From 3129a6f302a62f549ff2dd21b987e28bab686d5e Mon Sep 17 00:00:00 2001
From: Michal Polkorab
Date: Tue, 1 Jul 2014 10:38:24 +0200
Subject: [PATCH] TLS support - configurable passwords - this change allows usage of arbitrary passwords (for keystore, certificate, truststore) instead of hardcoded "opendaylight" password
Signed-off-by: Michal Polkorab
---
 .../api/connection/TlsConfiguration.java | 19 ++++++++++--
 .../api/connection/TlsConfigurationImpl.java | 17 ++++++++++-
 .../protocol/impl/core/SslContextFactory.java | 30 ++++++-------------
 .../protocol/impl/core/SslKeyStore.java | 14 --------
 .../SwitchConnectionProviderModule.java | 12 ++++++++
 ...nflow-switch-connection-provider-impl.yang | 16 ++++++++--
 .../protocol/impl/core/SslKeyStoreTest.java | 23 +-------------
 7 files changed, 69 insertions(+), 62 deletions(-)
diff --git a/openflow-protocol-api/src/main/java/org/opendaylight/openflowjava/protocol/api/connection/TlsConfiguration.java b/openflow-protocol-api/src/main/java/org/opendaylight/openflowjava/protocol/api/connection/TlsConfiguration.java
index 54298294..00e1a410 100644
--- a/openflow-protocol-api/src/main/java/org/opendaylight/openflowjava/protocol/api/connection/TlsConfiguration.java
+++ b/openflow-protocol-api/src/main/java/org/opendaylight/openflowjava/protocol/api/connection/TlsConfiguration.java
@@ -39,12 +39,27 @@ public interface TlsConfiguration {
     public KeystoreType getTlsTruststoreType();
     /**
-     * @return keystore path type (classpath or path)
+     * @return keystore path type (CLASSPATH or PATH)
      */
     public PathType getTlsKeystorePathType();
     /**
-     * @return truststore path type (classpath or path)
+     * @return truststore path type (CLASSPATH or PATH)
      */
     public PathType getTlsTruststorePathType();
+
+    /**
+     * @return password protecting specified keystore
+     */
+    public String getKeystorePassword();
+
+    /**
+     * @return password protecting certificate
+     */
+    public String getCertificatePassword();
+
+    /**
+     * @return password protecting specified truststore
+     */
+    public String getTruststorePassword();
 }
diff --git a/openflow-protocol-api/src/main/java/org/opendaylight/openflowjava/protocol/api/connection/TlsConfigurationImpl.java b/openflow-protocol-api/src/main/java/org/opendaylight/openflowjava/protocol/api/connection/TlsConfigurationImpl.java
index d0bafdd4..4d6fa87d 100644
--- a/openflow-protocol-api/src/main/java/org/opendaylight/openflowjava/protocol/api/connection/TlsConfigurationImpl.java
+++ b/openflow-protocol-api/src/main/java/org/opendaylight/openflowjava/protocol/api/connection/TlsConfigurationImpl.java
@@ -12,8 +12,8 @@ import org.opendaylight.yang.gen.v1.urn.opendaylight.openflow.config.rev140630.K
 import org.opendaylight.yang.gen.v1.urn.opendaylight.openflow.config.rev140630.PathType;
 /**
+ * Class is used only for testing purposes - passwords are hardcoded
  * @author michal.polkorab
- *
  */
 public class TlsConfigurationImpl implements TlsConfiguration {
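Review bot: The three new getters return secrets as `String`, which cannot be cleared after use, while their only consumers (`KeyStore.load` and `KeyManagerFactory.init` in SslContextFactory) take `char[]` and the `SslKeyStore` helpers this commit deletes already returned `char[]`; declaring them as `public char[] getKeystorePassword();` (and likewise for the other two) would let the caller zero the array once the stores are loaded. The Javadoc should also say whether null is permitted, because SslContextFactory now dereferences each value unconditionally. `getCertificatePassword` is in fact the value handed to `KeyManagerFactory.init`, i.e. the password of the private-key entry in the keystore rather than of a certificate, so its Javadoc would be more accurate as `@return password protecting the private key entry in the keystore (passed to KeyManagerFactory.init)`.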
@@ -73,4 +73,19 @@ public class TlsConfigurationImpl implements TlsConfiguration {
     public PathType getTlsTruststorePathType() {
         return truststorePathType;
     }
+
+    @Override
+    public String getKeystorePassword() {
+        return "opendaylight";
+    }
+
+    @Override
+    public String getCertificatePassword() {
+        return "opendaylight";
+    }
+
+    @Override
+    public String getTruststorePassword() {
+        return "opendaylight";
+    }
 }
diff --git a/openflow-protocol-impl/src/main/java/org/opendaylight/openflowjava/protocol/impl/core/SslContextFactory.java b/openflow-protocol-impl/src/main/java/org/opendaylight/openflowjava/protocol/impl/core/SslContextFactory.java
index 8deb4aa0..965cab3d 100644
--- a/openflow-protocol-impl/src/main/java/org/opendaylight/openflowjava/protocol/impl/core/SslContextFactory.java
+++ b/openflow-protocol-impl/src/main/java/org/opendaylight/openflowjava/protocol/impl/core/SslContextFactory.java
@@ -19,8 +19,6 @@ import javax.net.ssl.SSLContext;
 import javax.net.ssl.TrustManagerFactory;
 import org.opendaylight.openflowjava.protocol.api.connection.TlsConfiguration;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.openflow.config.rev140630.KeystoreType;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.openflow.config.rev140630.PathType;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -34,12 +32,7 @@ public class SslContextFactory {
     // "TLS" - supports some version of TLS
     // Use "TLSv1", "TLSv1.1", "TLSv1.2" for specific TLS version
     private static final String PROTOCOL = "TLS";
-    private String keystore;
-    private KeystoreType keystoreType;
-    private String truststore;
-    private KeystoreType truststoreType;
-    private PathType keystorePathType;
-    private PathType truststorePathType;
+    private TlsConfiguration tlsConfig;
     private static final Logger LOGGER = LoggerFactory
             .getLogger(SslContextFactory.class);
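Review bot: `TlsConfigurationImpl` still returns the literal `"opendaylight"` from all three new getters and lives under `src/main/java` of the API module, so the well-known default credential this commit sets out to remove still ships in the runtime artifact; the "used only for testing purposes" Javadoc does not prevent a consumer from wiring this class into a production connection. If it is test-only, move it to `src/test` or a test-support module; if it has to stay, at least collapse the three literals into one `private static final String TEST_PASSWORD = "opendaylight";` and state in the class Javadoc that it must never back a production listener. The rest of the class body is outside the hunk.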
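Review bot: `private TlsConfiguration tlsConfig;` is only ever assigned in the constructor (next hunk), so it should be declared `private final TlsConfiguration tlsConfig;`. Holding the configuration object instead of copying its six values also means the keystore locations, types and passwords are now read lazily, when getServerContext() runs, rather than at construction time; that is fine but it is a behaviour change if the TlsConfiguration passed in is mutable, and deserves a field comment such as `// read lazily in getServerContext(); not copied at construction`. The class continues outside the hunk.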
@@ -50,12 +43,7 @@ public class SslContextFactory {
      * keystore types
      */
     public SslContextFactory(TlsConfiguration tlsConfig) {
-        keystore = tlsConfig.getTlsKeystore();
-        keystoreType = tlsConfig.getTlsKeystoreType();
-        keystorePathType = tlsConfig.getTlsKeystorePathType();
-        truststore = tlsConfig.getTlsTruststore();
-        truststoreType = tlsConfig.getTlsTruststoreType();
-        truststorePathType = tlsConfig.getTlsTruststorePathType();
+        this.tlsConfig = tlsConfig;
     }
     /**
@@ -69,15 +57,15 @@ public class SslContextFactory {
         }
         SSLContext serverContext = null;
         try {
-            KeyStore ks = KeyStore.getInstance(keystoreType.name());
-            ks.load(SslKeyStore.asInputStream(keystore, keystorePathType),
-                    SslKeyStore.getKeyStorePassword());
+            KeyStore ks = KeyStore.getInstance(tlsConfig.getTlsKeystoreType().name());
+            ks.load(SslKeyStore.asInputStream(tlsConfig.getTlsKeystore(), tlsConfig.getTlsKeystorePathType()),
+                    tlsConfig.getKeystorePassword().toCharArray());
             KeyManagerFactory kmf = KeyManagerFactory.getInstance(algorithm);
-            kmf.init(ks, SslKeyStore.getCertificatePassword());
+            kmf.init(ks, tlsConfig.getCertificatePassword().toCharArray());
-            KeyStore ts = KeyStore.getInstance(truststoreType.name());
-            ts.load(SslKeyStore.asInputStream(truststore, truststorePathType),
-                    SslKeyStore.getKeyStorePassword());
+            KeyStore ts = KeyStore.getInstance(tlsConfig.getTlsTruststoreType().name());
+            ts.load(SslKeyStore.asInputStream(tlsConfig.getTlsTruststore(), tlsConfig.getTlsTruststorePathType()),
+                    tlsConfig.getTruststorePassword().toCharArray());
             TrustManagerFactory tmf = TrustManagerFactory.getInstance(algorithm);
             tmf.init(ts);
diff --git a/openflow-protocol-impl/src/main/java/org/opendaylight/openflowjava/protocol/impl/core/SslKeyStore.java b/openflow-protocol-impl/src/main/java/org/opendaylight/openflowjava/protocol/impl/core/SslKeyStore.java
index b5fdab1a..25c2e0b2 100644
--- a/openflow-protocol-impl/src/main/java/org/opendaylight/openflowjava/protocol/impl/core/SslKeyStore.java
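Review bot: With `this.tlsConfig = tlsConfig;` the constructor no longer touches the configuration, so a null `tlsConfig` is not rejected here as it implicitly was before (the removed lines dereferenced it on the spot) and only surfaces later, inside getServerContext(). `this.tlsConfig = Objects.requireNonNull(tlsConfig, "tlsConfig");` keeps the fail-fast behaviour; if `java.util.Objects` is not already imported (the import block is outside this hunk) a plain `if (tlsConfig == null) { throw new IllegalArgumentException("tlsConfig"); }` does the same. The constructor's Javadoc starts outside the hunk and should mention that the configuration is retained by reference.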
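Review bot: The new `ks.load(...)`, `kmf.init(...)` and `ts.load(...)` lines call `.toCharArray()` on the three password getters unconditionally, so a configuration with any password absent fails with a message-less NullPointerException inside the try (the catch that handles it lies outside the hunk), and the `char[]` copies handed to the JDK are never zeroed afterwards; the `InputStream` returned by `SslKeyStore.asInputStream` on these lines is not closed either. I would check each password up front with a message naming the missing configuration leaf, wrap the stream in try-with-resources if the module targets Java 7 or later, and `Arrays.fill` each array once the call that consumes it returns — this needs `java.util.Arrays` and `java.io.InputStream` imported. For the truststore, `KeyStore.load` accepts a null password (it then skips the integrity check), so that one could reasonably stay optional rather than being required. getServerContext() starts and ends outside the hunk; the keystore part would look like the excerpt below, with the truststore following the same pattern.
```java
            KeyStore ks = KeyStore.getInstance(tlsConfig.getTlsKeystoreType().name());
            char[] keystorePassword = requirePassword(tlsConfig.getKeystorePassword(), "keystore-password");
            try (InputStream ksIn = SslKeyStore.asInputStream(tlsConfig.getTlsKeystore(), tlsConfig.getTlsKeystorePathType())) {
                ks.load(ksIn, keystorePassword);
            } finally {
                Arrays.fill(keystorePassword, '\0'); // do not leave the copy lying in the heap
            }
            // … unchanged: KeyManagerFactory setup, then the same pattern for the truststore …

    /** Converts a configured password to char[], rejecting a missing one with a message naming the leaf. */
    private static char[] requirePassword(String password, String leafName) {
        if (password == null) {
            throw new IllegalStateException(leafName + " must be set when TLS is enabled");
        }
        return password.toCharArray();
    }
```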
+++ b/openflow-protocol-impl/src/main/java/org/opendaylight/openflowjava/protocol/impl/core/SslKeyStore.java
@@ -59,18 +59,4 @@ public final class SslKeyStore {
         }
         return in;
     }
-
-    /**
-     * @return certificate password as char[]
-     */
-    public static char[] getCertificatePassword() {
-        return "opendaylight".toCharArray();
-    }
-
-    /**
-     * @return KeyStore password as char[]
-     */
-    public static char[] getKeyStorePassword() {
-        return "opendaylight".toCharArray();
-    }
 }
diff --git a/openflow-protocol-impl/src/main/java/org/opendaylight/yang/gen/v1/urn/opendaylight/params/xml/ns/yang/openflow/_switch/connection/provider/impl/rev140328/SwitchConnectionProviderModule.java b/openflow-protocol-impl/src/main/java/org/opendaylight/yang/gen/v1/urn/opendaylight/params/xml/ns/yang/openflow/_switch/connection/provider/impl/rev140328/SwitchConnectionProviderModule.java
index bf8c600f..04d16aab 100644
--- a/openflow-protocol-impl/src/main/java/org/opendaylight/yang/gen/v1/urn/opendaylight/params/xml/ns/yang/openflow/_switch/connection/provider/impl/rev140328/SwitchConnectionProviderModule.java
+++ b/openflow-protocol-impl/src/main/java/org/opendaylight/yang/gen/v1/urn/opendaylight/params/xml/ns/yang/openflow/_switch/connection/provider/impl/rev140328/SwitchConnectionProviderModule.java
@@ -122,6 +122,18 @@ public final class SwitchConnectionProviderModule extends org.opendaylight.yang.
             public org.opendaylight.yang.gen.v1.urn.opendaylight.openflow.config.rev140630.PathType getTlsTruststorePathType() {
                 return Objects.firstNonNull(tlsConfig.getTruststorePathType(), null);
             }
+            @Override
+            public String getKeystorePassword() {
+                return Objects.firstNonNull(tlsConfig.getKeystorePassword(), null);
+            }
+            @Override
+            public String getCertificatePassword() {
+                return Objects.firstNonNull(tlsConfig.getCertificatePassword(), null);
+            }
+            @Override
+            public String getTruststorePassword() {
+                return Objects.firstNonNull(tlsConfig.getTruststorePassword(), null);
+            }
         };
     }
     @Override
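Review bot: `Objects.firstNonNull(tlsConfig.getKeystorePassword(), null)` and the two lines below it cannot substitute a default because the second argument is itself null; if this is Guava's `Objects.firstNonNull` (java.util.Objects has no such method), it throws a NullPointerException without a message when both arguments are null, so leaving `keystore-password`, `certificate-password` or `truststore-password` unset — all three yang leaves are optional with no default — makes the module fail with no hint of which leaf is missing. The wrapper mirrors the existing getters above it, but for the new password leaves a check with a useful message would serve operators better, e.g. `if (tlsConfig.getKeystorePassword() == null) { throw new IllegalStateException("keystore-password is required when tls is configured"); }` followed by a plain `return tlsConfig.getKeystorePassword();`. The anonymous TlsConfiguration and the method that builds it start outside the hunk.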
diff --git a/openflow-protocol-impl/src/main/yang/openflow-switch-connection-provider-impl.yang b/openflow-protocol-impl/src/main/yang/openflow-switch-connection-provider-impl.yang
index 0abc830a..fe19560c 100644
--- a/openflow-protocol-impl/src/main/yang/openflow-switch-connection-provider-impl.yang
+++ b/openflow-protocol-impl/src/main/yang/openflow-switch-connection-provider-impl.yang
@@ -51,9 +51,17 @@ module openflow-switch-connection-provider-impl {
                     type of-config:keystore-type;
                 }
                 leaf keystore-path-type {
-                    description "keystore path type (classpath or path)";
+                    description "keystore path type (CLASSPATH or PATH)";
                     type of-config:path-type;
                 }
+                leaf keystore-password {
+                    description "password protecting keystore";
+                    type string;
+                }
+                leaf certificate-password {
+                    description "password protecting certificate";
+                    type string;
+                }
                 leaf truststore {
                     description "truststore location";
                     type string;
@@ -63,9 +71,13 @@ module openflow-switch-connection-provider-impl {
                     type of-config:keystore-type;
                 }
                 leaf truststore-path-type {
-                    description "truststore path type (classpath or path)";
+                    description "truststore path type (CLASSPATH or PATH)";
                     type of-config:path-type;
                 }
+                leaf truststore-password {
+                    description "password protecting truststore";
+                    type string;
+                }
             }
         }
     }
diff --git a/openflow-protocol-impl/src/test/java/org/opendaylight/openflowjava/protocol/impl/core/SslKeyStoreTest.java b/openflow-protocol-impl/src/test/java/org/opendaylight/openflowjava/protocol/impl/core/SslKeyStoreTest.java
index c75fdee9..ca6826f0 100644
--- a/openflow-protocol-impl/src/test/java/org/opendaylight/openflowjava/protocol/impl/core/SslKeyStoreTest.java
+++ b/openflow-protocol-impl/src/test/java/org/opendaylight/openflowjava/protocol/impl/core/SslKeyStoreTest.java
@@ -9,7 +9,6 @@ package org.opendaylight.openflowjava.protocol.impl.core;
 import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertTrue;
 import java.io.InputStream;
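Review bot: The new `keystore-password` and `certificate-password` leaves are plain `type string` and their descriptions do not say they are secrets, so nothing tells an operator that the values sit in clear text in the configuration datastore (and in any config export) next to the keystore paths. I would say so in the description, e.g. `description "Password protecting the keystore. Stored in clear text in the configuration; restrict read access to the config datastore and files accordingly";`. `certificate-password` is also mislabelled: SslContextFactory passes it to `KeyManagerFactory.init`, i.e. it is the password of the private-key entry in the keystore rather than of a certificate, so `description "password protecting the private key entry in the keystore (used for KeyManagerFactory.init)";` would be accurate. The same clear-text caveat applies to `truststore-password` in the next hunk.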
@@ -53,24 +52,4 @@ public class SslKeyStoreTest {
         assertNotNull( inputStream );
         inputStream.close();
     }
-
-    /**
-     * Test certificate password retrieval
-     */
-    @Test
-    public void testGetCertificatePassword() {
-        char[] password = SslKeyStore.getCertificatePassword();
-        assertNotNull(password);
-        assertTrue (password.length>0) ;
-    }
-
-    /**
-     * Test keystore password retrieval
-     */
-    @Test
-    public void testGetKeyStorePassword() {
-        char[] password = SslKeyStore.getKeyStorePassword() ;
-        assertNotNull(password);
-        assertTrue (password.length>0) ;
-    }
-}
\ No newline at end of file
+}
-- 
2.36.6