Code Review / netconf.git / blob
? search:
summary | shortlog | log | commit | commitdiff | review | tree
history | raw | HEAD
Add transport-tls
[netconf.git] / transport / transport-tls / src / main / java / org / opendaylight / netconf / transport / tls / TLSTransportStack.java
1 /*
2  * Copyright (c) 2022 PANTHEON.tech, s.r.o. and others.  All rights reserved.
3  *
4  * This program and the accompanying materials are made available under the
5  * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6  * and is available at http://www.eclipse.org/legal/epl-v10.html
7  */
8 package org.opendaylight.netconf.transport.tls;
9
10 import static java.util.Objects.requireNonNull;
11 import static org.opendaylight.netconf.transport.tls.ConfigUtils.setAsymmetricKey;
12 import static org.opendaylight.netconf.transport.tls.ConfigUtils.setEndEntityCertificateWithKey;
13 import static org.opendaylight.netconf.transport.tls.ConfigUtils.setX509Certificates;
14 import static org.opendaylight.netconf.transport.tls.KeyStoreUtils.buildKeyManagerFactory;
15 import static org.opendaylight.netconf.transport.tls.KeyStoreUtils.buildTrustManagerFactory;
16 import static org.opendaylight.netconf.transport.tls.KeyStoreUtils.newKeyStore;
17
18 import com.google.common.collect.ImmutableList;
19 import com.google.common.collect.ImmutableMap;
20 import io.netty.handler.ssl.SslContext;
21 import io.netty.handler.ssl.SslContextBuilder;
22 import java.security.KeyStore;
23 import java.util.List;
24 import java.util.Set;
25 import javax.net.ssl.KeyManagerFactory;
26 import javax.net.ssl.SSLException;
27 import javax.net.ssl.TrustManagerFactory;
28 import org.eclipse.jdt.annotation.NonNull;
29 import org.eclipse.jdt.annotation.Nullable;
30 import org.opendaylight.netconf.transport.api.AbstractOverlayTransportStack;
31 import org.opendaylight.netconf.transport.api.TransportChannel;
32 import org.opendaylight.netconf.transport.api.TransportChannelListener;
33 import org.opendaylight.netconf.transport.api.UnsupportedConfigurationException;
34 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.CipherSuiteAlgBase;
35 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsAes128CcmSha256;
36 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsAes128GcmSha256;
37 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsAes256GcmSha384;
38 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsChacha20Poly1305Sha256;
39 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsDhePskWithAes128Ccm;
40 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsDhePskWithAes128GcmSha256;
41 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsDhePskWithAes256Ccm;
42 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsDhePskWithAes256GcmSha384;
43 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsDhePskWithChacha20Poly1305Sha256;
44 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsDheRsaWithAes128Ccm;
45 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsDheRsaWithAes128GcmSha256;
46 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsDheRsaWithAes256Ccm;
47 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsDheRsaWithAes256GcmSha384;
48 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsDheRsaWithChacha20Poly1305Sha256;
49 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsEcdheEcdsaWithAes128GcmSha256;
50 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsEcdheEcdsaWithAes256GcmSha384;
51 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsEcdheEcdsaWithChacha20Poly1305Sha256;
52 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsEcdhePskWithAes128CcmSha256;
53 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsEcdhePskWithAes128GcmSha256;
54 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsEcdhePskWithAes256GcmSha384;
55 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsEcdhePskWithChacha20Poly1305Sha256;
56 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsEcdheRsaWithAes128GcmSha256;
57 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsEcdheRsaWithAes256GcmSha384;
58 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsEcdheRsaWithChacha20Poly1305Sha256;
59 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev221212.LocalOrKeystoreAsymmetricKeyGrouping;
60 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev221212.LocalOrKeystoreEndEntityCertWithKeyGrouping;
61 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.common.rev221212.HelloParamsGrouping;
62 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.common.rev221212.TlsVersionBase;
63 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev221212.LocalOrTruststoreCertsGrouping;
64 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev221212.LocalOrTruststorePublicKeysGrouping;
65
66 /**
67  * Base class for TLS TransportStacks.
68  */
69 public abstract sealed class TLSTransportStack extends AbstractOverlayTransportStack<TLSTransportChannel>
70         permits TLSClient, TLSServer {
71
72     private static final ImmutableMap<CipherSuiteAlgBase, String> CIPHER_SUITES =
73             ImmutableMap.<CipherSuiteAlgBase, String>builder()
74                     .put(TlsAes128CcmSha256.VALUE, "TLS_AES_128_CCM_SHA256")
75                     .put(TlsAes128GcmSha256.VALUE, "TLS_AES_128_GCM_SHA256")
76                     .put(TlsAes256GcmSha384.VALUE, "TLS_AES_256_GCM_SHA384")
77                     .put(TlsChacha20Poly1305Sha256.VALUE, "TLS_CHACHA20_POLY1305_SHA256")
78                     .put(TlsDhePskWithAes128Ccm.VALUE, "TLS_DHE_PSK_WITH_AES_128_CCM")
79                     .put(TlsDhePskWithAes128GcmSha256.VALUE, "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256")
80                     .put(TlsDhePskWithAes256Ccm.VALUE, "TLS_DHE_PSK_WITH_AES_256_CCM")
81                     .put(TlsDhePskWithAes256GcmSha384.VALUE, "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384")
82                     .put(TlsDhePskWithChacha20Poly1305Sha256.VALUE, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256")
83                     .put(TlsDheRsaWithAes128Ccm.VALUE, "TLS_DHE_RSA_WITH_AES_128_CCM")
84                     .put(TlsDheRsaWithAes128GcmSha256.VALUE, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256")
85                     .put(TlsDheRsaWithAes256Ccm.VALUE, "TLS_DHE_RSA_WITH_AES_256_CCM")
86                     .put(TlsDheRsaWithAes256GcmSha384.VALUE, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384")
87                     .put(TlsDheRsaWithChacha20Poly1305Sha256.VALUE, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256")
88                     .put(TlsEcdheEcdsaWithAes128GcmSha256.VALUE, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256")
89                     .put(TlsEcdheEcdsaWithAes256GcmSha384.VALUE, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384")
90                     .put(TlsEcdheEcdsaWithChacha20Poly1305Sha256.VALUE, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256")
91                     .put(TlsEcdhePskWithAes128CcmSha256.VALUE, "TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256")
92                     .put(TlsEcdhePskWithAes128GcmSha256.VALUE, "TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256")
93                     .put(TlsEcdhePskWithAes256GcmSha384.VALUE, "TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384")
94                     .put(TlsEcdhePskWithChacha20Poly1305Sha256.VALUE, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256")
95                     .put(TlsEcdheRsaWithAes128GcmSha256.VALUE, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256")
96                     .put(TlsEcdheRsaWithAes256GcmSha384.VALUE, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384")
97                     .put(TlsEcdheRsaWithChacha20Poly1305Sha256.VALUE, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256")
98                     .build();
99
100     private volatile @NonNull SslContext sslContext;
101
102     TLSTransportStack(final TransportChannelListener listener, final SslContext sslContext) {
103         super(listener);
104         this.sslContext = requireNonNull(sslContext);
105     }
106
107     @Override
108     protected final void onUnderlayChannelEstablished(final TransportChannel underlayChannel) {
109         final var channel = underlayChannel.channel();
110         final var sslHandler = sslContext.newHandler(channel.alloc());
111
112         channel.pipeline().addLast(sslHandler);
113         sslHandler.handshakeFuture().addListener(future -> {
114             final var cause = future.cause();
115             if (cause != null) {
116                 notifyTransportChannelFailed(cause);
117                 channel.close();
118             } else {
119                 addTransportChannel(new TLSTransportChannel(underlayChannel));
120             }
121         });
122     }
123
124     final void setSslContext(final SslContext sslContext) {
125         this.sslContext = requireNonNull(sslContext);
126     }
127
128     static KeyManagerFactory newKeyManager(
129             final @NonNull LocalOrKeystoreEndEntityCertWithKeyGrouping endEntityCert
130     ) throws UnsupportedConfigurationException {
131         final var keyStore = newKeyStore();
132         setEndEntityCertificateWithKey(keyStore, endEntityCert);
133         return buildKeyManagerFactory(keyStore);
134     }
135
136     static KeyManagerFactory newKeyManager(final @NonNull LocalOrKeystoreAsymmetricKeyGrouping rawPrivateKey)
137             throws UnsupportedConfigurationException {
138         final var keyStore = newKeyStore();
139         setAsymmetricKey(keyStore, rawPrivateKey);
140         return buildKeyManagerFactory(keyStore);
141     }
142
143     // FIXME: should be TrustManagerBuilder
144     protected static @Nullable TrustManagerFactory newTrustManager(
145             final @Nullable LocalOrTruststoreCertsGrouping caCerts,
146             final @Nullable LocalOrTruststoreCertsGrouping eeCerts,
147             final @Nullable LocalOrTruststorePublicKeysGrouping publicKeys) throws UnsupportedConfigurationException {
148
149         if (publicKeys != null) {
150             // FIXME: implement this and advertize server-auth-raw-public-key from IetfTlsClientFeatureProvider
151             throw new UnsupportedConfigurationException("Public key authentication not implemented");
152         }
153         if (caCerts != null || eeCerts != null) {
154             // X.509 certificates
155             final KeyStore keyStore = newKeyStore();
156             setX509Certificates(keyStore, caCerts, eeCerts);
157             return buildTrustManagerFactory(keyStore);
158         }
159         return null;
160     }
161
162     static SslContext buildSslContext(final SslContextBuilder builder, final HelloParamsGrouping helloParams)
163             throws UnsupportedConfigurationException {
164         if (helloParams != null) {
165             final var tlsVersions = helloParams.getTlsVersions();
166             if (tlsVersions != null) {
167                 final var versions = tlsVersions.getTlsVersion();
168                 if (versions != null && !versions.isEmpty()) {
169                     builder.protocols(createTlsStrings(versions));
170                 }
171             }
172             final var cipherSuites = helloParams.getCipherSuites();
173             if (cipherSuites != null) {
174                 final var ciphers = cipherSuites.getCipherSuite();
175                 if (ciphers != null && !ciphers.isEmpty()) {
176                     builder.ciphers(createCipherStrings(ciphers));
177                 }
178             }
179         }
180         try {
181             return builder.build();
182         } catch (SSLException e) {
183             throw new UnsupportedConfigurationException("Cannot instantiate TLS context", e);
184         }
185     }
186
187     private static String[] createTlsStrings(final Set<TlsVersionBase> versions)
188             throws UnsupportedConfigurationException {
189         // FIXME: cache these
190         final var ret = new String[versions.size()];
191         int idx = 0;
192         for (var version : versions) {
193             final var str = IetfTlsCommonFeatureProvider.algorithmNameOf(version);
194             if (str == null) {
195                 throw new UnsupportedConfigurationException("Unhandled TLS version " + version);
196             }
197             ret[idx++] = str;
198         }
199         return ret;
200     }
201
202     private static ImmutableList<String> createCipherStrings(final List<CipherSuiteAlgBase> ciphers)
203             throws UnsupportedConfigurationException {
204         // FIXME: cache these
205         final var builder = ImmutableList.<String>builderWithExpectedSize(ciphers.size());
206         for (var cipher : ciphers) {
207             final var str = CIPHER_SUITES.get(cipher);
208             if (str == null) {
209                 throw new UnsupportedConfigurationException("Unhandled cipher suite " + cipher);
210             }
211             builder.add(str);
212         }
213         return builder.build();
214     }
215 }
Netconf