correctly install default ssl socket factory when no key or trust sto…

…re (#13589)
apache · Jul 18, 2024 · 697f58c · 697f58c
1 parent 55f519f
commit 697f58c
Show file tree

Hide file tree

Showing 3 changed files with 391 additions and 351 deletions.
diff --git a/pinot-common/src/main/java/org/apache/pinot/common/utils/tls/TlsUtils.java b/pinot-common/src/main/java/org/apache/pinot/common/utils/tls/TlsUtils.java
@@ -29,6 +29,7 @@
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.net.URL;
+import java.security.GeneralSecurityException;
 import java.security.KeyStore;
 import java.security.SecureRandom;
 import java.util.concurrent.atomic.AtomicReference;
@@ -60,6 +61,7 @@ public final class TlsUtils {
   private static final String TRUSTSTORE_PATH = "truststore.path";
   private static final String TRUSTSTORE_PASSWORD = "truststore.password";
   private static final String SSL_PROVIDER = "ssl.provider";
+  private static final String SSL_CONTEXT_PROTOCOL = "SSL";
 
   private static final String FILE_SCHEME = "file";
   private static final String FILE_SCHEME_PREFIX = FILE_SCHEME + "://";
@@ -227,19 +229,28 @@ public static void installDefaultSSLSocketFactory(String keyStoreType, String ke
       String trustStoreType, String trustStorePath, String trustStorePassword) {
     try {
       SecureRandom secureRandom = new SecureRandom();
-      SSLFactory sslFactory = RenewableTlsUtils.createSSLFactory(keyStoreType, keyStorePath, keyStorePassword,
-          trustStoreType, trustStorePath, trustStorePassword,
-          "SSL", secureRandom, true, false);
-      if (isKeyOrTrustStorePathNullOrHasFileScheme(keyStorePath)
-          && isKeyOrTrustStorePathNullOrHasFileScheme(trustStorePath)) {
-        RenewableTlsUtils.enableAutoRenewalFromFileStoreForSSLFactory(sslFactory, keyStoreType, keyStorePath,
-            keyStorePassword, trustStoreType, trustStorePath, trustStorePassword, "SSL", secureRandom,
-            PinotInsecureMode::isPinotInInsecureMode);
+      SSLContext sc;
+      if (keyStorePath == null && trustStorePath == null) {
+        // When neither keyStorePath nor trustStorePath is provided, a SSLFactory cannot be created. create SSLContext
+        // directly and use the default key manager and trust manager.
+        sc = SSLContext.getInstance(SSL_CONTEXT_PROTOCOL);
+        sc.init(null, null, secureRandom);
+      } else {
+        SSLFactory sslFactory =
+            RenewableTlsUtils.createSSLFactory(keyStoreType, keyStorePath, keyStorePassword, trustStoreType,
+                trustStorePath, trustStorePassword, SSL_CONTEXT_PROTOCOL, secureRandom, true, false);
+        if (isKeyOrTrustStorePathNullOrHasFileScheme(keyStorePath) && isKeyOrTrustStorePathNullOrHasFileScheme(
+            trustStorePath)) {
+          RenewableTlsUtils.enableAutoRenewalFromFileStoreForSSLFactory(sslFactory, keyStoreType, keyStorePath,
+              keyStorePassword, trustStoreType, trustStorePath, trustStorePassword, SSL_CONTEXT_PROTOCOL, secureRandom,
+              PinotInsecureMode::isPinotInInsecureMode);
+        }
+        sc = sslFactory.getSslContext();
       }
       // HttpsURLConnection
-      HttpsURLConnection.setDefaultSSLSocketFactory(sslFactory.getSslSocketFactory());
-      setSslContext(sslFactory.getSslContext());
-    } catch (GenericSSLContextException e) {
+      HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
+      setSslContext(sc);
+    } catch (GenericSSLContextException | GeneralSecurityException e) {
       throw new IllegalStateException("Could not initialize SSL support", e);
     }
   }