[
https://issues.apache.org/jira/browse/CLOUDSTACK-9632?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15710072#comment-15710072
]
ASF GitHub Bot commented on CLOUDSTACK-9632:
--------------------------------------------
Github user jburwell commented on a diff in the pull request:
https://github.com/apache/cloudstack/pull/1799#discussion_r90342302
--- Diff: server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java
---
@@ -339,190 +348,182 @@ public SslCertResponse createCertResponse(SslCertVO
cert, List<LoadBalancerCertM
return response;
}
- private void validateCert(Certificate cert, boolean chainPresent) {
+ private void validateCert(final Certificate cert, final boolean
chainPresent) {
- if (!(cert instanceof X509Certificate))
+ if (!(cert instanceof X509Certificate)) {
throw new IllegalArgumentException("Invalid certificate
format. Expected X509 certificate");
+ }
try {
((X509Certificate)cert).checkValidity();
- } catch (Exception e) {
+ } catch (final Exception e) {
throw new IllegalArgumentException("Certificate expired or not
valid", e);
}
}
- private void validateKeys(PublicKey pubKey, PrivateKey privKey) {
+ private void validateKeys(final PublicKey pubKey, final PrivateKey
privKey) {
- if (pubKey.getAlgorithm() != privKey.getAlgorithm())
+ if (pubKey.getAlgorithm() != privKey.getAlgorithm()) {
throw new IllegalArgumentException("Public and private key
have different algorithms");
+ }
// No encryption for DSA
- if (pubKey.getAlgorithm() != "RSA")
+ if (pubKey.getAlgorithm() != "RSA") {
return;
+ }
try {
- String data = "ENCRYPT_DATA";
- SecureRandom random = new SecureRandom();
- Cipher cipher = Cipher.getInstance(pubKey.getAlgorithm());
+ final String data = "ENCRYPT_DATA";
+ final SecureRandom random = new SecureRandom();
+ final Cipher cipher =
Cipher.getInstance(pubKey.getAlgorithm());
cipher.init(Cipher.ENCRYPT_MODE, privKey, random);
- byte[] encryptedData = cipher.doFinal(data.getBytes());
+ final byte[] encryptedData = cipher.doFinal(data.getBytes());
cipher.init(Cipher.DECRYPT_MODE, pubKey, random);
- String decreptedData = new
String(cipher.doFinal(encryptedData));
- if (!decreptedData.equals(data))
+ final String decreptedData = new
String(cipher.doFinal(encryptedData));
+ if (!decreptedData.equals(data)) {
throw new IllegalArgumentException("Bad public-private
key");
+ }
- } catch (BadPaddingException e) {
+ } catch (final BadPaddingException e) {
throw new IllegalArgumentException("Bad public-private key",
e);
- } catch (IllegalBlockSizeException e) {
+ } catch (final IllegalBlockSizeException e) {
throw new IllegalArgumentException("Bad public-private key",
e);
- } catch (NoSuchPaddingException e) {
+ } catch (final NoSuchPaddingException e) {
throw new IllegalArgumentException("Bad public-private key",
e);
- } catch (InvalidKeyException e) {
+ } catch (final InvalidKeyException e) {
throw new IllegalArgumentException("Invalid public-private
key", e);
- } catch (NoSuchAlgorithmException e) {
+ } catch (final NoSuchAlgorithmException e) {
throw new IllegalArgumentException("Invalid algorithm for
public-private key", e);
}
}
- private void validateChain(List<Certificate> chain, Certificate cert) {
+ private void validateChain(final List<Certificate> chain, final
Certificate cert) {
- List<Certificate> certs = new ArrayList<Certificate>();
- Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
+ final List<Certificate> certs = new ArrayList<Certificate>();
+ final Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
certs.add(cert); // adding for self signed certs
certs.addAll(chain);
- for (Certificate c : certs) {
- if (!(c instanceof X509Certificate))
+ for (final Certificate c : certs) {
+ if (!(c instanceof X509Certificate)) {
throw new IllegalArgumentException("Invalid chain format.
Expected X509 certificate");
+ }
- X509Certificate xCert = (X509Certificate)c;
+ final X509Certificate xCert = (X509Certificate)c;
- Principal subject = xCert.getSubjectDN();
- Principal issuer = xCert.getIssuerDN();
+ xCert.getSubjectDN();
+ xCert.getIssuerDN();
- anchors.add(new TrustAnchor(xCert, null));
+ anchors.add(new TrustAnchor(xCert, null));
}
- X509CertSelector target = new X509CertSelector();
+ final X509CertSelector target = new X509CertSelector();
target.setCertificate((X509Certificate)cert);
PKIXBuilderParameters params = null;
try {
params = new PKIXBuilderParameters(anchors, target);
params.setRevocationEnabled(false);
params.addCertStore(CertStore.getInstance("Collection", new
CollectionCertStoreParameters(certs)));
- CertPathBuilder builder = CertPathBuilder.getInstance("PKIX",
"BC");
+ final CertPathBuilder builder =
CertPathBuilder.getInstance("PKIX", "BC");
builder.build(params);
- } catch (InvalidAlgorithmParameterException e) {
+ } catch (final InvalidAlgorithmParameterException e) {
throw new IllegalArgumentException("Invalid certificate
chain", e);
- } catch (CertPathBuilderException e) {
+ } catch (final CertPathBuilderException e) {
throw new IllegalArgumentException("Invalid certificate
chain", e);
- } catch (NoSuchAlgorithmException e) {
+ } catch (final NoSuchAlgorithmException e) {
throw new IllegalArgumentException("Invalid certificate
chain", e);
- } catch (NoSuchProviderException e) {
+ } catch (final NoSuchProviderException e) {
throw new CloudRuntimeException("No provider for certificate
validation", e);
}
}
- public PrivateKey parsePrivateKey(String key, String password) throws
IOException {
-
- PasswordFinder pGet = null;
-
- if (password != null)
- pGet = new KeyPassword(password.toCharArray());
-
- PEMReader privateKey = new PEMReader(new StringReader(key), pGet);
- Object obj = null;
- try {
- obj = privateKey.readObject();
- } finally {
- IOUtils.closeQuietly(privateKey);
- }
-
- try {
-
- if (obj instanceof KeyPair)
- return ((KeyPair)obj).getPrivate();
-
- return (PrivateKey)obj;
-
- } catch (Exception e) {
- throw new IOException("Invalid Key format or invalid
password.", e);
+ public PrivateKey parsePrivateKey(final String key) throws IOException
{
+ try (final PemReader pemReader = new PemReader(new
StringReader(key));) {
+ final PemObject pemObject = pemReader.readPemObject();
+ final byte[] content = pemObject.getContent();
+ final PKCS8EncodedKeySpec privKeySpec = new
PKCS8EncodedKeySpec(content);
+ final KeyFactory factory = KeyFactory.getInstance("RSA", "BC");
+ return factory.generatePrivate(privKeySpec);
+ } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
+ throw new IOException("No encryption provider available.", e);
+ } catch (final InvalidKeySpecException e) {
+ throw new IOException("Invalid Key format.", e);
}
}
- public Certificate parseCertificate(String cert) {
- PEMReader certPem = new PEMReader(new StringReader(cert));
+ public Certificate parseCertificate(final String cert) {
+ final PemReader certPem = new PemReader(new StringReader(cert));
try {
- return (Certificate)certPem.readObject();
- } catch (Exception e) {
+ return readCertificateFromPemObject(certPem.readPemObject());
+ } catch (final Exception e) {
throw new InvalidParameterValueException("Invalid Certificate
format. Expected X509 certificate. Failed due to " + e.getMessage());
} finally {
IOUtils.closeQuietly(certPem);
}
}
- public List<Certificate> parseChain(String chain) throws IOException {
+ private Certificate readCertificateFromPemObject(final PemObject
pemObject) throws CertificateException {
+ final ByteArrayInputStream bais = new
ByteArrayInputStream(pemObject.getContent());
+ final CertificateFactory certificateFactory =
CertificateFactory.getInstance("X509");
- List<Certificate> certs = new ArrayList<Certificate>();
- PEMReader reader = new PEMReader(new StringReader(chain));
+ return certificateFactory.generateCertificate(bais);
+ }
- Certificate crt = null;
- while ((crt = (Certificate)reader.readObject()) != null) {
- if (crt instanceof X509Certificate) {
- certs.add(crt);
- }
- }
- if (certs.size() == 0)
- throw new IllegalArgumentException("Unable to decode
certificate chain");
+ public List<Certificate> parseChain(final String chain) throws
IOException, CertificateException {
- return certs;
+ return CertificateHelper.parseChain(chain);
}
- String generateFingerPrint(Certificate cert) {
+ String generateFingerPrint(final Certificate cert) {
--- End diff --
This method appears to be a duplicate of
`CertificateHelper.generateFingerPrint(Certificate)`. Please consider
eliminating this method in favor of it.
> Upgrade bountycastle to 1.55+
> -----------------------------
>
> Key: CLOUDSTACK-9632
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9632
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Reporter: Rohit Yadav
> Assignee: Rohit Yadav
> Fix For: Future, 4.10.0.0
>
>
> Upgrade bountycastle library to latest versions.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
