From afine <...@git.apache.org>
Subject [GitHub] zookeeper pull request #184: ZOOKEEPER-236: SSL Support for Atomic Broadcast...
Date Mon, 01 May 2017 18:09:05 GMT
Github user afine commented on a diff in the pull request:

    https://github.com/apache/zookeeper/pull/184#discussion_r114167751
  
    --- Diff: src/java/main/org/apache/zookeeper/common/X509Util.java ---
    @@ -160,43 +213,120 @@ public static X509KeyManager createKeyManager(String keyStoreLocation,
String ke
                 }
                 throw new KeyManagerException("Couldn't find X509KeyManager");
     
    -        } catch (Exception e) {
    -            throw new KeyManagerException(e);
    +        } catch (IOException|CertificateException|UnrecoverableKeyException|NoSuchAlgorithmException|KeyStoreException
    +                keyManagerCreationException) {
    +            throw new KeyManagerException(keyManagerCreationException);
             } finally {
                 if (inputStream != null) {
                     try {
                         inputStream.close();
    -                } catch (IOException e) {}
    +                } catch (IOException ioException) {
    +                    LOG.info("Failed to close key store input stream", ioException);
    +                }
                 }
             }
         }
     
    -    public static X509TrustManager createTrustManager(String trustStoreLocation, String
trustStorePassword)
    +    public static X509TrustManager createTrustManager(String trustStoreLocation, String
trustStorePassword,
    +                                                      boolean crlEnabled, boolean ocspEnabled,
    +                                                      final boolean hostnameVerificationEnabled,
    +                                                      final boolean shouldVerifyClientHostname)
                 throws TrustManagerException {
             FileInputStream inputStream = null;
             try {
    -            char[] trustStorePasswordChars = trustStorePassword.toCharArray();
                 File trustStoreFile = new File(trustStoreLocation);
                 KeyStore ts = KeyStore.getInstance("JKS");
                 inputStream = new FileInputStream(trustStoreFile);
    -            ts.load(inputStream, trustStorePasswordChars);
    -            TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
    -            tmf.init(ts);
    +            if (trustStorePassword != null) {
    +                char[] trustStorePasswordChars = trustStorePassword.toCharArray();
    +                ts.load(inputStream, trustStorePasswordChars);
    +            } else {
    +                ts.load(inputStream, null);
    +            }
     
    -            for (TrustManager tm : tmf.getTrustManagers()) {
    -                if (tm instanceof X509TrustManager) {
    -                    return (X509TrustManager) tm;
    +            PKIXBuilderParameters pbParams = new PKIXBuilderParameters(ts, new X509CertSelector());
    +            if (crlEnabled || ocspEnabled) {
    +                pbParams.setRevocationEnabled(true);
    +                System.setProperty("com.sun.net.ssl.checkRevocation", "true");
    +                System.setProperty("com.sun.security.enableCRLDP", "true");
    +                if (ocspEnabled) {
    +                    Security.setProperty("ocsp.enable", "true");
    +                }
    +
    +            } else {
    +                pbParams.setRevocationEnabled(false);
    +            }
    +
    +            // Revocation checking is only supported with the PKIX algorithm
    +            TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
    +            tmf.init(new CertPathTrustManagerParameters(pbParams));
    +
    +            for (final TrustManager tm : tmf.getTrustManagers()) {
    +                if (tm instanceof X509ExtendedTrustManager) {
    +                    return new ZKTrustManager((X509ExtendedTrustManager) tm, hostnameVerificationEnabled,
shouldVerifyClientHostname);
                     }
                 }
                 throw new TrustManagerException("Couldn't find X509TrustManager");
    -        } catch (Exception e) {
    -            throw new TrustManagerException(e);
    +        } catch (IOException|CertificateException|NoSuchAlgorithmException|InvalidAlgorithmParameterException|KeyStoreException
    +                 trustManagerCreationException) {
    +            throw new TrustManagerException(trustManagerCreationException);
             } finally {
                 if (inputStream != null) {
                     try {
                         inputStream.close();
    -                } catch (IOException e) {}
    +                } catch (IOException ioException) {
    +                    LOG.info("failed to close TrustStore input stream", ioException);
    +                }
                 }
             }
         }
    -}
    \ No newline at end of file
    +
    +    public SSLSocket createSSLSocket() throws X509Exception, IOException {
    +        SSLSocket sslSocket = (SSLSocket) getDefaultSSLContext().getSocketFactory().createSocket();
    +        configureSSLSocket(sslSocket);
    +
    +        return sslSocket;
    +    }
    +
    +    public SSLSocket createSSLSocket(Socket socket) throws X509Exception, IOException
{
    +        SSLSocket sslSocket = (SSLSocket) getDefaultSSLContext().getSocketFactory().createSocket(socket,
null, socket.getPort(), true);
    +        configureSSLSocket(sslSocket);
    +
    +        return sslSocket;
    +    }
    +
    +    private void configureSSLSocket(SSLSocket sslSocket) {
    +        SSLParameters sslParameters = sslSocket.getSSLParameters();
    +        sslParameters.setNeedClientAuth(true);
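Review bot: The revocation branch in createTrustManager turns on CRL distribution-point fetching whenever either flag is set, so a caller that requests OCSP only (`ocspEnabled` true, `crlEnabled` false) still gets `com.sun.security.enableCRLDP` set to true; guard it with the flag it belongs to, `if (crlEnabled) { System.setProperty("com.sun.security.enableCRLDP", "true"); }`, leaving `checkRevocation` under the combined condition. These System.setProperty/Security.setProperty calls are also process-wide and are never reset, so they affect every SSLContext in the JVM (including ones that asked for no revocation checking) and presumably can race with other callers; a comment such as `// NOTE: JVM-global; enabling revocation here affects all SSL contexts in this process` would warn the next maintainer, and moving the calls out of a per-instance factory may be worth a follow-up. Note too that when `trustStorePassword` is null the JKS file is loaded without its integrity check, which is probably intended for password-less trust stores but deserves a one-line comment saying so. The `@@` header shows this hunk starts inside createKeyManager, and configureSSLSocket continues past the end of the quoted diff, so its remaining SSLParameters setup was not reviewed here.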
    --- End diff --
    
    Good catch, this can be removed.  https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLSocket.html#setNeedClientAuth-boolean-
    
    `Configures the socket to require client authentication. This option is only useful for
sockets in the server mode.`



