HADOOP-17699. Remove hardcoded SunX509 usage from SSLFactory. (#3016)

Xiaoyu Yao 2021-05-18 10:11:36 -07:00 committed by GitHub
parent 110cda3de6
commit 86729e130f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 31 additions and 7 deletions


@ -273,8 +273,8 @@ public class FileBasedKeyStoresFactory implements KeyStoresFactory {
} else {
KeyStore keystore = KeyStore.getInstance(keystoreType);
keystore.load(null, null);
KeyManagerFactory keyMgrFactory = KeyManagerFactory
.getInstance(SSLFactory.SSLCERTIFICATE);
KeyManagerFactory keyMgrFactory = KeyManagerFactory.getInstance(
SSLFactory.KEY_MANAGER_SSLCERTIFICATE);
keyMgrFactory.init(keystore, null);
keyManagers = keyMgrFactory.getKeyManagers();


@ -143,7 +143,7 @@ public class ReloadingX509KeystoreManager extends X509ExtendedKeyManager {
LOG.debug(" Loaded KeyStore: " + path.toFile().getAbsolutePath());
KeyManagerFactory keyMgrFactory = KeyManagerFactory.getInstance(
SSLFactory.SSLCERTIFICATE);
SSLFactory.KEY_MANAGER_SSLCERTIFICATE);
keyMgrFactory.init(keystore,
(keyPassword != null) ? keyPassword.toCharArray() : null);
for (KeyManager candidate: keyMgrFactory.getKeyManagers()) {


@ -136,8 +136,8 @@ public final class ReloadingX509TrustManager implements X509TrustManager {
in.close();
}
TrustManagerFactory trustManagerFactory =
TrustManagerFactory.getInstance(SSLFactory.SSLCERTIFICATE);
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(
SSLFactory.TRUST_MANAGER_SSLCERTIFICATE);
trustManagerFactory.init(ks);
TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
for (TrustManager trustManager1 : trustManagers) {


@ -25,14 +25,16 @@ import org.apache.hadoop.util.ReflectionUtils;
import org.apache.hadoop.util.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import static org.apache.hadoop.util.PlatformName.IBM_JAVA;
import static org.apache.hadoop.util.PlatformName.JAVA_VENDOR_NAME;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.security.GeneralSecurityException;
@ -99,7 +101,13 @@ public class SSLFactory implements ConnectionConfigurator {
public static final String SSL_SERVER_EXCLUDE_CIPHER_LIST =
"ssl.server.exclude.cipher.list";
public static final String SSLCERTIFICATE = IBM_JAVA?"ibmX509":"SunX509";
public static final String KEY_MANAGER_SSLCERTIFICATE =
JAVA_VENDOR_NAME.contains("IBM") ? "ibmX509" :
KeyManagerFactory.getDefaultAlgorithm();
public static final String TRUST_MANAGER_SSLCERTIFICATE =
JAVA_VENDOR_NAME.contains("IBM") ? "ibmX509" :
TrustManagerFactory.getDefaultAlgorithm();
public static final String KEYSTORES_FACTORY_CLASS_KEY =
"hadoop.ssl.keystores.factory.class";

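Review bot: The trust-manager default silently changes on non-IBM JVMs with the new `TRUST_MANAGER_SSLCERTIFICATE` constant: `TrustManagerFactory.getDefaultAlgorithm()` returns the `ssl.TrustManagerFactory.algorithm` security property, which the JDK's stock java.security sets to "PKIX", while `KeyManagerFactory.getDefaultAlgorithm()` still yields "SunX509" — so trust decisions move from the SunX509 trust manager to the PKIX validator, which performs full certificate-path validation (validity, BasicConstraints, key usage) rather than the simpler chain check SunX509 does. That is a reasonable hardening, but it is a behaviour change for truststores that only ever validated under SunX509 and nothing in the hunk says so; each constant should carry a Javadoc stating where the value comes from, the JDK default, and that it is resolved once at class initialization, e.g. `/** Trust-manager algorithm: "ibmX509" on IBM JVMs, else the ssl.TrustManagerFactory.algorithm security property (JDK default PKIX); fixed when this class loads. */`. `JAVA_VENDOR_NAME.contains("IBM")` also re-implements the vendor check the removed `IBM_JAVA` flag presumably provided, and "ibmX509" stays hard-coded on IBM JVMs despite the commit title, so if IBM JDKs honor the same security properties the special case could be `IBM_JAVA ? "ibmX509" : KeyManagerFactory.getDefaultAlgorithm()` or dropped entirely after testing. Finally, the deleted `public static final SSLCERTIFICATE` is part of the class's public surface; if anything outside this tree referenced it, keep a `@Deprecated` alias pointing at `KEY_MANAGER_SSLCERTIFICATE` for one release.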

@ -17,6 +17,8 @@
*/
package org.apache.hadoop.security.ssl;
import static java.security.Security.getProperty;
import static java.security.Security.setProperty;
import static org.apache.hadoop.security.ssl.FileBasedKeyStoresFactory.SSL_TRUSTSTORE_LOCATION_TPL_KEY;
import static org.apache.hadoop.security.ssl.KeyStoreTestUtil.TRUST_STORE_PASSWORD_DEFAULT;
import static org.apache.hadoop.security.ssl.SSLFactory.Mode.CLIENT;
@ -367,6 +369,20 @@ public class TestSSLFactory {
}
}
@Test
public void testDifferentAlgorithm() throws Exception {
Configuration conf = createConfiguration(false, true);
String currAlg = getProperty("ssl.KeyManagerFactory.algorithm");
setProperty("ssl.KeyManagerFactory.algorithm", "PKIX");
SSLFactory sslFactory = new SSLFactory(SSLFactory.Mode.CLIENT, conf);
try {
sslFactory.init();
} finally {
sslFactory.destroy();
setProperty("ssl.KeyManagerFactory.algorithm", currAlg);
}
}
@Test
public void testConnectionConfigurator() throws Exception {
Configuration conf = createConfiguration(false, true);
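Review bot: `testDifferentAlgorithm` cannot observe the property it sets: `SSLFactory.KEY_MANAGER_SSLCERTIFICATE` is a `static final` computed from `KeyManagerFactory.getDefaultAlgorithm()` during class initialization, and unless this method happens to run first, other tests in the class (e.g. `testConnectionConfigurator` below) have already initialized `SSLFactory`, so the constant still holds whatever java.security said at JVM start and `init()` never sees "PKIX". The test also asserts nothing, so it passes either way; at minimum add `assertEquals("PKIX", SSLFactory.KEY_MANAGER_SSLCERTIFICATE);` after `setProperty(...)`, which will show whether the property is actually consulted, and if it is not, the fix belongs in SSLFactory (resolve the algorithm lazily, e.g. inside `init()`) rather than in the test. The restore in `finally` is unsafe when the property was unset in this JVM's java.security: `currAlg` is then null and `Security.setProperty(..., null)` throws `NullPointerException` (the backing `Properties` table rejects null values), masking the real outcome — guard it with `if (currAlg != null) { setProperty("ssl.KeyManagerFactory.algorithm", currAlg); }`. Because the test mutates a JVM-global security property, it must not run concurrently with the other tests in this class; say so in a comment on the method or serialize the test explicitly.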