Search in sources :

Example 1 with DistributedKeyStoreImpl

use of com.emc.storageos.security.keystore.impl.DistributedKeyStoreImpl in project coprhd-controller by CoprHD.

the class KeystoreTest method testKeystoreEngine.

@Test
public void testKeystoreEngine() throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException, InterruptedException, UnrecoverableEntryException {
    DistributedKeyStore zookeeperKeystore = new DistributedKeyStoreImpl();
    zookeeperKeystore.init(loadStoreParam);
    // this is in case this test was run previously
    zookeeperKeystore.setTrustedCertificates(null);
    zookeeperKeystore.setKeyCertificatePair(null);
    // test keystore loading
    KeyStore ks = KeyStore.getInstance(SecurityProvider.KEYSTORE_TYPE, new SecurityProvider());
    boolean exceptionThrown = false;
    try {
        ks.load(null, null);
    } catch (SecurityException e) {
        Assert.assertEquals(ServiceCode.SECURITY_ERROR, e.getServiceCode());
        Assert.assertEquals("Could not initialize the keystore. The ViPR keystore can only be initialized with a LoadKeyStoreParam.", e.getMessage());
        exceptionThrown = true;
    }
    Assert.assertTrue(exceptionThrown);
    exceptionThrown = false;
    try {
        ks.load(invalidLoadStoreParam);
    } catch (SecurityException e) {
        Assert.assertEquals(ServiceCode.SECURITY_ERROR, e.getServiceCode());
        Assert.assertEquals("Could not initialize the keystore. The ViPR keystore can only be initialized with a LoadKeyStoreParam.", e.getMessage());
        exceptionThrown = true;
    }
    Assert.assertTrue(exceptionThrown);
    // now it shouldn't throw
    ks.load(loadStoreParam);
    // ////////////////////////////////////////////////////////////////////////
    // /
    // / key tests
    // /
    // ////////////////////////////////////////////////////////////////////////
    // should have by default the ViPR key
    List<String> expectedAliases = new ArrayList<String>();
    expectedAliases.add(KeystoreEngine.ViPR_KEY_AND_CERTIFICATE_ALIAS);
    assertAliasesIn(ks, expectedAliases);
    // update the vipr key using ks.setEntry
    Date beforeDate = new Date();
    KeyCertificateEntry entry = gen.generateKeyCertificatePair();
    KeyStore.PrivateKeyEntry privateKeyEntry = new PrivateKeyEntry(KeyCertificatePairGenerator.loadPrivateKeyFromBytes(entry.getKey()), entry.getCertificateChain());
    KeyStore.PasswordProtection empryProtectionParam = new KeyStore.PasswordProtection("".toCharArray());
    ks.setEntry(KeystoreEngine.ViPR_KEY_AND_CERTIFICATE_ALIAS, privateKeyEntry, new KeyStore.PasswordProtection("123".toCharArray()));
    Date afterDate = new Date();
    assertKeyCertificateEntryEquals(ks, entry);
    assertCreationDateInTImeRange(ks, KeystoreEngine.ViPR_KEY_AND_CERTIFICATE_ALIAS, beforeDate, afterDate);
    // set the key entry using setKeyEntry (there are 2 versions, one with the Key
    // object, and another with byte[] )
    beforeDate = new Date();
    entry = gen.generateKeyCertificatePair();
    ks.setKeyEntry(KeystoreEngine.ViPR_KEY_AND_CERTIFICATE_ALIAS, entry.getKey(), entry.getCertificateChain());
    afterDate = new Date();
    assertKeyCertificateEntryEquals(ks, entry);
    assertCreationDateInTImeRange(ks, KeystoreEngine.ViPR_KEY_AND_CERTIFICATE_ALIAS, beforeDate, afterDate);
    beforeDate = new Date();
    entry = gen.generateKeyCertificatePair();
    ks.setKeyEntry(KeystoreEngine.ViPR_KEY_AND_CERTIFICATE_ALIAS, KeyCertificatePairGenerator.loadPrivateKeyFromBytes(entry.getKey()), "".toCharArray(), entry.getCertificateChain());
    afterDate = new Date();
    assertKeyCertificateEntryEquals(ks, entry);
    assertCreationDateInTImeRange(ks, KeystoreEngine.ViPR_KEY_AND_CERTIFICATE_ALIAS, beforeDate, afterDate);
    // ////////////////////////////////////////////////////////////////////////
    // /
    // / certificates tests
    // /
    // ////////////////////////////////////////////////////////////////////////
    String certAlias = "someCert";
    // add a new trusted certificate using ks.setEntry
    beforeDate = new Date();
    entry = gen.generateKeyCertificatePair();
    KeyStore.TrustedCertificateEntry trustedCertEntry = new KeyStore.TrustedCertificateEntry(entry.getCertificateChain()[0]);
    ks.setEntry(certAlias, trustedCertEntry, null);
    afterDate = new Date();
    expectedAliases.add(certAlias);
    assertAliasesIn(ks, expectedAliases);
    assertTrustedCertEquals(ks, entry, certAlias);
    assertCreationDateInTImeRange(ks, certAlias, beforeDate, afterDate);
    // add a new trusted certificate using ks.setCertificateEntry
    beforeDate = new Date();
    entry = gen.generateKeyCertificatePair();
    certAlias = "someCert1";
    ks.setCertificateEntry(certAlias, entry.getCertificateChain()[0]);
    afterDate = new Date();
    expectedAliases.add(certAlias);
    assertAliasesIn(ks, expectedAliases);
    assertTrustedCertEquals(ks, entry, certAlias);
    assertCreationDateInTImeRange(ks, certAlias, beforeDate, afterDate);
    // remove the trusted certificate entry
    ks.deleteEntry(certAlias);
    expectedAliases.remove(certAlias);
    assertAliasesIn(ks, expectedAliases);
    // ////////////////////////////////////////////////////////////////////////
    // /
    // / Negative testing
    // /
    // ////////////////////////////////////////////////////////////////////////
    String invalidEntryName = "invalidEntry";
    // cannot delete the ViPR key
    exceptionThrown = false;
    try {
        ks.deleteEntry(KeystoreEngine.ViPR_KEY_AND_CERTIFICATE_ALIAS);
    } catch (SecurityException e) {
        Assert.assertEquals(ServiceCode.SECURITY_ERROR, e.getServiceCode());
        Assert.assertEquals("The ViPR key and certificate cannot be deleted, it can only be updated.", e.getMessage());
        exceptionThrown = true;
    } catch (KeyStoreException e) {
        Assert.fail();
    }
    Assert.assertTrue(exceptionThrown);
    assertAliasesIn(ks, expectedAliases);
    entry = gen.generateKeyCertificatePair();
    // try to set a key that is not the vipr key
    // using ks.setEntry
    privateKeyEntry = new PrivateKeyEntry(KeyCertificatePairGenerator.loadPrivateKeyFromBytes(entry.getKey()), entry.getCertificateChain());
    exceptionThrown = false;
    try {
        ks.setEntry(invalidEntryName, privateKeyEntry, empryProtectionParam);
    } catch (SecurityException e) {
        Assert.assertEquals(ServiceCode.SECURITY_ERROR, e.getServiceCode());
        Assert.assertEquals("Cannot update any key and certificate entry except for the ViPR key and certificate.", e.getMessage());
        exceptionThrown = true;
    }
    Assert.assertTrue(exceptionThrown);
    assertAliasesIn(ks, expectedAliases);
    // using ks.setKey which accepts byte[]
    try {
        ks.setKeyEntry(invalidEntryName, entry.getKey(), entry.getCertificateChain());
    } catch (SecurityException e) {
        Assert.assertEquals(ServiceCode.SECURITY_ERROR, e.getServiceCode());
        Assert.assertEquals("Cannot update any key and certificate entry except for the ViPR key and certificate.", e.getMessage());
        exceptionThrown = true;
    }
    Assert.assertTrue(exceptionThrown);
    assertAliasesIn(ks, expectedAliases);
    // using ks.setKey which accepts Key object
    try {
        ks.setKeyEntry(invalidEntryName, KeyCertificatePairGenerator.loadPrivateKeyFromBytes(entry.getKey()), "".toCharArray(), entry.getCertificateChain());
    } catch (SecurityException e) {
        Assert.assertEquals(ServiceCode.SECURITY_ERROR, e.getServiceCode());
        Assert.assertEquals("Cannot update any key and certificate entry except for the ViPR key and certificate.", e.getMessage());
        exceptionThrown = true;
    }
    Assert.assertTrue(exceptionThrown);
    assertAliasesIn(ks, expectedAliases);
    // try getting an invalid entry
    Assert.assertFalse(ks.containsAlias(invalidEntryName));
    Assert.assertFalse(ks.entryInstanceOf(invalidEntryName, KeyStore.TrustedCertificateEntry.class));
    Assert.assertFalse(ks.entryInstanceOf(invalidEntryName, KeyStore.PrivateKeyEntry.class));
    Assert.assertFalse(ks.entryInstanceOf(invalidEntryName, KeyStore.SecretKeyEntry.class));
    Assert.assertFalse(ks.isCertificateEntry(invalidEntryName));
    Assert.assertFalse(ks.isKeyEntry(invalidEntryName));
    Assert.assertNull(ks.getCertificate(invalidEntryName));
    Assert.assertNull(ks.getCertificateAlias(entry.getCertificateChain()[0]));
    Assert.assertNull(ks.getCertificateChain(invalidEntryName));
    Assert.assertNull(ks.getCreationDate(invalidEntryName));
    Assert.assertNull(ks.getEntry(invalidEntryName, empryProtectionParam));
    Assert.assertNull(ks.getKey(invalidEntryName, "".toCharArray()));
    // try to delete an entry that does not exist
    exceptionThrown = false;
    try {
        ks.deleteEntry(invalidEntryName);
    } catch (SecurityException e) {
        Assert.fail();
    } catch (KeyStoreException e) {
        exceptionThrown = true;
        Assert.assertEquals("The specified alias " + invalidEntryName + " does not exist", e.getMessage());
    }
    Assert.assertTrue(exceptionThrown);
}
Also used : ArrayList(java.util.ArrayList) SecurityException(com.emc.storageos.security.exceptions.SecurityException) KeyStoreException(java.security.KeyStoreException) KeyStore(java.security.KeyStore) Date(java.util.Date) KeyCertificateEntry(com.emc.storageos.security.keystore.impl.KeyCertificateEntry) PrivateKeyEntry(java.security.KeyStore.PrivateKeyEntry) TrustedCertificateEntry(com.emc.storageos.security.keystore.impl.TrustedCertificateEntry) DistributedKeyStoreImpl(com.emc.storageos.security.keystore.impl.DistributedKeyStoreImpl) SecurityProvider(com.emc.storageos.security.keystore.impl.SecurityProvider) PrivateKeyEntry(java.security.KeyStore.PrivateKeyEntry) Test(org.junit.Test)

Example 2 with DistributedKeyStoreImpl

use of com.emc.storageos.security.keystore.impl.DistributedKeyStoreImpl in project coprhd-controller by CoprHD.

the class KeystoreTest method testZookeeperKeystore.

@Test
public void testZookeeperKeystore() throws IOException {
    DistributedKeyStore zookeeperKeystore = new DistributedKeyStoreImpl();
    boolean exceptionThrown = false;
    try {
        zookeeperKeystore.init(invalidLoadStoreParam);
    } catch (SecurityException e) {
        exceptionThrown = true;
    }
    Assert.assertTrue(exceptionThrown);
    zookeeperKeystore.init(loadStoreParam);
    // this is in case this test was run previously
    zookeeperKeystore.setTrustedCertificates(null);
    KeyCertificateEntry origEntry = gen.generateKeyCertificatePair();
    origEntry.setCreationDate(new Date());
    zookeeperKeystore.setKeyCertificatePair(origEntry);
    KeyCertificateEntry storedEntry = zookeeperKeystore.getKeyCertificatePair();
    assertKeyCertificateEntriesEquals(origEntry, storedEntry);
    origEntry = gen.generateKeyCertificatePair();
    TrustedCertificateEntry origCertEntry = new TrustedCertificateEntry(origEntry.getCertificateChain()[0], new Date());
    Map<String, TrustedCertificateEntry> origCertEntries = new HashMap<String, TrustedCertificateEntry>();
    origCertEntries.put("trustedCert1", origCertEntry);
    zookeeperKeystore.addTrustedCertificate("trustedCert1", origCertEntry);
    origEntry = gen.generateKeyCertificatePair();
    origCertEntry = new TrustedCertificateEntry(origEntry.getCertificateChain()[0], new Date());
    origCertEntries.put("trustedCert2", origCertEntry);
    zookeeperKeystore.addTrustedCertificate("trustedCert2", origCertEntry);
    assertTrustedCertsEquals(origCertEntries, zookeeperKeystore.getTrustedCertificates());
    origEntry = gen.generateKeyCertificatePair();
    origCertEntry = new TrustedCertificateEntry(origEntry.getCertificateChain()[0], new Date());
    origCertEntries.put("trustedCert3", origCertEntry);
    zookeeperKeystore.setTrustedCertificates(origCertEntries);
    assertTrustedCertsEquals(origCertEntries, zookeeperKeystore.getTrustedCertificates());
    origCertEntries.remove("trustedCert3");
    zookeeperKeystore.setTrustedCertificates(origCertEntries);
    assertTrustedCertsEquals(origCertEntries, zookeeperKeystore.getTrustedCertificates());
    origCertEntries.remove("trustedCert2");
    zookeeperKeystore.removeTrustedCertificate("trustedCert2");
    assertTrustedCertsEquals(origCertEntries, zookeeperKeystore.getTrustedCertificates());
    zookeeperKeystore.removeTrustedCertificate("trustedCert10");
}
Also used : DistributedKeyStoreImpl(com.emc.storageos.security.keystore.impl.DistributedKeyStoreImpl) HashMap(java.util.HashMap) SecurityException(com.emc.storageos.security.exceptions.SecurityException) KeyCertificateEntry(com.emc.storageos.security.keystore.impl.KeyCertificateEntry) Date(java.util.Date) TrustedCertificateEntry(com.emc.storageos.security.keystore.impl.TrustedCertificateEntry) Test(org.junit.Test)

Example 3 with DistributedKeyStoreImpl

use of com.emc.storageos.security.keystore.impl.DistributedKeyStoreImpl in project coprhd-controller by CoprHD.

the class TrustManagerTest method testCheckServerTrusted.

@Test
public void testCheckServerTrusted() throws Exception {
    DistributedKeyStore zookeeperKeystore = new DistributedKeyStoreImpl();
    zookeeperKeystore.init(loadStoreParam);
    zookeeperKeystore.setTrustedCertificates(null);
    KeyStoreUtil.setAcceptAllCertificates(zkhHelper, Boolean.FALSE);
    ViPRX509TrustManager tm = new ViPRX509TrustManager(coordinatorClient);
    KeyCertificatePairGenerator gen = new KeyCertificatePairGenerator();
    gen.setKeyCertificateAlgorithmValuesHolder(new KeyCertificateAlgorithmValuesHolder(coordinatorClient));
    KeyCertificateEntry entry = gen.generateKeyCertificatePair();
    X509Certificate[] chainToVerify = new X509Certificate[] { (X509Certificate) entry.getCertificateChain()[0] };
    boolean exceptionThrown = false;
    try {
        tm.checkServerTrusted(chainToVerify, "RSA_EXPORT");
    } catch (CertificateException e) {
        exceptionThrown = true;
    }
    Assert.assertTrue(exceptionThrown);
    TrustedCertificateEntry trustedCert = new TrustedCertificateEntry(entry.getCertificateChain()[0], new Date());
    zookeeperKeystore.addTrustedCertificate("someAlias", trustedCert);
    // creating a new instance since trust manager caches all the certs
    tm = new ViPRX509TrustManager(coordinatorClient);
    try {
        tm.checkServerTrusted(chainToVerify, "RSA_EXPORT");
    } catch (CertificateException e) {
        Assert.fail();
    }
    KeyStoreUtil.setAcceptAllCertificates(zkhHelper, Boolean.TRUE);
    entry = gen.generateKeyCertificatePair();
    chainToVerify = new X509Certificate[] { (X509Certificate) entry.getCertificateChain()[0] };
    try {
        tm.checkServerTrusted(chainToVerify, "RSA_EXPORT");
    } catch (CertificateException e) {
        Assert.fail();
    }
}
Also used : KeyCertificateAlgorithmValuesHolder(com.emc.storageos.security.keystore.impl.KeyCertificateAlgorithmValuesHolder) DistributedKeyStoreImpl(com.emc.storageos.security.keystore.impl.DistributedKeyStoreImpl) KeyCertificatePairGenerator(com.emc.storageos.security.keystore.impl.KeyCertificatePairGenerator) CertificateException(java.security.cert.CertificateException) ViPRX509TrustManager(com.emc.storageos.security.ssl.ViPRX509TrustManager) KeyCertificateEntry(com.emc.storageos.security.keystore.impl.KeyCertificateEntry) X509Certificate(java.security.cert.X509Certificate) Date(java.util.Date) TrustedCertificateEntry(com.emc.storageos.security.keystore.impl.TrustedCertificateEntry) Test(org.junit.Test)

Aggregations

DistributedKeyStoreImpl (com.emc.storageos.security.keystore.impl.DistributedKeyStoreImpl)3 KeyCertificateEntry (com.emc.storageos.security.keystore.impl.KeyCertificateEntry)3 TrustedCertificateEntry (com.emc.storageos.security.keystore.impl.TrustedCertificateEntry)3 Date (java.util.Date)3 Test (org.junit.Test)3 SecurityException (com.emc.storageos.security.exceptions.SecurityException)2 KeyCertificateAlgorithmValuesHolder (com.emc.storageos.security.keystore.impl.KeyCertificateAlgorithmValuesHolder)1 KeyCertificatePairGenerator (com.emc.storageos.security.keystore.impl.KeyCertificatePairGenerator)1 SecurityProvider (com.emc.storageos.security.keystore.impl.SecurityProvider)1 ViPRX509TrustManager (com.emc.storageos.security.ssl.ViPRX509TrustManager)1 KeyStore (java.security.KeyStore)1 PrivateKeyEntry (java.security.KeyStore.PrivateKeyEntry)1 KeyStoreException (java.security.KeyStoreException)1 CertificateException (java.security.cert.CertificateException)1 X509Certificate (java.security.cert.X509Certificate)1 ArrayList (java.util.ArrayList)1 HashMap (java.util.HashMap)1