Posted to commits@brooklyn.apache.org by he...@apache.org on 2016/02/24 21:40:44 UTC

brooklyn-server git commit: better logging for secure keys failing test

Repository: brooklyn-server
Updated Branches:
  refs/heads/master eebc62f50 -> 52c6caf95


better logging for secure keys failing test


Project: http://git-wip-us.apache.org/repos/asf/brooklyn-server/repo
Commit: http://git-wip-us.apache.org/repos/asf/brooklyn-server/commit/52c6caf9
Tree: http://git-wip-us.apache.org/repos/asf/brooklyn-server/tree/52c6caf9
Diff: http://git-wip-us.apache.org/repos/asf/brooklyn-server/diff/52c6caf9

Branch: refs/heads/master
Commit: 52c6caf95dc56a9a54f2f6620d8c31850fa4791e
Parents: eebc62f
Author: Alex Heneveld <al...@cloudsoftcorp.com>
Authored: Wed Feb 24 12:40:24 2016 -0800
Committer: Alex Heneveld <al...@cloudsoftcorp.com>
Committed: Wed Feb 24 12:40:24 2016 -0800

----------------------------------------------------------------------
 .../util/core/crypto/SecureKeysAndSignerTest.java     | 14 ++++++--------
 .../util/crypto/SecureKeysWithoutBouncyCastle.java    |  9 +++++++++
 2 files changed, 15 insertions(+), 8 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/brooklyn-server/blob/52c6caf9/core/src/test/java/org/apache/brooklyn/util/core/crypto/SecureKeysAndSignerTest.java
----------------------------------------------------------------------
diff --git a/core/src/test/java/org/apache/brooklyn/util/core/crypto/SecureKeysAndSignerTest.java b/core/src/test/java/org/apache/brooklyn/util/core/crypto/SecureKeysAndSignerTest.java
index b569111..985ae47 100644
--- a/core/src/test/java/org/apache/brooklyn/util/core/crypto/SecureKeysAndSignerTest.java
+++ b/core/src/test/java/org/apache/brooklyn/util/core/crypto/SecureKeysAndSignerTest.java
@@ -27,8 +27,6 @@ import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 
 import org.apache.brooklyn.util.core.ResourceUtils;
-import org.apache.brooklyn.util.core.crypto.FluentKeySigner;
-import org.apache.brooklyn.util.core.crypto.SecureKeys;
 import org.apache.brooklyn.util.core.crypto.SecureKeys.PassphraseProblem;
 import org.apache.brooklyn.util.crypto.AuthorizedKeysParser;
 import org.apache.brooklyn.util.os.Os;
@@ -67,13 +65,13 @@ public class SecureKeysAndSignerTest {
 //        SecureKeys.getTrustManager(signerCert).checkClientTrusted(new X509Certificate[] { aCert }, "RSA");
         // NB, the above failes; we have to convert to a canonical implementation, handled by the following
         
-        Assert.assertTrue(SecureKeys.isCertificateAuthorizedBy(signerCert, signerCert));
-        Assert.assertTrue(SecureKeys.isCertificateAuthorizedBy(aCert, signerCert));
-        Assert.assertTrue(SecureKeys.isCertificateAuthorizedBy(bCert, signerCert));
+        Assert.assertTrue(SecureKeys.isCertificateAuthorizedBy(signerCert, signerCert, false));
+        Assert.assertTrue(SecureKeys.isCertificateAuthorizedBy(aCert, signerCert, false));
+        Assert.assertTrue(SecureKeys.isCertificateAuthorizedBy(bCert, signerCert, false));
         Assert.assertFalse(SecureKeys.isCertificateAuthorizedBy(signerCert, aCert));
         Assert.assertFalse(SecureKeys.isCertificateAuthorizedBy(bCert, aCert));
         
-        Assert.assertTrue(SecureKeys.isCertificateAuthorizedBy(selfCert1, selfCert1));
+        Assert.assertTrue(SecureKeys.isCertificateAuthorizedBy(selfCert1, selfCert1, false));
         Assert.assertFalse(SecureKeys.isCertificateAuthorizedBy(selfCert1, signerCert));
     }
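Review bot: Only the assertTrue calls on L56-L58 and L63 pass `false`, while the assertFalse calls keep the two-argument (quiet) form; that asymmetry is deliberate, since a rejection the test expects should not emit a warning, but nothing in the test says so. A one-line comment above L56 would spare the next reader from "fixing" it: `// non-quiet so the CertificateException is logged if a chain the test expects to be trusted is rejected`. The negative cases still only assert the boolean, and in the implementation the `getCanonicalImpl` call sits inside the same try/catch as the trust check, so a canonicalisation failure also returns false; a regression that rejects for the wrong reason would pass these assertions unnoticed.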
 
@@ -88,7 +86,7 @@ public class SecureKeysAndSignerTest {
         KeyPair aKey = SecureKeys.newKeyPair();
         X509Certificate aCert = signer.newCertificateFor("A", aKey);
         
-        Assert.assertTrue(SecureKeys.isCertificateAuthorizedBy(aCert, caCert));
+        Assert.assertTrue(SecureKeys.isCertificateAuthorizedBy(aCert, caCert, false));
     }
 
     @Test
@@ -153,7 +151,7 @@ public class SecureKeysAndSignerTest {
         KeyPair key = SecureKeys.readPem(ResourceUtils.create(this).getResourceFromUrl("classpath://brooklyn/util/crypto/sample_rsa_passphrase.pem"), "passphrase");
         checkNonTrivial(key);
         File f = Os.newTempFile(getClass(), "brooklyn-sample_rsa_passphrase_without_passphrase.pem");
-        Files.write(SecureKeys.stringPem(key), f, Charset.defaultCharset());
+        Files.write(SecureKeys.toPem(key), f, Charset.defaultCharset());
         KeyPair key2 = SecureKeys.readPem(new FileInputStream(f), null);
         checkNonTrivial(key2);
         Assert.assertEquals(key2.getPrivate().getEncoded(), key.getPrivate().getEncoded());
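Review bot: The new L81 writes the passphrase-stripped private key to a temp file using `Charset.defaultCharset()`; PEM is ASCII so the platform charset is harmless here, but `StandardCharsets.UTF_8` says that explicitly and removes the platform dependence. Nothing in the hunk deletes `f` afterwards, so an unencrypted private key (a sample key from test resources, so not a live secret, but still a bad habit) may be left behind in the temp directory; `f.deleteOnExit();` right after the `Os.newTempFile(...)` call, or a delete in a `finally`, keeps the test tidy. The enclosing test method starts and ends outside the hunk, so cleanup may already exist there.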

http://git-wip-us.apache.org/repos/asf/brooklyn-server/blob/52c6caf9/utils/common/src/main/java/org/apache/brooklyn/util/crypto/SecureKeysWithoutBouncyCastle.java
----------------------------------------------------------------------
diff --git a/utils/common/src/main/java/org/apache/brooklyn/util/crypto/SecureKeysWithoutBouncyCastle.java b/utils/common/src/main/java/org/apache/brooklyn/util/crypto/SecureKeysWithoutBouncyCastle.java
index b801fb8..3e1ca7a 100644
--- a/utils/common/src/main/java/org/apache/brooklyn/util/crypto/SecureKeysWithoutBouncyCastle.java
+++ b/utils/common/src/main/java/org/apache/brooklyn/util/crypto/SecureKeysWithoutBouncyCastle.java
@@ -36,12 +36,15 @@ import javax.net.ssl.X509TrustManager;
 import javax.security.auth.x500.X500Principal;
 
 import org.apache.brooklyn.util.exceptions.Exceptions;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 /**
  * Utility methods for generating and working with keys, with no BC dependencies
  */
 public class SecureKeysWithoutBouncyCastle {
 
+    private static final Logger log = LoggerFactory.getLogger(SecureKeysWithoutBouncyCastle.class);
     private static KeyPairGenerator defaultKeyPairGenerator = newKeyPairGenerator("RSA", 1024);  
 
     protected SecureKeysWithoutBouncyCastle() {}
@@ -145,11 +148,17 @@ public class SecureKeysWithoutBouncyCastle {
     }
 
     public static boolean isCertificateAuthorizedBy(X509Certificate candidate, X509Certificate authority) {
+        return isCertificateAuthorizedBy(candidate, authority, true);
+    }
+    public static boolean isCertificateAuthorizedBy(X509Certificate candidate, X509Certificate authority, boolean quiet) {
         try {
             candidate = getCanonicalImpl(candidate);
             getTrustManager(authority).checkClientTrusted(new X509Certificate[] { candidate }, "RSA");
             return true;
         } catch (CertificateException e) {
+            if (!quiet) {
+                log.warn("Certificate "+candidate+" not trusted with authority "+authority+": "+e);
+            }
             return false;
         }
     }
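Review bot: The warning on L121 concatenates `candidate` and `authority`, and `X509Certificate.toString()` in the JDK's default implementation typically dumps the whole certificate (subject, validity, public key, signature, extensions) over many lines, while the `CertificateException` itself is reduced to `e.toString()` so its stack trace is lost. Identify the certificates by subject and pass the exception as the last argument so SLF4J keeps the cause: `log.warn("Certificate {} not trusted by authority {}", candidate.getSubjectX500Principal(), authority.getSubjectX500Principal(), e);`. In the quiet path, which is the default for every existing two-argument caller, the reason for the rejection is discarded entirely; an `else { log.debug(...) }` with the same message keeps production rejections diagnosable without being noisy. The new overload also lacks Javadoc: it should state that `quiet` only controls logging and never changes the result, and that the logged `candidate` may be either the caller's object or its canonical form depending on where the exception was thrown.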