001: package com.sun.portal.util;
002:
003: import java.util.ArrayList;
004: import java.util.Iterator;
005: import java.util.List;
006: import java.util.StringTokenizer;
007: import java.util.logging.Level;
008: import java.util.logging.Logger;
009:
010: import com.sun.portal.log.common.PortalLogger;
011: import com.sun.portal.rproxy.configservlet.client.GatewayProfile;
012:
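public class ServerCertApprovalCallback implements
        org.mozilla.jss.ssl.SSLCertificateApprovalCallback {

    /**
     * Lower-cased host the client asked for, or null for the shared instance
     * returned by {@link #getInstance()}. When set, a BAD_CERT_DOMAIN reason
     * is excused if the certificate CN equals this host.
     */
    private String reqHost = null;

    static private ServerCertApprovalCallback theInstance = null;

    /**
     * When true, the trust-chain reasons UNTRUSTED_ISSUER, UNTRUSTED_CERT,
     * CA_CERT_INVALID and UNKNOWN_ISSUER are excused. Other reasons (expiry,
     * revocation, ...) are never excused by this flag. Read once from the
     * "gateway.trust_all_server_certs" system property at class load; only
     * the exact, case-sensitive value "true" enables it.
     */
    static boolean trustAllServerCerts = false;

    /**
     * Bug 4740555 - Disable Cert Domain Check
     * Lower-cased entries of the "TrustedSSLDomainList" gateway profile
     * attribute. An entry may hold one '*' wildcard (see
     * {@link #isTrustedDomain(String)}). A certificate whose CN matches an
     * entry is accepted even though JSS reported BAD_CERT_DOMAIN.
     */
    protected static List srapGateway_trustedSSLDomainList = new ArrayList();

    private static Logger logger = PortalLogger
            .getLogger(ServerCertApprovalCallback.class);
    // End of code change for bug 4740555

    static {
        String tmp = com.sun.portal.util.SystemProperties
                .get("gateway.trust_all_server_certs");
        trustAllServerCerts = (tmp != null && tmp.equals("true"));
        /**
         * Bug 4740555 - Disable Cert Domain Check
         */
        Iterator it = GatewayProfile.getStringList(
                "TrustedSSLDomainList").iterator();
        // trusted Domain list enabled list should not be case sensitive
        while (it.hasNext()) {
            srapGateway_trustedSSLDomainList.add(it.next().toString()
                    .toLowerCase());
        }
        // End of code change for bug 4740555
    }

    private ServerCertApprovalCallback() {
    }

    /**
     * Builds a callback bound to the host the client requested.
     *
     * @param host the requested host; stored lower-cased so the certificate
     *             CN can be compared to it when JSS reports BAD_CERT_DOMAIN.
     *             May be null, in which case no host comparison is made.
     */
    public ServerCertApprovalCallback(String host) {
        if (host != null) {
            reqHost = host.toLowerCase();
        }
    }

    /**
     * Returns the shared, host-less callback. The lazy initialisation is
     * not synchronized: two threads racing here may each construct an
     * instance, which is harmless because the instances carry no state
     * (reqHost stays null).
     *
     * @return the shared callback
     */
    static public ServerCertApprovalCallback getInstance() {
        if (theInstance == null) {
            theInstance = new ServerCertApprovalCallback();
        }
        return theInstance;
    }

    /**
     * Decides whether the gateway accepts a server certificate that JSS has
     * flagged. Every reason JSS reports is logged at SEVERE; the certificate
     * is accepted only when each reason is excused:
     * <ul>
     * <li>a trust-chain reason (see {@link #isTrustChainReason(int)}) is
     *     excused when {@link #trustAllServerCerts} is set;</li>
     * <li>BAD_CERT_DOMAIN is excused when the CN is in the trusted-domain
     *     list, or, for a callback built with a request host, when the CN
     *     equals that host (case-insensitive);</li>
     * <li>any other reason is never excused.</li>
     * </ul>
     *
     * @param cert   the certificate presented by the server
     * @param status JSS's findings; its reason enumeration is consumed here
     * @return true to accept the certificate, false to reject it
     */
    public boolean approve(
            org.mozilla.jss.crypto.X509Certificate cert,
            org.mozilla.jss.ssl.SSLCertificateApprovalCallback.ValidityStatus status) {
        String subjectDN = cert.getSubjectDN().getName();
        Object[] params0 = { subjectDN };
        logger.log(Level.INFO, "PSSR_CSPU092", params0);

        /*
         * Bug #4548903 Gateway does not care if server certs are invalid. This
         * means that, only if the reason for the error during the approval
         * process is UNTRUSTED_CERT or UNTRUSTED_ISSUER or CA_CERT_INVALID or
         * UNKNOWN_ISSUER and the flag trustAllServerCerts is set to true, then
         * the gateway should approve the request. An unconditional
         * "if (trustAllServerCerts) return true;" was deliberately removed.
         */
        java.util.Enumeration errors = status.getReasons();

        /**
         * Bug 4740555 - Disable Cert Domain Check
         */
        String certHost = getCertHost(subjectDN);
        // End of code change for the bug 4740555

        if (reqHost == null) {
            return approveWithoutRequestHost(errors, certHost);
        }
        return approveAgainstRequestHost(errors, certHost);
    }

    /**
     * Approval path for the shared instance (no request host): every reason
     * is logged and the certificate passes only if no reason is left
     * unexcused.
     *
     * @param errors   JSS reasons, consumed by this call
     * @param certHost lower-cased CN of the certificate ("" if none)
     * @return true if every reason was excused
     */
    private static boolean approveWithoutRequestHost(
            java.util.Enumeration errors, String certHost) {
        int numReasons = 0;
        while (errors.hasMoreElements()) {
            int reason = reasonOf(errors.nextElement());
            Object[] params1 = { reason + "" };
            logger.log(Level.SEVERE, "PSSR_CSPU093", params1);
            if (isTrustChainReason(reason)) {
                if (!trustAllServerCerts) {
                    numReasons++;
                }
            } else if (reason == org.mozilla.jss.ssl.SSLCertificateApprovalCallback.ValidityStatus.BAD_CERT_DOMAIN) {
                // Bug 4740555 - Disable Cert Domain Check
                if (!isTrustedDomain(certHost)) {
                    numReasons++;
                }
            } else {
                numReasons++;
            }
        }
        return (numReasons == 0);
    }

    /**
     * Approval path for a callback built with a request host: as above, but
     * BAD_CERT_DOMAIN is additionally excused when the CN equals reqHost.
     * All reasons are logged even after the decision has become "reject".
     *
     * @param errors   JSS reasons, consumed by this call
     * @param certHost lower-cased CN of the certificate ("" if none)
     * @return true if every reason was excused
     */
    private boolean approveAgainstRequestHost(
            java.util.Enumeration errors, String certHost) {
        boolean trust = true;
        while (errors.hasMoreElements()) {
            int reason = reasonOf(errors.nextElement());
            Object[] params2 = { reason + "" };
            logger.log(Level.SEVERE, "PSSR_CSPU094", params2);
            if (isTrustChainReason(reason)) {
                if (!trustAllServerCerts) {
                    trust = false;
                }
            } else if (reason != org.mozilla.jss.ssl.SSLCertificateApprovalCallback.ValidityStatus.BAD_CERT_DOMAIN) {
                trust = false;
            } else if (!isTrustedDomain(certHost)
                    && !certHost.equalsIgnoreCase(reqHost)) {
                // Bug 4740555 - Disable Cert Domain Check: the CN neither
                // appears in the trusted list nor names the requested host.
                trust = false;
            }
        }
        return trust;
    }

    /**
     * Unwraps the reason code of one element of the JSS reason enumeration.
     *
     * @param validityItem an element of ValidityStatus.getReasons()
     * @return the ValidityStatus reason constant it carries
     */
    private static int reasonOf(Object validityItem) {
        return ((org.mozilla.jss.ssl.SSLCertificateApprovalCallback.ValidityItem) validityItem)
                .getReason();
    }

    /**
     * Reports whether {@code reason} is one of the four trust-chain failures
     * that {@link #trustAllServerCerts} may excuse (Bug #4548903).
     *
     * @param reason a ValidityStatus reason constant
     * @return true for UNTRUSTED_ISSUER, UNTRUSTED_CERT, CA_CERT_INVALID or
     *         UNKNOWN_ISSUER
     */
    private static boolean isTrustChainReason(int reason) {
        return (reason == org.mozilla.jss.ssl.SSLCertificateApprovalCallback.ValidityStatus.UNTRUSTED_ISSUER)
                || (reason == org.mozilla.jss.ssl.SSLCertificateApprovalCallback.ValidityStatus.UNTRUSTED_CERT)
                || (reason == org.mozilla.jss.ssl.SSLCertificateApprovalCallback.ValidityStatus.CA_CERT_INVALID)
                || (reason == org.mozilla.jss.ssl.SSLCertificateApprovalCallback.ValidityStatus.UNKNOWN_ISSUER);
    }

    /**
     * Bug 4740555 - Disable Cert Domain Check
     * Reports whether {@code host} matches an entry of
     * {@link #srapGateway_trustedSSLDomainList}. Each entry is trimmed before
     * comparison; an entry without '*' must equal the host, an entry with a
     * '*' matches when the host starts with the text before the '*' and ends
     * with the text after it, the two parts not overlapping. A bare "*"
     * entry therefore matches every host.
     *
     * CR5072272: an earlier revision returned false here whenever
     * trustAllServerCerts was set; that short-circuit was removed.
     *
     * @param host the lower-cased CN taken from the certificate
     * @return true if some list entry matches
     */
    private static boolean isTrustedDomain(String host) {
        host = host.toLowerCase();
        if ((srapGateway_trustedSSLDomainList == null)
                || (srapGateway_trustedSSLDomainList.size() < 1)) {
            return false;
        }
        Iterator it = srapGateway_trustedSSLDomainList.iterator();
        while (it.hasNext()) {
            // Trim every entry so that one with stray whitespace matches on
            // the exact path as well as on the wildcard path.
            String entry = it.next().toString().trim();
            if (matchesDomainEntry(host, entry)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Matches one trusted-domain entry against a host.
     *
     * @param host  lower-cased host name
     * @param entry trimmed list entry, optionally containing one '*'
     * @return true if the entry matches the host
     */
    private static boolean matchesDomainEntry(String host, String entry) {
        int indx = entry.indexOf("*");
        if (indx == -1) {
            return host.equals(entry);
        }
        String prefix = entry.substring(0, indx);
        String suffix = entry.substring(indx + 1, entry.length());
        // Require room for both halves so that "www.*.example.com" does not
        // match "www.example.com" through an overlapping prefix and suffix.
        return host.length() >= prefix.length() + suffix.length()
                && host.startsWith(prefix)
                && host.endsWith(suffix);
    }

    /**
     * Extracts the CN value from a subject DN, lower-cased. Splits on ',' and
     * returns the text after the first "cn=" token; a CN containing an
     * escaped comma ("\,") would be cut at the escape — TODO confirm whether
     * such DNs occur in practice.
     *
     * @param subjectDN the certificate subject DN as returned by JSS
     * @return the lower-cased CN, or "" if the DN has no cn= component
     */
    private static String getCertHost(String subjectDN) {
        StringTokenizer st = new StringTokenizer(subjectDN, ",");
        while (st.hasMoreTokens()) {
            String token = st.nextToken().trim().toLowerCase();
            if (token.startsWith("cn=")) {
                return token.substring(3);
            }
        }
        return "";
    }

}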
|