From 2502fc9021ac1672812ccf9522054994f8d0d0cc Mon Sep 17 00:00:00 2001
From: Bjørn Christian Seime
Date: Wed, 24 Jan 2018 17:15:06 +0100
Subject: Pass null to SSLContext.init() when keystore/truststore not specified

---
 .../vespa/athenz/tls/AthenzSslContextBuilder.java | 25 ++------
 .../athenz/tls/AthenzSslContextBuilderTest.java | 68 ++++++++++++++++++++++
 2 files changed, 72 insertions(+), 21 deletions(-)
 create mode 100644 vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/AthenzSslContextBuilderTest.java

(limited to 'vespa-athenz/src')

diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzSslContextBuilder.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzSslContextBuilder.java
index 513191d7c83..0c350356986 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzSslContextBuilder.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzSslContextBuilder.java
@@ -14,7 +14,6 @@ import java.io.IOException;
 import java.io.UncheckedIOException;
 import java.security.GeneralSecurityException;
 import java.security.KeyStore;
-import java.security.NoSuchAlgorithmException;
 import java.security.cert.Certificate;
 
 /**
@@ -67,9 +66,9 @@ public class AthenzSslContextBuilder {
 try {
 SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
 TrustManager[] trustManagers =
- trustStoreSupplier != null ? createTrustManagers(trustStoreSupplier) : getDefaultTrustManagers();
+ trustStoreSupplier != null ? createTrustManagers(trustStoreSupplier) : null;
 KeyManager[] keyManagers =
- keyStoreSupplier != null ? createKeyManagers(keyStoreSupplier, keyStorePassword) : getDefaultKeyManagers();
+ keyStoreSupplier != null ? createKeyManagers(keyStoreSupplier, keyStorePassword) : null;
 sslContext.init(keyManagers, trustManagers, null);
 return sslContext;
 } catch (GeneralSecurityException e) {
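Review bot: Passing `null` for the trust managers (and key managers) now silently selects the JDK defaults — in the reference implementation the trust store named by `javax.net.ssl.trustStore`, else the JRE's cacerts, and the key store named by `javax.net.ssl.keyStore` — which is a real behavior change for a builder that callers may assume is Athenz-scoped, and nothing in the hunk records it. A one-line comment above `sslContext.init(keyManagers, trustManagers, null);` such as `// null -> SSLContext installs the JDK default key/trust managers (javax.net.ssl.* properties, else cacerts)` would make the fallback explicit, and the same fact belongs in the Javadoc of `withTrustStore`/`withKeyStore` or `build()`. Whether trusting the platform default store is acceptable for every caller that constructs this builder without a trust store is worth confirming before relying on it. `build()` begins before this hunk.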
@@ -81,34 +80,18 @@ public class AthenzSslContextBuilder { private static TrustManager[] createTrustManagers(KeyStoreSupplier trustStoreSupplier) throws GeneralSecurityException, IOException { - TrustManagerFactory trustManagerFactory = getTrustManagerFactory(); + TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); trustManagerFactory.init(trustStoreSupplier.get()); return trustManagerFactory.getTrustManagers(); } private static KeyManager[] createKeyManagers(KeyStoreSupplier keyStoreSupplier, char[] password) throws GeneralSecurityException, IOException { - KeyManagerFactory keyManagerFactory = getKeyManagerFactory(); + KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); keyManagerFactory.init(keyStoreSupplier.get(), password); return keyManagerFactory.getKeyManagers(); } - private static KeyManager[] getDefaultKeyManagers() throws NoSuchAlgorithmException { - return getKeyManagerFactory().getKeyManagers(); - } - - private static TrustManager[] getDefaultTrustManagers() throws NoSuchAlgorithmException { - return getTrustManagerFactory().getTrustManagers(); - } - - private static KeyManagerFactory getKeyManagerFactory() throws NoSuchAlgorithmException { - return KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); - } - - private static TrustManagerFactory getTrustManagerFactory() throws NoSuchAlgorithmException { - return TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); - } - private static KeyStore loadKeyStoreFromFile(File file, char[] password, String keyStoreType) throws IOException, GeneralSecurityException{ KeyStore keyStore = KeyStore.getInstance(keyStoreType); 
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/AthenzSslContextBuilderTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/AthenzSslContextBuilderTest.java
new file mode 100644
index 00000000000..8666951b1f8
--- /dev/null
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/AthenzSslContextBuilderTest.java
@@ -0,0 +1,68 @@
+package com.yahoo.vespa.athenz.tls;
+
+import com.yahoo.athenz.auth.util.Crypto;
+import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.pkcs.PKCS10CertificationRequest;
+import org.junit.Test;
+
+import java.io.IOException;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.KeyStore;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+
+/**
+ * @author bjorncs
+ */
+public class AthenzSslContextBuilderTest {
+
+ private static final char[] PASSWORD = new char[0];
+
+ @Test
+ public void can_build_sslcontext_with_truststore_only() throws Exception {
+ new AthenzSslContextBuilder()
+ .withTrustStore(createKeystore())
+ .build();
+ }
+
+ @Test
+ public void can_build_sslcontext_with_keystore_only() throws Exception {
+ new AthenzSslContextBuilder()
+ .withKeyStore(createKeystore(), PASSWORD)
+ .build();
+ }
+
+ @Test
+ public void can_build_sslcontext_with_truststore_and_keystore() throws Exception {
+ new AthenzSslContextBuilder()
+ .withKeyStore(createKeystore(), PASSWORD)
+ .withTrustStore(createKeystore())
+ .build();
+ }
+
+ private static KeyStore createKeystore() throws Exception {
+ KeyPair keyPair = createKeyPair();
+ KeyStore keystore = KeyStore.getInstance("JKS");
+ keystore.load(null);
+ keystore.setKeyEntry("entry-name", keyPair.getPrivate(), PASSWORD, new Certificate[]{createCertificate(keyPair)});
+ return keystore;
+ }
+
+ private static X509Certificate createCertificate(KeyPair keyPair) throws
+ OperatorCreationException, IOException {
+ String x500Principal = "CN=mysubject";
+ PKCS10CertificationRequest csr =
+ Crypto.getPKCS10CertRequest(
+ Crypto.generateX509CSR(keyPair.getPrivate(), x500Principal, null));
+ return Crypto.generateX509Certificate(csr, keyPair.getPrivate(), new X500Name(x500Principal), 3600, false);
+ }
+
+ private static KeyPair createKeyPair() throws NoSuchAlgorithmException {
+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+ keyGen.initialize(512);
+ return keyGen.genKeyPair();
+ }
+}
\ No newline at end of file
-- 
cgit v1.2.3
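Review bot: The three test methods only check that `build()` does not throw; the returned `SSLContext` is discarded, so a regression that produced a context initialised with the wrong managers would still pass. Capturing the result and asserting at least `assertEquals("TLSv1.2", sslContext.getProtocol());` (the protocol `build()` requests) plus `assertNotNull(sslContext);` would pin the observable contract cheaply. The fixture in `createKeyPair()` uses a 512-bit RSA key, which keeps the test fast but is below the key size JDKs reject through `jdk.certpath.disabledAlgorithms`, so if certificate-path validation is ever exercised against it the test may start failing; a short comment on `keyGen.initialize(512);` such as `// deliberately small: fixture only needs a loadable entry, never a handshake` would help the next maintainer. The file also lacks a trailing newline.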