From c5392b36c368ebdca2e8ab356eb0d1fb0d36a5cb Mon Sep 17 00:00:00 2001 From: Nick Hudson Date: Thu, 8 Mar 2012 10:16:55 +0000 Subject: Implement "CertificateWithKey" and add support for setting client certificates This change provides the functionality to allow clients to specify a PKCS#12 file containing client certificate/key for use when starting TLS sessions. The PKCS12Certificate class now subclasses "CertificateWithKey" (matching the Swiften implementation). Swiften also has "CAPICertificate", which is another subclass of CertificateWithKey. This has not been provided in this patch. From a client's point of view, all that's necessary to specify a certificate to be used for TLS is to do something like CertificateWithKey myCert = new PKCS12Certificate( "/home/fred/myp12file.p12", "secret".toCharArray()); coreClient.setCertificate(myCert); before calling "CoreClient.connect". Matching the Swiften functionality, constructing a new PKCS12Certificate does not actually perform validation of the P12 file/passphrase; that takes place when the p12 file is used. There is limited scope for returning to the caller errors describing possible problems, but JSSEContext uses the "emitError" method which does maintain error information, which is available in a debugger, or from the JSSEContext.toString() method. Test-information: Set up an M-Link server with TLS verified that - when I specify a client certificate with suitable SAN, the client sends it and the server reports authentication using the certificate - when I specify a client certificate without a suitable SAN, the client sends it but the server rejects it diff --git a/src/com/isode/stroke/client/CoreClient.java b/src/com/isode/stroke/client/CoreClient.java index c01d57a..49b6df7 100644 --- a/src/com/isode/stroke/client/CoreClient.java +++ b/src/com/isode/stroke/client/CoreClient.java @@ -31,6 +31,7 @@ import com.isode.stroke.signals.Slot; import com.isode.stroke.signals.Slot1; import com.isode.stroke.tls.CertificateTrustChecker; import com.isode.stroke.tls.CertificateVerificationError; +import com.isode.stroke.tls.CertificateWithKey; import com.isode.stroke.tls.PKCS12Certificate; import com.isode.stroke.tls.PlatformTLSFactories; @@ -169,8 +170,8 @@ public class CoreClient { assert (sessionStream_ == null); sessionStream_ = new BasicSessionStream(StreamType.ClientStreamType, connection_, payloadParserFactories_, payloadSerializers_, tlsFactories.getTLSContextFactory(), networkFactories.getTimerFactory(), eventLoop_); - if (certificate_ != null && !certificate_.isEmpty()) { - sessionStream_.setTLSCertificate(new PKCS12Certificate(certificate_, password_)); + if (certificate_ != null && !certificate_.isNull()) { + sessionStream_.setTLSCertificate(certificate_); } sessionStreamDataReadConnection_ = sessionStream_.onDataRead.connect(new Slot1() { @@ -228,7 +229,7 @@ public class CoreClient { } } - public void setCertificate(String certificate) { + public void setCertificate(CertificateWithKey certificate) { certificate_ = certificate; } @@ -454,7 +455,7 @@ public class CoreClient { private Connection connection_; private BasicSessionStream sessionStream_; private ClientSession session_; - private String certificate_; + private CertificateWithKey certificate_; private boolean disconnectRequested_; private ClientOptions options; private CertificateTrustChecker certificateTrustChecker; diff --git a/src/com/isode/stroke/session/SessionStream.java b/src/com/isode/stroke/session/SessionStream.java index ee17a09..5dbb0fc 100644 --- a/src/com/isode/stroke/session/SessionStream.java +++ b/src/com/isode/stroke/session/SessionStream.java @@ -15,6 +15,7 @@ import com.isode.stroke.signals.Signal; import com.isode.stroke.signals.Signal1; import com.isode.stroke.tls.Certificate; import com.isode.stroke.tls.CertificateVerificationError; +import com.isode.stroke.tls.CertificateWithKey; import com.isode.stroke.tls.PKCS12Certificate; public abstract class SessionStream { @@ -60,7 +61,7 @@ public abstract class SessionStream { public abstract void resetXMPPParser(); - public void setTLSCertificate(PKCS12Certificate cert) { + public void setTLSCertificate(CertificateWithKey cert) { certificate = cert; } @@ -80,7 +81,7 @@ public abstract class SessionStream { public final Signal onTLSEncrypted = new Signal(); public final Signal1 onDataRead = new Signal1(); public final Signal1 onDataWritten = new Signal1(); - protected PKCS12Certificate getTLSCertificate() { + protected CertificateWithKey getTLSCertificate() { return certificate; } @@ -94,5 +95,5 @@ public abstract class SessionStream { "; " + (hasTLSCertificate() ? "has" : "no") + " certificate"; } - private PKCS12Certificate certificate; + private CertificateWithKey certificate; } diff --git a/src/com/isode/stroke/streamstack/TLSLayer.java b/src/com/isode/stroke/streamstack/TLSLayer.java index 7051cd3..1f213fc 100644 --- a/src/com/isode/stroke/streamstack/TLSLayer.java +++ b/src/com/isode/stroke/streamstack/TLSLayer.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2010, Isode Limited, London, England. + * Copyright (c) 2010-2012, Isode Limited, London, England. * All rights reserved. */ /* @@ -14,7 +14,7 @@ import com.isode.stroke.signals.Signal; import com.isode.stroke.signals.Slot1; import com.isode.stroke.tls.Certificate; import com.isode.stroke.tls.CertificateVerificationError; -import com.isode.stroke.tls.PKCS12Certificate; +import com.isode.stroke.tls.CertificateWithKey; import com.isode.stroke.tls.TLSContext; import com.isode.stroke.tls.TLSContextFactory; @@ -50,7 +50,7 @@ public class TLSLayer extends StreamLayer { context.handleDataFromNetwork(data); } - public boolean setClientCertificate(PKCS12Certificate certificate) { + public boolean setClientCertificate(CertificateWithKey certificate) { return context.setClientCertificate(certificate); } diff --git a/src/com/isode/stroke/tls/CertificateWithKey.java b/src/com/isode/stroke/tls/CertificateWithKey.java new file mode 100644 index 0000000..9787add --- /dev/null +++ b/src/com/isode/stroke/tls/CertificateWithKey.java @@ -0,0 +1,24 @@ +/* Copyright (c) 2012, Isode Limited, London, England. + * All rights reserved. + * + * Acquisition and use of this software and related materials for any + * purpose requires a written licence agreement from Isode Limited, + * or a written licence from an organisation licensed by Isode Limited Limited + * to grant such a licence. + * + */ + +package com.isode.stroke.tls; +/** + * + */ +public abstract class CertificateWithKey { + public + CertificateWithKey() { + } + + + public abstract boolean isNull(); + + +} diff --git a/src/com/isode/stroke/tls/PKCS12Certificate.java b/src/com/isode/stroke/tls/PKCS12Certificate.java index 0a45f94..06b6b91 100644 --- a/src/com/isode/stroke/tls/PKCS12Certificate.java +++ b/src/com/isode/stroke/tls/PKCS12Certificate.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2011 Isode Limited, London, England. + * Copyright (c) 2011-2012 Isode Limited, London, England. * All rights reserved. */ /* @@ -9,20 +9,52 @@ package com.isode.stroke.tls; import com.isode.stroke.base.ByteArray; +import com.isode.stroke.base.NotNull; -public class PKCS12Certificate { +public class PKCS12Certificate extends CertificateWithKey { public PKCS12Certificate() { } - public PKCS12Certificate(String filename, String password) { - password_ = password; + /** + * Construct a new object. + * @param filename the name of the P12 file, must not be null. + * @param password the password for the P12 file. Must not be null, + * but may be empty if no password is to be used. + */ + public PKCS12Certificate(String filename, char[] password) { + + NotNull.exceptIfNull(filename,"filename"); + NotNull.exceptIfNull(password,"password"); + filename_ = filename; + password_ = new char[password.length]; + System.arraycopy(password,0,password_,0,password.length); + data_ = new ByteArray(); data_.readFromFile(filename); } public boolean isNull() { return data_.isEmpty(); } + + public boolean isPrivateKeyExportable() { + /////Hopefully a PKCS12 is never missing a private key + return true; + } + + /** + * This returns the name of the P12 file. + * @return the P12 filename, never null. + */ + public String getCertStoreName() { + return filename_; + } + + public String getCertName() { + /* TODO */ + return null; + } + public ByteArray getData() { return data_; @@ -32,9 +64,44 @@ public class PKCS12Certificate { data_ = data; } - public String getPassword() { + /** + * Returns a reference to the password in this object. If {@link #reset()} + * has been called, then the method will return an empty array. + * @return the password for this object. + */ + public char[] getPassword() { return password_; } + @Override + public String toString() { + return "PKCS12Certificate based on file " + filename_; + } + + /** + * This method may be used once the PKCS12Certificate is no longer + * required, and will attempt to clear the memory containing the + * password in this object. After calling this method, you should + * not expect this object to be usable for subsequent authentication. + * + *

Note that this operation does NOT guarantee that all traces + * of the password will have been removed from memory. + */ + public void reset() { + if (password_ != null) { + for (int i=0; i