plugins/netconf-client-mdsal/src/main/java/org/opendaylight/netconf/client/mdsal/impl/DefaultSslHandlerFactoryProvider.java

   1 /*
   2  * Copyright (c) 2017 Cisco Systems, Inc. and others.  All rights reserved.
   3  *
   4  * This program and the accompanying materials are made available under the
   5  * terms of the Eclipse Public License v1.0 which accompanies this distribution,
   6  * and is available at http://www.eclipse.org/legal/epl-v10.html
   7  */
   8 package org.opendaylight.netconf.client.mdsal.impl;
   9
  10 import static java.util.Objects.requireNonNull;
  11
  12 import java.io.IOException;
  13 import java.security.GeneralSecurityException;
  14 import java.security.KeyStore;
  15 import java.security.KeyStoreException;
  16 import java.security.cert.X509Certificate;
  17 import java.util.Set;
  18 import javax.annotation.PreDestroy;
  19 import javax.inject.Inject;
  20 import javax.inject.Singleton;
  21 import org.eclipse.jdt.annotation.NonNull;
  22 import org.opendaylight.aaa.encrypt.AAAEncryptionService;
  23 import org.opendaylight.mdsal.binding.api.DataBroker;
  24 import org.opendaylight.mdsal.binding.api.RpcProviderService;
  25 import org.opendaylight.mdsal.singleton.api.ClusterSingletonServiceProvider;
  26 import org.opendaylight.netconf.client.SslHandlerFactory;
  27 import org.opendaylight.netconf.client.mdsal.api.SslHandlerFactoryProvider;
  28 import org.opendaylight.netconf.keystore.legacy.AbstractNetconfKeystore;
  29 import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.device.rev240120.connection.parameters.protocol.Specification;
  30 import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.device.rev240120.connection.parameters.protocol.specification.TlsCase;
  31 import org.osgi.service.component.annotations.Activate;
  32 import org.osgi.service.component.annotations.Component;
  33 import org.osgi.service.component.annotations.Deactivate;
  34 import org.osgi.service.component.annotations.Reference;
  35
  36 @Singleton
  37 @Component(service = SslHandlerFactoryProvider.class)
  38 public final class DefaultSslHandlerFactoryProvider extends AbstractNetconfKeystore
  39         implements SslHandlerFactoryProvider, AutoCloseable {
  40     private static final X509Certificate[] EMPTY_CERTS = { };
  41     private static final char[] EMPTY_CHARS = { };
  42
  43     private final @NonNull SslHandlerFactory nospecFactory = new SslHandlerFactoryImpl(this, Set.of());
  44
  45     private volatile @NonNull State state = State.EMPTY;
  46
  47     @Inject
  48     @Activate
  49     public DefaultSslHandlerFactoryProvider(@Reference final DataBroker dataBroker,
  50             @Reference final RpcProviderService rpcProvider,
  51             @Reference final ClusterSingletonServiceProvider cssProvider,
  52             @Reference final AAAEncryptionService encryptionService) {
  53         start(dataBroker, rpcProvider, cssProvider, encryptionService);
  54     }
  55
  56     @Deactivate
  57     @PreDestroy
  58     @Override
  59     public void close() {
  60         stop();
  61     }
  62
  63     @Override
  64     protected void onStateUpdated(final State newState) {
  65         state = newState;
  66     }
  67
  68     @Override
  69     public SslHandlerFactory getSslHandlerFactory(final Specification specification) {
  70         if (specification == null) {
  71             return nospecFactory;
  72         }
  73         if (specification instanceof TlsCase tlsSpecification) {
  74             final var excludedVersions = tlsSpecification.nonnullTls().getExcludedVersions();
  75             return excludedVersions == null || excludedVersions.isEmpty() ? nospecFactory
  76                 : new SslHandlerFactoryImpl(this, excludedVersions);
  77         }
  78         throw new IllegalArgumentException("Cannot get TLS specification from: " + specification);
  79     }
  80
  81     /**
  82      * Using private keys and trusted certificates to create a new JDK <code>KeyStore</code> which
  83      * will be used by TLS clients to create <code>SSLEngine</code>. The private keys are essential
  84      * to create JDK <code>KeyStore</code> while the trusted certificates are optional.
  85      *
  86      * @param allowedKeys Set of keys to include during KeyStore generation, empty set will create
  87      *                   a KeyStore with all possible keys.
  88      * @return A JDK KeyStore object
  89      * @throws GeneralSecurityException If any security exception occurred
  90      * @throws IOException If there is an I/O problem with the keystore data
  91      */
  92     KeyStore getJavaKeyStore(final Set<String> allowedKeys) throws GeneralSecurityException, IOException {
  93         requireNonNull(allowedKeys);
  94         final var current = state;
  95         if (current.privateKeys().isEmpty()) {
  96             throw new KeyStoreException("No keystore private key found");
  97         }
  98
  99         final var keyStore = KeyStore.getInstance("JKS");
 100         keyStore.load(null, null);
 101
 102         // Private keys first
 103         for (var entry : current.privateKeys().entrySet()) {
 104             final var alias = entry.getKey();
 105             if (allowedKeys.isEmpty() || allowedKeys.contains(alias)) {
 106                 final var privateKey = entry.getValue();
 107                 keyStore.setKeyEntry(alias, privateKey.key(), EMPTY_CHARS,
 108                     privateKey.certificateChain().toArray(EMPTY_CERTS));
 109             }
 110         }
 111
 112         for (var entry : current.trustedCertificates().entrySet()) {
 113             keyStore.setCertificateEntry(entry.getKey(), entry.getValue());
 114         }
 115
 116         return keyStore;
 117     }
 118 }