Use of org.apache.knox.gateway.services.security.KeystoreServiceException in project knox by apache.
Class DefaultCryptoService, method sign.
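/**
 * Signs {@code payloadToSign} with the gateway identity private key using the JCA signature
 * {@code algorithm} and returns the raw signature bytes.
 *
 * <p>The private key is read from the gateway keystore, unlocked with the identity passphrase
 * obtained from the alias service. Every failure is logged through {@code LOG.failedToSignData}
 * and mapped to a {@code null} return: callers MUST treat {@code null} as "signing failed" and
 * never forward it as though it were a signature. An entry under the identity alias that is
 * missing or is not a private key is reported the same way, instead of escaping the method as
 * an unchecked ClassCastException.
 *
 * <p>Security notes: {@code algorithm} selects the signature scheme, so it should come from
 * configuration rather than from anything a peer controls (a caller-steered algorithm name
 * could downgrade the scheme). The passphrase array is not wiped here because the alias
 * service may hand out a shared or cached array — confirm its ownership before adding a wipe.
 *
 * @param algorithm     JCA signature algorithm name passed to {@link Signature#getInstance(String)}
 * @param payloadToSign text to sign; encoded as UTF-8 before signing. Must not be null.
 * @return the signature bytes, or {@code null} if any step failed
 */
@Override
public byte[] sign(String algorithm, String payloadToSign) {
  try {
    // The identity passphrase unlocks the gateway's private key entry.
    char[] passphrase = aliasService.getGatewayIdentityPassphrase();
    Object identityKey = keystoreService.getKeyForGateway(passphrase);
    // Report a missing or non-private-key entry like every other signing error, rather than
    // letting an unchecked ClassCastException escape past the logging below.
    if (!(identityKey instanceof PrivateKey)) {
      throw new InvalidKeyException("Gateway identity key is missing or is not a private key");
    }
    Signature signature = Signature.getInstance(algorithm);
    signature.initSign((PrivateKey) identityKey);
    signature.update(payloadToSign.getBytes(StandardCharsets.UTF_8));
    return signature.sign();
  } catch (NoSuchAlgorithmException | AliasServiceException | KeystoreServiceException
      | SignatureException | InvalidKeyException e) {
    LOG.failedToSignData(e);
  }
  // Reached only after a logged failure; null is the failure signal for callers.
  return null;
}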
Use of org.apache.knox.gateway.services.security.KeystoreServiceException in project knox by apache.
Class DefaultTokenAuthorityService, method start.
/**
 * Brings the token authority up by loading and validating the signing material it uses for the
 * lifetime of the service. The checks run in this order and the first failure aborts startup
 * with a {@link ServiceLifecycleException}:
 * <ol>
 *   <li>the signing keystore can be opened;</li>
 *   <li>the signing key passphrase resolves through the alias service;</li>
 *   <li>the certificate under the signing key alias exists and carries an RSA public key; its
 *       SHA-256 thumbprint becomes the cached key id (if the thumbprint cannot be computed the
 *       id is left empty and startup continues);</li>
 *   <li>the private key under the same alias is recoverable with that passphrase and is RSA.</li>
 * </ol>
 *
 * <p>Security notes: only RSA material is accepted, so an EC or other key type fails fast here
 * rather than at first token signing. The passphrase is retained in the
 * {@code cachedSigningKeyPassphrase} field and is not cleared by this method. Certificate
 * validity (expiry, chain) is not checked here; the certificate is only used as the carrier of
 * the public key.
 *
 * @throws ServiceLifecycleException if any required signing artifact is missing, unreadable,
 *         or of the wrong key type
 */
@Override
public void start() throws ServiceLifecycleException {
  final KeyStore signingKeystore = openSigningKeystore();

  cachedSigningKeyPassphrase = loadSigningKeyPassphrase();
  if (cachedSigningKeyPassphrase == null) {
    throw new ServiceLifecycleException(RESOURCES.signingKeyPassphraseNotAvailable(config.getSigningKeyPassphraseAlias()));
  }

  final String alias = getSigningKeyAlias();
  final RSAPublicKey publicSigningKey = requireRsaPublicKey(signingKeystore, alias);
  try {
    cachedSigningKeyID = Optional.of(TokenUtils.getThumbprint(publicSigningKey, "SHA-256"));
  } catch (final JOSEException e) {
    // A missing kid is not fatal: tokens are still signed, just without a key id to advertise.
    LOG.errorGettingKid(e.toString());
    cachedSigningKeyID = Optional.empty();
  }

  signingKey = recoverPrivateSigningKey(signingKeystore, alias, cachedSigningKeyPassphrase);
}

/** Opens the signing keystore; both a service failure and a null keystore abort startup. */
private KeyStore openSigningKeystore() throws ServiceLifecycleException {
  final KeyStore keystore;
  try {
    keystore = keystoreService.getSigningKeystore();
  } catch (KeystoreServiceException e) {
    throw new ServiceLifecycleException(RESOURCES.signingKeystoreNotAvailable(config.getSigningKeystorePath()), e);
  }
  if (keystore == null) {
    throw new ServiceLifecycleException(RESOURCES.signingKeystoreNotAvailable(config.getSigningKeystorePath()));
  }
  return keystore;
}

/** Reads the signing key passphrase from the alias service; may return null if the alias is unset. */
private char[] loadSigningKeyPassphrase() throws ServiceLifecycleException {
  try {
    return aliasService.getSigningKeyPassphrase();
  } catch (AliasServiceException e) {
    throw new ServiceLifecycleException(RESOURCES.signingKeyPassphraseNotAvailable(config.getSigningKeyPassphraseAlias()), e);
  }
}

/**
 * Returns the RSA public key from the certificate stored under {@code alias}. A missing
 * certificate or key maps to {@code publicSigningKeyNotFound}; a non-RSA key to
 * {@code publicSigningKeyWrongType}.
 */
private RSAPublicKey requireRsaPublicKey(KeyStore keystore, String alias) throws ServiceLifecycleException {
  try {
    final Certificate certificate = keystore.getCertificate(alias);
    final PublicKey publicKey = certificate == null ? null : certificate.getPublicKey();
    if (publicKey == null) {
      throw new ServiceLifecycleException(RESOURCES.publicSigningKeyNotFound(alias));
    }
    if (!(publicKey instanceof RSAPublicKey)) {
      throw new ServiceLifecycleException(RESOURCES.publicSigningKeyWrongType(alias));
    }
    return (RSAPublicKey) publicKey;
  } catch (KeyStoreException e) {
    throw new ServiceLifecycleException(RESOURCES.publicSigningKeyNotFound(alias), e);
  }
}

/**
 * Recovers the private key under {@code alias} with {@code passphrase}. Keystore, algorithm
 * and unrecoverable-key errors, as well as a null entry, map to {@code privateSigningKeyNotFound};
 * a non-RSA key to {@code privateSigningKeyWrongType}.
 */
private RSAPrivateKey recoverPrivateSigningKey(KeyStore keystore, String alias, char[] passphrase)
    throws ServiceLifecycleException {
  final Key key;
  try {
    key = keystore.getKey(alias, passphrase);
  } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException e) {
    throw new ServiceLifecycleException(RESOURCES.privateSigningKeyNotFound(alias), e);
  }
  if (key == null) {
    throw new ServiceLifecycleException(RESOURCES.privateSigningKeyNotFound(alias));
  }
  if (!(key instanceof RSAPrivateKey)) {
    throw new ServiceLifecycleException(RESOURCES.privateSigningKeyWrongType(alias));
  }
  return (RSAPrivateKey) key;
}
Use of org.apache.knox.gateway.services.security.KeystoreServiceException in project knox by apache.
Class DefaultTokenAuthorityService, method verifyTokenUsingRSA.
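/**
 * Verifies the RSA signature on {@code token}.
 *
 * <p>When {@code publicKey} is null the public key of the certificate stored under the
 * configured signing key alias is used instead. A missing certificate, or a key that is not an
 * RSA public key, now fails with {@link TokenServiceException} rather than escaping as an
 * unchecked NullPointerException / ClassCastException — the latter mattered because the
 * startup-time RSA check only covers the default alias, not a key passed in by a caller.
 *
 * <p>Security note: verification is delegated to {@code RSASSAVerifier}, which only supports
 * RSA-family JWS algorithms, so a token whose header claims an HMAC algorithm or "none" should
 * fail verification rather than be checked with the public key as an HMAC secret — confirm
 * this against the Nimbus version in use, and consider pinning the expected {@code alg}
 * explicitly if the verifier's default set is broader than intended.
 *
 * @param token     the JWT whose signature is checked
 * @param publicKey RSA key to verify with, or null to use the gateway's signing certificate
 * @return true if the signature verifies, false otherwise
 * @throws TokenServiceException if the keystore cannot be read, the certificate is missing,
 *         or the resolved key is not an RSA public key
 */
private boolean verifyTokenUsingRSA(JWT token, RSAPublicKey publicKey) throws TokenServiceException {
  try {
    PublicKey key = publicKey;
    if (key == null) {
      Certificate certificate = keystoreService.getSigningKeystore().getCertificate(getSigningKeyAlias());
      if (certificate == null) {
        throw new TokenServiceException("Cannot verify token: no certificate found for the signing key alias.");
      }
      key = certificate.getPublicKey();
    }
    // The verifier needs an RSA key; anything else must be a checked failure, not a cast error.
    if (!(key instanceof RSAPublicKey)) {
      throw new TokenServiceException("Cannot verify token: signing key is not an RSA public key.");
    }
    final JWSVerifier verifier = new RSASSAVerifier((RSAPublicKey) key);
    // consider jwk for specifying the key too
    return token.verify(verifier);
  } catch (KeyStoreException | KeystoreServiceException e) {
    throw new TokenServiceException("Cannot verify token.", e);
  }
}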
Use of org.apache.knox.gateway.services.security.KeystoreServiceException in project knox by apache.
Class JettySSLService, method init.
/**
 * Initializes the TLS service: applies the JSSE system property taken from the gateway config,
 * then makes sure the gateway credential store and identity keystore exist, creating them (and
 * a self-signed identity certificate) on first start, and finally logs and validates the
 * identity certificate.
 *
 * <p>Security notes: the ephemeral DH key size is written to the JVM-wide system property
 * {@code EPHEMERAL_DH_KEY_SIZE_PROPERTY}, so it affects every TLS endpoint in this JVM, not
 * just the gateway listener. When the credential store is created, no separate key passphrase
 * is generated: by default the identity key is protected by whatever the gateway identity
 * passphrase alias resolves to, and deployments that want a distinct key passphrase add the
 * alias explicitly with the CLI. The certificate generated on first start is self-signed and is
 * a bootstrap identity only; it should be replaced with a CA-issued certificate for production use.
 *
 * @param config  gateway configuration (ephemeral DH key size, identity key alias)
 * @param options service options; not used by this method
 * @throws ServiceLifecycleException if the credential store or identity keystore cannot be
 *         loaded or created, or the identity passphrase cannot be read from the alias service
 */
@Override
public void init(GatewayConfig config, Map<String, String> options) throws ServiceLifecycleException {
  // JSSE/security system properties must be set before any SSLContext is built.
  System.setProperty(EPHEMERAL_DH_KEY_SIZE_PROPERTY, config.getEphemeralDHKeySize());
  ensureGatewayCredentialStore();
  ensureGatewayIdentityKeystore(config);
}

/** Creates the gateway credential store if it does not exist yet; logs the outcome either way. */
private void ensureGatewayCredentialStore() throws ServiceLifecycleException {
  try {
    if (keystoreService.isCredentialStoreForClusterAvailable(GATEWAY_CREDENTIAL_STORE_NAME)) {
      log.credentialStoreForGatewayFoundNotCreating();
      return;
    }
    log.creatingCredentialStoreForGateway();
    keystoreService.createCredentialStoreForCluster(GATEWAY_CREDENTIAL_STORE_NAME);
    // Deliberately NOT calling as.generateAliasForCluster(GATEWAY_CREDENTIAL_STORE_NAME,
    // GATEWAY_IDENTITY_PASSPHRASE): a distinct key passphrase is no longer generated by default.
    // A deployment that wants one adds the alias explicitly with the CLI.
  } catch (KeystoreServiceException e) {
    throw new ServiceLifecycleException("Keystore was not loaded properly - the provided password may not match the password for the keystore.", e);
  }
}

/**
 * Creates the identity keystore plus a self-signed certificate for the identity key alias if
 * the keystore does not exist yet, then logs and validates the certificate.
 */
private void ensureGatewayIdentityKeystore(GatewayConfig config) throws ServiceLifecycleException {
  try {
    if (keystoreService.isKeystoreForGatewayAvailable()) {
      log.keyStoreForGatewayFoundNotCreating();
    } else {
      log.creatingKeyStoreForGateway();
      keystoreService.createKeystoreForGateway();
      final char[] identityPassphrase = readGatewayIdentityPassphrase();
      keystoreService.addSelfSignedCertForGateway(config.getIdentityKeyAlias(), identityPassphrase);
    }
    logAndValidateCertificate(config);
  } catch (KeystoreServiceException e) {
    throw new ServiceLifecycleException("The identity keystore was not loaded properly - the provided password may not match the password for the keystore.", e);
  }
}

/** Reads the gateway identity passphrase, mapping alias-service failures to a lifecycle error. */
private char[] readGatewayIdentityPassphrase() throws ServiceLifecycleException {
  try {
    return aliasService.getGatewayIdentityPassphrase();
  } catch (AliasServiceException e) {
    throw new ServiceLifecycleException("Error accessing credential store for the gateway.", e);
  }
}
Use of org.apache.knox.gateway.services.security.KeystoreServiceException in project knox by apache.
Class TruststoreSSLContextUtils, method getTruststoreSSLContext.
/**
 * Builds an {@link SSLContext} whose trust anchors come from the gateway's HTTP-client
 * truststore, or returns {@code null} when no such context can be built.
 *
 * <p>{@code null} is returned when {@code keystoreService} is null, when it has no HTTP-client
 * truststore, or when loading or building fails — in the last case the error is logged, not
 * rethrown. Callers must therefore treat {@code null} as "no custom trust configured" and
 * decide explicitly what to fall back to; silently using the JVM default trust store after a
 * logged truststore error (e.g. a wrong truststore password) would mask a misconfiguration.
 *
 * <p>Security note: the trust material is loaded with a {@code null} TrustStrategy, i.e. the
 * default trust manager validates peer chains against the truststore's anchors. Do not "fix"
 * connection failures by passing a permissive strategy here — that would disable certificate
 * validation for every client built from this context.
 *
 * @param keystoreService source of the HTTP-client truststore; may be null
 * @return an SSLContext trusting the configured truststore, or {@code null}
 */
public static SSLContext getTruststoreSSLContext(KeystoreService keystoreService) {
  if (keystoreService == null) {
    return null;
  }
  try {
    final KeyStore httpClientTruststore = keystoreService.getTruststoreForHttpClient();
    if (httpClientTruststore == null) {
      return null;
    }
    final SSLContextBuilder builder = SSLContexts.custom();
    // null strategy: keep default chain validation against the truststore.
    builder.loadTrustMaterial(httpClientTruststore, null);
    return builder.build();
  } catch (KeystoreServiceException | NoSuchAlgorithmException | KeyStoreException | KeyManagementException e) {
    LOGGER.failedToLoadTruststore(e.getMessage(), e);
    return null;
  }
}