Issue 933: Add support for PEM Key file formats #965
Conversation
certificates along with JKS and PKCS12 formats. Added another KeyStore Type to the list of formats (JKS, PKCS12) currently supported during SSLContext creation. @Rev ayegorov@ Signed-off-by: Kishore Kasi Udayashankar <kudayashankar@salesforce.com>
| * | ||
| * @return | ||
| */ | ||
| public String getTLSKeyStoreType() { | ||
| return getString(TLS_KEYSTORE_TYPE, "JKS"); | ||
| public String getTLSKeyFileType() { |
There was a problem hiding this comment.
I think we cannot change all of these names it is public API.
I would prefer to keep old names
There was a problem hiding this comment.
will revert to old names
| try (FileInputStream ksin = new FileInputStream(keyStoreLocation)) { | ||
| ks.load(ksin, keyStorePassword.trim().toCharArray()); | ||
| KeyStore ks = KeyStore.getInstance(keyFileType); | ||
| FileInputStream ksin = new FileInputStream(keyFileLocation); |
There was a problem hiding this comment.
Nit: use try-with-resources
| @@ -282,10 +389,12 @@ public SslHandler newTLSHandler() { | |||
| if (protocols != null && protocols.length != 0) { | |||
| sslHandler.engine().setEnabledProtocols(protocols); | |||
| } | |||
| LOG.info("Enabled cipher protocols: {} ", Arrays.toString(sslHandler.engine().getEnabledProtocols())); | |||
|
|
|||
There was a problem hiding this comment.
Do you need this at info level?
There was a problem hiding this comment.
Not necessarily; this can move to debug
| switch (serverKeyFileFormat) { | ||
| case PEM: | ||
| baseConf.setTLSKeyFileType("PEM"); | ||
| baseConf.setTLSKeyFilePath(this.getClass().getClassLoader().getResource("server-key.pem").getPath()); |
There was a problem hiding this comment.
Do you think it is possible to generate these files at build time instead of using static files?
Certificates will expire one day.
If not so simple I am fine with keeping files, but having a readme files which explains how to rebuild the files in each format
| @@ -145,14 +145,6 @@ | |||
| // Client auth provider factory class name. It must be configured on Bookies to for the Auditor | |||
| protected static final String CLIENT_AUTH_PROVIDER_FACTORY_CLASS = "clientAuthProviderFactoryClass"; | |||
|
|
|||
| // Client TLS | |||
| protected static final String TLS_KEYSTORE_TYPE = "clientKeyStoreType"; | |||
There was a problem hiding this comment.
this breaks BC.
for each field you are change here, I think you have to do:
- in this file: change "TLS_XYZ" to "CLIENT_XYZ", but not change the value.
- change getTLSxyz() to : getProperty(TLS_XYZ, getProperty(CLIENT_XYZ, ...))
I am not what AutoRecovery is using, is it using client settings or server settings? if it is using client settings, you need also to update the configuration settings in the bookie conf.
There was a problem hiding this comment.
I am moving TLS_XYZ from ServerConfiguration and ClientConfiguration to the common class AbstractConfiguration and just use one set of config params (no clientXYZ params anymore). So, effectively this is a dead code. What I am doing here is to keep just one set of config params so both bookie and client config params names are same.
AutoRecovery can still use the same set of params as bookies to configure the bookkeeper client.
Only config param names are changing, but the variable name still remains the same as TLS_XYZ. Do you still think its a BC issue?
There was a problem hiding this comment.
yeah param name changing is considered as breaking BC. because if a client upgrades from 4.6.0 to 4.7.0, without changing the configuration, it won't work.
sijie
changed the title
|
fyi - had a conversation with @kishorekasi offline. we agreed on the approach for addressing the BC concerns here. @kishorekasi will update this PR. The example PR on showing how to deal with the BC concerns is here: kishorekasi#1 |
…start a bookie sever. Client and server are not used in the same process. So, no need for two set of TLS parameters.
bookkeeper-server/pom.xml
Outdated
| </goals> | ||
| <configuration> | ||
| <workingDirectory>${basedir}/src/test/resources</workingDirectory> | ||
| <executable>${basedir}/src/test/resources/generateKeysAndCerts.sh</executable> |
There was a problem hiding this comment.
This is going to create new certificates at every build, two problems:
- this is slow
- it requires some jind of setup of openssl
I suggest to add a profile to build the certificates and commit a working version of certificates.
When they will expire we will do another commit
There was a problem hiding this comment.
With this patch at every "mvn test" we are going to re-create new certificates.
I think we have two options:
- commit certificates and rebuild them when expired
- make the script rebuild the certificate only if it does not exist
I prefer 1)as it makes tests reproducible at 100% and it does not impact build and dev time
There was a problem hiding this comment.
@eolivelli If it makes sense, I can commit certificates with a very long expiry so that we may never need to generate the certificates again. Also move certification generation to a new profile, just in case we need it.
There was a problem hiding this comment.
It would be fine for me, thank you
There was a problem hiding this comment.
+1 on @kishorekasi 's proposed approach.
|
2-3 seconds on my Ubuntu server |
- Add a profile to generate self signed certificates on demand
(@bug W-4203319@) TLS authentication to support PEM format X.509
certificates along with JKS and PKCS12 formats.
Added another KeyStore Type to the list of formats (JKS, PKCS12)
currently supported during SSLContext creation.
@Rev ayegorov@
Signed-off-by: Kishore Kasi Udayashankar kudayashankar@salesforce.com
Descriptions of the changes in this PR:
(PR description content here)...
Master Issue: #933