Posted to commits@kudu.apache.org by to...@apache.org on 2017/02/01 01:12:52 UTC
[2/3] kudu git commit: [security] method to extract public part of an
RSA key
diff --git a/src/kudu/security/test/test_certs.cc b/src/kudu/security/test/test_certs.cc
index 1f1e5e5..44d4aef 100644
--- a/src/kudu/security/test/test_certs.cc
+++ b/src/kudu/security/test/test_certs.cc
@@ -157,6 +157,19 @@ gmbcYCewtt7dFP9tvx6k7aUQ6CKzg0GxaIHQecNzjxYrw8sb4Js=
-----END RSA PRIVATE KEY-----
)***";
+// Corresponding public key for the kCaPrivateKey
+const char kCaPublicKey[] = R"***(
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp7FdU57RJ817HGXWeowF
+HLwwJhZOXWRtG3lVDr3xpdhw80ELuCcQFb7xhprZ/ceXVh7nXNQac6XgVTocUOIi
+rn3+UoI0bZfdqaViPOQiZefgznqv7msRaz4egdaS6qYxrGeslq0zzo5/QrePlCs5
+R+3+pPlHq9I+cUf+nP7pxwGQAZXRQVV2yFhIaTErOJVN0nZGLyhmDJ65F4bEuRc6
+oofNw5QWKe9Dx97zJpCvWREBo9GjV4Wo5FcAwBTgrK9+JWNkwQaPSnjsh6QkdU9V
+UyikSYwyOHNF9uvGsqsxwgbp7hpwXUoB3jAYj0CkJHd7W9x9uCEM7saFMyzAsKcx
+hQIDAQAB
+-----END PUBLIC KEY-----
+)***";
+
// See the comment for kCaCert_
// (but use '-1' as number of days for the certificate expiration).
const char kCaExpiredCert[] = R"***(
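Review bot: The comment on the new kCaPublicKey constant says which private key it belongs to but not how it was derived, so a reader cannot regenerate or verify the fixture when the private-key fixture is replaced; the same applies to kCaExpiredPublicKey in the next hunk of this file. Consider stating the derivation next to each constant, e.g. `// Public part of kCaPrivateKey, extracted with: openssl rsa -in <key.pem> -pubout`. A test that asserts the public key actually matches the private key (rather than trusting the pasted text) would catch a stale fixture, but that belongs in the test file rather than here.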
@@ -215,6 +228,19 @@ H/sbP2R+P6RvQceLEEtk6ZZLiuScVmLtVOpUoUZb3Rx6a7GKbec7oQ==
-----END RSA PRIVATE KEY-----
)***";
+// Corresponding public part of the kCaExpiredPrivateKey
+const char kCaExpiredPublicKey[] = R"***(
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzqPj5nRm57mr9YtZDvHR
+EuVFHTwPcKzDeff9fnrKKwOJPSF0Bou/BjS1S7yQYAtmT/EMi7qxEWjgrR1qW+mu
+R8QN+zAwNdkdLrFK3SJigQ4a/OeSH86aHXUDekV8mgBgzP90osbHf7AiqrGzkYWq
++ApTO/IgnXgaWbbdt5znGTW5lKQ4O2CYhpcMMC1sBBjW7Qqx+Gi8iXub0zlJ2mVI
+8o+zb9qvSDb8fa0JYxasRDn/nB0wKZC3f/GfRs+lJZUTEy5+eMhVdj1RjVBE+mgW
+7L27On24ViPU7B3DjM0SYnD6ZOUWMH0mtwO8W3OoK8MJhPvFP7Lr5QfSjiBH+ryL
+OwIDAQAB
+-----END PUBLIC KEY-----
+)***";
+
} // namespace ca
Status CreateTestSSLCerts(const string& dir,
diff --git a/src/kudu/security/test/test_certs.h b/src/kudu/security/test/test_certs.h
index 863c141..f45ea88 100644
--- a/src/kudu/security/test/test_certs.h
+++ b/src/kudu/security/test/test_certs.h
@@ -34,12 +34,16 @@ extern const char kCaCert[];
// The private key (RSA, 2048 bits) for the certificate above.
// This is 2048 bit RSA key, in PEM format.
extern const char kCaPrivateKey[];
+// The public part of the abovementioned private key.
+extern const char kCaPublicKey[];
// Expired root CA certificate (PEM format).
extern const char kCaExpiredCert[];
// The private key for the expired CA certificate described above.
// This is 2048 bit RSA key, in PEM format.
extern const char kCaExpiredPrivateKey[];
+// The public part of the abovementioned private key.
+extern const char kCaExpiredPublicKey[];
} // namespace ca
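Review bot: The two new declaration comments ("The public part of the abovementioned private key.") omit the key type and encoding that the neighbouring comments state for the private keys, so a reader of the header alone does not know the new constants are PEM text. Suggest `// The public part of the abovementioned private key (RSA, 2048 bits), in PEM format.` for both kCaPublicKey and kCaExpiredPublicKey.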
diff --git a/src/kudu/security/tls_handshake-test.cc b/src/kudu/security/tls_handshake-test.cc
index 08f32ba..a8f5f6d 100644
--- a/src/kudu/security/tls_handshake-test.cc
+++ b/src/kudu/security/tls_handshake-test.cc
@@ -25,6 +25,8 @@
#include "kudu/security/tls_context.h"
#include "kudu/util/test_util.h"
+using std::string;
+
namespace kudu {
namespace security {
diff --git a/src/kudu/security/tls_handshake.h b/src/kudu/security/tls_handshake.h
index a138c76..e7fcdd2 100644
--- a/src/kudu/security/tls_handshake.h
+++ b/src/kudu/security/tls_handshake.h
@@ -20,6 +20,7 @@
#include <memory>
#include <string>
+#include "kudu/security/crypto.h"
#include "kudu/security/openssl_util.h"
#include "kudu/util/net/socket.h"
#include "kudu/util/status.h"
diff --git a/src/kudu/security/tls_socket.cc b/src/kudu/security/tls_socket.cc
index 20b023e..6728133 100644
--- a/src/kudu/security/tls_socket.cc
+++ b/src/kudu/security/tls_socket.cc
@@ -20,6 +20,7 @@
#include <openssl/err.h>
#include <openssl/ssl.h>
+#include "kudu/gutil/basictypes.h"
#include "kudu/security/openssl_util.h"
namespace kudu {
diff --git a/src/kudu/security/token_signer.cc b/src/kudu/security/token_signer.cc
index e40c86b..46a8846 100644
--- a/src/kudu/security/token_signer.cc
+++ b/src/kudu/security/token_signer.cc
@@ -19,11 +19,12 @@
#include <map>
#include <memory>
-#include <string>
+#include <vector>
#include <gflags/gflags.h>
#include "kudu/gutil/walltime.h"
+#include "kudu/security/crypto.h"
#include "kudu/security/openssl_util.h"
#include "kudu/security/token.pb.h"
#include "kudu/security/token_signing_key.h"
@@ -39,8 +40,8 @@ DEFINE_int64(token_signing_key_validity_seconds, 60 * 60 * 24 * 7,
// TODO(PKI): add flag tags
using std::lock_guard;
-using std::string;
using std::unique_ptr;
+using std::vector;
namespace kudu {
namespace security {
@@ -53,14 +54,15 @@ TokenSigner::~TokenSigner() {
}
Status TokenSigner::RotateSigningKey() {
- Key key;
- RETURN_NOT_OK_PREPEND(GeneratePrivateKey(FLAGS_token_signing_key_num_rsa_bits, &key),
- "could not generate new RSA token-signing key");
+ unique_ptr<PrivateKey> key(new PrivateKey());
+ RETURN_NOT_OK_PREPEND(
+ GeneratePrivateKey(FLAGS_token_signing_key_num_rsa_bits, key.get()),
+ "could not generate new RSA token-signing key");
int64_t expire = WallTime_Now() + FLAGS_token_signing_key_validity_seconds;
lock_guard<RWMutex> l(lock_);
int64_t seq = next_seq_num_++;
- unique_ptr<TokenSigningPrivateKey> new_tsk(
- new TokenSigningPrivateKey(seq, expire, std::move(key)));
+ unique_ptr<TokenSigningPrivateKey> new_tsk(new TokenSigningPrivateKey(
+ seq, expire, unique_ptr<PrivateKey>(key.release())));
keys_by_seq_[seq] = std::move(new_tsk);
return Status::OK();
}
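Review bot: The `unique_ptr<PrivateKey>(key.release())` passed to the TokenSigningPrivateKey constructor is a redundant release-and-rewrap of a unique_ptr that already has the constructor's parameter type; `std::move(key)` transfers ownership directly and reads as such: `seq, expire, std::move(key)));`. With the explicit release, a reader has to check that `key` is not used afterwards, whereas a move says so outright. It is good that the RSA key generation stays outside the lock_guard so the lock is held only for the sequence-number bump and map insert.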
diff --git a/src/kudu/security/token_signing_key.cc b/src/kudu/security/token_signing_key.cc
index 5971e63..ba84ee6 100644
--- a/src/kudu/security/token_signing_key.cc
+++ b/src/kudu/security/token_signing_key.cc
@@ -17,11 +17,15 @@
#include "kudu/security/token_signing_key.h"
+#include <memory>
+
#include <glog/logging.h>
#include "kudu/security/token.pb.h"
#include "kudu/util/status.h"
+using std::unique_ptr;
+
namespace kudu {
namespace security {
@@ -39,7 +43,7 @@ bool TokenSigningPublicKey::VerifySignature(const SignedTokenPB& token) const {
}
TokenSigningPrivateKey::TokenSigningPrivateKey(
- int64_t key_seq_num, int64_t expire_time, Key key)
+ int64_t key_seq_num, int64_t expire_time, unique_ptr<PrivateKey> key)
: key_(std::move(key)),
key_seq_num_(key_seq_num),
expire_time_(expire_time) {
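Review bot: The constructor now takes ownership through a unique_ptr<PrivateKey> but nothing in the hunk rejects a null pointer, and the class presumably dereferences key_ when signing, which would then fail far from the call site. Since glog is included in this file, a `DCHECK(key_);` as the first statement of the body would pin the precondition where the key is accepted. The constructor body continues past the end of the hunk.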
diff --git a/src/kudu/security/token_signing_key.h b/src/kudu/security/token_signing_key.h
index 38fa795..540c847 100644
--- a/src/kudu/security/token_signing_key.h
+++ b/src/kudu/security/token_signing_key.h
@@ -16,7 +16,10 @@
// under the License.
#pragma once
+#include <memory>
+
#include "kudu/gutil/macros.h"
+#include "kudu/security/crypto.h"
#include "kudu/security/openssl_util.h"
#include "kudu/security/token.pb.h"
#include "kudu/util/status.h"
@@ -56,7 +59,9 @@ class TokenSigningPublicKey {
// number and expiration date.
class TokenSigningPrivateKey {
public:
- TokenSigningPrivateKey(int64_t key_seq_num, int64_t expire_time, Key key);
+ TokenSigningPrivateKey(int64_t key_seq_num,
+ int64_t expire_time,
+ std::unique_ptr<PrivateKey> key);
~TokenSigningPrivateKey();
// Sign a token, and store the signature and signing key's sequence number.
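Review bot: The new constructor signature transfers ownership of the key but the header does not say so, nor whether a null key is accepted; callers reading only this header have to guess. Suggest a comment above the declaration: `// Takes ownership of 'key', which must be non-null; it is used to sign tokens.` The class body continues outside the hunk, so if a copy-disabling macro already follows, no further change is needed for the move-only member.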
@@ -65,7 +70,7 @@ class TokenSigningPrivateKey {
// Export the public-key portion of this signing key.
void ExportPublicKeyPB(TokenSigningPublicKeyPB* pb);
private:
- Key key_;
+ std::unique_ptr<PrivateKey> key_;
int64_t key_seq_num_;
int64_t expire_time_;