Publish

6 files changed, 194 insertions, 0 deletions

diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/JKSKeyStore.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/JKSKeyStore.java
new file mode 100644
index 00000000000..d9eebbeedc6
--- /dev/null
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/JKSKeyStore.java
@@ -0,0 +1,34 @@
+// Copyright 2016 Yahoo Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.jdisc.http.ssl;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+
+/**
+ * @author tonytv
+ */
+public class JKSKeyStore extends SslKeyStore {
+
+    private static final String keyStoreType = "JKS";
+    private final Path keyStoreFile;
+
+    public JKSKeyStore(Path keyStoreFile) {
+        this.keyStoreFile = keyStoreFile;
+    }
+
+    @Override
+    public KeyStore loadJavaKeyStore() throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
+        try(InputStream stream = Files.newInputStream(keyStoreFile)) {
+            KeyStore keystore = KeyStore.getInstance(keyStoreType);
+            keystore.load(stream, getKeyStorePassword().map(String::toCharArray).orElse(null));
+            return keystore;
+        }
+    }
+
+}
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/ReaderForPath.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/ReaderForPath.java
new file mode 100644
index 00000000000..8a3ac08a1cd
--- /dev/null
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/ReaderForPath.java
@@ -0,0 +1,22 @@
+// Copyright 2016 Yahoo Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.jdisc.http.ssl;
+
+import java.io.Reader;
+import java.nio.file.Path;
+
+/**
+ * A reader along with the path used to construct it.
+ *
+ * @author tonytv
+ */
+public final class ReaderForPath {
+
+    public final Reader reader;
+    public final Path path;
+
+    public ReaderForPath(Reader reader, Path path) {
+        this.reader = reader;
+        this.path = path;
+    }
+
+}
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslContextFactory.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslContextFactory.java
new file mode 100644
index 00000000000..93cf6683ed5
--- /dev/null
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslContextFactory.java
@@ -0,0 +1,88 @@
+// Copyright 2016 Yahoo Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.jdisc.http.ssl;
+
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManagerFactory;
+import java.io.IOException;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.CertificateException;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+/**
+ * @author <a href="mailto:charlesk@yahoo-inc.com">Charles Kim</a>
+ */
+public class SslContextFactory {
+
+    private static final Logger log = Logger.getLogger(SslContextFactory.class.getName());
+    private static final String DEFAULT_ALGORITHM = "SunX509";
+    private static final String DEFAULT_PROTOCOL = "TLS";
+    private final SSLContext sslContext;
+
+    private SslContextFactory(SSLContext sslContext) {
+        this.sslContext = sslContext;
+    }
+
+    public SSLContext getServerSSLContext() {
+        return this.sslContext;
+    }
+
+    public static SslContextFactory newInstanceFromTrustStore(SslKeyStore trustStore) {
+        return newInstance(DEFAULT_ALGORITHM, DEFAULT_PROTOCOL, null, trustStore);
+    }
+
+    public static SslContextFactory newInstance(SslKeyStore trustStore, SslKeyStore keyStore) {
+        return newInstance(DEFAULT_ALGORITHM, DEFAULT_PROTOCOL, keyStore, trustStore);
+    }
+
+    public static SslContextFactory newInstance(String sslAlgorithm, String sslProtocol,
+                                                SslKeyStore keyStore, SslKeyStore trustStore) {
+        log.fine("Configuring SSLContext...");
+        log.fine("Using " + sslAlgorithm + " algorithm.");
+        try {
+            SSLContext sslContext = SSLContext.getInstance(sslProtocol);
+            sslContext.init(
+                    keyStore == null ? null : getKeyManagers(keyStore, sslAlgorithm),
+                    trustStore == null ? null : getTrustManagers(trustStore, sslAlgorithm),
+                    null);
+            return new SslContextFactory(sslContext);
+        } catch (Exception e) {
+            log.log(Level.SEVERE, "Got exception creating SSLContext.", e);
+            throw new RuntimeException(e);
+        }
+    }
+
+    /**
+     * Used for the key store, which contains the SSL cert and private key.
+     */
+    public static javax.net.ssl.KeyManager[] getKeyManagers(SslKeyStore keyStore,
+                                                            String sslAlgorithm)
+            throws NoSuchAlgorithmException, CertificateException, IOException, UnrecoverableKeyException,
+                   KeyStoreException {
+
+        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(sslAlgorithm);
+        keyManagerFactory.init(
+                keyStore.loadJavaKeyStore(),
+                keyStore.getKeyStorePassword().map(String::toCharArray).orElse(null));
+        log.fine("KeyManagerFactory initialized with keystore");
+        return keyManagerFactory.getKeyManagers();
+    }
+
+    /**
+     * Used for the trust store, which contains certificates from other parties that you expect to communicate with,
+     * or from Certificate Authorities that you trust to identify other parties.
+     */
+    public static javax.net.ssl.TrustManager[] getTrustManagers(SslKeyStore trustStore,
+                                                                String sslAlgorithm)
+            throws NoSuchAlgorithmException, CertificateException, IOException, KeyStoreException {
+
+        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(sslAlgorithm);
+        trustManagerFactory.init(trustStore.loadJavaKeyStore());
+        log.fine("TrustManagerFactory initialized with truststore.");
+        return trustManagerFactory.getTrustManagers();
+    }
+
+}
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslKeyStore.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslKeyStore.java
new file mode 100644
index 00000000000..de65618a942
--- /dev/null
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslKeyStore.java
@@ -0,0 +1,29 @@
+// Copyright 2016 Yahoo Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.jdisc.http.ssl;
+
+import java.io.IOException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+import java.util.Optional;
+
+/**
+ *
+ * @author <a href="mailto:charlesk@yahoo-inc.com">Charles Kim</a>
+ */
+public abstract class SslKeyStore {
+
+	private Optional<String> keyStorePassword = Optional.empty();
+
+    public Optional<String> getKeyStorePassword() {
+		return keyStorePassword;
+	}
+
+	public void setKeyStorePassword(String keyStorePassword) {
+		this.keyStorePassword = Optional.of(keyStorePassword);
+	}
+
+    public abstract KeyStore loadJavaKeyStore() throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException;
+
+}
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslKeyStoreFactory.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslKeyStoreFactory.java
new file mode 100644
index 00000000000..4d5a5b1c806
--- /dev/null
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslKeyStoreFactory.java
@@ -0,0 +1,17 @@
+// Copyright 2016 Yahoo Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.jdisc.http.ssl;
+
+import java.nio.file.Paths;
+
+/**
+ * A factory for SSL key stores.
+ *
+ * @author bratseth
+ */
+public interface SslKeyStoreFactory {
+
+    SslKeyStore createKeyStore(ReaderForPath certificateFile, ReaderForPath keyFile);
+
+    SslKeyStore createTrustStore(ReaderForPath certificateFile);
+
+}
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/package-info.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/package-info.java
new file mode 100644
index 00000000000..251a355d19b
--- /dev/null
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/package-info.java
@@ -0,0 +1,4 @@
+// Copyright 2016 Yahoo Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+@ExportPackage
+package com.yahoo.jdisc.http.ssl;
+import com.yahoo.osgi.annotation.ExportPackage;