[DO NO MERGE] Convert from PKCS#1 to PKCS#8 in Java code

build.gradle

@@ -110,6 +110,9 @@ dependencies {
     compile "io.grpc:grpc-netty:${grpcVersion}"
     compile "io.grpc:grpc-stub:${grpcVersion}"
 
+    testRuntime 'org.bouncycastle:bcprov-jdk15on:1.58'
+    testCompile 'com.github.martinpaljak:esteid:17.11.26.1'
+    testRuntime 'io.netty:netty-tcnative-boringssl-static:2.0.28.Final'
     testCompile "io.opencensus:opencensus-api:${openCensusVersion}"
     testCompile "io.opencensus:opencensus-exporter-trace-jaeger:${openCensusVersion}"
     testRuntime "io.opencensus:opencensus-impl:${openCensusVersion}"

docker-compose2.yml

@@ -0,0 +1,259 @@
+version: "3.5"
+services:
+  zero1:
+    image: dgraph/dgraph:local
+    container_name: zero1
+    working_dir: /data/zero1
+    ports:
+      - 5180:5180
+      - 6180:6180
+    labels:
+      cluster: test
+      service: zero
+    volumes:
+      - type: bind
+        source: $GOPATH/bin
+        target: /gobin
+        read_only: true
+    command: /gobin/dgraph zero -o 100 --my=zero1:5180 --replicas 3 --raft="idx=1" --logtostderr -v=2 --bindall 
+     --expose_trace --profile_mode block --block_rate 10
+
+  zero2:
+    image: dgraph/dgraph:local
+    container_name: zero2
+    working_dir: /data/zero2
+    depends_on:
+      - zero1
+    ports:
+      - 5182:5182
+      - 6182:6182
+    labels:
+      cluster: test
+      service: zero
+    volumes:
+      - type: bind
+        source: $GOPATH/bin
+        target: /gobin
+        read_only: true
+    command: /gobin/dgraph zero -o 102 --my=zero2:5182 --replicas 3 --raft="idx=2" --logtostderr -v=2 --peer=zero1:5180
+
+  zero3:
+    image: dgraph/dgraph:local
+    container_name: zero3
+    working_dir: /data/zero3
+    depends_on:
+      - zero2
+    ports:
+      - 5183:5183
+      - 6183:6183
+    labels:
+      cluster: test
+      service: zero
+    volumes:
+      - type: bind
+        source: $GOPATH/bin
+        target: /gobin
+        read_only: true
+    command: /gobin/dgraph zero -o 103 --my=zero3:5183 --replicas 3 --raft="idx=3" --logtostderr -v=2 --peer=zero1:5180
+
+  alpha1:
+    image: dgraph/dgraph:local
+    container_name: alpha1
+    working_dir: /data/alpha1
+    volumes:
+      - type: bind
+        source: $GOPATH/bin
+        target: /gobin
+        read_only: true
+      - type: bind
+        source: ./docker-test-secret.txt
+        target: /secret/hmac
+        read_only: true
+      - type: bind
+        source: ./enc-key
+        target: /dgraph-enc/enc-key
+        read_only: true
+      - type: bind
+        source: ./tls
+        target: /dgraph-tls
+        read_only: true
+    ports:
+      - 8180:8180
+      - 9180:9180
+    labels:
+      cluster: test
+      service: alpha
+    command: /gobin/dgraph alpha --encryption "key-file=/dgraph-enc/enc-key;" --my=alpha1:7180 
+     --zero=zero1:5180 -o 100 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 
+     --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16  --acl_secret_file /dgraph-acl/hmac-secret --acl_access_ttl
+      3s --acl_cache_ttl 5s --tls_dir /dgraph-tls --tls_client_auth=REQUIREANDVERIFY 
+
+  alpha2:
+    image: dgraph/dgraph:local
+    container_name: alpha2
+    working_dir: /data/alpha2
+    depends_on:
+      - alpha1
+    volumes:
+      - type: bind
+        source: $GOPATH/bin
+        target: /gobin
+        read_only: true
+      - type: bind
+        source: ./docker-test-secret.txt
+        target: /secret/hmac
+        read_only: true
+      - type: bind
+        source: ./enc-key
+        target: /dgraph-enc/enc-key
+        read_only: true
+      - type: bind
+        source: ./tls
+        target: /dgraph-tls
+        read_only: true
+    ports:
+      - 8182:8182
+      - 9182:9182
+    labels:
+      cluster: test
+      service: alpha
+    command: /gobin/dgraph alpha --encryption "key-file=/dgraph-enc/enc-key;" --my=alpha2:7182  
+     --zero=zero1:5180 -o 102 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2
+     --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --acl_access_ttl 3s
+      --acl_cache_ttl 5s --tls_dir /dgraph-tls --tls_client_auth=REQUIREANDVERIFY 
+
+  alpha3:
+    image: dgraph/dgraph:local
+    container_name: alpha3
+    working_dir: /data/alpha3
+    depends_on:
+      - alpha2
+    volumes:
+      - type: bind
+        source: $GOPATH/bin
+        target: /gobin
+        read_only: true
+      - type: bind
+        source: ./docker-test-secret.txt
+        target: /secret/hmac
+        read_only: true
+      - type: bind
+        source: ./enc-key
+        target: /dgraph-enc/enc-key
+        read_only: true
+      - type: bind
+        source: ./tls
+        target: /dgraph-tls
+        read_only: true
+    ports:
+      - 8183:8183
+      - 9183:9183
+    labels:
+      cluster: test
+      service: alpha
+    command: /gobin/dgraph alpha --encryption "key-file=/dgraph-enc/enc-key;" --my=alpha3:7183  
+     --zero=zero1:5180 -o 103 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2
+     --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --acl_access_ttl 3s
+      --acl_cache_ttl 5s --tls_dir /dgraph-tls --tls_client_auth=REQUIREANDVERIFY 
+
+  alpha4:
+    image: dgraph/dgraph:local
+    container_name: alpha4
+    working_dir: /data/alpha4
+    depends_on:
+      - alpha3
+    volumes:
+      - type: bind
+        source: $GOPATH/bin
+        target: /gobin
+        read_only: true
+      - type: bind
+        source: ./docker-test-secret.txt
+        target: /secret/hmac
+        read_only: true
+      - type: bind
+        source: ./enc-key
+        target: /dgraph-enc/enc-key
+        read_only: true
+      - type: bind
+        source: ./tls
+        target: /dgraph-tls
+        read_only: true
+    ports:
+      - 8184:8184
+      - 9184:9184
+    labels:
+      cluster: test
+      service: alpha
+    command: /gobin/dgraph alpha --encryption "key-file=/dgraph-enc/enc-key;" --my=alpha4:7184 
+     --zero=zero1:5180 -o 104 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr 
+     -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --acl_access_ttl 3s
+      --acl_cache_ttl 5s --tls_dir /dgraph-tls --tls_client_auth=REQUIREANDVERIFY 
+
+  alpha5:
+    image: dgraph/dgraph:local
+    container_name: alpha5
+    working_dir: /data/alpha5
+    depends_on:
+      - alpha4
+    volumes:
+      - type: bind
+        source: $GOPATH/bin
+        target: /gobin
+        read_only: true
+      - type: bind
+        source: ./docker-test-secret.txt
+        target: /secret/hmac
+        read_only: true
+      - type: bind
+        source: ./enc-key
+        target: /dgraph-enc/enc-key
+        read_only: true
+      - type: bind
+        source: ./tls
+        target: /dgraph-tls
+        read_only: true
+    ports:
+      - 8185:8185
+      - 9185:9185
+    labels:
+      cluster: test
+      service: alpha
+    command: /gobin/dgraph alpha --encryption "key-file=/dgraph-enc/enc-key;" --my=alpha5:7185 
+     --zero=zero1:5180 -o 105 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr 
+     -v=2 --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --acl_access_ttl 3s
+      --acl_cache_ttl 5s --tls_dir /dgraph-tls --tls_client_auth=REQUIREANDVERIFY 
+
+  alpha6:
+    image: dgraph/dgraph:local
+    container_name: alpha6
+    working_dir: /data/alpha6
+    depends_on:
+      - alpha5
+    volumes:
+      - type: bind
+        source: $GOPATH/bin
+        target: /gobin
+        read_only: true
+      - type: bind
+        source: ./docker-test-secret.txt
+        target: /secret/hmac
+        read_only: true
+      - type: bind
+        source: ./enc-key
+        target: /dgraph-enc/enc-key
+        read_only: true
+      - type: bind
+        source: ./tls
+        target: /dgraph-tls
+        read_only: true
+    ports:
+      - 8186:8186
+      - 9186:9186
+    labels:
+      cluster: test
+      service: alpha
+    command: /gobin/dgraph alpha --encryption "key-file=/dgraph-enc/enc-key;" --my=alpha6:7186  
+     --zero=zero1:5180 -o 106 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 
+     --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --acl_secret_file /dgraph-acl/hmac-secret --acl_access_ttl 3s 
+     --acl_cache_ttl 5s --tls_dir /dgraph-tls --tls_client_auth=REQUIREANDVERIFY 

enc-key

@@ -0,0 +1 @@
+1234567890123456

src/test/java/io/dgraph/DgraphIntegrationTest.java

@@ -20,7 +20,20 @@
 import io.dgraph.DgraphProto.Operation;
 import io.grpc.ManagedChannel;
 import io.grpc.ManagedChannelBuilder;
+import io.grpc.netty.GrpcSslContexts;
+import io.grpc.netty.NettyChannelBuilder;
+import io.netty.handler.ssl.SslContext;
+import io.netty.handler.ssl.SslContextBuilder;
+import java.io.*;
+import java.nio.charset.StandardCharsets;
+import java.security.KeyPair;
+import java.security.PrivateKey;
 import java.util.concurrent.TimeUnit;
+import org.bouncycastle.openssl.PEMKeyPair;
+import org.bouncycastle.openssl.PEMParser;
+import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
+import org.bouncycastle.util.io.pem.PemObject;
+import org.bouncycastle.util.io.pem.PemWriter;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.testng.annotations.AfterClass;
@@ -35,17 +48,10 @@ public abstract class DgraphIntegrationTest {
   private static ManagedChannel channel1, channel2, channel3;
 
   @BeforeClass
-  public static void beforeClass() throws InterruptedException {
-    channel1 = ManagedChannelBuilder.forAddress("localhost", 9180).usePlaintext().build();
-    DgraphGrpc.DgraphStub stub1 = DgraphGrpc.newStub(channel1);
-
-    channel2 = ManagedChannelBuilder.forAddress("localhost", 9182).usePlaintext().build();
-    DgraphGrpc.DgraphStub stub2 = DgraphGrpc.newStub(channel2);
-
-    channel3 = ManagedChannelBuilder.forAddress("localhost", 9183).usePlaintext().build();
-    DgraphGrpc.DgraphStub stub3 = DgraphGrpc.newStub(channel3);
-
-    dgraphClient = new DgraphClient(stub1, stub2, stub3);
+  public static void beforeClass() throws InterruptedException, IOException {
+    String baseCertPath = "/home/shiva/workspace/dgraph-work/dgraph/tlstest/tls";
+    setupTLSClient(baseCertPath);
+    // setupClient();
 
     boolean succeed = false;
     boolean retry;
@@ -57,8 +63,11 @@ public static void beforeClass() throws InterruptedException {
         // we need to login as groot to perform arbitrary operations
         dgraphClient.login("groot", "password");
         succeed = true;
+        System.out.println("Logged in as groot");
       } catch (RuntimeException e) {
         // check if the error can be retried
+        System.out.println("got in as groot");
+
         Throwable exception = e;
         while (exception != null) {
           if (exception.getMessage().contains("Please retry")) {
@@ -83,6 +92,56 @@ public static void beforeClass() throws InterruptedException {
     dgraphClient.alter(Operation.newBuilder().setDropAll(true).build());
   }
 
+  private static void setupTLSClient(String baseCertPath) throws IOException {
+    // convert PKCS#1 to PKCS#8
+    PEMParser pemParser = new PEMParser(new FileReader(baseCertPath + "/client.acl.key"));
+    JcaPEMKeyConverter converter = new JcaPEMKeyConverter();
+    Object object = pemParser.readObject();
+    KeyPair pair = converter.getKeyPair((PEMKeyPair) object);
+    PrivateKey priv = pair.getPrivate();
+    byte[] privBytes = priv.getEncoded();
+
+    // PEM object from PKCS#8
+    PemObject pemObject = new PemObject("RSA PRIVATE KEY", privBytes);
+    StringWriter stringWriter = new StringWriter();
+    PemWriter pemWriter = new PemWriter(stringWriter);
+    pemWriter.writeObject(pemObject);
+    pemWriter.close();
+    String pemString = stringWriter.toString();
+
+    // Setup SSL context with keys and certificates
+    SslContextBuilder builder = GrpcSslContexts.forClient();
+    builder.trustManager(new File(baseCertPath + "/ca.crt"));
+    builder.keyManager(
+        new FileInputStream(baseCertPath + "/client.acl.crt"),
+        new ByteArrayInputStream(pemString.getBytes(StandardCharsets.UTF_8)));
+    SslContext sslContext = builder.build();
+
+    channel1 = NettyChannelBuilder.forAddress("localhost", 9180).sslContext(sslContext).build();
+    DgraphGrpc.DgraphStub stub1 = DgraphGrpc.newStub(channel1);
+
+    channel2 = NettyChannelBuilder.forAddress("localhost", 9182).sslContext(sslContext).build();
+    DgraphGrpc.DgraphStub stub2 = DgraphGrpc.newStub(channel2);
+
+    channel3 = NettyChannelBuilder.forAddress("localhost", 9183).sslContext(sslContext).build();
+    DgraphGrpc.DgraphStub stub3 = DgraphGrpc.newStub(channel3);
+
+    dgraphClient = new DgraphClient(stub1, stub2, stub3);
+  }
+
+  private static void setupClient() {
+    channel1 = ManagedChannelBuilder.forAddress("localhost", 9180).usePlaintext().build();
+    DgraphGrpc.DgraphStub stub1 = DgraphGrpc.newStub(channel1);
+
+    channel2 = ManagedChannelBuilder.forAddress("localhost", 9182).usePlaintext().build();
+    DgraphGrpc.DgraphStub stub2 = DgraphGrpc.newStub(channel2);
+
+    channel3 = ManagedChannelBuilder.forAddress("localhost", 9183).usePlaintext().build();
+    DgraphGrpc.DgraphStub stub3 = DgraphGrpc.newStub(channel3);
+
+    dgraphClient = new DgraphClient(stub1, stub2, stub3);
+  }
+
   @AfterClass
   public static void afterClass() throws InterruptedException {
     // Shutdown channel connections