X-Git-Url: https://code.wpia.club/?a=blobdiff_plain;f=src%2Forg%2Fcacert%2Fgigi%2Fping%2FSSLPinger.java;h=acc36adc47650e584b11226f59b5d6869d4b6218;hb=6d65334306c8b7bd10fbbfa07bc8f38475ff6d08;hp=ccb05b84a218761293a76b6ea5ce26a383e41858;hpb=50c8c66dc1d3245e8eaedf17e273f8c0522f1435;p=gigi.git diff --git a/src/org/cacert/gigi/ping/SSLPinger.java b/src/org/cacert/gigi/ping/SSLPinger.java index ccb05b84..acc36adc 100644 --- a/src/org/cacert/gigi/ping/SSLPinger.java +++ b/src/org/cacert/gigi/ping/SSLPinger.java @@ -3,42 +3,58 @@ package org.cacert.gigi.ping; import java.io.IOException; import java.io.InputStream; import java.io.OutputStream; +import java.math.BigInteger; import java.net.InetSocketAddress; import java.net.Socket; import java.nio.ByteBuffer; import java.nio.channels.SocketChannel; +import java.security.KeyManagementException; +import java.security.KeyStore; +import java.security.KeyStoreException; import java.security.NoSuchAlgorithmException; +import java.security.SecureRandom; import java.util.Arrays; import javax.net.ssl.SNIHostName; import javax.net.ssl.SNIServerName; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLEngine; +import javax.net.ssl.SSLEngineResult.HandshakeStatus; import javax.net.ssl.SSLEngineResult.Status; import javax.net.ssl.SSLException; -import javax.net.ssl.SSLEngineResult.HandshakeStatus; import javax.net.ssl.SSLParameters; +import javax.net.ssl.TrustManagerFactory; import javax.security.cert.X509Certificate; +import org.cacert.gigi.dbObjects.Certificate; +import org.cacert.gigi.dbObjects.Domain; +import org.cacert.gigi.dbObjects.User; + public class SSLPinger extends DomainPinger { public static final String[] TYPES = new String[] { "xmpp", "server-xmpp", "smtp", "imap" }; + private KeyStore truststore; + + public SSLPinger(KeyStore truststore) { + this.truststore = truststore; + } + @Override - public String ping(String domain, String configuration) { - try { - SocketChannel sch = SocketChannel.open(); + public void ping(Domain domain, String configuration, User u, int confId) { + try (SocketChannel sch = SocketChannel.open()) { + sch.socket().setSoTimeout(5000); String[] parts = configuration.split(":", 2); - sch.connect(new InetSocketAddress(domain, Integer.parseInt(parts[0]))); + sch.socket().connect(new InetSocketAddress(domain.getSuffix(), Integer.parseInt(parts[0])), 5000); if (parts.length == 2) { switch (parts[1]) { case "xmpp": - startXMPP(sch, false, domain); + startXMPP(sch, false, domain.getSuffix()); break; case "server-xmpp": - startXMPP(sch, true, domain); + startXMPP(sch, true, domain.getSuffix()); break; case "smtp": startSMTP(sch); @@ -49,9 +65,12 @@ public class SSLPinger extends DomainPinger { } } - return test(sch, domain); + String res = test(sch, domain.getSuffix(), u); + enterPingResult(confId, res, res, null); + return; } catch (IOException e) { - return "Connecton failed"; + enterPingResult(confId, "error", "connection Failed", null); + return; } } @@ -61,7 +80,7 @@ public class SSLPinger extends DomainPinger { InputStream is = s.getInputStream(); OutputStream os = s.getOutputStream(); scanFor(is, "\n"); - os.write("ENABLE STARTTLS\r\n".getBytes()); + os.write("ENABLE STARTTLS\r\n".getBytes("UTF-8")); os.flush(); scanFor(is, "\n"); } @@ -70,9 +89,9 @@ public class SSLPinger extends DomainPinger { Socket s = sch.socket(); InputStream is = s.getInputStream(); OutputStream os = s.getOutputStream(); - os.write(("").getBytes()); + os.write(("").getBytes("UTF-8")); os.flush(); - os.write("".getBytes()); + os.write("".getBytes("UTF-8")); os.flush(); scanFor(is, ""); @@ -94,13 +113,13 @@ public class SSLPinger extends DomainPinger { Socket s = sch.socket(); InputStream is = s.getInputStream(); readSMTP(is); - s.getOutputStream().write("EHLO ssl.pinger\r\n".getBytes()); + s.getOutputStream().write("EHLO ssl.pinger\r\n".getBytes("UTF-8")); s.getOutputStream().flush(); readSMTP(is); - s.getOutputStream().write("HELP\r\n".getBytes()); + s.getOutputStream().write("HELP\r\n".getBytes("UTF-8")); s.getOutputStream().flush(); readSMTP(is); - s.getOutputStream().write("STARTTLS\r\n".getBytes()); + s.getOutputStream().write("STARTTLS\r\n".getBytes("UTF-8")); s.getOutputStream().flush(); readSMTP(is); } @@ -130,9 +149,19 @@ public class SSLPinger extends DomainPinger { } } - private String test(SocketChannel sch, String domain) { + private String test(SocketChannel sch, String domain, User subject) { try { - SSLContext sc = SSLContext.getDefault(); + sch.socket().setSoTimeout(5000); + SSLContext sc = SSLContext.getInstance("SSL"); + try { + TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509"); + tmf.init(truststore); + sc.init(null, tmf.getTrustManagers(), new SecureRandom()); + } catch (KeyManagementException e) { + e.printStackTrace(); + } catch (KeyStoreException e) { + e.printStackTrace(); + } SSLEngine se = sc.createSSLEngine(); ByteBuffer enc_in = ByteBuffer.allocate(se.getSession().getPacketBufferSize()); ByteBuffer enc_out = ByteBuffer.allocate(se.getSession().getPacketBufferSize()); @@ -179,21 +208,26 @@ public class SSLPinger extends DomainPinger { } } - System.out.println("completed"); - System.out.println(se.getSession().getCipherSuite()); X509Certificate[] peerCertificateChain = se.getSession().getPeerCertificateChain(); - for (X509Certificate x509Certificate : peerCertificateChain) { - System.out.println(x509Certificate.getSubjectDN().getName()); + X509Certificate first = peerCertificateChain[0]; + + BigInteger serial = first.getSerialNumber(); + Certificate c = Certificate.getBySerial(serial.toString(16)); + if (c == null) { + return "Certificate not found"; + } + if (c.getOwner().getId() != subject.getId()) { + return "Owner mismatch"; } return PING_SUCCEDED; } catch (NoSuchAlgorithmException e) { - e.printStackTrace(); + // e.printStackTrace(); TODO log for user debugging? return "Security failed"; } catch (SSLException e) { - e.printStackTrace(); + // e.printStackTrace(); TODO log for user debugging? return "Security failed"; } catch (IOException e) { - e.printStackTrace(); + // e.printStackTrace(); TODO log for user debugging? return "Connection closed"; } }