From e6b68159bff34d85aca3c5349b5eb4559ddb0d67 Mon Sep 17 00:00:00 2001
From: Matthew Swift <matthew.swift@forgerock.com>
Date: Mon, 26 Sep 2016 20:12:52 +0000
Subject: [PATCH] Minor cleanup: factor out method for parsing key store PIN configuration
---
opendj-server-legacy/src/main/java/org/opends/server/extensions/PKCS11KeyManagerProvider.java | 427 +++++++++++------------------------------------------
1 files changed, 91 insertions(+), 336 deletions(-)
diff --git a/opendj-server-legacy/src/main/java/org/opends/server/extensions/PKCS11KeyManagerProvider.java b/opendj-server-legacy/src/main/java/org/opends/server/extensions/PKCS11KeyManagerProvider.java
index 771fd7d..bf07ed8 100644
--- a/opendj-server-legacy/src/main/java/org/opends/server/extensions/PKCS11KeyManagerProvider.java
+++ b/opendj-server-legacy/src/main/java/org/opends/server/extensions/PKCS11KeyManagerProvider.java
@@ -19,10 +19,6 @@
import static org.opends.messages.ExtensionMessages.*;
import static org.opends.server.util.StaticUtils.*;
-import java.io.BufferedReader;
-import java.io.File;
-import java.io.FileReader;
-import java.io.IOException;
import java.security.KeyStore;
import java.util.List;
@@ -34,377 +30,136 @@
import org.forgerock.opendj.config.server.ConfigChangeResult;
import org.forgerock.opendj.config.server.ConfigException;
import org.forgerock.opendj.config.server.ConfigurationChangeListener;
-import org.forgerock.opendj.ldap.DN;
-import org.forgerock.opendj.ldap.ResultCode;
import org.forgerock.opendj.server.config.server.PKCS11KeyManagerProviderCfg;
import org.opends.server.api.KeyManagerProvider;
import org.opends.server.core.DirectoryServer;
import org.opends.server.types.DirectoryException;
import org.opends.server.types.InitializationException;
-import org.opends.server.util.StaticUtils;
/**
* This class defines a key manager provider that will access keys stored on a
* PKCS#11 device. It will use the Java PKCS#11 interface, which may need to be
* configured on the underlying system.
*/
-public class PKCS11KeyManagerProvider
- extends KeyManagerProvider<PKCS11KeyManagerProviderCfg>
- implements ConfigurationChangeListener<PKCS11KeyManagerProviderCfg>
+public class PKCS11KeyManagerProvider extends KeyManagerProvider<PKCS11KeyManagerProviderCfg> implements
+ ConfigurationChangeListener<PKCS11KeyManagerProviderCfg>
{
- private static final LocalizedLogger logger = LocalizedLogger.getLoggerForThisClass();
+ private static final LocalizedLogger logger = LocalizedLogger.getLoggerForThisClass();
+ /** The keystore type to use when accessing the PKCS#11 keystore. */
+ private static final String PKCS11_KEYSTORE_TYPE = "PKCS11";
+ /** The PIN needed to access the keystore. */
+ private char[] keyStorePIN;
+ /** The current configuration for this key manager provider. */
+ private PKCS11KeyManagerProviderCfg currentConfig;
- /** The keystore type to use when accessing the PKCS#11 keystore. */
- public static final String PKCS11_KEYSTORE_TYPE = "PKCS11";
-
- /** The DN of the configuration entry for this key manager provider. */
- private DN configEntryDN;
-
- /** The PIN needed to access the keystore. */
- private char[] keyStorePIN;
-
- /** The current configuration for this key manager provider. */
- private PKCS11KeyManagerProviderCfg currentConfig;
-
- /**
- * Creates a new instance of this PKCS#11 key manager provider. The
- * <CODE>initializeKeyManagerProvider</CODE> method must be called on the
- * resulting object before it may be used.
- */
- public PKCS11KeyManagerProvider()
- {
- // No implementation is required.
- }
-
- @Override
- public void initializeKeyManagerProvider(
- PKCS11KeyManagerProviderCfg configuration)
- throws ConfigException, InitializationException
- {
- // Store the DN of the configuration entry and register to be notified of
- // configuration changes.
- currentConfig = configuration;
- configEntryDN = configuration.dn();
- configuration.addPKCS11ChangeListener(this);
-
- // Get the PIN needed to access the contents of the PKCS#11
- // keystore. We will offer several places to look for the PIN, and
- // we will do so in the following order:
- //
- // - In a specified Java property
- // - In a specified environment variable
- // - In a specified file on the server filesystem.
- // - As the value of a configuration attribute.
- //
- // In any case, the PIN must be in the clear.
- keyStorePIN = null;
-
- if (configuration.getKeyStorePinProperty() != null) {
- String propertyName = configuration.getKeyStorePinProperty();
- String pinStr = System.getProperty(propertyName);
-
- if (pinStr == null) {
- LocalizableMessage message = ERR_PKCS11_KEYMANAGER_PIN_PROPERTY_NOT_SET.get(
- propertyName, configEntryDN);
- throw new InitializationException(message);
- }
-
- keyStorePIN = pinStr.toCharArray();
- } else if (configuration.getKeyStorePinEnvironmentVariable() != null) {
- String enVarName = configuration
- .getKeyStorePinEnvironmentVariable();
- String pinStr = System.getenv(enVarName);
-
- if (pinStr == null) {
- LocalizableMessage message = ERR_PKCS11_KEYMANAGER_PIN_ENVAR_NOT_SET.get(
- enVarName, configEntryDN);
- throw new InitializationException(message);
- }
-
- keyStorePIN = pinStr.toCharArray();
- } else if (configuration.getKeyStorePinFile() != null) {
- String fileName = configuration.getKeyStorePinFile();
- File pinFile = getFileForPath(fileName);
-
- if (!pinFile.exists()) {
- LocalizableMessage message = ERR_PKCS11_KEYMANAGER_PIN_NO_SUCH_FILE.get(fileName, configEntryDN);
- throw new InitializationException(message);
- }
-
- String pinStr;
- try {
- BufferedReader br = new BufferedReader(
- new FileReader(pinFile));
- pinStr = br.readLine();
- br.close();
- } catch (IOException ioe) {
- logger.traceException(ioe);
-
- LocalizableMessage message = ERR_PKCS11_KEYMANAGER_PIN_FILE_CANNOT_READ.
- get(fileName, configEntryDN, getExceptionMessage(ioe));
- throw new InitializationException(message, ioe);
- }
-
- if (pinStr == null) {
- LocalizableMessage message = ERR_PKCS11_KEYMANAGER_PIN_FILE_EMPTY.get(fileName, configEntryDN);
- throw new InitializationException(message);
- }
-
- keyStorePIN = pinStr.toCharArray();
- } else if (configuration.getKeyStorePin() != null) {
- keyStorePIN = configuration.getKeyStorePin().toCharArray();
- }
- }
-
- @Override
- public void finalizeKeyManagerProvider()
- {
- currentConfig.removePKCS11ChangeListener(this);
- }
-
- @Override
- public KeyManager[] getKeyManagers()
- throws DirectoryException
- {
- KeyStore keyStore;
- try
- {
- keyStore = KeyStore.getInstance(PKCS11_KEYSTORE_TYPE);
- keyStore.load(null, keyStorePIN);
- }
- catch (Exception e)
- {
- logger.traceException(e);
-
- LocalizableMessage message =
- ERR_PKCS11_KEYMANAGER_CANNOT_LOAD.get(getExceptionMessage(e));
- throw new DirectoryException(DirectoryServer.getServerErrorResultCode(),
- message, e);
+ /**
+ * Creates a new instance of this PKCS#11 key manager provider. The
+ * <CODE>initializeKeyManagerProvider</CODE> method must be called on the
+ * resulting object before it may be used.
+ */
+ public PKCS11KeyManagerProvider() {
+ // No implementation is required.
}
- try
+ @Override
+ public void initializeKeyManagerProvider(PKCS11KeyManagerProviderCfg configuration)
+ throws ConfigException, InitializationException
{
- String keyManagerAlgorithm = KeyManagerFactory.getDefaultAlgorithm();
- KeyManagerFactory keyManagerFactory =
- KeyManagerFactory.getInstance(keyManagerAlgorithm);
- keyManagerFactory.init(keyStore, keyStorePIN);
- return keyManagerFactory.getKeyManagers();
+ currentConfig = configuration;
+ keyStorePIN = getKeyStorePIN(configuration);
+ configuration.addPKCS11ChangeListener(this);
}
- catch (Exception e)
- {
- logger.traceException(e);
- LocalizableMessage message = ERR_PKCS11_KEYMANAGER_CANNOT_CREATE_FACTORY.get(
- getExceptionMessage(e));
- throw new DirectoryException(DirectoryServer.getServerErrorResultCode(),
- message, e);
+ private char[] getKeyStorePIN(PKCS11KeyManagerProviderCfg cfg) throws InitializationException
+ {
+ return FileBasedKeyManagerProvider.getKeyStorePIN(cfg.getKeyStorePinProperty(),
+ cfg.getKeyStorePinEnvironmentVariable(),
+ cfg.getKeyStorePinFile(),
+ cfg.getKeyStorePin(),
+ cfg.dn(),
+ ERR_PKCS11_KEYMANAGER_PIN_PROPERTY_NOT_SET,
+ ERR_PKCS11_KEYMANAGER_PIN_ENVAR_NOT_SET,
+ ERR_PKCS11_KEYMANAGER_PIN_NO_SUCH_FILE,
+ ERR_PKCS11_KEYMANAGER_PIN_FILE_CANNOT_READ,
+ ERR_PKCS11_KEYMANAGER_PIN_FILE_EMPTY);
}
- }
- @Override
- public boolean isConfigurationAcceptable(
- PKCS11KeyManagerProviderCfg configuration,
- List<LocalizableMessage> unacceptableReasons)
- {
- return isConfigurationChangeAcceptable(configuration, unacceptableReasons);
- }
-
- @Override
- public boolean isConfigurationChangeAcceptable(
- PKCS11KeyManagerProviderCfg configuration,
- List<LocalizableMessage> unacceptableReasons)
- {
- boolean configAcceptable = true;
- DN cfgEntryDN = configuration.dn();
-
-
- // Get the PIN needed to access the contents of the keystore file.
- //
- // We will offer several places to look for the PIN, and we will
- // do so in the following order:
- //
- // - In a specified Java property
- // - In a specified environment variable
- // - In a specified file on the server filesystem.
- // - As the value of a configuration attribute.
- //
- // In any case, the PIN must be in the clear.
- //
- // It is acceptable to have no PIN (OPENDJ-18)
- if (configuration.getKeyStorePinProperty() != null)
+ @Override
+ public void finalizeKeyManagerProvider()
{
- String propertyName = configuration.getKeyStorePinProperty();
- String pinStr = System.getProperty(propertyName);
-
- if (pinStr == null)
- {
- unacceptableReasons.add(ERR_PKCS11_KEYMANAGER_PIN_PROPERTY_NOT_SET.get(propertyName, cfgEntryDN));
- configAcceptable = false;
- }
+ currentConfig.removePKCS11ChangeListener(this);
}
- else if (configuration.getKeyStorePinEnvironmentVariable() != null)
- {
- String enVarName = configuration.getKeyStorePinEnvironmentVariable();
- String pinStr = System.getenv(enVarName);
- if (pinStr == null)
- {
- unacceptableReasons.add(ERR_PKCS11_KEYMANAGER_PIN_ENVAR_NOT_SET.get(enVarName, configEntryDN));
- configAcceptable = false;
- }
- }
- else if (configuration.getKeyStorePinFile() != null)
+ @Override
+ public KeyManager[] getKeyManagers() throws DirectoryException
{
- String fileName = configuration.getKeyStorePinFile();
- File pinFile = getFileForPath(fileName);
-
- if (!pinFile.exists())
- {
- unacceptableReasons.add(ERR_PKCS11_KEYMANAGER_PIN_NO_SUCH_FILE.get(fileName, configEntryDN));
- configAcceptable = false;
- }
- else
- {
- String pinStr = null;
- BufferedReader br = null;
- try {
- br = new BufferedReader(new FileReader(pinFile));
- pinStr = br.readLine();
- }
- catch (IOException ioe)
+ KeyStore keyStore;
+ try
{
- unacceptableReasons.add(
- ERR_PKCS11_KEYMANAGER_PIN_FILE_CANNOT_READ.get(
- fileName, cfgEntryDN, getExceptionMessage(ioe)));
- configAcceptable = false;
+ keyStore = KeyStore.getInstance(PKCS11_KEYSTORE_TYPE);
+ keyStore.load(null, keyStorePIN);
}
- finally
+ catch (Exception e)
{
- StaticUtils.close(br);
+ logger.traceException(e);
+
+ LocalizableMessage message = ERR_PKCS11_KEYMANAGER_CANNOT_LOAD.get(getExceptionMessage(e));
+ throw new DirectoryException(DirectoryServer.getServerErrorResultCode(), message, e);
}
- if (pinStr == null)
+ try
{
- unacceptableReasons.add(ERR_PKCS11_KEYMANAGER_PIN_FILE_EMPTY.get(fileName, configEntryDN));
- configAcceptable = false;
+ String keyManagerAlgorithm = KeyManagerFactory.getDefaultAlgorithm();
+ KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(keyManagerAlgorithm);
+ keyManagerFactory.init(keyStore, keyStorePIN);
+ return keyManagerFactory.getKeyManagers();
}
- }
- }
- else if (configuration.getKeyStorePin() != null)
- {
- String pinStr = configuration.getKeyStorePin();
- if (pinStr == null)
- {
- // We should have a pin from the configuration, but no.
- unacceptableReasons.add(
- ERR_PKCS11_KEYMANAGER_CANNOT_DETERMINE_PIN_FROM_ATTR.get(cfgEntryDN, null));
- configAcceptable = false;
- }
- }
-
- return configAcceptable;
- }
-
- @Override
- public ConfigChangeResult applyConfigurationChange(
- PKCS11KeyManagerProviderCfg configuration)
- {
- final ConfigChangeResult ccr = new ConfigChangeResult();
-
- // Get the PIN needed to access the contents of the keystore file.
- //
- // We will offer several places to look for the PIN, and we will
- // do so in the following order:
- //
- // - In a specified Java property
- // - In a specified environment variable
- // - In a specified file on the server filesystem.
- // - As the value of a configuration attribute.
- //
- // In any case, the PIN must be in the clear.
- char[] newPIN = null;
-
- if (configuration.getKeyStorePinProperty() != null)
- {
- String propertyName = configuration.getKeyStorePinProperty();
- String pinStr = System.getProperty(propertyName);
-
- if (pinStr == null)
- {
- ccr.setResultCode(DirectoryServer.getServerErrorResultCode());
- ccr.addMessage(ERR_PKCS11_KEYMANAGER_PIN_PROPERTY_NOT_SET.get(propertyName, configEntryDN));
- }
- else
- {
- newPIN = pinStr.toCharArray();
- }
- }
- else if (configuration.getKeyStorePinEnvironmentVariable() != null)
- {
- String enVarName = configuration.getKeyStorePinEnvironmentVariable();
- String pinStr = System.getenv(enVarName);
-
- if (pinStr == null)
- {
- ccr.setResultCode(DirectoryServer.getServerErrorResultCode());
- ccr.addMessage(ERR_PKCS11_KEYMANAGER_PIN_ENVAR_NOT_SET.get(enVarName, configEntryDN));
- }
- else
- {
- newPIN = pinStr.toCharArray();
- }
- }
- else if (configuration.getKeyStorePinFile() != null)
- {
- String fileName = configuration.getKeyStorePinFile();
- File pinFile = getFileForPath(fileName);
-
- if (!pinFile.exists())
- {
- ccr.setResultCode(DirectoryServer.getServerErrorResultCode());
- ccr.addMessage(ERR_PKCS11_KEYMANAGER_PIN_NO_SUCH_FILE.get(fileName, configEntryDN));
- }
- else
- {
- String pinStr = null;
- BufferedReader br = null;
- try {
- br = new BufferedReader(new FileReader(pinFile));
- pinStr = br.readLine();
- }
- catch (IOException ioe)
+ catch (Exception e)
{
- ccr.setResultCode(DirectoryServer.getServerErrorResultCode());
- ccr.addMessage(ERR_PKCS11_KEYMANAGER_PIN_FILE_CANNOT_READ.get(
- fileName, configEntryDN, getExceptionMessage(ioe)));
- }
- finally
- {
- StaticUtils.close(br);
- }
+ logger.traceException(e);
- if (pinStr == null)
- {
- ccr.setResultCode(DirectoryServer.getServerErrorResultCode());
- ccr.addMessage(ERR_PKCS11_KEYMANAGER_PIN_FILE_EMPTY.get(fileName, configEntryDN));
+ LocalizableMessage message = ERR_PKCS11_KEYMANAGER_CANNOT_CREATE_FACTORY.get(getExceptionMessage(e));
+ throw new DirectoryException(DirectoryServer.getServerErrorResultCode(), message, e);
}
- else
- {
- newPIN = pinStr.toCharArray();
- }
- }
}
- else if (configuration.getKeyStorePin() != null)
+
+ @Override
+ public boolean isConfigurationAcceptable(PKCS11KeyManagerProviderCfg configuration,
+ List<LocalizableMessage> unacceptableReasons)
{
- newPIN = configuration.getKeyStorePin().toCharArray();
+ return isConfigurationChangeAcceptable(configuration, unacceptableReasons);
}
- if (ccr.getResultCode() == ResultCode.SUCCESS)
+ @Override
+ public boolean isConfigurationChangeAcceptable(PKCS11KeyManagerProviderCfg configuration,
+ List<LocalizableMessage> unacceptableReasons)
{
- currentConfig = configuration;
- keyStorePIN = newPIN;
+ try
+ {
+ getKeyStorePIN(configuration);
+ return true;
+ }
+ catch (InitializationException e)
+ {
+ unacceptableReasons.add(e.getMessageObject());
+ return false;
+ }
}
- return ccr;
- }
+ @Override
+ public ConfigChangeResult applyConfigurationChange(PKCS11KeyManagerProviderCfg configuration)
+ {
+ final ConfigChangeResult ccr = new ConfigChangeResult();
+ try
+ {
+ keyStorePIN = getKeyStorePIN(configuration);
+ currentConfig = configuration;
+ }
+ catch (InitializationException e)
+ {
+ ccr.setResultCode(DirectoryServer.getServerErrorResultCode());
+ ccr.addMessage(e.getMessageObject());
+ }
+ return ccr;
+ }
}
--
Gitblit v1.10.0