author | Jon Bratseth <bratseth@yahoo-inc.com> | 2016-06-15 23:09:44 +0200 |
---|---|---|
committer | Jon Bratseth <bratseth@yahoo-inc.com> | 2016-06-15 23:09:44 +0200 |
commit | 72231250ed81e10d66bfe70701e64fa5fe50f712 (patch) | |
tree | 2728bba1131a6f6e5bdf95afec7d7ff9358dac50 /jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl |
Publish
Diffstat (limited to 'jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl')
6 files changed, 194 insertions, 0 deletions
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/JKSKeyStore.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/JKSKeyStore.java
new file mode 100644
index 00000000000..d9eebbeedc6
--- /dev/null
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/JKSKeyStore.java
@@ -0,0 +1,34 @@
+// Copyright 2016 Yahoo Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.jdisc.http.ssl;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+
+/**
+ * @author tonytv
+ */
+public class JKSKeyStore extends SslKeyStore {
+
+ private static final String keyStoreType = "JKS";
+ private final Path keyStoreFile;
+
+ public JKSKeyStore(Path keyStoreFile) {
+ this.keyStoreFile = keyStoreFile;
+ }
+
+ @Override
+ public KeyStore loadJavaKeyStore() throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
+ try(InputStream stream = Files.newInputStream(keyStoreFile)) {
+ KeyStore keystore = KeyStore.getInstance(keyStoreType);
+ keystore.load(stream, getKeyStorePassword().map(String::toCharArray).orElse(null));
+ return keystore;
+ }
+ }
+
+}
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/ReaderForPath.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/ReaderForPath.java
new file mode 100644
index 00000000000..8a3ac08a1cd
--- /dev/null
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/ReaderForPath.java
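Review bot: `loadJavaKeyStore` hands `orElse(null)` to `KeyStore.load`, and per the `KeyStore.load` contract a null password means no integrity check is performed, so a store configured without a password is loaded without tamper detection; that consequence is worth stating on the method rather than leaving it implicit. A one-line Javadoc such as `/** Loads the JKS file at {@code keyStoreFile}; when no password is configured the keystore integrity check is skipped (see {@link KeyStore#load}). */` would make the trade-off visible to whoever wires the configuration. As a point of style, `keyStoreType` is a `static final` constant while the other constants in this commit (`DEFAULT_ALGORITHM`, `DEFAULT_PROTOCOL`) use upper snake case, so `KEY_STORE_TYPE` would match.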
@@ -0,0 +1,22 @@
+// Copyright 2016 Yahoo Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.jdisc.http.ssl;
+
+import java.io.Reader;
+import java.nio.file.Path;
+
+/**
+ * A reader along with the path used to construct it.
+ *
+ * @author tonytv
+ */
+public final class ReaderForPath {
+
+ public final Reader reader;
+ public final Path path;
+
+ public ReaderForPath(Reader reader, Path path) {
+ this.reader = reader;
+ this.path = path;
+ }
+
+}
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslContextFactory.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslContextFactory.java
new file mode 100644
index 00000000000..93cf6683ed5
--- /dev/null
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslContextFactory.java
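Review bot: `ReaderForPath` carries an open `Reader` but nothing says who is responsible for closing it, and neither constructor argument is null-checked, so a null `reader` only fails at the first read inside whichever consumer gets it (the consumers are outside this diff). Suggest `this.reader = Objects.requireNonNull(reader, "reader");` and `this.path = Objects.requireNonNull(path, "path");`, plus a class-level Javadoc sentence stating the ownership rule — presumably something like `This class does not close the reader; the code that created it remains responsible for closing it.` — once you confirm that is the intended contract.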
@@ -0,0 +1,88 @@
+// Copyright 2016 Yahoo Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.jdisc.http.ssl;
+
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManagerFactory;
+import java.io.IOException;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.CertificateException;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+/**
+ * @author <a href="mailto:charlesk@yahoo-inc.com">Charles Kim</a>
+ */
+public class SslContextFactory {
+
+ private static final Logger log = Logger.getLogger(SslContextFactory.class.getName());
+ private static final String DEFAULT_ALGORITHM = "SunX509";
+ private static final String DEFAULT_PROTOCOL = "TLS";
+ private final SSLContext sslContext;
+
+ private SslContextFactory(SSLContext sslContext) {
+ this.sslContext = sslContext;
+ }
+
+ public SSLContext getServerSSLContext() {
+ return this.sslContext;
+ }
+
+ public static SslContextFactory newInstanceFromTrustStore(SslKeyStore trustStore) {
+ return newInstance(DEFAULT_ALGORITHM, DEFAULT_PROTOCOL, null, trustStore);
+ }
+
+ public static SslContextFactory newInstance(SslKeyStore trustStore, SslKeyStore keyStore) {
+ return newInstance(DEFAULT_ALGORITHM, DEFAULT_PROTOCOL, keyStore, trustStore);
+ }
+
+ public static SslContextFactory newInstance(String sslAlgorithm, String sslProtocol,
+ SslKeyStore keyStore, SslKeyStore trustStore) {
+ log.fine("Configuring SSLContext...");
+ log.fine("Using " + sslAlgorithm + " algorithm.");
+ try {
+ SSLContext sslContext = SSLContext.getInstance(sslProtocol);
+ sslContext.init(
+ keyStore == null ? null : getKeyManagers(keyStore, sslAlgorithm),
+ trustStore == null ? 
null : getTrustManagers(trustStore, sslAlgorithm),
+ null);
+ return new SslContextFactory(sslContext);
+ } catch (Exception e) {
+ log.log(Level.SEVERE, "Got exception creating SSLContext.", e);
+ throw new RuntimeException(e);
+ }
+ }
+
+ /**
+ * Used for the key store, which contains the SSL cert and private key.
+ */
+ public static javax.net.ssl.KeyManager[] getKeyManagers(SslKeyStore keyStore,
+ String sslAlgorithm)
+ throws NoSuchAlgorithmException, CertificateException, IOException, UnrecoverableKeyException,
+ KeyStoreException {
+
+ KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(sslAlgorithm);
+ keyManagerFactory.init(
+ keyStore.loadJavaKeyStore(),
+ keyStore.getKeyStorePassword().map(String::toCharArray).orElse(null));
+ log.fine("KeyManagerFactory initialized with keystore");
+ return keyManagerFactory.getKeyManagers();
+ }
+
+ /**
+ * Used for the trust store, which contains certificates from other parties that you expect to communicate with,
+ * or from Certificate Authorities that you trust to identify other parties.
+ */
+ public static javax.net.ssl.TrustManager[] getTrustManagers(SslKeyStore trustStore,
+ String sslAlgorithm)
+ throws NoSuchAlgorithmException, CertificateException, IOException, KeyStoreException {
+
+ TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(sslAlgorithm);
+ trustManagerFactory.init(trustStore.loadJavaKeyStore());
+ log.fine("TrustManagerFactory initialized with truststore.");
+ return trustManagerFactory.getTrustManagers();
+ }
+
+}
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslKeyStore.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslKeyStore.java
new file mode 100644
index 00000000000..de65618a942
--- /dev/null
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslKeyStore.java
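Review bot: The two-argument `newInstance(SslKeyStore trustStore, SslKeyStore keyStore)` takes its arguments in the opposite order from the four-argument `newInstance(String, String, SslKeyStore keyStore, SslKeyStore trustStore)` it delegates to; both parameters share a type, so a caller that swaps them compiles cleanly and the mistake only surfaces at handshake time as the wrong certificate being presented or the wrong roots being trusted. Giving the overload a distinguishing name or aligning the order removes the trap; at minimum the Javadoc should spell the order out. Separately, `catch (Exception e)` followed by `throw new RuntimeException(e)` folds every declared failure into one unchecked type; `catch (GeneralSecurityException | IOException e)` covers exactly what `SSLContext.getInstance`, `init`, `getKeyManagers` and `getTrustManagers` declare and keeps the catch honest. Note also that `DEFAULT_ALGORITHM = "SunX509"` is a Sun-provider name, whereas `KeyManagerFactory.getDefaultAlgorithm()` is the portable default.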
@@ -0,0 +1,29 @@
+// Copyright 2016 Yahoo Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.jdisc.http.ssl;
+
+import java.io.IOException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+import java.util.Optional;
+
+/**
+ *
+ * @author <a href="mailto:charlesk@yahoo-inc.com">Charles Kim</a>
+ */
+public abstract class SslKeyStore {
+
+ private Optional<String> keyStorePassword = Optional.empty();
+
+ public Optional<String> getKeyStorePassword() {
+ return keyStorePassword;
+ }
+
+ public void setKeyStorePassword(String keyStorePassword) {
+ this.keyStorePassword = Optional.of(keyStorePassword);
+ }
+
+ public abstract KeyStore loadJavaKeyStore() throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException;
+
+}
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslKeyStoreFactory.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslKeyStoreFactory.java
new file mode 100644
index 00000000000..4d5a5b1c806
--- /dev/null
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslKeyStoreFactory.java
@@ -0,0 +1,17 @@
+// Copyright 2016 Yahoo Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.jdisc.http.ssl;
+
+import java.nio.file.Paths;
+
+/**
+ * A factory for SSL key stores.
+ *
+ * @author bratseth
+ */
+public interface SslKeyStoreFactory {
+
+ SslKeyStore createKeyStore(ReaderForPath certificateFile, ReaderForPath keyFile);
+
+ SslKeyStore createTrustStore(ReaderForPath certificateFile);
+
+}
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/package-info.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/package-info.java
new file mode 100644
index 00000000000..251a355d19b
--- /dev/null
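Review bot: `setKeyStorePassword` wraps its argument in `Optional.of`, so a null argument throws a bare `NullPointerException` with no message, and nothing documents that "no password" is expressed by never calling the setter rather than by passing null. `this.keyStorePassword = Optional.of(Objects.requireNonNull(keyStorePassword, "keyStorePassword"));` plus a Javadoc sentence stating that rule makes the contract explicit. Because the password is held as a `String`, the `char[]` copies that `JKSKeyStore.loadJavaKeyStore` and `SslContextFactory.getKeyManagers` derive from it via `toCharArray` are the only form that could be wiped, and neither caller does so; if that matters for this deployment a `char[]`-based accessor is the usual shape, and either way a comment on the field should record the decision. The class Javadoc is also empty apart from the author tag.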
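Review bot: `import java.nio.file.Paths;` in `SslKeyStoreFactory` is unused and should be dropped. The interface also leaves the expected content of `certificateFile` and `keyFile` unspecified — encoding, whether a certificate chain is accepted, whether the key may be password-protected — so every implementation and caller has to guess; a `@param` line per argument stating the format the implementation accepts would pin this down, but the implementations are outside this diff so I cannot state the format here.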
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/package-info.java
@@ -0,0 +1,4 @@
+// Copyright 2016 Yahoo Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+@ExportPackage
+package com.yahoo.jdisc.http.ssl;
+import com.yahoo.osgi.annotation.ExportPackage; |