HADOOP-13864. KMS should not require truststore password. Contributed by Mike Yoder.

Xiao Chen 2016-12-05 12:19:26 -08:00
parent f3b8ff54ab
commit a2b5d60220
3 changed files with 23 additions and 3 deletions


@ -202,8 +202,10 @@ public void init(SSLFactory.Mode mode)
SSL_TRUSTSTORE_PASSWORD_TPL_KEY);
String truststorePassword = getPassword(conf, passwordProperty, "");
if (truststorePassword.isEmpty()) {
throw new GeneralSecurityException("The property '" + passwordProperty +
"' has not been set in the ssl configuration file.");
// An empty trust store password is legal; the trust store password
// is only required when writing to a trust store. Otherwise it's
// an optional integrity check.
truststorePassword = null;
}
long truststoreReloadInterval =
conf.getLong(
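Review bot: Mapping an empty password to `null` here means `KeyStore.load()` will skip the integrity check, as the new comment states, so a tampered or truncated truststore is only noticed if it fails to parse; the comment should spell out that consequence so operators know the file's permissions are the remaining protection when no password is configured. Consider extending it with `// With a null password KeyStore.load() skips the integrity check; file permissions are then the only tamper protection.` The default `""` passed to `getPassword` is immediately turned into `null`, so if `getPassword` tolerates a `null` default the branch could be dropped in favour of passing `null` directly, with the comment kept. `init` continues outside the hunk.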


@ -167,7 +167,7 @@ X509TrustManager loadTrustManager()
KeyStore ks = KeyStore.getInstance(type);
FileInputStream in = new FileInputStream(file);
try {
ks.load(in, password.toCharArray());
ks.load(in, (password == null) ? null : password.toCharArray());
lastLoaded = file.lastModified();
LOG.debug("Loaded truststore '" + file + "'");
} finally {
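Review bot: The `password` field may now be `null` (the new test constructs `ReloadingX509TrustManager` with `null`), but nothing in this hunk documents that contract for callers; the constructor's Javadoc should say `@param password the truststore password, or {@code null} to load without the keystore integrity check`. The ternary on the changed line is the right shape, since passing `null` to `KeyStore.load` is the documented way to request no integrity check, and any non-null password is still verified. `loadTrustManager` starts and ends outside the hunk.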


@ -199,4 +199,22 @@ public Boolean get() {
}, reloadInterval, 10 * 1000);
}
/** No password when accessing a trust store is legal. */
@Test
public void testNoPassword() throws Exception {
KeyPair kp = generateKeyPair("RSA");
cert1 = generateCertificate("CN=Cert1", kp, 30, "SHA1withRSA");
cert2 = generateCertificate("CN=Cert2", kp, 30, "SHA1withRSA");
String truststoreLocation = BASEDIR + "/testreload.jks";
createTrustStore(truststoreLocation, "password", "cert1", cert1);
final ReloadingX509TrustManager tm =
new ReloadingX509TrustManager("jks", truststoreLocation, null, 10);
try {
tm.init();
assertEquals(1, tm.getAcceptedIssuers().length);
} finally {
tm.destroy();
}
}
}
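Review bot: `cert2` is generated on the third line of `testNoPassword` but never used; only `cert1` goes into the store, so either drop the `cert2` assignment or add it to the store and assert two accepted issuers. The test covers only the null-password happy path; a companion case asserting that a wrong non-null password still makes `init()` fail would pin that this change does not weaken password checking. The store path `BASEDIR + "/testreload.jks"` appears to be shared with the reload tests, so concurrently running cases could collide on the file — a distinct name such as `testnopassword.jks` avoids that. The enclosing test class closes on the last line of the hunk but starts outside it.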