You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2018/02/19 12:51:14 UTC
[GitHub] maskit closed pull request #1245: Refactor SecurityUtility class
maskit closed pull request #1245: Refactor SecurityUtility class
URL: https://github.com/apache/incubator-pulsar/pull/1245
This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:
As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):
diff --git a/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java b/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java
index 5e1a1390b..26f97bbcb 100644
--- a/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java
+++ b/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java
@@ -28,8 +28,11 @@
import java.security.KeyFactory;
import java.security.KeyManagementException;
import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.SecureRandom;
+import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
@@ -37,7 +40,6 @@
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.Collection;
-import java.util.List;
import java.util.Set;
import javax.net.ssl.KeyManager;
@@ -60,7 +62,7 @@ public static SSLContext createSslContext(boolean allowInsecureConnection, Certi
}
public static SslContext createNettySslContextForClient(boolean allowInsecureConnection, String trustCertsFilePath)
- throws GeneralSecurityException, SSLException, FileNotFoundException {
+ throws GeneralSecurityException, SSLException, FileNotFoundException, IOException {
return createNettySslContextForClient(allowInsecureConnection, trustCertsFilePath, (Certificate[]) null,
(PrivateKey) null);
}
@@ -75,7 +77,7 @@ public static SSLContext createSslContext(boolean allowInsecureConnection, Strin
public static SslContext createNettySslContextForClient(boolean allowInsecureConnection, String trustCertsFilePath,
String certFilePath, String keyFilePath)
- throws GeneralSecurityException, SSLException, FileNotFoundException {
+ throws GeneralSecurityException, SSLException, FileNotFoundException, IOException {
X509Certificate[] certificates = loadCertificatesFromPemFile(certFilePath);
PrivateKey privateKey = loadPrivateKeyFromPemFile(keyFilePath);
return createNettySslContextForClient(allowInsecureConnection, trustCertsFilePath, certificates, privateKey);
@@ -83,46 +85,25 @@ public static SslContext createNettySslContextForClient(boolean allowInsecureCon
public static SslContext createNettySslContextForClient(boolean allowInsecureConnection, String trustCertsFilePath,
Certificate[] certificates, PrivateKey privateKey)
- throws GeneralSecurityException, SSLException, FileNotFoundException {
+ throws GeneralSecurityException, SSLException, FileNotFoundException, IOException {
SslContextBuilder builder = SslContextBuilder.forClient();
- if (allowInsecureConnection) {
- builder.trustManager(InsecureTrustManagerFactory.INSTANCE);
- } else {
- if (trustCertsFilePath != null && trustCertsFilePath.length() != 0) {
- builder.trustManager(new FileInputStream(trustCertsFilePath));
- }
- }
- builder.keyManager(privateKey, (X509Certificate[]) certificates);
+ setupTrustCerts(builder, allowInsecureConnection, trustCertsFilePath);
+ setupKeyManager(builder, privateKey, (X509Certificate[]) certificates);
return builder.build();
}
public static SslContext createNettySslContextForServer(boolean allowInsecureConnection, String trustCertsFilePath,
String certFilePath, String keyFilePath, Set<String> ciphers, Set<String> protocols)
- throws GeneralSecurityException, SSLException, FileNotFoundException {
+ throws GeneralSecurityException, SSLException, FileNotFoundException, IOException {
X509Certificate[] certificates = loadCertificatesFromPemFile(certFilePath);
PrivateKey privateKey = loadPrivateKeyFromPemFile(keyFilePath);
SslContextBuilder builder = SslContextBuilder.forServer(privateKey, (X509Certificate[]) certificates);
- if (ciphers != null && ciphers.size() > 0) {
- builder.ciphers(ciphers);
- }
-
- if (protocols != null && protocols.size() > 0) {
- String[] protocolsArray = new String[protocols.size()];
- builder.protocols(protocols.toArray(protocolsArray));
- }
-
- if (allowInsecureConnection) {
- builder.trustManager(InsecureTrustManagerFactory.INSTANCE);
- } else {
- if (trustCertsFilePath != null && trustCertsFilePath.length() != 0) {
- builder.trustManager(new FileInputStream(trustCertsFilePath));
- } else {
- builder.trustManager((File) null);
- }
- }
- builder.keyManager(privateKey, (X509Certificate[]) certificates);
- builder.clientAuth(ClientAuth.OPTIONAL);
+ setupCiphers(builder, ciphers);
+ setupProtocols(builder, protocols);
+ setupTrustCerts(builder, allowInsecureConnection, trustCertsFilePath);
+ setupKeyManager(builder, privateKey, certificates);
+ setupClientAuthentication(builder);
return builder.build();
}
@@ -132,7 +113,30 @@ public static SSLContext createSslContext(boolean allowInsecureConnection, Certi
TrustManager[] trustManagers = null;
KeyManager[] keyManagers = null;
- // Set trusted certificate
+ trustManagers = setupTrustCerts(ksh, allowInsecureConnection, trustCertficates);
+ keyManagers = setupKeyManager(ksh, privateKey, certificates);
+
+ SSLContext sslCtx = SSLContext.getInstance("TLS");
+ sslCtx.init(keyManagers, trustManagers, new SecureRandom());
+ sslCtx.getDefaultSSLParameters();
+ return sslCtx;
+ }
+
+ private static KeyManager[] setupKeyManager(KeyStoreHolder ksh, PrivateKey privateKey, Certificate[] certificates)
+ throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException {
+ KeyManager[] keyManagers = null;
+ if (certificates != null && privateKey != null) {
+ ksh.setPrivateKey("private", privateKey, certificates);
+ KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+ kmf.init(ksh.getKeyStore(), "".toCharArray());
+ keyManagers = kmf.getKeyManagers();
+ }
+ return keyManagers;
+ }
+
+ private static TrustManager[] setupTrustCerts(KeyStoreHolder ksh, boolean allowInsecureConnection,
+ Certificate[] trustCertficates) throws NoSuchAlgorithmException, KeyStoreException {
+ TrustManager[] trustManagers;
if (allowInsecureConnection) {
trustManagers = InsecureTrustManagerFactory.INSTANCE.getTrustManagers();
} else {
@@ -149,18 +153,7 @@ public static SSLContext createSslContext(boolean allowInsecureConnection, Certi
trustManagers = tmf.getTrustManagers();
}
-
- // Set private key and certificate
- if (certificates != null && privateKey != null) {
- ksh.setPrivateKey("private", privateKey, certificates);
- KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
- kmf.init(ksh.getKeyStore(), "".toCharArray());
- keyManagers = kmf.getKeyManagers();
- }
-
- SSLContext sslCtx = SSLContext.getInstance("TLS");
- sslCtx.init(keyManagers, trustManagers, new SecureRandom());
- return sslCtx;
+ return trustManagers;
}
public static X509Certificate[] loadCertificatesFromPemFile(String certFilePath) throws KeyManagementException {
@@ -211,4 +204,39 @@ public static PrivateKey loadPrivateKeyFromPemFile(String keyFilePath) throws Ke
return privateKey;
}
+ private static void setupTrustCerts(SslContextBuilder builder, boolean allowInsecureConnection,
+ String trustCertsFilePath) throws IOException, FileNotFoundException {
+ if (allowInsecureConnection) {
+ builder.trustManager(InsecureTrustManagerFactory.INSTANCE);
+ } else {
+ if (trustCertsFilePath != null && trustCertsFilePath.length() != 0) {
+ try (FileInputStream input = new FileInputStream(trustCertsFilePath)) {
+ builder.trustManager(input);
+ }
+ } else {
+ builder.trustManager((File) null);
+ }
+ }
+ }
+
+ private static void setupKeyManager(SslContextBuilder builder, PrivateKey privateKey,
+ X509Certificate[] certificates) {
+ builder.keyManager(privateKey, (X509Certificate[]) certificates);
+ }
+
+ private static void setupCiphers(SslContextBuilder builder, Set<String> ciphers) {
+ if (ciphers != null && ciphers.size() > 0) {
+ builder.ciphers(ciphers);
+ }
+ }
+
+ private static void setupProtocols(SslContextBuilder builder, Set<String> protocols) {
+ if (protocols != null && protocols.size() > 0) {
+ builder.protocols(protocols.toArray(new String[protocols.size()]));
+ }
+ }
+
+ private static void setupClientAuthentication(SslContextBuilder builder) {
+ builder.clientAuth(ClientAuth.OPTIONAL);
+ }
}
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services