Posted to issues@arrow.apache.org by "mhilton (via GitHub)" <gi...@apache.org> on 2023/05/24 15:28:17 UTC

[GitHub] [arrow] mhilton opened a new issue, #35741: [Java] JDBC driver throws exception when loading system trust store on MacOS

mhilton opened a new issue, #35741:
URL: https://github.com/apache/arrow/issues/35741

   ### Describe the bug, including details regarding any error messages, version, and platform.
   
   On MacOS attempting to use the system trust store with the JDBC driver results in an exception. The following is a minimal application which triggers the problem:
   
   ```java
   import java.sql.*;
   
   public class FlightSQLTLSTest {
   
   public static void main(String[] args) {
   	if (args.length != 1) {
   		System.err.println("usage: java FlightSQLTLSTest dsn");
   		System.exit(2);
   	}
   	
   	String dsn = args[0];
   	try {
   		Connection conn = DriverManager.getConnection(dsn);
   		DatabaseMetaData md = conn.getMetaData();
   		ResultSet rs = md.getCatalogs();
   		while (rs.next()) {
   			System.out.println(rs.getString(1));
   		}
   		rs.close();
   		conn.close();
   	} catch (SQLException e) {
   		e.printStackTrace();
   		System.exit(1);
   	}
   	
   }
   
   }
   ```
   
   When the supplied DSN uses TLS with the system certificates `useEncryption=true&useSystemTrustStore=true` then the following exception is thrown on MacOS.
   
   ```
   java.sql.SQLException: java.lang.IllegalArgumentException: Input stream does not contain valid certificates.
   	at org.apache.arrow.driver.jdbc.client.ArrowFlightSqlClientHandler$Builder.build(ArrowFlightSqlClientHandler.java:586)
   	at org.apache.arrow.driver.jdbc.ArrowFlightConnection.createNewClientHandler(ArrowFlightConnection.java:109)
   	at org.apache.arrow.driver.jdbc.ArrowFlightConnection.createNewConnection(ArrowFlightConnection.java:88)
   	at org.apache.arrow.driver.jdbc.ArrowFlightJdbcDriver.connect(ArrowFlightJdbcDriver.java:85)
   	at org.apache.arrow.driver.jdbc.ArrowFlightJdbcDriver.connect(ArrowFlightJdbcDriver.java:49)
   	at java.sql/java.sql.DriverManager.getConnection(DriverManager.java:683)
   	at java.sql/java.sql.DriverManager.getConnection(DriverManager.java:253)
   	at FlightSQLTLSTest.main(FlightSQLTLSTest.java:13)
   Caused by: java.lang.IllegalArgumentException: Input stream does not contain valid certificates.
   	at cfjd.io.netty.handler.ssl.SslContextBuilder.trustManager(SslContextBuilder.java:276)
   	at cfjd.org.apache.arrow.flight.FlightClient$Builder.build(FlightClient.java:698)
   	at org.apache.arrow.driver.jdbc.client.ArrowFlightSqlClientHandler$Builder.build(ArrowFlightSqlClientHandler.java:572)
   	... 7 more
   Caused by: java.security.cert.CertificateException: found no certificates in input stream
   	at cfjd.io.netty.handler.ssl.PemReader.readCertificates(PemReader.java:107)
   	at cfjd.io.netty.handler.ssl.SslContext.toX509Certificates(SslContext.java:1226)
   	at cfjd.io.netty.handler.ssl.SslContextBuilder.trustManager(SslContextBuilder.java:274)
   	... 9 more
   ```
   
   On Linux the program runs as expected, outputting the list of catalogs.
   
   ### Version information
   
   MacOS version: 13.3.1 (a) (22E772610a)
   flight-sql-jdbc-driver version: 12.0.0
   
   ```
   $ uname -a
   Darwin cromarty.local 22.4.0 Darwin Kernel Version 22.4.0: Mon Mar  6 20:59:28 PST 2023; root:xnu-8796.101.5~3/RELEASE_ARM64_T6000 arm64
   $ java -version
   openjdk version "20.0.1" 2023-04-18
   OpenJDK Runtime Environment Homebrew (build 20.0.1)
   OpenJDK 64-Bit Server VM Homebrew (build 20.0.1, mixed mode, sharing)
   ```
   
   Note: This is using the openjdk provided by homebrew.
   
   ### Component(s)
   
   Java


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@arrow.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
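
The trace above ends in Netty's `PemReader` finding no certificates in the stream handed to `SslContextBuilder.trustManager`. The following stand-alone probe is an added example, not code from the issue or from the Arrow driver, and it does not reproduce the driver's loading logic: run on both macOS and Linux, it reports how many trust anchors the JVM's default trust store holds and whether a named platform key store PEM-encodes to an empty string. The class name `TrustStoreProbe` and the default store type `KeychainStore` (present only on macOS JDKs) are assumptions.

```java
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustStoreProbe { // hypothetical name, not part of the driver
  // PEM-encode every X.509 certificate entry of a key store.
  static String toPem(KeyStore ks) throws Exception {
    Base64.Encoder enc = Base64.getMimeEncoder(64, new byte[] {'\n'});
    StringBuilder pem = new StringBuilder();
    for (String alias : Collections.list(ks.aliases())) {
      Certificate c = ks.getCertificate(alias);
      if (c instanceof X509Certificate) {
        pem.append("-----BEGIN CERTIFICATE-----\n").append(enc.encodeToString(c.getEncoded()))
            .append("\n-----END CERTIFICATE-----\n");
      }
    }
    return pem.toString();
  }

  // Count the trust anchors accepted by the JVM's default TrustManager.
  static int defaultAnchors() throws Exception {
    var tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init((KeyStore) null); // null selects the JVM default trust store
    return Arrays.stream(tmf.getTrustManagers())
        .filter(tm -> tm instanceof X509TrustManager)
        .mapToInt(tm -> ((X509TrustManager) tm).getAcceptedIssuers().length).sum();
  }

  public static void main(String[] args) throws Exception {
    System.out.println("os.name=" + System.getProperty("os.name"));
    System.out.println("JVM default trust anchors: " + defaultAnchors());
    // Assumption: KeychainStore is the platform store to probe; pass other types as arguments.
    String[] types = args.length > 0 ? args : new String[] {"KeychainStore"};
    for (String type : types) {
      try {
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(null, null); // platform stores take no stream or password
        String pem = toPem(ks);
        System.out.println(type + ": " + ks.size() + " entries, PEM empty=" + pem.isEmpty());
      } catch (Exception e) {
        System.out.println(type + ": unavailable (" + e + ")");
      }
    }
  }
}
```

A store that reports `PEM empty=true` yields exactly the kind of input a PEM reader rejects with "found no certificates in input stream".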


[GitHub] [arrow] davisusanibar commented on issue #35741: [Java] JDBC driver throws exception when loading system trust store on MacOS

Posted by "davisusanibar (via GitHub)" <gi...@apache.org>.
davisusanibar commented on issue #35741:
URL: https://github.com/apache/arrow/issues/35741#issuecomment-1652181700

   > > This is more or less an SSL parameter configuration that needs to be set according to the implementation of one-way or two-way SSL that is independent of the Arrow JDBC.
   > 
   > I don't believe this is the case. The important point being that the identical command runs correctly on Linux using exactly the same DSN.
   
   Hi @mhilton. In order to support SSL 1 Way / 2 Way properly, the client and server must implement parameters.
   
   SSL errors are independent of the operating system (Win/Unix/Others) and related to missing client or server configuration.
   
   Using the MySQL SSL client/server configured properly, the JDBC driver can read and load Truststore and Keystore:
   
   ```java
   import java.io.IOException;
   import java.sql.Connection;
   import java.sql.DriverManager;
   import java.sql.ResultSet;
   import java.sql.SQLException;
   
   import org.apache.arrow.adapter.jdbc.ArrowVectorIterator;
   import org.apache.arrow.adapter.jdbc.JdbcToArrow;
   import org.apache.arrow.memory.BufferAllocator;
   import org.apache.arrow.memory.RootAllocator;
   import org.apache.arrow.vector.VectorSchemaRoot;
   
   public class JdbcAdapterToMysqlWithSSL {
     public static void main(String[] args) {
       System.setProperty("javax.net.debug", "all");
       try (BufferAllocator allocator = new RootAllocator();
            Connection connection = DriverManager.getConnection(
                "jdbc:mysql://root:password@localhost:3306/mysql?" +
                    "sslMode=VERIFY_CA&"+
                    "trustCertificateKeyStoreUrl=file:///Users/dsusanibar/Downloads/sslmysql/truststore.jks&"+
                    "trustCertificateKeyStorePassword=mypassword&" +
                    "clientCertificateKeyStoreUrl=file:///Users/dsusanibar/Downloads/sslmysql/keystore.jks&" +
                    "clientCertificateKeyStorePassword=mypassword")
       ) {
         try (ResultSet resultSet = connection.createStatement().executeQuery(
             "SELECT * FROM mysql.user");
              ArrowVectorIterator iterator = JdbcToArrow.sqlToArrowVectorIterator(
                  resultSet, allocator)) {
           while (iterator.hasNext()) {
             try (VectorSchemaRoot root = iterator.next()) {
               System.out.print(root.contentToTSVString());
             }
           }
         }
       } catch (SQLException | IOException e) {
         e.printStackTrace();
       }
     }
     /*
     Truststore:
     --------
     $ sudo keytool -importcert -alias useMySQLServer -file /usr/local/mysql/data/ca.pem \
       -keystore truststore.jks -storepass mypassword
     Keystore:
     --------
     $ sudo openssl pkcs12 -export -in /usr/local/mysql/data/client-cert.pem -inkey /usr/local/mysql/data/client-key.pem \
     -name "mysqlclient" -passout pass:mypassword -out client-keystore.p12
     $ sudo keytool -importkeystore -srckeystore client-keystore.p12 -srcstoretype pkcs12 \
      -srcstorepass mypassword -destkeystore keystore.jks -deststoretype JKS -deststorepass mypassword
      */
   }
   ```




[GitHub] [arrow] davisusanibar commented on issue #35741: [Java] JDBC driver throws exception when loading system trust store on MacOS

Posted by "davisusanibar (via GitHub)" <gi...@apache.org>.
davisusanibar commented on issue #35741:
URL: https://github.com/apache/arrow/issues/35741#issuecomment-1635806838

   Hi @mhilton
   
   This is more or less an SSL parameter configuration that needs to be set according to the implementation of one-way or two-way SSL that is independent of the Arrow JDBC.
   
   Please let us know if we could close this issue.




[GitHub] [arrow] mhilton commented on issue #35741: [Java] JDBC driver throws exception when loading system trust store on MacOS

Posted by "mhilton (via GitHub)" <gi...@apache.org>.
mhilton commented on issue #35741:
URL: https://github.com/apache/arrow/issues/35741#issuecomment-1639525808

   > This is more or less an SSL parameter configuration that needs to be set according to the implementation of one-way or two-way SSL that is independent of the Arrow JDBC.
   
   I don't believe this is the case. The important point being that the identical command runs correctly on Linux using exactly the same DSN.
   
   




[GitHub] [arrow] pitrou commented on issue #35741: [Java] JDBC driver throws exception when loading system trust store on MacOS

Posted by "pitrou (via GitHub)" <gi...@apache.org>.
pitrou commented on issue #35741:
URL: https://github.com/apache/arrow/issues/35741#issuecomment-1561503093

   cc @davisusanibar 

