Ericsson · masokol · Aug 4, 2023 · Aug 2, 2023
@@ -2,6 +2,7 @@
 
 ## Version 5.0.0 (Not yet released)
 
+* Validate TLS config for JMX and CQL - Issue #529
 * Add support for incremental repairs - Issue #31
 * Bump java driver from 4.14.1 to 4.17.0
 * Bump guava from 31.1 to 32.0.1 (CVE-2023-2976)

@@ -22,16 +22,15 @@
 import javax.management.remote.JMXConnector;
 
 import com.ericsson.bss.cassandra.ecchronos.application.config.connection.Connection;
+import com.ericsson.bss.cassandra.ecchronos.application.config.security.JmxTLSConfig;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import com.ericsson.bss.cassandra.ecchronos.application.config.Config;
 import com.ericsson.bss.cassandra.ecchronos.application.config.security.Credentials;
 import com.ericsson.bss.cassandra.ecchronos.application.config.security.Security;
-import com.ericsson.bss.cassandra.ecchronos.application.config.security.TLSConfig;
 import com.ericsson.bss.cassandra.ecchronos.connection.JmxConnectionProvider;
 import com.ericsson.bss.cassandra.ecchronos.connection.impl.LocalJmxConnectionProvider;
-import com.google.common.base.Joiner;
 
 public class DefaultJmxConnectionProvider implements JmxConnectionProvider
 {
@@ -70,19 +69,21 @@ public final void close() throws IOException
 
     private Map<String, String> convertTls(final Supplier<Security.JmxSecurity> jmxSecurity)
     {
-        TLSConfig tlsConfig = jmxSecurity.get().getJmxTlsConfig();
+        JmxTLSConfig tlsConfig = jmxSecurity.get().getJmxTlsConfig();
         if (!tlsConfig.isEnabled())
         {
             return new HashMap<>();
         }
 
         Map<String, String> config = new HashMap<>();
-        config.put("com.sun.management.jmxremote.ssl.enabled.protocols", tlsConfig.getProtocol());
-        String ciphers = tlsConfig.getCipherSuites()
-                .map(Joiner.on(',')::join)
-                .orElse("");
-        config.put("com.sun.management.jmxremote.ssl.enabled.cipher.suites", ciphers);
-
+        if (tlsConfig.getProtocol() != null)
+        {
+            config.put("com.sun.management.jmxremote.ssl.enabled.protocols", tlsConfig.getProtocol());
+        }
+        if (tlsConfig.getCipherSuites() != null)
+        {
+            config.put("com.sun.management.jmxremote.ssl.enabled.cipher.suites", tlsConfig.getCipherSuites());
+        }
         config.put("javax.net.ssl.keyStore", tlsConfig.getKeyStorePath());
         config.put("javax.net.ssl.keyStorePassword", tlsConfig.getKeyStorePassword());
         config.put("javax.net.ssl.trustStore", tlsConfig.getTrustStorePath());

@@ -15,7 +15,7 @@
 package com.ericsson.bss.cassandra.ecchronos.application;
 
 import com.datastax.oss.driver.api.core.metadata.EndPoint;
-import com.ericsson.bss.cassandra.ecchronos.application.config.security.TLSConfig;
+import com.ericsson.bss.cassandra.ecchronos.application.config.security.CqlTLSConfig;
 import com.ericsson.bss.cassandra.ecchronos.connection.CertificateHandler;
 import io.netty.buffer.ByteBufAllocator;
 import io.netty.handler.ssl.SslContext;
@@ -53,11 +53,11 @@ public class ReloadingCertificateHandler implements CertificateHandler
     private static final Logger LOG = LoggerFactory.getLogger(ReloadingCertificateHandler.class);
 
     private final AtomicReference<Context> currentContext = new AtomicReference<>();
-    private final Supplier<TLSConfig> tlsConfigSupplier;
+    private final Supplier<CqlTLSConfig> myCqlTLSConfigSupplier;
 
-    public ReloadingCertificateHandler(final Supplier<TLSConfig> aTLSConfigSupplier)
+    public ReloadingCertificateHandler(final Supplier<CqlTLSConfig> cqlTLSConfigSupplier)
     {
-        this.tlsConfigSupplier = aTLSConfigSupplier;
+        this.myCqlTLSConfigSupplier = cqlTLSConfigSupplier;
     }
 
     /**
@@ -70,7 +70,7 @@ public ReloadingCertificateHandler(final Supplier<TLSConfig> aTLSConfigSupplier)
     public SSLEngine newSslEngine(final EndPoint remoteEndpoint)
     {
         Context context = getContext();
-        TLSConfig tlsConfig = context.getTlsConfig();
+        CqlTLSConfig tlsConfig = context.getTlsConfig();
         SslContext sslContext = context.getSSLContext();
 
         SSLEngine sslEngine;
@@ -98,7 +98,7 @@ public SSLEngine newSslEngine(final EndPoint remoteEndpoint)
 
     protected final Context getContext()
     {
-        TLSConfig tlsConfig = tlsConfigSupplier.get();
+        CqlTLSConfig tlsConfig = myCqlTLSConfigSupplier.get();
         Context context = currentContext.get();
 
         try
@@ -114,7 +114,7 @@ protected final Context getContext()
                 {
                     context = currentContext.get();
                 }
-                tlsConfig = tlsConfigSupplier.get();
+                tlsConfig = myCqlTLSConfigSupplier.get();
             }
         }
         catch (NoSuchAlgorithmException | IOException | UnrecoverableKeyException | CertificateException
@@ -134,24 +134,24 @@ public void close() throws Exception
 
     protected static final class Context
     {
-        private final TLSConfig myTlsConfig;
+        private final CqlTLSConfig myTlsConfig;
         private final SslContext mySslContext;
         private final Map<String, String> myChecksums = new HashMap<>();
 
-        Context(final TLSConfig tlsConfig) throws NoSuchAlgorithmException, IOException, UnrecoverableKeyException,
+        Context(final CqlTLSConfig tlsConfig) throws NoSuchAlgorithmException, IOException, UnrecoverableKeyException,
                 CertificateException, KeyStoreException, KeyManagementException
         {
             myTlsConfig = tlsConfig;
             mySslContext = createSSLContext(myTlsConfig);
             myChecksums.putAll(calculateChecksums(myTlsConfig));
         }
 
-        TLSConfig getTlsConfig()
+        CqlTLSConfig getTlsConfig()
         {
             return myTlsConfig;
         }
 
-        boolean sameConfig(final TLSConfig newTLSConfig) throws IOException, NoSuchAlgorithmException
+        boolean sameConfig(final CqlTLSConfig newTLSConfig) throws IOException, NoSuchAlgorithmException
         {
             if (!myTlsConfig.equals(newTLSConfig))
             {
@@ -160,18 +160,16 @@ boolean sameConfig(final TLSConfig newTLSConfig) throws IOException, NoSuchAlgor
             return checksumSame(newTLSConfig);
         }
 
-        private boolean checksumSame(final TLSConfig newTLSConfig) throws IOException, NoSuchAlgorithmException
+        private boolean checksumSame(final CqlTLSConfig newTLSConfig) throws IOException, NoSuchAlgorithmException
         {
             return myChecksums.equals(calculateChecksums(newTLSConfig));
         }
 
-        private Map<String, String> calculateChecksums(final TLSConfig tlsConfig)
+        private Map<String, String> calculateChecksums(final CqlTLSConfig tlsConfig)
                 throws IOException, NoSuchAlgorithmException
         {
             Map<String, String> checksums = new HashMap<>();
-            if (tlsConfig.getCertificatePath().isPresent()
-                    && tlsConfig.getCertificatePrivateKeyPath().isPresent()
-                    && tlsConfig.getTrustCertificatePath().isPresent())
+            if (tlsConfig.isCertificateConfigured())
             {
                 String certificate = tlsConfig.getCertificatePath().get();
                 checksums.put(certificate, getChecksum(certificate));
@@ -203,18 +201,15 @@ SslContext getSSLContext()
         }
     }
 
-    protected static SslContext createSSLContext(final TLSConfig tlsConfig) throws IOException,
+    protected static SslContext createSSLContext(final CqlTLSConfig tlsConfig) throws IOException,
             NoSuchAlgorithmException,
             KeyStoreException,
             CertificateException,
             UnrecoverableKeyException
     {
 
         SslContextBuilder builder = SslContextBuilder.forClient();
-
-        if (tlsConfig.getCertificatePath().isPresent()
-                && tlsConfig.getCertificatePrivateKeyPath().isPresent()
-                && tlsConfig.getTrustCertificatePath().isPresent())
+        if (tlsConfig.isCertificateConfigured())
         {
             File certificateFile = new File(tlsConfig.getCertificatePath().get());
             File certificatePrivateKeyFile = new File(tlsConfig.getCertificatePrivateKeyPath().get());
@@ -237,7 +232,7 @@ protected static SslContext createSSLContext(final TLSConfig tlsConfig) throws I
         return builder.protocols(tlsConfig.getProtocols()).build();
     }
 
-    protected static KeyManagerFactory getKeyManagerFactory(final TLSConfig tlsConfig) throws IOException,
+    protected static KeyManagerFactory getKeyManagerFactory(final CqlTLSConfig tlsConfig) throws IOException,
             NoSuchAlgorithmException, KeyStoreException, CertificateException, UnrecoverableKeyException
     {
         String algorithm = tlsConfig.getAlgorithm().orElse(KeyManagerFactory.getDefaultAlgorithm());
@@ -246,14 +241,14 @@ protected static KeyManagerFactory getKeyManagerFactory(final TLSConfig tlsConfi
         try (InputStream keystoreFile = new FileInputStream(tlsConfig.getKeyStorePath()))
         {
             KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(algorithm);
-            KeyStore keyStore = KeyStore.getInstance(tlsConfig.getStoreType());
+            KeyStore keyStore = KeyStore.getInstance(tlsConfig.getStoreType().orElse("JKS"));
             keyStore.load(keystoreFile, keystorePassword);
             keyManagerFactory.init(keyStore, keystorePassword);
             return keyManagerFactory;
         }
     }
 
-    protected static TrustManagerFactory getTrustManagerFactory(final TLSConfig tlsConfig)
+    protected static TrustManagerFactory getTrustManagerFactory(final CqlTLSConfig tlsConfig)
             throws IOException, NoSuchAlgorithmException, KeyStoreException, CertificateException
     {
         String algorithm = tlsConfig.getAlgorithm().orElse(TrustManagerFactory.getDefaultAlgorithm());
@@ -262,7 +257,7 @@ protected static TrustManagerFactory getTrustManagerFactory(final TLSConfig tlsC
         try (InputStream truststoreFile = new FileInputStream(tlsConfig.getTrustStorePath()))
         {
             TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(algorithm);
-            KeyStore keyStore = KeyStore.getInstance(tlsConfig.getStoreType());
+            KeyStore keyStore = KeyStore.getInstance(tlsConfig.getStoreType().orElse("JKS"));
             keyStore.load(truststoreFile, truststorePassword);
             trustManagerFactory.init(keyStore);
             return trustManagerFactory;