author | Harald Musum <musum@yahoo-inc.com> | 2018-01-17 19:45:45 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-01-17 19:45:45 +0100 |
commit | e1a198c29b4f7453f38d6f796626a99ba8f5e3a5 (patch) | |
tree | 403836969d050736403f6512a455198a2c63edad /controller-server/src | |
parent | 37d6a6f18c8df8ba747f302f6ad7aa35406250ab (diff) |
Revert "Add builder helper for SSLContext in vespa-athenz"
Diffstat (limited to 'controller-server/src')
-rw-r--r-- | controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzSslContextProviderImpl.java | 65 |
1 files changed, 59 insertions, 6 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzSslContextProviderImpl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzSslContextProviderImpl.java
index 1652cb2298e..f463d04b454 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzSslContextProviderImpl.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzSslContextProviderImpl.java
@@ -2,13 +2,26 @@ package com.yahoo.vespa.hosted.controller.athenz.impl;
 import com.google.inject.Inject;
-import com.yahoo.vespa.athenz.tls.AthenzSslContextBuilder;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzClientFactory;
+import com.yahoo.vespa.athenz.api.AthenzIdentityCertificate;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzSslContextProvider;
+import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZtsClient;
 import com.yahoo.vespa.hosted.controller.athenz.config.AthenzConfig;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
-import java.io.File;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.security.KeyManagementException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
 /**
 * @author bjorncs 
@@ -26,9 +39,49 @@ public class AthenzSslContextProviderImpl implements AthenzSslContextProvider {
 @Override
 public SSLContext get() {
- return new AthenzSslContextBuilder()
- .withTrustStore(new File(config.athenzCaTrustStore()), "JKS")
- .withIdentityCertificate(clientFactory.createZtsClientWithServicePrincipal().getIdentityCertificate())
- .build();
+ return createSslContext();
+ }
+
+ private SSLContext createSslContext() {
+ try {
+ SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
+ sslContext.init(createKeyManagersWithServiceCertificate(clientFactory.createZtsClientWithServicePrincipal()),
+ createTrustManagersWithAthenzCa(config),
+ null);
+ return sslContext;
+ } catch (NoSuchAlgorithmException | KeyManagementException e) {
+ throw new RuntimeException(e);
+ }
+ }
+
+ private static KeyManager[] createKeyManagersWithServiceCertificate(ZtsClient ztsClient) {
+ try {
+ AthenzIdentityCertificate identityCertificate = ztsClient.getIdentityCertificate();
+ KeyStore keyStore = KeyStore.getInstance("JKS");
+ keyStore.load(null);
+ keyStore.setKeyEntry("athenz-controller-key",
+ identityCertificate.getPrivateKey(),
+ new char[0],
+ new Certificate[]{identityCertificate.getCertificate()});
+ KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+ keyManagerFactory.init(keyStore, new char[0]);
+ return keyManagerFactory.getKeyManagers();
+ } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException | IOException e) {
+ throw new RuntimeException(e);
+ }
+ }
+
+ private static TrustManager[] createTrustManagersWithAthenzCa(AthenzConfig config) {
+ try {
+ KeyStore trustStore = KeyStore.getInstance("JKS");
+ try (FileInputStream in = new FileInputStream(config.athenzCaTrustStore())) {
+ trustStore.load(in, "changeit".toCharArray());
+ }
+ TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+ trustManagerFactory.init(trustStore);
+ return trustManagerFactory.getTrustManagers();
+ } catch (CertificateException | IOException | KeyStoreException | NoSuchAlgorithmException e) {
+ throw new RuntimeException(e);
+ }
+ }
 }
 } |
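Review bot: `createTrustManagersWithAthenzCa` opens the Athenz CA trust store with the hard-coded JDK default password `"changeit"`; for a JKS store that password is only an integrity check, so it gives no protection against a swapped file while still making startup fail with an opaque `RuntimeException` for any operator whose store uses a different password. Since the store path already comes from `AthenzConfig`, the password belongs there as well, e.g. `trustStore.load(in, config.athenzCaTrustStorePassword().toCharArray());` if such a field can be added, or else skip the check explicitly with `trustStore.load(in, null); // JKS integrity check intentionally skipped; the file is trusted via filesystem permissions` rather than leaving a default-looking secret in code. The three `throw new RuntimeException(e)` sites also discard all context; `throw new IllegalStateException("Failed to load Athenz CA trust store " + config.athenzCaTrustStore(), e)` and similar messages at the other two would make a failing controller start diagnosable without a debugger. Note too that every `get()` call builds a new ZTS client and calls `getIdentityCertificate()`; if that is a remote fetch and the provider contract does not require a fresh certificate per call, the built `SSLContext` should be cached by the caller or here.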