[jboss-cvs] Picketbox SVN: r410 - in branches/embargo/4.0.16.Final-vault: security-jboss-sx/jbosssx/src/main/java/org/picketbox/util and 1 other directories.
Tue Apr 23 13:58:36 EDT 2013
Author: pskopek
Date: 2013-04-23 13:58:36 -0400 (Tue, 23 Apr 2013)
New Revision: 410
Modified:
branches/embargo/4.0.16.Final-vault/security-jboss-sx/jbosssx/src/main/java/org/picketbox/plugins/vault/PicketBoxSecurityVault.java
branches/embargo/4.0.16.Final-vault/security-jboss-sx/jbosssx/src/main/java/org/picketbox/util/KeyStoreUtil.java
branches/embargo/4.0.16.Final-vault/security-spi/common/src/main/java/org/jboss/security/PicketBoxLogger.java
Log:
Security Vault implementation changes after review.
Modified: branches/embargo/4.0.16.Final-vault/security-jboss-sx/jbosssx/src/main/java/org/picketbox/plugins/vault/PicketBoxSecurityVault.java
===================================================================
--- branches/embargo/4.0.16.Final-vault/security-jboss-sx/jbosssx/src/main/java/org/picketbox/plugins/vault/PicketBoxSecurityVault.java 2013-04-18 12:10:11 UTC (rev 409)
+++ branches/embargo/4.0.16.Final-vault/security-jboss-sx/jbosssx/src/main/java/org/picketbox/plugins/vault/PicketBoxSecurityVault.java 2013-04-23 17:58:36 UTC (rev 410)
@@ -48,6 +48,7 @@
import java.nio.channels.FileChannel;
import java.security.*;
import java.security.KeyStore.Entry;
+import java.util.Enumeration;
import java.util.Map;
import java.util.Set;
import java.util.StringTokenizer;
@@ -97,7 +98,7 @@
private boolean createKeyStore = false;
private String keyStoreType = defaultKeyStoreType;
-
+
// options
public static final String ENC_FILE_DIR = "ENC_FILE_DIR";
@@ -185,6 +186,9 @@
String keystorePass = decode(maskedPassword, salt, iterationCount);
keyStorePWD = keystorePass.toCharArray();
keystore = getKeyStore(keystoreURL);
+
+ checkAndConvertKeyStoreToJCEKS(keystoreURL);
+
} catch (Exception e) {
throw new SecurityVaultException(e);
}
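Review bot: The added `checkAndConvertKeyStoreToJCEKS(keystoreURL);` call turns the initialization path into one that rewrites the key store file on disk, which nothing at the call site says; a comment such as `// JKS key stores are migrated in place to JCEKS (a <keystoreURL>.original backup is written first) so the vault can hold SecretKey entries` would tell the next reader why init writes to disk. Any failure in the migration is wrapped by the existing `catch (Exception e)` into a SecurityVaultException, so an admin sees a generic init failure rather than a conversion failure; a dedicated log line before rethrowing is worth considering. The enclosing method starts and ends outside the hunk.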
@@ -487,22 +491,27 @@
// create new transformed vault data
vaultContent = new SecurityVaultData(newVault);
- // convert keystore to JCEKS format
- convertKeyStoreToJCEKS();
-
// add secret key (admin_key) to keystore
KeyStore.SecretKeyEntry skEntry = new KeyStore.SecretKeyEntry(adminKey);
+ KeyStore.PasswordProtection p = new KeyStore.PasswordProtection(keyStorePWD);
+ Entry e = keystore.getEntry(alias, p);
+ if (e != null) {
+ // rename the old entry
+ String originalAlias = alias + "-original";
+ keystore.setEntry(originalAlias, e, p);
+ keystore.deleteEntry(alias);
+ }
keystore.setEntry(alias, skEntry, new KeyStore.PasswordProtection(keyStorePWD));
- // backup original keystore file
- copyFile(new File(keystoreURL), new File(keystoreURL + ".original"));
// save the current keystore
saveKeyStoreToFile(keystoreURL);
- // backup original vault files
+ // backup original vault file (shared key file cannot be saved for obvious reasons
copyFile(new File(decodedEncFileDir + ENCODED_FILE), new File(decodedEncFileDir + ENCODED_FILE + ".original"));
- copyFile(new File(decodedEncFileDir + SHARED_KEY_FILE), new File(decodedEncFileDir + SHARED_KEY_FILE + ".original"));
+ // save vault data file
+ writeVaultData();
+
// delete original vault files
File f = new File(decodedEncFileDir + ENCODED_FILE);
if (!f.delete()) {
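Review bot: The rename of the pre-existing entry, `String originalAlias = alias + "-original"; keystore.setEntry(originalAlias, e, p);`, silently overwrites whatever is already stored under `alias-original`, so a second run of the conversion (or an unrelated entry with that name) loses the previous backup without any trace; check `keystore.containsAlias(originalAlias)` first and fail or at least log before replacing it. If the existing entry under `alias` is a trusted-certificate entry, `keystore.getEntry(alias, p)` with a PasswordProtection throws UnsupportedOperationException rather than returning it, so the rename is presumably only safe for key entries — worth a `keystore.isCertificateEntry(alias)` check or a comment stating the assumption. The line after the `if` block constructs a second `new KeyStore.PasswordProtection(keyStorePWD)` where the existing `p` could be reused. The comment `// backup original vault file (shared key file cannot be saved for obvious reasons` has no closing parenthesis and "obvious reasons" should be replaced by the actual reason, since it is not obvious to a later maintainer. The enclosing method starts and ends outside the hunk.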
@@ -519,17 +528,28 @@
keystore.store(new FileOutputStream(new File(keystoreURL)), keyStorePWD);
}
- private void convertKeyStoreToJCEKS() throws Exception {
+ private void checkAndConvertKeyStoreToJCEKS(String keystoreURL) throws Exception {
if (keystore.getType().equalsIgnoreCase("JKS")) {
- createKeyStore("JCEKS");
+
+ // backup original keystore file
+ copyFile(new File(keystoreURL), new File(keystoreURL + ".original"));
+
+ KeyStore jceks = KeyStoreUtil.createKeyStore("JCEKS", keyStorePWD);
+
+ Enumeration<String> aliases = keystore.aliases();
+ while (aliases.hasMoreElements()) {
+ String entryAlias = aliases.nextElement();
+ KeyStore.PasswordProtection p = new KeyStore.PasswordProtection(keyStorePWD);
+ KeyStore.Entry e = keystore.getEntry(entryAlias, p);
+ jceks.setEntry(entryAlias, e, p);
+ }
+ keystore = jceks;
+ keyStoreType = "JCEKS"; // after conversion we have to change keyStoreType to the one we really have
+ saveKeyStoreToFile(keystoreURL);
+ PicketBoxLogger.LOGGER.keyStoreConvertedToJCEKS(KEYSTORE_URL);
}
}
- private KeyStore createKeyStore(String keyStoreType) throws Exception {
- KeyStore ks = KeyStore.getInstance(keyStoreType);
- ks.load(null, keyStorePWD);
- return ks;
- }
/**
* Creates new format for data key in vault. All parameters has to be non-null.
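Review bot: The copy loop in checkAndConvertKeyStoreToJCEKS calls `keystore.getEntry(entryAlias, p)` with a PasswordProtection for every alias, but KeyStore.getEntry throws UnsupportedOperationException for trusted-certificate entries when a password protection is supplied (and setEntry rejects a password for them as well), so a JKS store that also holds a CA certificate cannot be converted and the vault fails to initialize. Branch on `keystore.isCertificateEntry(entryAlias)` and copy those entries with a null protection parameter, as below. The log call on the last line of the method passes the option-name constant `KEYSTORE_URL` where the message expects the key store file, so the log presumably shows the literal option key rather than the path; it should most likely read `PicketBoxLogger.LOGGER.keyStoreConvertedToJCEKS(keystoreURL);`. Because `keystore` and `keyStoreType` are reassigned before `saveKeyStoreToFile(keystoreURL)`, a failed save leaves the in-memory state claiming JCEKS while the file on disk is still the JKS original; assign them after the save succeeds or document the consequence.
```java
            KeyStore jceks = KeyStoreUtil.createKeyStore("JCEKS", keyStorePWD);
            KeyStore.PasswordProtection p = new KeyStore.PasswordProtection(keyStorePWD);
            Enumeration<String> aliases = keystore.aliases();
            while (aliases.hasMoreElements()) {
                String entryAlias = aliases.nextElement();
                if (keystore.isCertificateEntry(entryAlias)) {
                    // trusted certificate entries carry no password; KeyStore rejects a PasswordProtection for them
                    jceks.setEntry(entryAlias, keystore.getEntry(entryAlias, null), null);
                } else {
                    jceks.setEntry(entryAlias, keystore.getEntry(entryAlias, p), p);
                }
            }
            // … unchanged: swap in the converted store, update keyStoreType, save and log …
```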
@@ -638,7 +658,7 @@
try {
if (createKeyStore) {
- return createKeyStore(keyStoreType);
+ return KeyStoreUtil.createKeyStore(keyStoreType, keyStorePWD);
}
}
catch (Throwable e) {
Modified: branches/embargo/4.0.16.Final-vault/security-jboss-sx/jbosssx/src/main/java/org/picketbox/util/KeyStoreUtil.java
===================================================================
--- branches/embargo/4.0.16.Final-vault/security-jboss-sx/jbosssx/src/main/java/org/picketbox/util/KeyStoreUtil.java 2013-04-18 12:10:11 UTC (rev 409)
+++ branches/embargo/4.0.16.Final-vault/security-jboss-sx/jbosssx/src/main/java/org/picketbox/util/KeyStoreUtil.java 2013-04-23 17:58:36 UTC (rev 410)
@@ -317,6 +317,19 @@
return null;
}
+ /**
+ * Create new empty keystore with specified keyStoreType and keyStorePWD
+ * @param keyStoreType - key store type
+ * @param keyStorePWD - key store password
+ * @return
+ * @throws Exception
+ */
+ public static KeyStore createKeyStore(String keyStoreType, char[] keyStorePWD) throws Exception {
+ KeyStore ks = KeyStore.getInstance(keyStoreType);
+ ks.load(null, keyStorePWD);
+ return ks;
+ }
+
private static void safeClose(InputStream fis)
{
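Review bot: The Javadoc on the new createKeyStore leaves `@return` and `@throws Exception` empty and declares a bare `throws Exception` although the two calls it makes declare specific types; `KeyStore.getInstance` throws KeyStoreException and `load(null, pwd)` throws IOException, NoSuchAlgorithmException and CertificateException, so `throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException` would let callers handle them precisely while remaining compatible with the call sites in PicketBoxSecurityVault, which themselves declare `throws Exception` (this would need the matching imports, which are outside the hunk). Fill in the tags, for example `@return a new, empty, initialized key store of the given type` and one `@throws` line per declared type. A `@param keyStorePWD` note that the password is used only to initialize the store and is not copied would also help the callers that zero their password arrays.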
@@ -330,6 +343,7 @@
catch(Exception e)
{}
}
+
private static void safeClose(OutputStream os)
{
try
@@ -342,4 +356,5 @@
catch(Exception e)
{}
}
+
}
\ No newline at end of file
Modified: branches/embargo/4.0.16.Final-vault/security-spi/common/src/main/java/org/jboss/security/PicketBoxLogger.java
===================================================================
--- branches/embargo/4.0.16.Final-vault/security-spi/common/src/main/java/org/jboss/security/PicketBoxLogger.java 2013-04-18 12:10:11 UTC (rev 409)
+++ branches/embargo/4.0.16.Final-vault/security-spi/common/src/main/java/org/jboss/security/PicketBoxLogger.java 2013-04-23 17:58:36 UTC (rev 410)
@@ -708,5 +708,8 @@
@Message(id = 371, value = "Security Vault does not contain SecretKey entry under alias (%s)")
void vaultDoesnotContainSecretKey(String alias);
+ @LogMessage(level = Logger.Level.INFO)
+ @Message(id = 372, value = "Security Vault key store successfuly converted to JCEKS type (%s). From now on use JCEKS as KEYSTORE_TYPE in Security Vault configuration.")
+ void keyStoreConvertedToJCEKS(String keyStoreFile);
}
\ No newline at end of file
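Review bot: The new message value misspells "successfully" as "successfuly"; since this text reaches the server log verbatim, the line should read `@Message(id = 372, value = "Security Vault key store successfully converted to JCEKS type (%s). From now on use JCEKS as KEYSTORE_TYPE in Security Vault configuration.")`. The parameter is named `keyStoreFile`, so the `%s` is expected to carry the key store path; callers should be checked to pass the resolved path rather than an option name.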