set up server cert

pom.xml

@@ -269,6 +269,18 @@
     <resource>
       <directory>src/main/resources</directory>
       <filtering>true</filtering>
+      <excludes>
+          <exclude>**/*.p12</exclude>
+          <exclude>**/*.cer</exclude>
+      </excludes>
+    </resource>
+    <resource>
+      <directory>src/main/resources</directory>
+      <filtering>false</filtering>
+      <includes>
+          <include>**/*.p12</include>
+          <include>**/*.cer</include>
+      </includes>
     </resource>
   </resources>
   <plugins>

src/main/java/io/cryostat/agent/MainModule.java

@@ -38,6 +38,7 @@
 import io.cryostat.agent.triggers.TriggerModule;
 import io.cryostat.core.JvmIdentifier;
 import io.cryostat.core.net.IDException;
+import io.cryostat.core.sys.FileSystem;
 
 import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
@@ -236,6 +237,12 @@ public static FlightRecorderHelper provideFlightRecorderHelper() {
         return new FlightRecorderHelper();
     }
 
+    @Provides
+    @Singleton
+    public static FileSystem provideFileSystem() {
+        return new FileSystem();
+    }
+
     @Provides
     @Singleton
     @Named(JVM_ID)

src/main/java/io/cryostat/agent/WebServer.java

@@ -15,8 +15,8 @@
  */
 package io.cryostat.agent;
 
-import java.io.FileInputStream;
 import java.io.IOException;
+import java.io.InputStream;
 import java.net.InetSocketAddress;
 import java.net.URI;
 import java.nio.charset.StandardCharsets;
@@ -28,7 +28,9 @@
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
 import java.security.UnrecoverableKeyException;
+import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
 import java.time.Duration;
 import java.util.Arrays;
 import java.util.HashSet;
@@ -44,7 +46,6 @@
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
-import javax.net.ssl.SSLParameters;
 import javax.net.ssl.TrustManagerFactory;
 
 import io.cryostat.agent.remote.RemoteContext;
@@ -59,6 +60,7 @@
 import com.sun.net.httpserver.HttpsParameters;
 import com.sun.net.httpserver.HttpsServer;
 import dagger.Lazy;
+import org.apache.commons.io.IOUtils;
 import org.apache.http.HttpStatus;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -107,7 +109,7 @@ class WebServer {
         this.compressionFilter = new CompressionFilter();
     }
 
-    void start() throws IOException, NoSuchAlgorithmException {
+    void start() {
         if (this.https != null) {
             stop();
         }
@@ -118,57 +120,79 @@ void start() throws IOException, NoSuchAlgorithmException {
             SSLContext sslContext = SSLContext.getInstance("TLS");
 
             // initialize keystore
-            FileInputStream passwordFile = new FileInputStream("keystore.pass");
-            char[] password = new String(passwordFile.readAllBytes()).toCharArray();
-            passwordFile.close();
-            KeyStore ks = KeyStore.getInstance("JKS");
-            FileInputStream fis = new FileInputStream("cryostat-keystore.p12");
-            ks.load(fis, password);
-
+            InputStream pass = this.getClass().getResourceAsStream("/certs/keystore.pass");
+            String password = IOUtils.toString(pass, StandardCharsets.US_ASCII);
+            password = password.substring(0, password.length() - 1);
+            pass.close();
+            KeyStore ks = KeyStore.getInstance("PKCS12");
+            InputStream keystore =
+                    this.getClass().getResourceAsStream("/certs/cryostat-keystore.p12");
+            ks.load(keystore, password.toCharArray());
+            if (keystore != null) {
+                keystore.close();
+            }
+
+            // set up certificate factory
+            InputStream certFile = this.getClass().getResourceAsStream("/certs/server.cer");
+            CertificateFactory cf = CertificateFactory.getInstance("X.509");
+            Certificate cert = cf.generateCertificate(certFile);
+            ks.setCertificateEntry("serverCert", cert);
+            certFile.close();
+
             // set up key manager factory
-            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
-            kmf.init(ks, password);
+            KeyManagerFactory kmf =
+                    KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+            kmf.init(ks, password.toCharArray());
 
             // set up trust manager factory
-            // TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
-            // tmf.init(ks);
+            TrustManagerFactory tmf =
+                    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+            tmf.init(ks);
 
             // set up HTTPS context
-            sslContext.init(kmf.getKeyManagers(), null, null);
-            this.https.setHttpsConfigurator(new HttpsConfigurator(sslContext) {
-                public void configure(HttpsParameters params) {
-                    try {
-                        SSLContext context = getSSLContext();
-                        SSLEngine engine = context.createSSLEngine();
-                        params.setNeedClientAuth(false);
-                        params.setCipherSuites(engine.getEnabledCipherSuites());
-                        params.setProtocols((engine.getEnabledProtocols()));
-                        params.setSSLParameters(context.getDefaultSSLParameters());
-                    } catch (Exception e) {
-                        log.error("Failed to configure the HTTPS parameters", e);
-                    }
-                }
-            });
-        } catch (KeyStoreException 
-                | CertificateException 
-                | UnrecoverableKeyException 
-                | KeyManagementException e) {
+            sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
+            this.https.setHttpsConfigurator(
+                    new HttpsConfigurator(sslContext) {
+                        public void configure(HttpsParameters params) {
+                            try {
+                                SSLContext context = getSSLContext();
+                                SSLEngine engine = context.createSSLEngine();
+                                params.setNeedClientAuth(false);
+                                params.setCipherSuites(engine.getEnabledCipherSuites());
+                                params.setProtocols((engine.getEnabledProtocols()));
+                                params.setSSLParameters(context.getDefaultSSLParameters());
+                            } catch (Exception e) {
+                                log.error(
+                                        "Failed to configure the HTTPS context and parameters", e);
+                            }
+                        }
+                    });
+
+            Set<RemoteContext> mergedContexts = new HashSet<>(remoteContexts.get());
+            mergedContexts.add(new PingContext(registration));
+            mergedContexts.stream()
+                    .filter(RemoteContext::available)
+                    .forEach(
+                            rc -> {
+                                HttpContext ctx =
+                                        this.https.createContext(rc.path(), wrap(rc::handle));
+                                ctx.setAuthenticator(agentAuthenticator);
+                                ctx.getFilters().add(requestLoggingFilter);
+                                ctx.getFilters().add(compressionFilter);
+                            });
+            this.https.setExecutor(executor);
+            this.https.start();
+
+            log.info("HERE WE ARE");
+
+        } catch (KeyStoreException
+                | CertificateException
+                | UnrecoverableKeyException
+                | KeyManagementException
+                | IOException
+                | NoSuchAlgorithmException e) {
             log.error("Failed to set up HTTPS server", e);
         }
-
-        Set<RemoteContext> mergedContexts = new HashSet<>(remoteContexts.get());
-        mergedContexts.add(new PingContext(registration));
-        mergedContexts.stream()
-                .filter(RemoteContext::available)
-                .forEach(
-                        rc -> {
-                            HttpContext ctx = this.https.createContext(rc.path(), wrap(rc::handle));
-                            ctx.setAuthenticator(agentAuthenticator);
-                            ctx.getFilters().add(requestLoggingFilter);
-                            ctx.getFilters().add(compressionFilter);
-                        });
-        this.https.setExecutor(executor);
-        this.https.start();
     }
 
     Path discoverCertPath() {

src/main/java/io/cryostat/agent/certs/keystore.pass

@@ -0,0 +1 @@
+7XIvZiCyrx6akly_dDvOtpe7QM6ksYoH

src/main/resources/certs/generate-dev-certs.sh

@@ -0,0 +1,58 @@
+#!/bin/sh
+
+set -x
+
+CERTS_DIR=$(realpath "$(dirname "$0")")
+
+SSL_KEYSTORE=cryostat-keystore.p12
+
+SSL_KEYSTORE_PASS_FILE=keystore.pass
+
+cleanup() {
+    cd "$CERTS_DIR"
+    rm $SSL_KEYSTORE $SSL_KEYSTORE_PASS_FILE
+    cd -
+}
+
+case "$1" in
+    clean)
+        cleanup
+        exit 0
+        ;;
+    generate)
+        ;;
+    *)
+        echo "Usage: $0 [clean|generate]"
+        exit 1
+        ;;
+esac
+
+set -e
+
+genpass() {
+    < /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c32
+}
+
+SSL_KEYSTORE_PASS=$(genpass)
+
+cd "$CERTS_DIR"
+trap "cd -" EXIT
+
+echo "$SSL_KEYSTORE_PASS" > $SSL_KEYSTORE_PASS_FILE
+
+keytool \
+    -genkeypair -v \
+    -alias custom-cryostat \
+    -dname "cn=cryostat, o=Cryostat, c=CA" \
+    -storetype PKCS12 \
+    -validity 365 \
+    -keyalg RSA \
+    -storepass "$SSL_KEYSTORE_PASS" \
+    -keystore "$SSL_KEYSTORE"
+
+keytool \
+    -exportcert -v \
+    -alias custom-cryostat \
+    -keystore "$SSL_KEYSTORE" \
+    -storepass "$SSL_KEYSTORE_PASS" \
+    -file server.cer