/ - Diff - Metacat - Ecoinformatics Redmine

« Previous | Next »

Revision 6627

Added by ben leinfelder over 12 years ago

check replication table (not keystore) for trusted server host name match

     package edu.ucsb.nceas.metacat.replication;
     import java.io.FileInputStream;
     import java.io.IOException;
     import java.io.InputStream;
     import java.io.OutputStream;
     import java.io.PrintWriter;
     import java.security.KeyStore;
     import java.security.KeyStoreException;
     import java.security.NoSuchAlgorithmException;
     import java.security.cert.Certificate;
     import java.security.cert.CertificateException;
     import java.net.URI;
     import java.net.URISyntaxException;
     import java.security.cert.X509Certificate;
     import java.util.Enumeration;
     import java.util.Hashtable;
     import javax.naming.InvalidNameException;
     import javax.naming.ldap.LdapName;
     import javax.naming.ldap.Rdn;
     import javax.servlet.ServletConfig;
     import javax.servlet.ServletException;
     import javax.servlet.http.HttpServlet;
-...
     import org.apache.log4j.Logger;
     import org.dataone.client.auth.CertificateManager;
     import edu.ucsb.nceas.metacat.properties.PropertyService;
     import edu.ucsb.nceas.metacat.service.ServiceService;
     import edu.ucsb.nceas.metacat.service.SessionService;
     import edu.ucsb.nceas.metacat.shared.MetacatUtilException;
     import edu.ucsb.nceas.metacat.shared.ServiceException;
     import edu.ucsb.nceas.metacat.util.AuthUtil;
     import edu.ucsb.nceas.metacat.util.SessionData;
     import edu.ucsb.nceas.utilities.PropertyNotFoundException;
     public class ReplicationServlet extends HttpServlet {
-...
     		try {
     			// check if the server is included in the list of replicated servers
     			server = ((String[]) params.get("server"))[0];
     			if (!action.equals("servercontrol") && !action.equals("stop")
     					&& !action.equals("start") && !action.equals("getall")) {
-...
     				boolean isValid = false;
     				String msg = "Client certificate is invalid";
     				try {
     					isValid = hasValidCertificate(request);
     					isValid = hasValidCertificate(request, server);
     				} catch (Exception e) {
     					msg = "Could not verify client certificate: " + e.getMessage();
     					logMetacat.error(msg, e);
-...
     					return;
+    				}
     				server = ((String[]) params.get("server"))[0];
     				if (ReplicationService.getServerCodeForServerName(server) == 0) {
     					logReplication.debug("ReplicationServlet.handleGetOrPost - Action \"" + action + "\" rejected for server: "
     							+ server);
-...
+    		}
+    	}
     	private boolean hasValidCertificate(HttpServletRequest request) throws KeyStoreException, PropertyNotFoundException, NoSuchAlgorithmException, CertificateException, IOException {
     	private boolean hasValidCertificate(HttpServletRequest request, String server) throws InvalidNameException, URISyntaxException, ServiceException {
     		// get the certificate from the request
     		X509Certificate certificate = CertificateManager.getInstance().getCertificate(request);
     		if (certificate != null) {
     			String givenSubject = CertificateManager.getInstance().getSubjectDN(certificate);
     			logMetacat.debug("Given certificate subject: " + givenSubject);
     			// load the keystore
     			KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
     			InputStream is = new FileInputStream(PropertyService.getProperty("replication.keystore.file"));
     			String password = PropertyService.getProperty("replication.keystore.password");
     			keyStore.load(is, password.toCharArray());
     			// get the CN from the DN:
     			String givenServerCN = null;
     			LdapName ldapName = new LdapName(givenSubject);
     			for (Rdn rdn: ldapName.getRdns()) {
     				if (rdn.getType().equalsIgnoreCase("CN")) {
     					givenServerCN = (String) rdn.getValue();
     					logMetacat.debug("Given server CN: " + givenServerCN);
     					break;
+    				}
+    			}
     			// this is expensive
     			Enumeration<String> aliases = keyStore.aliases();
     			while (aliases.hasMoreElements()) {
     				// check that it contains our client's entry
     				String alias = aliases.nextElement();
     				logMetacat.debug("checking keyStore alias: " + alias);
     				Certificate entryCertificate = keyStore.getCertificate(alias);
     				if (entryCertificate instanceof X509Certificate) {
     					// check the subject matches
     					String entrySubject = CertificateManager.getInstance().getSubjectDN((X509Certificate) entryCertificate);
     					logMetacat.debug("Entry certificate subject: " + entrySubject);
     					if (entrySubject.equals(givenSubject)) {
     						// TODO: additional verification
     //						try {
     //							certificate.verify(entryCertificate.getPublicKey());
     //						} catch (Exception e) {
     //							logMetacat.warn("Certificate not verifiable: " + e.getMessage(), e);
     //							continue;
     //						}
     						// if we pass verification, we did it!
     						return true;
+    					}
+    				}
     			// check the replication table for this server
     			int serverCode = ReplicationService.getServerCodeForServerName(server);
     			if (serverCode != 0) {
     				// does it match (roughly) the certificate
     				URI serverURI = new URI("https://" + server);
     				String serverHost = serverURI.getHost();
     				logMetacat.debug("Checking against registerd replication server host name: " + serverHost);
     				// remove wildcard from certificate CN if it is a wildcard certificate
     				givenServerCN = givenServerCN.replace("*", "");
     				// match (ends with) same certificate name (domain)?
     				return serverHost.endsWith(givenServerCN);
+    			}
+    		}
      		return false;

Also available in: Unified diff

Project

General

Profile

Metacat

Revision 6627

Added by ben leinfelder over 12 years ago