zookeeper-dev mailing list archives

From tumativ <...@git.apache.org>
Subject [GitHub] zookeeper pull request #678: ZOOKEEPER-3173: Quorum TLS - support PEM trust/...
Date Fri, 02 Nov 2018 02:29:30 GMT
Github user tumativ commented on a diff in the pull request:

    https://github.com/apache/zookeeper/pull/678#discussion_r230255350
  
    --- Diff: zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java ---
    @@ -254,23 +282,54 @@ public static X509KeyManager createKeyManager(String keyStoreLocation,
String ke
             }
         }
     
    -    public static X509TrustManager createTrustManager(String trustStoreLocation, String
trustStorePassword,
    -                                                      boolean crlEnabled, boolean ocspEnabled,
    -                                                      final boolean serverHostnameVerificationEnabled,
    -                                                      final boolean clientHostnameVerificationEnabled)
    +    /**
    +     * Creates a trust manager by loading the trust store from the given file
    +     * of the given type, optionally decrypting it using the given password.
    +     * @param trustStoreLocation the location of the trust store file.
    +     * @param trustStorePassword optional password to decrypt the trust store
    +     *                           (only applies to JKS trust stores). If empty,
    +     *                           assumes the trust store is not encrypted.
    +     * @param trustStoreTypeProp must be JKS, PEM, or null. If null, attempts
    +     *                           to autodetect the trust store type from the
    +     *                           file extension (.jks / .pem).
    +     * @param crlEnabled enable CRL (certificate revocation list) checks.
    +     * @param ocspEnabled enable OCSP (online certificate status protocol)
    +     *                    checks.
    +     * @param serverHostnameVerificationEnabled if true, verify hostnames of
    +     *                                          remote servers that client
    +     *                                          sockets created by this
    +     *                                          X509Util connect to.
    +     * @param clientHostnameVerificationEnabled if true, verify hostnames of
    +     *                                          remote clients that server
    +     *                                          sockets created by this
    +     *                                          X509Util accept connections
    +     *                                          from.
    +     * @return the trust manager.
    +     * @throws TrustManagerException if something goes wrong.
    +     */
    +    public static X509TrustManager createTrustManager(
    +            String trustStoreLocation,
    +            String trustStorePassword,
    +            String trustStoreTypeProp,
    +            boolean crlEnabled,
    +            boolean ocspEnabled,
    +            final boolean serverHostnameVerificationEnabled,
    +            final boolean clientHostnameVerificationEnabled)
                 throws TrustManagerException {
             FileInputStream inputStream = null;
    +        if (trustStorePassword == null) {
    +            trustStorePassword = "";
    +        }
             try {
    -            File trustStoreFile = new File(trustStoreLocation);
    -            KeyStore ts = KeyStore.getInstance("JKS");
    -            inputStream = new FileInputStream(trustStoreFile);
    -            if (trustStorePassword != null) {
    -                char[] trustStorePasswordChars = trustStorePassword.toCharArray();
    -                ts.load(inputStream, trustStorePasswordChars);
    -            } else {
    -                ts.load(inputStream, null);
    -            }
    -
    +            KeyStoreFileType storeFileType =
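Review bot: the null-password path is lost in this hunk. The removed lines called `ts.load(inputStream, null)` when `trustStorePassword` was null, which skips the JKS integrity check entirely, while the new lines rewrite a null password to `""` before the `try`, so the loader now receives an empty char array. For a JKS trust store whose integrity MAC was computed with a real password, an empty char array makes `KeyStore.load` throw instead of loading the store, so callers that previously omitted the password will start failing; either keep passing null on the JKS path when the password is empty, or state that consequence in the Javadoc, which currently only says an empty password "assumes the trust store is not encrypted". Second point, on the same hunk: the Javadoc says `trustStoreTypeProp` must be JKS, PEM or null and that the method throws only `TrustManagerException`, so whatever resolves `storeFileType` on the last `+` line should have the `IllegalArgumentException` for an unrecognised value caught inside the `try` and wrapped in `TrustManagerException`, otherwise an unchecked exception escapes the documented contract.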
    --- End diff --
    
    IllegalArgumentException is possible here. I see it is not handled.


---
