[jira] [Work logged] (KNOX-1418) Knox Shell command for downloading the public cert from a Knox instance

[ASF GitHub Bot (JIRA)]

     [ 
https://issues.apache.org/jira/browse/KNOX-1418?focusedWorklogId=205016&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-205016
 ]

ASF GitHub Bot logged work on KNOX-1418:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 27/Feb/19 06:55
            Start Date: 27/Feb/19 06:55
    Worklog Time Spent: 10m 
      Work Description: smolnar82 commented on pull request #60: KNOX-1418 - 
New KnoxShell command to build truststore using the gateway server's public 
certificate
URL: https://github.com/apache/knox/pull/60#discussion_r260613558
 
 

 ##########
 File path: 
gateway-shell/src/main/java/org/apache/knox/gateway/shell/KnoxSh.java
 ##########
 @@ -155,6 +170,81 @@ public boolean validate() {
     public abstract String getUsage();
   }
 
+  private class KnoxBuildTrustStore extends Command {
+
+    private static final String USAGE = "buildTrustStore --gateway server-url";
+    private static final String DESC = "Downloads the gateway server's public 
certificate and builds a trust store.";
+    private static final String CLIENT_TRUST_STORE_FILE_NAME = 
"gateway-client-trust.jks";
+
+    @Override
+    public void execute() throws Exception {
+      final X509Certificate gatewayServerPublicCert = 
fetchPublicCertFromGatewayServer();
+      if (gatewayServerPublicCert != null) {
+        final File trustStoreFile = new File(System.getProperty("user.home"), 
CLIENT_TRUST_STORE_FILE_NAME);
+        X509CertificateUtil.writeCertificateToJks(gatewayServerPublicCert, 
trustStoreFile);
+        out.println("Gateway server's certificate is exported into " + 
trustStoreFile.getAbsolutePath());
+      } else {
+        out.println("Could not obtain server certificate chain");
+      }
+    }
+
+    private X509Certificate fetchPublicCertFromGatewayServer() throws 
Exception {
+      final TrustManagerFactory trustManagerFactory = 
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+      trustManagerFactory.init((KeyStore) null);
+      final X509TrustManager defaultTrustManager = (X509TrustManager) 
trustManagerFactory.getTrustManagers()[0];
+      final CertificateChainAwareTrustManager trustManagerWithCertificateChain 
= new CertificateChainAwareTrustManager(defaultTrustManager);
+      final SSLContext sslContext = SSLContext.getInstance("TLS");
+      sslContext.init(null, new TrustManager[] { 
trustManagerWithCertificateChain }, null);
+
+      final URI uri = URI.create(gateway);
+      out.println("Opening connection to " + uri.getHost() + ":" + 
uri.getPort() + "...");
+      final SSLSocket socket = (SSLSocket) 
sslContext.getSocketFactory().createSocket(uri.getHost(), uri.getPort());
+      socket.setSoTimeout(10000);
+      try {
+        out.println("Starting SSL handshake...");
+        socket.startHandshake();
+        socket.close();
+        out.println();
+        out.println("No errors, certificate is already trusted");
+      } catch (SSLException e) {
+        // NOP; this is expected in case the gateway server's certificate is 
not in the trust store the JVM uses
+        out.println("SSL exception; found non-trusted certificate");
+      }
+
+      return trustManagerWithCertificateChain.certificateChain == null ? null 
: trustManagerWithCertificateChain.certificateChain[0];
+    }
+
+    @Override
+    public String getUsage() {
+      return USAGE + ":\n\n" + DESC;
+    }
+
+    private class CertificateChainAwareTrustManager implements 
X509TrustManager {
+      private final X509TrustManager defaultTrustManager;
+      private X509Certificate[] certificateChain;
+
+      CertificateChainAwareTrustManager(X509TrustManager tm) {
+        this.defaultTrustManager = tm;
+      }
+
+      @Override
+      public X509Certificate[] getAcceptedIssuers() {
+        throw new UnsupportedOperationException();
+      }
+
+      @Override
+      public void checkClientTrusted(X509Certificate[] chain, String authType) 
throws CertificateException {
+        throw new UnsupportedOperationException();
 
 Review comment:
   Yes; I'll fix it.
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


Issue Time Tracking
-------------------

    Worklog Id:     (was: 205016)
    Time Spent: 2h 20m  (was: 2h 10m)

> Knox Shell command for downloading the public cert from a Knox instance
> -----------------------------------------------------------------------
>
>                 Key: KNOX-1418
>                 URL: https://issues.apache.org/jira/browse/KNOX-1418
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: KnoxShell
>    Affects Versions: 1.1.0
>            Reporter: Phil Zampino
>            Assignee: Sandor Molnar
>            Priority: Major
>             Fix For: 1.3.0
>
>          Time Spent: 2h 20m
>  Remaining Estimate: 0h
>
> To support the containerization of Knox, it would be helpful to have a 
> KnoxShell command for getting the public cert from a Knox instance 
> (equivalent to the knoxcli export-cert command, but remote).



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)