001/*
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018package org.apache.hadoop.hbase.http.ssl;
019
020import java.io.File;
021import java.io.FileOutputStream;
022import java.io.IOException;
023import java.io.Writer;
024import java.math.BigInteger;
025import java.net.URL;
026import java.nio.charset.StandardCharsets;
027import java.security.GeneralSecurityException;
028import java.security.InvalidKeyException;
029import java.security.Key;
030import java.security.KeyPair;
031import java.security.KeyPairGenerator;
032import java.security.KeyStore;
033import java.security.NoSuchAlgorithmException;
034import java.security.NoSuchProviderException;
035import java.security.SecureRandom;
036import java.security.SignatureException;
037import java.security.cert.Certificate;
038import java.security.cert.CertificateEncodingException;
039import java.security.cert.X509Certificate;
040import java.util.Date;
041import java.util.HashMap;
042import java.util.Map;
043import javax.security.auth.x500.X500Principal;
044import org.apache.hadoop.conf.Configuration;
045import org.apache.hadoop.hbase.HBaseCommonTestingUtility;
046import org.apache.hadoop.security.ssl.FileBasedKeyStoresFactory;
047import org.apache.hadoop.security.ssl.SSLFactory;
048import org.bouncycastle.x509.X509V1CertificateGenerator;
049
050import org.apache.hbase.thirdparty.com.google.common.io.Files;
051
052public final class KeyStoreTestUtil {
053  private KeyStoreTestUtil() {
054  }
055
056  public static String getClasspathDir(Class<?> klass) throws Exception {
057    String file = klass.getName();
058    file = file.replace('.', '/') + ".class";
059    URL url = Thread.currentThread().getContextClassLoader().getResource(file);
060    String baseDir = url.toURI().getPath();
061    baseDir = baseDir.substring(0, baseDir.length() - file.length() - 1);
062    return baseDir;
063  }
064
065  /**
066   * Create a self-signed X.509 Certificate.
067   * @param dn        the X.509 Distinguished Name, eg "CN=Test, L=London, C=GB"
068   * @param pair      the KeyPair
069   * @param days      how many days from now the Certificate is valid for
070   * @param algorithm the signing algorithm, eg "SHA1withRSA"
071   * @return the self-signed certificate
072   */
073  @SuppressWarnings("JavaUtilDate")
074  public static X509Certificate generateCertificate(String dn, KeyPair pair, int days,
075    String algorithm) throws CertificateEncodingException, InvalidKeyException,
076    IllegalStateException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException {
077    Date from = new Date();
078    Date to = new Date(from.getTime() + days * 86400000L);
079    BigInteger sn = new BigInteger(64, new SecureRandom());
080    KeyPair keyPair = pair;
081    X509V1CertificateGenerator certGen = new X509V1CertificateGenerator();
082    X500Principal dnName = new X500Principal(dn);
083
084    certGen.setSerialNumber(sn);
085    certGen.setIssuerDN(dnName);
086    certGen.setNotBefore(from);
087    certGen.setNotAfter(to);
088    certGen.setSubjectDN(dnName);
089    certGen.setPublicKey(keyPair.getPublic());
090    certGen.setSignatureAlgorithm(algorithm);
091    X509Certificate cert = certGen.generate(pair.getPrivate());
092    return cert;
093  }
094
095  public static KeyPair generateKeyPair(String algorithm) throws NoSuchAlgorithmException {
096    KeyPairGenerator keyGen = KeyPairGenerator.getInstance(algorithm);
097    keyGen.initialize(1024);
098    return keyGen.genKeyPair();
099  }
100
101  private static KeyStore createEmptyKeyStore() throws GeneralSecurityException, IOException {
102    return createEmptyKeyStore("jks");
103  }
104
105  private static KeyStore createEmptyKeyStore(String keyStoreType)
106    throws GeneralSecurityException, IOException {
107    KeyStore ks = KeyStore.getInstance(keyStoreType);
108    ks.load(null, null); // initialize
109    return ks;
110  }
111
112  private static void saveKeyStore(KeyStore ks, String filename, String password)
113    throws GeneralSecurityException, IOException {
114    FileOutputStream out = new FileOutputStream(filename);
115    try {
116      ks.store(out, password.toCharArray());
117    } finally {
118      out.close();
119    }
120  }
121
122  /**
123   * Creates a keystore with a single key and saves it to a file. This method will use the same
124   * password for the keystore and for the key. This method will always generate a keystore file in
125   * JKS format.
126   * @param filename   String file to save
127   * @param password   String store password to set on keystore
128   * @param alias      String alias to use for the key
129   * @param privateKey Key to save in keystore
130   * @param cert       Certificate to use as certificate chain associated to key
131   * @throws GeneralSecurityException for any error with the security APIs
132   * @throws IOException              if there is an I/O error saving the file
133   */
134  public static void createKeyStore(String filename, String password, String alias, Key privateKey,
135    Certificate cert) throws GeneralSecurityException, IOException {
136    createKeyStore(filename, password, password, alias, privateKey, cert);
137  }
138
139  /**
140   * Creates a keystore with a single key and saves it to a file. This method will always generate a
141   * keystore file in JKS format.
142   * @param filename    String file to save
143   * @param password    String store password to set on keystore
144   * @param keyPassword String key password to set on key
145   * @param alias       String alias to use for the key
146   * @param privateKey  Key to save in keystore
147   * @param cert        Certificate to use as certificate chain associated to key
148   * @throws GeneralSecurityException for any error with the security APIs
149   * @throws IOException              if there is an I/O error saving the file
150   */
151  public static void createKeyStore(String filename, String password, String keyPassword,
152    String alias, Key privateKey, Certificate cert) throws GeneralSecurityException, IOException {
153    createKeyStore(filename, password, keyPassword, alias, privateKey, cert, "JKS");
154  }
155
156  /**
157   * Creates a keystore with a single key and saves it to a file.
158   * @param filename     String file to save
159   * @param password     String store password to set on keystore
160   * @param keyPassword  String key password to set on key
161   * @param alias        String alias to use for the key
162   * @param privateKey   Key to save in keystore
163   * @param cert         Certificate to use as certificate chain associated to key
164   * @param keystoreType String keystore file type (e.g. "JKS")
165   * @throws GeneralSecurityException for any error with the security APIs
166   * @throws IOException              if there is an I/O error saving the file
167   */
168  public static void createKeyStore(String filename, String password, String keyPassword,
169    String alias, Key privateKey, Certificate cert, String keystoreType)
170    throws GeneralSecurityException, IOException {
171    KeyStore ks = createEmptyKeyStore(keystoreType);
172    ks.setKeyEntry(alias, privateKey, keyPassword.toCharArray(), new Certificate[] { cert });
173    saveKeyStore(ks, filename, password);
174  }
175
176  /**
177   * Creates a truststore with a single certificate and saves it to a file. This method uses the
178   * default JKS truststore type.
179   * @param filename String file to save
180   * @param password String store password to set on truststore
181   * @param alias    String alias to use for the certificate
182   * @param cert     Certificate to add
183   * @throws GeneralSecurityException for any error with the security APIs
184   * @throws IOException              if there is an I/O error saving the file
185   */
186  public static void createTrustStore(String filename, String password, String alias,
187    Certificate cert) throws GeneralSecurityException, IOException {
188    createTrustStore(filename, password, alias, cert, "JKS");
189  }
190
191  /**
192   * Creates a truststore with a single certificate and saves it to a file.
193   * @param filename       String file to save
194   * @param password       String store password to set on truststore
195   * @param alias          String alias to use for the certificate
196   * @param cert           Certificate to add
197   * @param trustStoreType String keystore file type (e.g. "JKS")
198   * @throws GeneralSecurityException for any error with the security APIs
199   * @throws IOException              if there is an I/O error saving the file
200   */
201  public static void createTrustStore(String filename, String password, String alias,
202    Certificate cert, String trustStoreType) throws GeneralSecurityException, IOException {
203    KeyStore ks = createEmptyKeyStore(trustStoreType);
204    ks.setCertificateEntry(alias, cert);
205    saveKeyStore(ks, filename, password);
206  }
207
208  public static <T extends Certificate> void createTrustStore(String filename, String password,
209    Map<String, T> certs) throws GeneralSecurityException, IOException {
210    KeyStore ks = createEmptyKeyStore();
211    for (Map.Entry<String, T> cert : certs.entrySet()) {
212      ks.setCertificateEntry(cert.getKey(), cert.getValue());
213    }
214    saveKeyStore(ks, filename, password);
215  }
216
217  public static void cleanupSSLConfig(Configuration conf) throws Exception {
218    File f = new File(conf.get(FileBasedKeyStoresFactory.resolvePropertyName(SSLFactory.Mode.SERVER,
219      FileBasedKeyStoresFactory.SSL_TRUSTSTORE_LOCATION_TPL_KEY)));
220    f.delete();
221    f = new File(conf.get(FileBasedKeyStoresFactory.resolvePropertyName(SSLFactory.Mode.SERVER,
222      FileBasedKeyStoresFactory.SSL_KEYSTORE_LOCATION_TPL_KEY)));
223    f.delete();
224
225    String clientKeyStore =
226      conf.get(FileBasedKeyStoresFactory.resolvePropertyName(SSLFactory.Mode.CLIENT,
227        FileBasedKeyStoresFactory.SSL_KEYSTORE_LOCATION_TPL_KEY));
228    if (clientKeyStore != null) {
229      f = new File(clientKeyStore);
230      f.delete();
231    }
232    f = new File(KeyStoreTestUtil.getClasspathDir(KeyStoreTestUtil.class) + "/"
233      + conf.get(SSLFactory.SSL_CLIENT_CONF_KEY));
234    f.delete();
235    f = new File(KeyStoreTestUtil.getClasspathDir(KeyStoreTestUtil.class) + "/"
236      + conf.get(SSLFactory.SSL_SERVER_CONF_KEY));
237    f.delete();
238  }
239
240  /**
241   * Performs complete setup of SSL configuration in preparation for testing an SSLFactory. This
242   * includes keys, certs, keystores, truststores, the server SSL configuration file, the client SSL
243   * configuration file, and the master configuration file read by the SSLFactory.
244   * @param keystoresDir  String directory to save keystores
245   * @param sslConfDir    String directory to save SSL configuration files
246   * @param conf          Configuration master configuration to be used by an SSLFactory, which will
247   *                      be mutated by this method
248   * @param useClientCert boolean true to make the client present a cert in the SSL handshake
249   */
250  public static void setupSSLConfig(String keystoresDir, String sslConfDir, Configuration conf,
251    boolean useClientCert) throws Exception {
252    String clientKS = keystoresDir + "/clientKS.jks";
253    String clientPassword = "clientP";
254    String serverKS = keystoresDir + "/serverKS.jks";
255    String serverPassword = "serverP";
256    String trustKS = keystoresDir + "/trustKS.jks";
257    String trustPassword = "trustP";
258
259    File sslClientConfFile = new File(sslConfDir + "/ssl-client-" + System.nanoTime() + "-"
260      + HBaseCommonTestingUtility.getRandomUUID() + ".xml");
261    File sslServerConfFile = new File(sslConfDir + "/ssl-server-" + System.nanoTime() + "-"
262      + HBaseCommonTestingUtility.getRandomUUID() + ".xml");
263
264    Map<String, X509Certificate> certs = new HashMap<>();
265
266    if (useClientCert) {
267      KeyPair cKP = KeyStoreTestUtil.generateKeyPair("RSA");
268      X509Certificate cCert =
269        KeyStoreTestUtil.generateCertificate("CN=localhost, O=client", cKP, 30, "SHA1withRSA");
270      KeyStoreTestUtil.createKeyStore(clientKS, clientPassword, "client", cKP.getPrivate(), cCert);
271      certs.put("client", cCert);
272    }
273
274    KeyPair sKP = KeyStoreTestUtil.generateKeyPair("RSA");
275    X509Certificate sCert =
276      KeyStoreTestUtil.generateCertificate("CN=localhost, O=server", sKP, 30, "SHA1withRSA");
277    KeyStoreTestUtil.createKeyStore(serverKS, serverPassword, "server", sKP.getPrivate(), sCert);
278    certs.put("server", sCert);
279
280    KeyStoreTestUtil.createTrustStore(trustKS, trustPassword, certs);
281
282    Configuration clientSSLConf =
283      createClientSSLConfig(clientKS, clientPassword, clientPassword, trustKS);
284    Configuration serverSSLConf =
285      createServerSSLConfig(serverKS, serverPassword, serverPassword, trustKS);
286
287    saveConfig(sslClientConfFile, clientSSLConf);
288    saveConfig(sslServerConfFile, serverSSLConf);
289
290    conf.set(SSLFactory.SSL_HOSTNAME_VERIFIER_KEY, "ALLOW_ALL");
291    conf.set(SSLFactory.SSL_CLIENT_CONF_KEY, sslClientConfFile.getName());
292    conf.set(SSLFactory.SSL_SERVER_CONF_KEY, sslServerConfFile.getName());
293    conf.set("dfs.https.server.keystore.resource", sslServerConfFile.getName());
294
295    conf.setBoolean(SSLFactory.SSL_REQUIRE_CLIENT_CERT_KEY, useClientCert);
296  }
297
298  /**
299   * Creates SSL configuration for a client.
300   * @param clientKS    String client keystore file
301   * @param password    String store password, or null to avoid setting store password
302   * @param keyPassword String key password, or null to avoid setting key password
303   * @param trustKS     String truststore file
304   * @return Configuration for client SSL
305   */
306  public static Configuration createClientSSLConfig(String clientKS, String password,
307    String keyPassword, String trustKS) {
308    Configuration clientSSLConf =
309      createSSLConfig(SSLFactory.Mode.CLIENT, clientKS, password, keyPassword, trustKS);
310    return clientSSLConf;
311  }
312
313  /**
314   * Creates SSL configuration for a server.
315   * @param serverKS    String server keystore file
316   * @param password    String store password, or null to avoid setting store password
317   * @param keyPassword String key password, or null to avoid setting key password
318   * @param trustKS     String truststore file
319   * @return Configuration for server SSL
320   */
321  public static Configuration createServerSSLConfig(String serverKS, String password,
322    String keyPassword, String trustKS) throws IOException {
323    Configuration serverSSLConf =
324      createSSLConfig(SSLFactory.Mode.SERVER, serverKS, password, keyPassword, trustKS);
325    return serverSSLConf;
326  }
327
328  /**
329   * Creates SSL configuration.
330   * @param mode        SSLFactory.Mode mode to configure
331   * @param keystore    String keystore file
332   * @param password    String store password, or null to avoid setting store password
333   * @param keyPassword String key password, or null to avoid setting key password
334   * @param trustKS     String truststore file
335   * @return Configuration for SSL
336   */
337  private static Configuration createSSLConfig(SSLFactory.Mode mode, String keystore,
338    String password, String keyPassword, String trustKS) {
339    String trustPassword = "trustP";
340
341    Configuration sslConf = new Configuration(false);
342    if (keystore != null) {
343      sslConf.set(FileBasedKeyStoresFactory.resolvePropertyName(mode,
344        FileBasedKeyStoresFactory.SSL_KEYSTORE_LOCATION_TPL_KEY), keystore);
345    }
346    if (password != null) {
347      sslConf.set(FileBasedKeyStoresFactory.resolvePropertyName(mode,
348        FileBasedKeyStoresFactory.SSL_KEYSTORE_PASSWORD_TPL_KEY), password);
349    }
350    if (keyPassword != null) {
351      sslConf.set(FileBasedKeyStoresFactory.resolvePropertyName(mode,
352        FileBasedKeyStoresFactory.SSL_KEYSTORE_KEYPASSWORD_TPL_KEY), keyPassword);
353    }
354    if (trustKS != null) {
355      sslConf.set(FileBasedKeyStoresFactory.resolvePropertyName(mode,
356        FileBasedKeyStoresFactory.SSL_TRUSTSTORE_LOCATION_TPL_KEY), trustKS);
357    }
358    if (trustPassword != null) {
359      sslConf.set(FileBasedKeyStoresFactory.resolvePropertyName(mode,
360        FileBasedKeyStoresFactory.SSL_TRUSTSTORE_PASSWORD_TPL_KEY), trustPassword);
361    }
362    sslConf.set(FileBasedKeyStoresFactory.resolvePropertyName(mode,
363      FileBasedKeyStoresFactory.SSL_TRUSTSTORE_RELOAD_INTERVAL_TPL_KEY), "1000");
364
365    return sslConf;
366  }
367
368  /**
369   * Saves configuration to a file.
370   * @param file File to save
371   * @param conf Configuration contents to write to file
372   * @throws IOException if there is an I/O error saving the file
373   */
374  public static void saveConfig(File file, Configuration conf) throws IOException {
375    try (Writer writer = Files.newWriter(file, StandardCharsets.UTF_8)) {
376      conf.writeXml(writer);
377    }
378  }
379}