org.glite.security.trustmanager
Class ContextWrapper

java.lang.Object
  extended by org.glite.security.trustmanager.ContextWrapper
All Implemented Interfaces:
SSLContextWrapper

public class ContextWrapper
extends java.lang.Object
implements SSLContextWrapper

A class wrapping the SSLContext. It adds support for PEM certificates, grid proxy certificates, timeouts, dynamic reloading of CRLs, etc.

Author:
Joni Hahkala (Joni.Hahkala@cern.ch). Created on July 18, 2002, 6:10 PM.

Field Summary
static java.lang.String CA_FILES
          CA file names
static java.lang.String CA_FILES_DEFAULT
          CA files default "/etc/grid-security/certificates/*.0".
static java.lang.String CA_STORE_FILE
          CA keystore file name
static java.lang.String CA_STORE_PASSWD
          CA store password
static java.lang.String CA_STORE_TYPE
          CA store type property name
 FileCertReader certReader
          The certificate reader instance to use to read the certificates, to avoid initializing it many times.
static java.lang.String CONF_FILE
          The config file setting.
 CaseInsensitiveProperties config
          The settings of this ContextWrapper given in the constructor
static java.lang.String CONNECT_TIMEOUT
          The connect timeout setting.
static java.lang.String CREDENTIALS_CERT_FILE
          Identity cert property name.
static java.lang.String CREDENTIALS_KEY_FILE
          Credential key property name.
static java.lang.String CREDENTIALS_KEY_PASSWD
          The password for the private key.
static java.lang.String CREDENTIALS_PROXY_FILE
          The credential proxy file property name.
static java.lang.String CREDENTIALS_STORE_FILE
          The identity keystore property name.
static java.lang.String CREDENTIALS_STORE_PASSWD
          The password for the credential keystore.
static java.lang.String CREDENTIALS_STORE_TYPE
          The type of the credential keystore if keystore is used.
static java.lang.String CREDENTIALS_UPDATE_INTERVAL
          The name of the setting for the interval at which the credentials are polled for updates.
static java.lang.String CREDENTIALS_UPDATE_INTERVAL_DEAFULT
          Credentials reload interval default "0 s", meaning disabled.
static java.lang.String CRL_ENABLED
          The setting for whether the CRL support is enabled or not.
static java.lang.String CRL_ENABLED_DEFAULT
          CRL support enabled default: true.
static java.lang.String CRL_FILES
          The file definition for the CRL files.
static java.lang.String CRL_FILES_DEFAULT
          CRL file default "/etc/grid-security/certificates/*.r0".
static java.lang.String CRL_REQUIRED
          The setting for whether the CRLs are required for each of the CAs.
static java.lang.String CRL_REQUIRED_DEFAULT
          CRL required default: true.
static java.lang.String CRL_UPDATE_INTERVAL
          The setting for the interval for CRL reloading or for polling the trust directory for updates.
static java.lang.String CRL_UPDATE_INTERVAL_DEFAULT
          Default interval for CRL reloading and trust directory polling: 0, meaning disabled.
 java.util.Vector crls
          The CRLs of this wrapper.
static java.lang.String GRID_PROXY_STREAM
          The stream to load the proxy from
static java.lang.String HOSTNAME_CHECK
          The hostname checking setting
static java.lang.String HOSTNAME_CHECK_DEFAULT
          The hostname checking default
 javax.net.ssl.KeyManager[] identityKeyManagers
          The key manager array of this wrapper.
static java.lang.String INT_KEYSTORE_PASSWD
          Internal keystore password.
static java.lang.String KEYSTORE_TYPE_DEFAULT
          Default keystore type: JKS.
static java.lang.String LOG_CONF_FILE
          The file from which to load the log4j configuration.
static java.lang.String LOG_FILE
          The file to log to.
 OpensslTrustmanager m_trustmanager
          The new trustmanager instance if the new configuration method is used (Trust directory).
static java.lang.String OVERRIDE_EXPIRATION_CHECK_ON_INIT
          Flag to override the credential expiration check on loading for testing purposes only.
 boolean overrideExpirationCheck
          Switch to bypass the expiration check.
static java.lang.String SSL_PROTOCOL
          The SSL protocol to use.
static java.lang.String SSL_PROTOCOL_DEFAULT
          SSL protocol default: TLSv1.
static java.lang.String SSL_TIMEOUT_SETTING
          Timeout for the SSL handshake and for reads, in milliseconds.
static java.lang.String TIMEOUT_DEFAULT
          Timeout default 1 minute.
 java.util.Vector trustAnchors
          The trust anchors of this contextWrapper.
 CRLFileTrustManager trustManager
          The old trustmanager instance if the old configuration method is used.
static java.lang.String TRUSTSTORE_DIR
          The trust store setting
static java.lang.String TRUSTSTORE_DIR_DEFAULT
          The default trust store dir
 
Constructor Summary
ContextWrapper(java.util.Properties inputConfig)
          Creates a new ContextWrapper object.
ContextWrapper(java.util.Properties inputConfig, boolean wantLog4jConf)
          Creates a new ContextWrapper object.
ContextWrapper(java.util.Properties inputConfig, org.bouncycastle.openssl.PasswordFinder finder)
          Creates a new instance of ContextWrapper
ContextWrapper(java.util.Properties inputConfig, java.security.cert.X509Certificate[] chain, java.security.PrivateKey key)
          Creates a new ContextWrapper object.
 
Method Summary
 javax.net.ssl.SSLContext getContext()
          Returns the underlying SSLContext that is wrapped.
static long getIntervalSecs(java.lang.String intervalBlob)
          Parses a string representation of an interval into seconds.
 javax.net.ssl.X509KeyManager getKeyManager()
          Returns the internal key managers, only for debugging.
 javax.net.ssl.SSLServerSocketFactory getServerSocketFactory()
          Creates a ServerSocketFactory.
 javax.net.ssl.SSLSocketFactory getSocketFactory()
          Create a TimeoutSSLSocketFactory instance with the configuration requested.
 void init(org.bouncycastle.openssl.PasswordFinder finder, java.security.cert.X509Certificate[] chain, java.security.PrivateKey key)
          Initializes the key manager.
 void initKeyManagers(org.bouncycastle.openssl.PasswordFinder finder)
          Initializes the key manager; the key manager reloads the credentials periodically if the update interval is set.
 void initKeyManagers(java.security.cert.X509Certificate[] chain, java.security.PrivateKey key)
          Initializes the key manager from the given chain and key; since the key manager does not know where to reload from, it will not update itself.
 void loadConfig(java.util.Properties inputConfig, boolean wantLog4jConfiguration)
          Either uses the given configuration or, if the configuration file setting is set, loads the configuration from that file.
 void stop()
          Stops any running updater threads.
 
Methods inherited from class java.lang.Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

CREDENTIALS_PROXY_FILE

public static final java.lang.String CREDENTIALS_PROXY_FILE
The credential proxy file property name.

See Also:
Constant Field Values

CREDENTIALS_UPDATE_INTERVAL

public static final java.lang.String CREDENTIALS_UPDATE_INTERVAL
The name of the setting for the interval at which the credentials are polled for updates.

See Also:
Constant Field Values

CREDENTIALS_CERT_FILE

public static final java.lang.String CREDENTIALS_CERT_FILE
Identity cert property name.

See Also:
Constant Field Values

CREDENTIALS_KEY_FILE

public static final java.lang.String CREDENTIALS_KEY_FILE
Credential key property name.

See Also:
Constant Field Values

CREDENTIALS_KEY_PASSWD

public static final java.lang.String CREDENTIALS_KEY_PASSWD
The password for the private key.

See Also:
Constant Field Values

CREDENTIALS_STORE_FILE

public static final java.lang.String CREDENTIALS_STORE_FILE
The identity keystore property name.

See Also:
Constant Field Values

CREDENTIALS_STORE_TYPE

public static final java.lang.String CREDENTIALS_STORE_TYPE
The type of the credential keystore if keystore is used.

See Also:
Constant Field Values

CREDENTIALS_STORE_PASSWD

public static final java.lang.String CREDENTIALS_STORE_PASSWD
The password for the credential keystore.

See Also:
Constant Field Values

CA_FILES

public static final java.lang.String CA_FILES
CA file names

See Also:
Constant Field Values

CA_STORE_FILE

public static final java.lang.String CA_STORE_FILE
CA keystore file name

See Also:
Constant Field Values

CA_STORE_TYPE

public static final java.lang.String CA_STORE_TYPE
CA store type property name

See Also:
Constant Field Values

CA_STORE_PASSWD

public static final java.lang.String CA_STORE_PASSWD
CA store password

See Also:
Constant Field Values

CRL_FILES

public static final java.lang.String CRL_FILES
The file definition for the CRL files.

See Also:
Constant Field Values

CRL_ENABLED

public static final java.lang.String CRL_ENABLED
The setting for whether the CRL support is enabled or not.

See Also:
Constant Field Values

CRL_REQUIRED

public static final java.lang.String CRL_REQUIRED
The setting for whether the CRLs are required for each of the CAs.

See Also:
Constant Field Values

CRL_UPDATE_INTERVAL

public static final java.lang.String CRL_UPDATE_INTERVAL
The setting for the interval for CRL reloading or for polling the trust directory for updates.

See Also:
Constant Field Values

LOG_CONF_FILE

public static final java.lang.String LOG_CONF_FILE
The file from which to load the log4j configuration.

See Also:
Constant Field Values

LOG_FILE

public static final java.lang.String LOG_FILE
The file to log to.

See Also:
Constant Field Values

SSL_PROTOCOL

public static final java.lang.String SSL_PROTOCOL
The SSL protocol to use. Options are SSLv3, TLSv1 and SSLv2Hello. Multiple protocols can be given, separated by commas.

See Also:
Constant Field Values

CONF_FILE

public static final java.lang.String CONF_FILE
The config file setting. If set the configuration is read from that file. Otherwise explicit settings and defaults are used.

See Also:
Constant Field Values

SSL_TIMEOUT_SETTING

public static final java.lang.String SSL_TIMEOUT_SETTING
Timeout for the SSL handshake and for reads, in milliseconds.

See Also:
Constant Field Values

CONNECT_TIMEOUT

public static final java.lang.String CONNECT_TIMEOUT
The connect timeout setting.

See Also:
Constant Field Values

OVERRIDE_EXPIRATION_CHECK_ON_INIT

public static final java.lang.String OVERRIDE_EXPIRATION_CHECK_ON_INIT
Flag to override the credential expiration check on loading for testing purposes only.

See Also:
Constant Field Values

GRID_PROXY_STREAM

public static final java.lang.String GRID_PROXY_STREAM
The stream to load the proxy from

See Also:
Constant Field Values

KEYSTORE_TYPE_DEFAULT

public static final java.lang.String KEYSTORE_TYPE_DEFAULT
Default keystore type: JKS.

See Also:
Constant Field Values

CRL_UPDATE_INTERVAL_DEFAULT

public static final java.lang.String CRL_UPDATE_INTERVAL_DEFAULT
Default interval for CRL reloading and trust directory polling: 0, meaning disabled. Reloading should be enabled in servers and in long-lived clients.

See Also:
Constant Field Values

CRL_REQUIRED_DEFAULT

public static final java.lang.String CRL_REQUIRED_DEFAULT
CRL required default: true.

See Also:
Constant Field Values

SSL_PROTOCOL_DEFAULT

public static final java.lang.String SSL_PROTOCOL_DEFAULT
SSL protocol default: TLSv1.

See Also:
Constant Field Values

CRL_ENABLED_DEFAULT

public static final java.lang.String CRL_ENABLED_DEFAULT
CRL support enabled default: true.

See Also:
Constant Field Values

CREDENTIALS_UPDATE_INTERVAL_DEAFULT

public static final java.lang.String CREDENTIALS_UPDATE_INTERVAL_DEAFULT
Credentials reload interval default "0 s", meaning disabled.

See Also:
Constant Field Values

CA_FILES_DEFAULT

public static final java.lang.String CA_FILES_DEFAULT
CA files default "/etc/grid-security/certificates/*.0".

See Also:
Constant Field Values

CRL_FILES_DEFAULT

public static final java.lang.String CRL_FILES_DEFAULT
CRL file default "/etc/grid-security/certificates/*.r0".

See Also:
Constant Field Values

TIMEOUT_DEFAULT

public static final java.lang.String TIMEOUT_DEFAULT
Timeout default 1 minute.

See Also:
Constant Field Values

INT_KEYSTORE_PASSWD

public static final java.lang.String INT_KEYSTORE_PASSWD
Internal keystore password.

See Also:
Constant Field Values

TRUSTSTORE_DIR

public static final java.lang.String TRUSTSTORE_DIR
The trust store setting

See Also:
Constant Field Values

TRUSTSTORE_DIR_DEFAULT

public static final java.lang.String TRUSTSTORE_DIR_DEFAULT
The default trust store dir

See Also:
Constant Field Values

HOSTNAME_CHECK

public static final java.lang.String HOSTNAME_CHECK
The hostname checking setting

See Also:
Constant Field Values

HOSTNAME_CHECK_DEFAULT

public static final java.lang.String HOSTNAME_CHECK_DEFAULT
The hostname checking default

See Also:
Constant Field Values

config

public CaseInsensitiveProperties config
The settings of this ContextWrapper given in the constructor


identityKeyManagers

public javax.net.ssl.KeyManager[] identityKeyManagers
The key manager array of this wrapper.


trustAnchors

public java.util.Vector trustAnchors
The trust anchors of this contextWrapper.


crls

public java.util.Vector crls
The CRLs of this wrapper.


certReader

public FileCertReader certReader
The certificate reader instance to use to read the certificates, to avoid initializing it many times.


trustManager

public CRLFileTrustManager trustManager
The old trustmanager instance if the old configuration method is used.


m_trustmanager

public OpensslTrustmanager m_trustmanager
The new trustmanager instance if the new configuration method is used (Trust directory).


overrideExpirationCheck

public boolean overrideExpirationCheck
Switch to bypass the expiration check. Only for testing! Overrides the expiration checking during the cert loading so that expired certs can be loaded to test the certificate rejection at the server end.

Constructor Detail

ContextWrapper

public ContextWrapper(java.util.Properties inputConfig,
                      boolean wantLog4jConf)
               throws java.io.IOException,
                      java.security.GeneralSecurityException
Creates a new ContextWrapper object.

Parameters:
inputConfig - the configuration to use.
wantLog4jConf - a flag telling whether log4j should be configured
Throws:
java.io.IOException - in case there is a problem reading config file, certificates, key or CRLs.
java.security.GeneralSecurityException - if there is a problem initializing the SSLContext.

ContextWrapper

public ContextWrapper(java.util.Properties inputConfig)
               throws java.io.IOException,
                      java.security.GeneralSecurityException
Creates a new ContextWrapper object.

Parameters:
inputConfig - the configuration to use.
Throws:
java.io.IOException - in case there is a problem reading config file, certificates, key or CRLs.
java.security.GeneralSecurityException - if there is a problem initializing the SSLContext.

ContextWrapper

public ContextWrapper(java.util.Properties inputConfig,
                      java.security.cert.X509Certificate[] chain,
                      java.security.PrivateKey key)
               throws java.io.IOException,
                      java.security.GeneralSecurityException
Creates a new ContextWrapper object.

Parameters:
inputConfig - The configuration values given.
chain - the certificate chain to use for authentication.
key - the key to use for authentication.
Throws:
java.io.IOException - in case the SSL context initialization fails.
java.security.GeneralSecurityException

ContextWrapper

public ContextWrapper(java.util.Properties inputConfig,
                      org.bouncycastle.openssl.PasswordFinder finder)
               throws java.io.IOException,
                      java.security.GeneralSecurityException
Creates a new instance of ContextWrapper

Parameters:
inputConfig - The properties used for configuring the instance of context wrapper.
finder -
Throws:
java.io.IOException
java.security.GeneralSecurityException
Method Detail

loadConfig

public void loadConfig(java.util.Properties inputConfig,
                       boolean wantLog4jConfiguration)
                throws java.io.FileNotFoundException,
                       java.io.IOException
Either uses the given configuration or, if the configuration file setting is set, loads the configuration from that file.

Parameters:
inputConfig - the configuration values.
wantLog4jConfiguration - switch allowing the bypass of log4j initialization to allow the use of slf4j etc.
Throws:
java.io.FileNotFoundException - if the config file pointed to by the config values is not found.
java.io.IOException - if the config file loading fails.

getContext

public javax.net.ssl.SSLContext getContext()
Returns the underlying SSLContext that is wrapped. Only for debugging.

Returns:
The underlying SSLContext.

getServerSocketFactory

public javax.net.ssl.SSLServerSocketFactory getServerSocketFactory()
                                                            throws javax.net.ssl.SSLException
Creates a ServerSocketFactory.

Specified by:
getServerSocketFactory in interface SSLContextWrapper
Returns:
The SSLServerSocketFactory created using the configuration values.
Throws:
javax.net.ssl.SSLException - if a problem occurs while creating the factory.

getSocketFactory

public javax.net.ssl.SSLSocketFactory getSocketFactory()
                                                throws javax.net.ssl.SSLException
Create a TimeoutSSLSocketFactory instance with the configuration requested.

Specified by:
getSocketFactory in interface SSLContextWrapper
Returns:
SSLSocketFactory (TimeoutSSLSocketFactory) instance.
Throws:
javax.net.ssl.SSLException - if a problem occurs while creating the factory.

init

public void init(org.bouncycastle.openssl.PasswordFinder finder,
                 java.security.cert.X509Certificate[] chain,
                 java.security.PrivateKey key)
          throws java.security.cert.CertificateException,
                 java.security.GeneralSecurityException,
                 java.io.IOException
Initializes the key manager.

Parameters:
finder - the Password Finder implementation to use to ask the user for password to access the private key.
chain - the certificate chain to be used as credentials.
key - the private key to be used as credential.
Throws:
java.security.cert.CertificateException - if certificate reading failed.
java.security.GeneralSecurityException - in case there is a security violation.
java.security.NoSuchAlgorithmException - if certificate or key uses unsupported algorithm.
java.io.IOException - if certificate reading failed.

initKeyManagers

public void initKeyManagers(org.bouncycastle.openssl.PasswordFinder finder)
                     throws java.security.cert.CertificateException,
                            java.security.NoSuchAlgorithmException
Initializes the key manager; the key manager reloads the credentials periodically if the update interval is set.

Parameters:
finder - the PasswordFinder implementation to use to ask the user for password to access the private key.
Throws:
java.security.cert.CertificateException - if certificate reading failed.
java.security.NoSuchAlgorithmException - if the RSA algorithm is not supported.

initKeyManagers

public void initKeyManagers(java.security.cert.X509Certificate[] chain,
                            java.security.PrivateKey key)
                     throws java.security.cert.CertificateException,
                            java.security.NoSuchAlgorithmException,
                            java.io.IOException
Initializes the key manager from the given chain and key; since the key manager does not know where to reload from, it will not update itself.

Parameters:
chain - the certificate chain to be used as credentials.
key - the private key to be used as credential.
Throws:
java.security.cert.CertificateException - if certificate reading failed.
java.security.NoSuchAlgorithmException - if certificate or key uses unsupported algorithm.
java.io.IOException - if certificate reading failed.

getIntervalSecs

public static long getIntervalSecs(java.lang.String intervalBlob)
Parses a string representation of an interval into seconds. Format: n{s,m,h,d} (s=seconds, m=minutes, h=hours, d=days)

Parameters:
intervalBlob - String defining the interval.
Returns:
the seconds calculated from the interval.

getKeyManager

public javax.net.ssl.X509KeyManager getKeyManager()
Returns the internal key managers, only for debugging.

Returns:
the internal key manager in use.

stop

public void stop()
Stops any running updater threads.
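As an added usage example (not part of the trustmanager Javadoc or the project's code), the following builds a ContextWrapper for a long-lived client with CRL checking enabled and required, hostname checking on, and both the CRL and credential reload intervals turned on, since the defaults of 0 leave reloading disabled. It assumes the boolean settings accept "true"/"false", that CONNECT_TIMEOUT is in milliseconds like SSL_TIMEOUT_SETTING, and uses placeholder file paths.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Properties;

import javax.net.ssl.SSLSocketFactory;

import org.glite.security.trustmanager.ContextWrapper;

/**
 * Example client setup for ContextWrapper. File paths are placeholders and
 * the "true"/"false" value format is an assumption; the interval values use
 * the n{s,m,h,d} syntax documented for getIntervalSecs().
 */
public class ContextWrapperExample {

    static final String CRL_INTERVAL = "1h";
    static final String CRED_INTERVAL = "10m";

    /** Rejects an interval that would silently disable reloading (0 means disabled). */
    static boolean reloadEnabled(String interval) {
        return ContextWrapper.getIntervalSecs(interval) > 0;
    }

    public static ContextWrapper buildWrapper() throws IOException, GeneralSecurityException {
        if (!reloadEnabled(CRL_INTERVAL) || !reloadEnabled(CRED_INTERVAL)) {
            throw new IllegalArgumentException("reload intervals must be positive");
        }

        Properties conf = new Properties();
        // Trust anchors and CRLs from the OpenSSL-style trust directory.
        conf.setProperty(ContextWrapper.TRUSTSTORE_DIR, "/etc/grid-security/certificates");
        conf.setProperty(ContextWrapper.CRL_ENABLED, "true");
        conf.setProperty(ContextWrapper.CRL_REQUIRED, "true");   // every CA must have a CRL
        conf.setProperty(ContextWrapper.CRL_UPDATE_INTERVAL, CRL_INTERVAL);
        conf.setProperty(ContextWrapper.HOSTNAME_CHECK, "true");
        conf.setProperty(ContextWrapper.SSL_PROTOCOL, "TLSv1");  // the default; avoid SSLv3
        conf.setProperty(ContextWrapper.SSL_TIMEOUT_SETTING, "30000"); // milliseconds
        conf.setProperty(ContextWrapper.CONNECT_TIMEOUT, "10000");    // assumed milliseconds

        // Client credential as PEM certificate and key (placeholder paths); the key
        // password would come from CREDENTIALS_KEY_PASSWD or a PasswordFinder.
        conf.setProperty(ContextWrapper.CREDENTIALS_CERT_FILE, "/path/to/hostcert.pem");
        conf.setProperty(ContextWrapper.CREDENTIALS_KEY_FILE, "/path/to/hostkey.pem");
        conf.setProperty(ContextWrapper.CREDENTIALS_UPDATE_INTERVAL, CRED_INTERVAL);

        // Deliberately not set: OVERRIDE_EXPIRATION_CHECK_ON_INIT is a test-only
        // switch that lets expired credentials load.
        return new ContextWrapper(conf);
    }

    public static void main(String[] args) throws Exception {
        ContextWrapper wrapper = buildWrapper();
        try {
            SSLSocketFactory factory = wrapper.getSocketFactory();
            // factory.createSocket(host, port) now applies the CRL, hostname and
            // timeout policy above to every outbound connection.
            System.out.println("socket factory ready: " + factory.getClass().getName());
        } finally {
            wrapper.stop(); // shut down the CRL and credential updater threads
        }
    }
}
```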