From 9ffed3dbbbfa36b4d8db8a867cc429a3c7e313eb Mon Sep 17 00:00:00 2001
From: Scott Frederick
Date: Wed, 31 May 2017 17:14:36 -0500
Subject: [PATCH] Remove mutual TLS configuration, in favor of the Cloud Foundry Java Buildpack's container security provider support.
---
 spring-credhub-core/pom.xml | 5 -
 .../ClientHttpRequestFactoryFactory.java | 38 +--
 .../configuration/CredHubConfiguration.java | 20 +-
 .../credhub/support/SslConfiguration.java | 183 ------------------
 .../ClientHttpRequestFactoryFactoryTests.java | 6 +-
 spring-credhub-dependencies/pom.xml | 8 -
 6 files changed, 8 insertions(+), 252 deletions(-)
 delete mode 100644 spring-credhub-core/src/main/java/org/springframework/credhub/support/SslConfiguration.java
diff --git a/spring-credhub-core/pom.xml b/spring-credhub-core/pom.xml
index e0b050e..dfcbb84 100644
--- a/spring-credhub-core/pom.xml
+++ b/spring-credhub-core/pom.xml
@@ -39,11 +39,6 @@ httpclient true - - - org.bouncycastle - bcpkix-jdk15on - org.springframework
diff --git a/spring-credhub-core/src/main/java/org/springframework/credhub/configuration/ClientHttpRequestFactoryFactory.java b/spring-credhub-core/src/main/java/org/springframework/credhub/configuration/ClientHttpRequestFactoryFactory.java
index 07887dd..5225b55 100644
--- a/spring-credhub-core/src/main/java/org/springframework/credhub/configuration/ClientHttpRequestFactoryFactory.java
+++ b/spring-credhub-core/src/main/java/org/springframework/credhub/configuration/ClientHttpRequestFactoryFactory.java
@@ -19,17 +19,11 @@ package org.springframework.credhub.configuration;
 import java.io.IOException;
 import java.security.GeneralSecurityException;
-import javax.net.ssl.SSLContext;
-
 import org.apache.http.client.config.RequestConfig;
-import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
-import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
 import org.apache.http.impl.client.HttpClientBuilder;
 import org.apache.http.impl.client.HttpClients;
-import org.apache.http.ssl.SSLContexts;
 import org.springframework.credhub.support.ClientOptions;
-import org.springframework.credhub.support.SslConfiguration;
 import org.springframework.http.client.ClientHttpRequestFactory;
 import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
 import org.springframework.util.Assert;
@@ -50,23 +44,19 @@ public class ClientHttpRequestFactoryFactory {
             ClientHttpRequestFactoryFactory.class.getClassLoader());
     /**
-     * Create a {@link ClientHttpRequestFactory} for the given {@link ClientOptions} and
-     * {@link SslConfiguration}.
+     * Create a {@link ClientHttpRequestFactory} for the given {@link ClientOptions}.
      *
      * @param options must not be {@literal null}
-     * @param sslConfiguration must not be {@literal null}
      * @return a new {@link ClientHttpRequestFactory}. Lifecycle beans must be initialized
      * after obtaining.
      */
-    public static ClientHttpRequestFactory create(ClientOptions options,
-            SslConfiguration sslConfiguration) {
+    public static ClientHttpRequestFactory create(ClientOptions options) {
         Assert.notNull(options, "ClientOptions must not be null");
-        Assert.notNull(sslConfiguration, "SslConfiguration must not be null");
         try {
             if (HTTP_COMPONENTS_PRESENT) {
-                return HttpComponents.usingHttpComponents(options, sslConfiguration);
+                return HttpComponents.usingHttpComponents(options);
             }
         }
         catch (GeneralSecurityException e) {
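Review bot: With the `sslConfiguration` parameter gone, the Javadoc on `create` no longer says where TLS comes from, so a caller cannot tell from this method that server trust and any client certificate for mutual TLS are now expected from the JVM default `SSLContext` rather than from CredHub-specific configuration; the commit message names the Java Buildpack's container security provider, but the code does not. I would add to the Javadoc after its first sentence: `* No TLS material is configured here: the factory relies on the JVM default SSLContext, so server trust and the client certificate for mutual TLS must be supplied by the runtime (on Cloud Foundry, the Java Buildpack's container security provider).` The `catch (GeneralSecurityException e)` on the hunk's last line now guards a call that no longer loads key or trust material, so its body is presumably unreachable; that body and the rest of `create` lie outside the hunk.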
@@ -79,36 +69,16 @@ public class ClientHttpRequestFactoryFactory {
         throw new IllegalStateException("Only Apache HTTP Components is supported.");
     }
-    private static boolean hasSslConfiguration(SslConfiguration sslConfiguration) {
-        return sslConfiguration.getTrustStore() != null
-                || sslConfiguration.getKeyStore() != null;
-    }
-
     /**
      * {@link ClientHttpRequestFactory} for Apache HttpComponents.
      */
     static class HttpComponents {
-        static ClientHttpRequestFactory usingHttpComponents(ClientOptions options,
-                SslConfiguration sslConfiguration)
+        static ClientHttpRequestFactory usingHttpComponents(ClientOptions options)
                 throws GeneralSecurityException, IOException {
             HttpClientBuilder httpClientBuilder = HttpClients.custom();
-            if (hasSslConfiguration(sslConfiguration)) {
-                SSLContext sslContext = SSLContexts.custom()
-                        .loadTrustMaterial(sslConfiguration.getKeyStore(),
-                                new TrustSelfSignedStrategy())
-                        .loadKeyMaterial(sslConfiguration.getTrustStore(),
-                                sslConfiguration.getKeyPassword())
-                        .build();
-
-                SSLConnectionSocketFactory sslSocketFactory = new SSLConnectionSocketFactory(
-                        sslContext);
-                httpClientBuilder.setSSLSocketFactory(sslSocketFactory);
-                httpClientBuilder.setSSLContext(sslContext);
-            }
-
             RequestConfig requestConfig = RequestConfig.custom()
                     .setConnectTimeout(options.getConnectionTimeout())
                     .setSocketTimeout(options.getReadTimeout())
diff --git a/spring-credhub-core/src/main/java/org/springframework/credhub/configuration/CredHubConfiguration.java b/spring-credhub-core/src/main/java/org/springframework/credhub/configuration/CredHubConfiguration.java
index 5717816..4e5edd5 100644
--- a/spring-credhub-core/src/main/java/org/springframework/credhub/configuration/CredHubConfiguration.java
+++ b/spring-credhub-core/src/main/java/org/springframework/credhub/configuration/CredHubConfiguration.java
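Review bot: `usingHttpComponents` keeps `throws GeneralSecurityException, IOException` although, as far as the hunk shows, the only code that could throw either — the `SSLContexts` builder — is removed here and the remaining body just calls `HttpClients.custom()` and builds a `RequestConfig`; the clause looks dead and forces callers to keep a catch for an exception that can no longer occur. I would change the signature to `static ClientHttpRequestFactory usingHttpComponents(ClientOptions options) {` after checking the part of the body past the hunk. Because no `SSLContext` or `SSLConnectionSocketFactory` is set on the builder any more, the client presumably falls back to the JVM default TLS settings — a stricter posture than the removed `TrustSelfSignedStrategy`, but one where mutual TLS to CredHub only works if the runtime installs the instance identity into the default key manager; worth a comment above `HttpClients.custom()`: `// No TLS material is set here: server trust and the client certificate come from the JVM default SSLContext (on Cloud Foundry, the Java Buildpack's container security provider).` The method body continues past the end of the hunk.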
@@ -24,7 +24,6 @@ import org.springframework.credhub.core.CloudFoundryAppInstanceProperties;
 import org.springframework.credhub.core.CredHubProperties;
 import org.springframework.credhub.core.CredHubTemplate;
 import org.springframework.credhub.support.ClientOptions;
-import org.springframework.credhub.support.SslConfiguration;
 import org.springframework.http.client.ClientHttpRequestFactory;
 /**
@@ -84,18 +83,17 @@ public class CredHubConfiguration {
      * Create a {@link ClientFactoryWrapper} containing a
      * {@link ClientHttpRequestFactory}. {@link ClientHttpRequestFactory} is not exposed
      * as root bean because {@link ClientHttpRequestFactory} is configured with
-     * {@link ClientOptions} and {@link SslConfiguration} which are not necessarily
+     * {@link ClientOptions} which are not necessarily
      * applicable for the whole application.
      *
      * @return the {@link ClientFactoryWrapper} to wrap a {@link ClientHttpRequestFactory}
      * instance.
      * @see #clientOptions()
-     * @see #sslConfiguration()
      */
     @Bean
     public ClientFactoryWrapper clientHttpRequestFactoryWrapper() {
         ClientHttpRequestFactory clientHttpRequestFactory =
-                ClientHttpRequestFactoryFactory.create(clientOptions(), sslConfiguration());
+                ClientHttpRequestFactoryFactory.create(clientOptions());
         return new ClientFactoryWrapper(clientHttpRequestFactory);
     }
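Review bot: The Javadoc on `clientHttpRequestFactoryWrapper` now reads `{@link ClientOptions} which are not necessarily applicable for the whole application`, a plural verb left over from the removed second subject, and it no longer tells a reader that this bean applies no TLS settings at all, which for anyone configuring the CredHub client is the main effect of this change. I would reword the two lines to `{@link ClientOptions} which is specific to the CredHub client and not necessarily` / `applicable to the whole application; no TLS settings are applied here (as far as this diff shows, TLS comes from the JVM default SSLContext).` The `@Bean` method itself is fully visible in the hunk and is otherwise fine.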
@@ -108,20 +106,6 @@ public class CredHubConfiguration {
         return new ClientOptions();
     }
-    /**
-     * Create the default {@link SslConfiguration} to configure SSL context parameters.
-     * The default configuration uses a certificate and key supplied in the application
-     * container to configure mutual SSL authentication between the client application
-     * and the CredHub server.
-     *
-     * @return the default {@link SslConfiguration}
-     */
-    private SslConfiguration sslConfiguration() {
-        CloudFoundryAppInstanceProperties properties = cloudFoundryAppInstanceProperties();
-        return SslConfiguration.forContainerCert(properties.getInstanceCertLocation(),
-                properties.getInstanceKeyLocation());
-    }
-
     /**
      * Wrapper for {@link ClientHttpRequestFactory} to not expose the bean globally.
      */
diff --git a/spring-credhub-core/src/main/java/org/springframework/credhub/support/SslConfiguration.java b/spring-credhub-core/src/main/java/org/springframework/credhub/support/SslConfiguration.java
deleted file mode 100644
index 3a02a6a..0000000
--- a/spring-credhub-core/src/main/java/org/springframework/credhub/support/SslConfiguration.java
+++ /dev/null
@@ -1,183 +0,0 @@
-/*
- * Copyright 2016-2017 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.credhub.support;
-
-import java.io.FileReader;
-import java.security.KeyStore;
-import java.security.PrivateKey;
-import java.security.cert.Certificate;
-
-import org.bouncycastle.cert.X509CertificateHolder;
-import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
-import org.bouncycastle.openssl.PEMKeyPair;
-import org.bouncycastle.openssl.PEMParser;
-import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
-
-/**
- * Client configuration for SSL connectivity.
- */
-public class SslConfiguration {
-    private static final char[] KEY_PASSWORD = "keystore".toCharArray();
-    private static final String CERTIFICATE_NAME = "credhub-cert";
-    private static final String KEY_NAME = "credhub-key";
-
-    private KeyStore trustStore;
-    private KeyStore keyStore;
-
-    /**
-     * Create an empty {@link SslConfiguration}. Intended for internal use.
-     */
-    public SslConfiguration() {
-    }
-
-    /**
-     * Create an {@link SslConfiguration} that uses a certificate and private key that
-     * have been placed in a Cloud Foundry application container for use with mutual SSL
-     * authentication to CredHub.
-     *
-     * @param instanceCertLocation the absolute path of the certificate file in the app
-     * instance container
-     * @param instanceKeyLocation the absolute path of the private key file in the app
-     * instance container
-     * @return the {@link SslConfiguration} configured to use the container certificate
-     * and private key
-     */
-    public static SslConfiguration forContainerCert(String instanceCertLocation,
-            String instanceKeyLocation) {
-        SslConfiguration sslConfiguration = new SslConfiguration();
-        KeyStore keyStore = sslConfiguration.buildKeyStore(instanceCertLocation,
-                instanceKeyLocation);
-        sslConfiguration.setKeyStore(keyStore);
-        sslConfiguration.setTrustStore(keyStore);
-        return sslConfiguration;
-    }
-
-    /**
-     * Get the {@link KeyStore key store} resource used to configure the SSL context.
-     *
-     * @return the key store
-     */
-    public KeyStore getKeyStore() {
-        return keyStore;
-    }
-
-    private void setKeyStore(KeyStore keyStore) {
-        this.keyStore = keyStore;
-    }
-
-    /**
-     * Get the {@link KeyStore trust store} resource used to configure the SSL context.
-     *
-     * @return the trust store
-     */
-    public KeyStore getTrustStore() {
-        return trustStore;
-    }
-
-    private void setTrustStore(KeyStore keyStore) {
-        this.trustStore = keyStore;
-    }
-
-    /**
-     * Get the password used to secure the generated key store.
-     *
-     * @return they key store password
-     */
-    public char[] getKeyPassword() {
-        return KEY_PASSWORD;
-    }
-
-    /**
-     * Build a {@link KeyStore} using the container certificate and private key.
-     *
-     * @param instanceCertLocation the absolute path of the certificate file in the app
-     * instance container
-     * @param instanceKeyLocation the absolute path of the private key file in the app
-     * instance container
-     * @return the created key store
-     */
-    private KeyStore buildKeyStore(String instanceCertLocation,
-            String instanceKeyLocation) {
-        Certificate cert = parseCertificate(instanceCertLocation);
-        PrivateKey key = parsePrivateKey(instanceKeyLocation);
-        return createKeyStore(cert, key);
-    }
-
-    /**
-     * Parse a PEM-formatted certificate and convert to a {@link Certificate}.
-     *
-     * @param certificateLocation the absolute path of the certificate file in the app
-     * instance container
-     * @return the created {@link Certificate}
-     */
-    private Certificate parseCertificate(String certificateLocation) {
-        try {
-            PEMParser parser = new PEMParser(new FileReader(certificateLocation));
-            X509CertificateHolder certHolder =
-                    (X509CertificateHolder) parser.readObject();
-            JcaX509CertificateConverter converter = new JcaX509CertificateConverter();
-            return converter.getCertificate(certHolder);
-        }
-        catch (Exception e) {
-            throw new IllegalArgumentException(
-                    "Error parsing and loading certificate from location "
-                            + certificateLocation,
-                    e);
-        }
-    }
-
-    /**
-     * Parse a PEM-formatted key and convert to a {@link PrivateKey}.
-     *
-     * @param keyLocation the absolute path of the key file in the app
-     * instance container
-     * @return the created {@link PrivateKey}
-     */
-    private PrivateKey parsePrivateKey(String keyLocation) {
-        try {
-            PEMParser reader = new PEMParser(new FileReader(keyLocation));
-            PEMKeyPair key = (PEMKeyPair) reader.readObject();
-            JcaPEMKeyConverter converter = new JcaPEMKeyConverter();
-            return converter.getKeyPair(key).getPrivate();
-        }
-        catch (Exception e) {
-            throw new IllegalArgumentException(
-                    "Error parsing and loading private key from location " + keyLocation,
-                    e);
-        }
-    }
-
-    /**
-     * Create a {@link KeyStore} from the provided certificate and private key.
-     *
-     * @param cert the certifcate to add to the key store
-     * @param key the private key to add to the key store
-     * @return the created {@link KeyStore}
-     */
-    private KeyStore createKeyStore(Certificate cert, PrivateKey key) {
-        try {
-            KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
-            keystore.load(null);
-            keystore.setCertificateEntry(CERTIFICATE_NAME, cert);
-            keystore.setKeyEntry(KEY_NAME, key, KEY_PASSWORD, new Certificate[] { cert });
-            return keystore;
-        }
-        catch (Exception e) {
-            throw new IllegalArgumentException("Error creating keystore ", e);
-        }
-    }
-}
diff --git a/spring-credhub-core/src/test/java/org/springframework/credhub/configuration/ClientHttpRequestFactoryFactoryTests.java b/spring-credhub-core/src/test/java/org/springframework/credhub/configuration/ClientHttpRequestFactoryFactoryTests.java
index 9976993..851af2c 100644
--- a/spring-credhub-core/src/test/java/org/springframework/credhub/configuration/ClientHttpRequestFactoryFactoryTests.java
+++ b/spring-credhub-core/src/test/java/org/springframework/credhub/configuration/ClientHttpRequestFactoryFactoryTests.java
@@ -22,21 +22,19 @@ import org.junit.Test;
 import org.springframework.beans.factory.DisposableBean;
 import org.springframework.credhub.support.ClientOptions;
-import org.springframework.credhub.support.SslConfiguration;
 import org.springframework.http.client.ClientHttpRequestFactory;
 import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
 import static org.hamcrest.Matchers.instanceOf;
 import static org.junit.Assert.assertThat;
+import static org.springframework.credhub.configuration.ClientHttpRequestFactoryFactory.HttpComponents.usingHttpComponents;
 public class ClientHttpRequestFactoryFactoryTests {
     @Test
     public void httpComponentsClientCreated() throws Exception {
-        ClientHttpRequestFactory factory =
-                ClientHttpRequestFactoryFactory.HttpComponents.usingHttpComponents(
-                        new ClientOptions(), new SslConfiguration());
+        ClientHttpRequestFactory factory = usingHttpComponents(new ClientOptions());
         assertThat(factory, instanceOf(HttpComponentsClientHttpRequestFactory.class));
diff --git a/spring-credhub-dependencies/pom.xml b/spring-credhub-dependencies/pom.xml
index efcb7d1..c8ad599 100644
--- a/spring-credhub-dependencies/pom.xml
+++ b/spring-credhub-dependencies/pom.xml
@@ -55,7 +55,6 @@ 2.8.7 4.5.3 - 1.56
@@ -88,13 +87,6 @@ - - - org.bouncycastle - bcpkix-jdk15on - ${bouncycastle.version} - -