author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-11-28 15:11:14 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-11-28 15:11:14 +0100 |
commit | 45306ec347358fa57c162ddc725c37f9c077cdcc (patch) | |
tree | 0927692e4113c99aac1c68d64cf85c40eac1fd8e /jrt/src/com/yahoo | |
parent | 910fd0b29b0fdaf7660dc22ed289dc0c7748fa89 (diff) |
Use TlsContext to construct TlsCryptoEngine
Diffstat (limited to 'jrt/src/com/yahoo')
-rw-r--r-- | jrt/src/com/yahoo/jrt/CryptoEngine.java | 6 | ||||
-rw-r--r-- | jrt/src/com/yahoo/jrt/TlsCryptoEngine.java | 28 |
2 files changed, 10 insertions, 24 deletions
diff --git a/jrt/src/com/yahoo/jrt/CryptoEngine.java b/jrt/src/com/yahoo/jrt/CryptoEngine.java
index c27aba73873..b1907d892b6 100644
--- a/jrt/src/com/yahoo/jrt/CryptoEngine.java
+++ b/jrt/src/com/yahoo/jrt/CryptoEngine.java
@@ -2,8 +2,11 @@ package com.yahoo.jrt;
+import com.yahoo.security.tls.ConfigFileManagedTlsContext;
+import com.yahoo.security.tls.TlsContext;
 import com.yahoo.security.tls.TransportSecurityUtils;
 import com.yahoo.security.tls.TransportSecurityUtils.MixedMode;
+import com.yahoo.security.tls.authz.PeerAuthorizerTrustManager.Mode;
 import java.nio.channels.SocketChannel;
@@ -20,7 +23,8 @@ public interface CryptoEngine {
 if (!TransportSecurityUtils.isTransportSecurityEnabled()) {
 return new NullCryptoEngine();
 }
- TlsCryptoEngine tlsCryptoEngine = new TlsCryptoEngine(TransportSecurityUtils.getOptions().get());
+ TlsContext tlsContext = new ConfigFileManagedTlsContext(TransportSecurityUtils.getConfigFile().get(), Mode.DRY_RUN);
+ TlsCryptoEngine tlsCryptoEngine = new TlsCryptoEngine(tlsContext);
 if (!TransportSecurityUtils.isInsecureMixedModeEnabled()) {
 return tlsCryptoEngine;
 }
diff --git a/jrt/src/com/yahoo/jrt/TlsCryptoEngine.java b/jrt/src/com/yahoo/jrt/TlsCryptoEngine.java
index db18ddf8c9d..f270974f116 100644
--- a/jrt/src/com/yahoo/jrt/TlsCryptoEngine.java
+++ b/jrt/src/com/yahoo/jrt/TlsCryptoEngine.java
@@ -1,12 +1,8 @@
 // Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.jrt;
-import com.yahoo.security.SslContextBuilder;
-import com.yahoo.security.tls.TransportSecurityOptions;
-import com.yahoo.security.tls.authz.PeerAuthorizerTrustManager.Mode;
-import com.yahoo.security.tls.authz.PeerAuthorizerTrustManagersFactory;
+import com.yahoo.security.tls.TlsContext;
-import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
 import java.nio.channels.SocketChannel;
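Review bot: `TransportSecurityUtils.getConfigFile().get()` on the added line dereferences the Optional unchecked, so a deployment where transport security is reported enabled but no config file path is set fails with a bare NoSuchElementException far from the cause; `TransportSecurityUtils.getConfigFile().orElseThrow(() -> new IllegalStateException("Transport security is enabled but no config file is configured"))` would make that misconfiguration diagnosable. The hard-coded `Mode.DRY_RUN` is carried over from the removed createSslContext and presumably means authorized-peer rules are evaluated but not enforced; now that the choice lives in the engine factory rather than the engine, a comment stating that and when it is expected to change would help, e.g. `// Peer authorization runs in dry-run mode for now (rules evaluated, not enforced); TODO switch to enforcing once authorized-peer rules are validated`. The enclosing factory method starts and ends outside the hunk.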
@@ -17,32 +13,18 @@ import java.nio.channels.SocketChannel;
 */
 public class TlsCryptoEngine implements CryptoEngine {
- private final SSLContext sslContext;
+ private final TlsContext tlsContext;
- public TlsCryptoEngine(SSLContext sslContext) {
- this.sslContext = sslContext;
- }
-
- public TlsCryptoEngine(TransportSecurityOptions options) {
- this(createSslContext(options));
+ public TlsCryptoEngine(TlsContext tlsContext) {
+ this.tlsContext = tlsContext;
 }
 @Override
 public TlsCryptoSocket createCryptoSocket(SocketChannel channel, boolean isServer) {
- SSLEngine sslEngine = sslContext.createSSLEngine();
+ SSLEngine sslEngine = tlsContext.createSslEngine();
 sslEngine.setNeedClientAuth(true);
 sslEngine.setUseClientMode(!isServer);
 return new TlsCryptoSocket(channel, sslEngine);
 }
- // TODO Move to dedicated factory type controlling certificate hot-reloading in security-utils
- private static SSLContext createSslContext(TransportSecurityOptions options) {
- SslContextBuilder builder = new SslContextBuilder();
- options.getCertificatesFile()
- .ifPresent(certificates -> builder.withKeyStore(options.getPrivateKeyFile().get(), certificates));
- options.getCaCertificatesFile().ifPresent(builder::withTrustStore);
- options.getAuthorizedPeers().ifPresent(
- authorizedPeers -> builder.withTrustManagerFactory(new PeerAuthorizerTrustManagersFactory(authorizedPeers, Mode.DRY_RUN)));
- return builder.build();
- }
 }
|
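Review bot: The new constructor stores `tlsContext` without a null check, so a null context only surfaces as a NullPointerException inside createCryptoSocket on the first connection rather than at construction; `this.tlsContext = Objects.requireNonNull(tlsContext, "tlsContext");` (with `import java.util.Objects;` added) fails early with a clear message. The constructor also has no Javadoc; a short `/** Creates an engine whose SSLEngines are produced by the given context, which presumably owns key material, trust configuration and peer authorization — confirm against TlsContext. */` would record the ownership split now that key/trust setup has moved out of this class. With the hot-reloading TODO removed, whether certificate reloading is now handled by the context is not visible here; the class Javadoc, which begins above the hunk, is the place to state it.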