
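--- a/src/org/eclipse/dstore/internal/core/util/ssl/DStoreSSLContext.java
+++ b/src/org/eclipse/dstore/internal/core/util/ssl/DStoreSSLContext.java
@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2006, 2008 IBM Corporation and others.
+ * Copyright (c) 2006, 2009 IBM Corporation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
  * which accompanies this distribution, and is available at
@@ -15,6 +15,7 @@
  * David McKnight   (IBM) - [225507][api][breaking] RSE dstore API leaks non-API types
  * Noriaki Takatsu  (IBM) - [259905][api] Provide a facility to use its own keystore
  * David McKnight  (IBM) - [259905][api] provide public API for getting/setting key managers for SSLContext
+ * David McKnight  (IBM)  - [264858][dstore] OpenRSE always picks the first trusted certificate
  *******************************************************************************/
 
 package org.eclipse.dstore.internal.core.util.ssl;
@@ -25,6 +26,7 @@
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509KeyManager;
 
 import org.eclipse.dstore.core.util.ssl.BaseSSLContext;
 import org.eclipse.dstore.core.util.ssl.DStoreKeyStore;
@@ -46,10 +48,27 @@
 				KeyStore ks = DStoreKeyStore.getKeyStore(filePath, password);
 				String keymgrAlgorithm = KeyManagerFactory.getDefaultAlgorithm();
 				KeyManagerFactory kmf = KeyManagerFactory.getInstance(keymgrAlgorithm);
-				kmf.init(ks, password.toCharArray());				
-
+				kmf.init(ks, password.toCharArray());								
+	
 				serverContext = SSLContext.getInstance("SSL"); //$NON-NLS-1$
-				serverContext.init(kmf.getKeyManagers(), null, null);
+				
+				keyManagers = kmf.getKeyManagers();
+				
+				// read optional system property that indicates a default certificate alias
+				String defaultAlias = System.getProperty("DSTORE_DEFAULT_CERTIFICATE_ALIAS"); //$NON-NLS-1$
+				if (defaultAlias != null){
+					KeyManager[] x509KeyManagers = new X509KeyManager[10];
+				
+					for(int i=0;i<keyManagers.length; i++){
+						if(keyManagers[i] instanceof X509KeyManager){						
+							x509KeyManagers[i] = new DStoreKeyManager((X509KeyManager)keyManagers[i], defaultAlias);
+						}
+					}								
+					serverContext.init(x509KeyManagers, null, null);
+				}
+				else {
+					serverContext.init(keyManagers, null, null);
+				}
 			}
 			else
 			{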
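Review bot: The wrapper array in the `defaultAlias` branch is sized with a literal, `new X509KeyManager[10]`, so a `keyManagers` array longer than ten entries throws `ArrayIndexOutOfBoundsException`, and the unused slots (plus any entry that is not an `X509KeyManager`) are handed to `serverContext.init` as nulls. Size it from the input and carry the other managers through: `KeyManager[] x509KeyManagers = new KeyManager[keyManagers.length];` with `else { x509KeyManagers[i] = keyManagers[i]; }` in the loop. The alias read from `DSTORE_DEFAULT_CERTIFICATE_ALIAS` is also used unchecked; a `ks.containsAlias(defaultAlias)` test before wrapping would turn a mistyped alias into a clear start-up error rather than a failed handshake later. The enclosing method starts and ends outside the hunk.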
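--- a/src/org/eclipse/dstore/internal/core/util/ssl/DataStoreTrustManager.java
+++ b/src/org/eclipse/dstore/internal/core/util/ssl/DataStoreTrustManager.java
@@ -111,8 +111,10 @@
 					X509Certificate tcert = (X509Certificate)_trustedCerts.get(j);
 					try
 					{
-						cert.verify(tcert.getPublicKey());
-						foundMatch = true;
+						if (cert.getSubjectDN().equals(tcert.getIssuerDN())) {
+							cert.verify(tcert.getPublicKey());
+							foundMatch = true;
+						}
 					}
 					catch (Exception e)
 					{		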
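Review bot: The name check added in front of `cert.verify` compares the presented certificate's subject with the trusted certificate's issuer, which looks reversed: for `tcert` to have signed `cert`, it is `cert`'s issuer that should equal `tcert`'s subject. As far as can be seen here, the condition and the signature check can both hold only when the names coincide, as with a self-signed entry, so a certificate issued by a trusted CA would presumably never set `foundMatch`. Suggested condition: `if (cert.getIssuerX500Principal().equals(tcert.getSubjectX500Principal())) {`, which also avoids the provider-dependent objects returned by `getSubjectDN()`/`getIssuerDN()`. The surrounding loop and the catch body are outside the hunk, so whether validity dates are checked elsewhere cannot be told from this page.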
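--- a/src/org/eclipse/dstore/internal/core/util/ssl/DStoreKeyManager.java
+++ b/src/org/eclipse/dstore/internal/core/util/ssl/DStoreKeyManager.java
@@ -0,0 +1,69 @@
+/********************************************************************************
+ * Copyright (c) 2009 IBM Corporation. All rights reserved.
+ * This program and the accompanying materials are made available under the terms
+ * of the Eclipse Public License v1.0 which accompanies this distribution, and is 
+ * available at http://www.eclipse.org/legal/epl-v10.html
+ * 
+ * Initial Contributors:
+ * The following IBM employees contributed to the Remote System Explorer
+ * component that contains this file: David McKnight.
+ * 
+ * Contributors:
+ * David McKnight  (IBM)  - [264858][dstore] OpenRSE always picks the first trusted certificate
+ ********************************************************************************/
+package org.eclipse.dstore.internal.core.util.ssl;
+
+import java.net.Socket;
+import java.security.Principal;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+
+import javax.net.ssl.X509KeyManager;
+
+public class DStoreKeyManager implements X509KeyManager {
+	
+	private X509KeyManager _keyManager;
+	private String _defaultAlias;
+	
+	public DStoreKeyManager(X509KeyManager keyManager, String defaultAlias){
+		_keyManager = keyManager;
+		_defaultAlias = defaultAlias;
+	}
+	
+	public String chooseClientAlias(String[] keyType, Principal[] issuers,
+			Socket socket) {
+		if (_defaultAlias != null){
+			return _defaultAlias;
+		}
+		else {
+			return _keyManager.chooseClientAlias(keyType, issuers, socket);
+		}
+	}
+
+	public String chooseServerAlias(String keyType, Principal[] issuers,
+			Socket socket) {
+		if (_defaultAlias != null){
+			return _defaultAlias;
+		}
+		else {
+			return _keyManager.chooseServerAlias(keyType, issuers, socket);
+		}
+	}
+
+	public X509Certificate[] getCertificateChain(String alias) {
+		return _keyManager.getCertificateChain(alias);
+	}
+
+	public String[] getClientAliases(String keyType, Principal[] issuers) {
+		return _keyManager.getClientAliases(keyType, issuers);
+	}
+
+	public PrivateKey getPrivateKey(String alias) {
+		return _keyManager.getPrivateKey(alias);
+	}
+
+	public String[] getServerAliases(String keyType, Principal[] issuers) {
+		return _keyManager.getServerAliases(keyType, issuers);
+	}
+
+}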
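Review bot: `chooseServerAlias` and `chooseClientAlias` return `_defaultAlias` without consulting `keyType` or `issuers`, so the configured alias is handed back even for a key type its entry does not have, or when the keystore holds no such entry at all. Check it against the delegate's `getServerAliases(keyType, issuers)` (and `getClientAliases` for the client side) before returning it. Whether a non-matching request should return null, which keeps the pinned certificate strict, or fall back to the delegate is a policy choice worth a comment; the sketch below shows the strict form for the server side only. The two fields can also be `final`, and the class has no Javadoc stating that the alias overrides the delegate's own selection.

```java
	public String chooseServerAlias(String keyType, Principal[] issuers,
			Socket socket) {
		if (_defaultAlias == null) {
			return _keyManager.chooseServerAlias(keyType, issuers, socket);
		}
		// Offer the configured alias only when the delegate lists it for this key type.
		String[] candidates = _keyManager.getServerAliases(keyType, issuers);
		if (candidates != null) {
			for (int i = 0; i < candidates.length; i++) {
				if (_defaultAlias.equals(candidates[i])) {
					return _defaultAlias;
				}
			}
		}
		// No usable entry for this key type: report none instead of presenting another certificate.
		return null;
	}
	// … unchanged: getCertificateChain, getClientAliases, getPrivateKey, getServerAliases …
```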
