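/*
 * Copyright 2005-2007 WSO2, Inc. (http://wso2.com)
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.wso2.solutions.identity.admin;

import org.apache.ws.security.util.UUIDGenerator;
import org.wso2.solutions.identity.IdentityProviderConstants;
import org.wso2.solutions.identity.IdentityProviderException;
import org.wso2.utils.ServerConfiguration;

import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Locale;

import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/**
 * Administrative access to the three keystores of the identity provider: the
 * main IdP keystore, the store of relying parties trusted by users, and the
 * store of users' personal certificates. File location, keystore type and
 * password of each store are read from {@link ServerConfiguration} under the
 * keys in {@link IdentityProviderConstants.ServerConfig}.
 * <p>
 * Loaded stores are cached in static fields and every write goes back to the
 * configured file. Nothing in this class is synchronized, so concurrent
 * import/remove calls (even through different instances) can interleave their
 * read-modify-write on the same cached store; callers must serialize them.
 * Files are overwritten in place, so a failure part-way through a write can
 * leave a store file unreadable.
 */
public class KeystoreUtilAdmin {

    /** Cached instance of the main keystore of the identity provider (null until first load). */
    private static KeyStore identityProviderKeystore = null;

    /**
     * Cached store of trusted certificates of the personal Relying Parties of
     * users (null until first load).
     */
    private static KeyStore userRPTruststore = null;

    /**
     * Cached store of certificates of users, used to obtain information cards
     * backed by those certificates (null until first load).
     */
    private static KeyStore userPersonalCertificateStore = null;

    /**
     * Provides the main keystore of the identity provider, loading it on first use.
     *
     * @return the cached {@link KeyStore}
     * @throws IdentityProviderException if the store cannot be loaded
     */
    private KeyStore getKeyStore() throws IdentityProviderException {
        if (identityProviderKeystore != null) {
            return identityProviderKeystore;
        }
        return loadKeystore();
    }

    /**
     * Provides the store of user-trusted relying parties, loading it on first use.
     *
     * @return the cached {@link KeyStore}
     * @throws IdentityProviderException if the store cannot be loaded
     */
    private KeyStore getUserRPTrustStore() throws IdentityProviderException {
        if (userRPTruststore != null) {
            return userRPTruststore;
        }
        return loadUserRPTrustStore();
    }

    /**
     * Provides the store of users' personal certificates, loading it on first use.
     *
     * @return the cached {@link KeyStore}
     * @throws IdentityProviderException if the store cannot be loaded
     */
    private KeyStore getUserPersonalCertStore() throws IdentityProviderException {
        if (userPersonalCertificateStore != null) {
            return userPersonalCertificateStore;
        }
        return loadUserPersonalCertStore();
    }

    /**
     * Reads a keystore from the file named by the given server configuration keys.
     * The input stream is closed on every path, so a failed load no longer leaks
     * the file handle.
     *
     * @param locationKey configuration key holding the store file path
     * @param typeKey configuration key holding the keystore type
     * @param passwordKey configuration key holding the store password
     * @return the freshly loaded store
     * @throws IdentityProviderException ("errorInKeystoreAccess") if the file cannot
     *         be read or decoded with the configured type/password
     */
    private static KeyStore loadFromConfig(String locationKey, String typeKey, String passwordKey)
            throws IdentityProviderException {
        ServerConfiguration serverConfig = ServerConfiguration.getInstance();
        String storeFilePath = serverConfig.getFirstProperty(locationKey);
        String type = serverConfig.getFirstProperty(typeKey);
        String passwd = serverConfig.getFirstProperty(passwordKey);
        try {
            FileInputStream is = new FileInputStream(storeFilePath);
            try {
                KeyStore store = KeyStore.getInstance(type);
                store.load(is, passwd.toCharArray());
                return store;
            } finally {
                is.close();
            }
        } catch (Exception e) {
            throw new IdentityProviderException("errorInKeystoreAccess",
                    new String[] { storeFilePath }, e);
        }
    }

    /**
     * Writes a keystore back to the file named by the given server configuration keys.
     *
     * @param store the (already loaded) store to write
     * @param locationKey configuration key holding the store file path
     * @param passwordKey configuration key holding the store password
     * @throws IdentityProviderException ("errorInKeystoreAccess") if the file cannot be written
     */
    private static void persist(KeyStore store, String locationKey, String passwordKey)
            throws IdentityProviderException {
        ServerConfiguration serverConfig = ServerConfiguration.getInstance();
        String storeFilePath = serverConfig.getFirstProperty(locationKey);
        String passwd = serverConfig.getFirstProperty(passwordKey);
        try {
            FileOutputStream os = new FileOutputStream(storeFilePath);
            try {
                store.store(os, passwd.toCharArray());
                os.flush();
            } finally {
                os.close();
            }
        } catch (Exception e) {
            throw new IdentityProviderException("errorInKeystoreAccess",
                    new String[] { storeFilePath }, e);
        }
    }

    /**
     * Returns the configured file path of a store, for use in error messages.
     *
     * @param locationKey configuration key holding the store file path
     * @return the configured path (may be null if the property is absent)
     */
    private static String storePath(String locationKey) {
        return ServerConfiguration.getInstance().getFirstProperty(locationKey);
    }

    /**
     * (Re)loads the main keystore of the identity provider from the file configured
     * in server.xml and replaces the cached instance. The cache is only updated on
     * success; previously a failed load left an uninitialized KeyStore cached, which
     * made every later call fail with a misleading error.
     *
     * @return the newly loaded store
     * @throws IdentityProviderException if the store cannot be loaded
     */
    private KeyStore loadKeystore() throws IdentityProviderException {
        identityProviderKeystore = loadFromConfig(
                IdentityProviderConstants.ServerConfig.IDP_STORE_LOCATION,
                IdentityProviderConstants.ServerConfig.IDP_STORE_TYPE,
                IdentityProviderConstants.ServerConfig.IDP_STORE_PASSWORD);
        return identityProviderKeystore;
    }

    /**
     * (Re)loads the store of user-trusted relying parties and replaces the cached
     * instance (only on success).
     *
     * @return the newly loaded store
     * @throws IdentityProviderException if the store cannot be loaded
     */
    private KeyStore loadUserRPTrustStore() throws IdentityProviderException {
        userRPTruststore = loadFromConfig(
                IdentityProviderConstants.ServerConfig.USER_TRUSTED_RP_STORE_LOCATION,
                IdentityProviderConstants.ServerConfig.USER_TRUSTED_RP_STORE_TYPE,
                IdentityProviderConstants.ServerConfig.USER_TRUSTED_RP_STORE_PASSWORD);
        return userRPTruststore;
    }

    /**
     * (Re)loads the users' personal certificate store from the file configured in
     * server.xml and replaces the cached instance (only on success).
     *
     * @return the newly loaded store
     * @throws IdentityProviderException if the store cannot be loaded
     */
    private KeyStore loadUserPersonalCertStore() throws IdentityProviderException {
        userPersonalCertificateStore = loadFromConfig(
                IdentityProviderConstants.ServerConfig.USER_PERSONAL_STORE_LOCATION,
                IdentityProviderConstants.ServerConfig.USER_PERSONAL_STORE_TYPE,
                IdentityProviderConstants.ServerConfig.USER_PERSONAL_STORE_PASSWORD);
        return userPersonalCertificateStore;
    }

    /**
     * Tells whether the main keystore already holds an entry under the alias derived
     * from the certificate's subject CN (see {@link #getAlias}).
     *
     * @param cert the certificate whose alias is looked up
     * @return true if an entry with that alias exists
     * @throws IdentityProviderException "certNameInvalid" if the subject has no usable CN,
     *         "errorReadingKeystore" if the store cannot be queried
     */
    public boolean isCertExists(X509Certificate cert) throws IdentityProviderException {
        // Resolve the alias outside the try so "certNameInvalid" is reported as such
        // instead of being re-wrapped as a keystore read error.
        String alias = getAlias(cert);
        try {
            return getKeyStore().containsAlias(alias);
        } catch (KeyStoreException e) {
            throw new IdentityProviderException("errorReadingKeystore", e);
        }
    }

    /**
     * Adds a relying-party certificate to the main keystore under the alias derived
     * from its subject CN, writes the store to disk and reloads the cache.
     *
     * @param cert the relying party's certificate
     * @return the alias the certificate was stored under
     * @throws IdentityProviderException "relyingPartyExists" if that alias is already
     *         present, "certNameInvalid" if the subject has no usable CN,
     *         "errorReadingKeystore"/"errorInKeystoreAccess" on store failures
     */
    public String importCert(X509Certificate cert) throws IdentityProviderException {
        KeyStore store = getKeyStore();
        String alias = getAlias(cert);
        try {
            // The duplicate check deliberately sits outside the catch-all: the
            // "relyingPartyExists" error used to be wrapped into "errorInKeystoreAccess".
            if (store.getCertificate(alias) != null) {
                throw new IdentityProviderException("relyingPartyExists", new String[] { alias });
            }
            store.setCertificateEntry(alias, cert);
        } catch (KeyStoreException e) {
            throw new IdentityProviderException("errorReadingKeystore", e);
        }
        persist(store, IdentityProviderConstants.ServerConfig.IDP_STORE_LOCATION,
                IdentityProviderConstants.ServerConfig.IDP_STORE_PASSWORD);
        // Make sure the cached store reflects what is now on disk.
        loadKeystore();
        return alias;
    }

    /**
     * Adds a certificate to the user-trusted relying party store unless an entry
     * with the same CN-derived alias is already present; in that case the existing
     * entry is left untouched and the store is not rewritten.
     *
     * @param cert the relying party's certificate
     * @return the alias derived from the certificate's subject CN
     * @throws IdentityProviderException "certNameInvalid" if the subject has no usable CN,
     *         "errorReadingKeystore"/"errorInKeystoreAccess" on store failures
     */
    public String importCertToUserTrustStore(X509Certificate cert) throws IdentityProviderException {
        KeyStore store = getUserRPTrustStore();
        String alias = getAlias(cert);
        boolean added = false;
        try {
            if (store.getCertificate(alias) == null) {
                store.setCertificateEntry(alias, cert);
                added = true;
            }
        } catch (KeyStoreException e) {
            throw new IdentityProviderException("errorReadingKeystore", e);
        }
        if (added) {
            persist(store, IdentityProviderConstants.ServerConfig.USER_TRUSTED_RP_STORE_LOCATION,
                    IdentityProviderConstants.ServerConfig.USER_TRUSTED_RP_STORE_PASSWORD);
            // Refresh the cache from disk so it reflects the change.
            loadUserRPTrustStore();
        }
        return alias;
    }

    /**
     * Looks up a certificate in the user-trusted relying party store. The store is
     * re-read from disk on every call.
     *
     * @param alias keystore alias to look up
     * @return the certificate, or null if no entry with that alias exists
     * @throws IdentityProviderException "errorInKeystoreAccess" if the store cannot be
     *         loaded or the entry cannot be read as an X.509 certificate
     */
    public X509Certificate getCertificateFromUserTrustedRP(String alias)
            throws IdentityProviderException {
        KeyStore store = loadUserRPTrustStore();
        try {
            return (X509Certificate) store.getCertificate(alias);
        } catch (Exception e) {
            // Report the configured path, as the other store errors do, instead of a
            // hard-coded (misspelled) store name.
            throw new IdentityProviderException("errorInKeystoreAccess",
                    new String[] { storePath(
                            IdentityProviderConstants.ServerConfig.USER_TRUSTED_RP_STORE_LOCATION) },
                    e);
        }
    }

    /**
     * Removes a trusted-certificate entry from the main keystore, writes the store
     * to disk and reloads the cache. Key entries are never deleted through this
     * path; an unknown alias is a no-op.
     *
     * @param alias keystore alias of the entry to remove
     * @throws IdentityProviderException "errorReadingKeystore"/"errorInKeystoreAccess"
     *         on store failures
     */
    public void deleteRelyingParty(String alias) throws IdentityProviderException {
        KeyStore store = getKeyStore();
        boolean removed = false;
        try {
            // Only trusted-certificate entries may be removed; leave key entries alone.
            if (store.containsAlias(alias) && !store.isKeyEntry(alias)) {
                store.deleteEntry(alias);
                removed = true;
            }
        } catch (KeyStoreException e) {
            throw new IdentityProviderException("errorReadingKeystore", e);
        }
        if (removed) {
            // Persist the deletion; removing from the cached store alone was lost on
            // restart (or silently undone by the next reload).
            persist(store, IdentityProviderConstants.ServerConfig.IDP_STORE_LOCATION,
                    IdentityProviderConstants.ServerConfig.IDP_STORE_PASSWORD);
            loadKeystore();
        }
    }

    /**
     * Removes a trusted-certificate entry from the user-trusted relying party store,
     * writes the store to disk and reloads the cache. Key entries are never deleted;
     * an unknown alias is a no-op.
     *
     * @param alias keystore alias of the entry to remove
     * @throws IdentityProviderException "errorReadingKeystore"/"errorInKeystoreAccess"
     *         on store failures
     */
    public void removeCertEntryFromUserTrustedRP(String alias) throws IdentityProviderException {
        // Work on a fresh copy from disk rather than the cache, as before.
        KeyStore store = loadFromConfig(
                IdentityProviderConstants.ServerConfig.USER_TRUSTED_RP_STORE_LOCATION,
                IdentityProviderConstants.ServerConfig.USER_TRUSTED_RP_STORE_TYPE,
                IdentityProviderConstants.ServerConfig.USER_TRUSTED_RP_STORE_PASSWORD);
        boolean removed = false;
        try {
            if (store.containsAlias(alias) && !store.isKeyEntry(alias)) {
                store.deleteEntry(alias);
                removed = true;
            }
        } catch (KeyStoreException e) {
            throw new IdentityProviderException("errorReadingKeystore", e);
        }
        if (removed) {
            // The deleted entry was never written back before, so the removal had no effect.
            persist(store, IdentityProviderConstants.ServerConfig.USER_TRUSTED_RP_STORE_LOCATION,
                    IdentityProviderConstants.ServerConfig.USER_TRUSTED_RP_STORE_PASSWORD);
            loadUserRPTrustStore();
        }
    }

    /**
     * Derives the keystore alias for a certificate: the subject's CN (expected to be
     * the relying party's host name), lower-cased. The subject is parsed as an
     * RFC 2253 distinguished name, so a CN containing an escaped comma is handled
     * and a type that merely starts with "CN" is not mistaken for it. When the
     * subject has several CNs the most specific (left-most) one is used.
     *
     * @param cert the certificate whose subject is inspected
     * @return the lower-cased CN
     * @throws IdentityProviderException "certNameInvalid" if the subject cannot be
     *         parsed or has no non-empty string CN
     */
    private static String getAlias(X509Certificate cert) throws IdentityProviderException {
        if (cert == null) {
            throw new IllegalArgumentException("cert must not be null");
        }
        String name = cert.getSubjectX500Principal().getName();
        String alias = null;
        try {
            // LdapName indexes RDNs right-to-left, so walk from the end to take the
            // left-most CN, matching the textual order of the DN.
            List<Rdn> rdns = new LdapName(name).getRdns();
            for (int i = rdns.size() - 1; i >= 0; i--) {
                Rdn rdn = rdns.get(i);
                Object value = rdn.getValue();
                if ("CN".equalsIgnoreCase(rdn.getType()) && value instanceof String) {
                    alias = ((String) value).trim().toLowerCase(Locale.ENGLISH);
                    break;
                }
            }
        } catch (InvalidNameException e) {
            throw new IdentityProviderException("certNameInvalid", new String[] { name }, e);
        }
        if (alias == null || alias.length() == 0) {
            throw new IdentityProviderException("certNameInvalid", new String[] { name });
        }
        return alias;
    }

    /**
     * Adds a user's certificate to the personal certificate store under a freshly
     * generated UUID alias, writes the store to disk and reloads the cache. No
     * duplicate check is made: importing the same certificate twice yields two
     * entries with different aliases.
     *
     * @param cert the user's certificate
     * @return the generated alias
     * @throws IdentityProviderException "errorReadingKeystore"/"errorInKeystoreAccess"
     *         on store failures
     */
    public String importCertToUserPersonalCertStore(X509Certificate cert)
            throws IdentityProviderException {
        KeyStore store = getUserPersonalCertStore();
        String alias = UUIDGenerator.getUUID();
        try {
            store.setCertificateEntry(alias, cert);
        } catch (KeyStoreException e) {
            throw new IdentityProviderException("errorReadingKeystore", e);
        }
        persist(store, IdentityProviderConstants.ServerConfig.USER_PERSONAL_STORE_LOCATION,
                IdentityProviderConstants.ServerConfig.USER_PERSONAL_STORE_PASSWORD);
        // Refresh the cache from disk so it reflects the change.
        loadUserPersonalCertStore();
        return alias;
    }
}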