inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-08-07 17:49:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

ALF-9510 checkin. Also some fixes for ALF-8702.

Browse Source 
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@30070 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Steven Glover
2011-08-25 16:22:33 +00:00
parent 98947fda5c
commit b8d0df0c95
26 changed files with 969 additions and 529 deletions
Download Patch File Download Diff File Expand all files Collapse all files

281
source/java/org/alfresco/encryption/KeyStoreChecker.java
View File

@@ -18,56 +18,36 @@
*/
package org.alfresco.encryption;
import java.io.FileOutputStream;
import java.io.Serializable;
import java.security.InvalidKeyException;
import java.security.Key;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import org.alfresco.error.AlfrescoRuntimeException;
import org.alfresco.repo.transaction.RetryingTransactionHelper;
import org.alfresco.repo.transaction.RetryingTransactionHelper.RetryingTransactionCallback;
import org.alfresco.service.cmr.attributes.AttributeService;
import org.alfresco.service.cmr.attributes.AttributeService.AttributeQueryCallback;
import org.alfresco.service.transaction.TransactionService;
import org.alfresco.util.EqualsHelper;
import org.alfresco.util.GUID;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
/**
* Validates an Alfresco keystore by ensuring that it's registered keys have not changed.
*
* The keys are registered using the AttributeService and are stored in one level under TOP_LEVEL_KEY
* (so key aliases must be unique across however many keystores are being used).
*
* @since 4.0
*
*/
public class KeyStoreChecker
{
public static String TOP_LEVEL_KEY = "keyCheck";
private static final Log logger = LogFactory.getLog(KeyStoreChecker.class);
private static enum KEY_STATUS
{
OK, CHANGED, MISSING;
};
private AttributeService attributeService;
private Encryptor encryptor;
private TransactionService transactionService;
private EncryptionKeysRegistryImpl encryptionKeysRegistry;
public KeyStoreChecker()
{
}
public void setAttributeService(AttributeService attributeService)
public void setEncryptionKeysRegistry(EncryptionKeysRegistryImpl encryptionKeysRegistry)
{
this.attributeService = attributeService;
}
public void setEncryptor(Encryptor encryptor)
{
this.encryptor = encryptor;
this.encryptionKeysRegistry = encryptionKeysRegistry;
}
public void setTransactionService(TransactionService transactionService)
@@ -75,100 +55,38 @@ public class KeyStoreChecker
this.transactionService = transactionService;
}
public KeyStoreChecker(AttributeService attributeService, Encryptor encryptor, TransactionService transactionService)
public KeyStoreChecker(EncryptionKeysRegistryImpl encryptionKeysRegistry)
{
this.attributeService = attributeService;
this.transactionService = transactionService;
this.encryptor = encryptor;
this.encryptionKeysRegistry = encryptionKeysRegistry;
}
private KEY_STATUS checkKey(AlfrescoKeyStore keyStore, String keyAlias)
{
if(attributeService.exists(TOP_LEVEL_KEY, keyStore.getLocation(), keyAlias))
{
try
{
// check that the key has not changed by decrypting the encrypted guid attribute
// comparing against the guid
KeyCheck keyCheck = (KeyCheck)attributeService.getAttribute(TOP_LEVEL_KEY, keyStore.getLocation(), keyAlias);
Serializable storedGUID = encryptor.unsealObject(keyAlias, keyCheck.getEncrypted());
return EqualsHelper.nullSafeEquals(storedGUID, keyCheck.getGuid()) ? KEY_STATUS.OK : KEY_STATUS.CHANGED;
}
catch(InvalidKeyException e)
{
// key exception indicates that the key has changed - it can't decrypt the
// previously-encrypted data
return KEY_STATUS.CHANGED;
}
}
else
{
return KEY_STATUS.MISSING;
}
}
private void registerKey(AlfrescoKeyStore keyStore, String keyAlias)
protected void createKeyStore(AlfrescoKeyStore keyStore)
{
// register the key by creating an attribute that stores a guid and its encrypted value
String guid = GUID.generate();
Serializable encrypted = encryptor.sealObject(keyAlias, null, guid);
KeyCheck keyCheck = new KeyCheck(guid, encrypted);
attributeService.createAttribute(keyCheck, TOP_LEVEL_KEY, keyStore.getLocation(), keyAlias);
logger.info("Registered key " + keyAlias);
keyStore.create();
// Register the key store keys
for(String keyAlias : keyStore.getKeyAliases())
{
encryptionKeysRegistry.registerKey(keyAlias);
}
}
protected KeysReport getKeysReport(AlfrescoKeyStore keyStore)
{
final List<String> registeredKeys = new ArrayList<String>();
if(attributeService.exists(TOP_LEVEL_KEY, keyStore.getLocation()))
{
attributeService.getAttributes(new AttributeQueryCallback()
{
public boolean handleAttribute(Long id, Serializable value,
Serializable[] keys)
{
registeredKeys.add((String)value);
return true;
}
},
TOP_LEVEL_KEY, keyStore.getLocation());
}
List<String> keyAliasesChanged = new ArrayList<String>();
List<String> keyAliasesUnchanged = new ArrayList<String>();
for(String keyAlias : registeredKeys)
{
KEY_STATUS keyStatus = checkKey(keyStore, keyAlias);
if(keyStatus == KEY_STATUS.CHANGED)
{
keyAliasesChanged.add(keyAlias);
}
else
{
keyAliasesUnchanged.add(keyAlias);
}
}
return new KeysReport(keyAliasesChanged, keyAliasesUnchanged);
}
public void checkKeyStore(final AlfrescoKeyStore keyStore)
{
// TODO check that, if keystore exists, keys are registered
RetryingTransactionHelper retryingTransactionHelper = transactionService.getRetryingTransactionHelper();
final RetryingTransactionCallback<Void> checkKeysCallback = new RetryingTransactionCallback<Void>()
{
public Void execute() throws Throwable
{
KeysReport keysReport = getKeysReport(keyStore);
KeysReport keysReport = encryptionKeysRegistry.getKeysReport();
// Check for the existence of a key store first
if(keyStore.exists())
{
// The keystore exists - check whether any keys have been changed
if(keysReport.getKeysChanged().size() > 0)
// find out which registered keys have changed
if(keysReport.getKeysChanged().size() > 0)
{
// Note: this will halt the application bootstrap.
throw new AlfrescoRuntimeException("The keys with aliases " + keysReport.getKeysChanged() + " have been changed, re-instate the previous keystore");
@@ -182,9 +100,7 @@ public class KeyStoreChecker
// Note: this will halt the application bootstrap.
throw new AlfrescoRuntimeException("Keys have already been registered, re-instate the previous keystore");
}
// no keys found, create a new keystore
// TODO
if(logger.isDebugEnabled())
{
logger.debug("Keystore not found, creating...");
@@ -197,157 +113,4 @@ public class KeyStoreChecker
};
retryingTransactionHelper.doInTransaction(checkKeysCallback, false);
}
protected void createKeyStore(AlfrescoKeyStore keyStore)
{
new CreatingKeyStore(keyStore).create();
}
public static class KeysReport
{
private List<String> keysChanged;
private List<String> keysUnchanged;
public KeysReport(List<String> keysChanged, List<String> keysUnchanged)
{
super();
this.keysChanged = keysChanged;
this.keysUnchanged = keysUnchanged;
}
public List<String> getKeysChanged()
{
return keysChanged;
}
public List<String> getKeysUnchanged()
{
return keysUnchanged;
}
}
/**
* A KeyCheck object stores a well-known guid and it's encrypted value.
*
* @since 4.0
*
*/
private static class KeyCheck implements Serializable
{
private static final long serialVersionUID = 4514315444977162903L;
private String guid;
private Serializable encrypted;
public KeyCheck(String guid, Serializable encrypted)
{
super();
this.guid = guid;
this.encrypted = encrypted;
}
public String getGuid()
{
return guid;
}
public Serializable getEncrypted()
{
return encrypted;
}
public boolean equals(Object other)
{
if(this == other)
{
return true;
}
if(!(other instanceof KeyCheck))
{
return false;
}
KeyCheck keyCheck = (KeyCheck)other;
return EqualsHelper.nullSafeEquals(keyCheck.getGuid(), getGuid()) &&
EqualsHelper.nullSafeEquals(keyCheck.getEncrypted(), getEncrypted());
}
}
public void removeRegisteredKeys(final AlfrescoKeyStore keyStore)
{
RetryingTransactionHelper retryingTransactionHelper = transactionService.getRetryingTransactionHelper();
final RetryingTransactionCallback<Void> removeKeysCallback = new RetryingTransactionCallback<Void>()
{
public Void execute() throws Throwable
{
attributeService.removeAttributes(TOP_LEVEL_KEY, keyStore.getLocation());
return null;
}
};
retryingTransactionHelper.doInTransaction(removeKeysCallback, false);
}
private class CreatingKeyStore extends CachingKeyStore
{
CreatingKeyStore(AlfrescoKeyStore keyStore)
{
super(keyStore.getkeyStoreParameters(), keyStore.getKeyResourceLoader());
}
public void create()
{
KeyInfoManager keyInfoManager = null;
try
{
keyInfoManager = getKeyInfoManager();
ks.load(null, null);
String keyStorePassword = keyInfoManager.getKeyStorePassword();
if(keyStorePassword == null)
{
throw new AlfrescoRuntimeException("Key store password is null for keystore at location " + getLocation()
+ ", key store meta data location" + getKeyMetaDataFileLocation());
}
// Add keys from the passwords file to the keystore
for(Map.Entry<String, CachingKeyStore.KeyInformation> keyEntry : keyInfoManager.getKeyInfo().entrySet())
{
KeyInformation keyInfo = keyInfoManager.getKeyInformation(keyEntry.getKey());
String keyPassword = keyInfo.getPassword();
if(keyPassword == null)
{
throw new AlfrescoRuntimeException("No password found for encryption key " + keyEntry.getKey());
}
Key key = generateSecretKey(keyEntry.getValue());
ks.setKeyEntry(keyInfo.getAlias(), key, keyInfo.getPassword().toCharArray(), null);
}
ks.store(new FileOutputStream(getLocation()), keyStorePassword.toCharArray());
// Register the key store keys
for(Map.Entry<String, CachingKeyStore.KeyInformation> keyEntry : keyInfoManager.getKeyInfo().entrySet())
{
registerKey(this, keyEntry.getKey());
}
}
catch(Throwable e)
{
throw new AlfrescoRuntimeException(
"Failed to create keystore: \n" +
" Location: " + getLocation() + "\n" +
" Provider: " + getProvider() + "\n" +
" Type: " + getType(),
e);
}
finally
{
if(keyInfoManager != null)
{
keyInfoManager.clear();
}
}
}
}
}