Class KeystoreManager
- java.lang.Object
-
- com.sun.enterprise.admin.servermgmt.KeystoreManager
-
- Direct Known Subclasses:
MasterPasswordFileManager
,NodeKeystoreManager
public class KeystoreManager extends Object
- Author:
- kebbs
-
-
Nested Class Summary
Nested Classes Modifier and Type Class Description static class
KeystoreManager.KeytoolExecutor
-
Field Summary
Fields Modifier and Type Field Description protected PEFileLayout
_fileLayout
static String
CERTIFICATE_ALIAS
static String
DEFAULT_MASTER_PASSWORD
static String
INSTANCE_SECURE_ADMIN_ALIAS
-
Constructor Summary
Constructors Constructor Description KeystoreManager()
-
Method Summary
All Methods Static Methods Instance Methods Concrete Methods Modifier and Type Method Description void
addKeyPair(File keyStore, String storeType, char[] storePw, PrivateKey privKey, char[] keyPw, Certificate[] certChain, String alias)
Adds/updates a keypair to a keystore.void
addKeyPair(File keyStore, String storeType, char[] storePw, PrivateKey privKey, Certificate[] certChain, String alias)
Adds/updates a keypair to a keystore.void
changeKeyPassword(File keyStore, String storeType, char[] storePw, String alias, char[] oldKeyPw, char[] newKeyPw)
Changes a private key's password.void
changeKeyStorePassword(File keyStore, String storeType, char[] oldPw, char[] newPw)
Changes the keystore's password and all contained keys'.void
changeKeyStorePassword(File keyStore, String storeType, char[] oldPw, char[] newPw, boolean changeKeyPasswords)
Changes the keystore's password and all contained keys'.protected void
changeKeyStorePassword(String oldPassword, String newPassword, File keystore)
Changes the keystore passwordprotected void
changeS1ASAliasPassword(RepositoryConfig config, String storePassword, String oldKeyPassword, String newKeyPassword)
Changes the key password for the default cert whose alias is s1as.protected void
changeSSLCertificateDatabasePassword(RepositoryConfig config, String oldPassword, String newPassword)
Changes the password of the keystore, truststore and the key password of the s1as alias.protected void
chmod(String args, File file)
void
copyCert(File keyStore, File trustStore, String alias, String masterPassword)
Copies a certificate from a keyStore to a trustStore.protected void
copyCertificates(File keyStore, File trustStore, DomainConfig config, String masterPassword)
Copy certain certificates from the keystore into the truststore.protected void
createKeyStore(File keystore, RepositoryConfig config, String masterPassword)
Create the default SSL key store using keytool to generate a self signed certificate.protected void
enforcePasswordComplexity(char[] pw, String msgId)
Throws an IllegalArgumentException if the password's complexity does not meet requirementsprotected static String
getCertificateDN(RepositoryConfig cfg, String CNSuffix)
static String
getDASCertDN(RepositoryConfig cfg)
protected PEFileLayout
getFileLayout(RepositoryConfig config)
static String
getInstanceCertDN(RepositoryConfig cfg)
protected Map<String,Certificate>
getInvalidCertificates(KeyStore keyStore)
Gets the invalid certs from the given KeyStore as a map by their aliasprotected Map<String,Certificate>
getValidCertificates(KeyStore keyStore)
Gets the valid certs from the given KeyStore as a map by their aliasKeyStore
openKeyStore(File source, String storeType, char[] pw)
Loads a (JKS or PKCS#12) keystore.Collection<? extends Certificate>
readPemCertificateChain(File pemFile)
Reads X509 certificate(s) from the provided filesPrivateKey
readPlainPKCS8PrivateKey(File keyFile)
Reads an unencrypted, PKCS#8 formattted and base64 encoded RSA private key from the given FilePrivateKey
readPlainPKCS8PrivateKey(InputStream is, String algo)
Reads an unencrypted, PKCS#8 formattted and base64 encoded private key from the given InputStream using the specified algovoid
saveKeyStore(KeyStore keyStore, File dest, char[] pw)
Saves the (modified) keystore.protected void
updateCertificates(File trustStore, String masterPassword)
Cleans the given truststore of invalid certs and copies all valid certificates from the currently used JDK to the given trust store.
-
-
-
Field Detail
-
CERTIFICATE_ALIAS
public static final String CERTIFICATE_ALIAS
- See Also:
- Constant Field Values
-
INSTANCE_SECURE_ADMIN_ALIAS
public static final String INSTANCE_SECURE_ADMIN_ALIAS
- See Also:
- Constant Field Values
-
DEFAULT_MASTER_PASSWORD
public static final String DEFAULT_MASTER_PASSWORD
- See Also:
- Constant Field Values
-
_fileLayout
protected PEFileLayout _fileLayout
-
-
Method Detail
-
getCertificateDN
protected static String getCertificateDN(RepositoryConfig cfg, String CNSuffix)
-
getFileLayout
protected PEFileLayout getFileLayout(RepositoryConfig config)
-
createKeyStore
protected void createKeyStore(File keystore, RepositoryConfig config, String masterPassword) throws RepositoryException
Create the default SSL key store using keytool to generate a self signed certificate.- Parameters:
keystore
-config
-masterPassword
-- Throws:
RepositoryException
-
copyCertificates
protected void copyCertificates(File keyStore, File trustStore, DomainConfig config, String masterPassword) throws DomainException
Copy certain certificates from the keystore into the truststore.- Parameters:
keyStore
- keystore to copy fromtrustStore
- the truststore to copy toconfig
- the domain's configurationmasterPassword
- the master password for the truststore- Throws:
DomainException
- if an error occured
-
updateCertificates
protected void updateCertificates(File trustStore, String masterPassword) throws RepositoryException
Cleans the given truststore of invalid certs and copies all valid certificates from the currently used JDK to the given trust store.- Parameters:
trustStore
- the trust store to copy the certificates to.masterPassword
- the password to the trust store.- Throws:
RepositoryException
- if an error occured aRepositoryException
will wrap the original exception
-
getValidCertificates
protected Map<String,Certificate> getValidCertificates(KeyStore keyStore) throws RepositoryException
Gets the valid certs from the given KeyStore as a map by their alias- Parameters:
keyStore
- the KeyStore to get the certs from- Returns:
- map of valid certs. Key is alias of the cert
- Throws:
RepositoryException
-
getInvalidCertificates
protected Map<String,Certificate> getInvalidCertificates(KeyStore keyStore) throws RepositoryException
Gets the invalid certs from the given KeyStore as a map by their alias- Parameters:
keyStore
- the KeyStore to get the certs from- Returns:
- map of invalid certs. Kkey is alias of the cert
- Throws:
RepositoryException
-
copyCert
public void copyCert(File keyStore, File trustStore, String alias, String masterPassword) throws RepositoryException
Copies a certificate from a keyStore to a trustStore.- Parameters:
keyStore
- the key store to copy the certificate from.trustStore
- the trust store to copy the certificate to.alias
- the name of the certificate to copy.masterPassword
- the password for the trust stores.- Throws:
RepositoryException
-
enforcePasswordComplexity
protected void enforcePasswordComplexity(char[] pw, String msgId)
Throws an IllegalArgumentException if the password's complexity does not meet requirements- Parameters:
pw
-msgId
-
-
openKeyStore
public KeyStore openKeyStore(File source, String storeType, char[] pw) throws KeyStoreException
Loads a (JKS or PKCS#12) keystore. This method does not use the keytool, but instead the JAVA API- Parameters:
source
- the path of the file to be opened and loaded into the keystorestoreType
- the type of the keystore to be readpw
- the keystore password- Returns:
- the keystore, if load was successful
- Throws:
KeyStoreException
-
saveKeyStore
public void saveKeyStore(KeyStore keyStore, File dest, char[] pw) throws KeyStoreException
Saves the (modified) keystore. This method does not use the keytool, but instead the JAVA API- Parameters:
keyStore
- the keystore to be writtendest
- path of the file the keystore is to be written topw
- keystore password- Throws:
KeyStoreException
-
addKeyPair
public void addKeyPair(File keyStore, String storeType, char[] storePw, PrivateKey privKey, Certificate[] certChain, String alias) throws KeyStoreException
Adds/updates a keypair to a keystore. This method does not use the keytool, but instead the JAVA API- Parameters:
keyStore
- the keystore. Must not be null.storeType
- the type of the keystore (JKS or PKCS#12)storePw
- the keystore password. Since glassfish requires that keystore and key passwords are identical, this is also used as password for the private keyprivKey
- the private key to be added to the storecertChain
- chain of certificatesalias
- the alis of the key to be used inside the keystore- Throws:
KeyStoreException
- in case of problems
-
addKeyPair
public void addKeyPair(File keyStore, String storeType, char[] storePw, PrivateKey privKey, char[] keyPw, Certificate[] certChain, String alias) throws KeyStoreException
Adds/updates a keypair to a keystore. This method does not use the keytool, but instead the JAVA APINOTE: Glassfish expects the keystore and key passwords to be identical. For this reason prefer using
addKeyPair(java.io.File, java.lang.String, char[], java.security.PrivateKey, java.security.cert.Certificate[], java.lang.String)
instead- Parameters:
keyStore
- the keystore. Must not be null.storeType
- the type of the keystore (JKS or PKCS#12).storePw
- the keystore passwordprivKey
- the private key to be added to the storekeyPw
- the private key's password.certChain
- chain of certificatesalias
- the alis of the key to be used inside the keystore- Throws:
KeyStoreException
- in case of problems
-
changeKeyStorePassword
protected void changeKeyStorePassword(String oldPassword, String newPassword, File keystore) throws RepositoryException
Changes the keystore password- Parameters:
oldPassword
- the old keystore passwordnewPassword
- the new keystore passwordkeystore
- the keystore whose password is to be changed.- Throws:
RepositoryException
-
changeKeyStorePassword
public void changeKeyStorePassword(File keyStore, String storeType, char[] oldPw, char[] newPw) throws KeyStoreException
Changes the keystore's password and all contained keys'. This is done to ensure the convention used by glassfish: same password for the keystore and all keys inside.This method DOES NOT use the keytool, but manipulates the given file directly from JAVA.
- Parameters:
keyStore
- the destination keystore - may be null for an in-memory keystorestoreType
- the type of the keystore (JKS or PKCS#12)oldPw
- the old passwordnewPw
- the new password- Throws:
KeyStoreException
- in case of problems
-
changeKeyStorePassword
public void changeKeyStorePassword(File keyStore, String storeType, char[] oldPw, char[] newPw, boolean changeKeyPasswords) throws KeyStoreException
Changes the keystore's password and all contained keys'.NOTE: Glassfish expects the keystore and key passwords to be identical. For this reason prefer using
changeKeyStorePassword(java.io.File, java.lang.String, char[], char[])
insteadThis method DOES NOT use the keytool, but manipulates the given file directly from JAVA.
- Parameters:
keyStore
- the destination keystore - may be null for an in-memory keystorestoreType
- the type of the keystore (JKS or PKCS#12)oldPw
- the old passwordnewPw
- the new passwordchangeKeyPasswords
- if true, all the keys contained in the keystore will have their passwords set to newStorePw as well- Throws:
KeyStoreException
- in case of problems
-
changeKeyPassword
public void changeKeyPassword(File keyStore, String storeType, char[] storePw, String alias, char[] oldKeyPw, char[] newKeyPw) throws KeyStoreException
Changes a private key's password. This method DOES NOT use the keytool, but manipulates the given file directly from JAVA. In addition, this method changes just the password of the key, not the keystore.NOTE: Glassfish expects the keystore and key passwords to be identical. For this reason prefer using
changeKeyStorePassword(java.io.File, java.lang.String, char[], char[])
instead- Parameters:
keyStore
- the path of the keystore where the key with alias is to be modifiedstoreType
- - either "JKS" or "PKCS12"storePw
- - must not be nullalias
- the alias of the key to be changedoldKeyPw
- the old passwordnewKeyPw
- the new password- Throws:
KeyStoreException
- in case of problems
-
readPlainPKCS8PrivateKey
public PrivateKey readPlainPKCS8PrivateKey(File keyFile) throws IOException, InvalidKeySpecException, NoSuchAlgorithmException
Reads an unencrypted, PKCS#8 formattted and base64 encoded RSA private key from the given File- Parameters:
keyFile
- the file containing the private key- Returns:
- the RSA private key
- Throws:
IOException
InvalidKeySpecException
NoSuchAlgorithmException
-
readPlainPKCS8PrivateKey
public PrivateKey readPlainPKCS8PrivateKey(InputStream is, String algo) throws InvalidKeySpecException, NoSuchAlgorithmException
Reads an unencrypted, PKCS#8 formattted and base64 encoded private key from the given InputStream using the specified algo- Parameters:
is
- the input stream containing the private keyalgo
- the algorithm used for the private key- Returns:
- the RSA private key
- Throws:
UncheckedIOException
- if there is an error with theInputStream
InvalidKeySpecException
- if the key used was not a valid with the algorithmNoSuchAlgorithmException
- if no provider exists for the specified algorithm
-
readPemCertificateChain
public Collection<? extends Certificate> readPemCertificateChain(File pemFile) throws KeyStoreException
Reads X509 certificate(s) from the provided files- Parameters:
pemFile
- path to the PEM (or .cer) file containing the X.509 certificate- Returns:
- certificate chain loaded from the file, if successful
- Throws:
KeyStoreException
- in case of problems
-
changeS1ASAliasPassword
protected void changeS1ASAliasPassword(RepositoryConfig config, String storePassword, String oldKeyPassword, String newKeyPassword) throws RepositoryException
Changes the key password for the default cert whose alias is s1as. The assumption here is that the keystore password is not the same as the key password. This is due to the fact that the keystore password should first be changed followed next by the key password. The end result is that the keystore and s1as key both have the same passwords. This function will tolerate deletion of the s1as alias, but it will not tolerate changing the s1as key from something other than the database password.- Parameters:
config
-storePassword
- the keystore passwordoldKeyPassword
- the old password for the s1as aliasnewKeyPassword
- the new password for the s1as alias- Throws:
RepositoryException
-
changeSSLCertificateDatabasePassword
protected void changeSSLCertificateDatabasePassword(RepositoryConfig config, String oldPassword, String newPassword) throws RepositoryException
Changes the password of the keystore, truststore and the key password of the s1as alias. It is expected that the key / truststores may not exist. This is due to the fact that the user may have deleted them and wishes to set up their own key/truststore- Parameters:
config
- the configuration with details of the truststore location and master passwordoldPassword
- the previous passwordnewPassword
- the new password- Throws:
RepositoryException
-
chmod
protected void chmod(String args, File file) throws IOException
- Throws:
IOException
-
getDASCertDN
public static String getDASCertDN(RepositoryConfig cfg)
-
getInstanceCertDN
public static String getInstanceCertDN(RepositoryConfig cfg)
-
-