Repository: cloudstack Updated Branches: refs/heads/master 08a5ef7cc -> 70c79ad13
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/abfcd5b9/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/bco/BcoSocketWrapperImpl.java ---------------------------------------------------------------------- diff --git a/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/bco/BcoSocketWrapperImpl.java b/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/bco/BcoSocketWrapperImpl.java index eb5d7d0..3d6635c 100644 --- a/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/bco/BcoSocketWrapperImpl.java +++ b/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/bco/BcoSocketWrapperImpl.java @@ -16,23 +16,24 @@ // under the License. package streamer.bco; -import java.io.IOException; -import java.io.InputStream; -import java.io.OutputStream; -import java.security.SecureRandom; -import java.security.Security; - import org.apache.log4j.Logger; -import org.bouncycastle.asn1.x509.X509CertificateStructure; -import org.bouncycastle.crypto.tls.CertificateVerifyer; -import org.bouncycastle.crypto.tls.TlsProtocolHandler; +import org.bouncycastle.crypto.tls.Certificate; +import org.bouncycastle.crypto.tls.DefaultTlsClient; +import org.bouncycastle.crypto.tls.ServerOnlyTlsAuthentication; +import org.bouncycastle.crypto.tls.TlsAuthentication; +import org.bouncycastle.crypto.tls.TlsClientProtocol; import org.bouncycastle.jce.provider.BouncyCastleProvider; - import streamer.Direction; import streamer.Event; import streamer.SocketWrapperImpl; import streamer.ssl.SSLState; +import java.io.IOException; +import java.io.InputStream; +import java.io.OutputStream; +import java.security.SecureRandom; +import java.security.Security; + @SuppressWarnings("deprecation") public class BcoSocketWrapperImpl extends SocketWrapperImpl { private static final Logger s_logger = Logger.getLogger(BcoSocketWrapperImpl.class); 
@@ -41,7 +42,7 @@ public class BcoSocketWrapperImpl extends SocketWrapperImpl { Security.addProvider(new BouncyCastleProvider()); } - private TlsProtocolHandler bcoSslSocket; + private TlsClientProtocol bcoSslSocket; public BcoSocketWrapperImpl(String id, SSLState sslState) { super(id, sslState); @@ -60,25 +61,25 @@ public class BcoSocketWrapperImpl extends SocketWrapperImpl { try { SecureRandom secureRandom = new SecureRandom(); - bcoSslSocket = new TlsProtocolHandler(socket.getInputStream(), socket.getOutputStream(), secureRandom); - - CertificateVerifyer client = new CertificateVerifyer() { + bcoSslSocket = new TlsClientProtocol(socket.getInputStream(), socket.getOutputStream(), secureRandom); + bcoSslSocket.connect(new DefaultTlsClient() { @Override - public boolean isValid(X509CertificateStructure[] chain) { - - try { - if (sslState != null) { - sslState.serverCertificateSubjectPublicKeyInfo = chain[0].getSubjectPublicKeyInfo().getEncoded(); + public TlsAuthentication getAuthentication() throws IOException { + return new ServerOnlyTlsAuthentication() { + @Override + public void notifyServerCertificate(final Certificate certificate) throws IOException { + try { + if (sslState != null) { + sslState.serverCertificateSubjectPublicKeyInfo = certificate.getCertificateAt(0).getSubjectPublicKeyInfo().getEncoded(); + } + } catch (IOException e) { + throw new RuntimeException("Cannot get server public key.", e); + } } - } catch (IOException e) { - throw new RuntimeException("Cannot get server public key.", e); - } - - return true; + }; } - }; - bcoSslSocket.connect(client); + }); InputStream sis = bcoSslSocket.getInputStream(); source.setInputStream(sis); http://git-wip-us.apache.org/repos/asf/cloudstack/blob/abfcd5b9/tools/travis/before_script.sh ---------------------------------------------------------------------- diff --git a/tools/travis/before_script.sh b/tools/travis/before_script.sh index bbfc447..5b649dc 100755 --- a/tools/travis/before_script.sh 
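Review bot: notifyServerCertificate in the new TlsClientProtocol path records the server's SubjectPublicKeyInfo into sslState but never rejects anything, so the handshake completes against whatever certificate the server presents, exactly as the old isValid() did by returning true; if the recorded key is compared against an expected value elsewhere via sslState, that contract should be stated in a comment on the callback, and if it is not, the comparison belongs here with a `throw new TlsFatalAlert(AlertDescription.bad_certificate);` on mismatch. Independently, `certificate.getCertificateAt(0)` is reached without checking that the chain is non-empty, so an empty Certificate message would most likely surface as an index error rather than a clean TLS alert; guard it with `if (certificate == null || certificate.isEmpty()) { throw new TlsFatalAlert(AlertDescription.bad_certificate); }` before the lookup. The enclosing method starts before this hunk and continues past `source.setInputStream(sis);`.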
+++ b/tools/travis/before_script.sh @@ -20,7 +20,7 @@ # export MAVEN_OPTS="-Xmx4096m -XX:MaxPermSize=800m -Djava.security.egd=file:/dev/urandom" echo -e "\nStarting simulator" -mvn -Dsimulator -pl :cloud-client-ui jetty:run 2>&1 > /tmp/jetty-log & +mvn -Dsimulator -Dorg.eclipse.jetty.annotations.maxWait=120 -pl :cloud-client-ui jetty:run 2>&1 > /tmp/jetty-log & while ! nc -vzw 5 localhost 8096 2>&1 > /dev/null; do grep Exception /tmp/jetty-log; sleep 10; done echo -e "\nStarting DataCenter deployment" http://git-wip-us.apache.org/repos/asf/cloudstack/blob/abfcd5b9/utils/pom.xml ---------------------------------------------------------------------- diff --git a/utils/pom.xml b/utils/pom.xml index ae1bf23..fcc0378 100755 --- a/utils/pom.xml +++ b/utils/pom.xml @@ -106,7 +106,7 @@ </dependency> <dependency> <groupId>javax.servlet</groupId> - <artifactId>servlet-api</artifactId> + <artifactId>javax.servlet-api</artifactId> <scope>provided</scope> </dependency> <!-- Test dependency in mysql for db tests --> http://git-wip-us.apache.org/repos/asf/cloudstack/blob/abfcd5b9/utils/src/main/java/com/cloud/utils/PasswordGenerator.java ---------------------------------------------------------------------- diff --git a/utils/src/main/java/com/cloud/utils/PasswordGenerator.java b/utils/src/main/java/com/cloud/utils/PasswordGenerator.java index 3ba54f2..3b6aa14 100644 --- a/utils/src/main/java/com/cloud/utils/PasswordGenerator.java +++ b/utils/src/main/java/com/cloud/utils/PasswordGenerator.java @@ -19,7 +19,10 @@ package com.cloud.utils; +import org.bouncycastle.jce.provider.BouncyCastleProvider; + import java.security.SecureRandom; +import java.security.Security; import java.util.ArrayList; import java.util.Collections; import java.util.List; 
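Review bot: The rewritten mvn line keeps `2>&1 > /tmp/jetty-log`, which sends stderr to the terminal before stdout is pointed at the file, so only stdout ever reaches the log; the `grep Exception /tmp/jetty-log` in the wait loop therefore cannot see anything Maven or Jetty writes to stderr. Swapping the order, `mvn -Dsimulator -Dorg.eclipse.jetty.annotations.maxWait=120 -pl :cloud-client-ui jetty:run > /tmp/jetty-log 2>&1 &`, captures both streams. The nc line in the loop has the same ordering, where nc's -v output (written to stderr) likewise escapes to the console instead of /dev/null.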
@@ -40,6 +43,13 @@ public class PasswordGenerator { static private int minLength = 3; + static { + BouncyCastleProvider provider = new BouncyCastleProvider(); + if (Security.getProvider(provider.getName()) == null) { + Security.addProvider(provider); + } + } + public static String generateRandomPassword(int num) { Random r = new SecureRandom(); StringBuilder password = new StringBuilder(); http://git-wip-us.apache.org/repos/asf/cloudstack/blob/abfcd5b9/utils/src/main/java/com/cloud/utils/security/CertificateHelper.java ---------------------------------------------------------------------- diff --git a/utils/src/main/java/com/cloud/utils/security/CertificateHelper.java b/utils/src/main/java/com/cloud/utils/security/CertificateHelper.java index d43542f..3e70dda 100644 --- a/utils/src/main/java/com/cloud/utils/security/CertificateHelper.java +++ b/utils/src/main/java/com/cloud/utils/security/CertificateHelper.java @@ -19,6 +19,13 @@ package com.cloud.utils.security; +import com.cloud.utils.Ternary; +import com.google.common.base.Preconditions; +import com.google.common.base.Strings; +import org.apache.commons.codec.binary.Base64; +import org.bouncycastle.util.io.pem.PemObject; +import org.bouncycastle.util.io.pem.PemReader; + import java.io.BufferedInputStream; import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; 
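Review bot: The new static initializer registers BouncyCastle JVM-wide as a side effect of loading PasswordGenerator, but nothing visible in the class uses it: `new SecureRandom()` on the following line selects the highest-priority provider and `Security.addProvider` appends at the lowest, so the block does not change which RNG the generator gets. A comment should name what actually depends on the provider, e.g. `// Registers BouncyCastle JVM-wide (lowest priority); generateRandomPassword's SecureRandom is unaffected. Needed by: <consumer of the BC provider — to be confirmed>`. The `Security.getProvider` guard is redundant because `addProvider` returns -1 without installing when a provider of that name is already present, so `Security.addProvider(new BouncyCastleProvider());` alone would do; keeping the guard is harmless but worth a word so the next reader does not assume it prevents a double registration that the API already prevents.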
@@ -40,124 +47,143 @@ import java.security.spec.PKCS8EncodedKeySpec; import java.util.ArrayList; import java.util.List; -import com.cloud.utils.exception.CloudRuntimeException; -import org.apache.commons.codec.binary.Base64; +public class CertificateHelper { + public static byte[] buildAndSaveKeystore(final String alias, final String cert, final String privateKey, final String storePassword) throws KeyStoreException, CertificateException, + NoSuchAlgorithmException, InvalidKeySpecException, IOException { + Preconditions.checkArgument(!Strings.isNullOrEmpty(alias), "Certificate alias cannot be blank"); + Preconditions.checkArgument(!Strings.isNullOrEmpty(cert), "Certificate cannot be blank"); + Preconditions.checkArgument(!Strings.isNullOrEmpty(privateKey), "Private key cannot be blank"); -import com.cloud.utils.Ternary; -import org.bouncycastle.openssl.PEMReader; + final KeyStore ks = buildKeystore(alias, cert, privateKey, storePassword); -public class CertificateHelper { - public static byte[] buildAndSaveKeystore(String alias, String cert, String privateKey, String storePassword) throws KeyStoreException, CertificateException, - NoSuchAlgorithmException, InvalidKeySpecException, IOException { - KeyStore ks = buildKeystore(alias, cert, privateKey, storePassword); - - ByteArrayOutputStream os = new ByteArrayOutputStream(); - ks.store(os, storePassword != null ? storePassword.toCharArray() : null); - os.close(); - return os.toByteArray(); + try (final ByteArrayOutputStream os = new ByteArrayOutputStream()) { + ks.store(os, storePassword != null ? storePassword.toCharArray() : null); + return os.toByteArray(); + } } - public static byte[] buildAndSaveKeystore(List<Ternary<String, String, String>> certs, String storePassword) throws KeyStoreException, NoSuchAlgorithmException, - CertificateException, IOException, InvalidKeySpecException { - KeyStore ks = KeyStore.getInstance("JKS"); - ks.load(null, storePassword != null ? 
storePassword.toCharArray() : null); + public static byte[] buildAndSaveKeystore(final List<Ternary<String, String, String>> certs, final String storePassword) throws KeyStoreException, NoSuchAlgorithmException, + CertificateException, IOException, InvalidKeySpecException { + Preconditions.checkNotNull(certs, "List of certificates to be saved in keystore cannot be null"); + char password[] = null; + if (storePassword != null) { + password = storePassword.toCharArray(); + } + final KeyStore ks = KeyStore.getInstance("JKS"); + ks.load(null, password); //name,cert,key - for (Ternary<String, String, String> cert : certs) { + for (final Ternary<String, String, String> cert : certs) { if (cert.third() == null) { - Certificate c = buildCertificate(cert.second()); + final Certificate c = buildCertificate(cert.second()); ks.setCertificateEntry(cert.first(), c); } else { - Certificate[] c = new Certificate[certs.size()]; + final Certificate[] c = new Certificate[certs.size()]; int i = certs.size(); - for (Ternary<String, String, String> ct : certs) { + for (final Ternary<String, String, String> ct : certs) { c[i - 1] = buildCertificate(ct.second()); i--; } - ks.setKeyEntry(cert.first(), buildPrivateKey(cert.third()), storePassword != null ? storePassword.toCharArray() : null, c); + ks.setKeyEntry(cert.first(), buildPrivateKey(cert.third()), password, c); } } - ByteArrayOutputStream os = new ByteArrayOutputStream(); - ks.store(os, storePassword != null ? storePassword.toCharArray() : null); - os.close(); - return os.toByteArray(); + try (final ByteArrayOutputStream os = new ByteArrayOutputStream()) { + ks.store(os, password); + return os.toByteArray(); + } } - public static KeyStore loadKeystore(byte[] ksData, String storePassword) throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException { - assert (ksData != null); - KeyStore ks = KeyStore.getInstance("JKS"); - ks.load(new ByteArrayInputStream(ksData), storePassword != null ? 
storePassword.toCharArray() : null); + public static KeyStore loadKeystore(final byte[] ksData, final String storePassword) throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException { + Preconditions.checkNotNull(ksData, "Keystore data cannot be null"); + final KeyStore ks = KeyStore.getInstance("JKS"); + try (final ByteArrayInputStream is = new ByteArrayInputStream(ksData)) { + ks.load(is, storePassword != null ? storePassword.toCharArray() : null); + } return ks; } - public static KeyStore buildKeystore(String alias, String cert, String privateKey, String storePassword) throws KeyStoreException, CertificateException, - NoSuchAlgorithmException, InvalidKeySpecException, IOException { + public static KeyStore buildKeystore(final String alias, final String cert, final String privateKey, final String storePassword) throws KeyStoreException, CertificateException, + NoSuchAlgorithmException, InvalidKeySpecException, IOException { + Preconditions.checkArgument(!Strings.isNullOrEmpty(alias), "Certificate alias cannot be blank"); + Preconditions.checkArgument(!Strings.isNullOrEmpty(cert), "Certificate cannot be blank"); + Preconditions.checkArgument(!Strings.isNullOrEmpty(privateKey), "Private key cannot be blank"); - KeyStore ks = KeyStore.getInstance("JKS"); - ks.load(null, storePassword != null ? storePassword.toCharArray() : null); - Certificate[] certs = new Certificate[1]; + char password[] = null; + if (storePassword != null) { + password = storePassword.toCharArray(); + } + final KeyStore ks = KeyStore.getInstance("JKS"); + ks.load(null, password); + final Certificate[] certs = new Certificate[1]; certs[0] = buildCertificate(cert); - ks.setKeyEntry(alias, buildPrivateKey(privateKey), storePassword != null ? 
storePassword.toCharArray() : null, certs); + ks.setKeyEntry(alias, buildPrivateKey(privateKey), password, certs); return ks; } - public static Certificate buildCertificate(String content) throws CertificateException { - assert (content != null); + public static Certificate buildCertificate(final String content) throws CertificateException { + Preconditions.checkNotNull(content, "Certificate content cannot be null"); - BufferedInputStream bis = new BufferedInputStream(new ByteArrayInputStream(content.getBytes())); - CertificateFactory cf = CertificateFactory.getInstance("X.509"); + final BufferedInputStream bis = new BufferedInputStream(new ByteArrayInputStream(content.getBytes())); + final CertificateFactory cf = CertificateFactory.getInstance("X.509"); return cf.generateCertificate(bis); } - public static Key buildPrivateKey(String base64EncodedKeyContent) throws NoSuchAlgorithmException, InvalidKeySpecException, IOException { - KeyFactory kf = KeyFactory.getInstance("RSA"); - PKCS8EncodedKeySpec keysp = new PKCS8EncodedKeySpec(Base64.decodeBase64(base64EncodedKeyContent)); + public static Key buildPrivateKey(final String base64EncodedKeyContent) throws NoSuchAlgorithmException, InvalidKeySpecException, IOException { + Preconditions.checkNotNull(base64EncodedKeyContent); + + final KeyFactory kf = KeyFactory.getInstance("RSA"); + final PKCS8EncodedKeySpec keysp = new PKCS8EncodedKeySpec(Base64.decodeBase64(base64EncodedKeyContent)); return kf.generatePrivate(keysp); } - public static List<Certificate> parseChain(String chain) throws IOException { + public static List<Certificate> parseChain(final String chain) throws IOException, CertificateException { + Preconditions.checkNotNull(chain); - List<Certificate> certs = new ArrayList<Certificate>(); - PEMReader reader = new PEMReader(new StringReader(chain)); + final List<Certificate> certs = new ArrayList<Certificate>(); + try(final PemReader pemReader = new PemReader(new StringReader(chain));) + { + final PemObject 
pemObject = pemReader.readPemObject(); + final CertificateFactory certificateFactory = CertificateFactory.getInstance("X509"); + final ByteArrayInputStream bais = new ByteArrayInputStream(pemObject.getContent()); - Certificate crt = null; - - while ((crt = (Certificate)reader.readObject()) != null) { - if (crt instanceof X509Certificate) { - certs.add(crt); + for (final Certificate cert : certificateFactory.generateCertificates(bais)) { + if (cert instanceof X509Certificate) { + certs.add(cert); + } + } + if (certs.isEmpty()) { + throw new IllegalStateException("Unable to decode certificate chain"); } } - if (certs.size() == 0) - throw new IllegalArgumentException("Unable to decode certificate chain"); - return certs; } - public static String generateFingerPrint(Certificate cert) { + public static String generateFingerPrint(final Certificate cert) { + Preconditions.checkNotNull(cert, "Certificate cannot be null"); final char[] HEX = {'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'A', 'B', 'C', 'D', 'E', 'F'}; - StringBuilder buffer = new StringBuilder(60); + final StringBuilder buffer = new StringBuilder(60); try { - MessageDigest md = MessageDigest.getInstance("SHA-1"); - byte[] data = md.digest(cert.getEncoded()); + final MessageDigest md = MessageDigest.getInstance("SHA-256"); + final byte[] data = md.digest(cert.getEncoded()); - for (int i = 0; i < data.length; i++) { + for (final byte element : data) { if (buffer.length() > 0) { buffer.append(":"); } - buffer.append(HEX[(0xF0 & data[i]) >>> 4]); - buffer.append(HEX[0x0F & data[i]]); + buffer.append(HEX[(0xF0 & element) >>> 4]); + buffer.append(HEX[0x0F & element]); } - } catch (CertificateEncodingException e) { - throw new CloudRuntimeException("Bad certificate encoding"); - } catch (NoSuchAlgorithmException e) { - throw new CloudRuntimeException("Bad certificate algorithm"); + } catch (final CertificateEncodingException e) { + throw new IllegalStateException("Bad certificate encoding"); + } catch (final 
NoSuchAlgorithmException e) { + throw new IllegalStateException("Bad certificate algorithm"); } return buffer.toString();