geode-junit/src/main/java/org/apache/geode/cache/ssl/CertStores.java - geode - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
  * agreements. See the NOTICE file distributed with this work for additional information regarding
  * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance with the License. You may obtain a
  * copy of the License at
  *
  * http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License
  * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
  * or implied. See the License for the specific language governing permissions and limitations under
  * the License.
  */
 package org.apache.geode.cache.ssl;

 import static org.apache.geode.distributed.ConfigurationProperties.SSL_CIPHERS;
 import static org.apache.geode.distributed.ConfigurationProperties.SSL_ENABLED_COMPONENTS;
 import static org.apache.geode.distributed.ConfigurationProperties.SSL_ENDPOINT_IDENTIFICATION_ENABLED;
 import static org.apache.geode.distributed.ConfigurationProperties.SSL_KEYSTORE;
 import static org.apache.geode.distributed.ConfigurationProperties.SSL_KEYSTORE_PASSWORD;
 import static org.apache.geode.distributed.ConfigurationProperties.SSL_KEYSTORE_TYPE;
 import static org.apache.geode.distributed.ConfigurationProperties.SSL_PROTOCOLS;
 import static org.apache.geode.distributed.ConfigurationProperties.SSL_REQUIRE_AUTHENTICATION;
 import static org.apache.geode.distributed.ConfigurationProperties.SSL_TRUSTSTORE;
 import static org.apache.geode.distributed.ConfigurationProperties.SSL_TRUSTSTORE_PASSWORD;
 import static org.apache.geode.distributed.ConfigurationProperties.SSL_TRUSTSTORE_TYPE;

 import java.io.EOFException;
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.nio.file.Files;
 import java.nio.file.Paths;
 import java.security.GeneralSecurityException;
 import java.security.KeyStore;
 import java.security.cert.Certificate;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Properties;

 /**
  * The {@code CertStores} class encapsulates the key and trust stores typically used by various
  * components in a Geode cluster. It currently supports certificate collections for servers,
  * locators and clients. All certificates are signed by a single Root Certificate Authority.
  */
 public class CertStores {
   private final String storePrefix;

   // Contents of keystore
   private Map<String, CertificateMaterial> keyStoreEntries = new HashMap<>();

   // Contents of truststore
   private Map<String, CertificateMaterial> trustedCerts = new HashMap<>();

   private String trustStorePassword = "password";
   private String keyStorePassword = "password";

   public static CertStores locatorStore() {
     return new CertStores("locator");
   }

   public static CertStores serverStore() {
     return new CertStores("server");
   }

   public static CertStores clientStore() {
     return new CertStores("client");
   }

   public CertStores(String storePrefix) {
     this.storePrefix = storePrefix;
   }

   public CertStores withCertificate(String alias, CertificateMaterial material) {
     keyStoreEntries.put(alias, material);
     return this;
   }

   public CertStores trust(String alias, CertificateMaterial material) {
     this.trustedCerts.put(alias, material);
     return this;
   }

   public Properties propertiesWith(String components)
       throws GeneralSecurityException, IOException {
     return this.propertiesWith(components, "any", "any", true, true);
   }

   public Properties propertiesWith(String components, boolean requireAuth,
       boolean endPointIdentification)
       throws GeneralSecurityException, IOException {
     return this.propertiesWith(components, "any", "any", requireAuth, endPointIdentification);
   }

   public Properties propertiesWith(String components, String protocols,
       String ciphers, boolean requireAuth, boolean endPointIdentification)
       throws GeneralSecurityException, IOException {
     File trustStoreFile = File.createTempFile(storePrefix + "-TS-", ".jks");
     trustStoreFile.deleteOnExit();
     createTrustStore(trustStoreFile.getPath(), trustStorePassword);

     File keyStoreFile = File.createTempFile(storePrefix + "-KS-", ".jks");
     keyStoreFile.deleteOnExit();
     createKeyStore(keyStoreFile.getPath(), keyStorePassword);

     return propertiesWith(components, protocols, ciphers, trustStoreFile, keyStoreFile, requireAuth,
         endPointIdentification);
   }

   private Properties propertiesWith(String components, String protocols, String ciphers,
       File trustStoreFile, File keyStoreFile, boolean requireAuth, boolean endPointVerification) {

     Properties sslConfigs = new Properties();
     sslConfigs.setProperty(SSL_ENABLED_COMPONENTS, components);
     sslConfigs.setProperty(SSL_KEYSTORE, keyStoreFile.getPath());
     sslConfigs.setProperty(SSL_KEYSTORE_TYPE, "JKS");
     sslConfigs.setProperty(SSL_KEYSTORE_PASSWORD, keyStorePassword);
     sslConfigs.setProperty(SSL_TRUSTSTORE, trustStoreFile.getPath());
     sslConfigs.setProperty(SSL_TRUSTSTORE_PASSWORD, trustStorePassword);
     sslConfigs.setProperty(SSL_TRUSTSTORE_TYPE, "JKS");
     sslConfigs.setProperty(SSL_PROTOCOLS, protocols);
     sslConfigs.setProperty(SSL_CIPHERS, ciphers);
     sslConfigs.setProperty(SSL_REQUIRE_AUTHENTICATION, String.valueOf(requireAuth));
     sslConfigs.setProperty(SSL_ENDPOINT_IDENTIFICATION_ENABLED,
         String.valueOf(endPointVerification));

     return sslConfigs;
   }

   private void createTrustStore(String filename, String password)
       throws GeneralSecurityException, IOException {
     KeyStore ks = KeyStore.getInstance("JKS");
     try (InputStream in = Files.newInputStream(Paths.get(filename))) {
       ks.load(in, password.toCharArray());
     } catch (EOFException e) {
       ks = createEmptyKeyStore();
     }
     for (Map.Entry<String, CertificateMaterial> cert : trustedCerts.entrySet()) {
       ks.setCertificateEntry(cert.getKey(), cert.getValue().getCertificate());
     }

     try (OutputStream out = Files.newOutputStream(Paths.get(filename))) {
       ks.store(out, password.toCharArray());
     }
   }

   private void createKeyStore(String filename, String password)
       throws GeneralSecurityException, IOException {
     KeyStore ks = createEmptyKeyStore();

     for (Map.Entry<String, CertificateMaterial> entry : keyStoreEntries.entrySet()) {
       CertificateMaterial cert = entry.getValue();

       List<Certificate> chain = new ArrayList<>();
       chain.add(cert.getCertificate());

       cert.getIssuer().ifPresent(chain::add);

       ks.setKeyEntry(entry.getKey(), cert.getPrivateKey(), password.toCharArray(),
           chain.toArray(new Certificate[] {}));
     }
     try (OutputStream out = Files.newOutputStream(Paths.get(filename))) {
       ks.store(out, password.toCharArray());
     }
   }


   private KeyStore createEmptyKeyStore() throws GeneralSecurityException, IOException {
     KeyStore ks = KeyStore.getInstance("JKS");
     ks.load(null, null); // initialize
     return ks;
   }

 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one or more contributor license
	* agreements. See the NOTICE file distributed with this work for additional information regarding
	* copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance with the License. You may obtain a
	* copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software distributed under the License
	* is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
	* or implied. See the License for the specific language governing permissions and limitations under
	* the License.
	*/
	package org.apache.geode.cache.ssl;

	import static org.apache.geode.distributed.ConfigurationProperties.SSL_CIPHERS;
	import static org.apache.geode.distributed.ConfigurationProperties.SSL_ENABLED_COMPONENTS;
	import static org.apache.geode.distributed.ConfigurationProperties.SSL_ENDPOINT_IDENTIFICATION_ENABLED;
	import static org.apache.geode.distributed.ConfigurationProperties.SSL_KEYSTORE;
	import static org.apache.geode.distributed.ConfigurationProperties.SSL_KEYSTORE_PASSWORD;
	import static org.apache.geode.distributed.ConfigurationProperties.SSL_KEYSTORE_TYPE;
	import static org.apache.geode.distributed.ConfigurationProperties.SSL_PROTOCOLS;
	import static org.apache.geode.distributed.ConfigurationProperties.SSL_REQUIRE_AUTHENTICATION;
	import static org.apache.geode.distributed.ConfigurationProperties.SSL_TRUSTSTORE;
	import static org.apache.geode.distributed.ConfigurationProperties.SSL_TRUSTSTORE_PASSWORD;
	import static org.apache.geode.distributed.ConfigurationProperties.SSL_TRUSTSTORE_TYPE;

	import java.io.EOFException;
	import java.io.File;
	import java.io.IOException;
	import java.io.InputStream;
	import java.io.OutputStream;
	import java.nio.file.Files;
	import java.nio.file.Paths;
	import java.security.GeneralSecurityException;
	import java.security.KeyStore;
	import java.security.cert.Certificate;
	import java.util.ArrayList;
	import java.util.HashMap;
	import java.util.List;
	import java.util.Map;
	import java.util.Properties;

	/**
	* The {@code CertStores} class encapsulates the key and trust stores typically used by various
	* components in a Geode cluster. It currently supports certificate collections for servers,
	* locators and clients. All certificates are signed by a single Root Certificate Authority.
	*/
	public class CertStores {
	private final String storePrefix;

	// Contents of keystore
	private Map<String, CertificateMaterial> keyStoreEntries = new HashMap<>();

	// Contents of truststore
	private Map<String, CertificateMaterial> trustedCerts = new HashMap<>();

	private String trustStorePassword = "password";
	private String keyStorePassword = "password";

	public static CertStores locatorStore() {
	return new CertStores("locator");
	}

	public static CertStores serverStore() {
	return new CertStores("server");
	}

	public static CertStores clientStore() {
	return new CertStores("client");
	}

	public CertStores(String storePrefix) {
	this.storePrefix = storePrefix;
	}

	public CertStores withCertificate(String alias, CertificateMaterial material) {
	keyStoreEntries.put(alias, material);
	return this;
	}

	public CertStores trust(String alias, CertificateMaterial material) {
	this.trustedCerts.put(alias, material);
	return this;
	}

	public Properties propertiesWith(String components)
	throws GeneralSecurityException, IOException {
	return this.propertiesWith(components, "any", "any", true, true);
	}

	public Properties propertiesWith(String components, boolean requireAuth,
	boolean endPointIdentification)
	throws GeneralSecurityException, IOException {
	return this.propertiesWith(components, "any", "any", requireAuth, endPointIdentification);
	}

	public Properties propertiesWith(String components, String protocols,
	String ciphers, boolean requireAuth, boolean endPointIdentification)
	throws GeneralSecurityException, IOException {
	File trustStoreFile = File.createTempFile(storePrefix + "-TS-", ".jks");
	trustStoreFile.deleteOnExit();
	createTrustStore(trustStoreFile.getPath(), trustStorePassword);

	File keyStoreFile = File.createTempFile(storePrefix + "-KS-", ".jks");
	keyStoreFile.deleteOnExit();
	createKeyStore(keyStoreFile.getPath(), keyStorePassword);

	return propertiesWith(components, protocols, ciphers, trustStoreFile, keyStoreFile, requireAuth,
	endPointIdentification);
	}

	private Properties propertiesWith(String components, String protocols, String ciphers,
	File trustStoreFile, File keyStoreFile, boolean requireAuth, boolean endPointVerification) {

	Properties sslConfigs = new Properties();
	sslConfigs.setProperty(SSL_ENABLED_COMPONENTS, components);
	sslConfigs.setProperty(SSL_KEYSTORE, keyStoreFile.getPath());
	sslConfigs.setProperty(SSL_KEYSTORE_TYPE, "JKS");
	sslConfigs.setProperty(SSL_KEYSTORE_PASSWORD, keyStorePassword);
	sslConfigs.setProperty(SSL_TRUSTSTORE, trustStoreFile.getPath());
	sslConfigs.setProperty(SSL_TRUSTSTORE_PASSWORD, trustStorePassword);
	sslConfigs.setProperty(SSL_TRUSTSTORE_TYPE, "JKS");
	sslConfigs.setProperty(SSL_PROTOCOLS, protocols);
	sslConfigs.setProperty(SSL_CIPHERS, ciphers);
	sslConfigs.setProperty(SSL_REQUIRE_AUTHENTICATION, String.valueOf(requireAuth));
	sslConfigs.setProperty(SSL_ENDPOINT_IDENTIFICATION_ENABLED,
	String.valueOf(endPointVerification));

	return sslConfigs;
	}

	private void createTrustStore(String filename, String password)
	throws GeneralSecurityException, IOException {
	KeyStore ks = KeyStore.getInstance("JKS");
	try (InputStream in = Files.newInputStream(Paths.get(filename))) {
	ks.load(in, password.toCharArray());
	} catch (EOFException e) {
	ks = createEmptyKeyStore();
	}
	for (Map.Entry<String, CertificateMaterial> cert : trustedCerts.entrySet()) {
	ks.setCertificateEntry(cert.getKey(), cert.getValue().getCertificate());
	}

	try (OutputStream out = Files.newOutputStream(Paths.get(filename))) {
	ks.store(out, password.toCharArray());
	}
	}

	private void createKeyStore(String filename, String password)
	throws GeneralSecurityException, IOException {
	KeyStore ks = createEmptyKeyStore();

	for (Map.Entry<String, CertificateMaterial> entry : keyStoreEntries.entrySet()) {
	CertificateMaterial cert = entry.getValue();

	List<Certificate> chain = new ArrayList<>();
	chain.add(cert.getCertificate());

	cert.getIssuer().ifPresent(chain::add);

	ks.setKeyEntry(entry.getKey(), cert.getPrivateKey(), password.toCharArray(),
	chain.toArray(new Certificate[] {}));
	}
	try (OutputStream out = Files.newOutputStream(Paths.get(filename))) {
	ks.store(out, password.toCharArray());
	}
	}


	private KeyStore createEmptyKeyStore() throws GeneralSecurityException, IOException {
	KeyStore ks = KeyStore.getInstance("JKS");
	ks.load(null, null); // initialize
	return ks;
	}

	}