サーバは次に、 INTEGRITY
レベルの保護を指定するSecurityPolicyを使用し、クライアント認証は使用することなく一時POAであるsslPOA
を作成します。デフォルトの暗号が機密性のために指定されている場合でも、このPOAの対象となるオブジェクトのグループは、通信を保護するために統合専用の暗号を使用します。
安全なHelloオブジェクトのIORは、統合を指定するSSLコンポーネントを含み、ターゲットオプションで信頼を確立します。parseIORからの出力:package sslHello; import util.Util; import java.io.File; import java.io.FileInputStream; import org.omg.CORBA.Any; import org.omg.CORBA.ORB; import org.omg.CORBA.Policy; import org.omg.PortableServer.POA; import org.omg.PortableServer.Servant; import org.omg.PortableServer.ImplicitActivationPolicyValue; import com.sssw.jbroker.api.security.QualityOfProtection; import com.sssw.jbroker.api.security.CSIv2.ClientAuthInfo; import com.sssw.jbroker.api.security.CSIv2.SecurityPolicy; import com.sssw.jbroker.api.security.CSIv2.SecureTransportInfo; import com.sssw.jbroker.api.security.CSIv2.SecurityPolicyValue; public class Server { public static void main(String[] args) { | try { | | | | // create the jBroker ORB | | ORB orb = ORB.init(args, null); | | | | // initialize support for SSL | | SSLUtil.initializeSSL(orb, args[0], null, true); | | | | // get the root POA | | POA rootPOA = (POA) orb.resolve_initial_references("RootPOA"); | | | | // create the security policy | | SecureTransportInfo transport = new SecureTransportInfo( | | QualityOfProtection.INTEGRITY, null, 0, false, false, true); | | Any secPolicy = orb.create_any(); | | secPolicy.insert_Value(new SecurityPolicyValue(transport, null, | | false)); | | | | // create the secure POA | | POA sslPOA = rootPOA.create_POA("sslPOA", | | rootPOA.the_POAManager(), | | new Policy[] { | | | rootPOA.create_implicit_activation_policy( | | | ImplicitActivationPolicyValue.IMPLICIT_ACTIVATION), | | | orb.create_policy(SecurityPolicy.POLICY_TYPE, secPolicy) | | }); | | | | // create a servant | | Servant hello = new HelloImpl(orb); | | | | // create a stringified object reference | | String helloIOR = orb.object_to_string( | | sslPOA.servant_to_reference(hello)); | | | | // write the stringified object reference | | Util.writeIOR(helloIOR, "ior", true); | | | | // activate the SSL POA | | sslPOA.the_POAManager().activate(); | | | | // wait for invocations | | System.out.println("waiting for invocations ..."); | | orb.run(); | | | } catch (Exception ex) { | | ex.printStackTrace(); | } } }
Type Id = IDL:helloWorld/Hello:1.0 Profiles = 1 Internet Inter-ORB Protocol (IIOP) Profile: version = 1.1 host = godel port = 0 obj key = 4A424B52 00020001 16A8D28D 5B545203 JBKR........[TR. 00000001 .... components = 1 TAG_SSL_SEC_TRANS : requires:integrity, authenticate target, SSL port: 46020
package sslHello; import org.omg.CORBA.ORB; import com.sssw.jbroker.api.security.SecurityCurrent; public class HelloImpl extends helloWorld.HelloPOA { SecurityCurrent _securityCurrent; public HelloImpl(ORB orb) { | try { | | _securityCurrent = (SecurityCurrent) orb. | | resolve_initial_references("SecurityCurrent"); | } catch (Exception ex) { | | ex.printStackTrace(); | } | | com.sssw.jbroker.orb.RequestHandlerImpl._debug = true; } public String sayHello() { | try { | | System.out.println("Caller Address: " + | | _securityCurrent.getInetAddress()); | | | | System.out.println("Negotiated Cipher: " + | | _securityCurrent.getNegotiatedCipherSuite()); | | | | SSLUtil.printCertChain(_securityCurrent.getCertificateChain()); | | | } catch (Exception ex) { | | ex.printStackTrace(); | } | | return "Hello World!\n"; } }
クライアントはその後、Hello
オブジェクト参照を取得し、そのsayHello
メソッドを呼び出します。クライアントはまた、ネゴシエーションCipherSuiteだけではなく、サーバの証明書チェーンを判別するために呼び出すことができるSSL指定メソッドも示します。クライアントにより呼び出される任意のメソッドの前でも同様です。
package sslHello; import util.Util; import org.omg.CORBA.ORB; import org.omg.CORBA.portable.ObjectImpl; import java.io.ByteArrayInputStream; import helloWorld.Hello; import helloWorld.HelloHelper; import com.sssw.jbroker.api.security.CipherSuite; import com.sssw.jbroker.api.security.SecurityCurrent; public class Client { public static void main(String[] args) { | try { | | | | // create the jBroker ORB | | ORB orb = ORB.init(args, null); | | | | // initialize SSL | | SSLUtil.initializeSSL(orb, args[0], CipherSuite. | | CIPHER_SUITES_INTEGRITY_ONLY, false); | | | | // read the stringified object reference | | String helloIOR = Util.readIOR("ior"); | | | | // narrow the stringified object | | Hello hello = HelloHelper.narrow(orb.string_to_object(helloIOR)); | | | | // get the SecurityCurrent | | SecurityCurrent secCurrent = (SecurityCurrent) orb. | | resolve_initial_references("SecurityCurrent"); | | | | // print the negotiated ciphers | | System.out.println("Negotiated Cipher: " + | | secCurrent.getNegotiatedCipherSuite((ObjectImpl) hello)); | | | | // print out the peer certificates (Java 2 only) | | SSLUtil.printCertChain(secCurrent.getCertificateChain( | | (ObjectImpl) hello)); | | | | // invoke method on the object | | System.out.println(hello.sayHello()); | | | } catch (Exception ex) { | | ex.printStackTrace(); | } } }
initializeSSL
メソッドはORBからCertificateManagerを取得し、SSLが動作するのに必要な様々なデータ(証明書、プライベートキー、パスフェーズ、信頼CA、およびCipher Suites)を設定します。
package sslHello; import com.sssw.jbroker.api.security.CipherSuite; import com.sssw.jbroker.api.security.CertificateManager; import java.io.*; import java.lang.reflect.Method; import org.omg.CORBA.ORB; import com.sssw.jbroker.api.security.CipherSuite; import com.sssw.jbroker.tools.security.PrintCert; public class SSLUtil { public static void initializeSSL(ORB orb, String dir, CipherSuite[] cipherSuites, boolean server) throws Exception { | // get the certificate Manager | CertificateManager certMgr = (CertificateManager) orb. | resolve_initial_references("CertificateManager"); | | // the dierctory with certs and keys | dir = dir + File.separator; | | // set cipher suite | certMgr.setCipherSuites(cipherSuites); | | // determine cert chain and private key files | String privKey = null, certChain = null; | if (server) { | | privKey = "data/serverKey.pkcs8"; | | certChain = "data/serverCertChain.chain"; | } else { | | privKey = "data/clientKey.pkcs8"; | | certChain = "data/clientCertChain.chain"; | } | | // set certificate chain and private key | if (privKey != null) { | | | | // load the private key | | byte[] privateKey = loadFromFile(new File(dir + privKey)); | | | | // load the certificate chain | | byte[][] serverCertChain = loadChainFromFile( | | new File(dir + certChain)); | | | | // set certificate chain and private key | | certMgr.setCertificateChain(serverCertChain, privateKey, "test"); | } | | // get the list of trusted CA certificates | File certDir = new File(dir, "certs"); | String[] certs = certDir.list(new FilenameFilter() { | | public boolean accept(File dir, String name) { | | | return name.endsWith(".cert") ? true : false; | | } | }); | | // set the trusted CAs | for (int i=0; i < certs.length; i++) | certMgr.addCACertificate(loadFromFile(new File(certDir, certs[i]))); } // print the certificate using reflection public static void printCertChain(byte[][] certs) throws Exception { | System.out.print("Peer Certificate Chain: "); | if (certs != null) { | | for (int i=0; i < certs.length; i++) { | | | if (_genCertMethod != null) { | | | | Object cert = _genCertMethod.invoke(_certFactory, | | | | new Object[] { new ByteArrayInputStream(certs[i]) }); | | | | System.out.println(cert); | | | } else PrintCert.doPrint(certs[i]); // jBroker internal API | | } | } else System.out.println("<null>"); } private static byte[][] loadChainFromFile(File file) throws IOException { | DataInputStream dis = new DataInputStream(new FileInputStream(file)); | | // get the size of the chain | int chainLen = dis.readInt(); | byte[][] chain = new byte[chainLen][]; | | // read in the individual elements | for (int i=0; i < chainLen; i++) { | | chain[i] = new byte[dis.readInt()]; | | dis.readFully(chain[i]); | } | | // return the chain | dis.close(); return chain; } private static byte[] loadFromFile(File file) throws IOException { | DataInputStream dis = new DataInputStream(new FileInputStream(file)); | byte[] bytes = new byte[dis.available()]; | dis.readFully(bytes); dis.close(); | return bytes; } // is Certificate Factory available private static Object _certFactory = null; private static Method _genCertMethod = null; static { | try { | | Class certFactoryClass = Class.forName( | | "java.security.cert.CertificateFactory"); | | Method getInstanceMethod = certFactoryClass.getDeclaredMethod( | | "getInstance", new Class[] { String.class }); | | _certFactory = getInstanceMethod.invoke(null, new Object[] { | | "X.509"}); | | _genCertMethod = _certFactory.getClass().getDeclaredMethod( | | "generateCertificate", new Class[] { InputStream.class }); | } catch (Throwable ex) {} } }
Copyright © 2000-2003, Novell, Inc.All rights reserved. |