author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-01-04 15:26:01 +0100 |
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-01-04 15:26:01 +0100 |
commit | 86b5cffd4ce022d42fb65ebf14546e6f1f360f49 (patch) | |
tree | a48c79fe10bf35b776b340bbd0ff00554d8b7ef5 /controller-api | |
parent | 15b47111e575f4cfa97309a8a12e6406b3428fee (diff) |
Revert "Implement Apache Http verifier interface in AthenzIdentityVerifier"
This reverts commit 615232d1cd53b20c7e91a2d445c4cd162c11e54b.
Diffstat (limited to 'controller-api')
-rw-r--r-- | controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityVerifier.java | 36 |
1 files changed, 4 insertions, 32 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityVerifier.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityVerifier.java
index 527efaab946..bfaa6c2acda 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityVerifier.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityVerifier.java
@@ -1,26 +1,21 @@
 // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.hosted.controller.api.integration.athenz;
-import org.apache.http.conn.ssl.X509HostnameVerifier;
-
 import javax.net.ssl.HostnameVerifier;
-import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSession;
-import javax.net.ssl.SSLSocket;
 import java.security.cert.X509Certificate;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 /**
- * A {@link HostnameVerifier} / {@link X509HostnameVerifier} that validates
- * Athenz x509 certificates using the identity in the Common Name attribute.
+ * A {@link HostnameVerifier} that validates Athenz x509 certificates using the identity in the Common Name attribute.
  *
  * @author bjorncs
  */
 // TODO Move to dedicated Athenz bundle
-public class AthenzIdentityVerifier implements X509HostnameVerifier {
+public class AthenzIdentityVerifier implements HostnameVerifier {
     private static final Logger log = Logger.getLogger(AthenzIdentityVerifier.class.getName());
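Review bot: The rewritten class Javadoc states what the verifier checks but not what it deliberately ignores: in the second hunk `hostname` is used only in the warning log, and the decision is made purely on the Athenz identity derived from the certificate's Common Name, so a caller installing this as a HostnameVerifier gets identity authorisation rather than hostname matching. Suggest adding to the Javadoc: ` * The {@code hostname} argument is not compared with the certificate; only the Athenz identity derived from the CN is checked against the configured set of allowed identities.` The `allowedIdentities` field and the constructor that populates it lie between the two hunks and are not visible here.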
@@ -34,36 +29,13 @@ public class AthenzIdentityVerifier implements X509HostnameVerifier {
     public boolean verify(String hostname, SSLSession session) {
         try {
             X509Certificate cert = (X509Certificate) session.getPeerCertificates()[0];
-            return isTrusted(AthenzUtils.createAthenzIdentity(cert));
+            AthenzIdentity certificateIdentity = AthenzUtils.createAthenzIdentity(cert);
+            return allowedIdentities.contains(certificateIdentity);
         } catch (SSLPeerUnverifiedException e) {
             log.log(Level.WARNING, "Unverified client: " + hostname);
             return false;
         }
     }
-    @Override
-    public void verify(String host, SSLSocket ssl) {
-        // all sockets allowed
-    }
-
-    @Override
-    public void verify(String hostname, X509Certificate certificate) throws SSLException {
-        AthenzIdentity identity = AthenzUtils.createAthenzIdentity(certificate);
-        if (!isTrusted(identity)) {
-            throw new SSLException("Athenz identity is not trusted: " + identity.getFullName());
-        }
-    }
-
-    @Override
-    public void verify(String hostname, String[] cns, String[] subjectAlts) throws SSLException {
-        AthenzIdentity identity = AthenzUtils.createAthenzIdentity(cns[0]);
-        if (!isTrusted(identity)) {
-            throw new SSLException("Athenz identity is not trusted: " + identity.getFullName());
-        }
-    }
-
-    private boolean isTrusted(AthenzIdentity identity) {
-        return allowedIdentities.contains(identity);
-    }
 } |
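Review bot: The try block in `verify` catches only `SSLPeerUnverifiedException`, so anything thrown by `AthenzUtils.createAthenzIdentity(cert)` for a peer certificate whose subject is not in the expected Athenz form — or an `ArrayIndexOutOfBoundsException` should `getPeerCertificates()` ever yield an empty chain — escapes from a method whose callers expect a true/false answer. Whether createAthenzIdentity can throw is not visible in this hunk; if it can, catching that type alongside and returning false with a warning keeps the failure mode at "reject", and the method's `@throws` behaviour should be documented either way. A rejected identity (the `contains` test returning false) currently produces no log line, unlike the unverified-peer branch, so denied connections are invisible to operators; a line such as `if (!allowed) log.log(Level.INFO, "Rejected client " + hostname + " with identity " + certificateIdentity.getFullName());` before returning would close that gap. The class body continues outside the hunk: the `allowedIdentities` field and the constructor precede the visible lines.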