author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2020-05-28 15:15:20 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-05-28 15:15:20 +0200 |
commit | 9f13db56dd103aa03154facd0dbaf3634dc6878e (patch) | |
tree | 6aae503350b470c17200a90a149031f2ad2b12c2 /security-utils | |
parent | 4552075772789e0db6d4ab0e21157b393274432b (diff) | |
parent | 848fa86f8836ba6b7d5840cc59b46dff9111010e (diff) |
Merge pull request #13257 from vespa-engine/bjorncs/service-identity-provider-improvements
Expose underlying certificate and private key from SiaIdentityProvider
Diffstat (limited to 'security-utils')
-rw-r--r-- | security-utils/src/main/java/com/yahoo/security/X509CertificateWithKey.java | 33 | ||||
-rw-r--r-- | security-utils/src/main/java/com/yahoo/security/tls/AutoReloadingX509KeyManager.java | 10 |
2 files changed, 42 insertions, 1 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/X509CertificateWithKey.java b/security-utils/src/main/java/com/yahoo/security/X509CertificateWithKey.java
new file mode 100644
index 00000000000..4772de5c1fb
--- /dev/null
+++ b/security-utils/src/main/java/com/yahoo/security/X509CertificateWithKey.java
@@ -0,0 +1,33 @@
+// Copyright Verizon Media. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.security;
+
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * Wraps a {@link java.security.cert.X509Certificate} with its {@link java.security.PrivateKey}.
+ * Primary motivation is APIs where the callee must correctly observe an atomic update of both certificate and key.
+ *
+ * @author bjorncs
+ */
+public class X509CertificateWithKey {
+
+ private final List<X509Certificate> certificate;
+ private final PrivateKey privateKey;
+
+ public X509CertificateWithKey(X509Certificate certificate, PrivateKey privateKey) {
+ this(Collections.singletonList(certificate), privateKey);
+ }
+
+ public X509CertificateWithKey(List<X509Certificate> certificate, PrivateKey privateKey) {
+ if (certificate.isEmpty()) throw new IllegalArgumentException();
+ this.certificate = certificate;
+ this.privateKey = privateKey;
+ }
+
+ public X509Certificate certificate() { return certificate.get(0); }
+ public List<X509Certificate> certificateWithIntermediates() { return certificate; }
+ public PrivateKey privateKey() { return privateKey; }
+}
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/AutoReloadingX509KeyManager.java b/security-utils/src/main/java/com/yahoo/security/tls/AutoReloadingX509KeyManager.java
index 18764f51dc5..d4e74e22e40 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/AutoReloadingX509KeyManager.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/AutoReloadingX509KeyManager.java
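Review bot: The list constructor stores the caller's list by reference on the `this.certificate = certificate;` line, and `certificateWithIntermediates()` hands that same list back out, so any holder of the original list can alter the chain after construction — which undercuts the class Javadoc's goal that callers observe certificate and key as one consistent pair. Snapshot it instead, `this.certificate = List.copyOf(certificate);` (Java 10+; on older targets `Collections.unmodifiableList(new ArrayList<>(certificate))`), which also rejects null elements. The same constructor should fail early on a missing key, `this.privateKey = Objects.requireNonNull(privateKey, "privateKey");` (needs a `java.util.Objects` import), and the empty-chain `IllegalArgumentException` would be more useful with a message such as `"Certificate chain must not be empty"`. The single-certificate constructor inherits these checks through `this(...)`, so nothing else changes.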
@@ -5,19 +5,20 @@ import com.yahoo.security.KeyStoreBuilder; import com.yahoo.security.KeyStoreType; import com.yahoo.security.KeyUtils; import com.yahoo.security.X509CertificateUtils; +import com.yahoo.security.X509CertificateWithKey; import javax.net.ssl.SSLEngine; import javax.net.ssl.X509ExtendedKeyManager; import java.io.IOException; import java.io.UncheckedIOException; import java.net.Socket; -import java.nio.file.Files; import java.nio.file.Path; import java.security.KeyStore; import java.security.Principal; import java.security.PrivateKey; import java.security.cert.X509Certificate; import java.time.Duration; +import java.util.Arrays; import java.util.concurrent.Executors; import java.util.concurrent.ScheduledExecutorService; import java.util.concurrent.TimeUnit; @@ -59,6 +60,13 @@ public class AutoReloadingX509KeyManager extends X509ExtendedKeyManager implemen return new AutoReloadingX509KeyManager(privateKeyFile, certificatesFile); } + public X509CertificateWithKey getCurrentCertificateWithKey() { + X509ExtendedKeyManager manager = mutableX509KeyManager.currentManager(); + X509Certificate[] certificateChain = manager.getCertificateChain(CERTIFICATE_ALIAS); + PrivateKey privateKey = manager.getPrivateKey(CERTIFICATE_ALIAS); + return new X509CertificateWithKey(Arrays.asList(certificateChain), privateKey); + } + private static KeyStore createKeystore(Path privateKey, Path certificateChain) { try { return KeyStoreBuilder.withType(KeyStoreType.PKCS12) |
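Review bot: `getCurrentCertificateWithKey()` does not handle a null result from `manager.getCertificateChain(CERTIFICATE_ALIAS)` or `manager.getPrivateKey(CERTIFICATE_ALIAS)`; the `X509KeyManager` contract returns null for an alias it cannot find, which here would surface as a `NullPointerException` inside `Arrays.asList` or, worse, as a wrapper carrying a null key. Add an explicit check before the return, `if (certificateChain == null || privateKey == null) throw new IllegalStateException("No certificate/key found for alias '" + CERTIFICATE_ALIAS + "'");`. Reading both values from the same `manager` snapshot is what makes the returned pair consistent across reloads, and that intent deserves a comment on the `currentManager()` line, e.g. `// read chain and key from the same snapshot so the pair is consistent across reloads`. `CERTIFICATE_ALIAS` and `mutableX509KeyManager` are declared outside the hunk, so I am assuming the alias is the one the keystore is built with.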