Commit b73fcc35 authored by Gaston Dombiak's avatar Gaston Dombiak Committed by gato

Added a different truststore for c2s. This is required when validating client certs.

git-svn-id: http://svn.igniterealtime.org/svn/repos/openfire/trunk@9565 b35dd754-fafc-0310-a699-88a17e54d16e
parent ca7cc1b0
...@@ -91,6 +91,7 @@ rm -rf $RPM_BUILD_ROOT ...@@ -91,6 +91,7 @@ rm -rf $RPM_BUILD_ROOT
%config(noreplace) %{confdir}/openfire.xml %config(noreplace) %{confdir}/openfire.xml
%config(noreplace) %{confdir}/security/keystore %config(noreplace) %{confdir}/security/keystore
%config(noreplace) %{confdir}/security/truststore %config(noreplace) %{confdir}/security/truststore
%config(noreplace) %{confdir}/security/client.truststore
%dir %{homedir}/lib %dir %{homedir}/lib
%{homedir}/lib/*.jar %{homedir}/lib/*.jar
%{homedir}/logs %{homedir}/logs
......
...@@ -115,6 +115,7 @@ chown -R daemon:daemon %{homedir} ...@@ -115,6 +115,7 @@ chown -R daemon:daemon %{homedir}
%dir %{homedir}/resources/security %dir %{homedir}/resources/security
%config(noreplace) %{homedir}/resources/security/keystore %config(noreplace) %{homedir}/resources/security/keystore
%config(noreplace) %{homedir}/resources/security/truststore %config(noreplace) %{homedir}/resources/security/truststore
%config(noreplace) %{homedir}/resources/security/client.truststore
%doc %{homedir}/documentation %doc %{homedir}/documentation
%doc %{homedir}/LICENSE.html %doc %{homedir}/LICENSE.html
%doc %{homedir}/README.html %doc %{homedir}/README.html
......
...@@ -82,8 +82,7 @@ ...@@ -82,8 +82,7 @@
<li>Copy the <i>embedded-db</i> directory from the backup to the installation directory.</li> <li>Copy the <i>embedded-db</i> directory from the backup to the installation directory.</li>
<li>Copy the <i>enterprise</i> directory from the backup to the installation directory, if it exists.</li> <li>Copy the <i>enterprise</i> directory from the backup to the installation directory, if it exists.</li>
<li>Copy the <i>plugins</i> directory from the backup to the installation directory except for _plugins/admin_.</li> <li>Copy the <i>plugins</i> directory from the backup to the installation directory except for _plugins/admin_.</li>
<li>Copy the <i>resources/security/keystore</i> file from the backup to the installation directory.</li> <li>Copy modified files located in <i>resources/security</i> from the backup to the installation directory.</li>
<li>Copy the <i>resources/security/truststore</i> file from the backup to the installation directory if you modified this file.</li>
<li>Start Openfire</li> <li>Start Openfire</li>
</ol> </ol>
</ul> </ul>
......
...@@ -104,9 +104,9 @@ public class AdminConsolePlugin implements Plugin { ...@@ -104,9 +104,9 @@ public class AdminConsolePlugin implements Plugin {
httpsConnector.setHost(bindInterface); httpsConnector.setHost(bindInterface);
httpsConnector.setPort(adminSecurePort); httpsConnector.setPort(adminSecurePort);
httpsConnector.setTrustPassword(SSLConfig.getTrustPassword()); httpsConnector.setTrustPassword(SSLConfig.gets2sTrustPassword());
httpsConnector.setTruststoreType(SSLConfig.getStoreType()); httpsConnector.setTruststoreType(SSLConfig.getStoreType());
httpsConnector.setTruststore(SSLConfig.getTruststoreLocation()); httpsConnector.setTruststore(SSLConfig.gets2sTruststoreLocation());
httpsConnector.setNeedClientAuth(false); httpsConnector.setNeedClientAuth(false);
httpsConnector.setWantClientAuth(false); httpsConnector.setWantClientAuth(false);
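Review bot: The admin console HTTPS connector now takes its truststore from the s2s settings (L38, L40) while the otherwise identical BOSH connector in HttpBindManager (L47, L49) takes the c2s ones; both connectors face browsers, so one of the two choices looks accidental. With setNeedClientAuth(false) and setWantClientAuth(false) on the following lines the server never asks for a client certificate, so the store should not be consulted today, but whichever store is configured here is the one that would be used if client auth were ever enabled for the console. I would align it with HttpBindManager, `httpsConnector.setTrustPassword(SSLConfig.getc2sTrustPassword());` and `httpsConnector.setTruststore(SSLConfig.getc2sTruststoreLocation());`, or add a comment stating why the server store is intended. The enclosing method continues outside the hunk.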
......
...@@ -141,9 +141,9 @@ public final class HttpBindManager { ...@@ -141,9 +141,9 @@ public final class HttpBindManager {
sslConnector.setHost(getBindInterface()); sslConnector.setHost(getBindInterface());
sslConnector.setPort(securePort); sslConnector.setPort(securePort);
sslConnector.setTrustPassword(SSLConfig.getTrustPassword()); sslConnector.setTrustPassword(SSLConfig.getc2sTrustPassword());
sslConnector.setTruststoreType(SSLConfig.getStoreType()); sslConnector.setTruststoreType(SSLConfig.getStoreType());
sslConnector.setTruststore(SSLConfig.getTruststoreLocation()); sslConnector.setTruststore(SSLConfig.getc2sTruststoreLocation());
sslConnector.setNeedClientAuth(false); sslConnector.setNeedClientAuth(false);
sslConnector.setWantClientAuth(false); sslConnector.setWantClientAuth(false);
......
...@@ -76,6 +76,8 @@ public class SSLJiveTrustManagerFactory { ...@@ -76,6 +76,8 @@ public class SSLJiveTrustManagerFactory {
return trustManagers; return trustManagers;
} }
//TODO: Is this for c2s or s2s connections? Or both?
public static TrustManager[] getTrustManagers(KeyStore truststore, public static TrustManager[] getTrustManagers(KeyStore truststore,
String trustpass) { String trustpass) {
TrustManager[] trustManagers; TrustManager[] trustManagers;
...@@ -86,7 +88,7 @@ public class SSLJiveTrustManagerFactory { ...@@ -86,7 +88,7 @@ public class SSLJiveTrustManagerFactory {
TrustManagerFactory trustFactory = TrustManagerFactory TrustManagerFactory trustFactory = TrustManagerFactory
.getInstance(TrustManagerFactory.getDefaultAlgorithm()); .getInstance(TrustManagerFactory.getDefaultAlgorithm());
if (trustpass == null) { if (trustpass == null) {
trustpass = SSLConfig.getTrustPassword(); trustpass = SSLConfig.gets2sTrustPassword();
} }
trustFactory.init(truststore); trustFactory.init(truststore);
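Review bot: The TODO added on L56 can be answered from this same commit: the new TLSWrapper and NIOConnection code call getTrustManagers with either the c2s or the s2s store, so the method serves both, yet the null-password fallback on L64 now silently assumes the s2s store. Within the visible lines trustpass is not used after that fallback (L66 calls init(truststore) with no password), so this may be harmless, but a caller passing the c2s store with a null password would get the wrong default if the password is used further down; the rest of the method lies outside the hunk. I would replace the TODO with a Javadoc that makes the contract explicit, e.g. `@param trustpass password of {@code truststore}; when {@code null} the s2s truststore password is assumed, which is only correct for the s2s store`.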
......
...@@ -58,6 +58,7 @@ public class TLSWrapper { ...@@ -58,6 +58,7 @@ public class TLSWrapper {
public TLSWrapper(boolean clientMode, boolean needClientAuth, String remoteServer) { public TLSWrapper(boolean clientMode, boolean needClientAuth, String remoteServer) {
boolean c2sConnection = (remoteServer == null);
if (debug) { if (debug) {
System.setProperty("javax.net.debug", "all"); System.setProperty("javax.net.debug", "all");
} }
...@@ -68,8 +69,8 @@ public class TLSWrapper { ...@@ -68,8 +69,8 @@ public class TLSWrapper {
KeyStore ksKeys = SSLConfig.getKeyStore(); KeyStore ksKeys = SSLConfig.getKeyStore();
String keypass = SSLConfig.getKeyPassword(); String keypass = SSLConfig.getKeyPassword();
KeyStore ksTrust = SSLConfig.getTrustStore(); KeyStore ksTrust = (c2sConnection ? SSLConfig.getc2sTrustStore() : SSLConfig.gets2sTrustStore());
String trustpass = SSLConfig.getTrustPassword(); String trustpass = (c2sConnection ? SSLConfig.getc2sTrustPassword() : SSLConfig.gets2sTrustPassword());
// KeyManager's decide which key material to use. // KeyManager's decide which key material to use.
KeyManager[] km = SSLJiveKeyManagerFactory.getKeyManagers(ksKeys, keypass); KeyManager[] km = SSLJiveKeyManagerFactory.getKeyManagers(ksKeys, keypass);
...@@ -77,9 +78,15 @@ public class TLSWrapper { ...@@ -77,9 +78,15 @@ public class TLSWrapper {
// TrustManager's decide whether to allow connections. // TrustManager's decide whether to allow connections.
TrustManager[] tm = SSLJiveTrustManagerFactory.getTrustManagers(ksTrust, trustpass); TrustManager[] tm = SSLJiveTrustManagerFactory.getTrustManagers(ksTrust, trustpass);
if (clientMode || needClientAuth) { if (clientMode || needClientAuth) {
if (c2sConnection) {
// Check if we can trust certificates presented by the client
tm = new TrustManager[]{new ClientTrustManager(ksTrust)};
}
else {
// Check if we can trust certificates presented by the server // Check if we can trust certificates presented by the server
tm = new TrustManager[]{new ServerTrustManager(remoteServer, ksTrust)}; tm = new TrustManager[]{new ServerTrustManager(remoteServer, ksTrust)};
} }
}
SSLContext tlsContext = SSLContext.getInstance(PROTOCOL); SSLContext tlsContext = SSLContext.getInstance(PROTOCOL);
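Review bot: The c2s/s2s decision on L70 is derived from the sentinel `remoteServer == null` rather than from anything the caller states explicitly, and that sentinel now selects both which truststore is loaded (L77-L78) and which TrustManager validates the peer (L85-L92). Before this change a null remoteServer in clientMode produced a ServerTrustManager with a null name; it now produces a ClientTrustManager backed by the c2s store, so any caller that relied on the old path is silently redirected, and I cannot see the callers from here. The same sentinel is introduced in NIOConnection.startTLS (L107). At minimum the constructor's contract should say so, e.g. `@param remoteServer name of the remote server for s2s connections, or {@code null} for a c2s connection (selects the c2s truststore and ClientTrustManager)`; an explicit connection-type argument would be safer than overloading null. The constructor continues outside the hunk.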
......
...@@ -24,6 +24,7 @@ import org.jivesoftware.openfire.net.SSLConfig; ...@@ -24,6 +24,7 @@ import org.jivesoftware.openfire.net.SSLConfig;
import org.jivesoftware.openfire.net.SSLJiveKeyManagerFactory; import org.jivesoftware.openfire.net.SSLJiveKeyManagerFactory;
import org.jivesoftware.openfire.net.SSLJiveTrustManagerFactory; import org.jivesoftware.openfire.net.SSLJiveTrustManagerFactory;
import org.jivesoftware.openfire.net.ServerTrustManager; import org.jivesoftware.openfire.net.ServerTrustManager;
import org.jivesoftware.openfire.net.ClientTrustManager;
import org.jivesoftware.openfire.session.LocalSession; import org.jivesoftware.openfire.session.LocalSession;
import org.jivesoftware.openfire.session.Session; import org.jivesoftware.openfire.session.Session;
import org.jivesoftware.util.JiveGlobals; import org.jivesoftware.util.JiveGlobals;
...@@ -279,21 +280,30 @@ public class NIOConnection implements Connection { ...@@ -279,21 +280,30 @@ public class NIOConnection implements Connection {
} }
public void startTLS(boolean clientMode, String remoteServer, ClientAuth authentication) throws Exception { public void startTLS(boolean clientMode, String remoteServer, ClientAuth authentication) throws Exception {
boolean c2s = (remoteServer == null);
KeyStore ksKeys = SSLConfig.getKeyStore(); KeyStore ksKeys = SSLConfig.getKeyStore();
String keypass = SSLConfig.getKeyPassword(); String keypass = SSLConfig.getKeyPassword();
KeyStore ksTrust = SSLConfig.getTrustStore(); KeyStore ksTrust = (c2s ? SSLConfig.getc2sTrustStore() : SSLConfig.gets2sTrustStore() );
String trustpass = SSLConfig.getTrustPassword(); String trustpass = (c2s ? SSLConfig.getc2sTrustPassword() : SSLConfig.gets2sTrustPassword() );
if (c2s) Log.debug("NIOConnection: startTLS: using c2s");
else Log.debug("NIOConnection: startTLS: using s2s");
// KeyManager's decide which key material to use. // KeyManager's decide which key material to use.
KeyManager[] km = SSLJiveKeyManagerFactory.getKeyManagers(ksKeys, keypass); KeyManager[] km = SSLJiveKeyManagerFactory.getKeyManagers(ksKeys, keypass);
// TrustManager's decide whether to allow connections. // TrustManager's decide whether to allow connections.
TrustManager[] tm = SSLJiveTrustManagerFactory.getTrustManagers(ksTrust, trustpass); TrustManager[] tm = SSLJiveTrustManagerFactory.getTrustManagers(ksTrust, trustpass);
if (clientMode || authentication == ClientAuth.needed || authentication == ClientAuth.wanted) { if (clientMode || authentication == ClientAuth.needed || authentication == ClientAuth.wanted) {
// We might need to verify a certificate from our peer, so get different TrustManager[]'s
if(c2s) {
// Check if we can trust certificates presented by the client
tm = new TrustManager[]{new ClientTrustManager(ksTrust)};
} else {
// Check if we can trust certificates presented by the server // Check if we can trust certificates presented by the server
tm = new TrustManager[]{new ServerTrustManager(remoteServer, ksTrust)}; tm = new TrustManager[]{new ServerTrustManager(remoteServer, ksTrust)};
} }
}
SSLContext tlsContext = SSLContext.getInstance("TLS"); SSLContext tlsContext = SSLContext.getInstance("TLS");
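Review bot: The two unbraced single-line if/else statements on L112-L113 are the only unbraced conditionals in the hunk and read awkwardly next to the braced block that follows; one call, `Log.debug("NIOConnection: startTLS: using " + (c2s ? "c2s" : "s2s"));`, says the same thing and keeps the method's brace style uniform. The import of ClientTrustManager on L100 is placed after ServerTrustManager rather than in alphabetical order with its siblings, which is worth fixing while touching the file. startTLS continues outside the hunk.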
......
...@@ -396,7 +396,7 @@ public class ConnectionManagerImpl extends BasicModule implements ConnectionMana ...@@ -396,7 +396,7 @@ public class ConnectionManagerImpl extends BasicModule implements ConnectionMana
KeyManagerFactory keyFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); KeyManagerFactory keyFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyFactory.init(SSLConfig.getKeyStore(), SSLConfig.getKeyPassword().toCharArray()); keyFactory.init(SSLConfig.getKeyStore(), SSLConfig.getKeyPassword().toCharArray());
TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustFactory.init(SSLConfig.getTrustStore()); trustFactory.init(SSLConfig.getc2sTrustStore());
sslContext.init(keyFactory.getKeyManagers(), sslContext.init(keyFactory.getKeyManagers(),
trustFactory.getTrustManagers(), trustFactory.getTrustManagers(),
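Review bot: L134 switches this SSLContext to the c2s truststore but, unlike the NIOConnection.startTLS path in the same commit, keeps the default TrustManagerFactory trust managers rather than a ClientTrustManager, so if client authentication is ever requested on whichever listener this context serves, client certificates would be checked by the JDK's default chain validation against client.truststore and not by the same logic as the NIO path; whether that difference is intended is not visible here. A one-line comment would make the choice reviewable, e.g. `// c2s truststore: peers on this listener are clients, not remote servers`. The enclosing method continues outside the hunk.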
......
...@@ -223,17 +223,17 @@ public class CertificateManager { ...@@ -223,17 +223,17 @@ public class CertificateManager {
// Ignore // Ignore
} }
catch (Exception e) { catch (Exception e) {
Log.error("Error decoding subjectAltName", e); Log.error("CertificateManager: Error decoding subjectAltName", e);
} }
} }
// Other types are not good for XMPP so ignore them // Other types are not good for XMPP so ignore them
else if (Log.isDebugEnabled()) { else if (Log.isDebugEnabled()) {
Log.debug("SubjectAltName of invalid type found: " + certificate); Log.debug("CertificateManager: SubjectAltName of invalid type found: " + certificate.getSubjectDN());
} }
} }
} }
catch (CertificateParsingException e) { catch (CertificateParsingException e) {
Log.error("Error parsing SubjectAltName in certificate: " + certificate, e); Log.error("CertificateManager: Error parsing SubjectAltName in certificate: " + certificate.getSubjectDN(), e);
} }
return identities; return identities;
} }
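Review bot: The new log messages on L147 and L152 call `certificate.getSubjectDN()`, which the JDK documents as denigrated in favour of `getSubjectX500Principal()`; if `certificate` is a java.security.cert.X509Certificate (the CertificateParsingException catch on L151 suggests it is) the replacement is a drop-in, e.g. `Log.debug("CertificateManager: SubjectAltName of invalid type found: " + certificate.getSubjectX500Principal());` and likewise on L152. Logging only the subject instead of the whole certificate is otherwise a welcome change. The enclosing method starts outside the hunk.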
......
...@@ -42,7 +42,7 @@ ...@@ -42,7 +42,7 @@
alias = domain + "_" + index; alias = domain + "_" + index;
} }
// Import certificate // Import certificate
CertificateManager.installCert(SSLConfig.getKeyStore(), SSLConfig.getTrustStore(), CertificateManager.installCert(SSLConfig.getKeyStore(), SSLConfig.gets2sTrustStore(),
SSLConfig.getKeyPassword(), alias, new ByteArrayInputStream(privateKey.getBytes()), passPhrase, SSLConfig.getKeyPassword(), alias, new ByteArrayInputStream(privateKey.getBytes()), passPhrase,
new ByteArrayInputStream(certificate.getBytes()), true, true); new ByteArrayInputStream(certificate.getBytes()), true, true);
// Save keystore // Save keystore
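Review bot: Both certificate-import pages (L161 here and L170 in the second JSP hunk) now hand `SSLConfig.gets2sTrustStore()` to CertificateManager without saying why the server store is the right one; if the trailing `true, true` arguments mean the imported chain is validated against that truststore, a CA present only in client.truststore would not be accepted, and the page offers no way to select the other store. A short comment at the call, `// Imported chains are checked against the s2s truststore; client.truststore is not consulted here`, would record the decision, or the page could pass the store explicitly. The enclosing scriptlet continues outside the hunk.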
......
...@@ -73,7 +73,7 @@ ...@@ -73,7 +73,7 @@
String reply = ParamUtils.getParameter(request, "reply"); String reply = ParamUtils.getParameter(request, "reply");
if (alias != null && reply != null && reply.trim().length() > 0) { if (alias != null && reply != null && reply.trim().length() > 0) {
try { try {
CertificateManager.installReply(SSLConfig.getKeyStore(), SSLConfig.getTrustStore(), CertificateManager.installReply(SSLConfig.getKeyStore(), SSLConfig.gets2sTrustStore(),
SSLConfig.getKeyPassword(), alias, new ByteArrayInputStream(reply.getBytes()), true, true); SSLConfig.getKeyPassword(), alias, new ByteArrayInputStream(reply.getBytes()), true, true);
SSLConfig.saveStores(); SSLConfig.saveStores();
response.sendRedirect("ssl-certificates.jsp?importsuccess=true"); response.sendRedirect("ssl-certificates.jsp?importsuccess=true");
......