Posted to commits@geode.apache.org by sa...@apache.org on 2018/08/07 00:22:13 UTC
[geode] branch feature/GEODE-5338 updated: reworked on the property
to ssl-use-default-sslcontext
This is an automated email from the ASF dual-hosted git repository.
sai_boorlagadda pushed a commit to branch feature/GEODE-5338
in repository https://gitbox.apache.org/repos/asf/geode.git
The following commit(s) were added to refs/heads/feature/GEODE-5338 by this push:
new 51213ca reworked on the property to ssl-use-default-sslcontext
51213ca is described below
commit 51213ca416d52d0631d02791059cbf96c275d634
Author: Sai Boorlagadda <sb...@pivotal.io>
AuthorDate: Mon Aug 6 17:21:21 2018 -0700
Reworked the property to ssl-use-default-sslcontext
Signed-off-by: Jens Deppe <jd...@pivotal.io>
---
.../internal/CustomSSLProviderDistributedTest.java | 4 +-
.../geode/distributed/ConfigurationProperties.java | 10 +-
.../internal/AbstractDistributionConfig.java | 6 +-
.../distributed/internal/DistributionConfig.java | 14 +-
.../internal/DistributionConfigImpl.java | 8 +-
.../org/apache/geode/internal/admin/SSLConfig.java | 10 +-
.../internal/net/SSLConfigurationFactory.java | 2 +-
.../apache/geode/internal/net/SocketCreator.java | 165 ++++++++++-----------
8 files changed, 105 insertions(+), 114 deletions(-)
diff --git a/geode-core/src/distributedTest/java/org/apache/geode/cache/client/internal/CustomSSLProviderDistributedTest.java b/geode-core/src/distributedTest/java/org/apache/geode/cache/client/internal/CustomSSLProviderDistributedTest.java
index 3ac6a6f..4c2748d 100644
--- a/geode-core/src/distributedTest/java/org/apache/geode/cache/client/internal/CustomSSLProviderDistributedTest.java
+++ b/geode-core/src/distributedTest/java/org/apache/geode/cache/client/internal/CustomSSLProviderDistributedTest.java
@@ -25,7 +25,7 @@ import static org.apache.geode.distributed.ConfigurationProperties.SSL_REQUIRE_A
import static org.apache.geode.distributed.ConfigurationProperties.SSL_TRUSTSTORE;
import static org.apache.geode.distributed.ConfigurationProperties.SSL_TRUSTSTORE_PASSWORD;
import static org.apache.geode.distributed.ConfigurationProperties.SSL_TRUSTSTORE_TYPE;
-import static org.apache.geode.distributed.ConfigurationProperties.SSL_USE_DEFAULT_PROVIDER;
+import static org.apache.geode.distributed.ConfigurationProperties.SSL_USE_DEFAULT_SSLCONTEXT;
import static org.assertj.core.api.Assertions.assertThat;
import java.security.Security;
@@ -91,7 +91,7 @@ public class CustomSSLProviderDistributedTest {
{
setProperty(SSL_ENABLED_COMPONENTS, SecurableCommunicationChannels.SERVER);
setProperty(SSL_REQUIRE_AUTHENTICATION, String.valueOf("true"));
- setProperty(SSL_USE_DEFAULT_PROVIDER, String.valueOf("true"));
+ setProperty(SSL_USE_DEFAULT_SSLCONTEXT, String.valueOf("true"));
}
};
diff --git a/geode-core/src/main/java/org/apache/geode/distributed/ConfigurationProperties.java b/geode-core/src/main/java/org/apache/geode/distributed/ConfigurationProperties.java
index 7e6d66b..6fa8ee9 100644
--- a/geode-core/src/main/java/org/apache/geode/distributed/ConfigurationProperties.java
+++ b/geode-core/src/main/java/org/apache/geode/distributed/ConfigurationProperties.java
@@ -1931,17 +1931,17 @@ public interface ConfigurationProperties {
String DISTRIBUTED_TRANSACTIONS = "distributed-transactions";
/**
- * The static String definition of the <i>"ssl-use-default-provider"</i> property
+ * The static String definition of the <i>"ssl-use-default-sslcontext"</i> property
*
- * <U>Description</U>If true allows clients to provide a custom java.security.Provider. When using
- * this clients do not need to configure other ssl properties except ssl-enabled-components and
- * ssl-require-authentication.
+ * <U>Description</U>If true allows users to use the default SSLContext. When using
+ * default SSLContext, users do not need to configure other ssl properties except
+ * ssl-enabled-components and ssl-require-authentication.
* </p>
* <U>Default</U>: "false"
* </p>
* <U>Since</U>: Geode 1.8
*/
- String SSL_USE_DEFAULT_PROVIDER = "ssl-use-default-provider";
+ String SSL_USE_DEFAULT_SSLCONTEXT = "ssl-use-default-sslcontext";
/**
* The static String definition of the <i>"ssl-enabled-components"</i> property <a
* name="ssl-enabled-components"/a>
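Review bot: The new Javadoc on `SSL_USE_DEFAULT_SSLCONTEXT` tells users they need no other ssl properties but not where the default SSLContext then obtains its key and trust material, which is exactly what an operator must know before enabling it. `SSLContext.getDefault()` is built by the JVM's highest-priority JSSE provider, normally from the `javax.net.ssl.keyStore`/`javax.net.ssl.trustStore` system properties or from a custom `java.security.Provider` installed ahead of it, and the SocketCreator hunk returns that context before any ssl-keystore/ssl-truststore settings are read. I would add one sentence to the Description stating that on this path the configured key/trust stores and passwords are not used and the context comes from the JVM's JSSE configuration, and mirror it in the message string of the AbstractDistributionConfig hunk.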
diff --git a/geode-core/src/main/java/org/apache/geode/distributed/internal/AbstractDistributionConfig.java b/geode-core/src/main/java/org/apache/geode/distributed/internal/AbstractDistributionConfig.java
index 1ac427d..da0d0ea 100644
--- a/geode-core/src/main/java/org/apache/geode/distributed/internal/AbstractDistributionConfig.java
+++ b/geode-core/src/main/java/org/apache/geode/distributed/internal/AbstractDistributionConfig.java
@@ -160,7 +160,7 @@ import static org.apache.geode.distributed.ConfigurationProperties.SSL_SERVER_AL
import static org.apache.geode.distributed.ConfigurationProperties.SSL_TRUSTSTORE;
import static org.apache.geode.distributed.ConfigurationProperties.SSL_TRUSTSTORE_PASSWORD;
import static org.apache.geode.distributed.ConfigurationProperties.SSL_TRUSTSTORE_TYPE;
-import static org.apache.geode.distributed.ConfigurationProperties.SSL_USE_DEFAULT_PROVIDER;
+import static org.apache.geode.distributed.ConfigurationProperties.SSL_USE_DEFAULT_SSLCONTEXT;
import static org.apache.geode.distributed.ConfigurationProperties.SSL_WEB_ALIAS;
import static org.apache.geode.distributed.ConfigurationProperties.SSL_WEB_SERVICE_REQUIRE_AUTHENTICATION;
import static org.apache.geode.distributed.ConfigurationProperties.START_DEV_REST_API;
@@ -1361,8 +1361,8 @@ public abstract class AbstractDistributionConfig extends AbstractConfig
m.put(SECURITY_POST_PROCESSOR,
"User defined fully qualified class name implementing PostProcessor interface for integrated security. Defaults to \"{0}\". Legal values can be any \"class name\" implementing PostProcessor that is present in the classpath.");
- m.put(SSL_USE_DEFAULT_PROVIDER,
- "If true allows clients to provide a custom java.security.Provider. When using this clients do not need to configure other ssl properties except ssl-enabled-components and ssl-require-authentication.");
+ m.put(SSL_USE_DEFAULT_SSLCONTEXT,
+ "If true allows users to use the default SSLContext. When using default SSLContext, users do not need to configure other ssl properties except ssl-enabled-components and ssl-require-authentication.");
m.put(SSL_ENABLED_COMPONENTS,
"A comma delimited list of components that require SSL communications");
diff --git a/geode-core/src/main/java/org/apache/geode/distributed/internal/DistributionConfig.java b/geode-core/src/main/java/org/apache/geode/distributed/internal/DistributionConfig.java
index ac4dc2e..0075d0a 100644
--- a/geode-core/src/main/java/org/apache/geode/distributed/internal/DistributionConfig.java
+++ b/geode-core/src/main/java/org/apache/geode/distributed/internal/DistributionConfig.java
@@ -161,7 +161,7 @@ import static org.apache.geode.distributed.ConfigurationProperties.SSL_SERVER_AL
import static org.apache.geode.distributed.ConfigurationProperties.SSL_TRUSTSTORE;
import static org.apache.geode.distributed.ConfigurationProperties.SSL_TRUSTSTORE_PASSWORD;
import static org.apache.geode.distributed.ConfigurationProperties.SSL_TRUSTSTORE_TYPE;
-import static org.apache.geode.distributed.ConfigurationProperties.SSL_USE_DEFAULT_PROVIDER;
+import static org.apache.geode.distributed.ConfigurationProperties.SSL_USE_DEFAULT_SSLCONTEXT;
import static org.apache.geode.distributed.ConfigurationProperties.SSL_WEB_ALIAS;
import static org.apache.geode.distributed.ConfigurationProperties.SSL_WEB_SERVICE_REQUIRE_AUTHENTICATION;
import static org.apache.geode.distributed.ConfigurationProperties.START_DEV_REST_API;
@@ -4911,21 +4911,21 @@ public interface DistributionConfig extends Config, LogConfig {
SecurableCommunicationChannel[] DEFAULT_SSL_ENABLED_COMPONENTS =
new SecurableCommunicationChannel[] {};
- boolean DEFAULT_SSL_USE_DEFAULT_PROVIDER = false;
+ boolean DEFAULT_SSL_USE_DEFAULT_SSLCONTEXT = false;
@ConfigAttribute(type = Boolean.class)
- String SSL_USE_DEFAULT_PROVIDER_NAME = SSL_USE_DEFAULT_PROVIDER;
+ String SSL_USE_DEFAULT_SSLCONTEXT_NAME = SSL_USE_DEFAULT_SSLCONTEXT;
/**
- * Returns the value of the {@link ConfigurationProperties#SSL_USE_DEFAULT_PROVIDER} property.
+ * Returns the value of the {@link ConfigurationProperties#SSL_USE_DEFAULT_SSLCONTEXT} property.
*/
- @ConfigAttributeGetter(name = SSL_USE_DEFAULT_PROVIDER)
+ @ConfigAttributeGetter(name = SSL_USE_DEFAULT_SSLCONTEXT)
boolean getSSLUseDefaultProvider();
/**
- * Sets the value of the {@link ConfigurationProperties#SSL_USE_DEFAULT_PROVIDER} property.
+ * Sets the value of the {@link ConfigurationProperties#SSL_USE_DEFAULT_SSLCONTEXT} property.
*/
- @ConfigAttributeSetter(name = SSL_USE_DEFAULT_PROVIDER)
+ @ConfigAttributeSetter(name = SSL_USE_DEFAULT_SSLCONTEXT)
void setSSLUseDefaultProvider(boolean useProvider);
/**
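Review bot: The accessors keep the old term while everything around them was renamed: `getSSLUseDefaultProvider()` and `setSSLUseDefaultProvider(boolean useProvider)` now sit under `@ConfigAttributeGetter(name = SSL_USE_DEFAULT_SSLCONTEXT)`, and the mismatch propagates to `this.sslUseDefaultSSLContext = other.getSSLUseDefaultProvider();` in the DistributionConfigImpl hunk and `sslConfig.setUseDefaultSSLContext(distributionConfig.getSSLUseDefaultProvider());` in the SSLConfigurationFactory hunk. Since the property is documented as new in 1.8 and the annotations carry the property name, renaming to `boolean getSSLUseDefaultSSLContext();` and `void setSSLUseDefaultSSLContext(boolean useDefaultSSLContext);` looks safe, unless something resolves these accessors by method name reflectively, which I cannot see from here. The two Javadoc comments should also say what the default SSLContext is (the JVM's JSSE default) rather than only linking the property.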
diff --git a/geode-core/src/main/java/org/apache/geode/distributed/internal/DistributionConfigImpl.java b/geode-core/src/main/java/org/apache/geode/distributed/internal/DistributionConfigImpl.java
index 3769fd7..9a32b40 100644
--- a/geode-core/src/main/java/org/apache/geode/distributed/internal/DistributionConfigImpl.java
+++ b/geode-core/src/main/java/org/apache/geode/distributed/internal/DistributionConfigImpl.java
@@ -606,7 +606,7 @@ public class DistributionConfigImpl extends AbstractDistributionConfig implement
private SecurableCommunicationChannel[] securableCommunicationChannels =
DEFAULT_SSL_ENABLED_COMPONENTS;
- private boolean sslUseDefaultProvider = DEFAULT_SSL_USE_DEFAULT_PROVIDER;
+ private boolean sslUseDefaultSSLContext = DEFAULT_SSL_USE_DEFAULT_SSLCONTEXT;
private String sslProtocols = DEFAULT_SSL_PROTOCOLS;
private String sslCiphers = DEFAULT_SSL_CIPHERS;
private boolean sslRequireAuthentication = DEFAULT_SSL_REQUIRE_AUTHENTICATION;
@@ -851,7 +851,7 @@ public class DistributionConfigImpl extends AbstractDistributionConfig implement
this.securableCommunicationChannels =
((DistributionConfigImpl) other).securableCommunicationChannels;
- this.sslUseDefaultProvider = other.getSSLUseDefaultProvider();
+ this.sslUseDefaultSSLContext = other.getSSLUseDefaultProvider();
this.sslCiphers = other.getSSLCiphers();
this.sslProtocols = other.getSSLProtocols();
this.sslRequireAuthentication = other.getSSLRequireAuthentication();
@@ -2772,13 +2772,13 @@ public class DistributionConfigImpl extends AbstractDistributionConfig implement
@Override
public boolean getSSLUseDefaultProvider() {
- return sslUseDefaultProvider;
+ return sslUseDefaultSSLContext;
}
@Override
public void setSSLUseDefaultProvider(final boolean useDefaultProvider) {
// This conversion is required due to backwards compatibility of the existing protocols code
- this.sslUseDefaultProvider = useDefaultProvider;
+ this.sslUseDefaultSSLContext = useDefaultProvider;
}
@Override
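Review bot: The comment kept above the renamed assignment in `setSSLUseDefaultProvider`, `// This conversion is required due to backwards compatibility of the existing protocols code`, describes a conversion that does not happen: the line below it is a plain `this.sslUseDefaultSSLContext = useDefaultProvider;`. It reads as copied from the protocols setter and should be deleted, or replaced with a comment the line actually supports. The parameter name `useDefaultProvider` also no longer matches the field; `useDefaultSSLContext` would read consistently with the rest of the rename.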
diff --git a/geode-core/src/main/java/org/apache/geode/internal/admin/SSLConfig.java b/geode-core/src/main/java/org/apache/geode/internal/admin/SSLConfig.java
index 42bc7fe..6198a44 100755
--- a/geode-core/src/main/java/org/apache/geode/internal/admin/SSLConfig.java
+++ b/geode-core/src/main/java/org/apache/geode/internal/admin/SSLConfig.java
@@ -32,7 +32,7 @@ import org.apache.geode.management.internal.SSLUtil;
*/
public class SSLConfig {
- private boolean useDefaultProvider = DistributionConfig.DEFAULT_SSL_USE_DEFAULT_PROVIDER;
+ private boolean useDefaultSSLContext = DistributionConfig.DEFAULT_SSL_USE_DEFAULT_SSLCONTEXT;
private boolean enabled = DistributionConfig.DEFAULT_SSL_ENABLED;
private String protocols = DistributionConfig.DEFAULT_SSL_PROTOCOLS;
private String ciphers = DistributionConfig.DEFAULT_SSL_CIPHERS;
@@ -110,12 +110,12 @@ public class SSLConfig {
this.enabled = enabled;
}
- public boolean isUseDefaultProvider() {
- return this.useDefaultProvider;
+ public boolean useDefaultSSLContext() {
+ return this.useDefaultSSLContext;
}
- public void setUseDefaultProvider(boolean useDefaultProvider) {
- this.useDefaultProvider = useDefaultProvider;
+ public void setUseDefaultSSLContext(boolean useDefaultSSLContext) {
+ this.useDefaultSSLContext = useDefaultSSLContext;
}
public String getProtocols() {
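Review bot: The new getter `useDefaultSSLContext()` drops the `is` prefix the old `isUseDefaultProvider()` had, so it reads like an action rather than a query, breaks the `getX`/`setX` convention of the accessors visible here (`getProtocols()`, `setUseDefaultSSLContext`), and shares its exact name with the field it returns. I would name it `public boolean isUseDefaultSSLContext()` and update the single caller in the SocketCreator hunk to `if (sslConfig.isUseDefaultSSLContext()) {`. A one-line Javadoc noting that when true the JVM default SSLContext is used and the keystore/truststore fields of this object are ignored would help, since that consequence is only visible in SocketCreator.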
diff --git a/geode-core/src/main/java/org/apache/geode/internal/net/SSLConfigurationFactory.java b/geode-core/src/main/java/org/apache/geode/internal/net/SSLConfigurationFactory.java
index 57b4fcf..6f43aca 100644
--- a/geode-core/src/main/java/org/apache/geode/internal/net/SSLConfigurationFactory.java
+++ b/geode-core/src/main/java/org/apache/geode/internal/net/SSLConfigurationFactory.java
@@ -178,7 +178,7 @@ public class SSLConfigurationFactory {
sslConfig.setProtocols(distributionConfig.getSSLProtocols());
sslConfig.setRequireAuth(distributionConfig.getSSLRequireAuthentication());
sslConfig.setAlias(distributionConfig.getSSLDefaultAlias());
- sslConfig.setUseDefaultProvider(distributionConfig.getSSLUseDefaultProvider());
+ sslConfig.setUseDefaultSSLContext(distributionConfig.getSSLUseDefaultProvider());
return sslConfig;
}
diff --git a/geode-core/src/main/java/org/apache/geode/internal/net/SocketCreator.java b/geode-core/src/main/java/org/apache/geode/internal/net/SocketCreator.java
index c33ab8a..db836fc 100755
--- a/geode-core/src/main/java/org/apache/geode/internal/net/SocketCreator.java
+++ b/geode-core/src/main/java/org/apache/geode/internal/net/SocketCreator.java
@@ -389,6 +389,10 @@ public class SocketCreator {
*/
private SSLContext createAndConfigureSSLContext() throws GeneralSecurityException, IOException {
+ if (sslConfig.useDefaultSSLContext()) {
+ return SSLContext.getDefault();
+ }
+
SSLContext newSSLContext = getSSLContextInstance();
KeyManager[] keyManagers = getKeyManagers();
TrustManager[] trustManagers = getTrustManagers();
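Review bot: The early `return SSLContext.getDefault();` silently discards any ssl-keystore/ssl-truststore (and password) settings the user also configured, because `getKeyManagers()` and `getTrustManagers()` are no longer reached on that path; an operator who sets both will believe their explicit stores are in use while the JVM's JSSE defaults actually are. I would at least log a warning in that branch when `sslConfig.getKeystore()` or `sslConfig.getTruststore()` is non-empty, or reject the combination during config validation, so the misconfiguration is visible. The method's Javadoc ends just above this hunk; it should gain a sentence saying that with ssl-use-default-sslcontext the key and trust material come from the JVM default context rather than from SSLConfig.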
@@ -473,112 +477,99 @@ public class SocketCreator {
private TrustManager[] getTrustManagers()
throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
- if (sslConfig.isUseDefaultProvider()) {
- TrustManagerFactory tmf =
- TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
- tmf.init((KeyStore) null);
- return tmf.getTrustManagers();
- } else {
- TrustManager[] trustManagers = null;
+ TrustManager[] trustManagers = null;
- String trustStoreType = sslConfig.getTruststoreType();
- if (StringUtils.isEmpty(trustStoreType)) {
- trustStoreType = KeyStore.getDefaultType();
- }
+ String trustStoreType = sslConfig.getTruststoreType();
+ if (StringUtils.isEmpty(trustStoreType)) {
+ trustStoreType = KeyStore.getDefaultType();
+ }
- KeyStore ts = KeyStore.getInstance(trustStoreType);
- String trustStorePath = sslConfig.getTruststore();
- FileInputStream fis = new FileInputStream(trustStorePath);
- String passwordString = sslConfig.getTruststorePassword();
- char[] password = null;
- if (passwordString != null) {
- if (passwordString.trim().equals("")) {
- if (!StringUtils.isEmpty(passwordString)) {
- String toDecrypt = "encrypted(" + passwordString + ")";
- passwordString = PasswordUtil.decrypt(toDecrypt);
- password = passwordString.toCharArray();
- }
- } else {
+ KeyStore ts = KeyStore.getInstance(trustStoreType);
+ String trustStorePath = sslConfig.getTruststore();
+ FileInputStream fis = new FileInputStream(trustStorePath);
+ String passwordString = sslConfig.getTruststorePassword();
+ char[] password = null;
+ if (passwordString != null) {
+ if (passwordString.trim().equals("")) {
+ if (!StringUtils.isEmpty(passwordString)) {
+ String toDecrypt = "encrypted(" + passwordString + ")";
+ passwordString = PasswordUtil.decrypt(toDecrypt);
password = passwordString.toCharArray();
}
+ } else {
+ password = passwordString.toCharArray();
}
- ts.load(fis, password);
-
- // default algorithm can be changed by setting property "ssl.TrustManagerFactory.algorithm" in
- // security properties
- TrustManagerFactory tmf =
- TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
- tmf.init(ts);
- trustManagers = tmf.getTrustManagers();
- // follow the security tip in java doc
- if (password != null) {
- java.util.Arrays.fill(password, ' ');
- }
- return trustManagers;
}
+ ts.load(fis, password);
+
+ // default algorithm can be changed by setting property "ssl.TrustManagerFactory.algorithm" in
+ // security properties
+ TrustManagerFactory tmf =
+ TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+ tmf.init(ts);
+ trustManagers = tmf.getTrustManagers();
+ // follow the security tip in java doc
+ if (password != null) {
+ java.util.Arrays.fill(password, ' ');
+ }
+
+ return trustManagers;
}
private KeyManager[] getKeyManagers() throws KeyStoreException, IOException,
NoSuchAlgorithmException, CertificateException, UnrecoverableKeyException {
- if (sslConfig.isUseDefaultProvider()) {
- KeyManagerFactory keyManagerFactory =
- KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
- keyManagerFactory.init(null, null);
- return keyManagerFactory.getKeyManagers();
- } else {
- if (sslConfig.getKeystore() == null) {
- return null;
- }
+ if (sslConfig.getKeystore() == null) {
+ return null;
+ }
- KeyManager[] keyManagers = null;
- String keyStoreType = sslConfig.getKeystoreType();
- if (StringUtils.isEmpty(keyStoreType)) {
- keyStoreType = KeyStore.getDefaultType();
- }
- KeyStore keyStore = KeyStore.getInstance(keyStoreType);
- String keyStoreFilePath = sslConfig.getKeystore();
- if (StringUtils.isEmpty(keyStoreFilePath)) {
- keyStoreFilePath =
- System.getProperty("user.home") + System.getProperty("file.separator") + ".keystore";
- }
+ KeyManager[] keyManagers = null;
+ String keyStoreType = sslConfig.getKeystoreType();
+ if (StringUtils.isEmpty(keyStoreType)) {
+ keyStoreType = KeyStore.getDefaultType();
+ }
+ KeyStore keyStore = KeyStore.getInstance(keyStoreType);
+ String keyStoreFilePath = sslConfig.getKeystore();
+ if (StringUtils.isEmpty(keyStoreFilePath)) {
+ keyStoreFilePath =
+ System.getProperty("user.home") + System.getProperty("file.separator") + ".keystore";
+ }
- FileInputStream fileInputStream = new FileInputStream(keyStoreFilePath);
- String passwordString = sslConfig.getKeystorePassword();
- char[] password = null;
- if (passwordString != null) {
- if (passwordString.trim().equals("")) {
- String encryptedPass = System.getenv("javax.net.ssl.keyStorePassword");
- if (!StringUtils.isEmpty(encryptedPass)) {
- String toDecrypt = "encrypted(" + encryptedPass + ")";
- passwordString = PasswordUtil.decrypt(toDecrypt);
- password = passwordString.toCharArray();
- }
- } else {
+ FileInputStream fileInputStream = new FileInputStream(keyStoreFilePath);
+ String passwordString = sslConfig.getKeystorePassword();
+ char[] password = null;
+ if (passwordString != null) {
+ if (passwordString.trim().equals("")) {
+ String encryptedPass = System.getenv("javax.net.ssl.keyStorePassword");
+ if (!StringUtils.isEmpty(encryptedPass)) {
+ String toDecrypt = "encrypted(" + encryptedPass + ")";
+ passwordString = PasswordUtil.decrypt(toDecrypt);
password = passwordString.toCharArray();
}
+ } else {
+ password = passwordString.toCharArray();
}
- keyStore.load(fileInputStream, password);
- // default algorithm can be changed by setting property "ssl.KeyManagerFactory.algorithm" in
- // security properties
- KeyManagerFactory keyManagerFactory =
- KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
- keyManagerFactory.init(keyStore, password);
- keyManagers = keyManagerFactory.getKeyManagers();
- // follow the security tip in java doc
- if (password != null) {
- java.util.Arrays.fill(password, ' ');
- }
-
- KeyManager[] extendedKeyManagers = new KeyManager[keyManagers.length];
+ }
+ keyStore.load(fileInputStream, password);
+ // default algorithm can be changed by setting property "ssl.KeyManagerFactory.algorithm" in
+ // security properties
+ KeyManagerFactory keyManagerFactory =
+ KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+ keyManagerFactory.init(keyStore, password);
+ keyManagers = keyManagerFactory.getKeyManagers();
+ // follow the security tip in java doc
+ if (password != null) {
+ java.util.Arrays.fill(password, ' ');
+ }
- for (int i = 0; i < keyManagers.length; i++)
+ KeyManager[] extendedKeyManagers = new KeyManager[keyManagers.length];
- {
- extendedKeyManagers[i] = new ExtendedAliasKeyManager(keyManagers[i], sslConfig.getAlias());
- }
+ for (int i = 0; i < keyManagers.length; i++)
- return extendedKeyManagers;
+ {
+ extendedKeyManagers[i] = new ExtendedAliasKeyManager(keyManagers[i], sslConfig.getAlias());
}
+
+ return extendedKeyManagers;
}
public SSLContext getSslContext() {
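Review bot: Both `FileInputStream`s on the new side are never closed: `fis` at the truststore load and `fileInputStream` at the keystore load are opened well before the password handling, so a descriptor leaks on every call and on any exception thrown between open and load. The re-indentation is the moment to move the open into try-with-resources, e.g. `try (FileInputStream fis = new FileInputStream(trustStorePath)) { ts.load(fis, password); }` in `getTrustManagers` and the same shape around `keyStore.load(fileInputStream, password);` in `getKeyManagers`. A smaller oddity carried over in `getTrustManagers`: when the truststore password is whitespace-only, the inner `if (!StringUtils.isEmpty(passwordString))` is trivially true and the whitespace itself is handed to `PasswordUtil.decrypt`, whereas the keystore branch consults `System.getenv("javax.net.ssl.keyStorePassword")` at that point — presumably the truststore side was meant to have its own fallback lookup, worth confirming. The `java.util.Arrays.fill(password, ' ')` cleanup in both methods is skipped when `init` or `load` throws; a `finally` would make it unconditional.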