Posted to notifications@james.apache.org by bt...@apache.org on 2021/09/08 03:08:02 UTC
[james-project] branch master updated: JAMES-3638 Allow use PKCS12 keystore for SSL (#625)
This is an automated email from the ASF dual-hosted git repository.
btellier pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/james-project.git
The following commit(s) were added to refs/heads/master by this push:
new 3c8bc55 JAMES-3638 Allow use PKCS12 keystore for SSL (#625)
3c8bc55 is described below
commit 3c8bc556c27341e4343660f7692b0dd1c7ea5067
Author: Benoit TELLIER <bt...@linagora.com>
AuthorDate: Wed Sep 8 10:07:58 2021 +0700
JAMES-3638 Allow use PKCS12 keystore for SSL (#625)
In this thread we discuss enhancements to the IMAP/POP3/SMTP cryptography: https://www.mail-archive.com/server-dev@james.apache.org/msg70772.html
The need for alternatives to the JKS keystore format was expressed and support for the PKCS12 format was requested.
---
.../servers/pages/distributed/configure/imap.adoc | 2 +-
.../servers/pages/distributed/configure/pop3.adoc | 2 +-
.../servers/pages/distributed/configure/smtp.adoc | 2 +-
.../servers/pages/distributed/configure/ssl.adoc | 20 +++++--
.../sample-configuration/imapserver.xml | 8 ++-
.../sample-configuration/pop3server.xml | 3 +-
.../sample-configuration/smtpserver.xml | 12 ++++
.../sample-configuration/imapserver.xml | 8 ++-
.../sample-configuration/pop3server.xml | 3 +-
.../sample-configuration/smtpserver.xml | 12 ++++
.../jpa-app/sample-configuration/imapserver.xml | 8 ++-
.../jpa-app/sample-configuration/pop3server.xml | 3 +-
.../jpa-app/sample-configuration/smtpserver.xml | 12 ++++
.../sample-configuration/smtpserver.xml | 12 ++++
.../memory-app/sample-configuration/imapserver.xml | 8 ++-
.../memory-app/sample-configuration/pop3server.xml | 3 +-
.../memory-app/sample-configuration/smtpserver.xml | 12 ++++
.../spring-app/src/main/resources/imapserver.xml | 9 +--
.../spring-app/src/main/resources/pop3server.xml | 3 +-
.../spring-app/src/main/resources/smtpserver.xml | 19 ++++---
.../org/apache/james/jmap/draft/JMAPModule.java | 1 +
.../apache/james/modules/TestJMAPServerModule.java | 1 +
.../james/jmap/draft/JMAPDraftConfiguration.java | 17 +++++-
.../james/jmap/draft/crypto/SecurityKeyLoader.java | 4 +-
.../jmap/draft/JMAPDraftConfigurationTest.java | 2 +-
.../james/imapserver/netty/IMAPServerTest.java | 62 ++++++++++++++++++++-
.../src/test/resources/imapServerSslDefaultJKS.xml | 10 ++++
.../src/test/resources/imapServerSslJKS.xml | 11 ++++
.../test/resources/imapServerSslJKSBadPassword.xml | 11 ++++
.../test/resources/imapServerSslJKSNotFound.xml | 11 ++++
.../src/test/resources/imapServerSslNoKeys.xml | 7 +++
.../src/test/resources/imapServerSslPKCS12.xml | 11 ++++
.../resources/imapServerSslPKCS12WrongPassword.xml | 10 ++++
.../src/test/resources/keystore.jks | Bin 0 -> 2581 bytes
.../src/test/resources/keystore.p12 | Bin 0 -> 2581 bytes
.../lib/netty/AbstractConfigurableAsyncServer.java | 4 +-
src/site/xdoc/server/config-imap4.xml | 2 +-
src/site/xdoc/server/config-pop3.xml | 2 +-
src/site/xdoc/server/config-smtp-lmtp.xml | 2 +-
src/site/xdoc/server/config-ssl-tls.xml | 15 ++++-
40 files changed, 294 insertions(+), 50 deletions(-)
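Review bot: keystore.jks and keystore.p12 are both reported as `Bin 0 -> 2581 bytes`; an identical byte count for two different container formats is unusual enough to warrant checking that the .p12 resource really is a PKCS12 store rather than a second copy of the JKS file (`cmp keystore.jks keystore.p12` should report a difference; a JKS file begins with the magic bytes FE ED FE ED, a PKCS12 file with a DER SEQUENCE byte 0x30). The new IMAP test resources also mix naming styles (`imapServerSslJKSBadPassword.xml` vs `imapServerSslPKCS12WrongPassword.xml`); pick one.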
diff --git a/docs/modules/servers/pages/distributed/configure/imap.adoc b/docs/modules/servers/pages/distributed/configure/imap.adoc
index 99f9fb2..01ba320 100644
--- a/docs/modules/servers/pages/distributed/configure/imap.adoc
+++ b/docs/modules/servers/pages/distributed/configure/imap.adoc
@@ -68,7 +68,7 @@ will be closed. Negative value disable this behaviour.
| tls
| Set to true to support STARTTLS or SSL for the Socket.
To use this you need to copy sunjce_provider.jar to /path/james/lib directory. To create a new keystore execute:
-`keytool -genkey -alias james -keyalg RSA -keystore /path/to/james/conf/keystore`.
+`keytool -genkey -alias james -keyalg RSA -storetype PKCS12 -keystore /path/to/james/conf/keystore`.
Please note that each IMAP server exposed on different port can specify its own keystore, independently from any other
TLS based protocols.
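Review bot: the row now tells users to generate a PKCS12 store but says nothing about the new `<keystoreType>` element, and per the ssl.adoc change the default stays `JKS`; a reader following only this page ends up depending on the JDK's keystore.type.compat fallback to open a PKCS12 file as JKS instead of configuring the type explicitly. Add `<keystoreType>PKCS12</keystoreType>` next to the command, or point at the SSL page as pop3.adoc does. The sunjce_provider.jar sentence in the unchanged context is also long out of date (the SunJCE provider ships with the JDK) and could be dropped while this row is being edited.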
diff --git a/docs/modules/servers/pages/distributed/configure/pop3.adoc b/docs/modules/servers/pages/distributed/configure/pop3.adoc
index 1f8cdfd..73114c4 100644
--- a/docs/modules/servers/pages/distributed/configure/pop3.adoc
+++ b/docs/modules/servers/pages/distributed/configure/pop3.adoc
@@ -33,7 +33,7 @@ port 110 is the well-known/IANA registered port for Standard POP3
| tls
| Set to true to support STARTTLS or SSL for the Socket.
To create a new keystore execute:
-`keytool -genkey -alias james -keyalg RSA -keystore /path/to/james/conf/keystore`
+`keytool -genkey -alias james -keyalg RSA -storetype PKCS12 -keystore /path/to/james/conf/keystore`
Please note that each POP3 server exposed on different port can specify its own keystore, independently from any other
TLS based protocols. Read xref:distributed/configure/ssl.adoc[SSL configuration page] for more information.
diff --git a/docs/modules/servers/pages/distributed/configure/smtp.adoc b/docs/modules/servers/pages/distributed/configure/smtp.adoc
index 465a1ad..17eed15 100644
--- a/docs/modules/servers/pages/distributed/configure/smtp.adoc
+++ b/docs/modules/servers/pages/distributed/configure/smtp.adoc
@@ -32,7 +32,7 @@ Port 465 is the well-known/IANA registered port for SMTP over TLS.
| tls
| Set to true to support STARTTLS or SSL for the Socket.
To use this you need to copy sunjce_provider.jar to /path/james/lib directory. To create a new keystore execute:
-`keytool -genkey -alias james -keyalg RSA -keystore /path/to/james/conf/keystore`.
+`keytool -genkey -alias james -keyalg RSA -storetype PKCS12 -keystore /path/to/james/conf/keystore`.
The algorithm is optional and only needs to be specified when using something other
than the Sun JCE provider - You could use IbmX509 with IBM Java runtime.
Please note that each SMTP/LMTP server exposed on different port can specify its own keystore, independently from any other
diff --git a/docs/modules/servers/pages/distributed/configure/ssl.adoc b/docs/modules/servers/pages/distributed/configure/ssl.adoc
index ffc6211..83c6d7f 100644
--- a/docs/modules/servers/pages/distributed/configure/ssl.adoc
+++ b/docs/modules/servers/pages/distributed/configure/ssl.adoc
@@ -21,8 +21,9 @@ for TLS 1.0 which, as a result, is sometimes referred to as SSL 3.1.
You need to add a block in the corresponding configuration file (smtpserver.xml, pop3server.xml, imapserver.xml,..)
....
-<tls socketTLS="false" startTLS="false">
+<tls socketTLS="false" startTLS="true">
<keystore>file://conf/keystore</keystore>
+ <keystoreType>PKCS12</keystoreType>
<secret>yoursecret</secret>
<provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
</tls>
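Review bot: `startTLS` flips from `false` to `true` in this example, which is unrelated to the PKCS12 change and is not mentioned in the surrounding text; either split it out or state that the example now opts into STARTTLS. For `<keystoreType>`, the page should say which values are accepted (whatever `KeyStore.getInstance` resolves with the configured providers, `JKS` and `PKCS12` being the ones this commit tests) and that the value must match the format the `keytool -storetype` command produced.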
@@ -53,6 +54,17 @@ It is also recommended to change the port number on which the service will liste
You will now need to create your certificate store and place it in the james/conf/ folder with the name you defined in the keystore tag.
+Please note `JKS` keystore format is also supported (default value if no keystore type is specified):
+
+....
+<tls socketTLS="false" startTLS="true">
+ <keystore>file://conf/keystore</keystore>
+ <keystoreType>JKS</keystoreType>
+ <secret>yoursecret</secret>
+ <provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
+</tls>
+....
+
== Certificate Keystores
To use TLS/SSL inside James you will need a certificate keystore.
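Review bot: the JKS note should say which format to prefer rather than merely listing both: JKS is a proprietary, Java-only container, PKCS12 has been the JDK's default keystore type since Java 9, and current `keytool` prints a migration warning whenever it creates a JKS store. Suggested wording: "`JKS` is still accepted and remains the default when `<keystoreType>` is omitted, for backward compatibility; new deployments should use `PKCS12`."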
@@ -62,8 +74,8 @@ To use TLS/SSL inside James you will need a certificate keystore.
(Adapted from the Tomcat 4.1 documentation)
-James currently operates only on JKS format keystores. This is Java's standard "Java KeyStore" format, and is the format
-created by the keytool command-line utility. This tool is included in the JDK.
+James currently operates only on JKS or PKCS12 format keystores. This is Java's standard "Java KeyStore" format, and is
+the format created by the keytool command-line utility. This tool is included in the JDK.
To import an existing certificate into a JKS keystore, please read the documentation (in your JDK documentation package)
about keytool.
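Review bot: the rewritten sentence is now inaccurate: after "JKS or PKCS12", the following "This is Java's standard "Java KeyStore" format" applies only to JKS. PKCS12 is the vendor-neutral container defined in RFC 7292, the one OpenSSL and other tooling can read and write. Suggested wording: "James accepts JKS (Java's proprietary "Java KeyStore" format) and PKCS12 (the standard container defined in RFC 7292) keystores. Both can be created and managed with the keytool utility shipped with the JDK." The next paragraph, "To import an existing certificate into a JKS keystore", needs the same update.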
@@ -72,7 +84,7 @@ To create a new keystore from scratch, containing a single self-signed Certifica
command line:
....
-keytool -genkey -alias james -keyalg RSA -keystore your_keystore_filename
+keytool -genkey -alias james -keyalg RSA -storetype PKCS12 -keystore your_keystore_filename
....
(The RSA algorithm should be preferred as a secure algorithm, and this also ensures general compatibility with other
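Review bot: `-genkey` is the legacy name of `-genkeypair`; since the command is being touched anyway, use the current name and pin the parameters a copy-pasted command otherwise leaves to keytool defaults, e.g. `keytool -genkeypair -alias james -keyalg RSA -keysize 2048 -validity 365 -storetype PKCS12 -keystore your_keystore_filename`. Worth a sentence as well: keytool does not support distinct store and key passwords for PKCS12 stores (it warns and ignores `-keypass`), whereas JKS allows them to differ, so a JKS store converted with `keytool -importkeystore` may need its key password aligned with the value given in `<secret>`.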
diff --git a/server/apps/cassandra-app/sample-configuration/imapserver.xml b/server/apps/cassandra-app/sample-configuration/imapserver.xml
index e9208cf..87d4c4d 100644
--- a/server/apps/cassandra-app/sample-configuration/imapserver.xml
+++ b/server/apps/cassandra-app/sample-configuration/imapserver.xml
@@ -28,9 +28,10 @@ under the License.
<connectionBacklog>200</connectionBacklog>
<tls socketTLS="false" startTLS="true">
<!-- To create a new keystore execute:
- keytool -genkey -alias james -keyalg RSA -keystore /path/to/james/conf/keystore
- -->
+ keytool -genkey -alias james -keyalg RSA -storetype PKCS12 -keystore /path/to/james/conf/keystore
+ -->
<keystore>file://conf/keystore</keystore>
+ <keystoreType>PKCS12</keystoreType>
<secret>james72laBalle</secret>
<provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
</tls>
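Review bot: the `-->` line is removed and re-added with only its indentation changed (the second hunk in this file leaves it alone); drop the whitespace-only churn so the diff shows just the two real changes. The same noise is repeated in the distributed-app, jpa-app and memory-app copies of imapserver.xml.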
@@ -47,9 +48,10 @@ under the License.
<connectionBacklog>200</connectionBacklog>
<tls socketTLS="true" startTLS="false">
<!-- To create a new keystore execute:
- keytool -genkey -alias james -keyalg RSA -keystore /path/to/james/conf/keystore
+ keytool -genkey -alias james -keyalg RSA -storetype PKCS12 -keystore /path/to/james/conf/keystore
-->
<keystore>file://conf/keystore</keystore>
+ <keystoreType>PKCS12</keystoreType>
<secret>james72laBalle</secret>
<provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
</tls>
diff --git a/server/apps/cassandra-app/sample-configuration/pop3server.xml b/server/apps/cassandra-app/sample-configuration/pop3server.xml
index 10a2e08..16809bb 100644
--- a/server/apps/cassandra-app/sample-configuration/pop3server.xml
+++ b/server/apps/cassandra-app/sample-configuration/pop3server.xml
@@ -27,9 +27,10 @@
<connectionBacklog>200</connectionBacklog>
<tls socketTLS="false" startTLS="false">
<!-- To create a new keystore execute:
- keytool -genkey -alias james -keyalg RSA -keystore /path/to/james/conf/keystore
+ keytool -genkey -alias james -keyalg RSA -storetype PKCS12 -keystore /path/to/james/conf/keystore
-->
<keystore>file://conf/keystore</keystore>
+ <keystoreType>PKCS12</keystoreType>
<secret>james72laBalle</secret>
<provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
</tls>
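Review bot: this block now carries a complete keystore configuration under `<tls socketTLS="false" startTLS="false">`, so TLS stays off and the keystore is never loaded. If the sample is meant to be usable as shipped, set `startTLS="true"` here (or add a `socketTLS="true"` listener on 995); otherwise the "To create a new keystore" comment is misleading. Applies to the identical pop3server.xml copies in the other app modules.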
diff --git a/server/apps/cassandra-app/sample-configuration/smtpserver.xml b/server/apps/cassandra-app/sample-configuration/smtpserver.xml
index 9200f23..f5e832d 100644
--- a/server/apps/cassandra-app/sample-configuration/smtpserver.xml
+++ b/server/apps/cassandra-app/sample-configuration/smtpserver.xml
@@ -27,7 +27,11 @@
<bind>0.0.0.0:25</bind>
<connectionBacklog>200</connectionBacklog>
<tls socketTLS="false" startTLS="false">
+ <!-- To create a new keystore execute:
+ keytool -genkey -alias james -keyalg RSA -storetype PKCS12 -keystore /path/to/james/conf/keystore
+ -->
<keystore>file://conf/keystore</keystore>
+ <keystoreType>PKCS12</keystoreType>
<secret>james72laBalle</secret>
<provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
<algorithm>SunX509</algorithm>
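Review bot: same pattern on the port 25 listener: `socketTLS="false" startTLS="false"` together with a configured keystore means no STARTTLS is advertised on the MTA-to-MTA port. Since every listener in the sample now ships a keystore, enable `startTLS="true"` on 25 so opportunistic TLS (RFC 3207) is offered to peers, leaving the 465 and 587 blocks as they are. Applies to the identical smtpserver.xml copies in the other app modules.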
@@ -51,7 +55,11 @@
<bind>0.0.0.0:465</bind>
<connectionBacklog>200</connectionBacklog>
<tls socketTLS="true" startTLS="false">
+ <!-- To create a new keystore execute:
+ keytool -genkey -alias james -keyalg RSA -storetype PKCS12 -keystore /path/to/james/conf/keystore
+ -->
<keystore>file://conf/keystore</keystore>
+ <keystoreType>PKCS12</keystoreType>
<secret>james72laBalle</secret>
<provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
<algorithm>SunX509</algorithm>
@@ -79,7 +87,11 @@
<bind>0.0.0.0:587</bind>
<connectionBacklog>200</connectionBacklog>
<tls socketTLS="false" startTLS="true">
+ <!-- To create a new keystore execute:
+ keytool -genkey -alias james -keyalg RSA -storetype PKCS12 -keystore /path/to/james/conf/keystore
+ -->
<keystore>file://conf/keystore</keystore>
+ <keystoreType>PKCS12</keystoreType>
<secret>james72laBalle</secret>
<provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
<algorithm>SunX509</algorithm>
diff --git a/server/apps/distributed-app/sample-configuration/imapserver.xml b/server/apps/distributed-app/sample-configuration/imapserver.xml
index e9208cf..87d4c4d 100644
--- a/server/apps/distributed-app/sample-configuration/imapserver.xml
+++ b/server/apps/distributed-app/sample-configuration/imapserver.xml
@@ -28,9 +28,10 @@ under the License.
<connectionBacklog>200</connectionBacklog>
<tls socketTLS="false" startTLS="true">
<!-- To create a new keystore execute:
- keytool -genkey -alias james -keyalg RSA -keystore /path/to/james/conf/keystore
- -->
+ keytool -genkey -alias james -keyalg RSA -storetype PKCS12 -keystore /path/to/james/conf/keystore
+ -->
<keystore>file://conf/keystore</keystore>
+ <keystoreType>PKCS12</keystoreType>
<secret>james72laBalle</secret>
<provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
</tls>
@@ -47,9 +48,10 @@ under the License.
<connectionBacklog>200</connectionBacklog>
<tls socketTLS="true" startTLS="false">
<!-- To create a new keystore execute:
- keytool -genkey -alias james -keyalg RSA -keystore /path/to/james/conf/keystore
+ keytool -genkey -alias james -keyalg RSA -storetype PKCS12 -keystore /path/to/james/conf/keystore
-->
<keystore>file://conf/keystore</keystore>
+ <keystoreType>PKCS12</keystoreType>
<secret>james72laBalle</secret>
<provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
</tls>
diff --git a/server/apps/distributed-app/sample-configuration/pop3server.xml b/server/apps/distributed-app/sample-configuration/pop3server.xml
index 10a2e08..16809bb 100644
--- a/server/apps/distributed-app/sample-configuration/pop3server.xml
+++ b/server/apps/distributed-app/sample-configuration/pop3server.xml
@@ -27,9 +27,10 @@
<connectionBacklog>200</connectionBacklog>
<tls socketTLS="false" startTLS="false">
<!-- To create a new keystore execute:
- keytool -genkey -alias james -keyalg RSA -keystore /path/to/james/conf/keystore
+ keytool -genkey -alias james -keyalg RSA -storetype PKCS12 -keystore /path/to/james/conf/keystore
-->
<keystore>file://conf/keystore</keystore>
+ <keystoreType>PKCS12</keystoreType>
<secret>james72laBalle</secret>
<provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
</tls>
diff --git a/server/apps/distributed-app/sample-configuration/smtpserver.xml b/server/apps/distributed-app/sample-configuration/smtpserver.xml
index 9200f23..f5e832d 100644
--- a/server/apps/distributed-app/sample-configuration/smtpserver.xml
+++ b/server/apps/distributed-app/sample-configuration/smtpserver.xml
@@ -27,7 +27,11 @@
<bind>0.0.0.0:25</bind>
<connectionBacklog>200</connectionBacklog>
<tls socketTLS="false" startTLS="false">
+ <!-- To create a new keystore execute:
+ keytool -genkey -alias james -keyalg RSA -storetype PKCS12 -keystore /path/to/james/conf/keystore
+ -->
<keystore>file://conf/keystore</keystore>
+ <keystoreType>PKCS12</keystoreType>
<secret>james72laBalle</secret>
<provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
<algorithm>SunX509</algorithm>
@@ -51,7 +55,11 @@
<bind>0.0.0.0:465</bind>
<connectionBacklog>200</connectionBacklog>
<tls socketTLS="true" startTLS="false">
+ <!-- To create a new keystore execute:
+ keytool -genkey -alias james -keyalg RSA -storetype PKCS12 -keystore /path/to/james/conf/keystore
+ -->
<keystore>file://conf/keystore</keystore>
+ <keystoreType>PKCS12</keystoreType>
<secret>james72laBalle</secret>
<provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
<algorithm>SunX509</algorithm>
@@ -79,7 +87,11 @@
<bind>0.0.0.0:587</bind>
<connectionBacklog>200</connectionBacklog>
<tls socketTLS="false" startTLS="true">
+ <!-- To create a new keystore execute:
+ keytool -genkey -alias james -keyalg RSA -storetype PKCS12 -keystore /path/to/james/conf/keystore
+ -->
<keystore>file://conf/keystore</keystore>
+ <keystoreType>PKCS12</keystoreType>
<secret>james72laBalle</secret>
<provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
<algorithm>SunX509</algorithm>
diff --git a/server/apps/jpa-app/sample-configuration/imapserver.xml b/server/apps/jpa-app/sample-configuration/imapserver.xml
index 63d290b..25500e3 100644
--- a/server/apps/jpa-app/sample-configuration/imapserver.xml
+++ b/server/apps/jpa-app/sample-configuration/imapserver.xml
@@ -29,9 +29,10 @@ under the License.
<connectionBacklog>200</connectionBacklog>
<tls socketTLS="false" startTLS="true">
<!-- To create a new keystore execute:
- keytool -genkey -alias james -keyalg RSA -keystore /path/to/james/conf/keystore
- -->
+ keytool -genkey -alias james -keyalg RSA -storetype PKCS12 -keystore /path/to/james/conf/keystore
+ -->
<keystore>file://conf/keystore</keystore>
+ <keystoreType>PKCS12</keystoreType>
<secret>james72laBalle</secret>
<provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
</tls>
@@ -48,9 +49,10 @@ under the License.
<connectionBacklog>200</connectionBacklog>
<tls socketTLS="true" startTLS="false">
<!-- To create a new keystore execute:
- keytool -genkey -alias james -keyalg RSA -keystore /path/to/james/conf/keystore
+ keytool -genkey -alias james -keyalg RSA -storetype PKCS12 -keystore /path/to/james/conf/keystore
-->
<keystore>file://conf/keystore</keystore>
+ <keystoreType>PKCS12</keystoreType>
<secret>james72laBalle</secret>
<provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
</tls>
diff --git a/server/apps/jpa-app/sample-configuration/pop3server.xml b/server/apps/jpa-app/sample-configuration/pop3server.xml
index 10a2e08..16809bb 100644
--- a/server/apps/jpa-app/sample-configuration/pop3server.xml
+++ b/server/apps/jpa-app/sample-configuration/pop3server.xml
@@ -27,9 +27,10 @@
<connectionBacklog>200</connectionBacklog>
<tls socketTLS="false" startTLS="false">
<!-- To create a new keystore execute:
- keytool -genkey -alias james -keyalg RSA -keystore /path/to/james/conf/keystore
+ keytool -genkey -alias james -keyalg RSA -storetype PKCS12 -keystore /path/to/james/conf/keystore
-->
<keystore>file://conf/keystore</keystore>
+ <keystoreType>PKCS12</keystoreType>
<secret>james72laBalle</secret>
<provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
</tls>
diff --git a/server/apps/jpa-app/sample-configuration/smtpserver.xml b/server/apps/jpa-app/sample-configuration/smtpserver.xml
index 9200f23..f5e832d 100644
--- a/server/apps/jpa-app/sample-configuration/smtpserver.xml
+++ b/server/apps/jpa-app/sample-configuration/smtpserver.xml
@@ -27,7 +27,11 @@
<bind>0.0.0.0:25</bind>
<connectionBacklog>200</connectionBacklog>
<tls socketTLS="false" startTLS="false">
+ <!-- To create a new keystore execute:
+ keytool -genkey -alias james -keyalg RSA -storetype PKCS12 -keystore /path/to/james/conf/keystore
+ -->
<keystore>file://conf/keystore</keystore>
+ <keystoreType>PKCS12</keystoreType>
<secret>james72laBalle</secret>
<provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
<algorithm>SunX509</algorithm>
@@ -51,7 +55,11 @@
<bind>0.0.0.0:465</bind>
<connectionBacklog>200</connectionBacklog>
<tls socketTLS="true" startTLS="false">
+ <!-- To create a new keystore execute:
+ keytool -genkey -alias james -keyalg RSA -storetype PKCS12 -keystore /path/to/james/conf/keystore
+ -->
<keystore>file://conf/keystore</keystore>
+ <keystoreType>PKCS12</keystoreType>
<secret>james72laBalle</secret>
<provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
<algorithm>SunX509</algorithm>
@@ -79,7 +87,11 @@
<bind>0.0.0.0:587</bind>
<connectionBacklog>200</connectionBacklog>
<tls socketTLS="false" startTLS="true">
+ <!-- To create a new keystore execute:
+ keytool -genkey -alias james -keyalg RSA -storetype PKCS12 -keystore /path/to/james/conf/keystore
+ -->
<keystore>file://conf/keystore</keystore>
+ <keystoreType>PKCS12</keystoreType>
<secret>james72laBalle</secret>
<provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
<algorithm>SunX509</algorithm>
diff --git a/server/apps/jpa-smtp-app/sample-configuration/smtpserver.xml b/server/apps/jpa-smtp-app/sample-configuration/smtpserver.xml
index 9200f23..f5e832d 100644
--- a/server/apps/jpa-smtp-app/sample-configuration/smtpserver.xml
+++ b/server/apps/jpa-smtp-app/sample-configuration/smtpserver.xml
@@ -27,7 +27,11 @@
<bind>0.0.0.0:25</bind>
<connectionBacklog>200</connectionBacklog>
<tls socketTLS="false" startTLS="false">
+ <!-- To create a new keystore execute:
+ keytool -genkey -alias james -keyalg RSA -storetype PKCS12 -keystore /path/to/james/conf/keystore
+ -->
<keystore>file://conf/keystore</keystore>
+ <keystoreType>PKCS12</keystoreType>
<secret>james72laBalle</secret>
<provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
<algorithm>SunX509</algorithm>
@@ -51,7 +55,11 @@
<bind>0.0.0.0:465</bind>
<connectionBacklog>200</connectionBacklog>
<tls socketTLS="true" startTLS="false">
+ <!-- To create a new keystore execute:
+ keytool -genkey -alias james -keyalg RSA -storetype PKCS12 -keystore /path/to/james/conf/keystore
+ -->
<keystore>file://conf/keystore</keystore>
+ <keystoreType>PKCS12</keystoreType>
<secret>james72laBalle</secret>
<provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
<algorithm>SunX509</algorithm>
@@ -79,7 +87,11 @@
<bind>0.0.0.0:587</bind>
<connectionBacklog>200</connectionBacklog>
<tls socketTLS="false" startTLS="true">
+ <!-- To create a new keystore execute:
+ keytool -genkey -alias james -keyalg RSA -storetype PKCS12 -keystore /path/to/james/conf/keystore
+ -->
<keystore>file://conf/keystore</keystore>
+ <keystoreType>PKCS12</keystoreType>
<secret>james72laBalle</secret>
<provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
<algorithm>SunX509</algorithm>
diff --git a/server/apps/memory-app/sample-configuration/imapserver.xml b/server/apps/memory-app/sample-configuration/imapserver.xml
index 63d290b..25500e3 100644
--- a/server/apps/memory-app/sample-configuration/imapserver.xml
+++ b/server/apps/memory-app/sample-configuration/imapserver.xml
@@ -29,9 +29,10 @@ under the License.
<connectionBacklog>200</connectionBacklog>
<tls socketTLS="false" startTLS="true">
<!-- To create a new keystore execute:
- keytool -genkey -alias james -keyalg RSA -keystore /path/to/james/conf/keystore
- -->
+ keytool -genkey -alias james -keyalg RSA -storetype PKCS12 -keystore /path/to/james/conf/keystore
+ -->
<keystore>file://conf/keystore</keystore>
+ <keystoreType>PKCS12</keystoreType>
<secret>james72laBalle</secret>
<provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
</tls>
@@ -48,9 +49,10 @@ under the License.
<connectionBacklog>200</connectionBacklog>
<tls socketTLS="true" startTLS="false">
<!-- To create a new keystore execute:
- keytool -genkey -alias james -keyalg RSA -keystore /path/to/james/conf/keystore
+ keytool -genkey -alias james -keyalg RSA -storetype PKCS12 -keystore /path/to/james/conf/keystore
-->
<keystore>file://conf/keystore</keystore>
+ <keystoreType>PKCS12</keystoreType>
<secret>james72laBalle</secret>
<provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
</tls>
diff --git a/server/apps/memory-app/sample-configuration/pop3server.xml b/server/apps/memory-app/sample-configuration/pop3server.xml
index 10a2e08..16809bb 100644
--- a/server/apps/memory-app/sample-configuration/pop3server.xml
+++ b/server/apps/memory-app/sample-configuration/pop3server.xml
@@ -27,9 +27,10 @@
<connectionBacklog>200</connectionBacklog>
<tls socketTLS="false" startTLS="false">
<!-- To create a new keystore execute:
- keytool -genkey -alias james -keyalg RSA -keystore /path/to/james/conf/keystore
+ keytool -genkey -alias james -keyalg RSA -storetype PKCS12 -keystore /path/to/james/conf/keystore
-->
<keystore>file://conf/keystore</keystore>
+ <keystoreType>PKCS12</keystoreType>
<secret>james72laBalle</secret>
<provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
</tls>
diff --git a/server/apps/memory-app/sample-configuration/smtpserver.xml b/server/apps/memory-app/sample-configuration/smtpserver.xml
index 9200f23..f5e832d 100644
--- a/server/apps/memory-app/sample-configuration/smtpserver.xml
+++ b/server/apps/memory-app/sample-configuration/smtpserver.xml
@@ -27,7 +27,11 @@
<bind>0.0.0.0:25</bind>
<connectionBacklog>200</connectionBacklog>
<tls socketTLS="false" startTLS="false">
+ <!-- To create a new keystore execute:
+ keytool -genkey -alias james -keyalg RSA -storetype PKCS12 -keystore /path/to/james/conf/keystore
+ -->
<keystore>file://conf/keystore</keystore>
+ <keystoreType>PKCS12</keystoreType>
<secret>james72laBalle</secret>
<provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
<algorithm>SunX509</algorithm>
@@ -51,7 +55,11 @@
<bind>0.0.0.0:465</bind>
<connectionBacklog>200</connectionBacklog>
<tls socketTLS="true" startTLS="false">
+ <!-- To create a new keystore execute:
+ keytool -genkey -alias james -keyalg RSA -storetype PKCS12 -keystore /path/to/james/conf/keystore
+ -->
<keystore>file://conf/keystore</keystore>
+ <keystoreType>PKCS12</keystoreType>
<secret>james72laBalle</secret>
<provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
<algorithm>SunX509</algorithm>
@@ -79,7 +87,11 @@
<bind>0.0.0.0:587</bind>
<connectionBacklog>200</connectionBacklog>
<tls socketTLS="false" startTLS="true">
+ <!-- To create a new keystore execute:
+ keytool -genkey -alias james -keyalg RSA -storetype PKCS12 -keystore /path/to/james/conf/keystore
+ -->
<keystore>file://conf/keystore</keystore>
+ <keystoreType>PKCS12</keystoreType>
<secret>james72laBalle</secret>
<provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
<algorithm>SunX509</algorithm>
diff --git a/server/apps/spring-app/src/main/resources/imapserver.xml b/server/apps/spring-app/src/main/resources/imapserver.xml
index f98b462..fedc97e 100644
--- a/server/apps/spring-app/src/main/resources/imapserver.xml
+++ b/server/apps/spring-app/src/main/resources/imapserver.xml
@@ -47,10 +47,11 @@
To use this you need to copy sunjce_provider.jar to /path/james/lib directory.
-->
<tls socketTLS="false" startTLS="false">
- <!-- To create a new keystore execute:
- keytool -genkey -alias james -keyalg RSA -keystore /path/to/james/conf/keystore
- -->
- <keystore>file://conf/keystore</keystore>
+ <!-- To create a new keystore execute:
+ keytool -genkey -alias james -keyalg RSA -storetype PKCS12 -keystore /path/to/james/conf/keystore
+ -->
+ <keystore>file://conf/keystore</keystore>
+ <keystoreType>PKCS12</keystoreType>
<secret>yoursecret</secret>
<provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
</tls>
diff --git a/server/apps/spring-app/src/main/resources/pop3server.xml b/server/apps/spring-app/src/main/resources/pop3server.xml
index 8b411d8..158b97f 100644
--- a/server/apps/spring-app/src/main/resources/pop3server.xml
+++ b/server/apps/spring-app/src/main/resources/pop3server.xml
@@ -46,9 +46,10 @@
-->
<tls socketTLS="false" startTLS="false">
<!-- To create a new keystore execute:
- keytool -genkey -alias james -keyalg RSA -keystore /path/to/james/conf/keystore
+ keytool -genkey -alias james -keyalg RSA -storetype PKCS12 -keystore /path/to/james/conf/keystore
-->
<keystore>file://conf/keystore</keystore>
+ <keystoreType>PKCS12</keystoreType>
<secret>yoursecret</secret>
<provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
</tls>
diff --git a/server/apps/spring-app/src/main/resources/smtpserver.xml b/server/apps/spring-app/src/main/resources/smtpserver.xml
index 7e6b01f..197a3f5 100644
--- a/server/apps/spring-app/src/main/resources/smtpserver.xml
+++ b/server/apps/spring-app/src/main/resources/smtpserver.xml
@@ -49,15 +49,16 @@
To use this you need to copy sunjce_provider.jar to /path/james/lib directory.
-->
<tls socketTLS="false" startTLS="false">
- <!-- To create a new keystore execute:
- keytool -genkey -alias james -keyalg RSA -keystore /path/to/james/conf/keystore
- -->
- <keystore>file://conf/keystore</keystore>
- <secret>yoursecret</secret>
- <provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
- <!-- The algorithm is optional and only needs to be specified when using something other
- than the Sun JCE provider - You could use IbmX509 with IBM Java runtime. -->
- <algorithm>SunX509</algorithm>
+ <!-- To create a new keystore execute:
+ keytool -genkey -alias james -keyalg RSA -storetype PKCS12 -keystore /path/to/james/conf/keystore
+ -->
+ <keystore>file://conf/keystore</keystore>
+ <keystoreType>PKCS12</keystoreType>
+ <secret>yoursecret</secret>
+ <provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
+ <!-- The algorithm is optional and only needs to be specified when using something other
+ than the Sun JCE provider - You could use IbmX509 with IBM Java runtime. -->
+ <algorithm>SunX509</algorithm>
</tls>
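Review bot: the whole `<tls>` body is re-indented here, so ten lines show as changed for two actual additions (the comment and `<keystoreType>`); keep the original indentation as the other app modules' hunks in this commit do. The spring-app imapserver.xml hunk above has the same problem.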
<!-- This is the name used by the server to identify itself in the SMTP -->
diff --git a/server/container/guice/protocols/jmap/src/main/java/org/apache/james/jmap/draft/JMAPModule.java b/server/container/guice/protocols/jmap/src/main/java/org/apache/james/jmap/draft/JMAPModule.java
index 51da7ce..0f6723d 100644
--- a/server/container/guice/protocols/jmap/src/main/java/org/apache/james/jmap/draft/JMAPModule.java
+++ b/server/container/guice/protocols/jmap/src/main/java/org/apache/james/jmap/draft/JMAPModule.java
@@ -199,6 +199,7 @@ public class JMAPModule extends AbstractModule {
return JMAPDraftConfiguration.builder()
.enabled(configuration.getBoolean("enabled", true))
.keystore(configuration.getString("tls.keystoreURL"))
+ .keystoreType(configuration.getString("tls.keystoreType", null))
.secret(configuration.getString("tls.secret"))
.jwtPublicKeyPem(loadPublicKey(fileSystem, Optional.ofNullable(configuration.getString("jwt.publickeypem.url"))))
.build();
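Review bot: `configuration.getString("tls.keystoreType", null)` is equivalent to `configuration.getString("tls.keystoreType")`, which already returns null for a missing key; the explicit default only hides that the real fallback lives in the builder. More importantly, nothing in the file list touches the JMAP documentation or the sample jmap.properties, so the new `tls.keystoreType` property ships undocumented while the IMAP/POP3/SMTP pages and samples were all updated.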
diff --git a/server/container/guice/protocols/jmap/src/test/java/org/apache/james/modules/TestJMAPServerModule.java b/server/container/guice/protocols/jmap/src/test/java/org/apache/james/modules/TestJMAPServerModule.java
index da80233..701db58 100644
--- a/server/container/guice/protocols/jmap/src/test/java/org/apache/james/modules/TestJMAPServerModule.java
+++ b/server/container/guice/protocols/jmap/src/test/java/org/apache/james/modules/TestJMAPServerModule.java
@@ -101,6 +101,7 @@ public class TestJMAPServerModule extends AbstractModule {
return JMAPDraftConfiguration.builder()
.enable()
.keystore("keystore")
+ .keystoreType("JKS")
.secret("james72laBalle")
.jwtPublicKeyPem(Optional.of(PUBLIC_PEM_KEY));
}
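Review bot: pinning `keystoreType("JKS")` in the test module matches the builder default, so this line adds no coverage; the only PKCS12 tests in the commit are the IMAP ones (imapServerSslPKCS12*.xml). Consider a JMAP test variant that loads keystore.p12 so the JMAP loading path is exercised with the new type as well.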
diff --git a/server/protocols/jmap-draft/src/main/java/org/apache/james/jmap/draft/JMAPDraftConfiguration.java b/server/protocols/jmap-draft/src/main/java/org/apache/james/jmap/draft/JMAPDraftConfiguration.java
index 54c6343..232a7c2 100644
--- a/server/protocols/jmap-draft/src/main/java/org/apache/james/jmap/draft/JMAPDraftConfiguration.java
+++ b/server/protocols/jmap-draft/src/main/java/org/apache/james/jmap/draft/JMAPDraftConfiguration.java
@@ -32,6 +32,7 @@ public class JMAPDraftConfiguration {
public static class Builder {
private String keystore;
+ private Optional<String> keystoreType = Optional.empty();
private String secret;
private Optional<Boolean> enabled = Optional.empty();
private Optional<String> jwtPublicKeyPem = Optional.empty();
@@ -45,6 +46,11 @@ public class JMAPDraftConfiguration {
return this;
}
+ public Builder keystoreType(String keystoreType) {
+ this.keystoreType = Optional.ofNullable(keystoreType);
+ return this;
+ }
+
public Builder enabled(boolean enabled) {
this.enabled = Optional.of(enabled);
return this;
@@ -73,20 +79,23 @@ public class JMAPDraftConfiguration {
Preconditions.checkState(enabled.isPresent(), "You should specify if JMAP server should be started");
Preconditions.checkState(!enabled.get() || !Strings.isNullOrEmpty(keystore), "'keystore' is mandatory");
Preconditions.checkState(!enabled.get() || !Strings.isNullOrEmpty(secret), "'secret' is mandatory");
- return new JMAPDraftConfiguration(enabled.get(), keystore, secret, jwtPublicKeyPem);
+
+ return new JMAPDraftConfiguration(enabled.get(), keystore, keystoreType.orElse("JKS"), secret, jwtPublicKeyPem);
}
}
private final boolean enabled;
private final String keystore;
+ private final String keystoreType;
private final String secret;
private final Optional<String> jwtPublicKeyPem;
@VisibleForTesting
- JMAPDraftConfiguration(boolean enabled, String keystore, String secret, Optional<String> jwtPublicKeyPem) {
+ JMAPDraftConfiguration(boolean enabled, String keystore, String keystoreType, String secret, Optional<String> jwtPublicKeyPem) {
this.enabled = enabled;
this.keystore = keystore;
+ this.keystoreType = keystoreType;
this.secret = secret;
this.jwtPublicKeyPem = jwtPublicKeyPem;
}
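Review bot: the fallback `keystoreType.orElse("JKS")` hard-codes the default type here, and the same literal `"JKS"` is repeated in `AbstractConfigurableAsyncServer` (`config.getString("tls.keystoreType", "JKS")`) and in `JMAPDraftConfigurationTest`; a shared constant (for example `DEFAULT_KEYSTORE_TYPE = "JKS"`) would keep the JMAP and protocol-server defaults from drifting apart. Also, `build()` validates `keystore` and `secret` with `Preconditions.checkState` but accepts any string for `keystoreType`, so a misspelled type is only detected later inside `SecurityKeyLoader.load()`; consider rejecting unknown types at build time alongside the existing checks.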
@@ -99,6 +108,10 @@ public class JMAPDraftConfiguration {
return keystore;
}
+ public String getKeystoreType() {
+ return keystoreType;
+ }
+
public String getSecret() {
return secret;
}
diff --git a/server/protocols/jmap-draft/src/main/java/org/apache/james/jmap/draft/crypto/SecurityKeyLoader.java b/server/protocols/jmap-draft/src/main/java/org/apache/james/jmap/draft/crypto/SecurityKeyLoader.java
index 6b208ca..4648028 100644
--- a/server/protocols/jmap-draft/src/main/java/org/apache/james/jmap/draft/crypto/SecurityKeyLoader.java
+++ b/server/protocols/jmap-draft/src/main/java/org/apache/james/jmap/draft/crypto/SecurityKeyLoader.java
@@ -37,9 +37,7 @@ import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
public class SecurityKeyLoader {
-
private static final String ALIAS = "james";
- private static final String JKS = "JKS";
private final FileSystem fileSystem;
private final JMAPDraftConfiguration jmapDraftConfiguration;
@@ -54,7 +52,7 @@ public class SecurityKeyLoader {
public AsymmetricKeys load() throws Exception {
Preconditions.checkState(jmapDraftConfiguration.isEnabled(), "JMAP is not enabled");
- KeyStore keystore = KeyStore.getInstance(JKS);
+ KeyStore keystore = KeyStore.getInstance(jmapDraftConfiguration.getKeystoreType());
char[] secret;
try (InputStream fis = fileSystem.getResource(jmapDraftConfiguration.getKeystore())) {
secret = jmapDraftConfiguration.getSecret().toCharArray();
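Review bot: `KeyStore.getInstance(jmapDraftConfiguration.getKeystoreType())` now depends on operator input, but a failure there propagates as a bare `KeyStoreException` that does not name the configured value or the `tls.keystoreType` key; wrapping it with a message that includes `getKeystoreType()` and the keystore path would make a misconfiguration diagnosable. Note also that `TestJMAPServerModule` pins `.keystoreType("JKS")`, so nothing in this patch exercises the JMAP loader with a PKCS12 keystore, unlike the IMAP server which gains `initShouldAcceptPKCS12Format`; a matching JMAP test against a `.p12` resource would cover the new branch.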
diff --git a/server/protocols/jmap-draft/src/test/java/org/apache/james/jmap/draft/JMAPDraftConfigurationTest.java b/server/protocols/jmap-draft/src/test/java/org/apache/james/jmap/draft/JMAPDraftConfigurationTest.java
index 92d9f2e..1b34e67 100644
--- a/server/protocols/jmap-draft/src/test/java/org/apache/james/jmap/draft/JMAPDraftConfigurationTest.java
+++ b/server/protocols/jmap-draft/src/test/java/org/apache/james/jmap/draft/JMAPDraftConfigurationTest.java
@@ -102,7 +102,7 @@ public class JMAPDraftConfigurationTest {
String keystore = null;
String secret = null;
Optional<String> jwtPublicKeyPem = Optional.empty();
- JMAPDraftConfiguration expectedJMAPDraftConfiguration = new JMAPDraftConfiguration(DISABLED, keystore, secret, jwtPublicKeyPem);
+ JMAPDraftConfiguration expectedJMAPDraftConfiguration = new JMAPDraftConfiguration(DISABLED, keystore, "JKS", secret, jwtPublicKeyPem);
JMAPDraftConfiguration jmapDraftConfiguration = JMAPDraftConfiguration.builder()
.disable()
diff --git a/server/protocols/protocols-imap4/src/test/java/org/apache/james/imapserver/netty/IMAPServerTest.java b/server/protocols/protocols-imap4/src/test/java/org/apache/james/imapserver/netty/IMAPServerTest.java
index 96af4bf..de70f96 100644
--- a/server/protocols/protocols-imap4/src/test/java/org/apache/james/imapserver/netty/IMAPServerTest.java
+++ b/server/protocols/protocols-imap4/src/test/java/org/apache/james/imapserver/netty/IMAPServerTest.java
@@ -23,8 +23,9 @@ import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatCode;
import static org.assertj.core.api.Assertions.assertThatThrownBy;
-import java.io.IOException;
import java.io.EOFException;
+import java.io.FileNotFoundException;
+import java.io.IOException;
import java.util.Properties;
import javax.mail.Folder;
@@ -38,6 +39,7 @@ import javax.mail.search.RecipientStringTerm;
import javax.mail.search.SearchTerm;
import javax.mail.search.SubjectTerm;
+import org.apache.commons.configuration2.ex.ConfigurationException;
import org.apache.commons.net.imap.IMAPReply;
import org.apache.commons.net.imap.IMAPSClient;
import org.apache.james.core.Username;
@@ -241,6 +243,64 @@ class IMAPServerTest {
assertThat(imapCode).isEqualTo(IMAPReply.NO);
}
}
+
+ @Nested
+ class Ssl {
+ IMAPServer imapServer;
+
+ @AfterEach
+ void tearDown() {
+ if (imapServer != null) {
+ imapServer.destroy();
+ }
+ }
+
+ @Test
+ void initShouldAcceptJKSFormat() {
+ assertThatCode(() -> imapServer = createImapServer("imapServerSslJKS.xml"))
+ .doesNotThrowAnyException();
+ }
+
+ @Test
+ void initShouldAcceptPKCS12Format() {
+ assertThatCode(() -> imapServer = createImapServer("imapServerSslPKCS12.xml"))
+ .doesNotThrowAnyException();
+ }
+
+ @Test
+ void initShouldAcceptJKSByDefault() {
+ assertThatCode(() -> imapServer = createImapServer("imapServerSslDefaultJKS.xml"))
+ .doesNotThrowAnyException();
+ }
+
+ @Test
+ void initShouldThrowWhenSslEnabledWithoutKeys() {
+ assertThatThrownBy(() -> createImapServer("imapServerSslNoKeys.xml"))
+ .isInstanceOf(ConfigurationException.class)
+ .hasMessage("keystore needs to get configured");
+ }
+
+ @Test
+ void initShouldThrowWhenJKSWithBadPassword() {
+ assertThatThrownBy(() -> createImapServer("imapServerSslJKSBadPassword.xml"))
+ .isInstanceOf(IOException.class)
+ .hasMessage("keystore password was incorrect");
+ }
+
+ @Test
+ void initShouldThrowWhenJKSWenNotFound() {
+ assertThatThrownBy(() -> createImapServer("imapServerSslJKSNotFound.xml"))
+ .isInstanceOf(FileNotFoundException.class)
+ .hasMessage("class path resource [keystore.notfound.jks] cannot be resolved to URL because it does not exist");
+ }
+
+ @Test
+ void initShouldThrowWhenPKCS12WithBadPassword() {
+ assertThatThrownBy(() -> createImapServer("imapServerSslPKCS12WrongPassword.xml"))
+ .isInstanceOf(IOException.class)
+ .hasMessage("keystore password was incorrect");
+ }
+ }
@Nested
class Limit {
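Review bot: `initShouldThrowWhenJKSWenNotFound` has a typo in its name ("Wen" for "When"). The password and not-found tests assert on exact exception messages ("keystore password was incorrect", "class path resource [keystore.notfound.jks] cannot be resolved to URL because it does not exist") that originate from the JDK keystore implementation and the resource loader rather than from James, so they will break on a JDK or dependency upgrade without any James change; asserting on the exception type plus a stable substring would be more robust. The suite also lacks the two negative cases this feature introduces: an unsupported or misspelled `<keystoreType>` value (this very patch ships `PKSC12` in `config-ssl-tls.xml`) and a type/file mismatch such as `keystore.p12` declared as `JKS`; both should fail at `init` with a clear error.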
diff --git a/server/protocols/protocols-imap4/src/test/resources/imapServerSslDefaultJKS.xml b/server/protocols/protocols-imap4/src/test/resources/imapServerSslDefaultJKS.xml
new file mode 100644
index 0000000..ece713e
--- /dev/null
+++ b/server/protocols/protocols-imap4/src/test/resources/imapServerSslDefaultJKS.xml
@@ -0,0 +1,10 @@
+
+<imapserver enabled="true">
+ <jmxName>imapserver</jmxName>
+ <bind>0.0.0.0:0</bind>
+ <tls socketTLS="false" startTLS="true">
+ <keystore>keystore.jks</keystore>
+ <secret>123456</secret>
+ <provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
+ </tls>
+</imapserver>
\ No newline at end of file
diff --git a/server/protocols/protocols-imap4/src/test/resources/imapServerSslJKS.xml b/server/protocols/protocols-imap4/src/test/resources/imapServerSslJKS.xml
new file mode 100644
index 0000000..35d7394
--- /dev/null
+++ b/server/protocols/protocols-imap4/src/test/resources/imapServerSslJKS.xml
@@ -0,0 +1,11 @@
+
+<imapserver enabled="true">
+ <jmxName>imapserver</jmxName>
+ <bind>0.0.0.0:0</bind>
+ <tls socketTLS="false" startTLS="true">
+ <keystore>keystore.jks</keystore>
+ <keystoreType>JKS</keystoreType>
+ <secret>123456</secret>
+ <provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
+ </tls>
+</imapserver>
\ No newline at end of file
diff --git a/server/protocols/protocols-imap4/src/test/resources/imapServerSslJKSBadPassword.xml b/server/protocols/protocols-imap4/src/test/resources/imapServerSslJKSBadPassword.xml
new file mode 100644
index 0000000..40b3551
--- /dev/null
+++ b/server/protocols/protocols-imap4/src/test/resources/imapServerSslJKSBadPassword.xml
@@ -0,0 +1,11 @@
+
+<imapserver enabled="true">
+ <jmxName>imapserver</jmxName>
+ <bind>0.0.0.0:0</bind>
+ <tls socketTLS="false" startTLS="true">
+ <keystore>keystore.jks</keystore>
+ <keystoreType>JKS</keystoreType>
+ <secret>badbad</secret>
+ <provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
+ </tls>
+</imapserver>
\ No newline at end of file
diff --git a/server/protocols/protocols-imap4/src/test/resources/imapServerSslJKSNotFound.xml b/server/protocols/protocols-imap4/src/test/resources/imapServerSslJKSNotFound.xml
new file mode 100644
index 0000000..66580bc
--- /dev/null
+++ b/server/protocols/protocols-imap4/src/test/resources/imapServerSslJKSNotFound.xml
@@ -0,0 +1,11 @@
+
+<imapserver enabled="true">
+ <jmxName>imapserver</jmxName>
+ <bind>0.0.0.0:0</bind>
+ <tls socketTLS="false" startTLS="true">
+ <keystore>keystore.notfound.jks</keystore>
+ <keystoreType>JKS</keystoreType>
+ <secret>123456</secret>
+ <provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
+ </tls>
+</imapserver>
\ No newline at end of file
diff --git a/server/protocols/protocols-imap4/src/test/resources/imapServerSslNoKeys.xml b/server/protocols/protocols-imap4/src/test/resources/imapServerSslNoKeys.xml
new file mode 100644
index 0000000..4c2e3ff
--- /dev/null
+++ b/server/protocols/protocols-imap4/src/test/resources/imapServerSslNoKeys.xml
@@ -0,0 +1,7 @@
+
+<imapserver enabled="true">
+ <jmxName>imapserver</jmxName>
+ <bind>0.0.0.0:0</bind>
+ <tls socketTLS="false" startTLS="true">
+ </tls>
+</imapserver>
\ No newline at end of file
diff --git a/server/protocols/protocols-imap4/src/test/resources/imapServerSslPKCS12.xml b/server/protocols/protocols-imap4/src/test/resources/imapServerSslPKCS12.xml
new file mode 100644
index 0000000..f72e129
--- /dev/null
+++ b/server/protocols/protocols-imap4/src/test/resources/imapServerSslPKCS12.xml
@@ -0,0 +1,11 @@
+
+<imapserver enabled="true">
+ <jmxName>imapserver</jmxName>
+ <bind>0.0.0.0:0</bind>
+ <tls socketTLS="false" startTLS="true">
+ <keystore>keystore.p12</keystore>
+ <keystoreType>PKCS12</keystoreType>
+ <secret>123456</secret>
+ <provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
+ </tls>
+</imapserver>
\ No newline at end of file
diff --git a/server/protocols/protocols-imap4/src/test/resources/imapServerSslPKCS12WrongPassword.xml b/server/protocols/protocols-imap4/src/test/resources/imapServerSslPKCS12WrongPassword.xml
new file mode 100644
index 0000000..4496624
--- /dev/null
+++ b/server/protocols/protocols-imap4/src/test/resources/imapServerSslPKCS12WrongPassword.xml
@@ -0,0 +1,10 @@
+<imapserver enabled="true">
+ <jmxName>imapserver</jmxName>
+ <bind>0.0.0.0:0</bind>
+ <tls socketTLS="false" startTLS="true">
+ <keystore>keystore.p12</keystore>
+ <keystoreType>PKCS12</keystoreType>
+ <secret>badbad</secret>
+ <provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
+ </tls>
+</imapserver>
\ No newline at end of file
diff --git a/server/protocols/protocols-imap4/src/test/resources/keystore.jks b/server/protocols/protocols-imap4/src/test/resources/keystore.jks
new file mode 100644
index 0000000..f364c8b
Binary files /dev/null and b/server/protocols/protocols-imap4/src/test/resources/keystore.jks differ
diff --git a/server/protocols/protocols-imap4/src/test/resources/keystore.p12 b/server/protocols/protocols-imap4/src/test/resources/keystore.p12
new file mode 100644
index 0000000..c7e253a
Binary files /dev/null and b/server/protocols/protocols-imap4/src/test/resources/keystore.p12 differ
diff --git a/server/protocols/protocols-library/src/main/java/org/apache/james/protocols/lib/netty/AbstractConfigurableAsyncServer.java b/server/protocols/protocols-library/src/main/java/org/apache/james/protocols/lib/netty/AbstractConfigurableAsyncServer.java
index ab5749a..7bd467d 100644
--- a/server/protocols/protocols-library/src/main/java/org/apache/james/protocols/lib/netty/AbstractConfigurableAsyncServer.java
+++ b/server/protocols/protocols-library/src/main/java/org/apache/james/protocols/lib/netty/AbstractConfigurableAsyncServer.java
@@ -103,6 +103,7 @@ public abstract class AbstractConfigurableAsyncServer extends AbstractAsyncServe
private String helloName;
private String keystore;
+ private String keystoreType;
private String secret;
@@ -246,6 +247,7 @@ public abstract class AbstractConfigurableAsyncServer extends AbstractAsyncServe
if (useStartTLS || useSSL) {
enabledCipherSuites = config.getStringArray("tls.supportedCipherSuites.cipherSuite");
keystore = config.getString("tls.keystore", null);
+ keystoreType = config.getString("tls.keystoreType", "JKS");
if (keystore == null) {
throw new ConfigurationException("keystore needs to get configured");
}
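Review bot: `keystoreType = config.getString("tls.keystoreType", "JKS")` is read but never validated, while the adjacent `keystore == null` check throws a `ConfigurationException` with a clear message; an unknown type value should get the same treatment here (a `ConfigurationException` naming the bad `tls.keystoreType` value) instead of surfacing later as a `KeyStoreException` from `KeyStore.getInstance` during server start. The default literal `"JKS"` should also come from the same constant used by `JMAPDraftConfiguration` so both code paths agree on the fallback.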
@@ -391,7 +393,7 @@ public abstract class AbstractConfigurableAsyncServer extends AbstractAsyncServe
if (useStartTLS || useSSL) {
FileInputStream fis = null;
try {
- KeyStore ks = KeyStore.getInstance("JKS");
+ KeyStore ks = KeyStore.getInstance(keystoreType);
fis = new FileInputStream(fileSystem.getFile(keystore));
ks.load(fis, secret.toCharArray());
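Review bot: with `KeyStore.getInstance(keystoreType)` now configurable, an exception from this block should report which `keystoreType` and which `keystore` file were in use, otherwise a type/file mismatch (a `.p12` file opened as `JKS`) is hard to tell apart from a corrupt or wrongly protected keystore. Since this block is being touched anyway, the `FileInputStream fis = null` plus manual handling could become a try-with-resources around `fileSystem.getFile(keystore)`, which guarantees the stream is closed on the new failure paths as well.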
diff --git a/src/site/xdoc/server/config-imap4.xml b/src/site/xdoc/server/config-imap4.xml
index f9d556d..d4aacd5 100644
--- a/src/site/xdoc/server/config-imap4.xml
+++ b/src/site/xdoc/server/config-imap4.xml
@@ -65,7 +65,7 @@
<dt><strong>tls</strong></dt>
<dd>Set to true to support STARTTLS or SSL for the Socket.
To use this you need to copy sunjce_provider.jar to /path/james/lib directory. To create a new keystore execute:
- keytool -genkey -alias james -keyalg RSA -keystore /path/to/james/conf/keystore<br/>
+ keytool -genkey -alias james -keyalg RSA -storetype PKCS12 -keystore /path/to/james/conf/keystore<br/>
Please note that each IMAP server exposed on different port can specify its own keystore, independently from any other
TLS based protocols.</dd>
<dt><strong>handler.helloName</strong></dt>
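Review bot: the documented `keytool` command now creates a PKCS12 store (`-storetype PKCS12`), but the server default added in `AbstractConfigurableAsyncServer` remains `JKS`, so a user following this page verbatim will have the server open a PKCS12 file as JKS unless they also add `<keystoreType>PKCS12</keystoreType>` to the `tls` block; the `<dd>` text should say so. The same applies to the identical hunks in `config-pop3.xml` and `config-smtp-lmtp.xml` below.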
diff --git a/src/site/xdoc/server/config-pop3.xml b/src/site/xdoc/server/config-pop3.xml
index cf0ef13..7de2635 100644
--- a/src/site/xdoc/server/config-pop3.xml
+++ b/src/site/xdoc/server/config-pop3.xml
@@ -51,7 +51,7 @@
<dt><strong>tls</strong></dt>
<dd>Set to true to support STARTTLS or SSL for the Socket.
To use this you need to copy sunjce_provider.jar to /path/james/lib directory. To create a new keystore execute:
- keytool -genkey -alias james -keyalg RSA -keystore /path/to/james/conf/keystore<br/>
+ keytool -genkey -alias james -keyalg RSA -storetype PKCS12 -keystore /path/to/james/conf/keystore<br/>
Please note that each POP3 server exposed on different port can specify its own keystore, independently from any other
TLS based protocols.</dd>
<dt><strong>handler.helloName</strong></dt>
diff --git a/src/site/xdoc/server/config-smtp-lmtp.xml b/src/site/xdoc/server/config-smtp-lmtp.xml
index 7890313..6016442 100644
--- a/src/site/xdoc/server/config-smtp-lmtp.xml
+++ b/src/site/xdoc/server/config-smtp-lmtp.xml
@@ -60,7 +60,7 @@
<dt><strong>tls</strong></dt>
<dd>Set to true to support STARTTLS or SSL for the Socket.
To use this you need to copy sunjce_provider.jar to /path/james/lib directory. To create a new keystore execute:
- keytool -genkey -alias james -keyalg RSA -keystore /path/to/james/conf/keystore. The algorithm is optional and only needs to be specified when using something other
+ keytool -genkey -alias james -keyalg RSA -storetype PKCS12 -keystore /path/to/james/conf/keystore. The algorithm is optional and only needs to be specified when using something other
than the Sun JCE provider - You could use IbmX509 with IBM Java runtime.<br/>
Please note that each SMTP/LMTP server exposed on different port can specify its own keystore, independently from any other
TLS based protocols.</dd>
diff --git a/src/site/xdoc/server/config-ssl-tls.xml b/src/site/xdoc/server/config-ssl-tls.xml
index e7bb1e6..0c40ed9 100644
--- a/src/site/xdoc/server/config-ssl-tls.xml
+++ b/src/site/xdoc/server/config-ssl-tls.xml
@@ -48,6 +48,7 @@
<source>
<tls socketTLS="false" startTLS="false">
<keystore>file://conf/keystore</keystore>
+ <keystoreType>PKSC12</keystoreType>
<secret>yoursecret</secret>
<provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
</tls>
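Review bot: `<keystoreType>PKSC12</keystoreType>` is a typo for `PKCS12`. This value is passed straight to `KeyStore.getInstance`, so anyone copying this sample configuration will get a start-up failure; fix the spelling here, and it is a good argument for validating `tls.keystoreType` in `AbstractConfigurableAsyncServer` rather than letting the typo surface as a `KeyStoreException`.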
@@ -78,7 +79,17 @@
</ul>
<p>You will now need to create your certificate store and place it in the james/conf/ folder with the name you defined in the keystore tag.</p>
-
+
+ <p>Please note <code>JKS</code> keystore format is also supported (default value if no keystore type is specified):</p>
+ <source>
+<tls socketTLS="false" startTLS="false">
+ <keystore>file://conf/keystore</keystore>
+ <keystoreType>JKS</keystoreType>
+ <secret>yoursecret</secret>
+ <provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
+</tls>
+</source>
+
</subsection>
<subsection name="Certificate Keystores">
@@ -88,7 +99,7 @@
<p><b>Creating your own Certificate Keystore</b></p>
<p>(Adapted from the Tomcat 4.1 documentation)</p>
- <p>James currently operates only on JKS format keystores. This is Java's standard "Java KeyStore" format, and is the format created by the keytool command-line utility. This tool is included in the JDK.</p>
+ <p>James currently operates only on JKS and PKCS12 format keystores. This is Java's standard "Java KeyStore" format, and is the format created by the keytool command-line utility. This tool is included in the JDK.</p>
<p>To import an existing certificate into a JKS keystore, please read the documentation (in your JDK documentation package) about keytool.</p>
<p>To create a new keystore from scratch, containing a single self-signed Certificate, execute the following from a terminal command line:</p>
<p><code>keytool -genkey -alias james -keyalg RSA -keystore your_keystore_filename</code></p>
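Review bot: the updated sentence says James "operates only on JKS and PKCS12 format keystores", but the sentence that follows still reads "This is Java's standard "Java KeyStore" format", which describes JKS alone and no longer matches; reword it to cover both formats and mention that the format is selected with `<keystoreType>` (default `JKS`). The `keytool -genkey -alias james -keyalg RSA -keystore your_keystore_filename` command in this subsection also lacks the `-storetype PKCS12` flag added to the `config-imap4.xml`, `config-pop3.xml` and `config-smtp-lmtp.xml` pages in this same patch, so the documentation is now inconsistent about which format the command produces.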