SOLR-9068 / SOLR-5776: replace NullSecureRandom w/ NotSecurePsuedoRandom

This commit is contained in:
Chris Hostetter 2016-05-06 22:46:10 -07:00
parent a5586d29b2
commit ac0e73a521
1 changed files with 25 additions and 67 deletions

View File

@ -44,8 +44,6 @@ import org.apache.solr.client.solrj.impl.HttpClientUtil;
import org.apache.solr.client.solrj.impl.HttpClientUtil.SchemaRegistryProvider;
import org.apache.solr.client.solrj.impl.SolrHttpClientBuilder;
import org.apache.lucene.util.Constants;
import org.eclipse.jetty.util.resource.Resource;
import org.eclipse.jetty.util.security.CertificateUtils;
import org.eclipse.jetty.util.ssl.SslContextFactory;
@ -101,7 +99,7 @@ public class SSLTestConfig extends SSLConfig {
assert isSSLMode();
SSLContextBuilder builder = SSLContexts.custom();
builder.setSecureRandom(NullSecureRandom.INSTANCE);
builder.setSecureRandom(NotSecurePsuedoRandom.INSTANCE);
// NOTE: KeyStore & TrustStore are swapped because they are from configured from server perspective...
// we are a client - our keystore contains the keys the server trusts, and vice versa
@ -130,7 +128,7 @@ public class SSLTestConfig extends SSLConfig {
assert isSSLMode();
SSLContextBuilder builder = SSLContexts.custom();
builder.setSecureRandom(NullSecureRandom.INSTANCE);
builder.setSecureRandom(NotSecurePsuedoRandom.INSTANCE);
builder.loadKeyMaterial(buildKeyStore(getKeyStore(), getKeyStorePassword()), getKeyStorePassword().toCharArray());
@ -263,93 +261,53 @@ public class SSLTestConfig extends SSLConfig {
}
/**
* A mocked up instance of SecureRandom that always does the minimal amount of work to generate
* "random" numbers. This is to prevent blocking issues that arise in platform default
* A mocked up instance of SecureRandom that just uses {@link Random} under the covers.
* This is to prevent blocking issues that arise in platform default
* SecureRandom instances due to too many instances / not enough random entropy.
* Tests do not need secure SSL.
*/
private static class NullSecureRandom extends SecureRandom {
/**
* The one and only instance that should be used, specific impl may vary based on platform
* @see Constants#SUN_OS
* @see <a href="https://issues.apache.org/jira/browse/SOLR-9068">SOLR-9068</a>
*/
public static final SecureRandom INSTANCE = Constants.SUN_OS
? new NullSecureRandom(NullSecureRandomSpi.PSUEDO_RAND_INSTANCE)
: new NullSecureRandom(NullSecureRandomSpi.NULL_INSTANCE);
/** A source of psuedo random data if needed */
private static class NotSecurePsuedoRandom extends SecureRandom {
public static final SecureRandom INSTANCE = new NotSecurePsuedoRandom();
private static final Random RAND = new Random(42);
/** SPI base class for all NullSecureRandom instances */
private static class NullSecureRandomSpi extends SecureRandomSpi {
private NullSecureRandomSpi() {
/* NOOP */
}
/**
* Helper method that can be used to fill an array with non-zero data.
* Default impl is No-Op
*/
public byte[] fillData(byte[] data) {
return data; /* NOOP */
}
/**
* Helper method that can be used to fill an array with non-zero data.
* (Attempted workarround of Solaris SSL Padding bug: SOLR-9068)
*/
private static final byte[] fillData(byte[] data) {
RAND.nextBytes(data);
return data;
}
/** SPI Used to init all instances */
private static final SecureRandomSpi NOT_SECURE_SPI = new SecureRandomSpi() {
/** returns a new byte[] filled with static data */
@Override
public byte[] engineGenerateSeed(int numBytes) {
return fillData(new byte[numBytes]);
}
/** fills the byte[] with static data */
@Override
public void engineNextBytes(byte[] bytes) {
fillData(bytes);
}
/** NOOP */
@Override
public void engineSetSeed(byte[] seed) { /* NOOP */ }
};
/** Instance to use on platforms w/SSLEngines that work fine when SecureRandom returns constant bytes */
public static final NullSecureRandomSpi NULL_INSTANCE = new NullSecureRandomSpi();
/**
* Instance to use on platforms that need at least psuedo-random data for the SSLEngine to not break
* (Attempted workarround of Solaris SSL Padding bug: SOLR-9068)
*/
public static final NullSecureRandomSpi PSUEDO_RAND_INSTANCE = new NullSecureRandomSpi() {
/**
* Fill with Psuedo-Random data.
* (Attempted workarround of Solaris SSL Padding bug: SOLR-9068)
*/
@Override
public byte[] fillData(byte[] data) {
RAND.nextBytes(data);
return data;
}
};
private NotSecurePsuedoRandom() {
super(NOT_SECURE_SPI, null) ;
}
private NullSecureRandom(NullSecureRandomSpi spi) {
super(spi, null);
this.spi = spi;
}
private NullSecureRandomSpi spi;
/** fills a new byte[] with data from SPI */
@Override
/** returns a new byte[] filled with static data */
public byte[] generateSeed(int numBytes) {
return spi.fillData(new byte[numBytes]);
return fillData(new byte[numBytes]);
}
/** fills the byte[] with data from SPI */
@Override
/** fills the byte[] with static data */
synchronized public void nextBytes(byte[] bytes) {
spi.fillData(bytes);
fillData(bytes);
}
/** NOOP */
@Override
synchronized public void setSeed(byte[] seed) { /* NOOP */ }
/** NOOP */
@Override
synchronized public void setSeed(long seed) { /* NOOP */ }
}