author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-01-17 14:06:47 +0100 |
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-01-18 09:30:57 +0100 |
commit | 02b5e6e2dde58b7296ceb4bbd0904d63e4af518e (patch) | |
tree | 9a1965939b4dbd15d5a9771f76e21141f61c42bf /vespa-athenz | |
parent | fa51c2160c36082d12a22508ebe665df091b44fe (diff) |
Add builder helper for SSLContext in vespa-athenz
Use new builder in AthenzSslContextProviderImpl
Diffstat (limited to 'vespa-athenz')
-rw-r--r-- | vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzSslContextBuilder.java | 125 | ||||
-rw-r--r-- | vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/package-info.java | 9 |
2 files changed, 134 insertions, 0 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzSslContextBuilder.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzSslContextBuilder.java
new file mode 100644
index 00000000000..513191d7c83
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzSslContextBuilder.java
@@ -0,0 +1,125 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.athenz.tls;
+
+import com.yahoo.vespa.athenz.api.AthenzIdentityCertificate;
+
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.UncheckedIOException;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.Certificate;
+
+/**
+ * @author bjorncs
+ */
+public class AthenzSslContextBuilder {
+
+ private KeyStoreSupplier trustStoreSupplier;
+ private KeyStoreSupplier keyStoreSupplier;
+ private char[] keyStorePassword;
+
+ public AthenzSslContextBuilder() {}
+
+ public AthenzSslContextBuilder withTrustStore(File file, String trustStoreType) {
+ this.trustStoreSupplier = () -> loadKeyStoreFromFile(file, null, trustStoreType);
+ return this;
+ }
+
+ public AthenzSslContextBuilder withTrustStore(KeyStore trustStore) {
+ this.trustStoreSupplier = () -> trustStore;
+ return this;
+ }
+
+ public AthenzSslContextBuilder withIdentityCertificate(AthenzIdentityCertificate certificate) {
+ char[] pwd = new char[0];
+ this.keyStoreSupplier = () -> {
+ KeyStore keyStore = KeyStore.getInstance("JKS");
+ keyStore.load(null);
+ keyStore.setKeyEntry(
+ "athenz-identity", certificate.getPrivateKey(), pwd, new Certificate[]{certificate.getCertificate()});
+ return keyStore;
+ };
+ this.keyStorePassword = pwd;
+ return this;
+ }
+
+ public AthenzSslContextBuilder withKeyStore(KeyStore keyStore, char[] password) {
+ this.keyStoreSupplier = () -> keyStore;
+ this.keyStorePassword = password;
+ return this;
+ }
+
+ public AthenzSslContextBuilder withKeyStore(File file, char[] password, String keyStoreType) {
+ this.keyStoreSupplier = () -> loadKeyStoreFromFile(file, password, keyStoreType);
+ this.keyStorePassword = password;
+ return this;
+ }
+
+ public SSLContext build() {
+ try {
+ SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
+ TrustManager[] trustManagers =
+ trustStoreSupplier != null ? createTrustManagers(trustStoreSupplier) : getDefaultTrustManagers();
+ KeyManager[] keyManagers =
+ keyStoreSupplier != null ? createKeyManagers(keyStoreSupplier, keyStorePassword) : getDefaultKeyManagers();
+ sslContext.init(keyManagers, trustManagers, null);
+ return sslContext;
+ } catch (GeneralSecurityException e) {
+ throw new RuntimeException(e);
+ } catch (IOException e) {
+ throw new UncheckedIOException(e);
+ }
+ }
+
+ private static TrustManager[] createTrustManagers(KeyStoreSupplier trustStoreSupplier)
+ throws GeneralSecurityException, IOException {
+ TrustManagerFactory trustManagerFactory = getTrustManagerFactory();
+ trustManagerFactory.init(trustStoreSupplier.get());
+ return trustManagerFactory.getTrustManagers();
+ }
+
+ private static KeyManager[] createKeyManagers(KeyStoreSupplier keyStoreSupplier, char[] password)
+ throws GeneralSecurityException, IOException {
+ KeyManagerFactory keyManagerFactory = getKeyManagerFactory();
+ keyManagerFactory.init(keyStoreSupplier.get(), password);
+ return keyManagerFactory.getKeyManagers();
+ }
+
+ private static KeyManager[] getDefaultKeyManagers() throws NoSuchAlgorithmException {
+ return getKeyManagerFactory().getKeyManagers();
+ }
+
+ private static TrustManager[] getDefaultTrustManagers() throws NoSuchAlgorithmException {
+ return getTrustManagerFactory().getTrustManagers();
+ }
+
+ private static KeyManagerFactory getKeyManagerFactory() throws NoSuchAlgorithmException {
+ return KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+ }
+
+ private static TrustManagerFactory getTrustManagerFactory() throws NoSuchAlgorithmException {
+ return TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+ }
+
+ private static KeyStore loadKeyStoreFromFile(File file, char[] password, String keyStoreType)
+ throws IOException, GeneralSecurityException{
+ KeyStore keyStore = KeyStore.getInstance(keyStoreType);
+ try (FileInputStream in = new FileInputStream(file)) {
+ keyStore.load(in, password);
+ }
+ return keyStore;
+ }
+
+ private interface KeyStoreSupplier {
+ KeyStore get() throws IOException, GeneralSecurityException;
+ }
+
+}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/package-info.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/package-info.java
new file mode 100644
index 00000000000..f1fa2c35bc6
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/package-info.java
@@ -0,0 +1,9 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+/**
+ * @author bjorncs
+ */
+
+@ExportPackage
+package com.yahoo.vespa.athenz.tls;
+
+import com.yahoo.osgi.annotation.ExportPackage;
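Review bot: getDefaultKeyManagers() and getDefaultTrustManagers() call getKeyManagers()/getTrustManagers() on a factory that was never init()-ed, and the JDK's factory implementations throw IllegalStateException from those getters before init(), so a builder with only a trust store or only a key store configured fails in build(), and that exception is not covered by the GeneralSecurityException/IOException handlers there. The smallest fix is to let SSLContext supply the defaults by passing null for the unconfigured side, `TrustManager[] trustManagers = trustStoreSupplier != null ? createTrustManagers(trustStoreSupplier) : null;` and `KeyManager[] keyManagers = keyStoreSupplier != null ? createKeyManagers(keyStoreSupplier, keyStorePassword) : null;`, and delete the two unused helpers; SSLContext.init treats a null trust-manager array as "use the JDK default trust store" and a null key-manager array as "present no certificate". If the helpers are kept instead, each needs `factory.init((KeyStore) null)` respectively `factory.init((KeyStore) null, null)` before the getter is called. Either way, a class-level Javadoc should state what build() does when a side is left unconfigured and that file-backed stores are re-read on every build(), since the only documentation on the class is the @author tag.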
\ No newline at end of file |