2 * Copyright (c) 2017 Cisco Systems, Inc. and others. All rights reserved.
4 * This program and the accompanying materials are made available under the
5 * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6 * and is available at http://www.eclipse.org/legal/epl-v10.html
8 package org.opendaylight.netconf.client.mdsal.impl;
10 import static java.util.Objects.requireNonNull;
12 import java.io.IOException;
13 import java.security.GeneralSecurityException;
14 import java.security.KeyStore;
15 import java.security.KeyStoreException;
16 import java.security.cert.X509Certificate;
18 import javax.annotation.PreDestroy;
19 import javax.inject.Inject;
20 import javax.inject.Singleton;
21 import org.eclipse.jdt.annotation.NonNull;
22 import org.opendaylight.mdsal.binding.api.DataBroker;
23 import org.opendaylight.netconf.client.SslHandlerFactory;
24 import org.opendaylight.netconf.client.mdsal.api.SslHandlerFactoryProvider;
25 import org.opendaylight.netconf.keystore.legacy.AbstractNetconfKeystore;
26 import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.device.rev240120.connection.parameters.protocol.Specification;
27 import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.device.rev240120.connection.parameters.protocol.specification.TlsCase;
28 import org.osgi.service.component.annotations.Activate;
29 import org.osgi.service.component.annotations.Component;
30 import org.osgi.service.component.annotations.Deactivate;
31 import org.osgi.service.component.annotations.Reference;
34 @Component(service = SslHandlerFactoryProvider.class)
35 public final class DefaultSslHandlerFactoryProvider extends AbstractNetconfKeystore
36 implements SslHandlerFactoryProvider, AutoCloseable {
37 private static final X509Certificate[] EMPTY_CERTS = { };
38 private static final char[] EMPTY_CHARS = { };
40 private final @NonNull SslHandlerFactory nospecFactory = new SslHandlerFactoryImpl(this, Set.of());
42 private volatile @NonNull State state = State.EMPTY;
46 public DefaultSslHandlerFactoryProvider(@Reference final DataBroker dataBroker) {
58 protected void onStateUpdated(final State newState) {
63 public SslHandlerFactory getSslHandlerFactory(final Specification specification) {
64 if (specification == null) {
67 if (specification instanceof TlsCase tlsSpecification) {
68 final var excludedVersions = tlsSpecification.nonnullTls().getExcludedVersions();
69 return excludedVersions == null || excludedVersions.isEmpty() ? nospecFactory
70 : new SslHandlerFactoryImpl(this, excludedVersions);
72 throw new IllegalArgumentException("Cannot get TLS specification from: " + specification);
76 * Using private keys and trusted certificates to create a new JDK <code>KeyStore</code> which
77 * will be used by TLS clients to create <code>SSLEngine</code>. The private keys are essential
78 * to create JDK <code>KeyStore</code> while the trusted certificates are optional.
80 * @param allowedKeys Set of keys to include during KeyStore generation, empty set will create
81 * a KeyStore with all possible keys.
82 * @return A JDK KeyStore object
83 * @throws GeneralSecurityException If any security exception occurred
84 * @throws IOException If there is an I/O problem with the keystore data
86 KeyStore getJavaKeyStore(final Set<String> allowedKeys) throws GeneralSecurityException, IOException {
87 requireNonNull(allowedKeys);
88 final var current = state;
89 if (current.privateKeys().isEmpty()) {
90 throw new KeyStoreException("No keystore private key found");
93 final var keyStore = KeyStore.getInstance("JKS");
94 keyStore.load(null, null);
97 for (var entry : current.privateKeys().entrySet()) {
98 final var alias = entry.getKey();
99 if (allowedKeys.isEmpty() || allowedKeys.contains(alias)) {
100 final var privateKey = entry.getValue();
101 keyStore.setKeyEntry(alias, privateKey.key(), EMPTY_CHARS,
102 privateKey.certificateChain().toArray(EMPTY_CERTS));
106 for (var entry : current.trustedCertificates().entrySet()) {
107 keyStore.setCertificateEntry(entry.getKey(), entry.getValue());