aboutsummaryrefslogtreecommitdiffstats
path: root/security/ssl
diff options
context:
space:
mode:
Diffstat (limited to 'security/ssl')
-rw-r--r--security/ssl/src/main/java/org/onap/dcaegen2/services/sdk/security/ssl/SecurityKeysStore.java4
-rw-r--r--security/ssl/src/main/java/org/onap/dcaegen2/services/sdk/security/ssl/SslFactory.java24
-rw-r--r--security/ssl/src/test/java/org/onap/dcaegen2/services/sdk/security/ssl/SslFactoryIT.java95
-rw-r--r--security/ssl/src/test/resources/sample/cert.jksbin0 -> 4512 bytes
-rw-r--r--security/ssl/src/test/resources/sample/invalid.pass1
-rw-r--r--security/ssl/src/test/resources/sample/jks.pass1
-rw-r--r--security/ssl/src/test/resources/sample/trust.jksbin0 -> 1413 bytes
-rw-r--r--security/ssl/src/test/resources/sample/trust.pass1
8 files changed, 120 insertions, 6 deletions
diff --git a/security/ssl/src/main/java/org/onap/dcaegen2/services/sdk/security/ssl/SecurityKeysStore.java b/security/ssl/src/main/java/org/onap/dcaegen2/services/sdk/security/ssl/SecurityKeysStore.java
index 401055ca..d1c912b0 100644
--- a/security/ssl/src/main/java/org/onap/dcaegen2/services/sdk/security/ssl/SecurityKeysStore.java
+++ b/security/ssl/src/main/java/org/onap/dcaegen2/services/sdk/security/ssl/SecurityKeysStore.java
@@ -52,4 +52,8 @@ public interface SecurityKeysStore {
return KeyStoreTypes.inferTypeFromExtension(path())
.getOrElseThrow(() -> new SecurityConfigurationException("Could not determine key store type by file name"));
}
+
+ static SecurityKeysStore fromPath(Path path) {
+ return ImmutableSecurityKeysStore.of(path);
+ }
}
diff --git a/security/ssl/src/main/java/org/onap/dcaegen2/services/sdk/security/ssl/SslFactory.java b/security/ssl/src/main/java/org/onap/dcaegen2/services/sdk/security/ssl/SslFactory.java
index 076490a9..963484a1 100644
--- a/security/ssl/src/main/java/org/onap/dcaegen2/services/sdk/security/ssl/SslFactory.java
+++ b/security/ssl/src/main/java/org/onap/dcaegen2/services/sdk/security/ssl/SslFactory.java
@@ -63,16 +63,27 @@ public class SslFactory {
}
/**
- * Creates Netty SSL <em>server</em> context using provided security keys.
+ * Creates Netty SSL <em>server</em> context using provided security keys. Will require client authentication.
*
- * @param keys - Security keys to be used
+ * @param keys - security keys to be used
* @return configured SSL context
*/
public SslContext createSecureServerContext(final SecurityKeys keys) {
+ return createSecureServerContext(keys, ClientAuth.REQUIRE);
+ }
+
+ /**
+ * Creates Netty SSL <em>server</em> context using provided security keys.
+ *
+ * @param keys - security keys to be used
+ * @param clientAuth - how to authenticate client
+ * @return configured SSL context
+ */
+ public SslContext createSecureServerContext(final SecurityKeys keys, final ClientAuth clientAuth) {
try {
return SslContextBuilder.forServer(keyManagerFactory(keys))
.trustManager(trustManagerFactory(keys))
- .clientAuth(ClientAuth.REQUIRE)
+ .clientAuth(clientAuth)
.build();
} catch (SSLException e) {
throw new SecurityConfigurationException(EXCEPTION_MESSAGE, e);
@@ -111,7 +122,8 @@ public class SslFactory {
kmf.init(loadKeyStoreFromFile(store, passwordChars), passwordChars);
return kmf;
} catch (GeneralSecurityException | IOException ex) {
- throw new ReadingSecurityKeysStoreException("Could not read private keys from store", ex);
+ throw new ReadingSecurityKeysStoreException(
+ "Could not read private keys from store: " + ex.getMessage(), ex);
}
});
}
@@ -123,7 +135,8 @@ public class SslFactory {
tmf.init(loadKeyStoreFromFile(store, passwordChars));
return tmf;
} catch (GeneralSecurityException | IOException ex) {
- throw new ReadingSecurityKeysStoreException("Could not read trusted keys from store", ex);
+ throw new ReadingSecurityKeysStoreException(
+ "Could not read trusted keys from store: " + ex.getMessage(), ex);
}
});
}
@@ -133,6 +146,5 @@ public class SslFactory {
KeyStore ks = KeyStore.getInstance(store.type());
ks.load(Files.newInputStream(store.path(), StandardOpenOption.READ), keyStorePassword);
return ks;
-
}
}
diff --git a/security/ssl/src/test/java/org/onap/dcaegen2/services/sdk/security/ssl/SslFactoryIT.java b/security/ssl/src/test/java/org/onap/dcaegen2/services/sdk/security/ssl/SslFactoryIT.java
new file mode 100644
index 00000000..966aa5cb
--- /dev/null
+++ b/security/ssl/src/test/java/org/onap/dcaegen2/services/sdk/security/ssl/SslFactoryIT.java
@@ -0,0 +1,95 @@
+/*
+ * ============LICENSE_START====================================
+ * DCAEGEN2-SERVICES-SDK
+ * =========================================================
+ * Copyright (C) 2019 Nokia. All rights reserved.
+ * =========================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=====================================
+ */
+package org.onap.dcaegen2.services.sdk.security.ssl;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+import static org.onap.dcaegen2.services.sdk.security.ssl.Passwords.fromResource;
+
+import io.netty.handler.ssl.SslContext;
+import java.net.URISyntaxException;
+import java.nio.file.Paths;
+import org.assertj.core.api.Assertions;
+import org.jetbrains.annotations.NotNull;
+import org.junit.jupiter.api.Test;
+import org.onap.dcaegen2.services.sdk.security.ssl.exceptions.ReadingSecurityKeysStoreException;
+
+/**
+ * @author <a href="mailto:piotr.jaszczyk@nokia.com">Piotr Jaszczyk</a>
+ * @since April 2019
+ */
+class SslFactoryIT {
+
+ private SslFactory sut = new SslFactory();
+
+ @Test
+ void testSuccessCase() throws Exception {
+ // given
+ final SecurityKeys securityKeys = ImmutableSecurityKeys.builder()
+ .keyStore(keyStoreFromResource("/sample/cert.jks"))
+ .keyStorePassword(fromResource("/sample/jks.pass"))
+ .trustStore(keyStoreFromResource("/sample/trust.jks"))
+ .trustStorePassword(fromResource("/sample/trust.pass"))
+ .build();
+
+ // when
+ final SslContext ctx = sut.createSecureServerContext(securityKeys);
+
+ // then
+ assertThat(ctx.isServer()).describedAs("is server ssl context").isTrue();
+ }
+
+ @Test
+ void testInvalidKeyStorePasswordCase() throws Exception {
+ // given
+ final SecurityKeys securityKeys = ImmutableSecurityKeys.builder()
+ .keyStore(keyStoreFromResource("/sample/cert.jks"))
+ .keyStorePassword(fromResource("/sample/invalid.pass"))
+ .trustStore(keyStoreFromResource("/sample/trust.jks"))
+ .trustStorePassword(fromResource("/sample/trust.pass"))
+ .build();
+
+ // when & then
+ assertThatThrownBy(() -> sut.createSecureServerContext(securityKeys))
+ .isInstanceOf(ReadingSecurityKeysStoreException.class)
+ .hasMessageContaining("Keystore was tampered with, or password was incorrect");
+ }
+
+ @Test
+ void testInvalidTrustStorePasswordCase() throws Exception {
+ // given
+ final SecurityKeys securityKeys = ImmutableSecurityKeys.builder()
+ .keyStore(keyStoreFromResource("/sample/cert.jks"))
+ .keyStorePassword(fromResource("/sample/jks.pass"))
+ .trustStore(keyStoreFromResource("/sample/trust.jks"))
+ .trustStorePassword(fromResource("/sample/invalid.pass"))
+ .build();
+
+ // when & then
+ assertThatThrownBy(() -> sut.createSecureServerContext(securityKeys))
+ .isInstanceOf(ReadingSecurityKeysStoreException.class)
+ .hasMessageContaining("Keystore was tampered with, or password was incorrect");
+ }
+
+ private @NotNull SecurityKeysStore keyStoreFromResource(String resource) throws URISyntaxException {
+ return SecurityKeysStore.fromPath(
+ Paths.get(Passwords.class.getResource(resource).toURI()));
+ }
+}
diff --git a/security/ssl/src/test/resources/sample/cert.jks b/security/ssl/src/test/resources/sample/cert.jks
new file mode 100644
index 00000000..e74ce64f
--- /dev/null
+++ b/security/ssl/src/test/resources/sample/cert.jks
Binary files differ
diff --git a/security/ssl/src/test/resources/sample/invalid.pass b/security/ssl/src/test/resources/sample/invalid.pass
new file mode 100644
index 00000000..6003d102
--- /dev/null
+++ b/security/ssl/src/test/resources/sample/invalid.pass
@@ -0,0 +1 @@
+invalid password \ No newline at end of file
diff --git a/security/ssl/src/test/resources/sample/jks.pass b/security/ssl/src/test/resources/sample/jks.pass
new file mode 100644
index 00000000..39823872
--- /dev/null
+++ b/security/ssl/src/test/resources/sample/jks.pass
@@ -0,0 +1 @@
+mYHC98!qX}7h?W}jRv}MIXTJ \ No newline at end of file
diff --git a/security/ssl/src/test/resources/sample/trust.jks b/security/ssl/src/test/resources/sample/trust.jks
new file mode 100644
index 00000000..10103cfb
--- /dev/null
+++ b/security/ssl/src/test/resources/sample/trust.jks
Binary files differ
diff --git a/security/ssl/src/test/resources/sample/trust.pass b/security/ssl/src/test/resources/sample/trust.pass
new file mode 100644
index 00000000..168e64bd
--- /dev/null
+++ b/security/ssl/src/test/resources/sample/trust.pass
@@ -0,0 +1 @@
+*TQH?Lnszprs4LmlAj38yds( \ No newline at end of file