maskit closed pull request #1245: Refactor SecurityUtility class
URL: https://github.com/apache/incubator-pulsar/pull/1245
This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:
As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):
diff --git
a/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java
b/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java
index 5e1a1390b..26f97bbcb 100644
---
a/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java
+++
b/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java
@@ -28,8 +28,11 @@
import java.security.KeyFactory;
import java.security.KeyManagementException;
import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.SecureRandom;
+import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
@@ -37,7 +40,6 @@
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.Collection;
-import java.util.List;
import java.util.Set;
import javax.net.ssl.KeyManager;
@@ -60,7 +62,7 @@ public static SSLContext createSslContext(boolean
allowInsecureConnection, Certi
}
public static SslContext createNettySslContextForClient(boolean
allowInsecureConnection, String trustCertsFilePath)
- throws GeneralSecurityException, SSLException,
FileNotFoundException {
+ throws GeneralSecurityException, SSLException,
FileNotFoundException, IOException {
return createNettySslContextForClient(allowInsecureConnection,
trustCertsFilePath, (Certificate[]) null,
(PrivateKey) null);
}
@@ -75,7 +77,7 @@ public static SSLContext createSslContext(boolean
allowInsecureConnection, Strin
public static SslContext createNettySslContextForClient(boolean
allowInsecureConnection, String trustCertsFilePath,
String certFilePath, String keyFilePath)
- throws GeneralSecurityException, SSLException,
FileNotFoundException {
+ throws GeneralSecurityException, SSLException,
FileNotFoundException, IOException {
X509Certificate[] certificates =
loadCertificatesFromPemFile(certFilePath);
PrivateKey privateKey = loadPrivateKeyFromPemFile(keyFilePath);
return createNettySslContextForClient(allowInsecureConnection,
trustCertsFilePath, certificates, privateKey);
@@ -83,46 +85,25 @@ public static SslContext
createNettySslContextForClient(boolean allowInsecureCon
public static SslContext createNettySslContextForClient(boolean
allowInsecureConnection, String trustCertsFilePath,
Certificate[] certificates, PrivateKey privateKey)
- throws GeneralSecurityException, SSLException,
FileNotFoundException {
+ throws GeneralSecurityException, SSLException,
FileNotFoundException, IOException {
SslContextBuilder builder = SslContextBuilder.forClient();
- if (allowInsecureConnection) {
- builder.trustManager(InsecureTrustManagerFactory.INSTANCE);
- } else {
- if (trustCertsFilePath != null && trustCertsFilePath.length() !=
0) {
- builder.trustManager(new FileInputStream(trustCertsFilePath));
- }
- }
- builder.keyManager(privateKey, (X509Certificate[]) certificates);
+ setupTrustCerts(builder, allowInsecureConnection, trustCertsFilePath);
+ setupKeyManager(builder, privateKey, (X509Certificate[]) certificates);
return builder.build();
}
public static SslContext createNettySslContextForServer(boolean
allowInsecureConnection, String trustCertsFilePath,
String certFilePath, String keyFilePath, Set<String> ciphers,
Set<String> protocols)
- throws GeneralSecurityException, SSLException,
FileNotFoundException {
+ throws GeneralSecurityException, SSLException,
FileNotFoundException, IOException {
X509Certificate[] certificates =
loadCertificatesFromPemFile(certFilePath);
PrivateKey privateKey = loadPrivateKeyFromPemFile(keyFilePath);
SslContextBuilder builder = SslContextBuilder.forServer(privateKey,
(X509Certificate[]) certificates);
- if (ciphers != null && ciphers.size() > 0) {
- builder.ciphers(ciphers);
- }
-
- if (protocols != null && protocols.size() > 0) {
- String[] protocolsArray = new String[protocols.size()];
- builder.protocols(protocols.toArray(protocolsArray));
- }
-
- if (allowInsecureConnection) {
- builder.trustManager(InsecureTrustManagerFactory.INSTANCE);
- } else {
- if (trustCertsFilePath != null && trustCertsFilePath.length() !=
0) {
- builder.trustManager(new FileInputStream(trustCertsFilePath));
- } else {
- builder.trustManager((File) null);
- }
- }
- builder.keyManager(privateKey, (X509Certificate[]) certificates);
- builder.clientAuth(ClientAuth.OPTIONAL);
+ setupCiphers(builder, ciphers);
+ setupProtocols(builder, protocols);
+ setupTrustCerts(builder, allowInsecureConnection, trustCertsFilePath);
+ setupKeyManager(builder, privateKey, certificates);
+ setupClientAuthentication(builder);
return builder.build();
}
@@ -132,7 +113,30 @@ public static SSLContext createSslContext(boolean
allowInsecureConnection, Certi
TrustManager[] trustManagers = null;
KeyManager[] keyManagers = null;
- // Set trusted certificate
+ trustManagers = setupTrustCerts(ksh, allowInsecureConnection,
trustCertficates);
+ keyManagers = setupKeyManager(ksh, privateKey, certificates);
+
+ SSLContext sslCtx = SSLContext.getInstance("TLS");
+ sslCtx.init(keyManagers, trustManagers, new SecureRandom());
+ sslCtx.getDefaultSSLParameters();
+ return sslCtx;
+ }
+
+ private static KeyManager[] setupKeyManager(KeyStoreHolder ksh, PrivateKey
privateKey, Certificate[] certificates)
+ throws KeyStoreException, NoSuchAlgorithmException,
UnrecoverableKeyException {
+ KeyManager[] keyManagers = null;
+ if (certificates != null && privateKey != null) {
+ ksh.setPrivateKey("private", privateKey, certificates);
+ KeyManagerFactory kmf =
KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+ kmf.init(ksh.getKeyStore(), "".toCharArray());
+ keyManagers = kmf.getKeyManagers();
+ }
+ return keyManagers;
+ }
+
+ private static TrustManager[] setupTrustCerts(KeyStoreHolder ksh, boolean
allowInsecureConnection,
+ Certificate[] trustCertficates) throws NoSuchAlgorithmException,
KeyStoreException {
+ TrustManager[] trustManagers;
if (allowInsecureConnection) {
trustManagers =
InsecureTrustManagerFactory.INSTANCE.getTrustManagers();
} else {
@@ -149,18 +153,7 @@ public static SSLContext createSslContext(boolean
allowInsecureConnection, Certi
trustManagers = tmf.getTrustManagers();
}
-
- // Set private key and certificate
- if (certificates != null && privateKey != null) {
- ksh.setPrivateKey("private", privateKey, certificates);
- KeyManagerFactory kmf =
KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
- kmf.init(ksh.getKeyStore(), "".toCharArray());
- keyManagers = kmf.getKeyManagers();
- }
-
- SSLContext sslCtx = SSLContext.getInstance("TLS");
- sslCtx.init(keyManagers, trustManagers, new SecureRandom());
- return sslCtx;
+ return trustManagers;
}
public static X509Certificate[] loadCertificatesFromPemFile(String
certFilePath) throws KeyManagementException {
@@ -211,4 +204,39 @@ public static PrivateKey loadPrivateKeyFromPemFile(String
keyFilePath) throws Ke
return privateKey;
}
+ private static void setupTrustCerts(SslContextBuilder builder, boolean
allowInsecureConnection,
+ String trustCertsFilePath) throws IOException,
FileNotFoundException {
+ if (allowInsecureConnection) {
+ builder.trustManager(InsecureTrustManagerFactory.INSTANCE);
+ } else {
+ if (trustCertsFilePath != null && trustCertsFilePath.length() !=
0) {
+ try (FileInputStream input = new
FileInputStream(trustCertsFilePath)) {
+ builder.trustManager(input);
+ }
+ } else {
+ builder.trustManager((File) null);
+ }
+ }
+ }
+
+ private static void setupKeyManager(SslContextBuilder builder, PrivateKey
privateKey,
+ X509Certificate[] certificates) {
+ builder.keyManager(privateKey, (X509Certificate[]) certificates);
+ }
+
+ private static void setupCiphers(SslContextBuilder builder, Set<String>
ciphers) {
+ if (ciphers != null && ciphers.size() > 0) {
+ builder.ciphers(ciphers);
+ }
+ }
+
+ private static void setupProtocols(SslContextBuilder builder, Set<String>
protocols) {
+ if (protocols != null && protocols.size() > 0) {
+ builder.protocols(protocols.toArray(new String[protocols.size()]));
+ }
+ }
+
+ private static void setupClientAuthentication(SslContextBuilder builder) {
+ builder.clientAuth(ClientAuth.OPTIONAL);
+ }
}
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
