author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2019-02-06 15:35:40 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2019-02-19 17:00:32 +0100 |
commit | 1a6f276068714ae18c2fb5094517d16132e26d56 (patch) | |
tree | a2a44cefeced6397b4092ffc9c4eb6f2aac1b03c /security-utils/src/main/java/com/yahoo/security/tls | |
parent | a96d6d67ca5d0e4d85dba3dcf0e0fe51336373f8 (diff) |
Add withKeyManagerFactory() to specify custom key manager
- Introduce an interface for key manager factory.
- Change SslContextBuilder to call trust/key manager factory even when no truststore/keystore has been specified.
- Change trust manager factory to be specific for x509.
- Use TrustManagerUtils/KeyManagerUtil to construct default managers.
Diffstat (limited to 'security-utils/src/main/java/com/yahoo/security/tls')
2 files changed, 6 insertions, 24 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java b/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java
index 80acc940a99..eee2e502183 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManager.java
@@ -3,14 +3,12 @@ package com.yahoo.security.tls.authz;
 
 import com.yahoo.security.X509CertificateUtils;
 import com.yahoo.security.tls.AuthorizationMode;
+import com.yahoo.security.tls.TrustManagerUtils;
 import com.yahoo.security.tls.policy.AuthorizedPeers;
 
 import javax.net.ssl.SSLEngine;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.X509ExtendedTrustManager;
 import java.net.Socket;
-import java.security.GeneralSecurityException;
 import java.security.KeyStore;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
@@ -39,22 +37,8 @@ public class PeerAuthorizerTrustManager extends X509ExtendedTrustManager {
         this.defaultTrustManager = defaultTrustManager;
     }
 
-    public static TrustManager[] wrapTrustManagersFromKeystore(AuthorizedPeers authorizedPeers, AuthorizationMode mode, KeyStore keystore) throws GeneralSecurityException {
-        TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
-        factory.init(keystore);
-        return wrapTrustManagers(authorizedPeers, mode, factory.getTrustManagers());
-    }
-
-    public static TrustManager[] wrapTrustManagers(AuthorizedPeers authorizedPeers, AuthorizationMode mode, TrustManager[] managers) {
-        TrustManager[] wrappedManagers = new TrustManager[managers.length];
-        for (int i = 0; i < managers.length; i++) {
-            if (managers[i] instanceof X509ExtendedTrustManager) {
-                wrappedManagers[i] = new PeerAuthorizerTrustManager(authorizedPeers, mode, (X509ExtendedTrustManager) managers[i]);
-            } else {
-                wrappedManagers[i] = managers[i];
-            }
-        }
-        return wrappedManagers;
+    public PeerAuthorizerTrustManager(AuthorizedPeers authorizedPeers, AuthorizationMode mode, KeyStore truststore) {
+        this(authorizedPeers, mode, TrustManagerUtils.createDefaultX509TrustManager(truststore));
     }
 
     @Override
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManagersFactory.java b/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManagersFactory.java
index c0a3b4e41a5..6ec8450c035 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManagersFactory.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/authz/PeerAuthorizerTrustManagersFactory.java
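Review bot: The new convenience constructor hands `truststore` straight to `TrustManagerUtils.createDefaultX509TrustManager` without stating what a null argument means, and the commit description says the builder now invokes the factory even when no truststore was specified, so null is a realistic input on this path. If that helper passes null through to `TrustManagerFactory.init(KeyStore)`, the JDK default cacerts become the trust anchors and the authorizer silently accepts a far wider set of peer certificates than a configured truststore would; if it rejects null instead, the builder change turns "no truststore" into a construction failure. The contract should be explicit on the constructor, e.g. `/** @param truststore trust anchors used by the default X.509 trust manager; TODO(review): state whether null is accepted and, if so, which anchors are used */`. The enclosing class starts and ends outside the hunk.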
@@ -5,14 +5,12 @@ import com.yahoo.security.SslContextBuilder;
 import com.yahoo.security.tls.AuthorizationMode;
 import com.yahoo.security.tls.policy.AuthorizedPeers;
 
-import javax.net.ssl.TrustManager;
-import java.security.GeneralSecurityException;
 import java.security.KeyStore;
 
 /**
  * @author bjorncs
  */
-public class PeerAuthorizerTrustManagersFactory implements SslContextBuilder.TrustManagersFactory {
+public class PeerAuthorizerTrustManagersFactory implements SslContextBuilder.TrustManagerFactory {
     private final AuthorizedPeers authorizedPeers;
     private AuthorizationMode mode;
 
@@ -22,7 +20,7 @@ public class PeerAuthorizerTrustManagersFactory implements SslContextBuilder.Tru
     }
 
     @Override
-    public TrustManager[] createTrustManagers(KeyStore truststore) throws GeneralSecurityException {
-        return PeerAuthorizerTrustManager.wrapTrustManagersFromKeystore(authorizedPeers, mode, truststore);
+    public PeerAuthorizerTrustManager createTrustManager(KeyStore truststore) {
+        return new PeerAuthorizerTrustManager(authorizedPeers, mode, truststore);
     }
 }
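Review bot: `createTrustManager` drops the `throws GeneralSecurityException` the old signature carried, so any failure loading or validating the truststore now has to surface from the `PeerAuthorizerTrustManager` constructor as an unchecked exception, and neither this method nor the class documents that. The method also reads the non-final `mode` field at call time (its setter, if any, is outside the hunk), so the authorization mode baked into the returned trust manager depends on when the builder calls the factory relative to any later `mode` change. A Javadoc along the lines of `/** Creates a peer-authorizing trust manager bound to the {@code mode} configured at the time of this call; TODO(review): document how truststore errors are reported now that no checked exception is declared. */` would make both points explicit. As a style aside, the implemented interface's new simple name `SslContextBuilder.TrustManagerFactory` is easily confused with `javax.net.ssl.TrustManagerFactory`, which the first file stopped importing in this same commit; a distinct name would avoid future import clashes in implementors.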