From fa24aef24dc4b182e18fc43d4b06916f80b51363 Mon Sep 17 00:00:00 2001
From: coulbeck <coulbeck@localhost>
Date: Tue, 02 Oct 2007 01:04:43 +0000
Subject: [PATCH] More changes for issue 466. - Defines the schema for secret keys. - Keeps the crypto manager secret key cache up to date with secret keys published in ADS.

---
 opends/src/server/org/opends/server/core/TrustStoreSyncThread.java |  107 +++++++++++++++++++++++++++++++++++++++++++++--------
 1 files changed, 91 insertions(+), 16 deletions(-)

diff --git a/opends/src/server/org/opends/server/core/TrustStoreSyncThread.java b/opends/src/server/org/opends/server/core/TrustStoreSyncThread.java
index 2b72403..d096375 100644
--- a/opends/src/server/org/opends/server/core/TrustStoreSyncThread.java
+++ b/opends/src/server/org/opends/server/core/TrustStoreSyncThread.java
@@ -46,7 +46,9 @@
 import static org.opends.server.util.ServerConstants.
      OID_ENTRY_CHANGE_NOTIFICATION;
 import org.opends.server.config.ConfigConstants;
-import static org.opends.server.config.ConfigConstants.OC_INSTANCE_KEY;
+import static org.opends.server.config.ConfigConstants.OC_CRYPTO_INSTANCE_KEY;
+import static org.opends.server.config.ConfigConstants.OC_CRYPTO_CIPHER_KEY;
+import static org.opends.server.config.ConfigConstants.OC_CRYPTO_MAC_KEY;
 import org.opends.server.protocols.internal.InternalClientConnection;
 import org.opends.server.protocols.internal.InternalSearchOperation;
 import org.opends.server.protocols.internal.InternalSearchListener;
@@ -90,6 +92,9 @@
   // The DN of the instance keys container within the admin suffix.
   private DN instanceKeysDN;
 
+  // The DN of the secret keys container within the admin suffix.
+  private DN secretKeysDN;
+
   // The DN of the trust store root.
   private DN trustStoreRootDN;
 
@@ -102,8 +107,8 @@
   // The attribute type that holds the time a key was compromised.
   AttributeType attrCompromisedTime;
 
-  // A filter on the instance key object class.
-  private SearchFilter instanceKeyFilter;
+  // A filter on object class to select key entries.
+  private SearchFilter keySearchFilter;
 
   // Indicates whether the ADS suffix backend is initialized.
   private boolean adminBackendInitialized;
@@ -117,6 +122,15 @@
   // Indicates whether the initial search has been done.
   private boolean searchDone;
 
+  // The instance key objectclass.
+  private ObjectClass ocInstanceKey;
+
+  // The cipher key objectclass.
+  private ObjectClass ocCipherKey;
+
+  // The mac key objectclass.
+  private ObjectClass ocMacKey;
+
   /**
    * Creates a new instance of this trust store synchronization thread.
    */
@@ -140,22 +154,33 @@
     {
       adminSuffixDN = DN.decode(ADSContext.getAdministrationSuffixDN());
       instanceKeysDN = adminSuffixDN.concat(DN.decode("cn=instance keys"));
+      secretKeysDN = adminSuffixDN.concat(DN.decode("cn=secret keys"));
       trustStoreRootDN = DN.decode(ConfigConstants.DN_TRUST_STORE_ROOT);
-      instanceKeyFilter =
-           SearchFilter.createFilterFromString(
-                "(objectclass=" + ConfigConstants.OC_INSTANCE_KEY + ")");
+      keySearchFilter =
+           SearchFilter.createFilterFromString("(|" +
+                "(objectclass=" + OC_CRYPTO_INSTANCE_KEY + ")" +
+                "(objectclass=" + OC_CRYPTO_CIPHER_KEY + ")" +
+                "(objectclass=" + OC_CRYPTO_MAC_KEY + ")" +
+                ")");
     }
     catch (DirectoryException e)
     {
       //
     }
 
+    ocInstanceKey = DirectoryServer.getObjectClass(
+         OC_CRYPTO_INSTANCE_KEY, true);
+    ocCipherKey = DirectoryServer.getObjectClass(
+         OC_CRYPTO_CIPHER_KEY, true);
+    ocMacKey = DirectoryServer.getObjectClass(
+         OC_CRYPTO_MAC_KEY, true);
+
     attrCert = DirectoryServer.getAttributeType(
-         ConfigConstants.ATTR_ADS_CERTIFICATE, true);
+         ConfigConstants.ATTR_CRYPTO_PUBLIC_KEY_CERTIFICATE, true);
     attrAlias = DirectoryServer.getAttributeType(
-         ConfigConstants.ATTR_CERT_ALIAS, true);
+         ConfigConstants.ATTR_CRYPTO_KEY_ID, true);
     attrCompromisedTime = DirectoryServer.getAttributeType(
-         "ds-cfg-key-compromised-time", true);
+         ConfigConstants.ATTR_CRYPTO_KEY_COMPROMISED_TIME, true);
 
     if (DirectoryServer.getBackendWithBaseDN(adminSuffixDN) != null)
     {
@@ -226,7 +251,7 @@
                                      adminSuffixDN, SearchScope.WHOLE_SUBTREE,
                                      DereferencePolicy.NEVER_DEREF_ALIASES,
                                      0, 0,
-                                     false, instanceKeyFilter, attributes,
+                                     false, keySearchFilter, attributes,
                                      this);
 
     searchOperation.run();
@@ -403,6 +428,35 @@
                                         SearchResultEntry searchEntry)
        throws DirectoryException
   {
+    if (searchEntry.hasObjectClass(ocInstanceKey))
+    {
+      handleInstanceKeySearchEntry(searchEntry);
+    }
+    else
+    {
+      try
+      {
+        if (searchEntry.hasObjectClass(ocCipherKey))
+        {
+          DirectoryServer.getCryptoManager().importCipherKeyEntry(searchEntry);
+        }
+        else if (searchEntry.hasObjectClass(ocMacKey))
+        {
+          DirectoryServer.getCryptoManager().importMacKeyEntry(searchEntry);
+        }
+      }
+      catch (CryptoManager.CryptoManagerException e)
+      {
+        throw new DirectoryException(
+             DirectoryServer.getServerErrorResultCode(), e);
+      }
+    }
+  }
+
+
+  private void handleInstanceKeySearchEntry(SearchResultEntry searchEntry)
+       throws DirectoryException
+  {
     RDN srcRDN = searchEntry.getDN().getRDN();
 
     // Only process the entry if it has the expected form of RDN.
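Review bot: Cipher and MAC key entries returned by the search are imported into the crypto manager on objectclass alone, without checking where in the admin suffix they live, whereas `handleAddOperation` later in this diff only imports entries that are descendants of `secretKeysDN`. Since the initial search is scoped to `adminSuffixDN` with `WHOLE_SUBTREE`, an entry carrying the cipher/MAC objectclass anywhere under the suffix would be imported at startup but ignored when added live; the two paths should agree, e.g. `else if (searchEntry.getDN().isDescendantOf(secretKeysDN))` around the import branch. The error handling also differs: this path wraps the `CryptoManagerException` in a `DirectoryException` thrown from the listener, which — depending on how `InternalSearchOperation` treats listener exceptions — may abort the whole initial sync on one bad entry, while the add path only logs. The enclosing `handleInternalSearchEntry` signature starts before the hunk and `handleInstanceKeySearchEntry` continues past it.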
@@ -545,13 +599,10 @@
    */
   private void addEntry(Entry srcEntry, DN dstDN)
   {
-    ObjectClass instanceKeyOC =
-         DirectoryServer.getObjectClass(OC_INSTANCE_KEY, true);
-
     LinkedHashMap<ObjectClass,String> ocMap =
          new LinkedHashMap<ObjectClass,String>(2);
     ocMap.put(DirectoryServer.getTopObjectClass(), OC_TOP);
-    ocMap.put(instanceKeyOC, OC_INSTANCE_KEY);
+    ocMap.put(ocInstanceKey, OC_CRYPTO_INSTANCE_KEY);
 
     HashMap<AttributeType, List<Attribute>> userAttrs =
          new HashMap<AttributeType, List<Attribute>>();
@@ -600,11 +651,35 @@
   public void handleAddOperation(PostResponseAddOperation addOperation,
                                  Entry entry)
   {
-    if (!addOperation.getEntryDN().isDescendantOf(instanceKeysDN))
+    if (addOperation.getEntryDN().isDescendantOf(instanceKeysDN))
     {
-      return;
+      handleInstanceKeyAddOperation(entry);
     }
+    else if (addOperation.getEntryDN().isDescendantOf(secretKeysDN))
+    {
+      try
+      {
+        if (entry.hasObjectClass(ocCipherKey))
+        {
+          DirectoryServer.getCryptoManager().importCipherKeyEntry(entry);
+        }
+        else if (entry.hasObjectClass(ocMacKey))
+        {
+          DirectoryServer.getCryptoManager().importMacKeyEntry(entry);
+        }
+      }
+      catch (CryptoManager.CryptoManagerException e)
+      {
+        Message message = Message.raw("Failed to import key entry: %s",
+                                      e.getMessage());
+        ErrorLogger.logError(message);
+      }
+    }
+  }
 
+
+  private void handleInstanceKeyAddOperation(Entry entry)
+  {
     RDN srcRDN = entry.getDN().getRDN();
 
     // Only process the entry if it has the expected form of RDN.
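Review bot: The catch for `CryptoManager.CryptoManagerException` logs only `e.getMessage()` (which may be null) and drops both the exception and the DN of the entry that failed, so an operator cannot tell which secret-key entry was rejected or why. Including the entry in the message is a one-line change, `Message.raw("Failed to import key entry %s: %s", entry.getDN(), e.getMessage())`, and the logger call could carry `e` if `ErrorLogger` offers an overload for it. A secret-key entry under `secretKeysDN` that has neither objectclass is silently skipped; if that is intended, a short comment on the `else if` chain would help. `handleInstanceKeyAddOperation` continues past the end of the hunk.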
