[GitHub] zookeeper pull request #184: ZOOKEEPER-236: SSL Support for Atomic Broadcast...

[ivmaykov]

Github user ivmaykov commented on a diff in the pull request:

    https://github.com/apache/zookeeper/pull/184#discussion_r195517786
  
    --- Diff: src/java/main/org/apache/zookeeper/common/X509Util.java ---
    @@ -18,64 +18,119 @@
     package org.apache.zookeeper.common;
     
     
    +import org.slf4j.Logger;
    +import org.slf4j.LoggerFactory;
    +
    +import javax.net.ssl.CertPathTrustManagerParameters;
     import javax.net.ssl.KeyManager;
     import javax.net.ssl.KeyManagerFactory;
     import javax.net.ssl.SSLContext;
    +import javax.net.ssl.SSLParameters;
    +import javax.net.ssl.SSLServerSocket;
    +import javax.net.ssl.SSLSocket;
     import javax.net.ssl.TrustManager;
     import javax.net.ssl.TrustManagerFactory;
    +import javax.net.ssl.X509ExtendedTrustManager;
     import javax.net.ssl.X509KeyManager;
     import javax.net.ssl.X509TrustManager;
     import java.io.File;
     import java.io.FileInputStream;
     import java.io.IOException;
    +import java.net.Socket;
    +import java.security.InvalidAlgorithmParameterException;
    +import java.security.KeyManagementException;
     import java.security.KeyStore;
    +import java.security.KeyStoreException;
    +import java.security.NoSuchAlgorithmException;
    +import java.security.Security;
    +import java.security.UnrecoverableKeyException;
    +import java.security.cert.CertificateException;
    +import java.security.cert.PKIXBuilderParameters;
    +import java.security.cert.X509CertSelector;
    +import java.util.Arrays;
     
    -import org.slf4j.Logger;
    -import org.slf4j.LoggerFactory;
    -
    -import static 
org.apache.zookeeper.common.X509Exception.KeyManagerException;
    -import static 
org.apache.zookeeper.common.X509Exception.SSLContextException;
    -import static 
org.apache.zookeeper.common.X509Exception.TrustManagerException;
    +import org.apache.zookeeper.common.X509Exception.KeyManagerException;
    +import org.apache.zookeeper.common.X509Exception.SSLContextException;
    +import org.apache.zookeeper.common.X509Exception.TrustManagerException;
     
     /**
      * Utility code for X509 handling
      */
    -public class X509Util {
    +public abstract class X509Util {
         private static final Logger LOG = 
LoggerFactory.getLogger(X509Util.class);
     
    -    /**
    -     * @deprecated Use {@link ZKConfig#SSL_KEYSTORE_LOCATION}
    -     *             instead.
    -     */
    -    @Deprecated
    -    public static final String SSL_KEYSTORE_LOCATION = 
"zookeeper.ssl.keyStore.location";
    -    /**
    -     * @deprecated Use {@link ZKConfig#SSL_KEYSTORE_PASSWD}
    -     *             instead.
    -     */
    -    @Deprecated
    -    public static final String SSL_KEYSTORE_PASSWD = 
"zookeeper.ssl.keyStore.password";
    -    /**
    -     * @deprecated Use {@link ZKConfig#SSL_TRUSTSTORE_LOCATION}
    -     *             instead.
    -     */
    -    @Deprecated
    -    public static final String SSL_TRUSTSTORE_LOCATION = 
"zookeeper.ssl.trustStore.location";
    -    /**
    -     * @deprecated Use {@link ZKConfig#SSL_TRUSTSTORE_PASSWD}
    -     *             instead.
    -     */
    -    @Deprecated
    -    public static final String SSL_TRUSTSTORE_PASSWD = 
"zookeeper.ssl.trustStore.password";
    -    /**
    -     * @deprecated Use {@link ZKConfig#SSL_AUTHPROVIDER}
    -     *             instead.
    -     */
    -    @Deprecated
    -    public static final String SSL_AUTHPROVIDER = 
"zookeeper.ssl.authProvider";
    -
    -    public static SSLContext createSSLContext() throws SSLContextException 
{
    -        /**
    +    static final String DEFAULT_PROTOCOL = "TLSv1.2";
    +
    +    private String sslProtocolProperty = getConfigPrefix() + "protocol";
    +    private String cipherSuitesProperty = getConfigPrefix() + 
"ciphersuites";
    +    private String sslKeystoreLocationProperty = getConfigPrefix() + 
"keyStore.location";
    +    private String sslKeystorePasswdProperty = getConfigPrefix() + 
"keyStore.password";
    +    private String sslTruststoreLocationProperty = getConfigPrefix() + 
"trustStore.location";
    +    private String sslTruststorePasswdProperty = getConfigPrefix() + 
"trustStore.password";
    +    private String sslHostnameVerificationEnabledProperty = 
getConfigPrefix() + "hostnameVerification";
    +    private String sslCrlEnabledProperty = getConfigPrefix() + "crl";
    +    private String sslOcspEnabledProperty = getConfigPrefix() + "ocsp";
    +
    +    private String[] cipherSuites;
    +
    +    private volatile SSLContext defaultSSLContext;
    +
    +    public X509Util() {
    +        String cipherSuitesInput = 
System.getProperty(cipherSuitesProperty);
    +        if (cipherSuitesInput == null) {
    +            cipherSuites = null;
    +        } else {
    +            cipherSuites = cipherSuitesInput.split(",");
    +        }
    +    }
    +
    +    protected abstract String getConfigPrefix();
    +    protected abstract boolean shouldVerifyClientHostname();
    +
    +    public String getSslProtocolProperty() {
    +        return sslProtocolProperty;
    +    }
    +
    +    public String getCipherSuitesProperty() {
    +        return cipherSuitesProperty;
    +    }
    +
    +    public String getSslKeystoreLocationProperty() {
    +        return sslKeystoreLocationProperty;
    +    }
    +
    +    public String getSslKeystorePasswdProperty() {
    +        return sslKeystorePasswdProperty;
    +    }
    +
    +    public String getSslTruststoreLocationProperty() {
    +        return sslTruststoreLocationProperty;
    +    }
    +
    +    public String getSslTruststorePasswdProperty() {
    +        return sslTruststorePasswdProperty;
    +    }
    +
    +    public String getSslHostnameVerificationEnabledProperty() {
    +        return sslHostnameVerificationEnabledProperty;
    +    }
    +    public String getSslCrlEnabledProperty() {
    +        return sslCrlEnabledProperty;
    +    }
    +
    +    public String getSslOcspEnabledProperty() {
    +        return sslOcspEnabledProperty;
    +    }
    +
    +    public synchronized SSLContext getDefaultSSLContext() throws 
X509Exception.SSLContextException {
    --- End diff --
    
    Still need to remove `synchronized` here.


---