2 * Copyright (c) 2022 PANTHEON.tech, s.r.o. and others. All rights reserved.
4 * This program and the accompanying materials are made available under the
5 * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6 * and is available at http://www.eclipse.org/legal/epl-v10.html
8 package org.opendaylight.netconf.transport.tls;
10 import com.google.common.util.concurrent.ListenableFuture;
11 import io.netty.bootstrap.Bootstrap;
12 import io.netty.bootstrap.ServerBootstrap;
13 import io.netty.handler.ssl.SslContext;
14 import io.netty.handler.ssl.SslContextBuilder;
15 import org.eclipse.jdt.annotation.NonNull;
16 import org.opendaylight.netconf.transport.api.TransportChannelListener;
17 import org.opendaylight.netconf.transport.api.TransportStack;
18 import org.opendaylight.netconf.transport.api.UnsupportedConfigurationException;
19 import org.opendaylight.netconf.transport.tcp.TCPClient;
20 import org.opendaylight.netconf.transport.tcp.TCPServer;
21 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.client.rev231228.TcpClientGrouping;
22 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.server.rev231228.TcpServerGrouping;
23 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.client.rev231228.TlsClientGrouping;
24 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.client.rev231228.tls.client.grouping.client.identity.auth.type.Certificate;
25 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.client.rev231228.tls.client.grouping.client.identity.auth.type.RawPublicKey;
28 * A {@link TransportStack} acting as a TLS client.
30 public final class TLSClient extends TLSTransportStack {
31 private TLSClient(final TransportChannelListener listener, final SslContext sslContext) {
32 super(listener, sslContext);
35 private TLSClient(final TransportChannelListener listener, final SslHandlerFactory factory) {
36 super(listener, factory);
39 public static @NonNull ListenableFuture<TLSClient> connect(final TransportChannelListener listener,
40 final Bootstrap bootstrap, final TcpClientGrouping connectParams, final TlsClientGrouping clientParams)
41 throws UnsupportedConfigurationException {
42 final var client = newClient(listener, clientParams);
43 return transformUnderlay(client, TCPClient.connect(client.asListener(), bootstrap, connectParams));
46 public static @NonNull ListenableFuture<TLSClient> connect(final TransportChannelListener listener,
47 final Bootstrap bootstrap, final TcpClientGrouping connectParams, final SslHandlerFactory factory)
48 throws UnsupportedConfigurationException {
49 final var client = new TLSClient(listener, factory);
50 return transformUnderlay(client, TCPClient.connect(client.asListener(), bootstrap, connectParams));
53 public static @NonNull ListenableFuture<TLSClient> listen(final TransportChannelListener listener,
54 final ServerBootstrap bootstrap, final TcpServerGrouping listenParams, final TlsClientGrouping clientParams)
55 throws UnsupportedConfigurationException {
56 final var client = newClient(listener, clientParams);
57 return transformUnderlay(client, TCPServer.listen(client.asListener(), bootstrap, listenParams));
60 public static @NonNull ListenableFuture<TLSClient> listen(final TransportChannelListener listener,
61 final ServerBootstrap bootstrap, final TcpServerGrouping listenParams, final SslHandlerFactory factory)
62 throws UnsupportedConfigurationException {
63 final var client = new TLSClient(listener, factory);
64 return transformUnderlay(client, TCPServer.listen(client.asListener(), bootstrap, listenParams));
67 private static TLSClient newClient(final TransportChannelListener listener, final TlsClientGrouping clientParams)
68 throws UnsupportedConfigurationException {
69 final var builder = SslContextBuilder.forClient();
71 final var clientIdentity = clientParams.getClientIdentity();
72 if (clientIdentity != null) {
73 final var authType = clientIdentity.getAuthType();
74 if (authType instanceof Certificate cert) {
75 // if-feature "client-ident-x509-cert"
76 final var certificate = cert.getCertificate();
77 if (certificate == null) {
78 throw new UnsupportedConfigurationException("Missing certificate in " + cert);
80 builder.keyManager(newKeyManager(certificate));
81 } else if (authType instanceof RawPublicKey rawKey) {
82 // if-feature "client-ident-raw-public-key"
83 final var rawPrivateKey = rawKey.getRawPrivateKey();
84 if (rawPrivateKey == null) {
85 throw new UnsupportedConfigurationException("Missing key in " + rawKey);
87 builder.keyManager(newKeyManager(rawPrivateKey));
88 } else if (authType != null) {
89 throw new UnsupportedConfigurationException("Unsupported client authentication type " + authType);
93 final var serverAuth = clientParams.getServerAuthentication();
94 if (serverAuth != null) {
95 // CA && EE X509 certificates : if-feature "server-ident-x509-cert"
96 // Raw public key : if-feature "server-ident-raw-public-key"
97 final var trustManager = newTrustManager(serverAuth.getCaCerts(), serverAuth.getEeCerts(),
98 serverAuth.getRawPublicKeys());
99 if (trustManager == null) {
100 throw new UnsupportedOperationException("No server authentication methods in " + serverAuth);
102 builder.trustManager(trustManager);
105 return new TLSClient(listener, buildSslContext(builder, clientParams.getHelloParams()));