From cebe36cf0b16a3fc3dbfb3acd2074fc0618a472f Mon Sep 17 00:00:00 2001
From: Lishen Yao
Date: Fri, 4 Nov 2022 16:59:31 +0800
Subject: [PATCH 1/5] [improve][test] Simplify conscrypt warn log when using unsupported os target env
---
 .../apache/pulsar/common/util/SecurityUtility.java | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java b/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java
index ac1e3cad52fb3..af218588ecc5e 100644
--- a/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java
+++ b/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java
@@ -124,7 +124,12 @@ private static Provider loadConscryptProvider() {
 conscryptClazz = Class.forName("org.conscrypt.Conscrypt");
 conscryptClazz.getMethod("checkAvailability").invoke(null);
 } catch (Throwable e) {
- log.warn("Conscrypt isn't available. Using JDK default security provider.", e);
+ if (e.getCause().getClass().getName().equals("java.lang.UnsatisfiedLinkError")) {
+ log.warn("Conscrypt isn't available for {} {}. Using JDK default security provider.",
+ System.getProperty("os.name"), System.getProperty("os.arch"));
+ } else {
+ log.warn("Conscrypt isn't available. Using JDK default security provider.", e);
+ }
 return null;
 }
@@ -448,7 +453,7 @@ public static X509Certificate[] loadCertificatesFromPemFile(String certFilePath)
 return certificates;
 }
- public static X509Certificate[] loadCertificatesFromPemStream(InputStream inStream) throws KeyManagementException {
+ public static X509Certificate[] loadCertificatesFromPemStream(InputStream inStream) throws KeyManagementException {
 if (inStream == null) {
 return null;
 }
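Review bot: The new `UnsatisfiedLinkError` branch in the first hunk (loadConscryptProvider) logs only `os.name` and `os.arch` and no longer passes `e`, so whatever detail the link error carries about the failed native load is gone from the log. This is the spot where TLS falls back from Conscrypt to the JDK default provider, and an operator confirming which provider a node actually runs will want that detail retrievable; I would keep the short warning and add `log.debug("Conscrypt availability check failed", e);` inside the branch. The branch body is carried unchanged through the PATCH 4/5 and PATCH 5/5 hunks, so the same applies there. The method starts and ends outside the hunk.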
@@ -546,7 +551,7 @@ private static void setupProtocols(SslContextBuilder builder, Set protoc
 }
 private static void setupClientAuthentication(SslContextBuilder builder,
- boolean requireTrustedClientCertOnConnect) {
+ boolean requireTrustedClientCertOnConnect) {
 if (requireTrustedClientCertOnConnect) {
 builder.clientAuth(ClientAuth.REQUIRE);
 } else {
From 1e7b698d6fc8402d0ca3921aedb6f70019581681 Mon Sep 17 00:00:00 2001
From: Lishen Yao
Date: Fri, 4 Nov 2022 17:01:33 +0800
Subject: [PATCH 2/5] [improve][test] Simplify conscrypt warn log when using unsupported os target env
---
 .../apache/pulsar/common/util/SecurityUtility.java | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java b/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java
index af218588ecc5e..df57c6f58f41a 100644
--- a/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java
+++ b/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java
@@ -91,8 +91,8 @@ public static boolean isBCFIPS() {
 /**
 * Get Bouncy Castle provider, and call Security.addProvider(provider) if success.
- * 1. try get from classpath.
- * 2. try get from Nar.
+ * 1. try get from classpath.
+ * 2. try get from Nar.
 */
 public static Provider getProvider() {
 boolean isProviderInstalled =
@@ -219,7 +219,8 @@ public static SslContext createNettySslContextForClient(SslProvider sslProvider,
 }
 public static SSLContext createSslContext(boolean allowInsecureConnection, String trustCertsFilePath,
- String certFilePath, String keyFilePath, String providerName) throws GeneralSecurityException {
+ String certFilePath, String keyFilePath, String providerName)
+ throws GeneralSecurityException {
 X509Certificate[] trustCertificates = loadCertificatesFromPemFile(trustCertsFilePath);
 X509Certificate[] certificates = loadCertificatesFromPemFile(certFilePath);
 PrivateKey privateKey = loadPrivateKeyFromPemFile(keyFilePath);
@@ -228,6 +229,7 @@ public static SSLContext createSslContext(boolean allowInsecureConnection, Strin
 /**
 * Creates {@link SslContext} with capability to do auto-cert refresh.
+ *
 * @param allowInsecureConnection
 * @param trustCertsFilePath
 * @param certFilePath
@@ -521,7 +523,7 @@ public static PrivateKey loadPrivateKeyFromPemStream(InputStream inStream) throw
 }
 private static void setupTrustCerts(SslContextBuilder builder, boolean allowInsecureConnection,
- InputStream trustCertsStream) throws IOException, FileNotFoundException {
+ InputStream trustCertsStream) throws IOException, FileNotFoundException {
 if (allowInsecureConnection) {
 builder.trustManager(InsecureTrustManagerFactory.INSTANCE);
 } else {
@@ -534,7 +536,7 @@ private static void setupTrustCerts(SslContextBuilder builder, boolean allowInse
 }
 private static void setupKeyManager(SslContextBuilder builder, PrivateKey privateKey,
- X509Certificate[] certificates) {
+ X509Certificate[] certificates) {
 builder.keyManager(privateKey, (X509Certificate[]) certificates);
 }
From 8a45eac478407648ce574f3948ea515e1fa41ce4 Mon Sep 17 00:00:00 2001
From: Lishen Yao
Date: Fri, 4 Nov 2022 17:02:40 +0800
Subject: [PATCH 3/5] [improve][test] Simplify conscrypt warn log when using unsupported os target env
---
 .../pulsar/common/util/SecurityUtility.java | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java b/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java
index df57c6f58f41a..1065823088740 100644
--- a/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java
+++ b/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java
@@ -91,8 +91,8 @@ public static boolean isBCFIPS() {
 /**
 * Get Bouncy Castle provider, and call Security.addProvider(provider) if success.
- * 1. try get from classpath.
- * 2. try get from Nar.
+ * 1. try get from classpath.
+ * 2. try get from Nar.
 */
 public static Provider getProvider() {
 boolean isProviderInstalled =
@@ -219,8 +219,7 @@ public static SslContext createNettySslContextForClient(SslProvider sslProvider,
 }
 public static SSLContext createSslContext(boolean allowInsecureConnection, String trustCertsFilePath,
- String certFilePath, String keyFilePath, String providerName)
- throws GeneralSecurityException {
+ String certFilePath, String keyFilePath, String providerName) throws GeneralSecurityException {
 X509Certificate[] trustCertificates = loadCertificatesFromPemFile(trustCertsFilePath);
 X509Certificate[] certificates = loadCertificatesFromPemFile(certFilePath);
 PrivateKey privateKey = loadPrivateKeyFromPemFile(keyFilePath);
@@ -229,7 +228,6 @@ public static SSLContext createSslContext(boolean allowInsecureConnection, Strin
 /**
 * Creates {@link SslContext} with capability to do auto-cert refresh.
- *
 * @param allowInsecureConnection
 * @param trustCertsFilePath
 * @param certFilePath
@@ -455,7 +453,7 @@ public static X509Certificate[] loadCertificatesFromPemFile(String certFilePath)
 return certificates;
 }
- public static X509Certificate[] loadCertificatesFromPemStream(InputStream inStream) throws KeyManagementException {
+ public static X509Certificate[] loadCertificatesFromPemStream(InputStream inStream) throws KeyManagementException {
 if (inStream == null) {
 return null;
 }
@@ -523,7 +521,7 @@ public static PrivateKey loadPrivateKeyFromPemStream(InputStream inStream) throw
 }
 private static void setupTrustCerts(SslContextBuilder builder, boolean allowInsecureConnection,
- InputStream trustCertsStream) throws IOException, FileNotFoundException {
+ InputStream trustCertsStream) throws IOException, FileNotFoundException {
 if (allowInsecureConnection) {
 builder.trustManager(InsecureTrustManagerFactory.INSTANCE);
 } else {
@@ -536,7 +534,7 @@ private static void setupTrustCerts(SslContextBuilder builder, boolean allowInse
 }
 private static void setupKeyManager(SslContextBuilder builder, PrivateKey privateKey,
- X509Certificate[] certificates) {
+ X509Certificate[] certificates) {
 builder.keyManager(privateKey, (X509Certificate[]) certificates);
 }
@@ -553,7 +551,7 @@ private static void setupProtocols(SslContextBuilder builder, Set protoc
 }
 private static void setupClientAuthentication(SslContextBuilder builder,
- boolean requireTrustedClientCertOnConnect) {
+ boolean requireTrustedClientCertOnConnect) {
 if (requireTrustedClientCertOnConnect) {
 builder.clientAuth(ClientAuth.REQUIRE);
 } else {
From 35167273ba1d267582a9486d84bf6ed0fb267bac Mon Sep 17 00:00:00 2001
From: Lishen Yao
Date: Sat, 5 Nov 2022 06:58:10 +0800
Subject: [PATCH 4/5] [improve][test] Simplify conscrypt warn log when using unsupported os target env
---
 .../java/org/apache/pulsar/common/util/SecurityUtility.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java b/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java
index 1065823088740..406c712301bf8 100644
--- a/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java
+++ b/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java
@@ -124,7 +124,7 @@ private static Provider loadConscryptProvider() {
 conscryptClazz = Class.forName("org.conscrypt.Conscrypt");
 conscryptClazz.getMethod("checkAvailability").invoke(null);
 } catch (Throwable e) {
- if (e.getCause().getClass().getName().equals("java.lang.UnsatisfiedLinkError")) {
+ if (e.getCause() != null && e.getCause().getClass().getName().equals("java.lang.UnsatisfiedLinkError")) {
 log.warn("Conscrypt isn't available for {} {}. Using JDK default security provider.",
 System.getProperty("os.name"), System.getProperty("os.arch"));
 } else {
From d96b6045309386f4d4d661252c29e57dae93bca5 Mon Sep 17 00:00:00 2001
From: Lishen Yao
Date: Mon, 7 Nov 2022 20:11:15 +0800
Subject: [PATCH 5/5] Update pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java
Co-authored-by: Cong Zhao
---
 .../java/org/apache/pulsar/common/util/SecurityUtility.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java b/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java
index 406c712301bf8..12ab9ae0b0bc9 100644
--- a/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java
+++ b/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java
@@ -124,7 +124,7 @@ private static Provider loadConscryptProvider() {
 conscryptClazz = Class.forName("org.conscrypt.Conscrypt");
 conscryptClazz.getMethod("checkAvailability").invoke(null);
 } catch (Throwable e) {
- if (e.getCause() != null && e.getCause().getClass().getName().equals("java.lang.UnsatisfiedLinkError")) {
+ if (e.getCause() instanceof UnsatisfiedLinkError) {
 log.warn("Conscrypt isn't available for {} {}. Using JDK default security provider.",
 System.getProperty("os.name"), System.getProperty("os.arch"));
 } else {
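Review bot: The `e.getCause() instanceof UnsatisfiedLinkError` test deserves a one-line comment saying why the cause rather than `e` itself is inspected: `checkAvailability` is called through `Method.invoke`, which wraps anything the target throws in an `InvocationTargetException`. Something like `// invoke() wraps the target's error in InvocationTargetException, so look at the cause` would do. Because the catch is on `Throwable`, a link error that surfaced directly from `Class.forName` rather than as a cause would take the else branch and still be logged with its stack trace, which looks acceptable but is worth stating in the same comment. The method body starts and ends outside the hunk.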