HADOOP-13864. KMS should not require truststore password. Contributed by Mike Yoder.
parent
f3b8ff54ab
commit
a2b5d60220
|
@ -202,8 +202,10 @@ public class FileBasedKeyStoresFactory implements KeyStoresFactory {
|
||||||
SSL_TRUSTSTORE_PASSWORD_TPL_KEY);
|
SSL_TRUSTSTORE_PASSWORD_TPL_KEY);
|
||||||
String truststorePassword = getPassword(conf, passwordProperty, "");
|
String truststorePassword = getPassword(conf, passwordProperty, "");
|
||||||
if (truststorePassword.isEmpty()) {
|
if (truststorePassword.isEmpty()) {
|
||||||
throw new GeneralSecurityException("The property '" + passwordProperty +
|
// An empty trust store password is legal; the trust store password
|
||||||
"' has not been set in the ssl configuration file.");
|
// is only required when writing to a trust store. Otherwise it's
|
||||||
|
// an optional integrity check.
|
||||||
|
truststorePassword = null;
|
||||||
}
|
}
|
||||||
long truststoreReloadInterval =
|
long truststoreReloadInterval =
|
||||||
conf.getLong(
|
conf.getLong(
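Review bot: In the `truststorePassword.isEmpty()` branch, an unset or misspelt password property now falls through silently to `truststorePassword = null`, where the old code failed start-up. With a null password the store is loaded without its integrity check, so an operator gets no signal that tamper detection on the truststore file is off and that file permissions are the only remaining protection. I would log this once in the branch, assuming the class has a logger in scope (none is visible in this hunk): `LOG.warn("The property '" + passwordProperty + "' has not been set, no trust store integrity check will be performed");`. The enclosing method starts and ends outside the hunk.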
|
||||||
|
|
|
@ -167,7 +167,7 @@ public final class ReloadingX509TrustManager
|
||||||
KeyStore ks = KeyStore.getInstance(type);
|
KeyStore ks = KeyStore.getInstance(type);
|
||||||
FileInputStream in = new FileInputStream(file);
|
FileInputStream in = new FileInputStream(file);
|
||||||
try {
|
try {
|
||||||
ks.load(in, password.toCharArray());
|
ks.load(in, (password == null) ? null : password.toCharArray());
|
||||||
lastLoaded = file.lastModified();
|
lastLoaded = file.lastModified();
|
||||||
LOG.debug("Loaded truststore '" + file + "'");
|
LOG.debug("Loaded truststore '" + file + "'");
|
||||||
} finally {
|
} finally {
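Review bot: The null branch on the `ks.load(in, ...)` line is only shown to be harmless for the `jks` type used by the new test, while `type` is supplied by the caller. Some providers (PKCS12 in particular, as far as I recall) skip password-protected certificate entries when loaded with a null password, which would leave the manager with an empty issuer list instead of an error. A comment above the call would record the contract, e.g. `// null password: integrity check is skipped; some store types may expose no entries`. Wherever the `password` parameter is documented, it should also say that null is accepted. The enclosing method begins and ends outside the hunk.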
|
||||||
|
|
|
@ -199,4 +199,22 @@ public class TestReloadingX509TrustManager {
|
||||||
}, reloadInterval, 10 * 1000);
|
}, reloadInterval, 10 * 1000);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/** No password when accessing a trust store is legal. */
|
||||||
|
@Test
|
||||||
|
public void testNoPassword() throws Exception {
|
||||||
|
KeyPair kp = generateKeyPair("RSA");
|
||||||
|
cert1 = generateCertificate("CN=Cert1", kp, 30, "SHA1withRSA");
|
||||||
|
cert2 = generateCertificate("CN=Cert2", kp, 30, "SHA1withRSA");
|
||||||
|
String truststoreLocation = BASEDIR + "/testreload.jks";
|
||||||
|
createTrustStore(truststoreLocation, "password", "cert1", cert1);
|
||||||
|
|
||||||
|
final ReloadingX509TrustManager tm =
|
||||||
|
new ReloadingX509TrustManager("jks", truststoreLocation, null, 10);
|
||||||
|
try {
|
||||||
|
tm.init();
|
||||||
|
assertEquals(1, tm.getAcceptedIssuers().length);
|
||||||
|
} finally {
|
||||||
|
tm.destroy();
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
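Review bot: `testNoPassword` passes `null` straight to the `ReloadingX509TrustManager` constructor, so the new empty-string-to-null conversion in `FileBasedKeyStoresFactory` is not exercised by this test. A companion case that initialises the factory with the truststore password property left unset would pin the behaviour this commit is named for. The Javadoc could also state what is given up: `/** A trust store can be read without its password; the integrity check is then skipped. */`.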
|
||||||
|
|