Skip to content

Add Keystore support to OSS JDBC Driver#830

Merged
madhav-db merged 12 commits into
mainfrom
sslkeystore2
Jun 11, 2025
Merged

Add Keystore support to OSS JDBC Driver#830
madhav-db merged 12 commits into
mainfrom
sslkeystore2

Conversation

@madhav-db

@madhav-db madhav-db commented May 17, 2025
edited
Loading

Copy link
Copy Markdown
Collaborator

Description

This PR implements SSL client certificate authentication support in the JDBC driver. The key implementation changes include:

  1. Added a new loadKeystoreOrNull method to load client keystores from the specified path, with proper validation and error handling.

  2. Added a createKeyManagers method to generate key managers from the keystores, necessary for client certificate authentication in the SSL handshake.

  3. Enhanced createSocketFactoryRegistry to support both server certificate validation (trust managers) and client certificate authentication (key managers).

  4. Modified the createRegistryFromTrustAnchors method to integrate keystore functionality with the existing truststore handling.

Testing

Unit tests
Manual testing:
Manually created a keystore file (manual-test.jks) using the keytool command line utility.
Wrote a simple Java test that attempted to establish a connection using a validly-formatted JDBC URL pointing to localhost.
The test validated several scenarios:
A successful connection attempt with the correct keystore path and password.
A failed attempt with an incorrect password, expecting a specific exception.
A failed attempt with a non-existent keystore file, expecting a different specific exception.

Additional Notes to the Reviewer

@madhav-db
Add support for SSL client certificate authentication
12c8fb5 
- Implemented client certificate authentication via keystore configuration parameters.
- Updated `ConfiguratorUtils` to handle loading and managing keystores.
- Enhanced unit tests to cover keystore loading and client certificate scenarios.
@madhav-db
- Removed redundant null check for the keystore in createKeyManagers …
dbc1144 
…method.

- Simplified key entry verification by replacing Enumeration with a stream-based approach for better readability and performance.
@madhav-db madhav-db requested a review from gopalldb May 20, 2025 07:16
@gopalldb gopalldb requested a review from vikrantpuppala May 21, 2025 06:41
gopalldb
gopalldb reviewed May 21, 2025
View reviewed changes
Comment thread src/main/java/com/databricks/jdbc/dbclient/impl/common/ConfiguratorUtils.java Outdated
gopalldb
gopalldb reviewed May 21, 2025
View reviewed changes
Comment thread src/main/java/com/databricks/jdbc/dbclient/impl/common/ConfiguratorUtils.java Outdated
gopalldb
gopalldb reviewed Jun 5, 2025
View reviewed changes
Comment thread src/main/java/com/databricks/jdbc/dbclient/impl/common/ConfiguratorUtils.java Outdated
gopalldb
gopalldb reviewed Jun 5, 2025
View reviewed changes
Comment thread src/main/java/com/databricks/jdbc/dbclient/impl/common/ConfiguratorUtils.java Outdated
gopalldb
gopalldb reviewed Jun 5, 2025
View reviewed changes
Comment thread src/main/java/com/databricks/jdbc/dbclient/impl/common/ConfiguratorUtils.java Outdated
gopalldb
gopalldb reviewed Jun 5, 2025
View reviewed changes
Comment thread src/main/java/com/databricks/jdbc/dbclient/impl/common/ConfiguratorUtils.java Outdated
vikrantpuppala
vikrantpuppala reviewed Jun 6, 2025
View reviewed changes

@vikrantpuppala vikrantpuppala left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you add more testing details in description on how you verified the actual key store works, i don't think just unit tests would be enough

Comment thread src/main/java/com/databricks/jdbc/dbclient/impl/common/ConfiguratorUtils.java
Comment thread src/main/java/com/databricks/jdbc/dbclient/impl/common/ConfiguratorUtils.java Outdated
Comment thread src/main/java/com/databricks/jdbc/dbclient/impl/common/ConfiguratorUtils.java
Comment thread src/main/java/com/databricks/jdbc/dbclient/impl/common/ConfiguratorUtils.java Outdated
Comment thread src/main/java/com/databricks/jdbc/dbclient/impl/common/ConfiguratorUtils.java Outdated
Comment thread src/main/java/com/databricks/jdbc/dbclient/impl/common/ConfiguratorUtils.java Outdated
Comment thread src/main/java/com/databricks/jdbc/dbclient/impl/common/ConfiguratorUtils.java Outdated
Comment thread src/test/java/com/databricks/jdbc/dbclient/impl/common/ConfiguratorUtilsTest.java
@madhav-db
Refactor HTTP exception handling to use DatabricksSSLException for SS…
e3ad637 
…L/TLS errors. Update relevant classes and tests to replace DatabricksHttpException with DatabricksSSLException, ensuring proper error handling during SSL configuration and handshake processes.
@madhav-db
Update error message in DatabricksClientConfiguratorManager to reflec…
ea15c6a 
…t SSL error handling instead of HTTP error. This change enhances clarity in logging and exception management related to SSL configuration failures.
vikrantpuppala
vikrantpuppala approved these changes Jun 9, 2025
View reviewed changes

@vikrantpuppala vikrantpuppala left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add testing details in the description, lgtm otherwise

@madhav-db madhav-db merged commit 333801c into databricks:main Jun 11, 2025
16 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vikrantpuppala vikrantpuppala vikrantpuppala approved these changes

@gopalldb gopalldb Awaiting requested review from gopalldb

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@madhav-db @vikrantpuppala @gopalldb