path: root/security-utils
Commit message [Author, Age, Files, Lines]
* Add helper method for extracting DNS names from CSR [Martin Polden, 2024-02-05, 1, -0/+11]
|
* jackson 2.16 changes some of its default settings so we consolidate our use of the ObjectMapper. Unless special options are used, use a common instance, or create via factory method. [Henning Baldersheim, 2023-11-23, 1, -13/+13]
|
* Change 'TlsContext' interface to return `X509SslContext` [Bjørn Christian Seime, 2023-11-23, 4, -52/+62]
|
* Add build method returning `X509SslContext` [Bjørn Christian Seime, 2023-11-23, 1, -2/+5]
|
* Add wrapper holding both the context and its manager instances [Bjørn Christian Seime, 2023-11-23, 1, -0/+17]
|
* Only add extensions if non-empty [Bjørn Christian Seime, 2023-11-16, 1, -1/+2]
|
* Improve error message when passing private key [Martin Polden, 2023-10-18, 1, -5/+9]
|
* Update copyright [Jon Bratseth, 2023-10-09, 117, -131/+132]
|
* - Bring some libraries up to date. [Henning Baldersheim, 2023-08-29, 1, -1/+1]
|   - Specify versions in dependency-versions module.
|   - Avoid using opentest4j internally.
* Enable TLSv1.3 for Vespa mTLS [Bjørn Christian Seime, 2023-07-20, 1, -10/+7]
|
* Defer side channel-safe array checks to existing BC utils [Tor Brede Vekterli, 2023-07-19, 3, -24/+13]
|   Use constant-time array compare for TokenCheckHash equality checks.
* Short-cut re-acquiring ordered locks [jonmv, 2023-06-27, 1, -10/+4]
|
* Simplify token API by using fixed context for fingerprints [Tor Brede Vekterli, 2023-06-15, 3, -40/+51]
|   Fingerprints are now always derived using a fixed context of `Vespa token fingerprint`.
|   Enforcement has been added that a `TokenDomain` cannot be initialized with a context equal to the fingerprint context.
|   This changes the fingerprint outputs from their previous values, but that's fine since they are not yet in use anywhere.
* Add factory methods accepting hex string [Bjørn Christian Seime, 2023-06-14, 3, -0/+24]
|
* Remove trailing comma [gjoranv, 2023-06-12, 1, -1/+1]
|
* Manually add X-JDisc-Non-PublicApi-Export-Package header [gjoranv, 2023-06-09, 1, -0/+1]
|   - Bundle is built with maven-bundle-plugin
* Also include domain when printing token [Tor Brede Vekterli, 2023-06-06, 3, -3/+12]
|
* Emit fingerprints with delimiters by default [Tor Brede Vekterli, 2023-06-06, 3, -3/+18]
|   Uses standard fingerprint `hex:hex:hex:...` format
* Fix some silly typos [Tor Brede Vekterli, 2023-06-06, 1, -3/+3]
|
* Add a simple token primitive to security utils [Tor Brede Vekterli, 2023-06-06, 6, -0/+398]
|   A token is an arbitrary, opaque (secret) string from which a fingerprint and audience-specific access-check hashes can be derived.
|   A CSPRNG-backed token generator that returns random Base62-encoded tokens (with an optional prefix) is included.
* Build with jdk20 [Jon Bratseth, 2023-04-17, 2, -4/+4]
|
* Revert "Enable TLSv1.3 for Vespa mTLS" [Henning Baldersheim, 2023-03-25, 1, -7/+10]
|
* Enable TLSv1.3 for Vespa mTLS [Bjørn Christian Seime, 2023-03-24, 1, -10/+7]
|
* Implement RFC 9180 HPKE sender asymmetric key authentication mode [Tor Brede Vekterli, 2023-03-23, 4, -13/+195]
|   We already have support for the `base` unauthenticated mode, so this just adds the `auth` mode where the sender's key pair is added to the ECDH shared key derivation mix.
|   This ensures that a message may only be successfully opened if the sender was in possession of the private key (`skS`) corresponding to the expected public key (`pkS`).
* Merge pull request #26168 from vespa-engine/revert-26152-revert-26139-vekterli/add-content-state-api-capability [Tor Brede Vekterli, 2023-02-24, 2, -2/+4]
|\    Reapply: add `vespa.content.state_api` capability"
| * Revert "Revert "Add `vespa.content.state_api` capability" MERGEOK" [Tor Brede Vekterli, 2023-02-23, 2, -2/+4]
| |
* | Revert "Revert "Store original capability (set) names from JSON config in PeerPolicy" MERGEOK" [Bjørn Christian Seime, 2023-02-23, 6, -25/+72]
|/
* Merge pull request #26153 from vespa-engine/revert-26145-bjorncs/capabilities [Bjørn Christian Seime, 2023-02-23, 6, -72/+25]
|\    Revert "Store original capability (set) names from JSON config in PeerPolicy" MERGEOK
| * Revert "Store original capability (set) names from JSON config in PeerPolicy" [Bjørn Christian Seime, 2023-02-23, 6, -72/+25]
| |
* | Revert "Add `vespa.content.state_api` capability" [Bjørn Christian Seime, 2023-02-23, 2, -4/+2]
|/
* Merge pull request #26139 from vespa-engine/vekterli/add-content-state-api-capability [Tor Brede Vekterli, 2023-02-22, 2, -2/+4]
|\    Add `vespa.content.state_api` capability
| * Add `vespa.content.state_api` capability to Java [Tor Brede Vekterli, 2023-02-22, 2, -2/+4]
| |   Add new capability to existing `vespa.telemetry` capability set.
* | Store original capability (set) names from JSON config in PeerPolicy [Bjørn Christian Seime, 2023-02-22, 6, -25/+72]
|/    Add additional helper methods to convert `names <=> capabilities`.
* Grant container nodes access to container document api [Bjørn Christian Seime, 2023-02-20, 1, -1/+2]
|
* Specify that '/logs' requires logserver capability [Bjørn Christian Seime, 2023-02-17, 1, -1/+2]
|
* Warn instead of fail for unknown capability (set) [Bjørn Christian Seime, 2023-02-17, 2, -9/+10]
|
* Improve metric names, fix wiring [Bjørn Christian Seime, 2023-02-16, 1, -9/+9]
|
* Add capability 'vespa.sentinel.inspect_services' [Bjørn Christian Seime, 2023-02-16, 1, -0/+1]
|
* Add metrics for capability checks [Bjørn Christian Seime, 2023-02-16, 2, -0/+39]
|
* Add capability 'vespa.content.proton_admin_api' [Bjørn Christian Seime, 2023-02-15, 1, -0/+1]
|
* Add slobrok capability to all application nodes [Bjørn Christian Seime, 2023-02-15, 1, -2/+2]
|
* Add new capabilities to existing capability sets [Bjørn Christian Seime, 2023-02-15, 1, -6/+10]
|
* Use explicit `equals` and `hashCode` to use contents of arrays, not just refs [Tor Brede Vekterli, 2023-02-14, 2, -0/+55]
|   Also add a friendlier `toString()` that hex dumps the enc/ciphertext fields.
* Require capabilities for built-in request handlers [Bjørn Christian Seime, 2023-02-14, 1, -0/+4]
|
* Revert "Revert "Bjorncs/capabilities"" [Henning Baldersheim, 2023-02-14, 5, -21/+34]
|
* Revert "Bjorncs/capabilities" [Henning Baldersheim, 2023-02-14, 5, -34/+21]
|
* Add new capabilities in node specific capability sets [Bjørn Christian Seime, 2023-02-13, 3, -11/+24]
|
* Rename 'from()' to 'of()' [Bjørn Christian Seime, 2023-02-13, 5, -10/+10]
|
* Define required capabilities for existing JRT RPC methods [Bjørn Christian Seime, 2023-02-09, 1, -0/+12]
|
* Introduce capabilities for unclassified APIs [Bjørn Christian Seime, 2023-02-09, 1, -0/+3]
|   Require 'vespa.rpc.unclassified' by default for all JRT APIs