HBASE-27346 Autodetect key/truststore file type from file extension (apache#4757)

Signed-off-by: Duo Zhang <[email protected]>
Signed-off-by: Bryan Beaudreault <[email protected]>

Author: anmolnar

hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/BCFKSFileLoader.java

@@ -0,0 +1,42 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hbase.io.crypto.tls;
+
+/**
+ * Implementation of {@link FileKeyStoreLoader} that loads from BCKFS files.
+ * <p/>
+ * This file has been copied from the Apache ZooKeeper project.
+ * @see <a href=
+ *      "https://github.com/apache/zookeeper/blob/c74658d398cdc1d207aa296cb6e20de00faec03e/zookeeper-server/src/main/java/org/apache/zookeeper/common/BCFKSFileLoader.java">Base
+ *      revision</a>
+ */
+final class BCFKSFileLoader extends StandardTypeFileKeyStoreLoader {
+  private BCFKSFileLoader(String keyStorePath, String trustStorePath, char[] keyStorePassword,
+    char[] trustStorePassword) {
+    super(keyStorePath, trustStorePath, keyStorePassword, trustStorePassword,
+      SupportedStandardKeyFormat.BCFKS);
+  }
+
+  static class Builder extends FileKeyStoreLoader.Builder<BCFKSFileLoader> {
+    @Override
+    BCFKSFileLoader build() {
+      return new BCFKSFileLoader(keyStorePath, trustStorePath, keyStorePassword,
+        trustStorePassword);
+    }
+  }
+}

hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/FileKeyStoreLoader.java

@@ -0,0 +1,80 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hbase.io.crypto.tls;
+
+import java.util.Objects;
+
+/**
+ * Base class for instances of {@link KeyStoreLoader} which load the key/trust stores from files on
+ * a filesystem.
+ * <p/>
+ * This file has been copied from the Apache ZooKeeper project.
+ * @see <a href=
+ *      "https://github.com/apache/zookeeper/blob/c74658d398cdc1d207aa296cb6e20de00faec03e/zookeeper-server/src/main/java/org/apache/zookeeper/common/FileKeyStoreLoader.java">Base
+ *      revision</a>
+ */
+abstract class FileKeyStoreLoader implements KeyStoreLoader {
+  final String keyStorePath;
+  final String trustStorePath;
+  final char[] keyStorePassword;
+  final char[] trustStorePassword;
+
+  FileKeyStoreLoader(String keyStorePath, String trustStorePath, char[] keyStorePassword,
+    char[] trustStorePassword) {
+    this.keyStorePath = keyStorePath;
+    this.trustStorePath = trustStorePath;
+    this.keyStorePassword = keyStorePassword;
+    this.trustStorePassword = trustStorePassword;
+  }
+
+  /**
+   * Base class for builder pattern used by subclasses.
+   * @param <T> the subtype of FileKeyStoreLoader created by the Builder.
+   */
+  static abstract class Builder<T extends FileKeyStoreLoader> {
+    String keyStorePath;
+    String trustStorePath;
+    char[] keyStorePassword;
+    char[] trustStorePassword;
+
+    Builder() {
+    }
+
+    Builder<T> setKeyStorePath(String keyStorePath) {
+      this.keyStorePath = Objects.requireNonNull(keyStorePath);
+      return this;
+    }
+
+    Builder<T> setTrustStorePath(String trustStorePath) {
+      this.trustStorePath = Objects.requireNonNull(trustStorePath);
+      return this;
+    }
+
+    Builder<T> setKeyStorePassword(char[] keyStorePassword) {
+      this.keyStorePassword = Objects.requireNonNull(keyStorePassword);
+      return this;
+    }
+
+    Builder<T> setTrustStorePassword(char[] trustStorePassword) {
+      this.trustStorePassword = Objects.requireNonNull(trustStorePassword);
+      return this;
+    }
+
+    abstract T build();
+  }
+}

hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/FileKeyStoreLoaderBuilderProvider.java

@@ -0,0 +1,54 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hbase.io.crypto.tls;
+
+import java.util.Objects;
+
+/**
+ * This file has been copied from the Apache ZooKeeper project.
+ * @see <a href=
+ *      "https://github.com/apache/zookeeper/blob/c74658d398cdc1d207aa296cb6e20de00faec03e/zookeeper-server/src/main/java/org/apache/zookeeper/common/FileKeyStoreLoaderBuilderProvider.java">Base
+ *      revision</a>
+ */
+final class FileKeyStoreLoaderBuilderProvider {
+  /**
+   * Returns a {@link FileKeyStoreLoader.Builder} that can build a loader which loads keys and certs
+   * from files of the given {@link KeyStoreFileType}.
+   * @param type the file type to load keys/certs from.
+   * @return a new Builder.
+   */
+  static FileKeyStoreLoader.Builder<? extends FileKeyStoreLoader>
+    getBuilderForKeyStoreFileType(KeyStoreFileType type) {
+    switch (Objects.requireNonNull(type)) {
+      case JKS:
+        return new JKSFileLoader.Builder();
+      case PEM:
+        return new PEMFileLoader.Builder();
+      case PKCS12:
+        return new PKCS12FileLoader.Builder();
+      case BCFKS:
+        return new BCFKSFileLoader.Builder();
+      default:
+        throw new AssertionError("Unexpected StoreFileType: " + type.name());
+    }
+  }
+
+  private FileKeyStoreLoaderBuilderProvider() {
+    // disabled
+  }
+}

hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/JKSFileLoader.java

@@ -0,0 +1,41 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hbase.io.crypto.tls;
+
+/**
+ * Implementation of {@link FileKeyStoreLoader} that loads from JKS files.
+ * <p/>
+ * This file has been copied from the Apache ZooKeeper project.
+ * @see <a href=
+ *      "https://github.com/apache/zookeeper/blob/c74658d398cdc1d207aa296cb6e20de00faec03e/zookeeper-server/src/main/java/org/apache/zookeeper/common/JKSFileLoader.java">Base
+ *      revision</a>
+ */
+final class JKSFileLoader extends StandardTypeFileKeyStoreLoader {
+  private JKSFileLoader(String keyStorePath, String trustStorePath, char[] keyStorePassword,
+    char[] trustStorePassword) {
+    super(keyStorePath, trustStorePath, keyStorePassword, trustStorePassword,
+      SupportedStandardKeyFormat.JKS);
+  }
+
+  static class Builder extends FileKeyStoreLoader.Builder<JKSFileLoader> {
+    @Override
+    JKSFileLoader build() {
+      return new JKSFileLoader(keyStorePath, trustStorePath, keyStorePassword, trustStorePassword);
+    }
+  }
+}

hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/KeyStoreLoader.java

@@ -0,0 +1,53 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hbase.io.crypto.tls;
+
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+
+/**
+ * An interface for an object that can load key stores or trust stores.
+ * <p/>
+ * This file has been copied from the Apache ZooKeeper project.
+ * @see <a href=
+ *      "https://github.com/apache/zookeeper/blob/c74658d398cdc1d207aa296cb6e20de00faec03e/zookeeper-server/src/main/java/org/apache/zookeeper/common/KeyStoreLoader.java">Base
+ *      revision</a>
+ */
+interface KeyStoreLoader {
+  /**
+   * Loads a KeyStore which contains at least one private key and the associated X509 cert chain.
+   * @return a new KeyStore
+   * @throws IOException              if loading the key store fails due to an IO error, such as
+   *                                  "file not found".
+   * @throws GeneralSecurityException if loading the key store fails due to a security error, such
+   *                                  as "unsupported crypto algorithm".
+   */
+  KeyStore loadKeyStore() throws IOException, GeneralSecurityException;
+
+  /**
+   * Loads a KeyStore which contains at least one X509 cert chain for a trusted Certificate
+   * Authority (CA).
+   * @return a new KeyStore
+   * @throws IOException              if loading the trust store fails due to an IO error, such as
+   *                                  "file not found".
+   * @throws GeneralSecurityException if loading the trust store fails due to a security error, such
+   *                                  as "unsupported crypto algorithm".
+   */
+  KeyStore loadTrustStore() throws IOException, GeneralSecurityException;
+}

hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/PEMFileLoader.java

@@ -0,0 +1,56 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hbase.io.crypto.tls;
+
+import java.io.File;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+
+/**
+ * Implementation of {@link FileKeyStoreLoader} that loads from PEM files.
+ * <p/>
+ * This file has been copied from the Apache ZooKeeper project.
+ * @see <a href=
+ *      "https://github.com/apache/zookeeper/blob/c74658d398cdc1d207aa296cb6e20de00faec03e/zookeeper-server/src/main/java/org/apache/zookeeper/common/PEMFileLoader.java">Base
+ *      revision</a>
+ */
+final class PEMFileLoader extends FileKeyStoreLoader {
+  private PEMFileLoader(String keyStorePath, String trustStorePath, char[] keyStorePassword,
+    char[] trustStorePassword) {
+    super(keyStorePath, trustStorePath, keyStorePassword, trustStorePassword);
+  }
+
+  @Override
+  public KeyStore loadKeyStore() throws IOException, GeneralSecurityException {
+    File file = new File(keyStorePath);
+    return PemReader.loadKeyStore(file, file, keyStorePassword);
+  }
+
+  @Override
+  public KeyStore loadTrustStore() throws IOException, GeneralSecurityException {
+    return PemReader.loadTrustStore(new File(trustStorePath));
+  }
+
+  static class Builder extends FileKeyStoreLoader.Builder<PEMFileLoader> {
+    @Override
+    PEMFileLoader build() {
+      return new PEMFileLoader(keyStorePath, trustStorePath, keyStorePassword, trustStorePassword);
+    }
+  }
+}

hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/PKCS12FileLoader.java

@@ -0,0 +1,42 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hbase.io.crypto.tls;
+
+/**
+ * Implementation of {@link FileKeyStoreLoader} that loads from PKCS12 files.
+ * <p/>
+ * This file has been copied from the Apache ZooKeeper project.
+ * @see <a href=
+ *      "https://github.com/apache/zookeeper/blob/c74658d398cdc1d207aa296cb6e20de00faec03e/zookeeper-server/src/main/java/org/apache/zookeeper/common/PKCS12FileLoader.java">Base
+ *      revision</a>
+ */
+final class PKCS12FileLoader extends StandardTypeFileKeyStoreLoader {
+  private PKCS12FileLoader(String keyStorePath, String trustStorePath, char[] keyStorePassword,
+    char[] trustStorePassword) {
+    super(keyStorePath, trustStorePath, keyStorePassword, trustStorePassword,
+      SupportedStandardKeyFormat.PKCS12);
+  }
+
+  static class Builder extends FileKeyStoreLoader.Builder<PKCS12FileLoader> {
+    @Override
+    PKCS12FileLoader build() {
+      return new PKCS12FileLoader(keyStorePath, trustStorePath, keyStorePassword,
+        trustStorePassword);
+    }
+  }
+}