Posted to commits@ignite.apache.org by sb...@apache.org on 2017/08/28 14:48:05 UTC

[4/8] ignite git commit: Fixed "IGNITE-6168 Need SSL client authentication during discovery". This closes #2505.

Fixed "IGNITE-6168 Need SSL client authentication during discovery". This closes #2505.

Signed-off-by: nikolay_tikhonov <nt...@gridgain.com>


Project: http://git-wip-us.apache.org/repos/asf/ignite/repo
Commit: http://git-wip-us.apache.org/repos/asf/ignite/commit/02801f8f
Tree: http://git-wip-us.apache.org/repos/asf/ignite/tree/02801f8f
Diff: http://git-wip-us.apache.org/repos/asf/ignite/diff/02801f8f

Branch: refs/heads/ignite-6149
Commit: 02801f8f28e4936b2770a7a96d9d3809cce16d42
Parents: 6f279b0
Author: Ilya Kasnacheev <il...@gmail.com>
Authored: Fri Aug 25 15:32:05 2017 +0300
Committer: nikolay_tikhonov <nt...@gridgain.com>
Committed: Fri Aug 25 15:32:05 2017 +0300

----------------------------------------------------------------------
 modules/clients/src/test/keystore/ca/node01.jks | Bin 0 -> 3719 bytes
 modules/clients/src/test/keystore/ca/node02.jks | Bin 0 -> 4598 bytes
 modules/clients/src/test/keystore/ca/node03.jks | Bin 0 -> 3754 bytes
 modules/clients/src/test/keystore/ca/oneca.cnf  |  15 ++
 modules/clients/src/test/keystore/ca/oneca.key  |  28 ++++
 .../clients/src/test/keystore/ca/oneindex.txt   |   1 +
 .../src/test/keystore/ca/oneindex.txt.attr      |   1 +
 modules/clients/src/test/keystore/ca/oneserial  |   1 +
 .../clients/src/test/keystore/ca/trust-both.jks | Bin 0 -> 1718 bytes
 .../clients/src/test/keystore/ca/trust-one.jks  | Bin 0 -> 877 bytes
 .../clients/src/test/keystore/ca/trust-two.jks  | Bin 0 -> 891 bytes
 modules/clients/src/test/keystore/ca/twoca.cnf  |  15 ++
 modules/clients/src/test/keystore/ca/twoca.key  |  28 ++++
 .../clients/src/test/keystore/ca/twoindex.txt   |   2 +
 .../src/test/keystore/ca/twoindex.txt.attr      |   1 +
 modules/clients/src/test/keystore/ca/twoserial  |   1 +
 .../ignite/spi/discovery/tcp/ServerImpl.java    |  11 +-
 modules/core/src/test/config/tests.properties   |   8 ++
 .../tcp/TcpDiscoverySslTrustedSelfTest.java     |  42 ++++++
 .../TcpDiscoverySslTrustedUntrustedTest.java    | 140 +++++++++++++++++++
 .../ignite/testframework/GridTestUtils.java     |  20 +++
 .../IgniteSpiDiscoverySelfTestSuite.java        |   4 +
 22 files changed, 316 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ignite/blob/02801f8f/modules/clients/src/test/keystore/ca/node01.jks
----------------------------------------------------------------------
diff --git a/modules/clients/src/test/keystore/ca/node01.jks b/modules/clients/src/test/keystore/ca/node01.jks
new file mode 100644
index 0000000..23c0643
Binary files /dev/null and b/modules/clients/src/test/keystore/ca/node01.jks differ

http://git-wip-us.apache.org/repos/asf/ignite/blob/02801f8f/modules/clients/src/test/keystore/ca/node02.jks
----------------------------------------------------------------------
diff --git a/modules/clients/src/test/keystore/ca/node02.jks b/modules/clients/src/test/keystore/ca/node02.jks
new file mode 100644
index 0000000..26da4b5
Binary files /dev/null and b/modules/clients/src/test/keystore/ca/node02.jks differ

http://git-wip-us.apache.org/repos/asf/ignite/blob/02801f8f/modules/clients/src/test/keystore/ca/node03.jks
----------------------------------------------------------------------
diff --git a/modules/clients/src/test/keystore/ca/node03.jks b/modules/clients/src/test/keystore/ca/node03.jks
new file mode 100644
index 0000000..831ca24
Binary files /dev/null and b/modules/clients/src/test/keystore/ca/node03.jks differ

http://git-wip-us.apache.org/repos/asf/ignite/blob/02801f8f/modules/clients/src/test/keystore/ca/oneca.cnf
----------------------------------------------------------------------
diff --git a/modules/clients/src/test/keystore/ca/oneca.cnf b/modules/clients/src/test/keystore/ca/oneca.cnf
new file mode 100644
index 0000000..2da42ca
--- /dev/null
+++ b/modules/clients/src/test/keystore/ca/oneca.cnf
@@ -0,0 +1,15 @@
+[ ca ]
+default_ca = oneca
+
+[ oneca ]
+certificate = ./oneca.pem
+database = ./oneindex.txt
+private_key = ./oneca.key
+new_certs_dir = ./
+default_md = sha1
+serial = ./oneserial
+default_days = 365
+policy = policy_match
+
+[policy_match]
+commonName = supplied
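Review bot: `default_days = 365` gives the issued node certificates a one-year life, and oneindex.txt records node01 expiring at `180824104710Z`, so, assuming the committed JKS key stores hold these certificates, the new discovery SSL tests will start failing at the handshake after that date. For a checked-in fixture a much longer validity such as `default_days = 3650` would avoid that, together with a short README recording the commands used to issue the certificates and build the key stores. `default_md = sha1` is also worth changing to `default_md = sha256`, since stricter JDK security settings may reject SHA-1-signed chains. The same two settings appear in twoca.cnf.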

http://git-wip-us.apache.org/repos/asf/ignite/blob/02801f8f/modules/clients/src/test/keystore/ca/oneca.key
----------------------------------------------------------------------
diff --git a/modules/clients/src/test/keystore/ca/oneca.key b/modules/clients/src/test/keystore/ca/oneca.key
new file mode 100644
index 0000000..8815206
--- /dev/null
+++ b/modules/clients/src/test/keystore/ca/oneca.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
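Review bot: This file puts the unencrypted signing key of the test CA into the source tree, and nothing next to it marks the directory as a fixture. Since trust-one.jks presumably trusts this CA, any environment that copied these trust stores would accept certificates that anyone with the repository can issue. A README in `keystore/ca` stating that the keys and stores are for tests only and must not be reused in a deployment would make that explicit. The same applies to twoca.key.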

http://git-wip-us.apache.org/repos/asf/ignite/blob/02801f8f/modules/clients/src/test/keystore/ca/oneindex.txt
----------------------------------------------------------------------
diff --git a/modules/clients/src/test/keystore/ca/oneindex.txt b/modules/clients/src/test/keystore/ca/oneindex.txt
new file mode 100644
index 0000000..8d347d0
--- /dev/null
+++ b/modules/clients/src/test/keystore/ca/oneindex.txt
@@ -0,0 +1 @@
+V	180824104710Z		01	unknown	/CN=node01

http://git-wip-us.apache.org/repos/asf/ignite/blob/02801f8f/modules/clients/src/test/keystore/ca/oneindex.txt.attr
----------------------------------------------------------------------
diff --git a/modules/clients/src/test/keystore/ca/oneindex.txt.attr b/modules/clients/src/test/keystore/ca/oneindex.txt.attr
new file mode 100644
index 0000000..8f7e63a
--- /dev/null
+++ b/modules/clients/src/test/keystore/ca/oneindex.txt.attr
@@ -0,0 +1 @@
+unique_subject = yes

http://git-wip-us.apache.org/repos/asf/ignite/blob/02801f8f/modules/clients/src/test/keystore/ca/oneserial
----------------------------------------------------------------------
diff --git a/modules/clients/src/test/keystore/ca/oneserial b/modules/clients/src/test/keystore/ca/oneserial
new file mode 100644
index 0000000..9e22bcb
--- /dev/null
+++ b/modules/clients/src/test/keystore/ca/oneserial
@@ -0,0 +1 @@
+02

http://git-wip-us.apache.org/repos/asf/ignite/blob/02801f8f/modules/clients/src/test/keystore/ca/trust-both.jks
----------------------------------------------------------------------
diff --git a/modules/clients/src/test/keystore/ca/trust-both.jks b/modules/clients/src/test/keystore/ca/trust-both.jks
new file mode 100644
index 0000000..1d8ccc2
Binary files /dev/null and b/modules/clients/src/test/keystore/ca/trust-both.jks differ

http://git-wip-us.apache.org/repos/asf/ignite/blob/02801f8f/modules/clients/src/test/keystore/ca/trust-one.jks
----------------------------------------------------------------------
diff --git a/modules/clients/src/test/keystore/ca/trust-one.jks b/modules/clients/src/test/keystore/ca/trust-one.jks
new file mode 100644
index 0000000..0b91ca7
Binary files /dev/null and b/modules/clients/src/test/keystore/ca/trust-one.jks differ

http://git-wip-us.apache.org/repos/asf/ignite/blob/02801f8f/modules/clients/src/test/keystore/ca/trust-two.jks
----------------------------------------------------------------------
diff --git a/modules/clients/src/test/keystore/ca/trust-two.jks b/modules/clients/src/test/keystore/ca/trust-two.jks
new file mode 100644
index 0000000..1939287
Binary files /dev/null and b/modules/clients/src/test/keystore/ca/trust-two.jks differ

http://git-wip-us.apache.org/repos/asf/ignite/blob/02801f8f/modules/clients/src/test/keystore/ca/twoca.cnf
----------------------------------------------------------------------
diff --git a/modules/clients/src/test/keystore/ca/twoca.cnf b/modules/clients/src/test/keystore/ca/twoca.cnf
new file mode 100644
index 0000000..1efa25a
--- /dev/null
+++ b/modules/clients/src/test/keystore/ca/twoca.cnf
@@ -0,0 +1,15 @@
+[ ca ]
+default_ca = twoca
+ 
+[ twoca ]
+certificate = ./twoca.pem
+database = ./twoindex.txt
+private_key = ./twoca.key
+new_certs_dir = ./
+default_md = sha1
+policy = policy_match
+serial = ./twoserial
+default_days = 365
+ 
+[policy_match]
+commonName = supplied

http://git-wip-us.apache.org/repos/asf/ignite/blob/02801f8f/modules/clients/src/test/keystore/ca/twoca.key
----------------------------------------------------------------------
diff --git a/modules/clients/src/test/keystore/ca/twoca.key b/modules/clients/src/test/keystore/ca/twoca.key
new file mode 100644
index 0000000..4053881
--- /dev/null
+++ b/modules/clients/src/test/keystore/ca/twoca.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----

http://git-wip-us.apache.org/repos/asf/ignite/blob/02801f8f/modules/clients/src/test/keystore/ca/twoindex.txt
----------------------------------------------------------------------
diff --git a/modules/clients/src/test/keystore/ca/twoindex.txt b/modules/clients/src/test/keystore/ca/twoindex.txt
new file mode 100644
index 0000000..00b7307
--- /dev/null
+++ b/modules/clients/src/test/keystore/ca/twoindex.txt
@@ -0,0 +1,2 @@
+V	180824104716Z		01	unknown	/CN=node02
+V	180824104719Z		02	unknown	/CN=node03

http://git-wip-us.apache.org/repos/asf/ignite/blob/02801f8f/modules/clients/src/test/keystore/ca/twoindex.txt.attr
----------------------------------------------------------------------
diff --git a/modules/clients/src/test/keystore/ca/twoindex.txt.attr b/modules/clients/src/test/keystore/ca/twoindex.txt.attr
new file mode 100644
index 0000000..8f7e63a
--- /dev/null
+++ b/modules/clients/src/test/keystore/ca/twoindex.txt.attr
@@ -0,0 +1 @@
+unique_subject = yes

http://git-wip-us.apache.org/repos/asf/ignite/blob/02801f8f/modules/clients/src/test/keystore/ca/twoserial
----------------------------------------------------------------------
diff --git a/modules/clients/src/test/keystore/ca/twoserial b/modules/clients/src/test/keystore/ca/twoserial
new file mode 100644
index 0000000..75016ea
--- /dev/null
+++ b/modules/clients/src/test/keystore/ca/twoserial
@@ -0,0 +1 @@
+03

http://git-wip-us.apache.org/repos/asf/ignite/blob/02801f8f/modules/core/src/main/java/org/apache/ignite/spi/discovery/tcp/ServerImpl.java
----------------------------------------------------------------------
diff --git a/modules/core/src/main/java/org/apache/ignite/spi/discovery/tcp/ServerImpl.java b/modules/core/src/main/java/org/apache/ignite/spi/discovery/tcp/ServerImpl.java
index ca7dd4d..5d7e39e 100644
--- a/modules/core/src/main/java/org/apache/ignite/spi/discovery/tcp/ServerImpl.java
+++ b/modules/core/src/main/java/org/apache/ignite/spi/discovery/tcp/ServerImpl.java
@@ -57,6 +57,7 @@ import java.util.concurrent.LinkedBlockingQueue;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.atomic.AtomicReference;
 import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLServerSocket;
 import javax.net.ssl.SSLSocket;
 import org.apache.ignite.Ignite;
 import org.apache.ignite.IgniteCheckedException;
@@ -5578,8 +5579,14 @@ class ServerImpl extends TcpDiscoveryImpl {
 
             for (port = spi.locPort; port <= lastPort; port++) {
                 try {
-                    if (spi.isSslEnabled())
-                        srvrSock = spi.sslSrvSockFactory.createServerSocket(port, 0, spi.locHost);
+                    if (spi.isSslEnabled()) {
+                        SSLServerSocket sslSock = (SSLServerSocket)spi.sslSrvSockFactory
+                            .createServerSocket(port, 0, spi.locHost);
+
+                        sslSock.setNeedClientAuth(true);
+
+                        srvrSock = sslSock;
+                    }
                     else
                         srvrSock = new ServerSocket(port, 0, spi.locHost);
 
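Review bot: `sslSock.setNeedClientAuth(true)` only forces the joining node to present a certificate that the context's trust managers accept, so a context built with trust managers that accept any chain still authenticates nobody; a comment on that line should say so, e.g. `// Peer must present a certificate; effective only if the trust store is limited to the cluster CA.` The cast `(SSLServerSocket)spi.sslSrvSockFactory.createServerSocket(...)` is unchecked, and a factory returning a plain `ServerSocket` would raise a ClassCastException; the catch clauses of the enclosing `try` are outside the hunk, so it is not visible whether that is handled. The requirement is also unconditional, which may matter for SSL-enabled clusters that are upgraded node by node.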

http://git-wip-us.apache.org/repos/asf/ignite/blob/02801f8f/modules/core/src/test/config/tests.properties
----------------------------------------------------------------------
diff --git a/modules/core/src/test/config/tests.properties b/modules/core/src/test/config/tests.properties
index 3275c3c..1ea5b3d 100644
--- a/modules/core/src/test/config/tests.properties
+++ b/modules/core/src/test/config/tests.properties
@@ -135,6 +135,14 @@ ssh.password=passwd
 ssl.keystore.path=@{IGNITE_HOME}/modules/clients/src/test/keystore/server.jks
 ssl.keystore.password=123456
 
+# node01 signed with trust-one, node02 and node03 by trust-two, trust-both contains both CAs
+ssl.keystore.node01.path=@{IGNITE_HOME}/modules/clients/src/test/keystore/ca/node01.jks
+ssl.keystore.node02.path=@{IGNITE_HOME}/modules/clients/src/test/keystore/ca/node02.jks
+ssl.keystore.node03.path=@{IGNITE_HOME}/modules/clients/src/test/keystore/ca/node03.jks
+ssl.keystore.trustone.path=@{IGNITE_HOME}/modules/clients/src/test/keystore/ca/trust-one.jks
+ssl.keystore.trusttwo.path=@{IGNITE_HOME}/modules/clients/src/test/keystore/ca/trust-two.jks
+ssl.keystore.trustboth.path=@{IGNITE_HOME}/modules/clients/src/test/keystore/ca/trust-both.jks
+
 # Hadoop home directory.
 hadoop.home=@{HADOOP_HOME}
 

http://git-wip-us.apache.org/repos/asf/ignite/blob/02801f8f/modules/core/src/test/java/org/apache/ignite/spi/discovery/tcp/TcpDiscoverySslTrustedSelfTest.java
----------------------------------------------------------------------
diff --git a/modules/core/src/test/java/org/apache/ignite/spi/discovery/tcp/TcpDiscoverySslTrustedSelfTest.java b/modules/core/src/test/java/org/apache/ignite/spi/discovery/tcp/TcpDiscoverySslTrustedSelfTest.java
new file mode 100644
index 0000000..56567f9
--- /dev/null
+++ b/modules/core/src/test/java/org/apache/ignite/spi/discovery/tcp/TcpDiscoverySslTrustedSelfTest.java
@@ -0,0 +1,42 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ignite.spi.discovery.tcp;
+
+import org.apache.ignite.configuration.IgniteConfiguration;
+import org.apache.ignite.testframework.GridTestUtils;
+
+/**
+ * Test for {@link TcpDiscoverySpi} with SSL.
+ */
+public class TcpDiscoverySslTrustedSelfTest extends TcpDiscoverySelfTest {
+    /**
+     * @throws Exception If fails.
+     */
+    public TcpDiscoverySslTrustedSelfTest() throws Exception {
+        super();
+    }
+
+    /** {@inheritDoc} */
+    @Override protected IgniteConfiguration getConfiguration(String igniteInstanceName) throws Exception {
+        IgniteConfiguration cfg = super.getConfiguration(igniteInstanceName);
+
+        cfg.setSslContextFactory(GridTestUtils.sslTrustedFactory("node02", "trustboth"));
+
+        return cfg;
+    }
+}
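Review bot: The class Javadoc `Test for {@link TcpDiscoverySpi} with SSL.` does not say what sets this class apart from the existing SSL self-test. From `getConfiguration` it reruns the inherited cases with the CA-signed `node02` key store and the `trustboth` trust store, so I would write `Runs {@link TcpDiscoverySelfTest} over SSL with a CA-signed node key store and a trust store holding both test CAs.` Every node here uses the same key store, so this class covers only the accepting path.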

http://git-wip-us.apache.org/repos/asf/ignite/blob/02801f8f/modules/core/src/test/java/org/apache/ignite/spi/discovery/tcp/TcpDiscoverySslTrustedUntrustedTest.java
----------------------------------------------------------------------
diff --git a/modules/core/src/test/java/org/apache/ignite/spi/discovery/tcp/TcpDiscoverySslTrustedUntrustedTest.java b/modules/core/src/test/java/org/apache/ignite/spi/discovery/tcp/TcpDiscoverySslTrustedUntrustedTest.java
new file mode 100644
index 0000000..e1c6755
--- /dev/null
+++ b/modules/core/src/test/java/org/apache/ignite/spi/discovery/tcp/TcpDiscoverySslTrustedUntrustedTest.java
@@ -0,0 +1,140 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ignite.spi.discovery.tcp;
+
+import java.util.concurrent.Callable;
+import org.apache.ignite.IgniteCheckedException;
+import org.apache.ignite.configuration.IgniteConfiguration;
+import org.apache.ignite.testframework.GridTestUtils;
+import org.apache.ignite.testframework.junits.common.GridCommonAbstractTest;
+
+/**
+ * Tests cases when node connects to cluster with different SSL configuration.
+ * Exception with meaningful message should be thrown.
+ */
+public class TcpDiscoverySslTrustedUntrustedTest extends GridCommonAbstractTest {
+    /** */
+    private volatile String keyStore;
+    /** */
+    private volatile String trustStore;
+
+    /** {@inheritDoc} */
+    @Override protected IgniteConfiguration getConfiguration(String gridName) throws Exception {
+        IgniteConfiguration cfg = super.getConfiguration(gridName);
+
+        cfg.setSslContextFactory(GridTestUtils.sslTrustedFactory(keyStore, trustStore));
+
+        return cfg;
+    }
+
+    /** {@inheritDoc} */
+    @Override protected void afterTest() throws Exception {
+        stopAllGrids();
+    }
+
+    /**
+     * @throws Exception If failed.
+     */
+    public void testSameKey() throws Exception {
+        checkDiscoverySuccess("node01", "trustone", "node01", "trustone");
+    }
+
+    /**
+     * @throws Exception If failed.
+     */
+    public void testDifferentKeys() throws Exception {
+        checkDiscoverySuccess("node02", "trusttwo", "node03", "trusttwo");
+    }
+
+    /**
+     * @throws Exception If failed.
+     */
+    public void testBothTrusts() throws Exception {
+        checkDiscoverySuccess("node01", "trustboth", "node02", "trustboth", "node03", "trustboth");
+    }
+
+    /**
+     * @throws Exception If failed.
+     */
+    public void testDifferentCa() throws Exception {
+        checkDiscoveryFailure("node01", "trustone", "node02", "trusttwo");
+    }
+
+    /**
+     * @throws Exception If failed.
+     */
+    public void testWrongCa() throws Exception {
+        checkDiscoveryFailure("node02", "trustone", "node03", "trustone");
+    }
+
+    /**
+     * @throws Exception If failed.
+     */
+    public void testMismatchingCaSecond() throws Exception {
+        checkDiscoveryFailure("node01", "trustboth", "node03", "trusttwo");
+    }
+
+    /**
+     * @throws Exception If failed.
+     */
+    public void testMismatchingCaFirst() throws Exception {
+        checkDiscoveryFailure("node02", "trusttwo", "node01", "trustboth");
+    }
+
+    /**
+     * @param keysTrusts Pairs of key store, trust store.
+     * @throws Exception If failed.
+     */
+    private void checkDiscoverySuccess(String... keysTrusts) throws Exception {
+        if (keysTrusts.length % 2 != 0)
+            fail("Wrong parameters");
+
+        for (int i = 0; i < keysTrusts.length / 2; i++) {
+            keyStore = keysTrusts[2 * i];
+            trustStore = keysTrusts[2 * i + 1];
+
+            startGrid(i);
+        }
+    }
+
+    /**
+     * @param keyStoreOk Key store of first instance.
+     * @param trustStoreOk Trust store of first instance.
+     * @param keyStoreFail Key store of second (failing) instance.
+     * @param trustStoreFail Trust store of second (failing) instance.
+     * @throws Exception If failed.
+     */
+    private void checkDiscoveryFailure(String keyStoreOk, String trustStoreOk,
+        final String keyStoreFail, final String trustStoreFail) throws Exception {
+        keyStore = keyStoreOk;
+        trustStore = trustStoreOk;
+
+        startGrid(0);
+
+        GridTestUtils.assertThrows(null, new Callable<Object>() {
+            @Override public Object call() throws Exception {
+                keyStore = keyStoreFail;
+                trustStore = trustStoreFail;
+
+                startGrid(1);
+
+                return null;
+            }
+        }, IgniteCheckedException.class, "Unable to establish secure connection.");
+    }
+}
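Review bot: `checkDiscoverySuccess` only calls `startGrid(i)` and never asserts that the nodes ended up in one topology, so the success cases would still pass if a node could start without joining. Adding `assertEquals(keysTrusts.length / 2, grid(0).cluster().nodes().size());` after the loop would pin the intended result. Going by the CA layout described in tests.properties, only `testMismatchingCaFirst` appears to depend on the server rejecting the joining node's certificate, because in the other failure cases the joining node already distrusts the server. Its Javadoc should say that it is the case covering client authentication, so that it is not removed as a duplicate later.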

http://git-wip-us.apache.org/repos/asf/ignite/blob/02801f8f/modules/core/src/test/java/org/apache/ignite/testframework/GridTestUtils.java
----------------------------------------------------------------------
diff --git a/modules/core/src/test/java/org/apache/ignite/testframework/GridTestUtils.java b/modules/core/src/test/java/org/apache/ignite/testframework/GridTestUtils.java
index 585c759..abae97c 100644
--- a/modules/core/src/test/java/org/apache/ignite/testframework/GridTestUtils.java
+++ b/modules/core/src/test/java/org/apache/ignite/testframework/GridTestUtils.java
@@ -1700,6 +1700,26 @@ public final class GridTestUtils {
     }
 
     /**
+     * Creates test-purposed SSL context factory from specified key store and trust store.
+     *
+     * @param keyStore Key store name.
+     * @param trustStore Trust store name.
+     * @return SSL context factory used in test.
+     */
+    public static Factory<SSLContext> sslTrustedFactory(String keyStore, String trustStore) {
+        SslContextFactory factory = new SslContextFactory();
+
+        factory.setKeyStoreFilePath(U.resolveIgnitePath(GridTestProperties.getProperty(
+            "ssl.keystore." + keyStore + ".path")).getAbsolutePath());
+        factory.setKeyStorePassword(GridTestProperties.getProperty("ssl.keystore.password").toCharArray());
+        factory.setTrustStoreFilePath(U.resolveIgnitePath(GridTestProperties.getProperty(
+            "ssl.keystore." + trustStore + ".path")).getAbsolutePath());
+        factory.setTrustStorePassword(GridTestProperties.getProperty("ssl.keystore.password").toCharArray());
+
+        return factory;
+    }
+
+    /**
      * @param o1 Object 1.
      * @param o2 Object 2.
      * @return Equals or not.
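Review bot: `sslTrustedFactory` uses the result of `GridTestProperties.getProperty(...)` without a check, so a mistyped store name presumably surfaces as a NullPointerException rather than a message naming the missing `ssl.keystore.<name>.path` key. A guard such as `if (path == null) throw new IllegalArgumentException("No test property ssl.keystore." + keyStore + ".path");` before resolving would make failures readable. The Javadoc should also say that `keyStore` and `trustStore` are the name fragments used in those property keys (for example `node01`, `trustboth`), not file names, and that both stores are opened with the shared `ssl.keystore.password`. The method is complete within the hunk; the Javadoc that follows it belongs to the next method.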

http://git-wip-us.apache.org/repos/asf/ignite/blob/02801f8f/modules/core/src/test/java/org/apache/ignite/testsuites/IgniteSpiDiscoverySelfTestSuite.java
----------------------------------------------------------------------
diff --git a/modules/core/src/test/java/org/apache/ignite/testsuites/IgniteSpiDiscoverySelfTestSuite.java b/modules/core/src/test/java/org/apache/ignite/testsuites/IgniteSpiDiscoverySelfTestSuite.java
index c506ca7..3335797 100644
--- a/modules/core/src/test/java/org/apache/ignite/testsuites/IgniteSpiDiscoverySelfTestSuite.java
+++ b/modules/core/src/test/java/org/apache/ignite/testsuites/IgniteSpiDiscoverySelfTestSuite.java
@@ -40,6 +40,8 @@ import org.apache.ignite.spi.discovery.tcp.TcpDiscoverySpiSelfTest;
 import org.apache.ignite.spi.discovery.tcp.TcpDiscoverySpiStartStopSelfTest;
 import org.apache.ignite.spi.discovery.tcp.TcpDiscoverySslSecuredUnsecuredTest;
 import org.apache.ignite.spi.discovery.tcp.TcpDiscoverySslSelfTest;
+import org.apache.ignite.spi.discovery.tcp.TcpDiscoverySslTrustedSelfTest;
+import org.apache.ignite.spi.discovery.tcp.TcpDiscoverySslTrustedUntrustedTest;
 import org.apache.ignite.spi.discovery.tcp.ipfinder.jdbc.TcpDiscoveryJdbcIpFinderSelfTest;
 import org.apache.ignite.spi.discovery.tcp.ipfinder.multicast.TcpDiscoveryMulticastIpFinderSelfTest;
 import org.apache.ignite.spi.discovery.tcp.ipfinder.sharedfs.TcpDiscoverySharedFsIpFinderSelfTest;
@@ -98,7 +100,9 @@ public class IgniteSpiDiscoverySelfTestSuite extends TestSuite {
 
         // SSL.
         suite.addTest(new TestSuite(TcpDiscoverySslSelfTest.class));
+        suite.addTest(new TestSuite(TcpDiscoverySslTrustedSelfTest.class));
         suite.addTest(new TestSuite(TcpDiscoverySslSecuredUnsecuredTest.class));
+        suite.addTest(new TestSuite(TcpDiscoverySslTrustedUntrustedTest.class));
 
         return suite;
     }