001: /*
002: * $Id: ApprovalCallback.java,v 1.9 2005/11/30 11:27:27 ss150821 Exp $
003: * $Source: /m/portal/ps/srap/src/com/sun/portal/rproxy/https/ApprovalCallback.java,v $
004: * $Log: ApprovalCallback.java,v $
005: * Revision 1.9 2005/11/30 11:27:27 ss150821
006: * 6356996 - Srap Code base needs to save files in the unix file format and not windows
007: *
008: * Revision 1.8 2005/02/23 09:02:00 ss150821
009: * RFE 6223490 - SRA Should use JDK based logging
010: *
011: * Revision 1.7 2005/02/23 08:59:22 ss150821
012: * RFE 6223490 - SRA Should use JDK based logging
013: *
014: * Revision 1.6 2005/02/05 01:43:09 ss150821
015: * Bug #5072272 - trustAllServerCerts should also trust all host names
016: *
017: * Revision 1.5 2004/07/27 12:58:28 vt126379
018: * RFE#5075809, CRT#99
019: *
020: * Revision 1.4 2003/01/23 10:10:13 bv131302
021: * id60 changes merged
022: *
023: * Revision 1.2.10.1 2003/01/22 11:20:46 bv131302
024: * win2k packaging stuff
025: *
026: * Revision 1.2 2002/09/11 06:22:03 ss133690
027: * CRT:1952 Option to disable Cert domain check
028: *
029: * Revision 1.1 2002/06/14 09:53:56 rt130506
030: * SRAP rebranding
031: *
032: * Revision 1.3 2002/06/12 07:55:59 bv131302
033: * more rebranding - filenames
034: *
035: * Revision 1.2 2002/06/11 16:02:08 bv131302
036: * new branded
037: *
038: * Revision 1.1 2002/05/28 09:38:20 mm132998
039: * Bug id - 4692062 , CRT - 1215 , Desc - Support for iDSAME in https mode.
040: *
041: *
042: */
043: package com.sun.portal.rproxy.https;
044:
045: import java.util.ArrayList;
046: import java.util.Enumeration;
047: import java.util.Iterator;
048: import java.util.List;
049: import java.util.StringTokenizer;
050: import java.util.logging.Level;
051: import java.util.logging.Logger;
052:
053: import org.mozilla.jss.crypto.X509Certificate;
054: import org.mozilla.jss.ssl.SSLCertificateApprovalCallback;
055:
056: import com.sun.portal.log.common.PortalLogger;
057: import com.sun.portal.rproxy.configservlet.client.GatewayProfile;
058: import com.sun.portal.util.SystemProperties;
059:
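public class ApprovalCallback implements SSLCertificateApprovalCallback {

    /**
     * Lower-cased host name the outbound request was addressed to, or
     * {@code null} for the shared instance from {@link #getInstance()}.
     * When set, a BAD_CERT_DOMAIN reason is also forgiven if the subject
     * CN equals this host.
     */
    private String reqHost = null;

    /** Lazily created host-less instance returned by {@link #getInstance()}. */
    static private ApprovalCallback theInstance = null;

    /**
     * Mirrors the {@code gateway.trust_all_server_certs} system property
     * (exactly the string "true" enables it). When true, the reasons
     * UNTRUSTED_ISSUER, UNTRUSTED_CERT, CA_CERT_INVALID and UNKNOWN_ISSUER
     * are ignored and {@link #isTrustedDomain(String)} accepts every host.
     * The field is public and mutable, so it can also be flipped at runtime
     * by other code.
     */
    public static boolean trustAllServerCerts = false;

    /**
     * Bug 4740555 - Disable Cert Domain Check
     *
     * Lower-cased entries of the "TrustedSSLDomainList" gateway profile
     * attribute. An entry may contain a single '*' wildcard; see
     * {@link #matchesWildcard(String, String)}. Kept as a raw List so
     * subclasses that already touch it keep compiling.
     */
    protected static List srapGateway_trustedSSLDomainList = new ArrayList();

    // End of code change for bug 4740555

    private static Logger logger = PortalLogger
            .getLogger(ApprovalCallback.class);

    static {
        String tmp = SystemProperties
                .get("gateway.trust_all_server_certs");
        // Same test as before: only a non-null, exact "true" enables the override.
        trustAllServerCerts = "true".equals(tmp);
        /**
         * Bug 4740555 - Disable Cert Domain Check
         */
        Iterator it = GatewayProfile.getStringList(
                "TrustedSSLDomainList").iterator();
        // trusted Domain list enabled list should not be case sensitive
        while (it.hasNext()) {
            srapGateway_trustedSSLDomainList.add(it.next().toString()
                    .toLowerCase());
        }
        // End of code change for bug 4740555
    }

    private ApprovalCallback() {
    }

    /**
     * Creates a callback bound to the host the request targets.
     *
     * @param host requested host name; lower-cased for later comparison with
     *        the certificate CN. {@code null} behaves like the shared instance.
     */
    public ApprovalCallback(String host) {
        if (host != null) {
            reqHost = host.toLowerCase();
        }
    }

    /**
     * Returns the shared host-less callback. Creation is not synchronized;
     * a race can at worst build two instances, which is harmless because the
     * instance carries no state beyond the {@code null} request host.
     *
     * @return the shared instance
     */
    static public ApprovalCallback getInstance() {
        if (theInstance == null) {
            theInstance = new ApprovalCallback();
        }
        return theInstance;
    }

    /**
     * Decides whether a server certificate that failed JSS validation may
     * still be accepted.
     *
     * Every reason reported in {@code status} is logged (under
     * PSSRRPROXY_CSPRH001 for the shared instance, PSSRRPROXY_CSPRH002 for a
     * host-bound one) and then classified by
     * {@link #isAcceptableReason(int, String)}; the certificate is approved
     * only if no reason is rejected. Note that only the subject CN is used
     * for host matching; subjectAltName entries are not consulted here.
     *
     * @param cert   the server certificate under review
     * @param status validation outcome holding zero or more reason codes
     * @return true if every reported reason is acceptable under the current
     *         configuration
     * @throws NullPointerException if {@code cert} or {@code status} is null
     */
    public boolean approve(X509Certificate cert,
            SSLCertificateApprovalCallback.ValidityStatus status) {
        String subjectDN = cert.getSubjectDN().getName();
        logger.info("ApprovalCallback: SubjectDN = " + subjectDN);

        /*
         * Bug #4548903 Gateway does not care if server certs are invalid. This
         * means that, only if the reason for the error during the approval
         * process is UNTRUSTED_CERT or UNTRUSTED_ISSUER or CA_CERT_INVALID or
         * UNKNOWN_ISSUER and the flag trustAllServerCerts is set to true, then
         * the gateway should approve the request.
         */
        // End of code change for Bug #4548903

        /**
         * Bug 4740555 - Disable Cert Domain Check
         */
        String certHost = getCertHost(subjectDN);
        // End of code change for the bug 4740555

        // Message key differs between the shared and the host-bound callback.
        String logKey = (reqHost == null) ? "PSSRRPROXY_CSPRH001"
                : "PSSRRPROXY_CSPRH002";

        boolean trust = true;
        Enumeration errors = status.getReasons();
        while (errors.hasMoreElements()) {
            SSLCertificateApprovalCallback.ValidityItem item =
                    (SSLCertificateApprovalCallback.ValidityItem) errors
                            .nextElement();
            int reason = item.getReason();
            Object[] params = { Integer.valueOf(reason) };
            logger.log(Level.INFO, logKey, params);
            // Keep iterating after a rejection so every reason gets logged.
            if (!isAcceptableReason(reason, certHost)) {
                trust = false;
            }
        }
        return trust;
    }

    /**
     * Classifies one validity reason.
     *
     * @param reason   a ValidityStatus reason code
     * @param certHost lower-cased subject CN of the certificate ("" if none)
     * @return true if the reason may be ignored: trust-chain reasons only when
     *         {@link #trustAllServerCerts} is set; BAD_CERT_DOMAIN when the CN
     *         is on the trusted-domain list or equals the request host; every
     *         other reason is rejected
     */
    private boolean isAcceptableReason(int reason, String certHost) {
        if ((reason == SSLCertificateApprovalCallback.ValidityStatus.UNTRUSTED_ISSUER)
                || (reason == SSLCertificateApprovalCallback.ValidityStatus.UNTRUSTED_CERT)
                || (reason == SSLCertificateApprovalCallback.ValidityStatus.CA_CERT_INVALID)
                || (reason == SSLCertificateApprovalCallback.ValidityStatus.UNKNOWN_ISSUER)) {
            // Bug #4548903: trust-chain failures are forgiven only by the flag.
            return trustAllServerCerts;
        }
        if (reason == SSLCertificateApprovalCallback.ValidityStatus.BAD_CERT_DOMAIN) {
            // Bug 4740555: host mismatch is forgiven by the trusted-domain list,
            // or, for a host-bound callback, by an exact CN/request-host match.
            return isTrustedDomain(certHost)
                    || (reqHost != null && certHost.equalsIgnoreCase(reqHost));
        }
        return false;
    }

    /**
     * Checks a host name against the configured trusted-domain list.
     *
     * Comparison is case-insensitive; list entries are trimmed before both
     * the exact and the wildcard comparison (previously only the wildcard
     * path trimmed, so a padded entry could never match exactly).
     *
     * @param host host name taken from the certificate CN; must not be null
     * @return true if {@link #trustAllServerCerts} is set, or some entry
     *         equals the host or matches it as a wildcard pattern
     */
    private static boolean isTrustedDomain(String host) {
        /**
         * Bug 4740555 - Disable Cert Domain Check
         */
        if (trustAllServerCerts) {
            // If trustAllServerCerts is set to true, accept all certificates as
            // valid. This can be a security hole, but hey you changed the
            // property file.  -- Sandeep Soni
            return true;
        }
        // End of change of code for Bug 4740555
        if ((srapGateway_trustedSSLDomainList == null)
                || srapGateway_trustedSSLDomainList.isEmpty()) {
            return false;
        }
        String lowerHost = host.toLowerCase();
        Iterator it = srapGateway_trustedSSLDomainList.iterator();
        while (it.hasNext()) {
            String entry = it.next().toString().trim();
            if (entry.equals(lowerHost) || matchesWildcard(lowerHost, entry)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Matches a host against an entry holding a single '*' wildcard. Only the
     * first '*' is special; any further '*' is a literal character, as before.
     *
     * The fixed parts on either side of the wildcard may not overlap inside the
     * host: without the length check "www.*.example.com" would accept
     * "www.example.com", since that host both starts with "www." and ends
     * with ".example.com".
     *
     * @param host    lower-cased host name
     * @param pattern trimmed list entry
     * @return true if {@code pattern} contains '*' and the host carries its
     *         prefix and suffix without overlap; false if it has no wildcard
     */
    private static boolean matchesWildcard(String host, String pattern) {
        int star = pattern.indexOf('*');
        if (star == -1) {
            return false;
        }
        String prefix = pattern.substring(0, star);
        String suffix = pattern.substring(star + 1);
        return host.length() >= prefix.length() + suffix.length()
                && host.startsWith(prefix)
                && host.endsWith(suffix);
    }

    /**
     * Extracts the value of the first "cn=" RDN from a subject DN string.
     *
     * The DN is split on ',' without regard to quoting or escaping, so a CN
     * whose value itself contains a comma is cut short at that comma.
     *
     * @param subjectDN the subject DN as returned by the certificate
     * @return the lower-cased CN value, or "" if the DN has no cn= component
     */
    private static String getCertHost(String subjectDN) {
        StringTokenizer st = new StringTokenizer(subjectDN, ",");
        while (st.hasMoreTokens()) {
            String token = st.nextToken().trim().toLowerCase();
            if (token.startsWith("cn=")) {
                return token.substring(3);
            }
        }
        return "";
    }

}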
|