New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[WFCORE-3305][WFCORE-3425] Add more runtime operations to the Elytron key-store resource for advanced KeyStore manipulation #2949
Conversation
Full integration - Windows Build 4601 outcome was FAILURE using a merge of 0f9dd63 Failed tests
|
Added a few more tests for the import-certificate operation as discussed with Martin Choma. |
a412a42
to
6b3b7a8
Compare
retest this please |
certChain[0] = certAndKey.getSelfSignedCertificate(); | ||
keyStore.setKeyEntry(alias, privateKey, keyPassword, certChain); | ||
} catch (KeyStoreException | IllegalArgumentException | DateTimeException e) { | ||
throw new OperationFailedException(e); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do all of these indicate user errors? If any don't, throw a runtime exception.
if (e instanceof OperationFailedException) { | ||
throw (OperationFailedException) e; | ||
} else { | ||
throw new OperationFailedException(e); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Don't throw OFE unless it's a user mistake. If not use a runtime exception.
if (e instanceof OperationFailedException) { | ||
throw (OperationFailedException) e; | ||
} else { | ||
throw new OperationFailedException(e); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same thing.
if (e instanceof OperationFailedException) { | ||
throw (OperationFailedException) e; | ||
} else { | ||
throw new OperationFailedException(e); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One more time. :)
if (e instanceof OperationFailedException) { | ||
throw (OperationFailedException) e; | ||
} else { | ||
throw new OperationFailedException(e); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
etc
try { | ||
return keyStoreService.resolveKeyPassword(credentialSourceSupplier); | ||
} catch (Exception e) { | ||
throw new OperationFailedException(e); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
etc
This should get an approval by someone more familiar with elytron and with the requirements. It also needs to be out of the analysis phase so we know those requirements are set. :) Seems ok to me other than my notes about exception handling. If there's additional external testing of this going on, please comment noting that and comment when that's done. |
I've updated the exception handling. The two test failures currently occurring on Windows ( |
Just a note that Martin Choma has moved this issue out of the analysis phase now so the requirements are set. |
retest this please |
1 similar comment
retest this please |
Core - Full Integration Build 6593 outcome was FAILURE using a merge of 29f83bd Failed tests
|
I have marked EAP7-650 as Test Development done. There are no blockers on this. I am OK with getting this into WF12. |
@@ -271,6 +266,21 @@ boolean isModified() { | |||
return trackingKeyStore.isModified(); | |||
} | |||
|
|||
char[] resolveKeyPassword(final ExceptionSupplier<CredentialSource, Exception> keyPasswordCredentialSourceSupplier) throws Exception { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not related to this PR but we also want at some point to look at KeyStore password re-use for the KeyManager resource as well.
Do we have any information about the new binary files so if anyone is debugging or needs to recreate them they know what they need? |
…source for advanced KeyStore manipulation The new operations are as follows: * generate-key-pair * generate-certificate-signing-request * import-certificate * export-certificate * change-alias
…t doesn't exist and wasn't flagged as required when attempting to store the KeyStore to the file
@darranl I've added a readme file with information about the new binary files. |
Thanks @fjuma looks good. |
Core - Full Integration Build 6675 outcome was FAILURE using a merge of 1b4ef35 Failed tests
|
retest this please |
@fjuma I resolved the two WFCORE's mentioned in the title but I'll leave any EAP7 etc manipulation to you. :) |
This PR adds more runtime-only management operations to the Elytron subsystem key-store resource for advanced KeyStore manipulation. The new operations are as follows:
generate-key-pair: This will generate a key pair and wrap the resulting public key in a self-signed X.509 certificate. The generated private key and self-signed certificate will be added to the KeyStore.
generate-certificate-signing-request: This will generate a PKCS Subsystem test framework tweaks #10 certificate signing request using a PrivateKeyEntry from the KeyStore. The generated certificate signing request will be output to a file.
import-certificate: This will import a certificate or certificate chain from a file into an entry in the KeyStore.
export-certificate: This will export a certificate from an entry in the KeyStore to a file.
change-alias: This will move an existing KeyStore entry to a new alias.
After executing the generate-key-pair, import-certificate, or change-alias operations, executing the store operation will persist the resulting changes to the file that backs the KeyStore.
This PR also adds a commit to fix WFCORE-3425. This ensures that for a file-backed key-store, if the file doesn’t exist and wasn’t flagged as required, then the file will get created properly when executing the store operation.
https://issues.jboss.org/browse/WFCORE-3305
https://issues.jboss.org/browse/WFCORE-3425
Documentation PR: wildfly/wildfly#10830