Class X509Util

  • All Implemented Interfaces:
    Closeable, AutoCloseable
  • Direct Known Subclasses:
    ClientX509Util, QuorumX509Util

    public abstract class X509Util
    extends Object
    implements Closeable, AutoCloseable

    Utility code for X509 handling.

    Default cipher suites: performance testing done by Facebook engineers shows that on Intel x86_64 machines, Java 9 performs better with GCM and Java 8 performs better with CBC, so these seem like reasonable defaults.
    • Constructor Detail

      • X509Util

        public X509Util()
    • Method Detail

      • getConfigPrefix

        protected abstract String getConfigPrefix()
      • shouldVerifyClientHostname

        protected abstract boolean shouldVerifyClientHostname()
      • getSslProtocolProperty

        public String getSslProtocolProperty()
      • getSslEnabledProtocolsProperty

        public String getSslEnabledProtocolsProperty()
      • getCipherSuitesProperty

        public String getCipherSuitesProperty()
      • getSslKeystoreLocationProperty

        public String getSslKeystoreLocationProperty()
      • getSslCipherSuitesProperty

        public String getSslCipherSuitesProperty()
      • getSslKeystorePasswdProperty

        public String getSslKeystorePasswdProperty()
      • getSslKeystorePasswdPathProperty

        public String getSslKeystorePasswdPathProperty()
      • getSslKeystoreTypeProperty

        public String getSslKeystoreTypeProperty()
      • getSslTruststoreLocationProperty

        public String getSslTruststoreLocationProperty()
      • getSslTruststorePasswdProperty

        public String getSslTruststorePasswdProperty()
      • getSslTruststorePasswdPathProperty

        public String getSslTruststorePasswdPathProperty()
      • getSslTruststoreTypeProperty

        public String getSslTruststoreTypeProperty()
      • getSslContextSupplierClassProperty

        public String getSslContextSupplierClassProperty()
      • getSslHostnameVerificationEnabledProperty

        public String getSslHostnameVerificationEnabledProperty()
      • getSslCrlEnabledProperty

        public String getSslCrlEnabledProperty()
      • getSslOcspEnabledProperty

        public String getSslOcspEnabledProperty()
      • getSslClientAuthProperty

        public String getSslClientAuthProperty()
      • getSslHandshakeDetectionTimeoutMillisProperty

        public String getSslHandshakeDetectionTimeoutMillisProperty()
        Returns the config property key that controls the amount of time, in milliseconds, that the first UnifiedServerSocket read operation will block for when trying to detect the client mode (TLS or PLAINTEXT).
        Returns:
        the config property key.
      • getFipsModeProperty

        public String getFipsModeProperty()
      • getFipsMode

        public boolean getFipsMode​(ZKConfig config)
      • isServerHostnameVerificationEnabled

        public boolean isServerHostnameVerificationEnabled​(ZKConfig config)
      • isClientHostnameVerificationEnabled

        public boolean isClientHostnameVerificationEnabled​(ZKConfig config)
      • getSslHandshakeTimeoutMillis

        public int getSslHandshakeTimeoutMillis()
        Returns the max amount of time, in milliseconds, that the first UnifiedServerSocket read() operation should block for when trying to detect the client mode (TLS or PLAINTEXT). Defaults to DEFAULT_HANDSHAKE_DETECTION_TIMEOUT_MILLIS.
        Returns:
        the handshake detection timeout, in milliseconds.
      • getPasswordFromConfigPropertyOrFile

        public String getPasswordFromConfigPropertyOrFile​(ZKConfig config,
                                                          String propertyName,
                                                          String pathPropertyName)
        Returns the password specified by the given property or from the file specified by the given path property. If both are specified, the value stored in the file will be returned.
        Parameters:
        config - ZooKeeper configuration
        propertyName - property name
        pathPropertyName - path property name
        Returns:
        the password value
      • createKeyManager

        public static X509KeyManager createKeyManager​(String keyStoreLocation,
                                                      String keyStorePassword,
                                                      String keyStoreTypeProp)
                                               throws X509Exception.KeyManagerException
        Creates a key manager by loading the key store from the given file of the given type, optionally decrypting it using the given password.
        Parameters:
        keyStoreLocation - the location of the key store file.
        keyStorePassword - optional password to decrypt the key store. If empty, assumes the key store is not encrypted.
        keyStoreTypeProp - must be JKS, PEM, PKCS12, BCFKS or null. If null, attempts to autodetect the key store type from the file extension (e.g. .jks / .pem).
        Returns:
        the key manager.
        Throws:
        X509Exception.KeyManagerException - if something goes wrong.
      • createTrustManager

        public static X509TrustManager createTrustManager​(String trustStoreLocation,
                                                          String trustStorePassword,
                                                          String trustStoreTypeProp,
                                                          boolean crlEnabled,
                                                          boolean ocspEnabled,
                                                          boolean serverHostnameVerificationEnabled,
                                                          boolean clientHostnameVerificationEnabled,
                                                          boolean fipsMode)
                                                   throws X509Exception.TrustManagerException
        Creates a trust manager by loading the trust store from the given file of the given type, optionally decrypting it using the given password.
        Parameters:
        trustStoreLocation - the location of the trust store file.
        trustStorePassword - optional password to decrypt the trust store (only applies to JKS trust stores). If empty, assumes the trust store is not encrypted.
        trustStoreTypeProp - must be JKS, PEM, PKCS12, BCFKS or null. If null, attempts to autodetect the trust store type from the file extension (e.g. .jks / .pem).
        crlEnabled - enable CRL (certificate revocation list) checks.
        ocspEnabled - enable OCSP (online certificate status protocol) checks.
        serverHostnameVerificationEnabled - if true, verify hostnames of remote servers that client sockets created by this X509Util connect to.
        clientHostnameVerificationEnabled - if true, verify hostnames of remote clients that server sockets created by this X509Util accept connections from.
        Returns:
        the trust manager.
        Throws:
        X509Exception.TrustManagerException - if something goes wrong.
      • enableCertFileReloading

        public void enableCertFileReloading()
                                     throws IOException
        Enables automatic reloading of the trust store and key store files when they change on disk.
        Throws:
        IOException - if creating the FileChangeWatcher objects fails.
      • close

        public void close()
        Disables automatic reloading of the trust store and key store files when they change on disk. Stops background threads and closes WatchService instances.
        Specified by:
        close in interface AutoCloseable
        Specified by:
        close in interface Closeable
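    A worked example of wiring the methods above together, added here and not part of the ZooKeeper Javadoc or source: it resolves the key store password through getPasswordFromConfigPropertyOrFile, builds a key manager and a trust manager with CRL, OCSP and server hostname verification switched on, and relies on try-with-resources so close() stops the file watchers started by enableCertFileReloading(). It assumes ZKConfig exposes setProperty/getProperty, that ClientX509Util has a public no-arg constructor, and that the file paths are placeholders you replace with your own.

```java
import java.io.IOException;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;
import org.apache.zookeeper.common.ClientX509Util;
import org.apache.zookeeper.common.X509Exception;
import org.apache.zookeeper.common.X509Util;
import org.apache.zookeeper.common.ZKConfig;

public class X509UtilExample {
    public static void main(String[] args) throws IOException, X509Exception {
        // Assumption: ZKConfig.setProperty/getProperty exist; all paths are placeholders.
        ZKConfig config = new ZKConfig();
        // X509Util is Closeable: leaving the block calls close(), which stops the
        // reload watchers and their WatchService instances.
        try (X509Util util = new ClientX509Util()) {
            // Property keys come from X509Util itself; only the values are ours.
            config.setProperty(util.getSslKeystoreLocationProperty(), "/placeholder/client.jks");
            config.setProperty(util.getSslKeystorePasswdPathProperty(), "/placeholder/keystore.pass");
            config.setProperty(util.getSslTruststoreLocationProperty(), "/placeholder/ca-bundle.pem");
            config.setProperty(util.getSslHostnameVerificationEnabledProperty(), "true");
            config.setProperty(util.getSslCrlEnabledProperty(), "true");
            config.setProperty(util.getSslOcspEnabledProperty(), "true");

            // Password file takes precedence over the inline property when both are set,
            // so the secret never has to appear in the config itself.
            String keyStorePassword = util.getPasswordFromConfigPropertyOrFile(
                    config, util.getSslKeystorePasswdProperty(), util.getSslKeystorePasswdPathProperty());

            // null type: autodetect from the file extension (.jks here).
            X509KeyManager keyManager = X509Util.createKeyManager(
                    config.getProperty(util.getSslKeystoreLocationProperty()),
                    keyStorePassword,
                    null);

            // PEM trust stores are not encrypted, so the password is empty; revocation
            // checks and server hostname verification are taken from the config.
            X509TrustManager trustManager = X509Util.createTrustManager(
                    config.getProperty(util.getSslTruststoreLocationProperty()),
                    "",
                    null,
                    Boolean.parseBoolean(config.getProperty(util.getSslCrlEnabledProperty())),
                    Boolean.parseBoolean(config.getProperty(util.getSslOcspEnabledProperty())),
                    util.isServerHostnameVerificationEnabled(config),
                    util.isClientHostnameVerificationEnabled(config),
                    util.getFipsMode(config));

            // Pick up rotated key/trust store files without a restart.
            util.enableCertFileReloading();
            System.out.println("Key manager: " + keyManager + ", trust manager: " + trustManager);
        }
    }
}
```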