2 * Copyright (c) 2024 PANTHEON.tech, s.r.o. and others. All rights reserved.
4 * This program and the accompanying materials are made available under the
5 * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6 * and is available at http://www.eclipse.org/legal/epl-v10.html
8 package org.opendaylight.netconf.keystore.legacy.impl;
10 import static java.util.Objects.requireNonNull;
12 import com.google.common.collect.Maps;
13 import java.nio.charset.StandardCharsets;
14 import java.security.GeneralSecurityException;
15 import java.security.cert.X509Certificate;
16 import java.util.ArrayList;
17 import java.util.Base64;
18 import java.util.HashMap;
21 import java.util.concurrent.ConcurrentHashMap;
22 import java.util.concurrent.atomic.AtomicReference;
23 import java.util.function.Consumer;
24 import javax.annotation.PreDestroy;
25 import javax.inject.Inject;
26 import javax.inject.Singleton;
27 import org.eclipse.jdt.annotation.NonNull;
28 import org.eclipse.jdt.annotation.NonNullByDefault;
29 import org.eclipse.jdt.annotation.Nullable;
30 import org.opendaylight.aaa.encrypt.AAAEncryptionService;
31 import org.opendaylight.mdsal.binding.api.DataBroker;
32 import org.opendaylight.mdsal.binding.api.DataTreeIdentifier;
33 import org.opendaylight.mdsal.binding.api.RpcProviderService;
34 import org.opendaylight.mdsal.common.api.LogicalDatastoreType;
35 import org.opendaylight.mdsal.singleton.api.ClusterSingletonServiceProvider;
36 import org.opendaylight.netconf.keystore.legacy.CertifiedPrivateKey;
37 import org.opendaylight.netconf.keystore.legacy.NetconfKeystore;
38 import org.opendaylight.netconf.keystore.legacy.NetconfKeystoreService;
39 import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.keystore.rev171017.Keystore;
40 import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.keystore.rev171017._private.keys.PrivateKey;
41 import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.keystore.rev171017.trusted.certificates.TrustedCertificate;
42 import org.opendaylight.yangtools.concepts.AbstractObjectRegistration;
43 import org.opendaylight.yangtools.concepts.Immutable;
44 import org.opendaylight.yangtools.concepts.Mutable;
45 import org.opendaylight.yangtools.concepts.ObjectRegistration;
46 import org.opendaylight.yangtools.concepts.Registration;
47 import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
48 import org.osgi.service.component.annotations.Activate;
49 import org.osgi.service.component.annotations.Component;
50 import org.osgi.service.component.annotations.Deactivate;
51 import org.osgi.service.component.annotations.Reference;
52 import org.slf4j.Logger;
53 import org.slf4j.LoggerFactory;
56 * Abstract substrate for implementing security services based on the contents of {@link Keystore}.
59 @Component(service = NetconfKeystoreService.class)
60 public final class DefaultNetconfKeystoreService implements NetconfKeystoreService, AutoCloseable {
62 private record ConfigState(
63 Map<String, PrivateKey> privateKeys,
64 Map<String, TrustedCertificate> trustedCertificates) implements Immutable {
65 static final ConfigState EMPTY = new ConfigState(Map.of(), Map.of());
68 privateKeys = Map.copyOf(privateKeys);
69 trustedCertificates = Map.copyOf(trustedCertificates);
74 record ConfigStateBuilder(
75 HashMap<String, PrivateKey> privateKeys,
76 HashMap<String, TrustedCertificate> trustedCertificates) implements Mutable {
78 requireNonNull(privateKeys);
79 requireNonNull(trustedCertificates);
83 private static final Logger LOG = LoggerFactory.getLogger(DefaultNetconfKeystoreService.class);
85 private final Set<ObjectRegistration<Consumer<NetconfKeystore>>> consumers = ConcurrentHashMap.newKeySet();
86 private final AtomicReference<NetconfKeystore> keystore = new AtomicReference<>(null);
87 private final AtomicReference<ConfigState> config = new AtomicReference<>(ConfigState.EMPTY);
88 private final SecurityHelper securityHelper = new SecurityHelper();
89 private final Registration configListener;
90 private final Registration rpcSingleton;
94 public DefaultNetconfKeystoreService(@Reference final DataBroker dataBroker,
95 @Reference final RpcProviderService rpcProvider,
96 @Reference final ClusterSingletonServiceProvider cssProvider,
97 @Reference final AAAEncryptionService encryptionService) {
98 configListener = dataBroker.registerTreeChangeListener(
99 DataTreeIdentifier.of(LogicalDatastoreType.CONFIGURATION, InstanceIdentifier.create(Keystore.class)),
100 new ConfigListener(this));
101 rpcSingleton = cssProvider.registerClusterSingletonService(
102 new RpcSingleton(dataBroker, rpcProvider, encryptionService));
104 // FIXME: create an operation datastore updater and register it as a consumer
106 LOG.info("NETCONF keystore service started");
112 public void close() {
113 rpcSingleton.close();
114 configListener.close();
115 LOG.info("NETCONF keystore service stopped");
119 public Registration registerKeystoreConsumer(final Consumer<NetconfKeystore> consumer) {
120 final var reg = new AbstractObjectRegistration<>(consumer) {
122 protected void removeRegistration() {
123 consumers.remove(this);
128 final var ks = keystore.getAcquire();
135 void runUpdate(final Consumer<@NonNull ConfigStateBuilder> task) {
136 final var prevState = config.getAcquire();
138 final var builder = new ConfigStateBuilder(new HashMap<>(prevState.privateKeys),
139 new HashMap<>(prevState.trustedCertificates));
140 task.accept(builder);
141 final var newState = new ConfigState(builder.privateKeys, builder.trustedCertificates);
143 // Careful application -- check if listener is still up and whether the state was not updated.
144 if (configListener == null || config.compareAndExchangeRelease(prevState, newState) != prevState) {
148 Throwable failure = null;
150 final var keys = Maps.<String, CertifiedPrivateKey>newHashMapWithExpectedSize(newState.privateKeys.size());
151 for (var key : newState.privateKeys.values()) {
152 final var keyName = key.requireName();
154 final byte[] keyBytes;
156 keyBytes = base64Decode(key.requireData());
157 } catch (IllegalArgumentException e) {
158 LOG.debug("Failed to decode private key {}", keyName, e);
159 failure = updateFailure(failure, e);
163 final java.security.PrivateKey privateKey;
165 privateKey = securityHelper.generatePrivateKey(keyBytes);
166 } catch (GeneralSecurityException e) {
167 LOG.debug("Failed to generate key for {}", keyName, e);
168 failure = updateFailure(failure, e);
172 final var certChain = key.requireCertificateChain();
173 if (certChain.isEmpty()) {
174 LOG.debug("Key {} has an empty certificate chain", keyName);
175 failure = updateFailure(failure,
176 new IllegalArgumentException("Empty certificate chain for private key " + keyName));
180 final var certs = new ArrayList<X509Certificate>(certChain.size());
181 for (int i = 0, size = certChain.size(); i < size; i++) {
184 bytes = base64Decode(certChain.get(i));
185 } catch (IllegalArgumentException e) {
186 LOG.debug("Failed to decode certificate chain item {} for private key {}", i, keyName, e);
187 failure = updateFailure(failure, e);
191 final X509Certificate x509cert;
193 x509cert = securityHelper.generateCertificate(bytes);
194 } catch (GeneralSecurityException e) {
195 LOG.debug("Failed to generate certificate chain item {} for private key {}", i, keyName, e);
196 failure = updateFailure(failure, e);
203 keys.put(keyName, new CertifiedPrivateKey(privateKey, certs));
206 final var certs = Maps.<String, X509Certificate>newHashMapWithExpectedSize(newState.trustedCertificates.size());
207 for (var cert : newState.trustedCertificates.values()) {
208 final var certName = cert.requireName();
212 bytes = base64Decode(cert.requireCertificate());
213 } catch (IllegalArgumentException e) {
214 LOG.debug("Failed to decode trusted certificate {}", certName, e);
215 failure = updateFailure(failure, e);
219 final X509Certificate x509cert;
221 x509cert = securityHelper.generateCertificate(bytes);
222 } catch (GeneralSecurityException e) {
223 LOG.debug("Failed to generate certificate for {}", certName, e);
224 failure = updateFailure(failure, e);
228 certs.put(certName, x509cert);
231 if (failure != null) {
232 LOG.warn("New configuration is invalid, not applying it", failure);
236 final var newKeystore = new NetconfKeystore(keys, certs);
237 keystore.setRelease(newKeystore);
238 consumers.forEach(consumer -> consumer.getInstance().accept(newKeystore));
241 private static byte[] base64Decode(final String base64) {
242 return Base64.getMimeDecoder().decode(base64.getBytes(StandardCharsets.US_ASCII));
245 private static @NonNull Throwable updateFailure(final @Nullable Throwable failure, final @NonNull Exception ex) {
246 if (failure != null) {
247 failure.addSuppressed(ex);