HBASE-27342 Use Hadoop Credentials API to retrieve passwords of TLS key/trust stores (#4751)

Signed-off-by: Andrew Purtell <apurtell@apache.org>
Signed-off-by: Duo Zhang <zhangduo@apache.org>
Signed-off-by: Balazs Meszaros <meszibalu@apache.org>
This commit is contained in:
Andor Molnár 2022-09-01 10:06:15 +02:00 committed by GitHub
parent a7dab37b7f
commit 9838c070aa
11 changed files with 83 additions and 102 deletions


@ -106,6 +106,7 @@ show_usage() {
echo " cellcounter Run CellCounter tool"
echo " pre-upgrade Run Pre-Upgrade validator tool"
echo " hbtop Run HBTop tool"
echo " credential Run the Hadoop Credential Shell"
echo " CLASSNAME Run the class named CLASSNAME"
}
@ -734,6 +735,8 @@ elif [ "$COMMAND" = "hbtop" ] ; then
HBASE_HBTOP_OPTS="${HBASE_HBTOP_OPTS} -Dlog4j2.configurationFile=file:${HBASE_HOME}/conf/log4j2-hbtop.properties"
fi
HBASE_OPTS="${HBASE_OPTS} ${HBASE_HBTOP_OPTS}"
elif [ "$COMMAND" = "credential" ] ; then
CLASS='org.apache.hadoop.security.alias.CredentialShell'
else
CLASS=$COMMAND
if [[ "$CLASS" =~ .*IntegrationTest.* ]] ; then


@ -20,7 +20,6 @@ package org.apache.hadoop.hbase.ipc;
import java.io.IOException;
import java.net.SocketAddress;
import java.util.concurrent.atomic.AtomicReference;
import javax.net.ssl.SSLException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseInterfaceAudience;
import org.apache.hadoop.hbase.HConstants;
@ -89,7 +88,7 @@ public class NettyRpcClient extends AbstractRpcClient<NettyRpcConnection> {
}
}
SslContext getSslContext() throws X509Exception, SSLException {
SslContext getSslContext() throws X509Exception, IOException {
SslContext result = sslContextForClient.get();
if (result == null) {
result = X509Util.createSslContextForClient(conf);


@ -17,7 +17,6 @@
*/
package org.apache.hadoop.hbase.io.crypto.tls;
import java.io.BufferedInputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
@ -32,7 +31,6 @@ import java.util.Objects;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;
@ -65,6 +63,7 @@ import org.apache.hbase.thirdparty.io.netty.handler.ssl.SslContextBuilder;
public final class X509Util {
private static final Logger LOG = LoggerFactory.getLogger(X509Util.class);
private static final char[] EMPTY_CHAR_ARRAY = new char[0];
// Config
static final String CONFIG_PREFIX = "hbase.rpc.tls.";
@ -140,12 +139,12 @@ public final class X509Util {
}
public static SslContext createSslContextForClient(Configuration config)
throws X509Exception, SSLException {
throws X509Exception, IOException {
SslContextBuilder sslContextBuilder = SslContextBuilder.forClient();
String keyStoreLocation = config.get(TLS_CONFIG_KEYSTORE_LOCATION, "");
String keyStorePassword = config.get(TLS_CONFIG_KEYSTORE_PASSWORD, "");
char[] keyStorePassword = config.getPassword(TLS_CONFIG_KEYSTORE_PASSWORD);
String keyStoreType = config.get(TLS_CONFIG_KEYSTORE_TYPE, "");
if (keyStoreLocation.isEmpty()) {
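Review bot: The `char[]` returned by `config.getPassword(TLS_CONFIG_KEYSTORE_PASSWORD)` is never cleared once the key manager has been built, so the secret stays in the heap for as long as the array is reachable; the same applies to `trustStorePassword` in the next hunk and to both arrays in createSslContextForServer. Since the point of moving to the Credentials API is to keep plaintext passwords out of long-lived state, consider wrapping the rest of each method in try/finally and zeroing both arrays, e.g. `} finally { Arrays.fill(keyStorePassword, '\0'); Arrays.fill(trustStorePassword, '\0'); }` (adding `java.util.Arrays` to the imports if it is not already there), provided the configured credential provider hands back a fresh array rather than its own cached one — worth confirming against `Configuration.getPassword`. The clearing should not go into createKeyManager/createTrustManager, because TestX509Util passes arrays it reuses across calls (`x509TestContext.getKeyStorePassword()`). Both createSslContext* bodies continue outside the hunk.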
@ -156,7 +155,7 @@ public final class X509Util {
}
String trustStoreLocation = config.get(TLS_CONFIG_TRUSTSTORE_LOCATION, "");
String trustStorePassword = config.get(TLS_CONFIG_TRUSTSTORE_PASSWORD, "");
char[] trustStorePassword = config.getPassword(TLS_CONFIG_TRUSTSTORE_PASSWORD);
String trustStoreType = config.get(TLS_CONFIG_TRUSTSTORE_TYPE, "");
boolean sslCrlEnabled = config.getBoolean(TLS_CONFIG_CLR, false);
@ -177,9 +176,9 @@ public final class X509Util {
}
public static SslContext createSslContextForServer(Configuration config)
throws X509Exception, SSLException {
throws X509Exception, IOException {
String keyStoreLocation = config.get(TLS_CONFIG_KEYSTORE_LOCATION, "");
String keyStorePassword = config.get(TLS_CONFIG_KEYSTORE_PASSWORD, "");
char[] keyStorePassword = config.getPassword(TLS_CONFIG_KEYSTORE_PASSWORD);
String keyStoreType = config.get(TLS_CONFIG_KEYSTORE_TYPE, "");
if (keyStoreLocation.isEmpty()) {
@ -193,7 +192,7 @@ public final class X509Util {
.forServer(createKeyManager(keyStoreLocation, keyStorePassword, keyStoreType));
String trustStoreLocation = config.get(TLS_CONFIG_TRUSTSTORE_LOCATION, "");
String trustStorePassword = config.get(TLS_CONFIG_TRUSTSTORE_PASSWORD, "");
char[] trustStorePassword = config.getPassword(TLS_CONFIG_TRUSTSTORE_PASSWORD);
String trustStoreType = config.get(TLS_CONFIG_TRUSTSTORE_TYPE, "");
boolean sslCrlEnabled = config.getBoolean(TLS_CONFIG_CLR, false);
@ -225,27 +224,25 @@ public final class X509Util {
* @return the key manager.
* @throws KeyManagerException if something goes wrong.
*/
static X509KeyManager createKeyManager(String keyStoreLocation, String keyStorePassword,
static X509KeyManager createKeyManager(String keyStoreLocation, char[] keyStorePassword,
String keyStoreType) throws KeyManagerException {
if (keyStorePassword == null) {
keyStorePassword = "";
}
if (keyStoreType == null) {
keyStoreType = "jks";
}
if (keyStorePassword == null) {
keyStorePassword = EMPTY_CHAR_ARRAY;
}
try {
char[] password = keyStorePassword.toCharArray();
KeyStore ks = KeyStore.getInstance(keyStoreType);
try (InputStream inputStream =
new BufferedInputStream(Files.newInputStream(new File(keyStoreLocation).toPath()))) {
ks.load(inputStream, password);
try (InputStream inputStream = Files.newInputStream(new File(keyStoreLocation).toPath())) {
ks.load(inputStream, keyStorePassword);
}
KeyManagerFactory kmf = KeyManagerFactory.getInstance("PKIX");
kmf.init(ks, password);
kmf.init(ks, keyStorePassword);
for (KeyManager km : kmf.getKeyManagers()) {
if (km instanceof X509KeyManager) {
@ -272,23 +269,21 @@ public final class X509Util {
* @return the trust manager.
* @throws TrustManagerException if something goes wrong.
*/
static X509TrustManager createTrustManager(String trustStoreLocation, String trustStorePassword,
static X509TrustManager createTrustManager(String trustStoreLocation, char[] trustStorePassword,
String trustStoreType, boolean crlEnabled, boolean ocspEnabled) throws TrustManagerException {
if (trustStorePassword == null) {
trustStorePassword = "";
}
if (trustStoreType == null) {
trustStoreType = "jks";
}
if (trustStorePassword == null) {
trustStorePassword = EMPTY_CHAR_ARRAY;
}
try {
char[] password = trustStorePassword.toCharArray();
KeyStore ts = KeyStore.getInstance(trustStoreType);
try (InputStream inputStream =
new BufferedInputStream(Files.newInputStream(new File(trustStoreLocation).toPath()))) {
ts.load(inputStream, password);
try (InputStream inputStream = Files.newInputStream(new File(trustStoreLocation).toPath())) {
ts.load(inputStream, trustStorePassword);
}
PKIXBuilderParameters pbParams = new PKIXBuilderParameters(ts, new X509CertSelector());


@ -19,12 +19,13 @@ package org.apache.hadoop.hbase.io.crypto.tls;
import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.equalTo;
import static org.junit.Assert.assertArrayEquals;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertThrows;
import static org.junit.Assert.assertTrue;
import static org.junit.Assume.assumeTrue;
import static org.junit.Assume.assumeThat;
import static org.mockito.Mockito.mock;
import java.io.File;
@ -42,7 +43,6 @@ import org.apache.hadoop.hbase.HBaseCommonTestingUtility;
import org.apache.hadoop.hbase.exceptions.KeyManagerException;
import org.apache.hadoop.hbase.exceptions.SSLContextException;
import org.apache.hadoop.hbase.exceptions.TrustManagerException;
import org.apache.hadoop.hbase.exceptions.X509Exception;
import org.apache.hadoop.hbase.testclassification.MiscTests;
import org.apache.hadoop.hbase.testclassification.SmallTests;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
@ -74,6 +74,7 @@ public class TestX509Util {
HBaseClassTestRule.forClass(TestX509Util.class);
private static final HBaseCommonTestingUtility UTIL = new HBaseCommonTestingUtility();
private static final char[] EMPTY_CHAR_ARRAY = new char[0];
private static X509TestContextProvider PROVIDER;
@ -84,7 +85,7 @@ public class TestX509Util {
public X509KeyType certKeyType;
@Parameterized.Parameter(value = 2)
public String keyPassword;
public char[] keyPassword;
@Parameterized.Parameter(value = 3)
public Integer paramIndex;
@ -100,7 +101,7 @@ public class TestX509Util {
int paramIndex = 0;
for (X509KeyType caKeyType : X509KeyType.values()) {
for (X509KeyType certKeyType : X509KeyType.values()) {
for (String keyPassword : new String[] { "", "pa$$w0rd" }) {
for (char[] keyPassword : new char[][] { "".toCharArray(), "pa$$w0rd".toCharArray() }) {
params.add(new Object[] { caKeyType, certKeyType, keyPassword, paramIndex++ });
}
}
@ -172,13 +173,6 @@ public class TestX509Util {
X509Util.createSslContextForClient(conf);
}
@Test(expected = X509Exception.class)
public void testCreateSSLContextWithoutKeyStorePassword() throws Exception {
assumeTrue(x509TestContext.isKeyStoreEncrypted());
conf.unset(X509Util.TLS_CONFIG_KEYSTORE_PASSWORD);
X509Util.createSslContextForServer(conf);
}
@Test
public void testCreateSSLContextWithoutTrustStoreLocationClient() throws Exception {
conf.unset(X509Util.TLS_CONFIG_TRUSTSTORE_LOCATION);
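Review bot: Deleting testCreateSSLContextWithoutKeyStorePassword leaves the missing-password path untested: with `getPassword` an unset TLS_CONFIG_KEYSTORE_PASSWORD now yields null, which createKeyManager turns into an empty `char[]`, and loading a password-protected store with an empty password should still surface as an X509Exception. The test presumably had to go because `isKeyStoreEncrypted()` now returns true for the `"".toCharArray()` parameter as well, so the assumption no longer filtered the unencrypted cases. Rather than dropping it, keep the test with an assumption that checks the array itself, `assumeTrue(x509TestContext.getKeyStorePassword().length > 0);`. The surrounding test method continues outside the hunk.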
@ -220,7 +214,7 @@ public class TestX509Util {
@Test
public void testLoadJKSKeyStoreNullPassword() throws Exception {
assumeTrue(x509TestContext.getKeyStorePassword().isEmpty());
assumeThat(x509TestContext.getKeyStorePassword(), equalTo(EMPTY_CHAR_ARRAY));
// Make sure that empty password and null password are treated the same
X509Util.createKeyManager(
x509TestContext.getKeyStoreFile(KeyStoreFileType.JKS).getAbsolutePath(), null,
@ -237,12 +231,12 @@ public class TestX509Util {
}
@Test
public void testLoadJKSKeyStoreWithWrongPassword() throws Exception {
public void testLoadJKSKeyStoreWithWrongPassword() {
assertThrows(KeyManagerException.class, () -> {
// Attempting to load with the wrong key password should fail
X509Util.createKeyManager(
x509TestContext.getKeyStoreFile(KeyStoreFileType.JKS).getAbsolutePath(), "wrong password",
KeyStoreFileType.JKS.getPropertyValue());
x509TestContext.getKeyStoreFile(KeyStoreFileType.JKS).getAbsolutePath(),
"wrong password".toCharArray(), KeyStoreFileType.JKS.getPropertyValue());
});
}
@ -256,9 +250,7 @@ public class TestX509Util {
@Test
public void testLoadJKSTrustStoreNullPassword() throws Exception {
if (!x509TestContext.getTrustStorePassword().isEmpty()) {
return;
}
assumeThat(x509TestContext.getTrustStorePassword(), equalTo(EMPTY_CHAR_ARRAY));
// Make sure that empty password and null password are treated the same
X509Util.createTrustManager(
x509TestContext.getTrustStoreFile(KeyStoreFileType.JKS).getAbsolutePath(), null,
@ -279,8 +271,8 @@ public class TestX509Util {
assertThrows(TrustManagerException.class, () -> {
// Attempting to load with the wrong key password should fail
X509Util.createTrustManager(
x509TestContext.getTrustStoreFile(KeyStoreFileType.JKS).getAbsolutePath(), "wrong password",
KeyStoreFileType.JKS.getPropertyValue(), true, true);
x509TestContext.getTrustStoreFile(KeyStoreFileType.JKS).getAbsolutePath(),
"wrong password".toCharArray(), KeyStoreFileType.JKS.getPropertyValue(), true, true);
});
}
@ -294,9 +286,7 @@ public class TestX509Util {
@Test
public void testLoadPKCS12KeyStoreNullPassword() throws Exception {
if (!x509TestContext.getKeyStorePassword().isEmpty()) {
return;
}
assumeThat(x509TestContext.getKeyStorePassword(), equalTo(EMPTY_CHAR_ARRAY));
// Make sure that empty password and null password are treated the same
X509Util.createKeyManager(
x509TestContext.getKeyStoreFile(KeyStoreFileType.PKCS12).getAbsolutePath(), null,
@ -309,7 +299,7 @@ public class TestX509Util {
// Attempting to load with the wrong key password should fail
X509Util.createKeyManager(
x509TestContext.getKeyStoreFile(KeyStoreFileType.PKCS12).getAbsolutePath(),
"wrong password", KeyStoreFileType.PKCS12.getPropertyValue());
"wrong password".toCharArray(), KeyStoreFileType.PKCS12.getPropertyValue());
});
}
@ -324,9 +314,7 @@ public class TestX509Util {
@Test
public void testLoadPKCS12TrustStoreNullPassword() throws Exception {
if (!x509TestContext.getTrustStorePassword().isEmpty()) {
return;
}
assumeThat(x509TestContext.getTrustStorePassword(), equalTo(EMPTY_CHAR_ARRAY));
// Make sure that empty password and null password are treated the same
X509Util.createTrustManager(
x509TestContext.getTrustStoreFile(KeyStoreFileType.PKCS12).getAbsolutePath(), null,
@ -339,7 +327,7 @@ public class TestX509Util {
// Attempting to load with the wrong key password should fail
X509Util.createTrustManager(
x509TestContext.getTrustStoreFile(KeyStoreFileType.PKCS12).getAbsolutePath(),
"wrong password", KeyStoreFileType.PKCS12.getPropertyValue(), true, true);
"wrong password".toCharArray(), KeyStoreFileType.PKCS12.getPropertyValue(), true, true);
});
}


@ -56,14 +56,14 @@ public final class X509TestContext {
private final Configuration conf;
private final X509Certificate trustStoreCertificate;
private final String trustStorePassword;
private final char[] trustStorePassword;
private File trustStoreJksFile;
private File trustStorePemFile;
private File trustStorePkcs12File;
private final KeyPair keyStoreKeyPair;
private final X509Certificate keyStoreCertificate;
private final String keyStorePassword;
private final char[] keyStorePassword;
private File keyStoreJksFile;
private File keyStorePemFile;
private File keyStorePkcs12File;
@ -80,7 +80,7 @@ public final class X509TestContext {
* @param keyStorePassword the password to protect the key store private key.
*/
private X509TestContext(Configuration conf, File tempDir, KeyPair trustStoreKeyPair,
String trustStorePassword, KeyPair keyStoreKeyPair, String keyStorePassword)
char[] trustStorePassword, KeyPair keyStoreKeyPair, char[] keyStorePassword)
throws IOException, GeneralSecurityException, OperatorCreationException {
if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
throw new IllegalStateException("BC Security provider was not found");
@ -117,7 +117,7 @@ public final class X509TestContext {
return tempDir;
}
public String getTrustStorePassword() {
public char[] getTrustStorePassword() {
return trustStorePassword;
}
@ -198,12 +198,12 @@ public final class X509TestContext {
return keyStoreCertificate;
}
public String getKeyStorePassword() {
public char[] getKeyStorePassword() {
return keyStorePassword;
}
public boolean isKeyStoreEncrypted() {
return keyStorePassword.length() > 0;
return keyStorePassword != null;
}
public Configuration getConf() {
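Review bot: `isKeyStoreEncrypted()` returning `keyStorePassword != null` reports an empty-password store as encrypted, because the parameterized tests build contexts with `"".toCharArray()`, which is non-null; the rest of this commit treats an empty array as "no password" (`equalTo(EMPTY_CHAR_ARRAY)` assumptions, `EMPTY_CHAR_ARRAY` fallback in X509Util). Suggest `return keyStorePassword != null && keyStorePassword.length > 0;`. Separately, the Builder no longer initialises the passwords (the `""` defaults were removed), so a caller that never calls the setters ends up with null arrays, and `String.valueOf(this.getKeyStorePassword())` in setConfigurations resolves to the `char[]` overload and throws NullPointerException on null; if such callers exist, either restore empty-array defaults in the Builder or null-guard those two conf.set lines.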
@ -307,11 +307,11 @@ public final class X509TestContext {
KeyStoreFileType trustStoreFileType) throws IOException {
conf.set(X509Util.TLS_CONFIG_KEYSTORE_LOCATION,
this.getKeyStoreFile(keyStoreFileType).getAbsolutePath());
conf.set(X509Util.TLS_CONFIG_KEYSTORE_PASSWORD, this.getKeyStorePassword());
conf.set(X509Util.TLS_CONFIG_KEYSTORE_PASSWORD, String.valueOf(this.getKeyStorePassword()));
conf.set(X509Util.TLS_CONFIG_KEYSTORE_TYPE, keyStoreFileType.getPropertyValue());
conf.set(X509Util.TLS_CONFIG_TRUSTSTORE_LOCATION,
this.getTrustStoreFile(trustStoreFileType).getAbsolutePath());
conf.set(X509Util.TLS_CONFIG_TRUSTSTORE_PASSWORD, this.getTrustStorePassword());
conf.set(X509Util.TLS_CONFIG_TRUSTSTORE_PASSWORD, String.valueOf(this.getTrustStorePassword()));
conf.set(X509Util.TLS_CONFIG_TRUSTSTORE_TYPE, trustStoreFileType.getPropertyValue());
}
@ -332,9 +332,9 @@ public final class X509TestContext {
private final Configuration conf;
private File tempDir;
private X509KeyType trustStoreKeyType;
private String trustStorePassword;
private char[] trustStorePassword;
private X509KeyType keyStoreKeyType;
private String keyStorePassword;
private char[] keyStorePassword;
/**
* Creates an empty builder with the given Configuration.
@ -342,9 +342,7 @@ public final class X509TestContext {
public Builder(Configuration conf) {
this.conf = conf;
trustStoreKeyType = X509KeyType.EC;
trustStorePassword = "";
keyStoreKeyType = X509KeyType.EC;
keyStorePassword = "";
}
/**
@ -387,7 +385,7 @@ public final class X509TestContext {
* @param password the password.
* @return this Builder.
*/
public Builder setTrustStorePassword(String password) {
public Builder setTrustStorePassword(char[] password) {
trustStorePassword = password;
return this;
}
@ -409,7 +407,7 @@ public final class X509TestContext {
* @param password the password.
* @return this Builder.
*/
public Builder setKeyStorePassword(String password) {
public Builder setKeyStorePassword(char[] password) {
keyStorePassword = password;
return this;
}


@ -18,6 +18,7 @@
package org.apache.hadoop.hbase.io.crypto.tls;
import java.io.File;
import java.util.Arrays;
import java.util.Objects;
import org.apache.hadoop.conf.Configuration;
@ -35,9 +36,9 @@ public class X509TestContextProvider {
private final X509KeyType certKeyType;
private final String keyPassword;
private final char[] keyPassword;
CacheKey(X509KeyType caKeyType, X509KeyType certKeyType, String keyPassword) {
CacheKey(X509KeyType caKeyType, X509KeyType certKeyType, char[] keyPassword) {
this.caKeyType = caKeyType;
this.certKeyType = certKeyType;
this.keyPassword = keyPassword;
@ -45,7 +46,7 @@ public class X509TestContextProvider {
@Override
public int hashCode() {
return Objects.hash(caKeyType, certKeyType, keyPassword);
return Objects.hash(caKeyType, certKeyType, Arrays.hashCode(keyPassword));
}
@Override
@ -55,7 +56,7 @@ public class X509TestContextProvider {
}
CacheKey other = (CacheKey) obj;
return caKeyType == other.caKeyType && certKeyType == other.certKeyType
&& Objects.equals(keyPassword, other.keyPassword);
&& Arrays.equals(keyPassword, other.keyPassword);
}
}
@ -79,7 +80,7 @@ public class X509TestContextProvider {
this.tempDir = tempDir;
}
public X509TestContext get(X509KeyType caKeyType, X509KeyType certKeyType, String keyPassword) {
public X509TestContext get(X509KeyType caKeyType, X509KeyType certKeyType, char[] keyPassword) {
return ctxs.getUnchecked(new CacheKey(caKeyType, certKeyType, keyPassword));
}
}


@ -262,7 +262,7 @@ final class X509TestHelpers {
* @throws OperatorCreationException if constructing the encryptor from the given password fails.
*/
public static String pemEncodeCertAndPrivateKey(X509Certificate cert, PrivateKey privateKey,
String keyPassword) throws IOException, OperatorCreationException {
char[] keyPassword) throws IOException, OperatorCreationException {
return pemEncodeX509Certificate(cert) + "\n" + pemEncodePrivateKey(privateKey, keyPassword);
}
@ -276,16 +276,16 @@ final class X509TestHelpers {
* @throws IOException if converting the key to PEM format fails.
* @throws OperatorCreationException if constructing the encryptor from the given password fails.
*/
public static String pemEncodePrivateKey(PrivateKey key, String password)
public static String pemEncodePrivateKey(PrivateKey key, char[] password)
throws IOException, OperatorCreationException {
StringWriter stringWriter = new StringWriter();
JcaPEMWriter pemWriter = new JcaPEMWriter(stringWriter);
OutputEncryptor encryptor = null;
if (password != null && password.length() > 0) {
if (password != null) {
encryptor =
new JceOpenSSLPKCS8EncryptorBuilder(PKCSObjectIdentifiers.pbeWithSHAAnd3_KeyTripleDES_CBC)
.setProvider(BouncyCastleProvider.PROVIDER_NAME).setRandom(PRNG)
.setPasssword(password.toCharArray()).build();
.setProvider(BouncyCastleProvider.PROVIDER_NAME).setRandom(PRNG).setPasssword(password)
.build();
}
pemWriter.writeObject(new JcaPKCS8Generator(key, encryptor));
pemWriter.close();
@ -318,7 +318,7 @@ final class X509TestHelpers {
* will not be encrypted.
* @return the serialized bytes of the JKS trust store.
*/
public static byte[] certToJavaTrustStoreBytes(X509Certificate cert, String keyPassword)
public static byte[] certToJavaTrustStoreBytes(X509Certificate cert, char[] keyPassword)
throws IOException, GeneralSecurityException {
KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
return certToTrustStoreBytes(cert, keyPassword, trustStore);
@ -335,19 +335,18 @@ final class X509TestHelpers {
* will not be encrypted.
* @return the serialized bytes of the PKCS12 trust store.
*/
public static byte[] certToPKCS12TrustStoreBytes(X509Certificate cert, String keyPassword)
public static byte[] certToPKCS12TrustStoreBytes(X509Certificate cert, char[] keyPassword)
throws IOException, GeneralSecurityException {
KeyStore trustStore = KeyStore.getInstance("PKCS12");
return certToTrustStoreBytes(cert, keyPassword, trustStore);
}
private static byte[] certToTrustStoreBytes(X509Certificate cert, String keyPassword,
private static byte[] certToTrustStoreBytes(X509Certificate cert, char[] keyPassword,
KeyStore trustStore) throws IOException, GeneralSecurityException {
char[] keyPasswordChars = keyPassword == null ? new char[0] : keyPassword.toCharArray();
trustStore.load(null, keyPasswordChars);
trustStore.load(null, keyPassword);
trustStore.setCertificateEntry(cert.getSubjectDN().toString(), cert);
ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
trustStore.store(outputStream, keyPasswordChars);
trustStore.store(outputStream, keyPassword);
outputStream.flush();
byte[] result = outputStream.toByteArray();
outputStream.close();
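Review bot: Dropping the `keyPassword == null ? new char[0] : …` mapping means a null `keyPassword` now reaches `trustStore.store(outputStream, keyPassword)` directly, and the JKS implementation rejects a null store password with IllegalArgumentException, while the Javadoc above still describes null as "will not be encrypted"; the same applies to `keyStore.store` in certAndPrivateKeyToBytes further down. Keep the mapping, e.g. `char[] storePassword = keyPassword == null ? new char[0] : keyPassword;` and pass that to load/store, or tighten the Javadoc to forbid null. Also, in pemEncodePrivateKey the guard changed from `password.length() > 0` to `password != null`, so the tests' `"".toCharArray()` parameter now produces a PEM key encrypted with an empty passphrase instead of an unencrypted one; `if (password != null && password.length > 0)` preserves the previous behaviour.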
@ -366,7 +365,7 @@ final class X509TestHelpers {
* @return the serialized bytes of the JKS key store.
*/
public static byte[] certAndPrivateKeyToJavaKeyStoreBytes(X509Certificate cert,
PrivateKey privateKey, String keyPassword) throws IOException, GeneralSecurityException {
PrivateKey privateKey, char[] keyPassword) throws IOException, GeneralSecurityException {
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
return certAndPrivateKeyToBytes(cert, privateKey, keyPassword, keyStore);
}
@ -383,18 +382,17 @@ final class X509TestHelpers {
* @return the serialized bytes of the PKCS12 key store.
*/
public static byte[] certAndPrivateKeyToPKCS12Bytes(X509Certificate cert, PrivateKey privateKey,
String keyPassword) throws IOException, GeneralSecurityException {
char[] keyPassword) throws IOException, GeneralSecurityException {
KeyStore keyStore = KeyStore.getInstance("PKCS12");
return certAndPrivateKeyToBytes(cert, privateKey, keyPassword, keyStore);
}
private static byte[] certAndPrivateKeyToBytes(X509Certificate cert, PrivateKey privateKey,
String keyPassword, KeyStore keyStore) throws IOException, GeneralSecurityException {
char[] keyPasswordChars = keyPassword == null ? new char[0] : keyPassword.toCharArray();
keyStore.load(null, keyPasswordChars);
keyStore.setKeyEntry("key", privateKey, keyPasswordChars, new Certificate[] { cert });
char[] keyPassword, KeyStore keyStore) throws IOException, GeneralSecurityException {
keyStore.load(null, keyPassword);
keyStore.setKeyEntry("key", privateKey, keyPassword, new Certificate[] { cert });
ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
keyStore.store(outputStream, keyPasswordChars);
keyStore.store(outputStream, keyPassword);
outputStream.flush();
byte[] result = outputStream.toByteArray();
outputStream.close();


@ -25,7 +25,6 @@ import java.io.InterruptedIOException;
import java.net.InetSocketAddress;
import java.util.List;
import java.util.concurrent.CountDownLatch;
import javax.net.ssl.SSLException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.CellScanner;
import org.apache.hadoop.hbase.HBaseInterfaceAudience;
@ -250,7 +249,7 @@ public class NettyRpcServer extends RpcServer {
}
private void initSSL(ChannelPipeline p, boolean supportPlaintext)
throws X509Exception, SSLException {
throws X509Exception, IOException {
SslContext nettySslContext = X509Util.createSslContextForServer(conf);
if (supportPlaintext) {


@ -72,7 +72,7 @@ public abstract class AbstractTestTlsRejectPlainText {
public X509KeyType certKeyType;
@Parameterized.Parameter(2)
public String keyPassword;
public char[] keyPassword;
private X509TestContext x509TestContext;
@ -85,7 +85,7 @@ public abstract class AbstractTestTlsRejectPlainText {
List<Object[]> params = new ArrayList<>();
for (X509KeyType caKeyType : X509KeyType.values()) {
for (X509KeyType certKeyType : X509KeyType.values()) {
for (String keyPassword : new String[] { "", "pa$$w0rd" }) {
for (char[] keyPassword : new char[][] { "".toCharArray(), "pa$$w0rd".toCharArray() }) {
params.add(new Object[] { caKeyType, certKeyType, keyPassword });
}
}


@ -83,7 +83,7 @@ public class TestNettyTlsIPC extends AbstractTestIPC {
public X509KeyType certKeyType;
@Parameterized.Parameter(2)
public String keyPassword;
public char[] keyPassword;
@Parameterized.Parameter(3)
public boolean acceptPlainText;
@ -100,7 +100,7 @@ public class TestNettyTlsIPC extends AbstractTestIPC {
List<Object[]> params = new ArrayList<>();
for (X509KeyType caKeyType : X509KeyType.values()) {
for (X509KeyType certKeyType : X509KeyType.values()) {
for (String keyPassword : new String[] { "", "pa$$w0rd" }) {
for (char[] keyPassword : new char[][] { "".toCharArray(), "pa$$w0rd".toCharArray() }) {
// do not accept plain text
params.add(new Object[] { caKeyType, certKeyType, keyPassword, false, true });
// support plain text and client enables tls


@ -64,7 +64,7 @@ public class TestSaslTlsIPC extends AbstractTestSecureIPC {
public X509KeyType certKeyType;
@Parameterized.Parameter(2)
public String keyPassword;
public char[] keyPassword;
@Parameterized.Parameter(3)
public boolean acceptPlainText;
@ -81,7 +81,7 @@ public class TestSaslTlsIPC extends AbstractTestSecureIPC {
List<Object[]> params = new ArrayList<>();
for (X509KeyType caKeyType : X509KeyType.values()) {
for (X509KeyType certKeyType : X509KeyType.values()) {
for (String keyPassword : new String[] { "", "pa$$w0rd" }) {
for (char[] keyPassword : new char[][] { "".toCharArray(), "pa$$w0rd".toCharArray() }) {
// do not accept plain text
params.add(new Object[] { caKeyType, certKeyType, keyPassword, false, true });
// support plain text and client enables tls