Secure TCF: implemented certificate based authentication

4 files changed, 174 insertions, 0 deletions

diff --git a/plugins/org.eclipse.tm.tcf/META-INF/MANIFEST.MF b/plugins/org.eclipse.tm.tcf/META-INF/MANIFEST.MF
index 9111f93ff..95068868b 100644
--- a/plugins/org.eclipse.tm.tcf/META-INF/MANIFEST.MF
+++ b/plugins/org.eclipse.tm.tcf/META-INF/MANIFEST.MF
@@ -10,3 +10,4 @@ Bundle-RequiredExecutionEnvironment: J2SE-1.5
 Bundle-ActivationPolicy: lazy
 Eclipse-LazyStart: true
 Eclipse-ExtensibleAPI: true
+Export-Package: org.eclipse.tm.tcf.ssl;version="0.2.0"
diff --git a/plugins/org.eclipse.tm.tcf/src/org/eclipse/tm/tcf/Activator.java b/plugins/org.eclipse.tm.tcf/src/org/eclipse/tm/tcf/Activator.java
index 87fc9aef4..af00e7c60 100644
--- a/plugins/org.eclipse.tm.tcf/src/org/eclipse/tm/tcf/Activator.java
+++ b/plugins/org.eclipse.tm.tcf/src/org/eclipse/tm/tcf/Activator.java
@@ -17,8 +17,10 @@ import org.eclipse.core.runtime.IStatus;
 import org.eclipse.core.runtime.Platform;
 import org.eclipse.core.runtime.Plugin;
 import org.eclipse.core.runtime.Status;
+import org.eclipse.tm.tcf.core.ChannelTCP;
 import org.eclipse.tm.tcf.protocol.ILogger;
 import org.eclipse.tm.tcf.protocol.Protocol;
+import org.eclipse.tm.tcf.ssl.TCFSecurityManager;
 import org.osgi.framework.Bundle;
 import org.osgi.framework.BundleContext;
 import org.osgi.framework.BundleEvent;
@@ -50,10 +52,20 @@ public class Activator extends Plugin {
         plugin = this;
     }
 
+    /**
+     * Returns the shared instance
+     *
+     * @return the shared instance
+     */
+    public static Activator getDefault() {
+        return plugin;
+    }
+
     @Override
     public void start(BundleContext context) throws Exception {
         super.start(context);
         debug = Platform.inDebugMode();
+        ChannelTCP.setSSLContext(TCFSecurityManager.createSSLContext());
         Protocol.setLogger(new ILogger() {
 
             public void log(String msg, Throwable x) {
diff --git a/plugins/org.eclipse.tm.tcf/src/org/eclipse/tm/tcf/ssl/TCFSecurityManager.java b/plugins/org.eclipse.tm.tcf/src/org/eclipse/tm/tcf/ssl/TCFSecurityManager.java
new file mode 100644
index 000000000..5003fbee3
--- /dev/null
+++ b/plugins/org.eclipse.tm.tcf/src/org/eclipse/tm/tcf/ssl/TCFSecurityManager.java
@@ -0,0 +1,161 @@
+/*******************************************************************************
+ * Copyright (c) 2009 Wind River Systems, Inc. and others.
+ * All rights reserved. This program and the accompanying materials 
+ * are made available under the terms of the Eclipse Public License v1.0 
+ * which accompanies this distribution, and is available at 
+ * http://www.eclipse.org/legal/epl-v10.html 
+ *  
+ * Contributors:
+ *     Wind River Systems - initial API and implementation
+ *******************************************************************************/
+package org.eclipse.tm.tcf.ssl;
+
+import java.io.BufferedInputStream;
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.net.Socket;
+import java.security.KeyFactory;
+import java.security.Principal;
+import java.security.PrivateKey;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.util.ArrayList;
+
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509ExtendedKeyManager;
+import javax.net.ssl.X509TrustManager;
+
+import org.eclipse.tm.tcf.Activator;
+import org.eclipse.tm.tcf.core.Base64;
+import org.eclipse.tm.tcf.protocol.Protocol;
+
+
+/**
+ * This class implements keys and certificates management for secure TCF channels.   
+ */
+public class TCFSecurityManager {
+    
+    public static File getCertificatesDirectory() {
+        File certs = Activator.getDefault().getStateLocation().append("certificates").toFile();
+        if (!certs.exists()) certs.mkdirs();
+        return certs;
+    }
+
+    public static SSLContext createSSLContext() {
+        try {
+            final File certs = getCertificatesDirectory();
+            if (!certs.exists()) certs.mkdirs();
+            final CertificateFactory cf = CertificateFactory.getInstance("X.509");
+            SSLContext context = SSLContext.getInstance("TLS");
+            
+            X509ExtendedKeyManager km = new X509ExtendedKeyManager() {
+
+                public X509Certificate[] getCertificateChain(String alias) {
+                    File f = new File(certs, "Local.cert");
+                    try {
+                        InputStream inp = new BufferedInputStream(new FileInputStream(f));
+                        X509Certificate cert = (X509Certificate)cf.generateCertificate(inp);
+                        inp.close();
+                        return new X509Certificate[] { cert };
+                    }
+                    catch (Exception x) {
+                        Protocol.log("Cannot read certificate: " + f, x);
+                        return null;
+                    }
+                }
+                
+                public PrivateKey getPrivateKey(String alias) {
+                    File f = new File(certs, "Local.priv");
+                    try {
+                        BufferedReader r = new BufferedReader(new InputStreamReader(new FileInputStream(f), "ASCII"));
+                        StringBuffer bf = new StringBuffer();
+                        boolean app = false;
+                        for (;;) {
+                            String s = r.readLine();
+                            if (s == null) new Exception("Invalid format");
+                            else if (s.indexOf("-----BEGIN ") == 0) app = true;
+                            else if (s.indexOf("-----END ") == 0) break;
+                            else if (app) bf.append(s); 
+                        }
+                        r.close();
+                        KeyFactory kf = KeyFactory.getInstance("RSA");
+                        byte[] bytes = Base64.toByteArray(bf.toString().toCharArray());
+                        return kf.generatePrivate(new PKCS8EncodedKeySpec(bytes));
+                    }
+                    catch (Exception x) {
+                        Protocol.log("Cannot read private key: " + f, x);
+                        return null;
+                    }
+                }
+                
+                public String[] getClientAliases(String keyType, Principal[] issuers) {
+                    return new String[] { "TCF" };
+                }
+                
+                public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
+                    return "TCF";
+                }
+                
+                public String[] getServerAliases(String keyType, Principal[] issuers) {
+                    return new String[] { "TCF" };
+                }
+                
+                public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
+                    return "TCF";
+                }
+            };
+            
+            X509TrustManager tm = new X509TrustManager() {
+                
+                public void checkClientTrusted(X509Certificate[] chain, String auth_type) throws CertificateException {
+                    if ("RSA".equals(auth_type) && chain != null && chain.length == 1) {
+                        for (X509Certificate cert : getAcceptedIssuers()) {
+                            if (cert.equals(chain[0])) return;
+                        }
+                    }
+                    throw new CertificateException("Client certificate validation failed");
+                }
+                
+                public void checkServerTrusted(X509Certificate[] chain, String auth_type) throws CertificateException {
+                    if ("RSA".equals(auth_type) && chain != null && chain.length == 1) {
+                        for (X509Certificate cert : getAcceptedIssuers()) {
+                            if (cert.equals(chain[0])) return;
+                        }
+                    }
+                    throw new CertificateException("Server certificate validation failed");
+                }
+                
+                public X509Certificate[] getAcceptedIssuers() {
+                    ArrayList<X509Certificate> list = new ArrayList<X509Certificate>();
+                    for (String fnm : certs.list()) {
+                        if (!fnm.endsWith(".cert")) continue;
+                        try {
+                            InputStream inp = new BufferedInputStream(new FileInputStream(new File(certs, fnm)));
+                            X509Certificate cert = (X509Certificate)cf.generateCertificate(inp);
+                            inp.close();
+                            list.add(cert);
+                        }
+                        catch (Throwable x) {
+                            Protocol.log("Cannot load certificate: " + fnm, x);
+                        }
+                    }
+                    return list.toArray(new X509Certificate[list.size()]);
+                }
+            };
+            
+            context.init(new KeyManager[] { km }, new TrustManager[] { tm }, null);
+            return context;
+        }
+        catch (Throwable x) {
+            Protocol.log("Cannot initialize SSL context", x);
+            return null;
+        }
+    }
+}
diff --git a/plugins/org.eclipse.tm.tcf/tcf.jar b/plugins/org.eclipse.tm.tcf/tcf.jar
index 16d6feb42..b283332b0 100644
--- a/plugins/org.eclipse.tm.tcf/tcf.jar
+++ b/plugins/org.eclipse.tm.tcf/tcf.jar