List of usage examples for java.security.cert X509Certificate getPublicKey
/**
 * Returns the public key carried in this certificate's SubjectPublicKeyInfo.
 *
 * NOTE(review): nothing about the key is verified by this call. Treat it as
 * trusted only after the certificate itself has been validated (signature
 * chain to a trusted anchor, validity period, intended key usage).
 */
public abstract PublicKey getPublicKey();
From source file:com.netscape.cmscore.apps.CMSEngine.java
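/**
 * Initializes a single subsystem.
 *
 * The subsystem is registered under its id, optionally told its id, and (if
 * enabled) initialized with its own configuration sub-store. Afterwards the
 * engine-level auto-shutdown bookkeeping is refreshed, and for the CA/OCSP/KRA/TKS
 * subsystems the SSL server certificate nickname is applied, while the CA/KRA
 * subsystems additionally read their excluded-LDAP-attribute list.
 *
 * @param ssinfo descriptor holding the subsystem id, instance and flags
 * @throws EBaseException if the subsystem's own {@code init} fails or a required
 *         configuration property cannot be read
 */
private void initSubsystem(SubsystemInfo ssinfo) throws EBaseException {
    String id = ssinfo.id;
    ISubsystem ss = ssinfo.instance;

    logger.debug("CMSEngine: initSubsystem(" + id + ")");

    // Registration happens before the enabled check, so a disabled subsystem
    // is still present in mSSReg.
    mSSReg.put(id, ss);

    if (ssinfo.updateIdOnInit) {
        ss.setId(id);
    }

    IConfigStore ssConfig = mConfig.getSubStore(id);

    if (!ssinfo.enabled) {
        logger.debug("CMSEngine: " + id + " disabled");
        return;
    }

    logger.debug("CMSEngine: initializing " + id);
    ss.init(this, ssConfig);

    initAutoShutdownSupport();

    // add to id - subsystem hash table.
    logger.debug("CMSEngine: done init id=" + id);
    logger.debug("CMSEngine: initialized " + id);

    if (id.equals("ca") || id.equals("ocsp") || id.equals("kra") || id.equals("tks")) {
        initSubsystemServerCertNickname(id);
    }

    if (id.equals("ca") || id.equals("kra")) {
        initExcludedLdapAttrs();
    }
}

/**
 * Reads the auto-shutdown settings and, unless restart is enabled, removes a
 * stale crumb file. Then resolves the audit signing certificate and its private
 * key so HSM failover can be detected later.
 *
 * Any failure here is logged at WARN and does not abort initialization. In
 * particular, a missing or unreadable audit signing certificate leaves
 * auto-shutdown unsupported for this instance, so those WARN lines deserve
 * monitoring.
 */
private void initAutoShutdownSupport() throws EBaseException {
    try {
        /*
         * autoShutdown.allowed=false
         * autoShutdown.crumbFile=[PKI_INSTANCE_PATH]/logs/autoShutdown.crumb
         * autoShutdown.restart.enable=false
         * autoShutdown.restart.max=3
         * autoShutdown.restart.count=0
         */
        mAutoSD_Restart = mConfig.getBoolean("autoShutdown.restart.enable", false);
        logger.debug("CMSEngine: restart at autoShutdown: " + mAutoSD_Restart);

        if (mAutoSD_Restart) {
            mAutoSD_RestartMax = mConfig.getInteger("autoShutdown.restart.max", 3);
            logger.debug("CMSEngine: restart max: " + mAutoSD_RestartMax);
            mAutoSD_RestartCount = mConfig.getInteger("autoShutdown.restart.count", 0);
            logger.debug("CMSEngine: current restart count: " + mAutoSD_RestartCount);
        } else {
            mAutoSD_CrumbFile = mConfig.getString("autoShutdown.crumbFile",
                    instanceDir + "/logs/autoShutdown.crumb");
            logger.debug("CMSEngine: autoShutdown crumb file path: " + mAutoSD_CrumbFile);
            removeStaleAutoShutdownCrumb(mAutoSD_CrumbFile);
        }

        /*
         * establish signing key reference using audit signing cert
         * for HSM failover detection
         */
        mSAuditCertNickName = mConfig.getString(PROP_SIGNED_AUDIT_CERT_NICKNAME);
        mManager = CryptoManager.getInstance();
        logger.debug("CMSEngine: about to look for cert for auto-shutdown support:" + mSAuditCertNickName);

        org.mozilla.jss.crypto.X509Certificate cert = null;
        try {
            cert = mManager.findCertByNickname(mSAuditCertNickName);
        } catch (ObjectNotFoundException as) {
            logger.warn("CMSEngine: Unable to support auto-shutdown: " + as.getMessage());
        }

        if (cert != null) {
            logger.debug("CMSEngine: found cert:" + mSAuditCertNickName);
            mSigningKey = mManager.findPrivKeyByCert(cert);
            // Encoded public key kept alongside the private key handle; presumably
            // the failover check later signs/verifies against it.
            mSigningData = cert.getPublicKey().getEncoded();
        }
    } catch (Exception e) {
        logger.warn("CMSEngine: Unable to configure auto-shutdown: " + e.getMessage(), e);
    }
}

/**
 * Deletes the auto-shutdown crumb file if it exists.
 *
 * Previously the result of {@code File.delete()} was ignored, so a crumb that
 * could not be removed (permissions, read-only filesystem) went unnoticed.
 * Both the "not deleted" and the "threw" cases are now logged at WARN, and
 * initialization continues as before.
 *
 * @param crumbPath path of the crumb file
 */
private void removeStaleAutoShutdownCrumb(String crumbPath) {
    File crumb = new File(crumbPath);
    try {
        if (crumb.exists()) {
            logger.debug("CMSEngine: delete autoShutdown crumb file");
            if (!crumb.delete()) {
                logger.warn("Delete autoShutdown crumb file failed: " + crumbPath);
                logger.warn("Continue with initialization");
            }
        }
    } catch (Exception e) {
        logger.warn("Delete autoShutdown crumb file failed: " + e.getMessage(), e);
        logger.warn("Continue with initialization");
    }
}

/**
 * Applies the {@code <id>.sslserver.nickname} / {@code <id>.sslserver.tokenname}
 * configuration as the engine's SSL server certificate nickname. A token name
 * is only honoured together with a nickname; a missing nickname is logged as an
 * init error and nothing is set.
 *
 * @param id subsystem id whose sslserver sub-store is consulted
 * @throws EBaseException if the sub-store properties cannot be read
 */
private void initSubsystemServerCertNickname(String id) throws EBaseException {
    logger.debug("CMSEngine: get SSL server nickname");
    IConfigStore serverCertStore = mConfig.getSubStore(id + "." + "sslserver");
    if (serverCertStore == null || serverCertStore.size() <= 0) {
        return;
    }

    String nickName = serverCertStore.getString("nickname");
    String tokenName = serverCertStore.getString("tokenname");
    boolean hasNick = nickName != null && nickName.length() > 0;
    boolean hasToken = tokenName != null && tokenName.length() > 0;

    if (hasToken && hasNick) {
        setServerCertNickname(tokenName, nickName);
        logger.debug("Subsystem " + id + " init sslserver: tokenName:" + tokenName + " nickName:" + nickName);
    } else if (hasNick) {
        setServerCertNickname(nickName);
        logger.debug("Subsystem " + id + " init sslserver: nickName:" + nickName);
    } else {
        logger.warn("Subsystem " + id + " init error: SSL server certificate nickname is not available.");
    }
}

/**
 * Determines which LDAP attributes are excluded from enrollment records.
 *
 * Default config: {@code excludedLdapAttrs.enabled=false}; when enabled, the
 * built-in {@code excludedLdapAttrs} list is used unless
 * {@code excludedLdapAttrs.attrs} names a comma-separated replacement list.
 *
 * @throws EBaseException if {@code excludedLdapAttrs.enabled} cannot be read
 */
private void initExcludedLdapAttrs() throws EBaseException {
    mExcludedLdapAttrsEnabled = mConfig.getBoolean("excludedLdapAttrs.enabled", false);
    if (!mExcludedLdapAttrsEnabled) {
        logger.debug("CMSEngine: initSubsystem: excludedLdapAttrs.enabled: false");
        return;
    }

    logger.debug("CMSEngine: initSubsystem: excludedLdapAttrs.enabled: true");
    excludedLdapAttrsList = Arrays.asList(excludedLdapAttrs);

    String unparsedExcludedLdapAttrs = "";
    try {
        unparsedExcludedLdapAttrs = mConfig.getString("excludedLdapAttrs.attrs");
        logger.debug("CMSEngine: initSubsystem: excludedLdapAttrs.attrs =" + unparsedExcludedLdapAttrs);
    } catch (Exception e) {
        logger.debug("CMSEngine: initSubsystem: excludedLdapAttrs.attrs unspecified, taking default");
    }

    if (unparsedExcludedLdapAttrs != null && !unparsedExcludedLdapAttrs.isEmpty()) {
        // overwrites the default
        excludedLdapAttrsList = Arrays.asList(unparsedExcludedLdapAttrs.split(","));
    }
}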
From source file:com.ext.portlet.epsos.EpsosHelperService.java
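/**
 * Signs a SAML assertion (or any signable SAML object) with RSA, using the
 * keystore and alias configured through the {@code javax.net.ssl.*} properties
 * of {@link ConfigurationManagerService}.
 *
 * The {@code keyAlias} parameter only chooses which certificate is embedded
 * (the key manager's default when {@code null}, otherwise the certificate the
 * key manager holds under that alias); the private key itself always comes from
 * the configured {@code javax.net.ssl.key.alias}. NOTE(review): on the
 * {@code null} path no private key is loaded (the default-key lookup was left
 * commented out in the original), so signing fails there; {@code keyPassword}
 * is not used at all.
 *
 * @param as          object to sign; its Signature element is set in place
 * @param keyAlias    alias of the certificate to embed, or {@code null}
 * @param keyPassword currently unused
 * @throws SMgrException if signature parameters cannot be prepared, the object
 *                       cannot be marshalled, or signing fails
 * @throws Exception     for keystore / I/O failures, or when the embedded
 *                       certificate does not match the configured signing key
 */
@SuppressWarnings("deprecation")
public static void signSAMLAssertion(SignableSAMLObject as, String keyAlias, char[] keyPassword)
        throws Exception {
    ConfigurationManagerService cms = ConfigurationManagerService.getInstance();
    String keystoreLocation = cms.getProperty("javax.net.ssl.keyStore");
    String keystorePassword = cms.getProperty("javax.net.ssl.keyStorePassword");
    String configuredKeyAlias = cms.getProperty("javax.net.ssl.key.alias");
    String privateKeyPassword = cms.getProperty("javax.net.ssl.privateKeyPassword");

    // Log only non-secret settings. The keystore and private-key passwords
    // used to be written here at DEBUG, which leaks the protection of the
    // signing key into every log aggregator.
    _log.debug("-------" + keystoreLocation);
    _log.debug("-------" + configuredKeyAlias);

    KeyStoreManager keyManager = new DefaultKeyStoreManager();

    X509Certificate cert;
    PrivateKey privateKey = null;
    if (keyAlias == null) {
        cert = (X509Certificate) keyManager.getDefaultCertificate();
    } else {
        KeyStore keyStore = KeyStore.getInstance("JKS");
        // Close the stream; the original leaked the FileInputStream.
        FileInputStream in = new FileInputStream(new File(keystoreLocation));
        try {
            keyStore.load(in, keystorePassword.toCharArray());
        } finally {
            in.close();
        }
        privateKey = (PrivateKey) keyStore.getKey(configuredKeyAlias, privateKeyPassword.toCharArray());
        X509Certificate keystoreCert = (X509Certificate) keyStore.getCertificate(configuredKeyAlias);
        cert = (X509Certificate) keyManager.getCertificate(keyAlias);

        // The certificate placed in KeyInfo must belong to the key that signs;
        // the key comes from the configured alias, the certificate from the
        // caller's alias, so check they agree instead of emitting an unverifiable
        // signature.
        if (keystoreCert == null || cert == null) {
            throw new java.security.cert.CertificateException(
                    "Signing certificate not found for alias " + keyAlias);
        }
        PublicKey publicKey = keystoreCert.getPublicKey();
        if (!Arrays.equals(publicKey.getEncoded(), cert.getPublicKey().getEncoded())) {
            throw new java.security.cert.CertificateException("Certificate for alias " + keyAlias
                    + " does not match the configured signing key " + configuredKeyAlias);
        }
    }

    org.opensaml.xml.signature.Signature sig = (org.opensaml.xml.signature.Signature) Configuration
            .getBuilderFactory().getBuilder(org.opensaml.xml.signature.Signature.DEFAULT_ELEMENT_NAME)
            .buildObject(org.opensaml.xml.signature.Signature.DEFAULT_ELEMENT_NAME);

    Credential signingCredential = SecurityHelper.getSimpleCredential(cert, privateKey);
    sig.setSigningCredential(signingCredential);
    // NOTE(review): RSA-SHA1 is kept so existing relying parties keep
    // verifying; SHA-1 is deprecated for signatures and should move to
    // http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 once peers accept it.
    sig.setSignatureAlgorithm("http://www.w3.org/2000/09/xmldsig#rsa-sha1");
    sig.setCanonicalizationAlgorithm("http://www.w3.org/2001/10/xml-exc-c14n#");

    SecurityConfiguration secConfig = Configuration.getGlobalSecurityConfiguration();
    try {
        SecurityHelper.prepareSignatureParams(sig, signingCredential, secConfig, null);
    } catch (SecurityException e) {
        throw new SMgrException(e.getMessage(), e);
    }

    as.setSignature(sig);
    try {
        Configuration.getMarshallerFactory().getMarshaller(as).marshall(as);
    } catch (MarshallingException e) {
        throw new SMgrException(e.getMessage(), e);
    }

    // A signing failure must surface: the original only printed the stack
    // trace, leaving the caller with an assertion it believed to be signed.
    try {
        org.opensaml.xml.signature.Signer.signObject(sig);
    } catch (Exception e) {
        throw new SMgrException(e.getMessage(), e);
    }
}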
From source file:be.fedict.eid.tsl.TrustServiceList.java
/**
 * Signs the trust service list document in place with an enveloped XAdES-BES
 * signature over the element identified by {@code tslId}.
 *
 * Digest is SHA-256, canonicalization is exclusive XML-C14N. The signature
 * method is RSA-SHA256 where the runtime supports it (Java 6u18 or newer);
 * older runtimes fall back to RSA-SHA1, which is deprecated for signatures.
 * The factory is obtained from the JDK-internal {@code XMLDSigRI} provider.
 *
 * @param privateKey  signing key
 * @param certificate signer certificate, embedded in KeyInfo as X509Data
 *                    (certificate plus issuer/serial) and as a KeyValue
 * @param tslId       id of the element referenced as {@code #tslId}
 * @throws NoSuchAlgorithmException          if a digest/signature/c14n method is unavailable
 * @throws InvalidAlgorithmParameterException if a method rejects its parameters
 * @throws MarshalException                 if the signature cannot be marshalled into the DOM
 * @throws XMLSignatureException            if signing fails
 * @throws RuntimeException                 if the certificate's public key cannot be
 *                                          represented as a KeyValue
 */
private void xmlSign(PrivateKey privateKey, X509Certificate certificate, String tslId)
        throws NoSuchAlgorithmException, InvalidAlgorithmParameterException, MarshalException,
        XMLSignatureException {
    XMLSignatureFactory factory = XMLSignatureFactory.getInstance("DOM",
            new org.jcp.xml.dsig.internal.dom.XMLDSigRI());
    LOG.debug("xml signature factory: " + factory.getClass().getName());
    LOG.debug("loader: " + factory.getClass().getClassLoader());

    String signatureId = "xmldsig-" + UUID.randomUUID().toString();
    String signatureValueId = signatureId + "-signature-value";

    // Enveloped signature over the TSL element, canonicalized with exclusive
    // C14N before digesting.
    List<Transform> transforms = new LinkedList<Transform>();
    transforms.add(factory.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null));
    transforms.add(factory.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null));
    List<Reference> references = new LinkedList<Reference>();
    references.add(factory.newReference("#" + tslId, factory.newDigestMethod(DigestMethod.SHA256, null),
            transforms, null, null));

    // XAdES qualifying properties; this may append further references/objects,
    // so it must run before SignedInfo is built.
    List<XMLObject> objects = new LinkedList<XMLObject>();
    addXadesBes(factory, this.tslDocument, signatureId, certificate, references, objects);

    SignatureMethod signatureMethod = isJava6u18OrAbove()
            ? factory.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null)
            : factory.newSignatureMethod(SignatureMethod.RSA_SHA1, null);
    SignedInfo signedInfo = factory.newSignedInfo(
            factory.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            signatureMethod, references);

    // KeyInfo: X509Data (certificate + issuer/serial) followed by a raw KeyValue.
    KeyInfoFactory kif = KeyInfoFactory.getInstance();
    List<Object> x509Content = new LinkedList<Object>();
    x509Content.add(certificate);
    x509Content.add(kif.newX509IssuerSerial(certificate.getIssuerX500Principal().toString(),
            certificate.getSerialNumber()));
    KeyValue keyValue;
    try {
        keyValue = kif.newKeyValue(certificate.getPublicKey());
    } catch (KeyException e) {
        throw new RuntimeException("key exception: " + e.getMessage(), e);
    }
    List<Object> keyInfoContent = new LinkedList<Object>();
    keyInfoContent.add(kif.newX509Data(x509Content));
    keyInfoContent.add(keyValue);
    KeyInfo keyInfo = kif.newKeyInfo(keyInfoContent);

    XMLSignContext signContext = new DOMSignContext(privateKey, this.tslDocument.getDocumentElement());
    signContext.putNamespacePrefix(XMLSignature.XMLNS, "ds");
    XMLSignature xmlSignature = factory.newXMLSignature(signedInfo, keyInfo, objects, signatureId,
            signatureValueId);
    xmlSignature.sign(signContext);
}
From source file:org.alfresco.extension.countersign.signature.RepositoryManagedSignatureProvider.java
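/**
 * Generates an X.509 certificate for {@code keyPair}, for use as the keystore
 * certificate chain of the given person.
 *
 * Validity starts one day in the past (tolerates clock skew) and lasts
 * {@code VALID_DURATION} days. When {@code ENABLE_TRUSTED_CERTS} is set the
 * certificate is issued by the repository CA held in the trusted keystore, gets
 * AKI/SKI extensions, and is verified against the CA's public key; otherwise it
 * is self-signed and verified against its own key.
 *
 * @param keyPair the subject's key pair; only the public half is certified
 * @param person  node whose first and last name form the subject CN
 * @return the generated certificate (never {@code null}; failures throw)
 * @throws AlfrescoRuntimeException if the certificate cannot be built or verified
 */
private X509Certificate generateCertificate(KeyPair keyPair, NodeRef person) {
    int validDuration = Integer
            .parseInt(config.getProperty(RepositoryManagedSignatureProviderFactory.VALID_DURATION));

    // get user's first and last name
    Map<QName, Serializable> props = serviceRegistry.getNodeService().getProperties(person);
    String firstName = String.valueOf(props.get(ContentModel.PROP_FIRSTNAME));
    String lastName = String.valueOf(props.get(ContentModel.PROP_LASTNAME));

    // backdate the start date by a day
    Calendar start = Calendar.getInstance();
    start.add(Calendar.DATE, -1);
    java.util.Date startDate = start.getTime();

    // what is the end date for this cert's validity?
    Calendar end = Calendar.getInstance();
    end.add(Calendar.DATE, validDuration);
    java.util.Date endDate = end.getTime();

    try {
        // The names are user-editable profile fields. Escape them so a value
        // such as "Smith, O=Admin" cannot add RDNs to the subject DN (or make
        // X500Principal reject the string).
        X500Principal subjectName = new X500Principal("CN=" + escapeRdnValue(firstName + " " + lastName));

        X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
        certGen.setSerialNumber(randomSerialNumber());
        certGen.setNotBefore(startDate);
        certGen.setNotAfter(endDate);
        certGen.setSubjectDN(subjectName);
        certGen.setPublicKey(keyPair.getPublic());
        certGen.setSignatureAlgorithm("SHA256WithRSAEncryption");

        X509Certificate cert;
        // if we are actually generating a trusted cert, the action is a little different
        boolean generateTrusted = Boolean.parseBoolean(
                config.getProperty(RepositoryManagedSignatureProviderFactory.ENABLE_TRUSTED_CERTS));
        if (generateTrusted) {
            KeyStore trustedKs = getTrustedKeyStore();
            PrivateKey caKey = getCaKey(trustedKs);
            X509Certificate caCert = getCaCert(trustedKs);

            // set the issuer of the generated cert to the subject of the ca cert
            certGen.setIssuerDN(caCert.getSubjectX500Principal());

            // add the required extensions for the new cert
            certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false,
                    new AuthorityKeyIdentifierStructure(caCert));
            certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false,
                    new SubjectKeyIdentifierStructure(keyPair.getPublic()));

            cert = certGen.generate(caKey, "BC");
            // fail fast if the CA key and CA certificate do not belong together
            cert.verify(caCert.getPublicKey());
        } else {
            certGen.setIssuerDN(subjectName);
            cert = certGen.generate(keyPair.getPrivate(), "BC");
            // same sanity check for the self-signed case
            cert.verify(keyPair.getPublic());
        }
        return cert;
    } catch (CertificateException ce) {
        logger.error("CertificateException creating or validating X509 certificate for user: " + ce);
        throw new AlfrescoRuntimeException(ce.getMessage(), ce);
    } catch (Exception ex) {
        // Previously logged and returned null, which only moved the failure to
        // whoever tried to build a keystore entry from a missing certificate.
        logger.error("Unknown exception creating or validating X509 certificate for user : " + ex);
        throw new AlfrescoRuntimeException(ex.getMessage(), ex);
    }
}

/**
 * Escapes an attribute value for use inside an RFC 2253 distinguished-name
 * string: the separator characters {@code , + " \ < > ;} anywhere, a leading
 * {@code #} or space, and a trailing space are backslash-escaped so they are
 * read as part of the value rather than as DN syntax.
 *
 * @param value raw attribute value
 * @return the escaped value
 */
private static String escapeRdnValue(String value) {
    StringBuilder sb = new StringBuilder(value.length() + 8);
    int last = value.length() - 1;
    for (int i = 0; i <= last; i++) {
        char c = value.charAt(i);
        boolean special = c == ',' || c == '+' || c == '"' || c == '\\' || c == '<' || c == '>' || c == ';'
                || (i == 0 && (c == '#' || c == ' '))
                || (i == last && c == ' ');
        if (special) {
            sb.append('\\');
        }
        sb.append(c);
    }
    return sb.toString();
}

/**
 * Produces a random, positive serial number. The previous
 * {@code System.currentTimeMillis()} serial is predictable and collides when
 * two certificates are issued in the same millisecond, which breaks serial
 * uniqueness under a shared issuer.
 *
 * @return 127 random bits with the low bit forced on: non-zero, positive,
 *         and at most 16 octets when DER-encoded
 */
private static BigInteger randomSerialNumber() {
    return new BigInteger(127, new java.security.SecureRandom()).setBit(0);
}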
From source file:org.apache.ambari.server.security.encryption.CertificateUtils.java
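/**
 * Extracts the RSA public key from a PEM-encoded X.509 certificate string
 * (the full {@code .crt} file content, including the BEGIN/END lines).
 *
 * Only the first certificate in the string is parsed. The certificate is not
 * validated here (no chain, expiry or revocation check); callers decide
 * separately whether to trust it.
 *
 * @param certificateString PEM text of the certificate
 * @return the certificate's RSA public key
 * @throws CertificateException if the text is not a parseable certificate, or if
 *         the certificate's key is not RSA (previously this escaped as a
 *         {@link ClassCastException} from the cast)
 * @throws UnsupportedEncodingException kept for signature compatibility; UTF-8
 *         is always available
 */
public static RSAPublicKey getPublicKeyFromString(String certificateString)
        throws CertificateException, UnsupportedEncodingException {
    CertificateFactory fact = CertificateFactory.getInstance("X.509");
    ByteArrayInputStream is = new ByteArrayInputStream(certificateString.getBytes("UTF8"));
    X509Certificate cer = (X509Certificate) fact.generateCertificate(is);
    java.security.PublicKey key = cer.getPublicKey();
    if (!(key instanceof RSAPublicKey)) {
        throw new CertificateException(
                "Certificate public key algorithm is " + key.getAlgorithm() + ", expected RSA");
    }
    return (RSAPublicKey) key;
}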
From source file:org.apache.atlas.web.filters.AtlasKnoxSSOAuthenticationFilter.java
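/**
 * Parses the Knox SSO verification key, configured as the bare base64 body of
 * an X.509 certificate (PEM without the BEGIN/END lines), into an RSA public key.
 *
 * The certificate is only parsed, not validated.
 *
 * @param pem base64 body of the certificate, without header/footer
 * @return the certificate's RSA public key
 * @throws ServletException if the text is not a certificate (with a hint when the
 *         header/footer were mistakenly included), if the key is not RSA
 *         (previously a {@link ClassCastException} escaped), or if UTF-8 is
 *         unsupported
 */
public static RSAPublicKey parseRSAPublicKey(String pem)
        throws CertificateException, UnsupportedEncodingException, ServletException {
    String pemHeader = "-----BEGIN CERTIFICATE-----\n";
    String pemFooter = "\n-----END CERTIFICATE-----";
    String fullPem = pemHeader + pem + pemFooter;
    PublicKey key;
    try {
        CertificateFactory fact = CertificateFactory.getInstance("X.509");
        ByteArrayInputStream is = new ByteArrayInputStream(fullPem.getBytes("UTF8"));
        X509Certificate cer = (X509Certificate) fact.generateCertificate(is);
        key = cer.getPublicKey();
    } catch (CertificateException ce) {
        // Compare without the trailing newline: a value that starts with the
        // header followed by "\r\n" or a space must still trigger the hint.
        String message;
        if (pem.trim().startsWith("-----BEGIN CERTIFICATE-----")) {
            message = "CertificateException - be sure not to include PEM header "
                    + "and footer in the PEM configuration element.";
        } else {
            message = "CertificateException - PEM may be corrupt";
        }
        throw new ServletException(message, ce);
    } catch (UnsupportedEncodingException uee) {
        throw new ServletException(uee);
    }
    if (!(key instanceof RSAPublicKey)) {
        throw new ServletException(
                "Knox SSO public key algorithm is " + key.getAlgorithm() + ", expected RSA");
    }
    return (RSAPublicKey) key;
}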
From source file:org.apache.cxf.ws.security.sts.provider.token.Saml2TokenProvider.java
/**
 * Builds a holder-of-key SAML 2 Subject for the given certificate.
 *
 * The NameID value is the certificate's subject DN as rendered by
 * {@code getSubjectDN().getName()} (NOTE(review): switching to
 * {@code getSubjectX500Principal().getName()} would change the emitted string),
 * with format {@code urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName}.
 * A single holder-of-key SubjectConfirmation carries a KeyInfo holding the
 * certificate and its public key value.
 *
 * @param certificate the subject's certificate
 * @return the populated Subject
 * @throws Exception if OpenSAML bootstrapping or KeyInfo generation fails
 */
private Subject createSubject(X509Certificate certificate) throws Exception {
    DefaultBootstrap.bootstrap();

    // KeyInfo for holder-of-key confirmation: certificate plus explicit KeyValue.
    BasicX509Credential credential = new BasicX509Credential();
    credential.setEntityCertificate(certificate);
    credential.setPublicKey(certificate.getPublicKey());
    BasicKeyInfoGeneratorFactory keyInfoFactory = new BasicKeyInfoGeneratorFactory();
    keyInfoFactory.setEmitPublicKeyValue(true);
    KeyInfo keyInfo = keyInfoFactory.newInstance().generate(credential);

    KeyInfoConfirmationDataType confirmationData = new KeyInfoConfirmationDataTypeBuilder().buildObject();
    confirmationData.getKeyInfos().add(keyInfo);

    SubjectConfirmation confirmation = new SubjectConfirmationBuilder().buildObject();
    confirmation.setMethod(SubjectConfirmation.METHOD_HOLDER_OF_KEY);
    confirmation.setSubjectConfirmationData(confirmationData);

    NameID nameId = new NameIDBuilder().buildObject();
    nameId.setValue(certificate.getSubjectDN().getName());
    nameId.setFormat("urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName");

    Subject subject = new SubjectBuilder().buildObject();
    subject.setNameID(nameId);
    subject.getSubjectConfirmations().add(confirmation);
    return subject;
}
From source file:org.apache.directory.studio.connection.ui.widgets.CertificateInfoComposite.java
/**
 * Rebuilds the detail tree for the certificate currently selected in the
 * hierarchy viewer; nothing is shown unless exactly one chain element is
 * selected.
 *
 * Values are displayed raw: the serial number in hex, the issuer/subject as
 * RFC 2253 names, and the encoded public key and signature as hex strings.
 * No validation of the certificate happens here.
 */
private void populateCertificateTree() {
    certificateTree.removeAll();
    valueText.setText(StringUtils.EMPTY);

    IStructuredSelection sel = (IStructuredSelection) hierarchyTreeViewer.getSelection();
    if (sel.size() != 1) {
        return;
    }
    X509Certificate cert = ((CertificateChainItem) sel.getFirstElement()).certificate;

    // root node: the subject's common name
    TreeItem root = new TreeItem(certificateTree, SWT.NONE);
    root.setText(getAttributeMap(cert.getSubjectX500Principal()).get("CN")); //$NON-NLS-1$

    TreeItem certNode = createTreeItem(root, Messages.getString("CertificateInfoComposite.Certificate"), //$NON-NLS-1$
            StringUtils.EMPTY);
    createTreeItem(certNode, Messages.getString("CertificateInfoComposite.Version"), //$NON-NLS-1$
            String.valueOf(cert.getVersion()));
    createTreeItem(certNode, Messages.getString("CertificateInfoComposite.SerialNumber"), //$NON-NLS-1$
            cert.getSerialNumber().toString(16));
    createTreeItem(certNode, Messages.getString("CertificateInfoComposite.Signature"), //$NON-NLS-1$
            cert.getSigAlgName());
    createTreeItem(certNode, Messages.getString("CertificateInfoComposite.Issuer"), //$NON-NLS-1$
            cert.getIssuerX500Principal().getName());

    TreeItem validityNode = createTreeItem(certNode, Messages.getString("CertificateInfoComposite.Validity"), //$NON-NLS-1$
            StringUtils.EMPTY);
    createTreeItem(validityNode, Messages.getString("CertificateInfoComposite.NotBefore"), //$NON-NLS-1$
            cert.getNotBefore().toString());
    createTreeItem(validityNode, Messages.getString("CertificateInfoComposite.NotAfter"), //$NON-NLS-1$
            cert.getNotAfter().toString());

    createTreeItem(certNode, Messages.getString("CertificateInfoComposite.Subject"), //$NON-NLS-1$
            cert.getSubjectX500Principal().getName());

    TreeItem pkiNode = createTreeItem(certNode, Messages.getString("CertificateInfoComposite.SubjectPublicKeyInfo"), //$NON-NLS-1$
            StringUtils.EMPTY);
    createTreeItem(pkiNode, Messages.getString("CertificateInfoComposite.SubjectPublicKeyAlgorithm"), //$NON-NLS-1$
            cert.getPublicKey().getAlgorithm());
    createTreeItem(pkiNode, Messages.getString("CertificateInfoComposite.SubjectPublicKey"), //$NON-NLS-1$
            toHex(cert.getPublicKey().getEncoded()));

    TreeItem extNode = createTreeItem(certNode, Messages.getString("CertificateInfoComposite.Extensions"), //$NON-NLS-1$
            StringUtils.EMPTY);
    populateExtensions(extNode, cert, true);
    populateExtensions(extNode, cert, false);

    createTreeItem(root, Messages.getString("CertificateInfoComposite.SignatureAlgorithm"), //$NON-NLS-1$
            cert.getSigAlgName());
    createTreeItem(root, Messages.getString("CertificateInfoComposite.Signature"), //$NON-NLS-1$
            toHex(cert.getSignature()));

    for (TreeItem node : new TreeItem[] { root, certNode, validityNode, pkiNode, extNode }) {
        node.setExpanded(true);
    }
}

/**
 * Renders raw bytes as a lower-case hex string for display.
 *
 * @param bytes bytes to render
 * @return hex representation
 */
private static String toHex(byte[] bytes) {
    return new String(Hex.encodeHex(bytes));
}
From source file:org.apache.drill.cv.exec.server.rest.CvDrillWebServer.java
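/**
 * Create an HTTPS connector for the embedded Jetty server.
 *
 * If the admin configured {@code ExecConstants.HTTP_KEYSTORE_PATH}, that
 * keystore (and the optional truststore) is used. Otherwise a throw-away RSA key
 * pair and self-signed certificate are generated and kept in an in-memory
 * keystore; clients must trust that certificate explicitly, and it is recreated
 * on every start.
 *
 * @return Initialized {@link ServerConnector} for HTTPS connections.
 * @throws Exception on key generation, certificate or keystore failures
 */
private ServerConnector createHttpsConnector() throws Exception {
    CvDrillWebServer.logger.info("Setting up HTTPS connector for web server");

    final SslContextFactory sslContextFactory = new SslContextFactory();

    if (config.hasPath(ExecConstants.HTTP_KEYSTORE_PATH)
            && !Strings.isNullOrEmpty(config.getString(ExecConstants.HTTP_KEYSTORE_PATH))) {
        CvDrillWebServer.logger.info("Using configured SSL settings for web server");
        sslContextFactory.setKeyStorePath(config.getString(ExecConstants.HTTP_KEYSTORE_PATH));
        sslContextFactory.setKeyStorePassword(config.getString(ExecConstants.HTTP_KEYSTORE_PASSWORD));

        // TrustStore and TrustStore password are optional
        if (config.hasPath(ExecConstants.HTTP_TRUSTSTORE_PATH)) {
            sslContextFactory.setTrustStorePath(config.getString(ExecConstants.HTTP_TRUSTSTORE_PATH));
            if (config.hasPath(ExecConstants.HTTP_TRUSTSTORE_PASSWORD)) {
                sslContextFactory
                        .setTrustStorePassword(config.getString(ExecConstants.HTTP_TRUSTSTORE_PASSWORD));
            }
        }
    } else {
        CvDrillWebServer.logger.info("Using generated self-signed SSL settings for web server");
        final SecureRandom random = new SecureRandom();

        // Generate a private-public key pair. 2048 bits is the current minimum
        // for RSA; the previous 1024-bit key is considered weak and is refused
        // by hardened TLS clients.
        final KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
        keyPairGenerator.initialize(2048, random);
        final KeyPair keyPair = keyPairGenerator.generateKeyPair();

        final DateTime now = DateTime.now();

        // Create builder for certificate attributes
        final X500NameBuilder nameBuilder = new X500NameBuilder(BCStyle.INSTANCE)
                .addRDN(BCStyle.OU, "Apache Drill (auth-generated)")
                .addRDN(BCStyle.O, "Apache Software Foundation (auto-generated)")
                .addRDN(BCStyle.CN, workManager.getContext().getEndpoint().getAddress());

        final Date notBefore = now.minusMinutes(1).toDate();
        final Date notAfter = now.plusYears(5).toDate();
        final BigInteger serialNumber = new BigInteger(128, random);

        // Create a certificate valid for 5 years from now. NOTE(review): only
        // the CN carries the endpoint address; clients that require a
        // subjectAltName will not match this certificate by hostname.
        final X509v3CertificateBuilder certificateBuilder = new JcaX509v3CertificateBuilder(
                nameBuilder.build(), // attributes
                serialNumber, notBefore, notAfter, nameBuilder.build(), keyPair.getPublic());

        // Sign the certificate using the private key
        final ContentSigner contentSigner = new JcaContentSignerBuilder("SHA256WithRSAEncryption")
                .build(keyPair.getPrivate());
        final X509Certificate certificate = new JcaX509CertificateConverter()
                .getCertificate(certificateBuilder.build(contentSigner));

        // Check the validity
        certificate.checkValidity(now.toDate());

        // Make sure the certificate is self-signed.
        certificate.verify(certificate.getPublicKey());

        // Password for the in-memory keystore: alphanumeric, drawn from the same
        // SecureRandom instead of RandomStringUtils' shared java.util.Random.
        final String keyStorePasswd = RandomStringUtils.random(20, 0, 0, true, true, null, random);

        final KeyStore keyStore = KeyStore.getInstance("JKS");
        keyStore.load(null, null);
        keyStore.setKeyEntry("DrillAutoGeneratedCert", keyPair.getPrivate(), keyStorePasswd.toCharArray(),
                new java.security.cert.Certificate[] { certificate });
        sslContextFactory.setKeyStore(keyStore);
        sslContextFactory.setKeyStorePassword(keyStorePasswd);
    }

    final HttpConfiguration httpsConfig = new HttpConfiguration();
    httpsConfig.addCustomizer(new SecureRequestCustomizer());

    // SSL Connector
    final ServerConnector sslConnector = new ServerConnector(embeddedJetty,
            new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()),
            new HttpConnectionFactory(httpsConfig));
    sslConnector.setPort(getWebserverPort());

    return sslConnector;
}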
From source file:org.apache.drill.exec.server.rest.WebServer.java
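/**
 * Create an HTTPS connector for the embedded Jetty server.
 *
 * If the admin configured {@code ExecConstants.HTTP_KEYSTORE_PATH}, that
 * keystore (and the optional truststore) is used. Otherwise a throw-away RSA key
 * pair and self-signed certificate are generated and kept in an in-memory
 * keystore; clients must trust that certificate explicitly, and it is recreated
 * on every start.
 *
 * @return Initialized {@link ServerConnector} for HTTPS connections.
 * @throws Exception on key generation, certificate or keystore failures
 */
private ServerConnector createHttpsConnector() throws Exception {
    logger.info("Setting up HTTPS connector for web server");

    final SslContextFactory sslContextFactory = new SslContextFactory();

    if (config.hasPath(ExecConstants.HTTP_KEYSTORE_PATH)
            && !Strings.isNullOrEmpty(config.getString(ExecConstants.HTTP_KEYSTORE_PATH))) {
        logger.info("Using configured SSL settings for web server");
        sslContextFactory.setKeyStorePath(config.getString(ExecConstants.HTTP_KEYSTORE_PATH));
        sslContextFactory.setKeyStorePassword(config.getString(ExecConstants.HTTP_KEYSTORE_PASSWORD));

        // TrustStore and TrustStore password are optional
        if (config.hasPath(ExecConstants.HTTP_TRUSTSTORE_PATH)) {
            sslContextFactory.setTrustStorePath(config.getString(ExecConstants.HTTP_TRUSTSTORE_PATH));
            if (config.hasPath(ExecConstants.HTTP_TRUSTSTORE_PASSWORD)) {
                sslContextFactory
                        .setTrustStorePassword(config.getString(ExecConstants.HTTP_TRUSTSTORE_PASSWORD));
            }
        }
    } else {
        logger.info("Using generated self-signed SSL settings for web server");
        final SecureRandom random = new SecureRandom();

        // Generate a private-public key pair. 2048 bits is the current minimum
        // for RSA; the previous 1024-bit key is considered weak and is refused
        // by hardened TLS clients.
        final KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
        keyPairGenerator.initialize(2048, random);
        final KeyPair keyPair = keyPairGenerator.generateKeyPair();

        final DateTime now = DateTime.now();

        // Create builder for certificate attributes
        final X500NameBuilder nameBuilder = new X500NameBuilder(BCStyle.INSTANCE)
                .addRDN(BCStyle.OU, "Apache Drill (auth-generated)")
                .addRDN(BCStyle.O, "Apache Software Foundation (auto-generated)")
                .addRDN(BCStyle.CN, workManager.getContext().getEndpoint().getAddress());

        final Date notBefore = now.minusMinutes(1).toDate();
        final Date notAfter = now.plusYears(5).toDate();
        final BigInteger serialNumber = new BigInteger(128, random);

        // Create a certificate valid for 5 years from now. NOTE(review): only
        // the CN carries the endpoint address; clients that require a
        // subjectAltName will not match this certificate by hostname.
        final X509v3CertificateBuilder certificateBuilder = new JcaX509v3CertificateBuilder(
                nameBuilder.build(), // attributes
                serialNumber, notBefore, notAfter, nameBuilder.build(), keyPair.getPublic());

        // Sign the certificate using the private key
        final ContentSigner contentSigner = new JcaContentSignerBuilder("SHA256WithRSAEncryption")
                .build(keyPair.getPrivate());
        final X509Certificate certificate = new JcaX509CertificateConverter()
                .getCertificate(certificateBuilder.build(contentSigner));

        // Check the validity
        certificate.checkValidity(now.toDate());

        // Make sure the certificate is self-signed.
        certificate.verify(certificate.getPublicKey());

        // Password for the in-memory keystore: alphanumeric, drawn from the same
        // SecureRandom instead of RandomStringUtils' shared java.util.Random.
        final String keyStorePasswd = RandomStringUtils.random(20, 0, 0, true, true, null, random);

        final KeyStore keyStore = KeyStore.getInstance("JKS");
        keyStore.load(null, null);
        keyStore.setKeyEntry("DrillAutoGeneratedCert", keyPair.getPrivate(), keyStorePasswd.toCharArray(),
                new java.security.cert.Certificate[] { certificate });
        sslContextFactory.setKeyStore(keyStore);
        sslContextFactory.setKeyStorePassword(keyStorePasswd);
    }

    final HttpConfiguration httpsConfig = new HttpConfiguration();
    httpsConfig.addCustomizer(new SecureRequestCustomizer());

    // SSL Connector
    final ServerConnector sslConnector = new ServerConnector(embeddedJetty,
            new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()),
            new HttpConnectionFactory(httpsConfig));
    sslConnector.setPort(config.getInt(ExecConstants.HTTP_PORT));

    return sslConnector;
}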