author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-11-28 15:11:14 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-11-28 15:11:14 +0100 |
commit | 45306ec347358fa57c162ddc725c37f9c077cdcc (patch) | |
tree | 0927692e4113c99aac1c68d64cf85c40eac1fd8e /jrt | |
parent | 910fd0b29b0fdaf7660dc22ed289dc0c7748fa89 (diff) |
Use TlsContext to construct TlsCryptoEngine
Diffstat (limited to 'jrt')
-rw-r--r-- | jrt/src/com/yahoo/jrt/CryptoEngine.java | 6 | ||||
-rw-r--r-- | jrt/src/com/yahoo/jrt/TlsCryptoEngine.java | 28 | ||||
-rw-r--r-- | jrt/tests/com/yahoo/jrt/CryptoUtils.java | 23 | ||||
-rw-r--r-- | jrt/tests/com/yahoo/jrt/EchoTest.java | 8 | ||||
-rw-r--r-- | jrt/tests/com/yahoo/jrt/SessionTest.java | 4 |
5 files changed, 39 insertions, 30 deletions
diff --git a/jrt/src/com/yahoo/jrt/CryptoEngine.java b/jrt/src/com/yahoo/jrt/CryptoEngine.java
index c27aba73873..b1907d892b6 100644
--- a/jrt/src/com/yahoo/jrt/CryptoEngine.java
+++ b/jrt/src/com/yahoo/jrt/CryptoEngine.java
@@ -2,8 +2,11 @@ package com.yahoo.jrt;
+import com.yahoo.security.tls.ConfigFileManagedTlsContext;
+import com.yahoo.security.tls.TlsContext;
 import com.yahoo.security.tls.TransportSecurityUtils;
 import com.yahoo.security.tls.TransportSecurityUtils.MixedMode;
+import com.yahoo.security.tls.authz.PeerAuthorizerTrustManager.Mode;
 import java.nio.channels.SocketChannel;
@@ -20,7 +23,8 @@ public interface CryptoEngine {
 if (!TransportSecurityUtils.isTransportSecurityEnabled()) {
 return new NullCryptoEngine();
 }
- TlsCryptoEngine tlsCryptoEngine = new TlsCryptoEngine(TransportSecurityUtils.getOptions().get());
+ TlsContext tlsContext = new ConfigFileManagedTlsContext(TransportSecurityUtils.getConfigFile().get(), Mode.DRY_RUN);
+ TlsCryptoEngine tlsCryptoEngine = new TlsCryptoEngine(tlsContext);
 if (!TransportSecurityUtils.isInsecureMixedModeEnabled()) {
 return tlsCryptoEngine;
 }
diff --git a/jrt/src/com/yahoo/jrt/TlsCryptoEngine.java b/jrt/src/com/yahoo/jrt/TlsCryptoEngine.java
index db18ddf8c9d..f270974f116 100644
--- a/jrt/src/com/yahoo/jrt/TlsCryptoEngine.java
+++ b/jrt/src/com/yahoo/jrt/TlsCryptoEngine.java
@@ -1,12 +1,8 @@
 // Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.jrt;
-import com.yahoo.security.SslContextBuilder;
-import com.yahoo.security.tls.TransportSecurityOptions;
-import com.yahoo.security.tls.authz.PeerAuthorizerTrustManager.Mode;
-import com.yahoo.security.tls.authz.PeerAuthorizerTrustManagersFactory;
+import com.yahoo.security.tls.TlsContext;
-import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
 import java.nio.channels.SocketChannel;
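Review bot: `TransportSecurityUtils.getConfigFile().get()` on the new `TlsContext tlsContext = ...` line unwraps the Optional unchecked, so a missing config file surfaces as a bare NoSuchElementException that says nothing about which setting is absent; `TransportSecurityUtils.getConfigFile().orElseThrow(() -> new IllegalStateException("Transport security is enabled but no transport security config file is set"))` fails with the cause spelled out. The peer-authorization mode is also hard-coded as `Mode.DRY_RUN` at this call site: the removed factory in TlsCryptoEngine carried the same value, but it now sits in the production engine factory with nothing explaining that authorization policy is, presumably, evaluated but not enforced in this mode, so a comment such as `// TODO: DRY_RUN is the non-enforcing authorization mode; revisit once peer policies are validated` (wording to be confirmed against PeerAuthorizerTrustManager) would make the intent explicit for whoever flips it. The enclosing factory method begins and ends outside the hunk.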
@@ -17,32 +13,18 @@ import java.nio.channels.SocketChannel;
 */
 public class TlsCryptoEngine implements CryptoEngine {
- private final SSLContext sslContext;
+ private final TlsContext tlsContext;
- public TlsCryptoEngine(SSLContext sslContext) {
- this.sslContext = sslContext;
- }
-
- public TlsCryptoEngine(TransportSecurityOptions options) {
- this(createSslContext(options));
+ public TlsCryptoEngine(TlsContext tlsContext) {
+ this.tlsContext = tlsContext;
 }
 @Override
 public TlsCryptoSocket createCryptoSocket(SocketChannel channel, boolean isServer) {
- SSLEngine sslEngine = sslContext.createSSLEngine();
+ SSLEngine sslEngine = tlsContext.createSslEngine();
 sslEngine.setNeedClientAuth(true);
 sslEngine.setUseClientMode(!isServer);
 return new TlsCryptoSocket(channel, sslEngine);
 }
- // TODO Move to dedicated factory type controlling certificate hot-reloading in security-utils
- private static SSLContext createSslContext(TransportSecurityOptions options) {
- SslContextBuilder builder = new SslContextBuilder();
- options.getCertificatesFile()
- .ifPresent(certificates -> builder.withKeyStore(options.getPrivateKeyFile().get(), certificates));
- options.getCaCertificatesFile().ifPresent(builder::withTrustStore);
- options.getAuthorizedPeers().ifPresent(
- authorizedPeers -> builder.withTrustManagerFactory(new PeerAuthorizerTrustManagersFactory(authorizedPeers, Mode.DRY_RUN)));
- return builder.build();
- }
 }
diff --git a/jrt/tests/com/yahoo/jrt/CryptoUtils.java b/jrt/tests/com/yahoo/jrt/CryptoUtils.java
index 6c843000779..b23f71d6033 100644
--- a/jrt/tests/com/yahoo/jrt/CryptoUtils.java
+++ b/jrt/tests/com/yahoo/jrt/CryptoUtils.java
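Review bot: The new constructor `public TlsCryptoEngine(TlsContext tlsContext)` stores its argument without a null check, so a null context only fails later inside createCryptoSocket at `tlsContext.createSslEngine()`, far from the caller that supplied it; `this.tlsContext = Objects.requireNonNull(tlsContext, "tlsContext");` (with `java.util.Objects` imported) fails at construction with a usable message. With the options-based constructor and the in-class SSLContext builder gone, nothing in the class now says where certificate loading and peer authorization happen; a constructor Javadoc stating that SSLEngine creation — and therefore any certificate reloading and peer-authorization policy — is delegated entirely to the supplied TlsContext would point maintainers to the right place. The hunk covers the whole class body.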
@@ -5,6 +5,7 @@ import com.yahoo.security.KeyStoreBuilder;
 import com.yahoo.security.KeyUtils;
 import com.yahoo.security.SslContextBuilder;
 import com.yahoo.security.X509CertificateBuilder;
+import com.yahoo.security.tls.TlsContext;
 import com.yahoo.security.tls.authz.PeerAuthorizerTrustManager.Mode;
 import com.yahoo.security.tls.authz.PeerAuthorizerTrustManagersFactory;
 import com.yahoo.security.tls.policy.AuthorizedPeers;
@@ -15,6 +16,7 @@ import com.yahoo.security.tls.policy.RequiredPeerCredential.Field;
 import com.yahoo.security.tls.policy.Role;
 import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngine;
 import javax.security.auth.x500.X500Principal;
 import java.security.KeyPair;
 import java.security.KeyStore;
@@ -34,6 +36,12 @@ import static java.util.Collections.singletonList;
 * @author bjorncs
 */
 class CryptoUtils {
+ static final SSLContext testSslContext = createTestSslContext();
+
+ static TlsContext createTestTlsContext() {
+ return new StaticTlsContext(testSslContext);
+ }
+
 static SSLContext createTestSslContext() {
 KeyPair keyPair = KeyUtils.generateKeypair(RSA);
@@ -64,4 +72,19 @@ class CryptoUtils {
 new RequiredPeerCredential(
 Field.CN, new HostGlobPattern("dummy"))))));
 }
+
+ private static class StaticTlsContext implements TlsContext {
+
+ final SSLContext sslContext;
+
+ StaticTlsContext(SSLContext sslContext) {
+ this.sslContext = sslContext;
+ }
+
+ @Override
+ public SSLEngine createSslEngine() {
+ return sslContext.createSSLEngine();
+ }
+
+ }
 }
diff --git a/jrt/tests/com/yahoo/jrt/EchoTest.java b/jrt/tests/com/yahoo/jrt/EchoTest.java
index ff036af183b..09841cb3c04 100644
--- a/jrt/tests/com/yahoo/jrt/EchoTest.java
+++ b/jrt/tests/com/yahoo/jrt/EchoTest.java
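Review bot: `final SSLContext sslContext;` in the new `StaticTlsContext` is package-visible although the class itself is private; `private final SSLContext sslContext;` keeps the wrapped context encapsulated like the field it replaces in TlsCryptoEngine. The new `static final SSLContext testSslContext` is built once per class load by `createTestSslContext()`, and every `createTestTlsContext()` call wraps that same context, whereas direct callers of `createTestSslContext()` still get a fresh key pair per call; a one-line Javadoc on `createTestTlsContext` such as `/** Returns a TlsContext backed by the single shared {@link #testSslContext} (one key pair for all engines in a test run). */` makes that difference visible to the next test author. Of the four hunks in this file the last one carries the substance; the first two are import-only.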
@@ -9,7 +9,7 @@ import org.junit.runners.Parameterized;
 import org.junit.runners.Parameterized.Parameter;
 import org.junit.runners.Parameterized.Parameters;
-import static com.yahoo.jrt.CryptoUtils.createTestSslContext;
+import static com.yahoo.jrt.CryptoUtils.createTestTlsContext;
 import static org.junit.Assert.assertTrue;
 @RunWith(Parameterized.class)
@@ -23,9 +23,9 @@ public class EchoTest {
 @Parameter public CryptoEngine crypto;
 @Parameters(name = "{0}") public static Object[] engines() {
- return new Object[] { new NullCryptoEngine(), new XorCryptoEngine(), new TlsCryptoEngine(createTestSslContext()),
- new MaybeTlsCryptoEngine(new TlsCryptoEngine(createTestSslContext()), false),
- new MaybeTlsCryptoEngine(new TlsCryptoEngine(createTestSslContext()), true) };
+ return new Object[] { new NullCryptoEngine(), new XorCryptoEngine(), new TlsCryptoEngine(createTestTlsContext()),
+ new MaybeTlsCryptoEngine(new TlsCryptoEngine(createTestTlsContext()), false),
+ new MaybeTlsCryptoEngine(new TlsCryptoEngine(createTestTlsContext()), true) };
 }
 @Before
diff --git a/jrt/tests/com/yahoo/jrt/SessionTest.java b/jrt/tests/com/yahoo/jrt/SessionTest.java
index 2d8f9188623..368e898978a 100644
--- a/jrt/tests/com/yahoo/jrt/SessionTest.java
+++ b/jrt/tests/com/yahoo/jrt/SessionTest.java
@@ -9,7 +9,7 @@ import org.junit.runners.Parameterized;
 import org.junit.runners.Parameterized.Parameter;
 import org.junit.runners.Parameterized.Parameters;
-import static com.yahoo.jrt.CryptoUtils.createTestSslContext;
+import static com.yahoo.jrt.CryptoUtils.createTestTlsContext;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
@@ -19,7 +19,7 @@ public class SessionTest implements SessionHandler {
 @Parameter public CryptoEngine crypto;
 @Parameters(name = "{0}") public static Object[] engines() {
- return new Object[] { new NullCryptoEngine(), new XorCryptoEngine(), new TlsCryptoEngine(createTestSslContext()) };
+ return new Object[] { new NullCryptoEngine(), new XorCryptoEngine(), new TlsCryptoEngine(createTestTlsContext()) };
 }
 private static class Session {