Class X509Util

  • All Implemented Interfaces:
    java.io.Closeable, java.lang.AutoCloseable
  • Direct Known Subclasses:
    ClientX509Util, QuorumX509Util

    public abstract class X509Util
    extends java.lang.Object
    implements java.io.Closeable, java.lang.AutoCloseable
    Utility code for X509 handling.

    Default cipher suites: performance testing done by Facebook engineers shows that on Intel x86_64 machines, Java9 performs better with GCM and Java8 performs better with CBC, so these seem like reasonable defaults.
    • Field Detail

      • DEFAULT_PROTOCOL

        public static final java.lang.String DEFAULT_PROTOCOL
        See Also:
        Constant Field Values
      • DEFAULT_HANDSHAKE_DETECTION_TIMEOUT_MILLIS

        public static final int DEFAULT_HANDSHAKE_DETECTION_TIMEOUT_MILLIS
        See Also:
        Constant Field Values
    • Constructor Detail

      • X509Util

        public X509Util()
      • X509Util

        public X509Util(ZKConfig zkConfig)
    • Method Detail

      • getConfigPrefix

        protected abstract java.lang.String getConfigPrefix()
      • shouldVerifyClientHostname

        protected abstract boolean shouldVerifyClientHostname()
      • getSslProtocolProperty

        public java.lang.String getSslProtocolProperty()
      • getSslEnabledProtocolsProperty

        public java.lang.String getSslEnabledProtocolsProperty()
      • getCipherSuitesProperty

        public java.lang.String getCipherSuitesProperty()
      • getSslKeystoreLocationProperty

        public java.lang.String getSslKeystoreLocationProperty()
      • getSslCipherSuitesProperty

        public java.lang.String getSslCipherSuitesProperty()
      • getSslKeystorePasswdProperty

        public java.lang.String getSslKeystorePasswdProperty()
      • getSslKeystorePasswdPathProperty

        public java.lang.String getSslKeystorePasswdPathProperty()
      • getSslKeystoreTypeProperty

        public java.lang.String getSslKeystoreTypeProperty()
      • getSslTruststoreLocationProperty

        public java.lang.String getSslTruststoreLocationProperty()
      • getSslTruststorePasswdProperty

        public java.lang.String getSslTruststorePasswdProperty()
      • getSslTruststorePasswdPathProperty

        public java.lang.String getSslTruststorePasswdPathProperty()
      • getSslTruststoreTypeProperty

        public java.lang.String getSslTruststoreTypeProperty()
      • getSslContextSupplierClassProperty

        public java.lang.String getSslContextSupplierClassProperty()
      • getSslHostnameVerificationEnabledProperty

        public java.lang.String getSslHostnameVerificationEnabledProperty()
      • getSslCrlEnabledProperty

        public java.lang.String getSslCrlEnabledProperty()
      • getSslOcspEnabledProperty

        public java.lang.String getSslOcspEnabledProperty()
      • getSslClientAuthProperty

        public java.lang.String getSslClientAuthProperty()
      • getSslHandshakeDetectionTimeoutMillisProperty

        public java.lang.String getSslHandshakeDetectionTimeoutMillisProperty()
        Returns the config property key that controls the amount of time, in milliseconds, that the first UnifiedServerSocket read operation will block for when trying to detect the client mode (TLS or PLAINTEXT).
        Returns:
        the config property key.
      • getSslHandshakeTimeoutMillis

        public int getSslHandshakeTimeoutMillis()
        Returns the max amount of time, in milliseconds, that the first UnifiedServerSocket read() operation should block for when trying to detect the client mode (TLS or PLAINTEXT). Defaults to DEFAULT_HANDSHAKE_DETECTION_TIMEOUT_MILLIS.
        Returns:
        the handshake detection timeout, in milliseconds.
      • loadKeyStore

        public static java.security.KeyStore loadKeyStore(java.lang.String keyStoreLocation,
                                                          java.lang.String keyStorePassword,
                                                          java.lang.String keyStoreTypeProp)
                                                   throws java.io.IOException,
                                                          java.security.GeneralSecurityException
        Throws:
        java.io.IOException
        java.security.GeneralSecurityException
      • loadTrustStore

        public static java.security.KeyStore loadTrustStore(java.lang.String trustStoreLocation,
                                                            java.lang.String trustStorePassword,
                                                            java.lang.String trustStoreTypeProp)
                                                     throws java.io.IOException,
                                                            java.security.GeneralSecurityException
        Throws:
        java.io.IOException
        java.security.GeneralSecurityException
      • getPasswordFromConfigPropertyOrFile

        public java.lang.String getPasswordFromConfigPropertyOrFile(ZKConfig config,
                                                                    java.lang.String propertyName,
                                                                    java.lang.String pathPropertyName)
        Returns the password specified by the given property or from the file specified by the given path property. If both are specified, the value stored in the file will be returned.
        Parameters:
        config - ZooKeeper configuration
        propertyName - property name
        pathPropertyName - path property name
        Returns:
        the password value
      • createKeyManager

        public static javax.net.ssl.X509KeyManager createKeyManager(java.lang.String keyStoreLocation,
                                                                    java.lang.String keyStorePassword,
                                                                    java.lang.String keyStoreTypeProp)
                                                             throws X509Exception.KeyManagerException
        Creates a key manager by loading the key store from the given file of the given type, optionally decrypting it using the given password.
        Parameters:
        keyStoreLocation - the location of the key store file.
        keyStorePassword - optional password to decrypt the key store. If empty, assumes the key store is not encrypted.
        keyStoreTypeProp - must be JKS, PEM, PKCS12, BCFKS or null. If null, attempts to autodetect the key store type from the file extension (e.g. .jks / .pem).
        Returns:
        the key manager.
        Throws:
        X509Exception.KeyManagerException - if something goes wrong.
      • createTrustManager

        public static javax.net.ssl.X509TrustManager createTrustManager(java.lang.String trustStoreLocation,
                                                                        java.lang.String trustStorePassword,
                                                                        java.lang.String trustStoreTypeProp,
                                                                        boolean crlEnabled,
                                                                        boolean ocspEnabled,
                                                                        boolean serverHostnameVerificationEnabled,
                                                                        boolean clientHostnameVerificationEnabled)
                                                                 throws X509Exception.TrustManagerException
        Creates a trust manager by loading the trust store from the given file of the given type, optionally decrypting it using the given password.
        Parameters:
        trustStoreLocation - the location of the trust store file.
        trustStorePassword - optional password to decrypt the trust store (only applies to JKS trust stores). If empty, assumes the trust store is not encrypted.
        trustStoreTypeProp - must be JKS, PEM, PKCS12, BCFKS or null. If null, attempts to autodetect the trust store type from the file extension (e.g. .jks / .pem).
        crlEnabled - enable CRL (certificate revocation list) checks.
        ocspEnabled - enable OCSP (online certificate status protocol) checks.
        serverHostnameVerificationEnabled - if true, verify hostnames of remote servers that client sockets created by this X509Util connect to.
        clientHostnameVerificationEnabled - if true, verify hostnames of remote clients that server sockets created by this X509Util accept connections from.
        Returns:
        the trust manager.
        Throws:
        X509Exception.TrustManagerException - if something goes wrong.
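        The following is an added example, not code from the ZooKeeper project, showing how the two static factory methods above combine into a javax.net.ssl.SSLContext with revocation checking and server hostname verification switched on. It assumes X509Util and X509Exception live in the org.apache.zookeeper.common package and that the store paths and passwords are supplied by the caller (for example, resolved earlier via getPasswordFromConfigPropertyOrFile).

```java
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;
import org.apache.zookeeper.common.X509Exception; // assumed package
import org.apache.zookeeper.common.X509Util;      // assumed package

public final class StrictTlsContextExample {

    // Builds an SSLContext whose trust manager rejects revoked certificates
    // (CRL + OCSP) and checks the server's hostname on outbound connections.
    public static SSLContext build(String keyStorePath, String keyStorePassword,
                                   String trustStorePath, String trustStorePassword)
            throws X509Exception.KeyManagerException,
                   X509Exception.TrustManagerException,
                   java.security.GeneralSecurityException {

        // keyStoreTypeProp = null: type is autodetected from the file
        // extension (.jks / .pem / ...), as documented above.
        X509KeyManager km = X509Util.createKeyManager(
                keyStorePath, keyStorePassword, null);

        // crlEnabled = true, ocspEnabled = true: revoked peer certificates fail.
        // serverHostnameVerificationEnabled = true: client sockets check that
        //   the server certificate matches the host they connected to.
        // clientHostnameVerificationEnabled = false: server sockets accept any
        //   client certificate that chains to the trust store, regardless of
        //   the client's hostname (tighten to true for quorum peers if needed).
        X509TrustManager tm = X509Util.createTrustManager(
                trustStorePath, trustStorePassword, null,
                true,   // crlEnabled
                true,   // ocspEnabled
                true,   // serverHostnameVerificationEnabled
                false); // clientHostnameVerificationEnabled

        // DEFAULT_PROTOCOL is the class constant documented in Field Detail.
        SSLContext ctx = SSLContext.getInstance(X509Util.DEFAULT_PROTOCOL);
        ctx.init(new KeyManager[] { km }, new TrustManager[] { tm }, null);
        return ctx;
    }
}
```

Passing an empty password is allowed for unencrypted stores, but note that the trust store password only matters for JKS stores, as stated in the parameter description.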
      • createSSLSocket

        public javax.net.ssl.SSLSocket createSSLSocket()
                                                throws X509Exception,
                                                       java.io.IOException
        Throws:
        X509Exception
        java.io.IOException
      • createSSLSocket

        public javax.net.ssl.SSLSocket createSSLSocket(java.net.Socket socket,
                                                       byte[] pushbackBytes)
                                                throws X509Exception,
                                                       java.io.IOException
        Throws:
        X509Exception
        java.io.IOException
      • createSSLServerSocket

        public javax.net.ssl.SSLServerSocket createSSLServerSocket()
                                                            throws X509Exception,
                                                                   java.io.IOException
        Throws:
        X509Exception
        java.io.IOException
      • createSSLServerSocket

        public javax.net.ssl.SSLServerSocket createSSLServerSocket(int port)
                                                            throws X509Exception,
                                                                   java.io.IOException
        Throws:
        X509Exception
        java.io.IOException
      • enableCertFileReloading

        public void enableCertFileReloading()
                                     throws java.io.IOException
        Enables automatic reloading of the trust store and key store files when they change on disk.
        Throws:
        java.io.IOException - if creating the FileChangeWatcher objects fails.
      • close

        public void close()
        Disables automatic reloading of the trust store and key store files when they change on disk. Stops background threads and closes WatchService instances.
        Specified by:
        close in interface java.lang.AutoCloseable
        Specified by:
        close in interface java.io.Closeable