Package org.apache.pulsar.common.util
Class SecurityUtility
java.lang.Object
org.apache.pulsar.common.util.SecurityUtility
Helper class for the security domain.
Method Summary
static void configureSSLHandler(io.netty.handler.ssl.SslHandler handler)

static io.netty.handler.ssl.SslContext createAutoRefreshSslContextForClient(io.netty.handler.ssl.SslProvider sslProvider, boolean allowInsecureConnection, String trustCertsFilePath, String certFilePath, String keyFilePath, String sslContextAlgorithm, int refreshDurationSec, ScheduledExecutorService executor)
    Creates an SslContext with capability to do auto-cert refresh.

static io.netty.handler.ssl.SslContext createNettySslContextForClient(io.netty.handler.ssl.SslProvider sslProvider, boolean allowInsecureConnection, InputStream trustCertsStream, Certificate[] certificates, PrivateKey privateKey, Set<String> ciphers, Set<String> protocols)

static io.netty.handler.ssl.SslContext createNettySslContextForClient(io.netty.handler.ssl.SslProvider sslProvider, boolean allowInsecureConnection, String trustCertsFilePath, String certFilePath, String keyFilePath, Set<String> ciphers, Set<String> protocols)

static io.netty.handler.ssl.SslContext createNettySslContextForClient(io.netty.handler.ssl.SslProvider sslProvider, boolean allowInsecureConnection, String trustCertsFilePath, Certificate[] certificates, PrivateKey privateKey, Set<String> ciphers, Set<String> protocols)

static io.netty.handler.ssl.SslContext createNettySslContextForClient(io.netty.handler.ssl.SslProvider sslProvider, boolean allowInsecureConnection, String trustCertsFilePath, Set<String> ciphers, Set<String> protocols)

static io.netty.handler.ssl.SslContext createNettySslContextForServer(io.netty.handler.ssl.SslProvider sslProvider, boolean allowInsecureConnection, String trustCertsFilePath, String certFilePath, String keyFilePath, Set<String> ciphers, Set<String> protocols, boolean requireTrustedClientCertOnConnect)

static SSLContext createSslContext(boolean allowInsecureConnection, String trustCertsFilePath, String certFilePath, String keyFilePath, String providerName)

static SSLContext createSslContext(boolean allowInsecureConnection, Certificate[] trustCertificates, String providerName)

static SSLContext createSslContext(boolean allowInsecureConnection, Certificate[] trustCertficates, Certificate[] certificates, PrivateKey privateKey)

static SSLContext createSslContext(boolean allowInsecureConnection, Certificate[] trustCertficates, Certificate[] certificates, PrivateKey privateKey, String providerName)

static Provider getBCProviderFromClassPath
    Get the Bouncy Castle provider from the classpath and call Security.addProvider.

static Provider getProvider
    Get the Bouncy Castle provider and call Security.addProvider(provider) on success.

static boolean isBCFIPS()

static X509Certificate[] loadCertificatesFromPemFile(String certFilePath)

static X509Certificate[] loadCertificatesFromPemStream(InputStream inStream)

static PrivateKey loadPrivateKeyFromPemFile(String keyFilePath)

static PrivateKey loadPrivateKeyFromPemStream(InputStream inStream)

static TrustManager[] processConscryptTrustManagers(TrustManager[] trustManagers)
    Conscrypt TrustManager instances will be configured to use the PulsarTlsHostnameVerifier class.

static Provider resolveProvider(String providerName)
Field Details

BC_PROVIDER
BC_FIPS_PROVIDER_CLASS
BC_NON_FIPS_PROVIDER_CLASS
CONSCRYPT_PROVIDER_CLASS
CONSCRYPT_PROVIDER
BC_FIPS
BC

Constructor Details

SecurityUtility
public SecurityUtility()

Method Details
isBCFIPS
public static boolean isBCFIPS()
getProvider
Get the Bouncy Castle provider and call Security.addProvider(provider) on success. Lookup order: 1. try the classpath; 2. try the NAR.

getBCProviderFromClassPath
Get the Bouncy Castle provider from the classpath and call Security.addProvider. Throws an Exception if this fails.
Throws:
Exception
createSslContext
public static SSLContext createSslContext(boolean allowInsecureConnection, Certificate[] trustCertificates, String providerName) throws GeneralSecurityException
Throws:
GeneralSecurityException
createNettySslContextForClient
public static io.netty.handler.ssl.SslContext createNettySslContextForClient(io.netty.handler.ssl.SslProvider sslProvider, boolean allowInsecureConnection, String trustCertsFilePath, Set<String> ciphers, Set<String> protocols) throws GeneralSecurityException, SSLException, FileNotFoundException, IOException
createSslContext
public static SSLContext createSslContext(boolean allowInsecureConnection, String trustCertsFilePath, String certFilePath, String keyFilePath, String providerName) throws GeneralSecurityException
Throws:
GeneralSecurityException
createAutoRefreshSslContextForClient
public static io.netty.handler.ssl.SslContext createAutoRefreshSslContextForClient(io.netty.handler.ssl.SslProvider sslProvider, boolean allowInsecureConnection, String trustCertsFilePath, String certFilePath, String keyFilePath, String sslContextAlgorithm, int refreshDurationSec, ScheduledExecutorService executor) throws GeneralSecurityException, SSLException, FileNotFoundException, IOException
Creates an SslContext with capability to do auto-cert refresh: the certificate material is re-read from the given files every refreshDurationSec seconds using the supplied executor.
Parameters:
allowInsecureConnection
trustCertsFilePath
certFilePath
keyFilePath
sslContextAlgorithm
refreshDurationSec
executor
Throws:
GeneralSecurityException
SSLException
FileNotFoundException
IOException
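The auto-refresh variant only keeps working for as long as the executor it was given keeps running, so the executor's lifecycle should be tied to the context's. The class below is an added example, not code from the Pulsar project: it owns a single-thread scheduler, builds the refreshing client context on it, and shuts the scheduler down when the context is retired. The file paths, the 300-second interval and the "TLS" value passed as sslContextAlgorithm are assumptions for illustration (the page does not state which algorithm names the method accepts). Two practical points: never pass allowInsecureConnection=true outside a throwaway test, and choose refreshDurationSec well below the overlap your issuer leaves between renewing a certificate and the old one expiring, because that interval bounds how long a rotation can go unnoticed.

```java
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslProvider;
import org.apache.pulsar.common.util.SecurityUtility;

import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

/** Owns the scheduler that drives the periodic re-read of the PEM files. Added example, not Pulsar code. */
public final class RefreshingClientTls implements AutoCloseable {
    private final ScheduledExecutorService refresher;
    private final SslContext sslContext;

    public RefreshingClientTls(String caPem, String certPem, String keyPem, int refreshSeconds) throws Exception {
        // One daemon thread is enough: the only work scheduled on it is re-loading the files.
        refresher = Executors.newSingleThreadScheduledExecutor(r -> {
            Thread t = new Thread(r, "pulsar-tls-refresh");
            t.setDaemon(true);
            return t;
        });
        try {
            sslContext = SecurityUtility.createAutoRefreshSslContextForClient(
                    SslProvider.JDK,
                    false,            // allowInsecureConnection: keep false outside a throwaway test
                    caPem, certPem, keyPem,
                    "TLS",            // sslContextAlgorithm: assumed standard JSSE algorithm name
                    refreshSeconds,
                    refresher);
        } catch (Exception e) {
            refresher.shutdownNow(); // do not leak the thread if the initial load fails
            throw e;
        }
    }

    public SslContext context() {
        return sslContext;
    }

    @Override
    public void close() throws InterruptedException {
        // Stopping the executor stops the periodic reload; only do this when the context is retired.
        refresher.shutdown();
        if (!refresher.awaitTermination(5, TimeUnit.SECONDS)) {
            refresher.shutdownNow();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed paths: replace with the client's configured TLS files.
        try (RefreshingClientTls tls = new RefreshingClientTls(
                "/etc/pulsar/tls/ca.cert.pem",
                "/etc/pulsar/tls/client.cert.pem",
                "/etc/pulsar/tls/client.key-pk8.pem",
                300)) {
            System.out.println("client-side context: " + tls.context().isClient());
        }
    }
}
```

Hand `tls.context()` to the channel pipeline and keep the `RefreshingClientTls` instance alive alongside it; closing it early leaves a context that still works but no longer picks up rotated files.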
createNettySslContextForClient
public static io.netty.handler.ssl.SslContext createNettySslContextForClient(io.netty.handler.ssl.SslProvider sslProvider, boolean allowInsecureConnection, String trustCertsFilePath, String certFilePath, String keyFilePath, Set<String> ciphers, Set<String> protocols) throws GeneralSecurityException, SSLException, FileNotFoundException, IOException

createNettySslContextForClient
public static io.netty.handler.ssl.SslContext createNettySslContextForClient(io.netty.handler.ssl.SslProvider sslProvider, boolean allowInsecureConnection, String trustCertsFilePath, Certificate[] certificates, PrivateKey privateKey, Set<String> ciphers, Set<String> protocols) throws GeneralSecurityException, SSLException, FileNotFoundException, IOException

createNettySslContextForClient
public static io.netty.handler.ssl.SslContext createNettySslContextForClient(io.netty.handler.ssl.SslProvider sslProvider, boolean allowInsecureConnection, InputStream trustCertsStream, Certificate[] certificates, PrivateKey privateKey, Set<String> ciphers, Set<String> protocols) throws GeneralSecurityException, SSLException, FileNotFoundException, IOException

createNettySslContextForServer
public static io.netty.handler.ssl.SslContext createNettySslContextForServer(io.netty.handler.ssl.SslProvider sslProvider, boolean allowInsecureConnection, String trustCertsFilePath, String certFilePath, String keyFilePath, Set<String> ciphers, Set<String> protocols, boolean requireTrustedClientCertOnConnect) throws GeneralSecurityException, SSLException, FileNotFoundException, IOException
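The server and client factories above are the two halves of a mutual-TLS setup. The class below is an added example, not Pulsar project code: it builds the broker-side context with requireTrustedClientCertOnConnect=true (so a client that presents no certificate, or one that does not chain to the trust file, is rejected in the handshake), builds the matching client context from the file-path overload, pins an explicit protocol and cipher set instead of inheriting the JVM default, and then runs a client handler through configureSSLHandler and prints the engine parameters it ends up with. All paths, the host name broker.example.internal and the port 6651 are constructed placeholders; what configureSSLHandler sets is not documented on this page, which is why the block prints the resulting parameters rather than asserting them. In both factories allowInsecureConnection is false; as its name says, true weakens peer verification and belongs only in a disposable test.

```java
import io.netty.buffer.ByteBufAllocator;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.SslProvider;
import org.apache.pulsar.common.util.SecurityUtility;

import javax.net.ssl.SSLParameters;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;

/** Builds broker-side and client-side contexts for mutual TLS. Added example, not Pulsar code. */
public final class MutualTlsContexts {
    // Constructed paths standing in for broker.conf / client.conf values.
    static final String CA_PEM = "/etc/pulsar/tls/ca.cert.pem";
    static final String BROKER_CERT_PEM = "/etc/pulsar/tls/broker.cert.pem";
    static final String BROKER_KEY_PEM = "/etc/pulsar/tls/broker.key-pk8.pem";
    static final String CLIENT_CERT_PEM = "/etc/pulsar/tls/client.cert.pem";
    static final String CLIENT_KEY_PEM = "/etc/pulsar/tls/client.key-pk8.pem";

    // Pin protocols and ciphers explicitly rather than inheriting whatever the JVM default allows.
    static final Set<String> PROTOCOLS = new LinkedHashSet<>(Arrays.asList("TLSv1.3", "TLSv1.2"));
    static final Set<String> CIPHERS = new LinkedHashSet<>(Arrays.asList(
            "TLS_AES_256_GCM_SHA384",
            "TLS_AES_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"));

    static SslContext brokerContext() throws Exception {
        // requireTrustedClientCertOnConnect=true turns one-way TLS into mutual TLS: a client that
        // presents no certificate, or one not chaining to CA_PEM, is rejected during the handshake.
        return SecurityUtility.createNettySslContextForServer(
                SslProvider.JDK,
                false,                       // allowInsecureConnection
                CA_PEM, BROKER_CERT_PEM, BROKER_KEY_PEM,
                CIPHERS, PROTOCOLS,
                true);                       // requireTrustedClientCertOnConnect
    }

    static SslContext clientContext() throws Exception {
        // File-path overload: trust store plus the client's own certificate and key for the mTLS handshake.
        return SecurityUtility.createNettySslContextForClient(
                SslProvider.JDK,
                false,                       // allowInsecureConnection
                CA_PEM, CLIENT_CERT_PEM, CLIENT_KEY_PEM,
                CIPHERS, PROTOCOLS);
    }

    /** Returns the engine parameters a client handler carries after configureSSLHandler has run on it. */
    static SSLParameters clientHandlerParameters(String brokerHost, int brokerPort) throws Exception {
        SslHandler handler = clientContext().newHandler(ByteBufAllocator.DEFAULT, brokerHost, brokerPort);
        SecurityUtility.configureSSLHandler(handler);
        return handler.engine().getSSLParameters();
    }

    public static void main(String[] args) throws Exception {
        SslContext broker = brokerContext();
        System.out.println("broker context is server-side: " + broker.isServer());

        // Constructed peer: the host name is what hostname verification, if enabled, is checked against.
        SSLParameters p = clientHandlerParameters("broker.example.internal", 6651);
        System.out.println("protocols: " + Arrays.toString(p.getProtocols()));
        System.out.println("ciphers:   " + Arrays.toString(p.getCipherSuites()));
        System.out.println("endpoint identification: " + p.getEndpointIdentificationAlgorithm());
    }
}
```

If the printed protocol or cipher list is wider than the pinned sets, the provider chosen by sslProvider did not honour them and the configuration should be re-checked before the broker goes live.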
createSslContext
public static SSLContext createSslContext(boolean allowInsecureConnection, Certificate[] trustCertficates, Certificate[] certificates, PrivateKey privateKey) throws GeneralSecurityException
Throws:
GeneralSecurityException

createSslContext
public static SSLContext createSslContext(boolean allowInsecureConnection, Certificate[] trustCertficates, Certificate[] certificates, PrivateKey privateKey, String providerName) throws GeneralSecurityException
Throws:
GeneralSecurityException
processConscryptTrustManagers
public static TrustManager[] processConscryptTrustManagers(TrustManager[] trustManagers)
Conscrypt TrustManager instances will be configured to use the PulsarTlsHostnameVerifier class. This method is used as a workaround for https://github.com/google/conscrypt/issues/1015 when Conscrypt / OpenSSL is used as the TLS security provider.
Parameters:
trustManagers - the array of TrustManager instances to process.
Returns:
the same instance passed as parameter
loadCertificatesFromPemFile
public static X509Certificate[] loadCertificatesFromPemFile(String certFilePath) throws KeyManagementException
Throws:
KeyManagementException

loadCertificatesFromPemStream
public static X509Certificate[] loadCertificatesFromPemStream(InputStream inStream) throws KeyManagementException
Throws:
KeyManagementException

loadPrivateKeyFromPemFile
public static PrivateKey loadPrivateKeyFromPemFile(String keyFilePath) throws KeyManagementException
Throws:
KeyManagementException

loadPrivateKeyFromPemStream
public static PrivateKey loadPrivateKeyFromPemStream(InputStream inStream) throws KeyManagementException
Throws:
KeyManagementException
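The PEM loaders return plain X509Certificate and PrivateKey objects, which makes it possible to check the material before it is wrapped in a TLS context, so that a wrong file shows up as a specific exception at startup rather than as an opaque handshake failure on the first connection. The class below is an added example, not Pulsar project code: it loads the trust anchors, chain and key with loadCertificatesFromPemFile and loadPrivateKeyFromPemFile, checks validity periods, checks that the key algorithm matches the leaf certificate's public key, runs a PKIX path validation of the chain against the loaded anchors, and only then calls the four-argument createSslContext. The paths are constructed placeholders; disabling revocation in the pre-flight is an assumption of this example (revocation is left to the runtime trust manager), and the chain file is assumed to be leaf-first followed by intermediates.

```java
import org.apache.pulsar.common.util.SecurityUtility;

import javax.net.ssl.SSLContext;
import java.security.GeneralSecurityException;
import java.security.PrivateKey;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Loads PEM material, checks it, then builds a JSSE SSLContext. Added example, not Pulsar code. */
public final class PemPreflight {

    /**
     * Fails fast with a specific exception if the loaded material cannot possibly complete a handshake.
     * The chain is expected leaf-first, followed by any intermediates (assumption of this example).
     */
    static void validate(X509Certificate[] chain, PrivateKey key, X509Certificate[] trustCerts)
            throws GeneralSecurityException {
        if (chain.length == 0) {
            throw new CertificateException("certificate PEM contained no certificates");
        }
        if (trustCerts.length == 0) {
            throw new CertificateException("trust PEM contained no certificates");
        }
        for (X509Certificate c : chain) {
            c.checkValidity(); // CertificateExpiredException / CertificateNotYetValidException
        }
        // Cheap mismatch check: an RSA key next to an EC certificate (or vice versa) is a wrong file.
        String certAlg = chain[0].getPublicKey().getAlgorithm();
        if (!certAlg.equals(key.getAlgorithm())) {
            throw new CertificateException("leaf certificate key is " + certAlg
                    + " but private key is " + key.getAlgorithm());
        }
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate ca : trustCerts) {
            anchors.add(new TrustAnchor(ca, null));
        }
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // offline pre-flight; revocation assumed to be handled at runtime
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(chain));
        CertPathValidator.getInstance("PKIX").validate(path, params); // CertPathValidatorException on failure
    }

    static SSLContext build(String caPem, String certPem, String keyPem) throws GeneralSecurityException {
        // KeyManagementException from the loaders is a GeneralSecurityException, so one clause covers all of it.
        X509Certificate[] trust = SecurityUtility.loadCertificatesFromPemFile(caPem);
        X509Certificate[] chain = SecurityUtility.loadCertificatesFromPemFile(certPem);
        PrivateKey key = SecurityUtility.loadPrivateKeyFromPemFile(keyPem);
        validate(chain, key, trust);
        return SecurityUtility.createSslContext(false, trust, chain, key); // allowInsecureConnection=false
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed paths standing in for the configured TLS files.
        SSLContext ctx = build("/etc/pulsar/tls/ca.cert.pem",
                               "/etc/pulsar/tls/client.cert.pem",
                               "/etc/pulsar/tls/client.key-pk8.pem");
        System.out.println("chain validated; context protocol: " + ctx.getProtocol());
    }
}
```

The same pre-flight applies to the stream-based loaders when the material comes from a secret store rather than files; only the three load calls change.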
configureSSLHandler
public static void configureSSLHandler(io.netty.handler.ssl.SslHandler handler)
resolveProvider
public static Provider resolveProvider(String providerName) throws NoSuchAlgorithmException
Throws:
NoSuchAlgorithmException