ARTEMIS-1926 refactor SSLSupport

Justin Bertram 2018-06-12 15:27:48 -05:00 committed by Clebert Suconic
parent 16b2bcba68
commit 57ed5b0530
10 changed files with 296 additions and 122 deletions


@ -533,7 +533,7 @@ public class NettyConnector extends AbstractConnector {
if (sslProvider.equals(TransportConstants.OPENSSL_PROVIDER)) { if (sslProvider.equals(TransportConstants.OPENSSL_PROVIDER)) {
engine = loadOpenSslEngine(channel.alloc(), realKeyStoreProvider, realKeyStorePath, realKeyStorePassword, realTrustStoreProvider, realTrustStorePath, realTrustStorePassword); engine = loadOpenSslEngine(channel.alloc(), realKeyStoreProvider, realKeyStorePath, realKeyStorePassword, realTrustStoreProvider, realTrustStorePath, realTrustStorePassword);
} else { } else {
engine = loadJdkSslEngine(useDefaultSslContext, realKeyStoreProvider, realKeyStorePath, realKeyStorePassword, realTrustStoreProvider, realTrustStorePath, realTrustStorePassword); engine = loadJdkSslEngine(realKeyStoreProvider, realKeyStorePath, realKeyStorePassword, realTrustStoreProvider, realTrustStorePath, realTrustStorePassword);
} }
engine.setUseClientMode(true); engine.setUseClientMode(true);
@ -607,18 +607,26 @@ public class NettyConnector extends AbstractConnector {
ActiveMQClientLogger.LOGGER.startedNettyConnector(connectorType, TransportConstants.NETTY_VERSION, host, port); ActiveMQClientLogger.LOGGER.startedNettyConnector(connectorType, TransportConstants.NETTY_VERSION, host, port);
} }
private SSLEngine loadJdkSslEngine(boolean useDefaultSslContext, private SSLEngine loadJdkSslEngine(String keystoreProvider,
String realKeyStoreProvider, String keystorePath,
String realKeyStorePath, String keystorePassword,
String realKeyStorePassword, String truststoreProvider,
String realTrustStoreProvider, String truststorePath,
String realTrustStorePath, String truststorePassword) throws Exception {
String realTrustStorePassword) throws Exception {
SSLContext context; SSLContext context;
if (useDefaultSslContext) { if (useDefaultSslContext) {
context = SSLContext.getDefault(); context = SSLContext.getDefault();
} else { } else {
context = SSLSupport.createContext(realKeyStoreProvider, realKeyStorePath, realKeyStorePassword, realTrustStoreProvider, realTrustStorePath, realTrustStorePassword, trustAll, crlPath); context = new SSLSupport()
.setKeystoreProvider(keystoreProvider)
.setKeystorePath(keystorePath)
.setKeystorePassword(keystorePassword)
.setTruststoreProvider(truststoreProvider)
.setTruststorePath(truststorePath)
.setTruststorePassword(truststorePassword)
.setTrustAll(trustAll)
.setCrlPath(crlPath)
.createContext();
} }
Subject subject = null; Subject subject = null;
if (kerb5Config != null) { if (kerb5Config != null) {
@ -642,14 +650,24 @@ public class NettyConnector extends AbstractConnector {
} }
private SSLEngine loadOpenSslEngine(ByteBufAllocator alloc, private SSLEngine loadOpenSslEngine(ByteBufAllocator alloc,
String realKeyStoreProvider, String keystoreProvider,
String realKeyStorePath, String keystorePath,
String realKeyStorePassword, String keystorePassword,
String realTrustStoreProvider, String truststoreProvider,
String realTrustStorePath, String truststorePath,
String realTrustStorePassword) throws Exception { String truststorePassword) throws Exception {
SslContext context = SSLSupport.createNettyClientContext(realKeyStoreProvider, realKeyStorePath, realKeyStorePassword, realTrustStoreProvider, realTrustStorePath, realTrustStorePassword, sslProvider, trustAll);
SslContext context = new SSLSupport()
.setKeystoreProvider(keystoreProvider)
.setKeystorePath(keystorePath)
.setKeystorePassword(keystorePassword)
.setTruststoreProvider(truststoreProvider)
.setTruststorePath(truststorePath)
.setTruststorePassword(truststorePassword)
.setSslProvider(sslProvider)
.setTrustAll(trustAll)
.createNettyClientContext();
Subject subject = null; Subject subject = null;
if (kerb5Config != null) { if (kerb5Config != null) {
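Review bot: loadOpenSslEngine builds its client context without `.setCrlPath(crlPath)`, while loadJdkSslEngine at the top of this section does pass it, so revocation checking configured on the connector is applied only when the JDK provider is selected. The old static createNettyClientContext had no crlPath argument, so this preserves prior behaviour, but SSLSupport.loadTrustManagerFactory() now reads crlPath from the instance for every context type, and adding `.setCrlPath(crlPath)` before `.setTrustAll(trustAll)` would make the two providers consistent — or a short comment stating that CRLs are intentionally JDK-only. The `if (useDefaultSslContext)` check in loadJdkSslEngine now reads a field rather than the dropped parameter; presumably the connector sets that field from its configuration before either method runs, which is worth confirming. Both engine-loading methods continue past the end of their hunks.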


@ -44,6 +44,7 @@ import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder; import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider; import io.netty.handler.ssl.SslProvider;
import io.netty.handler.ssl.util.InsecureTrustManagerFactory; import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants;
import org.apache.activemq.artemis.utils.ClassloadingUtil; import org.apache.activemq.artemis.utils.ClassloadingUtil;
/** /**
@ -53,80 +54,117 @@ import org.apache.activemq.artemis.utils.ClassloadingUtil;
* null keystore path. * null keystore path.
*/ */
public class SSLSupport { public class SSLSupport {
// Public -------------------------------------------------------- private String keystoreProvider = TransportConstants.DEFAULT_KEYSTORE_PROVIDER;
private String keystorePath = TransportConstants.DEFAULT_KEYSTORE_PATH;
private String keystorePassword = TransportConstants.DEFAULT_KEYSTORE_PASSWORD;
private String truststoreProvider = TransportConstants.DEFAULT_TRUSTSTORE_PROVIDER;
private String truststorePath = TransportConstants.DEFAULT_TRUSTSTORE_PATH;
private String truststorePassword = TransportConstants.DEFAULT_TRUSTSTORE_PASSWORD;
private String crlPath = TransportConstants.DEFAULT_CRL_PATH;
private String sslProvider = TransportConstants.DEFAULT_SSL_PROVIDER;
private boolean trustAll = TransportConstants.DEFAULT_TRUST_ALL;
public static SSLContext createContext(final String keystoreProvider, public String getKeystoreProvider() {
final String keystorePath, return keystoreProvider;
final String keystorePassword,
final String trustStoreProvider,
final String trustStorePath,
final String trustStorePassword) throws Exception {
return SSLSupport.createContext(keystoreProvider, keystorePath, keystorePassword, trustStoreProvider, trustStorePath, trustStorePassword, false, null);
} }
public static SSLContext createContext(final String keystoreProvider, public SSLSupport setKeystoreProvider(String keystoreProvider) {
final String keystorePath, this.keystoreProvider = keystoreProvider;
final String keystorePassword, return this;
final String trustStoreProvider,
final String trustStorePath,
final String trustStorePassword,
final String crlPath) throws Exception {
return SSLSupport.createContext(keystoreProvider, keystorePath, keystorePassword, trustStoreProvider, trustStorePath, trustStorePassword, false, crlPath);
} }
public static SSLContext createContext(final String keystoreProvider, public String getKeystorePath() {
final String keystorePath, return keystorePath;
final String keystorePassword,
final String trustStoreProvider,
final String trustStorePath,
final String trustStorePassword,
final boolean trustAll) throws Exception {
return SSLSupport.createContext(keystoreProvider, keystorePath, keystorePassword, trustStoreProvider, trustStorePath, trustStorePassword, trustAll, null);
} }
public static SSLContext createContext(final String keystoreProvider, public SSLSupport setKeystorePath(String keystorePath) {
final String keystorePath, this.keystorePath = keystorePath;
final String keystorePassword, return this;
final String trustStoreProvider, }
final String trustStorePath,
final String trustStorePassword, public String getKeystorePassword() {
final boolean trustAll, return keystorePassword;
final String crlPath) throws Exception { }
public SSLSupport setKeystorePassword(String keystorePassword) {
this.keystorePassword = keystorePassword;
return this;
}
public String getTruststoreProvider() {
return truststoreProvider;
}
public SSLSupport setTruststoreProvider(String truststoreProvider) {
this.truststoreProvider = truststoreProvider;
return this;
}
public String getTruststorePath() {
return truststorePath;
}
public SSLSupport setTruststorePath(String truststorePath) {
this.truststorePath = truststorePath;
return this;
}
public String getTruststorePassword() {
return truststorePassword;
}
public SSLSupport setTruststorePassword(String truststorePassword) {
this.truststorePassword = truststorePassword;
return this;
}
public String getCrlPath() {
return crlPath;
}
public SSLSupport setCrlPath(String crlPath) {
this.crlPath = crlPath;
return this;
}
public String getSslProvider() {
return sslProvider;
}
public SSLSupport setSslProvider(String sslProvider) {
this.sslProvider = sslProvider;
return this;
}
public boolean isTrustAll() {
return trustAll;
}
public SSLSupport setTrustAll(boolean trustAll) {
this.trustAll = trustAll;
return this;
}
public SSLContext createContext() throws Exception {
SSLContext context = SSLContext.getInstance("TLS"); SSLContext context = SSLContext.getInstance("TLS");
KeyManager[] keyManagers = SSLSupport.loadKeyManagers(keystoreProvider, keystorePath, keystorePassword); KeyManager[] keyManagers = loadKeyManagers();
TrustManager[] trustManagers = SSLSupport.loadTrustManager(trustStoreProvider, trustStorePath, trustStorePassword, trustAll, crlPath); TrustManager[] trustManagers = loadTrustManagers();
context.init(keyManagers, trustManagers, new SecureRandom()); context.init(keyManagers, trustManagers, new SecureRandom());
return context; return context;
} }
public static SslContext createNettyContext(final String keystoreProvider, public SslContext createNettyContext() throws Exception {
final String keystorePath,
final String keystorePassword,
final String trustStoreProvider,
final String trustStorePath,
final String trustStorePassword,
final String sslProvider) throws Exception {
KeyStore keyStore = SSLSupport.loadKeystore(keystoreProvider, keystorePath, keystorePassword); KeyStore keyStore = SSLSupport.loadKeystore(keystoreProvider, keystorePath, keystorePassword);
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, keystorePassword.toCharArray()); keyManagerFactory.init(keyStore, keystorePassword.toCharArray());
return SslContextBuilder.forServer(keyManagerFactory).sslProvider(SslProvider.valueOf(sslProvider)).trustManager(SSLSupport.loadTrustManagerFactory(trustStoreProvider, trustStorePath, trustStorePassword, false, null)).build(); return SslContextBuilder.forServer(keyManagerFactory).sslProvider(SslProvider.valueOf(sslProvider)).trustManager(loadTrustManagerFactory()).build();
} }
public static SslContext createNettyClientContext(final String keystoreProvider, public SslContext createNettyClientContext() throws Exception {
final String keystorePath,
final String keystorePassword,
final String trustStoreProvider,
final String trustStorePath,
final String trustStorePassword,
final String sslProvider,
final boolean trustAll ) throws Exception {
KeyStore keyStore = SSLSupport.loadKeystore(keystoreProvider, keystorePath, keystorePassword); KeyStore keyStore = SSLSupport.loadKeystore(keystoreProvider, keystorePath, keystorePassword);
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, keystorePassword == null ? null : keystorePassword.toCharArray()); keyManagerFactory.init(keyStore, keystorePassword == null ? null : keystorePassword.toCharArray());
return SslContextBuilder.forClient().sslProvider(SslProvider.valueOf(sslProvider)).keyManager(keyManagerFactory).trustManager(SSLSupport.loadTrustManagerFactory(trustStoreProvider, trustStorePath, trustStorePassword, trustAll, null)).build(); return SslContextBuilder.forClient().sslProvider(SslProvider.valueOf(sslProvider)).keyManager(keyManagerFactory).trustManager(loadTrustManagerFactory()).build();
} }
@ -151,19 +189,15 @@ public class SSLSupport {
} }
// Private ------------------------------------------------------- // Private -------------------------------------------------------
private static TrustManagerFactory loadTrustManagerFactory(final String trustStoreProvider, private TrustManagerFactory loadTrustManagerFactory() throws Exception {
final String trustStorePath,
final String trustStorePassword,
final boolean trustAll,
final String crlPath) throws Exception {
if (trustAll) { if (trustAll) {
//This is useful for testing but not should be used outside of that purpose //This is useful for testing but not should be used outside of that purpose
return InsecureTrustManagerFactory.INSTANCE; return InsecureTrustManagerFactory.INSTANCE;
} else if (trustStorePath == null && (trustStoreProvider == null || !"PKCS11".equals(trustStoreProvider.toUpperCase()))) { } else if (truststorePath == null && (truststoreProvider == null || !"PKCS11".equals(truststoreProvider.toUpperCase()))) {
return null; return null;
} else { } else {
TrustManagerFactory trustMgrFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); TrustManagerFactory trustMgrFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
KeyStore trustStore = SSLSupport.loadKeystore(trustStoreProvider, trustStorePath, trustStorePassword); KeyStore trustStore = SSLSupport.loadKeystore(truststoreProvider, truststorePath, truststorePassword);
boolean ocsp = Boolean.valueOf(Security.getProperty("ocsp.enable")); boolean ocsp = Boolean.valueOf(Security.getProperty("ocsp.enable"));
boolean initialized = false; boolean initialized = false;
@ -171,7 +205,7 @@ public class SSLSupport {
PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustStore, new X509CertSelector()); PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustStore, new X509CertSelector());
if (crlPath != null) { if (crlPath != null) {
pkixParams.setRevocationEnabled(true); pkixParams.setRevocationEnabled(true);
Collection<? extends CRL> crlList = loadCRL(crlPath); Collection<? extends CRL> crlList = loadCRL();
if (crlList != null) { if (crlList != null) {
pkixParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crlList))); pkixParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crlList)));
} }
@ -187,25 +221,19 @@ public class SSLSupport {
} }
} }
private static TrustManager[] loadTrustManager(final String trustStoreProvider, private TrustManager[] loadTrustManagers() throws Exception {
final String trustStorePath, TrustManagerFactory trustManagerFactory = loadTrustManagerFactory();
final String trustStorePassword,
final boolean trustAll,
final String crlPath) throws Exception {
TrustManagerFactory trustManagerFactory = loadTrustManagerFactory(trustStoreProvider, trustStorePath, trustStorePassword, trustAll, crlPath);
if (trustManagerFactory == null) { if (trustManagerFactory == null) {
return null; return null;
} }
return trustManagerFactory.getTrustManagers(); return trustManagerFactory.getTrustManagers();
} }
private static Collection<? extends CRL> loadCRL(String crlPath) throws Exception { private Collection<? extends CRL> loadCRL() throws Exception {
if (crlPath == null) { if (crlPath == null) {
return null; return null;
} }
URL resource = validateStoreURL(crlPath);
URL resource = SSLSupport.validateStoreURL(crlPath);
try (InputStream is = resource.openStream()) { try (InputStream is = resource.openStream()) {
return CertificateFactory.getInstance("X.509").generateCRLs(is); return CertificateFactory.getInstance("X.509").generateCRLs(is);
} }
@ -233,25 +261,20 @@ public class SSLSupport {
return ks; return ks;
} }
private static KeyManager[] loadKeyManagers(final String keyStoreProvider, private KeyManager[] loadKeyManagers() throws Exception {
final String keystorePath, KeyManagerFactory factory = loadKeyManagerFactory();
final String keystorePassword) throws Exception {
KeyManagerFactory factory = loadKeyManagerFactory(keyStoreProvider, keystorePath, keystorePassword);
if (factory == null) { if (factory == null) {
return null; return null;
} }
return factory.getKeyManagers(); return factory.getKeyManagers();
} }
private static KeyManagerFactory loadKeyManagerFactory(final String keyStoreProvider, private KeyManagerFactory loadKeyManagerFactory() throws Exception {
final String keystorePath, if (keystorePath == null && (keystoreProvider == null || !"PKCS11".equals(keystoreProvider.toUpperCase()))) {
final String keystorePassword) throws Exception {
if (keystorePath == null && (keyStoreProvider == null || !"PKCS11".equals(keyStoreProvider.toUpperCase()))) {
return null; return null;
} else { } else {
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
KeyStore ks = SSLSupport.loadKeystore(keyStoreProvider, keystorePath, keystorePassword); KeyStore ks = SSLSupport.loadKeystore(keystoreProvider, keystorePath, keystorePassword);
kmf.init(ks, keystorePassword == null ? null : keystorePassword.toCharArray()); kmf.init(ks, keystorePassword == null ? null : keystorePassword.toCharArray());
return kmf; return kmf;
} }
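Review bot: createNettyContext() now goes through the no-argument loadTrustManagerFactory(), which returns InsecureTrustManagerFactory.INSTANCE whenever trustAll is set; the removed static overload hard-coded `false` for the server path, so a server-side SslContext can now be built that accepts any client certificate if a caller chains `.setTrustAll(true)` before `.createNettyContext()`. If that widening is not intended, the server method should refuse the flag, e.g. `if (trustAll) throw new IllegalStateException("trustAll is not supported for server contexts");` as its first statement; if it is intended, the class Javadoc should say that trustAll now applies to server contexts as well. The same refactor makes both Netty contexts honour crlPath (previously passed as null), which is an improvement but is likewise undocumented. Separately, createNettyContext() calls `keystorePassword.toCharArray()` unguarded while createNettyClientContext() null-checks it; the password now defaults from TransportConstants so a null may be rarer, but the two methods should handle it the same way.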


@ -542,7 +542,15 @@ public class NettyAcceptor extends AbstractAcceptor {
try { try {
if (kerb5Config == null && keyStorePath == null && TransportConstants.DEFAULT_TRUSTSTORE_PROVIDER.equals(keyStoreProvider)) if (kerb5Config == null && keyStorePath == null && TransportConstants.DEFAULT_TRUSTSTORE_PROVIDER.equals(keyStoreProvider))
throw new IllegalArgumentException("If \"" + TransportConstants.SSL_ENABLED_PROP_NAME + "\" is true then \"" + TransportConstants.KEYSTORE_PATH_PROP_NAME + "\" must be non-null " + "unless an alternative \"" + TransportConstants.KEYSTORE_PROVIDER_PROP_NAME + "\" has been specified."); throw new IllegalArgumentException("If \"" + TransportConstants.SSL_ENABLED_PROP_NAME + "\" is true then \"" + TransportConstants.KEYSTORE_PATH_PROP_NAME + "\" must be non-null " + "unless an alternative \"" + TransportConstants.KEYSTORE_PROVIDER_PROP_NAME + "\" has been specified.");
context = SSLSupport.createContext(keyStoreProvider, keyStorePath, keyStorePassword, trustStoreProvider, trustStorePath, trustStorePassword, crlPath); context = new SSLSupport()
.setKeystoreProvider(keyStoreProvider)
.setKeystorePath(keyStorePath)
.setKeystorePassword(keyStorePassword)
.setTruststoreProvider(trustStoreProvider)
.setTruststorePath(trustStorePath)
.setTruststorePassword(trustStorePassword)
.setCrlPath(crlPath)
.createContext();
} catch (Exception e) { } catch (Exception e) {
IllegalStateException ise = new IllegalStateException("Unable to create NettyAcceptor for " + host + ":" + port); IllegalStateException ise = new IllegalStateException("Unable to create NettyAcceptor for " + host + ":" + port);
ise.initCause(e); ise.initCause(e);
@ -573,7 +581,15 @@ public class NettyAcceptor extends AbstractAcceptor {
try { try {
if (kerb5Config == null && keyStorePath == null && TransportConstants.DEFAULT_TRUSTSTORE_PROVIDER.equals(keyStoreProvider)) if (kerb5Config == null && keyStorePath == null && TransportConstants.DEFAULT_TRUSTSTORE_PROVIDER.equals(keyStoreProvider))
throw new IllegalArgumentException("If \"" + TransportConstants.SSL_ENABLED_PROP_NAME + "\" is true then \"" + TransportConstants.KEYSTORE_PATH_PROP_NAME + "\" must be non-null " + "unless an alternative \"" + TransportConstants.KEYSTORE_PROVIDER_PROP_NAME + "\" has been specified."); throw new IllegalArgumentException("If \"" + TransportConstants.SSL_ENABLED_PROP_NAME + "\" is true then \"" + TransportConstants.KEYSTORE_PATH_PROP_NAME + "\" must be non-null " + "unless an alternative \"" + TransportConstants.KEYSTORE_PROVIDER_PROP_NAME + "\" has been specified.");
context = SSLSupport.createNettyContext(keyStoreProvider, keyStorePath, keyStorePassword, trustStoreProvider, trustStorePath, trustStorePassword, sslProvider); context = new SSLSupport()
.setKeystoreProvider(keyStoreProvider)
.setKeystorePath(keyStorePath)
.setKeystorePassword(keyStorePassword)
.setTruststoreProvider(trustStoreProvider)
.setTruststorePath(trustStorePath)
.setTruststorePassword(trustStorePassword)
.setSslProvider(sslProvider)
.createNettyContext();
} catch (Exception e) { } catch (Exception e) {
IllegalStateException ise = new IllegalStateException("Unable to create NettyAcceptor for " + host + ":" + port); IllegalStateException ise = new IllegalStateException("Unable to create NettyAcceptor for " + host + ":" + port);
ise.initCause(e); ise.initCause(e);
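Review bot: The OpenSSL branch in the second hunk builds its context without `.setCrlPath(crlPath)` although the JDK branch in the first hunk sets it, so switching the acceptor to the OpenSSL provider silently drops any CRL checking that was configured. Before this change createNettyContext had no CRL parameter, so the gap is pre-existing, but SSLSupport now honours crlPath for Netty contexts and adding `.setCrlPath(crlPath)` before `.setSslProvider(sslProvider)` would close it; if the omission is deliberate, a comment saying so at that call would help the next reader. The two builder chains also repeat the same six setter calls and could come from one private helper that returns a pre-populated SSLSupport. Both try blocks continue outside the hunks.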


@ -232,7 +232,14 @@ public class ConnectorServerFactory {
//todo fix //todo fix
private void setupSsl() throws Exception { private void setupSsl() throws Exception {
SSLContext context = SSLSupport.createContext(keyStoreProvider, keyStorePath, keyStorePassword, trustStoreProvider, trustStorePath, trustStorePassword); SSLContext context = new SSLSupport()
.setKeystoreProvider(keyStoreProvider)
.setKeystorePath(keyStorePath)
.setKeystorePassword(keyStorePassword)
.setTruststoreProvider(trustStoreProvider)
.setTruststorePath(trustStorePath)
.setTruststorePassword(trustStorePassword)
.createContext();
SSLServerSocketFactory sssf = context.getServerSocketFactory(); SSLServerSocketFactory sssf = context.getServerSocketFactory();
RMIServerSocketFactory rssf = new ArtemisSslRMIServerSocketFactory(sssf, this.isClientAuth(), rmiServerHost); RMIServerSocketFactory rssf = new ArtemisSslRMIServerSocketFactory(sssf, this.isClientAuth(), rmiServerHost);
RMIClientSocketFactory rcsf = new SslRMIClientSocketFactory(); RMIClientSocketFactory rcsf = new SslRMIClientSocketFactory();


@ -177,9 +177,13 @@ public class WebServerComponentTest extends Assert {
webServerComponent.start(); webServerComponent.start();
final int port = webServerComponent.getPort(); final int port = webServerComponent.getPort();
// Make the connection attempt. // Make the connection attempt.
String keyStoreProvider = "JKS";
SSLContext context = SSLSupport.createContext(keyStoreProvider, webServerDTO.keyStorePath, webServerDTO.getKeyStorePassword(), keyStoreProvider, webServerDTO.keyStorePath, webServerDTO.getKeyStorePassword()); SSLContext context = new SSLSupport()
.setKeystorePath(webServerDTO.keyStorePath)
.setKeystorePassword(webServerDTO.getKeyStorePassword())
.setTruststorePath(webServerDTO.keyStorePath)
.setTruststorePassword(webServerDTO.getKeyStorePassword())
.createContext();
SSLEngine engine = context.createSSLEngine(); SSLEngine engine = context.createSSLEngine();
engine.setUseClientMode(true); engine.setUseClientMode(true);
@ -233,9 +237,13 @@ public class WebServerComponentTest extends Assert {
webServerComponent.start(); webServerComponent.start();
final int port = webServerComponent.getPort(); final int port = webServerComponent.getPort();
// Make the connection attempt. // Make the connection attempt.
String keyStoreProvider = "JKS";
SSLContext context = SSLSupport.createContext(keyStoreProvider, webServerDTO.keyStorePath, webServerDTO.getKeyStorePassword(), keyStoreProvider, webServerDTO.trustStorePath, webServerDTO.getTrustStorePassword()); SSLContext context = new SSLSupport()
.setKeystorePath(webServerDTO.keyStorePath)
.setKeystorePassword(webServerDTO.getKeyStorePassword())
.setTruststorePath(webServerDTO.trustStorePath)
.setTruststorePassword(webServerDTO.getTrustStorePassword())
.createContext();
SSLEngine engine = context.createSSLEngine(); SSLEngine engine = context.createSSLEngine();
engine.setUseClientMode(true); engine.setUseClientMode(true);
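Review bot: Both hunks drop the explicit `"JKS"` provider and now rely on SSLSupport's defaults from TransportConstants, so these tests (and the same pattern in MqttCrlEnabledExample, MQTTSecurityCRLTest, CoreClientOverOneWaySSLTest and NettyConnectorWithHTTPUpgradeTest) will change meaning silently if DEFAULT_KEYSTORE_PROVIDER or DEFAULT_TRUSTSTORE_PROVIDER is ever changed. That is presumably the intent of the refactor, but a one-line comment at the first call such as `// store type intentionally left at the TransportConstants default` would make the dependency explicit. The surrounding test methods start before the hunks.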


@ -72,7 +72,12 @@ public class MqttCrlEnabledExample {
mqtt.setConnectAttemptsMax(0); mqtt.setConnectAttemptsMax(0);
mqtt.setReconnectAttemptsMax(0); mqtt.setReconnectAttemptsMax(0);
mqtt.setHost(host); mqtt.setHost(host);
mqtt.setSslContext(SSLSupport.createContext("JKS", keystorePath, keystorePass, "JKS", truststorePath, truststorePass)); mqtt.setSslContext(new SSLSupport()
.setKeystorePath(keystorePath)
.setKeystorePassword(keystorePass)
.setTruststorePath(truststorePath)
.setTruststorePassword(truststorePass)
.createContext());
mqtt.setCleanSession(true); mqtt.setCleanSession(true);
BlockingConnection connection = mqtt.blockingConnection(); BlockingConnection connection = mqtt.blockingConnection();


@ -235,7 +235,12 @@ public class MQTTSecurityCRLTest extends ActiveMQTestBase {
mqtt.setConnectAttemptsMax(1); mqtt.setConnectAttemptsMax(1);
mqtt.setReconnectAttemptsMax(0); mqtt.setReconnectAttemptsMax(0);
mqtt.setHost(host); mqtt.setHost(host);
SSLContext sslContext = SSLSupport.createContext(TransportConstants.DEFAULT_KEYSTORE_PROVIDER, keystorePath, keystorePass, TransportConstants.DEFAULT_TRUSTSTORE_PROVIDER, truststorePath, truststorePass); SSLContext sslContext = new SSLSupport()
.setKeystorePath(keystorePath)
.setKeystorePassword(keystorePass)
.setTruststorePath(truststorePath)
.setTruststorePassword(truststorePass)
.createContext();
mqtt.setSslContext(sslContext); mqtt.setSslContext(sslContext);
BlockingConnection connection = mqtt.blockingConnection(); BlockingConnection connection = mqtt.blockingConnection();


@ -239,7 +239,11 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true); tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
tc.getParams().put(TransportConstants.USE_DEFAULT_SSL_CONTEXT_PROP_NAME, true); tc.getParams().put(TransportConstants.USE_DEFAULT_SSL_CONTEXT_PROP_NAME, true);
SSLContext.setDefault(SSLSupport.createContext(TransportConstants.DEFAULT_KEYSTORE_PROVIDER, TransportConstants.DEFAULT_KEYSTORE_PATH, TransportConstants.DEFAULT_KEYSTORE_PASSWORD, storeType, CLIENT_SIDE_TRUSTSTORE, PASSWORD)); SSLContext.setDefault(new SSLSupport()
.setTruststoreProvider(storeType)
.setTruststorePath(CLIENT_SIDE_TRUSTSTORE)
.setTruststorePassword(PASSWORD)
.createContext());
ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc)); ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
ClientSessionFactory sf = addSessionFactory(createSessionFactory(locator)); ClientSessionFactory sf = addSessionFactory(createSessionFactory(locator));
@ -662,7 +666,14 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
} }
public String[] getEnabledCipherSuites() throws Exception { public String[] getEnabledCipherSuites() throws Exception {
SSLContext context = SSLSupport.createContext(storeType, SERVER_SIDE_KEYSTORE, PASSWORD, storeType, CLIENT_SIDE_TRUSTSTORE, PASSWORD); SSLContext context = new SSLSupport()
.setKeystoreProvider(storeType)
.setKeystorePath(SERVER_SIDE_KEYSTORE)
.setKeystorePassword(PASSWORD)
.setTruststoreProvider(storeType)
.setTruststorePath(CLIENT_SIDE_TRUSTSTORE)
.setTruststorePassword(PASSWORD)
.createContext();
SSLEngine engine = context.createSSLEngine(); SSLEngine engine = context.createSSLEngine();
return engine.getEnabledCipherSuites(); return engine.getEnabledCipherSuites();
} }


@ -210,7 +210,10 @@ public class NettyConnectorWithHTTPUpgradeTest extends ActiveMQTestBase {
ServerBootstrap b = new ServerBootstrap(); ServerBootstrap b = new ServerBootstrap();
final SSLContext context; final SSLContext context;
if (useSSL) { if (useSSL) {
context = SSLSupport.createContext("JKS", SERVER_SIDE_KEYSTORE, PASSWORD, null, null, null); context = new SSLSupport()
.setKeystorePath(SERVER_SIDE_KEYSTORE)
.setKeystorePassword(PASSWORD)
.createContext();
} else { } else {
context = null; context = null;
} }


@ -73,32 +73,60 @@ public class SSLSupportTest extends ActiveMQTestBase {
@Test @Test
public void testContextWithRightParameters() throws Exception { public void testContextWithRightParameters() throws Exception {
SSLSupport.createContext(storeType, keyStorePath, keyStorePassword, storeType, trustStorePath, trustStorePassword); new SSLSupport()
.setKeystoreProvider(storeType)
.setKeystorePath(keyStorePath)
.setKeystorePassword(keyStorePassword)
.setTruststoreProvider(storeType)
.setTruststorePath(trustStorePath)
.setTruststorePassword(trustStorePassword)
.createContext();
} }
// This is valid as it will create key and trust managers with system defaults // This is valid as it will create key and trust managers with system defaults
@Test @Test
public void testContextWithNullParameters() throws Exception { public void testContextWithNullParameters() throws Exception {
SSLSupport.createContext(null, null, null, null, null, null); new SSLSupport().createContext();
} }
@Test @Test
public void testContextWithKeyStorePathAsURL() throws Exception { public void testContextWithKeyStorePathAsURL() throws Exception {
URL url = Thread.currentThread().getContextClassLoader().getResource(keyStorePath); URL url = Thread.currentThread().getContextClassLoader().getResource(keyStorePath);
SSLSupport.createContext(storeType, url.toString(), keyStorePassword, storeType, trustStorePath, trustStorePassword); new SSLSupport()
.setKeystoreProvider(storeType)
.setKeystorePath(url.toString())
.setKeystorePassword(keyStorePassword)
.setTruststoreProvider(storeType)
.setTruststorePath(trustStorePath)
.setTruststorePassword(trustStorePassword)
.createContext();
} }
@Test @Test
public void testContextWithKeyStorePathAsFile() throws Exception { public void testContextWithKeyStorePathAsFile() throws Exception {
URL url = Thread.currentThread().getContextClassLoader().getResource(keyStorePath); URL url = Thread.currentThread().getContextClassLoader().getResource(keyStorePath);
File file = new File(url.toURI()); File file = new File(url.toURI());
SSLSupport.createContext(storeType, file.getAbsolutePath(), keyStorePassword, storeType, trustStorePath, trustStorePassword); new SSLSupport()
.setKeystoreProvider(storeType)
.setKeystorePath(file.getAbsolutePath())
.setKeystorePassword(keyStorePassword)
.setTruststoreProvider(storeType)
.setTruststorePath(trustStorePath)
.setTruststorePassword(trustStorePassword)
.createContext();
} }
@Test @Test
public void testContextWithBadKeyStorePath() throws Exception { public void testContextWithBadKeyStorePath() throws Exception {
try { try {
SSLSupport.createContext(storeType, "not a keystore", keyStorePassword, storeType, trustStorePath, trustStorePassword); new SSLSupport()
.setKeystoreProvider(storeType)
.setKeystorePath("not a keystore")
.setKeystorePassword(keyStorePassword)
.setTruststoreProvider(storeType)
.setTruststorePath(trustStorePath)
.setTruststorePassword(trustStorePassword)
.createContext();
Assert.fail(); Assert.fail();
} catch (Exception e) { } catch (Exception e) {
} }
@ -107,7 +135,14 @@ public class SSLSupportTest extends ActiveMQTestBase {
@Test @Test
public void testContextWithNullKeyStorePath() throws Exception { public void testContextWithNullKeyStorePath() throws Exception {
try { try {
SSLSupport.createContext(storeType, null, keyStorePassword, storeType, trustStorePath, trustStorePassword); new SSLSupport()
.setKeystoreProvider(storeType)
.setKeystorePath(null)
.setKeystorePassword(keyStorePassword)
.setTruststoreProvider(storeType)
.setTruststorePath(trustStorePath)
.setTruststorePassword(trustStorePassword)
.createContext();
} catch (Exception e) { } catch (Exception e) {
Assert.fail(); Assert.fail();
} }
@ -122,13 +157,27 @@ public class SSLSupportTest extends ActiveMQTestBase {
return; return;
} }
SSLSupport.createContext(storeType, "src/test/resources/" + keyStorePath, keyStorePassword, storeType, trustStorePath, trustStorePassword); new SSLSupport()
.setKeystoreProvider(storeType)
.setKeystorePath("src/test/resources/" + keyStorePath)
.setKeystorePassword(keyStorePassword)
.setTruststoreProvider(storeType)
.setTruststorePath(trustStorePath)
.setTruststorePassword(trustStorePassword)
.createContext();
} }
@Test @Test
public void testContextWithBadKeyStorePassword() throws Exception { public void testContextWithBadKeyStorePassword() throws Exception {
try { try {
SSLSupport.createContext(storeType, keyStorePath, "bad password", storeType, trustStorePath, trustStorePassword); new SSLSupport()
.setKeystoreProvider(storeType)
.setKeystorePath(keyStorePath)
.setKeystorePassword("bad password")
.setTruststoreProvider(storeType)
.setTruststorePath(trustStorePath)
.setTruststorePassword(trustStorePassword)
.createContext();
Assert.fail(); Assert.fail();
} catch (Exception e) { } catch (Exception e) {
} }
@ -137,7 +186,14 @@ public class SSLSupportTest extends ActiveMQTestBase {
@Test @Test
public void testContextWithNullKeyStorePassword() throws Exception { public void testContextWithNullKeyStorePassword() throws Exception {
try { try {
SSLSupport.createContext(storeType, keyStorePath, null, storeType, trustStorePath, trustStorePassword); new SSLSupport()
.setKeystoreProvider(storeType)
.setKeystorePath(keyStorePath)
.setKeystorePassword(null)
.setTruststoreProvider(storeType)
.setTruststorePath(trustStorePath)
.setTruststorePassword(trustStorePassword)
.createContext();
Assert.fail(); Assert.fail();
} catch (Exception e) { } catch (Exception e) {
assertFalse(e instanceof NullPointerException); assertFalse(e instanceof NullPointerException);
@ -147,7 +203,14 @@ public class SSLSupportTest extends ActiveMQTestBase {
@Test @Test
public void testContextWithBadTrustStorePath() throws Exception { public void testContextWithBadTrustStorePath() throws Exception {
try { try {
SSLSupport.createContext(storeType, keyStorePath, keyStorePassword, storeType, "not a trust store", trustStorePassword); new SSLSupport()
.setKeystoreProvider(storeType)
.setKeystorePath(keyStorePath)
.setKeystorePassword(keyStorePassword)
.setTruststoreProvider(storeType)
.setTruststorePath("not a trust store")
.setTruststorePassword(trustStorePassword)
.createContext();
Assert.fail(); Assert.fail();
} catch (Exception e) { } catch (Exception e) {
} }
@ -156,7 +219,14 @@ public class SSLSupportTest extends ActiveMQTestBase {
@Test @Test
public void testContextWithBadTrustStorePassword() throws Exception { public void testContextWithBadTrustStorePassword() throws Exception {
try { try {
SSLSupport.createContext(storeType, keyStorePath, keyStorePassword, storeType, trustStorePath, "bad passord"); new SSLSupport()
.setKeystoreProvider(storeType)
.setKeystorePath(keyStorePath)
.setKeystorePassword(keyStorePassword)
.setTruststoreProvider(storeType)
.setTruststorePath(trustStorePath)
.setTruststorePassword("bad passord")
.createContext();
Assert.fail(); Assert.fail();
} catch (Exception e) { } catch (Exception e) {
} }
@ -166,6 +236,14 @@ public class SSLSupportTest extends ActiveMQTestBase {
public void testContextWithTrustAll() throws Exception { public void testContextWithTrustAll() throws Exception {
//This is using a bad password but should not fail because the trust store should be ignored with //This is using a bad password but should not fail because the trust store should be ignored with
//the trustAll flag set to true //the trustAll flag set to true
SSLSupport.createContext(storeType, keyStorePath, keyStorePassword, storeType, trustStorePath, "bad passord", true); new SSLSupport()
.setKeystoreProvider(storeType)
.setKeystorePath(keyStorePath)
.setKeystorePassword(keyStorePassword)
.setTruststoreProvider(storeType)
.setTruststorePath(trustStorePath)
.setTruststorePassword("bad passord")
.setTrustAll(true)
.createContext();
} }
} }
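Review bot: testContextWithNullParameters now calls `new SSLSupport().createContext()` with no setters, so it exercises the TransportConstants defaults rather than null parameters, and neither its name nor the comment above it ("system defaults") describes what actually runs any more. Either rename it along the lines of `testContextWithDefaultParameters` and reword the comment, or keep the original intent by chaining explicit `.setKeystoreProvider(null)` through `.setTruststorePassword(null)` calls so a null path and provider are still covered. The negative tests (bad keystore path/password, bad truststore path/password) catch bare Exception and would also pass on an unrelated failure; that is pre-existing, but asserting on the exception type or message would make them sharper now that they are being touched.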