From 4ed62ed003d9e18bc4ff04024f8e294a47395256 Mon Sep 17 00:00:00 2001
From: Yuriy Movchan <Yuriy.Movchan@gmail.com>
Date: Mon, 01 Aug 2022 12:20:50 +0000
Subject: [PATCH] Add BCFKS FIPS key store type support (#247)
---
opendj-server-legacy/src/main/java/org/opends/server/tools/ConfigureDS.java | 104 +++++++++++++++++++++++++++++++++++++++++----------
1 files changed, 83 insertions(+), 21 deletions(-)
diff --git a/opendj-server-legacy/src/main/java/org/opends/server/tools/ConfigureDS.java b/opendj-server-legacy/src/main/java/org/opends/server/tools/ConfigureDS.java
index b5da0ef..e09f413 100644
--- a/opendj-server-legacy/src/main/java/org/opends/server/tools/ConfigureDS.java
+++ b/opendj-server-legacy/src/main/java/org/opends/server/tools/ConfigureDS.java
@@ -188,6 +188,7 @@
+ "ds-cfg-trust-store-type: JCEKS" + NEW_LINE
+ "ds-cfg-trust-store-file: config/truststore" + NEW_LINE;
+ private static final String DN_ADMIN_TRUST_MANAGER = "cn=Administration,cn=Trust Manager Providers," + DN_CONFIG_ROOT;
private static final String DN_ADMIN_KEY_MANAGER = "cn=Administration,cn=Key Manager Providers," + DN_CONFIG_ROOT;
/** The DN of the configuration entry defining the LDAP connection handler. */
@@ -881,9 +882,6 @@
putKeyManagerConfigAttribute(enableStartTLS, DN_LDAP_CONNECTION_HANDLER);
putKeyManagerConfigAttribute(ldapsPort, DN_LDAPS_CONNECTION_HANDLER);
putKeyManagerConfigAttribute(ldapsPort, DN_HTTP_CONNECTION_HANDLER);
- if (StaticUtils.isFips()) {
- putAdminKeyManagerConfigAttribute(ldapsPort, DN_ADMIN_KEY_MANAGER);
- }
if (keyManagerPath.isPresent())
{
@@ -900,6 +898,10 @@
throw new ConfigureDSException(e, LocalizableMessage.raw(e.toString()));
}
}
+
+ if (StaticUtils.isFips()) {
+ putAdminKeyManagerConfigAttribute(keyManagerProviderDN, DN_ADMIN_KEY_MANAGER);
+ }
}
}
@@ -923,31 +925,52 @@
}
}
- private void putAdminKeyManagerConfigAttribute(final Argument arg, final String attributeDN)
+ private void putAdminKeyManagerConfigAttribute(final Argument keyManagerProviderDN, final String attributeDN)
throws ConfigureDSException
{
- if (arg.isPresent())
+ if (keyManagerProviderDN.isPresent())
{
try
{
- updateConfigEntryByRemovingAttribute(attributeDN, ATTR_KEYSTORE_TYPE);
- updateConfigEntryByRemovingAttribute(attributeDN, ATTR_KEYSTORE_FILE);
+ boolean isBcfks = keyManagerProviderDN.getValue().toLowerCase().startsWith("cn=bcfks");
+ if (isBcfks) {
+ updateConfigEntryWithAttribute(
+ attributeDN,
+ ATTR_KEYSTORE_TYPE,
+ CoreSchema.getDirectoryStringSyntax(),
+ "BCFKS");
- updateConfigEntryWithObjectClasses(
- attributeDN,
- "top", "ds-cfg-pkcs11-key-manager-provider", "ds-cfg-key-manager-provider");
+ updateConfigEntryWithAttribute(
+ attributeDN,
+ ATTR_KEYSTORE_FILE,
+ CoreSchema.getDirectoryStringSyntax(),
+ keyManagerPath.getValue());
- updateConfigEntryWithAttribute(
- attributeDN,
- ATTR_KEYMANAGER_CLASS,
- CoreSchema.getDirectoryStringSyntax(),
- "org.opends.server.extensions.PKCS11KeyManagerProvider");
-
- updateConfigEntryWithAttribute(
- attributeDN,
- ATTR_KEYSTORE_PIN_FILE,
- CoreSchema.getDirectoryStringSyntax(),
- "config/keystore.pin");
+ updateConfigEntryWithAttribute(
+ attributeDN,
+ ATTR_KEYSTORE_PIN_FILE,
+ CoreSchema.getDirectoryStringSyntax(),
+ "config/keystore.pin");
+ } else {
+ updateConfigEntryByRemovingAttribute(attributeDN, ATTR_KEYSTORE_TYPE);
+ updateConfigEntryByRemovingAttribute(attributeDN, ATTR_KEYSTORE_FILE);
+
+ updateConfigEntryWithObjectClasses(
+ attributeDN,
+ "top", "ds-cfg-pkcs11-key-manager-provider", "ds-cfg-key-manager-provider");
+
+ updateConfigEntryWithAttribute(
+ attributeDN,
+ ATTR_KEYMANAGER_CLASS,
+ CoreSchema.getDirectoryStringSyntax(),
+ "org.opends.server.extensions.PKCS11KeyManagerProvider");
+
+ updateConfigEntryWithAttribute(
+ attributeDN,
+ ATTR_KEYSTORE_PIN_FILE,
+ CoreSchema.getDirectoryStringSyntax(),
+ "config/keystore.pin");
+ }
}
catch (final Exception e)
{
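Review bot: The BCFKS branch writes `keyManagerPath.getValue()` into ATTR_KEYSTORE_FILE without checking that the argument is present, and the caller (earlier hunk) now invokes this method after the `keyManagerPath.isPresent()` block rather than inside it, so as far as I can tell an absent path would store a null or empty file value in the administration key manager entry; a guard such as `if (isBcfks && keyManagerPath.isPresent()) {` (or a ConfigureDSException when the path is missing) would close that. Selecting the store type by prefix-matching the provider DN string is also brittle and locale-sensitive: `toLowerCase()` should be `toLowerCase(Locale.ROOT)`, and a comment like `// Admin provider DN named "cn=BCFKS..." selects the BC FIPS key store; any other name falls back to PKCS11` should document the convention the code depends on. The parameter `keyManagerProviderDN` shadows the field of the same name that the new putAdminTrustManagerConfigAttribute reads, which is easy to misread. The method's catch clause continues outside the hunk.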
@@ -996,6 +1019,10 @@
removeSSLCertNicknameAttribute(DN_HTTP_CONNECTION_HANDLER);
removeSSLCertNicknameAttribute(DN_JMX_CONNECTION_HANDLER);
}
+
+ if (StaticUtils.isFips()) {
+ putAdminTrustManagerConfigAttribute(trustManagerProviderDN, DN_ADMIN_TRUST_MANAGER);
+ }
}
private void putTrustManagerAttribute(final Argument arg, final String attributeDN) throws ConfigureDSException
@@ -1017,6 +1044,41 @@
}
}
+ private void putAdminTrustManagerConfigAttribute(final Argument trustManagerProviderDN, final String attributeDN)
+ throws ConfigureDSException
+ {
+ if (keyManagerProviderDN.isPresent())
+ {
+ try
+ {
+ boolean isBcfks = keyManagerProviderDN.getValue().toLowerCase().startsWith("cn=bcfks");
+ if (isBcfks) {
+ updateConfigEntryWithAttribute(
+ attributeDN,
+ ATTR_TRUSTSTORE_TYPE,
+ CoreSchema.getDirectoryStringSyntax(),
+ "BCFKS");
+
+ updateConfigEntryWithAttribute(
+ attributeDN,
+ ATTR_TRUSTSTORE_FILE,
+ CoreSchema.getDirectoryStringSyntax(),
+ keyManagerPath.getValue());
+
+ updateConfigEntryWithAttribute(
+ attributeDN,
+ ATTR_TRUSTSTORE_PIN_FILE,
+ CoreSchema.getDirectoryStringSyntax(),
+ "config/keystore.pin");
+ }
+ }
+ catch (final Exception e)
+ {
+ throw new ConfigureDSException(e, ERR_CONFIGDS_CANNOT_UPDATE_TRUSTMANAGER_REFERENCE.get(e));
+ }
+ }
+ }
+
private void updateCertNicknameEntry(final Argument arg, final String attributeDN,
final String attrName, final List<String> attrValues) throws ConfigureDSException
{
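Review bot: putAdminTrustManagerConfigAttribute never reads its `trustManagerProviderDN` parameter: the presence check and the BCFKS test use the `keyManagerProviderDN` field, and ATTR_TRUSTSTORE_FILE is set from `keyManagerPath.getValue()`, so the administration trust store is pointed at the key store file and is configured based on the key manager's DN. Unless sharing one store is intended, these should read `if (trustManagerProviderDN.isPresent())`, `trustManagerProviderDN.getValue().toLowerCase(Locale.ROOT).startsWith("cn=bcfks")`, and the trust-store path argument in place of `keyManagerPath.getValue()` (that field is not visible in this hunk). If using the same BCFKS file for both roles is deliberate, a comment stating so would stop the next reader from "fixing" it; the same applies to the trust store reusing "config/keystore.pin". The `keyManagerPath` presence is not checked here either, mirroring the key manager method.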
--
Gitblit v1.10.0