001/**
002 * Licensed to the Apache Software Foundation (ASF) under one or more
003 * contributor license agreements.  See the NOTICE file distributed with
004 * this work for additional information regarding copyright ownership.
005 * The ASF licenses this file to You under the Apache License, Version 2.0
006 * (the "License"); you may not use this file except in compliance with
007 * the License.  You may obtain a copy of the License at
008 *
009 *      http://www.apache.org/licenses/LICENSE-2.0
010 *
011 * Unless required by applicable law or agreed to in writing, software
012 * distributed under the License is distributed on an "AS IS" BASIS,
013 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
014 * See the License for the specific language governing permissions and
015 * limitations under the License.
016 */
017
018package org.apache.activemq.transport.tcp;
019
020import java.io.IOException;
021import java.net.URI;
022import java.net.UnknownHostException;
023import java.security.cert.X509Certificate;
024import java.util.HashMap;
025
026import javax.net.ssl.SSLPeerUnverifiedException;
027import javax.net.ssl.SSLSession;
028import javax.net.ssl.SSLSocket;
029import javax.net.ssl.SSLSocketFactory;
030
031import org.apache.activemq.command.ConnectionInfo;
032import org.apache.activemq.util.IntrospectionSupport;
033import org.apache.activemq.wireformat.WireFormat;
034
035/**
036 * A Transport class that uses SSL and client-side certificate authentication.
037 * Client-side certificate authentication must be enabled through the
038 * constructor. By default, this class will have the same client authentication
039 * behavior as the socket it is passed. This class will set ConnectionInfo's
040 * transportContext to the SSL certificates of the client. NOTE: Accessor method
041 * for needClientAuth was not provided on purpose. This is because
042 * needClientAuth's value must be set before the socket is connected. Otherwise,
043 * unexpected situations may occur.
044 */
045public class SslTransport extends TcpTransport {
046    /**
047     * Connect to a remote node such as a Broker.
048     *
049     * @param wireFormat The WireFormat to be used.
050     * @param socketFactory The socket factory to be used. Forcing SSLSockets
051     *                for obvious reasons.
052     * @param remoteLocation The remote location.
053     * @param localLocation The local location.
054     * @param needClientAuth If set to true, the underlying socket will need
055     *                client certificate authentication.
056     * @throws UnknownHostException If TcpTransport throws.
057     * @throws IOException If TcpTransport throws.
058     */
059    public SslTransport(WireFormat wireFormat, SSLSocketFactory socketFactory, URI remoteLocation, URI localLocation, boolean needClientAuth) throws IOException {
060        super(wireFormat, socketFactory, remoteLocation, localLocation);
061        if (this.socket != null) {
062            ((SSLSocket)this.socket).setNeedClientAuth(needClientAuth);
063
064            // Lets try to configure the SSL SNI field.  Handy in case your using
065            // a single proxy to route to different messaging apps.
066
067            // On java 1.7 it seems like it can only be configured via reflection.
068            // todo: find out if this will work on java 1.8
069            HashMap props = new HashMap();
070            props.put("host", remoteLocation.getHost());
071            IntrospectionSupport.setProperties(this.socket, props);
072        }
073    }
074
075    /**
076     * Initialize from a ServerSocket. No access to needClientAuth is given
077     * since it is already set within the provided socket.
078     *
079     * @param wireFormat The WireFormat to be used.
080     * @param socket The Socket to be used. Forcing SSL.
081     * @throws IOException If TcpTransport throws.
082     */
083    public SslTransport(WireFormat wireFormat, SSLSocket socket) throws IOException {
084        super(wireFormat, socket);
085    }
086
087    public SslTransport(WireFormat format, SSLSocket socket,
088            InitBuffer initBuffer) throws IOException {
089        super(format, socket, initBuffer);
090    }
091
092    /**
093     * Overriding in order to add the client's certificates to ConnectionInfo
094     * Commmands.
095     *
096     * @param command The Command coming in.
097     */
098    @Override
099    public void doConsume(Object command) {
100        // The instanceof can be avoided, but that would require modifying the
101        // Command clas tree and that would require too much effort right
102        // now.
103        if (command instanceof ConnectionInfo) {
104            ConnectionInfo connectionInfo = (ConnectionInfo)command;
105            connectionInfo.setTransportContext(getPeerCertificates());
106        }
107        super.doConsume(command);
108    }
109
110    /**
111     * @return peer certificate chain associated with the ssl socket
112     */
113    public X509Certificate[] getPeerCertificates() {
114
115        SSLSocket sslSocket = (SSLSocket)this.socket;
116
117        SSLSession sslSession = sslSocket.getSession();
118
119        X509Certificate[] clientCertChain;
120        try {
121            clientCertChain = (X509Certificate[])sslSession.getPeerCertificates();
122        } catch (SSLPeerUnverifiedException e) {
123                clientCertChain = null;
124        }
125
126        return clientCertChain;
127    }
128
129    /**
130     * @return pretty print of 'this'
131     */
132    @Override
133    public String toString() {
134        return "ssl://" + socket.getInetAddress() + ":" + socket.getPort();
135    }
136
137}