authorBjørn Christian Seime <bjorncs@verizonmedia.com>2019-02-14 12:47:41 +0100
committerBjørn Christian Seime <bjorncs@verizonmedia.com>2019-02-14 13:30:16 +0100
commitb78de773a9afab179b11be5af2b2d035b989a9dd (patch)
tree4348b28f0172c98156733e994188d8ca0b732975 /security-utils
parent245a9611bce4d9d214ccb76016b67b6ca441dd24 (diff)
Add utility classes for constructing default x509 trust/key manager
Diffstat (limited to 'security-utils')
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/KeyManagerUtils.java49
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/TrustManagerUtils.java50
2 files changed, 99 insertions, 0 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/KeyManagerUtils.java b/security-utils/src/main/java/com/yahoo/security/tls/KeyManagerUtils.java
new file mode 100644
index 00000000000..2e48de3c01f
--- /dev/null
+++ b/security-utils/src/main/java/com/yahoo/security/tls/KeyManagerUtils.java
@@ -0,0 +1,49 @@
+// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.security.tls;
+
+import com.yahoo.security.KeyStoreBuilder;
+import com.yahoo.security.KeyStoreType;
+
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.X509ExtendedKeyManager;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+import java.util.Arrays;
+import java.util.List;
+
+/**
+ * Utility methods for constructing {@link X509ExtendedKeyManager}.
+ *
+ * @author bjorncs
+ */
+public class KeyManagerUtils {
+
+ public static X509ExtendedKeyManager createDefaultX509KeyManager(KeyStore keystore, char[] password) {
+ try {
+ KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+ keyManagerFactory.init(keystore, password);
+ KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();
+ return Arrays.stream(keyManagers)
+ .filter(manager -> manager instanceof X509ExtendedKeyManager)
+ .map(X509ExtendedKeyManager.class::cast)
+ .findFirst()
+ .orElseThrow(() -> new RuntimeException("No X509ExtendedKeyManager in " + List.of(keyManagers)));
+ } catch (GeneralSecurityException e) {
+ throw new RuntimeException(e);
+ }
+ }
+
+ public static X509ExtendedKeyManager createDefaultX509KeyManager(PrivateKey privateKey, List<X509Certificate> certificateChain) {
+ KeyStore keystore = KeyStoreBuilder.withType(KeyStoreType.PKCS12)
+ .withKeyEntry("default", privateKey, certificateChain)
+ .build();
+ return createDefaultX509KeyManager(keystore, new char[0]);
+ }
+
+ public static X509ExtendedKeyManager createDefaultX509KeyManager() {
+ return createDefaultX509KeyManager(null, new char[0]);
+ }
+}
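Review bot: The no-argument overload at the end of the hunk initializes the KeyManagerFactory with a null KeyStore, and nothing in the Javadoc says what a key manager built that way holds — as I read the JDK's SunX509/NewSunX509 factories, a null store yields a manager with no credentials rather than one loaded from the javax.net.ssl.keyStore system properties, so a caller expecting platform credentials would get a manager that never presents a certificate. I would document that on the method: `/** Returns a key manager with no credentials: a null keystore is passed to the factory and the javax.net.ssl.keyStore system properties are not consulted (TODO confirm against the JDK factory in use). */`. The (PrivateKey, List) overload relies on KeyStoreBuilder protecting the entry with an empty password so that `new char[0]` on the following line matches; adding `Objects.requireNonNull(privateKey, "privateKey");` and a check that certificateChain is non-empty would replace the KeyStore's own IllegalArgumentException with a message that names the bad argument. Finally, `throw new RuntimeException(e)` in the catch block loses which operation failed; `throw new IllegalStateException("Failed to create X509ExtendedKeyManager", e);` keeps the cause and names it.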
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TrustManagerUtils.java b/security-utils/src/main/java/com/yahoo/security/tls/TrustManagerUtils.java
new file mode 100644
index 00000000000..f114b672ed8
--- /dev/null
+++ b/security-utils/src/main/java/com/yahoo/security/tls/TrustManagerUtils.java
@@ -0,0 +1,50 @@
+// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.security.tls;
+
+import com.yahoo.security.KeyStoreBuilder;
+import com.yahoo.security.KeyStoreType;
+
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509ExtendedTrustManager;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+import java.security.cert.X509Certificate;
+import java.util.Arrays;
+import java.util.List;
+
+/**
+ * Utility methods for constructing {@link X509ExtendedTrustManager}.
+ *
+ * @author bjorncs
+ */
+public class TrustManagerUtils {
+
+ public static X509ExtendedTrustManager createDefaultX509TrustManager(KeyStore truststore) {
+ try {
+ TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+ trustManagerFactory.init(truststore);
+ TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
+ return Arrays.stream(trustManagers)
+ .filter(manager -> manager instanceof X509ExtendedTrustManager)
+ .map(X509ExtendedTrustManager.class::cast)
+ .findFirst()
+ .orElseThrow(() -> new RuntimeException("No X509ExtendedTrustManager in " + List.of(trustManagers)));
+ } catch (GeneralSecurityException e) {
+ throw new RuntimeException(e);
+ }
+ }
+
+ public static X509ExtendedTrustManager createDefaultX509TrustManager(List<X509Certificate> certificates) {
+ KeyStoreBuilder truststoreBuilder = KeyStoreBuilder.withType(KeyStoreType.PKCS12);
+ for (int i = 0; i < certificates.size(); i++) {
+ truststoreBuilder.withCertificateEntry("cert-" + i, certificates.get(i));
+ }
+ KeyStore truststore = truststoreBuilder.build();
+ return createDefaultX509TrustManager(truststore);
+ }
+
+ public static X509ExtendedTrustManager createDefaultX509TrustManager() {
+ return createDefaultX509TrustManager((KeyStore) null);
+ }
+}
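Review bot: The no-argument overload on the last lines of the hunk passes a null KeyStore to TrustManagerFactory.init, which for the JDK's default (PKIX) factory, as I read TrustManagerFactoryImpl, means the platform trust store — javax.net.ssl.trustStore or $JAVA_HOME/lib/security/cacerts — is loaded, so "default" here trusts every CA in the JDK bundle; that is the opposite of the KeyManagerUtils sibling, where a null store appears to yield no credentials. For a utility meant to build trust from explicit certificates that asymmetry deserves a Javadoc line on the method, e.g. `/** Trust manager backed by the JDK platform trust store (javax.net.ssl.trustStore or cacerts); use the List overload to pin an explicit CA set. */`, so that callers do not widen their trust anchors by accident. The List overload should state that an empty list presumably yields a trust manager that rejects every peer (fails closed), and `Objects.requireNonNull(certificates, "certificates");` on its first line would catch a null argument before the loop's NullPointerException. As on the key-manager side, `throw new IllegalStateException("Failed to create X509ExtendedTrustManager", e);` would name the failed operation while keeping the cause.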