HADOOP-17699. Remove hardcoded SunX509 usage from SSLFactory. (#3016)

Xiaoyu Yao 2021-05-18 10:11:36 -07:00 committed by GitHub
parent 110cda3de6
commit 86729e130f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 31 additions and 7 deletions


@ -273,8 +273,8 @@ public void init(SSLFactory.Mode mode)
} else { } else {
KeyStore keystore = KeyStore.getInstance(keystoreType); KeyStore keystore = KeyStore.getInstance(keystoreType);
keystore.load(null, null); keystore.load(null, null);
KeyManagerFactory keyMgrFactory = KeyManagerFactory KeyManagerFactory keyMgrFactory = KeyManagerFactory.getInstance(
.getInstance(SSLFactory.SSLCERTIFICATE); SSLFactory.KEY_MANAGER_SSLCERTIFICATE);
keyMgrFactory.init(keystore, null); keyMgrFactory.init(keystore, null);
keyManagers = keyMgrFactory.getKeyManagers(); keyManagers = keyMgrFactory.getKeyManagers();
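Review bot: The no-keystore branch on lines L15-L20 builds a KeyManager from an empty in-memory store (`keystore.load(null, null)`) and now also picks up the JVM-default factory algorithm, but nothing explains why an identity-less key manager is acceptable here; I'd add a comment above the `KeyStore.getInstance` line such as `// No keystore configured: build a KeyManager with no identities (presumably the client-mode case where only the truststore matters).` With the algorithm now environment-dependent, a `NoSuchAlgorithmException` from `getInstance` on line L17 would surface from this branch with no hint of which property selected the algorithm, so a short note naming `ssl.KeyManagerFactory.algorithm` would help operators. The enclosing `init(SSLFactory.Mode)` starts and ends outside the hunk.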


@ -143,7 +143,7 @@ private X509ExtendedKeyManager loadKeyManager(Path path)
LOG.debug(" Loaded KeyStore: " + path.toFile().getAbsolutePath()); LOG.debug(" Loaded KeyStore: " + path.toFile().getAbsolutePath());
KeyManagerFactory keyMgrFactory = KeyManagerFactory.getInstance( KeyManagerFactory keyMgrFactory = KeyManagerFactory.getInstance(
SSLFactory.SSLCERTIFICATE); SSLFactory.KEY_MANAGER_SSLCERTIFICATE);
keyMgrFactory.init(keystore, keyMgrFactory.init(keystore,
(keyPassword != null) ? keyPassword.toCharArray() : null); (keyPassword != null) ? keyPassword.toCharArray() : null);
for (KeyManager candidate: keyMgrFactory.getKeyManagers()) { for (KeyManager candidate: keyMgrFactory.getKeyManagers()) {
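Review bot: The debug line on L25 records only the keystore path, which is no longer enough to diagnose a failing `getInstance` on L26-L27 or an empty selection in the loop on L30 now that the factory algorithm comes from the JVM default rather than a fixed `SunX509`. I'd log the algorithm alongside the path and use the parameterized form at the same time: `LOG.debug("Loaded KeyStore: {} (KeyManagerFactory algorithm {})", path.toFile().getAbsolutePath(), SSLFactory.KEY_MANAGER_SSLCERTIFICATE);`. `loadKeyManager` starts before the hunk and its loop body continues past it.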


@ -136,8 +136,8 @@ X509TrustManager loadTrustManager(Path path)
in.close(); in.close();
} }
TrustManagerFactory trustManagerFactory = TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(
TrustManagerFactory.getInstance(SSLFactory.SSLCERTIFICATE); SSLFactory.TRUST_MANAGER_SSLCERTIFICATE);
trustManagerFactory.init(ks); trustManagerFactory.init(ks);
TrustManager[] trustManagers = trustManagerFactory.getTrustManagers(); TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
for (TrustManager trustManager1 : trustManagers) { for (TrustManager trustManager1 : trustManagers) {
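Review bot: The change on L37-L38 is a behavioral change to certificate validation, not only a portability fix, and the code does not say so: on the OpenJDK builds I know, `TrustManagerFactory.getDefaultAlgorithm()` resolves to PKIX, whose X509TrustManager performs full certification-path validation (path building, and revocation checks when enabled) rather than the simpler trust-anchor check done by `SunX509`, so a chain that was accepted before may now be rejected. Because the algorithm is now read from the `ssl.TrustManagerFactory.algorithm` security property, an operator can also swap the implementation without a code change, which is worth stating explicitly. I'd add above the call: `// Algorithm is the JVM default (PKIX on OpenJDK) resolved once in SSLFactory; chains that passed the old SunX509 check may now fail PKIX path validation.` `loadTrustManager` starts outside the hunk and its loop continues past it.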


@ -25,14 +25,16 @@
import org.apache.hadoop.util.StringUtils; import org.apache.hadoop.util.StringUtils;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
import static org.apache.hadoop.util.PlatformName.IBM_JAVA; import static org.apache.hadoop.util.PlatformName.JAVA_VENDOR_NAME;
import javax.net.ssl.HostnameVerifier; import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection; import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext; import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLServerSocketFactory; import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocketFactory; import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import java.io.IOException; import java.io.IOException;
import java.net.HttpURLConnection; import java.net.HttpURLConnection;
import java.security.GeneralSecurityException; import java.security.GeneralSecurityException;
@ -99,7 +101,13 @@ public enum Mode { CLIENT, SERVER }
public static final String SSL_SERVER_EXCLUDE_CIPHER_LIST = public static final String SSL_SERVER_EXCLUDE_CIPHER_LIST =
"ssl.server.exclude.cipher.list"; "ssl.server.exclude.cipher.list";
public static final String SSLCERTIFICATE = IBM_JAVA?"ibmX509":"SunX509"; public static final String KEY_MANAGER_SSLCERTIFICATE =
JAVA_VENDOR_NAME.contains("IBM") ? "ibmX509" :
KeyManagerFactory.getDefaultAlgorithm();
public static final String TRUST_MANAGER_SSLCERTIFICATE =
JAVA_VENDOR_NAME.contains("IBM") ? "ibmX509" :
TrustManagerFactory.getDefaultAlgorithm();
public static final String KEYSTORES_FACTORY_CLASS_KEY = public static final String KEYSTORES_FACTORY_CLASS_KEY =
"hadoop.ssl.keystores.factory.class"; "hadoop.ssl.keystores.factory.class";
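Review bot: Dropping the public constant `SSLFactory.SSLCERTIFICATE` (old L64) is a source- and binary-incompatible change for downstream code that referenced it, and the two replacements on L64-L69 carry no Javadoc. I'd keep a compatibility alias, `@Deprecated public static final String SSLCERTIFICATE = KEY_MANAGER_SSLCERTIFICATE;`, and document each new constant with a short Javadoc saying that on non-IBM JVMs it is the value of `KeyManagerFactory.getDefaultAlgorithm()` / `TrustManagerFactory.getDefaultAlgorithm()`, i.e. the `ssl.KeyManagerFactory.algorithm` / `ssl.TrustManagerFactory.algorithm` security property. The Javadoc should also warn that, being `static final`, both values are fixed when `SSLFactory` is initialized, so changing those security properties afterwards (for example with `Security.setProperty` in a test that runs after the class has loaded) has no effect on this class; if that is not the intended contract, a static accessor that calls `getDefaultAlgorithm()` at use time would be the alternative. The vendor check also loosened from `IBM_JAVA` to `JAVA_VENDOR_NAME.contains("IBM")`; if that is deliberate, a one-line comment on why `ibmX509` is still hard-coded for those JVMs instead of their own default would help.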


@ -17,6 +17,8 @@
*/ */
package org.apache.hadoop.security.ssl; package org.apache.hadoop.security.ssl;
import static java.security.Security.getProperty;
import static java.security.Security.setProperty;
import static org.apache.hadoop.security.ssl.FileBasedKeyStoresFactory.SSL_TRUSTSTORE_LOCATION_TPL_KEY; import static org.apache.hadoop.security.ssl.FileBasedKeyStoresFactory.SSL_TRUSTSTORE_LOCATION_TPL_KEY;
import static org.apache.hadoop.security.ssl.KeyStoreTestUtil.TRUST_STORE_PASSWORD_DEFAULT; import static org.apache.hadoop.security.ssl.KeyStoreTestUtil.TRUST_STORE_PASSWORD_DEFAULT;
import static org.apache.hadoop.security.ssl.SSLFactory.Mode.CLIENT; import static org.apache.hadoop.security.ssl.SSLFactory.Mode.CLIENT;
@ -367,6 +369,20 @@ public void invalidHostnameVerifier() throws Exception {
} }
} }
@Test
public void testDifferentAlgorithm() throws Exception {
Configuration conf = createConfiguration(false, true);
String currAlg = getProperty("ssl.KeyManagerFactory.algorithm");
setProperty("ssl.KeyManagerFactory.algorithm", "PKIX");
SSLFactory sslFactory = new SSLFactory(SSLFactory.Mode.CLIENT, conf);
try {
sslFactory.init();
} finally {
sslFactory.destroy();
setProperty("ssl.KeyManagerFactory.algorithm", currAlg);
}
}
@Test @Test
public void testConnectionConfigurator() throws Exception { public void testConnectionConfigurator() throws Exception {
Configuration conf = createConfiguration(false, true); Configuration conf = createConfiguration(false, true);