diff -r -c openfire_src.orig/src/java/org/jivesoftware/openfire/container/AdminConsolePlugin.java openfire_src/src/java/org/jivesoftware/openfire/container/AdminConsolePlugin.java *** openfire_src.orig/src/java/org/jivesoftware/openfire/container/AdminConsolePlugin.java Fri Nov 21 19:53:55 2008 --- openfire_src/src/java/org/jivesoftware/openfire/container/AdminConsolePlugin.java Mon Dec 29 21:59:18 2008 *************** *** 95,118 **** // Create a connector for https traffic if it's enabled. sslEnabled = false; try { ! if (adminSecurePort > 0 && CertificateManager.isRSACertificate(SSLConfig.getKeyStore(), "*")) { ! if (!CertificateManager.isRSACertificate(SSLConfig.getKeyStore(), ! XMPPServer.getInstance().getServerInfo().getXMPPDomain())) { ! Log.warn("Admin console: Using RSA certificates but they are not valid for the hosted domain"); } JiveSslConnector httpsConnector = new JiveSslConnector(); String bindInterface = getBindInterface(); httpsConnector.setHost(bindInterface); httpsConnector.setPort(adminSecurePort); ! httpsConnector.setTrustPassword(SSLConfig.gets2sTrustPassword()); ! httpsConnector.setTruststoreType(SSLConfig.getStoreType()); ! httpsConnector.setTruststore(SSLConfig.gets2sTruststoreLocation()); ! httpsConnector.setNeedClientAuth(false); ! httpsConnector.setWantClientAuth(false); httpsConnector.setKeyPassword(SSLConfig.getKeyPassword()); httpsConnector.setKeystoreType(SSLConfig.getStoreType()); httpsConnector.setKeystore(SSLConfig.getKeystoreLocation()); --- 95,134 ---- // Create a connector for https traffic if it's enabled. sslEnabled = false; try { ! if (adminSecurePort > 0 && CertificateManager.isRSACertificate(SSLConfig.getAdminKeyStore(), "*")) { ! String fqdn = XMPPServer.getInstance().getServerInfo().getXMPPDomain(); ! if (!CertificateManager.isRSACertificate(SSLConfig.getAdminKeyStore(), fqdn) { ! Log.warn("Admin console: RSA certificate used for the admin console does " + ! 
"not match the domain name '"+ fqdn+"'"); } JiveSslConnector httpsConnector = new JiveSslConnector(); + String bindInterface = getBindInterface(); httpsConnector.setHost(bindInterface); httpsConnector.setPort(adminSecurePort); ! // Only needed if we're actually checking client certs. ! // ! httpsConnector.setTrustPassword(SSLConfig.getAdminTrustPassword()); ! httpsConnector.setTruststoreType(SSLConfig.getAdminStoreType()); ! httpsConnector.setTruststore(SSLConfig.getAdminTruststoreLocation()); ! ! // Set policy for checking client certificates - if any ! String certPol = JiveGlobals.getProperty("xmpp.socket.ssl.admin.policy", "disabled"); ! if(certPol.equals("needed") || certPol.equals("enabled")) { ! httpsConnector.setNeedClientAuth(true); ! httpsConnector.setWantClientAuth(true); ! } else if(certPol.equals("wanted")) { ! httpsConnector.setNeedClientAuth(false); ! httpsConnector.setWantClientAuth(true); ! } else { ! httpsConnector.setNeedClientAuth(false); ! httpsConnector.setWantClientAuth(false); ! 
} + // Cert used for the actual key httpsConnector.setKeyPassword(SSLConfig.getKeyPassword()); httpsConnector.setKeystoreType(SSLConfig.getStoreType()); httpsConnector.setKeystore(SSLConfig.getKeystoreLocation()); diff -r -c openfire_src.orig/src/java/org/jivesoftware/openfire/net/SSLConfig.java openfire_src/src/java/org/jivesoftware/openfire/net/SSLConfig.java *** openfire_src.orig/src/java/org/jivesoftware/openfire/net/SSLConfig.java Fri Nov 21 19:53:56 2008 --- openfire_src/src/java/org/jivesoftware/openfire/net/SSLConfig.java Mon Dec 29 21:58:17 2008 *************** *** 49,54 **** --- 49,58 ---- private static String keyStoreLocation; private static String keypass; + private static KeyStore adminKeyStore; + private static String adminKeyStoreLocation; + private static String adminkeypass; + private static KeyStore s2sTrustStore; private static String s2sTrustStoreLocation; private static String s2sTrustpass; *************** *** 68,79 **** // Get the keystore location. The default location is security/keystore keyStoreLocation = JiveGlobals.getProperty("xmpp.socket.ssl.keystore", "resources" + File.separator + "security" + File.separator + "keystore"); - keyStoreLocation = JiveGlobals.getHomeDirectory() + File.separator + keyStoreLocation; // Get the keystore password. The default password is "changeit". keypass = JiveGlobals.getProperty("xmpp.socket.ssl.keypass", "changeit"); keypass = keypass.trim(); // Get the truststore location for c2s connections c2sTrustStoreLocation = JiveGlobals.getProperty("xmpp.socket.ssl.client.truststore", "resources" + File.separator + "security" + File.separator + "client.truststore"); --- 72,92 ---- // Get the keystore location. The default location is security/keystore keyStoreLocation = JiveGlobals.getProperty("xmpp.socket.ssl.keystore", "resources" + File.separator + "security" + File.separator + "keystore"); // Get the keystore password. The default password is "changeit". 
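Review bot: The second changed line of the hunk has unbalanced parentheses — `if (!CertificateManager.isRSACertificate(SSLConfig.getAdminKeyStore(), fqdn) {` closes the method call but never the `if`, so the file will not compile; it should read `if (!CertificateManager.isRSACertificate(SSLConfig.getAdminKeyStore(), fqdn)) {`. Further down, the certificate check now inspects the admin keystore, yet under `// Cert used for the actual key` the connector is still configured with `SSLConfig.getKeyPassword()`, `SSLConfig.getStoreType()` and `SSLConfig.getKeystoreLocation()`, so the keystore that was validated is not the one the HTTPS connector actually serves from; those lines should use `SSLConfig.getAdminKeyPassword()` and `SSLConfig.getAdminKeystoreLocation()`, which the SSLConfig hunks in this diff add. The hunk also calls `SSLConfig.getAdminTrustPassword()`, `getAdminStoreType()` and `getAdminTruststoreLocation()`, and no hunk in this diff defines them or any admin truststore field, so unless they exist elsewhere these are further compile errors. The enclosing method begins before and continues after the hunk.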
keypass = JiveGlobals.getProperty("xmpp.socket.ssl.keypass", "changeit"); keypass = keypass.trim(); + // Get the admin keystore location. The default location is the keystore location. + adminKeyStoreLocation = JiveGlobals.getProperty("xmpp.socket.ssl.admin.keystore", keyStoreLocation); + + // Get the admin keystore password. The default password is that of the keystore location. + adminkeypass = JiveGlobals.getProperty("xmpp.socket.ssl.admin.keypass", keypass); + adminkeypass = adminkeypass.trim(); + + adminKeyStoreLocation = JiveGlobals.getHomeDirectory() + File.separator + adminKeyStoreLocation; + keyStoreLocation = JiveGlobals.getHomeDirectory() + File.separator + keyStoreLocation; + // Get the truststore location for c2s connections c2sTrustStoreLocation = JiveGlobals.getProperty("xmpp.socket.ssl.client.truststore", "resources" + File.separator + "security" + File.separator + "client.truststore"); *************** *** 91,114 **** s2sTrustpass = JiveGlobals.getProperty("xmpp.socket.ssl.trustpass", "changeit"); s2sTrustpass = s2sTrustpass.trim(); ! // Load s2s keystore and trusstore try { keyStore = KeyStore.getInstance(storeType); keyStore.load(new FileInputStream(keyStoreLocation), keypass.toCharArray()); s2sTrustStore = KeyStore.getInstance(storeType); s2sTrustStore.load(new FileInputStream(s2sTrustStoreLocation), s2sTrustpass.toCharArray()); - - } catch (Exception e) { ! Log.error("SSLConfig startup problem.\n" + " storeType: [" + storeType + "]\n" + " keyStoreLocation: [" + keyStoreLocation + "]\n" + " keypass: [" + keypass + "]\n" + " s2sTrustStoreLocation: [" + s2sTrustStoreLocation + "]\n" + " s2sTrustpass: [" + s2sTrustpass + "]\n"); keyStore = null; s2sTrustStore = null; s2sFactory = null; } --- 104,131 ---- s2sTrustpass = JiveGlobals.getProperty("xmpp.socket.ssl.trustpass", "changeit"); s2sTrustpass = s2sTrustpass.trim(); ! 
// Load s2s keystore and trusstores for the normal http and admin http interface try { keyStore = KeyStore.getInstance(storeType); keyStore.load(new FileInputStream(keyStoreLocation), keypass.toCharArray()); + adminKeyStore = KeyStore.getInstance(storeType); + adminKeyStore.load(new FileInputStream(adminKeyStoreLocation), adminkeypass.toCharArray()); + s2sTrustStore = KeyStore.getInstance(storeType); s2sTrustStore.load(new FileInputStream(s2sTrustStoreLocation), s2sTrustpass.toCharArray()); } catch (Exception e) { ! Log.error("SSLConfig startup problem: "+e.getMessage()+"\n" + " storeType: [" + storeType + "]\n" + " keyStoreLocation: [" + keyStoreLocation + "]\n" + " keypass: [" + keypass + "]\n" + + " admoinKeyStoreLocation: [" + adminKeyStoreLocation + "]\n" + + " adminkeypass: [" + adminKeypass + "]\n" + " s2sTrustStoreLocation: [" + s2sTrustStoreLocation + "]\n" + " s2sTrustpass: [" + s2sTrustpass + "]\n"); keyStore = null; + adminKeyStore = null; s2sTrustStore = null; s2sFactory = null; } *************** *** 129,135 **** c2sTrustStore.load(null, c2sTrustpass.toCharArray()); } catch (Exception ex) { ! Log.error("SSLConfig startup problem.\n" + " storeType: [" + storeType + "]\n" + " c2sTrustStoreLocation: [" + c2sTrustStoreLocation + "]\n" + " c2sTrustPass: [" + c2sTrustpass + "]", e); --- 146,152 ---- c2sTrustStore.load(null, c2sTrustpass.toCharArray()); } catch (Exception ex) { ! 
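Review bot: The new log line references `adminKeypass`, but the field added earlier in this diff is `adminkeypass` (lower-case k), so this catch block will not compile; the label on the preceding added line is also misspelled `admoinKeyStoreLocation`. Beyond that, the added line writes the admin keystore password into the error log in clear text, next to the pre-existing `keypass` and `s2sTrustpass` entries; a startup failure should not leave keystore secrets in the log, so I would log only the location, `" adminKeyStoreLocation: [" + adminKeyStoreLocation + "]\n"`, and drop the password lines. The added `new FileInputStream(adminKeyStoreLocation)` follows the existing pattern of never being closed; holding it in a local and closing it in a `finally` (or try-with-resources, if the project's Java level allows) would avoid leaking the handle. Passing `e` as the trailing `Log.error` argument would also keep the stack trace that `e.getMessage()` alone discards.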
Log.error("SSLConfig startup problem: "+e.getMessage()+"\n" + " storeType: [" + storeType + "]\n" + " c2sTrustStoreLocation: [" + c2sTrustStoreLocation + "]\n" + " c2sTrustPass: [" + c2sTrustpass + "]", e); *************** *** 201,206 **** --- 218,224 ---- " c2sTrustStoreLocation: [" + c2sTrustStoreLocation + "]\n" + " c2sTrustpass: [" + c2sTrustpass + "]", e); keyStore = null; + adminKeyStore = null; s2sTrustStore = null; c2sTrustStore = null; s2sFactory = null; *************** *** 218,223 **** --- 236,250 ---- } /** + * Get the Admin Key Store password + * + * @return the key store password + */ + public static String getAdminKeyPassword() { + return adminkeypass; + } + + /** * Return the Trust Store password for s2s connections. * * @return the s2s trust store password. *************** *** 271,276 **** --- 298,315 ---- } /** + * Get the Admin Key Store + * + * @return the Key Store + */ + public static KeyStore getAdminKeyStore() throws IOException { + if (adminKeyStore == null) { + throw new IOException(); + } + return adminKeyStore; + } + + /** * Get the Trust Store for s2s connections * * @return the s2s Trust Store *************** *** 296,302 **** /** * Initializes (wipes and recreates) the keystore, and returns the new keystore. ! * * @return Newly initialized keystore. */ public static KeyStore initializeKeyStore() { --- 335,341 ---- /** * Initializes (wipes and recreates) the keystore, and returns the new keystore. ! * @todo Never used ? * @return Newly initialized keystore. */ public static KeyStore initializeKeyStore() { *************** *** 369,374 **** --- 408,422 ---- } /** + * Get the Admin Key Store location + * + * @return the admin keystore location + */ + public static String getAdminKeystoreLocation() { + return adminKeyStoreLocation; + } + + /** * Get the s2s Trust Store location * * @return the s2s Trust Store location
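Review bot: The rewritten `Log.error` sits inside `catch (Exception ex)` but reports `e.getMessage()`, so the exception actually raised by the fallback `c2sTrustStore.load(null, ...)` — `ex` — is never surfaced; the enclosing try/catch starts before the hunk, so I cannot confirm what `e` refers to, but if it is an outer exception the message describes the wrong failure. I would log `ex` here, e.g. `Log.error("SSLConfig startup problem: " + ex.getMessage() + "\n" + ..., ex);`, or include both. The message also still prints `c2sTrustpass` in clear text, which an error log should not carry.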
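Review bot: `getAdminKeyStore()` throws a bare `new IOException()` with no message, so a caller such as the admin console connector setup gets an exception with a null message and no indication that the admin keystore failed to load at startup; `throw new IOException("Admin keystore is not available; see SSLConfig startup errors");` would be far easier to diagnose. The Javadoc should also carry `@throws IOException if the admin keystore could not be loaded`, matching the declared signature, and the summary could say that the store returned is the one loaded from the `xmpp.socket.ssl.admin.keystore` location.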
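Review bot: `@todo` is not a standard Javadoc tag, so the rewritten line will produce an unknown-tag warning from `javadoc`; the remark reads better as a `// TODO: confirm whether initializeKeyStore() is still called` comment in the method body, or should be dropped once the question is settled. The change also replaced the blank ` *` separator, so the description and `@return` now run together without the usual gap.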