Github user hanm commented on a diff in the pull request: https://github.com/apache/zookeeper/pull/184#discussion_r221088959 --- Diff: src/java/main/org/apache/zookeeper/common/X509Util.java --- 
@@ -160,43 +239,130 @@ public static X509KeyManager createKeyManager(String keyStoreLocation, String ke
 }
 throw new KeyManagerException("Couldn't find X509KeyManager");
- } catch (Exception e) {
- throw new KeyManagerException(e);
+ } catch (IOException|CertificateException|UnrecoverableKeyException|NoSuchAlgorithmException|KeyStoreException
+ keyManagerCreationException) {
+ throw new KeyManagerException(keyManagerCreationException);
 } finally {
 if (inputStream != null) {
 try {
 inputStream.close();
- } catch (IOException e) {}
+ } catch (IOException ioException) {
+ LOG.info("Failed to close key store input stream", ioException);
+ }
 }
 }
 }
- public static X509TrustManager createTrustManager(String trustStoreLocation, String trustStorePassword)
+ public static X509TrustManager createTrustManager(String trustStoreLocation, String trustStorePassword,
+ boolean crlEnabled, boolean ocspEnabled,
+ final boolean serverHostnameVerificationEnabled,
+ final boolean clientHostnameVerificationEnabled)
 throws TrustManagerException {
 FileInputStream inputStream = null;
 try {
- char[] trustStorePasswordChars = trustStorePassword.toCharArray();
 File trustStoreFile = new File(trustStoreLocation);
 KeyStore ts = KeyStore.getInstance("JKS");
 inputStream = new FileInputStream(trustStoreFile);
- ts.load(inputStream, trustStorePasswordChars);
- TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
- tmf.init(ts);
+ if (trustStorePassword != null) {
+ char[] trustStorePasswordChars = trustStorePassword.toCharArray();
+ ts.load(inputStream, trustStorePasswordChars);
+ } else {
+ ts.load(inputStream, null);
+ }
+
+ PKIXBuilderParameters pbParams = new PKIXBuilderParameters(ts, new X509CertSelector());
+ if (crlEnabled || ocspEnabled) {
+ pbParams.setRevocationEnabled(true);
+ System.setProperty("com.sun.net.ssl.checkRevocation", "true");
+ System.setProperty("com.sun.security.enableCRLDP", "true");
+ if (ocspEnabled) {
+ Security.setProperty("ocsp.enable", "true");
+ }
+
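Review bot: The `System.setProperty("com.sun.net.ssl.checkRevocation", "true")`, `System.setProperty("com.sun.security.enableCRLDP", "true")` and `Security.setProperty("ocsp.enable", "true")` calls in the `crlEnabled || ocspEnabled` branch of createTrustManager mutate process-wide JVM state from a per-call factory method and are never reverted, so a single call with revocation enabled changes the behaviour of every later PKIX validation and SSLContext in the same JVM, including callers that pass both flags as false; the method's Javadoc should say so, e.g. `Enabling CRL or OCSP sets JVM-wide security properties that persist for the life of the process.` `PKIXParameters` revocation checking defaults to enabled, so unless the code after the quoted lines calls `pbParams.setRevocationEnabled(false)` when neither flag is set, the default configuration will still attempt revocation checks and fail closed without CRL data. Separately, `ts.load(inputStream, null)` in the null-password branch skips the keystore integrity check, which is worth stating in the `trustStorePassword` parameter documentation. The body of createTrustManager continues past the quoted hunk.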
--- End diff -- nit: remove extra line.
---