authorBjørn Christian Seime <bjorncs@oath.com>2018-09-10 12:46:19 +0200
committerBjørn Christian Seime <bjorncs@oath.com>2018-09-10 12:48:46 +0200
commit535c6287196378cd51b6ccb2106a7f5bf182708d (patch)
tree783209d69991b8b19a337d71b6f48c95750d4d67 /jrt
parentbe5a620b4030fc22d629d86d5c81186bf81e4f71 (diff)
Use TlsCryptoEngine if VESPA_TLS_CONFIG_FILE is set
Diffstat (limited to 'jrt')
-rw-r--r--jrt/src/com/yahoo/jrt/CryptoEngine.java12
-rw-r--r--jrt/src/com/yahoo/jrt/TlsCryptoEngine.java20
2 files changed, 31 insertions, 1 deletions
diff --git a/jrt/src/com/yahoo/jrt/CryptoEngine.java b/jrt/src/com/yahoo/jrt/CryptoEngine.java
index 9852d5a88a6..2ef936ec7ed 100644
--- a/jrt/src/com/yahoo/jrt/CryptoEngine.java
+++ b/jrt/src/com/yahoo/jrt/CryptoEngine.java
@@ -2,7 +2,10 @@
package com.yahoo.jrt;
+import com.yahoo.security.tls.TransportSecurityOptions;
+
import java.nio.channels.SocketChannel;
+import java.nio.file.Paths;
/**
@@ -13,5 +16,12 @@ import java.nio.channels.SocketChannel;
**/
public interface CryptoEngine {
public CryptoSocket createCryptoSocket(SocketChannel channel, boolean isServer);
- static public CryptoEngine createDefault() { return new NullCryptoEngine(); }
+ static public CryptoEngine createDefault() { // TODO Move this logic to a dedicated factory class
+ String tlsConfigParameter = System.getenv("VESPA_TLS_CONFIG_FILE");
+ if (tlsConfigParameter != null && !tlsConfigParameter.isEmpty()) {
+ return new TlsCryptoEngine(TransportSecurityOptions.fromJsonFile(Paths.get(tlsConfigParameter)));
+ } else {
+ return new NullCryptoEngine();
+ }
+ }
}
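Review bot: createDefault() treats VESPA_TLS_CONFIG_FILE being set to an empty string exactly like it being unset, so a deployment that intends TLS but exports a blank value silently degrades to NullCryptoEngine (plaintext) with no diagnostic; consider failing loudly, or at least logging, when the variable is present but unusable. A path that does not exist or does not parse surfaces from `Paths.get`/`fromJsonFile` as an unchecked exception that does not name the variable; catching it in this branch and rethrowing as `throw new IllegalStateException("Failed to load TLS config from VESPA_TLS_CONFIG_FILE=" + tlsConfigParameter, e)` would make the misconfiguration obvious in logs (the path, not the file contents, so nothing sensitive is exposed). The method also has no Javadoc; a one-liner such as `/** Returns a TlsCryptoEngine configured from the file named by VESPA_TLS_CONFIG_FILE, or a NullCryptoEngine when that variable is unset or empty. */` would document the selection rule. Each call re-reads the environment and constructs a fresh engine, which is presumably fine for current callers but worth keeping in mind alongside the TODO about a dedicated factory.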
diff --git a/jrt/src/com/yahoo/jrt/TlsCryptoEngine.java b/jrt/src/com/yahoo/jrt/TlsCryptoEngine.java
index 279bf1d0137..b3daf5c296d 100644
--- a/jrt/src/com/yahoo/jrt/TlsCryptoEngine.java
+++ b/jrt/src/com/yahoo/jrt/TlsCryptoEngine.java
@@ -1,9 +1,18 @@
// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.jrt;
+import com.yahoo.security.SslContextBuilder;
+import com.yahoo.security.X509CertificateUtils;
+import com.yahoo.security.tls.TransportSecurityOptions;
+
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
+import java.io.IOException;
+import java.io.UncheckedIOException;
import java.nio.channels.SocketChannel;
+import java.nio.file.Files;
+import java.security.cert.X509Certificate;
+import java.util.List;
/**
* A {@link CryptoSocket} that creates {@link TlsCryptoSocket} instances.
@@ -18,6 +27,10 @@ public class TlsCryptoEngine implements CryptoEngine {
this.sslContext = sslContext;
}
+ public TlsCryptoEngine(TransportSecurityOptions options) {
+ this(createSslContext(options));
+ }
+
@Override
public TlsCryptoSocket createCryptoSocket(SocketChannel channel, boolean isServer) {
SSLEngine sslEngine = sslContext.createSSLEngine();
@@ -25,4 +38,11 @@ public class TlsCryptoEngine implements CryptoEngine {
sslEngine.setUseClientMode(!isServer);
return new TlsCryptoSocket(channel, sslEngine);
}
+
+ private static SSLContext createSslContext(TransportSecurityOptions options) {
+ return new SslContextBuilder()
+ .withTrustStore(options.getCaCertificatesFile())
+ .withKeyStore(options.getPrivateKeyFile(), options.getCertificatesFile())
+ .build();
+ }
}
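Review bot: The import hunk adds X509CertificateUtils, IOException, UncheckedIOException, Files, X509Certificate and List, but nothing in the hunks shown uses them — createSslContext needs only SslContextBuilder and TransportSecurityOptions — so if the rest of the file (not visible here) does not use them either they look like leftovers and should be dropped. The new constructor and createSslContext have no Javadoc; a line such as `/** Builds an engine whose trust store is the CA bundle and whose key store is the private key and certificate chain named in {@code options}. */` on the constructor would record which file plays which role. createSslContext runs inside the this(...) call, so a missing or unreadable file fails in the constructor with whatever SslContextBuilder.build() throws; that is worth a @throws entry once the type is confirmed. If mutual TLS is intended on the server side, note that createCryptoSocket as shown only calls setUseClientMode(!isServer); any client-authentication requirement on the SSLEngine lies outside the visible lines and should be confirmed.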