Source Code of io.undertow.security.impl.ClientCertAuthenticationMechanism

/*
 * JBoss, Home of Professional Open Source.
 * Copyright 2013 Red Hat, Inc., and individual contributors
 * as indicated by the @author tags.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package io.undertow.security.impl;

import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.AuthenticationMechanismFactory;
import io.undertow.security.api.SecurityContext;
import io.undertow.security.idm.Account;
import io.undertow.security.idm.Credential;
import io.undertow.security.idm.IdentityManager;
import io.undertow.security.idm.X509CertificateCredential;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.RenegotiationRequiredException;
import io.undertow.server.SSLSessionInfo;
import io.undertow.server.handlers.form.FormParserFactory;
import org.xnio.SslClientAuthMode;

import javax.net.ssl.SSLPeerUnverifiedException;
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Map;

/**
 * The Client Cert based authentication mechanism.
 * <p/>
 * When authenticate is called the current request is checked to see if it a SSL request, this is further checked to identify if
 * the client has been verified at the SSL level.
 *
 * @author <a href="mailto:darran.lofthouse@jboss.com">Darran Lofthouse</a>
 */
public class ClientCertAuthenticationMechanism implements AuthenticationMechanism {

    public static final String FORCE_RENEGOTIATION = "force_renegotiation";

    private final String name;
    /**
     * If we should force a renegotiation if client certs were not supplied. <code>true</code> by default
     */
    private final boolean forceRenegotiation;

    public static final Factory FACTORY = new Factory();

    public ClientCertAuthenticationMechanism() {
        this(true);
    }

    public ClientCertAuthenticationMechanism(boolean forceRenegotiation) {
        this("CLIENT_CERT", forceRenegotiation);
    }

    public ClientCertAuthenticationMechanism(final String mechanismName) {
        this(mechanismName, true);
    }

    public ClientCertAuthenticationMechanism(final String mechanismName, boolean forceRenegotiation) {
        this.name = mechanismName;
        this.forceRenegotiation = forceRenegotiation;
    }

    public AuthenticationMechanismOutcome authenticate(final HttpServerExchange exchange, final SecurityContext securityContext) {
        SSLSessionInfo sslSession = exchange.getConnection().getSslSessionInfo();
        if (sslSession != null) {
            try {
                Certificate[] clientCerts = getPeerCertificates(exchange, sslSession, securityContext);
                if (clientCerts[0] instanceof X509Certificate) {
                    Credential credential = new X509CertificateCredential((X509Certificate) clientCerts[0]);

                    IdentityManager idm = securityContext.getIdentityManager();
                    Account account = idm.verify(credential);
                    if (account != null) {
                        securityContext.authenticationComplete(account, name, false);
                        return AuthenticationMechanismOutcome.AUTHENTICATED;
                    }
                }
            } catch (SSLPeerUnverifiedException e) {
                // No action - this mechanism can not attempt authentication without peer certificates so allow it to drop out
                // to NOT_ATTEMPTED.
            }
        }

        /*
         * For ClientCert we do not have a concept of a failed authentication, if the client did use a key then it was deemed
         * acceptable for the connection to be established, this mechanism then just 'attempts' to use it for authentication but
         * does not mandate success.
         */

        return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
    }

    private Certificate[] getPeerCertificates(final HttpServerExchange exchange, SSLSessionInfo sslSession, SecurityContext securityContext) throws SSLPeerUnverifiedException {
        try {
            return sslSession.getPeerCertificates();
        } catch (RenegotiationRequiredException e) {
            //we only renegotiate if authentication is required
            if (forceRenegotiation && securityContext.isAuthenticationRequired()) {
                try {
                    sslSession.renegotiate(exchange, SslClientAuthMode.REQUESTED);
                    return sslSession.getPeerCertificates();

                } catch (IOException e1) {
                    //ignore
                } catch (RenegotiationRequiredException e1) {
                    //ignore
                }
            }
        }
        throw new SSLPeerUnverifiedException("");
    }

    @Override
    public ChallengeResult sendChallenge(HttpServerExchange exchange, SecurityContext securityContext) {
        return new ChallengeResult(false);
    }

    private static final class Factory implements AuthenticationMechanismFactory {

        @Override
        public AuthenticationMechanism create(String mechanismName, FormParserFactory formParserFactory, Map<String, String> properties) {
            String forceRenegotiation = properties.get(FORCE_RENEGOTIATION);
            return new ClientCertAuthenticationMechanism(mechanismName, forceRenegotiation == null ? true : "true".equals(forceRenegotiation));
        }
    }

}