Posted to commits@qpid.apache.org by rg...@apache.org on 2015/06/03 18:22:36 UTC
svn commit: r1683385 - in /qpid/java/trunk:
broker-core/src/main/java/org/apache/qpid/server/security/
client/src/main/java/org/apache/qpid/client/
client/src/main/java/org/apache/qpid/jms/
common/src/main/java/org/apache/qpid/transport/ doc/book/src/j...
Author: rgodfrey
Date: Wed Jun 3 16:22:35 2015
New Revision: 1683385
URL: http://svn.apache.org/r1683385
Log:
QPID-6552 : [Java Client] Allow client to use certificate file for TLS trust store
Modified:
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/NonJavaTrustStoreImpl.java
qpid/java/trunk/client/src/main/java/org/apache/qpid/client/AMQBrokerDetails.java
qpid/java/trunk/client/src/main/java/org/apache/qpid/jms/BrokerDetails.java
qpid/java/trunk/common/src/main/java/org/apache/qpid/transport/ConnectionSettings.java
qpid/java/trunk/doc/book/src/jms-client-0-8/JMS-Client-Connection-URL.xml
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/NonJavaTrustStoreImpl.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/NonJavaTrustStoreImpl.java?rev=1683385&r1=1683384&r2=1683385&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/NonJavaTrustStoreImpl.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/NonJavaTrustStoreImpl.java Wed Jun 3 16:22:35 2015
@@ -65,6 +65,7 @@ import org.apache.qpid.server.model.Trus
import org.apache.qpid.server.model.VirtualHost;
import org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManager;
import org.apache.qpid.server.util.urlstreamhandler.data.Handler;
+import org.apache.qpid.transport.network.security.ssl.SSLUtil;
@ManagedObject( category = false )
public class NonJavaTrustStoreImpl
@@ -176,7 +177,7 @@ public class NonJavaTrustStoreImpl
{
try
{
- return readCertificates(getUrlFromString(getCertificatesUrl()));
+ return SSLUtil.readCertificates(getUrlFromString(getCertificatesUrl()));
}
catch (IOException e)
{
@@ -261,7 +262,7 @@ public class NonJavaTrustStoreImpl
{
try
{
- readCertificates(getUrlFromString(keyStore.getCertificatesUrl()));
+ SSLUtil.readCertificates(getUrlFromString(keyStore.getCertificatesUrl()));
}
catch (IOException | GeneralSecurityException e)
{
@@ -276,7 +277,7 @@ public class NonJavaTrustStoreImpl
{
if (_certificatesUrl != null)
{
- X509Certificate[] certs = readCertificates(getUrlFromString(_certificatesUrl));
+ X509Certificate[] certs = SSLUtil.readCertificates(getUrlFromString(_certificatesUrl));
java.security.KeyStore inMemoryKeyStore = java.security.KeyStore.getInstance(java.security.KeyStore.getDefaultType());
inMemoryKeyStore.load(null, null);
@@ -318,27 +319,6 @@ public class NonJavaTrustStoreImpl
return url;
}
- public static X509Certificate[] readCertificates(URL certFile)
- throws IOException, GeneralSecurityException
- {
- List<X509Certificate> crt = new ArrayList<>();
- try (InputStream is = certFile.openStream())
- {
- do
- {
- CertificateFactory cf = CertificateFactory.getInstance("X.509");
- crt.add( (X509Certificate) cf.generateCertificate(is));
- } while(is.available() != 0);
- }
- catch(CertificateException e)
- {
- if(crt.isEmpty())
- {
- throw e;
- }
- }
- return crt.toArray(new X509Certificate[crt.size()]);
- }
@Override
public boolean isExposedAsMessageSource()
Modified: qpid/java/trunk/client/src/main/java/org/apache/qpid/client/AMQBrokerDetails.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/client/src/main/java/org/apache/qpid/client/AMQBrokerDetails.java?rev=1683385&r1=1683384&r2=1683385&view=diff
==============================================================================
--- qpid/java/trunk/client/src/main/java/org/apache/qpid/client/AMQBrokerDetails.java (original)
+++ qpid/java/trunk/client/src/main/java/org/apache/qpid/client/AMQBrokerDetails.java Wed Jun 3 16:22:35 2015
@@ -496,6 +496,11 @@ public class AMQBrokerDetails implements
getProperty(BrokerDetails.OPTIONS_CLIENT_CERT_INTERMEDIARY_CERT_PATH));
}
+ if (getProperty(BrokerDetails.OPTIONS_TRUSTED_CERTIFICATES_PATH) != null)
+ {
+ conSettings.setTrustedCertificatesFile(
+ getProperty(BrokerDetails.OPTIONS_TRUSTED_CERTIFICATES_PATH));
+ }
// ----------------------------
boolean defaultSSLVerifyHostName = Boolean.parseBoolean(
Modified: qpid/java/trunk/client/src/main/java/org/apache/qpid/jms/BrokerDetails.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/client/src/main/java/org/apache/qpid/jms/BrokerDetails.java?rev=1683385&r1=1683384&r2=1683385&view=diff
==============================================================================
--- qpid/java/trunk/client/src/main/java/org/apache/qpid/jms/BrokerDetails.java (original)
+++ qpid/java/trunk/client/src/main/java/org/apache/qpid/jms/BrokerDetails.java Wed Jun 3 16:22:35 2015
@@ -53,6 +53,7 @@ public interface BrokerDetails
String OPTIONS_CLIENT_CERT_PRIV_KEY_PATH = "client_cert_priv_key_path";
String OPTIONS_CLIENT_CERT_PATH = "client_cert_path";
String OPTIONS_CLIENT_CERT_INTERMEDIARY_CERT_PATH = "client_cert_intermediary_cert_path" ;
+ String OPTIONS_TRUSTED_CERTIFICATES_PATH = "trusted_certs_path";
public static final int DEFAULT_PORT = 5672;
Modified: qpid/java/trunk/common/src/main/java/org/apache/qpid/transport/ConnectionSettings.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/common/src/main/java/org/apache/qpid/transport/ConnectionSettings.java?rev=1683385&r1=1683384&r2=1683385&view=diff
==============================================================================
--- qpid/java/trunk/common/src/main/java/org/apache/qpid/transport/ConnectionSettings.java (original)
+++ qpid/java/trunk/common/src/main/java/org/apache/qpid/transport/ConnectionSettings.java Wed Jun 3 16:22:35 2015
@@ -46,6 +46,7 @@ import java.security.GeneralSecurityExce
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.SecureRandom;
+import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
@@ -107,6 +108,7 @@ public class ConnectionSettings
private String _clientCertificatePrivateKeyPath;
private String _clientCertificatePath;
private String _clientCertificateIntermediateCertsPath;
+ private String _trustedCertificatesFile;
// SASL props
private String saslMechs = System.getProperty("qpid.sasl_mechs", null);
@@ -449,6 +451,16 @@ public class ConnectionSettings
_clientCertificateIntermediateCertsPath = clientCertificateIntermediateCertsPath;
}
+ public String getTrustedCertificatesFile()
+ {
+ return _trustedCertificatesFile;
+ }
+
+ public void setTrustedCertificatesFile(final String trustedCertificatesFile)
+ {
+ _trustedCertificatesFile = trustedCertificatesFile;
+ }
+
public int getConnectTimeout()
{
return connectTimeout;
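Review bot: The new `getTrustedCertificatesFile`/`setTrustedCertificatesFile` pair carries no Javadoc, and the neighbouring accessors give no hint that this setting is only consulted when no trust store path is configured (that precedence is decided in `getTrustManagers()` further down in this file). I would add a one-line Javadoc to the setter, e.g. `/** Path to a PEM/DER file of trusted peer certificates; only used when no trust store path is set. */`, so a caller who sets both does not have to read the trust-manager logic to learn which one wins.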
@@ -503,13 +515,22 @@ public class ConnectionSettings
public TrustManager[] getTrustManagers()
throws GeneralSecurityException, IOException
{
- final TrustManager[] trustManagers;
- trustManagers =
- SSLContextFactory.getTrustManagers(getTrustStorePath(),
- getTrustStorePassword(),
- getTrustStoreType(),
- getTrustManagerFactoryAlgorithm());
- return trustManagers;
+ if(getTrustStorePath() != null)
+ {
+ return SSLContextFactory.getTrustManagers(getTrustStorePath(),
+ getTrustStorePassword(),
+ getTrustStoreType(),
+ getTrustManagerFactoryAlgorithm());
+ }
+ else if(getTrustedCertificatesFile() != null)
+ {
+ return getTrustManagers(getTrustedCertificatesFile());
+ }
+ else
+ {
+ return null;
+ }
+
}
private KeyManager[] getKeyManagers(String privateKeyFile,
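Review bot: The new `if`/`else if` chain silently ignores `trusted_certs_path` whenever a trust store path is also configured, so a connection URL that sets both will trust the store and never the certificate file, with no log line or error to say so. Since this is the trust decision for the TLS session, I would make the conflict explicit at the top of the method: `if (getTrustStorePath() != null && getTrustedCertificatesFile() != null) {` / `throw new IllegalArgumentException("Specify either a trust store or a trusted certificates file, not both");` / `}` (or at least log the precedence). The final `return null` is also new: the old code always delegated to `SSLContextFactory.getTrustManagers`, so if that helper did something other than return null for a null path, callers that now receive null will fall through to the JDK default trust managers — worth confirming against the callers of `getTrustManagers()`. The stray blank line before the closing brace could go as well.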
@@ -517,12 +538,6 @@ public class ConnectionSettings
String intermediateFile,
String keyManagerFactoryAlgorithm) throws GeneralSecurityException, IOException
{
- System.err.println("**** RG : in getKeyManagers[] privateKey: "
- + privateKeyFile
- + " ; certFile: "
- + certFile
- + " ; intermediate: "
- + intermediateFile);
try (FileInputStream privateKeyStream = new FileInputStream(privateKeyFile);
FileInputStream certFileStream = new FileInputStream(certFile))
{
@@ -537,7 +552,6 @@ public class ConnectionSettings
certs = allCerts.toArray(new X509Certificate[allCerts.size()]);
}
}
- System.err.println("*** RG : cert count - " + certs.length);
java.security.KeyStore inMemoryKeyStore =
java.security.KeyStore.getInstance(java.security.KeyStore.getDefaultType());
@@ -555,4 +569,26 @@ public class ConnectionSettings
keyManagerFactoryAlgorithm)};
}
}
+
+ private TrustManager[] getTrustManagers(String certFile) throws GeneralSecurityException, IOException
+ {
+ try(FileInputStream input = new FileInputStream(certFile))
+ {
+ X509Certificate[] certs = SSLUtil.readCertificates(input);
+ java.security.KeyStore inMemoryKeyStore =
+ java.security.KeyStore.getInstance(java.security.KeyStore.getDefaultType());
+
+ inMemoryKeyStore.load(null, null);
+ int i = 1;
+ for (Certificate cert : certs)
+ {
+ inMemoryKeyStore.setCertificateEntry(String.valueOf(i++), cert);
+ }
+
+
+ TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+ tmf.init(inMemoryKeyStore);
+ return tmf.getTrustManagers();
+ }
+ }
}
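Review bot: The certificate-file branch builds its `TrustManagerFactory` with `TrustManagerFactory.getDefaultAlgorithm()`, while the trust-store branch in `getTrustManagers()` above passes `getTrustManagerFactoryAlgorithm()` through to `SSLContextFactory`, so a configured trust manager factory algorithm is honoured for one trust source and ignored for the other. I would use `TrustManagerFactory.getInstance(getTrustManagerFactoryAlgorithm())` here for consistency (falling back to the default if that accessor can return null — I cannot see its definition in this hunk). Two further things to confirm against `SSLUtil.readCertificates`: whether an empty or malformed file throws rather than returning an empty array (the method deleted from `NonJavaTrustStoreImpl` in this commit threw `CertificateException` only when it had read no certificates at all), because initialising a `TrustManagerFactory` from an empty in-memory key store can fail or produce a trust manager that rejects every peer. Finally, the private overload shares the name `getTrustManagers` with the public no-arg method despite taking a file path; a name such as `getTrustManagersFromCertificateFile` plus a short Javadoc would make the two trust sources easier to tell apart.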
Modified: qpid/java/trunk/doc/book/src/jms-client-0-8/JMS-Client-Connection-URL.xml
URL: http://svn.apache.org/viewvc/qpid/java/trunk/doc/book/src/jms-client-0-8/JMS-Client-Connection-URL.xml?rev=1683385&r1=1683384&r2=1683385&view=diff
==============================================================================
--- qpid/java/trunk/doc/book/src/jms-client-0-8/JMS-Client-Connection-URL.xml (original)
+++ qpid/java/trunk/doc/book/src/jms-client-0-8/JMS-Client-Connection-URL.xml Wed Jun 3 16:22:35 2015
@@ -277,6 +277,13 @@
<entry> String </entry>
<entry> Trust store password. Password used to open the trust store. </entry>
</row>
+ <row id="JMS-Client-0-8-Connection-URL-BrokerOptions-TrustedCertsPath">
+ <entry> trusted_certs_path </entry>
+ <entry> String </entry>
+ <entry> Path to a file containing trusted peer certificates(in PEM or DER format).
+ Used when supplying the trust information for TLS client auth using PEM/DER
+ files rather than a Java KeyStore. </entry>
+ </row>
<row id="JMS-Client-0-8-Connection-URL-BrokerOptions-KeyStore">
<entry> key_store </entry>
<entry> String </entry>