Revert "Add builder helper for SSLContext in vespa-athenz"

author: Harald Musum <musum@yahoo-inc.com> 2018-01-17 19:45:45 +0100
committer: GitHub <noreply@github.com> 2018-01-17 19:45:45 +0100
commit: e1a198c29b4f7453f38d6f796626a99ba8f5e3a5 (patch)
tree: 403836969d050736403f6512a455198a2c63edad /controller-server/src
parent: 37d6a6f18c8df8ba747f302f6ad7aa35406250ab (diff)
1 files changed, 59 insertions, 6 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzSslContextProviderImpl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzSslContextProviderImpl.java
index 1652cb2298e..f463d04b454 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzSslContextProviderImpl.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzSslContextProviderImpl.java
@@ -2,13 +2,26 @@
 package com.yahoo.vespa.hosted.controller.athenz.impl;
 
 import com.google.inject.Inject;
-import com.yahoo.vespa.athenz.tls.AthenzSslContextBuilder;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzClientFactory;
+import com.yahoo.vespa.athenz.api.AthenzIdentityCertificate;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzSslContextProvider;
+import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZtsClient;
 import com.yahoo.vespa.hosted.controller.athenz.config.AthenzConfig;
 
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
-import java.io.File;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.security.KeyManagementException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
 
 /**
  * @author bjorncs
@@ -26,9 +39,49 @@ public class AthenzSslContextProviderImpl implements AthenzSslContextProvider {
 
     @Override
     public SSLContext get() {
-        return new AthenzSslContextBuilder()
-                .withTrustStore(new File(config.athenzCaTrustStore()), "JKS")
-                .withIdentityCertificate(clientFactory.createZtsClientWithServicePrincipal().getIdentityCertificate())
-                .build();
+        return createSslContext();
+    }
+
+    private SSLContext createSslContext() {
+        try {
+            SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
+            sslContext.init(createKeyManagersWithServiceCertificate(clientFactory.createZtsClientWithServicePrincipal()),
+                            createTrustManagersWithAthenzCa(config),
+                            null);
+            return sslContext;
+        } catch (NoSuchAlgorithmException | KeyManagementException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    private static KeyManager[] createKeyManagersWithServiceCertificate(ZtsClient ztsClient) {
+        try {
+            AthenzIdentityCertificate identityCertificate = ztsClient.getIdentityCertificate();
+            KeyStore keyStore = KeyStore.getInstance("JKS");
+            keyStore.load(null);
+            keyStore.setKeyEntry("athenz-controller-key",
+                                 identityCertificate.getPrivateKey(),
+                                 new char[0],
+                                 new Certificate[]{identityCertificate.getCertificate()});
+            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+            keyManagerFactory.init(keyStore, new char[0]);
+            return keyManagerFactory.getKeyManagers();
+        } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException | IOException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    private static TrustManager[] createTrustManagersWithAthenzCa(AthenzConfig config) {
+        try {
+            KeyStore trustStore = KeyStore.getInstance("JKS");
+            try (FileInputStream in = new FileInputStream(config.athenzCaTrustStore())) {
+                trustStore.load(in, "changeit".toCharArray());
+            }
+            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+            trustManagerFactory.init(trustStore);
+            return trustManagerFactory.getTrustManagers();
+        } catch (CertificateException | IOException | KeyStoreException | NoSuchAlgorithmException e) {
+            throw new RuntimeException(e);
+        }
     }
 }
author	Harald Musum <musum@yahoo-inc.com>	2018-01-17 19:45:45 +0100
committer	GitHub <noreply@github.com>	2018-01-17 19:45:45 +0100
commit	e1a198c29b4f7453f38d6f796626a99ba8f5e3a5 (patch)
tree	403836969d050736403f6512a455198a2c63edad /controller-server/src
parent	37d6a6f18c8df8ba747f302f6ad7aa35406250ab (diff)