risdenk commented on a change in pull request #60: KNOX-1418 - New KnoxShell 
command to build truststore using the gateway server's public certificate
URL: https://github.com/apache/knox/pull/60#discussion_r260768142
 
 

 ##########
 File path: 
gateway-shell/src/main/java/org/apache/knox/gateway/shell/KnoxSh.java
 ##########
 @@ -155,6 +171,84 @@ public boolean validate() {
     public abstract String getUsage();
   }
 
+  private class KnoxBuildTrustStore extends Command {
+
+    private static final String USAGE = "buildTrustStore --gateway server-url";
+    private static final String DESC = "Downloads the gateway server's public 
certificate and builds a trust store.";
+    private static final String GATEWAY_CERT_NOT_EXPORTED = "Finished work 
without building truststore";
+    private static final String GATEWAY_CERT_EXPORTED_MESSAGE_PREFIX = 
"Gateway server's certificate is exported into ";
+
+    @Override
+    public void execute() throws Exception {
+      String result = GATEWAY_CERT_NOT_EXPORTED;
+      try {
+        final X509Certificate gatewayServerPublicCert = 
fetchPublicCertFromGatewayServer();
+        if (gatewayServerPublicCert != null) {
+          final File trustStoreFile = 
Paths.get(System.getProperty("user.home"), 
KnoxSession.GATEWAY_CLIENT_TRUST).toFile();
+          X509CertificateUtil.writeCertificateToJks(gatewayServerPublicCert, 
trustStoreFile);
+          result = GATEWAY_CERT_EXPORTED_MESSAGE_PREFIX + 
trustStoreFile.getAbsolutePath();
+        }
+      } catch(Exception e) {
+        //NOP
+      }
+      out.println(result);
+    }
+
+    private X509Certificate fetchPublicCertFromGatewayServer() throws 
Exception {
+      final TrustManagerFactory trustManagerFactory = 
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+      trustManagerFactory.init((KeyStore) null);
+      final X509TrustManager defaultTrustManager = (X509TrustManager) 
trustManagerFactory.getTrustManagers()[0];
+      final CertificateChainAwareTrustManager trustManagerWithCertificateChain 
= new CertificateChainAwareTrustManager(defaultTrustManager);
+      final SSLContext sslContext = SSLContext.getInstance("TLS");
+      sslContext.init(null, new TrustManager[] { 
trustManagerWithCertificateChain }, null);
+
+      final URI uri = URI.create(gateway);
+      out.println("Opening connection to " + uri.getHost() + ":" + 
uri.getPort() + "...");
+      try (Socket socket = 
sslContext.getSocketFactory().createSocket(uri.getHost(), uri.getPort())) {
+        socket.setSoTimeout(10000);
+        out.println("Starting SSL handshake...");
+        ((SSLSocket) socket).startHandshake();
+        out.println("No errors, certificate is already trusted");
+        trustManagerWithCertificateChain.serverCertificateChain = null; //we 
already trust the given site's certs; it does not make sense to build a new 
truststore
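Review bot: The `catch(Exception e) { //NOP }` in `execute()` collapses every failure into `GATEWAY_CERT_NOT_EXPORTED`, so a user with a mistyped URL, an unreachable host, or an unwritable home directory gets the same message and no cause; at minimum report it, e.g. `out.println(result + " (" + e + ")");` instead of dropping the exception. Separately, the certificate written into `GATEWAY_CLIENT_TRUST` is whatever the peer presented on this single connection, so before `writeCertificateToJks` the command should print something the operator can verify out of band — the subject DN and a SHA-256 fingerprint of `gatewayServerPublicCert` — since a man-in-the-middle on that first connection would otherwise become permanently trusted without any visible sign. `uri.getPort()` returns -1 when the `--gateway` URL omits the port, which `createSocket(host, -1)` rejects with `IllegalArgumentException` and the NOP catch then hides; either default to 443 or fail with a clear message. Note that `socket.setSoTimeout(10000)` only bounds reads after the socket is already connected, so a hanging connect is not covered. The body of `fetchPublicCertFromGatewayServer` continues past the end of the quoted hunk.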
 
 Review comment:
  We could just return here instead of setting this to null and then doing the 
null check later?
