authorIngo Bauersachs <ingo@jitsi.org>2011-09-30 13:44:51 +0000
committerIngo Bauersachs <ingo@jitsi.org>2011-09-30 13:44:51 +0000
commit1269430cb48ab52f80643ce29e2c483354524cc5 (patch)
tree65df8e6658e9f1fa2ed9ccc11e26c76ea5dd634d /src/net
parent2919dc4483c39c6e4dc19ce35122bc0d3900034d (diff)
Add support to validate SSL certificates in the LDAP service
Diffstat (limited to 'src/net')
-rw-r--r--src/net/java/sip/communicator/impl/ldap/LdapDirectoryImpl.java6
-rw-r--r--src/net/java/sip/communicator/impl/ldap/LdapSSLSocketFactoryDelegate.java70
-rw-r--r--src/net/java/sip/communicator/impl/ldap/LdapServiceImpl.java28
-rw-r--r--src/net/java/sip/communicator/impl/ldap/ldap.manifest.mf3
4 files changed, 106 insertions, 1 deletions
diff --git a/src/net/java/sip/communicator/impl/ldap/LdapDirectoryImpl.java b/src/net/java/sip/communicator/impl/ldap/LdapDirectoryImpl.java
index a9373a2..7b1888c 100644
--- a/src/net/java/sip/communicator/impl/ldap/LdapDirectoryImpl.java
+++ b/src/net/java/sip/communicator/impl/ldap/LdapDirectoryImpl.java
@@ -179,6 +179,8 @@ public class LdapDirectoryImpl
break;
case SSL:
this.env.put(Context.SECURITY_PROTOCOL, "ssl");
+ this.env.put("java.naming.ldap.factory.socket",
+ LdapSSLSocketFactoryDelegate.class.getName());
break;
}
@@ -494,6 +496,10 @@ public class LdapDirectoryImpl
}
};
+ // setting the classloader is necessary so that the BundleContext can be
+ // accessed from classes instantiated from JNDI (specifically from our
+ // custom SocketFactory)
+ searchThread.setContextClassLoader(getClass().getClassLoader());
searchThread.setDaemon(true);
searchThread.start();
}
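Review bot: The new `this.env.put("java.naming.ldap.factory.socket", ...)` line carries no comment explaining why the default SSL socket factory is replaced; the reason (hostname validation through the CertificateService, described in LdapSSLSocketFactoryDelegate's Javadoc) is worth a line here, e.g. `// route SSL socket creation through our delegate so the server certificate is validated against the hostname by the CertificateService`. JNDI resolves that class name through the thread context class loader, which the second hunk sets on searchThread only; if a directory context is also opened from another thread (a connection test, for instance, not visible here), the class lookup would presumably fail there, so the classloader setup may belong wherever the context is created rather than on the search thread alone. Both the switch in the first hunk and the method around searchThread start outside the hunks.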
diff --git a/src/net/java/sip/communicator/impl/ldap/LdapSSLSocketFactoryDelegate.java b/src/net/java/sip/communicator/impl/ldap/LdapSSLSocketFactoryDelegate.java
new file mode 100644
index 0000000..8704fc8
--- /dev/null
+++ b/src/net/java/sip/communicator/impl/ldap/LdapSSLSocketFactoryDelegate.java
@@ -0,0 +1,70 @@
+/*
+ * SIP Communicator, the OpenSource Java VoIP and Instant Messaging client.
+ *
+ * Distributable under LGPL license.
+ * See terms of license at gnu.org.
+ */
+package net.java.sip.communicator.impl.ldap;
+
+import java.io.*;
+import java.net.*;
+import java.security.*;
+
+import javax.net.*;
+
+import net.java.sip.communicator.service.certificate.*;
+import net.java.sip.communicator.util.*;
+
+/**
+ * Utility class to delegate the creation of sockets to LDAP servers to our
+ * {@link CertificateService}.
+ * <p>
+ * Note that the documentation says to extend {@link SocketFactory}, but the
+ * LDAP directory context tries to create an unconnected socket without a
+ * hostname first by calling <tt>createSocket</tt>. It would be impossible to
+ * validate the hostname against the certificate, which leads to an insecure
+ * communication. It only calls {@link #createSocket(String, int)} when
+ * <tt>createSocket</tt> is not found
+ *
+ * @author Ingo Bauersachs
+ */
+public class LdapSSLSocketFactoryDelegate
+{
+ private final static Logger logger =
+ Logger.getLogger(LdapSSLSocketFactoryDelegate.class);
+
+ public static Object getDefault()
+ {
+ return new LdapSSLSocketFactoryDelegate();
+ }
+
+ /**
+ * Creates a socket for the specified destination host and port.
+ *
+ * @param host The hostname that the socket connects to.
+ * @param port The port that the socket connects to.
+ * @return The created socket.
+ * @throws IOException
+ * @throws UnknownHostException When the hostname cannot be resolved to an
+ * IP address.
+ */
+ public Socket createSocket(String host, int port)
+ throws IOException,
+ UnknownHostException
+ {
+ try
+ {
+ return LdapServiceImpl
+ .getCertificateService()
+ .getSSLContext(
+ LdapServiceImpl.getCertificateService().getTrustManager(
+ host)).getSocketFactory().createSocket(host, port);
+ }
+ catch (GeneralSecurityException e)
+ {
+ logger.error(
+ "unable to create socket through the certificate service", e);
+ throw new IOException(e.getMessage());
+ }
+ }
+}
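Review bot: `throw new IOException(e.getMessage())` in createSocket drops the GeneralSecurityException as the cause, so the stack trace survives only in the log line above it; `throw new IOException("unable to create socket through the certificate service", e);` keeps it attached to what JNDI reports to the caller. The `@throws IOException` tag in the Javadoc has no description and should say when it is thrown, e.g. `@throws IOException When the certificate service cannot provide an SSL context or the connection fails.` The call `getTrustManager(host)` is the step that binds validation to the target hostname, which is the whole point of this class, so a short comment there (`// trust manager bound to the target host so the certificate is checked against it`) would make that visible at the call site rather than only in the class Javadoc. The class Javadoc's last sentence also lacks a closing period.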
diff --git a/src/net/java/sip/communicator/impl/ldap/LdapServiceImpl.java b/src/net/java/sip/communicator/impl/ldap/LdapServiceImpl.java
index 1651b2c..4c3e91b 100644
--- a/src/net/java/sip/communicator/impl/ldap/LdapServiceImpl.java
+++ b/src/net/java/sip/communicator/impl/ldap/LdapServiceImpl.java
@@ -9,6 +9,8 @@ package net.java.sip.communicator.impl.ldap;
import java.util.*;
import org.osgi.framework.*;
+
+import net.java.sip.communicator.service.certificate.CertificateService;
import net.java.sip.communicator.service.configuration.*;
import net.java.sip.communicator.service.contactsource.ContactSourceService;
import net.java.sip.communicator.service.credentialsstorage.*;
@@ -56,6 +58,11 @@ public class LdapServiceImpl
private static CredentialsStorageService credentialsService;
/**
+ * Reference to the Certificate Verification Service.
+ */
+ private static CertificateService certService = null;
+
+ /**
* Starts the service.
*
* @param bc BundleContext
@@ -123,6 +130,25 @@ public class LdapServiceImpl
}
/**
+ * Gets the <tt>CertificateService</tt> to be used by the functionality of
+ * the addrbook plug-in.
+ *
+ * @return the <tt>CertificateService</tt> to be used by the functionality
+ * of the addrbook plug-in.
+ */
+ public static CertificateService getCertificateService()
+ {
+ if (certService == null)
+ {
+ certService
+ = ServiceUtils.getService(
+ bundleContext,
+ CertificateService.class);
+ }
+ return certService;
+ }
+
+ /**
* Returns all the LDAP directories
*
* @return the LdapDirectorySet containing all the LdapDirectory(s)
@@ -136,7 +162,7 @@ public class LdapServiceImpl
}
/**
- * Required bu interface LdapService.
+ * Required by interface LdapService.
* Returns the LdapFactory, used to
* create LdapDirectory-s, LdapDirectorySettings, LdapQuery, ...
*
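Review bot: The Javadoc on getCertificateService refers to "the addrbook plug-in" twice, which looks copied from another service; in this class it should read `Gets the <tt>CertificateService</tt> used to validate LDAP server certificates.` The method returns null when ServiceUtils.getService finds no CertificateService, and LdapSSLSocketFactoryDelegate.createSocket dereferences the result without a check, so an absent service would surface as a NullPointerException inside JNDI rather than a clear IOException; either document `@return the <tt>CertificateService</tt>, or null if it is not available` or have the delegate translate null into an IOException. The lazy initialisation of the static certService is unsynchronised and, given the classloader change in LdapDirectoryImpl, is reached from the search threads, so two threads may both call getService; that is presumably harmless but deserves a comment. The `= null` initialiser on the static field is redundant.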
diff --git a/src/net/java/sip/communicator/impl/ldap/ldap.manifest.mf b/src/net/java/sip/communicator/impl/ldap/ldap.manifest.mf
index bd27399..183a67f 100644
--- a/src/net/java/sip/communicator/impl/ldap/ldap.manifest.mf
+++ b/src/net/java/sip/communicator/impl/ldap/ldap.manifest.mf
@@ -8,7 +8,10 @@ Import-Package: org.osgi.framework,
javax.naming,
javax.naming.directory,
javax.naming.event,
+ javax.net,
+ javax.net.ssl,
net.java.sip.communicator.util,
+ net.java.sip.communicator.service.certificate,
net.java.sip.communicator.service.configuration,
net.java.sip.communicator.service.credentialsstorage,
net.java.sip.communicator.service.ldap,