2 * Copyright (c) 2017 Cisco Systems, Inc. and others. All rights reserved.
4 * This program and the accompanying materials are made available under the
5 * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6 * and is available at http://www.eclipse.org/legal/epl-v10.html
8 package org.opendaylight.netconf.client.mdsal.impl;
10 import static java.util.Objects.requireNonNull;
12 import java.io.IOException;
13 import java.security.GeneralSecurityException;
14 import java.security.KeyStore;
15 import java.security.KeyStoreException;
16 import java.security.cert.X509Certificate;
18 import javax.annotation.PreDestroy;
19 import javax.inject.Inject;
20 import javax.inject.Singleton;
21 import org.eclipse.jdt.annotation.NonNull;
22 import org.opendaylight.aaa.encrypt.AAAEncryptionService;
23 import org.opendaylight.mdsal.binding.api.DataBroker;
24 import org.opendaylight.mdsal.binding.api.RpcProviderService;
25 import org.opendaylight.mdsal.singleton.api.ClusterSingletonServiceProvider;
26 import org.opendaylight.netconf.client.SslHandlerFactory;
27 import org.opendaylight.netconf.client.mdsal.api.SslHandlerFactoryProvider;
28 import org.opendaylight.netconf.keystore.legacy.AbstractNetconfKeystore;
29 import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.device.rev240120.connection.parameters.protocol.Specification;
30 import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.device.rev240120.connection.parameters.protocol.specification.TlsCase;
31 import org.osgi.service.component.annotations.Activate;
32 import org.osgi.service.component.annotations.Component;
33 import org.osgi.service.component.annotations.Deactivate;
34 import org.osgi.service.component.annotations.Reference;
37 @Component(service = SslHandlerFactoryProvider.class)
38 public final class DefaultSslHandlerFactoryProvider extends AbstractNetconfKeystore
39 implements SslHandlerFactoryProvider, AutoCloseable {
40 private static final X509Certificate[] EMPTY_CERTS = { };
41 private static final char[] EMPTY_CHARS = { };
43 private final @NonNull SslHandlerFactory nospecFactory = new SslHandlerFactoryImpl(this, Set.of());
45 private volatile @NonNull State state = State.EMPTY;
49 public DefaultSslHandlerFactoryProvider(@Reference final DataBroker dataBroker,
50 @Reference final RpcProviderService rpcProvider,
51 @Reference final ClusterSingletonServiceProvider cssProvider,
52 @Reference final AAAEncryptionService encryptionService) {
53 start(dataBroker, rpcProvider, cssProvider, encryptionService);
64 protected void onStateUpdated(final State newState) {
69 public SslHandlerFactory getSslHandlerFactory(final Specification specification) {
70 if (specification == null) {
73 if (specification instanceof TlsCase tlsSpecification) {
74 final var excludedVersions = tlsSpecification.nonnullTls().getExcludedVersions();
75 return excludedVersions == null || excludedVersions.isEmpty() ? nospecFactory
76 : new SslHandlerFactoryImpl(this, excludedVersions);
78 throw new IllegalArgumentException("Cannot get TLS specification from: " + specification);
82 * Using private keys and trusted certificates to create a new JDK <code>KeyStore</code> which
83 * will be used by TLS clients to create <code>SSLEngine</code>. The private keys are essential
84 * to create JDK <code>KeyStore</code> while the trusted certificates are optional.
86 * @param allowedKeys Set of keys to include during KeyStore generation, empty set will create
87 * a KeyStore with all possible keys.
88 * @return A JDK KeyStore object
89 * @throws GeneralSecurityException If any security exception occurred
90 * @throws IOException If there is an I/O problem with the keystore data
92 KeyStore getJavaKeyStore(final Set<String> allowedKeys) throws GeneralSecurityException, IOException {
93 requireNonNull(allowedKeys);
94 final var current = state;
95 if (current.privateKeys().isEmpty()) {
96 throw new KeyStoreException("No keystore private key found");
99 final var keyStore = KeyStore.getInstance("JKS");
100 keyStore.load(null, null);
102 // Private keys first
103 for (var entry : current.privateKeys().entrySet()) {
104 final var alias = entry.getKey();
105 if (allowedKeys.isEmpty() || allowedKeys.contains(alias)) {
106 final var privateKey = entry.getValue();
107 keyStore.setKeyEntry(alias, privateKey.key(), EMPTY_CHARS,
108 privateKey.certificateChain().toArray(EMPTY_CERTS));
112 for (var entry : current.trustedCertificates().entrySet()) {
113 keyStore.setCertificateEntry(entry.getKey(), entry.getValue());