More Crypto Handle Repository work.
authorwassa <wassa@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Fri, 7 Feb 2003 21:35:49 +0000 (21:35 +0000)
committerwassa <wassa@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Fri, 7 Feb 2003 21:35:49 +0000 (21:35 +0000)
git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/trunk@457 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

src/edu/internet2/middleware/shibboleth/aa/AAServlet.java
src/edu/internet2/middleware/shibboleth/hs/HandleRepositoryFactory.java
src/edu/internet2/middleware/shibboleth/hs/HandleServlet.java
src/edu/internet2/middleware/shibboleth/hs/provider/CryptoHandleRepository.java
webApplication/WEB-INF/conf/handle.jks [new file with mode: 0755]
webApplication/WEB-INF/conf/origin.properties

index 8a2ddd6..9270491 100755 (executable)
@@ -163,6 +163,9 @@ public class AAServlet extends HttpServlet {
                defaultProps.setProperty(
                        "java.naming.factory.initial",
                        "edu.internet2.middleware.shibboleth.aaLocal.EchoCtxFactory");
+               defaultProps.setProperty(
+                       "edu.internet2.middleware.shibboleth.hs.provider.CryptoHandleRepository.keyStorePath",
+                       getServletContext().getRealPath("/WEB-INF/conf/handle.jks"));
 
                //Load from file
                Properties properties = new Properties(defaultProps);
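Review bot: `getServletContext().getRealPath("/WEB-INF/conf/handle.jks")` returns null when the container does not expand the web application to the filesystem, and `Properties.setProperty` with a null value then throws a NullPointerException, so the servlet fails during init before the properties file is even read. Guard the lookup: `String ksPath = getServletContext().getRealPath("/WEB-INF/conf/handle.jks");` then `if (ksPath != null) { defaultProps.setProperty("edu.internet2.middleware.shibboleth.hs.provider.CryptoHandleRepository.keyStorePath", ksPath); }`, and let CryptoHandleRepository report a missing path itself. The identical three lines are added to HandleServlet in its hunk at line 107, and the long property key is now spelled out in three places; a shared constant on CryptoHandleRepository would keep them in step. The enclosing init method starts and ends outside the hunk.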
index c2bf502..e4d7143 100644 (file)
@@ -75,11 +75,9 @@ public class HandleRepositoryFactory {
                        Class implementorClass =
                                Class.forName(
                                        props.getProperty("edu.internet2.middleware.shibboleth.hs.HandleRepository.implementation"));
-                       Class[] params = new Class[1];
-                       params[0] = Class.forName("java.util.Properties");
+                       Class[] params = new Class[] { Properties.class };
                        Constructor implementorConstructor = implementorClass.getConstructor(params);
-                       Object[] args = new Object[1];
-                       args[0] = props;
+                       Object[] args = new Object[] { props };
                        log.debug("Initializing Handle Repository of type (" + implementorClass.getName() + ").");
                        return (HandleRepository) implementorConstructor.newInstance(args);
 
@@ -88,10 +86,10 @@ public class HandleRepositoryFactory {
                                "Failed to instantiate an Handle Repository: HandleRepository "
                                        + "implementation must contain a constructor that accepts a Properties bundle for "
                                        + "configuration data.");
-                       throw new HandleRepositoryException("Failed to instantiate an Handle Repository.");
+                       throw new HandleRepositoryException("Failed to instantiate a Handle Repository.");
                } catch (Exception e) {
-                       log.error("Failed to instantiate an Handle Repository: " + e);
-                       throw new HandleRepositoryException("Failed to instantiate an Handle Repository: " + e.getMessage());
+                       log.error("Failed to instantiate a Handle Repository: " + e + ":" + e.getCause());
+                       throw new HandleRepositoryException("Failed to instantiate a Handle Repository: " + e.getMessage());
 
                }
        }
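Review bot: The new rethrow `throw new HandleRepositoryException("Failed to instantiate a Handle Repository: " + e.getMessage())` still loses the real failure: `Constructor.newInstance` wraps any exception thrown by the repository constructor in an InvocationTargetException, whose `getMessage()` is typically null, so the caller sees "…: null" while the useful text only reaches the log line above (which now appends `e.getCause()`). Unwrap before building the message, e.g. `Throwable cause = (e instanceof InvocationTargetException) ? ((InvocationTargetException) e).getTargetException() : e;` (java.lang.reflect, if not already imported) and use `cause.getMessage()` in both the log and the exception. Prefer `log.error("Failed to instantiate a Handle Repository.", cause)` as well, so the stack trace is kept rather than just the toString. The enclosing try opens in the first hunk of this file, outside this one.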
index 153abe6..b42c405 100644 (file)
@@ -107,6 +107,9 @@ public class HandleServlet extends HttpServlet {
                defaultProps.setProperty(
                        "edu.internet2.middleware.shibboleth.hs.HandleServlet.issuer",
                        "shib2.internet2.edu");
+               defaultProps.setProperty(
+                       "edu.internet2.middleware.shibboleth.hs.provider.CryptoHandleRepository.keyStorePath",
+                       getServletContext().getRealPath("/WEB-INF/conf/handle.jks"));
 
                //Load from file
                Properties properties = new Properties(defaultProps);
index 3ee14c1..79f52a5 100644 (file)
@@ -51,18 +51,25 @@ package edu.internet2.middleware.shibboleth.hs.provider;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
+import java.io.FileInputStream;
+import java.io.IOException;
 import java.io.ObjectInputStream;
 import java.io.ObjectOutput;
 import java.io.ObjectOutputStream;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.CertificateException;
 import java.util.Properties;
 import java.util.zip.GZIPInputStream;
 import java.util.zip.GZIPOutputStream;
 
 import javax.crypto.Cipher;
-import javax.crypto.KeyGenerator;
 import javax.crypto.SecretKey;
 
+import org.apache.log4j.Logger;
+
 import sun.misc.BASE64Decoder;
 import sun.misc.BASE64Encoder;
 
@@ -78,22 +85,53 @@ import edu.internet2.middleware.shibboleth.hs.HandleRepositoryException;
  */
 public class CryptoHandleRepository extends BaseHandleRepository implements HandleRepository {
 
-       static SecretKey secret;
+       private static Logger log = Logger.getLogger(CryptoHandleRepository.class.getName());
+       protected SecretKey secret;
 
        public CryptoHandleRepository(Properties properties) throws HandleRepositoryException {
                super(properties);
-               KeyGenerator keyGen;
                try {
-                       if (secret == null) {
-                               keyGen = KeyGenerator.getInstance("DESede");
-
-                               secret = keyGen.generateKey();
-                       } else {
-                       System.err.println("Already have a key");       
-                       }
+                       KeyStore keyStore = KeyStore.getInstance("JCEKS");
+
+                       keyStore.load(
+                               new FileInputStream(
+                                       properties
+                                               .getProperty("edu.internet2.middleware.shibboleth.hs.provider.CryptoHandleRepository.keyStorePath")),
+                               properties
+                                       .getProperty("edu.internet2.middleware.shibboleth.hs.provider.CryptoHandleRepository.keyStorePassword")
+                                       .toCharArray());
+                       secret =
+                               (SecretKey) keyStore.getKey(
+                                       properties.getProperty(
+                                               "edu.internet2.middleware.shibboleth.hs.provider.CryptoHandleRepository.keyStoreKeyAlias"),
+                                       properties
+                                               .getProperty("edu.internet2.middleware.shibboleth.hs.provider.CryptoHandleRepository.keyStoreKeyPassword")
+                                               .toCharArray());
+
+               } catch (KeyStoreException e) {
+                       log.error(
+                               "An error occurred while loading the java keystore.  Unable to initialize Crypto Handle Repository: "
+                                       + e);
+                       throw new HandleRepositoryException("An error occurred while loading the java keystore.  Unable to initialize Crypto Handle Repository.");
+               } catch (CertificateException e) {
+                       log.error(
+                               "The java keystore contained corrupted data.  Unable to initialize Crypto Handle Repository: " + e);
+                       throw new HandleRepositoryException("The java keystore contained corrupted data.  Unable to initialize Crypto Handle Repository.");
                } catch (NoSuchAlgorithmException e) {
-                       System.err.println(e);
-                       return;
+                       log.error(
+                               "Appropriate JCE provider not found in the java environment. Unable to initialize Crypto Handle Repository: "
+                                       + e);
+                       throw new HandleRepositoryException("Appropriate JCE provider not found in the java environment. Unable to initialize Crypto Handle Repository.");
+               } catch (IOException e) {
+                       log.error(
+                               "An error accessing while loading the java keystore.  Unable to initialize Crypto Handle Repository: "
+                                       + e);
+                       throw new HandleRepositoryException("An error occurred while accessing the java keystore.  Unable to initialize Crypto Handle Repository.");
+               } catch (UnrecoverableKeyException e) {
+                       log.error(
+                               "Secret could not be loaded from the java keystore.  Verify that the alias and password are correct: "
+                                       + e);
+                       throw new HandleRepositoryException("Secret could not be loaded from the java keystore.  Verify that the alias and password are correct. ");
                }
        }
 
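Review bot: The `FileInputStream` opened inline inside the `keyStore.load(...)` call is never closed, so every repository construction leaks a file descriptor (the factory hunk in this commit builds one per call). Two further gaps sit in the same block: a missing `keyStorePassword`, `keyStoreKeyAlias` or `keyStoreKeyPassword` property makes `.toCharArray()` throw a NullPointerException that none of the five catch clauses turns into a HandleRepositoryException, and `keyStore.getKey` returns null for an unknown alias (or a non-secret key for a wrong one), so the `(SecretKey)` cast either yields a null `secret` that fails on first use or throws a ClassCastException here. Read the four properties into locals, reject nulls with a clear message, close the stream in a `finally`, and check the key type before casting; the whole constructor is inside this hunk and the existing catch clauses can stay as they are.

```java
		super(properties);
		FileInputStream keyStoreStream = null;
		try {
			String keyStorePath =
				properties.getProperty("edu.internet2.middleware.shibboleth.hs.provider.CryptoHandleRepository.keyStorePath");
			String keyStorePassword =
				properties.getProperty("edu.internet2.middleware.shibboleth.hs.provider.CryptoHandleRepository.keyStorePassword");
			String keyAlias =
				properties.getProperty("edu.internet2.middleware.shibboleth.hs.provider.CryptoHandleRepository.keyStoreKeyAlias");
			String keyPassword =
				properties.getProperty("edu.internet2.middleware.shibboleth.hs.provider.CryptoHandleRepository.keyStoreKeyPassword");
			if (keyStorePath == null || keyStorePassword == null || keyAlias == null || keyPassword == null) {
				log.error(
					"Crypto Handle Repository configuration is incomplete: keyStorePath, keyStorePassword, keyStoreKeyAlias and keyStoreKeyPassword must all be set.");
				throw new HandleRepositoryException("Crypto Handle Repository configuration is incomplete.");
			}
			KeyStore keyStore = KeyStore.getInstance("JCEKS");
			keyStoreStream = new FileInputStream(keyStorePath);
			keyStore.load(keyStoreStream, keyStorePassword.toCharArray());
			java.security.Key key = keyStore.getKey(keyAlias, keyPassword.toCharArray());
			if (!(key instanceof SecretKey)) {
				log.error("No secret key found in the java keystore under alias (" + keyAlias + ").");
				throw new HandleRepositoryException("No secret key found in the java keystore under the configured alias.");
			}
			secret = (SecretKey) key;
		// … unchanged: KeyStoreException / CertificateException / NoSuchAlgorithmException / IOException / UnrecoverableKeyException handlers …
		} finally {
			if (keyStoreStream != null) {
				try {
					keyStoreStream.close();
				} catch (IOException ignored) {
					// stream is only read; a failure on close changes nothing
				}
			}
		}
```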
diff --git a/webApplication/WEB-INF/conf/handle.jks b/webApplication/WEB-INF/conf/handle.jks
new file mode 100755 (executable)
index 0000000..ed395af
Binary files /dev/null and b/webApplication/WEB-INF/conf/handle.jks differ
index ff74266..42aac73 100755 (executable)
@@ -1,8 +1,6 @@
 #Full Path to ARP repository
-#edu.internet2.middleware.shibboleth.aa.arp.provider.FileSystemArpRepository.Path = \
-#      /opt/local/tomcat/webapps/shibboleth/WEB-INF/conf/arps/
-edu.internet2.middleware.shibboleth.aa.arp.ArpRepository.implementation = \
-       edu.internet2.middleware.shibboleth.aa.arp.provider.FileSystemArpRepository
+#edu.internet2.middleware.shibboleth.aa.arp.provider.FileSystemArpRepository.Path = /opt/local/tomcat/webapps/shibboleth/WEB-INF/conf/arps/
+edu.internet2.middleware.shibboleth.aa.arp.ArpRepository.implementation = edu.internet2.middleware.shibboleth.aa.arp.provider.FileSystemArpRepository
 
 edu.internet2.middleware.shibboleth.aa.AAServlet.authorityName = shib2.internet2.edu
 edu.internet2.middleware.shibboleth.aa.AAServlet.ldapUserDnPhrase = uid=
@@ -14,17 +12,19 @@ java.naming.factory.initial=edu.internet2.middleware.shibboleth.aaLocal.EchoCtxF
 #java.naming.security.principal =
 #java.naming.security.credentials =
 
-#edu.internet2.middleware.shibboleth.hs.HandleRepository.implementation = \
-#      edu.internet2.middleware.shibboleth.hs.provider.CryptoHandleRepository
-       
-edu.internet2.middleware.shibboleth.hs.HandleRepository.implementation = \
-       edu.internet2.middleware.shibboleth.hs.provider.MemoryHandleRepository
+edu.internet2.middleware.shibboleth.hs.HandleRepository.implementation = edu.internet2.middleware.shibboleth.hs.provider.CryptoHandleRepository
+edu.internet2.middleware.shibboleth.hs.provider.CryptoHandleRepository.keyStoreKeyPassword = shibhs
+edu.internet2.middleware.shibboleth.hs.provider.CryptoHandleRepository.keyStoreKeyAlias = handleKey
+#edu.internet2.middleware.shibboleth.hs.provider.CryptoHandleRepository.keyStorePath =
+edu.internet2.middleware.shibboleth.hs.provider.CryptoHandleRepository.keyStorePassword = shibhs
+
+#edu.internet2.middleware.shibboleth.hs.HandleRepository.implementation = edu.internet2.middleware.shibboleth.hs.provider.MemoryHandleRepository
        
-edu.internet2.middleware.shibboleth.hs.BaseHandleRepository.handleTTL = 1800000
+edu.internet2.middleware.shibboleth.hs.BaseHandleRepository.handleTTL = 10000
 edu.internet2.middleware.shibboleth.hs.HandleServlet.issuer = shib2.internet2.edu
 edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStorePath = /WEB-INF/conf/keystore.jks
 edu.internet2.middleware.shibboleth.hs.HandleServlet.authenticationDomain = shibdev.edu
-edu.internet2.middleware.shibboleth.hs.HandleServlet.AAUrl = http://66.108.96.194/shibboleth/AA
+edu.internet2.middleware.shibboleth.hs.HandleServlet.AAUrl = http://snc.cc.columbia.edu/shibboleth/AA
 edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStorePassword = shibhs
 edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStoreKeyAlias = shibhs
 edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStoreKeyPassword = shibhs
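Review bot: The keystore password and key password (`keyStorePassword = shibhs`, `keyStoreKeyPassword = shibhs`) are committed in clear text in the same tree as the new binary `handle.jks` this commit adds, so the handle-encryption secret is recoverable by anyone with read access to the repository or the deployed WEB-INF/conf directory; the file already does the same for the HandleServlet signing keystore. Mark these as sample values and tell deployers to replace them, e.g. `# Sample credentials only: generate your own handle.jks and change both passwords before deployment`, and consider reading the secret values from a file outside the web application. Separately, `handleTTL = 10000` cuts the handle lifetime from 30 minutes to 10 seconds, which reads like a debugging value rather than an intended default; confirm before it ships. `keyStorePath` is left commented out here, so the servlet-computed default is the only source for it; a comment saying so next to the commented line would help deployers.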