You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@qpid.apache.org by rg...@apache.org on 2016/03/29 13:10:06 UTC
svn commit: r1736998 - in
/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security:
AbstractKeyStore.java FileKeyStoreImpl.java NonJavaKeyStoreImpl.java
Author: rgodfrey
Date: Tue Mar 29 11:10:06 2016
New Revision: 1736998
URL: http://svn.apache.org/viewvc?rev=1736998&view=rev
Log:
QPID-6995 : Move duplicate code into base class, address comment from [~k-wall] regarding exception handling
Modified:
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/AbstractKeyStore.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/FileKeyStoreImpl.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/NonJavaKeyStoreImpl.java
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/AbstractKeyStore.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/AbstractKeyStore.java?rev=1736998&r1=1736997&r2=1736998&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/AbstractKeyStore.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/AbstractKeyStore.java Tue Mar 29 11:10:06 2016
@@ -20,10 +20,18 @@
*/
package org.apache.qpid.server.security;
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateNotYetValidException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Date;
import java.util.Map;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.TimeUnit;
+import com.google.common.util.concurrent.Futures;
+import com.google.common.util.concurrent.ListenableFuture;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -33,7 +41,9 @@ import org.apache.qpid.server.model.Abst
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.ConfigurationChangeListener;
import org.apache.qpid.server.model.ConfiguredObject;
+import org.apache.qpid.server.model.IntegrityViolationException;
import org.apache.qpid.server.model.KeyStore;
+import org.apache.qpid.server.model.Port;
import org.apache.qpid.server.model.State;
public abstract class AbstractKeyStore<X extends AbstractKeyStore<X>>
@@ -41,7 +51,7 @@ public abstract class AbstractKeyStore<X
{
private static Logger LOGGER = LoggerFactory.getLogger(AbstractKeyStore.class);
- private static final long ONE_DAY = 24l * 60l * 60l * 1000l;
+ protected static final long ONE_DAY = 24l * 60l * 60l * 1000l;
private final Broker<?> _broker;
private final EventLogger _eventLogger;
@@ -161,5 +171,64 @@ public abstract class AbstractKeyStore<X
}
}
+ protected final ListenableFuture<Void> deleteIfNotInUse()
+ {
+ // verify that it is not in use
+ String storeName = getName();
+
+ Collection<Port> ports = new ArrayList<Port>(getBroker().getPorts());
+ for (Port port : ports)
+ {
+ if (port.getKeyStore() == this)
+ {
+ throw new IntegrityViolationException("Key store '" + storeName + "' can't be deleted as it is in use by a port:" + port.getName());
+ }
+ }
+ deleted();
+ setState(State.DELETED);
+ getEventLogger().message(KeyStoreMessages.DELETE(getName()));
+ return Futures.immediateFuture(null);
+ }
+
protected abstract void checkCertificateExpiry();
+
+ protected void checkCertificatesExpiry(final long currentTime,
+ final Date expiryTestDate,
+ final X509Certificate[] chain)
+ {
+ if(chain != null)
+ {
+ for(X509Certificate cert : chain)
+ {
+ try
+ {
+ cert.checkValidity(expiryTestDate);
+ }
+ catch(CertificateExpiredException e)
+ {
+ long timeToExpiry = cert.getNotAfter().getTime() - currentTime;
+ int days = Math.max(0,(int)(timeToExpiry / (ONE_DAY)));
+
+ getEventLogger().message(KeyStoreMessages.EXPIRING(getName(), String.valueOf(days), cert.getSubjectDN().toString()));
+ }
+ catch(CertificateNotYetValidException e)
+ {
+ // ignore
+ }
+ }
+ }
+ }
+
+ protected final int getCertificateExpiryWarnPeriod()
+ {
+ try
+ {
+ return getContextValue(Integer.class, CERTIFICATE_EXPIRY_WARN_PERIOD);
+ }
+ catch (NullPointerException | IllegalArgumentException e)
+ {
+ LOGGER.warn("The value of the context variable '{}' for keystore {} cannot be converted to an integer. The value {} will be used as a default", CERTIFICATE_EXPIRY_WARN_PERIOD, getName(), DEFAULT_CERTIFICATE_EXPIRY_WARN_PERIOD);
+ return DEFAULT_CERTIFICATE_EXPIRY_WARN_PERIOD;
+ }
+ }
}
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/FileKeyStoreImpl.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/FileKeyStoreImpl.java?rev=1736998&r1=1736997&r2=1736998&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/FileKeyStoreImpl.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/FileKeyStoreImpl.java Tue Mar 29 11:10:06 2016
@@ -29,17 +29,11 @@ import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
-import java.security.cert.CertificateExpiredException;
-import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.Map;
import java.util.Set;
-import java.util.concurrent.ScheduledFuture;
-import java.util.concurrent.TimeUnit;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
@@ -47,21 +41,14 @@ import javax.net.ssl.X509KeyManager;
import com.google.common.util.concurrent.Futures;
import com.google.common.util.concurrent.ListenableFuture;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
import org.apache.qpid.server.configuration.IllegalConfigurationException;
-import org.apache.qpid.server.logging.EventLogger;
-import org.apache.qpid.server.logging.messages.KeyStoreMessages;
import org.apache.qpid.server.model.Broker;
-import org.apache.qpid.server.model.ConfigurationChangeListener;
import org.apache.qpid.server.model.ConfiguredObject;
-import org.apache.qpid.server.model.IntegrityViolationException;
import org.apache.qpid.server.model.KeyStore;
import org.apache.qpid.server.model.ManagedAttributeField;
import org.apache.qpid.server.model.ManagedObject;
import org.apache.qpid.server.model.ManagedObjectFactoryConstructor;
-import org.apache.qpid.server.model.Port;
import org.apache.qpid.server.model.State;
import org.apache.qpid.server.model.StateTransition;
import org.apache.qpid.server.util.ServerScopedRuntimeException;
@@ -72,7 +59,6 @@ import org.apache.qpid.transport.network
@ManagedObject( category = false )
public class FileKeyStoreImpl extends AbstractKeyStore<FileKeyStoreImpl> implements FileKeyStore<FileKeyStoreImpl>
{
- private static final long ONE_DAY = 24l * 60l * 60l * 1000l;
@ManagedAttributeField
private String _type;
@@ -111,21 +97,7 @@ public class FileKeyStoreImpl extends Ab
@StateTransition(currentState = {State.ACTIVE, State.ERRORED}, desiredState = State.DELETED)
protected ListenableFuture<Void> doDelete()
{
- // verify that it is not in use
- String storeName = getName();
-
- Collection<Port> ports = new ArrayList<Port>(getBroker().getPorts());
- for (Port port : ports)
- {
- if (port.getKeyStore() == this)
- {
- throw new IntegrityViolationException("Key store '" + storeName + "' can't be deleted as it is in use by a port:" + port.getName());
- }
- }
- deleted();
- setState(State.DELETED);
- getEventLogger().message(KeyStoreMessages.DELETE(getName()));
- return Futures.immediateFuture(null);
+ return deleteIfNotInUse();
}
@StateTransition(currentState = {State.UNINITIALIZED, State.ERRORED}, desiredState = State.ACTIVE)
@@ -318,72 +290,45 @@ public class FileKeyStoreImpl extends Ab
protected void checkCertificateExpiry()
{
- try
+ int expiryWarning = getCertificateExpiryWarnPeriod();
+ if(expiryWarning > 0)
{
+ long currentTime = System.currentTimeMillis();
+ Date expiryTestDate = new Date(currentTime + (ONE_DAY * (long)expiryWarning));
- int expiryWarning = getContextValue(Integer.class, CERTIFICATE_EXPIRY_WARN_PERIOD);
- if(expiryWarning > 0)
+ try
{
- long currentTime = System.currentTimeMillis();
- Date expiryTestDate = new Date(currentTime + (ONE_DAY * (long)expiryWarning));
-
- try
- {
- URL url = getUrlFromString(_storeUrl);
- final java.security.KeyStore ks = SSLUtil.getInitializedKeyStore(url, getPassword(), _keyStoreType);
+ URL url = getUrlFromString(_storeUrl);
+ final java.security.KeyStore ks = SSLUtil.getInitializedKeyStore(url, getPassword(), _keyStoreType);
- char[] keyStoreCharPassword = getPassword() == null ? null : getPassword().toCharArray();
+ char[] keyStoreCharPassword = getPassword() == null ? null : getPassword().toCharArray();
- final KeyManagerFactory kmf = KeyManagerFactory.getInstance(_keyManagerFactoryAlgorithm);
+ final KeyManagerFactory kmf = KeyManagerFactory.getInstance(_keyManagerFactoryAlgorithm);
- kmf.init(ks, keyStoreCharPassword);
+ kmf.init(ks, keyStoreCharPassword);
- for (KeyManager km : kmf.getKeyManagers())
+ for (KeyManager km : kmf.getKeyManagers())
+ {
+ if (km instanceof X509KeyManager)
{
- if (km instanceof X509KeyManager)
- {
- X509KeyManager x509KeyManager = (X509KeyManager) km;
-
- for(String alias : Collections.list(ks.aliases()))
- {
- final X509Certificate[] chain =
- x509KeyManager.getCertificateChain(alias);
- if(chain != null)
- {
- for(X509Certificate cert : chain)
- {
- try
- {
- cert.checkValidity(expiryTestDate);
- }
- catch(CertificateExpiredException e)
- {
- long timeToExpiry = cert.getNotAfter().getTime() - currentTime;
- int days = Math.max(0,(int)(timeToExpiry / (ONE_DAY)));
-
- getEventLogger().message(KeyStoreMessages.EXPIRING(getName(), String.valueOf(days), cert.getSubjectDN().toString()));
- }
- catch(CertificateNotYetValidException e)
- {
- // ignore
- }
- }
- }
- }
+ X509KeyManager x509KeyManager = (X509KeyManager) km;
+ for(String alias : Collections.list(ks.aliases()))
+ {
+ checkCertificatesExpiry(currentTime, expiryTestDate,
+ x509KeyManager.getCertificateChain(alias));
}
+
}
}
- catch (GeneralSecurityException | IOException e)
- {
+ }
+ catch (GeneralSecurityException | IOException e)
+ {
- }
}
}
- catch(IllegalArgumentException | NullPointerException e)
- {
- }
+
}
}
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/NonJavaKeyStoreImpl.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/NonJavaKeyStoreImpl.java?rev=1736998&r1=1736997&r2=1736998&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/NonJavaKeyStoreImpl.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/NonJavaKeyStoreImpl.java Tue Mar 29 11:10:06 2016
@@ -74,7 +74,6 @@ import org.apache.qpid.transport.network
public class NonJavaKeyStoreImpl extends AbstractKeyStore<NonJavaKeyStoreImpl> implements NonJavaKeyStore<NonJavaKeyStoreImpl>
{
private static final Logger LOGGER = LoggerFactory.getLogger(NonJavaKeyStoreImpl.class);
- private static final long ONE_DAY = 24l * 60l * 60l * 1000l;
@ManagedAttributeField( afterSet = "updateKeyManagers" )
private String _privateKeyUrl;
@@ -180,24 +179,7 @@ public class NonJavaKeyStoreImpl extends
@StateTransition(currentState = {State.ACTIVE, State.ERRORED}, desiredState = State.DELETED)
protected ListenableFuture<Void> doDelete()
{
- // verify that it is not in use
- String storeName = getName();
-
- Collection<Port> ports = new ArrayList<Port>(getBroker().getPorts());
- for (Port port : ports)
- {
- if (port.getKeyStore() == this)
- {
- throw new IntegrityViolationException("Key store '"
- + storeName
- + "' can't be deleted as it is in use by a port:"
- + port.getName());
- }
- }
- deleted();
- setState(State.DELETED);
- getEventLogger().message(KeyStoreMessages.DELETE(getName()));
- return Futures.immediateFuture(null);
+ return deleteIfNotInUse();
}
@StateTransition(currentState = {State.UNINITIALIZED, State.ERRORED}, desiredState = State.ACTIVE)
@@ -300,36 +282,13 @@ public class NonJavaKeyStoreImpl extends
private void checkCertificateExpiry(final X509Certificate... certificates)
{
- int expiryWarning = getContextValue(Integer.class, CERTIFICATE_EXPIRY_WARN_PERIOD);
+ int expiryWarning = getCertificateExpiryWarnPeriod();
if(expiryWarning > 0)
{
long currentTime = System.currentTimeMillis();
Date expiryTestDate = new Date(currentTime + (ONE_DAY * (long) expiryWarning));
-
- if (certificates != null)
- {
- for (X509Certificate cert : certificates)
- {
- try
- {
- cert.checkValidity(expiryTestDate);
- }
- catch (CertificateExpiredException e)
- {
- long timeToExpiry = cert.getNotAfter().getTime() - currentTime;
- int days = Math.max(0, (int) (timeToExpiry / (ONE_DAY)));
-
- getEventLogger().message(KeyStoreMessages.EXPIRING(getName(),
- String.valueOf(days),
- cert.getSubjectDN().toString()));
- }
- catch (CertificateNotYetValidException e)
- {
- // ignore
- }
- }
- }
+ checkCertificatesExpiry(currentTime, expiryTestDate, certificates);
}
}
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@qpid.apache.org
For additional commands, e-mail: commits-help@qpid.apache.org