Posted to commits@knox.apache.org by lm...@apache.org on 2013/09/26 02:29:35 UTC
git commit: KNOX-162 - support same password for key and keystore
Updated Branches:
refs/heads/master 5064bd305 -> 401718e4b
KNOX-162 - support same password for key and keystore
Project: http://git-wip-us.apache.org/repos/asf/incubator-knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-knox/commit/401718e4
Tree: http://git-wip-us.apache.org/repos/asf/incubator-knox/tree/401718e4
Diff: http://git-wip-us.apache.org/repos/asf/incubator-knox/diff/401718e4
Branch: refs/heads/master
Commit: 401718e4b5c2ded82804f1013dd2c20da73189f0
Parents: 5064bd3
Author: Larry McCay <lm...@hortonworks.com>
Authored: Wed Sep 25 20:29:17 2013 -0400
Committer: Larry McCay <lm...@hortonworks.com>
Committed: Wed Sep 25 20:29:17 2013 -0400
----------------------------------------------------------------------
.../apache/hadoop/gateway/GatewayMessages.java | 3 ++
.../security/impl/DefaultKeystoreService.java | 12 ++++--
.../services/security/impl/JettySSLService.java | 39 ++++++++++++--------
3 files changed, 36 insertions(+), 18 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/401718e4/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayMessages.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayMessages.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayMessages.java
index 2120bbf..c294c0b 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayMessages.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayMessages.java
@@ -288,4 +288,7 @@ public interface GatewayMessages {
@Message( level = MessageLevel.ERROR, text = "Failed to generate alias for cluster: {0} {1}." )
void failedToGenerateAliasForCluster(String clusterName, KeystoreServiceException e);
+ @Message( level = MessageLevel.DEBUG, text = "Key passphrase not found in credential store - using master secret." )
+ void assumingKeyPassphraseIsMaster();
+
}
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/401718e4/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/DefaultKeystoreService.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/DefaultKeystoreService.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/DefaultKeystoreService.java
index c80a8aa..e9f093d 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/DefaultKeystoreService.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/DefaultKeystoreService.java
@@ -172,6 +172,10 @@ public class DefaultKeystoreService extends BaseKeystoreService implements Keyst
public Key getKeyForGateway(String alias, char[] passphrase) throws KeystoreServiceException {
Key key = null;
KeyStore ks = getKeystoreForGateway();
+ if (passphrase == null) {
+ passphrase = masterService.getMasterSecret();
+ LOG.assumingKeyPassphraseIsMaster();
+ }
if (ks != null) {
try {
key = ks.getKey(alias, passphrase);
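Review bot: The null-passphrase fallback on the added lines changes the contract of getKeyForGateway — a null passphrase now means "the key is protected by the master secret" — but nothing in the hunk documents that for callers, so the behaviour is visible only through a DEBUG message. I would add above the signature: `/** Returns the key stored under {@code alias}; a {@code null} passphrase is taken to mean the key is protected by the master secret. */`. Reassigning the parameter also aliases the array returned by `masterService.getMasterSecret()`, so if any caller later wipes the passphrase array it would wipe that shared secret as well; whether getMasterSecret returns a fresh copy is not visible here, and if it does not, `passphrase = masterService.getMasterSecret().clone();` would be the safer form. getKeyForGateway's body continues outside the hunk.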
@@ -216,9 +220,11 @@ public class DefaultKeystoreService extends BaseKeystoreService implements Keyst
try {
char[] masterSecret = masterService.getMasterSecret();
Key credentialKey = ks.getKey( alias, masterSecret );
- byte[] credentialBytes = credentialKey.getEncoded();
- String credentialString = new String( credentialBytes );
- credential = credentialString.toCharArray();
+ if (credentialKey != null) {
+ byte[] credentialBytes = credentialKey.getEncoded();
+ String credentialString = new String( credentialBytes );
+ credential = credentialString.toCharArray();
+ }
} catch (UnrecoverableKeyException e) {
LOG.failedToGetCredentialForCluster( clusterName, e );
} catch (KeyStoreException e) {
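Review bot: The re-added `new String( credentialBytes )` still decodes the key's encoded bytes with the platform default charset, so the recovered credential can differ between JVMs with a different `file.encoding`; the conversion should name the charset the storing side used, e.g. `String credentialString = new String( credentialBytes, StandardCharsets.UTF_8 );` (with the matching change where the credential is written, which is not in this diff). The new null check removes the NullPointerException when the alias is absent, but it falls through silently, leaving `credential` at whatever it was initialised to outside the hunk; a DEBUG message on that path would make the fallback that JettySSLService now relies on diagnosable. Building an immutable String from secret material also means it cannot be zeroed afterwards; decoding into a CharBuffer and copying the chars out would avoid the intermediate String if that matters to the project. The enclosing method starts and ends outside the hunk.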
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/401718e4/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
index 2f5a90e..30aac50 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
@@ -98,21 +98,26 @@ public class JettySSLService implements SSLService {
private void logAndValidateCertificate() throws ServiceLifecycleException {
// let's log the hostname (CN) and cert expiry from the gateway's public cert to aid in SSL debugging
Certificate cert = as.getCertificateForGateway("gateway-identity");
- if (cert != null && cert instanceof X509Certificate) {
- X500Principal x500Principal = ((X509Certificate)cert).getSubjectX500Principal();
- X500PrincipalParser parser = new X500PrincipalParser(x500Principal);
- log.certificateHostNameForGateway(parser.getCN());
- Date notBefore = ((X509Certificate) cert).getNotBefore();
- Date notAfter = ((X509Certificate) cert).getNotAfter();
- log.certificateValidityPeriod(notBefore, notAfter);
-
- // let's not even start if the current date is not within the validity period for the SSL cert
- try {
- ((X509Certificate)cert).checkValidity();
- } catch (CertificateExpiredException e) {
- throw new ServiceLifecycleException("Gateway SSL Certificate is Expired. Server will not start.", e);
- } catch (CertificateNotYetValidException e) {
- throw new ServiceLifecycleException("Gateway SSL Certificate is not yet valid. Server will not start.", e);
+ if (cert != null) {
+ if (cert instanceof X509Certificate) {
+ X500Principal x500Principal = ((X509Certificate)cert).getSubjectX500Principal();
+ X500PrincipalParser parser = new X500PrincipalParser(x500Principal);
+ log.certificateHostNameForGateway(parser.getCN());
+ Date notBefore = ((X509Certificate) cert).getNotBefore();
+ Date notAfter = ((X509Certificate) cert).getNotAfter();
+ log.certificateValidityPeriod(notBefore, notAfter);
+
+ // let's not even start if the current date is not within the validity period for the SSL cert
+ try {
+ ((X509Certificate)cert).checkValidity();
+ } catch (CertificateExpiredException e) {
+ throw new ServiceLifecycleException("Gateway SSL Certificate is Expired. Server will not start.", e);
+ } catch (CertificateNotYetValidException e) {
+ throw new ServiceLifecycleException("Gateway SSL Certificate is not yet valid. Server will not start.", e);
+ }
+ }
+ else {
+ throw new ServiceLifecycleException("Public certificate for the gateway cannot be found with the alias gateway-identity. Plase check the identity certificate alias.");
}
}
else {
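Review bot: The new `else` that throws "Public certificate for the gateway cannot be found…" is attached to the `instanceof X509Certificate` test, not to the null check, so it fires when a certificate was found but is not an X.509 certificate, and the message reports the opposite condition (it also misspells "Please" as "Plase"). If the branch is meant for the non-X.509 case the message should say so, e.g. `throw new ServiceLifecycleException("Public certificate for the gateway with alias gateway-identity is not an X.509 certificate. Please check the identity certificate alias.");`; if it was meant for the not-found case, the throw belongs in the outer `else` that continues past the end of this hunk. As a point of style, the five repeated `(X509Certificate) cert` casts in the new block could become one local, `X509Certificate x509 = (X509Certificate) cert;`, now that the branch is nested anyway. logAndValidateCertificate's body continues outside the hunk.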
@@ -129,6 +134,10 @@ public class JettySSLService implements SSLService {
char[] master = ms.getMasterSecret();
sslContextFactory.setKeyStorePassword(new String(master));
char[] keypass = as.getPasswordFromAliasForCluster(GATEWAY_CREDENTIAL_STORE_NAME, GATEWAY_IDENTITY_PASSPHRASE);
+ if (keypass == null) {
+ // there has been no alias created for the key - let's assume it is the same as the keystore password
+ keypass = master;
+ }
sslContextFactory.setKeyManagerPassword(new String(keypass));
// TODO: make specific truststore too?