diff options
-rw-r--r-- | controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityVerifier.java | 36 |
1 files changed, 32 insertions, 4 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityVerifier.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityVerifier.java index bfaa6c2acda..527efaab946 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityVerifier.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzIdentityVerifier.java @@ -1,21 +1,26 @@ // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.vespa.hosted.controller.api.integration.athenz; +import org.apache.http.conn.ssl.X509HostnameVerifier; + import javax.net.ssl.HostnameVerifier; +import javax.net.ssl.SSLException; import javax.net.ssl.SSLPeerUnverifiedException; import javax.net.ssl.SSLSession; +import javax.net.ssl.SSLSocket; import java.security.cert.X509Certificate; import java.util.Set; import java.util.logging.Level; import java.util.logging.Logger; /** - * A {@link HostnameVerifier} that validates Athenz x509 certificates using the identity in the Common Name attribute. + * A {@link HostnameVerifier} / {@link X509HostnameVerifier} that validates + * Athenz x509 certificates using the identity in the Common Name attribute. * * @author bjorncs */ // TODO Move to dedicated Athenz bundle -public class AthenzIdentityVerifier implements HostnameVerifier { +public class AthenzIdentityVerifier implements X509HostnameVerifier { private static final Logger log = Logger.getLogger(AthenzIdentityVerifier.class.getName()); @@ -29,13 +34,36 @@ public class AthenzIdentityVerifier implements HostnameVerifier { public boolean verify(String hostname, SSLSession session) { try { X509Certificate cert = (X509Certificate) session.getPeerCertificates()[0]; - AthenzIdentity certificateIdentity = AthenzUtils.createAthenzIdentity(cert); - return allowedIdentities.contains(certificateIdentity); + return isTrusted(AthenzUtils.createAthenzIdentity(cert)); } catch (SSLPeerUnverifiedException e) { log.log(Level.WARNING, "Unverified client: " + hostname); return false; } } + @Override + public void verify(String host, SSLSocket ssl) { + // all sockets allowed + } + + @Override + public void verify(String hostname, X509Certificate certificate) throws SSLException { + AthenzIdentity identity = AthenzUtils.createAthenzIdentity(certificate); + if (!isTrusted(identity)) { + throw new SSLException("Athenz identity is not trusted: " + identity.getFullName()); + } + } + + @Override + public void verify(String hostname, String[] cns, String[] subjectAlts) throws SSLException { + AthenzIdentity identity = AthenzUtils.createAthenzIdentity(cns[0]); + if (!isTrusted(identity)) { + throw new SSLException("Athenz identity is not trusted: " + identity.getFullName()); + } + } + + private boolean isTrusted(AthenzIdentity identity) { + return allowedIdentities.contains(identity); + } } |