aboutsummaryrefslogtreecommitdiffstats
path: root/jrt/src/com
diff options
context:
space:
mode:
Diffstat (limited to 'jrt/src/com')
-rw-r--r--jrt/src/com/yahoo/jrt/Connection.java6
-rw-r--r--jrt/src/com/yahoo/jrt/CryptoSocket.java6
-rw-r--r--jrt/src/com/yahoo/jrt/MaybeTlsCryptoSocket.java6
-rw-r--r--jrt/src/com/yahoo/jrt/SecurityContext.java24
-rw-r--r--jrt/src/com/yahoo/jrt/Target.java6
-rw-r--r--jrt/src/com/yahoo/jrt/TlsCryptoSocket.java37
6 files changed, 28 insertions, 57 deletions
diff --git a/jrt/src/com/yahoo/jrt/Connection.java b/jrt/src/com/yahoo/jrt/Connection.java
index 00aceb7e352..644e2ef4ff3 100644
--- a/jrt/src/com/yahoo/jrt/Connection.java
+++ b/jrt/src/com/yahoo/jrt/Connection.java
@@ -1,6 +1,8 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.jrt;
+import com.yahoo.security.tls.authz.ConnectionAuthContext;
+
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.SelectionKey;
@@ -436,9 +438,9 @@ class Connection extends Target {
}
@Override
- public Optional<SecurityContext> getSecurityContext() {
+ public Optional<ConnectionAuthContext> getConnectionAuthContext() {
return Optional.ofNullable(socket)
- .flatMap(CryptoSocket::getSecurityContext);
+ .flatMap(CryptoSocket::getConnectionAuthContext);
}
public boolean isClient() {
diff --git a/jrt/src/com/yahoo/jrt/CryptoSocket.java b/jrt/src/com/yahoo/jrt/CryptoSocket.java
index 78308b76624..aac91362405 100644
--- a/jrt/src/com/yahoo/jrt/CryptoSocket.java
+++ b/jrt/src/com/yahoo/jrt/CryptoSocket.java
@@ -2,6 +2,8 @@
package com.yahoo.jrt;
+import com.yahoo.security.tls.authz.ConnectionAuthContext;
+
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.SocketChannel;
@@ -103,10 +105,10 @@ public interface CryptoSocket {
public void dropEmptyBuffers();
/**
- * Returns the security context for the current connection (given handshake completed),
+ * Returns the auth context for the current connection (given handshake completed),
* or empty if the current connection is not secure.
*/
- default public Optional<SecurityContext> getSecurityContext() {
+ default public Optional<ConnectionAuthContext> getConnectionAuthContext() {
return Optional.empty();
}
}
diff --git a/jrt/src/com/yahoo/jrt/MaybeTlsCryptoSocket.java b/jrt/src/com/yahoo/jrt/MaybeTlsCryptoSocket.java
index df01f4f2fa7..42442289cd1 100644
--- a/jrt/src/com/yahoo/jrt/MaybeTlsCryptoSocket.java
+++ b/jrt/src/com/yahoo/jrt/MaybeTlsCryptoSocket.java
@@ -1,6 +1,8 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.jrt;
+import com.yahoo.security.tls.authz.ConnectionAuthContext;
+
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.SocketChannel;
@@ -130,5 +132,7 @@ public class MaybeTlsCryptoSocket implements CryptoSocket {
@Override public int write(ByteBuffer src) throws IOException { return socket.write(src); }
@Override public FlushResult flush() throws IOException { return socket.flush(); }
@Override public void dropEmptyBuffers() { socket.dropEmptyBuffers(); }
- @Override public Optional<SecurityContext> getSecurityContext() { return Optional.ofNullable(socket).flatMap(CryptoSocket::getSecurityContext); }
+ @Override public Optional<ConnectionAuthContext> getConnectionAuthContext() {
+ return Optional.ofNullable(socket).flatMap(CryptoSocket::getConnectionAuthContext);
+ }
}
diff --git a/jrt/src/com/yahoo/jrt/SecurityContext.java b/jrt/src/com/yahoo/jrt/SecurityContext.java
deleted file mode 100644
index 4eef99cb93f..00000000000
--- a/jrt/src/com/yahoo/jrt/SecurityContext.java
+++ /dev/null
@@ -1,24 +0,0 @@
-// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.jrt;
-
-import java.security.cert.X509Certificate;
-import java.util.List;
-
-/**
- * @author bjorncs
- */
-public class SecurityContext {
-
- private final List<X509Certificate> peerCertificateChain;
-
- public SecurityContext(List<X509Certificate> peerCertificateChain) {
- this.peerCertificateChain = peerCertificateChain;
- }
-
- /**
- * @return the peer certificate chain if the peer was authenticated, empty list if not.
- */
- public List<X509Certificate> peerCertificateChain() {
- return peerCertificateChain;
- }
-}
diff --git a/jrt/src/com/yahoo/jrt/Target.java b/jrt/src/com/yahoo/jrt/Target.java
index a59aa341fe0..239a71f53b3 100644
--- a/jrt/src/com/yahoo/jrt/Target.java
+++ b/jrt/src/com/yahoo/jrt/Target.java
@@ -1,6 +1,8 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.jrt;
+import com.yahoo.security.tls.authz.ConnectionAuthContext;
+
import java.util.Optional;
/**
@@ -69,9 +71,9 @@ public abstract class Target {
public Exception getConnectionLostReason() { return null; }
/**
- * Returns the security context associated with this target, or empty if no connection or is insecure.
+ * Returns the connection auth context associated with this target, or empty if no connection or is insecure.
*/
- public abstract Optional<SecurityContext> getSecurityContext();
+ public abstract Optional<ConnectionAuthContext> getConnectionAuthContext();
/**
* Check if this target represents the client side of a
diff --git a/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java b/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java
index a899938dd45..ecd76e1eb17 100644
--- a/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java
+++ b/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java
@@ -1,7 +1,7 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.jrt;
-import com.yahoo.security.tls.authz.AuthorizationResult;
+import com.yahoo.security.tls.authz.ConnectionAuthContext;
import com.yahoo.security.tls.authz.PeerAuthorizerTrustManager;
import javax.net.ssl.SSLEngine;
@@ -9,19 +9,14 @@ import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLEngineResult.HandshakeStatus;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
-import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.ClosedChannelException;
import java.nio.channels.SocketChannel;
-import java.security.cert.X509Certificate;
-import java.util.Arrays;
-import java.util.List;
import java.util.Optional;
import java.util.logging.Logger;
-import static java.util.stream.Collectors.toList;
import static javax.net.ssl.SSLEngineResult.Status;
/**
@@ -46,7 +41,7 @@ public class TlsCryptoSocket implements CryptoSocket {
private int sessionApplicationBufferSize;
private ByteBuffer handshakeDummyBuffer;
private HandshakeState handshakeState;
- private AuthorizationResult authorizationResult;
+ private ConnectionAuthContext authContext;
public TlsCryptoSocket(SocketChannel channel, SSLEngine sslEngine) {
this.channel = channel;
@@ -102,13 +97,13 @@ public class TlsCryptoSocket implements CryptoSocket {
channelRead();
break;
case NEED_WORK:
- if (authorizationResult == null) {
- PeerAuthorizerTrustManager.getAuthorizationResult(sslEngine) // only available during handshake
- .ifPresent(result -> {
- if (!result.succeeded()) {
+ if (authContext == null) {
+ PeerAuthorizerTrustManager.getConnectionAuthContext(sslEngine) // only available during handshake
+ .ifPresent(ctx -> {
+ if (!ctx.authorized()) {
metrics.incrementPeerAuthorizationFailures();
}
- authorizationResult = result;
+ authContext = ctx;
});
}
break;
@@ -149,7 +144,7 @@ public class TlsCryptoSocket implements CryptoSocket {
}
} catch (SSLHandshakeException e) {
// sslEngine.getDelegatedTask().run() and handshakeWrap() may throw SSLHandshakeException, potentially handshakeUnwrap() and sslEngine.beginHandshake() as well.
- if (authorizationResult == null || authorizationResult.succeeded()) { // don't include handshake failures due from PeerAuthorizerTrustManager
+ if (authContext == null || authContext.authorized()) { // don't include handshake failures due from PeerAuthorizerTrustManager
metrics.incrementTlsCertificateVerificationFailures();
}
throw e;
@@ -224,19 +219,9 @@ public class TlsCryptoSocket implements CryptoSocket {
}
@Override
- public Optional<SecurityContext> getSecurityContext() {
- try {
- if (handshakeState != HandshakeState.COMPLETED) {
- return Optional.empty();
- }
- List<X509Certificate> peerCertificateChain =
- Arrays.stream(sslEngine.getSession().getPeerCertificates())
- .map(X509Certificate.class::cast)
- .collect(toList());
- return Optional.of(new SecurityContext(peerCertificateChain));
- } catch (SSLPeerUnverifiedException e) { // unverified peer: non-certificate based ciphers or peer did not provide a certificate
- return Optional.of(new SecurityContext(List.of())); // secure connection, but peer does not have a certificate chain.
- }
+ public Optional<ConnectionAuthContext> getConnectionAuthContext() {
+ if (handshakeState != HandshakeState.COMPLETED) return Optional.empty();
+ return Optional.ofNullable(authContext);
}
private boolean handshakeWrap() throws IOException {