[
https://issues.apache.org/jira/browse/CLOUDSTACK-9632?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15710041#comment-15710041
]
ASF GitHub Bot commented on CLOUDSTACK-9632:
--------------------------------------------
Github user jburwell commented on a diff in the pull request:
https://github.com/apache/cloudstack/pull/1799#discussion_r90310270
--- Diff:
utils/src/main/java/com/cloud/utils/security/CertificateHelper.java ---
@@ -40,123 +46,122 @@
import java.util.ArrayList;
import java.util.List;
-import com.cloud.utils.exception.CloudRuntimeException;
-import org.apache.commons.codec.binary.Base64;
-
-import com.cloud.utils.Ternary;
-import org.bouncycastle.openssl.PEMReader;
-
public class CertificateHelper {
- public static byte[] buildAndSaveKeystore(String alias, String cert,
String privateKey, String storePassword) throws KeyStoreException,
CertificateException,
- NoSuchAlgorithmException, InvalidKeySpecException, IOException {
- KeyStore ks = buildKeystore(alias, cert, privateKey,
storePassword);
-
- ByteArrayOutputStream os = new ByteArrayOutputStream();
- ks.store(os, storePassword != null ? storePassword.toCharArray() :
null);
- os.close();
- return os.toByteArray();
+ public static byte[] buildAndSaveKeystore(final String alias, final
String cert, final String privateKey, final String storePassword) throws
KeyStoreException, CertificateException,
+ NoSuchAlgorithmException, InvalidKeySpecException, IOException {
+ final KeyStore ks = buildKeystore(alias, cert, privateKey,
storePassword);
+
+ try (final ByteArrayOutputStream os = new ByteArrayOutputStream())
{
+ ks.store(os, storePassword != null ?
storePassword.toCharArray() : null);
+ return os.toByteArray();
+ }
}
- public static byte[] buildAndSaveKeystore(List<Ternary<String, String,
String>> certs, String storePassword) throws KeyStoreException,
NoSuchAlgorithmException,
- CertificateException, IOException, InvalidKeySpecException {
- KeyStore ks = KeyStore.getInstance("JKS");
+ public static byte[] buildAndSaveKeystore(final List<Ternary<String,
String, String>> certs, final String storePassword) throws KeyStoreException,
NoSuchAlgorithmException,
+ CertificateException, IOException, InvalidKeySpecException {
+ final KeyStore ks = KeyStore.getInstance("JKS");
ks.load(null, storePassword != null ? storePassword.toCharArray()
: null);
//name,cert,key
- for (Ternary<String, String, String> cert : certs) {
+ for (final Ternary<String, String, String> cert : certs) {
if (cert.third() == null) {
- Certificate c = buildCertificate(cert.second());
+ final Certificate c = buildCertificate(cert.second());
ks.setCertificateEntry(cert.first(), c);
} else {
- Certificate[] c = new Certificate[certs.size()];
+ final Certificate[] c = new Certificate[certs.size()];
int i = certs.size();
- for (Ternary<String, String, String> ct : certs) {
+ for (final Ternary<String, String, String> ct : certs) {
c[i - 1] = buildCertificate(ct.second());
i--;
}
ks.setKeyEntry(cert.first(),
buildPrivateKey(cert.third()), storePassword != null ?
storePassword.toCharArray() : null, c);
}
}
- ByteArrayOutputStream os = new ByteArrayOutputStream();
- ks.store(os, storePassword != null ? storePassword.toCharArray() :
null);
- os.close();
- return os.toByteArray();
+ try (final ByteArrayOutputStream os = new ByteArrayOutputStream())
{
+ ks.store(os, storePassword != null ?
storePassword.toCharArray() : null);
+ return os.toByteArray();
+ }
}
- public static KeyStore loadKeystore(byte[] ksData, String
storePassword) throws KeyStoreException, CertificateException,
NoSuchAlgorithmException, IOException {
- assert (ksData != null);
- KeyStore ks = KeyStore.getInstance("JKS");
- ks.load(new ByteArrayInputStream(ksData), storePassword != null ?
storePassword.toCharArray() : null);
+ public static KeyStore loadKeystore(final byte[] ksData, final String
storePassword) throws KeyStoreException, CertificateException,
NoSuchAlgorithmException, IOException {
+ assert ksData != null;
+ final KeyStore ks = KeyStore.getInstance("JKS");
+ try (final ByteArrayInputStream is = new
ByteArrayInputStream(ksData)) {
+ ks.load(is, storePassword != null ?
storePassword.toCharArray() : null);
+ }
return ks;
}
- public static KeyStore buildKeystore(String alias, String cert, String
privateKey, String storePassword) throws KeyStoreException,
CertificateException,
- NoSuchAlgorithmException, InvalidKeySpecException, IOException {
+ public static KeyStore buildKeystore(final String alias, final String
cert, final String privateKey, final String storePassword) throws
KeyStoreException, CertificateException,
+ NoSuchAlgorithmException, InvalidKeySpecException, IOException {
- KeyStore ks = KeyStore.getInstance("JKS");
+ final KeyStore ks = KeyStore.getInstance("JKS");
ks.load(null, storePassword != null ? storePassword.toCharArray()
: null);
- Certificate[] certs = new Certificate[1];
+ final Certificate[] certs = new Certificate[1];
certs[0] = buildCertificate(cert);
ks.setKeyEntry(alias, buildPrivateKey(privateKey), storePassword
!= null ? storePassword.toCharArray() : null, certs);
return ks;
}
- public static Certificate buildCertificate(String content) throws
CertificateException {
- assert (content != null);
+ public static Certificate buildCertificate(final String content)
throws CertificateException {
+ assert content != null;
- BufferedInputStream bis = new BufferedInputStream(new
ByteArrayInputStream(content.getBytes()));
- CertificateFactory cf = CertificateFactory.getInstance("X.509");
+ final BufferedInputStream bis = new BufferedInputStream(new
ByteArrayInputStream(content.getBytes()));
+ final CertificateFactory cf =
CertificateFactory.getInstance("X.509");
return cf.generateCertificate(bis);
}
- public static Key buildPrivateKey(String base64EncodedKeyContent)
throws NoSuchAlgorithmException, InvalidKeySpecException, IOException {
- KeyFactory kf = KeyFactory.getInstance("RSA");
- PKCS8EncodedKeySpec keysp = new
PKCS8EncodedKeySpec(Base64.decodeBase64(base64EncodedKeyContent));
+ public static Key buildPrivateKey(final String
base64EncodedKeyContent) throws NoSuchAlgorithmException,
InvalidKeySpecException, IOException {
+ final KeyFactory kf = KeyFactory.getInstance("RSA");
+ final PKCS8EncodedKeySpec keysp = new
PKCS8EncodedKeySpec(Base64.decodeBase64(base64EncodedKeyContent));
return kf.generatePrivate(keysp);
}
- public static List<Certificate> parseChain(String chain) throws
IOException {
+ public static List<Certificate> parseChain(final String chain) throws
IOException, CertificateException {
- List<Certificate> certs = new ArrayList<Certificate>();
- PEMReader reader = new PEMReader(new StringReader(chain));
+ final List<Certificate> certs = new ArrayList<Certificate>();
+ try(final PemReader pemReader = new PemReader(new
StringReader(chain));)
+ {
+ final PemObject pemObject = pemReader.readPemObject();
+ final CertificateFactory certificateFactory =
CertificateFactory.getInstance("X509");
+ final ByteArrayInputStream bais = new
ByteArrayInputStream(pemObject.getContent());
- Certificate crt = null;
-
- while ((crt = (Certificate)reader.readObject()) != null) {
- if (crt instanceof X509Certificate) {
- certs.add(crt);
+ for (final Certificate cert :
certificateFactory.generateCertificates(bais)) {
+ if (cert instanceof X509Certificate) {
+ certs.add(cert);
+ }
+ }
+ if (certs.isEmpty()) {
+ throw new IllegalArgumentException("Unable to decode
certificate chain");
}
}
- if (certs.size() == 0)
- throw new IllegalArgumentException("Unable to decode
certificate chain");
-
return certs;
}
- public static String generateFingerPrint(Certificate cert) {
+ public static String generateFingerPrint(final Certificate cert) {
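Review bot: The new `parseChain` calls `pemReader.readPemObject()` exactly once and hands only that block's DER bytes to `generateCertificates`, so a PEM bundle holding a leaf plus intermediates now yields just the first certificate, whereas the removed `PEMReader` loop collected every `X509Certificate` in the input; any caller that builds a trust or key-entry chain from this list would silently get a truncated chain. A second consequence is that an input with no PEM block makes `readPemObject()` return `null`, so `pemObject.getContent()` throws a `NullPointerException` before the intended `IllegalArgumentException("Unable to decode certificate chain")` is reached. I would loop over `readPemObject()` until it returns `null`, wrap each `ByteArrayInputStream` in try-with-resources like the other methods in this hunk, and move the empty check after the loop.

```java
    final List<Certificate> certs = new ArrayList<Certificate>();
    try (final PemReader pemReader = new PemReader(new StringReader(chain))) {
        final CertificateFactory certificateFactory = CertificateFactory.getInstance("X509");
        PemObject pemObject;
        // Read every PEM block, not just the first: a chain is typically several blocks.
        while ((pemObject = pemReader.readPemObject()) != null) {
            try (final ByteArrayInputStream bais = new ByteArrayInputStream(pemObject.getContent())) {
                for (final Certificate cert : certificateFactory.generateCertificates(bais)) {
                    if (cert instanceof X509Certificate) {
                        certs.add(cert);
                    }
                }
            }
        }
    }
    if (certs.isEmpty()) {
        throw new IllegalArgumentException("Unable to decode certificate chain");
    }
    return certs;
```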
--- End diff --
Please consider adding a `Preconditions.checkArgument` check to verify that
`cert` is not `null`.
> Upgrade bountycastle to 1.55+
> -----------------------------
>
> Key: CLOUDSTACK-9632
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9632
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Reporter: Rohit Yadav
> Assignee: Rohit Yadav
> Fix For: Future, 4.10.0.0
>
>
> Upgrade the bouncycastle library to the latest version.