Reloadable server TLS KeyStore

nima/common/tls/src/main/java/io/helidon/nima/common/tls/ReloadableX509KeyManager.java

@@ -0,0 +1,84 @@
+/*
+ * Copyright (c) 2023 Oracle and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.helidon.nima.common.tls;
+
+import java.net.Socket;
+import java.security.Principal;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+import java.util.Objects;
+
+import javax.net.ssl.X509KeyManager;
+
+class ReloadableX509KeyManager implements X509KeyManager, TlsReloadableComponent {
+
+    private static final System.Logger LOGGER = System.getLogger(ReloadableX509KeyManager.class.getName());
+
+    private volatile X509KeyManager keyManager;
+
+    ReloadableX509KeyManager(X509KeyManager keyManager) {
+        this.keyManager = keyManager;
+    }
+
+    @Override
+    public String[] getClientAliases(String s, Principal[] principals) {
+        return keyManager.getClientAliases(s, principals);
+    }
+
+    @Override
+    public String chooseClientAlias(String[] strings, Principal[] principals, Socket socket) {
+        return keyManager.chooseClientAlias(strings, principals, socket);
+    }
+
+    @Override
+    public String[] getServerAliases(String s, Principal[] principals) {
+        return keyManager.getServerAliases(s, principals);
+    }
+
+    @Override
+    public String chooseServerAlias(String s, Principal[] principals, Socket socket) {
+        return keyManager.chooseServerAlias(s, principals, socket);
+    }
+
+    @Override
+    public X509Certificate[] getCertificateChain(String s) {
+        return keyManager.getCertificateChain(s);
+    }
+
+    @Override
+    public PrivateKey getPrivateKey(String s) {
+        return keyManager.getPrivateKey(s);
+    }
+
+    @Override
+    public void reload(Tls tls) {
+        Objects.requireNonNull(tls.originalKeyManager(), "Cannot unset key manager");
+        if (LOGGER.isLoggable(System.Logger.Level.DEBUG)) {
+            LOGGER.log(System.Logger.Level.DEBUG, "Reloading TLS X509KeyManager");
+        }
+        this.keyManager = tls.originalKeyManager();
+    }
+
+    static class NotReloadableKeyManager implements TlsReloadableComponent {
+        @Override
+        public void reload(Tls tls) {
+            if (tls.originalKeyManager() != null) {
+                throw new UnsupportedOperationException("Cannot reload key manager if one was not set during server start");
+            }
+        }
+    }
+}

nima/common/tls/src/main/java/io/helidon/nima/common/tls/ReloadableX509TrustManager.java

@@ -0,0 +1,67 @@
+/*
+ * Copyright (c) 2023 Oracle and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.helidon.nima.common.tls;
+
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.Objects;
+
+import javax.net.ssl.X509TrustManager;
+
+class ReloadableX509TrustManager implements X509TrustManager, TlsReloadableComponent {
+
+    private static final System.Logger LOGGER = System.getLogger(ReloadableX509TrustManager.class.getName());
+
+    private volatile X509TrustManager trustManager;
+
+    ReloadableX509TrustManager(X509TrustManager trustManager) {
+        this.trustManager = trustManager;
+    }
+
+    @Override
+    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+        trustManager.checkClientTrusted(chain, authType);
+    }
+
+    @Override
+    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+        trustManager.checkServerTrusted(chain, authType);
+    }
+
+    @Override
+    public X509Certificate[] getAcceptedIssuers() {
+        return trustManager.getAcceptedIssuers();
+    }
+
+    @Override
+    public void reload(Tls tls) {
+        Objects.requireNonNull(tls.originalKeyManager(), "Cannot unset trust store");
+        if (LOGGER.isLoggable(System.Logger.Level.DEBUG)) {
+            LOGGER.log(System.Logger.Level.DEBUG, "Reloading TLS X509TrustManager");
+        }
+        this.trustManager = tls.originalTrustManager();
+    }
+
+    static class NotReloadableTrustManager implements TlsReloadableComponent {
+        @Override
+        public void reload(Tls tls) {
+            if (tls.originalTrustManager() != null) {
+                throw new UnsupportedOperationException("Cannot set trust manager if one was not set during server start");
+            }
+        }
+    }
+}

nima/common/tls/src/main/java/io/helidon/nima/common/tls/Tls.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022 Oracle and/or its affiliates.
+ * Copyright (c) 2022, 2023 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -30,11 +30,13 @@
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.time.Duration;
+import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Base64;
 import java.util.List;
 import java.util.Objects;
 
+import javax.net.ssl.KeyManager;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
@@ -44,7 +46,10 @@
 import javax.net.ssl.SSLSessionContext;
 import javax.net.ssl.SSLSocket;
 import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509KeyManager;
+import javax.net.ssl.X509TrustManager;
 
 import io.helidon.common.LazyValue;
 import io.helidon.common.config.Config;
@@ -74,6 +79,9 @@ public abstract sealed class Tls permits Tls.ExplicitContextTlsConfig, Tls.TlsCo
     private final SSLParameters sslParameters;
     private final SSLSocketFactory sslSocketFactory;
     private final SSLServerSocketFactory sslServerSocketFactory;
+    private final List<TlsReloadableComponent> reloadableComponents;
+    private final X509TrustManager originalTrustManager;
+    private final X509KeyManager originalKeyManager;
     private final boolean enabled;
 
     private Tls(Builder builder) {
@@ -82,6 +90,9 @@ private Tls(Builder builder) {
         this.sslSocketFactory = sslContext.getSocketFactory();
         this.sslServerSocketFactory = sslContext.getServerSocketFactory();
         this.enabled = builder.enabled;
+        this.reloadableComponents = List.copyOf(builder.reloadableComponents);
+        this.originalTrustManager = builder.originalTrustManager;
+        this.originalKeyManager = builder.originalKeyManager;
     }
 
     /**
@@ -181,6 +192,25 @@ public SSLParameters sslParameters() {
         return sslParameters;
     }
 
+    /**
+     * Reload reloadable TLS components with the new configuration.
+     *
+     * @param tls new TLS configuration
+     */
+    public void reload(Tls tls) {
+        for (TlsReloadableComponent reloadableComponent : reloadableComponents) {
+            reloadableComponent.reload(tls);
+        }
+    }
+
+    X509TrustManager originalTrustManager() {
+        return originalTrustManager;
+    }
+
+    X509KeyManager originalKeyManager() {
+        return originalKeyManager;
+    }
+
     /**
      * Whether this TLS configuration is enabled or not.
      *
@@ -263,6 +293,13 @@ public static class Builder implements io.helidon.common.Builder<Builder, Tls> {
         private String endpointIdentificationAlgorithm = ENDPOINT_IDENTIFICATION_HTTPS;
         private boolean enabled = true;
 
+        /*
+         * TLS reloading
+         */
+        private final List<TlsReloadableComponent> reloadableComponents = new ArrayList<>();
+        private X509TrustManager originalTrustManager;
+        private X509KeyManager originalKeyManager;
+
         private Builder() {
         }
 
@@ -666,8 +703,8 @@ private SSLContext sslContext() throws GeneralSecurityException, IOException {
                 sslContext = SSLContext.getInstance(protocol, provider);
             }
 
-            sslContext.init(kmf == null ? null : kmf.getKeyManagers(),
-                            tmf == null ? null : tmf.getTrustManagers(),
+            sslContext.init(kmf == null ? null : wrapX509KeyManagers(kmf.getKeyManagers()),
+                            tmf == null ? null : wrapX509TrustManagers(tmf.getTrustManagers()),
                             secureRandom);
 
             SSLSessionContext serverSessionContext = sslContext.getServerSessionContext();
@@ -680,6 +717,40 @@ private SSLContext sslContext() throws GeneralSecurityException, IOException {
             return sslContext;
         }
 
+        private TrustManager[] wrapX509TrustManagers(TrustManager[] trustManagers) {
+            TrustManager[] toReturn = new TrustManager[trustManagers.length];
+            System.arraycopy(trustManagers, 0, toReturn, 0, toReturn.length);
+            for (int i = 0; i < trustManagers.length; i++) {
+                TrustManager trustManager = trustManagers[i];
+                if (trustManager instanceof X509TrustManager x509TrustManager) {
+                    originalTrustManager = x509TrustManager;
+                    var wrappedTrustManager = new ReloadableX509TrustManager(x509TrustManager);
+                    reloadableComponents.add(wrappedTrustManager);
+                    toReturn[i] = wrappedTrustManager;
+                    return toReturn;
+                }
+            }
+            reloadableComponents.add(new ReloadableX509TrustManager.NotReloadableTrustManager());
+            return toReturn;
+        }
+
+        private KeyManager[] wrapX509KeyManagers(KeyManager[] keyManagers) {
+            KeyManager[] toReturn = new KeyManager[keyManagers.length];
+            System.arraycopy(keyManagers, 0, toReturn, 0, toReturn.length);
+            for (int i = 0; i < keyManagers.length; i++) {
+                KeyManager keyManager = keyManagers[i];
+                if (keyManager instanceof X509KeyManager x509KeyManager) {
+                    originalKeyManager = x509KeyManager;
+                    ReloadableX509KeyManager wrappedKeyManager = new ReloadableX509KeyManager(x509KeyManager);
+                    reloadableComponents.add(wrappedKeyManager);
+                    toReturn[i] = wrappedKeyManager;
+                    return toReturn;
+                }
+            }
+            reloadableComponents.add(new ReloadableX509KeyManager.NotReloadableKeyManager());
+            return toReturn;
+        }
+
         private void sessionTimeoutSeconds(int seconds) {
             this.sessionTimeout(Duration.ofSeconds(seconds));
         }

nima/common/tls/src/main/java/io/helidon/nima/common/tls/TlsReloadableComponent.java

@@ -0,0 +1,24 @@
+/*
+ * Copyright (c) 2023 Oracle and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.helidon.nima.common.tls;
+
+
+interface TlsReloadableComponent {
+
+    void reload(Tls tls);
+
+}