geronimo-dev mailing list archives

From Rick McGuire <rick...@gmail.com>
Subject Re: svn commit: r406106 - /geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java
Date Sat, 13 May 2006 16:37:01 GMT
Aaron Mulder wrote:
> -1 to this, for a couple reasons:
>
> First and least important, in the future, please commit all 3 files
> together rather than having 3 separate commits for three separate
> files when they won't compile unless all are applied together.
>
> Second, one of the methods now has two more or less complete yet
> different sets of JavaDoc?
>
> Third, as I mentioned before, if client auth is not required, the
> client should not actually need a keystore, only a trust store.
> Currently, if you pass a keystore of null, it looks like you'd get
> either a NullPointerException or an IllegalArgumentException.  The
> method you added probably needs to compensate for nulls and still
> provide a working trust store based SSLSocketFactory, and it would
> probably be good to have a second method to generate a client
> SSLSocketFactory that doesn't take the keystore or related arguments at
> all.
Ok, I'll fix these up.  While doing this, I spotted something that might 
be a bug in the existing code.  Is the following test correct?

    if(keyInstance.isKeyUnlocked(keyAlias)) {
        throw new KeystoreIsLocked("Key '"+keyAlias+"' in keystore '"+keyStore+"' is locked; please use the keystore page in the admin console to unlock it");
    }

The test is to see if the key is unlocked, and if it is, it throws an 
exception complaining that the keyAlias IS locked.  Either the test or 
the exception appears to be wrong.


>
> Thanks,
>    Aaron
>
> On 5/13/06, rickmcguire@apache.org <rickmcguire@apache.org> wrote:
>> Author: rickmcguire
>> Date: Sat May 13 07:00:44 2006
>> New Revision: 406106
>>
>> URL: http://svn.apache.org/viewcvs?rev=406106&view=rev
>> Log:
>> GERONIMO-2019 -- add ability to create client-side SSLSocketFactories 
>> to KeystoreManager API.
>>
>>
>> Modified:
>>     
>> geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java

>>
>>
>> Modified: 
>> geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java

>>
>> URL: 
>> http://svn.apache.org/viewcvs/geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java?rev=406106&r1=406105&r2=406106&view=diff

>>
>> ============================================================================== 
>>
>> --- 
>> geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java

>> (original)
>> +++ 
>> geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java

>> Sat May 13 07:00:44 2006
>> @@ -42,6 +42,7 @@
>>  import java.util.List;
>>  import java.util.Vector;
>>  import javax.net.ssl.SSLServerSocketFactory;
>> +import javax.net.ssl.SSLSocketFactory;
>>  import org.apache.commons.logging.Log;
>>  import org.apache.commons.logging.LogFactory;
>>  import org.apache.geronimo.gbean.AbstractName;
>> @@ -173,7 +174,101 @@
>>          }
>>      }
>>
>> -    public SSLServerSocketFactory createSSLFactory(String provider, 
>> String protocol, String algorithm, String keyStore, String keyAlias, 
>> String trustStore, ClassLoader loader) throws KeystoreIsLocked, 
>> KeyIsLocked, NoSuchAlgorithmException, UnrecoverableKeyException, 
>> KeyStoreException, KeyManagementException, NoSuchProviderException {
>> +    /**
>> +     * Gets a SocketFactory using one Keystore to access the private 
>> key
>> +     * and another to provide the list of trusted certificate 
>> authorities.
>> +     * @param provider The SSL provider to use, or null for the default
>> +     * @param protocol The SSL protocol to use
>> +     * @param algorithm The SSL algorithm to use
>> +     * @param keyStore The key keystore name as provided by 
>> listKeystores.  The
>> +     *                 KeystoreInstance for this keystore must be 
>> unlocked.
>> +     * @param keyAlias The name of the private key in the keystore.  
>> The
>> +     *                 KeystoreInstance for this keystore must have 
>> unlocked
>> +     *                 this key.
>> +     * @param trustStore The trust keystore name as provided by 
>> listKeystores.
>> +     *                   The KeystoreInstance for this keystore must 
>> have
>> +     *                   unlocked this key.
>> +     *
>> +     * @throws KeystoreIsLocked Occurs when the requested key 
>> keystore cannot
>> +     *                          be used because it has not been 
>> unlocked.
>> +     * @throws KeyIsLocked Occurs when the requested private key in 
>> the key
>> +     *                     keystore cannot be used because it has 
>> not been
>> +     *                     unlocked.
>> +     */
>> +    public SSLSocketFactory createSSLFactory(String provider, String 
>> protocol, String algorithm, String keyStore, String keyAlias, String 
>> trustStore, ClassLoader loader) throws KeystoreIsLocked, KeyIsLocked, 
>> NoSuchAlgorithmException, UnrecoverableKeyException, 
>> KeyStoreException, KeyManagementException, NoSuchProviderException {
>> +        KeystoreInstance keyInstance = getKeystore(keyStore);
>> +        if(keyInstance.isKeystoreLocked()) {
>> +            throw new KeystoreIsLocked("Keystore '"+keyStore+"' is 
>> locked; please use the keystore page in the admin console to unlock 
>> it");
>> +        }
>> +        if(keyInstance.isKeyUnlocked(keyAlias)) {
>> +            throw new KeystoreIsLocked("Key '"+keyAlias+"' in 
>> keystore '"+keyStore+"' is locked; please use the keystore page in 
>> the admin console to unlock it");
>> +        }
>> +        KeystoreInstance trustInstance = trustStore == null ? null : 
>> getKeystore(trustStore);
>> +        if(trustInstance != null && trustInstance.isKeystoreLocked()) {
>> +            throw new KeystoreIsLocked("Keystore '"+trustStore+"' is 
>> locked; please use the keystore page in the admin console to unlock 
>> it");
>> +        }
>> +
>> +        // OMG this hurts, but it causes ClassCastExceptions 
>> elsewhere unless done this way!
>> +        try {
>> +            Class cls = loader.loadClass("javax.net.ssl.SSLContext");
>> +            Object ctx = cls.getMethod("getInstance", new Class[] 
>> {String.class}).invoke(null, new Object[]{protocol});
>> +            Class kmc = 
>> loader.loadClass("[Ljavax.net.ssl.KeyManager;");
>> +            Class tmc = 
>> loader.loadClass("[Ljavax.net.ssl.TrustManager;");
>> +            Class src = loader.loadClass("java.security.SecureRandom");
>> +            cls.getMethod("init", new Class[]{kmc, tmc, 
>> src}).invoke(ctx, new Object[]{keyInstance.getKeyManager(algorithm, 
>> keyAlias),
>> +                                                                            
>> trustInstance == null ? null : trustInstance.getTrustManager(algorithm),
>> +                                                                            
>> new java.security.SecureRandom()});
>> +            Object result = cls.getMethod("getSocketFactory", new 
>> Class[0]).invoke(ctx, new Object[0]);
>> +            return (SSLSocketFactory) result;
>> +        } catch (Exception e) {
>> +            log.error("Unable to dynamically load", e);
>> +            return null;
>> +        }
>> +    }
>> +
>> +    /**
>> +     * Gets a ServerSocketFactory using one Keystore to access the 
>> private key
>> +     * and another to provide the list of trusted certificate 
>> authorities.
>> +     * @param provider The SSL provider to use, or null for the default
>> +     * @param protocol The SSL protocol to use
>> +     * @param algorithm The SSL algorithm to use
>> +     * @param keyStore The key keystore name as provided by 
>> listKeystores.  The
>> +     *                 KeystoreInstance for this keystore must be 
>> unlocked.
>> +     * @param keyAlias The name of the private key in the keystore.  
>> The
>> +     *                 KeystoreInstance for this keystore must have 
>> unlocked
>> +     *                 this key.
>> +     * @param trustStore The trust keystore name as provided by 
>> listKeystores.
>> +     *                   The KeystoreInstance for this keystore must 
>> have
>> +     *                   unlocked this key.
>> +     *
>> +     * @throws KeystoreIsLocked Occurs when the requested key 
>> keystore cannot
>> +     *                          be used because it has not been 
>> unlocked.
>> +     * @throws KeyIsLocked Occurs when the requested private key in 
>> the key
>> +     *                     keystore cannot be used because it has 
>> not been
>> +     *                     unlocked.
>> +     */
>> +    /**
>> +     * Create an SSLServerSocketFactory configured from the
>> +     * appropriate characteristics.
>> +     *
>> +     * @param provider   The JSSE provider to use (optional).
>> +     * @param protocol   The protocol we need a factory for.
>> +     * @param algorithm  A particular algoritm to use.
>> +     * @param keyStore   The keystore the factory should be 
>> configured with.
>> +     * @param keyAlias
>> +     * @param trustStore The trustStore to use for managing trust 
>> certificates.
>> +     * @param loader     The ClassLoader instance for loading the 
>> factory.
>> +     *
>> +     * @return An SSLServerSocketFactory instance.
>> +     * @exception KeystoreIsLocked
>> +     * @exception KeyIsLocked
>> +     * @exception NoSuchAlgorithmException
>> +     * @exception UnrecoverableKeyException
>> +     * @exception KeyStoreException
>> +     * @exception KeyManagementException
>> +     * @exception NoSuchProviderException
>> +     */
>> +    public SSLServerSocketFactory createSSLServerFactory(String 
>> provider, String protocol, String algorithm, String keyStore, String 
>> keyAlias, String trustStore, ClassLoader loader) throws 
>> KeystoreIsLocked, KeyIsLocked, NoSuchAlgorithmException, 
>> UnrecoverableKeyException, KeyStoreException, KeyManagementException, 
>> NoSuchProviderException {
>>          KeystoreInstance keyInstance = getKeystore(keyStore);
>>          if(keyInstance.isKeystoreLocked()) {
>>              throw new KeystoreIsLocked("Keystore '"+keyStore+"' is 
>> locked; please use the keystore page in the admin console to unlock 
>> it");
>>
>>
>>
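Review bot: The key check in the new createSSLFactory, `if(keyInstance.isKeyUnlocked(keyAlias))`, throws when the key is unlocked while its message reports the key as locked, so the condition needs negating; the method also declares KeyIsLocked, which its Javadoc reserves for a locked private key, yet this branch throws KeystoreIsLocked. In the same method, keyStore is passed straight to getKeystore and the result is dereferenced with no null handling, whereas trustStore has a null path, so a client that needs only a trust store cannot omit the keystore; add the same guard and pass null KeyManagers to init in that case. The catch block logs and returns null, which hands callers a null factory that fails later and away from the cause; rethrowing would match the declared exceptions. The provider parameter is documented but not used in the visible lines, and createSSLServerFactory now carries two consecutive Javadoc blocks, one of which should be removed.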
>
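The point raised in the review about clients that need only a trust store, as an added example that is not part of the original thread or of Geronimo's code. It uses plain JSSE KeyStore objects instead of Geronimo's KeystoreInstance, and the class and method names (ClientFactoryExample, clientFactory) are hypothetical.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class ClientFactoryExample {

    /**
     * Builds a client SSLSocketFactory. keyStore may be null when the server
     * does not require client authentication; trustStore may be null to fall
     * back to the JRE default trust anchors.
     */
    static SSLSocketFactory clientFactory(String protocol, KeyStore keyStore,
            char[] keyPassword, KeyStore trustStore) throws GeneralSecurityException {
        KeyManager[] keyManagers = null;      // null: no client certificate is offered
        if (keyStore != null) {
            KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(keyStore, keyPassword);
            keyManagers = kmf.getKeyManagers();
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);                 // null KeyStore: default trust store
        SSLContext ctx = SSLContext.getInstance(protocol);
        ctx.init(keyManagers, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();        // failures propagate as exceptions
    }

    /** Trust-store-only overload, taking no keystore or key arguments. */
    static SSLSocketFactory clientFactory(String protocol, KeyStore trustStore)
            throws GeneralSecurityException {
        return clientFactory(protocol, null, null, trustStore);
    }

    public static void main(String[] args) throws Exception {
        // No keystore and no explicit trust store: server-authenticated TLS only.
        SSLSocketFactory factory = clientFactory("TLS", null);
        System.out.println("default cipher suites: "
            + factory.getDefaultCipherSuites().length);
    }
}
```

Because errors are thrown rather than logged and swallowed, a caller never receives a null factory.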

