author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2022-07-19 14:30:27 +0200 |
committer | GitHub <noreply@github.com> | 2022-07-19 14:30:27 +0200 |
commit | 46ba1b00aa19e937e2c257b34c23417adeef56eb (patch) | |
tree | 7e595f7ca0c17bc74b07c18472f4cd2d4f57c4d4 /jrt/src/com/yahoo | |
parent | 8be6dd28753425126507b68c93a24607124871eb (diff) | |
parent | 529a26d7e1062a006196366454f1a047ca31202c (diff) |
Merge pull request #23496 from vespa-engine/bjorncs/capabilitiesv8.21.11
Bjorncs/capabilities
Diffstat (limited to 'jrt/src/com/yahoo')
-rw-r--r-- | jrt/src/com/yahoo/jrt/Connection.java | 6 | ||||
-rw-r--r-- | jrt/src/com/yahoo/jrt/CryptoSocket.java | 6 | ||||
-rw-r--r-- | jrt/src/com/yahoo/jrt/MaybeTlsCryptoSocket.java | 6 | ||||
-rw-r--r-- | jrt/src/com/yahoo/jrt/SecurityContext.java | 24 | ||||
-rw-r--r-- | jrt/src/com/yahoo/jrt/Target.java | 6 | ||||
-rw-r--r-- | jrt/src/com/yahoo/jrt/TlsCryptoSocket.java | 37 |
6 files changed, 28 insertions, 57 deletions
diff --git a/jrt/src/com/yahoo/jrt/Connection.java b/jrt/src/com/yahoo/jrt/Connection.java
index 00aceb7e352..644e2ef4ff3 100644
--- a/jrt/src/com/yahoo/jrt/Connection.java
+++ b/jrt/src/com/yahoo/jrt/Connection.java
@@ -1,6 +1,8 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.jrt;
 
+import com.yahoo.security.tls.authz.ConnectionAuthContext;
+
 import java.io.IOException;
 import java.nio.ByteBuffer;
 import java.nio.channels.SelectionKey;
@@ -436,9 +438,9 @@ class Connection extends Target {
     }
 
     @Override
-    public Optional<SecurityContext> getSecurityContext() {
+    public Optional<ConnectionAuthContext> getConnectionAuthContext() {
         return Optional.ofNullable(socket)
-                .flatMap(CryptoSocket::getSecurityContext);
+                .flatMap(CryptoSocket::getConnectionAuthContext);
     }
 
     public boolean isClient() {
diff --git a/jrt/src/com/yahoo/jrt/CryptoSocket.java b/jrt/src/com/yahoo/jrt/CryptoSocket.java
index 78308b76624..aac91362405 100644
--- a/jrt/src/com/yahoo/jrt/CryptoSocket.java
+++ b/jrt/src/com/yahoo/jrt/CryptoSocket.java
@@ -2,6 +2,8 @@
 
 package com.yahoo.jrt;
 
+import com.yahoo.security.tls.authz.ConnectionAuthContext;
+
 import java.io.IOException;
 import java.nio.ByteBuffer;
 import java.nio.channels.SocketChannel;
@@ -103,10 +105,10 @@ public interface CryptoSocket {
     public void dropEmptyBuffers();
 
     /**
-     * Returns the security context for the current connection (given handshake completed),
+     * Returns the auth context for the current connection (given handshake completed),
      * or empty if the current connection is not secure.
      */
-    default public Optional<SecurityContext> getSecurityContext() {
+    default public Optional<ConnectionAuthContext> getConnectionAuthContext() {
         return Optional.empty();
     }
 }
diff --git a/jrt/src/com/yahoo/jrt/MaybeTlsCryptoSocket.java b/jrt/src/com/yahoo/jrt/MaybeTlsCryptoSocket.java
index df01f4f2fa7..42442289cd1 100644
--- a/jrt/src/com/yahoo/jrt/MaybeTlsCryptoSocket.java
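Review bot: The reworded javadoc on the default getConnectionAuthContext() still promises empty only when "the current connection is not secure", but the TlsCryptoSocket override in this same change returns Optional.ofNullable(authContext) after a completed handshake, so empty can now also mean "TLS connection, but no auth context was recorded". Callers that use isPresent() as the "is this connection TLS" test would misclassify such connections, so the contract should say what it actually guarantees: `* or empty if the current connection is not secure or no auth context was recorded for it.` The abstract method's javadoc in Target.java (next file in this commit) carries the same wording and should be updated in step.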
+++ b/jrt/src/com/yahoo/jrt/MaybeTlsCryptoSocket.java
@@ -1,6 +1,8 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.jrt;
 
+import com.yahoo.security.tls.authz.ConnectionAuthContext;
+
 import java.io.IOException;
 import java.nio.ByteBuffer;
 import java.nio.channels.SocketChannel;
@@ -130,5 +132,7 @@ public class MaybeTlsCryptoSocket implements CryptoSocket {
     @Override public int write(ByteBuffer src) throws IOException { return socket.write(src); }
     @Override public FlushResult flush() throws IOException { return socket.flush(); }
     @Override public void dropEmptyBuffers() { socket.dropEmptyBuffers(); }
-    @Override public Optional<SecurityContext> getSecurityContext() { return Optional.ofNullable(socket).flatMap(CryptoSocket::getSecurityContext); }
+    @Override public Optional<ConnectionAuthContext> getConnectionAuthContext() {
+        return Optional.ofNullable(socket).flatMap(CryptoSocket::getConnectionAuthContext);
+    }
 }
diff --git a/jrt/src/com/yahoo/jrt/SecurityContext.java b/jrt/src/com/yahoo/jrt/SecurityContext.java
deleted file mode 100644
index 4eef99cb93f..00000000000
--- a/jrt/src/com/yahoo/jrt/SecurityContext.java
+++ /dev/null
@@ -1,24 +0,0 @@
-// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.jrt;
-
-import java.security.cert.X509Certificate;
-import java.util.List;
-
-/**
- * @author bjorncs
- */
-public class SecurityContext {
-
-    private final List<X509Certificate> peerCertificateChain;
-
-    public SecurityContext(List<X509Certificate> peerCertificateChain) {
-        this.peerCertificateChain = peerCertificateChain;
-    }
-
-    /**
-     * @return the peer certificate chain if the peer was authenticated, empty list if not.
-     */
-    public List<X509Certificate> peerCertificateChain() {
-        return peerCertificateChain;
-    }
-}
diff --git a/jrt/src/com/yahoo/jrt/Target.java b/jrt/src/com/yahoo/jrt/Target.java
index a59aa341fe0..239a71f53b3 100644
--- a/jrt/src/com/yahoo/jrt/Target.java
+++ b/jrt/src/com/yahoo/jrt/Target.java
@@ -1,6 +1,8 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.jrt;
 
+import com.yahoo.security.tls.authz.ConnectionAuthContext;
+
 import java.util.Optional;
 
 /**
@@ -69,9 +71,9 @@ public abstract class Target {
     public Exception getConnectionLostReason() { return null; }
 
     /**
-     * Returns the security context associated with this target, or empty if no connection or is insecure.
+     * Returns the connection auth context associated with this target, or empty if no connection or is insecure.
      */
-    public abstract Optional<SecurityContext> getSecurityContext();
+    public abstract Optional<ConnectionAuthContext> getConnectionAuthContext();
 
     /**
      * Check if this target represents the client side of a
diff --git a/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java b/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java
index a899938dd45..ecd76e1eb17 100644
--- a/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java
+++ b/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java
@@ -1,7 +1,7 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.jrt;
 
-import com.yahoo.security.tls.authz.AuthorizationResult;
+import com.yahoo.security.tls.authz.ConnectionAuthContext;
 import com.yahoo.security.tls.authz.PeerAuthorizerTrustManager;
 
 import javax.net.ssl.SSLEngine;
@@ -9,19 +9,14 @@ import javax.net.ssl.SSLEngineResult;
 import javax.net.ssl.SSLEngineResult.HandshakeStatus;
 import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLHandshakeException;
-import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSession;
 import java.io.IOException;
 import java.nio.ByteBuffer;
 import java.nio.channels.ClosedChannelException;
 import java.nio.channels.SocketChannel;
-import java.security.cert.X509Certificate;
-import java.util.Arrays;
-import java.util.List;
 import java.util.Optional;
 import java.util.logging.Logger;
 
-import static java.util.stream.Collectors.toList;
 import static javax.net.ssl.SSLEngineResult.Status;
 
 /**
@@ -46,7 +41,7 @@ public class TlsCryptoSocket implements CryptoSocket {
     private int sessionApplicationBufferSize;
     private ByteBuffer handshakeDummyBuffer;
     private HandshakeState handshakeState;
-    private AuthorizationResult authorizationResult;
+    private ConnectionAuthContext authContext;
 
     public TlsCryptoSocket(SocketChannel channel, SSLEngine sslEngine) {
         this.channel = channel;
@@ -102,13 +97,13 @@ public class TlsCryptoSocket implements CryptoSocket {
                     channelRead();
                     break;
                 case NEED_WORK:
-                    if (authorizationResult == null) {
-                        PeerAuthorizerTrustManager.getAuthorizationResult(sslEngine) // only available during handshake
-                                .ifPresent(result -> {
-                                    if (!result.succeeded()) {
+                    if (authContext == null) {
+                        PeerAuthorizerTrustManager.getConnectionAuthContext(sslEngine) // only available during handshake
+                                .ifPresent(ctx -> {
+                                    if (!ctx.authorized()) {
                                         metrics.incrementPeerAuthorizationFailures();
                                     }
-                                    authorizationResult = result;
+                                    authContext = ctx;
                                 });
                     }
                     break;
@@ -149,7 +144,7 @@ public class TlsCryptoSocket implements CryptoSocket {
             }
         } catch (SSLHandshakeException e) {
             // sslEngine.getDelegatedTask().run() and handshakeWrap() may throw SSLHandshakeException, potentially handshakeUnwrap() and sslEngine.beginHandshake() as well.
-            if (authorizationResult == null || authorizationResult.succeeded()) { // don't include handshake failures due from PeerAuthorizerTrustManager
+            if (authContext == null || authContext.authorized()) { // don't include handshake failures due from PeerAuthorizerTrustManager
                 metrics.incrementTlsCertificateVerificationFailures();
             }
             throw e;
@@ -224,19 +219,9 @@ public class TlsCryptoSocket implements CryptoSocket {
     }
 
     @Override
-    public Optional<SecurityContext> getSecurityContext() {
-        try {
-            if (handshakeState != HandshakeState.COMPLETED) {
-                return Optional.empty();
-            }
-            List<X509Certificate> peerCertificateChain =
-                    Arrays.stream(sslEngine.getSession().getPeerCertificates())
-                            .map(X509Certificate.class::cast)
-                            .collect(toList());
-            return Optional.of(new SecurityContext(peerCertificateChain));
-        } catch (SSLPeerUnverifiedException e) { // unverified peer: non-certificate based ciphers or peer did not provide a certificate
-            return Optional.of(new SecurityContext(List.of())); // secure connection, but peer does not have a certificate chain.
-        }
+    public Optional<ConnectionAuthContext> getConnectionAuthContext() {
+        if (handshakeState != HandshakeState.COMPLETED) return Optional.empty();
+        return Optional.ofNullable(authContext);
     }
 
     private boolean handshakeWrap() throws IOException { |
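Review bot: The new getConnectionAuthContext() folds two different states into Optional.empty() — handshake not yet COMPLETED, and handshake COMPLETED with authContext still null — whereas the removed implementation returned a non-empty SecurityContext with an empty chain for a verified-but-unauthenticated peer, so callers that used isPresent() to tell TLS from plaintext lose that signal. authContext is assigned only in the NEED_WORK branch of the handshake loop while PeerAuthorizerTrustManager exposes the context (per the `// only available during handshake` comment there), so if a handshake reaches COMPLETED without that branch observing it — presumably possible when the trust manager is not consulted, e.g. on session resumption — the field silently stays null and the connection reads as insecure. Consider surfacing that case before the return, `if (authContext == null) <logger>.warning("TLS handshake completed without a ConnectionAuthContext");` (a java.util.logging.Logger is imported in this file; the field name is not visible in the hunk), and stating in the method's javadoc that empty may also mean "secure, but no auth context recorded". The @@ -149 hunk above is fine on its own; its enclosing method begins and ends outside the hunk.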