add a comment to warn that it is not secure #317

Open
wants to merge 5 commits into
base: trunk
Expand Up @@ -759,7 +759,84 @@ public SocketChannel newChannel(ChannelPipeline pipeline) {
}

/**
* Permissive trust manager accepting any certificate
* Permissive trust manager accepting any certificate,
* it is not secure
* new X509TrustManager() {
*
* @Override public void checkClientTrusted(
* X509Certificate[] chain,
* String authType)
* throws CertificateException {
* KeyStore ts = KeyStore.getInstance("JKS");
* // load your local cert path and specify your password
* ts.load(new FileInputStream(path), password);
* // choose the algrithm to match your cert
* TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
* tmf.init(ts);
* // refer to https://lightbend.github.io/ssl-config/WSQuickStart.html
* // for detailed steps
* TrustManager[] trustManagers = tmf.getTrustManagers();
* for (final X509TrustManager trustManager : trustManagers) {
* try {
* trustManager.checkClientTrusted(chain, authType);
* return;
* } catch (final CertificateException e) {
* //LOGGER.debug(e.getMessage(), e);
* }
* }
* throw new CertificateException(
* "None of the TrustManagers trust this certificate chain"
* );
* <p>
* }
* @Override public X509Certificate[] getAcceptedIssuers() {
* return new X509Certificate[0];
* }
* @Override public void checkServerTrusted(
* X509Certificate[] chain, String authType
* ) throws CertificateException{
* if (chain == null) {
* throw new IllegalArgumentException("
* checkServerTrusted:x509Certificate array is null
* ");
* }
* <p>
* if (!(chain.length > 0)) {
* throw new IllegalArgumentException(
* "checkServerTrusted: X509Certificate is empty"
* );
* }
* <p>
* if (!(null != authType && authType.equalsIgnoreCase("RSA"))) {
* throw new CertificateException("
* checkServerTrusted: AuthType is not RSA
* ");
* }
* <p>
* <p>
* try {
* // choose algorithm to match your code
* TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509");
* tmf.init((KeyStore) null);
* for (TrustManager trustManager : tmf.getTrustManagers()) {
* ((X509TrustManager) trustManager).checkServerTrusted(chain, authType);
* }
* } catch (Exception e) {
* throw new CertificateException(e);
* }
* <p>
* <p>
* RSAPublicKey pubkey = (RSAPublicKey) chain[0].getPublicKey();
* String encoded = new BigInteger(1 , pubkey.getEncoded()).toString(16);
* final boolean expected = PUB_KEY.equalsIgnoreCase(encoded);
* <p>
* if (!expected) {
* throw new CertificateException("checkServerTrusted: Expected public key: "
* + PUB_KEY + ", got public key:" + encoded);
* }
* }
* <p>
* };
*/
private static class PermissiveTrustManager implements X509TrustManager {
@Override
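Review bot: The warning added above `PermissiveTrustManager` says only "it is not secure" and then runs straight into roughly seventy lines of sample code without saying that the sample is a suggested alternative, so a reader learns neither what the risk is nor what the code under the warning is for. I would state the consequence in the first sentence, e.g. `Permissive trust manager that accepts any certificate: the peer is never authenticated, so the TLS connection can be intercepted on the network path.`, and introduce the sample with a line such as `A validating trust manager would look like this:`. The sample should also be wrapped in `<pre>{@code ... }</pre>`, because as written each `* @Override` line is likely to be parsed by Javadoc as a block tag and the scattered `<p>` lines end up inside the code. Two details of the sample are worth fixing before anyone copies it: `checkServerTrusted` rejects every `authType` other than "RSA", which as far as I can tell would fail handshakes where the JSSE passes a key-exchange name such as ECDHE_RSA, and the `for (final X509TrustManager trustManager : trustManagers)` loop iterates a `TrustManager[]` without the cast used further down. The class body lies outside the hunk, so whether its methods match the "accepting any certificate" description cannot be checked from here.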