From aca94cc460b2fbfaf51712a7b9d492f8dc181bd1 Mon Sep 17 00:00:00 2001
From: Bjørn Christian Seime
Date: Tue, 2 Jul 2019 13:59:57 +0200
Subject: Move constants from DefaultTlsContext to TlsContext

---
 jrt/tests/com/yahoo/jrt/CryptoUtils.java | 2 +-
 .../java/com/yahoo/security/tls/DefaultTlsContext.java | 13 -------------
 .../src/main/java/com/yahoo/security/tls/TlsContext.java | 15 +++++++++++++++
 .../com/yahoo/security/tls/DefaultTlsContextTest.java | 2 +-
 .../com/yahoo/security/tls/ReloadingTlsContextTest.java | 2 +-
 5 files changed, 18 insertions(+), 16 deletions(-)

diff --git a/jrt/tests/com/yahoo/jrt/CryptoUtils.java b/jrt/tests/com/yahoo/jrt/CryptoUtils.java
index 6890fe88da5..ead9918a9c7 100644
--- a/jrt/tests/com/yahoo/jrt/CryptoUtils.java
+++ b/jrt/tests/com/yahoo/jrt/CryptoUtils.java
@@ -48,7 +48,7 @@ class CryptoUtils {
 Field.CN, new HostGlobPattern("dummy"))))));
 static TlsContext createTestTlsContext() {
- return new DefaultTlsContext(singletonList(certificate), keyPair.getPrivate(), singletonList(certificate), authorizedPeers, AuthorizationMode.ENFORCE, DefaultTlsContext.ALLOWED_CIPHER_SUITES);
+ return new DefaultTlsContext(singletonList(certificate), keyPair.getPrivate(), singletonList(certificate), authorizedPeers, AuthorizationMode.ENFORCE, TlsContext.ALLOWED_CIPHER_SUITES);
 }
 }
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
index e74ad49b2f5..3c583bb8aaa 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
@@ -23,19 +23,6 @@ import java.util.logging.Logger;
 */
 public class DefaultTlsContext implements TlsContext {
- public static final List ALLOWED_CIPHER_SUITES = Arrays.asList(
- "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
- "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
- "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_AES_128_GCM_SHA256", // TLSv1.3
- "TLS_AES_256_GCM_SHA384", // TLSv1.3
- "TLS_CHACHA20_POLY1305_SHA256"); // TLSv1.3
-
- public static final List ALLOWED_PROTOCOLS = List.of("TLSv1.2"); // TODO Enable TLSv1.3
-
 private static final Logger log = Logger.getLogger(DefaultTlsContext.class.getName());
 private final SSLContext sslContext;
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
index b315dd00b31..253331ee9c6 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
@@ -4,6 +4,8 @@ package com.yahoo.security.tls;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLParameters;
+import java.util.Arrays;
+import java.util.List;
 /**
 * A simplified version of {@link SSLContext} modelled as an interface.
@@ -12,6 +14,19 @@ import javax.net.ssl.SSLParameters;
 */
 public interface TlsContext extends AutoCloseable {
+ List ALLOWED_CIPHER_SUITES = Arrays.asList(
+ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_AES_128_GCM_SHA256", // TLSv1.3
+ "TLS_AES_256_GCM_SHA384", // TLSv1.3
+ "TLS_CHACHA20_POLY1305_SHA256"); // TLSv1.3
+
+ List ALLOWED_PROTOCOLS = List.of("TLSv1.2"); // TODO Enable TLSv1.3
+
 SSLContext context();
 SSLParameters parameters();
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java b/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java
index 5969d4d2ace..dd36b10f86f 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java
@@ -53,7 +53,7 @@ public class DefaultTlsContextTest {
 assertThat(sslEngine).isNotNull();
 String[] enabledCiphers = sslEngine.getEnabledCipherSuites();
 assertThat(enabledCiphers).isNotEmpty();
- assertThat(enabledCiphers).isSubsetOf(DefaultTlsContext.ALLOWED_CIPHER_SUITES.toArray(new String[0]));
+ assertThat(enabledCiphers).isSubsetOf(TlsContext.ALLOWED_CIPHER_SUITES.toArray(new String[0]));
 String[] enabledProtocols = sslEngine.getEnabledProtocols();
 assertThat(enabledProtocols).contains("TLSv1.2");
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/ReloadingTlsContextTest.java b/security-utils/src/test/java/com/yahoo/security/tls/ReloadingTlsContextTest.java
index f991f86fdce..bcdb0793348 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/ReloadingTlsContextTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/ReloadingTlsContextTest.java
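Review bot: `ALLOWED_CIPHER_SUITES` in the TlsContext hunk is built with `Arrays.asList`, which returns a fixed-size but writable list, so any code that can see the interface can call `TlsContext.ALLOWED_CIPHER_SUITES.set(i, ...)` and silently change the process-wide cipher policy, and the tests on this page only check that the enabled suites are a subset of whatever the list currently holds. `ALLOWED_PROTOCOLS` two lines below already uses the immutable `List.of`, so the cipher list should match: `List<String> ALLOWED_CIPHER_SUITES = List.of(` (the declaration is rendered here as a raw `List`, which may be an extraction artifact; if the source really is raw, add the type argument as well). Because interface fields are implicitly public, static and final and are inherited into every implementor's namespace, a one-line Javadoc such as `/** Cipher suites and protocols that every TlsContext implementation restricts itself to; not overridable by implementors. */` would make the intent clear to anyone writing a new implementation. The DefaultTlsContextTest hunk below pins ciphers with `isSubsetOf(TlsContext.ALLOWED_CIPHER_SUITES...)` but protocols only with `contains("TLSv1.2")`, so an accidentally enabled TLSv1.0/1.1 would not fail the test; `assertThat(enabledProtocols).isSubsetOf(TlsContext.ALLOWED_PROTOCOLS.toArray(new String[0]));` would pin the protocol policy the same way.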
@@ -60,7 +60,7 @@ public class ReloadingTlsContextTest {
 assertThat(sslEngine).isNotNull();
 String[] enabledCiphers = sslEngine.getEnabledCipherSuites();
 assertThat(enabledCiphers).isNotEmpty();
- assertThat(enabledCiphers).isSubsetOf(DefaultTlsContext.ALLOWED_CIPHER_SUITES.toArray(new String[0]));
+ assertThat(enabledCiphers).isSubsetOf(TlsContext.ALLOWED_CIPHER_SUITES.toArray(new String[0]));
 String[] enabledProtocols = sslEngine.getEnabledProtocols();
 assertThat(enabledProtocols).contains("TLSv1.2");
-- 
cgit v1.2.3