From 60835ed008586f85a22737d0161cb026f2dbffec Mon Sep 17 00:00:00 2001 From: Endi Sukma Dewata Date: Sat, 18 Aug 2012 02:30:44 -0500 Subject: Moved REST CLI into pki-tools. The pki-client.jar has been split and merged into pki-certsrv.jar and pki-tools.jar. The REST client classes are now packaged in com.netscape.certsrv. packages. The REST CLI classes are now packaged in com.netscape.cmstools. packages. The "pki" script has been moved into pki-tools RPM package. Ticket #215 --- .../com/netscape/certsrv/client/ClientConfig.java | 189 +++++++++++++ .../src/com/netscape/certsrv/client/PKIClient.java | 304 +++++++++++++++++++++ .../certsrv/client/PKIErrorInterceptor.java | 62 +++++ 3 files changed, 555 insertions(+) create mode 100644 base/common/src/com/netscape/certsrv/client/ClientConfig.java create mode 100644 base/common/src/com/netscape/certsrv/client/PKIClient.java create mode 100644 base/common/src/com/netscape/certsrv/client/PKIErrorInterceptor.java (limited to 'base/common/src/com/netscape/certsrv/client') diff --git a/base/common/src/com/netscape/certsrv/client/ClientConfig.java b/base/common/src/com/netscape/certsrv/client/ClientConfig.java new file mode 100644 index 000000000..885b60a26 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/client/ClientConfig.java @@ -0,0 +1,189 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2012 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- + +package com.netscape.certsrv.client; + +import java.io.StringReader; +import java.io.StringWriter; +import java.net.URI; +import java.net.URISyntaxException; + +import javax.xml.bind.JAXBContext; +import javax.xml.bind.Marshaller; +import javax.xml.bind.Unmarshaller; +import javax.xml.bind.annotation.XmlElement; +import javax.xml.bind.annotation.XmlRootElement; + +/** + * @author Endi S. Dewata + */ +@XmlRootElement(name="Client") +public class ClientConfig { + + public static Marshaller marshaller; + public static Unmarshaller unmarshaller; + + static { + try { + marshaller = JAXBContext.newInstance(ClientConfig.class).createMarshaller(); + marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true); + unmarshaller = JAXBContext.newInstance(ClientConfig.class).createUnmarshaller(); + } catch (Exception e) { + e.printStackTrace(); + } + } + + URI serverURI; + + String certDatabase; + String certNickname; + String username; + String password; + + @XmlElement(name="ServerURI") + public URI getServerURI() { + return serverURI; + } + + public void setServerURI(String serverUri) throws URISyntaxException { + this.serverURI = new URI(serverUri); + } + + public void setServerURI(URI serverUri) { + this.serverURI = serverUri; + } + + @XmlElement(name="CertDatabase") + public String getCertDatabase() { + return certDatabase; + } + + public void setCertDatabase(String certDatabase) { + this.certDatabase = certDatabase; + } + + @XmlElement(name="CertNickname") + public String getCertNickname() { + return certNickname; + } + + public void setCertNickname(String certNickname) { + this.certNickname = certNickname; + } + + @XmlElement(name="Username") + public String getUsername() { + return username; + } + + public void setUsername(String username) { + this.username = username; + } + + @XmlElement(name="Password") + public String getPassword() { + return password; + } + + public void setPassword(String password) { + this.password = password; + } + + @Override + public int hashCode() { + final int prime = 31; + int result = 1; + result = prime * result + ((certDatabase == null) ? 0 : certDatabase.hashCode()); + result = prime * result + ((certNickname == null) ? 0 : certNickname.hashCode()); + result = prime * result + ((password == null) ? 0 : password.hashCode()); + result = prime * result + ((serverURI == null) ? 0 : serverURI.hashCode()); + result = prime * result + ((username == null) ? 0 : username.hashCode()); + return result; + } + + @Override + public boolean equals(Object obj) { + if (this == obj) + return true; + if (obj == null) + return false; + if (getClass() != obj.getClass()) + return false; + ClientConfig other = (ClientConfig) obj; + if (certDatabase == null) { + if (other.certDatabase != null) + return false; + } else if (!certDatabase.equals(other.certDatabase)) + return false; + if (certNickname == null) { + if (other.certNickname != null) + return false; + } else if (!certNickname.equals(other.certNickname)) + return false; + if (password == null) { + if (other.password != null) + return false; + } else if (!password.equals(other.password)) + return false; + if (serverURI == null) { + if (other.serverURI != null) + return false; + } else if (!serverURI.equals(other.serverURI)) + return false; + if (username == null) { + if (other.username != null) + return false; + } else if (!username.equals(other.username)) + return false; + return true; + } + + public String toString() { + try { + StringWriter sw = new StringWriter(); + marshaller.marshal(this, sw); + return sw.toString(); + + } catch (Exception e) { + return super.toString(); + } + } + + public static ClientConfig valueOf(String string) throws Exception { + try { + return (ClientConfig)unmarshaller.unmarshal(new StringReader(string)); + } catch (Exception e) { + return null; + } + } + + public static void main(String args[]) throws Exception { + + ClientConfig before = new ClientConfig(); + before.setServerURI("http://localhost:9180/ca"); + before.setCertDatabase("certs"); + before.setCertNickname("caadmin"); + before.setPassword("12345"); + + String string = before.toString(); + System.out.println(string); + + ClientConfig after = ClientConfig.valueOf(string); + System.out.println(before.equals(after)); + } +} diff --git a/base/common/src/com/netscape/certsrv/client/PKIClient.java b/base/common/src/com/netscape/certsrv/client/PKIClient.java new file mode 100644 index 000000000..5127c052d --- /dev/null +++ b/base/common/src/com/netscape/certsrv/client/PKIClient.java @@ -0,0 +1,304 @@ +package com.netscape.certsrv.client; + +import java.io.File; +import java.io.IOException; +import java.net.InetAddress; +import java.net.InetSocketAddress; +import java.net.Socket; +import java.net.URI; +import java.net.URISyntaxException; +import java.net.UnknownHostException; +import java.util.ArrayList; +import java.util.Enumeration; +import java.util.List; + +import org.apache.commons.httpclient.ConnectTimeoutException; +import org.apache.http.Header; +import org.apache.http.HttpEntityEnclosingRequest; +import org.apache.http.HttpException; +import org.apache.http.HttpRequest; +import org.apache.http.HttpRequestInterceptor; +import org.apache.http.HttpResponse; +import org.apache.http.HttpResponseInterceptor; +import org.apache.http.ProtocolException; +import org.apache.http.auth.AuthScope; +import org.apache.http.auth.UsernamePasswordCredentials; +import org.apache.http.auth.params.AuthPNames; +import org.apache.http.client.methods.HttpUriRequest; +import org.apache.http.client.params.AuthPolicy; +import org.apache.http.client.params.HttpClientParams; +import org.apache.http.conn.scheme.LayeredSchemeSocketFactory; +import org.apache.http.conn.scheme.Scheme; +import org.apache.http.conn.scheme.SchemeSocketFactory; +import org.apache.http.impl.client.ClientParamsStack; +import org.apache.http.impl.client.DefaultHttpClient; +import org.apache.http.impl.client.DefaultRedirectStrategy; +import org.apache.http.impl.client.EntityEnclosingRequestWrapper; +import org.apache.http.impl.client.RequestWrapper; +import org.apache.http.params.HttpParams; +import org.apache.http.protocol.HttpContext; +import org.jboss.resteasy.client.ClientExecutor; +import org.jboss.resteasy.client.ClientResponse; +import org.jboss.resteasy.client.ClientResponseFailure; +import org.jboss.resteasy.client.ProxyFactory; +import org.jboss.resteasy.client.core.BaseClientResponse; +import org.jboss.resteasy.client.core.executors.ApacheHttpClient4Executor; +import org.jboss.resteasy.client.core.extractors.ClientErrorHandler; +import org.jboss.resteasy.spi.ResteasyProviderFactory; +import org.mozilla.jss.CryptoManager; +import org.mozilla.jss.crypto.AlreadyInitializedException; +import org.mozilla.jss.ssl.SSLCertificateApprovalCallback; +import org.mozilla.jss.ssl.SSLSocket; + + +public abstract class PKIClient { + + protected boolean verbose; + + protected ClientConfig config; + + protected ResteasyProviderFactory providerFactory; + protected ClientErrorHandler errorHandler; + protected ClientExecutor executor; + + public PKIClient(ClientConfig config) { + this.config = config; + + DefaultHttpClient httpClient = new DefaultHttpClient(); + + // Register https scheme. + Scheme scheme = new Scheme("https", 443, new JSSProtocolSocketFactory()); + httpClient.getConnectionManager().getSchemeRegistry().register(scheme); + + if (config.getUsername() != null && config.getPassword() != null) { + List authPref = new ArrayList(); + authPref.add(AuthPolicy.BASIC); + httpClient.getParams().setParameter(AuthPNames.PROXY_AUTH_PREF, authPref); + + httpClient.getCredentialsProvider().setCredentials( + AuthScope.ANY, + new UsernamePasswordCredentials(config.getUsername(), config.getPassword())); + } + + httpClient.addRequestInterceptor(new HttpRequestInterceptor() { + @Override + public void process(HttpRequest request, HttpContext context) throws HttpException, IOException { + if (verbose) { + System.out.println("HTTP request: "+request.getRequestLine()); + for (Header header : request.getAllHeaders()) { + System.out.println(" "+header.getName()+": "+header.getValue()); + } + } + + // Set the request parameter to follow redirections. + HttpParams params = request.getParams(); + if (params instanceof ClientParamsStack) { + ClientParamsStack paramsStack = (ClientParamsStack)request.getParams(); + params = paramsStack.getRequestParams(); + } + HttpClientParams.setRedirecting(params, true); + } + }); + + httpClient.addResponseInterceptor(new HttpResponseInterceptor() { + @Override + public void process(HttpResponse response, HttpContext context) throws HttpException, IOException { + if (verbose) { + System.out.println("HTTP response: "+response.getStatusLine()); + for (Header header : response.getAllHeaders()) { + System.out.println(" "+header.getName()+": "+header.getValue()); + } + } + } + }); + + httpClient.setRedirectStrategy(new DefaultRedirectStrategy() { + @Override + public HttpUriRequest getRedirect(HttpRequest request, HttpResponse response, HttpContext context) + throws ProtocolException { + + HttpUriRequest uriRequest = super.getRedirect(request, response, context); + + URI uri = uriRequest.getURI(); + if (verbose) System.out.println("HTTP redirect: "+uri); + + // Redirect the original request to the new URI. + RequestWrapper wrapper; + if (request instanceof HttpEntityEnclosingRequest) { + wrapper = new EntityEnclosingRequestWrapper((HttpEntityEnclosingRequest)request); + } else { + wrapper = new RequestWrapper(request); + } + wrapper.setURI(uri); + + return wrapper; + } + + @Override + public boolean isRedirected(HttpRequest request, HttpResponse response, HttpContext context) + throws ProtocolException { + + // The default redirection policy does not redirect POST or PUT. + // This overrides the policy to follow redirections for all HTTP methods. + return response.getStatusLine().getStatusCode() == 302; + } + }); + + executor = new ApacheHttpClient4Executor(httpClient); + providerFactory = ResteasyProviderFactory.getInstance(); + providerFactory.addClientErrorInterceptor(new PKIErrorInterceptor()); + errorHandler = new ClientErrorHandler(providerFactory.getClientErrorInterceptors()); + } + + private class ServerCertApprovalCB implements SSLCertificateApprovalCallback { + + // Callback to approve or deny returned SSL server cert. + // Right now, simply approve the cert. + public boolean approve(org.mozilla.jss.crypto.X509Certificate serverCert, + SSLCertificateApprovalCallback.ValidityStatus status) { + + if (verbose) System.out.println("Server certificate: "+serverCert.getSubjectDN()); + + SSLCertificateApprovalCallback.ValidityItem item; + + Enumeration errors = status.getReasons(); + while (errors.hasMoreElements()) { + item = (SSLCertificateApprovalCallback.ValidityItem) errors.nextElement(); + int reason = item.getReason(); + + if (reason == SSLCertificateApprovalCallback.ValidityStatus.UNTRUSTED_ISSUER || + reason == SSLCertificateApprovalCallback.ValidityStatus.BAD_CERT_DOMAIN) { + + // Allow these two since we haven't installed the CA cert for trust. + + return true; + + } + } + + // For other errors return false. + + return false; + } + } + + private class JSSProtocolSocketFactory implements SchemeSocketFactory, LayeredSchemeSocketFactory { + + @Override + public Socket createSocket(HttpParams params) throws IOException { + return null; + } + + @Override + public Socket connectSocket(Socket sock, + InetSocketAddress remoteAddress, + InetSocketAddress localAddress, + HttpParams params) + throws IOException, + UnknownHostException, + ConnectTimeoutException { + + // Initialize JSS before using SSLSocket, + // otherwise it will throw UnsatisfiedLinkError. + if (config.getCertDatabase() == null) { + try { + // No database specified, use $HOME/.pki/nssdb. + File homeDir = new File(System.getProperty("user.home")); + File pkiDir = new File(homeDir, ".pki"); + File nssdbDir = new File(pkiDir, "nssdb"); + nssdbDir.mkdirs(); + + CryptoManager.initialize(nssdbDir.getAbsolutePath()); + + } catch (AlreadyInitializedException e) { + // ignore + + } catch (Exception e) { + throw new Error(e); + } + + } else { + // Database specified, already initialized by the main program. + } + + String hostName = null; + int port = 0; + if (remoteAddress != null) { + hostName = remoteAddress.getHostName(); + port = remoteAddress.getPort(); + } + + int localPort = 0; + InetAddress localAddr = null; + + if (localAddress != null) { + localPort = localAddress.getPort(); + localAddr = localAddress.getAddress(); + } + + SSLSocket socket; + if (sock == null) { + socket = new SSLSocket(InetAddress.getByName(hostName), + port, + localAddr, + localPort, + new ServerCertApprovalCB(), + null); + + } else { + socket = new SSLSocket(sock, hostName, new ServerCertApprovalCB(), null); + } + + String certNickname = config.getCertNickname(); + if (certNickname != null) { + if (verbose) System.out.println("Client certificate: "+certNickname); + socket.setClientCertNickname(certNickname); + } + + return socket; + } + + @Override + public boolean isSecure(Socket sock) { + // We only use this factory in the case of SSL Connections. + return true; + } + + @Override + public Socket createLayeredSocket(Socket socket, String target, int port, boolean autoClose) + throws IOException, UnknownHostException { + // This method implementation is required to get SSL working. + return null; + } + + } + + public T createProxy(Class clazz) throws URISyntaxException { + URI uri = new URI(config.getServerURI()+"/rest"); + return ProxyFactory.create(clazz, uri, executor, providerFactory); + } + + @SuppressWarnings("unchecked") + public T getEntity(ClientResponse response) { + BaseClientResponse clientResponse = (BaseClientResponse)response; + try { + clientResponse.checkFailureStatus(); + + } catch (ClientResponseFailure e) { + errorHandler.clientErrorHandling((BaseClientResponse) e.getResponse(), e); + + } catch (RuntimeException e) { + errorHandler.clientErrorHandling(clientResponse, e); + } + + return response.getEntity(); + } + + public boolean isVerbose() { + return verbose; + } + + public void setVerbose(boolean verbose) { + this.verbose = verbose; + } +} diff --git a/base/common/src/com/netscape/certsrv/client/PKIErrorInterceptor.java b/base/common/src/com/netscape/certsrv/client/PKIErrorInterceptor.java new file mode 100644 index 000000000..7d29b9fd9 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/client/PKIErrorInterceptor.java @@ -0,0 +1,62 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.client; + +import javax.ws.rs.core.MediaType; +import javax.ws.rs.core.MultivaluedMap; + +import org.jboss.resteasy.client.ClientResponse; +import org.jboss.resteasy.client.core.ClientErrorInterceptor; + +import com.netscape.certsrv.base.PKIException; + +public class PKIErrorInterceptor implements ClientErrorInterceptor { + + public void handle(ClientResponse response) { + + // handle HTTP code 4xx and 5xx + int code = response.getResponseStatus().getStatusCode(); + if (code < 400) + return; + + MultivaluedMap headers = response.getHeaders(); + String contentType = headers.getFirst("Content-Type"); + + // handle XML content only + if (contentType == null || !contentType.startsWith(MediaType.APPLICATION_XML)) + return; + + PKIException exception; + + try { + // Requires RESTEasy 2.3.2 + // https://issues.jboss.org/browse/RESTEASY-652 + PKIException.Data data = response.getEntity(PKIException.Data.class); + + Class clazz = Class.forName(data.className); + exception = (PKIException) clazz.getConstructor(PKIException.Data.class).newInstance(data); + + } catch (Exception e) { + e.printStackTrace(); + return; + } + + throw exception; + } + +} -- cgit