From 53ad936b28035a7ae81e80c12e924b3f03a573e9 Mon Sep 17 00:00:00 2001
From: ZhangJian He
Date: Thu, 6 Jan 2022 10:15:27 +0800
Subject: [PATCH] Allow to config no-password truststore (#13424)

* Allow to config no-password truststore
---
 conf/broker.conf | 2 +-
 .../pulsar/broker/ServiceConfiguration.java | 2 +-
 .../pulsar/client/impl/KeyStoreTlsTest.java | 40 ++++++++++++++++++
 .../keystoretls/pulsar_client_trust_npd.jks | Bin 0 -> 838 bytes
 .../keystoretls/pulsar_server_trust_npd.jks | Bin 0 -> 838 bytes
 .../util/keystoretls/KeyStoreSSLContext.java | 6 ++-
 .../proxy/server/ProxyConfiguration.java | 2 +-
 7 files changed, 48 insertions(+), 4 deletions(-)
 create mode 100644 pulsar-broker/src/test/resources/authentication/keystoretls/pulsar_client_trust_npd.jks
 create mode 100644 pulsar-broker/src/test/resources/authentication/keystoretls/pulsar_server_trust_npd.jks

diff --git a/conf/broker.conf b/conf/broker.conf
index e46f0ca6028bb..54432ecb92365 100644
--- a/conf/broker.conf
+++ b/conf/broker.conf
@@ -622,7 +622,7 @@ tlsTrustStoreType=JKS
 # TLS TrustStore path in broker
 tlsTrustStore=
-# TLS TrustStore password in broker
+# TLS TrustStore password in broker, default value is empty password
 tlsTrustStorePassword=
 # Whether internal client use KeyStore type to authenticate with Pulsar brokers
diff --git a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/ServiceConfiguration.java b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/ServiceConfiguration.java
index ed89818509de6..9ba3f52ae36bc 100644
--- a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/ServiceConfiguration.java
+++ b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/ServiceConfiguration.java
@@ -2389,7 +2389,7 @@ public class ServiceConfiguration implements PulsarConfiguration {
 @FieldContext(
 category = CATEGORY_KEYSTORE_TLS,
- doc = "TLS TrustStore password for broker"
+ doc = "TLS TrustStore password for broker, null means empty password."
 )
 private String tlsTrustStorePassword = null;
diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/KeyStoreTlsTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/KeyStoreTlsTest.java
index 897496241bfc7..2e839b93f194f 100644
--- a/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/KeyStoreTlsTest.java
+++ b/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/KeyStoreTlsTest.java
@@ -43,6 +43,12 @@ public class KeyStoreTlsTest {
 protected final String CLIENT_TRUSTSTORE_PW = "111111";
 protected final String KEYSTORE_TYPE = "JKS";
+ protected final String BROKER_TRUSTSTORE_FILE_NPD_PATH =
+ "./src/test/resources/authentication/keystoretls/pulsar_server_trust_npd.jks";
+
+ protected final String CLIENT_TRUSTSTORE_FILE_NPD_PATH =
+ "./src/test/resources/authentication/keystoretls/pulsar_client_trust_npd.jks";
+
 public static final Provider BC_PROVIDER = getProvider();
 @Test(timeOut = 300000)
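Review bot: The new doc on `tlsTrustStorePassword` says `null means empty password`, but the `conf/broker.conf` hunk in this same patch ships `tlsTrustStorePassword=` and describes that as `default value is empty password`, so a reader cannot tell whether an empty string coming from the properties file is handled the same way as `null`. State the rule in the field doc, e.g. `doc = "TLS TrustStore password for broker. Null or empty means the trust store is opened without a password."`, but only after confirming that the configuration loader and the `KeyStoreSSLContext` change (whose hunk is not readable in this view) really treat both values alike. The same wording applies to the `ProxyConfiguration.tlsTrustStorePassword` hunk below. It is also worth one clause in the doc that opening a JKS trust store with a null password skips the store's integrity check, so operators know what the no-password option gives up.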
@@ -78,4 +84,38 @@ public void testValidate() throws Exception {
 SSLContextValidatorEngine.validate(clientSSLContext::createSSLEngine, serverSSLContext::createSSLEngine);
 }
+
+ @Test(timeOut = 300000)
+ public void testValidateKeyStoreNoPwd() throws Exception {
+ KeyStoreSSLContext serverSSLContext = new KeyStoreSSLContext(KeyStoreSSLContext.Mode.SERVER,
+ null,
+ KEYSTORE_TYPE,
+ BROKER_KEYSTORE_FILE_PATH,
+ BROKER_KEYSTORE_PW,
+ false,
+ KEYSTORE_TYPE,
+ BROKER_TRUSTSTORE_FILE_NPD_PATH,
+ null,
+ true,
+ null,
+ null);
+ serverSSLContext.createSSLContext();
+
+ KeyStoreSSLContext clientSSLContext = new KeyStoreSSLContext(KeyStoreSSLContext.Mode.CLIENT,
+ null,
+ KEYSTORE_TYPE,
+ CLIENT_KEYSTORE_FILE_PATH,
+ CLIENT_KEYSTORE_PW,
+ false,
+ KEYSTORE_TYPE,
+ CLIENT_TRUSTSTORE_FILE_NPD_PATH,
+ null,
+ false,
+ null,
+ // set client's protocol to TLSv1.2 since SSLContextValidatorEngine.validate doesn't handle TLSv1.3
+ Collections.singleton("TLSv1.2"));
+ clientSSLContext.createSSLContext();
+
+ SSLContextValidatorEngine.validate(clientSSLContext::createSSLEngine, serverSSLContext::createSSLEngine);
+ }
 }
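Review bot: `testValidateKeyStoreNoPwd` passes `null` in several of the twelve positional arguments of each `KeyStoreSSLContext` constructor call without saying which one is the trust store password under test, so the purpose of the method is only recoverable from the `_NPD_` fixture names. Add a short Javadoc, e.g. `/** Both trust stores are the password-less *_npd.jks fixtures and are opened with a null password; the handshake must still validate. */`, and tag the relevant argument inline as `null, // trust store password: none` on both the server and client calls. The test covers only the success path; whether a non-null password supplied against a password-less store is accepted or rejected is not exercised, which may deserve a companion case if that behaviour is defined. `Collections` is used on the new client call, but whether it is already imported is outside this hunk.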
diff --git a/pulsar-broker/src/test/resources/authentication/keystoretls/pulsar_client_trust_npd.jks b/pulsar-broker/src/test/resources/authentication/keystoretls/pulsar_client_trust_npd.jks new file mode 100644 index 0000000000000000000000000000000000000000..48b299cb7c1ff2ce1fbdc963ae90bb216756ae37 GIT binary patch literal 838 zcmezO_TO6u1_mY|W(3o0$%#ez`6WPZ#ozERfefq>dZq@J3=GWd22IS&22G5w7cet1 zGBJq=GyIebTPh>A^V7XjMSh`l(~>{j2E1&XT5TR}-+37sxmg(u1P%FtLd>Bo%sgz) zjzK_k4dldmjSLM;jEoJ;3@nU{qQrTPL0m&97n_zQMkQo}8Ce;an;7{SfNtSpYGPz$ z*tJ5Zi%;On(f9dE0-K%piL8)&?z~D;e9|_@|1E;gd^UCV8K>`>Z>y(}kbJ~^zsZY3 z;a6LuB4!wTnD^I^jrl|Lndc8J@?LUOJfA3i*Cvm_vWV{)tIxh~txB=afBqEZnZ{+Z zfBghj^Xc~M<{k}qisUU&Iq*(TsN{5>bLZa;2GQ=JS}IQ*1Z@^@=k4k3%sF?0MS*A5 z1p`}|662^73tyg|^<{3@qbo-gob6wq|L!SV!yX~U^!i&T*MrdFxG7}{=LMGcL>~!Q zSMFiY8+kADq8)>k=B$Z|-`gf`_ByQQ+j&GOt39gsTGIP<0-_F=ZU_7>|B$=x(60jh z_IW;j8EG3_teKb@85kD_8w4820>fICk420{M9qJ(JxjZFX~oKyB{jc_1rG&pDKwA= zNh`BR7>G4sSHKTaAk4`4pM}+c8Au@qJ1{*UJ(I&)WM$eSgOL zxbC~2omEGNL7_;*qayR0%A4n#pIFcRx@OJMCjrtgQg*G`Dz!NOoUUbm<&(P}Q_q&n zujj5`f5gDzL6q~_i3UuEQ$5a|&`J*zlUAKt-Tf?lPU)69H@S~{V-Lk$64E}nQ1W81 z#YfhCowGvT^zHAw{=WK+_pZn_tFvNuN=Ak~w@I$p_q>NMljr*qn@_VGzL%LVxHNAT zXVK2hK`E?Pg)~pFXZ%k7vZw#%!>D@4M@7<0n1aG{Z*!gee@952S-e`mG57L{WnLPU zTp5!}dDP~3US~bt|7KopZs|IC-}6V=|Md$LzpdYQasFcQvjLoq5B&>{e_Z;oG+8}o&x7*M^}z0INQHI|J_r#hCM=x>Giixt_PvTaZ}0^&I>H>i9Qmr zuH3_(H}YQQMLPy7%~=x_zqd`?>~&bpxATZnR(n+MwWRm!1VkM!-46I&{vmhWpdf zaou-4JFAWkgF=yrM@8m0l{e2fKe3+sbD%9V{eATt?_H5=R%gZRl#C2}Zj)TG?|BbjCeQaJHlJoWd@nO!aB1Ew z&Z3>0gHl+p3Td8T&-k7EWl#Ujhf(#8kBX$1Fa?F@-sU>_|BjG4vv{?BWA5b@%e*uy zxiTh|@~F-6yv};O|INJI+|qUOzUPm!|LYehep|oq;{3(pX9GAJAAW05Nqy+? 0) { diff --git a/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyConfiguration.java b/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyConfiguration.java index 41ec92f2e9ae1..155fcf5541012 100644 --- a/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyConfiguration.java 
+++ b/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyConfiguration.java
@@ -406,7 +406,7 @@ public class ProxyConfiguration implements PulsarConfiguration {
 @FieldContext(
 category = CATEGORY_KEYSTORE_TLS,
- doc = "TLS TrustStore password for proxy"
+ doc = "TLS TrustStore password for proxy, null means empty password."
 )
 private String tlsTrustStorePassword = null;