CryptoManagerSync.java revision 5081e9ab01cd629017696999c99b593b6d746f63
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License, Version 1.0 only
* (the "License"). You may not use this file except in compliance
* with the License.
*
* You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at legal-notices/CDDLv1_0.txt.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information:
* Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*
*
* Copyright 2008-2010 Sun Microsystems, Inc.
* Portions Copyright 2014 ForgeRock AS
*/
/**
* This class defines an object that synchronizes certificates from the admin
* data branch into the trust store backend, and synchronizes secret-key entries
* from the admin data branch to the crypto manager secret-key cache.
*/
public class CryptoManagerSync extends InternalDirectoryServerPlugin
implements BackendInitializationListener
{
/** The debug log tracer for this object. */
/** The DN of the administration suffix. */
private DN adminSuffixDN;
/** The DN of the instance keys container within the admin suffix. */
private DN instanceKeysDN;
/** The DN of the secret keys container within the admin suffix. */
private DN secretKeysDN;
/** The DN of the trust store root. */
private DN trustStoreRootDN;
/** The attribute type that is used to specify a server instance certificate. */
private final AttributeType attrCert;
/** The attribute type that holds a server certificate identifier. */
private final AttributeType attrAlias;
/** The attribute type that holds the time a key was compromised. */
private final AttributeType attrCompromisedTime;
/** A filter on object class to select key entries. */
private SearchFilter keySearchFilter;
/** The instance key objectclass. */
private final ObjectClass ocInstanceKey;
/** The cipher key objectclass. */
private final ObjectClass ocCipherKey;
/** The mac key objectclass. */
private final ObjectClass ocMacKey;
/** Dummy configuration DN. */
/**
* Creates a new instance of this trust store synchronization thread.
*
* @throws InitializationException in case an exception occurs during
* initialization, such as a failure to publish the instance-key-pair
* public-key-certificate in ADS.
*/
public CryptoManagerSync() throws InitializationException
{
// No implementation required for modify_dn operations
// FIXME: Technically it is possible to perform a subtree modDN
// in this case however such subtree modDN would essentially be
// moving configuration branches which should not happen.
true);
try {
}
catch (CryptoManagerException ex) {
}
try
{
")");
}
catch (DirectoryException e)
{
}
ConfigConstants.ATTR_CRYPTO_KEY_ID, true);
{
}
}
{
try
{
}
catch (DirectoryException e)
{
throw new RuntimeException(e);
}
}
private void searchAdminSuffix()
{
SearchRequest request = newSearchRequest(adminSuffixDN, SearchScope.WHOLE_SUBTREE, keySearchFilter);
{
}
{
try
{
}
catch (DirectoryException e)
{
logger.traceException(e);
}
}
}
/** {@inheritDoc} */
{
{
{
{
}
}
}
}
/** {@inheritDoc} */
{
// No implementation required.
}
throws DirectoryException
{
{
}
else
{
try
{
{
}
{
}
}
catch (CryptoManagerException e)
{
throw new DirectoryException(
}
}
}
throws DirectoryException
{
// Only process the entry if it has the expected form of RDN.
if (!srcRDN.isMultiValued() &&
{
// Extract any change notification control.
try
{
{
{
if (c instanceof LDAPControl)
{
}
else
{
}
}
}
}
catch (DirectoryException e)
{
// ignore
}
// Get any existing local trust store entry.
{
// entry was deleted so remove it from the local trust store
{
}
}
{
// key was compromised so remove it from the local trust store
{
}
}
{
// The entry was added
}
else
{
// The entry was modified
}
}
}
/**
* Modify an entry in the local trust store if it differs from an entry in
* the ADS branch.
* @param srcEntry The instance key entry in the ADS branch.
* @param dstEntry The local trust store entry.
*/
{
// Check for changes to the certificate value.
boolean differ = false;
{
{
differ = true;
}
}
{
differ = true;
}
if (differ)
{
// The trust store backend does not implement modify so we need to
// delete then add.
}
}
/**
* Delete an entry from the local trust store.
* @param dstDN The DN of the entry to be deleted in the local trust store.
*/
{
{
}
}
/**
* Add an entry to the local trust store.
* @param srcEntry The instance key entry in the ADS branch.
* @param dstDN The DN of the entry to be added in the local trust store.
*/
{
{
}
{
}
{
}
}
/** {@inheritDoc} */
{
{
return PostResponse.continueOperationProcessing();
}
{
}
{
try
{
{
}
{
}
}
catch (CryptoManagerException e)
{
"Failed to import key entry: %s", e.getMessage()));
}
}
return PostResponse.continueOperationProcessing();
}
{
// Only process the entry if it has the expected form of RDN.
if (!srcRDN.isMultiValued() &&
{
{
}
}
}
/** {@inheritDoc} */
{
{
return PostResponse.continueOperationProcessing();
}
// Only process the entry if it has the expected form of RDN.
// FIXME: Technically it is possible to perform a subtree in
// this case however such subtree delete would essentially be
// removing configuration branches which should not happen.
if (!srcRDN.isMultiValued() &&
{
}
return PostResponse.continueOperationProcessing();
}
/** {@inheritDoc} */
{
{
return PostResponse.continueOperationProcessing();
}
{
}
{
try
{
{
}
{
}
}
catch (CryptoManagerException e)
{
"Failed to import modified key entry: %s", e.getMessage()));
}
}
return PostResponse.continueOperationProcessing();
}
{
// Only process the entry if it has the expected form of RDN.
if (!srcRDN.isMultiValued() &&
{
// Get any existing local trust store entry.
try
{
}
catch (DirectoryException e)
{
// ignore
}
{
// The key was compromised so we should remove it from the local
// trust store.
{
}
}
{
}
else
{
}
}
}
}