From 09694a2afb2c8e894eac59233442755fb20a7e4f Mon Sep 17 00:00:00 2001 From: Michael Qi Date: Mon, 10 May 2021 16:17:27 +0800 Subject: [PATCH 01/18] add jre key store --- .../keyvault/jca/KeyVaultKeyStore.java | 79 ++++++++++++++++++- 1 file changed, 77 insertions(+), 2 deletions(-) diff --git a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java index 4de4d7293aafd..981ee26ea5e1e 100644 --- a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java +++ b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java @@ -10,6 +10,9 @@ import java.io.InputStreamReader; import java.io.OutputStream; import java.nio.charset.StandardCharsets; +import java.nio.file.Files; +import java.nio.file.Path; +import java.nio.file.Paths; import java.security.Key; import java.security.KeyStore; import java.security.KeyStoreException; @@ -20,6 +23,8 @@ import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; +import java.security.AccessController; +import java.security.PrivilegedAction; import java.util.ArrayList; import java.util.Collections; import java.util.Date; @@ -76,13 +81,18 @@ public final class KeyVaultKeyStore extends KeyStoreSpi { */ private KeyVaultClient keyVaultClient; + /** + * Stores the jre key store. + */ + private KeyStore jreKeyStore; + /** * Constructor. * *

* The constructor uses System.getProperty for - * azure.keyvault.uri, - * azure.keyvault.aadAuthenticationUrl, + * azure.keyvault.uri, + * azure.keyvault.aadAuthenticationUrl, * azure.keyvault.tenantId, * azure.keyvault.clientId, * azure.keyvault.clientSecret and @@ -102,6 +112,13 @@ public KeyVaultKeyStore() { } else { keyVaultClient = new KeyVaultClient(keyVaultUri, managedIdentity); } + + try { + jreKeyStore = KeyStore.getInstance(KeyStore.getDefaultType()); + JREKeyStore.loadKeyStore(jreKeyStore); + } catch (KeyStoreException e) { + LOGGER.log(WARNING, "Unable to get the jre key store.", e); + } } @Override 
@@ -360,4 +377,62 @@ private void sideLoad() { LOGGER.log(WARNING, "Unable to determine certificates to side-load", ioe); } } + private static class JREKeyStore{ + private static final String javaHome = privilegedGetProperty("java.home", ""); + private static final Path storePath= Paths.get(javaHome).resolve("lib").resolve("security"); + private static final Path defaultStore = storePath.resolve("cacerts"); + private static final Path jsseDefaultStore = storePath.resolve("jssecacerts"); + private static final String keyStorePassword = privilegedGetProperty("javax.net.ssl.keyStorePassword", "changeit"); + private static final String keyPassword = keyStorePassword; + + private static void loadKeyStore(KeyStore ks){ + if (null != ks){ + try (final InputStream inStream = Files.newInputStream(getKeyStoreFile())) { + ks.load(inStream, keyStorePassword.toCharArray()); + }catch (IOException | NoSuchAlgorithmException | CertificateException e){ + LOGGER.log(WARNING, "unable to load the jre key store", e); + } + } + } + + private static Path getKeyStoreFile() { + String storePropName = privilegedGetProperty( + "javax.net.ssl.keyStore", ""); + return getStoreFile(storePropName); + } + + private static Path getStoreFile(String storePropName){ + Path storeProp; + if (storePropName.isEmpty()){ + storeProp = jsseDefaultStore; + }else { + storeProp = Paths.get(storePropName); + } + + Path[] fileNames = + new Path[]{storeProp, defaultStore}; + for (Path fileName : fileNames) { + if (Files.exists(fileName) && Files.isReadable(fileName)){ + return fileName; + } + } + return null; + } + + private static String privilegedGetProperty(String theProp, String defaultVal){ + if (System.getSecurityManager() == null) { + String value = System.getProperty(theProp, ""); + return (value.isEmpty()) ? defaultVal : value; + } else { + return AccessController.doPrivileged( + (PrivilegedAction) () -> { + String value = System.getProperty(theProp, ""); + return (value.isEmpty()) ? 
defaultVal : value; + }); + } + } + } + + + } From f3e2f65ae92afd7ab53233590d39a8b4d007b234 Mon Sep 17 00:00:00 2001 From: Michael Qi Date: Mon, 10 May 2021 16:36:59 +0800 Subject: [PATCH 02/18] minor change --- .../keyvault/jca/KeyVaultKeyStore.java | 21 ++++++++++++------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java index 981ee26ea5e1e..9413eec22cedb 100644 --- a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java +++ b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java @@ -84,7 +84,7 @@ public final class KeyVaultKeyStore extends KeyStoreSpi { /** * Stores the jre key store. */ - private KeyStore jreKeyStore; + private KeyStore defaultKeyStore; /** * Constructor. @@ -112,13 +112,7 @@ public KeyVaultKeyStore() { } else { keyVaultClient = new KeyVaultClient(keyVaultUri, managedIdentity); } - - try { - jreKeyStore = KeyStore.getInstance(KeyStore.getDefaultType()); - JREKeyStore.loadKeyStore(jreKeyStore); - } catch (KeyStoreException e) { - LOGGER.log(WARNING, "Unable to get the jre key store.", e); - } + defaultKeyStore = JREKeyStore.getDefault(); } @Override @@ -395,6 +389,17 @@ private static void loadKeyStore(KeyStore ks){ } } + private static KeyStore getDefault(){ + KeyStore defaultKeyStore = null; + try{ + defaultKeyStore = KeyStore.getInstance(KeyStore.getDefaultType()); + JREKeyStore.loadKeyStore(defaultKeyStore); + } catch (KeyStoreException e) { + LOGGER.log(WARNING, "Unable to get the jre key store.", e); + } + return defaultKeyStore; + } + private static Path getKeyStoreFile() { String storePropName = privilegedGetProperty( "javax.net.ssl.keyStore", ""); 
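Review bot: `getStoreFile` returns null when neither the configured store nor cacerts is readable, and `loadKeyStore` hands that straight to `Files.newInputStream`, so the failure surfaces as a NullPointerException that the `IOException | NoSuchAlgorithmException | CertificateException` catch does not cover and that the constructor hunk above (catching only `KeyStoreException`) lets escape from `new KeyVaultKeyStore()`. A guard before opening the stream, `Path storeFile = getKeyStoreFile(); if (storeFile == null) { LOGGER.log(WARNING, "no readable jre key store found"); return; }`, keeps the provider usable when the JRE store is absent; the same gap survives the later rewrites of `loadKeyStore` in PATCH 12 and PATCH 14. Separately, the file and password are read from `javax.net.ssl.keyStore`/`javax.net.ssl.keyStorePassword` while the fallback files are the JRE trust stores (jssecacerts, cacerts), which the JDK itself selects through `javax.net.ssl.trustStore`/`javax.net.ssl.trustStorePassword`; a deployment that sets only `keyStorePassword` for its own key store will presumably have that password applied to cacerts and see `load` fail its integrity check. Either reading the trustStore properties here or stating in a comment on `keyStorePassword` which properties are honoured and why would make the choice explicit.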
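Review bot: `getDefault` returns the `KeyStore` instance even when `loadKeyStore` failed, because load errors are only logged, so a caller receives a non-null but uninitialized store whose `aliases()` and `getCertificate()` will throw `KeyStoreException` on every use. Having `loadKeyStore` return a boolean and writing `return loadKeyStore(defaultKeyStore) ? defaultKeyStore : null;` would let callers tell "no JRE store" from "store loaded" with one null check instead of a logged stack trace per lookup. A one-line Javadoc such as `/** Returns the JRE key store loaded from the configured or default store file, or null if it could not be created. */` would pin down that contract.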
From e05eb8d1b1ada7319ca32a7d7eb066fc6ae3b89d Mon Sep 17 00:00:00 2001 From: Michael Qi Date: Mon, 10 May 2021 16:43:15 +0800 Subject: [PATCH 03/18] minor change --- .../keyvault/jca/KeyVaultKeyStore.java | 24 +++++++++---------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java index 9413eec22cedb..7f81cb784ff00 100644 --- a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java +++ b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java 
@@ -379,27 +379,27 @@ private static class JREKeyStore{ private static final String keyStorePassword = privilegedGetProperty("javax.net.ssl.keyStorePassword", "changeit"); private static final String keyPassword = keyStorePassword; - private static void loadKeyStore(KeyStore ks){ - if (null != ks){ - try (final InputStream inStream = Files.newInputStream(getKeyStoreFile())) { - ks.load(inStream, keyStorePassword.toCharArray()); - }catch (IOException | NoSuchAlgorithmException | CertificateException e){ - LOGGER.log(WARNING, "unable to load the jre key store", e); - } - } - } - private static KeyStore getDefault(){ KeyStore defaultKeyStore = null; try{ defaultKeyStore = KeyStore.getInstance(KeyStore.getDefaultType()); - JREKeyStore.loadKeyStore(defaultKeyStore); + loadKeyStore(defaultKeyStore); } catch (KeyStoreException e) { LOGGER.log(WARNING, "Unable to get the jre key store.", e); } return defaultKeyStore; } + private static void loadKeyStore(KeyStore ks){ + if (null != ks){ + try (final InputStream inStream = Files.newInputStream(getKeyStoreFile())) { + ks.load(inStream, keyStorePassword.toCharArray()); + }catch (IOException | NoSuchAlgorithmException | CertificateException e){ + LOGGER.log(WARNING, "unable to load the jre key store", e); + } + } + } + private static Path getKeyStoreFile() { String storePropName = privilegedGetProperty( "javax.net.ssl.keyStore", ""); @@ -438,6 +438,4 @@ private static String privilegedGetProperty(String theProp, String defaultVal){ } } - - } From dcc4995bd6a8b2854d0292df948c558aed0c3be0 Mon Sep 17 00:00:00 2001 From: Michael Qi Date: Tue, 11 May 2021 14:24:00 +0800 Subject: [PATCH 04/18] add jre key store --- .../keyvault/jca/KeyVaultKeyStore.java | 93 +++++++++++++++---- 1 file changed, 74 insertions(+), 19 deletions(-) 
diff --git a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java index 7f81cb784ff00..a72940e98992a 100644 --- a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java +++ b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java @@ -13,24 +13,12 @@ import java.nio.file.Files; import java.nio.file.Path; import java.nio.file.Paths; -import java.security.Key; -import java.security.KeyStore; -import java.security.KeyStoreException; -import java.security.KeyStoreSpi; -import java.security.NoSuchAlgorithmException; -import java.security.UnrecoverableEntryException; +import java.security.*; import java.security.cert.Certificate; import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; -import java.security.AccessController; -import java.security.PrivilegedAction; -import java.util.ArrayList; -import java.util.Collections; -import java.util.Date; -import java.util.Enumeration; -import java.util.HashMap; -import java.util.List; +import java.util.*; import java.util.logging.Logger; import static java.util.logging.Level.INFO; @@ -84,7 +72,12 @@ public final class KeyVaultKeyStore extends KeyStoreSpi { /** * Stores the jre key store. */ - private KeyStore defaultKeyStore; + private static final KeyStore defaultKeyStore; + + /** + * Stores the jre key store aliases. + */ + private static final Set jreAliases; /** * Constructor. 
@@ -112,15 +105,33 @@ public KeyVaultKeyStore() { } else { keyVaultClient = new KeyVaultClient(keyVaultUri, managedIdentity); } + + } + + static { defaultKeyStore = JREKeyStore.getDefault(); + jreAliases = new HashSet<>(); + if(null != defaultKeyStore){ + try { + jreAliases.addAll(Collections.list(defaultKeyStore.aliases())); + } catch (KeyStoreException e) { + LOGGER.log(WARNING, "Unable to load the jre key store aliases.", e); + } + + } } + + @Override public Enumeration engineAliases() { if (aliases == null) { aliases = keyVaultClient.getAliases(); } - return Collections.enumeration(aliases); + Set als = new HashSet<>(); + als.addAll(aliases); + als.addAll(jreAliases); + return Collections.enumeration(als); } @Override @@ -152,6 +163,12 @@ public Certificate engineGetCertificate(String alias) { if (!aliases.contains(alias)) { aliases.add(alias); } + }else { + try { + certificate = defaultKeyStore.getCertificate(alias); + } catch (KeyStoreException e) { + LOGGER.log(WARNING, "Unable to load certificate from jre Key store.", e); + } } } return certificate; @@ -171,7 +188,15 @@ public String engineGetCertificateAlias(Certificate cert) { break; } } + if (null == alias){ + try { + alias = defaultKeyStore.getCertificateAlias(cert); + } catch (KeyStoreException e) { + LOGGER.log(WARNING, "Unable to load the alias from jre Key store.", e); + } + } } + return alias; } @@ -182,6 +207,12 @@ public Certificate[] engineGetCertificateChain(String alias) { if (certificate != null) { chain = new Certificate[1]; chain[0] = certificate; + }else { + try { + chain = defaultKeyStore.getCertificateChain(alias); + }catch (KeyStoreException e) { + LOGGER.log(WARNING, "Unable to load the certificate chain from jre Key store.", e); + } } return chain; } @@ -211,6 +242,8 @@ public Key engineGetKey(String alias, char[] password) { if (!aliases.contains(alias)) { aliases.add(alias); } + }else { + key = JREKeyStore.getKey(defaultKeyStore, alias); } } return key; 
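Review bot: `defaultKeyStore` is dereferenced without a null check in the new `else` branches of `engineGetCertificate`, `engineGetCertificateAlias`, `engineGetCertificateChain` and `engineGetKey` (through `JREKeyStore.getKey`), yet the static initializer in the first hunk explicitly allows `JREKeyStore.getDefault()` to return null, so looking up any alias that is not in Key Vault throws a NullPointerException whenever the JRE store could not be created. Each fallback needs the same guard the initializer uses, e.g. `} else if (null != defaultKeyStore) {`, and `engineSize` in the following hunk (`@@ -282,7 +321,13 @@`) has the identical gap. The `engineGetKey` fallback also ignores the caller-supplied `password` and unlocks JRE entries with the static `keyPassword` taken from `javax.net.ssl.keyStorePassword`; if that is intended, a comment at the call site such as `// JRE entries are unlocked with the configured store password, not the caller's` should say so.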
@@ -221,12 +254,18 @@ public boolean engineIsCertificateEntry(String alias) { if (aliases == null) { aliases = keyVaultClient.getAliases(); } - return aliases.contains(alias); + Set als = new HashSet<>(); + als.addAll(aliases); + als.addAll(jreAliases); + return als.contains(alias); } @Override public boolean engineIsKeyEntry(String alias) { - return engineIsCertificateEntry(alias); + if (aliases == null) { + aliases = keyVaultClient.getAliases(); + } + return aliases.contains(alias); } @Override @@ -282,7 +321,13 @@ public void engineSetKeyEntry(String alias, byte[] key, Certificate[] chain) { @Override public int engineSize() { - return aliases != null ? aliases.size() : 0; + int size = 0; + try { + size = defaultKeyStore.size(); + } catch (KeyStoreException e) { + LOGGER.log(WARNING, "Unable to get the size of the jre key store." ,e); + } + return size + (aliases != null ? aliases.size() : 0); } @Override @@ -371,6 +416,7 @@ private void sideLoad() { LOGGER.log(WARNING, "Unable to determine certificates to side-load", ioe); } } + private static class JREKeyStore{ private static final String javaHome = privilegedGetProperty("java.home", ""); private static final Path storePath= Paths.get(javaHome).resolve("lib").resolve("security"); @@ -424,6 +470,15 @@ private static Path getStoreFile(String storePropName){ return null; } + private static Key getKey(KeyStore ks, String alias){ + try { + return ks.getKey(alias, keyPassword.toCharArray()); + } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException e) { + LOGGER.log(WARNING, "Unable to get the key from jre key store.", e); + } + return null; + } + private static String privilegedGetProperty(String theProp, String defaultVal){ if (System.getSecurityManager() == null) { String value = System.getProperty(theProp, ""); From 9bd7ff9ff4d04940a2b2d42ee434e3f9213e96b4 Mon Sep 17 00:00:00 2001 
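Review bot: `engineIsCertificateEntry` now answers true for JRE aliases while `engineIsKeyEntry` answers true only for Key Vault aliases, but `engineGetKey` in the previous hunk falls back to the JRE store, so an alias the SPI reports as not a key entry can still yield a key; the two predicates and the getter should agree on which store backs which alias. The merged `HashSet` built on every call of `engineIsCertificateEntry` is unnecessary for a membership test; `return aliases.contains(alias) || jreAliases.contains(alias);` says the same thing without the copy. In the last hunk, `getKey` folds `UnrecoverableKeyException` into a warning and returns null, which callers cannot tell apart from "no such entry"; a comment stating that a wrong JRE store password is deliberately treated as a missing key would document that choice.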
From: Michael Qi Date: Tue, 11 May 2021 15:35:48 +0800 Subject: [PATCH 05/18] import clauses change --- .../azure/security/keyvault/jca/KeyVaultKeyStore.java | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java index a72940e98992a..b199cfff09da4 100644 --- a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java +++ b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java @@ -13,7 +13,16 @@ import java.nio.file.Files; import java.nio.file.Path; import java.nio.file.Paths; -import java.security.*; +import java.security.Key; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.KeyStoreSpi; +import java.security.NoSuchAlgorithmException; +import java.security.UnrecoverableEntryException; +import java.security.PrivilegedAction; +import java.security.AccessController; +import java.security.UnrecoverableKeyException; + import java.security.cert.Certificate; import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; From 0814b93a65f4eb1d36a048e731c78ef55b371918 Mon Sep 17 00:00:00 2001 From: Michael Qi Date: Tue, 11 May 2021 15:36:41 +0800 Subject: [PATCH 06/18] import clauses change --- .../com/azure/security/keyvault/jca/KeyVaultKeyStore.java | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java index b199cfff09da4..8e190950ec691 100644 
--- a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java +++ b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java @@ -27,7 +27,12 @@ import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; -import java.util.*; +import java.util.ArrayList; +import java.util.Collections; +import java.util.Date; +import java.util.Enumeration; +import java.util.HashMap; +import java.util.List; import java.util.logging.Logger; import static java.util.logging.Level.INFO; From b07b85b6f9c06b8f9b778ab70638be7528398681 Mon Sep 17 00:00:00 2001 From: Michael Qi Date: Tue, 11 May 2021 15:38:35 +0800 Subject: [PATCH 07/18] import clauses change --- .../com/azure/security/keyvault/jca/KeyVaultKeyStore.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java index 8e190950ec691..67a5065d70610 100644 --- a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java +++ b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java @@ -22,7 +22,6 @@ import java.security.PrivilegedAction; import java.security.AccessController; import java.security.UnrecoverableKeyException; - import java.security.cert.Certificate; import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; @@ -33,8 +32,9 @@ import java.util.Enumeration; import java.util.HashMap; import java.util.List; +import java.util.Set; +import java.util.HashSet; import java.util.logging.Logger; - import static java.util.logging.Level.INFO; import static java.util.logging.Level.WARNING; 
From 3f87f18fa15fbcc6f5761929ad611988fdbe9109 Mon Sep 17 00:00:00 2001 From: Michael Qi Date: Tue, 11 May 2021 15:46:32 +0800 Subject: [PATCH 08/18] format change --- .../keyvault/jca/KeyVaultKeyStore.java | 73 +++++++++---------- 1 file changed, 35 insertions(+), 38 deletions(-) diff --git a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java index 67a5065d70610..ae18b6d0a7a92 100644 --- a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java +++ b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java @@ -86,12 +86,12 @@ public final class KeyVaultKeyStore extends KeyStoreSpi { /** * Stores the jre key store. */ - private static final KeyStore defaultKeyStore; + private static final KeyStore DEFAULT_KEY_STORE; /** * Stores the jre key store aliases. */ - private static final Set jreAliases; + private static final Set JRE_ALIASES; /** * Constructor. @@ -123,20 +123,17 @@ public KeyVaultKeyStore() { } static { - defaultKeyStore = JREKeyStore.getDefault(); - jreAliases = new HashSet<>(); - if(null != defaultKeyStore){ + DEFAULT_KEY_STORE = JREKeyStore.getDefault(); + JRE_ALIASES = new HashSet<>(); + if (null != DEFAULT_KEY_STORE) { try { - jreAliases.addAll(Collections.list(defaultKeyStore.aliases())); + JRE_ALIASES.addAll(Collections.list(DEFAULT_KEY_STORE.aliases())); } catch (KeyStoreException e) { LOGGER.log(WARNING, "Unable to load the jre key store aliases.", e); } - } } - - @Override public Enumeration engineAliases() { if (aliases == null) { @@ -144,7 +141,7 @@ public Enumeration engineAliases() { } Set als = new HashSet<>(); als.addAll(aliases); - als.addAll(jreAliases); + als.addAll(JRE_ALIASES); return Collections.enumeration(als); } 
@@ -177,9 +174,9 @@ public Certificate engineGetCertificate(String alias) { if (!aliases.contains(alias)) { aliases.add(alias); } - }else { + } else { try { - certificate = defaultKeyStore.getCertificate(alias); + certificate = DEFAULT_KEY_STORE.getCertificate(alias); } catch (KeyStoreException e) { LOGGER.log(WARNING, "Unable to load certificate from jre Key store.", e); } @@ -202,9 +199,9 @@ public String engineGetCertificateAlias(Certificate cert) { break; } } - if (null == alias){ + if (null == alias) { try { - alias = defaultKeyStore.getCertificateAlias(cert); + alias = DEFAULT_KEY_STORE.getCertificateAlias(cert); } catch (KeyStoreException e) { LOGGER.log(WARNING, "Unable to load the alias from jre Key store.", e); } @@ -223,7 +220,7 @@ public Certificate[] engineGetCertificateChain(String alias) { chain[0] = certificate; }else { try { - chain = defaultKeyStore.getCertificateChain(alias); + chain = DEFAULT_KEY_STORE.getCertificateChain(alias); }catch (KeyStoreException e) { LOGGER.log(WARNING, "Unable to load the certificate chain from jre Key store.", e); } @@ -256,8 +253,8 @@ public Key engineGetKey(String alias, char[] password) { if (!aliases.contains(alias)) { aliases.add(alias); } - }else { - key = JREKeyStore.getKey(defaultKeyStore, alias); + } else { + key = JREKeyStore.getKey(DEFAULT_KEY_STORE, alias); } } return key; @@ -270,7 +267,7 @@ public boolean engineIsCertificateEntry(String alias) { } Set als = new HashSet<>(); als.addAll(aliases); - als.addAll(jreAliases); + als.addAll(JRE_ALIASES); return als.contains(alias); } @@ -337,7 +334,7 @@ public void engineSetKeyEntry(String alias, byte[] key, Certificate[] chain) { public int engineSize() { int size = 0; try { - size = defaultKeyStore.size(); + size = DEFAULT_KEY_STORE.size(); } catch (KeyStoreException e) { LOGGER.log(WARNING, "Unable to get the size of the jre key store." ,e); } 
@@ -431,15 +428,15 @@ private void sideLoad() { } } - private static class JREKeyStore{ - private static final String javaHome = privilegedGetProperty("java.home", ""); - private static final Path storePath= Paths.get(javaHome).resolve("lib").resolve("security"); - private static final Path defaultStore = storePath.resolve("cacerts"); - private static final Path jsseDefaultStore = storePath.resolve("jssecacerts"); - private static final String keyStorePassword = privilegedGetProperty("javax.net.ssl.keyStorePassword", "changeit"); - private static final String keyPassword = keyStorePassword; + private static class JREKeyStore { + private static final String JAVA_HOME = privilegedGetProperty("java.home", ""); + private static final Path STORE_PATH = Paths.get(JAVA_HOME).resolve("lib").resolve("security"); + private static final Path DEFAULT_STORE = STORE_PATH.resolve("cacerts"); + private static final Path JSSE_DEFAULT_STORE = STORE_PATH.resolve("jssecacerts"); + private static final String KEY_STORE_PASSWORD = privilegedGetProperty("javax.net.ssl.keyStorePassword", "changeit"); + private static final String KEY_PASSWORD = KEY_STORE_PASSWORD; - private static KeyStore getDefault(){ + private static KeyStore getDefault() { KeyStore defaultKeyStore = null; try{ defaultKeyStore = KeyStore.getInstance(KeyStore.getDefaultType()); 
@@ -450,11 +447,11 @@ private static KeyStore getDefault(){ return defaultKeyStore; } - private static void loadKeyStore(KeyStore ks){ - if (null != ks){ - try (final InputStream inStream = Files.newInputStream(getKeyStoreFile())) { - ks.load(inStream, keyStorePassword.toCharArray()); - }catch (IOException | NoSuchAlgorithmException | CertificateException e){ + private static void loadKeyStore(KeyStore ks) { + if (null != ks) { + try (InputStream inStream = Files.newInputStream(getKeyStoreFile())) { + ks.load(inStream, KEY_STORE_PASSWORD.toCharArray()); + } catch (IOException | NoSuchAlgorithmException | CertificateException e) { LOGGER.log(WARNING, "unable to load the jre key store", e); } } @@ -466,18 +463,18 @@ private static Path getKeyStoreFile() { return getStoreFile(storePropName); } - private static Path getStoreFile(String storePropName){ + private static Path getStoreFile(String storePropName) { Path storeProp; if (storePropName.isEmpty()){ - storeProp = jsseDefaultStore; - }else { + storeProp = JSSE_DEFAULT_STORE; + } else { storeProp = Paths.get(storePropName); } Path[] fileNames = - new Path[]{storeProp, defaultStore}; + new Path[]{storeProp, DEFAULT_STORE}; for (Path fileName : fileNames) { - if (Files.exists(fileName) && Files.isReadable(fileName)){ + if (Files.exists(fileName) && Files.isReadable(fileName)) { return fileName; } } @@ -486,7 +483,7 @@ private static Path getStoreFile(String storePropName){ private static Key getKey(KeyStore ks, String alias){ try { - return ks.getKey(alias, keyPassword.toCharArray()); + return ks.getKey(alias, KEY_PASSWORD.toCharArray()); } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException e) { LOGGER.log(WARNING, "Unable to get the key from jre key store.", e); } From 4c175ab9339c955b3daba56b130c3a66139639f8 Mon Sep 17 00:00:00 2001 
From: Michael Qi Date: Tue, 11 May 2021 15:49:19 +0800 Subject: [PATCH 09/18] format change --- .../java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java | 1 - 1 file changed, 1 deletion(-) diff --git a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java index ae18b6d0a7a92..7d4dc38731595 100644 --- a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java +++ b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java @@ -207,7 +207,6 @@ public String engineGetCertificateAlias(Certificate cert) { } } } - return alias; } From 2182d5f3a3e65e80ccce53616a7964b8269455ae Mon Sep 17 00:00:00 2001 From: Michael Qi Date: Tue, 11 May 2021 15:59:58 +0800 Subject: [PATCH 10/18] format change --- .../java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java index 7d4dc38731595..4ebd2aabaae73 100644 --- a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java +++ b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java @@ -91,7 +91,7 @@ public final class KeyVaultKeyStore extends KeyStoreSpi { /** * Stores the jre key store aliases. */ - private static final Set JRE_ALIASES; + private static final Set JRE_ALIASES; /** * Constructor. From cdeab01e0c8cdc46a9816bbf7571b1d85a75eadc Mon Sep 17 00:00:00 2001 
From: Michael Qi Date: Wed, 12 May 2021 08:14:36 +0800 Subject: [PATCH 11/18] format change --- .../security/keyvault/jca/KeyVaultKeyStore.java | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java index 4ebd2aabaae73..e1a7e3f3fc6ae 100644 --- a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java +++ b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java @@ -217,10 +217,10 @@ public Certificate[] engineGetCertificateChain(String alias) { if (certificate != null) { chain = new Certificate[1]; chain[0] = certificate; - }else { + } else { try { chain = DEFAULT_KEY_STORE.getCertificateChain(alias); - }catch (KeyStoreException e) { + } catch (KeyStoreException e) { LOGGER.log(WARNING, "Unable to load the certificate chain from jre Key store.", e); } } @@ -335,7 +335,7 @@ public int engineSize() { try { size = DEFAULT_KEY_STORE.size(); } catch (KeyStoreException e) { - LOGGER.log(WARNING, "Unable to get the size of the jre key store." ,e); + LOGGER.log(WARNING, "Unable to get the size of the jre key store.", e); } return size + (aliases != null ? aliases.size() : 0); } @@ -437,7 +437,7 @@ private static class JREKeyStore { private static KeyStore getDefault() { KeyStore defaultKeyStore = null; - try{ + try { defaultKeyStore = KeyStore.getInstance(KeyStore.getDefaultType()); loadKeyStore(defaultKeyStore); } catch (KeyStoreException e) { @@ -464,7 +464,7 @@ private static Path getKeyStoreFile() { private static Path getStoreFile(String storePropName) { Path storeProp; - if (storePropName.isEmpty()){ + if (storePropName.isEmpty()) { storeProp = JSSE_DEFAULT_STORE; } else { storeProp = Paths.get(storePropName); 
@@ -480,7 +480,7 @@ private static Path getStoreFile(String storePropName) { return null; } - private static Key getKey(KeyStore ks, String alias){ + private static Key getKey(KeyStore ks, String alias) { try { return ks.getKey(alias, KEY_PASSWORD.toCharArray()); } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException e) { @@ -489,7 +489,7 @@ private static Key getKey(KeyStore ks, String alias){ return null; } - private static String privilegedGetProperty(String theProp, String defaultVal){ + private static String privilegedGetProperty(String theProp, String defaultVal) { if (System.getSecurityManager() == null) { String value = System.getProperty(theProp, ""); return (value.isEmpty()) ? defaultVal : value; From 1da84ef5c5fbef1bd3c64e609dcc0513c42521d1 Mon Sep 17 00:00:00 2001 From: Michael Qi Date: Thu, 13 May 2021 11:22:27 +0800 Subject: [PATCH 12/18] remove redundant non-null check --- sdk/keyvault/azure-security-keyvault-jca/pom.xml | 4 ++++ .../com/azure/security/keyvault/jca/KeyVaultKeyStore.java | 2 -- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/sdk/keyvault/azure-security-keyvault-jca/pom.xml b/sdk/keyvault/azure-security-keyvault-jca/pom.xml index a98efad3bfaf0..0d318eececc0f 100644 --- a/sdk/keyvault/azure-security-keyvault-jca/pom.xml +++ b/sdk/keyvault/azure-security-keyvault-jca/pom.xml @@ -57,6 +57,10 @@ org.apache.commons com.azure.keyvault.jca.org.apache.commons + + org.apache.http + com.azure.keyvault.jca.org.apache.http + mozilla com.azure.keyvault.jca.mozilla diff --git a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java index e1a7e3f3fc6ae..f30f6ea0453bf 100644 --- a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java 
+++ b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java @@ -447,13 +447,11 @@ private static KeyStore getDefault() { } private static void loadKeyStore(KeyStore ks) { - if (null != ks) { try (InputStream inStream = Files.newInputStream(getKeyStoreFile())) { ks.load(inStream, KEY_STORE_PASSWORD.toCharArray()); } catch (IOException | NoSuchAlgorithmException | CertificateException e) { LOGGER.log(WARNING, "unable to load the jre key store", e); } - } } private static Path getKeyStoreFile() { From f3afdae75fdf0a08d6aaec3639a818ffe8ef6efe Mon Sep 17 00:00:00 2001 From: Michael Qi Date: Thu, 13 May 2021 11:24:11 +0800 Subject: [PATCH 13/18] minor revert --- sdk/keyvault/azure-security-keyvault-jca/pom.xml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/sdk/keyvault/azure-security-keyvault-jca/pom.xml b/sdk/keyvault/azure-security-keyvault-jca/pom.xml index 0d318eececc0f..a98efad3bfaf0 100644 --- a/sdk/keyvault/azure-security-keyvault-jca/pom.xml +++ b/sdk/keyvault/azure-security-keyvault-jca/pom.xml @@ -57,10 +57,6 @@ org.apache.commons com.azure.keyvault.jca.org.apache.commons - - org.apache.http - com.azure.keyvault.jca.org.apache.http - mozilla com.azure.keyvault.jca.mozilla From 216a124e5d3529d7ae14d9429c5097e42f790545 Mon Sep 17 00:00:00 2001 From: Michael Qi Date: Fri, 14 May 2021 11:26:46 +0800 Subject: [PATCH 14/18] fix checkstyle --- .../azure/security/keyvault/jca/KeyVaultKeyStore.java | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java index f30f6ea0453bf..caeedca74d8b8 100644 --- a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java 
+++ b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java @@ -447,11 +447,11 @@ private static KeyStore getDefault() { } private static void loadKeyStore(KeyStore ks) { - try (InputStream inStream = Files.newInputStream(getKeyStoreFile())) { - ks.load(inStream, KEY_STORE_PASSWORD.toCharArray()); - } catch (IOException | NoSuchAlgorithmException | CertificateException e) { - LOGGER.log(WARNING, "unable to load the jre key store", e); - } + try (InputStream inStream = Files.newInputStream(getKeyStoreFile())) { + ks.load(inStream, KEY_STORE_PASSWORD.toCharArray()); + } catch (IOException | NoSuchAlgorithmException | CertificateException e) { + LOGGER.log(WARNING, "unable to load the jre key store", e); + } } private static Path getKeyStoreFile() { From 5ed09210280a52ff03f1fea6bd3dadac80b8546c Mon Sep 17 00:00:00 2001 From: Michael Qi Date: Mon, 17 May 2021 15:30:22 +0800 Subject: [PATCH 15/18] check alias before getting cert. --- .../keyvault/jca/KeyVaultKeyStore.java | 20 ++-- .../keyvault/jca/JREKeyStoreTest.java | 91 +++++++++++++++++++ 2 files changed, 101 insertions(+), 10 deletions(-) create mode 100644 sdk/keyvault/azure-security-test-keyvault-jca/src/test/java/com/azure/security/keyvault/jca/JREKeyStoreTest.java diff --git a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java index caeedca74d8b8..78ebe52e0d0e1 100644 --- a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java +++ b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java 
@@ -161,20 +161,20 @@ public boolean engineEntryInstanceOf(String alias, Class true); + + PoolingHttpClientConnectionManager manager = new PoolingHttpClientConnectionManager( + RegistryBuilder.create() + .register("https", sslConnectionSocketFactory) + .build()); + + /* + * And now execute the test. + */ + String result = null; + + try (CloseableHttpClient client = HttpClients.custom().setConnectionManager(manager).build()) { + HttpGet httpGet = new HttpGet("https://google.com:443"); + ResponseHandler responseHandler = (HttpResponse response) -> { + int status = response.getStatusLine().getStatusCode(); + String result1 = null; + if (status == 200) { + result1 = "Success"; + } + return result1; + }; + result = client.execute(httpGet, responseHandler); + } catch (IOException ioe) { + ioe.printStackTrace(); + } + + /* + * And verify all went well. + */ + assertEquals("Success", result); + + + + } +} From 6f7210fb6c7471efe57d632c5f01cca2a1768b18 Mon Sep 17 00:00:00 2001 From: Michael Qi Date: Mon, 17 May 2021 17:21:53 +0800 Subject: [PATCH 16/18] add EnabledIfEnvironmentVariable --- .../jca/{JREKeyStoreTest.java => JreKeyStoreTest.java} | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) rename sdk/keyvault/azure-security-test-keyvault-jca/src/test/java/com/azure/security/keyvault/jca/{JREKeyStoreTest.java => JreKeyStoreTest.java} (93%) diff --git a/sdk/keyvault/azure-security-test-keyvault-jca/src/test/java/com/azure/security/keyvault/jca/JREKeyStoreTest.java b/sdk/keyvault/azure-security-test-keyvault-jca/src/test/java/com/azure/security/keyvault/jca/JreKeyStoreTest.java similarity index 93% rename from sdk/keyvault/azure-security-test-keyvault-jca/src/test/java/com/azure/security/keyvault/jca/JREKeyStoreTest.java rename to sdk/keyvault/azure-security-test-keyvault-jca/src/test/java/com/azure/security/keyvault/jca/JreKeyStoreTest.java index 64ad89da02d2a..3001a82d58f1c 100644 
--- a/sdk/keyvault/azure-security-test-keyvault-jca/src/test/java/com/azure/security/keyvault/jca/JREKeyStoreTest.java +++ b/sdk/keyvault/azure-security-test-keyvault-jca/src/test/java/com/azure/security/keyvault/jca/JreKeyStoreTest.java @@ -11,6 +11,7 @@ import org.apache.http.impl.conn.PoolingHttpClientConnectionManager; import org.apache.http.ssl.SSLContexts; import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.condition.EnabledIfEnvironmentVariable; import javax.net.ssl.SSLContext; import java.io.IOException; @@ -20,7 +21,8 @@ import static org.junit.jupiter.api.Assertions.assertEquals; -public class JREKeyStoreTest { +@EnabledIfEnvironmentVariable(named = "AZURE_KEYVAULT_CERTIFICATE_NAME", matches = "myalias") +public class JreKeyStoreTest { @Test public void testJreKS() throws Exception{ /* From 5ae87336a00db4714640ad7a8a052958dafbae22 Mon Sep 17 00:00:00 2001 From: Michael Qi Date: Tue, 18 May 2021 10:41:08 +0800 Subject: [PATCH 17/18] rearrange code because pipleline spotbugs complains about redundant non-null check --- .../azure/security/keyvault/jca/KeyVaultKeyStore.java | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java index 78ebe52e0d0e1..b5d97f6d90137 100644 --- a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java +++ b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java 
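Review bot: The new `@EnabledIfEnvironmentVariable(named = "AZURE_KEYVAULT_CERTIFICATE_NAME", matches = "myalias")` gate ties this test to a Key Vault certificate alias being exactly `myalias`, yet the test body from the previous patch only builds an `SSLContext` and fetches `https://google.com:443`, so what it actually needs is outbound network access rather than any Key Vault setting. A dedicated opt-in variable whose name says "network tests enabled" would state the real precondition and would not silently skip the test whenever the alias is renamed in CI. `testJreKS` continues outside the hunk; the missing space in `throws Exception{` is also a checkstyle nit.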
@@ -447,10 +447,18 @@ private static KeyStore getDefault() { } private static void loadKeyStore(KeyStore ks) { - try (InputStream inStream = Files.newInputStream(getKeyStoreFile())) { + InputStream inStream = null; + try { + inStream = Files.newInputStream(getKeyStoreFile()); ks.load(inStream, KEY_STORE_PASSWORD.toCharArray()); } catch (IOException | NoSuchAlgorithmException | CertificateException e) { LOGGER.log(WARNING, "unable to load the jre key store", e); + } finally { + try { + inStream.close(); + }catch (NullPointerException | IOException e ){ + LOGGER.log(WARNING, "", e); + } } } From aba3530920a9810266ab59e08534658bce0e0645 Mon Sep 17 00:00:00 2001 From: Michael Qi Date: Tue, 25 May 2021 13:44:04 +0800 Subject: [PATCH 18/18] Fix check style failures --- .../java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java index b5d97f6d90137..8a03ee3e8c852 100644 --- a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java +++ b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java @@ -456,7 +456,7 @@ private static void loadKeyStore(KeyStore ks) { } finally { try { inStream.close(); - }catch (NullPointerException | IOException e ){ + } catch (NullPointerException | IOException e ) { LOGGER.log(WARNING, "", e); } }
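Review bot: The rewritten `finally` block catches `NullPointerException` to cover the case where `Files.newInputStream` threw and `inStream` is still null, which is a null check done by exception; a plain `if (inStream != null)` guard is the explicit form and is what a reader expects in a cleanup path. The `LOGGER.log(WARNING, "", e)` with an empty message also gives the operator no hint that it was the key-store stream close that failed. If the SpotBugs finding was the redundant-null-check warning on the synthetic close that javac generates for try-with-resources, suppressing that finding and keeping the previous try-with-resources form would be the smaller and safer change; if the manual form stays, the block below keeps the same behaviour without the exception-driven check.
```java
// … unchanged: open stream, ks.load, catch/log …
} finally {
    if (inStream != null) {
        try {
            inStream.close();
        } catch (IOException e) {
            LOGGER.log(WARNING, "unable to close the jre key store stream", e);
        }
    }
}
```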