Added a different truststore for c2s. This is required when validating client certs.

git-svn-id: http://svn.igniterealtime.org/svn/repos/openfire/trunk@9565 b35dd754-fafc-0310-a699-88a17e54d16e

build/rpm-rhx/openfire.spec

@@ -91,6 +91,7 @@ rm -rf $RPM_BUILD_ROOT
 %config(noreplace) %{confdir}/openfire.xml
 %config(noreplace) %{confdir}/security/keystore
 %config(noreplace) %{confdir}/security/truststore
+%config(noreplace) %{confdir}/security/client.truststore
 %dir %{homedir}/lib
 %{homedir}/lib/*.jar
 %{homedir}/logs

build/rpm/openfire.spec

@@ -115,6 +115,7 @@ chown -R daemon:daemon %{homedir}
 %dir %{homedir}/resources/security
 %config(noreplace) %{homedir}/resources/security/keystore
 %config(noreplace) %{homedir}/resources/security/truststore
+%config(noreplace) %{homedir}/resources/security/client.truststore
 %doc %{homedir}/documentation
 %doc %{homedir}/LICENSE.html 
 %doc %{homedir}/README.html 

documentation/docs/upgrade-guide.html

@@ -82,8 +82,7 @@
         <li>Copy the <i>embedded-db</i> directory from the backup to the installation directory.</li>
         <li>Copy the <i>enterprise</i> directory from the backup to the installation directory, if it exists.</li>
         <li>Copy the <i>plugins</i> directory from the backup to the installation directory except for _plugins/admin_.</li>
-        <li>Copy the <i>resources/security/keystore</i> file from the backup to the installation directory.</li>
-        <li>Copy the <i>resources/security/truststore</i> file from the backup to the installation directory if you modified this file.</li>
+        <li>Copy modified files located in <i>resources/security</i> from the backup to the installation directory.</li>
         <li>Start Openfire</li>
     </ol>
 </ul>

src/java/org/jivesoftware/openfire/container/AdminConsolePlugin.java

@@ -104,9 +104,9 @@ public class AdminConsolePlugin implements Plugin {
                 httpsConnector.setHost(bindInterface);
                 httpsConnector.setPort(adminSecurePort);
 
-                httpsConnector.setTrustPassword(SSLConfig.getTrustPassword());
+                httpsConnector.setTrustPassword(SSLConfig.gets2sTrustPassword());
                 httpsConnector.setTruststoreType(SSLConfig.getStoreType());
-                httpsConnector.setTruststore(SSLConfig.getTruststoreLocation());
+                httpsConnector.setTruststore(SSLConfig.gets2sTruststoreLocation());
                 httpsConnector.setNeedClientAuth(false);
                 httpsConnector.setWantClientAuth(false);
 
@@ -334,4 +334,4 @@ public class AdminConsolePlugin implements Plugin {
             return SSLConfig.getSSLContext();
         }
     }
-}
\ No newline at end of file
+}

src/java/org/jivesoftware/openfire/http/HttpBindManager.java

@@ -141,9 +141,9 @@ public final class HttpBindManager {
                 sslConnector.setHost(getBindInterface());
                 sslConnector.setPort(securePort);
 
-                sslConnector.setTrustPassword(SSLConfig.getTrustPassword());
+                sslConnector.setTrustPassword(SSLConfig.getc2sTrustPassword());
                 sslConnector.setTruststoreType(SSLConfig.getStoreType());
-                sslConnector.setTruststore(SSLConfig.getTruststoreLocation());
+                sslConnector.setTruststore(SSLConfig.getc2sTruststoreLocation());
                 sslConnector.setNeedClientAuth(false);
                 sslConnector.setWantClientAuth(false);
 

src/java/org/jivesoftware/openfire/net/SSLJiveTrustManagerFactory.java

@@ -76,6 +76,8 @@ public class SSLJiveTrustManagerFactory {
         return trustManagers;
     }
     
+
+    //TODO: Is this for c2s or s2s connections? Or both?
     public static TrustManager[] getTrustManagers(KeyStore truststore,
 			String trustpass) {
 		TrustManager[] trustManagers;
@@ -86,7 +88,7 @@ public class SSLJiveTrustManagerFactory {
 				TrustManagerFactory trustFactory = TrustManagerFactory
 						.getInstance(TrustManagerFactory.getDefaultAlgorithm());
 				if (trustpass == null) {
-					trustpass = SSLConfig.getTrustPassword();
+					trustpass = SSLConfig.gets2sTrustPassword();
 				}
 
 				trustFactory.init(truststore);

src/java/org/jivesoftware/openfire/net/TLSWrapper.java

@@ -58,6 +58,7 @@ public class TLSWrapper {
 
     public TLSWrapper(boolean clientMode, boolean needClientAuth, String remoteServer) {
 
+        boolean c2sConnection = (remoteServer == null);
         if (debug) {
             System.setProperty("javax.net.debug", "all");
         }
@@ -68,8 +69,8 @@ public class TLSWrapper {
             KeyStore ksKeys = SSLConfig.getKeyStore();
             String keypass = SSLConfig.getKeyPassword();
 
-            KeyStore ksTrust = SSLConfig.getTrustStore();
-            String trustpass = SSLConfig.getTrustPassword();
+            KeyStore ksTrust = (c2sConnection ? SSLConfig.getc2sTrustStore() : SSLConfig.gets2sTrustStore());
+            String trustpass = (c2sConnection ? SSLConfig.getc2sTrustPassword() : SSLConfig.gets2sTrustPassword());
 
             // KeyManager's decide which key material to use.
             KeyManager[] km = SSLJiveKeyManagerFactory.getKeyManagers(ksKeys, keypass);
@@ -77,8 +78,14 @@ public class TLSWrapper {
             // TrustManager's decide whether to allow connections.
             TrustManager[] tm = SSLJiveTrustManagerFactory.getTrustManagers(ksTrust, trustpass);
             if (clientMode || needClientAuth) {
-                // Check if we can trust certificates presented by the server
-                tm = new TrustManager[]{new ServerTrustManager(remoteServer, ksTrust)};
+                if (c2sConnection) {
+                    // Check if we can trust certificates presented by the client
+                    tm = new TrustManager[]{new ClientTrustManager(ksTrust)};
+                }
+                else {
+                    // Check if we can trust certificates presented by the server
+                    tm = new TrustManager[]{new ServerTrustManager(remoteServer, ksTrust)};
+                }
             }
 
             SSLContext tlsContext = SSLContext.getInstance(PROTOCOL);

src/java/org/jivesoftware/openfire/nio/NIOConnection.java

@@ -24,6 +24,7 @@ import org.jivesoftware.openfire.net.SSLConfig;
 import org.jivesoftware.openfire.net.SSLJiveKeyManagerFactory;
 import org.jivesoftware.openfire.net.SSLJiveTrustManagerFactory;
 import org.jivesoftware.openfire.net.ServerTrustManager;
+import org.jivesoftware.openfire.net.ClientTrustManager;
 import org.jivesoftware.openfire.session.LocalSession;
 import org.jivesoftware.openfire.session.Session;
 import org.jivesoftware.util.JiveGlobals;
@@ -279,20 +280,29 @@ public class NIOConnection implements Connection {
     }
 
     public void startTLS(boolean clientMode, String remoteServer, ClientAuth authentication) throws Exception {
+        boolean c2s = (remoteServer == null);
         KeyStore ksKeys = SSLConfig.getKeyStore();
         String keypass = SSLConfig.getKeyPassword();
 
-        KeyStore ksTrust = SSLConfig.getTrustStore();
-        String trustpass = SSLConfig.getTrustPassword();
-
+        KeyStore ksTrust = (c2s ? SSLConfig.getc2sTrustStore() : SSLConfig.gets2sTrustStore() );
+        String trustpass = (c2s ? SSLConfig.getc2sTrustPassword() : SSLConfig.gets2sTrustPassword() );
+        if (c2s)  Log.debug("NIOConnection: startTLS: using c2s");
+        else Log.debug("NIOConnection: startTLS: using s2s");
         // KeyManager's decide which key material to use.
         KeyManager[] km = SSLJiveKeyManagerFactory.getKeyManagers(ksKeys, keypass);
 
         // TrustManager's decide whether to allow connections.
         TrustManager[] tm = SSLJiveTrustManagerFactory.getTrustManagers(ksTrust, trustpass);
+
         if (clientMode || authentication == ClientAuth.needed || authentication == ClientAuth.wanted) {
-            // Check if we can trust certificates presented by the server
-            tm = new TrustManager[]{new ServerTrustManager(remoteServer, ksTrust)};
+            // We might need to verify a certificate from our peer, so get different TrustManager[]'s
+            if(c2s) {
+                // Check if we can trust certificates presented by the client
+                tm = new TrustManager[]{new ClientTrustManager(ksTrust)};
+            } else {
+                // Check if we can trust certificates presented by the server
+                tm = new TrustManager[]{new ServerTrustManager(remoteServer, ksTrust)};
+            }
         }
 
         SSLContext tlsContext = SSLContext.getInstance("TLS");

src/java/org/jivesoftware/openfire/spi/ConnectionManagerImpl.java

@@ -396,7 +396,7 @@ public class ConnectionManagerImpl extends BasicModule implements ConnectionMana
                 KeyManagerFactory keyFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
                 keyFactory.init(SSLConfig.getKeyStore(), SSLConfig.getKeyPassword().toCharArray());
                 TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
-                trustFactory.init(SSLConfig.getTrustStore());
+                trustFactory.init(SSLConfig.getc2sTrustStore());
 
                 sslContext.init(keyFactory.getKeyManagers(),
                         trustFactory.getTrustManagers(),

src/java/org/jivesoftware/util/CertificateManager.java

@@ -223,17 +223,17 @@ public class CertificateManager {
                         // Ignore
                     }
                     catch (Exception e) {
-                        Log.error("Error decoding subjectAltName", e);
+                        Log.error("CertificateManager: Error decoding subjectAltName", e);
                     }
                 }
                 // Other types are not good for XMPP so ignore them
                 else if (Log.isDebugEnabled()) {
-                    Log.debug("SubjectAltName of invalid type found: " + certificate);
+                    Log.debug("CertificateManager: SubjectAltName of invalid type found: " + certificate.getSubjectDN());
                 }
             }
         }
         catch (CertificateParsingException e) {
-            Log.error("Error parsing SubjectAltName in certificate: " + certificate, e);
+            Log.error("CertificateManager: Error parsing SubjectAltName in certificate: " + certificate.getSubjectDN(), e);
         }
         return identities;
     }

src/web/import-certificate.jsp

@@ -42,7 +42,7 @@
                     alias = domain + "_" + index;
                 }
                 // Import certificate
-                CertificateManager.installCert(SSLConfig.getKeyStore(), SSLConfig.getTrustStore(),
+                CertificateManager.installCert(SSLConfig.getKeyStore(), SSLConfig.gets2sTrustStore(),
                         SSLConfig.getKeyPassword(), alias, new ByteArrayInputStream(privateKey.getBytes()), passPhrase,
                         new ByteArrayInputStream(certificate.getBytes()), true, true);
                 // Save keystore
@@ -157,4 +157,4 @@
   <!-- END 'Import Private Key and Certificate' -->
 
   </body>
-</html>
\ No newline at end of file
+</html>

src/web/ssl-certificates.jsp

@@ -73,7 +73,7 @@
         String reply = ParamUtils.getParameter(request, "reply");
         if (alias != null && reply != null && reply.trim().length() > 0) {
             try {
-                CertificateManager.installReply(SSLConfig.getKeyStore(), SSLConfig.getTrustStore(),
+                CertificateManager.installReply(SSLConfig.getKeyStore(), SSLConfig.gets2sTrustStore(),
                         SSLConfig.getKeyPassword(), alias, new ByteArrayInputStream(reply.getBytes()), true, true);
                 SSLConfig.saveStores();
                 response.sendRedirect("ssl-certificates.jsp?importsuccess=true");
@@ -409,4 +409,4 @@
   <% } %>
   <!-- END 'Signing request' -->
   </body>
-</html>
\ No newline at end of file
+</html>