Hot reload for downstream client certificate

Author: dajudge

cautils/src/main/java/com/dajudge/proxybase/ca/selfsign/CertificateAuthority.java

@@ -19,6 +19,7 @@
 
 import com.dajudge.proxybase.ca.Helpers;
 import com.dajudge.proxybase.certs.KeyStoreManager;
+import com.dajudge.proxybase.certs.KeyStoreWrapper;
 
 import java.io.IOException;
 import java.security.*;
@@ -41,8 +42,9 @@ public CertificateAuthority(
 
 
     private PrivateKey caPrivateKey() {
-        final KeyStore keyStore = keyStoreManager.getKeyStore().getKeyStore();
-        final char[] password = keyStoreManager.getKeyStore().getKeyPassword();
+        final KeyStoreWrapper wrapper = keyStoreManager.getKeyStore();
+        final KeyStore keyStore = wrapper.getKeyStore();
+        final char[] password = wrapper.getKeyPassword();
         return loadKey(keyStore, keyAlias, password);
     }
 

proxybase/build.gradle

@@ -10,5 +10,6 @@ dependencies {
     testImplementation 'junit:junit:4.13'
     testImplementation project(":cautils")
     testImplementation project(":testca")
+    testImplementation 'org.mockito:mockito-core:2.23.4'
     testRuntime 'ch.qos.logback:logback-classic:1.2.3'
 }

proxybase/src/main/java/com/dajudge/proxybase/DownstreamChannelFactory.java

@@ -17,6 +17,7 @@
 
 package com.dajudge.proxybase;
 
+import com.dajudge.proxybase.config.Endpoint;
 import io.netty.bootstrap.Bootstrap;
 import io.netty.channel.Channel;
 import io.netty.channel.ChannelInitializer;
@@ -43,6 +44,7 @@ public Channel create(
             final Consumer<SocketChannel> initializer
     ) {
         try {
+            LOG.debug("Creating downstream channel for {}:{}", endpoint.getHost(), endpoint.getPort());
             final Channel channel = new Bootstrap()
                     .group(workerGroup)
                     .channel(NioSocketChannel.class)

proxybase/src/main/java/com/dajudge/proxybase/DownstreamSslHandlerFactory.java

@@ -17,33 +17,51 @@
 
 package com.dajudge.proxybase;
 
+import com.dajudge.proxybase.certs.Filesystem;
 import com.dajudge.proxybase.certs.KeyStoreManager;
+import com.dajudge.proxybase.config.DownstreamSslConfig;
 import io.netty.channel.ChannelHandler;
 import io.netty.handler.ssl.SslHandler;
 
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
-import javax.net.ssl.TrustManager;
 import javax.net.ssl.X509TrustManager;
 import java.security.KeyManagementException;
 import java.security.NoSuchAlgorithmException;
-import java.util.List;
-import java.util.stream.Stream;
+import java.util.Optional;
+import java.util.function.Supplier;
 
+import static com.dajudge.proxybase.HostnameCheck.NULL_VERIFIER;
 import static com.dajudge.proxybase.SslUtils.createKeyManagers;
 import static com.dajudge.proxybase.SslUtils.createTrustManagers;
-import static java.util.stream.Collectors.toList;
+import static com.dajudge.proxybase.certs.ReloadingKeyStoreManager.createReloader;
 
 public class DownstreamSslHandlerFactory {
+    public static ChannelHandler createDownstreamSslHandler(
+            final DownstreamSslConfig config,
+            final String downstreamHostname,
+            final Supplier<Long> clock,
+            final Filesystem filesystem
+            ) {
+        final HostnameCheck hostnameCheck = config.isHostnameVerificationEnabled()
+                ? new HttpClientHostnameCheck(downstreamHostname)
+                : NULL_VERIFIER;
+        return createDownstreamSslHandler(
+                hostnameCheck,
+                createReloader(config.getTrustStore(), clock, filesystem),
+                config.getKeyStore().map(it -> createReloader(it, clock, filesystem))
+        );
+    }
+
     public static ChannelHandler createDownstreamSslHandler(
             final HostnameCheck hostnameCheck,
             final KeyStoreManager trustStoreManager,
-            final KeyStoreManager keyStoreManager
+            final Optional<KeyStoreManager> keyStoreManager
     ) {
         try {
             final SSLContext clientContext = SSLContext.getInstance("TLS");
             final X509TrustManager[] trustManagers = {
-                    new HostCheckingTrustManager(createDefaultTrustManagers(trustStoreManager), hostnameCheck)
+                    new HostCheckingTrustManager(createTrustManagers(trustStoreManager), hostnameCheck)
             };
             clientContext.init(createKeyManagers(keyStoreManager), trustManagers, null);
             final SSLEngine engine = clientContext.createSSLEngine();
@@ -53,9 +71,4 @@ public static ChannelHandler createDownstreamSslHandler(
             throw new RuntimeException("Failed to initialize downstream SSL handler", e);
         }
     }
-
-    private static List<X509TrustManager> createDefaultTrustManagers(final KeyStoreManager trustStoreManager) {
-        return Stream.of((createTrustManagers(trustStoreManager)))
-                .map(it -> (X509TrustManager) it).collect(toList());
-    }
 }

proxybase/src/main/java/com/dajudge/proxybase/HostCheckingTrustManager.java

@@ -22,15 +22,17 @@
 import java.security.cert.X509Certificate;
 import java.util.Collection;
 
+import static java.util.Arrays.asList;
+
 class HostCheckingTrustManager implements X509TrustManager {
     private final Collection<X509TrustManager> nextManagers;
     private final HostnameCheck hostnameCheck;
 
     HostCheckingTrustManager(
-            final Collection<X509TrustManager> nextManagers,
+            final X509TrustManager[] nextManagers,
             final HostnameCheck hostnameCheck
     ) {
-        this.nextManagers = nextManagers;
+        this.nextManagers = asList(nextManagers);
         this.hostnameCheck = hostnameCheck;
     }
 

proxybase/src/main/java/com/dajudge/proxybase/HostnameCheck.java

@@ -20,7 +20,7 @@
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 
-interface HostnameCheck {
+public interface HostnameCheck {
     void verify(X509Certificate cert) throws CertificateException;
 
     HostnameCheck NULL_VERIFIER = (cert) -> {

proxybase/src/main/java/com/dajudge/proxybase/ProxyChannelFactory.java

@@ -17,6 +17,7 @@
 
 package com.dajudge.proxybase;
 
+import com.dajudge.proxybase.config.Endpoint;
 import io.netty.channel.Channel;
 import io.netty.channel.socket.SocketChannel;
 

proxybase/src/main/java/com/dajudge/proxybase/SslUtils.java

@@ -17,8 +17,8 @@
 
 package com.dajudge.proxybase;
 
-import com.dajudge.proxybase.certs.KeyStoreWrapper;
 import com.dajudge.proxybase.certs.KeyStoreManager;
+import com.dajudge.proxybase.certs.KeyStoreWrapper;
 
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.TrustManagerFactory;
@@ -28,17 +28,22 @@
 import java.security.NoSuchAlgorithmException;
 import java.security.UnrecoverableKeyException;
 import java.util.Arrays;
+import java.util.Optional;
 
 import static javax.net.ssl.TrustManagerFactory.getDefaultAlgorithm;
 
 class SslUtils {
     static X509TrustManager[] createTrustManagers(final KeyStoreManager trustStoreManager) {
+        return createTrustManagers(Optional.of(trustStoreManager));
+    }
+
+    static X509TrustManager[] createTrustManagers(final Optional<KeyStoreManager> trustStoreManager) {
         try {
-            if (trustStoreManager == null) {
+            if (!trustStoreManager.isPresent()) {
                 return new X509TrustManager[]{};
             }
             final TrustManagerFactory factory = TrustManagerFactory.getInstance(getDefaultAlgorithm());
-            factory.init(trustStoreManager.getKeyStore().getKeyStore());
+            factory.init(trustStoreManager.get().getKeyStore().getKeyStore());
             return Arrays.stream(factory.getTrustManagers())
                     .filter(it -> it instanceof X509TrustManager)
                     .map(it -> (X509TrustManager) it)
@@ -49,12 +54,17 @@ static X509TrustManager[] createTrustManagers(final KeyStoreManager trustStoreMa
     }
 
     static X509KeyManager[] createKeyManagers(final KeyStoreManager keyStoreManager) {
+        return createKeyManagers(Optional.of(keyStoreManager));
+    }
+
+    static X509KeyManager[] createKeyManagers(final Optional<KeyStoreManager> keyStoreManager) {
         try {
-            if (keyStoreManager == null) {
+            if (!keyStoreManager.isPresent()) {
                 return new X509KeyManager[]{};
             }
             final KeyManagerFactory factory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
-            final KeyStoreWrapper keyStore = keyStoreManager.getKeyStore();
+            final KeyStoreManager keyStoreWrapper = keyStoreManager.get();
+            final KeyStoreWrapper keyStore = keyStoreWrapper.getKeyStore();
             factory.init(keyStore.getKeyStore(), keyStore.getKeyPassword());
             return Arrays.stream(factory.getKeyManagers())
                     .filter(it -> it instanceof X509KeyManager)

proxybase/src/main/java/com/dajudge/proxybase/UpstreamChannelFactory.java

@@ -17,6 +17,7 @@
 
 package com.dajudge.proxybase;
 
+import com.dajudge.proxybase.config.Endpoint;
 import io.netty.bootstrap.ServerBootstrap;
 import io.netty.channel.Channel;
 import io.netty.channel.ChannelFuture;

proxybase/src/main/java/com/dajudge/proxybase/UpstreamSslHandlerFactory.java

@@ -17,7 +17,9 @@
 
 package com.dajudge.proxybase;
 
+import com.dajudge.proxybase.certs.Filesystem;
 import com.dajudge.proxybase.certs.KeyStoreManager;
+import com.dajudge.proxybase.config.UpstreamSslConfig;
 import io.netty.channel.ChannelHandler;
 import io.netty.handler.ssl.SslHandler;
 
@@ -27,14 +29,29 @@
 import javax.net.ssl.TrustManager;
 import java.security.KeyManagementException;
 import java.security.NoSuchAlgorithmException;
+import java.util.Optional;
+import java.util.function.Supplier;
 
 import static com.dajudge.proxybase.SslUtils.createKeyManagers;
 import static com.dajudge.proxybase.SslUtils.createTrustManagers;
+import static com.dajudge.proxybase.certs.ReloadingKeyStoreManager.createReloader;
 
 public class UpstreamSslHandlerFactory {
+    public static ChannelHandler createUpstreamSslHandler(
+            final UpstreamSslConfig config,
+            final Supplier<Long> clock,
+            final Filesystem filesystem
+    ) {
+        return createUpstreamSslHandler(
+                config.isClientAuthRequired(),
+                config.getTrustStore().map(trustStore -> createReloader(trustStore, clock, filesystem)),
+                createReloader(config.getKeyStore(), clock, filesystem)
+        );
+    }
+
     public static ChannelHandler createUpstreamSslHandler(
             final boolean enableClientAuth,
-            final KeyStoreManager trustStoreManager,
+            final Optional<KeyStoreManager> trustStoreManager,
             final KeyStoreManager keyStoreManager
     ) {
         try {