Class: SslOptions

Includes:
LogStash::Util::Loggable
Defined in:
lib/logstash/inputs/tcp/compat_ssl_options.rb

Overview

Simulate a normal SslOptions builder:

ssl_context = SslOptions.builder
  .set_is_ssl_enabled(@ssl_enable)
  .set_should_verify(@ssl_verify)
  .set_ssl_cert(@ssl_cert)
  .set_ssl_key(@ssl_key)
  .set_ssl_key_passphrase(@ssl_key_passphrase.value)
  .set_ssl_extra_chain_certs(@ssl_extra_chain_certs.to_java(:string))
  .set_ssl_certificate_authorities(@ssl_certificate_authorities.to_java(:string))
  .build.toSslContext()


Class Method Details

.builder ⇒ Object




# Starts a builder chain. There is no separate builder object: the options
# instance itself exposes the fluent set_* methods and `build` returns it.
#
# @return [SslOptions] a new, unconfigured instance
def self.builder
  self.new
end

Instance Method Details

#build ⇒ Object




# Terminal step of the builder chain. This compat shim is its own product,
# so nothing is constructed here; callers continue with `toSslContext`.
#
# @return [SslOptions] self
def build
  self
end

#set_is_ssl_enabled(boolean) ⇒ Object




# Records whether TLS is enabled at all. When false, `toSslContext` returns nil
# instead of building a context.
#
# @param boolean [Boolean] the ssl_enable setting
# @return [SslOptions] self, for chaining
def set_is_ssl_enabled(boolean)
  tap { @ssl_enabled = boolean }
end

#set_should_verify(boolean) ⇒ Object




# Records whether peers must present a client certificate. In `toSslContext`
# a truthy value selects ClientAuth::REQUIRE, anything else ClientAuth::NONE.
#
# @param boolean [Boolean] the ssl_verify setting
# @return [SslOptions] self, for chaining
def set_should_verify(boolean)
  tap { @ssl_verify = boolean }
end

#set_ssl_cert(path) ⇒ Object




# Records the server certificate location. The file is only read later, in
# `toSslContext`, where it becomes the first entry of the certificate chain.
#
# @param path [String] path to the server certificate (PEM)
# @return [SslOptions] self, for chaining
def set_ssl_cert(path)
  tap { @ssl_cert_path = path }
end

#set_ssl_certificate_authorities(certs) ⇒ Object




# Records the CA certificate files used to validate client certificates.
# The collection is iterated with `each` in `toSslContext`; the overview
# example passes a Java String[] (`to_java(:string)`).
#
# @param certs [#each] paths of CA certificate files (PEM)
# @return [SslOptions] self, for chaining
def set_ssl_certificate_authorities(certs)
  tap { @ssl_certificate_authorities = certs }
end

#set_ssl_extra_chain_certs(certs) ⇒ Object




# Records the intermediate certificate files appended, in the order given,
# after the server certificate when `toSslContext` assembles the chain.
#
# @param certs [#each] paths of intermediate certificate files (PEM)
# @return [SslOptions] self, for chaining
def set_ssl_extra_chain_certs(certs)
  tap { @ssl_extra_chain_certs = certs }
end

#set_ssl_key(path) ⇒ Object




# Records the private key location. `toSslContext` parses the file with a
# PEM parser and accepts PKCS#1 or PKCS#8, encrypted or not.
#
# @param path [String] path to the private key file (PEM)
# @return [SslOptions] self, for chaining
def set_ssl_key(path)
  tap { @ssl_key_path = path }
end

#set_ssl_key_passphrase(passphrase) ⇒ Object




# Records the passphrase used to decrypt an encrypted private key. It is kept
# as given (the overview passes the unwrapped `.value` of the password
# setting) and only consulted in `toSslContext` for encrypted key formats.
#
# @param passphrase [String] the plaintext key passphrase
# @return [SslOptions] self, for chaining
def set_ssl_key_passphrase(passphrase)
  tap { @ssl_key_passphrase = passphrase }
end

#toSslContext ⇒ Object




# Builds the Netty server SslContext from the options collected by the set_* methods:
# server certificate + extra chain certs as the key's certificate chain, the private
# key (PKCS#1/PKCS#8, optionally encrypted with the passphrase), the CA files as the
# trust store, and ssl_verify as the client-auth mode.
#
# @return [SslContext, nil] nil when SSL is not enabled, otherwise the built context
# @raise [RuntimeError] when the first PEM object in ssl_key is not one of the four
#   supported key encodings
def toSslContext
  return nil unless @ssl_enabled

  # Check key strength: only a warning, the build still proceeds with a 128-bit cap
  logger.warn("JCE Unlimited Strength Jurisdiction Policy not installed - max key length is 128 bits") unless Cipher.getMaxAllowedKeyLength("AES") > 128
  # create certificate object
  cf = java.security.cert.CertificateFactory.getInstance("X.509")
  cert_chain = []
  # The server certificate goes first; extra chain certs are appended below.
  # fetch_certificates_from_file is defined elsewhere in this file — it is assumed
  # to yield every certificate parsed from the given path.
  fetch_certificates_from_file(@ssl_cert_path, cf) do |cert|
    cert_chain << cert
  end

  # convert key from pkcs1 to pkcs8 and get PrivateKey object
  # NOTE(review): the FileReader is never closed explicitly; it is left to finalization.
  pem_parser = PEMParser.new(java.io.FileReader.new(@ssl_key_path))
  # Registered on every call; the JCE provider list is process-wide state.
  java.security.Security.addProvider(BouncyCastleProvider.new)
  converter = JcaPEMKeyConverter.new
  # Dispatch on the concrete type of the first PEM object. Only the two encrypted
  # branches touch @ssl_key_passphrase.
  case obj = pem_parser.readObject
  when PEMKeyPair # unencrypted pkcs#1
    private_key = converter.getKeyPair(obj).private
  when PrivateKeyInfo # unencrypted pkcs#8
    private_key = converter.getPrivateKey(obj)
  when PEMEncryptedKeyPair # encrypted pkcs#1
    # NOTE(review): a nil passphrase fails here with NoMethodError on to_java rather
    # than a clear configuration error; the char array is also never zeroed after use.
    key_char_array = @ssl_key_passphrase.to_java.toCharArray
    decryptor = JcePEMDecryptorProviderBuilder.new.build(key_char_array)
    key_pair = obj.decryptKeyPair(decryptor)
    private_key = converter.getKeyPair(key_pair).private
  when PKCS8EncryptedPrivateKeyInfo # encrypted pkcs#8
    # Same passphrase handling as the PKCS#1 branch above.
    key_char_array = @ssl_key_passphrase.to_java.toCharArray
    key = JceOpenSSLPKCS8DecryptorProviderBuilder.new.build(key_char_array)
    private_key = converter.getPrivateKey(obj.decryptPrivateKeyInfo(key))
  else
    # Any other object (presumably nil when the file held no PEM object) aborts the
    # build instead of starting the input without a usable key.
    raise "Could not recognize 'ssl_key' format. Class: #{obj.class}"
  end

  # Intermediates are appended in the order the files were given.
  @ssl_extra_chain_certs.each do |file|
    fetch_certificates_from_file(file, cf) do |cert|
      cert_chain << cert
    end
  end
  # The key is already decrypted above; the passphrase is still forwarded as the
  # builder's key-password argument.
  sslContextBuilder = SslContextBuilder.forServer(private_key, @ssl_key_passphrase, cert_chain.to_java(X509Certificate))

  trust_certs = []

  @ssl_certificate_authorities.each do |file|
    fetch_certificates_from_file(file, cf) do |cert|
      trust_certs << cert
    end
  end

  # NOTE(review): when no CA files are configured, no trust manager is installed and
  # the builder's default trust store governs client-certificate validation even
  # with ssl_verify on — confirm that is the intended behaviour.
  if trust_certs.any?
    sslContextBuilder.trustManager(trust_certs.to_java(X509Certificate))
  end

  # ssl_verify maps to mandatory client certificates (REQUIRE); otherwise clients are
  # not asked for one (NONE). There is no OPTIONAL mode exposed by this shim.
  sslContextBuilder.clientAuth(@ssl_verify ? ClientAuth::REQUIRE : ClientAuth::NONE)
  sslContextBuilder.build()
end