contrib/ssl/StrictSSLProtocolSocketFactory.java

/*
 * $HeadURL$
 * $Revision$
 * $Date$
 *
 * ====================================================================
 *
 *  Licensed to the Apache Software Foundation (ASF) under one or more
 *  contributor license agreements.  See the NOTICE file distributed with
 *  this work for additional information regarding copyright ownership.
 *  The ASF licenses this file to You under the Apache License, Version 2.0
 *  (the "License"); you may not use this file except in compliance with
 *  the License.  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS,
 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 * ====================================================================
 *
 * This software consists of voluntary contributions made by many
 * individuals on behalf of the Apache Software Foundation.  For more
 * information on the Apache Software Foundation, please see
 * <http://www.apache.org/>.
 *
 * [Additional notices, if required by prior licensing conditions]
 *
 * Alternatively, the contents of this file may be used under the
 * terms of the GNU Lesser General Public License Version 2 or later
 * (the "LGPL"), in which case the provisions of the LGPL are 
 * applicable instead of those above.  See terms of LGPL at
 * <http://www.gnu.org/copyleft/lesser.txt>.
 * If you wish to allow use of your version of this file only under 
 * the terms of the LGPL and not to allow others to use your version
 * of this file under the Apache Software License, indicate your 
 * decision by deleting the provisions above and replace them with 
 * the notice and other provisions required by the LGPL.  If you do 
 * not delete the provisions above, a recipient may use your version 
 * of this file under either the Apache Software License or the LGPL.
 */

package org.apache.commons.httpclient.contrib.ssl;

import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.SocketAddress;
import java.net.UnknownHostException;

import javax.net.SocketFactory;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.security.cert.X509Certificate;

import org.apache.commons.httpclient.ConnectTimeoutException;
import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/**
 * A <code>SecureProtocolSocketFactory</code> that uses JSSE to create
 * SSL sockets.  It will also support host name verification to help preventing
 * man-in-the-middle attacks.  Host name verification is turned <b>on</b> by
 * default but one will be able to turn it off, which might be a useful feature
 * during development.  Host name verification will make sure the SSL sessions
 * server host name matches with the the host name returned in the 
 * server certificates "Common Name" field of the "SubjectDN" entry.
 *
 * @author <a href="mailto:hauer@psicode.com">Sebastian Hauer</a>
 * <p>
 * DISCLAIMER: HttpClient developers DO NOT actively support this component.
 * The component is provided as a reference material, which may be inappropriate
 * for use without additional customization.
 * </p>
 */
public class StrictSSLProtocolSocketFactory 
    implements SecureProtocolSocketFactory {

    /** Log object for this class. */
    private static final Log LOG = LogFactory.getLog(StrictSSLProtocolSocketFactory.class);

    /** Host name verify flag. */
    private boolean verifyHostname = true;


    /**
     * Constructor for StrictSSLProtocolSocketFactory.
     * @param verifyHostname  The host name verification flag. If set to 
     * <code>true</code> the SSL sessions server host name will be compared
     * to the host name returned in the server certificates "Common Name" 
     * field of the "SubjectDN" entry.  If these names do not match a
     * Exception is thrown to indicate this.  Enabling host name verification 
     * will help to prevent from man-in-the-middle attacks.  If set to 
     * <code>false</code> host name verification is turned off.
     * 
     * Code sample:
     *  
     *     <blockquote>
     *     Protocol stricthttps = new Protocol( 
     *         "https", new StrictSSLProtocolSocketFactory(true), 443);
     *
     *     HttpClient client = new HttpClient();
     *     client.getHostConfiguration().setHost("localhost", 443, stricthttps);
     *     </blockquote>
     *
     */
    public StrictSSLProtocolSocketFactory(boolean verifyHostname) {
        super();
        this.verifyHostname = verifyHostname;
    }

    /**
     * Constructor for StrictSSLProtocolSocketFactory.
     * Host name verification will be enabled by default.
     */
    public StrictSSLProtocolSocketFactory() {
        super();
    }

    /**
     * Set the host name verification flag.
     *
     * @param verifyHostname  The host name verification flag. If set to 
     * <code>true</code> the SSL sessions server host name will be compared
     * to the host name returned in the server certificates "Common Name" 
     * field of the "SubjectDN" entry.  If these names do not match a
     * Exception is thrown to indicate this.  Enabling host name verification 
     * will help to prevent from man-in-the-middle attacks.  If set to 
     * <code>false</code> host name verification is turned off.
     */
    public void setHostnameVerification(boolean verifyHostname) {
        this.verifyHostname = verifyHostname;
    }

    /**
     * Gets the status of the host name verification flag.
     *
     * @return  Host name verification flag.  Either <code>true</code> if host
     * name verification is turned on, or <code>false</code> if host name
     * verification is turned off.
     */
    public boolean getHostnameVerification() {
        return verifyHostname;
    }

    
    /**
     * @see SecureProtocolSocketFactory#createSocket(java.lang.String,int,java.net.InetAddress,int)
     */
    public Socket createSocket(String host, int port, 
                               InetAddress clientHost, int clientPort)
        throws IOException, UnknownHostException {
        SSLSocketFactory sf = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket sslSocket = (SSLSocket) sf.createSocket(host, port, 
                                                          clientHost, 
                                                          clientPort);
        verifyHostname(sslSocket);

        return sslSocket;
    }

    /**
     * Attempts to get a new socket connection to the given host within the given time limit.
     * <p>
     * This method employs several techniques to circumvent the limitations of older JREs that 
     * do not support connect timeout. When running in JRE 1.4 or above reflection is used to 
     * call Socket#connect(SocketAddress endpoint, int timeout) method. When executing in older 
     * JREs a controller thread is executed. The controller thread attempts to create a new socket
     * within the given limit of time. If socket constructor does not return until the timeout 
     * expires, the controller terminates and throws an {@link ConnectTimeoutException}
     * </p>
     *  
     * @param host the host name/IP
     * @param port the port on the host
     * @param clientHost the local host name/IP to bind the socket to
     * @param clientPort the port on the local machine
     * @param params {@link HttpConnectionParams Http connection parameters}
     * 
     * @return Socket a new socket
     * 
     * @throws IOException if an I/O error occurs while creating the socket
     * @throws UnknownHostException if the IP address of the host cannot be
     * determined
     */
    public Socket createSocket(
        final String host,
        final int port,
        final InetAddress localAddress,
        final int localPort,
        final HttpConnectionParams params
    ) throws IOException, UnknownHostException, ConnectTimeoutException {
        if (params == null) {
            throw new IllegalArgumentException("Parameters may not be null");
        }
        int timeout = params.getConnectionTimeout();
        Socket socket = null;
        
        SocketFactory socketfactory = SSLSocketFactory.getDefault();
        if (timeout == 0) {
            socket = socketfactory.createSocket(host, port, localAddress, localPort);
        } else {
            socket = socketfactory.createSocket();
            SocketAddress localaddr = new InetSocketAddress(localAddress, localPort);
            SocketAddress remoteaddr = new InetSocketAddress(host, port);
            socket.bind(localaddr);
            socket.connect(remoteaddr, timeout);
        }
        verifyHostname((SSLSocket)socket);
        return socket;
    }

    /**
     * @see SecureProtocolSocketFactory#createSocket(java.lang.String,int)
     */
    public Socket createSocket(String host, int port)
        throws IOException, UnknownHostException {
        SSLSocketFactory sf = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket sslSocket = (SSLSocket) sf.createSocket(host, port);
        verifyHostname(sslSocket);

        return sslSocket;
    }

    /**
     * @see SecureProtocolSocketFactory#createSocket(java.net.Socket,java.lang.String,int,boolean)
     */
    public Socket createSocket(Socket socket, String host, int port, 
                               boolean autoClose)
        throws IOException, UnknownHostException {
        SSLSocketFactory sf = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket sslSocket = (SSLSocket) sf.createSocket(socket, host, 
                                                          port, autoClose);
        verifyHostname(sslSocket);

        return sslSocket;
    }


    /**
     * Describe <code>verifyHostname</code> method here.
     *
     * @param socket a <code>SSLSocket</code> value
     * @exception SSLPeerUnverifiedException  If there are problems obtaining
     * the server certificates from the SSL session, or the server host name 
     * does not match with the "Common Name" in the server certificates 
     * SubjectDN.
     * @exception UnknownHostException  If we are not able to resolve
     * the SSL sessions returned server host name. 
     */
    private void verifyHostname(SSLSocket socket) 
        throws SSLPeerUnverifiedException, UnknownHostException {
        if (! verifyHostname) 
            return;

        SSLSession session = socket.getSession();
        String hostname = session.getPeerHost();
        try {
            InetAddress addr = InetAddress.getByName(hostname);
        } catch (UnknownHostException uhe) {
            throw new UnknownHostException("Could not resolve SSL sessions "
                                           + "server hostname: " + hostname);
        }
        
        X509Certificate[] certs = session.getPeerCertificateChain();
        if (certs == null || certs.length == 0) 
            throw new SSLPeerUnverifiedException("No server certificates found!");
        
        //get the servers DN in its string representation
        String dn = certs[0].getSubjectDN().getName();

        //might be useful to print out all certificates we receive from the
        //server, in case one has to debug a problem with the installed certs.
        if (LOG.isDebugEnabled()) {
            LOG.debug("Server certificate chain:");
            for (int i = 0; i < certs.length; i++) {
                LOG.debug("X509Certificate[" + i + "]=" + certs[i]);
            }
        }
        //get the common name from the first cert
        String cn = getCN(dn);
        if (hostname.equalsIgnoreCase(cn)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Target hostname valid: " + cn);
            }
        } else {
            throw new SSLPeerUnverifiedException(
                "HTTPS hostname invalid: expected '" + hostname + "', received '" + cn + "'");
        }
    }


    /**
     * Parses a X.500 distinguished name for the value of the 
     * "Common Name" field.
     * This is done a bit sloppy right now and should probably be done a bit
     * more according to <code>RFC 2253</code>.
     *
     * @param dn  a X.500 distinguished name.
     * @return the value of the "Common Name" field.
     */
    private String getCN(String dn) {
        int i = 0;
        i = dn.indexOf("CN=");
        if (i == -1) {
            return null;
        }
        //get the remaining DN without CN=
        dn = dn.substring(i + 3);  
        // System.out.println("dn=" + dn);
        char[] dncs = dn.toCharArray();
        for (i = 0; i < dncs.length; i++) {
            if (dncs[i] == ','  && i > 0 && dncs[i - 1] != '\\') {
                break;
            }
        }
        return dn.substring(0, i);
    }
    
    public boolean equals(Object obj) {
        if ((obj != null) && obj.getClass().equals(StrictSSLProtocolSocketFactory.class)) {
            return ((StrictSSLProtocolSocketFactory) obj).getHostnameVerification() 
                == this.verifyHostname;
        } else {
            return false;
        }
    }

    public int hashCode() {
        return StrictSSLProtocolSocketFactory.class.hashCode();
    }

}
1	/*
2	* $HeadURL$
3	* $Revision$
4	* $Date$
5	*
6	* ====================================================================
7	*
8	* Licensed to the Apache Software Foundation (ASF) under one or more
9	* contributor license agreements. See the NOTICE file distributed with
10	* this work for additional information regarding copyright ownership.
11	* The ASF licenses this file to You under the Apache License, Version 2.0
12	* (the "License"); you may not use this file except in compliance with
13	* the License. You may obtain a copy of the License at
14	*
15	* http://www.apache.org/licenses/LICENSE-2.0
16	*
17	* Unless required by applicable law or agreed to in writing, software
18	* distributed under the License is distributed on an "AS IS" BASIS,
19	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20	* See the License for the specific language governing permissions and
21	* limitations under the License.
22	* ====================================================================
23	*
24	* This software consists of voluntary contributions made by many
25	* individuals on behalf of the Apache Software Foundation. For more
26	* information on the Apache Software Foundation, please see
27	* <http://www.apache.org/>.
28	*
29	* [Additional notices, if required by prior licensing conditions]
30	*
31	* Alternatively, the contents of this file may be used under the
32	* terms of the GNU Lesser General Public License Version 2 or later
33	* (the "LGPL"), in which case the provisions of the LGPL are
34	* applicable instead of those above. See terms of LGPL at
35	* <http://www.gnu.org/copyleft/lesser.txt>.
36	* If you wish to allow use of your version of this file only under
37	* the terms of the LGPL and not to allow others to use your version
38	* of this file under the Apache Software License, indicate your
39	* decision by deleting the provisions above and replace them with
40	* the notice and other provisions required by the LGPL. If you do
41	* not delete the provisions above, a recipient may use your version
42	* of this file under either the Apache Software License or the LGPL.
43	*/
44
45	package org.apache.commons.httpclient.contrib.ssl;
46
47	import java.io.IOException;
48	import java.net.InetAddress;
49	import java.net.InetSocketAddress;
50	import java.net.Socket;
51	import java.net.SocketAddress;
52	import java.net.UnknownHostException;
53
54	import javax.net.SocketFactory;
55	import javax.net.ssl.SSLPeerUnverifiedException;
56	import javax.net.ssl.SSLSession;
57	import javax.net.ssl.SSLSocket;
58	import javax.net.ssl.SSLSocketFactory;
59	import javax.security.cert.X509Certificate;
60
61	import org.apache.commons.httpclient.ConnectTimeoutException;
62	import org.apache.commons.httpclient.params.HttpConnectionParams;
63	import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;
64	import org.apache.commons.logging.Log;
65	import org.apache.commons.logging.LogFactory;
66
67	/**
68	* A <code>SecureProtocolSocketFactory</code> that uses JSSE to create
69	* SSL sockets. It will also support host name verification to help preventing
70	* man-in-the-middle attacks. Host name verification is turned <b>on</b> by
71	* default but one will be able to turn it off, which might be a useful feature
72	* during development. Host name verification will make sure the SSL sessions
73	* server host name matches with the the host name returned in the
74	* server certificates "Common Name" field of the "SubjectDN" entry.
75	*
76	* @author <a href="mailto:hauer@psicode.com">Sebastian Hauer</a>
77	* <p>
78	* DISCLAIMER: HttpClient developers DO NOT actively support this component.
79	* The component is provided as a reference material, which may be inappropriate
80	* for use without additional customization.
81	* </p>
82	*/
83	public class StrictSSLProtocolSocketFactory
84	implements SecureProtocolSocketFactory {
85
86	/** Log object for this class. */
87	private static final Log LOG = LogFactory.getLog(StrictSSLProtocolSocketFactory.class);
88
89	/** Host name verify flag. */
90	private boolean verifyHostname = true;
91
92
93	/**
94	* Constructor for StrictSSLProtocolSocketFactory.
95	* @param verifyHostname The host name verification flag. If set to
96	* <code>true</code> the SSL sessions server host name will be compared
97	* to the host name returned in the server certificates "Common Name"
98	* field of the "SubjectDN" entry. If these names do not match a
99	* Exception is thrown to indicate this. Enabling host name verification
100	* will help to prevent from man-in-the-middle attacks. If set to
101	* <code>false</code> host name verification is turned off.
102	*
103	* Code sample:
104	*
105	* <blockquote>
106	* Protocol stricthttps = new Protocol(
107	* "https", new StrictSSLProtocolSocketFactory(true), 443);
108	*
109	* HttpClient client = new HttpClient();
110	* client.getHostConfiguration().setHost("localhost", 443, stricthttps);
111	* </blockquote>
112	*
113	*/
114	public StrictSSLProtocolSocketFactory(boolean verifyHostname) {
115	super();
116	this.verifyHostname = verifyHostname;
117	}
118
119	/**
120	* Constructor for StrictSSLProtocolSocketFactory.
121	* Host name verification will be enabled by default.
122	*/
123	public StrictSSLProtocolSocketFactory() {
124	super();
125	}
126
127	/**
128	* Set the host name verification flag.
129	*
130	* @param verifyHostname The host name verification flag. If set to
131	* <code>true</code> the SSL sessions server host name will be compared
132	* to the host name returned in the server certificates "Common Name"
133	* field of the "SubjectDN" entry. If these names do not match a
134	* Exception is thrown to indicate this. Enabling host name verification
135	* will help to prevent from man-in-the-middle attacks. If set to
136	* <code>false</code> host name verification is turned off.
137	*/
138	public void setHostnameVerification(boolean verifyHostname) {
139	this.verifyHostname = verifyHostname;
140	}
141
142	/**
143	* Gets the status of the host name verification flag.
144	*
145	* @return Host name verification flag. Either <code>true</code> if host
146	* name verification is turned on, or <code>false</code> if host name
147	* verification is turned off.
148	*/
149	public boolean getHostnameVerification() {
150	return verifyHostname;
151	}
152
153
154	/**
155	* @see SecureProtocolSocketFactory#createSocket(java.lang.String,int,java.net.InetAddress,int)
156	*/
157	public Socket createSocket(String host, int port,
158	InetAddress clientHost, int clientPort)
159	throws IOException, UnknownHostException {
160	SSLSocketFactory sf = (SSLSocketFactory) SSLSocketFactory.getDefault();
161	SSLSocket sslSocket = (SSLSocket) sf.createSocket(host, port,
162	clientHost,
163	clientPort);
164	verifyHostname(sslSocket);
165
166	return sslSocket;
167	}
168
169	/**
170	* Attempts to get a new socket connection to the given host within the given time limit.
171	* <p>
172	* This method employs several techniques to circumvent the limitations of older JREs that
173	* do not support connect timeout. When running in JRE 1.4 or above reflection is used to
174	* call Socket#connect(SocketAddress endpoint, int timeout) method. When executing in older
175	* JREs a controller thread is executed. The controller thread attempts to create a new socket
176	* within the given limit of time. If socket constructor does not return until the timeout
177	* expires, the controller terminates and throws an {@link ConnectTimeoutException}
178	* </p>
179	*
180	* @param host the host name/IP
181	* @param port the port on the host
182	* @param clientHost the local host name/IP to bind the socket to
183	* @param clientPort the port on the local machine
184	* @param params {@link HttpConnectionParams Http connection parameters}
185	*
186	* @return Socket a new socket
187	*
188	* @throws IOException if an I/O error occurs while creating the socket
189	* @throws UnknownHostException if the IP address of the host cannot be
190	* determined
191	*/
192	public Socket createSocket(
193	final String host,
194	final int port,
195	final InetAddress localAddress,
196	final int localPort,
197	final HttpConnectionParams params
198	) throws IOException, UnknownHostException, ConnectTimeoutException {
199	if (params == null) {
200	throw new IllegalArgumentException("Parameters may not be null");
201	}
202	int timeout = params.getConnectionTimeout();
203	Socket socket = null;
204
205	SocketFactory socketfactory = SSLSocketFactory.getDefault();
206	if (timeout == 0) {
207	socket = socketfactory.createSocket(host, port, localAddress, localPort);
208	} else {
209	socket = socketfactory.createSocket();
210	SocketAddress localaddr = new InetSocketAddress(localAddress, localPort);
211	SocketAddress remoteaddr = new InetSocketAddress(host, port);
212	socket.bind(localaddr);
213	socket.connect(remoteaddr, timeout);
214	}
215	verifyHostname((SSLSocket)socket);
216	return socket;
217	}
218
219	/**
220	* @see SecureProtocolSocketFactory#createSocket(java.lang.String,int)
221	*/
222	public Socket createSocket(String host, int port)
223	throws IOException, UnknownHostException {
224	SSLSocketFactory sf = (SSLSocketFactory) SSLSocketFactory.getDefault();
225	SSLSocket sslSocket = (SSLSocket) sf.createSocket(host, port);
226	verifyHostname(sslSocket);
227
228	return sslSocket;
229	}
230
231	/**
232	* @see SecureProtocolSocketFactory#createSocket(java.net.Socket,java.lang.String,int,boolean)
233	*/
234	public Socket createSocket(Socket socket, String host, int port,
235	boolean autoClose)
236	throws IOException, UnknownHostException {
237	SSLSocketFactory sf = (SSLSocketFactory) SSLSocketFactory.getDefault();
238	SSLSocket sslSocket = (SSLSocket) sf.createSocket(socket, host,
239	port, autoClose);
240	verifyHostname(sslSocket);
241
242	return sslSocket;
243	}
244
245
246	/**
247	* Describe <code>verifyHostname</code> method here.
248	*
249	* @param socket a <code>SSLSocket</code> value
250	* @exception SSLPeerUnverifiedException If there are problems obtaining
251	* the server certificates from the SSL session, or the server host name
252	* does not match with the "Common Name" in the server certificates
253	* SubjectDN.
254	* @exception UnknownHostException If we are not able to resolve
255	* the SSL sessions returned server host name.
256	*/
257	private void verifyHostname(SSLSocket socket)
258	throws SSLPeerUnverifiedException, UnknownHostException {
259	if (! verifyHostname)
260	return;
261
262	SSLSession session = socket.getSession();
263	String hostname = session.getPeerHost();
264	try {
265	InetAddress addr = InetAddress.getByName(hostname);
266	} catch (UnknownHostException uhe) {
267	throw new UnknownHostException("Could not resolve SSL sessions "
268	+ "server hostname: " + hostname);
269	}
270
271	X509Certificate[] certs = session.getPeerCertificateChain();
272	if (certs == null \|\| certs.length == 0)
273	throw new SSLPeerUnverifiedException("No server certificates found!");
274
275	//get the servers DN in its string representation
276	String dn = certs[0].getSubjectDN().getName();
277
278	//might be useful to print out all certificates we receive from the
279	//server, in case one has to debug a problem with the installed certs.
280	if (LOG.isDebugEnabled()) {
281	LOG.debug("Server certificate chain:");
282	for (int i = 0; i < certs.length; i++) {
283	LOG.debug("X509Certificate[" + i + "]=" + certs[i]);
284	}
285	}
286	//get the common name from the first cert
287	String cn = getCN(dn);
288	if (hostname.equalsIgnoreCase(cn)) {
289	if (LOG.isDebugEnabled()) {
290	LOG.debug("Target hostname valid: " + cn);
291	}
292	} else {
293	throw new SSLPeerUnverifiedException(
294	"HTTPS hostname invalid: expected '" + hostname + "', received '" + cn + "'");
295	}
296	}
297
298
299	/**
300	* Parses a X.500 distinguished name for the value of the
301	* "Common Name" field.
302	* This is done a bit sloppy right now and should probably be done a bit
303	* more according to <code>RFC 2253</code>.
304	*
305	* @param dn a X.500 distinguished name.
306	* @return the value of the "Common Name" field.
307	*/
308	private String getCN(String dn) {
309	int i = 0;
310	i = dn.indexOf("CN=");
311	if (i == -1) {
312	return null;
313	}
314	//get the remaining DN without CN=
315	dn = dn.substring(i + 3);
316	// System.out.println("dn=" + dn);
317	char[] dncs = dn.toCharArray();
318	for (i = 0; i < dncs.length; i++) {
319	if (dncs[i] == ',' && i > 0 && dncs[i - 1] != '\\') {
320	break;
321	}
322	}
323	return dn.substring(0, i);
324	}
325
326	public boolean equals(Object obj) {
327	if ((obj != null) && obj.getClass().equals(StrictSSLProtocolSocketFactory.class)) {
328	return ((StrictSSLProtocolSocketFactory) obj).getHostnameVerification()
329	== this.verifyHostname;
330	} else {
331	return false;
332	}
333	}
334
335	public int hashCode() {
336	return StrictSSLProtocolSocketFactory.class.hashCode();
337	}
338
339	}
Name	Value
svn:eol-style	native
svn:keywords	Date Author Id Revision HeadURL