This is an automated email from the ASF dual-hosted git repository.

abstractdog pushed a commit to branch branch-0.9
in repository https://gitbox.apache.org/repos/asf/tez.git


The following commit(s) were added to refs/heads/branch-0.9 by this push:
     new d8585bb  TEZ-4342: TestSecureShuffle is broken - No subject 
alternative names present (#158) (Laszlo Bodor reviewed by Rajesh Balamohan)
d8585bb is described below

commit d8585bb2672283ba564da4416ef1bf46bcd754b6
Author: Bodor Laszlo <[email protected]>
AuthorDate: Mon Oct 25 13:19:48 2021 +0200

    TEZ-4342: TestSecureShuffle is broken - No subject alternative names 
present (#158) (Laszlo Bodor reviewed by Rajesh Balamohan)
---
 .../org/apache/tez/test/TestSecureShuffle.java     | 50 ++++++++++++++++++++--
 1 file changed, 46 insertions(+), 4 deletions(-)

diff --git a/tez-tests/src/test/java/org/apache/tez/test/TestSecureShuffle.java 
b/tez-tests/src/test/java/org/apache/tez/test/TestSecureShuffle.java
index 0150e6f..00196a2 100644
--- a/tez-tests/src/test/java/org/apache/tez/test/TestSecureShuffle.java
+++ b/tez-tests/src/test/java/org/apache/tez/test/TestSecureShuffle.java
@@ -24,14 +24,19 @@ import java.io.BufferedWriter;
 import java.io.File;
 import java.io.IOException;
 import java.io.OutputStreamWriter;
+import java.math.BigInteger;
 import java.net.InetAddress;
 import java.security.KeyPair;
+import java.security.SecureRandom;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Collection;
+import java.util.Date;
 import java.util.HashMap;
 import java.util.Map;
 
+import javax.security.auth.x500.X500Principal;
+
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.FSDataOutputStream;
 import org.apache.hadoop.fs.FileSystem;
@@ -45,6 +50,10 @@ import org.apache.hadoop.security.ssl.SSLFactory;
 import org.apache.tez.dag.api.TezConfiguration;
 import org.apache.tez.mapreduce.examples.TestOrderedWordCount;
 import org.apache.tez.runtime.library.api.TezRuntimeConfiguration;
+import org.bouncycastle.asn1.x509.GeneralName;
+import org.bouncycastle.asn1.x509.GeneralNames;
+import org.bouncycastle.asn1.x509.X509Extensions;
+import org.bouncycastle.x509.X509V3CertificateGenerator;
 import org.junit.After;
 import org.junit.AfterClass;
 import org.junit.Before;
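Review bot: The four `org.bouncycastle.*` imports make this test depend directly on the BouncyCastle provider, but the diffstat lists only this file, so the module's build descriptor was not touched; if bcprov reaches tez-tests only transitively (through Hadoop, presumably), a future upstream dependency change could silently break compilation here. Declaring the artifact explicitly in the test module's dependency block with test scope, pinned to the version the rest of the build already resolves, keeps the dependency visible and auditable. The class names chosen (`X509V3CertificateGenerator`, `X509Extensions`) also belong to the older, deprecated BouncyCastle API, which narrows the range of provider versions this code will compile against.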
@@ -221,8 +230,9 @@ public class TestSecureShuffle {
    * (as discussed in 
https://github.com/AsyncHttpClient/async-http-client/issues/928), that's why
    * it cannot be set for an async http connection. So instead of hacking an 
ALLOW_ALL verifier
    * somehow (which cannot be propagated to netty), a valid certificate with 
the actual hostname
-   * should be generated in setupSSLConfig, so the only change is the usage of
-   * "InetAddress.getLocalHost().getHostName()".
+   * should be generated in setupSSLConfig. So, one change is the usage of
+   * InetAddress.getLocalHost().getHostName(), the other is using local 
generateCertificate,
+   * which fixes another issue.
    */
   public static void setupSSLConfig(String keystoresDir, String sslConfDir, 
Configuration config,
       boolean useClientCert, boolean trustStore) throws Exception {
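Review bot: The rewritten Javadoc ends with `which fixes another issue` without saying what that issue is, so a reader has to open TEZ-4342 to learn why the local `generateCertificate` exists. Stating it inline keeps the comment self-contained, for example `the other is using the local generateCertificate, which adds the local IP address as a Subject Alternative Name (TEZ-4342)`, which matches what the new method actually does. The body of setupSSLConfig continues outside this hunk.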
@@ -241,7 +251,7 @@ public class TestSecureShuffle {
     if (useClientCert) {
       KeyPair cKP = KeyStoreTestUtil.generateKeyPair("RSA");
       X509Certificate cCert =
-          KeyStoreTestUtil.generateCertificate("CN=localhost, O=client", cKP, 
30, "SHA1withRSA");
+          generateCertificate("CN=localhost, O=client", cKP, 30, 
"SHA1withRSA");
       KeyStoreTestUtil.createKeyStore(clientKS, clientPassword, "client", 
cKP.getPrivate(), cCert);
       certs.put("client", cCert);
     }
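Review bot: The new `generateCertificate("CN=localhost, O=client", cKP, 30, "SHA1withRSA")` call keeps SHA-1 as the signature algorithm, and the server-side call in the next hunk does the same. These certificates are self-signed test material, so they are presumably not affected by the JDK's SHA-1 restrictions on CA-anchored chains today, but SHA-1 signatures are increasingly rejected by TLS stacks and switching the literal costs nothing: `"SHA256withRSA"` in both calls. setupSSLConfig's body starts and ends outside this hunk.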
@@ -249,7 +259,7 @@ public class TestSecureShuffle {
     String localhostName = InetAddress.getLocalHost().getHostName();
     KeyPair sKP = KeyStoreTestUtil.generateKeyPair("RSA");
     X509Certificate sCert =
-        KeyStoreTestUtil.generateCertificate("CN="+localhostName+", O=server", 
sKP, 30, "SHA1withRSA");
+        generateCertificate("CN="+localhostName+", O=server", sKP, 30, 
"SHA1withRSA");
     KeyStoreTestUtil.createKeyStore(serverKS, serverPassword, "server", 
sKP.getPrivate(), sCert);
     certs.put("server", sCert);
 
@@ -273,4 +283,36 @@ public class TestSecureShuffle {
     config.set(SSLFactory.SSL_SERVER_CONF_KEY, sslServerConfFile.getName());
     config.setBoolean(SSLFactory.SSL_REQUIRE_CLIENT_CERT_KEY, useClientCert);
   }
+
+  /**
+   * This is a copied version of hadoop's 
KeyStoreTestUtil.generateCertificate, which takes care of setting
+   * IP address as a SSL Subject Alternative Name (SAN). Without this, SSL 
shuffle failed with async http client.
+   * Introduced by TEZ-4342.
+   */
+  public static X509Certificate generateCertificate(String dn, KeyPair pair, 
int days, String algorithm)
+      throws Exception {
+
+    Date from = new Date();
+    Date to = new Date(from.getTime() + days * 86400000L);
+    BigInteger sn = new BigInteger(64, new SecureRandom());
+    KeyPair keyPair = pair;
+    X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
+
+    String hostAddress = InetAddress.getLocalHost().getHostAddress();
+    certGen.addExtension(X509Extensions.SubjectAlternativeName, false,
+        new GeneralNames(new GeneralName(GeneralName.iPAddress, hostAddress)));
+
+    X500Principal dnName = new X500Principal(dn);
+
+    certGen.setSerialNumber(sn);
+    certGen.setIssuerDN(dnName);
+    certGen.setNotBefore(from);
+    certGen.setNotAfter(to);
+    certGen.setSubjectDN(dnName);
+    certGen.setPublicKey(keyPair.getPublic());
+    certGen.setSignatureAlgorithm(algorithm);
+
+    X509Certificate cert = certGen.generate(pair.getPrivate());
+    return cert;
+  }
 }
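Review bot: The SAN added at the `certGen.addExtension(...)` call carries only the machine's IP address, while the subject DN the callers build uses `InetAddress.getLocalHost().getHostName()`; once a certificate carries a SAN extension, hostname verifiers typically match against the SAN entries alone and ignore the CN, so a client connecting by hostname rather than by address could still fail verification. Adding a dNSName entry next to the iPAddress one covers both forms: `InetAddress local = InetAddress.getLocalHost();` and `new GeneralNames(new GeneralName[] { new GeneralName(GeneralName.dNSName, local.getHostName()), new GeneralName(GeneralName.iPAddress, local.getHostAddress()) })`. `X509V3CertificateGenerator` and `X509Extensions` are deprecated in BouncyCastle in favour of `org.bouncycastle.cert.X509v3CertificateBuilder` (or the `Jca` variant) and `org.bouncycastle.asn1.x509.Extension`, so this copy will need porting when the provider version moves; a comment noting that would help the next maintainer. Minor style: `KeyPair keyPair = pair;` merely aliases the parameter, and the `cert` local can be dropped in favour of `return certGen.generate(pair.getPrivate());`.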
