summaryrefslogtreecommitdiffstats
path: root/jdisc_http_service/src/main/java
diff options
context:
space:
mode:
Diffstat (limited to 'jdisc_http_service/src/main/java')
-rw-r--r--jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java72
-rw-r--r--jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyHttpServer.java46
-rw-r--r--jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/ReaderForPath.java22
-rw-r--r--jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslKeyStore.java23
-rw-r--r--jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/jks/JKSKeyStore.java (renamed from jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/jks/JksKeyStore.java)23
-rw-r--r--jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/pem/PemKeyStore.java64
-rw-r--r--jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/pem/PemSslKeyStore.java27
7 files changed, 187 insertions, 90 deletions
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java
index 54338c64c1e..96180f48229 100644
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java
@@ -8,6 +8,8 @@ import com.yahoo.jdisc.http.ConnectorConfig;
import com.yahoo.jdisc.http.ConnectorConfig.Ssl;
import com.yahoo.jdisc.http.ConnectorConfig.Ssl.PemKeyStore;
import com.yahoo.jdisc.http.SecretStore;
+import com.yahoo.jdisc.http.ssl.ReaderForPath;
+import com.yahoo.jdisc.http.ssl.SslKeyStore;
import com.yahoo.jdisc.http.ssl.pem.PemSslKeyStore;
import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.ConnectionFactory;
@@ -22,11 +24,15 @@ import org.eclipse.jetty.util.ssl.SslContextFactory;
import javax.servlet.ServletRequest;
import java.io.IOException;
-import java.io.UncheckedIOException;
+import java.io.Reader;
import java.lang.reflect.Field;
import java.net.Socket;
import java.net.SocketException;
+import java.nio.channels.Channels;
+import java.nio.channels.FileChannel;
import java.nio.channels.ServerSocketChannel;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
@@ -37,8 +43,10 @@ import java.util.function.Supplier;
import java.util.logging.Level;
import java.util.logging.Logger;
+import static com.google.common.io.Closeables.closeQuietly;
import static com.yahoo.jdisc.http.ConnectorConfig.Ssl.KeyStoreType.Enum.JKS;
import static com.yahoo.jdisc.http.ConnectorConfig.Ssl.KeyStoreType.Enum.PEM;
+import static com.yahoo.jdisc.http.server.jetty.Exceptions.throwUnchecked;
/**
* @author Einar M R Rosenvinge
@@ -76,11 +84,11 @@ public class ConnectorFactory {
return connectorConfig;
}
- public ServerConnector createConnector(final Metric metric, final Server server, final ServerSocketChannel ch) {
+ public ServerConnector createConnector(final Metric metric, final Server server, final ServerSocketChannel ch, Map<Path, FileChannel> keyStoreChannels) {
ServerConnector connector;
if (connectorConfig.ssl().enabled()) {
connector = new JDiscServerConnector(connectorConfig, metric, server, ch,
- newSslConnectionFactory(),
+ newSslConnectionFactory(keyStoreChannels),
newHttpConnectionFactory());
} else {
connector = new JDiscServerConnector(connectorConfig, metric, server, ch,
@@ -117,7 +125,7 @@ public class ConnectorFactory {
}
//TODO: does not support loading non-yahoo readable JKS key stores.
- private SslConnectionFactory newSslConnectionFactory() {
+ private SslConnectionFactory newSslConnectionFactory(Map<Path, FileChannel> keyStoreChannels) {
Ssl sslConfig = connectorConfig.ssl();
SslContextFactory factory = new SslContextFactory();
@@ -167,7 +175,7 @@ public class ConnectorFactory {
Optional<String> keyDbPassword = secret(sslConfig.keyDbKey());
switch (sslConfig.keyStoreType()) {
case PEM:
- factory.setKeyStore(getKeyStore(sslConfig.pemKeyStore()));
+ factory.setKeyStore(getKeyStore(sslConfig.pemKeyStore(), keyStoreChannels));
if (keyDbPassword.isPresent())
log.warning("Encrypted PEM key stores are not supported.");
break;
@@ -200,16 +208,54 @@ public class ConnectorFactory {
return () -> new RuntimeException(String.format("Password is required for JKS %s store", type));
}
- private static KeyStore getKeyStore(PemKeyStore pemKeyStore) {
+ private KeyStore getKeyStore(PemKeyStore pemKeyStore, Map<Path, FileChannel> keyStoreChannels) {
Preconditions.checkArgument(!pemKeyStore.certificatePath().isEmpty(), "Missing certificate path.");
Preconditions.checkArgument(!pemKeyStore.keyPath().isEmpty(), "Missing key path.");
- try {
- Path certificatePath = Paths.get(pemKeyStore.certificatePath());
- Path keyPath = Paths.get(pemKeyStore.keyPath());
- return new PemSslKeyStore(certificatePath, keyPath)
- .loadJavaKeyStore();
- } catch (IOException e) {
- throw new UncheckedIOException(e);
+
+ class KeyStoreReaderForPath implements AutoCloseable {
+ private final Optional<FileChannel> channel;
+ public final ReaderForPath readerForPath;
+
+
+ KeyStoreReaderForPath(String pathString) {
+ Path path = Paths.get(pathString);
+ channel = Optional.ofNullable(keyStoreChannels.get(path));
+ readerForPath = new ReaderForPath(channel.map(this::getReader).orElseGet(() -> getReader(path)), path);
+ }
+
+ private Reader getReader(FileChannel channel) {
+ try {
+ channel.position(0);
+ return Channels.newReader(channel, StandardCharsets.UTF_8.newDecoder(), -1);
+ } catch (IOException e) {
+ throw throwUnchecked(e);
+ }
+
+ }
+
+ private Reader getReader(Path path) {
+ try {
+ return Files.newBufferedReader(path);
+ } catch (IOException e) {
+ throw new RuntimeException("Failed opening " + path, e);
+ }
+ }
+
+ @Override
+ public void close() {
+ //channels are reused
+ if (!channel.isPresent()) {
+ closeQuietly(readerForPath.reader);
+ }
+ }
+ }
+
+ try (KeyStoreReaderForPath certificateReader = new KeyStoreReaderForPath(pemKeyStore.certificatePath());
+ KeyStoreReaderForPath keyReader = new KeyStoreReaderForPath(pemKeyStore.keyPath())) {
+ SslKeyStore keyStore = new PemSslKeyStore(
+ new com.yahoo.jdisc.http.ssl.pem.PemKeyStore.KeyStoreLoadParameter(
+ certificateReader.readerForPath, keyReader.readerForPath));
+ return keyStore.loadJavaKeyStore();
} catch (Exception e) {
throw new RuntimeException("Failed setting up key store for " + pemKeyStore.keyPath() + ", " + pemKeyStore.certificatePath(), e);
}
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyHttpServer.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyHttpServer.java
index aaa213095c6..7feca14ef29 100644
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyHttpServer.java
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyHttpServer.java
@@ -44,11 +44,15 @@ import javax.servlet.DispatcherType;
import java.lang.management.ManagementFactory;
import java.net.BindException;
import java.net.MalformedURLException;
+import java.nio.channels.FileChannel;
import java.nio.channels.ServerSocketChannel;
+import java.nio.file.Path;
import java.util.ArrayList;
import java.util.Collection;
+import java.util.Collections;
import java.util.EnumSet;
import java.util.List;
+import java.util.Map;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
@@ -59,6 +63,7 @@ import java.util.logging.Logger;
import java.util.stream.Collectors;
import static com.yahoo.jdisc.http.server.jetty.ConnectorFactory.JDiscServerConnector;
+import static com.yahoo.jdisc.http.server.jetty.Exceptions.throwUnchecked;
/**
* @author Simon Thoresen Hult
@@ -142,9 +147,11 @@ public class JettyHttpServer extends AbstractServerProvider {
setupJmx(server, serverConfig);
((QueuedThreadPool)server.getThreadPool()).setMaxThreads(serverConfig.maxWorkerThreads());
+ Map<Path, FileChannel> keyStoreChannels = getKeyStoreFileChannels(osgiFramework.bundleContext());
+
for (ConnectorFactory connectorFactory : connectorFactories.allComponents()) {
ServerSocketChannel preBoundChannel = getChannelFromServiceLayer(connectorFactory.getConnectorConfig().listenPort(), osgiFramework.bundleContext());
- server.addConnector(connectorFactory.createConnector(metric, server, preBoundChannel));
+ server.addConnector(connectorFactory.createConnector(metric, server, preBoundChannel, keyStoreChannels));
listenedPorts.add(connectorFactory.getConnectorConfig().listenPort());
}
@@ -250,6 +257,43 @@ public class JettyHttpServer extends AbstractServerProvider {
return "/" + servletPathsConfig.servlets(id.stringValue()).path();
}
+ // Ugly trick to get generic type literal.
+ @SuppressWarnings("unchecked")
+ private static final Class<Map<?, ?>> mapClass = (Class<Map<?, ?>>) (Object) Map.class;
+
+ private Map<Path, FileChannel> getKeyStoreFileChannels(BundleContext bundleContext) {
+ try {
+ Collection<ServiceReference<Map<?, ?>>> serviceReferences = bundleContext.getServiceReferences(mapClass,
+ "(role=com.yahoo.container.standalone.StandaloneContainerActivator.KeyStoreFileChannels)");
+
+ if (serviceReferences == null || serviceReferences.isEmpty())
+ return Collections.emptyMap();
+
+ if (serviceReferences.size() != 1)
+ throw new IllegalStateException("Multiple KeyStoreFileChannels registered");
+
+ return getKeyStoreFileChannels(bundleContext, serviceReferences.iterator().next());
+ } catch (InvalidSyntaxException e) {
+ throw throwUnchecked(e);
+ }
+ }
+
+ @SuppressWarnings("unchecked")
+ private Map<Path, FileChannel> getKeyStoreFileChannels(BundleContext bundleContext, ServiceReference<Map<?, ?>> keyStoreFileChannelReference) {
+ Map<?, ?> fileChannelMap = bundleContext.getService(keyStoreFileChannelReference);
+ try {
+ if (fileChannelMap == null)
+ return Collections.emptyMap();
+
+ Map<Path, FileChannel> result = (Map<Path, FileChannel>) fileChannelMap;
+ log.fine("Using file channel for " + result.keySet());
+ return result;
+ } finally {
+ //if we change this to be anything other than a simple map, we should hold the reference as long as the object is in use.
+ bundleContext.ungetService(keyStoreFileChannelReference);
+ }
+ }
+
private ServletContextHandler createServletContextHandler() {
ServletContextHandler servletContextHandler = new ServletContextHandler(ServletContextHandler.NO_SECURITY | ServletContextHandler.NO_SESSIONS);
servletContextHandler.setContextPath("/");
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/ReaderForPath.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/ReaderForPath.java
new file mode 100644
index 00000000000..b04d91d7403
--- /dev/null
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/ReaderForPath.java
@@ -0,0 +1,22 @@
+// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.jdisc.http.ssl;
+
+import java.io.Reader;
+import java.nio.file.Path;
+
+/**
+ * A reader along with the path used to construct it.
+ *
+ * @author tonytv
+ */
+public final class ReaderForPath {
+
+ public final Reader reader;
+ public final Path path;
+
+ public ReaderForPath(Reader reader, Path path) {
+ this.reader = reader;
+ this.path = path;
+ }
+
+}
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslKeyStore.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslKeyStore.java
index c282c94c1bd..1201bb08afc 100644
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslKeyStore.java
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslKeyStore.java
@@ -1,12 +1,29 @@
// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.jdisc.http.ssl;
+import java.io.IOException;
import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+import java.util.Optional;
/**
*
- * @author bjorncs
+ * @author <a href="mailto:charlesk@yahoo-inc.com">Charles Kim</a>
*/
-public interface SslKeyStore {
- KeyStore loadJavaKeyStore() throws Exception;
+public abstract class SslKeyStore {
+
+ private Optional<String> keyStorePassword = Optional.empty();
+
+ public Optional<String> getKeyStorePassword() {
+ return keyStorePassword;
+ }
+
+ public void setKeyStorePassword(String keyStorePassword) {
+ this.keyStorePassword = Optional.of(keyStorePassword);
+ }
+
+ public abstract KeyStore loadJavaKeyStore() throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException;
+
}
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/jks/JksKeyStore.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/jks/JKSKeyStore.java
index 9cb040fb97d..2ca53b731c3 100644
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/jks/JksKeyStore.java
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/jks/JKSKeyStore.java
@@ -13,33 +13,22 @@ import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
/**
- * @author Tony Vaagenes
- * @author bjorncs
+ * @author tonytv
*/
-public class JksKeyStore implements SslKeyStore {
+public class JKSKeyStore extends SslKeyStore {
- private static final String KEY_STORE_TYPE = "JKS";
+ private static final String keyStoreType = "JKS";
private final Path keyStoreFile;
- private final String keyStorePassword;
- public JksKeyStore(Path keyStoreFile) {
- this(keyStoreFile, null);
- }
-
- public JksKeyStore(Path keyStoreFile, String keyStorePassword) {
+ public JKSKeyStore(Path keyStoreFile) {
this.keyStoreFile = keyStoreFile;
- this.keyStorePassword = keyStorePassword;
- }
-
- public String getKeyStorePassword() {
- return keyStorePassword;
}
@Override
public KeyStore loadJavaKeyStore() throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
try(InputStream stream = Files.newInputStream(keyStoreFile)) {
- KeyStore keystore = KeyStore.getInstance(KEY_STORE_TYPE);
- keystore.load(stream, keyStorePassword != null ? keyStorePassword.toCharArray() : null);
+ KeyStore keystore = KeyStore.getInstance(keyStoreType);
+ keystore.load(stream, getKeyStorePassword().map(String::toCharArray).orElse(null));
return keystore;
}
}
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/pem/PemKeyStore.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/pem/PemKeyStore.java
index 787c976f6a0..21272f202ea 100644
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/pem/PemKeyStore.java
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/pem/PemKeyStore.java
@@ -2,6 +2,7 @@
package com.yahoo.jdisc.http.ssl.pem;
import com.google.common.base.Preconditions;
+import com.yahoo.jdisc.http.ssl.ReaderForPath;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
@@ -15,13 +16,9 @@ import javax.annotation.concurrent.GuardedBy;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
-import java.io.Reader;
-import java.io.UncheckedIOException;
-import java.nio.file.Files;
-import java.nio.file.Path;
import java.security.Key;
-import java.security.KeyStore;
import java.security.KeyStore.LoadStoreParameter;
+import java.security.KeyStore.ProtectionParameter;
import java.security.KeyStoreException;
import java.security.KeyStoreSpi;
import java.security.NoSuchAlgorithmException;
@@ -46,7 +43,7 @@ import static com.yahoo.jdisc.http.server.jetty.Exceptions.throwUnchecked;
* @author Tony Vaagenes
* @author bjorncs
*/
-class PemKeyStore extends KeyStoreSpi {
+public class PemKeyStore extends KeyStoreSpi {
private static String KEY_ALIAS = "KEY";
@@ -61,7 +58,9 @@ class PemKeyStore extends KeyStoreSpi {
@GuardedBy("this")
private final Map<String, Certificate> aliasToCertificate = new LinkedHashMap<>();
- PemKeyStore() {}
+
+ public PemKeyStore() {}
+
/**
* The user is responsible for closing any readers given in the parameter.
@@ -288,51 +287,30 @@ class PemKeyStore extends KeyStoreSpi {
}
}
- // A reader along with the path used to construct it.
- private static class ReaderForPath {
- final Reader reader;
- final Path path;
-
- private ReaderForPath(Reader reader, Path path) {
- this.reader = reader;
- this.path = path;
- }
-
- static ReaderForPath of(Path path) {
- try {
- return new ReaderForPath(Files.newBufferedReader(path), path);
- } catch (IOException e) {
- throw new UncheckedIOException(e);
- }
- }
- }
-
- static class TrustStoreLoadParameter implements KeyStore.LoadStoreParameter {
- final ReaderForPath certificateReader;
-
- TrustStoreLoadParameter(Path certificateReader) {
- this.certificateReader = ReaderForPath.of(certificateReader);
- }
+ public static class PemLoadStoreParameter implements LoadStoreParameter {
+ private PemLoadStoreParameter() {}
@Override
- public KeyStore.ProtectionParameter getProtectionParameter() {
+ public ProtectionParameter getProtectionParameter() {
return null;
}
}
- static class KeyStoreLoadParameter implements KeyStore.LoadStoreParameter {
- final ReaderForPath certificateReader;
- final ReaderForPath keyReader;
+ public static final class KeyStoreLoadParameter extends PemLoadStoreParameter {
+ public final ReaderForPath certificateReader;
+ public final ReaderForPath keyReader;
- KeyStoreLoadParameter(Path certificateReader, Path keyReader) {
- this.certificateReader = ReaderForPath.of(certificateReader);
- this.keyReader = ReaderForPath.of(keyReader);
+ public KeyStoreLoadParameter(ReaderForPath certificateReader, ReaderForPath keyReader) {
+ this.certificateReader = certificateReader;
+ this.keyReader = keyReader;
}
+ }
- @Override
- public KeyStore.ProtectionParameter getProtectionParameter() {
- return null;
+ public static final class TrustStoreLoadParameter extends PemLoadStoreParameter {
+ public final ReaderForPath certificateReader;
+
+ public TrustStoreLoadParameter(ReaderForPath certificateReader) {
+ this.certificateReader = certificateReader;
}
}
-
}
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/pem/PemSslKeyStore.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/pem/PemSslKeyStore.java
index 9f0a635f7c1..bbb8232f78e 100644
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/pem/PemSslKeyStore.java
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/pem/PemSslKeyStore.java
@@ -3,12 +3,11 @@ package com.yahoo.jdisc.http.ssl.pem;
import com.yahoo.jdisc.http.ssl.SslKeyStore;
import com.yahoo.jdisc.http.ssl.pem.PemKeyStore.KeyStoreLoadParameter;
+import com.yahoo.jdisc.http.ssl.pem.PemKeyStore.PemLoadStoreParameter;
import com.yahoo.jdisc.http.ssl.pem.PemKeyStore.TrustStoreLoadParameter;
import java.io.IOException;
-import java.nio.file.Path;
import java.security.KeyStore;
-import java.security.KeyStore.LoadStoreParameter;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
@@ -19,32 +18,34 @@ import java.security.cert.CertificateException;
* Responsible for creating pem key stores.
*
* @author Tony Vaagenes
- * @author bjorncs
*/
-public class PemSslKeyStore implements SslKeyStore {
+public class PemSslKeyStore extends SslKeyStore {
static {
Security.addProvider(new PemKeyStoreProvider());
}
- private static final String KEY_STORE_TYPE = "PEM";
-
- private final LoadStoreParameter loadParameter;
+ private static final String keyStoreType = "PEM";
+ private final PemLoadStoreParameter loadParameter;
private KeyStore keyStore;
- public PemSslKeyStore(Path certificatePath, Path keyPath) {
- this.loadParameter = new KeyStoreLoadParameter(certificatePath, keyPath);
+ public PemSslKeyStore(KeyStoreLoadParameter loadParameter) {
+ this.loadParameter = loadParameter;
}
- public PemSslKeyStore(Path certificatePath) {
- this.loadParameter = new TrustStoreLoadParameter(certificatePath);
+ public PemSslKeyStore(TrustStoreLoadParameter loadParameter) {
+ this.loadParameter = loadParameter;
}
@Override
public KeyStore loadJavaKeyStore() throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
+ if (getKeyStorePassword().isPresent()) {
+ throw new UnsupportedOperationException("PEM key store with password is currently not supported. Please file a feature request.");
+ }
+
//cached since Reader(in loadParameter) can only be used one time.
if (keyStore == null) {
- keyStore = KeyStore.getInstance(KEY_STORE_TYPE);
+ keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(loadParameter);
}
return keyStore;
@@ -60,6 +61,6 @@ public class PemSslKeyStore implements SslKeyStore {
super(NAME, VERSION, DESCRIPTION);
putService(new Service(this, "KeyStore", "PEM", PemKeyStore. class.getName(), PemKeyStore.aliases, PemKeyStore.attributes));
}
- }
+ }
}