1   /**
2    * Copyright 2014 Internet2
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *   http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   */
16  package edu.internet2.middleware.grouperClient.ssl;
17  
18  
19  
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.UnknownHostException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

import edu.internet2.middleware.grouperClientExt.org.apache.commons.httpclient.ConnectTimeoutException;
import edu.internet2.middleware.grouperClientExt.org.apache.commons.httpclient.params.HttpConnectionParams;
import edu.internet2.middleware.grouperClientExt.org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;
40  
41  
42    /**
43     * Apache code for SSL that doesn't fail with self-signed certs
44     * 
45     * @author mchyzer
46     */
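public class EasySslSocketFactory implements SecureProtocolSocketFactory {

  /**
   * Shared socket factory. Building it loads the JDK default trust store, so it
   * is created once rather than on every {@code createSocket} call (the previous
   * code rebuilt the SSLContext and trust manager per socket). Guarded by the
   * class monitor of {@link #getEasySSLSocketFactory()}.
   */
  private static SSLSocketFactory cachedSocketFactory = null;

  /**
   * Creates a factory. Instances hold no state; every instance hands out
   * sockets from the same cached {@link SSLSocketFactory}.
   */
  public EasySslSocketFactory() {
    super();
  }

  /**
   * <p>
   * Returns the shared {@link SSLSocketFactory} backed by an
   * {@link EasyX509TrustManager}, whose sockets accept self-signed (and any
   * other unverifiable) server certificates.
   * </p>
   *
   * <p>
   * This socket factory SHOULD NOT be used for production systems for
   * security reasons, unless it is a conscious decision and you are fully
   * aware of the implications of accepting unverified server certificates:
   * the connection is encrypted but the server is not authenticated.
   * </p>
   *
   * @return SSLSocketFactory, never null
   * @throws RuntimeException wrapping any failure to initialise the context
   *   (for example the default trust store cannot be loaded); thrown again on
   *   each call until initialisation succeeds
   */
  private static synchronized SSLSocketFactory getEasySSLSocketFactory() {
    if (cachedSocketFactory == null) {
      try {
        // "TLS" is the standard context name; "SSL" was only a legacy alias.
        // Which protocol versions are negotiated is still set by JDK defaults.
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, new TrustManager[] { new EasyX509TrustManager(null) }, null);
        cachedSocketFactory = context.getSocketFactory();
      } catch (Exception e) {
        throw new RuntimeException("Unable to initialise the easy SSL socket factory", e);
      }
    }
    return cachedSocketFactory;
  }

  /**
   * Connects to {@code host:port} from the given local address and port,
   * waiting without limit for the connection.
   *
   * @see SecureProtocolSocketFactory#createSocket(java.lang.String,int,java.net.InetAddress,int)
   */
  public Socket createSocket(String host, int port, InetAddress clientHost,
      int clientPort) throws IOException, UnknownHostException {
    return getEasySSLSocketFactory().createSocket(host, port, clientHost, clientPort);
  }

  /**
   * Connects to {@code host:port} from an ephemeral local port.
   *
   * @see SecureProtocolSocketFactory#createSocket(java.lang.String,int)
   */
  public Socket createSocket(String host, int port) throws IOException,
      UnknownHostException {
    return getEasySSLSocketFactory().createSocket(host, port);
  }

  /**
   * Layers TLS over an already connected socket.
   *
   * @see SecureProtocolSocketFactory#createSocket(java.net.Socket,java.lang.String,int,boolean)
   */
  public Socket createSocket(Socket socket, String host, int port, boolean autoClose)
      throws IOException, UnknownHostException {
    return getEasySSLSocketFactory().createSocket(socket, host, port, autoClose);
  }

  /**
   * Connects to {@code host:port}, honouring the connection timeout carried in
   * {@code params}. The previous implementation ignored the timeout entirely,
   * so an unresponsive host could block the caller indefinitely.
   *
   * @param host remote host name
   * @param port remote port
   * @param clientHost local address to bind, or null for any
   * @param clientPort local port to bind, or 0 for any
   * @param params connection parameters; null, or a connection timeout of 0,
   *   means wait without limit (the behaviour of the four-argument overload)
   * @return a connected TLS socket that closes its underlying socket when closed
   * @throws IOException if binding, connecting or the TLS layering fails; a
   *   connect timeout surfaces as {@link java.net.SocketTimeoutException}
   * @throws UnknownHostException if {@code host} cannot be resolved
   * @throws ConnectTimeoutException declared by the interface; not raised here
   * @see org.apache.commons.httpclient.protocol.ProtocolSocketFactory#createSocket(java.lang.String, int, java.net.InetAddress, int, org.apache.commons.httpclient.params.HttpConnectionParams)
   */
  public Socket createSocket(String host, int port, InetAddress clientHost,
      int clientPort, HttpConnectionParams params)
      throws IOException, UnknownHostException, ConnectTimeoutException {
    int timeout = (params == null) ? 0 : params.getConnectionTimeout();
    SSLSocketFactory factory = getEasySSLSocketFactory();
    if (timeout == 0) {
      return factory.createSocket(host, port, clientHost, clientPort);
    }

    // Connect a plain socket with a bounded wait, then layer TLS over it.
    // Passing host to the layering call keeps the same server-name handling
    // as the direct four-argument path (an unconnected SSL socket would not).
    Socket plain = new Socket();
    try {
      plain.bind(new InetSocketAddress(clientHost, clientPort));
      plain.connect(new InetSocketAddress(host, port), timeout);
      return factory.createSocket(plain, host, port, true);
    } catch (IOException e) {
      // do not leak the half-initialised socket on bind/connect/layering failure
      try {
        plain.close();
      } catch (IOException ignored) {
        // the original failure is the one worth reporting
      }
      throw e;
    }
  }

  /**
   * {@link X509TrustManager} that delegates client-certificate checks and
   * accepted-issuer queries to the JDK's standard trust manager, but accepts
   * every server certificate chain without validation.
   *
   * <p>
   * Security note: {@link #checkServerTrusted} checks neither signature,
   * validity period nor trust anchor, so the server is not authenticated and
   * anyone able to intercept the connection can impersonate it.
   * </p>
   *
   * @author mchyzer
   */
  public static class EasyX509TrustManager implements X509TrustManager {

    /** Standard JDK trust manager used for client checks and issuer lookup. */
    private final X509TrustManager standardTrustManager;

    /**
     * Constructor for EasyX509TrustManager.
     *
     * @param keystore trust store to delegate to; null selects the JDK default
     *   trust store, as {@link TrustManagerFactory#init(KeyStore)} specifies
     * @throws NoSuchAlgorithmException if no SunX509 {@link X509TrustManager}
     *   is available
     * @throws KeyStoreException if the factory cannot be initialised from
     *   {@code keystore}
     */
    public EasyX509TrustManager(KeyStore keystore) throws NoSuchAlgorithmException,
        KeyStoreException {
      super();

      TrustManagerFactory factory = TrustManagerFactory.getInstance("SunX509");
      factory.init(keystore);

      // Select the first X509 manager instead of blindly casting element 0,
      // which would fail with ClassCastException for a non-X509 manager.
      X509TrustManager found = null;
      for (TrustManager candidate : factory.getTrustManagers()) {
        if (candidate instanceof X509TrustManager) {
          found = (X509TrustManager) candidate;
          break;
        }
      }
      if (found == null) {
        throw new NoSuchAlgorithmException("SunX509 trust manager not supported");
      }
      this.standardTrustManager = found;
    }

    /**
     * Delegates to the standard trust manager.
     *
     * @see javax.net.ssl.X509TrustManager#getAcceptedIssuers()
     */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
      return this.standardTrustManager.getAcceptedIssuers();
    }

    /**
     * Client certificates are validated normally by the standard trust manager.
     *
     * @see javax.net.ssl.X509TrustManager#checkClientTrusted(java.security.cert.X509Certificate[], java.lang.String)
     */
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
        throws CertificateException {
      this.standardTrustManager.checkClientTrusted(chain, authType);
    }

    /**
     * Accepts any non-empty server chain: no signature, validity-period or
     * trust-anchor check is made. Only the argument contract of
     * {@link X509TrustManager} is enforced; previously a null or empty chain
     * (no server identity at all) was accepted as well.
     *
     * @param chain the server's certificate chain
     * @param authType the key exchange algorithm in use
     * @throws IllegalArgumentException if {@code chain} is null or empty, or
     *   {@code authType} is null or empty, as the interface contract requires
     * @throws CertificateException never; declared for the interface
     * @see javax.net.ssl.X509TrustManager#checkServerTrusted(java.security.cert.X509Certificate[], java.lang.String)
     */
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
        throws CertificateException {
      if (chain == null || chain.length == 0) {
        throw new IllegalArgumentException("null or zero-length certificate chain");
      }
      if (authType == null || authType.length() == 0) {
        throw new IllegalArgumentException("null or zero-length authentication type");
      }
      // Intentionally no further validation: this is what lets self-signed
      // certificates through.
    }
  }
}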
187   }