#3204 - Adding keypass to SSL configuration
This commit is contained in:
Viktor Klang
parent
fdf6df7254
commit
ad2e3c5e37
9 changed files with 27 additions and 13 deletions
|
|
@ -329,6 +329,7 @@ An example of setting up the default Netty based SSL driver as default::
|
|||
key-store = "mykeystore"
|
||||
trust-store = "mytruststore"
|
||||
key-store-password = "changeme"
|
||||
key-password = "changeme"
|
||||
trust-store-password = "changeme"
|
||||
protocol = "TLSv1"
|
||||
random-number-generator = "AES128CounterSecureRNG"
|
||||
|
|
|
|||
|
|
@ -331,6 +331,7 @@ An example of setting up the default Netty based SSL driver as default::
|
|||
key-store = "mykeystore"
|
||||
trust-store = "mytruststore"
|
||||
key-store-password = "changeme"
|
||||
key-password = "changeme"
|
||||
trust-store-password = "changeme"
|
||||
protocol = "TLSv1"
|
||||
random-number-generator = "AES128CounterSecureRNG"
|
||||
|
|
|
|||
|
|
@ -323,6 +323,9 @@ akka {
|
|||
# This password is used for decrypting the key store
|
||||
key-store-password = "changeme"
|
||||
|
||||
# This password is used for decrypting the key
|
||||
key-password = "changeme"
|
||||
|
||||
# This is the Java Key Store used by the client connection
|
||||
trust-store = "truststore"
|
||||
|
||||
|
|
|
|||
|
|
@ -23,17 +23,20 @@ private[akka] class SSLSettings(config: Config) {
|
|||
|
||||
import config._
|
||||
|
||||
val SSLKeyStore = Option(getString("key-store")).filter(_.length > 0)
|
||||
val SSLTrustStore = Option(getString("trust-store")).filter(_.length > 0)
|
||||
val SSLKeyStorePassword = Option(getString("key-store-password")).filter(_.length > 0)
|
||||
private def emptyIsNone(s: String): Option[String] = Option(s).filter(_.length > 0)
|
||||
|
||||
val SSLTrustStorePassword = Option(getString("trust-store-password")).filter(_.length > 0)
|
||||
val SSLKeyStore = emptyIsNone(getString("key-store"))
|
||||
val SSLTrustStore = emptyIsNone(getString("trust-store"))
|
||||
val SSLKeyStorePassword = emptyIsNone(getString("key-store-password"))
|
||||
val SSLKeyPassword = emptyIsNone(getString("key-password"))
|
||||
|
||||
val SSLTrustStorePassword = emptyIsNone(getString("trust-store-password"))
|
||||
|
||||
val SSLEnabledAlgorithms = immutableSeq(getStringList("enabled-algorithms")).to[Set]
|
||||
|
||||
val SSLProtocol = Option(getString("protocol")).filter(_.length > 0)
|
||||
val SSLProtocol = emptyIsNone(getString("protocol"))
|
||||
|
||||
val SSLRandomNumberGenerator = Option(getString("random-number-generator")).filter(_.length > 0)
|
||||
val SSLRandomNumberGenerator = emptyIsNone(getString("random-number-generator"))
|
||||
|
||||
// FIXME: Change messages to reflect new configuration
|
||||
if (SSLProtocol.isEmpty) throw new ConfigurationException(
|
||||
|
|
@ -42,6 +45,8 @@ private[akka] class SSLSettings(config: Config) {
|
|||
"Configuration option 'akka.remote.netty.ssl.enable-ssl is turned on but no key/trust store is defined in 'akka.remote.netty.ssl.security.key-store' / 'akka.remote.netty.ssl.security.trust-store'.")
|
||||
if (SSLKeyStore.isDefined && SSLKeyStorePassword.isEmpty) throw new ConfigurationException(
|
||||
"Configuration option 'akka.remote.netty.ssl.security.key-store' is defined but no key-store password is defined in 'akka.remote.netty.ssl.security.key-store-password'.")
|
||||
if (SSLKeyStore.isDefined && SSLKeyPassword.isEmpty) throw new ConfigurationException(
|
||||
"Configuration option 'akka.remote.netty.ssl.security.key-store' is defined but no key password is defined in 'akka.remote.netty.ssl.security.key-password'.")
|
||||
if (SSLTrustStore.isDefined && SSLTrustStorePassword.isEmpty) throw new ConfigurationException(
|
||||
"Configuration option 'akka.remote.netty.ssl.security.trust-store' is defined but no trust-store password is defined in 'akka.remote.netty.ssl.security.trust-store-password'.")
|
||||
}
|
||||
|
|
@ -134,7 +139,7 @@ private[akka] object NettySSLSupport {
|
|||
def initializeServerSSL(settings: SSLSettings, log: LoggingAdapter): SslHandler = {
|
||||
log.debug("Server SSL is enabled, initialising ...")
|
||||
|
||||
def constructServerContext(settings: SSLSettings, log: LoggingAdapter, keyStorePath: String, keyStorePassword: String, protocol: String): Option[SSLContext] =
|
||||
def constructServerContext(settings: SSLSettings, log: LoggingAdapter, keyStorePath: String, keyStorePassword: String, keyPassword: String, protocol: String): Option[SSLContext] =
|
||||
try {
|
||||
val rng = initializeCustomSecureRandom(settings.SSLRandomNumberGenerator, log)
|
||||
val factory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm)
|
||||
|
|
@ -143,7 +148,7 @@ private[akka] object NettySSLSupport {
|
|||
val fin = new FileInputStream(keyStorePath)
|
||||
try keyStore.load(fin, keyStorePassword.toCharArray) finally Try(fin.close())
|
||||
keyStore
|
||||
}, keyStorePassword.toCharArray)
|
||||
}, keyPassword.toCharArray)
|
||||
|
||||
val trustManagers: Option[Array[TrustManager]] = settings.SSLTrustStore map {
|
||||
path ⇒
|
||||
|
|
@ -164,10 +169,10 @@ private[akka] object NettySSLSupport {
|
|||
case e: GeneralSecurityException ⇒ throw new RemoteTransportException("Server SSL connection could not be established because SSL context could not be constructed", e)
|
||||
}
|
||||
|
||||
((settings.SSLKeyStore, settings.SSLKeyStorePassword, settings.SSLProtocol) match {
|
||||
case (Some(keyStore), Some(password), Some(protocol)) ⇒ constructServerContext(settings, log, keyStore, password, protocol)
|
||||
case (keyStore, password, protocol) ⇒ throw new GeneralSecurityException(
|
||||
"SSL key store settings went missing. [key-store: %s] [key-store-password: %s] [protocol: %s]".format(keyStore, password, protocol))
|
||||
((settings.SSLKeyStore, settings.SSLKeyStorePassword, settings.SSLKeyPassword, settings.SSLProtocol) match {
|
||||
case (Some(keyStore), Some(storePassword), Some(keyPassword), Some(protocol)) ⇒ constructServerContext(settings, log, keyStore, storePassword, keyPassword, protocol)
|
||||
case (keyStore, storePassword, keyPassword, protocol) ⇒ throw new GeneralSecurityException(
|
||||
s"SSL key store settings went missing. [key-store: $keyStore] [key-store-password: $storePassword] [key-password: $keyPassword] [protocol: $protocol]")
|
||||
}) match {
|
||||
case Some(context) ⇒
|
||||
log.debug("Using server SSL context to create SSLEngine ...")
|
||||
|
|
|
|||
|
|
@ -91,6 +91,7 @@ class RemoteConfigSpec extends AkkaSpec(
|
|||
val sslSettings = new SSLSettings(system.settings.config.getConfig("akka.remote.netty.ssl.security"))
|
||||
sslSettings.SSLKeyStore must be(Some("keystore"))
|
||||
sslSettings.SSLKeyStorePassword must be(Some("changeme"))
|
||||
sslSettings.SSLKeyPassword must be(Some("changeme"))
|
||||
sslSettings.SSLTrustStore must be(Some("truststore"))
|
||||
sslSettings.SSLTrustStorePassword must be(Some("changeme"))
|
||||
sslSettings.SSLProtocol must be(Some("TLSv1"))
|
||||
|
|
|
|||
|
|
@ -61,6 +61,7 @@ object RemotingSpec {
|
|||
key-store = "${getClass.getClassLoader.getResource("keystore").getPath}"
|
||||
trust-store = "${getClass.getClassLoader.getResource("truststore").getPath}"
|
||||
key-store-password = "changeme"
|
||||
key-password = "changeme"
|
||||
trust-store-password = "changeme"
|
||||
protocol = "TLSv1"
|
||||
random-number-generator = "AES128CounterSecureRNG"
|
||||
|
|
|
|||
|
|
@ -44,6 +44,7 @@ object Configuration {
|
|||
trust-store = "%s"
|
||||
key-store = "%s"
|
||||
key-store-password = "changeme"
|
||||
key-password = "changeme"
|
||||
trust-store-password = "changeme"
|
||||
protocol = "TLSv1"
|
||||
random-number-generator = "%s"
|
||||
|
|
|
|||
|
|
@ -20,6 +20,7 @@ class Ticket1978ConfigSpec extends AkkaSpec("""
|
|||
|
||||
settings.SSLKeyStore must be(Some("keystore"))
|
||||
settings.SSLKeyStorePassword must be(Some("changeme"))
|
||||
settings.SSLKeyPassword must be(Some("changeme"))
|
||||
settings.SSLTrustStore must be(Some("truststore"))
|
||||
settings.SSLTrustStorePassword must be(Some("changeme"))
|
||||
settings.SSLProtocol must be(Some("TLSv1"))
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue