apache · anmolnar · Dec 16, 2025 · Aug 14, 2025 · Dec 16, 2025 · Dec 16, 2025
diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/common/ClientX509Util.java b/zookeeper-server/src/main/java/org/apache/zookeeper/common/ClientX509Util.java
@@ -63,20 +63,14 @@ public String getSslProviderProperty() {
 
     public SslContext createNettySslContextForClient(ZKConfig config)
         throws X509Exception.KeyManagerException, X509Exception.TrustManagerException, SSLException {
-        String keyStoreLocation = config.getProperty(getSslKeystoreLocationProperty(), "");
-        String keyStorePassword = getPasswordFromConfigPropertyOrFile(config, getSslKeystorePasswdProperty(),
-            getSslKeystorePasswdPathProperty());
-        String keyStoreType = config.getProperty(getSslKeystoreTypeProperty());
-
         SslContextBuilder sslContextBuilder = SslContextBuilder.forClient();
 
-        if (keyStoreLocation.isEmpty()) {
-            LOG.warn("{} not specified", getSslKeystoreLocationProperty());
-        } else {
-            sslContextBuilder.keyManager(createKeyManager(keyStoreLocation, keyStorePassword, keyStoreType));
+        KeyManager km = buildKeyManager(config);
+        if (km != null) {
+            sslContextBuilder.keyManager(km);
         }
 
-        TrustManager tm = getTrustManager(config);
+        TrustManager tm = buildTrustManager(config);
         if (tm != null) {
             sslContextBuilder.trustManager(tm);
         }
@@ -103,19 +97,12 @@ public SslContext createNettySslContextForClient(ZKConfig config)
 
     public SslContext createNettySslContextForServer(ZKConfig config)
         throws X509Exception.SSLContextException, X509Exception.KeyManagerException, X509Exception.TrustManagerException, SSLException {
-        String keyStoreLocation = config.getProperty(getSslKeystoreLocationProperty(), "");
-        String keyStorePassword = getPasswordFromConfigPropertyOrFile(config, getSslKeystorePasswdProperty(),
-            getSslKeystorePasswdPathProperty());
-        String keyStoreType = config.getProperty(getSslKeystoreTypeProperty());
-
-        if (keyStoreLocation.isEmpty()) {
+        KeyManager km = buildKeyManager(config);
+        if (km == null) {
             throw new X509Exception.SSLContextException(
                 "Keystore is required for SSL server: " + getSslKeystoreLocationProperty());
         }
-
-        KeyManager km = createKeyManager(keyStoreLocation, keyStorePassword, keyStoreType);
-
-        return createNettySslContextForServer(config, km, getTrustManager(config));
+        return createNettySslContextForServer(config, km, buildTrustManager(config));
     }
 
     public SslContext createNettySslContextForServer(ZKConfig config, KeyManager keyManager, TrustManager trustManager) throws SSLException {
@@ -195,27 +182,4 @@ private Iterable<String> getCipherSuites(final ZKConfig config) {
     public SslProvider getSslProvider(ZKConfig config) {
         return SslProvider.valueOf(config.getProperty(getSslProviderProperty(), "JDK"));
     }
-
-    private TrustManager getTrustManager(ZKConfig config) throws X509Exception.TrustManagerException {
-        String trustStoreLocation = config.getProperty(getSslTruststoreLocationProperty(), "");
-        String trustStorePassword = getPasswordFromConfigPropertyOrFile(config, getSslTruststorePasswdProperty(),
-            getSslTruststorePasswdPathProperty());
-        String trustStoreType = config.getProperty(getSslTruststoreTypeProperty());
-
-        boolean sslCrlEnabled = config.getBoolean(getSslCrlEnabledProperty(), Boolean.getBoolean("com.sun.net.ssl.checkRevocation"));
-        boolean sslOcspEnabled = config.getBoolean(getSslOcspEnabledProperty(), Boolean.parseBoolean(Security.getProperty("ocsp.enable")));
-        boolean sslServerHostnameVerificationEnabled = isServerHostnameVerificationEnabled(config);
-        boolean sslClientHostnameVerificationEnabled = isClientHostnameVerificationEnabled(config);
-        boolean allowReverseDnsLookup = allowReverseDnsLookup(config);
-
-        if (trustStoreLocation.isEmpty()) {
-            LOG.warn("{} not specified", getSslTruststoreLocationProperty());
-            return null;
-        } else {
-            return createTrustManager(trustStoreLocation, trustStorePassword, trustStoreType,
-                sslCrlEnabled, sslOcspEnabled, sslServerHostnameVerificationEnabled,
-                sslClientHostnameVerificationEnabled, allowReverseDnsLookup,
-                getFipsMode(config));
-        }
-    }
 }
diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java b/zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java
@@ -378,57 +378,37 @@ public SSLContextAndOptions createSSLContextAndOptions(ZKConfig config) throws S
     }
 
     public SSLContextAndOptions createSSLContextAndOptionsFromConfig(ZKConfig config) throws SSLContextException {
-        KeyManager[] keyManagers = null;
-        TrustManager[] trustManagers = null;
-
-        String keyStoreLocationProp = config.getProperty(sslKeystoreLocationProperty, "");
-        String keyStorePasswordProp = getPasswordFromConfigPropertyOrFile(config, sslKeystorePasswdProperty, sslKeystorePasswdPathProperty);
-        String keyStoreTypeProp = config.getProperty(sslKeystoreTypeProperty);
-
         // There are legal states in some use cases for null KeyManager or TrustManager.
         // But if a user wanna specify one, location is required. Password defaults to empty string if it is not
         // specified by the user.
+        KeyManager[] keyManagers = null;
+        TrustManager[] trustManagers = null;
 
-        if (keyStoreLocationProp.isEmpty()) {
-            LOG.warn("{} not specified", getSslKeystoreLocationProperty());
-        } else {
-            try {
-                keyManagers = new KeyManager[]{createKeyManager(keyStoreLocationProp, keyStorePasswordProp, keyStoreTypeProp)};
-            } catch (KeyManagerException keyManagerException) {
-                throw new SSLContextException("Failed to create KeyManager", keyManagerException);
-            } catch (IllegalArgumentException e) {
-                throw new SSLContextException("Bad value for " + sslKeystoreTypeProperty + ": " + keyStoreTypeProp, e);
+        try {
+            KeyManager km = buildKeyManager(config);
+            if (km != null) {
+                keyManagers = new KeyManager[]{km};
             }
+        } catch (KeyManagerException keyManagerException) {
+            throw new SSLContextException("Failed to create KeyManager", keyManagerException);
+        } catch (IllegalArgumentException e) {
+            String keyStoreTypeProp = config.getProperty(sslKeystoreTypeProperty);
+            throw new SSLContextException("Bad value for " + sslKeystoreTypeProperty + ": " + keyStoreTypeProp, e);
         }
 
-        String trustStoreLocationProp = config.getProperty(sslTruststoreLocationProperty, "");
-        String trustStorePasswordProp = getPasswordFromConfigPropertyOrFile(config, sslTruststorePasswdProperty, sslTruststorePasswdPathProperty);
-        String trustStoreTypeProp = config.getProperty(sslTruststoreTypeProperty);
-
-        boolean sslCrlEnabled = config.getBoolean(this.sslCrlEnabledProperty, Boolean.getBoolean("com.sun.net.ssl.checkRevocation"));
-        boolean sslOcspEnabled = config.getBoolean(this.sslOcspEnabledProperty, Boolean.parseBoolean(Security.getProperty("ocsp.enable")));
-
-        boolean sslServerHostnameVerificationEnabled = isServerHostnameVerificationEnabled(config);
-        boolean sslClientHostnameVerificationEnabled = isClientHostnameVerificationEnabled(config);
-        boolean allowReverseDnsLookup = allowReverseDnsLookup(config);
-        boolean fipsMode = getFipsMode(config);
-
-        if (trustStoreLocationProp.isEmpty()) {
-            LOG.warn("{} not specified", getSslTruststoreLocationProperty());
-        } else {
-            try {
-                trustManagers = new TrustManager[]{
-                    createTrustManager(trustStoreLocationProp, trustStorePasswordProp, trustStoreTypeProp, sslCrlEnabled,
-                        sslOcspEnabled, sslServerHostnameVerificationEnabled, sslClientHostnameVerificationEnabled,
-                        allowReverseDnsLookup, fipsMode)};
-            } catch (TrustManagerException trustManagerException) {
-                throw new SSLContextException("Failed to create TrustManager", trustManagerException);
-            } catch (IllegalArgumentException e) {
-                throw new SSLContextException("Bad value for "
-                                              + sslTruststoreTypeProperty
-                                              + ": "
-                                              + trustStoreTypeProp, e);
+        try {
+            TrustManager tm = buildTrustManager(config);
+            if (tm != null) {
+                trustManagers = new TrustManager[]{tm};
             }
+        } catch (TrustManagerException trustManagerException) {
+            throw new SSLContextException("Failed to create TrustManager", trustManagerException);
+        } catch (IllegalArgumentException e) {
+            String trustStoreTypeProp = config.getProperty(sslTruststoreTypeProperty);
+            throw new SSLContextException("Bad value for "
+                    + sslTruststoreTypeProperty
+                    + ": "
+                    + trustStoreTypeProp, e);
         }
 
         String protocol = config.getProperty(sslProtocolProperty, DEFAULT_PROTOCOL);
@@ -487,6 +467,18 @@ public String getPasswordFromConfigPropertyOrFile(final ZKConfig config,
         return value;
     }
 
+    public X509KeyManager buildKeyManager(ZKConfig config) throws KeyManagerException {
+        String keyStoreLocation = config.getProperty(getSslKeystoreLocationProperty(), "");
+        if (keyStoreLocation.isEmpty()) {
+            LOG.warn("{} not specified for X509KeyManager", getSslKeystoreLocationProperty());
+            return null;
+        }
+        String keyStorePassword = getPasswordFromConfigPropertyOrFile(config, getSslKeystorePasswdProperty(),
+                getSslKeystorePasswdPathProperty());
+        String keyStoreType = config.getProperty(getSslKeystoreTypeProperty());
+        return createKeyManager(keyStoreLocation, keyStorePassword, keyStoreType);
+    }
+
     /**
      * Creates a key manager by loading the key store from the given file of
      * the given type, optionally decrypting it using the given password.
@@ -522,6 +514,59 @@ public static X509KeyManager createKeyManager(
         }
     }
 
+    public X509TrustManager buildTrustManager(ZKConfig config) throws TrustManagerException {
+        String trustStoreLocationProp = config.getProperty(sslTruststoreLocationProperty, "");
+        if (trustStoreLocationProp.isEmpty()) {
+            LOG.warn("{} not specified for X509TrustManager", sslTruststoreLocationProperty);
+            return null;
+        }
+
+        String trustStorePasswordProp = getPasswordFromConfigPropertyOrFile(config, sslTruststorePasswdProperty, sslTruststorePasswdPathProperty);
+        String trustStoreTypeProp = config.getProperty(sslTruststoreTypeProperty);
+
+        boolean sslCrlEnabled = config.getBoolean(this.sslCrlEnabledProperty, Boolean.getBoolean("com.sun.net.ssl.checkRevocation"));
+        boolean sslOcspEnabled = config.getBoolean(this.sslOcspEnabledProperty, Boolean.parseBoolean(Security.getProperty("ocsp.enable")));
+
+        boolean sslServerHostnameVerificationEnabled = isServerHostnameVerificationEnabled(config);
+        boolean sslClientHostnameVerificationEnabled = isClientHostnameVerificationEnabled(config);
+        boolean allowReverseDnsLookup = allowReverseDnsLookup(config);
+        boolean fipsMode = getFipsMode(config);
+
+        return createTrustManagerInternal(
+                trustStoreLocationProp,
+                trustStorePasswordProp,
+                trustStoreTypeProp,
+                sslCrlEnabled,
+                sslOcspEnabled,
+                sslServerHostnameVerificationEnabled,
+                sslClientHostnameVerificationEnabled,
+                allowReverseDnsLookup,
+                fipsMode);
+    }
+
+    // @VisibleForTesting
+    protected X509TrustManager createTrustManagerInternal(
+            String trustStoreLocation,
+            String trustStorePassword,
+            String trustStoreTypeProp,
+            boolean crlEnabled,
+            boolean ocspEnabled,
+            final boolean serverHostnameVerificationEnabled,
+            final boolean clientHostnameVerificationEnabled,
+            final boolean allowReverseDnsLookup,
+            final boolean fipsMode) throws TrustManagerException {
+        return createTrustManager(
+                trustStoreLocation,
+                trustStorePassword,
+                trustStoreTypeProp,
+                crlEnabled,
+                ocspEnabled,
+                serverHostnameVerificationEnabled,
+                clientHostnameVerificationEnabled,
+                allowReverseDnsLookup,
+                fipsMode);
+    }
+
     /**
      * Creates a trust manager by loading the trust store from the given file
      * of the given type, optionally decrypting it using the given password.

diff --git a/...per-server/src/main/java/org/apache/zookeeper/server/auth/X509AuthenticationProvider.java b/...per-server/src/main/java/org/apache/zookeeper/server/auth/X509AuthenticationProvider.java
@@ -18,7 +18,6 @@
 
 package org.apache.zookeeper.server.auth;
 
-import java.security.Security;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
@@ -80,55 +79,21 @@ public class X509AuthenticationProvider implements AuthenticationProvider {
     public X509AuthenticationProvider() throws X509Exception {
         ZKConfig config = new ZKConfig();
         try (X509Util x509Util = new ClientX509Util()) {
-            String keyStoreLocation = config.getProperty(x509Util.getSslKeystoreLocationProperty(), "");
-            String keyStorePassword = x509Util.getPasswordFromConfigPropertyOrFile(config,
-                    x509Util.getSslKeystorePasswdProperty(),
-                    x509Util.getSslKeystorePasswdPathProperty());
-            String keyStoreTypeProp = config.getProperty(x509Util.getSslKeystoreTypeProperty());
-
-            boolean crlEnabled = config.getBoolean(x509Util.getSslCrlEnabledProperty(), Boolean.getBoolean("com.sun.net.ssl.checkRevocation"));
-            boolean ocspEnabled = config.getBoolean(x509Util.getSslOcspEnabledProperty(), Boolean.parseBoolean(Security.getProperty("ocsp.enable")));
-            boolean hostnameVerificationEnabled = Boolean.parseBoolean(config.getProperty(x509Util.getSslHostnameVerificationEnabledProperty()));
-            boolean clientHostnameVerificationEnabled = x509Util.isClientHostnameVerificationEnabled(config);
-            boolean allowReverseDnsLookup = Boolean.parseBoolean(config.getProperty(x509Util.getSslAllowReverseDnsLookupProperty()));
-
             X509KeyManager km = null;
             X509TrustManager tm = null;
-            if (keyStoreLocation.isEmpty()) {
-                LOG.warn("keystore not specified for client connection");
-            } else {
-                try {
-                    km = X509Util.createKeyManager(keyStoreLocation, keyStorePassword, keyStoreTypeProp);
-                } catch (KeyManagerException e) {
-                    LOG.error("Failed to create key manager", e);
-                }
-            }
 
-            String trustStoreLocation = config.getProperty(x509Util.getSslTruststoreLocationProperty(), "");
-            String trustStorePassword = x509Util.getPasswordFromConfigPropertyOrFile(config,
-                    x509Util.getSslTruststorePasswdProperty(),
-                    x509Util.getSslTruststorePasswdPathProperty());
-            String trustStoreTypeProp = config.getProperty(x509Util.getSslTruststoreTypeProperty());
-            boolean fipsMode = X509Util.getFipsMode(config);
+            try {
+                km = x509Util.buildKeyManager(config);
+            } catch (KeyManagerException e) {
+                LOG.error("Failed to create key manager", e);
+            }
 
-            if (trustStoreLocation.isEmpty()) {
-                LOG.warn("Truststore not specified for client connection");
-            } else {
-                try {
-                    tm = X509Util.createTrustManager(
-                        trustStoreLocation,
-                        trustStorePassword,
-                        trustStoreTypeProp,
-                        crlEnabled,
-                        ocspEnabled,
-                        hostnameVerificationEnabled,
-                        clientHostnameVerificationEnabled,
-                        allowReverseDnsLookup,
-                        fipsMode);
-                } catch (TrustManagerException e) {
-                    LOG.error("Failed to create trust manager", e);
-                }
+            try {
+                tm = x509Util.buildTrustManager(config);
+            } catch (TrustManagerException e) {
+                LOG.error("Failed to create trust manager", e);
             }
+
             this.keyManager = km;
             this.trustManager = tm;
         }