inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-10-29 15:21:53 +00:00
Code Issues Packages Projects Releases Wiki Activity

Feature/repo 5358 merge 6213 (#26)

Browse Source 
REPO-5361/REPO-5358 Merge latest changes (6.2.1.3) / Deployment modules should extend each other

In order to support the external deployment of the default keystore (MNT-21731/SEARCH-1915),
it was removed from alfresco-repository.jar and had be placed in deployment module of acs-packaging.
To support this in the new project structure, this commit moves the keystore back to
alfresco-community-repo's deployment module and has alfresco-enterprise-repo and acs-packaging
extend it in their own deployment modules. This also avoids duplication of licenses between projects.
This commit is contained in:
Alan Davis
2020-10-01 16:50:32 +01:00
committed by GitHub
parent b467a1b62e
commit bad162c91f
29 changed files with 1012 additions and 172 deletions
Download Patch File Download Diff File Expand all files Collapse all files

124
core/src/main/java/org/alfresco/encryption/AlfrescoKeyStoreImpl.java
View File

@@ -322,7 +322,7 @@ public class AlfrescoKeyStoreImpl implements AlfrescoKeyStore
try try
{ {
keyInfoManager = getKeyInfoManager(getKeyMetaDataFileLocation()); keyInfoManager = getKeyInfoManager(getKeyStoreParameters());
KeyStore ks = loadKeyStore(keyStoreParameters, keyInfoManager); KeyStore ks = loadKeyStore(keyStoreParameters, keyInfoManager);
logger.debug("Initializing key managers"); logger.debug("Initializing key managers");
@@ -355,7 +355,7 @@ public class AlfrescoKeyStoreImpl implements AlfrescoKeyStore
try try
{ {
keyInfoManager = getKeyInfoManager(getKeyMetaDataFileLocation()); keyInfoManager = getKeyInfoManager(getKeyStoreParameters());
KeyStore ks = loadKeyStore(getKeyStoreParameters(), keyInfoManager); KeyStore ks = loadKeyStore(getKeyStoreParameters(), keyInfoManager);
logger.debug("Initializing trust managers"); logger.debug("Initializing trust managers");
@@ -376,12 +376,7 @@ public class AlfrescoKeyStoreImpl implements AlfrescoKeyStore
} }
} }
} }
protected String getKeyMetaDataFileLocation()
{
return keyStoreParameters.getKeyMetaDataFileLocation();
}
protected InputStream getKeyStoreStream(String location) throws FileNotFoundException protected InputStream getKeyStoreStream(String location) throws FileNotFoundException
{ {
if(location == null) if(location == null)
@@ -396,9 +391,17 @@ public class AlfrescoKeyStoreImpl implements AlfrescoKeyStore
return new FileOutputStream(getKeyStoreParameters().getLocation()); return new FileOutputStream(getKeyStoreParameters().getLocation());
} }
protected KeyInfoManager getKeyInfoManager(String metadataFileLocation) throws FileNotFoundException, IOException protected KeyInfoManager getKeyInfoManager(KeyStoreParameters keyStoreParameters) throws IOException
{ {
return new KeyInfoManager(metadataFileLocation, keyResourceLoader); return new KeyInfoManager(keyStoreParameters, keyResourceLoader);
}
@Deprecated
protected KeyInfoManager getKeyInfoManager(String metadataFileLocation) throws IOException
{
KeyStoreParameters keyStoreParameters = new KeyStoreParameters();
keyStoreParameters.setKeyMetaDataFileLocation(metadataFileLocation);
return new KeyInfoManager(keyStoreParameters, keyResourceLoader);
} }
protected KeyMap cacheKeys(KeyStore ks, KeyInfoManager keyInfoManager) protected KeyMap cacheKeys(KeyStore ks, KeyInfoManager keyInfoManager)
@@ -563,7 +566,7 @@ public class AlfrescoKeyStoreImpl implements AlfrescoKeyStore
try try
{ {
keyInfoManager = getKeyInfoManager(keyStoreParameters.getKeyMetaDataFileLocation()); keyInfoManager = getKeyInfoManager(keyStoreParameters);
ks = loadKeyStore(keyStoreParameters, keyInfoManager); ks = loadKeyStore(keyStoreParameters, keyInfoManager);
// Loaded // Loaded
} }
@@ -635,7 +638,7 @@ public class AlfrescoKeyStoreImpl implements AlfrescoKeyStore
try try
{ {
keyInfoManager = getKeyInfoManager(getKeyMetaDataFileLocation()); keyInfoManager = getKeyInfoManager(getKeyStoreParameters());
Key key = getSecretKey(keyInfoManager.getKeyInformation(keyAlias)); Key key = getSecretKey(keyInfoManager.getKeyInformation(keyAlias));
encryptionKeysRegistry.registerKey(keyAlias, key); encryptionKeysRegistry.registerKey(keyAlias, key);
keys.setKey(keyAlias, key); keys.setKey(keyAlias, key);
@@ -678,7 +681,7 @@ public class AlfrescoKeyStoreImpl implements AlfrescoKeyStore
{ {
if(!keyStoreExists(keyStoreParameters.getLocation())) if(!keyStoreExists(keyStoreParameters.getLocation()))
{ {
keyInfoManager = getKeyInfoManager(keyStoreParameters.getKeyMetaDataFileLocation()); keyInfoManager = getKeyInfoManager(keyStoreParameters);
KeyStore ks = initialiseKeyStore(keyStoreParameters.getType(), keyStoreParameters.getProvider()); KeyStore ks = initialiseKeyStore(keyStoreParameters.getType(), keyStoreParameters.getProvider());
String keyStorePassword = keyInfoManager.getKeyStorePassword(); String keyStorePassword = keyInfoManager.getKeyStorePassword();
@@ -686,7 +689,7 @@ public class AlfrescoKeyStoreImpl implements AlfrescoKeyStore
{ {
throw new AlfrescoRuntimeException("Key store password is null for keystore at location " throw new AlfrescoRuntimeException("Key store password is null for keystore at location "
+ getKeyStoreParameters().getLocation() + getKeyStoreParameters().getLocation()
+ ", key store meta data location" + getKeyMetaDataFileLocation()); + ". Either specify it as a JVM property or in key store meta data location.");
} }
for(String keyAlias : keys.getKeyAliases()) for(String keyAlias : keys.getKeyAliases())
@@ -765,8 +768,13 @@ public class AlfrescoKeyStoreImpl implements AlfrescoKeyStore
} }
} }
protected Key getSecretKey(KeyInformation keyInformation) throws NoSuchAlgorithmException, InvalidKeyException, InvalidKeySpecException protected Key getSecretKey(KeyInformation keyInformation) throws AlfrescoRuntimeException, NoSuchAlgorithmException, InvalidKeyException, InvalidKeySpecException
{ {
if (keyInformation == null)
{
throw new AlfrescoRuntimeException("Unable to get secret key: no key information is provided");
}
byte[] keyData = keyInformation.getKeyData(); byte[] keyData = keyInformation.getKeyData();
if(keyData == null) if(keyData == null)
@@ -796,7 +804,7 @@ public class AlfrescoKeyStoreImpl implements AlfrescoKeyStore
writeLock.lock(); writeLock.lock();
try try
{ {
keyInfoManager = getKeyInfoManager(getKeyMetaDataFileLocation()); keyInfoManager = getKeyInfoManager(getKeyStoreParameters());
KeyStore ks = loadKeyStore(getKeyStoreParameters(), keyInfoManager); KeyStore ks = loadKeyStore(getKeyStoreParameters(), keyInfoManager);
// loading Key // loading Key
@@ -985,7 +993,7 @@ public class AlfrescoKeyStoreImpl implements AlfrescoKeyStore
public static class KeyInfoManager public static class KeyInfoManager
{ {
private KeyResourceLoader keyResourceLoader; private KeyResourceLoader keyResourceLoader;
private String metadataFileLocation; private KeyStoreParameters keyStoreParameters;
private Properties keyProps; private Properties keyProps;
private String keyStorePassword = null; private String keyStorePassword = null;
private Map<String, KeyInformation> keyInfo; private Map<String, KeyInformation> keyInfo;
@@ -1005,10 +1013,10 @@ public class AlfrescoKeyStoreImpl implements AlfrescoKeyStore
} }
} }
KeyInfoManager(String metadataFileLocation, KeyResourceLoader keyResourceLoader) throws IOException, FileNotFoundException KeyInfoManager(KeyStoreParameters keyStoreParameters, KeyResourceLoader keyResourceLoader) throws IOException, FileNotFoundException
{ {
this.keyResourceLoader = keyResourceLoader; this.keyResourceLoader = keyResourceLoader;
this.metadataFileLocation = metadataFileLocation; this.keyStoreParameters = keyStoreParameters;
keyInfo = new HashMap<String, KeyInformation>(2); keyInfo = new HashMap<String, KeyInformation>(2);
loadKeyMetaData(); loadKeyMetaData();
} }
@@ -1025,31 +1033,73 @@ public class AlfrescoKeyStoreImpl implements AlfrescoKeyStore
* Where required, <tt>null</tt> values must be inserted into the map to indicate the presence * Where required, <tt>null</tt> values must be inserted into the map to indicate the presence
* of a key that is not protected by a password. They entry for {@link #KEY_KEYSTORE_PASSWORD} * of a key that is not protected by a password. They entry for {@link #KEY_KEYSTORE_PASSWORD}
* is required if the keystore is password protected. * is required if the keystore is password protected.
*
* WARNING. Storing passwords (keyMetaDataFileLocation) on the file system is not following best security practices.
*
* <p/>Loading of keys info from system (JVM) properties takes precedence over metadata file.
* <p/>Set the unique ID of the keystore and remove the metadata file location property to use JVM properties lookup instead. The property lookup format is the following:
* <ul>
* <li>[keystore-id].password - keystore password</li>
* <li>[keystore-id].aliases - comma separated list of aliases for the keys in the keystore</li>
* <li>[keystore-id].[alias].keyData - key data bytes in base64</li>
* <li>[keystore-id].[alias].algorithm - key algorithm</li>
* <li>[keystore-id].[alias].password - key password</li>
* </ul>
*
*/ */
protected void loadKeyMetaData() throws IOException, FileNotFoundException protected void loadKeyMetaData() throws IOException, FileNotFoundException
{ {
keyProps = keyResourceLoader.loadKeyMetaData(metadataFileLocation); if (keyStoreParameters.getId() != null &&
if(keyProps != null) (keyStoreParameters.getKeyMetaDataFileLocation() == null ||
keyStoreParameters.getKeyMetaDataFileLocation().isEmpty()))
{ {
String aliases = keyProps.getProperty("aliases"); Properties jvmProperties = System.getProperties();
if(aliases == null) keyStorePassword = jvmProperties.getProperty(keyStoreParameters.getId() + ".password");
String aliases = jvmProperties.getProperty(keyStoreParameters.getId() + ".aliases");
if (aliases == null || aliases.isEmpty())
{ {
throw new AlfrescoRuntimeException("Passwords file must contain an aliases key"); logger.warn("No aliases were specified for " + keyStoreParameters.getId()
+ " keystore");
} }
else
this.keyStorePassword = keyProps.getProperty(KEY_KEYSTORE_PASSWORD);
StringTokenizer st = new StringTokenizer(aliases, ",");
while(st.hasMoreTokens())
{ {
String keyAlias = st.nextToken(); StringTokenizer st = new StringTokenizer(aliases, ",");
keyInfo.put(keyAlias, loadKeyInformation(keyAlias)); while(st.hasMoreTokens())
{
String keyAlias = st.nextToken();
keyInfo.put(keyAlias, loadKeyInformation(jvmProperties, keyAlias, keyStoreParameters.getId() + "."));
}
} }
} }
else else
{ {
// TODO logger.warn("Storing passwords (" + keyStoreParameters.getKeyMetaDataFileLocation()
//throw new FileNotFoundException("Cannot find key metadata file " + getKeyMetaDataFileLocation()); + ") on the file system is not following best security practices." +
" Please refer to documentation and use JVM properties instead");
keyProps = keyResourceLoader.loadKeyMetaData(keyStoreParameters.getKeyMetaDataFileLocation());
if(keyProps != null)
{
String aliases = keyProps.getProperty("aliases");
if(aliases == null)
{
throw new AlfrescoRuntimeException("Passwords file must contain an aliases key");
}
this.keyStorePassword = keyProps.getProperty(KEY_KEYSTORE_PASSWORD);
StringTokenizer st = new StringTokenizer(aliases, ",");
while(st.hasMoreTokens())
{
String keyAlias = st.nextToken();
keyInfo.put(keyAlias, loadKeyInformation(keyProps, keyAlias, ""));
}
}
else
{
// TODO
//throw new FileNotFoundException("Cannot find key metadata file " + getKeyMetaDataFileLocation());
}
} }
} }
@@ -1067,11 +1117,11 @@ public class AlfrescoKeyStoreImpl implements AlfrescoKeyStore
this.keyProps.remove(keyAlias); this.keyProps.remove(keyAlias);
} }
protected KeyInformation loadKeyInformation(String keyAlias) protected KeyInformation loadKeyInformation(Properties keyProps, String keyAlias, String prefix)
{ {
String keyPassword = keyProps.getProperty(keyAlias + ".password"); String keyPassword = keyProps.getProperty(prefix + keyAlias + ".password");
String keyData = keyProps.getProperty(keyAlias + ".keyData"); String keyData = keyProps.getProperty(prefix + keyAlias + ".keyData");
String keyAlgorithm = keyProps.getProperty(keyAlias + ".algorithm"); String keyAlgorithm = keyProps.getProperty(prefix + keyAlias + ".algorithm");
byte[] keyDataBytes = null; byte[] keyDataBytes = null;
if(keyData != null && !keyData.equals("")) if(keyData != null && !keyData.equals(""))

56
core/src/main/java/org/alfresco/encryption/KeyStoreParameters.java
View File

@@ -22,12 +22,15 @@ import org.alfresco.util.PropertyCheck;
/** /**
* Stores Java keystore initialisation parameters. * Stores Java keystore initialisation parameters.
* *
* WARNING. Storing passwords (keyMetaDataFileLocation) on the file system is not following best security practices.
*
* @since 4.0 * @since 4.0
* *
*/ */
public class KeyStoreParameters public class KeyStoreParameters
{ {
private String id;
private String name; private String name;
private String type; private String type;
private String provider; private String provider;
@@ -38,8 +41,40 @@ public class KeyStoreParameters
{ {
} }
public KeyStoreParameters(String name, String type, String keyStoreProvider, /**
* WARNING. Storing passwords (keyMetaDataFileLocation) on the file system is not following best security practices.
*
* <p/>Set the unique ID of the keystore and aliases to use Java system properties lookup instead. The property lookup format is:
* <ul>
* <li>[keystore-id].password - keystore password</li>
* <li>[keystore-id].aliases - comma separated list of aliases for the keys in the keystore</li>
* <li>[keystore-id].[alias].keydata - key data bytes in base64</li>
* <li>[keystore-id].[alias].algorithm - key algorithm</li>
* <li>[keystore-id].[alias].password - key password</li>
* </ul>
*
* Loading of keys info from system (JVM) properties takes precedence over metadata file.
*
* @param id unique identifier of the keystore
* @param name human readable name of the keystore
* @param type type of the keystore
* @param keyStoreProvider keystore provider
* @param keyMetaDataFileLocation path to keystore metadata file on the file system
* @param location path to keystore on the file system
*/
public KeyStoreParameters(String id, String name, String type, String keyStoreProvider,
String keyMetaDataFileLocation, String location) String keyMetaDataFileLocation, String location)
{
this(name, type, keyStoreProvider, keyMetaDataFileLocation, location);
this.id = id;
}
/**
* Use {@link #KeyStoreParameters(String, String, String, String, String, String)} instead
*/
@Deprecated()
public KeyStoreParameters(String name, String type, String keyStoreProvider,
String keyMetaDataFileLocation, String location)
{ {
super(); super();
this.name = name; this.name = name;
@@ -49,8 +84,13 @@ public class KeyStoreParameters
this.location = location; this.location = location;
} }
public void init() public void init()
{ {
if (!PropertyCheck.isValidPropertyString(getId()))
{
setId(null);
}
if (!PropertyCheck.isValidPropertyString(getLocation())) if (!PropertyCheck.isValidPropertyString(getLocation()))
{ {
setLocation(null); setLocation(null);
@@ -69,6 +109,11 @@ public class KeyStoreParameters
} }
} }
public String getId()
{
return id;
}
public String getName() public String getName()
{ {
return name; return name;
@@ -93,7 +138,12 @@ public class KeyStoreParameters
{ {
return location; return location;
} }
public void setId(String id)
{
this.id = id;
}
public void setName(String name) public void setName(String name)
{ {
this.name = name; this.name = name;

388
core/src/test/java/org/alfresco/encryption/AlfrescoKeyStoreTest.java Normal file
View File

@@ -0,0 +1,388 @@
/*
* Copyright (C) 2005-2020 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.encryption;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import org.alfresco.error.AlfrescoRuntimeException;
import org.junit.Assert;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.TestName;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.junit.MockitoJUnitRunner;
@RunWith(MockitoJUnitRunner.class)
public class AlfrescoKeyStoreTest
{
@Mock
private EncryptionKeysRegistry encryptionKeysRegistry;
@Rule
public TestName testName = new TestName();
@Test
public void testSysPropConfig()
{
String keyStoreId = testName.getMethodName() + "-keystore";
String alias1 = "mykey1";
String alias2 = "mykey2";
KeyStoreParameters keyStoreParameters = new KeyStoreParameters();
keyStoreParameters.setId(keyStoreId);
keyStoreParameters.setName(testName.getMethodName());
keyStoreParameters.setType("JCEKS");
keyStoreParameters.setProvider("SunJCE");
keyStoreParameters.setLocation("classpath:keystore-tests/ks-test-2.jks");
System.setProperty(keyStoreId + "." + "password", "ksPwd2");
System.setProperty(keyStoreId + "." + "aliases", alias1 + "," + alias2);
System.setProperty(keyStoreId + "." + alias1 + "." + "password", "aliasPwd1");
System.setProperty(keyStoreId + "." + alias2 + "." + "password", "aliasPwd2");
try
{
AlfrescoKeyStore alfrescoKeyStore = new AlfrescoKeyStoreImpl(keyStoreParameters, new SpringKeyResourceLoader());
Set<String> expectedAliases = new HashSet<>();
expectedAliases.add(alias1);
expectedAliases.add(alias2);
Assert.assertEquals("The aliases are not correct", expectedAliases, alfrescoKeyStore.getKeyAliases());
Assert.assertNotNull("Failed to retrieve a key from keystore.", alfrescoKeyStore.getKey(alias1));
Assert.assertNotNull("Failed to retrieve a key from keystore.", alfrescoKeyStore.getKey(alias2));
}
finally
{
System.clearProperty(keyStoreId + "." + "password");
System.clearProperty(keyStoreId + "." + "aliases");
System.clearProperty(keyStoreId + "." + alias1 + "." + "password");
System.clearProperty(keyStoreId + "." + alias2 + "." + "password");
}
}
@Test
public void testSysPropConfigWithoutAliases()
{
String keyStoreId = testName.getMethodName() + "-keystore";
String alias1 = "mykey1";
KeyStoreParameters keyStoreParameters = new KeyStoreParameters();
keyStoreParameters.setId(keyStoreId);
keyStoreParameters.setName(testName.getMethodName());
keyStoreParameters.setType("JCEKS");
keyStoreParameters.setProvider("SunJCE");
keyStoreParameters.setLocation("classpath:keystore-tests/ks-test-1.jks");
System.setProperty(keyStoreId + "." + "password", "ksPwd1");
System.setProperty(keyStoreId + "." + alias1 + "." + "password", "aliasPwd1");
try
{
AlfrescoKeyStore keyStore = new AlfrescoKeyStoreImpl(keyStoreParameters, new SpringKeyResourceLoader());
Assert.assertNull(keyStore.getKey(alias1));
}
finally
{
System.clearProperty(keyStoreId + "." + "password");
System.clearProperty(keyStoreId + "." + alias1 + "." + "password");
}
}
@Test
public void testMetaDataFileConfig()
{
String alias1 = "mykey1";
KeyStoreParameters keyStoreParameters = new KeyStoreParameters();
keyStoreParameters.setName(testName.getMethodName());
keyStoreParameters.setType("JCEKS");
keyStoreParameters.setProvider("SunJCE");
keyStoreParameters.setLocation("classpath:keystore-tests/ks-test-1.jks");
keyStoreParameters.setKeyMetaDataFileLocation("classpath:keystore-tests/ks1-metadata.properties");
AlfrescoKeyStore alfrescoKeyStore = new AlfrescoKeyStoreImpl(keyStoreParameters, new SpringKeyResourceLoader());
Set<String> expectedAliases = new HashSet<>();
expectedAliases.add(alias1);
Assert.assertEquals("The aliases are not correct", expectedAliases, alfrescoKeyStore.getKeyAliases());
Assert.assertNotNull("Failed to retrieve a key from keystore.", alfrescoKeyStore.getKey(alias1));
}
/**
* Config via System props should be default, but if the metadata file location is set, it will be used instead.
* This is done to maintain backwards compatibility and simplify testing use cases.
*/
@Test(expected = AlfrescoRuntimeException.class)
public void testConfigBothSystemAndFile()
{
String keyStoreId = testName.getMethodName() + "-keystore";
String alias1 = "mykey1";
String alias2 = "mykey2";
KeyStoreParameters keyStoreParameters = new KeyStoreParameters();
keyStoreParameters.setId(keyStoreId);
keyStoreParameters.setName(testName.getMethodName());
keyStoreParameters.setType("JCEKS");
keyStoreParameters.setProvider("SunJCE");
keyStoreParameters.setLocation("classpath:keystore-tests/ks-test-2.jks");
// use metadata file from keystore with one key
keyStoreParameters.setKeyMetaDataFileLocation("classpath:keystore-tests/ks1-metadata.properties");
System.setProperty(keyStoreId + "." + "password", "ksPwd2");
System.setProperty(keyStoreId + "." + "aliases", alias1 + "," + alias2);
System.setProperty(keyStoreId + "." + alias1 + "." + "password", "aliasPwd1");
System.setProperty(keyStoreId + "." + alias2 + "." + "password", "aliasPwd2");
try
{
new AlfrescoKeyStoreImpl(keyStoreParameters, new SpringKeyResourceLoader());
}
finally
{
System.clearProperty(keyStoreId + "." + "password");
System.clearProperty(keyStoreId + "." + "aliases");
System.clearProperty(keyStoreId + "." + alias1 + "." + "password");
System.clearProperty(keyStoreId + "." + alias2 + "." + "password");
}
}
@Test(expected = AlfrescoRuntimeException.class)
public void testValidateKeysWrongAliasMetadataFile() throws Exception
{
String alias1 = "mykey1";
KeyStoreParameters keyStoreParameters = new KeyStoreParameters();
keyStoreParameters.setName(testName.getMethodName());
keyStoreParameters.setType("JCEKS");
keyStoreParameters.setProvider("SunJCE");
keyStoreParameters.setLocation("classpath:keystore-tests/ks-test-1.jks");
keyStoreParameters.setKeyMetaDataFileLocation("classpath:keystore-tests/wrong-alias-metadata.properties");
AlfrescoKeyStoreImpl alfrescoKeyStore = new AlfrescoKeyStoreImpl(keyStoreParameters, new SpringKeyResourceLoader());
alfrescoKeyStore.setKeysToValidate(Collections.singleton(alias1));
alfrescoKeyStore.setValidateKeyChanges(true);
alfrescoKeyStore.setEncryptionKeysRegistry(encryptionKeysRegistry);
alfrescoKeyStore.validateKeys();
}
@Test
public void testEmptyKeysMetadataFile()
{
KeyStoreParameters keyStoreParameters = new KeyStoreParameters();
keyStoreParameters.setName(testName.getMethodName());
keyStoreParameters.setType("JCEKS");
keyStoreParameters.setProvider("SunJCE");
keyStoreParameters.setLocation("classpath:keystore-tests/ks-test-1.jks");
keyStoreParameters.setKeyMetaDataFileLocation("classpath:keystore-tests/empty-alias-metadata.properties");
new AlfrescoKeyStoreImpl(keyStoreParameters, new SpringKeyResourceLoader());
}
@Test(expected = AlfrescoRuntimeException.class)
public void testWrongKeystorePasswordMetadataFile()
{
KeyStoreParameters keyStoreParameters = new KeyStoreParameters();
keyStoreParameters.setName(testName.getMethodName());
keyStoreParameters.setType("JCEKS");
keyStoreParameters.setProvider("SunJCE");
keyStoreParameters.setLocation("classpath:keystore-tests/ks-test-1.jks");
keyStoreParameters.setKeyMetaDataFileLocation("classpath:keystore-tests/wrong-keystore-password-metadata.properties");
new AlfrescoKeyStoreImpl(keyStoreParameters, new SpringKeyResourceLoader());
}
@Test(expected = AlfrescoRuntimeException.class)
public void testWrongKeyPasswordMetadataFile()
{
KeyStoreParameters keyStoreParameters = new KeyStoreParameters();
keyStoreParameters.setName(testName.getMethodName());
keyStoreParameters.setType("JCEKS");
keyStoreParameters.setProvider("SunJCE");
keyStoreParameters.setLocation("classpath:keystore-tests/ks-test-1.jks");
keyStoreParameters.setKeyMetaDataFileLocation("classpath:keystore-tests/wrong-key-password-metadata.properties");
new AlfrescoKeyStoreImpl(keyStoreParameters, new SpringKeyResourceLoader());
}
@Test(expected = AlfrescoRuntimeException.class)
public void testValidateKeysWrongAliasSysProps() throws Exception
{
String keyStoreId = testName.getMethodName() + "-keystore";
String alias1 = "mykey1";
KeyStoreParameters keyStoreParameters = new KeyStoreParameters();
keyStoreParameters.setId(keyStoreId);
keyStoreParameters.setName(testName.getMethodName());
keyStoreParameters.setType("JCEKS");
keyStoreParameters.setProvider("SunJCE");
keyStoreParameters.setLocation("classpath:keystore-tests/ks-test-1.jks");
System.setProperty(keyStoreId + "." + "aliases", "wrong-alias,another-wrong-alias");
System.setProperty(keyStoreId + "." + "password", "ksPwd1");
System.setProperty(keyStoreId + "." + alias1 + "." + "password", "aliasPwd1");
try
{
AlfrescoKeyStoreImpl alfrescoKeyStore = new AlfrescoKeyStoreImpl(keyStoreParameters, new SpringKeyResourceLoader());
alfrescoKeyStore.setValidateKeyChanges(true);
alfrescoKeyStore.setKeysToValidate(Collections.singleton(alias1));
alfrescoKeyStore.setEncryptionKeysRegistry(encryptionKeysRegistry);
alfrescoKeyStore.validateKeys();
}
finally
{
System.clearProperty(keyStoreId + "." + "aliases");
System.clearProperty(keyStoreId + "." + "password");
System.clearProperty(keyStoreId + "." + alias1 + "." + "password");
}
}
@Test
public void testEmptyKeysSysProps()
{
String keyStoreId = testName.getMethodName() + "-keystore";
KeyStoreParameters keyStoreParameters = new KeyStoreParameters();
keyStoreParameters.setId(keyStoreId);
keyStoreParameters.setName(testName.getMethodName());
keyStoreParameters.setType("JCEKS");
keyStoreParameters.setProvider("SunJCE");
keyStoreParameters.setLocation("classpath:keystore-tests/ks-test-1.jks");
System.setProperty(keyStoreId + "." + "aliases", "empty-alias,another-empty-alias");
System.setProperty(keyStoreId + "." + "password", "ksPwd1");
try
{
new AlfrescoKeyStoreImpl(keyStoreParameters, new SpringKeyResourceLoader());
}
finally
{
System.clearProperty(keyStoreId + "." + "aliases");
System.clearProperty(keyStoreId + "." + "password");
}
}
@Test(expected = AlfrescoRuntimeException.class)
public void testWrongKeystorePasswordSysProps()
{
String keyStoreId = testName.getMethodName() + "-keystore";
String alias1 = "mykey1";
KeyStoreParameters keyStoreParameters = new KeyStoreParameters();
keyStoreParameters.setId(keyStoreId);
keyStoreParameters.setName(testName.getMethodName());
keyStoreParameters.setType("JCEKS");
keyStoreParameters.setProvider("SunJCE");
keyStoreParameters.setLocation("classpath:keystore-tests/ks-test-1.jks");
System.setProperty(keyStoreId + "." + "aliases", alias1);
System.setProperty(keyStoreId + "." + "password", "wrong-password");
System.setProperty(keyStoreId + "." + alias1 + "." + "password", "aliasPwd1");
try
{
new AlfrescoKeyStoreImpl(keyStoreParameters, new SpringKeyResourceLoader());
}
finally
{
System.clearProperty(keyStoreId + "." + "aliases");
System.clearProperty(keyStoreId + "." + "password");
System.clearProperty(keyStoreId + "." + alias1 + "." + "password");
}
}
@Test(expected = AlfrescoRuntimeException.class)
public void testWrongKeyPasswordSysProps()
{
String keyStoreId = testName.getMethodName() + "-keystore";
String alias1 = "mykey1";
KeyStoreParameters keyStoreParameters = new KeyStoreParameters();
keyStoreParameters.setId(keyStoreId);
keyStoreParameters.setName(testName.getMethodName());
keyStoreParameters.setType("JCEKS");
keyStoreParameters.setProvider("SunJCE");
keyStoreParameters.setLocation("classpath:keystore-tests/ks-test-1.jks");
System.setProperty(keyStoreId + "." + "aliases", alias1);
System.setProperty(keyStoreId + "." + "password", "ksPwd1");
System.setProperty(keyStoreId + "." + alias1 + "." + "password", "wrong-key-password");
try
{
new AlfrescoKeyStoreImpl(keyStoreParameters, new SpringKeyResourceLoader());
}
finally
{
System.clearProperty(keyStoreId + "." + "aliases");
System.clearProperty(keyStoreId + "." + "password");
System.clearProperty(keyStoreId + "." + alias1 + "." + "password");
}
}
/**
* No exception is expected. An empty keystore can be created.
*/
@Test
public void testConfigEmptyKeystore()
{
String keyStoreId = testName.getMethodName() + "-keystore";
KeyStoreParameters keyStoreParameters = new KeyStoreParameters();
keyStoreParameters.setId(keyStoreId);
keyStoreParameters.setName(testName.getMethodName());
keyStoreParameters.setType("JCEKS");
keyStoreParameters.setProvider("SunJCE");
keyStoreParameters.setLocation("classpath:non-existing-path/some-keystore.jks");
new AlfrescoKeyStoreImpl(keyStoreParameters, new SpringKeyResourceLoader());
}
@Test(expected = AlfrescoRuntimeException.class)
public void testValidateKeysEmptyAliasSysProps() throws Exception
{
String keyStoreId = testName.getMethodName() + "-keystore";
KeyStoreParameters keyStoreParameters = new KeyStoreParameters();
keyStoreParameters.setId(keyStoreId);
keyStoreParameters.setName(testName.getMethodName());
keyStoreParameters.setType("JCEKS");
keyStoreParameters.setProvider("SunJCE");
keyStoreParameters.setLocation("classpath:keystore-tests/ks-test-1.jks");
System.setProperty(keyStoreId + "." + "password", "ksPwd1");
try
{
AlfrescoKeyStoreImpl alfrescoKeyStore = new AlfrescoKeyStoreImpl(keyStoreParameters, new SpringKeyResourceLoader());
alfrescoKeyStore.setValidateKeyChanges(true);
alfrescoKeyStore.setKeysToValidate(Collections.singleton("non-existing-alias"));
alfrescoKeyStore.setEncryptionKeysRegistry(encryptionKeysRegistry);
alfrescoKeyStore.validateKeys();
}
finally
{
System.clearProperty(keyStoreId + "." + "password");
}
}
}

2
core/src/test/resources/keystore-tests/empty-alias-metadata.properties Normal file
View File

@@ -0,0 +1,2 @@
aliases=empty-alias
keystore.password=ksPwd1

BIN
core/src/test/resources/keystore-tests/ks-test-1.jks Normal file
View File

Binary file not shown.

BIN
core/src/test/resources/keystore-tests/ks-test-2.jks Normal file
View File

Binary file not shown.

3
core/src/test/resources/keystore-tests/ks1-metadata.properties Normal file
View File

@@ -0,0 +1,3 @@
aliases=mykey1
keystore.password=ksPwd1
mykey1.password=aliasPwd1

24
core/src/test/resources/keystore-tests/passwords.txt Normal file
View File

@@ -0,0 +1,24 @@
The keystores contained in this folder are used by tests.
==================
== ks-test-1.ks ==
==================
Keystore password: ksPwd1
Keystore type: JCEKS
Keystore provider: SunJCE
Your keystore contains 1 entry
mykey1: aliasPwd1
==================
== ks-test-2.ks ==
==================
Keystore password: ksPwd2
Keystore type: JCEKS
Keystore provider: SunJCE
Your keystore contains 2 entries
mykey1: aliasPwd1
mykey2: aliasPwd2

3
core/src/test/resources/keystore-tests/wrong-alias-metadata.properties Normal file
View File

@@ -0,0 +1,3 @@
aliases=non-existing-alias
keystore.password=ksPwd1
mykey1.password=aliasPwd1

3
core/src/test/resources/keystore-tests/wrong-key-password-metadata.properties Normal file
View File

@@ -0,0 +1,3 @@
aliases=mykey1
keystore.password=ksPwd1
mykey1.password=wrong-key-password

3
core/src/test/resources/keystore-tests/wrong-keystore-password-metadata.properties Normal file
View File

@@ -0,0 +1,3 @@
aliases=mykey1
keystore.password=wrong-password
mykey1.password=aliasPwd1

14
packaging/distribution/pom.xml Normal file
View File

@@ -0,0 +1,14 @@
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>org.alfresco</groupId>
<artifactId>alfresco-community-repo-distribution</artifactId>
<name>Package Licences and Keystore for Distribution</name>
<packaging>jar</packaging>
<parent>
<groupId>org.alfresco</groupId>
<artifactId>alfresco-community-repo-packaging</artifactId>
<version>7.183.300-TEST2-SNAPSHOT</version>
</parent>
</project>

141
packaging/distribution/src/main/resources/keystore/CreateSSLKeystores.txt Normal file
View File

@@ -0,0 +1,141 @@
Instructions for Generating Repository SSL Keystores
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<store password> is the keystore password. The file ${dir.keystore}/ssl-keystore-passwords.properties contains passwords for the SSL keystore,
${dir.keystore}/ssl-truststore-passwords.properties contains passwords for the SSL truststore.
These instructions will create an RSA public/private key pair for the repository with a certificate that has been signed by the Alfresco Certificate Authority (CA).
It will also create a truststore for the repository containing the CA certificate; this will be used to authenticate connections to specific repository
URLs from Solr. It assumes the existence of the Alfresco CA key and certificate to sign the repository certificate; for security reasons these are not generally available.
You can either generate your own CA key and certificate (see instructions below) or use a recognised Certificate Authority such as Verisign. For Alfresco employees the key
and certificate are available in svn.
(i) Generate the repository public/private key pair in a keystore:
$ keytool -genkey -alias ssl.repo -keyalg RSA -keystore ssl.keystore -storetype JCEKS -storepass <store password>
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: Alfresco Repository
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]: Alfresco Software Ltd.
What is the name of your City or Locality?
[Unknown]: Maidenhead
What is the name of your State or Province?
[Unknown]: UK
What is the two-letter country code for this unit?
[Unknown]: GB
Is CN=Alfresco Repository, OU=Unknown, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB correct?
[no]: yes
Enter key password for <ssl.repo>
(RETURN if same as keystore password):
(ii) Generate a certificate request for the repository key
$ keytool -keystore ssl.keystore -alias ssl.repo -certreq -file repo.csr -storetype JCEKS -storepass <store password>
(iii) Alfresco CA signs the certificate request, creating a certificate that is valid for 365 days.
$ openssl x509 -CA ca.crt -CAkey ca.key -CAcreateserial -req -in repo.csr -out repo.crt -days 365
Signature ok
subject=/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Alfresco Repository
Getting CA Private Key
Enter pass phrase for ca.key:
(iv) Import the Alfresco CA key into the repository key store
$ keytool -import -alias ssl.alfreco.ca -file ca.crt -keystore ssl.keystore -storetype JCEKS -storepass <store password>
Enter keystore password:
Owner: CN=Alfresco CA, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB
Issuer: CN=Alfresco CA, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB
Serial number: 805ba6dc8f62f8b8
Valid from: Fri Aug 12 13:28:58 BST 2011 until: Mon Aug 09 13:28:58 BST 2021
Certificate fingerprints:
MD5: 4B:45:94:2D:8E:98:E8:12:04:67:AD:AE:48:3C:F5:A0
SHA1: 74:42:22:D0:52:AD:82:7A:FD:37:46:37:91:91:F4:77:89:3A:C9:A3
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 08 42 40 DC FE 4A 50 87 05 2B 38 4D 92 70 8E 51 .B@..JP..+8M.p.Q
0010: 4E 38 71 D6 N8q.
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 08 42 40 DC FE 4A 50 87 05 2B 38 4D 92 70 8E 51 .B@..JP..+8M.p.Q
0010: 4E 38 71 D6 N8q.
]
[CN=Alfresco CA, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB]
SerialNumber: [ 805ba6dc 8f62f8b8]
]
Trust this certificate? [no]: yes
Certificate was added to keystore
(v) Import the CA-signed repository certificate into the repository keystore
$ keytool -import -alias ssl.repo -file repo.crt -keystore ssl.keystore -storetype JCEKS -storepass <store password>
Enter keystore password:
Certificate reply was installed in keystore
(vi) Convert the repository keystore to a pkcs12 keystore (for use in browsers such as Firefox). Give the pkcs12 key store the key store password 'alfresco'.
keytool -importkeystore -srckeystore ssl.keystore -srcstorepass <keystore password> -srcstoretype JCEKS -srcalias ssl.repo -srckeypass kT9X6oe68t -destkeystore firefox.p12 -deststoretype pkcs12 -deststorepass alfresco -destalias ssl.repo -destkeypass alfresco
(vi) Create a repository truststore containing the Alfresco CA certificate
keytool -import -alias ssl.alfreco.ca -file ca.crt -keystore ssl.keystore -storetype JCEKS -storepass <store password>
keytool -import -alias alfreco.ca -file ca.crt -keystore ssl.truststore -storetype JCEKS -storepass <store password>
(vii) Copy the keystore and truststore to the repository keystore location defined by the property 'dir.keystore'.
(viii) Update the SSL properties i.e. properties starting with the prefixes 'alfresco.encryption.ssl.keystore' and 'alfresco.encryption.ssl.truststore'.
Instructions for Generating a Certificate Authority (CA) Key and Certificate
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(i) Generate the CA private key
$ openssl genrsa -des3 -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
..........++++++
..++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
(ii) Generate the CA self-signed certificate
$ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:UK
Locality Name (eg, city) []:Maidenhead
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Alfresco Software Ltd.
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:Alfresco CA
Email Address []:

58
packaging/distribution/src/main/resources/keystore/generate_keystores.bat Normal file
View File

@@ -0,0 +1,58 @@
@rem Please edit the variables below to suit your installation
@rem Note: for an installation created by the Alfresco installer, you only need to edit ALFRESCO_HOME
@rem Alfresco installation directory
set ALFRESCO_HOME=C:\Alfresco-5.2
@rem The directory containing the alfresco keystores, as referenced by keystoreFile and truststoreFile attributes in tomcat\conf\server.xml
set ALFRESCO_KEYSTORE_HOME=%ALFRESCO_HOME%\alf_data\keystore
@rem Java installation directory
set JAVA_HOME=%ALFRESCO_HOME%\java
@rem Location in which new keystore files will be generated
set CERTIFICATE_HOME=%USERPROFILE%
@rem The repository server certificate subject name, as specified in tomcat\conf\tomcat-users.xml with roles="repository"
set REPO_CERT_DNAME=CN=Alfresco Repository, OU=Unknown, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB
@rem The SOLR client certificate subject name, as specified in tomcat\conf\tomcat-users.xml with roles="repoclient"
set SOLR_CLIENT_CERT_DNAME=CN=Alfresco Repository Client, OU=Unknown, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB
@rem The number of days before the certificate expires
set CERTIFICATE_VALIDITY=36525
@rem Ensure certificate output dir exists
@if not exist "%CERTIFICATE_HOME%" mkdir "%CERTIFICATE_HOME%"
@rem Remove old output files (note they are backed up elsewhere)
@if exist "%CERTIFICATE_HOME%\ssl.keystore" del "%CERTIFICATE_HOME%\ssl.keystore"
@if exist "%CERTIFICATE_HOME%\ssl.truststore" del "%CERTIFICATE_HOME%\ssl.truststore"
@if exist "%CERTIFICATE_HOME%\browser.p12" del "%CERTIFICATE_HOME%\browser.p12"
@if exist "%CERTIFICATE_HOME%\ssl.repo.client.keystore" del "%CERTIFICATE_HOME%\ssl.repo.client.keystore"
@if exist "%CERTIFICATE_HOME%\ssl.repo.client.truststore" del "%CERTIFICATE_HOME%\ssl.repo.client.truststore"
@rem Generate new self-signed certificates for the repository and solr
"%JAVA_HOME%\bin\keytool" -genkeypair -keyalg RSA -dname "%REPO_CERT_DNAME%" -validity %CERTIFICATE_VALIDITY% -alias ssl.repo -keypass kT9X6oe68t -keystore "%CERTIFICATE_HOME%\ssl.keystore" -storetype JCEKS -storepass kT9X6oe68t
"%JAVA_HOME%\bin\keytool" -exportcert -alias ssl.repo -file "%CERTIFICATE_HOME%\ssl.repo.crt" -keystore "%CERTIFICATE_HOME%\ssl.keystore" -storetype JCEKS -storepass kT9X6oe68t
"%JAVA_HOME%\bin\keytool" -genkeypair -keyalg RSA -dname "%SOLR_CLIENT_CERT_DNAME%" -validity %CERTIFICATE_VALIDITY% -alias ssl.repo.client -keypass kT9X6oe68t -keystore "%CERTIFICATE_HOME%\ssl.repo.client.keystore" -storetype JCEKS -storepass kT9X6oe68t
"%JAVA_HOME%\bin\keytool" -exportcert -alias ssl.repo.client -file "%CERTIFICATE_HOME%\ssl.repo.client.crt" -keystore "%CERTIFICATE_HOME%\ssl.repo.client.keystore" -storetype JCEKS -storepass kT9X6oe68t
@rem Create trust relationship between repository and solr
"%JAVA_HOME%\bin\keytool" -importcert -noprompt -alias ssl.repo.client -file "%CERTIFICATE_HOME%\ssl.repo.client.crt" -keystore "%CERTIFICATE_HOME%\ssl.truststore" -storetype JCEKS -storepass kT9X6oe68t
@rem Create trust relationship between repository and itself - used for searches
"%JAVA_HOME%\bin\keytool" -importcert -noprompt -alias ssl.repo -file "%CERTIFICATE_HOME%\ssl.repo.crt" -keystore "%CERTIFICATE_HOME%\ssl.truststore" -storetype JCEKS -storepass kT9X6oe68t
@rem Create trust relationship between solr and repository
"%JAVA_HOME%\bin\keytool" -importcert -noprompt -alias ssl.repo -file "%CERTIFICATE_HOME%\ssl.repo.crt" -keystore "%CERTIFICATE_HOME%\ssl.repo.client.truststore" -storetype JCEKS -storepass kT9X6oe68t
@rem Export repository keystore to pkcs12 format for browser compatibility
"%JAVA_HOME%\bin\keytool" -importkeystore -srckeystore "%CERTIFICATE_HOME%\ssl.keystore" -srcstorepass kT9X6oe68t -srcstoretype JCEKS -srcalias ssl.repo -srckeypass kT9X6oe68t -destkeystore "%CERTIFICATE_HOME%\browser.p12" -deststoretype pkcs12 -deststorepass alfresco -destalias ssl.repo -destkeypass alfresco
@rem Ensure keystore dir actually exists
@if not exist "%ALFRESCO_KEYSTORE_HOME%" mkdir "%ALFRESCO_KEYSTORE_HOME%"
@rem Install the new files
copy /Y "%CERTIFICATE_HOME%\ssl.keystore" "%ALFRESCO_KEYSTORE_HOME%\ssl.keystore"
copy /Y "%CERTIFICATE_HOME%\ssl.truststore" "%ALFRESCO_KEYSTORE_HOME%\ssl.truststore"
copy /Y "%CERTIFICATE_HOME%\browser.p12" "%ALFRESCO_KEYSTORE_HOME%\browser.p12"
@echo ****************************************
@echo You must copy the following files to the correct location.
@echo %CERTIFICATE_HOME%\ssl.repo.client.keystore
@echo %CERTIFICATE_HOME%\ssl.repo.client.truststore
@echo eg. for Solr 4 the location is SOLR_HOME\workspace-SpacesStore\conf and SOLR_HOME\archive-SpacesStore\conf
@echo Please ensure that you set dir.keystore=%ALFRESCO_KEYSTORE_HOME% in alfresco-global.properties
@echo ****************************************

82
packaging/distribution/src/main/resources/keystore/generate_keystores.sh Normal file
View File

@@ -0,0 +1,82 @@
#! /bin/sh
# Please edit the variables below to suit your installation
# Note: for an installation created by the Alfresco installer, you only need to edit ALFRESCO_HOME
# Alfresco installation directory
if [ -z "$ALFRESCO_HOME" ]; then
ALFRESCO_HOME=/opt/alfresco-5.2
echo "Setting ALFRESCO_HOME to $ALFRESCO_HOME"
fi
# The directory containing the alfresco keystores, as referenced by keystoreFile and truststoreFile attributes in tomcat/conf/server.xml
ALFRESCO_KEYSTORE_HOME=$ALFRESCO_HOME/alf_data/keystore
# Location in which new keystore files will be generated
if [ -z "$CERTIFICATE_HOME" ]; then
CERTIFICATE_HOME=$HOME
echo "Certificates will be generated in $CERTIFICATE_HOME and then moved to $ALFRESCO_KEYSTORE_HOME"
fi
# Java installation directory
JAVA_HOME=$ALFRESCO_HOME/java
# The repository server certificate subject name, as specified in tomcat/conf/tomcat-users.xml with roles="repository"
REPO_CERT_DNAME="CN=Alfresco Repository, OU=Unknown, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB"
# The SOLR client certificate subject name, as specified in tomcat/conf/tomcat-users.xml with roles="repoclient"
SOLR_CLIENT_CERT_DNAME="CN=Alfresco Repository Client, OU=Unknown, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB"
# The number of days before the certificate expires
CERTIFICATE_VALIDITY=36525
# Stop
if [ -f "$ALFRESCO_HOME/alfresco.sh" ]; then "$ALFRESCO_HOME/alfresco.sh" stop; fi
# Ensure certificate output dir exists
mkdir -p "$CERTIFICATE_HOME"
# Remove old output files (note they are backed up elsewhere)
if [ -f "$CERTIFICATE_HOME/ssl.keystore" ]; then rm "$CERTIFICATE_HOME/ssl.keystore"; fi
if [ -f "$CERTIFICATE_HOME/ssl.truststore" ]; then rm "$CERTIFICATE_HOME/ssl.truststore"; fi
if [ -f "$CERTIFICATE_HOME/browser.p12" ]; then rm "$CERTIFICATE_HOME/browser.p12"; fi
if [ -f "$CERTIFICATE_HOME/ssl.repo.client.keystore" ]; then rm "$CERTIFICATE_HOME/ssl.repo.client.keystore"; fi
if [ -f "$CERTIFICATE_HOME/ssl.repo.client.truststore" ]; then rm "$CERTIFICATE_HOME/ssl.repo.client.truststore"; fi
# Generate new self-signed certificates for the repository and solr
"$JAVA_HOME/bin/keytool" -genkeypair -keyalg RSA -dname "$REPO_CERT_DNAME" -validity $CERTIFICATE_VALIDITY -alias ssl.repo -keypass kT9X6oe68t -keystore "$CERTIFICATE_HOME/ssl.keystore" -storetype JCEKS -storepass kT9X6oe68t
"$JAVA_HOME/bin/keytool" -exportcert -alias ssl.repo -file "$CERTIFICATE_HOME/ssl.repo.crt" -keystore "$CERTIFICATE_HOME/ssl.keystore" -storetype JCEKS -storepass kT9X6oe68t
"$JAVA_HOME/bin/keytool" -genkeypair -keyalg RSA -dname "$SOLR_CLIENT_CERT_DNAME" -validity $CERTIFICATE_VALIDITY -alias ssl.repo.client -keypass kT9X6oe68t -keystore "$CERTIFICATE_HOME/ssl.repo.client.keystore" -storetype JCEKS -storepass kT9X6oe68t
"$JAVA_HOME/bin/keytool" -exportcert -alias ssl.repo.client -file "$CERTIFICATE_HOME/ssl.repo.client.crt" -keystore "$CERTIFICATE_HOME/ssl.repo.client.keystore" -storetype JCEKS -storepass kT9X6oe68t
# Create trust relationship between repository and solr
"$JAVA_HOME/bin/keytool" -importcert -noprompt -alias ssl.repo.client -file "$CERTIFICATE_HOME/ssl.repo.client.crt" -keystore "$CERTIFICATE_HOME/ssl.truststore" -storetype JCEKS -storepass kT9X6oe68t
# Create trust relationship between repository and itself - used for searches
"$JAVA_HOME/bin/keytool" -importcert -noprompt -alias ssl.repo -file "$CERTIFICATE_HOME/ssl.repo.crt" -keystore "$CERTIFICATE_HOME/ssl.truststore" -storetype JCEKS -storepass kT9X6oe68t
# Create trust relationship between solr and repository
"$JAVA_HOME/bin/keytool" -importcert -noprompt -alias ssl.repo -file "$CERTIFICATE_HOME/ssl.repo.crt" -keystore "$CERTIFICATE_HOME/ssl.repo.client.truststore" -storetype JCEKS -storepass kT9X6oe68t
# Export repository keystore to pkcs12 format for browser compatibility
"$JAVA_HOME/bin/keytool" -importkeystore -srckeystore "$CERTIFICATE_HOME/ssl.keystore" -srcstorepass kT9X6oe68t -srcstoretype JCEKS -srcalias ssl.repo -srckeypass kT9X6oe68t -destkeystore "$CERTIFICATE_HOME/browser.p12" -deststoretype pkcs12 -deststorepass alfresco -destalias ssl.repo -destkeypass alfresco
# Ensure keystore dir actually exists
mkdir -p "$ALFRESCO_KEYSTORE_HOME"
# Back up old files
cp "$ALFRESCO_KEYSTORE_HOME/ssl.keystore" "$ALFRESCO_KEYSTORE_HOME/ssl.keystore.old"
cp "$ALFRESCO_KEYSTORE_HOME/ssl.truststore" "$ALFRESCO_KEYSTORE_HOME/ssl.truststore.old"
cp "$ALFRESCO_KEYSTORE_HOME/browser.p12" "$ALFRESCO_KEYSTORE_HOME/browser.p12.old"
# Install the new files
cp "$CERTIFICATE_HOME/ssl.keystore" "$ALFRESCO_KEYSTORE_HOME/ssl.keystore"
cp "$CERTIFICATE_HOME/ssl.truststore" "$ALFRESCO_KEYSTORE_HOME/ssl.truststore"
cp "$CERTIFICATE_HOME/browser.p12" "$ALFRESCO_KEYSTORE_HOME/browser.p12"
echo " "
echo "*******************************************"
echo "You must copy the following files to the correct location."
echo " "
echo " $CERTIFICATE_HOME/ssl.repo.client.keystore"
echo " $CERTIFICATE_HOME/ssl.repo.client.truststore"
echo " eg. for Solr 4 the location is SOLR_HOME/workspace-SpacesStore/conf/ and SOLR_HOME/archive-SpacesStore/conf/"
echo " "
echo "$ALFRESCO_KEYSTORE_HOME/browser.p12 has also been generated."
echo " "
echo "Please ensure that you set dir.keystore=$ALFRESCO_KEYSTORE_HOME in alfresco-global.properties"
echo "*******************************************"

0
repository/src/main/resources/alfresco/keystore/keystore → packaging/distribution/src/main/resources/keystore/metadata-keystore/keystore
View File

15
repository/src/main/resources/alfresco/keystore/keystore-passwords.properties → packaging/distribution/src/main/resources/keystore/metadata-keystore/keystore-passwords.properties
View File

@@ -1,7 +1,10 @@
aliases=metadata # This file and the keystore is deprecated
# The password protecting the keystore entries # Please generate a new keystore for new systems and use JVM properties for it's configuration
keystore.password=mp6yc0UD9e
# The password protecting the alias: metadata aliases=metadata
metadata.keyData= # The password protecting the keystore entries
metadata.algorithm=DESede keystore.password=mp6yc0UD9e
# The password protecting the alias: metadata
metadata.keyData=
metadata.algorithm=DESede
metadata.password=oKIWzVdEdA metadata.password=oKIWzVdEdA

7
packaging/distribution/src/main/resources/keystore/readme.txt Normal file
View File

@@ -0,0 +1,7 @@
See https://wiki.alfresco.com/wiki/Data_Encryption and https://wiki.alfresco.com/wiki/Alfresco_And_SOLR.
keystore is the secret key keystore, containing the secret key used to encrypt and decrypt node properties.
ssl.keystore is the repository keystore, containing the repository private/public key pair and certificate.
ssl.truststore is the repository truststore, containing certificates that the repository trusts.
browser.p12 is a pkcs12 keystore generated from ssl.keystore that contains the repository private key and certificate for use in browsers such as Firefox.

18
packaging/docker-alfresco/Dockerfile
View File

@@ -19,6 +19,8 @@ ARG TOMCAT_DIR=/usr/local/tomcat
RUN mkdir -p ${TOMCAT_DIR}/shared/classes/alfresco/extension/mimetypes && \ RUN mkdir -p ${TOMCAT_DIR}/shared/classes/alfresco/extension/mimetypes && \
mkdir -p ${TOMCAT_DIR}/shared/classes/alfresco/extension/transform/renditions && \ mkdir -p ${TOMCAT_DIR}/shared/classes/alfresco/extension/transform/renditions && \
mkdir -p ${TOMCAT_DIR}/shared/classes/alfresco/extension/transform/pipelines && \ mkdir -p ${TOMCAT_DIR}/shared/classes/alfresco/extension/transform/pipelines && \
mkdir /licenses && \
mkdir -p ${TOMCAT_DIR}/shared/classes/alfresco/extension/keystore && \
mkdir ${TOMCAT_DIR}/alfresco-mmt && \ mkdir ${TOMCAT_DIR}/alfresco-mmt && \
touch ${TOMCAT_DIR}/shared/classes/alfresco-global.properties touch ${TOMCAT_DIR}/shared/classes/alfresco-global.properties
@@ -26,13 +28,13 @@ RUN mkdir -p ${TOMCAT_DIR}/shared/classes/alfresco/extension/mimetypes && \
# Copy the WAR files to the appropriate location for your application server # Copy the WAR files to the appropriate location for your application server
# Copy the JDBC drivers for the database you are using to the lib/ directory. # Copy the JDBC drivers for the database you are using to the lib/ directory.
# Copy the alfresco-mmt.jar # Copy the alfresco-mmt.jar
# Copy Licenses to the root of the Docker image
# Copy default keystore
COPY ${resource_path}/war ${TOMCAT_DIR}/webapps COPY ${resource_path}/war ${TOMCAT_DIR}/webapps
COPY ${resource_path}/connector/* ${TOMCAT_DIR}/lib/ COPY ${resource_path}/connector/* ${TOMCAT_DIR}/lib/
COPY ${resource_path}/alfresco-mmt/* ${TOMCAT_DIR}/alfresco-mmt/ COPY ${resource_path}/alfresco-mmt/* ${TOMCAT_DIR}/alfresco-mmt/
COPY ${resource_path}/dependency/licenses/ /licenses/
# Copy Licenses to the root of the Docker image COPY ${resource_path}/dependency/keystore/metadata-keystore ${TOMCAT_DIR}/shared/classes/alfresco/extension/keystore/
RUN mkdir /licenses
COPY ${resource_path}/licenses/ /licenses/
# Change the value of the shared.loader= property to the following: # Change the value of the shared.loader= property to the following:
# shared.loader=${catalina.base}/shared/classes # shared.loader=${catalina.base}/shared/classes
@@ -70,14 +72,6 @@ RUN yum install -y fontconfig-2.13.0-4.3.el7 \
dejavu-sans-fonts-2.33-6.el7 && \ dejavu-sans-fonts-2.33-6.el7 && \
yum clean all yum clean all
# Generate default keystore. Please generate new one for production systems
ARG CERT_DNAME="CN=Alfresco Repository, OU=Unknown, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB"
ARG CERT_VALIDITY=36525
ARG KEYSTORE_PASSWORD=mp6yc0UD9e
RUN mkdir ${TOMCAT_DIR}/shared/classes/alfresco/keystore && \
keytool -genseckey -dname "$CERT_DNAME" -validity ${CERT_VALIDITY} -alias metadata -keyalg AES -keysize 256 -keystore ${TOMCAT_DIR}/shared/classes/alfresco/keystore/keystore -storetype pkcs12 -storepass ${KEYSTORE_PASSWORD}
# The standard configuration is to have all Tomcat files owned by root with group GROUPNAME and whilst owner has read/write privileges, # The standard configuration is to have all Tomcat files owned by root with group GROUPNAME and whilst owner has read/write privileges,
# group only has restricted permissions and world has no permissions. # group only has restricted permissions and world has no permissions.
RUN mkdir -p ${TOMCAT_DIR}/conf/Catalina/localhost && \ RUN mkdir -p ${TOMCAT_DIR}/conf/Catalina/localhost && \

41
packaging/docker-alfresco/pom.xml
View File

@@ -16,29 +16,6 @@
<build> <build>
<plugins> <plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-resources-plugin</artifactId>
<executions>
<execution>
<id>copy-licenses</id>
<phase>process-resources</phase>
<goals>
<goal>copy-resources</goal>
</goals>
<configuration>
<resources>
<resource>
<!-- Extract licenses directory -->
<directory>../distribution/src/main/resources/licenses</directory>
<filtering>false</filtering>
</resource>
</resources>
<outputDirectory>${project.build.directory}/licenses</outputDirectory>
</configuration>
</execution>
</executions>
</plugin>
<plugin> <plugin>
<groupId>org.apache.maven.plugins</groupId> <groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-dependency-plugin</artifactId> <artifactId>maven-dependency-plugin</artifactId>
@@ -126,6 +103,24 @@
</artifactItems> </artifactItems>
</configuration> </configuration>
</execution> </execution>
<execution>
<id>unpack-licenses-and-keystore</id>
<phase>process-resources</phase>
<goals>
<goal>unpack</goal>
</goals>
<configuration>
<artifactItems>
<artifactItem>
<groupId>org.alfresco</groupId>
<artifactId>alfresco-community-repo-distribution</artifactId>
<type>jar</type>
<version>${project.version}</version>
</artifactItem>
</artifactItems>
</configuration>
</execution>
</executions> </executions>
</plugin> </plugin>
</plugins> </plugins>

4
packaging/pom.xml
View File

@@ -18,6 +18,7 @@
</activation> </activation>
<modules> <modules>
<module>war</module> <module>war</module>
<module>distribution</module>
<module>docker-alfresco</module> <module>docker-alfresco</module>
</modules> </modules>
</profile> </profile>
@@ -25,18 +26,21 @@
<id>community</id> <id>community</id>
<modules> <modules>
<module>war</module> <module>war</module>
<module>distribution</module>
</modules> </modules>
</profile> </profile>
<profile> <profile>
<id>communityDocker</id> <id>communityDocker</id>
<modules> <modules>
<module>war</module> <module>war</module>
<module>distribution</module>
<module>docker-alfresco</module> <module>docker-alfresco</module>
</modules> </modules>
</profile> </profile>
<profile> <profile>
<id>all-tas-tests</id> <id>all-tas-tests</id>
<modules> <modules>
<module>distribution</module>
<module>tests</module> <module>tests</module>
</modules> </modules>
</profile> </profile>

14
packaging/tests/environment/docker-compose-minimal+transforms.yml
View File

@@ -10,6 +10,16 @@ services:
image: alfresco/alfresco-community-repo-base:latest image: alfresco/alfresco-community-repo-base:latest
environment: environment:
CATALINA_OPTS : "-agentlib:jdwp=transport=dt_socket,address=*:8000,server=y,suspend=n" CATALINA_OPTS : "-agentlib:jdwp=transport=dt_socket,address=*:8000,server=y,suspend=n"
JAVA_TOOL_OPTIONS: "
-Dencryption.keystore.type=JCEKS
-Dencryption.cipherAlgorithm=DESede/CBC/PKCS5Padding
-Dencryption.keyAlgorithm=DESede
-Dencryption.keystore.location=/usr/local/tomcat/shared/classes/alfresco/extension/keystore/keystore
-Dmetadata-keystore.password=mp6yc0UD9e
-Dmetadata-keystore.aliases=metadata
-Dmetadata-keystore.metadata.password=oKIWzVdEdA
-Dmetadata-keystore.metadata.algorithm=DESede
"
JAVA_OPTS : JAVA_OPTS :
" "
-Ddb.driver=org.postgresql.Driver -Ddb.driver=org.postgresql.Driver
@@ -39,10 +49,6 @@ services:
-Dftp.port=1221 -Dftp.port=1221
-Dcors.enabled=true -Dcors.enabled=true
-Dcors.allowed.origins=http://localhost:4200,http://localhost:8080 -Dcors.allowed.origins=http://localhost:4200,http://localhost:8080
-Dmetadata-keystore.password=mp6yc0UD9e
-Dmetadata-keystore.aliases=metadata
-Dmetadata-keystore.metadata.password=mp6yc0UD9e
-Dmetadata-keystore.metadata.algorithm=AES
" "
ports: ports:
- 8082:8080 - 8082:8080

14
packaging/tests/environment/docker-compose-minimal.yml
View File

@@ -10,6 +10,16 @@ services:
image: alfresco/alfresco-community-repo-base:latest image: alfresco/alfresco-community-repo-base:latest
environment: environment:
CATALINA_OPTS : "-agentlib:jdwp=transport=dt_socket,address=*:8000,server=y,suspend=n" CATALINA_OPTS : "-agentlib:jdwp=transport=dt_socket,address=*:8000,server=y,suspend=n"
JAVA_TOOL_OPTIONS: "
-Dencryption.keystore.type=JCEKS
-Dencryption.cipherAlgorithm=DESede/CBC/PKCS5Padding
-Dencryption.keyAlgorithm=DESede
-Dencryption.keystore.location=/usr/local/tomcat/shared/classes/alfresco/extension/keystore/keystore
-Dmetadata-keystore.password=mp6yc0UD9e
-Dmetadata-keystore.aliases=metadata
-Dmetadata-keystore.metadata.password=oKIWzVdEdA
-Dmetadata-keystore.metadata.algorithm=DESede
"
JAVA_OPTS : JAVA_OPTS :
" "
-Ddb.driver=org.postgresql.Driver -Ddb.driver=org.postgresql.Driver
@@ -35,10 +45,6 @@ services:
-Dftp.port=1221 -Dftp.port=1221
-Dcors.enabled=true -Dcors.enabled=true
-Dcors.allowed.origins=http://localhost:4200,http://localhost:8080 -Dcors.allowed.origins=http://localhost:4200,http://localhost:8080
-Dmetadata-keystore.password=mp6yc0UD9e
-Dmetadata-keystore.aliases=metadata
-Dmetadata-keystore.metadata.password=mp6yc0UD9e
-Dmetadata-keystore.metadata.algorithm=AES
" "
ports: ports:
- 8082:8080 - 8082:8080

8
repository/src/main/resources/alfresco/encryption-context.xml
View File

@@ -15,10 +15,12 @@
</bean> </bean>
<bean id="keyStoreParameters" class="org.alfresco.encryption.KeyStoreParameters" init-method="init"> <bean id="keyStoreParameters" class="org.alfresco.encryption.KeyStoreParameters" init-method="init">
<property name="id" value="metadata-keystore"/>
<property name="name" value="Key Store"/> <property name="name" value="Key Store"/>
<property name="location" value="${encryption.keystore.location}"/> <property name="location" value="${encryption.keystore.location}"/>
<property name="provider" value="${encryption.keystore.provider}"/> <property name="provider" value="${encryption.keystore.provider}"/>
<property name="type" value="${encryption.keystore.type}"/> <property name="type" value="${encryption.keystore.type}"/>
<!-- This property is left for backwards compatibility -->
<property name="keyMetaDataFileLocation" value="${encryption.keystore.keyMetaData.location}"/> <property name="keyMetaDataFileLocation" value="${encryption.keystore.keyMetaData.location}"/>
</bean> </bean>
@@ -30,18 +32,22 @@
<!-- TODO i18n for key store names --> <!-- TODO i18n for key store names -->
<bean id="sslKeyStoreParameters" class="org.alfresco.encryption.KeyStoreParameters" init-method="init"> <bean id="sslKeyStoreParameters" class="org.alfresco.encryption.KeyStoreParameters" init-method="init">
<property name="id" value="ssl-keystore"/>
<property name="name" value="SSL Key Store"/> <property name="name" value="SSL Key Store"/>
<property name="location" value="${encryption.ssl.keystore.location}"/> <property name="location" value="${encryption.ssl.keystore.location}"/>
<property name="type" value="${encryption.ssl.keystore.type}"/> <property name="type" value="${encryption.ssl.keystore.type}"/>
<property name="provider" value="${encryption.ssl.keystore.provider}"/> <property name="provider" value="${encryption.ssl.keystore.provider}"/>
<!-- This property is left for backwards compatibility -->
<property name="keyMetaDataFileLocation" value="${encryption.ssl.keystore.keyMetaData.location}"/> <property name="keyMetaDataFileLocation" value="${encryption.ssl.keystore.keyMetaData.location}"/>
</bean> </bean>
<bean id="sslTrustStoreParameters" class="org.alfresco.encryption.KeyStoreParameters" init-method="init"> <bean id="sslTrustStoreParameters" class="org.alfresco.encryption.KeyStoreParameters" init-method="init">
<property name="id" value="ssl-truststore"/>
<property name="name" value="SSL Trust Store"/> <property name="name" value="SSL Trust Store"/>
<property name="location" value="${encryption.ssl.truststore.location}"/> <property name="location" value="${encryption.ssl.truststore.location}"/>
<property name="type" value="${encryption.ssl.truststore.type}"/> <property name="type" value="${encryption.ssl.truststore.type}"/>
<property name="provider" value="${encryption.ssl.truststore.provider}"/> <property name="provider" value="${encryption.ssl.truststore.provider}"/>
<!-- This property is left for backwards compatibility -->
<property name="keyMetaDataFileLocation" value="${encryption.ssl.truststore.keyMetaData.location}"/> <property name="keyMetaDataFileLocation" value="${encryption.ssl.truststore.keyMetaData.location}"/>
</bean> </bean>
@@ -71,10 +77,12 @@
</bean> </bean>
<bean id="backupKeyStoreParameters" class="org.alfresco.encryption.KeyStoreParameters" init-method="init"> <bean id="backupKeyStoreParameters" class="org.alfresco.encryption.KeyStoreParameters" init-method="init">
<property name="id" value="metadata-backup-keystore"/>
<property name="name" value="Backup Key Store"/> <property name="name" value="Backup Key Store"/>
<property name="location" value="${encryption.keystore.backup.location}"/> <property name="location" value="${encryption.keystore.backup.location}"/>
<property name="provider" value="${encryption.keystore.backup.provider}"/> <property name="provider" value="${encryption.keystore.backup.provider}"/>
<property name="type" value="${encryption.keystore.backup.type}"/> <property name="type" value="${encryption.keystore.backup.type}"/>
<!-- This property is left for backwards compatibility -->
<property name="keyMetaDataFileLocation" value="${encryption.keystore.backup.keyMetaData.location}"/> <property name="keyMetaDataFileLocation" value="${encryption.keystore.backup.keyMetaData.location}"/>
</bean> </bean>

20
repository/src/main/resources/alfresco/repository.properties
View File

@@ -816,20 +816,22 @@ dir.keystore=classpath:alfresco/keystore
# general encryption parameters # general encryption parameters
encryption.keySpec.class=org.alfresco.encryption.DESEDEKeyGenerator encryption.keySpec.class=org.alfresco.encryption.DESEDEKeyGenerator
encryption.keyAlgorithm=DESede encryption.keyAlgorithm=AES
encryption.cipherAlgorithm=DESede/CBC/PKCS5Padding encryption.cipherAlgorithm=AES/CBC/PKCS5Padding
# secret key keystore configuration # secret key keystore configuration
encryption.keystore.location=${dir.keystore}/keystore encryption.keystore.location=${dir.keystore}/keystore
encryption.keystore.keyMetaData.location=${dir.keystore}/keystore-passwords.properties # configuration via metadata is deprecated
encryption.keystore.keyMetaData.location=
encryption.keystore.provider= encryption.keystore.provider=
encryption.keystore.type=JCEKS encryption.keystore.type=pkcs12
# backup secret key keystore configuration # backup secret key keystore configuration
encryption.keystore.backup.location=${dir.keystore}/backup-keystore encryption.keystore.backup.location=${dir.keystore}/backup-keystore
encryption.keystore.backup.keyMetaData.location=${dir.keystore}/backup-keystore-passwords.properties # configuration via metadata is deprecated
encryption.keystore.backup.keyMetaData.location=
encryption.keystore.backup.provider= encryption.keystore.backup.provider=
encryption.keystore.backup.type=JCEKS encryption.keystore.backup.type=pkcs12
# Should encryptable properties be re-encrypted with new encryption keys on botstrap? # Should encryptable properties be re-encrypted with new encryption keys on botstrap?
encryption.bootstrap.reencrypt=false encryption.bootstrap.reencrypt=false
@@ -842,11 +844,13 @@ encryption.mac.algorithm=HmacSHA1
encryption.ssl.keystore.location=${dir.keystore}/ssl.keystore encryption.ssl.keystore.location=${dir.keystore}/ssl.keystore
encryption.ssl.keystore.provider= encryption.ssl.keystore.provider=
encryption.ssl.keystore.type=JCEKS encryption.ssl.keystore.type=JCEKS
encryption.ssl.keystore.keyMetaData.location=${dir.keystore}/ssl-keystore-passwords.properties # configuration via metadata is deprecated
encryption.ssl.keystore.keyMetaData.location=
encryption.ssl.truststore.location=${dir.keystore}/ssl.truststore encryption.ssl.truststore.location=${dir.keystore}/ssl.truststore
encryption.ssl.truststore.provider= encryption.ssl.truststore.provider=
encryption.ssl.truststore.type=JCEKS encryption.ssl.truststore.type=JCEKS
encryption.ssl.truststore.keyMetaData.location=${dir.keystore}/ssl-truststore-passwords.properties # configuration via metadata is deprecated
encryption.ssl.truststore.keyMetaData.location=
# Re-encryptor properties # Re-encryptor properties
encryption.reencryptor.chunkSize=100 encryption.reencryptor.chunkSize=100

3
repository/src/test/java/org/alfresco/AppContext02TestSuite.java
View File

@@ -65,6 +65,9 @@ import org.junit.runners.Suite;
org.alfresco.repo.content.filestore.ReadOnlyFileContentStoreTest.class, org.alfresco.repo.content.filestore.ReadOnlyFileContentStoreTest.class,
org.alfresco.repo.content.RoutingContentStoreTest.class, org.alfresco.repo.content.RoutingContentStoreTest.class,
org.alfresco.encryption.EncryptionTests.class,
org.alfresco.encryption.KeyStoreTests.class
// TODO REPO-2791 org.alfresco.repo.content.routing.StoreSelectorAspectContentStoreTest.class, // TODO REPO-2791 org.alfresco.repo.content.routing.StoreSelectorAspectContentStoreTest.class,
}) })
public class AppContext02TestSuite public class AppContext02TestSuite

72
repository/src/test/java/org/alfresco/encryption/EncryptionTests.java
View File

@@ -1,28 +1,28 @@
/* /*
* #%L * #%L
* Alfresco Repository * Alfresco Repository
* %% * %%
* Copyright (C) 2005 - 2016 Alfresco Software Limited * Copyright (C) 2005 - 2016 Alfresco Software Limited
* %% * %%
* This file is part of the Alfresco software. * This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of * If the software was purchased under a paid Alfresco license, the terms of
* the paid license agreement will prevail. Otherwise, the software is * the paid license agreement will prevail. Otherwise, the software is
* provided under the following open source license terms: * provided under the following open source license terms:
* *
* Alfresco is free software: you can redistribute it and/or modify * Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by * it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or * the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version. * (at your option) any later version.
* *
* Alfresco is distributed in the hope that it will be useful, * Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of * but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details. * GNU Lesser General Public License for more details.
* *
* You should have received a copy of the GNU Lesser General Public License * You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>. * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
* #L% * #L%
*/ */
package org.alfresco.encryption; package org.alfresco.encryption;
import java.io.Serializable; import java.io.Serializable;
@@ -270,28 +270,6 @@ public class EncryptionTests extends TestCase
mainEncryptor.setKeyProvider(mainKeyProvider); mainEncryptor.setKeyProvider(mainKeyProvider);
} }
} }
public void testBootstrapReEncrypt()
{
try
{
// ensure that the backup key store is not available
backupKeyStoreParameters.setLocation("");
//backupKeyStore.reload();
mainKeyStore.reload();
reEncryptor.bootstrapReEncrypt();
fail("Should have caught missing backup key store");
}
catch(MissingKeyException e)
{
System.out.println("Successfully caught missing key exception");
}
catch(InvalidKeystoreException e)
{
fail("Unexpected exception: " + e.getMessage());
}
}
protected void testChangeKeysImpl(boolean cacheCiphers) throws Throwable protected void testChangeKeysImpl(boolean cacheCiphers) throws Throwable
{ {

58
repository/src/test/java/org/alfresco/encryption/KeyStoreTests.java
View File

@@ -1,28 +1,28 @@
/* /*
* #%L * #%L
* Alfresco Repository * Alfresco Repository
* %% * %%
* Copyright (C) 2005 - 2016 Alfresco Software Limited * Copyright (C) 2005 - 2016 Alfresco Software Limited
* %% * %%
* This file is part of the Alfresco software. * This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of * If the software was purchased under a paid Alfresco license, the terms of
* the paid license agreement will prevail. Otherwise, the software is * the paid license agreement will prevail. Otherwise, the software is
* provided under the following open source license terms: * provided under the following open source license terms:
* *
* Alfresco is free software: you can redistribute it and/or modify * Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by * it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or * the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version. * (at your option) any later version.
* *
* Alfresco is distributed in the hope that it will be useful, * Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of * but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details. * GNU Lesser General Public License for more details.
* *
* You should have received a copy of the GNU Lesser General Public License * You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>. * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
* #L% * #L%
*/ */
package org.alfresco.encryption; package org.alfresco.encryption;
import static org.junit.Assert.assertTrue; import static org.junit.Assert.assertTrue;
@@ -37,6 +37,7 @@ import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom; import java.security.SecureRandom;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Collections; import java.util.Collections;
import java.util.HashSet;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import java.util.Properties; import java.util.Properties;
@@ -212,7 +213,7 @@ public class KeyStoreTests
TestAlfrescoKeyStore missingMainKeyStore = getKeyStore("main", "JCEKS", Collections.singletonMap(KeyProvider.ALIAS_METADATA, "metadata"), TestAlfrescoKeyStore missingMainKeyStore = getKeyStore("main", "JCEKS", Collections.singletonMap(KeyProvider.ALIAS_METADATA, "metadata"),
Collections.singletonMap(KeyProvider.ALIAS_METADATA, generateEncodedKey()), generateKeystoreName(), generateKeystoreName()); Collections.singletonMap(KeyProvider.ALIAS_METADATA, generateEncodedKey()), generateKeystoreName(), generateKeystoreName());
missingMainKeyStore.setKeysToValidate(new HashSet<>(Collections.singletonList("metadata")));
encryptionKeysRegistry.unregisterKey(KeyProvider.ALIAS_METADATA); encryptionKeysRegistry.unregisterKey(KeyProvider.ALIAS_METADATA);
keyStoreChecker.setMainKeyStore(missingMainKeyStore); keyStoreChecker.setMainKeyStore(missingMainKeyStore);
@@ -240,7 +241,7 @@ public class KeyStoreTests
// missing main keystore, missing backup keystore, metadata registered key -> error, re-instate the keystore // missing main keystore, missing backup keystore, metadata registered key -> error, re-instate the keystore
TestAlfrescoKeyStore missingMainKeyStore = getKeyStore("main", "JCEKS", Collections.singletonMap(KeyProvider.ALIAS_METADATA, "metadata"), TestAlfrescoKeyStore missingMainKeyStore = getKeyStore("main", "JCEKS", Collections.singletonMap(KeyProvider.ALIAS_METADATA, "metadata"),
null, generateKeystoreName(), generateKeystoreName()); null, generateKeystoreName(), generateKeystoreName());
missingMainKeyStore.setKeysToValidate(new HashSet<>(Collections.singletonList("metadata")));
assertTrue("", encryptionKeysRegistry.isKeyRegistered("metadata")); assertTrue("", encryptionKeysRegistry.isKeyRegistered("metadata"));
keyStoreChecker.setMainKeyStore(missingMainKeyStore); keyStoreChecker.setMainKeyStore(missingMainKeyStore);
@@ -268,6 +269,7 @@ public class KeyStoreTests
// create main keystore // create main keystore
TestAlfrescoKeyStore mainKeyStore = getKeyStore("main", "JCEKS", Collections.singletonMap(KeyProvider.ALIAS_METADATA, "metadata"), TestAlfrescoKeyStore mainKeyStore = getKeyStore("main", "JCEKS", Collections.singletonMap(KeyProvider.ALIAS_METADATA, "metadata"),
null, generateKeystoreName(), generateKeystoreName()); null, generateKeystoreName(), generateKeystoreName());
mainKeyStore.setKeysToValidate(new HashSet<>(Collections.singletonList("metadata")));
createAndPopulateKeyStore(mainKeyStore); createAndPopulateKeyStore(mainKeyStore);
// de-register metadata key // de-register metadata key
@@ -303,6 +305,7 @@ public class KeyStoreTests
TestAlfrescoKeyStore keyStore = getKeyStore("main", "JCEKS", Collections.singletonMap(KeyProvider.ALIAS_METADATA, "metadata"), TestAlfrescoKeyStore keyStore = getKeyStore("main", "JCEKS", Collections.singletonMap(KeyProvider.ALIAS_METADATA, "metadata"),
null, generateKeystoreName(), generateKeystoreName()); null, generateKeystoreName(), generateKeystoreName());
keyStore.setKeysToValidate(new HashSet<>(Collections.singletonList("metadata")));
createAndPopulateKeyStore(keyStore); createAndPopulateKeyStore(keyStore);
keyStoreChecker.setMainKeyStore(keyStore); keyStoreChecker.setMainKeyStore(keyStore);
@@ -358,6 +361,7 @@ public class KeyStoreTests
TestAlfrescoKeyStore keyStore = getKeyStore("main", "JCEKS", Collections.singletonMap(KeyProvider.ALIAS_METADATA, "metadata"), TestAlfrescoKeyStore keyStore = getKeyStore("main", "JCEKS", Collections.singletonMap(KeyProvider.ALIAS_METADATA, "metadata"),
null, generateKeystoreName(), generateKeystoreName()); null, generateKeystoreName(), generateKeystoreName());
keyStore.setKeysToValidate(new HashSet<>(Collections.singletonList("metadata")));
createAndPopulateKeyStore(keyStore); createAndPopulateKeyStore(keyStore);
try try

9
repository/src/test/resources/alfresco-global.properties
View File

@@ -52,9 +52,16 @@ mimetype.config.cronExpression=0 0 0 ? JAN * 1970
rendition.config.cronExpression=0 0 0 ? JAN * 1970 rendition.config.cronExpression=0 0 0 ? JAN * 1970
local.transform.service.cronExpression=0 0 0 ? JAN * 1970 local.transform.service.cronExpression=0 0 0 ? JAN * 1970
transform.service.cronExpression=0 0 0 ? JAN * 1970 transform.service.cronExpression=0 0 0 ? JAN * 1970
system.delete_not_exists.batchsize=100000 system.delete_not_exists.batchsize=100000
system.delete_not_exists.delete_batchsize=1000 system.delete_not_exists.delete_batchsize=1000
system.delete_not_exists.read_only=false system.delete_not_exists.read_only=false
system.delete_not_exists.timeout_seconds=-1 system.delete_not_exists.timeout_seconds=-1
system.prop_table_cleaner.algorithm=V2 system.prop_table_cleaner.algorithm=V2
# For testing only
encryption.keystore.keyMetaData.location=${dir.keystore}/keystore-passwords.properties
encryption.keyAlgorithm=DESede
encryption.cipherAlgorithm=DESede/CBC/PKCS5Padding
encryption.keystore.type=JCEKS
encryption.keystore.backup.type=JCEKS