Code development platform for open source projects from the European Union institutions

Skip to content
Snippets Groups Projects
Commit 0122458e authored by Joze RIHTARSIC's avatar Joze RIHTARSIC
Browse files

Keystore data refresh if file date modified

parent 2fef5d71
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/SecurityUtilsServices.java
+ 3
2
View file @ 0122458e
package eu.europa.ec.edelivery.smp.services;
import eu.europa.ec.edelivery.smp.exceptions.SMPRuntimeException;
import org.apache.commons.lang3.exception.ExceptionUtils;
import org.springframework.stereotype.Component;
import javax.crypto.*;
......@@ -102,9 +103,9 @@ public class SecurityUtilsServices {
byte[] decrypted = cipher.doFinal(decodedEncryptedPassword);
return new String(decrypted);
} catch (BadPaddingException | IllegalBlockSizeException ibse) {
throw new SMPRuntimeException(INTERNAL_ERROR,ibse, "Either private key or encrypted password might not be correct. Please check both.",ibse.getMessage());
throw new SMPRuntimeException(INTERNAL_ERROR,ibse, "Either private key '"+keyPath.getAbsolutePath()+"' or encrypted password might not be correct. Please check both. Root cause: " + ExceptionUtils.getRootCauseMessage(ibse),ibse.getMessage());
} catch (Exception exc) {
throw new SMPRuntimeException(INTERNAL_ERROR,exc, "Error occurred while decrypting the password", exc.getMessage());
throw new SMPRuntimeException(INTERNAL_ERROR,exc, "Error occurred while decrypting the password with the key: '"+keyPath.getAbsolutePath()+"'! Root cause: " + ExceptionUtils.getRootCauseMessage(exc), exc.getMessage());
}
}
}
smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/ui/UIKeystoreService.java
+ 130
57
View file @ 0122458e
package eu.europa.ec.edelivery.smp.services.ui;
import eu.europa.ec.edelivery.smp.data.ui.CertificateRO;
import eu.europa.ec.edelivery.smp.data.ui.enums.SMPPropertyEnum;
import eu.europa.ec.edelivery.smp.exceptions.ErrorCode;
import eu.europa.ec.edelivery.smp.exceptions.SMPRuntimeException;
import eu.europa.ec.edelivery.smp.logging.SMPLogger;
import eu.europa.ec.edelivery.smp.logging.SMPLoggerFactory;
import eu.europa.ec.edelivery.smp.services.SecurityUtilsServices;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.exception.ExceptionUtils;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.springframework.beans.factory.annotation.Autowired;
......@@ -21,10 +23,7 @@ import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.*;
import static java.util.Collections.list;
import static org.apache.commons.lang3.StringUtils.isBlank;
......@@ -57,9 +56,12 @@ public class UIKeystoreService {
private Map<String, Key> keystoreKeys;
private Map<String, X509Certificate> keystoreCertificates;
List<CertificateRO> certificateROList = new ArrayList<>();
private KeyManager[] keyManagers;
private long lastUpdateKeystoreFileTime = 0;
private File lastUpdateKeystoreFile = null;
@PostConstruct
public void init() {
......@@ -71,113 +73,168 @@ public class UIKeystoreService {
private void setupJCEProvider() {
Provider[] providerList = Security.getProviders();
if (providerList == null || providerList.length <= 0 || !(providerList[0] instanceof BouncyCastleProvider)) {
Security.insertProviderAt(new org.bouncycastle.jce.provider.BouncyCastleProvider(), 1);
}
}
public void refreshData() {
public void validateConfigurationData() {
// validate configuration data
if (StringUtils.isBlank(configurationDir)) {
throw new SMPRuntimeException(ErrorCode.CONFIGURATION_ERROR, "SMP keystore folder is not set or is empty value! Set the following property in database: '" + SMPPropertyEnum.CONFIGURATION_DIR.getProperty() + "'.");
}
LOG.info("initialize from configuration folder:{}, enc file: {}, keystore {}" , configurationDir, encryptionFilename, smpKeyStoreFilename);
if (configurationDir == null || encryptionFilename == null) {
LOG.warn("Configuration folder and/or encryption filename are not set in database!");
return;
if (StringUtils.isBlank(encryptionFilename)) {
throw new SMPRuntimeException(ErrorCode.CONFIGURATION_ERROR, "Encryption filename is not set or is empty value! Set the following property in database: '" + SMPPropertyEnum.ENCRYPTION_FILENAME.getProperty() + "'.");
}
if (StringUtils.isBlank(smpKeyStoreFilename)) {
throw new SMPRuntimeException(ErrorCode.CONFIGURATION_ERROR, "SMP keystore filename is not set or is empty value! Set the following property in database: '" + SMPPropertyEnum.KEYSTORE_FILENAME.getProperty() + "'.");
}
if (StringUtils.isBlank(smpKeyStorePasswordEncrypted)) {
throw new SMPRuntimeException(ErrorCode.CONFIGURATION_ERROR, "Encrypted keystore password not exists in database : '" + SMPPropertyEnum.KEYSTORE_PASSWORD.getProperty() + "'.");
}
File file = new File(configurationDir + File.separator + encryptionFilename);
File keystoreFilePath = new File(configurationDir + File.separator + smpKeyStoreFilename);
if (!file.exists()) {
LOG.error("Encryption key file '{}' does not exists!", file.getAbsolutePath());
return;
throw new SMPRuntimeException(ErrorCode.CONFIGURATION_ERROR, "Encryption key file: '" + file.getAbsolutePath() + "' does not exists!");
}
if (!keystoreFilePath.exists()) {
LOG.error("Keystore file '{}' does not exists!", keystoreFilePath.getAbsolutePath());
return;
File keystoreFile = getKeyStoreFile();
if (!keystoreFile.exists()) {
throw new SMPRuntimeException(ErrorCode.CONFIGURATION_ERROR, "Keystore file: '" + keystoreFile.getAbsolutePath() + "' does not exists!");
}
// decrypt password
smpKeyStorePasswordDecrypted = securityUtilsServices.decrypt(file, smpKeyStorePasswordEncrypted);
}
/**
* Method validates the configuration properties and refresh the
* cached data
*/
public void refreshData() {
try {
smpKeyStorePasswordDecrypted = securityUtilsServices.decrypt(file, smpKeyStorePasswordEncrypted);
} catch (SMPRuntimeException exception) {
LOG.error("Error occurred while using encryption key: " + file.getAbsolutePath() + " Error: " + ExceptionUtils.getRootCauseMessage(exception), exception);
validateConfigurationData();
} catch (SMPRuntimeException ex) {
LOG.error("Keystore was not (re)loaded. Invalid configuration: " + ex.getMessage());
return;
}
// load keystore
KeyStore keyStore = loadKeystore();
File keystoreFile = getKeyStoreFile();
KeyStore keyStore = loadKeystore(keystoreFile);
if (keyStore == null) {
LOG.error("Keystore: '"+keystoreFile.getAbsolutePath()+"' is not loaded! Check the keystore and the configuration!");
return;
}
// init key managers for TLS
try {
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(keyStore, smpKeyStorePasswordDecrypted.toCharArray());
keyManagers = kmf.getKeyManagers();
} catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException exception) {
LOG.error("Error occurred while initialize keyManagers : " + file.getAbsolutePath() + " Error: " + ExceptionUtils.getRootCauseMessage(exception), exception);
LOG.error("Error occurred while initialize keyManagers : " + keystoreFile.getAbsolutePath() + " Error: " + ExceptionUtils.getRootCauseMessage(exception), exception);
return;
}
// load keys for signature
try {
updateData(keyStore);
}
public KeyManager[] getKeyManagers() {
return keyManagers;
}
Map<String, Key> hmKeys = new HashMap<>();
Map<String, X509Certificate> hmCertificates = new HashMap<>();
private void updateData(KeyStore keyStore) {
try {
List<String> aliases= list(keyStore.aliases());
for (String alias : aliases) {
loadKeyAndCert(keyStore, alias, hmKeys,hmCertificates );
}
// setup new values
keystoreKeys.clear();
keystoreCertificates.clear();
for (String alias : list(keyStore.aliases())) {
loadKeyAndCert(keyStore, alias);
}
keystoreKeys.putAll(hmKeys);
keystoreCertificates.putAll(hmCertificates);
} catch (Exception exception) {
LOG.error("Could not load signing certificate amd private keys Error: " + ExceptionUtils.getRootCauseMessage(exception), exception);
return;
}
lastUpdateKeystoreFileTime = keystoreFile.lastModified();
lastUpdateKeystoreFile = keystoreFile;
certificateROList.clear();
}
boolean isKeyStoreChanged() {
File file = getKeyStoreFile();
return !Objects.equals(lastUpdateKeystoreFile, file ) || file.lastModified() != lastUpdateKeystoreFileTime;
}
public File getKeyStoreFile() {
return new File(configurationDir + File.separator + smpKeyStoreFilename);
}
public KeyManager[] getKeyManagers() {
// check if keystore is changes
if (isKeyStoreChanged()) {
refreshData();
}
return keyManagers;
}
private KeyStore loadKeystore() {
// Load the KeyStore and get the signing key and certificate.
File keystoreFilePath = new File(configurationDir + File.separator + smpKeyStoreFilename);
if (!keystoreFilePath.exists()) {
LOG.error("Keystore file '{}' does not exists!", keystoreFilePath.getAbsolutePath());
private KeyStore loadKeystore(File keyStoreFile) {
// Load the KeyStore.
if (!keyStoreFile.exists()) {
LOG.error("Keystore file '{}' does not exists!", keyStoreFile.getAbsolutePath());
return null;
}
KeyStore keyStore = null;
try (InputStream keystoreInputStream = new FileInputStream(keystoreFilePath)) {
try (InputStream keystoreInputStream = new FileInputStream(keyStoreFile)) {
keyStore = KeyStore.getInstance("JKS");
keyStore.load(keystoreInputStream, smpKeyStorePasswordDecrypted.toCharArray());
} catch (Exception exception) {
LOG.error("Could not load signing certificate with private key from keystore file:"
+ keystoreFilePath + " Error: " + ExceptionUtils.getRootCauseMessage(exception), exception);
+ keyStoreFile + " Error: " + ExceptionUtils.getRootCauseMessage(exception), exception);
}
return keyStore;
}
private void loadKeyAndCert(KeyStore keyStore, String alias) throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException {
private void loadKeyAndCert(KeyStore keyStore, String alias, Map<String, Key> hmKeys, Map<String, X509Certificate> hmCertificates) throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException {
Key key = keyStore.getKey(alias, smpKeyStorePasswordDecrypted.toCharArray());
Certificate certificate = keyStore.getCertificate(alias);
if (key == null || certificate == null || !(certificate instanceof X509Certificate)) {
throw new IllegalStateException("Wrong entry type found in keystore, only certificates with keypair are accepted, entry alias: " + alias);
LOG.warn("Wrong entry type found in keystore, only certificates with keypair are accepted, entry alias: "
+ alias + ". Entry is ignored");
return;
}
keystoreKeys.put(alias, key);
keystoreCertificates.put(alias, (X509Certificate) certificate);
// add to cache
hmKeys.put(alias, key);
hmCertificates.put(alias, (X509Certificate) certificate);;
}
public List<CertificateRO> getKeystoreEntriesList() {
List<CertificateRO> keystoreList = new ArrayList<>();
keystoreCertificates.forEach((alias, crt) -> {
CertificateRO cro = convertToRo(crt);
cro.setAlias(alias);
keystoreList.add(cro);
});
return keystoreList;
if (isKeyStoreChanged()) {
refreshData();
// refresh also the list
certificateROList.clear();
}
if (certificateROList.isEmpty() && !keystoreCertificates.isEmpty()){
keystoreCertificates.forEach( (alias, cert)-> {
CertificateRO certificateRO = convertToRo(cert);
certificateRO.setAlias(alias);
certificateROList.add(certificateRO);
});
}
return certificateROList;
}
......@@ -187,22 +244,35 @@ public class UIKeystoreService {
public Key getKey(String keyAlias) {
if (keystoreKeys.size() == 1) {
// for backward compatibility...
// don't care about configured alias in single-domain setup
// and return the only key
LOG.warn("Returning the only key in keystore regardless the configuration");
return keystoreKeys.values().iterator().next();
}
if (isBlank(keyAlias) || !keystoreKeys.containsKey(keyAlias)) {
throw new SMPRuntimeException(ErrorCode.CONFIGURATION_ERROR, "Wrong configuration, missing key pair from keystore or wrong alias: " + keyAlias);
}
return keystoreKeys.get(keyAlias);
}
public X509Certificate getCert(String certAlias) {
if (isKeyStoreChanged()) {
refreshData();
}
if (keystoreCertificates.size() == 1) {
// for backward compatibility...
// don't care about configured alias in single-domain setup
// and return the only key
LOG.warn("Returning the only certificate in keystore regardless the configuration");
return keystoreCertificates.values().iterator().next();
}
if (isBlank(certAlias) || !keystoreCertificates.containsKey(certAlias)) {
throw new SMPRuntimeException(ErrorCode.CONFIGURATION_ERROR, "Wrong configuration, missing key pair from keystore or wrong alias: " + certAlias);
throw new SMPRuntimeException(ErrorCode.CONFIGURATION_ERROR, "Wrong configuration, missing key pair from keystore or wrong alias: " + certAlias);
}
return keystoreCertificates.get(certAlias);
}
......@@ -215,12 +285,14 @@ public class UIKeystoreService {
*/
public void importKeys(KeyStore newKeystore, String password) throws UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException, IOException, CertificateException {
KeyStore keyStore = loadKeystore();
KeyStore keyStore = loadKeystore(getKeyStoreFile());
if (keyStore != null) {
securityUtilsServices.mergeKeystore(keyStore, smpKeyStorePasswordDecrypted, newKeystore, password);
// store keystore
storeKeystore(keyStore);
updateData(keyStore);
// refresh
refreshData();
}
}
......@@ -231,17 +303,18 @@ public class UIKeystoreService {
*/
public void deleteKey(String alias) throws NoSuchAlgorithmException, KeyStoreException, IOException, CertificateException {
KeyStore keyStore = loadKeystore();
KeyStore keyStore = loadKeystore(getKeyStoreFile());
if (keyStore != null) {
keyStore.deleteEntry(alias);
// store keystore
storeKeystore(keyStore);
updateData(keyStore);
refreshData();
}
}
/**
* Store keystore
*
* @param keyStore to store
* @throws IOException
* @throws CertificateException
......
smp-server-library/src/test/java/eu/europa/ec/edelivery/smp/services/ui/UIKeystoreServiceTest.java
+ 31
3
View file @ 0122458e
......@@ -14,6 +14,7 @@ import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import javax.net.ssl.KeyManager;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
......@@ -25,9 +26,7 @@ import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.List;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.*;
@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration(classes = {UIKeystoreService.class, SecurityUtilsServices.class, ConversionTestConfig.class, PropertiesKeystoreTestConfig.class})
......@@ -202,5 +201,34 @@ public class UIKeystoreServiceTest {
return keyStore;
}
@Test
public void testDetectKeystoreChangeForEntryList() throws CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException, UnrecoverableKeyException {
// given
testInstance.importKeys(loadKeystore("test-import.jks","NewPassword1234", "JKS" ), "NewPassword1234");
assertEquals(3,testInstance.getKeystoreEntriesList().size());
// when
propertiesKeystoreTestConfig.resetKeystore();
// then
assertEquals(1, testInstance.getKeystoreEntriesList().size());
}
@Test
public void testDetectKeystoreChangeForKeyManagers() throws CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException, UnrecoverableKeyException {
// given
KeyManager km = testInstance.getKeyManagers()[0];
testInstance.importKeys(loadKeystore("test-import.jks","NewPassword1234", "JKS" ), "NewPassword1234");
// keymanager is updated
assertNotEquals(km, testInstance.getKeyManagers()[0]);
km = testInstance.getKeyManagers()[0];
// when just changing the file
propertiesKeystoreTestConfig.resetKeystore();
// then
assertNotEquals(km, testInstance.getKeyManagers()[0]);
}
}
\ No newline at end of file
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment

For further information about the platform and support, please see https://code.europa.eu/info/about