Add helper methods in TlsContext to determine allowed ciphers/protocols

author: Bjørn Christian Seime <bjorncs@verizonmedia.com> 2019-11-25 17:02:12 +0100
committer: Bjørn Christian Seime <bjorncs@verizonmedia.com> 2019-11-25 17:39:36 +0100
commit: f470e9913311bbca1d62f11c1d2d1f13193bca61 (patch)
tree: c9f79732609b071d7536a74bb1192b1bb0f1c55c /security-utils
parent: 3f1c5a2c64cd24fd85f5af58b9a7bdd89dca80c5 (diff)
2 files changed, 49 insertions, 26 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
index 572461c6cdd..f4a89da988a 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
@@ -10,7 +10,6 @@ import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLParameters;
 import java.security.PrivateKey;
 import java.security.cert.X509Certificate;
-import java.util.Arrays;
 import java.util.List;
 import java.util.Set;
 import java.util.logging.Level;
@@ -55,32 +54,23 @@ public class DefaultTlsContext implements TlsContext {
     }
 
     private static String[] getAllowedCiphers(SSLContext sslContext, Set<String> acceptedCiphers) {
-        String[] supportedCipherSuites = sslContext.getSupportedSSLParameters().getCipherSuites();
-        String[] validCipherSuites = Arrays.stream(supportedCipherSuites)
-                .filter(suite -> ALLOWED_CIPHER_SUITES.contains(suite) && acceptedCiphers.contains(suite))
+        Set<String> supportedCiphers = TlsContext.getAllowedCipherSuites(sslContext);
+        String[] allowedCiphers = supportedCiphers.stream()
+                .filter(acceptedCiphers::contains)
                 .toArray(String[]::new);
-        if (validCipherSuites.length == 0) {
+        if (allowedCiphers.length == 0) {
             throw new IllegalStateException(
-                    String.format("None of the allowed cipher suites are supported " +
-                                          "(allowed-cipher-suites=%s, supported-cipher-suites=%s, accepted-cipher-suites=%s)",
-                                  ALLOWED_CIPHER_SUITES, List.of(supportedCipherSuites), acceptedCiphers));
+                    String.format("None of the accepted ciphers are supported (supported=%s, accepted=%s)",
+                                  supportedCiphers, acceptedCiphers));
         }
-        log.log(Level.FINE, () -> String.format("Allowed cipher suites that are supported: %s", List.of(validCipherSuites)));
-        return validCipherSuites;
+        log.log(Level.FINE, () -> String.format("Allowed cipher suites that are supported: %s", List.of(allowedCiphers)));
+        return allowedCiphers;
     }
 
     private static String[] getAllowedProtocols(SSLContext sslContext) {
-        String[] supportedProtocols = sslContext.getSupportedSSLParameters().getProtocols();
-        String[] validProtocols = Arrays.stream(supportedProtocols)
-                .filter(ALLOWED_PROTOCOLS::contains)
-                .toArray(String[]::new);
-        if (validProtocols.length == 0) {
-            throw new IllegalArgumentException(
-                    String.format("None of the allowed protocols are supported (allowed-protocols=%s, supported-protocols=%s)",
-                                  ALLOWED_PROTOCOLS, List.of(supportedProtocols)));
-        }
-        log.log(Level.FINE, () -> String.format("Allowed protocols that are supported: %s", List.of(validProtocols)));
-        return validProtocols;
+        Set<String> allowedProtocols = TlsContext.getAllowedProtocols(sslContext);
+        log.log(Level.FINE, () -> String.format("Allowed protocols that are supported: %s", List.of(allowedProtocols)));
+        return allowedProtocols.toArray(String[]::new);
     }
 
     @Override
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
index 6ad5f6c3612..0c09faf459f 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
@@ -4,8 +4,11 @@ package com.yahoo.security.tls;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLParameters;
+import java.util.Arrays;
 import java.util.Set;
 
+import static java.util.stream.Collectors.toSet;
+
 /**
  * A simplified version of {@link SSLContext} modelled as an interface.
  *
@@ -20,22 +23,52 @@ public interface TlsContext extends AutoCloseable {
      * For TLSv1.3 we allow the DEFAULT group ciphers.
      * Note that we _only_ allow AEAD ciphers for either TLS version.
      */
-    // TODO: Remove TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
-    // TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 and TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256?
-    // These cipher suites are not supported in Java 11, see https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/master/src/java.base/share/classes/sun/security/ssl/CipherSuite.java
     Set<String> ALLOWED_CIPHER_SUITES = Set.of(
             "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
             "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
-            "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
+            "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", // Java 12
             "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
             "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
             "TLS_AES_128_GCM_SHA256", // TLSv1.3
             "TLS_AES_256_GCM_SHA384", // TLSv1.3
-            "TLS_CHACHA20_POLY1305_SHA256"); // TLSv1.3
+            "TLS_CHACHA20_POLY1305_SHA256"); // TLSv1.3, Java 12
 
     Set<String> ALLOWED_PROTOCOLS = Set.of("TLSv1.2"); // TODO Enable TLSv1.3
 
+    /**
+     * @return the allowed cipher suites supported by the provided context instance
+     */
+    static Set<String> getAllowedCipherSuites(SSLContext context) {
+        String[] supportedCiphers = context.getSupportedSSLParameters().getCipherSuites();
+        Set<String> enabledCiphers = Arrays.stream(supportedCiphers)
+                .filter(ALLOWED_CIPHER_SUITES::contains)
+                .collect(toSet());
+        if (enabledCiphers.isEmpty()) {
+            throw new IllegalArgumentException(
+                    String.format("Non of the allowed ciphers are supported (allowed=%s, supported=%s)",
+                                  ALLOWED_CIPHER_SUITES, Arrays.toString(supportedCiphers)));
+
+        }
+        return enabledCiphers;
+    }
+
+    /**
+     * @return the allowed protocols supported by the provided context instance
+     */
+    static Set<String> getAllowedProtocols(SSLContext context) {
+        String[] supportedProtocols = context.getSupportedSSLParameters().getProtocols();
+        Set<String> enabledProtocols = Arrays.stream(supportedProtocols)
+                .filter(ALLOWED_PROTOCOLS::contains)
+                .collect(toSet());
+        if (enabledProtocols.isEmpty()) {
+            throw new IllegalArgumentException(
+                    String.format("Non of the allowed protocols are supported (allowed=%s, supported=%s)",
+                                  ALLOWED_PROTOCOLS, Arrays.toString(supportedProtocols)));
+        }
+        return enabledProtocols;
+    }
+
     SSLContext context();
 
     SSLParameters parameters();
author	Bjørn Christian Seime <bjorncs@verizonmedia.com>	2019-11-25 17:02:12 +0100
committer	Bjørn Christian Seime <bjorncs@verizonmedia.com>	2019-11-25 17:39:36 +0100
commit	f470e9913311bbca1d62f11c1d2d1f13193bca61 (patch)
tree	c9f79732609b071d7536a74bb1192b1bb0f1c55c /security-utils
parent	3f1c5a2c64cd24fd85f5af58b9a7bdd89dca80c5 (diff)