[RHBPMS-4312] KeyStore integration into KIE (apache#1588)

* [RHBPMS-4312] Added loading passwords from a keystore * [RHBPMS-4312] Added licence header
kiegroup · Nov 13, 2017 · e965011 · e965011
1 parent 96a1951
commit e965011
Show file tree

Hide file tree

Showing 5 changed files with 198 additions and 102 deletions.
diff --git a/...piler/src/test/java/org/drools/compiler/integrationtests/marshalling/MarshallingTest.java b/...piler/src/test/java/org/drools/compiler/integrationtests/marshalling/MarshallingTest.java
@@ -72,7 +72,7 @@
 import org.drools.core.spi.KnowledgeHelper;
 import org.drools.core.time.impl.DurationTimer;
 import org.drools.core.time.impl.PseudoClockScheduler;
-import org.drools.core.util.KeyStoreHelper;
+import org.drools.core.util.KeyStoreConstants;
 import org.junit.Assert;
 import org.junit.Ignore;
 import org.junit.Test;
@@ -995,50 +995,50 @@ public void testSignedSerialization4() throws Exception {
     private void setPublicKeyProperties() {
         // Set the client properties to de-serialise the signed packages
         URL clientKeyStoreURL = getClass().getResource( "droolsClient.keystore" );
-        System.setProperty( KeyStoreHelper.PROP_SIGN,
+        System.setProperty( KeyStoreConstants.PROP_SIGN,
                             "true" );
-        System.setProperty( KeyStoreHelper.PROP_PUB_KS_URL,
+        System.setProperty( KeyStoreConstants.PROP_PUB_KS_URL,
                             clientKeyStoreURL.toExternalForm() );
-        System.setProperty( KeyStoreHelper.PROP_PUB_KS_PWD,
+        System.setProperty( KeyStoreConstants.PROP_PUB_KS_PWD,
                             "clientpwd" );
     }
 
     private void unsetPublicKeyProperties() {
         // Un-set the client properties to de-serialise the signed packages
-        System.setProperty( KeyStoreHelper.PROP_SIGN,
+        System.setProperty( KeyStoreConstants.PROP_SIGN,
                             "" );
-        System.setProperty( KeyStoreHelper.PROP_PUB_KS_URL,
+        System.setProperty( KeyStoreConstants.PROP_PUB_KS_URL,
                             "" );
-        System.setProperty( KeyStoreHelper.PROP_PUB_KS_PWD,
+        System.setProperty( KeyStoreConstants.PROP_PUB_KS_PWD,
                             "" );
     }
 
     private void setPrivateKeyProperties() {
         // Set the server properties to serialise the signed packages
         URL serverKeyStoreURL = getClass().getResource( "droolsServer.keystore" );
-        System.setProperty( KeyStoreHelper.PROP_SIGN,
+        System.setProperty( KeyStoreConstants.PROP_SIGN,
                             "true" );
-        System.setProperty( KeyStoreHelper.PROP_PVT_KS_URL,
+        System.setProperty( KeyStoreConstants.PROP_PVT_KS_URL,
                             serverKeyStoreURL.toExternalForm() );
-        System.setProperty( KeyStoreHelper.PROP_PVT_KS_PWD,
+        System.setProperty( KeyStoreConstants.PROP_PVT_KS_PWD,
                             "serverpwd" );
-        System.setProperty( KeyStoreHelper.PROP_PVT_ALIAS,
+        System.setProperty( KeyStoreConstants.PROP_PVT_ALIAS,
                             "droolsKey" );
-        System.setProperty( KeyStoreHelper.PROP_PVT_PWD,
+        System.setProperty( KeyStoreConstants.PROP_PVT_PWD,
                             "keypwd" );
     }
 
     private void unsetPrivateKeyProperties() {
         // Un-set the server properties to serialise the signed packages
-        System.setProperty( KeyStoreHelper.PROP_SIGN,
+        System.setProperty( KeyStoreConstants.PROP_SIGN,
                             "" );
-        System.setProperty( KeyStoreHelper.PROP_PVT_KS_URL,
+        System.setProperty( KeyStoreConstants.PROP_PVT_KS_URL,
                             "" );
-        System.setProperty( KeyStoreHelper.PROP_PVT_KS_PWD,
+        System.setProperty( KeyStoreConstants.PROP_PVT_KS_PWD,
                             "" );
-        System.setProperty( KeyStoreHelper.PROP_PVT_ALIAS,
+        System.setProperty( KeyStoreConstants.PROP_PVT_ALIAS,
                             "" );
-        System.setProperty( KeyStoreHelper.PROP_PVT_PWD,
+        System.setProperty( KeyStoreConstants.PROP_PVT_PWD,
                             "" );
     }
 

diff --git a/drools-core/src/main/java/org/drools/core/util/KeyStoreConstants.java b/drools-core/src/main/java/org/drools/core/util/KeyStoreConstants.java
@@ -0,0 +1,48 @@
+/*
+ * Copyright 2017 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.drools.core.util;
+
+public class KeyStoreConstants {
+
+    // true if packages should be signed during serialization
+    public static final String PROP_SIGN = "drools.serialization.sign";
+    // the URL to the key store where the private key is stored
+    public static final String PROP_PVT_KS_URL = "drools.serialization.private.keyStoreURL";
+    // the key store password
+    public static final String PROP_PVT_KS_PWD = "drools.serialization.private.keyStorePwd";
+    // the private key identifier
+    public static final String PROP_PVT_ALIAS = "drools.serialization.private.keyAlias";
+    // the private key password
+    public static final String PROP_PVT_PWD = "drools.serialization.private.keyPwd";
+    // the URL to the key store where the public key is stored
+    public static final String PROP_PUB_KS_URL = "drools.serialization.public.keyStoreURL";
+    // the key store password
+    public static final String PROP_PUB_KS_PWD = "drools.serialization.public.keyStorePwd";
+
+    // the URL to the key store where the private key is stored
+    public static final String PROP_PWD_KS_URL = "kie.keystore.keyStoreURL";
+    // the key store password
+    public static final String PROP_PWD_KS_PWD = "kie.keystore.keyStorePwd";
+    // the private key identifier
+    public static final String PROP_PWD_ALIAS = "kie.keystore.keyAlias";
+    // the private key identifier
+    public static final String PROP_PWD_PWD = "kie.keystore.keyPwd";
+
+    public static final String KEY_CERTIFICATE_TYPE = "JKS";
+
+    public static final String KEY_PASSWORD_TYPE = "JCEKS";
+}
diff --git a/drools-core/src/main/java/org/drools/core/util/KeyStoreHelper.java b/drools-core/src/main/java/org/drools/core/util/KeyStoreHelper.java
@@ -16,6 +16,7 @@
 package org.drools.core.util;
 
 import java.io.IOException;
+import java.net.MalformedURLException;
 import java.net.URL;
 import java.security.InvalidKeyException;
 import java.security.KeyStore;
@@ -27,16 +28,29 @@
 import java.security.UnrecoverableKeyException;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
-import java.util.Properties;
+import javax.crypto.SecretKey;
 
 import org.drools.core.RuleBaseConfiguration;
 
+import static org.drools.core.util.KeyStoreConstants.KEY_CERTIFICATE_TYPE;
+import static org.drools.core.util.KeyStoreConstants.KEY_PASSWORD_TYPE;
+import static org.drools.core.util.KeyStoreConstants.PROP_PWD_ALIAS;
+import static org.drools.core.util.KeyStoreConstants.PROP_PWD_PWD;
+import static org.drools.core.util.KeyStoreConstants.PROP_PWD_KS_PWD;
+import static org.drools.core.util.KeyStoreConstants.PROP_PWD_KS_URL;
+import static org.drools.core.util.KeyStoreConstants.PROP_PUB_KS_PWD;
+import static org.drools.core.util.KeyStoreConstants.PROP_PUB_KS_URL;
+import static org.drools.core.util.KeyStoreConstants.PROP_PVT_ALIAS;
+import static org.drools.core.util.KeyStoreConstants.PROP_PVT_KS_PWD;
+import static org.drools.core.util.KeyStoreConstants.PROP_PVT_KS_URL;
+import static org.drools.core.util.KeyStoreConstants.PROP_PVT_PWD;
+
 /**
- * A helper class to deal with the key store and signing process during 
+ * A helper class to deal with the key store and signing process during
  * Serialisation
- * 
+ * <p>
  * This class will read and use the following system properties:
- * 
+ * <p>
  * drools.serialization.sign = <false|true>
  * drools.serialization.private.keyStoreURL = <URL>
  * drools.serialization.private.keyStorePwd = <password>
@@ -47,90 +61,99 @@
  */
 public class KeyStoreHelper {
 
-    // true if packages should be signed during serialization
+    private boolean signed;
-    public static final String PROP_SIGN       = "drools.serialization.sign";
+
-    // the URL to the key store where the private key is stored
+    private URL pvtKeyStoreURL;
-    public static final String PROP_PVT_KS_URL = "drools.serialization.private.keyStoreURL";
+    private char[] pvtKeyStorePwd;
-    // the key store password
+    private String pvtKeyAlias;
-    public static final String PROP_PVT_KS_PWD = "drools.serialization.private.keyStorePwd";
+    private char[] pvtKeyPassword;
-    // the private key identifier
+
-    public static final String PROP_PVT_ALIAS  = "drools.serialization.private.keyAlias";
+    private URL pubKeyStoreURL;
-    // the private key password
+    private char[] pubKeyStorePwd;
-    public static final String PROP_PVT_PWD    = "drools.serialization.private.keyPwd";
+
-    // the URL to the key store where the public key is stored
+    private URL pwdKeyStoreURL;
-    public static final String PROP_PUB_KS_URL = "drools.serialization.public.keyStoreURL";
+    private char[] pwdKeyStorePwd;
-    // the key store password
+    private String pwdKeyAlias;
-    public static final String PROP_PUB_KS_PWD = "drools.serialization.public.keyStorePwd";
+    private char[] pwdKeyPassword;
-
+
-    private boolean            signed;
+    private KeyStore pvtKeyStore;
-    private URL                pvtKeyStoreURL;
+    private KeyStore pubKeyStore;
-    private char[]             pvtKeyStorePwd;
+    private KeyStore pwdKeyStore;
-    private String             pvtKeyAlias;
-    private char[]             pvtKeyPassword;
-    private URL                pubKeyStoreURL;
-    private char[]             pubKeyStorePwd;
-
-    private KeyStore           pvtKeyStore;
-    private KeyStore           pubKeyStore;
 
     /**
      * Creates a KeyStoreHelper and initialises the KeyStore, by loading its entries.
-     * 
+     * @throws RuntimeException in case any error happens when initialising and loading the keystore.
-     * @throws RuntimeDroolsException in case any error happens when initialising and loading the keystore.
      */
     public KeyStoreHelper() {
         try {
-            this.signed = Boolean.valueOf( System.getProperty( PROP_SIGN,
+            this.signed = Boolean.valueOf(System.getProperty(KeyStoreConstants.PROP_SIGN,
-                                                               RuleBaseConfiguration.DEFAULT_SIGN_ON_SERIALIZATION ) ).booleanValue();
+                                                             RuleBaseConfiguration.DEFAULT_SIGN_ON_SERIALIZATION)).booleanValue();
-            String url = System.getProperty( PROP_PVT_KS_URL,
+
-                                             "" );
+            loadPrivateKeyStoreProperties();
-            if ( url.length() > 0 ) {
+            loadPublicKeyStoreProperties();
-                this.pvtKeyStoreURL = new URL( url );
+            loadPasswordKeyStoreProperties();
-            }
+
-            this.pvtKeyStorePwd = System.getProperty( PROP_PVT_KS_PWD,
-                                                       "" ).toCharArray();
-            this.pvtKeyAlias = System.getProperty( PROP_PVT_ALIAS,
-                                                   "" );
-            this.pvtKeyPassword = System.getProperty( PROP_PVT_PWD,
-                                                      "" ).toCharArray();
-
-            url = System.getProperty( PROP_PUB_KS_URL,
-                                      "" );
-            if ( url.length() > 0 ) {
-                this.pubKeyStoreURL = new URL( url );
-            }
-            this.pubKeyStorePwd = System.getProperty( PROP_PUB_KS_PWD,
-                                                       "" ).toCharArray();
             initKeyStore();
-        } catch ( Exception e ) {
+        } catch (Exception e) {
-            throw new RuntimeException( "Error initialising KeyStore: " + e.getMessage(), e );
+            throw new RuntimeException("Error initialising KeyStore: " + e.getMessage(), e);
         }
     }
 
-    private void initKeyStore() throws NoSuchAlgorithmException,
+    private void loadPrivateKeyStoreProperties() throws MalformedURLException {
-                               CertificateException,
+        String url = System.getProperty(PROP_PVT_KS_URL, "");
-                               IOException,
+        if (url.length() > 0) {
-                               KeyStoreException {
+            this.pvtKeyStoreURL = new URL(url);
-        if ( pvtKeyStoreURL != null ) {
-            this.pvtKeyStore = KeyStore.getInstance( "JKS" );
-            this.pvtKeyStore.load( pvtKeyStoreURL.openStream(),
-                                   pvtKeyStorePwd );
         }
-        if ( pubKeyStoreURL != null ) {
+        this.pvtKeyStorePwd = System.getProperty(PROP_PVT_KS_PWD, "").toCharArray();
-            this.pubKeyStore = KeyStore.getInstance( "JKS" );
+        this.pvtKeyAlias = System.getProperty(PROP_PVT_ALIAS, "");
-            this.pubKeyStore.load( pubKeyStoreURL.openStream(),
+        this.pvtKeyPassword = System.getProperty(PROP_PVT_PWD, "").toCharArray();
-                                   pubKeyStorePwd );
+    }
+
+    private void loadPublicKeyStoreProperties() throws MalformedURLException {
+        String url = System.getProperty(PROP_PUB_KS_URL, "");
+        if (url.length() > 0) {
+            this.pubKeyStoreURL = new URL(url);
+        }
+        this.pubKeyStorePwd = System.getProperty(PROP_PUB_KS_PWD, "").toCharArray();
+    }
+
+    private void loadPasswordKeyStoreProperties() throws MalformedURLException {
+        String url = System.getProperty(PROP_PWD_KS_URL, "");
+        if (url.length() > 0) {
+            pwdKeyStoreURL = new URL(url);
         }
+        pwdKeyStorePwd = System.getProperty(PROP_PWD_KS_PWD, "").toCharArray();
+        pwdKeyAlias = System.getProperty(PROP_PWD_ALIAS, "");
+        pwdKeyPassword = System.getProperty(PROP_PWD_PWD, "").toCharArray();
+    }
+
+    private void initKeyStore() throws NoSuchAlgorithmException, CertificateException, IOException, KeyStoreException {
+        if (pvtKeyStoreURL != null) {
+            this.pvtKeyStore = loadKeystore(KEY_CERTIFICATE_TYPE, pvtKeyStoreURL, pvtKeyStorePwd);
+        }
+        if (pubKeyStoreURL != null) {
+            this.pubKeyStore = loadKeystore(KEY_CERTIFICATE_TYPE, pubKeyStoreURL, pubKeyStorePwd);
+        }
+        if (pwdKeyStoreURL != null) {
+            this.pwdKeyStore = loadKeystore(KEY_PASSWORD_TYPE, pwdKeyStoreURL, pwdKeyStorePwd);
+        }
+    }
+
+    private KeyStore loadKeystore(String keyCertificateType, URL url, char[] password) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
+        KeyStore keyStore = KeyStore.getInstance(keyCertificateType);
+        keyStore.load(url.openStream(), password);
+
+        return keyStore;
     }
 
     /**
-     * Generates the signature for the given byte[] using MD5 with RSA algorithm and the 
+     * Generates the signature for the given byte[] using MD5 with RSA algorithm and the
-     * private key with which this helper was initialised. 
+     * private key with which this helper was initialised.
-     *  
+     *
      * @param data the byte[] of data to be signed
-     * 
+     *
-     * @return the signature, encrypted with the private key 
+     * @return the signature, encrypted with the private key
-     * 
+     *
      * @throws UnrecoverableKeyException
      * @throws KeyStoreException
      * @throws NoSuchAlgorithmException
@@ -154,15 +177,15 @@ public byte[] signDataWithPrivateKey(byte[] data) throws UnrecoverableKeyExcepti
     }
 
     /**
-     * Checks the given byte[] data against the signature, using the 
+     * Checks the given byte[] data against the signature, using the
      * public key with which this helper was initialised and the algorithm
      * MD5 with RSA.
-     * 
+     *
      * @param data the original data that was signed
      * @param signature the provided signature
-     * 
+     *
      * @return true in case the signature matches, false otherwise.
-     *  
+     *
      * @throws KeyStoreException
      * @throws NoSuchAlgorithmException
      * @throws InvalidKeyException
@@ -187,6 +210,16 @@ public boolean checkDataWithPublicKey(final String publicKeyAlias,
         return sig.verify( signature );
     }
 
+    public String getPasswordKey() {
+        SecretKey passwordKey;
+        try {
+            passwordKey = (SecretKey) pwdKeyStore.getKey(pwdKeyAlias, pwdKeyPassword);
+        } catch (Exception e) {
+            throw new RuntimeException("Unable to load a key from Key Store. Source " + e.getMessage());
+        }
+        return new String(passwordKey.getEncoded());
+    }
+
     public boolean isSigned() {
         return signed;
     }
@@ -222,5 +255,4 @@ public KeyStore getPvtKeyStore() {
     public KeyStore getPubKeyStore() {
         return pubKeyStore;
     }
-
 }