authorBjørn Christian Seime <bjorncs@verizonmedia.com>2020-05-28 15:15:20 +0200
committerGitHub <noreply@github.com>2020-05-28 15:15:20 +0200
commit9f13db56dd103aa03154facd0dbaf3634dc6878e (patch)
tree6aae503350b470c17200a90a149031f2ad2b12c2 /security-utils
parent4552075772789e0db6d4ab0e21157b393274432b (diff)
parent848fa86f8836ba6b7d5840cc59b46dff9111010e (diff)
Merge pull request #13257 from vespa-engine/bjorncs/service-identity-provider-improvements
Expose underlying certificate and private key from SiaIdentityProvider
Diffstat (limited to 'security-utils')
-rw-r--r--security-utils/src/main/java/com/yahoo/security/X509CertificateWithKey.java33
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/AutoReloadingX509KeyManager.java10
2 files changed, 42 insertions, 1 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/X509CertificateWithKey.java b/security-utils/src/main/java/com/yahoo/security/X509CertificateWithKey.java
new file mode 100644
index 00000000000..4772de5c1fb
--- /dev/null
+++ b/security-utils/src/main/java/com/yahoo/security/X509CertificateWithKey.java
@@ -0,0 +1,33 @@
+// Copyright Verizon Media. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.security;
+
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * Wraps a {@link java.security.cert.X509Certificate} with its {@link java.security.PrivateKey}.
+ * Primary motivation is APIs where the callee must correctly observe an atomic update of both certificate and key.
+ *
+ * @author bjorncs
+ */
+public class X509CertificateWithKey {
+
+ private final List<X509Certificate> certificate;
+ private final PrivateKey privateKey;
+
+ public X509CertificateWithKey(X509Certificate certificate, PrivateKey privateKey) {
+ this(Collections.singletonList(certificate), privateKey);
+ }
+
+ public X509CertificateWithKey(List<X509Certificate> certificate, PrivateKey privateKey) {
+ if (certificate.isEmpty()) throw new IllegalArgumentException();
+ this.certificate = certificate;
+ this.privateKey = privateKey;
+ }
+
+ public X509Certificate certificate() { return certificate.get(0); }
+ public List<X509Certificate> certificateWithIntermediates() { return certificate; }
+ public PrivateKey privateKey() { return privateKey; }
+}
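Review bot: The list constructor on line 48 stores the caller's `List` as-is and `certificateWithIntermediates()` hands the same reference back, so a caller that keeps its list can mutate the chain after construction, which undercuts the atomic-snapshot purpose stated in the class Javadoc; neither argument is null-checked, and the empty-chain `IllegalArgumentException` on line 49 carries no message. I would replace lines 49-51 with `if (certificate.isEmpty()) throw new IllegalArgumentException("certificate chain must not be empty");`, `this.certificate = Collections.unmodifiableList(new ArrayList<>(certificate));` (or `List.copyOf(certificate)` if the module targets Java 10+), and `this.privateKey = Objects.requireNonNull(privateKey, "privateKey");`, adding the `java.util.ArrayList` and `java.util.Objects` imports. The public constructors and accessors have no Javadoc; `certificate()` should state that it returns element 0 of the chain, presumably the end-entity certificate (confirm with callers), and `certificateWithIntermediates()` should document the expected ordering and that the returned list is read-only.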
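--- a/security-utils/src/main/java/com/yahoo/security/tls/AutoReloadingX509KeyManager.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/AutoReloadingX509KeyManager.java
@@ -5,19 +5,20 @@ import com.yahoo.security.KeyStoreBuilder;
 import com.yahoo.security.KeyStoreType;
 import com.yahoo.security.KeyUtils;
 import com.yahoo.security.X509CertificateUtils;
+import com.yahoo.security.X509CertificateWithKey;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.X509ExtendedKeyManager;
 import java.io.IOException;
 import java.io.UncheckedIOException;
 import java.net.Socket;
-import java.nio.file.Files;
 import java.nio.file.Path;
 import java.security.KeyStore;
 import java.security.Principal;
 import java.security.PrivateKey;
 import java.security.cert.X509Certificate;
 import java.time.Duration;
+import java.util.Arrays;
 import java.util.concurrent.Executors;
 import java.util.concurrent.ScheduledExecutorService;
 import java.util.concurrent.TimeUnit;
@@ -59,6 +60,13 @@ public class AutoReloadingX509KeyManager extends X509ExtendedKeyManager implemen
 return new AutoReloadingX509KeyManager(privateKeyFile, certificatesFile);
 }
+ public X509CertificateWithKey getCurrentCertificateWithKey() {
+ X509ExtendedKeyManager manager = mutableX509KeyManager.currentManager();
+ X509Certificate[] certificateChain = manager.getCertificateChain(CERTIFICATE_ALIAS);
+ PrivateKey privateKey = manager.getPrivateKey(CERTIFICATE_ALIAS);
+ return new X509CertificateWithKey(Arrays.asList(certificateChain), privateKey);
+ }
+
 private static KeyStore createKeystore(Path privateKey, Path certificateChain) {
 try {
 return KeyStoreBuilder.withType(KeyStoreType.PKCS12)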
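Review bot: `getCurrentCertificateWithKey()` (lines 86-91) does not handle the documented null return of `X509KeyManager.getCertificateChain` and `getPrivateKey` for an alias the current manager does not hold: `Arrays.asList(certificateChain)` would fail with a bare `NullPointerException`, and a null key would be wrapped silently into the returned `X509CertificateWithKey`. Add after line 89 `if (certificateChain == null || privateKey == null) throw new IllegalStateException("No key material available for alias " + CERTIFICATE_ALIAS);` so callers get a clear failure instead. Reading both values from the single `manager` snapshot taken on line 87 is what keeps certificate and key consistent if a reload happens concurrently (the reload mechanism and `mutableX509KeyManager` are outside this hunk), and that intent deserves a comment such as `// read chain and key from the same manager snapshot so a concurrent reload cannot pair an old key with a new certificate`. `Arrays.asList` is a fixed-size view backed by the array rather than a copy; if the wrapper is meant to be immutable, `List.copyOf`/a defensive copy here or in the wrapper would be safer. `createKeystore` continues outside the hunk.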