qpid-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From kw...@apache.org
Subject qpid-broker-j git commit: QPID-8064: [Broker-J] Ensure that when providing an alias for a FileKeyStore the entry corresponds to a private-key
Date Fri, 30 Mar 2018 14:24:32 GMT
Repository: qpid-broker-j
Updated Branches:
  refs/heads/master 818cd7d3e -> eef93a82a


QPID-8064: [Broker-J] Ensure that when providing an alias for a FileKeyStore the entry corresponds
to a private-key


Project: http://git-wip-us.apache.org/repos/asf/qpid-broker-j/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-broker-j/commit/eef93a82
Tree: http://git-wip-us.apache.org/repos/asf/qpid-broker-j/tree/eef93a82
Diff: http://git-wip-us.apache.org/repos/asf/qpid-broker-j/diff/eef93a82

Branch: refs/heads/master
Commit: eef93a82accc372403ec948eaedeb82c0d39ec3e
Parents: 818cd7d
Author: Keith Wall <kwall@apache.org>
Authored: Fri Mar 30 15:24:03 2018 +0100
Committer: Keith Wall <kwall@apache.org>
Committed: Fri Mar 30 15:24:25 2018 +0100

----------------------------------------------------------------------
 .../qpid/server/security/FileKeyStoreImpl.java  | 55 ++++++++------------
 .../server/security/FileTrustStoreImpl.java     | 45 ++++++----------
 .../transport/network/security/ssl/SSLUtil.java | 11 ++++
 .../org/apache/qpid/server/util/StringUtil.java |  5 ++
 .../qpid/server/security/FileKeyStoreTest.java  |  4 +-
 .../server/security/FileTrustStoreTest.java     |  2 +-
 .../AclFileAccessControlProviderImpl.java       |  3 +-
 7 files changed, 59 insertions(+), 66 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/eef93a82/broker-core/src/main/java/org/apache/qpid/server/security/FileKeyStoreImpl.java
----------------------------------------------------------------------
diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/FileKeyStoreImpl.java
b/broker-core/src/main/java/org/apache/qpid/server/security/FileKeyStoreImpl.java
index 2b3f450..50e9560 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/security/FileKeyStoreImpl.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/security/FileKeyStoreImpl.java
@@ -55,7 +55,7 @@ import org.apache.qpid.server.model.StateTransition;
 import org.apache.qpid.server.transport.network.security.ssl.QpidBestFitX509KeyManager;
 import org.apache.qpid.server.transport.network.security.ssl.QpidServerX509KeyManager;
 import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
-import org.apache.qpid.server.util.ServerScopedRuntimeException;
+import org.apache.qpid.server.util.StringUtil;
 import org.apache.qpid.server.util.urlstreamhandler.data.Handler;
 
 @ManagedObject( category = false )
@@ -125,31 +125,14 @@ public class FileKeyStoreImpl extends AbstractKeyStore<FileKeyStoreImpl>
impleme
 
     private void validateKeyStoreAttributes(FileKeyStore<?> fileKeyStore)
     {
-        java.security.KeyStore keyStore;
+        final String loggableStoreUrl = StringUtil.elideDataUrl(fileKeyStore.getStoreUrl());
         try
         {
             URL url = getUrlFromString(fileKeyStore.getStoreUrl());
             String password = fileKeyStore.getPassword();
             String keyStoreType = fileKeyStore.getKeyStoreType();
-            keyStore = SSLUtil.getInitializedKeyStore(url, password, keyStoreType);
-        }
-        catch (Exception e)
-        {
-            final String message;
-            if (e instanceof IOException && e.getCause() != null && e.getCause()
instanceof UnrecoverableKeyException)
-            {
-                message = "Check key store password. Cannot instantiate key store from '"
+ fileKeyStore.getStoreUrl() + "'.";
-            }
-            else
-            {
-                message = "Cannot instantiate key store from '" + fileKeyStore.getStoreUrl()
+ "'.";
-            }
-
-            throw new IllegalConfigurationException(message, e);
-        }
+            java.security.KeyStore keyStore = SSLUtil.getInitializedKeyStore(url, password,
keyStoreType);
 
-        try
-        {
             final String certAlias = fileKeyStore.getCertificateAlias();
             if (certAlias != null)
             {
@@ -158,32 +141,36 @@ public class FileKeyStoreImpl extends AbstractKeyStore<FileKeyStoreImpl>
impleme
                 if (cert == null)
                 {
                     throw new IllegalConfigurationException(String.format(
-                            "Cannot find a certificate with alias '%s' in key store : %s",
+                            "Cannot find a certificate with alias '%s' in key store '%s'.",
                             certAlias,
-                            fileKeyStore.getStoreUrl()));
+                            loggableStoreUrl));
                 }
 
-                if (keyStore.isCertificateEntry(certAlias))
+                if (!keyStore.entryInstanceOf(certAlias, java.security.KeyStore.PrivateKeyEntry.class))
                 {
                     throw new IllegalConfigurationException(String.format(
-                            "Alias '%s' in key store : %s does not identify a key.",
+                            "Alias '%s' in key store '%s' does not identify a private key.",
                             certAlias,
-                            fileKeyStore.getStoreUrl()));
+                            loggableStoreUrl));
 
                 }
             }
-
-            if (!containsPrivateKey(keyStore))
+            else if (!containsPrivateKey(keyStore))
             {
-                throw new IllegalConfigurationException("Keystore must contain at least one
private key.");
+                throw new IllegalConfigurationException(String.format(
+                        "Keystore '%s' must contain at least one private key.", loggableStoreUrl));
             }
         }
-        catch (KeyStoreException e)
+        catch (UnrecoverableKeyException e)
         {
-            // key store should be initialized above
-            throw new ServerScopedRuntimeException("Key store has not been initialized",
e);
+            String message = String.format("Check key store password. Cannot instantiate
key store from '%s'.", loggableStoreUrl);
+            throw new IllegalConfigurationException(message, e);
+        }
+        catch (IOException | GeneralSecurityException e)
+        {
+            final String message = String.format("Cannot instantiate key store from '%s'.",
loggableStoreUrl);
+            throw new IllegalConfigurationException(message, e);
         }
-
 
         try
         {
@@ -191,8 +178,8 @@ public class FileKeyStoreImpl extends AbstractKeyStore<FileKeyStoreImpl>
impleme
         }
         catch (NoSuchAlgorithmException e)
         {
-            throw new IllegalConfigurationException("Unknown keyManagerFactoryAlgorithm:
"
-                    + fileKeyStore.getKeyManagerFactoryAlgorithm());
+            throw new IllegalConfigurationException(String.format("Unknown keyManagerFactoryAlgorithm:
'%s'",
+                                                                  fileKeyStore.getKeyManagerFactoryAlgorithm()));
         }
 
         if(!fileKeyStore.isDurable())

http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/eef93a82/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStoreImpl.java
----------------------------------------------------------------------
diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStoreImpl.java
b/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStoreImpl.java
index e562653..d6a4925 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStoreImpl.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStoreImpl.java
@@ -55,7 +55,7 @@ import org.apache.qpid.server.model.TrustStore;
 import org.apache.qpid.server.transport.network.security.ssl.QpidMultipleTrustManager;
 import org.apache.qpid.server.transport.network.security.ssl.QpidPeersOnlyTrustManager;
 import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
-import org.apache.qpid.server.util.ServerScopedRuntimeException;
+import org.apache.qpid.server.util.StringUtil;
 import org.apache.qpid.server.util.urlstreamhandler.data.Handler;
 
 public class FileTrustStoreImpl extends AbstractTrustStore<FileTrustStoreImpl> implements
FileTrustStore<FileTrustStoreImpl>
@@ -149,30 +149,11 @@ public class FileTrustStoreImpl extends AbstractTrustStore<FileTrustStoreImpl>
i
 
     private static void validateTrustStore(FileTrustStore trustStore)
     {
-        KeyStore keyStore;
+        final String loggableStoreUrl = StringUtil.elideDataUrl(trustStore.getStoreUrl());
         try
         {
-            keyStore = initializeKeyStore(trustStore);
-        }
-        catch (Exception e)
-        {
-            final String message;
-            if (e instanceof IOException && e.getCause() != null && e.getCause()
instanceof UnrecoverableKeyException)
-            {
-                message = "Check trust store password. Cannot instantiate trust store from
'"
-                          + trustStore.getStoreUrl()
-                          + "'.";
-            }
-            else
-            {
-                message = "Cannot instantiate trust store from '" + trustStore.getStoreUrl()
+ "'.";
-            }
+            KeyStore keyStore = initializeKeyStore(trustStore);
 
-            throw new IllegalConfigurationException(message, e);
-        }
-
-        try
-        {
             final Enumeration<String> aliasesEnum = keyStore.aliases();
             boolean certificateFound = false;
             while (aliasesEnum.hasMoreElements())
@@ -186,12 +167,19 @@ public class FileTrustStoreImpl extends AbstractTrustStore<FileTrustStoreImpl>
i
             }
             if (!certificateFound)
             {
-                throw new IllegalConfigurationException("Trust store must contain at least
one certificate.");
+                throw new IllegalConfigurationException(String.format(
+                        "Trust store '%s' must contain at least one certificate.", loggableStoreUrl));
             }
         }
-        catch (KeyStoreException e)
+        catch (UnrecoverableKeyException e)
         {
-            throw new ServerScopedRuntimeException("Trust store has not been initialized",
e);
+            String message = String.format("Check trust store password. Cannot instantiate
trust store from '%s'.", loggableStoreUrl);
+            throw new IllegalConfigurationException(message, e);
+        }
+        catch (IOException | GeneralSecurityException e)
+        {
+            final String message = String.format("Cannot instantiate trust store from '%s'.",
loggableStoreUrl);
+            throw new IllegalConfigurationException(message, e);
         }
 
         try
@@ -200,7 +188,8 @@ public class FileTrustStoreImpl extends AbstractTrustStore<FileTrustStoreImpl>
i
         }
         catch (NoSuchAlgorithmException e)
         {
-            throw new IllegalConfigurationException("Unknown trustManagerFactoryAlgorithm:
" + trustStore.getTrustManagerFactoryAlgorithm());
+            throw new IllegalConfigurationException(String.format("Unknown trustManagerFactoryAlgorithm
'%s'",
+                                                                  trustStore.getTrustManagerFactoryAlgorithm()));
         }
     }
 
@@ -247,7 +236,7 @@ public class FileTrustStoreImpl extends AbstractTrustStore<FileTrustStoreImpl>
i
     }
 
     @Override
-    protected TrustManager[] getTrustManagersInternal() throws GeneralSecurityException
+    protected TrustManager[] getTrustManagersInternal()
     {
         TrustManager[] trustManagers = _trustManagers;
         if (trustManagers == null || trustManagers.length == 0)
@@ -258,7 +247,7 @@ public class FileTrustStoreImpl extends AbstractTrustStore<FileTrustStoreImpl>
i
     }
 
     @Override
-    public Certificate[] getCertificates() throws GeneralSecurityException
+    public Certificate[] getCertificates()
     {
         Certificate[] certificates = _certificates;
         return certificates == null ? new Certificate[0] : Arrays.copyOf(certificates, certificates.length);

http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/eef93a82/broker-core/src/main/java/org/apache/qpid/server/transport/network/security/ssl/SSLUtil.java
----------------------------------------------------------------------
diff --git a/broker-core/src/main/java/org/apache/qpid/server/transport/network/security/ssl/SSLUtil.java
b/broker-core/src/main/java/org/apache/qpid/server/transport/network/security/ssl/SSLUtil.java
index 9e6ab0a..520268c 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/transport/network/security/ssl/SSLUtil.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/transport/network/security/ssl/SSLUtil.java
@@ -427,6 +427,17 @@ public class SSLUtil
 
             ks.load(in, storeCharPassword);
         }
+        catch (IOException ioe)
+        {
+            if (ioe.getCause() instanceof GeneralSecurityException)
+            {
+                throw ((GeneralSecurityException) ioe.getCause());
+            }
+            else
+            {
+                throw ioe;
+            }
+        }
         return ks;
     }
 

http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/eef93a82/broker-core/src/main/java/org/apache/qpid/server/util/StringUtil.java
----------------------------------------------------------------------
diff --git a/broker-core/src/main/java/org/apache/qpid/server/util/StringUtil.java b/broker-core/src/main/java/org/apache/qpid/server/util/StringUtil.java
index 2b986a3..b986370 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/util/StringUtil.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/util/StringUtil.java
@@ -37,6 +37,11 @@ public class StringUtil
 
     private Random _random = new Random();
 
+    public static String elideDataUrl(final String path)
+    {
+        return String.valueOf(path).toLowerCase().startsWith("data:") ? "data:..." : path;
+    }
+
     public String randomAlphaNumericString(int maxLength)
     {
         char[] result = new char[maxLength];

http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/eef93a82/broker-core/src/test/java/org/apache/qpid/server/security/FileKeyStoreTest.java
----------------------------------------------------------------------
diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/FileKeyStoreTest.java
b/broker-core/src/test/java/org/apache/qpid/server/security/FileKeyStoreTest.java
index 535badb..441d000 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/security/FileKeyStoreTest.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/security/FileKeyStoreTest.java
@@ -154,7 +154,7 @@ public class FileKeyStoreTest extends QpidTestCase
         catch (IllegalConfigurationException ice)
         {
             String message = ice.getMessage();
-            assertTrue("Exception text not as unexpected:" + message, message.contains("does
not identify a key"));
+            assertTrue("Exception text not as unexpected:" + message, message.contains("does
not identify a private key"));
         }
     }
 
@@ -298,7 +298,7 @@ public class FileKeyStoreTest extends QpidTestCase
         catch (IllegalConfigurationException ice)
         {
             String message = ice.getMessage();
-            assertTrue("Exception text not as unexpected:" + message, message.contains("Keystore
must contain at least one private key."));
+            assertTrue("Exception text not as unexpected:" + message, message.contains("must
contain at least one private key"));
         }
     }
 

http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/eef93a82/broker-core/src/test/java/org/apache/qpid/server/security/FileTrustStoreTest.java
----------------------------------------------------------------------
diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/FileTrustStoreTest.java
b/broker-core/src/test/java/org/apache/qpid/server/security/FileTrustStoreTest.java
index bab4f26..06be7a0 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/security/FileTrustStoreTest.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/security/FileTrustStoreTest.java
@@ -334,7 +334,7 @@ public class FileTrustStoreTest extends QpidTestCase
         catch (IllegalConfigurationException ice)
         {
             String message = ice.getMessage();
-            assertTrue("Exception text not as unexpected:" + message, message.contains("Trust
store must contain at least one certificate."));
+            assertTrue("Exception text not as unexpected:" + message, message.contains("must
contain at least one certificate"));
         }
     }
 

http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/eef93a82/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/AclFileAccessControlProviderImpl.java
----------------------------------------------------------------------
diff --git a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/AclFileAccessControlProviderImpl.java
b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/AclFileAccessControlProviderImpl.java
index c8a90d7..0a80b81 100644
--- a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/AclFileAccessControlProviderImpl.java
+++ b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/AclFileAccessControlProviderImpl.java
@@ -40,6 +40,7 @@ import org.apache.qpid.server.model.StateTransition;
 import org.apache.qpid.server.security.access.Operation;
 import org.apache.qpid.server.security.access.config.AclFileParser;
 import org.apache.qpid.server.security.access.config.RuleBasedAccessControl;
+import org.apache.qpid.server.util.StringUtil;
 import org.apache.qpid.server.util.urlstreamhandler.data.Handler;
 
 public class AclFileAccessControlProviderImpl
@@ -86,7 +87,7 @@ public class AclFileAccessControlProviderImpl
             LOGGER.debug("Calling changeAttributes to try to force update");
             // force the change listener to fire, causing the parent broker to update its
cache
             changeAttributes(Collections.<String,Object>emptyMap());
-            getEventLogger().message(AccessControlMessages.LOADED(String.valueOf(getPath()).startsWith("data:")
? "data:..." : getPath()));
+            getEventLogger().message(AccessControlMessages.LOADED(StringUtil.elideDataUrl(getPath())));
 
         }
         catch(RuntimeException e)


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@qpid.apache.org
For additional commands, e-mail: commits-help@qpid.apache.org


Mime
View raw message