public void testSelfSignedCert() throws Exception {
KeyPair keyPair = createKeyPair(1024, "secret");
// Certificate
String email = "*****@*****.**";
String domain = "tigase.org";
String ou = "XMPP Service";
String o = "Tigase.org";
String l = "Cambourne";
String st = "Cambridgeshire";
String c = "UK";
// System.out.println("Creating self-signed certificate for issuer: " + domain);
X509Certificate cert = createSelfSignedCertificate(email, domain, ou, o, l, st, c, keyPair);
cert.checkValidity();
assertTrue("Checked certificate validty for today - valid", true);
try {
cert.checkValidity(new Date(System.currentTimeMillis() - (1000 * 3600 * 24)));
fail("Checked certificate validty for yesterday - valid");
} catch (CertificateNotYetValidException e) {
assertTrue("Checked certificate validty for yesterday - not valid", true);
}
cert.verify(keyPair.getPublic());
assertTrue("Verified certificate with public key - done", true);
}
private static boolean isCertificateValid(final X509Certificate x509Cert, final int daysFromNow) {
try {
x509Cert.checkValidity();
if (daysFromNow > 0) {
final Date nowPlusDays =
new Date(
System.currentTimeMillis()
+ (new Long(daysFromNow).longValue() * 24l * 60l * 60l * 1000l));
x509Cert.checkValidity(nowPlusDays);
}
} catch (final Exception e) {
return false;
}
return true;
}
public static X509Certificate makeV1Certificate(
KeyPair subKP, String _subDN, KeyPair issKP, String _issDN)
throws GeneralSecurityException, IOException, OperatorCreationException {
PublicKey subPub = subKP.getPublic();
PrivateKey issPriv = issKP.getPrivate();
PublicKey issPub = issKP.getPublic();
X509v1CertificateBuilder v1CertGen =
new JcaX509v1CertificateBuilder(
new X500Name(_issDN),
allocateSerialNumber(),
new Date(System.currentTimeMillis()),
new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 100)),
new X500Name(_subDN),
subPub);
JcaContentSignerBuilder contentSignerBuilder = makeContentSignerBuilder(issPub);
X509Certificate _cert =
new JcaX509CertificateConverter()
.setProvider("SC")
.getCertificate(v1CertGen.build(contentSignerBuilder.build(issPriv)));
_cert.checkValidity(new Date());
_cert.verify(issPub);
return _cert;
}
private static X509Certificate makeCertificate(
KeyPair subKP, String _subDN, KeyPair issKP, String _issDN)
throws GeneralSecurityException, IOException {
PublicKey subPub = subKP.getPublic();
PrivateKey issPriv = issKP.getPrivate();
PublicKey issPub = issKP.getPublic();
X509V3CertificateGenerator v3CertGen = new X509V3CertificateGenerator();
v3CertGen.reset();
v3CertGen.setSerialNumber(BigInteger.valueOf(1));
v3CertGen.setIssuerDN(new X509Name(_issDN));
v3CertGen.setNotBefore(new Date(System.currentTimeMillis()));
v3CertGen.setNotAfter(new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 100)));
v3CertGen.setSubjectDN(new X509Name(_subDN));
v3CertGen.setPublicKey(subPub);
v3CertGen.setSignatureAlgorithm("SHA1WithRSA");
X509Certificate _cert = v3CertGen.generate(issPriv, "SunRsaSign");
_cert.checkValidity(new Date());
_cert.verify(issPub);
return _cert;
}
public static X509Certificate makeCertificate(
KeyPair subKP, String _subDN, KeyPair issKP, String _issDN, boolean _ca)
throws GeneralSecurityException, IOException, OperatorCreationException {
PublicKey subPub = subKP.getPublic();
PrivateKey issPriv = issKP.getPrivate();
PublicKey issPub = issKP.getPublic();
X509v3CertificateBuilder v3CertGen =
new JcaX509v3CertificateBuilder(
new X500Name(_issDN),
allocateSerialNumber(),
new Date(System.currentTimeMillis()),
new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 100)),
new X500Name(_subDN),
subPub);
JcaContentSignerBuilder contentSignerBuilder = makeContentSignerBuilder(issPub);
v3CertGen.addExtension(Extension.subjectKeyIdentifier, false, createSubjectKeyId(subPub));
v3CertGen.addExtension(Extension.authorityKeyIdentifier, false, createAuthorityKeyId(issPub));
v3CertGen.addExtension(Extension.basicConstraints, false, new BasicConstraints(_ca));
X509Certificate _cert =
new JcaX509CertificateConverter()
.setProvider("SC")
.getCertificate(v3CertGen.build(contentSignerBuilder.build(issPriv)));
_cert.checkValidity(new Date());
_cert.verify(issPub);
return _cert;
}
/*
* mini test
*/
public static void main(String[] args) throws Exception {
final CAFactory caFactory = new CAFactory();
final X509Certificate caCert =
caFactory.create("321lfn432oifno", 24, caFactory.createNewKeyPair());
caCert.checkValidity();
System.out.println(caCert.getSubjectDN().toString());
}
/* Cert creation engine */
private static synchronized X509Certificate createX509V3Certificate(
PublicKey pubKey,
PrivateKey privKey,
int ttlMonths,
String issuerDN,
String subjectDN,
long serial,
String signAlgoritm)
throws GeneralSecurityException {
X509V3CertificateGenerator certGenerator = new X509V3CertificateGenerator();
certGenerator.reset();
certGenerator.setSerialNumber(java.math.BigInteger.valueOf(serial));
certGenerator.setIssuerDN(new org.bouncycastle.asn1.x509.X509Name(issuerDN));
certGenerator.setNotBefore(new java.util.Date(System.currentTimeMillis()));
certGenerator.setNotAfter(
new java.util.Date(System.currentTimeMillis() + ttlMonths * (1000L * 60 * 60 * 24 * 30)));
certGenerator.setSubjectDN(new org.bouncycastle.asn1.x509.X509Name(subjectDN));
certGenerator.setPublicKey(pubKey);
certGenerator.setSignatureAlgorithm(signAlgoritm);
X509Certificate cert =
certGenerator.generateX509Certificate(privKey, "BC", new java.security.SecureRandom());
cert.checkValidity(new java.util.Date());
cert.verify(pubKey);
return cert;
}
/**
* @param certBuf
* @return certificate chain
* @throws CertificateException
* @throws IOException
*/
public static X509Certificate[] readCertificateChain(byte[] certBuf)
throws CertificateException, IOException {
BufferedInputStream istream = new BufferedInputStream(new ByteArrayInputStream(certBuf));
CertificateFactory cf = CertificateFactory.getInstance("X.509");
ArrayList<Certificate> certs = new ArrayList<Certificate>();
while (istream.available() > 0) {
Certificate cert = cf.generateCertificate(istream);
// log.debug("found: " + cert);
certs.add(cert);
}
istream.close();
X509Certificate[] chain = new X509Certificate[certs.size()];
Iterator<Certificate> i = certs.iterator();
int c = 0;
while (i.hasNext()) {
X509Certificate x509 = (X509Certificate) i.next();
chain[c++] = x509;
try {
x509.checkValidity();
log.debug("X509 certificate is valid");
} catch (CertificateExpiredException exp) {
log.debug("X509 certificate is expired");
// nothing to be done here
} catch (CertificateException ex) {
throw new RuntimeException("certificate byte array is not valid", ex);
}
}
return chain;
}
public static String getCertificateValidityString(X509Certificate cert, Resources res) {
try {
cert.checkValidity();
} catch (CertificateExpiredException ce) {
return "EXPIRED: ";
} catch (CertificateNotYetValidException cny) {
return "NOT YET VALID: ";
}
Date certNotAfter = cert.getNotAfter();
Date now = new Date();
long timeLeft = certNotAfter.getTime() - now.getTime(); // Time left in ms
// More than 72h left, display days
// More than 3 months display months
if (timeLeft > 90l * 24 * 3600 * 1000) {
long months = getMonthsDifference(now, certNotAfter);
return res.getString(R.string.months_left, months);
} else if (timeLeft > 72 * 3600 * 1000) {
long days = timeLeft / (24 * 3600 * 1000);
return res.getString(R.string.days_left, days);
} else {
long hours = timeLeft / (3600 * 1000);
return res.getString(R.string.hours_left, hours);
}
}
/**
* Checks whether the subject's certificate credentials are valid at a given date. If date is
* missing, current time is used as reference.
*
* @param subject Subject to check
* @param date Date the certificate is verified against. If null, the credentials are verified
* against current time.
* @throws CertificateException Subject has no associated certificate credentials or there is a
* problem with the existing certificate.
* @throws CertificateExpiredException Certificate is expired.
* @throws CertificateNotYetValidException Certificate not valid yet.
*/
public static void validateSubject(Subject subject, Date date)
throws CertificateException, CertificateExpiredException, CertificateNotYetValidException {
if (subject != null) {
Set<X509CertificateChain> certs = subject.getPublicCredentials(X509CertificateChain.class);
if (certs.size() == 0) {
// subject without certs
throw new CertificateException("No certificates associated with subject");
}
X509CertificateChain chain = certs.iterator().next();
for (X509Certificate c : chain.getChain()) {
if (date != null) {
c.checkValidity(date);
} else {
c.checkValidity();
}
}
}
}
/**
* verify that the given certificate successfully handles and confirms the signature associated
* with this signer and, if a signingTime attribute is available, that the certificate was valid
* at the time the signature was generated.
*
* @deprecated use verify(ContentVerifierProvider)
*/
public boolean verify(X509Certificate cert, Provider sigProvider)
throws NoSuchAlgorithmException, CertificateExpiredException, CertificateNotYetValidException,
CMSException {
Time signingTime = getSigningTime();
if (signingTime != null) {
cert.checkValidity(signingTime.getDate());
}
return doVerify(cert.getPublicKey(), sigProvider);
}
/**
* Checks the certificates in a certificate chain: are they valid on a specific date, and do they
* chain up correctly?
*
* @param chain
* @throws GeneralSecurityException
*/
public void verifyChain(Certificate[] chain) throws GeneralSecurityException {
// Loop over the certificates in the chain
for (int i = 0; i < chain.length; i++) {
X509Certificate cert = (X509Certificate) chain[i];
// check if the certificate was/is valid
cert.checkValidity(signDate);
// check if the previous certificate was issued by this certificate
if (i > 0) chain[i - 1].verify(chain[i].getPublicKey());
}
LOGGER.info("All certificates are valid on " + signDate.toString());
}
@Test
public void testCert() throws Exception {
CertificateFactory certFactory = new BcCertificateFactory();
KeyPair keyPair = KeyPairFactory.newRsa2048();
X509Certificate cert = certFactory.newCertificate(keyPair, "study");
String pem = PemUtils.toPem(cert);
assertNotNull(pem);
cert = PemUtils.loadCertificateFromPem(pem);
cert.checkValidity();
cert.verify(keyPair.getPublic(), BcCmsConstants.PROVIDER);
}
/*
* Returns a String to show if the certificate is valid
*/
private String checkValidity(X509Certificate cert) {
try {
cert.checkValidity();
} catch (CertificateExpiredException e) {
return ("\r\n" + Messages.JarVerificationResult_ExpiredCertificate); // $NON-NLS-1$
} catch (CertificateNotYetValidException e) {
return ("\r\n" + Messages.JarVerificationResult_CertificateNotYetValid); // $NON-NLS-1$
}
return ("\r\n" + Messages.JarVerificationResult_CertificateValid); // $NON-NLS-1$
}
/**
* Retrieves displayable information about the certificate with the specified index in the chain.
*
* @param index The index of the certificate to request information on
* @return A list of lists of {@link CertificateInformationEntry}s.
*/
public List<List<CertificateInformationEntry>> getCertificateInfo(final int index) {
final List<List<CertificateInformationEntry>> res =
new ArrayList<List<CertificateInformationEntry>>();
final X509Certificate cert = chain[index];
List<CertificateInformationEntry> group;
boolean tooOld = false, tooNew = false;
try {
cert.checkValidity();
} catch (CertificateExpiredException ex) {
tooOld = true;
} catch (CertificateNotYetValidException ex) {
tooNew = true;
}
group = new ArrayList<CertificateInformationEntry>();
group.add(
new CertificateInformationEntry(
"Valid from", cert.getNotBefore().toString(), tooNew, false));
group.add(
new CertificateInformationEntry("Valid to", cert.getNotAfter().toString(), tooOld, false));
res.add(group);
final boolean wrongName = index == 0 && !manager.isValidHost(cert);
final String names = getAlternateNames(cert);
final Map<String, String> fields = CertificateManager.getDNFieldsFromCert(cert);
group = new ArrayList<CertificateInformationEntry>();
addCertField(fields, group, "Common name", "CN", wrongName);
group.add(
new CertificateInformationEntry(
"Alternate names", names == null ? NOTPRESENT : names, wrongName, names == null));
addCertField(fields, group, "Organisation", "O", false);
addCertField(fields, group, "Unit", "OU", false);
addCertField(fields, group, "Locality", "L", false);
addCertField(fields, group, "State", "ST", false);
addCertField(fields, group, "Country", "C", false);
res.add(group);
group = new ArrayList<CertificateInformationEntry>();
group.add(
new CertificateInformationEntry(
"Serial number", cert.getSerialNumber().toString(), false, false));
group.add(new CertificateInformationEntry("Algorithm", cert.getSigAlgName(), false, false));
group.add(
new CertificateInformationEntry(
"SSL version", String.valueOf(cert.getVersion()), false, false));
res.add(group);
return res;
}
/**
* Return true if the certificate is active<br>
* <br>
* Restituisce true se il certificato è ancora attivo
*
* @return true: if the certificate is active
*/
public boolean getInUse() {
try {
cert.checkValidity();
isInUse = true;
isExpired = false;
} catch (CertificateNotYetValidException ex) {
isInUse = false;
} catch (CertificateExpiredException ex) {
isExpired = true;
}
return isInUse;
}
/** Helper method, which extracts a valid X509 certificate for an end point. */
private X509Certificate getX509CertificateFromEndpointType(EndpointType endpointType) {
try {
String body = endpointType.getCertificate();
String endpointCertificate =
"-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----";
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
X509Certificate cert =
(X509Certificate)
certificateFactory.generateCertificate(
new ByteArrayInputStream(endpointCertificate.getBytes()));
cert.checkValidity();
return cert;
} catch (CertificateException e) {
throw new RuntimeException("Failed to get valid certificate from Endpoint data", e);
}
}
@Override
public boolean isTrusted(final X509Certificate[] chain, String authType)
throws CertificateException {
try {
if (super.isTrusted(chain, authType)) return true;
// check expiration dates
for (X509Certificate x5 : chain) {
try {
x5.checkValidity();
} catch (CertificateExpiredException | CertificateNotYetValidException ce) {
return true;
}
}
} catch (CertificateException e) {
return true; // temporary
}
return false;
}
@Test
public void testTrustStore()
throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException {
File caPem = getTempFile("ca/cert.pem");
KeyStore keystore = createKeyStore();
KeyStoreUtil.updateWithCaPem(keystore, caPem);
Enumeration<String> aliases = keystore.aliases();
String alias = aliases.nextElement();
assertFalse(aliases.hasMoreElements());
assertTrue(alias.contains("ca.test.jolokia.org"));
X509Certificate cert = (X509Certificate) keystore.getCertificate(alias);
cert.checkValidity();
assertTrue(cert.getSubjectDN().getName().contains(CA_CERT_SUBJECT_DN_CN));
RSAPublicKey key = (RSAPublicKey) cert.getPublicKey();
assertEquals(key.getAlgorithm(), "RSA");
}
private void validateCert(Certificate cert, boolean chainPresent) {
if (!(cert instanceof X509Certificate))
throw new IllegalArgumentException("Invalid certificate format. Expected X509 certificate");
try {
((X509Certificate) cert).checkValidity();
} catch (Exception e) {
throw new IllegalArgumentException("Certificate expired or not valid", e);
}
if (!chainPresent) {
PublicKey pubKey = cert.getPublicKey();
try {
cert.verify(pubKey);
} catch (Exception e) {
throw new IllegalArgumentException("No chain given and certificate not self signed", e);
}
}
}
/**
* Load an X509 Cert from a file and add it to the trusted set of certificates in the key store
*
* @return success
* @since 0.8.2, moved from SSLEepGet in 0.9.9
*/
public static boolean addCert(File file, String alias, KeyStore ks) {
InputStream fis = null;
try {
fis = new FileInputStream(file);
CertificateFactory cf = CertificateFactory.getInstance("X.509");
X509Certificate cert = (X509Certificate) cf.generateCertificate(fis);
info(
"Read X509 Certificate from "
+ file.getAbsolutePath()
+ " Issuer: "
+ cert.getIssuerX500Principal()
+ "; Valid From: "
+ cert.getNotBefore()
+ " To: "
+ cert.getNotAfter());
try {
cert.checkValidity();
} catch (CertificateExpiredException cee) {
error("Rejecting expired X509 Certificate: " + file.getAbsolutePath(), cee);
return false;
} catch (CertificateNotYetValidException cnyve) {
error("Rejecting X509 Certificate not yet valid: " + file.getAbsolutePath(), cnyve);
return false;
}
ks.setCertificateEntry(alias, cert);
info("Now trusting X509 Certificate, Issuer: " + cert.getIssuerX500Principal());
} catch (GeneralSecurityException gse) {
error("Error reading X509 Certificate: " + file.getAbsolutePath(), gse);
return false;
} catch (IOException ioe) {
error("Error reading X509 Certificate: " + file.getAbsolutePath(), ioe);
return false;
} finally {
try {
if (fis != null) fis.close();
} catch (IOException foo) {
}
}
return true;
}
private void logAndValidateCertificate() throws ServiceLifecycleException {
// let's log the hostname (CN) and cert expiry from the gateway's public cert to aid in SSL
// debugging
Certificate cert;
try {
cert = as.getCertificateForGateway("gateway-identity");
} catch (AliasServiceException e) {
throw new ServiceLifecycleException(
"Cannot Retreive Gateway SSL Certificate. Server will not start.", e);
}
if (cert != null) {
if (cert instanceof X509Certificate) {
X500Principal x500Principal = ((X509Certificate) cert).getSubjectX500Principal();
X500PrincipalParser parser = new X500PrincipalParser(x500Principal);
log.certificateHostNameForGateway(parser.getCN());
Date notBefore = ((X509Certificate) cert).getNotBefore();
Date notAfter = ((X509Certificate) cert).getNotAfter();
log.certificateValidityPeriod(notBefore, notAfter);
// let's not even start if the current date is not within the validity period for the SSL
// cert
try {
((X509Certificate) cert).checkValidity();
} catch (CertificateExpiredException e) {
throw new ServiceLifecycleException(
"Gateway SSL Certificate is Expired. Server will not start.", e);
} catch (CertificateNotYetValidException e) {
throw new ServiceLifecycleException(
"Gateway SSL Certificate is not yet valid. Server will not start.", e);
}
} else {
throw new ServiceLifecycleException(
"Public certificate for the gateway cannot be found with the alias gateway-identity. Plase check the identity certificate alias.");
}
} else {
throw new ServiceLifecycleException(
"Public certificate for the gateway is not of the expected type of X509Certificate. Something is wrong with the gateway keystore.");
}
}
@Test
public void testKeyStore()
throws IOException, CertificateException, NoSuchAlgorithmException, KeyStoreException,
InvalidKeySpecException, UnrecoverableKeyException {
File serverPem = getTempFile("server/cert.pem");
File keyPem = getTempFile("server/key.pem");
KeyStore keystore = createKeyStore();
KeyStoreUtil.updateWithServerPems(keystore, serverPem, keyPem, "RSA", new char[0]);
Enumeration<String> aliases = keystore.aliases();
String alias = aliases.nextElement();
assertFalse(aliases.hasMoreElements());
assertTrue(alias.contains("server"));
X509Certificate cert = (X509Certificate) keystore.getCertificate(alias);
cert.checkValidity();
assertEquals(cert.getSubjectDN().getName(), SERVER_CERT_SUBJECT_DN);
RSAPrivateCrtKey key = (RSAPrivateCrtKey) keystore.getKey(alias, new char[0]);
assertEquals("RSA", key.getAlgorithm());
RSAPublicKey pubKey = (RSAPublicKey) cert.getPublicKey();
assertEquals("RSA", pubKey.getAlgorithm());
}
/**
* Retrieves the certificate chain that's under question.
*
* @return A list of {@link CertificateChainEntry}s corresponding to the certificate chain being
* questioned.
*/
public List<CertificateChainEntry> getCertificateChain() {
final List<CertificateChainEntry> res = new ArrayList<CertificateChainEntry>();
boolean first = true;
for (X509Certificate cert : chain) {
boolean invalid = first && !manager.isValidHost(cert);
first = false;
try {
cert.checkValidity();
} catch (CertificateException ex) {
invalid |= true;
}
res.add(
new CertificateChainEntry(
CertificateManager.getDNFieldsFromCert(cert).get("CN"),
manager.isTrusted(cert).isTrusted(),
invalid));
}
return res;
}
private static byte[] getX509Zip(User u) throws Exception {
X509Certificate cloudCert = null;
final X509Certificate x509;
String userAccessKey = null;
String userSecretKey = null;
KeyPair keyPair = null;
try {
for (AccessKey k : u.getKeys()) {
if (k.isActive()) {
userAccessKey = k.getAccessKey();
userSecretKey = k.getSecretKey();
}
}
if (userAccessKey == null) {
AccessKey k = u.createKey();
userAccessKey = k.getAccessKey();
userSecretKey = k.getSecretKey();
}
keyPair = Certs.generateKeyPair();
x509 = Certs.generateCertificate(keyPair, u.getName());
x509.checkValidity();
u.addCertificate(x509);
cloudCert = SystemCredentials.lookup(Eucalyptus.class).getCertificate();
} catch (Exception e) {
LOG.fatal(e, e);
throw e;
}
ByteArrayOutputStream byteOut = new ByteArrayOutputStream();
ZipArchiveOutputStream zipOut = new ZipArchiveOutputStream(byteOut);
ZipArchiveEntry entry = null;
String fingerPrint = Certs.getFingerPrint(keyPair.getPublic());
if (fingerPrint != null) {
String baseName =
X509Download.NAME_SHORT
+ "-"
+ u.getName()
+ "-"
+ fingerPrint.replaceAll(":", "").toLowerCase().substring(0, 8);
zipOut.setComment("To setup the environment run: source /path/to/eucarc");
StringBuilder sb = new StringBuilder();
// TODO:GRZE:FIXME velocity
String userNumber = u.getAccount().getAccountNumber();
sb.append("EUCA_KEY_DIR=$(dirname $(readlink -f ${BASH_SOURCE}))");
if (Topology.isEnabled(Eucalyptus.class)) { // GRZE:NOTE: this is temporary
sb.append(
"\nexport EC2_URL=" + ServiceUris.remotePublicify(Topology.lookup(Eucalyptus.class)));
} else {
sb.append("\necho WARN: Eucalyptus URL is not configured. >&2");
ServiceBuilder<? extends ServiceConfiguration> builder =
ServiceBuilders.lookup(Eucalyptus.class);
ServiceConfiguration localConfig =
builder.newInstance(
Internets.localHostAddress(),
Internets.localHostAddress(),
Internets.localHostAddress(),
Eucalyptus.INSTANCE.getPort());
sb.append("\nexport EC2_URL=" + ServiceUris.remotePublicify(localConfig));
}
if (Topology.isEnabled(Walrus.class)) {
ServiceConfiguration walrusConfig = Topology.lookup(Walrus.class);
try {
String uri = ServiceUris.remotePublicify(walrusConfig).toASCIIString();
LOG.debug("Found walrus uri/configuration: uri=" + uri + " config=" + walrusConfig);
sb.append("\nexport S3_URL=" + uri);
} catch (Exception e) {
LOG.error("Failed to set Walrus URL: " + walrusConfig, e);
}
} else {
sb.append("\necho WARN: Walrus URL is not configured. >&2");
}
// Disable notifications for now
// sb.append( "\nexport AWS_SNS_URL=" + ServiceUris.remote( Notifications.class ) );
if (Topology.isEnabled(Euare.class)) { // GRZE:NOTE: this is temporary
sb.append("\nexport EUARE_URL=" + ServiceUris.remotePublicify(Euare.class));
} else {
sb.append("\necho WARN: EUARE URL is not configured. >&2");
}
sb.append("\nexport EC2_PRIVATE_KEY=${EUCA_KEY_DIR}/" + baseName + "-pk.pem");
sb.append("\nexport EC2_CERT=${EUCA_KEY_DIR}/" + baseName + "-cert.pem");
sb.append("\nexport EC2_JVM_ARGS=-Djavax.net.ssl.trustStore=${EUCA_KEY_DIR}/jssecacerts");
sb.append("\nexport EUCALYPTUS_CERT=${EUCA_KEY_DIR}/cloud-cert.pem");
sb.append("\nexport EC2_ACCOUNT_NUMBER='" + u.getAccount().getAccountNumber() + "'");
sb.append("\nexport EC2_ACCESS_KEY='" + userAccessKey + "'");
sb.append("\nexport EC2_SECRET_KEY='" + userSecretKey + "'");
sb.append("\nexport AWS_CREDENTIAL_FILE=${EUCA_KEY_DIR}/iamrc");
sb.append("\nexport EC2_USER_ID='" + userNumber + "'");
sb.append(
"\nalias ec2-bundle-image=\"ec2-bundle-image --cert ${EC2_CERT} --privatekey ${EC2_PRIVATE_KEY} --user ${EC2_ACCOUNT_NUMBER} --ec2cert ${EUCALYPTUS_CERT}\"");
sb.append(
"\nalias ec2-upload-bundle=\"ec2-upload-bundle -a ${EC2_ACCESS_KEY} -s ${EC2_SECRET_KEY} --url ${S3_URL}\"");
sb.append("\n");
zipOut.putArchiveEntry(entry = new ZipArchiveEntry("eucarc"));
entry.setUnixMode(0600);
zipOut.write(sb.toString().getBytes("UTF-8"));
zipOut.closeArchiveEntry();
sb = new StringBuilder();
sb.append("AWSAccessKeyId=").append(userAccessKey).append('\n');
sb.append("AWSSecretKey=").append(userSecretKey);
zipOut.putArchiveEntry(entry = new ZipArchiveEntry("iamrc"));
entry.setUnixMode(0600);
zipOut.write(sb.toString().getBytes("UTF-8"));
zipOut.closeArchiveEntry();
/** write the private key to the zip stream * */
zipOut.putArchiveEntry(entry = new ZipArchiveEntry("cloud-cert.pem"));
entry.setUnixMode(0600);
zipOut.write(PEMFiles.getBytes(cloudCert));
zipOut.closeArchiveEntry();
zipOut.putArchiveEntry(entry = new ZipArchiveEntry("jssecacerts"));
entry.setUnixMode(0600);
KeyStore tempKs = KeyStore.getInstance("jks");
tempKs.load(null);
tempKs.setCertificateEntry("eucalyptus", cloudCert);
ByteArrayOutputStream bos = new ByteArrayOutputStream();
tempKs.store(bos, "changeit".toCharArray());
zipOut.write(bos.toByteArray());
zipOut.closeArchiveEntry();
/** write the private key to the zip stream * */
zipOut.putArchiveEntry(entry = new ZipArchiveEntry(baseName + "-pk.pem"));
entry.setUnixMode(0600);
zipOut.write(PEMFiles.getBytes(keyPair.getPrivate()));
zipOut.closeArchiveEntry();
/** write the X509 certificate to the zip stream * */
zipOut.putArchiveEntry(entry = new ZipArchiveEntry(baseName + "-cert.pem"));
entry.setUnixMode(0600);
zipOut.write(PEMFiles.getBytes(x509));
zipOut.closeArchiveEntry();
}
/** close the zip output stream and return the bytes * */
zipOut.close();
return byteOut.toByteArray();
}
/** {@inheritDoc} */
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
HttpServletRequest rqst = (HttpServletRequest) request;
HttpServletResponse rsp = (HttpServletResponse) response;
if (LOG.isDebugEnabled()) {
StringBuilder b =
new StringBuilder("Request from ")
.append(rqst.getRemoteHost())
.append("/")
.append(rqst.getRemoteAddr())
.append(":")
.append(rqst.getRemotePort());
@SuppressWarnings("unchecked")
Enumeration<String> e = rqst.getAttributeNames();
for (; e.hasMoreElements(); ) {
String attribute = e.nextElement();
b.append("\n " + attribute + " => " + rqst.getAttribute(attribute));
}
X509Certificate[] userCerts =
(X509Certificate[]) rqst.getAttribute("javax.servlet.request.X509Certificate");
if (userCerts != null)
for (X509Certificate cert : userCerts)
b.append(
"\n Client certificate Subject Name is " + cert.getSubjectX500Principal().getName());
b.append("\n The Scheme is " + rqst.getScheme());
b.append("\n The Auth Type is " + rqst.getAuthType());
b.append("\n The Path Info is " + rqst.getPathInfo());
b.append("\n The Translated Path Info is " + rqst.getPathTranslated());
b.append("\n The Context Path is " + rqst.getContextPath());
b.append("\n The Query String is " + rqst.getQueryString());
b.append("\n The Remote User is " + rqst.getRemoteUser());
b.append("\n The User Principal is " + rqst.getUserPrincipal());
b.append("\n The Request URI is " + rqst.getRequestURI());
b.append("\n The Request URL is " + rqst.getRequestURL());
b.append("\n The Servlet Path is " + rqst.getServletPath());
LOG.debug(b.toString());
}
if (rqst.getScheme().equalsIgnoreCase("https")) {
boolean isAuthorized = false;
X509Certificate[] certs =
(X509Certificate[]) rqst.getAttribute("javax.servlet.request.X509Certificate");
if (certs == null || certs.length == 0) {
rsp.sendError(HttpServletResponse.SC_BAD_REQUEST, "No client SSL certificate received");
return;
}
for (X509Certificate cert : certs) {
try {
cert.checkValidity();
} catch (CertificateExpiredException e) {
LOG.info("Received cert for " + cert.getSubjectX500Principal().getName() + " expired");
rsp.sendError(HttpServletResponse.SC_FORBIDDEN, "Certificate expired");
return;
} catch (CertificateNotYetValidException e) {
LOG.info(
"Received cert for "
+ cert.getSubjectX500Principal().getName()
+ " is not yet valid");
rsp.sendError(HttpServletResponse.SC_FORBIDDEN, "Certificate is not yet valid");
return;
}
}
String[] tokens = certs[0].getSubjectX500Principal().getName().split("\\s*,\\s*");
String userID = null;
for (String s : tokens) {
if (s.startsWith("CN=")) {
userID = s;
break;
}
}
if (userID == null || userID.length() < 4) {
LOG.info("Can't retrieve user ID from SSL certificate");
rsp.sendError(
HttpServletResponse.SC_FORBIDDEN, "Can't retrieve user ID from SSL certificate");
return;
}
userID = userID.substring(3);
String servletPath = rqst.getServletPath();
if (HFTP_PATTERN.matcher(servletPath).matches()) {
// request is an HSFTP request
if (FILEPATH_PATTERN.matcher(servletPath).matches()) {
// file path as part of the URL
isAuthorized =
checkPath(userID, certs[0], rqst.getPathInfo() != null ? rqst.getPathInfo() : "/");
} else {
// file path is stored in "filename" parameter
isAuthorized = checkPath(userID, certs[0], rqst.getParameter("filename"));
}
} else if (RELOAD_PATTERN.matcher(servletPath).matches() && checkUser("Admin", certs[0])) {
Configuration conf = new Configuration(false);
conf.addResource("hdfsproxy-default.xml");
Map<String, Set<Path>> permsMap = getPermMap(conf);
Map<String, Set<BigInteger>> certsMap = getCertsMap(conf);
if (permsMap == null || certsMap == null) {
LOG.warn("Permission files reloading failed");
rsp.sendError(
HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Permission files reloading failed");
return;
}
ProxyFilter.permsMap = permsMap;
ProxyFilter.certsMap = certsMap;
LOG.info("User permissions and user certs files reloaded");
rsp.setStatus(HttpServletResponse.SC_OK);
return;
} else if (CLEAR_PATTERN.matcher(servletPath).matches() && checkUser("Admin", certs[0])) {
ProxyUgiManager.clearCache();
LOG.info("Ugi cache cleared");
rsp.setStatus(HttpServletResponse.SC_OK);
return;
}
if (!isAuthorized) {
rsp.sendError(HttpServletResponse.SC_FORBIDDEN, "Unauthorized access");
return;
}
// request is authorized, set ugi for servlets
UnixUserGroupInformation ugi = ProxyUgiManager.getUgiForUser(userID);
if (ugi == null) {
LOG.info("Can't retrieve ugi for user " + userID);
rsp.sendError(
HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Can't retrieve ugi for user " + userID);
return;
}
rqst.setAttribute("authorized.ugi", ugi);
} else { // http request, set ugi for servlets, only for testing purposes
String ugi = rqst.getParameter("ugi");
rqst.setAttribute("authorized.ugi", new UnixUserGroupInformation(ugi.split(",")));
}
chain.doFilter(request, response);
}
