Package org.apache.pulsar.common.util

Class SecurityUtility

java.lang.Object

org.apache.pulsar.common.util.SecurityUtility

public class SecurityUtility
extends Object

Helper class for the security domain.

Field Summary

Fields

Modifier and Type	Field	Description
static final String	BC
static final String	BC_FIPS
static final String	BC_FIPS_PROVIDER_CLASS
static final String	BC_NON_FIPS_PROVIDER_CLASS
static final Provider	BC_PROVIDER
static final Provider	CONSCRYPT_PROVIDER
static final String	CONSCRYPT_PROVIDER_CLASS

Constructor Summary

Constructors

Constructor	Description
SecurityUtility()

Method Summary

Modifier and Type	Method	Description
static void	configureSSLHandler(io.netty.handler.ssl.SslHandler handler)
static io.netty.handler.ssl.SslContext	createAutoRefreshSslContextForClient(io.netty.handler.ssl.SslProvider sslProvider, boolean allowInsecureConnection, String trustCertsFilePath, String certFilePath, String keyFilePath, String sslContextAlgorithm, int refreshDurationSec, ScheduledExecutorService executor)	Creates SslContext with capability to do auto-cert refresh.
static io.netty.handler.ssl.SslContext	createNettySslContextForClient(io.netty.handler.ssl.SslProvider sslProvider, boolean allowInsecureConnection, InputStream trustCertsStream, Certificate[] certificates, PrivateKey privateKey, Set<String> ciphers, Set<String> protocols)
static io.netty.handler.ssl.SslContext	createNettySslContextForClient(io.netty.handler.ssl.SslProvider sslProvider, boolean allowInsecureConnection, String trustCertsFilePath, String certFilePath, String keyFilePath, Set<String> ciphers, Set<String> protocols)
static io.netty.handler.ssl.SslContext	createNettySslContextForClient(io.netty.handler.ssl.SslProvider sslProvider, boolean allowInsecureConnection, String trustCertsFilePath, Certificate[] certificates, PrivateKey privateKey, Set<String> ciphers, Set<String> protocols)
static io.netty.handler.ssl.SslContext	createNettySslContextForClient(io.netty.handler.ssl.SslProvider sslProvider, boolean allowInsecureConnection, String trustCertsFilePath, Set<String> ciphers, Set<String> protocols)
static io.netty.handler.ssl.SslContext	createNettySslContextForServer(io.netty.handler.ssl.SslProvider sslProvider, boolean allowInsecureConnection, String trustCertsFilePath, String certFilePath, String keyFilePath, Set<String> ciphers, Set<String> protocols, boolean requireTrustedClientCertOnConnect)
static SSLContext	createSslContext(boolean allowInsecureConnection, String trustCertsFilePath, String certFilePath, String keyFilePath, String providerName)
static SSLContext	createSslContext(boolean allowInsecureConnection, Certificate[] trustCertificates, String providerName)
static SSLContext	createSslContext(boolean allowInsecureConnection, Certificate[] trustCertficates, Certificate[] certificates, PrivateKey privateKey)
static SSLContext	createSslContext(boolean allowInsecureConnection, Certificate[] trustCertficates, Certificate[] certificates, PrivateKey privateKey, String providerName)
static Provider	getBCProviderFromClassPath()	Get Bouncy Castle provider from classpath, and call Security.addProvider.
static Provider	getProvider()	Get Bouncy Castle provider, and call Security.addProvider(provider) if success.
static boolean	isBCFIPS()
static X509Certificate[]	loadCertificatesFromPemFile(String certFilePath)
static X509Certificate[]	loadCertificatesFromPemStream(InputStream inStream)
static PrivateKey	loadPrivateKeyFromPemFile(String keyFilePath)
static PrivateKey	loadPrivateKeyFromPemStream(InputStream inStream)
static TrustManager[]	processConscryptTrustManagers(TrustManager[] trustManagers)	Conscrypt TrustManager instances will be configured to use the Pulsar TlsHostnameVerifier class.
static Provider	resolveProvider(String providerName)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

BC_PROVIDER

public static final Provider BC_PROVIDER

BC_FIPS_PROVIDER_CLASS

public static final String BC_FIPS_PROVIDER_CLASS

See Also:

• Constant Field Values

BC_NON_FIPS_PROVIDER_CLASS

public static final String BC_NON_FIPS_PROVIDER_CLASS

See Also:

• Constant Field Values

CONSCRYPT_PROVIDER_CLASS

public static final String CONSCRYPT_PROVIDER_CLASS

See Also:

• Constant Field Values

CONSCRYPT_PROVIDER

public static final Provider CONSCRYPT_PROVIDER

BC_FIPS

public static final String BC_FIPS

See Also:

• Constant Field Values

BC

public static final String BC

See Also:

• Constant Field Values

Constructor Details

SecurityUtility

public SecurityUtility()

Method Details

isBCFIPS

public static boolean isBCFIPS()

getProvider

public static Provider getProvider()

Get Bouncy Castle provider, and call Security.addProvider(provider) if success. 1. try get from classpath. 2. try get from Nar.

getBCProviderFromClassPath

public static Provider getBCProviderFromClassPath()
                                           throws Exception

Get Bouncy Castle provider from classpath, and call Security.addProvider. Throw Exception if failed.

Throws:

Exception

createSslContext

public static SSLContext createSslContext(boolean allowInsecureConnection,
 Certificate[] trustCertificates,
 String providerName)
                                   throws GeneralSecurityException

Throws:

GeneralSecurityException

createNettySslContextForClient

public static io.netty.handler.ssl.SslContext createNettySslContextForClient(io.netty.handler.ssl.SslProvider sslProvider,
 boolean allowInsecureConnection,
 String trustCertsFilePath,
 Set<String> ciphers,
 Set<String> protocols)
                                                                      throws GeneralSecurityException,
SSLException,
FileNotFoundException,
IOException

Throws:

GeneralSecurityException

SSLException

FileNotFoundException

IOException

createSslContext

public static SSLContext createSslContext(boolean allowInsecureConnection,
 String trustCertsFilePath,
 String certFilePath,
 String keyFilePath,
 String providerName)
                                   throws GeneralSecurityException

Throws:

GeneralSecurityException

createAutoRefreshSslContextForClient

public static io.netty.handler.ssl.SslContext createAutoRefreshSslContextForClient(io.netty.handler.ssl.SslProvider sslProvider,
 boolean allowInsecureConnection,
 String trustCertsFilePath,
 String certFilePath,
 String keyFilePath,
 String sslContextAlgorithm,
 int refreshDurationSec,
 ScheduledExecutorService executor)
                                                                            throws GeneralSecurityException,
SSLException,
FileNotFoundException,
IOException

Creates SslContext with capability to do auto-cert refresh.

Parameters:

allowInsecureConnection -

trustCertsFilePath -

certFilePath -

keyFilePath -

sslContextAlgorithm -

refreshDurationSec -

executor -

Returns:

Throws:

GeneralSecurityException

SSLException

FileNotFoundException

IOException

createNettySslContextForClient

public static io.netty.handler.ssl.SslContext createNettySslContextForClient(io.netty.handler.ssl.SslProvider sslProvider,
 boolean allowInsecureConnection,
 String trustCertsFilePath,
 String certFilePath,
 String keyFilePath,
 Set<String> ciphers,
 Set<String> protocols)
                                                                      throws GeneralSecurityException,
SSLException,
FileNotFoundException,
IOException

Throws:

GeneralSecurityException

SSLException

FileNotFoundException

IOException

createNettySslContextForClient

public static io.netty.handler.ssl.SslContext createNettySslContextForClient(io.netty.handler.ssl.SslProvider sslProvider,
 boolean allowInsecureConnection,
 String trustCertsFilePath,
 Certificate[] certificates,
 PrivateKey privateKey,
 Set<String> ciphers,
 Set<String> protocols)
                                                                      throws GeneralSecurityException,
SSLException,
FileNotFoundException,
IOException

Throws:

GeneralSecurityException

SSLException

FileNotFoundException

IOException

createNettySslContextForClient

public static io.netty.handler.ssl.SslContext createNettySslContextForClient(io.netty.handler.ssl.SslProvider sslProvider,
 boolean allowInsecureConnection,
 InputStream trustCertsStream,
 Certificate[] certificates,
 PrivateKey privateKey,
 Set<String> ciphers,
 Set<String> protocols)
                                                                      throws GeneralSecurityException,
SSLException,
FileNotFoundException,
IOException

Throws:

GeneralSecurityException

SSLException

FileNotFoundException

IOException

createNettySslContextForServer

public static io.netty.handler.ssl.SslContext createNettySslContextForServer(io.netty.handler.ssl.SslProvider sslProvider,
 boolean allowInsecureConnection,
 String trustCertsFilePath,
 String certFilePath,
 String keyFilePath,
 Set<String> ciphers,
 Set<String> protocols,
 boolean requireTrustedClientCertOnConnect)
                                                                      throws GeneralSecurityException,
SSLException,
FileNotFoundException,
IOException

Throws:

GeneralSecurityException

SSLException

FileNotFoundException

IOException

createSslContext

public static SSLContext createSslContext(boolean allowInsecureConnection,
 Certificate[] trustCertficates,
 Certificate[] certificates,
 PrivateKey privateKey)
                                   throws GeneralSecurityException

Throws:

GeneralSecurityException

createSslContext

public static SSLContext createSslContext(boolean allowInsecureConnection,
 Certificate[] trustCertficates,
 Certificate[] certificates,
 PrivateKey privateKey,
 String providerName)
                                   throws GeneralSecurityException

Throws:

GeneralSecurityException

processConscryptTrustManagers

@Private
public static TrustManager[] processConscryptTrustManagers(TrustManager[] trustManagers)

Conscrypt TrustManager instances will be configured to use the Pulsar TlsHostnameVerifier class. This method is used as a workaround for https://github.com/google/conscrypt/issues/1015 when Conscrypt / OpenSSL is used as the TLS security provider.

Parameters:

trustManagers - the array of TrustManager instances to process.

Returns:

same instance passed as parameter

loadCertificatesFromPemFile

public static X509Certificate[] loadCertificatesFromPemFile(String certFilePath)
                                                     throws KeyManagementException

Throws:

KeyManagementException

loadCertificatesFromPemStream

public static X509Certificate[] loadCertificatesFromPemStream(InputStream inStream)
                                                       throws KeyManagementException

Throws:

KeyManagementException

loadPrivateKeyFromPemFile

public static PrivateKey loadPrivateKeyFromPemFile(String keyFilePath)
                                            throws KeyManagementException

Throws:

KeyManagementException

loadPrivateKeyFromPemStream

public static PrivateKey loadPrivateKeyFromPemStream(InputStream inStream)
                                              throws KeyManagementException

Throws:

KeyManagementException

configureSSLHandler

public static void configureSSLHandler(io.netty.handler.ssl.SslHandler handler)

resolveProvider

public static Provider resolveProvider(String providerName)
                                throws NoSuchAlgorithmException

Throws:

NoSuchAlgorithmException