From 9599ad8d95958ca8e2506f6efb46ebdb29a53d4d Mon Sep 17 00:00:00 2001 From: Colm O hEigeartaigh Date: Fri, 27 Mar 2020 08:34:10 +0000 Subject: [PATCH] AMQ-7457 - Support wider password encryption schemes --- .../console/command/DecryptCommand.java | 9 ++++++ .../console/command/EncryptCommand.java | 17 +++++++++++ activemq-jaas/pom.xml | 3 ++ .../activemq/jaas/EncryptionSupport.java | 15 +++++++--- .../activemq/jaas/PropertiesLoader.java | 6 ++++ .../activemq/jaas/ReloadableProperties.java | 2 +- ...EncryptedAESPropertiesLoginModuleTest.java | 25 ++++++++++++++++ .../EncryptedPropertiesLoginModuleTest.java | 30 +++++++++++++++++++ .../jaas/PropertiesLoginModuleTest.java | 10 +++++-- activemq-jaas/src/test/resources/login.config | 17 +++++++++++ .../resources/users-encrypted-aes.properties | 19 ++++++++++++ .../test/resources/users-encrypted.properties | 19 ++++++++++++ activemq-unit-tests/pom.xml | 2 +- .../security/simple-auth-broker-no-users.xml | 2 +- .../activemq/security/simple-auth-broker.xml | 2 +- .../security/simple-auth-separator.xml | 2 +- assembly/pom.xml | 2 +- assembly/src/main/descriptors/common-bin.xml | 2 +- .../examples/conf/activemq-security.xml | 2 +- 19 files changed, 171 insertions(+), 15 deletions(-) create mode 100644 activemq-jaas/src/test/java/org/apache/activemq/jaas/EncryptedAESPropertiesLoginModuleTest.java create mode 100644 activemq-jaas/src/test/java/org/apache/activemq/jaas/EncryptedPropertiesLoginModuleTest.java create mode 100644 activemq-jaas/src/test/resources/users-encrypted-aes.properties create mode 100644 activemq-jaas/src/test/resources/users-encrypted.properties diff --git a/activemq-console/src/main/java/org/apache/activemq/console/command/DecryptCommand.java b/activemq-console/src/main/java/org/apache/activemq/console/command/DecryptCommand.java index 675778654c..0809553a03 100644 --- a/activemq-console/src/main/java/org/apache/activemq/console/command/DecryptCommand.java 
+++ b/activemq-console/src/main/java/org/apache/activemq/console/command/DecryptCommand.java @@ -19,6 +19,7 @@ package org.apache.activemq.console.command; import java.util.List; import org.jasypt.exceptions.EncryptionOperationNotPossibleException; +import org.jasypt.iv.RandomIvGenerator; public class DecryptCommand extends EncryptCommand { @@ -30,6 +31,7 @@ public class DecryptCommand extends EncryptCommand { " --password Password to be used by the encryptor. Defaults to", " the value in the ACTIVEMQ_ENCRYPTION_PASSWORD env variable.", " --input Text to be encrypted.", + " --algorithm Algorithm to use.", " --version Display the version information.", " -h,-?,--help Display the stop broker help information.", "" @@ -55,6 +57,13 @@ public class DecryptCommand extends EncryptCommand { return; } encryptor.setPassword(password); + if (algorithm != null) { + encryptor.setAlgorithm(algorithm); + // From Jasypt: for PBE-AES-based algorithms, the IV generator is MANDATORY" + if (algorithm.startsWith("PBE") && algorithm.contains("AES")) { + encryptor.setIvGenerator(new RandomIvGenerator()); + } + } try { context.print("Decrypted text: " + encryptor.decrypt(input)); } catch (EncryptionOperationNotPossibleException e) { diff --git a/activemq-console/src/main/java/org/apache/activemq/console/command/EncryptCommand.java b/activemq-console/src/main/java/org/apache/activemq/console/command/EncryptCommand.java index ce61ee08ef..7c3ae561a9 100644 --- a/activemq-console/src/main/java/org/apache/activemq/console/command/EncryptCommand.java +++ b/activemq-console/src/main/java/org/apache/activemq/console/command/EncryptCommand.java @@ -19,6 +19,7 @@ package org.apache.activemq.console.command; import java.util.List; import org.jasypt.encryption.pbe.StandardPBEStringEncryptor; +import org.jasypt.iv.RandomIvGenerator; public class EncryptCommand extends AbstractCommand { 
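Review bot: The IV-generator guard in the `@@ -55` hunk is case-sensitive (`algorithm.startsWith("PBE") && algorithm.contains("AES")`), while JCE algorithm names are matched case-insensitively, so a value such as `pbewithhmacsha256andaes_256` is accepted by `setAlgorithm` yet gets no IV generator and will most likely fail later with an error that does not point at the real cause. Normalising first, `String alg = algorithm.toUpperCase(Locale.ROOT);` and testing `alg.startsWith("PBE") && alg.contains("AES")`, avoids that; the identical guard is copied into EncryptCommand (`@@ -64`) and EncryptionSupport.createEncryptor (`@@ -40`), so one shared helper would be better than three copies to keep in sync. The comment also carries a stray trailing quote and should read `// From Jasypt: for PBE-AES-based algorithms, the IV generator is MANDATORY`. The enclosing method starts and ends outside the hunk.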
@@ -30,6 +31,7 @@ public class EncryptCommand extends AbstractCommand { " --password Password to be used by the encryptor. Defaults to", " the value in the ACTIVEMQ_ENCRYPTION_PASSWORD env variable.", " --input Text to be encrypted.", + " --algorithm Algorithm to use.", " --version Display the version information.", " -h,-?,--help Display the stop broker help information.", "" @@ -38,6 +40,7 @@ public class EncryptCommand extends AbstractCommand { StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor(); String input; String password; + String algorithm; @Override public String getName() { @@ -64,6 +67,13 @@ public class EncryptCommand extends AbstractCommand { return; } encryptor.setPassword(password); + if (algorithm != null) { + encryptor.setAlgorithm(algorithm); + // From Jasypt: for PBE-AES-based algorithms, the IV generator is MANDATORY" + if (algorithm.startsWith("PBE") && algorithm.contains("AES")) { + encryptor.setIvGenerator(new RandomIvGenerator()); + } + } context.print("Encrypted text: " + encryptor.encrypt(input)); } @@ -83,6 +93,13 @@ public class EncryptCommand extends AbstractCommand { } password=(String)tokens.remove(0); + } else if (token.startsWith("--algorithm")) { + if (tokens.isEmpty() || ((String)tokens.get(0)).startsWith("-")) { + context.printException(new IllegalArgumentException("algorithm not specified")); + return; + } + + algorithm=(String)tokens.remove(0); } else { super.handleOption(token, tokens); } diff --git a/activemq-jaas/pom.xml b/activemq-jaas/pom.xml index 4dcfeb7908..74e83e213c 100644 --- a/activemq-jaas/pom.xml +++ b/activemq-jaas/pom.xml @@ -56,6 +56,9 @@ --> + + activemq + diff --git a/activemq-jaas/src/main/java/org/apache/activemq/jaas/EncryptionSupport.java b/activemq-jaas/src/main/java/org/apache/activemq/jaas/EncryptionSupport.java index 22d64940e3..d399446f02 100644 --- a/activemq-jaas/src/main/java/org/apache/activemq/jaas/EncryptionSupport.java 
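Review bot: The help text added in the `@@ -30` hunk, `" --algorithm Algorithm to use."`, tells an operator neither which names are accepted nor what is used when the option is omitted, which matters because text encrypted under one algorithm cannot be decrypted under another. Suggest `" --algorithm Jasypt PBE algorithm to use, e.g. PBEWITHHMACSHA256ANDAES_256."` followed by `" Defaults to jasypt's built-in default (PBEWithMD5AndDES)."`, and the same wording for the matching line in DecryptCommand. The new `--algorithm` branch in the `@@ -83` hunk mirrors the existing `--password` branch, which is consistent with the surrounding parser; the `algorithm` field in `@@ -38` follows the package-private style of `input` and `password`.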
+++ b/activemq-jaas/src/main/java/org/apache/activemq/jaas/EncryptionSupport.java @@ -19,6 +19,7 @@ package org.apache.activemq.jaas; import org.jasypt.encryption.pbe.StandardPBEStringEncryptor; import org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig; import org.jasypt.properties.PropertyValueEncryptionUtils; +import org.jasypt.iv.RandomIvGenerator; import java.util.ArrayList; import java.util.Properties; @@ -28,8 +29,8 @@ import java.util.Properties; */ public class EncryptionSupport { - static public void decrypt(Properties props) { - StandardPBEStringEncryptor encryptor = createEncryptor(); + static public void decrypt(Properties props, String algorithm) { + StandardPBEStringEncryptor encryptor = createEncryptor(algorithm); for (Object k : new ArrayList(props.keySet())) { String key = (String) k; String value = props.getProperty(key); @@ -40,10 +41,16 @@ public class EncryptionSupport { } } - public static StandardPBEStringEncryptor createEncryptor() { + public static StandardPBEStringEncryptor createEncryptor(String algorithm) { StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor(); EnvironmentStringPBEConfig config = new EnvironmentStringPBEConfig(); - config.setAlgorithm("PBEWithMD5AndDES"); + if (algorithm != null) { + encryptor.setAlgorithm(algorithm); + // From Jasypt: for PBE-AES-based algorithms, the IV generator is MANDATORY" + if (algorithm.startsWith("PBE") && algorithm.contains("AES")) { + encryptor.setIvGenerator(new RandomIvGenerator()); + } + } config.setPasswordEnvName("ACTIVEMQ_ENCRYPTION_PASSWORD"); encryptor.setConfig(config); return encryptor; diff --git a/activemq-jaas/src/main/java/org/apache/activemq/jaas/PropertiesLoader.java b/activemq-jaas/src/main/java/org/apache/activemq/jaas/PropertiesLoader.java index 0ed83765eb..d9fcf62f41 100644 --- a/activemq-jaas/src/main/java/org/apache/activemq/jaas/PropertiesLoader.java +++ b/activemq-jaas/src/main/java/org/apache/activemq/jaas/PropertiesLoader.java 
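Review bot: `decrypt(Properties)` and `createEncryptor()` are replaced rather than overloaded in the `@@ -28` and `@@ -40` hunks, so any external caller of the old public static signatures stops linking; thin overloads `public static void decrypt(Properties props) { decrypt(props, null); }` and `public static StandardPBEStringEncryptor createEncryptor() { return createEncryptor(null); }` keep compatibility at no cost. The explicit `config.setAlgorithm("PBEWithMD5AndDES")` is dropped, so with a null algorithm the scheme now comes from jasypt's own default rather than being pinned here — I believe that default is the same MD5/DES value, but a comment stating that the legacy scheme still applies unless `algorithm` is supplied would make the fallback explicit. A class-level Javadoc noting that AES-based PBE algorithms require the random IV generator set here, and that a ciphertext can only be decrypted with the algorithm it was produced under, would help the next maintainer.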
@@ -53,12 +53,14 @@ public class PropertiesLoader { final boolean reload; private boolean decrypt; private boolean debug; + private String algorithm; public FileNameKey(String nameProperty, String fallbackName, Map options) { this.file = new File(baseDir(options), stringOption(nameProperty, fallbackName, options)); absPath = file.getAbsolutePath(); reload = booleanOption("reload", options); decrypt = booleanOption("decrypt", options); + algorithm = stringOption("algorithm", "PBEWithMD5AndDES", options); } @Override @@ -87,6 +89,10 @@ public class PropertiesLoader { this.decrypt = decrypt; } + public String getAlgorithm() { + return algorithm; + } + private String stringOption(String key, String nameDefault, Map options) { Object result = options.get(key); return result != null ? result.toString() : nameDefault; diff --git a/activemq-jaas/src/main/java/org/apache/activemq/jaas/ReloadableProperties.java b/activemq-jaas/src/main/java/org/apache/activemq/jaas/ReloadableProperties.java index 42427d0a0b..9950bdf0af 100644 --- a/activemq-jaas/src/main/java/org/apache/activemq/jaas/ReloadableProperties.java +++ b/activemq-jaas/src/main/java/org/apache/activemq/jaas/ReloadableProperties.java @@ -124,7 +124,7 @@ public class ReloadableProperties { props.load(in); if (key.isDecrypt()) { try { - EncryptionSupport.decrypt(this.props); + EncryptionSupport.decrypt(this.props, key.getAlgorithm()); } catch (NoClassDefFoundError e) { // this Happens whe jasypt is not on the classpath.. key.setDecrypt(false); diff --git a/activemq-jaas/src/test/java/org/apache/activemq/jaas/EncryptedAESPropertiesLoginModuleTest.java b/activemq-jaas/src/test/java/org/apache/activemq/jaas/EncryptedAESPropertiesLoginModuleTest.java new file mode 100644 index 0000000000..1c46e2dce0 --- /dev/null +++ b/activemq-jaas/src/test/java/org/apache/activemq/jaas/EncryptedAESPropertiesLoginModuleTest.java 
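Review bot: `algorithm` becomes part of `FileNameKey`'s state in the `@@ -53` hunk, but the `@Override` immediately after the constructor (its body is outside the hunk) is not touched; if that is `equals`/`hashCode` and the key is used to cache loaded properties, two login entries naming the same file with different `algorithm` options would share one entry — please confirm and include `algorithm` in the comparison if so. The default `"PBEWithMD5AndDES"` keeps the legacy MD5/DES scheme for existing configs; a comment on that line such as `// legacy default kept for existing configs; AES-based PBE algorithms are preferred for new deployments` would make that deliberate. `getAlgorithm()` in the `@@ -87` hunk has no setter, unlike `decrypt`, which is appropriate since the value is fixed at construction.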
@@ -0,0 +1,25 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.activemq.jaas; + +public class EncryptedAESPropertiesLoginModuleTest extends EncryptedPropertiesLoginModuleTest { + + @Override + protected String getLoginModule() { + return "EncryptedAESPropertiesLogin"; + } +} diff --git a/activemq-jaas/src/test/java/org/apache/activemq/jaas/EncryptedPropertiesLoginModuleTest.java b/activemq-jaas/src/test/java/org/apache/activemq/jaas/EncryptedPropertiesLoginModuleTest.java new file mode 100644 index 0000000000..0ca2014c94 --- /dev/null +++ b/activemq-jaas/src/test/java/org/apache/activemq/jaas/EncryptedPropertiesLoginModuleTest.java 
@@ -0,0 +1,30 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.activemq.jaas; + +public class EncryptedPropertiesLoginModuleTest extends PropertiesLoginModuleTest { + + @Override + protected String getLoginModule() { + return "EncryptedPropertiesLogin"; + } + + @Override + public void testLoginReload() throws Exception { + // Ignore + } +} diff --git a/activemq-jaas/src/test/java/org/apache/activemq/jaas/PropertiesLoginModuleTest.java b/activemq-jaas/src/test/java/org/apache/activemq/jaas/PropertiesLoginModuleTest.java index 478611b5c5..81dab16270 100644 --- a/activemq-jaas/src/test/java/org/apache/activemq/jaas/PropertiesLoginModuleTest.java +++ b/activemq-jaas/src/test/java/org/apache/activemq/jaas/PropertiesLoginModuleTest.java @@ -52,7 +52,7 @@ public class PropertiesLoginModuleTest extends TestCase { } public void testLogin() throws LoginException { - LoginContext context = new LoginContext("PropertiesLogin", new UserPassHandler("first", "secret")); + LoginContext context = new LoginContext(getLoginModule(), new UserPassHandler("first", "secret")); context.login(); Subject subject = context.getSubject(); 
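Review bot: The `testLoginReload` override in EncryptedPropertiesLoginModuleTest turns an inherited test into a silent pass with only `// Ignore`, so a reader cannot tell whether reload is unsupported for encrypted files or simply has no fixture. The comment should give the reason, e.g. `// Reload is exercised by PropertiesLoginModuleTest against the unencrypted PropertiesLoginReload entry; login.config has no encrypted reload entry` — that reason is inferred from the rest of this patch and should be confirmed. The encrypted fixtures presumably depend on ACTIVEMQ_ENCRYPTION_PASSWORD being set by the build (the activemq-jaas pom hunk is not legible here); a one-line class comment naming that dependency would save the next reader a hunt when the tests fail locally.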
@@ -113,7 +113,7 @@ public class PropertiesLoginModuleTest extends TestCase { } public void testBadUseridLogin() throws Exception { - LoginContext context = new LoginContext("PropertiesLogin", new UserPassHandler("BAD", "secret")); + LoginContext context = new LoginContext(getLoginModule(), new UserPassHandler("BAD", "secret")); try { context.login(); @@ -124,7 +124,7 @@ public class PropertiesLoginModuleTest extends TestCase { } public void testBadPWLogin() throws Exception { - LoginContext context = new LoginContext("PropertiesLogin", new UserPassHandler("first", "BAD")); + LoginContext context = new LoginContext(getLoginModule(), new UserPassHandler("first", "BAD")); try { context.login(); @@ -157,4 +157,8 @@ public class PropertiesLoginModuleTest extends TestCase { } } } + + protected String getLoginModule() { + return "PropertiesLogin"; + } } diff --git a/activemq-jaas/src/test/resources/login.config b/activemq-jaas/src/test/resources/login.config index dee62a52c8..aad35cfd68 100644 --- a/activemq-jaas/src/test/resources/login.config +++ b/activemq-jaas/src/test/resources/login.config @@ -30,6 +30,23 @@ PropertiesLoginReload { org.apache.activemq.jaas.properties.group="groups.properties"; }; +EncryptedPropertiesLogin { + org.apache.activemq.jaas.PropertiesLoginModule required + debug=true + org.apache.activemq.jaas.properties.user="users-encrypted.properties" + org.apache.activemq.jaas.properties.group="groups.properties" + decrypt=true; +}; + +EncryptedAESPropertiesLogin { + org.apache.activemq.jaas.PropertiesLoginModule required + debug=true + org.apache.activemq.jaas.properties.user="users-encrypted-aes.properties" + org.apache.activemq.jaas.properties.group="groups.properties" + algorithm=PBEWITHHMACSHA1ANDAES_128 + decrypt=true; +}; + LDAPLogin { org.apache.activemq.jaas.LDAPLoginModule required debug=true 
diff --git a/activemq-jaas/src/test/resources/users-encrypted-aes.properties b/activemq-jaas/src/test/resources/users-encrypted-aes.properties new file mode 100644 index 0000000000..da38be20a2 --- /dev/null +++ b/activemq-jaas/src/test/resources/users-encrypted-aes.properties @@ -0,0 +1,19 @@ +## --------------------------------------------------------------------------- +## Licensed to the Apache Software Foundation (ASF) under one or more +## contributor license agreements. See the NOTICE file distributed with +## this work for additional information regarding copyright ownership. +## The ASF licenses this file to You under the Apache License, Version 2.0 +## (the "License"); you may not use this file except in compliance with +## the License. You may obtain a copy of the License at +## +## http://www.apache.org/licenses/LICENSE-2.0 +## +## Unless required by applicable law or agreed to in writing, software +## distributed under the License is distributed on an "AS IS" BASIS, +## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +## See the License for the specific language governing permissions and +## limitations under the License. +## --------------------------------------------------------------------------- + +first=ENC(Gk9Rdv1x9AybEf2w2OBIYALTFHbe97eVbOLRkG8btwIDdCtotcdBfnuGsDRmQpDx) +second=ENC(/Z7qx1/BDlA14exodJiQKMaGJi70kJ7GIntyDYvVvVjpDW7j2piwJHEUFTtJ/HVG) diff --git a/activemq-jaas/src/test/resources/users-encrypted.properties b/activemq-jaas/src/test/resources/users-encrypted.properties new file mode 100644 index 0000000000..000fe1432c --- /dev/null +++ b/activemq-jaas/src/test/resources/users-encrypted.properties 
@@ -0,0 +1,19 @@ +## --------------------------------------------------------------------------- +## Licensed to the Apache Software Foundation (ASF) under one or more +## contributor license agreements. See the NOTICE file distributed with +## this work for additional information regarding copyright ownership. +## The ASF licenses this file to You under the Apache License, Version 2.0 +## (the "License"); you may not use this file except in compliance with +## the License. You may obtain a copy of the License at +## +## http://www.apache.org/licenses/LICENSE-2.0 +## +## Unless required by applicable law or agreed to in writing, software +## distributed under the License is distributed on an "AS IS" BASIS, +## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +## See the License for the specific language governing permissions and +## limitations under the License. +## --------------------------------------------------------------------------- + +first=ENC(Z5ZVpKZrgHL8M58yqlVTWA==) +second=ENC(4mCibprDoilo4CHjFkXOTdOOA1jXEx+X) diff --git a/activemq-unit-tests/pom.xml b/activemq-unit-tests/pom.xml index ab619fba57..8b7d0ae226 100644 --- a/activemq-unit-tests/pom.xml +++ b/activemq-unit-tests/pom.xml @@ -222,7 +222,7 @@ org.jasypt - jasypt-spring31 + jasypt-spring4 ${jasypt-version} true diff --git a/activemq-unit-tests/src/test/resources/org/apache/activemq/security/simple-auth-broker-no-users.xml b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/simple-auth-broker-no-users.xml index a9c62862f3..6dd9570622 100644 --- a/activemq-unit-tests/src/test/resources/org/apache/activemq/security/simple-auth-broker-no-users.xml +++ b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/simple-auth-broker-no-users.xml @@ -30,7 +30,7 @@ - + 
diff --git a/activemq-unit-tests/src/test/resources/org/apache/activemq/security/simple-auth-broker.xml b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/simple-auth-broker.xml index c53e3f42e7..16558174bc 100644 --- a/activemq-unit-tests/src/test/resources/org/apache/activemq/security/simple-auth-broker.xml +++ b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/simple-auth-broker.xml @@ -30,7 +30,7 @@ - + diff --git a/activemq-unit-tests/src/test/resources/org/apache/activemq/security/simple-auth-separator.xml b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/simple-auth-separator.xml index d7bee3171e..398fec74bd 100644 --- a/activemq-unit-tests/src/test/resources/org/apache/activemq/security/simple-auth-separator.xml +++ b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/simple-auth-separator.xml @@ -30,7 +30,7 @@ - + diff --git a/assembly/pom.xml b/assembly/pom.xml index f8326d7d0b..4a35d80a43 100644 --- a/assembly/pom.xml +++ b/assembly/pom.xml @@ -400,7 +400,7 @@ org.jasypt - jasypt-spring31 + jasypt-spring4 ${jasypt-version} diff --git a/assembly/src/main/descriptors/common-bin.xml b/assembly/src/main/descriptors/common-bin.xml index b3a15b7a65..b1067c08f7 100644 --- a/assembly/src/main/descriptors/common-bin.xml +++ b/assembly/src/main/descriptors/common-bin.xml @@ -207,7 +207,7 @@ org.apache.velocity:velocity-engine-core org.apache.servicemix.bundles:org.apache.servicemix.bundles.josql org.jasypt:jasypt - org.jasypt:jasypt-spring31 + org.jasypt:jasypt-spring4 javax.jmdns:jmdns org.apache.qpid:proton-j ${pom.groupId}:activemq-runtime-config diff --git a/assembly/src/release/examples/conf/activemq-security.xml b/assembly/src/release/examples/conf/activemq-security.xml index 1fb1422192..3d34dde557 100644 --- a/assembly/src/release/examples/conf/activemq-security.xml +++ b/assembly/src/release/examples/conf/activemq-security.xml @@ -48,7 +48,7 @@ - +