From: Rashmi Pujar Date: Thu, 18 Feb 2016 22:30:50 +0000 (-0500) Subject: Bug 5377: Support configuring cipher suites to use for SSLEngine X-Git-Url: https://git.opendaylight.org/gerrit/gitweb?a=commitdiff_plain;h=66856a1e126b373f93d1983485b59bfc71790fb6;p=openflowjava.git Bug 5377: Support configuring cipher suites to use for SSLEngine Change-Id: Ia8117364bd6bcbe543cb1d31dea7d27ae87c6755 Signed-off-by: Rashmi Pujar --- diff --git a/openflow-protocol-api/src/main/java/org/opendaylight/openflowjava/protocol/api/connection/TlsConfiguration.java b/openflow-protocol-api/src/main/java/org/opendaylight/openflowjava/protocol/api/connection/TlsConfiguration.java index 6676dd02..f5a71a8c 100644 --- a/openflow-protocol-api/src/main/java/org/opendaylight/openflowjava/protocol/api/connection/TlsConfiguration.java +++ b/openflow-protocol-api/src/main/java/org/opendaylight/openflowjava/protocol/api/connection/TlsConfiguration.java @@ -8,6 +8,8 @@ package org.opendaylight.openflowjava.protocol.api.connection; +import java.util.List; + import org.opendaylight.yang.gen.v1.urn.opendaylight.openflow.config.rev140630.KeystoreType; import org.opendaylight.yang.gen.v1.urn.opendaylight.openflow.config.rev140630.PathType; @@ -62,4 +64,9 @@ public interface TlsConfiguration { * @return password protecting specified truststore */ String getTruststorePassword(); + + /** + * @return list of cipher suites for TLS connection + */ + List getCipherSuites(); } diff --git a/openflow-protocol-api/src/main/java/org/opendaylight/openflowjava/protocol/api/connection/TlsConfigurationImpl.java b/openflow-protocol-api/src/main/java/org/opendaylight/openflowjava/protocol/api/connection/TlsConfigurationImpl.java index 78a6c6b8..2a290140 100644 --- a/openflow-protocol-api/src/main/java/org/opendaylight/openflowjava/protocol/api/connection/TlsConfigurationImpl.java +++ b/openflow-protocol-api/src/main/java/org/opendaylight/openflowjava/protocol/api/connection/TlsConfigurationImpl.java 
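Review bot: The Javadoc on the new `getCipherSuites()` does not say what a null or empty return means, although the only consumer added in this commit (TcpChannelInitializer) treats both as "leave the SSLEngine's default suites untouched", so an implementor returning an empty list to mean "no suites" would get the opposite of what they intended. Suggested Javadoc: `@return cipher suites to enable on the SSLEngine, as JSSE standard names (see SSLEngine.getSupportedCipherSuites()); null or empty keeps the engine's default enabled suites`. The method also appears with a raw `List` on this page; if the type parameter was dropped in the source rather than by the page rendering, declare it `List<String> getCipherSuites();` to match the `toArray(new String[...])` use in TcpChannelInitializer.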
@@ -8,6 +8,8 @@ package org.opendaylight.openflowjava.protocol.api.connection; +import java.util.List; + import org.opendaylight.yang.gen.v1.urn.opendaylight.openflow.config.rev140630.KeystoreType; import org.opendaylight.yang.gen.v1.urn.opendaylight.openflow.config.rev140630.PathType; @@ -23,6 +25,7 @@ public class TlsConfigurationImpl implements TlsConfiguration { private String keyStore; private PathType keystorePathType; private PathType truststorePathType; + private List cipherSuites; /** * Default constructor @@ -35,13 +38,15 @@ public class TlsConfigurationImpl implements TlsConfiguration { */ public TlsConfigurationImpl(KeystoreType trustStoreType, String trustStore, PathType trustStorePathType, KeystoreType keyStoreType, - String keyStore, PathType keyStorePathType) { + String keyStore, PathType keyStorePathType, + List cipherSuites) { this.trustStoreType = trustStoreType; this.trustStore = trustStore; this.truststorePathType = trustStorePathType; this.keyStoreType = keyStoreType; this.keyStore = keyStore; this.keystorePathType = keyStorePathType; + this.cipherSuites = cipherSuites; } @Override @@ -88,4 +93,9 @@ public class TlsConfigurationImpl implements TlsConfiguration { public String getTruststorePassword() { return "opendaylight"; } + + @Override + public List getCipherSuites() { + return cipherSuites; + } } diff --git a/openflow-protocol-api/src/test/java/org/opendaylight/openflowjava/protocol/api/connection/TlsConfigurationImplTest.java b/openflow-protocol-api/src/test/java/org/opendaylight/openflowjava/protocol/api/connection/TlsConfigurationImplTest.java index f71d2302..be52a188 100644 --- a/openflow-protocol-api/src/test/java/org/opendaylight/openflowjava/protocol/api/connection/TlsConfigurationImplTest.java +++ b/openflow-protocol-api/src/test/java/org/opendaylight/openflowjava/protocol/api/connection/TlsConfigurationImplTest.java 
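Review bot: The constructor stores the caller's list by reference and `getCipherSuites()` hands the same object back, so whoever built the configuration can change the enabled-suite set after an SSLEngine has already been configured from it, while every other field of this class holds an immutable value. Snapshot it in the constructor: `this.cipherSuites = cipherSuites == null ? null : Collections.unmodifiableList(new ArrayList<>(cipherSuites));` (with `java.util.ArrayList` and `java.util.Collections` imported), keeping null so the existing null check in TcpChannelInitializer still applies. The constructor's Javadoc closes just above the hunk and should gain `@param cipherSuites cipher suites to enable on the SSLEngine; null or empty keeps the engine defaults`.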
@@ -10,10 +10,14 @@ package org.opendaylight.openflowjava.protocol.api.connection; import static org.junit.Assert.*; +import java.util.List; + import org.junit.Test; import org.opendaylight.yang.gen.v1.urn.opendaylight.openflow.config.rev140630.KeystoreType; import org.opendaylight.yang.gen.v1.urn.opendaylight.openflow.config.rev140630.PathType; +import com.google.common.collect.Lists; + /** * @author michal.polkorab * @@ -25,8 +29,9 @@ public class TlsConfigurationImplTest { */ @Test public void test() { + List cipherSuites = Lists.newArrayList("TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA256"); TlsConfigurationImpl config = new TlsConfigurationImpl(KeystoreType.JKS, - "user/dir", PathType.CLASSPATH, KeystoreType.PKCS12, "/var/lib", PathType.PATH); + "user/dir", PathType.CLASSPATH, KeystoreType.PKCS12, "/var/lib", PathType.PATH, cipherSuites); assertEquals("Wrong keystore location", "/var/lib", config.getTlsKeystore()); assertEquals("Wrong truststore location", "user/dir", config.getTlsTruststore()); assertEquals("Wrong keystore type", KeystoreType.PKCS12, config.getTlsKeystoreType()); @@ -36,5 +41,6 @@ public class TlsConfigurationImplTest { assertEquals("Wrong certificate password", "opendaylight", config.getCertificatePassword()); assertEquals("Wrong keystore password", "opendaylight", config.getKeystorePassword()); assertEquals("Wrong truststore password", "opendaylight", config.getTruststorePassword()); + assertEquals("Wrong cipher suites", cipherSuites, config.getCipherSuites()); } } \ No newline at end of file diff --git a/openflow-protocol-impl/src/main/java/org/opendaylight/openflowjava/protocol/impl/core/TcpChannelInitializer.java b/openflow-protocol-impl/src/main/java/org/opendaylight/openflowjava/protocol/impl/core/TcpChannelInitializer.java index 18566eb2..881f697a 100644 --- a/openflow-protocol-impl/src/main/java/org/opendaylight/openflowjava/protocol/impl/core/TcpChannelInitializer.java 
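Review bot: The new assertion only round-trips the reference that was passed in; the null and empty cases, which are the ones that silently fall back to the JVM's default cipher suites in TcpChannelInitializer, are not exercised here (IntegrationTest passes an empty list but asserts nothing about it). A second construction with `null` in the last position asserting `config.getCipherSuites()` is null would pin that part of the contract. `Arrays.asList(...)` would also do the job of `Lists.newArrayList(...)` here without pulling Guava into a test that previously did not use it.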
+++ b/openflow-protocol-impl/src/main/java/org/opendaylight/openflowjava/protocol/impl/core/TcpChannelInitializer.java @@ -16,6 +16,7 @@ import io.netty.util.concurrent.Future; import io.netty.util.concurrent.GenericFutureListener; import java.net.InetAddress; import java.util.Iterator; +import java.util.List; import java.util.concurrent.TimeUnit; import javax.net.ssl.SSLEngine; import org.opendaylight.openflowjava.protocol.impl.core.connection.ConnectionAdapterFactory; @@ -84,6 +85,13 @@ public class TcpChannelInitializer extends ProtocolChannelInitializer suitesList = getTlsConfiguration().getCipherSuites(); + if (suitesList != null && !suitesList.isEmpty()) { + LOGGER.debug("Requested Cipher Suites are: {}", suitesList); + String[] suites = suitesList.toArray(new String[suitesList.size()]); + engine.setEnabledCipherSuites(suites); + LOGGER.debug("Cipher suites enabled in SSLEngine are: {}", engine.getEnabledCipherSuites().toString()); + } final SslHandler ssl = new SslHandler(engine); final Future handshakeFuture = ssl.handshakeFuture(); final ConnectionFacade finalConnectionFacade = connectionFacade; diff --git a/openflow-protocol-impl/src/main/java/org/opendaylight/yang/gen/v1/urn/opendaylight/params/xml/ns/yang/openflow/_switch/connection/provider/impl/rev140328/SwitchConnectionProviderModule.java b/openflow-protocol-impl/src/main/java/org/opendaylight/yang/gen/v1/urn/opendaylight/params/xml/ns/yang/openflow/_switch/connection/provider/impl/rev140328/SwitchConnectionProviderModule.java index 6077c787..6ded9bfb 100644 --- a/openflow-protocol-impl/src/main/java/org/opendaylight/yang/gen/v1/urn/opendaylight/params/xml/ns/yang/openflow/_switch/connection/provider/impl/rev140328/SwitchConnectionProviderModule.java +++ b/openflow-protocol-impl/src/main/java/org/opendaylight/yang/gen/v1/urn/opendaylight/params/xml/ns/yang/openflow/_switch/connection/provider/impl/rev140328/SwitchConnectionProviderModule.java 
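Review bot: The second debug line logs `engine.getEnabledCipherSuites().toString()`, which for a `String[]` prints the array identity (`[Ljava.lang.String;@...`) rather than the suite names, so the log never shows what was actually enabled; use `Arrays.toString(engine.getEnabledCipherSuites())`. More importantly, `SSLEngine.setEnabledCipherSuites` throws `IllegalArgumentException` on the first name the provider does not support, so one misspelled entry in the configuration aborts `initChannel` for every switch connection with no indication of which entry was wrong. The rewrite below filters the requested names against `engine.getSupportedCipherSuites()`, warns about each dropped name, and still fails closed when nothing usable remains, since silently keeping the engine defaults would run weaker suites than the operator configured; it needs `java.util.ArrayList` and `java.util.Arrays` imported. `initChannel` starts and ends outside the hunk.
```java
// … unchanged: SSLEngine creation from the SslContextFactory …
List<String> suitesList = getTlsConfiguration().getCipherSuites();
if (suitesList != null && !suitesList.isEmpty()) {
    LOGGER.debug("Requested Cipher Suites are: {}", suitesList);
    // setEnabledCipherSuites rejects the whole array on the first unknown name and
    // would abort initChannel; keep only names this provider implements and say which were dropped.
    List<String> supported = Arrays.asList(engine.getSupportedCipherSuites());
    List<String> accepted = new ArrayList<>();
    for (String suite : suitesList) {
        if (supported.contains(suite)) {
            accepted.add(suite);
        } else {
            LOGGER.warn("Configured cipher suite {} is not supported by this JVM and will be ignored", suite);
        }
    }
    if (accepted.isEmpty()) {
        // Fail closed: falling back to the engine defaults would silently enable suites the operator excluded.
        throw new IllegalStateException("None of the configured cipher suites are supported: " + suitesList);
    }
    engine.setEnabledCipherSuites(accepted.toArray(new String[accepted.size()]));
    LOGGER.debug("Cipher suites enabled in SSLEngine are: {}", Arrays.toString(engine.getEnabledCipherSuites()));
}
// … unchanged: SslHandler creation and handshake listener …
```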
@@ -12,6 +12,8 @@ package org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.openflo import com.google.common.base.MoreObjects; import java.net.InetAddress; import java.net.UnknownHostException; +import java.util.List; + import org.opendaylight.openflowjava.protocol.api.connection.ConnectionConfiguration; import org.opendaylight.openflowjava.protocol.api.connection.ThreadConfiguration; import org.opendaylight.openflowjava.protocol.api.connection.TlsConfiguration; @@ -136,6 +138,10 @@ public final class SwitchConnectionProviderModule extends org.opendaylight.yang. public String getTruststorePassword() { return MoreObjects.firstNonNull(tlsConfig.getTruststorePassword(), null); } + @Override + public List getCipherSuites() { + return tlsConfig.getCipherSuites(); + } }; } @Override diff --git a/openflow-protocol-impl/src/main/yang/openflow-switch-connection-provider-impl.yang b/openflow-protocol-impl/src/main/yang/openflow-switch-connection-provider-impl.yang index aead1758..1610ff1b 100644 --- a/openflow-protocol-impl/src/main/yang/openflow-switch-connection-provider-impl.yang +++ b/openflow-protocol-impl/src/main/yang/openflow-switch-connection-provider-impl.yang @@ -97,6 +97,10 @@ module openflow-switch-connection-provider-impl { description "password protecting truststore"; type string; } + leaf-list cipher-suites { + description "combination of cryptographic algorithms used by TLS connection"; + type string; + } } container threads { leaf boss-threads { diff --git a/openflow-protocol-impl/src/test/java/org/opendaylight/openflowjava/protocol/impl/core/PublishingChannelInitializerFactoryTest.java b/openflow-protocol-impl/src/test/java/org/opendaylight/openflowjava/protocol/impl/core/PublishingChannelInitializerFactoryTest.java index 6001e7f8..48697240 100644 --- a/openflow-protocol-impl/src/test/java/org/opendaylight/openflowjava/protocol/impl/core/PublishingChannelInitializerFactoryTest.java 
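Review bot: The new `getCipherSuites()` passes the configured names through unvalidated, so a misspelled suite name is only discovered when the first switch connects and `SSLEngine.setEnabledCipherSuites` rejects it inside TcpChannelInitializer, not when the module is loaded. If this module has a `customValidation()` hook (not visible in the hunk), checking each configured name against `SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()` there would reject a bad configuration up front with a message naming the offending entry. The accessor also deliberately returns null when the leaf-list is absent, which the consumer relies on; a one-line comment `// null when cipher-suites is not configured: the channel initializer then keeps the engine defaults` would make that intent explicit next to the `firstNonNull` wrappers on the neighbouring methods.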
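Review bot: The description of the new `cipher-suites` leaf-list does not tell an operator what format the values take or what happens when it is omitted, which is the information they need to avoid the runtime rejection in TcpChannelInitializer. Suggested text: `description "Cipher suites to enable on the TLS connection, given as JSSE standard cipher suite names accepted by the running JVM. When omitted, the JVM default suites are used.";`.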
+++ b/openflow-protocol-impl/src/test/java/org/opendaylight/openflowjava/protocol/impl/core/PublishingChannelInitializerFactoryTest.java @@ -22,6 +22,8 @@ import org.opendaylight.openflowjava.protocol.impl.serialization.SerializationFa import org.opendaylight.yang.gen.v1.urn.opendaylight.openflow.config.rev140630.KeystoreType; import org.opendaylight.yang.gen.v1.urn.opendaylight.openflow.config.rev140630.PathType; +import com.google.common.collect.Lists; + /** * * @author jameshall @@ -43,7 +45,8 @@ public class PublishingChannelInitializerFactoryTest { MockitoAnnotations.initMocks(this); factory = new ChannelInitializerFactory(); tlsConfiguration = new TlsConfigurationImpl(KeystoreType.JKS, "/exemplary-ctlTrustStore", - PathType.CLASSPATH, KeystoreType.JKS, "/exemplary-ctlKeystore", PathType.CLASSPATH); + PathType.CLASSPATH, KeystoreType.JKS, "/exemplary-ctlKeystore", PathType.CLASSPATH, + Lists.newArrayList("TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA256")); factory.setDeserializationFactory(deserializationFactory); factory.setSerializationFactory(serializationFactory); factory.setSwitchConnectionHandler(switchConnectionHandler); diff --git a/openflow-protocol-impl/src/test/java/org/opendaylight/openflowjava/protocol/impl/core/PublishingChannelInitializerTest.java b/openflow-protocol-impl/src/test/java/org/opendaylight/openflowjava/protocol/impl/core/PublishingChannelInitializerTest.java index bcd2ebb9..b855cc91 100644 --- a/openflow-protocol-impl/src/test/java/org/opendaylight/openflowjava/protocol/impl/core/PublishingChannelInitializerTest.java +++ b/openflow-protocol-impl/src/test/java/org/opendaylight/openflowjava/protocol/impl/core/PublishingChannelInitializerTest.java 
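Review bot: The fixture `Lists.newArrayList("TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA256")` is pasted verbatim into this setUp and into PublishingChannelInitializerTest, SslContextFactoryTest, SwitchConnectionProviderImpl02Test and SwitchConnectionProviderImplTest; a single `static final List<String>` constant in a shared test helper would keep them in step when the fixture changes. These are static-RSA, CBC-mode suites, presumably chosen for universal availability, which is acceptable for a fixture, but nothing in these hunks asserts that a handshake completes with exactly that set, so the tests do not yet show the configured list reaching the engine.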
@@ -39,6 +39,8 @@ import org.opendaylight.yang.gen.v1.urn.opendaylight.openflow.config.rev140630.K import org.opendaylight.yang.gen.v1.urn.opendaylight.openflow.config.rev140630.PathType; import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.openflow._switch.connection.provider.impl.rev140328.Tls; +import com.google.common.collect.Lists; + /** * * @author james.hall @@ -89,7 +91,8 @@ public class PublishingChannelInitializerTest { when(mockSocketCh.pipeline()).thenReturn(mockChPipeline) ; tlsConfiguration = new TlsConfigurationImpl(KeystoreType.JKS, "/selfSignedSwitch", PathType.CLASSPATH, - KeystoreType.JKS, "/selfSignedController", PathType.CLASSPATH); + KeystoreType.JKS, "/selfSignedController", PathType.CLASSPATH, + Lists.newArrayList("TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA256")); } diff --git a/openflow-protocol-impl/src/test/java/org/opendaylight/openflowjava/protocol/impl/core/SslContextFactoryTest.java b/openflow-protocol-impl/src/test/java/org/opendaylight/openflowjava/protocol/impl/core/SslContextFactoryTest.java index a52f44c6..c73f6c63 100644 --- a/openflow-protocol-impl/src/test/java/org/opendaylight/openflowjava/protocol/impl/core/SslContextFactoryTest.java +++ b/openflow-protocol-impl/src/test/java/org/opendaylight/openflowjava/protocol/impl/core/SslContextFactoryTest.java @@ -20,6 +20,8 @@ import org.opendaylight.openflowjava.protocol.api.connection.TlsConfigurationImp import org.opendaylight.yang.gen.v1.urn.opendaylight.openflow.config.rev140630.KeystoreType; import org.opendaylight.yang.gen.v1.urn.opendaylight.openflow.config.rev140630.PathType; +import com.google.common.collect.Lists; + /** * * @author jameshall 
@@ -36,7 +38,8 @@ public class SslContextFactoryTest { public void setUp() { MockitoAnnotations.initMocks(this); tlsConfiguration = new TlsConfigurationImpl(KeystoreType.JKS, "/exemplary-ctlTrustStore", - PathType.CLASSPATH, KeystoreType.JKS, "/exemplary-ctlKeystore", PathType.CLASSPATH) ; + PathType.CLASSPATH, KeystoreType.JKS, "/exemplary-ctlKeystore", PathType.CLASSPATH, + Lists.newArrayList("TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA256")) ; sslContextFactory = new SslContextFactory(tlsConfiguration); } diff --git a/openflow-protocol-impl/src/test/java/org/opendaylight/openflowjava/protocol/impl/core/connection/SwitchConnectionProviderImpl02Test.java b/openflow-protocol-impl/src/test/java/org/opendaylight/openflowjava/protocol/impl/core/connection/SwitchConnectionProviderImpl02Test.java index 78b24325..e9b36307 100644 --- a/openflow-protocol-impl/src/test/java/org/opendaylight/openflowjava/protocol/impl/core/connection/SwitchConnectionProviderImpl02Test.java +++ b/openflow-protocol-impl/src/test/java/org/opendaylight/openflowjava/protocol/impl/core/connection/SwitchConnectionProviderImpl02Test.java @@ -7,6 +7,7 @@ */ package org.opendaylight.openflowjava.protocol.impl.core.connection; +import com.google.common.collect.Lists; import com.google.common.util.concurrent.ListenableFuture; import java.net.InetAddress; import java.net.UnknownHostException; @@ -93,7 +94,8 @@ public class SwitchConnectionProviderImpl02Test { if (protocol.equals(TransportProtocol.TLS)) { tlsConfiguration = new TlsConfigurationImpl(KeystoreType.JKS, "/selfSignedSwitch", PathType.CLASSPATH, KeystoreType.JKS, - "/selfSignedController", PathType.CLASSPATH) ; + "/selfSignedController", PathType.CLASSPATH, + Lists.newArrayList("TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA256")) ; } config = new ConnectionConfigurationImpl(startupAddress, 0, tlsConfiguration, SWITCH_IDLE_TIMEOUT, true); config.setTransferProtocol(protocol); 
diff --git a/openflow-protocol-impl/src/test/java/org/opendaylight/openflowjava/protocol/impl/core/connection/SwitchConnectionProviderImplTest.java b/openflow-protocol-impl/src/test/java/org/opendaylight/openflowjava/protocol/impl/core/connection/SwitchConnectionProviderImplTest.java index 3b53eed6..491e18de 100644 --- a/openflow-protocol-impl/src/test/java/org/opendaylight/openflowjava/protocol/impl/core/connection/SwitchConnectionProviderImplTest.java +++ b/openflow-protocol-impl/src/test/java/org/opendaylight/openflowjava/protocol/impl/core/connection/SwitchConnectionProviderImplTest.java @@ -8,6 +8,7 @@ package org.opendaylight.openflowjava.protocol.impl.core.connection; +import com.google.common.collect.Lists; import com.google.common.util.concurrent.ListenableFuture; import java.net.InetAddress; import java.net.UnknownHostException; @@ -65,7 +66,8 @@ public class SwitchConnectionProviderImplTest { if (protocol.equals(TransportProtocol.TLS)) { tlsConfiguration = new TlsConfigurationImpl(KeystoreType.JKS, "/selfSignedSwitch", PathType.CLASSPATH, KeystoreType.JKS, - "/selfSignedController", PathType.CLASSPATH) ; + "/selfSignedController", PathType.CLASSPATH, + Lists.newArrayList("TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA256")) ; } config = new ConnectionConfigurationImpl(startupAddress, 0, tlsConfiguration, SWITCH_IDLE_TIMEOUT, true); config.setTransferProtocol(protocol); diff --git a/openflow-protocol-it/src/test/java/org/opendaylight/openflowjava/protocol/it/integration/IntegrationTest.java b/openflow-protocol-it/src/test/java/org/opendaylight/openflowjava/protocol/it/integration/IntegrationTest.java index e10d12de..77e747a9 100644 --- a/openflow-protocol-it/src/test/java/org/opendaylight/openflowjava/protocol/it/integration/IntegrationTest.java +++ b/openflow-protocol-it/src/test/java/org/opendaylight/openflowjava/protocol/it/integration/IntegrationTest.java 
@@ -74,7 +74,8 @@ public class IntegrationTest { if (protocol.equals(TransportProtocol.TLS)) { tlsConfiguration = new TlsConfigurationImpl(KeystoreType.JKS, "/selfSignedSwitch", PathType.CLASSPATH, KeystoreType.JKS, - "/selfSignedController", PathType.CLASSPATH) ; + "/selfSignedController", PathType.CLASSPATH, + new ArrayList()); } connConfig = new ConnectionConfigurationImpl(startupAddress, 0, tlsConfiguration, SWITCH_IDLE_TIMEOUT, true); connConfig.setTransferProtocol(protocol);
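Review bot: `new ArrayList()` here is raw (unless the page rendering dropped the type parameter) and the list is never mutated, so `Collections.<String>emptyList()` states the intent more directly. This is also the only place in the commit that exercises the empty-list path, where TcpChannelInitializer keeps the engine's default suites, and that deserves a comment such as `// empty list: run the TLS integration test with the JVM default cipher suites` so the choice is not mistaken for an unfinished fixture.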