Changes to allow for the setup of trust relationships with ATSs.

CASA-auth-token/server-java/Svc/src/com/novell/casa/authtoksvc/SecureTokenUtil.java

@@ -65,6 +65,8 @@ public final class SecureTokenUtil
    //
    // The map key has the format: "IssuerDN=certissuername SN=certserialnumber"
    private Map<String,X509Certificate> m_x509ISNCertMap;
+   private Date m_x509ISNCertMapRefreshDate;
+   private int m_x509ISNCertMapRefreshInterval = 360; // seconds
 
    // SecureToken template
    private static final String m_secureTokenTemplate =
@@ -93,6 +95,90 @@ public final class SecureTokenUtil
     */
    public SecureTokenUtil(boolean serverMode) throws Exception
    {
+      // Start by creating the trusted ATS Cert Map
+      m_x509ISNCertMap = createTrustedAtsCertMap();
+      m_x509ISNCertMapRefreshDate = new Date();
+      m_x509ISNCertMapRefreshDate.setTime(m_x509ISNCertMapRefreshDate.getTime() + (m_x509ISNCertMapRefreshInterval * 1000));
+
+      // Obtain the signing key and certificate if we are in server mode
+      if (serverMode)
+      {
+         InputStream inStream = null;
+         try
+         {
+            // Load our crypto properties
+            Properties cryptoProperties = new Properties();
+            ClassLoader classLoader = SecureTokenUtil.class.getClassLoader();
+            inStream = classLoader.getResourceAsStream("casa_crypto.properties");
+            cryptoProperties.load(inStream);
+
+            // Get necessary keystore info from the crypto properties
+            String keystoreType = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.keystore.type", "jks");
+            String keystoreFile = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.keystore.file");
+            String keystorePass = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.keystore.password");
+            if (keystoreType == null
+                || keystoreFile == null
+                || keystorePass == null)
+            {
+               m_log.error("Constructor()- Missing crypto configuration");
+               throw new Exception("SecureTokenUtil()- Missing crypto configuration");
+            }
+
+            // Instantiate and load the keystore
+            KeyStore keyStore = KeyStore.getInstance(keystoreType);
+            FileInputStream fis = new FileInputStream(keystoreFile);
+            keyStore.load(fis, keystorePass.toCharArray());
+
+            // Get signing key and cert if in server mode
+            if (serverMode)
+            {
+               String privateKeyAlias = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.keystore.alias");
+               String privateKeyPass = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.alias.password");
+               String certificateAlias = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.keystore.alias");
+               if (privateKeyAlias == null
+                   || privateKeyPass == null
+                   || certificateAlias == null)
+               {
+                  m_log.error("Constructor()- Missing crypto configuration");
+                  throw new Exception("SecureTokenUtil()- Missing crypto configuration");
+               }
+
+               // Get the key that will be used for signing tokens
+               m_signingKey = (PrivateKey) keyStore.getKey(privateKeyAlias,
+                                                           privateKeyPass.toCharArray());
+               if (m_signingKey == null)
+               {
+                  m_log.error("Constructor()- Signing key not found in keystore");
+                  throw new Exception("SecureTokenUtil()- Signing key not found in keystore");
+               }
+
+               // Get the signing certificate
+               m_signingCert = (X509Certificate) keyStore.getCertificate(certificateAlias);
+               if (m_signingCert == null)
+               {
+                  m_log.error("Constructor()- Signing cert not found in keystore");
+                  throw new Exception("SecureTokenUtil()- Signing cert not found in keystore");
+               }
+            }
+         }
+         finally
+         {
+            // Make sure that the input stream has been closed
+            if (inStream != null)
+               inStream.close();
+         }
+      }
+   }
+
+   /**
+    * Static Create Trusted ATS Certificate Map.
+    * <p/>
+    * @return Trusted ATS Certificate Map
+    * @throws Exception
+    */
+   private static Map<String,X509Certificate> createTrustedAtsCertMap() throws Exception
+   {
+      Map<String,X509Certificate> x509ISNCertMap;
       InputStream inStream = null;
       try
       {
@@ -104,14 +190,14 @@ public final class SecureTokenUtil
 
          // Get necessary keystore info from the crypto properties
          String keystoreType = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.keystore.type", "jks");
-         String keystoreFile = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.file");
-         String keystorePass = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.keystore.password");
+         String keystoreFile = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.trusted_ats_keystore.file");
+         String keystorePass = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.trusted_ats_keystore.password");
          if (keystoreType == null
              || keystoreFile == null
              || keystorePass == null)
          {
-            m_log.error("Constructor()- Missing crypto configuration");
-            throw new Exception("SecureTokenUtil()- Missing crypto configuration");
+            m_log.error("SecureTokenUtil.createTrustedAtsCertMap()- Missing crypto configuration");
+            throw new Exception("SecureTokenUtil.createTrustedAtsCertMap()- Missing crypto configuration");
          }
 
          // Instantiate and load the keystore
@@ -119,40 +205,8 @@ public final class SecureTokenUtil
          FileInputStream fis = new FileInputStream(keystoreFile);
          keyStore.load(fis, keystorePass.toCharArray());
 
-         // Get signing key and cert if in server mode
-         if (serverMode)
-         {
-            String privateKeyAlias = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.keystore.alias");
-            String privateKeyPass = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.alias.password");
-            String certificateAlias = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.keystore.alias");
-            if (privateKeyAlias == null
-                || privateKeyPass == null
-                || certificateAlias == null)
-            {
-               m_log.error("Constructor()- Missing crypto configuration");
-               throw new Exception("SecureTokenUtil()- Missing crypto configuration");
-            }
-
-            // Get the key that will be used for signing tokens
-            m_signingKey = (PrivateKey) keyStore.getKey(privateKeyAlias,
-                                                        privateKeyPass.toCharArray());
-            if (m_signingKey == null)
-            {
-               m_log.error("Constructor()- Signing key not found in keystore");
-               throw new Exception("SecureTokenUtil()- Signing key not found in keystore");
-            }
-
-            // Get the signing certificate
-            m_signingCert = (X509Certificate) keyStore.getCertificate(certificateAlias);
-            if (m_signingCert == null)
-            {
-               m_log.error("Constructor()- Signing cert not found in keystore");
-               throw new Exception("SecureTokenUtil()- Signing cert not found in keystore");
-            }
-         }
-
          // Create the Certificate issuer:sn map
-         m_x509ISNCertMap = new HashMap<String,X509Certificate>();
+         x509ISNCertMap = new HashMap<String,X509Certificate>();
          Enumeration<String> aliases = keyStore.aliases();
          while (aliases.hasMoreElements())
          {
@@ -160,7 +214,7 @@ public final class SecureTokenUtil
             if (cert != null)
             {
                // Add this certificate to our map
-               m_x509ISNCertMap.put("IssuerDN=" + cert.getIssuerDN().getName() + " SN=" + cert.getSerialNumber().toString(), cert);
+               x509ISNCertMap.put("IssuerDN=" + cert.getIssuerDN().getName() + " SN=" + cert.getSerialNumber().toString(), cert);
             }
          }
       }
@@ -170,6 +224,36 @@ public final class SecureTokenUtil
          if (inStream != null)
             inStream.close();
       }
+
+      return x509ISNCertMap;
+   }
+
+   /**
+    * Check Trusted ATS Certificate Map.
+    */
+   private synchronized Map<String,X509Certificate> checkTrustedAtsCertMap()
+   {
+      // Check if we need to refresh the trusted ATS Cert map
+      Date currDate = new Date();
+      if (currDate.compareTo(m_x509ISNCertMapRefreshDate) > 0)
+      {
+         // It is time to update the trusted ATS certificate map
+         try
+         {
+            // Set up the next refresh date
+            m_x509ISNCertMapRefreshDate.setTime(currDate.getTime() + (m_x509ISNCertMapRefreshInterval * 1000));
+
+            // Re-create the trusted ATS certificate map
+            Map<String,X509Certificate> newX509ISNCertMap = createTrustedAtsCertMap();
+            m_x509ISNCertMap = newX509ISNCertMap;
+         }
+         catch (Exception e)
+         {
+            m_log.error("SecureTokenUtil.checkTrustedAtsCertMap()- Exception caught, msg = " + e.getMessage());
+         }
+      }
+
+      return m_x509ISNCertMap;
    }
 
    /**
@@ -181,7 +265,8 @@ public final class SecureTokenUtil
     */
    private X509Certificate getCertWithX509IssuerSerialData(String issuerName, String serialNumber)
    {
-      return m_x509ISNCertMap.get("IssuerDN=" + issuerName + " SN=" + serialNumber);
+      Map<String,X509Certificate> x509ISNCertMap = checkTrustedAtsCertMap();
+      return x509ISNCertMap.get("IssuerDN=" + issuerName + " SN=" + serialNumber);
    }
 
    /**