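/**
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.apache.activemq.transport.tcp;

import java.io.IOException;
import java.net.URI;
import java.net.UnknownHostException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

import org.apache.activemq.command.ConnectionInfo;

import org.apache.activemq.wireformat.WireFormat;

/**
 * A Transport class that uses SSL and client-side certificate authentication.
 * Client-side certificate authentication must be enabled through the
 * constructor. By default, this class will have the same client authentication
 * behavior as the socket it is passed. This class will set ConnectionInfo's
 * transportContext to the SSL certificates of the client. NOTE: Accessor method
 * for needClientAuth was not provided on purpose. This is because
 * needClientAuth's value must be set before the socket is connected. Otherwise,
 * unexpected situations may occur.
 * <p>
 * The transport context is always taken from the SSL session of the underlying
 * socket, never from the content of the command itself, so whatever a peer
 * marshals into a ConnectionInfo cannot stand in for a verified certificate
 * chain. When the peer presented no (verifiable) certificate the context is
 * {@code null}; anything that authenticates on the transport context must treat
 * {@code null} as "not authenticated".
 */
public class SslTransport extends TcpTransport {
    /**
     * Connect to a remote node such as a Broker.
     *
     * @param wireFormat The WireFormat to be used.
     * @param socketFactory The socket factory to be used. Forcing SSLSockets
     *                for obvious reasons.
     * @param remoteLocation The remote location.
     * @param localLocation The local location.
     * @param needClientAuth If set to true, the underlying socket will need
     *                client certificate authentication. Note that the
     *                SSLSocket API documents that {@code setNeedClientAuth}
     *                replaces any earlier {@code setWantClientAuth}
     *                setting made on the socket, so passing {@code false}
     *                also drops "want" semantics the factory may have set.
     * @throws UnknownHostException If TcpTransport throws.
     * @throws IOException If TcpTransport throws.
     */
    public SslTransport(WireFormat wireFormat, SSLSocketFactory socketFactory, URI remoteLocation, URI localLocation, boolean needClientAuth) throws IOException {
        super(wireFormat, socketFactory, remoteLocation, localLocation);
        // The super constructor may leave the socket unset; only configure
        // client authentication when there is a socket to configure.
        if (this.socket != null) {
            ((SSLSocket)this.socket).setNeedClientAuth(needClientAuth);
        }
    }

    /**
     * Initialize from a ServerSocket. No access to needClientAuth is given
     * since it is already set within the provided socket.
     *
     * @param wireFormat The WireFormat to be used.
     * @param socket The Socket to be used. Forcing SSL.
     * @throws IOException If TcpTransport throws.
     */
    public SslTransport(WireFormat wireFormat, SSLSocket socket) throws IOException {
        super(wireFormat, socket);
    }

    /**
     * Overriding in order to add the client's certificates to ConnectionInfo
     * Commands.
     *
     * @param command The Command coming in.
     */
    public void doConsume(Object command) {
        // The instanceof can be avoided, but that would require modifying the
        // Command class tree and that would require too much effort right
        // now.
        if (command instanceof ConnectionInfo) {
            // Unconditionally overwrite the context with what the TLS layer
            // saw: the peer cannot supply its own chain through the command.
            ConnectionInfo connectionInfo = (ConnectionInfo)command;
            connectionInfo.setTransportContext(getPeerCertificates());
        }
        super.doConsume(command);
    }

    /**
     * Returns the peer's certificate chain as seen by the SSL session of the
     * underlying socket.
     *
     * @return a fresh copy of the peer certificate chain associated with the
     *         ssl socket, or {@code null} when there is no socket, the peer
     *         did not present a verifiable certificate, or the chain is not
     *         made of X.509 certificates.
     */
    public X509Certificate[] getPeerCertificates() {
        SSLSocket sslSocket = (SSLSocket)this.socket;
        if (sslSocket == null) {
            // The connecting constructor tolerates a missing socket, so there
            // may be no peer to report yet.
            return null;
        }

        // getSession() runs the handshake first if it has not happened yet.
        SSLSession sslSession = sslSocket.getSession();

        try {
            return toX509Chain(sslSession.getPeerCertificates());
        } catch (SSLPeerUnverifiedException e) {
            // Raised when the peer sent no certificate or it could not be
            // verified (the normal case when needClientAuth is false). A null
            // context is the "unauthenticated at the TLS layer" signal.
            return null;
        }
    }

    /**
     * Copies a session chain into a new {@code X509Certificate[]} without
     * relying on the runtime array type returned by the SSL provider.
     *
     * @param chain the chain from {@link SSLSession#getPeerCertificates()};
     *              may be {@code null}
     * @return a new array holding the same certificates, or {@code null} if
     *         {@code chain} is {@code null} or contains a non-X.509 entry
     */
    private static X509Certificate[] toX509Chain(Certificate[] chain) {
        if (chain == null) {
            return null;
        }
        X509Certificate[] x509Chain = new X509Certificate[chain.length];
        for (int i = 0; i < chain.length; i++) {
            if (!(chain[i] instanceof X509Certificate)) {
                // A chain that is not entirely X.509 cannot be used for
                // certificate-based authentication; report it as unverified
                // instead of letting a ClassCastException escape doConsume.
                return null;
            }
            x509Chain[i] = (X509Certificate)chain[i];
        }
        return x509Chain;
    }

    /**
     * @return pretty print of 'this'
     */
    public String toString() {
        return "ssl://" + socket.getInetAddress() + ":" + socket.getPort();
    }

}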