From 4ed62ed003d9e18bc4ff04024f8e294a47395256 Mon Sep 17 00:00:00 2001
From: Yuriy Movchan <Yuriy.Movchan@gmail.com>
Date: Mon, 01 Aug 2022 12:20:50 +0000
Subject: [PATCH] Add BCFKS FIPS key store type support (#247)

---
 opendj-server-legacy/src/main/java/org/opends/quicksetup/installer/Installer.java |   58 ++++++++++++++++++++++++++++++++++++++++++++++++----------
 1 files changed, 48 insertions(+), 10 deletions(-)

diff --git a/opendj-server-legacy/src/main/java/org/opends/quicksetup/installer/Installer.java b/opendj-server-legacy/src/main/java/org/opends/quicksetup/installer/Installer.java
index 83935d6..b776bd6 100644
--- a/opendj-server-legacy/src/main/java/org/opends/quicksetup/installer/Installer.java
+++ b/opendj-server-legacy/src/main/java/org/opends/quicksetup/installer/Installer.java
@@ -1370,9 +1370,16 @@
         configureKeyAndTrustStore(CertificateManager.KEY_STORE_PATH_PKCS11, CertificateManager.KEY_STORE_TYPE_PKCS11,
             CertificateManager.KEY_STORE_TYPE_JKS, sec);
         configureAdminKeyAndTrustStore(CertificateManager.KEY_STORE_PATH_PKCS11, CertificateManager.KEY_STORE_TYPE_PKCS11,
-                CertificateManager.KEY_STORE_TYPE_JKS, sec);
+                CertificateManager.KEY_STORE_TYPE_JKS, sec, true);
         break;
 
+      case BCFKS:
+          configureKeyAndTrustStore(sec.getKeystorePath(), CertificateManager.KEY_STORE_TYPE_BCFKS,
+                  CertificateManager.KEY_STORE_TYPE_JKS, sec);
+          configureAdminKeyAndTrustStore(sec.getKeystorePath(), CertificateManager.KEY_STORE_TYPE_BCFKS,
+                  CertificateManager.KEY_STORE_TYPE_BCFKS, sec, true);
+          break;
+
       default:
         throw new IllegalStateException("Unknown certificate type: " + certType);
       }
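Review bot: The new `case BCFKS:` hands `CertificateManager.KEY_STORE_TYPE_JKS` to `configureKeyAndTrustStore` as the trust store type but `CertificateManager.KEY_STORE_TYPE_BCFKS` to `configureAdminKeyAndTrustStore`, so for one FIPS key store the server trust store and the admin trust store are written in different formats, and nothing on the page explains the asymmetry. If it is intended, a comment on the first call should say so, e.g. `// server trust store stays JKS; only the admin trust store is exported as BCFKS`; if not, both calls should use the same constant. Both call sites in this patch pass the new `exportKeys` argument as `true`, so the `false` path is not exercised by this change. The enclosing switch and method start before the hunk.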
@@ -1403,24 +1410,35 @@
   }
 
   private void configureAdminKeyAndTrustStore(final String keyStorePath, final String keyStoreType,
-      final String trustStoreType, final SecurityOptions sec) throws Exception
+      final String trustStoreType, final SecurityOptions sec, boolean exportKeys) throws Exception
   {
     final String keystorePassword = sec.getKeystorePassword();
-    final String trustStorePath = getPath2("admin-truststore");
 
-    CertificateManager certManager = new CertificateManager(keyStorePath, keyStoreType, keystorePassword);
-    for (String keyStoreAlias : sec.getAliasesToUse())
-    {
-      SetupUtils.exportCertificate(certManager, keyStoreAlias, getTemporaryCertificatePath());
-      configureAdminTrustStore(trustStorePath, trustStoreType, keyStoreAlias, keystorePassword);
+    if (exportKeys) {
+    	final String exportTrustStorePath = getExportTrustManagerPath(trustStoreType);
+	    CertificateManager certManager = new CertificateManager(keyStorePath, keyStoreType, keystorePassword);
+	    for (String keyStoreAlias : sec.getAliasesToUse())
+	    {
+	      SetupUtils.exportCertificate(certManager, keyStoreAlias, getTemporaryCertificatePath());
+	      configureAdminTrustStore(exportTrustStorePath, trustStoreType, keyStoreAlias, keystorePassword);
+	    }
     }
 
     // Set default trustManager to allow check server startup status
+    final String trustStorePath = getPath2("truststore");
     if (com.forgerock.opendj.util.StaticUtils.isFips()) {
+    	String usedTrustStorePath = trustStorePath;
+    	String usedTrustStoreType = "JKS";
+/*
+        if (keyStoreType.equals(CertificateManager.KEY_STORE_TYPE_BCFKS)) {
+        	usedTrustStorePath = getTrustManagerPath(keyStoreType);
+        	usedTrustStoreType = keyStoreType;
+        }
+*/
         KeyStore truststore = null;
-        try (final FileInputStream fis = new FileInputStream(trustStorePath))
+        try (final FileInputStream fis = new FileInputStream(usedTrustStorePath))
         {
-          truststore = KeyStore.getInstance(trustStoreType);
+          truststore = KeyStore.getInstance(usedTrustStoreType);
           truststore.load(fis, keystorePassword.toCharArray());
         }
         catch (KeyStoreException | NoSuchAlgorithmException | CertificateException | IOException e)
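Review bot: In the FIPS branch the trust store type is now the bare literal `"JKS"` while the block that would select the BCFKS trust store is left commented out, so a BCFKS key store still triggers loading of the JKS `truststore` for the startup check; if that is deliberate, use the existing constant, `String usedTrustStoreType = CertificateManager.KEY_STORE_TYPE_JKS;`, and replace the commented-out block with a one-line comment stating why BCFKS is not selected here, otherwise delete it rather than shipping dead code (it also references `getTrustManagerPath`, which this patch does not define). The trust store path this branch loads also changed from `admin-truststore` to `truststore`, which the commit title does not mention; confirm this is intended. The new lines mix tab and space indentation while the rest of the method uses two spaces. The method continues past the end of the hunk.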
@@ -1496,6 +1514,10 @@
       addCertificateArguments(argList, null, aliasInKeyStore, "cn=PKCS11,cn=Key Manager Providers,cn=config",
           "cn=JKS,cn=Trust Manager Providers,cn=config");
       break;
+    case BCFKS:
+        addCertificateArguments(argList, sec, aliasInKeyStore, "cn=BCFKS,cn=Key Manager Providers,cn=config",
+            "cn=BCFKS,cn=Trust Manager Providers,cn=config");
+        break;
     case NO_CERTIFICATE:
       // Nothing to do.
       break;
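Review bot: The body of the new `case BCFKS:` is indented two columns deeper than the neighbouring `PKCS11` and `NO_CERTIFICATE` cases; align `addCertificateArguments(argList, sec, aliasInKeyStore, "cn=BCFKS,cn=Key Manager Providers,cn=config",` and its `break;` with the lines above. Passing `sec` here where the PKCS11 case passes `null` looks intentional for a file-based store but deserves a short comment, since the difference is easy to misread as a copy error. The enclosing switch starts before the hunk.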
@@ -4045,6 +4067,22 @@
   }
 
   /**
+   * Returns the trustmanager path to be used for exported
+   * certificate.
+   *
+   * @return the trustmanager path to be used for exporting
+   *         certificate.
+   */
+  private String getExportTrustManagerPath(String type)
+  {
+	  if (type.equals(CertificateManager.KEY_STORE_TYPE_BCFKS)) {
+		  return getPath2("truststore.bcfks");
+	  }
+
+	  return getPath2("admin-truststore");
+  }
+
+  /**
    * Returns the path of the self-signed that we export to be able to create a
    * truststore.
    *
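Review bot: The Javadoc for the new `getExportTrustManagerPath` has no `@param type` tag and its `@return` repeats the summary; add `@param type the key store type the certificates are exported from` and state in `@return` that the path is `truststore.bcfks` for BCFKS and `admin-truststore` otherwise. The comparison `type.equals(CertificateManager.KEY_STORE_TYPE_BCFKS)` throws if `type` is null; `CertificateManager.KEY_STORE_TYPE_BCFKS.equals(type)` is the null-safe form. The method body is indented with tabs while the surrounding file uses two spaces.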

--
Gitblit v1.10.0