From 4e2fd3730aecbf8fcaaa3da39ab06d5f5410a31f Mon Sep 17 00:00:00 2001
From: Sammi Chen
Date: Mon, 13 Mar 2023 17:37:33 +0800
Subject: [PATCH 1/4] HDDS-8151. Support fine grained lifetime for root CA certificate
---
 .../x509/certificate/authority/DefaultCAServer.java | 3 +--
 .../x509/certificate/authority/TestDefaultCAServer.java | 7 +++++++
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/DefaultCAServer.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/DefaultCAServer.java
index a07d86412a64..4b0595f8cab4 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/DefaultCAServer.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/DefaultCAServer.java
@@ -566,8 +566,7 @@ private void generateRootCertificate(
 SecurityConfig securityConfig, KeyPair key)
 throws IOException, SCMSecurityException {
 Preconditions.checkNotNull(this.config);
- LocalDateTime beginDate =
- LocalDateTime.of(LocalDate.now(), LocalTime.MIDNIGHT);
+ LocalDateTime beginDate = LocalDateTime.now();
 LocalDateTime endDate =
 beginDate.plus(securityConfig.getMaxCertificateDuration());
 SelfSignedCertificate.Builder builder = SelfSignedCertificate.newBuilder()
diff --git a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultCAServer.java b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultCAServer.java
index e74aa12e5cfc..22350a3269b7 100644
--- a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultCAServer.java
+++ b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultCAServer.java
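Review bot: `LocalDateTime beginDate = LocalDateTime.now();` pins the root certificate's notBefore to the exact generation instant with no tolerance, so any peer whose clock lags the CA host by even a few seconds will reject the freshly issued root as not yet valid until it catches up; the midnight rounding this line replaces gave an implicit backdate of up to a day, and that slack disappears with it. A small explicit backdate keeps the fine-grained start without the skew problem, e.g. `LocalDateTime beginDate = LocalDateTime.now().minusMinutes(5);` with the allowance lifted into a named (ideally configured) constant rather than a literal. `LocalDateTime.now()` also carries no zone; the later conversion to the certificate's `Date` presumably uses the system default zone (the test in PATCH 3/4 converts back with `ZoneId.systemDefault()`), which only stays consistent if both ends share that setting, so a one-line comment stating the zone assumption would help. generateRootCertificate begins before this hunk and its body continues past it.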
@@ -60,6 +60,7 @@ import java.security.cert.X509Certificate;
 import java.time.LocalDate;
 import java.time.LocalDateTime;
+import java.time.LocalTime;
 import java.time.ZoneId;
 import java.util.ArrayList;
 import java.util.Collections;
@@ -113,6 +114,12 @@ public void testInit() throws SCMSecurityException, CertificateException,
 testCA.init(securityConfig, CAType.ROOT);
 X509CertificateHolder second = testCA.getCACertificate();
 assertEquals(first, second);
+
+ // Start time doesn't round to MIDNIGHT.
+ LocalDateTime roundTime =
+ LocalDateTime.of(LocalDate.now(), LocalTime.MIDNIGHT);
+ assertTrue(!first.getNotBefore().equals(roundTime) ||
+ LocalDateTime.now().equals(roundTime));
 }
 @Test
From 5dcd23a65a79253de26756d9e80d7ba2b5bf1471 Mon Sep 17 00:00:00 2001
From: Sammi Chen
Date: Mon, 13 Mar 2023 20:39:51 +0800
Subject: [PATCH 2/4] remove unused imports
---
 .../security/x509/certificate/authority/DefaultCAServer.java | 2 --
 1 file changed, 2 deletions(-)
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/DefaultCAServer.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/DefaultCAServer.java
index 4b0595f8cab4..ddba9eb3165e 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/DefaultCAServer.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/DefaultCAServer.java
@@ -55,9 +55,7 @@ import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.security.spec.InvalidKeySpecException;
-import java.time.LocalDate;
 import java.time.LocalDateTime;
-import java.time.LocalTime;
 import java.time.ZoneId;
 import java.util.Date;
 import java.util.List;
From f55dfbeed73032a324b2c4406314708a577bdfea Mon Sep 17 00:00:00 2001
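Review bot: The added assertion in the `@@ -113,6 +114,12 @@` hunk can never fail: `first.getNotBefore()` returns a `java.util.Date` while `roundTime` is a `LocalDateTime`, so `equals` is always false and `!first.getNotBefore().equals(roundTime)` is always true regardless of what the CA produced. PATCH 3/4 in this series repairs the comparison by converting with `toInstant().atZone(ZoneId.systemDefault()).toLocalDateTime()`, so the check only starts exercising the change from that commit on. `first` and the start of `testInit` are outside this hunk.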
From: Sammi Chen
Date: Mon, 13 Mar 2023 22:16:12 +0800
Subject: [PATCH 3/4] solve findbugs issue
---
 .../x509/certificate/authority/TestDefaultCAServer.java | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultCAServer.java b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultCAServer.java
index 22350a3269b7..6b987eddea61 100644
--- a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultCAServer.java
+++ b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultCAServer.java
@@ -118,7 +118,9 @@ public void testInit() throws SCMSecurityException, CertificateException,
 // Start time doesn't round to MIDNIGHT.
 LocalDateTime roundTime =
 LocalDateTime.of(LocalDate.now(), LocalTime.MIDNIGHT);
- assertTrue(!first.getNotBefore().equals(roundTime) ||
+ LocalDateTime startTime = first.getNotBefore().toInstant()
+ .atZone(ZoneId.systemDefault()).toLocalDateTime();
+ assertTrue(!startTime.equals(roundTime) ||
 LocalDateTime.now().equals(roundTime));
 }
From d91c1c6f2a3e1d5aded2ca18c09b3f0218dda950 Mon Sep 17 00:00:00 2001
From: Sammi Chen
Date: Tue, 14 Mar 2023 11:15:04 +0800
Subject: [PATCH 4/4] remove unnecessary tests
---
 .../x509/certificate/authority/TestDefaultCAServer.java | 9 ---------
 1 file changed, 9 deletions(-)
diff --git a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultCAServer.java b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultCAServer.java
index 6b987eddea61..e74aa12e5cfc 100644
--- a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultCAServer.java
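Review bot: The escape clause `LocalDateTime.now().equals(roundTime)` is ineffective: `now()` carries sub-second precision and is practically never exactly midnight, whereas `startTime` comes from an X.509 validity time that has second granularity, so a run whose `init` lands in the first second after midnight yields `startTime == roundTime` and a spurious failure, while every other run only proves "not midnight" rather than that the start time tracks `now()`. A window assertion is both stronger and stable: record `LocalDateTime before = LocalDateTime.now().truncatedTo(ChronoUnit.SECONDS);` ahead of `testCA.init(...)` (with `java.time.temporal.ChronoUnit` imported) and replace the `assertTrue` with `assertFalse(startTime.isBefore(before) || startTime.isAfter(LocalDateTime.now()));`. PATCH 4/4 then deletes this check entirely, which leaves the new `now()`-based start time with no test at all; keeping the window form would cover it without the midnight race. `testInit` starts before this hunk.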
+++ b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultCAServer.java
@@ -60,7 +60,6 @@ import java.security.cert.X509Certificate;
 import java.time.LocalDate;
 import java.time.LocalDateTime;
-import java.time.LocalTime;
 import java.time.ZoneId;
 import java.util.ArrayList;
 import java.util.Collections;
@@ -114,14 +113,6 @@ public void testInit() throws SCMSecurityException, CertificateException,
 testCA.init(securityConfig, CAType.ROOT);
 X509CertificateHolder second = testCA.getCACertificate();
 assertEquals(first, second);
-
- // Start time doesn't round to MIDNIGHT.
- LocalDateTime roundTime =
- LocalDateTime.of(LocalDate.now(), LocalTime.MIDNIGHT);
- LocalDateTime startTime = first.getNotBefore().toInstant()
- .atZone(ZoneId.systemDefault()).toLocalDateTime();
- assertTrue(!startTime.equals(roundTime) ||
- LocalDateTime.now().equals(roundTime));
 }
 @Test