
Example 11 with AliasServiceException

use of org.apache.knox.gateway.services.security.AliasServiceException in project knox by apache.

the class DefaultCryptoService method sign.

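/**
 * Signs {@code payloadToSign} with the gateway private key stored under
 * {@code alias}, using the JCA {@link Signature} algorithm named by
 * {@code algorithm} (e.g. {@code "SHA256withRSA"}).
 *
 * <p>The key passphrase is read from the alias service and the key itself from
 * the keystore service. The payload is always encoded as UTF-8 before signing,
 * so a verifier must use the same encoding.
 *
 * @param algorithm     JCA signature algorithm name
 * @param alias         keystore alias of the gateway private key
 * @param payloadToSign text to sign; encoded as UTF-8
 * @return the raw signature bytes, or {@code null} if any step failed (the
 *         cause is logged through {@code LOG.failedToSignData}). Callers MUST
 *         treat {@code null} as "signing failed", never as an empty signature.
 */
@Override
public byte[] sign(String algorithm, String alias, String payloadToSign) {
    try {
        char[] passphrase = as.getGatewayIdentityPassphrase();
        // NOTE(review): the passphrase array is not zeroed after use. The alias
        // service may hand out a shared/cached array, so clearing it here could
        // be unsafe -- confirm ownership before adding Arrays.fill(passphrase, '\0').
        PrivateKey privateKey = (PrivateKey) ks.getKeyForGateway(alias, passphrase);
        if (privateKey == null) {
            // Make a missing key an explicit, logged failure instead of relying on
            // the provider to reject a null key in initSign().
            throw new InvalidKeyException("No private key found for alias " + alias);
        }
        Signature signature = Signature.getInstance(algorithm);
        signature.initSign(privateKey);
        // A Charset constant cannot be "unsupported", which removes the checked
        // UnsupportedEncodingException the charset-name overload required.
        signature.update(payloadToSign.getBytes(java.nio.charset.StandardCharsets.UTF_8));
        return signature.sign();
    } catch (NoSuchAlgorithmException | InvalidKeyException | SignatureException
            | KeystoreServiceException | AliasServiceException e) {
        // Every failure mode collapses into one log entry and a null return;
        // the interface gives callers no way to distinguish the cause.
        LOG.failedToSignData(e);
    }
    return null;
}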

Example 12 with AliasServiceException

use of org.apache.knox.gateway.services.security.AliasServiceException in project knox by apache.

the class JettySSLService method buildSslContextFactory.

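/**
 * Builds the Jetty {@link SslContextFactory} for the gateway listener from the
 * gateway keystore and the SSL settings captured in {@link #init}.
 *
 * <p>Password resolution: the identity key uses the gateway identity passphrase
 * alias when present, otherwise the master secret (the same default
 * {@link #init} applies when it creates the key); the truststore uses the
 * {@code GATEWAY_TRUSTSTORE_PASSWORD} alias when present, otherwise the master
 * secret. An {@code AliasServiceException} during lookup is treated exactly like
 * a missing alias (best effort), whereas {@link #init} fails startup on it.
 *
 * <p>Security notes:
 * <ul>
 *   <li>Jetty takes passwords as {@code String}, so the master secret and key
 *       passphrase are copied into immutable strings that cannot be wiped; the
 *       {@code char[]} originals are not cleared here either.</li>
 *   <li>{@code setTrustAll(trustAllCerts)} is the last word on peer validation:
 *       it overrides the {@code true} passed to the constructor, and when the
 *       config flag is on, client certificates are not validated at all.</li>
 *   <li>Only exclusions are applied for protocols; no protocol allow-list is set.</li>
 * </ul>
 *
 * @param keystoreFileName path of the gateway identity keystore
 * @return the configured factory (declared as {@code Object}, presumably so the
 *         service interface does not expose Jetty types)
 */
public Object buildSslContextFactory(String keystoreFileName) throws KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException {
    // The boolean constructor argument is Jetty's trustAll flag; it is
    // unconditionally replaced by setTrustAll(trustAllCerts) further down.
    SslContextFactory sslContextFactory = new SslContextFactory(true);
    sslContextFactory.setCertAlias("gateway-identity");
    sslContextFactory.setKeyStoreType(keystoreType);
    sslContextFactory.setKeyStorePath(keystoreFileName);
    char[] master = ms.getMasterSecret();
    sslContextFactory.setKeyStorePassword(new String(master));

    char[] keypass = null;
    try {
        keypass = as.getGatewayIdentityPassphrase();
    } catch (AliasServiceException e) {
        // nop - treated as "no alias provisioned"; the master secret is used below
    }
    if (keypass == null) {
        // No separate key passphrase alias: the key was created with the master
        // secret (see init()), so that is also the key manager password.
        keypass = master;
    }
    sslContextFactory.setKeyManagerPassword(new String(keypass));

    if (clientAuthNeeded || clientAuthWanted) {
        if (truststorePath != null) {
            // A dedicated truststore is configured: load THAT file, with the
            // truststore password and type. (The previous code checked
            // truststorePath but then loaded keystoreFileName with the master
            // secret, so the configured truststore was never used.)
            char[] truststorePwd = null;
            try {
                truststorePwd = as.getPasswordFromAliasForGateway(GATEWAY_TRUSTSTORE_PASSWORD);
            } catch (AliasServiceException e) {
                // nop - master secret will be used
            }
            if (truststorePwd == null) {
                truststorePwd = master;
            }
            sslContextFactory.setTrustStore(loadKeyStore(truststorePath, trustStoreType, truststorePwd));
            sslContextFactory.setTrustStorePassword(new String(truststorePwd));
            sslContextFactory.setTrustStoreType(trustStoreType);
        } else {
            // No truststore provided: client certificates are validated against
            // the gateway's own keystore, protected by the master secret.
            sslContextFactory.setTrustStore(loadKeyStore(keystoreFileName, keystoreType, master));
            sslContextFactory.setTrustStorePassword(new String(master));
            sslContextFactory.setTrustStoreType(keystoreType);
        }
    }

    // "needed" takes precedence over "wanted"; Jetty treats them as separate flags.
    if (clientAuthNeeded) {
        sslContextFactory.setNeedClientAuth(clientAuthNeeded);
    } else {
        sslContextFactory.setWantClientAuth(clientAuthWanted);
    }
    sslContextFactory.setTrustAll(trustAllCerts);

    if (sslIncludeCiphers != null && !sslIncludeCiphers.isEmpty()) {
        sslContextFactory.setIncludeCipherSuites(sslIncludeCiphers.toArray(new String[sslIncludeCiphers.size()]));
    }
    if (sslExcludeCiphers != null && !sslExcludeCiphers.isEmpty()) {
        sslContextFactory.setExcludeCipherSuites(sslExcludeCiphers.toArray(new String[sslExcludeCiphers.size()]));
    }
    if (sslExcludeProtocols != null && !sslExcludeProtocols.isEmpty()) {
        sslContextFactory.setExcludeProtocols(sslExcludeProtocols.toArray(new String[sslExcludeProtocols.size()]));
    }
    return sslContextFactory;
}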

Example 13 with AliasServiceException

use of org.apache.knox.gateway.services.security.AliasServiceException in project knox by apache.

the class JettySSLService method init.

/**
 * Brings up the gateway's TLS prerequisites and snapshots the SSL settings that
 * {@link #buildSslContextFactory} later consumes.
 *
 * <p>Order of work: (1) push the ephemeral DH key size into its JSSE system
 * property; (2) create the gateway credential store if it does not exist;
 * (3) create the gateway keystore with a self-signed {@code gateway-identity}
 * certificate if it does not exist, protected by the identity passphrase alias
 * when one is provisioned and by the master secret otherwise; (4) log and
 * validate the certificate; (5) copy keystore type, cipher/protocol lists,
 * client-auth flags and truststore settings out of the config.
 *
 * <p>Unlike {@link #buildSslContextFactory}, an alias-service failure here is
 * fatal: the passphrase decides how the freshly created key is protected.
 *
 * @param config  gateway configuration
 * @param options unused
 * @throws ServiceLifecycleException if the credential store or keystore cannot
 *         be loaded/created (typically a master-secret mismatch), or the
 *         credential store cannot be read for the identity passphrase
 */
@Override
public void init(GatewayConfig config, Map<String, String> options) throws ServiceLifecycleException {
    final String keystoreFailure = "Keystore was not loaded properly - the provided (or persisted) master secret may not match the password for the keystore.";

    // JSSE/security related system properties go first, before any TLS context exists.
    System.setProperty(EPHEMERAL_DH_KEY_SIZE_PROPERTY, config.getEphemeralDHKeySize());

    try {
        if (ks.isCredentialStoreForClusterAvailable(GATEWAY_CREDENTIAL_STORE_NAME)) {
            log.credentialStoreForGatewayFoundNotCreating();
        } else {
            log.creatingCredentialStoreForGateway();
            ks.createCredentialStoreForCluster(GATEWAY_CREDENTIAL_STORE_NAME);
            // Deliberately no distinct key passphrase is generated by default any more.
            // Deployments that want a stronger setup add the GATEWAY_IDENTITY_PASSPHRASE
            // alias explicitly via the CLI (formerly done here with
            // as.generateAliasForCluster(GATEWAY_CREDENTIAL_STORE_NAME, GATEWAY_IDENTITY_PASSPHRASE)).
        }

        if (ks.isKeystoreForGatewayAvailable()) {
            log.keyStoreForGatewayFoundNotCreating();
        } else {
            log.creatingKeyStoreForGateway();
            ks.createKeystoreForGateway();
            char[] identityPassphrase;
            try {
                identityPassphrase = as.getGatewayIdentityPassphrase();
            } catch (AliasServiceException e) {
                throw new ServiceLifecycleException("Error accessing credential store for the gateway.", e);
            }
            // No passphrase alias provisioned: protect the new key with the master secret.
            ks.addSelfSignedCertForGateway("gateway-identity",
                    identityPassphrase != null ? identityPassphrase : ms.getMasterSecret());
        }
        logAndValidateCertificate();
    } catch (KeystoreServiceException e) {
        throw new ServiceLifecycleException(keystoreFailure, e);
    }

    // Snapshot of the SSL-related configuration used by buildSslContextFactory().
    keystoreType = config.getKeystoreType();
    sslIncludeCiphers = config.getIncludedSSLCiphers();
    sslExcludeCiphers = config.getExcludedSSLCiphers();
    sslExcludeProtocols = config.getExcludedSSLProtocols();
    clientAuthNeeded = config.isClientAuthNeeded();
    clientAuthWanted = config.isClientAuthWanted();
    truststorePath = config.getTruststorePath();
    trustAllCerts = config.getTrustAllCerts();
    trustStoreType = config.getTruststoreType();
}

Example 14 with AliasServiceException

use of org.apache.knox.gateway.services.security.AliasServiceException in project knox by apache.

the class DefaultTokenAuthorityService method issueToken.

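/**
 * Issues a KnoxSSO JWT for principal {@code p}, signed with the gateway's RSA
 * signing key.
 *
 * <p>Claims are positional, as {@link JWTToken} expects them: issuer
 * ({@code "KNOXSSO"}), subject (the principal name), an unused third slot, and
 * the expiry. {@code expires == -1} means "no expiry claim"; any other value is
 * passed through as its decimal string (units are whatever JWTToken interprets,
 * presumably epoch milliseconds -- confirm against JWTToken).
 *
 * @param p         authenticated principal whose name becomes the subject
 * @param audiences audience claim values, passed through to JWTToken
 * @param algorithm JWS algorithm name; must be one of {@code SUPPORTED_SIG_ALGS}
 * @param expires   expiry value, or -1 for none
 * @return the signed token
 * @throws TokenServiceException if the algorithm is unsupported, no principal is
 *         given, the signing key passphrase or keystore cannot be accessed, or
 *         no key exists under the signing key alias
 */
@Override
public JWT issueToken(Principal p, List<String> audiences, String algorithm, long expires) throws TokenServiceException {
    // Fail fast on bad input before touching the credential store.
    if (!SUPPORTED_SIG_ALGS.contains(algorithm)) {
        throw new TokenServiceException("Cannot issue token - Unsupported algorithm");
    }
    if (p == null) {
        throw new TokenServiceException("Cannot issue token - no principal");
    }

    String[] claimArray = new String[4];
    claimArray[0] = "KNOXSSO";
    claimArray[1] = p.getName();
    claimArray[2] = null;
    claimArray[3] = (expires == -1) ? null : String.valueOf(expires);

    char[] passphrase;
    try {
        passphrase = getSigningKeyPassphrase();
    } catch (AliasServiceException e) {
        throw new TokenServiceException(e);
    }

    try {
        RSAPrivateKey key = (RSAPrivateKey) ks.getSigningKey(getSigningKeyAlias(), passphrase);
        if (key == null) {
            // Mirrors the startup check in init(): a missing key surfaces as a
            // TokenServiceException rather than a runtime exception from the signer.
            throw new TokenServiceException("Cannot issue token - no signing key found for alias " + getSigningKeyAlias());
        }
        JWT token = new JWTToken(algorithm, claimArray, audiences);
        token.sign(new RSASSASigner(key));
        return token;
    } catch (KeystoreServiceException e) {
        throw new TokenServiceException(e);
    }
}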

Example 15 with AliasServiceException

use of org.apache.knox.gateway.services.security.AliasServiceException in project knox by apache.

the class DefaultTokenAuthorityService method init.

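/**
 * Validates the token-signing setup at startup.
 *
 * <p>Records the signing key alias from config and, if a signing key passphrase
 * has been provisioned under {@code SIGNING_KEY_PASSPHRASE}, loads the signing
 * key once to prove that the passphrase opens it. When no passphrase alias
 * exists nothing is checked here and the key is first touched in
 * {@link #issueToken}.
 *
 * @param config  gateway configuration; supplies the signing key alias
 * @param options unused
 * @throws ServiceLifecycleException if either service is unset, the passphrase
 *         alias cannot be read, the keystore cannot be opened, or no key exists
 *         under the configured alias
 */
@Override
public void init(GatewayConfig config, Map<String, String> options) throws ServiceLifecycleException {
    if (as == null || ks == null) {
        throw new ServiceLifecycleException("Alias or Keystore service is not set");
    }
    signingKeyAlias = config.getSigningKeyAlias();
    try {
        char[] passphrase = as.getPasswordFromAliasForGateway(SIGNING_KEY_PASSPHRASE);
        if (passphrase != null) {
            // The cast doubles as a type check: a non-RSA key under the alias fails
            // here at startup rather than on the first token request.
            RSAPrivateKey key = (RSAPrivateKey) ks.getSigningKey(getSigningKeyAlias(), passphrase);
            if (key == null) {
                throw new ServiceLifecycleException("Provisioned passphrase cannot be used to acquire signing key.");
            }
        }
    } catch (AliasServiceException | KeystoreServiceException e) {
        throw new ServiceLifecycleException("Provisioned signing key passphrase cannot be acquired.", e);
    }
}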
