[GitHub] [geode] DonalEvans commented on a change in pull request #6826: GEODE-9542: Enable SSL client authentication for Radish

Wed, 01 Sep 2021 10:43:34 -0700 


DonalEvans commented on a change in pull request #6826:
URL: https://github.com/apache/geode/pull/6826#discussion_r700357572



##########
File path: 
geode-apis-compatible-with-redis/src/main/java/org/apache/geode/redis/internal/netty/NettyRedisServer.java
##########
@@ -180,29 +181,45 @@ public void initChannel(SocketChannel socketChannel) {
 
   private void addSSLIfEnabled(SocketChannel ch, ChannelPipeline p) {
 
-    SSLConfig sslConfigForComponent =
+    SSLConfig sslConfigForServer =
         SSLConfigurationFactory.getSSLConfigForComponent(configSupplier.get(),
             SecurableCommunicationChannel.SERVER);
 
-    if (!sslConfigForComponent.isEnabled()) {
+    if (!sslConfigForServer.isEnabled()) {
       return;
     }
 
     SslContext sslContext;
-    try (FileInputStream fileInputStream =
-        new FileInputStream(sslConfigForComponent.getKeystore())) {
-      KeyStore ks = KeyStore.getInstance("JKS");
-      ks.load(fileInputStream, 
sslConfigForComponent.getKeystorePassword().toCharArray());
-      // Set up key manager factory to use our key store
-      KeyManagerFactory kmf =
-          
KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
-      kmf.init(ks, sslConfigForComponent.getKeystorePassword().toCharArray());
-
-      SslContextBuilder sslContextBuilder = SslContextBuilder.forServer(kmf);
-      sslContext = sslContextBuilder.build();
+    try {
+      KeyManagerFactory keyManagerFactory = null;
+      if (sslConfigForServer.getKeystore() != null) {
+        keyManagerFactory = new KeyManagerFactoryWrapper(
+            
FileWatchingX509ExtendedKeyManager.newFileWatchingKeyManager(sslConfigForServer));
+      }
+
+      TrustManagerFactory trustManagerFactory = null;
+      if (sslConfigForServer.getTruststore() != null) {
+        trustManagerFactory = new TrustManagerFactoryWrapper(
+            
FileWatchingX509ExtendedTrustManager.newFileWatchingTrustManager(sslConfigForServer));
+      }
+
+      SslContextBuilder sslContextBuilder = 
SslContextBuilder.forServer(keyManagerFactory);

Review comment:
       The javadoc for `SslContextBuilder.forServer()` states that the 
`keyManagerFactory` must be non-null, but it's possible that we get to this 
point with a null `keyManagerFactory` if `sslConfigForServer.getKeystore()` 
returns null. Is it actually possible for `sslConfigForServer.getKeystore()` to 
return null? If not, that check should probably be removed.




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to