println("X509TrustManager.checkClientTrusted(certs["+certs.length+"],"+authType+")");
-        }
-
-        public void checkServerTrusted(X509Certificate[] certs, String authType) throws
-                CertificateException {
-            //System.out.println("----X509TrustManager.checkServerTrusted-----");
-            //System.out.println("number of certs: "+certs.length+", authType="+authType);
-            //for(int i=0;i<certs.length;i++) {
-            //    System.out.println("cert["+i+"]="+certs[i].getSubjectDN());
-            //}
-            //System.out.println("--------------------------------------------");
-        }
-    }
 
     SSLContext sctx;
     SSLSocket client;
     SSLServerSocket server;
     SSLSession sess;
-    String proxy;
+    LBCredentials creds;
 
-    void init_ctx() throws KeyStoreException,NoSuchAlgorithmException,KeyManagementException {
+    void init_ctx() throws LBException {
 	    if (sctx == null) {
+	    	if (creds == null) throw new NullPointerException("credentials must be specfied");
 
-		if (proxy == null) proxy = System.getProperty(proxyProp);
-
-	        TrustManager[] trustAllCerts = new TrustManager[]{new MyX509TrustManager()};
-       	     	X509KeyManager[] myKeyManager = createX509KeyManager(proxy);
-       	     
-       	     	if (myKeyManager == null) {
-                	throw new NullPointerException("myKeyManager is null");
-            	}
-
-            	sctx = SSLContext.getInstance("SSLv3");
-            	sctx.init(myKeyManager, trustAllCerts, null);
+            	sctx = creds.getSSLContext();
 	    }
     }
 
-    public void setProxy(String p) {
-	    proxy = p;
+    public void setCredentials(LBCredentials c) {
+	    creds = c;
     }
 
-    public Socket connect(String host,int port,int timeout) throws KeyStoreException,NoSuchAlgorithmException,KeyManagementException,SocketException,IOException {
-
+    public Socket connect(String host,int port,int timeout) throws LBException {
 	    init_ctx();
 	    
-	    client = (SSLSocket) sctx.getSocketFactory().createSocket();
-
-            client.setEnabledProtocols(new String[]{"SSLv3"});
-            client.setUseClientMode(true);
-            client.setSoTimeout(timeout); //read timeout
-
-            client.connect(new InetSocketAddress(host, port), timeout); //connect timeout
-            client.startHandshake();
-
-            sess = client.getSession();
-            if (sess == null) {
-                throw new NullPointerException("null session");
-            }
+	    try {
+		    client = (SSLSocket) sctx.getSocketFactory().createSocket();
+	
+	            client.setEnabledProtocols(new String[]{"SSLv3"});
+	            client.setUseClientMode(true);
+	            client.setSoTimeout(timeout); //read timeout
+	
+	            client.connect(new InetSocketAddress(host, port), timeout); //connect timeout
+	            client.startHandshake();
+	
+	            sess = client.getSession();
+	            if (sess == null) {
+	                throw new NullPointerException("null session");
+	            }
+	    }
+	    catch (IOException e) { throw new LBException(e); }
 
 	    return client;
 	    //return new PrintStream(client.getOutputStream(),false);
     }
 
-    public Socket accept(int port,int timeout) 
-	    throws KeyStoreException,IOException,SocketException,NoSuchAlgorithmException,KeyManagementException
+    public Socket accept(int port,int timeout) throws LBException
     {
-
+	SSLSocket conn;
 	init_ctx();
 
-	server = (SSLServerSocket) sctx.getServerSocketFactory().createServerSocket();
-
-	server.setEnabledProtocols(new String[]{"SSLv3"});
-	server.setSoTimeout(timeout); 
-
-	server.bind(new InetSocketAddress(port));
-
-	SSLSocket conn = (SSLSocket) server.accept();
+	try {
+		server = (SSLServerSocket) sctx.getServerSocketFactory().createServerSocket();
+	
+		server.setEnabledProtocols(new String[]{"SSLv3"});
+		server.setSoTimeout(timeout); 
+	
+		server.bind(new InetSocketAddress(port));
+	
+		conn = (SSLSocket) server.accept();
+	}
+	catch (IOException e) { throw new LBException(e); }
 
 	return conn;
     }
 
-    public void close() throws IOException,SocketException {
+    public void close() throws LBException 
+    {
+	try {
 	    client.close();
+	}
+	catch (IOException e) { throw new LBException(e); }
     }
 
-    /**
-     * This methods reads user's certificate
-     * 
-     * @param ksfile path to certificate
-     * @return instance of KeyStore with certificate
-     * @throws java.security.KeyStoreException
-     * @throws java.security.cert.CertificateException
-     * @throws java.security.NoSuchAlgorithmException
-     * @throws java.io.IOException
-     */
-    X509KeyManager[] createX509KeyManager(String ksfile) throws KeyStoreException {
-
-        if (ksfile.endsWith(".pem") || !ksfile.contains(".")) {
-            return readPEM(ksfile);
-        }
-
-        throw new KeyStoreException("Unknown key store");
-    }
-
-    X509KeyManager[] readPEM(String ksfile) {
-        BufferedReader br = null;
-        BufferedInputStream pemFile = null;
-        ByteArrayInputStream bais = null;
-
-        X509KeyManager[] myX509KeyManager = null;
-        
-	try {
-            // read in the credential data
-            File f = new File(ksfile);
-            pemFile = new BufferedInputStream(new FileInputStream(f));
-            byte [] data = new byte[(int)f.length()];
-            pemFile.read(data);
-            
-            GlobusCredential gc = new GlobusCredential(ksfile);
-            Certificate[] cert = gc.getCertificateChain();
-
-            PrivateKey privateKey = gc.getPrivateKey();
-            myX509KeyManager = new X509KeyManager[]{new MyX509KeyManager(cert, privateKey)};
-        } catch (IOException ex) {
-            System.err.println(ex);
-        } catch (GlobusCredentialException ex) {
-            System.err.println(ex);
-        } finally {
-            try {
-                pemFile.close();
-            } catch (IOException ex) {
-                System.err.println(ex);
-            }
-        }
-
-        return myX509KeyManager;
-    }
 }
-- 
1.8.2.3