anmolnar commented on code in PR #2009:
URL: https://github.com/apache/zookeeper/pull/2009#discussion_r1248842770


##########
zookeeper-server/src/main/java/org/apache/zookeeper/common/ClientX509Util.java:
##########
@@ -36,4 +55,149 @@ public String getSslAuthProviderProperty() {
         return sslAuthProviderProperty;
     }
 
+    public String getSslProviderProperty() {
+        return sslProviderProperty;
+    }
+
+    public SslContext createNettySslContextForClient(ZKConfig config)
+        throws X509Exception.KeyManagerException, 
X509Exception.TrustManagerException, SSLException {
+        String keyStoreLocation = 
config.getProperty(getSslKeystoreLocationProperty(), "");
+        String keyStorePassword = getPasswordFromConfigPropertyOrFile(config, 
getSslKeystorePasswdProperty(),
+            getSslKeystorePasswdPathProperty());
+        String keyStoreType = config.getProperty(getSslKeystoreTypeProperty());
+
+        SslContextBuilder sslContextBuilder = SslContextBuilder.forClient();
+
+        if (keyStoreLocation.isEmpty()) {
+            LOG.warn("{} not specified", getSslKeystoreLocationProperty());
+        } else {
+            sslContextBuilder.keyManager(createKeyManager(keyStoreLocation, 
keyStorePassword, keyStoreType));
+        }
+
+        TrustManager tm = getTrustManager(config);
+        if (tm != null) {
+            sslContextBuilder.trustManager(tm);
+        }
+
+        
sslContextBuilder.enableOcsp(config.getBoolean(getSslOcspEnabledProperty()));
+        sslContextBuilder.protocols(getEnabledProtocols(config));
+        Iterable<String> enabledCiphers = getCipherSuites(config);
+        if (enabledCiphers != null) {
+            sslContextBuilder.ciphers(enabledCiphers);
+        }
+        sslContextBuilder.sslProvider(getSslProvider(config));
+
+        SslContext sslContext1 = sslContextBuilder.build();
+
+        if (getFipsMode(config) && 
isServerHostnameVerificationEnabled(config)) {
+            return addHostnameVerification(sslContext1, "Server");
+        } else {
+            return sslContext1;
+        }
+    }
+
+    public SslContext createNettySslContextForServer(ZKConfig config)
+        throws X509Exception.SSLContextException, 
X509Exception.KeyManagerException, X509Exception.TrustManagerException, 
SSLException {
+        String keyStoreLocation = 
config.getProperty(getSslKeystoreLocationProperty(), "");
+        String keyStorePassword = getPasswordFromConfigPropertyOrFile(config, 
getSslKeystorePasswdProperty(),
+            getSslKeystorePasswdPathProperty());
+        String keyStoreType = config.getProperty(getSslKeystoreTypeProperty());
+
+        if (keyStoreLocation.isEmpty()) {
+            throw new X509Exception.SSLContextException(
+                "Keystore is required for SSL server: " + 
getSslKeystoreLocationProperty());
+        }
+
+        KeyManager km = createKeyManager(keyStoreLocation, keyStorePassword, 
keyStoreType);
+
+        return createNettySslContextForServer(config, km, 
getTrustManager(config));
+    }
+
+    public SslContext createNettySslContextForServer(ZKConfig config, 
KeyManager keyManager, TrustManager trustManager) throws SSLException {
+        SslContextBuilder sslContextBuilder = 
SslContextBuilder.forServer(keyManager);
+
+        if (trustManager != null) {
+            sslContextBuilder.trustManager(trustManager);
+        }
+
+        
sslContextBuilder.enableOcsp(config.getBoolean(getSslOcspEnabledProperty()));
+        sslContextBuilder.protocols(getEnabledProtocols(config));
+        
sslContextBuilder.clientAuth(getClientAuth(config).toNettyClientAuth());
+        Iterable<String> enabledCiphers = getCipherSuites(config);
+        if (enabledCiphers != null) {
+            sslContextBuilder.ciphers(enabledCiphers);
+        }
+        sslContextBuilder.sslProvider(getSslProvider(config));
+
+        SslContext sslContext1 = sslContextBuilder.build();
+
+        if (getFipsMode(config) && 
isClientHostnameVerificationEnabled(config)) {
+            return addHostnameVerification(sslContext1, "Client");
+        } else {
+            return sslContext1;
+        }
+    }
+
+    private SslContext addHostnameVerification(SslContext sslContext, String 
clientOrServer) {
+        return new DelegatingSslContext(sslContext) {
+            @Override
+            protected void initEngine(SSLEngine sslEngine) {
+                SSLParameters sslParameters = sslEngine.getSSLParameters();
+                sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
+                sslEngine.setSSLParameters(sslParameters);
+                if (LOG.isDebugEnabled()) {
+                    LOG.debug("{} hostname verification: enabled HTTPS style 
endpoint identification algorithm", clientOrServer);
+                }
+            }
+        };
+    }
+
+    private String[] getEnabledProtocols(final ZKConfig config) {
+        String enabledProtocolsInput = 
config.getProperty(getSslEnabledProtocolsProperty());
+        if (enabledProtocolsInput == null) {
+            return new String[]{ config.getProperty(getSslProtocolProperty(), 
DEFAULT_PROTOCOL) };
+        }
+        return enabledProtocolsInput.split(",");
+    }
+
+    private X509Util.ClientAuth getClientAuth(final ZKConfig config) {
+        return 
X509Util.ClientAuth.fromPropertyValue(config.getProperty(getSslClientAuthProperty()));
+    }
+
+    private Iterable<String> getCipherSuites(final ZKConfig config) {
+        String cipherSuitesInput = 
config.getProperty(getSslCipherSuitesProperty());
+        if (cipherSuitesInput == null) {
+            if (getSslProvider(config) != SslProvider.JDK) {
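Review bot: `sslContextBuilder.enableOcsp(config.getBoolean(getSslOcspEnabledProperty()))` in createNettySslContextForClient (and the same line in the server overload) forwards the flag regardless of provider, but as far as I recall Netty's SslContextBuilder.build() rejects OCSP stapling for the JDK provider with an unchecked IllegalArgumentException, which none of the declared KeyManagerException/TrustManagerException/SSLException cover, so an operator who enables the existing OCSP property without also selecting the OpenSSL provider gets an opaque failure at context construction instead of the configured behavior. Worth confirming against the Netty version in use; if it holds, check the provider first, e.g. `if (config.getBoolean(getSslOcspEnabledProperty()) && getSslProvider(config) == SslProvider.JDK) { throw new SSLException("OCSP stapling requires a non-JDK SslProvider"); }`, so the misconfiguration is reported once with a clear message. The new public methods also carry no Javadoc; a short summary stating that createNettySslContextForClient only warns, rather than fails, when no keystore is configured, and that HTTPS-style endpoint identification is attached only when FIPS mode is on, would document two behaviors a caller would not guess from the signatures. getCipherSuites continues past the end of the quoted hunk.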

Review Comment:
   @hyperxpro Did you check my answer above?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@zookeeper.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
