Add interface SslHandlerFactory

[netconf.git] / netconf / netconf-topology / src / main / java / org / opendaylight / netconf / topology / AbstractNetconfTopology.java

diff --git a/netconf/netconf-topology/src/main/java/org/opendaylight/netconf/topology/AbstractNetconfTopology.java b/netconf/netconf-topology/src/main/java/org/opendaylight/netconf/topology/AbstractNetconfTopology.java
index df3eff0976e846a854bbe2f0ad66880ed54674a7..b82af0d5cb745e0fd1bfccfb6ccf942ad12cda41 100644 (file)
--- a/netconf/netconf-topology/src/main/java/org/opendaylight/netconf/topology/AbstractNetconfTopology.java
+++ b/netconf/netconf-topology/src/main/java/org/opendaylight/netconf/topology/AbstractNetconfTopology.java
@@ -12,19 +12,29 @@ import com.google.common.base.Optional;
 import com.google.common.base.Preconditions;
 import com.google.common.base.Strings;
 import com.google.common.collect.Lists;
+import com.google.common.collect.Sets;
 import com.google.common.util.concurrent.FutureCallback;
 import com.google.common.util.concurrent.Futures;
 import com.google.common.util.concurrent.ListenableFuture;
 import com.google.common.util.concurrent.MoreExecutors;
+import io.netty.handler.ssl.SslHandler;
 import io.netty.util.concurrent.EventExecutor;
 import java.io.File;
+import java.io.IOException;
 import java.math.BigDecimal;
 import java.net.InetSocketAddress;
 import java.net.URL;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.TrustManagerFactory;
 import org.opendaylight.aaa.encrypt.AAAEncryptionService;
 import org.opendaylight.controller.config.threadpool.ScheduledThreadPool;
 import org.opendaylight.controller.config.threadpool.ThreadPool;
@@ -33,6 +43,7 @@ import org.opendaylight.controller.md.sal.dom.api.DOMMountPointService;
 import org.opendaylight.netconf.api.NetconfMessage;
 import org.opendaylight.netconf.client.NetconfClientDispatcher;
 import org.opendaylight.netconf.client.NetconfClientSessionListener;
+import org.opendaylight.netconf.client.SslHandlerFactory;
 import org.opendaylight.netconf.client.conf.NetconfClientConfiguration;
 import org.opendaylight.netconf.client.conf.NetconfReconnectingClientConfiguration;
 import org.opendaylight.netconf.client.conf.NetconfReconnectingClientConfigurationBuilder;
@@ -62,6 +73,8 @@ import org.opendaylight.protocol.framework.TimedReconnectStrategy;
 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev130715.Host;
 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev130715.IpAddress;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.node.topology.rev150114.NetconfNode;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.node.topology.rev150114.netconf.node.connection.parameters.protocol.Specification;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.node.topology.rev150114.netconf.node.connection.parameters.protocol.specification.TlsCase;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.node.topology.rev150114.netconf.node.connection.status.available.capabilities.AvailableCapability.CapabilityOrigin;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.node.topology.rev150114.netconf.node.credentials.Credentials;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.node.topology.rev150114.netconf.node.credentials.credentials.KeyAuth;
@@ -588,4 +601,50 @@ public abstract class AbstractNetconfTopology implements NetconfTopology {
             facade.close();
         }
     }
+
+    private static final class SslHandlerFactoryImpl implements SslHandlerFactory {
+        private final NetconfKeystoreAdapter keystoreAdapter;
+        private final Optional<Specification> specOptional;
+
+        SslHandlerFactoryImpl(final NetconfKeystoreAdapter keystoreAdapter, final Specification specification) {
+            this.keystoreAdapter = keystoreAdapter;
+            this.specOptional = Optional.fromNullable(specification);
+        }
+
+        @Override
+        public SslHandler createSslHandler() {
+            try {
+                final KeyStore keyStore = keystoreAdapter.getJavaKeyStore();
+
+                final KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+                kmf.init(keyStore, "".toCharArray());
+
+                final TrustManagerFactory tmf =
+                        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+                tmf.init(keyStore);
+
+                final SSLContext sslCtx = SSLContext.getInstance("TLS");
+                sslCtx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
+                final SSLEngine engine = sslCtx.createSSLEngine();
+                engine.setUseClientMode(true);
+
+                final Set<String> protocols = Sets.newHashSet(engine.getSupportedProtocols());
+                if (specOptional.isPresent()) {
+                    final Specification specification = specOptional.get();
+                    if (!(specification instanceof TlsCase)) {
+                        throw new IllegalArgumentException("Cannot get TLS specification from: " + specification);
+                    }
+                    protocols.removeAll(((TlsCase)specification).getTls().getExcludedVersions());
+                }
+
+                engine.setEnabledProtocols(protocols.toArray(new String[0]));
+                engine.setEnabledCipherSuites(engine.getSupportedCipherSuites());
+                engine.setEnableSessionCreation(true);
+
+                return new SslHandler(engine);
+            } catch (GeneralSecurityException | IOException exc) {
+                throw new IllegalStateException(exc);
+            }
+        }
+    }
 }