| commit | author | age | ||
| 6db426 | 1 | /* |
| JM | 2 | * Copyright 2012 gitblit.com. |
| 3 | * | |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); | |
| 5 | * you may not use this file except in compliance with the License. | |
| 6 | * You may obtain a copy of the License at | |
| 7 | * | |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 | |
| 9 | * | |
| 10 | * Unless required by applicable law or agreed to in writing, software | |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, | |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
| 13 | * See the License for the specific language governing permissions and | |
| 14 | * limitations under the License. | |
| 15 | */ | |
| 16 | package com.gitblit; | |
| 17 | ||
| 18 | import java.io.File; | |
| 19 | import java.io.FileInputStream; | |
| 20 | import java.io.InputStream; | |
| 21 | import java.security.cert.CertificateException; | |
| 22 | import java.security.cert.CertificateFactory; | |
| 23 | import java.security.cert.X509CRL; | |
| 24 | import java.security.cert.X509CRLEntry; | |
| 25 | import java.security.cert.X509Certificate; | |
| 26 | import java.text.MessageFormat; | |
| 27 | import java.util.concurrent.atomic.AtomicLong; | |
| 28 | ||
| 29 | import javax.net.ssl.X509TrustManager; | |
| 30 | ||
| 31 | import org.slf4j.Logger; | |
| 32 | import org.slf4j.LoggerFactory; | |
| 33 | ||
| 34 | /** | |
| 35 | * GitblitTrustManager is a wrapper trust manager that hot-reloads a local file | |
| 36 | * CRL and enforces client certificate revocations. The GitblitTrustManager | |
| 37 | * also implements fuzzy revocation enforcement in case of issuer mismatch BUT | |
| 38 | * serial number match. These rejecions are specially noted in the log. | |
| 39 | * | |
| 40 | * @author James Moger | |
| 41 | */ | |
| 42 | public class GitblitTrustManager implements X509TrustManager { | |
| 43 | ||
| 44 | private static final Logger logger = LoggerFactory.getLogger(GitblitTrustManager.class); | |
| 45 | ||
| 46 | private final X509TrustManager delegate; | |
| 47 | private final File caRevocationList; | |
| 48 | ||
| 49 | private final AtomicLong lastModified = new AtomicLong(0); | |
| 50 | private volatile X509CRL crl; | |
| 51 | ||
| 52 | public GitblitTrustManager(X509TrustManager delegate, File crlFile) { | |
| 53 | this.delegate = delegate; | |
| 54 | this.caRevocationList = crlFile; | |
| 55 | } | |
| 56 | ||
| 57 | @Override | |
| 58 | public void checkClientTrusted(X509Certificate[] chain, String authType) | |
| 59 | throws CertificateException { | |
| 60 | X509Certificate cert = chain[0]; | |
| 61 | if (isRevoked(cert)) { | |
| 62 | String message = MessageFormat.format("Rejecting revoked certificate {0,number,0} for {1}", | |
| 63 | cert.getSerialNumber(), cert.getSubjectDN().getName()); | |
| 64 | logger.warn(message); | |
| 65 | throw new CertificateException(message); | |
| 66 | } | |
| 67 | delegate.checkClientTrusted(chain, authType); | |
| 68 | } | |
| 69 | ||
| 70 | @Override | |
| 71 | public void checkServerTrusted(X509Certificate[] chain, String authType) | |
| 72 | throws CertificateException { | |
| 73 | delegate.checkServerTrusted(chain, authType); | |
| 74 | } | |
| 75 | ||
| 76 | @Override | |
| 77 | public X509Certificate[] getAcceptedIssuers() { | |
| 78 | return delegate.getAcceptedIssuers(); | |
| 79 | } | |
| 80 | ||
| 81 | protected boolean isRevoked(X509Certificate cert) { | |
| 82 | if (!caRevocationList.exists()) { | |
| 83 | return false; | |
| 84 | } | |
| 85 | read(); | |
| 86 | ||
| 87 | if (crl.isRevoked(cert)) { | |
| 88 | // exact cert is revoked | |
| 89 | return true; | |
| 90 | } | |
| 91 | ||
| 92 | X509CRLEntry entry = crl.getRevokedCertificate(cert.getSerialNumber()); | |
| 93 | if (entry != null) { | |
| 94 | logger.warn("Certificate issuer does not match CRL issuer, but serial number has been revoked!"); | |
| 95 | logger.warn(" cert issuer = " + cert.getIssuerX500Principal()); | |
| 96 | logger.warn(" crl issuer = " + crl.getIssuerX500Principal()); | |
| 97 | return true; | |
| 98 | } | |
| 99 | ||
| 100 | return false; | |
| 101 | } | |
| 102 | ||
| 103 | protected synchronized void read() { | |
| 104 | if (lastModified.get() == caRevocationList.lastModified()) { | |
| 105 | return; | |
| 106 | } | |
| 107 | logger.info("Reloading CRL from " + caRevocationList.getAbsolutePath()); | |
| 108 | InputStream inStream = null; | |
| 109 | try { | |
| 110 | inStream = new FileInputStream(caRevocationList); | |
| 111 | CertificateFactory cf = CertificateFactory.getInstance("X.509"); | |
| 112 | X509CRL list = (X509CRL)cf.generateCRL(inStream); | |
| 113 | crl = list; | |
| 114 | lastModified.set(caRevocationList.lastModified()); | |
| 115 | } catch (Exception e) { | |
| 116 | } finally { | |
| 117 | if (inStream != null) { | |
| 118 | try { | |
| 119 | inStream.close(); | |
| 120 | } catch (Exception e) { | |
| 121 | } | |
| 122 | } | |
| 123 | } | |
| 124 | } | |
| 125 | } | |
