Class HBaseTrustManager

java.lang.Object
  javax.net.ssl.X509ExtendedTrustManager
    org.apache.hadoop.hbase.io.crypto.tls.HBaseTrustManager

- All Implemented Interfaces: TrustManager, X509TrustManager
A custom TrustManager that supports hostname verification. Verification is first attempted using just the peer's IP address; if that fails and reverse DNS lookup is allowed, a reverse DNS lookup is performed and the resulting hostname is verified. This file has been copied from the Apache ZooKeeper project.
Field Summary

Fields
- private final boolean allowReverseDnsLookup
- private final boolean hostnameVerificationEnabled
- private final HBaseHostnameVerifier hostnameVerifier
- private static final org.slf4j.Logger LOG
- private final X509ExtendedTrustManager x509ExtendedTrustManager
Constructor Summary

Constructors
- HBaseTrustManager(X509ExtendedTrustManager x509ExtendedTrustManager, boolean hostnameVerificationEnabled, boolean allowReverseDnsLookup)
  Instantiate a new HBaseTrustManager.
Method Summary

- void checkClientTrusted(X509Certificate[] chain, String authType)
- void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket)
- void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
- void checkServerTrusted(X509Certificate[] chain, String authType)
- void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket)
- void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
- private void performHostVerification(InetAddress inetAddress, X509Certificate certificate)
  Compares the peer's hostname with the one stored in the provided client certificate.
Field Details

- LOG: private static final org.slf4j.Logger LOG
- x509ExtendedTrustManager: private final X509ExtendedTrustManager x509ExtendedTrustManager
- hostnameVerificationEnabled: private final boolean hostnameVerificationEnabled
- allowReverseDnsLookup: private final boolean allowReverseDnsLookup
- hostnameVerifier: private final HBaseHostnameVerifier hostnameVerifier
Constructor Details

- HBaseTrustManager
  HBaseTrustManager(X509ExtendedTrustManager x509ExtendedTrustManager, boolean hostnameVerificationEnabled, boolean allowReverseDnsLookup)
  Instantiate a new HBaseTrustManager.
  Parameters:
    x509ExtendedTrustManager - The TrustManager to use for the checkClientTrusted/checkServerTrusted logic.
    hostnameVerificationEnabled - If true, this TrustManager verifies the hostnames of peers when checking trust.
    allowReverseDnsLookup - If true, falls back on reverse DNS if verifying the host by address fails.
Method Details

- getAcceptedIssuers
- checkClientTrusted
  public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException
  Specified by: checkClientTrusted in class X509ExtendedTrustManager
  Throws: CertificateException

- checkServerTrusted
  public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException
  Specified by: checkServerTrusted in class X509ExtendedTrustManager
  Throws: CertificateException

- checkClientTrusted
  public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException
  Specified by: checkClientTrusted in class X509ExtendedTrustManager
  Throws: CertificateException

- checkServerTrusted
  public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException
  Specified by: checkServerTrusted in class X509ExtendedTrustManager
  Throws: CertificateException

- checkClientTrusted
  public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException
  Throws: CertificateException

- checkServerTrusted
  public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException
  Throws: CertificateException
- performHostVerification
  private void performHostVerification(InetAddress inetAddress, X509Certificate certificate) throws CertificateException
  Compares the peer's hostname with the one stored in the provided client certificate. Performs verification with the help of the provided HostnameVerifier.
  Parameters:
    inetAddress - Peer's inet address.
    certificate - Peer's certificate.
  Throws:
    CertificateException - Thrown if the provided certificate doesn't match the peer hostname.
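The IP-first, reverse-DNS-fallback policy described in the class summary and in performHostVerification, modelled in Python as an added example (this is not HBase or ZooKeeper code). TrustManagerModel, HostnameVerifierModel, the SAN-tuple certificate stand-in and the PTR table are all constructed here, and chain validation by the wrapped X509ExtendedTrustManager is assumed to have already passed.

```python
import ipaddress

class CertificateException(Exception):
    """Stand-in for java.security.CertificateException."""

class HostnameVerifierModel:
    """Stand-in for HBaseHostnameVerifier (assumption): exact match against SAN entries."""
    def verify_ip(self, ip, san_entries):
        addr = ipaddress.ip_address(ip)
        return any(t == "IP" and ipaddress.ip_address(v) == addr for t, v in san_entries)

    def verify_hostname(self, host, san_entries):
        host = host.rstrip(".").lower()
        return any(t == "DNS" and v.rstrip(".").lower() == host for t, v in san_entries)

class TrustManagerModel:
    """Models only the hostname step; chain validation by the wrapped TrustManager is assumed done."""
    def __init__(self, hostname_verification_enabled, allow_reverse_dns_lookup, ptr_table):
        self.hostname_verification_enabled = hostname_verification_enabled
        self.allow_reverse_dns_lookup = allow_reverse_dns_lookup
        self.ptr_table = ptr_table  # constructed PTR records standing in for a real resolver
        self.verifier = HostnameVerifierModel()

    def perform_host_verification(self, inet_address, certificate):
        # Step 1: verify using just the IP address (a matching IP SAN).
        if self.verifier.verify_ip(inet_address, certificate):
            return "ip"
        # Step 2: only if allowed, reverse-resolve the address and verify the resulting hostname.
        if not self.allow_reverse_dns_lookup:
            raise CertificateException("no IP SAN for %s and reverse DNS disabled" % inet_address)
        hostname = self.ptr_table.get(inet_address)
        if hostname is None:
            raise CertificateException("reverse DNS lookup failed for %s" % inet_address)
        if self.verifier.verify_hostname(hostname, certificate):
            return "reverse-dns"
        raise CertificateException("%s (%s) not in certificate SANs" % (hostname, inet_address))

    def check_server_trusted(self, chain, inet_address):
        if not self.hostname_verification_enabled:
            return "skipped"
        return self.perform_host_verification(inet_address, chain[0])

def outcome(trust_manager, chain, inet_address):
    """Which check accepted the peer, or 'rejected' when a CertificateException is raised."""
    try:
        return trust_manager.check_server_trusted(chain, inet_address)
    except CertificateException:
        return "rejected"
# Constructed sample data: the SAN entries of one leaf certificate and a PTR table.
PEER_CERT = [("DNS", "rs1.hbase.example"), ("IP", "10.0.0.5")]
PTR_TABLE = {"10.0.0.5": "rs1.hbase.example", "10.0.0.6": "rs1.hbase.example", "10.0.0.7": "other.example"}
```

The reverse-DNS path accepts a peer on the strength of its PTR record alone, so comparing the allowReverseDnsLookup=true and =false runs for the same address shows exactly which peers the stricter setting refuses.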