HDDS-13781. Certificate expiry date should consider time zone daylight saving impact (#9209)

Author: ChenSammi

hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/utils/SelfSignedCertificate.java

@@ -28,8 +28,7 @@
 import java.security.KeyPair;
 import java.security.cert.X509Certificate;
 import java.time.Duration;
-import java.time.LocalDateTime;
-import java.time.ZoneId;
+import java.time.ZonedDateTime;
 import java.util.ArrayList;
 import java.util.Date;
 import java.util.List;
@@ -71,8 +70,8 @@ public final class SelfSignedCertificate {
   private String subject;
   private String clusterID;
   private String scmID;
-  private LocalDateTime beginDate;
-  private LocalDateTime endDate;
+  private ZonedDateTime beginDate;
+  private ZonedDateTime endDate;
   private KeyPair key;
   private SecurityConfig config;
   private List<GeneralName> altNames;
@@ -128,12 +127,10 @@ private X509Certificate generateCertificate(BigInteger caCertSerialId) throws Op
     X500Name name = new X500Name(dnName);
 
     // Valid from the Start of the day when we generate this Certificate.
-    Date validFrom =
-        Date.from(beginDate.atZone(ZoneId.systemDefault()).toInstant());
+    Date validFrom = Date.from(beginDate.toInstant());
 
     // Valid till end day finishes.
-    Date validTill =
-        Date.from(endDate.atZone(ZoneId.systemDefault()).toInstant());
+    Date validTill = Date.from(endDate.toInstant());
 
     X509v3CertificateBuilder builder = new X509v3CertificateBuilder(name,
         serial, validFrom, validTill, name, publicKeyInfo);
@@ -168,8 +165,8 @@ public static class Builder {
     private String subject;
     private String clusterID;
     private String scmID;
-    private LocalDateTime beginDate;
-    private LocalDateTime endDate;
+    private ZonedDateTime beginDate;
+    private ZonedDateTime endDate;
     private KeyPair key;
     private SecurityConfig config;
     private BigInteger caCertSerialId;
@@ -200,12 +197,12 @@ public Builder setScmID(String s) {
       return this;
     }
 
-    public Builder setBeginDate(LocalDateTime date) {
+    public Builder setBeginDate(ZonedDateTime date) {
       this.beginDate = date;
       return this;
     }
 
-    public Builder setEndDate(LocalDateTime date) {
+    public Builder setEndDate(ZonedDateTime date) {
       this.endDate = date;
       return this;
     }

hadoop-hdds/container-service/src/test/java/org/apache/hadoop/ozone/TestHddsSecureDatanodeInit.java

@@ -42,7 +42,7 @@
 import java.security.cert.CertificateExpiredException;
 import java.security.cert.X509Certificate;
 import java.time.Duration;
-import java.time.LocalDateTime;
+import java.time.ZonedDateTime;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.concurrent.Callable;
@@ -318,7 +318,7 @@ public void testCertificateRotation() throws Exception {
 
     Duration gracePeriod = securityConfig.getRenewalGracePeriod();
     X509Certificate newCert =
-        generateX509Cert(null, LocalDateTime.now().plus(gracePeriod), Duration.ofSeconds(CERT_LIFETIME));
+        generateX509Cert(null, ZonedDateTime.now().plus(gracePeriod), Duration.ofSeconds(CERT_LIFETIME));
     String pemCert = CertificateCodec.getPEMEncodedString(newCert);
     SCMSecurityProtocolProtos.SCMGetCertResponseProto responseProto =
         SCMSecurityProtocolProtos.SCMGetCertResponseProto
@@ -391,7 +391,7 @@ public void testCertificateRotationRecoverableFailure() throws Exception {
 
     Duration gracePeriod = securityConfig.getRenewalGracePeriod();
     X509Certificate newCert =
-        generateX509Cert(null, LocalDateTime.now().plus(gracePeriod), Duration.ofSeconds(CERT_LIFETIME));
+        generateX509Cert(null, ZonedDateTime.now().plus(gracePeriod), Duration.ofSeconds(CERT_LIFETIME));
     String pemCert = CertificateCodec.getPEMEncodedString(newCert);
     // provide an invalid SCMGetCertResponseProto. Without
     // setX509CACertificate(pemCert), signAndStoreCert will throw exception.
@@ -441,12 +441,12 @@ public void testCertificateRotationRecoverableFailure() throws Exception {
   }
 
   private static X509Certificate generateX509Cert(KeyPair keyPair,
-      LocalDateTime startDate, Duration certLifetime) throws Exception {
+      ZonedDateTime startDate, Duration certLifetime) throws Exception {
     if (keyPair == null) {
       keyPair = KeyStoreTestUtil.generateKeyPair("RSA");
     }
-    LocalDateTime start = startDate == null ? LocalDateTime.now() : startDate;
-    LocalDateTime end = start.plus(certLifetime);
+    ZonedDateTime start = startDate == null ? ZonedDateTime.now() : startDate;
+    ZonedDateTime end = start.plus(certLifetime);
     return SelfSignedCertificate.newBuilder()
         .setBeginDate(start)
         .setEndDate(end)

hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/DefaultCAServer.java

@@ -34,8 +34,8 @@
 import java.security.cert.CertPath;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
-import java.time.LocalDateTime;
-import java.time.ZoneId;
+import java.time.Duration;
+import java.time.ZonedDateTime;
 import java.util.Date;
 import java.util.List;
 import java.util.concurrent.CompletableFuture;
@@ -205,8 +205,7 @@ public Future<CertPath> requestCertificate(
       PKCS10CertificationRequest csr,
       CertificateApprover.ApprovalType approverType, NodeType role,
       String certSerialId) {
-    LocalDateTime beginDate = LocalDateTime.now();
-    LocalDateTime endDate = expiryFor(beginDate, role);
+    Duration certDuration = getDuration(role);
 
     CompletableFuture<Void> csrInspection = approver.inspectCSR(csr);
     CompletableFuture<CertPath> certPathPromise = new CompletableFuture<>();
@@ -224,7 +223,7 @@ public Future<CertPath> requestCertificate(
         break;
       case KERBEROS_TRUSTED:
       case TESTING_AUTOMATIC:
-        X509Certificate signedCertificate = signAndStoreCertificate(beginDate, endDate, csr, role, certSerialId);
+        X509Certificate signedCertificate = signAndStoreCertificate(certDuration, csr, role, certSerialId);
         CertificateCodec codec = new CertificateCodec(config, componentName);
         CertPath certPath = codec.getCertPath();
         CertPath updatedCertPath = codec.prependCertToCertPath(signedCertificate, certPath);
@@ -240,27 +239,30 @@ public Future<CertPath> requestCertificate(
     return certPathPromise;
   }
 
-  private LocalDateTime expiryFor(LocalDateTime beginDate, NodeType role) {
+  private Duration getDuration(NodeType role) {
     // When issuing certificates for sub-ca use the max certificate duration similar to self-signed root certificate.
     if (role == NodeType.SCM) {
-      return beginDate.plus(config.getMaxCertificateDuration());
+      return config.getMaxCertificateDuration();
     }
-    return beginDate.plus(config.getDefaultCertDuration());
+    return config.getDefaultCertDuration();
   }
 
   private X509Certificate signAndStoreCertificate(
-      LocalDateTime beginDate, LocalDateTime endDate, PKCS10CertificationRequest csr, NodeType role, String certSerialId
+      Duration duration, PKCS10CertificationRequest csr, NodeType role, String certSerialId
   ) throws IOException, OperatorCreationException, CertificateException {
 
+    ZonedDateTime beginDate = ZonedDateTime.now();
+    ZonedDateTime endDate = beginDate.plus(duration);
+
     lock.lock();
     X509Certificate xcert;
     try {
       Preconditions.checkState(!Strings.isNullOrEmpty(certSerialId));
       xcert = approver.sign(config,
           getPrivateKey(),
           getCACertificate(),
-          Date.from(beginDate.atZone(ZoneId.systemDefault()).toInstant()),
-          Date.from(endDate.atZone(ZoneId.systemDefault()).toInstant()),
+          Date.from(beginDate.toInstant()),
+          Date.from(endDate.toInstant()),
           csr, scmID, clusterID, certSerialId);
       if (store != null) {
         store.checkValidCertID(xcert.getSerialNumber());
@@ -486,9 +488,8 @@ private void generateRootCertificate(
       SecurityConfig securityConfig, KeyPair key)
       throws IOException, SCMSecurityException {
     Preconditions.checkNotNull(this.config);
-    LocalDateTime beginDate = LocalDateTime.now();
-    LocalDateTime endDate =
-        beginDate.plus(securityConfig.getMaxCertificateDuration());
+    ZonedDateTime beginDate = ZonedDateTime.now();
+    ZonedDateTime endDate = beginDate.plus(securityConfig.getMaxCertificateDuration());
     SelfSignedCertificate.Builder builder = SelfSignedCertificate.newBuilder()
         .setSubject(this.subject)
         .setScmID(this.scmID)

hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultCAServer.java

@@ -44,9 +44,11 @@
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.time.LocalDate;
-import java.time.LocalDateTime;
 import java.time.ZoneId;
+import java.time.ZonedDateTime;
+import java.util.Date;
 import java.util.List;
+import java.util.TimeZone;
 import java.util.UUID;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.Future;
@@ -450,9 +452,64 @@ clusterId, scmId, caStore, new DefaultProfile(),
     }
   }
 
+  @Test
+  public void testDaylightSavingZone() throws Exception {
+    TimeZone defaultTimeZone = TimeZone.getDefault();
+    TimeZone.setDefault(TimeZone.getTimeZone("America/New_York"));
+
+    String scmId = RandomStringUtils.secure().nextAlphabetic(4);
+    String clusterId = RandomStringUtils.secure().nextAlphabetic(4);
+    KeyPair keyPair =
+        new HDDSKeyGenerator(securityConfig).generateKey();
+    //TODO: generateCSR!
+    PKCS10CertificationRequest csr = new CertificateSignRequest.Builder()
+        .addDnsName("hadoop.apache.org")
+        .addIpAddress("8.8.8.8")
+        .addServiceName("OzoneMarketingCluster002")
+        .setCA(false)
+        .setClusterID(clusterId)
+        .setScmID(scmId)
+        .setSubject("Ozone Cluster")
+        .setConfiguration(securityConfig)
+        .setKey(keyPair)
+        .build()
+        .generateCSR();
+
+    CertificateServer testCA = new DefaultCAServer("testCA",
+        clusterId, scmId, caStore,
+        new DefaultProfile(),
+        Paths.get(SCM_CA_CERT_STORAGE_DIR, SCM_CA_PATH).toString());
+    testCA.init(securityConfig, CAType.ROOT);
+
+    Future<CertPath> holder = testCA.requestCertificate(
+        csr, CertificateApprover.ApprovalType.TESTING_AUTOMATIC, SCM,
+        String.valueOf(System.nanoTime()));
+    // Right now our calls are synchronous. Eventually this will have to wait.
+    assertTrue(holder.isDone());
+    //Test that the cert path returned contains the CA certificate in proper
+    // place
+    List<? extends Certificate> certBundle = holder.get().getCertificates();
+
+    // verify new created SCM certificate
+    X509Certificate certificate = (X509Certificate) certBundle.get(0);
+    Date startDate = certificate.getNotBefore();
+    Date endDate = certificate.getNotAfter();
+    assertEquals(securityConfig.getMaxCertificateDuration().toMillis(),
+        endDate.toInstant().toEpochMilli() - startDate.toInstant().toEpochMilli());
+
+    // verify root CA
+    List<? extends Certificate> certificateList = testCA.getCaCertPath().getCertificates();
+    certificate = (X509Certificate) certificateList.get(0);
+    startDate = certificate.getNotBefore();
+    endDate = certificate.getNotAfter();
+    assertEquals(securityConfig.getMaxCertificateDuration().toMillis(),
+        endDate.toInstant().toEpochMilli() - startDate.toInstant().toEpochMilli());
+    TimeZone.setDefault(defaultTimeZone);
+  }
+
   private X509Certificate generateExternalCert(KeyPair keyPair) throws Exception {
-    LocalDateTime notBefore = LocalDateTime.now();
-    LocalDateTime notAfter = notBefore.plusYears(1);
+    ZonedDateTime notBefore = ZonedDateTime.now();
+    ZonedDateTime notAfter = notBefore.plusYears(1);
     String clusterID = UUID.randomUUID().toString();
     String scmID = UUID.randomUUID().toString();
     String subject = "testRootCert";

hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/client/CertificateClientTestImpl.java

@@ -41,6 +41,7 @@
 import java.time.Duration;
 import java.time.LocalDateTime;
 import java.time.ZoneId;
+import java.time.ZonedDateTime;
 import java.util.ArrayList;
 import java.util.Date;
 import java.util.HashSet;
@@ -101,10 +102,10 @@ public CertificateClientTestImpl(OzoneConfiguration conf, boolean autoRenew)
     keyGen = new HDDSKeyGenerator(securityConfig);
     keyPair = keyGen.generateKey();
     rootKeyPair = keyGen.generateKey();
-    LocalDateTime start = LocalDateTime.now();
+    ZonedDateTime start = ZonedDateTime.now();
     String rootCACertDuration = conf.get(HDDS_X509_MAX_DURATION,
         HDDS_X509_MAX_DURATION_DEFAULT);
-    LocalDateTime end = start.plus(Duration.parse(rootCACertDuration));
+    ZonedDateTime end = start.plus(Duration.parse(rootCACertDuration));
 
     // Generate RootCA certificate
     rootCert = SelfSignedCertificate.newBuilder()
@@ -134,15 +135,14 @@ public CertificateClientTestImpl(OzoneConfiguration conf, boolean autoRenew)
         .setDigitalSignature(true)
         .setDigitalEncryption(true);
 
-    start = LocalDateTime.now();
+    start = ZonedDateTime.now();
     String certDuration = conf.get(HDDS_X509_DEFAULT_DURATION,
         HDDS_X509_DEFAULT_DURATION_DEFAULT);
     //TODO: generateCSR should not be called...
     x509Certificate = approver.sign(securityConfig, rootKeyPair.getPrivate(),
             rootCert,
-            Date.from(start.atZone(ZoneId.systemDefault()).toInstant()),
-            Date.from(start.plus(Duration.parse(certDuration))
-                .atZone(ZoneId.systemDefault()).toInstant()),
+            Date.from(start.toInstant()),
+            Date.from(start.plus(Duration.parse(certDuration)).toInstant()),
             csrBuilder.build().generateCSR(), "scm1", "cluster1",
             String.valueOf(System.nanoTime()));
     certificateMap.put(x509Certificate.getSerialNumber().toString(),
@@ -259,9 +259,9 @@ public Set<X509Certificate> getAllCaCerts() {
   }
 
   public void renewRootCA() throws Exception {
-    LocalDateTime start = LocalDateTime.now();
+    ZonedDateTime start = ZonedDateTime.now();
     Duration rootCACertDuration = securityConfig.getMaxCertificateDuration();
-    LocalDateTime end = start.plus(rootCACertDuration);
+    ZonedDateTime end = start.plus(rootCACertDuration);
     rootKeyPair = keyGen.generateKey();
     rootCert = SelfSignedCertificate.newBuilder()
         .setBeginDate(start)

hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/client/TestRootCaRotationPoller.java

@@ -27,7 +27,7 @@
 import java.security.KeyPair;
 import java.security.cert.X509Certificate;
 import java.time.Duration;
-import java.time.LocalDateTime;
+import java.time.ZonedDateTime;
 import java.util.ArrayList;
 import java.util.HashSet;
 import java.util.List;
@@ -72,7 +72,7 @@ public void setup() {
   public void testPollerDoesNotInvokeRootCaProcessor() throws Exception {
     //Given the root ca poller that knows a set of root ca certificates
     X509Certificate knownCert = generateX509Cert(
-        LocalDateTime.now(), Duration.ofSeconds(50));
+        ZonedDateTime.now(), Duration.ofSeconds(50));
     HashSet<X509Certificate> knownCerts = new HashSet<>();
     knownCerts.add(knownCert);
     List<String> certsFromScm = new ArrayList<>();
@@ -104,9 +104,9 @@ public void testPollerInvokesRootCaProcessors() throws Exception {
     //Given the root ca poller knowing a root ca certificate, and an unknown
     //root ca certificate
     X509Certificate knownCert = generateX509Cert(
-        LocalDateTime.now(), Duration.ofSeconds(50));
+        ZonedDateTime.now(), Duration.ofSeconds(50));
     X509Certificate newRootCa = generateX509Cert(
-        LocalDateTime.now(), Duration.ofSeconds(50));
+        ZonedDateTime.now(), Duration.ofSeconds(50));
     HashSet<X509Certificate> knownCerts = new HashSet<>();
     knownCerts.add(knownCert);
     List<String> certsFromScm = new ArrayList<>();
@@ -137,9 +137,9 @@ public void testPollerRetriesAfterFailure() throws Exception {
     //Given a the root ca poller knowing about a root ca certificate and the
     // SCM providing a new one
     X509Certificate knownCert = generateX509Cert(
-        LocalDateTime.now(), Duration.ofSeconds(50));
+        ZonedDateTime.now(), Duration.ofSeconds(50));
     X509Certificate newRootCa = generateX509Cert(
-        LocalDateTime.now(), Duration.ofSeconds(50));
+        ZonedDateTime.now(), Duration.ofSeconds(50));
     HashSet<X509Certificate> knownCerts = new HashSet<>();
     knownCerts.add(knownCert);
     List<String> certsFromScm = new ArrayList<>();
@@ -174,10 +174,10 @@ public void testPollerRetriesAfterFailure() throws Exception {
   }
 
   private X509Certificate generateX509Cert(
-      LocalDateTime startDate, Duration certLifetime) throws Exception {
+      ZonedDateTime startDate, Duration certLifetime) throws Exception {
     KeyPair keyPair = KeyStoreTestUtil.generateKeyPair("RSA");
-    LocalDateTime start = startDate == null ? LocalDateTime.now() : startDate;
-    LocalDateTime end = start.plus(certLifetime);
+    ZonedDateTime start = startDate == null ? ZonedDateTime.now() : startDate;
+    ZonedDateTime end = start.plus(certLifetime);
     return SelfSignedCertificate.newBuilder()
         .setBeginDate(start)
         .setEndDate(end)

hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/utils/TestCertificateCodec.java

@@ -29,7 +29,7 @@
 import java.security.cert.Certificate;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
-import java.time.LocalDateTime;
+import java.time.ZonedDateTime;
 import org.apache.commons.lang3.RandomStringUtils;
 import org.apache.hadoop.hdds.conf.OzoneConfiguration;
 import org.apache.hadoop.hdds.security.SecurityConfig;
@@ -185,8 +185,8 @@ public void testMultipleCertReadWrite() throws Exception {
   private X509Certificate generateTestCert() throws Exception {
     HDDSKeyGenerator keyGenerator =
         new HDDSKeyGenerator(securityConfig);
-    LocalDateTime startDate = LocalDateTime.now();
-    LocalDateTime endDate = startDate.plusDays(1);
+    ZonedDateTime startDate = ZonedDateTime.now();
+    ZonedDateTime endDate = startDate.plusDays(1);
     return SelfSignedCertificate.newBuilder()
         .setSubject(RandomStringUtils.secure().nextAlphabetic(4))
         .setClusterID(RandomStringUtils.secure().nextAlphabetic(4))