[Pki-devel] [PATCH] 0122 Modify ExternalProcessKeyRetriever to read JSON

Fraser Tweedale ftweedal at redhat.com
Sat Jun 4 11:00:14 UTC 2016 

Hi Endi et al,

Attached patch changes ExternalProcessKeyRetriever to read JSON data
(https://fedorahosted.org/pki/ticket/2351).  Would be nice to get
this into 10.2.2 because it will simplify IPA custodia retrieval
helper.

I am using Jackson for JSON parsing.  This is already an implicit
dependency, but should I also add it spec file as explicit
dependency?

Cheers,
Fraser
-------------- next part --------------
From 7183cece34b766b5e1db6837291151b4d58aa9c9 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Sat, 4 Jun 2016 20:49:38 +1000
Subject: [PATCH] Modify ExternalProcessKeyRetriever to read JSON

The ExternalProcessKeyRetriever currently uses a hackish format
where the certificate and PKIArchiveOptions data are separated by a
null byte.  Update the code to expect JSON instead.

No backwards compatibility is provided because at time of writing
the ExternalProcessKeyRetriever is only used in a FreeIPA feature
still under development.

Fixes: https://fedorahosted.org/pki/ticket/2351
---
 base/ca/src/CMakeLists.txt                         | 15 +++++++++
 .../netscape/ca/ExternalProcessKeyRetriever.java   | 37 +++++++++++++---------
 2 files changed, 37 insertions(+), 15 deletions(-)

diff --git a/base/ca/src/CMakeLists.txt b/base/ca/src/CMakeLists.txt
index 1817dacfbacaeb2635db2550e32ff62c26d628ef..2a43c8dbb4f88c22df244bb752ea963b2f0d646c 100644
--- a/base/ca/src/CMakeLists.txt
+++ b/base/ca/src/CMakeLists.txt
@@ -38,6 +38,20 @@ find_file(COMMONS_LANG_JAR
         /usr/share/java
 )
 
+find_file(JACKSON_CORE_JAR
+    NAMES
+        jackson-core-asl.jar
+    PATHS
+        /usr/share/java/jackson
+)
+
+find_file(JACKSON_MAPPER_JAR
+    NAMES
+        jackson-mapper-asl.jar
+    PATHS
+        /usr/share/java/jackson
+)
+
 find_file(JAXRS_API_JAR
     NAMES
         jaxrs-api.jar
@@ -81,6 +95,7 @@ javac(pki-ca-classes
         org/dogtagpki/server/ca/*.java
     CLASSPATH
         ${COMMONS_CODEC_JAR} ${COMMONS_IO_JAR} ${COMMONS_LANG_JAR}
+        ${JACKSON_CORE_JAR} ${JACKSON_MAPPER_JAR}
         ${JSS_JAR} ${SYMKEY_JAR}
         ${LDAPJDK_JAR}
         ${SERVLET_JAR} ${TOMCAT_CATALINA_JAR}
diff --git a/base/ca/src/com/netscape/ca/ExternalProcessKeyRetriever.java b/base/ca/src/com/netscape/ca/ExternalProcessKeyRetriever.java
index 6aee9716e1e5953018ed4c3f3316c9b7d4c88a45..a1b77485284d699bbb524bfc64b3c348663c4c1e 100644
--- a/base/ca/src/com/netscape/ca/ExternalProcessKeyRetriever.java
+++ b/base/ca/src/com/netscape/ca/ExternalProcessKeyRetriever.java
@@ -18,6 +18,8 @@
 
 package com.netscape.ca;
 
+import java.io.IOException;
+import java.io.InputStream;
 import java.lang.Process;
 import java.lang.ProcessBuilder;
 import java.util.Collection;
@@ -26,6 +28,9 @@ import java.util.Stack;
 import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang.ArrayUtils;
 
+import org.codehaus.jackson.map.ObjectMapper;
+import org.codehaus.jackson.JsonNode;
+
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.EPropertyNotFound;
@@ -65,21 +70,7 @@ public class ExternalProcessKeyRetriever implements KeyRetriever {
                 int exitValue = p.waitFor();
                 if (exitValue != 0)
                     continue;
-
-                /* Read a PEM-encoded certificate and a base64-encoded
-                 * PKIArchiveOptions containing the wrapped private key,
-                 * separated by a null byte.
-                 */
-                byte[] output = IOUtils.toByteArray(p.getInputStream());
-                int splitIndex = ArrayUtils.indexOf(output, (byte) 0);
-                if (splitIndex == ArrayUtils.INDEX_NOT_FOUND) {
-                    CMS.debug("Invalid output: null byte not found");
-                    continue;
-                }
-                return new Result(
-                    ArrayUtils.subarray(output, 0, splitIndex),
-                    ArrayUtils.subarray(output, splitIndex + 1, output.length)
-                );
+                return parseResult(p.getInputStream());
             } catch (Throwable e) {
                 CMS.debug("Caught exception while executing command: " + e);
             } finally {
@@ -89,4 +80,20 @@ public class ExternalProcessKeyRetriever implements KeyRetriever {
         CMS.debug("Failed to retrieve key from any host.");
         return null;
     }
+
+    /* Read a PEM-encoded certificate and a base64-encoded
+     * PKIArchiveOptions containing the wrapped private key.
+     * Data is expected to be a JSON object with keys "certificate"
+     * and "wrapped_key".
+     */
+    private Result parseResult(InputStream in) throws IOException {
+        JsonNode root = (new ObjectMapper()).readTree(in);
+        String cert = root.path("certificate").getTextValue();
+        byte[] pao = root.path("wrapped_key").getBinaryValue();
+        if (cert == null)
+            throw new RuntimeException("missing \"certificate\" field");
+        if (pao == null)
+            throw new RuntimeException("missing \"wrapped_key\" field");
+        return new Result(cert.getBytes(), pao);
+    }
 }
-- 
2.5.5

More information about the Pki-devel mailing list