Setup ssl context in Athenz identity provider

author: Morten Tokle <mortent@oath.com> 2017-12-18 15:23:38 +0100
committer: Morten Tokle <mortent@oath.com> 2017-12-18 15:39:41 +0100
commit: 8301dd3b810c42f0bd8bf9e170180c7d7afadfce (patch)
tree: 4c1b0eeef93825da72518fb8943d3970974c1d06 /container-disc/src
parent: 5b94a6b3da9aaf080e60b38689c02113de1acb43 (diff)
2 files changed, 63 insertions, 0 deletions
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/AthenzIdentityProvider.java b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/AthenzIdentityProvider.java
index 033b396bc9b..c4c57f4bc47 100644
--- a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/AthenzIdentityProvider.java
+++ b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/AthenzIdentityProvider.java
@@ -1,6 +1,8 @@
 // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.container.jdisc.athenz;
 
+import javax.net.ssl.SSLContext;
+
 /**
  * @author mortent
  */
@@ -8,4 +10,5 @@ public interface AthenzIdentityProvider {
     String getNToken() throws AthenzIdentityProviderException;
     String getDomain();
     String getService();
+    SSLContext getSslContext();
 }
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/AthenzIdentityProviderImpl.java b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/AthenzIdentityProviderImpl.java
index 356780a0900..3d6b32744c6 100644
--- a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/AthenzIdentityProviderImpl.java
+++ b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/AthenzIdentityProviderImpl.java
@@ -8,6 +8,20 @@ import com.yahoo.container.jdisc.athenz.AthenzIdentityProvider;
 import com.yahoo.container.jdisc.athenz.AthenzIdentityProviderException;
 import com.yahoo.log.LogLevel;
 
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.security.KeyManagementException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
 import java.time.Clock;
 import java.time.Duration;
 import java.time.Instant;
@@ -106,6 +120,52 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
     }
 
     @Override
+    public SSLContext getSslContext() {
+        try {
+            SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
+            sslContext.init(createKeyManagersWithServiceCertificate(),
+                        createTrustManagersWithAthenzCa(),
+                        null);
+            return sslContext;
+        } catch (NoSuchAlgorithmException | KeyManagementException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    private KeyManager[] createKeyManagersWithServiceCertificate() {
+        try {
+            credentialsRetrievedSignal.await();
+            KeyStore keyStore = KeyStore.getInstance("JKS");
+            keyStore.load(null);
+            keyStore.setKeyEntry("instance-key",
+                                 credentials.get().getKeyPair().getPrivate(),
+                                 new char[0],
+                                 new Certificate[]{credentials.get().getCertificate()});
+            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+            keyManagerFactory.init(keyStore, new char[0]);
+            return keyManagerFactory.getKeyManagers();
+        } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException | IOException e) {
+            throw new RuntimeException(e);
+        } catch (InterruptedException e) {
+            throw new AthenzIdentityProviderException("Failed to register instance credentials", lastThrowable.get());
+        }
+    }
+
+    private static TrustManager[] createTrustManagersWithAthenzCa() {
+        try {
+            KeyStore trustStore = KeyStore.getInstance("JKS");
+            try (FileInputStream in = new FileInputStream("/home/y/share/ssl/certs/yahoo_certificate_bundle.jks")) {
+                trustStore.load(in, null);
+            }
+            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+            trustManagerFactory.init(trustStore);
+            return trustManagerFactory.getTrustManagers();
+        } catch (CertificateException | IOException | KeyStoreException | NoSuchAlgorithmException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    @Override
     public void deconstruct() {
         scheduler.shutdown(AWAIT_TERMINTATION_TIMEOUT);
     }
author	Morten Tokle <mortent@oath.com>	2017-12-18 15:23:38 +0100
committer	Morten Tokle <mortent@oath.com>	2017-12-18 15:39:41 +0100
commit	8301dd3b810c42f0bd8bf9e170180c7d7afadfce (patch)
tree	4c1b0eeef93825da72518fb8943d3970974c1d06 /container-disc/src
parent	5b94a6b3da9aaf080e60b38689c02113de1acb43 (diff)