diff options
author | eutarass | 2009-05-27 17:17:41 +0000 |
---|---|---|
committer | eutarass | 2009-05-27 17:17:41 +0000 |
commit | f77572bc3acfdda3121c288f7f0660d22c2589fe (patch) | |
tree | 579e7f2fd1e2457535018d3fc02786e33c41d828 /plugins/org.eclipse.tm.tcf | |
parent | 6fe22546a998c07bd789881de4397a4dadf4c098 (diff) | |
download | org.eclipse.tcf-f77572bc3acfdda3121c288f7f0660d22c2589fe.tar.gz org.eclipse.tcf-f77572bc3acfdda3121c288f7f0660d22c2589fe.tar.xz org.eclipse.tcf-f77572bc3acfdda3121c288f7f0660d22c2589fe.zip |
Secure TCF: implemented certificate based authentication
Diffstat (limited to 'plugins/org.eclipse.tm.tcf')
-rw-r--r-- | plugins/org.eclipse.tm.tcf/META-INF/MANIFEST.MF | 1 | ||||
-rw-r--r-- | plugins/org.eclipse.tm.tcf/src/org/eclipse/tm/tcf/Activator.java | 12 | ||||
-rw-r--r-- | plugins/org.eclipse.tm.tcf/src/org/eclipse/tm/tcf/ssl/TCFSecurityManager.java | 161 | ||||
-rw-r--r-- | plugins/org.eclipse.tm.tcf/tcf.jar | bin | 378097 -> 388017 bytes |
4 files changed, 174 insertions, 0 deletions
diff --git a/plugins/org.eclipse.tm.tcf/META-INF/MANIFEST.MF b/plugins/org.eclipse.tm.tcf/META-INF/MANIFEST.MF index 9111f93ff..95068868b 100644 --- a/plugins/org.eclipse.tm.tcf/META-INF/MANIFEST.MF +++ b/plugins/org.eclipse.tm.tcf/META-INF/MANIFEST.MF @@ -10,3 +10,4 @@ Bundle-RequiredExecutionEnvironment: J2SE-1.5 Bundle-ActivationPolicy: lazy Eclipse-LazyStart: true Eclipse-ExtensibleAPI: true +Export-Package: org.eclipse.tm.tcf.ssl;version="0.2.0" diff --git a/plugins/org.eclipse.tm.tcf/src/org/eclipse/tm/tcf/Activator.java b/plugins/org.eclipse.tm.tcf/src/org/eclipse/tm/tcf/Activator.java index 87fc9aef4..af00e7c60 100644 --- a/plugins/org.eclipse.tm.tcf/src/org/eclipse/tm/tcf/Activator.java +++ b/plugins/org.eclipse.tm.tcf/src/org/eclipse/tm/tcf/Activator.java @@ -17,8 +17,10 @@ import org.eclipse.core.runtime.IStatus; import org.eclipse.core.runtime.Platform; import org.eclipse.core.runtime.Plugin; import org.eclipse.core.runtime.Status; +import org.eclipse.tm.tcf.core.ChannelTCP; import org.eclipse.tm.tcf.protocol.ILogger; import org.eclipse.tm.tcf.protocol.Protocol; +import org.eclipse.tm.tcf.ssl.TCFSecurityManager; import org.osgi.framework.Bundle; import org.osgi.framework.BundleContext; import org.osgi.framework.BundleEvent; @@ -50,10 +52,20 @@ public class Activator extends Plugin { plugin = this; } + /** + * Returns the shared instance + * + * @return the shared instance + */ + public static Activator getDefault() { + return plugin; + } + @Override public void start(BundleContext context) throws Exception { super.start(context); debug = Platform.inDebugMode(); + ChannelTCP.setSSLContext(TCFSecurityManager.createSSLContext()); Protocol.setLogger(new ILogger() { public void log(String msg, Throwable x) { diff --git a/plugins/org.eclipse.tm.tcf/src/org/eclipse/tm/tcf/ssl/TCFSecurityManager.java b/plugins/org.eclipse.tm.tcf/src/org/eclipse/tm/tcf/ssl/TCFSecurityManager.java new file mode 100644 index 000000000..5003fbee3 --- /dev/null +++ b/plugins/org.eclipse.tm.tcf/src/org/eclipse/tm/tcf/ssl/TCFSecurityManager.java @@ -0,0 +1,161 @@ +/******************************************************************************* + * Copyright (c) 2009 Wind River Systems, Inc. and others. + * All rights reserved. This program and the accompanying materials + * are made available under the terms of the Eclipse Public License v1.0 + * which accompanies this distribution, and is available at + * http://www.eclipse.org/legal/epl-v10.html + * + * Contributors: + * Wind River Systems - initial API and implementation + *******************************************************************************/ +package org.eclipse.tm.tcf.ssl; + +import java.io.BufferedInputStream; +import java.io.BufferedReader; +import java.io.File; +import java.io.FileInputStream; +import java.io.InputStream; +import java.io.InputStreamReader; +import java.net.Socket; +import java.security.KeyFactory; +import java.security.Principal; +import java.security.PrivateKey; +import java.security.cert.CertificateException; +import java.security.cert.CertificateFactory; +import java.security.cert.X509Certificate; +import java.security.spec.PKCS8EncodedKeySpec; +import java.util.ArrayList; + +import javax.net.ssl.KeyManager; +import javax.net.ssl.SSLContext; +import javax.net.ssl.TrustManager; +import javax.net.ssl.X509ExtendedKeyManager; +import javax.net.ssl.X509TrustManager; + +import org.eclipse.tm.tcf.Activator; +import org.eclipse.tm.tcf.core.Base64; +import org.eclipse.tm.tcf.protocol.Protocol; + + +/** + * This class implements keys and certificates management for secure TCF channels. + */ +public class TCFSecurityManager { + + public static File getCertificatesDirectory() { + File certs = Activator.getDefault().getStateLocation().append("certificates").toFile(); + if (!certs.exists()) certs.mkdirs(); + return certs; + } + + public static SSLContext createSSLContext() { + try { + final File certs = getCertificatesDirectory(); + if (!certs.exists()) certs.mkdirs(); + final CertificateFactory cf = CertificateFactory.getInstance("X.509"); + SSLContext context = SSLContext.getInstance("TLS"); + + X509ExtendedKeyManager km = new X509ExtendedKeyManager() { + + public X509Certificate[] getCertificateChain(String alias) { + File f = new File(certs, "Local.cert"); + try { + InputStream inp = new BufferedInputStream(new FileInputStream(f)); + X509Certificate cert = (X509Certificate)cf.generateCertificate(inp); + inp.close(); + return new X509Certificate[] { cert }; + } + catch (Exception x) { + Protocol.log("Cannot read certificate: " + f, x); + return null; + } + } + + public PrivateKey getPrivateKey(String alias) { + File f = new File(certs, "Local.priv"); + try { + BufferedReader r = new BufferedReader(new InputStreamReader(new FileInputStream(f), "ASCII")); + StringBuffer bf = new StringBuffer(); + boolean app = false; + for (;;) { + String s = r.readLine(); + if (s == null) new Exception("Invalid format"); + else if (s.indexOf("-----BEGIN ") == 0) app = true; + else if (s.indexOf("-----END ") == 0) break; + else if (app) bf.append(s); + } + r.close(); + KeyFactory kf = KeyFactory.getInstance("RSA"); + byte[] bytes = Base64.toByteArray(bf.toString().toCharArray()); + return kf.generatePrivate(new PKCS8EncodedKeySpec(bytes)); + } + catch (Exception x) { + Protocol.log("Cannot read private key: " + f, x); + return null; + } + } + + public String[] getClientAliases(String keyType, Principal[] issuers) { + return new String[] { "TCF" }; + } + + public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) { + return "TCF"; + } + + public String[] getServerAliases(String keyType, Principal[] issuers) { + return new String[] { "TCF" }; + } + + public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { + return "TCF"; + } + }; + + X509TrustManager tm = new X509TrustManager() { + + public void checkClientTrusted(X509Certificate[] chain, String auth_type) throws CertificateException { + if ("RSA".equals(auth_type) && chain != null && chain.length == 1) { + for (X509Certificate cert : getAcceptedIssuers()) { + if (cert.equals(chain[0])) return; + } + } + throw new CertificateException("Client certificate validation failed"); + } + + public void checkServerTrusted(X509Certificate[] chain, String auth_type) throws CertificateException { + if ("RSA".equals(auth_type) && chain != null && chain.length == 1) { + for (X509Certificate cert : getAcceptedIssuers()) { + if (cert.equals(chain[0])) return; + } + } + throw new CertificateException("Server certificate validation failed"); + } + + public X509Certificate[] getAcceptedIssuers() { + ArrayList<X509Certificate> list = new ArrayList<X509Certificate>(); + for (String fnm : certs.list()) { + if (!fnm.endsWith(".cert")) continue; + try { + InputStream inp = new BufferedInputStream(new FileInputStream(new File(certs, fnm))); + X509Certificate cert = (X509Certificate)cf.generateCertificate(inp); + inp.close(); + list.add(cert); + } + catch (Throwable x) { + Protocol.log("Cannot load certificate: " + fnm, x); + } + } + return list.toArray(new X509Certificate[list.size()]); + } + }; + + context.init(new KeyManager[] { km }, new TrustManager[] { tm }, null); + return context; + } + catch (Throwable x) { + Protocol.log("Cannot initialize SSL context", x); + return null; + } + } +} diff --git a/plugins/org.eclipse.tm.tcf/tcf.jar b/plugins/org.eclipse.tm.tcf/tcf.jar Binary files differindex 16d6feb42..b283332b0 100644 --- a/plugins/org.eclipse.tm.tcf/tcf.jar +++ b/plugins/org.eclipse.tm.tcf/tcf.jar |