cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ff...@apache.org
Subject [1/2] cxf git commit: [CXF-7401]CXF http-jetty fails to get private key if the jks keystore file contains multiple private keys with different password
Date Wed, 14 Jun 2017 04:42:39 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.0.x-fixes 8341f4e08 -> 23408fdbb


[CXF-7401]CXF http-jetty fails to get private key if the jks keystore file contains multiple
private keys with different password

(cherry picked from commit e877d30982ae970738495160090a8e948f33c199)
(cherry picked from commit a11b4b530f18d5d87e9bca3d7b2f6a71bcf0d00c)


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/f4955276
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/f4955276
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/f4955276

Branch: refs/heads/3.0.x-fixes
Commit: f49552767f77e1510d3abd24ab243d9693ed45c1
Parents: 8341f4e
Author: Freeman Fang <freeman.fang@gmail.com>
Authored: Tue Jun 13 16:36:37 2017 +0800
Committer: Freeman Fang <freeman.fang@gmail.com>
Committed: Wed Jun 14 10:45:42 2017 +0800

----------------------------------------------------------------------
 .../jsse/MultiKeyPasswordKeyManager.java        |  83 +++++++++++++++++++
 .../jsse/TLSClientParametersConfig.java         |  10 ++-
 .../jsse/TLSParameterJaxBUtils.java             |  36 ++++++++
 .../jsse/TLSServerParametersConfig.java         |  10 ++-
 .../cxf/systest/https/conduit/jaxws-server.xml  |   8 +-
 .../src/test/resources/keys/MultipleKeys.jks    | Bin 0 -> 4391 bytes
 6 files changed, 139 insertions(+), 8 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/f4955276/core/src/main/java/org/apache/cxf/configuration/jsse/MultiKeyPasswordKeyManager.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/configuration/jsse/MultiKeyPasswordKeyManager.java
b/core/src/main/java/org/apache/cxf/configuration/jsse/MultiKeyPasswordKeyManager.java
new file mode 100644
index 0000000..c6dcbc9
--- /dev/null
+++ b/core/src/main/java/org/apache/cxf/configuration/jsse/MultiKeyPasswordKeyManager.java
@@ -0,0 +1,83 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.configuration.jsse;
+
+import java.net.Socket;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.Principal;
+import java.security.PrivateKey;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+import javax.net.ssl.X509KeyManager;
+
+public class MultiKeyPasswordKeyManager implements X509KeyManager {
+    private final KeyStore mKeyStore;
+    private final String mKeyAlias;
+    private final String mKeyPassword;
+
+    public MultiKeyPasswordKeyManager(KeyStore keystore, String keyAlias, String keyPassword)
{
+        mKeyStore = keystore;
+        mKeyAlias = keyAlias;
+        mKeyPassword = keyPassword;
+    }
+
+    public String[] getClientAliases(String keyType, Principal[] issuers) {
+        return new String[] {
+            mKeyAlias
+        };
+    }
+
+    public String[] getServerAliases(String keyType, Principal[] issuers) {
+        return new String[] {
+            mKeyAlias
+        };
+    }
+    public X509Certificate[] getCertificateChain(String alias) {
+        Certificate[] chain = null;
+        try {
+            chain = mKeyStore.getCertificateChain(alias);
+        } catch (KeyStoreException kse) {
+            throw new RuntimeException(kse);
+        }
+        final X509Certificate[] certChain = new X509Certificate[chain.length];
+        for (int i = 0; i < chain.length; i++) {
+            certChain[i] = (X509Certificate)chain[i];
+        }
+        return certChain;
+    }
+
+    public PrivateKey getPrivateKey(String alias) {
+        try {
+            return (PrivateKey)mKeyStore.getKey(alias, mKeyPassword.toCharArray());
+        } catch (GeneralSecurityException gse) {
+            throw new RuntimeException(gse);
+        }
+    }
+
+    public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket)
{
+        return mKeyAlias;
+    }
+
+    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
+        return mKeyAlias;
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/f4955276/core/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParametersConfig.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParametersConfig.java
b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParametersConfig.java
index e67571b..730847e 100644
--- a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParametersConfig.java
+++ b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParametersConfig.java
@@ -108,8 +108,14 @@ public final class TLSClientParametersConfig {
                         params.getSecureRandomParameters()));
         }
         if (params.isSetKeyManagers() && !usingDefaults) {
-            ret.setKeyManagers(
-                TLSParameterJaxBUtils.getKeyManagers(params.getKeyManagers()));
+            if (!params.isSetCertAlias()) {
+                ret.setKeyManagers(
+                                    TLSParameterJaxBUtils.getKeyManagers(params.getKeyManagers()));
+            } else {
+                ret.setKeyManagers(
+                                    TLSParameterJaxBUtils.getKeyManagers(params.getKeyManagers(),

+                                                                         params.getCertAlias()));
+            }
         }
         if (params.isSetTrustManagers() && !usingDefaults) {
             ret.setTrustManagers(

http://git-wip-us.apache.org/repos/asf/cxf/blob/f4955276/core/src/main/java/org/apache/cxf/configuration/jsse/TLSParameterJaxBUtils.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSParameterJaxBUtils.java
b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSParameterJaxBUtils.java
index 6d94122..18b0228 100644
--- a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSParameterJaxBUtils.java
+++ b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSParameterJaxBUtils.java
@@ -284,6 +284,42 @@ public final class TLSParameterJaxBUtils {
 
         return fac.getKeyManagers();
     }
+    
+    /**
+     * This method converts the JAXB KeyManagersType into a list of
+     * JSSE KeyManagers.
+     */
+    public static KeyManager[] getKeyManagers(KeyManagersType kmc, String alias)
+        throws GeneralSecurityException,
+               IOException {
+
+        KeyStore keyStore = getKeyStore(kmc.getKeyStore(), false);
+
+        String alg = kmc.isSetFactoryAlgorithm()
+                     ? kmc.getFactoryAlgorithm()
+                     : KeyManagerFactory.getDefaultAlgorithm();
+
+        char[] keyPass = getKeyPassword(kmc);
+
+        KeyManagerFactory fac =
+                     kmc.isSetProvider()
+                     ? KeyManagerFactory.getInstance(alg, kmc.getProvider())
+                     : KeyManagerFactory.getInstance(alg);
+                     
+        try {             
+            fac.init(keyStore, keyPass);
+
+            return fac.getKeyManagers();
+        } catch (java.security.UnrecoverableKeyException uke) {
+            //jsse has the restriction that different key in keystore
+            //cannot has different password, use MultiKeyPasswordKeyManager
+            //as fallback when this happen
+            MultiKeyPasswordKeyManager manager
+                = new MultiKeyPasswordKeyManager(keyStore, alias,
+                                             new String(keyPass));
+            return new KeyManager[]{manager};
+        }
+    }
 
     /**
      * This method converts the JAXB KeyManagersType into a list of

http://git-wip-us.apache.org/repos/asf/cxf/blob/f4955276/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java
b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java
index 137e80d..0813845 100644
--- a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java
+++ b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java
@@ -72,8 +72,14 @@ public class TLSServerParametersConfig
             this.setClientAuthentication(params.getClientAuthentication());
         }
         if (params.isSetKeyManagers()) {
-            this.setKeyManagers(
-                TLSParameterJaxBUtils.getKeyManagers(params.getKeyManagers()));
+            if (!params.isSetCertAlias()) {
+                this.setKeyManagers(
+                                    TLSParameterJaxBUtils.getKeyManagers(params.getKeyManagers()));
+            } else {
+                this.setKeyManagers(
+                                    TLSParameterJaxBUtils.getKeyManagers(params.getKeyManagers(),

+                                                                         params.getCertAlias()));
+            }
         }
         if (params.isSetTrustManagers()) {
             this.setTrustManagers(

http://git-wip-us.apache.org/repos/asf/cxf/blob/f4955276/systests/transports/src/test/resources/org/apache/cxf/systest/https/conduit/jaxws-server.xml
----------------------------------------------------------------------
diff --git a/systests/transports/src/test/resources/org/apache/cxf/systest/https/conduit/jaxws-server.xml
b/systests/transports/src/test/resources/org/apache/cxf/systest/https/conduit/jaxws-server.xml
index 2ded663..680af5f 100644
--- a/systests/transports/src/test/resources/org/apache/cxf/systest/https/conduit/jaxws-server.xml
+++ b/systests/transports/src/test/resources/org/apache/cxf/systest/https/conduit/jaxws-server.xml
@@ -49,8 +49,8 @@ under the License.
     <httpj:engine-factory id="port-9002-tls-config">
         <httpj:engine port="${testutil.ports.BusServer.2}">
             <httpj:tlsServerParameters>
-                <sec:keyManagers keyPassword="password">
-                    <sec:keyStore type="JKS" password="password" resource="keys/Bethal.jks"/>
+                <sec:keyManagers keyPassword="changit">
+                    <sec:keyStore type="JKS" password="password" resource="keys/MultipleKeys.jks"/>
                 </sec:keyManagers>
                 <sec:trustManagers>
                     <sec:keyStore type="JKS" password="password" resource="keys/Truststore.jks"/>
@@ -65,8 +65,8 @@ under the License.
     <!-- -->
     <http:conduit name="{http://apache.org/hello_world/services}HttpsPort.http-conduit">
         <http:tlsClientParameters disableCNCheck="true">
-            <sec:keyManagers keyPassword="password">
-                <sec:keyStore type="JKS" password="password" resource="keys/Morpit.jks"/>
+            <sec:keyManagers keyPassword="anotherchangit">
+                <sec:keyStore type="JKS" password="password" resource="keys/MultipleKeys.jks"/>
             </sec:keyManagers>
             <sec:trustManagers>
                 <sec:keyStore type="JKS" password="password" resource="keys/Truststore.jks"/>

http://git-wip-us.apache.org/repos/asf/cxf/blob/f4955276/testutils/src/test/resources/keys/MultipleKeys.jks
----------------------------------------------------------------------
diff --git a/testutils/src/test/resources/keys/MultipleKeys.jks b/testutils/src/test/resources/keys/MultipleKeys.jks
new file mode 100644
index 0000000..9e6c477
Binary files /dev/null and b/testutils/src/test/resources/keys/MultipleKeys.jks differ


Mime
View raw message