diff options
author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2019-02-12 12:57:05 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2019-02-14 14:15:30 +0100 |
commit | 1033173344e362a54d7c0c20b6fcca90aacc2da3 (patch) | |
tree | 75fc006dbf7fa720f6b4f2ae75e4d4e457adeec1 /security-utils | |
parent | daca503e5462ae38c162d3fcddd39e53e6a10516 (diff) |
Add mutable x509 trust manager
Add a x509 trust manager where certificates can be updated while the manager is in use.
Diffstat (limited to 'security-utils')
-rw-r--r-- | security-utils/src/main/java/com/yahoo/security/tls/MutableX509TrustManager.java | 70 | ||||
-rw-r--r-- | security-utils/src/test/java/com/yahoo/security/tls/MutableX509TrustManagerTest.java | 59 |
2 files changed, 129 insertions, 0 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/MutableX509TrustManager.java b/security-utils/src/main/java/com/yahoo/security/tls/MutableX509TrustManager.java new file mode 100644 index 00000000000..ed424480d26 --- /dev/null +++ b/security-utils/src/main/java/com/yahoo/security/tls/MutableX509TrustManager.java @@ -0,0 +1,70 @@ +// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. +package com.yahoo.security.tls; + +import javax.net.ssl.SSLEngine; +import javax.net.ssl.X509ExtendedTrustManager; +import java.net.Socket; +import java.security.KeyStore; +import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; + +/** + * A {@link X509ExtendedTrustManager} which can be updated with new CA certificates while in use. + * + * @author bjorncs + */ +public class MutableX509TrustManager extends X509ExtendedTrustManager { + + private volatile X509ExtendedTrustManager currentManager; + + public MutableX509TrustManager(KeyStore truststore) { + this.currentManager = TrustManagerUtils.createDefaultX509TrustManager(truststore); + } + + public MutableX509TrustManager() { + this.currentManager = TrustManagerUtils.createDefaultX509TrustManager(); + } + + public void updateTruststore(KeyStore truststore) { + this.currentManager = TrustManagerUtils.createDefaultX509TrustManager(truststore); + } + + public void useDefaultTruststore() { + this.currentManager = TrustManagerUtils.createDefaultX509TrustManager(); + } + + @Override + public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { + currentManager.checkClientTrusted(chain, authType); + } + + @Override + public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { + currentManager.checkServerTrusted(chain, authType); + } + + @Override + public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException { + currentManager.checkClientTrusted(chain, authType, socket); + } + + @Override + public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException { + currentManager.checkServerTrusted(chain, authType, socket); + } + + @Override + public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine sslEngine) throws CertificateException { + currentManager.checkClientTrusted(chain, authType, sslEngine); + } + + @Override + public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine sslEngine) throws CertificateException { + currentManager.checkServerTrusted(chain, authType, sslEngine); + } + + @Override + public X509Certificate[] getAcceptedIssuers() { + return currentManager.getAcceptedIssuers(); + } +} diff --git a/security-utils/src/test/java/com/yahoo/security/tls/MutableX509TrustManagerTest.java b/security-utils/src/test/java/com/yahoo/security/tls/MutableX509TrustManagerTest.java new file mode 100644 index 00000000000..4c4ea332818 --- /dev/null +++ b/security-utils/src/test/java/com/yahoo/security/tls/MutableX509TrustManagerTest.java @@ -0,0 +1,59 @@ +// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. +package com.yahoo.security.tls; + +import com.yahoo.security.KeyAlgorithm; +import com.yahoo.security.KeyStoreBuilder; +import com.yahoo.security.KeyStoreType; +import com.yahoo.security.KeyUtils; +import com.yahoo.security.SignatureAlgorithm; +import com.yahoo.security.X509CertificateBuilder; +import org.junit.Test; + +import javax.security.auth.x500.X500Principal; +import java.math.BigInteger; +import java.security.KeyPair; +import java.security.KeyStore; +import java.security.cert.X509Certificate; +import java.time.Instant; + +import static java.time.temporal.ChronoUnit.DAYS; +import static org.assertj.core.api.Assertions.assertThat; + +/** + * @author bjorncs + */ +public class MutableX509TrustManagerTest { + + @Test + public void key_manager_can_be_updated_with_new_certificate() { + KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.EC); + + X509Certificate initialCertificate = generateCertificate(new X500Principal("CN=issuer1"), keyPair); + KeyStore initialTruststore = generateTruststore(initialCertificate); + + MutableX509TrustManager trustManager = new MutableX509TrustManager(initialTruststore); + + X509Certificate[] initialAcceptedIssuers = trustManager.getAcceptedIssuers(); + assertThat(initialAcceptedIssuers).containsExactly(initialCertificate); + + X509Certificate updatedCertificate = generateCertificate(new X500Principal("CN=issuer2"), keyPair); + KeyStore updatedTruststore = generateTruststore(updatedCertificate); + trustManager.updateTruststore(updatedTruststore); + + X509Certificate[] updatedAcceptedIssuers = trustManager.getAcceptedIssuers(); + assertThat(updatedAcceptedIssuers).containsExactly(updatedCertificate); + } + + private static X509Certificate generateCertificate(X500Principal issuer, KeyPair keyPair) { + return X509CertificateBuilder.fromKeypair( + keyPair, issuer, Instant.EPOCH, Instant.EPOCH.plus(1, DAYS), SignatureAlgorithm.SHA256_WITH_ECDSA, BigInteger.ONE) + .build(); + } + + private static KeyStore generateTruststore(X509Certificate certificate) { + return KeyStoreBuilder.withType(KeyStoreType.PKCS12) + .withCertificateEntry("default", certificate) + .build(); + } + +}
\ No newline at end of file |