summaryrefslogtreecommitdiffstats
path: root/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
diff options
context:
space:
mode:
Diffstat (limited to 'security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java')
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java90
1 files changed, 36 insertions, 54 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
index c9c326df9ed..2befd50332a 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
@@ -7,7 +7,7 @@ import com.yahoo.security.tls.policy.AuthorizedPeers;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
-import javax.net.ssl.SSLParameters;
+import java.nio.file.Path;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
@@ -38,8 +38,7 @@ public class DefaultTlsContext implements TlsContext {
private static final Logger log = Logger.getLogger(DefaultTlsContext.class.getName());
private final SSLContext sslContext;
- private final String[] validCiphers;
- private final String[] validProtocols;
+ private final List<String> acceptedCiphers;
public DefaultTlsContext(List<X509Certificate> certificates,
PrivateKey privateKey,
@@ -47,77 +46,49 @@ public class DefaultTlsContext implements TlsContext {
AuthorizedPeers authorizedPeers,
AuthorizationMode mode,
List<String> acceptedCiphers) {
- this(createSslContext(certificates, privateKey, caCertificates, authorizedPeers, mode),
- acceptedCiphers);
+ this.sslContext = createSslContext(certificates, privateKey, caCertificates, authorizedPeers, mode);
+ this.acceptedCiphers = acceptedCiphers;
}
-
- public DefaultTlsContext(SSLContext sslContext, List<String> acceptedCiphers) {
- this.sslContext = sslContext;
- this.validCiphers = getAllowedCiphers(sslContext, acceptedCiphers);
- this.validProtocols = getAllowedProtocols(sslContext);
+ public DefaultTlsContext(Path tlsOptionsConfigFile, AuthorizationMode mode) {
+ TransportSecurityOptions options = TransportSecurityOptions.fromJsonFile(tlsOptionsConfigFile);
+ this.sslContext = createSslContext(options, mode);
+ this.acceptedCiphers = options.getAcceptedCiphers();
}
+ @Override
+ public SSLEngine createSslEngine() {
+ SSLEngine sslEngine = sslContext.createSSLEngine();
+ restrictSetOfEnabledCiphers(sslEngine, acceptedCiphers);
+ restrictTlsProtocols(sslEngine);
+ return sslEngine;
+ }
- private static String[] getAllowedCiphers(SSLContext sslContext, List<String> acceptedCiphers) {
- String[] supportedCipherSuites = sslContext.getSupportedSSLParameters().getCipherSuites();
- String[] validCipherSuites = Arrays.stream(supportedCipherSuites)
+ private static void restrictSetOfEnabledCiphers(SSLEngine sslEngine, List<String> acceptedCiphers) {
+ String[] validCipherSuites = Arrays.stream(sslEngine.getSupportedCipherSuites())
.filter(suite -> ALLOWED_CIPHER_SUITES.contains(suite) && (acceptedCiphers.isEmpty() || acceptedCiphers.contains(suite)))
.toArray(String[]::new);
if (validCipherSuites.length == 0) {
throw new IllegalStateException(
String.format("None of the allowed cipher suites are supported " +
"(allowed-cipher-suites=%s, supported-cipher-suites=%s, accepted-cipher-suites=%s)",
- ALLOWED_CIPHER_SUITES, List.of(supportedCipherSuites), acceptedCiphers));
+ ALLOWED_CIPHER_SUITES, List.of(sslEngine.getSupportedCipherSuites()), acceptedCiphers));
}
- log.log(Level.FINE, () -> String.format("Allowed cipher suites that are supported: %s", List.of(validCipherSuites)));
- return validCipherSuites;
+ log.log(Level.FINE, () -> String.format("Allowed cipher suites that are supported: %s", Arrays.toString(validCipherSuites)));
+ sslEngine.setEnabledCipherSuites(validCipherSuites);
}
- private static String[] getAllowedProtocols(SSLContext sslContext) {
- String[] supportedProtocols = sslContext.getSupportedSSLParameters().getProtocols();
- String[] validProtocols = Arrays.stream(supportedProtocols)
+ private static void restrictTlsProtocols(SSLEngine sslEngine) {
+ String[] validProtocols = Arrays.stream(sslEngine.getSupportedProtocols())
.filter(ALLOWED_PROTOCOLS::contains)
.toArray(String[]::new);
if (validProtocols.length == 0) {
throw new IllegalArgumentException(
String.format("None of the allowed protocols are supported (allowed-protocols=%s, supported-protocols=%s)",
- ALLOWED_PROTOCOLS, List.of(supportedProtocols)));
+ ALLOWED_PROTOCOLS, Arrays.toString(sslEngine.getSupportedProtocols())));
}
- log.log(Level.FINE, () -> String.format("Allowed protocols that are supported: %s", List.of(validProtocols)));
- return validProtocols;
- }
-
- @Override
- public SSLContext context() {
- return sslContext;
- }
-
- @Override
- public SSLParameters parameters() {
- return createSslParameters();
- }
-
- @Override
- public SSLEngine createSslEngine() {
- SSLEngine sslEngine = sslContext.createSSLEngine();
- sslEngine.setSSLParameters(createSslParameters());
- return sslEngine;
- }
-
- @Override
- public SSLEngine createSslEngine(String peerHost, int peerPort) {
- SSLEngine sslEngine = sslContext.createSSLEngine(peerHost, peerPort);
- sslEngine.setSSLParameters(createSslParameters());
- return sslEngine;
- }
-
- private SSLParameters createSslParameters() {
- SSLParameters newParameters = sslContext.getDefaultSSLParameters();
- newParameters.setCipherSuites(validCiphers);
- newParameters.setProtocols(validProtocols);
- newParameters.setNeedClientAuth(true);
- return newParameters;
+ log.log(Level.FINE, () -> String.format("Allowed protocols that are supported: %s", Arrays.toString(validProtocols)));
+ sslEngine.setEnabledProtocols(validProtocols);
}
private static SSLContext createSslContext(List<X509Certificate> certificates,
@@ -138,5 +109,16 @@ public class DefaultTlsContext implements TlsContext {
return builder.build();
}
+ private static SSLContext createSslContext(TransportSecurityOptions options, AuthorizationMode mode) {
+ SslContextBuilder builder = new SslContextBuilder();
+ options.getCertificatesFile()
+ .ifPresent(certificates -> builder.withKeyStore(options.getPrivateKeyFile().get(), certificates));
+ options.getCaCertificatesFile().ifPresent(builder::withTrustStore);
+ if (mode != AuthorizationMode.DISABLE) {
+ options.getAuthorizedPeers().ifPresent(
+ authorizedPeers -> builder.withTrustManagerFactory(new PeerAuthorizerTrustManagersFactory(authorizedPeers, mode)));
+ }
+ return builder.build();
+ }
}