diff --git a/src/main/java/io/cryostat/agent/ConfigModule.java b/src/main/java/io/cryostat/agent/ConfigModule.java
index 5cb3d4d9..5a2e4a03 100644
--- a/src/main/java/io/cryostat/agent/ConfigModule.java
+++ b/src/main/java/io/cryostat/agent/ConfigModule.java
@@ -115,12 +115,6 @@ public abstract class ConfigModule {
 "cryostat.agent.webclient.tls.client-auth.key.pass-charset";
 public static final String CRYOSTAT_AGENT_WEBCLIENT_TLS_CLIENT_AUTH_KEY_PASS =
 "cryostat.agent.webclient.tls.client-auth.key.pass";
- public static final String CRYOSTAT_AGENT_WEBCLIENT_TLS_CLIENT_AUTH_KEYSTORE_PASS_FILE =
- "cryostat.agent.webclient.tls.client-auth.keystore.pass.file";
- public static final String CRYOSTAT_AGENT_WEBCLIENT_TLS_CLIENT_AUTH_KEYSTORE_PASS_CHARSET =
- "cryostat.agent.webclient.tls.client-auth.keystore.pass-charset";
- public static final String CRYOSTAT_AGENT_WEBCLIENT_TLS_CLIENT_AUTH_KEYSTORE_PASS =
- "cryostat.agent.webclient.tls.client-auth.keystore.pass";
 public static final String CRYOSTAT_AGENT_WEBCLIENT_TLS_CLIENT_AUTH_KEYSTORE_TYPE =
 "cryostat.agent.webclient.tls.client-auth.keystore.type";
 public static final String CRYOSTAT_AGENT_WEBCLIENT_TLS_CLIENT_AUTH_KEY_MANAGER_TYPE =
@@ -491,42 +485,6 @@ public static String provideCryostatAgentWebclientTlsClientAuthKeyPassCharset(Co
 CRYOSTAT_AGENT_WEBCLIENT_TLS_CLIENT_AUTH_KEY_PASS_CHARSET, String.class);
 }
 
- @Provides
- @Singleton
- @Named(CRYOSTAT_AGENT_WEBCLIENT_TLS_CLIENT_AUTH_KEY_PASS)
- public static Optional provideCryostatAgentWebclientTlsClientAuthKeyPass(
- Config config) {
- return config.getOptionalValue(
- CRYOSTAT_AGENT_WEBCLIENT_TLS_CLIENT_AUTH_KEYSTORE_PASS, String.class);
- }
-
- @Provides
- @Singleton
- @Named(CRYOSTAT_AGENT_WEBCLIENT_TLS_CLIENT_AUTH_KEYSTORE_PASS_FILE)
- public static Optional provideCryostatAgentWebclientTlsClientAuthKeystorePassFile(
- Config config) {
- return config.getOptionalValue(
- CRYOSTAT_AGENT_WEBCLIENT_TLS_CLIENT_AUTH_KEYSTORE_PASS_FILE, String.class);
- }
-
- @Provides
- @Singleton
- @Named(CRYOSTAT_AGENT_WEBCLIENT_TLS_CLIENT_AUTH_KEYSTORE_PASS_CHARSET)
- public static String provideCryostatAgentWebclientTlsClientAuthKeystorePassCharset(
- Config config) {
- return config.getValue(
- CRYOSTAT_AGENT_WEBCLIENT_TLS_CLIENT_AUTH_KEYSTORE_PASS_CHARSET, String.class);
- }
-
- @Provides
- @Singleton
- @Named(CRYOSTAT_AGENT_WEBCLIENT_TLS_CLIENT_AUTH_KEYSTORE_PASS)
- public static Optional provideCryostatAgentWebclientTlsClientAuthKeystorePass(
- Config config) {
- return config.getOptionalValue(
- CRYOSTAT_AGENT_WEBCLIENT_TLS_CLIENT_AUTH_KEYSTORE_PASS, String.class);
- }
-
 @Provides
 @Singleton
 @Named(CRYOSTAT_AGENT_WEBCLIENT_TLS_CLIENT_AUTH_KEYSTORE_TYPE)
diff --git a/src/main/java/io/cryostat/agent/MainModule.java b/src/main/java/io/cryostat/agent/MainModule.java
index c14199cb..c387d5f7 100644
--- a/src/main/java/io/cryostat/agent/MainModule.java
+++ b/src/main/java/io/cryostat/agent/MainModule.java
@@ -223,12 +223,6 @@ public static SSLContext provideClientSslContext(
 String clientAuthKeyEncoding,
 @Named(ConfigModule.CRYOSTAT_AGENT_WEBCLIENT_TLS_CLIENT_AUTH_KEYSTORE_TYPE)
 String clientAuthKeystoreType,
- @Named(ConfigModule.CRYOSTAT_AGENT_WEBCLIENT_TLS_CLIENT_AUTH_KEYSTORE_PASS)
- Optional clientAuthKeystorePass,
- @Named(ConfigModule.CRYOSTAT_AGENT_WEBCLIENT_TLS_CLIENT_AUTH_KEYSTORE_PASS_FILE)
- Optional clientAuthKeystorePassFile,
- @Named(ConfigModule.CRYOSTAT_AGENT_WEBCLIENT_TLS_CLIENT_AUTH_KEYSTORE_PASS_CHARSET)
- String clientAuthKeystorePassFileCharset,
 @Named(ConfigModule.CRYOSTAT_AGENT_WEBCLIENT_TLS_CLIENT_AUTH_KEY_PASS)
 Optional clientAuthKeyPass,
 @Named(ConfigModule.CRYOSTAT_AGENT_WEBCLIENT_TLS_CLIENT_AUTH_KEY_PASS_FILE)
@@ -239,13 +233,8 @@ public static SSLContext provideClientSslContext(
 String clientAuthKeyManagerType) {
 try {
 KeyManager[] keyManagers = null;
- if (clientAuthCertPath.isPresent()) {
+ if (clientAuthCertPath.isPresent() && clientAuthKeyPath.isPresent()) {
 KeyStore ks = KeyStore.getInstance(clientAuthKeystoreType);
- Optional keystorePass =
- readPass(
- clientAuthKeystorePass,
- clientAuthKeystorePassFile,
- clientAuthKeystorePassFileCharset);
 Optional keyPass =
 readPass(
 clientAuthKeyPass,
@@ -260,7 +249,7 @@ public static SSLContext provideClientSslContext(
 new BufferedInputStream(
 new FileInputStream(
 Path.of(clientAuthKeyPath.get()).toFile()))) {
- ks.load(null, keystorePass.map(CharBuffer::array).orElse(null));
+ ks.load(null, null);
 CertificateFactory certFactory =
 CertificateFactory.getInstance(clientAuthCertType);
 Certificate[] certChain =
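Review bot: The new parameter list still injects `@Named(ConfigModule.CRYOSTAT_AGENT_WEBCLIENT_TLS_CLIENT_AUTH_KEY_PASS) Optional clientAuthKeyPass`, but the only provider for that name visible in this diff, `provideCryostatAgentWebclientTlsClientAuthKeyPass` in ConfigModule, is deleted in the preceding hunk. Unless another binding for it exists outside the diff, the injector will have nothing to satisfy this parameter with. The deleted provider also read `CRYOSTAT_AGENT_WEBCLIENT_TLS_CLIENT_AUTH_KEYSTORE_PASS` rather than the key-pass property it was named for, so any replacement should use `config.getOptionalValue(CRYOSTAT_AGENT_WEBCLIENT_TLS_CLIENT_AUTH_KEY_PASS, String.class)`. The provideClientSslContext signature continues outside this hunk.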
@@ -295,13 +284,19 @@ public static SSLContext provideClientSslContext(
 keyPass.map(CharBuffer::array).orElse(null),
 certChain);
 KeyManagerFactory kmf = KeyManagerFactory.getInstance(clientAuthKeyManagerType);
- kmf.init(ks, keystorePass.map(CharBuffer::array).orElse(null));
+ kmf.init(ks, null);
 keyManagers = kmf.getKeyManagers();
 } finally {
 Arrays.fill(keyBytes, (byte) 0);
- clearBuffer(keystorePass);
 clearBuffer(keyPass);
 }
+ } else if (clientAuthCertPath.isPresent() || clientAuthKeyPath.isPresent()) {
+ throw new IllegalArgumentException(
+ String.format(
+ "To use TLS client authentication, both the certificate (%s) and"
+ + " private key (%s) properties must be set.",
+ ConfigModule.CRYOSTAT_AGENT_WEBCLIENT_TLS_CLIENT_AUTH_CERT_PATH,
+ ConfigModule.CRYOSTAT_AGENT_WEBCLIENT_TLS_CLIENT_AUTH_KEY_PATH));
 }
 
 X509TrustManager trustManager = null;
@@ -338,7 +333,7 @@ public X509Certificate[] getAcceptedIssuers() {
 KeyStore ts = KeyStore.getInstance(truststoreType);
 ts.load(null, null);
 // initialize truststore with user provided path and pass
- if (!truststorePath.isEmpty() && !truststorePass.isEmpty()) {
+ if (truststorePath.isPresent() && truststorePass.isPresent()) {
 Charset charset = Charset.forName(passCharset);
 CharsetDecoder decoder = charset.newDecoder();
 ByteBuffer byteBuffer = ByteBuffer.wrap(truststorePass.get().get());
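Review bot: `kmf.init(ks, null)` supplies no key-recovery password, yet the context line at the top of the hunk shows the private key entry being stored with `keyPass.map(CharBuffer::array).orElse(null)` as its protection parameter. The password passed to `KeyManagerFactory.init` is the one used to recover keys from the store, so whenever a key password is configured the two now disagree, and with the PKCS12 default from the properties file key recovery is expected to fail while the key managers are built. Use `kmf.init(ks, keyPass.map(CharBuffer::array).orElse(null));` so both calls share the same secret; the array is already zeroed by the existing `clearBuffer(keyPass)` in the finally block, and an absent password still yields null. Separately, the new `else if` throws from inside the `try` opened in the previous hunk, whose catch lies outside this hunk; if that catch wraps exceptions generically, the configuration message may be obscured, so consider validating before entering the try. The enclosing method continues beyond this hunk.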
@@ -352,12 +347,16 @@ public X509Certificate[] getAcceptedIssuers() {
 Arrays.fill(charBuffer.array(), '\0');
 truststorePass.get().clear();
 }
- } else if (!truststorePath.isEmpty() || !truststorePass.isEmpty()) {
+ } else if (truststorePath.isPresent() || truststorePass.isPresent()) {
 throw new IllegalArgumentException(
 String.format(
 "To import a truststore, provide both the path to the"
- + " truststore and the pass, or a path to a file containing"
- + " the pass"));
+ + " truststore (%s) and the pass (%s), or a path to a file"
+ + " containing the pass (%s)",
+ ConfigModule.CRYOSTAT_AGENT_WEBCLIENT_TLS_TRUSTSTORE_PATH,
+ ConfigModule.CRYOSTAT_AGENT_WEBCLIENT_TLS_TRUSTSTORE_PASS,
+ ConfigModule
+ .CRYOSTAT_AGENT_WEBCLIENT_TLS_TRUSTSTORE_PASS_FILE));
 }
 
 // initialize truststore with user provided certs
diff --git a/src/main/resources/META-INF/microprofile-config.properties b/src/main/resources/META-INF/microprofile-config.properties
index 274d07c1..eb9ca580 100644
--- a/src/main/resources/META-INF/microprofile-config.properties
+++ b/src/main/resources/META-INF/microprofile-config.properties
@@ -22,12 +22,7 @@ cryostat.agent.webclient.tls.client-auth.key.type=RSA
 cryostat.agent.webclient.tls.client-auth.key.pass=
 cryostat.agent.webclient.tls.client-auth.key.pass.file=
 cryostat.agent.webclient.tls.client-auth.key.pass-charset=utf-8
-cryostat.agent.webclient.tls.client-auth.keystore.path=
-cryostat.agent.webclient.tls.client-auth.keystore.pass.file=
-cryostat.agent.webclient.tls.client-auth.keystore.pass=
-cryostat.agent.webclient.tls.client-auth.keystore.cert=
 cryostat.agent.webclient.tls.client-auth.keystore.type=PKCS12
-cryostat.agent.webclient.tls.client-auth.keystore.pass-charset=utf-8
 cryostat.agent.webclient.tls.client-auth.key-manager.type=SunX509
 cryostat.agent.webserver.host=0.0.0.0
 cryostat.agent.webserver.port=9977