From 86729e130fb563d87917850a41bff3b0a886246f Mon Sep 17 00:00:00 2001 From: Xiaoyu Yao Date: Tue, 18 May 2021 10:11:36 -0700 Subject: [PATCH] HADOOP-17699. Remove hardcoded SunX509 usage from SSLFactory. (#3016) --- .../security/ssl/FileBasedKeyStoresFactory.java | 4 ++-- .../ssl/ReloadingX509KeystoreManager.java | 2 +- .../security/ssl/ReloadingX509TrustManager.java | 4 ++-- .../apache/hadoop/security/ssl/SSLFactory.java | 12 ++++++++++-- .../hadoop/security/ssl/TestSSLFactory.java | 16 ++++++++++++++++ 5 files changed, 31 insertions(+), 7 deletions(-) diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/FileBasedKeyStoresFactory.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/FileBasedKeyStoresFactory.java index 236d881581..ddaa972c07 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/FileBasedKeyStoresFactory.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/FileBasedKeyStoresFactory.java @@ -273,8 +273,8 @@ public void init(SSLFactory.Mode mode) } else { KeyStore keystore = KeyStore.getInstance(keystoreType); keystore.load(null, null); - KeyManagerFactory keyMgrFactory = KeyManagerFactory - .getInstance(SSLFactory.SSLCERTIFICATE); + KeyManagerFactory keyMgrFactory = KeyManagerFactory.getInstance( + SSLFactory.KEY_MANAGER_SSLCERTIFICATE); keyMgrFactory.init(keystore, null); keyManagers = keyMgrFactory.getKeyManagers(); diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/ReloadingX509KeystoreManager.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/ReloadingX509KeystoreManager.java index 72e8b6b63b..216d949de1 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/ReloadingX509KeystoreManager.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/ReloadingX509KeystoreManager.java @@ -143,7 +143,7 @@ private X509ExtendedKeyManager loadKeyManager(Path path) LOG.debug(" Loaded KeyStore: " + path.toFile().getAbsolutePath()); KeyManagerFactory keyMgrFactory = KeyManagerFactory.getInstance( - SSLFactory.SSLCERTIFICATE); + SSLFactory.KEY_MANAGER_SSLCERTIFICATE); keyMgrFactory.init(keystore, (keyPassword != null) ? keyPassword.toCharArray() : null); for (KeyManager candidate: keyMgrFactory.getKeyManagers()) { diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/ReloadingX509TrustManager.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/ReloadingX509TrustManager.java index 68fd4c1610..5ae966f2c5 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/ReloadingX509TrustManager.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/ReloadingX509TrustManager.java @@ -136,8 +136,8 @@ X509TrustManager loadTrustManager(Path path) in.close(); } - TrustManagerFactory trustManagerFactory = - TrustManagerFactory.getInstance(SSLFactory.SSLCERTIFICATE); + TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance( + SSLFactory.TRUST_MANAGER_SSLCERTIFICATE); trustManagerFactory.init(ks); TrustManager[] trustManagers = trustManagerFactory.getTrustManagers(); for (TrustManager trustManager1 : trustManagers) { diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLFactory.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLFactory.java index d168a317df..fe3233d848 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLFactory.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLFactory.java @@ -25,14 +25,16 @@ import org.apache.hadoop.util.StringUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import static org.apache.hadoop.util.PlatformName.IBM_JAVA; +import static org.apache.hadoop.util.PlatformName.JAVA_VENDOR_NAME; import javax.net.ssl.HostnameVerifier; import javax.net.ssl.HttpsURLConnection; +import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLServerSocketFactory; import javax.net.ssl.SSLSocketFactory; +import javax.net.ssl.TrustManagerFactory; import java.io.IOException; import java.net.HttpURLConnection; import java.security.GeneralSecurityException; @@ -99,7 +101,13 @@ public enum Mode { CLIENT, SERVER } public static final String SSL_SERVER_EXCLUDE_CIPHER_LIST = "ssl.server.exclude.cipher.list"; - public static final String SSLCERTIFICATE = IBM_JAVA?"ibmX509":"SunX509"; + public static final String KEY_MANAGER_SSLCERTIFICATE = + JAVA_VENDOR_NAME.contains("IBM") ? "ibmX509" : + KeyManagerFactory.getDefaultAlgorithm(); + + public static final String TRUST_MANAGER_SSLCERTIFICATE = + JAVA_VENDOR_NAME.contains("IBM") ? "ibmX509" : + TrustManagerFactory.getDefaultAlgorithm(); public static final String KEYSTORES_FACTORY_CLASS_KEY = "hadoop.ssl.keystores.factory.class"; diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/TestSSLFactory.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/TestSSLFactory.java index 4e5a6fbd7e..ece6a05ef5 100644 --- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/TestSSLFactory.java +++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/TestSSLFactory.java @@ -17,6 +17,8 @@ */ package org.apache.hadoop.security.ssl; +import static java.security.Security.getProperty; +import static java.security.Security.setProperty; import static org.apache.hadoop.security.ssl.FileBasedKeyStoresFactory.SSL_TRUSTSTORE_LOCATION_TPL_KEY; import static org.apache.hadoop.security.ssl.KeyStoreTestUtil.TRUST_STORE_PASSWORD_DEFAULT; import static org.apache.hadoop.security.ssl.SSLFactory.Mode.CLIENT; @@ -367,6 +369,20 @@ public void invalidHostnameVerifier() throws Exception { } } + @Test + public void testDifferentAlgorithm() throws Exception { + Configuration conf = createConfiguration(false, true); + String currAlg = getProperty("ssl.KeyManagerFactory.algorithm"); + setProperty("ssl.KeyManagerFactory.algorithm", "PKIX"); + SSLFactory sslFactory = new SSLFactory(SSLFactory.Mode.CLIENT, conf); + try { + sslFactory.init(); + } finally { + sslFactory.destroy(); + setProperty("ssl.KeyManagerFactory.algorithm", currAlg); + } + } + @Test public void testConnectionConfigurator() throws Exception { Configuration conf = createConfiguration(false, true);