From 8703546dedda8353de7fa6957ab6cc3c8e4b9255 Mon Sep 17 00:00:00 2001
From: Bjørn Christian Seime
Date: Wed, 17 Jan 2018 14:06:47 +0100
Subject: Add builder helper for SSLContext in vespa-athenz Use new builder in AthenzSslContextProviderImpl
---
 .../athenz/impl/AthenzSslContextProviderImpl.java | 65 ++--------------------
 1 file changed, 6 insertions(+), 59 deletions(-)
(limited to 'controller-server')
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzSslContextProviderImpl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzSslContextProviderImpl.java
index f463d04b454..1652cb2298e 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzSslContextProviderImpl.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzSslContextProviderImpl.java
@@ -2,26 +2,13 @@
 package com.yahoo.vespa.hosted.controller.athenz.impl;
 
 import com.google.inject.Inject;
+import com.yahoo.vespa.athenz.tls.AthenzSslContextBuilder;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzClientFactory;
-import com.yahoo.vespa.athenz.api.AthenzIdentityCertificate;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzSslContextProvider;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZtsClient;
 import com.yahoo.vespa.hosted.controller.athenz.config.AthenzConfig;
 
-import javax.net.ssl.KeyManager;
-import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.TrustManagerFactory;
-import java.io.FileInputStream;
-import java.io.IOException;
-import java.security.KeyManagementException;
-import java.security.KeyStore;
-import java.security.KeyStoreException;
-import java.security.NoSuchAlgorithmException;
-import java.security.UnrecoverableKeyException;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateException;
+import java.io.File;
 
 /**
 * @author bjorncs
@@ -39,49 +26,9 @@ public class AthenzSslContextProviderImpl implements AthenzSslContextProvider {
 
 @Override
 public SSLContext get() {
- return createSslContext();
- }
-
- private SSLContext createSslContext() {
- try {
- SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
- sslContext.init(createKeyManagersWithServiceCertificate(clientFactory.createZtsClientWithServicePrincipal()),
- createTrustManagersWithAthenzCa(config),
- null);
- return sslContext;
- } catch (NoSuchAlgorithmException | KeyManagementException e) {
- throw new RuntimeException(e);
- }
- }
-
- private static KeyManager[] createKeyManagersWithServiceCertificate(ZtsClient ztsClient) {
- try {
- AthenzIdentityCertificate identityCertificate = ztsClient.getIdentityCertificate();
- KeyStore keyStore = KeyStore.getInstance("JKS");
- keyStore.load(null);
- keyStore.setKeyEntry("athenz-controller-key",
- identityCertificate.getPrivateKey(),
- new char[0],
- new Certificate[]{identityCertificate.getCertificate()});
- KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
- keyManagerFactory.init(keyStore, new char[0]);
- return keyManagerFactory.getKeyManagers();
- } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException | IOException e) {
- throw new RuntimeException(e);
- }
- }
-
- private static TrustManager[] createTrustManagersWithAthenzCa(AthenzConfig config) {
- try {
- KeyStore trustStore = KeyStore.getInstance("JKS");
- try (FileInputStream in = new FileInputStream(config.athenzCaTrustStore())) {
- trustStore.load(in, "changeit".toCharArray());
- }
- TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
- trustManagerFactory.init(trustStore);
- return trustManagerFactory.getTrustManagers();
- } catch (CertificateException | IOException | KeyStoreException | NoSuchAlgorithmException e) {
- throw new RuntimeException(e);
- }
+ return new AthenzSslContextBuilder()
+ .withTrustStore(new File(config.athenzCaTrustStore()), "JKS")
+ .withIdentityCertificate(clientFactory.createZtsClientWithServicePrincipal().getIdentityCertificate())
+ .build();
 }
 }
-- cgit v1.2.3
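Review bot: The explicit `SSLContext.getInstance("TLSv1.2")` pin from the removed `createSslContext()` has no counterpart in the new builder chain in `get()`, so the negotiated protocol version now depends entirely on what `AthenzSslContextBuilder` defaults to, which is not visible in this hunk and should be confirmed or made explicit here. In the same way the trust store was previously loaded with the `"changeit"` password and is now handed to `withTrustStore(new File(config.athenzCaTrustStore()), "JKS")` without one; if the builder loads it with a null password the JKS integrity check is skipped, which is a silent behaviour change even if acceptable for a public CA bundle. `get()` also deserves a Javadoc, since it still appears to create a ZTS client and fetch a fresh identity certificate on every call via `clientFactory.createZtsClientWithServicePrincipal().getIdentityCertificate()`: `/** Builds a new SSLContext, fetching the service identity certificate from ZTS on each call. */`. The enclosing class declaration is outside the hunk.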