This is an automated email from the ASF dual-hosted git repository.
meszibalu pushed a commit to branch branch-2
in repository https://gitbox.apache.org/repos/asf/hbase.git
The following commit(s) were added to refs/heads/branch-2 by this push:
new 9838c070aa1 HBASE-27342 Use Hadoop Credentials API to retrieve
passwords of TLS key/trust stores (#4751)
9838c070aa1 is described below
commit 9838c070aa1b878d6089ebab79d138a5fb01cf89
Author: Andor Molnár <[email protected]>
AuthorDate: Thu Sep 1 10:06:15 2022 +0200
HBASE-27342 Use Hadoop Credentials API to retrieve passwords of TLS
key/trust stores (#4751)
Signed-off-by: Andrew Purtell <[email protected]>
Signed-off-by: Duo Zhang <[email protected]>
Signed-off-by: Balazs Meszaros <[email protected]>
---
bin/hbase | 3 ++
.../apache/hadoop/hbase/ipc/NettyRpcClient.java | 3 +-
.../hadoop/hbase/io/crypto/tls/X509Util.java | 49 ++++++++++------------
.../hadoop/hbase/io/crypto/tls/TestX509Util.java | 44 +++++++------------
.../hbase/io/crypto/tls/X509TestContext.java | 26 ++++++------
.../io/crypto/tls/X509TestContextProvider.java | 11 ++---
.../hbase/io/crypto/tls/X509TestHelpers.java | 34 +++++++--------
.../apache/hadoop/hbase/ipc/NettyRpcServer.java | 3 +-
.../security/AbstractTestTlsRejectPlainText.java | 4 +-
.../hadoop/hbase/security/TestNettyTlsIPC.java | 4 +-
.../hadoop/hbase/security/TestSaslTlsIPC.java | 4 +-
11 files changed, 83 insertions(+), 102 deletions(-)
diff --git a/bin/hbase b/bin/hbase
index fa05a67e783..a654f517731 100755
--- a/bin/hbase
+++ b/bin/hbase
@@ -106,6 +106,7 @@ show_usage() {
echo " cellcounter Run CellCounter tool"
echo " pre-upgrade Run Pre-Upgrade validator tool"
echo " hbtop Run HBTop tool"
+ echo " credential Run the Hadoop Credential Shell"
echo " CLASSNAME Run the class named CLASSNAME"
}
@@ -734,6 +735,8 @@ elif [ "$COMMAND" = "hbtop" ] ; then
HBASE_HBTOP_OPTS="${HBASE_HBTOP_OPTS}
-Dlog4j2.configurationFile=file:${HBASE_HOME}/conf/log4j2-hbtop.properties"
fi
HBASE_OPTS="${HBASE_OPTS} ${HBASE_HBTOP_OPTS}"
+elif [ "$COMMAND" = "credential" ] ; then
+ CLASS='org.apache.hadoop.security.alias.CredentialShell'
else
CLASS=$COMMAND
if [[ "$CLASS" =~ .*IntegrationTest.* ]] ; then
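Review bot: The new `credential` branch only sets CLASS to `org.apache.hadoop.security.alias.CredentialShell`; nothing on the page says how an alias created with it is later found by `Configuration.getPassword`, which consults a provider only when `hadoop.security.credential.provider.path` is configured (or `-provider` is passed to the shell). A one-line comment above the `elif`, e.g. `# Manages TLS key/trust store passwords in a Hadoop credential provider; getPassword() reads them when hadoop.security.credential.provider.path points at it`, would spare an operator the trip to the Hadoop docs. The usage entry added in the hunk at -106 could carry the same hint in a few words.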
diff --git
a/hbase-client/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcClient.java
b/hbase-client/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcClient.java
index c45b3a1edcb..ba387d2bf32 100644
--- a/hbase-client/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcClient.java
+++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcClient.java
@@ -20,7 +20,6 @@ package org.apache.hadoop.hbase.ipc;
import java.io.IOException;
import java.net.SocketAddress;
import java.util.concurrent.atomic.AtomicReference;
-import javax.net.ssl.SSLException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseInterfaceAudience;
import org.apache.hadoop.hbase.HConstants;
@@ -89,7 +88,7 @@ public class NettyRpcClient extends
AbstractRpcClient<NettyRpcConnection> {
}
}
- SslContext getSslContext() throws X509Exception, SSLException {
+ SslContext getSslContext() throws X509Exception, IOException {
SslContext result = sslContextForClient.get();
if (result == null) {
result = X509Util.createSslContextForClient(conf);
diff --git
a/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/X509Util.java
b/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/X509Util.java
index 78ce833448e..76b7fad4c59 100644
---
a/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/X509Util.java
+++
b/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/X509Util.java
@@ -17,7 +17,6 @@
*/
package org.apache.hadoop.hbase.io.crypto.tls;
-import java.io.BufferedInputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
@@ -32,7 +31,6 @@ import java.util.Objects;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
-import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;
@@ -65,6 +63,7 @@ import
org.apache.hbase.thirdparty.io.netty.handler.ssl.SslContextBuilder;
public final class X509Util {
private static final Logger LOG = LoggerFactory.getLogger(X509Util.class);
+ private static final char[] EMPTY_CHAR_ARRAY = new char[0];
// Config
static final String CONFIG_PREFIX = "hbase.rpc.tls.";
@@ -140,12 +139,12 @@ public final class X509Util {
}
public static SslContext createSslContextForClient(Configuration config)
- throws X509Exception, SSLException {
+ throws X509Exception, IOException {
SslContextBuilder sslContextBuilder = SslContextBuilder.forClient();
String keyStoreLocation = config.get(TLS_CONFIG_KEYSTORE_LOCATION, "");
- String keyStorePassword = config.get(TLS_CONFIG_KEYSTORE_PASSWORD, "");
+ char[] keyStorePassword = config.getPassword(TLS_CONFIG_KEYSTORE_PASSWORD);
String keyStoreType = config.get(TLS_CONFIG_KEYSTORE_TYPE, "");
if (keyStoreLocation.isEmpty()) {
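Review bot: The `char[]` returned by `config.getPassword(TLS_CONFIG_KEYSTORE_PASSWORD)` on the `+` line is never cleared once the key manager has been built, so the move from String to char[] does not yet shorten the password's lifetime in the heap; the same holds for the trust-store password in the hunk at -156 and for both arrays in createSslContextForServer (hunks at -177 and -193). If the arrays are owned by this method, the rest of the body (which continues outside the hunk) can sit in a `try { … } finally { Arrays.fill(keyStorePassword, '\0'); }` per array, with a null guard since getPassword returns null for an unset property and checking whether java.util.Arrays is already imported here. Before adding that, confirm against the configured credential providers that getPassword hands out a fresh array rather than one cached by the provider; if it is shared, the right change is instead a comment on these lines stating that the arrays are provider-owned and must not be wiped.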
@@ -156,7 +155,7 @@ public final class X509Util {
}
String trustStoreLocation = config.get(TLS_CONFIG_TRUSTSTORE_LOCATION, "");
- String trustStorePassword = config.get(TLS_CONFIG_TRUSTSTORE_PASSWORD, "");
+ char[] trustStorePassword =
config.getPassword(TLS_CONFIG_TRUSTSTORE_PASSWORD);
String trustStoreType = config.get(TLS_CONFIG_TRUSTSTORE_TYPE, "");
boolean sslCrlEnabled = config.getBoolean(TLS_CONFIG_CLR, false);
@@ -177,9 +176,9 @@ public final class X509Util {
}
public static SslContext createSslContextForServer(Configuration config)
- throws X509Exception, SSLException {
+ throws X509Exception, IOException {
String keyStoreLocation = config.get(TLS_CONFIG_KEYSTORE_LOCATION, "");
- String keyStorePassword = config.get(TLS_CONFIG_KEYSTORE_PASSWORD, "");
+ char[] keyStorePassword = config.getPassword(TLS_CONFIG_KEYSTORE_PASSWORD);
String keyStoreType = config.get(TLS_CONFIG_KEYSTORE_TYPE, "");
if (keyStoreLocation.isEmpty()) {
@@ -193,7 +192,7 @@ public final class X509Util {
.forServer(createKeyManager(keyStoreLocation, keyStorePassword,
keyStoreType));
String trustStoreLocation = config.get(TLS_CONFIG_TRUSTSTORE_LOCATION, "");
- String trustStorePassword = config.get(TLS_CONFIG_TRUSTSTORE_PASSWORD, "");
+ char[] trustStorePassword =
config.getPassword(TLS_CONFIG_TRUSTSTORE_PASSWORD);
String trustStoreType = config.get(TLS_CONFIG_TRUSTSTORE_TYPE, "");
boolean sslCrlEnabled = config.getBoolean(TLS_CONFIG_CLR, false);
@@ -225,27 +224,25 @@ public final class X509Util {
* @return the key manager.
* @throws KeyManagerException if something goes wrong.
*/
- static X509KeyManager createKeyManager(String keyStoreLocation, String
keyStorePassword,
+ static X509KeyManager createKeyManager(String keyStoreLocation, char[]
keyStorePassword,
String keyStoreType) throws KeyManagerException {
- if (keyStorePassword == null) {
- keyStorePassword = "";
- }
-
if (keyStoreType == null) {
keyStoreType = "jks";
}
+ if (keyStorePassword == null) {
+ keyStorePassword = EMPTY_CHAR_ARRAY;
+ }
+
try {
- char[] password = keyStorePassword.toCharArray();
KeyStore ks = KeyStore.getInstance(keyStoreType);
- try (InputStream inputStream =
- new BufferedInputStream(Files.newInputStream(new
File(keyStoreLocation).toPath()))) {
- ks.load(inputStream, password);
+ try (InputStream inputStream = Files.newInputStream(new
File(keyStoreLocation).toPath())) {
+ ks.load(inputStream, keyStorePassword);
}
KeyManagerFactory kmf = KeyManagerFactory.getInstance("PKIX");
- kmf.init(ks, password);
+ kmf.init(ks, keyStorePassword);
for (KeyManager km : kmf.getKeyManagers()) {
if (km instanceof X509KeyManager) {
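Review bot: The `+` line replaces `new BufferedInputStream(Files.newInputStream(...))` with the bare channel-backed stream, and `KeyStore.load` reads the store through a DataInputStream in small reads, so the change trades one buffered read for many small channel reads with no functional gain; unless the unwrapping was deliberate, keeping the wrapper (and the import dropped in the hunk at -17) is the safer choice. The null-to-empty normalisation on the new lines also deserves a why-comment, e.g. `// Configuration.getPassword() yields null when the property is unset; KeyStore.load skips its integrity check on a null password, so fall back to "" as the old String default did`. Both points apply equally to createTrustManager in the hunk at -272. createKeyManager continues past the end of this hunk.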
@@ -272,23 +269,21 @@ public final class X509Util {
* @return the trust manager.
* @throws TrustManagerException if something goes wrong.
*/
- static X509TrustManager createTrustManager(String trustStoreLocation, String
trustStorePassword,
+ static X509TrustManager createTrustManager(String trustStoreLocation, char[]
trustStorePassword,
String trustStoreType, boolean crlEnabled, boolean ocspEnabled) throws
TrustManagerException {
- if (trustStorePassword == null) {
- trustStorePassword = "";
- }
-
if (trustStoreType == null) {
trustStoreType = "jks";
}
+ if (trustStorePassword == null) {
+ trustStorePassword = EMPTY_CHAR_ARRAY;
+ }
+
try {
- char[] password = trustStorePassword.toCharArray();
KeyStore ts = KeyStore.getInstance(trustStoreType);
- try (InputStream inputStream =
- new BufferedInputStream(Files.newInputStream(new
File(trustStoreLocation).toPath()))) {
- ts.load(inputStream, password);
+ try (InputStream inputStream = Files.newInputStream(new
File(trustStoreLocation).toPath())) {
+ ts.load(inputStream, trustStorePassword);
}
PKIXBuilderParameters pbParams = new PKIXBuilderParameters(ts, new
X509CertSelector());
diff --git
a/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/TestX509Util.java
b/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/TestX509Util.java
index 16df35cf431..09240539c92 100644
---
a/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/TestX509Util.java
+++
b/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/TestX509Util.java
@@ -19,12 +19,13 @@ package org.apache.hadoop.hbase.io.crypto.tls;
import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.equalTo;
import static org.junit.Assert.assertArrayEquals;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertThrows;
import static org.junit.Assert.assertTrue;
-import static org.junit.Assume.assumeTrue;
+import static org.junit.Assume.assumeThat;
import static org.mockito.Mockito.mock;
import java.io.File;
@@ -42,7 +43,6 @@ import org.apache.hadoop.hbase.HBaseCommonTestingUtility;
import org.apache.hadoop.hbase.exceptions.KeyManagerException;
import org.apache.hadoop.hbase.exceptions.SSLContextException;
import org.apache.hadoop.hbase.exceptions.TrustManagerException;
-import org.apache.hadoop.hbase.exceptions.X509Exception;
import org.apache.hadoop.hbase.testclassification.MiscTests;
import org.apache.hadoop.hbase.testclassification.SmallTests;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
@@ -74,6 +74,7 @@ public class TestX509Util {
HBaseClassTestRule.forClass(TestX509Util.class);
private static final HBaseCommonTestingUtility UTIL = new
HBaseCommonTestingUtility();
+ private static final char[] EMPTY_CHAR_ARRAY = new char[0];
private static X509TestContextProvider PROVIDER;
@@ -84,7 +85,7 @@ public class TestX509Util {
public X509KeyType certKeyType;
@Parameterized.Parameter(value = 2)
- public String keyPassword;
+ public char[] keyPassword;
@Parameterized.Parameter(value = 3)
public Integer paramIndex;
@@ -100,7 +101,7 @@ public class TestX509Util {
int paramIndex = 0;
for (X509KeyType caKeyType : X509KeyType.values()) {
for (X509KeyType certKeyType : X509KeyType.values()) {
- for (String keyPassword : new String[] { "", "pa$$w0rd" }) {
+ for (char[] keyPassword : new char[][] { "".toCharArray(),
"pa$$w0rd".toCharArray() }) {
params.add(new Object[] { caKeyType, certKeyType, keyPassword,
paramIndex++ });
}
}
@@ -172,13 +173,6 @@ public class TestX509Util {
X509Util.createSslContextForClient(conf);
}
- @Test(expected = X509Exception.class)
- public void testCreateSSLContextWithoutKeyStorePassword() throws Exception {
- assumeTrue(x509TestContext.isKeyStoreEncrypted());
- conf.unset(X509Util.TLS_CONFIG_KEYSTORE_PASSWORD);
- X509Util.createSslContextForServer(conf);
- }
-
@Test
public void testCreateSSLContextWithoutTrustStoreLocationClient() throws
Exception {
conf.unset(X509Util.TLS_CONFIG_TRUSTSTORE_LOCATION);
@@ -220,7 +214,7 @@ public class TestX509Util {
@Test
public void testLoadJKSKeyStoreNullPassword() throws Exception {
- assumeTrue(x509TestContext.getKeyStorePassword().isEmpty());
+ assumeThat(x509TestContext.getKeyStorePassword(),
equalTo(EMPTY_CHAR_ARRAY));
// Make sure that empty password and null password are treated the same
X509Util.createKeyManager(
x509TestContext.getKeyStoreFile(KeyStoreFileType.JKS).getAbsolutePath(),
null,
@@ -237,12 +231,12 @@ public class TestX509Util {
}
@Test
- public void testLoadJKSKeyStoreWithWrongPassword() throws Exception {
+ public void testLoadJKSKeyStoreWithWrongPassword() {
assertThrows(KeyManagerException.class, () -> {
// Attempting to load with the wrong key password should fail
X509Util.createKeyManager(
-
x509TestContext.getKeyStoreFile(KeyStoreFileType.JKS).getAbsolutePath(), "wrong
password",
- KeyStoreFileType.JKS.getPropertyValue());
+
x509TestContext.getKeyStoreFile(KeyStoreFileType.JKS).getAbsolutePath(),
+ "wrong password".toCharArray(),
KeyStoreFileType.JKS.getPropertyValue());
});
}
@@ -256,9 +250,7 @@ public class TestX509Util {
@Test
public void testLoadJKSTrustStoreNullPassword() throws Exception {
- if (!x509TestContext.getTrustStorePassword().isEmpty()) {
- return;
- }
+ assumeThat(x509TestContext.getTrustStorePassword(),
equalTo(EMPTY_CHAR_ARRAY));
// Make sure that empty password and null password are treated the same
X509Util.createTrustManager(
x509TestContext.getTrustStoreFile(KeyStoreFileType.JKS).getAbsolutePath(), null,
@@ -279,8 +271,8 @@ public class TestX509Util {
assertThrows(TrustManagerException.class, () -> {
// Attempting to load with the wrong key password should fail
X509Util.createTrustManager(
-
x509TestContext.getTrustStoreFile(KeyStoreFileType.JKS).getAbsolutePath(),
"wrong password",
- KeyStoreFileType.JKS.getPropertyValue(), true, true);
+
x509TestContext.getTrustStoreFile(KeyStoreFileType.JKS).getAbsolutePath(),
+ "wrong password".toCharArray(),
KeyStoreFileType.JKS.getPropertyValue(), true, true);
});
}
@@ -294,9 +286,7 @@ public class TestX509Util {
@Test
public void testLoadPKCS12KeyStoreNullPassword() throws Exception {
- if (!x509TestContext.getKeyStorePassword().isEmpty()) {
- return;
- }
+ assumeThat(x509TestContext.getKeyStorePassword(),
equalTo(EMPTY_CHAR_ARRAY));
// Make sure that empty password and null password are treated the same
X509Util.createKeyManager(
x509TestContext.getKeyStoreFile(KeyStoreFileType.PKCS12).getAbsolutePath(),
null,
@@ -309,7 +299,7 @@ public class TestX509Util {
// Attempting to load with the wrong key password should fail
X509Util.createKeyManager(
x509TestContext.getKeyStoreFile(KeyStoreFileType.PKCS12).getAbsolutePath(),
- "wrong password", KeyStoreFileType.PKCS12.getPropertyValue());
+ "wrong password".toCharArray(),
KeyStoreFileType.PKCS12.getPropertyValue());
});
}
@@ -324,9 +314,7 @@ public class TestX509Util {
@Test
public void testLoadPKCS12TrustStoreNullPassword() throws Exception {
- if (!x509TestContext.getTrustStorePassword().isEmpty()) {
- return;
- }
+ assumeThat(x509TestContext.getTrustStorePassword(),
equalTo(EMPTY_CHAR_ARRAY));
// Make sure that empty password and null password are treated the same
X509Util.createTrustManager(
x509TestContext.getTrustStoreFile(KeyStoreFileType.PKCS12).getAbsolutePath(),
null,
@@ -339,7 +327,7 @@ public class TestX509Util {
// Attempting to load with the wrong key password should fail
X509Util.createTrustManager(
x509TestContext.getTrustStoreFile(KeyStoreFileType.PKCS12).getAbsolutePath(),
- "wrong password", KeyStoreFileType.PKCS12.getPropertyValue(), true,
true);
+ "wrong password".toCharArray(),
KeyStoreFileType.PKCS12.getPropertyValue(), true, true);
});
}
diff --git
a/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/X509TestContext.java
b/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/X509TestContext.java
index 671cc0bbab4..b2085078860 100644
---
a/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/X509TestContext.java
+++
b/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/X509TestContext.java
@@ -56,14 +56,14 @@ public final class X509TestContext {
private final Configuration conf;
private final X509Certificate trustStoreCertificate;
- private final String trustStorePassword;
+ private final char[] trustStorePassword;
private File trustStoreJksFile;
private File trustStorePemFile;
private File trustStorePkcs12File;
private final KeyPair keyStoreKeyPair;
private final X509Certificate keyStoreCertificate;
- private final String keyStorePassword;
+ private final char[] keyStorePassword;
private File keyStoreJksFile;
private File keyStorePemFile;
private File keyStorePkcs12File;
@@ -80,7 +80,7 @@ public final class X509TestContext {
* @param keyStorePassword the password to protect the key store private
key.
*/
private X509TestContext(Configuration conf, File tempDir, KeyPair
trustStoreKeyPair,
- String trustStorePassword, KeyPair keyStoreKeyPair, String
keyStorePassword)
+ char[] trustStorePassword, KeyPair keyStoreKeyPair, char[]
keyStorePassword)
throws IOException, GeneralSecurityException, OperatorCreationException {
if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
throw new IllegalStateException("BC Security provider was not found");
@@ -117,7 +117,7 @@ public final class X509TestContext {
return tempDir;
}
- public String getTrustStorePassword() {
+ public char[] getTrustStorePassword() {
return trustStorePassword;
}
@@ -198,12 +198,12 @@ public final class X509TestContext {
return keyStoreCertificate;
}
- public String getKeyStorePassword() {
+ public char[] getKeyStorePassword() {
return keyStorePassword;
}
public boolean isKeyStoreEncrypted() {
- return keyStorePassword.length() > 0;
+ return keyStorePassword != null;
}
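Review bot: `isKeyStoreEncrypted()` now returns `keyStorePassword != null`, but every parameter set on the page passes `"".toCharArray()` (TestX509Util at -100 and the three server tests), which is non-null, so a context with an empty password now reports itself as encrypted where the old `length() > 0` did not. `return keyStorePassword != null && keyStorePassword.length > 0;` restores the original meaning. With that in place the deleted `testCreateSSLContextWithoutKeyStorePassword` (TestX509Util hunk at -172), which covered the unset-password-on-an-encrypted-store path, could probably be kept; whether it was dropped for this reason is inferred, not visible here.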
public Configuration getConf() {
@@ -307,11 +307,11 @@ public final class X509TestContext {
KeyStoreFileType trustStoreFileType) throws IOException {
conf.set(X509Util.TLS_CONFIG_KEYSTORE_LOCATION,
this.getKeyStoreFile(keyStoreFileType).getAbsolutePath());
- conf.set(X509Util.TLS_CONFIG_KEYSTORE_PASSWORD,
this.getKeyStorePassword());
+ conf.set(X509Util.TLS_CONFIG_KEYSTORE_PASSWORD,
String.valueOf(this.getKeyStorePassword()));
conf.set(X509Util.TLS_CONFIG_KEYSTORE_TYPE,
keyStoreFileType.getPropertyValue());
conf.set(X509Util.TLS_CONFIG_TRUSTSTORE_LOCATION,
this.getTrustStoreFile(trustStoreFileType).getAbsolutePath());
- conf.set(X509Util.TLS_CONFIG_TRUSTSTORE_PASSWORD,
this.getTrustStorePassword());
+ conf.set(X509Util.TLS_CONFIG_TRUSTSTORE_PASSWORD,
String.valueOf(this.getTrustStorePassword()));
conf.set(X509Util.TLS_CONFIG_TRUSTSTORE_TYPE,
trustStoreFileType.getPropertyValue());
}
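Review bot: `String.valueOf(this.getKeyStorePassword())` binds to `String.valueOf(char[])`, which throws NullPointerException on null, and the Builder hunk at -342 removes the `""` defaults, so both passwords are null unless the setters are called; whether any builder user omits a setter is not visible here. Either restore the defaults in the Builder or guard at this call site, e.g. `conf.set(X509Util.TLS_CONFIG_KEYSTORE_PASSWORD, getKeyStorePassword() == null ? "" : String.valueOf(getKeyStorePassword()));` and the same for the trust store. A short comment that this writes the password in clear text into the test Configuration by design would also keep the pattern from being copied into non-test wiring.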
@@ -332,9 +332,9 @@ public final class X509TestContext {
private final Configuration conf;
private File tempDir;
private X509KeyType trustStoreKeyType;
- private String trustStorePassword;
+ private char[] trustStorePassword;
private X509KeyType keyStoreKeyType;
- private String keyStorePassword;
+ private char[] keyStorePassword;
/**
* Creates an empty builder with the given Configuration.
@@ -342,9 +342,7 @@ public final class X509TestContext {
public Builder(Configuration conf) {
this.conf = conf;
trustStoreKeyType = X509KeyType.EC;
- trustStorePassword = "";
keyStoreKeyType = X509KeyType.EC;
- keyStorePassword = "";
}
/**
@@ -387,7 +385,7 @@ public final class X509TestContext {
* @param password the password.
* @return this Builder.
*/
- public Builder setTrustStorePassword(String password) {
+ public Builder setTrustStorePassword(char[] password) {
trustStorePassword = password;
return this;
}
@@ -409,7 +407,7 @@ public final class X509TestContext {
* @param password the password.
* @return this Builder.
*/
- public Builder setKeyStorePassword(String password) {
+ public Builder setKeyStorePassword(char[] password) {
keyStorePassword = password;
return this;
}
diff --git
a/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/X509TestContextProvider.java
b/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/X509TestContextProvider.java
index f5be80f45ba..3024755a2e3 100644
---
a/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/X509TestContextProvider.java
+++
b/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/X509TestContextProvider.java
@@ -18,6 +18,7 @@
package org.apache.hadoop.hbase.io.crypto.tls;
import java.io.File;
+import java.util.Arrays;
import java.util.Objects;
import org.apache.hadoop.conf.Configuration;
@@ -35,9 +36,9 @@ public class X509TestContextProvider {
private final X509KeyType certKeyType;
- private final String keyPassword;
+ private final char[] keyPassword;
- CacheKey(X509KeyType caKeyType, X509KeyType certKeyType, String
keyPassword) {
+ CacheKey(X509KeyType caKeyType, X509KeyType certKeyType, char[]
keyPassword) {
this.caKeyType = caKeyType;
this.certKeyType = certKeyType;
this.keyPassword = keyPassword;
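Review bot: `CacheKey` stores the caller's `char[]` by reference while the `hashCode`/`equals` changes in the next two hunks make its identity depend on the array's contents, so a caller that later clears or reuses the array silently changes a key that is already in the cache. Copying on construction keeps the key immutable: `this.keyPassword = keyPassword == null ? null : keyPassword.clone();`. This only bites once password arrays start being wiped after use, but it is cheap to do now.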
@@ -45,7 +46,7 @@ public class X509TestContextProvider {
@Override
public int hashCode() {
- return Objects.hash(caKeyType, certKeyType, keyPassword);
+ return Objects.hash(caKeyType, certKeyType,
Arrays.hashCode(keyPassword));
}
@Override
@@ -55,7 +56,7 @@ public class X509TestContextProvider {
}
CacheKey other = (CacheKey) obj;
return caKeyType == other.caKeyType && certKeyType == other.certKeyType
- && Objects.equals(keyPassword, other.keyPassword);
+ && Arrays.equals(keyPassword, other.keyPassword);
}
}
@@ -79,7 +80,7 @@ public class X509TestContextProvider {
this.tempDir = tempDir;
}
- public X509TestContext get(X509KeyType caKeyType, X509KeyType certKeyType,
String keyPassword) {
+ public X509TestContext get(X509KeyType caKeyType, X509KeyType certKeyType,
char[] keyPassword) {
return ctxs.getUnchecked(new CacheKey(caKeyType, certKeyType,
keyPassword));
}
}
diff --git
a/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/X509TestHelpers.java
b/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/X509TestHelpers.java
index d4489c1d589..1697dca8669 100644
---
a/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/X509TestHelpers.java
+++
b/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/X509TestHelpers.java
@@ -262,7 +262,7 @@ final class X509TestHelpers {
* @throws OperatorCreationException if constructing the encryptor from the
given password fails.
*/
public static String pemEncodeCertAndPrivateKey(X509Certificate cert,
PrivateKey privateKey,
- String keyPassword) throws IOException, OperatorCreationException {
+ char[] keyPassword) throws IOException, OperatorCreationException {
return pemEncodeX509Certificate(cert) + "\n" +
pemEncodePrivateKey(privateKey, keyPassword);
}
@@ -276,16 +276,16 @@ final class X509TestHelpers {
* @throws IOException if converting the key to PEM format
fails.
* @throws OperatorCreationException if constructing the encryptor from the
given password fails.
*/
- public static String pemEncodePrivateKey(PrivateKey key, String password)
+ public static String pemEncodePrivateKey(PrivateKey key, char[] password)
throws IOException, OperatorCreationException {
StringWriter stringWriter = new StringWriter();
JcaPEMWriter pemWriter = new JcaPEMWriter(stringWriter);
OutputEncryptor encryptor = null;
- if (password != null && password.length() > 0) {
+ if (password != null) {
encryptor =
new
JceOpenSSLPKCS8EncryptorBuilder(PKCSObjectIdentifiers.pbeWithSHAAnd3_KeyTripleDES_CBC)
- .setProvider(BouncyCastleProvider.PROVIDER_NAME).setRandom(PRNG)
- .setPasssword(password.toCharArray()).build();
+
.setProvider(BouncyCastleProvider.PROVIDER_NAME).setRandom(PRNG).setPasssword(password)
+ .build();
}
pemWriter.writeObject(new JcaPKCS8Generator(key, encryptor));
pemWriter.close();
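Review bot: The new condition `if (password != null)` drops the length check, so an empty-but-non-null password (which every parameter set on the page supplies via `"".toCharArray()`) now encrypts the PEM private key with an empty passphrase instead of writing it unencrypted as before. If that is unintended, `if (password != null && password.length > 0) {` keeps the prior behaviour; if intended, the method's Javadoc (which starts above the hunk) should state that only null means unencrypted. The comparable null-only checks on the key store helpers further down this file change semantics the same way.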
@@ -318,7 +318,7 @@ final class X509TestHelpers {
* will not be encrypted.
* @return the serialized bytes of the JKS trust store.
*/
- public static byte[] certToJavaTrustStoreBytes(X509Certificate cert, String
keyPassword)
+ public static byte[] certToJavaTrustStoreBytes(X509Certificate cert, char[]
keyPassword)
throws IOException, GeneralSecurityException {
KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
return certToTrustStoreBytes(cert, keyPassword, trustStore);
@@ -335,19 +335,18 @@ final class X509TestHelpers {
* will not be encrypted.
* @return the serialized bytes of the PKCS12 trust store.
*/
- public static byte[] certToPKCS12TrustStoreBytes(X509Certificate cert,
String keyPassword)
+ public static byte[] certToPKCS12TrustStoreBytes(X509Certificate cert,
char[] keyPassword)
throws IOException, GeneralSecurityException {
KeyStore trustStore = KeyStore.getInstance("PKCS12");
return certToTrustStoreBytes(cert, keyPassword, trustStore);
}
- private static byte[] certToTrustStoreBytes(X509Certificate cert, String
keyPassword,
+ private static byte[] certToTrustStoreBytes(X509Certificate cert, char[]
keyPassword,
KeyStore trustStore) throws IOException, GeneralSecurityException {
- char[] keyPasswordChars = keyPassword == null ? new char[0] :
keyPassword.toCharArray();
- trustStore.load(null, keyPasswordChars);
+ trustStore.load(null, keyPassword);
trustStore.setCertificateEntry(cert.getSubjectDN().toString(), cert);
ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
- trustStore.store(outputStream, keyPasswordChars);
+ trustStore.store(outputStream, keyPassword);
outputStream.flush();
byte[] result = outputStream.toByteArray();
outputStream.close();
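Review bot: `certToTrustStoreBytes` no longer maps a null `keyPassword` to an empty array before `trustStore.load`/`trustStore.store`, and on the JDKs I know `KeyStore.store` rejects a null password with IllegalArgumentException for both JKS and PKCS12, so a null now fails where it used to produce an unprotected store, while the Javadoc fragment at the top of the hunk ("will not be encrypted") still describes the old contract. Restoring the normalisation, `char[] pw = keyPassword == null ? new char[0] : keyPassword;` and passing `pw` to the two calls, keeps the documented behaviour. `certAndPrivateKeyToBytes` in the hunk at -383 makes the same change and needs the same fix.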
@@ -366,7 +365,7 @@ final class X509TestHelpers {
* @return the serialized bytes of the JKS key store.
*/
public static byte[] certAndPrivateKeyToJavaKeyStoreBytes(X509Certificate
cert,
- PrivateKey privateKey, String keyPassword) throws IOException,
GeneralSecurityException {
+ PrivateKey privateKey, char[] keyPassword) throws IOException,
GeneralSecurityException {
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
return certAndPrivateKeyToBytes(cert, privateKey, keyPassword, keyStore);
}
@@ -383,18 +382,17 @@ final class X509TestHelpers {
* @return the serialized bytes of the PKCS12 key store.
*/
public static byte[] certAndPrivateKeyToPKCS12Bytes(X509Certificate cert,
PrivateKey privateKey,
- String keyPassword) throws IOException, GeneralSecurityException {
+ char[] keyPassword) throws IOException, GeneralSecurityException {
KeyStore keyStore = KeyStore.getInstance("PKCS12");
return certAndPrivateKeyToBytes(cert, privateKey, keyPassword, keyStore);
}
private static byte[] certAndPrivateKeyToBytes(X509Certificate cert,
PrivateKey privateKey,
- String keyPassword, KeyStore keyStore) throws IOException,
GeneralSecurityException {
- char[] keyPasswordChars = keyPassword == null ? new char[0] :
keyPassword.toCharArray();
- keyStore.load(null, keyPasswordChars);
- keyStore.setKeyEntry("key", privateKey, keyPasswordChars, new
Certificate[] { cert });
+ char[] keyPassword, KeyStore keyStore) throws IOException,
GeneralSecurityException {
+ keyStore.load(null, keyPassword);
+ keyStore.setKeyEntry("key", privateKey, keyPassword, new Certificate[] {
cert });
ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
- keyStore.store(outputStream, keyPasswordChars);
+ keyStore.store(outputStream, keyPassword);
outputStream.flush();
byte[] result = outputStream.toByteArray();
outputStream.close();
diff --git
a/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcServer.java
b/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcServer.java
index 0a298833865..723132df2aa 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcServer.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcServer.java
@@ -25,7 +25,6 @@ import java.io.InterruptedIOException;
import java.net.InetSocketAddress;
import java.util.List;
import java.util.concurrent.CountDownLatch;
-import javax.net.ssl.SSLException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.CellScanner;
import org.apache.hadoop.hbase.HBaseInterfaceAudience;
@@ -250,7 +249,7 @@ public class NettyRpcServer extends RpcServer {
}
private void initSSL(ChannelPipeline p, boolean supportPlaintext)
- throws X509Exception, SSLException {
+ throws X509Exception, IOException {
SslContext nettySslContext = X509Util.createSslContextForServer(conf);
if (supportPlaintext) {
diff --git
a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/AbstractTestTlsRejectPlainText.java
b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/AbstractTestTlsRejectPlainText.java
index c6ecccaea34..dc79ab25c49 100644
---
a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/AbstractTestTlsRejectPlainText.java
+++
b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/AbstractTestTlsRejectPlainText.java
@@ -72,7 +72,7 @@ public abstract class AbstractTestTlsRejectPlainText {
public X509KeyType certKeyType;
@Parameterized.Parameter(2)
- public String keyPassword;
+ public char[] keyPassword;
private X509TestContext x509TestContext;
@@ -85,7 +85,7 @@ public abstract class AbstractTestTlsRejectPlainText {
List<Object[]> params = new ArrayList<>();
for (X509KeyType caKeyType : X509KeyType.values()) {
for (X509KeyType certKeyType : X509KeyType.values()) {
- for (String keyPassword : new String[] { "", "pa$$w0rd" }) {
+ for (char[] keyPassword : new char[][] { "".toCharArray(),
"pa$$w0rd".toCharArray() }) {
params.add(new Object[] { caKeyType, certKeyType, keyPassword });
}
}
diff --git
a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/TestNettyTlsIPC.java
b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/TestNettyTlsIPC.java
index 758c9d327fa..65460ab3eaf 100644
---
a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/TestNettyTlsIPC.java
+++
b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/TestNettyTlsIPC.java
@@ -83,7 +83,7 @@ public class TestNettyTlsIPC extends AbstractTestIPC {
public X509KeyType certKeyType;
@Parameterized.Parameter(2)
- public String keyPassword;
+ public char[] keyPassword;
@Parameterized.Parameter(3)
public boolean acceptPlainText;
@@ -100,7 +100,7 @@ public class TestNettyTlsIPC extends AbstractTestIPC {
List<Object[]> params = new ArrayList<>();
for (X509KeyType caKeyType : X509KeyType.values()) {
for (X509KeyType certKeyType : X509KeyType.values()) {
- for (String keyPassword : new String[] { "", "pa$$w0rd" }) {
+ for (char[] keyPassword : new char[][] { "".toCharArray(),
"pa$$w0rd".toCharArray() }) {
// do not accept plain text
params.add(new Object[] { caKeyType, certKeyType, keyPassword,
false, true });
// support plain text and client enables tls
diff --git
a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/TestSaslTlsIPC.java
b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/TestSaslTlsIPC.java
index 3d48af5074c..1477e8aa0fc 100644
---
a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/TestSaslTlsIPC.java
+++
b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/TestSaslTlsIPC.java
@@ -64,7 +64,7 @@ public class TestSaslTlsIPC extends AbstractTestSecureIPC {
public X509KeyType certKeyType;
@Parameterized.Parameter(2)
- public String keyPassword;
+ public char[] keyPassword;
@Parameterized.Parameter(3)
public boolean acceptPlainText;
@@ -81,7 +81,7 @@ public class TestSaslTlsIPC extends AbstractTestSecureIPC {
List<Object[]> params = new ArrayList<>();
for (X509KeyType caKeyType : X509KeyType.values()) {
for (X509KeyType certKeyType : X509KeyType.values()) {
- for (String keyPassword : new String[] { "", "pa$$w0rd" }) {
+ for (char[] keyPassword : new char[][] { "".toCharArray(),
"pa$$w0rd".toCharArray() }) {
// do not accept plain text
params.add(new Object[] { caKeyType, certKeyType, keyPassword,
false, true });
// support plain text and client enables tls