ZOOKEEPER-3160: Custom User SSLContext

zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java

@@ -18,18 +18,11 @@
 package org.apache.zookeeper.common;
 
 
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.net.Socket;
-import java.security.GeneralSecurityException;
-import java.security.KeyManagementException;
-import java.security.KeyStore;
-import java.security.NoSuchAlgorithmException;
-import java.security.Security;
-import java.security.cert.PKIXBuilderParameters;
-import java.security.cert.X509CertSelector;
-import java.util.Arrays;
-import java.util.concurrent.atomic.AtomicReference;
+import org.apache.zookeeper.common.X509Exception.KeyManagerException;
+import org.apache.zookeeper.common.X509Exception.SSLContextException;
+import org.apache.zookeeper.common.X509Exception.TrustManagerException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import javax.net.ssl.CertPathTrustManagerParameters;
 import javax.net.ssl.KeyManager;
@@ -43,12 +36,19 @@
 import javax.net.ssl.X509ExtendedTrustManager;
 import javax.net.ssl.X509KeyManager;
 import javax.net.ssl.X509TrustManager;
-
-import org.apache.zookeeper.common.X509Exception.KeyManagerException;
-import org.apache.zookeeper.common.X509Exception.SSLContextException;
-import org.apache.zookeeper.common.X509Exception.TrustManagerException;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.lang.reflect.InvocationTargetException;
+import java.net.Socket;
+import java.security.GeneralSecurityException;
+import java.security.KeyManagementException;
+import java.security.KeyStore;
+import java.security.NoSuchAlgorithmException;
+import java.security.Security;
+import java.security.cert.PKIXBuilderParameters;
+import java.security.cert.X509CertSelector;
+import java.util.Arrays;
+import java.util.concurrent.atomic.AtomicReference;
 
 /**
  * Utility code for X509 handling
@@ -82,6 +82,7 @@ public abstract class X509Util {
     private String sslKeystoreLocationProperty = getConfigPrefix() + "keyStore.location";
     private String sslKeystorePasswdProperty = getConfigPrefix() + "keyStore.password";
     private String sslKeystoreTypeProperty = getConfigPrefix() + "keyStore.type";
+    private String sslClientContextProperty = getConfigPrefix() + "client.context";
     private String sslTruststoreLocationProperty = getConfigPrefix() + "trustStore.location";
     private String sslTruststorePasswdProperty = getConfigPrefix() + "trustStore.password";
     private String sslTruststoreTypeProperty = getConfigPrefix() + "trustStore.type";
@@ -126,6 +127,10 @@ public String getSslKeystoreTypeProperty() {
         return sslKeystoreTypeProperty;
     }
 
+    public String getSslClientContextProperty() {
+        return sslClientContextProperty;
+    }
+
     public String getSslTruststoreLocationProperty() {
         return sslTruststoreLocationProperty;
     }
@@ -208,62 +213,76 @@ public int getSslHandshakeTimeoutMillis() {
     }
 
     public SSLContext createSSLContext(ZKConfig config) throws SSLContextException {
-        KeyManager[] keyManagers = null;
-        TrustManager[] trustManagers = null;
+        if (config.getProperty(sslClientContextProperty) != null) {
+            LOG.debug("Loading SSLContext from property '" + sslClientContextProperty + "'");
+            String sslClientContextClass = config.getProperty(sslClientContextProperty);
+            try {
+                Class<?> sslContextClass = Class.forName(sslClientContextClass);
+                ZKClientSSLContext sslContext = (ZKClientSSLContext) sslContextClass.getConstructor().newInstance();
+                return sslContext.getSSLContext();
+            } catch (ClassNotFoundException | ClassCastException | NoSuchMethodException | InvocationTargetException |
+                    InstantiationException | IllegalAccessException e) {
+                throw new SSLContextException("Could not retrieve the SSLContext from source '" + sslClientContextClass +
+                        "' provided in the property '" + sslClientContextProperty + "'", e);
+            }
+        } else {
+            KeyManager[] keyManagers = null;
+            TrustManager[] trustManagers = null;
 
-        String keyStoreLocationProp = config.getProperty(sslKeystoreLocationProperty, "");
-        String keyStorePasswordProp = config.getProperty(sslKeystorePasswdProperty, "");
-        String keyStoreTypeProp = config.getProperty(sslKeystoreTypeProperty);
+            String keyStoreLocationProp = config.getProperty(sslKeystoreLocationProperty, "");
+            String keyStorePasswordProp = config.getProperty(sslKeystorePasswdProperty, "");
+            String keyStoreTypeProp = config.getProperty(sslKeystoreTypeProperty);
 
-        // There are legal states in some use cases for null KeyManager or TrustManager.
-        // But if a user wanna specify one, location is required. Password defaults to empty string if it is not
-        // specified by the user.
+            // There are legal states in some use cases for null KeyManager or TrustManager.
+            // But if a user wanna specify one, location is required. Password defaults to empty string if it is not
+            // specified by the user.
 
-        if (keyStoreLocationProp.isEmpty()) {
-            LOG.warn(getSslKeystoreLocationProperty() + " not specified");
-        } else {
-            try {
-                keyManagers = new KeyManager[]{
-                        createKeyManager(keyStoreLocationProp, keyStorePasswordProp, keyStoreTypeProp)};
-            } catch (KeyManagerException keyManagerException) {
-                throw new SSLContextException("Failed to create KeyManager", keyManagerException);
-            } catch (IllegalArgumentException e) {
-                throw new SSLContextException("Bad value for " + sslKeystoreTypeProperty + ": " + keyStoreTypeProp, e);
+            if (keyStoreLocationProp.isEmpty()) {
+                LOG.warn(getSslKeystoreLocationProperty() + " not specified");
+            } else {
+                try {
+                    keyManagers = new KeyManager[]{
+                            createKeyManager(keyStoreLocationProp, keyStorePasswordProp, keyStoreTypeProp)};
+                } catch (KeyManagerException keyManagerException) {
+                    throw new SSLContextException("Failed to create KeyManager", keyManagerException);
+                } catch (IllegalArgumentException e) {
+                    throw new SSLContextException("Bad value for " + sslKeystoreTypeProperty + ": " + keyStoreTypeProp, e);
+                }
             }
-        }
 
-        String trustStoreLocationProp = config.getProperty(sslTruststoreLocationProperty, "");
-        String trustStorePasswordProp = config.getProperty(sslTruststorePasswdProperty, "");
-        String trustStoreTypeProp = config.getProperty(sslTruststoreTypeProperty);
+            String trustStoreLocationProp = config.getProperty(sslTruststoreLocationProperty, "");
+            String trustStorePasswordProp = config.getProperty(sslTruststorePasswdProperty, "");
+            String trustStoreTypeProp = config.getProperty(sslTruststoreTypeProperty);
 
-        boolean sslCrlEnabled = config.getBoolean(this.sslCrlEnabledProperty);
-        boolean sslOcspEnabled = config.getBoolean(this.sslOcspEnabledProperty);
-        boolean sslServerHostnameVerificationEnabled =
-                config.getBoolean(this.getSslHostnameVerificationEnabledProperty(), true);
-        boolean sslClientHostnameVerificationEnabled =
-                sslServerHostnameVerificationEnabled && shouldVerifyClientHostname();
+            boolean sslCrlEnabled = config.getBoolean(this.sslCrlEnabledProperty);
+            boolean sslOcspEnabled = config.getBoolean(this.sslOcspEnabledProperty);
+            boolean sslServerHostnameVerificationEnabled =
+                    config.getBoolean(this.getSslHostnameVerificationEnabledProperty(), true);
+            boolean sslClientHostnameVerificationEnabled =
+                    sslServerHostnameVerificationEnabled && shouldVerifyClientHostname();
 
-        if (trustStoreLocationProp.isEmpty()) {
-            LOG.warn(getSslTruststoreLocationProperty() + " not specified");
-        } else {
-            try {
-                trustManagers = new TrustManager[]{
-                        createTrustManager(trustStoreLocationProp, trustStorePasswordProp, trustStoreTypeProp, sslCrlEnabled, sslOcspEnabled,
-                                sslServerHostnameVerificationEnabled, sslClientHostnameVerificationEnabled)};
-            } catch (TrustManagerException trustManagerException) {
-                throw new SSLContextException("Failed to create TrustManager", trustManagerException);
-            } catch (IllegalArgumentException e) {
-                throw new SSLContextException("Bad value for " + sslTruststoreTypeProperty + ": " + trustStoreTypeProp, e);
+            if (trustStoreLocationProp.isEmpty()) {
+                LOG.warn(getSslTruststoreLocationProperty() + " not specified");
+            } else {
+                try {
+                    trustManagers = new TrustManager[]{
+                            createTrustManager(trustStoreLocationProp, trustStorePasswordProp, trustStoreTypeProp, sslCrlEnabled, sslOcspEnabled,
+                                    sslServerHostnameVerificationEnabled, sslClientHostnameVerificationEnabled)};
+                } catch (TrustManagerException trustManagerException) {
+                    throw new SSLContextException("Failed to create TrustManager", trustManagerException);
+                } catch (IllegalArgumentException e) {
+                    throw new SSLContextException("Bad value for " + sslTruststoreTypeProperty + ": " + trustStoreTypeProp, e);
+                }
             }
-        }
 
-        String protocol = System.getProperty(sslProtocolProperty, DEFAULT_PROTOCOL);
-        try {
-            SSLContext sslContext = SSLContext.getInstance(protocol);
-            sslContext.init(keyManagers, trustManagers, null);
-            return sslContext;
-        } catch (NoSuchAlgorithmException|KeyManagementException sslContextInitException) {
-            throw new SSLContextException(sslContextInitException);
+            String protocol = System.getProperty(sslProtocolProperty, DEFAULT_PROTOCOL);
+            try {
+                SSLContext sslContext = SSLContext.getInstance(protocol);
+                sslContext.init(keyManagers, trustManagers, null);
+                return sslContext;
+            } catch (NoSuchAlgorithmException|KeyManagementException sslContextInitException) {
+                throw new SSLContextException(sslContextInitException);
+            }
         }
     }
 

zookeeper-server/src/main/java/org/apache/zookeeper/common/ZKClientSSLContext.java

@@ -0,0 +1,35 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.zookeeper.common;
+
+import javax.net.ssl.SSLContext;
+
+/**
+ * An interface for providing a custom {@link SSLContext} object to {@link X509Util} using {@link X509Util#getSslClientContextProperty()}
+ */
+public interface ZKClientSSLContext {
+
+    /**
+     * Returns an {@link SSLContext} for use within the {@link X509Util}
+     *
+     * @return {@link SSLContext} for use within {@link X509Util}
+     * @throws X509Exception.SSLContextException if {@link SSLContext} cannot be created
+     */
+    SSLContext getSSLContext() throws X509Exception.SSLContextException;
+
+}

zookeeper-server/src/main/java/org/apache/zookeeper/common/ZKConfig.java

@@ -42,7 +42,6 @@
 public class ZKConfig {
 
     private static final Logger LOG = LoggerFactory.getLogger(ZKConfig.class);
-
     public static final String JUTE_MAXBUFFER = "jute.maxbuffer";
 
     /**

zookeeper-server/src/test/java/org/apache/zookeeper/common/X509UtilTest.java

@@ -17,6 +17,10 @@
  */
 package org.apache.zookeeper.common;
 
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
 import java.security.Security;
 import java.util.Collection;
 
@@ -356,6 +360,28 @@ public void testLoadJKSTrustStoreWithWrongPassword() throws Exception {
                 true);
     }
 
+    @Test
+    public void testCreateSSLContext_invalidCustomSSLContextClass() {
+        ZKConfig zkConfig = new ZKConfig();
+        ClientX509Util clientX509Util = new ClientX509Util();
+        zkConfig.setProperty(clientX509Util.getSslClientContextProperty(), String.class.getCanonicalName());
+        try {
+            clientX509Util.createSSLContext(zkConfig);
+            fail("SSLContextException expected.");
+        } catch (X509Exception.SSLContextException e) {
+            assertTrue(e.getMessage().contains(clientX509Util.getSslClientContextProperty()));
+        }
+    }
+
+    @Test
+    public void testCreateSSLContext_validCustomSSLContextClass() throws X509Exception.SSLContextException {
+        ZKConfig zkConfig = new ZKConfig();
+        ClientX509Util clientX509Util = new ClientX509Util();
+        zkConfig.setProperty(clientX509Util.getSslClientContextProperty(), ZKTestClientSSLContext.class.getCanonicalName());
+        final SSLContext sslContext = clientX509Util.createSSLContext(zkConfig);
+        assertNull(sslContext);
+    }
+
     @Test
     public void testGetSslHandshakeDetectionTimeoutMillisProperty() {
         X509Util x509Util = new ClientX509Util();

zookeeper-server/src/test/java/org/apache/zookeeper/common/ZKTestClientSSLContext.java

@@ -0,0 +1,29 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.zookeeper.common;
+
+import javax.net.ssl.SSLContext;
+
+public class ZKTestClientSSLContext implements ZKClientSSLContext {
+
+    @Override
+    public SSLContext getSSLContext() {
+        return null;
+    }
+
+}