From 8c0e1e96edd31689018fcba42fac74bea76e3b6f Mon Sep 17 00:00:00 2001 
From: "raul.valdoleiros" Date: Tue, 5 Dec 2017 15:57:13 +0000 Subject: [PATCH] ARTEMIS-1548 Support CRL Add support for CRL in client authentication --- .../remoting/impl/netty/NettyConnector.java | 7 +- .../impl/netty/TransportConstants.java | 6 + .../core/remoting/impl/ssl/SSLSupport.java | 77 +++++- .../remoting/impl/netty/NettyAcceptor.java | 7 +- examples/features/standard/pom.xml | 2 + .../standard/ssl-enabled-crl-mqtt/pom.xml | 115 ++++++++ .../standard/ssl-enabled-crl-mqtt/readme.md | 98 +++++++ .../jms/example/MqttCrlEnabledExample.java | 83 ++++++ .../resources/activemq/server0/broker.xml | 36 +++ .../resources/activemq/server0/keystore1.jks | Bin 0 -> 2396 bytes .../resources/activemq/server0/root.crl.pem | 12 + .../resources/activemq/server0/truststore.jks | Bin 0 -> 1003 bytes .../src/main/resources/client_not_revoked.jks | Bin 0 -> 2414 bytes .../src/main/resources/client_revoked.jks | Bin 0 -> 2415 bytes .../src/main/resources/truststore.jks | Bin 0 -> 1003 bytes tests/integration-tests/pom.xml | 9 + .../mqtt/imported/MQTTSecurityCRLTest.java | 247 ++++++++++++++++++ .../src/test/resources/client_not_revoked.jks | Bin 0 -> 2414 bytes .../src/test/resources/client_revoked.jks | Bin 0 -> 2415 bytes .../src/test/resources/keystore1.jks | Bin 0 -> 2396 bytes .../resources/mqttCrl/client0/truststore.jks | Bin 0 -> 1003 bytes .../resources/mqttCrl/client1/truststore.jks | Bin 0 -> 1003 bytes .../src/test/resources/root.crl.pem | 12 + .../src/test/resources/truststore.jks | Bin 0 -> 1003 bytes 24 files changed, 702 insertions(+), 9 deletions(-) create mode 100644 examples/features/standard/ssl-enabled-crl-mqtt/pom.xml create mode 100644 examples/features/standard/ssl-enabled-crl-mqtt/readme.md create mode 100644 examples/features/standard/ssl-enabled-crl-mqtt/src/main/java/org/apache/activemq/artemis/jms/example/MqttCrlEnabledExample.java create mode 100644 examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/broker.xml create 
mode 100644 examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/keystore1.jks create mode 100644 examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/root.crl.pem create mode 100644 examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/truststore.jks create mode 100644 examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/client_not_revoked.jks create mode 100644 examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/client_revoked.jks create mode 100644 examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/truststore.jks create mode 100644 tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/mqtt/imported/MQTTSecurityCRLTest.java create mode 100644 tests/integration-tests/src/test/resources/client_not_revoked.jks create mode 100644 tests/integration-tests/src/test/resources/client_revoked.jks create mode 100644 tests/integration-tests/src/test/resources/keystore1.jks create mode 100644 tests/integration-tests/src/test/resources/mqttCrl/client0/truststore.jks create mode 100644 tests/integration-tests/src/test/resources/mqttCrl/client1/truststore.jks create mode 100644 tests/integration-tests/src/test/resources/root.crl.pem create mode 100644 tests/integration-tests/src/test/resources/truststore.jks diff --git a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java index 8faa22dbc6..5d3b82d7b5 100644 --- a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java +++ b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java 
@@ -206,6 +206,8 @@ public class NettyConnector extends AbstractConnector { private String trustStorePassword; + private String crlPath; + private String enabledCipherSuites; private String enabledProtocols; @@ -338,6 +340,8 @@ public class NettyConnector extends AbstractConnector { trustStorePassword = ConfigurationHelper.getPasswordProperty(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, TransportConstants.DEFAULT_TRUSTSTORE_PASSWORD, configuration, ActiveMQDefaultConfiguration.getPropMaskPassword(), ActiveMQDefaultConfiguration.getPropPasswordCodec()); + crlPath = ConfigurationHelper.getStringProperty(TransportConstants.CRL_PATH_PROP_NAME, TransportConstants.DEFAULT_CRL_PATH, configuration); + enabledCipherSuites = ConfigurationHelper.getStringProperty(TransportConstants.ENABLED_CIPHER_SUITES_PROP_NAME, TransportConstants.DEFAULT_ENABLED_CIPHER_SUITES, configuration); enabledProtocols = ConfigurationHelper.getStringProperty(TransportConstants.ENABLED_PROTOCOLS_PROP_NAME, TransportConstants.DEFAULT_ENABLED_PROTOCOLS, configuration); @@ -358,6 +362,7 @@ public class NettyConnector extends AbstractConnector { trustStoreProvider = TransportConstants.DEFAULT_TRUSTSTORE_PROVIDER; trustStorePath = TransportConstants.DEFAULT_TRUSTSTORE_PATH; trustStorePassword = TransportConstants.DEFAULT_TRUSTSTORE_PASSWORD; + crlPath = TransportConstants.DEFAULT_CRL_PATH; enabledCipherSuites = TransportConstants.DEFAULT_ENABLED_CIPHER_SUITES; enabledProtocols = TransportConstants.DEFAULT_ENABLED_PROTOCOLS; verifyHost = TransportConstants.DEFAULT_VERIFY_HOST; 
@@ -519,7 +524,7 @@ public class NettyConnector extends AbstractConnector { if (System.getProperty(ACTIVEMQ_TRUSTSTORE_PASSWORD_PROP_NAME) != null) { realTrustStorePassword = System.getProperty(ACTIVEMQ_TRUSTSTORE_PASSWORD_PROP_NAME); } - context = SSLSupport.createContext(realKeyStoreProvider, realKeyStorePath, realKeyStorePassword, realTrustStoreProvider, realTrustStorePath, realTrustStorePassword, trustAll); + context = SSLSupport.createContext(realKeyStoreProvider, realKeyStorePath, realKeyStorePassword, realTrustStoreProvider, realTrustStorePath, realTrustStorePassword, trustAll, crlPath); } } catch (Exception e) { close(); diff --git a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/TransportConstants.java b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/TransportConstants.java index 890b508058..efc5eb0748 100644 --- a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/TransportConstants.java +++ b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/TransportConstants.java @@ -95,6 +95,8 @@ public class TransportConstants { public static final String TRUSTSTORE_PASSWORD_PROP_NAME = "trustStorePassword"; + public static final String CRL_PATH_PROP_NAME = "crlPath"; + public static final String ENABLED_CIPHER_SUITES_PROP_NAME = "enabledCipherSuites"; public static final String ENABLED_PROTOCOLS_PROP_NAME = "enabledProtocols"; @@ -189,6 +191,8 @@ public class TransportConstants { public static final String DEFAULT_TRUSTSTORE_PASSWORD = null; + public static final String DEFAULT_CRL_PATH = null; + public static final String DEFAULT_ENABLED_CIPHER_SUITES = null; public static final String DEFAULT_ENABLED_PROTOCOLS = null; 
@@ -310,6 +314,7 @@ public class TransportConstants { allowableAcceptorKeys.add(ActiveMQDefaultConfiguration.getPropMaskPassword()); allowableAcceptorKeys.add(ActiveMQDefaultConfiguration.getPropPasswordCodec()); allowableAcceptorKeys.add(TransportConstants.BACKLOG_PROP_NAME); + allowableAcceptorKeys.add(TransportConstants.CRL_PATH_PROP_NAME); ALLOWABLE_ACCEPTOR_KEYS = Collections.unmodifiableSet(allowableAcceptorKeys); @@ -356,6 +361,7 @@ public class TransportConstants { allowableConnectorKeys.add(TransportConstants.NETTY_CONNECT_TIMEOUT); allowableConnectorKeys.add(TransportConstants.USE_DEFAULT_SSL_CONTEXT_PROP_NAME); allowableConnectorKeys.add(TransportConstants.HANDSHAKE_TIMEOUT); + allowableConnectorKeys.add(TransportConstants.CRL_PATH_PROP_NAME); ALLOWABLE_CONNECTOR_KEYS = Collections.unmodifiableSet(allowableConnectorKeys); diff --git a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/ssl/SSLSupport.java b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/ssl/SSLSupport.java index b4d9dbfee3..03b6e08217 100644 --- a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/ssl/SSLSupport.java +++ b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/ssl/SSLSupport.java @@ -16,6 +16,15 @@ */ package org.apache.activemq.artemis.core.remoting.impl.ssl; +import java.security.Security; +import java.security.cert.CRL; +import java.security.cert.CertStore; +import java.security.cert.CertificateFactory; +import java.security.cert.CollectionCertStoreParameters; +import java.security.cert.PKIXBuilderParameters; +import java.security.cert.X509CertSelector; +import java.util.Collection; +import javax.net.ssl.CertPathTrustManagerParameters; import javax.net.ssl.KeyManager; import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.SSLContext; 
@@ -30,11 +39,11 @@ import java.security.AccessController; import java.security.KeyStore; import java.security.PrivilegedAction; import java.security.SecureRandom; - import org.apache.activemq.artemis.utils.ClassloadingUtil; import io.netty.handler.ssl.util.InsecureTrustManagerFactory; + /** * Please note, this class supports PKCS#11 keystores, but there are no specific tests in the ActiveMQ Artemis test-suite to * validate/verify this works because this requires a functioning PKCS#11 provider which is not available by default @@ -51,7 +60,18 @@ public class SSLSupport { final String trustStorePath, final String trustStorePassword) throws Exception { - return SSLSupport.createContext(keystoreProvider, keystorePath, keystorePassword, trustStoreProvider, trustStorePath, trustStorePassword, false); + return SSLSupport.createContext(keystoreProvider, keystorePath, keystorePassword, trustStoreProvider, trustStorePath, trustStorePassword, false, null); + } + + public static SSLContext createContext(final String keystoreProvider, + final String keystorePath, + final String keystorePassword, + final String trustStoreProvider, + final String trustStorePath, + final String trustStorePassword, + final String crlPath) throws Exception { + + return SSLSupport.createContext(keystoreProvider, keystorePath, keystorePassword, trustStoreProvider, trustStorePath, trustStorePassword, false, crlPath); } public static SSLContext createContext(final String keystoreProvider, 
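Review bot: The two new public `createContext` overloads in the `@@ -51` hunk (and the eight-argument one in the next hunk) carry no Javadoc, so a caller cannot tell what `crlPath` accepts or when it is honoured. Later in this same file the CRL is only applied when the default TrustManagerFactory algorithm is PKIX and is ignored entirely when `trustAll` is true, which is exactly the contract a caller needs spelled out. I would add `@param crlPath location of an X.509 CRL, resolved through the same validateStoreURL lookup as the key and trust stores; null disables CRL checking. Only honoured when the default TrustManagerFactory algorithm is PKIX and trustAll is false.` on each overload, plus a `@throws Exception` line describing that store or CRL loading failures propagate.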
@@ -61,9 +81,20 @@ public class SSLSupport { final String trustStorePath, final String trustStorePassword, final boolean trustAll) throws Exception { + return SSLSupport.createContext(keystoreProvider, keystorePath, keystorePassword, trustStoreProvider, trustStorePath, trustStorePassword, trustAll, null); + } + + public static SSLContext createContext(final String keystoreProvider, + final String keystorePath, + final String keystorePassword, + final String trustStoreProvider, + final String trustStorePath, + final String trustStorePassword, + final boolean trustAll, + final String crlPath) throws Exception { SSLContext context = SSLContext.getInstance("TLS"); KeyManager[] keyManagers = SSLSupport.loadKeyManagers(keystoreProvider, keystorePath, keystorePassword); - TrustManager[] trustManagers = SSLSupport.loadTrustManager(trustStoreProvider, trustStorePath, trustStorePassword, trustAll); + TrustManager[] trustManagers = SSLSupport.loadTrustManager(trustStoreProvider, trustStorePath, trustStorePassword, trustAll, crlPath); context.init(keyManagers, trustManagers, new SecureRandom()); return context; } 
@@ -93,18 +124,50 @@ public class SSLSupport { private static TrustManager[] loadTrustManager(final String trustStoreProvider, final String trustStorePath, final String trustStorePassword, - final boolean trustAll) throws Exception { + final boolean trustAll, + final String crlPath) throws Exception { if (trustAll) { //This is useful for testing but not should be used outside of that purpose return InsecureTrustManagerFactory.INSTANCE.getTrustManagers(); } else if (trustStorePath == null && (trustStoreProvider == null || !"PKCS11".equals(trustStoreProvider.toUpperCase()))) { return null; } else { - TrustManagerFactory trustMgrFactory; + TrustManagerFactory trustMgrFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); KeyStore trustStore = SSLSupport.loadKeystore(trustStoreProvider, trustStorePath, trustStorePassword); - trustMgrFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); - trustMgrFactory.init(trustStore); + boolean ocsp = Boolean.valueOf(Security.getProperty("ocsp.enable")); + + boolean initialized = false; + if ((ocsp || crlPath != null) && TrustManagerFactory.getDefaultAlgorithm().equalsIgnoreCase("PKIX")) { + PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustStore, new X509CertSelector()); + if (crlPath != null) { + pkixParams.setRevocationEnabled(true); + Collection crlList = loadCRL(crlPath); + if (crlList != null) { + pkixParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crlList))); + } + } + trustMgrFactory.init(new CertPathTrustManagerParameters(pkixParams)); + initialized = true; + } + + if (!initialized) { + trustMgrFactory.init(trustStore); + } + return trustMgrFactory.getTrustManagers(); + + } + } + + private static Collection loadCRL(String crlPath) throws Exception { + if (crlPath == null) { + return null; + } + + URL resource = SSLSupport.validateStoreURL(crlPath); + + try (InputStream is = resource.openStream()) { + 
return CertificateFactory.getInstance("X.509").generateCRLs(is); } } diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java b/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java index 6141d6cda9..52c5b7ea46 100644 --- a/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java +++ b/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java @@ -156,6 +156,8 @@ public class NettyAcceptor extends AbstractAcceptor { private final String trustStorePassword; + private final String crlPath; + private final String enabledCipherSuites; private final String enabledProtocols; @@ -259,6 +261,8 @@ public class NettyAcceptor extends AbstractAcceptor { trustStorePassword = ConfigurationHelper.getPasswordProperty(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, TransportConstants.DEFAULT_TRUSTSTORE_PASSWORD, configuration, ActiveMQDefaultConfiguration.getPropMaskPassword(), ActiveMQDefaultConfiguration.getPropPasswordCodec()); + crlPath = ConfigurationHelper.getStringProperty(TransportConstants.CRL_PATH_PROP_NAME, TransportConstants.DEFAULT_CRL_PATH, configuration); + enabledCipherSuites = ConfigurationHelper.getStringProperty(TransportConstants.ENABLED_CIPHER_SUITES_PROP_NAME, TransportConstants.DEFAULT_ENABLED_CIPHER_SUITES, configuration); enabledProtocols = ConfigurationHelper.getStringProperty(TransportConstants.ENABLED_PROTOCOLS_PROP_NAME, TransportConstants.DEFAULT_ENABLED_PROTOCOLS, configuration); 
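Review bot: In `loadTrustManager`, a configured `crlPath` is silently dropped when the default TrustManagerFactory algorithm is not PKIX: the `if ((ocsp || crlPath != null) && ...equalsIgnoreCase("PKIX"))` branch is skipped and the factory falls back to `trustMgrFactory.init(trustStore)`, which does not enable revocation checking, so an operator who set `crlPath` gets no error while revoked client certificates keep being accepted. That should fail fast, e.g. before the branch: `if (crlPath != null && !"PKIX".equalsIgnoreCase(TrustManagerFactory.getDefaultAlgorithm())) { throw new IllegalStateException("crlPath requires the PKIX TrustManagerFactory algorithm, but the default is " + TrustManagerFactory.getDefaultAlgorithm()); }`, after which the `initialized` flag can become a plain `else`. Separately, `loadCRL` and `crlList` use the raw `Collection` type; `generateCRLs` returns `Collection<? extends CRL>`, and declaring it that way would also give the `java.security.cert.CRL` import added in the first SSLSupport hunk a use, which it otherwise appears to lack in the visible code.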
@@ -273,6 +277,7 @@ public class NettyAcceptor extends AbstractAcceptor { trustStoreProvider = TransportConstants.DEFAULT_TRUSTSTORE_PROVIDER; trustStorePath = TransportConstants.DEFAULT_TRUSTSTORE_PATH; trustStorePassword = TransportConstants.DEFAULT_TRUSTSTORE_PASSWORD; + crlPath = TransportConstants.DEFAULT_CRL_PATH; enabledCipherSuites = TransportConstants.DEFAULT_ENABLED_CIPHER_SUITES; enabledProtocols = TransportConstants.DEFAULT_ENABLED_PROTOCOLS; needClientAuth = TransportConstants.DEFAULT_NEED_CLIENT_AUTH; @@ -453,7 +458,7 @@ public class NettyAcceptor extends AbstractAcceptor { throw new IllegalArgumentException("If \"" + TransportConstants.SSL_ENABLED_PROP_NAME + "\" is true then \"" + TransportConstants.KEYSTORE_PATH_PROP_NAME + "\" must be non-null " + "unless an alternative \"" + TransportConstants.KEYSTORE_PROVIDER_PROP_NAME + "\" has been specified."); - context = SSLSupport.createContext(keyStoreProvider, keyStorePath, keyStorePassword, trustStoreProvider, trustStorePath, trustStorePassword); + context = SSLSupport.createContext(keyStoreProvider, keyStorePath, keyStorePassword, trustStoreProvider, trustStorePath, trustStorePassword, crlPath); } catch (Exception e) { IllegalStateException ise = new IllegalStateException("Unable to create NettyAcceptor for " + host + ":" + port); ise.initCause(e); diff --git a/examples/features/standard/pom.xml b/examples/features/standard/pom.xml index d254992703..0d77a4e7d5 100644 --- a/examples/features/standard/pom.xml +++ b/examples/features/standard/pom.xml @@ -102,6 +102,7 @@ under the License. xa-heuristic xa-receive xa-send + ssl-enabled-crl-mqtt @@ -173,6 +174,7 @@ under the License. xa-heuristic xa-receive xa-send + ssl-enabled-crl-mqtt diff --git a/examples/features/standard/ssl-enabled-crl-mqtt/pom.xml b/examples/features/standard/ssl-enabled-crl-mqtt/pom.xml new file mode 100644 index 0000000000..1c26f0dd12 --- /dev/null +++ b/examples/features/standard/ssl-enabled-crl-mqtt/pom.xml 
@@ -0,0 +1,115 @@ + + + + + 4.0.0 + + + org.apache.activemq.examples.broker + jms-examples + 2.5.0-SNAPSHOT + + + ssl-enabled-crl-mqtt + jar + ActiveMQ Artemis Mqtt CRL Example + + + ${project.basedir}/../../../.. + + + + + org.apache.activemq + artemis-jms-client-all + ${project.version} + + + org.fusesource.mqtt-client + mqtt-client + + + + + + + org.apache.activemq + artemis-maven-plugin + + + create + + create + + + ${noServer} + + + + start + + cli + + + ${noServer} + true + tcp://localhost:61616 + consumer + activemq + + run + + + + + runClient + + runClient + + + org.apache.activemq.artemis.jms.example.MqttCrlEnabledExample + + + + stop + + cli + + + ${noServer} + + stop + + + + + + + org.apache.activemq.examples.broker + ssl-enabled-crl-mqtt + ${project.version} + + + + + + + diff --git a/examples/features/standard/ssl-enabled-crl-mqtt/readme.md b/examples/features/standard/ssl-enabled-crl-mqtt/readme.md new file mode 100644 index 0000000000..56be3ceeeb --- /dev/null +++ b/examples/features/standard/ssl-enabled-crl-mqtt/readme.md 
@@ -0,0 +1,98 @@ +# ActiveMQ Artemis MQTT CRL Example + +To run the example, simply type **mvn verify** from this directory, or **mvn -PnoServer verify** if you want to start and create the server manually. + +This example shows you how to configure 2-way SSL with CRL along with 2 different connections, one with a valid certificate and another with a revoked certificate. + +To configure 2-way SSL with CRL you need to configure the acceptor as follows: + +``` +tcp://0.0.0.0:1883?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;protocols=MQTT;useEpoll=true;sslEnabled=true;keyStorePath=${data.dir}/../etc/keystore1.jks;keyStorePassword=changeit;trustStorePath=${data.dir}/../etc/truststore.jks;keyStorePassword=changeit;crlPath=${data.dir}/../etc/root.crl.pem;needClientAuth=true` +``` + +In the server-side URL, the `keystore1.jks` is the key store file holding the server's key certificate. The `truststore.jks` is the file holding the certificates which the server trusts. The `root.crl.pem` is the file holding the revoked certificates. Notice also the `sslEnabled` and `needClientAuth` parameters which enable SSL and require clients to present their own certificate respectively. + +The various keystore files are generated using the following commands. Keep in mind that each common name should be different and the passwords should be `changeit`. 
+ +``` +openssl genrsa -out ca.key 2048 +openssl req -new -x509 -days 1826 -key ca.key -out ca.crt +touch certindex +echo 01 > certserial +echo 01 > crlnumber +``` + +## Create the ca.conf file: + +``` +[ ca ] +default_ca = myca + +[ crl_ext ] +# issuerAltName=issuer:copy #this would copy the issuer name to altname +authorityKeyIdentifier=keyid:always + +[ myca ] +dir = ./ +new_certs_dir = $dir +unique_subject = no +certificate = $dir/ca.crt +database = $dir/certindex +private_key = $dir/ca.key +serial = $dir/certserial +default_days = 730 +default_md = sha1 +policy = myca_policy +x509_extensions = myca_extensions +crlnumber = $dir/crlnumber +default_crl_days = 730 + +[ myca_policy ] +commonName = supplied +stateOrProvinceName = supplied +countryName = optional +emailAddress = optional +organizationName = supplied +organizationalUnitName = optional + +[ myca_extensions ] +basicConstraints = CA:false +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always +keyUsage = digitalSignature,keyEncipherment +extendedKeyUsage = serverAuth, clientAuth +crlDistributionPoints = URI:http://example.com/root.crl +subjectAltName = @alt_names + +[alt_names] +DNS.1 = example.com +DNS.2 = *.example.com` +``` + +## Continue with the following commands: + +``` +openssl genrsa -out keystore1.key 2048 +openssl req -new -key keystore1.key -out keystore1.csr +openssl ca -batch -config ca.conf -notext -in keystore1.csr -out keystore1.crt +openssl genrsa -out client_revoked.key 2048 +openssl req -new -key client_revoked.key -out client_revoked.csr +openssl ca -batch -config ca.conf -notext -in client_revoked.csr -out client_revoked.crt +openssl genrsa -out client_not_revoked.key 2048 +openssl req -new -key client_not_revoked.key -out client_not_revoked.csr +openssl ca -batch -config ca.conf -notext -in client_not_revoked.csr -out client_not_revoked.crt +openssl ca -config ca.conf -gencrl -keyfile ca.key -cert ca.crt -out root.crl.pem +openssl ca -config ca.conf -revoke 
client_revoked.crt -keyfile ca.key -cert ca.crt +openssl ca -config ca.conf -gencrl -keyfile ca.key -cert ca.crt -out root.crl.pem + +openssl pkcs12 -export -name client_revoked -in client_revoked.crt -inkey client_revoked.key -out client_revoked.p12 +keytool -importkeystore -destkeystore client_revoked.jks -srckeystore client_revoked.p12 -srcstoretype pkcs12 -alias client_revoked + +openssl pkcs12 -export -name client_not_revoked -in client_not_revoked.crt -inkey client_not_revoked.key -out client_not_revoked.p12 +keytool -importkeystore -destkeystore client_not_revoked.jks -srckeystore client_not_revoked.p12 -srcstoretype pkcs12 -alias client_not_revoked + +openssl pkcs12 -export -name keystore1 -in keystore1.crt -inkey keystore1.key -out keystore1.p12 +keytool -importkeystore -destkeystore keystore1.jks -srckeystore keystore1.p12 -srcstoretype pkcs12 -alias keystore1 + +keytool -import -trustcacerts -alias trust_key -file ca.crt -keystore truststore.jks +``` \ No newline at end of file diff --git a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/java/org/apache/activemq/artemis/jms/example/MqttCrlEnabledExample.java b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/java/org/apache/activemq/artemis/jms/example/MqttCrlEnabledExample.java new file mode 100644 index 0000000000..a4ddf6a6dc --- /dev/null +++ b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/java/org/apache/activemq/artemis/jms/example/MqttCrlEnabledExample.java 
@@ -0,0 +1,83 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.artemis.jms.example;
+
+import javax.net.ssl.SSLException;
+import java.util.concurrent.TimeUnit;
+
+import org.apache.activemq.artemis.core.remoting.impl.ssl.SSLSupport;
+import org.fusesource.mqtt.client.BlockingConnection;
+import org.fusesource.mqtt.client.MQTT;
+import org.fusesource.mqtt.client.Message;
+import org.fusesource.mqtt.client.QoS;
+import org.fusesource.mqtt.client.Topic;
+
+public class MqttCrlEnabledExample {
+
+ public static void main(final String[] args) throws Exception {
+ boolean exception = false;
+ try {
+ callBroker("truststore.jks", "changeit", "client_revoked.jks", "changeit");
+ } catch (SSLException e) {
+ exception = true;
+ }
+ if (!exception) {
+ throw new RuntimeException("The connection should be revoked");
+ }
+ callBroker("truststore.jks", "changeit", "client_not_revoked.jks", "changeit");
+ }
+
+ private static void callBroker(String truststorePath, String truststorePass, String keystorePath, String keystorePass) throws Exception {
+ BlockingConnection connection = null;
+
+ try {
+ connection = retrieveMQTTConnection("ssl://localhost:1883", truststorePath, truststorePass, 
keystorePath, keystorePass);
+ // Subscribe to topics
+ Topic[] topics = {new Topic("test/+/some/#", QoS.AT_MOST_ONCE)};
+ connection.subscribe(topics);
+
+ // Publish Messages
+ String payload = "This is message 1";
+
+ connection.publish("test/1/some/la", payload.getBytes(), QoS.AT_LEAST_ONCE, false);
+
+ Message message = connection.receive(5, TimeUnit.SECONDS);
+ System.out.println("Message received: " + new String(message.getPayload()));
+
+ } catch (Exception e) {
+ throw e;
+ } finally {
+ if (connection != null) {
+ connection.disconnect();
+ }
+ }
+ }
+
+ private static BlockingConnection retrieveMQTTConnection(String host, String truststorePath, String truststorePass, String keystorePath, String keystorePass) throws Exception {
+ MQTT mqtt = new MQTT();
+ mqtt.setConnectAttemptsMax(0);
+ mqtt.setReconnectAttemptsMax(0);
+ mqtt.setHost(host);
+ mqtt.setSslContext(SSLSupport.createContext("JKS", keystorePath, keystorePass, "JKS", truststorePath, truststorePass));
+ mqtt.setCleanSession(true);
+
+ BlockingConnection connection = mqtt.blockingConnection();
+ connection.connect();
+ return connection;
+ }
+
+}
\ No newline at end of file
diff --git a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/broker.xml b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/broker.xml
new file mode 100644
index 0000000000..9877bd57fa
--- /dev/null
+++ b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/broker.xml
@@ -0,0 +1,36 @@
+ + + + + false + + + tcp://localhost:61616 + tcp://0.0.0.0:1883?protocols=MQTT;sslEnabled=true;keyStorePath=keystore1.jks;keyStorePassword=changeit;trustStorePath=truststore.jks;keyStorePassword=changeit;crlPath=root.crl.pem;needClientAuth=true + + + + true + / + # + + + + + + \ No newline at end of file 
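Review bot: `connection.receive(5, TimeUnit.SECONDS)` in callBroker can return null when nothing arrives in time, and the next line dereferences `message.getPayload()`, so a silent broker-side failure surfaces as a NullPointerException instead of a clear error; guard it with `if (message == null) { throw new IllegalStateException("No message received within 5 seconds"); }`. The `catch (Exception e) { throw e; }` just before the finally block is a no-op rethrow and can be removed. `payload.getBytes()` and `new String(message.getPayload())` use the platform default charset; pass `StandardCharsets.UTF_8` to both so the example behaves the same on every JVM. In main, any SSLException satisfies the "revoked" check, so a handshake that fails for an unrelated reason (wrong trust store, expired certificate) would also look like a successful revocation test; logging `e.getMessage()` before setting the flag would make such a misdiagnosis visible.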
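Review bot: The MQTT acceptor URL sets `keyStorePassword=changeit` twice and never sets `trustStorePassword`, so the second occurrence looks like a copy-paste slip for `trustStorePassword=changeit`. A JKS trust store can usually be opened with no password (only the integrity check is skipped), which would explain why the example still runs, but the integration test in this commit does pass `TRUSTSTORE_PASSWORD_PROP_NAME`, so the intent here is clearly to supply it as well. Change the second key to `trustStorePassword=changeit`. The XML element names are not visible in this rendering, so this is judged from the URL text alone.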
diff --git a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/keystore1.jks b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/keystore1.jks new file mode 100644 index 0000000000000000000000000000000000000000..f1d8857a112a00d1ac93bdd306ced77b2440b307 GIT binary patch literal 2396 zcmah~c{J2}8=v27vW=!BWnV@N#&492E$YgyB8Cj&j*+zqL%PbolfX1i$We!eeS>C^-wiMi7j{4Ws!M=(Y z2ro-*TI7J0dXDb}>5|%A?&pzL_jHVzR5^c((%#>(jsq^uK_;)EhGi4B$2cdG%$hEB z4xZd?i+cOvR>jN5v4X2Fw=N(sYGe6jSI^QzYk7+cW`P`&j!HBB@0#_Ybp=PGTXVy@ zIUY%g`QBQH-Y^`NF#KKbqy~po+pflo$!!6h+OVNZ0)SRHE%JxOyF`L zC#D36hWQSv--e#SY{L>ZX{{D{-KwAe8U*;)JK^+q_IDKy%Nlk?B(4!-1=NA zcSR-cn}+7*gVIFdu3CVY&w6HNI2wgq8N)C=9weBBUxdiU=?Y#=Ke~tFnX|M`G_>%f zC@qr@2&URm#2cxljF)yvm+r;kswR8P)YQxxm?x*?EBS&%tlzBaKc2~tjjN`zyhSmr z#wR{ggdo`Vv#6df#yaHal=9x8JE*dPJ&B1Iz`7h*RWMvrIu;lnoZ^e+dVVZ%_@)M@< z)CB4#bb-~kF(|UII22YzXtEmMI+TachPS2%3@a*-`v>E_10#Pso8Wko@hw{*A!QP| z?kaOmF1B=Zw12dzwB_l1rCV3EL*ss1gerl#>nhCk!nwMRSUkPogq%g2D!*HI-g_t+ zBicl~7Ok!kqMjbE{p!&=(D^2Z6_TY*DuM|JkPtYX7 zHSkTIqSLzslo3V()H)WM;?lVi)jx=q`w*|CwlCo>zbScV>PA=1?WRHIkq%NwEWHFS zU=l(xaOuw{Z4qitP~v=N^!(ky$AP02lBx2~Ok(`hCi{=r ztmxV4`0EXM7#~8o_!StaG<&V86;SJEY#qa3X^N>G6Ft0g`vKj%?*7_opY zPV1}Grwd9tZmwZWFcr)@lnoa;H*w=Hnt14rtlQ(gMaOrq*Ph>LgjFkeIx z==_E5i^~c!$3LpZWSqXa_Ut{{SP4~Fle+aShFD-9yd0jOR5qvY`>_Awwdju#pMH2F z!WyRnszD%dG}{k(!BFTr9R>xUPyhgVk(}5_gUC%@wlg9ipevpmPb<&Omn1B@DiZdcan=o(C|8q;(eV$6Ss18y5>sr5x+#cC2m4_7eoJ;17WZ|H;A$ zs=2xQkQHz~|GT39s`>wy2ZjQYKYyIP6JVhLAB4?wK|=um(m@o69g$3zvVqz2`^}_F z%qxuN=^>+3qT`dX%S&>@=dFDcC2e%Fx3Bf?8waW1(=+P+O(*B;UmTt37d`|(;eM63 zW%|V^1>c4Xd4Rp05eN<#@ShVDRQRqHgJVD`P=YQ-7l{;d zq0w%rD=AU@9X)S&P;g|br;<07O2d)8JwVKNH5x7o3Wsw4Bnaij;(mfZ_nbZK?4ARV zcquvS30TpLTQbfwke@SbSG}^nP<>R-Zs$-(AQ@G!vS>alkD?p<5n06pEDW*7>IBT| z1uBX5T6LR@5^Hff4x5mBGRry3sH@gzwuuE_QTzaSZjhcU_X^Yfd-+I6(tUFY{T)W~ zrkv7L!KY(Yjj&q7&%SjPXV+=ZPP`iRuL&mL#^b^yFQP8w+Pio>e+S$VaFKY1VoHSSvEUN(hWs SY)!S+8(#XuU9b#<9rzpTn*7`V literal 0 HcmV?d00001 
diff --git a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/root.crl.pem b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/root.crl.pem new file mode 100644 index 0000000000..8938392af6 --- /dev/null +++ b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/root.crl.pem @@ -0,0 +1,12 @@ +-----BEGIN X509 CRL----- +MIIB2DCBwQIBATANBgkqhkiG9w0BAQUFADBpMQswCQYDVQQGEwJBVTETMBEGA1UE +CAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk +MRAwDgYDVQQDDAdhc2ZnZGZnMRAwDgYJKoZIhvcNAQkBFgFhFw0xNzEyMTQxODAw +NDVaFw0xOTEyMTQxODAwNDVaMBQwEgIBAhcNMTcxMjE0MTgwMDM2WqAOMAwwCgYD +VR0UBAMCAQIwDQYJKoZIhvcNAQEFBQADggEBACNiLQvZayn+ULeeSTnxcOOPaIku +1E5AGG3M6uUBalECEpstzmXQELdiZvQb2BMRb1hpm1pNJ8uITjrjeT6bf1+KGgeN +6lRMg36AwyQm8LGiE6ry9jF1OCHqERuImQUrRKWRUbL4hT79Fmji1xm9T9CA3RmE +hjN5oHXM5avF+pm6aU2L2bZ03DhU4Ur0rOd1DCXcGWiZc7VJEQicSrG2R8dagFO/ +w0OUFiTahbdxSguNNU5kIuSltm4kfMM7GcFMb9/kMTTz/U+nUarm7ZzZozn7p/Sb +9FjJ39JzFwq0jTT2bK+3WEWagQs9eNWAPjb5F3ofBSUleZ1f3rdhWWCSS+A= +-----END X509 CRL----- 
diff --git a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/truststore.jks b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/truststore.jks new file mode 100644 index 0000000000000000000000000000000000000000..5a8d79fc619936373446581330ff07d53c84fa07 GIT binary patch literal 1003 zcmezO_TO6u1_mY|W(3omB}JvhCGpv*l|Ye%Fr&xp46G4)rUsS_49qJHnwXawG%@uq zU}j=uV&Y`DKCAncfm=M20WTY;R+~rLcV0$DZdL|^Ohax1PB!LH7B*of$52CI13?gn zgNG|PKQ~o3xFoS8)lktu9wf-cBjK4>l3J9PTA~o1nUbDaQmhbAQmNoml42-ezz0&o z%)_2ooR*%FmJSwy*~G~x#+YazC(dhVZfIm^VrXt^ZfG1O&TC|Z#HFWGni!Rk1A>v2 zfw_s1pTVGsk&CH`k&$8TC3EhUcY>@RZ#`$-!ty`<;2yR=^Il!vb@*75_P)PQ^jW^G zJ!RZ@*XZS9pN%dSivv#|Ic?*)X~wySU(VmDu0MM$`EtP}j-Twzul>b8_@}KCdBUBt zx>fIVNVUenUk~(KjU0}bHM6RvInJD!d7SlSqmcZg5a9yIb$oBc+q8pLA zk$;|7JI^lr=d^EjPORvMT?|_)H4Rv~-cLT*DOngCr|zJ4=vsHk%kx*>9#c*4_$l*I zOl+#J0=tn=a{ZV4-3$M0-ac!QI&=K@xWCJ#4=xgA@jR$J@Ai*2$;vdZla9e=FL-7% zKa}NP&98Op$uBcA%P+55ueVxxs+bO zS$)7><@l78*7Ys{wWq-eLspqZ!a%G6y8<4Neqk0?17=3X|HxquOnksFXJnXu?5JZ* zn0(-LOE#JQNh<6PJ6RpYj>J8wneFgY|G=?bX65alj=lLBJpIL0-^XFoS0y-PpVM_e zlo#S1Y*0xpyDxbZw2i_+-V6rQ&V> zx4%&SelP6#sqKq--}jprvn}Az*l*+`YI>&Vby(@6x$C=`odVP~w3ei)?(H=fFOK$> ztrGULbNZjPY5SKd8LJ6<*g99YoPV=|p?1o&b+cnF6*lossXVhbuG{SVf<<@F{JJbS z+h{*i{G9RxQB&F43860;d^SpjbZ+|_a8%&}^QRkir;n!{&e`n!S!SNCn02Y)V}^?E dV!Jj2$!*bB8s684Ng1w?m)HHg%J5)l4FC`JcB23Q literal 0 HcmV?d00001 
diff --git a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/client_not_revoked.jks b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/client_not_revoked.jks new file mode 100644 index 0000000000000000000000000000000000000000..7e47443a179f408e08d3ee610df22d0897a10301 GIT binary patch literal 2414 zcmah~2{hDg7oQn3b_ruC#*D4({$pxniKxb!HL?{mW*FNHW{gpmjFNq?7bP>jiRdN8 zI3X$2pp=j-iKuuZBB3nb)O)_~^qupa^PThDbDrOQ?sK1ep8Gq$yEVTx4+4Q8d;|Y7 z>430c5{2$Zq0;@LNDOKyiO4_l_dsL9Kp+?xU_m#59fG1df?z0E8zKb;!$43LbT(jK z`IRWAaUJ)J(9QhHvt?3~XySUOE>P2@K_?P=imzUkBm|lIa*=cQZxviyd4U(nIq-?i ziFZ+pi{*LlK1*@8wuQ()G!6uYjR-}*fj)Y_62Lh8847wt| z<=D&Lx&PGWkWBC8g>g~EUiUfq(M(W;xNVynC9|$<%x@;TcO;7E^yVDdC$fhTBgEzC z-VMm#zf&Zu@#NCd79OZsZh-Y|Shkm4lidw_e8f)qWXT`}+G3Gx5xE6*4Z3Ky=_c-# zv5I?b`b~KncF(96(U9#(?!-;l3&*uOgYV@%80<*zvSO5aTR-xCEnzG!k=aZ~elFH4 z8<9sG^hx||tz4KWHPA!A!7vO>O1o!j&G5#pO3vw}sClfr3ABG1#i0lnW18;?-uK*% zQq4J5o&GjHGZJUMG%(S!^g*lt;D;swbM4Q|RqiW!=GIJ(t~}EGM@3AZ(wT{}*0}LC zQrIl$k5|i)w%N?05W-$=r{06sFRKGN?QrbFPOUMOwpVRNb1$8aPlua~L44N3R>X7c za$@FIW04snRvWqu#{qDJraFOWiF)U$RKr4#_9|`(L+3LF8TuRf>y_eGu8~p^NUxy+e-SnT?6uM zB1cryL?XsF37Q4M?A7I+pxTrVe}=!PGFq=URg5gq`tqDh#d!@$&1)-K%pCTmpqt=p zoZ)EnMg7u59~ySix|H4g2pQtor!dCBxn;C~oC$sYi0;f|Sd3_k_Z{UXRoLN_|d^=M7y+ z@q%vn9}|yZMb`#hgIeHwI;!2iku%&h+upZc$A%0L#VgeE3^ghyr&8|}uC{mC4~e8#P1PsF-YagWvG%LWS^oITFjO+L(k$A?qN9Fr)2lAHH^th; z+xke{~K%&6xHhq6wc zahsQzdIbeiZP1n3Kt^kzlk0-4Nq(jmDerL1!w6;Fz79W`d)e>vlxnKI%efF*CB5q* z!}8X$E6=s)mq@}q_4fnDAP{snUk~K~7G#Sp00BcFU;#ivP((Y$CS_HEuZ%Dd5R4WB zL<9xgp@K3HOLw#kAoUXni;KEZ!%2E>bUdAeRsoPdouc9jwiG%kibA5JP6QK!g6TAr zGd&jNKqsPi@->$qA|Nh=rv(NP1A~5f{{4~&SPqN_l;tJRMrcFyKJ)uZV-qkrJs8j0W^(b(hPHsR8?WhX69G~^H*RPyWV;cvctbew!e zo5`Y*{ah@kL;rqETfDT8zUG1*kACkTJ~SP@EgvT9o?Qbs{}`VdQm2kSLD&*%jO!W( zf?n=t+Be*_oWvjUs?PNo&u`jS)S$&fI&*AZ7?gTxK9i)4Fz#*K?326Ejqc$2s@oql zEW)N?}@s8*L&(pMnU0 zLEt}=o&!lwf6)RV1BCz}0KsnyVh2*#Ku}G)}pa!V0k!(bYBAHH)FflM7G4bIMVI=(kYPdlZl}gtShzbKVenv|{l>sG| z*lz(W32pt~;O{->v!35`FbIb$^YA(ua)5bk(N_ne|Kc8()s 
zifO`n6Yrml873~+^4>_kSD&R=bvD*myr?rfB&L$NSAv*uP`i~dr+8Fv19^G~7A7+F zMficu%Q{q9%4z$mTR`PZWBGCrT-&q!3!KKuQz5UYssOBQ|G?(Jxw`v4Ujz5VL9_hu zH@YPXI>>A z*yd|demgTdee1AZHt z92`IirFlnEV#0zbz5=(;At-ko215c66I_PSC{axm00J6tNdQ2?KqfdNLA5Br^j2b1 zCV3p=m9sW}xX}+@SH3F{$&5{J)ys>s=rHyH$HxTCD2rS!RP=w%RjQ-tdh1`aYOww!}O(S z>iz0HJF?`zXy4`)txVN!chJ+ztko$1H{nOuFS!i01?G!ys(bTr9o{4SG;-Br`*oj< zOVei_T}m9V{Pjrb2Qqgq*Akf_Cb#>SR6jUfw)LvnD8pDNs-Fn!zwjATyn5+dimQM1 zd2U~;Bdch^>N9=1x~pHEmWSPVPnOY-U6>!Kc$dyK`l|`Q+!_@odik})u7h1)8}9e;BaR== zyR?|DKl04%T7qw1`eFT$q?3V;_{u?4Ld1&$XVOr!6Dui0p)u>T>1D^?b);Tv)HZjO zABdym;=e?{8$&O~D_dzPbL>(dAF$_ugYu$C-6VMvd!qwKt0bd&h?MR+8=P~W%gAom zFIZW18nA8Woz+75fFRPeiBOsnw^AeN<`GR)8a=gVNmRM+7e5LXL}x0DIRDJ`Sjzu| z@l5c!5ue8C@SW_sx5Ey`lb#9_Ytef}ik;eq0eB^em&jIr>_xWYs=>HKt-besIr{#< z_fA)PH!C0AJ2G+n+{%Nxeu-u))sZhPG5lAX?<$*0wAFaEyABO;!-u2qj}KT3YFrs~ z<(fM8GqOJ4y22-T&-RNsMbtVy25$DA;9ERJao>4o2f7P;9^zw3PQ>Fh+ZWeE{OPm# z>xOz8H_Fx`GYAi|KFVG3FrX8=$;-A?$@j~A3bp5QHx1OcHHSOUsyKZA(#*G6&65`8 z3Xk~Lifv_!AzeKq%{xwBHt&L7Y}=AttM<`G{~K?AVP+?>B1J!Ede=l3ru|Xh+r`7p za8dkw;Vx$kuP{w5KGqAX=~kd2GXN>-ookTp6_S#rorbf*K?iDPhYol7vhs;;I;SbW z?`9zB!uk1KY%5j_U(056DBsDpNEJzFDDFSsS~A|fNx32Ho`$5hN)pfSr@2VGlSgx$;tk0Wi%-TTF&QiRXCo`OTLN!#7`tX9 z>tqR0k-YnhR*c3wqI@wj^J9x1F^rd=pQzP6M%J>scFTp*)cGWnh>UO129z8;e z{gi{R>H5Sf-@lWr6gIet{Wl?WeqT$}(VWjH7FK$Dmv>;Iv3TQR)6|#*O)BGqdttDycfVMJY(f6l?TBk~lO4k0IF&hvzc6>*ip&!;qbv=AM4_H{2;jZ1X?z@?wPNY(7hc|<=@77 zH8TvNZ6<#UB+^yK03yI(AXcDAaKV7YQ6d^C)+s;51;{1NCbsA z2%@CnW(RT7kmMQ=UMK1t7DCZ>rjckAoHB%6bBeB$vk9e9B10)OrNaTf)BswPk|Ql% z$)4tmTQAUD0R^#6h!o{V_4T9v_Wb)K5kLkYL5i~CI76HsP9JAzKrn!g2q57P2vKoL zkm5g4WIIoGT#X9WTAPAH{HVb}A+f%Jf~fy9zyG?y|4$ZT0$cuk2Eh-3U;+{_fnOBP z1OV9Z9@$pmtvi~;$I*MLO${9Fz4yHYtc;A$coWxOBuy3 z;gUMeB3GWf@JZ8{2l7m)@f~`mg!r#DS*;>>7fzEj88gh+H9dXiNZ^Zf&)~F-{45rK z{n+EmEo1&ZQ_{DbB%0smdG5aL7$==ZbhZ0F(cb!VXpLpIX)v(?5A@1 z6BQR@%6s>$%K{y11FoN1((4Y*sK}=HgA|cwXva^J^`&q#A%vis_8h`f)Mg^3E zWD++xR6cm)HGSdu1Cy;i=X{fISvoTMAhEUm5+I0xBTN4YrV7eH8&JZ6zZ!`YLID3+ 
z!6B_RE*4aUR3PP2Y$+yXvpJYM2$ISb)K1(mfyo_Ttz4C zC)ldTqL}VA_P}2D^`@S`H|MmKqWKXG5ji-IG9jsB!qF{NBG+3| z^@;9y%W$NQQ&?R}u6P_uf-wd=>J)0L`}*3IG5A literal 0 HcmV?d00001 diff --git a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/truststore.jks b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/truststore.jks new file mode 100644 index 0000000000000000000000000000000000000000..5a8d79fc619936373446581330ff07d53c84fa07 GIT binary patch literal 1003 zcmezO_TO6u1_mY|W(3omB}JvhCGpv*l|Ye%Fr&xp46G4)rUsS_49qJHnwXawG%@uq zU}j=uV&Y`DKCAncfm=M20WTY;R+~rLcV0$DZdL|^Ohax1PB!LH7B*of$52CI13?gn zgNG|PKQ~o3xFoS8)lktu9wf-cBjK4>l3J9PTA~o1nUbDaQmhbAQmNoml42-ezz0&o z%)_2ooR*%FmJSwy*~G~x#+YazC(dhVZfIm^VrXt^ZfG1O&TC|Z#HFWGni!Rk1A>v2 zfw_s1pTVGsk&CH`k&$8TC3EhUcY>@RZ#`$-!ty`<;2yR=^Il!vb@*75_P)PQ^jW^G zJ!RZ@*XZS9pN%dSivv#|Ic?*)X~wySU(VmDu0MM$`EtP}j-Twzul>b8_@}KCdBUBt zx>fIVNVUenUk~(KjU0}bHM6RvInJD!d7SlSqmcZg5a9yIb$oBc+q8pLA zk$;|7JI^lr=d^EjPORvMT?|_)H4Rv~-cLT*DOngCr|zJ4=vsHk%kx*>9#c*4_$l*I zOl+#J0=tn=a{ZV4-3$M0-ac!QI&=K@xWCJ#4=xgA@jR$J@Ai*2$;vdZla9e=FL-7% zKa}NP&98Op$uBcA%P+55ueVxxs+bO zS$)7><@l78*7Ys{wWq-eLspqZ!a%G6y8<4Neqk0?17=3X|HxquOnksFXJnXu?5JZ* zn0(-LOE#JQNh<6PJ6RpYj>J8wneFgY|G=?bX65alj=lLBJpIL0-^XFoS0y-PpVM_e zlo#S1Y*0xpyDxbZw2i_+-V6rQ&V> zx4%&SelP6#sqKq--}jprvn}Az*l*+`YI>&Vby(@6x$C=`odVP~w3ei)?(H=fFOK$> ztrGULbNZjPY5SKd8LJ6<*g99YoPV=|p?1o&b+cnF6*lossXVhbuG{SVf<<@F{JJbS z+h{*i{G9RxQB&F43860;d^SpjbZ+|_a8%&}^QRkir;n!{&e`n!S!SNCn02Y)V}^?E dV!Jj2$!*bB8s684Ng1w?m)HHg%J5)l4FC`JcB23Q literal 0 HcmV?d00001 diff --git a/tests/integration-tests/pom.xml b/tests/integration-tests/pom.xml index 1394baee84..0249033b85 100644 --- a/tests/integration-tests/pom.xml +++ b/tests/integration-tests/pom.xml @@ -481,6 +481,15 @@ + + org.apache.maven.plugins + maven-resources-plugin + + + jks + + + 
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/mqtt/imported/MQTTSecurityCRLTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/mqtt/imported/MQTTSecurityCRLTest.java
new file mode 100644
index 0000000000..4f88661ad5
--- /dev/null
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/mqtt/imported/MQTTSecurityCRLTest.java
@@ -0,0 +1,247 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *

+ * http://www.apache.org/licenses/LICENSE-2.0
+ *

+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.artemis.tests.integration.mqtt.imported;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLException;
+import java.io.IOException;
+import java.util.concurrent.TimeUnit;
+
+import org.apache.activemq.artemis.api.core.TransportConfiguration;
+import org.apache.activemq.artemis.core.config.Configuration;
+import org.apache.activemq.artemis.core.config.WildcardConfiguration;
+import org.apache.activemq.artemis.core.remoting.impl.netty.NettyAcceptorFactory;
+import org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants;
+import org.apache.activemq.artemis.core.remoting.impl.ssl.SSLSupport;
+import org.apache.activemq.artemis.core.server.ActiveMQServer;
+import org.apache.activemq.artemis.tests.util.ActiveMQTestBase;
+import org.fusesource.mqtt.client.BlockingConnection;
+import org.fusesource.mqtt.client.MQTT;
+import org.fusesource.mqtt.client.Message;
+import org.fusesource.mqtt.client.QoS;
+import org.fusesource.mqtt.client.Topic;
+import org.junit.Test;
+
+public class MQTTSecurityCRLTest extends ActiveMQTestBase {
+ /**
+ * These artifacts are required for testing mqtt with CRL
+ *

+ * openssl genrsa -out ca.key 2048 + * openssl req -new -x509 -days 1826 -key ca.key -out ca.crt + * touch certindex + * echo 01 > certserial + * echo 01 > crlnumber + *

+ * Create ca.conf file with + *

+ * [ ca ] + * default_ca = myca + *

+ * [ crl_ext ] + * # issuerAltName=issuer:copy #this would copy the issuer name to altname + * authorityKeyIdentifier=keyid:always + *

+ * [ myca ] + * dir = ./ + * new_certs_dir = $dir + * unique_subject = no + * certificate = $dir/ca.crt + * database = $dir/certindex + * private_key = $dir/ca.key + * serial = $dir/certserial + * default_days = 730 + * default_md = sha1 + * policy = myca_policy + * x509_extensions = myca_extensions + * crlnumber = $dir/crlnumber + * default_crl_days = 730 + *

+ * [ myca_policy ] + * commonName = supplied + * stateOrProvinceName = supplied + * countryName = optional + * emailAddress = optional + * organizationName = supplied + * organizationalUnitName = optional + *

+ * [ myca_extensions ] + * basicConstraints = CA:false + * subjectKeyIdentifier = hash + * authorityKeyIdentifier = keyid:always + * keyUsage = digitalSignature,keyEncipherment + * extendedKeyUsage = serverAuth, clientAuth + * crlDistributionPoints = URI:http://example.com/root.crl + * subjectAltName = @alt_names + *

+ * [alt_names] + * DNS.1 = example.com + * DNS.2 = *.example.com + *

+ * Continue executing the commands: + *

+ * openssl genrsa -out keystore1.key 2048 + * openssl req -new -key keystore1.key -out keystore1.csr + * openssl ca -batch -config ca.conf -notext -in keystore1.csr -out keystore1.crt + * openssl genrsa -out client_revoked.key 2048 + * openssl req -new -key client_revoked.key -out client_revoked.csr + * openssl ca -batch -config ca.conf -notext -in client_revoked.csr -out client_revoked.crt + * openssl genrsa -out client_not_revoked.key 2048 + * openssl req -new -key client_not_revoked.key -out client_not_revoked.csr + * openssl ca -batch -config ca.conf -notext -in client_not_revoked.csr -out client_not_revoked.crt + * openssl ca -config ca.conf -gencrl -keyfile ca.key -cert ca.crt -out root.crl.pem + * openssl ca -config ca.conf -revoke client_revoked.crt -keyfile ca.key -cert ca.crt + * openssl ca -config ca.conf -gencrl -keyfile ca.key -cert ca.crt -out root.crl.pem + *

+ * openssl pkcs12 -export -name client_revoked -in client_revoked.crt -inkey client_revoked.key -out client_revoked.p12 + * keytool -importkeystore -destkeystore client_revoked.jks -srckeystore client_revoked.p12 -srcstoretype pkcs12 -alias client_revoked + *

+ * openssl pkcs12 -export -name client_not_revoked -in client_not_revoked.crt -inkey client_not_revoked.key -out client_not_revoked.p12 + * keytool -importkeystore -destkeystore client_not_revoked.jks -srckeystore client_not_revoked.p12 -srcstoretype pkcs12 -alias client_not_revoked + *

+ * openssl pkcs12 -export -name keystore1 -in keystore1.crt -inkey keystore1.key -out keystore1.p12 + * keytool -importkeystore -destkeystore keystore1.jks -srckeystore keystore1.p12 -srcstoretype pkcs12 -alias keystore1 + *

+ * keytool -import -trustcacerts -alias trust_key -file ca.crt -keystore truststore.jks
+ */
+
+ @Test(expected = SSLException.class)
+ public void crlRevokedTest() throws Exception {
+
+ ActiveMQServer server1 = initServer();
+ BlockingConnection connection1 = null;
+ try {
+ server1.start();
+
+ while (!server1.isStarted()) {
+ Thread.sleep(50);
+ }
+
+ connection1 = retrieveMQTTConnection("ssl://localhost:1883", "truststore.jks", "changeit", "client_revoked.jks", "changeit");
+
+ // Subscribe to topics
+ Topic[] topics = {new Topic("test/+/some/#", QoS.AT_MOST_ONCE)};
+ connection1.subscribe(topics);
+
+ // Publish Messages
+ String payload1 = "This is message 1";
+
+ connection1.publish("test/1/some/la", payload1.getBytes(), QoS.AT_LEAST_ONCE, false);
+
+ Message message1 = connection1.receive(5, TimeUnit.SECONDS);
+
+ assertEquals(payload1, new String(message1.getPayload()));
+
+ } finally {
+ if (connection1 != null) {
+ connection1.disconnect();
+ }
+ if (server1.isStarted()) {
+ server1.stop();
+ }
+ }
+ }
+
+ @Test
+ public void crlNotRevokedTest() throws Exception {
+
+ ActiveMQServer server1 = initServer();
+ BlockingConnection connection1 = null;
+ try {
+ server1.start();
+
+ while (!server1.isStarted()) {
+ Thread.sleep(50);
+ }
+
+ connection1 = retrieveMQTTConnection("ssl://localhost:1883", "truststore.jks", "changeit", "client_not_revoked.jks", "changeit");
+
+ // Subscribe to topics
+ Topic[] topics = {new Topic("test/+/some/#", QoS.AT_MOST_ONCE)};
+ connection1.subscribe(topics);
+
+ // Publish Messages
+ String payload1 = "This is message 1";
+
+ connection1.publish("test/1/some/la", payload1.getBytes(), QoS.AT_LEAST_ONCE, false);
+
+ Message message1 = connection1.receive(5, TimeUnit.SECONDS);
+
+ assertEquals(payload1, new String(message1.getPayload()));
+
+ } finally {
+ if (connection1 != null) {
+ connection1.disconnect();
+ }
+ if (server1.isStarted()) {
+ server1.stop();
+ }
+ }
+ }
+
+
+ private ActiveMQServer initServer() throws 
Exception {
+ Configuration configuration = createDefaultNettyConfig().setSecurityEnabled(false);
+
+ addMqttTransportConfiguration(configuration);
+ addWildCardConfiguration(configuration);
+
+ ActiveMQServer server = createServer(true, configuration);
+ return server;
+ }
+
+ private void addWildCardConfiguration(Configuration configuration) {
+ WildcardConfiguration wildcardConfiguration = new WildcardConfiguration();
+ wildcardConfiguration.setAnyWords('#');
+ wildcardConfiguration.setDelimiter('/');
+ wildcardConfiguration.setRoutingEnabled(true);
+ wildcardConfiguration.setSingleWord('+');
+
+ configuration.setWildCardConfiguration(wildcardConfiguration);
+ }
+
+ private void addMqttTransportConfiguration(Configuration configuration) throws IOException {
+ TransportConfiguration transportConfiguration = new TransportConfiguration(NettyAcceptorFactory.class.getCanonicalName(), null, "mqtt", null);
+
+ transportConfiguration.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
+ transportConfiguration.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "truststore.jks");
+ transportConfiguration.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "changeit");
+ transportConfiguration.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "keystore1.jks");
+ transportConfiguration.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "changeit");
+ transportConfiguration.getParams().put(TransportConstants.CRL_PATH_PROP_NAME, "root.crl.pem");
+ transportConfiguration.getParams().put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, "true");
+ transportConfiguration.getParams().put(TransportConstants.PORT_PROP_NAME, "1883");
+ transportConfiguration.getParams().put(TransportConstants.HOST_PROP_NAME, "localhost");
+ transportConfiguration.getParams().put(TransportConstants.PROTOCOLS_PROP_NAME, "MQTT");
+
+ configuration.getAcceptorConfigurations().add(transportConfiguration);
+ }
+
+ private BlockingConnection 
retrieveMQTTConnection(String host, String truststorePath, String truststorePass, String keystorePath, String keystorePass) throws Exception {
+ MQTT mqtt = new MQTT();
+ mqtt.setConnectAttemptsMax(1);
+ mqtt.setReconnectAttemptsMax(0);
+ mqtt.setHost(host);
+ SSLContext sslContext = SSLSupport.createContext(TransportConstants.DEFAULT_KEYSTORE_PROVIDER, keystorePath, keystorePass, TransportConstants.DEFAULT_TRUSTSTORE_PROVIDER, truststorePath, truststorePass);
+ mqtt.setSslContext(sslContext);
+
+ BlockingConnection connection = mqtt.blockingConnection();
+ connection.connect();
+ return connection;
+ }
+
+
+}
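Review bot: `crlRevokedTest` is declared `@Test(expected = SSLException.class)`, which is satisfied by any TLS failure, so a broken trust store, an expired certificate or a CRL file the acceptor cannot parse would make the "revoked" test pass for the wrong reason; a tighter shape wraps only the `retrieveMQTTConnection(...)` call in a try/catch, asserts on the caught exception there, and calls `fail("revoked client certificate was accepted")` if the subscribe line is reached. In both tests `connection1.receive(5, TimeUnit.SECONDS)` may return null on timeout, and `new String(message1.getPayload())` then throws NullPointerException instead of an assertion failure; add `assertNotNull(message1);` before the assertEquals. `while (!server1.isStarted()) { Thread.sleep(50); }` has no upper bound, so a server that fails to start hangs the test rather than failing it. The fixtures this test depends on are time-bounded: decoding the two UTCTime fields of the root.crl.pem added in this commit gives a thisUpdate of 2017-12-14 and a nextUpdate that appears to be 2019-12-14, after which a validator that enforces CRL freshness may reject both clients, and the recipe in the class javadoc signs with `default_md = sha1`, which newer JDK security properties may refuse; a short comment above the class noting the fixture generation date, the validity windows of ca.crt, keystore1.jks and the client stores, and that sha256 should be used on regeneration would save the next maintainer a debugging session.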
diff --git a/tests/integration-tests/src/test/resources/client_not_revoked.jks b/tests/integration-tests/src/test/resources/client_not_revoked.jks new file mode 100644 index 0000000000000000000000000000000000000000..7e47443a179f408e08d3ee610df22d0897a10301 GIT binary patch literal 2414 zcmah~2{hDg7oQn3b_ruC#*D4({$pxniKxb!HL?{mW*FNHW{gpmjFNq?7bP>jiRdN8 zI3X$2pp=j-iKuuZBB3nb)O)_~^qupa^PThDbDrOQ?sK1ep8Gq$yEVTx4+4Q8d;|Y7 z>430c5{2$Zq0;@LNDOKyiO4_l_dsL9Kp+?xU_m#59fG1df?z0E8zKb;!$43LbT(jK z`IRWAaUJ)J(9QhHvt?3~XySUOE>P2@K_?P=imzUkBm|lIa*=cQZxviyd4U(nIq-?i ziFZ+pi{*LlK1*@8wuQ()G!6uYjR-}*fj)Y_62Lh8847wt| z<=D&Lx&PGWkWBC8g>g~EUiUfq(M(W;xNVynC9|$<%x@;TcO;7E^yVDdC$fhTBgEzC z-VMm#zf&Zu@#NCd79OZsZh-Y|Shkm4lidw_e8f)qWXT`}+G3Gx5xE6*4Z3Ky=_c-# zv5I?b`b~KncF(96(U9#(?!-;l3&*uOgYV@%80<*zvSO5aTR-xCEnzG!k=aZ~elFH4 z8<9sG^hx||tz4KWHPA!A!7vO>O1o!j&G5#pO3vw}sClfr3ABG1#i0lnW18;?-uK*% zQq4J5o&GjHGZJUMG%(S!^g*lt;D;swbM4Q|RqiW!=GIJ(t~}EGM@3AZ(wT{}*0}LC zQrIl$k5|i)w%N?05W-$=r{06sFRKGN?QrbFPOUMOwpVRNb1$8aPlua~L44N3R>X7c za$@FIW04snRvWqu#{qDJraFOWiF)U$RKr4#_9|`(L+3LF8TuRf>y_eGu8~p^NUxy+e-SnT?6uM zB1cryL?XsF37Q4M?A7I+pxTrVe}=!PGFq=URg5gq`tqDh#d!@$&1)-K%pCTmpqt=p zoZ)EnMg7u59~ySix|H4g2pQtor!dCBxn;C~oC$sYi0;f|Sd3_k_Z{UXRoLN_|d^=M7y+ z@q%vn9}|yZMb`#hgIeHwI;!2iku%&h+upZc$A%0L#VgeE3^ghyr&8|}uC{mC4~e8#P1PsF-YagWvG%LWS^oITFjO+L(k$A?qN9Fr)2lAHH^th; z+xke{~K%&6xHhq6wc zahsQzdIbeiZP1n3Kt^kzlk0-4Nq(jmDerL1!w6;Fz79W`d)e>vlxnKI%efF*CB5q* z!}8X$E6=s)mq@}q_4fnDAP{snUk~K~7G#Sp00BcFU;#ivP((Y$CS_HEuZ%Dd5R4WB zL<9xgp@K3HOLw#kAoUXni;KEZ!%2E>bUdAeRsoPdouc9jwiG%kibA5JP6QK!g6TAr zGd&jNKqsPi@->$qA|Nh=rv(NP1A~5f{{4~&SPqN_l;tJRMrcFyKJ)uZV-qkrJs8j0W^(b(hPHsR8?WhX69G~^H*RPyWV;cvctbew!e zo5`Y*{ah@kL;rqETfDT8zUG1*kACkTJ~SP@EgvT9o?Qbs{}`VdQm2kSLD&*%jO!W( zf?n=t+Be*_oWvjUs?PNo&u`jS)S$&fI&*AZ7?gTxK9i)4Fz#*K?326Ejqc$2s@oql zEW)N?}@s8*L&(pMnU0 zLEt}=o&!lwf6)RV1BCz}0KsnyVh2*#Ku}G)}pa!V0k!(bYBAHH)FflM7G4bIMVI=(kYPdlZl}gtShzbKVenv|{l>sG| z*lz(W32pt~;O{->v!35`FbIb$^YA(ua)5bk(N_ne|Kc8()s 
zifO`n6Yrml873~+^4>_kSD&R=bvD*myr?rfB&L$NSAv*uP`i~dr+8Fv19^G~7A7+F zMficu%Q{q9%4z$mTR`PZWBGCrT-&q!3!KKuQz5UYssOBQ|G?(Jxw`v4Ujz5VL9_hu zH@YPXI>>A z*yd|demgTdee1AZHt z92`IirFlnEV#0zbz5=(;At-ko215c66I_PSC{axm00J6tNdQ2?KqfdNLA5Br^j2b1 zCV3p=m9sW}xX}+@SH3F{$&5{J)ys>s=rHyH$HxTCD2rS!RP=w%RjQ-tdh1`aYOww!}O(S z>iz0HJF?`zXy4`)txVN!chJ+ztko$1H{nOuFS!i01?G!ys(bTr9o{4SG;-Br`*oj< zOVei_T}m9V{Pjrb2Qqgq*Akf_Cb#>SR6jUfw)LvnD8pDNs-Fn!zwjATyn5+dimQM1 zd2U~;Bdch^>N9=1x~pHEmWSPVPnOY-U6>!Kc$dyK`l|`Q+!_@odik})u7h1)8}9e;BaR== zyR?|DKl04%T7qw1`eFT$q?3V;_{u?4Ld1&$XVOr!6Dui0p)u>T>1D^?b);Tv)HZjO zABdym;=e?{8$&O~D_dzPbL>(dAF$_ugYu$C-6VMvd!qwKt0bd&h?MR+8=P~W%gAom zFIZW18nA8Woz+75fFRPeiBOsnw^AeN<`GR)8a=gVNmRM+7e5LXL}x0DIRDJ`Sjzu| z@l5c!5ue8C@SW_sx5Ey`lb#9_Ytef}ik;eq0eB^em&jIr>_xWYs=>HKt-besIr{#< z_fA)PH!C0AJ2G+n+{%Nxeu-u))sZhPG5lAX?<$*0wAFaEyABO;!-u2qj}KT3YFrs~ z<(fM8GqOJ4y22-T&-RNsMbtVy25$DA;9ERJao>4o2f7P;9^zw3PQ>Fh+ZWeE{OPm# z>xOz8H_Fx`GYAi|KFVG3FrX8=$;-A?$@j~A3bp5QHx1OcHHSOUsyKZA(#*G6&65`8 z3Xk~Lifv_!AzeKq%{xwBHt&L7Y}=AttM<`G{~K?AVP+?>B1J!Ede=l3ru|Xh+r`7p za8dkw;Vx$kuP{w5KGqAX=~kd2GXN>-ookTp6_S#rorbf*K?iDPhYol7vhs;;I;SbW z?`9zB!uk1KY%5j_U(056DBsDpNEJzFDDFSsS~A|fNx32Ho`$5hN)pfSr@2VGlSgx$;tk0Wi%-TTF&QiRXCo`OTLN!#7`tX9 z>tqR0k-YnhR*c3wqI@wj^J9x1F^rd=pQzP6M%J>scFTp*)cGWnh>UO129z8;e z{gi{R>H5Sf-@lWr6gIet{Wl?WeqT$}(VWjH7FK$Dmv>;Iv3TQR)6|#*O)BGqdttDycfVMJY(f6l?TBk~lO4k0IF&hvzc6>*ip&!;qbv=AM4_H{2;jZ1X?z@?wPNY(7hc|<=@77 zH8TvNZ6<#UB+^yK03yI(AXcDAaKV7YQ6d^C)+s;51;{1NCbsA z2%@CnW(RT7kmMQ=UMK1t7DCZ>rjckAoHB%6bBeB$vk9e9B10)OrNaTf)BswPk|Ql% z$)4tmTQAUD0R^#6h!o{V_4T9v_Wb)K5kLkYL5i~CI76HsP9JAzKrn!g2q57P2vKoL zkm5g4WIIoGT#X9WTAPAH{HVb}A+f%Jf~fy9zyG?y|4$ZT0$cuk2Eh-3U;+{_fnOBP z1OV9Z9@$pmtvi~;$I*MLO${9Fz4yHYtc;A$coWxOBuy3 z;gUMeB3GWf@JZ8{2l7m)@f~`mg!r#DS*;>>7fzEj88gh+H9dXiNZ^Zf&)~F-{45rK z{n+EmEo1&ZQ_{DbB%0smdG5aL7$==ZbhZ0F(cb!VXpLpIX)v(?5A@1 z6BQR@%6s>$%K{y11FoN1((4Y*sK}=HgA|cwXva^J^`&q#A%vis_8h`f)Mg^3E zWD++xR6cm)HGSdu1Cy;i=X{fISvoTMAhEUm5+I0xBTN4YrV7eH8&JZ6zZ!`YLID3+ 
z!6B_RE*4aUR3PP2Y$+yXvpJYM2$ISb)K1(mfyo_Ttz4C zC)ldTqL}VA_P}2D^`@S`H|MmKqWKXG5ji-IG9jsB!qF{NBG+3| z^@;9y%W$NQQ&?R}u6P_uf-wd=>J)0L`}*3IG5A literal 0 HcmV?d00001 
diff --git a/tests/integration-tests/src/test/resources/keystore1.jks b/tests/integration-tests/src/test/resources/keystore1.jks new file mode 100644 index 0000000000000000000000000000000000000000..f1d8857a112a00d1ac93bdd306ced77b2440b307 GIT binary patch literal 2396 zcmah~c{J2}8=v27vW=!BWnV@N#&492E$YgyB8Cj&j*+zqL%PbolfX1i$We!eeS>C^-wiMi7j{4Ws!M=(Y z2ro-*TI7J0dXDb}>5|%A?&pzL_jHVzR5^c((%#>(jsq^uK_;)EhGi4B$2cdG%$hEB z4xZd?i+cOvR>jN5v4X2Fw=N(sYGe6jSI^QzYk7+cW`P`&j!HBB@0#_Ybp=PGTXVy@ zIUY%g`QBQH-Y^`NF#KKbqy~po+pflo$!!6h+OVNZ0)SRHE%JxOyF`L zC#D36hWQSv--e#SY{L>ZX{{D{-KwAe8U*;)JK^+q_IDKy%Nlk?B(4!-1=NA zcSR-cn}+7*gVIFdu3CVY&w6HNI2wgq8N)C=9weBBUxdiU=?Y#=Ke~tFnX|M`G_>%f zC@qr@2&URm#2cxljF)yvm+r;kswR8P)YQxxm?x*?EBS&%tlzBaKc2~tjjN`zyhSmr z#wR{ggdo`Vv#6df#yaHal=9x8JE*dPJ&B1Iz`7h*RWMvrIu;lnoZ^e+dVVZ%_@)M@< z)CB4#bb-~kF(|UII22YzXtEmMI+TachPS2%3@a*-`v>E_10#Pso8Wko@hw{*A!QP| z?kaOmF1B=Zw12dzwB_l1rCV3EL*ss1gerl#>nhCk!nwMRSUkPogq%g2D!*HI-g_t+ zBicl~7Ok!kqMjbE{p!&=(D^2Z6_TY*DuM|JkPtYX7 zHSkTIqSLzslo3V()H)WM;?lVi)jx=q`w*|CwlCo>zbScV>PA=1?WRHIkq%NwEWHFS zU=l(xaOuw{Z4qitP~v=N^!(ky$AP02lBx2~Ok(`hCi{=r ztmxV4`0EXM7#~8o_!StaG<&V86;SJEY#qa3X^N>G6Ft0g`vKj%?*7_opY zPV1}Grwd9tZmwZWFcr)@lnoa;H*w=Hnt14rtlQ(gMaOrq*Ph>LgjFkeIx z==_E5i^~c!$3LpZWSqXa_Ut{{SP4~Fle+aShFD-9yd0jOR5qvY`>_Awwdju#pMH2F z!WyRnszD%dG}{k(!BFTr9R>xUPyhgVk(}5_gUC%@wlg9ipevpmPb<&Omn1B@DiZdcan=o(C|8q;(eV$6Ss18y5>sr5x+#cC2m4_7eoJ;17WZ|H;A$ zs=2xQkQHz~|GT39s`>wy2ZjQYKYyIP6JVhLAB4?wK|=um(m@o69g$3zvVqz2`^}_F z%qxuN=^>+3qT`dX%S&>@=dFDcC2e%Fx3Bf?8waW1(=+P+O(*B;UmTt37d`|(;eM63 zW%|V^1>c4Xd4Rp05eN<#@ShVDRQRqHgJVD`P=YQ-7l{;d zq0w%rD=AU@9X)S&P;g|br;<07O2d)8JwVKNH5x7o3Wsw4Bnaij;(mfZ_nbZK?4ARV zcquvS30TpLTQbfwke@SbSG}^nP<>R-Zs$-(AQ@G!vS>alkD?p<5n06pEDW*7>IBT| z1uBX5T6LR@5^Hff4x5mBGRry3sH@gzwuuE_QTzaSZjhcU_X^Yfd-+I6(tUFY{T)W~ zrkv7L!KY(Yjj&q7&%SjPXV+=ZPP`iRuL&mL#^b^yFQP8w+Pio>e+S$VaFKY1VoHSSvEUN(hWs SY)!S+8(#XuU9b#<9rzpTn*7`V literal 0 HcmV?d00001 
diff --git a/tests/integration-tests/src/test/resources/mqttCrl/client0/truststore.jks b/tests/integration-tests/src/test/resources/mqttCrl/client0/truststore.jks new file mode 100644 index 0000000000000000000000000000000000000000..5a8d79fc619936373446581330ff07d53c84fa07 GIT binary patch literal 1003 zcmezO_TO6u1_mY|W(3omB}JvhCGpv*l|Ye%Fr&xp46G4)rUsS_49qJHnwXawG%@uq zU}j=uV&Y`DKCAncfm=M20WTY;R+~rLcV0$DZdL|^Ohax1PB!LH7B*of$52CI13?gn zgNG|PKQ~o3xFoS8)lktu9wf-cBjK4>l3J9PTA~o1nUbDaQmhbAQmNoml42-ezz0&o z%)_2ooR*%FmJSwy*~G~x#+YazC(dhVZfIm^VrXt^ZfG1O&TC|Z#HFWGni!Rk1A>v2 zfw_s1pTVGsk&CH`k&$8TC3EhUcY>@RZ#`$-!ty`<;2yR=^Il!vb@*75_P)PQ^jW^G zJ!RZ@*XZS9pN%dSivv#|Ic?*)X~wySU(VmDu0MM$`EtP}j-Twzul>b8_@}KCdBUBt zx>fIVNVUenUk~(KjU0}bHM6RvInJD!d7SlSqmcZg5a9yIb$oBc+q8pLA zk$;|7JI^lr=d^EjPORvMT?|_)H4Rv~-cLT*DOngCr|zJ4=vsHk%kx*>9#c*4_$l*I zOl+#J0=tn=a{ZV4-3$M0-ac!QI&=K@xWCJ#4=xgA@jR$J@Ai*2$;vdZla9e=FL-7% zKa}NP&98Op$uBcA%P+55ueVxxs+bO zS$)7><@l78*7Ys{wWq-eLspqZ!a%G6y8<4Neqk0?17=3X|HxquOnksFXJnXu?5JZ* zn0(-LOE#JQNh<6PJ6RpYj>J8wneFgY|G=?bX65alj=lLBJpIL0-^XFoS0y-PpVM_e zlo#S1Y*0xpyDxbZw2i_+-V6rQ&V> zx4%&SelP6#sqKq--}jprvn}Az*l*+`YI>&Vby(@6x$C=`odVP~w3ei)?(H=fFOK$> ztrGULbNZjPY5SKd8LJ6<*g99YoPV=|p?1o&b+cnF6*lossXVhbuG{SVf<<@F{JJbS z+h{*i{G9RxQB&F43860;d^SpjbZ+|_a8%&}^QRkir;n!{&e`n!S!SNCn02Y)V}^?E dV!Jj2$!*bB8s684Ng1w?m)HHg%J5)l4FC`JcB23Q literal 0 HcmV?d00001 
diff --git a/tests/integration-tests/src/test/resources/mqttCrl/client1/truststore.jks b/tests/integration-tests/src/test/resources/mqttCrl/client1/truststore.jks new file mode 100644 index 0000000000000000000000000000000000000000..5a8d79fc619936373446581330ff07d53c84fa07 GIT binary patch literal 1003 zcmezO_TO6u1_mY|W(3omB}JvhCGpv*l|Ye%Fr&xp46G4)rUsS_49qJHnwXawG%@uq zU}j=uV&Y`DKCAncfm=M20WTY;R+~rLcV0$DZdL|^Ohax1PB!LH7B*of$52CI13?gn zgNG|PKQ~o3xFoS8)lktu9wf-cBjK4>l3J9PTA~o1nUbDaQmhbAQmNoml42-ezz0&o z%)_2ooR*%FmJSwy*~G~x#+YazC(dhVZfIm^VrXt^ZfG1O&TC|Z#HFWGni!Rk1A>v2 zfw_s1pTVGsk&CH`k&$8TC3EhUcY>@RZ#`$-!ty`<;2yR=^Il!vb@*75_P)PQ^jW^G zJ!RZ@*XZS9pN%dSivv#|Ic?*)X~wySU(VmDu0MM$`EtP}j-Twzul>b8_@}KCdBUBt zx>fIVNVUenUk~(KjU0}bHM6RvInJD!d7SlSqmcZg5a9yIb$oBc+q8pLA zk$;|7JI^lr=d^EjPORvMT?|_)H4Rv~-cLT*DOngCr|zJ4=vsHk%kx*>9#c*4_$l*I zOl+#J0=tn=a{ZV4-3$M0-ac!QI&=K@xWCJ#4=xgA@jR$J@Ai*2$;vdZla9e=FL-7% zKa}NP&98Op$uBcA%P+55ueVxxs+bO zS$)7><@l78*7Ys{wWq-eLspqZ!a%G6y8<4Neqk0?17=3X|HxquOnksFXJnXu?5JZ* zn0(-LOE#JQNh<6PJ6RpYj>J8wneFgY|G=?bX65alj=lLBJpIL0-^XFoS0y-PpVM_e zlo#S1Y*0xpyDxbZw2i_+-V6rQ&V> zx4%&SelP6#sqKq--}jprvn}Az*l*+`YI>&Vby(@6x$C=`odVP~w3ei)?(H=fFOK$> ztrGULbNZjPY5SKd8LJ6<*g99YoPV=|p?1o&b+cnF6*lossXVhbuG{SVf<<@F{JJbS z+h{*i{G9RxQB&F43860;d^SpjbZ+|_a8%&}^QRkir;n!{&e`n!S!SNCn02Y)V}^?E dV!Jj2$!*bB8s684Ng1w?m)HHg%J5)l4FC`JcB23Q literal 0 HcmV?d00001 diff --git a/tests/integration-tests/src/test/resources/root.crl.pem b/tests/integration-tests/src/test/resources/root.crl.pem new file mode 100644 index 0000000000..8938392af6 --- /dev/null +++ b/tests/integration-tests/src/test/resources/root.crl.pem 
@@ -0,0 +1,12 @@
+-----BEGIN X509 CRL-----
+MIIB2DCBwQIBATANBgkqhkiG9w0BAQUFADBpMQswCQYDVQQGEwJBVTETMBEGA1UE
+CAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk
+MRAwDgYDVQQDDAdhc2ZnZGZnMRAwDgYJKoZIhvcNAQkBFgFhFw0xNzEyMTQxODAw
+NDVaFw0xOTEyMTQxODAwNDVaMBQwEgIBAhcNMTcxMjE0MTgwMDM2WqAOMAwwCgYD
+VR0UBAMCAQIwDQYJKoZIhvcNAQEFBQADggEBACNiLQvZayn+ULeeSTnxcOOPaIku
+1E5AGG3M6uUBalECEpstzmXQELdiZvQb2BMRb1hpm1pNJ8uITjrjeT6bf1+KGgeN
+6lRMg36AwyQm8LGiE6ry9jF1OCHqERuImQUrRKWRUbL4hT79Fmji1xm9T9CA3RmE
+hjN5oHXM5avF+pm6aU2L2bZ03DhU4Ur0rOd1DCXcGWiZc7VJEQicSrG2R8dagFO/
+w0OUFiTahbdxSguNNU5kIuSltm4kfMM7GcFMb9/kMTTz/U+nUarm7ZzZozn7p/Sb
+9FjJ39JzFwq0jTT2bK+3WEWagQs9eNWAPjb5F3ofBSUleZ1f3rdhWWCSS+A=
+-----END X509 CRL-----
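Review bot: The committed test CRL carries a hard expiry: decoding the base64 body shows a thisUpdate of 171214180045Z and a nextUpdate of 191214180045Z (2019-12-14), so the fixture becomes stale after that date and a PKIX revocation checker that enforces nextUpdate will then reject the CRL itself rather than just the revoked certificate, which can make MQTTSecurityCRLTest fail (or pass) for the wrong reason once the clock passes it. The same decode also shows the CRL is signed with sha1WithRSAEncryption, which newer JDK security policies may disallow for CRL signatures, so the fixture is fragile on two axes. Since the copy under examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/root.crl.pem appears to be the same file, both copies age together. Add a short note next to the fixtures (e.g. in the example's readme.md or a README in tests/integration-tests/src/test/resources) recording the CA key used, the revoked serial (serial 2 per the CRL entry), the nextUpdate date, and the command sequence needed to regenerate the CRL and the matching .jks stores before they expire.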
diff --git a/tests/integration-tests/src/test/resources/truststore.jks b/tests/integration-tests/src/test/resources/truststore.jks new file mode 100644 index 0000000000000000000000000000000000000000..5a8d79fc619936373446581330ff07d53c84fa07 GIT binary patch literal 1003 zcmezO_TO6u1_mY|W(3omB}JvhCGpv*l|Ye%Fr&xp46G4)rUsS_49qJHnwXawG%@uq zU}j=uV&Y`DKCAncfm=M20WTY;R+~rLcV0$DZdL|^Ohax1PB!LH7B*of$52CI13?gn zgNG|PKQ~o3xFoS8)lktu9wf-cBjK4>l3J9PTA~o1nUbDaQmhbAQmNoml42-ezz0&o z%)_2ooR*%FmJSwy*~G~x#+YazC(dhVZfIm^VrXt^ZfG1O&TC|Z#HFWGni!Rk1A>v2 zfw_s1pTVGsk&CH`k&$8TC3EhUcY>@RZ#`$-!ty`<;2yR=^Il!vb@*75_P)PQ^jW^G zJ!RZ@*XZS9pN%dSivv#|Ic?*)X~wySU(VmDu0MM$`EtP}j-Twzul>b8_@}KCdBUBt zx>fIVNVUenUk~(KjU0}bHM6RvInJD!d7SlSqmcZg5a9yIb$oBc+q8pLA zk$;|7JI^lr=d^EjPORvMT?|_)H4Rv~-cLT*DOngCr|zJ4=vsHk%kx*>9#c*4_$l*I zOl+#J0=tn=a{ZV4-3$M0-ac!QI&=K@xWCJ#4=xgA@jR$J@Ai*2$;vdZla9e=FL-7% zKa}NP&98Op$uBcA%P+55ueVxxs+bO zS$)7><@l78*7Ys{wWq-eLspqZ!a%G6y8<4Neqk0?17=3X|HxquOnksFXJnXu?5JZ* zn0(-LOE#JQNh<6PJ6RpYj>J8wneFgY|G=?bX65alj=lLBJpIL0-^XFoS0y-PpVM_e zlo#S1Y*0xpyDxbZw2i_+-V6rQ&V> zx4%&SelP6#sqKq--}jprvn}Az*l*+`YI>&Vby(@6x$C=`odVP~w3ei)?(H=fFOK$> ztrGULbNZjPY5SKd8LJ6<*g99YoPV=|p?1o&b+cnF6*lossXVhbuG{SVf<<@F{JJbS z+h{*i{G9RxQB&F43860;d^SpjbZ+|_a8%&}^QRkir;n!{&e`n!S!SNCn02Y)V}^?E dV!Jj2$!*bB8s684Ng1w?m)HHg%J5)l4FC`JcB23Q literal 0 HcmV?d00001
