001    /**
002     * Licensed to the Apache Software Foundation (ASF) under one or more
003     * contributor license agreements.  See the NOTICE file distributed with
004     * this work for additional information regarding copyright ownership.
005     * The ASF licenses this file to You under the Apache License, Version 2.0
006     * (the "License"); you may not use this file except in compliance with
007     * the License.  You may obtain a copy of the License at
008     *
009     *      http://www.apache.org/licenses/LICENSE-2.0
010     *
011     * Unless required by applicable law or agreed to in writing, software
012     * distributed under the License is distributed on an "AS IS" BASIS,
013     * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
014     * See the License for the specific language governing permissions and
015     * limitations under the License.
016     */
017    
018    package org.apache.activemq.transport.tcp;
019    
020    import java.io.IOException;
021    import java.net.URI;
022    import java.net.UnknownHostException;
023    import java.security.cert.X509Certificate;
024    
025    import javax.net.ssl.SSLPeerUnverifiedException;
026    import javax.net.ssl.SSLSession;
027    import javax.net.ssl.SSLSocket;
028    import javax.net.ssl.SSLSocketFactory;
029    
030    import org.apache.activemq.command.ConnectionInfo;
031    
032    import org.apache.activemq.wireformat.WireFormat;
033    
034    /**
035     * A Transport class that uses SSL and client-side certificate authentication.
036     * Client-side certificate authentication must be enabled through the
037     * constructor. By default, this class will have the same client authentication
038     * behavior as the socket it is passed. This class will set ConnectionInfo's
039     * transportContext to the SSL certificates of the client. NOTE: Accessor method
040     * for needClientAuth was not provided on purpose. This is because
041     * needClientAuth's value must be set before the socket is connected. Otherwise,
042     * unexpected situations may occur.
043     */
044    public class SslTransport extends TcpTransport {
045        /**
046         * Connect to a remote node such as a Broker.
047         * 
048         * @param wireFormat The WireFormat to be used.
049         * @param socketFactory The socket factory to be used. Forcing SSLSockets
050         *                for obvious reasons.
051         * @param remoteLocation The remote location.
052         * @param localLocation The local location.
053         * @param needClientAuth If set to true, the underlying socket will need
054         *                client certificate authentication.
055         * @throws UnknownHostException If TcpTransport throws.
056         * @throws IOException If TcpTransport throws.
057         */
058        public SslTransport(WireFormat wireFormat, SSLSocketFactory socketFactory, URI remoteLocation, URI localLocation, boolean needClientAuth) throws IOException {
059            super(wireFormat, socketFactory, remoteLocation, localLocation);
060            if (this.socket != null) {
061                ((SSLSocket)this.socket).setNeedClientAuth(needClientAuth);
062            }
063        }
064    
065        /**
066         * Initialize from a ServerSocket. No access to needClientAuth is given
067         * since it is already set within the provided socket.
068         * 
069         * @param wireFormat The WireFormat to be used.
070         * @param socket The Socket to be used. Forcing SSL.
071         * @throws IOException If TcpTransport throws.
072         */
073        public SslTransport(WireFormat wireFormat, SSLSocket socket) throws IOException {
074            super(wireFormat, socket);
075        }
076    
077        /**
078         * Overriding in order to add the client's certificates to ConnectionInfo
079         * Commmands.
080         * 
081         * @param command The Command coming in.
082         */
083        public void doConsume(Object command) {
084            // The instanceof can be avoided, but that would require modifying the
085            // Command clas tree and that would require too much effort right
086            // now.
087            if (command instanceof ConnectionInfo) {
088                ConnectionInfo connectionInfo = (ConnectionInfo)command;
089                connectionInfo.setTransportContext(getPeerCertificates());
090            } 
091            super.doConsume(command);
092        }
093        
094        /**
095         * @return peer certificate chain associated with the ssl socket
096         */
097        public X509Certificate[] getPeerCertificates() {
098            
099            SSLSocket sslSocket = (SSLSocket)this.socket;
100    
101            SSLSession sslSession = sslSocket.getSession();
102    
103            X509Certificate[] clientCertChain;
104            try {
105                clientCertChain = (X509Certificate[])sslSession.getPeerCertificates();
106            } catch (SSLPeerUnverifiedException e) {
107                    clientCertChain = null;
108            }
109            
110            return clientCertChain;
111        }
112    
113        /**
114         * @return pretty print of 'this'
115         */
116        public String toString() {
117            return "ssl://" + socket.getInetAddress() + ":" + socket.getPort();
118        }
119    
120    }