From 9cc6f6e97d7a43f201cd7325d273f7e43dd0e965 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andor=20Moln=C3=A1r?= Date: Tue, 7 Oct 2025 07:38:42 -0500 Subject: [PATCH 1/2] ZOOKEEPER-4986: Disable reverse DNS lookup in TLS client and server Reviewers: kezhuw Author: anmolnar Closes #2325 from anmolnar/ZOOKEEPER-4986 --- .../main/resources/markdown/zookeeperAdmin.md | 10 ++ .../zookeeper/common/ClientX509Util.java | 9 +- .../zookeeper/common/QuorumX509Util.java | 4 + .../org/apache/zookeeper/common/X509Util.java | 17 +++- .../org/apache/zookeeper/common/ZKConfig.java | 1 + .../zookeeper/common/ZKTrustManager.java | 52 +++++++--- .../auth/X509AuthenticationProvider.java | 2 + .../apache/zookeeper/common/X509UtilTest.java | 11 ++ .../zookeeper/common/ZKTrustManagerTest.java | 96 ++++++++++++++---- .../server/quorum/QuorumSSLTest.java | 12 ++- .../src/test/resources/data/ssl/README.md | 15 +++ .../test/resources/data/ssl/testKeyStore.jks | Bin 2250 -> 2772 bytes .../resources/data/ssl/testTrustStore.jks | Bin 960 -> 1302 bytes 13 files changed, 188 insertions(+), 41 deletions(-) diff --git a/zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md b/zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md index 4e7d81888cc..c90de4f305d 100644 --- a/zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md +++ b/zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md 
@@ -1759,6 +1759,16 @@ and [SASL authentication for ZooKeeper](https://cwiki.apache.org/confluence/disp This option requires the corresponding *hostnameVerification* option to be `true`, or it will be ignored. Default: true for quorum, false for clients +* *ssl.allowReverseDnsLookup* and *ssl.quorum.allowReverseDnsLookup* : + (Java system properties: **zookeeper.ssl.allowReverseDnsLookup** and **zookeeper.ssl.quorum.allowReverseDnsLookup**) + **New in 3.9.5:** + Allow reverse DNS lookup in both server- and client hostname verifications if the hostname verification is enabled in + `ZKTrustManager`. Supported in both quorum and client TLS protocols. Not supported in FIPS mode. Reverse DNS lookups are + expensive and unnecessary in most cases. Make sure that certificates are created with all required Subject Alternative + Names (SAN) for successful identity verification. It's recommended to add SAN:IP entries for identity verification + of client certificates. + Default: false (for Client connections), true (for Quorum connections) + * *ssl.crl* and *ssl.quorum.crl* : (Java system properties: **zookeeper.ssl.crl** and **zookeeper.ssl.quorum.crl**) **New in 3.5.5:** diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/common/ClientX509Util.java b/zookeeper-server/src/main/java/org/apache/zookeeper/common/ClientX509Util.java index 178994545e7..f1d1b164bcf 100644 --- a/zookeeper-server/src/main/java/org/apache/zookeeper/common/ClientX509Util.java +++ b/zookeeper-server/src/main/java/org/apache/zookeeper/common/ClientX509Util.java @@ -52,6 +52,11 @@ protected boolean shouldVerifyClientHostname() { return false; } + @Override + protected boolean shouldAllowReverseDnsLookup() { + return false; + } + public String getSslAuthProviderProperty() { return sslAuthProviderProperty; } 
@@ -202,6 +207,7 @@ private TrustManager getTrustManager(ZKConfig config) throws X509Exception.Trust boolean sslOcspEnabled = config.getBoolean(getSslOcspEnabledProperty()); boolean sslServerHostnameVerificationEnabled = isServerHostnameVerificationEnabled(config); boolean sslClientHostnameVerificationEnabled = isClientHostnameVerificationEnabled(config); + boolean allowReverseDnsLookup = allowReverseDnsLookup(config); if (trustStoreLocation.isEmpty()) { LOG.warn("{} not specified", getSslTruststoreLocationProperty()); @@ -209,7 +215,8 @@ private TrustManager getTrustManager(ZKConfig config) throws X509Exception.Trust } else { return createTrustManager(trustStoreLocation, trustStorePassword, trustStoreType, sslCrlEnabled, sslOcspEnabled, sslServerHostnameVerificationEnabled, - sslClientHostnameVerificationEnabled, getFipsMode(config)); + sslClientHostnameVerificationEnabled, allowReverseDnsLookup, + getFipsMode(config)); } } } diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/common/QuorumX509Util.java b/zookeeper-server/src/main/java/org/apache/zookeeper/common/QuorumX509Util.java index af3ee1bdeab..b0d17309fed 100644 --- a/zookeeper-server/src/main/java/org/apache/zookeeper/common/QuorumX509Util.java +++ b/zookeeper-server/src/main/java/org/apache/zookeeper/common/QuorumX509Util.java @@ -33,4 +33,8 @@ protected boolean shouldVerifyClientHostname() { return true; } + @Override + protected boolean shouldAllowReverseDnsLookup() { + return true; + } } diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java b/zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java index 17818207e9e..4cc54d605a1 100644 --- a/zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java +++ b/zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java 
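Review bot: `ClientX509Util.shouldAllowReverseDnsLookup()` returning `false` is a silent behaviour change for existing clients: before this patch `performHostVerification` always fell back to `inetAddress.getHostName()`, so a client that enables hostname verification, connects by IP literal and verifies a certificate carrying only DNS SANs will start failing after upgrade. The trade-off is explained in the admin-doc hunk but not at the override, so a maintainer reading the code sees only an unexplained `false` here and an unexplained `true` in `QuorumX509Util`. I would add `// Client default: reverse lookups are expensive and a PTR-derived name is weak evidence; rely on SAN:IP entries (see ssl.allowReverseDnsLookup in zookeeperAdmin.md).` above the client override and a matching one-liner on the quorum override stating it keeps the pre-3.9.5 lookup behaviour for peers that connect by address. Both enclosing classes begin outside the hunks.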
@@ -198,6 +198,7 @@ public io.netty.handler.ssl.ClientAuth toNettyClientAuth() { private final String sslContextSupplierClassProperty = getConfigPrefix() + "context.supplier.class"; private final String sslHostnameVerificationEnabledProperty = getConfigPrefix() + "hostnameVerification"; private final String sslClientHostnameVerificationEnabledProperty = getConfigPrefix() + "clientHostnameVerification"; + private final String sslAllowReverseDnsLookupProperty = getConfigPrefix() + "allowReverseDnsLookup"; private final String sslCrlEnabledProperty = getConfigPrefix() + "crl"; private final String sslOcspEnabledProperty = getConfigPrefix() + "ocsp"; private final String sslClientAuthProperty = getConfigPrefix() + "clientAuth"; @@ -216,6 +217,8 @@ public X509Util() { protected abstract boolean shouldVerifyClientHostname(); + protected abstract boolean shouldAllowReverseDnsLookup(); + public String getSslProtocolProperty() { return sslProtocolProperty; } @@ -276,6 +279,10 @@ public String getSslClientHostnameVerificationEnabledProperty() { return sslClientHostnameVerificationEnabledProperty; } + public String getSslAllowReverseDnsLookupProperty() { + return sslAllowReverseDnsLookupProperty; + } + public String getSslCrlEnabledProperty() { return sslCrlEnabledProperty; } @@ -315,6 +322,10 @@ public boolean isClientHostnameVerificationEnabled(ZKConfig config) { && config.getBoolean(this.getSslClientHostnameVerificationEnabledProperty(), shouldVerifyClientHostname()); } + public boolean allowReverseDnsLookup(ZKConfig config) { + return config.getBoolean(this.getSslAllowReverseDnsLookupProperty(), shouldAllowReverseDnsLookup()); + } + public SSLContext getDefaultSSLContext() throws X509Exception.SSLContextException { return getDefaultSSLContextAndOptions().getSSLContext(); } 
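Review bot: `allowReverseDnsLookup(ZKConfig)` in the last hunk reads as an imperative, as if it switched the lookup on, while the neighbouring accessors it is modelled on (`isServerHostnameVerificationEnabled`, `isClientHostnameVerificationEnabled`) are predicates; since this is new public API, naming it `public boolean isReverseDnsLookupAllowed(ZKConfig config)` now avoids a deprecation cycle later. The abstract `shouldAllowReverseDnsLookup()` and the new getter also carry no Javadoc explaining how the two relate. A one-line `/** Default for the {@code allowReverseDnsLookup} property when it is unset; quorum and client subclasses choose different defaults. */` on the abstract method would make the precedence (explicit property over subclass default, as `config.getBoolean(..., shouldAllowReverseDnsLookup())` implements it) visible at the declaration.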
@@ -432,6 +443,7 @@ public SSLContextAndOptions createSSLContextAndOptionsFromConfig(ZKConfig config boolean sslOcspEnabled = config.getBoolean(this.sslOcspEnabledProperty); boolean sslServerHostnameVerificationEnabled = isServerHostnameVerificationEnabled(config); boolean sslClientHostnameVerificationEnabled = isClientHostnameVerificationEnabled(config); + boolean allowReverseDnsLookup = allowReverseDnsLookup(config); boolean fipsMode = getFipsMode(config); if (trustStoreLocationProp.isEmpty()) { @@ -441,7 +453,7 @@ public SSLContextAndOptions createSSLContextAndOptionsFromConfig(ZKConfig config trustManagers = new TrustManager[]{ createTrustManager(trustStoreLocationProp, trustStorePasswordProp, trustStoreTypeProp, sslCrlEnabled, sslOcspEnabled, sslServerHostnameVerificationEnabled, sslClientHostnameVerificationEnabled, - fipsMode)}; + allowReverseDnsLookup, fipsMode)}; } catch (TrustManagerException trustManagerException) { throw new SSLContextException("Failed to create TrustManager", trustManagerException); } catch (IllegalArgumentException e) { @@ -577,6 +589,7 @@ public static X509TrustManager createTrustManager( boolean ocspEnabled, final boolean serverHostnameVerificationEnabled, final boolean clientHostnameVerificationEnabled, + final boolean allowReverseDnsLookup, final boolean fipsMode) throws TrustManagerException { if (trustStorePassword == null) { trustStorePassword = ""; @@ -611,7 +624,7 @@ public static X509TrustManager createTrustManager( LOG.debug("FIPS mode is OFF: creating ZKTrustManager"); } return new ZKTrustManager((X509ExtendedTrustManager) tm, serverHostnameVerificationEnabled, - clientHostnameVerificationEnabled); + clientHostnameVerificationEnabled, allowReverseDnsLookup); } } throw new TrustManagerException("Couldn't find X509TrustManager"); diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/common/ZKConfig.java b/zookeeper-server/src/main/java/org/apache/zookeeper/common/ZKConfig.java index 47fd943860c..f6221eeb7f4 100644 
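Review bot: `createTrustManager` is `public static` and the last hunk inserts `allowReverseDnsLookup` in the middle of its parameter list without keeping the old arity, so any out-of-tree caller compiled against the previous signature (custom authentication providers, embedders) fails to link on what is a 3.9.x point release, if the project treats this method as API. A delegating overload with the old signature, marked `@Deprecated`, that passes `true` for `allowReverseDnsLookup` would keep those callers on the pre-patch behaviour (the unconditional reverse lookup) instead of breaking them. Whatever is decided, the method's Javadoc, whose header is above the hunk, should gain `@param allowReverseDnsLookup whether hostname verification may fall back to a reverse DNS lookup of the peer address when the IP literal does not match the certificate`.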
--- a/zookeeper-server/src/main/java/org/apache/zookeeper/common/ZKConfig.java +++ b/zookeeper-server/src/main/java/org/apache/zookeeper/common/ZKConfig.java @@ -151,6 +151,7 @@ private void putSSLProperties(X509Util x509Util) { properties.put(x509Util.getSslContextSupplierClassProperty(), System.getProperty(x509Util.getSslContextSupplierClassProperty())); properties.put(x509Util.getSslClientHostnameVerificationEnabledProperty(), System.getProperty(x509Util.getSslClientHostnameVerificationEnabledProperty())); properties.put(x509Util.getSslHostnameVerificationEnabledProperty(), System.getProperty(x509Util.getSslHostnameVerificationEnabledProperty())); + properties.put(x509Util.getSslAllowReverseDnsLookupProperty(), System.getProperty(x509Util.getSslAllowReverseDnsLookupProperty())); properties.put(x509Util.getSslCrlEnabledProperty(), System.getProperty(x509Util.getSslCrlEnabledProperty())); properties.put(x509Util.getSslOcspEnabledProperty(), System.getProperty(x509Util.getSslOcspEnabledProperty())); properties.put(x509Util.getSslClientAuthProperty(), System.getProperty(x509Util.getSslClientAuthProperty())); diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/common/ZKTrustManager.java b/zookeeper-server/src/main/java/org/apache/zookeeper/common/ZKTrustManager.java index cbadd1e0af9..e2af9f6f077 100644 --- a/zookeeper-server/src/main/java/org/apache/zookeeper/common/ZKTrustManager.java +++ b/zookeeper-server/src/main/java/org/apache/zookeeper/common/ZKTrustManager.java @@ -42,6 +42,7 @@ public class ZKTrustManager extends X509ExtendedTrustManager { private final X509ExtendedTrustManager x509ExtendedTrustManager; private final boolean serverHostnameVerificationEnabled; private final boolean clientHostnameVerificationEnabled; + private final boolean allowReverseDnsLookup; private final ZKHostnameVerifier hostnameVerifier; 
@@ -57,22 +58,26 @@ public class ZKTrustManager extends X509ExtendedTrustManager { ZKTrustManager( X509ExtendedTrustManager x509ExtendedTrustManager, boolean serverHostnameVerificationEnabled, - boolean clientHostnameVerificationEnabled) { + boolean clientHostnameVerificationEnabled, + boolean allowReverseDnsLookup) { this(x509ExtendedTrustManager, serverHostnameVerificationEnabled, clientHostnameVerificationEnabled, - new ZKHostnameVerifier()); + new ZKHostnameVerifier(), + allowReverseDnsLookup); } ZKTrustManager( X509ExtendedTrustManager x509ExtendedTrustManager, boolean serverHostnameVerificationEnabled, boolean clientHostnameVerificationEnabled, - ZKHostnameVerifier hostnameVerifier) { + ZKHostnameVerifier hostnameVerifier, + boolean allowReverseDnsLookup) { this.x509ExtendedTrustManager = x509ExtendedTrustManager; this.serverHostnameVerificationEnabled = serverHostnameVerificationEnabled; this.clientHostnameVerificationEnabled = clientHostnameVerificationEnabled; this.hostnameVerifier = hostnameVerifier; + this.allowReverseDnsLookup = allowReverseDnsLookup; } @Override 
@@ -166,31 +171,46 @@ public void checkServerTrusted(X509Certificate[] chain, String authType) throws * @param certificate Peer's certificate * @throws CertificateException Thrown if the provided certificate doesn't match the peer hostname. */ - private void performHostVerification( - InetAddress inetAddress, - X509Certificate certificate - ) throws CertificateException { + private void performHostVerification(InetAddress inetAddress, X509Certificate certificate) + throws CertificateException { String hostAddress = ""; String hostName = ""; try { hostAddress = inetAddress.getHostAddress(); - if (LOG.isDebugEnabled()) { - LOG.debug("Trying to verify host address first: {}", hostAddress); - } hostnameVerifier.verify(hostAddress, certificate); } catch (SSLException addressVerificationException) { + // If we fail with hostAddress, we should try the hostname. + // The inetAddress may have been created with a hostname, in which case getHostName() will + // return quickly below. If not, a reverse lookup will happen, which can be expensive. + // We provide the option to skip the reverse lookup if preferring to fail fast. + + // Handle logging here to aid debugging. The easiest way to check for an existing + // hostname is through toString, see javadoc. 
+ String inetAddressString = inetAddress.toString(); + if (!inetAddressString.startsWith("/")) { + LOG.debug( + "Failed to verify host address: {}, but inetAddress {} has a hostname, trying that", + hostAddress, inetAddressString, addressVerificationException); + } else if (allowReverseDnsLookup) { + LOG.debug( + "Failed to verify host address: {}, attempting to verify host name with reverse dns", + hostAddress, addressVerificationException); + } else { + LOG.debug("Failed to verify host address: {}, but reverse dns lookup is disabled", + hostAddress, addressVerificationException); + throw new CertificateException( + "Failed to verify host address, and reverse lookup is disabled", + addressVerificationException); + } + try { hostName = inetAddress.getHostName(); - if (LOG.isDebugEnabled()) { - LOG.debug( - "Failed to verify host address: {}, trying to verify host name: {}", - hostAddress, hostName); - } hostnameVerifier.verify(hostName, certificate); } catch (SSLException hostnameVerificationException) { LOG.error("Failed to verify host address: {}", hostAddress, addressVerificationException); LOG.error("Failed to verify hostname: {}", hostName, hostnameVerificationException); - throw new CertificateException("Failed to verify both host address and host name", hostnameVerificationException); + throw new CertificateException("Failed to verify both host address and host name", + hostnameVerificationException); } } } diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/X509AuthenticationProvider.java b/zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/X509AuthenticationProvider.java index 4ea925320f6..1c8edcb8658 100644 --- a/zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/X509AuthenticationProvider.java +++ b/zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/X509AuthenticationProvider.java 
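Review bot: The new reject-when-disabled branch logs only at DEBUG (`LOG.debug("Failed to verify host address: {}, but reverse dns lookup is disabled", ...)`) before throwing `CertificateException`, while the existing both-failed path just below logs the equivalent rejection at ERROR. With the client default now `false`, an operator whose certificates carry only DNS SANs will see connections dropped with no error-level trace unless debug logging is on; changing that line to `LOG.error("Failed to verify host address {} and reverse DNS lookup is disabled; add a SAN:IP entry or enable allowReverseDnsLookup", hostAddress, addressVerificationException);` makes the failure diagnosable. The explanatory comment block should also state the security reason the lookup is optional, not just the cost: a PTR-derived name is controlled by whoever owns the reverse zone for the peer's IP and is not forward-confirmed here, so the SAN:IP match is the stronger check. The method's Javadoc starts above the hunk.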
@@ -88,6 +88,7 @@ public X509AuthenticationProvider() throws X509Exception { boolean crlEnabled = Boolean.parseBoolean(config.getProperty(x509Util.getSslCrlEnabledProperty())); boolean ocspEnabled = Boolean.parseBoolean(config.getProperty(x509Util.getSslOcspEnabledProperty())); boolean hostnameVerificationEnabled = Boolean.parseBoolean(config.getProperty(x509Util.getSslHostnameVerificationEnabledProperty())); + boolean allowReverseDnsLookup = Boolean.parseBoolean(config.getProperty(x509Util.getSslAllowReverseDnsLookupProperty())); X509KeyManager km = null; X509TrustManager tm = null; @@ -120,6 +121,7 @@ public X509AuthenticationProvider() throws X509Exception { ocspEnabled, hostnameVerificationEnabled, false, + allowReverseDnsLookup, fipsMode); } catch (TrustManagerException e) { LOG.error("Failed to create trust manager", e); diff --git a/zookeeper-server/src/test/java/org/apache/zookeeper/common/X509UtilTest.java b/zookeeper-server/src/test/java/org/apache/zookeeper/common/X509UtilTest.java index 827d80a9aec..fe9eea34810 100644 --- a/zookeeper-server/src/test/java/org/apache/zookeeper/common/X509UtilTest.java +++ b/zookeeper-server/src/test/java/org/apache/zookeeper/common/X509UtilTest.java @@ -381,6 +381,7 @@ public void testLoadPEMTrustStore( false, true, true, + false, false); } @@ -402,6 +403,7 @@ public void testLoadPEMTrustStoreNullPassword( false, true, true, + false, false); } @@ -421,6 +423,7 @@ public void testLoadPEMTrustStoreAutodetectStoreFileType( false, true, true, + false, false); } @@ -496,6 +499,7 @@ public void testLoadJKSTrustStore( true, true, true, + false, false); } @@ -517,6 +521,7 @@ public void testLoadJKSTrustStoreNullPassword( false, true, true, + false, false); } @@ -535,6 +540,7 @@ public void testLoadJKSTrustStoreAutodetectStoreFileType( true, true, true, + false, false); } @@ -554,6 +560,7 @@ public void testLoadJKSTrustStoreWithWrongPassword( true, true, true, + false, false); }); } 
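Review bot: In `X509AuthenticationProvider` the flag is derived with `Boolean.parseBoolean(config.getProperty(x509Util.getSslAllowReverseDnsLookupProperty()))`, which yields `false` whenever the property is unset and bypasses the `shouldAllowReverseDnsLookup()` default that the same patch adds to `X509Util`. That is harmless while the client default is also `false`, but it diverges from the `allowReverseDnsLookup(config)` path used by `createSSLContextAndOptionsFromConfig` and repeats the pattern that already makes the neighbouring `hostnameVerificationEnabled` default-blind. If `config` here is a `ZKConfig`, `boolean allowReverseDnsLookup = x509Util.allowReverseDnsLookup(config);` keeps both code paths consistent. The constructor continues beyond the hunk.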
@@ -629,6 +636,7 @@ public void testLoadPKCS12TrustStore( true, true, true, + false, false); } @@ -650,6 +658,7 @@ public void testLoadPKCS12TrustStoreNullPassword( false, true, true, + false, false); } @@ -668,6 +677,7 @@ public void testLoadPKCS12TrustStoreAutodetectStoreFileType( true, true, true, + false, false); } @@ -687,6 +697,7 @@ public void testLoadPKCS12TrustStoreWithWrongPassword( true, true, true, + false, false); }); } diff --git a/zookeeper-server/src/test/java/org/apache/zookeeper/common/ZKTrustManagerTest.java b/zookeeper-server/src/test/java/org/apache/zookeeper/common/ZKTrustManagerTest.java index 7b4e8783ee3..cfdd112ec0d 100644 --- a/zookeeper-server/src/test/java/org/apache/zookeeper/common/ZKTrustManagerTest.java +++ b/zookeeper-server/src/test/java/org/apache/zookeeper/common/ZKTrustManagerTest.java @@ -19,6 +19,7 @@ package org.apache.zookeeper.common; import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertThrows; import static org.junit.jupiter.api.Assertions.assertTrue; import static org.mockito.Mockito.mock; import static org.mockito.Mockito.times; @@ -27,13 +28,16 @@ import java.math.BigInteger; import java.net.InetAddress; import java.net.Socket; +import java.net.UnknownHostException; import java.security.KeyPair; import java.security.KeyPairGenerator; import java.security.Security; +import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Arrays; import java.util.Calendar; +import java.util.Collections; import java.util.Date; import java.util.LinkedHashMap; import java.util.List; 
@@ -61,10 +65,10 @@ import org.burningwave.tools.net.HostResolutionRequestInterceptor; import org.burningwave.tools.net.MappedHostResolver; import org.junit.jupiter.api.AfterAll; +import org.junit.jupiter.api.AfterEach; import org.junit.jupiter.api.BeforeAll; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; -import org.mockito.invocation.InvocationOnMock; import org.mockito.stubbing.Answer; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -113,16 +117,14 @@ public static void removeBouncyCastleProvider() throws Exception { @BeforeEach public void setup() throws Exception { mockX509ExtendedTrustManager = mock(X509ExtendedTrustManager.class); + mockSocket = createSocketWithHostname(); + } - InetAddress mockInetAddress = InetAddress.getByName(HOSTNAME); - - mockSocket = mock(Socket.class); - when(mockSocket.getInetAddress()).thenAnswer(new Answer() { - @Override - public Object answer(InvocationOnMock invocationOnMock) throws Throwable { - return mockInetAddress; - } - }); + @AfterEach + public void tearDown() throws Exception { + if (mockSocket != null) { + mockSocket.close(); + } } private X509Certificate[] createSelfSignedCertifcateChain(String ipAddress, String hostname) throws Exception { @@ -161,7 +163,7 @@ private X509Certificate[] createSelfSignedCertifcateChain(String ipAddress, Stri public void testServerHostnameVerificationWithHostnameVerificationDisabled() throws Exception { VerifiableHostnameVerifier hostnameVerifier = new VerifiableHostnameVerifier(); ZKTrustManager zkTrustManager = new ZKTrustManager(mockX509ExtendedTrustManager, false, false, - hostnameVerifier); + hostnameVerifier, false); X509Certificate[] certificateChain = createSelfSignedCertifcateChain(IP_ADDRESS, HOSTNAME); zkTrustManager.checkServerTrusted(certificateChain, null, mockSocket); 
@@ -175,7 +177,7 @@ public void testServerHostnameVerificationWithHostnameVerificationDisabled() thr public void testServerHostnameVerificationWithHostnameVerificationDisabledAndClientHostnameVerificationEnabled() throws Exception { VerifiableHostnameVerifier hostnameVerifier = new VerifiableHostnameVerifier(); ZKTrustManager zkTrustManager = new ZKTrustManager(mockX509ExtendedTrustManager, false, true, - hostnameVerifier); + hostnameVerifier, false); X509Certificate[] certificateChain = createSelfSignedCertifcateChain(IP_ADDRESS, HOSTNAME); zkTrustManager.checkServerTrusted(certificateChain, null, mockSocket); @@ -190,7 +192,7 @@ public void testServerHostnameVerificationWithHostnameVerificationDisabledAndCli public void testServerHostnameVerificationWithIPAddress() throws Exception { VerifiableHostnameVerifier hostnameVerifier = new VerifiableHostnameVerifier(); ZKTrustManager zkTrustManager = new ZKTrustManager(mockX509ExtendedTrustManager, true, false, - hostnameVerifier); + hostnameVerifier, false); X509Certificate[] certificateChain = createSelfSignedCertifcateChain(IP_ADDRESS, null); zkTrustManager.checkServerTrusted(certificateChain, null, mockSocket); @@ -205,7 +207,7 @@ public void testServerHostnameVerificationWithIPAddress() throws Exception { public void testServerHostnameVerificationWithHostname() throws Exception { VerifiableHostnameVerifier hostnameVerifier = new VerifiableHostnameVerifier(); ZKTrustManager zkTrustManager = new ZKTrustManager(mockX509ExtendedTrustManager, true, false, - hostnameVerifier); + hostnameVerifier, false); X509Certificate[] certificateChain = createSelfSignedCertifcateChain(null, HOSTNAME); zkTrustManager.checkServerTrusted(certificateChain, null, mockSocket); 
@@ -220,7 +222,7 @@ public void testServerHostnameVerificationWithHostname() throws Exception { public void testClientHostnameVerificationWithHostnameVerificationDisabled() throws Exception { VerifiableHostnameVerifier hostnameVerifier = new VerifiableHostnameVerifier(); ZKTrustManager zkTrustManager = new ZKTrustManager(mockX509ExtendedTrustManager, false, true, - hostnameVerifier); + hostnameVerifier, false); X509Certificate[] certificateChain = createSelfSignedCertifcateChain(null, HOSTNAME); zkTrustManager.checkClientTrusted(certificateChain, null, mockSocket); @@ -235,7 +237,7 @@ public void testClientHostnameVerificationWithHostnameVerificationDisabled() thr public void testClientHostnameVerificationWithClientHostnameVerificationDisabled() throws Exception { VerifiableHostnameVerifier hostnameVerifier = new VerifiableHostnameVerifier(); ZKTrustManager zkTrustManager = new ZKTrustManager(mockX509ExtendedTrustManager, true, - false, hostnameVerifier); + false, hostnameVerifier, false); X509Certificate[] certificateChain = createSelfSignedCertifcateChain(null, HOSTNAME); zkTrustManager.checkClientTrusted(certificateChain, null, mockSocket); @@ -250,7 +252,7 @@ public void testClientHostnameVerificationWithClientHostnameVerificationDisabled public void testClientHostnameVerificationWithIPAddress() throws Exception { VerifiableHostnameVerifier hostnameVerifier = new VerifiableHostnameVerifier(); ZKTrustManager zkTrustManager = new ZKTrustManager(mockX509ExtendedTrustManager, true, true, - hostnameVerifier); + hostnameVerifier, false); X509Certificate[] certificateChain = createSelfSignedCertifcateChain(IP_ADDRESS, null); zkTrustManager.checkClientTrusted(certificateChain, null, mockSocket); 
@@ -265,7 +267,7 @@ public void testClientHostnameVerificationWithIPAddress() throws Exception { public void testClientHostnameVerificationWithHostname() throws Exception { VerifiableHostnameVerifier hostnameVerifier = new VerifiableHostnameVerifier(); ZKTrustManager zkTrustManager = new ZKTrustManager(mockX509ExtendedTrustManager, true, true, - hostnameVerifier); + hostnameVerifier, false); X509Certificate[] certificateChain = createSelfSignedCertifcateChain(null, HOSTNAME); zkTrustManager.checkClientTrusted(certificateChain, null, mockSocket); 
@@ -276,6 +278,64 @@ public void testClientHostnameVerificationWithHostname() throws Exception { verify(mockX509ExtendedTrustManager, times(1)).checkClientTrusted(certificateChain, null, mockSocket); } + @Test + public void testClientHostnameVerificationWithIpAddress_CertHostnameSan_NoReverseLookup_Fail() throws Exception { + VerifiableHostnameVerifier hostnameVerifier = new VerifiableHostnameVerifier(); + ZKTrustManager zkTrustManager = new ZKTrustManager(mockX509ExtendedTrustManager, true, true, + hostnameVerifier, false); + + X509Certificate[] certificateChain = createSelfSignedCertificateChain(null, HOSTNAME); + try (Socket s = createSocketWithIpAddress()) { + assertThrows(CertificateException.class, () -> zkTrustManager.checkClientTrusted(certificateChain, null, s)); + verify(s, times(1)).getInetAddress(); + assertEquals(Collections.singletonList(IP_ADDRESS), hostnameVerifier.hosts); + verify(mockX509ExtendedTrustManager, times(1)).checkClientTrusted(certificateChain, null, s); + } + } + + @Test + public void testClientHostnameVerificationWithIpAddress_CertHostnameSan_WithReverseLookup() throws Exception { + VerifiableHostnameVerifier hostnameVerifier = new VerifiableHostnameVerifier(); + ZKTrustManager zkTrustManager = new ZKTrustManager(mockX509ExtendedTrustManager, true, true, + hostnameVerifier, true); + + X509Certificate[] certificateChain = createSelfSignedCertificateChain(null, HOSTNAME); + try (Socket s = createSocketWithIpAddress()) { + zkTrustManager.checkClientTrusted(certificateChain, null, s); + verify(s, times(1)).getInetAddress(); + assertEquals(Arrays.asList(IP_ADDRESS, HOSTNAME), hostnameVerifier.hosts); + verify(mockX509ExtendedTrustManager, times(1)).checkClientTrusted(certificateChain, null, s); + } + } + + @Test + public void testClientHostnameVerificationWithIpAddress_CertIpSan() throws Exception { + VerifiableHostnameVerifier hostnameVerifier = new VerifiableHostnameVerifier(); + ZKTrustManager zkTrustManager = new 
ZKTrustManager(mockX509ExtendedTrustManager, true, true, + hostnameVerifier, false); + + X509Certificate[] certificateChain = createSelfSignedCertificateChain(IP_ADDRESS, null); + try (Socket s = createSocketWithIpAddress()) { + zkTrustManager.checkClientTrusted(certificateChain, null, s); + verify(s, times(1)).getInetAddress(); + assertEquals(Collections.singletonList(IP_ADDRESS), hostnameVerifier.hosts); + verify(mockX509ExtendedTrustManager, times(1)).checkClientTrusted(certificateChain, null, s); + } + } + + private Socket createSocketWithHostname() throws UnknownHostException { + InetAddress mockInetAddress = InetAddress.getByName(HOSTNAME); + Socket s = mock(Socket.class); + when(s.getInetAddress()).thenAnswer((Answer) invocationOnMock -> mockInetAddress); + return s; + } + + private Socket createSocketWithIpAddress() throws UnknownHostException { + InetAddress mockInetAddress = InetAddress.getByName(IP_ADDRESS); + Socket s = mock(Socket.class); + when(s.getInetAddress()).thenAnswer((Answer) invocationOnMock -> mockInetAddress); + return s; + } static class VerifiableHostnameVerifier extends ZKHostnameVerifier { diff --git a/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/QuorumSSLTest.java b/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/QuorumSSLTest.java index 5a3c5541302..3177024f525 100644 --- a/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/QuorumSSLTest.java +++ b/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/QuorumSSLTest.java @@ -142,6 +142,7 @@ public class QuorumSSLTest extends QuorumPeerTestBase { private static final char[] PASSWORD = "testpass".toCharArray(); private static final String HOSTNAME = "localhost"; + private static final String IPADDRESS = "127.0.0.1"; private QuorumX509Util quorumX509Util; 
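Review bot: The three new tests call `createSelfSignedCertificateChain(...)`, but the helper visible as context in this file is spelled `createSelfSignedCertifcateChain` and the pre-existing tests in the earlier hunks still call that spelling, so unless the helper is renamed in a part of the file not shown or in patch 2/2, this class does not compile. Either rename the helper together with all its callers in one hunk or use the existing spelling here. Also, `testClientHostnameVerificationWithIpAddress_CertHostnameSan_WithReverseLookup` only passes if the reverse lookup of `IP_ADDRESS` yields `HOSTNAME`; if that depends on the `MappedHostResolver` interceptor imported above rather than on the host's DNS, a one-line comment saying so would spare the next reader a flakiness hunt.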
@@ -487,6 +488,7 @@ private void clearSSLSystemProperties() { System.clearProperty(quorumX509Util.getSslTruststorePasswdProperty()); System.clearProperty(quorumX509Util.getSslTruststorePasswdPathProperty()); System.clearProperty(quorumX509Util.getSslHostnameVerificationEnabledProperty()); + System.clearProperty(quorumX509Util.getSslAllowReverseDnsLookupProperty()); System.clearProperty(quorumX509Util.getSslOcspEnabledProperty()); System.clearProperty(quorumX509Util.getSslCrlEnabledProperty()); System.clearProperty(quorumX509Util.getCipherSuitesProperty()); @@ -700,6 +702,8 @@ public void testHostnameVerificationForInvalidMultiAddressServerConfig(boolean f @Timeout(value = 5, unit = TimeUnit.MINUTES) public void testHostnameVerificationWithInvalidIpAddressAndValidHostname(boolean fipsEnabled) throws Exception { System.setProperty(quorumX509Util.getFipsModeProperty(), Boolean.toString(fipsEnabled)); + // We need reverse DNS lookup to get this working, because quorum is connecting via ip addresses + System.setProperty(quorumX509Util.getSslAllowReverseDnsLookupProperty(), Boolean.toString(true)); String badhostnameKeystorePath = tmpDir + "/badhost.jks"; X509Certificate badHostCert = buildEndEntityCert( @@ -805,7 +809,7 @@ public void testCertificateRevocationList(boolean fipsEnabled) throws Exception rootCertificate, rootKeyPair.getPrivate(), HOSTNAME, - null, + IPADDRESS, crlPath, null); writeKeystore(revokedInCRLCert, defaultKeyPair, revokedInCRLKeystorePath); @@ -835,7 +839,7 @@ public void testCertificateRevocationList(boolean fipsEnabled) throws Exception rootCertificate, rootKeyPair.getPrivate(), HOSTNAME, - null, + IPADDRESS, crlPath, null); writeKeystore(validCertificate, defaultKeyPair, validKeystorePath); @@ -874,7 +878,7 @@ public void testOCSP(boolean fipsEnabled) throws Exception { rootCertificate, rootKeyPair.getPrivate(), HOSTNAME, - null, + IPADDRESS, null, ocspPort); writeKeystore(revokedInOCSPCert, defaultKeyPair, revokedInOCSPKeystorePath); 
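Review bot: `testHostnameVerificationWithInvalidIpAddressAndValidHostname` now sets `zookeeper.ssl.quorum.allowReverseDnsLookup` to `true`, which is already the quorum default returned by `QuorumX509Util.shouldAllowReverseDnsLookup()`, so the line records intent but exercises nothing the patch introduces. A negative counterpart — the same setup with the property set to `false`, asserting that the peer presenting the bad-host certificate is rejected — would pin the new switch at quorum level, where it has no coverage in this patch. If the reverse lookup of the loopback address to `localhost` is environment-dependent, the comment should say so, because the test will fail in containers whose `/etc/hosts` lacks the mapping.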
@@ -908,7 +912,7 @@ public void testOCSP(boolean fipsEnabled) throws Exception {
 rootCertificate,
 rootKeyPair.getPrivate(),
 HOSTNAME,
- null,
+ IPADDRESS,
 null,
 ocspPort);
 writeKeystore(validCertificate, defaultKeyPair, validKeystorePath);
diff --git a/zookeeper-server/src/test/resources/data/ssl/README.md b/zookeeper-server/src/test/resources/data/ssl/README.md
index b8823d8a3de..26d4d0b6fff 100644
--- a/zookeeper-server/src/test/resources/data/ssl/README.md
+++ b/zookeeper-server/src/test/resources/data/ssl/README.md
@@ -1,6 +1,21 @@
 SSL test data
 ===================
+Create keystore with certificate
+```
+keytool -genkeypair -alias test -keyalg RSA -keysize 2048 -dname "CN=localhost,OU=ZooKeeper,O=Apache,L=Unknown,ST=Unknown,C=Unknown" -keypass testpass -keystore keystore.jks -storepass testpass -ext SAN=DNS:localhost,IP:127.0.0.1
+```
+
+Export certificate to file
+```
+keytool -exportcert -alias test -keystore keystore.jks -file test.cer -rfc
+```
+
+Create truststore
+```
+keytool -importcert -alias test -file test.cer -keystore truststore.jks -storepass testpass
+```
+
 testKeyStore.jks
 ---
 Testing keystore, password is "testpass".
diff --git a/zookeeper-server/src/test/resources/data/ssl/testKeyStore.jks b/zookeeper-server/src/test/resources/data/ssl/testKeyStore.jks index 40a7d0b7eae24b40c42e0f0e5410ef5caed30e4e..60e5d52b656ec638e9cce0ce631b049d46f27e94 100644 GIT binary patch literal 2772 zcma);X*d*$8pmf>mQ03G*5O397#jP&QzjW>&5-ONGcxwjkO*ZtlE|QAJs3t!_N{DX z&C;=D3nP(TS#o;ry-(-4pYHweKJWAX{_p?&_?V~1fwaep|F!uu_m#596%Oe zE``+_LSgmziCxeXXz71R&@2cAn(-5-{j5hYw*R=;S%IKj3RLGO)IhucazHuIc4(D< zMs~C`gu62kig$?!JTrtySnDP^-VzRo@CSj;!$Ck4njLoH-xonAp#ZcX?Bw-W6QCOy z0+fQlonBer{!V0DzMzu5sa*X;A3}i)Y%cb1o5)M!i2V-M818l%XXCck0cX?XAKq#z z!rh)0=vfYrs;GXhq!gnYE5}n70jFI{2j@h6*_ql{s&r}mMf3YpIioQ2K5}-b(Xl9q zzpTLvx;8V}Q!@C101&pJIkGMH>ZZM3Z&R4_%5K0f;6rCgSF|rINPPzOSkBfNl2=S| zM@iyOUPdl^`03_J*Llte5;RjC9r;_)DMvWH@7rD6Y8GDs>kd8K7al2ff`w~E<6i>~ zu!6Z_@$+mg_5&w+h}i6-&lY~(eBX{U%^VDQD)1G^)YutA5Z~_ws$~+*T0Ww5^wALKFcr;TjFM3RUdu}*t_(~O07kEHQ2Q7>P*}UkR2`3iRaR_za8+bpc5(Eve3VB0~e#0-=j)!H_i_^@7odB5=tnzQ|0a2t!) zF4IW0;YF)?*hYg{ZSVD%*Fp5EhpDGD1umosFCf?&(`R7aq>!t8MyikQtHRk@Tb0RbG?MQasPAx*VG?OIKe`1TaDpxG%R( zUe_sho?<-U8vSvVz*XL~vQl4etWGyjjUXDS-&HfAw~KT*{kDops>P*`L|To+b((v7 z-mM-BbRI}Do$KN9F`s8sOUJNzmfV+Vezhti*jr)mK? zx@q`z8}VI)fQ3=LcSrnKL*cc%`E$pz2`QR6d={w2UU|6+k#I!go_M0}57+OF{Z&Sc z7+DZDQQWee_$a_ffRRc(th*FyRZYEh_OQ!9ONE^jZn=JktO~7GCb!M zIt1gCe)vEC!>7H7?GK#wuzlH?Bs-&!J$F?z(u8n#km7X|XW9+5;dAyGw~ckQ?-w20 zpQQbO4=Y>>#Co54su=Wf5EL-rt|rH>FAYPAD2!F(W(vt)g<$?2&3%B2`hzw+^3!tU z&x;X9kdAW&N9(Q(Xa@0dgFGR?x1b(AedtSBpbAM=7*GJMQ#!tB0Xv>R$iY~yPzc;;y9899Pbl{ zf??$2jWxo@%sZ}G-<9E?|Oa=w>Tk?Qd+8fG<9M?Hgl{JoAiA4 zaM!6uL0$vR`ztO_a?7&{od5&?+yJ)$0ceqb1Ri;A2p8VV*9|4Ftf-=-h*42dQBb~! 
zra-EGEwR9IDUkf1C@fQ5>&wfHe-0^MFJMi#+P1D@42XEmG z_c2MldeGouaoc07>Fc*Fb6`Z0<6!=jVG49Azhgzmfu~6!5gJAv-9CKipD~rs_xyv| z4Fx+eV+Mv_zV&444vU|b^gV63I{i;{94m7#gGVUN#;GlHuR zgM@A9DolQxZAVz+&vv>+*j{}=Y1~bRF70o3BAE|P8EjR%dv#V)m?B#K6>@i+Ih*uKaup0d`#jZ5oV2 z@2UM1U5;cJ~^+ib4Ok{s2J1+(5; z7+I8Roib&rb6+%Lyl2v{TGl(NU|i@cYmpQS`^+V4xAYMLQ@RS9m*QXk$z@E=}QmjLI=s;XIo%H_aUcZl(^E|)S!pfiWZ<&(30B84=eTp^A01?K+Q$MU5( z+Zn~cVebc8K{FDC4vXHJ$YS9fzdUbp+3}+xkk1oMZ}U$F@nLU~y19IZd@76NZVjcK zg%6n`uK}C-p>}rDF@y53{gh&<98m$umN=<~%p(^ro$!{?U9AyV8BVY9DPB~}4vSi% zLUj6h2wt=l2~`V^&jEaSy(mXH{<(R=W4WRfshEXuTOAiLMtq`WvVZ-neJCe#Ki`Eo zTP<@5J)O!N?I=Q!E+ycH3d*&bYu6Zw*9;Y}Rj*~%?DET_=zo2c|HwMz1=GixO zE^AlB=Z%>M1yv8NQ2hYSyB&pun^Q1tQzZvUfYI?zN#NsypK z?8GMfo%Z>IX!w*$+9@XcHSKz)wXh=&-bCJ$m7!+5*OlukZrGX=;;Yz+crzk7`2Z$L zE_pG--n}5K_G#S{qbkY~SnJ&Vz7;7-N&_3RMW}`@@ydWk|1#P6La*#IP|J58f*(Sq z@{#9ilJz7AQG*ASTTRS2aH(k2_h;va$r-y-_pL~PM(6asG6N0=*AE=FB>sG+p>z$k z8b=C=+(I-<*O*jd4ygGDGD+&2NnAIBGuIcJ(F}5|#Wzlf3YRS+bs56FNXe=4VDMBmRk-lI?mGl+zSR6zMEwm4p#)d} literal 2250 zcmchYcTm%58pqRtPy*6LN+?PVzfeUf1`w&zq=SGG0|%QR1acJR2%%VLt02-@P-)=+ ziHe~kO?qDu#6=(yiXcsnw%pF`+|Jzp_s28yyq}rpnP0)RzV;TtY$ zC7(R3^tB$=fk1EwK!qIvduCX*<@{y3*qGpy z+uDRgnXo37NS(pr>m6s_Eg(Yj~&O}VTK4!bre_A;*pH(*AdNOpVYk3J!AF0vS^djK%a&^ z%{uNVzh~-polN7rjT0If5mM4y!{ez#xVQ#a*PlRRguuHl>*hPEE;~}pxvW{zTI+OdGowlft>sY)L3AagmpddJW*WvdMm{d zAqA>dba^K>_gk(UL!=faEHc1`U#vI}>AqDJNi=^DrJ%=A-_@D&wA!he??v+0>E!s# z-pTMPO27YS7P5hz(Bw0;ZB%Mm^7nEQd{lBH1W`RR%tf@zTXDFRs05x*dO}m8yhHs< zJ@*|`dWppZ!kwFJS&v84JB?2(jYGYDA|+69*OJ#bn8-DQdr}3cvEr@%=hhrwdItyB zYIof4F|wPln|me_Hlvtc@*WXI$V$3Yg6K0egX~z7y)(-R^PX|A)c4saS!Lxs#yv>d zSx5xjom7T$mMsxMg%7n<0~RknDs_e`((S~8K5LnTW^lI`fI2)>Y^Gn?E3aNKok%b; z$#d^y+vdF*PAq@awa5yWDSG-`ZTv#O=EBQ-9tzv$TaqxZo7q%g)1F!MU~`P^w+C$R z5d7Wm|CArbIACh!TEEu_d|fZKWc?5=u0buS+l~&s?RzCExKp8#(Py?C@l*VB%REc_r2a*`tz6FdUBfMRIkV9%TC+Mpd$Ry3tzTbzqq-2zD%=D zW!}lz|4zGI*vlZTCS*W>b|H%SigL^s@srrohr}z>7289nj-;N8P3IBm+>|mgFZu9ml5G7`xoVZ%%A!6@Z>XfM 
zr$M_+dfVblCB0+0@tN9LJ-=reI0movzD@N(pOJh@-6JF?$*$m!y9js1Xajm65Ht>; zLSq0bgir{DfFTfAs1^eO@FKXB6U-BKdBI?AI0ztN`A<$J)Cq*& z2*-a3>Lk%g6jBg@3--O~kH?+@`2P*K1-aZwBr7~V7$5Q{g9>s5k#711`IAD)fQ%?F zRvW--0@(A~x|)Ey80y5;1~dTO|A7C0NmQ`xUu8M@HK0^53ItHWNC*`S2K|EOye@DF zNazWQBGfP4)zzy%h%vtKkyzM~;4tyXfBtGM_GGU_?a5Q#$<7R7oM8jhOQKshCEEok zTUkcv_6w62wni%3C#VObD1Bf`wWD-B4r*!r>{FyLVq6O8Gm@8^T?*Lqox$@tdlZWL zAjZDypqO1(?xfA%1h1#J3bUSW#tgvMYLoHS!3H2z$K1Pt-q$Ye8=ESzOjry3{pP}# zQTJ-pF^q!P*{Yv=_>8<{o-~_54Y!1Ksx_ML)5n@B2^*5zwWPJBQH8rP$KK9HXOwH0 zhpfbC9UUMz=QouJxq|VBhN|N^RNQ))W0#TaPss4qjDLXe_?kx$C>R7TMg!7-AMO{znJ3F1U!shoa zR|Y$@f+Gh5*;=$F&d97qgH_2n65^v=1&%&GEBW(Q9{ezRt;sU+&BoD|N5nLJ*VKT( z8F?{%(mld7bFzsK*X{Quv0YK1Vp?ary0TGSM3PwKpy0kjqRZTNm$)^?``qGnn8`aD zw^e1MNVuyCNBrD|sjw7bSYI&IU2OuvT{Oyd_gm6lJ6{R^6*k_he_fBQ?skT=VXx1l zhp8?j9{YrWX8M%qaR%X(?Q7ak7eD;5N*G#OaR4jNOO4cNg-+kqk}tbTp&!1a@U}&^ z;CK22^2E#C1l#lI-oA@%V(SY<7C6SY{B$1eT#j?{I80l6Zu&;Il)TbXnKM_Z-|rT; B+9Ln} 
diff --git a/zookeeper-server/src/test/resources/data/ssl/testTrustStore.jks b/zookeeper-server/src/test/resources/data/ssl/testTrustStore.jks index 33f09c11dfaa303e3054be774923b8fe8c87bdf6..bced986e430b0542d942d1d87c4b050f09cc5e91 100644 GIT binary patch literal 1302 zcmV+x1?l=Qf&~%+0Ru3C1iS_bDuzgg_YDCD0ic2etptJusW5^Br7(g7p#}*mhDe6@ z4FLxRpn?RFFoFb*0s#Opf&_;K2`Yw2hW8Bt2LUi<1_>&LNQU+thDZTr0|Wso1P}%NNY3CfLkxiim9uPXGs1v^1Q5<56WTNua7Ti>FJh=ANYk7I zaUuq38TZOld3GWACG@{u6hukTYaYWVuX-VBkDs%QL6M=6_KucPztr3R?L&}h8N5lJyk4D2CXX=PjkWiL#~hdDjw7-+WqK#w@O z$q{>beQs(#>Do8y>d15tQ_{m(Fr}mNb4vXs^4SQ;)Zym4T6fJRTzis3J_uCgpo4$d z@0m3J?aia8ljclzWn>AG2Ue*6mpy*8Pv~yuJLBSx1^M_A7Ho>xNIiGm>mrWBh7&8- zu>lw0Y7`8UuxWD9{no=8>{ZL@gU?$!v-htaC#~JYfki5bGD4H$^3V#xdJ-^n47dNf ztYHv(FpW4rGb|UEywSo@$%?ga3cu00{{_3(6TeVG`0Kc6 z_IV9jNjDA5SJE_W=lJ>pl}xN*j2%@cY`UUN4v)cVJN`^F_g(`blE|ogaQueP%452e zFZvB8p!a^b^B(@~F*Nu<64*_VJw-1&tTv^vsrSD4O410E7n$DqAbGjar0;g(WxFyz zv_K(*>DXrr14v+%F5`D{Svn?FSZB^i2RqNXJs`>o4D)9eR@TOU@bs_*=!h1Mu`!KN z6XVLKp?gwPUK389?XKPFKV}HN=N6Aq6bowaqt1+Wqzdwq#i8Qw3~97;hXQFZ}KB)6w;6xt;d$&Ma;AqY|!fU7H_40lF#dU3kJG_46dEe)ywx-xEfZV>oYZxZ(+6K zp>uN&U9-uq)jlow`e;WA*+9U!Boo1Lih7^p_r3@mM8vVuM4D|L4s_}qI>T~09_rVX zAOqwy8q8q!@lCvI^j`NQs!tw^WIg-fz3^#Wj^=w;$do1+={?gqfG@!$203bgp=MCZ z=N8#xTPG>7tkEZFEwf&(buvO_yiJCl`sDQU4NbBk(W?gXI{Y)eUx$&CukGh!x$nra zq8{Y=Y%zsi)upSYp__|E?CKP-PmcHm?OHIpp48@$!;j)o%9(st)G6{|+ zEQlxzE@SoKdJujnf>^Y)djBDFT%sNJV_B$uDVorG?;NC9O71OfpC z00bZ_xcVFAaV(aVpm$VG#T{0{|L|>=(IcJ{{iLS0IAV1K6m&yFUNU_3;FAGpLlvhp M^EMW`HUa`C5KKT|Fjt0)(AaQ14{-5=4OK?=6ZuBrt}5OOpHuS zEX5{U*$jBuIJMe5+P?ELGIFyr7~~rY81S(%hqABBO}8iMUFT@2ZOeg zIo0VqU)Gsh?)+2lWOX}l!O^y$Ym+mc_-!)0uCa_;8-rUqM^}7kX7=(~dap{9?W!DC!lk)$X00#?P_`2uw~E*o>P|{AL8)a$wl+I z^Yf=?&w7Zu@^^03*V{V3@&39=C;9AS6{hcZW48MuYPP{>f7jY8`_`m?l>NFX|J}>W zs&)1M!*_CxJ!%JZ-G*y&uI-Q@V8H2Ao^QZ857+o=rh&!T)Lp9>BJ|f@$L(-trg85yKc zWSce1YM95!*M2+JvS9zI1McUKniN!>&wgdnvX7%`#xvWuvXAoFZY!^LTzmDt?4&Pq zS^w6&+vnB3+FavZe+Hy)N+-1FmY 
z`h|CIf*7@)$X(iEQhcY*L}jI4`P#pm%Xtq~9Z3ClMsTj=sz~9(bJxZvK074w;psw8 i$F1+@P2@41^Um9F1>-ph;maAXGcx@a=o~s4V+sJO#ADR}
From 4f96739d5ccd52b9d2a620b000a83a9f50584b7b Mon Sep 17 00:00:00 2001
From: Andor Molnar
Date: Tue, 14 Oct 2025 17:17:47 -0500
Subject: [PATCH 2/2] ZOOKEEPER-4986: Typo in method name not fixed on this branch
---
 .../org/apache/zookeeper/common/ZKTrustManagerTest.java | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/zookeeper-server/src/test/java/org/apache/zookeeper/common/ZKTrustManagerTest.java b/zookeeper-server/src/test/java/org/apache/zookeeper/common/ZKTrustManagerTest.java
index cfdd112ec0d..a2753b29bc6 100644
--- a/zookeeper-server/src/test/java/org/apache/zookeeper/common/ZKTrustManagerTest.java
+++ b/zookeeper-server/src/test/java/org/apache/zookeeper/common/ZKTrustManagerTest.java
@@ -284,7 +284,7 @@ public void testClientHostnameVerificationWithIpAddress_CertHostnameSan_NoRevers
 ZKTrustManager zkTrustManager = new ZKTrustManager(mockX509ExtendedTrustManager, true, true,
 hostnameVerifier, false);
- X509Certificate[] certificateChain = createSelfSignedCertificateChain(null, HOSTNAME);
+ X509Certificate[] certificateChain = createSelfSignedCertifcateChain(null, HOSTNAME);
 try (Socket s = createSocketWithIpAddress()) {
 assertThrows(CertificateException.class, () -> zkTrustManager.checkClientTrusted(certificateChain, null, s));
 verify(s, times(1)).getInetAddress();
@@ -299,7 +299,7 @@ public void testClientHostnameVerificationWithIpAddress_CertHostnameSan_WithReve
 ZKTrustManager zkTrustManager = new ZKTrustManager(mockX509ExtendedTrustManager, true, true,
 hostnameVerifier, true);
- X509Certificate[] certificateChain = createSelfSignedCertificateChain(null, HOSTNAME);
+ X509Certificate[] certificateChain = createSelfSignedCertifcateChain(null, HOSTNAME);
 try (Socket s = createSocketWithIpAddress()) {
 zkTrustManager.checkClientTrusted(certificateChain, null, s);
 verify(s, times(1)).getInetAddress();
@@ -314,7 +314,7 @@ public void testClientHostnameVerificationWithIpAddress_CertIpSan() throws Excep
 ZKTrustManager zkTrustManager = new ZKTrustManager(mockX509ExtendedTrustManager, true, true,
 hostnameVerifier, false);
- X509Certificate[] certificateChain = createSelfSignedCertificateChain(IP_ADDRESS, null);
+ X509Certificate[] certificateChain = createSelfSignedCertifcateChain(IP_ADDRESS, null);
 try (Socket s = createSocketWithIpAddress()) {
 zkTrustManager.checkClientTrusted(certificateChain, null, s);
 verify(s, times(1)).getInetAddress();