Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2020/04/18 03:33:09 UTC

[GitHub] [pulsar] rdhabalia opened a new pull request #6760: [pulsar-client] Add support to load tls certs/key dynamically from inputstream

rdhabalia opened a new pull request #6760: [pulsar-client] Add support to load tls certs/key dynamically from inputstream
URL: https://github.com/apache/pulsar/pull/6760
 
 
   ### Motivation
   Right now, Pulsar-client provides tls authentication support and the default TLS provider `AuthenticationTls` expects file paths of the cert and key files. However, there are use cases where it will be difficult for user-applications to store certs/key files locally for tls authentication.
   e.g.:
   1. Applications running on docker or K8s containers will not have certs at a defined location and the app uses KMS or various key-vault systems whose API returns streams of certs.
   2. Operationally hard to manage key rotation in containers
   3. Need to avoid storing key/trust store files on the file system for stronger security
   
   Therefore, it's good to have a mechanism in the default `AuthenticationTls` provider to read certs from memory/stream without storing certs on the file-system.
   
   ### Modification
   Add Stream support in `AuthenticationTls` to provide X509Certs and PrivateKey, which also performs auto-refresh when the stream changes in a given provider.
   ```java
   AuthenticationTls auth = new AuthenticationTls(certStreamProvider, keyStreamProvider);
   ```
   It will also address: #5241

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services
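The PR description above explains the idea (parse X.509 certs and a private key from an InputStream handed out by a provider, and re-parse when the provider's content changes) without showing the parsing or the refresh logic. The following is an added example written for this page, not Pulsar's own code or the code in PR #6760: `StreamTlsMaterialExample`, `RefreshingPrivateKey` and the `Supplier<InputStream>` provider type are assumptions, and the "vault" is a constructed in-memory stand-in for a KMS client. It assumes Java 11+ (for `InputStream.readAllBytes`) and only the JDK's standard providers; the certificate path is included but not exercised in `main`, because no sample certificate is embedded.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.Collection;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Supplier;

/**
 * Added example, not Pulsar's code: load TLS material from an InputStream provider
 * (e.g. a KMS / key-vault client) instead of a file path, and re-parse it only when the
 * bytes the provider hands back have changed. Requires Java 11+ (readAllBytes).
 */
public final class StreamTlsMaterialExample {

    /** Parses every CERTIFICATE block in a PEM stream. Does not close the stream: the caller owns it. */
    static X509Certificate[] certificatesFromPem(InputStream in) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> certs = cf.generateCertificates(in);
        return certs.stream().map(X509Certificate.class::cast).toArray(X509Certificate[]::new);
    }

    /** Parses one unencrypted PKCS#8 ("BEGIN PRIVATE KEY") PEM block. Does not close the stream. */
    static PrivateKey privateKeyFromPem(InputStream in, String algorithm)
            throws IOException, GeneralSecurityException {
        String pem = new String(in.readAllBytes(), StandardCharsets.US_ASCII);
        if (!pem.contains("-----BEGIN PRIVATE KEY-----")) {
            // PKCS#1 ("BEGIN RSA PRIVATE KEY") and encrypted keys need a different parser: fail loudly.
            throw new GeneralSecurityException("expected an unencrypted PKCS#8 PEM private key");
        }
        String base64 = pem.replace("-----BEGIN PRIVATE KEY-----", "")
                           .replace("-----END PRIVATE KEY-----", "")
                           .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(base64);
        return KeyFactory.getInstance(algorithm).generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    /**
     * Re-reads the provider on every get() but re-parses the key only when the bytes differ,
     * so a key rotated in the vault takes effect without restarting the client.
     */
    static final class RefreshingPrivateKey {
        private final Supplier<InputStream> provider;
        private final String algorithm;
        private byte[] lastDigest = new byte[0];
        private PrivateKey current;

        RefreshingPrivateKey(Supplier<InputStream> provider, String algorithm) {
            this.provider = provider;
            this.algorithm = algorithm;
        }

        synchronized PrivateKey get() throws IOException, GeneralSecurityException {
            byte[] bytes;
            try (InputStream in = provider.get()) { // the provider's stream is closed here, exactly once
                bytes = in.readAllBytes();
            }
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(bytes);
            if (current == null || !MessageDigest.isEqual(digest, lastDigest)) {
                current = privateKeyFromPem(new ByteArrayInputStream(bytes), algorithm);
                lastDigest = digest;
            }
            return current;
        }
    }

    /** Encodes a key as PKCS#8 PEM; used here only to build the constructed sample input. */
    static byte[] toPkcs8Pem(PrivateKey key) {
        String body = Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII))
                            .encodeToString(key.getEncoded());
        return ("-----BEGIN PRIVATE KEY-----\n" + body + "\n-----END PRIVATE KEY-----\n")
                .getBytes(StandardCharsets.US_ASCII);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: two freshly generated RSA keys stand in for the vault's before/after.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair first = gen.generateKeyPair();
        KeyPair rotated = gen.generateKeyPair();

        AtomicReference<byte[]> vault = new AtomicReference<>(toPkcs8Pem(first.getPrivate()));
        RefreshingPrivateKey key =
                new RefreshingPrivateKey(() -> new ByteArrayInputStream(vault.get()), "RSA");

        System.out.println("initial key matches: " + key.get().equals(first.getPrivate()));
        System.out.println("unchanged bytes reuse parsed key: " + (key.get() == key.get()));

        vault.set(toPkcs8Pem(rotated.getPrivate())); // simulate rotation in the key vault
        System.out.println("rotated key picked up: " + key.get().equals(rotated.getPrivate()));
    }
}
```

Two design points worth noting: the parsers never close the stream they are given, so stream ownership stays with whoever obtained it from the provider (here the try-with-resources in `get()`), which is the question the `bufferReader` TODO in the reviewed hunk leaves open; and the change check compares a digest rather than the raw bytes so the previous secret does not need to be kept in memory beyond the parsed key object.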

[GitHub] [pulsar] jiazhai commented on a change in pull request #6760: [pulsar-client] Add support to load tls certs/key dynamically from inputstream

Posted by GitBox <gi...@apache.org>.
jiazhai commented on a change in pull request #6760: [pulsar-client] Add support to load tls certs/key dynamically from inputstream
URL: https://github.com/apache/pulsar/pull/6760#discussion_r410696679
 
 

 ##########
 File path: pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java
 ##########
 @@ -238,24 +240,53 @@ public static SSLContext createSslContext(boolean allowInsecureConnection, Certi
         }
 
         try (FileInputStream input = new FileInputStream(certFilePath)) {
-            CertificateFactory cf = CertificateFactory.getInstance("X.509");
-            Collection<X509Certificate> collection = (Collection<X509Certificate>) cf.generateCertificates(input);
-            certificates = collection.toArray(new X509Certificate[collection.size()]);
+            certificates = loadCertificatesFromPemStream(input);
         } catch (GeneralSecurityException | IOException e) {
             throw new KeyManagementException("Certificate loading error", e);
         }
 
         return certificates;
     }
 
+    public static X509Certificate[] loadCertificatesFromPemStream(InputStream inStream) throws KeyManagementException  {
+        if (inStream == null) {
+            return null;
+        }
+        CertificateFactory cf;
+        try {
+            cf = CertificateFactory.getInstance("X.509");
+            Collection<X509Certificate> collection = (Collection<X509Certificate>) cf.generateCertificates(inStream);
+            return collection.toArray(new X509Certificate[collection.size()]);
+        } catch (CertificateException e) {
+            throw new KeyManagementException("Certificate loading error", e);
+        }
+    }
+
     public static PrivateKey loadPrivateKeyFromPemFile(String keyFilePath) throws KeyManagementException {
         PrivateKey privateKey = null;
 
         if (keyFilePath == null || keyFilePath.isEmpty()) {
             return privateKey;
         }
 
-        try (BufferedReader reader = new BufferedReader(new FileReader(keyFilePath))) {
+        try (FileInputStream input = new FileInputStream(keyFilePath)) {
+            privateKey = loadPrivateKeyFromPemStream(input);
+        } catch (IOException e) {
+            throw new KeyManagementException("Private key loading error", e);
+        }
+
+        return privateKey;
+    }
+
+    public static PrivateKey loadPrivateKeyFromPemStream(InputStream inStream) throws KeyManagementException {
+        PrivateKey privateKey = null;
+
+        if (inStream == null) {
+            return privateKey;
+        }
+
+        //TODO: check if bufferReader should be closed or not
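Review bot: the `//TODO: check if bufferReader should be closed or not` at the top of the new `loadPrivateKeyFromPemStream` should be resolved in this change rather than shipped: the removed `try (BufferedReader reader = new BufferedReader(new FileReader(keyFilePath)))` closed its reader via try-with-resources, and in the new layout `loadPrivateKeyFromPemFile` already closes its `FileInputStream` in its own try-with-resources, so the stream variant should not close a reader wrapped around the caller's `InputStream` (that would close the caller's stream) and should say so in Javadoc. Related, both new public methods (`loadCertificatesFromPemStream`, `loadPrivateKeyFromPemStream`) lack Javadoc, including the contract that a `null` stream yields a `null` result, which callers now need to handle.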
 
 Review comment:
   This could be removed?
