
Example 1 with ClientAuthConstraints

use of tech.pegasys.web3signer.core.config.ClientAuthConstraints in project web3signer by ConsenSys.

From class CmdLineParamsConfigFileImpl, method createServerTlsArgs.

/**
 * Renders the server-side TLS settings as a YAML fragment for the generated config file.
 *
 * <p>When server TLS options are configured, {@code tls-keystore-file} and
 * {@code tls-keystore-password-file} are always written. Client authentication is then one of two
 * shapes: with no {@link ClientAuthConstraints} present the fragment sets
 * {@code tls-allow-any-client: true}, i.e. any client certificate is accepted; otherwise it writes
 * {@code tls-known-clients-file} when a known-clients file is set and
 * {@code tls-allow-ca-clients: true} when CA-authorised clients are allowed.
 *
 * @return the YAML fragment, or an empty string when no server TLS options are configured
 */
private String createServerTlsArgs() {
    final StringBuilder yaml = new StringBuilder();
    signerConfig
        .getServerTlsOptions()
        .ifPresent(
            tls -> {
                yaml.append(
                    String.format(YAML_STRING_FMT, "tls-keystore-file", tls.getKeyStoreFile().toString()));
                yaml.append(
                    String.format(
                        YAML_STRING_FMT,
                        "tls-keystore-password-file",
                        tls.getKeyStorePasswordFile().toString()));
                tls.getClientAuthConstraints()
                    .ifPresentOrElse(
                        constraints -> {
                            constraints
                                .getKnownClientsFile()
                                .ifPresent(
                                    knownClients ->
                                        yaml.append(
                                            String.format(
                                                YAML_STRING_FMT,
                                                "tls-known-clients-file",
                                                knownClients.toString())));
                            if (constraints.isCaAuthorizedClientAllowed()) {
                                yaml.append(
                                    String.format(YAML_BOOLEAN_FMT, "tls-allow-ca-clients", Boolean.TRUE));
                            }
                        },
                        // Absent constraints map to the permissive setting: every client is accepted.
                        () ->
                            yaml.append(
                                String.format(YAML_BOOLEAN_FMT, "tls-allow-any-client", Boolean.TRUE)));
            });
    return yaml.toString();
}

Example 2 with ClientAuthConstraints

use of tech.pegasys.web3signer.core.config.ClientAuthConstraints in project web3signer by ConsenSys.

From class CmdLineParamsDefaultImpl, method createServerTlsArgs.

/**
 * Builds the server-side TLS command-line arguments.
 *
 * <p>When server TLS options are configured, {@code --tls-keystore-file} and
 * {@code --tls-keystore-password-file} are always emitted (each followed by its value). Client
 * authentication is then one of two shapes: with no {@link ClientAuthConstraints} present the
 * argument list contains {@code --tls-allow-any-client=true}, i.e. any client certificate is
 * accepted; otherwise it contains {@code --tls-known-clients-file <path>} when a known-clients file
 * is set and {@code --tls-allow-ca-clients=true} when CA-authorised clients are allowed.
 *
 * @return the argument list in command-line order, empty when no server TLS options are configured
 */
private Collection<? extends String> createServerTlsArgs() {
    final List<String> args = Lists.newArrayList();
    signerConfig
        .getServerTlsOptions()
        .ifPresent(
            tls -> {
                args.addAll(
                    List.of(
                        "--tls-keystore-file",
                        tls.getKeyStoreFile().toString(),
                        "--tls-keystore-password-file",
                        tls.getKeyStorePasswordFile().toString()));
                tls.getClientAuthConstraints()
                    .ifPresentOrElse(
                        constraints -> {
                            constraints
                                .getKnownClientsFile()
                                .ifPresent(
                                    knownClients ->
                                        args.addAll(
                                            List.of("--tls-known-clients-file", knownClients.toString())));
                            if (constraints.isCaAuthorizedClientAllowed()) {
                                args.add("--tls-allow-ca-clients=true");
                            }
                        },
                        // Absent constraints map to the permissive setting: every client is accepted.
                        () -> args.add("--tls-allow-any-client=true"));
            });
    return args;
}

Example 3 with ClientAuthConstraints

use of tech.pegasys.web3signer.core.config.ClientAuthConstraints in project web3signer by ConsenSys.

From class PicoCliTlsServerOptionsValidator, method validate.

/**
 * Validates the combination of server-TLS options parsed by picocli.
 *
 * <p>Server TLS is opt-in: when neither the keystore file nor its password file is given, nothing
 * is checked. Once either is given, both are required, and the client-authentication options must
 * describe exactly one policy: either {@code --tls-allow-any-client} is set (and no known-clients
 * file or CA-clients flag accompanies it), or it is unset and at least one of
 * {@code --tls-known-clients-file} / {@code --tls-allow-ca-clients} restricts which clients are
 * accepted.
 *
 * @throws CommandLine.ParameterException when the options are inconsistent; the message names the
 *     offending options
 */
public void validate() throws CommandLine.ParameterException {
    final File keyStoreFile = picoCliTlsServerOptions.getKeyStoreFile();
    final File keyStorePasswordFile = picoCliTlsServerOptions.getKeyStorePasswordFile();
    // Neither file given: TLS is not enabled, so there is nothing further to validate.
    if (keyStoreFile == null && keyStorePasswordFile == null) {
        return;
    }
    final CommandLine commandLine = spec.commandLine();
    // A keystore without its password file (or vice versa) cannot be used.
    if (onlyOneInitialized(keyStoreFile, keyStorePasswordFile)) {
        throw new CommandLine.ParameterException(
            commandLine,
            "--tls-keystore-file must be specified together with --tls-keystore-password-file");
    }
    // NOTE(review): clientAuthConstraints is read without a null check; presumably picocli always
    // populates the group — confirm, since a null here would surface as an NPE instead of a
    // ParameterException.
    final ClientAuthConstraints constraints = picoCliTlsServerOptions.clientAuthConstraints;
    final boolean allowAnyClient = picoCliTlsServerOptions.tlsAllowAnyClient;
    final boolean restrictsClients =
        constraints.getKnownClientsFile().isPresent() || constraints.isCaAuthorizedClientAllowed();
    // "Allow any client" and a client restriction contradict each other.
    if (allowAnyClient && restrictsClients) {
        throw new CommandLine.ParameterException(
            commandLine,
            "--tls-allow-any-client cannot be set to true when --tls-known-clients-file is specified or --tls-allow-ca-clients is set to true");
    }
    // Without "allow any client" some restriction must say which clients are accepted.
    if (!allowAnyClient && !restrictsClients) {
        throw new CommandLine.ParameterException(
            commandLine,
            "--tls-known-clients-file must be specified if both --tls-allow-any-client and --tls-allow-ca-clients are set to false");
    }
}

Example 4 with ClientAuthConstraints

use of tech.pegasys.web3signer.core.config.ClientAuthConstraints in project web3signer by ConsenSys.

From class ServerSideTlsAcceptanceTest, method createTlsSigner.

/**
 * Creates a signer whose HTTP endpoint is served over TLS, for the acceptance tests.
 *
 * <p>The server presents {@code serverPresentedCerts}; its keystore password, when present, is
 * written to {@code keystore.passwd} under {@code dataPath}. When
 * {@code clientCertInServerWhitelist} is given, its fingerprint is written to
 * {@code known_clients} under {@code dataPath} and used as the server's client-auth constraint;
 * otherwise no constraint is configured. The returned signer carries a client TLS config only when
 * {@code clientExpectedCert} is given.
 *
 * @param serverPresentedCerts certificate the server presents
 * @param clientExpectedCert certificate the test client expects, or {@code null} for no client TLS
 *     config
 * @param clientCertInServerWhitelist client certificate to whitelist, or {@code null} for none
 * @param clientToPresent certificate the test client presents
 * @param fixedListenPort HTTP port the signer listens on
 * @param useConfigFile whether the signer is configured via a config file
 * @return the created signer; {@code null} is only reached if {@code fail} does not throw
 */
private Signer createTlsSigner(final TlsCertificateDefinition serverPresentedCerts, final TlsCertificateDefinition clientExpectedCert, final TlsCertificateDefinition clientCertInServerWhitelist, final TlsCertificateDefinition clientToPresent, final int fixedListenPort, final boolean useConfigFile) {
    try {
        final SignerConfigurationBuilder configBuilder =
            new SignerConfigurationBuilder()
                .withHttpPort(fixedListenPort)
                .withUseConfigFile(useConfigFile)
                .withMode("eth1");

        final Optional<ClientAuthConstraints> clientAuthConstraints;
        if (clientCertInServerWhitelist == null) {
            clientAuthConstraints = Optional.empty();
        } else {
            final Path knownClientsPath = dataPath.resolve("known_clients");
            populateFingerprintFile(knownClientsPath, clientCertInServerWhitelist, Optional.empty());
            clientAuthConstraints =
                Optional.ofNullable(BasicClientAuthConstraints.fromFile(knownClientsPath.toFile()));
        }

        final Path passwordPath = dataPath.resolve("keystore.passwd");
        final String keyStorePassword = serverPresentedCerts.getPassword();
        if (keyStorePassword != null) {
            writeString(passwordPath, keyStorePassword);
        }
        final TlsOptions serverOptions =
            new BasicTlsOptions(
                serverPresentedCerts.getPkcs12File(), passwordPath.toFile(), clientAuthConstraints);
        configBuilder.withServerTlsOptions(serverOptions);

        final ClientTlsConfig clientTlsConfig =
            clientExpectedCert == null ? null : new ClientTlsConfig(clientExpectedCert, clientToPresent);
        return new Signer(configBuilder.build(), clientTlsConfig);
    } catch (final Exception e) {
        // assumes fail() throws; the return below only satisfies the compiler — TODO confirm
        fail("Failed to create EthSigner.", e);
        return null;
    }
}
