From 993d561947cd92aee879d34e77ee36c2cfb175a7 Mon Sep 17 00:00:00 2001
From: Dejan Bosanac
Date: Fri, 1 Apr 2016 13:07:09 +0200
Subject: [PATCH] https://issues.apache.org/jira/browse/AMQ-6118 - CRL Checking via OCSP

---
 .../activemq/spring/SpringSslContext.java | 19 +++++++++----------
 assembly/src/release/bin/env | 6 ++++--
 assembly/src/release/conf/java.security | 19 +++++++++++++++++++
 3 files changed, 32 insertions(+), 12 deletions(-)
 create mode 100644 assembly/src/release/conf/java.security

diff --git a/activemq-spring/src/main/java/org/apache/activemq/spring/SpringSslContext.java b/activemq-spring/src/main/java/org/apache/activemq/spring/SpringSslContext.java
index 57cc1d7334..42b7a15c21 100644
--- a/activemq-spring/src/main/java/org/apache/activemq/spring/SpringSslContext.java
+++ b/activemq-spring/src/main/java/org/apache/activemq/spring/SpringSslContext.java
@@ -21,6 +21,7 @@ import java.net.MalformedURLException;
 import java.security.KeyStore;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
+import java.security.Security;
 import java.security.cert.*;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -93,27 +94,25 @@ public class SpringSslContext extends SslContext {
     }
 
     private Collection createTrustManagers() throws Exception {
+        boolean ocsp = Boolean.valueOf(Security.getProperty("ocsp.enable"));
+
         KeyStore ks = createTrustManagerKeyStore();
         if( ks ==null ) {
             return new ArrayList(0);
         }
 
         TrustManagerFactory tmf = TrustManagerFactory.getInstance(trustStoreAlgorithm);
         boolean initialized = false;
-        if (crlPath != null) {
-            if (trustStoreAlgorithm.equalsIgnoreCase("PKIX")) {
+        if ((ocsp || crlPath != null) && trustStoreAlgorithm.equalsIgnoreCase("PKIX")) {
+            PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(ks, new X509CertSelector());
+            if (crlPath != null) {
+                pkixParams.setRevocationEnabled(true);
                 Collection crlList = loadCRL();
-                if (crlList != null) {
-                    PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(ks, null);
-                    pkixParams.setRevocationEnabled(true);
                     pkixParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crlList)));
-                    tmf.init(new CertPathTrustManagerParameters(pkixParams));
-                    initialized = true;
                 }
-
-            } else {
-                LOG.warn("Revocation checking is only supported with 'trustStoreAlgorithm=\"PKIX\"'. Ignoring CRL: " + crlPath);
             }
+            tmf.init(new CertPathTrustManagerParameters(pkixParams));
+            initialized = true;
         }
 
         if (!initialized) {
diff --git a/assembly/src/release/bin/env b/assembly/src/release/bin/env
index e467d7dcef..2b8431d94d 100644
--- a/assembly/src/release/bin/env
+++ b/assembly/src/release/bin/env
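Review bot: As rendered, the removed `if (crlList != null) {` leaves its closing `}` behind as a context line, so inside the new `if ((ocsp || crlPath != null) && ...)` block there are two opening braces but three closing ones before `tmf.init(...)`; unless this is an artifact of the collapsed patch the method will not compile, and the fix is to keep the guard as `if (crlList != null) { pkixParams.addCertStore(...); }`, which also keeps a null result from loadCRL() away from `new CollectionCertStoreParameters(crlList)`, which rejects null with a NullPointerException. The hunk also drops the LOG.warn for a non-PKIX trustStoreAlgorithm, so a configured crlPath or ocsp.enable=true is now ignored without any trace and the code falls through to the `!initialized` path, which presumably initialises the factory without revocation checking; keep an `else if (ocsp || crlPath != null) { LOG.warn("Revocation checking is only supported with 'trustStoreAlgorithm=\"PKIX\"'. Ignoring CRL/OCSP configuration."); }` branch so the silent downgrade is at least logged. When only OCSP is enabled, `setRevocationEnabled(true)` is never called and the code relies on PKIXParameters defaulting revocation checking to enabled, which deserves a one-line comment such as `// PKIXParameters enables revocation checking by default; the OCSP checker reads the ocsp.* security properties` so nobody "fixes" it later. The `!initialized` branch continues past the end of the hunk.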
@@ -82,8 +82,10 @@ if [ -z "$ACTIVEMQ_QUEUEMANAGERURL" ]; then
 fi
 
 # Set additional JSE arguments
-#ACTIVEMQ_SSL_OPTS="-Dcom.sun.security.enableCRLDP=true -Docsp.enable=true -Docsp.responderURL=http://ocsp.example.net:80"
-ACTIVEMQ_SSL_OPTS=""
+if [ -z "$ACTIVEMQ_SSL_OPTS" ] ; then
+    #ACTIVEMQ_SSL_OPTS="-Djava.security.properties=$ACTIVEMQ_CONF/java.security"
+    ACTIVEMQ_SSL_OPTS=""
+fi
 
 # Uncomment to enable remote debugging
 #ACTIVEMQ_DEBUG_OPTS="-Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5005"
diff --git a/assembly/src/release/conf/java.security b/assembly/src/release/conf/java.security
new file mode 100644
index 0000000000..86a0fd1bc8
--- /dev/null
+++ b/assembly/src/release/conf/java.security
@@ -0,0 +1,19 @@
+## ---------------------------------------------------------------------------
+## Licensed to the Apache Software Foundation (ASF) under one or more
+## contributor license agreements. See the NOTICE file distributed with
+## this work for additional information regarding copyright ownership.
+## The ASF licenses this file to You under the Apache License, Version 2.0
+## (the "License"); you may not use this file except in compliance with
+## the License. You may obtain a copy of the License at
+##
+## http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+## ---------------------------------------------------------------------------
+
+ocsp.enable=true
+ocsp.responderURL=http://ocsp.example.net:80
\ No newline at end of file
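Review bot: The commented example `#ACTIVEMQ_SSL_OPTS="-Djava.security.properties=$ACTIVEMQ_CONF/java.security"` relies on `$ACTIVEMQ_CONF` being set earlier in this script, which the hunk does not show; please confirm it is, or reference whichever conf-directory variable the rest of env uses. A single `=` in `-Djava.security.properties=` overlays the named file on the JDK's master java.security (and only while `security.overridePropertiesFile=true` is set there), whereas `==` replaces the master file outright; a comment such as `# a single '=' overrides only the keys listed in the file; '==' would replace the JDK defaults entirely` would stop operators from losing the JDK's default providers and algorithm restrictions. The previous example also carried `-Dcom.sun.security.enableCRLDP=true`, which has no equivalent in the new properties file because it is a system property rather than a security property; if CRL distribution-point checking is still a supported option, keep it as a second commented example here.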
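Review bot: `ocsp.responderURL=http://ocsp.example.net:80` is a placeholder that becomes active the moment this file is enabled, and because this property overrides the responder taken from each certificate's Authority Information Access extension, every handshake would be routed to a host that does not exist; ship the line commented out with `# Optional: overrides the responder URL from the certificate's AIA extension; leave unset to use the AIA URL` above it. With revocation enabled through PKIXBuilderParameters in SpringSslContext an unreachable responder fails the handshake rather than soft-failing, so a header line such as `# Enabling OCSP makes the broker depend on responder availability; an unreachable responder fails TLS handshakes` is worth adding. It would also help to state that only security properties belong in this file and that system properties such as com.sun.security.enableCRLDP must still be passed with -D, and the file should end with a newline.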