Merge pull request #20 from rareddy/teiid-2294

TEIID-2294: adding ability to key alias name in a keystore
teiid · Nov 7, 2012 · f86ad9b · f86ad9b
2 parents ae07d29 + f56608b
commit f86ad9b
Show file tree

Hide file tree

Showing 10 changed files with 106 additions and 10 deletions.
diff --git a/client/src/main/java/org/teiid/net/socket/SocketUtil.java b/client/src/main/java/org/teiid/net/socket/SocketUtil.java
@@ -31,8 +31,12 @@
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
+import java.security.Principal;
+import java.security.PrivateKey;
 import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
 import java.util.Arrays;
+import java.util.Locale;
 import java.util.Properties;
 import java.util.logging.Logger;
 
@@ -42,6 +46,7 @@
 import javax.net.ssl.SSLSocket;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509KeyManager;
 
 import org.teiid.core.util.PropertiesUtils;
 import org.teiid.jdbc.JDBCPlugin;
@@ -64,6 +69,7 @@ public class SocketUtil {
     static final String KEYSTORE_PASSWORD = "org.teiid.ssl.keyStorePassword"; //$NON-NLS-1$
     static final String KEYSTORE_FILENAME = "org.teiid.ssl.keyStore"; //$NON-NLS-1$
     public static final String ALLOW_ANON = "org.teiid.ssl.allowAnon"; //$NON-NLS-1$
+    static final String KEYSTORE_ALIAS = "org.teiid.ssl.keyAlias"; //$NON-NLS-1$
 
     static final String DEFAULT_KEYSTORE_TYPE = "JKS"; //$NON-NLS-1$
 
@@ -98,7 +104,8 @@ public static SSLSocketFactory getSSLSocketFactory(Properties props) throws IOEx
         String keystoreProtocol = props.getProperty(PROTOCOL, DEFAULT_PROTOCOL); 
         String keystoreAlgorithm = props.getProperty(KEYSTORE_ALGORITHM); 
         String truststore = props.getProperty(TRUSTSTORE_FILENAME, keystore); 
-        String truststorePassword = props.getProperty(TRUSTSTORE_PASSWORD, keystorePassword); 
+        String truststorePassword = props.getProperty(TRUSTSTORE_PASSWORD, keystorePassword);
+        String keyAlias = props.getProperty(KEYSTORE_ALIAS);
 
         boolean anon = PropertiesUtils.getBooleanProperty(props, ALLOW_ANON, true);
 
@@ -110,10 +117,10 @@ public static SSLSocketFactory getSSLSocketFactory(Properties props) throws IOEx
         // 3) else = javax properties; this is default way to define the SSL anywhere.
         if (keystore != null) {
             // 2 way SSL
-            result = getClientSSLContext(keystore, keystorePassword, truststore, truststorePassword, keystoreAlgorithm, keystoreType, keystoreProtocol);
+            result = getClientSSLContext(keystore, keystorePassword, truststore, truststorePassword, keystoreAlgorithm, keystoreType, keystoreProtocol, keyAlias);
         } else  if(truststore != null) {
             // One way SSL with custom properties defined
-            result = getClientSSLContext(null, null, truststore, truststorePassword, keystoreAlgorithm, keystoreType, keystoreProtocol);
+            result = getClientSSLContext(null, null, truststore, truststorePassword, keystoreAlgorithm, keystoreType, keystoreProtocol, keyAlias);
         } else {
         	result = SSLContext.getDefault();
         }
@@ -130,8 +137,9 @@ static SSLContext getClientSSLContext(String keystore,
                                             String truststorePassword,
                                             String algorithm,
                                             String keystoreType,
-                                            String protocol) throws IOException, GeneralSecurityException {
-        return getSSLContext(keystore, password, truststore, truststorePassword, algorithm, keystoreType, protocol);
+                                            String protocol,
+                                            String keyAlias) throws IOException, GeneralSecurityException {
+        return getSSLContext(keystore, password, truststore, truststorePassword, algorithm, keystoreType, protocol, keyAlias);
     }
 
     public static boolean addCipherSuite(SSLSocket engine, String cipherSuite) {
@@ -151,7 +159,7 @@ public static boolean addCipherSuite(SSLSocket engine, String cipherSuite) {
     }
 
     public static SSLContext getAnonSSLContext() throws IOException, GeneralSecurityException {
-        return getSSLContext(null, null, null, null, null, null, DEFAULT_PROTOCOL);
+        return getSSLContext(null, null, null, null, null, null, DEFAULT_PROTOCOL, null);
     }
 
     public static SSLContext getSSLContext(String keystore,
@@ -160,7 +168,8 @@ public static SSLContext getSSLContext(String keystore,
                                             String truststorePassword,
                                             String algorithm,
                                             String keystoreType,
-                                            String protocol) throws IOException, GeneralSecurityException {
+                                            String protocol,
+                                            String keyAlias) throws IOException, GeneralSecurityException {
 
     	if (algorithm == null) {
     		algorithm = KeyManagerFactory.getDefaultAlgorithm();
@@ -170,9 +179,22 @@ public static SSLContext getSSLContext(String keystore,
         if (keystore != null) {
             KeyStore ks = loadKeyStore(keystore, password, keystoreType);
             if (ks != null) {
+
+                if (keyAlias != null && !ks.isKeyEntry(keyAlias)) {
+                    throw new IOException(JDBCPlugin.Util.getString("alias_no_key_entry", keyAlias)); //$NON-NLS-1$
+                }            	
+
                 KeyManagerFactory kmf = KeyManagerFactory.getInstance(algorithm);
                 kmf.init(ks, password.toCharArray());
                 keyManagers = kmf.getKeyManagers();
+                if (keyAlias != null) {
+                    if (DEFAULT_KEYSTORE_TYPE.equals(keystoreType)) {
+                        keyAlias = keyAlias.toLowerCase(Locale.ENGLISH);
+                    }
+                    for(int i=0; i < keyManagers.length; i++) {
+                    	keyManagers[i] = new AliasAwareKeyManager((X509KeyManager)keyManagers[i], keyAlias);
+                    }
+                }                
             }
         }
 
@@ -225,4 +247,43 @@ public static KeyStore loadKeyStore(String name, String password, String type) t
         return ks;
     }
 
+    static class AliasAwareKeyManager implements X509KeyManager {
+    	private X509KeyManager delegate;
+    	private String keyAlias;
+
+    	public AliasAwareKeyManager(X509KeyManager delegate, String alias) {
+    		this.delegate = delegate;
+    		this.keyAlias = alias;
+    	}
+
+		@Override
+		public String chooseClientAlias(String[] keyType, Principal[] issuers,Socket socket) {
+			return delegate.chooseClientAlias(keyType, issuers, socket);
+		}
+
+		@Override
+		public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
+			return keyAlias;
+		}
+
+		@Override
+		public X509Certificate[] getCertificateChain(String alias) {
+			return delegate.getCertificateChain(alias);
+		}
+
+		@Override
+		public String[] getClientAliases(String keyType, Principal[] issuers) {
+			return delegate.getClientAliases(keyType, issuers);
+		}
+
+		@Override
+		public PrivateKey getPrivateKey(String alias) {
+			return delegate.getPrivateKey(alias);
+		}
+
+		@Override
+		public String[] getServerAliases(String keyType, Principal[] issuers) {
+			return delegate.getServerAliases(keyType, issuers);
+		}
+    }
 }
diff --git a/client/src/main/resources/org/teiid/jdbc/i18n.properties b/client/src/main/resources/org/teiid/jdbc/i18n.properties
@@ -174,4 +174,5 @@ unexpected_element=Unexpected Element {0} encountered, expecting one of {1}
 ambigious_gss_selection=Either configure "java.security.krb5.conf" property or combination of "java.security.krb5.realm" and "java.security.krb5.kdc" properties. Not both.
 no_gss_selection=No KRB5 configuration found. Either configure "java.security.krb5.conf" property or combination of "java.security.krb5.realm" and "java.security.krb5.kdc" properties.
 TEIID20029={0} value outside of 32-bit value range.  Please set the system property org.teiid.longDatesTimes to true to avoid this error.
-TEIID20030=The position cannot be set by a blocking call in asynch mode as the results have not yet been formed. 
+TEIID20030=The position cannot be set by a blocking call in asynch mode as the results have not yet been formed. 
+alias_no_key_entry=The SSL keystore configured does not contain certificate with alias {0}
diff --git a/client/src/main/resources/teiid-client-settings.orig.properties b/client/src/main/resources/teiid-client-settings.orig.properties
@@ -36,6 +36,12 @@ org.teiid.ssl.keyStoreType=JKS
 
 #org.teiid.ssl.keyStorePassword=
 
+#
+# The key alias(not required, if given named certificate is used)
+#
+
+#org.teiid.ssl.keyAlias=
+
 #
 # The classpath or filesystem location of the
 # trust store.

diff --git a/jboss-integration/src/main/java/org/teiid/jboss/Element.java b/jboss-integration/src/main/java/org/teiid/jboss/Element.java
@@ -122,6 +122,7 @@ enum Element {
 	SSL_ENABLED_CIPHER_SUITES_ATTRIBUTE("enabled-cipher-suites", "enabled-cipher-suites", ModelType.STRING, false, null),
 	SSL_KETSTORE_ELEMENT("keystore"),
 	SSL_KETSTORE_NAME_ATTRIBUTE("name", "keystore-name", ModelType.STRING, false, null),
+	SSL_KETSTORE_ALIAS_ATTRIBUTE("key-alias", "keystore-key-alias", ModelType.STRING, false, null),
 	SSL_KETSTORE_PASSWORD_ATTRIBUTE("password", "keystore-password", ModelType.EXPRESSION, false, null),
 	SSL_KETSTORE_TYPE_ATTRIBUTE("type", "keystore-type", ModelType.STRING, false, "JKS"),
 	SSL_TRUSTSTORE_ELEMENT("truststore"),

diff --git a/jboss-integration/src/main/java/org/teiid/jboss/TeiidSubsystemParser.java b/jboss-integration/src/main/java/org/teiid/jboss/TeiidSubsystemParser.java
@@ -168,6 +168,7 @@ private void writeTransportConfiguration( XMLExtendedStreamWriter writer, ModelN
 				writeAttribute(writer, Element.SSL_KETSTORE_NAME_ATTRIBUTE, node);
 				writeAttribute(writer, Element.SSL_KETSTORE_PASSWORD_ATTRIBUTE, node);
 				writeAttribute(writer, Element.SSL_KETSTORE_TYPE_ATTRIBUTE, node);
+				writeAttribute(writer, Element.SSL_KETSTORE_ALIAS_ATTRIBUTE, node);
 				writer.writeEndElement();
 			}
 
@@ -543,6 +544,10 @@ private ModelNode parseKeystore(XMLExtendedStreamReader reader, ModelNode node)
     				node.get(element.getModelName()).set(attrValue);
     				break;
 
+    			case SSL_KETSTORE_ALIAS_ATTRIBUTE:
+    				node.get(element.getModelName()).set(attrValue);
+    				break;
+
     			default:
     				throw ParseUtils.unexpectedAttribute(reader, i);    			
     			}

diff --git a/jboss-integration/src/main/java/org/teiid/jboss/TransportAdd.java b/jboss-integration/src/main/java/org/teiid/jboss/TransportAdd.java
@@ -91,7 +91,8 @@ class TransportAdd extends AbstractAddStepHandler implements DescriptionProvider
 		Element.SSL_KETSTORE_PASSWORD_ATTRIBUTE,
 		Element.SSL_KETSTORE_TYPE_ATTRIBUTE,
 		Element.SSL_TRUSTSTORE_NAME_ATTRIBUTE,
-		Element.SSL_TRUSTSTORE_PASSWORD_ATTRIBUTE
+		Element.SSL_TRUSTSTORE_PASSWORD_ATTRIBUTE,
+		Element.SSL_KETSTORE_ALIAS_ATTRIBUTE
 
 	};
 
@@ -266,6 +267,10 @@ private SocketConfiguration buildSocketConfiguration(final OperationContext cont
     		ssl.setKeystoreFilename(Element.SSL_KETSTORE_NAME_ATTRIBUTE.asString(node, context));
     	}	
 
+    	if (Element.SSL_KETSTORE_ALIAS_ATTRIBUTE.isDefined(node)) {
+    		ssl.setKeystorekeyAlias(Element.SSL_KETSTORE_ALIAS_ATTRIBUTE.asString(node, context));
+    	}    	
+
     	if (Element.SSL_ENABLED_CIPHER_SUITES_ATTRIBUTE.isDefined(node)) {
     		ssl.setEnabledCipherSuites(Element.SSL_ENABLED_CIPHER_SUITES_ATTRIBUTE.asString(node, context));
     	}

diff --git a/jboss-integration/src/main/resources/org/teiid/jboss/i18n.properties b/jboss-integration/src/main/resources/org/teiid/jboss/i18n.properties
@@ -160,6 +160,7 @@ ssl-ssl-protocol.describe=SSL protocol used
 ssl-keymanagement-algorithm.describe=Use key management algorithm
 enabled-cipher-suites.describe=Cipher suites that are allowed to be used for SSL. Use to restrict encryption strength(128 bit, 256 bit). Only provide encryption suites that are supported by both client and server JVM. ex:SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_KRB5_WITH_RC4_128_MD5, TLS_KRB5_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA
 keystore-name.describe=Keystore File Name
+keystore-key-alias.describe=key Alias name
 keystore-password.describe=Keystore password
 keystore-type.describe=Keystore type
 truststore-name.describe=Truststore Name

diff --git a/jboss-integration/src/main/resources/schema/jboss-teiid.xsd b/jboss-integration/src/main/resources/schema/jboss-teiid.xsd
@@ -321,6 +321,11 @@
                                         <xs:documentation>Keystore Type</xs:documentation>
                                     </xs:annotation>                    
                                 </xs:attribute>
+                                <xs:attribute name="key-alias" type="xs:string">
+                                    <xs:annotation>
+                                        <xs:documentation>key alias name</xs:documentation>
+                                    </xs:annotation>                    
+                                </xs:attribute>                                
                             </xs:complexType>                        
                         </xs:element>
                         <xs:element name="truststore" minOccurs="0" maxOccurs="1">

diff --git a/jboss-integration/src/test/resources/teiid-transport-config.txt b/jboss-integration/src/test/resources/teiid-transport-config.txt
@@ -109,5 +109,10 @@
         "type" => EXPRESSION,
         "description" => "Truststore Password",
         "required" => false
+    },
+    "keystore-key-alias" => {
+        "type" => STRING,
+        "description" => "key Alias name",
+        "required" => false
     }
 }}
diff --git a/runtime/src/main/java/org/teiid/transport/SSLConfiguration.java b/runtime/src/main/java/org/teiid/transport/SSLConfiguration.java
@@ -60,6 +60,7 @@ public class SSLConfiguration {
     private String trustStorePassword = ""; //$NON-NLS-1$
     private String authenticationMode = ONEWAY;
     private String[] enabledCipherSuites;
+    private String keyAlias; 
 
 
 	public SSLEngine getServerSSLEngine() throws IOException, GeneralSecurityException {
@@ -79,7 +80,8 @@ public SSLEngine getServerSSLEngine() throws IOException, GeneralSecurityExcepti
                                     trustStorePassword,
                                     keyManagerFactoryAlgorithm,
                                     keyStoreType,
-                                    sslProtocol);
+                                    sslProtocol,
+                                    keyAlias);
         } 
 
         SSLEngine result = context.createSSLEngine();
@@ -157,4 +159,8 @@ public void setEnabledCipherSuites(String enabledCipherSuites) {
 	public String[] getEnabledCipherSuitesAsArray() {
 		return enabledCipherSuites;
 	}
+
+	public void setKeystorekeyAlias(String alias) {
+		this.keyAlias = alias;
+	}
 }