authorBjørn Christian Seime <bjorncs@oath.com>2018-01-24 17:15:06 +0100
committerBjørn Christian Seime <bjorncs@oath.com>2018-01-24 17:19:08 +0100
commit2502fc9021ac1672812ccf9522054994f8d0d0cc (patch)
tree0752aa671eaa024d5aa974181cf520fb20d34528 /vespa-athenz
parentadce581387f2bbd3739399cac2dc8c28fe11cc3a (diff)
Pass null to SSLContext.init() when keystore/truststore not specified
Diffstat (limited to 'vespa-athenz')
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzSslContextBuilder.java25
-rw-r--r--vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/AthenzSslContextBuilderTest.java68
2 files changed, 72 insertions, 21 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzSslContextBuilder.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzSslContextBuilder.java
index 513191d7c83..0c350356986 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzSslContextBuilder.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzSslContextBuilder.java
@@ -14,7 +14,6 @@ import java.io.IOException;
import java.io.UncheckedIOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
-import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
/**
@@ -67,9 +66,9 @@ public class AthenzSslContextBuilder {
try {
SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
TrustManager[] trustManagers =
- trustStoreSupplier != null ? createTrustManagers(trustStoreSupplier) : getDefaultTrustManagers();
+ trustStoreSupplier != null ? createTrustManagers(trustStoreSupplier) : null;
KeyManager[] keyManagers =
- keyStoreSupplier != null ? createKeyManagers(keyStoreSupplier, keyStorePassword) : getDefaultKeyManagers();
+ keyStoreSupplier != null ? createKeyManagers(keyStoreSupplier, keyStorePassword) : null;
sslContext.init(keyManagers, trustManagers, null);
return sslContext;
} catch (GeneralSecurityException e) {
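Review bot: The `null` passed for trustManagers and keyManagers on the two added lines changes the failure mode silently: where the removed `getDefaultTrustManagers()`/`getDefaultKeyManagers()` called `getTrustManagers()` on a factory that was never `init`-ed (which, as far as I can tell, throws at runtime), a builder with no truststore now yields a working context that trusts the JDK's default trust anchors, and one with no keystore yields a context with no client certificate. That is presumably the intent given the commit title, but it should be stated at the call site so a caller who forgot `withTrustStore(...)` is not surprised by the wider trust set; I'd add `// null => JDK defaults: system trust anchors for trust managers, no client certificate for key managers` above the `sslContext.init(...)` line. Also worth a short Javadoc note on `build()` (which starts and ends outside this hunk) saying that both stores are optional and what each default means.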
@@ -81,34 +80,18 @@ public class AthenzSslContextBuilder {
private static TrustManager[] createTrustManagers(KeyStoreSupplier trustStoreSupplier)
throws GeneralSecurityException, IOException {
- TrustManagerFactory trustManagerFactory = getTrustManagerFactory();
+ TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(trustStoreSupplier.get());
return trustManagerFactory.getTrustManagers();
}
private static KeyManager[] createKeyManagers(KeyStoreSupplier keyStoreSupplier, char[] password)
throws GeneralSecurityException, IOException {
- KeyManagerFactory keyManagerFactory = getKeyManagerFactory();
+ KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStoreSupplier.get(), password);
return keyManagerFactory.getKeyManagers();
}
- private static KeyManager[] getDefaultKeyManagers() throws NoSuchAlgorithmException {
- return getKeyManagerFactory().getKeyManagers();
- }
-
- private static TrustManager[] getDefaultTrustManagers() throws NoSuchAlgorithmException {
- return getTrustManagerFactory().getTrustManagers();
- }
-
- private static KeyManagerFactory getKeyManagerFactory() throws NoSuchAlgorithmException {
- return KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
- }
-
- private static TrustManagerFactory getTrustManagerFactory() throws NoSuchAlgorithmException {
- return TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
- }
-
private static KeyStore loadKeyStoreFromFile(File file, char[] password, String keyStoreType)
throws IOException, GeneralSecurityException{
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/AthenzSslContextBuilderTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/AthenzSslContextBuilderTest.java
new file mode 100644
index 00000000000..8666951b1f8
--- /dev/null
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/AthenzSslContextBuilderTest.java
@@ -0,0 +1,68 @@
+package com.yahoo.vespa.athenz.tls;
+
+import com.yahoo.athenz.auth.util.Crypto;
+import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.pkcs.PKCS10CertificationRequest;
+import org.junit.Test;
+
+import java.io.IOException;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.KeyStore;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+
+/**
+ * @author bjorncs
+ */
+public class AthenzSslContextBuilderTest {
+
+ private static final char[] PASSWORD = new char[0];
+
+ @Test
+ public void can_build_sslcontext_with_truststore_only() throws Exception {
+ new AthenzSslContextBuilder()
+ .withTrustStore(createKeystore())
+ .build();
+ }
+
+ @Test
+ public void can_build_sslcontext_with_keystore_only() throws Exception {
+ new AthenzSslContextBuilder()
+ .withKeyStore(createKeystore(), PASSWORD)
+ .build();
+ }
+
+ @Test
+ public void can_build_sslcontext_with_truststore_and_keystore() throws Exception {
+ new AthenzSslContextBuilder()
+ .withKeyStore(createKeystore(), PASSWORD)
+ .withTrustStore(createKeystore())
+ .build();
+ }
+
+ private static KeyStore createKeystore() throws Exception {
+ KeyPair keyPair = createKeyPair();
+ KeyStore keystore = KeyStore.getInstance("JKS");
+ keystore.load(null);
+ keystore.setKeyEntry("entry-name", keyPair.getPrivate(), PASSWORD, new Certificate[]{createCertificate(keyPair)});
+ return keystore;
+ }
+
+ private static X509Certificate createCertificate(KeyPair keyPair) throws
+ OperatorCreationException, IOException {
+ String x500Principal = "CN=mysubject";
+ PKCS10CertificationRequest csr =
+ Crypto.getPKCS10CertRequest(
+ Crypto.generateX509CSR(keyPair.getPrivate(), x500Principal, null));
+ return Crypto.generateX509Certificate(csr, keyPair.getPrivate(), new X500Name(x500Principal), 3600, false);
+ }
+
+ private static KeyPair createKeyPair() throws NoSuchAlgorithmException {
+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+ keyGen.initialize(512);
+ return keyGen.genKeyPair();
+ }
+} \ No newline at end of file
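Review bot: `keyGen.initialize(512)` in `createKeyPair()` ties the test to a key size that current JDKs already list under `jdk.certpath.disabledAlgorithms` (RSA keySize < 1024); the test passes today only because nothing here validates a certificate path, so a future TrustManagerFactory or KeyStore change could break it for reasons unrelated to the builder. If the small size is kept for speed, say so: `keyGen.initialize(512); // intentionally small for test speed; no chain validation happens in these tests`, otherwise use 2048. Separately, the three tests only assert that `build()` does not throw; pinning the new `null` branches would be stronger, e.g. `SSLContext ctx = ...build(); assertNotNull(ctx); assertEquals("TLSv1.2", ctx.getProtocol());` so a regression that returns a differently configured context is caught rather than just one that throws.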