Commit b73fcc35 authored by Gaston Dombiak's avatar Gaston Dombiak Committed by gato

Added a different truststore for c2s. This is required when validating client certs.

git-svn-id: http://svn.igniterealtime.org/svn/repos/openfire/trunk@9565 b35dd754-fafc-0310-a699-88a17e54d16e
parent ca7cc1b0
......@@ -91,6 +91,7 @@ rm -rf $RPM_BUILD_ROOT
%config(noreplace) %{confdir}/openfire.xml
%config(noreplace) %{confdir}/security/keystore
%config(noreplace) %{confdir}/security/truststore
%config(noreplace) %{confdir}/security/client.truststore
%dir %{homedir}/lib
%{homedir}/lib/*.jar
%{homedir}/logs
......
......@@ -115,6 +115,7 @@ chown -R daemon:daemon %{homedir}
%dir %{homedir}/resources/security
%config(noreplace) %{homedir}/resources/security/keystore
%config(noreplace) %{homedir}/resources/security/truststore
%config(noreplace) %{homedir}/resources/security/client.truststore
%doc %{homedir}/documentation
%doc %{homedir}/LICENSE.html
%doc %{homedir}/README.html
......
......@@ -82,8 +82,7 @@
<li>Copy the <i>embedded-db</i> directory from the backup to the installation directory.</li>
<li>Copy the <i>enterprise</i> directory from the backup to the installation directory, if it exists.</li>
<li>Copy the <i>plugins</i> directory from the backup to the installation directory except for _plugins/admin_.</li>
<li>Copy the <i>resources/security/keystore</i> file from the backup to the installation directory.</li>
<li>Copy the <i>resources/security/truststore</i> file from the backup to the installation directory if you modified this file.</li>
<li>Copy modified files located in <i>resources/security</i> from the backup to the installation directory.</li>
<li>Start Openfire</li>
</ol>
</ul>
......
......@@ -104,9 +104,9 @@ public class AdminConsolePlugin implements Plugin {
httpsConnector.setHost(bindInterface);
httpsConnector.setPort(adminSecurePort);
httpsConnector.setTrustPassword(SSLConfig.getTrustPassword());
httpsConnector.setTrustPassword(SSLConfig.gets2sTrustPassword());
httpsConnector.setTruststoreType(SSLConfig.getStoreType());
httpsConnector.setTruststore(SSLConfig.getTruststoreLocation());
httpsConnector.setTruststore(SSLConfig.gets2sTruststoreLocation());
httpsConnector.setNeedClientAuth(false);
httpsConnector.setWantClientAuth(false);
......
......@@ -141,9 +141,9 @@ public final class HttpBindManager {
sslConnector.setHost(getBindInterface());
sslConnector.setPort(securePort);
sslConnector.setTrustPassword(SSLConfig.getTrustPassword());
sslConnector.setTrustPassword(SSLConfig.getc2sTrustPassword());
sslConnector.setTruststoreType(SSLConfig.getStoreType());
sslConnector.setTruststore(SSLConfig.getTruststoreLocation());
sslConnector.setTruststore(SSLConfig.getc2sTruststoreLocation());
sslConnector.setNeedClientAuth(false);
sslConnector.setWantClientAuth(false);
......
......@@ -76,6 +76,8 @@ public class SSLJiveTrustManagerFactory {
return trustManagers;
}
//TODO: Is this for c2s or s2s connections? Or both?
public static TrustManager[] getTrustManagers(KeyStore truststore,
String trustpass) {
TrustManager[] trustManagers;
......@@ -86,7 +88,7 @@ public class SSLJiveTrustManagerFactory {
TrustManagerFactory trustFactory = TrustManagerFactory
.getInstance(TrustManagerFactory.getDefaultAlgorithm());
if (trustpass == null) {
trustpass = SSLConfig.getTrustPassword();
trustpass = SSLConfig.gets2sTrustPassword();
}
trustFactory.init(truststore);
......
......@@ -58,6 +58,7 @@ public class TLSWrapper {
public TLSWrapper(boolean clientMode, boolean needClientAuth, String remoteServer) {
boolean c2sConnection = (remoteServer == null);
if (debug) {
System.setProperty("javax.net.debug", "all");
}
......@@ -68,8 +69,8 @@ public class TLSWrapper {
KeyStore ksKeys = SSLConfig.getKeyStore();
String keypass = SSLConfig.getKeyPassword();
KeyStore ksTrust = SSLConfig.getTrustStore();
String trustpass = SSLConfig.getTrustPassword();
KeyStore ksTrust = (c2sConnection ? SSLConfig.getc2sTrustStore() : SSLConfig.gets2sTrustStore());
String trustpass = (c2sConnection ? SSLConfig.getc2sTrustPassword() : SSLConfig.gets2sTrustPassword());
// KeyManager's decide which key material to use.
KeyManager[] km = SSLJiveKeyManagerFactory.getKeyManagers(ksKeys, keypass);
......@@ -77,9 +78,15 @@ public class TLSWrapper {
// TrustManager's decide whether to allow connections.
TrustManager[] tm = SSLJiveTrustManagerFactory.getTrustManagers(ksTrust, trustpass);
if (clientMode || needClientAuth) {
if (c2sConnection) {
// Check if we can trust certificates presented by the client
tm = new TrustManager[]{new ClientTrustManager(ksTrust)};
}
else {
// Check if we can trust certificates presented by the server
tm = new TrustManager[]{new ServerTrustManager(remoteServer, ksTrust)};
}
}
SSLContext tlsContext = SSLContext.getInstance(PROTOCOL);
......
......@@ -24,6 +24,7 @@ import org.jivesoftware.openfire.net.SSLConfig;
import org.jivesoftware.openfire.net.SSLJiveKeyManagerFactory;
import org.jivesoftware.openfire.net.SSLJiveTrustManagerFactory;
import org.jivesoftware.openfire.net.ServerTrustManager;
import org.jivesoftware.openfire.net.ClientTrustManager;
import org.jivesoftware.openfire.session.LocalSession;
import org.jivesoftware.openfire.session.Session;
import org.jivesoftware.util.JiveGlobals;
......@@ -279,21 +280,30 @@ public class NIOConnection implements Connection {
}
public void startTLS(boolean clientMode, String remoteServer, ClientAuth authentication) throws Exception {
boolean c2s = (remoteServer == null);
KeyStore ksKeys = SSLConfig.getKeyStore();
String keypass = SSLConfig.getKeyPassword();
KeyStore ksTrust = SSLConfig.getTrustStore();
String trustpass = SSLConfig.getTrustPassword();
KeyStore ksTrust = (c2s ? SSLConfig.getc2sTrustStore() : SSLConfig.gets2sTrustStore() );
String trustpass = (c2s ? SSLConfig.getc2sTrustPassword() : SSLConfig.gets2sTrustPassword() );
if (c2s) Log.debug("NIOConnection: startTLS: using c2s");
else Log.debug("NIOConnection: startTLS: using s2s");
// KeyManager's decide which key material to use.
KeyManager[] km = SSLJiveKeyManagerFactory.getKeyManagers(ksKeys, keypass);
// TrustManager's decide whether to allow connections.
TrustManager[] tm = SSLJiveTrustManagerFactory.getTrustManagers(ksTrust, trustpass);
if (clientMode || authentication == ClientAuth.needed || authentication == ClientAuth.wanted) {
// We might need to verify a certificate from our peer, so get different TrustManager[]'s
if(c2s) {
// Check if we can trust certificates presented by the client
tm = new TrustManager[]{new ClientTrustManager(ksTrust)};
} else {
// Check if we can trust certificates presented by the server
tm = new TrustManager[]{new ServerTrustManager(remoteServer, ksTrust)};
}
}
SSLContext tlsContext = SSLContext.getInstance("TLS");
......
......@@ -396,7 +396,7 @@ public class ConnectionManagerImpl extends BasicModule implements ConnectionMana
KeyManagerFactory keyFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyFactory.init(SSLConfig.getKeyStore(), SSLConfig.getKeyPassword().toCharArray());
TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustFactory.init(SSLConfig.getTrustStore());
trustFactory.init(SSLConfig.getc2sTrustStore());
sslContext.init(keyFactory.getKeyManagers(),
trustFactory.getTrustManagers(),
......
......@@ -223,17 +223,17 @@ public class CertificateManager {
// Ignore
}
catch (Exception e) {
Log.error("Error decoding subjectAltName", e);
Log.error("CertificateManager: Error decoding subjectAltName", e);
}
}
// Other types are not good for XMPP so ignore them
else if (Log.isDebugEnabled()) {
Log.debug("SubjectAltName of invalid type found: " + certificate);
Log.debug("CertificateManager: SubjectAltName of invalid type found: " + certificate.getSubjectDN());
}
}
}
catch (CertificateParsingException e) {
Log.error("Error parsing SubjectAltName in certificate: " + certificate, e);
Log.error("CertificateManager: Error parsing SubjectAltName in certificate: " + certificate.getSubjectDN(), e);
}
return identities;
}
......
......@@ -42,7 +42,7 @@
alias = domain + "_" + index;
}
// Import certificate
CertificateManager.installCert(SSLConfig.getKeyStore(), SSLConfig.getTrustStore(),
CertificateManager.installCert(SSLConfig.getKeyStore(), SSLConfig.gets2sTrustStore(),
SSLConfig.getKeyPassword(), alias, new ByteArrayInputStream(privateKey.getBytes()), passPhrase,
new ByteArrayInputStream(certificate.getBytes()), true, true);
// Save keystore
......
......@@ -73,7 +73,7 @@
String reply = ParamUtils.getParameter(request, "reply");
if (alias != null && reply != null && reply.trim().length() > 0) {
try {
CertificateManager.installReply(SSLConfig.getKeyStore(), SSLConfig.getTrustStore(),
CertificateManager.installReply(SSLConfig.getKeyStore(), SSLConfig.gets2sTrustStore(),
SSLConfig.getKeyPassword(), alias, new ByteArrayInputStream(reply.getBytes()), true, true);
SSLConfig.saveStores();
response.sendRedirect("ssl-certificates.jsp?importsuccess=true");
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment