Signal/Signal-Server
1
0
Fork 0
mirror of https://github.com/signalapp/Signal-Server synced 2026-04-21 05:48:04 +01:00
Code Issues Packages Projects Releases Wiki Activity

Allow the storage service client to trust the Signal CA root.

Browse Source
This commit is contained in:
Jon Chambers
2020-12-23 17:54:03 -05:00
committed by Jon Chambers
parent cdc6afefe2
commit a1434524a4
5 changed files with 100 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
service/src/main/java/org/whispersystems/textsecuregcm/configuration/SecureStorageServiceConfiguration.java
View File

@@ -24,6 +24,10 @@ public class SecureStorageServiceConfiguration {
@JsonProperty
private String uri;
@NotBlank
@JsonProperty
private String storageCaCertificate;
@NotNull
@Valid
@JsonProperty
@@ -47,6 +51,15 @@ public class SecureStorageServiceConfiguration {
return uri;
}
@VisibleForTesting
public void setStorageCaCertificate(final String certificatePem) {
this.storageCaCertificate = certificatePem;
}
public String getStorageCaCertificate() {
return storageCaCertificate;
}
public CircuitBreakerConfiguration getCircuitBreakerConfiguration() {
return circuitBreaker;
}

4
service/src/main/java/org/whispersystems/textsecuregcm/securestorage/SecureStorageClient.java
View File

@@ -17,6 +17,7 @@ import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.time.Duration;
import java.util.UUID;
import java.util.concurrent.CompletableFuture;
@@ -34,7 +35,7 @@ public class SecureStorageClient {
@VisibleForTesting
static final String DELETE_PATH = "/v1/storage";
public SecureStorageClient(final ExternalServiceCredentialGenerator storageServiceCredentialGenerator, final Executor executor, final SecureStorageServiceConfiguration configuration) {
public SecureStorageClient(final ExternalServiceCredentialGenerator storageServiceCredentialGenerator, final Executor executor, final SecureStorageServiceConfiguration configuration) throws CertificateException {
this.storageServiceCredentialGenerator = storageServiceCredentialGenerator;
this.deleteUri = URI.create(configuration.getUri()).resolve(DELETE_PATH);
this.httpClient = FaultTolerantHttpClient.newBuilder()
@@ -45,6 +46,7 @@ public class SecureStorageClient {
.withRedirect(HttpClient.Redirect.NEVER)
.withExecutor(executor)
.withName("secure-storage")
.withTrustedServerCertificate(configuration.getStorageCaCertificate())
.build();
}

41
service/src/main/java/org/whispersystems/textsecuregcm/storage/DirectoryReconciliationClient.java
View File

@@ -5,13 +5,13 @@
package org.whispersystems.textsecuregcm.storage;
import com.codahale.metrics.SharedMetricRegistries;
import org.bouncycastle.openssl.PEMReader;
import org.glassfish.jersey.SslConfigurator;
import org.glassfish.jersey.client.authentication.HttpAuthenticationFeature;
import org.whispersystems.textsecuregcm.configuration.DirectoryServerConfiguration;
import org.whispersystems.textsecuregcm.entities.DirectoryReconciliationRequest;
import org.whispersystems.textsecuregcm.entities.DirectoryReconciliationResponse;
import org.whispersystems.textsecuregcm.util.CertificateExpirationGauge;
import org.whispersystems.textsecuregcm.util.CertificateUtil;
import org.whispersystems.textsecuregcm.util.Constants;
import javax.net.ssl.SSLContext;
@@ -19,14 +19,8 @@ import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.client.Entity;
import javax.ws.rs.core.MediaType;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import static com.codahale.metrics.MetricRegistry.name;
@@ -43,7 +37,7 @@ public class DirectoryReconciliationClient {
SharedMetricRegistries.getOrCreate(Constants.METRICS_NAME)
.register(name(getClass(), directoryServerConfiguration.getReplicationName(), "days_until_certificate_expiration"),
new CertificateExpirationGauge(getCertificate(directoryServerConfiguration.getReplicationCaCertificate())));
new CertificateExpirationGauge(CertificateUtil.getCertificate(directoryServerConfiguration.getReplicationCaCertificate())));
}
public DirectoryReconciliationResponse sendChunk(DirectoryReconciliationRequest request) {
@@ -56,7 +50,7 @@ public class DirectoryReconciliationClient {
private static Client initializeClient(DirectoryServerConfiguration directoryServerConfiguration)
throws CertificateException
{
KeyStore trustStore = initializeKeyStore(directoryServerConfiguration.getReplicationCaCertificate());
KeyStore trustStore = CertificateUtil.buildKeyStoreForPem(directoryServerConfiguration.getReplicationCaCertificate());
SSLContext sslContext = SslConfigurator.newInstance()
.securityProtocol("TLSv1.2")
.trustStore(trustStore)
@@ -66,33 +60,4 @@ public class DirectoryReconciliationClient {
.sslContext(sslContext)
.build();
}
private static KeyStore initializeKeyStore(String caCertificatePem)
throws CertificateException
{
try {
X509Certificate certificate = getCertificate(caCertificatePem);
if (certificate == null) {
throw new CertificateException("No certificate found in parsing!");
}
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(null);
keyStore.setCertificateEntry("ca", certificate);
return keyStore;
} catch (IOException | KeyStoreException ex) {
throw new CertificateException(ex);
} catch (NoSuchAlgorithmException ex) {
throw new AssertionError(ex);
}
}
private static X509Certificate getCertificate(final String certificatePem) throws CertificateException {
try (PEMReader reader = new PEMReader(new InputStreamReader(new ByteArrayInputStream(certificatePem.getBytes())))) {
return (X509Certificate) reader.readObject();
} catch (IOException e) {
throw new CertificateException(e);
}
}
}

47
service/src/main/java/org/whispersystems/textsecuregcm/util/CertificateUtil.java Normal file
View File

@@ -0,0 +1,47 @@
/*
* Copyright 2020 Signal Messenger, LLC
* SPDX-License-Identifier: AGPL-3.0-only
*/
package org.whispersystems.textsecuregcm.util;
import org.bouncycastle.openssl.PEMReader;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
public class CertificateUtil {
public static KeyStore buildKeyStoreForPem(final String caCertificatePem) throws CertificateException
{
try {
X509Certificate certificate = getCertificate(caCertificatePem);
if (certificate == null) {
throw new CertificateException("No certificate found in parsing!");
}
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(null);
keyStore.setCertificateEntry("ca", certificate);
return keyStore;
} catch (IOException | KeyStoreException ex) {
throw new CertificateException(ex);
} catch (NoSuchAlgorithmException ex) {
throw new AssertionError(ex);
}
}
public static X509Certificate getCertificate(final String certificatePem) throws CertificateException {
try (PEMReader reader = new PEMReader(new InputStreamReader(new ByteArrayInputStream(certificatePem.getBytes())))) {
return (X509Certificate) reader.readObject();
} catch (IOException e) {
throw new CertificateException(e);
}
}
}