All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.apache.hadoop.yarn.server.webproxy.ProxyCA Maven / Gradle / Ivy

The newest version!
/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.hadoop.yarn.server.webproxy;

import org.apache.hadoop.classification.VisibleForTesting;
import org.apache.commons.lang3.RandomStringUtils;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.yarn.api.records.ApplicationId;
import org.apache.hadoop.yarn.exceptions.YarnRuntimeException;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.util.PublicSuffixMatcherLoader;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.crypto.util.PrivateKeyFactory;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.bc.BcRSAContentSignerBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Calendar;
import java.util.Date;
import java.util.GregorianCalendar;
import java.util.Random;
import java.util.UUID;

/**
 * Allows for the generation and acceptance of specialized HTTPS Certificates to
 * be used for HTTPS communication between the AMs and the RM Proxy.
 */
@InterfaceAudience.Private
@InterfaceStability.Unstable
public class ProxyCA {
  private static final Logger LOG = LoggerFactory.getLogger(ProxyCA.class);

  private X509Certificate caCert;
  private KeyPair caKeyPair;
  private KeyStore childTrustStore;
  private final Random srand;
  private X509TrustManager defaultTrustManager;
  private X509KeyManager x509KeyManager;
  private HostnameVerifier hostnameVerifier;
  private static final AlgorithmIdentifier SIG_ALG_ID =
      new DefaultSignatureAlgorithmIdentifierFinder().find("SHA512WITHRSA");

  public ProxyCA() {
    srand = new SecureRandom();

    // This only has to be done once
    Security.addProvider(new BouncyCastleProvider());
  }

  public void init() throws GeneralSecurityException, IOException {
    createCACertAndKeyPair();
    initInternal();
  }

  public void init(X509Certificate caCert, PrivateKey caPrivateKey)
      throws GeneralSecurityException, IOException {
    if (caCert == null || caPrivateKey == null
        || !verifyCertAndKeys(caCert, caPrivateKey)) {
      LOG.warn("Could not verify Certificate, Public Key, and Private Key: " +
          "regenerating");
      createCACertAndKeyPair();
    } else {
      this.caCert = caCert;
      this.caKeyPair = new KeyPair(caCert.getPublicKey(), caPrivateKey);
    }
    initInternal();
  }

  private void initInternal() throws GeneralSecurityException, IOException {
    defaultTrustManager = null;
    TrustManagerFactory factory = TrustManagerFactory.getInstance(
        TrustManagerFactory.getDefaultAlgorithm());
    factory.init((KeyStore) null);
    for (TrustManager manager : factory.getTrustManagers()) {
      if (manager instanceof X509TrustManager) {
        defaultTrustManager = (X509TrustManager) manager;
        break;
      }
    }
    if (defaultTrustManager == null) {
      throw new YarnRuntimeException(
          "Could not find default X509 Trust Manager");
    }

    this.x509KeyManager = createKeyManager();
    this.hostnameVerifier = createHostnameVerifier();
    this.childTrustStore = createTrustStore("client", caCert);
  }

  private X509Certificate createCert(boolean isCa, String issuerStr,
      String subjectStr, Date from, Date to, PublicKey publicKey,
      PrivateKey privateKey) throws GeneralSecurityException, IOException {
    X500Name issuer = new X500Name(issuerStr);
    X500Name subject = new X500Name(subjectStr);
    SubjectPublicKeyInfo subPubKeyInfo =
        SubjectPublicKeyInfo.getInstance(publicKey.getEncoded());
    X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(
        issuer, new BigInteger(64, srand), from, to, subject, subPubKeyInfo);
    AlgorithmIdentifier digAlgId =
        new DefaultDigestAlgorithmIdentifierFinder().find(SIG_ALG_ID);
    ContentSigner contentSigner;
    try {
      contentSigner = new BcRSAContentSignerBuilder(SIG_ALG_ID, digAlgId)
          .build(PrivateKeyFactory.createKey(privateKey.getEncoded()));
    } catch (OperatorCreationException oce) {
      throw new GeneralSecurityException(oce);
    }
    if (isCa) {
      // BasicConstraints(0) indicates a CA and a path length of 0.  This is
      // important to indicate that child certificates can't issue additional
      // grandchild certificates
      certBuilder.addExtension(Extension.basicConstraints, true,
          new BasicConstraints(0));
    } else {
      // BasicConstraints(false) indicates this is not a CA
      certBuilder.addExtension(Extension.basicConstraints, true,
          new BasicConstraints(false));
      certBuilder.addExtension(Extension.authorityKeyIdentifier, false,
          new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(caCert));
    }
    X509CertificateHolder certHolder = certBuilder.build(contentSigner);
    X509Certificate cert = new JcaX509CertificateConverter().setProvider("BC")
        .getCertificate(certHolder);
    LOG.info("Created Certificate for {}", subject);
    return cert;
  }

  private void createCACertAndKeyPair()
      throws GeneralSecurityException, IOException {
    Date from = new Date();
    Date to = new GregorianCalendar(2037, Calendar.DECEMBER, 31).getTime();
    KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
    keyGen.initialize(2048);
    caKeyPair = keyGen.genKeyPair();
    String subject = "OU=YARN-" + UUID.randomUUID();
    caCert = createCert(true, subject, subject, from, to,
        caKeyPair.getPublic(), caKeyPair.getPrivate());
    LOG.debug("CA Certificate: \n{}", caCert);
  }

  public byte[] createChildKeyStore(ApplicationId appId, String ksPassword)
      throws Exception {
    // We don't check the expiration date, and this will provide further reason
    // for outside users to not accept these certificates
    Date from = new Date();
    Date to = from;
    KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
    keyGen.initialize(2048);
    KeyPair keyPair = keyGen.genKeyPair();
    String issuer = caCert.getSubjectX500Principal().getName();
    String subject = "CN=" + appId;
    X509Certificate cert = createCert(false, issuer, subject, from, to,
        keyPair.getPublic(), caKeyPair.getPrivate());
    if (LOG.isTraceEnabled()) {
      LOG.trace("Certificate for {}: \n{}", appId, cert);
    }

    KeyStore keyStore = createChildKeyStore(ksPassword, "server",
        keyPair.getPrivate(), cert);
    return keyStoreToBytes(keyStore, ksPassword);
  }

  public byte[] getChildTrustStore(String password)
      throws GeneralSecurityException, IOException {
    return keyStoreToBytes(childTrustStore, password);
  }

  private KeyStore createEmptyKeyStore()
      throws GeneralSecurityException, IOException {
    KeyStore ks = KeyStore.getInstance("JKS");
    ks.load(null, null); // initialize
    return ks;
  }

  private KeyStore createChildKeyStore(String password, String alias,
      Key privateKey, Certificate cert)
      throws GeneralSecurityException, IOException {
    KeyStore ks = createEmptyKeyStore();
    ks.setKeyEntry(alias, privateKey, password.toCharArray(),
        new Certificate[]{cert, caCert});
    return ks;
  }

  public String generateKeyStorePassword() {
    return RandomStringUtils.random(16, 0, 0, true, true, null, srand);
  }

  private byte[] keyStoreToBytes(KeyStore ks, String password)
      throws GeneralSecurityException, IOException {
    try (ByteArrayOutputStream out = new ByteArrayOutputStream()) {
      ks.store(out, password.toCharArray());
      return out.toByteArray();
    }
  }

  private KeyStore createTrustStore(String alias, Certificate cert)
      throws GeneralSecurityException, IOException {
    KeyStore ks = createEmptyKeyStore();
    ks.setCertificateEntry(alias, cert);
    return ks;
  }

  public SSLContext createSSLContext(ApplicationId appId)
      throws GeneralSecurityException {
    // We need the normal TrustManager, plus our custom one.  While the
    // SSLContext accepts an array of TrustManagers, the docs indicate that only
    // the first instance of any particular implementation type is used
    // (e.g. X509KeyManager) - this means that simply putting both TrustManagers
    // in won't work.  We need to have ours do both.
    TrustManager[] trustManagers = new TrustManager[] {
        createTrustManager(appId)};
    KeyManager[] keyManagers = new KeyManager[]{x509KeyManager};

    SSLContext sc = SSLContext.getInstance("SSL");
    sc.init(keyManagers, trustManagers, new SecureRandom());
    return sc;
  }

  @VisibleForTesting
  X509TrustManager createTrustManager(ApplicationId appId) {
    return new X509TrustManager() {
      @Override
      public java.security.cert.X509Certificate[] getAcceptedIssuers() {
        return defaultTrustManager.getAcceptedIssuers();
      }

      @Override
      public void checkClientTrusted(
          java.security.cert.X509Certificate[] certs, String authType) {
        // not used
      }

      @Override
      public void checkServerTrusted(
          java.security.cert.X509Certificate[] certs, String authType)
          throws CertificateException {
        // Our certs will always have 2 in the chain, with 0 being the app's
        // cert and 1 being the RM's cert
        boolean issuedByRM = false;
        if (certs.length == 2) {
          try {
            // We can verify both certs using the CA cert's public key - the
            // child cert's info is not needed
            certs[0].verify(caKeyPair.getPublic());
            certs[1].verify(caKeyPair.getPublic());
            issuedByRM = true;
          } catch (CertificateException | NoSuchAlgorithmException
              | InvalidKeyException | NoSuchProviderException
              | SignatureException e) {
            // Fall back to the default trust manager
            LOG.debug("Could not verify certificate with RM CA, falling " +
                "back to default", e);
            defaultTrustManager.checkServerTrusted(certs, authType);
          }
        } else {
          LOG.debug("Certificate not issued by RM CA, falling back to " +
              "default");
          defaultTrustManager.checkServerTrusted(certs, authType);
        }
        if (issuedByRM) {
          // Check that it has the correct App ID
          if (!certs[0].getSubjectX500Principal().getName()
              .equals("CN=" + appId)) {
            throw new CertificateException(
                "Expected to find Subject X500 Principal with CN="
                    + appId + " but found "
                    + certs[0].getSubjectX500Principal().getName());
          }
          LOG.debug("Verified certificate signed by RM CA");
        }
      }
    };
  }

  @VisibleForTesting
  X509KeyManager getX509KeyManager() {
    return x509KeyManager;
  }

  private X509KeyManager createKeyManager() {
    return new X509KeyManager() {
      @Override
      public String[] getClientAliases(String s, Principal[] principals) {
        return new String[]{"client"};
      }

      @Override
      public String chooseClientAlias(String[] strings,
          Principal[] principals, Socket socket) {
        return "client";
      }

      @Override
      public String[] getServerAliases(String s, Principal[] principals) {
        return null;
      }

      @Override
      public String chooseServerAlias(String s, Principal[] principals,
          Socket socket) {
        return null;
      }

      @Override
      public X509Certificate[] getCertificateChain(String s) {
        return new X509Certificate[]{caCert};
      }

      @Override
      public PrivateKey getPrivateKey(String s) {
        return caKeyPair.getPrivate();
      }
    };
  }

  public HostnameVerifier getHostnameVerifier() {
    return hostnameVerifier;
  }

  private HostnameVerifier createHostnameVerifier() {
    HostnameVerifier defaultHostnameVerifier =
        new DefaultHostnameVerifier(PublicSuffixMatcherLoader.getDefault());
    return new HostnameVerifier() {
      @Override
      public boolean verify(String host, SSLSession sslSession) {
        try {
          Certificate[] certs = sslSession.getPeerCertificates();
          if (certs.length == 2) {
            // Make sure this is one of our certs.  More thorough checking would
            // have already been done by the SSLContext
            certs[0].verify(caKeyPair.getPublic());
            LOG.debug("Verified certificate signed by RM CA, " +
                "skipping hostname verification");
            return true;
          }
        } catch (SSLPeerUnverifiedException e) {
          // No certificate
          return false;
        } catch (CertificateException | NoSuchAlgorithmException
            | InvalidKeyException | SignatureException
            | NoSuchProviderException e) {
          // fall back to normal verifier below
          LOG.debug("Could not verify certificate with RM CA, " +
              "falling back to default hostname verification", e);
        }
        return defaultHostnameVerifier.verify(host, sslSession);
      }
    };
  }

  @VisibleForTesting
  void setDefaultTrustManager(X509TrustManager trustManager) {
    this.defaultTrustManager = trustManager;
  }

  @VisibleForTesting
  public X509Certificate getCaCert() {
    return caCert;
  }

  @VisibleForTesting
  public KeyPair getCaKeyPair() {
    return caKeyPair;
  }

  private boolean verifyCertAndKeys(X509Certificate cert,
      PrivateKey privateKey) throws GeneralSecurityException {
    PublicKey publicKey = cert.getPublicKey();
    byte[] data = new byte[2000];
    srand.nextBytes(data);
    Signature signer = Signature.getInstance("SHA512withRSA");
    signer.initSign(privateKey);
    signer.update(data);
    byte[] sig = signer.sign();
    signer = Signature.getInstance("SHA512withRSA");
    signer.initVerify(publicKey);
    signer.update(data);
    return signer.verify(sig);
  }
}




© 2015 - 2025 Weber Informatics LLC | Privacy Policy