use of com.emc.storageos.security.keystore.impl.DistributedKeyStoreImpl in project coprhd-controller by CoprHD.
the class KeystoreTest method testKeystoreEngine.
@Test
public void testKeystoreEngine() throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException, InterruptedException, UnrecoverableEntryException {
DistributedKeyStore zookeeperKeystore = new DistributedKeyStoreImpl();
zookeeperKeystore.init(loadStoreParam);
// this is in case this test was run previously
zookeeperKeystore.setTrustedCertificates(null);
zookeeperKeystore.setKeyCertificatePair(null);
// test keystore loading
KeyStore ks = KeyStore.getInstance(SecurityProvider.KEYSTORE_TYPE, new SecurityProvider());
boolean exceptionThrown = false;
try {
ks.load(null, null);
} catch (SecurityException e) {
Assert.assertEquals(ServiceCode.SECURITY_ERROR, e.getServiceCode());
Assert.assertEquals("Could not initialize the keystore. The ViPR keystore can only be initialized with a LoadKeyStoreParam.", e.getMessage());
exceptionThrown = true;
}
Assert.assertTrue(exceptionThrown);
exceptionThrown = false;
try {
ks.load(invalidLoadStoreParam);
} catch (SecurityException e) {
Assert.assertEquals(ServiceCode.SECURITY_ERROR, e.getServiceCode());
Assert.assertEquals("Could not initialize the keystore. The ViPR keystore can only be initialized with a LoadKeyStoreParam.", e.getMessage());
exceptionThrown = true;
}
Assert.assertTrue(exceptionThrown);
// now it shouldn't throw
ks.load(loadStoreParam);
// ////////////////////////////////////////////////////////////////////////
// /
// / key tests
// /
// ////////////////////////////////////////////////////////////////////////
// should have by default the ViPR key
List<String> expectedAliases = new ArrayList<String>();
expectedAliases.add(KeystoreEngine.ViPR_KEY_AND_CERTIFICATE_ALIAS);
assertAliasesIn(ks, expectedAliases);
// update the vipr key using ks.setEntry
Date beforeDate = new Date();
KeyCertificateEntry entry = gen.generateKeyCertificatePair();
KeyStore.PrivateKeyEntry privateKeyEntry = new PrivateKeyEntry(KeyCertificatePairGenerator.loadPrivateKeyFromBytes(entry.getKey()), entry.getCertificateChain());
KeyStore.PasswordProtection empryProtectionParam = new KeyStore.PasswordProtection("".toCharArray());
ks.setEntry(KeystoreEngine.ViPR_KEY_AND_CERTIFICATE_ALIAS, privateKeyEntry, new KeyStore.PasswordProtection("123".toCharArray()));
Date afterDate = new Date();
assertKeyCertificateEntryEquals(ks, entry);
assertCreationDateInTImeRange(ks, KeystoreEngine.ViPR_KEY_AND_CERTIFICATE_ALIAS, beforeDate, afterDate);
// set the key entry using setKeyEntry (there are 2 versions, one with the Key
// object, and another with byte[] )
beforeDate = new Date();
entry = gen.generateKeyCertificatePair();
ks.setKeyEntry(KeystoreEngine.ViPR_KEY_AND_CERTIFICATE_ALIAS, entry.getKey(), entry.getCertificateChain());
afterDate = new Date();
assertKeyCertificateEntryEquals(ks, entry);
assertCreationDateInTImeRange(ks, KeystoreEngine.ViPR_KEY_AND_CERTIFICATE_ALIAS, beforeDate, afterDate);
beforeDate = new Date();
entry = gen.generateKeyCertificatePair();
ks.setKeyEntry(KeystoreEngine.ViPR_KEY_AND_CERTIFICATE_ALIAS, KeyCertificatePairGenerator.loadPrivateKeyFromBytes(entry.getKey()), "".toCharArray(), entry.getCertificateChain());
afterDate = new Date();
assertKeyCertificateEntryEquals(ks, entry);
assertCreationDateInTImeRange(ks, KeystoreEngine.ViPR_KEY_AND_CERTIFICATE_ALIAS, beforeDate, afterDate);
// ////////////////////////////////////////////////////////////////////////
// /
// / certificates tests
// /
// ////////////////////////////////////////////////////////////////////////
String certAlias = "someCert";
// add a new trusted certificate using ks.setEntry
beforeDate = new Date();
entry = gen.generateKeyCertificatePair();
KeyStore.TrustedCertificateEntry trustedCertEntry = new KeyStore.TrustedCertificateEntry(entry.getCertificateChain()[0]);
ks.setEntry(certAlias, trustedCertEntry, null);
afterDate = new Date();
expectedAliases.add(certAlias);
assertAliasesIn(ks, expectedAliases);
assertTrustedCertEquals(ks, entry, certAlias);
assertCreationDateInTImeRange(ks, certAlias, beforeDate, afterDate);
// add a new trusted certificate using ks.setCertificateEntry
beforeDate = new Date();
entry = gen.generateKeyCertificatePair();
certAlias = "someCert1";
ks.setCertificateEntry(certAlias, entry.getCertificateChain()[0]);
afterDate = new Date();
expectedAliases.add(certAlias);
assertAliasesIn(ks, expectedAliases);
assertTrustedCertEquals(ks, entry, certAlias);
assertCreationDateInTImeRange(ks, certAlias, beforeDate, afterDate);
// remove the trusted certificate entry
ks.deleteEntry(certAlias);
expectedAliases.remove(certAlias);
assertAliasesIn(ks, expectedAliases);
// ////////////////////////////////////////////////////////////////////////
// /
// / Negative testing
// /
// ////////////////////////////////////////////////////////////////////////
String invalidEntryName = "invalidEntry";
// cannot delete the ViPR key
exceptionThrown = false;
try {
ks.deleteEntry(KeystoreEngine.ViPR_KEY_AND_CERTIFICATE_ALIAS);
} catch (SecurityException e) {
Assert.assertEquals(ServiceCode.SECURITY_ERROR, e.getServiceCode());
Assert.assertEquals("The ViPR key and certificate cannot be deleted, it can only be updated.", e.getMessage());
exceptionThrown = true;
} catch (KeyStoreException e) {
Assert.fail();
}
Assert.assertTrue(exceptionThrown);
assertAliasesIn(ks, expectedAliases);
entry = gen.generateKeyCertificatePair();
// try to set a key that is not the vipr key
// using ks.setEntry
privateKeyEntry = new PrivateKeyEntry(KeyCertificatePairGenerator.loadPrivateKeyFromBytes(entry.getKey()), entry.getCertificateChain());
exceptionThrown = false;
try {
ks.setEntry(invalidEntryName, privateKeyEntry, empryProtectionParam);
} catch (SecurityException e) {
Assert.assertEquals(ServiceCode.SECURITY_ERROR, e.getServiceCode());
Assert.assertEquals("Cannot update any key and certificate entry except for the ViPR key and certificate.", e.getMessage());
exceptionThrown = true;
}
Assert.assertTrue(exceptionThrown);
assertAliasesIn(ks, expectedAliases);
// using ks.setKey which accepts byte[]
try {
ks.setKeyEntry(invalidEntryName, entry.getKey(), entry.getCertificateChain());
} catch (SecurityException e) {
Assert.assertEquals(ServiceCode.SECURITY_ERROR, e.getServiceCode());
Assert.assertEquals("Cannot update any key and certificate entry except for the ViPR key and certificate.", e.getMessage());
exceptionThrown = true;
}
Assert.assertTrue(exceptionThrown);
assertAliasesIn(ks, expectedAliases);
// using ks.setKey which accepts Key object
try {
ks.setKeyEntry(invalidEntryName, KeyCertificatePairGenerator.loadPrivateKeyFromBytes(entry.getKey()), "".toCharArray(), entry.getCertificateChain());
} catch (SecurityException e) {
Assert.assertEquals(ServiceCode.SECURITY_ERROR, e.getServiceCode());
Assert.assertEquals("Cannot update any key and certificate entry except for the ViPR key and certificate.", e.getMessage());
exceptionThrown = true;
}
Assert.assertTrue(exceptionThrown);
assertAliasesIn(ks, expectedAliases);
// try getting an invalid entry
Assert.assertFalse(ks.containsAlias(invalidEntryName));
Assert.assertFalse(ks.entryInstanceOf(invalidEntryName, KeyStore.TrustedCertificateEntry.class));
Assert.assertFalse(ks.entryInstanceOf(invalidEntryName, KeyStore.PrivateKeyEntry.class));
Assert.assertFalse(ks.entryInstanceOf(invalidEntryName, KeyStore.SecretKeyEntry.class));
Assert.assertFalse(ks.isCertificateEntry(invalidEntryName));
Assert.assertFalse(ks.isKeyEntry(invalidEntryName));
Assert.assertNull(ks.getCertificate(invalidEntryName));
Assert.assertNull(ks.getCertificateAlias(entry.getCertificateChain()[0]));
Assert.assertNull(ks.getCertificateChain(invalidEntryName));
Assert.assertNull(ks.getCreationDate(invalidEntryName));
Assert.assertNull(ks.getEntry(invalidEntryName, empryProtectionParam));
Assert.assertNull(ks.getKey(invalidEntryName, "".toCharArray()));
// try to delete an entry that does not exist
exceptionThrown = false;
try {
ks.deleteEntry(invalidEntryName);
} catch (SecurityException e) {
Assert.fail();
} catch (KeyStoreException e) {
exceptionThrown = true;
Assert.assertEquals("The specified alias " + invalidEntryName + " does not exist", e.getMessage());
}
Assert.assertTrue(exceptionThrown);
}
use of com.emc.storageos.security.keystore.impl.DistributedKeyStoreImpl in project coprhd-controller by CoprHD.
the class KeystoreTest method testZookeeperKeystore.
@Test
public void testZookeeperKeystore() throws IOException {
DistributedKeyStore zookeeperKeystore = new DistributedKeyStoreImpl();
boolean exceptionThrown = false;
try {
zookeeperKeystore.init(invalidLoadStoreParam);
} catch (SecurityException e) {
exceptionThrown = true;
}
Assert.assertTrue(exceptionThrown);
zookeeperKeystore.init(loadStoreParam);
// this is in case this test was run previously
zookeeperKeystore.setTrustedCertificates(null);
KeyCertificateEntry origEntry = gen.generateKeyCertificatePair();
origEntry.setCreationDate(new Date());
zookeeperKeystore.setKeyCertificatePair(origEntry);
KeyCertificateEntry storedEntry = zookeeperKeystore.getKeyCertificatePair();
assertKeyCertificateEntriesEquals(origEntry, storedEntry);
origEntry = gen.generateKeyCertificatePair();
TrustedCertificateEntry origCertEntry = new TrustedCertificateEntry(origEntry.getCertificateChain()[0], new Date());
Map<String, TrustedCertificateEntry> origCertEntries = new HashMap<String, TrustedCertificateEntry>();
origCertEntries.put("trustedCert1", origCertEntry);
zookeeperKeystore.addTrustedCertificate("trustedCert1", origCertEntry);
origEntry = gen.generateKeyCertificatePair();
origCertEntry = new TrustedCertificateEntry(origEntry.getCertificateChain()[0], new Date());
origCertEntries.put("trustedCert2", origCertEntry);
zookeeperKeystore.addTrustedCertificate("trustedCert2", origCertEntry);
assertTrustedCertsEquals(origCertEntries, zookeeperKeystore.getTrustedCertificates());
origEntry = gen.generateKeyCertificatePair();
origCertEntry = new TrustedCertificateEntry(origEntry.getCertificateChain()[0], new Date());
origCertEntries.put("trustedCert3", origCertEntry);
zookeeperKeystore.setTrustedCertificates(origCertEntries);
assertTrustedCertsEquals(origCertEntries, zookeeperKeystore.getTrustedCertificates());
origCertEntries.remove("trustedCert3");
zookeeperKeystore.setTrustedCertificates(origCertEntries);
assertTrustedCertsEquals(origCertEntries, zookeeperKeystore.getTrustedCertificates());
origCertEntries.remove("trustedCert2");
zookeeperKeystore.removeTrustedCertificate("trustedCert2");
assertTrustedCertsEquals(origCertEntries, zookeeperKeystore.getTrustedCertificates());
zookeeperKeystore.removeTrustedCertificate("trustedCert10");
}
use of com.emc.storageos.security.keystore.impl.DistributedKeyStoreImpl in project coprhd-controller by CoprHD.
the class TrustManagerTest method testCheckServerTrusted.
@Test
public void testCheckServerTrusted() throws Exception {
DistributedKeyStore zookeeperKeystore = new DistributedKeyStoreImpl();
zookeeperKeystore.init(loadStoreParam);
zookeeperKeystore.setTrustedCertificates(null);
KeyStoreUtil.setAcceptAllCertificates(zkhHelper, Boolean.FALSE);
ViPRX509TrustManager tm = new ViPRX509TrustManager(coordinatorClient);
KeyCertificatePairGenerator gen = new KeyCertificatePairGenerator();
gen.setKeyCertificateAlgorithmValuesHolder(new KeyCertificateAlgorithmValuesHolder(coordinatorClient));
KeyCertificateEntry entry = gen.generateKeyCertificatePair();
X509Certificate[] chainToVerify = new X509Certificate[] { (X509Certificate) entry.getCertificateChain()[0] };
boolean exceptionThrown = false;
try {
tm.checkServerTrusted(chainToVerify, "RSA_EXPORT");
} catch (CertificateException e) {
exceptionThrown = true;
}
Assert.assertTrue(exceptionThrown);
TrustedCertificateEntry trustedCert = new TrustedCertificateEntry(entry.getCertificateChain()[0], new Date());
zookeeperKeystore.addTrustedCertificate("someAlias", trustedCert);
// creating a new instance since trust manager caches all the certs
tm = new ViPRX509TrustManager(coordinatorClient);
try {
tm.checkServerTrusted(chainToVerify, "RSA_EXPORT");
} catch (CertificateException e) {
Assert.fail();
}
KeyStoreUtil.setAcceptAllCertificates(zkhHelper, Boolean.TRUE);
entry = gen.generateKeyCertificatePair();
chainToVerify = new X509Certificate[] { (X509Certificate) entry.getCertificateChain()[0] };
try {
tm.checkServerTrusted(chainToVerify, "RSA_EXPORT");
} catch (CertificateException e) {
Assert.fail();
}
}
Aggregations