authorEndi Sukma Dewata <edewata@redhat.com>2012-07-11 16:38:37 -0500
committerEndi Sukma Dewata <edewata@redhat.com>2012-07-12 11:27:03 -0500
commit9e4e40b80de0ba47702392b9ad6ccecf67496db7 (patch)
tree54cb1aae68901d0b6926fdebeb6b802be2d9a043 /base
parent04f53ea43c1f6112f1d7aee00b615aad62c18c91 (diff)
Fixed client cert authentication problem.
The CertRestClient has been fixed to pass the client certificate nickname to the CMSRestClient class to configure the SSLSocket properly. Ticket #161
Diffstat (limited to 'base')
-rw-r--r--base/common/src/com/netscape/cms/client/cert/CertRestClient.java2
-rw-r--r--base/common/src/com/netscape/cms/servlet/csadmin/CMSRestClient.java41
2 files changed, 14 insertions, 29 deletions
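--- a/base/common/src/com/netscape/cms/client/cert/CertRestClient.java
+++ b/base/common/src/com/netscape/cms/client/cert/CertRestClient.java
@@ -43,7 +43,7 @@ public class CertRestClient extends CMSRestClient {
 }
 public CertRestClient(String baseUri, String nickname) throws URISyntaxException {
- super(baseUri);
+ super(baseUri, nickname);
 certClient = createProxy(CertResource.class);
 certsClient = createProxy(CertsResource.class);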
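Review bot: The `nickname` parameter now forwarded by the CertRestClient constructor has no documentation of what it names or whether null is allowed; the `CMSRestClient(String)` overload in the second file passes null, and the socket code there only calls `setClientCertNickname` when the value is non-null, so null presumably means "connect without client certificate authentication". Suggest a Javadoc on the constructor: `@param nickname nickname of the client certificate to present during the TLS handshake, or null to connect without client certificate authentication`. The constructor body continues outside the hunk.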
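--- a/base/common/src/com/netscape/cms/servlet/csadmin/CMSRestClient.java
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/CMSRestClient.java
@@ -46,20 +46,12 @@ public abstract class CMSRestClient {
 this(baseUri, null);
 }
- // Callback to approve or deny returned SSL server certs
- // Right now, simply approve the cert.
- // ToDO: Look into taking this JSS http client code and move it into
- // its own class to be used by possible future clients.
-
 public CMSRestClient(String baseUri, String clientCertNick) throws URISyntaxException {
 clientCertNickname = clientCertNick;
 uri = new URI(baseUri);
- String protocol = uri.getScheme();
- int port = uri.getPort();
-
 DefaultHttpClient httpclient = new DefaultHttpClient();
 httpclient.addRequestInterceptor(new HttpRequestInterceptor() {
@@ -74,12 +66,9 @@ public abstract class CMSRestClient {
 }
 });
- if (protocol != null && protocol.equals("https")) {
-
- Scheme scheme = new Scheme("https", port, new JSSProtocolSocketFactory());
- httpclient.getConnectionManager().getSchemeRegistry().register(scheme);
-
- }
+ // register https scheme
+ Scheme scheme = new Scheme("https", 443, new JSSProtocolSocketFactory());
+ httpclient.getConnectionManager().getSchemeRegistry().register(scheme);
 executor = new ApacheHttpClient4Executor(httpclient);
 providerFactory = ResteasyProviderFactory.getInstance();
@@ -89,11 +78,12 @@ public abstract class CMSRestClient {
 private class ServerCertApprovalCB implements SSLCertificateApprovalCallback {
- public boolean approve(org.mozilla.jss.crypto.X509Certificate servercert,
+ // Callback to approve or deny returned SSL server cert.
+ // Right now, simply approve the cert.
+ public boolean approve(org.mozilla.jss.crypto.X509Certificate serverCert,
 SSLCertificateApprovalCallback.ValidityStatus status) {
- //For now lets just accept the server cert. This is a test tool, being
- // pointed at a well know kra instance.
+ if (verbose) System.out.println("Server certificate: "+serverCert.getSubjectDN());
 SSLCertificateApprovalCallback.ValidityItem item;
@@ -102,12 +92,10 @@ public abstract class CMSRestClient {
 item = (SSLCertificateApprovalCallback.ValidityItem) errors.nextElement();
 int reason = item.getReason();
- if (reason ==
- SSLCertificateApprovalCallback.ValidityStatus.UNTRUSTED_ISSUER ||
+ if (reason == SSLCertificateApprovalCallback.ValidityStatus.UNTRUSTED_ISSUER ||
 reason == SSLCertificateApprovalCallback.ValidityStatus.BAD_CERT_DOMAIN) {
- //Allow these two since we haven't necessarily installed the CA cert for trust
- // and we are choosing "localhost" as the host for this client.
+ // Allow these two since we haven't installed the CA cert for trust.
 return true;
@@ -123,11 +111,8 @@ public abstract class CMSRestClient {
 private class JSSProtocolSocketFactory implements SchemeSocketFactory, LayeredSchemeSocketFactory {
 @Override
- public Socket createSocket(HttpParams params)
- throws IOException {
-
+ public Socket createSocket(HttpParams params) throws IOException {
 return null;
-
 }
 @Override
@@ -139,8 +124,6 @@ public abstract class CMSRestClient {
 UnknownHostException,
 ConnectTimeoutException {
- SSLSocket socket;
-
 String hostName = null;
 int port = 0;
 if (remoteAddress != null) {
@@ -157,6 +140,7 @@ public abstract class CMSRestClient {
 localAddr = localAddress.getAddress();
 }
+ SSLSocket socket;
 if (sock == null) {
 socket = new SSLSocket(InetAddress.getByName(hostName),
 port,
@@ -169,7 +153,8 @@ public abstract class CMSRestClient {
 socket = new SSLSocket(sock, hostName, new ServerCertApprovalCB(), null);
 }
- if (socket != null && clientCertNickname != null) {
+ if (clientCertNickname != null) {
+ if (verbose) System.out.println("Client certificate: "+clientCertNickname);
 socket.setClientCertNickname(clientCertNickname);
 }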
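Review bot: approve() in the `@@ -102,12 +92,10 @@` hunk still returns true for UNTRUSTED_ISSUER and BAD_CERT_DOMAIN, and the rewritten comments in the `@@ -89,11 +78,12 @@` hunk drop the old "this is a test tool" caveat without changing that behaviour, so after this commit the client presents its own certificate to a server whose issuer and hostname it never verifies. Accepting those two errors defeats server authentication and lets any endpoint placed in the path obtain a client-authenticated session, so the bypass should at least be visible regardless of `verbose` — for example `System.err.println("WARNING: accepting server certificate despite validity error " + reason);` before `return true;` — and the new comment should read `// TODO: acceptance of UNTRUSTED_ISSUER/BAD_CERT_DOMAIN should be opt-in and rejected by default once the CA cert is installed.` rather than presenting the bypass as settled. The approve method continues past the hunk, so the handling of other reasons is not visible here, and `verbose` is a field not shown in this diff, presumably set elsewhere in the class.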