author | Benoit Foucher <benoit@zeroc.com> | 2015-04-28 19:27:04 +0200 |
---|---|---|
committer | Benoit Foucher <benoit@zeroc.com> | 2015-04-28 19:27:04 +0200 |
commit | e6e102cc642e78cf9da55645c82f5bfe6eacb76d (patch) | |
tree | ab5861ee9ad2a909fa0dc8f25b1b12e0dd1d6527 /java/src | |
parent | Fixed ICE-6443 and other SSL fixes (diff) | |
Fixed previous commit which was incomplete
Diffstat (limited to 'java/src')
8 files changed, 227 insertions, 108 deletions
diff --git a/java/src/Ice/src/main/java/IceInternal/PropertyNames.java b/java/src/Ice/src/main/java/IceInternal/PropertyNames.java index d3660b21946..54868a2488f 100644 --- a/java/src/Ice/src/main/java/IceInternal/PropertyNames.java +++ b/java/src/Ice/src/main/java/IceInternal/PropertyNames.java @@ -6,7 +6,7 @@ // ICE_LICENSE file included in this distribution. // // ********************************************************************** -// Generated by makeprops.py from file ../config/PropertyNames.xml, Tue Dec 9 12:08:30 2014 +// Generated by makeprops.py from file ./config/PropertyNames.xml, Tue Apr 28 17:34:50 2015 // IMPORTANT: Do not edit this file -- any edits made here will be lost! @@ -188,6 +188,7 @@ public final class PropertyNames new Property("Ice\\.Warn\\.UnusedProperties", false, null), new Property("Ice\\.CacheMessageBuffers", false, null), new Property("Ice\\.ThreadInterruptSafe", false, null), + new Property("Ice\\.Voip", false, null), null }; @@ -969,8 +970,9 @@ public final class PropertyNames public static final Property IceSSLProps[] = { new Property("IceSSL\\.Alias", false, null), - new Property("IceSSL\\.CertAuthDir", false, null), - new Property("IceSSL\\.CertAuthFile", false, null), + new Property("IceSSL\\.CAs", false, null), + new Property("IceSSL\\.CertAuthDir", true, null), + new Property("IceSSL\\.CertAuthFile", true, null), new Property("IceSSL\\.CertStore", false, null), new Property("IceSSL\\.CertFile", false, null), new Property("IceSSL\\.CertVerifier", false, null), 
@@ -982,10 +984,10 @@ public final class PropertyNames new Property("IceSSL\\.DHParams", false, null), new Property("IceSSL\\.EntropyDaemon", false, null), new Property("IceSSL\\.FindCert", false, null), - new Property("IceSSL\\.FindCert\\.[^\\s]+", false, null), + new Property("IceSSL\\.FindCert\\.[^\\s]+", true, null), new Property("IceSSL\\.ImportCert\\.[^\\s]+", true, null), new Property("IceSSL\\.InitOpenSSL", false, null), - new Property("IceSSL\\.KeyFile", false, null), + new Property("IceSSL\\.KeyFile", true, null), new Property("IceSSL\\.KeySet", false, null), new Property("IceSSL\\.Keychain", false, null), new Property("IceSSL\\.KeychainPassword", false, null), @@ -1008,6 +1010,7 @@ public final class PropertyNames new Property("IceSSL\\.Truststore", false, null), new Property("IceSSL\\.TruststorePassword", false, null), new Property("IceSSL\\.TruststoreType", false, null), + new Property("IceSSL\\.UsePlatformCAs", false, null), new Property("IceSSL\\.VerifyDepthMax", false, null), new Property("IceSSL\\.VerifyPeer", false, null), null diff --git a/java/src/Ice/src/main/java/IceInternal/TcpEndpointI.java b/java/src/Ice/src/main/java/IceInternal/TcpEndpointI.java index be274252438..a4547612335 100644 --- a/java/src/Ice/src/main/java/IceInternal/TcpEndpointI.java +++ b/java/src/Ice/src/main/java/IceInternal/TcpEndpointI.java @@ -9,7 +9,7 @@ package IceInternal; -final class TcpEndpointI extends IPEndpointI +final class TcpEndpointI extends IPEndpointI implements WSEndpointDelegate { public TcpEndpointI(ProtocolInstance instance, String ho, int po, java.net.InetSocketAddress sourceAddr, int ti, String conId, boolean co) 
@@ -40,27 +40,57 @@ final class TcpEndpointI extends IPEndpointI public Ice.EndpointInfo getInfo() { Ice.TCPEndpointInfo info = new Ice.TCPEndpointInfo() + { + @Override + public short type() { - @Override - public short type() - { - return TcpEndpointI.this.type(); - } + return TcpEndpointI.this.type(); + } - @Override - public boolean datagram() - { - return TcpEndpointI.this.datagram(); - } + @Override + public boolean datagram() + { + return TcpEndpointI.this.datagram(); + } - @Override - public boolean secure() - { - return TcpEndpointI.this.secure(); - } - }; + @Override + public boolean secure() + { + return TcpEndpointI.this.secure(); + } + }; + fillEndpointInfo(info); + return info; + } + + // + // Return the WebSocket endpoint information. + // + @Override + public Ice.EndpointInfo getWSInfo(String resource) + { + Ice.WSEndpointInfo info = new Ice.WSEndpointInfo() + { + @Override + public short type() + { + return TcpEndpointI.this.type(); + } + @Override + public boolean datagram() + { + return TcpEndpointI.this.datagram(); + } + + @Override + public boolean secure() + { + return TcpEndpointI.this.secure(); + } + }; fillEndpointInfo(info); + info.resource = resource; return info; } diff --git a/java/src/Ice/src/main/java/IceInternal/TcpTransceiver.java b/java/src/Ice/src/main/java/IceInternal/TcpTransceiver.java index 997ddc09d8c..94a5717b02d 100644 --- a/java/src/Ice/src/main/java/IceInternal/TcpTransceiver.java +++ b/java/src/Ice/src/main/java/IceInternal/TcpTransceiver.java @@ -9,7 +9,7 @@ package IceInternal; -final class TcpTransceiver implements Transceiver +final class TcpTransceiver implements Transceiver, WSTransceiverDelegate { @Override public java.nio.channels.SelectableChannel fd() 
@@ -79,22 +79,16 @@ final class TcpTransceiver implements Transceiver public Ice.ConnectionInfo getInfo() { Ice.TCPConnectionInfo info = new Ice.TCPConnectionInfo(); - if(_stream.fd() != null) - { - java.net.Socket socket = _stream.fd().socket(); - info.localAddress = socket.getLocalAddress().getHostAddress(); - info.localPort = socket.getLocalPort(); - if(socket.getInetAddress() != null) - { - info.remoteAddress = socket.getInetAddress().getHostAddress(); - info.remotePort = socket.getPort(); - } - if(!socket.isClosed()) - { - info.rcvSize = Network.getRecvBufferSize(_stream.fd()); - info.sndSize = Network.getSendBufferSize(_stream.fd()); - } - } + fillConnectionInfo(info); + return info; + } + + @Override + public Ice.ConnectionInfo getWSInfo(java.util.Map<String, String> headers) + { + Ice.WSConnectionInfo info = new Ice.WSConnectionInfo(); + fillConnectionInfo(info); + info.headers = headers; // Provided header is a copy so no need to clone here. return info; } @@ -115,6 +109,26 @@ final class TcpTransceiver implements Transceiver _stream = stream; } + private void fillConnectionInfo(Ice.IPConnectionInfo info) + { + if(_stream.fd() != null) + { + java.net.Socket socket = _stream.fd().socket(); + info.localAddress = socket.getLocalAddress().getHostAddress(); + info.localPort = socket.getLocalPort(); + if(socket.getInetAddress() != null) + { + info.remoteAddress = socket.getInetAddress().getHostAddress(); + info.remotePort = socket.getPort(); + } + if(!socket.isClosed()) + { + info.rcvSize = Network.getRecvBufferSize(_stream.fd()); + info.sndSize = Network.getSendBufferSize(_stream.fd()); + } + } + } + final private ProtocolInstance _instance; final private StreamSocket _stream; } diff --git a/java/src/Ice/src/main/java/IceInternal/WSEndpoint.java b/java/src/Ice/src/main/java/IceInternal/WSEndpoint.java index 7716771e919..dd64dbfb8af 100644 --- a/java/src/Ice/src/main/java/IceInternal/WSEndpoint.java +++ b/java/src/Ice/src/main/java/IceInternal/WSEndpoint.java 
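Review bot: `info.headers = headers;` in the new TcpTransceiver.getWSInfo stores the caller's map by reference, and the justification on that line (`// Provided header is a copy so no need to clone here.`) is a promise only the caller can keep — the one caller visible in this commit is WSTransceiver.getInfo passing `_parser.getHeaders()`, whose copy semantics are outside the diff. Copying at the assignment, `info.headers = new java.util.HashMap<String, String>(headers);`, makes the contract local and keeps the returned ConnectionInfo stable if the parser's map is later reused or mutated. The identical line appears in IceSSL.TransceiverI.getWSInfo in the last file of this commit. If the copy really is guaranteed upstream, the comment should at least name where, so the assumption can be checked when the parser changes.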
@@ -41,29 +41,8 @@ final class WSEndpoint extends IceInternal.EndpointI @Override public Ice.EndpointInfo getInfo() { - Ice.WSEndpointInfo info = new Ice.WSEndpointInfo() - { - @Override - public short type() - { - return WSEndpoint.this.type(); - } - - @Override - public boolean datagram() - { - return WSEndpoint.this.datagram(); - } - - @Override - public boolean secure() - { - return WSEndpoint.this.secure(); - } - }; - _delegate.fillEndpointInfo(info); - info.resource = _resource; - return info; + assert(_delegate instanceof WSEndpointDelegate); + return ((WSEndpointDelegate)_delegate).getWSInfo(_resource); } @Override diff --git a/java/src/Ice/src/main/java/IceInternal/WSTransceiver.java b/java/src/Ice/src/main/java/IceInternal/WSTransceiver.java index fa8e1279fb2..d4ceb98f777 100644 --- a/java/src/Ice/src/main/java/IceInternal/WSTransceiver.java +++ b/java/src/Ice/src/main/java/IceInternal/WSTransceiver.java @@ -478,16 +478,8 @@ final class WSTransceiver implements Transceiver @Override public Ice.ConnectionInfo getInfo() { - Ice.IPConnectionInfo di = (Ice.IPConnectionInfo)_delegate.getInfo(); - Ice.WSConnectionInfo info = new Ice.WSConnectionInfo(); - info.localAddress = di.localAddress; - info.localPort = di.localPort; - info.remoteAddress = di.remoteAddress; - info.remotePort = di.remotePort; - info.rcvSize = di.rcvSize; - info.sndSize = di.sndSize; - info.headers = _parser.getHeaders(); - return info; + assert(_delegate instanceof WSTransceiverDelegate); + return ((WSTransceiverDelegate)_delegate).getWSInfo(_parser.getHeaders()); } @Override diff --git a/java/src/Ice/src/main/java/IceSSL/EndpointI.java b/java/src/Ice/src/main/java/IceSSL/EndpointI.java index 8a922bf4e0d..266d59ce306 100644 --- a/java/src/Ice/src/main/java/IceSSL/EndpointI.java +++ b/java/src/Ice/src/main/java/IceSSL/EndpointI.java 
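Review bot: The new `assert(_delegate instanceof WSEndpointDelegate);` guards nothing at runtime unless the JVM runs with `-ea`, so with assertions off a delegate that does not implement the interface fails on the next line's cast with a bare ClassCastException; the WSTransceiver.getInfo hunk below has the same pattern with WSTransceiverDelegate. Since every delegate touched in this commit now implements its delegate interface, the cleaner fix is to give `_delegate` (declared outside this hunk) a type that carries the interface, or to replace the assert with an explicit check: `if(!(_delegate instanceof WSEndpointDelegate)) { throw new IllegalStateException("endpoint delegate " + _delegate.getClass().getName() + " is not a WSEndpointDelegate"); }`. Either way the failure is reported identically whether or not assertions are enabled.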
@@ -9,7 +9,7 @@ package IceSSL; -final class EndpointI extends IceInternal.IPEndpointI +final class EndpointI extends IceInternal.IPEndpointI implements IceInternal.WSEndpointDelegate { public EndpointI(Instance instance, String ho, int po, java.net.InetSocketAddress sourceAddr, int ti, String conId, boolean co) @@ -43,27 +43,57 @@ final class EndpointI extends IceInternal.IPEndpointI public Ice.EndpointInfo getInfo() { Ice.IPEndpointInfo info = new IceSSL.EndpointInfo() + { + @Override + public short type() { - @Override - public short type() - { - return EndpointI.this.type(); - } + return EndpointI.this.type(); + } - @Override - public boolean datagram() - { - return EndpointI.this.datagram(); - } + @Override + public boolean datagram() + { + return EndpointI.this.datagram(); + } - @Override - public boolean secure() - { - return EndpointI.this.secure(); - } - }; + @Override + public boolean secure() + { + return EndpointI.this.secure(); + } + }; + fillEndpointInfo(info); + return info; + } + + // + // Return the secure WebSocket endpoint information. + // + @Override + public Ice.EndpointInfo getWSInfo(String resource) + { + IceSSL.WSSEndpointInfo info = new IceSSL.WSSEndpointInfo() + { + @Override + public short type() + { + return EndpointI.this.type(); + } + @Override + public boolean datagram() + { + return EndpointI.this.datagram(); + } + + @Override + public boolean secure() + { + return EndpointI.this.secure(); + } + }; fillEndpointInfo(info); + info.resource = resource; return info; } diff --git a/java/src/Ice/src/main/java/IceSSL/SSLEngine.java b/java/src/Ice/src/main/java/IceSSL/SSLEngine.java index bacb4a9cf26..daf4efdbc12 100644 --- a/java/src/Ice/src/main/java/IceSSL/SSLEngine.java +++ b/java/src/Ice/src/main/java/IceSSL/SSLEngine.java 
@@ -507,20 +507,70 @@ class SSLEngine } } } - else - { - ts = keys; - } // - // Collect the trust managers. + // Collect the trust managers. Use IceSSL.Truststore if + // specified, otherwise use the Java root CAs if + // Ice.Use.PlatformCAs is enabled. If none of these are enabled, + // use the keystore or a dummy trust manager which rejects any + // certificate. // javax.net.ssl.TrustManager[] trustManagers = null; { String algorithm = javax.net.ssl.TrustManagerFactory.getDefaultAlgorithm(); javax.net.ssl.TrustManagerFactory tmf = javax.net.ssl.TrustManagerFactory.getInstance(algorithm); - tmf.init(ts); - trustManagers = tmf.getTrustManagers(); + java.security.KeyStore trustStore = null; + if(ts != null) + { + trustStore = ts; + } + else if(properties.getPropertyAsInt("IceSSL.UsePlatformCAs") <= 0) + { + if(keys != null) + { + trustStore = keys; + } + else + { + trustManagers = new javax.net.ssl.TrustManager[] + { + new javax.net.ssl.X509TrustManager() + { + @Override + public void + checkClientTrusted(X509Certificate[] chain, String authType) + throws CertificateException + { + throw new CertificateException("no trust anchors"); + } + + @Override + public void + checkServerTrusted(X509Certificate[] chain, String authType) + throws CertificateException + { + throw new CertificateException("no trust anchors"); + } + + @Override + public X509Certificate[] + getAcceptedIssuers() + { + return new X509Certificate[0]; + } + } + }; + } + } + else + { + trustStore = null; + } + if(trustManagers == null) + { + tmf.init(trustStore); + trustManagers = tmf.getTrustManagers(); + } assert(trustManagers != null); } 
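Review bot: The new comment above the trust-manager block names `Ice.Use.PlatformCAs`, but the code two branches down reads `IceSSL.UsePlatformCAs` (and that is the name registered in PropertyNames.java in this same commit); the comment should say `IceSSL.UsePlatformCAs`. The comment also understates the behavioural change: before this hunk a configuration with neither truststore nor keystore fell through `ts = keys` to `tmf.init(null)`, i.e. the JVM default CAs, whereas now it installs the anonymous X509TrustManager that throws `no trust anchors` for every peer, so platform CAs are used only when IceSSL.UsePlatformCAs is set — a fail-closed default worth stating, e.g. `// With no truststore, no keystore and IceSSL.UsePlatformCAs unset, every peer certificate is rejected (fail closed).` Two smaller points: `else { trustStore = null; }` is a no-op because `trustStore` is initialised to null, and the inline rejecting trust manager would read better as a small private static nested class carrying that comment. The enclosing method begins and continues outside this hunk.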
@@ -537,11 +587,17 @@ class SSLEngine X509Certificate[] certs = ((javax.net.ssl.X509TrustManager)tm).getAcceptedIssuers(); for(X509Certificate cert : certs) { - anchors.add(new TrustAnchor(cert, null)); + if(cert.getBasicConstraints() >= 0) // Only add CAs + { + anchors.add(new TrustAnchor(cert, null)); + } } } - _validatorParams = new PKIXParameters(anchors); - _validatorParams.setRevocationEnabled(false); + if(!anchors.isEmpty()) + { + _validatorParams = new PKIXParameters(anchors); + _validatorParams.setRevocationEnabled(false); + } // // Wrap each trust manager. @@ -575,6 +631,11 @@ class SSLEngine Certificate[] getVerifiedCertificateChain(Certificate[] chain) { + if(_validatorParams == null) + { + return null; // Couldn't validate the given certificate chain. + } + List<Certificate> certs = new ArrayList<Certificate>(java.util.Arrays.asList(chain)); try { diff --git a/java/src/Ice/src/main/java/IceSSL/TransceiverI.java b/java/src/Ice/src/main/java/IceSSL/TransceiverI.java index c9de921c8f4..89828ffa495 100644 --- a/java/src/Ice/src/main/java/IceSSL/TransceiverI.java +++ b/java/src/Ice/src/main/java/IceSSL/TransceiverI.java @@ -13,7 +13,7 @@ import java.nio.*; import javax.net.ssl.*; import javax.net.ssl.SSLEngineResult.*; -final class TransceiverI implements IceInternal.Transceiver +final class TransceiverI implements IceInternal.Transceiver, IceInternal.WSTransceiverDelegate { @Override public java.nio.channels.SelectableChannel fd() @@ -39,7 +39,7 @@ final class TransceiverI implements IceInternal.Transceiver // // Additional verification. // - _instance.verifyPeer(getNativeConnectionInfo(), _stream.fd(), _host); + _instance.verifyPeer((NativeConnectionInfo)getInfo(), _stream.fd(), _host); if(_instance.securityTraceLevel() >= 1) { 
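Review bot: The `cert.getBasicConstraints() >= 0` filter drops certificates silently: getBasicConstraints() returns -1 both for end-entity certificates and for v1 certificates that carry no BasicConstraints extension at all, so an operator whose truststore holds such a root ends up with an empty `anchors` set, `_validatorParams` stays null, and `getVerifiedCertificateChain` (third hunk of this file) then returns null for every chain — each connection reports `verified == false` with nothing logged to explain why. Add a warning when `anchors.isEmpty()` after the loop (the engine's logger or trace facility is outside this hunk) and make the comment say what is excluded: `// Only add CAs: getBasicConstraints() is -1 for end-entity certs and for v1 certs lacking the extension.` The early return in getVerifiedCertificateChain would likewise be clearer as `// No usable trust anchors were configured, so no chain can be validated.` than `Couldn't validate the given certificate chain`.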
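Review bot: `_instance.verifyPeer((NativeConnectionInfo)getInfo(), _stream.fd(), _host);` replaces the removed typed helper getNativeConnectionInfo() with a downcast of the public getInfo(), which the compiler can no longer check; it holds today only because the new getInfo() body (next file hunk) always constructs a NativeConnectionInfo, and nothing ties the two lines together. Keeping a private typed accessor — the body of the new getInfo(), returning NativeConnectionInfo — and calling it from both getInfo() and this verifyPeer line puts that knowledge in one place and removes the cast. This is a style point; the behaviour of the cast is correct as committed.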
@@ -233,7 +233,18 @@ final class TransceiverI implements IceInternal.Transceiver @Override public Ice.ConnectionInfo getInfo() { - return getNativeConnectionInfo(); + NativeConnectionInfo info = new NativeConnectionInfo(); + info.nativeCerts = fillConnectionInfo(info); + return info; + } + + @Override + public Ice.ConnectionInfo getWSInfo(java.util.Map<String, String> headers) + { + WSSNativeConnectionInfo info = new WSSNativeConnectionInfo(); + info.nativeCerts = fillConnectionInfo(info); + info.headers = headers; // Provided header is a copy so no need to clone here. + return info; } @Override @@ -267,12 +278,12 @@ final class TransceiverI implements IceInternal.Transceiver } } - private NativeConnectionInfo getNativeConnectionInfo() + private java.security.cert.Certificate[] fillConnectionInfo(ConnectionInfo info) { // // This can only be called on an open transceiver. // - NativeConnectionInfo info = new NativeConnectionInfo(); + java.security.cert.Certificate[] nativeCerts = null; if(_stream.fd() != null) { java.net.Socket socket = _stream.fd().socket(); @@ -305,10 +316,9 @@ final class TransceiverI implements IceInternal.Transceiver java.security.cert.Certificate[] pcerts = session.getPeerCertificates(); java.security.cert.Certificate[] vcerts = _instance.engine().getVerifiedCertificateChain(pcerts); info.verified = vcerts != null; - info.nativeCerts = vcerts != null ? vcerts : pcerts; - + nativeCerts = vcerts != null ? vcerts : pcerts; java.util.ArrayList<String> certs = new java.util.ArrayList<String>(); - for(java.security.cert.Certificate c : info.nativeCerts) + for(java.security.cert.Certificate c : nativeCerts) { StringBuilder s = new StringBuilder("-----BEGIN CERTIFICATE-----\n"); s.append(IceUtilInternal.Base64.encode(c.getEncoded())); @@ -327,7 +337,7 @@ final class TransceiverI implements IceInternal.Transceiver } info.adapterName = _adapterName; info.incoming = _incoming; - return info; + return nativeCerts; } private int handshakeNonBlocking() |