Merge "Throw exception if decryption/encryption fails"

aaa-cert/src/main/java/org/opendaylight/aaa/cert/impl/KeyStoresDataUtils.java

@@ -7,6 +7,9 @@
  */
 package org.opendaylight.aaa.cert.impl;
 
+import java.nio.charset.Charset;
+import java.security.GeneralSecurityException;
+import java.util.Base64;
 import java.util.List;
 import org.opendaylight.aaa.encrypt.AAAEncryptionService;
 import org.opendaylight.mdsal.binding.api.DataBroker;
@@ -29,7 +32,6 @@
  * KeyStoresDataUtils manage the SslData operations add, delete and update.
  *
  * @author mserngawy
- *
  */
 public class KeyStoresDataUtils {
 
@@ -62,9 +64,15 @@ public static OdlKeystore updateOdlKeystore(final OdlKeystore baseOdlKeyStore, f
     public SslData addSslData(final DataBroker dataBroker, final String bundleName, final OdlKeystore odlKeystore,
             final TrustKeystore trustKeystore, final List<CipherSuites> cipherSuites, final String tlsProtocols) {
         final SslDataKey sslDataKey = new SslDataKey(bundleName);
-        final SslData sslData = new SslDataBuilder().withKey(sslDataKey).setOdlKeystore(encryptOdlKeyStore(odlKeystore))
-                .setTrustKeystore(encryptTrustKeystore(trustKeystore)).setCipherSuites(cipherSuites)
-                .setTlsProtocols(tlsProtocols).build();
+        final SslData sslData;
+        try {
+            sslData = new SslDataBuilder().withKey(sslDataKey).setOdlKeystore(encryptOdlKeyStore(odlKeystore))
+                    .setTrustKeystore(encryptTrustKeystore(trustKeystore)).setCipherSuites(cipherSuites)
+                    .setTlsProtocols(tlsProtocols).build();
+        } catch (GeneralSecurityException e) {
+            LOG.error("Encryption of TrustKeystore for SslData failed.", e);
+            return null;
+        }
 
         if (MdsalUtils.put(dataBroker, LogicalDatastoreType.CONFIGURATION, getSslDataIid(bundleName), sslData)) {
             return new SslDataBuilder().withKey(sslDataKey).setOdlKeystore(odlKeystore).setTrustKeystore(trustKeystore)
@@ -99,13 +107,13 @@ public OdlKeystore createOdlKeystore(final String name, final String alias, fina
         LOG.debug("Odl keystore string {} ", keyStoreBytes);
 
         return new OdlKeystoreBuilder().setKeystoreFile(keyStoreBytes)
-                .setAlias(alias).setDname(dname).setKeyAlg(keyAlg)
-                .setKeysize(keySize)
-                .setName(name)
-                .setSignAlg(sigAlg)
-                .setStorePassword(password)
-                .setValidity(validity)
-                .build();
+            .setAlias(alias).setDname(dname).setKeyAlg(keyAlg)
+            .setKeysize(keySize)
+            .setName(name)
+            .setSignAlg(sigAlg)
+            .setStorePassword(password)
+            .setValidity(validity)
+            .build();
     }
 
     public TrustKeystore createTrustKeystore(final String name, final String password, final byte[] keyStoreBytes) {
@@ -118,66 +126,76 @@ public TrustKeystore createTrustKeystore(final String name, final String passwor
                 password);
         LOG.debug("trust keystore string {} ", keyStoreBytes);
         return new TrustKeystoreBuilder()
-                .setKeystoreFile(keyStoreBytes)
-                .setName(name)
-                .setStorePassword(password)
-                .build();
+            .setKeystoreFile(keyStoreBytes)
+            .setName(name)
+            .setStorePassword(password)
+            .build();
     }
 
-    private OdlKeystore decryptOdlKeyStore(final OdlKeystore odlKeystore) {
-        if (odlKeystore == null) {
-            return null;
-        }
-        final OdlKeystoreBuilder odlKeystoreBuilder = new OdlKeystoreBuilder(odlKeystore);
-        odlKeystoreBuilder.setKeystoreFile(encryService.decrypt(odlKeystore.getKeystoreFile()));
-        odlKeystoreBuilder.setStorePassword(encryService.decrypt(odlKeystore.getStorePassword()));
-        return odlKeystoreBuilder.build();
+    private OdlKeystore decryptOdlKeyStore(final OdlKeystore odlKeystore) throws GeneralSecurityException {
+        return odlKeystore == null ? null : new OdlKeystoreBuilder(odlKeystore)
+            .setKeystoreFile(decryptNullable(odlKeystore.getKeystoreFile()))
+            .setStorePassword(decryptStringFromBase64(odlKeystore.getStorePassword()))
+            .build();
     }
 
-    private SslData decryptSslData(final SslData sslData) {
-        if (sslData == null) {
-            return null;
-        }
-        final SslDataBuilder sslDataBuilder = new SslDataBuilder(sslData)
-                .setOdlKeystore(decryptOdlKeyStore(sslData.getOdlKeystore()))
-                .setTrustKeystore(decryptTrustKeystore(sslData.getTrustKeystore()));
-        return sslDataBuilder.build();
+    private SslData decryptSslData(final SslData sslData) throws GeneralSecurityException {
+        return sslData == null ? null : new SslDataBuilder(sslData)
+            .setOdlKeystore(decryptOdlKeyStore(sslData.getOdlKeystore()))
+            .setTrustKeystore(decryptTrustKeystore(sslData.getTrustKeystore()))
+            .build();
     }
 
-    private TrustKeystore decryptTrustKeystore(final TrustKeystore trustKeyStore) {
-        if (trustKeyStore == null) {
-            return null;
-        }
-        final TrustKeystoreBuilder trustKeyStoreBuilder = new TrustKeystoreBuilder(trustKeyStore);
-        trustKeyStoreBuilder.setKeystoreFile(encryService.decrypt(trustKeyStore.getKeystoreFile()));
-        trustKeyStoreBuilder.setStorePassword(encryService.decrypt(trustKeyStore.getStorePassword()));
-        return trustKeyStoreBuilder.build();
+    private TrustKeystore decryptTrustKeystore(final TrustKeystore trustKeyStore) throws GeneralSecurityException {
+        return trustKeyStore == null ? null : new TrustKeystoreBuilder(trustKeyStore)
+            .setKeystoreFile(decryptNullable(trustKeyStore.getKeystoreFile()))
+            .setStorePassword(decryptStringFromBase64(trustKeyStore.getStorePassword()))
+            .build();
+    }
+
+    private byte[] decryptNullable(final byte[] bytes) throws GeneralSecurityException {
+        return bytes == null ? null : encryService.decrypt(bytes);
+    }
+
+    private String decryptStringFromBase64(final String base64) throws GeneralSecurityException {
+        return base64 == null ? null
+            : new String(encryService.decrypt(Base64.getDecoder().decode(base64)), Charset.defaultCharset());
     }
 
-    private OdlKeystore encryptOdlKeyStore(final OdlKeystore odlKeystore) {
-        final OdlKeystoreBuilder odlKeystoreBuilder = new OdlKeystoreBuilder(odlKeystore);
-        odlKeystoreBuilder.setKeystoreFile(encryService.encrypt(odlKeystore.getKeystoreFile()));
-        odlKeystoreBuilder.setStorePassword(encryService.encrypt(odlKeystore.getStorePassword()));
-        return odlKeystoreBuilder.build();
+    private String encryptStringToBase64(final String str) throws GeneralSecurityException {
+        return str == null ? null
+            : Base64.getEncoder().encodeToString(encryService.encrypt(str.getBytes(Charset.defaultCharset())));
     }
 
-    private SslData encryptSslData(final SslData sslData) {
-        final SslDataBuilder sslDataBuilder = new SslDataBuilder(sslData)
-                .setOdlKeystore(encryptOdlKeyStore(sslData.getOdlKeystore()))
-                .setTrustKeystore(encryptTrustKeystore(sslData.getTrustKeystore()));
-        return sslDataBuilder.build();
+    private OdlKeystore encryptOdlKeyStore(final OdlKeystore odlKeystore) throws GeneralSecurityException {
+        return new OdlKeystoreBuilder(odlKeystore)
+            .setKeystoreFile(encryService.encrypt(odlKeystore.getKeystoreFile()))
+            .setStorePassword(encryptStringToBase64(odlKeystore.getStorePassword()))
+            .build();
     }
 
-    private TrustKeystore encryptTrustKeystore(final TrustKeystore trustKeyStore) {
-        final TrustKeystoreBuilder trustKeyStoreBuilder = new TrustKeystoreBuilder(trustKeyStore);
-        trustKeyStoreBuilder.setKeystoreFile(encryService.encrypt(trustKeyStore.getKeystoreFile()));
-        trustKeyStoreBuilder.setStorePassword(encryService.encrypt(trustKeyStore.getStorePassword()));
-        return trustKeyStoreBuilder.build();
+    private SslData encryptSslData(final SslData sslData) throws GeneralSecurityException {
+        return new SslDataBuilder(sslData)
+            .setOdlKeystore(encryptOdlKeyStore(sslData.getOdlKeystore()))
+            .setTrustKeystore(encryptTrustKeystore(sslData.getTrustKeystore()))
+            .build();
+    }
+
+    private TrustKeystore encryptTrustKeystore(final TrustKeystore trustKeyStore) throws GeneralSecurityException {
+        return new TrustKeystoreBuilder(trustKeyStore)
+            .setKeystoreFile(encryService.encrypt(trustKeyStore.getKeystoreFile()))
+            .setStorePassword(encryptStringToBase64(trustKeyStore.getStorePassword()))
+            .build();
     }
 
     public SslData getSslData(final DataBroker dataBroker, final String bundleName) {
         final InstanceIdentifier<SslData> sslDataIid = getSslDataIid(bundleName);
-        return decryptSslData(MdsalUtils.read(dataBroker, LogicalDatastoreType.CONFIGURATION, sslDataIid));
+        try {
+            return decryptSslData(MdsalUtils.read(dataBroker, LogicalDatastoreType.CONFIGURATION, sslDataIid));
+        } catch (GeneralSecurityException e) {
+            LOG.error("Decryption of KeyStore for SslData failed.", e);
+            return null;
+        }
     }
 
     public boolean removeSslData(final DataBroker dataBroker, final String bundleName) {
@@ -187,25 +205,29 @@ public boolean removeSslData(final DataBroker dataBroker, final String bundleNam
 
     public boolean updateSslData(final DataBroker dataBroker, final SslData sslData) {
         final InstanceIdentifier<SslData> sslDataIid = getSslDataIid(sslData.getBundleName());
-        return MdsalUtils.merge(dataBroker, LogicalDatastoreType.CONFIGURATION, sslDataIid, encryptSslData(sslData));
+        final SslData encryptedSslData;
+        try {
+            encryptedSslData = encryptSslData(sslData);
+        } catch (GeneralSecurityException e) {
+            LOG.error("Encryption of KeyStore for SslData failed.", e);
+            return false;
+        }
+        return MdsalUtils.merge(dataBroker, LogicalDatastoreType.CONFIGURATION, sslDataIid, encryptedSslData);
     }
 
     public boolean updateSslDataCipherSuites(final DataBroker dataBroker, final SslData baseSslData,
             final List<CipherSuites> cipherSuites) {
-        final SslDataBuilder sslDataBuilder = new SslDataBuilder(baseSslData).setCipherSuites(cipherSuites);
-        return updateSslData(dataBroker, sslDataBuilder.build());
+        return updateSslData(dataBroker, new SslDataBuilder(baseSslData).setCipherSuites(cipherSuites).build());
     }
 
     public boolean updateSslDataOdlKeystore(final DataBroker dataBroker, final SslData baseSslData,
             final OdlKeystore odlKeyStore) {
-        final SslDataBuilder sslDataBuilder = new SslDataBuilder(baseSslData).setOdlKeystore(odlKeyStore);
-        return updateSslData(dataBroker, sslDataBuilder.build());
+        return updateSslData(dataBroker, new SslDataBuilder(baseSslData).setOdlKeystore(odlKeyStore).build());
     }
 
     public boolean updateSslDataTrustKeystore(final DataBroker dataBroker, final SslData baseSslData,
             final TrustKeystore trustKeyStore) {
-        final SslDataBuilder sslDataBuilder = new SslDataBuilder(baseSslData).setTrustKeystore(trustKeyStore);
-        return updateSslData(dataBroker, sslDataBuilder.build());
+        return updateSslData(dataBroker, new SslDataBuilder(baseSslData).setTrustKeystore(trustKeyStore).build());
     }
 
     public TrustKeystore updateTrustKeystore(final TrustKeystore baseTrustKeyStore, final byte[] keyStoreBytes) {

aaa-cert/src/test/java/org/opendaylight/aaa/cert/impl/AaaCertMdsalProviderTest.java

@@ -9,22 +9,20 @@
 
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertTrue;
-import static org.mockito.ArgumentMatchers.isA;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 import static org.opendaylight.aaa.cert.impl.TestUtils.mockDataBroker;
 
 import java.io.File;
+import java.nio.charset.Charset;
 import java.security.KeyStore;
 import java.security.Security;
-import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.junit.BeforeClass;
 import org.junit.Test;
 import org.opendaylight.aaa.encrypt.AAAEncryptionService;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.yang.aaa.cert.mdsal.rev160321.cipher.suite.CipherSuites;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.yang.aaa.cert.mdsal.rev160321.cipher.suite.CipherSuitesBuilder;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.yang.aaa.cert.mdsal.rev160321.key.stores.SslData;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.yang.aaa.cert.mdsal.rev160321.key.stores.SslDataBuilder;
@@ -68,11 +66,9 @@ public static void setUpBeforeClass() throws Exception {
         final TrustKeystore unsignedTrustKeyStore = keyStoresDataUtils.createTrustKeystore(TRUST_NAME, PASSWORD,
                 odlKeyTool);
 
-        final CipherSuites cipherSuite = new CipherSuitesBuilder().setSuiteName(CIPHER_SUITE_NAME).build();
-
-        final List<CipherSuites> cipherSuites = new ArrayList<>(Arrays.asList(cipherSuite));
-
-        signedSslData = new SslDataBuilder().setCipherSuites(cipherSuites).setOdlKeystore(signedOdlKeystore)
+        signedSslData = new SslDataBuilder()
+            .setCipherSuites(List.of(new CipherSuitesBuilder().setSuiteName(CIPHER_SUITE_NAME).build()))
+            .setOdlKeystore(signedOdlKeystore)
                 .setTrustKeystore(signedTrustKeyStore).setTlsProtocols(PROTOCOL).setBundleName(BUNDLE_NAME).build();
 
         final OdlKeystore unsignedOdlKeystore = new OdlKeystoreBuilder().setAlias(ALIAS).setDname(D_NAME)
@@ -84,11 +80,14 @@ public static void setUpBeforeClass() throws Exception {
         unsignedSslData = new SslDataBuilder().setOdlKeystore(unsignedOdlKeystore)
                 .setTrustKeystore(unsignedTrustKeyStore).setBundleName(BUNDLE_NAME).build();
 
+        when(aaaEncryptionServiceInit.encrypt(PASSWORD.getBytes()))
+            .thenReturn(PASSWORD.getBytes(Charset.defaultCharset()));
         when(aaaEncryptionServiceInit.decrypt(unsignedTrustKeyStore.getKeystoreFile()))
                 .thenReturn(unsignedTrustKeyStore.getKeystoreFile());
         when(aaaEncryptionServiceInit.decrypt(signedOdlKeystore.getKeystoreFile()))
                 .thenReturn(signedOdlKeystore.getKeystoreFile());
-        when(aaaEncryptionServiceInit.decrypt(isA(String.class))).thenReturn(PASSWORD);
+        when(aaaEncryptionServiceInit.decrypt(new byte[] { -91, -85, 44, 90, -118, -35 }))
+            .thenReturn(PASSWORD.getBytes(Charset.defaultCharset()));
         aaaEncryptionService = aaaEncryptionServiceInit;
 
         // Create class

aaa-cert/src/test/java/org/opendaylight/aaa/cert/impl/AaaCertRpcServiceImplTest.java

@@ -9,14 +9,15 @@
 
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
-import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 import static org.opendaylight.aaa.cert.impl.TestUtils.mockDataBroker;
 
 import com.google.common.util.concurrent.Futures;
 import java.io.File;
+import java.nio.charset.Charset;
 import java.security.Security;
+import java.util.Base64;
 import java.util.List;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.junit.BeforeClass;
@@ -99,7 +100,10 @@ public static void setUpBeforeClass() throws Exception {
                 .thenReturn(unsignedTrustKeyStore.getKeystoreFile());
         when(aaaEncryptionServiceInit.decrypt(signedOdlKeystore.getKeystoreFile()))
                 .thenReturn(signedOdlKeystore.getKeystoreFile());
-        when(aaaEncryptionServiceInit.decrypt(any(String.class))).thenReturn(PASSWORD);
+        when(aaaEncryptionServiceInit.decrypt(Base64.getDecoder().decode(PASSWORD)))
+            .thenReturn(PASSWORD.getBytes(Charset.defaultCharset()));
+        when(aaaEncryptionServiceInit.encrypt(PASSWORD.getBytes(Charset.defaultCharset())))
+            .thenReturn(PASSWORD.getBytes(Charset.defaultCharset()));
         aaaEncryptionService = aaaEncryptionServiceInit;
 
         // Create class

aaa-cert/src/test/java/org/opendaylight/aaa/cert/impl/KeyStoresDataUtilsTest.java

@@ -10,11 +10,10 @@
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertTrue;
 import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.ArgumentMatchers.isA;
 import static org.mockito.Mockito.doReturn;
-import static org.mockito.Mockito.mock;
 
 import java.io.File;
+import java.nio.charset.Charset;
 import java.security.Security;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -23,6 +22,7 @@
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.junit.Test;
 import org.junit.runner.RunWith;
+import org.mockito.Mock;
 import org.mockito.junit.MockitoJUnitRunner;
 import org.opendaylight.aaa.encrypt.AAAEncryptionService;
 import org.opendaylight.mdsal.binding.api.DataBroker;
@@ -48,7 +48,6 @@ public class KeyStoresDataUtilsTest {
         Security.addProvider(new BouncyCastleProvider());
     }
 
-    private static final AAAEncryptionService AAA_ENCRYPTION_SERVICE = mock(AAAEncryptionService.class);
     private static final byte[] ENCRYPTED_BYTE = new byte[] { 1, 2, 3 };
     private static final String ALIAS = "fooTest";
     private static final String BUNDLE_NAME = "opendaylight";
@@ -61,10 +60,17 @@ public class KeyStoresDataUtilsTest {
     private static final String TRUST_NAME = "trustTest.jks";
     private static final String TEST_PATH = "target" + File.separator + "test" + File.separator;
 
-    private final DataBroker dataBroker = mock(DataBroker.class);
+    @Mock
+    private AAAEncryptionService encryptionService;
+    @Mock
+    private DataBroker dataBroker;
+    @Mock
+    private WriteTransaction wtx;
+    @Mock
+    private ReadTransaction rtx;
 
     @Test
-    public void keyStoresDataUtilsTest() {
+    public void keyStoresDataUtilsTest() throws Exception {
         // Test vars setup
         final OdlKeystore odlKeystore = new OdlKeystoreBuilder().setAlias(ALIAS).setDname(D_NAME).setName(ODL_NAME)
                 .setStorePassword(PASSWORD).setValidity(KeyStoreConstant.DEFAULT_VALIDITY)
@@ -81,22 +87,21 @@ public void keyStoresDataUtilsTest() {
                 .setBundleName(BUNDLE_NAME).build();
 
         final ODLKeyTool odlKeyTool = new ODLKeyTool(TEST_PATH);
-        final KeyStoresDataUtils keyStoresDataUtils = new KeyStoresDataUtils(AAA_ENCRYPTION_SERVICE);
+        final KeyStoresDataUtils keyStoresDataUtils = new KeyStoresDataUtils(encryptionService);
 
         // Mock setup
-        final WriteTransaction wtx = mock(WriteTransaction.class);
         doReturn(CommitInfo.emptyFluentFuture()).when(wtx).commit();
         doReturn(wtx).when(dataBroker).newWriteOnlyTransaction();
 
-        final ReadTransaction rtx = mock(ReadTransaction.class);
         doReturn(FluentFutures.immediateFluentFuture(Optional.of(sslData))).when(rtx).read(
             any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
         doReturn(rtx).when(dataBroker).newReadOnlyTransaction();
 
-        doReturn(ENCRYPTED_STRING).when(AAA_ENCRYPTION_SERVICE).encrypt(isA(String.class));
+        doReturn(ENCRYPTED_STRING.getBytes(Charset.defaultCharset())).when(encryptionService).encrypt(any());
+        doReturn(PASSWORD.getBytes(Charset.defaultCharset())).when(encryptionService).decrypt(any());
 
         // getKeystoresIid
-        InstanceIdentifier instanceIdentifierResult = KeyStoresDataUtils.getKeystoresIid();
+        InstanceIdentifier<?> instanceIdentifierResult = KeyStoresDataUtils.getKeystoresIid();
         assertNotNull(instanceIdentifierResult);
 
         // getSslIid()