This is an automated email from the ASF dual-hosted git repository. haonan pushed a commit to branch add_keyStore_validatation in repository https://gitbox.apache.org/repos/asf/iotdb.git
commit 04b6fc194c31952b1890711d7ea24206f678f637
Author: HTHou <[email protected]>
AuthorDate: Fri Oct 10 17:38:36 2025 +0800
Add keystore truststore expire check
---
 .../iotdb/rpc/NettyTNonblockingTransport.java | 13 ++++---
 .../org/apache/iotdb/db/service/RestService.java | 2 +-
 .../service/AbstractThriftServiceThread.java | 40 +++++++++++++++++++++-
 3 files changed, 48 insertions(+), 7 deletions(-)
diff --git a/iotdb-client/service-rpc/src/main/java/org/apache/iotdb/rpc/NettyTNonblockingTransport.java b/iotdb-client/service-rpc/src/main/java/org/apache/iotdb/rpc/NettyTNonblockingTransport.java
index 8cf6c51a95c..8193ae36f67 100644
--- a/iotdb-client/service-rpc/src/main/java/org/apache/iotdb/rpc/NettyTNonblockingTransport.java
+++ b/iotdb-client/service-rpc/src/main/java/org/apache/iotdb/rpc/NettyTNonblockingTransport.java
@@ -166,12 +166,15 @@ public class NettyTNonblockingTransport extends TNonblockingTransport {
 "SSL handshake completed successfully for {}:{}", host, port);
 }
 } else {
- if (logger.isDebugEnabled()) {
+ if (!future
+ .cause()
+ .getMessage()
+ .contains("SslHandler removed before handshake completed")) {
+ logger.warn(
+ "SSL handshake failed for {}:{}", host, port, future.cause());
+ } else if (logger.isDebugEnabled()) {
 logger.debug(
- "SSL handshake failed for {}:{}: {}",
- host,
- port,
- future.cause().getMessage());
+ "SSL handshake failed for {}:{}", host, port, future.cause());
 }
 }
 });
diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/service/RestService.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/service/RestService.java
index fa8df0c9a69..7fc4d788380 100644
--- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/service/RestService.java
+++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/service/RestService.java
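Review bot: `future.cause().getMessage()` in the added branch can be null — a ClosedChannelException, for instance, carries no message — so the chained `.contains(...)` call throws a NullPointerException inside the listener instead of logging the handshake failure. Guard the message first: `String msg = future.cause().getMessage();` followed by `if (msg == null || !msg.contains("SslHandler removed before handshake completed")) {`. Matching on Netty's message text is also fragile across Netty upgrades; if Netty exposes a distinct exception type for that case it would be a more stable discriminator, otherwise a comment naming where the text comes from would help the next maintainer. The enclosing listener lambda starts outside the hunk.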
@@ -67,7 +67,7 @@ public class RestService implements IService {
 if (clientAuth) {
 sslContextFactory.setTrustStorePath(trustStorePath);
 sslContextFactory.setTrustStorePassword(trustStorePwd);
- sslContextFactory.setNeedClientAuth(clientAuth);
+ sslContextFactory.setNeedClientAuth(true);
 }
 ServerConnector httpsConnector =
diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/service/AbstractThriftServiceThread.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/service/AbstractThriftServiceThread.java
index 7537308d6cd..7d32a0d5e71 100644
--- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/service/AbstractThriftServiceThread.java
+++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/service/AbstractThriftServiceThread.java
@@ -44,7 +44,11 @@ import org.apache.thrift.transport.TTransportFactory;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import java.io.FileInputStream;
 import java.net.InetSocketAddress;
+import java.security.KeyStore;
+import java.security.cert.X509Certificate;
+import java.util.Enumeration;
 import java.util.concurrent.CountDownLatch;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.TimeUnit;
@@ -177,13 +181,15 @@ public abstract class AbstractThriftServiceThread extends Thread {
 this.serviceName = serviceName;
 try {
+ validateCertificate(keyStorePath, keyStorePwd);
 TSSLTransportFactory.TSSLTransportParameters params =
 new TSSLTransportFactory.TSSLTransportParameters();
 params.setKeyStore(keyStorePath, keyStorePwd);
 if (trustStorePath != null && !trustStorePath.isEmpty()) {
+ validateCertificate(trustStorePath, trustStorePwd);
 params.setTrustStore(trustStorePath, trustStorePwd);
+ params.requireClientAuth(true);
 }
- params.requireClientAuth(false);
 InetSocketAddress socketAddress = new InetSocketAddress(bindAddress, port);
 serverTransport = TSSLTransportFactory.getServerSocket(
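Review bot: The added `params.requireClientAuth(true)` in the `@@ -177,13` hunk changes the Thrift server from never requiring a client certificate to always requiring one whenever a truststore is configured, which is a behavioural change for existing deployments that set a truststore without issuing client certificates; that intent deserves a comment on the line, e.g. `// A configured truststore now implies mutual TLS: clients without a certificate are rejected.` The new `validateCertificate(trustStorePath, trustStorePwd)` call is guarded only by the null/empty check on the path, not on the password, so if the configuration allows the truststore password to be null the node fails at startup with a NullPointerException wrapped in TTransportException; confirm against the config defaults. Each store is also parsed twice, once by validateCertificate and once by Thrift, which is harmless but worth noting. The enclosing constructor starts and ends outside the hunk.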
@@ -197,6 +203,38 @@ public abstract class AbstractThriftServiceThread extends Thread {
 }
 }
+ private static void validateCertificate(String keyStorePath, String keystorePassword)
+ throws TTransportException {
+ try {
+ KeyStore keystore = KeyStore.getInstance("JKS");
+ try (FileInputStream fis = new FileInputStream(keyStorePath)) {
+ keystore.load(fis, keystorePassword.toCharArray());
+ }
+
+ Enumeration<String> aliases = keystore.aliases();
+ while (aliases.hasMoreElements()) {
+ String currentAlias = aliases.nextElement();
+ checkCertificate(keystore, currentAlias);
+ }
+
+ } catch (Exception e) {
+ throw new TTransportException(e);
+ }
+ }
+
+ private static void checkCertificate(KeyStore keystore, String alias) throws Exception {
+ if (!keystore.containsAlias(alias)) {
+ return;
+ }
+
+ X509Certificate cert = (X509Certificate) keystore.getCertificate(alias);
+ if (cert == null) {
+ return;
+ }
+
+ cert.checkValidity();
+ }
+
 @SuppressWarnings("squid:S107")
 protected AbstractThriftServiceThread(
 TProcessor processor,
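Review bot: The `catch (Exception e)` in validateCertificate rethrows `new TTransportException(e)` with no mention of which store or alias failed, so an operator whose node refuses to start sees only the bare CertificateExpiredException text and has to guess between keystore and truststore. In checkCertificate the `containsAlias` test is redundant (the alias came from `keystore.aliases()`), and the unchecked cast of `getCertificate(alias)` turns any non-X.509 entry into a ClassCastException wrapped in that same opaque exception, where an instanceof test would simply skip such entries. Two caveats are worth a comment above validateCertificate: the store type is fixed to `"JKS"` (presumably matching the Thrift parameter default — confirm), and for a private-key entry only the leaf certificate is checked, so an expired intermediate in the chain is not reported, nor is a certificate that expires after startup. The rewrite below carries the store path and alias into the exception message and tolerates non-X.509 entries.
```java
private static void validateCertificate(String keyStorePath, String keystorePassword)
    throws TTransportException {
  // Startup-only check: an entry that expires while the server is running is not detected here.
  String alias = null;
  try {
    // … unchanged: KeyStore.getInstance("JKS") and load() …
    Enumeration<String> aliases = keystore.aliases();
    while (aliases.hasMoreElements()) {
      alias = aliases.nextElement();
      checkCertificate(keystore, alias);
    }
  } catch (Exception e) {
    // Name the store and the offending alias so the failure can be traced to one file.
    throw new TTransportException(
        "Certificate validation failed for " + keyStorePath
            + (alias == null ? "" : " (alias " + alias + ")"),
        e);
  }
}

private static void checkCertificate(KeyStore keystore, String alias) throws Exception {
  java.security.cert.Certificate cert = keystore.getCertificate(alias);
  // Only X.509 entries carry a validity period; other entry types (and null) are skipped.
  if (cert instanceof X509Certificate) {
    ((X509Certificate) cert).checkValidity();
  }
}
```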
