diff options
| author | Bjørn Christian Seime <bjorncs@oath.com> | 2017-12-19 13:29:06 +0100 |
|---|---|---|
| committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-01-03 13:50:08 +0100 |
| commit | 615232d1cd53b20c7e91a2d445c4cd162c11e54b (patch) | |
| tree | ec97afeff982890afac20efeb29b51b2fb253b5e /controller-api | |
| parent | e14db24752753b083edbc1897f029ddb7213d748 (diff) | |
Implement Apache Http verifier interface in AthenzIdentityVerifier
Diffstat (limited to 'controller-api')
| -rw-r--r-- | controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityVerifier.java | 36 |
1 files changed, 32 insertions, 4 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityVerifier.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityVerifier.java index bfaa6c2acda..527efaab946 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityVerifier.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityVerifier.java @@ -1,21 +1,26 @@ // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.vespa.hosted.controller.api.integration.athenz; +import org.apache.http.conn.ssl.X509HostnameVerifier; + import javax.net.ssl.HostnameVerifier; +import javax.net.ssl.SSLException; import javax.net.ssl.SSLPeerUnverifiedException; import javax.net.ssl.SSLSession; +import javax.net.ssl.SSLSocket; import java.security.cert.X509Certificate; import java.util.Set; import java.util.logging.Level; import java.util.logging.Logger; /** - * A {@link HostnameVerifier} that validates Athenz x509 certificates using the identity in the Common Name attribute. + * A {@link HostnameVerifier} / {@link X509HostnameVerifier} that validates + * Athenz x509 certificates using the identity in the Common Name attribute. * * @author bjorncs */ // TODO Move to dedicated Athenz bundle -public class AthenzIdentityVerifier implements HostnameVerifier { +public class AthenzIdentityVerifier implements X509HostnameVerifier { private static final Logger log = Logger.getLogger(AthenzIdentityVerifier.class.getName()); @@ -29,13 +34,36 @@ public class AthenzIdentityVerifier implements HostnameVerifier { public boolean verify(String hostname, SSLSession session) { try { X509Certificate cert = (X509Certificate) session.getPeerCertificates()[0]; - AthenzIdentity certificateIdentity = AthenzUtils.createAthenzIdentity(cert); - return allowedIdentities.contains(certificateIdentity); + return isTrusted(AthenzUtils.createAthenzIdentity(cert)); } catch (SSLPeerUnverifiedException e) { log.log(Level.WARNING, "Unverified client: " + hostname); return false; } } + @Override + public void verify(String host, SSLSocket ssl) { + // all sockets allowed + } + + @Override + public void verify(String hostname, X509Certificate certificate) throws SSLException { + AthenzIdentity identity = AthenzUtils.createAthenzIdentity(certificate); + if (!isTrusted(identity)) { + throw new SSLException("Athenz identity is not trusted: " + identity.getFullName()); + } + } + + @Override + public void verify(String hostname, String[] cns, String[] subjectAlts) throws SSLException { + AthenzIdentity identity = AthenzUtils.createAthenzIdentity(cns[0]); + if (!isTrusted(identity)) { + throw new SSLException("Athenz identity is not trusted: " + identity.getFullName()); + } + } + + private boolean isTrusted(AthenzIdentity identity) { + return allowedIdentities.contains(identity); + } } |