
Example 6 with Tls

use of org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.netconf.callhome.server.rev201015.netconf.callhome.server.allowed.devices.device.transport.Tls in project bgpcep by opendaylight.

The class AbstractPCEPSessionNegotiator, method handleMessageStartTlsWait.

/**
 * Processes a message received while the negotiator is waiting for the PCEP
 * StartTLS exchange.
 *
 * <p>A {@code Starttls} message makes this side build a server-mode
 * {@code SSLEngine} that requires client authentication, install it at the
 * head of the channel pipeline and then start the Open exchange. Any other
 * message except {@code Pcerr} is treated as a protocol violation which
 * terminates the negotiation.
 *
 * @param msg the received PCEP message
 * @return {@code true} if the message was consumed here, {@code false} if it
 *         is a {@code Pcerr} left to the caller
 */
private boolean handleMessageStartTlsWait(final Message msg) {
    if (!(msg instanceof Starttls)) {
        // PCErr is not handled at this stage; the caller decides what to do with it.
        if (msg instanceof Pcerr) {
            return false;
        }
        // Anything else while waiting for StartTLS is a protocol violation.
        sendErrorMessage(PCEPErrors.NON_STARTTLS_MSG_RCVD);
        negotiationFailed(new IllegalStateException("Unexpected message recieved."));
        state = State.FINISHED;
        return true;
    }

    final SSLContext serverContext = new SslContextFactory(tlsConfiguration).getServerContext();
    if (serverContext == null) {
        // Without a usable SSLContext the session cannot continue in TLS mode.
        sendErrorMessage(PCEPErrors.NOT_POSSIBLE_WITHOUT_TLS);
        negotiationFailed(new IllegalStateException("Failed to establish a TLS connection."));
        state = State.FINISHED;
        return true;
    }

    final SSLEngine sslEngine = serverContext.createSSLEngine();
    // Server side of the handshake; the peer must present a client certificate.
    sslEngine.setNeedClientAuth(true);
    sslEngine.setUseClientMode(false);
    channel.pipeline().addFirst(new SslHandler(sslEngine));
    // NOTE(review): SslHandler runs the handshake asynchronously, so at this point the
    // TLS layer is installed but not yet known to be established.
    LOG.info("PCEPS TLS connection with peer: {} established succesfully.", channel);
    startNegotiationWithOpen();
    return true;
}

Example 7 with Tls

use of org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.netconf.callhome.server.rev201015.netconf.callhome.server.allowed.devices.device.transport.Tls in project openflowplugin by opendaylight.

The class OFFrameDecoder, method exceptionCaught.

/**
 * Logs a pipeline exception, closes the channel and, when TLS is in use,
 * reports the SSL error cause to the connection facade.
 *
 * <p>A {@code NotSslRecordException} (the peer sent data that is not a TLS
 * record) is logged as a one-line warning without the stack trace; every
 * other cause is logged together with its stack trace.
 *
 * @param ctx the handler context of the failing channel
 * @param cause the exception propagated down the pipeline
 */
@Override
public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) {
    final boolean notTlsRecord = cause instanceof io.netty.handler.ssl.NotSslRecordException;
    if (notTlsRecord) {
        LOG.warn("Not an TLS record exception - please verify TLS configuration.");
    } else {
        LOG.warn("Unexpected exception from downstream.", cause);
    }
    LOG.warn("Closing connection.");
    ctx.close();

    if (!tlsPresent) {
        return;
    }
    // Surface the SSL failure reason to the consumer of this connection.
    final String sslErrorInfo = getSslErrorCause(cause);
    LOG.trace("SSL Error info {}", sslErrorInfo);
    connectionFacade.consume(new SslConnectionErrorBuilder().setInfo(sslErrorInfo).build());
}

Example 8 with Tls

use of org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.netconf.callhome.server.rev201015.netconf.callhome.server.allowed.devices.device.transport.Tls in project netconf by opendaylight.

The class NetconfConnectDeviceCommand, method execute.

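/**
 * Builds a {@code NetconfNode} from the command arguments and asks the service
 * to connect it under {@code deviceId}.
 *
 * <p>The raw string arguments are validated first: IP and port through
 * {@code NetconfCommandUtils}, then username/password presence for TCP-only
 * and SSH connections. For TLS the optional comma-separated
 * {@code excludedTlsVersions} argument is mapped into the TLS protocol
 * specification; it is passed through without further validation.
 *
 * @return a human-readable status message; validation failures are reported
 *         as the returned message rather than thrown
 */
@Override
public Object execute() {
    if (!NetconfCommandUtils.isIpValid(deviceIp) || !NetconfCommandUtils.isPortValid(devicePort)) {
        return "Invalid IP:" + deviceIp + " or Port:" + devicePort + "Please enter a valid entry to proceed.";
    }
    // NOTE(review): exact, case-sensitive comparisons - "TRUE" is treated as false.
    final boolean isTcpOnly = connectionType.equals("true");
    final boolean isSchemaless = schemaless.equals("true");
    final NetconfNodeBuilder netconfNodeBuilder = new NetconfNodeBuilder();
    netconfNodeBuilder.setHost(new Host(new IpAddress(new Ipv4Address(deviceIp))))
        .setPort(new PortNumber(Uint16.valueOf(Integer.decode(devicePort))))
        .setTcpOnly(isTcpOnly)
        .setSchemaless(isSchemaless);

    if (isTcpOnly || protocol.equalsIgnoreCase("ssh")) {
        if (Strings.isNullOrEmpty(username) || Strings.isNullOrEmpty(password)) {
            // Report which credential is missing without echoing the password value
            // back to the console or command log.
            return "Empty Username:" + username + " or Password:"
                + (Strings.isNullOrEmpty(password) ? "<empty>" : "<provided>")
                + ". In TCP or SSH mode, you must provide valid username and password.";
        }
        final Credentials credentials = new LoginPasswordBuilder()
            .setPassword(password)
            .setUsername(username)
            .build();
        netconfNodeBuilder.setCredentials(credentials);
        if (!isTcpOnly) {
            netconfNodeBuilder.setProtocol(new ProtocolBuilder().setName(Name.SSH).build());
        }
    } else if (protocol.equalsIgnoreCase("tls")) {
        // Only populate the TLS specification when versions were actually excluded;
        // otherwise the protocol carries no specification.
        TlsCase tlsCase = null;
        if (!Strings.isNullOrEmpty(excludedTlsVersions)) {
            tlsCase = new TlsCaseBuilder()
                .setTls(new TlsBuilder()
                    .setExcludedVersions(Arrays.asList(excludedTlsVersions.split(",")))
                    .build())
                .build();
        }
        netconfNodeBuilder.setProtocol(new ProtocolBuilder()
            .setName(Name.TLS)
            .setSpecification(tlsCase)
            .build());
    } else {
        return "Invalid protocol: " + protocol + ". Only SSH and TLS are supported.";
    }

    service.connectDevice(netconfNodeBuilder.build(), deviceId);
    return "Netconf connector added succesfully";
}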

Example 9 with Tls

use of org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.netconf.callhome.server.rev201015.netconf.callhome.server.allowed.devices.device.transport.Tls in project netconf by opendaylight.

The class NetconfKeystoreAdapter, method getJavaKeyStore.

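/**
 * Creates a new in-memory JDK {@code KeyStore} from the adapter's private keys
 * and trusted certificates; TLS clients use it to create an {@code SSLEngine}.
 * At least one private key is required, trusted certificates are optional.
 *
 * @param allowedKeys aliases of the private keys to include; an empty set
 *                    includes every known private key
 * @return a freshly loaded JDK KeyStore (JKS type, empty key password)
 * @throws KeyStoreException if no private key is known to the adapter
 * @throws CertificateException if a selected private key has no certificate
 *         chain, or a trusted certificate entry yields no certificate
 * @throws GeneralSecurityException if any other security exception occurred
 * @throws IOException if there is an I/O problem with the keystore data
 */
public KeyStore getJavaKeyStore(final Set<String> allowedKeys) throws GeneralSecurityException, IOException {
    requireNonNull(allowedKeys);
    final KeyStore keyStore = KeyStore.getInstance("JKS");
    // load(null, null) initialises an empty in-memory store.
    keyStore.load(null, null);

    synchronized (privateKeys) {
        if (privateKeys.isEmpty()) {
            throw new KeyStoreException("No keystore private key found");
        }
        for (Map.Entry<String, PrivateKey> entry : privateKeys.entrySet()) {
            final String alias = entry.getKey();
            if (!allowedKeys.isEmpty() && !allowedKeys.contains(alias)) {
                continue;
            }
            final PrivateKey privateKey = entry.getValue();
            final java.security.PrivateKey key = getJavaPrivateKey(privateKey.getData());
            final List<X509Certificate> certificateChain =
                getCertificateChain(privateKey.getCertificateChain().toArray(new String[0]));
            if (certificateChain.isEmpty()) {
                throw new CertificateException("No certificate chain associated with private key found");
            }
            // The store never leaves memory, so an empty key password is used.
            keyStore.setKeyEntry(alias, key, "".toCharArray(), certificateChain.toArray(new Certificate[0]));
        }
    }

    synchronized (trustedCertificates) {
        for (Map.Entry<String, TrustedCertificate> entry : trustedCertificates.entrySet()) {
            final String alias = entry.getKey();
            final List<X509Certificate> certificates =
                getCertificateChain(new String[] { entry.getValue().getCertificate() });
            if (certificates.isEmpty()) {
                // getCertificateChain may presumably return nothing for an undecodable entry;
                // fail with the same exception type as the private-key branch instead of
                // letting an IndexOutOfBoundsException escape from get(0).
                throw new CertificateException("No certificate found for trusted certificate entry " + alias);
            }
            keyStore.setCertificateEntry(alias, certificates.get(0));
        }
    }
    return keyStore;
}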
