authorBjørn Christian Seime <bjorncs@verizonmedia.com>2022-07-20 16:01:16 +0200
committerGitHub <noreply@github.com>2022-07-20 16:01:16 +0200
commit37b82350dd673de1d7375c01838123bf0b1e1a91 (patch)
treed57a651f4c11589a5acefd26f70b612766857f3f
parent02c4a8fff7668971d0b82581081c1ea9466d5fc8 (diff)
parent4dcb1c83c96b51ec9a1770c269e75a94debebb9d (diff)
Merge pull request #23528 from vespa-engine/bjorncs/capabilities
Bjorncs/capabilities [run-systemtest]
-rw-r--r--athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ConfigserverSslContextFactoryProvider.java2
-rw-r--r--athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/Certificates.java4
-rw-r--r--athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java8
-rw-r--r--athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificateTester.java4
-rw-r--r--athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificatesTest.java4
-rw-r--r--configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java8
-rw-r--r--configserver/src/test/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizerTest.java8
-rw-r--r--container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/HealthCheckProxyHandler.java2
-rw-r--r--container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/ConfiguredSslContextFactoryProvider.java2
-rw-r--r--container-core/src/test/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProviderTest.java2
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateValidatorImpl.java2
-rw-r--r--jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java4
-rw-r--r--jrt/src/com/yahoo/jrt/Connection.java17
-rw-r--r--jrt/src/com/yahoo/jrt/CryptoSocket.java12
-rw-r--r--jrt/src/com/yahoo/jrt/ErrorCode.java3
-rw-r--r--jrt/src/com/yahoo/jrt/InvocationServer.java6
-rw-r--r--jrt/src/com/yahoo/jrt/MaybeTlsCryptoSocket.java7
-rw-r--r--jrt/src/com/yahoo/jrt/Method.java6
-rw-r--r--jrt/src/com/yahoo/jrt/RequestAccessFilter.java17
-rw-r--r--jrt/src/com/yahoo/jrt/RequireCapabilitiesFilter.java54
-rw-r--r--jrt/src/com/yahoo/jrt/Target.java12
-rw-r--r--jrt/src/com/yahoo/jrt/TlsCryptoSocket.java12
-rw-r--r--jrt/tests/com/yahoo/jrt/CryptoUtils.java8
-rw-r--r--jrt/tests/com/yahoo/jrt/EchoTest.java7
-rw-r--r--jrt/tests/com/yahoo/jrt/InvokeAsyncTest.java22
-rw-r--r--jrt/tests/com/yahoo/jrt/InvokeErrorTest.java59
-rw-r--r--jrt/tests/com/yahoo/jrt/InvokeSyncTest.java19
-rw-r--r--jrt/tests/com/yahoo/jrt/SimpleRequestAccessFilter.java9
-rw-r--r--security-utils/src/main/java/com/yahoo/security/AutoReloadingX509KeyManager.java (renamed from security-utils/src/main/java/com/yahoo/security/tls/AutoReloadingX509KeyManager.java)8
-rw-r--r--security-utils/src/main/java/com/yahoo/security/KeyManagerUtils.java (renamed from security-utils/src/main/java/com/yahoo/security/tls/KeyManagerUtils.java)5
-rw-r--r--security-utils/src/main/java/com/yahoo/security/MutableX509KeyManager.java (renamed from security-utils/src/main/java/com/yahoo/security/tls/MutableX509KeyManager.java)2
-rw-r--r--security-utils/src/main/java/com/yahoo/security/MutableX509TrustManager.java (renamed from security-utils/src/main/java/com/yahoo/security/tls/MutableX509TrustManager.java)2
-rw-r--r--security-utils/src/main/java/com/yahoo/security/Pkcs10CsrBuilder.java4
-rw-r--r--security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java6
-rw-r--r--security-utils/src/main/java/com/yahoo/security/SubjectAlternativeName.java18
-rw-r--r--security-utils/src/main/java/com/yahoo/security/TrustAllX509TrustManager.java (renamed from security-utils/src/main/java/com/yahoo/security/tls/TrustAllX509TrustManager.java)2
-rw-r--r--security-utils/src/main/java/com/yahoo/security/TrustManagerUtils.java (renamed from security-utils/src/main/java/com/yahoo/security/tls/TrustManagerUtils.java)2
-rw-r--r--security-utils/src/main/java/com/yahoo/security/X509CertificateBuilder.java4
-rw-r--r--security-utils/src/main/java/com/yahoo/security/X509CertificateUtils.java8
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/AuthorizedPeers.java (renamed from security-utils/src/main/java/com/yahoo/security/tls/policy/AuthorizedPeers.java)2
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/Capability.java (renamed from security-utils/src/main/java/com/yahoo/security/tls/policy/Capability.java)2
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/CapabilityMode.java26
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/CapabilitySet.java (renamed from security-utils/src/main/java/com/yahoo/security/tls/policy/CapabilitySet.java)5
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/ConfigFileBasedTlsContext.java3
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java72
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java2
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/GlobPattern.java (renamed from security-utils/src/main/java/com/yahoo/security/tls/policy/GlobPattern.java)2
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/HostGlobPattern.java (renamed from security-utils/src/main/java/com/yahoo/security/tls/policy/HostGlobPattern.java)2
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizer.java (renamed from security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizer.java)18
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizerTrustManager.java (renamed from security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java)11
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/PeerPolicy.java (renamed from security-utils/src/main/java/com/yahoo/security/tls/policy/PeerPolicy.java)2
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/RequiredPeerCredential.java (renamed from security-utils/src/main/java/com/yahoo/security/tls/policy/RequiredPeerCredential.java)2
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptions.java3
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptionsEntity.java (renamed from security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsEntity.java)2
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptionsJsonSerializer.java (renamed from security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializer.java)21
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java7
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/UriGlobPattern.java (renamed from security-utils/src/main/java/com/yahoo/security/tls/policy/UriGlobPattern.java)2
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/authz/ConnectionAuthContext.java26
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/authz/package-info.java8
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/https/package-info.java8
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/json/package-info.java8
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/policy/package-info.java8
-rw-r--r--security-utils/src/test/java/com/yahoo/security/AutoReloadingX509KeyManagerTest.java (renamed from security-utils/src/test/java/com/yahoo/security/tls/AutoReloadingX509KeyManagerTest.java)3
-rw-r--r--security-utils/src/test/java/com/yahoo/security/MutableX509KeyManagerTest.java (renamed from security-utils/src/test/java/com/yahoo/security/tls/MutableX509KeyManagerTest.java)3
-rw-r--r--security-utils/src/test/java/com/yahoo/security/MutableX509TrustManagerTest.java (renamed from security-utils/src/test/java/com/yahoo/security/tls/MutableX509TrustManagerTest.java)10
-rw-r--r--security-utils/src/test/java/com/yahoo/security/Pkcs10CsrTest.java6
-rw-r--r--security-utils/src/test/java/com/yahoo/security/X509CertificateUtilsTest.java4
-rw-r--r--security-utils/src/test/java/com/yahoo/security/tls/AuthorizedPeersTest.java (renamed from security-utils/src/test/java/com/yahoo/security/tls/policy/AuthorizedPeersTest.java)6
-rw-r--r--security-utils/src/test/java/com/yahoo/security/tls/CapabilitySetTest.java (renamed from security-utils/src/test/java/com/yahoo/security/tls/policy/CapabilitySetTest.java)2
-rw-r--r--security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java3
-rw-r--r--security-utils/src/test/java/com/yahoo/security/tls/GlobPatternTest.java (renamed from security-utils/src/test/java/com/yahoo/security/tls/policy/GlobPatternTest.java)2
-rw-r--r--security-utils/src/test/java/com/yahoo/security/tls/HostGlobPatternTest.java (renamed from security-utils/src/test/java/com/yahoo/security/tls/policy/HostGlobPatternTest.java)2
-rw-r--r--security-utils/src/test/java/com/yahoo/security/tls/PeerAuthorizerTest.java (renamed from security-utils/src/test/java/com/yahoo/security/tls/authz/PeerAuthorizerTest.java)19
-rw-r--r--security-utils/src/test/java/com/yahoo/security/tls/TransportSecurityOptionsJsonSerializerTest.java (renamed from security-utils/src/test/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializerTest.java)14
-rw-r--r--security-utils/src/test/java/com/yahoo/security/tls/UriGlobPatternTest.java (renamed from security-utils/src/test/java/com/yahoo/security/tls/policy/UriGlobPatternTest.java)2
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/utils/RoleCsrGenerator.java4
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java2
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java2
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java16
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java12
-rw-r--r--zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ConfiguratorTest.java2
81 files changed, 448 insertions, 289 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ConfigserverSslContextFactoryProvider.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ConfigserverSslContextFactoryProvider.java
index 147a05bc27e..61a4a0fe41f 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ConfigserverSslContextFactoryProvider.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ConfigserverSslContextFactoryProvider.java
@@ -8,7 +8,7 @@ import com.yahoo.security.KeyStoreType;
import com.yahoo.security.KeyUtils;
import com.yahoo.security.SslContextBuilder;
import com.yahoo.security.tls.DefaultTlsContext;
-import com.yahoo.security.tls.MutableX509KeyManager;
+import com.yahoo.security.MutableX509KeyManager;
import com.yahoo.security.tls.PeerAuthentication;
import com.yahoo.security.tls.TlsContext;
import com.yahoo.vespa.athenz.api.AthenzService;
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/Certificates.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/Certificates.java
index 61dc67bd7d4..df904bf8010 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/Certificates.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/Certificates.java
@@ -17,7 +17,7 @@ import java.util.Optional;
import java.util.stream.Collectors;
import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_ECDSA;
-import static com.yahoo.security.SubjectAlternativeName.Type.DNS_NAME;
+import static com.yahoo.security.SubjectAlternativeName.Type.DNS;
/**
* Helper class for creating {@link X509Certificate}s.
@@ -66,7 +66,7 @@ public class Certificates {
private static Optional<String> getInstanceIdFromSAN(List<SubjectAlternativeName> subjectAlternativeNames) {
return subjectAlternativeNames.stream()
- .filter(san -> san.getType() == DNS_NAME)
+ .filter(san -> san.getType() == DNS)
.map(SubjectAlternativeName::getValue)
.map(Certificates::parseInstanceId)
.flatMap(Optional::stream)
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java
index 9bd6153f159..f5dbcb6a699 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java
@@ -97,8 +97,8 @@ public class CertificateAuthorityApiHandler extends ThreadedHttpRequestHandler {
var instanceRegistration = deserializeRequest(request, InstanceSerializer::registrationFromSlime);
InstanceConfirmation confirmation = new InstanceConfirmation(instanceRegistration.provider(), instanceRegistration.domain(), instanceRegistration.service(), EntityBindingsMapper.toSignedIdentityDocumentEntity(instanceRegistration.attestationData()));
- confirmation.set(InstanceValidator.SAN_IPS_ATTRNAME, Certificates.getSubjectAlternativeNames(instanceRegistration.csr(), SubjectAlternativeName.Type.IP_ADDRESS));
- confirmation.set(InstanceValidator.SAN_DNS_ATTRNAME, Certificates.getSubjectAlternativeNames(instanceRegistration.csr(), SubjectAlternativeName.Type.DNS_NAME));
+ confirmation.set(InstanceValidator.SAN_IPS_ATTRNAME, Certificates.getSubjectAlternativeNames(instanceRegistration.csr(), SubjectAlternativeName.Type.IP));
+ confirmation.set(InstanceValidator.SAN_DNS_ATTRNAME, Certificates.getSubjectAlternativeNames(instanceRegistration.csr(), SubjectAlternativeName.Type.DNS));
if (!instanceValidator.isValidInstance(confirmation)) {
log.log(Level.INFO, "Invalid instance registration for " + instanceRegistration.toString());
return ErrorResponse.forbidden("Unable to launch service: " +instanceRegistration.service());
@@ -130,8 +130,8 @@ public class CertificateAuthorityApiHandler extends ThreadedHttpRequestHandler {
refreshesSameService(instanceRefresh, athenzService);
InstanceConfirmation instanceConfirmation = new InstanceConfirmation(provider, athenzService.getDomain().getName(), athenzService.getName(), null);
- instanceConfirmation.set(InstanceValidator.SAN_IPS_ATTRNAME, Certificates.getSubjectAlternativeNames(instanceRefresh.csr(), SubjectAlternativeName.Type.IP_ADDRESS));
- instanceConfirmation.set(InstanceValidator.SAN_DNS_ATTRNAME, Certificates.getSubjectAlternativeNames(instanceRefresh.csr(), SubjectAlternativeName.Type.DNS_NAME));
+ instanceConfirmation.set(InstanceValidator.SAN_IPS_ATTRNAME, Certificates.getSubjectAlternativeNames(instanceRefresh.csr(), SubjectAlternativeName.Type.IP));
+ instanceConfirmation.set(InstanceValidator.SAN_DNS_ATTRNAME, Certificates.getSubjectAlternativeNames(instanceRefresh.csr(), SubjectAlternativeName.Type.DNS));
if(!instanceValidator.isValidRefresh(instanceConfirmation)) {
return ErrorResponse.forbidden("Unable to refresh cert: " + instanceRefresh.csr().getSubject().toString());
}
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificateTester.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificateTester.java
index b225cbef21c..4012776949e 100644
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificateTester.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificateTester.java
@@ -68,10 +68,10 @@ public class CertificateTester {
KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);
var builder = Pkcs10CsrBuilder.fromKeypair(subject, keyPair, SignatureAlgorithm.SHA512_WITH_ECDSA);
for (var dnsName : dnsNames) {
- builder = builder.addSubjectAlternativeName(SubjectAlternativeName.Type.DNS_NAME, dnsName);
+ builder = builder.addSubjectAlternativeName(SubjectAlternativeName.Type.DNS, dnsName);
}
for (var ipAddress : ipAddresses) {
- builder = builder.addSubjectAlternativeName(SubjectAlternativeName.Type.IP_ADDRESS, ipAddress);
+ builder = builder.addSubjectAlternativeName(SubjectAlternativeName.Type.IP, ipAddress);
}
return builder.build();
}
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificatesTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificatesTest.java
index 613ced895e9..19ee3d22330 100644
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificatesTest.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificatesTest.java
@@ -48,9 +48,9 @@ public class CertificatesTest {
assertEquals(2, certificate.getSubjectAlternativeNames().size());
var subjectAlternativeNames = List.copyOf(certificate.getSubjectAlternativeNames());
- assertEquals(List.of(SubjectAlternativeName.Type.DNS_NAME.getTag(), dnsName),
+ assertEquals(List.of(SubjectAlternativeName.Type.DNS.getTag(), dnsName),
subjectAlternativeNames.get(0));
- assertEquals(List.of(SubjectAlternativeName.Type.IP_ADDRESS.getTag(), ip),
+ assertEquals(List.of(SubjectAlternativeName.Type.IP.getTag(), ip),
subjectAlternativeNames.get(1));
}
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java b/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java
index 288d064f150..536a446df2f 100644
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.java
@@ -12,7 +12,7 @@ import com.yahoo.config.provision.security.NodeIdentity;
import com.yahoo.jrt.Request;
import com.yahoo.security.tls.MixedMode;
import com.yahoo.security.tls.TransportSecurityUtils;
-import com.yahoo.security.tls.authz.ConnectionAuthContext;
+import com.yahoo.security.tls.ConnectionAuthContext;
import com.yahoo.vespa.config.ConfigKey;
import com.yahoo.vespa.config.protocol.JRTServerConfigRequestV3;
import com.yahoo.vespa.config.server.RequestHandler;
@@ -166,14 +166,14 @@ public class MultiTenantRpcAuthorizer implements RpcAuthorizer {
// TODO Make peer identity mandatory once TLS mixed mode is removed
private Optional<NodeIdentity> getPeerIdentity(Request request) {
- Optional<ConnectionAuthContext> authCtx = request.target().getConnectionAuthContext();
- if (authCtx.isEmpty()) {
+ ConnectionAuthContext authCtx = request.target().connectionAuthContext();
+ if (authCtx.peerCertificate().isEmpty()) {
if (TransportSecurityUtils.getInsecureMixedMode() == MixedMode.DISABLED) {
throw new IllegalStateException("Security context missing"); // security context should always be present
}
return Optional.empty(); // client choose to communicate over insecure channel
}
- List<X509Certificate> certChain = authCtx.get().peerCertificateChain();
+ List<X509Certificate> certChain = authCtx.peerCertificateChain();
if (certChain.isEmpty()) {
throw new IllegalStateException("Client authentication is not enforced!"); // clients should be required to authenticate when TLS is enabled
}
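Review bot: The distinction between a plaintext connection and a TLS connection that presented no client certificate appears to be lost in `getPeerIdentity`: the removed `authCtx.isEmpty()` fired only for insecure connections, whereas the new `authCtx.peerCertificate().isEmpty()` presumably also fires when TLS completed without client authentication, so under insecure mixed mode such a connection now returns `Optional.empty()` (treated as a legitimate insecure client) instead of reaching the `"Client authentication is not enforced!"` check, which becomes unreachable if `peerCertificate()` is just the head of `peerCertificateChain()`. If ConnectionAuthContext exposes whether the transport was TLS, that should be the first condition here with the empty-chain check kept for the TLS case; otherwise a comment should record that the mixed-mode branch now deliberately covers both situations. The implementation of `peerCertificate()` is not in this hunk, so this is inferred from the call shape.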
diff --git a/configserver/src/test/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizerTest.java b/configserver/src/test/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizerTest.java
index 5b5b795a412..bffed6eb0b1 100644
--- a/configserver/src/test/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizerTest.java
+++ b/configserver/src/test/java/com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizerTest.java
@@ -18,8 +18,8 @@ import com.yahoo.security.KeyAlgorithm;
import com.yahoo.security.KeyUtils;
import com.yahoo.security.SignatureAlgorithm;
import com.yahoo.security.X509CertificateBuilder;
-import com.yahoo.security.tls.authz.ConnectionAuthContext;
-import com.yahoo.security.tls.policy.CapabilitySet;
+import com.yahoo.security.tls.CapabilitySet;
+import com.yahoo.security.tls.ConnectionAuthContext;
import com.yahoo.slime.Cursor;
import com.yahoo.slime.JsonFormat;
import com.yahoo.slime.Slime;
@@ -250,9 +250,9 @@ public class MultiTenantRpcAuthorizerTest {
private static Request mockJrtRpcRequest(String payload) {
ConnectionAuthContext authContext =
- new ConnectionAuthContext(PEER_CERTIFICATE_CHAIN, CapabilitySet.none(), Set.of());
+ new ConnectionAuthContext(PEER_CERTIFICATE_CHAIN, CapabilitySet.all(), Set.of());
Target target = mock(Target.class);
- when(target.getConnectionAuthContext()).thenReturn(Optional.of(authContext));
+ when(target.connectionAuthContext()).thenReturn(authContext);
Request request = mock(Request.class);
when(request.target()).thenReturn(target);
Values values = new Values();
diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/HealthCheckProxyHandler.java b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/HealthCheckProxyHandler.java
index f559a368fe3..18490765576 100644
--- a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/HealthCheckProxyHandler.java
+++ b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/HealthCheckProxyHandler.java
@@ -6,7 +6,7 @@ import com.yahoo.jdisc.http.ConnectorConfig;
import com.yahoo.security.SslContextBuilder;
import com.yahoo.security.tls.TransportSecurityOptions;
import com.yahoo.security.tls.TransportSecurityUtils;
-import com.yahoo.security.tls.TrustAllX509TrustManager;
+import com.yahoo.security.TrustAllX509TrustManager;
import org.eclipse.jetty.client.HttpClient;
import org.eclipse.jetty.client.ProxyProtocolClientConnectionFactory;
import org.eclipse.jetty.client.api.ContentResponse;
diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/ConfiguredSslContextFactoryProvider.java b/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/ConfiguredSslContextFactoryProvider.java
index 05a013c036e..27c5aff22a9 100644
--- a/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/ConfiguredSslContextFactoryProvider.java
+++ b/container-core/src/main/java/com/yahoo/jdisc/http/ssl/impl/ConfiguredSslContextFactoryProvider.java
@@ -6,7 +6,7 @@ import com.yahoo.jdisc.http.SslProvider;
import com.yahoo.security.KeyUtils;
import com.yahoo.security.SslContextBuilder;
import com.yahoo.security.X509CertificateUtils;
-import com.yahoo.security.tls.AutoReloadingX509KeyManager;
+import com.yahoo.security.AutoReloadingX509KeyManager;
import com.yahoo.security.tls.TlsContext;
import javax.net.ssl.SSLContext;
diff --git a/container-core/src/test/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProviderTest.java b/container-core/src/test/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProviderTest.java
index fce4d6ee74e..e8e358252dc 100644
--- a/container-core/src/test/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProviderTest.java
+++ b/container-core/src/test/java/com/yahoo/jdisc/http/ssl/impl/TlsContextBasedProviderTest.java
@@ -4,11 +4,11 @@ package com.yahoo.jdisc.http.ssl.impl;
import com.yahoo.security.KeyUtils;
import com.yahoo.security.X509CertificateBuilder;
import com.yahoo.security.tls.AuthorizationMode;
+import com.yahoo.security.tls.AuthorizedPeers;
import com.yahoo.security.tls.DefaultTlsContext;
import com.yahoo.security.tls.HostnameVerification;
import com.yahoo.security.tls.PeerAuthentication;
import com.yahoo.security.tls.TlsContext;
-import com.yahoo.security.tls.policy.AuthorizedPeers;
import org.junit.Test;
import javax.security.auth.x500.X500Principal;
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateValidatorImpl.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateValidatorImpl.java
index 9bfd8f9d34e..ecea1ce6913 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateValidatorImpl.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateValidatorImpl.java
@@ -59,7 +59,7 @@ public class EndpointCertificateValidatorImpl implements EndpointCertificateVali
X509Certificate endEntityCertificate = x509CertificateList.get(0);
Set<String> subjectAlternativeNames = X509CertificateUtils.getSubjectAlternativeNames(endEntityCertificate).stream()
- .filter(san -> san.getType().equals(SubjectAlternativeName.Type.DNS_NAME))
+ .filter(san -> san.getType().equals(SubjectAlternativeName.Type.DNS))
.map(SubjectAlternativeName::getValue).collect(Collectors.toSet());
if (!subjectAlternativeNames.containsAll(requiredNamesForZone))
diff --git a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java
index 63223f3c221..d74075831f1 100644
--- a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java
+++ b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java
@@ -37,7 +37,7 @@ import static com.yahoo.jdisc.http.filter.security.athenz.AthenzAuthorizationFil
import static com.yahoo.jdisc.http.filter.security.athenz.AthenzAuthorizationFilter.MATCHED_ROLE_ATTRIBUTE;
import static com.yahoo.jdisc.http.filter.security.athenz.AthenzAuthorizationFilter.RESULT_ATTRIBUTE;
import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_ECDSA;
-import static com.yahoo.security.SubjectAlternativeName.Type.RFC822_NAME;
+import static com.yahoo.security.SubjectAlternativeName.Type.EMAIL;
import static com.yahoo.vespa.athenz.zpe.AuthorizationResult.Type;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
@@ -262,7 +262,7 @@ public class AthenzAuthorizationFilterTest {
Instant now = Instant.now();
return X509CertificateBuilder
.fromKeypair(keyPair, x500Name, now, now.plus(Duration.ofDays(30)), SHA256_WITH_ECDSA, BigInteger.ONE)
- .addSubjectAlternativeName(new SubjectAlternativeName(RFC822_NAME, identity.getFullName() + "@my.domain.my-identity-provider"))
+ .addSubjectAlternativeName(new SubjectAlternativeName(EMAIL, identity.getFullName() + "@my.domain.my-identity-provider"))
.build();
}
diff --git a/jrt/src/com/yahoo/jrt/Connection.java b/jrt/src/com/yahoo/jrt/Connection.java
index 644e2ef4ff3..1e4092efb75 100644
--- a/jrt/src/com/yahoo/jrt/Connection.java
+++ b/jrt/src/com/yahoo/jrt/Connection.java
@@ -1,9 +1,10 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.jrt;
-import com.yahoo.security.tls.authz.ConnectionAuthContext;
+import com.yahoo.security.tls.ConnectionAuthContext;
import java.io.IOException;
+import java.net.InetSocketAddress;
import java.nio.ByteBuffer;
import java.nio.channels.SelectionKey;
import java.nio.channels.Selector;
@@ -11,7 +12,6 @@ import java.nio.channels.SocketChannel;
import java.util.HashMap;
import java.util.IdentityHashMap;
import java.util.Map;
-import java.util.Optional;
import java.util.concurrent.atomic.AtomicLong;
import java.util.logging.Level;
import java.util.logging.Logger;
@@ -438,9 +438,16 @@ class Connection extends Target {
}
@Override
- public Optional<ConnectionAuthContext> getConnectionAuthContext() {
- return Optional.ofNullable(socket)
- .flatMap(CryptoSocket::getConnectionAuthContext);
+ public ConnectionAuthContext connectionAuthContext() {
+ if (socket == null) throw new IllegalStateException("Not connected");
+ return socket.connectionAuthContext();
+ }
+
+ @Override
+ public Spec peerSpec() {
+ if (socket == null) throw new IllegalStateException("Not connected");
+ InetSocketAddress addr = (InetSocketAddress) socket.channel().socket().getRemoteSocketAddress();
+ return new Spec(addr.getHostString(), addr.getPort());
}
public boolean isClient() {
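Review bot: `peerSpec()` can still fail with a NullPointerException rather than the intended IllegalStateException, because `getRemoteSocketAddress()` returns null when the underlying socket is not (or no longer) connected and the cast-then-dereference on the following line does not check for that. A null check keeps the failure mode consistent with the `socket == null` guard above it: `if (addr == null) throw new IllegalStateException("Not connected");`. The unchecked cast to InetSocketAddress is fine for TCP channels but could be folded into the same guard with an `instanceof` test. The Connection class continues outside this hunk.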
diff --git a/jrt/src/com/yahoo/jrt/CryptoSocket.java b/jrt/src/com/yahoo/jrt/CryptoSocket.java
index aac91362405..e30579d2bdc 100644
--- a/jrt/src/com/yahoo/jrt/CryptoSocket.java
+++ b/jrt/src/com/yahoo/jrt/CryptoSocket.java
@@ -2,12 +2,11 @@
package com.yahoo.jrt;
-import com.yahoo.security.tls.authz.ConnectionAuthContext;
+import com.yahoo.security.tls.ConnectionAuthContext;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.SocketChannel;
-import java.util.Optional;
/**
@@ -104,11 +103,6 @@ public interface CryptoSocket {
**/
public void dropEmptyBuffers();
- /**
- * Returns the auth context for the current connection (given handshake completed),
- * or empty if the current connection is not secure.
- */
- default public Optional<ConnectionAuthContext> getConnectionAuthContext() {
- return Optional.empty();
- }
+ /** Returns the auth context for the current connection (given handshake completed) */
+ default ConnectionAuthContext connectionAuthContext() { return ConnectionAuthContext.defaultAllCapabilities(); }
}
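Review bot: The new default for `connectionAuthContext()` is fail-open: any CryptoSocket implementation that does not override it reports a peer holding every capability, so a plaintext or otherwise unauthenticated socket is treated as fully privileged by whatever capability filter is consulted downstream. That may be the intended semantics for insecure/mixed mode, but the Javadoc should say so explicitly so a future transport does not inherit full trust by accident, e.g. `/** Returns the auth context for the current connection (given handshake completed). The default grants ALL capabilities and is only appropriate for unauthenticated (non-TLS) sockets; secure implementations must override it. */`. Alternatively make the method abstract and place the all-capabilities context in the explicit plaintext implementations, so the privileged choice is visible at each site.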
diff --git a/jrt/src/com/yahoo/jrt/ErrorCode.java b/jrt/src/com/yahoo/jrt/ErrorCode.java
index beaabcea316..8e129cfef98 100644
--- a/jrt/src/com/yahoo/jrt/ErrorCode.java
+++ b/jrt/src/com/yahoo/jrt/ErrorCode.java
@@ -49,4 +49,7 @@ public class ErrorCode
/** Method failed (111) **/
public static final int METHOD_FAILED = 111;
+
+ /** Permission denied (112) **/
+ public static final int PERMISSION_DENIED = 112;
}
diff --git a/jrt/src/com/yahoo/jrt/InvocationServer.java b/jrt/src/com/yahoo/jrt/InvocationServer.java
index 9df92eb20a6..7704c0019ed 100644
--- a/jrt/src/com/yahoo/jrt/InvocationServer.java
+++ b/jrt/src/com/yahoo/jrt/InvocationServer.java
@@ -31,7 +31,11 @@ class InvocationServer {
public void invoke() {
if (method != null) {
if (method.checkParameters(request)) {
- method.invoke(request);
+ if (method.requestAccessFilter().allow(request)) {
+ method.invoke(request);
+ } else {
+ request.setError(ErrorCode.PERMISSION_DENIED, "Permission denied");
+ }
} else {
request.setError(ErrorCode.WRONG_PARAMS, "Parameters in " + request + " does not match " + method);
}
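Review bot: The access filter is consulted only after `checkParameters(request)` has succeeded, so authorization runs after parameter validation; a caller lacking the required capability can still probe a method's parameter signature by distinguishing WRONG_PARAMS from PERMISSION_DENIED, and validation work is spent on requests that will be rejected anyway. Running the filter first closes that side channel: `if (!method.requestAccessFilter().allow(request)) request.setError(ErrorCode.PERMISSION_DENIED, "Permission denied"); else if (method.checkParameters(request)) method.invoke(request); else request.setError(ErrorCode.WRONG_PARAMS, "Parameters in " + request + " does not match " + method);`. The generic "Permission denied" text is appropriate on the wire, but since `allow()` returns only a boolean the reason is lost at this point — presumably the filter implementation logs it, which is worth confirming. The enclosing `invoke()` method continues beyond this hunk.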
diff --git a/jrt/src/com/yahoo/jrt/MaybeTlsCryptoSocket.java b/jrt/src/com/yahoo/jrt/MaybeTlsCryptoSocket.java
index 42442289cd1..ab9d78d2676 100644
--- a/jrt/src/com/yahoo/jrt/MaybeTlsCryptoSocket.java
+++ b/jrt/src/com/yahoo/jrt/MaybeTlsCryptoSocket.java
@@ -1,12 +1,11 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.jrt;
-import com.yahoo.security.tls.authz.ConnectionAuthContext;
+import com.yahoo.security.tls.ConnectionAuthContext;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.SocketChannel;
-import java.util.Optional;
/**
* A crypto socket for the server side of a connection that
@@ -132,7 +131,5 @@ public class MaybeTlsCryptoSocket implements CryptoSocket {
@Override public int write(ByteBuffer src) throws IOException { return socket.write(src); }
@Override public FlushResult flush() throws IOException { return socket.flush(); }
@Override public void dropEmptyBuffers() { socket.dropEmptyBuffers(); }
- @Override public Optional<ConnectionAuthContext> getConnectionAuthContext() {
- return Optional.ofNullable(socket).flatMap(CryptoSocket::getConnectionAuthContext);
- }
+ @Override public ConnectionAuthContext connectionAuthContext() { return socket.connectionAuthContext(); }
}
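Review bot: The new `connectionAuthContext()` dereferences `socket` unconditionally, whereas the removed implementation guarded it with `Optional.ofNullable(socket)`; if `socket` can still be null when a caller asks for the auth context (its assignment is outside this hunk, so I cannot confirm), removing the guard turns a clean empty result into a bare `NullPointerException`. Since the contract is now "throw when unavailable", make that explicit and diagnosable: `if (socket == null) throw new IllegalStateException("No underlying socket yet"); return socket.connectionAuthContext();`.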
diff --git a/jrt/src/com/yahoo/jrt/Method.java b/jrt/src/com/yahoo/jrt/Method.java
index 4fc9f0714da..89c66747e0b 100644
--- a/jrt/src/com/yahoo/jrt/Method.java
+++ b/jrt/src/com/yahoo/jrt/Method.java
@@ -40,6 +40,8 @@ public class Method {
private String[] returnName;
private String[] returnDesc;
+ private RequestAccessFilter filter = RequestAccessFilter.ALLOW_ALL;
+
private static final String undocumented = "???";
@@ -147,6 +149,10 @@ public class Method {
return this;
}
+ public Method requestAccessFilter(RequestAccessFilter filter) { this.filter = filter; return this; }
+
+ public RequestAccessFilter requestAccessFilter() { return filter; }
+
/**
* Obtain the name of a parameter
*
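Review bot: `requestAccessFilter(RequestAccessFilter filter)` stores whatever it is given, so a null argument is only detected later as a `NullPointerException` inside `InvocationServer.invoke()`, on the serving path rather than at registration time. Fail fast in the setter: `this.filter = Objects.requireNonNull(filter, "filter"); return this;` (this needs `java.util.Objects` imported in the file). Both accessors also lack the Javadoc that the neighbouring methods in this class carry; a one-liner such as `/** Sets the access filter consulted before each invocation; defaults to {@link RequestAccessFilter#ALLOW_ALL} */` would suffice.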
diff --git a/jrt/src/com/yahoo/jrt/RequestAccessFilter.java b/jrt/src/com/yahoo/jrt/RequestAccessFilter.java
new file mode 100644
index 00000000000..6701436d6ce
--- /dev/null
+++ b/jrt/src/com/yahoo/jrt/RequestAccessFilter.java
@@ -0,0 +1,17 @@
+// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.jrt;
+
+/**
+ * Request access filter is invoked before any call to {@link Method#invoke(Request)}.
+ * If {@link #allow(Request)} returns false, the method is not invoked, and the request is failed with error
+ * {@link ErrorCode#PERMISSION_DENIED}.
+ *
+ * @author bjorncs
+ */
+public interface RequestAccessFilter {
+
+ RequestAccessFilter ALLOW_ALL = __ -> true;
+
+ boolean allow(Request r);
+
+}
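Review bot: The interface Javadoc covers the `false` case but not what happens when `allow` throws — `InvocationServer.invoke()` in this change calls it with no try/catch in the visible lines, so an exception presumably propagates out of the invocation path rather than becoming a `PERMISSION_DENIED` error. State the expectation for implementors, e.g. `Implementations must not throw; an exception is not translated into a permission error.` The lambda parameter name `__` in `ALLOW_ALL` is legal but opaque; `request -> true` reads better.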
diff --git a/jrt/src/com/yahoo/jrt/RequireCapabilitiesFilter.java b/jrt/src/com/yahoo/jrt/RequireCapabilitiesFilter.java
new file mode 100644
index 00000000000..bb2eafcf711
--- /dev/null
+++ b/jrt/src/com/yahoo/jrt/RequireCapabilitiesFilter.java
@@ -0,0 +1,54 @@
+// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.jrt;
+
+import com.yahoo.security.tls.Capability;
+import com.yahoo.security.tls.CapabilityMode;
+import com.yahoo.security.tls.CapabilitySet;
+import com.yahoo.security.tls.ConnectionAuthContext;
+import com.yahoo.security.tls.TransportSecurityUtils;
+
+import java.util.logging.Logger;
+
+import static com.yahoo.security.tls.CapabilityMode.DISABLE;
+import static com.yahoo.security.tls.CapabilityMode.LOG_ONLY;
+
+/**
+ * @author bjorncs
+ */
+public class RequireCapabilitiesFilter implements RequestAccessFilter {
+
+ private static final Logger log = Logger.getLogger(RequireCapabilitiesFilter.class.getName());
+ private static final CapabilityMode MODE = TransportSecurityUtils.getCapabilityMode();
+
+ private final CapabilitySet requiredCapabilities;
+
+ public RequireCapabilitiesFilter(CapabilitySet requiredCapabilities) {
+ this.requiredCapabilities = requiredCapabilities;
+ }
+
+ public RequireCapabilitiesFilter(Capability... requiredCapabilities) {
+ this(CapabilitySet.from(requiredCapabilities));
+ }
+
+ @Override
+ public boolean allow(Request r) {
+ if (MODE == DISABLE) return true;
+ ConnectionAuthContext ctx = r.target().connectionAuthContext();
+ CapabilitySet peerCapabilities = ctx.capabilities();
+ boolean authorized = peerCapabilities.has(requiredCapabilities);
+ if (!authorized) {
+ String msg = "%sPermission denied for RPC method '%s'. Peer at %s with %s. Call requires %s, but peer has %s"
+ .formatted(MODE == LOG_ONLY ? "Dry-run: " : "", r.methodName(), r.target().peerSpec(), ctx.peerCertificateString().orElseThrow(),
+ requiredCapabilities.toNames(), peerCapabilities.toNames());
+ if (MODE == LOG_ONLY) {
+ log.info(msg);
+ return true;
+ } else {
+ log.warning(msg);
+ return false;
+ }
+ }
+ return true;
+ }
+
+}
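Review bot: In the denial branch, `ctx.peerCertificateString().orElseThrow()` inside the message construction turns an auth context without a peer certificate into a `NoSuchElementException` instead of a `false` return, so the deny decision depends on log formatting succeeding. Use a fallback that cannot throw, e.g. `ctx.peerCertificateString().orElse("<no peer certificate>")`, so the method always reaches `return false` (or the LOG_ONLY `return true`). `MODE` is also read once at class initialisation via `TransportSecurityUtils.getCapabilityMode()`; a class-level Javadoc stating that the mode is fixed for the lifetime of the JVM, and that `DISABLE` bypasses the check entirely, would help operators reason about rollout.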
diff --git a/jrt/src/com/yahoo/jrt/Target.java b/jrt/src/com/yahoo/jrt/Target.java
index 239a71f53b3..0e8c27deac5 100644
--- a/jrt/src/com/yahoo/jrt/Target.java
+++ b/jrt/src/com/yahoo/jrt/Target.java
@@ -1,9 +1,7 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.jrt;
-import com.yahoo.security.tls.authz.ConnectionAuthContext;
-
-import java.util.Optional;
+import com.yahoo.security.tls.ConnectionAuthContext;
/**
* A Target represents a connection endpoint with RPC
@@ -71,9 +69,13 @@ public abstract class Target {
public Exception getConnectionLostReason() { return null; }
/**
- * Returns the connection auth context associated with this target, or empty if no connection or is insecure.
+ * Returns the connection auth context associated with this target.
*/
- public abstract Optional<ConnectionAuthContext> getConnectionAuthContext();
+ public abstract ConnectionAuthContext connectionAuthContext();
+
+
+ /** @return address spec of socket peer */
+ public abstract Spec peerSpec();
/**
* Check if this target represents the client side of a
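Review bot: The rewritten Javadoc for `connectionAuthContext()` drops the former "empty if no connection or insecure" contract without saying what replaces it, while the `TlsCryptoSocket` implementation in this same change throws `IllegalStateException` before the handshake completes. Document the failure mode on the abstract method so filter authors know to expect it: `@throws IllegalStateException if the connection's auth context is not yet available`. The `peerSpec()` Javadoc could likewise say whether it may be called before the connection is established, and the double blank line before it is a stray formatting artefact.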
diff --git a/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java b/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java
index ecd76e1eb17..13274dc3ba5 100644
--- a/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java
+++ b/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java
@@ -1,8 +1,8 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.jrt;
-import com.yahoo.security.tls.authz.ConnectionAuthContext;
-import com.yahoo.security.tls.authz.PeerAuthorizerTrustManager;
+import com.yahoo.security.tls.ConnectionAuthContext;
+import com.yahoo.security.tls.PeerAuthorizerTrustManager;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
@@ -14,7 +14,7 @@ import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.ClosedChannelException;
import java.nio.channels.SocketChannel;
-import java.util.Optional;
+import java.util.Objects;
import java.util.logging.Logger;
import static javax.net.ssl.SSLEngineResult.Status;
@@ -219,9 +219,9 @@ public class TlsCryptoSocket implements CryptoSocket {
}
@Override
- public Optional<ConnectionAuthContext> getConnectionAuthContext() {
- if (handshakeState != HandshakeState.COMPLETED) return Optional.empty();
- return Optional.ofNullable(authContext);
+ public ConnectionAuthContext connectionAuthContext() {
+ if (handshakeState != HandshakeState.COMPLETED) throw new IllegalStateException("Handshake not complete");
+ return Objects.requireNonNull(authContext);
}
private boolean handshakeWrap() throws IOException {
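Review bot: `Objects.requireNonNull(authContext)` on the new return line carries no message, so a null context after a completed handshake — which this class treats as an invariant violation — surfaces as a bare NPE. `Objects.requireNonNull(authContext, "authContext missing after completed handshake")` makes the broken invariant visible in the stack trace.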
diff --git a/jrt/tests/com/yahoo/jrt/CryptoUtils.java b/jrt/tests/com/yahoo/jrt/CryptoUtils.java
index d5ce32ee5ee..cef138ffba1 100644
--- a/jrt/tests/com/yahoo/jrt/CryptoUtils.java
+++ b/jrt/tests/com/yahoo/jrt/CryptoUtils.java
@@ -4,14 +4,14 @@ package com.yahoo.jrt;
import com.yahoo.security.KeyUtils;
import com.yahoo.security.X509CertificateBuilder;
import com.yahoo.security.tls.AuthorizationMode;
+import com.yahoo.security.tls.AuthorizedPeers;
import com.yahoo.security.tls.DefaultTlsContext;
import com.yahoo.security.tls.HostnameVerification;
import com.yahoo.security.tls.PeerAuthentication;
+import com.yahoo.security.tls.PeerPolicy;
+import com.yahoo.security.tls.RequiredPeerCredential;
+import com.yahoo.security.tls.RequiredPeerCredential.Field;
import com.yahoo.security.tls.TlsContext;
-import com.yahoo.security.tls.policy.AuthorizedPeers;
-import com.yahoo.security.tls.policy.PeerPolicy;
-import com.yahoo.security.tls.policy.RequiredPeerCredential;
-import com.yahoo.security.tls.policy.RequiredPeerCredential.Field;
import javax.security.auth.x500.X500Principal;
import java.security.KeyPair;
diff --git a/jrt/tests/com/yahoo/jrt/EchoTest.java b/jrt/tests/com/yahoo/jrt/EchoTest.java
index e6243eaf4da..47c6e806635 100644
--- a/jrt/tests/com/yahoo/jrt/EchoTest.java
+++ b/jrt/tests/com/yahoo/jrt/EchoTest.java
@@ -2,7 +2,7 @@
package com.yahoo.jrt;
-import com.yahoo.security.tls.authz.ConnectionAuthContext;
+import com.yahoo.security.tls.ConnectionAuthContext;
import org.junit.After;
import org.junit.Before;
import org.junit.runner.RunWith;
@@ -16,7 +16,6 @@ import java.util.List;
import static com.yahoo.jrt.CryptoUtils.createTestTlsContext;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;
@RunWith(Parameterized.class)
@@ -147,7 +146,7 @@ public class EchoTest {
for (int i = 0; i < p.size(); i++) {
r.add(p.get(i));
}
- connAuthCtx = req.target().getConnectionAuthContext().orElse(null);
+ connAuthCtx = req.target().connectionAuthContext();
}
@org.junit.Test
@@ -168,8 +167,6 @@ public class EchoTest {
if (connAuthCtxAssertion != null) {
assertNotNull(connAuthCtx);
connAuthCtxAssertion.assertConnectionAuthContext(connAuthCtx);
- } else {
- assertNull(connAuthCtx);
}
}
}
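Review bot: Removing the `else { assertNull(connAuthCtx); }` branch leaves the non-TLS parameterisation with no assertion on `connAuthCtx` at all, so a regression in what `connectionAuthContext()` returns for an insecure connection would go unnoticed here. If the intended behaviour is that such a connection yields a context with all capabilities (which `ConnectionAuthContext.defaultAllCapabilities()` in this change suggests, though the plain-socket implementation is not visible), assert it: `else { assertNotNull(connAuthCtx); assertTrue(connAuthCtx.capabilities().hasAll()); }`.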
diff --git a/jrt/tests/com/yahoo/jrt/InvokeAsyncTest.java b/jrt/tests/com/yahoo/jrt/InvokeAsyncTest.java
index 5e9f426bb17..436b650198e 100644
--- a/jrt/tests/com/yahoo/jrt/InvokeAsyncTest.java
+++ b/jrt/tests/com/yahoo/jrt/InvokeAsyncTest.java
@@ -16,6 +16,7 @@ public class InvokeAsyncTest {
Supervisor client;
Target target;
Test.Barrier barrier;
+ SimpleRequestAccessFilter filter;
@Before
public void setUp() throws ListenFailedException {
@@ -23,11 +24,13 @@ public class InvokeAsyncTest {
client = new Supervisor(new Transport());
acceptor = server.listen(new Spec(0));
target = client.connect(new Spec("localhost", acceptor.port()));
+ filter = new SimpleRequestAccessFilter();
server.addMethod(new Method("concat", "ss", "s", this::rpc_concat)
.methodDesc("Concatenate 2 strings")
.paramDesc(0, "str1", "a string")
.paramDesc(1, "str2", "another string")
- .returnDesc(0, "ret", "str1 followed by str2"));
+ .returnDesc(0, "ret", "str1 followed by str2")
+ .requestAccessFilter(filter));
barrier = new Test.Barrier();
}
@@ -65,4 +68,21 @@ public class InvokeAsyncTest {
assertEquals("abcdef", req.returnValues().get(0).asString());
}
+ @org.junit.Test
+ public void testFilterIsInvoked() {
+ Request req = new Request("concat");
+ req.parameters().add(new StringValue("abc"));
+ req.parameters().add(new StringValue("def"));
+ assertFalse(filter.invoked);
+ Test.Waiter w = new Test.Waiter();
+ target.invokeAsync(req, 10, w);
+ assertFalse(w.isDone());
+ barrier.breakIt();
+ w.waitDone();
+ assertTrue(w.isDone());
+ assertFalse(req.isError());
+ assertEquals("abcdef", req.returnValues().get(0).asString());
+ assertTrue(filter.invoked);
+ }
+
}
diff --git a/jrt/tests/com/yahoo/jrt/InvokeErrorTest.java b/jrt/tests/com/yahoo/jrt/InvokeErrorTest.java
index a9a0b18b5a1..3b58ba2f42e 100644
--- a/jrt/tests/com/yahoo/jrt/InvokeErrorTest.java
+++ b/jrt/tests/com/yahoo/jrt/InvokeErrorTest.java
@@ -6,6 +6,7 @@ import org.junit.After;
import org.junit.Before;
import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
public class InvokeErrorTest {
@@ -16,6 +17,8 @@ public class InvokeErrorTest {
Supervisor client;
Target target;
Test.Barrier barrier;
+ SimpleRequestAccessFilter filter;
+ RpcTestMethod testMethod;
@Before
public void setUp() throws ListenFailedException {
@@ -23,7 +26,9 @@ public class InvokeErrorTest {
client = new Supervisor(new Transport());
acceptor = server.listen(new Spec(0));
target = client.connect(new Spec("localhost", acceptor.port()));
- server.addMethod(new Method("test", "iib", "i", this::rpc_test));
+ filter = new SimpleRequestAccessFilter();
+ testMethod = new RpcTestMethod();
+ server.addMethod(new Method("test", "iib", "i", testMethod).requestAccessFilter(filter));
server.addMethod(new Method("test_barrier", "iib", "i", this::rpc_test_barrier));
barrier = new Test.Barrier();
}
@@ -36,22 +41,8 @@ public class InvokeErrorTest {
server.transport().shutdown().join();
}
- private void rpc_test(Request req) {
- int value = req.parameters().get(0).asInt32();
- int error = req.parameters().get(1).asInt32();
- int extra = req.parameters().get(2).asInt8();
-
- req.returnValues().add(new Int32Value(value));
- if (extra != 0) {
- req.returnValues().add(new Int32Value(value));
- }
- if (error != 0) {
- req.setError(error, "Custom error");
- }
- }
-
private void rpc_test_barrier(Request req) {
- rpc_test(req);
+ testMethod.invoke(req);
barrier.waitFor();
}
@@ -157,4 +148,40 @@ public class InvokeErrorTest {
assertEquals(ErrorCode.CONNECTION, req1.errorCode());
}
+ @org.junit.Test
+ public void testFilterFailsRequest() {
+ Request r = new Request("test");
+ r.parameters().add(new Int32Value(42));
+ r.parameters().add(new Int32Value(0));
+ r.parameters().add(new Int8Value((byte)0));
+ filter.allowed = false;
+ assertFalse(filter.invoked);
+ target.invokeSync(r, timeout);
+ assertTrue(r.isError());
+ assertTrue(filter.invoked);
+ assertFalse(testMethod.invoked);
+ assertEquals(ErrorCode.PERMISSION_DENIED, r.errorCode());
+ assertEquals("Permission denied", r.errorMessage());
+ }
+
+ private static class RpcTestMethod implements MethodHandler {
+ boolean invoked = false;
+
+ @Override public void invoke(Request req) { invoked = true; rpc_test(req); }
+
+ void rpc_test(Request req) {
+ int value = req.parameters().get(0).asInt32();
+ int error = req.parameters().get(1).asInt32();
+ int extra = req.parameters().get(2).asInt8();
+
+ req.returnValues().add(new Int32Value(value));
+ if (extra != 0) {
+ req.returnValues().add(new Int32Value(value));
+ }
+ if (error != 0) {
+ req.setError(error, "Custom error");
+ }
+ }
+ }
+
}
diff --git a/jrt/tests/com/yahoo/jrt/InvokeSyncTest.java b/jrt/tests/com/yahoo/jrt/InvokeSyncTest.java
index ca7d0db129d..ec196bea47c 100644
--- a/jrt/tests/com/yahoo/jrt/InvokeSyncTest.java
+++ b/jrt/tests/com/yahoo/jrt/InvokeSyncTest.java
@@ -12,6 +12,7 @@ import java.io.IOException;
import java.io.PrintStream;
import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
@@ -21,6 +22,7 @@ public class InvokeSyncTest {
Acceptor acceptor;
Supervisor client;
Target target;
+ SimpleRequestAccessFilter filter;
@Before
public void setUp() throws ListenFailedException {
@@ -28,11 +30,13 @@ public class InvokeSyncTest {
client = new Supervisor(new Transport());
acceptor = server.listen(new Spec(0));
target = client.connect(new Spec("localhost", acceptor.port()));
+ filter = new SimpleRequestAccessFilter();
server.addMethod(new Method("concat", "ss", "s", this::rpc_concat)
.methodDesc("Concatenate 2 strings")
.paramDesc(0, "str1", "a string")
.paramDesc(1, "str2", "another string")
- .returnDesc(0, "ret", "str1 followed by str2"));
+ .returnDesc(0, "ret", "str1 followed by str2")
+ .requestAccessFilter(filter));
server.addMethod(new Method("alltypes", "bhilfds", "s", this::rpc_alltypes)
.methodDesc("Method taking all types of params"));
}
@@ -84,4 +88,17 @@ public class InvokeSyncTest {
assertEquals(baos.toString(), "This was alltypes. The string param was: baz\n");
}
+ @org.junit.Test
+ public void testFilterIsInvoked() {
+ Request req = new Request("concat");
+ req.parameters().add(new StringValue("abc"));
+ req.parameters().add(new StringValue("def"));
+ assertFalse(filter.invoked);
+ target.invokeSync(req, 10);
+ assertFalse(req.isError());
+ assertEquals("abcdef", req.returnValues().get(0).asString());
+ assertTrue(filter.invoked);
+ }
+
+
}
diff --git a/jrt/tests/com/yahoo/jrt/SimpleRequestAccessFilter.java b/jrt/tests/com/yahoo/jrt/SimpleRequestAccessFilter.java
new file mode 100644
index 00000000000..38d59720848
--- /dev/null
+++ b/jrt/tests/com/yahoo/jrt/SimpleRequestAccessFilter.java
@@ -0,0 +1,9 @@
+package com.yahoo.jrt;// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+
+/**
+ * @author bjorncs
+ */
+class SimpleRequestAccessFilter implements RequestAccessFilter {
+ volatile boolean invoked = false, allowed = true;
+ @Override public boolean allow(Request r) { invoked = true; return allowed; }
+}
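Review bot: The licence header on the first line is appended to the `package` statement (`package com.yahoo.jrt;// Copyright …`), unlike every other file in this change, which puts the comment on its own first line; move it to line 1 above the package declaration. Marking `invoked` and `allowed` `volatile` is the right call, since the tests presumably read these flags from a thread other than the one that invokes the filter.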
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/AutoReloadingX509KeyManager.java b/security-utils/src/main/java/com/yahoo/security/AutoReloadingX509KeyManager.java
index 259d4b50d3f..243343240cb 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/AutoReloadingX509KeyManager.java
+++ b/security-utils/src/main/java/com/yahoo/security/AutoReloadingX509KeyManager.java
@@ -1,11 +1,5 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls;
-
-import com.yahoo.security.KeyStoreBuilder;
-import com.yahoo.security.KeyStoreType;
-import com.yahoo.security.KeyUtils;
-import com.yahoo.security.X509CertificateUtils;
-import com.yahoo.security.X509CertificateWithKey;
+package com.yahoo.security;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/KeyManagerUtils.java b/security-utils/src/main/java/com/yahoo/security/KeyManagerUtils.java
index c9216d7273c..5611ef5162b 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/KeyManagerUtils.java
+++ b/security-utils/src/main/java/com/yahoo/security/KeyManagerUtils.java
@@ -1,8 +1,5 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls;
-
-import com.yahoo.security.KeyStoreBuilder;
-import com.yahoo.security.KeyStoreType;
+package com.yahoo.security;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/MutableX509KeyManager.java b/security-utils/src/main/java/com/yahoo/security/MutableX509KeyManager.java
index 6d784efc3e8..3ba6c8f2723 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/MutableX509KeyManager.java
+++ b/security-utils/src/main/java/com/yahoo/security/MutableX509KeyManager.java
@@ -1,5 +1,5 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls;
+package com.yahoo.security;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/MutableX509TrustManager.java b/security-utils/src/main/java/com/yahoo/security/MutableX509TrustManager.java
index 6db43ef94a9..afbd0a6fa86 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/MutableX509TrustManager.java
+++ b/security-utils/src/main/java/com/yahoo/security/MutableX509TrustManager.java
@@ -1,5 +1,5 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls;
+package com.yahoo.security;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedTrustManager;
diff --git a/security-utils/src/main/java/com/yahoo/security/Pkcs10CsrBuilder.java b/security-utils/src/main/java/com/yahoo/security/Pkcs10CsrBuilder.java
index 9b999e056e0..d7353711a2a 100644
--- a/security-utils/src/main/java/com/yahoo/security/Pkcs10CsrBuilder.java
+++ b/security-utils/src/main/java/com/yahoo/security/Pkcs10CsrBuilder.java
@@ -21,7 +21,7 @@ import java.security.KeyPair;
import java.util.ArrayList;
import java.util.List;
-import static com.yahoo.security.SubjectAlternativeName.Type.DNS_NAME;
+import static com.yahoo.security.SubjectAlternativeName.Type.DNS;
/**
* @author bjorncs
@@ -49,7 +49,7 @@ public class Pkcs10CsrBuilder {
}
public Pkcs10CsrBuilder addSubjectAlternativeName(String dns) {
- this.subjectAlternativeNames.add(new SubjectAlternativeName(DNS_NAME, dns));
+ this.subjectAlternativeNames.add(new SubjectAlternativeName(DNS, dns));
return this;
}
diff --git a/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java b/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java
index 5c16e4ed70d..d91c47e5eed 100644
--- a/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java
+++ b/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java
@@ -1,10 +1,6 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.security;
-import com.yahoo.security.tls.KeyManagerUtils;
-import com.yahoo.security.tls.TlsContext;
-import com.yahoo.security.tls.TrustManagerUtils;
-
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
@@ -133,7 +129,7 @@ public class SslContextBuilder {
public SSLContext build() {
try {
- SSLContext sslContext = SSLContext.getInstance(TlsContext.SSL_CONTEXT_VERSION);
+ SSLContext sslContext = SSLContext.getInstance("TLS");
X509ExtendedTrustManager trustManager = this.trustManager != null
? this.trustManager
: trustManagerFactory.createTrustManager(trustStoreSupplier.get());
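Review bot: `SSLContext.getInstance("TLS")` replaces `TlsContext.SSL_CONTEXT_VERSION`; with the generic `"TLS"` algorithm the context accepts whatever protocol versions the JDK enables by default, so if the removed constant pinned a specific version this silently widens negotiation unless enabled protocols are restricted elsewhere (the constant's value is not visible in this diff, so I cannot confirm). Either keep a named constant or leave a comment at the call site stating where the version restriction now lives, e.g. `// Generic "TLS" is intentional; enabled protocol versions are constrained in <WHERE-VERSIONS-ARE-SET>`, so the choice is auditable.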
diff --git a/security-utils/src/main/java/com/yahoo/security/SubjectAlternativeName.java b/security-utils/src/main/java/com/yahoo/security/SubjectAlternativeName.java
index 92dd41f7f88..c01de58987c 100644
--- a/security-utils/src/main/java/com/yahoo/security/SubjectAlternativeName.java
+++ b/security-utils/src/main/java/com/yahoo/security/SubjectAlternativeName.java
@@ -99,15 +99,15 @@ public class SubjectAlternativeName {
}
public enum Type {
- OTHER_NAME(0),
- RFC822_NAME(1),
- DNS_NAME(2),
- X400_ADDRESS(3),
- DIRECTORY_NAME(4),
- EDI_PARITY_NAME(5),
- UNIFORM_RESOURCE_IDENTIFIER(6),
- IP_ADDRESS(7),
- REGISTERED_ID(8);
+ OTHER(0),
+ EMAIL(1),
+ DNS(2),
+ X400(3),
+ DIRECTORY(4),
+ EDI_PARITY(5),
+ URI(6),
+ IP(7),
+ REGISTERED(8);
final int tag;
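Review bot: `EDI_PARTY(5)` is what the constant should read; `EDI_PARITY(5)` carries over the misspelling from the old `EDI_PARITY_NAME`, while the GeneralName choice with tag 5 in RFC 5280 is `ediPartyName`. Since every constant in this enum is being renamed anyway, this is the cheapest moment to fix it before the new names spread through callers.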
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TrustAllX509TrustManager.java b/security-utils/src/main/java/com/yahoo/security/TrustAllX509TrustManager.java
index b0303620cf7..89a737b1ef7 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/TrustAllX509TrustManager.java
+++ b/security-utils/src/main/java/com/yahoo/security/TrustAllX509TrustManager.java
@@ -1,5 +1,5 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls;
+package com.yahoo.security;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedTrustManager;
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TrustManagerUtils.java b/security-utils/src/main/java/com/yahoo/security/TrustManagerUtils.java
index 4172e337789..bb852ee89a3 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/TrustManagerUtils.java
+++ b/security-utils/src/main/java/com/yahoo/security/TrustManagerUtils.java
@@ -1,5 +1,5 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls;
+package com.yahoo.security;
import com.yahoo.security.KeyStoreBuilder;
import com.yahoo.security.KeyStoreType;
diff --git a/security-utils/src/main/java/com/yahoo/security/X509CertificateBuilder.java b/security-utils/src/main/java/com/yahoo/security/X509CertificateBuilder.java
index 6ec10a2f803..f59d34ebb10 100644
--- a/security-utils/src/main/java/com/yahoo/security/X509CertificateBuilder.java
+++ b/security-utils/src/main/java/com/yahoo/security/X509CertificateBuilder.java
@@ -28,7 +28,7 @@ import java.util.ArrayList;
import java.util.Date;
import java.util.List;
-import static com.yahoo.security.SubjectAlternativeName.Type.DNS_NAME;
+import static com.yahoo.security.SubjectAlternativeName.Type.DNS;
/**
@@ -116,7 +116,7 @@ public class X509CertificateBuilder {
}
public X509CertificateBuilder addSubjectAlternativeName(String dnsName) {
- this.subjectAlternativeNames.add(new SubjectAlternativeName(DNS_NAME, dnsName));
+ this.subjectAlternativeNames.add(new SubjectAlternativeName(DNS, dnsName));
return this;
}
diff --git a/security-utils/src/main/java/com/yahoo/security/X509CertificateUtils.java b/security-utils/src/main/java/com/yahoo/security/X509CertificateUtils.java
index f9f23ee1eb2..feb3b4df3e0 100644
--- a/security-utils/src/main/java/com/yahoo/security/X509CertificateUtils.java
+++ b/security-utils/src/main/java/com/yahoo/security/X509CertificateUtils.java
@@ -32,10 +32,10 @@ import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
-import java.time.temporal.ChronoUnit;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
+import java.util.Optional;
import java.util.Random;
import static com.yahoo.security.Extension.SUBJECT_ALTERNATIVE_NAMES;
@@ -115,6 +115,12 @@ public class X509CertificateUtils {
return getCommonNames(certificate.getSubjectX500Principal());
}
+ public static Optional<String> getSubjectCommonName(X509Certificate c) {
+ List<String> names = getSubjectCommonNames(c);
+ if (names.isEmpty()) return Optional.empty();
+ return Optional.of(names.get(names.size() - 1));
+ }
+
public static List<String> getIssuerCommonNames(X509Certificate certificate) {
return getCommonNames(certificate.getIssuerX500Principal());
}
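Review bot: `getSubjectCommonName` silently picks the last element when a subject carries several CN attributes, and nothing on the method says so; since the value feeds identity strings (`ConnectionAuthContext.peerCertificateString()` in this change), the selection rule should be explicit. Add Javadoc such as `/** @return the last CN attribute of the subject, or empty if none; intended for display, not for authorization decisions */`, or, if multiple CNs are not expected, consider rejecting them rather than choosing one.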
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/AuthorizedPeers.java b/security-utils/src/main/java/com/yahoo/security/tls/AuthorizedPeers.java
index 5e49a5b341c..9631ab32334 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/policy/AuthorizedPeers.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/AuthorizedPeers.java
@@ -1,5 +1,5 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls.policy;
+package com.yahoo.security.tls;
import java.util.Set;
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/Capability.java b/security-utils/src/main/java/com/yahoo/security/tls/Capability.java
index 09d4de37831..0ae253985a6 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/policy/Capability.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/Capability.java
@@ -1,5 +1,5 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls.policy;
+package com.yahoo.security.tls;
import java.util.Arrays;
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/CapabilityMode.java b/security-utils/src/main/java/com/yahoo/security/tls/CapabilityMode.java
new file mode 100644
index 00000000000..c2fa11ce7f7
--- /dev/null
+++ b/security-utils/src/main/java/com/yahoo/security/tls/CapabilityMode.java
@@ -0,0 +1,26 @@
+// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.security.tls;
+
+import java.util.Arrays;
+
+/**
+ * @author bjorncs
+ */
+public enum CapabilityMode {
+ DISABLE("disable"), LOG_ONLY("log_only"), ENFORCE("enforce");
+
+ private final String configValue;
+
+ CapabilityMode(String configValue) { this.configValue = configValue; }
+
+ public String configValue() { return configValue; }
+
+ /** @return Default value when mode is not explicitly specified */
+ public static CapabilityMode defaultValue() { return DISABLE; }
+
+ public static CapabilityMode fromConfigValue(String configValue) {
+ return Arrays.stream(values())
+ .filter(c -> c.configValue.equals(configValue))
+ .findFirst().orElseThrow(() -> new IllegalArgumentException("Unknown value: " + configValue));
+ }
+}
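Review bot: `defaultValue()` returns `DISABLE`, which means capability checks are off unless the mode is explicitly configured — a fail-open default for an authorization feature that `RequireCapabilitiesFilter` honours with an unconditional `return true`. That may be intentional for rollout, but the Javadoc should say so plainly, e.g. `/** @return mode used when none is configured: DISABLE, i.e. capability checks are not performed */`, and the enum needs a class Javadoc explaining the three modes (`LOG_ONLY` evaluates and logs but never denies). `fromConfigValue` is fine; echoing the unknown value in its exception message helps configuration debugging.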
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/CapabilitySet.java b/security-utils/src/main/java/com/yahoo/security/tls/CapabilitySet.java
index 50de98c621c..ec402719efa 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/policy/CapabilitySet.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/CapabilitySet.java
@@ -1,5 +1,5 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls.policy;
+package com.yahoo.security.tls;
import java.util.Arrays;
import java.util.Collection;
@@ -72,6 +72,9 @@ public class CapabilitySet {
public boolean hasAll() { return this.caps.equals(ALL_CAPABILITIES.caps); }
public boolean hasNone() { return this.caps.equals(NO_CAPABILITIES.caps); }
+ public boolean has(CapabilitySet caps) { return this.caps.containsAll(caps.caps); }
+ public boolean has(Collection<Capability> caps) { return this.caps.containsAll(caps); }
+ public boolean has(Capability... caps) { return this.caps.containsAll(List.of(caps)); }
public SortedSet<String> toNames() {
return caps.stream().map(Capability::asString).collect(Collectors.toCollection(TreeSet::new));
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/ConfigFileBasedTlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/ConfigFileBasedTlsContext.java
index cc664786734..69635b92e74 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/ConfigFileBasedTlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/ConfigFileBasedTlsContext.java
@@ -4,9 +4,10 @@ package com.yahoo.security.tls;
import com.yahoo.security.KeyStoreBuilder;
import com.yahoo.security.KeyStoreType;
import com.yahoo.security.KeyUtils;
+import com.yahoo.security.MutableX509KeyManager;
+import com.yahoo.security.MutableX509TrustManager;
import com.yahoo.security.SslContextBuilder;
import com.yahoo.security.X509CertificateUtils;
-import com.yahoo.security.tls.authz.PeerAuthorizerTrustManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java b/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java
new file mode 100644
index 00000000000..b4e8878fb01
--- /dev/null
+++ b/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java
@@ -0,0 +1,72 @@
+package com.yahoo.security.tls;
+
+import com.yahoo.security.SubjectAlternativeName;
+import com.yahoo.security.X509CertificateUtils;
+
+import java.security.cert.X509Certificate;
+import java.util.List;
+import java.util.Optional;
+import java.util.Set;
+
+import static com.yahoo.security.SubjectAlternativeName.Type.DNS;
+import static com.yahoo.security.SubjectAlternativeName.Type.URI;
+
+/**
+ * @author bjorncs
+ */
+public record ConnectionAuthContext(List<X509Certificate> peerCertificateChain,
+ CapabilitySet capabilities,
+ Set<String> matchedPolicies) {
+
+ private static final ConnectionAuthContext DEFAULT_ALL_CAPABILITIES = new ConnectionAuthContext(List.of());
+
+ public ConnectionAuthContext {
+ peerCertificateChain = List.copyOf(peerCertificateChain);
+ matchedPolicies = Set.copyOf(matchedPolicies);
+ }
+
+ private ConnectionAuthContext(List<X509Certificate> certs) { this(certs, CapabilitySet.all(), Set.of()); }
+
+ public boolean authorized() { return !capabilities.hasNone(); }
+
+ public Optional<X509Certificate> peerCertificate() {
+ return peerCertificateChain.isEmpty() ? Optional.empty() : Optional.of(peerCertificateChain.get(0));
+ }
+
+ public Optional<String> peerCertificateString() {
+ X509Certificate cert = peerCertificate().orElse(null);
+ if (cert == null) return Optional.empty();
+ StringBuilder b = new StringBuilder("[");
+ String cn = X509CertificateUtils.getSubjectCommonName(cert).orElse(null);
+ if (cn != null) {
+ b.append("CN='").append(cn).append("'");
+ }
+ var sans = X509CertificateUtils.getSubjectAlternativeNames(cert);
+ List<String> dnsNames = sans.stream()
+ .filter(s -> s.getType() == DNS)
+ .map(SubjectAlternativeName::getValue)
+ .toList();
+ if (!dnsNames.isEmpty()) {
+ if (cn != null) b.append(", ");
+ b.append("SAN_DNS=").append(dnsNames);
+ }
+ List<String> uris = sans.stream()
+ .filter(s -> s.getType() == URI)
+ .map(SubjectAlternativeName::getValue)
+ .toList();
+ if (!uris.isEmpty()) {
+ if (cn != null || !dnsNames.isEmpty()) b.append(", ");
+ b.append("SAN_URI=").append(uris);
+ }
+ return Optional.of(b.append("]").toString());
+ }
+
+ /** Construct instance with all capabilities */
+ public static ConnectionAuthContext defaultAllCapabilities() { return DEFAULT_ALL_CAPABILITIES; }
+
+ /** Construct instance with all capabilities */
+ public static ConnectionAuthContext defaultAllCapabilities(List<X509Certificate> certs) {
+ return new ConnectionAuthContext(certs);
+ }
+
+}
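Review bot: The compact constructor copies `peerCertificateChain` and `matchedPolicies` (both fail fast on null via `copyOf`) but leaves `capabilities` unchecked, so a null capability set is only caught later in `authorized()` or `RequireCapabilitiesFilter.allow()`; add `Objects.requireNonNull(capabilities, "capabilities");` alongside the copies. `defaultAllCapabilities()` yields a context with no peer certificate yet every capability, and both static factories carry the identical one-line comment, so the class Javadoc should spell out when the all-capabilities instances are legitimate (I assume the insecure-transport and disabled-mode paths, but that is not visible here) so they are not reached for on authenticated paths. The separator bookkeeping in `peerCertificateString()` is correct but would be simpler with a `StringJoiner(", ", "[", "]")`.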
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
index c2ee573dfc6..88e4f409260 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
@@ -2,8 +2,6 @@
package com.yahoo.security.tls;
import com.yahoo.security.SslContextBuilder;
-import com.yahoo.security.tls.authz.PeerAuthorizerTrustManager;
-import com.yahoo.security.tls.policy.AuthorizedPeers;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/GlobPattern.java b/security-utils/src/main/java/com/yahoo/security/tls/GlobPattern.java
index 46a38a77844..c945e48a361 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/policy/GlobPattern.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/GlobPattern.java
@@ -1,5 +1,5 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls.policy;
+package com.yahoo.security.tls;
import java.util.Arrays;
import java.util.Objects;
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/HostGlobPattern.java b/security-utils/src/main/java/com/yahoo/security/tls/HostGlobPattern.java
index cb9ba13cae4..7e2c40182f0 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/policy/HostGlobPattern.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/HostGlobPattern.java
@@ -1,5 +1,5 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls.policy;
+package com.yahoo.security.tls;
import java.util.Objects;
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizer.java b/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizer.java
index a87c578f8c6..5db86fd93bc 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizer.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizer.java
@@ -1,12 +1,8 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls.authz;
+package com.yahoo.security.tls;
import com.yahoo.security.SubjectAlternativeName;
import com.yahoo.security.X509CertificateUtils;
-import com.yahoo.security.tls.policy.AuthorizedPeers;
-import com.yahoo.security.tls.policy.CapabilitySet;
-import com.yahoo.security.tls.policy.PeerPolicy;
-import com.yahoo.security.tls.policy.RequiredPeerCredential;
import java.security.cert.X509Certificate;
import java.util.HashSet;
@@ -15,9 +11,9 @@ import java.util.Optional;
import java.util.Set;
import java.util.logging.Logger;
-import static com.yahoo.security.SubjectAlternativeName.Type.DNS_NAME;
-import static com.yahoo.security.SubjectAlternativeName.Type.IP_ADDRESS;
-import static com.yahoo.security.SubjectAlternativeName.Type.UNIFORM_RESOURCE_IDENTIFIER;
+import static com.yahoo.security.SubjectAlternativeName.Type.DNS;
+import static com.yahoo.security.SubjectAlternativeName.Type.IP;
+import static com.yahoo.security.SubjectAlternativeName.Type.URI;
import static java.util.stream.Collectors.toList;
/**
@@ -39,9 +35,7 @@ public class PeerAuthorizer {
public ConnectionAuthContext authorizePeer(X509Certificate cert) { return authorizePeer(List.of(cert)); }
public ConnectionAuthContext authorizePeer(List<X509Certificate> certChain) {
- if (authorizedPeers.isEmpty()) {
- return new ConnectionAuthContext(certChain, CapabilitySet.all(), Set.of());
- }
+ if (authorizedPeers.isEmpty()) return ConnectionAuthContext.defaultAllCapabilities(certChain);
X509Certificate cert = certChain.get(0);
Set<String> matchedPolicies = new HashSet<>();
Set<CapabilitySet> grantedCapabilities = new HashSet<>();
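Review bot: `certChain.get(0)` on the line after the new early return still assumes a non-empty chain, and the compact constructor of the deleted `authz/ConnectionAuthContext` was the only place that rejected an empty chain; since the replacement's `peerCertificate()` now returns `Optional`, an empty chain appears to be legal, so an empty list combined with a non-empty `authorizedPeers` would surface here as an `IndexOutOfBoundsException` rather than as a policy decision. Consider restoring the explicit check before the lookup, `if (certChain.isEmpty()) throw new IllegalArgumentException("Peer certificate chain is empty");`. The early return also reads as a plain factory call but is the fail-open path (the factory delegates to `CapabilitySet.all()`); a comment such as `// No peer policies configured: every peer is granted all capabilities` would make that visible to the next reader. authorizePeer's body continues outside the hunk.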
@@ -82,7 +76,7 @@ public class PeerAuthorizer {
private static List<String> getSubjectAlternativeNames(X509Certificate peerCertificate) {
return X509CertificateUtils.getSubjectAlternativeNames(peerCertificate).stream()
- .filter(san -> san.getType() == DNS_NAME || san.getType() == IP_ADDRESS || san.getType() == UNIFORM_RESOURCE_IDENTIFIER)
+ .filter(san -> san.getType() == DNS || san.getType() == IP || san.getType() == URI)
.map(SubjectAlternativeName::getValue)
.collect(toList());
}
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java b/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizerTrustManager.java
index 334216a2c19..b92cd6c9538 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizerTrustManager.java
@@ -1,12 +1,8 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls.authz;
+package com.yahoo.security.tls;
+import com.yahoo.security.TrustManagerUtils;
import com.yahoo.security.X509CertificateUtils;
-import com.yahoo.security.tls.AuthorizationMode;
-import com.yahoo.security.tls.HostnameVerification;
-import com.yahoo.security.tls.TrustManagerUtils;
-import com.yahoo.security.tls.policy.AuthorizedPeers;
-import com.yahoo.security.tls.policy.CapabilitySet;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
@@ -18,7 +14,6 @@ import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Optional;
-import java.util.Set;
import java.util.logging.Logger;
/**
@@ -110,7 +105,7 @@ public class PeerAuthorizerTrustManager extends X509ExtendedTrustManager {
log.fine(() -> "Verifying certificate: " + createInfoString(certChain[0], authType, isVerifyingClient));
ConnectionAuthContext result = mode != AuthorizationMode.DISABLE
? authorizer.authorizePeer(List.of(certChain))
- : new ConnectionAuthContext(List.of(certChain), CapabilitySet.all(), Set.of());
+ : ConnectionAuthContext.defaultAllCapabilities(List.of(certChain));
if (sslEngine != null) { // getHandshakeSession() will never return null in this context
sslEngine.getHandshakeSession().putValue(HANDSHAKE_SESSION_AUTH_CONTEXT_PROPERTY, result);
}
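Review bot: The `AuthorizationMode.DISABLE` branch on the changed line now hides that `defaultAllCapabilities` grants every capability (it delegates to `CapabilitySet.all()`) and that this fail-open context is then published into the handshake session for whatever reads `HANDSHAKE_SESSION_AUTH_CONTEXT_PROPERTY`. A comment above the conditional would make the intent explicit, e.g. `// DISABLE: skip policy evaluation; the peer is granted all capabilities and downstream authorization checks pass`. If disabled authorization is not already reported at startup elsewhere, logging it above `fine` in this branch would make the insecure mode observable in operation. The enclosing method continues outside the hunk.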
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/PeerPolicy.java b/security-utils/src/main/java/com/yahoo/security/tls/PeerPolicy.java
index cb39e5e9c3c..ea3d4cfe002 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/policy/PeerPolicy.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/PeerPolicy.java
@@ -1,5 +1,5 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls.policy;
+package com.yahoo.security.tls;
import java.util.List;
import java.util.Optional;
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/RequiredPeerCredential.java b/security-utils/src/main/java/com/yahoo/security/tls/RequiredPeerCredential.java
index 4c96a2935f8..9a18da9dffd 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/policy/RequiredPeerCredential.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/RequiredPeerCredential.java
@@ -1,5 +1,5 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls.policy;
+package com.yahoo.security.tls;
import java.util.Objects;
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptions.java b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptions.java
index a8802b7f0d3..4397f27ebb7 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptions.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptions.java
@@ -1,9 +1,6 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.security.tls;
-import com.yahoo.security.tls.json.TransportSecurityOptionsJsonSerializer;
-import com.yahoo.security.tls.policy.AuthorizedPeers;
-
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsEntity.java b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptionsEntity.java
index b80a7e4f2fb..f1799a64a57 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsEntity.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptionsEntity.java
@@ -1,5 +1,5 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls.json;
+package com.yahoo.security.tls;
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.annotation.JsonInclude;
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializer.java b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptionsJsonSerializer.java
index fcd84056212..0349d4085db 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializer.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptionsJsonSerializer.java
@@ -1,16 +1,11 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls.json;
+package com.yahoo.security.tls;
import com.fasterxml.jackson.databind.ObjectMapper;
-import com.yahoo.security.tls.TransportSecurityOptions;
-import com.yahoo.security.tls.json.TransportSecurityOptionsEntity.AuthorizedPeer;
-import com.yahoo.security.tls.json.TransportSecurityOptionsEntity.CredentialField;
-import com.yahoo.security.tls.json.TransportSecurityOptionsEntity.Files;
-import com.yahoo.security.tls.json.TransportSecurityOptionsEntity.RequiredCredential;
-import com.yahoo.security.tls.policy.AuthorizedPeers;
-import com.yahoo.security.tls.policy.CapabilitySet;
-import com.yahoo.security.tls.policy.PeerPolicy;
-import com.yahoo.security.tls.policy.RequiredPeerCredential;
+import com.yahoo.security.tls.TransportSecurityOptionsEntity.AuthorizedPeer;
+import com.yahoo.security.tls.TransportSecurityOptionsEntity.CredentialField;
+import com.yahoo.security.tls.TransportSecurityOptionsEntity.Files;
+import com.yahoo.security.tls.TransportSecurityOptionsEntity.RequiredCredential;
import java.io.IOException;
import java.io.InputStream;
@@ -29,11 +24,11 @@ import static java.util.stream.Collectors.toSet;
/**
* @author bjorncs
*/
-public class TransportSecurityOptionsJsonSerializer {
+class TransportSecurityOptionsJsonSerializer {
private static final ObjectMapper mapper = new ObjectMapper();
- public TransportSecurityOptions deserialize(InputStream in) {
+ TransportSecurityOptions deserialize(InputStream in) {
try {
TransportSecurityOptionsEntity entity = mapper.readValue(in, TransportSecurityOptionsEntity.class);
return toTransportSecurityOptions(entity);
@@ -42,7 +37,7 @@ public class TransportSecurityOptionsJsonSerializer {
}
}
- public void serialize(OutputStream out, TransportSecurityOptions options) {
+ void serialize(OutputStream out, TransportSecurityOptions options) {
try {
mapper.writerWithDefaultPrettyPrinter().writeValue(out, toTransportSecurityOptionsEntity(options));
} catch (IOException e) {
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java
index cbd3857d2d5..21d97613f95 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java
@@ -18,6 +18,7 @@ public class TransportSecurityUtils {
public static final String CONFIG_FILE_ENVIRONMENT_VARIABLE = "VESPA_TLS_CONFIG_FILE";
public static final String INSECURE_MIXED_MODE_ENVIRONMENT_VARIABLE = "VESPA_TLS_INSECURE_MIXED_MODE";
public static final String INSECURE_AUTHORIZATION_MODE_ENVIRONMENT_VARIABLE = "VESPA_TLS_INSECURE_AUTHORIZATION_MODE";
+ public static final String CAPABILITIES_ENV_VAR = "VESPA_TLS_CAPABILITIES_ENFORCEMENT_MODE";
private TransportSecurityUtils() {}
@@ -49,6 +50,12 @@ public class TransportSecurityUtils {
.orElse(AuthorizationMode.defaultValue());
}
+ public static CapabilityMode getCapabilityMode() {
+ return getEnvironmentVariable(System.getenv(), CAPABILITIES_ENV_VAR)
+ .map(CapabilityMode::fromConfigValue)
+ .orElse(CapabilityMode.defaultValue());
+ }
+
public static Optional<Path> getConfigFile() {
return getConfigFile(System.getenv());
}
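Review bot: `getCapabilityMode()` is added without Javadoc, and its backing constant in the first hunk breaks the naming pattern of its neighbours: the three existing constants end in `_ENVIRONMENT_VARIABLE` while the new one is `CAPABILITIES_ENV_VAR`, which makes the `VESPA_TLS_CAPABILITIES_ENFORCEMENT_MODE` knob harder to find alongside the other TLS overrides. Renaming it to `CAPABILITIES_ENFORCEMENT_MODE_ENVIRONMENT_VARIABLE` would be consistent with the rest of the class. Since this is an environment-driven enforcement switch like the `INSECURE_*` variables above it, the method's Javadoc should state the accepted values, what `CapabilityMode.defaultValue()` resolves to, and how `CapabilityMode.fromConfigValue` treats an unrecognized value (neither is visible here, so worth confirming rather than assuming a failure is rejected loudly).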
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/UriGlobPattern.java b/security-utils/src/main/java/com/yahoo/security/tls/UriGlobPattern.java
index b2cc0688bb9..18d18a5ab3c 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/policy/UriGlobPattern.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/UriGlobPattern.java
@@ -1,5 +1,5 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls.policy;
+package com.yahoo.security.tls;
import java.util.Objects;
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/authz/ConnectionAuthContext.java b/security-utils/src/main/java/com/yahoo/security/tls/authz/ConnectionAuthContext.java
deleted file mode 100644
index 877ba4e74bd..00000000000
--- a/security-utils/src/main/java/com/yahoo/security/tls/authz/ConnectionAuthContext.java
+++ /dev/null
@@ -1,26 +0,0 @@
-package com.yahoo.security.tls.authz;
-
-import com.yahoo.security.tls.policy.CapabilitySet;
-
-import java.security.cert.X509Certificate;
-import java.util.List;
-import java.util.Set;
-
-/**
- * @author bjorncs
- */
-public record ConnectionAuthContext(List<X509Certificate> peerCertificateChain,
- CapabilitySet capabilities,
- Set<String> matchedPolicies) {
-
- public ConnectionAuthContext {
- if (peerCertificateChain.isEmpty()) throw new IllegalArgumentException("Peer certificate chain is empty");
- peerCertificateChain = List.copyOf(peerCertificateChain);
- matchedPolicies = Set.copyOf(matchedPolicies);
- }
-
- public boolean authorized() { return !capabilities.hasNone(); }
-
- public X509Certificate peerCertificate() { return peerCertificateChain.get(0); }
-
-}
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/authz/package-info.java b/security-utils/src/main/java/com/yahoo/security/tls/authz/package-info.java
deleted file mode 100644
index 5066026757d..00000000000
--- a/security-utils/src/main/java/com/yahoo/security/tls/authz/package-info.java
+++ /dev/null
@@ -1,8 +0,0 @@
-// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-/**
- * @author bjorncs
- */
-@ExportPackage
-package com.yahoo.security.tls.authz;
-
-import com.yahoo.osgi.annotation.ExportPackage;
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/https/package-info.java b/security-utils/src/main/java/com/yahoo/security/tls/https/package-info.java
deleted file mode 100644
index 91a1672e19f..00000000000
--- a/security-utils/src/main/java/com/yahoo/security/tls/https/package-info.java
+++ /dev/null
@@ -1,8 +0,0 @@
-// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-/**
- * @author bjorncs
- */
-@ExportPackage
-package com.yahoo.security.tls.https;
-
-import com.yahoo.osgi.annotation.ExportPackage; \ No newline at end of file
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/json/package-info.java b/security-utils/src/main/java/com/yahoo/security/tls/json/package-info.java
deleted file mode 100644
index be7ec33bf04..00000000000
--- a/security-utils/src/main/java/com/yahoo/security/tls/json/package-info.java
+++ /dev/null
@@ -1,8 +0,0 @@
-// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-/**
- * @author bjorncs
- */
-@ExportPackage
-package com.yahoo.security.tls.json;
-
-import com.yahoo.osgi.annotation.ExportPackage; \ No newline at end of file
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/package-info.java b/security-utils/src/main/java/com/yahoo/security/tls/policy/package-info.java
deleted file mode 100644
index 61ce90654f8..00000000000
--- a/security-utils/src/main/java/com/yahoo/security/tls/policy/package-info.java
+++ /dev/null
@@ -1,8 +0,0 @@
-// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-/**
- * @author bjorncs
- */
-@ExportPackage
-package com.yahoo.security.tls.policy;
-
-import com.yahoo.osgi.annotation.ExportPackage; \ No newline at end of file
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/AutoReloadingX509KeyManagerTest.java b/security-utils/src/test/java/com/yahoo/security/AutoReloadingX509KeyManagerTest.java
index f5bc2a9c84e..5bde63598c0 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/AutoReloadingX509KeyManagerTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/AutoReloadingX509KeyManagerTest.java
@@ -1,6 +1,7 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls;
+package com.yahoo.security;
+import com.yahoo.security.AutoReloadingX509KeyManager;
import com.yahoo.security.KeyAlgorithm;
import com.yahoo.security.KeyUtils;
import com.yahoo.security.SignatureAlgorithm;
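Review bot: The added `import com.yahoo.security.AutoReloadingX509KeyManager;` directly after the new package declaration imports a class from the test's own package (`com.yahoo.security`) and is redundant; the same applies to the new `MutableX509KeyManager` import in MutableX509KeyManagerTest and to the `PeerPolicy`/`RequiredPeerCredential` imports added in AuthorizedPeersTest, whose package was likewise moved to `com.yahoo.security.tls`. The pre-existing `com.yahoo.security.*` imports kept in these two key-manager tests became redundant by the same package move. Dropping them would match MutableX509TrustManagerTest, where the commit already removes the now-same-package imports.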
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/MutableX509KeyManagerTest.java b/security-utils/src/test/java/com/yahoo/security/MutableX509KeyManagerTest.java
index 3f45d22d8ed..871b0937f18 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/MutableX509KeyManagerTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/MutableX509KeyManagerTest.java
@@ -1,10 +1,11 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls;
+package com.yahoo.security;
import com.yahoo.security.KeyAlgorithm;
import com.yahoo.security.KeyStoreBuilder;
import com.yahoo.security.KeyStoreType;
import com.yahoo.security.KeyUtils;
+import com.yahoo.security.MutableX509KeyManager;
import com.yahoo.security.SignatureAlgorithm;
import com.yahoo.security.X509CertificateBuilder;
import org.junit.Test;
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/MutableX509TrustManagerTest.java b/security-utils/src/test/java/com/yahoo/security/MutableX509TrustManagerTest.java
index 1d04ed86322..489aa7eb4da 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/MutableX509TrustManagerTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/MutableX509TrustManagerTest.java
@@ -1,12 +1,6 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls;
-
-import com.yahoo.security.KeyAlgorithm;
-import com.yahoo.security.KeyStoreBuilder;
-import com.yahoo.security.KeyStoreType;
-import com.yahoo.security.KeyUtils;
-import com.yahoo.security.SignatureAlgorithm;
-import com.yahoo.security.X509CertificateBuilder;
+package com.yahoo.security;
+
import org.junit.Test;
import javax.security.auth.x500.X500Principal;
diff --git a/security-utils/src/test/java/com/yahoo/security/Pkcs10CsrTest.java b/security-utils/src/test/java/com/yahoo/security/Pkcs10CsrTest.java
index 6dd5eb52373..d03c52027bf 100644
--- a/security-utils/src/test/java/com/yahoo/security/Pkcs10CsrTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/Pkcs10CsrTest.java
@@ -8,7 +8,7 @@ import java.security.KeyPair;
import java.util.Arrays;
import java.util.List;
-import static com.yahoo.security.SubjectAlternativeName.Type.DNS_NAME;
+import static com.yahoo.security.SubjectAlternativeName.Type.DNS;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
@@ -21,8 +21,8 @@ public class Pkcs10CsrTest {
public void can_read_subject_alternative_names() {
X500Principal subject = new X500Principal("CN=subject");
KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);
- SubjectAlternativeName san1 = new SubjectAlternativeName(DNS_NAME, "san1.com");
- SubjectAlternativeName san2 = new SubjectAlternativeName(DNS_NAME, "san2.com");
+ SubjectAlternativeName san1 = new SubjectAlternativeName(DNS, "san1.com");
+ SubjectAlternativeName san2 = new SubjectAlternativeName(DNS, "san2.com");
Pkcs10Csr csr = Pkcs10CsrBuilder.fromKeypair(subject, keypair, SignatureAlgorithm.SHA512_WITH_ECDSA)
.addSubjectAlternativeName(san1)
.addSubjectAlternativeName(san2)
diff --git a/security-utils/src/test/java/com/yahoo/security/X509CertificateUtilsTest.java b/security-utils/src/test/java/com/yahoo/security/X509CertificateUtilsTest.java
index b2e800542b8..6bb87554de3 100644
--- a/security-utils/src/test/java/com/yahoo/security/X509CertificateUtilsTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/X509CertificateUtilsTest.java
@@ -12,7 +12,7 @@ import java.time.temporal.ChronoUnit;
import java.util.Arrays;
import java.util.List;
-import static com.yahoo.security.SubjectAlternativeName.Type.DNS_NAME;
+import static com.yahoo.security.SubjectAlternativeName.Type.DNS;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
@@ -54,7 +54,7 @@ public class X509CertificateUtilsTest {
public void can_list_subject_alternative_names() {
KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);
X500Principal subject = new X500Principal("CN=myservice");
- SubjectAlternativeName san = new SubjectAlternativeName(DNS_NAME, "dns-san");
+ SubjectAlternativeName san = new SubjectAlternativeName(DNS, "dns-san");
X509Certificate cert = X509CertificateBuilder
.fromKeypair(
keypair,
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/policy/AuthorizedPeersTest.java b/security-utils/src/test/java/com/yahoo/security/tls/AuthorizedPeersTest.java
index 3ad826d3996..e4c530dbb0b 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/policy/AuthorizedPeersTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/AuthorizedPeersTest.java
@@ -1,11 +1,13 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls.policy;
+package com.yahoo.security.tls;
+import com.yahoo.security.tls.PeerPolicy;
+import com.yahoo.security.tls.RequiredPeerCredential;
import org.junit.Test;
import java.util.HashSet;
-import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.CN;
+import static com.yahoo.security.tls.RequiredPeerCredential.Field.CN;
import static java.util.Arrays.asList;
import static java.util.Collections.singletonList;
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/policy/CapabilitySetTest.java b/security-utils/src/test/java/com/yahoo/security/tls/CapabilitySetTest.java
index 429e5b24513..87b16dbff1f 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/policy/CapabilitySetTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/CapabilitySetTest.java
@@ -1,5 +1,5 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls.policy;
+package com.yahoo.security.tls;
import org.junit.jupiter.api.Test;
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java b/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java
index 358929606cd..b6c40a0c2e1 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java
@@ -3,9 +3,6 @@ package com.yahoo.security.tls;
import com.yahoo.security.KeyUtils;
import com.yahoo.security.X509CertificateBuilder;
-import com.yahoo.security.tls.policy.AuthorizedPeers;
-import com.yahoo.security.tls.policy.PeerPolicy;
-import com.yahoo.security.tls.policy.RequiredPeerCredential;
import org.junit.Test;
import javax.net.ssl.SSLEngine;
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/policy/GlobPatternTest.java b/security-utils/src/test/java/com/yahoo/security/tls/GlobPatternTest.java
index 4350aa2b0a9..a93bffe6961 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/policy/GlobPatternTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/GlobPatternTest.java
@@ -1,5 +1,5 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls.policy;
+package com.yahoo.security.tls;
import org.junit.jupiter.api.Test;
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/policy/HostGlobPatternTest.java b/security-utils/src/test/java/com/yahoo/security/tls/HostGlobPatternTest.java
index a42eaaf74b0..a5628a637f8 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/policy/HostGlobPatternTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/HostGlobPatternTest.java
@@ -1,5 +1,5 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls.policy;
+package com.yahoo.security.tls;
import org.junit.Test;
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/authz/PeerAuthorizerTest.java b/security-utils/src/test/java/com/yahoo/security/tls/PeerAuthorizerTest.java
index 3791aed4155..94b0dc4f83e 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/authz/PeerAuthorizerTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/PeerAuthorizerTest.java
@@ -1,16 +1,11 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls.authz;
+package com.yahoo.security.tls;
import com.yahoo.security.KeyAlgorithm;
import com.yahoo.security.KeyUtils;
import com.yahoo.security.SubjectAlternativeName.Type;
import com.yahoo.security.X509CertificateBuilder;
-import com.yahoo.security.tls.policy.AuthorizedPeers;
-import com.yahoo.security.tls.policy.Capability;
-import com.yahoo.security.tls.policy.CapabilitySet;
-import com.yahoo.security.tls.policy.PeerPolicy;
-import com.yahoo.security.tls.policy.RequiredPeerCredential;
-import com.yahoo.security.tls.policy.RequiredPeerCredential.Field;
+import com.yahoo.security.tls.RequiredPeerCredential.Field;
import org.junit.Test;
import javax.security.auth.x500.X500Principal;
@@ -25,9 +20,9 @@ import java.util.Optional;
import java.util.Set;
import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_ECDSA;
-import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.CN;
-import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.SAN_DNS;
-import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.SAN_URI;
+import static com.yahoo.security.tls.RequiredPeerCredential.Field.CN;
+import static com.yahoo.security.tls.RequiredPeerCredential.Field.SAN_DNS;
+import static com.yahoo.security.tls.RequiredPeerCredential.Field.SAN_URI;
import static java.util.Arrays.asList;
import static java.util.Collections.emptyList;
import static java.util.Collections.singletonList;
@@ -136,8 +131,8 @@ public class PeerAuthorizerTest {
Instant.EPOCH.plus(100000, ChronoUnit.DAYS),
SHA256_WITH_ECDSA,
BigInteger.ONE);
- sanDns.forEach(san -> builder.addSubjectAlternativeName(Type.DNS_NAME, san));
- sanUri.forEach(san -> builder.addSubjectAlternativeName(Type.UNIFORM_RESOURCE_IDENTIFIER, san));
+ sanDns.forEach(san -> builder.addSubjectAlternativeName(Type.DNS, san));
+ sanUri.forEach(san -> builder.addSubjectAlternativeName(Type.URI, san));
return builder.build();
}
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializerTest.java b/security-utils/src/test/java/com/yahoo/security/tls/TransportSecurityOptionsJsonSerializerTest.java
index 852d6ae94c9..476ab689903 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializerTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/TransportSecurityOptionsJsonSerializerTest.java
@@ -1,12 +1,6 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls.json;
+package com.yahoo.security.tls;
-import com.yahoo.security.tls.TransportSecurityOptions;
-import com.yahoo.security.tls.policy.AuthorizedPeers;
-import com.yahoo.security.tls.policy.Capability;
-import com.yahoo.security.tls.policy.CapabilitySet;
-import com.yahoo.security.tls.policy.PeerPolicy;
-import com.yahoo.security.tls.policy.RequiredPeerCredential;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.TemporaryFolder;
@@ -24,9 +18,9 @@ import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Optional;
-import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.CN;
-import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.SAN_DNS;
-import static com.yahoo.security.tls.policy.RequiredPeerCredential.Field.SAN_URI;
+import static com.yahoo.security.tls.RequiredPeerCredential.Field.CN;
+import static com.yahoo.security.tls.RequiredPeerCredential.Field.SAN_DNS;
+import static com.yahoo.security.tls.RequiredPeerCredential.Field.SAN_URI;
import static com.yahoo.test.json.JsonTestHelper.assertJsonEquals;
import static org.junit.Assert.assertEquals;
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/policy/UriGlobPatternTest.java b/security-utils/src/test/java/com/yahoo/security/tls/UriGlobPatternTest.java
index c60c782da14..4d89d71cf85 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/policy/UriGlobPatternTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/UriGlobPatternTest.java
@@ -1,5 +1,5 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.security.tls.policy;
+package com.yahoo.security.tls;
import org.junit.jupiter.api.Test;
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/utils/RoleCsrGenerator.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/utils/RoleCsrGenerator.java
index 92be935d293..5b129de412d 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/utils/RoleCsrGenerator.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/utils/RoleCsrGenerator.java
@@ -29,10 +29,10 @@ public class RoleCsrGenerator {
public Pkcs10Csr generateCsr(AthenzIdentity identity, AthenzRole role, KeyPair keyPair) {
return Pkcs10CsrBuilder.fromKeypair(new X500Principal("CN=" + role.toResourceNameString()), keyPair, SHA256_WITH_RSA)
.addSubjectAlternativeName(
- Type.DNS_NAME,
+ Type.DNS,
String.format("%s.%s.%s", identity.getName(), identity.getDomainName().replace(".", "-"), dnsSuffix))
.addSubjectAlternativeName(
- Type.RFC822_NAME,
+ Type.EMAIL,
String.format("%s@%s", identity.getFullName(), dnsSuffix))
.build();
}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java
index e76384d4d8b..a032b23bfb3 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java
@@ -5,7 +5,7 @@ import com.yahoo.component.annotation.Inject;
import com.yahoo.component.AbstractComponent;
import com.yahoo.security.SslContextBuilder;
import com.yahoo.security.X509CertificateWithKey;
-import com.yahoo.security.tls.AutoReloadingX509KeyManager;
+import com.yahoo.security.AutoReloadingX509KeyManager;
import com.yahoo.vespa.athenz.api.AthenzIdentity;
import com.yahoo.vespa.athenz.api.AthenzService;
import com.yahoo.vespa.athenz.utils.SiaUtils;
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
index c92f7259e77..52ce860bfce 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
@@ -14,7 +14,7 @@ import com.yahoo.security.KeyStoreBuilder;
import com.yahoo.security.Pkcs10Csr;
import com.yahoo.security.SslContextBuilder;
import com.yahoo.security.X509CertificateWithKey;
-import com.yahoo.security.tls.MutableX509KeyManager;
+import com.yahoo.security.MutableX509KeyManager;
import com.yahoo.vespa.athenz.api.AthenzAccessToken;
import com.yahoo.vespa.athenz.api.AthenzDomain;
import com.yahoo.vespa.athenz.api.AthenzRole;
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java
index 518f77ae79c..21ce30fd244 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java
@@ -13,9 +13,9 @@ import java.security.KeyPair;
import java.util.Set;
import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_RSA;
-import static com.yahoo.security.SubjectAlternativeName.Type.DNS_NAME;
-import static com.yahoo.security.SubjectAlternativeName.Type.IP_ADDRESS;
-import static com.yahoo.security.SubjectAlternativeName.Type.RFC822_NAME;
+import static com.yahoo.security.SubjectAlternativeName.Type.DNS;
+import static com.yahoo.security.SubjectAlternativeName.Type.IP;
+import static com.yahoo.security.SubjectAlternativeName.Type.EMAIL;
/**
* Generates a {@link Pkcs10Csr} for an instance.
@@ -41,14 +41,14 @@ public class CsrGenerator {
// and SAN dnsname <provider-unique-instance-id>.instanceid.athenz.<provider-dnsname-suffix>
Pkcs10CsrBuilder pkcs10CsrBuilder = Pkcs10CsrBuilder.fromKeypair(subject, keyPair, SHA256_WITH_RSA)
.addSubjectAlternativeName(
- DNS_NAME,
+ DNS,
String.format(
"%s.%s.%s",
instanceIdentity.getName(),
instanceIdentity.getDomainName().replace(".", "-"),
dnsSuffix))
- .addSubjectAlternativeName(DNS_NAME, getIdentitySAN(instanceId));
- ipAddresses.forEach(ip -> pkcs10CsrBuilder.addSubjectAlternativeName(new SubjectAlternativeName(IP_ADDRESS, ip)));
+ .addSubjectAlternativeName(DNS, getIdentitySAN(instanceId));
+ ipAddresses.forEach(ip -> pkcs10CsrBuilder.addSubjectAlternativeName(new SubjectAlternativeName(IP, ip)));
return pkcs10CsrBuilder.build();
}
@@ -58,8 +58,8 @@ public class CsrGenerator {
KeyPair keyPair) {
X500Principal principal = new X500Principal(String.format("OU=%s, cn=%s:role.%s", providerService, role.domain().getName(), role.roleName()));
return Pkcs10CsrBuilder.fromKeypair(principal, keyPair, SHA256_WITH_RSA)
- .addSubjectAlternativeName(DNS_NAME, getIdentitySAN(instanceId))
- .addSubjectAlternativeName(RFC822_NAME, String.format("%s.%s@%s", identity.getDomainName(), identity.getName(), dnsSuffix))
+ .addSubjectAlternativeName(DNS, getIdentitySAN(instanceId))
+ .addSubjectAlternativeName(EMAIL, String.format("%s.%s@%s", identity.getDomainName(), identity.getName(), dnsSuffix))
.build();
}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java
index bb62dc51603..7542e976260 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java
@@ -12,9 +12,7 @@ import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Optional;
-import static com.yahoo.security.SubjectAlternativeName.Type.DNS_NAME;
-import static com.yahoo.security.SubjectAlternativeName.Type.RFC822_NAME;
-import static com.yahoo.security.SubjectAlternativeName.Type.UNIFORM_RESOURCE_IDENTIFIER;
+import static com.yahoo.security.SubjectAlternativeName.Type;
/**
* Utility methods for Athenz issued x509 certificates
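Review bot: The replacement import `import static com.yahoo.security.SubjectAlternativeName.Type;` relies on single-static-import of a nested type, which compiles but is unusual enough that readers will double-check it; the conventional form for a member type is `import com.yahoo.security.SubjectAlternativeName.Type;`. Since every use site below is written as `Type.EMAIL`, `Type.URI`, `Type.DNS`, the plain type import expresses the intent directly. Either form resolves the same names, so this is a readability point only.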
@@ -34,7 +32,7 @@ public class AthenzX509CertificateUtils {
private static Optional<AthenzIdentity> getRoleIdentityFromEmail(List<SubjectAlternativeName> sans) {
return sans.stream()
- .filter(san -> san.getType() == RFC822_NAME)
+ .filter(san -> san.getType() == Type.EMAIL)
.map(com.yahoo.security.SubjectAlternativeName::getValue)
.map(AthenzX509CertificateUtils::getIdentityFromSanEmail)
.findFirst();
@@ -43,7 +41,7 @@ public class AthenzX509CertificateUtils {
private static Optional<AthenzIdentity> getRoleIdentityFromUri(List<SubjectAlternativeName> sans) {
String uriPrefix = "athenz://principal/";
return sans.stream()
- .filter(s -> s.getType() == UNIFORM_RESOURCE_IDENTIFIER && s.getValue().startsWith(uriPrefix))
+ .filter(s -> s.getType() == Type.URI && s.getValue().startsWith(uriPrefix))
.map(san -> {
String uriPath = URI.create(san.getValue()).getPath();
return AthenzIdentities.from(uriPath.substring(uriPrefix.length()));
@@ -78,7 +76,7 @@ public class AthenzX509CertificateUtils {
String uriPrefix = "athenz://instanceid/";
return sans.stream()
.filter(san -> {
- if (san.getType() != UNIFORM_RESOURCE_IDENTIFIER) return false;
+ if (san.getType() != Type.URI) return false;
return san.getValue().startsWith(uriPrefix);
})
.map(san -> {
@@ -92,7 +90,7 @@ public class AthenzX509CertificateUtils {
String dnsNameDelimiter = ".instanceid.athenz.";
return sans.stream()
.filter(san -> {
- if (san.getType() != DNS_NAME) return false;
+ if (san.getType() != Type.DNS) return false;
return san.getValue().contains(dnsNameDelimiter);
})
.map(san -> {
diff --git a/zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ConfiguratorTest.java b/zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ConfiguratorTest.java
index d2361853436..6dcdc76a593 100644
--- a/zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ConfiguratorTest.java
+++ b/zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ConfiguratorTest.java
@@ -5,12 +5,12 @@ import com.yahoo.cloud.config.ZookeeperServerConfig;
import com.yahoo.security.KeyUtils;
import com.yahoo.security.X509CertificateBuilder;
import com.yahoo.security.tls.AuthorizationMode;
+import com.yahoo.security.tls.AuthorizedPeers;
import com.yahoo.security.tls.DefaultTlsContext;
import com.yahoo.security.tls.HostnameVerification;
import com.yahoo.security.tls.MixedMode;
import com.yahoo.security.tls.PeerAuthentication;
import com.yahoo.security.tls.TlsContext;
-import com.yahoo.security.tls.policy.AuthorizedPeers;
import com.yahoo.yolean.Exceptions;
import org.junit.Before;
import org.junit.Rule;