net.geant.edugain.meta.publish
Class AuthSSLProtocolSocketFactory

java.lang.Object
  net.geant.edugain.meta.publish.AuthSSLProtocolSocketFactory

All Implemented Interfaces:

org.apache.commons.httpclient.protocol.ProtocolSocketFactory, org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory

public class AuthSSLProtocolSocketFactory
extends java.lang.Object
implements org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory

AuthSSLProtocolSocketFactory can be used to validate the identity of the HTTPS server against a list of trusted certificates and to authenticate to the HTTPS server using a private key.

AuthSSLProtocolSocketFactory will enable server authentication when supplied with a truststore file containg one or several trusted certificates. The client secure socket will reject the connection during the SSL session handshake if the target HTTPS server attempts to authenticate itself with a non-trusted certificate.

Use JDK keytool utility to import a trusted certificate and generate a truststore file:

     keytool -import -alias "my server cert" -file server.crt -keystore my.truststore
    

AuthSSLProtocolSocketFactory will enable client authentication when supplied with a keystore file containg a private key/public certificate pair. The client secure socket will use the private key to authenticate itself to the target HTTPS server during the SSL session handshake if requested to do so by the server. The target HTTPS server will in its turn verify the certificate presented by the client in order to establish client's authenticity

Use the following sequence of actions to generate a keystore file

• Use JDK keytool utility to generate a new key

  keytool -genkey -v -alias "my client key" -validity 365 -keystore my.keystore

  For simplicity use the same password for the key as that of the keystore

• Issue a certificate signing request (CSR)

  keytool -certreq -alias "my client key" -file mycertreq.csr -keystore my.keystore

• Send the certificate request to the trusted Certificate Authority for signature. One may choose to act as her own CA and sign the certificate request using a PKI tool, such as OpenSSL.

• Import the trusted CA root certificate

  keytool -import -alias "my trusted ca" -file caroot.crt -keystore my.keystore

• Import the PKCS#7 file containg the complete certificate chain

  keytool -import -alias "my client key" -file mycert.p7 -keystore my.keystore

• Verify the content the resultant keystore file

  keytool -list -v -keystore my.keystore

Example of using custom protocol socket factory for a specific host:

     Protocol authhttps = new Protocol("https",
          new AuthSSLProtocolSocketFactory(
              new URL("file:my.keystore"), "mypassword",
              new URL("file:my.truststore"), "mypassword"), 443);

     HttpClient client = new HttpClient();
     client.getHostConfiguration().setHost("localhost", 443, authhttps);
     // use relative url only
     GetMethod httpget = new GetMethod("/");
     client.executeMethod(httpget);
     

Example of using custom protocol socket factory per default instead of the standard one:

     Protocol authhttps = new Protocol("https",
          new AuthSSLProtocolSocketFactory(
              new URL("file:my.keystore"), "mypassword",
              new URL("file:my.truststore"), "mypassword"), 443);
     Protocol.registerProtocol("https", authhttps);

     HttpClient client = new HttpClient();
     GetMethod httpget = new GetMethod("https://localhost/");
     client.executeMethod(httpget);
     

Author:

Oleg Kalnichevski

DISCLAIMER: HttpClient developers DO NOT actively support this component. The component is provided as a reference material, which may be inappropriate for use without additional customization.

Field Summary

private java.lang.String	keystorePassword
private java.net.URL	keystoreUrl
private static org.apache.commons.logging.Log	LOG Log object for this class.
private javax.net.ssl.SSLContext	sslcontext
private java.lang.String	truststorePassword
private java.net.URL	truststoreUrl

Constructor Summary

AuthSSLProtocolSocketFactory(java.net.URL keystoreUrl, java.lang.String keystorePassword, java.net.URL truststoreUrl, java.lang.String truststorePassword)
Constructor for AuthSSLProtocolSocketFactory.

Method Summary

private static javax.net.ssl.KeyManager[]	createKeyManagers(java.security.KeyStore keystore, java.lang.String password)
private static java.security.KeyStore	createKeyStore(java.net.URL url, java.lang.String password)
java.net.Socket	createSocket(java.net.Socket socket, java.lang.String host, int port, boolean autoClose)
java.net.Socket	createSocket(java.lang.String host, int port)
java.net.Socket	createSocket(java.lang.String host, int port, java.net.InetAddress clientHost, int clientPort)
java.net.Socket	createSocket(java.lang.String host, int port, java.net.InetAddress localAddress, int localPort, org.apache.commons.httpclient.params.HttpConnectionParams params) Attempts to get a new socket connection to the given host within the given time limit.
private javax.net.ssl.SSLContext	createSSLContext()
private static javax.net.ssl.TrustManager[]	createTrustManagers(java.security.KeyStore keystore)
private javax.net.ssl.SSLContext	getSSLContext()

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

LOG

private static final org.apache.commons.logging.Log LOG

Log object for this class.

keystoreUrl

private java.net.URL keystoreUrl

keystorePassword

private java.lang.String keystorePassword

truststoreUrl

private java.net.URL truststoreUrl

truststorePassword

private java.lang.String truststorePassword

sslcontext

private javax.net.ssl.SSLContext sslcontext

Constructor Detail

AuthSSLProtocolSocketFactory

public AuthSSLProtocolSocketFactory(java.net.URL keystoreUrl,
                                    java.lang.String keystorePassword,
                                    java.net.URL truststoreUrl,
                                    java.lang.String truststorePassword)

Constructor for AuthSSLProtocolSocketFactory. Either a keystore or truststore file must be given. Otherwise SSL context initialization error will result.

Parameters:

keystoreUrl - URL of the keystore file. May be null if HTTPS client authentication is not to be used.

keystorePassword - Password to unlock the keystore. IMPORTANT: this implementation assumes that the same password is used to protect the key and the keystore itself.

truststoreUrl - URL of the truststore file. May be null if HTTPS server authentication is not to be used.

truststorePassword - Password to unlock the truststore.

Method Detail

createKeyStore

private static java.security.KeyStore createKeyStore(java.net.URL url,
                                                     java.lang.String password)
                                              throws java.security.KeyStoreException,
                                                     java.security.NoSuchAlgorithmException,
                                                     java.security.cert.CertificateException,
                                                     java.io.IOException

Throws:

java.security.KeyStoreException

java.security.NoSuchAlgorithmException

java.security.cert.CertificateException

java.io.IOException

createKeyManagers

private static javax.net.ssl.KeyManager[] createKeyManagers(java.security.KeyStore keystore,
                                                            java.lang.String password)
                                                     throws java.security.KeyStoreException,
                                                            java.security.NoSuchAlgorithmException,
                                                            java.security.UnrecoverableKeyException

Throws:

java.security.KeyStoreException

java.security.NoSuchAlgorithmException

java.security.UnrecoverableKeyException

createTrustManagers

private static javax.net.ssl.TrustManager[] createTrustManagers(java.security.KeyStore keystore)
                                                         throws java.security.KeyStoreException,
                                                                java.security.NoSuchAlgorithmException

Throws:

java.security.KeyStoreException

java.security.NoSuchAlgorithmException

createSSLContext

private javax.net.ssl.SSLContext createSSLContext()

getSSLContext

private javax.net.ssl.SSLContext getSSLContext()

createSocket

public java.net.Socket createSocket(java.lang.String host,
                                    int port,
                                    java.net.InetAddress localAddress,
                                    int localPort,
                                    org.apache.commons.httpclient.params.HttpConnectionParams params)
                             throws java.io.IOException,
                                    java.net.UnknownHostException,
                                    org.apache.commons.httpclient.ConnectTimeoutException

Attempts to get a new socket connection to the given host within the given time limit.

To circumvent the limitations of older JREs that do not support connect timeout a controller thread is executed. The controller thread attempts to create a new socket within the given limit of time. If socket constructor does not return until the timeout expires, the controller terminates and throws an ConnectTimeoutException

Specified by:

createSocket in interface org.apache.commons.httpclient.protocol.ProtocolSocketFactory

Parameters:

host - the host name/IP

port - the port on the host

localAddress - the local host name/IP to bind the socket to

localPort - the port on the local machine

params - Http connection parameters

Returns:

Socket a new socket

Throws:

java.io.IOException - if an I/O error occurs while creating the socket

java.net.UnknownHostException - if the IP address of the host cannot be determined

org.apache.commons.httpclient.ConnectTimeoutException

createSocket

public java.net.Socket createSocket(java.lang.String host,
                                    int port,
                                    java.net.InetAddress clientHost,
                                    int clientPort)
                             throws java.io.IOException,
                                    java.net.UnknownHostException

Specified by:

createSocket in interface org.apache.commons.httpclient.protocol.ProtocolSocketFactory

Throws:

java.io.IOException

java.net.UnknownHostException

See Also:

ProtocolSocketFactory.createSocket(java.lang.String,int,java.net.InetAddress,int)

createSocket

public java.net.Socket createSocket(java.lang.String host,
                                    int port)
                             throws java.io.IOException,
                                    java.net.UnknownHostException

Specified by:

createSocket in interface org.apache.commons.httpclient.protocol.ProtocolSocketFactory

Throws:

java.io.IOException

java.net.UnknownHostException

See Also:

ProtocolSocketFactory.createSocket(java.lang.String,int)

createSocket

public java.net.Socket createSocket(java.net.Socket socket,
                                    java.lang.String host,
                                    int port,
                                    boolean autoClose)
                             throws java.io.IOException,
                                    java.net.UnknownHostException

Specified by:

createSocket in interface org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory

Throws:

java.io.IOException

java.net.UnknownHostException

See Also:

SecureProtocolSocketFactory.createSocket(java.net.Socket,java.lang.String,int,boolean)