geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Aaron Mulder" <ammul...@alumni.princeton.edu>
Subject Re: svn commit: r406106 - /geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java
Date Sat, 13 May 2006 15:35:53 GMT
-1 to this, for a couple reasons:

First and least important, in the future, please commit all 3 files
together rather than having 3 separate commits for three separate
files when they won't compile unless all are applied together.

Second, one of the methods now has two more or less complete yet
different sets of JavaDoc?

Third, as I mentioned before, if client auth is not required, the
client should not actually need a keystore, only a trust store.
Currently, if you pass a keystore of null, it looks like you'd get
either a NullPointerException or an IllegalArgumentException.  The
method you added probably needs to compensate for nulls and still
provide a working trust store based SSLSocketFactory, and it would
probably be good to have a second method to generate a client
SSLSocketFactory that doen't take the keystore or related arguments at
all.

Thanks,
    Aaron

On 5/13/06, rickmcguire@apache.org <rickmcguire@apache.org> wrote:
> Author: rickmcguire
> Date: Sat May 13 07:00:44 2006
> New Revision: 406106
>
> URL: http://svn.apache.org/viewcvs?rev=406106&view=rev
> Log:
> GERONIMO-2019 -- add ability to create client-side SSLSocketFactories to KeystoreManager
API.
>
>
> Modified:
>     geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java
>
> Modified: geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java
> URL: http://svn.apache.org/viewcvs/geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java?rev=406106&r1=406105&r2=406106&view=diff
> ==============================================================================
> --- geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java
(original)
> +++ geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java
Sat May 13 07:00:44 2006
> @@ -42,6 +42,7 @@
>  import java.util.List;
>  import java.util.Vector;
>  import javax.net.ssl.SSLServerSocketFactory;
> +import javax.net.ssl.SSLSocketFactory;
>  import org.apache.commons.logging.Log;
>  import org.apache.commons.logging.LogFactory;
>  import org.apache.geronimo.gbean.AbstractName;
> @@ -173,7 +174,101 @@
>          }
>      }
>
> -    public SSLServerSocketFactory createSSLFactory(String provider, String protocol,
String algorithm, String keyStore, String keyAlias, String trustStore, ClassLoader loader)
throws KeystoreIsLocked, KeyIsLocked, NoSuchAlgorithmException, UnrecoverableKeyException,
KeyStoreException, KeyManagementException, NoSuchProviderException {
> +    /**
> +     * Gets a SocketFactory using one Keystore to access the private key
> +     * and another to provide the list of trusted certificate authorities.
> +     * @param provider The SSL provider to use, or null for the default
> +     * @param protocol The SSL protocol to use
> +     * @param algorithm The SSL algorithm to use
> +     * @param keyStore The key keystore name as provided by listKeystores.  The
> +     *                 KeystoreInstance for this keystore must be unlocked.
> +     * @param keyAlias The name of the private key in the keystore.  The
> +     *                 KeystoreInstance for this keystore must have unlocked
> +     *                 this key.
> +     * @param trustStore The trust keystore name as provided by listKeystores.
> +     *                   The KeystoreInstance for this keystore must have
> +     *                   unlocked this key.
> +     *
> +     * @throws KeystoreIsLocked Occurs when the requested key keystore cannot
> +     *                          be used because it has not been unlocked.
> +     * @throws KeyIsLocked Occurs when the requested private key in the key
> +     *                     keystore cannot be used because it has not been
> +     *                     unlocked.
> +     */
> +    public SSLSocketFactory createSSLFactory(String provider, String protocol, String
algorithm, String keyStore, String keyAlias, String trustStore, ClassLoader loader) throws
KeystoreIsLocked, KeyIsLocked, NoSuchAlgorithmException, UnrecoverableKeyException, KeyStoreException,
KeyManagementException, NoSuchProviderException {
> +        KeystoreInstance keyInstance = getKeystore(keyStore);
> +        if(keyInstance.isKeystoreLocked()) {
> +            throw new KeystoreIsLocked("Keystore '"+keyStore+"' is locked; please use
the keystore page in the admin console to unlock it");
> +        }
> +        if(keyInstance.isKeyUnlocked(keyAlias)) {
> +            throw new KeystoreIsLocked("Key '"+keyAlias+"' in keystore '"+keyStore+"'
is locked; please use the keystore page in the admin console to unlock it");
> +        }
> +        KeystoreInstance trustInstance = trustStore == null ? null : getKeystore(trustStore);
> +        if(trustInstance != null && trustInstance.isKeystoreLocked()) {
> +            throw new KeystoreIsLocked("Keystore '"+trustStore+"' is locked; please
use the keystore page in the admin console to unlock it");
> +        }
> +
> +        // OMG this hurts, but it causes ClassCastExceptions elsewhere unless done this
way!
> +        try {
> +            Class cls = loader.loadClass("javax.net.ssl.SSLContext");
> +            Object ctx = cls.getMethod("getInstance", new Class[] {String.class}).invoke(null,
new Object[]{protocol});
> +            Class kmc = loader.loadClass("[Ljavax.net.ssl.KeyManager;");
> +            Class tmc = loader.loadClass("[Ljavax.net.ssl.TrustManager;");
> +            Class src = loader.loadClass("java.security.SecureRandom");
> +            cls.getMethod("init", new Class[]{kmc, tmc, src}).invoke(ctx, new Object[]{keyInstance.getKeyManager(algorithm,
keyAlias),
> +                                                                            trustInstance
== null ? null : trustInstance.getTrustManager(algorithm),
> +                                                                            new java.security.SecureRandom()});
> +            Object result = cls.getMethod("getSocketFactory", new Class[0]).invoke(ctx,
new Object[0]);
> +            return (SSLSocketFactory) result;
> +        } catch (Exception e) {
> +            log.error("Unable to dynamically load", e);
> +            return null;
> +        }
> +    }
> +
> +    /**
> +     * Gets a ServerSocketFactory using one Keystore to access the private key
> +     * and another to provide the list of trusted certificate authorities.
> +     * @param provider The SSL provider to use, or null for the default
> +     * @param protocol The SSL protocol to use
> +     * @param algorithm The SSL algorithm to use
> +     * @param keyStore The key keystore name as provided by listKeystores.  The
> +     *                 KeystoreInstance for this keystore must be unlocked.
> +     * @param keyAlias The name of the private key in the keystore.  The
> +     *                 KeystoreInstance for this keystore must have unlocked
> +     *                 this key.
> +     * @param trustStore The trust keystore name as provided by listKeystores.
> +     *                   The KeystoreInstance for this keystore must have
> +     *                   unlocked this key.
> +     *
> +     * @throws KeystoreIsLocked Occurs when the requested key keystore cannot
> +     *                          be used because it has not been unlocked.
> +     * @throws KeyIsLocked Occurs when the requested private key in the key
> +     *                     keystore cannot be used because it has not been
> +     *                     unlocked.
> +     */
> +    /**
> +     * Create an SSLServerSocketFactory configured from the
> +     * appropriate characteristics.
> +     *
> +     * @param provider   The JSSE provider to use (optional).
> +     * @param protocol   The protocol we need a factory for.
> +     * @param algorithm  A particular algoritm to use.
> +     * @param keyStore   The keystore the factory should be configured with.
> +     * @param keyAlias
> +     * @param trustStore The trustStore to use for managing trust certificates.
> +     * @param loader     The ClassLoader instance for loading the factory.
> +     *
> +     * @return An SSLServerSocketFactory instance.
> +     * @exception KeystoreIsLocked
> +     * @exception KeyIsLocked
> +     * @exception NoSuchAlgorithmException
> +     * @exception UnrecoverableKeyException
> +     * @exception KeyStoreException
> +     * @exception KeyManagementException
> +     * @exception NoSuchProviderException
> +     */
> +    public SSLServerSocketFactory createSSLServerFactory(String provider, String protocol,
String algorithm, String keyStore, String keyAlias, String trustStore, ClassLoader loader)
throws KeystoreIsLocked, KeyIsLocked, NoSuchAlgorithmException, UnrecoverableKeyException,
KeyStoreException, KeyManagementException, NoSuchProviderException {
>          KeystoreInstance keyInstance = getKeystore(keyStore);
>          if(keyInstance.isKeystoreLocked()) {
>              throw new KeystoreIsLocked("Keystore '"+keyStore+"' is locked; please use
the keystore page in the admin console to unlock it");
>
>
>

Mime
View raw message