trinodb · ebyhr · Nov 14, 2023 · Nov 14, 2023
diff --git a/plugin/trino-hive/pom.xml b/plugin/trino-hive/pom.xml
@@ -111,11 +111,6 @@
             <artifactId>log</artifactId>
         </dependency>
 
-        <dependency>
-            <groupId>io.airlift</groupId>
-            <artifactId>security</artifactId>
-        </dependency>
-
         <dependency>
             <groupId>io.airlift</groupId>
             <artifactId>stats</artifactId>

diff --git a/.../main/java/io/trino/plugin/hive/metastore/thrift/DefaultThriftMetastoreClientFactory.java b/.../main/java/io/trino/plugin/hive/metastore/thrift/DefaultThriftMetastoreClientFactory.java
@@ -15,38 +15,22 @@
 
 import com.google.common.net.HostAndPort;
 import com.google.inject.Inject;
-import io.airlift.security.pem.PemReader;
 import io.airlift.units.Duration;
 import io.trino.plugin.hive.metastore.thrift.ThriftHiveMetastoreClient.TransportSupplier;
 import io.trino.spi.NodeManager;
 import org.apache.thrift.transport.TTransport;
 import org.apache.thrift.transport.TTransportException;
 
-import javax.net.ssl.KeyManager;
-import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.TrustManagerFactory;
-import javax.net.ssl.X509TrustManager;
-import javax.security.auth.x500.X500Principal;
 
 import java.io.File;
-import java.io.FileInputStream;
 import java.io.IOException;
-import java.io.InputStream;
 import java.security.GeneralSecurityException;
-import java.security.KeyStore;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateExpiredException;
-import java.security.cert.CertificateNotYetValidException;
-import java.security.cert.X509Certificate;
-import java.util.Arrays;
-import java.util.List;
 import java.util.Optional;
 import java.util.concurrent.atomic.AtomicInteger;
 
+import static io.trino.plugin.base.ssl.SslUtils.createSSLContext;
 import static java.lang.Math.toIntExact;
-import static java.util.Collections.list;
 import static java.util.Objects.requireNonNull;
 
 public class DefaultThriftMetastoreClientFactory
@@ -95,7 +79,7 @@ public DefaultThriftMetastoreClientFactory(
                         config.isTlsEnabled(),
                         Optional.ofNullable(config.getKeystorePath()),
                         Optional.ofNullable(config.getKeystorePassword()),
-                        config.getTruststorePath(),
+                        Optional.ofNullable(config.getTruststorePath()),
                         Optional.ofNullable(config.getTruststorePassword())),
                 Optional.ofNullable(config.getSocksProxy()),
                 config.getConnectTimeout(),
@@ -137,104 +121,18 @@ private static Optional<SSLContext> buildSslContext(
             boolean tlsEnabled,
             Optional<File> keyStorePath,
             Optional<String> keyStorePassword,
-            File trustStorePath,
+            Optional<File> trustStorePath,
             Optional<String> trustStorePassword)
     {
         if (!tlsEnabled) {
             return Optional.empty();
         }
 
         try {
-            // load KeyStore if configured and get KeyManagers
-            KeyManager[] keyManagers = null;
-            char[] keyManagerPassword = new char[0];
-            if (keyStorePath.isPresent()) {
-                KeyStore keyStore;
-                try {
-                    keyStore = PemReader.loadKeyStore(keyStorePath.get(), keyStorePath.get(), keyStorePassword);
-                }
-                catch (IOException | GeneralSecurityException e) {
-                    keyManagerPassword = keyStorePassword.map(String::toCharArray).orElse(null);
-                    keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
-                    try (InputStream in = new FileInputStream(keyStorePath.get())) {
-                        keyStore.load(in, keyManagerPassword);
-                    }
-                }
-                validateCertificates(keyStore);
-                KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
-                keyManagerFactory.init(keyStore, keyManagerPassword);
-                keyManagers = keyManagerFactory.getKeyManagers();
-            }
-
-            // load TrustStore
-            KeyStore trustStore = loadTrustStore(trustStorePath, trustStorePassword);
-
-            // create TrustManagerFactory
-            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
-            trustManagerFactory.init(trustStore);
-
-            // get X509TrustManager
-            TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
-            if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
-                throw new RuntimeException("Unexpected default trust managers:" + Arrays.toString(trustManagers));
-            }
-
-            // create SSLContext
-            SSLContext sslContext = SSLContext.getInstance("SSL");
-            sslContext.init(keyManagers, trustManagers, null);
-            return Optional.of(sslContext);
+            return Optional.of(createSSLContext(keyStorePath, keyStorePassword, trustStorePath, trustStorePassword));
         }
         catch (GeneralSecurityException | IOException e) {
             throw new RuntimeException(e);
         }
     }
-
-    private static KeyStore loadTrustStore(File trustStorePath, Optional<String> trustStorePassword)
-            throws IOException, GeneralSecurityException
-    {
-        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
-        try {
-            // attempt to read the trust store as a PEM file
-            List<X509Certificate> certificateChain = PemReader.readCertificateChain(trustStorePath);
-            if (!certificateChain.isEmpty()) {
-                trustStore.load(null, null);
-                for (X509Certificate certificate : certificateChain) {
-                    X500Principal principal = certificate.getSubjectX500Principal();
-                    trustStore.setCertificateEntry(principal.getName(), certificate);
-                }
-                return trustStore;
-            }
-        }
-        catch (IOException | GeneralSecurityException e) {
-        }
-
-        try (InputStream in = new FileInputStream(trustStorePath)) {
-            trustStore.load(in, trustStorePassword.map(String::toCharArray).orElse(null));
-        }
-        return trustStore;
-    }
-
-    private static void validateCertificates(KeyStore keyStore)
-            throws GeneralSecurityException
-    {
-        for (String alias : list(keyStore.aliases())) {
-            if (!keyStore.isKeyEntry(alias)) {
-                continue;
-            }
-            Certificate certificate = keyStore.getCertificate(alias);
-            if (!(certificate instanceof X509Certificate)) {
-                continue;
-            }
-
-            try {
-                ((X509Certificate) certificate).checkValidity();
-            }
-            catch (CertificateExpiredException e) {
-                throw new CertificateExpiredException("KeyStore certificate is expired: " + e.getMessage());
-            }
-            catch (CertificateNotYetValidException e) {
-                throw new CertificateNotYetValidException("KeyStore certificate is not yet valid: " + e.getMessage());
-            }
-        }
-    }
 }