
HBASE-27346 Autodetect key/truststore file type from file extension (apache#4757)

Signed-off-by: Duo Zhang <[email protected]>
Signed-off-by: Bryan Beaudreault <[email protected]>
anmolnar authored and bbeaudreault committed Apr 4, 2023
1 parent 6676fac commit 6e49509
Showing 21 changed files with 1,647 additions and 126 deletions.
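--- /dev/null
+++ b/org/apache/hadoop/hbase/io/crypto/tls/BCFKSFileLoader.java
@@ -0,0 +1,42 @@
+/*
+* Licensed to the Apache Software Foundation (ASF) under one
+* or more contributor license agreements. See the NOTICE file
+* distributed with this work for additional information
+* regarding copyright ownership. The ASF licenses this file
+* to you under the Apache License, Version 2.0 (the
+* "License"); you may not use this file except in compliance
+* with the License. You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package org.apache.hadoop.hbase.io.crypto.tls;
+
+/**
+* Implementation of {@link FileKeyStoreLoader} that loads from BCKFS files.
+* <p/>
+* This file has been copied from the Apache ZooKeeper project.
+* @see <a href=
+* "https://github.com/apache/zookeeper/blob/c74658d398cdc1d207aa296cb6e20de00faec03e/zookeeper-server/src/main/java/org/apache/zookeeper/common/BCFKSFileLoader.java">Base
+* revision</a>
+*/
+final class BCFKSFileLoader extends StandardTypeFileKeyStoreLoader {
+private BCFKSFileLoader(String keyStorePath, String trustStorePath, char[] keyStorePassword,
+char[] trustStorePassword) {
+super(keyStorePath, trustStorePath, keyStorePassword, trustStorePassword,
+SupportedStandardKeyFormat.BCFKS);
+}
+
+static class Builder extends FileKeyStoreLoader.Builder<BCFKSFileLoader> {
+@Override
+BCFKSFileLoader build() {
+return new BCFKSFileLoader(keyStorePath, trustStorePath, keyStorePassword,
+trustStorePassword);
+}
+}
+}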
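Review bot: The class Javadoc's summary line misspells the format as "BCKFS"; the class name, the enum constant `SupportedStandardKeyFormat.BCFKS` passed to the super constructor, and the linked ZooKeeper file all spell it BCFKS, so the line should read `* Implementation of {@link FileKeyStoreLoader} that loads from BCFKS files.`. Since the file is a verbatim copy from ZooKeeper, it is worth checking whether the typo exists upstream as well so the two copies stay in sync.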
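--- /dev/null
+++ b/org/apache/hadoop/hbase/io/crypto/tls/FileKeyStoreLoader.java
@@ -0,0 +1,80 @@
+/*
+* Licensed to the Apache Software Foundation (ASF) under one
+* or more contributor license agreements. See the NOTICE file
+* distributed with this work for additional information
+* regarding copyright ownership. The ASF licenses this file
+* to you under the Apache License, Version 2.0 (the
+* "License"); you may not use this file except in compliance
+* with the License. You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package org.apache.hadoop.hbase.io.crypto.tls;
+
+import java.util.Objects;
+
+/**
+* Base class for instances of {@link KeyStoreLoader} which load the key/trust stores from files on
+* a filesystem.
+* <p/>
+* This file has been copied from the Apache ZooKeeper project.
+* @see <a href=
+* "https://github.com/apache/zookeeper/blob/c74658d398cdc1d207aa296cb6e20de00faec03e/zookeeper-server/src/main/java/org/apache/zookeeper/common/FileKeyStoreLoader.java">Base
+* revision</a>
+*/
+abstract class FileKeyStoreLoader implements KeyStoreLoader {
+final String keyStorePath;
+final String trustStorePath;
+final char[] keyStorePassword;
+final char[] trustStorePassword;
+
+FileKeyStoreLoader(String keyStorePath, String trustStorePath, char[] keyStorePassword,
+char[] trustStorePassword) {
+this.keyStorePath = keyStorePath;
+this.trustStorePath = trustStorePath;
+this.keyStorePassword = keyStorePassword;
+this.trustStorePassword = trustStorePassword;
+}
+
+/**
+* Base class for builder pattern used by subclasses.
+* @param <T> the subtype of FileKeyStoreLoader created by the Builder.
+*/
+static abstract class Builder<T extends FileKeyStoreLoader> {
+String keyStorePath;
+String trustStorePath;
+char[] keyStorePassword;
+char[] trustStorePassword;
+
+Builder() {
+}
+
+Builder<T> setKeyStorePath(String keyStorePath) {
+this.keyStorePath = Objects.requireNonNull(keyStorePath);
+return this;
+}
+
+Builder<T> setTrustStorePath(String trustStorePath) {
+this.trustStorePath = Objects.requireNonNull(trustStorePath);
+return this;
+}
+
+Builder<T> setKeyStorePassword(char[] keyStorePassword) {
+this.keyStorePassword = Objects.requireNonNull(keyStorePassword);
+return this;
+}
+
+Builder<T> setTrustStorePassword(char[] trustStorePassword) {
+this.trustStorePassword = Objects.requireNonNull(trustStorePassword);
+return this;
+}
+
+abstract T build();
+}
+}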
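Review bot: The constructor takes the two paths and two passwords with no nullability contract, while the Builder setters reject null via `Objects.requireNonNull` but nothing checks that a setter was ever called, so a Builder on which `setTrustStorePassword` was never invoked hands a null password to the loader. That may well be intended (trust stores are commonly opened without a password), but the constructor should state it; e.g. a Javadoc with `@param trustStorePassword password for the trust store, or null when none was configured on the Builder` and the equivalent for keyStorePassword. It is also worth noting in that Javadoc that the char[] arrays are stored by reference rather than copied, so a caller that zeroes its password array after build() also blanks the loader's copy.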
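--- /dev/null
+++ b/org/apache/hadoop/hbase/io/crypto/tls/FileKeyStoreLoaderBuilderProvider.java
@@ -0,0 +1,54 @@
+/*
+* Licensed to the Apache Software Foundation (ASF) under one
+* or more contributor license agreements. See the NOTICE file
+* distributed with this work for additional information
+* regarding copyright ownership. The ASF licenses this file
+* to you under the Apache License, Version 2.0 (the
+* "License"); you may not use this file except in compliance
+* with the License. You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package org.apache.hadoop.hbase.io.crypto.tls;
+
+import java.util.Objects;
+
+/**
+* This file has been copied from the Apache ZooKeeper project.
+* @see <a href=
+* "https://github.com/apache/zookeeper/blob/c74658d398cdc1d207aa296cb6e20de00faec03e/zookeeper-server/src/main/java/org/apache/zookeeper/common/FileKeyStoreLoaderBuilderProvider.java">Base
+* revision</a>
+*/
+final class FileKeyStoreLoaderBuilderProvider {
+/**
+* Returns a {@link FileKeyStoreLoader.Builder} that can build a loader which loads keys and certs
+* from files of the given {@link KeyStoreFileType}.
+* @param type the file type to load keys/certs from.
+* @return a new Builder.
+*/
+static FileKeyStoreLoader.Builder<? extends FileKeyStoreLoader>
+getBuilderForKeyStoreFileType(KeyStoreFileType type) {
+switch (Objects.requireNonNull(type)) {
+case JKS:
+return new JKSFileLoader.Builder();
+case PEM:
+return new PEMFileLoader.Builder();
+case PKCS12:
+return new PKCS12FileLoader.Builder();
+case BCFKS:
+return new BCFKSFileLoader.Builder();
+default:
+throw new AssertionError("Unexpected StoreFileType: " + type.name());
+}
+}
+
+private FileKeyStoreLoaderBuilderProvider() {
+// disabled
+}
+}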
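Review bot: The class Javadoc says only where the file was copied from and nothing about what the class does; a summary line such as `* Static factory mapping a {@link KeyStoreFileType} to the {@link FileKeyStoreLoader.Builder} able to load that file type.` would make the `@see` link secondary rather than the whole description. The `default` branch throwing AssertionError is a reasonable guard, but its presence also silences the compiler's missing-case hint should a new KeyStoreFileType constant be added later, so a short comment above it, e.g. `// every KeyStoreFileType constant must have an explicit case above`, would help the next maintainer.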
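--- /dev/null
+++ b/org/apache/hadoop/hbase/io/crypto/tls/JKSFileLoader.java
@@ -0,0 +1,41 @@
+/*
+* Licensed to the Apache Software Foundation (ASF) under one
+* or more contributor license agreements. See the NOTICE file
+* distributed with this work for additional information
+* regarding copyright ownership. The ASF licenses this file
+* to you under the Apache License, Version 2.0 (the
+* "License"); you may not use this file except in compliance
+* with the License. You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package org.apache.hadoop.hbase.io.crypto.tls;
+
+/**
+* Implementation of {@link FileKeyStoreLoader} that loads from JKS files.
+* <p/>
+* This file has been copied from the Apache ZooKeeper project.
+* @see <a href=
+* "https://github.com/apache/zookeeper/blob/c74658d398cdc1d207aa296cb6e20de00faec03e/zookeeper-server/src/main/java/org/apache/zookeeper/common/JKSFileLoader.java">Base
+* revision</a>
+*/
+final class JKSFileLoader extends StandardTypeFileKeyStoreLoader {
+private JKSFileLoader(String keyStorePath, String trustStorePath, char[] keyStorePassword,
+char[] trustStorePassword) {
+super(keyStorePath, trustStorePath, keyStorePassword, trustStorePassword,
+SupportedStandardKeyFormat.JKS);
+}
+
+static class Builder extends FileKeyStoreLoader.Builder<JKSFileLoader> {
+@Override
+JKSFileLoader build() {
+return new JKSFileLoader(keyStorePath, trustStorePath, keyStorePassword, trustStorePassword);
+}
+}
+}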
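--- /dev/null
+++ b/org/apache/hadoop/hbase/io/crypto/tls/KeyStoreLoader.java
@@ -0,0 +1,53 @@
+/*
+* Licensed to the Apache Software Foundation (ASF) under one
+* or more contributor license agreements. See the NOTICE file
+* distributed with this work for additional information
+* regarding copyright ownership. The ASF licenses this file
+* to you under the Apache License, Version 2.0 (the
+* "License"); you may not use this file except in compliance
+* with the License. You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package org.apache.hadoop.hbase.io.crypto.tls;
+
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+
+/**
+* An interface for an object that can load key stores or trust stores.
+* <p/>
+* This file has been copied from the Apache ZooKeeper project.
+* @see <a href=
+* "https://github.com/apache/zookeeper/blob/c74658d398cdc1d207aa296cb6e20de00faec03e/zookeeper-server/src/main/java/org/apache/zookeeper/common/KeyStoreLoader.java">Base
+* revision</a>
+*/
+interface KeyStoreLoader {
+/**
+* Loads a KeyStore which contains at least one private key and the associated X509 cert chain.
+* @return a new KeyStore
+* @throws IOException if loading the key store fails due to an IO error, such as
+* "file not found".
+* @throws GeneralSecurityException if loading the key store fails due to a security error, such
+* as "unsupported crypto algorithm".
+*/
+KeyStore loadKeyStore() throws IOException, GeneralSecurityException;
+
+/**
+* Loads a KeyStore which contains at least one X509 cert chain for a trusted Certificate
+* Authority (CA).
+* @return a new KeyStore
+* @throws IOException if loading the trust store fails due to an IO error, such as
+* "file not found".
+* @throws GeneralSecurityException if loading the trust store fails due to a security error, such
+* as "unsupported crypto algorithm".
+*/
+KeyStore loadTrustStore() throws IOException, GeneralSecurityException;
+}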
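--- /dev/null
+++ b/org/apache/hadoop/hbase/io/crypto/tls/PEMFileLoader.java
@@ -0,0 +1,56 @@
+/*
+* Licensed to the Apache Software Foundation (ASF) under one
+* or more contributor license agreements. See the NOTICE file
+* distributed with this work for additional information
+* regarding copyright ownership. The ASF licenses this file
+* to you under the Apache License, Version 2.0 (the
+* "License"); you may not use this file except in compliance
+* with the License. You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package org.apache.hadoop.hbase.io.crypto.tls;
+
+import java.io.File;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+
+/**
+* Implementation of {@link FileKeyStoreLoader} that loads from PEM files.
+* <p/>
+* This file has been copied from the Apache ZooKeeper project.
+* @see <a href=
+* "https://github.com/apache/zookeeper/blob/c74658d398cdc1d207aa296cb6e20de00faec03e/zookeeper-server/src/main/java/org/apache/zookeeper/common/PEMFileLoader.java">Base
+* revision</a>
+*/
+final class PEMFileLoader extends FileKeyStoreLoader {
+private PEMFileLoader(String keyStorePath, String trustStorePath, char[] keyStorePassword,
+char[] trustStorePassword) {
+super(keyStorePath, trustStorePath, keyStorePassword, trustStorePassword);
+}
+
+@Override
+public KeyStore loadKeyStore() throws IOException, GeneralSecurityException {
+File file = new File(keyStorePath);
+return PemReader.loadKeyStore(file, file, keyStorePassword);
+}
+
+@Override
+public KeyStore loadTrustStore() throws IOException, GeneralSecurityException {
+return PemReader.loadTrustStore(new File(trustStorePath));
+}
+
+static class Builder extends FileKeyStoreLoader.Builder<PEMFileLoader> {
+@Override
+PEMFileLoader build() {
+return new PEMFileLoader(keyStorePath, trustStorePath, keyStorePassword, trustStorePassword);
+}
+}
+}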
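Review bot: loadTrustStore passes only `new File(trustStorePath)` to `PemReader.loadTrustStore`, so a trustStorePassword configured on the Builder is silently ignored for PEM trust stores, and nothing in the class says so. A comment on that line, e.g. `// PEM trust stores hold only certificates; trustStorePassword is intentionally unused here`, would stop a reader from assuming the password is applied. loadKeyStore likewise hands the same File to `PemReader.loadKeyStore` twice, which presumably means the private key and its certificate chain are expected in one combined PEM file; a comment confirming that expectation would help, since PemReader is outside this hunk and the assumption cannot be verified from here.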
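--- /dev/null
+++ b/org/apache/hadoop/hbase/io/crypto/tls/PKCS12FileLoader.java
@@ -0,0 +1,42 @@
+/*
+* Licensed to the Apache Software Foundation (ASF) under one
+* or more contributor license agreements. See the NOTICE file
+* distributed with this work for additional information
+* regarding copyright ownership. The ASF licenses this file
+* to you under the Apache License, Version 2.0 (the
+* "License"); you may not use this file except in compliance
+* with the License. You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package org.apache.hadoop.hbase.io.crypto.tls;
+
+/**
+* Implementation of {@link FileKeyStoreLoader} that loads from PKCS12 files.
+* <p/>
+* This file has been copied from the Apache ZooKeeper project.
+* @see <a href=
+* "https://github.com/apache/zookeeper/blob/c74658d398cdc1d207aa296cb6e20de00faec03e/zookeeper-server/src/main/java/org/apache/zookeeper/common/PKCS12FileLoader.java">Base
+* revision</a>
+*/
+final class PKCS12FileLoader extends StandardTypeFileKeyStoreLoader {
+private PKCS12FileLoader(String keyStorePath, String trustStorePath, char[] keyStorePassword,
+char[] trustStorePassword) {
+super(keyStorePath, trustStorePath, keyStorePassword, trustStorePassword,
+SupportedStandardKeyFormat.PKCS12);
+}
+
+static class Builder extends FileKeyStoreLoader.Builder<PKCS12FileLoader> {
+@Override
+PKCS12FileLoader build() {
+return new PKCS12FileLoader(keyStorePath, trustStorePath, keyStorePassword,
+trustStorePassword);
+}
+}
+}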
