X-Git-Url: https://code.wpia.club/?a=blobdiff_plain;f=src%2Forg%2Fcacert%2Fgigi%2Fping%2FSSLPinger.java;h=6a20dafe7266384a3133248dc30d1d05ad755e61;hb=90771b77a6e7cd00bce47feeb35786f0371b89bd;hp=81c739372ca4a2925b2c852f9be92b263d5c9255;hpb=446d3aa82c177eb844f6f19c8f85d4a6e631efe7;p=gigi.git

diff --git a/src/org/cacert/gigi/ping/SSLPinger.java b/src/org/cacert/gigi/ping/SSLPinger.java
index 81c73937..6a20dafe 100644
--- a/src/org/cacert/gigi/ping/SSLPinger.java
+++ b/src/org/cacert/gigi/ping/SSLPinger.java
@@ -3,25 +3,32 @@ package org.cacert.gigi.ping;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
+import java.math.BigInteger;
 import java.net.InetSocketAddress;
 import java.net.Socket;
 import java.nio.ByteBuffer;
 import java.nio.channels.SocketChannel;
+import java.security.KeyManagementException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
 import java.util.Arrays;
 
 import javax.net.ssl.SNIHostName;
 import javax.net.ssl.SNIServerName;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLEngineResult.HandshakeStatus;
 import javax.net.ssl.SSLEngineResult.Status;
 import javax.net.ssl.SSLException;
-import javax.net.ssl.SSLEngineResult.HandshakeStatus;
 import javax.net.ssl.SSLParameters;
+import javax.net.ssl.TrustManagerFactory;
 import javax.security.cert.X509Certificate;
 
-import org.cacert.gigi.Domain;
-import org.cacert.gigi.User;
+import org.cacert.gigi.dbObjects.Certificate;
+import org.cacert.gigi.dbObjects.Domain;
+import org.cacert.gigi.dbObjects.User;
 
 public class SSLPinger extends DomainPinger {
 
@@ -29,10 +36,15 @@ public class SSLPinger extends DomainPinger {
             "xmpp", "server-xmpp", "smtp", "imap"
     };
 
+    private KeyStore truststore;
+
+    public SSLPinger(KeyStore truststore) {
+        this.truststore = truststore;
+    }
+
     @Override
     public String ping(Domain domain, String configuration, User u) {
-        try {
-            SocketChannel sch = SocketChannel.open();
+        try (SocketChannel sch = SocketChannel.open()) {
             String[] parts = configuration.split(":", 2);
             sch.connect(new InetSocketAddress(domain.getSuffix(), Integer.parseInt(parts[0])));
             if (parts.length == 2) {
@@ -52,7 +64,7 @@ public class SSLPinger extends DomainPinger {
 
                 }
             }
-            return test(sch, domain.getSuffix());
+            return test(sch, domain.getSuffix(), u);
         } catch (IOException e) {
             return "Connecton failed";
         }
@@ -133,9 +145,18 @@ public class SSLPinger extends DomainPinger {
         }
     }
 
-    private String test(SocketChannel sch, String domain) {
+    private String test(SocketChannel sch, String domain, User subject) {
         try {
-            SSLContext sc = SSLContext.getDefault();
+            SSLContext sc = SSLContext.getInstance("SSL");
+            try {
+                TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509");
+                tmf.init(truststore);
+                sc.init(null, tmf.getTrustManagers(), new SecureRandom());
+            } catch (KeyManagementException e) {
+                e.printStackTrace();
+            } catch (KeyStoreException e) {
+                e.printStackTrace();
+            }
             SSLEngine se = sc.createSSLEngine();
             ByteBuffer enc_in = ByteBuffer.allocate(se.getSession().getPacketBufferSize());
             ByteBuffer enc_out = ByteBuffer.allocate(se.getSession().getPacketBufferSize());
@@ -182,21 +203,23 @@ public class SSLPinger extends DomainPinger {
                 }
 
             }
-            System.out.println("completed");
-            System.out.println(se.getSession().getCipherSuite());
             X509Certificate[] peerCertificateChain = se.getSession().getPeerCertificateChain();
-            for (X509Certificate x509Certificate : peerCertificateChain) {
-                System.out.println(x509Certificate.getSubjectDN().getName());
+            X509Certificate first = peerCertificateChain[0];
+
+            BigInteger serial = first.getSerialNumber();
+            Certificate c = Certificate.getBySerial(serial.toString(16));
+            if (c.getOwner().getId() != subject.getId()) {
+                return "Owner mismatch";
             }
             return PING_SUCCEDED;
         } catch (NoSuchAlgorithmException e) {
-            e.printStackTrace();
+            // e.printStackTrace(); TODO log for user debugging?
             return "Security failed";
         } catch (SSLException e) {
-            e.printStackTrace();
+            // e.printStackTrace(); TODO log for user debugging?
             return "Security failed";
         } catch (IOException e) {
-            e.printStackTrace();
+            // e.printStackTrace(); TODO log for user debugging?
             return "Connection closed";
         }
     }