From 2e3005c471ba6520b17438c93f4a36369cbc3acd Mon Sep 17 00:00:00 2001
From: Bjørn Christian Seime
Date: Wed, 20 Jul 2022 13:44:00 +0200
Subject: Implement RequireCapabilitiesFilter in jrt + misc

Add peerSpec to Target/Connection.
Always provide ConnectionAuthContext.
Add helper for creating default, all-granting ConnectionAuthContext.
---
 .../java/com/yahoo/security/tls/ConnectionAuthContext.java | 10 +++++++---
 .../src/main/java/com/yahoo/security/tls/PeerAuthorizer.java | 4 +---
 .../com/yahoo/security/tls/PeerAuthorizerTrustManager.java | 3 +--
 3 files changed, 9 insertions(+), 8 deletions(-)

(limited to 'security-utils')

diff --git a/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java b/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java
index e244d5ad23f..3ee6ed1dcaa 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java
@@ -18,8 +18,10 @@ public record ConnectionAuthContext(List peerCertificateChain,
                                     CapabilitySet capabilities,
                                     Set matchedPolicies) {
 
+    private static final ConnectionAuthContext DEFAULT_ALL_CAPABILITIES =
+            new ConnectionAuthContext(List.of(), CapabilitySet.all(), Set.of());
+
     public ConnectionAuthContext {
-        if (peerCertificateChain.isEmpty()) throw new IllegalArgumentException("Peer certificate chain is empty");
         peerCertificateChain = List.copyOf(peerCertificateChain);
         matchedPolicies = Set.copyOf(matchedPolicies);
     }
@@ -33,7 +35,7 @@ public record ConnectionAuthContext(List peerCertificateChain,
     public Optional peerCertificateString() {
         X509Certificate cert = peerCertificate().orElse(null);
         if (cert == null) return Optional.empty();
-        StringBuilder b = new StringBuilder("X.509Cert{");
+        StringBuilder b = new StringBuilder("[");
         String cn = X509CertificateUtils.getSubjectCommonName(cert).orElse(null);
         if (cn != null) {
             b.append("CN='").append(cn).append("'");
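Review bot: Dropping the `peerCertificateChain.isEmpty()` guard in the compact constructor widens the record's contract without saying so: an empty chain is now legal, so `peerCertificate()` can be absent and any consumer that indexes `peerCertificateChain().get(0)` must now guard, yet neither the constructor nor the new `DEFAULT_ALL_CAPABILITIES` constant carries a comment. I would add above the constant `// An empty chain is permitted only for this "no peer identity, every capability granted" context.` and give the `defaultAllCapabilities()` factory added in the later hunk (`@@ -55,7 +57,9 @@`) a Javadoc stating that the returned context carries no peer certificate, that `peerCertificate()` is therefore empty, and that its all-granting capabilities must not be read as an authenticated identity. Consumers that branch on `capabilities()` alone would otherwise be unable to tell "authorized by policy" from "authorization not configured".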
@@ -55,7 +57,9 @@ public record ConnectionAuthContext(List peerCertificateChain,
             if (cn != null || !dnsNames.isEmpty()) b.append(", ");
             b.append("SAN_URI=").append(uris);
         }
-        return Optional.of(b.append("}").toString());
+        return Optional.of(b.append("]").toString());
     }
 
+    public static ConnectionAuthContext defaultAllCapabilities() { return DEFAULT_ALL_CAPABILITIES; }
+
 }
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizer.java b/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizer.java
index 608a8c9c933..99787725063 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizer.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizer.java
@@ -35,9 +35,7 @@ public class PeerAuthorizer {
     public ConnectionAuthContext authorizePeer(X509Certificate cert) { return authorizePeer(List.of(cert)); }
 
     public ConnectionAuthContext authorizePeer(List certChain) {
-        if (authorizedPeers.isEmpty()) {
-            return new ConnectionAuthContext(certChain, CapabilitySet.all(), Set.of());
-        }
+        if (authorizedPeers.isEmpty()) return ConnectionAuthContext.defaultAllCapabilities();
         X509Certificate cert = certChain.get(0);
         Set matchedPolicies = new HashSet<>();
         Set grantedCapabilities = new HashSet<>();
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizerTrustManager.java b/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizerTrustManager.java
index 089023e55f1..e6239e3f694 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizerTrustManager.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizerTrustManager.java
@@ -14,7 +14,6 @@ import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.util.List;
 import java.util.Optional;
-import java.util.Set;
 import java.util.logging.Logger;
 
 /**
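Review bot: The `authorizedPeers.isEmpty()` branch in `authorizePeer` now returns a context whose `peerCertificateChain` is `List.of()` (that is what `DEFAULT_ALL_CAPABILITIES` is built from), whereas the removed lines kept `certChain`; the peer certificate the trust manager just verified is therefore no longer reachable from the auth context on this path, and `peerCertificateString()` yields nothing for connections accepted with no policy configured, which is a loss for connection logging and later incident review. If that identity is wanted, keep the chain on this branch, `if (authorizedPeers.isEmpty()) return new ConnectionAuthContext(certChain, CapabilitySet.all(), Set.of());`, or give the factory an overload that accepts the chain. The `AuthorizationMode.DISABLE` branch in PeerAuthorizerTrustManager (`@@ -106,7 +105,7 @@`) drops `List.of(certChain)` in the same way. The body of `authorizePeer` continues past the end of the hunk.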
@@ -106,7 +105,7 @@ public class PeerAuthorizerTrustManager extends X509ExtendedTrustManager {
         log.fine(() -> "Verifying certificate: " + createInfoString(certChain[0], authType, isVerifyingClient));
         ConnectionAuthContext result = mode != AuthorizationMode.DISABLE
                 ? authorizer.authorizePeer(List.of(certChain))
-                : new ConnectionAuthContext(List.of(certChain), CapabilitySet.all(), Set.of());
+                : ConnectionAuthContext.defaultAllCapabilities();
         if (sslEngine != null) { // getHandshakeSession() will never return null in this context
             sslEngine.getHandshakeSession().putValue(HANDSHAKE_SESSION_AUTH_CONTEXT_PROPERTY, result);
         }
-- cgit v1.2.3