Use of org.apache.knox.gateway.services.security.AliasServiceException in project knox by apache.
The class DefaultCryptoService, method sign.
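/**
 * Signs the UTF-8 bytes of {@code payloadToSign} with the gateway private key
 * stored under {@code alias}.
 *
 * <p>The key is unlocked with the gateway identity passphrase obtained from the
 * alias service. Every failure (unknown algorithm, key unusable for it, signing
 * error, keystore or alias service failure) is logged via
 * {@code LOG.failedToSignData} and reported to the caller as a {@code null}
 * return, so callers must treat {@code null} as "no signature produced".
 *
 * @param algorithm JCA signature algorithm name handed to {@code Signature.getInstance}
 * @param alias keystore alias of the gateway private key
 * @param payloadToSign text to sign; encoded as UTF-8 before signing
 * @return the raw signature bytes, or {@code null} when signing failed
 */
@Override
public byte[] sign(String algorithm, String alias, String payloadToSign) {
    try {
        // The passphrase array is owned by the alias service; it is neither copied
        // nor cleared here because it is not visible whether the array is shared
        // across callers — TODO(review): confirm before zeroing it after use.
        char[] passphrase = as.getGatewayIdentityPassphrase();
        PrivateKey privateKey = (PrivateKey) ks.getKeyForGateway(alias, passphrase);
        Signature signature = Signature.getInstance(algorithm);
        signature.initSign(privateKey);
        // A Charset constant instead of the "UTF-8" name: no charset lookup per
        // call and no UnsupportedEncodingException to handle.
        signature.update(payloadToSign.getBytes(java.nio.charset.StandardCharsets.UTF_8));
        return signature.sign();
    } catch (NoSuchAlgorithmException | InvalidKeyException | SignatureException e) {
        // JCA-level failures: unknown algorithm, key not usable for it, signing error.
        LOG.failedToSignData(e);
    } catch (KeystoreServiceException e) {
        LOG.failedToSignData(e);
    } catch (AliasServiceException e) {
        LOG.failedToSignData(e);
    }
    return null;
}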
Use of org.apache.knox.gateway.services.security.AliasServiceException in project knox by apache.
The class JettySSLService, method buildSslContextFactory.
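/**
 * Builds the Jetty {@code SslContextFactory} for the gateway listener.
 *
 * <p>The server identity comes from the keystore at {@code keystoreFileName}
 * (alias {@code gateway-identity}), unlocked with the master secret; the key
 * itself is unlocked with the gateway identity passphrase when one is
 * provisioned in the alias service, otherwise with the master secret. When
 * client authentication is needed or wanted, the truststore is the configured
 * truststore ({@code truststorePath}, {@code trustStoreType}, password from the
 * {@code GATEWAY_TRUSTSTORE_PASSWORD} alias or the master secret) if a path is
 * set, and the server's own keystore otherwise. Cipher suite and protocol
 * include/exclude lists and the trust-all flag come from the fields populated
 * by {@code init}.
 *
 * @param keystoreFileName path of the gateway keystore
 * @return the configured {@code SslContextFactory}
 * @throws KeyStoreException propagated from loading a truststore
 * @throws IOException propagated from loading a truststore
 * @throws CertificateException propagated from loading a truststore
 * @throws NoSuchAlgorithmException propagated from loading a truststore
 */
public Object buildSslContextFactory(String keystoreFileName) throws KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException {
    // The constructor flag enables trust-all; it is overridden further down by
    // setTrustAll(trustAllCerts), so the configured value is what takes effect.
    SslContextFactory sslContextFactory = new SslContextFactory(true);
    sslContextFactory.setCertAlias("gateway-identity");
    sslContextFactory.setKeyStoreType(keystoreType);
    sslContextFactory.setKeyStorePath(keystoreFileName);

    char[] master = ms.getMasterSecret();
    // Jetty only accepts String passwords, so the secrets unavoidably end up in
    // immutable Strings that cannot be wiped from the heap.
    sslContextFactory.setKeyStorePassword(new String(master));
    sslContextFactory.setKeyManagerPassword(new String(resolveKeyPassphrase(master)));

    if (clientAuthNeeded || clientAuthWanted) {
        if (truststorePath != null) {
            // A dedicated truststore is configured: load it from truststorePath with
            // trustStoreType and its own password. Previously the server keystore
            // file was loaded here instead, so the configured path was never honoured.
            char[] truststorePwd = resolveTruststorePassword(master);
            sslContextFactory.setTrustStore(loadKeyStore(truststorePath, trustStoreType, truststorePwd));
            sslContextFactory.setTrustStorePassword(new String(truststorePwd));
            sslContextFactory.setTrustStoreType(trustStoreType);
        } else {
            // Client auth requested but no truststore provided: default to the
            // server's keystore and its details.
            sslContextFactory.setTrustStore(loadKeyStore(keystoreFileName, keystoreType, master));
            sslContextFactory.setTrustStorePassword(new String(master));
            sslContextFactory.setTrustStoreType(keystoreType);
        }
    }

    // "need" takes precedence over "want" when both are configured.
    if (clientAuthNeeded) {
        sslContextFactory.setNeedClientAuth(clientAuthNeeded);
    } else {
        sslContextFactory.setWantClientAuth(clientAuthWanted);
    }
    sslContextFactory.setTrustAll(trustAllCerts);

    if (sslIncludeCiphers != null && !sslIncludeCiphers.isEmpty()) {
        sslContextFactory.setIncludeCipherSuites(sslIncludeCiphers.toArray(new String[0]));
    }
    if (sslExcludeCiphers != null && !sslExcludeCiphers.isEmpty()) {
        sslContextFactory.setExcludeCipherSuites(sslExcludeCiphers.toArray(new String[0]));
    }
    if (sslExcludeProtocols != null && !sslExcludeProtocols.isEmpty()) {
        sslContextFactory.setExcludeProtocols(sslExcludeProtocols.toArray(new String[0]));
    }
    return sslContextFactory;
}

/**
 * Resolves the passphrase protecting the gateway identity key: the provisioned
 * gateway identity passphrase when the alias service has one, else {@code master}.
 *
 * @param master the master secret used as the fallback
 * @return the key passphrase; never {@code null}
 */
private char[] resolveKeyPassphrase(char[] master) {
    char[] keypass = null;
    try {
        keypass = as.getGatewayIdentityPassphrase();
    } catch (AliasServiceException ignored) {
        // nop - default passphrase will be used
    }
    // No alias created for the key - assume it is the same as the keystore password.
    return keypass != null ? keypass : master;
}

/**
 * Resolves the truststore password: the {@code GATEWAY_TRUSTSTORE_PASSWORD}
 * alias when provisioned, else {@code master}.
 *
 * @param master the master secret used as the fallback
 * @return the truststore password; never {@code null}
 */
private char[] resolveTruststorePassword(char[] master) {
    char[] truststorePwd = null;
    try {
        truststorePwd = as.getPasswordFromAliasForGateway(GATEWAY_TRUSTSTORE_PASSWORD);
    } catch (AliasServiceException ignored) {
        // nop - master secret will be used
    }
    return truststorePwd != null ? truststorePwd : master;
}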
Use of org.apache.knox.gateway.services.security.AliasServiceException in project knox by apache.
The class JettySSLService, method init.
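/**
 * Initializes the SSL service: applies JSSE system properties, makes sure the
 * gateway credential store and the gateway identity keystore exist (creating
 * them, and a self-signed {@code gateway-identity} certificate, on first start),
 * validates the certificate, and captures the TLS settings later consumed by
 * {@code buildSslContextFactory}.
 *
 * @param config gateway configuration
 * @param options service options (not read here)
 * @throws ServiceLifecycleException when the credential store or keystore cannot
 *         be loaded or created, or the identity passphrase cannot be read
 */
@Override
public void init(GatewayConfig config, Map<String, String> options) throws ServiceLifecycleException {
    // set any JSSE or security related system properties
    System.setProperty(EPHEMERAL_DH_KEY_SIZE_PROPERTY, config.getEphemeralDHKeySize());

    ensureGatewayCredentialStore();
    ensureGatewayIdentityKeystore();

    // TLS settings consumed by buildSslContextFactory.
    keystoreType = config.getKeystoreType();
    sslIncludeCiphers = config.getIncludedSSLCiphers();
    sslExcludeCiphers = config.getExcludedSSLCiphers();
    sslExcludeProtocols = config.getExcludedSSLProtocols();
    clientAuthNeeded = config.isClientAuthNeeded();
    clientAuthWanted = config.isClientAuthWanted();
    truststorePath = config.getTruststorePath();
    trustAllCerts = config.getTrustAllCerts();
    trustStoreType = config.getTruststoreType();
}

/**
 * Creates the gateway credential store when it does not exist yet.
 *
 * @throws ServiceLifecycleException when the keystore service fails, which most
 *         commonly means the master secret does not match the keystore password
 */
private void ensureGatewayCredentialStore() throws ServiceLifecycleException {
    try {
        if (!ks.isCredentialStoreForClusterAvailable(GATEWAY_CREDENTIAL_STORE_NAME)) {
            log.creatingCredentialStoreForGateway();
            ks.createCredentialStoreForCluster(GATEWAY_CREDENTIAL_STORE_NAME);
            // Deliberately no separate key passphrase is generated any more
            // (formerly as.generateAliasForCluster(GATEWAY_CREDENTIAL_STORE_NAME,
            // GATEWAY_IDENTITY_PASSPHRASE)). A deployment that wants a key passphrase
            // distinct from the master secret adds the alias explicitly with the CLI.
        } else {
            log.credentialStoreForGatewayFoundNotCreating();
        }
    } catch (KeystoreServiceException e) {
        throw new ServiceLifecycleException("Keystore was not loaded properly - the provided (or persisted) master secret may not match the password for the keystore.", e);
    }
}

/**
 * Creates the gateway keystore with a self-signed {@code gateway-identity}
 * certificate when it does not exist yet, then validates the certificate.
 *
 * @throws ServiceLifecycleException when the keystore service fails or the
 *         identity passphrase cannot be read from the credential store
 */
private void ensureGatewayIdentityKeystore() throws ServiceLifecycleException {
    try {
        if (!ks.isKeystoreForGatewayAvailable()) {
            log.creatingKeyStoreForGateway();
            ks.createKeystoreForGateway();
            char[] passphrase;
            try {
                passphrase = as.getGatewayIdentityPassphrase();
            } catch (AliasServiceException e) {
                throw new ServiceLifecycleException("Error accessing credential store for the gateway.", e);
            }
            // No provisioned identity passphrase: the key is protected with the master secret.
            if (passphrase == null) {
                passphrase = ms.getMasterSecret();
            }
            ks.addSelfSignedCertForGateway("gateway-identity", passphrase);
        } else {
            log.keyStoreForGatewayFoundNotCreating();
        }
        logAndValidateCertificate();
    } catch (KeystoreServiceException e) {
        throw new ServiceLifecycleException("Keystore was not loaded properly - the provided (or persisted) master secret may not match the password for the keystore.", e);
    }
}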
Use of org.apache.knox.gateway.services.security.AliasServiceException in project knox by apache.
The class DefaultTokenAuthorityService, method issueToken.
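/**
 * Issues a JWT for principal {@code p}, signed with the gateway signing key.
 *
 * <p>The claim array handed to {@code JWTToken} holds {@code "KNOXSSO"}, the
 * principal name, an unused {@code null} slot and the expiry as a string
 * ({@code null} when {@code expires == -1}). The signing key is unlocked with
 * the passphrase from {@code getSigningKeyPassphrase()} and must be an RSA key.
 *
 * @param p authenticated principal the token is issued for
 * @param audiences audience claim values
 * @param algorithm JWS algorithm; must be one of {@code SUPPORTED_SIG_ALGS}
 * @param expires expiry value, or {@code -1} for a token without expiry
 * @return the signed token
 * @throws TokenServiceException when the algorithm is unsupported, the passphrase
 *         or key cannot be read, or no signing key is available under the alias
 */
@Override
public JWT issueToken(Principal p, List<String> audiences, String algorithm, long expires) throws TokenServiceException {
    if (!SUPPORTED_SIG_ALGS.contains(algorithm)) {
        throw new TokenServiceException("Cannot issue token - Unsupported algorithm");
    }

    String[] claimArray = new String[4];
    claimArray[0] = "KNOXSSO";
    claimArray[1] = p.getName();
    claimArray[2] = null;
    claimArray[3] = expires == -1 ? null : String.valueOf(expires);

    JWT token = new JWTToken(algorithm, claimArray, audiences);
    char[] passphrase;
    try {
        passphrase = getSigningKeyPassphrase();
    } catch (AliasServiceException e) {
        throw new TokenServiceException(e);
    }
    try {
        RSAPrivateKey key = (RSAPrivateKey) ks.getSigningKey(getSigningKeyAlias(), passphrase);
        // Same check as init(): a missing key must surface as a service error
        // rather than as a failure from inside the signer.
        if (key == null) {
            throw new TokenServiceException("Cannot issue token - Signing key not available");
        }
        JWSSigner signer = new RSASSASigner(key);
        token.sign(signer);
    } catch (KeystoreServiceException e) {
        throw new TokenServiceException(e);
    }
    return token;
}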
Use of org.apache.knox.gateway.services.security.AliasServiceException in project knox by apache.
The class DefaultTokenAuthorityService, method init.
/**
 * Initializes the token authority: requires the alias and keystore services to
 * be set, records the signing key alias from {@code config}, and, when a
 * signing key passphrase is provisioned under {@code SIGNING_KEY_PASSPHRASE},
 * verifies up front that it unlocks the signing key. With no provisioned
 * passphrase nothing is validated here.
 *
 * @param config gateway configuration providing the signing key alias
 * @param options service options (not read here)
 * @throws ServiceLifecycleException when a required service is missing, the
 *         passphrase or key cannot be read, or the passphrase does not yield a key
 */
@Override
public void init(GatewayConfig config, Map<String, String> options) throws ServiceLifecycleException {
    if (as == null || ks == null) {
        throw new ServiceLifecycleException("Alias or Keystore service is not set");
    }
    signingKeyAlias = config.getSigningKeyAlias();
    try {
        char[] provisionedPassphrase = as.getPasswordFromAliasForGateway(SIGNING_KEY_PASSPHRASE);
        if (provisionedPassphrase == null) {
            // Nothing provisioned, so there is nothing to validate at startup.
            return;
        }
        // Fail fast if the provisioned passphrase does not unlock the signing key.
        // NOTE(review): the passphrase array is not cleared after this check; confirm
        // whether the alias service hands out a shared array before adding a wipe.
        RSAPrivateKey signingKey = (RSAPrivateKey) ks.getSigningKey(getSigningKeyAlias(), provisionedPassphrase);
        if (signingKey == null) {
            throw new ServiceLifecycleException("Provisioned passphrase cannot be used to acquire signing key.");
        }
    } catch (AliasServiceException e) {
        throw new ServiceLifecycleException("Provisioned signing key passphrase cannot be acquired.", e);
    } catch (KeystoreServiceException e) {
        throw new ServiceLifecycleException("Provisioned signing key passphrase cannot be acquired.", e);
    }
}