diff --git a/bin/hbase b/bin/hbase index fa05a67e7830..a654f517731b 100755 --- a/bin/hbase +++ b/bin/hbase @@ -106,6 +106,7 @@ show_usage() { echo " cellcounter Run CellCounter tool" echo " pre-upgrade Run Pre-Upgrade validator tool" echo " hbtop Run HBTop tool" + echo " credential Run the Hadoop Credential Shell" echo " CLASSNAME Run the class named CLASSNAME" } @@ -734,6 +735,8 @@ elif [ "$COMMAND" = "hbtop" ] ; then HBASE_HBTOP_OPTS="${HBASE_HBTOP_OPTS} -Dlog4j2.configurationFile=file:${HBASE_HOME}/conf/log4j2-hbtop.properties" fi HBASE_OPTS="${HBASE_OPTS} ${HBASE_HBTOP_OPTS}" +elif [ "$COMMAND" = "credential" ] ; then + CLASS='org.apache.hadoop.security.alias.CredentialShell' else CLASS=$COMMAND if [[ "$CLASS" =~ .*IntegrationTest.* ]] ; then diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcClient.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcClient.java index c45b3a1edcb8..ba387d2bf320 100644 --- a/hbase-client/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcClient.java +++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcClient.java @@ -20,7 +20,6 @@ import java.io.IOException; import java.net.SocketAddress; import java.util.concurrent.atomic.AtomicReference; -import javax.net.ssl.SSLException; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.hbase.HBaseInterfaceAudience; import org.apache.hadoop.hbase.HConstants; @@ -89,7 +88,7 @@ protected void closeInternal() { } } - SslContext getSslContext() throws X509Exception, SSLException { + SslContext getSslContext() throws X509Exception, IOException { SslContext result = sslContextForClient.get(); if (result == null) { result = X509Util.createSslContextForClient(conf); diff --git a/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/X509Util.java b/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/X509Util.java index 78ce833448ea..76b7fad4c596 100644 --- a/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/X509Util.java +++ b/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/X509Util.java @@ -17,7 +17,6 @@ */ package org.apache.hadoop.hbase.io.crypto.tls; -import java.io.BufferedInputStream; import java.io.File; import java.io.IOException; import java.io.InputStream; @@ -32,7 +31,6 @@ import javax.net.ssl.CertPathTrustManagerParameters; import javax.net.ssl.KeyManager; import javax.net.ssl.KeyManagerFactory; -import javax.net.ssl.SSLException; import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManagerFactory; import javax.net.ssl.X509ExtendedTrustManager; @@ -65,6 +63,7 @@ public final class X509Util { private static final Logger LOG = LoggerFactory.getLogger(X509Util.class); + private static final char[] EMPTY_CHAR_ARRAY = new char[0]; // Config static final String CONFIG_PREFIX = "hbase.rpc.tls."; @@ -140,12 +139,12 @@ static String[] getDefaultCipherSuitesForJavaVersion(String javaVersion) { } public static SslContext createSslContextForClient(Configuration config) - throws X509Exception, SSLException { + throws X509Exception, IOException { SslContextBuilder sslContextBuilder = SslContextBuilder.forClient(); String keyStoreLocation = config.get(TLS_CONFIG_KEYSTORE_LOCATION, ""); - String keyStorePassword = config.get(TLS_CONFIG_KEYSTORE_PASSWORD, ""); + char[] keyStorePassword = config.getPassword(TLS_CONFIG_KEYSTORE_PASSWORD); String keyStoreType = config.get(TLS_CONFIG_KEYSTORE_TYPE, ""); if (keyStoreLocation.isEmpty()) { @@ -156,7 +155,7 @@ public static SslContext createSslContextForClient(Configuration config) } String trustStoreLocation = config.get(TLS_CONFIG_TRUSTSTORE_LOCATION, ""); - String trustStorePassword = config.get(TLS_CONFIG_TRUSTSTORE_PASSWORD, ""); + char[] trustStorePassword = config.getPassword(TLS_CONFIG_TRUSTSTORE_PASSWORD); String trustStoreType = config.get(TLS_CONFIG_TRUSTSTORE_TYPE, ""); boolean sslCrlEnabled = config.getBoolean(TLS_CONFIG_CLR, false); @@ -177,9 +176,9 @@ public static SslContext createSslContextForClient(Configuration config) } public static SslContext createSslContextForServer(Configuration config) - throws X509Exception, SSLException { + throws X509Exception, IOException { String keyStoreLocation = config.get(TLS_CONFIG_KEYSTORE_LOCATION, ""); - String keyStorePassword = config.get(TLS_CONFIG_KEYSTORE_PASSWORD, ""); + char[] keyStorePassword = config.getPassword(TLS_CONFIG_KEYSTORE_PASSWORD); String keyStoreType = config.get(TLS_CONFIG_KEYSTORE_TYPE, ""); if (keyStoreLocation.isEmpty()) { @@ -193,7 +192,7 @@ public static SslContext createSslContextForServer(Configuration config) .forServer(createKeyManager(keyStoreLocation, keyStorePassword, keyStoreType)); String trustStoreLocation = config.get(TLS_CONFIG_TRUSTSTORE_LOCATION, ""); - String trustStorePassword = config.get(TLS_CONFIG_TRUSTSTORE_PASSWORD, ""); + char[] trustStorePassword = config.getPassword(TLS_CONFIG_TRUSTSTORE_PASSWORD); String trustStoreType = config.get(TLS_CONFIG_TRUSTSTORE_TYPE, ""); boolean sslCrlEnabled = config.getBoolean(TLS_CONFIG_CLR, false); @@ -225,27 +224,25 @@ public static SslContext createSslContextForServer(Configuration config) * @return the key manager. * @throws KeyManagerException if something goes wrong. */ - static X509KeyManager createKeyManager(String keyStoreLocation, String keyStorePassword, + static X509KeyManager createKeyManager(String keyStoreLocation, char[] keyStorePassword, String keyStoreType) throws KeyManagerException { - if (keyStorePassword == null) { - keyStorePassword = ""; - } - if (keyStoreType == null) { keyStoreType = "jks"; } + if (keyStorePassword == null) { + keyStorePassword = EMPTY_CHAR_ARRAY; + } + try { - char[] password = keyStorePassword.toCharArray(); KeyStore ks = KeyStore.getInstance(keyStoreType); - try (InputStream inputStream = - new BufferedInputStream(Files.newInputStream(new File(keyStoreLocation).toPath()))) { - ks.load(inputStream, password); + try (InputStream inputStream = Files.newInputStream(new File(keyStoreLocation).toPath())) { + ks.load(inputStream, keyStorePassword); } KeyManagerFactory kmf = KeyManagerFactory.getInstance("PKIX"); - kmf.init(ks, password); + kmf.init(ks, keyStorePassword); for (KeyManager km : kmf.getKeyManagers()) { if (km instanceof X509KeyManager) { @@ -272,23 +269,21 @@ static X509KeyManager createKeyManager(String keyStoreLocation, String keyStoreP * @return the trust manager. * @throws TrustManagerException if something goes wrong. */ - static X509TrustManager createTrustManager(String trustStoreLocation, String trustStorePassword, + static X509TrustManager createTrustManager(String trustStoreLocation, char[] trustStorePassword, String trustStoreType, boolean crlEnabled, boolean ocspEnabled) throws TrustManagerException { - if (trustStorePassword == null) { - trustStorePassword = ""; - } - if (trustStoreType == null) { trustStoreType = "jks"; } + if (trustStorePassword == null) { + trustStorePassword = EMPTY_CHAR_ARRAY; + } + try { - char[] password = trustStorePassword.toCharArray(); KeyStore ts = KeyStore.getInstance(trustStoreType); - try (InputStream inputStream = - new BufferedInputStream(Files.newInputStream(new File(trustStoreLocation).toPath()))) { - ts.load(inputStream, password); + try (InputStream inputStream = Files.newInputStream(new File(trustStoreLocation).toPath())) { + ts.load(inputStream, trustStorePassword); } PKIXBuilderParameters pbParams = new PKIXBuilderParameters(ts, new X509CertSelector()); diff --git a/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/TestX509Util.java b/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/TestX509Util.java index 16df35cf431b..09240539c924 100644 --- a/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/TestX509Util.java +++ b/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/TestX509Util.java @@ -19,12 +19,13 @@ import static org.hamcrest.MatcherAssert.assertThat; import static org.hamcrest.Matchers.containsString; +import static org.hamcrest.Matchers.equalTo; import static org.junit.Assert.assertArrayEquals; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertThrows; import static org.junit.Assert.assertTrue; -import static org.junit.Assume.assumeTrue; +import static org.junit.Assume.assumeThat; import static org.mockito.Mockito.mock; import java.io.File; @@ -42,7 +43,6 @@ import org.apache.hadoop.hbase.exceptions.KeyManagerException; import org.apache.hadoop.hbase.exceptions.SSLContextException; import org.apache.hadoop.hbase.exceptions.TrustManagerException; -import org.apache.hadoop.hbase.exceptions.X509Exception; import org.apache.hadoop.hbase.testclassification.MiscTests; import org.apache.hadoop.hbase.testclassification.SmallTests; import org.bouncycastle.jce.provider.BouncyCastleProvider; @@ -74,6 +74,7 @@ public class TestX509Util { HBaseClassTestRule.forClass(TestX509Util.class); private static final HBaseCommonTestingUtility UTIL = new HBaseCommonTestingUtility(); + private static final char[] EMPTY_CHAR_ARRAY = new char[0]; private static X509TestContextProvider PROVIDER; @@ -84,7 +85,7 @@ public class TestX509Util { public X509KeyType certKeyType; @Parameterized.Parameter(value = 2) - public String keyPassword; + public char[] keyPassword; @Parameterized.Parameter(value = 3) public Integer paramIndex; @@ -100,7 +101,7 @@ public static Collection data() { int paramIndex = 0; for (X509KeyType caKeyType : X509KeyType.values()) { for (X509KeyType certKeyType : X509KeyType.values()) { - for (String keyPassword : new String[] { "", "pa$$w0rd" }) { + for (char[] keyPassword : new char[][] { "".toCharArray(), "pa$$w0rd".toCharArray() }) { params.add(new Object[] { caKeyType, certKeyType, keyPassword, paramIndex++ }); } } @@ -172,13 +173,6 @@ public void testCreateSSLContextWithoutKeyStoreLocationClient() throws Exception X509Util.createSslContextForClient(conf); } - @Test(expected = X509Exception.class) - public void testCreateSSLContextWithoutKeyStorePassword() throws Exception { - assumeTrue(x509TestContext.isKeyStoreEncrypted()); - conf.unset(X509Util.TLS_CONFIG_KEYSTORE_PASSWORD); - X509Util.createSslContextForServer(conf); - } - @Test public void testCreateSSLContextWithoutTrustStoreLocationClient() throws Exception { conf.unset(X509Util.TLS_CONFIG_TRUSTSTORE_LOCATION); @@ -220,7 +214,7 @@ public void testLoadJKSKeyStore() throws Exception { @Test public void testLoadJKSKeyStoreNullPassword() throws Exception { - assumeTrue(x509TestContext.getKeyStorePassword().isEmpty()); + assumeThat(x509TestContext.getKeyStorePassword(), equalTo(EMPTY_CHAR_ARRAY)); // Make sure that empty password and null password are treated the same X509Util.createKeyManager( x509TestContext.getKeyStoreFile(KeyStoreFileType.JKS).getAbsolutePath(), null, @@ -237,12 +231,12 @@ public void testLoadJKSKeyStoreFileTypeDefaultToJks() throws Exception { } @Test - public void testLoadJKSKeyStoreWithWrongPassword() throws Exception { + public void testLoadJKSKeyStoreWithWrongPassword() { assertThrows(KeyManagerException.class, () -> { // Attempting to load with the wrong key password should fail X509Util.createKeyManager( - x509TestContext.getKeyStoreFile(KeyStoreFileType.JKS).getAbsolutePath(), "wrong password", - KeyStoreFileType.JKS.getPropertyValue()); + x509TestContext.getKeyStoreFile(KeyStoreFileType.JKS).getAbsolutePath(), + "wrong password".toCharArray(), KeyStoreFileType.JKS.getPropertyValue()); }); } @@ -256,9 +250,7 @@ public void testLoadJKSTrustStore() throws Exception { @Test public void testLoadJKSTrustStoreNullPassword() throws Exception { - if (!x509TestContext.getTrustStorePassword().isEmpty()) { - return; - } + assumeThat(x509TestContext.getTrustStorePassword(), equalTo(EMPTY_CHAR_ARRAY)); // Make sure that empty password and null password are treated the same X509Util.createTrustManager( x509TestContext.getTrustStoreFile(KeyStoreFileType.JKS).getAbsolutePath(), null, @@ -279,8 +271,8 @@ public void testLoadJKSTrustStoreWithWrongPassword() throws Exception { assertThrows(TrustManagerException.class, () -> { // Attempting to load with the wrong key password should fail X509Util.createTrustManager( - x509TestContext.getTrustStoreFile(KeyStoreFileType.JKS).getAbsolutePath(), "wrong password", - KeyStoreFileType.JKS.getPropertyValue(), true, true); + x509TestContext.getTrustStoreFile(KeyStoreFileType.JKS).getAbsolutePath(), + "wrong password".toCharArray(), KeyStoreFileType.JKS.getPropertyValue(), true, true); }); } @@ -294,9 +286,7 @@ public void testLoadPKCS12KeyStore() throws Exception { @Test public void testLoadPKCS12KeyStoreNullPassword() throws Exception { - if (!x509TestContext.getKeyStorePassword().isEmpty()) { - return; - } + assumeThat(x509TestContext.getKeyStorePassword(), equalTo(EMPTY_CHAR_ARRAY)); // Make sure that empty password and null password are treated the same X509Util.createKeyManager( x509TestContext.getKeyStoreFile(KeyStoreFileType.PKCS12).getAbsolutePath(), null, @@ -309,7 +299,7 @@ public void testLoadPKCS12KeyStoreWithWrongPassword() throws Exception { // Attempting to load with the wrong key password should fail X509Util.createKeyManager( x509TestContext.getKeyStoreFile(KeyStoreFileType.PKCS12).getAbsolutePath(), - "wrong password", KeyStoreFileType.PKCS12.getPropertyValue()); + "wrong password".toCharArray(), KeyStoreFileType.PKCS12.getPropertyValue()); }); } @@ -324,9 +314,7 @@ public void testLoadPKCS12TrustStore() throws Exception { @Test public void testLoadPKCS12TrustStoreNullPassword() throws Exception { - if (!x509TestContext.getTrustStorePassword().isEmpty()) { - return; - } + assumeThat(x509TestContext.getTrustStorePassword(), equalTo(EMPTY_CHAR_ARRAY)); // Make sure that empty password and null password are treated the same X509Util.createTrustManager( x509TestContext.getTrustStoreFile(KeyStoreFileType.PKCS12).getAbsolutePath(), null, @@ -339,7 +327,7 @@ public void testLoadPKCS12TrustStoreWithWrongPassword() throws Exception { // Attempting to load with the wrong key password should fail X509Util.createTrustManager( x509TestContext.getTrustStoreFile(KeyStoreFileType.PKCS12).getAbsolutePath(), - "wrong password", KeyStoreFileType.PKCS12.getPropertyValue(), true, true); + "wrong password".toCharArray(), KeyStoreFileType.PKCS12.getPropertyValue(), true, true); }); } diff --git a/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/X509TestContext.java b/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/X509TestContext.java index 671cc0bbab4e..b20850788603 100644 --- a/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/X509TestContext.java +++ b/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/X509TestContext.java @@ -56,14 +56,14 @@ public final class X509TestContext { private final Configuration conf; private final X509Certificate trustStoreCertificate; - private final String trustStorePassword; + private final char[] trustStorePassword; private File trustStoreJksFile; private File trustStorePemFile; private File trustStorePkcs12File; private final KeyPair keyStoreKeyPair; private final X509Certificate keyStoreCertificate; - private final String keyStorePassword; + private final char[] keyStorePassword; private File keyStoreJksFile; private File keyStorePemFile; private File keyStorePkcs12File; @@ -80,7 +80,7 @@ public final class X509TestContext { * @param keyStorePassword the password to protect the key store private key. */ private X509TestContext(Configuration conf, File tempDir, KeyPair trustStoreKeyPair, - String trustStorePassword, KeyPair keyStoreKeyPair, String keyStorePassword) + char[] trustStorePassword, KeyPair keyStoreKeyPair, char[] keyStorePassword) throws IOException, GeneralSecurityException, OperatorCreationException { if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) { throw new IllegalStateException("BC Security provider was not found"); @@ -117,7 +117,7 @@ public File getTempDir() { return tempDir; } - public String getTrustStorePassword() { + public char[] getTrustStorePassword() { return trustStorePassword; } @@ -198,12 +198,12 @@ public X509Certificate getKeyStoreCertificate() { return keyStoreCertificate; } - public String getKeyStorePassword() { + public char[] getKeyStorePassword() { return keyStorePassword; } public boolean isKeyStoreEncrypted() { - return keyStorePassword.length() > 0; + return keyStorePassword != null; } public Configuration getConf() { @@ -307,11 +307,11 @@ public void setConfigurations(KeyStoreFileType keyStoreFileType, KeyStoreFileType trustStoreFileType) throws IOException { conf.set(X509Util.TLS_CONFIG_KEYSTORE_LOCATION, this.getKeyStoreFile(keyStoreFileType).getAbsolutePath()); - conf.set(X509Util.TLS_CONFIG_KEYSTORE_PASSWORD, this.getKeyStorePassword()); + conf.set(X509Util.TLS_CONFIG_KEYSTORE_PASSWORD, String.valueOf(this.getKeyStorePassword())); conf.set(X509Util.TLS_CONFIG_KEYSTORE_TYPE, keyStoreFileType.getPropertyValue()); conf.set(X509Util.TLS_CONFIG_TRUSTSTORE_LOCATION, this.getTrustStoreFile(trustStoreFileType).getAbsolutePath()); - conf.set(X509Util.TLS_CONFIG_TRUSTSTORE_PASSWORD, this.getTrustStorePassword()); + conf.set(X509Util.TLS_CONFIG_TRUSTSTORE_PASSWORD, String.valueOf(this.getTrustStorePassword())); conf.set(X509Util.TLS_CONFIG_TRUSTSTORE_TYPE, trustStoreFileType.getPropertyValue()); } @@ -332,9 +332,9 @@ public static class Builder { private final Configuration conf; private File tempDir; private X509KeyType trustStoreKeyType; - private String trustStorePassword; + private char[] trustStorePassword; private X509KeyType keyStoreKeyType; - private String keyStorePassword; + private char[] keyStorePassword; /** * Creates an empty builder with the given Configuration. @@ -342,9 +342,7 @@ public static class Builder { public Builder(Configuration conf) { this.conf = conf; trustStoreKeyType = X509KeyType.EC; - trustStorePassword = ""; keyStoreKeyType = X509KeyType.EC; - keyStorePassword = ""; } /** @@ -387,7 +385,7 @@ public Builder setTrustStoreKeyType(X509KeyType keyType) { * @param password the password. * @return this Builder. */ - public Builder setTrustStorePassword(String password) { + public Builder setTrustStorePassword(char[] password) { trustStorePassword = password; return this; } @@ -409,7 +407,7 @@ public Builder setKeyStoreKeyType(X509KeyType keyType) { * @param password the password. * @return this Builder. */ - public Builder setKeyStorePassword(String password) { + public Builder setKeyStorePassword(char[] password) { keyStorePassword = password; return this; } diff --git a/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/X509TestContextProvider.java b/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/X509TestContextProvider.java index f5be80f45ba9..3024755a2e3e 100644 --- a/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/X509TestContextProvider.java +++ b/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/X509TestContextProvider.java @@ -18,6 +18,7 @@ package org.apache.hadoop.hbase.io.crypto.tls; import java.io.File; +import java.util.Arrays; import java.util.Objects; import org.apache.hadoop.conf.Configuration; @@ -35,9 +36,9 @@ private static final class CacheKey { private final X509KeyType certKeyType; - private final String keyPassword; + private final char[] keyPassword; - CacheKey(X509KeyType caKeyType, X509KeyType certKeyType, String keyPassword) { + CacheKey(X509KeyType caKeyType, X509KeyType certKeyType, char[] keyPassword) { this.caKeyType = caKeyType; this.certKeyType = certKeyType; this.keyPassword = keyPassword; @@ -45,7 +46,7 @@ private static final class CacheKey { @Override public int hashCode() { - return Objects.hash(caKeyType, certKeyType, keyPassword); + return Objects.hash(caKeyType, certKeyType, Arrays.hashCode(keyPassword)); } @Override @@ -55,7 +56,7 @@ public boolean equals(Object obj) { } CacheKey other = (CacheKey) obj; return caKeyType == other.caKeyType && certKeyType == other.certKeyType - && Objects.equals(keyPassword, other.keyPassword); + && Arrays.equals(keyPassword, other.keyPassword); } } @@ -79,7 +80,7 @@ public X509TestContextProvider(Configuration conf, File tempDir) { this.tempDir = tempDir; } - public X509TestContext get(X509KeyType caKeyType, X509KeyType certKeyType, String keyPassword) { + public X509TestContext get(X509KeyType caKeyType, X509KeyType certKeyType, char[] keyPassword) { return ctxs.getUnchecked(new CacheKey(caKeyType, certKeyType, keyPassword)); } } diff --git a/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/X509TestHelpers.java b/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/X509TestHelpers.java index d4489c1d5893..1697dca8669b 100644 --- a/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/X509TestHelpers.java +++ b/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/X509TestHelpers.java @@ -262,7 +262,7 @@ public static KeyPair generateECKeyPair() throws GeneralSecurityException { * @throws OperatorCreationException if constructing the encryptor from the given password fails. */ public static String pemEncodeCertAndPrivateKey(X509Certificate cert, PrivateKey privateKey, - String keyPassword) throws IOException, OperatorCreationException { + char[] keyPassword) throws IOException, OperatorCreationException { return pemEncodeX509Certificate(cert) + "\n" + pemEncodePrivateKey(privateKey, keyPassword); } @@ -276,16 +276,16 @@ public static String pemEncodeCertAndPrivateKey(X509Certificate cert, PrivateKey * @throws IOException if converting the key to PEM format fails. * @throws OperatorCreationException if constructing the encryptor from the given password fails. */ - public static String pemEncodePrivateKey(PrivateKey key, String password) + public static String pemEncodePrivateKey(PrivateKey key, char[] password) throws IOException, OperatorCreationException { StringWriter stringWriter = new StringWriter(); JcaPEMWriter pemWriter = new JcaPEMWriter(stringWriter); OutputEncryptor encryptor = null; - if (password != null && password.length() > 0) { + if (password != null) { encryptor = new JceOpenSSLPKCS8EncryptorBuilder(PKCSObjectIdentifiers.pbeWithSHAAnd3_KeyTripleDES_CBC) - .setProvider(BouncyCastleProvider.PROVIDER_NAME).setRandom(PRNG) - .setPasssword(password.toCharArray()).build(); + .setProvider(BouncyCastleProvider.PROVIDER_NAME).setRandom(PRNG).setPasssword(password) + .build(); } pemWriter.writeObject(new JcaPKCS8Generator(key, encryptor)); pemWriter.close(); @@ -318,7 +318,7 @@ public static String pemEncodeX509Certificate(X509Certificate cert) throws IOExc * will not be encrypted. * @return the serialized bytes of the JKS trust store. */ - public static byte[] certToJavaTrustStoreBytes(X509Certificate cert, String keyPassword) + public static byte[] certToJavaTrustStoreBytes(X509Certificate cert, char[] keyPassword) throws IOException, GeneralSecurityException { KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType()); return certToTrustStoreBytes(cert, keyPassword, trustStore); @@ -335,19 +335,18 @@ public static byte[] certToJavaTrustStoreBytes(X509Certificate cert, String keyP * will not be encrypted. * @return the serialized bytes of the PKCS12 trust store. */ - public static byte[] certToPKCS12TrustStoreBytes(X509Certificate cert, String keyPassword) + public static byte[] certToPKCS12TrustStoreBytes(X509Certificate cert, char[] keyPassword) throws IOException, GeneralSecurityException { KeyStore trustStore = KeyStore.getInstance("PKCS12"); return certToTrustStoreBytes(cert, keyPassword, trustStore); } - private static byte[] certToTrustStoreBytes(X509Certificate cert, String keyPassword, + private static byte[] certToTrustStoreBytes(X509Certificate cert, char[] keyPassword, KeyStore trustStore) throws IOException, GeneralSecurityException { - char[] keyPasswordChars = keyPassword == null ? new char[0] : keyPassword.toCharArray(); - trustStore.load(null, keyPasswordChars); + trustStore.load(null, keyPassword); trustStore.setCertificateEntry(cert.getSubjectDN().toString(), cert); ByteArrayOutputStream outputStream = new ByteArrayOutputStream(); - trustStore.store(outputStream, keyPasswordChars); + trustStore.store(outputStream, keyPassword); outputStream.flush(); byte[] result = outputStream.toByteArray(); outputStream.close(); @@ -366,7 +365,7 @@ private static byte[] certToTrustStoreBytes(X509Certificate cert, String keyPass * @return the serialized bytes of the JKS key store. */ public static byte[] certAndPrivateKeyToJavaKeyStoreBytes(X509Certificate cert, - PrivateKey privateKey, String keyPassword) throws IOException, GeneralSecurityException { + PrivateKey privateKey, char[] keyPassword) throws IOException, GeneralSecurityException { KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType()); return certAndPrivateKeyToBytes(cert, privateKey, keyPassword, keyStore); } @@ -383,18 +382,17 @@ public static byte[] certAndPrivateKeyToJavaKeyStoreBytes(X509Certificate cert, * @return the serialized bytes of the PKCS12 key store. */ public static byte[] certAndPrivateKeyToPKCS12Bytes(X509Certificate cert, PrivateKey privateKey, - String keyPassword) throws IOException, GeneralSecurityException { + char[] keyPassword) throws IOException, GeneralSecurityException { KeyStore keyStore = KeyStore.getInstance("PKCS12"); return certAndPrivateKeyToBytes(cert, privateKey, keyPassword, keyStore); } private static byte[] certAndPrivateKeyToBytes(X509Certificate cert, PrivateKey privateKey, - String keyPassword, KeyStore keyStore) throws IOException, GeneralSecurityException { - char[] keyPasswordChars = keyPassword == null ? new char[0] : keyPassword.toCharArray(); - keyStore.load(null, keyPasswordChars); - keyStore.setKeyEntry("key", privateKey, keyPasswordChars, new Certificate[] { cert }); + char[] keyPassword, KeyStore keyStore) throws IOException, GeneralSecurityException { + keyStore.load(null, keyPassword); + keyStore.setKeyEntry("key", privateKey, keyPassword, new Certificate[] { cert }); ByteArrayOutputStream outputStream = new ByteArrayOutputStream(); - keyStore.store(outputStream, keyPasswordChars); + keyStore.store(outputStream, keyPassword); outputStream.flush(); byte[] result = outputStream.toByteArray(); outputStream.close(); diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcServer.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcServer.java index 0a298833865e..723132df2aa0 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcServer.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcServer.java @@ -25,7 +25,6 @@ import java.net.InetSocketAddress; import java.util.List; import java.util.concurrent.CountDownLatch; -import javax.net.ssl.SSLException; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.hbase.CellScanner; import org.apache.hadoop.hbase.HBaseInterfaceAudience; @@ -250,7 +249,7 @@ public Pair call(BlockingService service, MethodDescriptor } private void initSSL(ChannelPipeline p, boolean supportPlaintext) - throws X509Exception, SSLException { + throws X509Exception, IOException { SslContext nettySslContext = X509Util.createSslContextForServer(conf); if (supportPlaintext) { diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/AbstractTestTlsRejectPlainText.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/AbstractTestTlsRejectPlainText.java index c6ecccaea345..dc79ab25c492 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/AbstractTestTlsRejectPlainText.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/AbstractTestTlsRejectPlainText.java @@ -72,7 +72,7 @@ public abstract class AbstractTestTlsRejectPlainText { public X509KeyType certKeyType; @Parameterized.Parameter(2) - public String keyPassword; + public char[] keyPassword; private X509TestContext x509TestContext; @@ -85,7 +85,7 @@ public static List data() { List params = new ArrayList<>(); for (X509KeyType caKeyType : X509KeyType.values()) { for (X509KeyType certKeyType : X509KeyType.values()) { - for (String keyPassword : new String[] { "", "pa$$w0rd" }) { + for (char[] keyPassword : new char[][] { "".toCharArray(), "pa$$w0rd".toCharArray() }) { params.add(new Object[] { caKeyType, certKeyType, keyPassword }); } } diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/TestNettyTlsIPC.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/TestNettyTlsIPC.java index 758c9d327faa..65460ab3eaf2 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/TestNettyTlsIPC.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/TestNettyTlsIPC.java @@ -83,7 +83,7 @@ public class TestNettyTlsIPC extends AbstractTestIPC { public X509KeyType certKeyType; @Parameterized.Parameter(2) - public String keyPassword; + public char[] keyPassword; @Parameterized.Parameter(3) public boolean acceptPlainText; @@ -100,7 +100,7 @@ public static List data() { List params = new ArrayList<>(); for (X509KeyType caKeyType : X509KeyType.values()) { for (X509KeyType certKeyType : X509KeyType.values()) { - for (String keyPassword : new String[] { "", "pa$$w0rd" }) { + for (char[] keyPassword : new char[][] { "".toCharArray(), "pa$$w0rd".toCharArray() }) { // do not accept plain text params.add(new Object[] { caKeyType, certKeyType, keyPassword, false, true }); // support plain text and client enables tls diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/TestSaslTlsIPC.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/TestSaslTlsIPC.java index 3d48af5074c2..1477e8aa0fca 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/TestSaslTlsIPC.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/TestSaslTlsIPC.java @@ -64,7 +64,7 @@ public class TestSaslTlsIPC extends AbstractTestSecureIPC { public X509KeyType certKeyType; @Parameterized.Parameter(2) - public String keyPassword; + public char[] keyPassword; @Parameterized.Parameter(3) public boolean acceptPlainText; @@ -81,7 +81,7 @@ public static List data() { List params = new ArrayList<>(); for (X509KeyType caKeyType : X509KeyType.values()) { for (X509KeyType certKeyType : X509KeyType.values()) { - for (String keyPassword : new String[] { "", "pa$$w0rd" }) { + for (char[] keyPassword : new char[][] { "".toCharArray(), "pa$$w0rd".toCharArray() }) { // do not accept plain text params.add(new Object[] { caKeyType, certKeyType, keyPassword, false, true }); // support plain text and client enables tls