Java Code Examples for org.apache.hadoop.security.ssl.KeyStoreTestUtil#generateCertificate()

The following examples show how to use org.apache.hadoop.security.ssl.KeyStoreTestUtil#generateCertificate(). Each example names the project and source file it was taken from, so you can follow it back to the original context.
Example 1
Source File: TestOzoneBlockTokenSecretManager.java    From hadoop-ozone with Apache License 2.0
/**
 * Builds the per-test fixtures: a configuration with block tokens enabled,
 * an RSA key pair and an "OzoneMaster" certificate generated from it, a
 * block-token secret manager keyed on that certificate's serial id, an
 * initialised certificate client, and a verifier over the same client.
 *
 * @throws Exception if key/certificate generation or client init fails
 */
@Before
public void setUp() throws Exception {
  OzoneConfiguration conf = new OzoneConfiguration();
  conf.set(HddsConfigKeys.OZONE_METADATA_DIRS, BASEDIR);
  conf.setBoolean(HddsConfigKeys.HDDS_BLOCK_TOKEN_ENABLED, true);
  // Create Ozone Master key pair.
  keyPair = KeyStoreTestUtil.generateKeyPair("RSA");
  // NOTE(review): 60 * 60 * 24 is 86400; if Time.monotonicNow() is in
  // milliseconds this is ~86 s rather than one day. Confirm the intended
  // token lifetime before relying on it in expiry tests.
  expiryTime = Time.monotonicNow() + 60 * 60 * 24;
  // Create Ozone Master certificate (SCM CA issued cert) and key store.
  // 30 is the validity passed to KeyStoreTestUtil.generateCertificate
  // (days, per that utility); the cert is signed with SHA256withRSA.
  SecurityConfig securityConfig = new SecurityConfig(conf);
  x509Certificate = KeyStoreTestUtil
      .generateCertificate("CN=OzoneMaster", keyPair, 30, "SHA256withRSA");
  // The secret manager identifies the signing cert by its serial number.
  omCertSerialId = x509Certificate.getSerialNumber().toString();
  secretManager = new OzoneBlockTokenSecretManager(securityConfig,
      expiryTime, omCertSerialId);
  // getCertificateClient() is defined elsewhere in this test class.
  client = getCertificateClient(securityConfig);
  client.init();
  secretManager.start(client);
  tokenVerifier = new BlockTokenVerifier(securityConfig, client);

}
 
Example 2
Source File: TestHddsSecureDatanodeInit.java    From hadoop-ozone with Apache License 2.0
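/**
 * One-time fixture for the secure datanode init tests: a randomised test
 * directory, a security-enabled configuration with a mock datanode plugin,
 * a started {@code HddsDatanodeService} whose certificate client has been
 * initialised, codecs for the DN component, and a certificate generated
 * over the service's own key pair.
 *
 * <p>{@code service.start(conf)} and
 * {@code service.initializeCertificateClient(conf)} are wrapped in
 * {@code callQuietly} (defined elsewhere in this class), so failures there
 * do not abort setup; the log capturer is cleared afterwards so tests only
 * see output produced by themselves.
 *
 * @throws Exception if certificate generation or encoding fails
 */
@BeforeClass
public static void setUp() throws Exception {
  testDir = GenericTestUtils.getRandomizedTestDir();
  conf = new OzoneConfiguration();
  conf.set(HddsConfigKeys.OZONE_METADATA_DIRS, testDir.getPath());
  String volumeDir = testDir + "/disk1";
  conf.set(DFSConfigKeysLegacy.DFS_DATANODE_DATA_DIR_KEY, volumeDir);

  conf.setBoolean(OZONE_SECURITY_ENABLED_KEY, true);
  conf.setClass(OzoneConfigKeys.HDDS_DATANODE_PLUGINS_KEY,
      TestHddsDatanodeService.MockService.class,
      ServicePlugin.class);
  securityConfig = new SecurityConfig(conf);

  service = HddsDatanodeService.createHddsDatanodeService(args);
  dnLogs = GenericTestUtils.LogCapturer.captureLogs(getLogger());
  callQuietly(() -> {
    service.start(conf);
    return null;
  });
  callQuietly(() -> {
    service.initializeCertificateClient(conf);
    return null;
  });
  certCodec = new CertificateCodec(securityConfig, DN_COMPONENT);
  keyCodec = new KeyCodec(securityConfig, DN_COMPONENT);
  dnLogs.clearOutput();
  privateKey = service.getCertificateClient().getPrivateKey();
  publicKey = service.getCertificateClient().getPublicKey();

  // Certificate over the key pair the service generated during init; the
  // signature algorithm comes from the security config so it matches what
  // the datanode itself would use. 10 is the validity value handed to
  // generateCertificate.
  X509Certificate x509Certificate = KeyStoreTestUtil.generateCertificate(
      "CN=Test", new KeyPair(publicKey, privateKey), 10,
      securityConfig.getSignatureAlgo());
  certHolder = new X509CertificateHolder(x509Certificate.getEncoded());

}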
 
Example 3
Source File: TestDefaultCertificateClient.java    From hadoop-ozone with Apache License 2.0
/**
 * Generates a "CN=Test" certificate for the given key pair using the OM
 * security config's signature algorithm. When {@code keyPair} is null a
 * fresh pair is produced via {@code generateKeyPairFiles()} (defined
 * elsewhere in this class) and used instead.
 *
 * @param keyPair key pair to certify, or null to generate one
 * @return the generated certificate (validity value 30, as passed to
 *         {@code KeyStoreTestUtil.generateCertificate})
 * @throws Exception if key or certificate generation fails
 */
private X509Certificate generateX509Cert(KeyPair keyPair) throws Exception {
  // The conditional is lazy, so generateKeyPairFiles() only runs for null.
  KeyPair certifiedPair = keyPair != null ? keyPair : generateKeyPairFiles();
  String signatureAlgo = omSecurityConfig.getSignatureAlgo();
  return KeyStoreTestUtil.generateCertificate(
      "CN=Test", certifiedPair, 30, signatureAlgo);
}
 
Example 4
Source File: TestOzoneBlockTokenIdentifier.java    From hadoop-ozone with Apache License 2.0
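/**
 * One-time fixture: recreates {@code BASEDIR} from scratch, sets the token
 * expiry, and generates the "OzoneMaster" RSA key pair and certificate
 * shared by the tests in this class.
 *
 * @throws Exception if the directory cannot be created or key/certificate
 *                   generation fails
 */
@BeforeClass
public static void setUp() throws Exception {
  File base = new File(BASEDIR);
  FileUtil.fullyDelete(base);
  // File.mkdirs() signals failure only through its return value; fail here
  // with a clear message instead of letting a later write fail obscurely.
  if (!base.mkdirs() && !base.isDirectory()) {
    throw new IllegalStateException(
        "Could not create test directory " + base.getAbsolutePath());
  }
  // NOTE(review): 60 * 60 * 24 is 86400; if Time.monotonicNow() is in
  // milliseconds this is ~86 s, not one day. Confirm the intended lifetime.
  expiryTime = Time.monotonicNow() + 60 * 60 * 24;

  // Create Ozone Master key pair.
  keyPair = KeyStoreTestUtil.generateKeyPair("RSA");
  // Create Ozone Master certificate (SCM CA issued cert) and key store.
  // 30 is the validity value passed to generateCertificate.
  cert = KeyStoreTestUtil
      .generateCertificate("CN=OzoneMaster", keyPair, 30, "SHA256withRSA");
}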
 
Example 5
Source File: TestOzoneBlockTokenIdentifier.java    From hadoop-ozone with Apache License 2.0
/**
 * Rough timing of RSA token signing and verification over 1000 generated
 * block-token identifiers, using a fresh "OzoneMaster" key pair and
 * certificate. Average per-token times are logged only; the verification
 * results are not asserted, so this test only fails if signing or
 * verification throws.
 *
 * @throws NoSuchAlgorithmException     if RSA or the digest is unavailable
 * @throws CertificateEncodingException if the certificate cannot be encoded
 * @throws NoSuchProviderException      if the security provider is missing
 * @throws InvalidKeyException          if a key is rejected by the signer
 * @throws SignatureException           if signing or verification fails
 */
@Test
public void testAsymmetricTokenPerf() throws NoSuchAlgorithmException,
    CertificateEncodingException, NoSuchProviderException,
    InvalidKeyException, SignatureException {
  final int tokenCount = 1000;
  List<OzoneBlockTokenIdentifier> identifiers = new ArrayList<>();
  List<byte[]> signatures = new ArrayList<>();
  int produced = 0;
  while (produced < tokenCount) {
    identifiers.add(generateTestToken());
    produced++;
  }

  KeyPair signingKeys = KeyStoreTestUtil.generateKeyPair("RSA");

  // Create Ozone Master certificate (SCM CA issued cert) and key store
  X509Certificate signingCert = KeyStoreTestUtil.generateCertificate(
      "CN=OzoneMaster", signingKeys, 30, "SHA256withRSA");

  long signStart = Time.monotonicNowNanos();
  for (OzoneBlockTokenIdentifier id : identifiers) {
    signatures.add(signTokenAsymmetric(id, signingKeys.getPrivate()));
  }
  long signNanos = Time.monotonicNowNanos() - signStart;
  LOG.info("Average token sign time with HmacSha256(RSA/1024 key) is {} ns",
      signNanos / tokenCount);

  // Verify each token against the signature produced for it above.
  // NOTE(review): the boolean result of verifyTokenAsymmetric is dropped.
  long verifyStart = Time.monotonicNowNanos();
  for (int n = 0; n < tokenCount; n++) {
    verifyTokenAsymmetric(identifiers.get(n), signatures.get(n), signingCert);
  }
  long verifyNanos = Time.monotonicNowNanos() - verifyStart;
  LOG.info("Average token verify time with HmacSha256(RSA/1024 key) "
      + "is {} ns", verifyNanos / tokenCount);
}
 
Example 6
Source File: TestOzoneTokenIdentifier.java    From hadoop-ozone with Apache License 2.0
/**
 * Rough timing of RSA token signing and verification over 1000 generated
 * token identifiers, using a fresh "OzoneMaster" key pair and certificate.
 * Only average per-token times are logged; verification results are not
 * asserted, so the test fails only if signing or verification throws.
 *
 * @throws NoSuchAlgorithmException     if RSA or the digest is unavailable
 * @throws CertificateEncodingException if the certificate cannot be encoded
 * @throws NoSuchProviderException      if the security provider is missing
 * @throws InvalidKeyException          if a key is rejected by the signer
 * @throws SignatureException           if signing or verification fails
 */
@Test
public void testAsymmetricTokenPerf() throws NoSuchAlgorithmException,
    CertificateEncodingException, NoSuchProviderException,
    InvalidKeyException, SignatureException {
  final int sampleSize = 1000;
  List<OzoneTokenIdentifier> ids = new ArrayList<>();
  for (int idx = 0; idx < sampleSize; idx++) {
    ids.add(generateTestToken());
  }

  KeyPair masterKeys = KeyStoreTestUtil.generateKeyPair("RSA");

  // Create Ozone Master certificate (SCM CA issued cert) and key store
  X509Certificate masterCert = KeyStoreTestUtil.generateCertificate(
      "CN=OzoneMaster", masterKeys, 30, "SHA256withRSA");

  List<byte[]> signed = new ArrayList<>();
  long t0 = Time.monotonicNowNanos();
  for (int idx = 0; idx < sampleSize; idx++) {
    signed.add(signTokenAsymmetric(ids.get(idx), masterKeys.getPrivate()));
  }
  long elapsed = Time.monotonicNowNanos() - t0;
  LOG.info("Average token sign time with HmacSha256(RSA/1024 key) is {} ns",
      elapsed / sampleSize);

  // NOTE(review): verifyTokenAsymmetric's boolean result is not checked.
  t0 = Time.monotonicNowNanos();
  for (int idx = 0; idx < sampleSize; idx++) {
    verifyTokenAsymmetric(ids.get(idx), signed.get(idx), masterCert);
  }
  elapsed = Time.monotonicNowNanos() - t0;
  LOG.info("Average token verify time with HmacSha256(RSA/1024 key) "
      + "is {} ns", elapsed / sampleSize);
}
 
Example 7
Source File: TestOzoneDelegationTokenSecretManager.java    From hadoop-ozone with Apache License 2.0
/**
 * Creates a certificate client whose key pair and certificate are fixed
 * in memory for the test: a fresh RSA pair and a "CN=OzoneMaster"
 * certificate signed with SHA256withRSA (validity value 30, as passed to
 * {@code KeyStoreTestUtil.generateCertificate}). Both certificate lookups
 * return the same certificate regardless of serial id.
 *
 * @return an {@code OMCertificateClient} answering from the generated values
 * @throws Exception if key pair or certificate generation fails
 */
private CertificateClient setupCertificateClient() throws Exception {
  final KeyPair omKeys = KeyStoreTestUtil.generateKeyPair("RSA");
  final X509Certificate omCert = KeyStoreTestUtil.generateCertificate(
      "CN=OzoneMaster", omKeys, 30, "SHA256withRSA");

  return new OMCertificateClient(securityConfig) {
    @Override
    public PrivateKey getPrivateKey() {
      return omKeys.getPrivate();
    }

    @Override
    public PublicKey getPublicKey() {
      return omKeys.getPublic();
    }

    @Override
    public X509Certificate getCertificate() {
      return omCert;
    }

    // The serial id is ignored: this test only ever has one certificate.
    @Override
    public X509Certificate getCertificate(String serialId) {
      return omCert;
    }
  };
}
 
Example 8
Source File: TestOzoneManagerBlockToken.java    From hadoop-ozone with Apache License 2.0
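/**
 * One-time fixture: recreates {@code BASEDIR} from scratch, sets the token
 * expiry, and generates the "OzoneMaster" RSA key pair and certificate
 * shared by the tests in this class.
 *
 * @throws Exception if the directory cannot be created or key/certificate
 *                   generation fails
 */
@BeforeClass
public static void setUp() throws Exception {
  File base = new File(BASEDIR);
  FileUtil.fullyDelete(base);
  // File.mkdirs() signals failure only through its return value; fail here
  // with a clear message instead of letting a later write fail obscurely.
  if (!base.mkdirs() && !base.isDirectory()) {
    throw new IllegalStateException(
        "Could not create test directory " + base.getAbsolutePath());
  }
  // NOTE(review): 60 * 60 * 24 is 86400; if Time.monotonicNow() is in
  // milliseconds this is ~86 s, not one day. Confirm the intended lifetime.
  expiryTime = Time.monotonicNow() + 60 * 60 * 24;

  // Create Ozone Master key pair.
  keyPair = KeyStoreTestUtil.generateKeyPair("RSA");
  // Create Ozone Master certificate (SCM CA issued cert) and key store.
  // 30 is the validity value passed to generateCertificate.
  cert = KeyStoreTestUtil
      .generateCertificate("CN=OzoneMaster", keyPair, 30, "SHA256withRSA");
}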
 
Example 9
Source File: TestOzoneManagerBlockToken.java    From hadoop-ozone with Apache License 2.0
/**
 * Rough timing of RSA token signing and verification over 1000 generated
 * block-token identifiers, using a fresh "OzoneMaster" key pair and
 * certificate. Average per-token times are logged only; verification
 * results are not asserted, so the test fails only if signing or
 * verification throws.
 *
 * @throws NoSuchAlgorithmException     if RSA or the digest is unavailable
 * @throws CertificateEncodingException if the certificate cannot be encoded
 * @throws NoSuchProviderException      if the security provider is missing
 * @throws InvalidKeyException          if a key is rejected by the signer
 * @throws SignatureException           if signing or verification fails
 */
@Test
public void testAsymmetricTokenPerf() throws NoSuchAlgorithmException,
    CertificateEncodingException, NoSuchProviderException,
    InvalidKeyException, SignatureException {
  final int iterations = 1000;
  List<OzoneBlockTokenIdentifier> tokens = new ArrayList<>();
  for (int k = 0; k < iterations; k++) {
    tokens.add(generateTestToken());
  }

  KeyPair omKeys = KeyStoreTestUtil.generateKeyPair("RSA");

  // Create Ozone Master certificate (SCM CA issued cert) and key store
  X509Certificate omCertificate = KeyStoreTestUtil.generateCertificate(
      "CN=OzoneMaster", omKeys, 30, "SHA256withRSA");

  // Sign every token, timing the whole batch.
  List<byte[]> passwords = new ArrayList<>();
  long signingStarted = Time.monotonicNowNanos();
  for (OzoneBlockTokenIdentifier token : tokens) {
    passwords.add(signTokenAsymmetric(token, omKeys.getPrivate()));
  }
  long signingTook = Time.monotonicNowNanos() - signingStarted;
  LOG.info("Average token sign time with HmacSha256(RSA/1024 key) is {} ns",
      signingTook / iterations);

  // Verify each token against its own signature, timing the whole batch.
  // NOTE(review): verifyTokenAsymmetric's boolean result is not checked.
  long verifyingStarted = Time.monotonicNowNanos();
  for (int k = 0; k < iterations; k++) {
    verifyTokenAsymmetric(tokens.get(k), passwords.get(k), omCertificate);
  }
  long verifyingTook = Time.monotonicNowNanos() - verifyingStarted;
  LOG.info("Average token verify time with HmacSha256(RSA/1024 key) "
      + "is {} ns", verifyingTook / iterations);
}
 
Example 10
Source File: TestCertificateClientInit.java    From hadoop-ozone with Apache License 2.0
/**
 * Generates a "CN=Test" certificate for the class's {@code keyPair} using
 * the signature algorithm from {@code securityConfig}.
 *
 * @return the generated certificate (validity value 10, as passed to
 *         {@code KeyStoreTestUtil.generateCertificate})
 * @throws Exception if certificate generation fails
 */
private X509Certificate getX509Certificate() throws Exception {
  String signatureAlgo = securityConfig.getSignatureAlgo();
  return KeyStoreTestUtil.generateCertificate(
      "CN=Test", keyPair, 10, signatureAlgo);
}
 
Example 11
Source File: TestSecureOzoneManager.java    From hadoop-ozone with Apache License 2.0
/**
 * Test failure cases for secure OM initialization.
 *
 * <p>Walks {@code OMCertificateClient.init()} through every combination of
 * present/missing private key, public key and certificate on disk and
 * checks the returned {@code InitResponse}. The key pair created in case 1
 * is kept in {@code privateKey}/{@code publicKey} so later cases can write
 * the individual keys back and generate a certificate over them.
 *
 * @throws Exception if any codec write or certificate generation fails
 */
@Test
public void testSecureOmInitFailures() throws Exception {
  PrivateKey privateKey;
  PublicKey publicKey;
  LogCapturer omLogs =
      LogCapturer.captureLogs(OzoneManager.getLogger());
  OMStorage omStorage = new OMStorage(conf);
  omStorage.setClusterId(clusterId);
  omStorage.setScmId(scmId);
  omStorage.setOmId(omId);
  omLogs.clearOutput();

  // Case 1: When keypair as well as certificate is missing. Initial keypair
  // boot-up. Get certificate will fail when SCM is not running.
  SecurityConfig securityConfig = new SecurityConfig(conf);
  CertificateClient client = new OMCertificateClient(securityConfig,
      omStorage.getOmCertSerialId());
  Assert.assertEquals(CertificateClient.InitResponse.GETCERT, client.init());
  // Keep the generated keys: cases 4-6 rewrite them individually.
  privateKey = client.getPrivateKey();
  publicKey = client.getPublicKey();
  Assert.assertNotNull(client.getPrivateKey());
  Assert.assertNotNull(client.getPublicKey());
  Assert.assertNull(client.getCertificate());

  // Case 2: If the key pair already exists, the response should be RECOVER.
  client = new OMCertificateClient(securityConfig,
      omStorage.getOmCertSerialId());
  Assert.assertEquals(CertificateClient.InitResponse.RECOVER, client.init());
  Assert.assertNotNull(client.getPrivateKey());
  Assert.assertNotNull(client.getPublicKey());
  Assert.assertNull(client.getCertificate());

  // Case 3: When public key as well as certificate is missing.
  client = new OMCertificateClient(securityConfig);
  FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation(COMPONENT)
      .toString(), securityConfig.getPublicKeyFileName()).toFile());
  Assert.assertEquals(CertificateClient.InitResponse.FAILURE, client.init());
  Assert.assertNotNull(client.getPrivateKey());
  Assert.assertNull(client.getPublicKey());
  Assert.assertNull(client.getCertificate());

  // Case 4: When private key and certificate is missing.
  client = new OMCertificateClient(securityConfig);
  KeyCodec keyCodec = new KeyCodec(securityConfig, COMPONENT);
  keyCodec.writePublicKey(publicKey);
  FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation(COMPONENT)
      .toString(), securityConfig.getPrivateKeyFileName()).toFile());
  Assert.assertEquals(CertificateClient.InitResponse.FAILURE, client.init());
  Assert.assertNull(client.getPrivateKey());
  Assert.assertNotNull(client.getPublicKey());
  Assert.assertNull(client.getCertificate());

  // Case 5: When only certificate is present.
  // The certificate is generated over the case-1 key pair and written with
  // the codec; the client is then constructed with that cert's serial id.
  FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation(COMPONENT)
      .toString(), securityConfig.getPublicKeyFileName()).toFile());
  CertificateCodec certCodec =
      new CertificateCodec(securityConfig, COMPONENT);
  X509Certificate x509Certificate = KeyStoreTestUtil.generateCertificate(
      "CN=Test", new KeyPair(publicKey, privateKey), 10,
      securityConfig.getSignatureAlgo());
  certCodec.writeCertificate(new X509CertificateHolder(
      x509Certificate.getEncoded()));
  client = new OMCertificateClient(securityConfig,
      x509Certificate.getSerialNumber().toString());
  omStorage.setOmCertSerialId(x509Certificate.getSerialNumber().toString());
  Assert.assertEquals(CertificateClient.InitResponse.FAILURE, client.init());
  Assert.assertNull(client.getPrivateKey());
  Assert.assertNull(client.getPublicKey());
  Assert.assertNotNull(client.getCertificate());

  // Case 6: When private key and certificate is present.
  // Only the private key is written back; the public key must be available
  // to the client after init() for this case to pass.
  client = new OMCertificateClient(securityConfig,
      x509Certificate.getSerialNumber().toString());
  FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation(COMPONENT)
      .toString(), securityConfig.getPublicKeyFileName()).toFile());
  keyCodec.writePrivateKey(privateKey);
  Assert.assertEquals(CertificateClient.InitResponse.SUCCESS, client.init());
  Assert.assertNotNull(client.getPrivateKey());
  Assert.assertNotNull(client.getPublicKey());
  Assert.assertNotNull(client.getCertificate());

  // Case 7: When keypair and certificate is present.
  client = new OMCertificateClient(securityConfig,
      x509Certificate.getSerialNumber().toString());
  Assert.assertEquals(CertificateClient.InitResponse.SUCCESS, client.init());
  Assert.assertNotNull(client.getPrivateKey());
  Assert.assertNotNull(client.getPublicKey());
  Assert.assertNotNull(client.getCertificate());
}
 
Example 12
Source File: TestOzoneTokenIdentifier.java    From hadoop-ozone with Apache License 2.0
/**
 * Signs a token with a freshly generated "OzoneMaster" RSA key and
 * verifies it against the matching certificate, also exercising key store
 * and trust store creation with that key and certificate. A second token
 * paired with random bytes is verified as a negative case. Both outcomes
 * are logged rather than asserted.
 *
 * @throws GeneralSecurityException on key, certificate or signature errors
 * @throws IOException if the key store or trust store cannot be written
 */
@Test
public void testSignToken() throws GeneralSecurityException, IOException {
  String keyStorePath =
      new File(KEYSTORES_DIR, "keystore.jks").getAbsolutePath();
  String trustStorePath =
      new File(KEYSTORES_DIR, "truststore.jks").getAbsolutePath();
  String trustStorePassword = "trustPass";
  String keyStorePassword = "keyStorePass";
  String keyPassword = "keyPass";

  // Ozone Master key pair and the certificate generated over it.
  KeyPair masterKeys = KeyStoreTestUtil.generateKeyPair("RSA");
  X509Certificate masterCert = KeyStoreTestUtil.generateCertificate(
      "CN=OzoneMaster", masterKeys, 30, "SHA256withRSA");
  KeyStoreTestUtil.createKeyStore(keyStorePath, keyStorePassword, keyPassword,
      "OzoneMaster", masterKeys.getPrivate(), masterCert);

  // Trust store containing only the master certificate.
  Map<String, X509Certificate> trusted =
      Collections.singletonMap("server", masterCert);
  KeyStoreTestUtil.createTrustStore(trustStorePath, trustStorePassword,
      trusted);

  // Sign with the master private key, then verify with the certificate.
  PrivateKey signingKey = masterKeys.getPrivate();
  OzoneTokenIdentifier tokenId = new OzoneTokenIdentifier();
  tokenId.setOmCertSerialId("123");
  byte[] signature = signTokenAsymmetric(tokenId, signingKey);
  boolean verified = verifyTokenAsymmetric(tokenId, signature, masterCert);
  LOG.info("{} is {}", tokenId, verified ? "valid." : "invalid.");

  // Negative case: a different token with random bytes in place of a
  // signature. NOTE(review): the result is only logged, not asserted.
  OzoneTokenIdentifier unsignedId = new OzoneTokenIdentifier(
      new Text("oozie"), new Text("rm"), new Text("client"));
  unsignedId.setOmCertSerialId("123");
  LOG.info("Unsigned token {} is {}", unsignedId,
      verifyTokenAsymmetric(unsignedId, RandomUtils.nextBytes(128),
          masterCert));

}