authorjonmv <venstad@gmail.com>2023-11-23 15:27:27 +0100
committerjonmv <venstad@gmail.com>2023-11-23 15:27:27 +0100
commit5858fdc96779de4b8adf8fae3abd99851a8a95ce (patch)
tree0dde13b2af027e238da9bc14e1a73a0ed5b33327 /zookeeper-server
parent2790a62449b132a963ad3b391646c022d1a57e41 (diff)
Expore key and trust manager to ZK
Diffstat (limited to 'zookeeper-server')
-rw-r--r--zookeeper-server/zookeeper-server-3.8.1/src/main/java/com/yahoo/vespa/zookeeper/VespaMtlsAuthenticationProvider.java17
-rw-r--r--zookeeper-server/zookeeper-server-3.9.1/src/main/java/com/yahoo/vespa/zookeeper/VespaMtlsAuthenticationProvider.java17
-rw-r--r--zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/VespaSslContextProvider.java7
-rw-r--r--zookeeper-server/zookeeper-server/src/main/java/com/yahoo/vespa/zookeeper/VespaMtlsAuthenticationProvider.java17
4 files changed, 46 insertions, 12 deletions
diff --git a/zookeeper-server/zookeeper-server-3.8.1/src/main/java/com/yahoo/vespa/zookeeper/VespaMtlsAuthenticationProvider.java b/zookeeper-server/zookeeper-server-3.8.1/src/main/java/com/yahoo/vespa/zookeeper/VespaMtlsAuthenticationProvider.java
index 3c8a373f121..8bb88a83b10 100644
--- a/zookeeper-server/zookeeper-server-3.8.1/src/main/java/com/yahoo/vespa/zookeeper/VespaMtlsAuthenticationProvider.java
+++ b/zookeeper-server/zookeeper-server-3.8.1/src/main/java/com/yahoo/vespa/zookeeper/VespaMtlsAuthenticationProvider.java
@@ -2,12 +2,13 @@
package com.yahoo.vespa.zookeeper;
import org.apache.zookeeper.KeeperException;
-import org.apache.zookeeper.common.X509Exception;
import org.apache.zookeeper.data.Id;
import org.apache.zookeeper.server.ServerCnxn;
import org.apache.zookeeper.server.auth.AuthenticationProvider;
import org.apache.zookeeper.server.auth.X509AuthenticationProvider;
+import javax.net.ssl.X509KeyManager;
+import javax.net.ssl.X509TrustManager;
import java.security.cert.X509Certificate;
import java.util.logging.Logger;
@@ -20,7 +21,17 @@ public class VespaMtlsAuthenticationProvider extends X509AuthenticationProvider
private static final Logger log = Logger.getLogger(VespaMtlsAuthenticationProvider.class.getName());
- public VespaMtlsAuthenticationProvider() throws X509Exception { super(null, null);}
+ public VespaMtlsAuthenticationProvider() {
+ super(trustManager(), keyManager());
+ }
+
+ private static X509KeyManager keyManager() {
+ return new VespaSslContextProvider().tlsContext().keyManager();
+ }
+
+ private static X509TrustManager trustManager() {
+ return new VespaSslContextProvider().tlsContext().trustManager();
+ }
@Override
public KeeperException.Code handleAuthentication(ServerCnxn cnxn, byte[] authData) {
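Review bot: The two `tlsContext()` calls behind `super(trustManager(), keyManager())` each construct their own `VespaSslContextProvider` and read the static context under the class lock independently, so if the context is replaced between the two reads the provider is built with a trust manager and a key manager from different generations. Fetching the context once and deriving both managers from that one snapshot keeps them consistent; because `super(...)` must be the first statement, the clean way is a private constructor taking the `X509SslContext` (import `com.yahoo.security.X509SslContext`, as `VespaSslContextProvider` does in this same commit). Whether the context can actually be swapped at runtime is not visible here, so treat this as cheap insurance rather than a known race. `handleAuthentication`, whose signature closes the hunk, continues outside it.
```java
    public VespaMtlsAuthenticationProvider() {
        this(new VespaSslContextProvider().tlsContext());
    }

    // Derive both managers from one snapshot of the context so they cannot come from different generations.
    private VespaMtlsAuthenticationProvider(X509SslContext tlsContext) {
        super(tlsContext.trustManager(), tlsContext.keyManager());
    }
```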
@@ -36,6 +47,4 @@ public class VespaMtlsAuthenticationProvider extends X509AuthenticationProvider
return KeeperException.Code.OK;
}
- @Override public String getScheme() { return "x509"; }
-
}
diff --git a/zookeeper-server/zookeeper-server-3.9.1/src/main/java/com/yahoo/vespa/zookeeper/VespaMtlsAuthenticationProvider.java b/zookeeper-server/zookeeper-server-3.9.1/src/main/java/com/yahoo/vespa/zookeeper/VespaMtlsAuthenticationProvider.java
index 3c8a373f121..f51b076a262 100644
--- a/zookeeper-server/zookeeper-server-3.9.1/src/main/java/com/yahoo/vespa/zookeeper/VespaMtlsAuthenticationProvider.java
+++ b/zookeeper-server/zookeeper-server-3.9.1/src/main/java/com/yahoo/vespa/zookeeper/VespaMtlsAuthenticationProvider.java
@@ -8,6 +8,9 @@ import org.apache.zookeeper.server.ServerCnxn;
import org.apache.zookeeper.server.auth.AuthenticationProvider;
import org.apache.zookeeper.server.auth.X509AuthenticationProvider;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.X509KeyManager;
+import javax.net.ssl.X509TrustManager;
import java.security.cert.X509Certificate;
import java.util.logging.Logger;
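Review bot: `import javax.net.ssl.KeyManager;` on the new side is unused — the constructor helpers reference only `X509KeyManager` and `X509TrustManager` — and this 3.9.1 copy is the only one of the three that carries it. This hunk also starts at line 8, so the `org.apache.zookeeper.common.X509Exception` import that the 3.8.1 and default copies delete is left in place here (all three files share the old blob `3c8a373f121`, so that import exists at line 5 of this file too) even though the constructor no longer declares `throws X509Exception`. Drop both imports so the three copies stay byte-identical and the build does not warn.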
@@ -20,7 +23,17 @@ public class VespaMtlsAuthenticationProvider extends X509AuthenticationProvider
private static final Logger log = Logger.getLogger(VespaMtlsAuthenticationProvider.class.getName());
- public VespaMtlsAuthenticationProvider() throws X509Exception { super(null, null);}
+ public VespaMtlsAuthenticationProvider() {
+ super(trustManager(), keyManager());
+ }
+
+ private static X509KeyManager keyManager() {
+ return new VespaSslContextProvider().tlsContext().keyManager();
+ }
+
+ private static X509TrustManager trustManager() {
+ return new VespaSslContextProvider().tlsContext().trustManager();
+ }
@Override
public KeeperException.Code handleAuthentication(ServerCnxn cnxn, byte[] authData) {
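Review bot: The fail-closed behaviour this constructor introduces deserves a comment: `tlsContext()` throws `IllegalStateException` when Vespa TLS is disabled (see `VespaSslContextProvider` in this commit), so constructing the provider now aborts instead of, as with the old `super(null, null)`, registering an x509 scheme that has no key or trust material behind it. That is the safer direction, but the exception now surfaces during ZooKeeper's provider registration rather than at a TLS handshake, which is not where an operator will first look. Suggest `// Throws IllegalStateException if Vespa TLS is not enabled: the x509 scheme must never be registered without key and trust material.` above the constructor. `handleAuthentication` at the end of the hunk continues outside it.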
@@ -36,6 +49,4 @@ public class VespaMtlsAuthenticationProvider extends X509AuthenticationProvider
return KeeperException.Code.OK;
}
- @Override public String getScheme() { return "x509"; }
-
}
diff --git a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/VespaSslContextProvider.java b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/VespaSslContextProvider.java
index a1b88635204..b50cbdbdbdf 100644
--- a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/VespaSslContextProvider.java
+++ b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/VespaSslContextProvider.java
@@ -1,6 +1,7 @@
// Copyright Vespa.ai. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.zookeeper;
+import com.yahoo.security.X509SslContext;
import com.yahoo.security.tls.TlsContext;
import javax.net.ssl.SSLContext;
@@ -17,9 +18,13 @@ public class VespaSslContextProvider implements Supplier<SSLContext> {
@Override
public SSLContext get() {
+ return tlsContext().context();
+ }
+
+ public X509SslContext tlsContext() {
synchronized (VespaSslContextProvider.class) {
if (tlsContext == null) throw new IllegalStateException("Vespa TLS is not enabled");
- return tlsContext.sslContext().context();
+ return tlsContext.sslContext();
}
}
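Review bot: The new `tlsContext()` is `public`, which widens this class from supplying an `SSLContext` to handing out the whole `X509SslContext` — including the key manager that holds this node's private key — to any caller holding the provider. The only consumer added by this commit is `VespaMtlsAuthenticationProvider` in the same `com.yahoo.vespa.zookeeper` package, so package-private visibility would suffice if these modules are loaded on the plain classpath rather than as named JPMS modules; if it has to stay public, the minimum is a Javadoc saying the returned context carries private-key material and must not be cached or passed on, e.g. `/** Live Vespa TLS context, including the key manager with this node's private key; for the ZooKeeper auth provider only. */`. Note also that `get()` now invokes `.context()` outside the `synchronized` block; that is fine because the reference was snapshotted under the lock, but worth a word if the lock was meant to cover the call. The class header lies outside the hunk.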
diff --git a/zookeeper-server/zookeeper-server/src/main/java/com/yahoo/vespa/zookeeper/VespaMtlsAuthenticationProvider.java b/zookeeper-server/zookeeper-server/src/main/java/com/yahoo/vespa/zookeeper/VespaMtlsAuthenticationProvider.java
index 3c8a373f121..8bb88a83b10 100644
--- a/zookeeper-server/zookeeper-server/src/main/java/com/yahoo/vespa/zookeeper/VespaMtlsAuthenticationProvider.java
+++ b/zookeeper-server/zookeeper-server/src/main/java/com/yahoo/vespa/zookeeper/VespaMtlsAuthenticationProvider.java
@@ -2,12 +2,13 @@
package com.yahoo.vespa.zookeeper;
import org.apache.zookeeper.KeeperException;
-import org.apache.zookeeper.common.X509Exception;
import org.apache.zookeeper.data.Id;
import org.apache.zookeeper.server.ServerCnxn;
import org.apache.zookeeper.server.auth.AuthenticationProvider;
import org.apache.zookeeper.server.auth.X509AuthenticationProvider;
+import javax.net.ssl.X509KeyManager;
+import javax.net.ssl.X509TrustManager;
import java.security.cert.X509Certificate;
import java.util.logging.Logger;
@@ -20,7 +21,17 @@ public class VespaMtlsAuthenticationProvider extends X509AuthenticationProvider
private static final Logger log = Logger.getLogger(VespaMtlsAuthenticationProvider.class.getName());
- public VespaMtlsAuthenticationProvider() throws X509Exception { super(null, null);}
+ public VespaMtlsAuthenticationProvider() {
+ super(trustManager(), keyManager());
+ }
+
+ private static X509KeyManager keyManager() {
+ return new VespaSslContextProvider().tlsContext().keyManager();
+ }
+
+ private static X509TrustManager trustManager() {
+ return new VespaSslContextProvider().tlsContext().trustManager();
+ }
@Override
public KeeperException.Code handleAuthentication(ServerCnxn cnxn, byte[] authData) {
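Review bot: Passing the trust manager to `super` does not by itself make this provider verify client certificate chains: `handleAuthentication` is overridden right below (its body is outside the hunk), so the base `X509AuthenticationProvider` check is bypassed, and — if I recall the ZooKeeper base class correctly — the managers are only reachable through its `getKeyManager()`/`getTrustManager()` accessors, presumably the consumer the commit title calls "ZK". A one-line comment naming that consumer would stop a future reader from assuming the override now inherits trust validation, e.g. `// Managers are handed to the base class only so ZooKeeper can read them via getKeyManager()/getTrustManager(); client-certificate handling stays in the handleAuthentication override below.`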
@@ -36,6 +47,4 @@ public class VespaMtlsAuthenticationProvider extends X509AuthenticationProvider
return KeeperException.Code.OK;
}
- @Override public String getScheme() { return "x509"; }
-
}