diff options
Diffstat (limited to 'security-utils/src')
-rw-r--r-- | security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java | 32 | ||||
-rw-r--r-- | security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java | 43 |
2 files changed, 49 insertions, 26 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java index 572461c6cdd..f4a89da988a 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java @@ -10,7 +10,6 @@ import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLParameters; import java.security.PrivateKey; import java.security.cert.X509Certificate; -import java.util.Arrays; import java.util.List; import java.util.Set; import java.util.logging.Level; @@ -55,32 +54,23 @@ public class DefaultTlsContext implements TlsContext { } private static String[] getAllowedCiphers(SSLContext sslContext, Set<String> acceptedCiphers) { - String[] supportedCipherSuites = sslContext.getSupportedSSLParameters().getCipherSuites(); - String[] validCipherSuites = Arrays.stream(supportedCipherSuites) - .filter(suite -> ALLOWED_CIPHER_SUITES.contains(suite) && acceptedCiphers.contains(suite)) + Set<String> supportedCiphers = TlsContext.getAllowedCipherSuites(sslContext); + String[] allowedCiphers = supportedCiphers.stream() + .filter(acceptedCiphers::contains) .toArray(String[]::new); - if (validCipherSuites.length == 0) { + if (allowedCiphers.length == 0) { throw new IllegalStateException( - String.format("None of the allowed cipher suites are supported " + - "(allowed-cipher-suites=%s, supported-cipher-suites=%s, accepted-cipher-suites=%s)", - ALLOWED_CIPHER_SUITES, List.of(supportedCipherSuites), acceptedCiphers)); + String.format("None of the accepted ciphers are supported (supported=%s, accepted=%s)", + supportedCiphers, acceptedCiphers)); } - log.log(Level.FINE, () -> String.format("Allowed cipher suites that are supported: %s", List.of(validCipherSuites))); - return validCipherSuites; + log.log(Level.FINE, () -> String.format("Allowed cipher suites that are supported: %s", List.of(allowedCiphers))); + return allowedCiphers; } private static String[] getAllowedProtocols(SSLContext sslContext) { - String[] supportedProtocols = sslContext.getSupportedSSLParameters().getProtocols(); - String[] validProtocols = Arrays.stream(supportedProtocols) - .filter(ALLOWED_PROTOCOLS::contains) - .toArray(String[]::new); - if (validProtocols.length == 0) { - throw new IllegalArgumentException( - String.format("None of the allowed protocols are supported (allowed-protocols=%s, supported-protocols=%s)", - ALLOWED_PROTOCOLS, List.of(supportedProtocols))); - } - log.log(Level.FINE, () -> String.format("Allowed protocols that are supported: %s", List.of(validProtocols))); - return validProtocols; + Set<String> allowedProtocols = TlsContext.getAllowedProtocols(sslContext); + log.log(Level.FINE, () -> String.format("Allowed protocols that are supported: %s", List.of(allowedProtocols))); + return allowedProtocols.toArray(String[]::new); } @Override diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java index 6ad5f6c3612..0c09faf459f 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java @@ -4,8 +4,11 @@ package com.yahoo.security.tls; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLParameters; +import java.util.Arrays; import java.util.Set; +import static java.util.stream.Collectors.toSet; + /** * A simplified version of {@link SSLContext} modelled as an interface. * @@ -20,22 +23,52 @@ public interface TlsContext extends AutoCloseable { * For TLSv1.3 we allow the DEFAULT group ciphers. * Note that we _only_ allow AEAD ciphers for either TLS version. */ - // TODO: Remove TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, - // TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 and TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256? - // These cipher suites are not supported in Java 11, see https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/master/src/java.base/share/classes/sun/security/ssl/CipherSuite.java Set<String> ALLOWED_CIPHER_SUITES = Set.of( "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", + "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", // Java 12 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_AES_128_GCM_SHA256", // TLSv1.3 "TLS_AES_256_GCM_SHA384", // TLSv1.3 - "TLS_CHACHA20_POLY1305_SHA256"); // TLSv1.3 + "TLS_CHACHA20_POLY1305_SHA256"); // TLSv1.3, Java 12 Set<String> ALLOWED_PROTOCOLS = Set.of("TLSv1.2"); // TODO Enable TLSv1.3 + /** + * @return the allowed cipher suites supported by the provided context instance + */ + static Set<String> getAllowedCipherSuites(SSLContext context) { + String[] supportedCiphers = context.getSupportedSSLParameters().getCipherSuites(); + Set<String> enabledCiphers = Arrays.stream(supportedCiphers) + .filter(ALLOWED_CIPHER_SUITES::contains) + .collect(toSet()); + if (enabledCiphers.isEmpty()) { + throw new IllegalArgumentException( + String.format("Non of the allowed ciphers are supported (allowed=%s, supported=%s)", + ALLOWED_CIPHER_SUITES, Arrays.toString(supportedCiphers))); + + } + return enabledCiphers; + } + + /** + * @return the allowed protocols supported by the provided context instance + */ + static Set<String> getAllowedProtocols(SSLContext context) { + String[] supportedProtocols = context.getSupportedSSLParameters().getProtocols(); + Set<String> enabledProtocols = Arrays.stream(supportedProtocols) + .filter(ALLOWED_PROTOCOLS::contains) + .collect(toSet()); + if (enabledProtocols.isEmpty()) { + throw new IllegalArgumentException( + String.format("Non of the allowed protocols are supported (allowed=%s, supported=%s)", + ALLOWED_PROTOCOLS, Arrays.toString(supportedProtocols))); + } + return enabledProtocols; + } + SSLContext context(); SSLParameters parameters(); |