Skip to content
This repository has been archived by the owner on Apr 1, 2024. It is now read-only.

Commit

Permalink
[improve][sec] Support for Elliptic Curve Cryptography (EC, ECC) (cer…
Browse files Browse the repository at this point in the history 
…tificates/private keys) (apache#21621)

(cherry picked from commit e1d06b5)
  • Loading branch information
@mattisonchao
mattisonchao committed Dec 28, 2023
1 parent 01717a0 commit 9546a04
Show file tree
Hide file tree
Showing 36 changed files with 649 additions and 12 deletions.
2 changes: 2 additions & 0 deletions pom.xml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1488,6 +1488,8 @@ flexible messaging model and an intuitive client API.</description>
<exclude>**/*.crt</exclude>
<exclude>**/*.key</exclude>
<exclude>**/*.csr</exclude>
<exclude>**/*.srl</exclude>
<exclude>**/*.txt</exclude>
<exclude>**/*.pem</exclude>
<exclude>**/*.json</exclude>
<exclude>**/*.htpasswd</exclude>
Expand Down
58 changes: 52 additions & 6 deletions pulsar-broker/src/test/java/org/apache/pulsar/broker/auth/MockedPulsarServiceBaseTest.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -25,9 +25,13 @@
import static org.mockito.Mockito.spy;
import static org.mockito.Mockito.when;
import static org.testng.Assert.assertEquals;

import com.google.common.collect.Sets;
import com.google.common.io.Resources;
import com.google.common.util.concurrent.MoreExecutors;
import io.netty.channel.EventLoopGroup;

import java.io.File;
import java.lang.reflect.Field;
import java.net.InetSocketAddress;
import java.net.URI;
Expand All @@ -43,6 +47,7 @@
import java.util.concurrent.TimeUnit;
import java.util.function.Predicate;
import java.util.function.Supplier;

import org.apache.bookkeeper.client.BookKeeper;
import org.apache.bookkeeper.client.EnsemblePlacementPolicy;
import org.apache.bookkeeper.client.PulsarMockBookKeeper;
Expand Down Expand Up @@ -79,6 +84,7 @@
import org.awaitility.reflect.WhiteboxImpl;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.testcontainers.shaded.com.fasterxml.jackson.databind.ObjectMapper;
import org.testng.annotations.DataProvider;

/**
Expand All @@ -94,7 +100,7 @@ public abstract class MockedPulsarServiceBaseTest extends TestRetrySupport {
protected PulsarAdmin admin;
protected PulsarClient pulsarClient;
protected PortForwarder brokerGateway;
protected boolean enableBrokerGateway = false;
protected boolean enableBrokerGateway = false;
protected URL brokerUrl;
protected URL brokerUrlTls;

Expand Down Expand Up @@ -235,7 +241,7 @@ protected final void internalCleanup() throws Exception {
mockZooKeeper.shutdown();
mockZooKeeper = null;
}
if(sameThreadOrderedSafeExecutor != null) {
if (sameThreadOrderedSafeExecutor != null) {
try {
sameThreadOrderedSafeExecutor.shutdownNow();
sameThreadOrderedSafeExecutor.awaitTermination(5, TimeUnit.SECONDS);
Expand All @@ -245,7 +251,7 @@ protected final void internalCleanup() throws Exception {
}
sameThreadOrderedSafeExecutor = null;
}
if(bkExecutor != null) {
if (bkExecutor != null) {
try {
bkExecutor.shutdownNow();
bkExecutor.awaitTermination(5, TimeUnit.SECONDS);
Expand Down Expand Up @@ -394,7 +400,7 @@ public static MockZooKeeper createMockZooKeeper() throws Exception {
}

public static MockZooKeeper createMockZooKeeperGlobal() {
return MockZooKeeper.newInstanceForGlobalZK(MoreExecutors.newDirectExecutorService());
return MockZooKeeper.newInstanceForGlobalZK(MoreExecutors.newDirectExecutorService());
}

public static NonClosableMockBookKeeper createMockBookKeeper(OrderedExecutor executor) throws Exception {
Expand Down Expand Up @@ -512,7 +518,7 @@ protected void setupDefaultTenantAndNamespace() throws Exception {

@DataProvider(name = "invalidPersistentPolicies")
public Object[][] incorrectPersistentPolicies() {
return new Object[][] {
return new Object[][]{
{0, 0, 0},
{1, 0, 0},
{0, 0, 1},
Expand Down Expand Up @@ -541,7 +547,7 @@ protected void deleteNamespaceWithRetry(String ns, boolean force, PulsarAdmin ad
/**
* see {@link MockedPulsarServiceBaseTest#deleteNamespaceWithRetry(String, boolean, PulsarAdmin, Collection)}
*/
public static void deleteNamespaceWithRetry(String ns, boolean force, PulsarAdmin admin, PulsarService...pulsars)
public static void deleteNamespaceWithRetry(String ns, boolean force, PulsarAdmin admin, PulsarService... pulsars)
throws Exception {
deleteNamespaceWithRetry(ns, force, admin, Arrays.asList(pulsars));
}
Expand Down Expand Up @@ -588,4 +594,44 @@ public static class ServiceProducer {
}

private static final Logger log = LoggerFactory.getLogger(MockedPulsarServiceBaseTest.class);


// EC certificate
protected static final String TLS_EC_TRUSTED_CERT_PATH =
getAbsolutePath("certificate-authority/ec/ca.cert.pem");
protected static final String TLS_EC_SERVER_KEY_PATH =
getAbsolutePath("certificate-authority/ec/server.key-pk8.pem");
protected static final String TLS_EC_SERVER_CERT_PATH =
getAbsolutePath("certificate-authority/ec/server.cert.pem");
protected static final String TLS_EC_BROKER_CLIENT_KEY_PATH =
getAbsolutePath("certificate-authority/ec/broker_client.key-pk8.pem");
protected static final String TLS_EC_BROKER_CLIENT_CERT_PATH =
getAbsolutePath("certificate-authority/ec/broker_client.cert.pem");
protected static final String TLS_EC_CLIENT_KEY_PATH =
getAbsolutePath("certificate-authority/ec/client.key-pk8.pem");
protected static final String TLS_EC_CLIENT_CERT_PATH =
getAbsolutePath("certificate-authority/ec/client.cert.pem");

// EC KeyStore
protected static final String TLS_EC_KS_SERVER_STORE =
getAbsolutePath("certificate-authority/ec/jks/server.keystore.jks");
protected static final String TLS_EC_KS_SERVER_PASS = "serverpw";
protected static final String TLS_EC_KS_BROKER_CLIENT_STORE =
getAbsolutePath("certificate-authority/ec/jks/broker_client.keystore.jks");
protected static final String TLS_EC_KS_BROKER_CLIENT_PASS = "brokerclientpw";
protected static final String TLS_EC_KS_CLIENT_STORE =
getAbsolutePath("certificate-authority/ec/jks/client.keystore.jks");
protected static final String TLS_EC_KS_CLIENT_PASS = "clientpw";
protected static final String TLS_EC_KS_TRUSTED_STORE =
getAbsolutePath("certificate-authority/ec/jks/ca.truststore.jks");
protected static final String TLS_EC_KS_TRUSTED_STORE_PASS = "rootpw";

public static String getAbsolutePath(String resourceName) {
// On Windows, URL#getPath might return a string that starts with a disk name, e.g. "/C:/"
// It's invalid to use this path to open a file, so we need to get the absolute path via File.
return new File(Resources.getResource(resourceName).getPath()).getAbsolutePath();

}

protected static final ObjectMapper mapper = new ObjectMapper();
}
130 changes: 130 additions & 0 deletions ...-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECCertificateFileTest.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,130 @@
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.pulsar.security.tls.ec;


import static org.testng.Assert.assertEquals;
import static org.testng.Assert.assertNotNull;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.UUID;
import lombok.Cleanup;
import lombok.SneakyThrows;
import org.apache.pulsar.broker.auth.MockedPulsarServiceBaseTest;
import org.apache.pulsar.client.admin.PulsarAdmin;
import org.apache.pulsar.client.api.Consumer;
import org.apache.pulsar.client.api.Message;
import org.apache.pulsar.client.api.MessageId;
import org.apache.pulsar.client.api.Producer;
import org.apache.pulsar.client.api.PulsarClient;
import org.apache.pulsar.client.api.PulsarClientException;
import org.apache.pulsar.client.impl.auth.AuthenticationTls;
import org.testng.annotations.AfterClass;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.Test;


@Test
public class TlsWithECCertificateFileTest extends MockedPulsarServiceBaseTest {

@Override
protected void doInitConf() throws Exception {
super.doInitConf();
conf.setTlsEnabled(true);
conf.setBrokerServicePort(Optional.empty());
conf.setWebServicePort(Optional.empty());
conf.setTlsTrustCertsFilePath(TLS_EC_TRUSTED_CERT_PATH);
conf.setTlsCertificateFilePath(TLS_EC_SERVER_CERT_PATH);
conf.setTlsKeyFilePath(TLS_EC_SERVER_KEY_PATH);
conf.setBrokerClientTlsEnabled(true);
conf.setBrokerClientTrustCertsFilePath(TLS_EC_TRUSTED_CERT_PATH);
conf.setBrokerClientAuthenticationPlugin(AuthenticationTls.class.getName());
final Map<String, String> brokerClientAuthParams = new HashMap<>();
brokerClientAuthParams.put("tlsCertFile", TLS_EC_BROKER_CLIENT_CERT_PATH);
brokerClientAuthParams.put("tlsKeyFile", TLS_EC_BROKER_CLIENT_KEY_PATH);
conf.setBrokerClientAuthenticationParameters(mapper.writeValueAsString(brokerClientAuthParams));
conf.setBrokerClientAuthenticationParameters(mapper.writeValueAsString(brokerClientAuthParams));
}

@BeforeClass(alwaysRun = true)
@Override
protected void setup() throws Exception {
init();
admin = pulsar.getAdminClient();
setupDefaultTenantAndNamespace();
}

@AfterClass(alwaysRun = true)
@Override
protected void cleanup() throws Exception {
internalCleanup();
}
@Test(expectedExceptions = PulsarClientException.class)
@SneakyThrows
public void testConnectionFailWithoutCertificate() {
@Cleanup final PulsarClient client = PulsarClient.builder()
.serviceUrl(pulsar.getBrokerServiceUrlTls())
.build();
@Cleanup final Producer<byte[]> producer = client.newProducer()
.topic("should_be_failed")
.create();
}


@Test
@SneakyThrows
public void testConnectionSuccessWithCertificate() {
final AuthenticationTls authentication = new AuthenticationTls(TLS_EC_CLIENT_CERT_PATH, TLS_EC_CLIENT_KEY_PATH);
final String topicName = "persistent://public/default/" + UUID.randomUUID();
final int testMsgNum = 10;
@Cleanup final PulsarAdmin admin = PulsarAdmin.builder()
.authentication(authentication)
.serviceHttpUrl(pulsar.getWebServiceAddressTls())
.tlsTrustCertsFilePath(TLS_EC_TRUSTED_CERT_PATH)
.build();
admin.topics().createNonPartitionedTopic(topicName);
admin.topics().createSubscription(topicName, "sub-1", MessageId.earliest);
@Cleanup final PulsarClient client = PulsarClient.builder()
.serviceUrl(pulsar.getBrokerServiceUrlTls())
.authentication(authentication)
.tlsTrustCertsFilePath(TLS_EC_TRUSTED_CERT_PATH)
.build();
@Cleanup final Producer<byte[]> producer = client.newProducer()
.topic(topicName)
.create();
@Cleanup final Consumer<byte[]> consumer = client.newConsumer()
.topic(topicName)
.subscriptionName("sub-1")
.consumerName("cons-1")
.subscribe();
for (int i = 0; i < testMsgNum; i++) {
producer.send((i + "").getBytes(StandardCharsets.UTF_8));
}

for (int i = 0; i < testMsgNum; i++) {
final Message<byte[]> message = consumer.receive();
assertNotNull(message);
final byte[] b = message.getValue();
final String s = new String(b, StandardCharsets.UTF_8);
assertEquals(s, i + "");
}
}
}
Loading

0 comments on commit 9546a04

Please sign in to comment.