diff options
Diffstat (limited to 'jrt/src/com/yahoo/jrt/TlsCryptoSocket.java')
| -rw-r--r-- | jrt/src/com/yahoo/jrt/TlsCryptoSocket.java | 37 |
1 files changed, 11 insertions, 26 deletions
diff --git a/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java b/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java index a899938dd45..ecd76e1eb17 100644 --- a/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java +++ b/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java @@ -1,7 +1,7 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.jrt; -import com.yahoo.security.tls.authz.AuthorizationResult; +import com.yahoo.security.tls.authz.ConnectionAuthContext; import com.yahoo.security.tls.authz.PeerAuthorizerTrustManager; import javax.net.ssl.SSLEngine; @@ -9,19 +9,14 @@ import javax.net.ssl.SSLEngineResult; import javax.net.ssl.SSLEngineResult.HandshakeStatus; import javax.net.ssl.SSLException; import javax.net.ssl.SSLHandshakeException; -import javax.net.ssl.SSLPeerUnverifiedException; import javax.net.ssl.SSLSession; import java.io.IOException; import java.nio.ByteBuffer; import java.nio.channels.ClosedChannelException; import java.nio.channels.SocketChannel; -import java.security.cert.X509Certificate; -import java.util.Arrays; -import java.util.List; import java.util.Optional; import java.util.logging.Logger; -import static java.util.stream.Collectors.toList; import static javax.net.ssl.SSLEngineResult.Status; /** @@ -46,7 +41,7 @@ public class TlsCryptoSocket implements CryptoSocket { private int sessionApplicationBufferSize; private ByteBuffer handshakeDummyBuffer; private HandshakeState handshakeState; - private AuthorizationResult authorizationResult; + private ConnectionAuthContext authContext; public TlsCryptoSocket(SocketChannel channel, SSLEngine sslEngine) { this.channel = channel; @@ -102,13 +97,13 @@ public class TlsCryptoSocket implements CryptoSocket { channelRead(); break; case NEED_WORK: - if (authorizationResult == null) { - PeerAuthorizerTrustManager.getAuthorizationResult(sslEngine) // only available during handshake - .ifPresent(result -> { - if (!result.succeeded()) { + if (authContext == null) { + PeerAuthorizerTrustManager.getConnectionAuthContext(sslEngine) // only available during handshake + .ifPresent(ctx -> { + if (!ctx.authorized()) { metrics.incrementPeerAuthorizationFailures(); } - authorizationResult = result; + authContext = ctx; }); } break; @@ -149,7 +144,7 @@ public class TlsCryptoSocket implements CryptoSocket { } } catch (SSLHandshakeException e) { // sslEngine.getDelegatedTask().run() and handshakeWrap() may throw SSLHandshakeException, potentially handshakeUnwrap() and sslEngine.beginHandshake() as well. - if (authorizationResult == null || authorizationResult.succeeded()) { // don't include handshake failures due from PeerAuthorizerTrustManager + if (authContext == null || authContext.authorized()) { // don't include handshake failures due from PeerAuthorizerTrustManager metrics.incrementTlsCertificateVerificationFailures(); } throw e; @@ -224,19 +219,9 @@ public class TlsCryptoSocket implements CryptoSocket { } @Override - public Optional<SecurityContext> getSecurityContext() { - try { - if (handshakeState != HandshakeState.COMPLETED) { - return Optional.empty(); - } - List<X509Certificate> peerCertificateChain = - Arrays.stream(sslEngine.getSession().getPeerCertificates()) - .map(X509Certificate.class::cast) - .collect(toList()); - return Optional.of(new SecurityContext(peerCertificateChain)); - } catch (SSLPeerUnverifiedException e) { // unverified peer: non-certificate based ciphers or peer did not provide a certificate - return Optional.of(new SecurityContext(List.of())); // secure connection, but peer does not have a certificate chain. - } + public Optional<ConnectionAuthContext> getConnectionAuthContext() { + if (handshakeState != HandshakeState.COMPLETED) return Optional.empty(); + return Optional.ofNullable(authContext); } private boolean handshakeWrap() throws IOException { |