authorBjørn Christian Seime <bjorncs@verizonmedia.com>2019-02-06 15:35:40 +0100
committerBjørn Christian Seime <bjorncs@verizonmedia.com>2019-02-19 17:00:32 +0100
commit1a6f276068714ae18c2fb5094517d16132e26d56 (patch)
treea2a44cefeced6397b4092ffc9c4eb6f2aac1b03c /security-utils/src/main/java/com/yahoo/security/tls
parenta96d6d67ca5d0e4d85dba3dcf0e0fe51336373f8 (diff)
Add withKeyManagerFactory() to specify custom key manager
- Introduce an interface for key manager factory. - Change SslContextBuilder to call trust/key manager factory even when no truststore/keystore has been specified. - Change trust manager factory to be specific for x509. - Use TrustManagerUtils/KeyManagerUtil to construct default managers.
Diffstat (limited to 'security-utils/src/main/java/com/yahoo/security/tls')
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java22
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManagersFactory.java8
2 files changed, 6 insertions, 24 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java b/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java
index 80acc940a99..eee2e502183 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java
@@ -3,14 +3,12 @@ package com.yahoo.security.tls.authz;
import com.yahoo.security.X509CertificateUtils;
import com.yahoo.security.tls.AuthorizationMode;
+import com.yahoo.security.tls.TrustManagerUtils;
import com.yahoo.security.tls.policy.AuthorizedPeers;
import javax.net.ssl.SSLEngine;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;
import java.net.Socket;
-import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
@@ -39,22 +37,8 @@ public class PeerAuthorizerTrustManager extends X509ExtendedTrustManager {
this.defaultTrustManager = defaultTrustManager;
}
- public static TrustManager[] wrapTrustManagersFromKeystore(AuthorizedPeers authorizedPeers, AuthorizationMode mode, KeyStore keystore) throws GeneralSecurityException {
- TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
- factory.init(keystore);
- return wrapTrustManagers(authorizedPeers, mode, factory.getTrustManagers());
- }
-
- public static TrustManager[] wrapTrustManagers(AuthorizedPeers authorizedPeers, AuthorizationMode mode, TrustManager[] managers) {
- TrustManager[] wrappedManagers = new TrustManager[managers.length];
- for (int i = 0; i < managers.length; i++) {
- if (managers[i] instanceof X509ExtendedTrustManager) {
- wrappedManagers[i] = new PeerAuthorizerTrustManager(authorizedPeers, mode, (X509ExtendedTrustManager) managers[i]);
- } else {
- wrappedManagers[i] = managers[i];
- }
- }
- return wrappedManagers;
+ public PeerAuthorizerTrustManager(AuthorizedPeers authorizedPeers, AuthorizationMode mode, KeyStore truststore) {
+ this(authorizedPeers, mode, TrustManagerUtils.createDefaultX509TrustManager(truststore));
}
@Override
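Review bot: The new constructor `public PeerAuthorizerTrustManager(AuthorizedPeers authorizedPeers, AuthorizationMode mode, KeyStore truststore)` has no Javadoc and does not say what a null `truststore` means, while the commit description states that the trust manager factory is now invoked even when no truststore was specified, so null looks like a reachable input whose handling is delegated to `TrustManagerUtils.createDefaultX509TrustManager`, which is outside this diff. Whether a null truststore fails fast or falls back to the JVM's default trust anchors decides which peer certificates can ever reach the `authorizedPeers` check, so that contract should be stated on the constructor once confirmed, e.g. `/** Wraps the default X.509 trust manager built from {@code truststore} so that peers are additionally checked against {@code authorizedPeers}; see TrustManagerUtils for how a null truststore is treated. */`. The removed `wrapTrustManagers` passed non-`X509ExtendedTrustManager` entries through unwrapped, whereas the replacement always produces exactly one wrapped X.509 manager; that is a tightening, but since both removed methods were public static API the commit message should mention the removal. The enclosing class body continues outside this hunk.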
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManagersFactory.java b/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManagersFactory.java
index c0a3b4e41a5..6ec8450c035 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManagersFactory.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManagersFactory.java
@@ -5,14 +5,12 @@ import com.yahoo.security.SslContextBuilder;
import com.yahoo.security.tls.AuthorizationMode;
import com.yahoo.security.tls.policy.AuthorizedPeers;
-import javax.net.ssl.TrustManager;
-import java.security.GeneralSecurityException;
import java.security.KeyStore;
/**
* @author bjorncs
*/
-public class PeerAuthorizerTrustManagersFactory implements SslContextBuilder.TrustManagersFactory {
+public class PeerAuthorizerTrustManagersFactory implements SslContextBuilder.TrustManagerFactory {
private final AuthorizedPeers authorizedPeers;
private AuthorizationMode mode;
@@ -22,7 +20,7 @@ public class PeerAuthorizerTrustManagersFactory implements SslContextBuilder.Tru
}
@Override
- public TrustManager[] createTrustManagers(KeyStore truststore) throws GeneralSecurityException {
- return PeerAuthorizerTrustManager.wrapTrustManagersFromKeystore(authorizedPeers, mode, truststore);
+ public PeerAuthorizerTrustManager createTrustManager(KeyStore truststore) {
+ return new PeerAuthorizerTrustManager(authorizedPeers, mode, truststore);
}
}
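Review bot: The new `public PeerAuthorizerTrustManager createTrustManager(KeyStore truststore)` drops `throws GeneralSecurityException`, so any checked failure while initialising the trust manager must now surface from `TrustManagerUtils.createDefaultX509TrustManager` as an unchecked exception, presumably; callers that previously caught `GeneralSecurityException` around `createTrustManagers` will no longer catch it, which deserves a `@throws` tag naming the unchecked type or a line in the commit message. The method and the class carry only an `@author` Javadoc; I would add `/** Builds a trust manager that validates the peer chain against {@code truststore} and then applies the configured {@code AuthorizedPeers} policy under the current {@code mode}. */` on `createTrustManager`. Since `mode` is declared non-final in the earlier hunk, the mode captured by the returned trust manager is whatever was set when this method ran — if it can change after construction, say so here. The enclosing class starts outside this hunk.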