The server then creates a transient POA, sslPOA
, with SecurityPolicy
specifying INTEGRITY
quality of protection and no client
authentication. Note that even though the default CipherSuites are for
confidentiality, the group of objects served by this POA will use
integrity only cipher suites to protect communication.
The IOR for the secure Hello object contains an SSL component specifying integrity and establish trust in target options. The output from parseIOR:package sslHello; import util.Util; import java.io.File; import java.io.FileInputStream; import org.omg.CORBA.Any; import org.omg.CORBA.ORB; import org.omg.CORBA.Policy; import org.omg.PortableServer.POA; import org.omg.PortableServer.Servant; import org.omg.PortableServer.ImplicitActivationPolicyValue; import com.sssw.jbroker.api.security.QualityOfProtection; import com.sssw.jbroker.api.security.CSIv2.ClientAuthInfo; import com.sssw.jbroker.api.security.CSIv2.SecurityPolicy; import com.sssw.jbroker.api.security.CSIv2.SecureTransportInfo; import com.sssw.jbroker.api.security.CSIv2.SecurityPolicyValue; public class Server { public static void main(String[] args) { | try { | | | | // create the jBroker ORB | | ORB orb = ORB.init(args, null); | | | | // initialize support for SSL | | SSLUtil.initializeSSL(orb, args[0], null, true); | | | | // get the root POA | | POA rootPOA = (POA) orb.resolve_initial_references("RootPOA"); | | | | // create the security policy | | SecureTransportInfo transport = new SecureTransportInfo( | | QualityOfProtection.INTEGRITY, null, 0, false, false, true); | | Any secPolicy = orb.create_any(); | | secPolicy.insert_Value(new SecurityPolicyValue(transport, null, | | false)); | | | | // create the secure POA | | POA sslPOA = rootPOA.create_POA("sslPOA", | | rootPOA.the_POAManager(), | | new Policy[] { | | | rootPOA.create_implicit_activation_policy( | | | ImplicitActivationPolicyValue.IMPLICIT_ACTIVATION), | | | orb.create_policy(SecurityPolicy.POLICY_TYPE, secPolicy) | | }); | | | | // create a servant | | Servant hello = new HelloImpl(orb); | | | | // create a stringified object reference | | String helloIOR = orb.object_to_string( | | sslPOA.servant_to_reference(hello)); | | | | // write the stringified object reference | | Util.writeIOR(helloIOR, "ior", true); | | | | // activate the SSL POA | | sslPOA.the_POAManager().activate(); | | | | // wait for invocations | | System.out.println("waiting for invocations ..."); | | orb.run(); | | | } catch (Exception ex) { | | ex.printStackTrace(); | } } }
Type Id = IDL:helloWorld/Hello:1.0 Profiles = 1 Internet Inter-ORB Protocol (IIOP) Profile: version = 1.1 host = godel port = 0 obj key = 4A424B52 00020001 16A8D28D 5B545203 JBKR........[TR. 00000001 .... components = 1 TAG_SSL_SEC_TRANS : requires: integrity, authenticate target, SSL port: 46020
package sslHello; import org.omg.CORBA.ORB; import com.sssw.jbroker.api.security.SecurityCurrent; public class HelloImpl extends helloWorld.HelloPOA { SecurityCurrent _securityCurrent; public HelloImpl(ORB orb) { | try { | | _securityCurrent = (SecurityCurrent) orb. | | resolve_initial_references("SecurityCurrent"); | } catch (Exception ex) { | | ex.printStackTrace(); | } | | com.sssw.jbroker.orb.RequestHandlerImpl._debug = true; } public String sayHello() { | try { | | System.out.println("Caller Address: " + | | _securityCurrent.getInetAddress()); | | | | System.out.println("Negotiated Cipher: " + | | _securityCurrent.getNegotiatedCipherSuite()); | | | | SSLUtil.printCertChain(_securityCurrent.getCertificateChain()); | | | } catch (Exception ex) { | | ex.printStackTrace(); | } | | return "Hello World!\n"; } }
The client then gets the Hello
object reference and invokes
the sayHello
method on it. The client also demonstrates the
SSL specific methods that it can call to determine the negotiated cipher
suite as well as the server's certificate chain. Note that this can be
even before any method is invoked by the client.
package sslHello; import util.Util; import org.omg.CORBA.ORB; import org.omg.CORBA.portable.ObjectImpl; import java.io.ByteArrayInputStream; import helloWorld.Hello; import helloWorld.HelloHelper; import com.sssw.jbroker.api.security.CipherSuite; import com.sssw.jbroker.api.security.SecurityCurrent; public class Client { public static void main(String[] args) { | try { | | | | // create the jBroker ORB | | ORB orb = ORB.init(args, null); | | | | // initialize SSL | | SSLUtil.initializeSSL(orb, args[0], CipherSuite. | | CIPHER_SUITES_INTEGRITY_ONLY, false); | | | | // read the stringified object reference | | String helloIOR = Util.readIOR("ior"); | | | | // narrow the stringified object | | Hello hello = HelloHelper.narrow(orb.string_to_object(helloIOR)); | | | | // get the SecurityCurrent | | SecurityCurrent secCurrent = (SecurityCurrent) orb. | | resolve_initial_references("SecurityCurrent"); | | | | // print the negotiated ciphers | | System.out.println("Negotiated Cipher: " + | | secCurrent.getNegotiatedCipherSuite((ObjectImpl) hello)); | | | | // print out the peer certificates (Java 2 only) | | SSLUtil.printCertChain(secCurrent.getCertificateChain( | | (ObjectImpl) hello)); | | | | // invoke method on the object | | System.out.println(hello.sayHello()); | | | } catch (Exception ex) { | | ex.printStackTrace(); | } } }
initializeSSL
method gets the CertificateManager from the ORB, and then
sets the various pieces of data (certificates, private keys, pass phrase,
trusted CAs, and cipher suites) needed by SSL to work.
package sslHello; import com.sssw.jbroker.api.security.CipherSuite; import com.sssw.jbroker.api.security.CertificateManager; import java.io.*; import java.lang.reflect.Method; import org.omg.CORBA.ORB; import com.sssw.jbroker.api.security.CipherSuite; import com.sssw.jbroker.tools.security.PrintCert; public class SSLUtil { public static void initializeSSL(ORB orb, String dir, CipherSuite[] cipherSuites, boolean server) throws Exception { | // get the certificate Manager | CertificateManager certMgr = (CertificateManager) orb. | resolve_initial_references("CertificateManager"); | | // the dierctory with certs and keys | dir = dir + File.separator; | | // set cipher suite | certMgr.setCipherSuites(cipherSuites); | | // determine cert chain and private key files | String privKey = null, certChain = null; | if (server) { | | privKey = "data/serverKey.pkcs8"; | | certChain = "data/serverCertChain.chain"; | } else { | | privKey = "data/clientKey.pkcs8"; | | certChain = "data/clientCertChain.chain"; | } | | // set certificate chain and private key | if (privKey != null) { | | | | // load the private key | | byte[] privateKey = loadFromFile(new File(dir + privKey)); | | | | // load the certificate chain | | byte[][] serverCertChain = loadChainFromFile( | | new File(dir + certChain)); | | | | // set certificate chain and private key | | certMgr.setCertificateChain(serverCertChain, privateKey, "test"); | } | | // get the list of trusted CA certificates | File certDir = new File(dir, "certs"); | String[] certs = certDir.list(new FilenameFilter() { | | public boolean accept(File dir, String name) { | | | return name.endsWith(".cert") ? true : false; | | } | }); | | // set the trusted CAs | for (int i=0; i < certs.length; i++) | certMgr.addCACertificate(loadFromFile(new File(certDir, certs[i]))); } // print the certificate using reflection public static void printCertChain(byte[][] certs) throws Exception { | System.out.print("Peer Certificate Chain: "); | if (certs != null) { | | for (int i=0; i < certs.length; i++) { | | | if (_genCertMethod != null) { | | | | Object cert = _genCertMethod.invoke(_certFactory, | | | | new Object[] { new ByteArrayInputStream(certs[i]) }); | | | | System.out.println(cert); | | | } else PrintCert.doPrint(certs[i]); // jBroker internal API | | } | } else System.out.println("<null>"); } private static byte[][] loadChainFromFile(File file) throws IOException { | DataInputStream dis = new DataInputStream(new FileInputStream(file)); | | // get the size of the chain | int chainLen = dis.readInt(); | byte[][] chain = new byte[chainLen][]; | | // read in the individual elements | for (int i=0; i < chainLen; i++) { | | chain[i] = new byte[dis.readInt()]; | | dis.readFully(chain[i]); | } | | // return the chain | dis.close(); return chain; } private static byte[] loadFromFile(File file) throws IOException { | DataInputStream dis = new DataInputStream(new FileInputStream(file)); | byte[] bytes = new byte[dis.available()]; | dis.readFully(bytes); dis.close(); | return bytes; } // is Certificate Factory available private static Object _certFactory = null; private static Method _genCertMethod = null; static { | try { | | Class certFactoryClass = Class.forName( | | "java.security.cert.CertificateFactory"); | | Method getInstanceMethod = certFactoryClass.getDeclaredMethod( | | "getInstance", new Class[] { String.class }); | | _certFactory = getInstanceMethod.invoke(null, new Object[] { | | "X.509"}); | | _genCertMethod = _certFactory.getClass().getDeclaredMethod( | | "generateCertificate", new Class[] { InputStream.class }); | } catch (Throwable ex) {} } }
Copyright © 2000-2003, Novell, Inc. All rights reserved. |