Merge pull request #17 from yahoo/privatekeystore

Move PrivateKeyStore interface to auth_core to be common for both servers

docs/setup_zms.md

@@ -5,7 +5,7 @@
     * [JDK 8](#jdk-8)
 * [Getting Software](#getting-software)
 * [Configuration](#configuration)
-    * [Private/Public Key Pair](#privatepublic-key-pair)
+    * [Private Key](#private-key)
     * [Self Signed X509 Certificate](#self-signed-x509-certificate)
     * [User Authentication](#user-authentication)
     * [System Administrators](#system-administrators)
@@ -48,17 +48,16 @@ $ cd athenz-zms-X.Y
 To run ZMS Server, the system administrator must generate the keys
 and make necessary changes to the configuration settings.
 
-### Private/Public Key Pair
+### Private Key
 ---------------------------
 
-Generate a unique private/public key pair that ZMS Server will use
+Generate a unique private key that ZMS Server will use
 to sign any NTokens it issues. From the `athenz-zms-X.Y` directory
 execute the following commands:
 
 ```shell
 $ cd var/zms_server/keys
 $ openssl genrsa -out zms_private.pem 2048
-$ openssl rsa -in zms_private.pem -pubout > zms_public.pem
 ```
 
 ### Self Signed X509 Certificate

servers/zms/src/main/java/com/yahoo/athenz/zms/pkey/PrivateKeyStore.java → libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/PrivateKeyStore.java

@@ -13,29 +13,21 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package com.yahoo.athenz.zms.pkey;
+package com.yahoo.athenz.auth;
 
 import java.security.PrivateKey;
 
 public interface PrivateKeyStore {
 
     /**
-     * Retrieve private key for this ZMS Server instance to sign its tokens
+     * Retrieve private key for this Athenz Server instance to sign its tokens
      * The private key identifier must be updated in the privateKeyId out
-     * StringBuilder field. The Private Key Store Factory has the knowledge
-     * which hostname we're processing this request for.
+     * StringBuilder field.
+     * @param serverHostName hostname of the Athenz Server instance
      * @param privateKeyId - out argument - must be updated to include key id
      * @return private key for this ZMS Server instance.
      */
-    default PrivateKey getPrivateKey(StringBuilder privateKeyId) {
-        return null;
-    }
-
-    /**
-     * Retrieve server's corresponding public key in PEM format.
-     * @return public key in PEM format
-     */
-    default String getPEMPublicKey() {
+    default PrivateKey getPrivateKey(String serverHostName, StringBuilder privateKeyId) {
         return null;
     }
 }

servers/zms/src/main/java/com/yahoo/athenz/zms/pkey/PrivateKeyStoreFactory.java → libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/PrivateKeyStoreFactory.java

@@ -13,14 +13,13 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package com.yahoo.athenz.zms.pkey;
+package com.yahoo.athenz.auth;
 
 public interface PrivateKeyStoreFactory {
 
     /**
      * Create and return a new PrivateKeyStore instance
-     * @param serverHostName hostname of the ZMS Server instance
      * @return PrivateKeyStore instance
      */
-    public PrivateKeyStore create(String serverHostName);
+    public PrivateKeyStore create();
 }

libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/util/Crypto.java

@@ -416,6 +416,10 @@ public static String ybase64DecodeString(String b64) {
         return utf8String(ybase64Decode(b64));
     }
 
+    public static String ybase64EncodeString(String str) {
+        return utf8String(YBase64.encode(utf8Bytes(str)));
+    }
+
     public static X509Certificate loadX509Certificate(File certFile) throws CryptoException  {
         try (FileReader fileReader = new FileReader(certFile)) {
             return loadX509Certificate(fileReader);
@@ -1016,16 +1020,16 @@ public static boolean validatePKCS7Signature(String data, String signature, Publ
         return false;
     }
 
-    public static String x509CertificateToPem(X509Certificate cert) {
+    public static String convertToPEMFormat(Object obj) {
         StringWriter writer = new StringWriter();
         try {
             try (JcaPEMWriter pemWriter = new JcaPEMWriter(writer)) {
-                pemWriter.writeObject(cert);
+                pemWriter.writeObject(obj);
                 pemWriter.flush();
                 pemWriter.close();
             }
         } catch (IOException ex) {
-            LOG.error("x509CertificateToPem: unable to convert X509 cert to PEM: " + ex.getMessage());
+            LOG.error("convertToPEMFormat: unable to convert object to PEM: " + ex.getMessage());
             return null;
         }
 

servers/zms/src/test/java/com/yahoo/athenz/zms/pkey/PrivateKeyStoreTest.java → libs/java/auth_core/src/test/java/com/yahoo/athenz/auth/impl/PrivateKeyStoreTest.java

@@ -13,14 +13,16 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package com.yahoo.athenz.zms.pkey;
+package com.yahoo.athenz.auth.impl;
 
 import static org.testng.Assert.*;
 
 import java.security.PrivateKey;
 
 import org.testng.annotations.Test;
 
+import com.yahoo.athenz.auth.PrivateKeyStore;
+
 public class PrivateKeyStoreTest {
 
     public class PrivateKeyStoreInstance implements PrivateKeyStore {
@@ -29,14 +31,8 @@ public class PrivateKeyStoreInstance implements PrivateKeyStore {
         public void testGetPrivateKeyMulti() {
             PrivateKeyStoreInstance keystore = new PrivateKeyStoreInstance();
             StringBuilder sb = new StringBuilder();
-            PrivateKey key = keystore.getPrivateKey(sb);
+            PrivateKey key = keystore.getPrivateKey("hostname", sb);
             assertNull(key);
         }
-
-        @Test
-        public void testGetPEMPublicKey() {
-            PrivateKeyStoreInstance keystore = new PrivateKeyStoreInstance();
-            assertNull(keystore.getPEMPublicKey());
-        }
     }
 }

libs/java/auth_core/src/test/java/com/yahoo/athenz/auth/util/CryptoTest.java

@@ -417,7 +417,7 @@ public void testGenerateX509CertificateAltNames() throws IOException {
         System.out.println("****** Generated Certificate With Alternative Names *********");
         System.out.println(cert.toString());
         System.out.println("PEM format:");
-        System.out.println(Crypto.x509CertificateToPem(cert));
+        System.out.println(Crypto.convertToPEMFormat(cert));
     }
 
     @Test
@@ -457,7 +457,7 @@ public void testGenerateX509CertificateInvalid() throws IOException {
     @Test
     public void testX509CertificateToPem() {
         X509Certificate cert = Crypto.loadX509Certificate(ecPublicX509Cert);
-        String pem = Crypto.x509CertificateToPem(cert);
+        String pem = Crypto.convertToPEMFormat(cert);
         assertNotNull(pem);
         assertTrue(pem.contains("BEGIN CERTIFICATE"), pem);
         assertTrue(pem.contains("END CERTIFICATE"), pem);

servers/zms/src/main/java/com/yahoo/athenz/zms/ZMS.java

@@ -21,12 +21,12 @@
 import org.eclipse.jetty.server.HttpConfiguration;
 
 import com.yahoo.athenz.auth.Authority;
+import com.yahoo.athenz.auth.PrivateKeyStoreFactory;
 import com.yahoo.athenz.common.metrics.MetricFactory;
 import com.yahoo.athenz.common.server.log.AuditLogFactory;
 import com.yahoo.athenz.common.server.log.AuditLogMsgBuilder;
 import com.yahoo.athenz.common.server.log.AuditLogger;
 import com.yahoo.athenz.common.server.rest.Http.AuthorityList;
-import com.yahoo.athenz.zms.pkey.PrivateKeyStoreFactory;
 
 import java.net.InetAddress;
 

servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSImpl.java

@@ -129,7 +129,6 @@ public class ZMSImpl implements Authorizer, KeyStore, ZMSHandler {
     protected DBService dbService = null;
     protected Class<? extends ProviderClient> providerClass = null;
     protected Schema schema = null;
-    protected String publicKey = null;
     protected PrivateKey privateKey = null;
     protected String privateKeyId = "0";
     protected int userTokenTimeout = 3600;
@@ -354,13 +353,12 @@ void convertToLowerCase(Object obj) {
     static String auditLoggerMsgBldrClass = null;
 
     public ZMSImpl(String serverHostName, ObjectStore dbStore, Metric metric,
-            PrivateKey privateKey, String privateKeyId, String publicKey,
-            AuditLogger auditLog, String auditLogMsgBldrClass) {
+            PrivateKey privateKey, String privateKeyId, AuditLogger auditLog,
+            String auditLogMsgBldrClass) {
 
         auditLogger = auditLog;
         auditLoggerMsgBldrClass = auditLogMsgBldrClass;
 
-        this.publicKey = publicKey;
         this.privateKey = privateKey;
         this.privateKeyId = privateKeyId;
         this.schema = ZMSSchema.instance();
@@ -465,8 +463,9 @@ void loadServerPublicKeys() {
         // this should never happen but just in case we'll just
         // use the public key we retrieved ourselves to the map
 
-        if (serverPublicKeyMap.isEmpty()) {
-            serverPublicKeyMap.put(privateKeyId, publicKey);
+        if (serverPublicKeyMap.isEmpty() && privateKey != null) {
+            final String publicKey = Crypto.convertToPEMFormat(Crypto.extractPublicKey(privateKey));
+            serverPublicKeyMap.put(privateKeyId, Crypto.ybase64EncodeString(publicKey));
         }
     }
 
@@ -559,9 +558,10 @@ void initObjectStore() {
         createSubDomain(null, "sys", "auth", "The AuthNG domain", null, null, adminUsers,
                 null, 0, null, null, caller);
 
-        if (publicKey != null) {
+        if (privateKey != null) {
             List<PublicKeyEntry> pubKeys = new ArrayList<>();
-            pubKeys.add(new PublicKeyEntry().setId(privateKeyId).setKey(publicKey));
+            final String publicKey = Crypto.convertToPEMFormat(Crypto.extractPublicKey(privateKey));
+            pubKeys.add(new PublicKeyEntry().setId(privateKeyId).setKey(Crypto.ybase64EncodeString(publicKey)));
             ServiceIdentity id = new ServiceIdentity().setName("sys.auth.zms").setPublicKeys(pubKeys);
             dbService.executePutServiceIdentity(null, SYS_AUTH, ZMS_SERVICE, id, null, caller);
         } else {

servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSServerImpl.java

@@ -18,14 +18,14 @@
 import com.yahoo.athenz.auth.Authority;
 import com.yahoo.athenz.auth.AuthorityKeyStore;
 import com.yahoo.athenz.auth.Authorizer;
+import com.yahoo.athenz.auth.PrivateKeyStore;
+import com.yahoo.athenz.auth.PrivateKeyStoreFactory;
 import com.yahoo.athenz.common.metrics.Metric;
 import com.yahoo.athenz.common.metrics.MetricFactory;
 import com.yahoo.athenz.common.server.db.DataSourceFactory;
 import com.yahoo.athenz.common.server.db.PoolableDataSource;
 import com.yahoo.athenz.common.server.log.AuditLogger;
 import com.yahoo.athenz.common.server.rest.Http.AuthorityList;
-import com.yahoo.athenz.zms.pkey.PrivateKeyStore;
-import com.yahoo.athenz.zms.pkey.PrivateKeyStoreFactory;
 import com.yahoo.athenz.zms.store.ObjectStore;
 import com.yahoo.athenz.zms.store.file.FileObjectStore;
 import com.yahoo.athenz.zms.store.jdbc.JDBCObjectStore;
@@ -50,9 +50,8 @@ public ZMSServerImpl(String serverHostName, PrivateKeyStoreFactory pkeyStoreFact
         // extract the private key and public keys for our service
 
         StringBuilder privKeyId = new StringBuilder(256);
-        PrivateKeyStore keyStore = pkeyStoreFactory.create(serverHostName);
-        PrivateKey pkey = keyStore.getPrivateKey(privKeyId);
-        String publicKey = keyStore.getPEMPublicKey();
+        PrivateKeyStore keyStore = pkeyStoreFactory.create();
+        PrivateKey pkey = keyStore.getPrivateKey(serverHostName, privKeyId);
 
         // create our metric and increment our startup count
 
@@ -76,7 +75,7 @@ public ZMSServerImpl(String serverHostName, PrivateKeyStoreFactory pkeyStoreFact
 
         try {
             instance = new ZMSImpl(serverHostName, store, metric, pkey, privKeyId.toString(),
-                    publicKey, auditLogger, auditLoggerMsgBldrClass);
+                    auditLogger, auditLoggerMsgBldrClass);
             instance.putAuthorityList(authList);
         } catch (Exception ex) {
             metric.increment("zms_startup_fail_sum");

servers/zms/src/main/java/com/yahoo/athenz/zms/pkey/file/FilePrivateKeyStore.java

@@ -23,11 +23,11 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import com.yahoo.athenz.auth.PrivateKeyStore;
 import com.yahoo.athenz.auth.util.Crypto;
 import com.yahoo.athenz.zms.ResourceException;
 import com.yahoo.athenz.zms.ZMS;
 import com.yahoo.athenz.zms.ZMSConsts;
-import com.yahoo.athenz.zms.pkey.PrivateKeyStore;
 
 public class FilePrivateKeyStore implements PrivateKeyStore {
 
@@ -37,7 +37,7 @@ public FilePrivateKeyStore() {
     }
 
     @Override
-    public PrivateKey getPrivateKey(StringBuilder privateKeyId) {
+    public PrivateKey getPrivateKey(String serverHostName, StringBuilder privateKeyId) {
 
         String privKeyName = System.getProperty(ZMSConsts.ZMS_PROP_PRIVATE_KEY,
                 ZMS.getRootDir() + "/share/athenz/sys.auth/zms.key");
@@ -67,30 +67,6 @@ public PrivateKey getPrivateKey(StringBuilder privateKeyId) {
         return pkey;
     }
 
-    @Override
-    public String getPEMPublicKey() {
-
-        String pubKeyName = System.getProperty(ZMSConsts.ZMS_PROP_PUBLIC_KEY,
-                ZMSConsts.STR_DEF_ROOT + "/share/athenz/pubkeys/zms.key");
-
-        if (LOG.isDebugEnabled()) {
-            LOG.debug("FilePrivateKeyStore: public key file=" + pubKeyName);
-        }
-
-        // check to see if this is running in dev mode and thus it's
-        // a resource in our jar file
-
-        String pubKey = null;
-        if (pubKeyName.startsWith(ZMSConsts.STR_JAR_RESOURCE)) {
-            pubKey = retrieveKeyFromResource(pubKeyName.substring(ZMSConsts.STR_JAR_RESOURCE.length()));
-        } else {
-            File pubKeyFile = new File(pubKeyName);
-            pubKey = Crypto.encodedFile(pubKeyFile);
-        }
-
-        return pubKey;
-    }
-
     String retrieveKeyFromResource(String resourceName) {
 
         String key = null;

servers/zms/src/main/java/com/yahoo/athenz/zms/pkey/file/FilePrivateKeyStoreFactory.java

@@ -15,13 +15,13 @@
  */
 package com.yahoo.athenz.zms.pkey.file;
 
-import com.yahoo.athenz.zms.pkey.PrivateKeyStore;
-import com.yahoo.athenz.zms.pkey.PrivateKeyStoreFactory;
+import com.yahoo.athenz.auth.PrivateKeyStore;
+import com.yahoo.athenz.auth.PrivateKeyStoreFactory;
 
 public class FilePrivateKeyStoreFactory implements PrivateKeyStoreFactory {
 
     @Override
-    public PrivateKeyStore create(String serverHostName) {
+    public PrivateKeyStore create() {
         return new FilePrivateKeyStore();
     }
 }

servers/zms/src/test/java/com/yahoo/athenz/zms/DBServiceTest.java

@@ -177,7 +177,7 @@ private ZMSImpl zmsInit() {
 
         Metric debugMetric = new com.yahoo.athenz.common.metrics.impl.NoOpMetric();
         ZMSImpl zmsObj = new ZMSImpl("localhost", store, debugMetric, privateKey,
-                privKeyId, pubKey, AuditLogFactory.getLogger(), null);
+                privKeyId, AuditLogFactory.getLogger(), null);
 
         ServiceIdentity service = createServiceObject("sys.auth",
                         "zms", "http://localhost", "/usr/bin/java", "root",
@@ -305,7 +305,7 @@ ZMSImpl getZmsImpl(String storeDir, AuditLogger alogger) {
 
         Metric debugMetric = new com.yahoo.athenz.common.metrics.impl.NoOpMetric();
         ZMSImpl zmsObj = new ZMSImpl("localhost", store, debugMetric, privateKey,
-                privKeyId, pubKey, alogger, null);
+                privKeyId, alogger, null);
         zmsObj.putServiceIdentity(mockDomRsrcCtx, "sys.auth", "zms", auditRef, service);
         zmsObj.setProviderClientClass(ProviderMockClient.class);
         return zmsObj;