Fix 3315942, merge patch provided by Jeremiah Albrant: Ask user to select client certificate

git-svn-id: http://svn.code.sf.net/p/davmail/code/trunk@1715 3d1905a2-6b24-0410-a738-b14d5a86fcbd
2025-01-07 03:38:05 -05:00 · 2011-06-23 22:01:06 +00:00 · 2011-06-23 22:01:06 +00:00 · 7fef14109f
commit 7fef14109f
parent c85225384b
4 changed files with 510 additions and 217 deletions
--- a/pom.xml
+++ b/pom.xml
@ -86,6 +86,13 @@
                <role>Java Contributor</role>
            </roles>
        </contributor>
+        <contributor>
+            <name>Jeremiah Albrant</name>
+            <url>http://sourceforge.net/users/?user_id=2903536</url>
+            <roles>
+                <role>Java Contributor</role>
+            </roles>
+        </contributor>
        <contributor>
            <name>Henning Holtschneider</name>
            <email>hehol@users.sourceforge.net</email>
@ -225,7 +232,7 @@
        <dependency>
            <groupId>org.eclipse</groupId>
            <artifactId>swt</artifactId>
-            <version>3.6.0</version>
+            <version>3.7.0</version>
            <optional>true</optional>
        </dependency>
        <dependency>
--- a/src/java/davmail/http/DavGatewaySSLProtocolSocketFactory.java
+++ b/src/java/davmail/http/DavGatewaySSLProtocolSocketFactory.java
@ -128,8 +128,20 @@ public class DavGatewaySSLProtocolSocketFactory implements SecureProtocolSocketF
        ManagerFactoryParameters keyStoreBuilderParameters = new KeyStoreBuilderParameters(keyStoreBuilders);
        keyManagerFactory.init(keyStoreBuilderParameters);

+        // Get a list of key managers
+        KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();
+
+        // Walk through the key managers and replace all X509 Key Managers with
+        // a specialized wrapped DavMail X509 Key Manager
+        for (int i = 0; i < keyManagers.length; i++) {
+            KeyManager keyManager = keyManagers[i];
+            if (keyManager instanceof X509KeyManager) {
+                keyManagers[i] = new DavMailX509KeyManager((X509KeyManager) keyManager);
+            }
+        }
+
        SSLContext context = SSLContext.getInstance("SSL");
-        context.init(keyManagerFactory.getKeyManagers(), new TrustManager[]{new DavGatewayX509TrustManager()}, null);
+        context.init(keyManagers, new TrustManager[]{new DavGatewayX509TrustManager()}, null);
        return context;
    }

@ -140,7 +152,6 @@ public class DavGatewaySSLProtocolSocketFactory implements SecureProtocolSocketF
        return this.sslcontext;
    }

-
    public Socket createSocket(String host, int port, InetAddress clientHost, int clientPort) throws IOException {
        try {
            return getSSLContext().getSocketFactory().createSocket(host, port, clientHost, clientPort);
@ -169,7 +180,6 @@ public class DavGatewaySSLProtocolSocketFactory implements SecureProtocolSocketF
        }
    }

-
    public Socket createSocket(String host, int port) throws IOException {
        try {
            return getSSLContext().getSocketFactory().createSocket(host, port);
--- a/src/java/davmail/http/DavMailX509KeyManager.java
+++ b/src/java/davmail/http/DavMailX509KeyManager.java
@ -0,0 +1,165 @@
+/*
+ * DavMail POP/IMAP/SMTP/CalDav/LDAP Exchange Gateway
+ * Copyright (C) 2011  Mickael Guessant
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package davmail.http;
+
+import davmail.ui.SelectCertificateDialog;
+import org.apache.log4j.Logger;
+
+import javax.net.ssl.X509KeyManager;
+import java.net.Socket;
+import java.security.Principal;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Arrays;
+
+/**
+ * Special X509 Key Manager that handles cases where more than one private key
+ * is sufficient to establish the HTTPs connection by asking the user to
+ * select one.
+ */
+public class DavMailX509KeyManager implements X509KeyManager {
+
+    protected static final Logger LOGGER = Logger.getLogger(DavMailX509KeyManager.class);
+
+    // Wrap an existing key manager to handle most of the interface as a pass through
+    private final X509KeyManager keyManager;
+
+    // Remember selected alias so we don't continually bug the user
+    private String cachedAlias;
+
+    /**
+     * Build the specialized key manager wrapping the default one
+     *
+     * @param keyManager original key manager
+     */
+    public DavMailX509KeyManager(X509KeyManager keyManager) {
+        this.keyManager = keyManager;
+    }
+
+    /**
+     * Get the client aliases, simply pass this through to wrapped key manager
+     */
+    public String[] getClientAliases(String string, Principal[] principals) {
+        return keyManager.getClientAliases(string, principals);
+    }
+
+    /**
+     * Select a client alias. Some servers are misconfigured and claim to accept
+     * any client certificate during the SSL handshake, however OWA only authenticates
+     * using a single certificate.
+     * <p/>
+     * This method allows the user to select the right client certificate
+     */
+    public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
+        // Build a list of all aliases
+        ArrayList<String> aliases = new ArrayList<String>();
+        for (String keyTypeValue : keyType) {
+            String[] keyAliases = keyManager.getClientAliases(keyTypeValue, issuers);
+
+            if (keyAliases != null) {
+                aliases.addAll(Arrays.asList(keyAliases));
+            }
+        }
+
+        // If there are more than one show a dialog and return the selected alias
+        if (aliases.size() > 1) {
+
+            //If there's a saved pattern try to match it
+            if (cachedAlias != null) {
+                for (String alias : aliases) {
+                    if (cachedAlias.equals(stripAlias(alias))) {
+                        LOGGER.debug(alias + " matched cached alias: " + cachedAlias);
+                        return alias;
+                    }
+                }
+
+                // pattern didn't match, clear the pattern and ask user to select an alias
+                cachedAlias = null;
+            }
+
+            String[] aliasesArray = aliases.toArray(new String[aliases.size()]);
+            SelectCertificateDialog selectCertificateDialog = new SelectCertificateDialog(aliasesArray);
+
+            LOGGER.debug("User selected Key Alias: " + selectCertificateDialog.getSelectedAlias());
+
+            cachedAlias = stripAlias(selectCertificateDialog.getSelectedAlias().substring(10));
+            LOGGER.debug("Stored Key Alias Pattern: " + cachedAlias);
+
+            return selectCertificateDialog.getSelectedAlias();
+
+            // exactly one, simply return that and don't bother the user
+        } else if (aliases.size() == 1) {
+            LOGGER.debug("One Private Key found, returning that");
+            return aliases.get(0);
+
+            // none, return null
+        } else {
+            LOGGER.debug("No Private Keys found");
+            return null;
+        }
+    }
+
+    /**
+     * PKCS11 aliases are in the format: dd.0, dd is incremented
+     * every time the SSL connection is re-negotiated
+     *
+     * @param alias original alias
+     * @return alias without prefix
+     */
+    protected String stripAlias(String alias) {
+        String value = alias;
+        if (value != null && value.length() > 1) {
+            char firstChar = value.charAt(0);
+            int dotIndex = value.indexOf('.'); 
+            if (firstChar >= '0' && firstChar <= '9' && dotIndex >= 0) {
+                value = value.substring(dotIndex+1);
+            }
+        }
+        return value;
+    }
+
+    /**
+     * Passthrough to wrapped keymanager
+     */
+    public String[] getServerAliases(String string, Principal[] prncpls) {
+        return keyManager.getServerAliases(string, prncpls);
+    }
+
+    /**
+     * Passthrough to wrapped keymanager
+     */
+    public String chooseServerAlias(String string, Principal[] prncpls, Socket socket) {
+        return keyManager.chooseServerAlias(string, prncpls, socket);
+    }
+
+    /**
+     * Passthrough to wrapped keymanager
+     */
+    public X509Certificate[] getCertificateChain(String string) {
+        return keyManager.getCertificateChain(string);
+    }
+
+    /**
+     * Passthrough to wrapped keymanager
+     */
+    public PrivateKey getPrivateKey(String string) {
+        return keyManager.getPrivateKey(string);
+    }
+}
--- a/src/java/davmail/ui/SelectCertificateDialog.java
+++ b/src/java/davmail/ui/SelectCertificateDialog.java
@ -0,0 +1,111 @@
+/*
+ * DavMail POP/IMAP/SMTP/CalDav/LDAP Exchange Gateway
+ * Copyright (C) 2011  Mickael Guessant
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package davmail.ui;
+
+import davmail.BundleMessage;
+import davmail.ui.tray.DavGatewayTray;
+
+import javax.swing.*;
+import java.awt.*;
+import java.awt.event.ActionEvent;
+import java.awt.event.ActionListener;
+
+/**
+ * Let user select a client certificate
+ */
+public class SelectCertificateDialog extends JDialog {
+    protected JList aliasListBox;
+    protected String selectedAlias;
+
+    /**
+     * Gets user selected alias.
+     *
+     * @return user selected alias
+     */
+    public String getSelectedAlias() {
+        return this.selectedAlias;
+    }
+
+    /**
+     * Select a client certificate
+     *
+     * @param aliases An array of certificate aliases for the user to pick from
+     */
+    public SelectCertificateDialog(String[] aliases) {
+        setAlwaysOnTop(true);
+
+        setTitle(BundleMessage.format("UI_CERTIFICATE_ALIAS_PROMPT"));
+        try {
+            setIconImage(DavGatewayTray.getFrameIcon());
+        } catch (NoSuchMethodError error) {
+            DavGatewayTray.debug(new BundleMessage("LOG_UNABLE_TO_SET_ICON_IMAGE"));
+        }
+
+        JPanel questionPanel = new JPanel();
+        questionPanel.setLayout(new BoxLayout(questionPanel, BoxLayout.Y_AXIS));
+        JLabel imageLabel = new JLabel();
+        imageLabel.setIcon(UIManager.getIcon("OptionPane.questionIcon"));
+        imageLabel.setText(BundleMessage.format("UI_CERTIFICATE_ALIAS_PROMPT"));
+        questionPanel.add(imageLabel);
+
+        aliasListBox = new JList(aliases);
+        aliasListBox.setMaximumSize(aliasListBox.getPreferredSize());
+
+        JPanel aliasPanel = new JPanel();
+        aliasPanel.setLayout(new BoxLayout(aliasPanel, BoxLayout.Y_AXIS));
+        aliasPanel.add(aliasListBox);
+
+        add(questionPanel, BorderLayout.NORTH);
+        add(aliasPanel, BorderLayout.CENTER);
+        add(getButtonPanel(), BorderLayout.SOUTH);
+        setModal(true);
+
+        pack();
+        // center frame
+        setLocation(getToolkit().getScreenSize().width / 2 -
+                getSize().width / 2,
+                getToolkit().getScreenSize().height / 2 -
+                        getSize().height / 2);
+        setVisible(true);
+        requestFocus();
+    }
+
+    protected JPanel getButtonPanel() {
+        JPanel buttonPanel = new JPanel();
+        JButton okButton = new JButton(BundleMessage.format("UI_BUTTON_OK"));
+        JButton cancelButton = new JButton(BundleMessage.format("UI_BUTTON_CANCEL"));
+        okButton.addActionListener(new ActionListener() {
+            public void actionPerformed(ActionEvent evt) {
+                selectedAlias = aliasListBox.getSelectedValue().toString();
+                setVisible(false);
+            }
+        });
+        cancelButton.addActionListener(new ActionListener() {
+            public void actionPerformed(ActionEvent evt) {
+                selectedAlias = null;
+                setVisible(false);
+            }
+        });
+
+        buttonPanel.add(okButton);
+        buttonPanel.add(cancelButton);
+        return buttonPanel;
+    }
+
+}