diff options
Diffstat (limited to 'security-utils/src/main/java/com/yahoo/security')
6 files changed, 59 insertions, 14 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/KeyAlgorithm.java b/security-utils/src/main/java/com/yahoo/security/KeyAlgorithm.java index 3218f81f0d6..732ac2bb12c 100644 --- a/security-utils/src/main/java/com/yahoo/security/KeyAlgorithm.java +++ b/security-utils/src/main/java/com/yahoo/security/KeyAlgorithm.java @@ -1,20 +1,28 @@ // Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.security; +import java.security.spec.AlgorithmParameterSpec; +import java.security.spec.ECGenParameterSpec; +import java.util.Optional; + /** * @author bjorncs */ public enum KeyAlgorithm { - RSA("RSA"), - EC("EC"); + RSA("RSA", null), + EC("EC", new ECGenParameterSpec("prime256v1")); // TODO Make curve configurable final String algorithmName; + private final AlgorithmParameterSpec spec; - KeyAlgorithm(String algorithmName) { + KeyAlgorithm(String algorithmName, AlgorithmParameterSpec spec) { this.algorithmName = algorithmName; + this.spec = spec; } String getAlgorithmName() { return algorithmName; } + + Optional<AlgorithmParameterSpec> getSpec() { return Optional.ofNullable(spec); } } diff --git a/security-utils/src/main/java/com/yahoo/security/KeyUtils.java b/security-utils/src/main/java/com/yahoo/security/KeyUtils.java index 0d45a62f193..76e0f5419a3 100644 --- a/security-utils/src/main/java/com/yahoo/security/KeyUtils.java +++ b/security-utils/src/main/java/com/yahoo/security/KeyUtils.java @@ -46,6 +46,9 @@ public class KeyUtils { if (keySize != -1) { keyGen.initialize(keySize); } + if (algorithm.getSpec().isPresent()) { + keyGen.initialize(algorithm.getSpec().get()); + } return keyGen.genKeyPair(); } catch (GeneralSecurityException e) { throw new RuntimeException(e); diff --git a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java index f2ae1dd0d38..a42c678edab 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java @@ -28,37 +28,48 @@ public class DefaultTlsContext implements TlsContext { "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"); + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_AES_128_GCM_SHA256", // TLSv1.3 + "TLS_AES_256_GCM_SHA384", // TLSv1.3 + "TLS_CHACHA20_POLY1305_SHA256"); // TLSv1.3 private static final Logger log = Logger.getLogger(DefaultTlsContext.class.getName()); private final SSLContext sslContext; + private final List<String> acceptedCiphers; public DefaultTlsContext(List<X509Certificate> certificates, PrivateKey privateKey, List<X509Certificate> caCertificates, AuthorizedPeers authorizedPeers, - AuthorizationMode mode) { + AuthorizationMode mode, + List<String> acceptedCiphers) { this.sslContext = createSslContext(certificates, privateKey, caCertificates, authorizedPeers, mode); + this.acceptedCiphers = acceptedCiphers; } public DefaultTlsContext(Path tlsOptionsConfigFile, AuthorizationMode mode) { - this.sslContext = createSslContext(tlsOptionsConfigFile, mode); + TransportSecurityOptions options = TransportSecurityOptions.fromJsonFile(tlsOptionsConfigFile); + this.sslContext = createSslContext(options, mode); + this.acceptedCiphers = options.getAcceptedCiphers(); } @Override public SSLEngine createSslEngine() { SSLEngine sslEngine = sslContext.createSSLEngine(); - restrictSetOfEnabledCiphers(sslEngine); + restrictSetOfEnabledCiphers(sslEngine, acceptedCiphers); return sslEngine; } - private static void restrictSetOfEnabledCiphers(SSLEngine sslEngine) { + private static void restrictSetOfEnabledCiphers(SSLEngine sslEngine, List<String> acceptedCiphers) { String[] validCipherSuites = Arrays.stream(sslEngine.getSupportedCipherSuites()) - .filter(ALLOWED_CIPHER_SUITES::contains) + .filter(suite -> ALLOWED_CIPHER_SUITES.contains(suite) && (acceptedCiphers.isEmpty() || acceptedCiphers.contains(suite))) .toArray(String[]::new); if (validCipherSuites.length == 0) { - throw new IllegalStateException("None of the allowed cipher suites are supported"); + throw new IllegalStateException( + String.format("None of the allowed cipher suites are supported " + + "(allowed-cipher-suites=%s, supported-cipher-suites=%s, accepted-cipher-suites=%s)", + ALLOWED_CIPHER_SUITES, List.of(sslEngine.getSupportedCipherSuites()), acceptedCiphers)); } log.log(Level.FINE, () -> String.format("Allowed cipher suites that are supported: %s", Arrays.toString(validCipherSuites))); sslEngine.setEnabledCipherSuites(validCipherSuites); @@ -82,8 +93,7 @@ public class DefaultTlsContext implements TlsContext { return builder.build(); } - private static SSLContext createSslContext(Path tlsOptionsConfigFile, AuthorizationMode mode) { - TransportSecurityOptions options = TransportSecurityOptions.fromJsonFile(tlsOptionsConfigFile); + private static SSLContext createSslContext(TransportSecurityOptions options, AuthorizationMode mode) { SslContextBuilder builder = new SslContextBuilder(); options.getCertificatesFile() .ifPresent(certificates -> builder.withKeyStore(options.getPrivateKeyFile().get(), certificates)); diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptions.java b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptions.java index 82caf02223f..c0e9e1053c3 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptions.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptions.java @@ -13,6 +13,8 @@ import java.io.UncheckedIOException; import java.nio.charset.StandardCharsets; import java.nio.file.Files; import java.nio.file.Path; +import java.util.ArrayList; +import java.util.List; import java.util.Objects; import java.util.Optional; @@ -27,12 +29,14 @@ public class TransportSecurityOptions { private final Path certificatesFile; private final Path caCertificatesFile; private final AuthorizedPeers authorizedPeers; + private final List<String> acceptedCiphers; private TransportSecurityOptions(Builder builder) { this.privateKeyFile = builder.privateKeyFile; this.certificatesFile = builder.certificatesFile; this.caCertificatesFile = builder.caCertificatesFile; this.authorizedPeers = builder.authorizedPeers; + this.acceptedCiphers = builder.acceptedCiphers; } public Optional<Path> getPrivateKeyFile() { @@ -51,6 +55,8 @@ public class TransportSecurityOptions { return Optional.ofNullable(authorizedPeers); } + public List<String> getAcceptedCiphers() { return acceptedCiphers; } + public static TransportSecurityOptions fromJsonFile(Path file) { try (InputStream in = Files.newInputStream(file)) { return new TransportSecurityOptionsJsonSerializer().deserialize(in); @@ -83,6 +89,7 @@ public class TransportSecurityOptions { private Path certificatesFile; private Path caCertificatesFile; private AuthorizedPeers authorizedPeers; + private List<String> acceptedCiphers = new ArrayList<>(); public Builder() {} @@ -102,6 +109,11 @@ public class TransportSecurityOptions { return this; } + public Builder withAcceptedCiphers(List<String> acceptedCiphers) { + this.acceptedCiphers = acceptedCiphers; + return this; + } + public TransportSecurityOptions build() { return new TransportSecurityOptions(this); } @@ -114,6 +126,7 @@ public class TransportSecurityOptions { ", certificatesFile=" + certificatesFile + ", caCertificatesFile=" + caCertificatesFile + ", authorizedPeers=" + authorizedPeers + + ", acceptedCiphers=" + acceptedCiphers + '}'; } @@ -125,11 +138,12 @@ public class TransportSecurityOptions { return Objects.equals(privateKeyFile, that.privateKeyFile) && Objects.equals(certificatesFile, that.certificatesFile) && Objects.equals(caCertificatesFile, that.caCertificatesFile) && - Objects.equals(authorizedPeers, that.authorizedPeers); + Objects.equals(authorizedPeers, that.authorizedPeers) && + Objects.equals(acceptedCiphers, that.acceptedCiphers); } @Override public int hashCode() { - return Objects.hash(privateKeyFile, certificatesFile, caCertificatesFile, authorizedPeers); + return Objects.hash(privateKeyFile, certificatesFile, caCertificatesFile, authorizedPeers, acceptedCiphers); } }
\ No newline at end of file diff --git a/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsEntity.java b/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsEntity.java index fbb98d7c382..6594fa84255 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsEntity.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsEntity.java @@ -19,6 +19,7 @@ class TransportSecurityOptionsEntity { @JsonProperty("files") Files files; @JsonProperty("authorized-peers") @JsonInclude(NON_EMPTY) List<AuthorizedPeer> authorizedPeers; + @JsonProperty("accepted-ciphers") @JsonInclude(NON_EMPTY) List<String> acceptedCiphers; static class Files { @JsonProperty("private-key") String privateKeyFile; diff --git a/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializer.java b/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializer.java index f75cb4bcfff..a6291477942 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializer.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializer.java @@ -70,6 +70,12 @@ public class TransportSecurityOptionsJsonSerializer { } builder.withAuthorizedPeers(new AuthorizedPeers(toPeerPolicies(authorizedPeersEntity))); } + if (entity.acceptedCiphers != null) { + if (entity.acceptedCiphers.isEmpty()) { + throw new IllegalArgumentException("'accepted-ciphers' cannot be empty"); + } + builder.withAcceptedCiphers(entity.acceptedCiphers); + } return builder.build(); } @@ -145,6 +151,9 @@ public class TransportSecurityOptionsJsonSerializer { entity.authorizedPeers.add(authorizedPeer); } }); + if (!options.getAcceptedCiphers().isEmpty()) { + entity.acceptedCiphers = options.getAcceptedCiphers(); + } return entity; } |