Diffstat (limited to 'java/src')
7 files changed, 21 insertions, 63 deletions
diff --git a/java/src/Ice/src/main/java/com/zeroc/IceSSL/CertificateVerifier.java b/java/src/Ice/src/main/java/com/zeroc/IceSSL/CertificateVerifier.java
index a78009c865f..9210f8a703d 100644
--- a/java/src/Ice/src/main/java/com/zeroc/IceSSL/CertificateVerifier.java
+++ b/java/src/Ice/src/main/java/com/zeroc/IceSSL/CertificateVerifier.java
@@ -22,5 +22,5 @@ public interface CertificateVerifier
 * @return <code>true</code> if the connection should be accepted;
 * <code>false</code>, otherwise.
 **/
- boolean verify(NativeConnectionInfo info);
+ boolean verify(ConnectionInfo info);
 }
diff --git a/java/src/Ice/src/main/java/com/zeroc/IceSSL/Instance.java b/java/src/Ice/src/main/java/com/zeroc/IceSSL/Instance.java
index 6612814e329..4302a129fc4 100644
--- a/java/src/Ice/src/main/java/com/zeroc/IceSSL/Instance.java
+++ b/java/src/Ice/src/main/java/com/zeroc/IceSSL/Instance.java
@@ -47,7 +47,7 @@ class Instance extends com.zeroc.IceInternal.ProtocolInstance
 _engine.traceConnection(desc, engine, incoming);
 }
 
- void verifyPeer(String address, NativeConnectionInfo info, String desc)
+ void verifyPeer(String address, ConnectionInfo info, String desc)
 {
 _engine.verifyPeer(address, info, desc);
 }
diff --git a/java/src/Ice/src/main/java/com/zeroc/IceSSL/NativeConnectionInfo.java b/java/src/Ice/src/main/java/com/zeroc/IceSSL/NativeConnectionInfo.java
deleted file mode 100644
index 4815c468641..00000000000
--- a/java/src/Ice/src/main/java/com/zeroc/IceSSL/NativeConnectionInfo.java
+++ /dev/null
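Review bot: The contract for the certificate chain that `verify` receives is lost with this signature change — the Javadoc of the deleted NativeConnectionInfo.java (next hunk) stated that the chain "may be null if the peer did not supply a certificate" and that the peer's own certificate is the first element, and nothing in this hunk carries that text over to the `ConnectionInfo` parameter. That nullability is real: TransceiverI in this commit only assigns `_certs` inside the try block and leaves it unset when the handshake throws SSLPeerUnverifiedException, so implementers must expect `info.certs == null`. I would extend the method's Javadoc, which begins above the hunk, with `@param info The connection info; <code>info.certs</code> holds the peer's chain (peer certificate first) or is <code>null</code> when no certificate was supplied.` Whether the existing `@param info` line already says this cannot be seen from the hunk.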
@@ -1,28 +0,0 @@
-// **********************************************************************
-//
-// Copyright (c) 2003-2017 ZeroC, Inc. All rights reserved.
-//
-// This copy of Ice is licensed to you under the terms described in the
-// ICE_LICENSE file included in this distribution.
-//
-// **********************************************************************
-
-package com.zeroc.IceSSL;
-
-/**
- *
- * This class is a native extension of the Slice local class
- * IceSSL::ConnectionInfo. It provides access to the native Java
- * certificates.
- *
- * @see CertificateVerifier
- **/
-public class NativeConnectionInfo extends ConnectionInfo
-{
- /**
- * The certificate chain. This may be null if the peer did not
- * supply a certificate. The peer's certificate (if any) is the
- * first one in the chain.
- **/
- public java.security.cert.Certificate[] nativeCerts;
-}
diff --git a/java/src/Ice/src/main/java/com/zeroc/IceSSL/SSLEngine.java b/java/src/Ice/src/main/java/com/zeroc/IceSSL/SSLEngine.java
index 048c63c081e..da0ba6d11d0 100644
--- a/java/src/Ice/src/main/java/com/zeroc/IceSSL/SSLEngine.java
+++ b/java/src/Ice/src/main/java/com/zeroc/IceSSL/SSLEngine.java
@@ -976,7 +976,7 @@ class SSLEngine
 return _communicator;
 }
 
- void verifyPeer(String address, NativeConnectionInfo info, String desc)
+ void verifyPeer(String address, ConnectionInfo info, String desc)
 {
 //
 // IceSSL.VerifyPeer is translated into the proper SSLEngine configuration
@@ -990,10 +990,10 @@ class SSLEngine
 }
 }
 
- if(_verifyDepthMax > 0 && info.nativeCerts != null && info.nativeCerts.length > _verifyDepthMax)
+ if(_verifyDepthMax > 0 && info.certs != null && info.certs.length > _verifyDepthMax)
 {
 String msg = (info.incoming ? "incoming" : "outgoing") + " connection rejected:\n" +
- "length of peer's certificate chain (" + info.nativeCerts.length + ") exceeds maximum of " +
+ "length of peer's certificate chain (" + info.certs.length + ") exceeds maximum of " +
 _verifyDepthMax + "\n" + desc;
 if(_securityTraceLevel >= 1)
 {
diff --git a/java/src/Ice/src/main/java/com/zeroc/IceSSL/TransceiverI.java b/java/src/Ice/src/main/java/com/zeroc/IceSSL/TransceiverI.java
index b69a8858564..6cc60684096 100644
--- a/java/src/Ice/src/main/java/com/zeroc/IceSSL/TransceiverI.java
+++ b/java/src/Ice/src/main/java/com/zeroc/IceSSL/TransceiverI.java
@@ -74,29 +74,17 @@ final class TransceiverI implements com.zeroc.IceInternal.Transceiver
 java.security.cert.Certificate[] pcerts = session.getPeerCertificates();
 java.security.cert.Certificate[] vcerts = _instance.engine().getVerifiedCertificateChain(pcerts);
 _verified = vcerts != null;
- _nativeCerts = _verified ? vcerts : pcerts;
- java.util.ArrayList<String> certs = new java.util.ArrayList<>();
- for(java.security.cert.Certificate c : _nativeCerts)
- {
- StringBuilder s = new StringBuilder("-----BEGIN CERTIFICATE-----\n");
- s.append(Base64.getEncoder().encodeToString(c.getEncoded()));
- s.append("\n-----END CERTIFICATE-----");
- certs.add(s.toString());
- }
- _certs = certs.toArray(new String[certs.size()]);
+ _certs = _verified ? vcerts : pcerts;
 }
 catch(javax.net.ssl.SSLPeerUnverifiedException ex)
 {
 // No peer certificates.
 }
- catch(java.security.cert.CertificateEncodingException ex)
- {
- }
 
 //
 // Additional verification.
 //
- _instance.verifyPeer(_host, (NativeConnectionInfo)getInfo(), _delegate.toString());
+ _instance.verifyPeer(_host, (com.zeroc.IceSSL.ConnectionInfo)getInfo(), _delegate.toString());
 
 if(_instance.securityTraceLevel() >= 1)
 {
@@ -293,14 +281,13 @@ final class TransceiverI implements com.zeroc.IceInternal.Transceiver
 @Override
 public com.zeroc.Ice.ConnectionInfo getInfo()
 {
- NativeConnectionInfo info = new NativeConnectionInfo();
+ ConnectionInfo info = new ConnectionInfo();
 info.underlying = _delegate.getInfo();
 info.incoming = _incoming;
 info.adapterName = _adapterName;
 info.cipher = _cipher;
 info.certs = _certs;
 info.verified = _verified;
- info.nativeCerts = _nativeCerts;
 return info;
 }
 
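Review bot: The cast `(com.zeroc.IceSSL.ConnectionInfo)getInfo()` spells out the package even though the file lives in com.zeroc.IceSSL and the getInfo() hunk below uses the simple name in `new ConnectionInfo()`; the two should agree, e.g. `_instance.verifyPeer(_host, (ConnectionInfo)getInfo(), _delegate.toString());`, unless an import of com.zeroc.Ice.ConnectionInfo outside the hunk makes the simple name ambiguous. The removed PEM-encoding loop was the only visible user of `Base64` here, so the corresponding import, which is outside the hunk, is likely unused now and should go with it. The enclosing method begins before and ends after this hunk.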
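Review bot: `info.certs = _certs;` hands the transceiver's own `java.security.cert.Certificate[]` to every caller of getInfo(), including the CertificateVerifier reached through `verifyPeer` in the hunk above, so a callee that writes into the array changes the chain that later getInfo() calls, `TrustManager.verify` and SSLEngine's depth check all read. The same aliasing existed with `nativeCerts`, but now that this is the only plugin-facing copy of the chain a defensive copy is cheap and keeps the verified chain immutable from the plugin's point of view: `info.certs = _certs == null ? null : _certs.clone();`.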
@@ -594,7 +581,6 @@ final class TransceiverI implements com.zeroc.IceInternal.Transceiver
 private static ByteBuffer _emptyBuffer = ByteBuffer.allocate(0); // Used during handshaking.
 private String _cipher;
- private String[] _certs;
+ private java.security.cert.Certificate[] _certs;
 private boolean _verified;
- private java.security.cert.Certificate[] _nativeCerts;
 }
diff --git a/java/src/Ice/src/main/java/com/zeroc/IceSSL/TrustManager.java b/java/src/Ice/src/main/java/com/zeroc/IceSSL/TrustManager.java
index 222791df9d6..12ced2676c0 100644
--- a/java/src/Ice/src/main/java/com/zeroc/IceSSL/TrustManager.java
+++ b/java/src/Ice/src/main/java/com/zeroc/IceSSL/TrustManager.java
@@ -55,7 +55,7 @@ class TrustManager
 }
 
 boolean
- verify(NativeConnectionInfo info, String desc)
+ verify(ConnectionInfo info, String desc)
 {
 java.util.List<java.util.List<java.util.List<RFC2253.RDNPair> > > reject =
 new java.util.LinkedList<java.util.List<java.util.List<RFC2253.RDNPair> > >(),
@@ -126,10 +126,10 @@ class TrustManager
 //
 // If there is no certificate then we match false.
 //
- if(info.nativeCerts != null && info.nativeCerts.length > 0)
+ if(info.certs != null && info.certs.length > 0)
 {
 javax.security.auth.x500.X500Principal subjectDN =
- ((java.security.cert.X509Certificate)info.nativeCerts[0]).getSubjectX500Principal();
+ ((java.security.cert.X509Certificate)info.certs[0]).getSubjectX500Principal();
 String subjectName = subjectDN.getName(javax.security.auth.x500.X500Principal.RFC2253);
 assert subjectName != null;
 try
diff --git a/java/src/IceGridGUI/src/main/java/com/zeroc/IceGridGUI/Coordinator.java b/java/src/IceGridGUI/src/main/java/com/zeroc/IceGridGUI/Coordinator.java
index 4e117317372..96d86274fd5 100644
--- a/java/src/IceGridGUI/src/main/java/com/zeroc/IceGridGUI/Coordinator.java
+++ b/java/src/IceGridGUI/src/main/java/com/zeroc/IceGridGUI/Coordinator.java
@@ -1331,7 +1331,7 @@ public class Coordinator
 class AcceptInvalidCertDialog implements Runnable
 {
- public TrustDecision show(com.zeroc.IceSSL.NativeConnectionInfo info, boolean validDate,
+ public TrustDecision show(com.zeroc.IceSSL.ConnectionInfo info, boolean validDate,
 boolean validAlternateName, boolean trustedCA)
 {
 _info = info;
@@ -1377,7 +1377,7 @@ public class Coordinator
 }
 }
 
- private com.zeroc.IceSSL.NativeConnectionInfo _info;
+ private com.zeroc.IceSSL.ConnectionInfo _info;
 private boolean _validDate;
 private boolean _validAlternateName;
 private boolean _trustedCA;
@@ -1385,14 +1385,14 @@ public class Coordinator
 }
 
 @Override
- public boolean verify(com.zeroc.IceSSL.NativeConnectionInfo info)
+ public boolean verify(com.zeroc.IceSSL.ConnectionInfo info)
 {
- if(!(info.nativeCerts[0] instanceof X509Certificate))
+ if(!(info.certs[0] instanceof X509Certificate))
 {
 return false;
 }
 
- X509Certificate cert = (X509Certificate) info.nativeCerts[0];
+ X509Certificate cert = (X509Certificate) info.certs[0];
 byte[] encoded;
 try
 {
@@ -1585,7 +1585,7 @@ public class Coordinator
 if(decision == TrustDecision.YesThisTime)
 {
- _transientCert = (X509Certificate) info.nativeCerts[0];
+ _transientCert = (X509Certificate) info.certs[0];
 return true;
 }
 else if(decision == TrustDecision.YesAlways)
@@ -1602,7 +1602,7 @@ public class Coordinator
 break;
 }
 }
- _trustedServerKeyStore.setCertificateEntry(CN, info.nativeCerts[0]);
+ _trustedServerKeyStore.setCertificateEntry(CN, info.certs[0]);
 _trustedServerKeyStore.store(new FileOutputStream(getDataDirectory() + "/ServerCerts.jks"), new char[]{});
 sessionKeeper.certificateManager(parent).load();
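Review bot: `if(!(info.certs[0] instanceof X509Certificate))` in the 1385 hunk indexes the chain without checking that it is non-null and non-empty; TransceiverI in this same commit leaves `_certs` unset when the handshake throws SSLPeerUnverifiedException ("No peer certificates"), and TrustManager's hunk guards the very same field with `info.certs != null && info.certs.length > 0` before indexing. A peer that presents no certificate would therefore make this verifier fail with a NullPointerException rather than return false, so the condition should become `if(info.certs == null || info.certs.length == 0 || !(info.certs[0] instanceof X509Certificate))`. The later `info.certs[0]` reads in the 1585 and 1602 hunks are inside the same verify method and are covered once that guard is in place; the 3615 hunk's `(X509Certificate)info.certs[0]` in UntrustedCertificateDialog appears to be reached only from verify, which I cannot confirm from the diff. verify's body continues beyond each of these hunks.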
@@ -3604,7 +3604,7 @@ public class Coordinator
 static class UntrustedCertificateDialog extends JDialog
 {
- public UntrustedCertificateDialog(java.awt.Window owner, com.zeroc.IceSSL.NativeConnectionInfo info,
+ public UntrustedCertificateDialog(java.awt.Window owner, com.zeroc.IceSSL.ConnectionInfo info,
 boolean validDate, boolean validAlternateName, boolean trustedCA)
 throws java.security.GeneralSecurityException, java.io.IOException,
 javax.naming.InvalidNameException
@@ -3615,7 +3615,7 @@ public class Coordinator
 Container contentPane = getContentPane();
 contentPane.setLayout(new BoxLayout(contentPane, BoxLayout.Y_AXIS));
 
- X509Certificate cert = (X509Certificate)info.nativeCerts[0];
+ X509Certificate cert = (X509Certificate)info.certs[0];
 {
 DefaultFormBuilder builder = new DefaultFormBuilder(new FormLayout("pref", "pref"));
 builder.border(Borders.DIALOG); |