/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License, Version 1.0 only
* (the "License"). You may not use this file except in compliance
* with the License.
*
* You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
* or http://forgerock.org/license/CDDLv1.0.html.
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at legal-notices/CDDLv1_0.txt.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information:
* Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*
*
* Copyright 2008-2010 Sun Microsystems, Inc.
* Portions Copyright 2013 ForgeRock AS
*/
package org.opends.server.util;
import java.io.*;
import java.security.*;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import org.opends.messages.Message;
import static org.opends.messages.UtilityMessages.*;
/**
* This class provides an interface for generating self-signed certificates and
* certificate signing requests, and for importing, exporting, and deleting
* certificates from a key store. It supports JKS, PKCS11, and PKCS12 key store
* types.
*
This code uses the Platform class to perform all of the certificate
management.
*/
@org.opends.server.types.PublicAPI(
stability=org.opends.server.types.StabilityLevel.VOLATILE,
mayInstantiate=true,
mayExtend=false,
mayInvoke=true)
public final class CertificateManager {
/**
* The key store type value that should be used for the "JKS" key store.
*/
public static final String KEY_STORE_TYPE_JKS = "JKS";
/**
* The key store type value that should be used for the "JCEKS" key store.
*/
public static final String KEY_STORE_TYPE_JCEKS = "JCEKS";
/**
* The key store type value that should be used for the "PKCS11" key store.
*/
public static final String KEY_STORE_TYPE_PKCS11 = "PKCS11";
/**
* The key store type value that should be used for the "PKCS12" key store.
*/
public static final String KEY_STORE_TYPE_PKCS12 = "PKCS12";
/**
* The key store path value that must be used in conjunction with the PKCS11
* key store type.
*/
public static final String KEY_STORE_PATH_PKCS11 = "NONE";
//Error message strings.
private static final String KEYSTORE_PATH_MSG = "key store path";
private static final String KEYSTORE_TYPE_MSG = "key store type";
private static final String SUBJECT_DN_MSG = "subject DN";
private static final String CERT_ALIAS_MSG = "certificate alias";
private static final String CERT_REQUEST_FILE_MSG =
"certificate request file";
// The parsed key store backing this certificate manager.
private KeyStore keyStore;
// The path to the key store that we should be using.
private final String keyStorePath;
// The name of the key store type we are using.
private final String keyStoreType;
private final char[] password;
private Boolean realAliases;
/**
* Always return true.
*
* @return This always returns true;
*/
public static boolean mayUseCertificateManager() {
return true;
}
/**
* Creates a new certificate manager instance with the provided information.
*
* @param keyStorePath The path to the key store file, or "NONE" if the key
* store type is "PKCS11". For the other key store
* types, the file does not need to exist if a new
* self-signed certificate or certificate signing
* request is to be generated, although the directory
* containing the file must exist. The key store file
* must exist if import or export operations are to be
* performed.
* @param keyStoreType The key store type to use. It should be one of
* {@code KEY_STORE_TYPE_JKS},
* {@code KEY_STORE_TYPE_JCEKS},
* {@code KEY_STORE_TYPE_PKCS11}, or
* {@code KEY_STORE_TYPE_PKCS12}.
* @param keyStorePassword The password required to access the key store.
* It must not be {@code null}.
* @throws IllegalArgumentException If an argument is invalid or {@code null}.
*
*/
public CertificateManager(String keyStorePath, String keyStoreType,
String keyStorePassword)
throws IllegalArgumentException {
ensureValid(keyStorePath, KEYSTORE_PATH_MSG);
ensureValid(keyStoreType, KEYSTORE_TYPE_MSG);
if (keyStoreType.equals(KEY_STORE_TYPE_PKCS11)) {
if (! keyStorePath.equals(KEY_STORE_PATH_PKCS11)) {
Message msg =
ERR_CERTMGR_INVALID_PKCS11_PATH.get(KEY_STORE_PATH_PKCS11);
throw new IllegalArgumentException(msg.toString());
}
} else if (keyStoreType.equals(KEY_STORE_TYPE_JKS) ||
keyStoreType.equals(KEY_STORE_TYPE_JCEKS) ||
keyStoreType.equals(KEY_STORE_TYPE_PKCS12)) {
File keyStoreFile = new File(keyStorePath);
if (keyStoreFile.exists()) {
if (! keyStoreFile.isFile()) {
Message msg = ERR_CERTMGR_INVALID_KEYSTORE_PATH.get(keyStorePath);
throw new IllegalArgumentException(msg.toString());
}
} else {
final File keyStoreDirectory = keyStoreFile.getParentFile();
if ((keyStoreDirectory == null) || (! keyStoreDirectory.exists()) ||
(! keyStoreDirectory.isDirectory())) {
Message msg = ERR_CERTMGR_INVALID_PARENT.get(keyStorePath);
throw new IllegalArgumentException(msg.toString());
}
}
} else {
Message msg = ERR_CERTMGR_INVALID_STORETYPE.get(
KEY_STORE_TYPE_JKS, KEY_STORE_TYPE_JCEKS,
KEY_STORE_TYPE_PKCS11, KEY_STORE_TYPE_PKCS12);
throw new IllegalArgumentException(msg.toString());
}
this.keyStorePath = keyStorePath;
this.keyStoreType = keyStoreType;
this.password =
keyStorePassword == null ? null : keyStorePassword.toCharArray();
keyStore = null;
}
/**
* Indicates whether the provided alias is in use in the key store.
*
* @param alias The alias for which to make the determination. It must not
* be {@code null} or empty.
*
* @return {@code true} if the key store exist and already contains a
* certificate with the given alias, or {@code false} if not.
*
* @throws KeyStoreException If a problem occurs while attempting to
* interact with the key store.
*/
public boolean aliasInUse(final String alias)
throws KeyStoreException {
ensureValid(alias, CERT_ALIAS_MSG);
KeyStore keyStore = getKeyStore();
if (keyStore == null)
return false;
return keyStore.containsAlias(alias);
}
/**
* Retrieves the aliases of the certificates in the specified key store.
*
* @return The aliases of the certificates in the specified key store, or
* {@code null} if the key store does not exist.
*
* @throws KeyStoreException If a problem occurs while attempting to
* interact with the key store.
*/
public String[] getCertificateAliases() throws KeyStoreException {
Enumeration aliasEnumeration = null;
KeyStore keyStore = getKeyStore();
if (keyStore == null)
return null;
aliasEnumeration = keyStore.aliases();
if (aliasEnumeration == null)
return new String[0];
ArrayList aliasList = new ArrayList();
while (aliasEnumeration.hasMoreElements())
aliasList.add(aliasEnumeration.nextElement());
String[] aliases = new String[aliasList.size()];
return aliasList.toArray(aliases);
}
/**
* Retrieves the certificate with the specified alias from the key store.
*
* @param alias The alias of the certificate to retrieve. It must not be
* {@code null} or empty.
*
* @return The requested certificate, or {@code null} if the specified
* certificate does not exist.
*
* @throws KeyStoreException If a problem occurs while interacting with the
* key store, or the key store does not exist..
*/
public Certificate getCertificate(String alias)
throws KeyStoreException {
ensureValid(alias, CERT_ALIAS_MSG);
Certificate cert = null;
KeyStore ks = getKeyStore();
if (ks == null) {
Message msg = ERR_CERTMGR_KEYSTORE_NONEXISTANT.get();
throw new KeyStoreException(msg.toString());
}
cert = ks.getCertificate(alias);
return cert;
}
/**
* Generates a self-signed certificate using the provided information.
*
* @param alias The nickname to use for the certificate in the key
* store. For the server certificate, it should generally
* be "server-cert". It must not be {@code null} or empty.
* @param subjectDN The subject DN to use for the certificate. It must not
* be {@code null} or empty.
* @param validity The length of time in days that the certificate should
* be valid, starting from the time the certificate is
* generated. It must be a positive integer value.
* @throws KeyStoreException If a problem occurs while actually attempting
* to generate the certificate in the key store.
*@throws IllegalArgumentException If the validity parameter is not a
* positive integer, or the alias is already
* in the keystore.
*/
public void generateSelfSignedCertificate(String alias, String subjectDN,
int validity)
throws KeyStoreException, IllegalArgumentException {
ensureValid(alias, CERT_ALIAS_MSG);
ensureValid(subjectDN, SUBJECT_DN_MSG);
if (validity <= 0) {
Message msg = ERR_CERTMGR_VALIDITY.get(validity);
throw new IllegalArgumentException(msg.toString());
}
if (aliasInUse(alias)) {
Message msg = ERR_CERTMGR_ALIAS_ALREADY_EXISTS.get(alias);
throw new IllegalArgumentException(msg.toString());
}
keyStore = null;
Platform.generateSelfSignedCertificate(getKeyStore(), keyStoreType,
keyStorePath, alias, password, subjectDN, validity);
}
/**
* Adds the provided certificate to the key store. This may be used to
* associate an externally-signed certificate with an existing private key
* with the given alias.
*
* @param alias The alias to use for the certificate. It must not
* be {@code null} or empty.
* @param certificateFile The file containing the encoded certificate. It
* must not be {@code null}, and the file must exist.
* @throws KeyStoreException If a problem occurs while interacting with the
* key store.
*
*@throws IllegalArgumentException If the certificate file is not valid.
*/
public void addCertificate(String alias, File certificateFile)
throws KeyStoreException, IllegalArgumentException {
ensureValid(alias, CERT_ALIAS_MSG);
ensureFileValid(certificateFile, CERT_REQUEST_FILE_MSG);
if ((! certificateFile.exists()) ||
(! certificateFile.isFile())) {
Message msg = ERR_CERTMGR_INVALID_CERT_FILE.get(
certificateFile.getAbsolutePath());
throw new IllegalArgumentException(msg.toString());
}
keyStore = null;
Platform.addCertificate(getKeyStore(), keyStoreType, keyStorePath, alias,
password, certificateFile.getAbsolutePath());
}
/**
* Removes the specified certificate from the key store.
*
* @param alias The alias to use for the certificate to remove. It must not
* be {@code null} or an empty string, and it must exist in
* the key store.
*
* @throws KeyStoreException If a problem occurs while interacting with the
* key store.
*@throws IllegalArgumentException If the alias is in use and cannot be
* deleted.
*/
public void removeCertificate(String alias)
throws KeyStoreException, IllegalArgumentException {
ensureValid(alias, CERT_ALIAS_MSG);
if (!aliasInUse(alias)) {
Message msg = ERR_CERTMGR_ALIAS_CAN_NOT_DELETE.get(alias);
throw new IllegalArgumentException(msg.toString());
}
keyStore = null;
Platform.deleteAlias(getKeyStore(), keyStorePath, alias, password);
}
/**
* Retrieves a handle to the key store.
*
* @return The handle to the key store, or {@code null} if the key store
* doesn't exist.
*
* @throws KeyStoreException If a problem occurs while trying to open the
* key store.
*/
private KeyStore getKeyStore()
throws KeyStoreException
{
if (keyStore != null)
{
return keyStore;
}
// For JKS and PKCS12 key stores, we should make sure the file exists, and
// we'll need an input stream that we can use to read it. For PKCS11 key
// stores there won't be a file and the input stream should be null.
FileInputStream keyStoreInputStream = null;
if (keyStoreType.equals(KEY_STORE_TYPE_JKS) ||
keyStoreType.equals(KEY_STORE_TYPE_JCEKS) ||
keyStoreType.equals(KEY_STORE_TYPE_PKCS12))
{
final File keyStoreFile = new File(keyStorePath);
if (! keyStoreFile.exists())
{
return null;
}
try
{
keyStoreInputStream = new FileInputStream(keyStoreFile);
}
catch (final Exception e)
{
throw new KeyStoreException(String.valueOf(e), e);
}
}
final KeyStore keyStore = KeyStore.getInstance(keyStoreType);
try
{
keyStore.load(keyStoreInputStream, password);
return this.keyStore = keyStore;
}
catch (final Exception e)
{
throw new KeyStoreException(String.valueOf(e), e);
}
finally
{
if (keyStoreInputStream != null)
{
try
{
keyStoreInputStream.close();
}
catch (final Throwable t)
{
}
}
}
}
/**
* Returns whether this certificate manager contains 'real' aliases or not.
* For instance, the certificate manager can contain a PKCS12 certificate
* with no alias.
* @return whether this certificate manager contains 'real' aliases or not.
* @throws KeyStoreException if there is a problem accessing the key store.
*/
public boolean hasRealAliases() throws KeyStoreException
{
if (realAliases == null)
{
String[] aliases = getCertificateAliases();
if (aliases == null || aliases.length == 0)
{
realAliases = Boolean.FALSE;
}
else if (aliases.length > 1)
{
realAliases = Boolean.TRUE;
}
else
{
CertificateManager certManager2 = new CertificateManager(keyStorePath,
keyStoreType, new String(password));
String[] aliases2 = certManager2.getCertificateAliases();
if (aliases2 != null && aliases2.length == 1)
{
realAliases = aliases[0].equalsIgnoreCase(aliases2[0]);
}
else
{
realAliases = Boolean.FALSE;
}
}
}
return realAliases;
}
private static void ensureFileValid(File arg, String msgStr) {
if(arg == null) {
Message msg = ERR_CERTMGR_FILE_NAME_INVALID.get(msgStr);
throw new NullPointerException(msg.toString());
}
}
private static void ensureValid(String arg, String msgStr) {
if(arg == null || arg.length() == 0) {
Message msg = ERR_CERTMGR_VALUE_INVALID.get(msgStr);
throw new NullPointerException(msg.toString());
}
}
}