This is an automated email from the ASF dual-hosted git repository.
mgreber pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/kudu.git
The following commit(s) were added to refs/heads/master by this push:
new 3332cc181 [Java] Fix TLS truststore init for FIPS providers
3332cc181 is described below
commit 3332cc1810eec928af6236a77e73332df84008bd
Author: Marton Greber <[email protected]>
AuthorDate: Thu Jan 8 17:29:12 2026 +0100
[Java] Fix TLS truststore init for FIPS providers
In some field deployments running with a proprietary FIPS-compliant
crypto provider, the default KeyStore implementation rejects
KeyStore.load((LoadStoreParameter) null) with
IllegalArgumentException("'param' arg cannot be null"), causing TLS
trust-store construction in SecurityContext.trustCertificates() to fail.
Fix SecurityContext to initialize the in-memory KeyStore via
load(null, new char[0]) instead of the 1-arg overload, avoiding the
null-parameter path while preserving "empty keystore" semantics.
This is not a breaking change: both calls are valid KeyStore
initialization forms and for JDK keystores load(null, ...) is the
documented way [1] to create an empty KeyStore. We only make the
initialization more compatible with FIPS-oriented providers.
[1]:
https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/security/KeyStore.html#load(java.io.InputStream,char%5B%5D)
Change-Id: I361341146c9115a17df182c397dbf4119ec68464
Reviewed-on: http://gerrit.cloudera.org:8080/23841
Tested-by: Marton Greber <[email protected]>
Reviewed-by: Zoltan Chovan <[email protected]>
Reviewed-by: Alexey Serbin <[email protected]>
---
.../src/main/java/org/apache/kudu/client/SecurityContext.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git
a/java/kudu-client/src/main/java/org/apache/kudu/client/SecurityContext.java
b/java/kudu-client/src/main/java/org/apache/kudu/client/SecurityContext.java
index dec16b27f..26eba805d 100644
--- a/java/kudu-client/src/main/java/org/apache/kudu/client/SecurityContext.java
+++ b/java/kudu-client/src/main/java/org/apache/kudu/client/SecurityContext.java
@@ -417,7 +417,7 @@ class SecurityContext {
// ones to an existing KeyStore doesn't have any effect.
try {
KeyStore certKeyStore = KeyStore.getInstance(KeyStore.getDefaultType());
- certKeyStore.load(null);
+ certKeyStore.load(null, new char[0]);
int i = 0;
for (X509Certificate cert : certs) {
certKeyStore.setCertificateEntry(String.format("cert-%d", i++), cert);
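Review bot: The new `certKeyStore.load(null, new char[0]);` line carries no comment saying why the two-argument overload is required, so a later cleanup could shorten it back to `load(null)` and reintroduce the failure on providers that reject a null LoadStoreParameter. A one-line comment directly above the call, noting that some FIPS providers throw IllegalArgumentException on the one-argument form, would keep the reason next to the code rather than only in the commit message. The diffstat also shows a single file changed, so nothing in this commit exercises the new call; a small test that builds the trust store through this path and asserts the certificate entries are present would guard against regression.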