[ELY-2496] Update warnings for SecretKey retrieval
jessicarod7 committed May 23, 2023
1 parent 0bd8c07 commit babbb20
Showing 3 changed files with 48 additions and 30 deletions.
57 changes: 35 additions & 22 deletions tool/src/main/java/org/wildfly/security/tool/Command.java
Expand Up @@ -44,10 +44,10 @@

import javax.crypto.SecretKey;

import org.wildfly.security.credential.Credential;
import org.wildfly.security.credential.SecretKeyCredential;
import org.wildfly.security.credential.store.CredentialStore;
import org.wildfly.security.credential.store.CredentialStoreException;
import org.wildfly.security.credential.store.UnsupportedCredentialTypeException;
import org.wildfly.security.credential.store.impl.PropertiesCredentialStore;
import org.wildfly.security.encryption.SecretKeyUtil;
import org.wildfly.security.password.WildFlyElytronPasswordProvider;
Expand Down Expand Up @@ -204,7 +204,7 @@ public void printDuplicatesWarning(CommandLine cmdLine) {
* <code>
* List<String> allowedDuplicates = new ArrayList<String>()
* {{ add(PASSWORD_CREDENTIAL_VALUE_PARAM);
* }};
* }};
* </code>
*/
public void printDuplicatesWarning(CommandLine cmdLine, List<String> duplicatesAllowed) {
Expand Down Expand Up @@ -324,7 +324,7 @@ protected Supplier<Provider[]> getProvidersSupplier(final String providersList)
* @throws Exception when an existing credential store does not contain the secret key
*/
SecretKey getSecretKey(Boolean createCredentialStore, String credentialStoreLocation, String alias, Boolean populate,
String inputRealmLocation) throws Exception {
int descriptorBlockCount) throws Exception {
CredentialStore credentialStore;
String csType = PropertiesCredentialStore.NAME;
try {
Expand All @@ -337,29 +337,42 @@ SecretKey getSecretKey(Boolean createCredentialStore, String credentialStoreLoca
implProps.put("create", String.valueOf(createCredentialStore));
implProps.put("location", credentialStoreLocation);
implProps.put("modifiable", Boolean.TRUE.toString());
credentialStore.initialize(implProps);

try {
credentialStore.retrieve(alias, SecretKeyCredential.class).getSecretKey();
credentialStore.initialize(implProps);
} catch (CredentialStoreException e) {
warningHandler(ElytronToolMessages.msg.skippingDescriptorBlockCredentialStoreNotLoaded(descriptorBlockCount));
}

SecretKeyCredential secretKeyCredential;
try {
secretKeyCredential = credentialStore.retrieve(alias, SecretKeyCredential.class);
} catch (UnsupportedCredentialTypeException e) {
warningHandler(ElytronToolMessages.msg.skippingDescriptorBlockSecretKeyUnsupported(credentialStoreLocation, descriptorBlockCount));
return null;
}

// Acquire SecretKey, and populate credential store if set
SecretKey key;
if (secretKeyCredential != null) {
System.out.println(ElytronToolMessages.msg.existingCredentialStore());
} catch (Exception e) {
if (!createCredentialStore) {
warningHandler(ElytronToolMessages.msg.skippingBlockMissingCredentialStore());
return null;
}
if (populate) {
SecretKey key = SecretKeyUtil.generateSecretKey(256);
Credential keyCredential = new SecretKeyCredential(key);
credentialStore.store(alias, keyCredential);
key = secretKeyCredential.getSecretKey();
} else if (populate) {
try {
SecretKey newKey = SecretKeyUtil.generateSecretKey(256);
SecretKeyCredential newKeyCredential = new SecretKeyCredential(newKey);
credentialStore.store(alias, newKeyCredential);
credentialStore.flush();
} else {
errorHandler(ElytronToolMessages.msg.cmdFileSystemPopulateUnspecified());

key = newKey;
} catch (GeneralSecurityException e) {
warningHandler(ElytronToolMessages.msg.skippingDescriptorBlockUnableToPopulateCredentialStore(
credentialStoreLocation, descriptorBlockCount));
return null;
}
}
SecretKey key;
try {
key = credentialStore.retrieve(alias, SecretKeyCredential.class).getSecretKey();
} catch (NullPointerException e) {
System.out.println(ElytronToolMessages.msg.cmdFileSystemEncryptionNoSecretKey(credentialStoreLocation, inputRealmLocation));

} else {
warningHandler(ElytronToolMessages.msg.cmdFileSystemEncryptionNoSecretKey(credentialStoreLocation, descriptorBlockCount));
return null;
}

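Review bot: The `catch (CredentialStoreException e)` around `credentialStore.initialize(implProps)` warns that the descriptor block is being skipped but then falls through, so `credentialStore.retrieve(alias, SecretKeyCredential.class)` a few lines later runs against a store whose initialization failed; the catch should end with `return null;` like the two sibling catches below it. Whatever retrieve() then throws would presumably land in the enclosing try/catch that opens at `try {` just above this hunk and closes outside it, producing a second, less specific error for the same block. Note also that the found-existing-key path still reports via `System.out.println(ElytronToolMessages.msg.existingCredentialStore())` while every other outcome in this method goes through `warningHandler`, which is worth unifying. getSecretKey's signature is in the earlier hunk and its body continues past the end of this one.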
Expand Up @@ -485,11 +485,8 @@ public interface ElytronToolMessages extends BasicLogger {
@Message(id = NONE, value = "'FileSystemRealmEncrypt' command is used to convert un-encrypted FileSystemSecurityRealm(s) to encrypted FileSystemSecurityRealm(s) with a SecretKey.")
String cmdFileSystemEncryptHelpHeader();

@Message(id = NONE, value = "The populate parameter was set to false and the Secret Key did not exist in the Credential Store.")
MissingOptionException cmdFileSystemPopulateUnspecified();

@Message(id = NONE, value = "Unable to locate Secret Key with Credential Store located at %s. Skipping realm located at %s.")
String cmdFileSystemEncryptionNoSecretKey(String credentialStore, String realmLocation);
@Message(id = NONE, value = "Secret Key was not found in the Credential Store at %s, and populate option was not set. Skipping descriptor file block number %d.")
String cmdFileSystemEncryptionNoSecretKey(String credentialStorePath, Integer blockNumber);

@Message(id = NONE, value = "The character set used to convert the password string to a byte array. Defaults to UTF-8.")
String cmdFileSystemRealmIntegrityHashCharsetDesc();
Expand Down Expand Up @@ -600,8 +597,14 @@ public interface ElytronToolMessages extends BasicLogger {
@Message(id = NONE, value = "Found credential store and alias, using pre-existing key")
String existingCredentialStore();

@Message(id = NONE, value = "Could not find credential store and secret key alias, skipping block")
String skippingBlockMissingCredentialStore();
@Message(id = NONE, value = "Skipping descriptor file block number %d due to failure to load Credential Store.")
String skippingDescriptorBlockCredentialStoreNotLoaded(Integer blockNumber);

@Message(id = NONE, value = "Credential Store at %s does not support SecretKey. Skipping descriptor file block number %d.")
String skippingDescriptorBlockSecretKeyUnsupported(String credentialStorePath, Integer blockNumber);

@Message(id = NONE, value = "Exception was thrown while populating Credential Store at %s. Skipping descriptor file block number %d.")
String skippingDescriptorBlockUnableToPopulateCredentialStore(String credentialStorePath, Integer blockNumber);

@Message(id = NONE, value = "No Credential Store location or Secret Key Alias specified.")
MissingOptionException missingCredentialStoreSecretKey();
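Review bot: The three new `skippingDescriptorBlock*` methods and the reworked `cmdFileSystemEncryptionNoSecretKey` declare the block number as boxed `Integer blockNumber`, while the caller in Command.getSecretKey passes an `int descriptorBlockCount`; a primitive `int` parameter would avoid the autoboxing and rule out a `null` ever being handed to the `%d` placeholder. The removal of `cmdFileSystemPopulateUnspecified()` is fine only if no other command class still references it, which this page does not show.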
Expand Up @@ -689,14 +689,16 @@ private void findMissingRequiredValuesAndSetValues(int count, Descriptor descrip
*/

private void createFileSystemRealm() throws Exception {
int blockCount = 0;
for (Descriptor descriptor : descriptors) {
blockCount++;
System.out.println(ElytronToolMessages.msg.fileSystemRealmEncryptCreatingRealm(descriptor.getInputRealmLocation()));

if (checkDescriptorFields(descriptor)) continue;

// Load secret key
SecretKey key = getSecretKey(descriptor.getCreateCredentialStore(), descriptor.getCredentialStore(),
descriptor.getSecretKeyAlias(), descriptor.getPopulate(), descriptor.getInputRealmLocation());
descriptor.getSecretKeyAlias(), descriptor.getPopulate(), blockCount);
if (key == null) continue;

FileSystemSecurityRealm oldFileSystemRealm = FileSystemSecurityRealm.builder()
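Review bot: `blockCount` is incremented before the `checkDescriptorFields(descriptor)` early `continue`, so it is a 1-based index that presumably matches the block order in the descriptor file even when a block is skipped; that intent is easy to break in a later edit, so a comment would help, e.g. `// 1-based descriptor block number used in warnings; bumped before any continue so skipped blocks keep their position`. The body of createFileSystemRealm continues past the end of this hunk.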
