Java tutorial
/*- * -\-\- * docker-client * -- * Copyright (C) 2016 Spotify AB * -- * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. * -/-/- */ package com.spotify.docker.client; import com.google.common.base.Optional; import com.spotify.docker.client.exceptions.DockerCertificateException; import java.io.BufferedReader; import java.io.IOException; import java.io.InputStream; import java.nio.charset.Charset; import java.nio.file.Files; import java.nio.file.Path; import java.security.KeyFactory; import java.security.KeyManagementException; import java.security.KeyStore; import java.security.KeyStoreException; import java.security.NoSuchAlgorithmException; import java.security.PrivateKey; import java.security.UnrecoverableKeyException; import java.security.cert.Certificate; import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; import java.security.spec.InvalidKeySpecException; import java.security.spec.PKCS8EncodedKeySpec; import java.util.ArrayList; import java.util.List; import javax.net.ssl.HostnameVerifier; import javax.net.ssl.SSLContext; import org.apache.http.conn.ssl.NoopHostnameVerifier; import org.apache.http.ssl.SSLContexts; import org.bouncycastle.asn1.pkcs.PrivateKeyInfo; import org.bouncycastle.openssl.PEMKeyPair; import org.bouncycastle.openssl.PEMParser; import org.slf4j.Logger; import org.slf4j.LoggerFactory; /** * DockerCertificates holds certificates for connecting to an HTTPS-secured Docker instance with * client/server authentication. */ public class DockerCertificates implements DockerCertificatesStore { public static final String DEFAULT_CA_CERT_NAME = "ca.pem"; public static final String DEFAULT_CLIENT_CERT_NAME = "cert.pem"; public static final String DEFAULT_CLIENT_KEY_NAME = "key.pem"; private static final char[] KEY_STORE_PASSWORD = "docker!!11!!one!".toCharArray(); private static final Logger log = LoggerFactory.getLogger(DockerCertificates.class); private final SSLContext sslContext; public DockerCertificates(final Path dockerCertPath) throws DockerCertificateException { this(new Builder().dockerCertPath(dockerCertPath)); } private DockerCertificates(final Builder builder) throws DockerCertificateException { if ((builder.caCertPath == null) || (builder.clientCertPath == null) || (builder.clientKeyPath == null)) { throw new DockerCertificateException( "caCertPath, clientCertPath, and clientKeyPath must all be specified"); } try { final PrivateKey clientKey = readPrivateKey(builder.clientKeyPath); final List<Certificate> clientCerts = readCertificates(builder.clientCertPath); final KeyStore keyStore = newKeyStore(); keyStore.setKeyEntry("key", clientKey, KEY_STORE_PASSWORD, clientCerts.toArray(new Certificate[clientCerts.size()])); final List<Certificate> caCerts = readCertificates(builder.caCertPath); final KeyStore trustStore = newKeyStore(); for (Certificate caCert : caCerts) { X509Certificate crt = (X509Certificate) caCert; String alias = crt.getSubjectX500Principal().getName(); trustStore.setCertificateEntry(alias, caCert); } this.sslContext = builder.sslContextFactory.newSslContext(keyStore, KEY_STORE_PASSWORD, trustStore); } catch (DockerCertificateException e) { throw e; } catch (CertificateException | IOException | NoSuchAlgorithmException | InvalidKeySpecException | KeyStoreException | UnrecoverableKeyException | KeyManagementException e) { throw new DockerCertificateException(e); } } private KeyStore newKeyStore() throws CertificateException, NoSuchAlgorithmException, IOException, KeyStoreException { final KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType()); keyStore.load(null); return keyStore; } private PrivateKey readPrivateKey(Path file) throws IOException, InvalidKeySpecException, NoSuchAlgorithmException, DockerCertificateException { try (BufferedReader reader = Files.newBufferedReader(file, Charset.defaultCharset()); PEMParser pemParser = new PEMParser(reader)) { final Object readObject = pemParser.readObject(); if (readObject instanceof PEMKeyPair) { PEMKeyPair clientKeyPair = (PEMKeyPair) readObject; return generatePrivateKey(clientKeyPair.getPrivateKeyInfo()); } else if (readObject instanceof PrivateKeyInfo) { return generatePrivateKey((PrivateKeyInfo) readObject); } throw new DockerCertificateException("Can not generate private key from file: " + file.toString()); } } private static PrivateKey generatePrivateKey(PrivateKeyInfo privateKeyInfo) throws IOException, InvalidKeySpecException, NoSuchAlgorithmException { final PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(privateKeyInfo.getEncoded()); final KeyFactory kf = KeyFactory.getInstance("RSA"); return kf.generatePrivate(spec); } private List<Certificate> readCertificates(Path file) throws CertificateException, IOException { try (InputStream inputStream = Files.newInputStream(file)) { final CertificateFactory cf = CertificateFactory.getInstance("X.509"); return new ArrayList<>(cf.generateCertificates(inputStream)); } } public SSLContext sslContext() { return this.sslContext; } public HostnameVerifier hostnameVerifier() { return NoopHostnameVerifier.INSTANCE; } public interface SslContextFactory { SSLContext newSslContext(KeyStore keyStore, char[] keyPassword, KeyStore trustStore) throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException, KeyManagementException; } private static class DefaultSslContextFactory implements SslContextFactory { @Override public SSLContext newSslContext(KeyStore keyStore, char[] keyPassword, KeyStore trustStore) throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException, KeyManagementException { return SSLContexts.custom().loadTrustMaterial(trustStore, null).loadKeyMaterial(keyStore, keyPassword) .build(); } } public static Builder builder() { return new Builder(); } public static class Builder { private SslContextFactory sslContextFactory = new DefaultSslContextFactory(); private Path caCertPath; private Path clientKeyPath; private Path clientCertPath; public Builder dockerCertPath(final Path dockerCertPath) { this.caCertPath = dockerCertPath.resolve(DEFAULT_CA_CERT_NAME); this.clientKeyPath = dockerCertPath.resolve(DEFAULT_CLIENT_KEY_NAME); this.clientCertPath = dockerCertPath.resolve(DEFAULT_CLIENT_CERT_NAME); return this; } public Builder caCertPath(final Path caCertPath) { this.caCertPath = caCertPath; return this; } public Builder clientKeyPath(final Path clientKeyPath) { this.clientKeyPath = clientKeyPath; return this; } public Builder clientCertPath(final Path clientCertPath) { this.clientCertPath = clientCertPath; return this; } public Builder sslFactory(final SslContextFactory sslContextFactory) { this.sslContextFactory = sslContextFactory; return this; } public Optional<DockerCertificatesStore> build() throws DockerCertificateException { if (this.caCertPath == null || this.clientKeyPath == null || this.clientCertPath == null) { log.debug("caCertPath, clientKeyPath or clientCertPath not specified, not using SSL"); return Optional.absent(); } else if (Files.exists(this.caCertPath) && Files.exists(this.clientKeyPath) && Files.exists(this.clientCertPath)) { return Optional.of((DockerCertificatesStore) new DockerCertificates(this)); } else { log.debug("{}, {} or {} does not exist, not using SSL", this.caCertPath, this.clientKeyPath, this.clientCertPath); return Optional.absent(); } } } }