@Override
public void engineLoad(KeyStore.LoadStoreParameter param)
throws IOException, NoSuchAlgorithmException, CertificateException {
if (param instanceof DomainLoadStoreParameter) {
DomainLoadStoreParameter domainParameter = (DomainLoadStoreParameter) param;
List<KeyStoreBuilderComponents> builders =
getBuilders(domainParameter.getConfiguration(), domainParameter.getProtectionParams());
for (KeyStoreBuilderComponents builder : builders) {
try {
// Load the keystores (file-based and non-file-based)
if (builder.file != null) {
keystores.put(
builder.name,
KeyStore.Builder.newInstance(
builder.type, builder.provider, builder.file, builder.protection)
.getKeyStore());
} else {
keystores.put(
builder.name,
KeyStore.Builder.newInstance(builder.type, builder.provider, builder.protection)
.getKeyStore());
}
} catch (KeyStoreException e) {
throw new IOException(e);
}
}
} else {
throw new UnsupportedOperationException(
"This keystore must be loaded using a " + "DomainLoadStoreParameter");
}
}
/**
* Loads the keystore from the given input stream.
*
* <p>If a password is given, it is used to check the integrity of the keystore data. Otherwise,
* the integrity of the keystore is not checked.
*
* @param stream the input stream from which the keystore is loaded
* @param password the (optional) password used to check the integrity of the keystore.
* @exception IOException if there is an I/O or format problem with the keystore data
* @exception NoSuchAlgorithmException if the algorithm used to check the integrity of the
* keystore cannot be found
* @exception CertificateException if any of the certificates in the keystore could not be loaded
*/
public void engineLoad(InputStream stream, char[] password)
throws IOException, NoSuchAlgorithmException, CertificateException {
// Support loading from a stream only for a JKS or default type keystore
try {
KeyStore keystore = null;
try {
keystore = KeyStore.getInstance("JKS");
keystore.load(stream, password);
} catch (Exception e) {
// Retry
if (!"JKS".equalsIgnoreCase(DEFAULT_KEYSTORE_TYPE)) {
keystore = KeyStore.getInstance(DEFAULT_KEYSTORE_TYPE);
keystore.load(stream, password);
} else {
throw e;
}
}
String keystoreName = DEFAULT_STREAM_PREFIX + streamCounter++;
keystores.put(keystoreName, keystore);
} catch (Exception e) {
throw new UnsupportedOperationException(
"This keystore must be loaded using a " + "DomainLoadStoreParameter");
}
}
/**
* Stores this keystore to the given output stream, and protects its integrity with the given
* password.
*
* @param stream the output stream to which this keystore is written.
* @param password the password to generate the keystore integrity check
* @exception IOException if there was an I/O problem with data
* @exception NoSuchAlgorithmException if the appropriate data integrity algorithm could not be
* found
* @exception CertificateException if any of the certificates included in the keystore data could
* not be stored
*/
public void engineStore(OutputStream stream, char[] password)
throws IOException, NoSuchAlgorithmException, CertificateException {
// Support storing to a stream only when a single keystore has been
// configured
try {
if (keystores.size() == 1) {
keystores.values().iterator().next().store(stream, password);
return;
}
} catch (KeyStoreException e) {
throw new IllegalStateException(e);
}
throw new UnsupportedOperationException(
"This keystore must be stored using a DomainLoadStoreParameter");
}
/*
* Returns a keystore entry alias and a list of target keystores.
* When the supplied alias prefix identifies a keystore then that single
* keystore is returned. When no alias prefix is supplied then all the
* keystores are returned.
*/
private AbstractMap.SimpleEntry<String, Collection<KeyStore>> getKeystoresForReading(
String alias) {
String[] splits = alias.split(this.entryNameSeparatorRegEx, 2);
if (splits.length == 2) { // prefixed alias
KeyStore keystore = keystores.get(splits[0]);
if (keystore != null) {
return new AbstractMap.SimpleEntry<>(
splits[1], (Collection<KeyStore>) Collections.singleton(keystore));
}
} else if (splits.length == 1) { // unprefixed alias
// Check all keystores for the first occurrence of the alias
return new AbstractMap.SimpleEntry<>(alias, keystores.values());
}
return new AbstractMap.SimpleEntry<>(
"", (Collection<KeyStore>) Collections.<KeyStore>emptyList());
}
/*
* Returns a keystore entry alias and a single target keystore.
* An alias prefix must be supplied.
*/
private AbstractMap.SimpleEntry<String, AbstractMap.SimpleEntry<String, KeyStore>>
getKeystoreForWriting(String alias) {
String[] splits = alias.split(this.entryNameSeparator, 2);
if (splits.length == 2) { // prefixed alias
KeyStore keystore = keystores.get(splits[0]);
if (keystore != null) {
return new AbstractMap.SimpleEntry<>(
splits[1], new AbstractMap.SimpleEntry<>(splits[0], keystore));
}
}
return null;
}
/**
* Retrieves the number of entries in this keystore.
*
* @return the number of entries in this keystore
*/
public int engineSize() {
int size = 0;
try {
for (KeyStore keystore : keystores.values()) {
size += keystore.size();
}
} catch (KeyStoreException e) {
throw new IllegalStateException(e);
}
return size;
}
/**
* Returns the (alias) name of the first keystore entry whose certificate matches the given
* certificate.
*
* <p>This method attempts to match the given certificate with each keystore entry. If the entry
* being considered is a <i>trusted certificate entry</i>, the given certificate is compared to
* that entry's certificate. If the entry being considered is a <i>key entry</i>, the given
* certificate is compared to the first element of that entry's certificate chain (if a chain
* exists).
*
* @param cert the certificate to match with.
* @return the (alias) name of the first entry with matching certificate, or null if no such entry
* exists in this keystore.
*/
public String engineGetCertificateAlias(Certificate cert) {
try {
String alias = null;
for (KeyStore keystore : keystores.values()) {
if ((alias = keystore.getCertificateAlias(cert)) != null) {
break;
}
}
return alias;
} catch (KeyStoreException e) {
throw new IllegalStateException(e);
}
}
/**
* Lists all the alias names of this keystore.
*
* @return enumeration of the alias names
*/
public Enumeration<String> engineAliases() {
final Iterator<Map.Entry<String, KeyStore>> iterator = keystores.entrySet().iterator();
return new Enumeration<String>() {
private int index = 0;
private Map.Entry<String, KeyStore> keystoresEntry = null;
private String prefix = null;
private Enumeration<String> aliases = null;
public boolean hasMoreElements() {
try {
if (aliases == null) {
if (iterator.hasNext()) {
keystoresEntry = iterator.next();
prefix = keystoresEntry.getKey() + entryNameSeparator;
aliases = keystoresEntry.getValue().aliases();
} else {
return false;
}
}
if (aliases.hasMoreElements()) {
return true;
} else {
if (iterator.hasNext()) {
keystoresEntry = iterator.next();
prefix = keystoresEntry.getKey() + entryNameSeparator;
aliases = keystoresEntry.getValue().aliases();
} else {
return false;
}
}
} catch (KeyStoreException e) {
return false;
}
return aliases.hasMoreElements();
}
public String nextElement() {
if (hasMoreElements()) {
return prefix + aliases.nextElement();
}
throw new NoSuchElementException();
}
};
}
@Override
public void engineStore(KeyStore.LoadStoreParameter param)
throws IOException, NoSuchAlgorithmException, CertificateException {
if (param instanceof DomainLoadStoreParameter) {
DomainLoadStoreParameter domainParameter = (DomainLoadStoreParameter) param;
List<KeyStoreBuilderComponents> builders =
getBuilders(domainParameter.getConfiguration(), domainParameter.getProtectionParams());
for (KeyStoreBuilderComponents builder : builders) {
try {
KeyStore.ProtectionParameter pp = builder.protection;
if (!(pp instanceof KeyStore.PasswordProtection)) {
throw new KeyStoreException(
new IllegalArgumentException(
"ProtectionParameter" + " must be a KeyStore.PasswordProtection"));
}
char[] password = ((KeyStore.PasswordProtection) builder.protection).getPassword();
// Store the keystores
KeyStore keystore = keystores.get(builder.name);
try (FileOutputStream stream = new FileOutputStream(builder.file)) {
keystore.store(stream, password);
}
} catch (KeyStoreException e) {
throw new IOException(e);
}
}
} else {
throw new UnsupportedOperationException(
"This keystore must be stored using a " + "DomainLoadStoreParameter");
}
}
/*
* Parse a keystore domain configuration file and associated collection
* of keystore passwords to create a collection of KeyStore.Builder.
*/
private List<KeyStoreBuilderComponents> getBuilders(
URI configuration, Map<String, KeyStore.ProtectionParameter> passwords) throws IOException {
PolicyParser parser = new PolicyParser(true); // expand properties
Collection<PolicyParser.DomainEntry> domains = null;
List<KeyStoreBuilderComponents> builders = new ArrayList<>();
String uriDomain = configuration.getFragment();
try (InputStreamReader configurationReader =
new InputStreamReader(PolicyUtil.getInputStream(configuration.toURL()), "UTF-8")) {
parser.read(configurationReader);
domains = parser.getDomainEntries();
} catch (MalformedURLException mue) {
throw new IOException(mue);
} catch (PolicyParser.ParsingException pe) {
throw new IOException(pe);
}
for (PolicyParser.DomainEntry domain : domains) {
Map<String, String> domainProperties = domain.getProperties();
if (uriDomain != null && (!uriDomain.equalsIgnoreCase(domain.getName()))) {
continue; // skip this domain
}
if (domainProperties.containsKey(ENTRY_NAME_SEPARATOR)) {
this.entryNameSeparator = domainProperties.get(ENTRY_NAME_SEPARATOR);
// escape any regex meta characters
char ch = 0;
StringBuilder s = new StringBuilder();
for (int i = 0; i < this.entryNameSeparator.length(); i++) {
ch = this.entryNameSeparator.charAt(i);
if (REGEX_META.indexOf(ch) != -1) {
s.append('\\');
}
s.append(ch);
}
this.entryNameSeparatorRegEx = s.toString();
}
Collection<PolicyParser.KeyStoreEntry> keystores = domain.getEntries();
for (PolicyParser.KeyStoreEntry keystore : keystores) {
String keystoreName = keystore.getName();
Map<String, String> properties = new HashMap<>(domainProperties);
properties.putAll(keystore.getProperties());
String keystoreType = DEFAULT_KEYSTORE_TYPE;
if (properties.containsKey(KEYSTORE_TYPE)) {
keystoreType = properties.get(KEYSTORE_TYPE);
}
Provider keystoreProvider = null;
if (properties.containsKey(KEYSTORE_PROVIDER_NAME)) {
String keystoreProviderName = properties.get(KEYSTORE_PROVIDER_NAME);
keystoreProvider = Security.getProvider(keystoreProviderName);
if (keystoreProvider == null) {
throw new IOException("Error locating JCE provider: " + keystoreProviderName);
}
}
File keystoreFile = null;
if (properties.containsKey(KEYSTORE_URI)) {
String uri = properties.get(KEYSTORE_URI);
try {
if (uri.startsWith("file://")) {
keystoreFile = new File(new URI(uri));
} else {
keystoreFile = new File(uri);
}
} catch (URISyntaxException | IllegalArgumentException e) {
throw new IOException(
"Error processing keystore property: " + "keystoreURI=\"" + uri + "\"", e);
}
}
KeyStore.ProtectionParameter keystoreProtection = null;
if (passwords.containsKey(keystoreName)) {
keystoreProtection = passwords.get(keystoreName);
} else if (properties.containsKey(KEYSTORE_PASSWORD_ENV)) {
String env = properties.get(KEYSTORE_PASSWORD_ENV);
String pwd = System.getenv(env);
if (pwd != null) {
keystoreProtection = new KeyStore.PasswordProtection(pwd.toCharArray());
} else {
throw new IOException(
"Error processing keystore property: " + "keystorePasswordEnv=\"" + env + "\"");
}
} else {
keystoreProtection = new KeyStore.PasswordProtection(null);
}
builders.add(
new KeyStoreBuilderComponents(
keystoreName, keystoreType, keystoreProvider, keystoreFile, keystoreProtection));
}
break; // skip other domains
}
if (builders.isEmpty()) {
throw new IOException("Error locating domain configuration data " + "for: " + configuration);
}
return builders;
}
