From 36e8ae26ec7b23455eb1b5080abd2df77770547c Mon Sep 17 00:00:00 2001 From: YYTVicky <61596169+YYTVicky@users.noreply.github.com> Date: Sat, 29 Feb 2020 18:11:36 -0800 Subject: [PATCH 1/5] add a comment to warn that it is not secure --- .../src/main/java/org/apache/flume/api/NettyAvroRpcClient.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/flume-ng-sdk/src/main/java/org/apache/flume/api/NettyAvroRpcClient.java b/flume-ng-sdk/src/main/java/org/apache/flume/api/NettyAvroRpcClient.java index e657735385..6f387936b3 100644 --- a/flume-ng-sdk/src/main/java/org/apache/flume/api/NettyAvroRpcClient.java +++ b/flume-ng-sdk/src/main/java/org/apache/flume/api/NettyAvroRpcClient.java @@ -759,7 +759,8 @@ public SocketChannel newChannel(ChannelPipeline pipeline) { } /** - * Permissive trust manager accepting any certificate + * Permissive trust manager accepting any certificate, + * it is not secure */ private static class PermissiveTrustManager implements X509TrustManager { @Override From 33c8a84991562f7e9f1ba900b2eec97b693c26b2 Mon Sep 17 00:00:00 2001 From: YYTVicky <61596169+YYTVicky@users.noreply.github.com> Date: Mon, 4 May 2020 23:06:34 -0400 Subject: [PATCH 2/5] Update NettyAvroRpcClient.java --- .../apache/flume/api/NettyAvroRpcClient.java | 66 ++++++++++++++++++- 1 file changed, 63 insertions(+), 3 deletions(-) diff --git a/flume-ng-sdk/src/main/java/org/apache/flume/api/NettyAvroRpcClient.java b/flume-ng-sdk/src/main/java/org/apache/flume/api/NettyAvroRpcClient.java index 6f387936b3..bdb93503ee 100644 --- a/flume-ng-sdk/src/main/java/org/apache/flume/api/NettyAvroRpcClient.java +++ b/flume-ng-sdk/src/main/java/org/apache/flume/api/NettyAvroRpcClient.java 
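Review bot: The added Javadoc line changes nothing about what `PermissiveTrustManager` does — it still implements `X509TrustManager` with, per its own description, checks that accept any certificate, so a client built with it performs no server authentication and an on-path attacker presenting any certificate is accepted. If the class has to stay, the comment should say what is lost and when it may be used, e.g. ` * WARNING: performs no certificate chain validation at all; an active attacker can impersonate the server. Test use only, never in production.` Where this class is selected is outside the hunk, and the check bodies are cut off at the hunk end, so whether anything is validated there cannot be confirmed from here.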
@@ -759,9 +759,69 @@ public SocketChannel newChannel(ChannelPipeline pipeline) { } /** - * Permissive trust manager accepting any certificate, - * it is not secure - */ + * Permissive trust manager accepting any certificate, + * it is not secure + * new X509TrustManager() { + *@Override + *public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { + * KeyStore ts = KeyStore.getInstance("JKS"); + * ts.load(new FileInputStream(path), password); // load your local cert path and specify your password + * TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509"); // choose the algrithm to match your cert + * tmf.init(ts); + * TrustManager[] trustManagers = tmf.getTrustManagers(); // refer to https://lightbend.github.io/ssl-config/WSQuickStart.html for detailed steps + * for (final X509TrustManager trustManager : trustManagers) { + * try { + * trustManager.checkClientTrusted(chain, authType); + * return; + * } catch (final CertificateException e) { + * //LOGGER.debug(e.getMessage(), e); + * } + * } + * throw new CertificateException("None of the TrustManagers trust this certificate chain"); + * + * } + * @Override + * public X509Certificate[] getAcceptedIssuers() { + * return new X509Certificate[0]; + * } + *@Override + *public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException{ + * if (chain == null) { + * throw new IllegalArgumentException("checkServerTrusted:x509Certificate array isnull"); + * } + * + * if (!(chain.length > 0)) { + * throw new IllegalArgumentException("checkServerTrusted: X509Certificate is empty"); + * } + * + * if (!(null != authType && authType.equalsIgnoreCase("RSA"))) { + * throw new CertificateException("checkServerTrusted: AuthType is not RSA"); + * } + * + * + * try { + * TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509"); // choose algorithm to match your code + * tmf.init((KeyStore) null); + * for (TrustManager trustManager : 
tmf.getTrustManagers()) { + * ((X509TrustManager) trustManager).checkServerTrusted(chain, authType); + * } + * } catch (Exception e) { + * throw new CertificateException(e); + * } + * + * + * RSAPublicKey pubkey = (RSAPublicKey) chain[0].getPublicKey(); + * String encoded = new BigInteger(1 , pubkey.getEncoded()).toString(16); + * final boolean expected = PUB_KEY.equalsIgnoreCase(encoded); + * + * if (!expected) { + * throw new CertificateException("checkServerTrusted: Expected public key: " + * + PUB_KEY + ", got public key:" + encoded); + * } + * } + * + *}; + */ private static class PermissiveTrustManager implements X509TrustManager { @Override public void checkClientTrusted(X509Certificate[] certs, String s) { From 959177a562751eaf795376d8efae0c0867a8a1fb Mon Sep 17 00:00:00 2001 From: YYTVicky <61596169+YYTVicky@users.noreply.github.com> Date: Mon, 4 May 2020 23:28:25 -0400 Subject: [PATCH 3/5] Update NettyAvroRpcClient.java --- .../apache/flume/api/NettyAvroRpcClient.java | 126 +++++++++--------- 1 file changed, 62 insertions(+), 64 deletions(-) diff --git a/flume-ng-sdk/src/main/java/org/apache/flume/api/NettyAvroRpcClient.java b/flume-ng-sdk/src/main/java/org/apache/flume/api/NettyAvroRpcClient.java index bdb93503ee..c056d8c963 100644 --- a/flume-ng-sdk/src/main/java/org/apache/flume/api/NettyAvroRpcClient.java +++ b/flume-ng-sdk/src/main/java/org/apache/flume/api/NettyAvroRpcClient.java 
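Review bot: The sample trust manager added to the Javadoc would neither compile nor accept ordinary handshakes if copied: `for (final X509TrustManager trustManager : trustManagers)` iterates a `TrustManager[]` without a cast, and `checkServerTrusted` throws unless `authType` equalsIgnoreCase "RSA", whereas the `authType` argument is the key-exchange algorithm name (values such as `ECDHE_RSA` are documented for JSSE), so presumably every ECDHE suite would be rejected. `getAcceptedIssuers()` returning an empty array also hides the trusted CAs from the peer, which breaks client-certificate selection. Filter the loop with `if (tm instanceof X509TrustManager)`, drop the RSA string test (or compare `chain[0].getPublicKey().getAlgorithm()` if the intent is to pin the key type), and return the delegate's `getAcceptedIssuers()`. A sample inside a comment is never compiled or tested; a real delegating `X509TrustManager` that wraps the default `TrustManagerFactory` output would be a stronger fix. `PermissiveTrustManager` itself is unchanged here and its method bodies run past the hunk end.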
@@ -758,70 +758,68 @@ public SocketChannel newChannel(ChannelPipeline pipeline) { } } - /** - * Permissive trust manager accepting any certificate, - * it is not secure - * new X509TrustManager() { - *@Override - *public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { - * KeyStore ts = KeyStore.getInstance("JKS"); - * ts.load(new FileInputStream(path), password); // load your local cert path and specify your password - * TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509"); // choose the algrithm to match your cert - * tmf.init(ts); - * TrustManager[] trustManagers = tmf.getTrustManagers(); // refer to https://lightbend.github.io/ssl-config/WSQuickStart.html for detailed steps - * for (final X509TrustManager trustManager : trustManagers) { - * try { - * trustManager.checkClientTrusted(chain, authType); - * return; - * } catch (final CertificateException e) { - * //LOGGER.debug(e.getMessage(), e); - * } - * } - * throw new CertificateException("None of the TrustManagers trust this certificate chain"); - * - * } - * @Override - * public X509Certificate[] getAcceptedIssuers() { - * return new X509Certificate[0]; - * } - *@Override - *public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException{ - * if (chain == null) { - * throw new IllegalArgumentException("checkServerTrusted:x509Certificate array isnull"); - * } - * - * if (!(chain.length > 0)) { - * throw new IllegalArgumentException("checkServerTrusted: X509Certificate is empty"); - * } - * - * if (!(null != authType && authType.equalsIgnoreCase("RSA"))) { - * throw new CertificateException("checkServerTrusted: AuthType is not RSA"); - * } - * - * - * try { - * TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509"); // choose algorithm to match your code - * tmf.init((KeyStore) null); - * for (TrustManager trustManager : tmf.getTrustManagers()) { - * ((X509TrustManager) 
trustManager).checkServerTrusted(chain, authType); - * } - * } catch (Exception e) { - * throw new CertificateException(e); - * } - * - * - * RSAPublicKey pubkey = (RSAPublicKey) chain[0].getPublicKey(); - * String encoded = new BigInteger(1 , pubkey.getEncoded()).toString(16); - * final boolean expected = PUB_KEY.equalsIgnoreCase(encoded); - * - * if (!expected) { - * throw new CertificateException("checkServerTrusted: Expected public key: " - * + PUB_KEY + ", got public key:" + encoded); - * } - * } - * - *}; - */ + /** + * Permissive trust manager accepting any certificate, + * it is not secure + * new X509TrustManager() { + * + * @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { + * KeyStore ts = KeyStore.getInstance("JKS"); + * ts.load(new FileInputStream(path), password); // load your local cert path and specify your password + * TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509"); // choose the algrithm to match your cert + * tmf.init(ts); + * TrustManager[] trustManagers = tmf.getTrustManagers(); // refer to https://lightbend.github.io/ssl-config/WSQuickStart.html for detailed steps + * for (final X509TrustManager trustManager : trustManagers) { + * try { + * trustManager.checkClientTrusted(chain, authType); + * return; + * } catch (final CertificateException e) { + * //LOGGER.debug(e.getMessage(), e); + * } + * } + * throw new CertificateException("None of the TrustManagers trust this certificate chain"); + *

+ * } + * @Override public X509Certificate[] getAcceptedIssuers() { + * return new X509Certificate[0]; + * } + * @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException{ + * if (chain == null) { + * throw new IllegalArgumentException("checkServerTrusted:x509Certificate array isnull"); + * } + *

+ * if (!(chain.length > 0)) { + * throw new IllegalArgumentException("checkServerTrusted: X509Certificate is empty"); + * } + *

+ * if (!(null != authType && authType.equalsIgnoreCase("RSA"))) { + * throw new CertificateException("checkServerTrusted: AuthType is not RSA"); + * } + *

+ *

+ * try { + * TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509"); // choose algorithm to match your code + * tmf.init((KeyStore) null); + * for (TrustManager trustManager : tmf.getTrustManagers()) { + * ((X509TrustManager) trustManager).checkServerTrusted(chain, authType); + * } + * } catch (Exception e) { + * throw new CertificateException(e); + * } + *

+ *

+ * RSAPublicKey pubkey = (RSAPublicKey) chain[0].getPublicKey(); + * String encoded = new BigInteger(1 , pubkey.getEncoded()).toString(16); + * final boolean expected = PUB_KEY.equalsIgnoreCase(encoded); + *

+ * if (!expected) { + * throw new CertificateException("checkServerTrusted: Expected public key: " + * + PUB_KEY + ", got public key:" + encoded); + * } + * } + *

+ * }; + */ private static class PermissiveTrustManager implements X509TrustManager { @Override public void checkClientTrusted(X509Certificate[] certs, String s) { From e9ad5d88a9a55152d8a8a84e26a6801bbf720552 Mon Sep 17 00:00:00 2001 From: YYTVicky <61596169+YYTVicky@users.noreply.github.com> Date: Mon, 4 May 2020 23:40:49 -0400 Subject: [PATCH 4/5] Update NettyAvroRpcClient.java --- .../apache/flume/api/NettyAvroRpcClient.java | 124 +++++++++--------- 1 file changed, 62 insertions(+), 62 deletions(-) diff --git a/flume-ng-sdk/src/main/java/org/apache/flume/api/NettyAvroRpcClient.java b/flume-ng-sdk/src/main/java/org/apache/flume/api/NettyAvroRpcClient.java index c056d8c963..683c0eef2e 100644 --- a/flume-ng-sdk/src/main/java/org/apache/flume/api/NettyAvroRpcClient.java +++ b/flume-ng-sdk/src/main/java/org/apache/flume/api/NettyAvroRpcClient.java @@ -758,68 +758,68 @@ public SocketChannel newChannel(ChannelPipeline pipeline) { } } - /** - * Permissive trust manager accepting any certificate, - * it is not secure - * new X509TrustManager() { - * - * @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { - * KeyStore ts = KeyStore.getInstance("JKS"); - * ts.load(new FileInputStream(path), password); // load your local cert path and specify your password - * TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509"); // choose the algrithm to match your cert - * tmf.init(ts); - * TrustManager[] trustManagers = tmf.getTrustManagers(); // refer to https://lightbend.github.io/ssl-config/WSQuickStart.html for detailed steps - * for (final X509TrustManager trustManager : trustManagers) { - * try { - * trustManager.checkClientTrusted(chain, authType); - * return; - * } catch (final CertificateException e) { - * //LOGGER.debug(e.getMessage(), e); - * } - * } - * throw new CertificateException("None of the TrustManagers trust this certificate chain"); - *

- * } - * @Override public X509Certificate[] getAcceptedIssuers() { - * return new X509Certificate[0]; - * } - * @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException{ - * if (chain == null) { - * throw new IllegalArgumentException("checkServerTrusted:x509Certificate array isnull"); - * } - *

- * if (!(chain.length > 0)) { - * throw new IllegalArgumentException("checkServerTrusted: X509Certificate is empty"); - * } - *

- * if (!(null != authType && authType.equalsIgnoreCase("RSA"))) { - * throw new CertificateException("checkServerTrusted: AuthType is not RSA"); - * } - *

- *

- * try { - * TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509"); // choose algorithm to match your code - * tmf.init((KeyStore) null); - * for (TrustManager trustManager : tmf.getTrustManagers()) { - * ((X509TrustManager) trustManager).checkServerTrusted(chain, authType); - * } - * } catch (Exception e) { - * throw new CertificateException(e); - * } - *

- *

- * RSAPublicKey pubkey = (RSAPublicKey) chain[0].getPublicKey(); - * String encoded = new BigInteger(1 , pubkey.getEncoded()).toString(16); - * final boolean expected = PUB_KEY.equalsIgnoreCase(encoded); - *

- * if (!expected) { - * throw new CertificateException("checkServerTrusted: Expected public key: " - * + PUB_KEY + ", got public key:" + encoded); - * } - * } - *

- * }; - */ + /** + * Permissive trust manager accepting any certificate, + * it is not secure + * new X509TrustManager() { + * + * @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { + * KeyStore ts = KeyStore.getInstance("JKS"); + * ts.load(new FileInputStream(path), password); // load your local cert path and specify your password + * TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509"); // choose the algrithm to match your cert + * tmf.init(ts); + * TrustManager[] trustManagers = tmf.getTrustManagers(); // refer to https://lightbend.github.io/ssl-config/WSQuickStart.html for detailed steps + * for (final X509TrustManager trustManager : trustManagers) { + * try { + * trustManager.checkClientTrusted(chain, authType); + * return; + * } catch (final CertificateException e) { + * //LOGGER.debug(e.getMessage(), e); + * } + * } + * throw new CertificateException("None of the TrustManagers trust this certificate chain"); + *

+ * } + * @Override public X509Certificate[] getAcceptedIssuers() { + * return new X509Certificate[0]; + * } + * @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException{ + * if (chain == null) { + * throw new IllegalArgumentException("checkServerTrusted:x509Certificate array isnull"); + * } + *

+ * if (!(chain.length > 0)) { + * throw new IllegalArgumentException("checkServerTrusted: X509Certificate is empty"); + * } + *

+ * if (!(null != authType && authType.equalsIgnoreCase("RSA"))) { + * throw new CertificateException("checkServerTrusted: AuthType is not RSA"); + * } + *

+ *

+ * try { + * TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509"); // choose algorithm to match your code + * tmf.init((KeyStore) null); + * for (TrustManager trustManager : tmf.getTrustManagers()) { + * ((X509TrustManager) trustManager).checkServerTrusted(chain, authType); + * } + * } catch (Exception e) { + * throw new CertificateException(e); + * } + *

+ *

+ * RSAPublicKey pubkey = (RSAPublicKey) chain[0].getPublicKey(); + * String encoded = new BigInteger(1 , pubkey.getEncoded()).toString(16); + * final boolean expected = PUB_KEY.equalsIgnoreCase(encoded); + *

+ * if (!expected) { + * throw new CertificateException("checkServerTrusted: Expected public key: " + * + PUB_KEY + ", got public key:" + encoded); + * } + * } + *

+ * }; + */ private static class PermissiveTrustManager implements X509TrustManager { @Override public void checkClientTrusted(X509Certificate[] certs, String s) { From 80d2a988e967876316ad7dcb392031f272daffae Mon Sep 17 00:00:00 2001 From: YYTVicky <61596169+YYTVicky@users.noreply.github.com> Date: Mon, 4 May 2020 23:51:01 -0400 Subject: [PATCH 5/5] Update NettyAvroRpcClient.java --- .../apache/flume/api/NettyAvroRpcClient.java | 38 ++++++++++++++----- 1 file changed, 28 insertions(+), 10 deletions(-) diff --git a/flume-ng-sdk/src/main/java/org/apache/flume/api/NettyAvroRpcClient.java b/flume-ng-sdk/src/main/java/org/apache/flume/api/NettyAvroRpcClient.java index 683c0eef2e..b61732f17f 100644 --- a/flume-ng-sdk/src/main/java/org/apache/flume/api/NettyAvroRpcClient.java +++ b/flume-ng-sdk/src/main/java/org/apache/flume/api/NettyAvroRpcClient.java 
@@ -763,12 +763,19 @@ public SocketChannel newChannel(ChannelPipeline pipeline) { * it is not secure * new X509TrustManager() { * - * @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { + * @Override public void checkClientTrusted( + * X509Certificate[] chain, + * String authType) + * throws CertificateException { * KeyStore ts = KeyStore.getInstance("JKS"); - * ts.load(new FileInputStream(path), password); // load your local cert path and specify your password - * TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509"); // choose the algrithm to match your cert + * // load your local cert path and specify your password + * ts.load(new FileInputStream(path), password); + * // choose the algrithm to match your cert + * TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509"); * tmf.init(ts); - * TrustManager[] trustManagers = tmf.getTrustManagers(); // refer to https://lightbend.github.io/ssl-config/WSQuickStart.html for detailed steps + * // refer to https://lightbend.github.io/ssl-config/WSQuickStart.html + * // for detailed steps + * TrustManager[] trustManagers = tmf.getTrustManagers(); * for (final X509TrustManager trustManager : trustManagers) { * try { * trustManager.checkClientTrusted(chain, authType); @@ -777,28 +784,39 @@ public SocketChannel newChannel(ChannelPipeline pipeline) { * //LOGGER.debug(e.getMessage(), e); * } * } - * throw new CertificateException("None of the TrustManagers trust this certificate chain"); + * throw new CertificateException( + * "None of the TrustManagers trust this certificate chain" + * ); *
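Review bot: In the reflowed `checkClientTrusted` sample the truststore is opened and loaded on every call and the `FileInputStream` handed to `ts.load` is never closed, so each handshake leaks a file handle; load the truststore once (in a constructor) and use try-with-resources, e.g. `try (InputStream in = Files.newInputStream(Paths.get(path))) { ts.load(in, password); }`. The `CertificateException` caught in the delegate loop is swallowed with the only log call commented out, so a rejected certificate leaves no trace. The sample's `checkClientTrusted` continues past the hunk end.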

* } * @Override public X509Certificate[] getAcceptedIssuers() { * return new X509Certificate[0]; * } - * @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException{ + * @Override public void checkServerTrusted( + * X509Certificate[] chain, String authType + * ) throws CertificateException{ * if (chain == null) { - * throw new IllegalArgumentException("checkServerTrusted:x509Certificate array isnull"); + * throw new IllegalArgumentException(" + * checkServerTrusted:x509Certificate array is null + * "); * } *

* if (!(chain.length > 0)) { - * throw new IllegalArgumentException("checkServerTrusted: X509Certificate is empty"); + * throw new IllegalArgumentException( + * "checkServerTrusted: X509Certificate is empty" + * ); * } *

* if (!(null != authType && authType.equalsIgnoreCase("RSA"))) { - * throw new CertificateException("checkServerTrusted: AuthType is not RSA"); + * throw new CertificateException(" + * checkServerTrusted: AuthType is not RSA + * "); * } *

*

* try { - * TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509"); // choose algorithm to match your code + * // choose algorithm to match your code + * TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509"); * tmf.init((KeyStore) null); * for (TrustManager trustManager : tmf.getTrustManagers()) { * ((X509TrustManager) trustManager).checkServerTrusted(chain, authType);
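Review bot: Wrapping the exception messages to fit the line limit split two string literals across lines (`throw new IllegalArgumentException("` / `checkServerTrusted:x509Certificate array is null` / `");` and likewise the `AuthType is not RSA` one), which is not valid Java — a string literal cannot contain a line break — so the sample now fails to compile when copied, and the leading indentation would otherwise end up in the message. Keep each literal on one line and break after the opening parenthesis as was done for the `X509Certificate is empty` case: `throw new IllegalArgumentException(` / `"checkServerTrusted: x509Certificate array is null");`. Separately, the `* @Override public ...` lines begin with `@` inside a Javadoc comment, which javadoc parses as a block tag (unknown tag `Override`, an error under doclint) even inside `{@code}`; wrap the sample in `<pre>{@code ...}</pre>` and write `{@literal @}Override` or keep `@Override` off the line start. The `checkServerTrusted` sample continues past the hunk end.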