@InterfaceAudience.Private public final class X509Util extends Object
Modifier and Type | Class and Description |
---|---|
static class |
X509Util.ClientAuth
Enum specifying the client auth requirement of server-side TLS sockets created by this
X509Util.
|
Modifier | Constructor and Description |
---|---|
private |
X509Util() |
Modifier and Type | Method and Description |
---|---|
private static boolean |
configureOpenSslIfAvailable(org.apache.hbase.thirdparty.io.netty.handler.ssl.SslContextBuilder sslContextBuilder,
org.apache.hadoop.conf.Configuration conf)
Adds SslProvider.OPENSSL if OpenSsl is available and enabled.
|
(package private) static X509KeyManager |
createKeyManager(String keyStoreLocation,
char[] keyStorePassword,
String keyStoreType)
Creates a key manager by loading the key store from the given file of the given type,
optionally decrypting it using the given password.
|
static org.apache.hbase.thirdparty.io.netty.handler.ssl.SslContext |
createSslContextForClient(org.apache.hadoop.conf.Configuration config) |
static org.apache.hbase.thirdparty.io.netty.handler.ssl.SslContext |
createSslContextForServer(org.apache.hadoop.conf.Configuration config) |
(package private) static X509TrustManager |
createTrustManager(String trustStoreLocation,
char[] trustStorePassword,
String trustStoreType,
boolean crlEnabled,
boolean ocspEnabled,
boolean verifyHostName,
boolean allowReverseDnsLookup)
Creates a trust manager by loading the trust store from the given file of the given type,
optionally decrypting it using the given password.
|
static void |
enableCertFileReloading(org.apache.hadoop.conf.Configuration config,
AtomicReference<FileChangeWatcher> keystoreWatcher,
AtomicReference<FileChangeWatcher> trustStoreWatcher,
Runnable resetContext)
Enable certificate file reloading by creating FileWatchers for keystore and truststore.
|
private static String[] |
getCBCCiphers() |
private static String[] |
getCipherSuites(org.apache.hadoop.conf.Configuration config,
boolean useOpenSsl) |
(package private) static String[] |
getDefaultCipherSuites(boolean useOpenSsl) |
(package private) static String[] |
getDefaultCipherSuitesForJavaVersion(String javaVersion) |
private static String[] |
getEnabledProtocols(org.apache.hadoop.conf.Configuration config) |
private static String[] |
getGCMCiphers() |
private static String[] |
getOpenSslFilteredDefaultCiphers()
Not all of our default ciphers are available in OpenSSL.
|
private static String[] |
getTls13Ciphers() |
private static void |
handleWatchEvent(Path filePath,
WatchEvent<?> event,
Runnable resetContext)
Handler for watch events that let us know a file we may care about has changed on disk.
|
private static FileChangeWatcher |
newFileChangeWatcher(String fileLocation,
Runnable resetContext) |
private static final org.slf4j.Logger LOG
private static final char[] EMPTY_CHAR_ARRAY
static final String CONFIG_PREFIX
public static final String TLS_CONFIG_PROTOCOL
public static final String TLS_CONFIG_KEYSTORE_LOCATION
public static final String TLS_CONFIG_KEYSTORE_TYPE
public static final String TLS_CONFIG_KEYSTORE_PASSWORD
public static final String TLS_CONFIG_TRUSTSTORE_LOCATION
public static final String TLS_CONFIG_TRUSTSTORE_TYPE
public static final String TLS_CONFIG_TRUSTSTORE_PASSWORD
public static final String TLS_CONFIG_CLR
public static final String TLS_CONFIG_OCSP
public static final String TLS_CONFIG_REVERSE_DNS_LOOKUP_ENABLED
public static final String TLS_ENABLED_PROTOCOLS
public static final String TLS_CIPHER_SUITES
public static final String TLS_CERT_RELOAD
public static final String TLS_USE_OPENSSL
public static final String DEFAULT_PROTOCOL
public static final String HBASE_SERVER_NETTY_TLS_ENABLED
public static final String HBASE_SERVER_NETTY_TLS_CLIENT_AUTH_MODE
public static final String HBASE_SERVER_NETTY_TLS_VERIFY_CLIENT_HOSTNAME
public static final String HBASE_SERVER_NETTY_TLS_SUPPORTPLAINTEXT
public static final String HBASE_SERVER_NETTY_TLS_WRAP_SIZE
public static final int DEFAULT_HBASE_SERVER_NETTY_TLS_WRAP_SIZE
public static final String HBASE_CLIENT_NETTY_TLS_ENABLED
public static final String HBASE_CLIENT_NETTY_TLS_VERIFY_SERVER_HOSTNAME
public static final String HBASE_CLIENT_NETTY_TLS_HANDSHAKETIMEOUT
public static final int DEFAULT_HANDSHAKE_DETECTION_TIMEOUT_MILLIS
private static final String[] DEFAULT_CIPHERS_JAVA8
private static final String[] DEFAULT_CIPHERS_JAVA9
private static final String[] DEFAULT_CIPHERS_JAVA11
private static final String[] DEFAULT_CIPHERS_OPENSSL
private X509Util()
private static String[] getTls13Ciphers()
private static String[] getGCMCiphers()
private static String[] getCBCCiphers()
private static String[] getOpenSslFilteredDefaultCiphers()
static String[] getDefaultCipherSuites(boolean useOpenSsl)
static String[] getDefaultCipherSuitesForJavaVersion(String javaVersion)
public static org.apache.hbase.thirdparty.io.netty.handler.ssl.SslContext createSslContextForClient(org.apache.hadoop.conf.Configuration config) throws X509Exception, IOException
X509Exception
IOException
private static boolean configureOpenSslIfAvailable(org.apache.hbase.thirdparty.io.netty.handler.ssl.SslContextBuilder sslContextBuilder, org.apache.hadoop.conf.Configuration conf)
public static org.apache.hbase.thirdparty.io.netty.handler.ssl.SslContext createSslContextForServer(org.apache.hadoop.conf.Configuration config) throws X509Exception, IOException
X509Exception
IOException
static X509KeyManager createKeyManager(String keyStoreLocation, char[] keyStorePassword, String keyStoreType) throws KeyManagerException
keyStoreLocation - the location of the key store file.
keyStorePassword - optional password to decrypt the key store. If empty, assumes the key store is not encrypted.
keyStoreType - must be JKS, PEM, PKCS12, BCFKS or null. If null, attempts to autodetect the key store type from the file extension (e.g. .jks / .pem).
KeyManagerException - if something goes wrong.
static X509TrustManager createTrustManager(String trustStoreLocation, char[] trustStorePassword, String trustStoreType, boolean crlEnabled, boolean ocspEnabled, boolean verifyHostName, boolean allowReverseDnsLookup) throws TrustManagerException
trustStoreLocation - the location of the trust store file.
trustStorePassword - optional password to decrypt the trust store (only applies to JKS trust stores). If empty, assumes the trust store is not encrypted.
trustStoreType - must be JKS, PEM, PKCS12, BCFKS or null. If null, attempts to autodetect the trust store type from the file extension (e.g. .jks / .pem).
crlEnabled - enable CRL (certificate revocation list) checks.
ocspEnabled - enable OCSP (online certificate status protocol) checks.
verifyHostName - if true, the SSL peer hostname must match the name in the certificate.
allowReverseDnsLookup - if true, allow falling back to a reverse DNS lookup when verifying the hostname.
TrustManagerException - if something goes wrong.
private static String[] getEnabledProtocols(org.apache.hadoop.conf.Configuration config)
private static String[] getCipherSuites(org.apache.hadoop.conf.Configuration config, boolean useOpenSsl)
public static void enableCertFileReloading(org.apache.hadoop.conf.Configuration config, AtomicReference<FileChangeWatcher> keystoreWatcher, AtomicReference<FileChangeWatcher> trustStoreWatcher, Runnable resetContext) throws IOException
keystoreWatcher - Reference to the keystore FileChangeWatcher.
trustStoreWatcher - Reference to the truststore FileChangeWatcher.
resetContext - Callback invoked on file changes.
IOException
private static FileChangeWatcher newFileChangeWatcher(String fileLocation, Runnable resetContext) throws IOException
IOException
private static void handleWatchEvent(Path filePath, WatchEvent<?> event, Runnable resetContext)
filePath - the path to the file we are watching for changes.
event - the WatchEvent.
Copyright © 2007–2020 The Apache Software Foundation. All rights reserved.