Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

Merge branch 'dev/grze/EUCA-4334' into testing

  • Loading branch information...
commit 685fd49c6d0c9e7eb9730466228bcf4e9ed49d80 2 parents f2cd66b + b495b57
@grze grze authored
View
12 ...odules/authentication/src/main/java/com/eucalyptus/auth/crypto/DefaultCryptoProvider.java
@@ -91,12 +91,12 @@
import com.eucalyptus.records.EventType;
import com.google.common.primitives.Longs;
-public class DefaultCryptoProvider implements CryptoProvider, CertificateProvider, HmacProvider {
- public static String KEY_ALGORITHM = "RSA";
- public static String KEY_SIGNING_ALGORITHM = "SHA512WithRSA";
- public static int KEY_SIZE = 2048;//TODO:GRZE:RELEASE: configurable
- public static String PROVIDER = "BC";
- private static Logger LOG = Logger.getLogger( DefaultCryptoProvider.class );
+public final class DefaultCryptoProvider implements CryptoProvider, CertificateProvider, HmacProvider {
+ public static String KEY_ALGORITHM = "RSA";
+ private static final String KEY_SIGNING_ALGORITHM = "SHA512WithRSA";
+ private static final int KEY_SIZE = 2048;
+ public static String PROVIDER = "BC";
+ private static Logger LOG = Logger.getLogger( DefaultCryptoProvider.class );
public DefaultCryptoProvider( ) {}
View
62 clc/modules/msgs/src/main/java/com/eucalyptus/component/auth/SystemCredentials.java
@@ -65,9 +65,11 @@
import java.io.File;
import java.io.IOException;
import java.security.GeneralSecurityException;
+import java.security.Key;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
+import java.security.interfaces.RSAKey;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import org.apache.log4j.Logger;
@@ -91,6 +93,7 @@
import com.eucalyptus.records.EventRecord;
import com.eucalyptus.records.EventType;
import com.eucalyptus.system.SubDirectory;
+import com.google.common.base.Predicate;
public class SystemCredentials {
private static Logger LOG = Logger.getLogger( SystemCredentials.class );
@@ -329,11 +332,31 @@ public boolean load( ) throws Exception {
}
- private static class EucaKeyStore extends AbstractKeyStore {
+ private static final class EucaKeyStore extends AbstractKeyStore {
public static String FORMAT = "pkcs12";
private static String KEY_STORE_PASS = "eucalyptus";
private static String FILENAME = "euca.p12";
+ /**
+ * Enforces that keys are less than the MAX_SIZE of 4096.
+ */
+ private enum RestrictSize implements Predicate<Key> {
+ INSTANCE;
+ private static final int MAX_SIZE = 4096;
+
+ public boolean apply( Key arg0 ) {
+ RSAKey key = ( ( RSAKey ) arg0 );
+ if ( key.getModulus( ).bitLength( ) > MAX_SIZE ) {
+ SecurityException ex = new SecurityException( "Illegal key size: " + key.getModulus( ).bitLength( ) + " > " + MAX_SIZE + " (max key size)" );
+ LOG.trace( ex, ex );
+ throw ex;
+ } else {
+ return true;
+ }
+ }
+
+ }
+
private static KeyStore singleton = EucaKeyStore.getInstance( );
public static KeyStore getInstance( ) {
@@ -365,9 +388,44 @@ public boolean check( ) throws GeneralSecurityException {
return ( this.getCertificate( ComponentIds.lookup( HttpService.class ).name( ) ) != null )
&& ( this.getCertificate( ComponentIds.lookup( Eucalyptus.class ).name( ) ) != null );
}
+
+ @Override
+ public final KeyPair getKeyPair( String alias, String password ) throws GeneralSecurityException {
+ KeyPair keyPair = super.getKeyPair( alias, password );
+ RestrictSize.INSTANCE.apply( keyPair.getPrivate( ) );
+ RestrictSize.INSTANCE.apply( keyPair.getPublic( ) );
+ return keyPair;
+ }
+
+ @Override
+ public final X509Certificate getCertificate( String alias ) throws GeneralSecurityException {
+ X509Certificate certificate = super.getCertificate( alias );
+ RestrictSize.INSTANCE.apply( certificate.getPublicKey( ) );
+ return certificate;
+ }
+
+ @Override
+ public final Key getKey( String alias, String password ) throws GeneralSecurityException {
+ Key key = super.getKey( alias, password );
+ RestrictSize.INSTANCE.apply( key );
+ return key;
+ }
+
+ @Override
+ public final void addCertificate( String alias, X509Certificate cert ) throws IOException, GeneralSecurityException {
+ RestrictSize.INSTANCE.apply( cert.getPublicKey( ) );
+ super.addCertificate( alias, cert );
+ }
+
+ @Override
+ public final void addKeyPair( String alias, X509Certificate cert, PrivateKey privateKey, String keyPassword ) throws IOException, GeneralSecurityException {
+ RestrictSize.INSTANCE.apply( cert.getPublicKey( ) );
+ RestrictSize.INSTANCE.apply( privateKey );
+ super.addKeyPair( alias, cert, privateKey, keyPassword );
+ }
}
- public static KeyStore getKeyStore( ) {
+ public static final KeyStore getKeyStore( ) {
return EucaKeyStore.getInstance( );
}
Please sign in to comment.
Something went wrong with that request. Please try again.