CertConstraintsInterceptor.java

/**
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership. The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License. You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */

package org.apache.cxf.transport.https;

import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.logging.Logger;


import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.transport.http.MessageTrustDecider;
import org.apache.cxf.transport.http.UntrustedURLConnectionIOException;

/**
 * An interceptor that enforces certificate constraints logic at the TLS layer.
 */
public final class CertConstraintsInterceptor extends AbstractPhaseInterceptor<Message> {
    public static final CertConstraintsInterceptor INSTANCE = new CertConstraintsInterceptor();

    static final Logger LOG = LogUtils.getL7dLogger(CertConstraintsInterceptor.class);

    private CertConstraintsInterceptor() {
        super(Phase.PRE_STREAM);
    }

    public void handleMessage(Message message) throws Fault {
        final CertConstraints certConstraints
            = (CertConstraints)message.getContextualProperty(CertConstraints.class.getName());
        if (certConstraints == null) {
            return;
        }

        if (isRequestor(message)) {
            try {
                String scheme = (String)message.get("http.scheme");

                if ("https".equals(scheme)) {
                    final MessageTrustDecider orig = message.get(MessageTrustDecider.class);
                    MessageTrustDecider trust = new HttpsMessageTrustDecider(certConstraints, orig);
                    message.put(MessageTrustDecider.class, trust);
                } else {
                    throw new UntrustedURLConnectionIOException(
                        "TLS is not in use"
                    );
                }
            } catch (UntrustedURLConnectionIOException ex) {
                throw new Fault(ex);
            }
        } else {
            try {
                TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
                final Certificate[] certs = tlsInfo.getPeerCertificates();
                if (certs == null || certs.length == 0) {
                    throw new UntrustedURLConnectionIOException(
                        "No client certificates were found"
                    );
                } else {
                    X509Certificate[] x509Certs = (X509Certificate[])certs;
                    if (!certConstraints.matches(x509Certs[0])) {
                        throw new UntrustedURLConnectionIOException(
                            "The client certificate does not match the defined cert constraints"
                        );
                    }
                }
            } catch (UntrustedURLConnectionIOException ex) {
                throw new Fault(ex);
            }
        }
    }

}