You are viewing a plain text version of this content. The canonical link for it is here.
Posted to scm@geronimo.apache.org by ri...@apache.org on 2006/05/13 16:00:45 UTC
svn commit: r406106 -
/geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java
Author: rickmcguire
Date: Sat May 13 07:00:44 2006
New Revision: 406106
URL: http://svn.apache.org/viewcvs?rev=406106&view=rev
Log:
GERONIMO-2019 -- add ability to create client-side SSLSocketFactories to KeystoreManager API.
Modified:
geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java
Modified: geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java
URL: http://svn.apache.org/viewcvs/geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java?rev=406106&r1=406105&r2=406106&view=diff
==============================================================================
--- geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java (original)
+++ geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java Sat May 13 07:00:44 2006
@@ -42,6 +42,7 @@
import java.util.List;
import java.util.Vector;
import javax.net.ssl.SSLServerSocketFactory;
+import javax.net.ssl.SSLSocketFactory;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.geronimo.gbean.AbstractName;
@@ -173,7 +174,101 @@
}
}
- public SSLServerSocketFactory createSSLFactory(String provider, String protocol, String algorithm, String keyStore, String keyAlias, String trustStore, ClassLoader loader) throws KeystoreIsLocked, KeyIsLocked, NoSuchAlgorithmException, UnrecoverableKeyException, KeyStoreException, KeyManagementException, NoSuchProviderException {
+ /**
+ * Gets a SocketFactory using one Keystore to access the private key
+ * and another to provide the list of trusted certificate authorities.
+ * @param provider The SSL provider to use, or null for the default
+ * @param protocol The SSL protocol to use
+ * @param algorithm The SSL algorithm to use
+ * @param keyStore The key keystore name as provided by listKeystores. The
+ * KeystoreInstance for this keystore must be unlocked.
+ * @param keyAlias The name of the private key in the keystore. The
+ * KeystoreInstance for this keystore must have unlocked
+ * this key.
+ * @param trustStore The trust keystore name as provided by listKeystores.
+ * The KeystoreInstance for this keystore must have
+ * unlocked this key.
+ *
+ * @throws KeystoreIsLocked Occurs when the requested key keystore cannot
+ * be used because it has not been unlocked.
+ * @throws KeyIsLocked Occurs when the requested private key in the key
+ * keystore cannot be used because it has not been
+ * unlocked.
+ */
+ public SSLSocketFactory createSSLFactory(String provider, String protocol, String algorithm, String keyStore, String keyAlias, String trustStore, ClassLoader loader) throws KeystoreIsLocked, KeyIsLocked, NoSuchAlgorithmException, UnrecoverableKeyException, KeyStoreException, KeyManagementException, NoSuchProviderException {
+ KeystoreInstance keyInstance = getKeystore(keyStore);
+ if(keyInstance.isKeystoreLocked()) {
+ throw new KeystoreIsLocked("Keystore '"+keyStore+"' is locked; please use the keystore page in the admin console to unlock it");
+ }
+ if(keyInstance.isKeyUnlocked(keyAlias)) {
+ throw new KeystoreIsLocked("Key '"+keyAlias+"' in keystore '"+keyStore+"' is locked; please use the keystore page in the admin console to unlock it");
+ }
+ KeystoreInstance trustInstance = trustStore == null ? null : getKeystore(trustStore);
+ if(trustInstance != null && trustInstance.isKeystoreLocked()) {
+ throw new KeystoreIsLocked("Keystore '"+trustStore+"' is locked; please use the keystore page in the admin console to unlock it");
+ }
+
+ // OMG this hurts, but it causes ClassCastExceptions elsewhere unless done this way!
+ try {
+ Class cls = loader.loadClass("javax.net.ssl.SSLContext");
+ Object ctx = cls.getMethod("getInstance", new Class[] {String.class}).invoke(null, new Object[]{protocol});
+ Class kmc = loader.loadClass("[Ljavax.net.ssl.KeyManager;");
+ Class tmc = loader.loadClass("[Ljavax.net.ssl.TrustManager;");
+ Class src = loader.loadClass("java.security.SecureRandom");
+ cls.getMethod("init", new Class[]{kmc, tmc, src}).invoke(ctx, new Object[]{keyInstance.getKeyManager(algorithm, keyAlias),
+ trustInstance == null ? null : trustInstance.getTrustManager(algorithm),
+ new java.security.SecureRandom()});
+ Object result = cls.getMethod("getSocketFactory", new Class[0]).invoke(ctx, new Object[0]);
+ return (SSLSocketFactory) result;
+ } catch (Exception e) {
+ log.error("Unable to dynamically load", e);
+ return null;
+ }
+ }
+
+ /**
+ * Gets a ServerSocketFactory using one Keystore to access the private key
+ * and another to provide the list of trusted certificate authorities.
+ * @param provider The SSL provider to use, or null for the default
+ * @param protocol The SSL protocol to use
+ * @param algorithm The SSL algorithm to use
+ * @param keyStore The key keystore name as provided by listKeystores. The
+ * KeystoreInstance for this keystore must be unlocked.
+ * @param keyAlias The name of the private key in the keystore. The
+ * KeystoreInstance for this keystore must have unlocked
+ * this key.
+ * @param trustStore The trust keystore name as provided by listKeystores.
+ * The KeystoreInstance for this keystore must have
+ * unlocked this key.
+ *
+ * @throws KeystoreIsLocked Occurs when the requested key keystore cannot
+ * be used because it has not been unlocked.
+ * @throws KeyIsLocked Occurs when the requested private key in the key
+ * keystore cannot be used because it has not been
+ * unlocked.
+ */
+ /**
+ * Create an SSLServerSocketFactory configured from the
+ * appropriate characteristics.
+ *
+ * @param provider The JSSE provider to use (optional).
+ * @param protocol The protocol we need a factory for.
+ * @param algorithm A particular algoritm to use.
+ * @param keyStore The keystore the factory should be configured with.
+ * @param keyAlias
+ * @param trustStore The trustStore to use for managing trust certificates.
+ * @param loader The ClassLoader instance for loading the factory.
+ *
+ * @return An SSLServerSocketFactory instance.
+ * @exception KeystoreIsLocked
+ * @exception KeyIsLocked
+ * @exception NoSuchAlgorithmException
+ * @exception UnrecoverableKeyException
+ * @exception KeyStoreException
+ * @exception KeyManagementException
+ * @exception NoSuchProviderException
+ */
+ public SSLServerSocketFactory createSSLServerFactory(String provider, String protocol, String algorithm, String keyStore, String keyAlias, String trustStore, ClassLoader loader) throws KeystoreIsLocked, KeyIsLocked, NoSuchAlgorithmException, UnrecoverableKeyException, KeyStoreException, KeyManagementException, NoSuchProviderException {
KeystoreInstance keyInstance = getKeystore(keyStore);
if(keyInstance.isKeystoreLocked()) {
throw new KeystoreIsLocked("Keystore '"+keyStore+"' is locked; please use the keystore page in the admin console to unlock it");
Re: svn commit: r406106 - /geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java
Posted by Aaron Mulder <am...@alumni.princeton.edu>.
On 5/13/06, Rick McGuire <ri...@gmail.com> wrote:
> Ok, I'll fix these up. While doing this, I spotted something that might
> be a bug in the existing code. Is the following test correct?
>
> if(keyInstance.isKeyUnlocked(keyAlias)) {
> throw new KeystoreIsLocked("Key '"+keyAlias+"' in keystore
> '"+keyStore+"' is locked; please use the keystore page in the admin
> console to unlock it");
> }
>
> The test is to see if the key is unlocked, and if it is, it throws an
> exception complaining that the keyAlias IS locked. Either the test or
> the exception appears to be wrong.
It's a case of two wrongs make a right! The method behaves as
isKeyLocked and is called as isKeyLocked even though the name is
isKeyUnlocked. Can you just change the name and JavaDoc of
KeystoreInstance.isKeyUnlocked to isKeyLocked? That'll make it more
consistent with isKeystoreLocked anyway.
Thanks,
Aaron
> > On 5/13/06, rickmcguire@apache.org <ri...@apache.org> wrote:
> >> Author: rickmcguire
> >> Date: Sat May 13 07:00:44 2006
> >> New Revision: 406106
> >>
> >> URL: http://svn.apache.org/viewcvs?rev=406106&view=rev
> >> Log:
> >> GERONIMO-2019 -- add ability to create client-side SSLSocketFactories
> >> to KeystoreManager API.
> >>
> >>
> >> Modified:
> >>
> >> geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java
> >>
> >>
> >> Modified:
> >> geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java
> >>
> >> URL:
> >> http://svn.apache.org/viewcvs/geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java?rev=406106&r1=406105&r2=406106&view=diff
> >>
> >> ==============================================================================
> >>
> >> ---
> >> geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java
> >> (original)
> >> +++
> >> geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java
> >> Sat May 13 07:00:44 2006
> >> @@ -42,6 +42,7 @@
> >> import java.util.List;
> >> import java.util.Vector;
> >> import javax.net.ssl.SSLServerSocketFactory;
> >> +import javax.net.ssl.SSLSocketFactory;
> >> import org.apache.commons.logging.Log;
> >> import org.apache.commons.logging.LogFactory;
> >> import org.apache.geronimo.gbean.AbstractName;
> >> @@ -173,7 +174,101 @@
> >> }
> >> }
> >>
> >> - public SSLServerSocketFactory createSSLFactory(String provider,
> >> String protocol, String algorithm, String keyStore, String keyAlias,
> >> String trustStore, ClassLoader loader) throws KeystoreIsLocked,
> >> KeyIsLocked, NoSuchAlgorithmException, UnrecoverableKeyException,
> >> KeyStoreException, KeyManagementException, NoSuchProviderException {
> >> + /**
> >> + * Gets a SocketFactory using one Keystore to access the private
> >> key
> >> + * and another to provide the list of trusted certificate
> >> authorities.
> >> + * @param provider The SSL provider to use, or null for the default
> >> + * @param protocol The SSL protocol to use
> >> + * @param algorithm The SSL algorithm to use
> >> + * @param keyStore The key keystore name as provided by
> >> listKeystores. The
> >> + * KeystoreInstance for this keystore must be
> >> unlocked.
> >> + * @param keyAlias The name of the private key in the keystore.
> >> The
> >> + * KeystoreInstance for this keystore must have
> >> unlocked
> >> + * this key.
> >> + * @param trustStore The trust keystore name as provided by
> >> listKeystores.
> >> + * The KeystoreInstance for this keystore must
> >> have
> >> + * unlocked this key.
> >> + *
> >> + * @throws KeystoreIsLocked Occurs when the requested key
> >> keystore cannot
> >> + * be used because it has not been
> >> unlocked.
> >> + * @throws KeyIsLocked Occurs when the requested private key in
> >> the key
> >> + * keystore cannot be used because it has
> >> not been
> >> + * unlocked.
> >> + */
> >> + public SSLSocketFactory createSSLFactory(String provider, String
> >> protocol, String algorithm, String keyStore, String keyAlias, String
> >> trustStore, ClassLoader loader) throws KeystoreIsLocked, KeyIsLocked,
> >> NoSuchAlgorithmException, UnrecoverableKeyException,
> >> KeyStoreException, KeyManagementException, NoSuchProviderException {
> >> + KeystoreInstance keyInstance = getKeystore(keyStore);
> >> + if(keyInstance.isKeystoreLocked()) {
> >> + throw new KeystoreIsLocked("Keystore '"+keyStore+"' is
> >> locked; please use the keystore page in the admin console to unlock
> >> it");
> >> + }
> >> + if(keyInstance.isKeyUnlocked(keyAlias)) {
> >> + throw new KeystoreIsLocked("Key '"+keyAlias+"' in
> >> keystore '"+keyStore+"' is locked; please use the keystore page in
> >> the admin console to unlock it");
> >> + }
> >> + KeystoreInstance trustInstance = trustStore == null ? null :
> >> getKeystore(trustStore);
> >> + if(trustInstance != null && trustInstance.isKeystoreLocked()) {
> >> + throw new KeystoreIsLocked("Keystore '"+trustStore+"' is
> >> locked; please use the keystore page in the admin console to unlock
> >> it");
> >> + }
> >> +
> >> + // OMG this hurts, but it causes ClassCastExceptions
> >> elsewhere unless done this way!
> >> + try {
> >> + Class cls = loader.loadClass("javax.net.ssl.SSLContext");
> >> + Object ctx = cls.getMethod("getInstance", new Class[]
> >> {String.class}).invoke(null, new Object[]{protocol});
> >> + Class kmc =
> >> loader.loadClass("[Ljavax.net.ssl.KeyManager;");
> >> + Class tmc =
> >> loader.loadClass("[Ljavax.net.ssl.TrustManager;");
> >> + Class src = loader.loadClass("java.security.SecureRandom");
> >> + cls.getMethod("init", new Class[]{kmc, tmc,
> >> src}).invoke(ctx, new Object[]{keyInstance.getKeyManager(algorithm,
> >> keyAlias),
> >> +
> >> trustInstance == null ? null : trustInstance.getTrustManager(algorithm),
> >> +
> >> new java.security.SecureRandom()});
> >> + Object result = cls.getMethod("getSocketFactory", new
> >> Class[0]).invoke(ctx, new Object[0]);
> >> + return (SSLSocketFactory) result;
> >> + } catch (Exception e) {
> >> + log.error("Unable to dynamically load", e);
> >> + return null;
> >> + }
> >> + }
> >> +
> >> + /**
> >> + * Gets a ServerSocketFactory using one Keystore to access the
> >> private key
> >> + * and another to provide the list of trusted certificate
> >> authorities.
> >> + * @param provider The SSL provider to use, or null for the default
> >> + * @param protocol The SSL protocol to use
> >> + * @param algorithm The SSL algorithm to use
> >> + * @param keyStore The key keystore name as provided by
> >> listKeystores. The
> >> + * KeystoreInstance for this keystore must be
> >> unlocked.
> >> + * @param keyAlias The name of the private key in the keystore.
> >> The
> >> + * KeystoreInstance for this keystore must have
> >> unlocked
> >> + * this key.
> >> + * @param trustStore The trust keystore name as provided by
> >> listKeystores.
> >> + * The KeystoreInstance for this keystore must
> >> have
> >> + * unlocked this key.
> >> + *
> >> + * @throws KeystoreIsLocked Occurs when the requested key
> >> keystore cannot
> >> + * be used because it has not been
> >> unlocked.
> >> + * @throws KeyIsLocked Occurs when the requested private key in
> >> the key
> >> + * keystore cannot be used because it has
> >> not been
> >> + * unlocked.
> >> + */
> >> + /**
> >> + * Create an SSLServerSocketFactory configured from the
> >> + * appropriate characteristics.
> >> + *
> >> + * @param provider The JSSE provider to use (optional).
> >> + * @param protocol The protocol we need a factory for.
> >> + * @param algorithm A particular algoritm to use.
> >> + * @param keyStore The keystore the factory should be
> >> configured with.
> >> + * @param keyAlias
> >> + * @param trustStore The trustStore to use for managing trust
> >> certificates.
> >> + * @param loader The ClassLoader instance for loading the
> >> factory.
> >> + *
> >> + * @return An SSLServerSocketFactory instance.
> >> + * @exception KeystoreIsLocked
> >> + * @exception KeyIsLocked
> >> + * @exception NoSuchAlgorithmException
> >> + * @exception UnrecoverableKeyException
> >> + * @exception KeyStoreException
> >> + * @exception KeyManagementException
> >> + * @exception NoSuchProviderException
> >> + */
> >> + public SSLServerSocketFactory createSSLServerFactory(String
> >> provider, String protocol, String algorithm, String keyStore, String
> >> keyAlias, String trustStore, ClassLoader loader) throws
> >> KeystoreIsLocked, KeyIsLocked, NoSuchAlgorithmException,
> >> UnrecoverableKeyException, KeyStoreException, KeyManagementException,
> >> NoSuchProviderException {
> >> KeystoreInstance keyInstance = getKeystore(keyStore);
> >> if(keyInstance.isKeystoreLocked()) {
> >> throw new KeystoreIsLocked("Keystore '"+keyStore+"' is
> >> locked; please use the keystore page in the admin console to unlock
> >> it");
> >>
> >>
> >>
> >
>
>
Re: svn commit: r406106 - /geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java
Posted by Rick McGuire <ri...@gmail.com>.
Aaron Mulder wrote:
> -1 to this, for a couple reasons:
>
> First and least important, in the future, please commit all 3 files
> together rather than having 3 separate commits for three separate
> files when they won't compile unless all are applied together.
>
> Second, one of the methods now has two more or less complete yet
> different sets of JavaDoc?
>
> Third, as I mentioned before, if client auth is not required, the
> client should not actually need a keystore, only a trust store.
> Currently, if you pass a keystore of null, it looks like you'd get
> either a NullPointerException or an IllegalArgumentException. The
> method you added probably needs to compensate for nulls and still
> provide a working trust store based SSLSocketFactory, and it would
> probably be good to have a second method to generate a client
> SSLSocketFactory that doen't take the keystore or related arguments at
> all.
Ok, I'll fix these up. While doing this, I spotted something that might
be a bug in the existing code. Is the following test correct?
if(keyInstance.isKeyUnlocked(keyAlias)) {
throw new KeystoreIsLocked("Key '"+keyAlias+"' in keystore
'"+keyStore+"' is locked; please use the keystore page in the admin
console to unlock it");
}
The test is to see if the key is unlocked, and if it is, it throws an
exception complaining that the keyAlias IS locked. Either the test or
the exception appears to be wrong.
>
> Thanks,
> Aaron
>
> On 5/13/06, rickmcguire@apache.org <ri...@apache.org> wrote:
>> Author: rickmcguire
>> Date: Sat May 13 07:00:44 2006
>> New Revision: 406106
>>
>> URL: http://svn.apache.org/viewcvs?rev=406106&view=rev
>> Log:
>> GERONIMO-2019 -- add ability to create client-side SSLSocketFactories
>> to KeystoreManager API.
>>
>>
>> Modified:
>>
>> geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java
>>
>>
>> Modified:
>> geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java
>>
>> URL:
>> http://svn.apache.org/viewcvs/geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java?rev=406106&r1=406105&r2=406106&view=diff
>>
>> ==============================================================================
>>
>> ---
>> geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java
>> (original)
>> +++
>> geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java
>> Sat May 13 07:00:44 2006
>> @@ -42,6 +42,7 @@
>> import java.util.List;
>> import java.util.Vector;
>> import javax.net.ssl.SSLServerSocketFactory;
>> +import javax.net.ssl.SSLSocketFactory;
>> import org.apache.commons.logging.Log;
>> import org.apache.commons.logging.LogFactory;
>> import org.apache.geronimo.gbean.AbstractName;
>> @@ -173,7 +174,101 @@
>> }
>> }
>>
>> - public SSLServerSocketFactory createSSLFactory(String provider,
>> String protocol, String algorithm, String keyStore, String keyAlias,
>> String trustStore, ClassLoader loader) throws KeystoreIsLocked,
>> KeyIsLocked, NoSuchAlgorithmException, UnrecoverableKeyException,
>> KeyStoreException, KeyManagementException, NoSuchProviderException {
>> + /**
>> + * Gets a SocketFactory using one Keystore to access the private
>> key
>> + * and another to provide the list of trusted certificate
>> authorities.
>> + * @param provider The SSL provider to use, or null for the default
>> + * @param protocol The SSL protocol to use
>> + * @param algorithm The SSL algorithm to use
>> + * @param keyStore The key keystore name as provided by
>> listKeystores. The
>> + * KeystoreInstance for this keystore must be
>> unlocked.
>> + * @param keyAlias The name of the private key in the keystore.
>> The
>> + * KeystoreInstance for this keystore must have
>> unlocked
>> + * this key.
>> + * @param trustStore The trust keystore name as provided by
>> listKeystores.
>> + * The KeystoreInstance for this keystore must
>> have
>> + * unlocked this key.
>> + *
>> + * @throws KeystoreIsLocked Occurs when the requested key
>> keystore cannot
>> + * be used because it has not been
>> unlocked.
>> + * @throws KeyIsLocked Occurs when the requested private key in
>> the key
>> + * keystore cannot be used because it has
>> not been
>> + * unlocked.
>> + */
>> + public SSLSocketFactory createSSLFactory(String provider, String
>> protocol, String algorithm, String keyStore, String keyAlias, String
>> trustStore, ClassLoader loader) throws KeystoreIsLocked, KeyIsLocked,
>> NoSuchAlgorithmException, UnrecoverableKeyException,
>> KeyStoreException, KeyManagementException, NoSuchProviderException {
>> + KeystoreInstance keyInstance = getKeystore(keyStore);
>> + if(keyInstance.isKeystoreLocked()) {
>> + throw new KeystoreIsLocked("Keystore '"+keyStore+"' is
>> locked; please use the keystore page in the admin console to unlock
>> it");
>> + }
>> + if(keyInstance.isKeyUnlocked(keyAlias)) {
>> + throw new KeystoreIsLocked("Key '"+keyAlias+"' in
>> keystore '"+keyStore+"' is locked; please use the keystore page in
>> the admin console to unlock it");
>> + }
>> + KeystoreInstance trustInstance = trustStore == null ? null :
>> getKeystore(trustStore);
>> + if(trustInstance != null && trustInstance.isKeystoreLocked()) {
>> + throw new KeystoreIsLocked("Keystore '"+trustStore+"' is
>> locked; please use the keystore page in the admin console to unlock
>> it");
>> + }
>> +
>> + // OMG this hurts, but it causes ClassCastExceptions
>> elsewhere unless done this way!
>> + try {
>> + Class cls = loader.loadClass("javax.net.ssl.SSLContext");
>> + Object ctx = cls.getMethod("getInstance", new Class[]
>> {String.class}).invoke(null, new Object[]{protocol});
>> + Class kmc =
>> loader.loadClass("[Ljavax.net.ssl.KeyManager;");
>> + Class tmc =
>> loader.loadClass("[Ljavax.net.ssl.TrustManager;");
>> + Class src = loader.loadClass("java.security.SecureRandom");
>> + cls.getMethod("init", new Class[]{kmc, tmc,
>> src}).invoke(ctx, new Object[]{keyInstance.getKeyManager(algorithm,
>> keyAlias),
>> +
>> trustInstance == null ? null : trustInstance.getTrustManager(algorithm),
>> +
>> new java.security.SecureRandom()});
>> + Object result = cls.getMethod("getSocketFactory", new
>> Class[0]).invoke(ctx, new Object[0]);
>> + return (SSLSocketFactory) result;
>> + } catch (Exception e) {
>> + log.error("Unable to dynamically load", e);
>> + return null;
>> + }
>> + }
>> +
>> + /**
>> + * Gets a ServerSocketFactory using one Keystore to access the
>> private key
>> + * and another to provide the list of trusted certificate
>> authorities.
>> + * @param provider The SSL provider to use, or null for the default
>> + * @param protocol The SSL protocol to use
>> + * @param algorithm The SSL algorithm to use
>> + * @param keyStore The key keystore name as provided by
>> listKeystores. The
>> + * KeystoreInstance for this keystore must be
>> unlocked.
>> + * @param keyAlias The name of the private key in the keystore.
>> The
>> + * KeystoreInstance for this keystore must have
>> unlocked
>> + * this key.
>> + * @param trustStore The trust keystore name as provided by
>> listKeystores.
>> + * The KeystoreInstance for this keystore must
>> have
>> + * unlocked this key.
>> + *
>> + * @throws KeystoreIsLocked Occurs when the requested key
>> keystore cannot
>> + * be used because it has not been
>> unlocked.
>> + * @throws KeyIsLocked Occurs when the requested private key in
>> the key
>> + * keystore cannot be used because it has
>> not been
>> + * unlocked.
>> + */
>> + /**
>> + * Create an SSLServerSocketFactory configured from the
>> + * appropriate characteristics.
>> + *
>> + * @param provider The JSSE provider to use (optional).
>> + * @param protocol The protocol we need a factory for.
>> + * @param algorithm A particular algoritm to use.
>> + * @param keyStore The keystore the factory should be
>> configured with.
>> + * @param keyAlias
>> + * @param trustStore The trustStore to use for managing trust
>> certificates.
>> + * @param loader The ClassLoader instance for loading the
>> factory.
>> + *
>> + * @return An SSLServerSocketFactory instance.
>> + * @exception KeystoreIsLocked
>> + * @exception KeyIsLocked
>> + * @exception NoSuchAlgorithmException
>> + * @exception UnrecoverableKeyException
>> + * @exception KeyStoreException
>> + * @exception KeyManagementException
>> + * @exception NoSuchProviderException
>> + */
>> + public SSLServerSocketFactory createSSLServerFactory(String
>> provider, String protocol, String algorithm, String keyStore, String
>> keyAlias, String trustStore, ClassLoader loader) throws
>> KeystoreIsLocked, KeyIsLocked, NoSuchAlgorithmException,
>> UnrecoverableKeyException, KeyStoreException, KeyManagementException,
>> NoSuchProviderException {
>> KeystoreInstance keyInstance = getKeystore(keyStore);
>> if(keyInstance.isKeystoreLocked()) {
>> throw new KeystoreIsLocked("Keystore '"+keyStore+"' is
>> locked; please use the keystore page in the admin console to unlock
>> it");
>>
>>
>>
>
Re: svn commit: r406106 - /geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java
Posted by Aaron Mulder <am...@alumni.princeton.edu>.
-1 to this, for a couple reasons:
First and least important, in the future, please commit all 3 files
together rather than having 3 separate commits for three separate
files when they won't compile unless all are applied together.
Second, one of the methods now has two more or less complete yet
different sets of JavaDoc?
Third, as I mentioned before, if client auth is not required, the
client should not actually need a keystore, only a trust store.
Currently, if you pass a keystore of null, it looks like you'd get
either a NullPointerException or an IllegalArgumentException. The
method you added probably needs to compensate for nulls and still
provide a working trust store based SSLSocketFactory, and it would
probably be good to have a second method to generate a client
SSLSocketFactory that doen't take the keystore or related arguments at
all.
Thanks,
Aaron
On 5/13/06, rickmcguire@apache.org <ri...@apache.org> wrote:
> Author: rickmcguire
> Date: Sat May 13 07:00:44 2006
> New Revision: 406106
>
> URL: http://svn.apache.org/viewcvs?rev=406106&view=rev
> Log:
> GERONIMO-2019 -- add ability to create client-side SSLSocketFactories to KeystoreManager API.
>
>
> Modified:
> geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java
>
> Modified: geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java
> URL: http://svn.apache.org/viewcvs/geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java?rev=406106&r1=406105&r2=406106&view=diff
> ==============================================================================
> --- geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java (original)
> +++ geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java Sat May 13 07:00:44 2006
> @@ -42,6 +42,7 @@
> import java.util.List;
> import java.util.Vector;
> import javax.net.ssl.SSLServerSocketFactory;
> +import javax.net.ssl.SSLSocketFactory;
> import org.apache.commons.logging.Log;
> import org.apache.commons.logging.LogFactory;
> import org.apache.geronimo.gbean.AbstractName;
> @@ -173,7 +174,101 @@
> }
> }
>
> - public SSLServerSocketFactory createSSLFactory(String provider, String protocol, String algorithm, String keyStore, String keyAlias, String trustStore, ClassLoader loader) throws KeystoreIsLocked, KeyIsLocked, NoSuchAlgorithmException, UnrecoverableKeyException, KeyStoreException, KeyManagementException, NoSuchProviderException {
> + /**
> + * Gets a SocketFactory using one Keystore to access the private key
> + * and another to provide the list of trusted certificate authorities.
> + * @param provider The SSL provider to use, or null for the default
> + * @param protocol The SSL protocol to use
> + * @param algorithm The SSL algorithm to use
> + * @param keyStore The key keystore name as provided by listKeystores. The
> + * KeystoreInstance for this keystore must be unlocked.
> + * @param keyAlias The name of the private key in the keystore. The
> + * KeystoreInstance for this keystore must have unlocked
> + * this key.
> + * @param trustStore The trust keystore name as provided by listKeystores.
> + * The KeystoreInstance for this keystore must have
> + * unlocked this key.
> + *
> + * @throws KeystoreIsLocked Occurs when the requested key keystore cannot
> + * be used because it has not been unlocked.
> + * @throws KeyIsLocked Occurs when the requested private key in the key
> + * keystore cannot be used because it has not been
> + * unlocked.
> + */
> + public SSLSocketFactory createSSLFactory(String provider, String protocol, String algorithm, String keyStore, String keyAlias, String trustStore, ClassLoader loader) throws KeystoreIsLocked, KeyIsLocked, NoSuchAlgorithmException, UnrecoverableKeyException, KeyStoreException, KeyManagementException, NoSuchProviderException {
> + KeystoreInstance keyInstance = getKeystore(keyStore);
> + if(keyInstance.isKeystoreLocked()) {
> + throw new KeystoreIsLocked("Keystore '"+keyStore+"' is locked; please use the keystore page in the admin console to unlock it");
> + }
> + if(keyInstance.isKeyUnlocked(keyAlias)) {
> + throw new KeystoreIsLocked("Key '"+keyAlias+"' in keystore '"+keyStore+"' is locked; please use the keystore page in the admin console to unlock it");
> + }
> + KeystoreInstance trustInstance = trustStore == null ? null : getKeystore(trustStore);
> + if(trustInstance != null && trustInstance.isKeystoreLocked()) {
> + throw new KeystoreIsLocked("Keystore '"+trustStore+"' is locked; please use the keystore page in the admin console to unlock it");
> + }
> +
> + // OMG this hurts, but it causes ClassCastExceptions elsewhere unless done this way!
> + try {
> + Class cls = loader.loadClass("javax.net.ssl.SSLContext");
> + Object ctx = cls.getMethod("getInstance", new Class[] {String.class}).invoke(null, new Object[]{protocol});
> + Class kmc = loader.loadClass("[Ljavax.net.ssl.KeyManager;");
> + Class tmc = loader.loadClass("[Ljavax.net.ssl.TrustManager;");
> + Class src = loader.loadClass("java.security.SecureRandom");
> + cls.getMethod("init", new Class[]{kmc, tmc, src}).invoke(ctx, new Object[]{keyInstance.getKeyManager(algorithm, keyAlias),
> + trustInstance == null ? null : trustInstance.getTrustManager(algorithm),
> + new java.security.SecureRandom()});
> + Object result = cls.getMethod("getSocketFactory", new Class[0]).invoke(ctx, new Object[0]);
> + return (SSLSocketFactory) result;
> + } catch (Exception e) {
> + log.error("Unable to dynamically load", e);
> + return null;
> + }
> + }
> +
> + /**
> + * Gets a ServerSocketFactory using one Keystore to access the private key
> + * and another to provide the list of trusted certificate authorities.
> + * @param provider The SSL provider to use, or null for the default
> + * @param protocol The SSL protocol to use
> + * @param algorithm The SSL algorithm to use
> + * @param keyStore The key keystore name as provided by listKeystores. The
> + * KeystoreInstance for this keystore must be unlocked.
> + * @param keyAlias The name of the private key in the keystore. The
> + * KeystoreInstance for this keystore must have unlocked
> + * this key.
> + * @param trustStore The trust keystore name as provided by listKeystores.
> + * The KeystoreInstance for this keystore must have
> + * unlocked this key.
> + *
> + * @throws KeystoreIsLocked Occurs when the requested key keystore cannot
> + * be used because it has not been unlocked.
> + * @throws KeyIsLocked Occurs when the requested private key in the key
> + * keystore cannot be used because it has not been
> + * unlocked.
> + */
> + /**
> + * Create an SSLServerSocketFactory configured from the
> + * appropriate characteristics.
> + *
> + * @param provider The JSSE provider to use (optional).
> + * @param protocol The protocol we need a factory for.
> + * @param algorithm A particular algoritm to use.
> + * @param keyStore The keystore the factory should be configured with.
> + * @param keyAlias
> + * @param trustStore The trustStore to use for managing trust certificates.
> + * @param loader The ClassLoader instance for loading the factory.
> + *
> + * @return An SSLServerSocketFactory instance.
> + * @exception KeystoreIsLocked
> + * @exception KeyIsLocked
> + * @exception NoSuchAlgorithmException
> + * @exception UnrecoverableKeyException
> + * @exception KeyStoreException
> + * @exception KeyManagementException
> + * @exception NoSuchProviderException
> + */
> + public SSLServerSocketFactory createSSLServerFactory(String provider, String protocol, String algorithm, String keyStore, String keyAlias, String trustStore, ClassLoader loader) throws KeystoreIsLocked, KeyIsLocked, NoSuchAlgorithmException, UnrecoverableKeyException, KeyStoreException, KeyManagementException, NoSuchProviderException {
> KeystoreInstance keyInstance = getKeystore(keyStore);
> if(keyInstance.isKeystoreLocked()) {
> throw new KeystoreIsLocked("Keystore '"+keyStore+"' is locked; please use the keystore page in the admin console to unlock it");
>
>
>