Github user ivmaykov commented on a diff in the pull request: https://github.com/apache/zookeeper/pull/184#discussion_r194461322 --- Diff: src/java/main/org/apache/zookeeper/common/X509Util.java --- @@ -160,43 +214,120 @@ public static X509KeyManager createKeyManager(String keyStoreLocation, String ke } throw new KeyManagerException("Couldn't find X509KeyManager"); - } catch (Exception e) { - throw new KeyManagerException(e); + } catch (IOException|CertificateException|UnrecoverableKeyException|NoSuchAlgorithmException|KeyStoreException + keyManagerCreationException) { + throw new KeyManagerException(keyManagerCreationException); } finally { if (inputStream != null) { try { inputStream.close(); - } catch (IOException e) {} + } catch (IOException ioException) { + LOG.info("Failed to close key store input stream", ioException); + } } } } - public static X509TrustManager createTrustManager(String trustStoreLocation, String trustStorePassword) + public static X509TrustManager createTrustManager(String trustStoreLocation, String trustStorePassword, + boolean crlEnabled, boolean ocspEnabled, + final boolean hostnameVerificationEnabled, + final boolean shouldVerifyClientHostname) throws TrustManagerException { FileInputStream inputStream = null; try { - char[] trustStorePasswordChars = trustStorePassword.toCharArray(); File trustStoreFile = new File(trustStoreLocation); KeyStore ts = KeyStore.getInstance("JKS"); inputStream = new FileInputStream(trustStoreFile); - ts.load(inputStream, trustStorePasswordChars); - TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509"); - tmf.init(ts); + if (trustStorePassword != null) { + char[] trustStorePasswordChars = trustStorePassword.toCharArray(); + ts.load(inputStream, trustStorePasswordChars); + } else { + ts.load(inputStream, null); + } - for (TrustManager tm : tmf.getTrustManagers()) { - if (tm instanceof X509TrustManager) { - return (X509TrustManager) tm; + PKIXBuilderParameters pbParams = new PKIXBuilderParameters(ts, new X509CertSelector()); + if (crlEnabled || ocspEnabled) { + pbParams.setRevocationEnabled(true); + System.setProperty("com.sun.net.ssl.checkRevocation", "true"); + System.setProperty("com.sun.security.enableCRLDP", "true"); + if (ocspEnabled) { + Security.setProperty("ocsp.enable", "true"); + } + + } else { + pbParams.setRevocationEnabled(false); + } + + // Revocation checking is only supported with the PKIX algorithm + TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX"); + tmf.init(new CertPathTrustManagerParameters(pbParams)); + + for (final TrustManager tm : tmf.getTrustManagers()) { + if (tm instanceof X509ExtendedTrustManager) { + return new ZKTrustManager((X509ExtendedTrustManager) tm, hostnameVerificationEnabled, shouldVerifyClientHostname); } } throw new TrustManagerException("Couldn't find X509TrustManager"); - } catch (Exception e) { - throw new TrustManagerException(e); + } catch (IOException|CertificateException|NoSuchAlgorithmException|InvalidAlgorithmParameterException|KeyStoreException + trustManagerCreationException) { + throw new TrustManagerException(trustManagerCreationException); } finally { if (inputStream != null) { try { inputStream.close(); - } catch (IOException e) {} + } catch (IOException ioException) { + LOG.info("failed to close TrustStore input stream", ioException); + } } } } -} \ No newline at end of file + + public SSLSocket createSSLSocket() throws X509Exception, IOException { + SSLSocket sslSocket = (SSLSocket) getDefaultSSLContext().getSocketFactory().createSocket(); + configureSSLSocket(sslSocket); + + return sslSocket; + } + + public SSLSocket createSSLSocket(Socket socket) throws X509Exception, IOException { + SSLSocket sslSocket = (SSLSocket) getDefaultSSLContext().getSocketFactory().createSocket(socket, null, socket.getPort(), true); + configureSSLSocket(sslSocket); + + return sslSocket; + } + + private void configureSSLSocket(SSLSocket sslSocket) { + if (cipherSuites != null) { + SSLParameters sslParameters = sslSocket.getSSLParameters(); + LOG.debug("Setup cipher suites for client socket: {}", Arrays.toString(cipherSuites)); + sslParameters.setCipherSuites(cipherSuites); + sslSocket.setSSLParameters(sslParameters); + } + } + + + public SSLServerSocket createSSLServerSocket() throws X509Exception, IOException { + SSLServerSocket sslServerSocket = (SSLServerSocket) getDefaultSSLContext().getServerSocketFactory().createServerSocket(); --- End diff -- I wouldn't touch `NettyServerCnxnFactory` in this PR since quorum SSL and client SSL are basically independent of each other.
---