author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-01-17 14:06:47 +0100 |
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-01-18 09:30:57 +0100 |
commit | 02b5e6e2dde58b7296ceb4bbd0904d63e4af518e (patch) | |
tree | 9a1965939b4dbd15d5a9771f76e21141f61c42bf /controller-server | |
parent | fa51c2160c36082d12a22508ebe665df091b44fe (diff) |
Add builder helper for SSLContext in vespa-athenz
Use new builder in AthenzSslContextProviderImpl
Diffstat (limited to 'controller-server')
-rw-r--r-- | controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzSslContextProviderImpl.java | 65 |
1 files changed, 6 insertions, 59 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzSslContextProviderImpl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzSslContextProviderImpl.java
index f463d04b454..1652cb2298e 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzSslContextProviderImpl.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzSslContextProviderImpl.java
@@ -2,26 +2,13 @@
 package com.yahoo.vespa.hosted.controller.athenz.impl;
 
 import com.google.inject.Inject;
+import com.yahoo.vespa.athenz.tls.AthenzSslContextBuilder;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzClientFactory;
-import com.yahoo.vespa.athenz.api.AthenzIdentityCertificate;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzSslContextProvider;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZtsClient;
 import com.yahoo.vespa.hosted.controller.athenz.config.AthenzConfig;
 
-import javax.net.ssl.KeyManager;
-import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.TrustManagerFactory;
-import java.io.FileInputStream;
-import java.io.IOException;
-import java.security.KeyManagementException;
-import java.security.KeyStore;
-import java.security.KeyStoreException;
-import java.security.NoSuchAlgorithmException;
-import java.security.UnrecoverableKeyException;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateException;
+import java.io.File;
 
 /**
  * @author bjorncs
@@ -39,49 +26,9 @@ public class AthenzSslContextProviderImpl implements AthenzSslContextProvider {
 
     @Override
     public SSLContext get() {
-        return createSslContext();
-    }
-
-    private SSLContext createSslContext() {
-        try {
-            SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
-            sslContext.init(createKeyManagersWithServiceCertificate(clientFactory.createZtsClientWithServicePrincipal()),
-                            createTrustManagersWithAthenzCa(config),
-                            null);
-            return sslContext;
-        } catch (NoSuchAlgorithmException | KeyManagementException e) {
-            throw new RuntimeException(e);
-        }
-    }
-
-    private static KeyManager[] createKeyManagersWithServiceCertificate(ZtsClient ztsClient) {
-        try {
-            AthenzIdentityCertificate identityCertificate = ztsClient.getIdentityCertificate();
-            KeyStore keyStore = KeyStore.getInstance("JKS");
-            keyStore.load(null);
-            keyStore.setKeyEntry("athenz-controller-key",
-                                 identityCertificate.getPrivateKey(),
-                                 new char[0],
-                                 new Certificate[]{identityCertificate.getCertificate()});
-            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
-            keyManagerFactory.init(keyStore, new char[0]);
-            return keyManagerFactory.getKeyManagers();
-        } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException | IOException e) {
-            throw new RuntimeException(e);
-        }
-    }
-
-    private static TrustManager[] createTrustManagersWithAthenzCa(AthenzConfig config) {
-        try {
-            KeyStore trustStore = KeyStore.getInstance("JKS");
-            try (FileInputStream in = new FileInputStream(config.athenzCaTrustStore())) {
-                trustStore.load(in, "changeit".toCharArray());
-            }
-            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
-            trustManagerFactory.init(trustStore);
-            return trustManagerFactory.getTrustManagers();
-        } catch (CertificateException | IOException | KeyStoreException | NoSuchAlgorithmException e) {
-            throw new RuntimeException(e);
-        }
+        return new AthenzSslContextBuilder()
+                .withTrustStore(new File(config.athenzCaTrustStore()), "JKS")
+                .withIdentityCertificate(clientFactory.createZtsClientWithServicePrincipal().getIdentityCertificate())
+                .build();
     }
 }
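Review bot: The new `.withTrustStore(new File(config.athenzCaTrustStore()), "JKS")` call passes no store password, whereas the removed code loaded the same file with `"changeit"`; if the builder ends up calling `KeyStore.load` with a null password, the JKS integrity check is skipped and a tampered or truncated trust store would load silently, so this is worth confirming in AthenzSslContextBuilder and passing the password if the builder accepts one. The removed code also pinned the protocol with `SSLContext.getInstance("TLSv1.2")`, and the protocol the builder selects is not visible in this diff; if it falls back to a generic "TLS" context, the controller could negotiate older versions than before. Whichever way those two questions resolve, the choice should be recorded at the call site, e.g. `// Builder is expected to pin TLSv1.2 and verify JKS trust store integrity -- see AthenzSslContextBuilder` above the return, so the next reader does not assume the old guarantees still hold. The enclosing class starts before this hunk; its fields and constructor are not shown here.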