001/** 002 * Licensed to the Apache Software Foundation (ASF) under one or more 003 * contributor license agreements. See the NOTICE file distributed with 004 * this work for additional information regarding copyright ownership. 005 * The ASF licenses this file to You under the Apache License, Version 2.0 006 * (the "License"); you may not use this file except in compliance with 007 * the License. You may obtain a copy of the License at 008 * 009 * http://www.apache.org/licenses/LICENSE-2.0 010 * 011 * Unless required by applicable law or agreed to in writing, software 012 * distributed under the License is distributed on an "AS IS" BASIS, 013 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 014 * See the License for the specific language governing permissions and 015 * limitations under the License. 016 */ 017 018package org.apache.activemq.transport.tcp; 019 020import java.io.IOException; 021import java.net.URI; 022import java.net.UnknownHostException; 023import java.security.cert.X509Certificate; 024import java.util.HashMap; 025 026import javax.net.ssl.SSLPeerUnverifiedException; 027import javax.net.ssl.SSLSession; 028import javax.net.ssl.SSLSocket; 029import javax.net.ssl.SSLSocketFactory; 030 031import org.apache.activemq.command.ConnectionInfo; 032import org.apache.activemq.util.IntrospectionSupport; 033import org.apache.activemq.wireformat.WireFormat; 034 035/** 036 * A Transport class that uses SSL and client-side certificate authentication. 037 * Client-side certificate authentication must be enabled through the 038 * constructor. By default, this class will have the same client authentication 039 * behavior as the socket it is passed. This class will set ConnectionInfo's 040 * transportContext to the SSL certificates of the client. NOTE: Accessor method 041 * for needClientAuth was not provided on purpose. This is because 042 * needClientAuth's value must be set before the socket is connected. Otherwise, 043 * unexpected situations may occur. 044 */ 045public class SslTransport extends TcpTransport { 046 /** 047 * Connect to a remote node such as a Broker. 048 * 049 * @param wireFormat The WireFormat to be used. 050 * @param socketFactory The socket factory to be used. Forcing SSLSockets 051 * for obvious reasons. 052 * @param remoteLocation The remote location. 053 * @param localLocation The local location. 054 * @param needClientAuth If set to true, the underlying socket will need 055 * client certificate authentication. 056 * @throws UnknownHostException If TcpTransport throws. 057 * @throws IOException If TcpTransport throws. 058 */ 059 public SslTransport(WireFormat wireFormat, SSLSocketFactory socketFactory, URI remoteLocation, URI localLocation, boolean needClientAuth) throws IOException { 060 super(wireFormat, socketFactory, remoteLocation, localLocation); 061 if (this.socket != null) { 062 ((SSLSocket)this.socket).setNeedClientAuth(needClientAuth); 063 064 // Lets try to configure the SSL SNI field. Handy in case your using 065 // a single proxy to route to different messaging apps. 066 067 // On java 1.7 it seems like it can only be configured via reflection. 068 // todo: find out if this will work on java 1.8 069 HashMap props = new HashMap(); 070 props.put("host", remoteLocation.getHost()); 071 IntrospectionSupport.setProperties(this.socket, props); 072 } 073 } 074 075 /** 076 * Initialize from a ServerSocket. No access to needClientAuth is given 077 * since it is already set within the provided socket. 078 * 079 * @param wireFormat The WireFormat to be used. 080 * @param socket The Socket to be used. Forcing SSL. 081 * @throws IOException If TcpTransport throws. 082 */ 083 public SslTransport(WireFormat wireFormat, SSLSocket socket) throws IOException { 084 super(wireFormat, socket); 085 } 086 087 public SslTransport(WireFormat format, SSLSocket socket, 088 InitBuffer initBuffer) throws IOException { 089 super(format, socket, initBuffer); 090 } 091 092 /** 093 * Overriding in order to add the client's certificates to ConnectionInfo 094 * Commmands. 095 * 096 * @param command The Command coming in. 097 */ 098 @Override 099 public void doConsume(Object command) { 100 // The instanceof can be avoided, but that would require modifying the 101 // Command clas tree and that would require too much effort right 102 // now. 103 if (command instanceof ConnectionInfo) { 104 ConnectionInfo connectionInfo = (ConnectionInfo)command; 105 connectionInfo.setTransportContext(getPeerCertificates()); 106 } 107 super.doConsume(command); 108 } 109 110 /** 111 * @return peer certificate chain associated with the ssl socket 112 */ 113 public X509Certificate[] getPeerCertificates() { 114 115 SSLSocket sslSocket = (SSLSocket)this.socket; 116 117 SSLSession sslSession = sslSocket.getSession(); 118 119 X509Certificate[] clientCertChain; 120 try { 121 clientCertChain = (X509Certificate[])sslSession.getPeerCertificates(); 122 } catch (SSLPeerUnverifiedException e) { 123 clientCertChain = null; 124 } 125 126 return clientCertChain; 127 } 128 129 /** 130 * @return pretty print of 'this' 131 */ 132 @Override 133 public String toString() { 134 return "ssl://" + socket.getInetAddress() + ":" + socket.getPort(); 135 } 136 137}