mirror of https://github.com/apache/activemq.git
https://issues.apache.org/jira/browse/AMQ-6118 - CRL Checking via OCSP
parent
a9a1498d27
commit
993d561947
|
@ -21,6 +21,7 @@ import java.net.MalformedURLException;
|
|||
import java.security.KeyStore;
|
||||
import java.security.NoSuchAlgorithmException;
|
||||
import java.security.SecureRandom;
|
||||
import java.security.Security;
|
||||
import java.security.cert.*;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Arrays;
|
||||
|
@ -93,27 +94,25 @@ public class SpringSslContext extends SslContext {
|
|||
}
|
||||
|
||||
private Collection<TrustManager> createTrustManagers() throws Exception {
|
||||
boolean ocsp = Boolean.valueOf(Security.getProperty("ocsp.enable"));
|
||||
|
||||
KeyStore ks = createTrustManagerKeyStore();
|
||||
if( ks ==null ) {
|
||||
return new ArrayList<TrustManager>(0);
|
||||
}
|
||||
TrustManagerFactory tmf = TrustManagerFactory.getInstance(trustStoreAlgorithm);
|
||||
boolean initialized = false;
|
||||
if (crlPath != null) {
|
||||
if (trustStoreAlgorithm.equalsIgnoreCase("PKIX")) {
|
||||
if ((ocsp || crlPath != null) && trustStoreAlgorithm.equalsIgnoreCase("PKIX")) {
|
||||
PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(ks, new X509CertSelector());
|
||||
if (crlPath != null) {
|
||||
pkixParams.setRevocationEnabled(true);
|
||||
Collection<? extends CRL> crlList = loadCRL();
|
||||
|
||||
if (crlList != null) {
|
||||
PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(ks, null);
|
||||
pkixParams.setRevocationEnabled(true);
|
||||
pkixParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crlList)));
|
||||
tmf.init(new CertPathTrustManagerParameters(pkixParams));
|
||||
initialized = true;
|
||||
}
|
||||
|
||||
} else {
|
||||
LOG.warn("Revocation checking is only supported with 'trustStoreAlgorithm=\"PKIX\"'. Ignoring CRL: " + crlPath);
|
||||
}
|
||||
tmf.init(new CertPathTrustManagerParameters(pkixParams));
|
||||
initialized = true;
|
||||
}
|
||||
|
||||
if (!initialized) {
|
||||
|
|
|
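Review bot: When `ocsp` is true but `crlPath` is null, the new branch at L74–L80 never calls `setRevocationEnabled(true)`, so OCSP checking works only because `PKIXBuilderParameters` defaults to revocation enabled; make that explicit by moving the call to just after the constructor on L77, `pkixParams.setRevocationEnabled(true); // CRL and/or OCSP, per ocsp.enable`, so a later edit of the CRL-only block cannot silently disable it. With OCSP on and no CRL, PKIX fails closed whenever the responder (from `ocsp.responderURL` or the certificate's AIA extension) is unreachable, which deserves a one-line comment above the `ocsp` read on L45. The rendering does not show which side the `LOG.warn` else branch (L114–L117) is on; if it was dropped, a configured `crlPath` or `ocsp.enable=true` with a non-PKIX `trustStoreAlgorithm` is now ignored without any log line, and that warning should be kept for both inputs. `createTrustManagers` continues past the end of the hunk.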
@ -82,8 +82,10 @@ if [ -z "$ACTIVEMQ_QUEUEMANAGERURL" ]; then
|
|||
fi
|
||||
|
||||
# Set additional JSE arguments
|
||||
#ACTIVEMQ_SSL_OPTS="-Dcom.sun.security.enableCRLDP=true -Docsp.enable=true -Docsp.responderURL=http://ocsp.example.net:80"
|
||||
ACTIVEMQ_SSL_OPTS=""
|
||||
if [ -z "$ACTIVEMQ_SSL_OPTS" ] ; then
|
||||
#ACTIVEMQ_SSL_OPTS="-Djava.security.properties=$ACTIVEMQ_CONF/java.security"
|
||||
ACTIVEMQ_SSL_OPTS=""
|
||||
fi
|
||||
|
||||
# Uncomment to enable remote debugging
|
||||
#ACTIVEMQ_DEBUG_OPTS="-Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5005"
|
||||
|
|
|
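Review bot: The unconditional `ACTIVEMQ_SSL_OPTS=""` on L154, if it is one of the two lines this hunk adds, overwrites any value the caller exported before the `-z` test on L157 runs, turning that guard into a no-op; drop L154 and keep only the commented example on L151. Separately, the example on L151 passes `ocsp.enable` and `ocsp.responderURL` as `-D` system properties, while the Java side reads them with `Security.getProperty`, which consults the Security properties (the file selected via `-Djava.security.properties` on L160); unless the JDK also honours those names as system properties, the L151 form will not take effect, so the comment should point at the L160 mechanism instead. The enclosing script continues outside the hunk.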
@ -0,0 +1,19 @@
|
|||
## ---------------------------------------------------------------------------
|
||||
## Licensed to the Apache Software Foundation (ASF) under one or more
|
||||
## contributor license agreements. See the NOTICE file distributed with
|
||||
## this work for additional information regarding copyright ownership.
|
||||
## The ASF licenses this file to You under the Apache License, Version 2.0
|
||||
## (the "License"); you may not use this file except in compliance with
|
||||
## the License. You may obtain a copy of the License at
|
||||
##
|
||||
## http://www.apache.org/licenses/LICENSE-2.0
|
||||
##
|
||||
## Unless required by applicable law or agreed to in writing, software
|
||||
## distributed under the License is distributed on an "AS IS" BASIS,
|
||||
## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
## See the License for the specific language governing permissions and
|
||||
## limitations under the License.
|
||||
## ---------------------------------------------------------------------------
|
||||
|
||||
ocsp.enable=true
|
||||
ocsp.responderURL=http://ocsp.example.net:80
|