This is an automated email from the ASF dual-hosted git repository.

maskit pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-pulsar.git


The following commit(s) were added to refs/heads/master by this push:
     new 3d5d760  Refactor SecurityUtility class (#1245)
3d5d760 is described below

commit 3d5d76088819dad653d516de85b951051b2772fd
Author: Masakazu Kitajo <mas...@apache.org>
AuthorDate: Mon Feb 19 21:51:09 2018 +0900

    Refactor SecurityUtility class (#1245)
---
 .../apache/pulsar/common/util/SecurityUtility.java | 120 +++++++++++++--------
 1 file changed, 74 insertions(+), 46 deletions(-)

diff --git 
a/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java
 
b/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java
index 5e1a139..26f97bb 100644
--- 
a/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java
+++ 
b/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java
@@ -28,8 +28,11 @@ import java.security.GeneralSecurityException;
 import java.security.KeyFactory;
 import java.security.KeyManagementException;
 import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
 import java.security.SecureRandom;
+import java.security.UnrecoverableKeyException;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
@@ -37,7 +40,6 @@ import java.security.spec.KeySpec;
 import java.security.spec.PKCS8EncodedKeySpec;
 import java.util.Base64;
 import java.util.Collection;
-import java.util.List;
 import java.util.Set;
 
 import javax.net.ssl.KeyManager;
@@ -60,7 +62,7 @@ public class SecurityUtility {
     }
 
     public static SslContext createNettySslContextForClient(boolean 
allowInsecureConnection, String trustCertsFilePath)
-            throws GeneralSecurityException, SSLException, 
FileNotFoundException {
+            throws GeneralSecurityException, SSLException, 
FileNotFoundException, IOException {
         return createNettySslContextForClient(allowInsecureConnection, 
trustCertsFilePath, (Certificate[]) null,
                 (PrivateKey) null);
     }
@@ -75,7 +77,7 @@ public class SecurityUtility {
 
     public static SslContext createNettySslContextForClient(boolean 
allowInsecureConnection, String trustCertsFilePath,
             String certFilePath, String keyFilePath)
-            throws GeneralSecurityException, SSLException, 
FileNotFoundException {
+            throws GeneralSecurityException, SSLException, 
FileNotFoundException, IOException {
         X509Certificate[] certificates = 
loadCertificatesFromPemFile(certFilePath);
         PrivateKey privateKey = loadPrivateKeyFromPemFile(keyFilePath);
         return createNettySslContextForClient(allowInsecureConnection, 
trustCertsFilePath, certificates, privateKey);
@@ -83,46 +85,25 @@ public class SecurityUtility {
 
     public static SslContext createNettySslContextForClient(boolean 
allowInsecureConnection, String trustCertsFilePath,
             Certificate[] certificates, PrivateKey privateKey)
-            throws GeneralSecurityException, SSLException, 
FileNotFoundException {
+            throws GeneralSecurityException, SSLException, 
FileNotFoundException, IOException {
         SslContextBuilder builder = SslContextBuilder.forClient();
-        if (allowInsecureConnection) {
-            builder.trustManager(InsecureTrustManagerFactory.INSTANCE);
-        } else {
-            if (trustCertsFilePath != null && trustCertsFilePath.length() != 
0) {
-                builder.trustManager(new FileInputStream(trustCertsFilePath));
-            }
-        }
-        builder.keyManager(privateKey, (X509Certificate[]) certificates);
+        setupTrustCerts(builder, allowInsecureConnection, trustCertsFilePath);
+        setupKeyManager(builder, privateKey, (X509Certificate[]) certificates);
         return builder.build();
     }
 
     public static SslContext createNettySslContextForServer(boolean 
allowInsecureConnection, String trustCertsFilePath,
             String certFilePath, String keyFilePath, Set<String> ciphers, 
Set<String> protocols)
-            throws GeneralSecurityException, SSLException, 
FileNotFoundException {
+            throws GeneralSecurityException, SSLException, 
FileNotFoundException, IOException {
         X509Certificate[] certificates = 
loadCertificatesFromPemFile(certFilePath);
         PrivateKey privateKey = loadPrivateKeyFromPemFile(keyFilePath);
 
         SslContextBuilder builder = SslContextBuilder.forServer(privateKey, 
(X509Certificate[]) certificates);
-        if (ciphers != null && ciphers.size() > 0) {
-            builder.ciphers(ciphers);
-        }
-
-        if (protocols != null && protocols.size() > 0) {
-            String[] protocolsArray = new String[protocols.size()];
-            builder.protocols(protocols.toArray(protocolsArray));
-        }
-        
-        if (allowInsecureConnection) {
-            builder.trustManager(InsecureTrustManagerFactory.INSTANCE);
-        } else {
-            if (trustCertsFilePath != null && trustCertsFilePath.length() != 
0) {
-                builder.trustManager(new FileInputStream(trustCertsFilePath));
-            } else {
-                builder.trustManager((File) null);
-            }
-        }
-        builder.keyManager(privateKey, (X509Certificate[]) certificates);
-        builder.clientAuth(ClientAuth.OPTIONAL);
+        setupCiphers(builder, ciphers);
+        setupProtocols(builder, protocols);
+        setupTrustCerts(builder, allowInsecureConnection, trustCertsFilePath);
+        setupKeyManager(builder, privateKey, certificates);
+        setupClientAuthentication(builder);
         return builder.build();
     }
 
@@ -132,7 +113,30 @@ public class SecurityUtility {
         TrustManager[] trustManagers = null;
         KeyManager[] keyManagers = null;
 
-        // Set trusted certificate
+        trustManagers = setupTrustCerts(ksh, allowInsecureConnection, 
trustCertficates);
+        keyManagers = setupKeyManager(ksh, privateKey, certificates);
+
+        SSLContext sslCtx = SSLContext.getInstance("TLS");
+        sslCtx.init(keyManagers, trustManagers, new SecureRandom());
+        sslCtx.getDefaultSSLParameters();
+        return sslCtx;
+    }
+
+    private static KeyManager[] setupKeyManager(KeyStoreHolder ksh, PrivateKey 
privateKey, Certificate[] certificates)
+            throws KeyStoreException, NoSuchAlgorithmException, 
UnrecoverableKeyException {
+        KeyManager[] keyManagers = null;
+        if (certificates != null && privateKey != null) {
+            ksh.setPrivateKey("private", privateKey, certificates);
+            KeyManagerFactory kmf = 
KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+            kmf.init(ksh.getKeyStore(), "".toCharArray());
+            keyManagers = kmf.getKeyManagers();
+        }
+        return keyManagers;
+    }
+
+    private static TrustManager[] setupTrustCerts(KeyStoreHolder ksh, boolean 
allowInsecureConnection,
+            Certificate[] trustCertficates) throws NoSuchAlgorithmException, 
KeyStoreException {
+        TrustManager[] trustManagers;
         if (allowInsecureConnection) {
             trustManagers = 
InsecureTrustManagerFactory.INSTANCE.getTrustManagers();
         } else {
@@ -149,18 +153,7 @@ public class SecurityUtility {
 
             trustManagers = tmf.getTrustManagers();
         }
-
-        // Set private key and certificate
-        if (certificates != null && privateKey != null) {
-            ksh.setPrivateKey("private", privateKey, certificates);
-            KeyManagerFactory kmf = 
KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
-            kmf.init(ksh.getKeyStore(), "".toCharArray());
-            keyManagers = kmf.getKeyManagers();
-        }
-
-        SSLContext sslCtx = SSLContext.getInstance("TLS");
-        sslCtx.init(keyManagers, trustManagers, new SecureRandom());
-        return sslCtx;
+        return trustManagers;
     }
 
     public static X509Certificate[] loadCertificatesFromPemFile(String 
certFilePath) throws KeyManagementException {
@@ -211,4 +204,39 @@ public class SecurityUtility {
         return privateKey;
     }
 
+    private static void setupTrustCerts(SslContextBuilder builder, boolean 
allowInsecureConnection,
+            String trustCertsFilePath) throws IOException, 
FileNotFoundException {
+        if (allowInsecureConnection) {
+            builder.trustManager(InsecureTrustManagerFactory.INSTANCE);
+        } else {
+            if (trustCertsFilePath != null && trustCertsFilePath.length() != 
0) {
+                try (FileInputStream input = new 
FileInputStream(trustCertsFilePath)) {
+                    builder.trustManager(input);
+                }
+            } else {
+                builder.trustManager((File) null);
+            }
+        }
+    }
+
+    private static void setupKeyManager(SslContextBuilder builder, PrivateKey 
privateKey,
+            X509Certificate[] certificates) {
+        builder.keyManager(privateKey, (X509Certificate[]) certificates);
+    }
+
+    private static void setupCiphers(SslContextBuilder builder, Set<String> 
ciphers) {
+        if (ciphers != null && ciphers.size() > 0) {
+            builder.ciphers(ciphers);
+        }
+    }
+
+    private static void setupProtocols(SslContextBuilder builder, Set<String> 
protocols) {
+        if (protocols != null && protocols.size() > 0) {
+            builder.protocols(protocols.toArray(new String[protocols.size()]));
+        }
+    }
+
+    private static void setupClientAuthentication(SslContextBuilder builder) {
+        builder.clientAuth(ClientAuth.OPTIONAL);
+    }
 }

-- 
To stop receiving notification emails like this one, please contact
mas...@apache.org.

Reply via email to