2 * Copyright (c) 2017 Cisco Systems, Inc. and others. All rights reserved.
4 * This program and the accompanying materials are made available under the
5 * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6 * and is available at http://www.eclipse.org/legal/epl-v10.html
8 package org.opendaylight.netconf.client.mdsal.impl;
10 import static java.util.Objects.requireNonNull;
12 import java.io.IOException;
13 import java.security.GeneralSecurityException;
14 import java.security.KeyStore;
15 import java.security.KeyStoreException;
16 import java.security.cert.Certificate;
17 import java.security.cert.CertificateException;
19 import javax.annotation.PreDestroy;
20 import javax.inject.Inject;
21 import javax.inject.Singleton;
22 import org.eclipse.jdt.annotation.NonNull;
23 import org.opendaylight.mdsal.binding.api.DataBroker;
24 import org.opendaylight.netconf.client.SslHandlerFactory;
25 import org.opendaylight.netconf.client.mdsal.api.SslHandlerFactoryProvider;
26 import org.opendaylight.netconf.keystore.legacy.AbstractNetconfKeystore;
27 import org.opendaylight.netconf.keystore.legacy.SecurityHelper;
28 import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.device.rev240120.connection.parameters.protocol.Specification;
29 import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.device.rev240120.connection.parameters.protocol.specification.TlsCase;
30 import org.osgi.service.component.annotations.Activate;
31 import org.osgi.service.component.annotations.Component;
32 import org.osgi.service.component.annotations.Deactivate;
33 import org.osgi.service.component.annotations.Reference;
36 @Component(service = SslHandlerFactoryProvider.class)
37 public final class DefaultSslHandlerFactoryProvider extends AbstractNetconfKeystore
38 implements SslHandlerFactoryProvider, AutoCloseable {
39 private static final char[] EMPTY_CHARS = { };
41 private final @NonNull SslHandlerFactory nospecFactory = new SslHandlerFactoryImpl(this, Set.of());
43 private volatile @NonNull State state = State.EMPTY;
47 public DefaultSslHandlerFactoryProvider(@Reference final DataBroker dataBroker) {
59 protected void onStateUpdated(final State newState) {
64 public SslHandlerFactory getSslHandlerFactory(final Specification specification) {
65 if (specification == null) {
68 if (specification instanceof TlsCase tlsSpecification) {
69 final var excludedVersions = tlsSpecification.nonnullTls().getExcludedVersions();
70 return excludedVersions == null || excludedVersions.isEmpty() ? nospecFactory
71 : new SslHandlerFactoryImpl(this, excludedVersions);
73 throw new IllegalArgumentException("Cannot get TLS specification from: " + specification);
77 * Using private keys and trusted certificates to create a new JDK <code>KeyStore</code> which
78 * will be used by TLS clients to create <code>SSLEngine</code>. The private keys are essential
79 * to create JDK <code>KeyStore</code> while the trusted certificates are optional.
81 * @return A JDK KeyStore object
82 * @throws GeneralSecurityException If any security exception occurred
83 * @throws IOException If there is an I/O problem with the keystore data
85 KeyStore getJavaKeyStore() throws GeneralSecurityException, IOException {
86 return getJavaKeyStore(Set.of());
90 * Using private keys and trusted certificates to create a new JDK <code>KeyStore</code> which
91 * will be used by TLS clients to create <code>SSLEngine</code>. The private keys are essential
92 * to create JDK <code>KeyStore</code> while the trusted certificates are optional.
94 * @param allowedKeys Set of keys to include during KeyStore generation, empty set will create
95 * a KeyStore with all possible keys.
96 * @return A JDK KeyStore object
97 * @throws GeneralSecurityException If any security exception occurred
98 * @throws IOException If there is an I/O problem with the keystore data
100 KeyStore getJavaKeyStore(final Set<String> allowedKeys) throws GeneralSecurityException, IOException {
101 requireNonNull(allowedKeys);
102 final var current = state;
103 if (current.privateKeys().isEmpty()) {
104 throw new KeyStoreException("No keystore private key found");
107 final var keyStore = KeyStore.getInstance("JKS");
108 keyStore.load(null, null);
110 final var helper = new SecurityHelper();
112 // Private keys first
113 for (var entry : current.privateKeys().entrySet()) {
114 final var alias = entry.getKey();
115 if (!allowedKeys.isEmpty() && !allowedKeys.contains(alias)) {
119 final var privateKey = entry.getValue();
120 final var key = helper.getJavaPrivateKey(privateKey.getData());
121 // TODO: requireCertificateChain() here and filter in update path
122 final var certChain = privateKey.getCertificateChain();
123 if (certChain == null || certChain.isEmpty()) {
124 throw new CertificateException("No certificate chain associated with private key " + alias + " found");
127 final var chain = new Certificate[certChain.size()];
129 for (var cert : certChain) {
130 chain[idx++] = helper.getCertificate(cert);
132 keyStore.setKeyEntry(alias, key, EMPTY_CHARS, chain);
135 for (var entry : current.trustedCertificates().entrySet()) {
136 keyStore.setCertificateEntry(entry.getKey(), helper.getCertificate(entry.getValue().getCertificate()));