Package org.apache.hadoop.hbase.io.crypto.tls

Class X509TestContext

java.lang.Object

org.apache.hadoop.hbase.io.crypto.tls.X509TestContext

@Private
public final class X509TestContext
extends Object

This class simplifies the creation of certificates and private keys for SSL/TLS connections.

This file has been copied from the Apache ZooKeeper project.

See Also:

• Base revision

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	X509TestContext.Builder	Builder class, used for creating new instances of X509TestContext.

Field Summary

Fields

Modifier and Type	Field	Description
private final org.apache.hadoop.conf.Configuration	conf
private static final String	KEY_STORE_PREFIX
private File	keyStoreBcfksFile
private X509Certificate	keyStoreCertificate
private File	keyStoreJksFile
private KeyPair	keyStoreKeyPair
private final char[]	keyStorePassword
private File	keyStorePemFile
private File	keyStorePkcs12File
private final File	tempDir
private static final String	TRUST_STORE_PREFIX
private File	trustStoreBcfksFile
private X509Certificate	trustStoreCertificate
private File	trustStoreJksFile
private KeyPair	trustStoreKeyPair
private final char[]	trustStorePassword
private File	trustStorePemFile
private File	trustStorePkcs12File

Constructor Summary

Constructors

Modifier	Constructor	Description
private	X509TestContext(File tempDir, org.apache.hadoop.conf.Configuration conf, X509Certificate trustStoreCertificate, char[] trustStorePassword, KeyPair trustStoreKeyPair, File trustStoreJksFile, File trustStorePemFile, File trustStorePkcs12File, KeyPair keyStoreKeyPair, char[] keyStorePassword, X509Certificate keyStoreCertificate)	Used by cloneWithNewKeystoreCert(X509Certificate).
private	X509TestContext(org.apache.hadoop.conf.Configuration conf, File tempDir, KeyPair trustStoreKeyPair, char[] trustStorePassword, KeyPair keyStoreKeyPair, char[] keyStorePassword)	Constructor is intentionally private, use the Builder class instead.

Method Summary

Modifier and Type	Method	Description
void	clearConfigurations()
X509TestContext	cloneWithNewKeystoreCert(X509Certificate cert)	Creates a clone of the current context, but injecting the passed certificate as the KeyStore cert.
private void	createCertificates(String... subjectAltNames)
private void	generateKeyStoreBcfksFile()
private void	generateKeyStoreJksFile()
private void	generateKeyStorePemFile()
private void	generateKeyStorePkcs12File()
private void	generateTrustStoreBcfksFile()
private void	generateTrustStoreJksFile()
private void	generateTrustStorePemFile()
private void	generateTrustStorePkcs12File()
org.apache.hadoop.conf.Configuration	getConf()
private File	getKeyStoreBcfksFile()
X509Certificate	getKeyStoreCertificate()
File	getKeyStoreFile(org.apache.hadoop.hbase.io.crypto.tls.KeyStoreFileType storeFileType)	Returns the path to the key store file in the given format (JKS, PEM, ...).
private File	getKeyStoreJksFile()
char[]	getKeyStorePassword()
private File	getKeyStorePemFile()
private File	getKeyStorePkcs12File()
File	getTempDir()
private File	getTrustStoreBcfksFile()
File	getTrustStoreFile(org.apache.hadoop.hbase.io.crypto.tls.KeyStoreFileType storeFileType)	Returns the path to the trust store file in the given format (JKS or PEM).
private File	getTrustStoreJksFile()
char[]	getTrustStorePassword()
private File	getTrustStorePemFile()
private File	getTrustStorePkcs12File()
boolean	isKeyStoreEncrypted()
static X509TestContext.Builder	newBuilder(org.apache.hadoop.conf.Configuration conf)	Returns a new default-constructed Builder.
X509Certificate	newCert(org.bouncycastle.asn1.x500.X500Name name, String... subjectAltNames)	Generates a new certificate using this context's CA and keystoreKeyPair.
void	regenerateStores(X509KeyType keyStoreKeyType, X509KeyType trustStoreKeyType, org.apache.hadoop.hbase.io.crypto.tls.KeyStoreFileType keyStoreFileType, org.apache.hadoop.hbase.io.crypto.tls.KeyStoreFileType trustStoreFileType, String... subjectAltNames)
void	setConfigurations(org.apache.hadoop.hbase.io.crypto.tls.KeyStoreFileType keyStoreFileType, org.apache.hadoop.hbase.io.crypto.tls.KeyStoreFileType trustStoreFileType)	Sets the SSL system properties such that the given X509Util object can be used to create SSL Contexts that will use the trust store and key store files created by this test context.
void	setKeystoreConfigurations(org.apache.hadoop.hbase.io.crypto.tls.KeyStoreFileType keyStoreFileType, org.apache.hadoop.conf.Configuration confToSet)	Sets the KeyStore-related SSL system properties onto the given Configuration such that X509Util can be used to create SSL Contexts using that KeyStore.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

TRUST_STORE_PREFIX

private static final String TRUST_STORE_PREFIX

See Also:

• Constant Field Values

KEY_STORE_PREFIX

private static final String KEY_STORE_PREFIX

See Also:

• Constant Field Values

tempDir

private final File tempDir

conf

private final org.apache.hadoop.conf.Configuration conf

trustStoreCertificate

private X509Certificate trustStoreCertificate

trustStorePassword

private final char[] trustStorePassword

trustStoreKeyPair

private KeyPair trustStoreKeyPair

trustStoreJksFile

private File trustStoreJksFile

trustStorePemFile

private File trustStorePemFile

trustStorePkcs12File

private File trustStorePkcs12File

trustStoreBcfksFile

private File trustStoreBcfksFile

keyStoreKeyPair

private KeyPair keyStoreKeyPair

keyStoreCertificate

private X509Certificate keyStoreCertificate

keyStorePassword

private final char[] keyStorePassword

keyStoreJksFile

private File keyStoreJksFile

keyStorePemFile

private File keyStorePemFile

keyStorePkcs12File

private File keyStorePkcs12File

keyStoreBcfksFile

private File keyStoreBcfksFile

Constructor Details

X509TestContext

private X509TestContext(org.apache.hadoop.conf.Configuration conf,
 File tempDir,
 KeyPair trustStoreKeyPair,
 char[] trustStorePassword,
 KeyPair keyStoreKeyPair,
 char[] keyStorePassword)
                 throws IOException,
GeneralSecurityException,
org.bouncycastle.operator.OperatorCreationException

Constructor is intentionally private, use the Builder class instead.

Parameters:

conf - the configuration

tempDir - the directory in which key store and trust store temp files will be written.

trustStoreKeyPair - the key pair for the trust store.

trustStorePassword - the password to protect a JKS trust store (ignored for PEM trust stores).

keyStoreKeyPair - the key pair for the key store.

keyStorePassword - the password to protect the key store private key.

Throws:

IOException

GeneralSecurityException

org.bouncycastle.operator.OperatorCreationException

X509TestContext

private X509TestContext(File tempDir,
 org.apache.hadoop.conf.Configuration conf,
 X509Certificate trustStoreCertificate,
 char[] trustStorePassword,
 KeyPair trustStoreKeyPair,
 File trustStoreJksFile,
 File trustStorePemFile,
 File trustStorePkcs12File,
 KeyPair keyStoreKeyPair,
 char[] keyStorePassword,
 X509Certificate keyStoreCertificate)

Used by cloneWithNewKeystoreCert(X509Certificate). Should set all fields except generated keystore path fields

Method Details

newCert

public X509Certificate newCert(org.bouncycastle.asn1.x500.X500Name name,
 String... subjectAltNames)
                        throws GeneralSecurityException,
IOException,
org.bouncycastle.operator.OperatorCreationException

Generates a new certificate using this context's CA and keystoreKeyPair. By default, the cert will have localhost in the subjectAltNames. This can be overridden by passing one or more string arguments after the cert name. The expectation for those arguments is that they are valid DNS names.

Throws:

GeneralSecurityException

IOException

org.bouncycastle.operator.OperatorCreationException

getTempDir

public File getTempDir()

getTrustStorePassword

public char[] getTrustStorePassword()

getTrustStoreFile

public File getTrustStoreFile(org.apache.hadoop.hbase.io.crypto.tls.KeyStoreFileType storeFileType)
                       throws IOException

Returns the path to the trust store file in the given format (JKS or PEM). Note that the file is created lazily, the first time this method is called. The trust store file is temporary and will be deleted on exit.

Parameters:

storeFileType - the store file type (JKS or PEM).

Returns:

the path to the trust store file.

Throws:

IOException - if there is an error creating the trust store file.

getTrustStoreJksFile

private File getTrustStoreJksFile()
                           throws IOException

Throws:

IOException

generateTrustStoreJksFile

private void generateTrustStoreJksFile()
                                throws IOException

Throws:

IOException

getTrustStorePemFile

private File getTrustStorePemFile()
                           throws IOException

Throws:

IOException

generateTrustStorePemFile

private void generateTrustStorePemFile()
                                throws IOException

Throws:

IOException

getTrustStorePkcs12File

private File getTrustStorePkcs12File()
                              throws IOException

Throws:

IOException

generateTrustStorePkcs12File

private void generateTrustStorePkcs12File()
                                   throws IOException

Throws:

IOException

getTrustStoreBcfksFile

private File getTrustStoreBcfksFile()
                             throws IOException

Throws:

IOException

generateTrustStoreBcfksFile

private void generateTrustStoreBcfksFile()
                                  throws IOException

Throws:

IOException

getKeyStoreCertificate

public X509Certificate getKeyStoreCertificate()

getKeyStorePassword

public char[] getKeyStorePassword()

isKeyStoreEncrypted

public boolean isKeyStoreEncrypted()

getConf

public org.apache.hadoop.conf.Configuration getConf()

getKeyStoreFile

public File getKeyStoreFile(org.apache.hadoop.hbase.io.crypto.tls.KeyStoreFileType storeFileType)
                     throws IOException

Returns the path to the key store file in the given format (JKS, PEM, ...). Note that the file is created lazily, the first time this method is called. The key store file is temporary and will be deleted on exit.

Parameters:

storeFileType - the store file type (JKS, PEM, ...).

Returns:

the path to the key store file.

Throws:

IOException - if there is an error creating the key store file.

getKeyStoreJksFile

private File getKeyStoreJksFile()
                         throws IOException

Throws:

IOException

generateKeyStoreJksFile

private void generateKeyStoreJksFile()
                              throws IOException

Throws:

IOException

getKeyStorePemFile

private File getKeyStorePemFile()
                         throws IOException

Throws:

IOException

generateKeyStorePemFile

private void generateKeyStorePemFile()
                              throws IOException,
org.bouncycastle.operator.OperatorCreationException

Throws:

IOException

org.bouncycastle.operator.OperatorCreationException

getKeyStorePkcs12File

private File getKeyStorePkcs12File()
                            throws IOException

Throws:

IOException

generateKeyStorePkcs12File

private void generateKeyStorePkcs12File()
                                 throws IOException

Throws:

IOException

getKeyStoreBcfksFile

private File getKeyStoreBcfksFile()
                           throws IOException

Throws:

IOException

generateKeyStoreBcfksFile

private void generateKeyStoreBcfksFile()
                                throws IOException

Throws:

IOException

setConfigurations

public void setConfigurations(org.apache.hadoop.hbase.io.crypto.tls.KeyStoreFileType keyStoreFileType,
 org.apache.hadoop.hbase.io.crypto.tls.KeyStoreFileType trustStoreFileType)
                       throws IOException

Sets the SSL system properties such that the given X509Util object can be used to create SSL Contexts that will use the trust store and key store files created by this test context. Example usage:

     X509TestContext testContext = ...; // create the test context
     X509Util x509Util = new QuorumX509Util();
     testContext.setSystemProperties(x509Util, KeyStoreFileType.JKS, KeyStoreFileType.JKS);
     // The returned context will use the key store and trust store created by the test context.
     SSLContext ctx = x509Util.getDefaultSSLContext();
 

Parameters:

keyStoreFileType - the store file type to use for the key store (JKS, PEM, ...).

trustStoreFileType - the store file type to use for the trust store (JKS, PEM, ...).

Throws:

IOException - if there is an error creating the key store file or trust store file.

setKeystoreConfigurations

public void setKeystoreConfigurations(org.apache.hadoop.hbase.io.crypto.tls.KeyStoreFileType keyStoreFileType,
 org.apache.hadoop.conf.Configuration confToSet)
                               throws IOException

Sets the KeyStore-related SSL system properties onto the given Configuration such that X509Util can be used to create SSL Contexts using that KeyStore. This can be used in special circumstances to inject a "bad" certificate where the keystore doesn't match the CA in the truststore. Or use it to create a connection without a truststore.

Throws:

IOException

See Also:

• which sets both keystore and truststore and is more applicable to general use.

clearConfigurations

public void clearConfigurations()

cloneWithNewKeystoreCert

public X509TestContext cloneWithNewKeystoreCert(X509Certificate cert)

Creates a clone of the current context, but injecting the passed certificate as the KeyStore cert. The new context's keystore path fields are nulled, so the next call to setConfigurations(KeyStoreFileType, KeyStoreFileType), setKeystoreConfigurations(KeyStoreFileType, Configuration) , or getKeyStoreFile(KeyStoreFileType) will create a new keystore with this certificate in place.

Parameters:

cert - the cert to replace

regenerateStores

public void regenerateStores(X509KeyType keyStoreKeyType,
 X509KeyType trustStoreKeyType,
 org.apache.hadoop.hbase.io.crypto.tls.KeyStoreFileType keyStoreFileType,
 org.apache.hadoop.hbase.io.crypto.tls.KeyStoreFileType trustStoreFileType,
 String... subjectAltNames)
                      throws GeneralSecurityException,
IOException,
org.bouncycastle.operator.OperatorCreationException

Throws:

GeneralSecurityException

IOException

org.bouncycastle.operator.OperatorCreationException

createCertificates

private void createCertificates(String... subjectAltNames)
                         throws GeneralSecurityException,
IOException,
org.bouncycastle.operator.OperatorCreationException

Throws:

GeneralSecurityException

IOException

org.bouncycastle.operator.OperatorCreationException

newBuilder

public static X509TestContext.Builder newBuilder(org.apache.hadoop.conf.Configuration conf)

Returns a new default-constructed Builder.

Returns:

a new Builder.