author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-01-17 14:06:47 +0100 |
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-01-17 14:09:28 +0100 |
commit | 8703546dedda8353de7fa6957ab6cc3c8e4b9255 (patch) | |
tree | 7ba86cbaf3d301763e322958c1821a88a6c1038e /vespa-athenz | |
parent | ceec6d572c06ff812715c97d2c35383c48402f24 (diff) |
Add builder helper for SSLContext in vespa-athenz
Use new builder in AthenzSslContextProviderImpl
Diffstat (limited to 'vespa-athenz')
-rw-r--r-- | vespa-athenz/pom.xml | 4 | ||||
-rw-r--r-- | vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzSslContextBuilder.java | 125 |
2 files changed, 129 insertions, 0 deletions
diff --git a/vespa-athenz/pom.xml b/vespa-athenz/pom.xml
index 5312594472f..c3189443e43 100644
--- a/vespa-athenz/pom.xml
+++ b/vespa-athenz/pom.xml
@@ -140,6 +140,10 @@
 <groupId>org.apache.maven.plugins</groupId>
 <artifactId>maven-compiler-plugin</artifactId>
 </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-compiler-plugin</artifactId>
+ </plugin>
 </plugins>
 </build>
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzSslContextBuilder.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzSslContextBuilder.java
new file mode 100644
index 00000000000..513191d7c83
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzSslContextBuilder.java
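Review bot: The added `<plugin>` block declares `org.apache.maven.plugins:maven-compiler-plugin` a second time, directly below the existing declaration that the three context lines show; Maven uses the `groupId:artifactId` pair as the plugin key and warns that it must be unique, so the duplicate adds nothing. If a different plugin was intended, the `artifactId` in the added block needs correcting; otherwise the block should be dropped. The commit message does not mention the pom change, so a line explaining why it is needed would help the next reader.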
@@ -0,0 +1,125 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.athenz.tls;
+
+import com.yahoo.vespa.athenz.api.AthenzIdentityCertificate;
+
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.UncheckedIOException;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.Certificate;
+
+/**
+ * @author bjorncs
+ */
+public class AthenzSslContextBuilder {
+
+ private KeyStoreSupplier trustStoreSupplier;
+ private KeyStoreSupplier keyStoreSupplier;
+ private char[] keyStorePassword;
+
+ public AthenzSslContextBuilder() {}
+
+ public AthenzSslContextBuilder withTrustStore(File file, String trustStoreType) {
+ this.trustStoreSupplier = () -> loadKeyStoreFromFile(file, null, trustStoreType);
+ return this;
+ }
+
+ public AthenzSslContextBuilder withTrustStore(KeyStore trustStore) {
+ this.trustStoreSupplier = () -> trustStore;
+ return this;
+ }
+
+ public AthenzSslContextBuilder withIdentityCertificate(AthenzIdentityCertificate certificate) {
+ char[] pwd = new char[0];
+ this.keyStoreSupplier = () -> {
+ KeyStore keyStore = KeyStore.getInstance("JKS");
+ keyStore.load(null);
+ keyStore.setKeyEntry(
+ "athenz-identity", certificate.getPrivateKey(), pwd, new Certificate[]{certificate.getCertificate()});
+ return keyStore;
+ };
+ this.keyStorePassword = pwd;
+ return this;
+ }
+
+ public AthenzSslContextBuilder withKeyStore(KeyStore keyStore, char[] password) {
+ this.keyStoreSupplier = () -> keyStore;
+ this.keyStorePassword = password;
+ return this;
+ }
+
+ public AthenzSslContextBuilder withKeyStore(File file, char[] password, String keyStoreType) {
+ this.keyStoreSupplier = () -> loadKeyStoreFromFile(file, password, keyStoreType);
+ this.keyStorePassword = password;
+ return this;
+ }
+
+ public SSLContext build() {
+ try {
+ SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
+ TrustManager[] trustManagers =
+ trustStoreSupplier != null ? createTrustManagers(trustStoreSupplier) : getDefaultTrustManagers();
+ KeyManager[] keyManagers =
+ keyStoreSupplier != null ? createKeyManagers(keyStoreSupplier, keyStorePassword) : getDefaultKeyManagers();
+ sslContext.init(keyManagers, trustManagers, null);
+ return sslContext;
+ } catch (GeneralSecurityException e) {
+ throw new RuntimeException(e);
+ } catch (IOException e) {
+ throw new UncheckedIOException(e);
+ }
+ }
+
+ private static TrustManager[] createTrustManagers(KeyStoreSupplier trustStoreSupplier)
+ throws GeneralSecurityException, IOException {
+ TrustManagerFactory trustManagerFactory = getTrustManagerFactory();
+ trustManagerFactory.init(trustStoreSupplier.get());
+ return trustManagerFactory.getTrustManagers();
+ }
+
+ private static KeyManager[] createKeyManagers(KeyStoreSupplier keyStoreSupplier, char[] password)
+ throws GeneralSecurityException, IOException {
+ KeyManagerFactory keyManagerFactory = getKeyManagerFactory();
+ keyManagerFactory.init(keyStoreSupplier.get(), password);
+ return keyManagerFactory.getKeyManagers();
+ }
+
+ private static KeyManager[] getDefaultKeyManagers() throws NoSuchAlgorithmException {
+ return getKeyManagerFactory().getKeyManagers();
+ }
+
+ private static TrustManager[] getDefaultTrustManagers() throws NoSuchAlgorithmException {
+ return getTrustManagerFactory().getTrustManagers();
+ }
+
+ private static KeyManagerFactory getKeyManagerFactory() throws NoSuchAlgorithmException {
+ return KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+ }
+
+ private static TrustManagerFactory getTrustManagerFactory() throws NoSuchAlgorithmException {
+ return TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+ }
+
+ private static KeyStore loadKeyStoreFromFile(File file, char[] password, String keyStoreType)
+ throws IOException, GeneralSecurityException{
+ KeyStore keyStore = KeyStore.getInstance(keyStoreType);
+ try (FileInputStream in = new FileInputStream(file)) {
+ keyStore.load(in, password);
+ }
+ return keyStore;
+ }
+
+ private interface KeyStoreSupplier {
+ KeyStore get() throws IOException, GeneralSecurityException;
+ }
+
+}
|
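Review bot: `getDefaultKeyManagers` and `getDefaultTrustManagers` call `getKeyManagers()`/`getTrustManagers()` on a factory that was never initialised, and both JDK factory classes document that call as throwing `IllegalStateException` before `init`, so `build()` fails whenever only one of the two stores has been configured and the other falls into its default branch. Either initialise the factories first — `keyManagerFactory.init(null, null)` and `trustManagerFactory.init((KeyStore) null)`, the latter selecting the JDK's default trust store — or have the default branches yield `null`, which `SSLContext.init` documents as "use the installed provider's default". Since `init` may throw `KeyStoreException`/`UnrecoverableKeyException`, widen the two `throws NoSuchAlgorithmException` clauses to `GeneralSecurityException`; `build()` already catches that. A Javadoc line on `build()` stating that an unconfigured trust store falls back to the platform default trust store would make visible to callers which peers an unconfigured context will accept.
```java
private static KeyManager[] getDefaultKeyManagers() throws GeneralSecurityException {
    KeyManagerFactory keyManagerFactory = getKeyManagerFactory();
    keyManagerFactory.init(null, null); // no credentials configured: provider default
    return keyManagerFactory.getKeyManagers();
}

private static TrustManager[] getDefaultTrustManagers() throws GeneralSecurityException {
    TrustManagerFactory trustManagerFactory = getTrustManagerFactory();
    trustManagerFactory.init((KeyStore) null); // null keystore: JDK default trust store
    return trustManagerFactory.getTrustManagers();
}
// … unchanged: getKeyManagerFactory, getTrustManagerFactory, loadKeyStoreFromFile …
```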