author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-12-03 15:19:56 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-12-05 16:35:35 +0100 |
commit | caff08abecd3414fbb46bb002c22c36e1dede893 (patch) | |
tree | 08c9a8c08434294bc413f418f76c0df796fbc6ed /security-utils | |
parent | eef87496cbdd79a32367c07311eb7867c9ae2e89 (diff) |
Split ConfigFileManagedTlsContext into ReloadingTlsContext and DefaultTlsContext
Diffstat (limited to 'security-utils')
-rw-r--r-- | security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java (renamed from security-utils/src/main/java/com/yahoo/security/tls/ConfigFileManagedTlsContext.java) | 86 | ||||
-rw-r--r-- | security-utils/src/main/java/com/yahoo/security/tls/ReloadingTlsContext.java | 73 | ||||
-rw-r--r-- | security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java | 59 |
3 files changed, 169 insertions, 49 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/ConfigFileManagedTlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
index 2a40d5340ac..28f05b3c6d9 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/ConfigFileManagedTlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
@@ -4,29 +4,26 @@ package com.yahoo.security.tls;
 import com.yahoo.security.SslContextBuilder;
 import com.yahoo.security.tls.authz.PeerAuthorizerTrustManager;
 import com.yahoo.security.tls.authz.PeerAuthorizerTrustManagersFactory;
+import com.yahoo.security.tls.policy.AuthorizedPeers;
 
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
 import java.nio.file.Path;
-import java.time.Duration;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
 import java.util.Arrays;
 import java.util.List;
-import java.util.concurrent.Executors;
-import java.util.concurrent.ScheduledExecutorService;
-import java.util.concurrent.TimeUnit;
-import java.util.concurrent.atomic.AtomicReference;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 
 /**
- * A {@link TlsContext} that regularly reloads the credentials referred to from the transport security options file.
+ * A static {@link TlsContext}
  *
  * @author bjorncs
  */
-public class ConfigFileManagedTlsContext implements TlsContext {
+public class DefaultTlsContext implements TlsContext {
 
-    private static final Duration UPDATE_PERIOD = Duration.ofHours(1);
-    private static final List<String> ALLOWED_CIPHER_SUITS = Arrays.asList(
+    public static final List<String> ALLOWED_CIPHER_SUITS = Arrays.asList(
             "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
             "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
             "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
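Review bot: `ALLOWED_CIPHER_SUITS` is made a public constant in this hunk, but `Arrays.asList` returns a fixed-size list whose elements can still be replaced with `set`, so any caller holding the reference can weaken the allow-list for every engine this class creates. Wrap it: `public static final List<String> ALLOWED_CIPHER_SUITS = Collections.unmodifiableList(Arrays.asList(` with the matching extra `)` on the closing line of the list (context at the top of the next hunk) and `import java.util.Collections;`. Since the name only becomes API here, renaming it to `ALLOWED_CIPHER_SUITES` now would also fix the spelling before anything depends on it. The Javadoc `A static {@link TlsContext}` should say what static means for this class, e.g. `A {@link TlsContext} whose credentials are loaded once at construction and never reloaded.` The class body continues past this hunk.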
@@ -38,31 +35,25 @@ public class ConfigFileManagedTlsContext implements TlsContext {
             "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256");
 
-    private static final Logger log = Logger.getLogger(ConfigFileManagedTlsContext.class.getName());
+    private static final Logger log = Logger.getLogger(DefaultTlsContext.class.getName());
 
-    private final Path tlsOptionsConfigFile;
-    private final PeerAuthorizerTrustManager.Mode mode;
-    private final AtomicReference<SSLContext> currentSslContext;
-    private final ScheduledExecutorService scheduler =
-            Executors.newSingleThreadScheduledExecutor(runnable -> {
-                Thread thread = new Thread(runnable, "tls-context-reloader");
-                thread.setDaemon(true);
-                return thread;
-            });
+    private final SSLContext sslContext;
 
+    public DefaultTlsContext(List<X509Certificate> certificates,
+                             PrivateKey privateKey,
+                             List<X509Certificate> caCertificates,
+                             AuthorizedPeers authorizedPeers,
+                             PeerAuthorizerTrustManager.Mode mode) {
+        this.sslContext = createSslContext(certificates, privateKey, caCertificates, authorizedPeers, mode);
+    }
 
-    public ConfigFileManagedTlsContext(Path tlsOptionsConfigFile, PeerAuthorizerTrustManager.Mode mode) {
-        this.tlsOptionsConfigFile = tlsOptionsConfigFile;
-        this.mode = mode;
-        this.currentSslContext = new AtomicReference<>(createSslContext(tlsOptionsConfigFile, mode));
-        this.scheduler.scheduleAtFixedRate(new SslContextReloader(),
-                                           UPDATE_PERIOD.getSeconds()/*initial delay*/,
-                                           UPDATE_PERIOD.getSeconds(),
-                                           TimeUnit.SECONDS);
+    public DefaultTlsContext(Path tlsOptionsConfigFile, PeerAuthorizerTrustManager.Mode mode) {
+        this.sslContext = createSslContext(tlsOptionsConfigFile, mode);
     }
 
+    @Override
     public SSLEngine createSslEngine() {
-        SSLEngine sslEngine = currentSslContext.get().createSSLEngine();
+        SSLEngine sslEngine = sslContext.createSSLEngine();
         restrictSetOfEnabledCiphers(sslEngine);
         return sslEngine;
     }
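Review bot: `createSslEngine()` restricts only the cipher suites, not the protocol versions, so unless `SslContextBuilder` or `restrictSetOfEnabledCiphers` (both outside this hunk) already pin them, the engine keeps the JDK's default enabled protocols, which on Java 8 include TLSv1.0 and TLSv1.1. If the part of `ALLOWED_CIPHER_SUITS` that lies between the two hunks contains any SHA-1 CBC suites, those remain negotiable over the older versions. Add `sslEngine.setEnabledProtocols(new String[] {"TLSv1.2"});` next to `restrictSetOfEnabledCiphers(sslEngine);`. The new credentials constructor also accepts null for every argument and only fails later inside `createSslContext` with an NPE on `certificates.isEmpty()`, so an `Objects.requireNonNull` per parameter would report the mistake at the call site instead.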
@@ -78,6 +69,24 @@ public class ConfigFileManagedTlsContext implements TlsContext {
         sslEngine.setEnabledCipherSuites(validCipherSuits);
     }
 
+    private static SSLContext createSslContext(List<X509Certificate> certificates,
+                                               PrivateKey privateKey,
+                                               List<X509Certificate> caCertificates,
+                                               AuthorizedPeers authorizedPeers,
+                                               PeerAuthorizerTrustManager.Mode mode) {
+        SslContextBuilder builder = new SslContextBuilder();
+        if (!certificates.isEmpty()) {
+            builder.withKeyStore(privateKey, certificates);
+        }
+        if (!caCertificates.isEmpty()) {
+            builder.withTrustStore(caCertificates);
+        }
+        if (authorizedPeers != null) {
+            builder.withTrustManagerFactory(new PeerAuthorizerTrustManagersFactory(authorizedPeers, mode));
+        }
+        return builder.build();
+    }
+
     private static SSLContext createSslContext(Path tlsOptionsConfigFile, PeerAuthorizerTrustManager.Mode mode) {
         TransportSecurityOptions options = TransportSecurityOptions.fromJsonFile(tlsOptionsConfigFile);
         SslContextBuilder builder = new SslContextBuilder();
@@ -89,25 +98,4 @@ public class ConfigFileManagedTlsContext implements TlsContext {
         return builder.build();
     }
 
-    @Override
-    public void close() {
-        try {
-            scheduler.shutdownNow();
-            scheduler.awaitTermination(5, TimeUnit.SECONDS);
-        } catch (InterruptedException e) {
-            throw new RuntimeException(e);
-        }
-    }
-
-    private class SslContextReloader implements Runnable {
-        @Override
-        public void run() {
-            try {
-                currentSslContext.set(createSslContext(tlsOptionsConfigFile, mode));
-            } catch (Throwable t) {
-                log.log(Level.SEVERE, String.format("Failed to load SSLContext (path='%s'): %s", tlsOptionsConfigFile, t.getMessage()), t);
-            }
-        }
-    }
-
 }
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/ReloadingTlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/ReloadingTlsContext.java
new file mode 100644
index 00000000000..04e36d24a04
--- /dev/null
+++ b/security-utils/src/main/java/com/yahoo/security/tls/ReloadingTlsContext.java
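Review bot: In the new `createSslContext` overload, `mode` is silently ignored when `authorizedPeers` is null, because the `PeerAuthorizerTrustManagersFactory` is only installed inside the `if (authorizedPeers != null)` branch; a caller passing `Mode.ENFORCE` (the value the new test uses) together with a null policy gets a context with no peer authorization and no warning. Make that combination fail at construction, `if (authorizedPeers == null && mode == PeerAuthorizerTrustManager.Mode.ENFORCE) throw new IllegalArgumentException("authorizedPeers is required when mode is ENFORCE");`, or at minimum log it at WARNING through the existing `log`. Likewise an empty `caCertificates` skips `withTrustStore`, so whatever `SslContextBuilder` (outside this diff) falls back to, presumably the JDK default trust store, then decides which peers are trusted; a one-line comment saying that this fallback is intended would spare the next reader the question.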
@@ -0,0 +1,73 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.security.tls;
+
+import com.yahoo.security.tls.authz.PeerAuthorizerTrustManager;
+
+import javax.net.ssl.SSLEngine;
+import java.nio.file.Path;
+import java.time.Duration;
+import java.util.concurrent.Executors;
+import java.util.concurrent.ScheduledExecutorService;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.atomic.AtomicReference;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+/**
+ * A {@link TlsContext} that regularly reloads the credentials referred to from the transport security options file.
+ *
+ * @author bjorncs
+ */
+public class ReloadingTlsContext implements TlsContext {
+
+    private static final Duration UPDATE_PERIOD = Duration.ofHours(1);
+
+    private static final Logger log = Logger.getLogger(ReloadingTlsContext.class.getName());
+
+    private final Path tlsOptionsConfigFile;
+    private final PeerAuthorizerTrustManager.Mode mode;
+    private final AtomicReference<TlsContext> currentTlsContext;
+    private final ScheduledExecutorService scheduler =
+            Executors.newSingleThreadScheduledExecutor(runnable -> {
+                Thread thread = new Thread(runnable, "tls-context-reloader");
+                thread.setDaemon(true);
+                return thread;
+            });
+
+    public ReloadingTlsContext(Path tlsOptionsConfigFile, PeerAuthorizerTrustManager.Mode mode) {
+        this.tlsOptionsConfigFile = tlsOptionsConfigFile;
+        this.mode = mode;
+        this.currentTlsContext = new AtomicReference<>(new DefaultTlsContext(tlsOptionsConfigFile, mode));
+        this.scheduler.scheduleAtFixedRate(new SslContextReloader(),
+                                           UPDATE_PERIOD.getSeconds()/*initial delay*/,
+                                           UPDATE_PERIOD.getSeconds(),
+                                           TimeUnit.SECONDS);
+    }
+
+    @Override
+    public SSLEngine createSslEngine() {
+        return currentTlsContext.get().createSslEngine();
+    }
+
+    @Override
+    public void close() {
+        try {
+            scheduler.shutdownNow();
+            scheduler.awaitTermination(5, TimeUnit.SECONDS);
+        } catch (InterruptedException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    private class SslContextReloader implements Runnable {
+        @Override
+        public void run() {
+            try {
+                currentTlsContext.set(new DefaultTlsContext(tlsOptionsConfigFile, mode));
+            } catch (Throwable t) {
+                log.log(Level.SEVERE, String.format("Failed to load SSLContext (path='%s'): %s", tlsOptionsConfigFile, t.getMessage()), t);
+            }
+        }
+    }
+
+}
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java b/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java
new file mode 100644
index 00000000000..4809bad80c5
--- /dev/null
+++ b/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java
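Review bot: `close()` in `ReloadingTlsContext` catches `InterruptedException` and rethrows it as a `RuntimeException` without restoring the thread's interrupt status, so a caller interrupted while closing loses that signal; add `Thread.currentThread().interrupt();` before the `throw`. The reload behaviour itself is fail-safe in the right direction: the first load in the constructor throws, while a later failure in `SslContextReloader.run()` is logged at SEVERE and the previously loaded `DefaultTlsContext` stays in use until a subsequent attempt succeeds, which also means a rotated or revoked credential on disk can remain in service for at least `UPDATE_PERIOD`. The class Javadoc should say so, e.g. `Reloads the credentials every {@link #UPDATE_PERIOD}; if a reload fails the previously loaded context stays in effect until the next successful reload.`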
@@ -0,0 +1,59 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.security.tls;
+
+import com.yahoo.security.KeyUtils;
+import com.yahoo.security.X509CertificateBuilder;
+import com.yahoo.security.tls.authz.PeerAuthorizerTrustManager.Mode;
+import com.yahoo.security.tls.policy.AuthorizedPeers;
+import com.yahoo.security.tls.policy.HostGlobPattern;
+import com.yahoo.security.tls.policy.PeerPolicy;
+import com.yahoo.security.tls.policy.RequiredPeerCredential;
+import com.yahoo.security.tls.policy.Role;
+import org.junit.Test;
+
+import javax.net.ssl.SSLEngine;
+import javax.security.auth.x500.X500Principal;
+import java.security.KeyPair;
+import java.security.cert.X509Certificate;
+import java.time.Instant;
+
+import static com.yahoo.security.KeyAlgorithm.RSA;
+import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_RSA;
+import static com.yahoo.security.X509CertificateBuilder.generateRandomSerialNumber;
+import static java.time.Instant.EPOCH;
+import static java.time.temporal.ChronoUnit.DAYS;
+import static java.util.Collections.singleton;
+import static java.util.Collections.singletonList;
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * @author bjorncs
+ */
+public class DefaultTlsContextTest {
+
+    @Test
+    public void can_create_sslcontext_from_credentials() {
+        KeyPair keyPair = KeyUtils.generateKeypair(RSA);
+
+        X509Certificate certificate = X509CertificateBuilder
+                .fromKeypair(keyPair, new X500Principal("CN=dummy"), EPOCH, Instant.now().plus(1, DAYS), SHA256_WITH_RSA, generateRandomSerialNumber())
+                .build();
+
+        AuthorizedPeers authorizedPeers = new AuthorizedPeers(
+                singleton(
+                        new PeerPolicy(
+                                "dummy-policy",
+                                singleton(new Role("dummy-role")),
+                                singletonList(new RequiredPeerCredential(RequiredPeerCredential.Field.CN, new HostGlobPattern("dummy"))))));
+
+        DefaultTlsContext tlsContext =
+                new DefaultTlsContext(singletonList(certificate), keyPair.getPrivate(), singletonList(certificate), authorizedPeers, Mode.ENFORCE);
+
+        SSLEngine sslEngine = tlsContext.createSslEngine();
+        assertThat(sslEngine).isNotNull();
+        String[] enabledCiphers = sslEngine.getEnabledCipherSuites();
+        assertThat(enabledCiphers).isNotEmpty();
+        assertThat(enabledCiphers).isSubsetOf(DefaultTlsContext.ALLOWED_CIPHER_SUITS.toArray(new String[0]));
+    }
+
+}
\ No newline at end of file |
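Review bot: The test pins only that the enabled suites are a subset of `ALLOWED_CIPHER_SUITS`; nothing exercises the `authorizedPeers == null` branch of the new constructor or the `Path`-based constructor, so a regression that silently drops peer authorization would still pass. Consider a second case that constructs `DefaultTlsContext` with `null` for `authorizedPeers` and `Mode.ENFORCE` and asserts whichever outcome is intended, plus one for the file-based constructor using a temporary options file. Note that `isSubsetOf` is vacuously true for an empty array, so the `isNotEmpty()` assertion on the preceding line is what makes the cipher check meaningful and the two should stay together.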