diff options
Diffstat (limited to 'jdisc_http_service/src/main/java')
-rw-r--r-- | jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java | 72 | ||||
-rw-r--r-- | jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyHttpServer.java | 46 | ||||
-rw-r--r-- | jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/ReaderForPath.java | 22 | ||||
-rw-r--r-- | jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslKeyStore.java | 23 | ||||
-rw-r--r-- | jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/jks/JKSKeyStore.java (renamed from jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/jks/JksKeyStore.java) | 23 | ||||
-rw-r--r-- | jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/pem/PemKeyStore.java | 64 | ||||
-rw-r--r-- | jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/pem/PemSslKeyStore.java | 27 |
7 files changed, 187 insertions, 90 deletions
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java index 54338c64c1e..96180f48229 100644 --- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java +++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java @@ -8,6 +8,8 @@ import com.yahoo.jdisc.http.ConnectorConfig; import com.yahoo.jdisc.http.ConnectorConfig.Ssl; import com.yahoo.jdisc.http.ConnectorConfig.Ssl.PemKeyStore; import com.yahoo.jdisc.http.SecretStore; +import com.yahoo.jdisc.http.ssl.ReaderForPath; +import com.yahoo.jdisc.http.ssl.SslKeyStore; import com.yahoo.jdisc.http.ssl.pem.PemSslKeyStore; import org.eclipse.jetty.http.HttpVersion; import org.eclipse.jetty.server.ConnectionFactory; @@ -22,11 +24,15 @@ import org.eclipse.jetty.util.ssl.SslContextFactory; import javax.servlet.ServletRequest; import java.io.IOException; -import java.io.UncheckedIOException; +import java.io.Reader; import java.lang.reflect.Field; import java.net.Socket; import java.net.SocketException; +import java.nio.channels.Channels; +import java.nio.channels.FileChannel; import java.nio.channels.ServerSocketChannel; +import java.nio.charset.StandardCharsets; +import java.nio.file.Files; import java.nio.file.Path; import java.nio.file.Paths; import java.security.KeyStore; @@ -37,8 +43,10 @@ import java.util.function.Supplier; import java.util.logging.Level; import java.util.logging.Logger; +import static com.google.common.io.Closeables.closeQuietly; import static com.yahoo.jdisc.http.ConnectorConfig.Ssl.KeyStoreType.Enum.JKS; import static com.yahoo.jdisc.http.ConnectorConfig.Ssl.KeyStoreType.Enum.PEM; +import static com.yahoo.jdisc.http.server.jetty.Exceptions.throwUnchecked; /** * @author Einar M R Rosenvinge @@ -76,11 +84,11 @@ public class ConnectorFactory { return connectorConfig; } - public ServerConnector createConnector(final Metric metric, final Server server, final ServerSocketChannel ch) { + public ServerConnector createConnector(final Metric metric, final Server server, final ServerSocketChannel ch, Map<Path, FileChannel> keyStoreChannels) { ServerConnector connector; if (connectorConfig.ssl().enabled()) { connector = new JDiscServerConnector(connectorConfig, metric, server, ch, - newSslConnectionFactory(), + newSslConnectionFactory(keyStoreChannels), newHttpConnectionFactory()); } else { connector = new JDiscServerConnector(connectorConfig, metric, server, ch, @@ -117,7 +125,7 @@ public class ConnectorFactory { } //TODO: does not support loading non-yahoo readable JKS key stores. - private SslConnectionFactory newSslConnectionFactory() { + private SslConnectionFactory newSslConnectionFactory(Map<Path, FileChannel> keyStoreChannels) { Ssl sslConfig = connectorConfig.ssl(); SslContextFactory factory = new SslContextFactory(); @@ -167,7 +175,7 @@ public class ConnectorFactory { Optional<String> keyDbPassword = secret(sslConfig.keyDbKey()); switch (sslConfig.keyStoreType()) { case PEM: - factory.setKeyStore(getKeyStore(sslConfig.pemKeyStore())); + factory.setKeyStore(getKeyStore(sslConfig.pemKeyStore(), keyStoreChannels)); if (keyDbPassword.isPresent()) log.warning("Encrypted PEM key stores are not supported."); break; @@ -200,16 +208,54 @@ public class ConnectorFactory { return () -> new RuntimeException(String.format("Password is required for JKS %s store", type)); } - private static KeyStore getKeyStore(PemKeyStore pemKeyStore) { + private KeyStore getKeyStore(PemKeyStore pemKeyStore, Map<Path, FileChannel> keyStoreChannels) { Preconditions.checkArgument(!pemKeyStore.certificatePath().isEmpty(), "Missing certificate path."); Preconditions.checkArgument(!pemKeyStore.keyPath().isEmpty(), "Missing key path."); - try { - Path certificatePath = Paths.get(pemKeyStore.certificatePath()); - Path keyPath = Paths.get(pemKeyStore.keyPath()); - return new PemSslKeyStore(certificatePath, keyPath) - .loadJavaKeyStore(); - } catch (IOException e) { - throw new UncheckedIOException(e); + + class KeyStoreReaderForPath implements AutoCloseable { + private final Optional<FileChannel> channel; + public final ReaderForPath readerForPath; + + + KeyStoreReaderForPath(String pathString) { + Path path = Paths.get(pathString); + channel = Optional.ofNullable(keyStoreChannels.get(path)); + readerForPath = new ReaderForPath(channel.map(this::getReader).orElseGet(() -> getReader(path)), path); + } + + private Reader getReader(FileChannel channel) { + try { + channel.position(0); + return Channels.newReader(channel, StandardCharsets.UTF_8.newDecoder(), -1); + } catch (IOException e) { + throw throwUnchecked(e); + } + + } + + private Reader getReader(Path path) { + try { + return Files.newBufferedReader(path); + } catch (IOException e) { + throw new RuntimeException("Failed opening " + path, e); + } + } + + @Override + public void close() { + //channels are reused + if (!channel.isPresent()) { + closeQuietly(readerForPath.reader); + } + } + } + + try (KeyStoreReaderForPath certificateReader = new KeyStoreReaderForPath(pemKeyStore.certificatePath()); + KeyStoreReaderForPath keyReader = new KeyStoreReaderForPath(pemKeyStore.keyPath())) { + SslKeyStore keyStore = new PemSslKeyStore( + new com.yahoo.jdisc.http.ssl.pem.PemKeyStore.KeyStoreLoadParameter( + certificateReader.readerForPath, keyReader.readerForPath)); + return keyStore.loadJavaKeyStore(); } catch (Exception e) { throw new RuntimeException("Failed setting up key store for " + pemKeyStore.keyPath() + ", " + pemKeyStore.certificatePath(), e); } diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyHttpServer.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyHttpServer.java index aaa213095c6..7feca14ef29 100644 --- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyHttpServer.java +++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyHttpServer.java @@ -44,11 +44,15 @@ import javax.servlet.DispatcherType; import java.lang.management.ManagementFactory; import java.net.BindException; import java.net.MalformedURLException; +import java.nio.channels.FileChannel; import java.nio.channels.ServerSocketChannel; +import java.nio.file.Path; import java.util.ArrayList; import java.util.Collection; +import java.util.Collections; import java.util.EnumSet; import java.util.List; +import java.util.Map; import java.util.concurrent.ExecutorService; import java.util.concurrent.Executors; import java.util.concurrent.ScheduledExecutorService; @@ -59,6 +63,7 @@ import java.util.logging.Logger; import java.util.stream.Collectors; import static com.yahoo.jdisc.http.server.jetty.ConnectorFactory.JDiscServerConnector; +import static com.yahoo.jdisc.http.server.jetty.Exceptions.throwUnchecked; /** * @author Simon Thoresen Hult @@ -142,9 +147,11 @@ public class JettyHttpServer extends AbstractServerProvider { setupJmx(server, serverConfig); ((QueuedThreadPool)server.getThreadPool()).setMaxThreads(serverConfig.maxWorkerThreads()); + Map<Path, FileChannel> keyStoreChannels = getKeyStoreFileChannels(osgiFramework.bundleContext()); + for (ConnectorFactory connectorFactory : connectorFactories.allComponents()) { ServerSocketChannel preBoundChannel = getChannelFromServiceLayer(connectorFactory.getConnectorConfig().listenPort(), osgiFramework.bundleContext()); - server.addConnector(connectorFactory.createConnector(metric, server, preBoundChannel)); + server.addConnector(connectorFactory.createConnector(metric, server, preBoundChannel, keyStoreChannels)); listenedPorts.add(connectorFactory.getConnectorConfig().listenPort()); } @@ -250,6 +257,43 @@ public class JettyHttpServer extends AbstractServerProvider { return "/" + servletPathsConfig.servlets(id.stringValue()).path(); } + // Ugly trick to get generic type literal. + @SuppressWarnings("unchecked") + private static final Class<Map<?, ?>> mapClass = (Class<Map<?, ?>>) (Object) Map.class; + + private Map<Path, FileChannel> getKeyStoreFileChannels(BundleContext bundleContext) { + try { + Collection<ServiceReference<Map<?, ?>>> serviceReferences = bundleContext.getServiceReferences(mapClass, + "(role=com.yahoo.container.standalone.StandaloneContainerActivator.KeyStoreFileChannels)"); + + if (serviceReferences == null || serviceReferences.isEmpty()) + return Collections.emptyMap(); + + if (serviceReferences.size() != 1) + throw new IllegalStateException("Multiple KeyStoreFileChannels registered"); + + return getKeyStoreFileChannels(bundleContext, serviceReferences.iterator().next()); + } catch (InvalidSyntaxException e) { + throw throwUnchecked(e); + } + } + + @SuppressWarnings("unchecked") + private Map<Path, FileChannel> getKeyStoreFileChannels(BundleContext bundleContext, ServiceReference<Map<?, ?>> keyStoreFileChannelReference) { + Map<?, ?> fileChannelMap = bundleContext.getService(keyStoreFileChannelReference); + try { + if (fileChannelMap == null) + return Collections.emptyMap(); + + Map<Path, FileChannel> result = (Map<Path, FileChannel>) fileChannelMap; + log.fine("Using file channel for " + result.keySet()); + return result; + } finally { + //if we change this to be anything other than a simple map, we should hold the reference as long as the object is in use. + bundleContext.ungetService(keyStoreFileChannelReference); + } + } + private ServletContextHandler createServletContextHandler() { ServletContextHandler servletContextHandler = new ServletContextHandler(ServletContextHandler.NO_SECURITY | ServletContextHandler.NO_SESSIONS); servletContextHandler.setContextPath("/"); diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/ReaderForPath.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/ReaderForPath.java new file mode 100644 index 00000000000..b04d91d7403 --- /dev/null +++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/ReaderForPath.java @@ -0,0 +1,22 @@ +// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. +package com.yahoo.jdisc.http.ssl; + +import java.io.Reader; +import java.nio.file.Path; + +/** + * A reader along with the path used to construct it. + * + * @author tonytv + */ +public final class ReaderForPath { + + public final Reader reader; + public final Path path; + + public ReaderForPath(Reader reader, Path path) { + this.reader = reader; + this.path = path; + } + +} diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslKeyStore.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslKeyStore.java index c282c94c1bd..1201bb08afc 100644 --- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslKeyStore.java +++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslKeyStore.java @@ -1,12 +1,29 @@ // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.jdisc.http.ssl; +import java.io.IOException; import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.cert.CertificateException; +import java.util.Optional; /** * - * @author bjorncs + * @author <a href="mailto:charlesk@yahoo-inc.com">Charles Kim</a> */ -public interface SslKeyStore { - KeyStore loadJavaKeyStore() throws Exception; +public abstract class SslKeyStore { + + private Optional<String> keyStorePassword = Optional.empty(); + + public Optional<String> getKeyStorePassword() { + return keyStorePassword; + } + + public void setKeyStorePassword(String keyStorePassword) { + this.keyStorePassword = Optional.of(keyStorePassword); + } + + public abstract KeyStore loadJavaKeyStore() throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException; + } diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/jks/JksKeyStore.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/jks/JKSKeyStore.java index 9cb040fb97d..2ca53b731c3 100644 --- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/jks/JksKeyStore.java +++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/jks/JKSKeyStore.java @@ -13,33 +13,22 @@ import java.security.NoSuchAlgorithmException; import java.security.cert.CertificateException; /** - * @author Tony Vaagenes - * @author bjorncs + * @author tonytv */ -public class JksKeyStore implements SslKeyStore { +public class JKSKeyStore extends SslKeyStore { - private static final String KEY_STORE_TYPE = "JKS"; + private static final String keyStoreType = "JKS"; private final Path keyStoreFile; - private final String keyStorePassword; - public JksKeyStore(Path keyStoreFile) { - this(keyStoreFile, null); - } - - public JksKeyStore(Path keyStoreFile, String keyStorePassword) { + public JKSKeyStore(Path keyStoreFile) { this.keyStoreFile = keyStoreFile; - this.keyStorePassword = keyStorePassword; - } - - public String getKeyStorePassword() { - return keyStorePassword; } @Override public KeyStore loadJavaKeyStore() throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException { try(InputStream stream = Files.newInputStream(keyStoreFile)) { - KeyStore keystore = KeyStore.getInstance(KEY_STORE_TYPE); - keystore.load(stream, keyStorePassword != null ? keyStorePassword.toCharArray() : null); + KeyStore keystore = KeyStore.getInstance(keyStoreType); + keystore.load(stream, getKeyStorePassword().map(String::toCharArray).orElse(null)); return keystore; } } diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/pem/PemKeyStore.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/pem/PemKeyStore.java index 787c976f6a0..21272f202ea 100644 --- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/pem/PemKeyStore.java +++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/pem/PemKeyStore.java @@ -2,6 +2,7 @@ package com.yahoo.jdisc.http.ssl.pem; import com.google.common.base.Preconditions; +import com.yahoo.jdisc.http.ssl.ReaderForPath; import org.bouncycastle.asn1.pkcs.PrivateKeyInfo; import org.bouncycastle.cert.X509CertificateHolder; import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter; @@ -15,13 +16,9 @@ import javax.annotation.concurrent.GuardedBy; import java.io.IOException; import java.io.InputStream; import java.io.OutputStream; -import java.io.Reader; -import java.io.UncheckedIOException; -import java.nio.file.Files; -import java.nio.file.Path; import java.security.Key; -import java.security.KeyStore; import java.security.KeyStore.LoadStoreParameter; +import java.security.KeyStore.ProtectionParameter; import java.security.KeyStoreException; import java.security.KeyStoreSpi; import java.security.NoSuchAlgorithmException; @@ -46,7 +43,7 @@ import static com.yahoo.jdisc.http.server.jetty.Exceptions.throwUnchecked; * @author Tony Vaagenes * @author bjorncs */ -class PemKeyStore extends KeyStoreSpi { +public class PemKeyStore extends KeyStoreSpi { private static String KEY_ALIAS = "KEY"; @@ -61,7 +58,9 @@ class PemKeyStore extends KeyStoreSpi { @GuardedBy("this") private final Map<String, Certificate> aliasToCertificate = new LinkedHashMap<>(); - PemKeyStore() {} + + public PemKeyStore() {} + /** * The user is responsible for closing any readers given in the parameter. @@ -288,51 +287,30 @@ class PemKeyStore extends KeyStoreSpi { } } - // A reader along with the path used to construct it. - private static class ReaderForPath { - final Reader reader; - final Path path; - - private ReaderForPath(Reader reader, Path path) { - this.reader = reader; - this.path = path; - } - - static ReaderForPath of(Path path) { - try { - return new ReaderForPath(Files.newBufferedReader(path), path); - } catch (IOException e) { - throw new UncheckedIOException(e); - } - } - } - - static class TrustStoreLoadParameter implements KeyStore.LoadStoreParameter { - final ReaderForPath certificateReader; - - TrustStoreLoadParameter(Path certificateReader) { - this.certificateReader = ReaderForPath.of(certificateReader); - } + public static class PemLoadStoreParameter implements LoadStoreParameter { + private PemLoadStoreParameter() {} @Override - public KeyStore.ProtectionParameter getProtectionParameter() { + public ProtectionParameter getProtectionParameter() { return null; } } - static class KeyStoreLoadParameter implements KeyStore.LoadStoreParameter { - final ReaderForPath certificateReader; - final ReaderForPath keyReader; + public static final class KeyStoreLoadParameter extends PemLoadStoreParameter { + public final ReaderForPath certificateReader; + public final ReaderForPath keyReader; - KeyStoreLoadParameter(Path certificateReader, Path keyReader) { - this.certificateReader = ReaderForPath.of(certificateReader); - this.keyReader = ReaderForPath.of(keyReader); + public KeyStoreLoadParameter(ReaderForPath certificateReader, ReaderForPath keyReader) { + this.certificateReader = certificateReader; + this.keyReader = keyReader; } + } - @Override - public KeyStore.ProtectionParameter getProtectionParameter() { - return null; + public static final class TrustStoreLoadParameter extends PemLoadStoreParameter { + public final ReaderForPath certificateReader; + + public TrustStoreLoadParameter(ReaderForPath certificateReader) { + this.certificateReader = certificateReader; } } - } diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/pem/PemSslKeyStore.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/pem/PemSslKeyStore.java index 9f0a635f7c1..bbb8232f78e 100644 --- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/pem/PemSslKeyStore.java +++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/pem/PemSslKeyStore.java @@ -3,12 +3,11 @@ package com.yahoo.jdisc.http.ssl.pem; import com.yahoo.jdisc.http.ssl.SslKeyStore; import com.yahoo.jdisc.http.ssl.pem.PemKeyStore.KeyStoreLoadParameter; +import com.yahoo.jdisc.http.ssl.pem.PemKeyStore.PemLoadStoreParameter; import com.yahoo.jdisc.http.ssl.pem.PemKeyStore.TrustStoreLoadParameter; import java.io.IOException; -import java.nio.file.Path; import java.security.KeyStore; -import java.security.KeyStore.LoadStoreParameter; import java.security.KeyStoreException; import java.security.NoSuchAlgorithmException; import java.security.Provider; @@ -19,32 +18,34 @@ import java.security.cert.CertificateException; * Responsible for creating pem key stores. * * @author Tony Vaagenes - * @author bjorncs */ -public class PemSslKeyStore implements SslKeyStore { +public class PemSslKeyStore extends SslKeyStore { static { Security.addProvider(new PemKeyStoreProvider()); } - private static final String KEY_STORE_TYPE = "PEM"; - - private final LoadStoreParameter loadParameter; + private static final String keyStoreType = "PEM"; + private final PemLoadStoreParameter loadParameter; private KeyStore keyStore; - public PemSslKeyStore(Path certificatePath, Path keyPath) { - this.loadParameter = new KeyStoreLoadParameter(certificatePath, keyPath); + public PemSslKeyStore(KeyStoreLoadParameter loadParameter) { + this.loadParameter = loadParameter; } - public PemSslKeyStore(Path certificatePath) { - this.loadParameter = new TrustStoreLoadParameter(certificatePath); + public PemSslKeyStore(TrustStoreLoadParameter loadParameter) { + this.loadParameter = loadParameter; } @Override public KeyStore loadJavaKeyStore() throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException { + if (getKeyStorePassword().isPresent()) { + throw new UnsupportedOperationException("PEM key store with password is currently not supported. Please file a feature request."); + } + //cached since Reader(in loadParameter) can only be used one time. if (keyStore == null) { - keyStore = KeyStore.getInstance(KEY_STORE_TYPE); + keyStore = KeyStore.getInstance(keyStoreType); keyStore.load(loadParameter); } return keyStore; @@ -60,6 +61,6 @@ public class PemSslKeyStore implements SslKeyStore { super(NAME, VERSION, DESCRIPTION); putService(new Service(this, "KeyStore", "PEM", PemKeyStore. class.getName(), PemKeyStore.aliases, PemKeyStore.attributes)); } - } + } } |