X-Git-Url: https://code.wpia.club/?a=blobdiff_plain;ds=sidebyside;f=src%2Forg%2Fcacert%2Fgigi%2Fping%2FSSLPinger.java;h=1e34c8b01d246dc8d05b49e22a732e9d00b4a8c8;hb=50a582e1c456ed43de163c6722cbfcbf88d0070d;hp=32434079a3e477c7a7d8f8e138c01a8088f67156;hpb=12064eb9e794b40506ef94e27b7aa2f55ebd9ced;p=gigi.git
diff --git a/src/org/cacert/gigi/ping/SSLPinger.java b/src/org/cacert/gigi/ping/SSLPinger.java
index 32434079..1e34c8b0 100644
--- a/src/org/cacert/gigi/ping/SSLPinger.java
+++ b/src/org/cacert/gigi/ping/SSLPinger.java
@@ -3,42 +3,58 @@ package org.cacert.gigi.ping; import java.io.IOException; import java.io.InputStream; import java.io.OutputStream; +import java.math.BigInteger; import java.net.InetSocketAddress; import java.net.Socket; import java.nio.ByteBuffer; import java.nio.channels.SocketChannel; +import java.security.KeyManagementException; +import java.security.KeyStore; +import java.security.KeyStoreException; import java.security.NoSuchAlgorithmException; +import java.security.SecureRandom; import java.util.Arrays; import javax.net.ssl.SNIHostName; import javax.net.ssl.SNIServerName; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLEngine; +import javax.net.ssl.SSLEngineResult.HandshakeStatus; import javax.net.ssl.SSLEngineResult.Status; import javax.net.ssl.SSLException; -import javax.net.ssl.SSLEngineResult.HandshakeStatus; import javax.net.ssl.SSLParameters; +import javax.net.ssl.TrustManagerFactory; import javax.security.cert.X509Certificate; +import org.cacert.gigi.dbObjects.Certificate; +import org.cacert.gigi.dbObjects.Domain; +import org.cacert.gigi.dbObjects.User; + public class SSLPinger extends DomainPinger { public static final String[] TYPES = new String[] { "xmpp", "server-xmpp", "smtp", "imap" }; + private KeyStore truststore; + + public SSLPinger(KeyStore truststore) { + this.truststore = truststore; + } + @Override - public void ping(String domain, String configuration, String expToken) { - try { - SocketChannel sch = SocketChannel.open(); + public void ping(Domain domain, String configuration, User u, int confId) { + try (SocketChannel sch = SocketChannel.open()) { + sch.socket().setSoTimeout(5000); String[] parts = configuration.split(":", 2); - sch.connect(new InetSocketAddress(domain, Integer.parseInt(parts[0]))); + sch.socket().connect(new InetSocketAddress(domain.getSuffix(), Integer.parseInt(parts[0])), 5000); if (parts.length == 2) { switch (parts[1]) { case "xmpp": - startXMPP(sch, false, domain); + startXMPP(sch, false, 
domain.getSuffix()); break; case "server-xmpp": - startXMPP(sch, true, domain); + startXMPP(sch, true, domain.getSuffix()); break; case "smtp": startSMTP(sch); @@ -49,9 +65,12 @@ public class SSLPinger extends DomainPinger { } } - test(sch, domain); + String res = test(sch, domain.getSuffix(), u); + enterPingResult(confId, res, res, null); + return; } catch (IOException e) { - e.printStackTrace(); + enterPingResult(confId, "error", "connection Failed", null); + return; } } @@ -61,7 +80,7 @@ public class SSLPinger extends DomainPinger { InputStream is = s.getInputStream(); OutputStream os = s.getOutputStream(); scanFor(is, "\n"); - os.write("ENABLE STARTTLS\r\n".getBytes()); + os.write("ENABLE STARTTLS\r\n".getBytes("UTF-8")); os.flush(); scanFor(is, "\n"); } @@ -70,9 +89,9 @@ public class SSLPinger extends DomainPinger { Socket s = sch.socket(); InputStream is = s.getInputStream(); OutputStream os = s.getOutputStream(); - os.write(("").getBytes()); + os.write(("").getBytes("UTF-8")); os.flush(); - os.write("".getBytes()); + os.write("".getBytes("UTF-8")); os.flush(); scanFor(is, ""); @@ -94,13 +113,13 @@ public class SSLPinger extends DomainPinger { Socket s = sch.socket(); InputStream is = s.getInputStream(); readSMTP(is); - s.getOutputStream().write("EHLO ssl.pinger\r\n".getBytes()); + s.getOutputStream().write("EHLO ssl.pinger\r\n".getBytes("UTF-8")); s.getOutputStream().flush(); readSMTP(is); - s.getOutputStream().write("HELP\r\n".getBytes()); + s.getOutputStream().write("HELP\r\n".getBytes("UTF-8")); s.getOutputStream().flush(); readSMTP(is); - s.getOutputStream().write("STARTTLS\r\n".getBytes()); + s.getOutputStream().write("STARTTLS\r\n".getBytes("UTF-8")); s.getOutputStream().flush(); readSMTP(is); } 
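Review bot: `Integer.parseInt(parts[0])` in the new connect line still throws NumberFormatException for a non-numeric port in `configuration`, and nothing catches it, so a malformed configuration leaves `ping` without any `enterPingResult` call for `confId`. The try only handles IOException; since the method already relies on Java 7 try-with-resources, the catch in the next hunk could become `catch (IOException | NumberFormatException e)` and report the same "error" result, or the port could be validated before connecting. The literal 5000 now appears in both `setSoTimeout` and `connect` (and a third time in `test`); a `private static final int TIMEOUT_MS = 5000;` would keep them in step. The body of `ping` continues in the following hunk.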
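Review bot: The `return;` added at the end of the try block and again at the end of the catch block are redundant in a void method whose try statement is its last statement; dropping both leaves the control flow identical. The catch also discards everything about the failure: `"connection Failed"` tells neither the user nor an operator whether the name did not resolve, the port refused, or the 5000 ms timeout elapsed. If the third argument of `enterPingResult` is a human-readable detail (the `res, res` call above suggests so), `"connection failed: " + e.getClass().getSimpleName()` would already distinguish those cases without reporting more than the failure type. `ping` starts before this hunk.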
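Review bot: `getBytes("UTF-8")` removes the platform-charset dependence of the old `getBytes()`, but selects the charset by name on every call and declares UnsupportedEncodingException; `getBytes(StandardCharsets.UTF_8)` (Java 7, already required by the try-with-resources in `ping`) is the checked-exception-free form, e.g. `os.write("ENABLE STARTTLS\r\n".getBytes(StandardCharsets.UTF_8));`. The same applies to the two writes in the hunk at -70 and the three writes in the hunk at -94; it needs `import java.nio.charset.StandardCharsets;` in the import block. The enclosing methods start before each of these hunks.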
@@ -130,9 +149,19 @@ public class SSLPinger extends DomainPinger { } } - private void test(SocketChannel sch, String domain) { + private String test(SocketChannel sch, String domain, User subject) { try { - SSLContext sc = SSLContext.getDefault(); + sch.socket().setSoTimeout(5000); + SSLContext sc = SSLContext.getInstance("SSL"); + try { + TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509"); + tmf.init(truststore); + sc.init(null, tmf.getTrustManagers(), new SecureRandom()); + } catch (KeyManagementException e) { + e.printStackTrace(); + } catch (KeyStoreException e) { + e.printStackTrace(); + } SSLEngine se = sc.createSSLEngine(); ByteBuffer enc_in = ByteBuffer.allocate(se.getSession().getPacketBufferSize()); ByteBuffer enc_out = ByteBuffer.allocate(se.getSession().getPacketBufferSize()); @@ -179,18 +208,27 @@ public class SSLPinger extends DomainPinger { } } - System.out.println("completed"); - System.out.println(se.getSession().getCipherSuite()); X509Certificate[] peerCertificateChain = se.getSession().getPeerCertificateChain(); - for (X509Certificate x509Certificate : peerCertificateChain) { - System.out.println(x509Certificate.getSubjectDN().getName()); + X509Certificate first = peerCertificateChain[0]; + + BigInteger serial = first.getSerialNumber(); + Certificate c = Certificate.getBySerial(serial.toString(16)); + if (c == null) { + return "Certificate not found: Serial " + serial.toString(16) + " missing."; + } + if (c.getOwner().getId() != subject.getId()) { + return "Owner mismatch"; } + return PING_SUCCEDED; } catch (NoSuchAlgorithmException e) { - e.printStackTrace(); + // e.printStackTrace(); TODO log for user debugging? + return "Security failed"; } catch (SSLException e) { - e.printStackTrace(); + // e.printStackTrace(); TODO log for user debugging? + return "Security failed"; } catch (IOException e) { - e.printStackTrace(); + // e.printStackTrace(); TODO log for user debugging? + return "Connection closed"; } } }
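Review bot: When `tmf.init(truststore)` or `sc.init(...)` fails, the new catch blocks for KeyManagementException and KeyStoreException only print the trace and fall through, so `sc.createSSLEngine()` on the next line runs on an uninitialized SSLContext and throws IllegalStateException, which none of the outer catches (NoSuchAlgorithmException, SSLException, IOException) handle; that escapes `test` and `ping` without a ping result being recorded. Returning the result the outer handlers already use keeps the failure inside the method: `} catch (KeyManagementException | KeyStoreException e) { return "Security failed"; }`. Separately, `SSLContext.getInstance("SSL")` replaces the previous default context; in the JDK provider both "SSL" and "TLS" give a TLS-capable context, but "TLS" is the name the JSSE documentation recommends and states what the pinger actually negotiates. `test` continues past the end of this hunk.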
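Review bot: `se.getSession().getPeerCertificateChain()` returns the deprecated `javax.security.cert.X509Certificate` type; `getPeerCertificates()` returns `java.security.cert.Certificate` objects, which expose `getSerialNumber()` after a cast to `java.security.cert.X509Certificate` and do not depend on an API marked for removal. The lookup keys on `serial.toString(16)`, which yields lowercase hex without leading zeros; if `Certificate.getBySerial` stores serials in another form (upper case, zero-padded, or with separators) the match fails and every ping reports "Certificate not found" — worth confirming against how the serial is written when a certificate is issued. The three catch blocks now carry commented-out printStackTrace calls with a TODO; a comment such as `// handshake/lookup detail is deliberately not shown to the user; the result string is what the ping record stores` would document the decision, and "Security failed" currently does not distinguish an untrusted chain (SSLException from the handshake) from a missing algorithm. `test` starts before this hunk.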