summaryrefslogtreecommitdiffstats
path: root/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
diff options
context:
space:
mode:
Diffstat (limited to 'security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java')
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java43
1 files changed, 38 insertions, 5 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
index 6ad5f6c3612..0c09faf459f 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
@@ -4,8 +4,11 @@ package com.yahoo.security.tls;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
+import java.util.Arrays;
import java.util.Set;
+import static java.util.stream.Collectors.toSet;
+
/**
* A simplified version of {@link SSLContext} modelled as an interface.
*
@@ -20,22 +23,52 @@ public interface TlsContext extends AutoCloseable {
* For TLSv1.3 we allow the DEFAULT group ciphers.
* Note that we _only_ allow AEAD ciphers for either TLS version.
*/
- // TODO: Remove TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
- // TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 and TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256?
- // These cipher suites are not supported in Java 11, see https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/master/src/java.base/share/classes/sun/security/ssl/CipherSuite.java
Set<String> ALLOWED_CIPHER_SUITES = Set.of(
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
+ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", // Java 12
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_AES_128_GCM_SHA256", // TLSv1.3
"TLS_AES_256_GCM_SHA384", // TLSv1.3
- "TLS_CHACHA20_POLY1305_SHA256"); // TLSv1.3
+ "TLS_CHACHA20_POLY1305_SHA256"); // TLSv1.3, Java 12
Set<String> ALLOWED_PROTOCOLS = Set.of("TLSv1.2"); // TODO Enable TLSv1.3
+ /**
+ * @return the allowed cipher suites supported by the provided context instance
+ */
+ static Set<String> getAllowedCipherSuites(SSLContext context) {
+ String[] supportedCiphers = context.getSupportedSSLParameters().getCipherSuites();
+ Set<String> enabledCiphers = Arrays.stream(supportedCiphers)
+ .filter(ALLOWED_CIPHER_SUITES::contains)
+ .collect(toSet());
+ if (enabledCiphers.isEmpty()) {
+ throw new IllegalArgumentException(
+ String.format("Non of the allowed ciphers are supported (allowed=%s, supported=%s)",
+ ALLOWED_CIPHER_SUITES, Arrays.toString(supportedCiphers)));
+
+ }
+ return enabledCiphers;
+ }
+
+ /**
+ * @return the allowed protocols supported by the provided context instance
+ */
+ static Set<String> getAllowedProtocols(SSLContext context) {
+ String[] supportedProtocols = context.getSupportedSSLParameters().getProtocols();
+ Set<String> enabledProtocols = Arrays.stream(supportedProtocols)
+ .filter(ALLOWED_PROTOCOLS::contains)
+ .collect(toSet());
+ if (enabledProtocols.isEmpty()) {
+ throw new IllegalArgumentException(
+ String.format("Non of the allowed protocols are supported (allowed=%s, supported=%s)",
+ ALLOWED_PROTOCOLS, Arrays.toString(supportedProtocols)));
+ }
+ return enabledProtocols;
+ }
+
SSLContext context();
SSLParameters parameters();