aboutsummaryrefslogtreecommitdiffstats
path: root/zookeeper-server/zookeeper-server/src/main/java/org/apache/zookeeper/common/ClientX509Util.java
diff options
context:
space:
mode:
Diffstat (limited to 'zookeeper-server/zookeeper-server/src/main/java/org/apache/zookeeper/common/ClientX509Util.java')
-rw-r--r--zookeeper-server/zookeeper-server/src/main/java/org/apache/zookeeper/common/ClientX509Util.java116
1 files changed, 62 insertions, 54 deletions
diff --git a/zookeeper-server/zookeeper-server/src/main/java/org/apache/zookeeper/common/ClientX509Util.java b/zookeeper-server/zookeeper-server/src/main/java/org/apache/zookeeper/common/ClientX509Util.java
index c0034a4723f..9eda60ea361 100644
--- a/zookeeper-server/zookeeper-server/src/main/java/org/apache/zookeeper/common/ClientX509Util.java
+++ b/zookeeper-server/zookeeper-server/src/main/java/org/apache/zookeeper/common/ClientX509Util.java
@@ -18,6 +18,7 @@
package org.apache.zookeeper.common;
+import com.yahoo.vespa.zookeeper.VespaZookeeperTlsContextUtils;
import io.netty.handler.ssl.DelegatingSslContext;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
@@ -28,21 +29,16 @@ import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManager;
-
-import org.apache.zookeeper.common.X509Exception.KeyManagerException;
-import org.apache.zookeeper.common.X509Exception.SSLContextException;
-import org.apache.zookeeper.server.auth.ProviderRegistry;
-import org.apache.zookeeper.server.auth.X509AuthenticationProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
- *
- * <em>NOTE: Overridden because ZK 3.9 completely broke the SSL setup APIs; for clients, key and trust stores are
- * now mandatory, unlike for servers, where it's still possible to provide a custom authProvider. This patch fixes that.
- * Based on https://github.com/apache/zookeeper/blob/branch-3.9/zookeeper-server/src/main/java/org/apache/zookeeper/common/ClientX509Util.java</em>
- * <p>
* X509 utilities specific for client-server communication framework.
+ * <p>
+ * <em>Modified to use Vespa's TLS context, whenever it is available, instead of the file-based key and trust stores of ZK 3.9.
+ * Based on https://github.com/apache/zookeeper/blob/branch-3.9/zookeeper-server/src/main/java/org/apache/zookeeper/common/ClientX509Util.java</em>
+ *
+ * @author jonmv
*/
public class ClientX509Util extends X509Util {
@@ -70,37 +66,31 @@ public class ClientX509Util extends X509Util {
}
public SslContext createNettySslContextForClient(ZKConfig config)
- throws X509Exception.KeyManagerException, X509Exception.TrustManagerException, SSLException {
-
+ throws X509Exception.KeyManagerException, X509Exception.TrustManagerException, SSLException {
+ SslContextBuilder sslContextBuilder = SslContextBuilder.forClient();
KeyManager km;
TrustManager tm;
- String authProviderProp = System.getProperty(getSslAuthProviderProperty());
- if (authProviderProp == null) {
+ if (VespaZookeeperTlsContextUtils.tlsContext().isPresent()) {
+ km = VespaZookeeperTlsContextUtils.tlsContext().get().sslContext().keyManager();
+ tm = VespaZookeeperTlsContextUtils.tlsContext().get().sslContext().trustManager();
+ }
+ else {
String keyStoreLocation = config.getProperty(getSslKeystoreLocationProperty(), "");
String keyStorePassword = getPasswordFromConfigPropertyOrFile(config, getSslKeystorePasswdProperty(),
getSslKeystorePasswdPathProperty());
String keyStoreType = config.getProperty(getSslKeystoreTypeProperty());
+
if (keyStoreLocation.isEmpty()) {
LOG.warn("{} not specified", getSslKeystoreLocationProperty());
km = null;
- } else {
+ }
+ else {
km = createKeyManager(keyStoreLocation, keyStorePassword, keyStoreType);
}
- tm = getTrustManager(config);
- } else {
- X509AuthenticationProvider authProvider = (X509AuthenticationProvider) ProviderRegistry.getProvider(
- System.getProperty(getSslAuthProviderProperty(), "x509"));
- if (authProvider == null) {
- LOG.error("Auth provider not found: {}", authProviderProp);
- throw new SSLException("Could not create SSLContext with specified auth provider: " + authProviderProp);
- }
- LOG.info("Using auth provider for client: {}", authProviderProp);
- km = authProvider.getKeyManager();
- tm = authProvider.getTrustManager();
+ tm = getTrustManager(config);
}
- SslContextBuilder sslContextBuilder = SslContextBuilder.forClient();
if (km != null) {
sslContextBuilder.keyManager(km);
}
@@ -108,36 +98,54 @@ public class ClientX509Util extends X509Util {
sslContextBuilder.trustManager(tm);
}
- return createNettySslContext(config, sslContextBuilder, "Server");
+ sslContextBuilder.enableOcsp(config.getBoolean(getSslOcspEnabledProperty()));
+ sslContextBuilder.protocols(getEnabledProtocols(config));
+ Iterable<String> enabledCiphers = getCipherSuites(config);
+ if (enabledCiphers != null) {
+ sslContextBuilder.ciphers(enabledCiphers);
+ }
+ sslContextBuilder.sslProvider(getSslProvider(config));
+
+ SslContext sslContext1 = sslContextBuilder.build();
+
+ if (getFipsMode(config) && isServerHostnameVerificationEnabled(config)) {
+ return addHostnameVerification(sslContext1, "Server");
+ } else {
+ return sslContext1;
+ }
}
public SslContext createNettySslContextForServer(ZKConfig config)
- throws X509Exception.SSLContextException, X509Exception.KeyManagerException, X509Exception.TrustManagerException, SSLException {
- String keyStoreLocation = config.getProperty(getSslKeystoreLocationProperty(), "");
- String keyStorePassword = getPasswordFromConfigPropertyOrFile(config, getSslKeystorePasswdProperty(),
- getSslKeystorePasswdPathProperty());
- String keyStoreType = config.getProperty(getSslKeystoreTypeProperty());
-
- if (keyStoreLocation.isEmpty()) {
- throw new X509Exception.SSLContextException(
- "Keystore is required for SSL server: " + getSslKeystoreLocationProperty());
+ throws X509Exception.SSLContextException, X509Exception.KeyManagerException, X509Exception.TrustManagerException, SSLException {
+ KeyManager km;
+ TrustManager tm;
+ if (VespaZookeeperTlsContextUtils.tlsContext().isPresent()) {
+ km = VespaZookeeperTlsContextUtils.tlsContext().get().sslContext().keyManager();
+ tm = VespaZookeeperTlsContextUtils.tlsContext().get().sslContext().trustManager();
}
+ else {
+ String keyStoreLocation = config.getProperty(getSslKeystoreLocationProperty(), "");
+ String keyStorePassword = getPasswordFromConfigPropertyOrFile(config, getSslKeystorePasswdProperty(),
+ getSslKeystorePasswdPathProperty());
+ String keyStoreType = config.getProperty(getSslKeystoreTypeProperty());
- KeyManager km = createKeyManager(keyStoreLocation, keyStorePassword, keyStoreType);
- TrustManager trustManager = getTrustManager(config);
-
- return createNettySslContextForServer(config, km, trustManager);
+ if (keyStoreLocation.isEmpty()) {
+ throw new X509Exception.SSLContextException(
+ "Keystore is required for SSL server: " + getSslKeystoreLocationProperty());
+ }
+ km = createKeyManager(keyStoreLocation, keyStorePassword, keyStoreType);
+ tm = getTrustManager(config);
+ }
+ return createNettySslContextForServer(config, km, tm);
}
- public SslContext createNettySslContextForServer(ZKConfig config, KeyManager km, TrustManager tm) throws SSLException {
- SslContextBuilder sslContextBuilder = SslContextBuilder.forServer(km);
- if (tm != null) {
- sslContextBuilder.trustManager(tm);
+ public SslContext createNettySslContextForServer(ZKConfig config, KeyManager keyManager, TrustManager trustManager) throws SSLException {
+ SslContextBuilder sslContextBuilder = SslContextBuilder.forServer(keyManager);
+
+ if (trustManager != null) {
+ sslContextBuilder.trustManager(trustManager);
}
- return createNettySslContext(config, sslContextBuilder, "Client");
- }
- SslContext createNettySslContext(ZKConfig config, SslContextBuilder sslContextBuilder, String clientOrServer) throws SSLException {
sslContextBuilder.enableOcsp(config.getBoolean(getSslOcspEnabledProperty()));
sslContextBuilder.protocols(getEnabledProtocols(config));
sslContextBuilder.clientAuth(getClientAuth(config).toNettyClientAuth());
@@ -147,12 +155,12 @@ public class ClientX509Util extends X509Util {
}
sslContextBuilder.sslProvider(getSslProvider(config));
- SslContext sslContext = sslContextBuilder.build();
+ SslContext sslContext1 = sslContextBuilder.build();
if (getFipsMode(config) && isClientHostnameVerificationEnabled(config)) {
- return addHostnameVerification(sslContext, clientOrServer);
+ return addHostnameVerification(sslContext1, "Client");
} else {
- return sslContext;
+ return sslContext1;
}
}
@@ -201,7 +209,7 @@ public class ClientX509Util extends X509Util {
private TrustManager getTrustManager(ZKConfig config) throws X509Exception.TrustManagerException {
String trustStoreLocation = config.getProperty(getSslTruststoreLocationProperty(), "");
String trustStorePassword = getPasswordFromConfigPropertyOrFile(config, getSslTruststorePasswdProperty(),
- getSslTruststorePasswdPathProperty());
+ getSslTruststorePasswdPathProperty());
String trustStoreType = config.getProperty(getSslTruststoreTypeProperty());
boolean sslCrlEnabled = config.getBoolean(getSslCrlEnabledProperty());
@@ -214,8 +222,8 @@ public class ClientX509Util extends X509Util {
return null;
} else {
return createTrustManager(trustStoreLocation, trustStorePassword, trustStoreType,
- sslCrlEnabled, sslOcspEnabled, sslServerHostnameVerificationEnabled,
- sslClientHostnameVerificationEnabled, getFipsMode(config));
+ sslCrlEnabled, sslOcspEnabled, sslServerHostnameVerificationEnabled,
+ sslClientHostnameVerificationEnabled, getFipsMode(config));
}
}
}