From a7fccc1122364f97c0bda86cda46978aedb66272 Mon Sep 17 00:00:00 2001 From: Hanisha Koneru Date: Tue, 7 Jan 2020 15:46:14 -0800 Subject: [PATCH] HADOOP-16727. KMS Jetty server does not startup if trust store password is null. --- .../org/apache/hadoop/http/HttpServer2.java | 12 +- .../apache/hadoop/http/TestSSLHttpServer.java | 27 +- .../hadoop/http/TestSSLHttpServerConfigs.java | 266 ++++++++++++++++++ .../hadoop/security/ssl/KeyStoreTestUtil.java | 113 +++++--- .../hadoop/security/ssl/TestSSLFactory.java | 7 +- 5 files changed, 366 insertions(+), 59 deletions(-) create mode 100644 hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestSSLHttpServerConfigs.java diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java index 13c4ce11a7..3fd74f0e89 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java @@ -545,16 +545,22 @@ private ServerConnector createHttpsChannelConnector( SslContextFactory.Server sslContextFactory = new SslContextFactory.Server(); sslContextFactory.setNeedClientAuth(needsClientAuth); - sslContextFactory.setKeyManagerPassword(keyPassword); + if (keyPassword != null) { + sslContextFactory.setKeyManagerPassword(keyPassword); + } if (keyStore != null) { sslContextFactory.setKeyStorePath(keyStore); sslContextFactory.setKeyStoreType(keyStoreType); - sslContextFactory.setKeyStorePassword(keyStorePassword); + if (keyStorePassword != null) { + sslContextFactory.setKeyStorePassword(keyStorePassword); + } } if (trustStore != null) { sslContextFactory.setTrustStorePath(trustStore); sslContextFactory.setTrustStoreType(trustStoreType); - sslContextFactory.setTrustStorePassword(trustStorePassword); + if (trustStorePassword != null) { + sslContextFactory.setTrustStorePassword(trustStorePassword); + } } if(null != excludeCiphers && !excludeCiphers.isEmpty()) { sslContextFactory.setExcludeCipherSuites( diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestSSLHttpServer.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestSSLHttpServer.java index 5f7a264190..5cf32f388d 100644 --- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestSSLHttpServer.java +++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestSSLHttpServer.java @@ -62,16 +62,15 @@ public class TestSSLHttpServer extends HttpServerFunctionalTest { LoggerFactory.getLogger(TestSSLHttpServer.class); private static final String HTTPS_CIPHER_SUITES_KEY = "https.cipherSuites"; private static final String JAVAX_NET_DEBUG_KEY = "javax.net.debug"; - private static final String SSL_SERVER_KEYSTORE_PROP_PREFIX = "ssl.server" + - ".keystore"; - private static final String SSL_SERVER_TRUSTSTORE_PROP_PREFIX = "ssl.server" + - ".truststore"; + static final String SSL_SERVER_KEYSTORE_PROP_PREFIX = "ssl.server.keystore"; + static final String SSL_SERVER_TRUSTSTORE_PROP_PREFIX = "ssl.server" + + ".truststore"; - private static final String SERVLET_NAME_LONGHEADER = "longheader"; - private static final String SERVLET_PATH_LONGHEADER = + static final String SERVLET_NAME_LONGHEADER = "longheader"; + static final String SERVLET_PATH_LONGHEADER = "/" + SERVLET_NAME_LONGHEADER; - private static final String SERVLET_NAME_ECHO = "echo"; - private static final String SERVLET_PATH_ECHO = "/" + SERVLET_NAME_ECHO; + static final String SERVLET_NAME_ECHO = "echo"; + static final String SERVLET_PATH_ECHO = "/" + SERVLET_NAME_ECHO; private static HttpServer2 server; private static String keystoreDir; @@ -79,7 +78,7 @@ public class TestSSLHttpServer extends HttpServerFunctionalTest { private static SSLFactory clientSslFactory; private static String cipherSuitesPropertyValue; private static String sslDebugPropertyValue; - private static final String EXCLUDED_CIPHERS = + static final String EXCLUDED_CIPHERS = "TLS_ECDHE_RSA_WITH_RC4_128_SHA," + "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, \n" + "SSL_RSA_WITH_DES_CBC_SHA," @@ -98,7 +97,7 @@ public class TestSSLHttpServer extends HttpServerFunctionalTest { + "TLS_DHE_RSA_WITH_AES_128_CBC_SHA,\t\n " + "TLS_DHE_DSS_WITH_AES_128_CBC_SHA"; - private static final String INCLUDED_PROTOCOLS = "SSLv2Hello,TLSv1.1"; + static final String INCLUDED_PROTOCOLS = "SSLv2Hello,TLSv1.1"; @BeforeClass public static void setup() throws Exception { @@ -166,7 +165,7 @@ public static void cleanup() throws Exception { * This ensures that the value https.cipherSuites does * not affect the result of tests. */ - private static void storeHttpsCipherSuites() { + static void storeHttpsCipherSuites() { String cipherSuites = System.getProperty(HTTPS_CIPHER_SUITES_KEY); if (cipherSuites != null) { LOG.info( @@ -177,7 +176,7 @@ private static void storeHttpsCipherSuites() { System.clearProperty(HTTPS_CIPHER_SUITES_KEY); } - private static void restoreHttpsCipherSuites() { + static void restoreHttpsCipherSuites() { if (cipherSuitesPropertyValue != null) { LOG.info("Restoring property {} to value: {}", HTTPS_CIPHER_SUITES_KEY, cipherSuitesPropertyValue); @@ -186,7 +185,7 @@ private static void restoreHttpsCipherSuites() { } } - private static void turnOnSSLDebugLogging() { + static void turnOnSSLDebugLogging() { String sslDebug = System.getProperty(JAVAX_NET_DEBUG_KEY); if (sslDebug != null) { sslDebugPropertyValue = sslDebug; @@ -194,7 +193,7 @@ private static void turnOnSSLDebugLogging() { System.setProperty(JAVAX_NET_DEBUG_KEY, "all"); } - private static void restoreSSLDebugLogging() { + static void restoreSSLDebugLogging() { if (sslDebugPropertyValue != null) { System.setProperty(JAVAX_NET_DEBUG_KEY, sslDebugPropertyValue); sslDebugPropertyValue = null; diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestSSLHttpServerConfigs.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestSSLHttpServerConfigs.java new file mode 100644 index 0000000000..e88eba3428 --- /dev/null +++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestSSLHttpServerConfigs.java @@ -0,0 +1,266 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.http; + +import com.google.common.base.Supplier; +import java.io.File; +import java.io.IOException; +import java.net.URI; +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.fs.FileUtil; +import org.apache.hadoop.security.ssl.KeyStoreTestUtil; +import org.apache.hadoop.security.ssl.SSLFactory; +import org.apache.hadoop.test.GenericTestUtils; +import org.junit.After; +import org.junit.Assert; +import org.junit.Before; +import org.junit.Test; + +import static org.apache.hadoop.http.TestSSLHttpServer.EXCLUDED_CIPHERS; +import static org.apache.hadoop.http.TestSSLHttpServer.INCLUDED_PROTOCOLS; +import static org.apache.hadoop.http.TestSSLHttpServer.SSL_SERVER_KEYSTORE_PROP_PREFIX; +import static org.apache.hadoop.http.TestSSLHttpServer.SSL_SERVER_TRUSTSTORE_PROP_PREFIX; +import static org.apache.hadoop.security.ssl.KeyStoreTestUtil.CLIENT_KEY_STORE_PASSWORD_DEFAULT; +import static org.apache.hadoop.security.ssl.KeyStoreTestUtil.SERVER_KEY_STORE_PASSWORD_DEFAULT; +import static org.apache.hadoop.security.ssl.KeyStoreTestUtil.TRUST_STORE_PASSWORD_DEFAULT; + +/** + * Test suit for testing KeyStore and TrustStore password settings. + */ +public class TestSSLHttpServerConfigs { + + private static final String BASEDIR = + GenericTestUtils.getTempPath(TestSSLHttpServer.class.getSimpleName()); + + private static Configuration conf; + private static Configuration sslConf; + private static String keystoreDir; + private static String sslConfDir; + private static final String SERVER_PWD = SERVER_KEY_STORE_PASSWORD_DEFAULT; + private static final String CLIENT_PWD = CLIENT_KEY_STORE_PASSWORD_DEFAULT; + private static final String TRUST_STORE_PWD = TRUST_STORE_PASSWORD_DEFAULT; + + @Before + public void start() throws Exception { + TestSSLHttpServer.turnOnSSLDebugLogging(); + TestSSLHttpServer.storeHttpsCipherSuites(); + + conf = new Configuration(); + conf.setInt(HttpServer2.HTTP_MAX_THREADS_KEY, 10); + + File base = new File(BASEDIR); + FileUtil.fullyDelete(base); + base.mkdirs(); + keystoreDir = new File(BASEDIR).getAbsolutePath(); + sslConfDir = KeyStoreTestUtil.getClasspathDir(TestSSLHttpServer.class); + } + + @After + public void shutdown() throws Exception { + FileUtil.fullyDelete(new File(BASEDIR)); + KeyStoreTestUtil.cleanupSSLConfig(keystoreDir, sslConfDir); + TestSSLHttpServer.restoreHttpsCipherSuites(); + TestSSLHttpServer.restoreSSLDebugLogging(); + } + + /** + * Setup KeyStore and TrustStore with given passwords. + */ + private void setupKeyStores(String serverPassword, + String clientPassword, String trustStorePassword) throws Exception { + + KeyStoreTestUtil.setupSSLConfig(keystoreDir, sslConfDir, conf, false, true, + EXCLUDED_CIPHERS, serverPassword, clientPassword, trustStorePassword); + + sslConf = KeyStoreTestUtil.getSslConfig(); + sslConf.set(SSLFactory.SSL_ENABLED_PROTOCOLS_KEY, INCLUDED_PROTOCOLS); + conf.set(SSLFactory.SSL_ENABLED_PROTOCOLS_KEY, INCLUDED_PROTOCOLS); + } + + /** + * Build HttpServer2 using the given passwords to access KeyStore/ TrustStore. + */ + private HttpServer2 setupServer(String keyStoreKeyPassword, + String keyStorePassword, String trustStorePassword) throws Exception { + + HttpServer2 server = new HttpServer2.Builder().setName("test") + .addEndpoint(new URI("https://localhost")).setConf(conf) + .keyPassword(keyStoreKeyPassword) + .keyStore(sslConf.get(SSL_SERVER_KEYSTORE_PROP_PREFIX + ".location"), + keyStorePassword, + sslConf.get(SSL_SERVER_KEYSTORE_PROP_PREFIX + ".type", "jks")) + .trustStore( + sslConf.get(SSL_SERVER_TRUSTSTORE_PROP_PREFIX + ".location"), + trustStorePassword, + sslConf.get(SSL_SERVER_TRUSTSTORE_PROP_PREFIX + ".type", "jks")) + .excludeCiphers(sslConf.get("ssl.server.exclude.cipher.list")).build(); + + return server; + } + + /** + * Test if HttpServer2 start succeeds in validating KeyStore/ TrustStore + * using the given passowords. + */ + private void testServerStart(String keyStoreKeyPassword, + String keyStorePassword, String trustStorePassword) throws Exception { + HttpServer2 server = setupServer(keyStoreKeyPassword, keyStorePassword, + trustStorePassword); + try { + server.start(); + + GenericTestUtils.waitFor(new Supplier() { + @Override + public Boolean get() { + return server.isAlive(); + } + }, 200, 100000); + } finally { + server.stop(); + } + } + + @Test(timeout=120000) + public void testServerSetup() throws Exception { + setupKeyStores(SERVER_PWD, CLIENT_PWD, TRUST_STORE_PWD); + testServerStart(SERVER_PWD, SERVER_PWD, TRUST_STORE_PWD); + } + + @Test(timeout=120000) + public void testServerSetupWithoutTrustPassword() throws Exception { + setupKeyStores(SERVER_PWD, CLIENT_PWD, TRUST_STORE_PWD); + testServerStart(SERVER_PWD, SERVER_PWD, null); + } + + @Test(timeout=120000) + public void testServerSetupWithoutKeyStorePassword() throws Exception { + setupKeyStores(SERVER_PWD, CLIENT_PWD, TRUST_STORE_PWD); + testServerStart(SERVER_PWD, null, null); + } + + @Test(timeout=120000) + public void testServerSetupWithoutKeyStoreKeyPassword() throws Exception { + setupKeyStores(SERVER_PWD, CLIENT_PWD, TRUST_STORE_PWD); + testServerStart(null, SERVER_PWD, null); + } + + @Test(timeout=120000) + public void testServerSetupWithNoKeyStorePassword() throws Exception { + setupKeyStores(SERVER_PWD, CLIENT_PWD, TRUST_STORE_PWD); + // Accessing KeyStore without either of KeyStore.KeyPassword or KeyStore + // .password should fail. + try { + testServerStart(null, null, null); + Assert.fail("Server should have failed to start without any " + + "KeyStore password."); + } catch (IOException e) { + GenericTestUtils.assertExceptionContains("Problem starting http server", + e); + } + } + + @Test(timeout=120000) + public void testServerSetupWithWrongKeyStorePassword() throws Exception { + setupKeyStores(SERVER_PWD, CLIENT_PWD, TRUST_STORE_PWD); + + // Accessing KeyStore with wrong keyStore password/ keyPassword should fail. + try { + testServerStart(SERVER_PWD, "wrongPassword", null); + Assert.fail("Server should have failed to start with wrong " + + "KeyStore password."); + } catch (IOException e) { + GenericTestUtils.assertExceptionContains("Keystore was tampered with, " + + "or password was incorrect", e); + } + + try { + testServerStart("wrongPassword", SERVER_PWD, null); + Assert.fail("Server should have failed to start with wrong " + + "KeyStore password."); + } catch (IOException e) { + GenericTestUtils.assertExceptionContains("Problem starting http server", + e); + GenericTestUtils.assertExceptionContains("Cannot recover key", + e.getCause()); + } + } + + @Test(timeout=120000) + public void testKeyStoreSetupWithoutTrustStorePassword() throws Exception { + // Setup TrustStore without TrustStore password + setupKeyStores(SERVER_PWD, CLIENT_PWD, ""); + + // Accessing TrustStore without password (null password) should succeed + testServerStart(SERVER_PWD, SERVER_PWD, null); + + // Accessing TrustStore with wrong password (even if password is not + // set) should fail. + try { + testServerStart(SERVER_PWD, SERVER_PWD, "wrongPassword"); + Assert.fail("Server should have failed to start with wrong " + + "TrustStore password."); + } catch (IOException e) { + GenericTestUtils.assertExceptionContains("Keystore was tampered with, " + + "or password was incorrect", e); + } + } + + @Test(timeout=120000) + public void testKeyStoreSetupWithoutKeyStorePassword() throws Exception { + // Setup KeyStore without KeyStore password + setupKeyStores(SERVER_PWD, "", TRUST_STORE_PWD); + + // Accessing KeyStore without password (null password) should succeed + testServerStart(SERVER_PWD, null, TRUST_STORE_PWD); + + // Accessing KeyStore with wrong password (even if password is not + // set) should fail. + try { + testServerStart(SERVER_PWD, "wrongPassword", TRUST_STORE_PWD); + Assert.fail("Server should have failed to start with wrong " + + "KeyStore password."); + } catch (IOException e) { + GenericTestUtils.assertExceptionContains("Keystore was tampered with, " + + "or password was incorrect", e); + } + } + + @Test(timeout=120000) + public void testKeyStoreSetupWithoutPassword() throws Exception { + // Setup KeyStore without any password + setupKeyStores("", "", ""); + + // Accessing KeyStore with either one of KeyStore.Password or KeyStore + // .KeyPassword as empty string should pass. If the password is null, it + // is not set in SSLContextFactory while setting up the server. + testServerStart("", null, null); + testServerStart(null, "", null); + + try { + testServerStart(null, null, null); + Assert.fail("Server should have failed to start without " + + "KeyStore password."); + } catch (IOException e) { + GenericTestUtils.assertExceptionContains("Problem starting http server", + e); + GenericTestUtils.assertExceptionContains("Password must not be null", + e.getCause()); + } + } +} diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/KeyStoreTestUtil.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/KeyStoreTestUtil.java index 0d30e6e410..f027d3b39b 100644 --- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/KeyStoreTestUtil.java +++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/KeyStoreTestUtil.java @@ -68,6 +68,10 @@ public class KeyStoreTestUtil { + public final static String SERVER_KEY_STORE_PASSWORD_DEFAULT = "serverP"; + public final static String CLIENT_KEY_STORE_PASSWORD_DEFAULT = "clientP"; + public final static String TRUST_STORE_PASSWORD_DEFAULT = "trustP"; + public static String getClasspathDir(Class klass) throws Exception { String file = klass.getName(); file = file.replace('.', '/') + ".class"; @@ -257,30 +261,57 @@ public static void setupSSLConfig(String keystoresDir, String sslConfDir, setupSSLConfig(keystoresDir, sslConfDir, conf, useClientCert, true,""); } - /** - * Performs complete setup of SSL configuration in preparation for testing an - * SSLFactory. This includes keys, certs, keystores, truststores, the server - * SSL configuration file, the client SSL configuration file, and the master - * configuration file read by the SSLFactory. - * - * @param keystoresDir - * @param sslConfDir - * @param conf - * @param useClientCert - * @param trustStore - * @param excludeCiphers - * @throws Exception - */ - public static void setupSSLConfig(String keystoresDir, String sslConfDir, - Configuration conf, boolean useClientCert, - boolean trustStore, String excludeCiphers) - throws Exception { + /** + * Performs complete setup of SSL configuration in preparation for testing an + * SSLFactory. This includes keys, certs, keystores, truststores, the server + * SSL configuration file, the client SSL configuration file, and the master + * configuration file read by the SSLFactory. + * + * @param keystoresDir + * @param sslConfDir + * @param conf + * @param useClientCert + * @param trustStore + * @param excludeCiphers + * @throws Exception + */ + public static void setupSSLConfig(String keystoresDir, String sslConfDir, + Configuration conf, boolean useClientCert, boolean trustStore, + String excludeCiphers) throws Exception { + setupSSLConfig(keystoresDir, sslConfDir, conf, useClientCert, trustStore, + excludeCiphers, SERVER_KEY_STORE_PASSWORD_DEFAULT, + CLIENT_KEY_STORE_PASSWORD_DEFAULT, TRUST_STORE_PASSWORD_DEFAULT); + } + + + /** + * Performs complete setup of SSL configuration in preparation for testing an + * SSLFactory. This includes keys, certs, keystores, truststores, the server + * SSL configuration file, the client SSL configuration file, and the master + * configuration file read by the SSLFactory and the passwords required to + * access the keyStores (Server and Client KeyStore Passwords and + * TrustStore Password). + * + * @param keystoresDir + * @param sslConfDir + * @param conf + * @param useClientCert + * @param trustStore + * @param excludeCiphers + * @param serverPassword + * @param clientPassword + * @param trustPassword + * @throws Exception + */ + @SuppressWarnings("checkstyle:parameternumber") + public static void setupSSLConfig(String keystoresDir, String sslConfDir, + Configuration conf, boolean useClientCert, boolean trustStore, + String excludeCiphers, String serverPassword, String clientPassword, + String trustPassword) throws Exception { + String clientKS = keystoresDir + "/clientKS.jks"; - String clientPassword = "clientP"; String serverKS = keystoresDir + "/serverKS.jks"; - String serverPassword = "serverP"; String trustKS = null; - String trustPassword = "trustP"; File sslClientConfFile = new File(sslConfDir, getClientSSLConfigFileName()); File sslServerConfFile = new File(sslConfDir, getServerSSLConfigFileName()); @@ -310,10 +341,10 @@ public static void setupSSLConfig(String keystoresDir, String sslConfDir, KeyStoreTestUtil.createTrustStore(trustKS, trustPassword, certs); } - Configuration clientSSLConf = createClientSSLConfig(clientKS, clientPassword, - clientPassword, trustKS, excludeCiphers); - Configuration serverSSLConf = createServerSSLConfig(serverKS, serverPassword, - serverPassword, trustKS, excludeCiphers); + Configuration clientSSLConf = createClientSSLConfig(clientKS, + clientPassword, clientPassword, trustKS, trustPassword, excludeCiphers); + Configuration serverSSLConf = createServerSSLConfig(serverKS, + serverPassword, serverPassword, trustKS, trustPassword, excludeCiphers); saveConfig(sslClientConfFile, clientSSLConf); saveConfig(sslServerConfFile, serverSSLConf); @@ -336,9 +367,10 @@ public static void setupSSLConfig(String keystoresDir, String sslConfDir, * @return Configuration for client SSL */ public static Configuration createClientSSLConfig(String clientKS, - String password, String keyPassword, String trustKS) { + String password, String keyPassword, String trustKS, + String trustPassword) { return createSSLConfig(SSLFactory.Mode.CLIENT, - clientKS, password, keyPassword, trustKS, ""); + clientKS, password, keyPassword, trustKS, trustPassword, ""); } /** @@ -353,10 +385,11 @@ public static Configuration createClientSSLConfig(String clientKS, * @param excludeCiphers String comma separated ciphers to exclude * @return Configuration for client SSL */ - public static Configuration createClientSSLConfig(String clientKS, - String password, String keyPassword, String trustKS, String excludeCiphers) { + public static Configuration createClientSSLConfig(String clientKS, + String password, String keyPassword, String trustKS, + String trustPassword, String excludeCiphers) { return createSSLConfig(SSLFactory.Mode.CLIENT, - clientKS, password, keyPassword, trustKS, excludeCiphers); + clientKS, password, keyPassword, trustKS, trustPassword, excludeCiphers); } /** @@ -372,9 +405,10 @@ public static Configuration createClientSSLConfig(String clientKS, * @throws java.io.IOException */ public static Configuration createServerSSLConfig(String serverKS, - String password, String keyPassword, String trustKS) throws IOException { + String password, String keyPassword, String trustKS, String trustPassword) + throws IOException { return createSSLConfig(SSLFactory.Mode.SERVER, - serverKS, password, keyPassword, trustKS, ""); + serverKS, password, keyPassword, trustKS, trustPassword, ""); } /** @@ -390,10 +424,11 @@ public static Configuration createServerSSLConfig(String serverKS, * @return * @throws IOException */ - public static Configuration createServerSSLConfig(String serverKS, - String password, String keyPassword, String trustKS, String excludeCiphers) throws IOException { + public static Configuration createServerSSLConfig(String serverKS, + String password, String keyPassword, String trustKS, String trustPassword, + String excludeCiphers) throws IOException { return createSSLConfig(SSLFactory.Mode.SERVER, - serverKS, password, keyPassword, trustKS, excludeCiphers); + serverKS, password, keyPassword, trustKS, trustPassword, excludeCiphers); } /** @@ -445,8 +480,8 @@ private static String getSSLConfigFileName(String base) { * @return Configuration for SSL */ private static Configuration createSSLConfig(SSLFactory.Mode mode, - String keystore, String password, String keyPassword, String trustKS, String excludeCiphers) { - String trustPassword = "trustP"; + String keystore, String password, String keyPassword, String trustKS, + String trustStorePwd, String excludeCiphers) { Configuration sslConf = new Configuration(false); if (keystore != null) { @@ -466,10 +501,10 @@ private static Configuration createSSLConfig(SSLFactory.Mode mode, sslConf.set(FileBasedKeyStoresFactory.resolvePropertyName(mode, FileBasedKeyStoresFactory.SSL_TRUSTSTORE_LOCATION_TPL_KEY), trustKS); } - if (trustPassword != null) { + if (trustStorePwd != null) { sslConf.set(FileBasedKeyStoresFactory.resolvePropertyName(mode, FileBasedKeyStoresFactory.SSL_TRUSTSTORE_PASSWORD_TPL_KEY), - trustPassword); + trustStorePwd); } if(null != excludeCiphers && !excludeCiphers.isEmpty()) { sslConf.set(FileBasedKeyStoresFactory.resolvePropertyName(mode, diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/TestSSLFactory.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/TestSSLFactory.java index 9f149b7427..9b4d1f205f 100644 --- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/TestSSLFactory.java +++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/TestSSLFactory.java @@ -17,6 +17,7 @@ */ package org.apache.hadoop.security.ssl; +import static org.apache.hadoop.security.ssl.KeyStoreTestUtil.TRUST_STORE_PASSWORD_DEFAULT; import static org.junit.Assert.assertTrue; import org.apache.hadoop.conf.Configuration; @@ -407,7 +408,7 @@ private void checkSSLFactoryInitWithPasswords(SSLFactory.Mode mode, String keystore = new File(KEYSTORES_DIR, "keystore.jks").getAbsolutePath(); String truststore = new File(KEYSTORES_DIR, "truststore.jks") .getAbsolutePath(); - String trustPassword = "trustP"; + String trustPassword = TRUST_STORE_PASSWORD_DEFAULT; // Create keys, certs, keystore, and truststore. KeyPair keyPair = KeyStoreTestUtil.generateKeyPair("RSA"); @@ -433,7 +434,7 @@ private void checkSSLFactoryInitWithPasswords(SSLFactory.Mode mode, if (mode == SSLFactory.Mode.SERVER) { sslConfFileName = "ssl-server.xml"; sslConf = KeyStoreTestUtil.createServerSSLConfig(keystore, confPassword, - confKeyPassword, truststore); + confKeyPassword, truststore, trustPassword); if (useCredProvider) { File testDir = GenericTestUtils.getTestDir(); final Path jksPath = new Path(testDir.toString(), "test.jks"); @@ -444,7 +445,7 @@ private void checkSSLFactoryInitWithPasswords(SSLFactory.Mode mode, } else { sslConfFileName = "ssl-client.xml"; sslConf = KeyStoreTestUtil.createClientSSLConfig(keystore, confPassword, - confKeyPassword, truststore); + confKeyPassword, truststore, trustPassword); } KeyStoreTestUtil.saveConfig(new File(sslConfsDir, sslConfFileName), sslConf);