Skip to content
Snippets Groups Projects
Commit e583419d authored by eugene.livis's avatar eugene.livis
Browse files

More work

parent f441c4e2
No related branches found
No related tags found
No related merge requests found
...@@ -39,17 +39,37 @@ class CaseDatabaseFactory { ...@@ -39,17 +39,37 @@ class CaseDatabaseFactory {
private static final Logger logger = Logger.getLogger(CaseDatabaseFactory.class.getName()); private static final Logger logger = Logger.getLogger(CaseDatabaseFactory.class.getName());
private final SQLHelper dbQueryHelper; private final SQLHelper dbQueryHelper;
private final DbCreationHelper dbCreationHelper; private final DbCreationHelper dbCreationHelper;
// ssl=true: enables SSL encryption.
// DefaultJavaSSLFactory: uses Java's default truststore to validate server certificate.
// sslmode=verify-ca: verifies that the server we are connecting to is trusted by CA.
final static String SSL_VERIFY_URL = "?ssl=true&sslfactory=org.postgresql.ssl.DefaultJavaSSLFactory&sslmode=verify-ca";
// ssl=true: enables SSL encryption. // ssl=true: enables SSL encryption.
// NonValidatingFactory avoids hostname verification. // NonValidatingFactory avoids hostname verification.
// sslmode=require: This mode makes the encryption mandatory and also requires the connection to fail if it can't be encrypted. // sslmode=require: This mode makes the encryption mandatory and also requires the connection to fail if it can't be encrypted.
// In this mode, the JDBC driver accepts all server certificates, including self-signed ones. // In this mode, the JDBC driver accepts all server certificates, including self-signed ones.
final static String SSL_NONVERIFY_URL = "?ssl=true&sslfactory=org.postgresql.ssl.NonValidatingFactory&sslmode=require"; final static String SSL_NONVERIFY_URL = "?ssl=true&sslfactory=org.postgresql.ssl.NonValidatingFactory&sslmode=require";
// ssl=true: enables SSL encryption.
// DefaultJavaSSLFactory: uses Java's default truststore to validate server certificate.
// sslmode=verify-ca: verifies that the server we are connecting to is trusted by CA.
final static String SSL_VERIFY_DEFAULT_URL = "?ssl=true&sslfactory=org.postgresql.ssl.DefaultJavaSSLFactory&sslmode=verify-ca";
/**
* Creates JDBC URL string for implementations that use custom keystore to
* validate PostgreSQL CA-signed SSL certificates. The class that performs
* SSL certificate validation must extend org.postgresql.ssl.WrappedFactory
* and generally must follow the same logic.
*
* ssl=true: enables SSL encryption. sslmode=verify-ca: verifies that the
* server we are connecting to is trusted by CA.
*
* @param customSslValidationClassName full canonical name of a Java class
* that performs custom SSL certificate
* validation.
*
* @return JDBS URL string used to connect to PosgreSQL server via CA-signed
* SSL certificate.
*/
static String getCustomPostrgesSslVerificationUrl(String customSslValidationClassName) {
return "?ssl=true&sslfactory=" + customSslValidationClassName + "&sslmode=verify-ca";
}
/** /**
* Create a new SQLite case * Create a new SQLite case
...@@ -726,7 +746,12 @@ Connection getConnection(String databaseName) throws TskCoreException { ...@@ -726,7 +746,12 @@ Connection getConnection(String databaseName) throws TskCoreException {
if (info.isSslEnabled()) { if (info.isSslEnabled()) {
if (info.isSslVerify()) { if (info.isSslVerify()) {
url.append(SSL_VERIFY_URL); if (info.getCustomSslValidationClassName().isBlank()) {
url.append(SSL_VERIFY_DEFAULT_URL);
} else {
// use custom SSL certificate validation class
url.append(getCustomPostrgesSslVerificationUrl(info.getCustomSslValidationClassName()));
}
} else { } else {
url.append(SSL_NONVERIFY_URL); url.append(SSL_NONVERIFY_URL);
} }
......
...@@ -36,6 +36,7 @@ public class CaseDbConnectionInfo { ...@@ -36,6 +36,7 @@ public class CaseDbConnectionInfo {
private DbType dbType; private DbType dbType;
private boolean sslEnabled = false; private boolean sslEnabled = false;
private boolean sslVerify = false; private boolean sslVerify = false;
private String customSslValidationClassName;
/** /**
* The intent of this class is to hold any information needed to connect to * The intent of this class is to hold any information needed to connect to
...@@ -62,6 +63,7 @@ public CaseDbConnectionInfo(String hostNameOrIP, String portNumber, String userN ...@@ -62,6 +63,7 @@ public CaseDbConnectionInfo(String hostNameOrIP, String portNumber, String userN
throw new IllegalArgumentException("SQLite database type invalid for CaseDbConnectionInfo. CaseDbConnectionInfo should be used only for remote database types."); throw new IllegalArgumentException("SQLite database type invalid for CaseDbConnectionInfo. CaseDbConnectionInfo should be used only for remote database types.");
} }
this.dbType = dbType; this.dbType = dbType;
this.customSslValidationClassName = "";
} }
/** /**
...@@ -80,8 +82,11 @@ public CaseDbConnectionInfo(String hostNameOrIP, String portNumber, String userN ...@@ -80,8 +82,11 @@ public CaseDbConnectionInfo(String hostNameOrIP, String portNumber, String userN
* @param dbType the database type * @param dbType the database type
* @param sslEnabled a flag whether SSL is enabled * @param sslEnabled a flag whether SSL is enabled
* @param sslVerify 'true' if SSL certificate needs to be CA verified. 'false' if self-signed certificates should be accepted. * @param sslVerify 'true' if SSL certificate needs to be CA verified. 'false' if self-signed certificates should be accepted.
* @param customSslValidationClassName full canonical name of a Java class
* that performs custom SSL certificate
* validation.
*/ */
public CaseDbConnectionInfo(String hostNameOrIP, String portNumber, String userName, String password, DbType dbType, boolean sslEnabled, boolean sslVerify) { public CaseDbConnectionInfo(String hostNameOrIP, String portNumber, String userName, String password, DbType dbType, boolean sslEnabled, boolean sslVerify, String customSslValidationClassName) {
this.hostNameOrIP = hostNameOrIP; this.hostNameOrIP = hostNameOrIP;
this.portNumber = portNumber; this.portNumber = portNumber;
this.userName = userName; this.userName = userName;
...@@ -92,6 +97,7 @@ public CaseDbConnectionInfo(String hostNameOrIP, String portNumber, String userN ...@@ -92,6 +97,7 @@ public CaseDbConnectionInfo(String hostNameOrIP, String portNumber, String userN
throw new IllegalArgumentException("SQLite database type invalid for CaseDbConnectionInfo. CaseDbConnectionInfo should be used only for remote database types."); throw new IllegalArgumentException("SQLite database type invalid for CaseDbConnectionInfo. CaseDbConnectionInfo should be used only for remote database types.");
} }
this.dbType = dbType; this.dbType = dbType;
this.customSslValidationClassName = customSslValidationClassName;
} }
public DbType getDbType() { public DbType getDbType() {
...@@ -149,4 +155,12 @@ public boolean isSslVerify() { ...@@ -149,4 +155,12 @@ public boolean isSslVerify() {
public void setSslVerify(boolean sslVerify) { public void setSslVerify(boolean sslVerify) {
this.sslVerify = sslVerify; this.sslVerify = sslVerify;
} }
public String getCustomSslValidationClassName() {
return customSslValidationClassName;
}
public void setCustomSslValidationClassName(String customSslValidationClassName) {
this.customSslValidationClassName = customSslValidationClassName;
}
} }
/* /*
* Sleuth Kit Data Model * Sleuth Kit Data Model
* *
* Copyright 2011-2021 Basis Technology Corp. * Copyright 2011-2023 Basis Technology Corp.
* Contact: carrier <at> sleuthkit <dot> org * Contact: carrier <at> sleuthkit <dot> org
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
...@@ -296,7 +296,12 @@ public static void tryConnect(CaseDbConnectionInfo info) throws TskCoreException ...@@ -296,7 +296,12 @@ public static void tryConnect(CaseDbConnectionInfo info) throws TskCoreException
String connectionURL = "jdbc:postgresql://" + info.getHost() + ":" + info.getPort() + "/postgres"; String connectionURL = "jdbc:postgresql://" + info.getHost() + ":" + info.getPort() + "/postgres";
if (info.isSslEnabled()) { if (info.isSslEnabled()) {
if (info.isSslVerify()) { if (info.isSslVerify()) {
connectionURL += CaseDatabaseFactory.SSL_VERIFY_URL; if (info.getCustomSslValidationClassName().isBlank()) {
connectionURL += CaseDatabaseFactory.SSL_VERIFY_DEFAULT_URL;
} else {
// use custom SSL certificate validation class
connectionURL += CaseDatabaseFactory.getCustomPostrgesSslVerificationUrl(info.getCustomSslValidationClassName());
}
} else { } else {
connectionURL += CaseDatabaseFactory.SSL_NONVERIFY_URL; connectionURL += CaseDatabaseFactory.SSL_NONVERIFY_URL;
} }
...@@ -13407,7 +13412,12 @@ private final class PostgreSQLConnections extends ConnectionPool { ...@@ -13407,7 +13412,12 @@ private final class PostgreSQLConnections extends ConnectionPool {
+ URLEncoder.encode(dbName, StandardCharsets.UTF_8.toString()); + URLEncoder.encode(dbName, StandardCharsets.UTF_8.toString());
if (info.isSslEnabled()) { if (info.isSslEnabled()) {
if (info.isSslVerify()) { if (info.isSslVerify()) {
connectionURL += CaseDatabaseFactory.SSL_VERIFY_URL; if (info.getCustomSslValidationClassName().isBlank()) {
connectionURL += CaseDatabaseFactory.SSL_VERIFY_DEFAULT_URL;
} else {
// use custom SSL certificate validation class
connectionURL += CaseDatabaseFactory.getCustomPostrgesSslVerificationUrl(info.getCustomSslValidationClassName());
}
} else { } else {
connectionURL += CaseDatabaseFactory.SSL_NONVERIFY_URL; connectionURL += CaseDatabaseFactory.SSL_NONVERIFY_URL;
} }
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment