cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From DaanHoogland <...@git.apache.org>
Subject [GitHub] cloudstack pull request: 4.9/master bountycastle changes
Date Thu, 19 May 2016 09:54:40 GMT
Github user DaanHoogland commented on a diff in the pull request:

    https://github.com/apache/cloudstack/pull/1511#discussion_r63851057
  
    --- Diff: server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java ---
    @@ -341,179 +350,172 @@ public SslCertResponse createCertResponse(SslCertVO cert, List<LoadBalancerCertM
     
         private void validateCert(Certificate cert, boolean chainPresent) {
     
    -        if (!(cert instanceof X509Certificate))
    +        if (!(cert instanceof X509Certificate)) {
                 throw new IllegalArgumentException("Invalid certificate format. Expected
X509 certificate");
    +        }
     
             try {
                 ((X509Certificate)cert).checkValidity();
    -        } catch (Exception e) {
    +        } catch (final Exception e) {
                 throw new IllegalArgumentException("Certificate expired or not valid", e);
             }
         }
     
         private void validateKeys(PublicKey pubKey, PrivateKey privKey) {
     
    -        if (pubKey.getAlgorithm() != privKey.getAlgorithm())
    +        if (pubKey.getAlgorithm() != privKey.getAlgorithm()) {
                 throw new IllegalArgumentException("Public and private key have different
algorithms");
    +        }
     
             // No encryption for DSA
    -        if (pubKey.getAlgorithm() != "RSA")
    +        if (pubKey.getAlgorithm() != "RSA") {
                 return;
    +        }
     
             try {
     
    -            String data = "ENCRYPT_DATA";
    -            SecureRandom random = new SecureRandom();
    -            Cipher cipher = Cipher.getInstance(pubKey.getAlgorithm());
    +            final String data = "ENCRYPT_DATA";
    +            final SecureRandom random = new SecureRandom();
    +            final Cipher cipher = Cipher.getInstance(pubKey.getAlgorithm());
                 cipher.init(Cipher.ENCRYPT_MODE, privKey, random);
    -            byte[] encryptedData = cipher.doFinal(data.getBytes());
    +            final byte[] encryptedData = cipher.doFinal(data.getBytes());
     
                 cipher.init(Cipher.DECRYPT_MODE, pubKey, random);
    -            String decreptedData = new String(cipher.doFinal(encryptedData));
    -            if (!decreptedData.equals(data))
    +            final String decreptedData = new String(cipher.doFinal(encryptedData));
    +            if (!decreptedData.equals(data)) {
                     throw new IllegalArgumentException("Bad public-private key");
    +            }
     
    -        } catch (BadPaddingException e) {
    +        } catch (final BadPaddingException e) {
                 throw new IllegalArgumentException("Bad public-private key", e);
    -        } catch (IllegalBlockSizeException e) {
    +        } catch (final IllegalBlockSizeException e) {
                 throw new IllegalArgumentException("Bad public-private key", e);
    -        } catch (NoSuchPaddingException e) {
    +        } catch (final NoSuchPaddingException e) {
                 throw new IllegalArgumentException("Bad public-private key", e);
    -        } catch (InvalidKeyException e) {
    +        } catch (final InvalidKeyException e) {
                 throw new IllegalArgumentException("Invalid public-private key", e);
    -        } catch (NoSuchAlgorithmException e) {
    +        } catch (final NoSuchAlgorithmException e) {
                 throw new IllegalArgumentException("Invalid algorithm for public-private
key", e);
             }
         }
     
         private void validateChain(List<Certificate> chain, Certificate cert) {
     
    -        List<Certificate> certs = new ArrayList<Certificate>();
    -        Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
    +        final List<Certificate> certs = new ArrayList<Certificate>();
    +        final Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
     
             certs.add(cert); // adding for self signed certs
             certs.addAll(chain);
     
    -        for (Certificate c : certs) {
    -            if (!(c instanceof X509Certificate))
    +        for (final Certificate c : certs) {
    +            if (!(c instanceof X509Certificate)) {
                     throw new IllegalArgumentException("Invalid chain format. Expected X509
certificate");
    +            }
     
    -            X509Certificate xCert = (X509Certificate)c;
    +            final X509Certificate xCert = (X509Certificate)c;
     
    -            Principal subject = xCert.getSubjectDN();
    -            Principal issuer = xCert.getIssuerDN();
    +            xCert.getSubjectDN();
    +            xCert.getIssuerDN();
     
                anchors.add(new TrustAnchor(xCert, null));
             }
     
    -        X509CertSelector target = new X509CertSelector();
    +        final X509CertSelector target = new X509CertSelector();
             target.setCertificate((X509Certificate)cert);
     
             PKIXBuilderParameters params = null;
             try {
                 params = new PKIXBuilderParameters(anchors, target);
                 params.setRevocationEnabled(false);
                 params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(certs)));
    -            CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", "BC");
    +            final CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", "BC");
                 builder.build(params);
     
    -        } catch (InvalidAlgorithmParameterException e) {
    +        } catch (final InvalidAlgorithmParameterException e) {
                 throw new IllegalArgumentException("Invalid certificate chain", e);
    -        } catch (CertPathBuilderException e) {
    +        } catch (final CertPathBuilderException e) {
                 throw new IllegalArgumentException("Invalid certificate chain", e);
    -        } catch (NoSuchAlgorithmException e) {
    +        } catch (final NoSuchAlgorithmException e) {
                 throw new IllegalArgumentException("Invalid certificate chain", e);
    -        } catch (NoSuchProviderException e) {
    +        } catch (final NoSuchProviderException e) {
                 throw new CloudRuntimeException("No provider for certificate validation",
e);
             }
     
         }
     
    -    public PrivateKey parsePrivateKey(String key, String password) throws IOException
{
    -
    -        PasswordFinder pGet = null;
    -
    -        if (password != null)
    -            pGet = new KeyPassword(password.toCharArray());
    -
    -        PEMReader privateKey = new PEMReader(new StringReader(key), pGet);
    -        Object obj = null;
    -        try {
    -            obj = privateKey.readObject();
    -        } finally {
    -            IOUtils.closeQuietly(privateKey);
    -        }
    -
    -        try {
    -
    -            if (obj instanceof KeyPair)
    -                return ((KeyPair)obj).getPrivate();
    -
    -            return (PrivateKey)obj;
    -
    -        } catch (Exception e) {
    +    public PrivateKey parsePrivateKey(final String key, final String password) throws
IOException {
    +        try (final PemReader pemReader = new PemReader(new StringReader(key));) {
    +            final PemObject pemObject = pemReader.readPemObject();
    +            final byte[] content = pemObject.getContent();
    +            final PKCS8EncodedKeySpec privKeySpec = new PKCS8EncodedKeySpec(content);
    +            final KeyFactory factory = KeyFactory.getInstance("RSA", "BC");
    +            return factory.generatePrivate(privKeySpec);
    +        } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
    +            throw new IOException("No encryption provider available.", e);
    +        } catch (final InvalidKeySpecException e) {
                 throw new IOException("Invalid Key format or invalid password.", e);
             }
         }
     
         public Certificate parseCertificate(String cert) {
    -        PEMReader certPem = new PEMReader(new StringReader(cert));
    +        final PemReader certPem = new PemReader(new StringReader(cert));
             try {
    -            return (Certificate)certPem.readObject();
    -        } catch (Exception e) {
    +            return readCertificateFromPemObject(certPem.readPemObject());
    +        } catch (final Exception e) {
                 throw new InvalidParameterValueException("Invalid Certificate format. Expected
X509 certificate. Failed due to " + e.getMessage());
             } finally {
                 IOUtils.closeQuietly(certPem);
             }
         }
     
    -    public List<Certificate> parseChain(String chain) throws IOException {
    +    private Certificate readCertificateFromPemObject(PemObject pemObject) throws CertificateException
{
    +        final ByteArrayInputStream bais = new ByteArrayInputStream(pemObject.getContent());
    +        final CertificateFactory certificateFactory = CertificateFactory.getInstance("X509");
     
    -        List<Certificate> certs = new ArrayList<Certificate>();
    -        PEMReader reader = new PEMReader(new StringReader(chain));
    +        return certificateFactory.generateCertificate(bais);
    +    }
     
    -        Certificate crt = null;
     
    -        while ((crt = (Certificate)reader.readObject()) != null) {
    -            if (crt instanceof X509Certificate) {
    -                certs.add(crt);
    -            }
    -        }
    -        if (certs.size() == 0)
    -            throw new IllegalArgumentException("Unable to decode certificate chain");
    +    public List<Certificate> parseChain(String chain) throws IOException, CertificateException
{
     
    -        return certs;
    +        return CertificateHelper.parseChain(chain);
         }
     
         String generateFingerPrint(Certificate cert) {
     
             final char[] HEX = {'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'A', 'B',
'C', 'D', 'E', 'F'};
     
    -        StringBuilder buffer = new StringBuilder(60);
    +        final StringBuilder buffer = new StringBuilder(60);
             try {
     
    -            MessageDigest md = MessageDigest.getInstance("SHA-1");
    -            byte[] data = md.digest(cert.getEncoded());
    +            final MessageDigest md = MessageDigest.getInstance("SHA-1");
    +            final byte[] data = md.digest(cert.getEncoded());
     
    -            for (int i = 0; i < data.length; i++) {
    +            for (final byte element : data) {
                     if (buffer.length() > 0) {
                         buffer.append(":");
                     }
     
    -                buffer.append(HEX[(0xF0 & data[i]) >>> 4]);
    -                buffer.append(HEX[0x0F & data[i]]);
    +                buffer.append(HEX[(0xF0 & element) >>> 4]);
    +                buffer.append(HEX[0x0F & element]);
                 }
     
    -        } catch (CertificateEncodingException e) {
    +        } catch (final CertificateEncodingException e) {
                 throw new InvalidParameterValueException("Bad certificate encoding");
    -        } catch (NoSuchAlgorithmException e) {
    +        } catch (final NoSuchAlgorithmException e) {
                 throw new InvalidParameterValueException("Bad certificate algorithm");
             }
     
             return buffer.toString();
         }
     
    -    public static class KeyPassword implements PasswordFinder {
    +    /**
    +     *
    +     * @deprecated this is only for bcprov-jdk16
    +     *
    +     */
    +    @Deprecated
    +    public static class KeyPassword {
    --- End diff --
    
    No it is a requirement in bcprov-jdk16 that needs this, not our code directly.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

Mime
View raw message