On 5/13/06, Rick McGuire <[EMAIL PROTECTED]> wrote:
Ok, I'll fix these up. While doing this, I spotted something that might be a bug in the existing code. Is the following test correct?

    if(keyInstance.isKeyUnlocked(keyAlias)) {
        throw new KeystoreIsLocked("Key '"+keyAlias+"' in keystore '"+keyStore+"' is locked; please use the keystore page in the admin console to unlock it");
    }

The test is to see if the key is unlocked, and if it is, it throws an exception complaining that the keyAlias IS locked. Either the test or the exception appears to be wrong.
It's a case of two wrongs make a right! The method behaves as isKeyLocked and is called as isKeyLocked even though the name is isKeyUnlocked. Can you just change the name and JavaDoc of KeystoreInstance.isKeyUnlocked to isKeyLocked? That'll make it more consistent with isKeystoreLocked anyway.

Thanks,
Aaron
> On 5/13/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: >> Author: rickmcguire >> Date: Sat May 13 07:00:44 2006 >> New Revision: 406106 >> >> URL: http://svn.apache.org/viewcvs?rev=406106&view=rev >> Log: >> GERONIMO-2019 -- add ability to create client-side SSLSocketFactories >> to KeystoreManager API. >> >> >> Modified: >> >> geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java >> >> >> Modified: >> geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java >> >> URL: >> http://svn.apache.org/viewcvs/geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java?rev=406106&r1=406105&r2=406106&view=diff >> >> ============================================================================== >> >> --- >> geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java >> (original) >> +++ >> geronimo/branches/1.1/modules/security/src/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java >> Sat May 13 07:00:44 2006 >> @@ -42,6 +42,7 @@ >> import java.util.List; >> import java.util.Vector; >> import javax.net.ssl.SSLServerSocketFactory; >> +import javax.net.ssl.SSLSocketFactory; >> import org.apache.commons.logging.Log; >> import org.apache.commons.logging.LogFactory; >> import org.apache.geronimo.gbean.AbstractName; 
>> @@ -173,7 +174,101 @@ >> } >> } >> >> - public SSLServerSocketFactory createSSLFactory(String provider, >> String protocol, String algorithm, String keyStore, String keyAlias, >> String trustStore, ClassLoader loader) throws KeystoreIsLocked, >> KeyIsLocked, NoSuchAlgorithmException, UnrecoverableKeyException, >> KeyStoreException, KeyManagementException, NoSuchProviderException { >> + /** >> + * Gets a SocketFactory using one Keystore to access the private >> key >> + * and another to provide the list of trusted certificate >> authorities. >> + * @param provider The SSL provider to use, or null for the default >> + * @param protocol The SSL protocol to use >> + * @param algorithm The SSL algorithm to use >> + * @param keyStore The key keystore name as provided by >> listKeystores. The >> + * KeystoreInstance for this keystore must be >> unlocked. >> + * @param keyAlias The name of the private key in the keystore. >> The >> + * KeystoreInstance for this keystore must have >> unlocked >> + * this key. >> + * @param trustStore The trust keystore name as provided by >> listKeystores. >> + * The KeystoreInstance for this keystore must >> have >> + * unlocked this key. >> + * >> + * @throws KeystoreIsLocked Occurs when the requested key >> keystore cannot >> + * be used because it has not been >> unlocked. >> + * @throws KeyIsLocked Occurs when the requested private key in >> the key >> + * keystore cannot be used because it has >> not been >> + * unlocked. 
>> + */ >> + public SSLSocketFactory createSSLFactory(String provider, String >> protocol, String algorithm, String keyStore, String keyAlias, String >> trustStore, ClassLoader loader) throws KeystoreIsLocked, KeyIsLocked, >> NoSuchAlgorithmException, UnrecoverableKeyException, >> KeyStoreException, KeyManagementException, NoSuchProviderException { >> + KeystoreInstance keyInstance = getKeystore(keyStore); >> + if(keyInstance.isKeystoreLocked()) { >> + throw new KeystoreIsLocked("Keystore '"+keyStore+"' is >> locked; please use the keystore page in the admin console to unlock >> it"); >> + } >> + if(keyInstance.isKeyUnlocked(keyAlias)) { >> + throw new KeystoreIsLocked("Key '"+keyAlias+"' in >> keystore '"+keyStore+"' is locked; please use the keystore page in >> the admin console to unlock it"); >> + } >> + KeystoreInstance trustInstance = trustStore == null ? null : >> getKeystore(trustStore); >> + if(trustInstance != null && trustInstance.isKeystoreLocked()) { >> + throw new KeystoreIsLocked("Keystore '"+trustStore+"' is >> locked; please use the keystore page in the admin console to unlock >> it"); >> + } >> + >> + // OMG this hurts, but it causes ClassCastExceptions >> elsewhere unless done this way! >> + try { >> + Class cls = loader.loadClass("javax.net.ssl.SSLContext"); >> + Object ctx = cls.getMethod("getInstance", new Class[] >> {String.class}).invoke(null, new Object[]{protocol}); >> + Class kmc = >> loader.loadClass("[Ljavax.net.ssl.KeyManager;"); >> + Class tmc = >> loader.loadClass("[Ljavax.net.ssl.TrustManager;"); >> + Class src = loader.loadClass("java.security.SecureRandom"); >> + cls.getMethod("init", new Class[]{kmc, tmc, >> src}).invoke(ctx, new Object[]{keyInstance.getKeyManager(algorithm, >> keyAlias), >> + >> trustInstance == null ? 
null : trustInstance.getTrustManager(algorithm), >> + >> new java.security.SecureRandom()}); >> + Object result = cls.getMethod("getSocketFactory", new >> Class[0]).invoke(ctx, new Object[0]); >> + return (SSLSocketFactory) result; >> + } catch (Exception e) { >> + log.error("Unable to dynamically load", e); >> + return null; >> + } >> + } >> + >> + /** >> + * Gets a ServerSocketFactory using one Keystore to access the >> private key >> + * and another to provide the list of trusted certificate >> authorities. >> + * @param provider The SSL provider to use, or null for the default >> + * @param protocol The SSL protocol to use >> + * @param algorithm The SSL algorithm to use >> + * @param keyStore The key keystore name as provided by >> listKeystores. The >> + * KeystoreInstance for this keystore must be >> unlocked. >> + * @param keyAlias The name of the private key in the keystore. >> The >> + * KeystoreInstance for this keystore must have >> unlocked >> + * this key. >> + * @param trustStore The trust keystore name as provided by >> listKeystores. >> + * The KeystoreInstance for this keystore must >> have >> + * unlocked this key. >> + * >> + * @throws KeystoreIsLocked Occurs when the requested key >> keystore cannot >> + * be used because it has not been >> unlocked. >> + * @throws KeyIsLocked Occurs when the requested private key in >> the key >> + * keystore cannot be used because it has >> not been >> + * unlocked. >> + */ >> + /** >> + * Create an SSLServerSocketFactory configured from the >> + * appropriate characteristics. >> + * >> + * @param provider The JSSE provider to use (optional). >> + * @param protocol The protocol we need a factory for. >> + * @param algorithm A particular algoritm to use. >> + * @param keyStore The keystore the factory should be >> configured with. >> + * @param keyAlias >> + * @param trustStore The trustStore to use for managing trust >> certificates. >> + * @param loader The ClassLoader instance for loading the >> factory. 
>> + * >> + * @return An SSLServerSocketFactory instance. >> + * @exception KeystoreIsLocked >> + * @exception KeyIsLocked >> + * @exception NoSuchAlgorithmException >> + * @exception UnrecoverableKeyException >> + * @exception KeyStoreException >> + * @exception KeyManagementException >> + * @exception NoSuchProviderException >> + */ >> + public SSLServerSocketFactory createSSLServerFactory(String >> provider, String protocol, String algorithm, String keyStore, String >> keyAlias, String trustStore, ClassLoader loader) throws >> KeystoreIsLocked, KeyIsLocked, NoSuchAlgorithmException, >> UnrecoverableKeyException, KeyStoreException, KeyManagementException, >> NoSuchProviderException { >> KeystoreInstance keyInstance = getKeystore(keyStore); >> if(keyInstance.isKeystoreLocked()) { >> throw new KeystoreIsLocked("Keystore '"+keyStore+"' is >> locked; please use the keystore page in the admin console to unlock >> it"); >> >> >> >
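Review bot: In the new createSSLFactory the private-key check throws the wrong exception type: `if(keyInstance.isKeyUnlocked(keyAlias))` raises KeystoreIsLocked with a "Key '...' is locked" message, while the Javadoc directly above promises `@throws KeyIsLocked` for exactly this case; once the method is renamed to isKeyLocked as agreed in the thread, throw KeyIsLocked there so callers can tell a locked store from a locked key. The `catch (Exception e)` around the reflective SSLContext setup that logs "Unable to dynamically load" and returns null also hides every failure (bad protocol name, unrecoverable key, ClassNotFoundException) behind a later NullPointerException at the call site, and it means none of the checked exceptions the signature declares are ever actually thrown; rethrow, or wrap in KeyManagementException, rather than returning null. Smaller points in the same hunk: `provider` is documented ("or null for the default") but never passed to `getInstance`; the `@param trustStore` text ("must have unlocked this key") is copied from keyAlias, a trust store only needs to be unlocked; createSSLServerFactory carries two consecutive Javadoc blocks, of which only the second attaches, with the typo "algoritm"; and since the existing createSSLFactory is renamed to createSSLServerFactory and its old name reused with a different return type, existing callers on the 1.1 branch will break at compile time, which the log message ("add ability") does not mention.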
