
Example 1 with SimpleKeystore

use of com.intel.mtwilson.util.crypto.SimpleKeystore in project OpenAttestation by OpenAttestation.

Class CheckLoginController, method handleRequestInternal.

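/**
 * Logs the portal in to the attestation service and stores the resulting API client in the HTTP session.
 *
 * <p>The portal authenticates with a fixed username and the keystore/password taken from the
 * WLMP configuration; nothing from the request itself is used as a credential. On any failure the
 * Login view is returned with a user-facing message and the cause is logged server-side.
 *
 * @param req the incoming request; its session is replaced on successful login
 * @param res the response, redirected to home.html on success
 * @return the Login view with a message on failure, or {@code null} after the redirect has been sent
 * @throws Exception only for the URL construction from configuration; all other errors are reported via the view
 */
@Override
protected ModelAndView handleRequestInternal(HttpServletRequest req, HttpServletResponse res) throws Exception {
    logger.info("CheckLoginController >>");
    // The Login view is what the user gets back whenever the login does not succeed.
    ModelAndView view = new ModelAndView("Login");
    String username = "admin";
    URL baseURL = new URL(WLMPConfig.getConfiguration().getString("mtwilson.api.baseurl"));
    final String keystoreFilename = WLMPConfig.getConfiguration().getString("mtwilson.wlmp.keystore.dir") + File.separator + "portal.jks";
    final String keystorePassword = WLMPConfig.getConfiguration().getString("mtwilson.wlmp.keystore.password");
    // new File(...) never throws, so the try/catch that used to wrap it was unreachable. Check for
    // the keystore explicitly so a missing file is reported as a configuration problem rather than
    // surfacing later as a failed login.
    File keystoreFile = new File(keystoreFilename);
    if (!keystoreFile.isFile()) {
        logger.severe("File Not found on server >> " + keystoreFilename);
        view.addObject("message", "Key store is not configured/saved correctly in " + keystoreFilename + ".");
        return view;
    }
    SimpleKeystore keystore;
    try {
        keystore = new SimpleKeystore(keystoreFile, keystorePassword);
    } catch (Exception e) {
        // Keep the user-facing message generic; the detail goes to the server log only.
        logger.severe("Cannot open keystore " + keystoreFilename + ": " + e.toString());
        view.addObject("result", false);
        view.addObject("message", "Username or Password does not match. Please try again.");
        return view;
    }
    try {
        Properties p = new Properties();
        // must be secure out of the box!
        p.setProperty("mtwilson.api.ssl.policy", WLMPConfig.getConfiguration().getString("mtwilson.api.ssl.policy", "TRUST_CA_VERIFY_HOSTNAME"));
        // must be secure out of the box!
        p.setProperty("mtwilson.api.ssl.requireTrustedCertificate", WLMPConfig.getConfiguration().getString("mtwilson.api.ssl.requireTrustedCertificate", "true"));
        // must be secure out of the box!
        p.setProperty("mtwilson.api.ssl.verifyHostname", WLMPConfig.getConfiguration().getString("mtwilson.api.ssl.verifyHostname", "true"));
        // Instantiate the API Client object and store it in the session. Otherwise either we need
        // to store the password in the session or the decrypted RSA key
        ApiClient rsaApiClient = new ApiClient(baseURL, keystore, new MapConfiguration(p));
        // Discard any session that existed before authentication so a session id issued to an
        // unauthenticated visitor is not promoted to a logged-in one (session fixation).
        // NOTE(review): anything stored in the session before login is dropped here - confirm nothing relies on it.
        HttpSession existing = req.getSession(false);
        if (existing != null) {
            existing.invalidate();
        }
        // Session attributes used while calling into the REST services.
        HttpSession session = req.getSession(true);
        session.setAttribute("logged-in", true);
        session.setAttribute("username", username);
        session.setAttribute("apiClientObject", rsaApiClient);
        session.setMaxInactiveInterval(WLMPConfig.getConfiguration().getInt("mtwilson.wlmp.sessionTimeOut"));
        X509Certificate[] trustedCertificates = keystore.getTrustedCertificates(SimpleKeystore.SAML);
        session.setAttribute("trustedCertificates", trustedCertificates);
        // Redirect the user to the home page after a successful login.
        res.sendRedirect("home.html");
    } catch (Exception e) {
        logger.severe("Login failed: " + e.toString());
        view.addObject("message", "The username or password you entered is incorrect.");
        return view;
    }
    // The redirect has been sent; null tells Spring there is no view to render.
    return null;
}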
Also used : SimpleKeystore(com.intel.mtwilson.util.crypto.SimpleKeystore) HttpSession(javax.servlet.http.HttpSession) MapConfiguration(org.apache.commons.configuration.MapConfiguration) ModelAndView(org.springframework.web.servlet.ModelAndView) Properties(java.util.Properties) ApiClient(com.intel.mtwilson.ApiClient) File(java.io.File) URL(java.net.URL) X509Certificate(java.security.cert.X509Certificate)

Example 2 with SimpleKeystore

use of com.intel.mtwilson.util.crypto.SimpleKeystore in project OpenAttestation by OpenAttestation.

Class HostAgentFactory, method getManifest.

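/**
 * Retrieves the manifest of a host by connecting to it through its configured TLS policy.
 *
 * <p>XXX TODO this method is moved here from the previous interface ManifestStrategy.
 * It's currently here to minimize code changes for the current release
 * but its functionality needs to be moved somewhere else - the trust utils
 * library should not know about the mt wilson database structure.
 * This implementation is a combination of getHostAgent and code from the original getManifest.
 *
 * <p>The per-host trusted-certificate keystore is opened through
 * {@link #getTlsPolicy(String, Resource)}, so the keystore password handling (and the open
 * questions about where that password should come from) lives in one place only.
 *
 * <p>XXX TODO it's the responsibility of the caller to save the TblHosts record after calling
 * this method if the policy is TRUST_FIRST_CERTIFICATE: on a first connection a new certificate
 * may have been stored in the keystore and must be written back to the host record; for all
 * other policies the keystore is unchanged.
 *
 * @param host the host record; its name, connection string, TLS policy name and TLS keystore resource are used
 * @return the manifest reported by the host agent
 * @throws IllegalArgumentException if the host cannot be contacted or its manifest cannot be read; the original exception is kept as the cause
 */
public HashMap<String, ? extends IManifest> getManifest(TblHosts host) {
    try {
        InternetAddress hostAddress = new InternetAddress(host.getName());
        String connectionString = getConnectionString(host);
        // txtHost.getTlsPolicy();  // XXX TODO TxtHost doesn't have this field yet
        String tlsPolicyName = host.getTlsPolicyName() == null ? "TRUST_FIRST_CERTIFICATE" : host.getTlsPolicyName();
        // Delegate keystore opening to the Resource overload rather than duplicating the
        // hard-coded keystore password here; see the XXX TODO notes on that method.
        TlsPolicy tlsPolicy = getTlsPolicy(tlsPolicyName, host.getTlsKeystoreResource());
        HostAgent hostAgent = getHostAgent(hostAddress, connectionString, tlsPolicy);
        return hostAgent.getManifest();
    } catch (Exception e) {
        throw new IllegalArgumentException("Cannot get manifest for " + host.getName() + ": " + e.toString(), e);
    }
}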
Also used : InternetAddress(com.intel.mtwilson.util.net.InternetAddress) SimpleKeystore(com.intel.mtwilson.util.crypto.SimpleKeystore) MalformedURLException(java.net.MalformedURLException) IOException(java.io.IOException) KeyManagementException(java.security.KeyManagementException) TrustFirstCertificateTlsPolicy(com.intel.mtwilson.tls.TrustFirstCertificateTlsPolicy) InsecureTlsPolicy(com.intel.mtwilson.tls.InsecureTlsPolicy) TrustCaAndVerifyHostnameTlsPolicy(com.intel.mtwilson.tls.TrustCaAndVerifyHostnameTlsPolicy) TrustKnownCertificateTlsPolicy(com.intel.mtwilson.tls.TrustKnownCertificateTlsPolicy) TlsPolicy(com.intel.mtwilson.tls.TlsPolicy)

Example 3 with SimpleKeystore

use of com.intel.mtwilson.util.crypto.SimpleKeystore in project OpenAttestation by OpenAttestation.

Class HostAgentFactory, method getTlsPolicy.

/**
 * Builds the TLS policy named {@code tlsPolicyName} on top of the keystore stored in {@code resource}.
 *
 * <p>XXX TODO opening a keystore requires a password so that its signed contents can be verified,
 * which is important. Putting the password in the txthost record won't be secure; it needs to come
 * from the attestation service configuration or from the user. The factory is supposed to receive
 * the keystore AFTER it has been opened with the password, so this overload exists only because
 * txthost doesn't have the keystore field yet; once this code moves to the JPA/DAO/Repository
 * layer a real password source is needed.
 *
 * <p>XXX TODO not sure that this belongs in the http-authorization package: policy names are an
 * application-level thing (allowed configurations), and creating the right repository is an
 * application-level thing too (mutable vs immutable, and underlying implementation - keystore,
 * array, cms of pem-list).
 *
 * @param tlsPolicyName name of the policy, resolved by {@link #getTlsPolicy(String, SimpleKeystore)}
 * @param resource where the trusted-certificate keystore is stored
 * @return the TLS policy to use when connecting to the host
 * @throws KeyManagementException as declared by the keystore/policy calls made here
 */
public TlsPolicy getTlsPolicy(String tlsPolicyName, Resource resource) throws KeyManagementException {
    // Hard-coded keystore password; see the XXX TODO in the Javadoc.
    final String keystorePassword = "password";
    SimpleKeystore trustStore = new SimpleKeystore(resource, keystorePassword);
    return getTlsPolicy(tlsPolicyName, trustStore);
}
Also used : SimpleKeystore(com.intel.mtwilson.util.crypto.SimpleKeystore) TrustFirstCertificateTlsPolicy(com.intel.mtwilson.tls.TrustFirstCertificateTlsPolicy) InsecureTlsPolicy(com.intel.mtwilson.tls.InsecureTlsPolicy) TrustCaAndVerifyHostnameTlsPolicy(com.intel.mtwilson.tls.TrustCaAndVerifyHostnameTlsPolicy) TrustKnownCertificateTlsPolicy(com.intel.mtwilson.tls.TrustKnownCertificateTlsPolicy) TlsPolicy(com.intel.mtwilson.tls.TlsPolicy)

Example 4 with SimpleKeystore

use of com.intel.mtwilson.util.crypto.SimpleKeystore in project OpenAttestation by OpenAttestation.

Class CreateSSLCertificate, method execute.

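/**
 * Generates an RSA key pair and self-signed X.509 certificate and stores them in a keystore.
 *
 * <p>Arguments: {@code subject alternateName /path/to/keystore.jks alias [password]}. The usage
 * text has always shown the password as optional, so only the first four arguments are required.
 * The password may be given in plaintext, as {@code env:VAR_NAME} to read it from the
 * environment, or omitted (or empty) to be prompted for twice on the terminal; when the JVM has a
 * console the typed password is not echoed.
 *
 * @param args command-line arguments as described above
 * @throws IllegalArgumentException if fewer than four arguments are given, the two prompted
 *         passwords differ, or no non-empty password is obtained (e.g. the named environment variable is unset)
 * @throws Exception if key generation or saving the keystore fails
 */
@Override
public void execute(String[] args) throws Exception {
    if (args.length < 4) {
        throw new IllegalArgumentException("Usage: CreateSSLCertificate \"192.168.1.100\" \"ip:192.168.1.100\" /path/to/keystore.jks alias [env:password_var]");
    }
    String subject = args[0];
    String alternateName = args[1];
    File keystoreFile = new File(args[2]);
    String alias = args[3];
    String password = args.length > 4 ? args[4] : null;
    java.io.Console console = System.console();
    // Fallback for when there is no console (e.g. piped input). Not closed: closing it would close System.in.
    BufferedReader in = new BufferedReader(new InputStreamReader(System.in));
    if (password == null || password.isEmpty()) {
        password = promptForPassword(console, in);
    } else if (password.startsWith("env:") && password.length() > 4) {
        String varName = password.substring(4);
        // System.getenv returns null for an unset variable; rejected by the check below.
        password = System.getenv(varName);
    }
    if (password == null || password.isEmpty()) {
        throw new IllegalArgumentException("No password was provided");
    }
    SimpleKeystore keystore = new SimpleKeystore(keystoreFile, password);
    KeyPair keypair = RsaUtil.generateRsaKeyPair(RsaUtil.MINIMUM_RSA_KEY_SIZE);
    X509Certificate certificate = RsaUtil.generateX509Certificate(subject, alternateName, keypair, RsaUtil.DEFAULT_RSA_KEY_EXPIRES_DAYS);
    keystore.addKeyPairX509(keypair.getPrivate(), certificate, alias, password);
    keystore.save();
}

/**
 * Asks for the password twice and returns it once both entries agree.
 *
 * @param console the JVM console, or {@code null} when there is none
 * @param in reader on standard input, used only when {@code console} is {@code null}
 * @return the password as typed (may be empty; the caller rejects that)
 * @throws IllegalArgumentException if the two entries differ or input ended before a password was read
 * @throws java.io.IOException if reading standard input fails
 */
private static String promptForPassword(java.io.Console console, BufferedReader in) throws java.io.IOException {
    String password = readSecret(console, in, "Password: ");
    String passwordAgain = readSecret(console, in, "Password again: ");
    if (password == null || !password.equals(passwordAgain)) {
        throw new IllegalArgumentException("The two passwords don't match");
    }
    return password;
}

/**
 * Reads one line intended to stay secret: without echo via the console when available, else from {@code in}.
 *
 * @return the line read, or {@code null} at end of input
 */
private static String readSecret(java.io.Console console, BufferedReader in, String prompt) throws java.io.IOException {
    if (console != null) {
        char[] chars = console.readPassword("%s", prompt);
        return chars == null ? null : new String(chars);
    }
    System.out.print(prompt);
    return in.readLine();
}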
Also used : SimpleKeystore(com.intel.mtwilson.util.crypto.SimpleKeystore) KeyPair(java.security.KeyPair) InputStreamReader(java.io.InputStreamReader) BufferedReader(java.io.BufferedReader) File(java.io.File) X509Certificate(java.security.cert.X509Certificate)

Example 5 with SimpleKeystore

use of com.intel.mtwilson.util.crypto.SimpleKeystore in project OpenAttestation by OpenAttestation.

Class CreateUser, method execute.

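/**
 * Creates a per-user keystore holding a fresh RSA key pair and self-signed certificate.
 *
 * <p>Arguments: {@code /path/to/keystore/dir [username] [password]}. The directory is required;
 * username and password are prompted for when not given. The password may be plaintext (not
 * recommended) or {@code env:VAR_NAME} (recommended) to read it from the environment. When
 * prompted and the JVM has a console, the typed password is not echoed. Failures are reported by
 * throwing, matching CreateSSLCertificate, instead of calling System.exit.
 *
 * @param args command-line arguments as described above
 * @throws IllegalArgumentException if the directory argument is missing, the username is empty,
 *         the two prompted passwords differ, or the password is missing or shorter than six characters
 * @throws Exception if key generation or saving the keystore fails
 */
@Override
public void execute(String[] args) throws Exception {
    if (args.length < 1) {
        throw new IllegalArgumentException("Usage: CreateUser /path/to/keystore/dir [username] [password|env:password_var]");
    }
    // args[0] is the folder the keystore is written to
    File directory = new File(args[0]);
    // args[1] is the optional username (prompted for if not provided)
    String username = args.length > 1 ? args[1] : null;
    // args[2] is the optional password: plaintext (not recommended) or env:VAR_NAME (recommended); prompted for if not provided
    String password = args.length > 2 ? args[2] : null;
    java.io.Console console = System.console();
    // Fallback for when there is no console (e.g. piped input). Not closed: closing it would close System.in.
    BufferedReader in = new BufferedReader(new InputStreamReader(System.in));
    if (username == null || username.isEmpty()) {
        username = readLine(console, in, "Username: ");
    }
    if (username == null || username.isEmpty()) {
        throw new IllegalArgumentException("A username is required");
    }
    if (password == null || password.isEmpty()) {
        password = promptForPassword(console, in);
    } else if (password.startsWith("env:") && password.length() > 4) {
        String varName = password.substring(4);
        // System.getenv returns null for an unset variable; rejected by the check below.
        password = System.getenv(varName);
    }
    if (password == null || password.isEmpty() || password.length() < 6) {
        throw new IllegalArgumentException("The password must be at least six characters");
    }
    //String.format("CN=%s", username);
    String subject = username;
    File keystoreFile = new File(directory.getAbsoluteFile(), Filename.encode(username) + ".jks");
    SimpleKeystore keystore = new SimpleKeystore(keystoreFile, password);
    KeyPair keypair = RsaUtil.generateRsaKeyPair(RsaUtil.MINIMUM_RSA_KEY_SIZE);
    X509Certificate certificate = RsaUtil.generateX509Certificate(subject, keypair, RsaUtil.DEFAULT_RSA_KEY_EXPIRES_DAYS);
    keystore.addKeyPairX509(keypair.getPrivate(), certificate, username, password);
    keystore.save();
    System.out.println("Created keystore: " + keystoreFile.getName());
}

/**
 * Asks for the password twice and returns it once both entries agree.
 *
 * @param console the JVM console, or {@code null} when there is none
 * @param in reader on standard input, used only when {@code console} is {@code null}
 * @return the password as typed (may be empty or short; the caller enforces the length rule)
 * @throws IllegalArgumentException if the two entries differ or input ended before a password was read
 * @throws java.io.IOException if reading standard input fails
 */
private static String promptForPassword(java.io.Console console, BufferedReader in) throws java.io.IOException {
    String password = readLine(console, in, "Password: ", true);
    String passwordAgain = readLine(console, in, "Password again: ", true);
    if (password == null || !password.equals(passwordAgain)) {
        throw new IllegalArgumentException("The two passwords don't match");
    }
    return password;
}

/** Reads one echoed line after {@code prompt}; see {@link #readLine(java.io.Console, BufferedReader, String, boolean)}. */
private static String readLine(java.io.Console console, BufferedReader in, String prompt) throws java.io.IOException {
    return readLine(console, in, prompt, false);
}

/**
 * Reads one line after {@code prompt}: via the console when available (without echo if
 * {@code secret}), otherwise from {@code in} after printing the prompt on System.out.
 *
 * @return the line read, or {@code null} at end of input
 */
private static String readLine(java.io.Console console, BufferedReader in, String prompt, boolean secret) throws java.io.IOException {
    if (console != null) {
        if (secret) {
            char[] chars = console.readPassword("%s", prompt);
            return chars == null ? null : new String(chars);
        }
        return console.readLine("%s", prompt);
    }
    System.out.print(prompt);
    return in.readLine();
}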
Also used : SimpleKeystore(com.intel.mtwilson.util.crypto.SimpleKeystore) KeyPair(java.security.KeyPair) InputStreamReader(java.io.InputStreamReader) BufferedReader(java.io.BufferedReader) File(java.io.File) X509Certificate(java.security.cert.X509Certificate)

Aggregations

SimpleKeystore (com.intel.mtwilson.util.crypto.SimpleKeystore)5 File (java.io.File)3 X509Certificate (java.security.cert.X509Certificate)3 InsecureTlsPolicy (com.intel.mtwilson.tls.InsecureTlsPolicy)2 TlsPolicy (com.intel.mtwilson.tls.TlsPolicy)2 TrustCaAndVerifyHostnameTlsPolicy (com.intel.mtwilson.tls.TrustCaAndVerifyHostnameTlsPolicy)2 TrustFirstCertificateTlsPolicy (com.intel.mtwilson.tls.TrustFirstCertificateTlsPolicy)2 TrustKnownCertificateTlsPolicy (com.intel.mtwilson.tls.TrustKnownCertificateTlsPolicy)2 BufferedReader (java.io.BufferedReader)2 InputStreamReader (java.io.InputStreamReader)2 KeyPair (java.security.KeyPair)2 ApiClient (com.intel.mtwilson.ApiClient)1 InternetAddress (com.intel.mtwilson.util.net.InternetAddress)1 IOException (java.io.IOException)1 MalformedURLException (java.net.MalformedURLException)1 URL (java.net.URL)1 KeyManagementException (java.security.KeyManagementException)1 Properties (java.util.Properties)1 HttpSession (javax.servlet.http.HttpSession)1 MapConfiguration (org.apache.commons.configuration.MapConfiguration)1