
Example 1 with X509Certificate

Use of java.security.cert.X509Certificate in the Apache Hadoop project.

Method getAcceptedIssuers of class ReloadingX509TrustManager.

@Override
public X509Certificate[] getAcceptedIssuers() {
    // Delegate to whatever trust manager the reloader currently holds.
    final X509TrustManager delegate = trustManagerRef.get();
    // No delegate loaded (nothing was ever loaded, or the reference was cleared):
    // advertise no trusted issuers rather than null, so callers fail closed
    // instead of NPE-ing on the array.
    if (delegate == null) {
        return EMPTY;
    }
    return delegate.getAcceptedIssuers();
}

Example 2 with X509Certificate

Use of java.security.cert.X509Certificate in the Apache Hadoop project.

Method testReload of class TestReloadingX509TrustManager.

@Test(timeout = 30000)
public void testReload() throws Exception {
    // Two self-signed certs over one key pair; this test only counts the
    // issuers the trust manager advertises, it does not validate any chain.
    // NOTE(review): SHA1withRSA is a test-fixture choice; SHA-1 signatures are
    // not acceptable for real certificates.
    KeyPair keyPair = generateKeyPair("RSA");
    cert1 = generateCertificate("CN=Cert1", keyPair, 30, "SHA1withRSA");
    cert2 = generateCertificate("CN=Cert2", keyPair, 30, "SHA1withRSA");
    String storePath = BASEDIR + "/testreload.jks";
    createTrustStore(storePath, "password", "cert1", cert1);
    final ReloadingX509TrustManager trustManager =
        new ReloadingX509TrustManager("jks", storePath, "password", 10);
    try {
        trustManager.init();
        assertEquals(1, trustManager.getAcceptedIssuers().length);
        // Let the clock move past the reload interval so the rewritten store
        // carries a newer modification time than the original one.
        Thread.sleep(trustManager.getReloadInterval() + 1000);
        // Rewrite the store with a second trust anchor added.
        Map<String, X509Certificate> bothCerts = new HashMap<String, X509Certificate>();
        bothCerts.put("cert1", cert1);
        bothCerts.put("cert2", cert2);
        createTrustStore(storePath, "password", bothCerts);
        // Poll, bounded at 10s, until the background reload exposes cert2.
        GenericTestUtils.waitFor(new Supplier<Boolean>() {
            @Override
            public Boolean get() {
                return trustManager.getAcceptedIssuers().length == 2;
            }
        }, (int) trustManager.getReloadInterval(), 10000);
    } finally {
        trustManager.destroy();
    }
}

Example 3 with X509Certificate

Use of java.security.cert.X509Certificate in the Apache Hadoop project.

Method testReloadCorruptTrustStore of class TestReloadingX509TrustManager.

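@Test(timeout = 30000)
public void testReloadCorruptTrustStore() throws Exception {
    // Self-signed test certs; SHA1withRSA is a fixture choice only, never
    // acceptable for real certificates.
    KeyPair kp = generateKeyPair("RSA");
    cert1 = generateCertificate("CN=Cert1", kp, 30, "SHA1withRSA");
    cert2 = generateCertificate("CN=Cert2", kp, 30, "SHA1withRSA");
    String truststoreLocation = BASEDIR + "/testcorrupt.jks";
    createTrustStore(truststoreLocation, "password", "cert1", cert1);
    ReloadingX509TrustManager tm = new ReloadingX509TrustManager("jks", truststoreLocation, "password", 10);
    try {
        tm.init();
        assertEquals(1, tm.getAcceptedIssuers().length);
        final X509Certificate cert = tm.getAcceptedIssuers()[0];
        // Wait so that the file modification time is different
        Thread.sleep((tm.getReloadInterval() + 1000));
        assertFalse(reloaderLog.getOutput().contains(ReloadingX509TrustManager.RELOAD_ERROR_MESSAGE));
        // Overwrite the store with a single junk byte so the next reload cannot
        // parse it. Close the stream in a finally so a failing write() does not
        // leak the file handle (the original closed it only on the happy path).
        OutputStream os = new FileOutputStream(truststoreLocation);
        try {
            os.write(1);
        } finally {
            os.close();
        }
        waitForFailedReloadAtLeastOnce((int) tm.getReloadInterval());
        // Fail-safe check: a corrupt store must not wipe out the trust anchors
        // that were loaded before it was corrupted.
        assertEquals(1, tm.getAcceptedIssuers().length);
        assertEquals(cert, tm.getAcceptedIssuers()[0]);
    } finally {
        reloaderLog.stopCapturing();
        tm.destroy();
    }
}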

Example 4 with X509Certificate

Use of java.security.cert.X509Certificate in the Apache Hadoop project.

Method checkSSLFactoryInitWithPasswords of class TestSSLFactory.

/**
 * Bootstraps a keystore, a truststore and an ssl-server.xml or ssl-client.xml,
 * then initializes an SSLFactory against them. Success means {@code init()}
 * returns without throwing; nothing else is asserted. Helper for tests that
 * vary where the store and key passwords come from (config file vs. credential
 * provider).
 *
 * @param mode SSLFactory.Mode to exercise (SERVER or CLIENT)
 * @param password store password written into the keystore
 * @param keyPassword key password written into the keystore
 * @param confPassword store password to write into the SSL config, or null to
 *   leave it unset
 * @param confKeyPassword key password to write into the SSL config, or null to
 *   leave it unset
 * @param useCredProvider when true both config passwords are forced to null so
 *   they must be resolved through the credential provider API
 *   (Configuration.getPassword); the provider path itself is only configured
 *   in SERVER mode
 * @throws Exception on any setup or initialization failure
 */
private void checkSSLFactoryInitWithPasswords(SSLFactory.Mode mode, String password, String keyPassword, String confPassword, String confKeyPassword, boolean useCredProvider) throws Exception {
    final String keystore = new File(KEYSTORES_DIR, "keystore.jks").getAbsolutePath();
    final String truststore = new File(KEYSTORES_DIR, "truststore.jks").getAbsolutePath();
    final String trustPassword = "trustP";

    // One self-signed cert for "Test"; it is both the server identity and the
    // only trust anchor. SHA1withRSA is a fixture choice, not production grade.
    KeyPair keyPair = KeyStoreTestUtil.generateKeyPair("RSA");
    X509Certificate cert = KeyStoreTestUtil.generateCertificate("CN=Test", keyPair, 30, "SHA1withRSA");
    KeyStoreTestUtil.createKeyStore(keystore, password, keyPassword, "Test", keyPair.getPrivate(), cert);
    KeyStoreTestUtil.createTrustStore(truststore, trustPassword, Collections.singletonMap("server", cert));

    // When a credential provider is in play the config must carry no plaintext
    // passwords at all; the SSLFactory has to look them up by alias.
    final String effectiveStorePassword = useCredProvider ? null : confPassword;
    final String effectiveKeyPassword = useCredProvider ? null : confKeyPassword;

    final String sslConfFileName;
    final Configuration sslConf;
    if (mode == SSLFactory.Mode.SERVER) {
        sslConfFileName = "ssl-server.xml";
        sslConf = KeyStoreTestUtil.createServerSSLConfig(keystore, effectiveStorePassword, effectiveKeyPassword, truststore);
        if (useCredProvider) {
            // Point the server config at a JavaKeyStoreProvider under the test dir.
            File testDir = GenericTestUtils.getTestDir();
            Path jksPath = new Path(testDir.toString(), "test.jks");
            String providerUrl = JavaKeyStoreProvider.SCHEME_NAME + "://file" + jksPath.toUri();
            sslConf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, providerUrl);
        }
    } else {
        // NOTE(review): no credential provider path is set in CLIENT mode even
        // when useCredProvider is true, unlike the SERVER branch above. Confirm
        // the client-mode callers never pass useCredProvider=true.
        sslConfFileName = "ssl-client.xml";
        sslConf = KeyStoreTestUtil.createClientSSLConfig(keystore, effectiveStorePassword, effectiveKeyPassword, truststore);
    }
    KeyStoreTestUtil.saveConfig(new File(sslConfsDir, sslConfFileName), sslConf);

    // Master configuration for the SSLFactory; by default it refers to the
    // ssl-server.xml / ssl-client.xml written just above. Client certs are
    // required for this run.
    Configuration conf = new Configuration();
    conf.setBoolean(SSLFactory.SSL_REQUIRE_CLIENT_CERT_KEY, true);

    // The check itself: init() must complete without throwing.
    SSLFactory sslFactory = new SSLFactory(mode, conf);
    try {
        sslFactory.init();
    } finally {
        sslFactory.destroy();
    }
}

Example 5 with X509Certificate

Use of java.security.cert.X509Certificate in the Apache Hadoop project.

Method testReloadMissingTrustStore of class TestReloadingX509TrustManager.

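@Test(timeout = 30000)
public void testReloadMissingTrustStore() throws Exception {
    // Self-signed test certs; SHA1withRSA is a fixture choice only, never
    // acceptable for real certificates.
    KeyPair kp = generateKeyPair("RSA");
    cert1 = generateCertificate("CN=Cert1", kp, 30, "SHA1withRSA");
    cert2 = generateCertificate("CN=Cert2", kp, 30, "SHA1withRSA");
    String truststoreLocation = BASEDIR + "/testmissing.jks";
    createTrustStore(truststoreLocation, "password", "cert1", cert1);
    ReloadingX509TrustManager tm = new ReloadingX509TrustManager("jks", truststoreLocation, "password", 10);
    try {
        tm.init();
        assertEquals(1, tm.getAcceptedIssuers().length);
        X509Certificate cert = tm.getAcceptedIssuers()[0];
        assertFalse(reloaderLog.getOutput().contains(ReloadingX509TrustManager.RELOAD_ERROR_MESSAGE));
        // File.delete() reports failure only through its return value, which
        // the original ignored. If the store silently survives, the rest of
        // this test is exercising a healthy store rather than a missing one,
        // so fail loudly instead.
        if (!new File(truststoreLocation).delete()) {
            throw new AssertionError("failed to delete " + truststoreLocation);
        }
        waitForFailedReloadAtLeastOnce((int) tm.getReloadInterval());
        // Fail-safe check: losing the store must leave the previously loaded
        // trust anchors in place rather than emptying the trust manager.
        assertEquals(1, tm.getAcceptedIssuers().length);
        assertEquals(cert, tm.getAcceptedIssuers()[0]);
    } finally {
        reloaderLog.stopCapturing();
        tm.destroy();
    }
}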
