This is an automated email from the ASF dual-hosted git repository.
weizhou pushed a commit to branch 4.19
in repository https://gitbox.apache.org/repos/asf/cloudstack.git
The following commit(s) were added to refs/heads/4.19 by this push:
new e47b78b2bbb directdownload: fix keytool importcert (#11113)
e47b78b2bbb is described below
commit e47b78b2bbb4842625f7bf311a045815ed0badaa
Author: Wei Zhou <[email protected]>
AuthorDate: Mon Jul 7 13:36:16 2025 +0200
directdownload: fix keytool importcert (#11113)
* directdownload: fix keytool importcert
```
$ /usr/bin/keytool -importcert file
/etc/cloudstack/agent/CSCERTIFICATE-full -keystore
/etc/cloudstack/agent/cloud.jks -alias full -storepass DAWsfkJeeGrmhta6
Illegal option: file
keytool -importcert [OPTION]...
Imports a certificate or a certificate chain
Options:
-noprompt do not prompt
-trustcacerts trust certificates from cacerts
-protected password through protected mechanism
-alias <alias> alias name of the entry to process
-file <file> input file name
-keypass <arg> key password
-keystore <keystore> keystore name
-cacerts access the cacerts keystore
-storepass <arg> keystore password
-storetype <type> keystore type
-providername <name> provider name
-addprovider <name> add security provider by name (e.g. SunPKCS11)
[-providerarg <arg>] configure argument for -addprovider
-providerclass <class> add security provider by fully-qualified class name
[-providerarg <arg>] configure argument for -providerclass
-providerpath <list> provider classpath
-v verbose output
Use "keytool -?, -h, or --help" for this help message
```
* DirectDownload: drop HttpsMultiTrustManager
---
.../download/HttpsDirectTemplateDownloader.java | 11 +--
.../direct/download/HttpsMultiTrustManager.java | 102 ---------------------
...tupDirectDownloadCertificateCommandWrapper.java | 2 +-
3 files changed, 6 insertions(+), 109 deletions(-)
diff --git
a/core/src/main/java/org/apache/cloudstack/direct/download/HttpsDirectTemplateDownloader.java
b/core/src/main/java/org/apache/cloudstack/direct/download/HttpsDirectTemplateDownloader.java
index 3a48ade4cd8..e3c74213d74 100644
---
a/core/src/main/java/org/apache/cloudstack/direct/download/HttpsDirectTemplateDownloader.java
+++
b/core/src/main/java/org/apache/cloudstack/direct/download/HttpsDirectTemplateDownloader.java
@@ -39,9 +39,7 @@ import java.util.Map;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
-import javax.net.ssl.TrustManager;
-import org.apache.cloudstack.utils.security.SSLUtils;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.httpclient.HttpStatus;
import org.apache.commons.io.IOUtils;
@@ -55,6 +53,7 @@ import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
+import org.apache.http.ssl.SSLContexts;
import org.apache.http.util.EntityUtils;
import com.cloud.utils.Pair;
@@ -120,10 +119,10 @@ public class HttpsDirectTemplateDownloader extends
DirectTemplateDownloaderImpl
String password = "changeit";
defaultKeystore.load(is, password.toCharArray());
}
- TrustManager[] tm =
HttpsMultiTrustManager.getTrustManagersFromKeyStores(customKeystore,
defaultKeystore);
- SSLContext sslContext = SSLUtils.getSSLContext();
- sslContext.init(null, tm, null);
- return sslContext;
+ return SSLContexts.custom()
+ .loadTrustMaterial(customKeystore, null)
+ .loadTrustMaterial(defaultKeystore, null)
+ .build();
} catch (KeyStoreException | NoSuchAlgorithmException |
CertificateException | IOException | KeyManagementException e) {
s_logger.error(String.format("Failure getting SSL context for
HTTPS downloader, using default SSL context: %s", e.getMessage()), e);
try {
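Review bot: The two chained `loadTrustMaterial` calls on the new side (`customKeystore` then `defaultKeystore`) may not give the union of trust that the deleted HttpsMultiTrustManager provided. As far as I recall, SSLContextBuilder collects one TrustManager per keystore and hands the whole array to `SSLContext.init`, and the JSSE implementation consults only the first X509TrustManager in that array, which here would leave the cacerts-backed `defaultKeystore` (loaded at the top of the hunk with the "changeit" password) silently unused, so a server whose chain terminates in a public CA but is absent from the custom keystore would be rejected. That is worth confirming with such a server before relying on this; if it holds, merge the certificate entries of one KeyStore into the other and call `loadTrustMaterial` once, or restore a trust manager that consults both stores in turn. The enclosing method begins and ends outside this hunk, including the fallback path that builds the default SSL context.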
diff --git
a/core/src/main/java/org/apache/cloudstack/direct/download/HttpsMultiTrustManager.java
b/core/src/main/java/org/apache/cloudstack/direct/download/HttpsMultiTrustManager.java
deleted file mode 100644
index fe47847c36c..00000000000
---
a/core/src/main/java/org/apache/cloudstack/direct/download/HttpsMultiTrustManager.java
+++ /dev/null
@@ -1,102 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.direct.download;
-
-import java.security.KeyStore;
-import java.security.KeyStoreException;
-import java.security.NoSuchAlgorithmException;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.List;
-
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.TrustManagerFactory;
-import javax.net.ssl.X509TrustManager;
-
-import com.google.common.collect.ImmutableList;
-import com.google.common.collect.Iterables;
-
-public class HttpsMultiTrustManager implements X509TrustManager {
-
- private final List<X509TrustManager> trustManagers;
-
- public HttpsMultiTrustManager(KeyStore... keystores) {
- List<X509TrustManager> trustManagers = new ArrayList<>();
- trustManagers.add(getTrustManager(null));
- for (KeyStore keystore : keystores) {
- trustManagers.add(getTrustManager(keystore));
- }
- this.trustManagers = ImmutableList.copyOf(trustManagers);
- }
-
- public static TrustManager[] getTrustManagersFromKeyStores(KeyStore...
keyStore) {
- return new TrustManager[] { new HttpsMultiTrustManager(keyStore) };
-
- }
-
- @Override
- public void checkClientTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
- for (X509TrustManager trustManager : trustManagers) {
- try {
- trustManager.checkClientTrusted(chain, authType);
- return;
- } catch (CertificateException ignored) {}
- }
- throw new CertificateException("None of the TrustManagers trust this
certificate chain");
- }
-
- @Override
- public void checkServerTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
- for (X509TrustManager trustManager : trustManagers) {
- try {
- trustManager.checkServerTrusted(chain, authType);
- return;
- } catch (CertificateException ignored) {}
- }
- throw new CertificateException("None of the TrustManagers trust this
certificate chain");
- }
-
- @Override
- public X509Certificate[] getAcceptedIssuers() {
- ImmutableList.Builder<X509Certificate> certificates =
ImmutableList.builder();
- for (X509TrustManager trustManager : trustManagers) {
- for (X509Certificate cert : trustManager.getAcceptedIssuers()) {
- certificates.add(cert);
- }
- }
- return Iterables.toArray(certificates.build(), X509Certificate.class);
- }
-
- public X509TrustManager getTrustManager(KeyStore keystore) {
- return getTrustManager(TrustManagerFactory.getDefaultAlgorithm(),
keystore);
- }
-
- public X509TrustManager getTrustManager(String algorithm, KeyStore
keystore) {
- TrustManagerFactory factory;
- try {
- factory = TrustManagerFactory.getInstance(algorithm);
- factory.init(keystore);
- return Iterables.getFirst(Iterables.filter(
- Arrays.asList(factory.getTrustManagers()),
X509TrustManager.class), null);
- } catch (NoSuchAlgorithmException | KeyStoreException e) {
- e.printStackTrace();
- }
- return null;
- }
-}
diff --git
a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtSetupDirectDownloadCertificateCommandWrapper.java
b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtSetupDirectDownloadCertificateCommandWrapper.java
index d2b69412a72..1a8de7a8c5b 100644
---
a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtSetupDirectDownloadCertificateCommandWrapper.java
+++
b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtSetupDirectDownloadCertificateCommandWrapper.java
@@ -86,7 +86,7 @@ public class
LibvirtSetupDirectDownloadCertificateCommandWrapper extends Command
private void importCertificate(String tempCerFilePath, String
keyStoreFile, String certificateName, String privatePassword) {
s_logger.debug("Importing certificate from temporary file to
keystore");
String keyToolPath = Script.getExecutableAbsolutePath("keytool");
- int result = Script.executeCommandForExitValue(keyToolPath,
"-importcert", "file", tempCerFilePath,
+ int result = Script.executeCommandForExitValue(keyToolPath,
"-importcert", "-file", tempCerFilePath,
"-keystore", keyStoreFile, "-alias",
sanitizeBashCommandArgument(certificateName), "-storepass",
privatePassword, "-noprompt");
if (result != 0) {
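Review bot: The corrected `-file` option is right, but the rewritten `executeCommandForExitValue` call still passes `privatePassword` as a plain `-storepass` argument, so the keystore password is exposed in the process table to any local user for the lifetime of the keytool process, and it would also land in the agent log if Script echoes its command line at debug level (I cannot see whether it does). keytool accepts the password indirectly via `-storepass:env <VAR>` or `-storepass:file <path>`, so the option pair could become `"-storepass:env", "<VAR_NAME>"` with the password placed in the child environment by Script, or be read from a root-only temporary file that is deleted afterwards. Either variant keeps the password out of `ps` output and out of command-line logging. The `if (result != 0)` block and the rest of importCertificate continue outside the hunk.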