Package org.apache.zookeeper.common
Class X509Util
- java.lang.Object
  - org.apache.zookeeper.common.X509Util
- All Implemented Interfaces: java.io.Closeable, java.lang.AutoCloseable
- Direct Known Subclasses: ClientX509Util, QuorumX509Util
public abstract class X509Util extends java.lang.Object implements java.io.Closeable, java.lang.AutoCloseable
Utility code for X509 handling. Default cipher suites: performance testing done by Facebook engineers shows that on Intel x86_64 machines, Java 9 performs better with GCM and Java 8 performs better with CBC, so these seem like reasonable defaults.
Nested Class Summary
- static class X509Util.ClientAuth
  Enum specifying the client auth requirement of server-side TLS sockets created by this X509Util.
-
Field Summary
- static int DEFAULT_HANDSHAKE_DETECTION_TIMEOUT_MILLIS
- static java.lang.String DEFAULT_PROTOCOL
-
Method Summary
- void close()
  Disables automatic reloading of the trust store and key store files when they change on disk.
- static javax.net.ssl.X509KeyManager createKeyManager(java.lang.String keyStoreLocation, java.lang.String keyStorePassword, java.lang.String keyStoreTypeProp)
  Creates a key manager by loading the key store from the given file of the given type, optionally decrypting it using the given password.
- javax.net.ssl.SSLContext createSSLContext(ZKConfig config)
- SSLContextAndOptions createSSLContextAndOptions(ZKConfig config)
- SSLContextAndOptions createSSLContextAndOptionsFromConfig(ZKConfig config)
- javax.net.ssl.SSLServerSocket createSSLServerSocket()
- javax.net.ssl.SSLServerSocket createSSLServerSocket(int port)
- javax.net.ssl.SSLSocket createSSLSocket()
- javax.net.ssl.SSLSocket createSSLSocket(java.net.Socket socket, byte[] pushbackBytes)
- static javax.net.ssl.X509TrustManager createTrustManager(java.lang.String trustStoreLocation, java.lang.String trustStorePassword, java.lang.String trustStoreTypeProp, boolean crlEnabled, boolean ocspEnabled, boolean serverHostnameVerificationEnabled, boolean clientHostnameVerificationEnabled)
  Creates a trust manager by loading the trust store from the given file of the given type, optionally decrypting it using the given password.
- void enableCertFileReloading()
  Enables automatic reloading of the trust store and key store files when they change on disk.
- java.lang.String getCipherSuitesProperty()
- protected abstract java.lang.String getConfigPrefix()
- javax.net.ssl.SSLContext getDefaultSSLContext()
- SSLContextAndOptions getDefaultSSLContextAndOptions()
- java.lang.String getPasswordFromConfigPropertyOrFile(ZKConfig config, java.lang.String propertyName, java.lang.String pathPropertyName)
  Returns the password specified by the given property or from the file specified by the given path property.
- java.lang.String getSslCipherSuitesProperty()
- java.lang.String getSslClientAuthProperty()
- java.lang.String getSslContextSupplierClassProperty()
- java.lang.String getSslCrlEnabledProperty()
- java.lang.String getSslEnabledProtocolsProperty()
- java.lang.String getSslHandshakeDetectionTimeoutMillisProperty()
  Returns the config property key that controls the amount of time, in milliseconds, that the first UnifiedServerSocket read operation will block for when trying to detect the client mode (TLS or PLAINTEXT).
- int getSslHandshakeTimeoutMillis()
  Returns the max amount of time, in milliseconds, that the first UnifiedServerSocket read() operation should block for when trying to detect the client mode (TLS or PLAINTEXT).
- java.lang.String getSslHostnameVerificationEnabledProperty()
- java.lang.String getSslKeystoreLocationProperty()
- java.lang.String getSslKeystorePasswdPathProperty()
- java.lang.String getSslKeystorePasswdProperty()
- java.lang.String getSslKeystoreTypeProperty()
- java.lang.String getSslOcspEnabledProperty()
- java.lang.String getSslProtocolProperty()
- java.lang.String getSslTruststoreLocationProperty()
- java.lang.String getSslTruststorePasswdPathProperty()
- java.lang.String getSslTruststorePasswdProperty()
- java.lang.String getSslTruststoreTypeProperty()
- static java.security.KeyStore loadKeyStore(java.lang.String keyStoreLocation, java.lang.String keyStorePassword, java.lang.String keyStoreTypeProp)
- static java.security.KeyStore loadTrustStore(java.lang.String trustStoreLocation, java.lang.String trustStorePassword, java.lang.String trustStoreTypeProp)
- protected abstract boolean shouldVerifyClientHostname()
Field Detail
-
DEFAULT_PROTOCOL
public static final java.lang.String DEFAULT_PROTOCOL
- See Also: Constant Field Values
-
DEFAULT_HANDSHAKE_DETECTION_TIMEOUT_MILLIS
public static final int DEFAULT_HANDSHAKE_DETECTION_TIMEOUT_MILLIS
- See Also: Constant Field Values
-
-
Constructor Detail
-
X509Util
public X509Util()
-
X509Util
public X509Util(ZKConfig zkConfig)
-
-
Method Detail
-
getConfigPrefix
protected abstract java.lang.String getConfigPrefix()
-
shouldVerifyClientHostname
protected abstract boolean shouldVerifyClientHostname()
-
getSslProtocolProperty
public java.lang.String getSslProtocolProperty()
-
getSslEnabledProtocolsProperty
public java.lang.String getSslEnabledProtocolsProperty()
-
getCipherSuitesProperty
public java.lang.String getCipherSuitesProperty()
-
getSslKeystoreLocationProperty
public java.lang.String getSslKeystoreLocationProperty()
-
getSslCipherSuitesProperty
public java.lang.String getSslCipherSuitesProperty()
-
getSslKeystorePasswdProperty
public java.lang.String getSslKeystorePasswdProperty()
-
getSslKeystorePasswdPathProperty
public java.lang.String getSslKeystorePasswdPathProperty()
-
getSslKeystoreTypeProperty
public java.lang.String getSslKeystoreTypeProperty()
-
getSslTruststoreLocationProperty
public java.lang.String getSslTruststoreLocationProperty()
-
getSslTruststorePasswdProperty
public java.lang.String getSslTruststorePasswdProperty()
-
getSslTruststorePasswdPathProperty
public java.lang.String getSslTruststorePasswdPathProperty()
-
getSslTruststoreTypeProperty
public java.lang.String getSslTruststoreTypeProperty()
-
getSslContextSupplierClassProperty
public java.lang.String getSslContextSupplierClassProperty()
-
getSslHostnameVerificationEnabledProperty
public java.lang.String getSslHostnameVerificationEnabledProperty()
-
getSslCrlEnabledProperty
public java.lang.String getSslCrlEnabledProperty()
-
getSslOcspEnabledProperty
public java.lang.String getSslOcspEnabledProperty()
-
getSslClientAuthProperty
public java.lang.String getSslClientAuthProperty()
-
getSslHandshakeDetectionTimeoutMillisProperty
public java.lang.String getSslHandshakeDetectionTimeoutMillisProperty()
Returns the config property key that controls the amount of time, in milliseconds, that the first UnifiedServerSocket read operation will block for when trying to detect the client mode (TLS or PLAINTEXT).
- Returns: the config property key.
-
getDefaultSSLContext
public javax.net.ssl.SSLContext getDefaultSSLContext() throws X509Exception.SSLContextException
-
createSSLContext
public javax.net.ssl.SSLContext createSSLContext(ZKConfig config) throws X509Exception.SSLContextException
-
getDefaultSSLContextAndOptions
public SSLContextAndOptions getDefaultSSLContextAndOptions() throws X509Exception.SSLContextException
-
getSslHandshakeTimeoutMillis
public int getSslHandshakeTimeoutMillis()
Returns the max amount of time, in milliseconds, that the first UnifiedServerSocket read() operation should block for when trying to detect the client mode (TLS or PLAINTEXT). Defaults to DEFAULT_HANDSHAKE_DETECTION_TIMEOUT_MILLIS.
- Returns: the handshake detection timeout, in milliseconds.
-
createSSLContextAndOptions
public SSLContextAndOptions createSSLContextAndOptions(ZKConfig config) throws X509Exception.SSLContextException
-
createSSLContextAndOptionsFromConfig
public SSLContextAndOptions createSSLContextAndOptionsFromConfig(ZKConfig config) throws X509Exception.SSLContextException
-
loadKeyStore
public static java.security.KeyStore loadKeyStore(java.lang.String keyStoreLocation, java.lang.String keyStorePassword, java.lang.String keyStoreTypeProp) throws java.io.IOException, java.security.GeneralSecurityException
- Throws:
java.io.IOException
java.security.GeneralSecurityException
-
loadTrustStore
public static java.security.KeyStore loadTrustStore(java.lang.String trustStoreLocation, java.lang.String trustStorePassword, java.lang.String trustStoreTypeProp) throws java.io.IOException, java.security.GeneralSecurityException
- Throws:
java.io.IOException
java.security.GeneralSecurityException
-
getPasswordFromConfigPropertyOrFile
public java.lang.String getPasswordFromConfigPropertyOrFile(ZKConfig config, java.lang.String propertyName, java.lang.String pathPropertyName)
Returns the password specified by the given property or from the file specified by the given path property. If both are specified, the value stored in the file will be returned.
- Parameters:
  config - ZooKeeper configuration
  propertyName - property name
  pathPropertyName - path property name
- Returns: the password value
-
createKeyManager
public static javax.net.ssl.X509KeyManager createKeyManager(java.lang.String keyStoreLocation, java.lang.String keyStorePassword, java.lang.String keyStoreTypeProp) throws X509Exception.KeyManagerException
Creates a key manager by loading the key store from the given file of the given type, optionally decrypting it using the given password.
- Parameters:
  keyStoreLocation - the location of the key store file.
  keyStorePassword - optional password to decrypt the key store. If empty, assumes the key store is not encrypted.
  keyStoreTypeProp - must be JKS, PEM, PKCS12, BCFKS or null. If null, attempts to autodetect the key store type from the file extension (e.g. .jks / .pem).
- Returns: the key manager.
- Throws:
  X509Exception.KeyManagerException - if something goes wrong.
-
createTrustManager
public static javax.net.ssl.X509TrustManager createTrustManager(java.lang.String trustStoreLocation, java.lang.String trustStorePassword, java.lang.String trustStoreTypeProp, boolean crlEnabled, boolean ocspEnabled, boolean serverHostnameVerificationEnabled, boolean clientHostnameVerificationEnabled) throws X509Exception.TrustManagerException
Creates a trust manager by loading the trust store from the given file of the given type, optionally decrypting it using the given password.
- Parameters:
  trustStoreLocation - the location of the trust store file.
  trustStorePassword - optional password to decrypt the trust store (only applies to JKS trust stores). If empty, assumes the trust store is not encrypted.
  trustStoreTypeProp - must be JKS, PEM, PKCS12, BCFKS or null. If null, attempts to autodetect the trust store type from the file extension (e.g. .jks / .pem).
  crlEnabled - enable CRL (certificate revocation list) checks.
  ocspEnabled - enable OCSP (online certificate status protocol) checks.
  serverHostnameVerificationEnabled - if true, verify hostnames of remote servers that client sockets created by this X509Util connect to.
  clientHostnameVerificationEnabled - if true, verify hostnames of remote clients that server sockets created by this X509Util accept connections from.
- Returns: the trust manager.
- Throws:
  X509Exception.TrustManagerException - if something goes wrong.
-
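The two ways of wiring these pieces together, as an added example that is not part of the ZooKeeper code base or its Javadoc: the static createKeyManager/createTrustManager path with every revocation and hostname-verification flag spelled out, and the config-driven path through the property-key getters, where the key store password comes from a file rather than an inline property (the file wins when both are set, as getPasswordFromConfigPropertyOrFile documents). The file paths are placeholders, ClientX509Util is assumed to have a public no-argument constructor, and ZKConfig is assumed to expose a public no-argument constructor and setProperty(String, String); the rest uses only the signatures listed on this page plus standard JSSE.

```java
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;
import org.apache.zookeeper.common.ClientX509Util;
import org.apache.zookeeper.common.X509Util;
import org.apache.zookeeper.common.ZKConfig;

/** Example only; not ZooKeeper code. Builds hardened client-side TLS contexts with X509Util. */
public class HardenedClientTlsExample {

    // Placeholder paths for this example; substitute real files.
    static final String KEY_STORE_PATH = "/path/to/client-key.pem";
    static final String KEY_STORE_PASSWORD_FILE = "/path/to/client-key.password";
    static final String TRUST_STORE_PATH = "/path/to/ca-bundle.pem";

    /** Path 1: explicit flags via the static factories, composed into a plain JSSE SSLContext. */
    static SSLContext contextFromStaticFactories(String keyStorePassword) throws Exception {
        // Type null: X509Util autodetects the store type from the .pem extension.
        X509KeyManager km = X509Util.createKeyManager(KEY_STORE_PATH, keyStorePassword, null);
        X509TrustManager tm = X509Util.createTrustManager(
                TRUST_STORE_PATH,
                "",     // PEM trust stores are not encrypted; password only applies to JKS
                null,   // autodetect type
                true,   // crlEnabled: reject certificates listed on a CRL
                true,   // ocspEnabled: also ask the CA's OCSP responder
                true,   // serverHostnameVerificationEnabled: the server cert must match the host we dial
                false); // clientHostnameVerificationEnabled: irrelevant for a pure client
        SSLContext ctx = SSLContext.getInstance(X509Util.DEFAULT_PROTOCOL);
        ctx.init(new KeyManager[] {km}, new TrustManager[] {tm}, null);
        return ctx;
    }

    /** Path 2: the same hardening expressed as ZKConfig properties, keyed through the getters. */
    static ZKConfig hardenedConfig(X509Util x509) {
        ZKConfig config = new ZKConfig(); // assumed public no-arg constructor
        config.setProperty(x509.getSslKeystoreLocationProperty(), KEY_STORE_PATH);
        // Password delivered by file; if the inline password property were also
        // set, getPasswordFromConfigPropertyOrFile would still return the file's value.
        config.setProperty(x509.getSslKeystorePasswdPathProperty(), KEY_STORE_PASSWORD_FILE);
        config.setProperty(x509.getSslTruststoreLocationProperty(), TRUST_STORE_PATH);
        config.setProperty(x509.getSslCrlEnabledProperty(), "true");
        config.setProperty(x509.getSslOcspEnabledProperty(), "true");
        config.setProperty(x509.getSslHostnameVerificationEnabledProperty(), "true");
        return config;
    }

    public static void main(String[] args) throws Exception {
        // X509Util is Closeable: try-with-resources guarantees close() runs, which
        // stops any file-watcher threads started by enableCertFileReloading().
        try (X509Util x509 = new ClientX509Util()) { // assumed public no-arg constructor
            ZKConfig config = hardenedConfig(x509);

            String keyStorePassword = x509.getPasswordFromConfigPropertyOrFile(
                    config, x509.getSslKeystorePasswdProperty(), x509.getSslKeystorePasswdPathProperty());

            SSLContext viaConfig = x509.createSSLContext(config);
            SSLContext viaFactories = contextFromStaticFactories(keyStorePassword);

            System.out.println("config-driven context protocol: " + viaConfig.getProtocol());
            System.out.println("factory-built context protocol: " + viaFactories.getProtocol());
        }
    }
}
```

Both paths leave revocation checking and hostname verification on; a trust manager built with all four booleans false accepts any certificate chaining to the trust store regardless of revocation status or the name it was issued for, which is the usual way a ZooKeeper TLS deployment ends up weaker than intended. Keep the password file unreadable to anyone but the process user, since the path property only moves the secret out of the config file, not out of the filesystem.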
createSSLSocket
public javax.net.ssl.SSLSocket createSSLSocket() throws X509Exception, java.io.IOException
- Throws:
X509Exception
java.io.IOException
-
createSSLSocket
public javax.net.ssl.SSLSocket createSSLSocket(java.net.Socket socket, byte[] pushbackBytes) throws X509Exception, java.io.IOException
- Throws:
X509Exception
java.io.IOException
-
createSSLServerSocket
public javax.net.ssl.SSLServerSocket createSSLServerSocket() throws X509Exception, java.io.IOException
- Throws:
X509Exception
java.io.IOException
-
createSSLServerSocket
public javax.net.ssl.SSLServerSocket createSSLServerSocket(int port) throws X509Exception, java.io.IOException
- Throws:
X509Exception
java.io.IOException
-
enableCertFileReloading
public void enableCertFileReloading() throws java.io.IOException
Enables automatic reloading of the trust store and key store files when they change on disk.
- Throws:
  java.io.IOException - if creating the FileChangeWatcher objects fails.
-
close
public void close()
Disables automatic reloading of the trust store and key store files when they change on disk. Stops background threads and closes WatchService instances.
- Specified by: close in interface java.lang.AutoCloseable
- Specified by: close in interface java.io.Closeable
-
-