FC-207 - Fix handling of truststore

apache · Apr 30, 2017 · 52cb9be · 52cb9be
1 parent 49ca325
commit 52cb9be
Show file tree

Hide file tree

Showing 3 changed files with 63 additions and 1 deletion.
diff --git a/src/main/java/org/apache/directory/fortress/core/GlobalIds.java b/src/main/java/org/apache/directory/fortress/core/GlobalIds.java
@@ -443,6 +443,7 @@ public final class GlobalIds
     public static final String TRUST_STORE_PW = "trust.store.password";
 
 
+    public static final String TRUST_STORE_ON_CLASSPATH = "trust.store.onclasspath";
     public static final String SET_TRUST_STORE_PROP = "trust.store.set.prop";
     public static final String LDAP_HOST = "host";
     public static final String LDAP_PORT = "port";

diff --git a/src/main/java/org/apache/directory/fortress/core/ldap/LdapClientTrustStoreManager.java b/src/main/java/org/apache/directory/fortress/core/ldap/LdapClientTrustStoreManager.java
@@ -22,13 +22,16 @@
 
 import org.apache.directory.fortress.core.CfgRuntimeException;
 import org.apache.directory.fortress.core.GlobalErrIds;
+import org.apache.directory.fortress.core.GlobalIds;
+import org.apache.directory.fortress.core.util.Config;
 import org.apache.directory.fortress.core.util.ResourceUtil;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.X509TrustManager;
+import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.Serializable;
@@ -154,6 +157,34 @@ public synchronized X509Certificate[] getAcceptedIssuers()
      */
     private synchronized X509TrustManager[] getTrustManagers( final X509Certificate[] x509Chain ) throws
         CertificateException
+    {
+        String szTrustStoreOnClasspath = Config.getInstance().getProperty( GlobalIds.TRUST_STORE_ON_CLASSPATH );
+        LOG.info( CLS_NM + ".getTrustManagers trust.store.onclasspath: {}", szTrustStoreOnClasspath );
+
+        // If false or null, read the truststore from a fully qualified filename.
+        if( szTrustStoreOnClasspath != null && szTrustStoreOnClasspath.equalsIgnoreCase( "false" ))
+        {
+            LOG.info( CLS_NM + ".getTrustManagers on filepath" );
+            return getTrustManagersOnFilepath( x509Chain );
+        }
+        // Get it off the classpath
+        else
+        {
+            LOG.info( CLS_NM + ".getTrustManagers on classpath" );
+            return getTrustManagersOnClasspath( x509Chain );
+        }
+    }
+
+
+    /**
+     * Return array of trust managers to caller.  Will verify that current date is within certs validity period.
+     *
+     * @param x509Chain contains input X.509 certificate chain.
+     * @return array of X.509 trust managers.
+     * @throws CertificateException if trustStoreFile instance variable is null.
+     */
+    private synchronized X509TrustManager[] getTrustManagersOnClasspath( final X509Certificate[] x509Chain ) throws
+        CertificateException
     {
         // If true, verify the current date is within each certificates validity period.
         if ( isExamineValidityDates )
@@ -183,6 +214,35 @@ private synchronized X509TrustManager[] getTrustManagers( final X509Certificate[
     }
 
 
+    /**
+     * Return array of trust managers to caller.  Will verify that current date is within certs validity period.
+     *
+     * @param x509Chain contains input X.509 certificate chain.
+     * @return array of X.509 trust managers.
+     * @throws CertificateException if trustStoreFile instance variable is null.
+     */
+    private synchronized X509TrustManager[] getTrustManagersOnFilepath( final X509Certificate[] x509Chain ) throws
+        CertificateException
+    {
+        // If true, verify the current date is within each certificates validity period.
+        if ( isExamineValidityDates )
+        {
+            final Date currentDate = new Date();
+            for ( final X509Certificate x509Cert : x509Chain )
+            {
+                x509Cert.checkValidity( currentDate );
+            }
+        }
+        // The trustStoreFile should contain the fully-qualified name of a Java TrustStore on local file system.
+        final File trustStoreFile = new File( this.trustStoreFile );
+        if ( !trustStoreFile.exists() )
+        {
+            throw new CertificateException( "FortressTrustStoreManager.getTrustManagers : file not found" );
+        }
+        return loadTrustManagers( getTrustStore() );
+    }
+
+
     /**
      * Return an array of X.509 TrustManagers.
      *

diff --git a/src/main/java/org/apache/directory/fortress/core/ldap/LdapConnectionProvider.java b/src/main/java/org/apache/directory/fortress/core/ldap/LdapConnectionProvider.java
@@ -144,6 +144,7 @@ private void init()
         int logmax = Config.getInstance().getInt( LDAP_LOG_POOL_MAX, 10 );
         LOG.info( "LDAP POOL:  host=[{}], port=[{}], min=[{}], max=[{}]", host, port, min, max );
 
+/*
         if ( IS_SET_TRUST_STORE_PROP )
         {
             LOG.info( "Set JSSE truststore properties in Apache LDAP client:" );
@@ -154,7 +155,7 @@ private void init()
                 .TRUST_STORE_PW ) );
             System.setProperty( "javax.net.debug", Boolean.valueOf( IS_SSL_DEBUG ).toString() );
         }
-
+*/
         LdapConnectionConfig config = new LdapConnectionConfig();
         config.setLdapHost( host );
         config.setLdapPort( port );