/** Shared message for failures that usually mean the master secret does not open the keystore. */
private static final String KEYSTORE_NOT_LOADED_MESSAGE =
    "Keystore was not loaded properly - the provided (or persisted) master secret may not match the password for the keystore.";

/**
 * Provisions the gateway credential store and identity keystore (creating them on first start)
 * and captures the SSL-related settings from the gateway configuration.
 *
 * @param config the gateway configuration
 * @param options provider options; not consulted by this implementation
 * @throws ServiceLifecycleException if a store cannot be loaded or created, or if the gateway
 *         identity passphrase cannot be read from the credential store
 */
@Override
public void init(GatewayConfig config, Map<String, String> options) throws ServiceLifecycleException {
  // JSSE/security system properties have to be in place before any SSL context is built.
  System.setProperty(EPHEMERAL_DH_KEY_SIZE_PROPERTY, config.getEphemeralDHKeySize());

  provisionGatewayCredentialStore();
  provisionGatewayIdentityKeystore();

  keystoreType = config.getKeystoreType();
  sslExcludeProtocols = config.getExcludedSSLProtocols();
  clientAuthNeeded = config.isClientAuthNeeded();
  truststorePath = config.getTruststorePath();
  trustAllCerts = config.getTrustAllCerts();
  trustStoreType = config.getTruststoreType();
}

/** Creates the gateway credential store unless one already exists. */
private void provisionGatewayCredentialStore() throws ServiceLifecycleException {
  try {
    if (ks.isCredentialStoreForClusterAvailable(GATEWAY_CREDENTIAL_STORE_NAME)) {
      log.credentialStoreForGatewayFoundNotCreating();
    } else {
      log.creatingCredentialStoreForGateway();
      ks.createCredentialStoreForCluster(GATEWAY_CREDENTIAL_STORE_NAME);
      // A separate key passphrase is deliberately no longer generated by default. Deployments
      // that want one add the GATEWAY_IDENTITY_PASSPHRASE alias explicitly through the CLI.
    }
  } catch (KeystoreServiceException e) {
    throw new ServiceLifecycleException(KEYSTORE_NOT_LOADED_MESSAGE, e);
  }
}

/**
 * Creates the gateway identity keystore with a self-signed certificate unless one already
 * exists, then logs and validates the resulting certificate.
 */
private void provisionGatewayIdentityKeystore() throws ServiceLifecycleException {
  try {
    if (ks.isKeystoreForGatewayAvailable()) {
      log.keyStoreForGatewayFoundNotCreating();
    } else {
      log.creatingKeyStoreForGateway();
      ks.createKeystoreForGateway();

      char[] keyPassphrase;
      try {
        keyPassphrase = as.getGatewayIdentityPassphrase();
      } catch (AliasServiceException e) {
        throw new ServiceLifecycleException("Error accessing credential store for the gateway.", e);
      }
      // Without an explicit identity passphrase the key is protected by the master secret.
      if (keyPassphrase == null) {
        keyPassphrase = ms.getMasterSecret();
      }
      ks.addSelfSignedCertForGateway("gateway-identity", keyPassphrase);
    }
    logAndValidateCertificate();
  } catch (KeystoreServiceException e) {
    throw new ServiceLifecycleException(KEYSTORE_NOT_LOADED_MESSAGE, e);
  }
}
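/**
 * Verifies the signature of a JWT against the public key of the gateway identity certificate.
 * <p>
 * Nothing beyond {@code token.verify(...)} is evaluated here; callers that need claim checks
 * (expiry, audience, issuer) must perform them separately.
 *
 * @param token the token whose signature is checked
 * @return {@code true} if the signature verifies against the gateway identity key
 * @throws TokenServiceException if the gateway keystore cannot be accessed, the
 *         {@code gateway-identity} certificate is missing, or its key is not an RSA key
 */
@Override
public boolean verifyToken(JWTToken token) throws TokenServiceException {
  boolean rc;
  try {
    // KeyStore.getCertificate returns null for an unknown alias; turn that into a service
    // error rather than the NullPointerException the original call chain produced.
    java.security.cert.Certificate cert =
        ks.getKeystoreForGateway().getCertificate("gateway-identity");
    if (cert == null) {
      throw new TokenServiceException("Cannot verify token: gateway identity certificate not found.");
    }
    PublicKey key = cert.getPublicKey();
    // RSASSAVerifier needs an RSA key; an unchecked cast would surface as ClassCastException.
    if (!(key instanceof RSAPublicKey)) {
      throw new TokenServiceException("Cannot verify token: gateway identity key is not an RSA key.");
    }
    JWSVerifier verifier = new RSASSAVerifier((RSAPublicKey) key);
    // TODO: pick the verification key from the token's issuer claim (and consider JWK) instead
    // of always using the gateway identity key.
    rc = token.verify(verifier);
  } catch (KeyStoreException e) {
    throw new TokenServiceException("Cannot verify token.", e);
  } catch (KeystoreServiceException e) {
    throw new TokenServiceException("Cannot verify token.", e);
  }
  return rc;
}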
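/**
 * Issues a signed JWT for the given principal.
 * <p>
 * The token carries four claims in this order: the fixed issuer {@code "HSSO"}, the principal
 * name, the audience (defaulting to {@code "HSSO"} when {@code null}) and the expiry timestamp.
 *
 * @param p the authenticated principal the token is issued for
 * @param audience the intended audience, or {@code null} for the default {@code "HSSO"}
 * @param algorithm the JWS algorithm; only {@code "RS256"} is supported
 * @param expires expiry as epoch milliseconds, or {@code -1} for 30 seconds from now
 * @return the signed token; never an unsigned one
 * @throws TokenServiceException if the algorithm is unsupported, the identity passphrase cannot
 *         be read from the credential store, or the signing key cannot be loaded
 */
@Override
public JWTToken issueToken(Principal p, String audience, String algorithm, long expires)
    throws TokenServiceException {
  // The original fell through and returned null for any other algorithm, leaving callers to
  // dereference it; an unsupported algorithm is a caller error and is reported as such.
  if (!"RS256".equals(algorithm)) {
    throw new TokenServiceException("Cannot issue token: unsupported signing algorithm " + algorithm);
  }

  String[] claimArray = new String[4];
  claimArray[0] = "HSSO";
  claimArray[1] = p.getName();
  claimArray[2] = audience == null ? "HSSO" : audience;
  // TODO: make the default validity period configurable
  claimArray[3] = expires == -1
      ? Long.toString(System.currentTimeMillis() + 30000)
      : String.valueOf(expires);

  JWTToken token = new JWTToken("RS256", claimArray);

  char[] passphrase;
  try {
    passphrase = as.getGatewayIdentityPassphrase();
  } catch (AliasServiceException e) {
    throw new TokenServiceException(e);
  }
  try {
    // NOTE(review): a null passphrase is passed straight through here, whereas init() falls
    // back to the master secret in that case — confirm getKeyForGateway handles null itself.
    RSAPrivateKey key = (RSAPrivateKey) ks.getKeyForGateway("gateway-identity", passphrase);
    JWSSigner signer = new RSASSASigner(key);
    token.sign(signer);
  } catch (KeystoreServiceException e) {
    // Previously logged to stderr and returned the token unsigned; a token that could not be
    // signed must never be handed out.
    throw new TokenServiceException("Cannot issue token: unable to load the gateway signing key.", e);
  }
  return token;
}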