Allow to config no-password truststore (apache#13424)

* Allow to config no-password truststore

conf/broker.conf

@@ -622,7 +622,7 @@ tlsTrustStoreType=JKS
 # TLS TrustStore path in broker
 tlsTrustStore=
 
-# TLS TrustStore password in broker
+# TLS TrustStore password in broker, default value is empty password
 tlsTrustStorePassword=
 
 # Whether internal client use KeyStore type to authenticate with Pulsar brokers

pulsar-broker-common/src/main/java/org/apache/pulsar/broker/ServiceConfiguration.java

@@ -2389,7 +2389,7 @@ public class ServiceConfiguration implements PulsarConfiguration {
 
     @FieldContext(
             category = CATEGORY_KEYSTORE_TLS,
-            doc = "TLS TrustStore password for broker"
+            doc = "TLS TrustStore password for broker, null means empty password."
     )
     private String tlsTrustStorePassword = null;
 

pulsar-broker/src/test/java/org/apache/pulsar/client/impl/KeyStoreTlsTest.java

@@ -43,6 +43,12 @@ public class KeyStoreTlsTest {
     protected final String CLIENT_TRUSTSTORE_PW = "111111";
     protected final String KEYSTORE_TYPE = "JKS";
 
+    protected final String BROKER_TRUSTSTORE_FILE_NPD_PATH =
+            "./src/test/resources/authentication/keystoretls/pulsar_server_trust_npd.jks";
+
+    protected final String CLIENT_TRUSTSTORE_FILE_NPD_PATH =
+            "./src/test/resources/authentication/keystoretls/pulsar_client_trust_npd.jks";
+
     public static final Provider BC_PROVIDER = getProvider();
 
     @Test(timeOut = 300000)
@@ -78,4 +84,38 @@ public void testValidate() throws Exception {
 
         SSLContextValidatorEngine.validate(clientSSLContext::createSSLEngine, serverSSLContext::createSSLEngine);
     }
+
+    @Test(timeOut = 300000)
+    public void testValidateKeyStoreNoPwd() throws Exception {
+        KeyStoreSSLContext serverSSLContext = new KeyStoreSSLContext(KeyStoreSSLContext.Mode.SERVER,
+                null,
+                KEYSTORE_TYPE,
+                BROKER_KEYSTORE_FILE_PATH,
+                BROKER_KEYSTORE_PW,
+                false,
+                KEYSTORE_TYPE,
+                BROKER_TRUSTSTORE_FILE_NPD_PATH,
+                null,
+                true,
+                null,
+                null);
+        serverSSLContext.createSSLContext();
+
+        KeyStoreSSLContext clientSSLContext = new KeyStoreSSLContext(KeyStoreSSLContext.Mode.CLIENT,
+                null,
+                KEYSTORE_TYPE,
+                CLIENT_KEYSTORE_FILE_PATH,
+                CLIENT_KEYSTORE_PW,
+                false,
+                KEYSTORE_TYPE,
+                CLIENT_TRUSTSTORE_FILE_NPD_PATH,
+                null,
+                false,
+                null,
+                // set client's protocol to TLSv1.2 since SSLContextValidatorEngine.validate doesn't handle TLSv1.3
+                Collections.singleton("TLSv1.2"));
+        clientSSLContext.createSSLContext();
+
+        SSLContextValidatorEngine.validate(clientSSLContext::createSSLEngine, serverSSLContext::createSSLEngine);
+    }
 }

pulsar-common/src/main/java/org/apache/pulsar/common/util/keystoretls/KeyStoreSSLContext.java

@@ -105,7 +105,11 @@ public KeyStoreSSLContext(Mode mode,
                 ? DEFAULT_KEYSTORE_TYPE
                 : trustStoreTypeString;
         this.trustStorePath = trustStorePath;
-        this.trustStorePassword = trustStorePassword;
+        if (trustStorePassword == null) {
+            this.trustStorePassword = "";
+        } else {
+            this.trustStorePassword = trustStorePassword;
+        }
         this.needClientAuth = requireTrustedClientCertOnConnect;
 
         if (protocols != null && protocols.size() > 0) {

pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyConfiguration.java

@@ -406,7 +406,7 @@ public class ProxyConfiguration implements PulsarConfiguration {
 
     @FieldContext(
             category = CATEGORY_KEYSTORE_TLS,
-            doc = "TLS TrustStore password for proxy"
+            doc = "TLS TrustStore password for proxy, null means empty password."
     )
     private String tlsTrustStorePassword = null;