From f1fec060a62c43ee8544e0730b453452cedcf32d Mon Sep 17 00:00:00 2001
From: Haitao Zhang <haitao@startree.ai>
Date: Mon, 22 Jan 2024 12:28:49 -0800
Subject: [PATCH] Support runtime reload for TLS resources (#12277)

* build swappable tls resource bundle when possible

* fix format

* remove the limitation that secrets are from files

* simplify logic
---
 pinot-common/pom.xml                          |   4 +
 .../apache/pinot/common/utils/TlsUtils.java   | 114 +++++++++-----
 .../common/utils/grpc/GrpcQueryClient.java    |  14 +-
 .../pinot/common/utils/TlsUtilsTest.java      | 143 ++++++++++++++++++
 .../src/test/resources/tls/keystore.p12       | Bin 0 -> 2581 bytes
 .../src/test/resources/tls/truststore.p12     | Bin 0 -> 1186 bytes
 .../core/transport/grpc/GrpcQueryServer.java  |   8 +-
 .../pinot/core/util/ListenerConfigUtil.java   |   2 +-
 pom.xml                                       |   7 +
 9 files changed, 242 insertions(+), 50 deletions(-)
 create mode 100644 pinot-common/src/test/java/org/apache/pinot/common/utils/TlsUtilsTest.java
 create mode 100644 pinot-common/src/test/resources/tls/keystore.p12
 create mode 100644 pinot-common/src/test/resources/tls/truststore.p12

diff --git a/pinot-common/pom.xml b/pinot-common/pom.xml
index 3fb09c734012..d5b3ee6a7e04 100644
--- a/pinot-common/pom.xml
+++ b/pinot-common/pom.xml
@@ -397,6 +397,10 @@
       <groupId>com.github.seancfoley</groupId>
       <artifactId>ipaddress</artifactId>
     </dependency>
+    <dependency>
+      <groupId>io.github.hakky54</groupId>
+      <artifactId>sslcontext-kickstart-for-netty</artifactId>
+    </dependency>
   </dependencies>
   <profiles>
     <profile>
diff --git a/pinot-common/src/main/java/org/apache/pinot/common/utils/TlsUtils.java b/pinot-common/src/main/java/org/apache/pinot/common/utils/TlsUtils.java
index 6504bdf5ce50..f883b88fcfa1 100644
--- a/pinot-common/src/main/java/org/apache/pinot/common/utils/TlsUtils.java
+++ b/pinot-common/src/main/java/org/apache/pinot/common/utils/TlsUtils.java
@@ -18,6 +18,7 @@
  */
 package org.apache.pinot.common.utils;
 
+import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Preconditions;
 import io.netty.handler.ssl.ClientAuth;
 import io.netty.handler.ssl.SslContext;
@@ -28,15 +29,15 @@
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.net.URL;
-import java.security.GeneralSecurityException;
 import java.security.KeyStore;
+import java.security.SecureRandom;
 import java.util.concurrent.atomic.AtomicReference;
 import javax.net.ssl.HttpsURLConnection;
-import javax.net.ssl.KeyManager;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
-import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
+import nl.altindag.ssl.SSLFactory;
+import nl.altindag.ssl.exception.GenericSSLContextException;
 import org.apache.commons.lang.StringUtils;
 import org.apache.http.ssl.SSLContexts;
 import org.apache.pinot.common.config.TlsConfig;
@@ -60,6 +61,10 @@ public final class TlsUtils {
   private static final String TRUSTSTORE_PASSWORD = "truststore.password";
   private static final String SSL_PROVIDER = "ssl.provider";
 
+  private static final String FILE_SCHEME = "file";
+  private static final String FILE_SCHEME_PREFIX = FILE_SCHEME + "://";
+  private static final String FILE_SCHEME_PREFIX_WITHOUT_SLASH = FILE_SCHEME + ":";
+
   private static final AtomicReference<SSLContext> SSL_CONTEXT_REF = new AtomicReference<>();
 
   private TlsUtils() {
@@ -136,7 +141,7 @@ public static KeyManagerFactory createKeyManagerFactory(String keyStorePath, Str
 
     try {
       KeyStore keyStore = KeyStore.getInstance(keyStoreType);
-      try (InputStream is = makeKeyStoreUrl(keyStorePath).openStream()) {
+      try (InputStream is = makeKeyOrTrustStoreUrl(keyStorePath).openStream()) {
         keyStore.load(is, keyStorePassword.toCharArray());
       }
 
@@ -176,7 +181,7 @@ public static TrustManagerFactory createTrustManagerFactory(String trustStorePat
 
     try {
       KeyStore keyStore = KeyStore.getInstance(trustStoreType);
-      try (InputStream is = makeKeyStoreUrl(trustStorePath).openStream()) {
+      try (InputStream is = makeKeyOrTrustStoreUrl(trustStorePath).openStream()) {
         keyStore.load(is, trustStorePassword.toCharArray());
       }
 
@@ -213,25 +218,14 @@ public static void installDefaultSSLSocketFactory(TlsConfig tlsConfig) {
    */
   public static void installDefaultSSLSocketFactory(String keyStoreType, String keyStorePath, String keyStorePassword,
       String trustStoreType, String trustStorePath, String trustStorePassword) {
-    KeyManager[] keyManagers = null;
-    if (keyStorePath != null) {
-      keyManagers = createKeyManagerFactory(keyStorePath, keyStorePassword, keyStoreType).getKeyManagers();
-    }
-
-    TrustManager[] trustManagers = null;
-    if (trustStorePath != null) {
-      trustManagers = createTrustManagerFactory(trustStorePath, trustStorePassword, trustStoreType).getTrustManagers();
-    }
-
     try {
-      SSLContext sc = SSLContext.getInstance("SSL");
-      sc.init(keyManagers, trustManagers, new java.security.SecureRandom());
-
+      SSLFactory sslFactory = createSSLFactory(keyStoreType, keyStorePath, keyStorePassword,
+          trustStoreType, trustStorePath, trustStorePassword,
+          "SSL", new java.security.SecureRandom());
       // HttpsURLConnection
-      HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
-
-      setSslContext(sc);
-    } catch (GeneralSecurityException e) {
+      HttpsURLConnection.setDefaultSSLSocketFactory(sslFactory.getSslSocketFactory());
+      setSslContext(sslFactory.getSslContext());
+    } catch (GenericSSLContextException e) {
       throw new IllegalStateException("Could not initialize SSL support", e);
     }
   }
@@ -240,14 +234,14 @@ private static String key(String namespace, String suffix) {
     return namespace + "." + suffix;
   }
 
-  public static URL makeKeyStoreUrl(String storePath)
+  public static URL makeKeyOrTrustStoreUrl(String storePath)
       throws URISyntaxException, MalformedURLException {
     URI inputUri = new URI(storePath);
     if (StringUtils.isBlank(inputUri.getScheme())) {
       if (storePath.startsWith("/")) {
-        return new URL("file://" + storePath);
+        return new URL(FILE_SCHEME_PREFIX + storePath);
       }
-      return new URL("file://./" + storePath);
+      return new URL(FILE_SCHEME_PREFIX + "./" + storePath);
     }
     return inputUri.toURL();
   }
@@ -293,14 +287,11 @@ private static final class SSLContextHolder {
    * @param tlsConfig TLS config
    */
   public static SslContext buildClientContext(TlsConfig tlsConfig) {
+    SSLFactory sslFactory = createSSLFactory(tlsConfig);
     SslContextBuilder sslContextBuilder =
         SslContextBuilder.forClient().sslProvider(SslProvider.valueOf(tlsConfig.getSslProvider()));
-    if (tlsConfig.getKeyStorePath() != null) {
-      sslContextBuilder.keyManager(createKeyManagerFactory(tlsConfig));
-    }
-    if (tlsConfig.getTrustStorePath() != null) {
-      sslContextBuilder.trustManager(createTrustManagerFactory(tlsConfig));
-    }
+    sslFactory.getKeyManagerFactory().ifPresent(sslContextBuilder::keyManager);
+    sslFactory.getTrustManagerFactory().ifPresent(sslContextBuilder::trustManager);
     try {
       return sslContextBuilder.build();
     } catch (Exception e) {
@@ -317,11 +308,10 @@ public static SslContext buildServerContext(TlsConfig tlsConfig) {
     if (tlsConfig.getKeyStorePath() == null) {
       throw new IllegalArgumentException("Must provide key store path for secured server");
     }
-    SslContextBuilder sslContextBuilder = SslContextBuilder.forServer(createKeyManagerFactory(tlsConfig))
+    SSLFactory sslFactory = createSSLFactory(tlsConfig);
+    SslContextBuilder sslContextBuilder = SslContextBuilder.forServer(sslFactory.getKeyManagerFactory().get())
         .sslProvider(SslProvider.valueOf(tlsConfig.getSslProvider()));
-    if (tlsConfig.getTrustStorePath() != null) {
-      sslContextBuilder.trustManager(createTrustManagerFactory(tlsConfig));
-    }
+    sslFactory.getTrustManagerFactory().ifPresent(sslContextBuilder::trustManager);
     if (tlsConfig.isClientAuthEnabled()) {
       sslContextBuilder.clientAuth(ClientAuth.REQUIRE);
     }
@@ -331,4 +321,58 @@ public static SslContext buildServerContext(TlsConfig tlsConfig) {
       throw new RuntimeException(e);
     }
   }
+
+  /**
+   * Create a {@link SSLFactory} instance with identity material and trust material swappable for a given TlsConfig
+   * @param tlsConfig {@link TlsConfig}
+   * @return a {@link SSLFactory} instance with identity material and trust material swappable
+   */
+  public static SSLFactory createSSLFactory(TlsConfig tlsConfig) {
+    return createSSLFactory(
+        tlsConfig.getKeyStoreType(), tlsConfig.getKeyStorePath(), tlsConfig.getKeyStorePassword(),
+        tlsConfig.getTrustStoreType(), tlsConfig.getTrustStorePath(), tlsConfig.getTrustStorePassword(),
+        null, null);
+  }
+
+  @VisibleForTesting
+  static SSLFactory createSSLFactory(
+      String keyStoreType, String keyStorePath, String keyStorePassword,
+      String trustStoreType, String trustStorePath, String trustStorePassword,
+      String sslContextProtocol, SecureRandom secureRandom) {
+    try {
+      SSLFactory.Builder sslFactoryBuilder = SSLFactory.builder();
+      InputStream keyStoreStream = null;
+      InputStream trustStoreStream = null;
+      if (keyStorePath != null) {
+        Preconditions.checkNotNull(keyStorePassword, "key store password must not be null");
+        keyStoreStream = makeKeyOrTrustStoreUrl(keyStorePath).openStream();
+        sslFactoryBuilder
+            .withSwappableIdentityMaterial()
+            .withIdentityMaterial(keyStoreStream, keyStorePassword.toCharArray(), keyStoreType);
+      }
+      if (trustStorePath != null) {
+        Preconditions.checkNotNull(trustStorePassword, "trust store password must not be null");
+        trustStoreStream = makeKeyOrTrustStoreUrl(trustStorePath).openStream();
+        sslFactoryBuilder
+            .withSwappableTrustMaterial()
+            .withTrustMaterial(trustStoreStream, trustStorePassword.toCharArray(), trustStoreType);
+      }
+      if (sslContextProtocol != null) {
+        sslFactoryBuilder.withSslContextAlgorithm(sslContextProtocol);
+      }
+      if (secureRandom != null) {
+        sslFactoryBuilder.withSecureRandom(secureRandom);
+      }
+      SSLFactory sslFactory = sslFactoryBuilder.build();
+      if (keyStoreStream != null) {
+        keyStoreStream.close();
+      }
+      if (trustStoreStream != null) {
+        trustStoreStream.close();
+      }
+      return sslFactory;
+    } catch (Exception e) {
+      throw new IllegalStateException(e);
+    }
+  }
 }
diff --git a/pinot-common/src/main/java/org/apache/pinot/common/utils/grpc/GrpcQueryClient.java b/pinot-common/src/main/java/org/apache/pinot/common/utils/grpc/GrpcQueryClient.java
index 88611f427d85..7194d454ca2a 100644
--- a/pinot-common/src/main/java/org/apache/pinot/common/utils/grpc/GrpcQueryClient.java
+++ b/pinot-common/src/main/java/org/apache/pinot/common/utils/grpc/GrpcQueryClient.java
@@ -27,9 +27,8 @@
 import java.util.Collections;
 import java.util.Iterator;
 import java.util.concurrent.TimeUnit;
-import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLException;
-import javax.net.ssl.TrustManagerFactory;
+import nl.altindag.ssl.SSLFactory;
 import org.apache.pinot.common.config.GrpcConfig;
 import org.apache.pinot.common.proto.PinotQueryServerGrpc;
 import org.apache.pinot.common.proto.Server;
@@ -56,15 +55,10 @@ public GrpcQueryClient(String host, int port, GrpcConfig config) {
               .usePlaintext().build();
     } else {
       try {
+        SSLFactory sslFactory = TlsUtils.createSSLFactory(config.getTlsConfig());
         SslContextBuilder sslContextBuilder = SslContextBuilder.forClient();
-        if (config.getTlsConfig().getKeyStorePath() != null) {
-          KeyManagerFactory keyManagerFactory = TlsUtils.createKeyManagerFactory(config.getTlsConfig());
-          sslContextBuilder.keyManager(keyManagerFactory);
-        }
-        if (config.getTlsConfig().getTrustStorePath() != null) {
-          TrustManagerFactory trustManagerFactory = TlsUtils.createTrustManagerFactory(config.getTlsConfig());
-          sslContextBuilder.trustManager(trustManagerFactory);
-        }
+        sslFactory.getKeyManagerFactory().ifPresent(sslContextBuilder::keyManager);
+        sslFactory.getTrustManagerFactory().ifPresent(sslContextBuilder::trustManager);
         if (config.getTlsConfig().getSslProvider() != null) {
           sslContextBuilder =
               GrpcSslContexts.configure(sslContextBuilder, SslProvider.valueOf(config.getTlsConfig().getSslProvider()));
diff --git a/pinot-common/src/test/java/org/apache/pinot/common/utils/TlsUtilsTest.java b/pinot-common/src/test/java/org/apache/pinot/common/utils/TlsUtilsTest.java
new file mode 100644
index 000000000000..b674af0debd2
--- /dev/null
+++ b/pinot-common/src/test/java/org/apache/pinot/common/utils/TlsUtilsTest.java
@@ -0,0 +1,143 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.pinot.common.utils;
+
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URISyntaxException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.nio.file.StandardCopyOption;
+import java.security.KeyManagementException;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+import java.security.cert.Certificate;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509KeyManager;
+import javax.net.ssl.X509TrustManager;
+import nl.altindag.ssl.SSLFactory;
+import org.apache.commons.io.FileUtils;
+import org.testng.annotations.AfterClass;
+import org.testng.annotations.BeforeClass;
+import org.testng.annotations.Test;
+
+import static org.testng.Assert.assertEquals;
+
+
+public class TlsUtilsTest {
+  private static final String TLS_RESOURCE_FOLDER = "tls/";
+  private static final String TLS_KEYSTORE_FILE = "keystore.p12";
+  private static final String TLS_TRUSTSTORE_FILE = "truststore.p12";
+  private static final String[] TLS_RESOURCE_FILES = {TLS_KEYSTORE_FILE, TLS_TRUSTSTORE_FILE};
+  private static final String PASSWORD = "changeit";
+  private static final String KEYSTORE_TYPE = "PKCS12";
+  private static final String TRUSTSTORE_TYPE = "PKCS12";
+  private static final String DEFAULT_TEST_TLS_DIR
+      = new File(FileUtils.getTempDirectoryPath(), "test-tls-dir" + System.currentTimeMillis()).getAbsolutePath();
+
+  @BeforeClass
+  public void setUp()
+      throws IOException, URISyntaxException {
+    copyResourceFilesToTempFolder();
+  }
+
+  private static void copyResourceFilesToTempFolder()
+      throws URISyntaxException, IOException {
+    // Create the destination folder if it doesn't exist
+    Files.createDirectories(Paths.get(DEFAULT_TEST_TLS_DIR));
+    for (String fileName : TLS_RESOURCE_FILES) {
+      // Use the class loader to get the InputStream of the resource file
+      try (InputStream resourceStream
+          = TlsUtilsTest.class.getClassLoader().getResourceAsStream(TLS_RESOURCE_FOLDER + fileName)) {
+        if (resourceStream == null) {
+          throw new IOException("Resource file not found: " + fileName);
+        }
+        // Specify the destination path
+        Path destinationPath = Paths.get(DEFAULT_TEST_TLS_DIR, fileName);
+        // Use Files.copy to copy the file to the destination folder
+        Files.copy(resourceStream, destinationPath, StandardCopyOption.REPLACE_EXISTING);
+      } catch (IOException e) {
+        e.printStackTrace(); // Handle the exception as needed
+      }
+    }
+  }
+
+  @AfterClass
+  public void tearDown() {
+    FileUtils.deleteQuietly(new File(DEFAULT_TEST_TLS_DIR));
+  }
+
+  @Test
+  public void swappableSSLFactoryHasSameAsStaticOnes()
+      throws NoSuchAlgorithmException, KeyManagementException, IOException, URISyntaxException {
+    SecureRandom secureRandom = new SecureRandom();
+    KeyManagerFactory keyManagerFactory =
+        TlsUtils.createKeyManagerFactory(DEFAULT_TEST_TLS_DIR + "/" + TLS_KEYSTORE_FILE, PASSWORD,
+            KEYSTORE_TYPE);
+    TrustManagerFactory trustManagerFactory =
+        TlsUtils.createTrustManagerFactory(DEFAULT_TEST_TLS_DIR + "/" + TLS_TRUSTSTORE_FILE, PASSWORD,
+            TRUSTSTORE_TYPE);
+    SSLContext sslContext = SSLContext.getInstance("TLS");
+    sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), secureRandom);
+    SSLFactory sslFactory =
+        TlsUtils.createSSLFactory(KEYSTORE_TYPE, DEFAULT_TEST_TLS_DIR + "/" + TLS_KEYSTORE_FILE, PASSWORD,
+            TRUSTSTORE_TYPE, DEFAULT_TEST_TLS_DIR + "/" + TLS_TRUSTSTORE_FILE, PASSWORD,
+            "TLS", secureRandom);
+    KeyManagerFactory swappableKeyManagerFactory = sslFactory.getKeyManagerFactory().get();
+    assertEquals(swappableKeyManagerFactory.getKeyManagers().length, keyManagerFactory.getKeyManagers().length);
+    assertEquals(swappableKeyManagerFactory.getKeyManagers().length, 1);
+    assertSSLKeyManagersEqual(swappableKeyManagerFactory.getKeyManagers()[0], keyManagerFactory.getKeyManagers()[0]);
+    TrustManagerFactory swappableTrustManagerFactory = sslFactory.getTrustManagerFactory().get();
+    assertEquals(swappableTrustManagerFactory.getTrustManagers().length,
+        trustManagerFactory.getTrustManagers().length);
+    assertEquals(swappableTrustManagerFactory.getTrustManagers().length, 1);
+    assertSSLTrustManagersEqual(swappableTrustManagerFactory.getTrustManagers()[0],
+        trustManagerFactory.getTrustManagers()[0]);
+    SSLContext swappableSSLContext = sslFactory.getSslContext();
+    assertEquals(swappableSSLContext.getProtocol(), sslContext.getProtocol());
+    assertEquals(swappableSSLContext.getProvider(), sslContext.getProvider());
+  }
+
+  private static void assertSSLKeyManagersEqual(KeyManager km1, KeyManager km2) {
+    X509KeyManager x509KeyManager1 = (X509KeyManager) km1;
+    X509KeyManager x509KeyManager2 = (X509KeyManager) km2;
+    assertEquals(x509KeyManager1.getPrivateKey("mykey"), x509KeyManager2.getPrivateKey("mykey"));
+
+    Certificate[] certs1 = x509KeyManager1.getCertificateChain("mykey");
+    Certificate[] certs2 = x509KeyManager2.getCertificateChain("mykey");
+    assertEquals(certs1.length, certs2.length);
+    assertEquals(certs1.length, 1);
+    assertEquals(certs1[0], certs2[0]);
+  }
+
+  private static void assertSSLTrustManagersEqual(TrustManager tm1, TrustManager tm2) {
+    X509TrustManager x509TrustManager1 = (X509TrustManager) tm1;
+    X509TrustManager x509TrustManager2 = (X509TrustManager) tm2;
+
+    assertEquals(x509TrustManager1.getAcceptedIssuers().length, x509TrustManager2.getAcceptedIssuers().length);
+    assertEquals(x509TrustManager1.getAcceptedIssuers().length, 1);
+    assertEquals(x509TrustManager1.getAcceptedIssuers()[0], x509TrustManager2.getAcceptedIssuers()[0]);
+  }
+}
diff --git a/pinot-common/src/test/resources/tls/keystore.p12 b/pinot-common/src/test/resources/tls/keystore.p12
new file mode 100644
index 0000000000000000000000000000000000000000..d2a87e5dc63933dbd313db40c87e38d9b8ec2f12
GIT binary patch
literal 2581
zcmY+EX*d*$8pmgqu`gp^!cf^~j1ebW7-=v__K1t@yJU}vQG~J^Q}zj25}hQnB{3p|
zkzFE^eHn!7-sj$Pp7Y^--sk!K|L^<pha@m@f`DKo0oKC+lOY-q_gH~vfCU8DTL=O6
z`V`k82~f9xL{Mu80ebxuo1Tsl1M~l`SeSsI0s`a^Nr3Djr5Tw1k58WqLEs{hIWGHQ
zF-wW$_;{Vo(Ohnrc@_u^=rDy4ARqT(BlyRBsQeUvR^;pf>$intXTxKs$vNdz=Xdso
zM2?8T)|3kr=KAytV}_`*aaG`_Jb=bHlVu%Gy93Tpg}$m#MrjQ0=q$?b-;!l7pE;Ky
zf08YDt?vMy<VWhHFD_qhZE%;uKHCZWY7vlh{(X&uQd(K3TJHAHLS^(U`E2xe+>Z`t
z)A?X5G>(p4nR#{lZRhtB?xD0M?S7W@jDGodV^M^6Qc}hlSG&z7#hgtOcA4?aO;Tb_
zIMKKO^y*pz4|CKJX`I>MQ>RiPeSf-lwxdm+v@E}=4y-s#JxcegB`Mn1<UI1!@$efk
z^%oEFdY?|oRx_3$axE!AU0#_V4wRt1AVlstj~c~wJyhUeeQEH6gS3qHQIaQ<&@wuA
z#p#o=U6@OWtdR=%NsAB|dh@6pzHXd4Ps~NhnIhO7(`jWQPlJ9{aF{tJf28Cz)eFdY
zMYBjVViJ@;qD!OIu8u@(l+GjUN`(@S8}GVwN7mEG<U8tE?eOrN=VEdIf#lkUy})au
zgx+(7bk2uJQN5(V+YBhFLNS(nd<&epALg^myZr`;fx)?qYTcaj@0(naTI97?i`T%5
z`FB0X;jU=hB}#k=gUk-3eI|5PhLh<xO3guEV|^Qo<1xt;T-`uMh+(vL^k}h?)z^2C
zRnh_j%%AWrvE0Z$i9g_E@ggMfN_*j2xs}*R&JFwUbjr!J1#{h1?`YM`*14?}u&Kew
z(ty>qMpkSO&SKcG%s=-FxN^hcC5~hHE_kS~A>?+moLc!0E3LvpMUSV5*p0*YS9z2J
z4@QQAc!kz5v;8V9lR+}2zjZ8}kKBcp_iTj2XQK6IjO8;uLa~zFMcvoxpNMPVIb4&`
z7~gZ8aZA<N*%oV`1k%Zj68U?2?Df&EkJT#@E@l-C7SP!BUClh>>Y|{H4Z$^}v?0ah
zab(Vz=ulHvWt35r%}SzXnsNV;#+<}<4yVo`f4$`d-L@HVG2=^ZB)irnFU?|i#P)E@
z#oMVL+&0+K?%MGt7V+g(SwyE=>$86ttjcuAAq8|a<F*x91}Z#%!<&La*}#Q}*@+_I
z7pmTUJ1^W!9+Ik!mH3KI%*?X(Y;@ZmPFZ-p#o(%g66oby({>H*9}9BD>D^P_wZS~Y
z<2P0zqFSPy@uNOwAK-_D%g?gfbFeIxLf+y{&Fa(I{=J$<PhkpE$-Wb-KP6R<og{at
zLKU@z8;|OCe?V)lhw|&a$)qVG=Jn{;-9Gzb3ar;coT(a<?LNB(?`sI7@}U6%)GEC<
zN#_+l#wx9xDWb+Vx~DrWcd@^2>!r|YceA7tSPD8DJB!%TCC;H}I{>)!q6F)bE+u>M
zGZ#xjAOB_60$zDnohPPmZuo`l-6={@0Zz#J1~4xSR(>7^(b!CWXE`uornld_x%b4q
zf~n8TwzNFnMcvbh(^t;_*&Q@~Poetm0y^uMb$vP23SZs&{bt<gdNEqB&&0<sU`QYL
zsJ{q1yom<sX#pt3jP|NG%&K?6IVLo--?+05Nv{Be#B1$V`%$w-o-!?dz#-e}n}+yC
z|5CFXw&Ay=h24JFk(a9D@@5KNeYbO`^=rfRyU<xuQ(|toUq@djujfgyQQIjfO{BnI
zs)WH&ETT*RA3zwu3*ZU}LyG?$@u1)kuInB?u41T*NDLCCrh-<zh(w>NQ}3_R8HQ7v
zVonhX1O%KenZFa@Km5w@AHQDKWW@R056!I|054ZOjop=B|APFlUt<X1^#d8XvJzQA
z+qqno3}Y~Y*~U=eU|0E54aZhng``2VY2V_gZi`Xj#?Wx0`h`6w5t?S0vF*Odg^=Wk
z!@bLYXrtv-*V63laQBAFSN3n6=}!+DL@PdikeTT1LzJ{RiJrK}+vA(K#i_|(%2?<i
z?dNE@DJ(tV>BbSL#}fv!7^gp?mTNp0Dc#|02j5?{wYFJ)M{0MgkqFKj(d+u=iXV+1
zTo3e(ShqbNla+0d&%Zy2=<#1q+(&L+#Wuj^__=kh*!hm#elZ#VoTyZZG4qY3M_3Ba
z_N}A}lKz@Eqdt=OZr?DFk|vyOFWpKm4wQ_tfT*a9AXNqUO*gQ@oa!<Ex>u51^}1NR
zJ0}i!N$V222lO)>vpIrTxtbUf$VGoMhSIRp@$nB)yDv08=U<tiE2?1iQh93R=}feU
zi_q~UVIn}0x7)hAk4$BH;p#yTC2Ao%e4BqcvdhD-G{(jRhxtZ`q%eG!!qCLFBaqIF
z;dE=hohRTcua%=;*gHF|vVsF!Rll+=K5&$d(-tPbD2mx|xRv<06k#IBvpiLRrOHd4
z(9u$5mJB*ohw&^!b&FX7)R$Z|m$rW$cnb#tAn(gsOtpd6zFlP7yEFF_;HVzswRj@=
zw#<AbV=HUI=Kei*b0@`+F%oY8%Ebn1Tq5{-IOUVXj0$UMa<B_mi{NXGgtdmVRR9VC
z?Y{rH)p+yI-3qJ)ov1c#qB3vkFS43I6%+6VMfyQu5@(?|2~RE!87-86pGvpS-Bq>F
zddOk(EI0e(pJhwMqOW7ywHFz6b#nthaJjE4J**7q?bVSB|4B++Zapi*^k`#2USWJA
z^s-}8-|UW=eN{f%54j*_bAMIAHkg%<E9@Kt23s*|UoHnELt_D$zGtf><1eZLcjAT1
zGO8*(+FzzLEpwlb5rn7k9O1ilC%$xVH@QVv3v?8lt2z<YlJ}}M;kv$FPA0YSNy;ql
zzmg^A4fFFki5cJ@eWSDEit8k9zgg^aB0IiLlNX%wF;81C?}9(~pG%T4w~m!O+T{Ld
zc+(6ja%8a0TLWl@90<lmYJHol4RJSw4_2R~q>G)u5j%eXh^s)H@x6sA(Vmk^WLuk&
zc}Lb>Q<$A(9}_))1wTEd@N2r<WcQolK)<_uvvRuS@3Py!eepisJ%I|B;m|g$xO*i8
zd*&5)Cd`^liEr!02ie;i%X%*VeCa_%*yk*CF+88o5q}VjRlG2U)ZbQV^|7a}t;C9j
z43^M4eZ9SS)%t`ZK_ttbuJy^2-UzR+3T7p%nX1#q?7QX(^`+nV-VnFwXQ@61w4sZL
zx3zWfE{W<{J@KHR9Hb^v90_B9%Cdn$f=~bi?gYso^Ec8^T~s+rl#)^+Mx*Q(1a99s
bNtMBqYUYi6)%_NY9vCz=v4g-sV!^)wM$EP_

literal 0
HcmV?d00001

diff --git a/pinot-common/src/test/resources/tls/truststore.p12 b/pinot-common/src/test/resources/tls/truststore.p12
new file mode 100644
index 0000000000000000000000000000000000000000..98c97bb079533e0737018c78fb64f099fc344988
GIT binary patch
literal 1186
zcmV;T1YP?uf&`ud0Ru3C1Xl(LDuzgg_YDCD0ic2eNCbieL@<H`Krn&?JO&9WhDe6@
z4FLxRpn?P~FoFar0s#Opf&?N42`Yw2hW8Bt2LUiC1_~;MNQU<f0So~KFdGCEv&y;4
z(PE}sRtJPwXf*`&)l*%!0s{cUP=JC1=)-i^j@u$3uZ;U)3%qj{+tg~ba!US;s0*DP
zj`{dhs{>#z)=k>=uOjGWdI8N2C@Oi!Fzy2~B0t2D{-AeHs(4U0N7irQM#WNWsd&13
z4hZRfH)6+hd@2vR+dC}o8-V^4p^?;ky7N04gA^aLcp(|O#Xds{uPc;@R|npUTgW{p
z4O5xy+(H;{vno8ERm@IM07rNdL>|V%CHzFF@Vyb|K466~;^DD?)?)roo|0?}?}=X>
zsU`HRfrm_^4N6Hbdxh#KyET}Ez2_Z>Ee)rLK|}1MC@Y)~&d|)*fd`BcPAbv|gr#?g
zDoL-KfJglC0~eE*zGnji#@+bEIaS`^%+TerB>FI2fW%Bi+AW3nvP~_0ZdDVBr$y|u
zn?ul%;2pI4^4w7~#_woz^7duuX`raj)w-?I6x-;b6I$p^uZgj_Cfro{RWGbLg|yry
z1>xwG8<xzQzy?%Qv-EDd<VlE3I}<4Pfe&BSj>?Y8cQn~1r4kV8*mm;(3ISJ*7*-Vi
zY5M~y;9sC;s=~s?O)<Xscirjhc~Zs~pOxkQw({yfNb4mJw|%g3Zo!)W9)iLk(7xs@
z9(_%H@AgO>9h|j+Aan-*X<PQCk`s(=azif!vs@4y&$CS?^g+hbKq#&o@&@5u@-0YY
zHIU7O0*a0LZw^4%@&b?E8DIPb0t#0>F&*g;Q!&6KP6csEY5e!ZG1kBFnsH)0+dKvA
z)=~ZV_Z;vmv|SH8jJ$sS5S7hO7Nl@~%)th^*2KVmqH5+&Kg$!Oh$O099Rx$-l-r=j
z&e;pK5-$gaR`=huxI~5v@Wa%sK@&Ua1=q);l8y4s+;oaY13_If5t74VXwP810HrZ&
z+vEb=)2?H7hOyRfB}rYykv-SYnGuG<v@Ugv2Iw8er7;@sZM)d^J8&B&z<82B=EIKM
zY0wA?xUN@QDYn6H9pzQ*uz@DzYE14=ChXzSz{zB}4C<@#NpOS*gb8}~7X2<tFWtk*
zYD|BvP^nB)_x&M@5j0!uQceQ{BnpwBiOGTlO)74+cPxiX4AeO*jL+)G=)WuUCvcb;
zGa~WTj+YI2M-Mx`?L2PMJ%6<3$G9LxPm209cy1qW<SNz#WoE70SBw1VOo5`bpSJTY
z3?8&Ny>Gn*Q{@xrDSqk*(w1aj)wOxY6A}k@NwIbyb$O+u*YzT5_mfp4#(|$th1P`M
zez6xE&{3&f$mH5jL)k8be-5F96JF22ann7$rL{1aow$1(9>;1U!i8F!IvO&`UnmFs
zISHx>BjnzpCcDt*@!%5s-&00er=M%QdAwDE5}$<5;b=Ambud0KAutIB1uG5%0vZJX
z1QaxAab<)mlM+2*ejcBbt>PJeKUV}4sOtp77rkN6Z*g{c6T)k3%R<_H0s{etppuO$
AbN~PV

literal 0
HcmV?d00001

diff --git a/pinot-core/src/main/java/org/apache/pinot/core/transport/grpc/GrpcQueryServer.java b/pinot-core/src/main/java/org/apache/pinot/core/transport/grpc/GrpcQueryServer.java
index b238d7de0c4a..7ac88bb6ba94 100644
--- a/pinot-core/src/main/java/org/apache/pinot/core/transport/grpc/GrpcQueryServer.java
+++ b/pinot-core/src/main/java/org/apache/pinot/core/transport/grpc/GrpcQueryServer.java
@@ -31,6 +31,7 @@
 import java.io.IOException;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
+import nl.altindag.ssl.SSLFactory;
 import org.apache.pinot.common.config.GrpcConfig;
 import org.apache.pinot.common.config.TlsConfig;
 import org.apache.pinot.common.datatable.DataTable;
@@ -89,11 +90,10 @@ private SslContext buildGRpcSslContext(TlsConfig tlsConfig)
     if (tlsConfig.getKeyStorePath() == null) {
       throw new IllegalArgumentException("Must provide key store path for secured gRpc server");
     }
-    SslContextBuilder sslContextBuilder = SslContextBuilder.forServer(TlsUtils.createKeyManagerFactory(tlsConfig))
+    SSLFactory sslFactory = TlsUtils.createSSLFactory(tlsConfig);
+    SslContextBuilder sslContextBuilder = SslContextBuilder.forServer(sslFactory.getKeyManagerFactory().get())
         .sslProvider(SslProvider.valueOf(tlsConfig.getSslProvider()));
-    if (tlsConfig.getTrustStorePath() != null) {
-      sslContextBuilder.trustManager(TlsUtils.createTrustManagerFactory(tlsConfig));
-    }
+    sslFactory.getTrustManagerFactory().ifPresent(sslContextBuilder::trustManager);
     if (tlsConfig.isClientAuthEnabled()) {
       sslContextBuilder.clientAuth(ClientAuth.REQUIRE);
     }
diff --git a/pinot-core/src/main/java/org/apache/pinot/core/util/ListenerConfigUtil.java b/pinot-core/src/main/java/org/apache/pinot/core/util/ListenerConfigUtil.java
index 93b729845a71..a75f62060048 100644
--- a/pinot-core/src/main/java/org/apache/pinot/core/util/ListenerConfigUtil.java
+++ b/pinot-core/src/main/java/org/apache/pinot/core/util/ListenerConfigUtil.java
@@ -304,7 +304,7 @@ public static String toString(Collection<? extends ListenerConfig> listenerConfi
 
   private static File cacheInTempFile(String sourceUrl) {
     try {
-      URL url = TlsUtils.makeKeyStoreUrl(sourceUrl);
+      URL url = TlsUtils.makeKeyOrTrustStoreUrl(sourceUrl);
       if ("file".equals(url.getProtocol())) {
         return new File(url.getPath());
       }
diff --git a/pom.xml b/pom.xml
index bcee2e06afc0..99fd00dd94c3 100644
--- a/pom.xml
+++ b/pom.xml
@@ -163,6 +163,7 @@
     <joda-time.version>2.12.5</joda-time.version>
     <testng.version>7.8.0</testng.version>
     <woodstox.version>6.4.0</woodstox.version>
+    <sslcontext.kickstart.version>8.2.0</sslcontext.kickstart.version>
 
     <!-- Sets the VM argument line used when unit tests are run. -->
     <argLine>-Xms4g -Xmx4g</argLine>
@@ -1414,6 +1415,12 @@
       </dependency>
       <!-- Lucene dependencies end -->
 
+      <dependency>
+        <groupId>io.github.hakky54</groupId>
+        <artifactId>sslcontext-kickstart-for-netty</artifactId>
+        <version>${sslcontext.kickstart.version}</version>
+      </dependency>
+
     </dependencies>
   </dependencyManagement>
   <build>