geronimo-dev mailing list archives

From "Aaron Mulder" <ammul...@alumni.princeton.edu>
Subject Re: svn commit: r406106 - /geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java
Date Sat, 13 May 2006 17:06:30 GMT
On 5/13/06, Rick McGuire <rickmcg@gmail.com> wrote:
> Ok, I'll fix these up.  While doing this, I spotted something that might
> be a bug in the existing code.  Is the following test correct?
>
> if(keyInstance.isKeyUnlocked(keyAlias)) {
>             throw new KeystoreIsLocked("Key '"+keyAlias+"' in keystore
> '"+keyStore+"' is locked; please use the keystore page in the admin
> console to unlock it");
>         }
>
> The test is to see if the key is unlocked, and if it is, it throws an
> exception complaining that the keyAlias IS locked.  Either the test or
> the exception appears to be wrong.

It's a case of two wrongs make a right!  The method behaves as
isKeyLocked and is called as isKeyLocked even though the name is
isKeyUnlocked.  Can you just change the name and JavaDoc of
KeystoreInstance.isKeyUnlocked to isKeyLocked?  That'll make it more
consistent with isKeystoreLocked anyway.

Thanks,
    Aaron


> > On 5/13/06, rickmcguire@apache.org <rickmcguire@apache.org> wrote:
> >> Author: rickmcguire
> >> Date: Sat May 13 07:00:44 2006
> >> New Revision: 406106
> >>
> >> URL: http://svn.apache.org/viewcvs?rev=406106&view=rev
> >> Log:
> >> GERONIMO-2019 -- add ability to create client-side SSLSocketFactories
> >> to KeystoreManager API.
> >>
> >>
> >> Modified:
> >>
> >> geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java
> >>
> >>
> >> Modified:
> >> geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java
> >>
> >> URL:
> >> http://svn.apache.org/viewcvs/geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java?rev=406106&r1=406105&r2=406106&view=diff
> >>
> >> ==============================================================================
> >>
> >> ---
> >> geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java
> >> (original)
> >> +++
> >> geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java
> >> Sat May 13 07:00:44 2006
> >> @@ -42,6 +42,7 @@
> >>  import java.util.List;
> >>  import java.util.Vector;
> >>  import javax.net.ssl.SSLServerSocketFactory;
> >> +import javax.net.ssl.SSLSocketFactory;
> >>  import org.apache.commons.logging.Log;
> >>  import org.apache.commons.logging.LogFactory;
> >>  import org.apache.geronimo.gbean.AbstractName;
> >> @@ -173,7 +174,101 @@
> >>          }
> >>      }
> >>
> >> -    public SSLServerSocketFactory createSSLFactory(String provider,
> >> String protocol, String algorithm, String keyStore, String keyAlias,
> >> String trustStore, ClassLoader loader) throws KeystoreIsLocked,
> >> KeyIsLocked, NoSuchAlgorithmException, UnrecoverableKeyException,
> >> KeyStoreException, KeyManagementException, NoSuchProviderException {
> >> +    /**
> >> +     * Gets a SocketFactory using one Keystore to access the private
> >> key
> >> +     * and another to provide the list of trusted certificate
> >> authorities.
> >> +     * @param provider The SSL provider to use, or null for the default
> >> +     * @param protocol The SSL protocol to use
> >> +     * @param algorithm The SSL algorithm to use
> >> +     * @param keyStore The key keystore name as provided by
> >> listKeystores.  The
> >> +     *                 KeystoreInstance for this keystore must be
> >> unlocked.
> >> +     * @param keyAlias The name of the private key in the keystore.
> >> The
> >> +     *                 KeystoreInstance for this keystore must have
> >> unlocked
> >> +     *                 this key.
> >> +     * @param trustStore The trust keystore name as provided by
> >> listKeystores.
> >> +     *                   The KeystoreInstance for this keystore must
> >> have
> >> +     *                   unlocked this key.
> >> +     *
> >> +     * @throws KeystoreIsLocked Occurs when the requested key
> >> keystore cannot
> >> +     *                          be used because it has not been
> >> unlocked.
> >> +     * @throws KeyIsLocked Occurs when the requested private key in
> >> the key
> >> +     *                     keystore cannot be used because it has
> >> not been
> >> +     *                     unlocked.
> >> +     */
> >> +    public SSLSocketFactory createSSLFactory(String provider, String
> >> protocol, String algorithm, String keyStore, String keyAlias, String
> >> trustStore, ClassLoader loader) throws KeystoreIsLocked, KeyIsLocked,
> >> NoSuchAlgorithmException, UnrecoverableKeyException,
> >> KeyStoreException, KeyManagementException, NoSuchProviderException {
> >> +        KeystoreInstance keyInstance = getKeystore(keyStore);
> >> +        if(keyInstance.isKeystoreLocked()) {
> >> +            throw new KeystoreIsLocked("Keystore '"+keyStore+"' is
> >> locked; please use the keystore page in the admin console to unlock
> >> it");
> >> +        }
> >> +        if(keyInstance.isKeyUnlocked(keyAlias)) {
> >> +            throw new KeystoreIsLocked("Key '"+keyAlias+"' in
> >> keystore '"+keyStore+"' is locked; please use the keystore page in
> >> the admin console to unlock it");
> >> +        }
> >> +        KeystoreInstance trustInstance = trustStore == null ? null :
> >> getKeystore(trustStore);
> >> +        if(trustInstance != null && trustInstance.isKeystoreLocked())
{
> >> +            throw new KeystoreIsLocked("Keystore '"+trustStore+"' is
> >> locked; please use the keystore page in the admin console to unlock
> >> it");
> >> +        }
> >> +
> >> +        // OMG this hurts, but it causes ClassCastExceptions
> >> elsewhere unless done this way!
> >> +        try {
> >> +            Class cls = loader.loadClass("javax.net.ssl.SSLContext");
> >> +            Object ctx = cls.getMethod("getInstance", new Class[]
> >> {String.class}).invoke(null, new Object[]{protocol});
> >> +            Class kmc =
> >> loader.loadClass("[Ljavax.net.ssl.KeyManager;");
> >> +            Class tmc =
> >> loader.loadClass("[Ljavax.net.ssl.TrustManager;");
> >> +            Class src = loader.loadClass("java.security.SecureRandom");
> >> +            cls.getMethod("init", new Class[]{kmc, tmc,
> >> src}).invoke(ctx, new Object[]{keyInstance.getKeyManager(algorithm,
> >> keyAlias),
> >> +
> >> trustInstance == null ? null : trustInstance.getTrustManager(algorithm),
> >> +
> >> new java.security.SecureRandom()});
> >> +            Object result = cls.getMethod("getSocketFactory", new
> >> Class[0]).invoke(ctx, new Object[0]);
> >> +            return (SSLSocketFactory) result;
> >> +        } catch (Exception e) {
> >> +            log.error("Unable to dynamically load", e);
> >> +            return null;
> >> +        }
> >> +    }
> >> +
> >> +    /**
> >> +     * Gets a ServerSocketFactory using one Keystore to access the
> >> private key
> >> +     * and another to provide the list of trusted certificate
> >> authorities.
> >> +     * @param provider The SSL provider to use, or null for the default
> >> +     * @param protocol The SSL protocol to use
> >> +     * @param algorithm The SSL algorithm to use
> >> +     * @param keyStore The key keystore name as provided by
> >> listKeystores.  The
> >> +     *                 KeystoreInstance for this keystore must be
> >> unlocked.
> >> +     * @param keyAlias The name of the private key in the keystore.
> >> The
> >> +     *                 KeystoreInstance for this keystore must have
> >> unlocked
> >> +     *                 this key.
> >> +     * @param trustStore The trust keystore name as provided by
> >> listKeystores.
> >> +     *                   The KeystoreInstance for this keystore must
> >> have
> >> +     *                   unlocked this key.
> >> +     *
> >> +     * @throws KeystoreIsLocked Occurs when the requested key
> >> keystore cannot
> >> +     *                          be used because it has not been
> >> unlocked.
> >> +     * @throws KeyIsLocked Occurs when the requested private key in
> >> the key
> >> +     *                     keystore cannot be used because it has
> >> not been
> >> +     *                     unlocked.
> >> +     */
> >> +    /**
> >> +     * Create an SSLServerSocketFactory configured from the
> >> +     * appropriate characteristics.
> >> +     *
> >> +     * @param provider   The JSSE provider to use (optional).
> >> +     * @param protocol   The protocol we need a factory for.
> >> +     * @param algorithm  A particular algoritm to use.
> >> +     * @param keyStore   The keystore the factory should be
> >> configured with.
> >> +     * @param keyAlias
> >> +     * @param trustStore The trustStore to use for managing trust
> >> certificates.
> >> +     * @param loader     The ClassLoader instance for loading the
> >> factory.
> >> +     *
> >> +     * @return An SSLServerSocketFactory instance.
> >> +     * @exception KeystoreIsLocked
> >> +     * @exception KeyIsLocked
> >> +     * @exception NoSuchAlgorithmException
> >> +     * @exception UnrecoverableKeyException
> >> +     * @exception KeyStoreException
> >> +     * @exception KeyManagementException
> >> +     * @exception NoSuchProviderException
> >> +     */
> >> +    public SSLServerSocketFactory createSSLServerFactory(String
> >> provider, String protocol, String algorithm, String keyStore, String
> >> keyAlias, String trustStore, ClassLoader loader) throws
> >> KeystoreIsLocked, KeyIsLocked, NoSuchAlgorithmException,
> >> UnrecoverableKeyException, KeyStoreException, KeyManagementException,
> >> NoSuchProviderException {
> >>          KeystoreInstance keyInstance = getKeystore(keyStore);
> >>          if(keyInstance.isKeystoreLocked()) {
> >>              throw new KeystoreIsLocked("Keystore '"+keyStore+"' is
> >> locked; please use the keystore page in the admin console to unlock
> >> it");
> >>
> >>
> >>
> >
>
>
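Review bot: in the new `createSSLFactory`, the key-alias check `if(keyInstance.isKeyUnlocked(keyAlias))` throws `KeystoreIsLocked`, while the method's `throws` clause and its Javadoc reserve `KeyIsLocked` for exactly this case ("Occurs when the requested private key in the key keystore cannot be used because it has not been unlocked"); whichever way the `isKeyUnlocked`/`isKeyLocked` naming is settled, this branch should throw `new KeyIsLocked(...)` so a caller can tell a locked key from a locked keystore. Second, the reflection block catches `Exception`, logs "Unable to dynamically load" and returns `null`, so an unknown protocol, a failure inside `getKeyManager`, or a `KeyManagementException` from `init` all reach the caller as a null `SSLSocketFactory` instead of one of the declared checked exceptions; rethrowing (unwrapping the `InvocationTargetException` cause) would keep the declared contract. Two points for the Javadoc: when `trustStore` is null the TrustManager array handed to `SSLContext.init` is null, which makes JSSE fall back to the platform default trust store rather than trusting nothing, and `provider` is documented but never used (`getInstance` is invoked with `protocol` only). Finally, `createSSLServerFactory` now carries two consecutive `/** ... */` blocks; the first is a copy of the SocketFactory comment (including the copy-pasted `@param trustStore` text about having "unlocked this key", which does not apply to a trust store) and is dead, so it should be dropped.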
