From c0ce57cca30d2ab370a96e85fb3a30d887f170ea Mon Sep 17 00:00:00 2001
From: Jon Marius Venstad
Date: Mon, 9 Dec 2019 13:35:11 +0100
Subject: Revert "Use cipher/protocol config to configure Jetty"

This reverts commit 645a7d5190b95c0a47fac52d48327192b7c8e405.

---
 .../impl/ConfiguredSslContextFactoryProvider.java | 69 +++++++---------------
 1 file changed, 21 insertions(+), 48 deletions(-)
(limited to 'jdisc_http_service/src')

diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/ConfiguredSslContextFactoryProvider.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/ConfiguredSslContextFactoryProvider.java
index b2e7ba1be67..48a7c246500 100644
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/ConfiguredSslContextFactoryProvider.java
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/ConfiguredSslContextFactoryProvider.java
@@ -2,16 +2,14 @@
 package com.yahoo.jdisc.http.ssl.impl;
 
 import com.yahoo.jdisc.http.ConnectorConfig;
-import com.yahoo.jdisc.http.ConnectorConfig.Ssl.ClientAuth;
 import com.yahoo.jdisc.http.ssl.SslContextFactoryProvider;
 import com.yahoo.security.KeyUtils;
-import com.yahoo.security.SslContextBuilder;
 import com.yahoo.security.X509CertificateUtils;
-import com.yahoo.security.tls.AutoReloadingX509KeyManager;
+import com.yahoo.security.tls.DefaultTlsContext;
+import com.yahoo.security.tls.PeerAuthentication;
 import com.yahoo.security.tls.TlsContext;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 
-import javax.net.ssl.SSLContext;
 import java.io.IOException;
 import java.io.UncheckedIOException;
 import java.nio.charset.StandardCharsets;
@@ -19,21 +17,16 @@ import java.nio.file.Files;
 import java.nio.file.Paths;
 import java.security.PrivateKey;
 import java.security.cert.X509Certificate;
-import java.util.ArrayList;
 import java.util.List;
 import java.util.Optional;
 
-import static com.yahoo.jdisc.http.ssl.impl.SslContextFactoryUtils.setEnabledCipherSuites;
-import static com.yahoo.jdisc.http.ssl.impl.SslContextFactoryUtils.setEnabledProtocols;
-
 /**
  * An implementation of {@link SslContextFactoryProvider} that uses the {@link ConnectorConfig} to construct a {@link SslContextFactory}.
  *
  * @author bjorncs
  */
-public class ConfiguredSslContextFactoryProvider implements SslContextFactoryProvider {
+public class ConfiguredSslContextFactoryProvider extends TlsContextBasedProvider {
 
-    private volatile AutoReloadingX509KeyManager keyManager;
     private final ConnectorConfig connectorConfig;
 
     public ConfiguredSslContextFactoryProvider(ConnectorConfig connectorConfig) {
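Review bot: The class Javadoc kept as context still says this provider uses the ConnectorConfig to construct a SslContextFactory, but after the switch to `extends TlsContextBasedProvider` the class itself only produces a `TlsContext` (see `getTlsContext` in the next hunk), and the SslContextFactory is presumably built by the parent. Suggest rewording the summary to `An implementation of {@link SslContextFactoryProvider} that builds a {@link TlsContext} from the {@link ConnectorConfig}; the {@link SslContextFactory} is derived from it by {@link TlsContextBasedProvider}.` so the retained `SslContextFactory` import and link stay meaningful. Whether TlsContextBasedProvider itself implements SslContextFactoryProvider is not visible in this diff.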
@@ -42,50 +35,17 @@ public class ConfiguredSslContextFactoryProvider implements SslContextFactoryPro
     }
 
     @Override
-    public SslContextFactory getInstance(String containerId, int port) {
+    protected TlsContext getTlsContext(String containerId, int port) {
         ConnectorConfig.Ssl sslConfig = connectorConfig.ssl();
         if (!sslConfig.enabled()) throw new IllegalStateException();
 
-        SslContextBuilder builder = new SslContextBuilder();
-        if (sslConfig.certificateFile().isBlank() || sslConfig.privateKeyFile().isBlank()) {
-            PrivateKey privateKey = KeyUtils.fromPemEncodedPrivateKey(getPrivateKey(sslConfig));
-            List certificates = X509CertificateUtils.certificateListFromPem(getCertificate(sslConfig));
-            builder.withKeyStore(privateKey, certificates);
-        } else {
-            keyManager = AutoReloadingX509KeyManager.fromPemFiles(Paths.get(sslConfig.privateKeyFile()), Paths.get(sslConfig.certificateFile()));
-            builder.withKeyManager(keyManager);
-        }
+        PrivateKey privateKey = KeyUtils.fromPemEncodedPrivateKey(getPrivateKey(sslConfig));
+        List certificates = X509CertificateUtils.certificateListFromPem(getCertificate(sslConfig));
         List caCertificates = getCaCertificates(sslConfig)
                 .map(X509CertificateUtils::certificateListFromPem)
                 .orElse(List.of());
-        builder.withTrustStore(caCertificates);
-
-        SSLContext sslContext = builder.build();
-
-        SslContextFactory.Server factory = new SslContextFactory.Server();
-        factory.setSslContext(sslContext);
-
-        factory.setNeedClientAuth(sslConfig.clientAuth() == ClientAuth.Enum.NEED_AUTH);
-        factory.setWantClientAuth(sslConfig.clientAuth() == ClientAuth.Enum.WANT_AUTH);
-
-        List protocols = !sslConfig.enabledProtocols().isEmpty()
-                ? sslConfig.enabledProtocols()
-                : new ArrayList<>(TlsContext.ALLOWED_PROTOCOLS);
-        setEnabledProtocols(factory, sslContext, protocols);
-
-        List ciphers = !sslConfig.enabledCipherSuites().isEmpty()
-                ? sslConfig.enabledCipherSuites()
-                : new ArrayList<>(TlsContext.ALLOWED_CIPHER_SUITES);
-        setEnabledCipherSuites(factory, sslContext, ciphers);
-
-        return factory;
-    }
-
-    @Override
-    public void close() {
-        if (keyManager != null) {
-            keyManager.close();
-        }
+        PeerAuthentication peerAuthentication = toPeerAuthentication(sslConfig.clientAuth());
+        return new DefaultTlsContext(certificates, privateKey, caCertificates, null, null, peerAuthentication);
     }
 
     private static void validateConfig(ConnectorConfig.Ssl config) {
@@ -104,6 +64,19 @@ public class ConfiguredSslContextFactoryProvider implements SslContextFactoryPro
             throw new IllegalArgumentException("Specified neither private key or private key file.");
     }
 
+    private static PeerAuthentication toPeerAuthentication(ConnectorConfig.Ssl.ClientAuth.Enum clientAuth) {
+        switch (clientAuth) {
+            case DISABLED:
+                return PeerAuthentication.DISABLED;
+            case NEED_AUTH:
+                return PeerAuthentication.NEED;
+            case WANT_AUTH:
+                return PeerAuthentication.WANT;
+            default:
+                throw new IllegalArgumentException("Unknown client auth: " + clientAuth);
+        }
+    }
+
     private static boolean hasBoth(String a, String b) { return !a.isBlank() && !b.isBlank(); }
     private static boolean hasNeither(String a, String b) { return a.isBlank() && b.isBlank(); }
 
-- 
cgit v1.2.3
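Review bot: The two `null` arguments in `new DefaultTlsContext(certificates, privateKey, caCertificates, null, null, peerAuthentication)` are unexplained, and the connector's `enabledProtocols()` and `enabledCipherSuites()`, which the removed code consulted, are no longer read anywhere in `getTlsContext`, so a cipher or protocol restriction set in ConnectorConfig has no effect on this connector. That is presumably the intent of the revert, but the silent drop should be visible at the call site, e.g. `// enabledProtocols/enabledCipherSuites from ConnectorConfig are not applied here; null leaves protocol and cipher selection to DefaultTlsContext` above the return, with the meaning of the two null parameters checked against DefaultTlsContext since it is only inferred from the removed code. The bare `throw new IllegalStateException();` on the context line above gives no hint which connector was misconfigured; `throw new IllegalStateException("SSL is not enabled for connector on port " + port);` would make a mis-wired non-TLS connector diagnosable. `getTlsContext` is fully contained in the hunk, while `validateConfig` starts on its last line and continues outside.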
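Review bot: `toPeerAuthentication` has no doc comment, and the security-relevant part of the mapping, that `DISABLED` yields `PeerAuthentication.DISABLED` (presumably no client certificate is requested), is left for the reader to infer from the enum names. Suggest `/** Maps the connector's client-auth setting to the TLS peer-authentication mode; the default branch rejects client-auth values added to the config without a mapping here. */` above the method. Throwing `IllegalArgumentException` from `default` is the right choice for an unmapped enum value, since falling through to a weaker mode would silently relax client authentication.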