diff options
author | Endi Sukma Dewata <edewata@redhat.com> | 2012-07-11 16:38:37 -0500 |
---|---|---|
committer | Endi Sukma Dewata <edewata@redhat.com> | 2012-07-12 11:27:03 -0500 |
commit | 9e4e40b80de0ba47702392b9ad6ccecf67496db7 (patch) | |
tree | 54cb1aae68901d0b6926fdebeb6b802be2d9a043 /base | |
parent | 04f53ea43c1f6112f1d7aee00b615aad62c18c91 (diff) | |
download | pki-9e4e40b80de0ba47702392b9ad6ccecf67496db7.tar.gz pki-9e4e40b80de0ba47702392b9ad6ccecf67496db7.tar.xz pki-9e4e40b80de0ba47702392b9ad6ccecf67496db7.zip |
Fixed client cert authentication problem.
The CertRestClient has been fixed to pass the client certificate nickname
to the CMSRestClient class to configure the SSLSocket properly.
Ticket #161
Diffstat (limited to 'base')
-rw-r--r-- | base/common/src/com/netscape/cms/client/cert/CertRestClient.java | 2 | ||||
-rw-r--r-- | base/common/src/com/netscape/cms/servlet/csadmin/CMSRestClient.java | 41 |
2 files changed, 14 insertions, 29 deletions
diff --git a/base/common/src/com/netscape/cms/client/cert/CertRestClient.java b/base/common/src/com/netscape/cms/client/cert/CertRestClient.java index 689cb8f57..39d393321 100644 --- a/base/common/src/com/netscape/cms/client/cert/CertRestClient.java +++ b/base/common/src/com/netscape/cms/client/cert/CertRestClient.java @@ -43,7 +43,7 @@ public class CertRestClient extends CMSRestClient { } public CertRestClient(String baseUri, String nickname) throws URISyntaxException { - super(baseUri); + super(baseUri, nickname); certClient = createProxy(CertResource.class); certsClient = createProxy(CertsResource.class); diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/CMSRestClient.java b/base/common/src/com/netscape/cms/servlet/csadmin/CMSRestClient.java index ebc851be5..7667dc70d 100644 --- a/base/common/src/com/netscape/cms/servlet/csadmin/CMSRestClient.java +++ b/base/common/src/com/netscape/cms/servlet/csadmin/CMSRestClient.java @@ -46,20 +46,12 @@ public abstract class CMSRestClient { this(baseUri, null); } - // Callback to approve or deny returned SSL server certs - // Right now, simply approve the cert. - // ToDO: Look into taking this JSS http client code and move it into - // its own class to be used by possible future clients. - public CMSRestClient(String baseUri, String clientCertNick) throws URISyntaxException { clientCertNickname = clientCertNick; uri = new URI(baseUri); - String protocol = uri.getScheme(); - int port = uri.getPort(); - DefaultHttpClient httpclient = new DefaultHttpClient(); httpclient.addRequestInterceptor(new HttpRequestInterceptor() { @@ -74,12 +66,9 @@ public abstract class CMSRestClient { } }); - if (protocol != null && protocol.equals("https")) { - - Scheme scheme = new Scheme("https", port, new JSSProtocolSocketFactory()); - httpclient.getConnectionManager().getSchemeRegistry().register(scheme); - - } + // register https scheme + Scheme scheme = new Scheme("https", 443, new JSSProtocolSocketFactory()); + httpclient.getConnectionManager().getSchemeRegistry().register(scheme); executor = new ApacheHttpClient4Executor(httpclient); providerFactory = ResteasyProviderFactory.getInstance(); @@ -89,11 +78,12 @@ public abstract class CMSRestClient { private class ServerCertApprovalCB implements SSLCertificateApprovalCallback { - public boolean approve(org.mozilla.jss.crypto.X509Certificate servercert, + // Callback to approve or deny returned SSL server cert. + // Right now, simply approve the cert. + public boolean approve(org.mozilla.jss.crypto.X509Certificate serverCert, SSLCertificateApprovalCallback.ValidityStatus status) { - //For now lets just accept the server cert. This is a test tool, being - // pointed at a well know kra instance. + if (verbose) System.out.println("Server certificate: "+serverCert.getSubjectDN()); SSLCertificateApprovalCallback.ValidityItem item; @@ -102,12 +92,10 @@ public abstract class CMSRestClient { item = (SSLCertificateApprovalCallback.ValidityItem) errors.nextElement(); int reason = item.getReason(); - if (reason == - SSLCertificateApprovalCallback.ValidityStatus.UNTRUSTED_ISSUER || + if (reason == SSLCertificateApprovalCallback.ValidityStatus.UNTRUSTED_ISSUER || reason == SSLCertificateApprovalCallback.ValidityStatus.BAD_CERT_DOMAIN) { - //Allow these two since we haven't necessarily installed the CA cert for trust - // and we are choosing "localhost" as the host for this client. + // Allow these two since we haven't installed the CA cert for trust. return true; @@ -123,11 +111,8 @@ public abstract class CMSRestClient { private class JSSProtocolSocketFactory implements SchemeSocketFactory, LayeredSchemeSocketFactory { @Override - public Socket createSocket(HttpParams params) - throws IOException { - + public Socket createSocket(HttpParams params) throws IOException { return null; - } @Override @@ -139,8 +124,6 @@ public abstract class CMSRestClient { UnknownHostException, ConnectTimeoutException { - SSLSocket socket; - String hostName = null; int port = 0; if (remoteAddress != null) { @@ -157,6 +140,7 @@ public abstract class CMSRestClient { localAddr = localAddress.getAddress(); } + SSLSocket socket; if (sock == null) { socket = new SSLSocket(InetAddress.getByName(hostName), port, @@ -169,7 +153,8 @@ public abstract class CMSRestClient { socket = new SSLSocket(sock, hostName, new ServerCertApprovalCB(), null); } - if (socket != null && clientCertNickname != null) { + if (clientCertNickname != null) { + if (verbose) System.out.println("Client certificate: "+clientCertNickname); socket.setClientCertNickname(clientCertNickname); } |