zookeeper-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From an...@apache.org
Subject [2/2] zookeeper git commit: ZOOKEEPER-3173: Quorum TLS - support PEM trust/key stores
Date Wed, 07 Nov 2018 01:30:09 GMT
ZOOKEEPER-3173: Quorum TLS - support PEM trust/key stores

Add support for loading key and trust stores from PEM files.

Unfortunately, this PR includes 2 JIRAs, because it was quite difficult
to untangle the two features as they were developed at the same time
originally:

- ZOOKEEPER-3173: Quorum TLS - support PEM trust/key stores
- ZOOKEEPER-3175: Quorum TLS - test improvements

## Added support for PEM formatted key stores and trust stores
- key store and trust store files can now be in PEM format as well as JKS.
- Added config properties to tell ZK what type of trust/key store to load:
- `zookeeper.ssl.keyStore.type` and `zookeeper.ssl.trustStore.type` for ClientX509Util
- `zookeeper.ssl.quorum.keyStore.type` and `zookeeper.ssl.quorum.trustStore.type` for QuorumX509Util
- store type properties could have the values "JKS", "PEM", or not set
- leaving the type properties unset will cause auto-detection of the store type based on the file extension (".jks" or ".pem")

## Added test utilities for easily creating X509 certs and using them in unit tests
- added new class `X509TestContext` and its friend, `X509TestHelpers`
- rewrote some existing unit tests to use these classes, and added new tests that use them
- some existing tests (i.e. `QuorumSSLTest`) should probably be ported to use this as well, haven't got around to it yet

Author: Ilya Maykov <ilyam@fb.com>

Reviewers: andor@apache.org

Closes #678 from ivmaykov/ZOOKEEPER-3173

(cherry picked from commit 03286f29d29f4c1d3496ce87d1441df91422220e)
Signed-off-by: Andor Molnar <andor@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/zookeeper/repo
Commit: http://git-wip-us.apache.org/repos/asf/zookeeper/commit/39fbc58f
Tree: http://git-wip-us.apache.org/repos/asf/zookeeper/tree/39fbc58f
Diff: http://git-wip-us.apache.org/repos/asf/zookeeper/diff/39fbc58f

Branch: refs/heads/branch-3.5
Commit: 39fbc58f17b373a73ce529f1417678d2f4e41009
Parents: 427f136
Author: Ilya Maykov <ilyam@fb.com>
Authored: Tue Nov 6 17:29:49 2018 -0800
Committer: Andor Molnar <andor@apache.org>
Committed: Tue Nov 6 17:30:04 2018 -0800

----------------------------------------------------------------------
 NOTICE.txt                                      |   6 +
 .../zookeeper/common/FileKeyStoreLoader.java    |  77 +++
 .../FileKeyStoreLoaderBuilderProvider.java      |  45 ++
 .../apache/zookeeper/common/JKSFileLoader.java  |  94 ++++
 .../zookeeper/common/KeyStoreFileType.java      | 114 +++++
 .../apache/zookeeper/common/KeyStoreLoader.java |  52 ++
 .../apache/zookeeper/common/PEMFileLoader.java  |  64 +++
 .../org/apache/zookeeper/common/X509Util.java   | 201 +++++---
 .../org/apache/zookeeper/common/ZKConfig.java   |   4 +
 .../server/auth/X509AuthenticationProvider.java |  39 +-
 .../org/apache/zookeeper/util/PemReader.java    | 236 +++++++++
 .../common/BaseX509ParameterizedTestCase.java   | 109 ++++
 .../FileKeyStoreLoaderBuilderProviderTest.java  |  46 ++
 .../zookeeper/common/JKSFileLoaderTest.java     | 165 +++++++
 .../zookeeper/common/KeyStoreFileTypeTest.java  |  90 ++++
 .../zookeeper/common/PEMFileLoaderTest.java     | 156 ++++++
 .../apache/zookeeper/common/X509KeyType.java    |  26 +
 .../zookeeper/common/X509TestContext.java       | 492 +++++++++++++++++++
 .../zookeeper/common/X509TestHelpers.java       | 402 +++++++++++++++
 .../apache/zookeeper/common/X509UtilTest.java   | 352 ++++++++-----
 .../apache/zookeeper/util/PemReaderTest.java    | 137 ++++++
 21 files changed, 2676 insertions(+), 231 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/zookeeper/blob/39fbc58f/NOTICE.txt
----------------------------------------------------------------------
diff --git a/NOTICE.txt b/NOTICE.txt
index 1ae3351..4fde4cc 100644
--- a/NOTICE.txt
+++ b/NOTICE.txt
@@ -3,3 +3,9 @@ Copyright 2009-2018 The Apache Software Foundation
 
 This product includes software developed at
 The Apache Software Foundation (http://www.apache.org/).
+
+This product includes software components originally
+developed for Airlift (https://github.com/airlift/airlift),
+licensed under the Apache 2.0 license. The licensing terms
+for Airlift code can be found at:
+https://github.com/airlift/airlift/blob/master/LICENSE

http://git-wip-us.apache.org/repos/asf/zookeeper/blob/39fbc58f/zookeeper-server/src/main/java/org/apache/zookeeper/common/FileKeyStoreLoader.java
----------------------------------------------------------------------
diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/common/FileKeyStoreLoader.java b/zookeeper-server/src/main/java/org/apache/zookeeper/common/FileKeyStoreLoader.java
new file mode 100644
index 0000000..6cc37b6
--- /dev/null
+++ b/zookeeper-server/src/main/java/org/apache/zookeeper/common/FileKeyStoreLoader.java
@@ -0,0 +1,77 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.zookeeper.common;
+
+import java.util.Objects;
+
+/**
+ * Base class for instances of {@link KeyStoreLoader} which load the key/trust
+ * stores from files on a filesystem.
+ */
+abstract class FileKeyStoreLoader implements KeyStoreLoader {
+    final String keyStorePath;
+    final String trustStorePath;
+    final String keyStorePassword;
+    final String trustStorePassword;
+
+    FileKeyStoreLoader(String keyStorePath,
+                       String trustStorePath,
+                       String keyStorePassword,
+                       String trustStorePassword) {
+        this.keyStorePath = keyStorePath;
+        this.trustStorePath = trustStorePath;
+        this.keyStorePassword = keyStorePassword;
+        this.trustStorePassword = trustStorePassword;
+    }
+
+    /**
+     * Base class for builder pattern used by subclasses.
+     * @param <T> the subtype of FileKeyStoreLoader created by the Builder.
+     */
+    static abstract class Builder<T extends FileKeyStoreLoader> {
+        String keyStorePath;
+        String trustStorePath;
+        String keyStorePassword;
+        String trustStorePassword;
+
+        Builder() {}
+
+        Builder<T> setKeyStorePath(String keyStorePath) {
+            this.keyStorePath = Objects.requireNonNull(keyStorePath);
+            return this;
+        }
+
+        Builder<T> setTrustStorePath(String trustStorePath) {
+            this.trustStorePath = Objects.requireNonNull(trustStorePath);
+            return this;
+        }
+
+        Builder<T> setKeyStorePassword(String keyStorePassword) {
+            this.keyStorePassword = Objects.requireNonNull(keyStorePassword);
+            return this;
+        }
+
+        Builder<T> setTrustStorePassword(String trustStorePassword) {
+            this.trustStorePassword = Objects.requireNonNull(trustStorePassword);
+            return this;
+        }
+
+        abstract T build();
+    }
+}

http://git-wip-us.apache.org/repos/asf/zookeeper/blob/39fbc58f/zookeeper-server/src/main/java/org/apache/zookeeper/common/FileKeyStoreLoaderBuilderProvider.java
----------------------------------------------------------------------
diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/common/FileKeyStoreLoaderBuilderProvider.java b/zookeeper-server/src/main/java/org/apache/zookeeper/common/FileKeyStoreLoaderBuilderProvider.java
new file mode 100644
index 0000000..bcbefe2
--- /dev/null
+++ b/zookeeper-server/src/main/java/org/apache/zookeeper/common/FileKeyStoreLoaderBuilderProvider.java
@@ -0,0 +1,45 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.zookeeper.common;
+
+import java.util.Objects;
+
+public class FileKeyStoreLoaderBuilderProvider {
+    /**
+     * Returns a {@link FileKeyStoreLoader.Builder} that can build a loader
+     * which loads keys and certs from files of the given
+     * {@link KeyStoreFileType}.
+     *
+     * @param type the file type to load keys/certs from.
+     * @return a new Builder.
+     */
+    static FileKeyStoreLoader.Builder<? extends FileKeyStoreLoader>
+    getBuilderForKeyStoreFileType(KeyStoreFileType type) {
+        switch (Objects.requireNonNull(type)) {
+            case JKS:
+                return new JKSFileLoader.Builder();
+            case PEM:
+                return new PEMFileLoader.Builder();
+            default:
+                throw new AssertionError(
+                        "Unexpected StoreFileType: " + type.name());
+        }
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/zookeeper/blob/39fbc58f/zookeeper-server/src/main/java/org/apache/zookeeper/common/JKSFileLoader.java
----------------------------------------------------------------------
diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/common/JKSFileLoader.java b/zookeeper-server/src/main/java/org/apache/zookeeper/common/JKSFileLoader.java
new file mode 100644
index 0000000..f391c7b
--- /dev/null
+++ b/zookeeper-server/src/main/java/org/apache/zookeeper/common/JKSFileLoader.java
@@ -0,0 +1,94 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.zookeeper.common;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Implementation of {@link FileKeyStoreLoader} that loads from JKS files.
+ */
+class JKSFileLoader extends FileKeyStoreLoader {
+    private static final Logger LOG = LoggerFactory.getLogger(JKSFileLoader.class);
+
+    private static final char[] EMPTY_CHAR_ARRAY = new char[0];
+    private static final String JKS_KEY_STORE_TYPE = "JKS";
+
+    private JKSFileLoader(String keyStorePath,
+                          String trustStorePath,
+                          String keyStorePassword,
+                          String trustStorePassword) {
+        super(keyStorePath, trustStorePath, keyStorePassword, trustStorePassword);
+    }
+
+    @Override
+    public KeyStore loadKeyStore() throws IOException, GeneralSecurityException {
+        KeyStore ks = KeyStore.getInstance(JKS_KEY_STORE_TYPE);
+        InputStream inputStream = null;
+        try {
+            inputStream = new FileInputStream(new File(keyStorePath));
+            ks.load(inputStream, passwordStringToCharArray(keyStorePassword));
+            return ks;
+        } finally {
+            forceClose(inputStream);
+        }
+    }
+
+    @Override
+    public KeyStore loadTrustStore() throws IOException, GeneralSecurityException {
+        KeyStore ts = KeyStore.getInstance(JKS_KEY_STORE_TYPE);
+        InputStream inputStream = null;
+        try {
+            inputStream = new FileInputStream(new File(trustStorePath));
+            ts.load(inputStream, passwordStringToCharArray(trustStorePassword));
+            return ts;
+        } finally {
+            forceClose(inputStream);
+        }
+    }
+
+    private char[] passwordStringToCharArray(String password) {
+        return password == null ? EMPTY_CHAR_ARRAY : password.toCharArray();
+    }
+
+    private void forceClose(InputStream stream) {
+        if (stream == null) {
+            return;
+        }
+        try {
+            stream.close();
+        } catch (IOException e) {
+            LOG.info("Failed to close key store input stream", e);
+        }
+    }
+
+    static class Builder extends FileKeyStoreLoader.Builder<JKSFileLoader> {
+        @Override
+        JKSFileLoader build() {
+            return new JKSFileLoader(keyStorePath, trustStorePath, keyStorePassword, trustStorePassword);
+        }
+    }
+}

http://git-wip-us.apache.org/repos/asf/zookeeper/blob/39fbc58f/zookeeper-server/src/main/java/org/apache/zookeeper/common/KeyStoreFileType.java
----------------------------------------------------------------------
diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/common/KeyStoreFileType.java b/zookeeper-server/src/main/java/org/apache/zookeeper/common/KeyStoreFileType.java
new file mode 100644
index 0000000..f006468
--- /dev/null
+++ b/zookeeper-server/src/main/java/org/apache/zookeeper/common/KeyStoreFileType.java
@@ -0,0 +1,114 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.zookeeper.common;
+
+/**
+ * This enum represents the file type of a KeyStore or TrustStore.
+ * Currently, JKS (java keystore) and PEM types are supported.
+ */
+public enum KeyStoreFileType {
+    // TODO: consider adding support for PKCS12
+    JKS(".jks"), PEM(".pem");
+
+    private final String defaultFileExtension;
+
+    KeyStoreFileType(String defaultFileExtension) {
+        this.defaultFileExtension = defaultFileExtension;
+    }
+
+    /**
+     * The property string that specifies that a key store or trust store
+     * should use this store file type.
+     */
+    public String getPropertyValue() {
+        return this.name();
+    }
+
+    /**
+     * The file extension that is associated with this file type.
+     */
+    public String getDefaultFileExtension() {
+        return defaultFileExtension;
+    }
+
+    /**
+     * Converts a property value to a StoreFileType enum. If the property value
+     * is <code>null</code> or an empty string, returns <code>null</code>.
+     * @param propertyValue the property value.
+     * @return the KeyStoreFileType, or <code>null</code> if
+     *         <code>propertyValue</code> is <code>null</code> or empty.
+     * @throws IllegalArgumentException if <code>propertyValue</code> is not
+     *         one of "JKS", "PEM", or empty/null.
+     */
+    public static KeyStoreFileType fromPropertyValue(String propertyValue) {
+        if (propertyValue == null || propertyValue.length() == 0) {
+            return null;
+        }
+        return KeyStoreFileType.valueOf(propertyValue.toUpperCase());
+    }
+
+    /**
+     * Detects the type of KeyStore / TrustStore file from the file extension.
+     * If the file name ends with ".jks", returns <code>StoreFileType.JKS</code>.
+     * If the file name ends with ".pem", returns <code>StoreFileType.PEM</code>.
+     * Otherwise, throws an IllegalArgumentException.
+     * @param filename the filename of the key store or trust store file.
+     * @return a KeyStoreFileType.
+     * @throws IllegalArgumentException if the filename does not end with
+     *         ".jks" or ".pem".
+     */
+    public static KeyStoreFileType fromFilename(String filename) {
+        int i = filename.lastIndexOf('.');
+        if (i >= 0) {
+            String extension = filename.substring(i);
+            for (KeyStoreFileType storeFileType : KeyStoreFileType.values()) {
+                if (storeFileType.getDefaultFileExtension().equals(extension)) {
+                    return storeFileType;
+                }
+            }
+        }
+        throw new IllegalArgumentException(
+                "Unable to auto-detect store file type from file name: " + filename);
+    }
+
+    /**
+     * If <code>propertyValue</code> is not null or empty, returns the result
+     * of <code>KeyStoreFileType.fromPropertyValue(propertyValue)</code>. Else,
+     * returns the result of <code>KeyStoreFileType.fromFileName(filename)</code>.
+     * @param propertyValue property value describing the KeyStoreFileType, or
+     *                      null/empty to auto-detect the type from the file
+     *                      name.
+     * @param filename file name of the key store file. The file extension is
+     *                 used to auto-detect the KeyStoreFileType when
+     *                 <code>propertyValue</code> is null or empty.
+     * @return a KeyStoreFileType.
+     * @throws IllegalArgumentException if <code>propertyValue</code> is not
+     *         one of "JKS", "PEM", or empty/null.
+     * @throws IllegalArgumentException if <code>propertyValue</code>is empty
+     *         or null and the type could not be determined from the file name.
+     */
+    public static KeyStoreFileType fromPropertyValueOrFileName(String propertyValue,
+                                                               String filename) {
+        KeyStoreFileType result = KeyStoreFileType.fromPropertyValue(propertyValue);
+        if (result == null) {
+            result = KeyStoreFileType.fromFilename(filename);
+        }
+        return result;
+    }
+}

http://git-wip-us.apache.org/repos/asf/zookeeper/blob/39fbc58f/zookeeper-server/src/main/java/org/apache/zookeeper/common/KeyStoreLoader.java
----------------------------------------------------------------------
diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/common/KeyStoreLoader.java b/zookeeper-server/src/main/java/org/apache/zookeeper/common/KeyStoreLoader.java
new file mode 100644
index 0000000..ad5d9d0
--- /dev/null
+++ b/zookeeper-server/src/main/java/org/apache/zookeeper/common/KeyStoreLoader.java
@@ -0,0 +1,52 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.zookeeper.common;
+
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+
+/**
+ * An interface for an object that can load key stores or trust stores.
+ */
+interface KeyStoreLoader {
+    /**
+     * Loads a KeyStore which contains at least one private key and the
+     * associated X509 cert chain.
+     *
+     * @return a new KeyStore
+     * @throws IOException if loading the key store fails due to an IO error,
+     *         such as "file not found".
+     * @throws GeneralSecurityException if loading the key store fails due to
+     *         a security error, such as "unsupported crypto algorithm".
+     */
+    KeyStore loadKeyStore() throws IOException, GeneralSecurityException;
+
+    /**
+     * Loads a KeyStore which contains at least one X509 cert chain for a
+     * trusted Certificate Authority (CA).
+     *
+     * @return a new KeyStore
+     * @throws IOException if loading the trust store fails due to an IO error,
+     *         such as "file not found".
+     * @throws GeneralSecurityException if loading the trust store fails due to
+     *         a security error, such as "unsupported crypto algorithm".
+     */
+    KeyStore loadTrustStore() throws IOException, GeneralSecurityException;
+}

http://git-wip-us.apache.org/repos/asf/zookeeper/blob/39fbc58f/zookeeper-server/src/main/java/org/apache/zookeeper/common/PEMFileLoader.java
----------------------------------------------------------------------
diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/common/PEMFileLoader.java b/zookeeper-server/src/main/java/org/apache/zookeeper/common/PEMFileLoader.java
new file mode 100644
index 0000000..637e8a8
--- /dev/null
+++ b/zookeeper-server/src/main/java/org/apache/zookeeper/common/PEMFileLoader.java
@@ -0,0 +1,64 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.zookeeper.common;
+
+import java.io.File;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+import java.util.Optional;
+
+import org.apache.zookeeper.util.PemReader;
+
+/**
+ * Implementation of {@link FileKeyStoreLoader} that loads from PEM files.
+ */
+class PEMFileLoader extends FileKeyStoreLoader {
+    private PEMFileLoader(String keyStorePath,
+                          String trustStorePath,
+                          String keyStorePassword,
+                          String trustStorePassword) {
+        super(keyStorePath, trustStorePath, keyStorePassword, trustStorePassword);
+    }
+
+    @Override
+    public KeyStore loadKeyStore() throws IOException, GeneralSecurityException {
+        Optional<String> passwordOption;
+        if (keyStorePassword == null || keyStorePassword.length() == 0) {
+            passwordOption = Optional.empty();
+        } else {
+            passwordOption = Optional.of(keyStorePassword);
+        }
+        File file = new File(keyStorePath);
+        return PemReader.loadKeyStore(file, file, passwordOption);
+    }
+
+    @Override
+    public KeyStore loadTrustStore() throws IOException, GeneralSecurityException {
+        return PemReader.loadTrustStore(new File(trustStorePath));
+    }
+
+
+    static class Builder extends FileKeyStoreLoader.Builder<PEMFileLoader> {
+        @Override
+        PEMFileLoader build() {
+            return new PEMFileLoader(keyStorePath, trustStorePath, keyStorePassword, trustStorePassword);
+        }
+    }
+}

http://git-wip-us.apache.org/repos/asf/zookeeper/blob/39fbc58f/zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java
----------------------------------------------------------------------
diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java b/zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java
index 2112c70..5b97ac6 100644
--- a/zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java
+++ b/zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java
@@ -18,8 +18,17 @@
 package org.apache.zookeeper.common;
 
 
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
+import java.io.IOException;
+import java.net.Socket;
+import java.security.GeneralSecurityException;
+import java.security.KeyManagementException;
+import java.security.KeyStore;
+import java.security.NoSuchAlgorithmException;
+import java.security.Security;
+import java.security.cert.PKIXBuilderParameters;
+import java.security.cert.X509CertSelector;
+import java.util.Arrays;
+import java.util.concurrent.atomic.AtomicReference;
 
 import javax.net.ssl.CertPathTrustManagerParameters;
 import javax.net.ssl.KeyManager;
@@ -33,26 +42,12 @@ import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.X509ExtendedTrustManager;
 import javax.net.ssl.X509KeyManager;
 import javax.net.ssl.X509TrustManager;
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.IOException;
-import java.net.Socket;
-import java.security.InvalidAlgorithmParameterException;
-import java.security.KeyManagementException;
-import java.security.KeyStore;
-import java.security.KeyStoreException;
-import java.security.NoSuchAlgorithmException;
-import java.security.Security;
-import java.security.UnrecoverableKeyException;
-import java.security.cert.CertificateException;
-import java.security.cert.PKIXBuilderParameters;
-import java.security.cert.X509CertSelector;
-import java.util.Arrays;
-import java.util.concurrent.atomic.AtomicReference;
 
 import org.apache.zookeeper.common.X509Exception.KeyManagerException;
 import org.apache.zookeeper.common.X509Exception.SSLContextException;
 import org.apache.zookeeper.common.X509Exception.TrustManagerException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 /**
  * Utility code for X509 handling
@@ -83,8 +78,10 @@ public abstract class X509Util {
     private String cipherSuitesProperty = getConfigPrefix() + "ciphersuites";
     private String sslKeystoreLocationProperty = getConfigPrefix() + "keyStore.location";
     private String sslKeystorePasswdProperty = getConfigPrefix() + "keyStore.password";
+    private String sslKeystoreTypeProperty = getConfigPrefix() + "keyStore.type";
     private String sslTruststoreLocationProperty = getConfigPrefix() + "trustStore.location";
     private String sslTruststorePasswdProperty = getConfigPrefix() + "trustStore.password";
+    private String sslTruststoreTypeProperty = getConfigPrefix() + "trustStore.type";
     private String sslHostnameVerificationEnabledProperty = getConfigPrefix() + "hostnameVerification";
     private String sslCrlEnabledProperty = getConfigPrefix() + "crl";
     private String sslOcspEnabledProperty = getConfigPrefix() + "ocsp";
@@ -121,6 +118,10 @@ public abstract class X509Util {
         return sslKeystorePasswdProperty;
     }
 
+    public String getSslKeystoreTypeProperty() {
+        return sslKeystoreTypeProperty;
+    }
+
     public String getSslTruststoreLocationProperty() {
         return sslTruststoreLocationProperty;
     }
@@ -129,6 +130,10 @@ public abstract class X509Util {
         return sslTruststorePasswdProperty;
     }
 
+    public String getSslTruststoreTypeProperty() {
+        return sslTruststoreTypeProperty;
+    }
+
     public String getSslHostnameVerificationEnabledProperty() {
         return sslHostnameVerificationEnabledProperty;
     }
@@ -167,47 +172,49 @@ public abstract class X509Util {
         KeyManager[] keyManagers = null;
         TrustManager[] trustManagers = null;
 
-        String keyStoreLocationProp = config.getProperty(sslKeystoreLocationProperty);
-        String keyStorePasswordProp = config.getProperty(sslKeystorePasswdProperty);
+        String keyStoreLocationProp = config.getProperty(sslKeystoreLocationProperty, "");
+        String keyStorePasswordProp = config.getProperty(sslKeystorePasswdProperty, "");
+        String keyStoreTypeProp = config.getProperty(sslKeystoreTypeProperty);
 
         // There are legal states in some use cases for null KeyManager or TrustManager.
-        // But if a user wanna specify one, location and password are required.
+        // But if a user wanna specify one, location is required. Password defaults to empty string if it is not
+        // specified by the user.
 
-        if (keyStoreLocationProp == null && keyStorePasswordProp == null) {
+        if (keyStoreLocationProp.isEmpty()) {
             LOG.warn(getSslKeystoreLocationProperty() + " not specified");
         } else {
-            if (keyStoreLocationProp == null) {
-                throw new SSLContextException(getSslKeystoreLocationProperty() + " not specified");
-            }
-            if (keyStorePasswordProp == null) {
-                throw new SSLContextException(getSslKeystorePasswdProperty() + " not specified");
-            }
             try {
                 keyManagers = new KeyManager[]{
-                        createKeyManager(keyStoreLocationProp, keyStorePasswordProp)};
+                        createKeyManager(keyStoreLocationProp, keyStorePasswordProp, keyStoreTypeProp)};
             } catch (KeyManagerException keyManagerException) {
                 throw new SSLContextException("Failed to create KeyManager", keyManagerException);
+            } catch (IllegalArgumentException e) {
+                throw new SSLContextException("Bad value for " + sslKeystoreTypeProperty + ": " + keyStoreTypeProp, e);
             }
         }
 
-        String trustStoreLocationProp = config.getProperty(sslTruststoreLocationProperty);
-        String trustStorePasswordProp = config.getProperty(sslTruststorePasswdProperty);
+        String trustStoreLocationProp = config.getProperty(sslTruststoreLocationProperty, "");
+        String trustStorePasswordProp = config.getProperty(sslTruststorePasswdProperty, "");
+        String trustStoreTypeProp = config.getProperty(sslTruststoreTypeProperty);
 
         boolean sslCrlEnabled = config.getBoolean(this.sslCrlEnabledProperty);
         boolean sslOcspEnabled = config.getBoolean(this.sslOcspEnabledProperty);
         boolean sslServerHostnameVerificationEnabled =
-                config.getBoolean(this.getSslHostnameVerificationEnabledProperty(),true);
-        boolean sslClientHostnameVerificationEnabled = sslServerHostnameVerificationEnabled && shouldVerifyClientHostname();
+                config.getBoolean(this.getSslHostnameVerificationEnabledProperty(), true);
+        boolean sslClientHostnameVerificationEnabled =
+                sslServerHostnameVerificationEnabled && shouldVerifyClientHostname();
 
-        if (trustStoreLocationProp == null) {
+        if (trustStoreLocationProp.isEmpty()) {
             LOG.warn(getSslTruststoreLocationProperty() + " not specified");
         } else {
             try {
                 trustManagers = new TrustManager[]{
-                        createTrustManager(trustStoreLocationProp, trustStorePasswordProp, sslCrlEnabled, sslOcspEnabled,
+                        createTrustManager(trustStoreLocationProp, trustStorePasswordProp, trustStoreTypeProp, sslCrlEnabled, sslOcspEnabled,
                                 sslServerHostnameVerificationEnabled, sslClientHostnameVerificationEnabled)};
             } catch (TrustManagerException trustManagerException) {
                 throw new SSLContextException("Failed to create TrustManager", trustManagerException);
+            } catch (IllegalArgumentException e) {
+                throw new SSLContextException("Bad value for " + sslTruststoreTypeProperty + ": " + trustStoreTypeProp, e);
             }
         }
 
@@ -221,17 +228,38 @@ public abstract class X509Util {
         }
     }
 
-    public static X509KeyManager createKeyManager(String keyStoreLocation, String keyStorePassword)
+    /**
+     * Creates a key manager by loading the key store from the given file of
+     * the given type, optionally decrypting it using the given password.
+     * @param keyStoreLocation the location of the key store file.
+     * @param keyStorePassword optional password to decrypt the key store. If
+     *                         empty, assumes the key store is not encrypted.
+     * @param keyStoreTypeProp must be JKS, PEM, or null. If null, attempts to
+     *                         autodetect the key store type from the file
+     *                         extension (.jks / .pem).
+     * @return the key manager.
+     * @throws KeyManagerException if something goes wrong.
+     */
+    public static X509KeyManager createKeyManager(
+            String keyStoreLocation,
+            String keyStorePassword,
+            String keyStoreTypeProp)
             throws KeyManagerException {
-        FileInputStream inputStream = null;
+        if (keyStorePassword == null) {
+            keyStorePassword = "";
+        }
         try {
-            char[] keyStorePasswordChars = keyStorePassword.toCharArray();
-            File keyStoreFile = new File(keyStoreLocation);
-            KeyStore ks = KeyStore.getInstance("JKS");
-            inputStream = new FileInputStream(keyStoreFile);
-            ks.load(inputStream, keyStorePasswordChars);
+            KeyStoreFileType storeFileType =
+                    KeyStoreFileType.fromPropertyValueOrFileName(
+                            keyStoreTypeProp, keyStoreLocation);
+            KeyStore ks = FileKeyStoreLoaderBuilderProvider
+                    .getBuilderForKeyStoreFileType(storeFileType)
+                    .setKeyStorePath(keyStoreLocation)
+                    .setKeyStorePassword(keyStorePassword)
+                    .build()
+                    .loadKeyStore();
             KeyManagerFactory kmf = KeyManagerFactory.getInstance("PKIX");
-            kmf.init(ks, keyStorePasswordChars);
+            kmf.init(ks, keyStorePassword.toCharArray());
 
             for (KeyManager km : kmf.getKeyManagers()) {
                 if (km instanceof X509KeyManager) {
@@ -239,38 +267,58 @@ public abstract class X509Util {
                 }
             }
             throw new KeyManagerException("Couldn't find X509KeyManager");
-
-        } catch (IOException|CertificateException|UnrecoverableKeyException|NoSuchAlgorithmException|KeyStoreException
-                keyManagerCreationException) {
-            throw new KeyManagerException(keyManagerCreationException);
-        } finally {
-            if (inputStream != null) {
-                try {
-                    inputStream.close();
-                } catch (IOException ioException) {
-                    LOG.info("Failed to close key store input stream", ioException);
-                }
-            }
+        } catch (IOException | GeneralSecurityException | IllegalArgumentException e) {
+            throw new KeyManagerException(e);
         }
     }
 
-    public static X509TrustManager createTrustManager(String trustStoreLocation, String trustStorePassword,
-                                                      boolean crlEnabled, boolean ocspEnabled,
-                                                      final boolean serverHostnameVerificationEnabled,
-                                                      final boolean clientHostnameVerificationEnabled)
+    /**
+     * Creates a trust manager by loading the trust store from the given file
+     * of the given type, optionally decrypting it using the given password.
+     * @param trustStoreLocation the location of the trust store file.
+     * @param trustStorePassword optional password to decrypt the trust store
+     *                           (only applies to JKS trust stores). If empty,
+     *                           assumes the trust store is not encrypted.
+     * @param trustStoreTypeProp must be JKS, PEM, or null. If null, attempts
+     *                           to autodetect the trust store type from the
+     *                           file extension (.jks / .pem).
+     * @param crlEnabled enable CRL (certificate revocation list) checks.
+     * @param ocspEnabled enable OCSP (online certificate status protocol)
+     *                    checks.
+     * @param serverHostnameVerificationEnabled if true, verify hostnames of
+     *                                          remote servers that client
+     *                                          sockets created by this
+     *                                          X509Util connect to.
+     * @param clientHostnameVerificationEnabled if true, verify hostnames of
+     *                                          remote clients that server
+     *                                          sockets created by this
+     *                                          X509Util accept connections
+     *                                          from.
+     * @return the trust manager.
+     * @throws TrustManagerException if something goes wrong.
+     */
+    public static X509TrustManager createTrustManager(
+            String trustStoreLocation,
+            String trustStorePassword,
+            String trustStoreTypeProp,
+            boolean crlEnabled,
+            boolean ocspEnabled,
+            final boolean serverHostnameVerificationEnabled,
+            final boolean clientHostnameVerificationEnabled)
             throws TrustManagerException {
-        FileInputStream inputStream = null;
+        if (trustStorePassword == null) {
+            trustStorePassword = "";
+        }
         try {
-            File trustStoreFile = new File(trustStoreLocation);
-            KeyStore ts = KeyStore.getInstance("JKS");
-            inputStream = new FileInputStream(trustStoreFile);
-            if (trustStorePassword != null) {
-                char[] trustStorePasswordChars = trustStorePassword.toCharArray();
-                ts.load(inputStream, trustStorePasswordChars);
-            } else {
-                ts.load(inputStream, null);
-            }
-
+            KeyStoreFileType storeFileType =
+                    KeyStoreFileType.fromPropertyValueOrFileName(
+                            trustStoreTypeProp, trustStoreLocation);
+            KeyStore ts = FileKeyStoreLoaderBuilderProvider
+                    .getBuilderForKeyStoreFileType(storeFileType)
+                    .setTrustStorePath(trustStoreLocation)
+                    .setTrustStorePassword(trustStorePassword)
+                    .build()
+                    .loadTrustStore();
             PKIXBuilderParameters pbParams = new PKIXBuilderParameters(ts, new X509CertSelector());
             if (crlEnabled || ocspEnabled) {
                 pbParams.setRevocationEnabled(true);
@@ -294,17 +342,8 @@ public abstract class X509Util {
                 }
             }
             throw new TrustManagerException("Couldn't find X509TrustManager");
-        } catch (IOException|CertificateException|NoSuchAlgorithmException|InvalidAlgorithmParameterException|KeyStoreException
-                 trustManagerCreationException) {
-            throw new TrustManagerException(trustManagerCreationException);
-        } finally {
-            if (inputStream != null) {
-                try {
-                    inputStream.close();
-                } catch (IOException ioException) {
-                    LOG.info("failed to close TrustStore input stream", ioException);
-                }
-            }
+        } catch (IOException | GeneralSecurityException | IllegalArgumentException e) {
+            throw new TrustManagerException(e);
         }
     }
 

http://git-wip-us.apache.org/repos/asf/zookeeper/blob/39fbc58f/zookeeper-server/src/main/java/org/apache/zookeeper/common/ZKConfig.java
----------------------------------------------------------------------
diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/common/ZKConfig.java b/zookeeper-server/src/main/java/org/apache/zookeeper/common/ZKConfig.java
index dc24b19..01bac69 100644
--- a/zookeeper-server/src/main/java/org/apache/zookeeper/common/ZKConfig.java
+++ b/zookeeper-server/src/main/java/org/apache/zookeeper/common/ZKConfig.java
@@ -116,10 +116,14 @@ public class ZKConfig {
                 System.getProperty(x509Util.getSslKeystoreLocationProperty()));
         properties.put(x509Util.getSslKeystorePasswdProperty(),
                 System.getProperty(x509Util.getSslKeystorePasswdProperty()));
+        properties.put(x509Util.getSslKeystoreTypeProperty(),
+                System.getProperty(x509Util.getSslKeystoreTypeProperty()));
         properties.put(x509Util.getSslTruststoreLocationProperty(),
                 System.getProperty(x509Util.getSslTruststoreLocationProperty()));
         properties.put(x509Util.getSslTruststorePasswdProperty(),
                 System.getProperty(x509Util.getSslTruststorePasswdProperty()));
+        properties.put(x509Util.getSslTruststoreTypeProperty(),
+                System.getProperty(x509Util.getSslTruststoreTypeProperty()));
         properties.put(x509Util.getSslHostnameVerificationEnabledProperty(),
                 System.getProperty(x509Util.getSslHostnameVerificationEnabledProperty()));
         properties.put(x509Util.getSslCrlEnabledProperty(),

http://git-wip-us.apache.org/repos/asf/zookeeper/blob/39fbc58f/zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/X509AuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/X509AuthenticationProvider.java b/zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/X509AuthenticationProvider.java
index 8a699ce..d0ca079 100644
--- a/zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/X509AuthenticationProvider.java
+++ b/zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/X509AuthenticationProvider.java
@@ -27,11 +27,11 @@ import javax.security.auth.x500.X500Principal;
 
 import org.apache.zookeeper.KeeperException;
 import org.apache.zookeeper.common.ClientX509Util;
-import org.apache.zookeeper.common.ZKConfig;
 import org.apache.zookeeper.common.X509Exception;
 import org.apache.zookeeper.common.X509Exception.KeyManagerException;
 import org.apache.zookeeper.common.X509Exception.TrustManagerException;
 import org.apache.zookeeper.common.X509Util;
+import org.apache.zookeeper.common.ZKConfig;
 import org.apache.zookeeper.data.Id;
 import org.apache.zookeeper.server.ServerCnxn;
 import org.slf4j.Logger;
@@ -70,46 +70,37 @@ public class X509AuthenticationProvider implements AuthenticationProvider {
         ZKConfig config = new ZKConfig();
         X509Util x509Util = new ClientX509Util();
 
-        String keyStoreLocation = config.getProperty(x509Util.getSslKeystoreLocationProperty());
-        String keyStorePassword = config.getProperty(x509Util.getSslKeystorePasswdProperty());
+        String keyStoreLocation = config.getProperty(x509Util.getSslKeystoreLocationProperty(), "");
+        String keyStorePassword = config.getProperty(x509Util.getSslKeystorePasswdProperty(), "");
+        String keyStoreTypeProp = config.getProperty(x509Util.getSslKeystoreTypeProperty());
 
-        boolean crlEnabled = Boolean.parseBoolean(System.getProperty(x509Util.getSslCrlEnabledProperty()));
-        boolean ocspEnabled = Boolean.parseBoolean(System.getProperty(x509Util.getSslOcspEnabledProperty()));
-        boolean hostnameVerificationEnabled = Boolean.parseBoolean(System.getProperty(x509Util.getSslHostnameVerificationEnabledProperty()));
+        boolean crlEnabled = Boolean.parseBoolean(config.getProperty(x509Util.getSslCrlEnabledProperty()));
+        boolean ocspEnabled = Boolean.parseBoolean(config.getProperty(x509Util.getSslOcspEnabledProperty()));
+        boolean hostnameVerificationEnabled = Boolean.parseBoolean(
+                config.getProperty(x509Util.getSslHostnameVerificationEnabledProperty()));
 
         X509KeyManager km = null;
         X509TrustManager tm = null;
-        if (keyStoreLocation == null && keyStorePassword == null) {
+        if (keyStoreLocation.isEmpty()) {
             LOG.warn("keystore not specified for client connection");
         } else {
-            if (keyStoreLocation == null) {
-                throw new X509Exception("keystore location not specified for client connection");
-            }
-            if (keyStorePassword == null) {
-                throw new X509Exception("keystore password not specified for client connection");
-            }
             try {
-                km = X509Util.createKeyManager(keyStoreLocation, keyStorePassword);
+                km = X509Util.createKeyManager(keyStoreLocation, keyStorePassword, keyStoreTypeProp);
             } catch (KeyManagerException e) {
                 LOG.error("Failed to create key manager", e);
             }
         }
         
-        String trustStoreLocation = config.getProperty(x509Util.getSslTruststoreLocationProperty());
-        String trustStorePassword = config.getProperty(x509Util.getSslTruststorePasswdProperty());
+        String trustStoreLocation = config.getProperty(x509Util.getSslTruststoreLocationProperty(), "");
+        String trustStorePassword = config.getProperty(x509Util.getSslTruststorePasswdProperty(), "");
+        String trustStoreTypeProp = config.getProperty(x509Util.getSslTruststoreTypeProperty());
 
-        if (trustStoreLocation == null && trustStorePassword == null) {
+        if (trustStoreLocation.isEmpty()) {
             LOG.warn("Truststore not specified for client connection");
         } else {
-            if (trustStoreLocation == null) {
-                throw new X509Exception("Truststore location not specified for client connection");
-            }
-            if (trustStorePassword == null) {
-                throw new X509Exception("Truststore password not specified for client connection");
-            }
             try {
                 tm = X509Util.createTrustManager(
-                        trustStoreLocation, trustStorePassword, crlEnabled, ocspEnabled,
+                        trustStoreLocation, trustStorePassword, trustStoreTypeProp, crlEnabled, ocspEnabled,
                         hostnameVerificationEnabled, false);
             } catch (TrustManagerException e) {
                 LOG.error("Failed to create trust manager", e);

http://git-wip-us.apache.org/repos/asf/zookeeper/blob/39fbc58f/zookeeper-server/src/main/java/org/apache/zookeeper/util/PemReader.java
----------------------------------------------------------------------
diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/util/PemReader.java b/zookeeper-server/src/main/java/org/apache/zookeeper/util/PemReader.java
new file mode 100644
index 0000000..25017ea
--- /dev/null
+++ b/zookeeper-server/src/main/java/org/apache/zookeeper/util/PemReader.java
@@ -0,0 +1,236 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.zookeeper.util;
+
+import java.io.ByteArrayInputStream;
+import java.io.File;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.security.GeneralSecurityException;
+import java.security.KeyFactory;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.security.spec.X509EncodedKeySpec;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Optional;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import javax.crypto.Cipher;
+import javax.crypto.EncryptedPrivateKeyInfo;
+import javax.crypto.SecretKey;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.PBEKeySpec;
+import javax.security.auth.x500.X500Principal;
+
+import static java.nio.charset.StandardCharsets.US_ASCII;
+import static java.util.Base64.getMimeDecoder;
+import static java.util.regex.Pattern.CASE_INSENSITIVE;
+import static javax.crypto.Cipher.DECRYPT_MODE;
+
+/**
+ * Note: this class is copied from io.airlift.security.pem.PemReader (see
+ * https://github.com/airlift/airlift/blob/master/security/src/main/java/io/airlift/security/pem/PemReader.java) with
+ * permission of the authors, to avoid adding an extra library dependency to Zookeeper.
+ * The file was copied from commit hash 86348546af43217f4d04a0cdad624b0ae4751c2c.
+ *
+ * The following modifications have been made to the original source code:
+ * <ul>
+ * <li>imports have been rearranged to match Zookeeper import order style.</li>
+ * <li>The dependency on <code>com.google.common.io.Files.asCharSource</code> has been removed.</li>
+ * <li>A dependency on <code>java.nio.file.Files</code> has been added.</li>
+ * </ul>
+ */
+public final class PemReader
+{
+    private static final Pattern CERT_PATTERN = Pattern.compile(
+            "-+BEGIN\\s+.*CERTIFICATE[^-]*-+(?:\\s|\\r|\\n)+" + // Header
+                    "([a-z0-9+/=\\r\\n]+)" +                    // Base64 text
+                    "-+END\\s+.*CERTIFICATE[^-]*-+",            // Footer
+            CASE_INSENSITIVE);
+
+    private static final Pattern PRIVATE_KEY_PATTERN = Pattern.compile(
+            "-+BEGIN\\s+.*PRIVATE\\s+KEY[^-]*-+(?:\\s|\\r|\\n)+" + // Header
+                    "([a-z0-9+/=\\r\\n]+)" +                       // Base64 text
+                    "-+END\\s+.*PRIVATE\\s+KEY[^-]*-+",            // Footer
+            CASE_INSENSITIVE);
+
+    private static final Pattern PUBLIC_KEY_PATTERN = Pattern.compile(
+            "-+BEGIN\\s+.*PUBLIC\\s+KEY[^-]*-+(?:\\s|\\r|\\n)+" + // Header
+                    "([a-z0-9+/=\\r\\n]+)" +                      // Base64 text
+                    "-+END\\s+.*PUBLIC\\s+KEY[^-]*-+",            // Footer
+            CASE_INSENSITIVE);
+
+    private PemReader() {}
+
+    public static KeyStore loadTrustStore(File certificateChainFile)
+            throws IOException, GeneralSecurityException
+    {
+        KeyStore keyStore = KeyStore.getInstance("JKS");
+        keyStore.load(null, null);
+
+        List<X509Certificate> certificateChain = readCertificateChain(certificateChainFile);
+        for (X509Certificate certificate : certificateChain) {
+            X500Principal principal = certificate.getSubjectX500Principal();
+            keyStore.setCertificateEntry(principal.getName("RFC2253"), certificate);
+        }
+        return keyStore;
+    }
+
+    public static KeyStore loadKeyStore(File certificateChainFile, File privateKeyFile, Optional<String> keyPassword)
+            throws IOException, GeneralSecurityException
+    {
+        PrivateKey key = loadPrivateKey(privateKeyFile, keyPassword);
+
+        List<X509Certificate> certificateChain = readCertificateChain(certificateChainFile);
+        if (certificateChain.isEmpty()) {
+            throw new CertificateException("Certificate file does not contain any certificates: " + certificateChainFile);
+        }
+
+        KeyStore keyStore = KeyStore.getInstance("JKS");
+        keyStore.load(null, null);
+        keyStore.setKeyEntry("key", key, keyPassword.orElse("").toCharArray(), certificateChain.toArray(new Certificate[0]));
+        return keyStore;
+    }
+
+    public static List<X509Certificate> readCertificateChain(File certificateChainFile)
+            throws IOException, GeneralSecurityException
+    {
+        String contents = new String(Files.readAllBytes(certificateChainFile.toPath()), US_ASCII);
+        return readCertificateChain(contents);
+    }
+
+    public static List<X509Certificate> readCertificateChain(String certificateChain)
+            throws CertificateException
+    {
+        Matcher matcher = CERT_PATTERN.matcher(certificateChain);
+        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
+        List<X509Certificate> certificates = new ArrayList<>();
+
+        int start = 0;
+        while (matcher.find(start)) {
+            byte[] buffer = base64Decode(matcher.group(1));
+            certificates.add((X509Certificate) certificateFactory.generateCertificate(new ByteArrayInputStream(buffer)));
+            start = matcher.end();
+        }
+
+        return certificates;
+    }
+
+    public static PrivateKey loadPrivateKey(File privateKeyFile, Optional<String> keyPassword)
+            throws IOException, GeneralSecurityException
+    {
+        String privateKey = new String(Files.readAllBytes(privateKeyFile.toPath()), US_ASCII);
+        return loadPrivateKey(privateKey, keyPassword);
+    }
+
+    public static PrivateKey loadPrivateKey(String privateKey, Optional<String> keyPassword)
+            throws IOException, GeneralSecurityException
+    {
+        Matcher matcher = PRIVATE_KEY_PATTERN.matcher(privateKey);
+        if (!matcher.find()) {
+            throw new KeyStoreException("did not find a private key");
+        }
+        byte[] encodedKey = base64Decode(matcher.group(1));
+
+        PKCS8EncodedKeySpec encodedKeySpec;
+        if (keyPassword.isPresent()) {
+            EncryptedPrivateKeyInfo encryptedPrivateKeyInfo = new EncryptedPrivateKeyInfo(encodedKey);
+            SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(encryptedPrivateKeyInfo.getAlgName());
+            SecretKey secretKey = keyFactory.generateSecret(new PBEKeySpec(keyPassword.get().toCharArray()));
+
+            Cipher cipher = Cipher.getInstance(encryptedPrivateKeyInfo.getAlgName());
+            cipher.init(DECRYPT_MODE, secretKey, encryptedPrivateKeyInfo.getAlgParameters());
+
+            encodedKeySpec = encryptedPrivateKeyInfo.getKeySpec(cipher);
+        }
+        else {
+            encodedKeySpec = new PKCS8EncodedKeySpec(encodedKey);
+        }
+
+        // this code requires a key in PKCS8 format which is not the default openssl format
+        // to convert to the PKCS8 format you use : openssl pkcs8 -topk8 ...
+        try {
+            KeyFactory keyFactory = KeyFactory.getInstance("RSA");
+            return keyFactory.generatePrivate(encodedKeySpec);
+        }
+        catch (InvalidKeySpecException ignore) {
+        }
+
+        try {
+            KeyFactory keyFactory = KeyFactory.getInstance("EC");
+            return keyFactory.generatePrivate(encodedKeySpec);
+        }
+        catch (InvalidKeySpecException ignore) {
+        }
+
+        KeyFactory keyFactory = KeyFactory.getInstance("DSA");
+        return keyFactory.generatePrivate(encodedKeySpec);
+    }
+
+    public static PublicKey loadPublicKey(File publicKeyFile)
+            throws IOException, GeneralSecurityException
+    {
+        String publicKey = new String(Files.readAllBytes(publicKeyFile.toPath()), US_ASCII);
+        return loadPublicKey(publicKey);
+    }
+
+    public static PublicKey loadPublicKey(String publicKey)
+            throws GeneralSecurityException
+    {
+        Matcher matcher = PUBLIC_KEY_PATTERN.matcher(publicKey);
+        if (!matcher.find()) {
+            throw new KeyStoreException("did not find a public key");
+        }
+        String data = matcher.group(1);
+        byte[] encodedKey = base64Decode(data);
+
+        X509EncodedKeySpec encodedKeySpec = new X509EncodedKeySpec(encodedKey);
+        try {
+            KeyFactory keyFactory = KeyFactory.getInstance("RSA");
+            return keyFactory.generatePublic(encodedKeySpec);
+        }
+        catch (InvalidKeySpecException ignore) {
+        }
+
+        try {
+            KeyFactory keyFactory = KeyFactory.getInstance("EC");
+            return keyFactory.generatePublic(encodedKeySpec);
+        }
+        catch (InvalidKeySpecException ignore) {
+        }
+
+        KeyFactory keyFactory = KeyFactory.getInstance("DSA");
+        return keyFactory.generatePublic(encodedKeySpec);
+    }
+
+    private static byte[] base64Decode(String base64)
+    {
+        return getMimeDecoder().decode(base64.getBytes(US_ASCII));
+    }
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/zookeeper/blob/39fbc58f/zookeeper-server/src/test/java/org/apache/zookeeper/common/BaseX509ParameterizedTestCase.java
----------------------------------------------------------------------
diff --git a/zookeeper-server/src/test/java/org/apache/zookeeper/common/BaseX509ParameterizedTestCase.java b/zookeeper-server/src/test/java/org/apache/zookeeper/common/BaseX509ParameterizedTestCase.java
new file mode 100644
index 0000000..73b9196
--- /dev/null
+++ b/zookeeper-server/src/test/java/org/apache/zookeeper/common/BaseX509ParameterizedTestCase.java
@@ -0,0 +1,109 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.zookeeper.common;
+
+import java.io.File;
+import java.io.IOException;
+import java.security.Security;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.zookeeper.ZKTestCase;
+import org.apache.zookeeper.test.ClientBase;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+
+/**
+ * Base class for parameterized unit tests that use X509TestContext for testing
+ * different X509 parameter combinations (CA key type, cert key type, with/without
+ * a password, with/without hostname verification, etc).
+ *
+ * This base class takes care of setting up / cleaning up the test environment,
+ * and caching the X509TestContext objects used by the tests.
+ */
+public abstract class BaseX509ParameterizedTestCase extends ZKTestCase {
+    /**
+     * Default parameters suitable for most subclasses. See example usage
+     * in {@link X509UtilTest}.
+     * @return an array of parameter combinations to test with.
+     */
+    public static Collection<Object[]> defaultParams() {
+        ArrayList<Object[]> result = new ArrayList<>();
+        int paramIndex = 0;
+        for (X509KeyType caKeyType : X509KeyType.values()) {
+            for (X509KeyType certKeyType : X509KeyType.values()) {
+                for (String keyPassword : new String[]{"", "pa$$w0rd"}) {
+                    result.add(new Object[]{caKeyType, certKeyType, keyPassword, paramIndex++});
+                }
+            }
+        }
+        return result;
+    }
+
+    /**
+     * Because key generation and writing / deleting files is kind of expensive, we cache the certs and on-disk files
+     * between test cases. None of the test cases modify any of this data so it's safe to reuse between tests. This
+     * caching makes all test cases after the first one for a given parameter combination complete almost instantly.
+     */
+    protected static Map<Integer, X509TestContext> cachedTestContexts;
+    protected static File tempDir;
+
+    protected X509TestContext x509TestContext;
+
+    @BeforeClass
+    public static void setUpBaseClass() throws Exception {
+        Security.addProvider(new BouncyCastleProvider());
+        cachedTestContexts = new HashMap<>();
+        tempDir = ClientBase.createEmptyTestDir();
+    }
+
+    @AfterClass
+    public static void cleanUpBaseClass() {
+        Security.removeProvider("BC");
+        cachedTestContexts.clear();
+        cachedTestContexts = null;
+        try {
+            FileUtils.deleteDirectory(tempDir);
+        } catch (IOException e) {
+            // ignore
+        }
+    }
+
+    /**
+     * Constructor. See example usage in {@link X509UtilTest}.
+     *
+     * @param paramIndex the index under which the X509TestContext should be cached.
+     * @param contextSupplier a function that creates and returns the X509TestContext
+     *                        for the current index if one is not already cached.
+     */
+    protected BaseX509ParameterizedTestCase(
+            Integer paramIndex,
+            java.util.function.Supplier<X509TestContext> contextSupplier) {
+        if (cachedTestContexts.containsKey(paramIndex)) {
+            x509TestContext = cachedTestContexts.get(paramIndex);
+        } else {
+            x509TestContext = contextSupplier.get();
+            cachedTestContexts.put(paramIndex, x509TestContext);
+        }
+    }
+}

http://git-wip-us.apache.org/repos/asf/zookeeper/blob/39fbc58f/zookeeper-server/src/test/java/org/apache/zookeeper/common/FileKeyStoreLoaderBuilderProviderTest.java
----------------------------------------------------------------------
diff --git a/zookeeper-server/src/test/java/org/apache/zookeeper/common/FileKeyStoreLoaderBuilderProviderTest.java b/zookeeper-server/src/test/java/org/apache/zookeeper/common/FileKeyStoreLoaderBuilderProviderTest.java
new file mode 100644
index 0000000..59c27b2
--- /dev/null
+++ b/zookeeper-server/src/test/java/org/apache/zookeeper/common/FileKeyStoreLoaderBuilderProviderTest.java
@@ -0,0 +1,46 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.zookeeper.common;
+
+import org.apache.zookeeper.ZKTestCase;
+import org.junit.Assert;
+import org.junit.Test;
+
+public class FileKeyStoreLoaderBuilderProviderTest extends ZKTestCase {
+    @Test
+    public void testGetBuilderForJKSFileType() {
+        FileKeyStoreLoader.Builder<?> builder =
+                FileKeyStoreLoaderBuilderProvider.getBuilderForKeyStoreFileType(
+                        KeyStoreFileType.JKS);
+        Assert.assertTrue(builder instanceof JKSFileLoader.Builder);
+    }
+
+    @Test
+    public void testGetBuilderForPEMFileType() {
+        FileKeyStoreLoader.Builder<?> builder =
+                FileKeyStoreLoaderBuilderProvider.getBuilderForKeyStoreFileType(
+                        KeyStoreFileType.PEM);
+        Assert.assertTrue(builder instanceof PEMFileLoader.Builder);
+    }
+
+    @Test(expected = NullPointerException.class)
+    public void testGetBuilderForNullFileType() {
+        FileKeyStoreLoaderBuilderProvider.getBuilderForKeyStoreFileType(null);
+    }
+}

http://git-wip-us.apache.org/repos/asf/zookeeper/blob/39fbc58f/zookeeper-server/src/test/java/org/apache/zookeeper/common/JKSFileLoaderTest.java
----------------------------------------------------------------------
diff --git a/zookeeper-server/src/test/java/org/apache/zookeeper/common/JKSFileLoaderTest.java b/zookeeper-server/src/test/java/org/apache/zookeeper/common/JKSFileLoaderTest.java
new file mode 100644
index 0000000..5e916f3
--- /dev/null
+++ b/zookeeper-server/src/test/java/org/apache/zookeeper/common/JKSFileLoaderTest.java
@@ -0,0 +1,165 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.zookeeper.common;
+
+import java.io.IOException;
+import java.security.KeyStore;
+import java.util.Collection;
+
+import org.junit.Assert;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+
+@RunWith(Parameterized.class)
+public class JKSFileLoaderTest extends BaseX509ParameterizedTestCase {
+
+    @Parameterized.Parameters
+    public static Collection<Object[]> params() {
+        return BaseX509ParameterizedTestCase.defaultParams();
+    }
+
+    public JKSFileLoaderTest(
+            final X509KeyType caKeyType,
+            final X509KeyType certKeyType,
+            final String keyPassword,
+            final Integer paramIndex) {
+        super(paramIndex, () -> {
+            try {
+                return X509TestContext.newBuilder()
+                        .setTempDir(tempDir)
+                        .setKeyStorePassword(keyPassword)
+                        .setKeyStoreKeyType(certKeyType)
+                        .setTrustStorePassword(keyPassword)
+                        .setTrustStoreKeyType(caKeyType)
+                        .build();
+            } catch (Exception e) {
+                throw new RuntimeException(e);
+            }
+        });
+    }
+
+    @Test
+    public void testLoadKeyStore() throws Exception {
+        String path = x509TestContext.getKeyStoreFile(KeyStoreFileType.JKS)
+                .getAbsolutePath();
+        KeyStore ks = new JKSFileLoader.Builder()
+                .setKeyStorePath(path)
+                .setKeyStorePassword(x509TestContext.getKeyStorePassword())
+                .build()
+                .loadKeyStore();
+        Assert.assertEquals(1, ks.size());
+    }
+
+    @Test(expected = Exception.class)
+    public void testLoadKeyStoreWithWrongPassword() throws Exception {
+        String path = x509TestContext.getKeyStoreFile(KeyStoreFileType.JKS)
+                .getAbsolutePath();
+        new JKSFileLoader.Builder()
+                .setKeyStorePath(path)
+                .setKeyStorePassword("wrong password")
+                .build()
+                .loadKeyStore();
+    }
+
+    @Test(expected = IOException.class)
+    public void testLoadKeyStoreWithWrongFilePath() throws Exception {
+        String path = x509TestContext.getKeyStoreFile(KeyStoreFileType.JKS)
+                .getAbsolutePath();
+        new JKSFileLoader.Builder()
+                .setKeyStorePath(path + ".does_not_exist")
+                .setKeyStorePassword(x509TestContext.getKeyStorePassword())
+                .build()
+                .loadKeyStore();
+    }
+
+    @Test(expected = NullPointerException.class)
+    public void testLoadKeyStoreWithNullFilePath() throws Exception {
+        new JKSFileLoader.Builder()
+                .setKeyStorePassword(x509TestContext.getKeyStorePassword())
+                .build()
+                .loadKeyStore();
+    }
+
+    @Test(expected = IOException.class)
+    public void testLoadKeyStoreWithWrongFileType() throws Exception {
+        // Trying to load a PEM file with JKS loader should fail
+        String path = x509TestContext.getKeyStoreFile(KeyStoreFileType.PEM)
+                .getAbsolutePath();
+        new JKSFileLoader.Builder()
+                .setKeyStorePath(path)
+                .setKeyStorePassword(x509TestContext.getKeyStorePassword())
+                .build()
+                .loadKeyStore();
+    }
+
+    @Test
+    public void testLoadTrustStore() throws Exception {
+        String path = x509TestContext.getTrustStoreFile(KeyStoreFileType.JKS)
+                .getAbsolutePath();
+        KeyStore ts = new JKSFileLoader.Builder()
+                .setTrustStorePath(path)
+                .setTrustStorePassword(x509TestContext.getTrustStorePassword())
+                .build()
+                .loadTrustStore();
+        Assert.assertEquals(1, ts.size());
+    }
+
+    @Test(expected = Exception.class)
+    public void testLoadTrustStoreWithWrongPassword() throws Exception {
+        String path = x509TestContext.getTrustStoreFile(KeyStoreFileType.JKS)
+                .getAbsolutePath();
+        new JKSFileLoader.Builder()
+                .setTrustStorePath(path)
+                .setTrustStorePassword("wrong password")
+                .build()
+                .loadTrustStore();
+    }
+
+    @Test(expected = IOException.class)
+    public void testLoadTrustStoreWithWrongFilePath() throws Exception {
+        String path = x509TestContext.getTrustStoreFile(KeyStoreFileType.JKS)
+                .getAbsolutePath();
+        new JKSFileLoader.Builder()
+                .setTrustStorePath(path + ".does_not_exist")
+                .setTrustStorePassword(x509TestContext.getTrustStorePassword())
+                .build()
+                .loadTrustStore();
+    }
+
+    @Test(expected = NullPointerException.class)
+    public void testLoadTrustStoreWithNullFilePath() throws Exception {
+        new JKSFileLoader.Builder()
+                .setTrustStorePassword(x509TestContext.getTrustStorePassword())
+                .build()
+                .loadTrustStore();
+    }
+
+    @Test(expected = IOException.class)
+    public void testLoadTrustStoreWithWrongFileType() throws Exception {
+        // Trying to load a PEM file with JKS loader should fail
+        String path = x509TestContext.getTrustStoreFile(KeyStoreFileType.PEM)
+                .getAbsolutePath();
+        new JKSFileLoader.Builder()
+                .setTrustStorePath(path)
+                .setTrustStorePassword(x509TestContext.getTrustStorePassword())
+                .build()
+                .loadTrustStore();
+    }
+}

http://git-wip-us.apache.org/repos/asf/zookeeper/blob/39fbc58f/zookeeper-server/src/test/java/org/apache/zookeeper/common/KeyStoreFileTypeTest.java
----------------------------------------------------------------------
diff --git a/zookeeper-server/src/test/java/org/apache/zookeeper/common/KeyStoreFileTypeTest.java b/zookeeper-server/src/test/java/org/apache/zookeeper/common/KeyStoreFileTypeTest.java
new file mode 100644
index 0000000..53aa0b0
--- /dev/null
+++ b/zookeeper-server/src/test/java/org/apache/zookeeper/common/KeyStoreFileTypeTest.java
@@ -0,0 +1,90 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.zookeeper.common;
+
+import org.apache.zookeeper.ZKTestCase;
+import org.junit.Assert;
+import org.junit.Test;
+
+public class KeyStoreFileTypeTest extends ZKTestCase {
+    @Test
+    public void testGetPropertyValue() {
+        Assert.assertEquals("PEM", KeyStoreFileType.PEM.getPropertyValue());
+        Assert.assertEquals("JKS", KeyStoreFileType.JKS.getPropertyValue());
+    }
+
+    @Test
+    public void testFromPropertyValue() {
+        Assert.assertEquals(KeyStoreFileType.PEM, KeyStoreFileType.fromPropertyValue("PEM"));
+        Assert.assertEquals(KeyStoreFileType.JKS, KeyStoreFileType.fromPropertyValue("JKS"));
+        Assert.assertNull(KeyStoreFileType.fromPropertyValue(""));
+        Assert.assertNull(KeyStoreFileType.fromPropertyValue(null));
+    }
+
+    @Test
+    public void testFromPropertyValueIgnoresCase() {
+        Assert.assertEquals(KeyStoreFileType.PEM, KeyStoreFileType.fromPropertyValue("pem"));
+        Assert.assertEquals(KeyStoreFileType.JKS, KeyStoreFileType.fromPropertyValue("jks"));
+        Assert.assertNull(KeyStoreFileType.fromPropertyValue(""));
+        Assert.assertNull(KeyStoreFileType.fromPropertyValue(null));
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    public void testFromPropertyValueThrowsOnBadPropertyValue() {
+        KeyStoreFileType.fromPropertyValue("foobar");
+    }
+
+    @Test
+    public void testFromFilename() {
+        Assert.assertEquals(KeyStoreFileType.JKS,
+                KeyStoreFileType.fromFilename("mykey.jks"));
+        Assert.assertEquals(KeyStoreFileType.JKS,
+                KeyStoreFileType.fromFilename("/path/to/key/dir/mykey.jks"));
+        Assert.assertEquals(KeyStoreFileType.PEM,
+                KeyStoreFileType.fromFilename("mykey.pem"));
+        Assert.assertEquals(KeyStoreFileType.PEM,
+                KeyStoreFileType.fromFilename("/path/to/key/dir/mykey.pem"));
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    public void testFromFilenameThrowsOnBadFileExtension() {
+        KeyStoreFileType.fromFilename("prod.key");
+    }
+
+    @Test
+    public void testFromPropertyValueOrFileName() {
+        // Property value takes precedence if provided
+        Assert.assertEquals(KeyStoreFileType.JKS,
+                KeyStoreFileType.fromPropertyValueOrFileName(
+                        "JKS", "prod.key"));
+        // Falls back to filename detection if no property value
+        Assert.assertEquals(KeyStoreFileType.JKS,
+                KeyStoreFileType.fromPropertyValueOrFileName("", "prod.jks"));
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    public void testFromPropertyValueOrFileNameThrowsOnBadPropertyValue() {
+        KeyStoreFileType.fromPropertyValueOrFileName("foobar", "prod.jks");
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    public void testFromPropertyValueOrFileNameThrowsOnBadFileExtension() {
+        KeyStoreFileType.fromPropertyValueOrFileName("", "prod.key");
+    }
+}

http://git-wip-us.apache.org/repos/asf/zookeeper/blob/39fbc58f/zookeeper-server/src/test/java/org/apache/zookeeper/common/PEMFileLoaderTest.java
----------------------------------------------------------------------
diff --git a/zookeeper-server/src/test/java/org/apache/zookeeper/common/PEMFileLoaderTest.java b/zookeeper-server/src/test/java/org/apache/zookeeper/common/PEMFileLoaderTest.java
new file mode 100644
index 0000000..e78c750
--- /dev/null
+++ b/zookeeper-server/src/test/java/org/apache/zookeeper/common/PEMFileLoaderTest.java
@@ -0,0 +1,156 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.zookeeper.common;
+
+import java.io.IOException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.util.Collection;
+
+import org.junit.Assert;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+
+@RunWith(Parameterized.class)
+public class PEMFileLoaderTest extends BaseX509ParameterizedTestCase {
+
+    @Parameterized.Parameters
+    public static Collection<Object[]> params() {
+        return BaseX509ParameterizedTestCase.defaultParams();
+    }
+
+    public PEMFileLoaderTest(
+            final X509KeyType caKeyType,
+            final X509KeyType certKeyType,
+            final String keyPassword,
+            final Integer paramIndex) {
+        super(paramIndex, () -> {
+            try {
+                return X509TestContext.newBuilder()
+                        .setTempDir(tempDir)
+                        .setKeyStorePassword(keyPassword)
+                        .setKeyStoreKeyType(certKeyType)
+                        .setTrustStorePassword(keyPassword)
+                        .setTrustStoreKeyType(caKeyType)
+                        .build();
+            } catch (Exception e) {
+                throw new RuntimeException(e);
+            }
+        });
+    }
+
+    @Test
+    public void testLoadKeyStore() throws Exception {
+        String path = x509TestContext.getKeyStoreFile(KeyStoreFileType.PEM)
+                .getAbsolutePath();
+        KeyStore ks = new PEMFileLoader.Builder()
+                .setKeyStorePath(path)
+                .setKeyStorePassword(x509TestContext.getKeyStorePassword())
+                .build()
+                .loadKeyStore();
+        Assert.assertEquals(1, ks.size());
+    }
+
+    @Test(expected = Exception.class)
+    public void testLoadKeyStoreWithWrongPassword() throws Exception {
+        String path = x509TestContext.getKeyStoreFile(KeyStoreFileType.PEM)
+                .getAbsolutePath();
+        new PEMFileLoader.Builder()
+                .setKeyStorePath(path)
+                .setKeyStorePassword("wrong password")
+                .build()
+                .loadKeyStore();
+    }
+
+    @Test(expected = IOException.class)
+    public void testLoadKeyStoreWithWrongFilePath() throws Exception {
+        String path = x509TestContext.getKeyStoreFile(KeyStoreFileType.PEM)
+                .getAbsolutePath();
+        new PEMFileLoader.Builder()
+                .setKeyStorePath(path + ".does_not_exist")
+                .setKeyStorePassword(x509TestContext.getKeyStorePassword())
+                .build()
+                .loadKeyStore();
+    }
+
+    @Test(expected = NullPointerException.class)
+    public void testLoadKeyStoreWithNullFilePath() throws Exception {
+        new PEMFileLoader.Builder()
+                .setKeyStorePassword(x509TestContext.getKeyStorePassword())
+                .build()
+                .loadKeyStore();
+    }
+
+    @Test(expected = KeyStoreException.class)
+    public void testLoadKeyStoreWithWrongFileType() throws Exception {
+        // Trying to load a JKS file with PEM loader should fail
+        String path = x509TestContext.getKeyStoreFile(KeyStoreFileType.JKS)
+                .getAbsolutePath();
+        new PEMFileLoader.Builder()
+                .setKeyStorePath(path)
+                .setKeyStorePassword(x509TestContext.getKeyStorePassword())
+                .build()
+                .loadKeyStore();
+    }
+
+    @Test
+    public void testLoadTrustStore() throws Exception {
+        String path = x509TestContext.getTrustStoreFile(KeyStoreFileType.PEM)
+                .getAbsolutePath();
+        KeyStore ts = new PEMFileLoader.Builder()
+                .setTrustStorePath(path)
+                .setTrustStorePassword(x509TestContext.getTrustStorePassword())
+                .build()
+                .loadTrustStore();
+        Assert.assertEquals(1, ts.size());
+    }
+
+    @Test(expected = IOException.class)
+    public void testLoadTrustStoreWithWrongFilePath() throws Exception {
+        String path = x509TestContext.getTrustStoreFile(KeyStoreFileType.PEM)
+                .getAbsolutePath();
+        new PEMFileLoader.Builder()
+                .setTrustStorePath(path + ".does_not_exist")
+                .setTrustStorePassword(x509TestContext.getTrustStorePassword())
+                .build()
+                .loadTrustStore();
+    }
+
+    @Test(expected = NullPointerException.class)
+    public void testLoadTrustStoreWithNullFilePath() throws Exception {
+        new PEMFileLoader.Builder()
+                .setTrustStorePassword(x509TestContext.getTrustStorePassword())
+                .build()
+                .loadTrustStore();
+    }
+
+    @Test
+    public void testLoadTrustStoreWithWrongFileType() throws Exception {
+        // Trying to load a JKS file with PEM loader should fail
+        String path = x509TestContext.getTrustStoreFile(KeyStoreFileType.JKS)
+                .getAbsolutePath();
+        KeyStore ts = new PEMFileLoader.Builder()
+                .setTrustStorePath(path)
+                .setTrustStorePassword(x509TestContext.getTrustStorePassword())
+                .build()
+                .loadTrustStore();
+        Assert.assertEquals(0, ts.size());
+    }
+}

http://git-wip-us.apache.org/repos/asf/zookeeper/blob/39fbc58f/zookeeper-server/src/test/java/org/apache/zookeeper/common/X509KeyType.java
----------------------------------------------------------------------
diff --git a/zookeeper-server/src/test/java/org/apache/zookeeper/common/X509KeyType.java b/zookeeper-server/src/test/java/org/apache/zookeeper/common/X509KeyType.java
new file mode 100644
index 0000000..e2cdc81
--- /dev/null
+++ b/zookeeper-server/src/test/java/org/apache/zookeeper/common/X509KeyType.java
@@ -0,0 +1,26 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.zookeeper.common;
+
+/**
+ * Represents a type of key pair used for X509 certs in tests. The two options are RSA or EC (elliptic curve).
+ */
+public enum X509KeyType {
+    RSA, EC;
+}


Mime
View raw message