Java Code Examples for org.apache.hadoop.security.ssl.KeyStoreTestUtil#generateCertificate()

@Before
public void setUp() throws Exception {
  OzoneConfiguration conf = new OzoneConfiguration();
  conf.set(HddsConfigKeys.OZONE_METADATA_DIRS, BASEDIR);
  conf.setBoolean(HddsConfigKeys.HDDS_BLOCK_TOKEN_ENABLED, true);
  // Create Ozone Master key pair.
  keyPair = KeyStoreTestUtil.generateKeyPair("RSA");
  expiryTime = Time.monotonicNow() + 60 * 60 * 24;
  // Create Ozone Master certificate (SCM CA issued cert) and key store.
  SecurityConfig securityConfig = new SecurityConfig(conf);
  x509Certificate = KeyStoreTestUtil
      .generateCertificate("CN=OzoneMaster", keyPair, 30, "SHA256withRSA");
  omCertSerialId = x509Certificate.getSerialNumber().toString();
  secretManager = new OzoneBlockTokenSecretManager(securityConfig,
      expiryTime, omCertSerialId);
  client = getCertificateClient(securityConfig);
  client.init();
  secretManager.start(client);
  tokenVerifier = new BlockTokenVerifier(securityConfig, client);

}
 

@BeforeClass
public static void setUp() throws Exception {
  testDir = GenericTestUtils.getRandomizedTestDir();
  conf = new OzoneConfiguration();
  conf.set(HddsConfigKeys.OZONE_METADATA_DIRS, testDir.getPath());
  //conf.set(ScmConfigKeys.OZONE_SCM_NAMES, "localhost");
  String volumeDir = testDir + "/disk1";
  conf.set(DFSConfigKeysLegacy.DFS_DATANODE_DATA_DIR_KEY, volumeDir);

  conf.setBoolean(OZONE_SECURITY_ENABLED_KEY, true);
  conf.setClass(OzoneConfigKeys.HDDS_DATANODE_PLUGINS_KEY,
      TestHddsDatanodeService.MockService.class,
      ServicePlugin.class);
  securityConfig = new SecurityConfig(conf);

  service = HddsDatanodeService.createHddsDatanodeService(args);
  dnLogs = GenericTestUtils.LogCapturer.captureLogs(getLogger());
  callQuietly(() -> {
    service.start(conf);
    return null;
  });
  callQuietly(() -> {
    service.initializeCertificateClient(conf);
    return null;
  });
  certCodec = new CertificateCodec(securityConfig, DN_COMPONENT);
  keyCodec = new KeyCodec(securityConfig, DN_COMPONENT);
  dnLogs.clearOutput();
  privateKey = service.getCertificateClient().getPrivateKey();
  publicKey = service.getCertificateClient().getPublicKey();
  X509Certificate x509Certificate = null;

  x509Certificate = KeyStoreTestUtil.generateCertificate(
      "CN=Test", new KeyPair(publicKey, privateKey), 10,
      securityConfig.getSignatureAlgo());
  certHolder = new X509CertificateHolder(x509Certificate.getEncoded());

}
 

private X509Certificate generateX509Cert(KeyPair keyPair) throws Exception {
  if (keyPair == null) {
    keyPair = generateKeyPairFiles();
  }
  return KeyStoreTestUtil.generateCertificate("CN=Test", keyPair, 30,
      omSecurityConfig.getSignatureAlgo());
}
 

@BeforeClass
public static void setUp() throws Exception {
  File base = new File(BASEDIR);
  FileUtil.fullyDelete(base);
  base.mkdirs();
  expiryTime = Time.monotonicNow() + 60 * 60 * 24;

  // Create Ozone Master key pair.
  keyPair = KeyStoreTestUtil.generateKeyPair("RSA");
  // Create Ozone Master certificate (SCM CA issued cert) and key store.
  cert = KeyStoreTestUtil
      .generateCertificate("CN=OzoneMaster", keyPair, 30, "SHA256withRSA");
}
 

@Test
public void testAsymmetricTokenPerf() throws NoSuchAlgorithmException,
    CertificateEncodingException, NoSuchProviderException,
    InvalidKeyException, SignatureException {
  final int testTokenCount = 1000;
  List<OzoneBlockTokenIdentifier> tokenIds = new ArrayList<>();
  List<byte[]> tokenPasswordAsym = new ArrayList<>();
  for (int i = 0; i < testTokenCount; i++) {
    tokenIds.add(generateTestToken());
  }

  KeyPair kp = KeyStoreTestUtil.generateKeyPair("RSA");

  // Create Ozone Master certificate (SCM CA issued cert) and key store
  X509Certificate certificate;
  certificate = KeyStoreTestUtil.generateCertificate("CN=OzoneMaster",
      kp, 30, "SHA256withRSA");

  long startTime = Time.monotonicNowNanos();
  for (int i = 0; i < testTokenCount; i++) {
    tokenPasswordAsym.add(
        signTokenAsymmetric(tokenIds.get(i), kp.getPrivate()));
  }
  long duration = Time.monotonicNowNanos() - startTime;
  LOG.info("Average token sign time with HmacSha256(RSA/1024 key) is {} ns",
      duration / testTokenCount);

  startTime = Time.monotonicNowNanos();
  for (int i = 0; i < testTokenCount; i++) {
    verifyTokenAsymmetric(tokenIds.get(i), tokenPasswordAsym.get(i),
        certificate);
  }
  duration = Time.monotonicNowNanos() - startTime;
  LOG.info("Average token verify time with HmacSha256(RSA/1024 key) "
      + "is {} ns", duration / testTokenCount);
}
 

@Test
public void testAsymmetricTokenPerf() throws NoSuchAlgorithmException,
    CertificateEncodingException, NoSuchProviderException,
    InvalidKeyException, SignatureException {
  final int testTokenCount = 1000;
  List<OzoneTokenIdentifier> tokenIds = new ArrayList<>();
  List<byte[]> tokenPasswordAsym = new ArrayList<>();
  for (int i = 0; i < testTokenCount; i++) {
    tokenIds.add(generateTestToken());
  }

  KeyPair keyPair = KeyStoreTestUtil.generateKeyPair("RSA");

  // Create Ozone Master certificate (SCM CA issued cert) and key store
  X509Certificate cert;
  cert = KeyStoreTestUtil.generateCertificate("CN=OzoneMaster",
      keyPair, 30, "SHA256withRSA");

  long startTime = Time.monotonicNowNanos();
  for (int i = 0; i < testTokenCount; i++) {
    tokenPasswordAsym.add(
        signTokenAsymmetric(tokenIds.get(i), keyPair.getPrivate()));
  }
  long duration = Time.monotonicNowNanos() - startTime;
  LOG.info("Average token sign time with HmacSha256(RSA/1024 key) is {} ns",
      duration/testTokenCount);

  startTime = Time.monotonicNowNanos();
  for (int i = 0; i < testTokenCount; i++) {
    verifyTokenAsymmetric(tokenIds.get(i), tokenPasswordAsym.get(i), cert);
  }
  duration = Time.monotonicNowNanos() - startTime;
  LOG.info("Average token verify time with HmacSha256(RSA/1024 key) "
      + "is {} ns", duration/testTokenCount);
}
 

/**
 * Helper function to create certificate client.
 * */
private CertificateClient setupCertificateClient() throws Exception {
  KeyPair keyPair = KeyStoreTestUtil.generateKeyPair("RSA");
  X509Certificate cert = KeyStoreTestUtil
      .generateCertificate("CN=OzoneMaster", keyPair, 30, "SHA256withRSA");

  return new OMCertificateClient(securityConfig) {
    @Override
    public X509Certificate getCertificate() {
      return cert;
    }

    @Override
    public PrivateKey getPrivateKey() {
      return keyPair.getPrivate();
    }

    @Override
    public PublicKey getPublicKey() {
      return keyPair.getPublic();
    }

    @Override
    public X509Certificate getCertificate(String serialId) {
      return cert;
    }
  };
}
 

@BeforeClass
public static void setUp() throws Exception {
  File base = new File(BASEDIR);
  FileUtil.fullyDelete(base);
  base.mkdirs();
  expiryTime = Time.monotonicNow() + 60 * 60 * 24;

  // Create Ozone Master key pair.
  keyPair = KeyStoreTestUtil.generateKeyPair("RSA");
  // Create Ozone Master certificate (SCM CA issued cert) and key store.
  cert = KeyStoreTestUtil
      .generateCertificate("CN=OzoneMaster", keyPair, 30, "SHA256withRSA");
}
 

@Test
public void testAsymmetricTokenPerf() throws NoSuchAlgorithmException,
    CertificateEncodingException, NoSuchProviderException,
    InvalidKeyException, SignatureException {
  final int testTokenCount = 1000;
  List<OzoneBlockTokenIdentifier> tokenIds = new ArrayList<>();
  List<byte[]> tokenPasswordAsym = new ArrayList<>();
  for (int i = 0; i < testTokenCount; i++) {
    tokenIds.add(generateTestToken());
  }

  KeyPair kp = KeyStoreTestUtil.generateKeyPair("RSA");

  // Create Ozone Master certificate (SCM CA issued cert) and key store
  X509Certificate omCert;
  omCert = KeyStoreTestUtil.generateCertificate("CN=OzoneMaster",
      kp, 30, "SHA256withRSA");

  long startTime = Time.monotonicNowNanos();
  for (int i = 0; i < testTokenCount; i++) {
    tokenPasswordAsym.add(
        signTokenAsymmetric(tokenIds.get(i), kp.getPrivate()));
  }
  long duration = Time.monotonicNowNanos() - startTime;
  LOG.info("Average token sign time with HmacSha256(RSA/1024 key) is {} ns",
      duration / testTokenCount);

  startTime = Time.monotonicNowNanos();
  for (int i = 0; i < testTokenCount; i++) {
    verifyTokenAsymmetric(tokenIds.get(i), tokenPasswordAsym.get(i), omCert);
  }
  duration = Time.monotonicNowNanos() - startTime;
  LOG.info("Average token verify time with HmacSha256(RSA/1024 key) "
      + "is {} ns", duration / testTokenCount);
}
 

private X509Certificate getX509Certificate() throws Exception {
  return KeyStoreTestUtil.generateCertificate(
      "CN=Test", keyPair, 10, securityConfig.getSignatureAlgo());
}
 

/**
 * Test failure cases for secure OM initialization.
 */
@Test
public void testSecureOmInitFailures() throws Exception {
  PrivateKey privateKey;
  PublicKey publicKey;
  LogCapturer omLogs =
      LogCapturer.captureLogs(OzoneManager.getLogger());
  OMStorage omStorage = new OMStorage(conf);
  omStorage.setClusterId(clusterId);
  omStorage.setScmId(scmId);
  omStorage.setOmId(omId);
  omLogs.clearOutput();

  // Case 1: When keypair as well as certificate is missing. Initial keypair
  // boot-up. Get certificate will fail when SCM is not running.
  SecurityConfig securityConfig = new SecurityConfig(conf);
  CertificateClient client = new OMCertificateClient(securityConfig,
      omStorage.getOmCertSerialId());
  Assert.assertEquals(CertificateClient.InitResponse.GETCERT, client.init());
  privateKey = client.getPrivateKey();
  publicKey = client.getPublicKey();
  Assert.assertNotNull(client.getPrivateKey());
  Assert.assertNotNull(client.getPublicKey());
  Assert.assertNull(client.getCertificate());

  // Case 2: If key pair already exist than response should be RECOVER.
  client = new OMCertificateClient(securityConfig,
      omStorage.getOmCertSerialId());
  Assert.assertEquals(CertificateClient.InitResponse.RECOVER, client.init());
  Assert.assertNotNull(client.getPrivateKey());
  Assert.assertNotNull(client.getPublicKey());
  Assert.assertNull(client.getCertificate());

  // Case 3: When public key as well as certificate is missing.
  client = new OMCertificateClient(securityConfig);
  FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation(COMPONENT)
      .toString(), securityConfig.getPublicKeyFileName()).toFile());
  Assert.assertEquals(CertificateClient.InitResponse.FAILURE, client.init());
  Assert.assertNotNull(client.getPrivateKey());
  Assert.assertNull(client.getPublicKey());
  Assert.assertNull(client.getCertificate());

  // Case 4: When private key and certificate is missing.
  client = new OMCertificateClient(securityConfig);
  KeyCodec keyCodec = new KeyCodec(securityConfig, COMPONENT);
  keyCodec.writePublicKey(publicKey);
  FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation(COMPONENT)
      .toString(), securityConfig.getPrivateKeyFileName()).toFile());
  Assert.assertEquals(CertificateClient.InitResponse.FAILURE, client.init());
  Assert.assertNull(client.getPrivateKey());
  Assert.assertNotNull(client.getPublicKey());
  Assert.assertNull(client.getCertificate());

  // Case 5: When only certificate is present.
  FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation(COMPONENT)
      .toString(), securityConfig.getPublicKeyFileName()).toFile());
  CertificateCodec certCodec =
      new CertificateCodec(securityConfig, COMPONENT);
  X509Certificate x509Certificate = KeyStoreTestUtil.generateCertificate(
      "CN=Test", new KeyPair(publicKey, privateKey), 10,
      securityConfig.getSignatureAlgo());
  certCodec.writeCertificate(new X509CertificateHolder(
      x509Certificate.getEncoded()));
  client = new OMCertificateClient(securityConfig,
      x509Certificate.getSerialNumber().toString());
  omStorage.setOmCertSerialId(x509Certificate.getSerialNumber().toString());
  Assert.assertEquals(CertificateClient.InitResponse.FAILURE, client.init());
  Assert.assertNull(client.getPrivateKey());
  Assert.assertNull(client.getPublicKey());
  Assert.assertNotNull(client.getCertificate());

  // Case 6: When private key and certificate is present.
  client = new OMCertificateClient(securityConfig,
      x509Certificate.getSerialNumber().toString());
  FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation(COMPONENT)
      .toString(), securityConfig.getPublicKeyFileName()).toFile());
  keyCodec.writePrivateKey(privateKey);
  Assert.assertEquals(CertificateClient.InitResponse.SUCCESS, client.init());
  Assert.assertNotNull(client.getPrivateKey());
  Assert.assertNotNull(client.getPublicKey());
  Assert.assertNotNull(client.getCertificate());

  // Case 7 When keypair and certificate is present.
  client = new OMCertificateClient(securityConfig,
      x509Certificate.getSerialNumber().toString());
  Assert.assertEquals(CertificateClient.InitResponse.SUCCESS, client.init());
  Assert.assertNotNull(client.getPrivateKey());
  Assert.assertNotNull(client.getPublicKey());
  Assert.assertNotNull(client.getCertificate());
}
 

@Test
public void testSignToken() throws GeneralSecurityException, IOException {
  String keystore = new File(KEYSTORES_DIR, "keystore.jks")
      .getAbsolutePath();
  String truststore = new File(KEYSTORES_DIR, "truststore.jks")
      .getAbsolutePath();
  String trustPassword = "trustPass";
  String keyStorePassword = "keyStorePass";
  String keyPassword = "keyPass";

  // Create Ozone Master key pair
  KeyPair keyPair = KeyStoreTestUtil.generateKeyPair("RSA");

  // Create Ozone Master certificate (SCM CA issued cert) and key store
  X509Certificate cert = KeyStoreTestUtil
      .generateCertificate("CN=OzoneMaster", keyPair, 30, "SHA256withRSA");
  KeyStoreTestUtil.createKeyStore(keystore, keyStorePassword, keyPassword,
      "OzoneMaster", keyPair.getPrivate(), cert);

  // Create trust store and put the certificate in the trust store
  Map<String, X509Certificate> certs = Collections.singletonMap("server",
      cert);
  KeyStoreTestUtil.createTrustStore(truststore, trustPassword, certs);

  // Sign the OzoneMaster Token with Ozone Master private key
  PrivateKey privateKey = keyPair.getPrivate();
  OzoneTokenIdentifier tokenId = new OzoneTokenIdentifier();
  tokenId.setOmCertSerialId("123");
  byte[] signedToken = signTokenAsymmetric(tokenId, privateKey);

  // Verify a valid signed OzoneMaster Token with Ozone Master
  // public key(certificate)
  boolean isValidToken = verifyTokenAsymmetric(tokenId, signedToken, cert);
  LOG.info("{} is {}", tokenId, isValidToken ? "valid." : "invalid.");

  // Verify an invalid signed OzoneMaster Token with Ozone Master
  // public key(certificate)
  tokenId = new OzoneTokenIdentifier(new Text("oozie"),
      new Text("rm"), new Text("client"));
  tokenId.setOmCertSerialId("123");
  LOG.info("Unsigned token {} is {}", tokenId,
      verifyTokenAsymmetric(tokenId, RandomUtils.nextBytes(128), cert));

}