GEODE-3393: One-way SSL commit failing with userHome/.keystore not found. This now closes #682
Signed-off-by: Galen O'Sullivan <gosuli...@pivotal.io>
Project: http://git-wip-us.apache.org/repos/asf/geode/repo
Commit: http://git-wip-us.apache.org/repos/asf/geode/commit/684f85d2
Tree: http://git-wip-us.apache.org/repos/asf/geode/tree/684f85d2
Diff: http://git-wip-us.apache.org/repos/asf/geode/diff/684f85d2
Branch: refs/heads/feature/GEODE-3249
Commit: 684f85d2881dd1b0b68bc49b303fb45a8b17452d
Parents: c1129c7
Author: Udo Kohlmeyer <ukohlme...@pivotal.io>
Authored: Thu Aug 3 14:13:06 2017 -0700
Committer: Udo Kohlmeyer <ukohlme...@pivotal.io>
Committed: Mon Aug 14 15:31:36 2017 -0700
----------------------------------------------------------------------
.../apache/geode/internal/admin/SSLConfig.java | 5 ++-
.../geode/internal/net/SocketCreator.java | 38 ++++++-----------
.../net/SSLConfigurationFactoryJUnitTest.java | 6 ++-
.../internal/net/SocketCreatorJUnitTest.java | 43 ++++++++++++++++++++
4 files changed, 62 insertions(+), 30 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/geode/blob/684f85d2/geode-core/src/main/java/org/apache/geode/internal/admin/SSLConfig.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/org/apache/geode/internal/admin/SSLConfig.java b/geode-core/src/main/java/org/apache/geode/internal/admin/SSLConfig.java
index 0171933..65e4694 100755
--- a/geode-core/src/main/java/org/apache/geode/internal/admin/SSLConfig.java
+++ b/geode-core/src/main/java/org/apache/geode/internal/admin/SSLConfig.java
@@ -16,6 +16,7 @@ package org.apache.geode.internal.admin;
import static org.apache.geode.distributed.ConfigurationProperties.*;
+import java.security.KeyStore;
import java.util.Iterator;
import java.util.Properties;
@@ -33,11 +34,11 @@ public class SSLConfig {
private String ciphers = DistributionConfig.DEFAULT_SSL_CIPHERS;
private boolean requireAuth = DistributionConfig.DEFAULT_SSL_REQUIRE_AUTHENTICATION;
private String keystore = DistributionConfig.DEFAULT_SSL_KEYSTORE;
- private String keystoreType = DistributionConfig.DEFAULT_CLUSTER_SSL_KEYSTORE_TYPE;
+ private String keystoreType = KeyStore.getDefaultType();
private String keystorePassword = DistributionConfig.DEFAULT_SSL_KEYSTORE_PASSWORD;
private String truststore = DistributionConfig.DEFAULT_SSL_TRUSTSTORE;
private String truststorePassword = DistributionConfig.DEFAULT_SSL_TRUSTSTORE_PASSWORD;
- private String truststoreType = DistributionConfig.DEFAULT_CLUSTER_SSL_KEYSTORE_TYPE;
+ private String truststoreType = KeyStore.getDefaultType();
private String alias = null;
private SecurableCommunicationChannel securableCommunicationChannel = null;
http://git-wip-us.apache.org/repos/asf/geode/blob/684f85d2/geode-core/src/main/java/org/apache/geode/internal/net/SocketCreator.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/org/apache/geode/internal/net/SocketCreator.java b/geode-core/src/main/java/org/apache/geode/internal/net/SocketCreator.java
index dbe18a9..47fd766 100755
--- a/geode-core/src/main/java/org/apache/geode/internal/net/SocketCreator.java
+++ b/geode-core/src/main/java/org/apache/geode/internal/net/SocketCreator.java
@@ -333,7 +333,6 @@ public class SocketCreator {
* <p>
* Caller must synchronize on the SocketCreator instance.
*/
- @SuppressWarnings("hiding")
private void initialize() {
try {
// set p2p values...
@@ -384,7 +383,7 @@ public class SocketCreator {
/**
* Creates & configures the SSLContext when SSL is enabled.
- *
+ *
* @return new SSLContext configured using the given protocols & properties
*
* @throws GeneralSecurityException if security information can not be found
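Review bot: The new initializers `keystoreType = KeyStore.getDefaultType()` and `truststoreType = KeyStore.getDefaultType()` make the default depend on the `keystore.type` security property of the JVM each member runs on, whereas the replaced `DistributionConfig.DEFAULT_CLUSTER_SSL_KEYSTORE_TYPE` was a fixed constant, and nothing in the hunk records that. Members on JDKs with different defaults would silently pick different store types when no type is configured, and a store written in the old fixed format may no longer load without an explicit type, depending on the JDK's compatibility handling. I would add above `keystoreType` a comment such as `// Defaults to the running JVM's keystore type (keystore.type security property), not a fixed constant; configure the type explicitly when members run on different JDKs.` and the same above `truststoreType`. If `DEFAULT_CLUSTER_SSL_KEYSTORE_TYPE` is still what `DistributionConfig` documents as the default, that documentation now disagrees with this class.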
@@ -402,7 +401,7 @@ public class SocketCreator {
/**
* Used by CacheServerLauncher and SystemAdmin to read the properties from console
- *
+ *
* @param env Map in which the properties are to be read from console.
*/
public static void readSSLProperties(Map<String, String> env) {
@@ -413,7 +412,7 @@ public class SocketCreator {
* Used to read the properties from console. AgentLauncher calls this method directly & ignores
* gemfire.properties. CacheServerLauncher and SystemAdmin call this through
* {@link #readSSLProperties(Map)} and do NOT ignore gemfire.properties.
- *
+ *
* @param env Map in which the properties are to be read from console.
* @param ignoreGemFirePropsFile if <code>false</code> existing gemfire.properties file is read,
* if <code>true</code>, properties from gemfire.properties file are ignored.
@@ -537,6 +536,10 @@ public class SocketCreator {
NoSuchAlgorithmException, CertificateException, UnrecoverableKeyException {
GfeConsoleReader consoleReader = GfeConsoleReaderFactory.getDefaultConsoleReader();
+ if (sslConfig.getKeystore() == null) {
+ return null;
+ }
+
KeyManager[] keyManagers = null;
String keyStoreType = sslConfig.getKeystoreType();
if (StringUtils.isEmpty(keyStoreType)) {
@@ -611,7 +614,7 @@ public class SocketCreator {
/**
* Constructor.
- *
+ *
* @param mgr The X509KeyManager used as a delegate
* @param keyAlias The alias name of the server's keypair and supporting certificate chain
*/
@@ -791,7 +794,7 @@ public class SocketCreator {
/**
* Creates or bind server socket to a random port selected from tcp-port-range which is same as
* membership-port-range.
- *
+ *
* @param ba
* @param backlog
* @param isBindAddress
@@ -811,7 +814,7 @@ public class SocketCreator {
/**
* Creates or bind server socket to a random port selected from tcp-port-range which is same as
* membership-port-range.
- *
+ *
* @param ba
* @param backlog
* @param isBindAddress
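Review bot: The guard `if (sslConfig.getKeystore() == null) { return null; }` in the hunk at 537 only catches a null keystore, while two lines later the same method treats an unset type with `StringUtils.isEmpty(keyStoreType)`; if the keystore name can arrive as an empty string (for instance from a properties-based configuration where nothing was set), that case still falls through to the loading path below and, presumably, the `$USER_HOME/.keystore` lookup named in the commit title. Using the same predicate keeps the two consistent: `if (StringUtils.isEmpty(sslConfig.getKeystore())) {`. The check is also placed after `GfeConsoleReaderFactory.getDefaultConsoleReader()` has been obtained, so that lookup is wasted on the early return; it should sit above it. The enclosing method starts before and ends after this hunk, so I cannot see how the caller treats a null result; a comment on the return, `// No keystore configured: one-way SSL, this side presents no key managers.`, would make the intent explicit.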
@@ -1021,14 +1024,6 @@ public class SocketCreator {
ex);
throw ex;
}
- } catch (SSLException ex) {
- logger
- .fatal(
- LocalizedMessage.create(
- LocalizedStrings.SocketCreator_SSL_ERROR_IN_CONNECTING_TO_PEER_0_1,
- new Object[] {socket.getInetAddress(), Integer.valueOf(socket.getPort())}),
- ex);
- throw ex;
}
}
}
@@ -1108,16 +1103,7 @@ public class SocketCreator {
.create(LocalizedStrings.SocketCreator_SSL_ERROR_IN_AUTHENTICATING_PEER), ex);
throw ex;
}
- } catch (SSLException ex) {
- logger
- .fatal(
- LocalizedMessage.create(
- LocalizedStrings.SocketCreator_SSL_ERROR_IN_CONNECTING_TO_PEER_0_1,
- new Object[] {socket.getInetAddress(), Integer.valueOf(socket.getPort())}),
- ex);
- throw ex;
}
- }
}
@@ -1219,7 +1205,7 @@ public class SocketCreator {
/**
* This method uses JNDI to look up an address in DNS and return its name
- *
+ *
* @param addr
*
* @return the host name associated with the address or null if lookup isn't possible or there is
@@ -1295,7 +1281,7 @@ public class SocketCreator {
* Fails Assertion if the conversion would result in <code>java.lang.UnknownHostException</code>.
* <p>
* Any leading slashes on host will be ignored.
- *
+ *
* @param host string version the InetAddress
*
* @return the host converted to InetAddress instance
http://git-wip-us.apache.org/repos/asf/geode/blob/684f85d2/geode-core/src/test/java/org/apache/geode/internal/net/SSLConfigurationFactoryJUnitTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/org/apache/geode/internal/net/SSLConfigurationFactoryJUnitTest.java b/geode-core/src/test/java/org/apache/geode/internal/net/SSLConfigurationFactoryJUnitTest.java
index 47f0d2b..cd7585c 100644
--- a/geode-core/src/test/java/org/apache/geode/internal/net/SSLConfigurationFactoryJUnitTest.java
+++ b/geode-core/src/test/java/org/apache/geode/internal/net/SSLConfigurationFactoryJUnitTest.java
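Review bot: Removing the outer `catch (SSLException ex)` in the hunks at 1021 and at 1108 also removes the only visible fatal-level log of `SocketCreator_SSL_ERROR_IN_CONNECTING_TO_PEER_0_1`, so SSL failures other than the `SSLPeerUnverifiedException` case kept by the inner catch (handshake or protocol errors on these paths) now propagate without any log entry at this layer unless a caller outside the hunk reports them. If the motivation was that the inner catch's rethrow was caught and logged a second time by the outer one, a narrower fix keeps the operational signal: keep the outer catch and skip the log for the already-reported type, or log the remaining cases where the exception is finally handled. The enclosing methods start and end outside both hunks, so I cannot see whether such logging exists; at minimum a comment on each remaining inner catch, `// Other SSLExceptions propagate unlogged from here; the caller is responsible for reporting them.`, would tell the next reader where a failed TLS connection is expected to surface.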
@@ -51,6 +51,8 @@ import org.apache.geode.internal.security.SecurableCommunicationChannel;
import org.apache.geode.test.junit.categories.MembershipTest;
import org.apache.geode.test.junit.categories.UnitTest;
+import java.security.KeyStore;
+
@Category({UnitTest.class, MembershipTest.class})
public class SSLConfigurationFactoryJUnitTest {
@@ -216,11 +218,11 @@ public class SSLConfigurationFactoryJUnitTest {
properties.setProperty(CLUSTER_SSL_ENABLED, "true");
properties.setProperty(MCAST_PORT, "0");
System.setProperty(SSLConfigurationFactory.JAVAX_KEYSTORE, "keystore");
- System.setProperty(SSLConfigurationFactory.JAVAX_KEYSTORE_TYPE, "JKS");
+ System.setProperty(SSLConfigurationFactory.JAVAX_KEYSTORE_TYPE, KeyStore.getDefaultType());
System.setProperty(SSLConfigurationFactory.JAVAX_KEYSTORE_PASSWORD, "keystorePassword");
System.setProperty(SSLConfigurationFactory.JAVAX_TRUSTSTORE, "truststore");
System.setProperty(SSLConfigurationFactory.JAVAX_TRUSTSTORE_PASSWORD, "truststorePassword");
- System.setProperty(SSLConfigurationFactory.JAVAX_TRUSTSTORE_TYPE, "JKS");
+ System.setProperty(SSLConfigurationFactory.JAVAX_TRUSTSTORE_TYPE, KeyStore.getDefaultType());
DistributionConfigImpl distributionConfig = new DistributionConfigImpl(properties);
SSLConfigurationFactory.setDistributionConfig(distributionConfig);
SSLConfig sslConfig =
http://git-wip-us.apache.org/repos/asf/geode/blob/684f85d2/geode-core/src/test/java/org/apache/geode/internal/net/SocketCreatorJUnitTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/org/apache/geode/internal/net/SocketCreatorJUnitTest.java b/geode-core/src/test/java/org/apache/geode/internal/net/SocketCreatorJUnitTest.java
new file mode 100644
index 0000000..b258ee1
--- /dev/null
+++ b/geode-core/src/test/java/org/apache/geode/internal/net/SocketCreatorJUnitTest.java
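Review bot: Setting `JAVAX_KEYSTORE_TYPE` and `JAVAX_TRUSTSTORE_TYPE` to `KeyStore.getDefaultType()` makes the value the test feeds in identical to the fallback a fresh `SSLConfig` now starts with (its `keystoreType`/`truststoreType` initializers in this commit), so the assertion that follows this hunk can no longer tell "the javax.net.ssl type property was read" apart from "nothing was read and the default stayed". If the test exists to prove the system properties are honoured, feed a type that is guaranteed to differ from the JVM default, e.g. `String nonDefaultType = "jks".equalsIgnoreCase(KeyStore.getDefaultType()) ? "PKCS12" : "JKS";` (a constructed example) and use it in both `setProperty` calls and the expectation. A comment on that line, `// must differ from KeyStore.getDefaultType() so the assertion proves the property was read`, keeps a later edit from weakening the test again.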
@@ -0,0 +1,43 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
+ * agreements. See the NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License. You may obtain a
+ * copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.apache.geode.internal.net;
+
+import org.apache.geode.internal.admin.SSLConfig;
+import org.apache.geode.test.junit.categories.UnitTest;
+import org.apache.geode.util.test.TestUtil;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+
+@Category(UnitTest.class)
+public class SocketCreatorJUnitTest {
+
+ @Test
+ public void testCreateSocketCreatorWithKeystoreUnset() throws Exception {
+ SSLConfig testSSLConfig = new SSLConfig();
+ testSSLConfig.setEnabled(true);
+ testSSLConfig.setKeystore(null);
+ testSSLConfig.setKeystorePassword("");
+ testSSLConfig.setTruststore(getSingleKeyKeystore());
+ testSSLConfig.setTruststorePassword("password");
+ // GEODE-3393: This would fail with java.io.FileNotFoundException: $USER_HOME/.keystore
+ new SocketCreator(testSSLConfig);
+
+ }
+
+ private String getSingleKeyKeystore() {
+ return TestUtil.getResourcePath(getClass(), "/ssl/trusted.keystore");
+ }
+
+}
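Review bot: `testCreateSocketCreatorWithKeystoreUnset` only exercises `setKeystore(null)`, but `SSLConfig` initialises `keystore` from `DistributionConfig.DEFAULT_SSL_KEYSTORE` (see the SSLConfig hunk), whose value is not visible here; if that default is an empty string rather than null, a properties-driven one-way configuration would bypass the new `== null` guard in `SocketCreator` and is not covered by this test. A second case with `testSSLConfig.setKeystore("");` would pin that path as well. The test asserts nothing beyond "no exception", which is acceptable for a regression test but should be stated: `// GEODE-3393: must not throw; previously failed with java.io.FileNotFoundException: $USER_HOME/.keystore`. `setKeystorePassword("")` is set for a keystore that is deliberately absent; drop it or comment why the constructor needs it.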