001/** 002 * Licensed to the Apache Software Foundation (ASF) under one or more 003 * contributor license agreements. See the NOTICE file distributed with 004 * this work for additional information regarding copyright ownership. 005 * The ASF licenses this file to You under the Apache License, Version 2.0 006 * (the "License"); you may not use this file except in compliance with 007 * the License. You may obtain a copy of the License at 008 * 009 * http://www.apache.org/licenses/LICENSE-2.0 010 * 011 * Unless required by applicable law or agreed to in writing, software 012 * distributed under the License is distributed on an "AS IS" BASIS, 013 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 014 * See the License for the specific language governing permissions and 015 * limitations under the License. 016 */ 017 018package org.apache.activemq.transport.tcp; 019 020import java.io.IOException; 021import java.net.URI; 022import java.net.UnknownHostException; 023import java.security.cert.X509Certificate; 024import java.util.HashMap; 025 026import javax.net.ssl.SSLPeerUnverifiedException; 027import javax.net.ssl.SSLSession; 028import javax.net.ssl.SSLSocket; 029import javax.net.ssl.SSLSocketFactory; 030 031import org.apache.activemq.command.ConnectionInfo; 032 033import org.apache.activemq.util.IntrospectionSupport; 034import org.apache.activemq.wireformat.WireFormat; 035 036/** 037 * A Transport class that uses SSL and client-side certificate authentication. 038 * Client-side certificate authentication must be enabled through the 039 * constructor. By default, this class will have the same client authentication 040 * behavior as the socket it is passed. This class will set ConnectionInfo's 041 * transportContext to the SSL certificates of the client. NOTE: Accessor method 042 * for needClientAuth was not provided on purpose. This is because 043 * needClientAuth's value must be set before the socket is connected. Otherwise, 044 * unexpected situations may occur. 045 */ 046public class SslTransport extends TcpTransport { 047 /** 048 * Connect to a remote node such as a Broker. 049 * 050 * @param wireFormat The WireFormat to be used. 051 * @param socketFactory The socket factory to be used. Forcing SSLSockets 052 * for obvious reasons. 053 * @param remoteLocation The remote location. 054 * @param localLocation The local location. 055 * @param needClientAuth If set to true, the underlying socket will need 056 * client certificate authentication. 057 * @throws UnknownHostException If TcpTransport throws. 058 * @throws IOException If TcpTransport throws. 059 */ 060 public SslTransport(WireFormat wireFormat, SSLSocketFactory socketFactory, URI remoteLocation, URI localLocation, boolean needClientAuth) throws IOException { 061 super(wireFormat, socketFactory, remoteLocation, localLocation); 062 if (this.socket != null) { 063 ((SSLSocket)this.socket).setNeedClientAuth(needClientAuth); 064 065 // Lets try to configure the SSL SNI field. Handy in case your using 066 // a single proxy to route to different messaging apps. 067 068 // On java 1.7 it seems like it can only be configured via reflection. 069 // todo: find out if this will work on java 1.8 070 HashMap props = new HashMap(); 071 props.put("host", remoteLocation.getHost()); 072 IntrospectionSupport.setProperties(this.socket, props); 073 } 074 } 075 076 /** 077 * Initialize from a ServerSocket. No access to needClientAuth is given 078 * since it is already set within the provided socket. 079 * 080 * @param wireFormat The WireFormat to be used. 081 * @param socket The Socket to be used. Forcing SSL. 082 * @throws IOException If TcpTransport throws. 083 */ 084 public SslTransport(WireFormat wireFormat, SSLSocket socket) throws IOException { 085 super(wireFormat, socket); 086 } 087 088 /** 089 * Overriding in order to add the client's certificates to ConnectionInfo 090 * Commmands. 091 * 092 * @param command The Command coming in. 093 */ 094 public void doConsume(Object command) { 095 // The instanceof can be avoided, but that would require modifying the 096 // Command clas tree and that would require too much effort right 097 // now. 098 if (command instanceof ConnectionInfo) { 099 ConnectionInfo connectionInfo = (ConnectionInfo)command; 100 connectionInfo.setTransportContext(getPeerCertificates()); 101 } 102 super.doConsume(command); 103 } 104 105 /** 106 * @return peer certificate chain associated with the ssl socket 107 */ 108 public X509Certificate[] getPeerCertificates() { 109 110 SSLSocket sslSocket = (SSLSocket)this.socket; 111 112 SSLSession sslSession = sslSocket.getSession(); 113 114 X509Certificate[] clientCertChain; 115 try { 116 clientCertChain = (X509Certificate[])sslSession.getPeerCertificates(); 117 } catch (SSLPeerUnverifiedException e) { 118 clientCertChain = null; 119 } 120 121 return clientCertChain; 122 } 123 124 /** 125 * @return pretty print of 'this' 126 */ 127 public String toString() { 128 return "ssl://" + socket.getInetAddress() + ":" + socket.getPort(); 129 } 130 131}