Posted to dev@activemq.apache.org by "Davy De Waele (JIRA)" <ji...@apache.org> on 2014/12/22 14:22:13 UTC

[jira] [Updated] (AMQ-5495) ActiveMQSslConnectionFactory should support different keystore and key passwords

     [ https://issues.apache.org/jira/browse/AMQ-5495?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Davy De Waele updated AMQ-5495:
-------------------------------
    Description: 
The current ActiveMQSslConnectionFactory allows us to specify

- trustStore
- trustStorePassword
- keyStore
- keyStorePassword

In case the passphrase of the key contained in the keystore is different from the password of the keystore itself this connection factory cannot be used.

What we're missing is the following field

- keyStoreKeyPassword

In the ActiveMQ configuration such a setup is supported (via the [SpringSslContext|https://svn.apache.org/repos/asf/activemq/trunk/activemq-spring/src/main/java/org/apache/activemq/spring/SpringSslContext.java]), however for accessing ActiveMQ via the ActiveMQSslConnectionFactory it is not.

Adding a keyStoreKeyPassword field and changing the createKeyManager slightly would fix this:

{noformat}
    protected KeyManager[] createKeyManager() throws Exception {
    	
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        KeyStore ks = KeyStore.getInstance("jks");
        KeyManager[] keystoreManagers = null;
        if (keyStore != null) {
            byte[] sslCert = loadClientCredential(keyStore);

            if (sslCert != null && sslCert.length > 0) {
                ByteArrayInputStream bin = new ByteArrayInputStream(sslCert);
                ks.load(bin, keyStorePassword.toCharArray());
                kmf.init(ks, keyStoreKeyPassword !=null ? keyStoreKeyPassword.toCharArray() : keyStorePassword.toCharArray());
                keystoreManagers = kmf.getKeyManagers();
            }
        }
        return keystoreManagers;
    }
{noformat}

  was:
The current ActiveMQSslConnectionFactory allows us to specify

- trustStore
- trustStorePassword
- keyStore
- keyStorePassword

In case the passphrase of the key contained in the keystore is different from the password of the keystore itself this connection factory cannot be used.

What we're missing is the following field

- keyStoreKeyPassword

In the ActiveMQ configuration such a setup is supported (via the SpringSslContext), however for accessing ActiveMQ via the ActiveMQSslConnectionFactory it is not.

Adding a keyStoreKeyPassword field and changing the createKeyManager slightly would fix this:

{noformat}
    protected KeyManager[] createKeyManager() throws Exception {
    	
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        KeyStore ks = KeyStore.getInstance("jks");
        KeyManager[] keystoreManagers = null;
        if (keyStore != null) {
            byte[] sslCert = loadClientCredential(keyStore);

            if (sslCert != null && sslCert.length > 0) {
                ByteArrayInputStream bin = new ByteArrayInputStream(sslCert);
                ks.load(bin, keyStorePassword.toCharArray());
                kmf.init(ks, keyStoreKeyPassword !=null ? keyStoreKeyPassword.toCharArray() : keyStorePassword.toCharArray());
                keystoreManagers = kmf.getKeyManagers();
            }
        }
        return keystoreManagers;
    }
{noformat}


> ActiveMQSslConnectionFactory should support different keystore and key passwords
> --------------------------------------------------------------------------------
>
>                 Key: AMQ-5495
>                 URL: https://issues.apache.org/jira/browse/AMQ-5495
>             Project: ActiveMQ
>          Issue Type: Improvement
>          Components: Broker
>    Affects Versions: 5.10.0
>            Reporter: Davy De Waele
>
> The current ActiveMQSslConnectionFactory allows us to specify
> - trustStore
> - trustStorePassword
> - keyStore
> - keyStorePassword
> In case the passphrase of the key contained in the keystore is different from the password of the keystore itself this connection factory cannot be used.
> What we're missing is the following field
> - keyStoreKeyPassword
> In the ActiveMQ configuration such a setup is supported (via the [SpringSslContext|https://svn.apache.org/repos/asf/activemq/trunk/activemq-spring/src/main/java/org/apache/activemq/spring/SpringSslContext.java]), however for accessing ActiveMQ via the ActiveMQSslConnectionFactory it is not.
> Adding a keyStoreKeyPassword field and changing the createKeyManager slightly would fix this:
> {noformat}
>     protected KeyManager[] createKeyManager() throws Exception {
>     	
>         KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
>         KeyStore ks = KeyStore.getInstance("jks");
>         KeyManager[] keystoreManagers = null;
>         if (keyStore != null) {
>             byte[] sslCert = loadClientCredential(keyStore);
>             if (sslCert != null && sslCert.length > 0) {
>                 ByteArrayInputStream bin = new ByteArrayInputStream(sslCert);
>                 ks.load(bin, keyStorePassword.toCharArray());
>                 kmf.init(ks, keyStoreKeyPassword !=null ? keyStoreKeyPassword.toCharArray() : keyStorePassword.toCharArray());
>                 keystoreManagers = kmf.getKeyManagers();
>             }
>         }
>         return keystoreManagers;
>     }
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
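
The store-password versus key-password distinction described in this issue, shown as an added example that is not part of the original message or of ActiveMQ's code. It builds a JKS keystore with `keytool` using different `-storepass` and `-keypass` values, then initialises a `KeyManagerFactory` first with the store password and then with the key password. The class name, helper names, alias and passwords are constructed for illustration, and it assumes a JDK whose `bin/keytool` is available.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.net.ssl.KeyManagerFactory;

public class KeyPasswordDemo {
    // Same selection rule as the proposed createKeyManager(): use the key
    // password when one is set, otherwise fall back to the store password.
    static char[] keyPass(String storePassword, String keyPassword) {
        return (keyPassword != null ? keyPassword : storePassword).toCharArray();
    }

    // SunX509 decrypts every private key entry during init(), so a password
    // that does not match the key entry surfaces here, not at handshake time.
    static boolean initSucceeds(KeyStore ks, char[] password) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        try {
            kmf.init(ks, password);
            return kmf.getKeyManagers().length > 0;
        } catch (UnrecoverableKeyException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String storePassword = "store-secret";   // constructed sample values
        String keyPassword = "key-secret";
        Path dir = Files.createTempDirectory("amq5495");
        Path jks = dir.resolve("client.jks");
        // Create a JKS keystore whose key entry has its own password.
        String keytool = Paths.get(System.getProperty("java.home"), "bin", "keytool").toString();
        Process p = new ProcessBuilder(keytool, "-genkeypair", "-alias", "client",
                "-keyalg", "RSA", "-keysize", "2048", "-dname", "CN=client",
                "-storetype", "JKS", "-keystore", jks.toString(),
                "-storepass", storePassword, "-keypass", keyPassword).inheritIO().start();
        if (p.waitFor() != 0) throw new IllegalStateException("keytool failed");

        KeyStore ks = KeyStore.getInstance("jks");
        try (InputStream in = Files.newInputStream(jks)) {
            ks.load(in, storePassword.toCharArray());  // store password only opens the store
        }
        System.out.println("store password only: " + initSucceeds(ks, keyPass(storePassword, null)));
        System.out.println("with key password:   " + initSucceeds(ks, keyPass(storePassword, keyPassword)));
        Files.delete(jks);
        Files.delete(dir);
    }
}
```

The same check is useful when diagnosing a client that loads its keystore without error but still cannot present a certificate: `ks.load` succeeding says nothing about whether the key entry's password is correct.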