Cipher params not work in KeyStoreSSLContext (#13322)

### Motivation The Cipher params not work in KeyStoreSSLContext. ### Modifications - if cipher params is null, use `sslEngine.getSupportedCipherSuites()`, else use the cipher params - make fields final - remove unused throw exception (cherry picked from commit 8625ffe)
apache · Dec 22, 2021 · ac89c7e · ac89c7e
1 parent 4a406e0
commit ac89c7e
Showing 1 changed file with 25 additions and 25 deletions.
diff --git a/...ar-common/src/main/java/org/apache/pulsar/common/util/keystoretls/KeyStoreSSLContext.java b/...ar-common/src/main/java/org/apache/pulsar/common/util/keystoretls/KeyStoreSSLContext.java
@@ -22,7 +22,6 @@
 import com.google.common.base.Strings;
 import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
 import java.io.FileInputStream;
-import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.security.GeneralSecurityException;
 import java.security.KeyStore;
@@ -35,7 +34,6 @@
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
-import javax.net.ssl.SSLException;
 import javax.net.ssl.TrustManagerFactory;
 import lombok.Getter;
 import lombok.extern.slf4j.Slf4j;
@@ -66,22 +64,22 @@ public enum Mode {
     @Getter
     private final Mode mode;
 
-    private String sslProviderString;
-    private String keyStoreTypeString;
-    private String keyStorePath;
-    private String keyStorePassword;
-    private boolean allowInsecureConnection;
-    private String trustStoreTypeString;
-    private String trustStorePath;
-    private String trustStorePassword;
-    private boolean needClientAuth;
-    private Set<String> ciphers;
-    private Set<String> protocols;
+    private final String sslProviderString;
+    private final String keyStoreTypeString;
+    private final String keyStorePath;
+    private final String keyStorePassword;
+    private final boolean allowInsecureConnection;
+    private final String trustStoreTypeString;
+    private final String trustStorePath;
+    private final String trustStorePassword;
+    private final boolean needClientAuth;
+    private final Set<String> ciphers;
+    private final Set<String> protocols;
     private SSLContext sslContext;
 
-    private String protocol = DEFAULT_SSL_PROTOCOL;
-    private String kmfAlgorithm = DEFAULT_SSL_KEYMANGER_ALGORITHM;
-    private String tmfAlgorithm = DEFAULT_SSL_TRUSTMANAGER_ALGORITHM;
+    private final String protocol = DEFAULT_SSL_PROTOCOL;
+    private final String kmfAlgorithm = DEFAULT_SSL_KEYMANGER_ALGORITHM;
+    private final String tmfAlgorithm = DEFAULT_SSL_TRUSTMANAGER_ALGORITHM;
 
     // only init vars, before using it, need to call createSSLContext to create ssl context.
     public KeyStoreSSLContext(Mode mode,
@@ -109,8 +107,6 @@ public KeyStoreSSLContext(Mode mode,
         this.trustStorePath = trustStorePath;
         this.trustStorePassword = trustStorePassword;
         this.needClientAuth = requireTrustedClientCertOnConnect;
-        this.ciphers = ciphers;
-        this.protocols = protocols;
 
         if (protocols != null && protocols.size() > 0) {
             this.protocols = protocols;
@@ -189,7 +185,11 @@ public SSLEngine createSSLEngine(String peerHost, int peerPort) {
 
     private SSLEngine configureSSLEngine(SSLEngine sslEngine) {
         sslEngine.setEnabledProtocols(protocols.toArray(new String[0]));
-        sslEngine.setEnabledCipherSuites(sslEngine.getSupportedCipherSuites());
+        if (this.ciphers == null) {
+            sslEngine.setEnabledCipherSuites(sslEngine.getSupportedCipherSuites());
+        } else {
+            sslEngine.setEnabledCipherSuites(this.ciphers.toArray(new String[0]));
+        }
 
         if (this.mode == Mode.SERVER) {
             sslEngine.setNeedClientAuth(this.needClientAuth);
@@ -210,7 +210,7 @@ public static KeyStoreSSLContext createClientKeyStoreSslContext(String sslProvid
                                                             String trustStorePassword,
                                                             Set<String> ciphers,
                                                             Set<String> protocols)
-            throws GeneralSecurityException, SSLException, FileNotFoundException, IOException {
+            throws GeneralSecurityException, IOException {
         KeyStoreSSLContext keyStoreSSLContext = new KeyStoreSSLContext(Mode.CLIENT,
                 sslProviderString,
                 keyStoreTypeString,
@@ -240,7 +240,7 @@ public static KeyStoreSSLContext createServerKeyStoreSslContext(String sslProvid
                                                     boolean requireTrustedClientCertOnConnect,
                                                     Set<String> ciphers,
                                                     Set<String> protocols)
-            throws GeneralSecurityException, SSLException, FileNotFoundException, IOException {
+            throws GeneralSecurityException, IOException {
         KeyStoreSSLContext keyStoreSSLContext = new KeyStoreSSLContext(Mode.SERVER,
                 sslProviderString,
                 keyStoreTypeString,
@@ -268,7 +268,7 @@ public static SSLContext createServerSslContext(String sslProviderString,
                                                     String trustStorePath,
                                                     String trustStorePassword,
                                                     boolean requireTrustedClientCertOnConnect)
-            throws GeneralSecurityException, SSLException, FileNotFoundException, IOException {
+            throws GeneralSecurityException, IOException {
 
         return createServerKeyStoreSslContext(
                 sslProviderString,
@@ -295,7 +295,7 @@ public static SSLContext createClientSslContext(String sslProviderString,
                                                     String trustStorePassword,
                                                     Set<String> ciphers,
                                                     Set<String> protocol)
-            throws GeneralSecurityException, SSLException, FileNotFoundException, IOException {
+            throws GeneralSecurityException, IOException {
         KeyStoreSSLContext keyStoreSSLContext = new KeyStoreSSLContext(Mode.CLIENT,
                 sslProviderString,
                 keyStoreTypeString,
@@ -319,7 +319,7 @@ public static SSLContext createClientSslContext(String keyStoreTypeString,
                                                     String trustStoreTypeString,
                                                     String trustStorePath,
                                                     String trustStorePassword)
-            throws GeneralSecurityException, SSLException, FileNotFoundException, IOException {
+            throws GeneralSecurityException, IOException {
         KeyStoreSSLContext keyStoreSSLContext = new KeyStoreSSLContext(Mode.CLIENT,
                 null,
                 keyStoreTypeString,
@@ -347,7 +347,7 @@ public static SslContextFactory createSslContextFactory(String sslProviderString
                                                             String trustStorePassword,
                                                             boolean requireTrustedClientCertOnConnect,
                                                             long certRefreshInSec)
-            throws GeneralSecurityException, SSLException, FileNotFoundException, IOException {
+            throws GeneralSecurityException, IOException {
         SslContextFactory sslCtxFactory;
 
         if (sslProviderString == null) {