authorBjørn Christian Seime <bjorncs@oath.com>2018-11-28 15:11:14 +0100
committerBjørn Christian Seime <bjorncs@oath.com>2018-11-28 15:11:14 +0100
commit45306ec347358fa57c162ddc725c37f9c077cdcc (patch)
tree0927692e4113c99aac1c68d64cf85c40eac1fd8e /jrt
parent910fd0b29b0fdaf7660dc22ed289dc0c7748fa89 (diff)
Use TlsContext to construct TlsCryptoEngine
Diffstat (limited to 'jrt')
-rw-r--r--jrt/src/com/yahoo/jrt/CryptoEngine.java6
-rw-r--r--jrt/src/com/yahoo/jrt/TlsCryptoEngine.java28
-rw-r--r--jrt/tests/com/yahoo/jrt/CryptoUtils.java23
-rw-r--r--jrt/tests/com/yahoo/jrt/EchoTest.java8
-rw-r--r--jrt/tests/com/yahoo/jrt/SessionTest.java4
5 files changed, 39 insertions, 30 deletions
diff --git a/jrt/src/com/yahoo/jrt/CryptoEngine.java b/jrt/src/com/yahoo/jrt/CryptoEngine.java
index c27aba73873..b1907d892b6 100644
--- a/jrt/src/com/yahoo/jrt/CryptoEngine.java
+++ b/jrt/src/com/yahoo/jrt/CryptoEngine.java
@@ -2,8 +2,11 @@
package com.yahoo.jrt;
+import com.yahoo.security.tls.ConfigFileManagedTlsContext;
+import com.yahoo.security.tls.TlsContext;
import com.yahoo.security.tls.TransportSecurityUtils;
import com.yahoo.security.tls.TransportSecurityUtils.MixedMode;
+import com.yahoo.security.tls.authz.PeerAuthorizerTrustManager.Mode;
import java.nio.channels.SocketChannel;
@@ -20,7 +23,8 @@ public interface CryptoEngine {
if (!TransportSecurityUtils.isTransportSecurityEnabled()) {
return new NullCryptoEngine();
}
- TlsCryptoEngine tlsCryptoEngine = new TlsCryptoEngine(TransportSecurityUtils.getOptions().get());
+ TlsContext tlsContext = new ConfigFileManagedTlsContext(TransportSecurityUtils.getConfigFile().get(), Mode.DRY_RUN);
+ TlsCryptoEngine tlsCryptoEngine = new TlsCryptoEngine(tlsContext);
if (!TransportSecurityUtils.isInsecureMixedModeEnabled()) {
return tlsCryptoEngine;
}
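Review bot: `TransportSecurityUtils.getConfigFile().get()` on the new TlsContext line is an unchecked `Optional.get()`: if transport security is enabled but no config file is available, construction fails with a bare NoSuchElementException that carries no hint of what is missing, which is hard to diagnose from a log. Prefer `TransportSecurityUtils.getConfigFile().orElseThrow(() -> new IllegalStateException("Transport security is enabled but no transport security config file is configured"))` as the first constructor argument. The hard-coded `Mode.DRY_RUN` also deserves a why-comment, e.g. `// Peer authorization runs in DRY_RUN mode here — presumably non-enforcing; confirm before relying on authorization at this layer`, since a reader of this factory otherwise cannot tell that the peer-authorization outcome may not be enforced. The enclosing factory method continues outside the hunk.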
diff --git a/jrt/src/com/yahoo/jrt/TlsCryptoEngine.java b/jrt/src/com/yahoo/jrt/TlsCryptoEngine.java
index db18ddf8c9d..f270974f116 100644
--- a/jrt/src/com/yahoo/jrt/TlsCryptoEngine.java
+++ b/jrt/src/com/yahoo/jrt/TlsCryptoEngine.java
@@ -1,12 +1,8 @@
// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.jrt;
-import com.yahoo.security.SslContextBuilder;
-import com.yahoo.security.tls.TransportSecurityOptions;
-import com.yahoo.security.tls.authz.PeerAuthorizerTrustManager.Mode;
-import com.yahoo.security.tls.authz.PeerAuthorizerTrustManagersFactory;
+import com.yahoo.security.tls.TlsContext;
-import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.nio.channels.SocketChannel;
@@ -17,32 +13,18 @@ import java.nio.channels.SocketChannel;
*/
public class TlsCryptoEngine implements CryptoEngine {
- private final SSLContext sslContext;
+ private final TlsContext tlsContext;
- public TlsCryptoEngine(SSLContext sslContext) {
- this.sslContext = sslContext;
- }
-
- public TlsCryptoEngine(TransportSecurityOptions options) {
- this(createSslContext(options));
+ public TlsCryptoEngine(TlsContext tlsContext) {
+ this.tlsContext = tlsContext;
}
@Override
public TlsCryptoSocket createCryptoSocket(SocketChannel channel, boolean isServer) {
- SSLEngine sslEngine = sslContext.createSSLEngine();
+ SSLEngine sslEngine = tlsContext.createSslEngine();
sslEngine.setNeedClientAuth(true);
sslEngine.setUseClientMode(!isServer);
return new TlsCryptoSocket(channel, sslEngine);
}
- // TODO Move to dedicated factory type controlling certificate hot-reloading in security-utils
- private static SSLContext createSslContext(TransportSecurityOptions options) {
- SslContextBuilder builder = new SslContextBuilder();
- options.getCertificatesFile()
- .ifPresent(certificates -> builder.withKeyStore(options.getPrivateKeyFile().get(), certificates));
- options.getCaCertificatesFile().ifPresent(builder::withTrustStore);
- options.getAuthorizedPeers().ifPresent(
- authorizedPeers -> builder.withTrustManagerFactory(new PeerAuthorizerTrustManagersFactory(authorizedPeers, Mode.DRY_RUN)));
- return builder.build();
- }
}
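Review bot: The new constructor stores `tlsContext` without a null check, so a null argument only surfaces later as a NullPointerException inside `createCryptoSocket`, far from the caller that passed it; use `this.tlsContext = Objects.requireNonNull(tlsContext, "tlsContext");` (with `import java.util.Objects;` added in the import hunk above). The constructor also lacks Javadoc now that it is the only one; a one-liner such as `/** Creates an engine that obtains a fresh {@link SSLEngine} from {@code tlsContext.createSslEngine()} for every socket created. */` documents the contract that is visible in `createCryptoSocket`.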
diff --git a/jrt/tests/com/yahoo/jrt/CryptoUtils.java b/jrt/tests/com/yahoo/jrt/CryptoUtils.java
index 6c843000779..b23f71d6033 100644
--- a/jrt/tests/com/yahoo/jrt/CryptoUtils.java
+++ b/jrt/tests/com/yahoo/jrt/CryptoUtils.java
@@ -5,6 +5,7 @@ import com.yahoo.security.KeyStoreBuilder;
import com.yahoo.security.KeyUtils;
import com.yahoo.security.SslContextBuilder;
import com.yahoo.security.X509CertificateBuilder;
+import com.yahoo.security.tls.TlsContext;
import com.yahoo.security.tls.authz.PeerAuthorizerTrustManager.Mode;
import com.yahoo.security.tls.authz.PeerAuthorizerTrustManagersFactory;
import com.yahoo.security.tls.policy.AuthorizedPeers;
@@ -15,6 +16,7 @@ import com.yahoo.security.tls.policy.RequiredPeerCredential.Field;
import com.yahoo.security.tls.policy.Role;
import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngine;
import javax.security.auth.x500.X500Principal;
import java.security.KeyPair;
import java.security.KeyStore;
@@ -34,6 +36,12 @@ import static java.util.Collections.singletonList;
* @author bjorncs
*/
class CryptoUtils {
+ static final SSLContext testSslContext = createTestSslContext();
+
+ static TlsContext createTestTlsContext() {
+ return new StaticTlsContext(testSslContext);
+ }
+
static SSLContext createTestSslContext() {
KeyPair keyPair = KeyUtils.generateKeypair(RSA);
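Review bot: `testSslContext` is a `static final` field and should follow the constant naming convention, `static final SSLContext TEST_SSL_CONTEXT = createTestSslContext();`, with `createTestTlsContext` updated to match. Because the field is initialized eagerly at class load and `createTestSslContext` generates a key pair and certificates, any failure there will presumably surface as an ExceptionInInitializerError in every test that touches `CryptoUtils` rather than as a failure of one test; a comment noting that the context is shared across all TLS test engines would make that trade-off explicit. `createTestSslContext` continues outside the hunk.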
@@ -64,4 +72,19 @@ class CryptoUtils {
new RequiredPeerCredential(
Field.CN, new HostGlobPattern("dummy"))))));
}
+
+ private static class StaticTlsContext implements TlsContext {
+
+ final SSLContext sslContext;
+
+ StaticTlsContext(SSLContext sslContext) {
+ this.sslContext = sslContext;
+ }
+
+ @Override
+ public SSLEngine createSslEngine() {
+ return sslContext.createSSLEngine();
+ }
+
+ }
}
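Review bot: The `sslContext` field of the new `StaticTlsContext` is package-private; nothing in the hunk reads it from outside the class, so it should be `private final SSLContext sslContext;`. If `TlsContext` has `createSslEngine` as its only abstract method (not visible here), the whole nested class could be replaced by `return testSslContext::createSSLEngine;` in `createTestTlsContext`, which is worth checking since it removes a type that exists only to forward one call.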
diff --git a/jrt/tests/com/yahoo/jrt/EchoTest.java b/jrt/tests/com/yahoo/jrt/EchoTest.java
index ff036af183b..09841cb3c04 100644
--- a/jrt/tests/com/yahoo/jrt/EchoTest.java
+++ b/jrt/tests/com/yahoo/jrt/EchoTest.java
@@ -9,7 +9,7 @@ import org.junit.runners.Parameterized;
import org.junit.runners.Parameterized.Parameter;
import org.junit.runners.Parameterized.Parameters;
-import static com.yahoo.jrt.CryptoUtils.createTestSslContext;
+import static com.yahoo.jrt.CryptoUtils.createTestTlsContext;
import static org.junit.Assert.assertTrue;
@RunWith(Parameterized.class)
@@ -23,9 +23,9 @@ public class EchoTest {
@Parameter public CryptoEngine crypto;
@Parameters(name = "{0}") public static Object[] engines() {
- return new Object[] { new NullCryptoEngine(), new XorCryptoEngine(), new TlsCryptoEngine(createTestSslContext()),
- new MaybeTlsCryptoEngine(new TlsCryptoEngine(createTestSslContext()), false),
- new MaybeTlsCryptoEngine(new TlsCryptoEngine(createTestSslContext()), true) };
+ return new Object[] { new NullCryptoEngine(), new XorCryptoEngine(), new TlsCryptoEngine(createTestTlsContext()),
+ new MaybeTlsCryptoEngine(new TlsCryptoEngine(createTestTlsContext()), false),
+ new MaybeTlsCryptoEngine(new TlsCryptoEngine(createTestTlsContext()), true) };
}
@Before
diff --git a/jrt/tests/com/yahoo/jrt/SessionTest.java b/jrt/tests/com/yahoo/jrt/SessionTest.java
index 2d8f9188623..368e898978a 100644
--- a/jrt/tests/com/yahoo/jrt/SessionTest.java
+++ b/jrt/tests/com/yahoo/jrt/SessionTest.java
@@ -9,7 +9,7 @@ import org.junit.runners.Parameterized;
import org.junit.runners.Parameterized.Parameter;
import org.junit.runners.Parameterized.Parameters;
-import static com.yahoo.jrt.CryptoUtils.createTestSslContext;
+import static com.yahoo.jrt.CryptoUtils.createTestTlsContext;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
@@ -19,7 +19,7 @@ public class SessionTest implements SessionHandler {
@Parameter public CryptoEngine crypto;
@Parameters(name = "{0}") public static Object[] engines() {
- return new Object[] { new NullCryptoEngine(), new XorCryptoEngine(), new TlsCryptoEngine(createTestSslContext()) };
+ return new Object[] { new NullCryptoEngine(), new XorCryptoEngine(), new TlsCryptoEngine(createTestTlsContext()) };
}
private static class Session {