Revision 6585
Added by ben leinfelder over 12 years ago
| src/edu/ucsb/nceas/metacat/replication/ReplicationServlet.java | ||
|---|---|---|
| 26 | 26 |
|
| 27 | 27 |
package edu.ucsb.nceas.metacat.replication; |
| 28 | 28 |
|
| 29 |
import java.io.ByteArrayInputStream; |
|
| 29 | 30 |
import java.io.FileInputStream; |
| 30 | 31 |
import java.io.FileNotFoundException; |
| 31 | 32 |
import java.io.IOException; |
| ... | ... | |
| 35 | 36 |
import java.security.KeyStore; |
| 36 | 37 |
import java.security.KeyStoreException; |
| 37 | 38 |
import java.security.NoSuchAlgorithmException; |
| 39 |
import java.security.cert.Certificate; |
|
| 38 | 40 |
import java.security.cert.CertificateException; |
| 39 | 41 |
import java.security.cert.X509Certificate; |
| 40 | 42 |
import java.util.Enumeration; |
| ... | ... | |
| 47 | 49 |
import javax.servlet.http.HttpServletResponse; |
| 48 | 50 |
import javax.servlet.http.HttpSession; |
| 49 | 51 |
|
| 52 |
import org.apache.commons.io.IOUtils; |
|
| 50 | 53 |
import org.apache.log4j.Logger; |
| 51 | 54 |
import org.dataone.client.auth.CertificateManager; |
| 52 | 55 |
|
| ... | ... | |
| 274 | 277 |
// get the certificate from the request |
| 275 | 278 |
X509Certificate certificate = CertificateManager.getInstance().getCertificate(request); |
| 276 | 279 |
if (certificate != null) {
|
| 280 |
String givenSubject = CertificateManager.getInstance().getSubjectDN(certificate); |
|
| 281 |
logMetacat.debug("Given certificate subject: " + givenSubject);
|
|
| 282 |
|
|
| 277 | 283 |
// load the keystore |
| 278 | 284 |
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType()); |
| 279 | 285 |
InputStream is = new FileInputStream(PropertyService.getProperty("replication.keystore.file"));
|
| 280 | 286 |
String password = PropertyService.getProperty("replication.keystore.password");
|
| 281 | 287 |
keyStore.load(is, password.toCharArray()); |
| 282 |
// check that it contains our client's entry |
|
| 283 |
String alias = keyStore.getCertificateAlias(certificate); |
|
| 284 |
if (alias != null) {
|
|
| 285 |
// TODO: more checking? |
|
| 286 |
return true; |
|
| 288 |
|
|
| 289 |
// this is expensive |
|
| 290 |
Enumeration<String> aliases = keyStore.aliases(); |
|
| 291 |
while (aliases.hasMoreElements()) {
|
|
| 292 |
// check that it contains our client's entry |
|
| 293 |
String alias = aliases.nextElement(); |
|
| 294 |
logMetacat.debug("checking keyStore alias: " + alias);
|
|
| 295 |
Certificate entryCertificate = keyStore.getCertificate(alias); |
|
| 296 |
if (entryCertificate instanceof X509Certificate) {
|
|
| 297 |
// check the subject matches |
|
| 298 |
String entrySubject = CertificateManager.getInstance().getSubjectDN((X509Certificate) entryCertificate); |
|
| 299 |
logMetacat.debug("Entry certificate subject: " + entrySubject);
|
|
| 300 |
if (entrySubject.equals(givenSubject)) {
|
|
| 301 |
// check the public key matches |
|
| 302 |
boolean equal = IOUtils.contentEquals( |
|
| 303 |
new ByteArrayInputStream(entryCertificate.getPublicKey().getEncoded()), |
|
| 304 |
new ByteArrayInputStream(certificate.getPublicKey().getEncoded())); |
|
| 305 |
if (equal) {
|
|
| 306 |
return true; |
|
| 307 |
} |
|
| 308 |
} |
|
| 309 |
} |
|
| 287 | 310 |
} |
| 288 | 311 |
} |
| 289 | 312 |
return false; |
Also available in: Unified diff
inspect keystore entries for matching client certificate