Posted to commits@brooklyn.apache.org by he...@apache.org on 2016/02/24 21:40:44 UTC
brooklyn-server git commit: better logging for secure keys failing test
Repository: brooklyn-server
Updated Branches:
refs/heads/master eebc62f50 -> 52c6caf95
better logging for secure keys failing test
Project: http://git-wip-us.apache.org/repos/asf/brooklyn-server/repo
Commit: http://git-wip-us.apache.org/repos/asf/brooklyn-server/commit/52c6caf9
Tree: http://git-wip-us.apache.org/repos/asf/brooklyn-server/tree/52c6caf9
Diff: http://git-wip-us.apache.org/repos/asf/brooklyn-server/diff/52c6caf9
Branch: refs/heads/master
Commit: 52c6caf95dc56a9a54f2f6620d8c31850fa4791e
Parents: eebc62f
Author: Alex Heneveld <al...@cloudsoftcorp.com>
Authored: Wed Feb 24 12:40:24 2016 -0800
Committer: Alex Heneveld <al...@cloudsoftcorp.com>
Committed: Wed Feb 24 12:40:24 2016 -0800
----------------------------------------------------------------------
.../util/core/crypto/SecureKeysAndSignerTest.java | 14 ++++++--------
.../util/crypto/SecureKeysWithoutBouncyCastle.java | 9 +++++++++
2 files changed, 15 insertions(+), 8 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/brooklyn-server/blob/52c6caf9/core/src/test/java/org/apache/brooklyn/util/core/crypto/SecureKeysAndSignerTest.java
----------------------------------------------------------------------
diff --git a/core/src/test/java/org/apache/brooklyn/util/core/crypto/SecureKeysAndSignerTest.java b/core/src/test/java/org/apache/brooklyn/util/core/crypto/SecureKeysAndSignerTest.java
index b569111..985ae47 100644
--- a/core/src/test/java/org/apache/brooklyn/util/core/crypto/SecureKeysAndSignerTest.java
+++ b/core/src/test/java/org/apache/brooklyn/util/core/crypto/SecureKeysAndSignerTest.java
@@ -27,8 +27,6 @@ import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import org.apache.brooklyn.util.core.ResourceUtils;
-import org.apache.brooklyn.util.core.crypto.FluentKeySigner;
-import org.apache.brooklyn.util.core.crypto.SecureKeys;
import org.apache.brooklyn.util.core.crypto.SecureKeys.PassphraseProblem;
import org.apache.brooklyn.util.crypto.AuthorizedKeysParser;
import org.apache.brooklyn.util.os.Os;
@@ -67,13 +65,13 @@ public class SecureKeysAndSignerTest {
// SecureKeys.getTrustManager(signerCert).checkClientTrusted(new X509Certificate[] { aCert }, "RSA");
// NB, the above failes; we have to convert to a canonical implementation, handled by the following
- Assert.assertTrue(SecureKeys.isCertificateAuthorizedBy(signerCert, signerCert));
- Assert.assertTrue(SecureKeys.isCertificateAuthorizedBy(aCert, signerCert));
- Assert.assertTrue(SecureKeys.isCertificateAuthorizedBy(bCert, signerCert));
+ Assert.assertTrue(SecureKeys.isCertificateAuthorizedBy(signerCert, signerCert, false));
+ Assert.assertTrue(SecureKeys.isCertificateAuthorizedBy(aCert, signerCert, false));
+ Assert.assertTrue(SecureKeys.isCertificateAuthorizedBy(bCert, signerCert, false));
Assert.assertFalse(SecureKeys.isCertificateAuthorizedBy(signerCert, aCert));
Assert.assertFalse(SecureKeys.isCertificateAuthorizedBy(bCert, aCert));
- Assert.assertTrue(SecureKeys.isCertificateAuthorizedBy(selfCert1, selfCert1));
+ Assert.assertTrue(SecureKeys.isCertificateAuthorizedBy(selfCert1, selfCert1, false));
Assert.assertFalse(SecureKeys.isCertificateAuthorizedBy(selfCert1, signerCert));
}
@@ -88,7 +86,7 @@ public class SecureKeysAndSignerTest {
KeyPair aKey = SecureKeys.newKeyPair();
X509Certificate aCert = signer.newCertificateFor("A", aKey);
- Assert.assertTrue(SecureKeys.isCertificateAuthorizedBy(aCert, caCert));
+ Assert.assertTrue(SecureKeys.isCertificateAuthorizedBy(aCert, caCert, false));
}
@Test
@@ -153,7 +151,7 @@ public class SecureKeysAndSignerTest {
KeyPair key = SecureKeys.readPem(ResourceUtils.create(this).getResourceFromUrl("classpath://brooklyn/util/crypto/sample_rsa_passphrase.pem"), "passphrase");
checkNonTrivial(key);
File f = Os.newTempFile(getClass(), "brooklyn-sample_rsa_passphrase_without_passphrase.pem");
- Files.write(SecureKeys.stringPem(key), f, Charset.defaultCharset());
+ Files.write(SecureKeys.toPem(key), f, Charset.defaultCharset());
KeyPair key2 = SecureKeys.readPem(new FileInputStream(f), null);
checkNonTrivial(key2);
Assert.assertEquals(key2.getPrivate().getEncoded(), key.getPrivate().getEncoded());
http://git-wip-us.apache.org/repos/asf/brooklyn-server/blob/52c6caf9/utils/common/src/main/java/org/apache/brooklyn/util/crypto/SecureKeysWithoutBouncyCastle.java
----------------------------------------------------------------------
diff --git a/utils/common/src/main/java/org/apache/brooklyn/util/crypto/SecureKeysWithoutBouncyCastle.java b/utils/common/src/main/java/org/apache/brooklyn/util/crypto/SecureKeysWithoutBouncyCastle.java
index b801fb8..3e1ca7a 100644
--- a/utils/common/src/main/java/org/apache/brooklyn/util/crypto/SecureKeysWithoutBouncyCastle.java
+++ b/utils/common/src/main/java/org/apache/brooklyn/util/crypto/SecureKeysWithoutBouncyCastle.java
@@ -36,12 +36,15 @@ import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;
import org.apache.brooklyn.util.exceptions.Exceptions;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
/**
* Utility methods for generating and working with keys, with no BC dependencies
*/
public class SecureKeysWithoutBouncyCastle {
+ private static final Logger log = LoggerFactory.getLogger(SecureKeysWithoutBouncyCastle.class);
private static KeyPairGenerator defaultKeyPairGenerator = newKeyPairGenerator("RSA", 1024);
protected SecureKeysWithoutBouncyCastle() {}
@@ -145,11 +148,17 @@ public class SecureKeysWithoutBouncyCastle {
}
public static boolean isCertificateAuthorizedBy(X509Certificate candidate, X509Certificate authority) {
+ return isCertificateAuthorizedBy(candidate, authority, true);
+ }
+ public static boolean isCertificateAuthorizedBy(X509Certificate candidate, X509Certificate authority, boolean quiet) {
try {
candidate = getCanonicalImpl(candidate);
getTrustManager(authority).checkClientTrusted(new X509Certificate[] { candidate }, "RSA");
return true;
} catch (CertificateException e) {
+ if (!quiet) {
+ log.warn("Certificate "+candidate+" not trusted with authority "+authority+": "+e);
+ }
return false;
}
}
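Review bot: The new warn call builds the message by concatenation and appends the exception as a string, so the stack trace is lost and `X509Certificate.toString()` dumps the entire certificate (extensions, public key, signature bytes) into the log for both certificates; since the logger is SLF4J, prefer the parameterized form with the throwable as the last argument and log only the identifying fields, e.g. `log.warn("Certificate {} not trusted with authority {}", candidate.getSubjectX500Principal(), authority.getSubjectX500Principal(), e);`. The three-argument overload also has no Javadoc, and `quiet` is not self-explanatory given that the two-argument overload now silently defaults it to true; a `@param quiet` line stating that a failed trust check returns false without logging when true, and logs a warning with the cause when false, would make the contract visible to callers. Note that `candidate` is reassigned to its canonical form before the check, so the logged certificate is that copy rather than the one the caller passed in, which is probably fine but worth a comment.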