From 0505fc5833dfc17b69bcb12e2c28e4e07a7b339f Mon Sep 17 00:00:00 2001
From: Yuriy Movchan <Yuriy.Movchan@gmail.com>
Date: Fri, 29 Jul 2022 16:59:10 +0000
Subject: [PATCH] Revert "Check if BC FIPS provider exists before loading it"
---
opendj-server-legacy/src/main/java/org/opends/quicksetup/SecurityOptions.java | 28 ---
opendj-server-legacy/src/main/java/org/opends/server/util/CertificateManager.java | 12 -
opendj-server-legacy/src/main/java/org/opends/quicksetup/util/Utils.java | 2
opendj-cli/src/main/java/com/forgerock/opendj/cli/ConnectionFactoryProvider.java | 4
opendj-core/src/main/resources/com/forgerock/opendj/ldap/core.properties | 8
opendj-server-legacy/src/main/java/org/opends/server/tools/InstallDSArgumentParser.java | 12 -
opendj-server-legacy/resource/config/config.ldif | 22 --
opendj-server-legacy/src/main/java/org/opends/server/tools/ConfigureDS.java | 104 ++----------
opendj-core/src/main/java/com/forgerock/opendj/util/FipsStaticUtils.java | 72 ++------
opendj-server-legacy/src/main/java/org/opends/server/tools/InstallDS.java | 50 ------
opendj-core/src/main/java/org/forgerock/opendj/ldap/TrustManagers.java | 16 --
opendj-server-legacy/src/main/java/org/opends/quicksetup/installer/Installer.java | 58 +------
opendj-core/src/main/java/com/forgerock/opendj/util/StaticUtils.java | 20 +-
opendj-server-legacy/src/messages/org/opends/messages/tool.properties | 6
opendj-server-legacy/src/messages/org/opends/messages/utility.properties | 2
opendj-server-legacy/src/messages/org/opends/messages/quickSetup.properties | 7
opendj-core/pom.xml | 4
17 files changed, 68 insertions(+), 359 deletions(-)
diff --git a/opendj-cli/src/main/java/com/forgerock/opendj/cli/ConnectionFactoryProvider.java b/opendj-cli/src/main/java/com/forgerock/opendj/cli/ConnectionFactoryProvider.java
index 248fc6d..a63d46b 100644
--- a/opendj-cli/src/main/java/com/forgerock/opendj/cli/ConnectionFactoryProvider.java
+++ b/opendj-cli/src/main/java/com/forgerock/opendj/cli/ConnectionFactoryProvider.java
@@ -851,10 +851,6 @@
return new PromptingTrustManager(app, tm);
}
- if (isFips) {
- return TrustManagers.checkUsingPkcs11TrustStore();
- }
-
return tm;
}
diff --git a/opendj-core/pom.xml b/opendj-core/pom.xml
index 402b311..64446f4 100644
--- a/opendj-core/pom.xml
+++ b/opendj-core/pom.xml
@@ -112,8 +112,8 @@
<properties>
- <bc.fips.version>1.0.2.3</bc.fips.version>
- <bctls.fips.version>1.0.13</bctls.fips.version>
+ <bc.fips.version>1.0.2.1</bc.fips.version>
+ <bctls.fips.version>1.0.9</bctls.fips.version>
<opendj.osgi.import.additional>
com.sun.security.auth*;resolution:=optional
diff --git a/opendj-core/src/main/java/com/forgerock/opendj/util/FipsStaticUtils.java b/opendj-core/src/main/java/com/forgerock/opendj/util/FipsStaticUtils.java
index a46387e..a69bf2a 100644
--- a/opendj-core/src/main/java/com/forgerock/opendj/util/FipsStaticUtils.java
+++ b/opendj-core/src/main/java/com/forgerock/opendj/util/FipsStaticUtils.java
@@ -4,66 +4,30 @@
import static com.forgerock.opendj.ldap.CoreMessages.INFO_BC_PROVIDER_REGISTER;
import static com.forgerock.opendj.ldap.CoreMessages.INFO_BC_PROVIDER_REGISTERED_ALREADY;
-import static com.forgerock.opendj.ldap.CoreMessages.INFO_BC_FIPS_PROVIDER_NOT_EXISTS;
-import static com.forgerock.opendj.ldap.CoreMessages.INFO_BC_FIPS_PROVIDER_REGISTER;
-import static com.forgerock.opendj.ldap.CoreMessages.INFO_BC_PROVIDER_FAILED_TO_CREATE;
-
-import java.security.Security;
public class FipsStaticUtils {
private static final LocalizedLogger logger = LocalizedLogger.getLoggerForThisClass();
+ /**
+ * A zero-length byte array.
+ */
+ public static final byte[] EMPTY_BYTES = new byte[0];
- public static final String BC_PROVIDER_NAME = "BC";
- public static final String BC_FIPS_PROVIDER_NAME = "BCFIPS";
+ public static void registerBcProvider()
+ {
+ if(!StaticUtils.isFips()) {
+ return;
+ }
+ org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider bouncyCastleProvider
+ = (org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider) java.security.Security.getProvider(org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.PROVIDER_NAME);
+ if (bouncyCastleProvider == null) {
+ FipsStaticUtils.logger.info(INFO_BC_PROVIDER_REGISTER.get());
- private static final String BC_GENERIC_PROVIDER_CLASS_NAME = "org.bouncycastle.jce.provider.BouncyCastleProvider";
- private static final String BC_FIPS_PROVIDER_CLASS_NAME = "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider";
-
- public static void registerBcProvider(){
- if (!StaticUtils.isFips()) {
- return;
- }
-
- String providerName = BC_PROVIDER_NAME;
- String className = BC_GENERIC_PROVIDER_CLASS_NAME;
-
- boolean bcFipsProvider = checkBcFipsProvider();
- if (bcFipsProvider) {
- logger.info(INFO_BC_FIPS_PROVIDER_REGISTER);
-
- providerName = BC_FIPS_PROVIDER_NAME;
- className = BC_FIPS_PROVIDER_CLASS_NAME;
- } else {
- logger.info(INFO_BC_PROVIDER_REGISTER.get());
- }
-
- installBCProvider(providerName, className);
+ bouncyCastleProvider = new org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider();
+ java.security.Security.insertProviderAt(bouncyCastleProvider, 1);
+ } else {
+ FipsStaticUtils.logger.info(INFO_BC_PROVIDER_REGISTERED_ALREADY.get());
+ }
}
- private static void installBCProvider(String providerName, String providerClassName) {
- java.security.Provider bouncyCastleProvider = Security.getProvider(providerName);
- if (bouncyCastleProvider == null) {
- try {
- bouncyCastleProvider = (java.security.Provider) Class.forName(providerClassName).getConstructor().newInstance();
- java.security.Security.insertProviderAt(bouncyCastleProvider, 1);
- } catch (ReflectiveOperationException | IllegalArgumentException | SecurityException ex) {
- logger.error(INFO_BC_PROVIDER_FAILED_TO_CREATE.get());
- }
- } else {
- logger.info(INFO_BC_PROVIDER_REGISTERED_ALREADY.get());
- }
- }
-
- private static boolean checkBcFipsProvider() {
- try {
- // Check if there is BC FIPS provider libs
- Class.forName(BC_FIPS_PROVIDER_CLASS_NAME);
- } catch (ClassNotFoundException e) {
- logger.trace(INFO_BC_FIPS_PROVIDER_NOT_EXISTS.get(), e);
- return false;
- }
-
- return true;
- }
}
diff --git a/opendj-core/src/main/java/com/forgerock/opendj/util/StaticUtils.java b/opendj-core/src/main/java/com/forgerock/opendj/util/StaticUtils.java
index 16ecb55..ed0f3bb 100644
--- a/opendj-core/src/main/java/com/forgerock/opendj/util/StaticUtils.java
+++ b/opendj-core/src/main/java/com/forgerock/opendj/util/StaticUtils.java
@@ -36,6 +36,9 @@
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ThreadFactory;
+import static com.forgerock.opendj.ldap.CoreMessages.INFO_BC_PROVIDER_REGISTER;
+import static com.forgerock.opendj.ldap.CoreMessages.INFO_BC_PROVIDER_REGISTERED_ALREADY;
+
/**
* Common utility methods.
*/
@@ -63,11 +66,6 @@
*/
public static final String EOL = System.getProperty("line.separator");
- /**
- * A zero-length byte array.
- */
- public static final byte[] EMPTY_BYTES = new byte[0];
-
/** The name of the time zone for universal coordinated time (UTC). */
private static final String TIME_ZONE_UTC = "UTC";
@@ -786,14 +784,12 @@
if (providers[i].getName().toLowerCase().contains("fips"))
return true;
}
-
return false;
}
- public static void registerBcProvider(){
- try {
- FipsStaticUtils.registerBcProvider();
- } catch (NoClassDefFoundError e) {}
- }
-
+ public static void registerBcProvider() {
+ try {
+ FipsStaticUtils.registerBcProvider();
+ } catch (NoClassDefFoundError e) {}
+ }
}
diff --git a/opendj-core/src/main/java/org/forgerock/opendj/ldap/TrustManagers.java b/opendj-core/src/main/java/org/forgerock/opendj/ldap/TrustManagers.java
index 803c2a0..42cc7d0 100644
--- a/opendj-core/src/main/java/org/forgerock/opendj/ldap/TrustManagers.java
+++ b/opendj-core/src/main/java/org/forgerock/opendj/ldap/TrustManagers.java
@@ -522,22 +522,6 @@
throw new NoSuchAlgorithmException();
}
- public static X509TrustManager checkUsingPkcs11TrustStore() throws GeneralSecurityException, IOException {
- final KeyStore keyStore = KeyStore.getInstance("PKCS11");
- keyStore.load(null, null);
-
- final TrustManagerFactory tmf =
- TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
- tmf.init(keyStore);
-
- for (final TrustManager tm : tmf.getTrustManagers()) {
- if (tm instanceof X509TrustManager) {
- return (X509TrustManager) tm;
- }
- }
- throw new NoSuchAlgorithmException();
- }
-
public static boolean isFips() {
Provider[] providers = Security.getProviders();
for (int i = 0; i < providers.length; i++) {
diff --git a/opendj-core/src/main/resources/com/forgerock/opendj/ldap/core.properties b/opendj-core/src/main/resources/com/forgerock/opendj/ldap/core.properties
index a7b9847..fd4eb60 100644
--- a/opendj-core/src/main/resources/com/forgerock/opendj/ldap/core.properties
+++ b/opendj-core/src/main/resources/com/forgerock/opendj/ldap/core.properties
@@ -616,12 +616,8 @@
INFO_RESULT_OFFSET_RANGE_ERROR=Offset Range Error
INFO_RESULT_VIRTUAL_LIST_VIEW_ERROR=Virtual List View Error
INFO_RESULT_NO_OPERATION=No Operation
-INFO_BC_PROVIDER_REGISTER=Attempting to install BC Provider
-INFO_BC_FIPS_PROVIDER_REGISTER=Attempting to install BC FIPS provider
-INFO_BC_FIPS_PROVIDER_NOT_EXISTS=BC FIPS provider is not available
-INFO_BC_PROVIDER_REGISTERED_ALREADY=BC Provider was registered already
-INFO_BC_PROVIDER_FAILED_TO_CREATE=Failed to create BC Provider
-
+INFO_BC_PROVIDER_REGISTER=Registering Bouncy Castle Provider
+INFO_BC_PROVIDER_REGISTERED_ALREADY=Bouncy Castle Provider was registered already
#
# Protocol messages
#
diff --git a/opendj-server-legacy/resource/config/config.ldif b/opendj-server-legacy/resource/config/config.ldif
index f836b18..9326f10 100644
--- a/opendj-server-legacy/resource/config/config.ldif
+++ b/opendj-server-legacy/resource/config/config.ldif
@@ -693,17 +693,6 @@
ds-cfg-enabled: false
ds-cfg-key-store-pin-file: config/keystore.pin
-dn: cn=BCFKS,cn=Key Manager Providers,cn=config
-objectClass: top
-objectClass: ds-cfg-key-manager-provider
-objectClass: ds-cfg-file-based-key-manager-provider
-cn: BCFKS
-ds-cfg-java-class: org.opends.server.extensions.FileBasedKeyManagerProvider
-ds-cfg-enabled: false
-ds-cfg-key-store-type: BCFKS
-ds-cfg-key-store-file: config/keystore.bcfks
-ds-cfg-key-store-pin-file: config/keystore.pin
-
dn: cn=Loggers,cn=config
objectClass: top
objectClass: ds-cfg-branch
@@ -1577,17 +1566,6 @@
ds-cfg-trust-store-type: PKCS12
ds-cfg-trust-store-file: config/truststore.p12
-dn: cn=BCFKS,cn=Trust Manager Providers,cn=config
-objectClass: top
-objectClass: ds-cfg-trust-manager-provider
-objectClass: ds-cfg-file-based-trust-manager-provider
-cn: BCFKS
-ds-cfg-java-class: org.opends.server.extensions.FileBasedTrustManagerProvider
-ds-cfg-enabled: false
-ds-cfg-trust-store-type: BCFKS
-ds-cfg-trust-store-file: config/truststore.bcfks
-ds-cfg-trust-store-pin-file: config/keystore.pin
-
dn: cn=Virtual Attributes,cn=config
objectClass: top
objectClass: ds-cfg-branch
diff --git a/opendj-server-legacy/src/main/java/org/opends/quicksetup/SecurityOptions.java b/opendj-server-legacy/src/main/java/org/opends/quicksetup/SecurityOptions.java
index 7872560..c021bc9 100644
--- a/opendj-server-legacy/src/main/java/org/opends/quicksetup/SecurityOptions.java
+++ b/opendj-server-legacy/src/main/java/org/opends/quicksetup/SecurityOptions.java
@@ -48,9 +48,7 @@
/** Use an existing PKCS#11 key store. */
PKCS11,
/** Use an existing PKCS#12 key store. */
- PKCS12,
- /** Use an existing BCFKS key store. */
- BCFKS
+ PKCS12
}
private CertificateType certificateType;
@@ -216,30 +214,6 @@
}
/**
- * Creates a new instance of a SecurityOptions using a BCFKS Key Store.
- *
- * @param keystorePath
- * the path of the key store.
- * @param keystorePwd
- * the password of the key store.
- * @param enableSSL
- * whether SSL is enabled or not.
- * @param enableStartTLS
- * whether Start TLS is enabled or not.
- * @param sslPort
- * the value of the LDAPS port.
- * @param aliasesToUse
- * the aliases of the certificates in the keystore to be used.
- * @return a new instance of a SecurityOptions using a PKCS#12 Key Store.
- */
- public static SecurityOptions createBCFKSCertificateOptions( String keystorePath, String keystorePwd,
- boolean enableSSL, boolean enableStartTLS, int sslPort, Collection<String> aliasesToUse)
- {
- return createOptionsForCertificatType(
- CertificateType.BCFKS, keystorePath, keystorePwd, enableSSL, enableStartTLS, sslPort, aliasesToUse);
- }
-
- /**
* Creates a new instance of a SecurityOptions using the provided type Key
* Store.
*
diff --git a/opendj-server-legacy/src/main/java/org/opends/quicksetup/installer/Installer.java b/opendj-server-legacy/src/main/java/org/opends/quicksetup/installer/Installer.java
index b776bd6..83935d6 100644
--- a/opendj-server-legacy/src/main/java/org/opends/quicksetup/installer/Installer.java
+++ b/opendj-server-legacy/src/main/java/org/opends/quicksetup/installer/Installer.java
@@ -1370,16 +1370,9 @@
configureKeyAndTrustStore(CertificateManager.KEY_STORE_PATH_PKCS11, CertificateManager.KEY_STORE_TYPE_PKCS11,
CertificateManager.KEY_STORE_TYPE_JKS, sec);
configureAdminKeyAndTrustStore(CertificateManager.KEY_STORE_PATH_PKCS11, CertificateManager.KEY_STORE_TYPE_PKCS11,
- CertificateManager.KEY_STORE_TYPE_JKS, sec, true);
+ CertificateManager.KEY_STORE_TYPE_JKS, sec);
break;
- case BCFKS:
- configureKeyAndTrustStore(sec.getKeystorePath(), CertificateManager.KEY_STORE_TYPE_BCFKS,
- CertificateManager.KEY_STORE_TYPE_JKS, sec);
- configureAdminKeyAndTrustStore(sec.getKeystorePath(), CertificateManager.KEY_STORE_TYPE_BCFKS,
- CertificateManager.KEY_STORE_TYPE_BCFKS, sec, true);
- break;
-
default:
throw new IllegalStateException("Unknown certificate type: " + certType);
}
@@ -1410,35 +1403,24 @@
}
private void configureAdminKeyAndTrustStore(final String keyStorePath, final String keyStoreType,
- final String trustStoreType, final SecurityOptions sec, boolean exportKeys) throws Exception
+ final String trustStoreType, final SecurityOptions sec) throws Exception
{
final String keystorePassword = sec.getKeystorePassword();
+ final String trustStorePath = getPath2("admin-truststore");
- if (exportKeys) {
- final String exportTrustStorePath = getExportTrustManagerPath(trustStoreType);
- CertificateManager certManager = new CertificateManager(keyStorePath, keyStoreType, keystorePassword);
- for (String keyStoreAlias : sec.getAliasesToUse())
- {
- SetupUtils.exportCertificate(certManager, keyStoreAlias, getTemporaryCertificatePath());
- configureAdminTrustStore(exportTrustStorePath, trustStoreType, keyStoreAlias, keystorePassword);
- }
+ CertificateManager certManager = new CertificateManager(keyStorePath, keyStoreType, keystorePassword);
+ for (String keyStoreAlias : sec.getAliasesToUse())
+ {
+ SetupUtils.exportCertificate(certManager, keyStoreAlias, getTemporaryCertificatePath());
+ configureAdminTrustStore(trustStorePath, trustStoreType, keyStoreAlias, keystorePassword);
}
// Set default trustManager to allow check server startup status
- final String trustStorePath = getPath2("truststore");
if (com.forgerock.opendj.util.StaticUtils.isFips()) {
- String usedTrustStorePath = trustStorePath;
- String usedTrustStoreType = "JKS";
-/*
- if (keyStoreType.equals(CertificateManager.KEY_STORE_TYPE_BCFKS)) {
- usedTrustStorePath = getTrustManagerPath(keyStoreType);
- usedTrustStoreType = keyStoreType;
- }
-*/
KeyStore truststore = null;
- try (final FileInputStream fis = new FileInputStream(usedTrustStorePath))
+ try (final FileInputStream fis = new FileInputStream(trustStorePath))
{
- truststore = KeyStore.getInstance(usedTrustStoreType);
+ truststore = KeyStore.getInstance(trustStoreType);
truststore.load(fis, keystorePassword.toCharArray());
}
catch (KeyStoreException | NoSuchAlgorithmException | CertificateException | IOException e)
@@ -1514,10 +1496,6 @@
addCertificateArguments(argList, null, aliasInKeyStore, "cn=PKCS11,cn=Key Manager Providers,cn=config",
"cn=JKS,cn=Trust Manager Providers,cn=config");
break;
- case BCFKS:
- addCertificateArguments(argList, sec, aliasInKeyStore, "cn=BCFKS,cn=Key Manager Providers,cn=config",
- "cn=BCFKS,cn=Trust Manager Providers,cn=config");
- break;
case NO_CERTIFICATE:
// Nothing to do.
break;
@@ -4067,22 +4045,6 @@
}
/**
- * Returns the trustmanager path to be used for exported
- * certificate.
- *
- * @return the trustmanager path to be used for exporting
- * certificate.
- */
- private String getExportTrustManagerPath(String type)
- {
- if (type.equals(CertificateManager.KEY_STORE_TYPE_BCFKS)) {
- return getPath2("truststore.bcfks");
- }
-
- return getPath2("admin-truststore");
- }
-
- /**
* Returns the path of the self-signed that we export to be able to create a
* truststore.
*
diff --git a/opendj-server-legacy/src/main/java/org/opends/quicksetup/util/Utils.java b/opendj-server-legacy/src/main/java/org/opends/quicksetup/util/Utils.java
index a6f8390..fbb5067 100644
--- a/opendj-server-legacy/src/main/java/org/opends/quicksetup/util/Utils.java
+++ b/opendj-server-legacy/src/main/java/org/opends/quicksetup/util/Utils.java
@@ -1285,8 +1285,6 @@
return INFO_PKCS11_CERTIFICATE.get();
case PKCS12:
return INFO_PKCS12_CERTIFICATE.get();
- case BCFKS:
- return INFO_BCFKS_CERTIFICATE.get();
default:
throw new IllegalStateException("Unknown certificate options type: " + ops.getCertificateType());
}
diff --git a/opendj-server-legacy/src/main/java/org/opends/server/tools/ConfigureDS.java b/opendj-server-legacy/src/main/java/org/opends/server/tools/ConfigureDS.java
index e09f413..b5da0ef 100644
--- a/opendj-server-legacy/src/main/java/org/opends/server/tools/ConfigureDS.java
+++ b/opendj-server-legacy/src/main/java/org/opends/server/tools/ConfigureDS.java
@@ -188,7 +188,6 @@
+ "ds-cfg-trust-store-type: JCEKS" + NEW_LINE
+ "ds-cfg-trust-store-file: config/truststore" + NEW_LINE;
- private static final String DN_ADMIN_TRUST_MANAGER = "cn=Administration,cn=Trust Manager Providers," + DN_CONFIG_ROOT;
private static final String DN_ADMIN_KEY_MANAGER = "cn=Administration,cn=Key Manager Providers," + DN_CONFIG_ROOT;
/** The DN of the configuration entry defining the LDAP connection handler. */
@@ -882,6 +881,9 @@
putKeyManagerConfigAttribute(enableStartTLS, DN_LDAP_CONNECTION_HANDLER);
putKeyManagerConfigAttribute(ldapsPort, DN_LDAPS_CONNECTION_HANDLER);
putKeyManagerConfigAttribute(ldapsPort, DN_HTTP_CONNECTION_HANDLER);
+ if (StaticUtils.isFips()) {
+ putAdminKeyManagerConfigAttribute(ldapsPort, DN_ADMIN_KEY_MANAGER);
+ }
if (keyManagerPath.isPresent())
{
@@ -898,10 +900,6 @@
throw new ConfigureDSException(e, LocalizableMessage.raw(e.toString()));
}
}
-
- if (StaticUtils.isFips()) {
- putAdminKeyManagerConfigAttribute(keyManagerProviderDN, DN_ADMIN_KEY_MANAGER);
- }
}
}
@@ -925,52 +923,31 @@
}
}
- private void putAdminKeyManagerConfigAttribute(final Argument keyManagerProviderDN, final String attributeDN)
+ private void putAdminKeyManagerConfigAttribute(final Argument arg, final String attributeDN)
throws ConfigureDSException
{
- if (keyManagerProviderDN.isPresent())
+ if (arg.isPresent())
{
try
{
- boolean isBcfks = keyManagerProviderDN.getValue().toLowerCase().startsWith("cn=bcfks");
- if (isBcfks) {
- updateConfigEntryWithAttribute(
- attributeDN,
- ATTR_KEYSTORE_TYPE,
- CoreSchema.getDirectoryStringSyntax(),
- "BCFKS");
+ updateConfigEntryByRemovingAttribute(attributeDN, ATTR_KEYSTORE_TYPE);
+ updateConfigEntryByRemovingAttribute(attributeDN, ATTR_KEYSTORE_FILE);
- updateConfigEntryWithAttribute(
- attributeDN,
- ATTR_KEYSTORE_FILE,
- CoreSchema.getDirectoryStringSyntax(),
- keyManagerPath.getValue());
+ updateConfigEntryWithObjectClasses(
+ attributeDN,
+ "top", "ds-cfg-pkcs11-key-manager-provider", "ds-cfg-key-manager-provider");
- updateConfigEntryWithAttribute(
- attributeDN,
- ATTR_KEYSTORE_PIN_FILE,
- CoreSchema.getDirectoryStringSyntax(),
- "config/keystore.pin");
- } else {
- updateConfigEntryByRemovingAttribute(attributeDN, ATTR_KEYSTORE_TYPE);
- updateConfigEntryByRemovingAttribute(attributeDN, ATTR_KEYSTORE_FILE);
-
- updateConfigEntryWithObjectClasses(
- attributeDN,
- "top", "ds-cfg-pkcs11-key-manager-provider", "ds-cfg-key-manager-provider");
-
- updateConfigEntryWithAttribute(
- attributeDN,
- ATTR_KEYMANAGER_CLASS,
- CoreSchema.getDirectoryStringSyntax(),
- "org.opends.server.extensions.PKCS11KeyManagerProvider");
-
- updateConfigEntryWithAttribute(
- attributeDN,
- ATTR_KEYSTORE_PIN_FILE,
- CoreSchema.getDirectoryStringSyntax(),
- "config/keystore.pin");
- }
+ updateConfigEntryWithAttribute(
+ attributeDN,
+ ATTR_KEYMANAGER_CLASS,
+ CoreSchema.getDirectoryStringSyntax(),
+ "org.opends.server.extensions.PKCS11KeyManagerProvider");
+
+ updateConfigEntryWithAttribute(
+ attributeDN,
+ ATTR_KEYSTORE_PIN_FILE,
+ CoreSchema.getDirectoryStringSyntax(),
+ "config/keystore.pin");
}
catch (final Exception e)
{
@@ -1019,10 +996,6 @@
removeSSLCertNicknameAttribute(DN_HTTP_CONNECTION_HANDLER);
removeSSLCertNicknameAttribute(DN_JMX_CONNECTION_HANDLER);
}
-
- if (StaticUtils.isFips()) {
- putAdminTrustManagerConfigAttribute(trustManagerProviderDN, DN_ADMIN_TRUST_MANAGER);
- }
}
private void putTrustManagerAttribute(final Argument arg, final String attributeDN) throws ConfigureDSException
@@ -1044,41 +1017,6 @@
}
}
- private void putAdminTrustManagerConfigAttribute(final Argument trustManagerProviderDN, final String attributeDN)
- throws ConfigureDSException
- {
- if (keyManagerProviderDN.isPresent())
- {
- try
- {
- boolean isBcfks = keyManagerProviderDN.getValue().toLowerCase().startsWith("cn=bcfks");
- if (isBcfks) {
- updateConfigEntryWithAttribute(
- attributeDN,
- ATTR_TRUSTSTORE_TYPE,
- CoreSchema.getDirectoryStringSyntax(),
- "BCFKS");
-
- updateConfigEntryWithAttribute(
- attributeDN,
- ATTR_TRUSTSTORE_FILE,
- CoreSchema.getDirectoryStringSyntax(),
- keyManagerPath.getValue());
-
- updateConfigEntryWithAttribute(
- attributeDN,
- ATTR_TRUSTSTORE_PIN_FILE,
- CoreSchema.getDirectoryStringSyntax(),
- "config/keystore.pin");
- }
- }
- catch (final Exception e)
- {
- throw new ConfigureDSException(e, ERR_CONFIGDS_CANNOT_UPDATE_TRUSTMANAGER_REFERENCE.get(e));
- }
- }
- }
-
private void updateCertNicknameEntry(final Argument arg, final String attributeDN,
final String attrName, final List<String> attrValues) throws ConfigureDSException
{
diff --git a/opendj-server-legacy/src/main/java/org/opends/server/tools/InstallDS.java b/opendj-server-legacy/src/main/java/org/opends/server/tools/InstallDS.java
index f5bf1a4..8410788 100644
--- a/opendj-server-legacy/src/main/java/org/opends/server/tools/InstallDS.java
+++ b/opendj-server-legacy/src/main/java/org/opends/server/tools/InstallDS.java
@@ -820,11 +820,6 @@
certType = SecurityOptions.CertificateType.PKCS12;
pathToCertificat = argParser.usePkcs12Arg.getValue();
}
- else if (argParser.useBcfksArg.isPresent())
- {
- certType = SecurityOptions.CertificateType.BCFKS;
- pathToCertificat = argParser.useBcfksArg.getValue();
- }
else
{
certType = SecurityOptions.CertificateType.NO_CERTIFICATE;
@@ -1597,12 +1592,6 @@
createSecurityOptionsPrompting(SecurityOptions.CertificateType.PKCS11,
enableSSL, enableStartTLS, ldapsPort);
}
- else if (argParser.useBcfksArg.isPresent())
- {
- securityOptions =
- createSecurityOptionsPrompting(SecurityOptions.CertificateType.BCFKS,
- enableSSL, enableStartTLS, ldapsPort);
- }
else if (!enableSSL && !enableStartTLS)
{
// If the user did not want to enable SSL or start TLS do not ask
@@ -1616,15 +1605,13 @@
final int JCEKS = 3;
final int PKCS12 = 4;
final int PKCS11 = 5;
- final int BCFKS = 6;
- final int[] indexes = {SELF_SIGNED, JKS, JCEKS, PKCS12, PKCS11, BCFKS};
+ final int[] indexes = {SELF_SIGNED, JKS, JCEKS, PKCS12, PKCS11};
final LocalizableMessage[] msgs = {
INFO_INSTALLDS_CERT_OPTION_SELF_SIGNED.get(),
INFO_INSTALLDS_CERT_OPTION_JKS.get(),
INFO_INSTALLDS_CERT_OPTION_JCEKS.get(),
INFO_INSTALLDS_CERT_OPTION_PKCS12.get(),
- INFO_INSTALLDS_CERT_OPTION_PKCS11.get(),
- INFO_INSTALLDS_CERT_OPTION_BCFKS.get()
+ INFO_INSTALLDS_CERT_OPTION_PKCS11.get()
};
final MenuBuilder<Integer> builder = new MenuBuilder<>(this);
@@ -1660,10 +1647,6 @@
builder.setDefault(LocalizableMessage.raw(String.valueOf(PKCS12)),
MenuResult.success(PKCS12));
break;
- case BCFKS:
- builder.setDefault(LocalizableMessage.raw(String.valueOf(BCFKS)),
- MenuResult.success(BCFKS));
- break;
default:
builder.setDefault(LocalizableMessage.raw(String.valueOf(SELF_SIGNED)),
MenuResult.success(SELF_SIGNED));
@@ -1722,13 +1705,6 @@
SecurityOptions.CertificateType.PKCS11, enableSSL,
enableStartTLS, ldapsPort);
}
- else if (certType == BCFKS)
- {
- securityOptions =
- createSecurityOptionsPrompting(
- SecurityOptions.CertificateType.BCFKS, enableSSL,
- enableStartTLS, ldapsPort);
- }
else
{
throw new IllegalStateException("Unexpected cert type: "+ certType);
@@ -1876,13 +1852,6 @@
pwd);
break;
- case BCFKS:
- certManager = new CertificateManager(
- path,
- CertificateManager.KEY_STORE_TYPE_BCFKS,
- pwd);
- break;
-
default:
throw new IllegalArgumentException("Invalid type: "+type);
}
@@ -1904,9 +1873,6 @@
case PKCS11:
errorMessages.add(INFO_PKCS11_KEYSTORE_DOES_NOT_EXIST.get());
break;
- case BCFKS:
- errorMessages.add(INFO_BCFKS_KEYSTORE_DOES_NOT_EXIST.get());
- break;
default:
throw new IllegalArgumentException("Invalid type: "+type);
}
@@ -2034,15 +2000,6 @@
}
pathPrompt = INFO_INSTALLDS_PROMPT_PKCS12_PATH.get();
break;
- case BCFKS:
- path = argParser.useBcfksArg.getValue();
- defaultPathValue = argParser.useBcfksArg.getValue();
- if (defaultPathValue == null)
- {
- defaultPathValue = lastResetKeyStorePath;
- }
- pathPrompt = INFO_INSTALLDS_PROMPT_BCFKS_PATH.get();
- break;
default:
throw new IllegalStateException(
"Called promptIfRequiredCertificate with invalid type: "+type);
@@ -2138,9 +2095,6 @@
certNicknames);
case PKCS11:
return SecurityOptions.createPKCS11CertificateOptions(pwd, enableSSL, enableStartTLS, ldapsPort, certNicknames);
- case BCFKS:
- return SecurityOptions.createBCFKSCertificateOptions(path, pwd, enableSSL, enableStartTLS, ldapsPort,
- certNicknames);
default:
throw new IllegalStateException("Called createSecurityOptionsPrompting with invalid type: " + type);
}
diff --git a/opendj-server-legacy/src/main/java/org/opends/server/tools/InstallDSArgumentParser.java b/opendj-server-legacy/src/main/java/org/opends/server/tools/InstallDSArgumentParser.java
index f46da3c..8bb16e8 100644
--- a/opendj-server-legacy/src/main/java/org/opends/server/tools/InstallDSArgumentParser.java
+++ b/opendj-server-legacy/src/main/java/org/opends/server/tools/InstallDSArgumentParser.java
@@ -79,7 +79,6 @@
BooleanArgument generateSelfSignedCertificateArg;
StringArgument hostNameArg;
BooleanArgument usePkcs11Arg;
- StringArgument useBcfksArg;
private FileBasedArgument directoryManagerPwdFileArg;
private FileBasedArgument keyStorePasswordFileArg;
IntegerArgument ldapPortArg;
@@ -343,13 +342,6 @@
.buildArgument();
addArgument(usePkcs11Arg);
- useBcfksArg =
- StringArgument.builder("useBcfksKeystore")
- .description(INFO_INSTALLDS_DESCRIPTION_USE_BCFKS.get())
- .valuePlaceholder(INFO_KEYSTOREPATH_PLACEHOLDER.get())
- .buildArgument();
- addArgument(useBcfksArg);
-
useJavaKeyStoreArg =
StringArgument.builder("useJavaKeystore")
.description(INFO_INSTALLDS_DESCRIPTION_USE_JAVAKEYSTORE.get())
@@ -619,10 +611,6 @@
{
certificateType++;
}
- if (useBcfksArg.isPresent())
- {
- certificateType++;
- }
if (certificateType > 1)
{
diff --git a/opendj-server-legacy/src/main/java/org/opends/server/util/CertificateManager.java b/opendj-server-legacy/src/main/java/org/opends/server/util/CertificateManager.java
index 4b10875..dd453b0 100644
--- a/opendj-server-legacy/src/main/java/org/opends/server/util/CertificateManager.java
+++ b/opendj-server-legacy/src/main/java/org/opends/server/util/CertificateManager.java
@@ -64,11 +64,6 @@
public static final String KEY_STORE_TYPE_PKCS12 = "PKCS12";
/**
- * The key store type value that should be used for the "BCFKS" key store.
- */
- public static final String KEY_STORE_TYPE_BCFKS = "BCFKS";
-
- /**
* The key store path value that must be used in conjunction with the PKCS11
* key store type.
*/
@@ -162,7 +157,7 @@
}
} else if (keyStoreType.equals(KEY_STORE_TYPE_JKS) ||
keyStoreType.equals(KEY_STORE_TYPE_JCEKS) ||
- keyStoreType.equals(KEY_STORE_TYPE_PKCS12) || keyStoreType.equals(KEY_STORE_TYPE_BCFKS)) {
+ keyStoreType.equals(KEY_STORE_TYPE_PKCS12)) {
File keyStoreFile = new File(keyStorePath);
if (keyStoreFile.exists()) {
if (! keyStoreFile.isFile()) {
@@ -179,7 +174,7 @@
} else {
LocalizableMessage msg = ERR_CERTMGR_INVALID_STORETYPE.get(
KEY_STORE_TYPE_JKS, KEY_STORE_TYPE_JCEKS,
- KEY_STORE_TYPE_PKCS11, KEY_STORE_TYPE_PKCS12, KEY_STORE_TYPE_BCFKS);
+ KEY_STORE_TYPE_PKCS11, KEY_STORE_TYPE_PKCS12);
throw new IllegalArgumentException(msg.toString());
}
this.keyStorePath = keyStorePath;
@@ -382,8 +377,7 @@
FileInputStream keyStoreInputStream = null;
if (keyStoreType.equals(KEY_STORE_TYPE_JKS) ||
keyStoreType.equals(KEY_STORE_TYPE_JCEKS) ||
- keyStoreType.equals(KEY_STORE_TYPE_PKCS12) ||
- keyStoreType.equals(KEY_STORE_TYPE_BCFKS))
+ keyStoreType.equals(KEY_STORE_TYPE_PKCS12))
{
final File keyStoreFile = new File(keyStorePath);
if (! keyStoreFile.exists())
diff --git a/opendj-server-legacy/src/messages/org/opends/messages/quickSetup.properties b/opendj-server-legacy/src/messages/org/opends/messages/quickSetup.properties
index 4645220..abd9358 100644
--- a/opendj-server-legacy/src/messages/org/opends/messages/quickSetup.properties
+++ b/opendj-server-legacy/src/messages/org/opends/messages/quickSetup.properties
@@ -506,13 +506,6 @@
INFO_PKCS12_KEYSTORE_DOES_NOT_EXIST=No certificates for the PCKS#12 key store \
could be found. Check that the provided path and PIN are valid and that \
the key store contains certificates.
-INFO_BCFKS_CERTIFICATE=Use existing BCFKS File
-INFO_BCFKS_CERTIFICATE_LABEL=BCFKS File
-INFO_BCFKS_CERTIFICATE_TOOLTIP=Select this option if you have a BCFKS \
- certificate.
-INFO_BCFKS_KEYSTORE_DOES_NOT_EXIST=No certificates for the BCFKS key store \
- could be found. Check that the provided path and PIN are valid and that \
- the key store contains certificates.
INFO_PREVIOUS_BUTTON_LABEL=< Previous
INFO_PREVIOUS_BUTTON_TOOLTIP=Go to Previous Step
INFO_PROGRESS_CANCELING=Canceling
diff --git a/opendj-server-legacy/src/messages/org/opends/messages/tool.properties b/opendj-server-legacy/src/messages/org/opends/messages/tool.properties
index 89347db..05ff5d2 100644
--- a/opendj-server-legacy/src/messages/org/opends/messages/tool.properties
+++ b/opendj-server-legacy/src/messages/org/opends/messages/tool.properties
@@ -1785,7 +1785,6 @@
INFO_INSTALLDS_ENABLE_STARTTLS_1382=Do you want to enable Start TLS?
INFO_INSTALLDS_PROMPT_JKS_PATH_1383=Java Key Store (JKS) path:
INFO_INSTALLDS_PROMPT_PKCS12_PATH_1384=PKCS#12 key Store path:
-INFO_INSTALLDS_PROMPT_BCFKS_PATH_11002=BCFKS key Store path:
INFO_INSTALLDS_PROMPT_KEYSTORE_PASSWORD_1385=Key store PIN:
INFO_INSTALLDS_PROMPT_CERTNICKNAME_1386=Use nickname %s?
INFO_INSTALLDS_HEADER_CERT_TYPE_1387=Certificate server options:
@@ -1797,8 +1796,6 @@
a PKCS#12 key store
INFO_INSTALLDS_CERT_OPTION_PKCS11_1391=Use an existing certificate on a \
PKCS#11 token
-INFO_INSTALLDS_CERT_OPTION_BCFKS_11001=Use an existing certificate located on a \
- BCFKS key store
INFO_INSTALLDS_PROMPT_START_SERVER_1393=Do you want to start the server when \
the configuration is completed?
ERR_INSTALLDS_CERTNICKNAME_NOT_FOUND_1394=The provided certificate \
@@ -1821,9 +1818,6 @@
INFO_INSTALLDS_DESCRIPTION_USE_PKCS11_1400=Use a certificate in a \
PKCS#11 token that the server should use when accepting SSL-based \
connections or performing StartTLS negotiation
-INFO_INSTALLDS_DESCRIPTION_USE_BCFKS_11000=Path of a BCFKS key \
- store containing the certificate that the server should use when accepting \
- SSL-based connections or performing StartTLS negotiation
INFO_INSTALLDS_DESCRIPTION_USE_JAVAKEYSTORE_1401=Path of a Java \
Key Store (JKS) containing a certificate to be used as the server certificate. \
This does not apply to the administration connector, which uses \
diff --git a/opendj-server-legacy/src/messages/org/opends/messages/utility.properties b/opendj-server-legacy/src/messages/org/opends/messages/utility.properties
index fcb641f..029fa06 100644
--- a/opendj-server-legacy/src/messages/org/opends/messages/utility.properties
+++ b/opendj-server-legacy/src/messages/org/opends/messages/utility.properties
@@ -321,7 +321,7 @@
ERR_CERTMGR_INVALID_PARENT_274=Parent directory for key store path \
%s does not exist or is not a directory
ERR_CERTMGR_INVALID_STORETYPE_275=Invalid key store type, it must \
-be one of the following: %s, %s, %s, %s or %s
+be one of the following: %s, %s, %s or %s
ERR_CERTMGR_KEYSTORE_NONEXISTANT_276=Keystore does not exist, \
it must exist to retrieve an alias, delete an alias or generate a \
certificate request
--
Gitblit v1.10.0