HADOOP-13864. KMS should not require truststore password. Contributed by Mike Yoder.

This commit is contained in:
Xiao Chen 2016-12-05 12:19:26 -08:00
parent f3b8ff54ab
commit a2b5d60220
3 changed files with 23 additions and 3 deletions

View File

@ -202,8 +202,10 @@ public class FileBasedKeyStoresFactory implements KeyStoresFactory {
SSL_TRUSTSTORE_PASSWORD_TPL_KEY); SSL_TRUSTSTORE_PASSWORD_TPL_KEY);
String truststorePassword = getPassword(conf, passwordProperty, ""); String truststorePassword = getPassword(conf, passwordProperty, "");
if (truststorePassword.isEmpty()) { if (truststorePassword.isEmpty()) {
throw new GeneralSecurityException("The property '" + passwordProperty + // An empty trust store password is legal; the trust store password
"' has not been set in the ssl configuration file."); // is only required when writing to a trust store. Otherwise it's
// an optional integrity check.
truststorePassword = null;
} }
long truststoreReloadInterval = long truststoreReloadInterval =
conf.getLong( conf.getLong(

View File

@ -167,7 +167,7 @@ public final class ReloadingX509TrustManager
KeyStore ks = KeyStore.getInstance(type); KeyStore ks = KeyStore.getInstance(type);
FileInputStream in = new FileInputStream(file); FileInputStream in = new FileInputStream(file);
try { try {
ks.load(in, password.toCharArray()); ks.load(in, (password == null) ? null : password.toCharArray());
lastLoaded = file.lastModified(); lastLoaded = file.lastModified();
LOG.debug("Loaded truststore '" + file + "'"); LOG.debug("Loaded truststore '" + file + "'");
} finally { } finally {

View File

@ -199,4 +199,22 @@ public class TestReloadingX509TrustManager {
}, reloadInterval, 10 * 1000); }, reloadInterval, 10 * 1000);
} }
/** No password when accessing a trust store is legal. */
@Test
public void testNoPassword() throws Exception {
KeyPair kp = generateKeyPair("RSA");
cert1 = generateCertificate("CN=Cert1", kp, 30, "SHA1withRSA");
cert2 = generateCertificate("CN=Cert2", kp, 30, "SHA1withRSA");
String truststoreLocation = BASEDIR + "/testreload.jks";
createTrustStore(truststoreLocation, "password", "cert1", cert1);
final ReloadingX509TrustManager tm =
new ReloadingX509TrustManager("jks", truststoreLocation, null, 10);
try {
tm.init();
assertEquals(1, tm.getAcceptedIssuers().length);
} finally {
tm.destroy();
}
}
} }