author | alanb |
Thu, 01 Dec 2016 08:57:53 +0000 | |
changeset 42338 | a60f280f803c |
parent 36511 | 9d0388c6b336 |
child 43243 | a48dab17a356 |
permissions | -rw-r--r-- |
/*
 * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

package com.sun.security.auth.module; |
import java.io.File; |
import java.io.IOException; |
import java.io.InputStream; |
import java.net.MalformedURLException; |
import java.net.URL; |
import java.security.*; |
import java.security.cert.*; |
import java.security.cert.Certificate; |
import java.security.cert.X509Certificate; |
import java.util.*; |
import javax.security.auth.Destroyable; |
import javax.security.auth.DestroyFailedException; |
import javax.security.auth.Subject; |
import javax.security.auth.x500.*; |
import javax.security.auth.callback.Callback; |
import javax.security.auth.callback.CallbackHandler; |
import javax.security.auth.callback.ConfirmationCallback; |
import javax.security.auth.callback.NameCallback; |
import javax.security.auth.callback.PasswordCallback; |
import javax.security.auth.callback.TextOutputCallback; |
import javax.security.auth.callback.UnsupportedCallbackException; |
import javax.security.auth.login.FailedLoginException; |
import javax.security.auth.login.LoginException; |
import javax.security.auth.spi.LoginModule; |
import sun.security.util.Password; |
/**
 * Provides a JAAS login module that prompts for a key store alias and
 * populates the subject with the alias's principal and credentials. Stores
 * an {@code X500Principal} for the subject distinguished name of the
 * first certificate in the alias's credentials in the subject's principals,
 * the alias's certificate path in the subject's public credentials, and a
 * {@code X500PrivateCredential} whose certificate is the first
 * certificate in the alias's certificate path and whose private key is the
 * alias's private key in the subject's private credentials. <p>
 *
 * Recognizes the following options in the configuration file:
 * <dl>
 *
 * <dt> {@code keyStoreURL} </dt>
 * <dd> A URL that specifies the location of the key store.  Defaults to
 *      a URL pointing to the .keystore file in the directory specified by the
 *      {@code user.home} system property.  The input stream from this
 *      URL is passed to the {@code KeyStore.load} method.
 *      "NONE" may be specified if a {@code null} stream must be
 *      passed to the {@code KeyStore.load} method.
 *      "NONE" should be specified if the KeyStore resides
 *      on a hardware token device, for example.</dd>
 *
 * <dt> {@code keyStoreType} </dt>
 * <dd> The key store type.  If not specified, defaults to the result of
 *      calling {@code KeyStore.getDefaultType()}.
 *      If the type is "PKCS11", then keyStoreURL must be "NONE"
 *      and privateKeyPasswordURL must not be specified.</dd>
 *
 * <dt> {@code keyStoreProvider} </dt>
 * <dd> The key store provider.  If not specified, uses the standard search
 *      order to find the provider. </dd>
 *
 * <dt> {@code keyStoreAlias} </dt>
 * <dd> The alias in the key store to login as.  Required when no callback
 *      handler is provided.  No default value. </dd>
 *
 * <dt> {@code keyStorePasswordURL} </dt>
 * <dd> A URL that specifies the location of the key store password.  Required
 *      when no callback handler is provided and
 *      {@code protected} is false.
 *      No default value. </dd>
 *
 * <dt> {@code privateKeyPasswordURL} </dt>
 * <dd> A URL that specifies the location of the specific private key password
 *      needed to access the private key for this alias.
 *      The keystore password
 *      is used if this value is needed and not specified. </dd>
 *
 * <dt> {@code protected} </dt>
 * <dd> This value should be set to "true" if the KeyStore
 *      has a separate, protected authentication path
 *      (for example, a dedicated PIN-pad attached to a smart card).
 *      Defaults to "false". If "true" keyStorePasswordURL and
 *      privateKeyPasswordURL must not be specified.</dd>
 *
 * </dl>
 */
public class KeyStoreLoginModule implements LoginModule {

    // Localized prompt strings used by the callbacks below.
    private static final ResourceBundle rb =
        ResourceBundle.getBundle("sun.security.util.AuthResources");

    /* -- Fields -- */

    // Life-cycle states held in 'status'; login() and commit() switch on them.
    private static final int UNINITIALIZED = 0;
    private static final int INITIALIZED = 1;
    private static final int AUTHENTICATED = 2;
    private static final int LOGGED_IN = 3;

    // Environments passed to getAliasAndPasswords(): which secrets to collect.
    private static final int PROTECTED_PATH = 0;   // alias only
    private static final int TOKEN = 1;            // alias + keystore password
    private static final int NORMAL = 2;           // alias + keystore + key password

    // keyStoreURL value meaning "call KeyStore.load with a null stream".
    private static final String NONE = "NONE";
    // keyStoreType (compared case-insensitively) that marks a hardware token.
    private static final String P11KEYSTORE = "PKCS11";

    // Informational banner placed first in every interactive prompt.
    private static final TextOutputCallback bannerCallback =
        new TextOutputCallback
            (TextOutputCallback.INFORMATION,
            rb.getString("Please.enter.keystore.information"));
    // OK/Cancel confirmation placed last in every prompt; CANCEL aborts login().
    private final ConfirmationCallback confirmationCallback =
        new ConfirmationCallback
            (ConfirmationCallback.INFORMATION,
            ConfirmationCallback.OK_CANCEL_OPTION,
            ConfirmationCallback.OK);

    // Supplied by initialize().
    private Subject subject;
    private CallbackHandler callbackHandler;
    private Map<String, Object> sharedState;
    private Map<String, ?> options;

    // Secrets collected during login(); zeroed in login()'s finally block.
    // privateKeyPassword may be the very same array as keyStorePassword.
    private char[] keyStorePassword;
    private char[] privateKeyPassword;
    private KeyStore keyStore;

    // Raw option values as read by processOptions() (see class Javadoc).
    private String keyStoreURL;
    private String keyStoreType;
    private String keyStoreProvider;
    private String keyStoreAlias;
    private String keyStorePasswordURL;
    private String privateKeyPasswordURL;
    private boolean debug;

    // Results of getKeyStoreInfo(); commitInternal() adds them to the Subject.
    private javax.security.auth.x500.X500Principal principal;
    private Certificate[] fromKeyStore;
    private java.security.cert.CertPath certP = null;
    private X500PrivateCredential privateCredential;
    private int status = UNINITIALIZED;

    // Flags derived from the options: keyStoreURL is "NONE", keyStoreType is
    // PKCS11, and the "protected" option is "true", respectively.
    private boolean nullStream = false;
    private boolean token = false;
    private boolean protectedPath = false;

    /* -- Methods -- */

/**
 * Initialize this {@code LoginModule}.
 *
 * <p> Stores the {@code Subject}, callback handler, shared state and
 * options, reads the module options via {@code processOptions()} and
 * moves the module into the INITIALIZED state.
 *
 * @param subject the {@code Subject} to be authenticated.
 *
 * @param callbackHandler a {@code CallbackHandler} for communicating
 *                  with the end user (prompting for usernames and
 *                  passwords, for example),
 *                  which may be {@code null}.
 *
 * @param sharedState shared {@code LoginModule} state.
 *
 * @param options options specified in the login
 *                  {@code Configuration} for this particular
 *                  {@code LoginModule}.
 */
// Unchecked warning from (Map<String, Object>)sharedState is safe
// since javax.security.auth.login.LoginContext passes a raw HashMap.
@SuppressWarnings("unchecked")
public void initialize(Subject subject,
                       CallbackHandler callbackHandler,
                       Map<String,?> sharedState,
                       Map<String,?> options)
{
    this.options = options;
    this.sharedState = (Map<String, Object>) sharedState;
    this.callbackHandler = callbackHandler;
    this.subject = subject;

    // processOptions() reads this.options, so it must follow the assignments.
    processOptions();
    status = INITIALIZED;
}

/**
 * Reads the module options captured by {@code initialize()} into fields.
 *
 * <p> Applies the documented defaults: {@code keyStoreURL} falls back to
 * {@code file:} + {@code user.home} + {@code /.keystore} and
 * {@code keyStoreType} to {@code KeyStore.getDefaultType()}. Also raises
 * the {@code nullStream}, {@code token}, {@code protectedPath} and
 * {@code debug} flags, and dumps the effective settings (URLs and names,
 * never password contents) when {@code debug} is set.
 */
private void processOptions() {
    keyStoreURL = (String) options.get("keyStoreURL");
    if (keyStoreURL == null) {
        // NOTE(review): "user.home" is assumed to be set; a null value
        // would fail here with a NullPointerException.
        String home = System.getProperty("user.home")
            .replace(File.separatorChar, '/');
        keyStoreURL = "file:" + home + "/.keystore";
    } else if (NONE.equals(keyStoreURL)) {
        nullStream = true;
    }

    String type = (String) options.get("keyStoreType");
    keyStoreType = (type != null) ? type : KeyStore.getDefaultType();
    if (P11KEYSTORE.equalsIgnoreCase(keyStoreType)) {
        token = true;
    }

    keyStoreProvider = (String) options.get("keyStoreProvider");
    keyStoreAlias = (String) options.get("keyStoreAlias");
    keyStorePasswordURL = (String) options.get("keyStorePasswordURL");
    privateKeyPasswordURL = (String) options.get("privateKeyPasswordURL");

    protectedPath =
        "true".equalsIgnoreCase((String) options.get("protected"));
    debug = "true".equalsIgnoreCase((String) options.get("debug"));

    if (!debug) {
        return;
    }
    debugPrint(null);
    debugPrint("keyStoreURL=" + keyStoreURL);
    debugPrint("keyStoreType=" + keyStoreType);
    debugPrint("keyStoreProvider=" + keyStoreProvider);
    debugPrint("keyStoreAlias=" + keyStoreAlias);
    debugPrint("keyStorePasswordURL=" + keyStorePasswordURL);
    debugPrint("privateKeyPasswordURL=" + privateKeyPasswordURL);
    debugPrint("protectedPath=" + protectedPath);
    debugPrint(null);
}

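/**
 * Authenticate the user.
 *
 * <p> Checks that the configured options are mutually consistent, gets
 * the Keystore alias and relevant passwords (from the options, or from
 * the user via the callback handler), then retrieves the alias's
 * principal and credentials from the Keystore.
 *
 * <p> Both password arrays are zeroed before this method returns or
 * throws, whether the failure happened while gathering the passwords or
 * while reading the Keystore.
 *
 * @exception FailedLoginException if the authentication fails.
 * @exception LoginException if the module is not initialized, the options
 *                  are inconsistent, a password cannot be obtained, or
 *                  the Keystore cannot be read.
 *
 * @return true in all cases (this {@code LoginModule}
 *          should not be ignored).
 */
public boolean login() throws LoginException {
    switch (status) {
    case LOGGED_IN:
        return true;
    case INITIALIZED:
    case AUTHENTICATED:
        break;
    case UNINITIALIZED:
    default:
        throw new LoginException("The login module is not initialized");
    }

    // Option consistency checks (see the class Javadoc).
    if (token && !nullStream) {
        throw new LoginException
            ("if keyStoreType is " + P11KEYSTORE +
            " then keyStoreURL must be " + NONE);
    }

    if (token && privateKeyPasswordURL != null) {
        throw new LoginException
            ("if keyStoreType is " + P11KEYSTORE +
            " then privateKeyPasswordURL must not be specified");
    }

    if (protectedPath &&
        (keyStorePasswordURL != null ||
            privateKeyPasswordURL != null)) {
        throw new LoginException
            ("if protected is true then keyStorePasswordURL and " +
            "privateKeyPasswordURL must not be specified");
    }

    // Get the alias and password info, then log into the KeyStore.
    // Both steps run inside the try: getAliasAndPasswords(NORMAL) may
    // have already read the keystore password when the private key
    // password read fails, and that array must be zeroed too.
    try {
        if (protectedPath) {
            getAliasAndPasswords(PROTECTED_PATH);
        } else if (token) {
            getAliasAndPasswords(TOKEN);
        } else {
            getAliasAndPasswords(NORMAL);
        }
        getKeyStoreInfo();
    } finally {
        // privateKeyPassword may be the same array as keyStorePassword;
        // clear each distinct array exactly once.
        if (privateKeyPassword != null &&
            privateKeyPassword != keyStorePassword) {
            Arrays.fill(privateKeyPassword, '\0');
            privateKeyPassword = null;
        }
        if (keyStorePassword != null) {
            Arrays.fill(keyStorePassword, '\0');
            keyStorePassword = null;
        }
    }
    status = AUTHENTICATED;
    return true;
}
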
/**
 * Get the alias and passwords to use for looking up in the KeyStore.
 *
 * <p> Without a callback handler the values must come from the options
 * ({@code keyStoreAlias}, {@code keyStorePasswordURL} and, for NORMAL,
 * {@code privateKeyPasswordURL}). With a callback handler the user is
 * prompted for whatever {@code env} requires; a configured alias is
 * offered as the default name.
 *
 * @param env PROTECTED_PATH (alias only), TOKEN (alias and keystore
 *            password) or NORMAL (alias and both passwords).
 * @exception LoginException if a required option is missing, a password
 *            cannot be read, or the user cancels the prompt.
 */
private void getAliasAndPasswords(int env) throws LoginException {
    boolean needStorePass = (env == TOKEN || env == NORMAL);
    boolean needKeyPass = (env == NORMAL);

    if (callbackHandler == null) {

        // No callback handler - check for alias and password options

        if (env == PROTECTED_PATH || needStorePass) {
            checkAlias();
        }
        if (needStorePass) {
            checkStorePass();
        }
        if (needKeyPass) {
            checkKeyPass();
        }

    } else {

        // Callback handler available - prompt for alias and passwords

        String aliasPrompt = rb.getString("Keystore.alias.");
        NameCallback aliasCallback =
            (keyStoreAlias == null || keyStoreAlias.isEmpty())
                ? new NameCallback(aliasPrompt)
                : new NameCallback(aliasPrompt, keyStoreAlias);

        PasswordCallback keyPassCallback = needKeyPass
            ? new PasswordCallback
                (rb.getString("Private.key.password.optional."), false)
            : null;
        PasswordCallback storePassCallback = needStorePass
            ? new PasswordCallback
                (rb.getString("Keystore.password."), false)
            : null;

        prompt(aliasCallback, storePassCallback, keyPassCallback);
    }

    if (debug) {
        debugPrint("alias=" + keyStoreAlias);
    }
}

/**
 * Requires the {@code keyStoreAlias} option when no callback handler is
 * available to ask the user for it.
 *
 * @exception LoginException if no alias was configured.
 */
private void checkAlias() throws LoginException {
    if (keyStoreAlias != null) {
        return;
    }
    throw new LoginException
        ("Need to specify an alias option to use " +
        "KeyStoreLoginModule non-interactively.");
}

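/**
 * Reads the keystore password from the {@code keyStorePasswordURL}
 * option into {@code keyStorePassword}.
 *
 * <p> Any URL scheme the runtime supports is accepted; the stream is
 * handed to {@code Password.readPassword} and closed afterwards.
 *
 * @exception LoginException if the option is missing or the URL cannot
 *            be opened or read; the {@code IOException} is attached as
 *            the cause.
 */
private void checkStorePass() throws LoginException {
    if (keyStorePasswordURL == null) {
        throw new LoginException
            ("Need to specify keyStorePasswordURL option to use " +
            "KeyStoreLoginModule non-interactively.");
    }
    // try-with-resources: a failure in close() is attached to the read
    // exception as suppressed instead of replacing it, and no longer
    // needs its own LoginException thrown from a finally block.
    try (InputStream in = new URL(keyStorePasswordURL).openStream()) {
        keyStorePassword = Password.readPassword(in);
    } catch (IOException e) {
        LoginException le = new LoginException
            ("Problem accessing keystore password \"" +
            keyStorePasswordURL + "\"");
        le.initCause(e);
        throw le;
    }
}
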
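/**
 * Determines the private key password for the non-interactive case.
 *
 * <p> Without a {@code privateKeyPasswordURL} option the keystore
 * password is reused (the very same array, which {@code login()} relies
 * on when zeroing). Otherwise the password is read from the URL.
 *
 * @exception LoginException if the URL cannot be opened or read; the
 *            {@code IOException} is attached as the cause.
 */
private void checkKeyPass() throws LoginException {
    if (privateKeyPasswordURL == null) {
        privateKeyPassword = keyStorePassword;
        return;
    }
    // try-with-resources: a failure in close() is attached to the read
    // exception as suppressed instead of replacing it.
    try (InputStream in = new URL(privateKeyPasswordURL).openStream()) {
        privateKeyPassword = Password.readPassword(in);
    } catch (IOException e) {
        LoginException le = new LoginException
            ("Problem accessing private key password \"" +
            privateKeyPasswordURL + "\"");
        le.initCause(e);
        throw le;
    }
}
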
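/**
 * Runs one round of callbacks through the callback handler and saves
 * the answers.
 *
 * <p> The callback array always starts with the banner and the alias
 * callback and ends with the OK/Cancel confirmation; the keystore and
 * private key password callbacks are included only when non-null. A
 * null {@code storePassCallback} means "alias only", in which case
 * {@code keyPassCallback} is ignored, matching how
 * {@code getAliasAndPasswords} builds the callbacks.
 *
 * @param aliasCallback     the alias prompt, always present.
 * @param storePassCallback the keystore password prompt, or {@code null}.
 * @param keyPassCallback   the private key password prompt, or {@code null}.
 * @exception LoginException if the handler fails, does not support one of
 *            the callbacks, or the user selects Cancel.
 */
private void prompt(NameCallback aliasCallback,
                    PasswordCallback storePassCallback,
                    PasswordCallback keyPassCallback)
    throws LoginException {

    List<Callback> callbacks = new ArrayList<>();
    callbacks.add(bannerCallback);
    callbacks.add(aliasCallback);
    String requested;
    if (storePassCallback == null) {
        requested = "keystore alias";
    } else if (keyPassCallback == null) {
        callbacks.add(storePassCallback);
        requested = "keystore alias and password";
    } else {
        callbacks.add(storePassCallback);
        callbacks.add(keyPassCallback);
        requested = "keystore alias and passwords";
    }
    callbacks.add(confirmationCallback);

    try {
        callbackHandler.handle(callbacks.toArray(new Callback[0]));
    } catch (IOException e) {
        LoginException le = new LoginException
            ("Problem retrieving " + requested);
        le.initCause(e);
        throw le;
    } catch (UnsupportedCallbackException e) {
        throw new LoginException(
            "Error: " + e.getCallback().toString() +
            " is not available to retrieve authentication " +
            " information from the user");
    }

    if (confirmationCallback.getSelectedIndex() ==
            ConfirmationCallback.CANCEL) {
        throw new LoginException("Login cancelled");
    }

    saveAlias(aliasCallback);
    if (storePassCallback != null) {
        saveStorePass(storePassCallback);
        if (keyPassCallback != null) {
            saveKeyPass(keyPassCallback);
        }
    }
}
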
/** Records the alias the user entered (or accepted as default). */
private void saveAlias(NameCallback cb) {
    this.keyStoreAlias = cb.getName();
}

/**
 * Copies the keystore password out of the callback and clears the
 * callback's own copy. A {@code null} password is stored as an empty
 * array so later code can rely on a non-null value.
 */
private void saveStorePass(PasswordCallback c) {
    char[] entered = c.getPassword();
    /* Treat a NULL password as an empty password */
    keyStorePassword = (entered != null) ? entered : new char[0];
    c.clearPassword();
}

/**
 * Copies the private key password out of the callback and clears the
 * callback's own copy. An absent or empty answer means "same as the
 * keystore password", stored as the same array reference.
 */
private void saveKeyPass(PasswordCallback c) {
    char[] entered = c.getPassword();
    boolean useStorePass = (entered == null || entered.length == 0);
    /*
     * Use keystore password if no private key password is
     * specified.
     */
    privateKeyPassword = useStorePass ? keyStorePassword : entered;
    c.clearPassword();
}

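/**
 * Get the credentials from the KeyStore.
 *
 * <p> Instantiates the keystore ({@code keyStoreType}, optionally from
 * {@code keyStoreProvider}), loads it from {@code keyStoreURL} (or with a
 * {@code null} stream when {@code nullStream} is set), then fills in
 * {@code fromKeyStore}, {@code certP}, {@code principal} and
 * {@code privateCredential} for {@code keyStoreAlias}.
 *
 * @exception FailedLoginException if the alias has no X.509 certificate
 *            chain or its private key cannot be recovered.
 * @exception LoginException for any other keystore, provider, URL or I/O
 *            failure; the underlying exception is attached as the cause.
 */
private void getKeyStoreInfo() throws LoginException {

    /* Get KeyStore instance */
    try {
        if (keyStoreProvider == null) {
            keyStore = KeyStore.getInstance(keyStoreType);
        } else {
            keyStore =
                KeyStore.getInstance(keyStoreType, keyStoreProvider);
        }
    } catch (KeyStoreException e) {
        LoginException le = new LoginException
            ("The specified keystore type was not available");
        le.initCause(e);
        throw le;
    } catch (NoSuchProviderException e) {
        LoginException le = new LoginException
            ("The specified keystore provider was not available");
        le.initCause(e);
        throw le;
    }

    /* Load KeyStore contents from file */
    try {
        if (nullStream) {
            // if using protected auth path, keyStorePassword will be null
            keyStore.load(null, keyStorePassword);
        } else {
            // try-with-resources: a failure in close() is attached to the
            // load() exception as suppressed rather than replacing it.
            try (InputStream in = new URL(keyStoreURL).openStream()) {
                keyStore.load(in, keyStorePassword);
            }
        }
    } catch (MalformedURLException e) {
        LoginException le = new LoginException
            ("Incorrect keyStoreURL option");
        le.initCause(e);
        throw le;
    } catch (GeneralSecurityException | IOException e) {
        LoginException le = new LoginException
            ("Error initializing keystore");
        le.initCause(e);
        throw le;
    }

    /* Get certificate chain and create a certificate path */
    try {
        fromKeyStore = keyStore.getCertificateChain(keyStoreAlias);
        if (fromKeyStore == null
            || fromKeyStore.length == 0
            || !(fromKeyStore[0] instanceof X509Certificate))
        {
            throw new FailedLoginException(
                "Unable to find X.509 certificate chain in keystore");
        }
        CertificateFactory certF =
            CertificateFactory.getInstance("X.509");
        // generateCertPath copies the supplied list, so a fixed-size
        // view of the array is sufficient.
        certP = certF.generateCertPath(Arrays.asList(fromKeyStore));
    } catch (KeyStoreException e) {
        LoginException le = new LoginException("Error using keystore");
        le.initCause(e);
        throw le;
    } catch (CertificateException ce) {
        LoginException le = new LoginException
            ("Error: X.509 Certificate type unavailable");
        le.initCause(ce);
        throw le;
    }

    /* Get principal and keys */
    try {
        X509Certificate certificate = (X509Certificate) fromKeyStore[0];
        // Take the subject straight from the certificate's encoding.
        // Re-parsing the getSubjectDN().getName() string can change a DN
        // whose attribute encodings do not survive the string round trip.
        principal = certificate.getSubjectX500Principal();

        // if token, privateKeyPassword will be null
        Key privateKey = keyStore.getKey(keyStoreAlias, privateKeyPassword);
        // instanceof is false for null, so this also covers a missing key
        if (!(privateKey instanceof PrivateKey)) {
            throw new FailedLoginException(
                "Unable to recover key from keystore");
        }

        privateCredential = new X500PrivateCredential(
            certificate, (PrivateKey) privateKey, keyStoreAlias);
    } catch (KeyStoreException | NoSuchAlgorithmException e) {
        LoginException le = new LoginException("Error using keystore");
        le.initCause(e);
        throw le;
    } catch (UnrecoverableKeyException e) {
        FailedLoginException fle = new FailedLoginException
            ("Unable to recover key from keystore");
        fle.initCause(e);
        throw fle;
    }
    if (debug) {
        debugPrint("principal=" + principal +
                   "\n certificate="
                   + privateCredential.getCertificate() +
                   "\n alias =" + privateCredential.getAlias());
    }
}
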
/**
 * Commits the authentication (phase 2 of the JAAS two-phase protocol).
 *
 * <p> The {@code LoginContext} calls this once the overall authentication
 * succeeded (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL
 * LoginModules succeeded).
 *
 * <p> If this module's own {@code login} succeeded (status is
 * {@code AUTHENTICATED}), the Subject is populated with: an
 * {@code X500Principal} for the subject DN of the first certificate in the
 * alias's certificate path (principals), the alias's certificate path
 * (public credentials) and an {@code X500PrivateCredential} holding that
 * first certificate and the alias's private key (private credentials).
 * If this module's own login failed (status is {@code INITIALIZED}), any
 * state saved so far is torn down and a {@code LoginException} is thrown.
 *
 * <p> Note that a read-only Subject makes {@code commitInternal} throw
 * before the status is changed, so the module stays {@code AUTHENTICATED}
 * and still holds the private credential; the LoginContext is then expected
 * to call {@code abort}, which releases it.
 *
 * @exception LoginException if the module was never initialized, if its own
 *            login failed, or if the Subject could not be populated
 *
 * @return true if this module's own login and commit both succeeded,
 *         false otherwise
 */
public boolean commit() throws LoginException {
    switch (status) {
    case LOGGED_IN:
        // Already committed on an earlier call; nothing more to add.
        return true;
    case AUTHENTICATED:
        if (!commitInternal()) {
            // Could not populate the Subject: release the credentials
            // before reporting failure.
            logoutInternal();
            throw new LoginException("Unable to retrieve certificates");
        }
        return true;
    case INITIALIZED:
        // Our own login did not succeed; make sure nothing lingers.
        logoutInternal();
        throw new LoginException("Authentication failed");
    default:
        // UNINITIALIZED (or an unknown value): initialize() never ran.
        throw new LoginException("The login module is not initialized");
    }
}
/**
 * Populates the Subject with the principal, the certificate path and the
 * private credential gathered by {@code login}, and moves the module to
 * {@code LOGGED_IN}.
 *
 * <p> From this point on the private key is reachable through the Subject's
 * private-credential set, so anything holding the Subject can obtain it.
 *
 * @exception LoginException if the Subject is read-only and therefore cannot
 *            be populated (the status is left unchanged in that case)
 *
 * @return true whenever no exception is thrown
 */
private boolean commitInternal() throws LoginException {
    // A read-only Subject rejects every add below, so refuse up front.
    if (subject.isReadOnly()) {
        throw new LoginException ("Subject is set readonly");
    }

    subject.getPrincipals().add(principal);
    subject.getPublicCredentials().add(certP);
    subject.getPrivateCredentials().add(privateCredential);
    status = LOGGED_IN;
    return true;
}
/**
 * Aborts the authentication.
 *
 * <p> The {@code LoginContext} calls this when the overall authentication
 * failed (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL
 * LoginModules did not succeed).
 *
 * <p> If this module's own {@code login} succeeded (status
 * {@code AUTHENTICATED}), or its {@code commit} succeeded as well (status
 * {@code LOGGED_IN}), all state saved by those phases is cleaned up via
 * {@code logoutInternal}. If the loaded KeyStore's provider extends
 * {@code java.security.AuthProvider}, that cleanup also invokes the
 * provider's {@code logout} method.
 *
 * @exception LoginException if the cleanup fails
 *
 * @return false if this module's own login and/or commit attempts failed,
 *         and true otherwise
 */
public boolean abort() throws LoginException {
    switch (status) {
    case AUTHENTICATED:
    case LOGGED_IN:
        // Credentials were obtained (and possibly committed); release them
        // so a private key never outlives a failed overall login.
        logoutInternal();
        return true;
    case UNINITIALIZED:
    case INITIALIZED:
    default:
        // Nothing was obtained, so there is nothing to clean up.
        return false;
    }
}
/**
 * Logs the user out.
 *
 * <p> Removes the Principal, the public credential and the private
 * credential that {@code commit} added to the Subject. If the loaded
 * KeyStore's provider extends {@code java.security.AuthProvider}, the
 * provider's {@code logout} method is invoked as well.
 *
 * @exception LoginException if the module was never initialized, or if the
 *            logout fails
 *
 * @return true if the module was {@code LOGGED_IN} and has been logged out;
 *         false if there was nothing committed to undo
 */
public boolean logout() throws LoginException {
    if (debug) {
        debugPrint("Entering logout " + status);
    }

    switch (status) {
    case LOGGED_IN:
        logoutInternal();
        return true;
    case UNINITIALIZED:
        throw new LoginException
            ("The login module is not initialized");
    default:
        // INITIALIZED: nothing was committed. AUTHENTICATED should not be
        // reachable here, since commit() always moves on from it.
        return false;
    }
}
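/**
 * Tears down everything this module put in place: logs out of the
 * KeyStore's provider when it is an {@code AuthProvider}, removes the
 * principal and the public/private credentials added to the Subject, and
 * resets the status to {@code INITIALIZED}.
 *
 * <p> For a read-only Subject nothing can be removed, so the private
 * credential is destroyed in place instead and a {@code LoginException}
 * reports that the principal and certificate path could not be removed.
 * A provider logout failure is never lost: it is either rethrown at the end
 * (writable Subject) or attached as a suppressed exception to the
 * {@code LoginException} thrown for the read-only case.
 *
 * @exception LoginException if the provider logout fails, if the private
 *            credential cannot be destroyed, or if the Subject is read-only
 */
private void logoutInternal() throws LoginException {
    if (debug) {
        debugPrint("Entering logoutInternal");
    }

    // KeyStore.load is assumed to have logged in to the AuthProvider;
    // log out explicitly. A failure is remembered, not thrown, so that
    // the Subject cleanup below still runs.
    LoginException logoutException = null;
    Provider provider = keyStore.getProvider();
    if (provider instanceof AuthProvider) {
        AuthProvider ap = (AuthProvider)provider;
        try {
            ap.logout();
            if (debug) {
                debugPrint("logged out of KeyStore AuthProvider");
            }
        } catch (LoginException le) {
            logoutException = le;
        }
    }

    if (subject.isReadOnly()) {
        // Nothing can be removed from a read-only Subject, but the private
        // credential can still be destroyed so the key material does not
        // outlive the login.
        principal = null;
        certP = null;
        status = INITIALIZED;
        Iterator<Object> it = subject.getPrivateCredentials().iterator();
        while (it.hasNext()) {
            Object obj = it.next();
            // Null guard: the writable path below already treats a missing
            // private credential as legal, so do the same here.
            if (privateCredential != null && privateCredential.equals(obj)) {
                privateCredential = null;
                try {
                    ((Destroyable)obj).destroy();
                    if (debug)
                        debugPrint("Destroyed private credential, " +
                                   obj.getClass().getName());
                    break;
                } catch (DestroyFailedException dfe) {
                    LoginException le = new LoginException
                        ("Unable to destroy private credential, "
                         + obj.getClass().getName());
                    le.initCause(dfe);
                    if (logoutException != null) {
                        // Keep the earlier provider failure visible too.
                        le.addSuppressed(logoutException);
                    }
                    throw le;
                }
            }
        }

        // Report that the principal and public credential could not be
        // removed from the read-only Subject; carry along any provider
        // logout failure rather than dropping it.
        LoginException le = new LoginException
            ("Unable to remove Principal ("
             + "X500Principal "
             + ") and public credential (certificatepath) "
             + "from read-only Subject");
        if (logoutException != null) {
            le.addSuppressed(logoutException);
        }
        throw le;
    }

    if (principal != null) {
        subject.getPrincipals().remove(principal);
        principal = null;
    }
    if (certP != null) {
        subject.getPublicCredentials().remove(certP);
        certP = null;
    }
    if (privateCredential != null) {
        // NOTE(review): the credential is only removed here, not destroyed
        // as in the read-only path, so the key stays live in any other
        // reference to it. Left as is, since callers may still hold it.
        subject.getPrivateCredentials().remove(privateCredential);
        privateCredential = null;
    }

    // A pending provider logout failure is reported only now, after the
    // Subject has been cleaned; the status is deliberately left unchanged
    // in that case so a later logout() can retry.
    if (logoutException != null) {
        throw logoutException;
    }
    status = INITIALIZED;
}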
/**
 * Writes one debug line to {@code System.err}, prefixed with the module
 * name; a null message produces an empty line.
 *
 * <p> The call sites in this class pass the status, principal, certificate
 * and alias only; callers must never pass key material, as the output is
 * plain stderr. (Switching to a logging API remains a TODO.)
 *
 * @param message the text to print, or null for a blank separator line
 */
private void debugPrint(String message) {
    String line = (message == null)
        ? ""
        : "Debug KeyStoreLoginModule: " + message;
    System.err.println(line);
}
} |