authorBjørn Christian Seime <bjorncs@verizonmedia.com>2019-02-12 12:57:05 +0100
committerBjørn Christian Seime <bjorncs@verizonmedia.com>2019-02-19 17:00:32 +0100
commita0a9406a7c298ab8be4cf556e1a7b441e1eeffa7 (patch)
treebfde52fee7b786642c1046541e0fa287ca65cf69 /security-utils
parentfe8263404bd40d0e605853d10c9a20e91471a205 (diff)
Add mutable x509 trust manager
Add an x509 trust manager where certificates can be updated while the manager is in use.
Diffstat (limited to 'security-utils')
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/MutableX509TrustManager.java70
-rw-r--r--security-utils/src/test/java/com/yahoo/security/tls/MutableX509TrustManagerTest.java59
2 files changed, 129 insertions, 0 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/MutableX509TrustManager.java b/security-utils/src/main/java/com/yahoo/security/tls/MutableX509TrustManager.java
new file mode 100644
index 00000000000..ed424480d26
--- /dev/null
+++ b/security-utils/src/main/java/com/yahoo/security/tls/MutableX509TrustManager.java
@@ -0,0 +1,70 @@
+// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.security.tls;
+
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.X509ExtendedTrustManager;
+import java.net.Socket;
+import java.security.KeyStore;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+
+/**
+ * A {@link X509ExtendedTrustManager} which can be updated with new CA certificates while in use.
+ *
+ * @author bjorncs
+ */
+public class MutableX509TrustManager extends X509ExtendedTrustManager {
+
+ private volatile X509ExtendedTrustManager currentManager;
+
+ public MutableX509TrustManager(KeyStore truststore) {
+ this.currentManager = TrustManagerUtils.createDefaultX509TrustManager(truststore);
+ }
+
+ public MutableX509TrustManager() {
+ this.currentManager = TrustManagerUtils.createDefaultX509TrustManager();
+ }
+
+ public void updateTruststore(KeyStore truststore) {
+ this.currentManager = TrustManagerUtils.createDefaultX509TrustManager(truststore);
+ }
+
+ public void useDefaultTruststore() {
+ this.currentManager = TrustManagerUtils.createDefaultX509TrustManager();
+ }
+
+ @Override
+ public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+ currentManager.checkClientTrusted(chain, authType);
+ }
+
+ @Override
+ public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+ currentManager.checkServerTrusted(chain, authType);
+ }
+
+ @Override
+ public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
+ currentManager.checkClientTrusted(chain, authType, socket);
+ }
+
+ @Override
+ public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
+ currentManager.checkServerTrusted(chain, authType, socket);
+ }
+
+ @Override
+ public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine sslEngine) throws CertificateException {
+ currentManager.checkClientTrusted(chain, authType, sslEngine);
+ }
+
+ @Override
+ public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine sslEngine) throws CertificateException {
+ currentManager.checkServerTrusted(chain, authType, sslEngine);
+ }
+
+ @Override
+ public X509Certificate[] getAcceptedIssuers() {
+ return currentManager.getAcceptedIssuers();
+ }
+}
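Review bot: The concurrency contract of the volatile swap is not documented anywhere in the hunk, although it is the whole point of the class: every `check*Trusted` body and `getAcceptedIssuers()` reads `currentManager` exactly once, so one trust check is evaluated wholly against a single manager, but a caller that pairs `getAcceptedIssuers()` with a later `check*Trusted` can straddle an `updateTruststore` call and observe two different truststores. A comment on the field at line 41 such as `// Read once per call: each trust check runs against a single manager; an update applies to subsequent calls only.` would make that explicit, and `updateTruststore`/`useDefaultTruststore` deserve Javadoc stating which truststore they install (what the no-argument `TrustManagerUtils.createDefaultX509TrustManager()` falls back to is not visible here and should be named in the Javadoc). `updateTruststore` also passes `truststore` straight through with no null guard; adding `Objects.requireNonNull(truststore, "truststore");` before line 52 fails fast at the mutator instead of wherever `TrustManagerUtils` happens to dereference it, and leaves the previously installed manager untouched on a bad call.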
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/MutableX509TrustManagerTest.java b/security-utils/src/test/java/com/yahoo/security/tls/MutableX509TrustManagerTest.java
new file mode 100644
index 00000000000..4c4ea332818
--- /dev/null
+++ b/security-utils/src/test/java/com/yahoo/security/tls/MutableX509TrustManagerTest.java
@@ -0,0 +1,59 @@
+// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.security.tls;
+
+import com.yahoo.security.KeyAlgorithm;
+import com.yahoo.security.KeyStoreBuilder;
+import com.yahoo.security.KeyStoreType;
+import com.yahoo.security.KeyUtils;
+import com.yahoo.security.SignatureAlgorithm;
+import com.yahoo.security.X509CertificateBuilder;
+import org.junit.Test;
+
+import javax.security.auth.x500.X500Principal;
+import java.math.BigInteger;
+import java.security.KeyPair;
+import java.security.KeyStore;
+import java.security.cert.X509Certificate;
+import java.time.Instant;
+
+import static java.time.temporal.ChronoUnit.DAYS;
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * @author bjorncs
+ */
+public class MutableX509TrustManagerTest {
+
+ @Test
+ public void key_manager_can_be_updated_with_new_certificate() {
+ KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.EC);
+
+ X509Certificate initialCertificate = generateCertificate(new X500Principal("CN=issuer1"), keyPair);
+ KeyStore initialTruststore = generateTruststore(initialCertificate);
+
+ MutableX509TrustManager trustManager = new MutableX509TrustManager(initialTruststore);
+
+ X509Certificate[] initialAcceptedIssuers = trustManager.getAcceptedIssuers();
+ assertThat(initialAcceptedIssuers).containsExactly(initialCertificate);
+
+ X509Certificate updatedCertificate = generateCertificate(new X500Principal("CN=issuer2"), keyPair);
+ KeyStore updatedTruststore = generateTruststore(updatedCertificate);
+ trustManager.updateTruststore(updatedTruststore);
+
+ X509Certificate[] updatedAcceptedIssuers = trustManager.getAcceptedIssuers();
+ assertThat(updatedAcceptedIssuers).containsExactly(updatedCertificate);
+ }
+
+ private static X509Certificate generateCertificate(X500Principal issuer, KeyPair keyPair) {
+ return X509CertificateBuilder.fromKeypair(
+ keyPair, issuer, Instant.EPOCH, Instant.EPOCH.plus(1, DAYS), SignatureAlgorithm.SHA256_WITH_ECDSA, BigInteger.ONE)
+ .build();
+ }
+
+ private static KeyStore generateTruststore(X509Certificate certificate) {
+ return KeyStoreBuilder.withType(KeyStoreType.PKCS12)
+ .withCertificateEntry("default", certificate)
+ .build();
+ }
+
+} \ No newline at end of file
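Review bot: The test method name `key_manager_can_be_updated_with_new_certificate` at line 127 describes a key manager, but the class under test is `MutableX509TrustManager`; rename it to `trust_manager_can_be_updated_with_new_certificate`. The assertions only compare `getAcceptedIssuers()` before and after the update and never exercise the trust decision itself, i.e. that a chain anchored on `initialCertificate` is rejected by `checkServerTrusted`/`checkClientTrusted` once `updatedTruststore` is installed, which is the security-relevant effect of the swap. Note that `generateCertificate` at lines 146-150 issues certificates valid from `Instant.EPOCH` for one day, so such a trust-check assertion would presumably need a currently valid certificate to be meaningful, since an expired chain is likely to fail on validity regardless of which trust anchor is installed.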