From 0a321a46d2fb40302514000318cc1bcd57162f7f Mon Sep 17 00:00:00 2001
From: Yuya Ebihara
Date: Tue, 14 Nov 2023 16:45:38 +0900
Subject: [PATCH] Use SslUtils.createSSLContext in Hive connector
---
 plugin/trino-hive/pom.xml | 5 -
 .../DefaultThriftMetastoreClientFactory.java | 110 +-----------------
 2 files changed, 4 insertions(+), 111 deletions(-)
diff --git a/plugin/trino-hive/pom.xml b/plugin/trino-hive/pom.xml
index d2bd5b9582ee..144933e8198b 100644
--- a/plugin/trino-hive/pom.xml
+++ b/plugin/trino-hive/pom.xml
@@ -111,11 +111,6 @@ log - - io.airlift - security - - io.airlift stats
diff --git a/plugin/trino-hive/src/main/java/io/trino/plugin/hive/metastore/thrift/DefaultThriftMetastoreClientFactory.java b/plugin/trino-hive/src/main/java/io/trino/plugin/hive/metastore/thrift/DefaultThriftMetastoreClientFactory.java
index cb2319390b3e..c9a586dd7475 100644
--- a/plugin/trino-hive/src/main/java/io/trino/plugin/hive/metastore/thrift/DefaultThriftMetastoreClientFactory.java
+++ b/plugin/trino-hive/src/main/java/io/trino/plugin/hive/metastore/thrift/DefaultThriftMetastoreClientFactory.java
@@ -15,38 +15,22 @@ import com.google.common.net.HostAndPort;
 import com.google.inject.Inject;
-import io.airlift.security.pem.PemReader;
 import io.airlift.units.Duration;
 import io.trino.plugin.hive.metastore.thrift.ThriftHiveMetastoreClient.TransportSupplier;
 import io.trino.spi.NodeManager;
 import org.apache.thrift.transport.TTransport;
 import org.apache.thrift.transport.TTransportException;
-import javax.net.ssl.KeyManager;
-import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.TrustManagerFactory;
-import javax.net.ssl.X509TrustManager;
-import javax.security.auth.x500.X500Principal;
 import java.io.File;
-import java.io.FileInputStream;
 import java.io.IOException;
-import java.io.InputStream;
 import java.security.GeneralSecurityException;
-import java.security.KeyStore;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateExpiredException;
-import java.security.cert.CertificateNotYetValidException;
-import java.security.cert.X509Certificate;
-import java.util.Arrays;
-import java.util.List;
 import java.util.Optional;
 import java.util.concurrent.atomic.AtomicInteger;
+import static io.trino.plugin.base.ssl.SslUtils.createSSLContext;
 import static java.lang.Math.toIntExact;
-import static java.util.Collections.list;
 import static java.util.Objects.requireNonNull;
 public class DefaultThriftMetastoreClientFactory
@@ -95,7 +79,7 @@ public DefaultThriftMetastoreClientFactory(
 config.isTlsEnabled(),
 Optional.ofNullable(config.getKeystorePath()),
 Optional.ofNullable(config.getKeystorePassword()),
- config.getTruststorePath(),
+ Optional.ofNullable(config.getTruststorePath()),
 Optional.ofNullable(config.getTruststorePassword())),
 Optional.ofNullable(config.getSocksProxy()),
 config.getConnectTimeout(),
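Review bot: `Optional.ofNullable(config.getTruststorePath())` makes the truststore optional at this call site and, through the `Optional trustStorePath` parameter in the next hunk, inside buildSslContext, yet nothing in the patch shows what createSSLContext does with an empty truststore while TLS is enabled. If it falls back to the keystore or to the JVM default trust store, a deployment that enables TLS but omits the truststore property would quietly connect with different trust anchors instead of failing at startup, which is what the old `File` parameter would have produced when passed null. Unless ThriftMetastoreConfig already rejects that combination (not visible here), I would keep the requirement explicit right after the `if (!tlsEnabled)` check: `if (trustStorePath.isEmpty()) { throw new IllegalArgumentException("Truststore path must be set when metastore TLS is enabled"); }`. If the fallback is intended, document it in a comment on buildSslContext instead so operators know which trust anchors apply.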
@@ -137,7 +121,7 @@ private static Optional buildSslContext(
 boolean tlsEnabled,
 Optional keyStorePath,
 Optional keyStorePassword,
- File trustStorePath,
+ Optional trustStorePath,
 Optional trustStorePassword)
 {
 if (!tlsEnabled) {
@@ -145,96 +129,10 @@ private static Optional buildSslContext(
 }
 try {
- // load KeyStore if configured and get KeyManagers
- KeyManager[] keyManagers = null;
- char[] keyManagerPassword = new char[0];
- if (keyStorePath.isPresent()) {
- KeyStore keyStore;
- try {
- keyStore = PemReader.loadKeyStore(keyStorePath.get(), keyStorePath.get(), keyStorePassword);
- }
- catch (IOException | GeneralSecurityException e) {
- keyManagerPassword = keyStorePassword.map(String::toCharArray).orElse(null);
- keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
- try (InputStream in = new FileInputStream(keyStorePath.get())) {
- keyStore.load(in, keyManagerPassword);
- }
- }
- validateCertificates(keyStore);
- KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
- keyManagerFactory.init(keyStore, keyManagerPassword);
- keyManagers = keyManagerFactory.getKeyManagers();
- }
-
- // load TrustStore
- KeyStore trustStore = loadTrustStore(trustStorePath, trustStorePassword);
-
- // create TrustManagerFactory
- TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
- trustManagerFactory.init(trustStore);
-
- // get X509TrustManager
- TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
- if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
- throw new RuntimeException("Unexpected default trust managers:" + Arrays.toString(trustManagers));
- }
-
- // create SSLContext
- SSLContext sslContext = SSLContext.getInstance("SSL");
- sslContext.init(keyManagers, trustManagers, null);
- return Optional.of(sslContext);
+ return Optional.of(createSSLContext(keyStorePath, keyStorePassword, trustStorePath, trustStorePassword));
 }
 catch (GeneralSecurityException | IOException e) {
 throw new RuntimeException(e);
 }
 }
-
- private static KeyStore loadTrustStore(File trustStorePath, Optional trustStorePassword)
- throws IOException, GeneralSecurityException
- {
- KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
- try {
- // attempt to read the trust store as a PEM file
- List certificateChain = PemReader.readCertificateChain(trustStorePath);
- if (!certificateChain.isEmpty()) {
- trustStore.load(null, null);
- for (X509Certificate certificate : certificateChain) {
- X500Principal principal = certificate.getSubjectX500Principal();
- trustStore.setCertificateEntry(principal.getName(), certificate);
- }
- return trustStore;
- }
- }
- catch (IOException | GeneralSecurityException e) {
- }
-
- try (InputStream in = new FileInputStream(trustStorePath)) {
- trustStore.load(in, trustStorePassword.map(String::toCharArray).orElse(null));
- }
- return trustStore;
- }
-
- private static void validateCertificates(KeyStore keyStore)
- throws GeneralSecurityException
- {
- for (String alias : list(keyStore.aliases())) {
- if (!keyStore.isKeyEntry(alias)) {
- continue;
- }
- Certificate certificate = keyStore.getCertificate(alias);
- if (!(certificate instanceof X509Certificate)) {
- continue;
- }
-
- try {
- ((X509Certificate) certificate).checkValidity();
- }
- catch (CertificateExpiredException e) {
- throw new CertificateExpiredException("KeyStore certificate is expired: " + e.getMessage());
- }
- catch (CertificateNotYetValidException e) {
- throw new CertificateNotYetValidException("KeyStore certificate is not yet valid: " + e.getMessage());
- }
- }
- }
 }
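Review bot: The removed body validated every keystore key entry with `checkValidity()` and rejected a trust manager set that was not exactly one X509TrustManager; the new `return Optional.of(createSSLContext(keyStorePath, keyStorePassword, trustStorePath, trustStorePassword));` line gives no indication whether createSSLContext retains either check, so an expired or not-yet-valid client certificate may now surface as an opaque handshake failure on the first metastore call instead of the explicit "KeyStore certificate is expired" error at startup. Worth confirming against SslUtils before merging and, if it does not validate, keeping a validity check on the keystore before the return. The same applies to the PEM-then-keystore loading order the old loadTrustStore used, which is presumably mirrored in SslUtils but is not visible here. The enclosing buildSslContext starts outside this hunk; the catch that wraps both checked exceptions into a bare RuntimeException is pre-existing context.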