Refactoring work. JM-893

git-svn-id: http://svn.igniterealtime.org/svn/repos/wildfire/trunk@6061 b35dd754-fafc-0310-a699-88a17e54d16e

Refactoring work. JM-893
git-svn-id: http://svn.igniterealtime.org/svn/repos/wildfire/trunk@6061 b35dd754-fafc-0310-a699-88a17e54d16e
3276384c · Gaston Dombiak · gato · 8ec834b8 · 3276384c · 3276384c
Commit 3276384c authored Nov 11, 2006 by Gaston Dombiak Committed by gato Nov 11, 2006
7 changed files
--- a/src/java/org/jivesoftware/util/CertificateManager.java
+++ b/src/java/org/jivesoftware/util/CertificateManager.java
--- a/src/java/org/jivesoftware/wildfire/XMPPServer.java
+++ b/src/java/org/jivesoftware/wildfire/XMPPServer.java
@@ -324,10 +324,12 @@ public class XMPPServer {

                // No certificates were found so create new self-signed certificates
                if (!dsaFound) {
-                    CertificateManager.createDSACert(ksKeys, name + "_dsa", "cn=" + name, "cn=" + name, "*." + name);
+                    CertificateManager.createDSACert(ksKeys, SSLConfig.getKeyPassword(), name + "_dsa", "cn=" + name,
+                            "cn=" + name, "*." + name);
                }
                if (!rsaFound) {
-                    CertificateManager.createRSACert(ksKeys, name + "_rsa", "cn=" + name, "cn=" + name, "*." + name);
+                    CertificateManager.createRSACert(ksKeys, SSLConfig.getKeyPassword(), name + "_rsa", "cn=" + name,
+                            "cn=" + name, "*." + name);
                }
                // Save new certificates into the key store
                if (!dsaFound || !rsaFound) {

--- a/src/java/org/jivesoftware/wildfire/net/SASLAuthentication.java
+++ b/src/java/org/jivesoftware/wildfire/net/SASLAuthentication.java
@@ -11,10 +11,11 @@

 package org.jivesoftware.wildfire.net;

-import org.dom4j.Element;
 import org.dom4j.DocumentHelper;
-import org.dom4j.QName;
+import org.dom4j.Element;
 import org.dom4j.Namespace;
+import org.dom4j.QName;
+import org.jivesoftware.util.CertificateManager;
 import org.jivesoftware.util.JiveGlobals;
 import org.jivesoftware.util.Log;
 import org.jivesoftware.util.StringUtils;
@@ -414,7 +415,7 @@ public class SASLAuthentication {
        SocketConnection connection = (SocketConnection) session.getConnection();
        try {
            for (Certificate certificate : connection.getSSLSession().getPeerCertificates()) {
-                if (TLSStreamHandler.getPeerIdentities((X509Certificate) certificate)
+                if (CertificateManager.getPeerIdentities((X509Certificate) certificate)
                        .contains(hostname)) {
                    authenticationSuccessful(session, hostname, null);
                    return Status.authenticated;

--- a/src/java/org/jivesoftware/wildfire/net/ServerTrustManager.java
+++ b/src/java/org/jivesoftware/wildfire/net/ServerTrustManager.java
@@ -7,6 +7,7 @@

 package org.jivesoftware.wildfire.net;

+import org.jivesoftware.util.CertificateManager;
 import org.jivesoftware.util.JiveGlobals;
 import org.jivesoftware.util.Log;

@@ -80,7 +81,7 @@ class ServerTrustManager implements X509TrustManager {
        if (verify) {
            int nSize = x509Certificates.length;

-            List<String> peerIdentities = TLSStreamHandler.getPeerIdentities(x509Certificates[0]);
+            List<String> peerIdentities = CertificateManager.getPeerIdentities(x509Certificates[0]);

            if (JiveGlobals.getBooleanProperty("xmpp.server.certificate.verify.chain", true)) {
                // Working down the chain, for every certificate in the chain,
@@ -165,25 +166,6 @@ class ServerTrustManager implements X509TrustManager {
        }
    }

-    private boolean isChainTrusted(X509Certificate[] chain) {
-        boolean trusted = false;
-        try {
-            // Start with the root and see if it is in the Keystore.
-            // The root is at the end of the chain.
-            for (int i = chain.length - 1; i >= 0; i--) {
-                if (trustStore.getCertificateAlias(chain[i]) != null) {
-                    trusted = true;
-                    break;
-                }
-            }
-        }
-        catch (Exception e) {
-            Log.error(e);
-            trusted = false;
-        }
-        return trusted;
-    }
-
    public X509Certificate[] getAcceptedIssuers() {
        if (JiveGlobals.getBooleanProperty("xmpp.server.certificate.accept-selfsigned", false)) {
            // Answer an empty list since we accept any issuer

--- a/src/java/org/jivesoftware/wildfire/net/TLSStreamHandler.java
+++ b/src/java/org/jivesoftware/wildfire/net/TLSStreamHandler.java
@@ -11,9 +11,7 @@

 package org.jivesoftware.wildfire.net;

-import org.bouncycastle.asn1.*;
 import org.jivesoftware.util.JiveGlobals;
-import org.jivesoftware.util.Log;

 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLEngineResult;
@@ -22,21 +20,12 @@ import javax.net.ssl.SSLSession;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
-import java.io.UnsupportedEncodingException;
 import java.net.Socket;
 import java.nio.ByteBuffer;
 import java.nio.channels.Channels;
 import java.nio.channels.ReadableByteChannel;
 import java.nio.channels.SelectionKey;
 import java.nio.channels.WritableByteChannel;
-import java.security.cert.CertificateParsingException;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.List;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;

 /**
 * TLSStreamHandler is responsible for securing plain connections by negotiating TLS. By creating
@@ -87,88 +76,6 @@ public class TLSStreamHandler {
      */
    private static ByteBuffer hsBB = ByteBuffer.allocate(0);

-    private static Pattern cnPattern = Pattern.compile("(?i)(cn=)([^,]*)");
-
-    /**
-     * Returns the identities of the remote server as defined in the specified certificate. The
-     * identities are defined in the subjectDN of the certificate and it can also be defined in
-     * the subjectAltName extensions of type "xmpp". When the extension is being used then the
-     * identities defined in the extension are going to be returned. Otherwise, the value stored in
-     * the subjectDN is returned.
-     *
-     * @param x509Certificate the certificate the holds the identities of the remote server.
-     * @return the identities of the remote server as defined in the specified certificate.
-     */
-    public static List<String> getPeerIdentities(X509Certificate x509Certificate) {
-        // Look the identity in the subjectAltName extension if available
-        List<String> names = getSubjectAlternativeNames(x509Certificate);
-        if (names.isEmpty()) {
-            String name = x509Certificate.getSubjectDN().getName();
-            Matcher matcher = cnPattern.matcher(name);
-            if (matcher.find()) {
-                name = matcher.group(2);
-            }
-            // Create an array with the unique identity
-            names = new ArrayList<String>();
-            names.add(name);
-        }
-        return names;
-    }
-
-    /**
-     * Returns the JID representation of an XMPP entity contained as a SubjectAltName extension
-     * in the certificate. If none was found then return <tt>null</tt>.
-     *
-     * @param certificate the certificate presented by the remote entity.
-     * @return the JID representation of an XMPP entity contained as a SubjectAltName extension
-     *         in the certificate. If none was found then return <tt>null</tt>.
-     */
-    private static List<String> getSubjectAlternativeNames(X509Certificate certificate) {
-        List<String> identities = new ArrayList<String>();
-        try {
-            Collection<List<?>> altNames = certificate.getSubjectAlternativeNames();
-            // Check that the certificate includes the SubjectAltName extension
-            if (altNames == null) {
-                return Collections.emptyList();
-            }
-            // Use the type OtherName to search for the certified server name
-            for (List item : altNames) {
-                Integer type = (Integer) item.get(0);
-                if (type == 0) {
-                    // Type OtherName found so return the associated value
-                    try {
-                        // Value is encoded using ASN.1 so decode it to get the server's identity
-                        ASN1InputStream decoder = new ASN1InputStream((byte[]) item.toArray()[1]);
-                        DEREncodable encoded = decoder.readObject();
-                        encoded = ((DERSequence) encoded).getObjectAt(1);
-                        encoded = ((DERTaggedObject) encoded).getObject();
-                        encoded = ((DERTaggedObject) encoded).getObject();
-                        String identity = ((DERUTF8String) encoded).getString();
-                        // Add the decoded server name to the list of identities
-                        identities.add(identity);
-                    }
-                    catch (UnsupportedEncodingException e) {
-                        // Ignore
-                    }
-                    catch (IOException e) {
-                        // Ignore
-                    }
-                    catch (Exception e) {
-                        Log.error("Error decoding subjectAltName", e);
-                    }
-                }
-                // Other types are not good for XMPP so ignore them
-                if (Log.isDebugEnabled()) {
-                    Log.debug("SubjectAltName of invalid type found: " + certificate);
-                }
-            }
-        }
-        catch (CertificateParsingException e) {
-            Log.error("Error parsing SubjectAltName in certificate: " + certificate, e);
-        }
-        return identities;
-    }
-
    /**
     * Creates a new TLSStreamHandler and secures the plain socket connection. When connecting
     * to a remote server then <tt>clientMode</tt> will be <code>true</code> and

--- a/src/web/ssl-certificates.jsp
+++ b/src/web/ssl-certificates.jsp
 <%@ page import="org.jivesoftware.util.CertificateManager,
                org.jivesoftware.util.JiveGlobals,
                org.jivesoftware.util.ParamUtils,
+                org.jivesoftware.util.StringUtils,
                org.jivesoftware.wildfire.XMPPServer,
                org.jivesoftware.wildfire.net.SSLConfig,
-                org.jivesoftware.wildfire.net.TLSStreamHandler,
                java.io.ByteArrayInputStream,
                java.security.KeyStore,
-                java.security.cert.X509Certificate,
-                java.util.Date"
+                java.security.PrivateKey,
+                java.security.cert.X509Certificate"
         errorPage="error.jsp"%>
+<%@ page import="java.util.Date" %>
 <%@ page import="java.util.Enumeration" %>
 <%@ page import="java.util.HashMap" %>
 <%@ page import="java.util.Map" %>
-<%@ page import="org.jivesoftware.util.StringUtils" %>
-<%@ page import="java.security.PrivateKey" %>

 <%@ taglib uri="http://java.sun.com/jstl/core_rt" prefix="c" %>
 <%@ taglib uri="http://java.sun.com/jstl/fmt_rt" prefix="fmt" %>
@@ -40,11 +39,11 @@
        try {
            if (!CertificateManager.isDSACertificate(keyStore, domain)) {
                CertificateManager
-                        .createDSACert(keyStore, domain + "_dsa", "cn=" + domain, "cn=" + domain, "*." + domain);
+                        .createDSACert(keyStore, SSLConfig.getKeyPassword(), domain + "_dsa", "cn=" + domain, "cn=" + domain, "*." + domain);
            }
            if (!CertificateManager.isRSACertificate(keyStore, domain)) {
                CertificateManager
-                        .createRSACert(keyStore, domain + "_rsa", "cn=" + domain, "cn=" + domain, "*." + domain);
+                        .createRSACert(keyStore, SSLConfig.getKeyPassword(), domain + "_rsa", "cn=" + domain, "cn=" + domain, "*." + domain);
            }
            // Save new certificates into the key store
            SSLConfig.saveStores();
@@ -57,7 +56,7 @@
    if (delete) {
        if (type != null && alias != null) {
            try {
-                SSLConfig.getKeyStore().deleteEntry(alias);
+                CertificateManager.deleteCertificate(keyStore, alias);
                SSLConfig.saveStores();
                response.sendRedirect("ssl-certificates.jsp?deletesuccess=true");
                return;
@@ -72,7 +71,8 @@
        String reply = ParamUtils.getParameter(request, "reply");
        if (alias != null && reply != null && reply.trim().length() > 0) {
            try {
-                CertificateManager.installReply(alias, new ByteArrayInputStream(reply.getBytes()), true, true);
+                CertificateManager.installReply(SSLConfig.getKeyStore(), SSLConfig.getTrustStore(),
+                        SSLConfig.getKeyPassword(), alias, new ByteArrayInputStream(reply.getBytes()), true, true);
                SSLConfig.saveStores();
                response.sendRedirect("ssl-certificates.jsp?importsuccess=true");
                return;
@@ -206,19 +206,6 @@
      </tbody>
      </table>
      </div><br>
-
-  <%  } else if (errors.size() > 0) { %>
-
-      <div class="jive-error">
-      <table cellpadding="0" cellspacing="0" border="0">
-      <tbody>
-          <tr><td class="jive-icon"><img src="images/error-16x16.gif" width="16" height="16" border="0" alt=""></td>
-          <td class="jive-icon-label">
-          <fmt:message key="ssl.settings.error_certificate" />
-          </td></tr>
-      </tbody>
-      </table>
-      </div><br>
  <% } %>

  <!-- BEGIN 'Installed Certificates' -->
@@ -257,7 +244,7 @@
          String a = (String) aliases.nextElement();
          X509Certificate c = (X509Certificate) keyStore.getCertificate(a);
          StringBuffer identities = new StringBuffer();
-          for (String identity : TLSStreamHandler.getPeerIdentities(c)) {
+          for (String identity : CertificateManager.getPeerIdentities(c)) {
              identities.append(identity).append(", ");
          }
          if (identities.length() > 0) {

--- a/src/web/ssl-signing-request.jsp
+++ b/src/web/ssl-signing-request.jsp
@@ -3,10 +3,10 @@
 <%@ page import="org.jivesoftware.wildfire.XMPPServer" %>
 <%@ page import="org.jivesoftware.wildfire.net.SSLConfig" %>
 <%@ page import="java.security.KeyStore" %>
-<%@ page import="java.security.PrivateKey" %>
 <%@ page import="java.security.cert.X509Certificate" %>
-<%@ page import="org.jivesoftware.util.StringUtils" %>
-<%@ page import="java.util.*" %>
+<%@ page import="java.util.Enumeration" %>
+<%@ page import="java.util.HashMap" %>
+<%@ page import="java.util.Map" %>

 <%@ taglib uri="http://java.sun.com/jstl/core_rt" prefix="c" %>
 <%@ taglib uri="http://java.sun.com/jstl/fmt_rt" prefix="fmt" %>
@@ -72,9 +72,9 @@
                    boolean isSigningPending = !isSelfSigned && keyStore.getCertificateChain(alias).length == 1;
                    if (isSelfSigned || isSigningPending) {
                        if (CertificateManager.isDSACertificate(certificate)) {
-                            CertificateManager.createDSACert(keyStore, alias, issuerDN.toString(), "cn=" + domain, "*." + domain);
+                            CertificateManager.createDSACert(keyStore, SSLConfig.getKeyPassword(), alias, issuerDN.toString(), "cn=" + domain, "*." + domain);
                        } else {
-                            CertificateManager.createRSACert(keyStore, alias, issuerDN.toString(), "cn=" + domain, "*." + domain);
+                            CertificateManager.createRSACert(keyStore, SSLConfig.getKeyPassword(), alias, issuerDN.toString(), "cn=" + domain, "*." + domain);
                        }
                    }
                }