diff options
Diffstat (limited to 'security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java')
-rw-r--r-- | security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java | 64 |
1 files changed, 26 insertions, 38 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java index 8f4838c9940..4e810c2d304 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java @@ -2,9 +2,9 @@ package com.yahoo.security.tls; import com.yahoo.security.SslContextBuilder; +import com.yahoo.security.X509SslContext; import javax.net.ssl.SSLContext; -import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLParameters; import java.security.PrivateKey; import java.security.cert.X509Certificate; @@ -23,30 +23,35 @@ public class DefaultTlsContext implements TlsContext { private static final Logger log = Logger.getLogger(DefaultTlsContext.class.getName()); - private final SSLContext sslContext; + private final X509SslContext sslContext; private final String[] validCiphers; private final String[] validProtocols; private final PeerAuthentication peerAuthentication; - public DefaultTlsContext(List<X509Certificate> certificates, - PrivateKey privateKey, - List<X509Certificate> caCertificates, - AuthorizedPeers authorizedPeers, - AuthorizationMode mode, - PeerAuthentication peerAuthentication, - HostnameVerification hostnameVerification) { - this(createSslContext(certificates, privateKey, caCertificates, authorizedPeers, mode, hostnameVerification), peerAuthentication); + public static DefaultTlsContext of(X509SslContext sslContext, PeerAuthentication peerAuthentication) { + return new DefaultTlsContext(sslContext, TlsContext.ALLOWED_CIPHER_SUITES, TlsContext.ALLOWED_PROTOCOLS, peerAuthentication); } - public DefaultTlsContext(SSLContext sslContext, PeerAuthentication peerAuthentication) { - this(sslContext, TlsContext.ALLOWED_CIPHER_SUITES, TlsContext.ALLOWED_PROTOCOLS, peerAuthentication); + public static DefaultTlsContext of( + List<X509Certificate> certificates, PrivateKey privateKey, List<X509Certificate> caCertificates, + AuthorizedPeers authorizedPeers, AuthorizationMode mode, PeerAuthentication peerAuthentication, + HostnameVerification hostnameVerification) { + var ctx = createSslContext(certificates, privateKey, caCertificates, authorizedPeers, mode, hostnameVerification); + return of(ctx, peerAuthentication); } - DefaultTlsContext(SSLContext sslContext, Set<String> acceptedCiphers, Set<String> acceptedProtocols, PeerAuthentication peerAuthentication) { + public static DefaultTlsContext of( + X509SslContext sslContext, Set<String> acceptedCiphers, Set<String> acceptedProtocols, + PeerAuthentication peerAuthentication) { + return new DefaultTlsContext(sslContext, acceptedCiphers, acceptedProtocols, peerAuthentication); + } + + private DefaultTlsContext(X509SslContext sslContext, Set<String> acceptedCiphers, Set<String> acceptedProtocols, + PeerAuthentication peerAuthentication) { this.sslContext = sslContext; this.peerAuthentication = peerAuthentication; - this.validCiphers = getAllowedCiphers(sslContext, acceptedCiphers); - this.validProtocols = getAllowedProtocols(sslContext, acceptedProtocols); + this.validCiphers = getAllowedCiphers(sslContext.context(), acceptedCiphers); + this.validProtocols = getAllowedProtocols(sslContext.context(), acceptedProtocols); } private static String[] getAllowedCiphers(SSLContext sslContext, Set<String> acceptedCiphers) { @@ -78,7 +83,7 @@ public class DefaultTlsContext implements TlsContext { } @Override - public SSLContext context() { + public X509SslContext sslContext() { return sslContext; } @@ -87,22 +92,8 @@ public class DefaultTlsContext implements TlsContext { return createSslParameters(); } - @Override - public SSLEngine createSslEngine() { - SSLEngine sslEngine = sslContext.createSSLEngine(); - sslEngine.setSSLParameters(createSslParameters()); - return sslEngine; - } - - @Override - public SSLEngine createSslEngine(String peerHost, int peerPort) { - SSLEngine sslEngine = sslContext.createSSLEngine(peerHost, peerPort); - sslEngine.setSSLParameters(createSslParameters()); - return sslEngine; - } - private SSLParameters createSslParameters() { - SSLParameters newParameters = sslContext.getDefaultSSLParameters(); + SSLParameters newParameters = sslContext.context().getDefaultSSLParameters(); newParameters.setCipherSuites(validCiphers); newParameters.setProtocols(validProtocols); switch (peerAuthentication) { @@ -120,12 +111,9 @@ public class DefaultTlsContext implements TlsContext { return newParameters; } - private static SSLContext createSslContext(List<X509Certificate> certificates, - PrivateKey privateKey, - List<X509Certificate> caCertificates, - AuthorizedPeers authorizedPeers, - AuthorizationMode mode, - HostnameVerification hostnameVerification) { + private static X509SslContext createSslContext( + List<X509Certificate> certificates, PrivateKey privateKey, List<X509Certificate> caCertificates, + AuthorizedPeers authorizedPeers, AuthorizationMode mode, HostnameVerification hostnameVerification) { SslContextBuilder builder = new SslContextBuilder(); if (!certificates.isEmpty()) { builder.withKeyStore(privateKey, certificates); @@ -135,7 +123,7 @@ public class DefaultTlsContext implements TlsContext { } return builder.withTrustManagerFactory(truststore -> new PeerAuthorizerTrustManager(authorizedPeers, mode, hostnameVerification, truststore)) - .build(); + .buildContext(); } } |