From 4c55ac404b58f4dec46280fec2e662ffd1efdd8b Mon Sep 17 00:00:00 2001 From: Andrew Pielage Date: Mon, 11 May 2020 17:36:30 +0100 Subject: [PATCH 1/9] APPSERV-149 Initial asadmin commands for generating self-signed certs --- appserver/featuresets/payara-web/pom.xml | 6 + .../packager/certificate-management/pom.xml | 135 ++++++++++ .../main/assembly/certificate-management.xml | 56 ++++ appserver/packager/pom.xml | 1 + .../certificate-management/pom.xml | 78 ++++++ .../CertificateManagementUtils.java | 215 +++++++++++++++ .../GenerateSelfSignedCertificateCommand.java | 188 +++++++++++++ ...SignedCertificateLocalInstanceCommand.java | 247 ++++++++++++++++++ ...erateSelfSignedCertificateCommandTest.java | 66 +++++ appserver/payara-appserver-modules/pom.xml | 19 +- .../admin/servermgmt/KeystoreManager.java | 2 +- .../universal/xml/MiniXmlParser.java | 80 +++++- 12 files changed, 1071 insertions(+), 22 deletions(-) create mode 100644 appserver/packager/certificate-management/pom.xml create mode 100644 appserver/packager/certificate-management/src/main/assembly/certificate-management.xml create mode 100644 appserver/payara-appserver-modules/certificate-management/pom.xml create mode 100644 appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/CertificateManagementUtils.java create mode 100644 appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateCommand.java create mode 100644 appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateLocalInstanceCommand.java create mode 100644 appserver/payara-appserver-modules/certificate-management/src/test/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateCommandTest.java diff --git a/appserver/featuresets/payara-web/pom.xml b/appserver/featuresets/payara-web/pom.xml index 5f2fa387c66..b3e1d598d56 100644 --- a/appserver/featuresets/payara-web/pom.xml +++ b/appserver/featuresets/payara-web/pom.xml @@ -299,5 +299,11 @@ zip + + fish.payara.server.internal.packager + certificate-management + ${project.version} + zip + diff --git a/appserver/packager/certificate-management/pom.xml b/appserver/packager/certificate-management/pom.xml new file mode 100644 index 00000000000..06e60332965 --- /dev/null +++ b/appserver/packager/certificate-management/pom.xml @@ -0,0 +1,135 @@ + + + + + 4.0.0 + + fish.payara.server.internal.packager + packages + 5.2020.2-SNAPSHOT + + certificate-management + Payara Enterprise Certificate Management Package + distribution-fragment + This pom describes how to assemble the Payara Enterprise Certificate Management package + + + ${project.build.directory}/dependency + + + + + + org.apache.maven.plugins + maven-dependency-plugin + + + process-step1 + + + process-step2 + + + + + org.apache.maven.plugins + maven-assembly-plugin + + + process-step3 + + + + + + + + ips + + false + + + + + org.apache.maven.plugins + maven-antrun-plugin + + + process-step4 + + + + + org.glassfish.build + glassfishbuild-maven-plugin + + + process-step5 + + exec + + + + + + maven-resources-plugin + + + copy-resources + + + + + + + + + + + fish.payara.server.internal.payara-appserver-modules + certificate-management + ${project.version} + + + \ No newline at end of file diff --git a/appserver/packager/certificate-management/src/main/assembly/certificate-management.xml b/appserver/packager/certificate-management/src/main/assembly/certificate-management.xml new file mode 100644 index 00000000000..1fdf08aa705 --- /dev/null +++ b/appserver/packager/certificate-management/src/main/assembly/certificate-management.xml @@ -0,0 +1,56 @@ + + + + stage-package + + dir + + + false + + + ${temp.dir}/glassfish/modules + ${install.dir.name}/glassfish/lib/asadmin + + + \ No newline at end of file diff --git a/appserver/packager/pom.xml b/appserver/packager/pom.xml index ad304a1cf78..7eccb4756b7 100644 --- a/appserver/packager/pom.xml +++ b/appserver/packager/pom.xml @@ -173,6 +173,7 @@ microprofile-package opentracing-jaxws-package monitoring-console + certificate-management diff --git a/appserver/payara-appserver-modules/certificate-management/pom.xml b/appserver/payara-appserver-modules/certificate-management/pom.xml new file mode 100644 index 00000000000..af7087ed2f9 --- /dev/null +++ b/appserver/payara-appserver-modules/certificate-management/pom.xml @@ -0,0 +1,78 @@ + + + + 4.0.0 + + fish.payara.server.internal.payara-appserver-modules + payara-appserver-modules + 5.2020.2-SNAPSHOT + + certificate-management + glassfish-jar + Payara Certificate Management + Commands and Services for generating and managing SSL/TLS certificates + + + + fish.payara.server.internal.admin + admin-cli + ${project.version} + + + fish.payara.server.internal.admin + server-mgmt + ${project.version} + + + fish.payara.server.internal.cluster + cluster-common + ${project.version} + + + fish.payara.server.internal.cluster + cluster-cli + ${project.version} + + + diff --git a/appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/CertificateManagementUtils.java b/appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/CertificateManagementUtils.java new file mode 100644 index 00000000000..02b91c56972 --- /dev/null +++ b/appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/CertificateManagementUtils.java @@ -0,0 +1,215 @@ +/* + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. + * + * Copyright (c) 2020 Payara Foundation and/or its affiliates. All rights reserved. + * + * The contents of this file are subject to the terms of either the GNU + * General Public License Version 2 only ("GPL") or the Common Development + * and Distribution License("CDDL") (collectively, the "License"). You + * may not use this file except in compliance with the License. You can + * obtain a copy of the License at + * https://github.com/payara/Payara/blob/master/LICENSE.txt + * See the License for the specific + * language governing permissions and limitations under the License. + * + * When distributing the software, include this License Header Notice in each + * file and include the License file at glassfish/legal/LICENSE.txt. + * + * GPL Classpath Exception: + * The Payara Foundation designates this particular file as subject to the "Classpath" + * exception as provided by the Payara Foundation in the GPL Version 2 section of the License + * file that accompanied this code. + * + * Modifications: + * If applicable, add the following below the License Header, with the fields + * enclosed by brackets [] replaced by your own identifying information: + * "Portions Copyright [year] [name of copyright owner]" + * + * Contributor(s): + * If you wish your version of this file to be governed by only the CDDL or + * only the GPL Version 2, indicate your decision by adding "[Contributor] + * elects to include this software in this distribution under the [CDDL or GPL + * Version 2] license." If you don't indicate a single choice of license, a + * recipient has the option to distribute your version of this file under + * either the CDDL, the GPL Version 2 or to extend the choice of license to + * its licensees as provided above. However, if you add GPL Version 2 code + * and therefore, elected the GPL Version 2 license, then the option applies + * only if the new code is made subject to such option by the copyright + * holder. + */ +package fish.payara.certificate.management; + +import com.sun.enterprise.universal.xml.MiniXmlParser; +import com.sun.enterprise.universal.xml.MiniXmlParserException; + +import java.io.File; +import java.util.Map; + +import static com.sun.enterprise.util.StringUtils.ok; + +public class CertificateManagementUtils { + + public static final String DEFAULT_KEYSTORE = "${com.sun.aas.instanceRoot}" + + File.separator + "config" + File.separator + "keystore.jks"; + public static final String DEFAULT_TRUSTSTORE = "${com.sun.aas.instanceRoot}" + + File.separator + "config" + File.separator + "cacerts.jks"; + + public static File resolveKeyStore(MiniXmlParser parser, String listener, File instanceDir) throws MiniXmlParserException { + File keystore = null; + if (listener != null) { + // Check if listener is an HTTP listener + keystore = getStoreFromHttpListeners(parser, listener, "key-store", instanceDir); + + if (keystore == null) { + // Check if listener is an IIOP listener + keystore = getStoreFromIiopListeners(parser, listener, "key-store", instanceDir); + } + } + + // Default to getting it from the JVM options if no non-default value found + if (keystore == null) { + keystore = getStoreFromJvmOptions(parser, "keyStore", instanceDir); + } + + // If it's STILL null, just go with default + if (keystore == null) { + keystore = new File(DEFAULT_KEYSTORE); + } + + return keystore; + } + + public static File resolveTrustStore(MiniXmlParser parser, String listener, File instanceDir) throws MiniXmlParserException { + File truststore = null; + if (listener != null) { + // Check if listener is an HTTP listener + truststore = getStoreFromHttpListeners(parser, listener, "trust-store", instanceDir); + + if (truststore == null) { + // Check if listener is an IIOP listener + truststore = getStoreFromIiopListeners(parser, listener, "trust-store", instanceDir); + } + } + + // Default to getting it from the JVM options if no non-default value found + if (truststore == null) { + truststore = getStoreFromJvmOptions(parser, "trustStore", instanceDir); + } + + // If it's STILL null, just go with default + if (truststore == null) { + truststore = new File(DEFAULT_TRUSTSTORE); + } + + return truststore; + } + + private static File getStoreFromHttpListeners(MiniXmlParser parser, String listener, String store, File instanceDir) throws MiniXmlParserException { + for (Map listenerAttributes : parser.getProtocolAttributes()) { + if (listenerAttributes.get("name").equals(listener)) { + // Get the keystore from the listener if it has a custom one + return getStoreFromListenerAttribute(listenerAttributes.get(store), instanceDir); + } + } + return null; + } + + private static File getStoreFromIiopListeners(MiniXmlParser parser, String listener, String store, File instanceDir) throws MiniXmlParserException { + for (Map listenerAttributes : parser.getIiopSslAttributes()) { + if (listenerAttributes.get("id").equals(listener)) { + // Get the keystore from the listener if it has a custom one + return getStoreFromListenerAttribute(listenerAttributes.get(store), instanceDir); + } + } + return null; + } + + private static File getStoreFromListenerAttribute(String storePath, File instanceDir) { + if (!ok(storePath)) { + return null; + } + + File store = new File(storePath); + if (!store.isAbsolute()) { + store = new File(instanceDir.getAbsolutePath() + File.separator + store.getPath()); + } + + return store; + } + + private static File getStoreFromJvmOptions(MiniXmlParser parser, String store, File instanceDir) throws MiniXmlParserException { + for (MiniXmlParser.JvmOption jvmOption : parser.getJvmOptions()) { + if (jvmOption.toString().startsWith("-Djavax.net.ssl." + store + "=")) { + return new File(jvmOption.toString().split("=")[1] + .replace("${com.sun.aas.instanceRoot}", instanceDir.getAbsolutePath())); + } + } + return null; + } + + public static String[] constructGenerateCertKeytoolCommand(File keystore, String password, String alias, String dname, String[] altnames) { + String[] keytoolCmd = new String[]{"-genkeypair", "-keyalg", "RSA", "-keystore", keystore.getAbsolutePath(), "-alias", alias, "-dname", dname, + "-validity", "365", "-keypass", password, "-storepass", password}; + + if (altnames != null && altnames.length != 0) { + keytoolCmd = addSubjectAlternativeNames(keytoolCmd, altnames); + } + + return keytoolCmd; + } + + protected static String[] addSubjectAlternativeNames(String[] keytoolCmd, String[] alternativeNames) { + // Create a new array to make room for the extra commands + String[] expandedKeytoolCmd = new String[keytoolCmd.length + 2]; + System.arraycopy(keytoolCmd, 0, expandedKeytoolCmd, 0, keytoolCmd.length); + + int i = keytoolCmd.length; + expandedKeytoolCmd[i] = "-ext"; + expandedKeytoolCmd[i + 1] = "SAN="; + + for (String altName : alternativeNames) { + // Check if the altname was provided without any additional info, assuming it's DNS if so + if (!altName.contains(",") && !altName.contains(":")) { + expandedKeytoolCmd[i + 1] += "DNS:" + altName; + } else { + expandedKeytoolCmd[i + 1] += altName; + } + expandedKeytoolCmd[i + 1] += ","; + } + + // Remove trailing comma + expandedKeytoolCmd[i + 1] = expandedKeytoolCmd[i + 1].substring(0, expandedKeytoolCmd[i + 1].length() - 1); + + return expandedKeytoolCmd; + } + + public static String[] constructImportCertKeytoolCommand(File keystore, File truststore, String password, String alias) { + String[] keytoolCmd = new String[]{"-importkeystore", "-srckeystore", keystore.getAbsolutePath(), + "-destkeystore", truststore.getAbsolutePath(), "-srcalias", alias, "-destalias", alias, + "-srcstorepass", password, "-deststorepass", password, + "-srckeypass", password, "-destkeypass", password}; + + return keytoolCmd; + } + + public static String getPasswordFromListener(MiniXmlParser parser, String listener) throws MiniXmlParserException { + String password = ""; + for (Map listenerAttributes : parser.getProtocolAttributes()) { + if (listenerAttributes.get("name").equals(listener)) { + // Get the keystore from the listener if it has a custom one + password = listenerAttributes.get("password"); + } + } + + if (!ok(password)) { + for (Map listenerAttributes : parser.getIiopSslAttributes()) { + if (listenerAttributes.get("id").equals(listener)) { + // Get the keystore from the listener if it has a custom one + password = listenerAttributes.get("password"); + } + } + } + + return password; + } +} diff --git a/appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateCommand.java b/appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateCommand.java new file mode 100644 index 00000000000..3a0f35ee15f --- /dev/null +++ b/appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateCommand.java @@ -0,0 +1,188 @@ +/* + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. + * + * Copyright (c) 2020 Payara Foundation and/or its affiliates. All rights reserved. + * + * The contents of this file are subject to the terms of either the GNU + * General Public License Version 2 only ("GPL") or the Common Development + * and Distribution License("CDDL") (collectively, the "License"). You + * may not use this file except in compliance with the License. You can + * obtain a copy of the License at + * https://github.com/payara/Payara/blob/master/LICENSE.txt + * See the License for the specific + * language governing permissions and limitations under the License. + * + * When distributing the software, include this License Header Notice in each + * file and include the License file at glassfish/legal/LICENSE.txt. + * + * GPL Classpath Exception: + * The Payara Foundation designates this particular file as subject to the "Classpath" + * exception as provided by the Payara Foundation in the GPL Version 2 section of the License + * file that accompanied this code. + * + * Modifications: + * If applicable, add the following below the License Header, with the fields + * enclosed by brackets [] replaced by your own identifying information: + * "Portions Copyright [year] [name of copyright owner]" + * + * Contributor(s): + * If you wish your version of this file to be governed by only the CDDL or + * only the GPL Version 2, indicate your decision by adding "[Contributor] + * elects to include this software in this distribution under the [CDDL or GPL + * Version 2] license." If you don't indicate a single choice of license, a + * recipient has the option to distribute your version of this file under + * either the CDDL, the GPL Version 2 or to extend the choice of license to + * its licensees as provided above. However, if you add GPL Version 2 code + * and therefore, elected the GPL Version 2 license, then the option applies + * only if the new code is made subject to such option by the copyright + * holder. + */ +package fish.payara.certificate.management.admin; + +import com.sun.enterprise.admin.cli.CLICommand; +import com.sun.enterprise.admin.cli.CLIConstants; +import com.sun.enterprise.admin.cli.remote.RemoteCLICommand; +import com.sun.enterprise.admin.servermgmt.KeystoreManager; +import com.sun.enterprise.admin.servermgmt.RepositoryException; +import com.sun.enterprise.admin.servermgmt.cli.LocalDomainCommand; +import com.sun.enterprise.universal.xml.MiniXmlParser; +import com.sun.enterprise.universal.xml.MiniXmlParserException; +import com.sun.enterprise.util.SystemPropertyConstants; +import fish.payara.certificate.management.CertificateManagementUtils; +import org.glassfish.api.Param; +import org.glassfish.api.admin.CommandException; +import org.glassfish.hk2.api.PerLookup; +import org.glassfish.internal.api.Globals; +import org.jvnet.hk2.annotations.Service; + +import java.io.File; +import java.util.logging.Logger; + +@Service(name = "generate-self-signed-certificate") +@PerLookup +public class GenerateSelfSignedCertificateCommand extends LocalDomainCommand { + + private static final Logger logger = Logger.getLogger(CLICommand.class.getPackage().getName()); + private static final String helperCommandName = "_generate-self-signed-certificate-local-instance"; + + @Param(name = "domain_name", optional = true) + private String domainName0; + + @Param(name = "distinguishedname", alias = "dn") + private String dn; + + @Param(name = "alternativenames", optional = true, alias = "altnames", separator = ';') + private String[] altnames; + + @Param(name = "listener", optional = true) + private String listener; + + @Param(name = "target", optional = true, defaultValue = SystemPropertyConstants.DAS_SERVER_NAME) + private String target; + + @Param(name = "reload", optional = true) + private boolean reload; + + @Param(name = "alias", primary = true) + private String alias; + + private File keystore; + private File truststore; + + @Override + protected void validate() throws CommandException { + setDomainName(domainName0); + super.validate(); + } + + @Override + protected int executeCommand() throws CommandException { + // If we're targetting an instance that isn't the DAS, use a different command + if (target != null && !target.equals(SystemPropertyConstants.DAS_SERVER_NAME)) { +// RemoteCLICommand helperCommand = new RemoteCLICommand(helperCommandName, programOpts, env); + + String altnamesString = ""; + if (altnames != null) { + for (String altname : altnames) { + altnamesString += altname + ";"; + } + altnamesString = altnamesString.substring(0, altnamesString.length() - 1); + } + +// return helperCommand.execute(helperCommandName, +// "--distinguishedname", dn, +// "--alternativenames", altnamesString, +// "--listener", listener, +// "--instance_name", target, +// "--reload", String.valueOf(reload), +// "--alias", alias); + + GenerateSelfSignedCertificateLocalInstanceCommand helperCommand = Globals.getDefaultBaseServiceLocator().getService(GenerateSelfSignedCertificateLocalInstanceCommand.class); + + + + helperCommand.executeCommand(); + + + + + } + + String password = ""; + try { + MiniXmlParser parser = new MiniXmlParser(getDomainXml(), target); + keystore = CertificateManagementUtils.resolveKeyStore(parser, listener, getDomainRootDir()); + truststore = CertificateManagementUtils.resolveTrustStore(parser, listener, getDomainRootDir()); + password = getPassword(parser, listener); + } catch (MiniXmlParserException miniXmlParserException) { + throw new CommandException("Error parsing domain.xml", miniXmlParserException); + } + + // Run keytool command to generate self-signed cert and place in keystore + KeystoreManager.KeytoolExecutor keytoolExecutor = new KeystoreManager.KeytoolExecutor( + CertificateManagementUtils.constructGenerateCertKeytoolCommand( + keystore, password, alias, dn, altnames), + 60); + try { + keytoolExecutor.execute("certNotCreated", keystore); + } catch (RepositoryException re) { + logger.severe(re.getCause().getMessage() + .replace("keytool error: java.lang.Exception: ", "") + .replace("keytool error: java.io.IOException: ", "")); + return CLIConstants.ERROR; + } + + // Run keytool command to place self-signed cert in truststore + keytoolExecutor = new KeystoreManager.KeytoolExecutor(CertificateManagementUtils.constructImportCertKeytoolCommand( + keystore, truststore, password, alias), + 60); + + try { + keytoolExecutor.execute("certNotTrusted", keystore); + } catch (RepositoryException re) { + logger.severe(re.getCause().getMessage() + .replace("keytool error: java.lang.Exception: ", "") + .replace("keytool error: java.io.IOException: ", "")); + return CLIConstants.ERROR; + } + + + + return 0; + } + + private String getPassword(MiniXmlParser parser, String listener) throws MiniXmlParserException, CommandException { + String password = ""; + if (listener != null) { + // Check if listener has a password set + password = CertificateManagementUtils.getPasswordFromListener(parser, listener); + } + + // Default to using the master password + if (!ok(password)) { + password = getMasterPassword(); + } + + return password; + } +} \ No newline at end of file diff --git a/appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateLocalInstanceCommand.java b/appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateLocalInstanceCommand.java new file mode 100644 index 00000000000..aa937d1f748 --- /dev/null +++ b/appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateLocalInstanceCommand.java @@ -0,0 +1,247 @@ +/* + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. + * + * Copyright (c) 2020 Payara Foundation and/or its affiliates. All rights reserved. + * + * The contents of this file are subject to the terms of either the GNU + * General Public License Version 2 only ("GPL") or the Common Development + * and Distribution License("CDDL") (collectively, the "License"). You + * may not use this file except in compliance with the License. You can + * obtain a copy of the License at + * https://github.com/payara/Payara/blob/master/LICENSE.txt + * See the License for the specific + * language governing permissions and limitations under the License. + * + * When distributing the software, include this License Header Notice in each + * file and include the License file at glassfish/legal/LICENSE.txt. + * + * GPL Classpath Exception: + * The Payara Foundation designates this particular file as subject to the "Classpath" + * exception as provided by the Payara Foundation in the GPL Version 2 section of the License + * file that accompanied this code. + * + * Modifications: + * If applicable, add the following below the License Header, with the fields + * enclosed by brackets [] replaced by your own identifying information: + * "Portions Copyright [year] [name of copyright owner]" + * + * Contributor(s): + * If you wish your version of this file to be governed by only the CDDL or + * only the GPL Version 2, indicate your decision by adding "[Contributor] + * elects to include this software in this distribution under the [CDDL or GPL + * Version 2] license." If you don't indicate a single choice of license, a + * recipient has the option to distribute your version of this file under + * either the CDDL, the GPL Version 2 or to extend the choice of license to + * its licensees as provided above. However, if you add GPL Version 2 code + * and therefore, elected the GPL Version 2 license, then the option applies + * only if the new code is made subject to such option by the copyright + * holder. + */ +package fish.payara.certificate.management.admin; + +import com.sun.enterprise.admin.cli.CLICommand; +import com.sun.enterprise.admin.cli.CLIConstants; +import com.sun.enterprise.admin.cli.cluster.LocalInstanceCommand; +import com.sun.enterprise.admin.cli.remote.RemoteCLICommand; +import com.sun.enterprise.admin.servermgmt.KeystoreManager; +import com.sun.enterprise.admin.servermgmt.RepositoryException; +import com.sun.enterprise.universal.xml.MiniXmlParser; +import com.sun.enterprise.universal.xml.MiniXmlParserException; +import com.sun.enterprise.util.SystemPropertyConstants; +import com.sun.enterprise.util.cluster.SyncRequest; +import com.sun.enterprise.util.io.FileUtils; +import fish.payara.certificate.management.CertificateManagementUtils; +import org.glassfish.api.Param; +import org.glassfish.api.admin.CommandException; +import org.glassfish.common.util.admin.AuthTokenManager; +import org.glassfish.hk2.api.PerLookup; +import org.jvnet.hk2.annotations.Service; + +import javax.xml.bind.JAXBContext; +import javax.xml.bind.JAXBException; +import javax.xml.bind.Marshaller; +import javax.xml.bind.PropertyException; +import java.io.File; +import java.io.IOException; +import java.util.ArrayList; +import java.util.List; +import java.util.logging.Logger; + +@Service(name = "_generate-self-signed-certificate-local-instance") +@PerLookup +public class GenerateSelfSignedCertificateLocalInstanceCommand extends LocalInstanceCommand { + + private static final Logger logger = Logger.getLogger(CLICommand.class.getPackage().getName()); + + @Param(name = "distinguishedname", alias = "dn") + private String dn; + + @Param(name = "alternativenames", optional = true, alias = "altnames", separator = ';') + private String[] altnames; + + @Param(name = "listener", optional = true) + private String listener; + + @Param(name = "reload", optional = true) + private boolean reload; + + @Param(name = "alias") + private String alias; + + @Param(name = "instance_name", primary = true, optional = true) + private String instanceName0; + + private File keystore; + private File truststore; + + @Override + protected void validate() throws CommandException { + if (ok(instanceName0)) + instanceName = instanceName0; + super.validate(); + } + + @Override + protected int executeCommand() throws CommandException { + String password = ""; + + try { + MiniXmlParser parser = new MiniXmlParser(getDomainXml(), instanceName0); + keystore = CertificateManagementUtils.resolveKeyStore(parser, listener, instanceDir); + truststore = CertificateManagementUtils.resolveTrustStore(parser, listener, instanceDir); + password = getPassword(parser, listener); + } catch (MiniXmlParserException miniXmlParserException) { + throw new CommandException("Error parsing domain.xml", miniXmlParserException); + } + + // If the target is not the DAS and is configured to use the default key or trust store, sync with the + // DAS instead + boolean defaultKeystore = keystore.getAbsolutePath() + .equals(CertificateManagementUtils.DEFAULT_KEYSTORE + .replace("${com.sun.aas.instanceRoot}", instanceDir.getAbsolutePath())); + boolean defaultTruststore = truststore.getAbsolutePath() + .equals(CertificateManagementUtils.DEFAULT_TRUSTSTORE + .replace("${com.sun.aas.instanceRoot}", instanceDir.getAbsolutePath())); + + if (defaultKeystore || defaultTruststore) { + logger.warning("The target instance is using the default key or trust store, any new certificates" + + " added directly to instance stores would be lost upon next sync."); + if (reload) { + logger.warning("Syncing with the DAS instead of generating a new certificate"); + synchroniseInstance(defaultKeystore, defaultTruststore); + + // Reload Keystore and Truststores + // TO-DO + + return CLIConstants.WARNING; + } else { + logger.info("Skipping sync with the DAS since --reload wasn't enabled"); + return CLIConstants.WARNING; + } + } + + + // Run keytool command to generate self-signed cert + KeystoreManager.KeytoolExecutor keytoolExecutor = new KeystoreManager.KeytoolExecutor( + CertificateManagementUtils.constructGenerateCertKeytoolCommand(keystore, password, alias, dn, altnames), + 60); + try { + keytoolExecutor.execute("keystoreNotCreated", keystore); + } catch (RepositoryException re) { + logger.severe(re.getCause().getMessage() + .replace("keytool error: java.lang.Exception: ", "") + .replace("keytool error: java.io.IOException: ", "")); + return CLIConstants.ERROR; + } + + // Run keytool command to place self-signed cert in truststore + keytoolExecutor = new KeystoreManager.KeytoolExecutor(CertificateManagementUtils.constructImportCertKeytoolCommand( + keystore, truststore, password, alias), + 60); + + try { + keytoolExecutor.execute("certNotTrusted", keystore); + } catch (RepositoryException re) { + logger.severe(re.getCause().getMessage() + .replace("keytool error: java.lang.Exception: ", "") + .replace("keytool error: java.io.IOException: ", "")); + return CLIConstants.ERROR; + } + + + return 0; + } + + private void synchroniseInstance(boolean defaultKeystore, boolean defaultTruststore) throws CommandException { + // Because we reuse the command, we also need to reuse the auth token (if one is present). + final String origAuthToken = programOpts.getAuthToken(); + if (origAuthToken != null) { + programOpts.setAuthToken(AuthTokenManager.markTokenForReuse(origAuthToken)); + } + + try { + RemoteCLICommand syncCmd = new RemoteCLICommand("_synchronize-files", programOpts, env); + + File tempFile = File.createTempFile("mt.", ".xml"); + FileUtils.deleteOnExit(tempFile); + JAXBContext context = JAXBContext.newInstance(SyncRequest.class); + + Marshaller marshaller = context.createMarshaller(); + marshaller.setProperty("jaxb.formatted.output", Boolean.TRUE); + + if (defaultKeystore && defaultTruststore) { + List filesToSync = new ArrayList<>(); + filesToSync.add(keystore); + filesToSync.add(truststore); + marshaller.marshal(createSyncRequest(filesToSync), tempFile); + } else if (defaultKeystore) { + marshaller.marshal(createSyncRequest(keystore), tempFile); + } else if (defaultTruststore) { + marshaller.marshal(createSyncRequest(truststore), tempFile); + } + + syncCmd.executeAndReturnOutput("_synchronize-files", "--upload=true", tempFile.getPath()); + } catch (IOException e) { + e.printStackTrace(); + } catch (PropertyException e) { + e.printStackTrace(); + } catch (JAXBException e) { + e.printStackTrace(); + } + + } + + private SyncRequest createSyncRequest(File fileToSync) { + List filesToSync = new ArrayList<>(); + filesToSync.add(fileToSync); + return createSyncRequest(filesToSync); + } + + private SyncRequest createSyncRequest(List filesToSync) { + SyncRequest syncRequest = new SyncRequest(); + syncRequest.instance = instanceName0; + syncRequest.dir = "config"; + + for (File fileToSync : filesToSync) { + syncRequest.files.add(new SyncRequest.ModTime(new File(instanceDir + File.separator + "config").toURI() + .relativize(fileToSync.toURI()).getPath(), System.currentTimeMillis())); + } + + return syncRequest; + } + + private String getPassword(MiniXmlParser parser, String listener) throws MiniXmlParserException, CommandException { + String password = ""; + if (listener != null) { + // Check if listener has a password set + password = CertificateManagementUtils.getPasswordFromListener(parser, listener); + } + + // Default to using the master password + if (ok(password)) { + password = getMasterPassword(); + } + + return password; + } +} diff --git a/appserver/payara-appserver-modules/certificate-management/src/test/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateCommandTest.java b/appserver/payara-appserver-modules/certificate-management/src/test/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateCommandTest.java new file mode 100644 index 00000000000..b0904c13b03 --- /dev/null +++ b/appserver/payara-appserver-modules/certificate-management/src/test/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateCommandTest.java @@ -0,0 +1,66 @@ +/* + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. + * + * Copyright (c) 2020 Payara Foundation and/or its affiliates. All rights reserved. + * + * The contents of this file are subject to the terms of either the GNU + * General Public License Version 2 only ("GPL") or the Common Development + * and Distribution License("CDDL") (collectively, the "License"). You + * may not use this file except in compliance with the License. You can + * obtain a copy of the License at + * https://github.com/payara/Payara/blob/master/LICENSE.txt + * See the License for the specific + * language governing permissions and limitations under the License. + * + * When distributing the software, include this License Header Notice in each + * file and include the License file at glassfish/legal/LICENSE.txt. + * + * GPL Classpath Exception: + * The Payara Foundation designates this particular file as subject to the "Classpath" + * exception as provided by the Payara Foundation in the GPL Version 2 section of the License + * file that accompanied this code. + * + * Modifications: + * If applicable, add the following below the License Header, with the fields + * enclosed by brackets [] replaced by your own identifying information: + * "Portions Copyright [year] [name of copyright owner]" + * + * Contributor(s): + * If you wish your version of this file to be governed by only the CDDL or + * only the GPL Version 2, indicate your decision by adding "[Contributor] + * elects to include this software in this distribution under the [CDDL or GPL + * Version 2] license." If you don't indicate a single choice of license, a + * recipient has the option to distribute your version of this file under + * either the CDDL, the GPL Version 2 or to extend the choice of license to + * its licensees as provided above. However, if you add GPL Version 2 code + * and therefore, elected the GPL Version 2 license, then the option applies + * only if the new code is made subject to such option by the copyright + * holder. + */ +package fish.payara.certificate.management.admin; + +import fish.payara.certificate.management.CertificateManagementUtils; +import org.junit.Assert; +import org.junit.Test; + +public class GenerateSelfSignedCertificateCommandTest extends CertificateManagementUtils { + + @Test + public void testAddSubjectAlternativeNames() { + String[] keytoolCmd = new String[]{"-genkeypair", "-keyalg", "RSA", "-keystore", "/dev/null", "-alias", + "my_test_cert", "-dname", "CN=test.payara.fish", "-validity", "365"}; + + String[] alternativeNames = new String[]{"testy.payara.fish", + "testyroo.payara.fish", + "DNS:wibbles.payara.fish,IP:127.0.0.1,EMAIL:anon@payara.fish", + "EMAIL:anon@ee.mouse,DNS:wobbles.payara.fish"}; + + String[] expandedKeytoolCommand = addSubjectAlternativeNames(keytoolCmd, alternativeNames); + + Assert.assertArrayEquals(new String[]{"-genkeypair", "-keyalg", "RSA", "-keystore", "/dev/null", "-alias", + "my_test_cert", "-dname", "CN=test.payara.fish", "-validity", "365", "-ext", + "SAN=DNS:testy.payara.fish,DNS:testyroo.payara.fish,DNS:wibbles.payara.fish," + + "IP:127.0.0.1,EMAIL:anon@payara.fish,EMAIL:anon@ee.mouse,DNS:wobbles.payara.fish"}, + expandedKeytoolCommand); + } +} diff --git a/appserver/payara-appserver-modules/pom.xml b/appserver/payara-appserver-modules/pom.xml index 2c9cdb498e4..6a84f7fd920 100644 --- a/appserver/payara-appserver-modules/pom.xml +++ b/appserver/payara-appserver-modules/pom.xml @@ -74,20 +74,11 @@ opentracing-cdi jaxrs-client-tracing yubikey-authentication + certificate-management + microprofile + security-oauth2 + security-openid + healthcheck-checker - - - jdk8 - - [1.8,) - - - microprofile - security-oauth2 - security-openid - healthcheck-checker - - - diff --git a/nucleus/admin/server-mgmt/src/main/java/com/sun/enterprise/admin/servermgmt/KeystoreManager.java b/nucleus/admin/server-mgmt/src/main/java/com/sun/enterprise/admin/servermgmt/KeystoreManager.java index c1c24b7cc2e..e704cdf1a02 100644 --- a/nucleus/admin/server-mgmt/src/main/java/com/sun/enterprise/admin/servermgmt/KeystoreManager.java +++ b/nucleus/admin/server-mgmt/src/main/java/com/sun/enterprise/admin/servermgmt/KeystoreManager.java @@ -138,7 +138,7 @@ public class KeystoreManager { KEYTOOL_CMD = nonFinalKeyTool; } - protected static class KeytoolExecutor extends ProcessExecutor { + public static class KeytoolExecutor extends ProcessExecutor { public KeytoolExecutor(String[] args, long timeoutInSeconds) { super(args, timeoutInSeconds); diff --git a/nucleus/common/common-util/src/main/java/com/sun/enterprise/universal/xml/MiniXmlParser.java b/nucleus/common/common-util/src/main/java/com/sun/enterprise/universal/xml/MiniXmlParser.java index 474aabc7aeb..e39f6174480 100644 --- a/nucleus/common/common-util/src/main/java/com/sun/enterprise/universal/xml/MiniXmlParser.java +++ b/nucleus/common/common-util/src/main/java/com/sun/enterprise/universal/xml/MiniXmlParser.java @@ -168,6 +168,20 @@ public List getAdminAddresses() { return adminAddresses; } + public List> getProtocolAttributes() throws MiniXmlParserException { + if (!valid) { + throw new MiniXmlParserException(strings.get(INVALID)); + } + return protocolAttributes; + } + + public List> getIiopSslAttributes() throws MiniXmlParserException { + if (!valid) { + throw new MiniXmlParserException(strings.get(INVALID)); + } + return iiopSslAttributes; + } + /** * @deprecated use {@link #setupConfigDir(java.io.File)} instead */ @@ -534,6 +548,9 @@ private void parseConfig() throws XMLStreamException, EndDocumentException { case "security-service": populateAdminRealmProperties(); break; + case "iiop-service": + parseIiopService(); + break; default: skipTree(name); break; @@ -581,6 +598,52 @@ private void parseNetworkConfig() } } + /** + * Parses the IIOP service for the SSL enabled IIOP listeners + * @throws XMLStreamException + * @throws EndDocumentException + */ + private void parseIiopService() throws XMLStreamException, EndDocumentException { + // Cursor --> + while (true) { + int event = next(); + // Return when we get to the + if (event == END_ELEMENT) { + if ("iiop-service".equals(parser.getLocalName())) { + return; + } + } else if (event == START_ELEMENT) { + String name = parser.getLocalName(); + if (null == name) { + skipTree(name); + } else switch (name) { + // Cursor --> START_ELEMENT of + case "iiop-listener": + // Get attributes + Map iiopAttributes = parseAttributes(); + + // Skip to ssl config if present + while (true) { + skipToButNotPast("iiop-listener", "ssl"); + name = parser.getLocalName(); + if ("ssl".equals(name)) { + iiopAttributes.putAll(parseAttributes()); + // Only store attributes of SSL enabled IIOP listeners + iiopSslAttributes.add(iiopAttributes); + } else if ("iiop-listener".equals(name)) { + break; + } + } + break; + default: + skipTree(name); + break; + } + } + } + + } + private void parseSysPropsFromServer() throws XMLStreamException, EndDocumentException { // cursor --> // these are the system-properties that OVERRIDE the ones in the @@ -927,10 +990,12 @@ private void parseListeners() throws XMLStreamException, EndDocumentException { private void parseProtocols() throws XMLStreamException, EndDocumentException { // cursor --> START_ELEMENT of protocols while (true) { - skipToButNotPast("protocols", "protocol"); + skipToButNotPast("protocols", "protocol", "ssl"); final String name = parser.getLocalName(); if ("protocol".equals(name)) { protocolAttributes.add(parseAttributes()); + } else if ("ssl".equals(name)) { + protocolAttributes.get(protocolAttributes.size() - 1).putAll(parseAttributes()); } else if ("protocols".equals(name)) { break; } @@ -1131,20 +1196,21 @@ private static class EndDocumentException extends Exception { private String serverName; private String configRef; private List jvmOptions = new ArrayList<>(); - private List profilerJvmOptions = new ArrayList(); + private List profilerJvmOptions = new ArrayList<>(); private Map javaConfig; private Map profilerConfig = Collections.emptyMap(); - private Map profilerSysProps = new HashMap(); + private Map profilerSysProps = new HashMap<>(); private boolean valid = false; - private List adminAddresses = new ArrayList(); + private List adminAddresses = new ArrayList<>(); private String domainName; private static final LocalStringsImpl strings = new LocalStringsImpl(MiniXmlParser.class); private boolean monitoringEnabled = true; // Issue 12762 Absent element means monitoring-enabled=true by default private String adminRealm = null; private Map adminRealmProperties = null; - private List> vsAttributes = new ArrayList>(); - private List> listenerAttributes = new ArrayList>(); - private List> protocolAttributes = new ArrayList>(); + private List> vsAttributes = new ArrayList<>(); + private List> listenerAttributes = new ArrayList<>(); + private List> protocolAttributes = new ArrayList<>(); + private List> iiopSslAttributes = new ArrayList<>(); private boolean sawNetworkConfig; private boolean sawDefaultConfig; private boolean sawConfig; From 66693c7f52ef0c26d6a0f949de41df0330cebb83 Mon Sep 17 00:00:00 2001 From: Andrew Pielage Date: Tue, 26 May 2020 15:13:05 +0100 Subject: [PATCH 2/9] APPSERV-149 Move local instance command under original command --- .../GenerateSelfSignedCertificateCommand.java | 154 +++++++++-- ...SignedCertificateLocalInstanceCommand.java | 247 ------------------ 2 files changed, 126 insertions(+), 275 deletions(-) delete mode 100644 appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateLocalInstanceCommand.java diff --git a/appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateCommand.java b/appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateCommand.java index 3a0f35ee15f..1c4d9fcf058 100644 --- a/appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateCommand.java +++ b/appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateCommand.java @@ -41,7 +41,9 @@ import com.sun.enterprise.admin.cli.CLICommand; import com.sun.enterprise.admin.cli.CLIConstants; -import com.sun.enterprise.admin.cli.remote.RemoteCLICommand; +import com.sun.enterprise.admin.cli.Environment; +import com.sun.enterprise.admin.cli.ProgramOptions; +import com.sun.enterprise.admin.cli.cluster.SynchronizeInstanceCommand; import com.sun.enterprise.admin.servermgmt.KeystoreManager; import com.sun.enterprise.admin.servermgmt.RepositoryException; import com.sun.enterprise.admin.servermgmt.cli.LocalDomainCommand; @@ -52,7 +54,6 @@ import org.glassfish.api.Param; import org.glassfish.api.admin.CommandException; import org.glassfish.hk2.api.PerLookup; -import org.glassfish.internal.api.Globals; import org.jvnet.hk2.annotations.Service; import java.io.File; @@ -99,31 +100,9 @@ protected void validate() throws CommandException { protected int executeCommand() throws CommandException { // If we're targetting an instance that isn't the DAS, use a different command if (target != null && !target.equals(SystemPropertyConstants.DAS_SERVER_NAME)) { -// RemoteCLICommand helperCommand = new RemoteCLICommand(helperCommandName, programOpts, env); - - String altnamesString = ""; - if (altnames != null) { - for (String altname : altnames) { - altnamesString += altname + ";"; - } - altnamesString = altnamesString.substring(0, altnamesString.length() - 1); - } - -// return helperCommand.execute(helperCommandName, -// "--distinguishedname", dn, -// "--alternativenames", altnamesString, -// "--listener", listener, -// "--instance_name", target, -// "--reload", String.valueOf(reload), -// "--alias", alias); - - GenerateSelfSignedCertificateLocalInstanceCommand helperCommand = Globals.getDefaultBaseServiceLocator().getService(GenerateSelfSignedCertificateLocalInstanceCommand.class); - - - - helperCommand.executeCommand(); - - + GenerateSelfSignedCertificateLocalInstanceCommand helperCommand = new GenerateSelfSignedCertificateLocalInstanceCommand(programOpts, env); + helperCommand.validate(); + return helperCommand.executeCommand(); } @@ -167,7 +146,6 @@ protected int executeCommand() throws CommandException { } - return 0; } @@ -185,4 +163,124 @@ private String getPassword(MiniXmlParser parser, String listener) throws MiniXml return password; } + + private class GenerateSelfSignedCertificateLocalInstanceCommand extends SynchronizeInstanceCommand { + + public GenerateSelfSignedCertificateLocalInstanceCommand(ProgramOptions programOpts, Environment env) { + super.programOpts = programOpts; + super.env = env; + } + + @Override + protected void validate() throws CommandException { + if (ok(target)) + instanceName = target; + super.validate(); + } + + @Override + protected int executeCommand() throws CommandException { + String password = ""; + boolean alreadySynced = false; + try { + File domainXml = getDomainXml(); + if (!domainXml.exists()) { + logger.info("No domain.xml found, syncing with the DAS..."); + synchronizeInstance(); + alreadySynced = true; + } + + MiniXmlParser parser = new MiniXmlParser(domainXml, target); + keystore = CertificateManagementUtils.resolveKeyStore(parser, listener, instanceDir); + truststore = CertificateManagementUtils.resolveTrustStore(parser, listener, instanceDir); + password = getPassword(parser, listener); + } catch (MiniXmlParserException miniXmlParserException) { + throw new CommandException("Error parsing domain.xml", miniXmlParserException); + } + + // If the target is not the DAS and is configured to use the default key or trust store, sync with the + // DAS instead + boolean defaultKeystore = keystore.getAbsolutePath() + .equals(CertificateManagementUtils.DEFAULT_KEYSTORE + .replace("${com.sun.aas.instanceRoot}", instanceDir.getAbsolutePath())); + boolean defaultTruststore = truststore.getAbsolutePath() + .equals(CertificateManagementUtils.DEFAULT_TRUSTSTORE + .replace("${com.sun.aas.instanceRoot}", instanceDir.getAbsolutePath())); + + if (defaultKeystore || defaultTruststore) { + logger.warning("The target instance is using the default key or trust store, any new certificates" + + " added directly to instance stores would be lost upon next sync."); + if (reload) { + if (!alreadySynced) { + logger.warning("Syncing with the DAS instead of generating a new certificate"); + synchronizeInstance(); + } + + // Reload Keystore and Truststores + // TO-DO + } else { + logger.info("Skipping sync with the DAS since --reload wasn't enabled"); + } + + if (defaultKeystore && defaultTruststore) { + // Do nothing + } else if (defaultKeystore) { + logger.info("Please add self-signed certificate to truststore manually"); + // TO-DO + // logger.info("Look at using asadmin command 'add-to-truststore'"); + } else { + logger.info("Please add self-signed certificate to keystore manually"); + // TO-DO + // logger.info("Look at using asadmin command 'add-to-keystore'"); + } + + return CLIConstants.WARNING; + } + + // Run keytool command to generate self-signed cert + KeystoreManager.KeytoolExecutor keytoolExecutor = new KeystoreManager.KeytoolExecutor( + CertificateManagementUtils.constructGenerateCertKeytoolCommand(keystore, password, alias, dn, altnames), + 60); + try { + keytoolExecutor.execute("keystoreNotCreated", keystore); + } catch (RepositoryException re) { + logger.severe(re.getCause().getMessage() + .replace("keytool error: java.lang.Exception: ", "") + .replace("keytool error: java.io.IOException: ", "")); + return CLIConstants.ERROR; + } + + // Run keytool command to place self-signed cert in truststore + keytoolExecutor = new KeystoreManager.KeytoolExecutor(CertificateManagementUtils.constructImportCertKeytoolCommand( + keystore, truststore, password, alias), + 60); + + try { + keytoolExecutor.execute("certNotTrusted", keystore); + } catch (RepositoryException re) { + logger.severe(re.getCause().getMessage() + .replace("keytool error: java.lang.Exception: ", "") + .replace("keytool error: java.io.IOException: ", "")); + return CLIConstants.ERROR; + } + + + return 0; + } + + private String getPassword(MiniXmlParser parser, String listener) throws MiniXmlParserException, CommandException { + String password = ""; + if (listener != null) { + // Check if listener has a password set + password = CertificateManagementUtils.getPasswordFromListener(parser, listener); + } + + // Default to using the master password + if (ok(password)) { + password = getMasterPassword(); + } + + return password; + } + } } \ No newline at end of file diff --git a/appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateLocalInstanceCommand.java b/appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateLocalInstanceCommand.java deleted file mode 100644 index aa937d1f748..00000000000 --- a/appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateLocalInstanceCommand.java +++ /dev/null @@ -1,247 +0,0 @@ -/* - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. - * - * Copyright (c) 2020 Payara Foundation and/or its affiliates. All rights reserved. - * - * The contents of this file are subject to the terms of either the GNU - * General Public License Version 2 only ("GPL") or the Common Development - * and Distribution License("CDDL") (collectively, the "License"). You - * may not use this file except in compliance with the License. You can - * obtain a copy of the License at - * https://github.com/payara/Payara/blob/master/LICENSE.txt - * See the License for the specific - * language governing permissions and limitations under the License. - * - * When distributing the software, include this License Header Notice in each - * file and include the License file at glassfish/legal/LICENSE.txt. - * - * GPL Classpath Exception: - * The Payara Foundation designates this particular file as subject to the "Classpath" - * exception as provided by the Payara Foundation in the GPL Version 2 section of the License - * file that accompanied this code. - * - * Modifications: - * If applicable, add the following below the License Header, with the fields - * enclosed by brackets [] replaced by your own identifying information: - * "Portions Copyright [year] [name of copyright owner]" - * - * Contributor(s): - * If you wish your version of this file to be governed by only the CDDL or - * only the GPL Version 2, indicate your decision by adding "[Contributor] - * elects to include this software in this distribution under the [CDDL or GPL - * Version 2] license." If you don't indicate a single choice of license, a - * recipient has the option to distribute your version of this file under - * either the CDDL, the GPL Version 2 or to extend the choice of license to - * its licensees as provided above. However, if you add GPL Version 2 code - * and therefore, elected the GPL Version 2 license, then the option applies - * only if the new code is made subject to such option by the copyright - * holder. - */ -package fish.payara.certificate.management.admin; - -import com.sun.enterprise.admin.cli.CLICommand; -import com.sun.enterprise.admin.cli.CLIConstants; -import com.sun.enterprise.admin.cli.cluster.LocalInstanceCommand; -import com.sun.enterprise.admin.cli.remote.RemoteCLICommand; -import com.sun.enterprise.admin.servermgmt.KeystoreManager; -import com.sun.enterprise.admin.servermgmt.RepositoryException; -import com.sun.enterprise.universal.xml.MiniXmlParser; -import com.sun.enterprise.universal.xml.MiniXmlParserException; -import com.sun.enterprise.util.SystemPropertyConstants; -import com.sun.enterprise.util.cluster.SyncRequest; -import com.sun.enterprise.util.io.FileUtils; -import fish.payara.certificate.management.CertificateManagementUtils; -import org.glassfish.api.Param; -import org.glassfish.api.admin.CommandException; -import org.glassfish.common.util.admin.AuthTokenManager; -import org.glassfish.hk2.api.PerLookup; -import org.jvnet.hk2.annotations.Service; - -import javax.xml.bind.JAXBContext; -import javax.xml.bind.JAXBException; -import javax.xml.bind.Marshaller; -import javax.xml.bind.PropertyException; -import java.io.File; -import java.io.IOException; -import java.util.ArrayList; -import java.util.List; -import java.util.logging.Logger; - -@Service(name = "_generate-self-signed-certificate-local-instance") -@PerLookup -public class GenerateSelfSignedCertificateLocalInstanceCommand extends LocalInstanceCommand { - - private static final Logger logger = Logger.getLogger(CLICommand.class.getPackage().getName()); - - @Param(name = "distinguishedname", alias = "dn") - private String dn; - - @Param(name = "alternativenames", optional = true, alias = "altnames", separator = ';') - private String[] altnames; - - @Param(name = "listener", optional = true) - private String listener; - - @Param(name = "reload", optional = true) - private boolean reload; - - @Param(name = "alias") - private String alias; - - @Param(name = "instance_name", primary = true, optional = true) - private String instanceName0; - - private File keystore; - private File truststore; - - @Override - protected void validate() throws CommandException { - if (ok(instanceName0)) - instanceName = instanceName0; - super.validate(); - } - - @Override - protected int executeCommand() throws CommandException { - String password = ""; - - try { - MiniXmlParser parser = new MiniXmlParser(getDomainXml(), instanceName0); - keystore = CertificateManagementUtils.resolveKeyStore(parser, listener, instanceDir); - truststore = CertificateManagementUtils.resolveTrustStore(parser, listener, instanceDir); - password = getPassword(parser, listener); - } catch (MiniXmlParserException miniXmlParserException) { - throw new CommandException("Error parsing domain.xml", miniXmlParserException); - } - - // If the target is not the DAS and is configured to use the default key or trust store, sync with the - // DAS instead - boolean defaultKeystore = keystore.getAbsolutePath() - .equals(CertificateManagementUtils.DEFAULT_KEYSTORE - .replace("${com.sun.aas.instanceRoot}", instanceDir.getAbsolutePath())); - boolean defaultTruststore = truststore.getAbsolutePath() - .equals(CertificateManagementUtils.DEFAULT_TRUSTSTORE - .replace("${com.sun.aas.instanceRoot}", instanceDir.getAbsolutePath())); - - if (defaultKeystore || defaultTruststore) { - logger.warning("The target instance is using the default key or trust store, any new certificates" - + " added directly to instance stores would be lost upon next sync."); - if (reload) { - logger.warning("Syncing with the DAS instead of generating a new certificate"); - synchroniseInstance(defaultKeystore, defaultTruststore); - - // Reload Keystore and Truststores - // TO-DO - - return CLIConstants.WARNING; - } else { - logger.info("Skipping sync with the DAS since --reload wasn't enabled"); - return CLIConstants.WARNING; - } - } - - - // Run keytool command to generate self-signed cert - KeystoreManager.KeytoolExecutor keytoolExecutor = new KeystoreManager.KeytoolExecutor( - CertificateManagementUtils.constructGenerateCertKeytoolCommand(keystore, password, alias, dn, altnames), - 60); - try { - keytoolExecutor.execute("keystoreNotCreated", keystore); - } catch (RepositoryException re) { - logger.severe(re.getCause().getMessage() - .replace("keytool error: java.lang.Exception: ", "") - .replace("keytool error: java.io.IOException: ", "")); - return CLIConstants.ERROR; - } - - // Run keytool command to place self-signed cert in truststore - keytoolExecutor = new KeystoreManager.KeytoolExecutor(CertificateManagementUtils.constructImportCertKeytoolCommand( - keystore, truststore, password, alias), - 60); - - try { - keytoolExecutor.execute("certNotTrusted", keystore); - } catch (RepositoryException re) { - logger.severe(re.getCause().getMessage() - .replace("keytool error: java.lang.Exception: ", "") - .replace("keytool error: java.io.IOException: ", "")); - return CLIConstants.ERROR; - } - - - return 0; - } - - private void synchroniseInstance(boolean defaultKeystore, boolean defaultTruststore) throws CommandException { - // Because we reuse the command, we also need to reuse the auth token (if one is present). - final String origAuthToken = programOpts.getAuthToken(); - if (origAuthToken != null) { - programOpts.setAuthToken(AuthTokenManager.markTokenForReuse(origAuthToken)); - } - - try { - RemoteCLICommand syncCmd = new RemoteCLICommand("_synchronize-files", programOpts, env); - - File tempFile = File.createTempFile("mt.", ".xml"); - FileUtils.deleteOnExit(tempFile); - JAXBContext context = JAXBContext.newInstance(SyncRequest.class); - - Marshaller marshaller = context.createMarshaller(); - marshaller.setProperty("jaxb.formatted.output", Boolean.TRUE); - - if (defaultKeystore && defaultTruststore) { - List filesToSync = new ArrayList<>(); - filesToSync.add(keystore); - filesToSync.add(truststore); - marshaller.marshal(createSyncRequest(filesToSync), tempFile); - } else if (defaultKeystore) { - marshaller.marshal(createSyncRequest(keystore), tempFile); - } else if (defaultTruststore) { - marshaller.marshal(createSyncRequest(truststore), tempFile); - } - - syncCmd.executeAndReturnOutput("_synchronize-files", "--upload=true", tempFile.getPath()); - } catch (IOException e) { - e.printStackTrace(); - } catch (PropertyException e) { - e.printStackTrace(); - } catch (JAXBException e) { - e.printStackTrace(); - } - - } - - private SyncRequest createSyncRequest(File fileToSync) { - List filesToSync = new ArrayList<>(); - filesToSync.add(fileToSync); - return createSyncRequest(filesToSync); - } - - private SyncRequest createSyncRequest(List filesToSync) { - SyncRequest syncRequest = new SyncRequest(); - syncRequest.instance = instanceName0; - syncRequest.dir = "config"; - - for (File fileToSync : filesToSync) { - syncRequest.files.add(new SyncRequest.ModTime(new File(instanceDir + File.separator + "config").toURI() - .relativize(fileToSync.toURI()).getPath(), System.currentTimeMillis())); - } - - return syncRequest; - } - - private String getPassword(MiniXmlParser parser, String listener) throws MiniXmlParserException, CommandException { - String password = ""; - if (listener != null) { - // Check if listener has a password set - password = CertificateManagementUtils.getPasswordFromListener(parser, listener); - } - - // Default to using the master password - if (ok(password)) { - password = getMasterPassword(); - } - - return password; - } -} From d4c4aaf472eec07c933b2ec0a88d0f94b43e01c3 Mon Sep 17 00:00:00 2001 From: Andrew Pielage Date: Wed, 27 May 2020 15:37:59 +0100 Subject: [PATCH 3/9] APPSERV-149 Remove unnecessary reload parameter --- .../GenerateSelfSignedCertificateCommand.java | 18 +++--------------- 1 file changed, 3 insertions(+), 15 deletions(-) diff --git a/appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateCommand.java b/appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateCommand.java index 1c4d9fcf058..9ffa8a3ca64 100644 --- a/appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateCommand.java +++ b/appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateCommand.java @@ -81,9 +81,6 @@ public class GenerateSelfSignedCertificateCommand extends LocalDomainCommand { @Param(name = "target", optional = true, defaultValue = SystemPropertyConstants.DAS_SERVER_NAME) private String target; - @Param(name = "reload", optional = true) - private boolean reload; - @Param(name = "alias", primary = true) private String alias; @@ -103,8 +100,6 @@ protected int executeCommand() throws CommandException { GenerateSelfSignedCertificateLocalInstanceCommand helperCommand = new GenerateSelfSignedCertificateLocalInstanceCommand(programOpts, env); helperCommand.validate(); return helperCommand.executeCommand(); - - } String password = ""; @@ -145,7 +140,6 @@ protected int executeCommand() throws CommandException { return CLIConstants.ERROR; } - return 0; } @@ -210,16 +204,10 @@ protected int executeCommand() throws CommandException { if (defaultKeystore || defaultTruststore) { logger.warning("The target instance is using the default key or trust store, any new certificates" + " added directly to instance stores would be lost upon next sync."); - if (reload) { - if (!alreadySynced) { - logger.warning("Syncing with the DAS instead of generating a new certificate"); - synchronizeInstance(); - } - // Reload Keystore and Truststores - // TO-DO - } else { - logger.info("Skipping sync with the DAS since --reload wasn't enabled"); + if (!alreadySynced) { + logger.warning("Syncing with the DAS instead of generating a new certificate"); + synchronizeInstance(); } if (defaultKeystore && defaultTruststore) { From b5ae88989c9672fd3ea631e18dfdb7d0813e6aff Mon Sep 17 00:00:00 2001 From: Andrew Pielage Date: Fri, 29 May 2020 14:45:24 +0100 Subject: [PATCH 4/9] APPSERV-149 Add support for password aliases, remove redundant code, and add javadoc --- .../CertificateManagementUtils.java | 144 +++++++++++-- .../GenerateSelfSignedCertificateCommand.java | 194 +++++++++++------- .../admin/JCEKSDomainPasswordAliasStore.java | 61 ++++++ 3 files changed, 310 insertions(+), 89 deletions(-) create mode 100644 appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/admin/JCEKSDomainPasswordAliasStore.java diff --git a/appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/CertificateManagementUtils.java b/appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/CertificateManagementUtils.java index 02b91c56972..4bacf90e8b4 100644 --- a/appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/CertificateManagementUtils.java +++ b/appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/CertificateManagementUtils.java @@ -47,6 +47,11 @@ import static com.sun.enterprise.util.StringUtils.ok; +/** + * Helper methods for various Certificate Management commands. + * + * @author Andrew Pielage + */ public class CertificateManagementUtils { public static final String DEFAULT_KEYSTORE = "${com.sun.aas.instanceRoot}" @@ -54,7 +59,17 @@ public class CertificateManagementUtils { public static final String DEFAULT_TRUSTSTORE = "${com.sun.aas.instanceRoot}" + File.separator + "config" + File.separator + "cacerts.jks"; - public static File resolveKeyStore(MiniXmlParser parser, String listener, File instanceDir) throws MiniXmlParserException { + /** + * Determines and returns the key store. + * + * @param parser The {@link MiniXmlParser} for extracting info from the domain.xml + * @param listener The name of the HTTP or IIOP listener to get the key store from. Can be null. + * @param instanceDir The directory of the target instance, used for relative paths + * @return The key store of the target + * @throws MiniXmlParserException If there's an issue reading the domain.xml + */ + public static File resolveKeyStore(MiniXmlParser parser, String listener, File instanceDir) + throws MiniXmlParserException { File keystore = null; if (listener != null) { // Check if listener is an HTTP listener @@ -79,7 +94,17 @@ public static File resolveKeyStore(MiniXmlParser parser, String listener, File i return keystore; } - public static File resolveTrustStore(MiniXmlParser parser, String listener, File instanceDir) throws MiniXmlParserException { + /** + * Determines and returns the trust store. + * + * @param parser The {@link MiniXmlParser} for extracting info from the domain.xml + * @param listener The name of the HTTP or IIOP listener to get the trust store from. Can be null. + * @param instanceDir The directory of the target instance, used for relative paths + * @return The trust store of the target + * @throws MiniXmlParserException If there's an issue reading the domain.xml + */ + public static File resolveTrustStore(MiniXmlParser parser, String listener, File instanceDir) + throws MiniXmlParserException { File truststore = null; if (listener != null) { // Check if listener is an HTTP listener @@ -104,26 +129,56 @@ public static File resolveTrustStore(MiniXmlParser parser, String listener, File return truststore; } - private static File getStoreFromHttpListeners(MiniXmlParser parser, String listener, String store, File instanceDir) throws MiniXmlParserException { + /** + * Gets the store from a target HTTP listener + * + * @param parser The {@link MiniXmlParser} for extracting info from the domain.xml + * @param listener The name of the HTTP listener to get the store from. + * @param storeAttribute The name of the store attribute to get (should be "key-store" or "trust-store") + * @param instanceDir The directory of the target instance, used for relative paths + * @return The store of the target, or null if no matching listener or no store configured + * @throws MiniXmlParserException If there's an issue reading the domain.xml + */ + private static File getStoreFromHttpListeners(MiniXmlParser parser, String listener, + String storeAttribute, File instanceDir) throws MiniXmlParserException { for (Map listenerAttributes : parser.getProtocolAttributes()) { if (listenerAttributes.get("name").equals(listener)) { // Get the keystore from the listener if it has a custom one - return getStoreFromListenerAttribute(listenerAttributes.get(store), instanceDir); + return getStoreFromListenerAttribute(listenerAttributes.get(storeAttribute), instanceDir); } } return null; } - private static File getStoreFromIiopListeners(MiniXmlParser parser, String listener, String store, File instanceDir) throws MiniXmlParserException { + /** + * Gets the store from a target IIOP listener + * + * @param parser The {@link MiniXmlParser} for extracting info from the domain.xml + * @param listener The name of the IIOP listener to get the store from. + * @param storeAttribute The name of the store attribute to get (should be "key-store" or "trust-store") + * @param instanceDir The directory of the target instance, used for relative paths + * @return The store of the target, or null if no matching listener or no store configured + * @throws MiniXmlParserException If there's an issue reading the domain.xml + */ + private static File getStoreFromIiopListeners(MiniXmlParser parser, String listener, + String storeAttribute, File instanceDir) throws MiniXmlParserException { for (Map listenerAttributes : parser.getIiopSslAttributes()) { if (listenerAttributes.get("id").equals(listener)) { // Get the keystore from the listener if it has a custom one - return getStoreFromListenerAttribute(listenerAttributes.get(store), instanceDir); + return getStoreFromListenerAttribute(listenerAttributes.get(storeAttribute), instanceDir); } } return null; } + /** + * Helper method that returns the store from a target listener's config attribute, + * making any relative paths absolute. + * + * @param storePath The path to the store to return as a {@link File} + * @param instanceDir The instance directory, used for making relative paths absolute + * @return The absolute path of the target store, or null if no store given + */ private static File getStoreFromListenerAttribute(String storePath, File instanceDir) { if (!ok(storePath)) { return null; @@ -137,9 +192,19 @@ private static File getStoreFromListenerAttribute(String storePath, File instanc return store; } - private static File getStoreFromJvmOptions(MiniXmlParser parser, String store, File instanceDir) throws MiniXmlParserException { + /** + * Gets the store from a target config's JVM options + * + * @param parser The {@link MiniXmlParser} for extracting info from the domain.xml + * @param storeName The JVM option name of the store (should be keyStore or trustStore) + * @param instanceDir The instance directory, used for SystemProperty substitution + * @return The absolute path of the target store + * @throws MiniXmlParserException If there's an issue reading the domain.xml + */ + private static File getStoreFromJvmOptions(MiniXmlParser parser, String storeName, File instanceDir) + throws MiniXmlParserException { for (MiniXmlParser.JvmOption jvmOption : parser.getJvmOptions()) { - if (jvmOption.toString().startsWith("-Djavax.net.ssl." + store + "=")) { + if (jvmOption.toString().startsWith("-Djavax.net.ssl." + storeName + "=")) { return new File(jvmOption.toString().split("=")[1] .replace("${com.sun.aas.instanceRoot}", instanceDir.getAbsolutePath())); } @@ -147,9 +212,21 @@ private static File getStoreFromJvmOptions(MiniXmlParser parser, String store, F return null; } - public static String[] constructGenerateCertKeytoolCommand(File keystore, String password, String alias, String dname, String[] altnames) { - String[] keytoolCmd = new String[]{"-genkeypair", "-keyalg", "RSA", "-keystore", keystore.getAbsolutePath(), "-alias", alias, "-dname", dname, - "-validity", "365", "-keypass", password, "-storepass", password}; + /** + * Constructs the command to pass to keytool for creating a self-signed cert + * + * @param keystore The key store to add the certificate to + * @param password The password for the key store + * @param alias The alias of the certificate + * @param dname The distinguished name of the certificate + * @param altnames The alternative names of the certificate + * @return A String array to pass to {@link com.sun.enterprise.admin.servermgmt.KeystoreManager.KeytoolExecutor} + */ + public static String[] constructGenerateCertKeytoolCommand(File keystore, char[] password, + String alias, String dname, String[] altnames) { + String[] keytoolCmd = new String[]{"-genkeypair", "-keyalg", "RSA", "-keystore", keystore.getAbsolutePath(), + "-alias", alias, "-dname", dname, + "-validity", "365", "-keypass", new String(password), "-storepass", new String(password)}; if (altnames != null && altnames.length != 0) { keytoolCmd = addSubjectAlternativeNames(keytoolCmd, altnames); @@ -158,6 +235,13 @@ public static String[] constructGenerateCertKeytoolCommand(File keystore, String return keytoolCmd; } + /** + * Helper method that formats the String array of alternative names into the format that the keytool expects. + * + * @param keytoolCmd The String array containing the keytool command before alternative names have been added. + * @param alternativeNames The String array containing the alternatives names + * @return A String array of the original keytool command with the alternative names added + */ protected static String[] addSubjectAlternativeNames(String[] keytoolCmd, String[] alternativeNames) { // Create a new array to make room for the extra commands String[] expandedKeytoolCmd = new String[keytoolCmd.length + 2]; @@ -183,29 +267,51 @@ protected static String[] addSubjectAlternativeNames(String[] keytoolCmd, String return expandedKeytoolCmd; } - public static String[] constructImportCertKeytoolCommand(File keystore, File truststore, String password, String alias) { + /** + * Constructs the command to pass to keytool for adding the self-signed cert to the trust store + * + * @param keystore The target key store that the certificate was added to + * @param truststore The target trust store to add the certificate to + * @param keystorePassword The password for the key store + * @param truststorePassword The password for the trust store + * @param alias The alias of the certificate + * @return A String array to pass to {@link com.sun.enterprise.admin.servermgmt.KeystoreManager.KeytoolExecutor} + */ + public static String[] constructImportCertKeytoolCommand(File keystore, File truststore, char[] keystorePassword, + char[] truststorePassword, String alias) { String[] keytoolCmd = new String[]{"-importkeystore", "-srckeystore", keystore.getAbsolutePath(), "-destkeystore", truststore.getAbsolutePath(), "-srcalias", alias, "-destalias", alias, - "-srcstorepass", password, "-deststorepass", password, - "-srckeypass", password, "-destkeypass", password}; + "-srcstorepass", new String(keystorePassword), "-deststorepass", new String(truststorePassword), + "-srckeypass", new String(keystorePassword), "-destkeypass", new String(truststorePassword), + "-noprompt"}; return keytoolCmd; } - public static String getPasswordFromListener(MiniXmlParser parser, String listener) throws MiniXmlParserException { - String password = ""; + /** + * + * + * @param parser The {@link MiniXmlParser} for extracting info from the domain.xml + * @param listener The name of the listener to get the password from. + * @param attribute The name of the store password attribute (should be key-store-password or trust-store-password) + * @return A char array containing the password of the target listener, or null if no matches or password found + * @throws MiniXmlParserException if there's an issue reading the domain.xml + */ + public static char[] getPasswordFromListener(MiniXmlParser parser, String listener, String attribute) + throws MiniXmlParserException { + char[] password = null; for (Map listenerAttributes : parser.getProtocolAttributes()) { if (listenerAttributes.get("name").equals(listener)) { // Get the keystore from the listener if it has a custom one - password = listenerAttributes.get("password"); + password = listenerAttributes.get(attribute).toCharArray(); } } - if (!ok(password)) { + if (password == null || password.length == 0) { for (Map listenerAttributes : parser.getIiopSslAttributes()) { if (listenerAttributes.get("id").equals(listener)) { // Get the keystore from the listener if it has a custom one - password = listenerAttributes.get("password"); + password = listenerAttributes.get(attribute).toCharArray(); } } } diff --git a/appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateCommand.java b/appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateCommand.java index 9ffa8a3ca64..136593e1f1e 100644 --- a/appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateCommand.java +++ b/appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateCommand.java @@ -53,18 +53,24 @@ import fish.payara.certificate.management.CertificateManagementUtils; import org.glassfish.api.Param; import org.glassfish.api.admin.CommandException; +import org.glassfish.config.support.TranslatedConfigView; import org.glassfish.hk2.api.PerLookup; import org.jvnet.hk2.annotations.Service; import java.io.File; import java.util.logging.Logger; +/** + * CLI command for generating self-signed certificates and placing them in an instance or listener's key + * and trust stores. + * + * @author Andrew Pielage + */ @Service(name = "generate-self-signed-certificate") @PerLookup public class GenerateSelfSignedCertificateCommand extends LocalDomainCommand { private static final Logger logger = Logger.getLogger(CLICommand.class.getPackage().getName()); - private static final String helperCommandName = "_generate-self-signed-certificate-local-instance"; @Param(name = "domain_name", optional = true) private String domainName0; @@ -86,6 +92,9 @@ public class GenerateSelfSignedCertificateCommand extends LocalDomainCommand { private File keystore; private File truststore; + private char[] keystorePassword; + private char[] truststorePassword; + private char[] masterPassword; @Override protected void validate() throws CommandException { @@ -97,39 +106,129 @@ protected void validate() throws CommandException { protected int executeCommand() throws CommandException { // If we're targetting an instance that isn't the DAS, use a different command if (target != null && !target.equals(SystemPropertyConstants.DAS_SERVER_NAME)) { - GenerateSelfSignedCertificateLocalInstanceCommand helperCommand = new GenerateSelfSignedCertificateLocalInstanceCommand(programOpts, env); - helperCommand.validate(); - return helperCommand.executeCommand(); + GenerateSelfSignedCertificateLocalInstanceCommand localInstanceCommand = + new GenerateSelfSignedCertificateLocalInstanceCommand(programOpts, env); + localInstanceCommand.validate(); + return localInstanceCommand.executeCommand(); } - String password = ""; + // Parse the location of the key and trust stores, and the passwords required to access them try { MiniXmlParser parser = new MiniXmlParser(getDomainXml(), target); keystore = CertificateManagementUtils.resolveKeyStore(parser, listener, getDomainRootDir()); truststore = CertificateManagementUtils.resolveTrustStore(parser, listener, getDomainRootDir()); - password = getPassword(parser, listener); + getStorePasswords(parser, listener, getDomainRootDir()); } catch (MiniXmlParserException miniXmlParserException) { throw new CommandException("Error parsing domain.xml", miniXmlParserException); } // Run keytool command to generate self-signed cert and place in keystore + try { + addToKeystore(); + } catch (CommandException ce) { + return CLIConstants.ERROR; + } + + try { + addToTruststore(); + } catch (CommandException ce) { + return CLIConstants.WARNING; + } + + return CLIConstants.SUCCESS; + } + + /** + * Gets the passwords for the key and trust store. + * + * @param parser The {@link MiniXmlParser} for extracting info from the domain.xml + * @param listener The name of the HTTP or IIOP listener to get the key or trust store passwords from. Can be null. + * @param serverDir The directory of the target instance, used for accessing the domain-passwords store + * @throws MiniXmlParserException If there's an issue reading the domain.xml + * @throws CommandException If there's an issue getting the master password + */ + private void getStorePasswords(MiniXmlParser parser, String listener, File serverDir) + throws MiniXmlParserException, CommandException { + if (listener != null) { + // Check if listener has a password set + keystorePassword = CertificateManagementUtils.getPasswordFromListener(parser, listener, "key-store-password"); + truststorePassword = CertificateManagementUtils.getPasswordFromListener(parser, listener, "trust-store-password"); + } + + if (keystorePassword != null || keystorePassword.length > 0) { + // Expand alias if required + if (new String(keystorePassword).startsWith("${ALIAS=")) { + JCEKSDomainPasswordAliasStore passwordAliasStore = new JCEKSDomainPasswordAliasStore( + serverDir.getPath() + File.separator + "config" + File.separator + + "domain-passwords", masterPassword()); + keystorePassword = passwordAliasStore.get( + TranslatedConfigView.getAlias(new String(keystorePassword), "ALIAS")); + } + } else { + // Default to master + keystorePassword = masterPassword(); + } + + if (truststorePassword != null && truststorePassword.length > 0) { + // Expand alias if required + if (new String(truststorePassword).startsWith("${ALIAS=")) { + JCEKSDomainPasswordAliasStore passwordAliasStore = new JCEKSDomainPasswordAliasStore( + serverDir.getPath() + File.separator + "config" + File.separator + "domain-passwords", + masterPassword()); + truststorePassword = passwordAliasStore.get( + TranslatedConfigView.getAlias(new String(truststorePassword), "ALIAS")); + } + } else { + // Default to master + truststorePassword = masterPassword(); + } + } + + /** + * Gets the master password + * + * @return The master password in a char array + * @throws CommandException If there's an issue getting the master password + */ + private char[] masterPassword() throws CommandException { + if (masterPassword == null || masterPassword.length == 0) { + masterPassword = getMasterPassword().toCharArray(); + } + + return masterPassword; + } + + /** + * Generates a self-signed certificate and adds it to the target key store + * + * @throws CommandException If there's an issue adding the certificate to the key store + */ + private void addToKeystore() throws CommandException { + // Run keytool command to generate self-signed cert KeystoreManager.KeytoolExecutor keytoolExecutor = new KeystoreManager.KeytoolExecutor( - CertificateManagementUtils.constructGenerateCertKeytoolCommand( - keystore, password, alias, dn, altnames), - 60); + CertificateManagementUtils.constructGenerateCertKeytoolCommand(keystore, keystorePassword, + alias, dn, altnames), 60); + try { keytoolExecutor.execute("certNotCreated", keystore); } catch (RepositoryException re) { logger.severe(re.getCause().getMessage() .replace("keytool error: java.lang.Exception: ", "") .replace("keytool error: java.io.IOException: ", "")); - return CLIConstants.ERROR; + throw new CommandException(re); } + } + /** + * Adds the self-signed certificate to the target trust store + * + * @throws CommandException If there's an issue adding the certificate to the trust store + */ + private void addToTruststore() throws CommandException { // Run keytool command to place self-signed cert in truststore - keytoolExecutor = new KeystoreManager.KeytoolExecutor(CertificateManagementUtils.constructImportCertKeytoolCommand( - keystore, truststore, password, alias), - 60); + KeystoreManager.KeytoolExecutor keytoolExecutor = new KeystoreManager.KeytoolExecutor( + CertificateManagementUtils.constructImportCertKeytoolCommand(keystore, truststore, keystorePassword, + truststorePassword, alias), 60); try { keytoolExecutor.execute("certNotTrusted", keystore); @@ -137,27 +236,13 @@ protected int executeCommand() throws CommandException { logger.severe(re.getCause().getMessage() .replace("keytool error: java.lang.Exception: ", "") .replace("keytool error: java.io.IOException: ", "")); - return CLIConstants.ERROR; + throw new CommandException(re); } - - return 0; - } - - private String getPassword(MiniXmlParser parser, String listener) throws MiniXmlParserException, CommandException { - String password = ""; - if (listener != null) { - // Check if listener has a password set - password = CertificateManagementUtils.getPasswordFromListener(parser, listener); - } - - // Default to using the master password - if (!ok(password)) { - password = getMasterPassword(); - } - - return password; } + /** + * Local instance (non-DAS) version of the parent command. Not intended for use as a standalone CLI command. + */ private class GenerateSelfSignedCertificateLocalInstanceCommand extends SynchronizeInstanceCommand { public GenerateSelfSignedCertificateLocalInstanceCommand(ProgramOptions programOpts, Environment env) { @@ -174,7 +259,6 @@ protected void validate() throws CommandException { @Override protected int executeCommand() throws CommandException { - String password = ""; boolean alreadySynced = false; try { File domainXml = getDomainXml(); @@ -187,7 +271,7 @@ protected int executeCommand() throws CommandException { MiniXmlParser parser = new MiniXmlParser(domainXml, target); keystore = CertificateManagementUtils.resolveKeyStore(parser, listener, instanceDir); truststore = CertificateManagementUtils.resolveTrustStore(parser, listener, instanceDir); - password = getPassword(parser, listener); + getStorePasswords(parser, listener, instanceDir); } catch (MiniXmlParserException miniXmlParserException) { throw new CommandException("Error parsing domain.xml", miniXmlParserException); } @@ -225,50 +309,20 @@ protected int executeCommand() throws CommandException { return CLIConstants.WARNING; } - // Run keytool command to generate self-signed cert - KeystoreManager.KeytoolExecutor keytoolExecutor = new KeystoreManager.KeytoolExecutor( - CertificateManagementUtils.constructGenerateCertKeytoolCommand(keystore, password, alias, dn, altnames), - 60); + // Run keytool command to generate self-signed cert and place in keystore try { - keytoolExecutor.execute("keystoreNotCreated", keystore); - } catch (RepositoryException re) { - logger.severe(re.getCause().getMessage() - .replace("keytool error: java.lang.Exception: ", "") - .replace("keytool error: java.io.IOException: ", "")); + addToKeystore(); + } catch (CommandException ce) { return CLIConstants.ERROR; } - // Run keytool command to place self-signed cert in truststore - keytoolExecutor = new KeystoreManager.KeytoolExecutor(CertificateManagementUtils.constructImportCertKeytoolCommand( - keystore, truststore, password, alias), - 60); - try { - keytoolExecutor.execute("certNotTrusted", keystore); - } catch (RepositoryException re) { - logger.severe(re.getCause().getMessage() - .replace("keytool error: java.lang.Exception: ", "") - .replace("keytool error: java.io.IOException: ", "")); - return CLIConstants.ERROR; - } - - - return 0; - } - - private String getPassword(MiniXmlParser parser, String listener) throws MiniXmlParserException, CommandException { - String password = ""; - if (listener != null) { - // Check if listener has a password set - password = CertificateManagementUtils.getPasswordFromListener(parser, listener); - } - - // Default to using the master password - if (ok(password)) { - password = getMasterPassword(); + addToTruststore(); + } catch (CommandException ce) { + return CLIConstants.WARNING; } - return password; + return CLIConstants.SUCCESS; } } } \ No newline at end of file diff --git a/appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/admin/JCEKSDomainPasswordAliasStore.java b/appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/admin/JCEKSDomainPasswordAliasStore.java new file mode 100644 index 00000000000..ce1723d5f84 --- /dev/null +++ b/appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/admin/JCEKSDomainPasswordAliasStore.java @@ -0,0 +1,61 @@ +/* + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. + * + * Copyright (c) 2020 Payara Foundation and/or its affiliates. All rights reserved. + * + * The contents of this file are subject to the terms of either the GNU + * General Public License Version 2 only ("GPL") or the Common Development + * and Distribution License("CDDL") (collectively, the "License"). You + * may not use this file except in compliance with the License. You can + * obtain a copy of the License at + * https://github.com/payara/Payara/blob/master/LICENSE.txt + * See the License for the specific + * language governing permissions and limitations under the License. + * + * When distributing the software, include this License Header Notice in each + * file and include the License file at glassfish/legal/LICENSE.txt. + * + * GPL Classpath Exception: + * The Payara Foundation designates this particular file as subject to the "Classpath" + * exception as provided by the Payara Foundation in the GPL Version 2 section of the License + * file that accompanied this code. + * + * Modifications: + * If applicable, add the following below the License Header, with the fields + * enclosed by brackets [] replaced by your own identifying information: + * "Portions Copyright [year] [name of copyright owner]" + * + * Contributor(s): + * If you wish your version of this file to be governed by only the CDDL or + * only the GPL Version 2, indicate your decision by adding "[Contributor] + * elects to include this software in this distribution under the [CDDL or GPL + * Version 2] license." If you don't indicate a single choice of license, a + * recipient has the option to distribute your version of this file under + * either the CDDL, the GPL Version 2 or to extend the choice of license to + * its licensees as provided above. However, if you add GPL Version 2 code + * and therefore, elected the GPL Version 2 license, then the option applies + * only if the new code is made subject to such option by the copyright + * holder. + */ +package fish.payara.certificate.management.admin; + +import com.sun.enterprise.security.store.DomainScopedPasswordAliasStore; +import org.glassfish.security.services.impl.JCEKSPasswordAliasStore; + +/** + * Non-service version of {@link org.glassfish.security.services.impl.JCEKSDomainPasswordAliasStore} for use from + * the CLI where you have very limited access to HK2 services. Package private since not intended for use elsewhere - + * use the HK2 service. + * + * @author Andrew Pielage + */ +class JCEKSDomainPasswordAliasStore extends JCEKSPasswordAliasStore implements DomainScopedPasswordAliasStore { + + public JCEKSDomainPasswordAliasStore(String aliasStorePath, char[] masterPassword) { + try { + init(aliasStorePath, masterPassword); + } catch (Exception ex) { + throw new RuntimeException(ex); + } + } +} From 03620e048a2e2b41b34fecf9a0ee012281b55336 Mon Sep 17 00:00:00 2001 From: Andrew Pielage Date: Mon, 1 Jun 2020 08:59:50 +0100 Subject: [PATCH 5/9] APPSERV-149 Fix copyright and some formatting --- .../payara-appserver-modules/certificate-management/pom.xml | 2 +- .../certificate/management/CertificateManagementUtils.java | 6 ++---- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/appserver/payara-appserver-modules/certificate-management/pom.xml b/appserver/payara-appserver-modules/certificate-management/pom.xml index af7087ed2f9..c5890b9c0e8 100644 --- a/appserver/payara-appserver-modules/certificate-management/pom.xml +++ b/appserver/payara-appserver-modules/certificate-management/pom.xml @@ -3,7 +3,7 @@ DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. - Copyright (c) [2017-2019] Payara Foundation and/or its affiliates. All rights reserved. + Copyright (c) [2020] Payara Foundation and/or its affiliates. All rights reserved. The contents of this file are subject to the terms of either the GNU General Public License Version 2 only ("GPL") or the Common Development diff --git a/appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/CertificateManagementUtils.java b/appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/CertificateManagementUtils.java index 4bacf90e8b4..cc7f5d172e4 100644 --- a/appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/CertificateManagementUtils.java +++ b/appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/CertificateManagementUtils.java @@ -289,10 +289,8 @@ public static String[] constructImportCertKeytoolCommand(File keystore, File tru } /** - * - * - * @param parser The {@link MiniXmlParser} for extracting info from the domain.xml - * @param listener The name of the listener to get the password from. + * @param parser The {@link MiniXmlParser} for extracting info from the domain.xml + * @param listener The name of the listener to get the password from. * @param attribute The name of the store password attribute (should be key-store-password or trust-store-password) * @return A char array containing the password of the target listener, or null if no matches or password found * @throws MiniXmlParserException if there's an issue reading the domain.xml From e8aa19953948c595af5ed8267b876fa51dfa7952 Mon Sep 17 00:00:00 2001 From: Andrew Pielage Date: Mon, 1 Jun 2020 15:40:29 +0100 Subject: [PATCH 6/9] APPSERV-149 Add help text for command --- .../certificate-management/pom.xml | 11 +++ .../admin/generate-self-signed-certificate.1 | 94 +++++++++++++++++++ 2 files changed, 105 insertions(+) create mode 100644 appserver/payara-appserver-modules/certificate-management/src/main/manpages/fish/payara/certificate/management/admin/generate-self-signed-certificate.1 diff --git a/appserver/payara-appserver-modules/certificate-management/pom.xml b/appserver/payara-appserver-modules/certificate-management/pom.xml index c5890b9c0e8..9298d1234f3 100644 --- a/appserver/payara-appserver-modules/certificate-management/pom.xml +++ b/appserver/payara-appserver-modules/certificate-management/pom.xml @@ -53,6 +53,17 @@ Payara Certificate Management Commands and Services for generating and managing SSL/TLS certificates + + + + src/main/resources + + **/*.1 + + + + + fish.payara.server.internal.admin diff --git a/appserver/payara-appserver-modules/certificate-management/src/main/manpages/fish/payara/certificate/management/admin/generate-self-signed-certificate.1 b/appserver/payara-appserver-modules/certificate-management/src/main/manpages/fish/payara/certificate/management/admin/generate-self-signed-certificate.1 new file mode 100644 index 00000000000..6edc0afabc5 --- /dev/null +++ b/appserver/payara-appserver-modules/certificate-management/src/main/manpages/fish/payara/certificate/management/admin/generate-self-signed-certificate.1 @@ -0,0 +1,94 @@ +generate-self-signed-certificate(1) asadmin Utility Subcommands generate-self-signed-certificate(1) + +NAME + generate-self-signed-certificate - generates a self-signed certificate using provided + distinguished name, subject alternative names, and alias, before placing it in the + target instance or listener's key and trust stores. + +SYNOPSIS + generate-self-signed-certificate [--help] + [--domain_name domain-name] [--domaindir domain-dir] + [--target instance-name] [--listener listener-name] + [alternativenames (type:value)[;type:value]*] + --distinguishedname + alias + +DESCRIPTION + The generate-self-signed-certificate subcommand generates a self- + signed certificate using the provided distinguished name, alias, and + any provided alternative names. This certificate is then placed in + the key and trust store of the target instance or listener. + + If the instance or listener is configured to use the default key and + trust store, the command will instead synchronise the instance with + the DAS (under the assumption the certificate has been added to the + default key and trust store of the DAS), since any certificates added + to the instance stores would be lost upon next synchronisation. + +OPTIONS + --help, -? + Displays the help text for the subcommand. + + --domain_name + The unique name of the domain you want to start. This operand is + optional, defaulting to domain1 if not provided. + + --domaindir + The domain root directory, which contains the directory of the + target domain. If specified, the path must be accessible in the + file system. The default location of the domain root directory + is as-install/domains. + + --target + The name of the instance to add the generated certificate to the + key and trust store of. Defaults to server (the DAS). + + --listener + The name of the HTTP or IIOP listener to add the generated + certificate to the key and trust store of. Only applicable if + the listener has a key or trust store different to that of the + instance itself. + + --alternativenames, --altnames + The subject alternative names to add to the generated certificate. + Takes the form of a semi-colon separated list of type:value. If no + type is given, it is assumed to be DNS. + +OPERANDS + --distinguishedname, --dn + The distinguished name to use when generating the certificate. + + alias + The alias to use when generating the certificate and storing it + in the key and trust stores. If the alias already exists in the + key store, the command will fail. If the alias already exists in + the trust store, this trusted certificate will be overwritten. + +EXAMPLES + Example 1, Creating a Self-Signed Certificate for the DAS + + This example creates a self-signed certificate for the DAS. + + asadmin> generate-self-signed-certificate --dn "CN=test.payara.fish" test_cert1 + + Example 2, Created a Self-Signed Certificate for a Listener + + This example creates a self-signed certificate with alternative + names for the http-listner-2 listener of an instance named Guppy1. + + asadmin> generate-self-signed-certificate --dn "CN=test.payara.fish" + --listener http-listener-2 + --alternativenames "test2.payara.fish;DNS:test3.payara.fish,IP:127.0.0.1,EMAIL:anon@payara.fish" + --target Guppy1 + test_cert2 + +EXIT STATUS + 0 + command executed successfully + + 1 + error in executing the command + + 4 + command executed successfully but with warnings + From b8f3bd918f3c1344db0267625093e3f534c84d49 Mon Sep 17 00:00:00 2001 From: Andrew Pielage Date: Tue, 2 Jun 2020 16:01:09 +0100 Subject: [PATCH 7/9] APPSERV-149 Move to extras and remove from featureset and packager --- .../certificate-management/pom.xml | 4 +- .../CertificateManagementUtils.java | 0 .../GenerateSelfSignedCertificateCommand.java | 0 .../admin/JCEKSDomainPasswordAliasStore.java | 0 .../admin/generate-self-signed-certificate.1 | 0 ...erateSelfSignedCertificateCommandTest.java | 0 appserver/extras/pom.xml | 1 + appserver/featuresets/payara-web/pom.xml | 7 - .../packager/certificate-management/pom.xml | 135 ------------------ .../main/assembly/certificate-management.xml | 56 -------- appserver/packager/pom.xml | 1 - appserver/payara-appserver-modules/pom.xml | 1 - 12 files changed, 3 insertions(+), 202 deletions(-) rename appserver/{payara-appserver-modules => extras}/certificate-management/pom.xml (96%) rename appserver/{payara-appserver-modules => extras}/certificate-management/src/main/java/fish/payara/certificate/management/CertificateManagementUtils.java (100%) rename appserver/{payara-appserver-modules => extras}/certificate-management/src/main/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateCommand.java (100%) rename appserver/{payara-appserver-modules => extras}/certificate-management/src/main/java/fish/payara/certificate/management/admin/JCEKSDomainPasswordAliasStore.java (100%) rename appserver/{payara-appserver-modules => extras}/certificate-management/src/main/manpages/fish/payara/certificate/management/admin/generate-self-signed-certificate.1 (100%) rename appserver/{payara-appserver-modules => extras}/certificate-management/src/test/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateCommandTest.java (100%) delete mode 100644 appserver/packager/certificate-management/pom.xml delete mode 100644 appserver/packager/certificate-management/src/main/assembly/certificate-management.xml diff --git a/appserver/payara-appserver-modules/certificate-management/pom.xml b/appserver/extras/certificate-management/pom.xml similarity index 96% rename from appserver/payara-appserver-modules/certificate-management/pom.xml rename to appserver/extras/certificate-management/pom.xml index 9298d1234f3..a4d0e85a918 100644 --- a/appserver/payara-appserver-modules/certificate-management/pom.xml +++ b/appserver/extras/certificate-management/pom.xml @@ -44,8 +44,8 @@ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> 4.0.0 - fish.payara.server.internal.payara-appserver-modules - payara-appserver-modules + fish.payara.extras + extras 5.2020.2-SNAPSHOT certificate-management diff --git a/appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/CertificateManagementUtils.java b/appserver/extras/certificate-management/src/main/java/fish/payara/certificate/management/CertificateManagementUtils.java similarity index 100% rename from appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/CertificateManagementUtils.java rename to appserver/extras/certificate-management/src/main/java/fish/payara/certificate/management/CertificateManagementUtils.java diff --git a/appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateCommand.java b/appserver/extras/certificate-management/src/main/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateCommand.java similarity index 100% rename from appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateCommand.java rename to appserver/extras/certificate-management/src/main/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateCommand.java diff --git a/appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/admin/JCEKSDomainPasswordAliasStore.java b/appserver/extras/certificate-management/src/main/java/fish/payara/certificate/management/admin/JCEKSDomainPasswordAliasStore.java similarity index 100% rename from appserver/payara-appserver-modules/certificate-management/src/main/java/fish/payara/certificate/management/admin/JCEKSDomainPasswordAliasStore.java rename to appserver/extras/certificate-management/src/main/java/fish/payara/certificate/management/admin/JCEKSDomainPasswordAliasStore.java diff --git a/appserver/payara-appserver-modules/certificate-management/src/main/manpages/fish/payara/certificate/management/admin/generate-self-signed-certificate.1 b/appserver/extras/certificate-management/src/main/manpages/fish/payara/certificate/management/admin/generate-self-signed-certificate.1 similarity index 100% rename from appserver/payara-appserver-modules/certificate-management/src/main/manpages/fish/payara/certificate/management/admin/generate-self-signed-certificate.1 rename to appserver/extras/certificate-management/src/main/manpages/fish/payara/certificate/management/admin/generate-self-signed-certificate.1 diff --git a/appserver/payara-appserver-modules/certificate-management/src/test/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateCommandTest.java b/appserver/extras/certificate-management/src/test/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateCommandTest.java similarity index 100% rename from appserver/payara-appserver-modules/certificate-management/src/test/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateCommandTest.java rename to appserver/extras/certificate-management/src/test/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateCommandTest.java diff --git a/appserver/extras/pom.xml b/appserver/extras/pom.xml index 55c3c283930..fecf6035a83 100755 --- a/appserver/extras/pom.xml +++ b/appserver/extras/pom.xml @@ -61,6 +61,7 @@ javaee appserv-rt payara-micro + certificate-management diff --git a/appserver/featuresets/payara-web/pom.xml b/appserver/featuresets/payara-web/pom.xml index b3e1d598d56..67951cd6bcd 100644 --- a/appserver/featuresets/payara-web/pom.xml +++ b/appserver/featuresets/payara-web/pom.xml @@ -298,12 +298,5 @@ ${project.version} zip - - - fish.payara.server.internal.packager - certificate-management - ${project.version} - zip - diff --git a/appserver/packager/certificate-management/pom.xml b/appserver/packager/certificate-management/pom.xml deleted file mode 100644 index 06e60332965..00000000000 --- a/appserver/packager/certificate-management/pom.xml +++ /dev/null @@ -1,135 +0,0 @@ - - - - - 4.0.0 - - fish.payara.server.internal.packager - packages - 5.2020.2-SNAPSHOT - - certificate-management - Payara Enterprise Certificate Management Package - distribution-fragment - This pom describes how to assemble the Payara Enterprise Certificate Management package - - - ${project.build.directory}/dependency - - - - - - org.apache.maven.plugins - maven-dependency-plugin - - - process-step1 - - - process-step2 - - - - - org.apache.maven.plugins - maven-assembly-plugin - - - process-step3 - - - - - - - - ips - - false - - - - - org.apache.maven.plugins - maven-antrun-plugin - - - process-step4 - - - - - org.glassfish.build - glassfishbuild-maven-plugin - - - process-step5 - - exec - - - - - - maven-resources-plugin - - - copy-resources - - - - - - - - - - - fish.payara.server.internal.payara-appserver-modules - certificate-management - ${project.version} - - - \ No newline at end of file diff --git a/appserver/packager/certificate-management/src/main/assembly/certificate-management.xml b/appserver/packager/certificate-management/src/main/assembly/certificate-management.xml deleted file mode 100644 index 1fdf08aa705..00000000000 --- a/appserver/packager/certificate-management/src/main/assembly/certificate-management.xml +++ /dev/null @@ -1,56 +0,0 @@ - - - - stage-package - - dir - - - false - - - ${temp.dir}/glassfish/modules - ${install.dir.name}/glassfish/lib/asadmin - - - \ No newline at end of file diff --git a/appserver/packager/pom.xml b/appserver/packager/pom.xml index 7eccb4756b7..ad304a1cf78 100644 --- a/appserver/packager/pom.xml +++ b/appserver/packager/pom.xml @@ -173,7 +173,6 @@ microprofile-package opentracing-jaxws-package monitoring-console - certificate-management diff --git a/appserver/payara-appserver-modules/pom.xml b/appserver/payara-appserver-modules/pom.xml index 6a84f7fd920..015cc0ec2b8 100644 --- a/appserver/payara-appserver-modules/pom.xml +++ b/appserver/payara-appserver-modules/pom.xml @@ -74,7 +74,6 @@ opentracing-cdi jaxrs-client-tracing yubikey-authentication - certificate-management microprofile security-oauth2 security-openid From ba57e865db8de429fb07c224de8d442479dfdf98 Mon Sep 17 00:00:00 2001 From: Andrew Pielage Date: Tue, 2 Jun 2020 16:03:08 +0100 Subject: [PATCH 8/9] APPSERV-149 Move under BuildExtras profile --- appserver/extras/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/appserver/extras/pom.xml b/appserver/extras/pom.xml index fecf6035a83..5c2d944d6d3 100755 --- a/appserver/extras/pom.xml +++ b/appserver/extras/pom.xml @@ -61,7 +61,6 @@ javaee appserv-rt payara-micro - certificate-management @@ -89,6 +88,7 @@ embedded + certificate-management From a1107cf25c8a8dc4de2793519934af758eaf5d76 Mon Sep 17 00:00:00 2001 From: Andrew Pielage Date: Thu, 4 Jun 2020 15:59:22 +0100 Subject: [PATCH 9/9] APPSERV-149 Fix NPEs and remove test inheritance --- .../management/CertificateManagementUtils.java | 8 ++++++-- .../admin/GenerateSelfSignedCertificateCommand.java | 2 +- .../GenerateSelfSignedCertificateCommandTest.java | 7 +++---- 3 files changed, 10 insertions(+), 7 deletions(-) rename appserver/extras/certificate-management/src/test/java/fish/payara/certificate/management/{admin => }/GenerateSelfSignedCertificateCommandTest.java (90%) diff --git a/appserver/extras/certificate-management/src/main/java/fish/payara/certificate/management/CertificateManagementUtils.java b/appserver/extras/certificate-management/src/main/java/fish/payara/certificate/management/CertificateManagementUtils.java index cc7f5d172e4..1ad614e6585 100644 --- a/appserver/extras/certificate-management/src/main/java/fish/payara/certificate/management/CertificateManagementUtils.java +++ b/appserver/extras/certificate-management/src/main/java/fish/payara/certificate/management/CertificateManagementUtils.java @@ -301,7 +301,9 @@ public static char[] getPasswordFromListener(MiniXmlParser parser, String listen for (Map listenerAttributes : parser.getProtocolAttributes()) { if (listenerAttributes.get("name").equals(listener)) { // Get the keystore from the listener if it has a custom one - password = listenerAttributes.get(attribute).toCharArray(); + if (listenerAttributes.get(attribute) != null) { + password = listenerAttributes.get(attribute).toCharArray(); + } } } @@ -309,7 +311,9 @@ public static char[] getPasswordFromListener(MiniXmlParser parser, String listen for (Map listenerAttributes : parser.getIiopSslAttributes()) { if (listenerAttributes.get("id").equals(listener)) { // Get the keystore from the listener if it has a custom one - password = listenerAttributes.get(attribute).toCharArray(); + if (listenerAttributes.get(attribute) != null) { + password = listenerAttributes.get(attribute).toCharArray(); + } } } } diff --git a/appserver/extras/certificate-management/src/main/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateCommand.java b/appserver/extras/certificate-management/src/main/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateCommand.java index 136593e1f1e..3a564123019 100644 --- a/appserver/extras/certificate-management/src/main/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateCommand.java +++ b/appserver/extras/certificate-management/src/main/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateCommand.java @@ -155,7 +155,7 @@ private void getStorePasswords(MiniXmlParser parser, String listener, File serve truststorePassword = CertificateManagementUtils.getPasswordFromListener(parser, listener, "trust-store-password"); } - if (keystorePassword != null || keystorePassword.length > 0) { + if (keystorePassword != null && keystorePassword.length > 0) { // Expand alias if required if (new String(keystorePassword).startsWith("${ALIAS=")) { JCEKSDomainPasswordAliasStore passwordAliasStore = new JCEKSDomainPasswordAliasStore( diff --git a/appserver/extras/certificate-management/src/test/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateCommandTest.java b/appserver/extras/certificate-management/src/test/java/fish/payara/certificate/management/GenerateSelfSignedCertificateCommandTest.java similarity index 90% rename from appserver/extras/certificate-management/src/test/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateCommandTest.java rename to appserver/extras/certificate-management/src/test/java/fish/payara/certificate/management/GenerateSelfSignedCertificateCommandTest.java index b0904c13b03..b5fc81c9c59 100644 --- a/appserver/extras/certificate-management/src/test/java/fish/payara/certificate/management/admin/GenerateSelfSignedCertificateCommandTest.java +++ b/appserver/extras/certificate-management/src/test/java/fish/payara/certificate/management/GenerateSelfSignedCertificateCommandTest.java @@ -37,13 +37,12 @@ * only if the new code is made subject to such option by the copyright * holder. */ -package fish.payara.certificate.management.admin; +package fish.payara.certificate.management; -import fish.payara.certificate.management.CertificateManagementUtils; import org.junit.Assert; import org.junit.Test; -public class GenerateSelfSignedCertificateCommandTest extends CertificateManagementUtils { +public class GenerateSelfSignedCertificateCommandTest { @Test public void testAddSubjectAlternativeNames() { @@ -55,7 +54,7 @@ public void testAddSubjectAlternativeNames() { "DNS:wibbles.payara.fish,IP:127.0.0.1,EMAIL:anon@payara.fish", "EMAIL:anon@ee.mouse,DNS:wobbles.payara.fish"}; - String[] expandedKeytoolCommand = addSubjectAlternativeNames(keytoolCmd, alternativeNames); + String[] expandedKeytoolCommand = CertificateManagementUtils.addSubjectAlternativeNames(keytoolCmd, alternativeNames); Assert.assertArrayEquals(new String[]{"-genkeypair", "-keyalg", "RSA", "-keystore", "/dev/null", "-alias", "my_test_cert", "-dname", "CN=test.payara.fish", "-validity", "365", "-ext",