diff --git a/core/src/main/java/org/alfresco/encryption/AlfrescoKeyStoreImpl.java b/core/src/main/java/org/alfresco/encryption/AlfrescoKeyStoreImpl.java index 085bec231a..747d4e652a 100644 --- a/core/src/main/java/org/alfresco/encryption/AlfrescoKeyStoreImpl.java +++ b/core/src/main/java/org/alfresco/encryption/AlfrescoKeyStoreImpl.java @@ -322,7 +322,7 @@ public class AlfrescoKeyStoreImpl implements AlfrescoKeyStore try { - keyInfoManager = getKeyInfoManager(getKeyMetaDataFileLocation()); + keyInfoManager = getKeyInfoManager(getKeyStoreParameters()); KeyStore ks = loadKeyStore(keyStoreParameters, keyInfoManager); logger.debug("Initializing key managers"); @@ -355,7 +355,7 @@ public class AlfrescoKeyStoreImpl implements AlfrescoKeyStore try { - keyInfoManager = getKeyInfoManager(getKeyMetaDataFileLocation()); + keyInfoManager = getKeyInfoManager(getKeyStoreParameters()); KeyStore ks = loadKeyStore(getKeyStoreParameters(), keyInfoManager); logger.debug("Initializing trust managers"); @@ -376,12 +376,7 @@ public class AlfrescoKeyStoreImpl implements AlfrescoKeyStore } } } - - protected String getKeyMetaDataFileLocation() - { - return keyStoreParameters.getKeyMetaDataFileLocation(); - } - + protected InputStream getKeyStoreStream(String location) throws FileNotFoundException { if(location == null) @@ -396,9 +391,17 @@ public class AlfrescoKeyStoreImpl implements AlfrescoKeyStore return new FileOutputStream(getKeyStoreParameters().getLocation()); } - protected KeyInfoManager getKeyInfoManager(String metadataFileLocation) throws FileNotFoundException, IOException + protected KeyInfoManager getKeyInfoManager(KeyStoreParameters keyStoreParameters) throws IOException { - return new KeyInfoManager(metadataFileLocation, keyResourceLoader); + return new KeyInfoManager(keyStoreParameters, keyResourceLoader); + } + + @Deprecated + protected KeyInfoManager getKeyInfoManager(String metadataFileLocation) throws IOException + { + KeyStoreParameters keyStoreParameters = new KeyStoreParameters(); + keyStoreParameters.setKeyMetaDataFileLocation(metadataFileLocation); + return new KeyInfoManager(keyStoreParameters, keyResourceLoader); } protected KeyMap cacheKeys(KeyStore ks, KeyInfoManager keyInfoManager) @@ -563,7 +566,7 @@ public class AlfrescoKeyStoreImpl implements AlfrescoKeyStore try { - keyInfoManager = getKeyInfoManager(keyStoreParameters.getKeyMetaDataFileLocation()); + keyInfoManager = getKeyInfoManager(keyStoreParameters); ks = loadKeyStore(keyStoreParameters, keyInfoManager); // Loaded } @@ -635,7 +638,7 @@ public class AlfrescoKeyStoreImpl implements AlfrescoKeyStore try { - keyInfoManager = getKeyInfoManager(getKeyMetaDataFileLocation()); + keyInfoManager = getKeyInfoManager(getKeyStoreParameters()); Key key = getSecretKey(keyInfoManager.getKeyInformation(keyAlias)); encryptionKeysRegistry.registerKey(keyAlias, key); keys.setKey(keyAlias, key); @@ -678,7 +681,7 @@ public class AlfrescoKeyStoreImpl implements AlfrescoKeyStore { if(!keyStoreExists(keyStoreParameters.getLocation())) { - keyInfoManager = getKeyInfoManager(keyStoreParameters.getKeyMetaDataFileLocation()); + keyInfoManager = getKeyInfoManager(keyStoreParameters); KeyStore ks = initialiseKeyStore(keyStoreParameters.getType(), keyStoreParameters.getProvider()); String keyStorePassword = keyInfoManager.getKeyStorePassword(); @@ -686,7 +689,7 @@ public class AlfrescoKeyStoreImpl implements AlfrescoKeyStore { throw new AlfrescoRuntimeException("Key store password is null for keystore at location " + getKeyStoreParameters().getLocation() - + ", key store meta data location" + getKeyMetaDataFileLocation()); + + ". Either specify it as a JVM property or in key store meta data location."); } for(String keyAlias : keys.getKeyAliases()) @@ -765,8 +768,13 @@ public class AlfrescoKeyStoreImpl implements AlfrescoKeyStore } } - protected Key getSecretKey(KeyInformation keyInformation) throws NoSuchAlgorithmException, InvalidKeyException, InvalidKeySpecException + protected Key getSecretKey(KeyInformation keyInformation) throws AlfrescoRuntimeException, NoSuchAlgorithmException, InvalidKeyException, InvalidKeySpecException { + if (keyInformation == null) + { + throw new AlfrescoRuntimeException("Unable to get secret key: no key information is provided"); + } + byte[] keyData = keyInformation.getKeyData(); if(keyData == null) @@ -796,7 +804,7 @@ public class AlfrescoKeyStoreImpl implements AlfrescoKeyStore writeLock.lock(); try { - keyInfoManager = getKeyInfoManager(getKeyMetaDataFileLocation()); + keyInfoManager = getKeyInfoManager(getKeyStoreParameters()); KeyStore ks = loadKeyStore(getKeyStoreParameters(), keyInfoManager); // loading Key @@ -985,7 +993,7 @@ public class AlfrescoKeyStoreImpl implements AlfrescoKeyStore public static class KeyInfoManager { private KeyResourceLoader keyResourceLoader; - private String metadataFileLocation; + private KeyStoreParameters keyStoreParameters; private Properties keyProps; private String keyStorePassword = null; private Map keyInfo; @@ -1005,10 +1013,10 @@ public class AlfrescoKeyStoreImpl implements AlfrescoKeyStore } } - KeyInfoManager(String metadataFileLocation, KeyResourceLoader keyResourceLoader) throws IOException, FileNotFoundException + KeyInfoManager(KeyStoreParameters keyStoreParameters, KeyResourceLoader keyResourceLoader) throws IOException, FileNotFoundException { this.keyResourceLoader = keyResourceLoader; - this.metadataFileLocation = metadataFileLocation; + this.keyStoreParameters = keyStoreParameters; keyInfo = new HashMap(2); loadKeyMetaData(); } @@ -1025,31 +1033,73 @@ public class AlfrescoKeyStoreImpl implements AlfrescoKeyStore * Where required, null values must be inserted into the map to indicate the presence * of a key that is not protected by a password. They entry for {@link #KEY_KEYSTORE_PASSWORD} * is required if the keystore is password protected. + * + * WARNING. Storing passwords (keyMetaDataFileLocation) on the file system is not following best security practices. + * + *

Loading of keys info from system (JVM) properties takes precedence over metadata file. + *

Set the unique ID of the keystore and remove the metadata file location property to use JVM properties lookup instead. The property lookup format is the following: + *

+ * */ protected void loadKeyMetaData() throws IOException, FileNotFoundException { - keyProps = keyResourceLoader.loadKeyMetaData(metadataFileLocation); - if(keyProps != null) + if (keyStoreParameters.getId() != null && + (keyStoreParameters.getKeyMetaDataFileLocation() == null || + keyStoreParameters.getKeyMetaDataFileLocation().isEmpty())) { - String aliases = keyProps.getProperty("aliases"); - if(aliases == null) + Properties jvmProperties = System.getProperties(); + keyStorePassword = jvmProperties.getProperty(keyStoreParameters.getId() + ".password"); + String aliases = jvmProperties.getProperty(keyStoreParameters.getId() + ".aliases"); + if (aliases == null || aliases.isEmpty()) { - throw new AlfrescoRuntimeException("Passwords file must contain an aliases key"); + logger.warn("No aliases were specified for " + keyStoreParameters.getId() + + " keystore"); } - - this.keyStorePassword = keyProps.getProperty(KEY_KEYSTORE_PASSWORD); - - StringTokenizer st = new StringTokenizer(aliases, ","); - while(st.hasMoreTokens()) + else { - String keyAlias = st.nextToken(); - keyInfo.put(keyAlias, loadKeyInformation(keyAlias)); + StringTokenizer st = new StringTokenizer(aliases, ","); + while(st.hasMoreTokens()) + { + String keyAlias = st.nextToken(); + keyInfo.put(keyAlias, loadKeyInformation(jvmProperties, keyAlias, keyStoreParameters.getId() + ".")); + } } } else { - // TODO - //throw new FileNotFoundException("Cannot find key metadata file " + getKeyMetaDataFileLocation()); + logger.warn("Storing passwords (" + keyStoreParameters.getKeyMetaDataFileLocation() + + ") on the file system is not following best security practices." + + " Please refer to documentation and use JVM properties instead"); + + keyProps = keyResourceLoader.loadKeyMetaData(keyStoreParameters.getKeyMetaDataFileLocation()); + if(keyProps != null) + { + String aliases = keyProps.getProperty("aliases"); + if(aliases == null) + { + throw new AlfrescoRuntimeException("Passwords file must contain an aliases key"); + } + + this.keyStorePassword = keyProps.getProperty(KEY_KEYSTORE_PASSWORD); + + StringTokenizer st = new StringTokenizer(aliases, ","); + while(st.hasMoreTokens()) + { + String keyAlias = st.nextToken(); + keyInfo.put(keyAlias, loadKeyInformation(keyProps, keyAlias, "")); + } + } + else + { + // TODO + //throw new FileNotFoundException("Cannot find key metadata file " + getKeyMetaDataFileLocation()); + } } } @@ -1067,11 +1117,11 @@ public class AlfrescoKeyStoreImpl implements AlfrescoKeyStore this.keyProps.remove(keyAlias); } - protected KeyInformation loadKeyInformation(String keyAlias) + protected KeyInformation loadKeyInformation(Properties keyProps, String keyAlias, String prefix) { - String keyPassword = keyProps.getProperty(keyAlias + ".password"); - String keyData = keyProps.getProperty(keyAlias + ".keyData"); - String keyAlgorithm = keyProps.getProperty(keyAlias + ".algorithm"); + String keyPassword = keyProps.getProperty(prefix + keyAlias + ".password"); + String keyData = keyProps.getProperty(prefix + keyAlias + ".keyData"); + String keyAlgorithm = keyProps.getProperty(prefix + keyAlias + ".algorithm"); byte[] keyDataBytes = null; if(keyData != null && !keyData.equals("")) diff --git a/core/src/main/java/org/alfresco/encryption/KeyStoreParameters.java b/core/src/main/java/org/alfresco/encryption/KeyStoreParameters.java index 5b8ebe4504..d70a26e59d 100644 --- a/core/src/main/java/org/alfresco/encryption/KeyStoreParameters.java +++ b/core/src/main/java/org/alfresco/encryption/KeyStoreParameters.java @@ -22,12 +22,15 @@ import org.alfresco.util.PropertyCheck; /** * Stores Java keystore initialisation parameters. - * + * + * WARNING. Storing passwords (keyMetaDataFileLocation) on the file system is not following best security practices. + * * @since 4.0 * */ public class KeyStoreParameters { + private String id; private String name; private String type; private String provider; @@ -38,8 +41,40 @@ public class KeyStoreParameters { } - public KeyStoreParameters(String name, String type, String keyStoreProvider, + /** + * WARNING. Storing passwords (keyMetaDataFileLocation) on the file system is not following best security practices. + * + *

Set the unique ID of the keystore and aliases to use Java system properties lookup instead. The property lookup format is: + *

+ * + * Loading of keys info from system (JVM) properties takes precedence over metadata file. + * + * @param id unique identifier of the keystore + * @param name human readable name of the keystore + * @param type type of the keystore + * @param keyStoreProvider keystore provider + * @param keyMetaDataFileLocation path to keystore metadata file on the file system + * @param location path to keystore on the file system + */ + public KeyStoreParameters(String id, String name, String type, String keyStoreProvider, String keyMetaDataFileLocation, String location) + { + this(name, type, keyStoreProvider, keyMetaDataFileLocation, location); + this.id = id; + } + + /** + * Use {@link #KeyStoreParameters(String, String, String, String, String, String)} instead + */ + @Deprecated() + public KeyStoreParameters(String name, String type, String keyStoreProvider, + String keyMetaDataFileLocation, String location) { super(); this.name = name; @@ -49,8 +84,13 @@ public class KeyStoreParameters this.location = location; } + public void init() { + if (!PropertyCheck.isValidPropertyString(getId())) + { + setId(null); + } if (!PropertyCheck.isValidPropertyString(getLocation())) { setLocation(null); @@ -69,6 +109,11 @@ public class KeyStoreParameters } } + public String getId() + { + return id; + } + public String getName() { return name; @@ -93,7 +138,12 @@ public class KeyStoreParameters { return location; } - + + public void setId(String id) + { + this.id = id; + } + public void setName(String name) { this.name = name; diff --git a/core/src/test/java/org/alfresco/encryption/AlfrescoKeyStoreTest.java b/core/src/test/java/org/alfresco/encryption/AlfrescoKeyStoreTest.java new file mode 100644 index 0000000000..e0bd3fd214 --- /dev/null +++ b/core/src/test/java/org/alfresco/encryption/AlfrescoKeyStoreTest.java @@ -0,0 +1,388 @@ +/* + * Copyright (C) 2005-2020 Alfresco Software Limited. + * + * This file is part of Alfresco + * + * Alfresco is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * Alfresco is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with Alfresco. If not, see . + */ +package org.alfresco.encryption; + +import java.util.Collections; +import java.util.HashSet; +import java.util.Set; +import org.alfresco.error.AlfrescoRuntimeException; +import org.junit.Assert; +import org.junit.Rule; +import org.junit.Test; +import org.junit.rules.TestName; +import org.junit.runner.RunWith; +import org.mockito.Mock; +import org.mockito.junit.MockitoJUnitRunner; + +@RunWith(MockitoJUnitRunner.class) +public class AlfrescoKeyStoreTest +{ + @Mock + private EncryptionKeysRegistry encryptionKeysRegistry; + + @Rule + public TestName testName = new TestName(); + + @Test + public void testSysPropConfig() + { + String keyStoreId = testName.getMethodName() + "-keystore"; + String alias1 = "mykey1"; + String alias2 = "mykey2"; + + KeyStoreParameters keyStoreParameters = new KeyStoreParameters(); + keyStoreParameters.setId(keyStoreId); + keyStoreParameters.setName(testName.getMethodName()); + keyStoreParameters.setType("JCEKS"); + keyStoreParameters.setProvider("SunJCE"); + keyStoreParameters.setLocation("classpath:keystore-tests/ks-test-2.jks"); + + System.setProperty(keyStoreId + "." + "password", "ksPwd2"); + System.setProperty(keyStoreId + "." + "aliases", alias1 + "," + alias2); + System.setProperty(keyStoreId + "." + alias1 + "." + "password", "aliasPwd1"); + System.setProperty(keyStoreId + "." + alias2 + "." + "password", "aliasPwd2"); + + try + { + AlfrescoKeyStore alfrescoKeyStore = new AlfrescoKeyStoreImpl(keyStoreParameters, new SpringKeyResourceLoader()); + Set expectedAliases = new HashSet<>(); + expectedAliases.add(alias1); + expectedAliases.add(alias2); + Assert.assertEquals("The aliases are not correct", expectedAliases, alfrescoKeyStore.getKeyAliases()); + + Assert.assertNotNull("Failed to retrieve a key from keystore.", alfrescoKeyStore.getKey(alias1)); + Assert.assertNotNull("Failed to retrieve a key from keystore.", alfrescoKeyStore.getKey(alias2)); + } + finally + { + System.clearProperty(keyStoreId + "." + "password"); + System.clearProperty(keyStoreId + "." + "aliases"); + System.clearProperty(keyStoreId + "." + alias1 + "." + "password"); + System.clearProperty(keyStoreId + "." + alias2 + "." + "password"); + } + + } + + @Test + public void testSysPropConfigWithoutAliases() + { + String keyStoreId = testName.getMethodName() + "-keystore"; + String alias1 = "mykey1"; + + KeyStoreParameters keyStoreParameters = new KeyStoreParameters(); + keyStoreParameters.setId(keyStoreId); + keyStoreParameters.setName(testName.getMethodName()); + keyStoreParameters.setType("JCEKS"); + keyStoreParameters.setProvider("SunJCE"); + keyStoreParameters.setLocation("classpath:keystore-tests/ks-test-1.jks"); + + System.setProperty(keyStoreId + "." + "password", "ksPwd1"); + System.setProperty(keyStoreId + "." + alias1 + "." + "password", "aliasPwd1"); + try + { + AlfrescoKeyStore keyStore = new AlfrescoKeyStoreImpl(keyStoreParameters, new SpringKeyResourceLoader()); + Assert.assertNull(keyStore.getKey(alias1)); + } + finally + { + System.clearProperty(keyStoreId + "." + "password"); + System.clearProperty(keyStoreId + "." + alias1 + "." + "password"); + } + } + + @Test + public void testMetaDataFileConfig() + { + String alias1 = "mykey1"; + + KeyStoreParameters keyStoreParameters = new KeyStoreParameters(); + keyStoreParameters.setName(testName.getMethodName()); + keyStoreParameters.setType("JCEKS"); + keyStoreParameters.setProvider("SunJCE"); + keyStoreParameters.setLocation("classpath:keystore-tests/ks-test-1.jks"); + keyStoreParameters.setKeyMetaDataFileLocation("classpath:keystore-tests/ks1-metadata.properties"); + + AlfrescoKeyStore alfrescoKeyStore = new AlfrescoKeyStoreImpl(keyStoreParameters, new SpringKeyResourceLoader()); + Set expectedAliases = new HashSet<>(); + expectedAliases.add(alias1); + Assert.assertEquals("The aliases are not correct", expectedAliases, alfrescoKeyStore.getKeyAliases()); + + Assert.assertNotNull("Failed to retrieve a key from keystore.", alfrescoKeyStore.getKey(alias1)); + } + + /** + * Config via System props should be default, but if the metadata file location is set, it will be used instead. + * This is done to maintain backwards compatibility and simplify testing use cases. + */ + @Test(expected = AlfrescoRuntimeException.class) + public void testConfigBothSystemAndFile() + { + String keyStoreId = testName.getMethodName() + "-keystore"; + String alias1 = "mykey1"; + String alias2 = "mykey2"; + + KeyStoreParameters keyStoreParameters = new KeyStoreParameters(); + keyStoreParameters.setId(keyStoreId); + keyStoreParameters.setName(testName.getMethodName()); + keyStoreParameters.setType("JCEKS"); + keyStoreParameters.setProvider("SunJCE"); + keyStoreParameters.setLocation("classpath:keystore-tests/ks-test-2.jks"); + // use metadata file from keystore with one key + keyStoreParameters.setKeyMetaDataFileLocation("classpath:keystore-tests/ks1-metadata.properties"); + + System.setProperty(keyStoreId + "." + "password", "ksPwd2"); + System.setProperty(keyStoreId + "." + "aliases", alias1 + "," + alias2); + System.setProperty(keyStoreId + "." + alias1 + "." + "password", "aliasPwd1"); + System.setProperty(keyStoreId + "." + alias2 + "." + "password", "aliasPwd2"); + + try + { + new AlfrescoKeyStoreImpl(keyStoreParameters, new SpringKeyResourceLoader()); + } + finally + { + System.clearProperty(keyStoreId + "." + "password"); + System.clearProperty(keyStoreId + "." + "aliases"); + System.clearProperty(keyStoreId + "." + alias1 + "." + "password"); + System.clearProperty(keyStoreId + "." + alias2 + "." + "password"); + } + + } + + @Test(expected = AlfrescoRuntimeException.class) + public void testValidateKeysWrongAliasMetadataFile() throws Exception + { + String alias1 = "mykey1"; + + KeyStoreParameters keyStoreParameters = new KeyStoreParameters(); + keyStoreParameters.setName(testName.getMethodName()); + keyStoreParameters.setType("JCEKS"); + keyStoreParameters.setProvider("SunJCE"); + keyStoreParameters.setLocation("classpath:keystore-tests/ks-test-1.jks"); + keyStoreParameters.setKeyMetaDataFileLocation("classpath:keystore-tests/wrong-alias-metadata.properties"); + + AlfrescoKeyStoreImpl alfrescoKeyStore = new AlfrescoKeyStoreImpl(keyStoreParameters, new SpringKeyResourceLoader()); + alfrescoKeyStore.setKeysToValidate(Collections.singleton(alias1)); + alfrescoKeyStore.setValidateKeyChanges(true); + alfrescoKeyStore.setEncryptionKeysRegistry(encryptionKeysRegistry); + alfrescoKeyStore.validateKeys(); + } + + @Test + public void testEmptyKeysMetadataFile() + { + KeyStoreParameters keyStoreParameters = new KeyStoreParameters(); + keyStoreParameters.setName(testName.getMethodName()); + keyStoreParameters.setType("JCEKS"); + keyStoreParameters.setProvider("SunJCE"); + keyStoreParameters.setLocation("classpath:keystore-tests/ks-test-1.jks"); + keyStoreParameters.setKeyMetaDataFileLocation("classpath:keystore-tests/empty-alias-metadata.properties"); + + new AlfrescoKeyStoreImpl(keyStoreParameters, new SpringKeyResourceLoader()); + } + + @Test(expected = AlfrescoRuntimeException.class) + public void testWrongKeystorePasswordMetadataFile() + { + KeyStoreParameters keyStoreParameters = new KeyStoreParameters(); + keyStoreParameters.setName(testName.getMethodName()); + keyStoreParameters.setType("JCEKS"); + keyStoreParameters.setProvider("SunJCE"); + keyStoreParameters.setLocation("classpath:keystore-tests/ks-test-1.jks"); + keyStoreParameters.setKeyMetaDataFileLocation("classpath:keystore-tests/wrong-keystore-password-metadata.properties"); + + new AlfrescoKeyStoreImpl(keyStoreParameters, new SpringKeyResourceLoader()); + } + + @Test(expected = AlfrescoRuntimeException.class) + public void testWrongKeyPasswordMetadataFile() + { + KeyStoreParameters keyStoreParameters = new KeyStoreParameters(); + keyStoreParameters.setName(testName.getMethodName()); + keyStoreParameters.setType("JCEKS"); + keyStoreParameters.setProvider("SunJCE"); + keyStoreParameters.setLocation("classpath:keystore-tests/ks-test-1.jks"); + keyStoreParameters.setKeyMetaDataFileLocation("classpath:keystore-tests/wrong-key-password-metadata.properties"); + + new AlfrescoKeyStoreImpl(keyStoreParameters, new SpringKeyResourceLoader()); + } + + @Test(expected = AlfrescoRuntimeException.class) + public void testValidateKeysWrongAliasSysProps() throws Exception + { + String keyStoreId = testName.getMethodName() + "-keystore"; + String alias1 = "mykey1"; + + KeyStoreParameters keyStoreParameters = new KeyStoreParameters(); + keyStoreParameters.setId(keyStoreId); + keyStoreParameters.setName(testName.getMethodName()); + keyStoreParameters.setType("JCEKS"); + keyStoreParameters.setProvider("SunJCE"); + keyStoreParameters.setLocation("classpath:keystore-tests/ks-test-1.jks"); + + System.setProperty(keyStoreId + "." + "aliases", "wrong-alias,another-wrong-alias"); + System.setProperty(keyStoreId + "." + "password", "ksPwd1"); + System.setProperty(keyStoreId + "." + alias1 + "." + "password", "aliasPwd1"); + + try + { + AlfrescoKeyStoreImpl alfrescoKeyStore = new AlfrescoKeyStoreImpl(keyStoreParameters, new SpringKeyResourceLoader()); + alfrescoKeyStore.setValidateKeyChanges(true); + alfrescoKeyStore.setKeysToValidate(Collections.singleton(alias1)); + alfrescoKeyStore.setEncryptionKeysRegistry(encryptionKeysRegistry); + alfrescoKeyStore.validateKeys(); + } + finally + { + System.clearProperty(keyStoreId + "." + "aliases"); + System.clearProperty(keyStoreId + "." + "password"); + System.clearProperty(keyStoreId + "." + alias1 + "." + "password"); + } + } + + @Test + public void testEmptyKeysSysProps() + { + String keyStoreId = testName.getMethodName() + "-keystore"; + + KeyStoreParameters keyStoreParameters = new KeyStoreParameters(); + keyStoreParameters.setId(keyStoreId); + keyStoreParameters.setName(testName.getMethodName()); + keyStoreParameters.setType("JCEKS"); + keyStoreParameters.setProvider("SunJCE"); + keyStoreParameters.setLocation("classpath:keystore-tests/ks-test-1.jks"); + + System.setProperty(keyStoreId + "." + "aliases", "empty-alias,another-empty-alias"); + System.setProperty(keyStoreId + "." + "password", "ksPwd1"); + + try + { + new AlfrescoKeyStoreImpl(keyStoreParameters, new SpringKeyResourceLoader()); + } + finally + { + System.clearProperty(keyStoreId + "." + "aliases"); + System.clearProperty(keyStoreId + "." + "password"); + } + } + + @Test(expected = AlfrescoRuntimeException.class) + public void testWrongKeystorePasswordSysProps() + { + String keyStoreId = testName.getMethodName() + "-keystore"; + String alias1 = "mykey1"; + + KeyStoreParameters keyStoreParameters = new KeyStoreParameters(); + keyStoreParameters.setId(keyStoreId); + keyStoreParameters.setName(testName.getMethodName()); + keyStoreParameters.setType("JCEKS"); + keyStoreParameters.setProvider("SunJCE"); + keyStoreParameters.setLocation("classpath:keystore-tests/ks-test-1.jks"); + + System.setProperty(keyStoreId + "." + "aliases", alias1); + System.setProperty(keyStoreId + "." + "password", "wrong-password"); + System.setProperty(keyStoreId + "." + alias1 + "." + "password", "aliasPwd1"); + + try + { + new AlfrescoKeyStoreImpl(keyStoreParameters, new SpringKeyResourceLoader()); + } + finally + { + System.clearProperty(keyStoreId + "." + "aliases"); + System.clearProperty(keyStoreId + "." + "password"); + System.clearProperty(keyStoreId + "." + alias1 + "." + "password"); + } + } + + @Test(expected = AlfrescoRuntimeException.class) + public void testWrongKeyPasswordSysProps() + { + String keyStoreId = testName.getMethodName() + "-keystore"; + String alias1 = "mykey1"; + + KeyStoreParameters keyStoreParameters = new KeyStoreParameters(); + keyStoreParameters.setId(keyStoreId); + keyStoreParameters.setName(testName.getMethodName()); + keyStoreParameters.setType("JCEKS"); + keyStoreParameters.setProvider("SunJCE"); + keyStoreParameters.setLocation("classpath:keystore-tests/ks-test-1.jks"); + + System.setProperty(keyStoreId + "." + "aliases", alias1); + System.setProperty(keyStoreId + "." + "password", "ksPwd1"); + System.setProperty(keyStoreId + "." + alias1 + "." + "password", "wrong-key-password"); + + try + { + new AlfrescoKeyStoreImpl(keyStoreParameters, new SpringKeyResourceLoader()); + } + finally + { + System.clearProperty(keyStoreId + "." + "aliases"); + System.clearProperty(keyStoreId + "." + "password"); + System.clearProperty(keyStoreId + "." + alias1 + "." + "password"); + } + } + + /** + * No exception is expected. An empty keystore can be created. + */ + @Test + public void testConfigEmptyKeystore() + { + String keyStoreId = testName.getMethodName() + "-keystore"; + + KeyStoreParameters keyStoreParameters = new KeyStoreParameters(); + keyStoreParameters.setId(keyStoreId); + keyStoreParameters.setName(testName.getMethodName()); + keyStoreParameters.setType("JCEKS"); + keyStoreParameters.setProvider("SunJCE"); + keyStoreParameters.setLocation("classpath:non-existing-path/some-keystore.jks"); + + new AlfrescoKeyStoreImpl(keyStoreParameters, new SpringKeyResourceLoader()); + } + + @Test(expected = AlfrescoRuntimeException.class) + public void testValidateKeysEmptyAliasSysProps() throws Exception + { + String keyStoreId = testName.getMethodName() + "-keystore"; + + KeyStoreParameters keyStoreParameters = new KeyStoreParameters(); + keyStoreParameters.setId(keyStoreId); + keyStoreParameters.setName(testName.getMethodName()); + keyStoreParameters.setType("JCEKS"); + keyStoreParameters.setProvider("SunJCE"); + keyStoreParameters.setLocation("classpath:keystore-tests/ks-test-1.jks"); + + System.setProperty(keyStoreId + "." + "password", "ksPwd1"); + + try + { + AlfrescoKeyStoreImpl alfrescoKeyStore = new AlfrescoKeyStoreImpl(keyStoreParameters, new SpringKeyResourceLoader()); + alfrescoKeyStore.setValidateKeyChanges(true); + alfrescoKeyStore.setKeysToValidate(Collections.singleton("non-existing-alias")); + alfrescoKeyStore.setEncryptionKeysRegistry(encryptionKeysRegistry); + alfrescoKeyStore.validateKeys(); + } + finally + { + System.clearProperty(keyStoreId + "." + "password"); + } + } +} diff --git a/core/src/test/resources/keystore-tests/empty-alias-metadata.properties b/core/src/test/resources/keystore-tests/empty-alias-metadata.properties new file mode 100644 index 0000000000..626fb1266b --- /dev/null +++ b/core/src/test/resources/keystore-tests/empty-alias-metadata.properties @@ -0,0 +1,2 @@ +aliases=empty-alias +keystore.password=ksPwd1 diff --git a/core/src/test/resources/keystore-tests/ks-test-1.jks b/core/src/test/resources/keystore-tests/ks-test-1.jks new file mode 100644 index 0000000000..01bd383454 Binary files /dev/null and b/core/src/test/resources/keystore-tests/ks-test-1.jks differ diff --git a/core/src/test/resources/keystore-tests/ks-test-2.jks b/core/src/test/resources/keystore-tests/ks-test-2.jks new file mode 100644 index 0000000000..3723222500 Binary files /dev/null and b/core/src/test/resources/keystore-tests/ks-test-2.jks differ diff --git a/core/src/test/resources/keystore-tests/ks1-metadata.properties b/core/src/test/resources/keystore-tests/ks1-metadata.properties new file mode 100644 index 0000000000..d21236fb6f --- /dev/null +++ b/core/src/test/resources/keystore-tests/ks1-metadata.properties @@ -0,0 +1,3 @@ +aliases=mykey1 +keystore.password=ksPwd1 +mykey1.password=aliasPwd1 \ No newline at end of file diff --git a/core/src/test/resources/keystore-tests/passwords.txt b/core/src/test/resources/keystore-tests/passwords.txt new file mode 100644 index 0000000000..f48d2729c1 --- /dev/null +++ b/core/src/test/resources/keystore-tests/passwords.txt @@ -0,0 +1,24 @@ +The keystores contained in this folder are used by tests. + +================== +== ks-test-1.ks == +================== + +Keystore password: ksPwd1 +Keystore type: JCEKS +Keystore provider: SunJCE + +Your keystore contains 1 entry +mykey1: aliasPwd1 + +================== +== ks-test-2.ks == +================== + +Keystore password: ksPwd2 +Keystore type: JCEKS +Keystore provider: SunJCE + +Your keystore contains 2 entries +mykey1: aliasPwd1 +mykey2: aliasPwd2 diff --git a/core/src/test/resources/keystore-tests/wrong-alias-metadata.properties b/core/src/test/resources/keystore-tests/wrong-alias-metadata.properties new file mode 100644 index 0000000000..e3616f1cb3 --- /dev/null +++ b/core/src/test/resources/keystore-tests/wrong-alias-metadata.properties @@ -0,0 +1,3 @@ +aliases=non-existing-alias +keystore.password=ksPwd1 +mykey1.password=aliasPwd1 \ No newline at end of file diff --git a/core/src/test/resources/keystore-tests/wrong-key-password-metadata.properties b/core/src/test/resources/keystore-tests/wrong-key-password-metadata.properties new file mode 100644 index 0000000000..ae8ff14924 --- /dev/null +++ b/core/src/test/resources/keystore-tests/wrong-key-password-metadata.properties @@ -0,0 +1,3 @@ +aliases=mykey1 +keystore.password=ksPwd1 +mykey1.password=wrong-key-password \ No newline at end of file diff --git a/core/src/test/resources/keystore-tests/wrong-keystore-password-metadata.properties b/core/src/test/resources/keystore-tests/wrong-keystore-password-metadata.properties new file mode 100644 index 0000000000..c2f92dffbe --- /dev/null +++ b/core/src/test/resources/keystore-tests/wrong-keystore-password-metadata.properties @@ -0,0 +1,3 @@ +aliases=mykey1 +keystore.password=wrong-password +mykey1.password=aliasPwd1 \ No newline at end of file diff --git a/packaging/distribution/pom.xml b/packaging/distribution/pom.xml new file mode 100644 index 0000000000..ae6644c7e2 --- /dev/null +++ b/packaging/distribution/pom.xml @@ -0,0 +1,14 @@ + + + 4.0.0 + org.alfresco + alfresco-community-repo-distribution + Package Licences and Keystore for Distribution + jar + + + org.alfresco + alfresco-community-repo-packaging + 7.183.300-TEST2-SNAPSHOT + + diff --git a/packaging/distribution/src/main/resources/keystore/CreateSSLKeystores.txt b/packaging/distribution/src/main/resources/keystore/CreateSSLKeystores.txt new file mode 100644 index 0000000000..25addea011 --- /dev/null +++ b/packaging/distribution/src/main/resources/keystore/CreateSSLKeystores.txt @@ -0,0 +1,141 @@ +Instructions for Generating Repository SSL Keystores +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + is the keystore password. The file ${dir.keystore}/ssl-keystore-passwords.properties contains passwords for the SSL keystore, +${dir.keystore}/ssl-truststore-passwords.properties contains passwords for the SSL truststore. + +These instructions will create an RSA public/private key pair for the repository with a certificate that has been signed by the Alfresco Certificate Authority (CA). +It will also create a truststore for the repository containing the CA certificate; this will be used to authenticate connections to specific repository +URLs from Solr. It assumes the existence of the Alfresco CA key and certificate to sign the repository certificate; for security reasons these are not generally available. +You can either generate your own CA key and certificate (see instructions below) or use a recognised Certificate Authority such as Verisign. For Alfresco employees the key +and certificate are available in svn. + +(i) Generate the repository public/private key pair in a keystore: + +$ keytool -genkey -alias ssl.repo -keyalg RSA -keystore ssl.keystore -storetype JCEKS -storepass +Enter keystore password: +Re-enter new password: +What is your first and last name? + [Unknown]: Alfresco Repository +What is the name of your organizational unit? + [Unknown]: +What is the name of your organization? + [Unknown]: Alfresco Software Ltd. +What is the name of your City or Locality? + [Unknown]: Maidenhead +What is the name of your State or Province? + [Unknown]: UK +What is the two-letter country code for this unit? + [Unknown]: GB +Is CN=Alfresco Repository, OU=Unknown, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB correct? + [no]: yes + +Enter key password for + (RETURN if same as keystore password): + +(ii) Generate a certificate request for the repository key + +$ keytool -keystore ssl.keystore -alias ssl.repo -certreq -file repo.csr -storetype JCEKS -storepass + +(iii) Alfresco CA signs the certificate request, creating a certificate that is valid for 365 days. + +$ openssl x509 -CA ca.crt -CAkey ca.key -CAcreateserial -req -in repo.csr -out repo.crt -days 365 +Signature ok +subject=/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Alfresco Repository +Getting CA Private Key +Enter pass phrase for ca.key: + +(iv) Import the Alfresco CA key into the repository key store + +$ keytool -import -alias ssl.alfreco.ca -file ca.crt -keystore ssl.keystore -storetype JCEKS -storepass +Enter keystore password: +Owner: CN=Alfresco CA, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB +Issuer: CN=Alfresco CA, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB +Serial number: 805ba6dc8f62f8b8 +Valid from: Fri Aug 12 13:28:58 BST 2011 until: Mon Aug 09 13:28:58 BST 2021 +Certificate fingerprints: + MD5: 4B:45:94:2D:8E:98:E8:12:04:67:AD:AE:48:3C:F5:A0 + SHA1: 74:42:22:D0:52:AD:82:7A:FD:37:46:37:91:91:F4:77:89:3A:C9:A3 + Signature algorithm name: SHA1withRSA + Version: 3 + +Extensions: + +#1: ObjectId: 2.5.29.14 Criticality=false +SubjectKeyIdentifier [ +KeyIdentifier [ +0000: 08 42 40 DC FE 4A 50 87 05 2B 38 4D 92 70 8E 51 .B@..JP..+8M.p.Q +0010: 4E 38 71 D6 N8q. +] +] + +#2: ObjectId: 2.5.29.19 Criticality=false +BasicConstraints:[ + CA:true + PathLen:2147483647 +] + +#3: ObjectId: 2.5.29.35 Criticality=false +AuthorityKeyIdentifier [ +KeyIdentifier [ +0000: 08 42 40 DC FE 4A 50 87 05 2B 38 4D 92 70 8E 51 .B@..JP..+8M.p.Q +0010: 4E 38 71 D6 N8q. +] + +[CN=Alfresco CA, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB] +SerialNumber: [ 805ba6dc 8f62f8b8] +] + +Trust this certificate? [no]: yes +Certificate was added to keystore + +(v) Import the CA-signed repository certificate into the repository keystore + +$ keytool -import -alias ssl.repo -file repo.crt -keystore ssl.keystore -storetype JCEKS -storepass +Enter keystore password: +Certificate reply was installed in keystore + +(vi) Convert the repository keystore to a pkcs12 keystore (for use in browsers such as Firefox). Give the pkcs12 key store the key store password 'alfresco'. + +keytool -importkeystore -srckeystore ssl.keystore -srcstorepass -srcstoretype JCEKS -srcalias ssl.repo -srckeypass kT9X6oe68t -destkeystore firefox.p12 -deststoretype pkcs12 -deststorepass alfresco -destalias ssl.repo -destkeypass alfresco + +(vi) Create a repository truststore containing the Alfresco CA certificate + +keytool -import -alias ssl.alfreco.ca -file ca.crt -keystore ssl.keystore -storetype JCEKS -storepass +keytool -import -alias alfreco.ca -file ca.crt -keystore ssl.truststore -storetype JCEKS -storepass + +(vii) Copy the keystore and truststore to the repository keystore location defined by the property 'dir.keystore'. +(viii) Update the SSL properties i.e. properties starting with the prefixes 'alfresco.encryption.ssl.keystore' and 'alfresco.encryption.ssl.truststore'. + +Instructions for Generating a Certificate Authority (CA) Key and Certificate +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +(i) Generate the CA private key + +$ openssl genrsa -des3 -out ca.key 1024 +Generating RSA private key, 1024 bit long modulus +..........++++++ +..++++++ +e is 65537 (0x10001) +Enter pass phrase for ca.key: +Verifying - Enter pass phrase for ca.key: + +(ii) Generate the CA self-signed certificate + +$ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt +Enter pass phrase for ca.key: +You are about to be asked to enter information that will be incorporated +into your certificate request. +What you are about to enter is what is called a Distinguished Name or a DN. +There are quite a few fields but you can leave some blank +For some fields there will be a default value, +If you enter '.', the field will be left blank. +----- +Country Name (2 letter code) [AU]:GB +State or Province Name (full name) [Some-State]:UK +Locality Name (eg, city) []:Maidenhead +Organization Name (eg, company) [Internet Widgits Pty Ltd]:Alfresco Software Ltd. +Organizational Unit Name (eg, section) []: +Common Name (eg, YOUR name) []:Alfresco CA +Email Address []: + diff --git a/packaging/distribution/src/main/resources/keystore/generate_keystores.bat b/packaging/distribution/src/main/resources/keystore/generate_keystores.bat new file mode 100644 index 0000000000..5aed5e9fa0 --- /dev/null +++ b/packaging/distribution/src/main/resources/keystore/generate_keystores.bat @@ -0,0 +1,58 @@ +@rem Please edit the variables below to suit your installation +@rem Note: for an installation created by the Alfresco installer, you only need to edit ALFRESCO_HOME + +@rem Alfresco installation directory +set ALFRESCO_HOME=C:\Alfresco-5.2 +@rem The directory containing the alfresco keystores, as referenced by keystoreFile and truststoreFile attributes in tomcat\conf\server.xml +set ALFRESCO_KEYSTORE_HOME=%ALFRESCO_HOME%\alf_data\keystore +@rem Java installation directory +set JAVA_HOME=%ALFRESCO_HOME%\java +@rem Location in which new keystore files will be generated +set CERTIFICATE_HOME=%USERPROFILE% +@rem The repository server certificate subject name, as specified in tomcat\conf\tomcat-users.xml with roles="repository" +set REPO_CERT_DNAME=CN=Alfresco Repository, OU=Unknown, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB +@rem The SOLR client certificate subject name, as specified in tomcat\conf\tomcat-users.xml with roles="repoclient" +set SOLR_CLIENT_CERT_DNAME=CN=Alfresco Repository Client, OU=Unknown, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB +@rem The number of days before the certificate expires +set CERTIFICATE_VALIDITY=36525 + +@rem Ensure certificate output dir exists +@if not exist "%CERTIFICATE_HOME%" mkdir "%CERTIFICATE_HOME%" + +@rem Remove old output files (note they are backed up elsewhere) +@if exist "%CERTIFICATE_HOME%\ssl.keystore" del "%CERTIFICATE_HOME%\ssl.keystore" +@if exist "%CERTIFICATE_HOME%\ssl.truststore" del "%CERTIFICATE_HOME%\ssl.truststore" +@if exist "%CERTIFICATE_HOME%\browser.p12" del "%CERTIFICATE_HOME%\browser.p12" +@if exist "%CERTIFICATE_HOME%\ssl.repo.client.keystore" del "%CERTIFICATE_HOME%\ssl.repo.client.keystore" +@if exist "%CERTIFICATE_HOME%\ssl.repo.client.truststore" del "%CERTIFICATE_HOME%\ssl.repo.client.truststore" + +@rem Generate new self-signed certificates for the repository and solr +"%JAVA_HOME%\bin\keytool" -genkeypair -keyalg RSA -dname "%REPO_CERT_DNAME%" -validity %CERTIFICATE_VALIDITY% -alias ssl.repo -keypass kT9X6oe68t -keystore "%CERTIFICATE_HOME%\ssl.keystore" -storetype JCEKS -storepass kT9X6oe68t +"%JAVA_HOME%\bin\keytool" -exportcert -alias ssl.repo -file "%CERTIFICATE_HOME%\ssl.repo.crt" -keystore "%CERTIFICATE_HOME%\ssl.keystore" -storetype JCEKS -storepass kT9X6oe68t +"%JAVA_HOME%\bin\keytool" -genkeypair -keyalg RSA -dname "%SOLR_CLIENT_CERT_DNAME%" -validity %CERTIFICATE_VALIDITY% -alias ssl.repo.client -keypass kT9X6oe68t -keystore "%CERTIFICATE_HOME%\ssl.repo.client.keystore" -storetype JCEKS -storepass kT9X6oe68t +"%JAVA_HOME%\bin\keytool" -exportcert -alias ssl.repo.client -file "%CERTIFICATE_HOME%\ssl.repo.client.crt" -keystore "%CERTIFICATE_HOME%\ssl.repo.client.keystore" -storetype JCEKS -storepass kT9X6oe68t + +@rem Create trust relationship between repository and solr +"%JAVA_HOME%\bin\keytool" -importcert -noprompt -alias ssl.repo.client -file "%CERTIFICATE_HOME%\ssl.repo.client.crt" -keystore "%CERTIFICATE_HOME%\ssl.truststore" -storetype JCEKS -storepass kT9X6oe68t +@rem Create trust relationship between repository and itself - used for searches +"%JAVA_HOME%\bin\keytool" -importcert -noprompt -alias ssl.repo -file "%CERTIFICATE_HOME%\ssl.repo.crt" -keystore "%CERTIFICATE_HOME%\ssl.truststore" -storetype JCEKS -storepass kT9X6oe68t +@rem Create trust relationship between solr and repository +"%JAVA_HOME%\bin\keytool" -importcert -noprompt -alias ssl.repo -file "%CERTIFICATE_HOME%\ssl.repo.crt" -keystore "%CERTIFICATE_HOME%\ssl.repo.client.truststore" -storetype JCEKS -storepass kT9X6oe68t +@rem Export repository keystore to pkcs12 format for browser compatibility +"%JAVA_HOME%\bin\keytool" -importkeystore -srckeystore "%CERTIFICATE_HOME%\ssl.keystore" -srcstorepass kT9X6oe68t -srcstoretype JCEKS -srcalias ssl.repo -srckeypass kT9X6oe68t -destkeystore "%CERTIFICATE_HOME%\browser.p12" -deststoretype pkcs12 -deststorepass alfresco -destalias ssl.repo -destkeypass alfresco + +@rem Ensure keystore dir actually exists +@if not exist "%ALFRESCO_KEYSTORE_HOME%" mkdir "%ALFRESCO_KEYSTORE_HOME%" + +@rem Install the new files +copy /Y "%CERTIFICATE_HOME%\ssl.keystore" "%ALFRESCO_KEYSTORE_HOME%\ssl.keystore" +copy /Y "%CERTIFICATE_HOME%\ssl.truststore" "%ALFRESCO_KEYSTORE_HOME%\ssl.truststore" +copy /Y "%CERTIFICATE_HOME%\browser.p12" "%ALFRESCO_KEYSTORE_HOME%\browser.p12" + +@echo **************************************** +@echo You must copy the following files to the correct location. +@echo %CERTIFICATE_HOME%\ssl.repo.client.keystore +@echo %CERTIFICATE_HOME%\ssl.repo.client.truststore +@echo eg. for Solr 4 the location is SOLR_HOME\workspace-SpacesStore\conf and SOLR_HOME\archive-SpacesStore\conf +@echo Please ensure that you set dir.keystore=%ALFRESCO_KEYSTORE_HOME% in alfresco-global.properties +@echo **************************************** \ No newline at end of file diff --git a/packaging/distribution/src/main/resources/keystore/generate_keystores.sh b/packaging/distribution/src/main/resources/keystore/generate_keystores.sh new file mode 100644 index 0000000000..180c990945 --- /dev/null +++ b/packaging/distribution/src/main/resources/keystore/generate_keystores.sh @@ -0,0 +1,82 @@ +#! /bin/sh +# Please edit the variables below to suit your installation +# Note: for an installation created by the Alfresco installer, you only need to edit ALFRESCO_HOME + +# Alfresco installation directory +if [ -z "$ALFRESCO_HOME" ]; then + ALFRESCO_HOME=/opt/alfresco-5.2 + echo "Setting ALFRESCO_HOME to $ALFRESCO_HOME" +fi + +# The directory containing the alfresco keystores, as referenced by keystoreFile and truststoreFile attributes in tomcat/conf/server.xml +ALFRESCO_KEYSTORE_HOME=$ALFRESCO_HOME/alf_data/keystore + +# Location in which new keystore files will be generated +if [ -z "$CERTIFICATE_HOME" ]; then + CERTIFICATE_HOME=$HOME + echo "Certificates will be generated in $CERTIFICATE_HOME and then moved to $ALFRESCO_KEYSTORE_HOME" +fi + +# Java installation directory +JAVA_HOME=$ALFRESCO_HOME/java + +# The repository server certificate subject name, as specified in tomcat/conf/tomcat-users.xml with roles="repository" +REPO_CERT_DNAME="CN=Alfresco Repository, OU=Unknown, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB" +# The SOLR client certificate subject name, as specified in tomcat/conf/tomcat-users.xml with roles="repoclient" +SOLR_CLIENT_CERT_DNAME="CN=Alfresco Repository Client, OU=Unknown, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB" +# The number of days before the certificate expires +CERTIFICATE_VALIDITY=36525 + +# Stop +if [ -f "$ALFRESCO_HOME/alfresco.sh" ]; then "$ALFRESCO_HOME/alfresco.sh" stop; fi + +# Ensure certificate output dir exists +mkdir -p "$CERTIFICATE_HOME" + +# Remove old output files (note they are backed up elsewhere) +if [ -f "$CERTIFICATE_HOME/ssl.keystore" ]; then rm "$CERTIFICATE_HOME/ssl.keystore"; fi +if [ -f "$CERTIFICATE_HOME/ssl.truststore" ]; then rm "$CERTIFICATE_HOME/ssl.truststore"; fi +if [ -f "$CERTIFICATE_HOME/browser.p12" ]; then rm "$CERTIFICATE_HOME/browser.p12"; fi +if [ -f "$CERTIFICATE_HOME/ssl.repo.client.keystore" ]; then rm "$CERTIFICATE_HOME/ssl.repo.client.keystore"; fi +if [ -f "$CERTIFICATE_HOME/ssl.repo.client.truststore" ]; then rm "$CERTIFICATE_HOME/ssl.repo.client.truststore"; fi + +# Generate new self-signed certificates for the repository and solr +"$JAVA_HOME/bin/keytool" -genkeypair -keyalg RSA -dname "$REPO_CERT_DNAME" -validity $CERTIFICATE_VALIDITY -alias ssl.repo -keypass kT9X6oe68t -keystore "$CERTIFICATE_HOME/ssl.keystore" -storetype JCEKS -storepass kT9X6oe68t +"$JAVA_HOME/bin/keytool" -exportcert -alias ssl.repo -file "$CERTIFICATE_HOME/ssl.repo.crt" -keystore "$CERTIFICATE_HOME/ssl.keystore" -storetype JCEKS -storepass kT9X6oe68t +"$JAVA_HOME/bin/keytool" -genkeypair -keyalg RSA -dname "$SOLR_CLIENT_CERT_DNAME" -validity $CERTIFICATE_VALIDITY -alias ssl.repo.client -keypass kT9X6oe68t -keystore "$CERTIFICATE_HOME/ssl.repo.client.keystore" -storetype JCEKS -storepass kT9X6oe68t +"$JAVA_HOME/bin/keytool" -exportcert -alias ssl.repo.client -file "$CERTIFICATE_HOME/ssl.repo.client.crt" -keystore "$CERTIFICATE_HOME/ssl.repo.client.keystore" -storetype JCEKS -storepass kT9X6oe68t + +# Create trust relationship between repository and solr +"$JAVA_HOME/bin/keytool" -importcert -noprompt -alias ssl.repo.client -file "$CERTIFICATE_HOME/ssl.repo.client.crt" -keystore "$CERTIFICATE_HOME/ssl.truststore" -storetype JCEKS -storepass kT9X6oe68t +# Create trust relationship between repository and itself - used for searches +"$JAVA_HOME/bin/keytool" -importcert -noprompt -alias ssl.repo -file "$CERTIFICATE_HOME/ssl.repo.crt" -keystore "$CERTIFICATE_HOME/ssl.truststore" -storetype JCEKS -storepass kT9X6oe68t +# Create trust relationship between solr and repository +"$JAVA_HOME/bin/keytool" -importcert -noprompt -alias ssl.repo -file "$CERTIFICATE_HOME/ssl.repo.crt" -keystore "$CERTIFICATE_HOME/ssl.repo.client.truststore" -storetype JCEKS -storepass kT9X6oe68t +# Export repository keystore to pkcs12 format for browser compatibility +"$JAVA_HOME/bin/keytool" -importkeystore -srckeystore "$CERTIFICATE_HOME/ssl.keystore" -srcstorepass kT9X6oe68t -srcstoretype JCEKS -srcalias ssl.repo -srckeypass kT9X6oe68t -destkeystore "$CERTIFICATE_HOME/browser.p12" -deststoretype pkcs12 -deststorepass alfresco -destalias ssl.repo -destkeypass alfresco + +# Ensure keystore dir actually exists +mkdir -p "$ALFRESCO_KEYSTORE_HOME" + +# Back up old files +cp "$ALFRESCO_KEYSTORE_HOME/ssl.keystore" "$ALFRESCO_KEYSTORE_HOME/ssl.keystore.old" +cp "$ALFRESCO_KEYSTORE_HOME/ssl.truststore" "$ALFRESCO_KEYSTORE_HOME/ssl.truststore.old" +cp "$ALFRESCO_KEYSTORE_HOME/browser.p12" "$ALFRESCO_KEYSTORE_HOME/browser.p12.old" + +# Install the new files +cp "$CERTIFICATE_HOME/ssl.keystore" "$ALFRESCO_KEYSTORE_HOME/ssl.keystore" +cp "$CERTIFICATE_HOME/ssl.truststore" "$ALFRESCO_KEYSTORE_HOME/ssl.truststore" +cp "$CERTIFICATE_HOME/browser.p12" "$ALFRESCO_KEYSTORE_HOME/browser.p12" + +echo " " +echo "*******************************************" +echo "You must copy the following files to the correct location." +echo " " +echo " $CERTIFICATE_HOME/ssl.repo.client.keystore" +echo " $CERTIFICATE_HOME/ssl.repo.client.truststore" +echo " eg. for Solr 4 the location is SOLR_HOME/workspace-SpacesStore/conf/ and SOLR_HOME/archive-SpacesStore/conf/" +echo " " +echo "$ALFRESCO_KEYSTORE_HOME/browser.p12 has also been generated." +echo " " +echo "Please ensure that you set dir.keystore=$ALFRESCO_KEYSTORE_HOME in alfresco-global.properties" +echo "*******************************************" diff --git a/repository/src/main/resources/alfresco/keystore/keystore b/packaging/distribution/src/main/resources/keystore/metadata-keystore/keystore similarity index 100% rename from repository/src/main/resources/alfresco/keystore/keystore rename to packaging/distribution/src/main/resources/keystore/metadata-keystore/keystore diff --git a/repository/src/main/resources/alfresco/keystore/keystore-passwords.properties b/packaging/distribution/src/main/resources/keystore/metadata-keystore/keystore-passwords.properties similarity index 58% rename from repository/src/main/resources/alfresco/keystore/keystore-passwords.properties rename to packaging/distribution/src/main/resources/keystore/metadata-keystore/keystore-passwords.properties index cbdb6fb66c..5b31ff26c6 100644 --- a/repository/src/main/resources/alfresco/keystore/keystore-passwords.properties +++ b/packaging/distribution/src/main/resources/keystore/metadata-keystore/keystore-passwords.properties @@ -1,7 +1,10 @@ -aliases=metadata -# The password protecting the keystore entries -keystore.password=mp6yc0UD9e -# The password protecting the alias: metadata -metadata.keyData= -metadata.algorithm=DESede +# This file and the keystore is deprecated +# Please generate a new keystore for new systems and use JVM properties for it's configuration + +aliases=metadata +# The password protecting the keystore entries +keystore.password=mp6yc0UD9e +# The password protecting the alias: metadata +metadata.keyData= +metadata.algorithm=DESede metadata.password=oKIWzVdEdA \ No newline at end of file diff --git a/packaging/distribution/src/main/resources/keystore/readme.txt b/packaging/distribution/src/main/resources/keystore/readme.txt new file mode 100644 index 0000000000..fbc76233aa --- /dev/null +++ b/packaging/distribution/src/main/resources/keystore/readme.txt @@ -0,0 +1,7 @@ +See https://wiki.alfresco.com/wiki/Data_Encryption and https://wiki.alfresco.com/wiki/Alfresco_And_SOLR. + +keystore is the secret key keystore, containing the secret key used to encrypt and decrypt node properties. +ssl.keystore is the repository keystore, containing the repository private/public key pair and certificate. +ssl.truststore is the repository truststore, containing certificates that the repository trusts. + +browser.p12 is a pkcs12 keystore generated from ssl.keystore that contains the repository private key and certificate for use in browsers such as Firefox. \ No newline at end of file diff --git a/packaging/docker-alfresco/Dockerfile b/packaging/docker-alfresco/Dockerfile index 7904e141ab..dd87639da2 100644 --- a/packaging/docker-alfresco/Dockerfile +++ b/packaging/docker-alfresco/Dockerfile @@ -19,6 +19,8 @@ ARG TOMCAT_DIR=/usr/local/tomcat RUN mkdir -p ${TOMCAT_DIR}/shared/classes/alfresco/extension/mimetypes && \ mkdir -p ${TOMCAT_DIR}/shared/classes/alfresco/extension/transform/renditions && \ mkdir -p ${TOMCAT_DIR}/shared/classes/alfresco/extension/transform/pipelines && \ + mkdir /licenses && \ + mkdir -p ${TOMCAT_DIR}/shared/classes/alfresco/extension/keystore && \ mkdir ${TOMCAT_DIR}/alfresco-mmt && \ touch ${TOMCAT_DIR}/shared/classes/alfresco-global.properties @@ -26,13 +28,13 @@ RUN mkdir -p ${TOMCAT_DIR}/shared/classes/alfresco/extension/mimetypes && \ # Copy the WAR files to the appropriate location for your application server # Copy the JDBC drivers for the database you are using to the lib/ directory. # Copy the alfresco-mmt.jar +# Copy Licenses to the root of the Docker image +# Copy default keystore COPY ${resource_path}/war ${TOMCAT_DIR}/webapps COPY ${resource_path}/connector/* ${TOMCAT_DIR}/lib/ COPY ${resource_path}/alfresco-mmt/* ${TOMCAT_DIR}/alfresco-mmt/ - -# Copy Licenses to the root of the Docker image -RUN mkdir /licenses -COPY ${resource_path}/licenses/ /licenses/ +COPY ${resource_path}/dependency/licenses/ /licenses/ +COPY ${resource_path}/dependency/keystore/metadata-keystore ${TOMCAT_DIR}/shared/classes/alfresco/extension/keystore/ # Change the value of the shared.loader= property to the following: # shared.loader=${catalina.base}/shared/classes @@ -70,14 +72,6 @@ RUN yum install -y fontconfig-2.13.0-4.3.el7 \ dejavu-sans-fonts-2.33-6.el7 && \ yum clean all -# Generate default keystore. Please generate new one for production systems -ARG CERT_DNAME="CN=Alfresco Repository, OU=Unknown, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB" -ARG CERT_VALIDITY=36525 -ARG KEYSTORE_PASSWORD=mp6yc0UD9e -RUN mkdir ${TOMCAT_DIR}/shared/classes/alfresco/keystore && \ - keytool -genseckey -dname "$CERT_DNAME" -validity ${CERT_VALIDITY} -alias metadata -keyalg AES -keysize 256 -keystore ${TOMCAT_DIR}/shared/classes/alfresco/keystore/keystore -storetype pkcs12 -storepass ${KEYSTORE_PASSWORD} - - # The standard configuration is to have all Tomcat files owned by root with group GROUPNAME and whilst owner has read/write privileges, # group only has restricted permissions and world has no permissions. RUN mkdir -p ${TOMCAT_DIR}/conf/Catalina/localhost && \ diff --git a/packaging/docker-alfresco/pom.xml b/packaging/docker-alfresco/pom.xml index 1bd1c66b81..5b158c19cc 100644 --- a/packaging/docker-alfresco/pom.xml +++ b/packaging/docker-alfresco/pom.xml @@ -16,29 +16,6 @@ - - org.apache.maven.plugins - maven-resources-plugin - - - copy-licenses - process-resources - - copy-resources - - - - - - ../distribution/src/main/resources/licenses - false - - - ${project.build.directory}/licenses - - - - org.apache.maven.plugins maven-dependency-plugin @@ -126,6 +103,24 @@ + + + unpack-licenses-and-keystore + process-resources + + unpack + + + + + org.alfresco + alfresco-community-repo-distribution + jar + ${project.version} + + + + diff --git a/packaging/pom.xml b/packaging/pom.xml index 3f76416d5c..872c280620 100644 --- a/packaging/pom.xml +++ b/packaging/pom.xml @@ -18,6 +18,7 @@ war + distribution docker-alfresco @@ -25,18 +26,21 @@ community war + distribution communityDocker war + distribution docker-alfresco all-tas-tests + distribution tests diff --git a/packaging/tests/environment/docker-compose-minimal+transforms.yml b/packaging/tests/environment/docker-compose-minimal+transforms.yml index 30dfa8f706..f524927a29 100644 --- a/packaging/tests/environment/docker-compose-minimal+transforms.yml +++ b/packaging/tests/environment/docker-compose-minimal+transforms.yml @@ -10,6 +10,16 @@ services: image: alfresco/alfresco-community-repo-base:latest environment: CATALINA_OPTS : "-agentlib:jdwp=transport=dt_socket,address=*:8000,server=y,suspend=n" + JAVA_TOOL_OPTIONS: " + -Dencryption.keystore.type=JCEKS + -Dencryption.cipherAlgorithm=DESede/CBC/PKCS5Padding + -Dencryption.keyAlgorithm=DESede + -Dencryption.keystore.location=/usr/local/tomcat/shared/classes/alfresco/extension/keystore/keystore + -Dmetadata-keystore.password=mp6yc0UD9e + -Dmetadata-keystore.aliases=metadata + -Dmetadata-keystore.metadata.password=oKIWzVdEdA + -Dmetadata-keystore.metadata.algorithm=DESede + " JAVA_OPTS : " -Ddb.driver=org.postgresql.Driver @@ -39,10 +49,6 @@ services: -Dftp.port=1221 -Dcors.enabled=true -Dcors.allowed.origins=http://localhost:4200,http://localhost:8080 - -Dmetadata-keystore.password=mp6yc0UD9e - -Dmetadata-keystore.aliases=metadata - -Dmetadata-keystore.metadata.password=mp6yc0UD9e - -Dmetadata-keystore.metadata.algorithm=AES " ports: - 8082:8080 diff --git a/packaging/tests/environment/docker-compose-minimal.yml b/packaging/tests/environment/docker-compose-minimal.yml index cb746e94b1..e453021122 100644 --- a/packaging/tests/environment/docker-compose-minimal.yml +++ b/packaging/tests/environment/docker-compose-minimal.yml @@ -10,6 +10,16 @@ services: image: alfresco/alfresco-community-repo-base:latest environment: CATALINA_OPTS : "-agentlib:jdwp=transport=dt_socket,address=*:8000,server=y,suspend=n" + JAVA_TOOL_OPTIONS: " + -Dencryption.keystore.type=JCEKS + -Dencryption.cipherAlgorithm=DESede/CBC/PKCS5Padding + -Dencryption.keyAlgorithm=DESede + -Dencryption.keystore.location=/usr/local/tomcat/shared/classes/alfresco/extension/keystore/keystore + -Dmetadata-keystore.password=mp6yc0UD9e + -Dmetadata-keystore.aliases=metadata + -Dmetadata-keystore.metadata.password=oKIWzVdEdA + -Dmetadata-keystore.metadata.algorithm=DESede + " JAVA_OPTS : " -Ddb.driver=org.postgresql.Driver @@ -35,10 +45,6 @@ services: -Dftp.port=1221 -Dcors.enabled=true -Dcors.allowed.origins=http://localhost:4200,http://localhost:8080 - -Dmetadata-keystore.password=mp6yc0UD9e - -Dmetadata-keystore.aliases=metadata - -Dmetadata-keystore.metadata.password=mp6yc0UD9e - -Dmetadata-keystore.metadata.algorithm=AES " ports: - 8082:8080 diff --git a/repository/src/main/resources/alfresco/encryption-context.xml b/repository/src/main/resources/alfresco/encryption-context.xml index d1048874b5..8b8d3b256d 100644 --- a/repository/src/main/resources/alfresco/encryption-context.xml +++ b/repository/src/main/resources/alfresco/encryption-context.xml @@ -15,10 +15,12 @@ + + @@ -30,18 +32,22 @@ + + + + @@ -71,10 +77,12 @@ + + diff --git a/repository/src/main/resources/alfresco/repository.properties b/repository/src/main/resources/alfresco/repository.properties index 5dc27f298c..1dacf93bf7 100644 --- a/repository/src/main/resources/alfresco/repository.properties +++ b/repository/src/main/resources/alfresco/repository.properties @@ -816,20 +816,22 @@ dir.keystore=classpath:alfresco/keystore # general encryption parameters encryption.keySpec.class=org.alfresco.encryption.DESEDEKeyGenerator -encryption.keyAlgorithm=DESede -encryption.cipherAlgorithm=DESede/CBC/PKCS5Padding +encryption.keyAlgorithm=AES +encryption.cipherAlgorithm=AES/CBC/PKCS5Padding # secret key keystore configuration encryption.keystore.location=${dir.keystore}/keystore -encryption.keystore.keyMetaData.location=${dir.keystore}/keystore-passwords.properties +# configuration via metadata is deprecated +encryption.keystore.keyMetaData.location= encryption.keystore.provider= -encryption.keystore.type=JCEKS +encryption.keystore.type=pkcs12 # backup secret key keystore configuration encryption.keystore.backup.location=${dir.keystore}/backup-keystore -encryption.keystore.backup.keyMetaData.location=${dir.keystore}/backup-keystore-passwords.properties +# configuration via metadata is deprecated +encryption.keystore.backup.keyMetaData.location= encryption.keystore.backup.provider= -encryption.keystore.backup.type=JCEKS +encryption.keystore.backup.type=pkcs12 # Should encryptable properties be re-encrypted with new encryption keys on botstrap? encryption.bootstrap.reencrypt=false @@ -842,11 +844,13 @@ encryption.mac.algorithm=HmacSHA1 encryption.ssl.keystore.location=${dir.keystore}/ssl.keystore encryption.ssl.keystore.provider= encryption.ssl.keystore.type=JCEKS -encryption.ssl.keystore.keyMetaData.location=${dir.keystore}/ssl-keystore-passwords.properties +# configuration via metadata is deprecated +encryption.ssl.keystore.keyMetaData.location= encryption.ssl.truststore.location=${dir.keystore}/ssl.truststore encryption.ssl.truststore.provider= encryption.ssl.truststore.type=JCEKS -encryption.ssl.truststore.keyMetaData.location=${dir.keystore}/ssl-truststore-passwords.properties +# configuration via metadata is deprecated +encryption.ssl.truststore.keyMetaData.location= # Re-encryptor properties encryption.reencryptor.chunkSize=100 diff --git a/repository/src/test/java/org/alfresco/AppContext02TestSuite.java b/repository/src/test/java/org/alfresco/AppContext02TestSuite.java index dc4c52511e..ffcb4604c9 100644 --- a/repository/src/test/java/org/alfresco/AppContext02TestSuite.java +++ b/repository/src/test/java/org/alfresco/AppContext02TestSuite.java @@ -65,6 +65,9 @@ import org.junit.runners.Suite; org.alfresco.repo.content.filestore.ReadOnlyFileContentStoreTest.class, org.alfresco.repo.content.RoutingContentStoreTest.class, + org.alfresco.encryption.EncryptionTests.class, + org.alfresco.encryption.KeyStoreTests.class + // TODO REPO-2791 org.alfresco.repo.content.routing.StoreSelectorAspectContentStoreTest.class, }) public class AppContext02TestSuite diff --git a/repository/src/test/java/org/alfresco/encryption/EncryptionTests.java b/repository/src/test/java/org/alfresco/encryption/EncryptionTests.java index a35c097425..27dfa6cf5f 100644 --- a/repository/src/test/java/org/alfresco/encryption/EncryptionTests.java +++ b/repository/src/test/java/org/alfresco/encryption/EncryptionTests.java @@ -1,28 +1,28 @@ -/* - * #%L - * Alfresco Repository - * %% - * Copyright (C) 2005 - 2016 Alfresco Software Limited - * %% - * This file is part of the Alfresco software. - * If the software was purchased under a paid Alfresco license, the terms of - * the paid license agreement will prevail. Otherwise, the software is - * provided under the following open source license terms: - * - * Alfresco is free software: you can redistribute it and/or modify - * it under the terms of the GNU Lesser General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * Alfresco is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public License - * along with Alfresco. If not, see . - * #L% - */ +/* + * #%L + * Alfresco Repository + * %% + * Copyright (C) 2005 - 2016 Alfresco Software Limited + * %% + * This file is part of the Alfresco software. + * If the software was purchased under a paid Alfresco license, the terms of + * the paid license agreement will prevail. Otherwise, the software is + * provided under the following open source license terms: + * + * Alfresco is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * Alfresco is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with Alfresco. If not, see . + * #L% + */ package org.alfresco.encryption; import java.io.Serializable; @@ -270,28 +270,6 @@ public class EncryptionTests extends TestCase mainEncryptor.setKeyProvider(mainKeyProvider); } } - - public void testBootstrapReEncrypt() - { - try - { - // ensure that the backup key store is not available - backupKeyStoreParameters.setLocation(""); - //backupKeyStore.reload(); - mainKeyStore.reload(); - - reEncryptor.bootstrapReEncrypt(); - fail("Should have caught missing backup key store"); - } - catch(MissingKeyException e) - { - System.out.println("Successfully caught missing key exception"); - } - catch(InvalidKeystoreException e) - { - fail("Unexpected exception: " + e.getMessage()); - } - } protected void testChangeKeysImpl(boolean cacheCiphers) throws Throwable { diff --git a/repository/src/test/java/org/alfresco/encryption/KeyStoreTests.java b/repository/src/test/java/org/alfresco/encryption/KeyStoreTests.java index 04b791cc2b..76ec78f963 100644 --- a/repository/src/test/java/org/alfresco/encryption/KeyStoreTests.java +++ b/repository/src/test/java/org/alfresco/encryption/KeyStoreTests.java @@ -1,28 +1,28 @@ -/* - * #%L - * Alfresco Repository - * %% - * Copyright (C) 2005 - 2016 Alfresco Software Limited - * %% - * This file is part of the Alfresco software. - * If the software was purchased under a paid Alfresco license, the terms of - * the paid license agreement will prevail. Otherwise, the software is - * provided under the following open source license terms: - * - * Alfresco is free software: you can redistribute it and/or modify - * it under the terms of the GNU Lesser General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * Alfresco is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public License - * along with Alfresco. If not, see . - * #L% - */ +/* + * #%L + * Alfresco Repository + * %% + * Copyright (C) 2005 - 2016 Alfresco Software Limited + * %% + * This file is part of the Alfresco software. + * If the software was purchased under a paid Alfresco license, the terms of + * the paid license agreement will prevail. Otherwise, the software is + * provided under the following open source license terms: + * + * Alfresco is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * Alfresco is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with Alfresco. If not, see . + * #L% + */ package org.alfresco.encryption; import static org.junit.Assert.assertTrue; @@ -37,6 +37,7 @@ import java.security.NoSuchAlgorithmException; import java.security.SecureRandom; import java.util.ArrayList; import java.util.Collections; +import java.util.HashSet; import java.util.List; import java.util.Map; import java.util.Properties; @@ -212,7 +213,7 @@ public class KeyStoreTests TestAlfrescoKeyStore missingMainKeyStore = getKeyStore("main", "JCEKS", Collections.singletonMap(KeyProvider.ALIAS_METADATA, "metadata"), Collections.singletonMap(KeyProvider.ALIAS_METADATA, generateEncodedKey()), generateKeystoreName(), generateKeystoreName()); - + missingMainKeyStore.setKeysToValidate(new HashSet<>(Collections.singletonList("metadata"))); encryptionKeysRegistry.unregisterKey(KeyProvider.ALIAS_METADATA); keyStoreChecker.setMainKeyStore(missingMainKeyStore); @@ -240,7 +241,7 @@ public class KeyStoreTests // missing main keystore, missing backup keystore, metadata registered key -> error, re-instate the keystore TestAlfrescoKeyStore missingMainKeyStore = getKeyStore("main", "JCEKS", Collections.singletonMap(KeyProvider.ALIAS_METADATA, "metadata"), null, generateKeystoreName(), generateKeystoreName()); - + missingMainKeyStore.setKeysToValidate(new HashSet<>(Collections.singletonList("metadata"))); assertTrue("", encryptionKeysRegistry.isKeyRegistered("metadata")); keyStoreChecker.setMainKeyStore(missingMainKeyStore); @@ -268,6 +269,7 @@ public class KeyStoreTests // create main keystore TestAlfrescoKeyStore mainKeyStore = getKeyStore("main", "JCEKS", Collections.singletonMap(KeyProvider.ALIAS_METADATA, "metadata"), null, generateKeystoreName(), generateKeystoreName()); + mainKeyStore.setKeysToValidate(new HashSet<>(Collections.singletonList("metadata"))); createAndPopulateKeyStore(mainKeyStore); // de-register metadata key @@ -303,6 +305,7 @@ public class KeyStoreTests TestAlfrescoKeyStore keyStore = getKeyStore("main", "JCEKS", Collections.singletonMap(KeyProvider.ALIAS_METADATA, "metadata"), null, generateKeystoreName(), generateKeystoreName()); + keyStore.setKeysToValidate(new HashSet<>(Collections.singletonList("metadata"))); createAndPopulateKeyStore(keyStore); keyStoreChecker.setMainKeyStore(keyStore); @@ -358,6 +361,7 @@ public class KeyStoreTests TestAlfrescoKeyStore keyStore = getKeyStore("main", "JCEKS", Collections.singletonMap(KeyProvider.ALIAS_METADATA, "metadata"), null, generateKeystoreName(), generateKeystoreName()); + keyStore.setKeysToValidate(new HashSet<>(Collections.singletonList("metadata"))); createAndPopulateKeyStore(keyStore); try diff --git a/repository/src/test/resources/alfresco-global.properties b/repository/src/test/resources/alfresco-global.properties index dde45eec57..03ae918a73 100644 --- a/repository/src/test/resources/alfresco-global.properties +++ b/repository/src/test/resources/alfresco-global.properties @@ -52,9 +52,16 @@ mimetype.config.cronExpression=0 0 0 ? JAN * 1970 rendition.config.cronExpression=0 0 0 ? JAN * 1970 local.transform.service.cronExpression=0 0 0 ? JAN * 1970 transform.service.cronExpression=0 0 0 ? JAN * 1970 - + system.delete_not_exists.batchsize=100000 system.delete_not_exists.delete_batchsize=1000 system.delete_not_exists.read_only=false system.delete_not_exists.timeout_seconds=-1 system.prop_table_cleaner.algorithm=V2 + +# For testing only +encryption.keystore.keyMetaData.location=${dir.keystore}/keystore-passwords.properties +encryption.keyAlgorithm=DESede +encryption.cipherAlgorithm=DESede/CBC/PKCS5Padding +encryption.keystore.type=JCEKS +encryption.keystore.backup.type=JCEKS