[jboss-svn-commits] JBL Code SVN: r35196 - in labs/jbossrules/branches/4.0.x: drools-core/src/main/java/org/drools and 3 other directories.
jboss-svn-commits at lists.jboss.org
jboss-svn-commits at lists.jboss.org
Mon Sep 20 12:47:03 EDT 2010
Author: tirelli
Date: 2010-09-20 12:47:02 -0400 (Mon, 20 Sep 2010)
New Revision: 35196
Modified:
labs/jbossrules/branches/4.0.x/drools-compiler/src/test/java/org/drools/integrationtests/MarshallingTest.java
labs/jbossrules/branches/4.0.x/drools-core/src/main/java/org/drools/RuleBaseConfiguration.java
labs/jbossrules/branches/4.0.x/drools-core/src/main/java/org/drools/rule/PackageCompilationData.java
labs/jbossrules/branches/4.0.x/drools-core/src/main/java/org/drools/util/KeyStoreHelper.java
labs/jbossrules/branches/4.0.x/drools-core/src/test/java/org/drools/util/KeyStoreHelperTest.java
Log:
JBRULES-2702: Adding support to sign serialized packages and rulebases.
Modified: labs/jbossrules/branches/4.0.x/drools-compiler/src/test/java/org/drools/integrationtests/MarshallingTest.java
===================================================================
--- labs/jbossrules/branches/4.0.x/drools-compiler/src/test/java/org/drools/integrationtests/MarshallingTest.java 2010-09-20 15:02:31 UTC (rev 35195)
+++ labs/jbossrules/branches/4.0.x/drools-compiler/src/test/java/org/drools/integrationtests/MarshallingTest.java 2010-09-20 16:47:02 UTC (rev 35196)
@@ -1110,30 +1110,29 @@
}
/*
- * Deserializing an unsigned rulebase should always work
+ * A client environment configured to use signed serialization
+ * should refuse any non-signed serialized rulebase
*/
public void testSignedSerialization4() throws Exception {
- try {
- // set only the deserialisation properties, but not the serialization
- setPublicKeyProperties();
- //Compile a package
- PackageBuilder builder = new PackageBuilder();
- builder.addPackageFromDrl( new InputStreamReader( getClass().getResourceAsStream( "test_Dynamic1_0.drl" ) ) );
+ //Compile a package
+ PackageBuilder builder = new PackageBuilder();
+ builder.addPackageFromDrl( new InputStreamReader( getClass().getResourceAsStream( "test_Dynamic1_0.drl" ) ) );
- // Create a rulebase
- RuleBase ruleBase = RuleBaseFactory.newRuleBase();
- ruleBase.addPackage( builder.getPackage() );
+ // Create a rulebase
+ RuleBase ruleBase = RuleBaseFactory.newRuleBase();
+ ruleBase.addPackage( builder.getPackage() );
- // Test rulebase serialization/deserialization
- byte[] serializedRulebase = serializeOut( ruleBase );
+ // Test rulebase serialization/deserialization
+ byte[] serializedRulebase = serializeOut( ruleBase );
- try {
- ruleBase = (RuleBase) serializeIn( serializedRulebase );
- } catch ( Exception e ) {
- fail( "Deserialisation should have worked." );
- e.printStackTrace();
- }
+ try {
+ // set only the deserialisation properties, but not the serialization
+ setPublicKeyProperties();
+ ruleBase = (RuleBase) serializeIn( serializedRulebase );
+ fail( "Should not deserialize an unsigned rulebase on an environment configured to work with signed rulebases." );
+ } catch ( Exception e ) {
+ // success
} finally {
unsetPublicKeyProperties();
}
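Review bot: The `catch ( Exception e ) { // success }` in testSignedSerialization4 accepts any exception as proof of rejection, and `setPublicKeyProperties()` now sits inside the same try, so a failure unrelated to signing (for example a keystore resource that cannot be found) would also make the test pass. Catch the specific rejection instead, `} catch ( RuntimeDroolsException e ) {`, and assert on its message so the test passes only when the unsigned rulebase is refused for the configured reason. Whether serializeIn wraps that exception is not visible in this hunk, so confirm which type actually surfaces.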
@@ -1142,22 +1141,22 @@
private void setPublicKeyProperties() {
// Set the client properties to de-serialise the signed packages
URL clientKeyStoreURL = getClass().getResource( "droolsClient.keystore" );
+ System.setProperty( KeyStoreHelper.PROP_SIGN,
+ "true" );
System.setProperty( KeyStoreHelper.PROP_PUB_KS_URL,
clientKeyStoreURL.toExternalForm() );
System.setProperty( KeyStoreHelper.PROP_PUB_KS_PWD,
"clientpwd" );
- System.setProperty( KeyStoreHelper.PROP_PUB_ALIAS,
- "droolsKey" );
}
private void unsetPublicKeyProperties() {
// Un-set the client properties to de-serialise the signed packages
+ System.setProperty( KeyStoreHelper.PROP_SIGN,
+ "" );
System.setProperty( KeyStoreHelper.PROP_PUB_KS_URL,
"" );
System.setProperty( KeyStoreHelper.PROP_PUB_KS_PWD,
"" );
- System.setProperty( KeyStoreHelper.PROP_PUB_ALIAS,
- "" );
}
private void setPrivateKeyProperties() {
Modified: labs/jbossrules/branches/4.0.x/drools-core/src/main/java/org/drools/RuleBaseConfiguration.java
===================================================================
--- labs/jbossrules/branches/4.0.x/drools-core/src/main/java/org/drools/RuleBaseConfiguration.java 2010-09-20 15:02:31 UTC (rev 35195)
+++ labs/jbossrules/branches/4.0.x/drools-core/src/main/java/org/drools/RuleBaseConfiguration.java 2010-09-20 16:47:02 UTC (rev 35196)
@@ -72,6 +72,8 @@
implements
Serializable {
private static final long serialVersionUID = 400L;
+
+ public static final String DEFAULT_SIGN_ON_SERIALIZATION = "false";
private ChainedProperties chainedProperties;
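Review bot: `DEFAULT_SIGN_ON_SERIALIZATION` is added without a comment, although its value sets the default trust posture: the KeyStoreHelper constructor hunk in this commit falls back to it when `KeyStoreHelper.PROP_SIGN` is unset. Document that on the constant, for example `/** Default for the serialization signing property; "false" means serialized packages and rulebases are neither signed nor verified unless signing is explicitly enabled. */`.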
Modified: labs/jbossrules/branches/4.0.x/drools-core/src/main/java/org/drools/rule/PackageCompilationData.java
===================================================================
--- labs/jbossrules/branches/4.0.x/drools-core/src/main/java/org/drools/rule/PackageCompilationData.java 2010-09-20 15:02:31 UTC (rev 35195)
+++ labs/jbossrules/branches/4.0.x/drools-core/src/main/java/org/drools/rule/PackageCompilationData.java 2010-09-20 16:47:02 UTC (rev 35196)
@@ -31,7 +31,6 @@
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.security.SignatureException;
-import java.security.UnrecoverableKeyException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
@@ -40,7 +39,6 @@
import java.util.Map.Entry;
import org.drools.CheckedDroolsException;
-import org.drools.RuleBaseConfiguration;
import org.drools.RuntimeDroolsException;
import org.drools.base.accumulators.JavaAccumulatorFunctionExecutor;
import org.drools.common.DroolsObjectInputStream;
@@ -119,8 +117,11 @@
*/
public void writeExternal(final ObjectOutput stream) throws IOException {
KeyStoreHelper helper = new KeyStoreHelper();
-
+
stream.writeBoolean( helper.isSigned() );
+ if ( helper.isSigned() ) {
+ stream.writeObject( helper.getPvtKeyAlias() );
+ }
ByteArrayOutputStream bos = new ByteArrayOutputStream();
ObjectOutput out = new ObjectOutputStream( bos );
@@ -175,18 +176,29 @@
} else {
initClassLoader( Thread.currentThread().getContextClassLoader() );
}
-
+
boolean signed = stream.readBoolean();
- if( signed && helper.getPubKeyStore() == null ) {
- throw new RuntimeDroolsException("The package was serialized with a signature. Please configure a public keystore with the public key to check the signature. Deserialization aborted.");
+ if ( helper.isSigned() != signed ) {
+ throw new RuntimeDroolsException( "This environment is configured to work with " +
+ (helper.isSigned() ? "signed" : "unsigned") +
+ " serialized objects, but the given object is " +
+ (signed ? "signed" : "unsigned") + ". Deserialization aborted." );
}
+ String pubKeyAlias = null;
+ if ( signed ) {
+ pubKeyAlias = (String) stream.readObject();
+ if ( helper.getPubKeyStore() == null ) {
+ throw new RuntimeDroolsException( "The package was serialized with a signature. Please configure a public keystore with the public key to check the signature. Deserialization aborted." );
+ }
+ }
// Return the object stored as a byte[]
byte[] bytes = (byte[]) stream.readObject();
if ( signed ) {
checkSignature( stream,
helper,
- bytes );
+ bytes,
+ pubKeyAlias );
}
this.store = (Map) new DroolsObjectInputStream( new ByteArrayInputStream( bytes ),
this.classLoader ).readObject();
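Review bot: `pubKeyAlias = (String) stream.readObject()` takes the certificate alias from the serialized input itself, before anything has been verified, and writeExternal writes that alias outside the signed byte array, so the sender chooses which entry of the public keystore validates the signature. That is safe only if every certificate in that keystore belongs to a trusted package signer; state this requirement in the readExternal Javadoc or check the alias against a configured set of permitted signers. Reading the alias with `stream.readUTF()`, paired with `stream.writeUTF( helper.getPvtKeyAlias() )` in the writeExternal hunk, would also avoid deserializing an arbitrary object at this point. readExternal starts and ends outside this hunk.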
@@ -197,7 +209,8 @@
if ( signed ) {
checkSignature( stream,
helper,
- bytes );
+ bytes,
+ pubKeyAlias );
}
// Use a custom ObjectInputStream that can resolve against a given classLoader
final DroolsObjectInputStream streamWithLoader = new DroolsObjectInputStream( new ByteArrayInputStream( bytes ),
@@ -206,12 +219,14 @@
}
private void checkSignature(final ObjectInput stream,
- KeyStoreHelper helper,
- byte[] bytes) throws ClassNotFoundException,
- IOException {
+ final KeyStoreHelper helper,
+ final byte[] bytes,
+ final String pubKeyAlias) throws ClassNotFoundException,
+ IOException {
byte[] signature = (byte[]) stream.readObject();
try {
- if ( !helper.checkDataWithPublicKey( bytes,
+ if ( !helper.checkDataWithPublicKey( pubKeyAlias,
+ bytes,
signature ) ) {
throw new RuntimeDroolsException( "Signature does not match serialized package. This is a security violation. Deserialisation aborted." );
}
Modified: labs/jbossrules/branches/4.0.x/drools-core/src/main/java/org/drools/util/KeyStoreHelper.java
===================================================================
--- labs/jbossrules/branches/4.0.x/drools-core/src/main/java/org/drools/util/KeyStoreHelper.java 2010-09-20 15:02:31 UTC (rev 35195)
+++ labs/jbossrules/branches/4.0.x/drools-core/src/main/java/org/drools/util/KeyStoreHelper.java 2010-09-20 16:47:02 UTC (rev 35196)
@@ -17,6 +17,7 @@
import java.security.cert.CertificateException;
import java.util.Properties;
+import org.drools.RuleBaseConfiguration;
import org.drools.RuntimeDroolsException;
/**
@@ -32,7 +33,6 @@
* drools.serialisation.private.keyPwd = <password>
* drools.serialisation.public.keyStoreURL = <URL>
* drools.serialisation.public.keyStorePwd = <password>
- * drools.serialisation.public.keyAlias = <key>
*
* @author etirelli
*
@@ -53,8 +53,6 @@
public static final String PROP_PUB_KS_URL = "drools.serialisation.public.keyStoreURL";
// the key store password
public static final String PROP_PUB_KS_PWD = "drools.serialisation.public.keyStorePwd";
- // the public key identifier
- public static final String PROP_PUB_ALIAS = "drools.serialisation.public.keyAlias";
private boolean signed;
private URL pvtKeyStoreURL;
@@ -63,7 +61,6 @@
private char[] pvtKeyPassword;
private URL pubKeyStoreURL;
private char[] pubKeyStorePwd;
- private String pubKeyAlias;
private KeyStore pvtKeyStore;
private KeyStore pubKeyStore;
@@ -77,7 +74,7 @@
try {
Properties prop = System.getProperties();
this.signed = Boolean.valueOf( prop.getProperty( PROP_SIGN,
- "false" ) ).booleanValue();
+ RuleBaseConfiguration.DEFAULT_SIGN_ON_SERIALIZATION ) ).booleanValue();
String url = prop.getProperty( PROP_PVT_KS_URL,
"" );
if ( url.length() > 0 ) {
@@ -97,8 +94,6 @@
}
this.pubKeyStorePwd = prop.getProperty( PROP_PUB_KS_PWD,
"" ).toCharArray();
- this.pubKeyAlias = prop.getProperty( PROP_PUB_ALIAS,
- "" );
initKeyStore();
} catch ( Exception e ) {
throw new RuntimeDroolsException( "Error initialising KeyStore: " + e.getMessage(),
@@ -141,6 +136,9 @@
NoSuchAlgorithmException,
InvalidKeyException,
SignatureException {
+ if( pvtKeyStore == null ) {
+ throw new RuntimeDroolsException( "Key store with private key not configured. Please configure it properly before using signed serialization." );
+ }
PrivateKey pvtkey = (PrivateKey) pvtKeyStore.getKey( pvtKeyAlias,
pvtKeyPassword );
Signature sig = Signature.getInstance( "MD5withRSA" );
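Review bot: Both the signing path here and the verification path in the checkDataWithPublicKey hunk keep `Signature.getInstance( "MD5withRSA" )`, and MD5 is not collision resistant, which weakens the integrity guarantee this commit introduces. Since the signed format is being defined now, prefer `Signature.getInstance( "SHA256withRSA" )` in both places, changed together so that signer and verifier agree. Anything already signed with the old algorithm would need re-signing, and the algorithm's availability on the JDK baseline of the 4.0.x branch should be confirmed. The method starts outside this hunk.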
@@ -164,12 +162,19 @@
* @throws InvalidKeyException
* @throws SignatureException
*/
- public boolean checkDataWithPublicKey(byte[] data,
- byte[] signature) throws KeyStoreException,
- NoSuchAlgorithmException,
- InvalidKeyException,
- SignatureException {
- Certificate cert = pubKeyStore.getCertificate( pubKeyAlias );
+ public boolean checkDataWithPublicKey(final String publicKeyAlias,
+ final byte[] data,
+ final byte[] signature) throws KeyStoreException,
+ NoSuchAlgorithmException,
+ InvalidKeyException,
+ SignatureException {
+ if( pvtKeyStore == null ) {
+ throw new RuntimeDroolsException( "Key store with public key not configured. Please configure it properly before using signed serialization." );
+ }
+ Certificate cert = pubKeyStore.getCertificate( publicKeyAlias );
+ if( cert == null ) {
+ throw new RuntimeDroolsException( "Public certificate for key '"+publicKeyAlias+"' not found in the configured key store. Impossible to deserialize the object." );
+ }
Signature sig = Signature.getInstance( "MD5withRSA" );
sig.initVerify( cert.getPublicKey() );
sig.update( data );
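Review bot: The new guard in checkDataWithPublicKey tests `pvtKeyStore`, but the method goes on to call `pubKeyStore.getCertificate( publicKeyAlias )` and the message refers to the public key store. A verify-only client with no private keystore configured would presumably be rejected here, while a caller that has not checked getPubKeyStore() first would still reach the dereference with a null public keystore. The condition should be `if( pubKeyStore == null ) {`. The method body continues past the end of this hunk.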
@@ -204,10 +209,6 @@
return pubKeyStorePwd;
}
- public String getPubKeyAlias() {
- return pubKeyAlias;
- }
-
public KeyStore getPvtKeyStore() {
return pvtKeyStore;
}
Modified: labs/jbossrules/branches/4.0.x/drools-core/src/test/java/org/drools/util/KeyStoreHelperTest.java
===================================================================
--- labs/jbossrules/branches/4.0.x/drools-core/src/test/java/org/drools/util/KeyStoreHelperTest.java 2010-09-20 15:02:31 UTC (rev 35195)
+++ labs/jbossrules/branches/4.0.x/drools-core/src/test/java/org/drools/util/KeyStoreHelperTest.java 2010-09-20 16:47:02 UTC (rev 35196)
@@ -42,16 +42,17 @@
System.setProperty( KeyStoreHelper.PROP_SIGN, "true" );
System.setProperty( KeyStoreHelper.PROP_PUB_KS_URL, clientKeyStoreURL.toExternalForm() );
System.setProperty( KeyStoreHelper.PROP_PUB_KS_PWD, "clientpwd" );
- System.setProperty( KeyStoreHelper.PROP_PUB_ALIAS, "droolsKey" );
// client needs no password to access the certificate and public key
KeyStoreHelper clientHelper = new KeyStoreHelper( );
// check the signature against the data
- assertTrue( clientHelper.checkDataWithPublicKey( data,
+ assertTrue( clientHelper.checkDataWithPublicKey( "droolsKey",
+ data,
signature ) );
// check some fake data
- assertFalse( clientHelper.checkDataWithPublicKey( "fake".getBytes( "UTF8" ),
+ assertFalse( clientHelper.checkDataWithPublicKey( "droolsKey",
+ "fake".getBytes( "UTF8" ),
signature ) );
}
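Review bot: The updated test exercises only an alias that exists, so the new `cert == null` branch in checkDataWithPublicKey, reached when the alias is not in the keystore, has no coverage. Add a case that passes an unknown alias and expects RuntimeDroolsException, since in PackageCompilationData the alias now arrives from the serialized stream rather than from local configuration. The test method starts outside this hunk.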