Merge pull request #520 from coheigea/AMQ-7457

AMQ-7457 - Support wider password encryption schemes

activemq-console/src/main/java/org/apache/activemq/console/command/DecryptCommand.java

@@ -19,6 +19,7 @@ package org.apache.activemq.console.command;
 import java.util.List;
 
 import org.jasypt.exceptions.EncryptionOperationNotPossibleException;
+import org.jasypt.iv.RandomIvGenerator;
 
 public class DecryptCommand extends EncryptCommand {
 
@@ -30,6 +31,7 @@ public class DecryptCommand extends EncryptCommand {
             "    --password <password>      Password to be used by the encryptor.  Defaults to",
             "                               the value in the ACTIVEMQ_ENCRYPTION_PASSWORD env variable.",
             "    --input <input>            Text to be encrypted.",
+            "    --algorithm <algorithm>    Algorithm to use.",
             "    --version                  Display the version information.",
             "    -h,-?,--help               Display the stop broker help information.",
             ""
@@ -55,6 +57,13 @@ public class DecryptCommand extends EncryptCommand {
             return;
         }
         encryptor.setPassword(password);
+        if (algorithm != null) {
+            encryptor.setAlgorithm(algorithm);
+            // From Jasypt: for PBE-AES-based algorithms, the IV generator is MANDATORY"
+            if (algorithm.startsWith("PBE") && algorithm.contains("AES")) {
+                encryptor.setIvGenerator(new RandomIvGenerator());
+            }
+        }
         try {
             context.print("Decrypted text: " + encryptor.decrypt(input));
         } catch (EncryptionOperationNotPossibleException e) {

activemq-console/src/main/java/org/apache/activemq/console/command/EncryptCommand.java

@@ -19,6 +19,7 @@ package org.apache.activemq.console.command;
 import java.util.List;
 
 import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
+import org.jasypt.iv.RandomIvGenerator;
 
 public class EncryptCommand extends AbstractCommand {
 
@@ -30,6 +31,7 @@ public class EncryptCommand extends AbstractCommand {
             "    --password <password>      Password to be used by the encryptor.  Defaults to",
             "                               the value in the ACTIVEMQ_ENCRYPTION_PASSWORD env variable.",
             "    --input <input>            Text to be encrypted.",
+            "    --algorithm <algorithm>    Algorithm to use.",
             "    --version                  Display the version information.",
             "    -h,-?,--help               Display the stop broker help information.",
             ""
@@ -38,6 +40,7 @@ public class EncryptCommand extends AbstractCommand {
     StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
     String input;
     String password;
+    String algorithm;
     
     @Override
     public String getName() {
@@ -64,6 +67,13 @@ public class EncryptCommand extends AbstractCommand {
             return;
         }
         encryptor.setPassword(password);
+        if (algorithm != null) {
+             encryptor.setAlgorithm(algorithm);
+             // From Jasypt: for PBE-AES-based algorithms, the IV generator is MANDATORY"
+             if (algorithm.startsWith("PBE") && algorithm.contains("AES")) {
+                 encryptor.setIvGenerator(new RandomIvGenerator());
+             }
+        }
         context.print("Encrypted text: " + encryptor.encrypt(input));
     }
 
@@ -83,6 +93,13 @@ public class EncryptCommand extends AbstractCommand {
             }
 
             password=(String)tokens.remove(0);            
+        } else if (token.startsWith("--algorithm")) {
+            if (tokens.isEmpty() || ((String)tokens.get(0)).startsWith("-")) {
+                context.printException(new IllegalArgumentException("algorithm not specified"));
+                return;
+            }
+
+            algorithm=(String)tokens.remove(0);
         } else {
             super.handleOption(token, tokens);
         }

activemq-jaas/pom.xml

@@ -56,6 +56,9 @@
             </property>
             -->
           </systemProperties>
+          <environmentVariables>
+              <ACTIVEMQ_ENCRYPTION_PASSWORD>activemq</ACTIVEMQ_ENCRYPTION_PASSWORD>
+          </environmentVariables>
         </configuration>
       </plugin>
     </plugins>

activemq-jaas/src/main/java/org/apache/activemq/jaas/EncryptionSupport.java

@@ -19,6 +19,7 @@ package org.apache.activemq.jaas;
 import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
 import org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig;
 import org.jasypt.properties.PropertyValueEncryptionUtils;
+import org.jasypt.iv.RandomIvGenerator;
 
 import java.util.ArrayList;
 import java.util.Properties;
@@ -28,8 +29,8 @@ import java.util.Properties;
  */
 public class EncryptionSupport {
 
-    static public void decrypt(Properties props) {
+    static public void decrypt(Properties props, String algorithm) {
-        StandardPBEStringEncryptor encryptor = createEncryptor();
+        StandardPBEStringEncryptor encryptor = createEncryptor(algorithm);
         for (Object k : new ArrayList(props.keySet())) {
             String key = (String) k;
             String value = props.getProperty(key);
@@ -40,10 +41,16 @@ public class EncryptionSupport {
         }
 
     }
-    public static StandardPBEStringEncryptor createEncryptor() {
+    public static StandardPBEStringEncryptor createEncryptor(String algorithm) {
         StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
         EnvironmentStringPBEConfig config = new EnvironmentStringPBEConfig();
-        config.setAlgorithm("PBEWithMD5AndDES");
+        if (algorithm != null) {
+            encryptor.setAlgorithm(algorithm);
+            // From Jasypt: for PBE-AES-based algorithms, the IV generator is MANDATORY"
+            if (algorithm.startsWith("PBE") && algorithm.contains("AES")) {
+                encryptor.setIvGenerator(new RandomIvGenerator());
+            }
+        }
         config.setPasswordEnvName("ACTIVEMQ_ENCRYPTION_PASSWORD");
         encryptor.setConfig(config);
         return encryptor;

activemq-jaas/src/main/java/org/apache/activemq/jaas/PropertiesLoader.java

@@ -53,12 +53,14 @@ public class PropertiesLoader {
         final boolean reload;
         private boolean decrypt;
         private boolean debug;
+        private String algorithm;
 
         public FileNameKey(String nameProperty, String fallbackName, Map options) {
             this.file = new File(baseDir(options), stringOption(nameProperty, fallbackName, options));
             absPath = file.getAbsolutePath();
             reload = booleanOption("reload", options);
             decrypt = booleanOption("decrypt", options);
+            algorithm = stringOption("algorithm", "PBEWithMD5AndDES", options);
         }
 
         @Override
@@ -87,6 +89,10 @@ public class PropertiesLoader {
             this.decrypt = decrypt;
         }
 
+        public String getAlgorithm() {
+            return algorithm;
+        }
+
         private String stringOption(String key, String nameDefault, Map options) {
             Object result = options.get(key);
             return result != null ? result.toString() : nameDefault;

activemq-jaas/src/main/java/org/apache/activemq/jaas/ReloadableProperties.java

@@ -124,7 +124,7 @@ public class ReloadableProperties {
             props.load(in);
             if (key.isDecrypt()) {
                 try {
-                    EncryptionSupport.decrypt(this.props);
+                    EncryptionSupport.decrypt(this.props, key.getAlgorithm());
                 } catch (NoClassDefFoundError e) {
                     // this Happens whe jasypt is not on the classpath..
                     key.setDecrypt(false);

activemq-jaas/src/test/java/org/apache/activemq/jaas/EncryptedAESPropertiesLoginModuleTest.java

@@ -0,0 +1,25 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.jaas;
+
+public class EncryptedAESPropertiesLoginModuleTest extends EncryptedPropertiesLoginModuleTest {
+
+    @Override
+    protected String getLoginModule() {
+        return "EncryptedAESPropertiesLogin";
+    }
+}

activemq-jaas/src/test/java/org/apache/activemq/jaas/EncryptedPropertiesLoginModuleTest.java

@@ -0,0 +1,30 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.jaas;
+
+public class EncryptedPropertiesLoginModuleTest extends PropertiesLoginModuleTest {
+
+    @Override
+    protected String getLoginModule() {
+        return "EncryptedPropertiesLogin";
+    }
+    
+    @Override
+    public void testLoginReload() throws Exception {
+        // Ignore
+    }
+}

activemq-jaas/src/test/java/org/apache/activemq/jaas/PropertiesLoginModuleTest.java

@@ -52,7 +52,7 @@ public class PropertiesLoginModuleTest extends TestCase {
     }
 
     public void testLogin() throws LoginException {
-        LoginContext context = new LoginContext("PropertiesLogin", new UserPassHandler("first", "secret"));
+        LoginContext context = new LoginContext(getLoginModule(), new UserPassHandler("first", "secret"));
         context.login();
 
         Subject subject = context.getSubject();
@@ -113,7 +113,7 @@ public class PropertiesLoginModuleTest extends TestCase {
     }
 
     public void testBadUseridLogin() throws Exception {
-        LoginContext context = new LoginContext("PropertiesLogin", new UserPassHandler("BAD", "secret"));
+        LoginContext context = new LoginContext(getLoginModule(), new UserPassHandler("BAD", "secret"));
 
         try {
             context.login();
@@ -124,7 +124,7 @@ public class PropertiesLoginModuleTest extends TestCase {
     }
 
     public void testBadPWLogin() throws Exception {
-        LoginContext context = new LoginContext("PropertiesLogin", new UserPassHandler("first", "BAD"));
+        LoginContext context = new LoginContext(getLoginModule(), new UserPassHandler("first", "BAD"));
 
         try {
             context.login();
@@ -157,4 +157,8 @@ public class PropertiesLoginModuleTest extends TestCase {
             }
         }
     }
+
+    protected String getLoginModule() {
+        return "PropertiesLogin";
+    }
 }

activemq-jaas/src/test/resources/login.config

@@ -30,6 +30,23 @@ PropertiesLoginReload {
         org.apache.activemq.jaas.properties.group="groups.properties";
 };
 
+EncryptedPropertiesLogin {
+    org.apache.activemq.jaas.PropertiesLoginModule required
+        debug=true
+        org.apache.activemq.jaas.properties.user="users-encrypted.properties"
+        org.apache.activemq.jaas.properties.group="groups.properties"
+        decrypt=true;
+};
+
+EncryptedAESPropertiesLogin {
+    org.apache.activemq.jaas.PropertiesLoginModule required
+        debug=true
+        org.apache.activemq.jaas.properties.user="users-encrypted-aes.properties"
+        org.apache.activemq.jaas.properties.group="groups.properties"
+        algorithm=PBEWITHHMACSHA1ANDAES_128
+        decrypt=true;
+};
+
 LDAPLogin {
     org.apache.activemq.jaas.LDAPLoginModule required
         debug=true

activemq-jaas/src/test/resources/users-encrypted-aes.properties

@@ -0,0 +1,19 @@
+## ---------------------------------------------------------------------------
+## Licensed to the Apache Software Foundation (ASF) under one or more
+## contributor license agreements.  See the NOTICE file distributed with
+## this work for additional information regarding copyright ownership.
+## The ASF licenses this file to You under the Apache License, Version 2.0
+## (the "License"); you may not use this file except in compliance with
+## the License.  You may obtain a copy of the License at
+## 
+## http://www.apache.org/licenses/LICENSE-2.0
+## 
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+## ---------------------------------------------------------------------------
+
+first=ENC(Gk9Rdv1x9AybEf2w2OBIYALTFHbe97eVbOLRkG8btwIDdCtotcdBfnuGsDRmQpDx)
+second=ENC(/Z7qx1/BDlA14exodJiQKMaGJi70kJ7GIntyDYvVvVjpDW7j2piwJHEUFTtJ/HVG)

activemq-jaas/src/test/resources/users-encrypted.properties

@@ -0,0 +1,19 @@
+## ---------------------------------------------------------------------------
+## Licensed to the Apache Software Foundation (ASF) under one or more
+## contributor license agreements.  See the NOTICE file distributed with
+## this work for additional information regarding copyright ownership.
+## The ASF licenses this file to You under the Apache License, Version 2.0
+## (the "License"); you may not use this file except in compliance with
+## the License.  You may obtain a copy of the License at
+## 
+## http://www.apache.org/licenses/LICENSE-2.0
+## 
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+## ---------------------------------------------------------------------------
+
+first=ENC(Z5ZVpKZrgHL8M58yqlVTWA==)
+second=ENC(4mCibprDoilo4CHjFkXOTdOOA1jXEx+X)

activemq-unit-tests/pom.xml

@@ -222,7 +222,7 @@
     </dependency>
     <dependency>
       <groupId>org.jasypt</groupId>
-      <artifactId>jasypt-spring31</artifactId>
+      <artifactId>jasypt-spring4</artifactId>
       <version>${jasypt-version}</version>
       <optional>true</optional>
     </dependency>

activemq-unit-tests/src/test/resources/org/apache/activemq/security/simple-auth-broker-no-users.xml

@@ -30,7 +30,7 @@
       <property name="password" value="activemq"/>
   </bean>
 
-  <bean id="propertyConfigurer" class="org.jasypt.spring31.properties.EncryptablePropertyPlaceholderConfigurer">
+  <bean id="propertyConfigurer" class="org.jasypt.spring4.properties.EncryptablePropertyPlaceholderConfigurer">
       <constructor-arg ref="configurationEncryptor" />
       <property name="location" value="classpath:credentials.properties"/>
   </bean>

activemq-unit-tests/src/test/resources/org/apache/activemq/security/simple-auth-broker.xml

@@ -30,7 +30,7 @@
       <property name="password" value="activemq"/> 
   </bean> 
     
-  <bean id="propertyConfigurer" class="org.jasypt.spring31.properties.EncryptablePropertyPlaceholderConfigurer">
+  <bean id="propertyConfigurer" class="org.jasypt.spring4.properties.EncryptablePropertyPlaceholderConfigurer">
       <constructor-arg ref="configurationEncryptor" /> 
       <property name="location" value="classpath:credentials.properties"/> 
   </bean> 

activemq-unit-tests/src/test/resources/org/apache/activemq/security/simple-auth-separator.xml

@@ -30,7 +30,7 @@
       <property name="password" value="activemq"/>
   </bean>
 
-  <bean id="propertyConfigurer" class="org.jasypt.spring31.properties.EncryptablePropertyPlaceholderConfigurer">
+  <bean id="propertyConfigurer" class="org.jasypt.spring4.properties.EncryptablePropertyPlaceholderConfigurer">
       <constructor-arg ref="configurationEncryptor" />
       <property name="location" value="classpath:credentials.properties"/>
   </bean>

assembly/pom.xml

@@ -400,7 +400,7 @@
     </dependency>
     <dependency>
       <groupId>org.jasypt</groupId>
-      <artifactId>jasypt-spring31</artifactId>
+      <artifactId>jasypt-spring4</artifactId>
       <version>${jasypt-version}</version>
     </dependency>
     <dependency>

assembly/src/main/descriptors/common-bin.xml

@@ -207,7 +207,7 @@
         <include>org.apache.velocity:velocity-engine-core</include>
         <include>org.apache.servicemix.bundles:org.apache.servicemix.bundles.josql</include>
         <include>org.jasypt:jasypt</include>
-        <include>org.jasypt:jasypt-spring31</include>
+        <include>org.jasypt:jasypt-spring4</include>
         <include>javax.jmdns:jmdns</include>
         <include>org.apache.qpid:proton-j</include>
         <include>${pom.groupId}:activemq-runtime-config</include>

assembly/src/release/examples/conf/activemq-security.xml

@@ -48,7 +48,7 @@
     <property name="config" ref="environmentVariablesConfiguration" />
   </bean>  
     
-  <bean id="propertyConfigurer" class="org.jasypt.spring31.properties.EncryptablePropertyPlaceholderConfigurer">
+  <bean id="propertyConfigurer" class="org.jasypt.spring4.properties.EncryptablePropertyPlaceholderConfigurer">
       <constructor-arg ref="configurationEncryptor" /> 
       <property name="location" value="file:${activemq.conf}/credentials-enc.properties"/> 
   </bean>