HADOOP-13864. KMS should not require truststore password. Contributed by Mike Yoder.
This commit is contained in:
parent
f3b8ff54ab
commit
a2b5d60220
@ -202,8 +202,10 @@ public void init(SSLFactory.Mode mode)
|
||||
SSL_TRUSTSTORE_PASSWORD_TPL_KEY);
|
||||
String truststorePassword = getPassword(conf, passwordProperty, "");
|
||||
if (truststorePassword.isEmpty()) {
|
||||
throw new GeneralSecurityException("The property '" + passwordProperty +
|
||||
"' has not been set in the ssl configuration file.");
|
||||
// An empty trust store password is legal; the trust store password
|
||||
// is only required when writing to a trust store. Otherwise it's
|
||||
// an optional integrity check.
|
||||
truststorePassword = null;
|
||||
}
|
||||
long truststoreReloadInterval =
|
||||
conf.getLong(
|
||||
|
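Review bot: The new `if (truststorePassword.isEmpty())` branch turns an unset or empty `passwordProperty` into a null password silently, so a deployment that meant to configure a truststore password (for example under a misspelled property name) now loads the store with its integrity check disabled instead of failing as before. A log line at the point of the `truststorePassword = null;` assignment would make that downgrade visible to operators, e.g. `LOG.debug("Truststore password not set; loading '" + passwordProperty + "' store without integrity check");`, assuming this class has a logger like the one used in ReloadingX509TrustManager. The comment added above the assignment is accurate for `KeyStore.load`, but it could also say that file permissions on the truststore become the only protection against tampering in that mode. The enclosing `init(SSLFactory.Mode)` starts before this hunk and continues after it.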
@ -167,7 +167,7 @@ X509TrustManager loadTrustManager()
|
||||
KeyStore ks = KeyStore.getInstance(type);
|
||||
FileInputStream in = new FileInputStream(file);
|
||||
try {
|
||||
ks.load(in, password.toCharArray());
|
||||
ks.load(in, (password == null) ? null : password.toCharArray());
|
||||
lastLoaded = file.lastModified();
|
||||
LOG.debug("Loaded truststore '" + file + "'");
|
||||
} finally {
|
||||
|
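Review bot: The null contract accepted on the rewritten `ks.load(in, (password == null) ? null : password.toCharArray());` line is not documented where callers see it: `password` arrives from the constructor, which is outside this hunk, and nothing states that null means the truststore is loaded without verifying its integrity, so a modified file would be picked up silently on the periodic reload driven by `lastModified`. Suggest a Javadoc line on the constructor's password parameter, e.g. `@param password truststore password, or null to load the store without its integrity check`, and the same sentence on the field if it carries Javadoc. `loadTrustManager()` starts and ends outside this hunk.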
@ -199,4 +199,22 @@ public Boolean get() {
|
||||
}, reloadInterval, 10 * 1000);
|
||||
}
|
||||
|
||||
/** No password when accessing a trust store is legal. */
|
||||
@Test
|
||||
public void testNoPassword() throws Exception {
|
||||
KeyPair kp = generateKeyPair("RSA");
|
||||
cert1 = generateCertificate("CN=Cert1", kp, 30, "SHA1withRSA");
|
||||
cert2 = generateCertificate("CN=Cert2", kp, 30, "SHA1withRSA");
|
||||
String truststoreLocation = BASEDIR + "/testreload.jks";
|
||||
createTrustStore(truststoreLocation, "password", "cert1", cert1);
|
||||
|
||||
final ReloadingX509TrustManager tm =
|
||||
new ReloadingX509TrustManager("jks", truststoreLocation, null, 10);
|
||||
try {
|
||||
tm.init();
|
||||
assertEquals(1, tm.getAcceptedIssuers().length);
|
||||
} finally {
|
||||
tm.destroy();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
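Review bot: `cert2` is generated on the line after `cert1` in `testNoPassword` but is never used in the test, so that line can be dropped (or the certificate added to the store if a second accepted issuer was intended). The test only covers the happy path; a companion case that constructs the manager with a non-null, wrong password against the same store and expects `init()` to fail would pin down that null is the only input that bypasses the integrity check, and the exact exception type should be taken from the constructor or `init()` contract rather than guessed. The test also writes to `BASEDIR + "/testreload.jks"`, a name that looks shared with another test in this class, which is worth a distinct file name if the tests ever run concurrently.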