Package com.intel.mtwilson.tls



   
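    /**
     * Maps a policy name stored with a host record to a {@link TlsPolicy} backed by
     * the given keystore.
     *
     * Names are matched with {@code equalsIgnoreCase}, which folds case per character
     * independently of the JVM default locale. The previous {@code toUpperCase()} call
     * was locale-dependent, so under a locale such as tr_TR a lower-case name
     * containing 'i' would not have matched any policy and would have been rejected.
     *
     * @param tlsPolicyName one of TRUST_CA_VERIFY_HOSTNAME, TRUST_FIRST_CERTIFICATE,
     *        TRUST_KNOWN_CERTIFICATE or INSECURE, in any case. A {@code null} name is
     *        treated as TRUST_FIRST_CERTIFICATE for records written before a policy was
     *        stored; that is a trust-on-first-use default, weaker than
     *        TRUST_CA_VERIFY_HOSTNAME, and is kept only for backwards compatibility.
     * @param tlsKeystore keystore that backs the certificate repository for the three
     *        certificate-based policies; not consulted for INSECURE
     * @return the policy selected by {@code tlsPolicyName}
     * @throws IllegalArgumentException if the name is not one of the known policies
     */
    private TlsPolicy getTlsPolicy(String tlsPolicyName, SimpleKeystore tlsKeystore) {
        // XXX backwards compatibility with records that don't have a policy set; the
        // DAO that supplies the txthost object would be a better place for this default.
        String name = (tlsPolicyName == null) ? "TRUST_FIRST_CERTIFICATE" : tlsPolicyName;
        if( name.equalsIgnoreCase("TRUST_CA_VERIFY_HOSTNAME") ) {
            return new TrustCaAndVerifyHostnameTlsPolicy(new KeystoreCertificateRepository(tlsKeystore));
        }
        if( name.equalsIgnoreCase("TRUST_FIRST_CERTIFICATE") ) {
            return new TrustFirstCertificateTlsPolicy(new KeystoreCertificateRepository(tlsKeystore));
        }
        if( name.equalsIgnoreCase("TRUST_KNOWN_CERTIFICATE") ) {
            return new TrustKnownCertificateTlsPolicy(new KeystoreCertificateRepository(tlsKeystore));
        }
        if( name.equalsIgnoreCase("INSECURE") ) {
            // no certificate checks at all; callers must opt in explicitly by name
            return new InsecureTlsPolicy();
        }
        // fail closed: an unrecognised name never silently degrades to a weaker policy
        throw new IllegalArgumentException("Unknown TLS Policy: "+tlsPolicyName);
    }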


            // no 1.1 policy name, so use 1.0-RC2 settings to pick a policy
            boolean requireTrustedCertificate = config.getBoolean("mtwilson.api.ssl.requireTrustedCertificate", true);
            boolean verifyHostname = config.getBoolean("mtwilson.api.ssl.verifyHostname", true);
            if( requireTrustedCertificate && verifyHostname ) {
                log.warn("Using TLS Policy TRUST_CA_VERIFY_HOSTNAME");
                return new TrustCaAndVerifyHostnameTlsPolicy(new KeystoreCertificateRepository(sslKeystore));
            }
            else if( requireTrustedCertificate && !verifyHostname ) {
                // two choices: trust first certificate or trust known certificate;  we choose trust first certificate as a usability default
                // furthermore we assume that the api client keystore is a server-specific keystore (it's a client configured for a specific mt wilson server)
                // that either has a server instance ssl cert or a cluster ssl cert.  either should work.
                log.warn("Using TLS Policy TRUST_FIRST_CERTIFICATE");
                return new TrustFirstCertificateTlsPolicy(new KeystoreCertificateRepository(sslKeystore));
            }
            else { // !requireTrustedCertificate && (verifyHostname || !verifyHostname)
                log.warn("Using TLS Policy TRUST_FIRST_INSECURE");
                return new InsecureTlsPolicy();
            }
        }
        else if( tlsPolicyName.equals("TRUST_CA_VERIFY_HOSTNAME") ) {
            log.info("TLS Policy: TRUST_CA_VERIFY_HOSTNAME");
            return new TrustCaAndVerifyHostnameTlsPolicy(new KeystoreCertificateRepository(sslKeystore));
        }
        else if( tlsPolicyName.equals("TRUST_FIRST_CERTIFICATE") ) {
            log.info("TLS Policy: TRUST_FIRST_CERTIFICATE");
            return new TrustFirstCertificateTlsPolicy(new KeystoreCertificateRepository(sslKeystore));
        }
        else if( tlsPolicyName.equals("TRUST_KNOWN_CERTIFICATE") ) {
            log.info("TLS Policy: TRUST_KNOWN_CERTIFICATE");
            return new TrustKnownCertificateTlsPolicy(new KeystoreCertificateRepository(sslKeystore));
        }
        else if( tlsPolicyName.equals("INSECURE") ) {
            log.warn("TLS Policy: INSECURE");
            return new InsecureTlsPolicy();
        }
        else {
            // unrecognized 1.1 policy defined, so use a secure default
            log.error("Unknown TLS Policy Name: {}", tlsPolicyName);
            return new TrustCaAndVerifyHostnameTlsPolicy(new KeystoreCertificateRepository(sslKeystore));
        }
    }
