1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
|
package com.netscape.cms.servlet.csadmin;
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.Enumeration;
import org.apache.commons.httpclient.ConnectTimeoutException;
import org.apache.http.client.HttpClient;
import org.apache.http.conn.scheme.LayeredSchemeSocketFactory;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.params.HttpParams;
import org.jboss.resteasy.client.ClientExecutor;
import org.jboss.resteasy.client.ProxyFactory;
import org.jboss.resteasy.client.core.executors.ApacheHttpClient4Executor;
import org.jboss.resteasy.spi.ResteasyProviderFactory;
import org.mozilla.jss.ssl.SSLCertificateApprovalCallback;
import org.mozilla.jss.ssl.SSLSocket;
public abstract class CMSRestClient {
protected String clientCertNickname;
protected ResteasyProviderFactory providerFactory;
protected ClientExecutor executor;
protected URI uri;
public CMSRestClient(String baseUri) throws URISyntaxException {
this(baseUri, null);
}
// Callback to approve or deny returned SSL server certs
// Right now, simply approve the cert.
// ToDO: Look into taking this JSS http client code and move it into
// its own class to be used by possible future clients.
public CMSRestClient(String baseUri, String clientCertNick) throws URISyntaxException {
clientCertNickname = clientCertNick;
uri = new URI(baseUri);
String protocol = uri.getScheme();
int port = uri.getPort();
HttpClient httpclient = new DefaultHttpClient();
if (protocol != null && protocol.equals("https")) {
Scheme scheme = new Scheme("https", port, new JSSProtocolSocketFactory());
httpclient.getConnectionManager().getSchemeRegistry().register(scheme);
}
executor = new ApacheHttpClient4Executor(httpclient);
providerFactory = ResteasyProviderFactory.getInstance();
providerFactory.addClientErrorInterceptor(new CMSErrorInterceptor());
}
private class ServerCertApprovalCB implements SSLCertificateApprovalCallback {
public boolean approve(org.mozilla.jss.crypto.X509Certificate servercert,
SSLCertificateApprovalCallback.ValidityStatus status) {
//For now lets just accept the server cert. This is a test tool, being
// pointed at a well know kra instance.
SSLCertificateApprovalCallback.ValidityItem item;
Enumeration<?> errors = status.getReasons();
while (errors.hasMoreElements()) {
item = (SSLCertificateApprovalCallback.ValidityItem) errors.nextElement();
int reason = item.getReason();
if (reason ==
SSLCertificateApprovalCallback.ValidityStatus.UNTRUSTED_ISSUER ||
reason == SSLCertificateApprovalCallback.ValidityStatus.BAD_CERT_DOMAIN) {
//Allow these two since we haven't necessarily installed the CA cert for trust
// and we are choosing "localhost" as the host for this client.
return true;
}
}
//For other errors return false
return false;
}
}
private class JSSProtocolSocketFactory implements SchemeSocketFactory, LayeredSchemeSocketFactory {
@Override
public Socket createSocket(HttpParams params)
throws IOException {
return null;
}
@Override
public Socket connectSocket(Socket sock,
InetSocketAddress remoteAddress,
InetSocketAddress localAddress,
HttpParams params)
throws IOException,
UnknownHostException,
ConnectTimeoutException {
SSLSocket socket;
String hostName = null;
int port = 0;
if (remoteAddress != null) {
hostName = remoteAddress.getHostName();
port = remoteAddress.getPort();
}
int localPort = 0;
InetAddress localAddr = null;
if (localAddress != null) {
localPort = localAddress.getPort();
localAddr = localAddress.getAddress();
}
if (sock == null) {
socket = new SSLSocket(InetAddress.getByName(hostName),
port,
localAddr,
localPort,
new ServerCertApprovalCB(),
null);
} else {
socket = new SSLSocket(sock, hostName, new ServerCertApprovalCB(), null);
}
if (socket != null && clientCertNickname != null) {
socket.setClientCertNickname(clientCertNickname);
}
return socket;
}
@Override
public boolean isSecure(Socket sock) {
//We only use this factory in the case of SSL Connections
return true;
}
@Override
public Socket createLayeredSocket(Socket arg0, String arg1, int arg2, boolean arg3) throws IOException,
UnknownHostException {
//This method implementation is required to get SSL working.
return null;
}
}
public <T> T createProxy(Class<T> clazz) {
return ProxyFactory.create(clazz, uri, executor, providerFactory);
}
}
|
