From dev-return-70504-archive-asf-public=cust-asf.ponee.io@zookeeper.apache.org  Mon Jun 11 18:19:57 2018
Return-Path: <dev-return-70504-archive-asf-public=cust-asf.ponee.io@zookeeper.apache.org>
X-Original-To: archive-asf-public@cust-asf.ponee.io
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by mx-eu-01.ponee.io (Postfix) with SMTP id 1284018077A
	for <archive-asf-public@cust-asf.ponee.io>; Mon, 11 Jun 2018 18:19:56 +0200 (CEST)
Received: (qmail 27925 invoked by uid 500); 11 Jun 2018 16:19:55 -0000
Mailing-List: contact dev-help@zookeeper.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:dev-help@zookeeper.apache.org>
List-Unsubscribe: <mailto:dev-unsubscribe@zookeeper.apache.org>
List-Post: <mailto:dev@zookeeper.apache.org>
List-Id: <dev.zookeeper.apache.org>
Reply-To: dev@zookeeper.apache.org
Delivered-To: mailing list dev@zookeeper.apache.org
Received: (qmail 27298 invoked by uid 99); 11 Jun 2018 16:19:55 -0000
Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23)
    by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 11 Jun 2018 16:19:55 +0000
Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33)
	id 652B0E0BEA; Mon, 11 Jun 2018 16:19:53 +0000 (UTC)
From: ivmaykov <git@git.apache.org>
To: dev@zookeeper.apache.org
Reply-To: dev@zookeeper.apache.org
References: <git-pr-184-zookeeper@git.apache.org>
In-Reply-To: <git-pr-184-zookeeper@git.apache.org>
Subject: [GitHub] zookeeper pull request #184: ZOOKEEPER-236: SSL Support for Atomic Broadcast...
Content-Type: text/plain
Message-Id: <20180611161954.652B0E0BEA@git1-us-west.apache.org>
Date: Mon, 11 Jun 2018 16:19:53 +0000 (UTC)

Github user ivmaykov commented on a diff in the pull request:

    https://github.com/apache/zookeeper/pull/184#discussion_r194460585
  
    --- Diff: src/java/main/org/apache/zookeeper/common/X509Util.java ---
    @@ -18,64 +18,119 @@
     package org.apache.zookeeper.common;
     
     
    +import org.slf4j.Logger;
    +import org.slf4j.LoggerFactory;
    +
    +import javax.net.ssl.CertPathTrustManagerParameters;
     import javax.net.ssl.KeyManager;
     import javax.net.ssl.KeyManagerFactory;
     import javax.net.ssl.SSLContext;
    +import javax.net.ssl.SSLParameters;
    +import javax.net.ssl.SSLServerSocket;
    +import javax.net.ssl.SSLSocket;
     import javax.net.ssl.TrustManager;
     import javax.net.ssl.TrustManagerFactory;
    +import javax.net.ssl.X509ExtendedTrustManager;
     import javax.net.ssl.X509KeyManager;
     import javax.net.ssl.X509TrustManager;
     import java.io.File;
     import java.io.FileInputStream;
     import java.io.IOException;
    +import java.net.Socket;
    +import java.security.InvalidAlgorithmParameterException;
    +import java.security.KeyManagementException;
     import java.security.KeyStore;
    +import java.security.KeyStoreException;
    +import java.security.NoSuchAlgorithmException;
    +import java.security.Security;
    +import java.security.UnrecoverableKeyException;
    +import java.security.cert.CertificateException;
    +import java.security.cert.PKIXBuilderParameters;
    +import java.security.cert.X509CertSelector;
    +import java.util.Arrays;
     
    -import org.slf4j.Logger;
    -import org.slf4j.LoggerFactory;
    -
    -import static org.apache.zookeeper.common.X509Exception.KeyManagerException;
    -import static org.apache.zookeeper.common.X509Exception.SSLContextException;
    -import static org.apache.zookeeper.common.X509Exception.TrustManagerException;
    +import org.apache.zookeeper.common.X509Exception.KeyManagerException;
    +import org.apache.zookeeper.common.X509Exception.SSLContextException;
    +import org.apache.zookeeper.common.X509Exception.TrustManagerException;
     
     /**
      * Utility code for X509 handling
      */
    -public class X509Util {
    +public abstract class X509Util {
         private static final Logger LOG = LoggerFactory.getLogger(X509Util.class);
     
    -    /**
    -     * @deprecated Use {@link ZKConfig#SSL_KEYSTORE_LOCATION}
    -     *             instead.
    -     */
    -    @Deprecated
    -    public static final String SSL_KEYSTORE_LOCATION = "zookeeper.ssl.keyStore.location";
    -    /**
    -     * @deprecated Use {@link ZKConfig#SSL_KEYSTORE_PASSWD}
    -     *             instead.
    -     */
    -    @Deprecated
    -    public static final String SSL_KEYSTORE_PASSWD = "zookeeper.ssl.keyStore.password";
    -    /**
    -     * @deprecated Use {@link ZKConfig#SSL_TRUSTSTORE_LOCATION}
    -     *             instead.
    -     */
    -    @Deprecated
    -    public static final String SSL_TRUSTSTORE_LOCATION = "zookeeper.ssl.trustStore.location";
    -    /**
    -     * @deprecated Use {@link ZKConfig#SSL_TRUSTSTORE_PASSWD}
    -     *             instead.
    -     */
    -    @Deprecated
    -    public static final String SSL_TRUSTSTORE_PASSWD = "zookeeper.ssl.trustStore.password";
    -    /**
    -     * @deprecated Use {@link ZKConfig#SSL_AUTHPROVIDER}
    -     *             instead.
    -     */
    -    @Deprecated
    -    public static final String SSL_AUTHPROVIDER = "zookeeper.ssl.authProvider";
    -
    -    public static SSLContext createSSLContext() throws SSLContextException {
    -        /**
    +    static final String DEFAULT_PROTOCOL = "TLSv1.2";
    +
    +    private String sslProtocolProperty = getConfigPrefix() + "protocol";
    +    private String cipherSuitesProperty = getConfigPrefix() + "ciphersuites";
    +    private String sslKeystoreLocationProperty = getConfigPrefix() + "keyStore.location";
    +    private String sslKeystorePasswdProperty = getConfigPrefix() + "keyStore.password";
    +    private String sslTruststoreLocationProperty = getConfigPrefix() + "trustStore.location";
    +    private String sslTruststorePasswdProperty = getConfigPrefix() + "trustStore.password";
    +    private String sslHostnameVerificationEnabledProperty = getConfigPrefix() + "hostnameVerification";
    +    private String sslCrlEnabledProperty = getConfigPrefix() + "crl";
    +    private String sslOcspEnabledProperty = getConfigPrefix() + "ocsp";
    +
    +    private String[] cipherSuites;
    +
    +    private volatile SSLContext defaultSSLContext;
    +
    +    public X509Util() {
    +        String cipherSuitesInput = System.getProperty(cipherSuitesProperty);
    +        if (cipherSuitesInput == null) {
    +            cipherSuites = null;
    +        } else {
    +            cipherSuites = cipherSuitesInput.split(",");
    +        }
    +    }
    +
    +    protected abstract String getConfigPrefix();
    +    protected abstract boolean shouldVerifyClientHostname();
    +
    +    public String getSslProtocolProperty() {
    +        return sslProtocolProperty;
    +    }
    +
    +    public String getCipherSuitesProperty() {
    +        return cipherSuitesProperty;
    +    }
    +
    +    public String getSslKeystoreLocationProperty() {
    +        return sslKeystoreLocationProperty;
    +    }
    +
    +    public String getSslKeystorePasswdProperty() {
    +        return sslKeystorePasswdProperty;
    +    }
    +
    +    public String getSslTruststoreLocationProperty() {
    +        return sslTruststoreLocationProperty;
    +    }
    +
    +    public String getSslTruststorePasswdProperty() {
    +        return sslTruststorePasswdProperty;
    +    }
    +
    +    public String getSslHostnameVerificationEnabledProperty() {
    +        return sslHostnameVerificationEnabledProperty;
    +    }
    +    public String getSslCrlEnabledProperty() {
    +        return sslCrlEnabledProperty;
    +    }
    +
    +    public String getSslOcspEnabledProperty() {
    +        return sslOcspEnabledProperty;
    +    }
    +
    +    public synchronized SSLContext getDefaultSSLContext() throws X509Exception.SSLContextException {
    --- End diff --
    
    You forgot to remove `synchronized` from the signature :)


---