external-software/github_OpenIdentityPlatform_OpenDJ.git

parent: e0f2f1df | patch | commit | ignore whitespace

Fix for issue 3075 (ads-truststore creation failure and exception handling)...

jvergara

02.00.2008 91b56edf3ef228cb8e29df9e57a6605a5ce9557c

Fix for issue 3075 (ads-truststore creation failure and exception handling)
1. There is a problem with the default cipher algorithm provided in the CryptoManager  configuration (RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING) since it does not work in IBM Java.  RSA/ECB/PKCS1Padding must be used instead in default Java 5 AIX installations.  This issue may apply to any other JVM that do not include the same ciphers as Sun JCE.  
    
A fix to handle this case corresponds to the modifications performed in ConfigureDS.java. ConfigureDS checks whether the default cipher can be used with the JVM and if not, tries to use an alternative cipher.  If the default cipher does not work and an alternative cipher is found, the configuration of the CryptoManager is updated.

2. There is an issue with keytool utility on Java 1.6.  If we write directly the passwords to the keytool process OutputStream it fails.  Using a sleep fixes the issue.  The modifications in CertificateManager fix this problem.  Note that genkeypair is the new subcommand recommended to be used since 1.6, and the code reflects this.

Apart from that a fix with the temporary self-signed certificate that is generated has been also committed by marking the file to be deleted on exit (before these modifications the file was not deleted).

5 files modified

	opends/src/messages/messages/tools.properties	2 ●●●●● patch \| view \| raw \| blame \| history
	opends/src/server/org/opends/server/config/ConfigConstants.java	6 ●●●●● patch \| view \| raw \| blame \| history
	opends/src/server/org/opends/server/tools/ConfigureDS.java	94 ●●●●● patch \| view \| raw \| blame \| history
	opends/src/server/org/opends/server/util/CertificateManager.java	56 ●●●●● patch \| view \| raw \| blame \| history
	opends/src/server/org/opends/server/util/SetupUtils.java	2 ●●●●● patch \| view \| raw \| blame \| history

 opends/src/messages/messages/tools.properties

@@ -2343,4 +2343,6 @@
INFO_INSTALLDS_CONFIRM_INSTALL_1604=Setup the server with the parameters above
INFO_INSTALLDS_PROVIDE_DATA_AGAIN_1605=Provide the setup parameters again
INFO_INSTALLDS_CANCEL_1606=Cancel the setup
SEVERE_ERR_CONFIGDS_CANNOT_UPDATE_CRYPTO_MANAGER_1607=An error occurred while \
 attempting to update the crypto manager in the Directory Server: %s


 opends/src/server/org/opends/server/config/ConfigConstants.java

@@ -2915,6 +2915,12 @@
  public static final String ATTR_CRYPTO_CIPHER_TRANSFORMATION_NAME =
       "ds-cfg-cipher-transformation-name";

  /**
   * The name of the attribute that is used to hold the key wrapping
   * transformation used by the Crypto Manager.
   */
  public static final String ATTR_CRYPTO_CIPHER_KEY_WRAPPING_TRANSFORMATION =
    "ds-cfg-key-wrapping-transformation";

  /**
   * The name of the attribute that is used to hold the name of a

 opends/src/server/org/opends/server/tools/ConfigureDS.java

@@ -29,11 +29,19 @@



import java.security.GeneralSecurityException;
import java.util.Collection;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.Set;
import java.io.File;

import javax.crypto.Cipher;

import org.opends.server.admin.DefaultBehaviorProvider;
import org.opends.server.admin.DefinedDefaultBehaviorProvider;
import org.opends.server.admin.StringPropertyDefinition;
import org.opends.server.admin.std.meta.CryptoManagerCfgDefn;
import org.opends.server.api.ConfigHandler;
import org.opends.server.config.BooleanConfigAttribute;
import org.opends.server.config.ConfigEntry;
@@ -127,6 +135,11 @@
  private static final String DN_ROOT_USER =
       "cn=Directory Manager," + DN_ROOT_DN_CONFIG_BASE;

  /**
   * The DN of the Crypto Manager.
   */
  private static final String DN_CRYPTO_MANAGER = "cn=Crypto Manager,cn=config";



  /**
@@ -988,6 +1001,59 @@
      }


      // Check that the cipher specified is supported.  This is intended to
      // fix issues with JVM that do not support the default cipher (see
      // issue 3075 for instance).
      CryptoManagerCfgDefn cryptoManager = CryptoManagerCfgDefn.getInstance();
      StringPropertyDefinition prop =
        cryptoManager.getKeyWrappingTransformationPropertyDefinition();
      String defaultCipher = null;
      DefaultBehaviorProvider p = prop.getDefaultBehaviorProvider();
      if (p instanceof DefinedDefaultBehaviorProvider)
      {
        Collection<?> defaultValues =
          ((DefinedDefaultBehaviorProvider)p).getDefaultValues();
        if (!defaultValues.isEmpty())
        {
          defaultCipher = defaultValues.iterator().next().toString();
        }
      }
      if (defaultCipher != null)
      {
        // Check that the default cipher is supported by the JVM.
        try
        {
          Cipher.getInstance(defaultCipher);
        }
        catch (GeneralSecurityException ex)
        {
          // The cipher is not supported: try to find an alternative one.
          String alternativeCipher = getAlternativeCipher();
          if (alternativeCipher != null)
          {
            try
            {
              DN cipherDN = DN.decode(DN_CRYPTO_MANAGER);
              ConfigEntry configEntry = configHandler.getConfigEntry(cipherDN);

              // Set the alternative cipher
              StringConfigAttribute keyWrappingTransformation =
                new StringConfigAttribute(
                    ATTR_CRYPTO_CIPHER_KEY_WRAPPING_TRANSFORMATION,
                    Message.EMPTY, false, false, true, alternativeCipher);
              configEntry.putConfigAttribute(keyWrappingTransformation);
            }
            catch (Exception e)
            {
              Message message = ERR_CONFIGDS_CANNOT_UPDATE_CRYPTO_MANAGER.get(
                  String.valueOf(e));
              System.err.println(wrapText(message, MAX_LINE_WIDTH));
              return 1;
            }
          }
        }
      }

      // Write the updated configuration.
      try
      {
@@ -1013,5 +1079,33 @@
    // If we've gotten here, then everything was successful.
    return 0;
  }

  /**
   * Returns a cipher that is supported by the JVM we are running at.
   * Returns <CODE>null</CODE> if no alternative cipher could be found.
   * @return a cipher that is supported by the JVM we are running at.
   */
  private static String getAlternativeCipher()
  {
    final String[] preferredAlternativeCiphers =
    {
        "RSA/ECB/OAEPWITHSHA1ANDMGF1PADDING",
        "RSA/ECB/PKCS1Padding"
    };
    String alternativeCipher = null;
    for (String cipher : preferredAlternativeCiphers)
    {
      try
      {
        Cipher.getInstance(cipher);
        alternativeCipher = cipher;
        break;
      }
      catch (Throwable t)
      {
      }
    }
    return alternativeCipher;
  }
}


 opends/src/server/org/opends/server/util/CertificateManager.java

@@ -40,6 +40,7 @@
import java.util.ArrayList;
import java.util.Enumeration;

import org.opends.server.types.OperatingSystem;


/**
@@ -443,13 +444,12 @@
    // invoking the KeyTool command.
    keyStore = null;


    // First, we need to run with the "-genkey" command to create the private
    // key.
    String[] commandElements =
    {
      KEYTOOL_COMMAND,
      "-genkey",
      getGenKeyCommand(),
      "-alias", alias,
      "-dname", subjectDN,
      "-keyalg", "rsa",
@@ -541,7 +541,7 @@
    String[] commandElements =
    {
      KEYTOOL_COMMAND,
      "-genkey",
      getGenKeyCommand(),
      "-alias", alias,
      "-dname", subjectDN,
      "-keyalg", "rsa",
@@ -553,6 +553,7 @@
    // Next, we need to run with the "-certreq" command to generate the
    // certificate signing request.
    File csrFile = File.createTempFile("CertificateManager-", ".csr");
    csrFile.deleteOnExit();
    commandElements = new String[]
    {
      KEYTOOL_COMMAND,
@@ -743,11 +744,11 @@
      KEY_STORE_TYPE_PKCS11.equals(keyStoreType);

    boolean isNewKeyStorePassword = !keyStoreDefined &&
      ("-genkey".equalsIgnoreCase(commandElements[1]) ||
      (getGenKeyCommand().equalsIgnoreCase(commandElements[1]) ||
      "-import".equalsIgnoreCase(commandElements[1]));

    boolean isNewStorePassword =
      "-genkey".equalsIgnoreCase(commandElements[1]);
      getGenKeyCommand().equalsIgnoreCase(commandElements[1]);

    boolean askForStorePassword =
      !"-import".equalsIgnoreCase(commandElements[1]);
@@ -762,15 +763,34 @@
      Process process = processBuilder.start();
      InputStream inputStream = process.getInputStream();
      OutputStream out = process.getOutputStream();
      if (!isJDK15() &&
          (SetupUtils.getOperatingSystem() == OperatingSystem.AIX))
      {
        // This is required when using JDK 1.6 on AIX to be able to write
        // on the OutputStream.
        try
        {
          Thread.sleep(1500);
        } catch (Throwable t) {}
      }
      out.write(keyStorePassword.getBytes()) ;
      out.write(lineSeparator.getBytes()) ;
      out.flush() ;
      // With Java6 and above, keytool asks for the password twice.
      if (!isJDK15() && isNewKeyStorePassword)
      {
         out.write(keyStorePassword.getBytes()) ;
         out.write(lineSeparator.getBytes()) ;
         out.flush() ;
        if (SetupUtils.getOperatingSystem() == OperatingSystem.AIX)
        {
          // This is required when using JDK 1.6 on AIX to be able to write
          // on the OutputStream.
          try
          {
            Thread.sleep(1500);
          } catch (Throwable t) {}
        }
        out.write(keyStorePassword.getBytes()) ;
        out.write(lineSeparator.getBytes()) ;
        out.flush() ;
      }

      if (askForStorePassword)
@@ -779,8 +799,10 @@
        out.write(lineSeparator.getBytes()) ;
        out.flush() ;

        // With Java6 and above, keytool asks for the password twice!
        if (!isJDK15() && isNewStorePassword)
        // With Java6 and above, keytool asks for the password twice (if we
        // are not running AIX).
        if (!isJDK15() && isNewStorePassword &&
            (SetupUtils.getOperatingSystem() != OperatingSystem.AIX))
        {
          out.write(storePassword.getBytes()) ;
          out.write(lineSeparator.getBytes()) ;
@@ -934,6 +956,20 @@
    }
    return isJDK15;
  }

  private String getGenKeyCommand()
  {
    String genKeyCommand;
    if (!isJDK15())
    {
      genKeyCommand = "-genkeypair";
    }
    else
    {
      genKeyCommand = "-genkey";
    }
    return genKeyCommand;
  }
}



 opends/src/server/org/opends/server/util/SetupUtils.java

@@ -260,7 +260,7 @@
   * Commodity method to help identifying the OS we are running on.
   * @return the OperatingSystem we are running on.
   */
  private static OperatingSystem getOperatingSystem()
  public static OperatingSystem getOperatingSystem()
  {
    return OperatingSystem.forName(System.getProperty("os.name"));
  }

			@@ -2343,4 +2343,6 @@
			INFO_INSTALLDS_CONFIRM_INSTALL_1604=Setup the server with the parameters above
			INFO_INSTALLDS_PROVIDE_DATA_AGAIN_1605=Provide the setup parameters again
			INFO_INSTALLDS_CANCEL_1606=Cancel the setup
			SEVERE_ERR_CONFIGDS_CANNOT_UPDATE_CRYPTO_MANAGER_1607=An error occurred while \
			attempting to update the crypto manager in the Directory Server: %s

			@@ -2915,6 +2915,12 @@
			public static final String ATTR_CRYPTO_CIPHER_TRANSFORMATION_NAME =
			"ds-cfg-cipher-transformation-name";

			/**
			* The name of the attribute that is used to hold the key wrapping
			* transformation used by the Crypto Manager.
			*/
			public static final String ATTR_CRYPTO_CIPHER_KEY_WRAPPING_TRANSFORMATION =
			"ds-cfg-key-wrapping-transformation";

			/**
			* The name of the attribute that is used to hold the name of a

			@@ -29,11 +29,19 @@



			import java.security.GeneralSecurityException;
			import java.util.Collection;
			import java.util.HashSet;
			import java.util.LinkedList;
			import java.util.Set;
			import java.io.File;

			import javax.crypto.Cipher;

			import org.opends.server.admin.DefaultBehaviorProvider;
			import org.opends.server.admin.DefinedDefaultBehaviorProvider;
			import org.opends.server.admin.StringPropertyDefinition;
			import org.opends.server.admin.std.meta.CryptoManagerCfgDefn;
			import org.opends.server.api.ConfigHandler;
			import org.opends.server.config.BooleanConfigAttribute;
			import org.opends.server.config.ConfigEntry;
			@@ -127,6 +135,11 @@
			private static final String DN_ROOT_USER =
			"cn=Directory Manager," + DN_ROOT_DN_CONFIG_BASE;

			/**
			* The DN of the Crypto Manager.
			*/
			private static final String DN_CRYPTO_MANAGER = "cn=Crypto Manager,cn=config";



			/**
			@@ -988,6 +1001,59 @@
			}


			// Check that the cipher specified is supported. This is intended to
			// fix issues with JVM that do not support the default cipher (see
			// issue 3075 for instance).
			CryptoManagerCfgDefn cryptoManager = CryptoManagerCfgDefn.getInstance();
			StringPropertyDefinition prop =
			cryptoManager.getKeyWrappingTransformationPropertyDefinition();
			String defaultCipher = null;
			DefaultBehaviorProvider p = prop.getDefaultBehaviorProvider();
			if (p instanceof DefinedDefaultBehaviorProvider)
			{
			Collection<?> defaultValues =
			((DefinedDefaultBehaviorProvider)p).getDefaultValues();
			if (!defaultValues.isEmpty())
			{
			defaultCipher = defaultValues.iterator().next().toString();
			}
			}
			if (defaultCipher != null)
			{
			// Check that the default cipher is supported by the JVM.
			try
			{
			Cipher.getInstance(defaultCipher);
			}
			catch (GeneralSecurityException ex)
			{
			// The cipher is not supported: try to find an alternative one.
			String alternativeCipher = getAlternativeCipher();
			if (alternativeCipher != null)
			{
			try
			{
			DN cipherDN = DN.decode(DN_CRYPTO_MANAGER);
			ConfigEntry configEntry = configHandler.getConfigEntry(cipherDN);

			// Set the alternative cipher
			StringConfigAttribute keyWrappingTransformation =
			new StringConfigAttribute(
			ATTR_CRYPTO_CIPHER_KEY_WRAPPING_TRANSFORMATION,
			Message.EMPTY, false, false, true, alternativeCipher);
			configEntry.putConfigAttribute(keyWrappingTransformation);
			}
			catch (Exception e)
			{
			Message message = ERR_CONFIGDS_CANNOT_UPDATE_CRYPTO_MANAGER.get(
			String.valueOf(e));
			System.err.println(wrapText(message, MAX_LINE_WIDTH));
			return 1;
			}
			}
			}
			}

			// Write the updated configuration.
			try
			{
			@@ -1013,5 +1079,33 @@
			// If we've gotten here, then everything was successful.
			return 0;
			}

			/**
			* Returns a cipher that is supported by the JVM we are running at.
			* Returns <CODE>null</CODE> if no alternative cipher could be found.
			* @return a cipher that is supported by the JVM we are running at.
			*/
			private static String getAlternativeCipher()
			{
			final String[] preferredAlternativeCiphers =
			{
			"RSA/ECB/OAEPWITHSHA1ANDMGF1PADDING",
			"RSA/ECB/PKCS1Padding"
			};
			String alternativeCipher = null;
			for (String cipher : preferredAlternativeCiphers)
			{
			try
			{
			Cipher.getInstance(cipher);
			alternativeCipher = cipher;
			break;
			}
			catch (Throwable t)
			{
			}
			}
			return alternativeCipher;
			}
			}

			@@ -40,6 +40,7 @@
			import java.util.ArrayList;
			import java.util.Enumeration;

			import org.opends.server.types.OperatingSystem;


			/**
			@@ -443,13 +444,12 @@
			// invoking the KeyTool command.
			keyStore = null;


			// First, we need to run with the "-genkey" command to create the private
			// key.
			String[] commandElements =
			{
			KEYTOOL_COMMAND,
			"-genkey",
			getGenKeyCommand(),
			"-alias", alias,
			"-dname", subjectDN,
			"-keyalg", "rsa",
			@@ -541,7 +541,7 @@
			String[] commandElements =
			{
			KEYTOOL_COMMAND,
			"-genkey",
			getGenKeyCommand(),
			"-alias", alias,
			"-dname", subjectDN,
			"-keyalg", "rsa",
			@@ -553,6 +553,7 @@
			// Next, we need to run with the "-certreq" command to generate the
			// certificate signing request.
			File csrFile = File.createTempFile("CertificateManager-", ".csr");
			csrFile.deleteOnExit();
			commandElements = new String[]
			{
			KEYTOOL_COMMAND,
			@@ -743,11 +744,11 @@
			KEY_STORE_TYPE_PKCS11.equals(keyStoreType);

			boolean isNewKeyStorePassword = !keyStoreDefined &&
			("-genkey".equalsIgnoreCase(commandElements[1]) \|\|
			(getGenKeyCommand().equalsIgnoreCase(commandElements[1]) \|\|
			"-import".equalsIgnoreCase(commandElements[1]));

			boolean isNewStorePassword =
			"-genkey".equalsIgnoreCase(commandElements[1]);
			getGenKeyCommand().equalsIgnoreCase(commandElements[1]);

			boolean askForStorePassword =
			!"-import".equalsIgnoreCase(commandElements[1]);
			@@ -762,15 +763,34 @@
			Process process = processBuilder.start();
			InputStream inputStream = process.getInputStream();
			OutputStream out = process.getOutputStream();
			if (!isJDK15() &&
			(SetupUtils.getOperatingSystem() == OperatingSystem.AIX))
			{
			// This is required when using JDK 1.6 on AIX to be able to write
			// on the OutputStream.
			try
			{
			Thread.sleep(1500);
			} catch (Throwable t) {}
			}
			out.write(keyStorePassword.getBytes()) ;
			out.write(lineSeparator.getBytes()) ;
			out.flush() ;
			// With Java6 and above, keytool asks for the password twice.
			if (!isJDK15() && isNewKeyStorePassword)
			{
			out.write(keyStorePassword.getBytes()) ;
			out.write(lineSeparator.getBytes()) ;
			out.flush() ;
			if (SetupUtils.getOperatingSystem() == OperatingSystem.AIX)
			{
			// This is required when using JDK 1.6 on AIX to be able to write
			// on the OutputStream.
			try
			{
			Thread.sleep(1500);
			} catch (Throwable t) {}
			}
			out.write(keyStorePassword.getBytes()) ;
			out.write(lineSeparator.getBytes()) ;
			out.flush() ;
			}

			if (askForStorePassword)
			@@ -779,8 +799,10 @@
			out.write(lineSeparator.getBytes()) ;
			out.flush() ;

			// With Java6 and above, keytool asks for the password twice!
			if (!isJDK15() && isNewStorePassword)
			// With Java6 and above, keytool asks for the password twice (if we
			// are not running AIX).
			if (!isJDK15() && isNewStorePassword &&
			(SetupUtils.getOperatingSystem() != OperatingSystem.AIX))
			{
			out.write(storePassword.getBytes()) ;
			out.write(lineSeparator.getBytes()) ;
			@@ -934,6 +956,20 @@
			}
			return isJDK15;
			}

			private String getGenKeyCommand()
			{
			String genKeyCommand;
			if (!isJDK15())
			{
			genKeyCommand = "-genkeypair";
			}
			else
			{
			genKeyCommand = "-genkey";
			}
			return genKeyCommand;
			}
			}

			@@ -260,7 +260,7 @@
			* Commodity method to help identifying the OS we are running on.
			* @return the OperatingSystem we are running on.
			*/
			private static OperatingSystem getOperatingSystem()
			public static OperatingSystem getOperatingSystem()
			{
			return OperatingSystem.forName(System.getProperty("os.name"));
			}