/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.felix.karaf.jaas.config.impl;
import java.io.BufferedInputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.net.URL;
import java.net.URI;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.felix.karaf.jaas.config.KeystoreInstance;
import org.apache.felix.karaf.jaas.config.KeystoreIsLocked;
/**
*
*/
public class ResourceKeystoreInstance implements KeystoreInstance {
private static final Log LOG = LogFactory.getLog(ResourceKeystoreInstance.class);
private static final String JKS = "JKS";
private String name;
private int rank;
private URL path;
private String keystorePassword;
private Map keyPasswords = new HashMap();
private File keystoreFile; // Only valid after startup and if the resource points to a file
// The following variables are the state of the keystore, which should be chucked if the file on disk changes
private List privateKeys = new ArrayList();
private List trustCerts = new ArrayList();
private KeyStore keystore;
private long keystoreReadDate = Long.MIN_VALUE;
/**
* @return the keystoreName
*/
public String getName() {
return name;
}
/**
* @param keystoreName the keystoreName to set
*/
public void setName(String keystoreName) {
this.name = keystoreName;
}
/**
* @return the rank
*/
public int getRank() {
return rank;
}
/**
* @param rank the rank to set
*/
public void setRank(int rank) {
this.rank = rank;
}
/**
* @return the keystorePath
*/
public URL getPath() {
return path;
}
/**
* @param keystorePath the keystorePath to set
*/
public void setPath(URL keystorePath) throws IOException {
this.path = keystorePath;
if (keystorePath.getProtocol().equals("file")) {
URI uri = URI.create(keystorePath.toString().replace(" ", "%20"));
this.keystoreFile = new File(uri.getSchemeSpecificPart());
}
}
/**
* @param keystorePassword the keystorePassword to set
*/
public void setKeystorePassword(String keystorePassword) {
this.keystorePassword = keystorePassword;
}
/**
* @param keyPasswords the keyPasswords to set
*/
public void setKeyPasswords(String keyPasswords) {
if (keyPasswords != null) {
String[] keys = keyPasswords.split("\\]\\!\\[");
for (int i = 0; i < keys.length; i++) {
String key = keys[i];
int pos = key.indexOf('=');
this.keyPasswords.put(key.substring(0, pos), key.substring(pos + 1).toCharArray());
}
}
}
public Certificate getCertificate(String alias) {
if (!loadKeystoreData()) {
return null;
}
try {
return keystore.getCertificate(alias);
} catch (KeyStoreException e) {
LOG.error("Unable to read certificate from keystore", e);
}
return null;
}
public String getCertificateAlias(Certificate cert) {
if (!loadKeystoreData()) {
return null;
}
try {
return keystore.getCertificateAlias(cert);
} catch (KeyStoreException e) {
LOG.error("Unable to read retrieve alias for given certificate from keystore", e);
}
return null;
}
public Certificate[] getCertificateChain(String alias) {
if (!loadKeystoreData()) {
return null;
}
try {
return keystore.getCertificateChain(alias);
} catch (KeyStoreException e) {
LOG.error("Unable to read certificate chain from keystore", e);
}
return null;
}
public KeyManager[] getKeyManager(String algorithm, String keyAlias) throws KeystoreIsLocked,
NoSuchAlgorithmException, KeyStoreException, UnrecoverableKeyException {
if (isKeystoreLocked()) {
throw new KeystoreIsLocked("Keystore '" + name + "' is locked.");
}
if (!loadKeystoreData()) {
return null;
}
KeyManagerFactory keyFactory = KeyManagerFactory.getInstance(algorithm);
keyFactory.init(keystore, (char[]) keyPasswords.get(keyAlias));
return keyFactory.getKeyManagers();
}
public PrivateKey getPrivateKey(String alias) {
if (!loadKeystoreData()) {
return null;
}
try {
if (isKeyLocked(alias)) {
return null;
}
Key key = keystore.getKey(alias, (char[]) keyPasswords.get(alias));
if (key instanceof PrivateKey) {
return (PrivateKey) key;
}
} catch (KeyStoreException e) {
LOG.error("Unable to read private key from keystore", e);
} catch (NoSuchAlgorithmException e) {
LOG.error("Unable to read private key from keystore", e);
} catch (UnrecoverableKeyException e) {
LOG.error("Unable to read private key from keystore", e);
}
return null;
}
public TrustManager[] getTrustManager(String algorithm) throws KeyStoreException,
NoSuchAlgorithmException, KeystoreIsLocked {
if (isKeystoreLocked()) {
throw new KeystoreIsLocked("Keystore '" + name + "' is locked.");
}
if (!loadKeystoreData()) {
return null;
}
TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(algorithm);
trustFactory.init(keystore);
return trustFactory.getTrustManagers();
}
public boolean isKeyLocked(String keyAlias) {
return keyPasswords.get(keyAlias) == null;
}
public boolean isKeystoreLocked() {
return keystorePassword == null;
}
public String[] listPrivateKeys() {
if (!loadKeystoreData()) {
return null;
}
return (String[]) privateKeys.toArray(new String[privateKeys.size()]);
}
public String[] listTrustCertificates() {
if (!loadKeystoreData()) {
return null;
}
return (String[]) trustCerts.toArray(new String[trustCerts.size()]);
}
// ==================== Internals =====================
private boolean loadKeystoreData() {
// Check to reload the data if needed
if (keystoreFile != null && keystoreReadDate >= keystoreFile.lastModified()) {
return true;
}
// If not a file, just not reload the data if it has already been loaded
if (keystoreFile == null && keystore != null) {
return true;
}
// Check if the file is invalid
if (keystoreFile != null && (!keystoreFile.exists() || !keystoreFile.canRead())) {
throw new IllegalArgumentException("Invalid keystore file (" + path + " = " + keystoreFile.getAbsolutePath() + ")");
}
// Load the keystore data
try {
keystoreReadDate = System.currentTimeMillis();
privateKeys.clear();
trustCerts.clear();
if (keystore == null) {
keystore = KeyStore.getInstance(JKS);
}
InputStream in = new BufferedInputStream(path.openStream());
keystore.load(in, keystorePassword == null ? new char[0] : keystorePassword.toCharArray());
in.close();
Enumeration aliases = keystore.aliases();
while (aliases.hasMoreElements()) {
String alias = (String) aliases.nextElement();
if (keystore.isKeyEntry(alias)) {
privateKeys.add(alias);
} else if (keystore.isCertificateEntry(alias)) {
trustCerts.add(alias);
}
}
return true;
} catch (KeyStoreException e) {
LOG.error("Unable to open keystore with provided password", e);
} catch (IOException e) {
LOG.error("Unable to open keystore with provided password", e);
} catch (NoSuchAlgorithmException e) {
LOG.error("Unable to open keystore with provided password", e);
} catch (CertificateException e) {
LOG.error("Unable to open keystore with provided password", e);
}
return false;
}
}