AMQ-7457 - Support wider password encryption schemes

This commit is contained in:
Colm O hEigeartaigh 2020-03-27 08:34:10 +00:00
parent 05c43fe347
commit 9599ad8d95
19 changed files with 171 additions and 15 deletions


@ -19,6 +19,7 @@ package org.apache.activemq.console.command;
import java.util.List; import java.util.List;
import org.jasypt.exceptions.EncryptionOperationNotPossibleException; import org.jasypt.exceptions.EncryptionOperationNotPossibleException;
import org.jasypt.iv.RandomIvGenerator;
public class DecryptCommand extends EncryptCommand { public class DecryptCommand extends EncryptCommand {
@ -30,6 +31,7 @@ public class DecryptCommand extends EncryptCommand {
" --password <password> Password to be used by the encryptor. Defaults to", " --password <password> Password to be used by the encryptor. Defaults to",
" the value in the ACTIVEMQ_ENCRYPTION_PASSWORD env variable.", " the value in the ACTIVEMQ_ENCRYPTION_PASSWORD env variable.",
" --input <input> Text to be encrypted.", " --input <input> Text to be encrypted.",
" --algorithm <algorithm> Algorithm to use.",
" --version Display the version information.", " --version Display the version information.",
" -h,-?,--help Display the stop broker help information.", " -h,-?,--help Display the stop broker help information.",
"" ""
@ -55,6 +57,13 @@ public class DecryptCommand extends EncryptCommand {
return; return;
} }
encryptor.setPassword(password); encryptor.setPassword(password);
if (algorithm != null) {
encryptor.setAlgorithm(algorithm);
// From Jasypt: for PBE-AES-based algorithms, the IV generator is MANDATORY"
if (algorithm.startsWith("PBE") && algorithm.contains("AES")) {
encryptor.setIvGenerator(new RandomIvGenerator());
}
}
try { try {
context.print("Decrypted text: " + encryptor.decrypt(input)); context.print("Decrypted text: " + encryptor.decrypt(input));
} catch (EncryptionOperationNotPossibleException e) { } catch (EncryptionOperationNotPossibleException e) {
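Review bot: The IV-generator guard `if (algorithm.startsWith("PBE") && algorithm.contains("AES"))` is case-sensitive, while JCA/Jasypt algorithm names are matched case-insensitively, so a value such as `pbewithhmacsha1andaes_128` sets the algorithm yet skips the IV generator, and the decrypt call then presumably fails inside Jasypt rather than with a clear argument error. Normalising first, `String alg = algorithm.toUpperCase(Locale.ROOT);` and `if (alg.startsWith("PBE") && alg.contains("AES")) {`, avoids that (java.util.Locale would need importing). The same copied guard appears in EncryptCommand and EncryptionSupport.createEncryptor, so one shared helper would keep the three in step. The comment above the guard also carries a stray closing quote: `// From Jasypt: for PBE-AES-based algorithms, the IV generator is MANDATORY`. The enclosing method starts and ends outside the hunk.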


@ -19,6 +19,7 @@ package org.apache.activemq.console.command;
import java.util.List; import java.util.List;
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor; import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.iv.RandomIvGenerator;
public class EncryptCommand extends AbstractCommand { public class EncryptCommand extends AbstractCommand {
@ -30,6 +31,7 @@ public class EncryptCommand extends AbstractCommand {
" --password <password> Password to be used by the encryptor. Defaults to", " --password <password> Password to be used by the encryptor. Defaults to",
" the value in the ACTIVEMQ_ENCRYPTION_PASSWORD env variable.", " the value in the ACTIVEMQ_ENCRYPTION_PASSWORD env variable.",
" --input <input> Text to be encrypted.", " --input <input> Text to be encrypted.",
" --algorithm <algorithm> Algorithm to use.",
" --version Display the version information.", " --version Display the version information.",
" -h,-?,--help Display the stop broker help information.", " -h,-?,--help Display the stop broker help information.",
"" ""
@ -38,6 +40,7 @@ public class EncryptCommand extends AbstractCommand {
StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor(); StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
String input; String input;
String password; String password;
String algorithm;
@Override @Override
public String getName() { public String getName() {
@ -64,6 +67,13 @@ public class EncryptCommand extends AbstractCommand {
return; return;
} }
encryptor.setPassword(password); encryptor.setPassword(password);
if (algorithm != null) {
encryptor.setAlgorithm(algorithm);
// From Jasypt: for PBE-AES-based algorithms, the IV generator is MANDATORY"
if (algorithm.startsWith("PBE") && algorithm.contains("AES")) {
encryptor.setIvGenerator(new RandomIvGenerator());
}
}
context.print("Encrypted text: " + encryptor.encrypt(input)); context.print("Encrypted text: " + encryptor.encrypt(input));
} }
@ -83,6 +93,13 @@ public class EncryptCommand extends AbstractCommand {
} }
password=(String)tokens.remove(0); password=(String)tokens.remove(0);
} else if (token.startsWith("--algorithm")) {
if (tokens.isEmpty() || ((String)tokens.get(0)).startsWith("-")) {
context.printException(new IllegalArgumentException("algorithm not specified"));
return;
}
algorithm=(String)tokens.remove(0);
} else { } else {
super.handleOption(token, tokens); super.handleOption(token, tokens);
} }
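Review bot: The new help line `" --algorithm <algorithm> Algorithm to use."` and the package-private field `String algorithm;` do not say what applies when the option is omitted or what form the value takes, so a user cannot tell that the fallback is Jasypt's default PBEWithMD5AndDES (the same value PropertiesLoader falls back to) or that an AES-based PBE name is what switches on the IV generator. Suggest `" --algorithm <algorithm> Jasypt PBE algorithm to use (e.g. PBEWITHHMACSHA1ANDAES_128)."` followed by `" Defaults to PBEWithMD5AndDES."`, plus a one-line comment on the field. The handleOption branch only checks that a value is present; an unsupported name will surface from Jasypt when the encryptor initialises, and since the encrypt call on the new side is not wrapped in a try, it is worth confirming that runTask's caller (outside the hunk) reports that readably.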


@ -56,6 +56,9 @@
</property> </property>
--> -->
</systemProperties> </systemProperties>
<environmentVariables>
<ACTIVEMQ_ENCRYPTION_PASSWORD>activemq</ACTIVEMQ_ENCRYPTION_PASSWORD>
</environmentVariables>
</configuration> </configuration>
</plugin> </plugin>
</plugins> </plugins>
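Review bot: The new `ACTIVEMQ_ENCRYPTION_PASSWORD` environment variable has no comment explaining that it is the test-only password the encrypted properties fixtures were presumably produced with, so a reader may take `activemq` for a real default. A one-line `<!-- test-only password; must match the one used to produce the users-encrypted*.properties fixtures -->` above the entry would make that coupling visible.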


@ -19,6 +19,7 @@ package org.apache.activemq.jaas;
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor; import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig; import org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig;
import org.jasypt.properties.PropertyValueEncryptionUtils; import org.jasypt.properties.PropertyValueEncryptionUtils;
import org.jasypt.iv.RandomIvGenerator;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Properties; import java.util.Properties;
@ -28,8 +29,8 @@ import java.util.Properties;
*/ */
public class EncryptionSupport { public class EncryptionSupport {
static public void decrypt(Properties props) { static public void decrypt(Properties props, String algorithm) {
StandardPBEStringEncryptor encryptor = createEncryptor(); StandardPBEStringEncryptor encryptor = createEncryptor(algorithm);
for (Object k : new ArrayList(props.keySet())) { for (Object k : new ArrayList(props.keySet())) {
String key = (String) k; String key = (String) k;
String value = props.getProperty(key); String value = props.getProperty(key);
@ -40,10 +41,16 @@ public class EncryptionSupport {
} }
} }
public static StandardPBEStringEncryptor createEncryptor() { public static StandardPBEStringEncryptor createEncryptor(String algorithm) {
StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor(); StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
EnvironmentStringPBEConfig config = new EnvironmentStringPBEConfig(); EnvironmentStringPBEConfig config = new EnvironmentStringPBEConfig();
config.setAlgorithm("PBEWithMD5AndDES"); if (algorithm != null) {
encryptor.setAlgorithm(algorithm);
// From Jasypt: for PBE-AES-based algorithms, the IV generator is MANDATORY"
if (algorithm.startsWith("PBE") && algorithm.contains("AES")) {
encryptor.setIvGenerator(new RandomIvGenerator());
}
}
config.setPasswordEnvName("ACTIVEMQ_ENCRYPTION_PASSWORD"); config.setPasswordEnvName("ACTIVEMQ_ENCRYPTION_PASSWORD");
encryptor.setConfig(config); encryptor.setConfig(config);
return encryptor; return encryptor;
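Review bot: `decrypt(Properties)` and `createEncryptor()` are public static and both signatures change in place, so any caller outside this module that used the old forms no longer compiles or links. Keeping delegating overloads costs two lines: `public static void decrypt(Properties props) { decrypt(props, null); }` and `public static StandardPBEStringEncryptor createEncryptor() { return createEncryptor(null); }`. A null `algorithm` now leaves the algorithm unset on both encryptor and config, i.e. it falls back to Jasypt's built-in default instead of the explicit `PBEWithMD5AndDES` the old `config.setAlgorithm` call configured; that is the same value, but a short Javadoc on the parameter stating that null means the Jasypt default would save the next reader from checking. decrypt's body continues outside the hunk.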


@ -53,12 +53,14 @@ public class PropertiesLoader {
final boolean reload; final boolean reload;
private boolean decrypt; private boolean decrypt;
private boolean debug; private boolean debug;
private String algorithm;
public FileNameKey(String nameProperty, String fallbackName, Map options) { public FileNameKey(String nameProperty, String fallbackName, Map options) {
this.file = new File(baseDir(options), stringOption(nameProperty, fallbackName, options)); this.file = new File(baseDir(options), stringOption(nameProperty, fallbackName, options));
absPath = file.getAbsolutePath(); absPath = file.getAbsolutePath();
reload = booleanOption("reload", options); reload = booleanOption("reload", options);
decrypt = booleanOption("decrypt", options); decrypt = booleanOption("decrypt", options);
algorithm = stringOption("algorithm", "PBEWithMD5AndDES", options);
} }
@Override @Override
@ -87,6 +89,10 @@ public class PropertiesLoader {
this.decrypt = decrypt; this.decrypt = decrypt;
} }
public String getAlgorithm() {
return algorithm;
}
private String stringOption(String key, String nameDefault, Map options) { private String stringOption(String key, String nameDefault, Map options) {
Object result = options.get(key); Object result = options.get(key);
return result != null ? result.toString() : nameDefault; return result != null ? result.toString() : nameDefault;
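Review bot: The fallback `algorithm = stringOption("algorithm", "PBEWithMD5AndDES", options);` keeps MD5/DES as the default, which is the legacy-compatible choice but also the weakest scheme Jasypt offers, and nothing in the hunk records that the default exists for compatibility. A comment such as `// default kept for compatibility with existing encrypted property files; new deployments should set algorithm to an AES-based PBE scheme` plus a Javadoc on `getAlgorithm()` would capture that. If FileNameKey's equals/hashCode (outside the hunk) identify a key by file only, it is also worth checking whether two login modules reading the same file with different algorithm values would share a cached entry.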


@ -124,7 +124,7 @@ public class ReloadableProperties {
props.load(in); props.load(in);
if (key.isDecrypt()) { if (key.isDecrypt()) {
try { try {
EncryptionSupport.decrypt(this.props); EncryptionSupport.decrypt(this.props, key.getAlgorithm());
} catch (NoClassDefFoundError e) { } catch (NoClassDefFoundError e) {
// this Happens whe jasypt is not on the classpath.. // this Happens whe jasypt is not on the classpath..
key.setDecrypt(false); key.setDecrypt(false);


@ -0,0 +1,25 @@
/**
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.activemq.jaas;
public class EncryptedAESPropertiesLoginModuleTest extends EncryptedPropertiesLoginModuleTest {
@Override
protected String getLoginModule() {
return "EncryptedAESPropertiesLogin";
}
}


@ -0,0 +1,30 @@
/**
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.activemq.jaas;
public class EncryptedPropertiesLoginModuleTest extends PropertiesLoginModuleTest {
@Override
protected String getLoginModule() {
return "EncryptedPropertiesLogin";
}
@Override
public void testLoginReload() throws Exception {
// Ignore
}
}
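Review bot: The override `public void testLoginReload() throws Exception { // Ignore }` silently disables an inherited test without saying why, so a future reader cannot tell whether reload is unsupported with decrypt=true or simply has no encrypted fixture. Replace the bare `// Ignore` with the reason, e.g. `// Reload is not exercised here: the PropertiesLoginReload entry in login.config has no encrypted-properties variant` (adjust if the actual reason differs).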


@ -52,7 +52,7 @@ public class PropertiesLoginModuleTest extends TestCase {
} }
public void testLogin() throws LoginException { public void testLogin() throws LoginException {
LoginContext context = new LoginContext("PropertiesLogin", new UserPassHandler("first", "secret")); LoginContext context = new LoginContext(getLoginModule(), new UserPassHandler("first", "secret"));
context.login(); context.login();
Subject subject = context.getSubject(); Subject subject = context.getSubject();
@ -113,7 +113,7 @@ public class PropertiesLoginModuleTest extends TestCase {
} }
public void testBadUseridLogin() throws Exception { public void testBadUseridLogin() throws Exception {
LoginContext context = new LoginContext("PropertiesLogin", new UserPassHandler("BAD", "secret")); LoginContext context = new LoginContext(getLoginModule(), new UserPassHandler("BAD", "secret"));
try { try {
context.login(); context.login();
@ -124,7 +124,7 @@ public class PropertiesLoginModuleTest extends TestCase {
} }
public void testBadPWLogin() throws Exception { public void testBadPWLogin() throws Exception {
LoginContext context = new LoginContext("PropertiesLogin", new UserPassHandler("first", "BAD")); LoginContext context = new LoginContext(getLoginModule(), new UserPassHandler("first", "BAD"));
try { try {
context.login(); context.login();
@ -157,4 +157,8 @@ public class PropertiesLoginModuleTest extends TestCase {
} }
} }
} }
protected String getLoginModule() {
return "PropertiesLogin";
}
} }


@ -30,6 +30,23 @@ PropertiesLoginReload {
org.apache.activemq.jaas.properties.group="groups.properties"; org.apache.activemq.jaas.properties.group="groups.properties";
}; };
EncryptedPropertiesLogin {
org.apache.activemq.jaas.PropertiesLoginModule required
debug=true
org.apache.activemq.jaas.properties.user="users-encrypted.properties"
org.apache.activemq.jaas.properties.group="groups.properties"
decrypt=true;
};
EncryptedAESPropertiesLogin {
org.apache.activemq.jaas.PropertiesLoginModule required
debug=true
org.apache.activemq.jaas.properties.user="users-encrypted-aes.properties"
org.apache.activemq.jaas.properties.group="groups.properties"
algorithm=PBEWITHHMACSHA1ANDAES_128
decrypt=true;
};
LDAPLogin { LDAPLogin {
org.apache.activemq.jaas.LDAPLoginModule required org.apache.activemq.jaas.LDAPLoginModule required
debug=true debug=true


@ -0,0 +1,19 @@
## ---------------------------------------------------------------------------
## Licensed to the Apache Software Foundation (ASF) under one or more
## contributor license agreements. See the NOTICE file distributed with
## this work for additional information regarding copyright ownership.
## The ASF licenses this file to You under the Apache License, Version 2.0
## (the "License"); you may not use this file except in compliance with
## the License. You may obtain a copy of the License at
##
## http://www.apache.org/licenses/LICENSE-2.0
##
## Unless required by applicable law or agreed to in writing, software
## distributed under the License is distributed on an "AS IS" BASIS,
## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
## See the License for the specific language governing permissions and
## limitations under the License.
## ---------------------------------------------------------------------------
first=ENC(Gk9Rdv1x9AybEf2w2OBIYALTFHbe97eVbOLRkG8btwIDdCtotcdBfnuGsDRmQpDx)
second=ENC(/Z7qx1/BDlA14exodJiQKMaGJi70kJ7GIntyDYvVvVjpDW7j2piwJHEUFTtJ/HVG)


@ -0,0 +1,19 @@
## ---------------------------------------------------------------------------
## Licensed to the Apache Software Foundation (ASF) under one or more
## contributor license agreements. See the NOTICE file distributed with
## this work for additional information regarding copyright ownership.
## The ASF licenses this file to You under the Apache License, Version 2.0
## (the "License"); you may not use this file except in compliance with
## the License. You may obtain a copy of the License at
##
## http://www.apache.org/licenses/LICENSE-2.0
##
## Unless required by applicable law or agreed to in writing, software
## distributed under the License is distributed on an "AS IS" BASIS,
## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
## See the License for the specific language governing permissions and
## limitations under the License.
## ---------------------------------------------------------------------------
first=ENC(Z5ZVpKZrgHL8M58yqlVTWA==)
second=ENC(4mCibprDoilo4CHjFkXOTdOOA1jXEx+X)


@ -222,7 +222,7 @@
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.jasypt</groupId> <groupId>org.jasypt</groupId>
<artifactId>jasypt-spring31</artifactId> <artifactId>jasypt-spring4</artifactId>
<version>${jasypt-version}</version> <version>${jasypt-version}</version>
<optional>true</optional> <optional>true</optional>
</dependency> </dependency>


@ -30,7 +30,7 @@
<property name="password" value="activemq"/> <property name="password" value="activemq"/>
</bean> </bean>
<bean id="propertyConfigurer" class="org.jasypt.spring31.properties.EncryptablePropertyPlaceholderConfigurer"> <bean id="propertyConfigurer" class="org.jasypt.spring4.properties.EncryptablePropertyPlaceholderConfigurer">
<constructor-arg ref="configurationEncryptor" /> <constructor-arg ref="configurationEncryptor" />
<property name="location" value="classpath:credentials.properties"/> <property name="location" value="classpath:credentials.properties"/>
</bean> </bean>


@ -30,7 +30,7 @@
<property name="password" value="activemq"/> <property name="password" value="activemq"/>
</bean> </bean>
<bean id="propertyConfigurer" class="org.jasypt.spring31.properties.EncryptablePropertyPlaceholderConfigurer"> <bean id="propertyConfigurer" class="org.jasypt.spring4.properties.EncryptablePropertyPlaceholderConfigurer">
<constructor-arg ref="configurationEncryptor" /> <constructor-arg ref="configurationEncryptor" />
<property name="location" value="classpath:credentials.properties"/> <property name="location" value="classpath:credentials.properties"/>
</bean> </bean>


@ -30,7 +30,7 @@
<property name="password" value="activemq"/> <property name="password" value="activemq"/>
</bean> </bean>
<bean id="propertyConfigurer" class="org.jasypt.spring31.properties.EncryptablePropertyPlaceholderConfigurer"> <bean id="propertyConfigurer" class="org.jasypt.spring4.properties.EncryptablePropertyPlaceholderConfigurer">
<constructor-arg ref="configurationEncryptor" /> <constructor-arg ref="configurationEncryptor" />
<property name="location" value="classpath:credentials.properties"/> <property name="location" value="classpath:credentials.properties"/>
</bean> </bean>


@ -400,7 +400,7 @@
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.jasypt</groupId> <groupId>org.jasypt</groupId>
<artifactId>jasypt-spring31</artifactId> <artifactId>jasypt-spring4</artifactId>
<version>${jasypt-version}</version> <version>${jasypt-version}</version>
</dependency> </dependency>
<dependency> <dependency>


@ -207,7 +207,7 @@
<include>org.apache.velocity:velocity-engine-core</include> <include>org.apache.velocity:velocity-engine-core</include>
<include>org.apache.servicemix.bundles:org.apache.servicemix.bundles.josql</include> <include>org.apache.servicemix.bundles:org.apache.servicemix.bundles.josql</include>
<include>org.jasypt:jasypt</include> <include>org.jasypt:jasypt</include>
<include>org.jasypt:jasypt-spring31</include> <include>org.jasypt:jasypt-spring4</include>
<include>javax.jmdns:jmdns</include> <include>javax.jmdns:jmdns</include>
<include>org.apache.qpid:proton-j</include> <include>org.apache.qpid:proton-j</include>
<include>${pom.groupId}:activemq-runtime-config</include> <include>${pom.groupId}:activemq-runtime-config</include>


@ -48,7 +48,7 @@
<property name="config" ref="environmentVariablesConfiguration" /> <property name="config" ref="environmentVariablesConfiguration" />
</bean> </bean>
<bean id="propertyConfigurer" class="org.jasypt.spring31.properties.EncryptablePropertyPlaceholderConfigurer"> <bean id="propertyConfigurer" class="org.jasypt.spring4.properties.EncryptablePropertyPlaceholderConfigurer">
<constructor-arg ref="configurationEncryptor" /> <constructor-arg ref="configurationEncryptor" />
<property name="location" value="file:${activemq.conf}/credentials-enc.properties"/> <property name="location" value="file:${activemq.conf}/credentials-enc.properties"/>
</bean> </bean>
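Review bot: The class name in `<bean id="propertyConfigurer" class="org.jasypt.spring4.properties.EncryptablePropertyPlaceholderConfigurer">` is something every existing installation has to change by hand, yet the `jasypt-spring31` bundle is dropped from the assembly include list in the same commit, so an upgraded broker whose activemq.xml still names `org.jasypt.spring31...` will presumably fail to start with a class-not-found error. A release-note/migration entry, or an XML comment next to this bean naming the old class and the new one, would make that visible to operators.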