HADOOP-10658. SSLFactory expects truststores being configured. Contributed by Alejandro Abdelnur.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1599435 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Aaron Myers 2014-06-03 07:23:16 +00:00
parent ad5d0d7167
commit 0634b42366
4 changed files with 103 additions and 65 deletions

View File

@ -531,6 +531,8 @@ Release 2.5.0 - UNRELEASED
HADOOP-10630. Possible race condition in RetryInvocationHandler. (jing9)
HADOOP-10658. SSLFactory expects truststores being configured. (tucu via atm)
Release 2.4.1 - UNRELEASED
INCOMPATIBLE CHANGES

View File

@ -188,11 +188,7 @@ public void init(SSLFactory.Mode mode)
String locationProperty =
resolvePropertyName(mode, SSL_TRUSTSTORE_LOCATION_TPL_KEY);
String truststoreLocation = conf.get(locationProperty, "");
if (truststoreLocation.isEmpty()) {
throw new GeneralSecurityException("The property '" + locationProperty +
"' has not been set in the ssl configuration file.");
}
if (!truststoreLocation.isEmpty()) {
String passwordProperty = resolvePropertyName(mode,
SSL_TRUSTSTORE_PASSWORD_TPL_KEY);
String truststorePassword = conf.get(passwordProperty, "");
@ -213,8 +209,12 @@ public void init(SSLFactory.Mode mode)
truststoreReloadInterval);
trustManager.init();
LOG.debug(mode.toString() + " Loaded TrustStore: " + truststoreLocation);
trustManagers = new TrustManager[]{trustManager};
} else {
LOG.warn("The property '" + locationProperty + "' has not been set, " +
"no TrustStore will be loaded");
trustManagers = null;
}
}
/**

View File

@ -214,13 +214,33 @@ public static void cleanupSSLConfig(String keystoresDir, String sslConfDir)
* SSL handshake
*/
public static void setupSSLConfig(String keystoresDir, String sslConfDir,
Configuration conf, boolean useClientCert)
Configuration conf, boolean useClientCert) throws Exception {
setupSSLConfig(keystoresDir, sslConfDir, conf, useClientCert, true);
}
/**
* Performs complete setup of SSL configuration in preparation for testing an
* SSLFactory. This includes keys, certs, keystores, truststores, the server
* SSL configuration file, the client SSL configuration file, and the master
* configuration file read by the SSLFactory.
*
* @param keystoresDir String directory to save keystores
* @param sslConfDir String directory to save SSL configuration files
* @param conf Configuration master configuration to be used by an SSLFactory,
* which will be mutated by this method
* @param useClientCert boolean true to make the client present a cert in the
* SSL handshake
* @param trustStore boolean true to create truststore, false not to create it
*/
public static void setupSSLConfig(String keystoresDir, String sslConfDir,
Configuration conf, boolean useClientCert,
boolean trustStore)
throws Exception {
String clientKS = keystoresDir + "/clientKS.jks";
String clientPassword = "clientP";
String serverKS = keystoresDir + "/serverKS.jks";
String serverPassword = "serverP";
String trustKS = keystoresDir + "/trustKS.jks";
String trustKS = null;
String trustPassword = "trustP";
File sslClientConfFile = new File(sslConfDir + "/ssl-client.xml");
@ -246,7 +266,10 @@ public static void setupSSLConfig(String keystoresDir, String sslConfDir,
sKP.getPrivate(), sCert);
certs.put("server", sCert);
if (trustStore) {
trustKS = keystoresDir + "/trustKS.jks";
KeyStoreTestUtil.createTrustStore(trustKS, trustPassword, certs);
}
Configuration clientSSLConf = createClientSSLConfig(clientKS, clientPassword,
clientPassword, trustKS);

View File

@ -50,11 +50,12 @@ public static void setUp() throws Exception {
base.mkdirs();
}
private Configuration createConfiguration(boolean clientCert)
private Configuration createConfiguration(boolean clientCert,
boolean trustStore)
throws Exception {
Configuration conf = new Configuration();
KeyStoreTestUtil.setupSSLConfig(KEYSTORES_DIR, sslConfsDir, conf,
clientCert);
clientCert, trustStore);
return conf;
}
@ -67,7 +68,7 @@ public void cleanUp() throws Exception {
@Test(expected = IllegalStateException.class)
public void clientMode() throws Exception {
Configuration conf = createConfiguration(false);
Configuration conf = createConfiguration(false, true);
SSLFactory sslFactory = new SSLFactory(SSLFactory.Mode.CLIENT, conf);
try {
sslFactory.init();
@ -80,7 +81,7 @@ public void clientMode() throws Exception {
}
private void serverMode(boolean clientCert, boolean socket) throws Exception {
Configuration conf = createConfiguration(clientCert);
Configuration conf = createConfiguration(clientCert, true);
SSLFactory sslFactory = new SSLFactory(SSLFactory.Mode.SERVER, conf);
try {
sslFactory.init();
@ -119,7 +120,7 @@ public void serverModeWithClientCertsVerifier() throws Exception {
@Test
public void validHostnameVerifier() throws Exception {
Configuration conf = createConfiguration(false);
Configuration conf = createConfiguration(false, true);
conf.unset(SSLFactory.SSL_HOSTNAME_VERIFIER_KEY);
SSLFactory sslFactory = new
SSLFactory(SSLFactory.Mode.CLIENT, conf);
@ -157,7 +158,7 @@ public void validHostnameVerifier() throws Exception {
@Test(expected = GeneralSecurityException.class)
public void invalidHostnameVerifier() throws Exception {
Configuration conf = createConfiguration(false);
Configuration conf = createConfiguration(false, true);
conf.set(SSLFactory.SSL_HOSTNAME_VERIFIER_KEY, "foo");
SSLFactory sslFactory = new SSLFactory(SSLFactory.Mode.CLIENT, conf);
try {
@ -169,7 +170,7 @@ public void invalidHostnameVerifier() throws Exception {
@Test
public void testConnectionConfigurator() throws Exception {
Configuration conf = createConfiguration(false);
Configuration conf = createConfiguration(false, true);
conf.set(SSLFactory.SSL_HOSTNAME_VERIFIER_KEY, "STRICT_IE6");
SSLFactory sslFactory = new SSLFactory(SSLFactory.Mode.CLIENT, conf);
try {
@ -275,7 +276,7 @@ private void checkSSLFactoryInitWithPasswords(SSLFactory.Mode mode,
@Test
public void testNoClientCertsInitialization() throws Exception {
Configuration conf = createConfiguration(false);
Configuration conf = createConfiguration(false, true);
conf.unset(SSLFactory.SSL_REQUIRE_CLIENT_CERT_KEY);
SSLFactory sslFactory = new SSLFactory(SSLFactory.Mode.CLIENT, conf);
try {
@ -285,4 +286,16 @@ public void testNoClientCertsInitialization() throws Exception {
}
}
@Test
public void testNoTrustStore() throws Exception {
Configuration conf = createConfiguration(false, false);
conf.unset(SSLFactory.SSL_REQUIRE_CLIENT_CERT_KEY);
SSLFactory sslFactory = new SSLFactory(SSLFactory.Mode.SERVER, conf);
try {
sslFactory.init();
} finally {
sslFactory.destroy();
}
}
}