authorBjørn Christian Seime <bjorncs@verizonmedia.com>2019-07-03 13:39:47 +0200
committerBjørn Christian Seime <bjorncs@verizonmedia.com>2019-07-03 15:15:56 +0200
commitfac5a80821f78cee3217b71c28ea2ddd5bc38841 (patch)
treec2760f6ee5974ee4ed08f9aad21d32e3d600e042 /security-utils
parente79a7e85d8f79e2cbf1495a6da468b3009ea4d2c (diff)
Make peer authentication in TlsContext configurable
Diffstat (limited to 'security-utils')
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/ConfigFiledBasedTlsContext.java3
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java28
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/PeerAuthentication.java9
-rw-r--r--security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java2
4 files changed, 34 insertions, 8 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/ConfigFiledBasedTlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/ConfigFiledBasedTlsContext.java
index c30f92cec63..a4bb04e620b 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/ConfigFiledBasedTlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/ConfigFiledBasedTlsContext.java
@@ -109,7 +109,8 @@ public class ConfigFiledBasedTlsContext implements TlsContext {
.orElseGet(() -> new PeerAuthorizerTrustManager(new AuthorizedPeers(Set.of()), AuthorizationMode.DISABLE, mutableTrustManager)))
.build();
List<String> acceptedCiphers = options.getAcceptedCiphers();
- return new DefaultTlsContext(sslContext, acceptedCiphers.isEmpty() ? TlsContext.ALLOWED_CIPHER_SUITES : new HashSet<>(acceptedCiphers));
+ Set<String> ciphers = acceptedCiphers.isEmpty() ? TlsContext.ALLOWED_CIPHER_SUITES : new HashSet<>(acceptedCiphers);
+ return new DefaultTlsContext(sslContext, ciphers, PeerAuthentication.NEED);
}
// Wrapped methods from TlsContext
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
index b2edf2f1ebc..572461c6cdd 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
@@ -28,27 +28,32 @@ public class DefaultTlsContext implements TlsContext {
private final SSLContext sslContext;
private final String[] validCiphers;
private final String[] validProtocols;
+ private final PeerAuthentication peerAuthentication;
public DefaultTlsContext(List<X509Certificate> certificates,
PrivateKey privateKey,
List<X509Certificate> caCertificates,
AuthorizedPeers authorizedPeers,
- AuthorizationMode mode) {
- this(createSslContext(certificates, privateKey, caCertificates, authorizedPeers, mode));
+ AuthorizationMode mode,
+ PeerAuthentication peerAuthentication) {
+ this(createSslContext(certificates, privateKey, caCertificates, authorizedPeers, mode), peerAuthentication);
}
+ public DefaultTlsContext(SSLContext sslContext, PeerAuthentication peerAuthentication) {
+ this(sslContext, TlsContext.ALLOWED_CIPHER_SUITES, peerAuthentication);
+ }
public DefaultTlsContext(SSLContext sslContext) {
- this(sslContext, TlsContext.ALLOWED_CIPHER_SUITES);
+ this(sslContext, TlsContext.ALLOWED_CIPHER_SUITES, PeerAuthentication.NEED);
}
- DefaultTlsContext(SSLContext sslContext, Set<String> acceptedCiphers) {
+ DefaultTlsContext(SSLContext sslContext, Set<String> acceptedCiphers, PeerAuthentication peerAuthentication) {
this.sslContext = sslContext;
+ this.peerAuthentication = peerAuthentication;
this.validCiphers = getAllowedCiphers(sslContext, acceptedCiphers);
this.validProtocols = getAllowedProtocols(sslContext);
}
-
private static String[] getAllowedCiphers(SSLContext sslContext, Set<String> acceptedCiphers) {
String[] supportedCipherSuites = sslContext.getSupportedSSLParameters().getCipherSuites();
String[] validCipherSuites = Arrays.stream(supportedCipherSuites)
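Review bot: The new three-argument constructor `DefaultTlsContext(SSLContext sslContext, Set<String> acceptedCiphers, PeerAuthentication peerAuthentication)` stores `peerAuthentication` without a null check, so a null passed by a caller is only caught later when the field is switched on in createSslParameters, as a NullPointerException that does not name the bad argument. Suggest `this.peerAuthentication = Objects.requireNonNull(peerAuthentication, "peerAuthentication");` (needs `java.util.Objects`, if the file does not already import it — the import block is outside this hunk). The two public constructors that take a PeerAuthentication carry no Javadoc; a one-line note on each, e.g. `/** peerAuthentication decides whether the server side of the handshake requires (NEED), requests (WANT) or ignores (DISABLED) a client certificate. */`, would help callers pick the right value, since the single-argument constructor silently keeps the old NEED behaviour. The enclosing class continues beyond this hunk.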
@@ -106,7 +111,18 @@ public class DefaultTlsContext implements TlsContext {
SSLParameters newParameters = sslContext.getDefaultSSLParameters();
newParameters.setCipherSuites(validCiphers);
newParameters.setProtocols(validProtocols);
- newParameters.setNeedClientAuth(true);
+ switch (peerAuthentication) {
+ case WANT:
+ newParameters.setWantClientAuth(true);
+ break;
+ case NEED:
+ newParameters.setNeedClientAuth(true);
+ break;
+ case DISABLED:
+ break;
+ default:
+ throw new UnsupportedOperationException("Unknown peer authentication: " + peerAuthentication);
+ }
return newParameters;
}
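Review bot: The `WANT` and `DISABLED` branches of the new switch let a peer that presents no certificate complete the handshake unauthenticated, and a trust manager such as the PeerAuthorizerTrustManager wired up in ConfigFiledBasedTlsContext only runs when a chain is actually presented, so AuthorizationMode.ENFORCE presumably gives no coverage for anonymous peers under those settings — worth stating in code so nobody assumes the authorizer still applies. Suggest a comment above the switch: `// WANT/DISABLED: a peer that sends no certificate completes the handshake unauthenticated and the peer authorizer never sees it; callers relying on peer identity must check SSLSession.getPeerCertificates() themselves.` Note also that the `setNeedClientAuth`/`setWantClientAuth` flags are server-side settings in JSSE and have no effect on an engine in client mode, which the enum name "peer authentication" does not convey. The `default` branch is unreachable with the three constants shown; `IllegalStateException` would describe that better than `UnsupportedOperationException`, though either is acceptable. createSslParameters' signature lies above this hunk.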
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthentication.java b/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthentication.java
new file mode 100644
index 00000000000..9aa7b642b4a
--- /dev/null
+++ b/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthentication.java
@@ -0,0 +1,9 @@
+// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.security.tls;
+
+/**
+ * @author bjorncs
+ */
+public enum PeerAuthentication {
+ WANT, NEED, DISABLED
+}
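Review bot: `PeerAuthentication` is a new public enum whose three constants have no documentation, and the WANT-versus-NEED distinction is exactly the one callers get wrong in TLS configuration. Suggest Javadoc on each constant: `/** A client certificate is requested; a peer that sends none still completes the handshake. */ WANT,`, `/** A client certificate is required; the handshake fails without one. */ NEED,`, `/** No client certificate is requested. */ DISABLED`. The type-level Javadoc should also say that the value is applied through the SSLParameters client-auth flags, which JSSE honours only on the server side of a handshake, so the setting is a no-op for engines in client mode.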
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java b/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java
index f27614a0ec3..727a64ae934 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java
@@ -46,7 +46,7 @@ public class DefaultTlsContextTest {
singletonList(new RequiredPeerCredential(RequiredPeerCredential.Field.CN, new HostGlobPattern("dummy"))))));
DefaultTlsContext tlsContext =
- new DefaultTlsContext(singletonList(certificate), keyPair.getPrivate(), singletonList(certificate), authorizedPeers, AuthorizationMode.ENFORCE);
+ new DefaultTlsContext(singletonList(certificate), keyPair.getPrivate(), singletonList(certificate), authorizedPeers, AuthorizationMode.ENFORCE, PeerAuthentication.NEED);
SSLEngine sslEngine = tlsContext.createSslEngine();
assertThat(sslEngine).isNotNull();
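Review bot: The test only passes `PeerAuthentication.NEED` and asserts that an engine is created, so the behaviour this commit makes configurable — the WANT and DISABLED branches — is not exercised, and a regression that dropped `setNeedClientAuth(true)` would not be caught either. Assuming createSslEngine applies the parameters built in createSslParameters, adding `assertThat(sslEngine.getNeedClientAuth()).isTrue();` here, plus a second case constructed with `PeerAuthentication.WANT` asserting `getWantClientAuth()` is true and `getNeedClientAuth()` is false, would pin the mapping. The test method continues beyond this hunk.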