Yair Zaslavsky has uploaded a new change for review. Change subject: core: Store only single certificate ......................................................................
core: Store only single certificate Change-Id: Ic9bd8cd7f913cf23eca839452b6e113f749966f7 Signed-off-by: Yair Zaslavsky <yzasl...@redhat.com> --- M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/InitBackendServicesOnStartupBean.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/ExternalTrustStoreInitializer.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/ImportProviderCertificateChainCommand.java 3 files changed, 33 insertions(+), 57 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/33/35833/1 diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/InitBackendServicesOnStartupBean.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/InitBackendServicesOnStartupBean.java index a816c0f..499d431 100644 --- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/InitBackendServicesOnStartupBean.java +++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/InitBackendServicesOnStartupBean.java @@ -14,7 +14,6 @@ import org.ovirt.engine.core.bll.job.ExecutionHandler; import org.ovirt.engine.core.bll.network.MacPoolManager; import org.ovirt.engine.core.bll.pm.PmHealthCheckManager; -import org.ovirt.engine.core.bll.provider.ExternalTrustStoreInitializer; import org.ovirt.engine.core.bll.scheduling.MigrationHandler; import org.ovirt.engine.core.bll.scheduling.SchedulingManager; import org.ovirt.engine.core.bll.storage.StoragePoolStatusHandler; @@ -86,8 +85,6 @@ StoragePoolStatusHandler.init(); GlusterJobsManager.init(); - - ExternalTrustStoreInitializer.init(); try { log.info("Init VM custom properties utilities"); diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/ExternalTrustStoreInitializer.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/ExternalTrustStoreInitializer.java index ea30878..7707911 100644 
--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/ExternalTrustStoreInitializer.java
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/ExternalTrustStoreInitializer.java
@@ -3,8 +3,10 @@
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileOutputStream;
-import java.io.OutputStream;
 import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateEncodingException;
 
 import org.ovirt.engine.core.utils.EngineLocalConfig;
 import org.ovirt.engine.core.utils.log.Log;
@@ -14,55 +16,49 @@ private static final Log log = LogFactory.getLog(ExternalTrustStoreInitializer.class); - private static String getTrustStorePath() { - File varDir = EngineLocalConfig.getInstance().getVarDir(); - return varDir + "/" + "external_truststore"; - } - - public static void init() { - File trustStoreFile = new File(getTrustStorePath()); - if (!trustStoreFile.exists()) { - try (OutputStream out = new FileOutputStream(trustStoreFile)){ - String password = EngineLocalConfig.getInstance().getPKITrustStorePassword(); - KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType()); - // Passing null stream will create a new empty trust store - trustStore.load(null, password.toCharArray()); - trustStore.store(out, password.toCharArray()); - } catch (Exception e) { - log.error("Creation of the external trust store failed.", e); - } - } - } - public static KeyStore getTrustStore() { - KeyStore ks = null; try { - ks = EngineLocalConfig.getInstance().getExternalProvidersTrustStore().exists() ? 
- KeyStore.getInstance(EngineLocalConfig.getInstance().getExternalProvidersTrustStoreType()) - : null; - if (ks != null) { + KeyStore ks = KeyStore.getInstance(EngineLocalConfig.getInstance().getExternalProvidersTrustStoreType()); + if (!EngineLocalConfig.getInstance().getExternalProvidersTrustStore().exists()) { + ks.load(null); + } else { try (FileInputStream ksFileInputStream = new FileInputStream(EngineLocalConfig.getInstance().getExternalProvidersTrustStore())) { - ks.load(ksFileInputStream, EngineLocalConfig.getInstance() + ks.load(ksFileInputStream, EngineLocalConfig.getInstance() .getExternalProvidersTrustStorePassword() .toCharArray()); } } + return ks; } catch (Exception ex) { throw new RuntimeException(ex); } - return ks; - } - public static void setTrustStore(KeyStore keystore) { - try (OutputStream out = new FileOutputStream(getTrustStorePath())) { - // TODO: do not use password of other store - String password = EngineLocalConfig.getInstance().getPKITrustStorePassword(); - keystore.store(out, password.toCharArray()); - } - catch (Exception e) { + public static void addCertificate(Certificate cert) throws CertificateEncodingException, KeyStoreException { + KeyStore keystore = getTrustStore(); + keystore.setCertificateEntry(Integer.toString(cert.hashCode()), cert); + + File trustStoreFile = EngineLocalConfig.getInstance().getExternalProvidersTrustStore(); + File tempFile = null; + try { + tempFile = File.createTempFile("keystore", ".tmp", trustStoreFile.getParentFile()); + try (FileOutputStream out = new FileOutputStream(tempFile)) { + keystore.store(out, EngineLocalConfig.getInstance() + .getExternalProvidersTrustStorePassword() + .toCharArray()); + } + if (!tempFile.renameTo(trustStoreFile.getAbsoluteFile())) { + throw new RuntimeException(String.format("Failed to save trust store to file %1$s", + trustStoreFile.getAbsolutePath())); + } + tempFile = null; + } catch (Exception e) { throw new RuntimeException(e); + } finally { + if (tempFile != null && 
!tempFile.delete()) { + log.error("Cannot delete '{}'", tempFile.getAbsolutePath()); + } } } } diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/ImportProviderCertificateChainCommand.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/ImportProviderCertificateChainCommand.java index 80a99b1..a99aea3 100644 --- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/ImportProviderCertificateChainCommand.java +++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/ImportProviderCertificateChainCommand.java @@ -1,6 +1,5 @@ package org.ovirt.engine.core.bll.provider; -import java.security.KeyStore; import java.security.cert.Certificate; import java.util.Collections; import java.util.List; 
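Review bot: The alias in `keystore.setCertificateEntry(Integer.toString(cert.hashCode()), cert)` is a 32-bit value (the JDK documents `Certificate.hashCode()` as derived from the encoded form), and `setCertificateEntry` silently replaces an existing entry under the same alias, so two different provider certificates whose hash codes collide would overwrite each other and one provider would lose its trust anchor with no error. The method already declares `CertificateEncodingException`, which suggests the alias was meant to come from the encoding; a digest such as `String alias = String.format("%064x", new BigInteger(1, MessageDigest.getInstance("SHA-256").digest(cert.getEncoded())));` is collision-resistant, keeps re-imports of the same certificate idempotent, and matches the fingerprint an operator sees in `keytool -list` (the `NoSuchAlgorithmException` would need to be wrapped like the other failures here). Separately, `getTrustStore()` followed by the temp-file store is an unsynchronized read-modify-write of a shared file, so two imports running at the same time would each persist a trust store missing the other's entry; marking `addCertificate` `synchronized` would at least serialize writers within this engine process. The `renameTo` also carries the temp file's default permissions onto the trust store rather than the original file's, which is worth confirming against how that file is provisioned.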
@@ -57,24 +56,8 @@ private void saveChainToTrustStore(List<? extends Certificate> chain) { if (chain != null && chain.size() > 0) { - KeyStore ks = null; try { - ks = ExternalTrustStoreInitializer.getTrustStore(); - } catch (Throwable e) { - handleException(e); - } - - try { - // In case there is only one certificate, we insert it. - // Otherwise, we need to insert the entire chain except the end certificate (the end certificate here is the first one) - int firstCertificateIndex = chain.size() == 1 ? 0 : 1; - for (int certIndex = firstCertificateIndex; certIndex < chain.size(); ++certIndex) { - Certificate certificate = chain.get(certIndex); - String alias = Guid.newGuid().toString(); - ks.setCertificateEntry(alias, certificate); - } - - ExternalTrustStoreInitializer.setTrustStore(ks); + ExternalTrustStoreInitializer.addCertificate(chain.get(chain.size()-1)); setSucceeded(true); } catch (Throwable e) { handleException(e); -- To view, visit http://gerrit.ovirt.org/35833 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ic9bd8cd7f913cf23eca839452b6e113f749966f7 Gerrit-PatchSet: 1 Gerrit-Project: ovirt-engine Gerrit-Branch: ovirt-engine-3.5 Gerrit-Owner: Yair Zaslavsky <yzasl...@redhat.com> _______________________________________________ Engine-patches mailing list Engine-patches@ovirt.org http://lists.ovirt.org/mailman/listinfo/engine-patches
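Review bot: `chain.get(chain.size()-1)` pins whatever certificate the provider presented last as a trust anchor without inspecting it; per the removed comment the leaf is the first element, so this is the server-supplied top of the chain, which is not necessarily a self-signed root (servers often omit the root and send only intermediates) and, more importantly, is chosen entirely by the remote peer at import time, so an attacker in the path during import gets a CA of their choosing trusted for every later connection to that provider. Before storing it, the command should at least check that the chosen certificate is a CA and currently valid, e.g. `X509Certificate anchor = (X509Certificate) chain.get(chain.size()-1); anchor.checkValidity(); if (anchor.getBasicConstraints() < 0) { throw ... }`, and the import flow should surface the anchor's fingerprint so the operator can confirm it out-of-band. If the caller does not guarantee leaf-first ordering (not visible in this hunk), `size()-1` may not be the issuer at all, and walking the chain by issuer/subject would be more robust. The enclosing `saveChainToTrustStore` method continues past the end of the hunk.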