author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2019-09-13 17:37:19 +0200 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2019-09-13 17:37:19 +0200 |
commit | d1152f2117d932f4dba8e942f9c08527bdcdf0fa (patch) | |
tree | 48128ea955081351f8a1cdb7139bca9c970ad688 /security-utils/src/main/java/com/yahoo/security/tls/ConfigFileBasedTlsContext.java | |
parent | b505c37019302e404df15b346ed0513fa8a83762 (diff) |
Add additional constructor for custom peer authentication mode
Diffstat (limited to 'security-utils/src/main/java/com/yahoo/security/tls/ConfigFileBasedTlsContext.java')
-rw-r--r-- | security-utils/src/main/java/com/yahoo/security/tls/ConfigFileBasedTlsContext.java | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/ConfigFileBasedTlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/ConfigFileBasedTlsContext.java
index 3b9158cf9b1..f5bd866eb27 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/ConfigFileBasedTlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/ConfigFileBasedTlsContext.java
@@ -46,12 +46,20 @@ public class ConfigFileBasedTlsContext implements TlsContext {
 private final ScheduledExecutorService scheduler = Executors.newSingleThreadScheduledExecutor(new ReloaderThreadFactory());
 
 public ConfigFileBasedTlsContext(Path tlsOptionsConfigFile, AuthorizationMode mode) {
+ this(tlsOptionsConfigFile, mode, PeerAuthentication.NEED);
+ }
+
+ /**
+ * Allows the caller to override the default peer authentication mode. This is only intended to be used in situations where
+ * the TLS peer authentication is enforced at a higher protocol or application layer (e.g with {@link PeerAuthentication#WANT}).
+ */
+ public ConfigFileBasedTlsContext(Path tlsOptionsConfigFile, AuthorizationMode mode, PeerAuthentication peerAuthentication) {
 TransportSecurityOptions options = TransportSecurityOptions.fromJsonFile(tlsOptionsConfigFile);
 MutableX509TrustManager trustManager = new MutableX509TrustManager();
 MutableX509KeyManager keyManager = new MutableX509KeyManager();
 reloadTrustManager(options, trustManager);
 reloadKeyManager(options, keyManager);
- this.tlsContext = createDefaultTlsContext(options, mode, trustManager, keyManager);
+ this.tlsContext = createDefaultTlsContext(options, mode, trustManager, keyManager, peerAuthentication);
 this.scheduler.scheduleAtFixedRate(new CryptoMaterialReloader(tlsOptionsConfigFile, scheduler, trustManager, keyManager),
 UPDATE_PERIOD.getSeconds()/*initial delay*/,
 UPDATE_PERIOD.getSeconds(),
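Review bot: The new three-argument constructor passes `peerAuthentication` straight through without validating it, so a null from a caller only fails later when createDefaultTlsContext hands it to DefaultTlsContext (third hunk) rather than at the construction site; add `Objects.requireNonNull(peerAuthentication, "peerAuthentication");` as the constructor's first statement (importing `java.util.Objects` if the file does not already have it). Because this value decides whether a peer must present a certificate at all, the Javadoc should also spell out its interaction with `mode`: if AuthorizationMode drives certificate-based peer authorization, as its name suggests, a peer that presents no certificate under WANT is never subjected to that authorization, leaving the higher-layer check the Javadoc mentions as the only one. A sentence such as `Note that with any mode other than NEED the AuthorizationMode rules are only evaluated for peers that do present a certificate.` would make that explicit for callers. The constructor body continues past the end of the hunk.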
@@ -100,7 +108,8 @@ public class ConfigFileBasedTlsContext implements TlsContext {
 private static DefaultTlsContext createDefaultTlsContext(TransportSecurityOptions options,
 AuthorizationMode mode,
 MutableX509TrustManager mutableTrustManager,
- MutableX509KeyManager mutableKeyManager) {
+ MutableX509KeyManager mutableKeyManager,
+ PeerAuthentication peerAuthentication) {
 SSLContext sslContext = new SslContextBuilder()
 .withKeyManager(mutableKeyManager)
 .withTrustManagerFactory(
@@ -110,7 +119,7 @@ public class ConfigFileBasedTlsContext implements TlsContext {
 .build();
 List<String> acceptedCiphers = options.getAcceptedCiphers();
 Set<String> ciphers = acceptedCiphers.isEmpty() ? TlsContext.ALLOWED_CIPHER_SUITES : new HashSet<>(acceptedCiphers);
- return new DefaultTlsContext(sslContext, ciphers, PeerAuthentication.NEED);
+ return new DefaultTlsContext(sslContext, ciphers, peerAuthentication);
 }
 
 // Wrapped methods from TlsContext