Posted to commits@pulsar.apache.org by lh...@apache.org on 2022/06/01 07:56:16 UTC
[pulsar] 01/02: Switch to rely on Netty for Hostname Verification (#15824)
This is an automated email from the ASF dual-hosted git repository.
lhotari pushed a commit to branch branch-2.9
in repository https://gitbox.apache.org/repos/asf/pulsar.git
commit 0cdf66ab7fc1a3681edf5776fe9bf817274bad96
Author: Michael Marshall <mm...@apache.org>
AuthorDate: Wed Jun 1 00:00:01 2022 -0500
Switch to rely on Netty for Hostname Verification (#15824)
* Switch to relying on Netty for Hostname Verification
- Add "subjectAltName = DNS:localhost, IP:127.0.0.1" to unit test certs
Co-authored-by: Lari Hotari <lh...@apache.org>
(cherry picked from commit aa7700dbf45303fab8c874bd9e5fcf95745d2777)
---
.../resources/authentication/tls/broker-cert.pem | 74 +++++++-------
.../test/resources/authentication/tls/cacert.pem | 110 ++++++++++-----------
.../resources/authentication/tls/client-cert.pem | 74 +++++++-------
build/regenerate_certs_for_tests.sh | 25 +++--
.../AuthenticationTlsHostnameVerificationTest.java | 34 +++----
.../admin/internal/http/AsyncHttpConnector.java | 9 +-
.../org/apache/pulsar/client/impl/ClientCnx.java | 48 ---------
.../org/apache/pulsar/client/impl/HttpClient.java | 1 +
.../client/impl/PulsarChannelInitializer.java | 7 ++
.../util/NettyClientSslContextRefresher.java | 3 +-
.../apache/pulsar/common/util/SecurityUtility.java | 10 ++
.../pulsar/proxy/server/AdminProxyHandler.java | 7 +-
.../pulsar/proxy/server/DirectProxyHandler.java | 101 +++++++++++++------
.../pulsar/proxy/server/ProxyConnection.java | 9 +-
.../proxy/server/ServiceChannelInitializer.java | 66 +------------
.../proxy/server/ProxyWithAuthorizationTest.java | 70 +++++++------
.../ProxyWithAuthorizationTest/broker-cacert.pem | 110 ++++++++++-----------
.../tls/ProxyWithAuthorizationTest/broker-cert.pem | 74 +++++++-------
.../ProxyWithAuthorizationTest/client-cacert.pem | 110 ++++++++++-----------
.../tls/ProxyWithAuthorizationTest/client-cert.pem | 74 +++++++-------
.../ProxyWithAuthorizationTest/proxy-cacert.pem | 110 ++++++++++-----------
.../tls/ProxyWithAuthorizationTest/proxy-cert.pem | 74 +++++++-------
.../test/resources/authentication/tls/cacert.pem | 110 ++++++++++-----------
.../resources/authentication/tls/client-cert.pem | 74 +++++++-------
.../resources/authentication/tls/server-cert.pem | 74 +++++++-------
25 files changed, 714 insertions(+), 744 deletions(-)
diff --git a/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/broker-cert.pem b/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/broker-cert.pem
index 7f9effa6e92..e9be840d3a0 100644
--- a/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/broker-cert.pem
+++ b/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/broker-cert.pem
@@ -1,13 +1,13 @@
Certificate:
Data:
- Version: 1 (0x0)
+ Version: 3 (0x2)
Serial Number:
- 0c:26:15:df:8f:71:1d:6a:31:d0:da:af:64:ef:80:de:ac:9a:46:76
+ 61:e6:1b:07:90:6a:4f:f7:cd:46:b9:59:1d:3e:1c:39:0d:f2:5e:05
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = CARoot
Validity
- Not Before: Apr 23 17:08:51 2021 GMT
- Not After : Apr 21 17:08:51 2031 GMT
+ Not Before: May 30 13:38:24 2022 GMT
+ Not After : May 27 13:38:24 2032 GMT
Subject: C = US, ST = CA, O = Apache, OU = Apache Pulsar, CN = localhost
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
@@ -32,37 +32,41 @@ Certificate:
a0:1a:81:9d:d2:e1:66:dd:c4:cc:fc:63:04:ac:ec:
a7:35
Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Subject Alternative Name:
+ DNS:localhost, IP Address:127.0.0.1
Signature Algorithm: sha256WithRSAEncryption
- 3a:38:c8:85:48:ed:84:c9:f4:bc:ef:b4:4b:a1:46:9c:97:9b:
- 5f:7e:1a:ff:9b:dc:93:0e:7e:ab:de:09:21:30:1f:7f:2a:f7:
- 94:d1:b3:07:3d:b1:71:4f:72:90:1f:41:3d:fe:34:14:ac:5a:
- 39:02:f1:a4:8a:d1:d3:c0:48:da:6f:37:dc:b5:1d:60:29:e6:
- c5:b0:ce:b4:52:8d:f6:6b:59:0b:e4:c8:f1:1a:40:3a:4f:bd:
- e2:dd:32:2f:21:3c:33:d7:61:5f:86:cd:94:31:31:f1:ff:c6:
- 08:9e:67:bc:8f:9d:bf:38:a8:8c:ff:3f:1f:fb:24:ab:bb:7c:
- fb:1b:c3:1b:62:b4:dd:21:d3:7b:19:92:16:b7:7d:f6:95:ee:
- 14:a0:83:de:c5:05:d8:af:44:1d:f7:eb:32:e2:03:ac:c9:12:
- df:11:b6:af:f8:b9:24:ae:55:3e:25:ae:2a:b2:d3:b6:6a:e9:
- f9:28:e6:e0:46:98:66:2c:0d:a3:fe:c7:82:48:13:80:f2:b2:
- d1:5c:7d:bb:11:1c:60:62:1b:f7:1a:11:e1:ee:29:70:f1:95:
- c1:67:c4:f1:e2:d5:f4:24:49:0d:6e:2f:65:7b:48:cd:40:f9:
- c9:26:a3:c7:41:20:d1:6e:2c:38:8e:1b:bc:93:fa:22:39:3d:
- 2a:f6:ba:77
+ 88:1d:a7:42:a1:1c:87:45:4a:e6:5e:aa:9c:7b:71:2e:5c:9e:
+ 11:85:0f:a3:c5:b4:ea:73:9e:b7:61:9d:4a:e9:cd:1a:c5:2e:
+ 03:be:a3:2b:b6:12:6a:15:03:04:3f:fb:4a:09:0d:84:0e:dd:
+ c0:63:2b:0f:13:fb:1f:98:64:49:48:e7:96:d5:41:c4:ca:94:
+ bf:ab:c5:ea:80:2c:ee:1f:ab:12:54:74:f1:f1:56:ea:03:c0:
+ 1c:0d:8d:b9:6e:b0:d0:5f:21:c1:d3:e3:45:df:cf:64:69:13:
+ 6c:54:79:06:7d:53:46:77:3c:21:cc:c4:6a:5f:f9:9a:07:0f:
+ a5:95:20:f0:0e:93:07:48:96:a9:2c:28:50:21:d7:f8:13:4f:
+ b8:ca:aa:1f:a6:41:7c:71:1f:ad:11:3f:3d:1e:e9:81:3c:86:
+ c1:af:2d:39:a0:13:9f:99:ec:9a:47:44:df:28:02:a7:1d:6a:
+ 8d:c0:1e:24:e8:19:fc:1d:dc:67:29:04:be:0a:d6:c5:81:59:
+ 27:2c:f5:e5:df:ba:0b:c6:50:e5:b3:bd:73:12:3e:2c:ef:a6:
+ 8a:ed:eb:86:9a:45:45:52:a3:44:78:12:60:17:e2:3a:32:92:
+ 03:6e:89:89:16:c5:e0:bc:be:a7:cb:93:4b:d8:56:33:a0:a0:
+ 53:b2:0d:a5
-----BEGIN CERTIFICATE-----
-MIIC7zCCAdcCFAwmFd+PcR1qMdDar2TvgN6smkZ2MA0GCSqGSIb3DQEBCwUAMBEx
-DzANBgNVBAMMBkNBUm9vdDAeFw0yMTA0MjMxNzA4NTFaFw0zMTA0MjExNzA4NTFa
-MFcxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEPMA0GA1UEChMGQXBhY2hlMRYw
-FAYDVQQLEw1BcGFjaGUgUHVsc2FyMRIwEAYDVQQDEwlsb2NhbGhvc3QwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvv7ctmK2d9tqjE9RiD5i+HKKJIrpv
-1f0fZ+ORA5iAgQ7t2PZwfyw2aD1T6lg6ptWJZku9HldxE21LEeVApXaEJJJAWICW
-yR8sxFXro3lzcFw3montL7pr44J8aUoCVIuBXjy/TIrL6ixeg+e3EAhfglijidHa
-kroqKO4wKD9brhBxlsfhEsWwGq1Eb0Q6EUqaPA+NBoB7NO8/bPRexURUHsjdx4CF
-gNlo5sZTA3fh/hhhB3cFTO1ZvF1BOGrvXaGyYJjUSCiVAooO/c97G9IRzBAMUHPX
-zDhsg915JqqQyJuEhrxZ6WJp9JgbxIB4fqAagZ3S4WbdxMz8YwSs7Kc1AgMBAAEw
-DQYJKoZIhvcNAQELBQADggEBADo4yIVI7YTJ9LzvtEuhRpyXm19+Gv+b3JMOfqve
-CSEwH38q95TRswc9sXFPcpAfQT3+NBSsWjkC8aSK0dPASNpvN9y1HWAp5sWwzrRS
-jfZrWQvkyPEaQDpPveLdMi8hPDPXYV+GzZQxMfH/xgieZ7yPnb84qIz/Px/7JKu7
-fPsbwxtitN0h03sZkha3ffaV7hSgg97FBdivRB336zLiA6zJEt8Rtq/4uSSuVT4l
-riqy07Zq6fko5uBGmGYsDaP+x4JIE4DystFcfbsRHGBiG/caEeHuKXDxlcFnxPHi
-1fQkSQ1uL2V7SM1A+ckmo8dBINFuLDiOG7yT+iI5PSr2unc=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-----END CERTIFICATE-----
diff --git a/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/cacert.pem b/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/cacert.pem
index 90fbb9b8898..21bbaba213f 100644
--- a/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/cacert.pem
+++ b/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/cacert.pem
@@ -2,76 +2,76 @@ Certificate:
Data:
Version: 3 (0x2)
Serial Number:
- 10:50:a0:5c:8e:cf:88:33:b6:b5:d2:1e:38:bf:78:56:2a:f1:09:22
+ 70:4c:6b:e0:aa:cc:01:77:f2:1f:04:8c:d4:72:03:a5:32:5f:c7:be
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = CARoot
Validity
- Not Before: Apr 23 17:08:51 2021 GMT
- Not After : Apr 21 17:08:51 2031 GMT
+ Not Before: May 30 13:38:24 2022 GMT
+ Not After : May 27 13:38:24 2032 GMT
Subject: CN = CARoot
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
- 00:c4:92:ca:40:ce:8d:71:dd:e9:2b:e3:3b:b7:17:
- 1d:25:bf:12:66:c0:cb:32:18:32:3e:24:ea:e1:26:
- 1a:97:e8:85:4b:19:8e:c0:0a:da:a6:57:ec:31:a6:
- a8:68:d9:8e:5c:a2:00:54:30:11:47:a6:0e:84:0d:
- 6d:e3:48:a8:a6:e3:42:63:97:ef:91:c0:3a:bc:db:
- 77:77:3b:d0:45:fc:c5:a8:3a:74:dc:82:4e:83:ed:
- f9:9d:a0:30:11:0c:d9:20:7b:a6:04:60:a1:9c:41:
- 33:c6:04:d2:a7:e8:b1:46:e6:35:5e:fd:ca:2e:42:
- 2f:f4:0c:f7:6e:8d:60:f5:cf:82:7a:e3:eb:ed:d0:
- a1:51:a9:78:8d:14:2d:ca:ea:cc:fa:ae:a9:f9:6c:
- df:5c:cb:83:4a:42:22:5c:48:3e:a6:63:70:43:63:
- ff:3f:d8:1f:88:e1:91:7b:49:b9:67:10:8a:60:51:
- 24:68:db:68:24:5f:10:a5:a2:b3:95:83:7e:3c:88:
- 9c:1c:52:6a:2c:03:52:aa:90:90:85:21:78:a7:20:
- b0:e2:dc:79:b4:b7:57:f0:be:df:3b:fc:21:23:ee:
- ff:63:5d:0b:0d:3d:ab:61:54:8c:2d:96:44:7b:42:
- 10:60:3b:1d:a8:ab:33:01:e7:96:74:08:a6:f9:9d:
- ba:cf
+ 00:dc:9c:01:30:5f:c5:42:48:10:78:30:5d:66:20:
+ 0e:74:61:f6:82:74:9f:6f:b2:ed:00:9e:6c:21:b6:
+ 83:21:6b:54:34:e8:a9:dc:81:83:7a:0e:9f:cc:3d:
+ eb:97:ee:cf:ca:0e:5f:96:81:dc:e7:75:88:91:2f:
+ d5:65:74:c2:d8:67:58:d8:41:6a:5f:a9:79:dc:29:
+ 36:4a:b8:39:20:d2:f8:a8:59:9f:e3:be:f9:61:80:
+ 1b:ce:63:bb:12:56:06:b9:77:4e:6a:40:65:9b:bf:
+ 5b:f8:27:88:f5:ff:40:ee:47:bc:2d:8e:c3:a6:62:
+ 0d:18:76:d1:f5:af:1a:6b:25:4e:d4:55:15:f0:e3:
+ 97:1b:68:eb:75:b8:80:ea:64:ef:7e:e2:f0:5c:da:
+ 6d:d6:16:7b:0f:5e:ae:72:47:5a:df:0b:8a:e0:74:
+ c1:b7:82:0d:97:41:d7:84:16:51:40:37:15:a1:eb:
+ 70:0c:f1:5a:26:39:11:1e:97:b9:36:32:ce:16:b9:
+ 42:ad:31:5b:1e:89:f5:3e:07:0e:d6:fc:9a:46:8e:
+ 87:89:90:5c:f3:00:e4:9b:ce:7b:93:fe:9a:d8:65:
+ ec:49:5c:e8:eb:41:3d:53:bc:ce:e8:6d:44:ec:76:
+ 3f:e6:9b:13:e4:f8:d0:1c:00:e6:4f:73:e1:b0:27:
+ 6f:99
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
- C6:91:71:A0:C9:1F:A9:5A:87:7B:E5:10:FB:9A:2A:12:90:44:7D:A0
+ 8B:30:D2:81:7C:BE:AB:4D:76:37:19:2B:69:5E:DB:F7:81:95:73:F5
X509v3 Authority Key Identifier:
- keyid:C6:91:71:A0:C9:1F:A9:5A:87:7B:E5:10:FB:9A:2A:12:90:44:7D:A0
+ keyid:8B:30:D2:81:7C:BE:AB:4D:76:37:19:2B:69:5E:DB:F7:81:95:73:F5
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
- 5d:c2:68:9e:66:fb:67:39:fc:5e:2f:ba:4c:f0:20:3f:f9:4a:
- e2:b9:05:56:d6:5e:da:01:c7:8b:1a:70:e6:67:61:84:71:67:
- a8:11:bc:7c:4d:58:d0:52:44:71:19:47:87:60:cb:16:12:25:
- b2:b0:95:13:ff:52:00:36:78:2d:d3:ce:4e:c6:7d:1b:e5:8e:
- 37:23:8a:ef:c2:44:88:e2:bc:47:c4:ef:23:f5:8b:6d:fc:39:
- 3c:cb:7e:70:7c:60:51:33:5a:38:3a:fd:cc:8f:2c:08:d5:07:
- 06:f9:89:77:96:8e:60:21:e5:05:98:37:d6:c4:b7:a3:43:9e:
- 87:13:9d:12:c4:8f:6a:ad:a9:67:c4:3a:7e:14:77:c3:75:72:
- 95:e6:25:a2:14:e7:77:4d:8f:dd:45:ae:f0:f6:f3:fe:2b:cf:
- ea:0e:f8:61:66:45:db:9f:6b:e4:5e:b8:d4:04:41:68:e9:7c:
- a4:7e:c8:1c:4d:ec:49:49:57:a4:46:95:e8:0f:55:ea:08:2e:
- b9:7a:62:e2:be:05:00:d5:81:5f:60:60:58:4e:19:bc:24:ee:
- 0e:17:63:da:fd:40:44:c2:5f:7d:e9:26:b4:80:4d:db:88:4f:
- 31:a4:16:93:fd:a8:70:94:50:f1:23:92:20:fb:26:c3:9a:71:
- b1:9c:c9:db
+ 02:4c:80:4f:a4:b5:f4:70:be:82:cf:3a:ed:40:f9:97:17:22:
+ 07:5d:e0:9b:4e:54:f8:4b:64:99:f5:07:7f:87:5b:9c:60:ec:
+ 9f:69:e6:00:97:5a:cd:14:59:31:45:be:b7:bd:c4:ce:57:82:
+ 1a:4a:62:ce:8e:c8:59:d5:62:43:8b:94:c0:ab:c2:cc:3a:a0:
+ 69:d3:65:15:82:35:de:85:64:e6:7b:d9:3a:22:12:77:f7:71:
+ 82:86:d7:6c:e5:69:d5:3a:f2:a7:25:f7:dc:f3:6f:cb:eb:85:
+ 48:44:63:e2:6d:3c:82:eb:3a:c0:e1:bd:9d:3a:12:11:66:1f:
+ 05:8f:49:65:31:d6:cf:26:06:46:ba:73:c7:ad:61:fc:14:5f:
+ 68:d1:ee:02:5f:4b:98:b6:5b:0c:98:4e:61:7b:cb:35:ee:44:
+ a1:ce:e1:00:a2:56:f0:0d:72:3b:58:66:e8:9a:dc:62:d5:95:
+ 3e:5a:48:21:a8:7c:f8:1f:5a:13:db:53:33:11:3e:e6:14:39:
+ cd:2b:3f:77:5b:ee:f7:0c:59:69:2f:46:9a:34:56:89:05:8e:
+ 40:94:94:3f:95:f6:fa:f9:1a:e8:1a:80:7b:1d:f7:0c:a1:be:
+ e2:38:98:fd:0f:e7:68:4d:7d:fe:ae:5f:e3:32:c6:5d:37:77:
+ 7a:28:ce:cc
-----BEGIN CERTIFICATE-----
-MIIDAzCCAeugAwIBAgIUEFCgXI7PiDO2tdIeOL94VirxCSIwDQYJKoZIhvcNAQEL
-BQAwETEPMA0GA1UEAwwGQ0FSb290MB4XDTIxMDQyMzE3MDg1MVoXDTMxMDQyMTE3
-MDg1MVowETEPMA0GA1UEAwwGQ0FSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEAxJLKQM6Ncd3pK+M7txcdJb8SZsDLMhgyPiTq4SYal+iFSxmOwAra
-plfsMaaoaNmOXKIAVDARR6YOhA1t40iopuNCY5fvkcA6vNt3dzvQRfzFqDp03IJO
-g+35naAwEQzZIHumBGChnEEzxgTSp+ixRuY1Xv3KLkIv9Az3bo1g9c+CeuPr7dCh
-Ual4jRQtyurM+q6p+WzfXMuDSkIiXEg+pmNwQ2P/P9gfiOGRe0m5ZxCKYFEkaNto
-JF8QpaKzlYN+PIicHFJqLANSqpCQhSF4pyCw4tx5tLdX8L7fO/whI+7/Y10LDT2r
-YVSMLZZEe0IQYDsdqKszAeeWdAim+Z26zwIDAQABo1MwUTAdBgNVHQ4EFgQUxpFx
-oMkfqVqHe+UQ+5oqEpBEfaAwHwYDVR0jBBgwFoAUxpFxoMkfqVqHe+UQ+5oqEpBE
-faAwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAXcJonmb7Zzn8
-Xi+6TPAgP/lK4rkFVtZe2gHHixpw5mdhhHFnqBG8fE1Y0FJEcRlHh2DLFhIlsrCV
-E/9SADZ4LdPOTsZ9G+WONyOK78JEiOK8R8TvI/WLbfw5PMt+cHxgUTNaODr9zI8s
-CNUHBvmJd5aOYCHlBZg31sS3o0OehxOdEsSPaq2pZ8Q6fhR3w3VyleYlohTnd02P
-3UWu8Pbz/ivP6g74YWZF259r5F641ARBaOl8pH7IHE3sSUlXpEaV6A9V6gguuXpi
-4r4FANWBX2BgWE4ZvCTuDhdj2v1ARMJffekmtIBN24hPMaQWk/2ocJRQ8SOSIPsm
-w5pxsZzJ2w==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-----END CERTIFICATE-----
diff --git a/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/client-cert.pem b/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/client-cert.pem
index e79bac70987..e5d9e6e74b2 100644
--- a/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/client-cert.pem
+++ b/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/client-cert.pem
@@ -1,13 +1,13 @@
Certificate:
Data:
- Version: 1 (0x0)
+ Version: 3 (0x2)
Serial Number:
- 0c:26:15:df:8f:71:1d:6a:31:d0:da:af:64:ef:80:de:ac:9a:46:77
+ 61:e6:1b:07:90:6a:4f:f7:cd:46:b9:59:1d:3e:1c:39:0d:f2:5e:06
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = CARoot
Validity
- Not Before: Apr 23 17:08:51 2021 GMT
- Not After : Apr 21 17:08:51 2031 GMT
+ Not Before: May 30 13:38:24 2022 GMT
+ Not After : May 27 13:38:24 2032 GMT
Subject: C = US, ST = CA, O = Apache, OU = Apache Pulsar, CN = superUser
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
@@ -32,37 +32,41 @@ Certificate:
b6:98:ef:dd:03:82:58:a3:32:dc:90:a1:b6:a6:1e:
e1:0b
Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Subject Alternative Name:
+ DNS:localhost, IP Address:127.0.0.1
Signature Algorithm: sha256WithRSAEncryption
- 6f:c2:2f:41:a4:a0:45:10:33:61:20:27:d2:74:40:f9:80:3b:
- 06:88:91:c3:b8:4d:1a:c4:fd:39:9e:3a:c8:41:de:31:4e:ef:
- 8b:06:ce:17:e2:8e:b5:ee:43:92:0a:44:3d:55:e9:85:81:49:
- c9:19:44:15:f1:bd:ec:1e:cb:34:44:b1:01:c0:96:49:30:a4:
- 5a:64:44:6e:59:d9:b1:17:bf:01:13:b7:45:53:8c:8d:a7:79:
- fc:19:b4:a9:b5:9b:6f:16:8e:b3:de:5e:2a:db:01:f2:3e:b0:
- 8f:23:4f:8f:49:ee:d5:b7:98:54:6e:b5:be:8b:fc:05:87:e3:
- 8b:2e:70:28:2c:75:75:c3:76:a4:0d:5e:71:67:30:ec:69:cc:
- 2b:43:69:3b:e8:78:89:51:98:07:cb:21:e9:7a:76:a9:b3:e8:
- e6:19:e7:32:ae:3a:b8:24:c4:20:d8:c2:dc:91:99:d1:9b:8f:
- 77:3c:e7:a8:53:ee:91:fe:ed:2b:86:18:0a:55:44:46:78:a1:
- 78:41:a5:e9:fe:8b:db:bb:10:2e:72:52:b7:54:81:84:8b:f7:
- 29:f3:86:29:7f:f8:e2:d8:51:d8:b2:3c:c2:78:7c:a4:11:9c:
- 0a:42:64:1b:13:cc:91:1a:08:d9:ed:f1:23:5f:fd:b3:89:bb:
- 7a:cc:96:8d
+ 90:62:ba:7b:6f:45:95:7a:71:2f:e7:88:0c:64:b8:6c:05:86:
+ 7f:47:08:ce:d6:e2:5a:32:13:0c:82:ad:a7:af:f0:a2:f7:86:
+ 79:87:1a:89:78:95:b1:9f:be:c5:8b:39:fd:12:94:b6:e1:69:
+ ff:fa:1e:c3:82:d8:6c:03:80:45:ac:1c:06:70:bb:77:c3:41:
+ 5f:b6:9d:fe:36:6f:ae:23:6c:bf:43:79:8e:74:85:8e:96:89:
+ a9:c4:6d:d9:fa:05:ba:a8:11:7c:82:45:94:3d:9f:b6:7c:2f:
+ 4e:6d:37:c3:fb:79:7e:0c:d2:15:fa:0e:ea:2d:c9:24:f3:34:
+ 13:6f:db:d7:55:e1:0c:2f:7e:fe:4c:3b:fa:7e:03:26:0f:6a:
+ 95:d2:22:ce:27:71:6a:97:ac:36:0a:20:ec:19:a0:78:23:0c:
+ 54:f3:b1:dd:33:36:7c:b7:61:23:70:8f:7f:c8:5f:e8:9e:b5:
+ 02:31:4d:b3:40:b0:7b:b2:ee:14:a7:69:22:8b:38:85:5d:04:
+ 6e:d5:44:41:31:a7:4b:71:86:fb:81:cd:3d:db:96:23:0b:bc:
+ e1:67:46:0e:87:86:91:4e:1a:35:37:af:a4:ac:9a:de:e3:4f:
+ 82:47:f1:c4:16:58:11:8f:76:d2:4d:df:a1:c6:a2:8f:33:6d:
+ 72:15:28:76
-----BEGIN CERTIFICATE-----
-MIIC7zCCAdcCFAwmFd+PcR1qMdDar2TvgN6smkZ3MA0GCSqGSIb3DQEBCwUAMBEx
-DzANBgNVBAMMBkNBUm9vdDAeFw0yMTA0MjMxNzA4NTFaFw0zMTA0MjExNzA4NTFa
-MFcxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEPMA0GA1UEChMGQXBhY2hlMRYw
-FAYDVQQLEw1BcGFjaGUgUHVsc2FyMRIwEAYDVQQDEwlzdXBlclVzZXIwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNQ32YQPmwW7yu28ALrSaQluBiOO1o
-sXBGO95E+RRRhhDrypDniOj5kYXg3bW0FLl444bVVG1o7BSStPgiWwU97TElZQgF
-hMrmDCESWDLHGmCjT9JKnigZfEWEAIyJ3N6K5U+Ikcyk8YFFTH3C/+LBicYSc5Xi
-Nr3brotaaGqQUd4riF+qZ/So42PcvhmCzJ1/5o37gr4iAT1WEztbBLToxRjmLg36
-ukqN6MZaoVGaSmLXr920/OLVza6ZbFxhVgvXDBp3XPU6alS1njOsqXUomnav0HpX
-ABuREzH9QoghRwUQAS9Zu8c62eFYTBtscbaY790DglijMtyQobamHuELAgMBAAEw
-DQYJKoZIhvcNAQELBQADggEBAG/CL0GkoEUQM2EgJ9J0QPmAOwaIkcO4TRrE/Tme
-OshB3jFO74sGzhfijrXuQ5IKRD1V6YWBSckZRBXxveweyzREsQHAlkkwpFpkRG5Z
-2bEXvwETt0VTjI2nefwZtKm1m28WjrPeXirbAfI+sI8jT49J7tW3mFRutb6L/AWH
-44sucCgsdXXDdqQNXnFnMOxpzCtDaTvoeIlRmAfLIel6dqmz6OYZ5zKuOrgkxCDY
-wtyRmdGbj3c856hT7pH+7SuGGApVREZ4oXhBpen+i9u7EC5yUrdUgYSL9ynzhil/
-+OLYUdiyPMJ4fKQRnApCZBsTzJEaCNnt8SNf/bOJu3rMlo0=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-----END CERTIFICATE-----
diff --git a/build/regenerate_certs_for_tests.sh b/build/regenerate_certs_for_tests.sh
index 7e4cf8474e2..fb0274cc193 100755
--- a/build/regenerate_certs_for_tests.sh
+++ b/build/regenerate_certs_for_tests.sh
@@ -34,7 +34,7 @@ function reissue_certificate() {
keyfile=$1
certfile=$2
openssl x509 -x509toreq -in $certfile -signkey $keyfile -out ${certfile}.csr
- openssl x509 -req -CA ca-cert.pem -CAkey ca-key -in ${certfile}.csr -text -outform pem -out $certfile -days 3650 -CAcreateserial
+ openssl x509 -req -CA ca-cert.pem -CAkey ca-key -in ${certfile}.csr -text -outform pem -out $certfile -days 3650 -CAcreateserial -extfile <(printf "subjectAltName = DNS:localhost, IP:127.0.0.1")
}
generate_ca
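Review bot: the -extfile <(printf ...) argument added to the "openssl x509 -req" line uses process substitution, which needs bash rather than plain sh, and the shebang is outside this hunk; confirm the script is run under bash. The SAN "DNS:localhost, IP:127.0.0.1" is also hard-coded for every certificate that reissue_certificate signs, so the client certificate (CN = superUser) receives the server names as well; an optional third argument for the SAN would keep client and server certificates distinct.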
@@ -44,6 +44,16 @@ reissue_certificate $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls
reissue_certificate $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/server-key.pem \
$ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/server-cert.pem
+# use same CA key and cert for ProxyWithAuthorizationTest/client-cacert.pem
+cp ca-cert.pem $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/client-cacert.pem
+reissue_certificate $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/client-key.pem \
+ $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/client-cert.pem
+
+# use same CA key and cert for ProxyWithAuthorizationTest/proxy-cacert.pem
+cp ca-cert.pem $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-cacert.pem
+reissue_certificate $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-key.pem \
+ $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-cert.pem
+
generate_ca
cp ca-cert.pem $ROOT_DIR/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/cacert.pem
reissue_certificate $ROOT_DIR/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/broker-key.pem \
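Review bot: the two added comments say that client-cacert.pem and proxy-cacert.pem reuse the CA of the preceding pulsar-proxy certificates, but not why the separate generate_ca calls (removed in the next hunk) are no longer wanted. With one CA behind both trust files, a test in ProxyWithAuthorizationTest that pointed at the wrong trust file would still pass; state the reason in the comment, or keep separate CAs if the tests are meant to tell them apart.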
@@ -56,18 +66,5 @@ cp ca-cert.pem $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/Prox
reissue_certificate $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/broker-key.pem \
$ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/broker-cert.pem
-generate_ca
-cp ca-cert.pem $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/client-cacert.pem
-reissue_certificate $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/client-key.pem \
- $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/client-cert.pem
-
-generate_ca
-cp ca-cert.pem $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-cacert.pem
-reissue_certificate $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-key.pem \
- $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-cert.pem
-
-
-
-
cd $ROOT_DIR
rm -rf /tmp/keygendir$$
diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthenticationTlsHostnameVerificationTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthenticationTlsHostnameVerificationTest.java
index bb8a02143e5..157b35a8aa9 100644
--- a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthenticationTlsHostnameVerificationTest.java
+++ b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthenticationTlsHostnameVerificationTest.java
@@ -18,8 +18,7 @@
*/
package org.apache.pulsar.client.api;
-import static org.mockito.Mockito.spy;
-
+import com.google.common.collect.Sets;
import java.lang.reflect.Method;
import java.util.HashMap;
import java.util.HashSet;
@@ -27,16 +26,12 @@ import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.TimeUnit;
-
import org.apache.pulsar.broker.authentication.AuthenticationProviderBasic;
import org.apache.pulsar.broker.authentication.AuthenticationProviderTls;
-import org.apache.pulsar.client.admin.PulsarAdmin;
import org.apache.pulsar.client.impl.auth.AuthenticationTls;
-import org.apache.pulsar.common.policies.data.ClusterData;
import org.apache.pulsar.common.tls.PublicSuffixMatcher;
import org.apache.pulsar.common.tls.TlsHostnameVerifier;
import org.apache.pulsar.common.policies.data.ClusterDataImpl;
-import org.apache.pulsar.common.policies.data.TenantInfoImpl;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.testng.Assert;
@@ -44,8 +39,6 @@ import org.testng.annotations.AfterMethod;
import org.testng.annotations.DataProvider;
import org.testng.annotations.Test;
-import com.google.common.collect.Sets;
-
@Test(groups = "broker-api")
public class AuthenticationTlsHostnameVerificationTest extends ProducerConsumerBase {
private static final Logger log = LoggerFactory.getLogger(AuthenticationTlsHostnameVerificationTest.class);
@@ -65,8 +58,13 @@ public class AuthenticationTlsHostnameVerificationTest extends ProducerConsumerB
private final String BASIC_CONF_FILE_PATH = "./src/test/resources/authentication/basic/.htpasswd";
private boolean hostnameVerificationEnabled = true;
+ private String clientTrustCertFilePath = TLS_TRUST_CERT_FILE_PATH;
protected void setup() throws Exception {
+ super.internalSetup();
+ super.producerBaseSetup();
+ super.stopBroker();
+
if (methodName.equals("testAnonymousSyncProducerAndConsumer")) {
conf.setAnonymousUserRole("anonymousUser");
}
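Review bot: setup() now opens with super.internalSetup(), super.producerBaseSetup() and super.stopBroker(), with no comment on why a broker is started and stopped before the TLS settings are applied. The reason appears to be that the cluster, tenant and namespace creation removed from setupClient() further down is now left to the base class before the restart; a one-line comment saying so would save the next reader the search.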
@@ -74,7 +72,7 @@ public class AuthenticationTlsHostnameVerificationTest extends ProducerConsumerB
conf.setAuthenticationEnabled(true);
conf.setAuthorizationEnabled(true);
- conf.setTlsAllowInsecureConnection(true);
+ conf.setTlsAllowInsecureConnection(false);
Set<String> superUserRoles = new HashSet<>();
superUserRoles.add("localhost");
@@ -96,7 +94,7 @@ public class AuthenticationTlsHostnameVerificationTest extends ProducerConsumerB
conf.setClusterName("test");
conf.setNumExecutorThreadPoolSize(5);
- super.init();
+ startBroker();
setupClient();
}
@@ -109,22 +107,11 @@ public class AuthenticationTlsHostnameVerificationTest extends ProducerConsumerB
Authentication authTls = new AuthenticationTls();
authTls.configure(authParams);
- admin = spy(PulsarAdmin.builder().serviceHttpUrl(brokerUrlTls.toString())
- .tlsTrustCertsFilePath(TLS_MIM_TRUST_CERT_FILE_PATH).allowTlsInsecureConnection(true)
- .authentication(authTls).build());
replacePulsarClient(PulsarClient.builder()
.serviceUrl(pulsar.getBrokerServiceUrlTls())
.statsInterval(0, TimeUnit.SECONDS)
- .tlsTrustCertsFilePath(TLS_MIM_TRUST_CERT_FILE_PATH).allowTlsInsecureConnection(true)
+ .tlsTrustCertsFilePath(clientTrustCertFilePath)
.authentication(authTls).enableTls(true).enableTlsHostnameVerification(hostnameVerificationEnabled));
-
- admin.clusters().createCluster("test", ClusterData.builder()
- .serviceUrl(brokerUrl.toString())
- .build());
-
- admin.tenants().createTenant("my-property",
- new TenantInfoImpl(Sets.newHashSet("appid1", "appid2"), Sets.newHashSet("test")));
- admin.namespaces().createNamespace("my-property/my-ns", Sets.newHashSet("test"));
}
@AfterMethod(alwaysRun = true)
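Review bot: the Sets.newHashSet calls are removed here together with the admin client, while the first hunk of this file keeps the com.google.common.collect.Sets import (moved to the top of the import block). Check that Sets is still referenced elsewhere in the class; if it is not, drop the import.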
@@ -157,10 +144,11 @@ public class AuthenticationTlsHostnameVerificationTest extends ProducerConsumerB
log.info("-- Starting {} test --", methodName);
this.hostnameVerificationEnabled = hostnameVerificationEnabled;
+ clientTrustCertFilePath = TLS_MIM_TRUST_CERT_FILE_PATH;
// setup broker cert which has CN = "pulsar" different than broker's hostname="localhost"
conf.setBrokerServicePortTls(Optional.of(0));
conf.setWebServicePortTls(Optional.of(0));
- conf.setTlsTrustCertsFilePath(TLS_MIM_TRUST_CERT_FILE_PATH);
+ conf.setTlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH);
conf.setTlsCertificateFilePath(TLS_MIM_SERVER_CERT_FILE_PATH);
conf.setTlsKeyFilePath(TLS_MIM_SERVER_KEY_FILE_PATH);
conf.setBrokerClientAuthenticationParameters(
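Review bot: clientTrustCertFilePath is overwritten with TLS_MIM_TRUST_CERT_FILE_PATH inside this test method, and nothing in the visible hunks sets it back to TLS_TRUST_CERT_FILE_PATH. TestNG runs the methods of a class on one instance by default, so a test that runs afterwards inherits the value; reset the field in the @AfterMethod cleanup, or pass the path to setupClient() as a parameter.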
diff --git a/pulsar-client-admin/src/main/java/org/apache/pulsar/client/admin/internal/http/AsyncHttpConnector.java b/pulsar-client-admin/src/main/java/org/apache/pulsar/client/admin/internal/http/AsyncHttpConnector.java
index 95ea0717b97..2b08bfc0048 100644
--- a/pulsar-client-admin/src/main/java/org/apache/pulsar/client/admin/internal/http/AsyncHttpConnector.java
+++ b/pulsar-client-admin/src/main/java/org/apache/pulsar/client/admin/internal/http/AsyncHttpConnector.java
@@ -129,7 +129,7 @@ public class AsyncHttpConnector implements Connector {
params != null ? params.getKeyStoreType() : null,
params != null ? params.getKeyStorePath() : null,
params != null ? params.getKeyStorePassword() : null,
- conf.isTlsAllowInsecureConnection() || !conf.isTlsHostnameVerificationEnable(),
+ conf.isTlsAllowInsecureConnection(),
conf.getTlsTrustStoreType(),
conf.getTlsTrustStorePath(),
conf.getTlsTrustStorePassword(),
@@ -148,12 +148,12 @@ public class AsyncHttpConnector implements Connector {
sslCtx = authData.getTlsTrustStoreStream() == null
? SecurityUtility.createAutoRefreshSslContextForClient(
sslProvider,
- conf.isTlsAllowInsecureConnection() || !conf.isTlsHostnameVerificationEnable(),
+ conf.isTlsAllowInsecureConnection(),
conf.getTlsTrustCertsFilePath(), authData.getTlsCerificateFilePath(),
authData.getTlsPrivateKeyFilePath(), null, autoCertRefreshTimeSeconds, delayer)
: SecurityUtility.createNettySslContextForClient(
sslProvider,
- conf.isTlsAllowInsecureConnection() || !conf.isTlsHostnameVerificationEnable(),
+ conf.isTlsAllowInsecureConnection(),
authData.getTlsTrustStoreStream(), authData.getTlsCertificates(),
authData.getTlsPrivateKey(),
conf.getTlsCiphers(),
@@ -161,7 +161,7 @@ public class AsyncHttpConnector implements Connector {
} else {
sslCtx = SecurityUtility.createNettySslContextForClient(
sslProvider,
- conf.isTlsAllowInsecureConnection() || !conf.isTlsHostnameVerificationEnable(),
+ conf.isTlsAllowInsecureConnection(),
conf.getTlsTrustCertsFilePath(),
conf.getTlsCiphers(),
conf.getTlsProtocols());
@@ -169,6 +169,7 @@ public class AsyncHttpConnector implements Connector {
confBuilder.setSslContext(sslCtx);
}
}
+ confBuilder.setDisableHttpsEndpointIdentificationAlgorithm(!conf.isTlsHostnameVerificationEnable());
}
httpClient = new DefaultAsyncHttpClient(confBuilder.build());
this.readTimeout = Duration.ofMillis(readTimeoutMs);
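Review bot: the behaviour change for existing configurations is not documented. The four call sites above used to pass "conf.isTlsAllowInsecureConnection() || !conf.isTlsHostnameVerificationEnable()" as the allow-insecure argument, so switching hostname verification off also made the connection count as insecure; with setDisableHttpsEndpointIdentificationAlgorithm(!conf.isTlsHostnameVerificationEnable()) as the only effect of that setting, an admin client that disabled hostname verification without configuring matching trust certificates will now fail. That is the stricter and correct outcome, but it deserves a line in the commit message or the upgrade notes.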
diff --git a/pulsar-client/src/main/java/org/apache/pulsar/client/impl/ClientCnx.java b/pulsar-client/src/main/java/org/apache/pulsar/client/impl/ClientCnx.java
index 3b71f6a6222..20325ade4f6 100644
--- a/pulsar-client/src/main/java/org/apache/pulsar/client/impl/ClientCnx.java
+++ b/pulsar-client/src/main/java/org/apache/pulsar/client/impl/ClientCnx.java
@@ -26,12 +26,10 @@ import static org.apache.pulsar.common.util.Runnables.catchingAndLoggingThrowabl
import com.google.common.collect.Queues;
import io.netty.buffer.ByteBuf;
import io.netty.channel.Channel;
-import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.EventLoopGroup;
import io.netty.channel.unix.Errors.NativeIoException;
import io.netty.handler.codec.LengthFieldBasedFrameDecoder;
-import io.netty.handler.ssl.SslHandler;
import io.netty.util.concurrent.Promise;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
@@ -48,7 +46,6 @@ import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.Semaphore;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicIntegerFieldUpdater;
-import javax.net.ssl.SSLSession;
import lombok.Getter;
import org.apache.commons.lang3.exception.ExceptionUtils;
import org.apache.commons.lang3.tuple.Pair;
@@ -156,9 +153,6 @@ public class ClientCnx extends PulsarHandler {
protected String proxyToTargetBrokerAddress = null;
// Remote hostName with which client is connected
protected String remoteHostName = null;
- private boolean isTlsHostnameVerificationEnable;
-
- private static final TlsHostnameVerifier HOSTNAME_VERIFIER = new TlsHostnameVerifier();
private ScheduledFuture<?> timeoutTask;
private SocketAddress localAddress;
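Review bot: HOSTNAME_VERIFIER is removed here, but the import hunks for this file only drop ChannelHandler, SslHandler and SSLSession. If ClientCnx has no other use of TlsHostnameVerifier, its import is now unused and should be removed in the same commit.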
@@ -224,7 +218,6 @@ public class ClientCnx extends PulsarHandler {
this.maxNumberOfRejectedRequestPerConnection = conf.getMaxNumberOfRejectedRequestPerConnection();
this.operationTimeoutMs = conf.getOperationTimeoutMs();
this.state = State.None;
- this.isTlsHostnameVerificationEnable = conf.isTlsHostnameVerificationEnable();
this.protocolVersion = protocolVersion;
}
@@ -325,14 +318,6 @@ public class ClientCnx extends PulsarHandler {
@Override
protected void handleConnected(CommandConnected connected) {
-
- if (isTlsHostnameVerificationEnable && remoteHostName != null && !verifyTlsHostName(remoteHostName, ctx)) {
- // close the connection if host-verification failed with the broker
- log.warn("[{}] Failed to verify hostname of {}", ctx.channel(), remoteHostName);
- ctx.close();
- return;
- }
-
checkArgument(state == State.SentConnectFrame || state == State.Connecting);
if (connected.hasMaxMessageSize()) {
if (log.isDebugEnabled()) {
@@ -1084,39 +1069,6 @@ public class ClientCnx extends PulsarHandler {
}
}
- /**
- * verifies host name provided in x509 Certificate in tls session
- *
- * it matches hostname with below scenarios
- *
- * <pre>
- * 1. Supports IPV4 and IPV6 host matching
- * 2. Supports wild card matching for DNS-name
- * eg:
- * HostName CN Result
- * 1. localhost localhost PASS
- * 2. localhost local* PASS
- * 3. pulsar1-broker.com pulsar*.com PASS
- * </pre>
- *
- * @param ctx
- * @return true if hostname is verified else return false
- */
- private boolean verifyTlsHostName(String hostname, ChannelHandlerContext ctx) {
- ChannelHandler sslHandler = ctx.channel().pipeline().get("tls");
-
- SSLSession sslSession = null;
- if (sslHandler != null) {
- sslSession = ((SslHandler) sslHandler).engine().getSession();
- if (log.isDebugEnabled()) {
- log.debug("Verifying HostName for {}, Cipher {}, Protocols {}", hostname, sslSession.getCipherSuite(),
- sslSession.getProtocol());
- }
- return HOSTNAME_VERIFIER.verify(hostname, sslSession);
- }
- return false;
- }
-
void registerConsumer(final long consumerId, final ConsumerImpl<?> consumer) {
consumers.put(consumerId, consumer);
}
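Review bot: the removed Javadoc on verifyTlsHostName was the only description of the matching rules (IPv4 and IPv6 hosts, wildcards such as local* and pulsar*.com against the CN), and nothing in this file replaces it. The commit message adds subjectAltName to the test certificates, which suggests the new check does not accept everything the old one did; document the rules that now apply at the place where verification is configured, and cover a CN-only certificate and a wildcard certificate in AuthenticationTlsHostnameVerificationTest so the difference is pinned down.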
diff --git a/pulsar-client/src/main/java/org/apache/pulsar/client/impl/HttpClient.java b/pulsar-client/src/main/java/org/apache/pulsar/client/impl/HttpClient.java
index 285a7202c72..323f3bcad5e 100644
--- a/pulsar-client/src/main/java/org/apache/pulsar/client/impl/HttpClient.java
+++ b/pulsar-client/src/main/java/org/apache/pulsar/client/impl/HttpClient.java
@@ -137,6 +137,7 @@ public class HttpClient implements Closeable {
}
confBuilder.setUseInsecureTrustManager(conf.isTlsAllowInsecureConnection());
+ confBuilder.setDisableHttpsEndpointIdentificationAlgorithm(!conf.isTlsHostnameVerificationEnable());
} catch (GeneralSecurityException e) {
throw new PulsarClientException.InvalidConfigurationException(e);
} catch (Exception e) {
diff --git a/pulsar-client/src/main/java/org/apache/pulsar/client/impl/PulsarChannelInitializer.java b/pulsar-client/src/main/java/org/apache/pulsar/client/impl/PulsarChannelInitializer.java
index 497793d792d..bac1cd9ba41 100644
--- a/pulsar-client/src/main/java/org/apache/pulsar/client/impl/PulsarChannelInitializer.java
+++ b/pulsar-client/src/main/java/org/apache/pulsar/client/impl/PulsarChannelInitializer.java
@@ -51,6 +51,7 @@ public class PulsarChannelInitializer extends ChannelInitializer<SocketChannel>
private final Supplier<ClientCnx> clientCnxSupplier;
@Getter
private final boolean tlsEnabled;
+ private final boolean tlsHostnameVerificationEnabled;
private final boolean tlsEnabledWithKeyStore;
private final InetSocketAddress socks5ProxyAddress;
private final String socks5ProxyUsername;
@@ -66,6 +67,7 @@ public class PulsarChannelInitializer extends ChannelInitializer<SocketChannel>
super();
this.clientCnxSupplier = clientCnxSupplier;
this.tlsEnabled = conf.isUseTls();
+ this.tlsHostnameVerificationEnabled = conf.isTlsHostnameVerificationEnable();
this.socks5ProxyAddress = conf.getSocks5ProxyAddress();
this.socks5ProxyUsername = conf.getSocks5ProxyUsername();
this.socks5ProxyPassword = conf.getSocks5ProxyPassword();
@@ -167,6 +169,11 @@ public class PulsarChannelInitializer extends ChannelInitializer<SocketChannel>
? new SslHandler(nettySSLContextAutoRefreshBuilder.get()
.createSSLEngine(sniHost.getHostString(), sniHost.getPort()))
: sslContextSupplier.get().newHandler(ch.alloc(), sniHost.getHostString(), sniHost.getPort());
+
+ if (tlsHostnameVerificationEnabled) {
+ SecurityUtility.configureSSLHandler(handler);
+ }
+
ch.pipeline().addFirst(TLS_HANDLER, handler);
initTlsFuture.complete(ch);
} catch (Throwable t) {
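Review bot: The added if block does not show which name is verified: it is whatever was passed to createSSLEngine/newHandler two lines above, that is sniHost.getHostString(). Please add a comment saying so, and confirm that sniHost carries the logical broker host name rather than a resolved address, since certificates without a matching IP SAN will fail the handshake once tlsHostnameVerificationEnabled is true. The new field is also the only one in this group without @Getter; if that is intentional, fine, otherwise keep it consistent with tlsEnabled.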
diff --git a/pulsar-common/src/main/java/org/apache/pulsar/common/util/NettyClientSslContextRefresher.java b/pulsar-common/src/main/java/org/apache/pulsar/common/util/NettyClientSslContextRefresher.java
index e1fef9aaa9b..9e050b7058d 100644
--- a/pulsar-common/src/main/java/org/apache/pulsar/common/util/NettyClientSslContextRefresher.java
+++ b/pulsar-common/src/main/java/org/apache/pulsar/common/util/NettyClientSslContextRefresher.java
@@ -49,8 +49,7 @@ public class NettyClientSslContextRefresher extends SslContextAutoRefreshBuilder
AuthenticationDataProvider authData,
Set<String> ciphers,
Set<String> protocols,
- long delayInSeconds)
- throws IOException, GeneralSecurityException {
+ long delayInSeconds) {
super(delayInSeconds);
this.tlsAllowInsecureConnection = allowInsecure;
this.tlsTrustCertsFilePath = new FileModifiedTimeUpdater(trustCertsFilePath);
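Review bot: Dropping "throws IOException, GeneralSecurityException" from the constructor of a public class is a source-incompatible change to cherry-pick into a maintenance branch: a caller outside this repository that wraps the constructor alone in a catch for either checked exception will stop compiling, because Java rejects a catch of a checked exception the try body cannot throw. If that is acceptable for branch-2.9, say so in the commit message, and check whether the IOException and GeneralSecurityException imports in this file are still needed.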
diff --git a/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java b/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java
index 6b715bbf6dc..5abad5924c4 100644
--- a/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java
+++ b/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java
@@ -21,6 +21,7 @@ package org.apache.pulsar.common.util;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
+import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.SslProvider;
import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import java.io.BufferedReader;
@@ -57,7 +58,9 @@ import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import lombok.extern.slf4j.Slf4j;
@@ -549,6 +552,13 @@ public class SecurityUtility {
}
}
+ public static void configureSSLHandler(SslHandler handler) {
+ SSLEngine sslEngine = handler.engine();
+ SSLParameters sslParameters = sslEngine.getSSLParameters();
+ sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
+ sslEngine.setSSLParameters(sslParameters);
+ }
+
public static Provider resolveProvider(String providerName) throws NoSuchAlgorithmException {
Provider provider = null;
if (!StringUtils.isEmpty(providerName)) {
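Review bot: configureSSLHandler is a new public static method with no Javadoc, and its name does not say what it configures. Since its only effect is setEndpointIdentificationAlgorithm("HTTPS"), a name that states this (for example enableHostnameVerification, as a suggestion) plus a Javadoc noting that it must be called before the handshake and that the engine must have been created with the peer host and port would prevent misuse. The "HTTPS" literal could be a named constant, and a blank line is missing between the closing brace of the previous method and this one.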
diff --git a/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/AdminProxyHandler.java b/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/AdminProxyHandler.java
index d4eb4774268..bd1bad27b2b 100644
--- a/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/AdminProxyHandler.java
+++ b/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/AdminProxyHandler.java
@@ -280,10 +280,11 @@ class AdminProxyHandler extends ProxyServlet {
);
}
-
- SslContextFactory contextFactory = new SslContextFactory.Client(true);
+ SslContextFactory contextFactory = new SslContextFactory.Client();
contextFactory.setSslContext(sslCtx);
-
+ if (!config.isTlsHostnameVerificationEnabled()) {
+ contextFactory.setEndpointIdentificationAlgorithm(null);
+ }
return new JettyHttpClient(contextFactory);
} catch (Exception e) {
LOG.error("new jetty http client exception ", e);
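Review bot: Changing new SslContextFactory.Client(true) to new SslContextFactory.Client() drops the trust-all argument as well as enabling endpoint identification, and only the second is controlled by the new if block. Please confirm that the tlsAllowInsecureConnection case is still honoured through sslCtx, since nothing on the factory reflects it any more, and add a short comment that setEndpointIdentificationAlgorithm(null) is what turns hostname verification off. A test for the admin proxy path with verification enabled and a mismatching broker certificate would pin the new default.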
diff --git a/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/DirectProxyHandler.java b/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/DirectProxyHandler.java
index 24802f60a3d..8ffcdb0acd5 100644
--- a/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/DirectProxyHandler.java
+++ b/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/DirectProxyHandler.java
@@ -21,13 +21,13 @@ package org.apache.pulsar.proxy.server;
import static com.google.common.base.Preconditions.checkArgument;
import static com.google.common.base.Preconditions.checkState;
+import static org.apache.commons.lang3.StringUtils.isEmpty;
import io.netty.bootstrap.Bootstrap;
import io.netty.buffer.ByteBuf;
import io.netty.buffer.Unpooled;
import io.netty.channel.Channel;
import io.netty.channel.ChannelFuture;
import io.netty.channel.ChannelFutureListener;
-import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.ChannelOption;
@@ -37,18 +37,19 @@ import io.netty.handler.codec.haproxy.HAProxyCommand;
import io.netty.handler.codec.haproxy.HAProxyMessage;
import io.netty.handler.codec.haproxy.HAProxyProtocolVersion;
import io.netty.handler.codec.haproxy.HAProxyProxiedProtocol;
+import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslHandler;
+import io.netty.handler.ssl.SslProvider;
import io.netty.handler.timeout.ReadTimeoutHandler;
import io.netty.util.CharsetUtil;
import java.net.InetSocketAddress;
import java.util.Arrays;
import java.util.concurrent.TimeUnit;
-import java.util.function.Supplier;
-import javax.net.ssl.SSLSession;
import lombok.Getter;
import org.apache.pulsar.PulsarVersion;
import org.apache.pulsar.client.api.Authentication;
import org.apache.pulsar.client.api.AuthenticationDataProvider;
+import org.apache.pulsar.client.api.AuthenticationFactory;
import org.apache.pulsar.client.api.PulsarClientException;
import org.apache.pulsar.common.allocator.PulsarByteBufAllocator;
import org.apache.pulsar.common.api.AuthData;
@@ -57,7 +58,10 @@ import org.apache.pulsar.common.api.proto.CommandConnected;
import org.apache.pulsar.common.protocol.Commands;
import org.apache.pulsar.common.protocol.PulsarDecoder;
import org.apache.pulsar.common.stats.Rate;
-import org.apache.pulsar.common.tls.TlsHostnameVerifier;
+import org.apache.pulsar.common.util.NettyClientSslContextRefresher;
+import org.apache.pulsar.common.util.SecurityUtility;
+import org.apache.pulsar.common.util.SslContextAutoRefreshBuilder;
+import org.apache.pulsar.common.util.keystoretls.NettySSLContextAutoRefreshBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -79,6 +83,11 @@ public class DirectProxyHandler {
private AuthenticationDataProvider authenticationDataProvider;
private final ProxyService service;
private final Runnable onHandshakeCompleteAction;
+ private final boolean tlsHostnameVerificationEnabled;
+ private final boolean tlsEnabledWithKeyStore;
+ private final boolean tlsEnabledWithBroker;
+ private final SslContextAutoRefreshBuilder<SslContext> clientSslCtxRefresher;
+ private final NettySSLContextAutoRefreshBuilder clientSSLContextAutoRefreshBuilder;
public DirectProxyHandler(ProxyService service, ProxyConnection proxyConnection) {
this.service = service;
@@ -89,11 +98,59 @@ public class DirectProxyHandler {
this.originalPrincipal = proxyConnection.clientAuthRole;
this.clientAuthData = proxyConnection.clientAuthData;
this.clientAuthMethod = proxyConnection.clientAuthMethod;
+ this.tlsEnabledWithBroker = service.getConfiguration().isTlsEnabledWithBroker();
+ this.tlsHostnameVerificationEnabled = service.getConfiguration().isTlsHostnameVerificationEnabled();
+ this.tlsEnabledWithKeyStore = service.getConfiguration().isTlsEnabledWithKeyStore();
this.onHandshakeCompleteAction = proxyConnection::cancelKeepAliveTask;
+ ProxyConfiguration config = service.getConfiguration();
+
+ if (tlsEnabledWithBroker) {
+ AuthenticationDataProvider authData = null;
+
+ if (!isEmpty(config.getBrokerClientAuthenticationPlugin())) {
+ try {
+ authData = AuthenticationFactory.create(config.getBrokerClientAuthenticationPlugin(),
+ config.getBrokerClientAuthenticationParameters()).getAuthData();
+ } catch (PulsarClientException e) {
+ throw new RuntimeException(e);
+ }
+ }
+
+ if (tlsEnabledWithKeyStore) {
+ clientSSLContextAutoRefreshBuilder = new NettySSLContextAutoRefreshBuilder(
+ config.getBrokerClientSslProvider(),
+ config.isTlsAllowInsecureConnection(),
+ config.getBrokerClientTlsTrustStoreType(),
+ config.getBrokerClientTlsTrustStore(),
+ config.getBrokerClientTlsTrustStorePassword(),
+ config.getBrokerClientTlsCiphers(),
+ config.getBrokerClientTlsProtocols(),
+ config.getTlsCertRefreshCheckDurationSec(),
+ authData);
+ clientSslCtxRefresher = null;
+ } else {
+ SslProvider sslProvider = null;
+ if (config.getBrokerClientSslProvider() != null) {
+ sslProvider = SslProvider.valueOf(config.getBrokerClientSslProvider());
+ }
+ clientSslCtxRefresher = new NettyClientSslContextRefresher(
+ sslProvider,
+ config.isTlsAllowInsecureConnection(),
+ config.getBrokerClientTrustCertsFilePath(),
+ authData,
+ config.getBrokerClientTlsCiphers(),
+ config.getBrokerClientTlsProtocols(),
+ config.getTlsCertRefreshCheckDurationSec()
+ );
+ clientSSLContextAutoRefreshBuilder = null;
+ }
+ } else {
+ clientSSLContextAutoRefreshBuilder = null;
+ clientSslCtxRefresher = null;
+ }
}
- public void connect(String brokerHostAndPort, InetSocketAddress targetBrokerAddress,
- int protocolVersion, Supplier<SslHandler> sslHandlerSupplier) {
+ public void connect(String brokerHostAndPort, InetSocketAddress targetBrokerAddress, int protocolVersion) {
ProxyConfiguration config = service.getConfiguration();
// Start the connection attempt.
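Review bot: The context builders are now created in the DirectProxyHandler constructor, and connectToBroker in ProxyConnection creates a new DirectProxyHandler for every broker connection, so AuthenticationFactory.create and a new NettyClientSslContextRefresher or NettySSLContextAutoRefreshBuilder run once per connection instead of once in ServiceChannelInitializer as before. That repeats the certificate loading on each connect and makes the getTlsCertRefreshCheckDurationSec() interval pointless, since each builder serves a single handler. Consider building them once on a shared object such as ProxyService and passing them in. Separately, the PulsarClientException is rethrown as a bare RuntimeException; add a message naming the authentication plugin so the failure is diagnosable.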
@@ -121,8 +178,16 @@ public class DirectProxyHandler {
b.handler(new ChannelInitializer<SocketChannel>() {
@Override
protected void initChannel(SocketChannel ch) {
- if (sslHandlerSupplier != null) {
- ch.pipeline().addLast(TLS_HANDLER, sslHandlerSupplier.get());
+ if (tlsEnabledWithBroker) {
+ String host = targetBrokerAddress.getHostString();
+ int port = targetBrokerAddress.getPort();
+ SslHandler handler = tlsEnabledWithKeyStore
+ ? new SslHandler(clientSSLContextAutoRefreshBuilder.get().createSSLEngine(host, port))
+ : clientSslCtxRefresher.get().newHandler(ch.alloc(), host, port);
+ if (tlsHostnameVerificationEnabled) {
+ SecurityUtility.configureSSLHandler(handler);
+ }
+ ch.pipeline().addLast(TLS_HANDLER, handler);
}
int brokerProxyReadTimeoutMs = service.getConfiguration().getBrokerProxyReadTimeoutMs();
if (brokerProxyReadTimeoutMs > 0) {
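Review bot: Endpoint identification will now compare the broker certificate against targetBrokerAddress.getHostString(), which is an IP literal whenever the InetSocketAddress was built from an address rather than a name. The check this patch removes further down used remoteHostName instead; please confirm the two always agree, or pass the host name in explicitly, and add a comment that the name being verified comes from the host and port given to createSSLEngine/newHandler here.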
@@ -338,15 +403,6 @@ public class DirectProxyHandler {
log.debug("[{}] [{}] Received Connected from broker", inboundChannel, outboundChannel);
}
- if (config.isTlsHostnameVerificationEnabled() && remoteHostName != null
- && !verifyTlsHostName(remoteHostName, ctx)) {
- // close the connection if host-verification failed with the
- // broker
- log.warn("[{}] Failed to verify hostname of {}", ctx.channel(), remoteHostName);
- ctx.close();
- return;
- }
-
state = BackendState.HandshakeCompleted;
onHandshakeCompleteAction.run();
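Review bot: Removing this block also removes the only log line that named the broker whose certificate failed verification ("Failed to verify hostname of {}"). A mismatch will now surface as a handshake failure in exceptionCaught, which logs only cause.getMessage() with the channel pair, so operators lose the direct hint; consider logging the target broker host there when the cause is an SSL handshake error. If remoteHostName is no longer read anywhere after this removal, delete the field as well.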
@@ -409,17 +465,6 @@ public class DirectProxyHandler {
log.warn("[{}] [{}] Caught exception: {}", inboundChannel, outboundChannel, cause.getMessage(), cause);
ctx.close();
}
-
- private boolean verifyTlsHostName(String hostname, ChannelHandlerContext ctx) {
- ChannelHandler sslHandler = ctx.channel().pipeline().get("tls");
-
- SSLSession sslSession;
- if (sslHandler != null) {
- sslSession = ((SslHandler) sslHandler).engine().getSession();
- return (new TlsHostnameVerifier()).verify(hostname, sslSession);
- }
- return false;
- }
}
private static final Logger log = LoggerFactory.getLogger(DirectProxyHandler.class);
diff --git a/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyConnection.java b/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyConnection.java
index eeabced97b0..d9f0f5db38f 100644
--- a/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyConnection.java
+++ b/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyConnection.java
@@ -82,7 +82,6 @@ public class ProxyConnection extends PulsarHandler {
private final DnsAddressResolverGroup dnsAddressResolverGroup;
AuthenticationDataSource authenticationData;
private State state;
- private final Supplier<SslHandler> sslHandlerSupplier;
private LookupProxyHandler lookupProxyHandler = null;
@Getter
@@ -131,13 +130,11 @@ public class ProxyConnection extends PulsarHandler {
return connectionPool;
}
- public ProxyConnection(ProxyService proxyService, Supplier<SslHandler> sslHandlerSupplier,
- DnsAddressResolverGroup dnsAddressResolverGroup) {
+ public ProxyConnection(ProxyService proxyService, DnsAddressResolverGroup dnsAddressResolverGroup) {
super(30, TimeUnit.SECONDS);
this.service = proxyService;
this.dnsAddressResolverGroup = dnsAddressResolverGroup;
this.state = State.Init;
- this.sslHandlerSupplier = sslHandlerSupplier;
this.brokerProxyValidator = service.getBrokerProxyValidator();
}
@@ -360,8 +357,7 @@ public class ProxyConnection extends PulsarHandler {
private void connectToBroker(InetSocketAddress brokerAddress) {
checkState(ctx.executor().inEventLoop(), "This method should be called in the event loop");
DirectProxyHandler directProxyHandler = new DirectProxyHandler(service, this);
- directProxyHandler.connect(proxyToBrokerUrl, brokerAddress,
- protocolVersionToAdvertise, sslHandlerSupplier);
+ directProxyHandler.connect(proxyToBrokerUrl, brokerAddress, protocolVersionToAdvertise);
}
public void brokerConnected(DirectProxyHandler directProxyHandler, CommandConnected connected) {
@@ -531,6 +527,7 @@ public class ProxyConnection extends PulsarHandler {
clientConf.setAuthentication(this.getClientAuthentication());
if (proxyConfig.isTlsEnabledWithBroker()) {
clientConf.setUseTls(true);
+ clientConf.setTlsHostnameVerificationEnable(proxyConfig.isTlsHostnameVerificationEnabled());
if (proxyConfig.isBrokerClientTlsEnabledWithKeyStore()) {
clientConf.setUseKeyStoreTls(true);
clientConf.setTlsTrustStoreType(proxyConfig.getBrokerClientTlsTrustStoreType());
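Review bot: This path selects key store TLS with proxyConfig.isBrokerClientTlsEnabledWithKeyStore(), while the new DirectProxyHandler constructor in this patch selects it with service.getConfiguration().isTlsEnabledWithKeyStore() and then reads the getBrokerClientTlsTrustStore*() settings. If the two flags can differ, the lookup client and the direct broker connection will pick different trust material for the same broker. Please use the same flag in both places, or document why they differ.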
diff --git a/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ServiceChannelInitializer.java b/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ServiceChannelInitializer.java
index 2ce2a93819f..db2574f0df1 100644
--- a/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ServiceChannelInitializer.java
+++ b/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ServiceChannelInitializer.java
@@ -18,18 +18,13 @@
*/
package org.apache.pulsar.proxy.server;
-import static org.apache.commons.lang3.StringUtils.isEmpty;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.SslProvider;
import io.netty.handler.timeout.ReadTimeoutHandler;
import java.util.concurrent.TimeUnit;
-import java.util.function.Supplier;
-import org.apache.pulsar.client.api.AuthenticationDataProvider;
-import org.apache.pulsar.client.api.AuthenticationFactory;
import org.apache.pulsar.common.protocol.Commands;
import org.apache.pulsar.common.protocol.OptionalProxyProtocolDecoder;
-import org.apache.pulsar.common.util.NettyClientSslContextRefresher;
import org.apache.pulsar.common.util.NettyServerSslContextBuilder;
import io.netty.channel.ChannelInitializer;
@@ -52,9 +47,7 @@ public class ServiceChannelInitializer extends ChannelInitializer<SocketChannel>
private final int brokerProxyReadTimeoutMs;
private SslContextAutoRefreshBuilder<SslContext> serverSslCtxRefresher;
- private SslContextAutoRefreshBuilder<SslContext> clientSslCtxRefresher;
private NettySSLContextAutoRefreshBuilder serverSSLContextAutoRefreshBuilder;
- private NettySSLContextAutoRefreshBuilder clientSSLContextAutoRefreshBuilder;
public ServiceChannelInitializer(ProxyService proxyService, ProxyConfiguration serviceConfig, boolean enableTls)
throws Exception {
@@ -95,44 +88,6 @@ public class ServiceChannelInitializer extends ChannelInitializer<SocketChannel>
} else {
this.serverSslCtxRefresher = null;
}
-
- if (serviceConfig.isTlsEnabledWithBroker()) {
- AuthenticationDataProvider authData = null;
-
- if (!isEmpty(serviceConfig.getBrokerClientAuthenticationPlugin())) {
- authData = AuthenticationFactory.create(serviceConfig.getBrokerClientAuthenticationPlugin(),
- serviceConfig.getBrokerClientAuthenticationParameters()).getAuthData();
- }
-
- if (tlsEnabledWithKeyStore) {
- clientSSLContextAutoRefreshBuilder = new NettySSLContextAutoRefreshBuilder(
- serviceConfig.getBrokerClientSslProvider(),
- serviceConfig.isTlsAllowInsecureConnection(),
- serviceConfig.getBrokerClientTlsTrustStoreType(),
- serviceConfig.getBrokerClientTlsTrustStore(),
- serviceConfig.getBrokerClientTlsTrustStorePassword(),
- serviceConfig.getBrokerClientTlsCiphers(),
- serviceConfig.getBrokerClientTlsProtocols(),
- serviceConfig.getTlsCertRefreshCheckDurationSec(),
- authData);
- } else {
- SslProvider sslProvider = null;
- if (serviceConfig.getBrokerClientSslProvider() != null) {
- sslProvider = SslProvider.valueOf(serviceConfig.getBrokerClientSslProvider());
- }
- clientSslCtxRefresher = new NettyClientSslContextRefresher(
- sslProvider,
- serviceConfig.isTlsAllowInsecureConnection(),
- serviceConfig.getBrokerClientTrustCertsFilePath(),
- authData,
- serviceConfig.getBrokerClientTlsCiphers(),
- serviceConfig.getBrokerClientTlsProtocols(),
- serviceConfig.getTlsCertRefreshCheckDurationSec()
- );
- }
- } else {
- this.clientSslCtxRefresher = null;
- }
}
@Override
@@ -156,25 +111,6 @@ public class ServiceChannelInitializer extends ChannelInitializer<SocketChannel>
ch.pipeline().addLast("frameDecoder", new LengthFieldBasedFrameDecoder(
Commands.DEFAULT_MAX_MESSAGE_SIZE + Commands.MESSAGE_SIZE_FRAME_PADDING, 0, 4, 0, 4));
- Supplier<SslHandler> sslHandlerSupplier = null;
- if (clientSslCtxRefresher != null) {
- sslHandlerSupplier = new Supplier<SslHandler>() {
- @Override
- public SslHandler get() {
- return clientSslCtxRefresher.get().newHandler(ch.alloc());
- }
- };
- } else if (clientSSLContextAutoRefreshBuilder != null) {
- sslHandlerSupplier = new Supplier<SslHandler>() {
- @Override
- public SslHandler get() {
- return new SslHandler(clientSSLContextAutoRefreshBuilder.get().createSSLEngine());
- }
- };
- }
-
- ch.pipeline().addLast("handler",
- new ProxyConnection(proxyService, sslHandlerSupplier, proxyService.getDnsAddressResolverGroup()));
-
+ ch.pipeline().addLast("handler", new ProxyConnection(proxyService, proxyService.getDnsAddressResolverGroup()));
}
}
diff --git a/pulsar-proxy/src/test/java/org/apache/pulsar/proxy/server/ProxyWithAuthorizationTest.java b/pulsar-proxy/src/test/java/org/apache/pulsar/proxy/server/ProxyWithAuthorizationTest.java
index d813777f7eb..dd06f33b79a 100644
--- a/pulsar-proxy/src/test/java/org/apache/pulsar/proxy/server/ProxyWithAuthorizationTest.java
+++ b/pulsar-proxy/src/test/java/org/apache/pulsar/proxy/server/ProxyWithAuthorizationTest.java
@@ -19,15 +19,13 @@
package org.apache.pulsar.proxy.server;
import static org.mockito.Mockito.spy;
-
import com.google.common.collect.Sets;
-
+import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.TimeUnit;
-
import lombok.Cleanup;
import org.apache.pulsar.broker.authentication.AuthenticationProviderTls;
import org.apache.pulsar.broker.authentication.AuthenticationService;
@@ -145,20 +143,24 @@ public class ProxyWithAuthorizationTest extends ProducerConsumerBase {
};
}
- @BeforeMethod
@Override
- protected void setup() throws Exception {
-
+ protected void doInitConf() throws Exception {
+ super.doInitConf();
// enable tls and auth&auth at broker
conf.setAuthenticationEnabled(true);
conf.setAuthorizationEnabled(true);
+ conf.setTopicLevelPoliciesEnabled(false);
+ conf.setProxyRoles(Collections.singleton("Proxy"));
+ conf.setAdvertisedAddress(null);
conf.setBrokerServicePortTls(Optional.of(0));
+ conf.setBrokerServicePort(Optional.empty());
conf.setWebServicePortTls(Optional.of(0));
+ conf.setWebServicePort(Optional.empty());
conf.setTlsTrustCertsFilePath(TLS_PROXY_TRUST_CERT_FILE_PATH);
conf.setTlsCertificateFilePath(TLS_BROKER_CERT_FILE_PATH);
conf.setTlsKeyFilePath(TLS_BROKER_KEY_FILE_PATH);
- conf.setTlsAllowInsecureConnection(true);
+ conf.setTlsAllowInsecureConnection(false);
Set<String> superUserRoles = new HashSet<>();
superUserRoles.add("superUser");
@@ -168,20 +170,24 @@ public class ProxyWithAuthorizationTest extends ProducerConsumerBase {
conf.setBrokerClientAuthenticationParameters(
"tlsCertFile:" + TLS_BROKER_CERT_FILE_PATH + "," + "tlsKeyFile:" + TLS_BROKER_KEY_FILE_PATH);
conf.setBrokerClientTrustCertsFilePath(TLS_BROKER_TRUST_CERT_FILE_PATH);
- Set<String> providers = new HashSet<>();
- providers.add(AuthenticationProviderTls.class.getName());
- conf.setAuthenticationProviders(providers);
+ conf.setAuthenticationProviders(Collections.singleton(AuthenticationProviderTls.class.getName()));
conf.setClusterName("proxy-authorization");
conf.setNumExecutorThreadPoolSize(5);
+ }
+ @BeforeMethod
+ @Override
+ protected void setup() throws Exception {
super.init();
// start proxy service
proxyConfig.setAuthenticationEnabled(true);
proxyConfig.setAuthorizationEnabled(false);
+ proxyConfig.setForwardAuthorizationCredentials(true);
proxyConfig.setBrokerServiceURL(pulsar.getBrokerServiceUrl());
proxyConfig.setBrokerServiceURLTLS(pulsar.getBrokerServiceUrlTls());
+ proxyConfig.setAdvertisedAddress(null);
proxyConfig.setServicePort(Optional.of(0));
proxyConfig.setBrokerProxyAllowedTargetPorts("*");
@@ -198,7 +204,7 @@ public class ProxyWithAuthorizationTest extends ProducerConsumerBase {
proxyConfig.setBrokerClientAuthenticationPlugin(AuthenticationTls.class.getName());
proxyConfig.setBrokerClientAuthenticationParameters(
"tlsCertFile:" + TLS_PROXY_CERT_FILE_PATH + "," + "tlsKeyFile:" + TLS_PROXY_KEY_FILE_PATH);
- proxyConfig.setAuthenticationProviders(providers);
+ proxyConfig.setAuthenticationProviders(Collections.singleton(AuthenticationProviderTls.class.getName()));
proxyService = Mockito.spy(new ProxyService(proxyConfig,
new AuthenticationService(
@@ -240,11 +246,11 @@ public class ProxyWithAuthorizationTest extends ProducerConsumerBase {
@Cleanup
PulsarClient proxyClient = createPulsarClient(proxyService.getServiceUrlTls(), PulsarClient.builder());
- String namespaceName = "my-property/proxy-authorization/my-ns";
+ String namespaceName = "my-tenant/my-ns";
- admin.clusters().createCluster("proxy-authorization", ClusterData.builder().serviceUrl(brokerUrl.toString()).build());
+ admin.clusters().createCluster("proxy-authorization", ClusterData.builder().serviceUrlTls(brokerUrlTls.toString()).build());
- admin.tenants().createTenant("my-property",
+ admin.tenants().createTenant("my-tenant",
new TenantInfoImpl(Sets.newHashSet("appid1", "appid2"), Sets.newHashSet("proxy-authorization")));
admin.namespaces().createNamespace(namespaceName);
@@ -254,11 +260,11 @@ public class ProxyWithAuthorizationTest extends ProducerConsumerBase {
Sets.newHashSet(AuthAction.consume, AuthAction.produce));
Consumer<byte[]> consumer = proxyClient.newConsumer()
- .topic("persistent://my-property/proxy-authorization/my-ns/my-topic1")
+ .topic("persistent://my-tenant/my-ns/my-topic1")
.subscriptionName("my-subscriber-name").subscribe();
Producer<byte[]> producer = proxyClient.newProducer(Schema.BYTES)
- .topic("persistent://my-property/proxy-authorization/my-ns/my-topic1").create();
+ .topic("persistent://my-tenant/my-ns/my-topic1").create();
final int msgs = 10;
for (int i = 0; i < msgs; i++) {
String message = "my-message-" + i;
@@ -294,11 +300,11 @@ public class ProxyWithAuthorizationTest extends ProducerConsumerBase {
PulsarClient proxyClient = createPulsarClient(proxyService.getServiceUrlTls(),
PulsarClient.builder().enableTlsHostnameVerification(hostnameVerificationEnabled));
- String namespaceName = "my-property/proxy-authorization/my-ns";
+ String namespaceName = "my-tenant/my-ns";
- admin.clusters().createCluster("proxy-authorization", ClusterData.builder().serviceUrl(brokerUrl.toString()).build());
+ admin.clusters().createCluster("proxy-authorization", ClusterData.builder().serviceUrl(brokerUrlTls.toString()).build());
- admin.tenants().createTenant("my-property",
+ admin.tenants().createTenant("my-tenant",
new TenantInfoImpl(Sets.newHashSet("appid1", "appid2"), Sets.newHashSet("proxy-authorization")));
admin.namespaces().createNamespace(namespaceName);
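Review bot: The changed createCluster line here passes the TLS URL to the non-TLS setter, ClusterData.builder().serviceUrl(brokerUrlTls.toString()), whereas the equivalent lines in the other test methods of this patch were changed to serviceUrlTls(brokerUrlTls.toString()). The same mismatch appears in the tlsCiphersAndProtocols hunk. Unless it is deliberate, use serviceUrlTls in all four places so the cluster metadata is consistent across tests.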
@@ -308,7 +314,7 @@ public class ProxyWithAuthorizationTest extends ProducerConsumerBase {
Sets.newHashSet(AuthAction.consume, AuthAction.produce));
try {
- proxyClient.newConsumer().topic("persistent://my-property/proxy-authorization/my-ns/my-topic1")
+ proxyClient.newConsumer().topic("persistent://my-tenant/my-ns/my-topic1")
.subscriptionName("my-subscriber-name").subscribe();
if (hostnameVerificationEnabled) {
Assert.fail("Connection should be failed due to hostnameVerification enabled");
@@ -344,13 +350,13 @@ public class ProxyWithAuthorizationTest extends ProducerConsumerBase {
// create a client which connects to proxy over tls and pass authData
@Cleanup
PulsarClient proxyClient = createPulsarClient(proxyService.getServiceUrlTls(),
- PulsarClient.builder().operationTimeout(1, TimeUnit.SECONDS));
+ PulsarClient.builder().operationTimeout(15, TimeUnit.SECONDS));
- String namespaceName = "my-property/proxy-authorization/my-ns";
+ String namespaceName = "my-tenant/my-ns";
- admin.clusters().createCluster("proxy-authorization", ClusterData.builder().serviceUrl(brokerUrl.toString()).build());
+ admin.clusters().createCluster("proxy-authorization", ClusterData.builder().serviceUrlTls(brokerUrlTls.toString()).build());
- admin.tenants().createTenant("my-property",
+ admin.tenants().createTenant("my-tenant",
new TenantInfoImpl(Sets.newHashSet("appid1", "appid2"), Sets.newHashSet("proxy-authorization")));
admin.namespaces().createNamespace(namespaceName);
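Review bot: Raising the timeout to operationTimeout(15, TimeUnit.SECONDS) on the builder looks ineffective, because createPulsarClient (visible in the last hunk of this file) calls .operationTimeout(1000, TimeUnit.MILLISECONDS) on the same builder before build(), which overrides it. Either remove the hard-coded timeout from the helper or drop this change, and add a comment on why this test needs a longer timeout than the others.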
@@ -360,7 +366,7 @@ public class ProxyWithAuthorizationTest extends ProducerConsumerBase {
Sets.newHashSet(AuthAction.consume, AuthAction.produce));
try {
- proxyClient.newConsumer().topic("persistent://my-property/proxy-authorization/my-ns/my-topic1")
+ proxyClient.newConsumer().topic("persistent://my-tenant/my-ns/my-topic1")
.subscriptionName("my-subscriber-name").subscribe();
if (hostnameVerificationEnabled) {
Assert.fail("Connection should be failed due to hostnameVerification enabled");
@@ -382,12 +388,12 @@ public class ProxyWithAuthorizationTest extends ProducerConsumerBase {
public void tlsCiphersAndProtocols(Set<String> tlsCiphers, Set<String> tlsProtocols, boolean expectFailure)
throws Exception {
log.info("-- Starting {} test --", methodName);
- String namespaceName = "my-property/proxy-authorization/my-ns";
+ String namespaceName = "my-tenant/my-ns";
createAdminClient();
- admin.clusters().createCluster("proxy-authorization", ClusterData.builder().serviceUrl(brokerUrl.toString()).build());
+ admin.clusters().createCluster("proxy-authorization", ClusterData.builder().serviceUrl(brokerUrlTls.toString()).build());
- admin.tenants().createTenant("my-property",
+ admin.tenants().createTenant("my-tenant",
new TenantInfoImpl(Sets.newHashSet("appid1", "appid2"), Sets.newHashSet("proxy-authorization")));
admin.namespaces().createNamespace(namespaceName);
@@ -399,8 +405,10 @@ public class ProxyWithAuthorizationTest extends ProducerConsumerBase {
ProxyConfiguration proxyConfig = new ProxyConfiguration();
proxyConfig.setAuthenticationEnabled(true);
proxyConfig.setAuthorizationEnabled(false);
+ proxyConfig.setForwardAuthorizationCredentials(true);
proxyConfig.setBrokerServiceURL(pulsar.getBrokerServiceUrl());
proxyConfig.setBrokerServiceURLTLS(pulsar.getBrokerServiceUrlTls());
+ proxyConfig.setAdvertisedAddress(null);
proxyConfig.setServicePort(Optional.of(0));
proxyConfig.setBrokerProxyAllowedTargetPorts("*");
@@ -447,7 +455,7 @@ public class ProxyWithAuthorizationTest extends ProducerConsumerBase {
@Cleanup
PulsarClient proxyClient = createPulsarClient("pulsar://localhost:" + proxyService.getListenPortTls().get(), PulsarClient.builder());
Consumer<byte[]> consumer = proxyClient.newConsumer()
- .topic("persistent://my-property/proxy-authorization/my-ns/my-topic1")
+ .topic("persistent://my-tenant/my-ns/my-topic1")
.subscriptionName("my-subscriber-name").subscribe();
if (expectFailure) {
@@ -469,7 +477,7 @@ public class ProxyWithAuthorizationTest extends ProducerConsumerBase {
authParams.put("tlsKeyFile", TLS_SUPERUSER_CLIENT_KEY_FILE_PATH);
admin = spy(PulsarAdmin.builder().serviceHttpUrl(brokerUrlTls.toString())
- .tlsTrustCertsFilePath(TLS_PROXY_TRUST_CERT_FILE_PATH).allowTlsInsecureConnection(true)
+ .tlsTrustCertsFilePath(TLS_BROKER_TRUST_CERT_FILE_PATH)
.authentication(AuthenticationTls.class.getName(), authParams).build());
}
@@ -483,7 +491,7 @@ public class ProxyWithAuthorizationTest extends ProducerConsumerBase {
authTls.configure(authParams);
return clientBuilder.serviceUrl(proxyServiceUrl).statsInterval(0, TimeUnit.SECONDS)
- .tlsTrustCertsFilePath(TLS_PROXY_TRUST_CERT_FILE_PATH).allowTlsInsecureConnection(true)
+ .tlsTrustCertsFilePath(TLS_PROXY_TRUST_CERT_FILE_PATH)
.authentication(authTls).enableTls(true)
.operationTimeout(1000, TimeUnit.MILLISECONDS).build();
}
diff --git a/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/broker-cacert.pem b/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/broker-cacert.pem
index df21a4968bf..7d2d58d8d7a 100644
--- a/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/broker-cacert.pem
+++ b/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/broker-cacert.pem
@@ -2,76 +2,76 @@ Certificate:
Data:
Version: 3 (0x2)
Serial Number:
- 37:55:7a:ae:71:6b:5f:f0:0d:f7:11:df:b5:f9:ce:e1:65:a4:0c:a4
+ 40:cd:a5:a5:35:76:ee:02:57:8b:30:8f:2a:12:34:03:45:c5:96:8c
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = CARoot
Validity
- Not Before: Apr 23 17:08:51 2021 GMT
- Not After : Apr 21 17:08:51 2031 GMT
+ Not Before: May 30 13:38:24 2022 GMT
+ Not After : May 27 13:38:24 2032 GMT
Subject: CN = CARoot
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
- 00:ce:29:c8:45:af:07:8e:79:1e:55:66:7b:93:af:
- 09:2c:72:fd:d5:33:38:30:a9:b5:50:92:90:33:b0:
- 55:b0:c4:6b:37:4a:ba:5b:76:4d:52:0b:9f:58:b2:
- c5:95:8c:47:6d:2b:07:0a:f5:74:43:ec:7d:36:bf:
- 3e:8c:d6:13:31:ce:fc:d1:77:b0:ac:3c:ae:69:4b:
- bd:5d:93:bd:84:57:51:a7:ef:03:2e:ae:3e:93:73:
- 8b:1e:39:90:8b:32:e2:0a:dd:b8:20:83:98:76:91:
- 75:d6:d5:db:43:7b:f4:c9:4e:23:52:e3:11:55:05:
- 48:b8:82:47:ea:32:0b:56:1b:07:11:f3:06:c7:4a:
- d5:6b:87:c2:2e:e2:9a:8c:9d:54:ca:5e:96:08:02:
- 5d:17:42:4d:73:86:08:ab:6e:2e:f3:a8:c3:a3:c1:
- bd:88:63:5e:69:7e:fa:af:31:8d:3a:49:ed:e8:cf:
- 80:15:ca:d4:2b:fe:84:3d:aa:27:7e:98:36:48:4f:
- 3b:27:90:1d:c1:fe:4e:13:b0:5e:a5:32:6e:16:38:
- 2e:b7:d1:f3:6b:18:a5:3e:b6:d7:07:42:21:c7:d9:
- 8e:d6:8c:a5:bf:25:9e:5c:fc:c7:12:18:59:23:b9:
- 3d:39:45:3d:1c:81:e2:f2:29:91:05:20:46:b2:52:
- 06:51
+ 00:d8:d5:00:e0:6b:4f:4e:8a:67:08:e9:e3:3f:23:
+ ef:15:1d:82:10:85:f3:3b:77:9c:96:c1:aa:eb:90:
+ 41:0b:5b:ae:77:d9:a3:f1:cf:2a:32:40:78:33:6a:
+ 81:b9:c2:cd:91:36:98:df:41:84:c0:62:8a:a1:03:
+ 89:8d:2b:b8:91:49:a9:e8:a2:90:ad:b9:cd:23:84:
+ bc:60:1f:6f:b5:81:9f:9c:cf:d5:26:a8:a5:b6:4d:
+ 59:5f:5c:7f:da:e8:1d:3d:04:f3:b8:ef:f8:d5:73:
+ c6:fd:6a:b1:91:ae:16:b7:45:21:9a:1a:1a:76:74:
+ 01:40:ee:fc:3c:67:be:6a:7f:f4:a3:82:37:ee:43:
+ 41:f5:67:d5:d5:64:9c:d8:53:75:34:4d:23:80:b5:
+ 59:13:c2:27:47:8e:20:32:6f:f6:b3:70:bf:5e:15:
+ 08:7e:d1:bf:aa:4d:06:6b:0d:17:21:eb:95:47:52:
+ fa:d7:97:ef:1a:5d:63:26:17:36:01:20:ac:57:50:
+ 34:f0:57:49:38:3d:9c:68:6a:87:91:38:b6:76:9d:
+ bc:e9:4e:c2:58:54:8d:8a:32:05:9e:ba:cb:f0:d0:
+ ec:91:67:1d:77:bf:d5:02:77:d4:22:78:94:f4:9a:
+ 49:fa:ef:b2:9b:30:1a:8a:f0:a7:9a:2b:e5:e9:c7:
+ 36:c5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
- EF:DA:58:74:AA:21:F9:9E:19:7E:44:2B:84:32:93:F4:0F:79:18:3B
+ DD:AC:A0:40:6E:E9:2B:49:F2:35:DB:B4:E9:98:AD:58:7B:37:6B:55
X509v3 Authority Key Identifier:
- keyid:EF:DA:58:74:AA:21:F9:9E:19:7E:44:2B:84:32:93:F4:0F:79:18:3B
+ keyid:DD:AC:A0:40:6E:E9:2B:49:F2:35:DB:B4:E9:98:AD:58:7B:37:6B:55
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
- 2e:f5:b6:f7:fc:50:89:16:1e:ea:8c:ec:57:54:f6:ca:d3:19:
- 65:fe:da:c5:73:53:f6:d0:1e:26:96:f2:d3:03:55:8d:6e:c4:
- cd:8c:2d:7a:ea:fa:38:6c:ed:fa:d5:23:b8:52:c1:e3:52:04:
- 3d:46:8c:2d:b6:b2:47:68:41:92:f6:47:24:50:78:47:5e:2a:
- 9b:df:85:a8:92:0d:49:17:eb:51:e8:b2:69:3c:4a:f3:9f:5f:
- ea:fd:b2:08:3c:30:1a:93:be:d3:c3:b3:c7:60:7c:ea:f4:15:
- 43:bd:3f:b1:d0:69:3c:84:5b:05:01:55:d7:d5:87:fb:58:53:
- 03:d8:91:5f:e8:e0:37:88:82:ea:dc:1c:2d:a0:8d:82:68:65:
- 6e:ea:0d:2a:e1:aa:cc:b3:d1:ce:a8:2b:2d:ed:e4:ba:0f:7f:
- 51:48:d2:4b:2f:7c:eb:02:01:4f:2c:b6:06:c1:9a:97:2c:b7:
- 6c:b7:06:86:d1:8b:cc:d6:d4:c3:ff:b5:65:c5:92:eb:9c:68:
- 6d:99:d8:4a:6d:7a:ac:fe:dc:f3:12:f8:bb:2b:0a:b9:d8:1e:
- 87:b6:e9:8b:51:32:f3:7b:0b:1a:29:57:4c:7d:5a:b6:9c:83:
- 23:e5:35:2b:98:83:aa:7c:ef:24:3a:74:a8:86:22:32:06:fb:
- 03:b7:01:9d
+ 07:0c:90:05:fa:2c:c9:4e:05:ec:6b:7d:99:9c:52:2a:20:34:
+ 46:ac:8d:24:81:f9:a7:f3:1d:03:32:45:82:9a:61:af:1f:63:
+ 25:6b:97:ca:93:78:e5:d7:87:81:b6:29:22:d4:0d:8d:ed:0e:
+ bd:85:80:6c:38:e9:86:3c:bd:ee:ff:26:78:0a:f0:a7:54:0b:
+ af:27:9e:8b:83:b7:10:e9:44:0d:4a:7e:a8:e2:aa:1c:06:f8:
+ 18:f1:c4:c9:e4:bb:17:41:59:94:b4:dc:78:53:fb:1b:43:57:
+ 82:59:de:6c:03:52:9a:28:cb:e4:9e:ea:c5:00:93:e0:27:b4:
+ 4b:e6:b3:c5:88:2d:14:33:10:ff:b0:23:4e:5d:ea:17:97:7d:
+ f4:e2:c8:fe:c3:4a:77:83:64:ef:c9:b6:3e:77:64:32:07:91:
+ bd:e1:58:9a:e1:38:ab:eb:d2:e3:cb:05:7c:c7:f3:2b:47:bf:
+ 36:64:7e:32:5a:62:44:07:c8:8e:9d:55:1a:99:c4:14:5a:66:
+ ed:5f:8b:ab:dd:eb:36:28:cd:77:47:84:00:ae:a7:34:0e:0d:
+ 77:df:67:72:08:94:75:52:1b:4a:71:4d:31:5d:aa:1b:aa:b6:
+ e0:d6:86:52:7c:26:ae:1f:96:ab:06:32:cb:7a:f3:bb:76:3e:
+ 08:53:9f:64
-----BEGIN CERTIFICATE-----
-MIIDAzCCAeugAwIBAgIUN1V6rnFrX/AN9xHftfnO4WWkDKQwDQYJKoZIhvcNAQEL
-BQAwETEPMA0GA1UEAwwGQ0FSb290MB4XDTIxMDQyMzE3MDg1MVoXDTMxMDQyMTE3
-MDg1MVowETEPMA0GA1UEAwwGQ0FSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEAzinIRa8HjnkeVWZ7k68JLHL91TM4MKm1UJKQM7BVsMRrN0q6W3ZN
-UgufWLLFlYxHbSsHCvV0Q+x9Nr8+jNYTMc780XewrDyuaUu9XZO9hFdRp+8DLq4+
-k3OLHjmQizLiCt24IIOYdpF11tXbQ3v0yU4jUuMRVQVIuIJH6jILVhsHEfMGx0rV
-a4fCLuKajJ1Uyl6WCAJdF0JNc4YIq24u86jDo8G9iGNeaX76rzGNOknt6M+AFcrU
-K/6EPaonfpg2SE87J5Adwf5OE7BepTJuFjgut9HzaxilPrbXB0Ihx9mO1oylvyWe
-XPzHEhhZI7k9OUU9HIHi8imRBSBGslIGUQIDAQABo1MwUTAdBgNVHQ4EFgQU79pY
-dKoh+Z4ZfkQrhDKT9A95GDswHwYDVR0jBBgwFoAU79pYdKoh+Z4ZfkQrhDKT9A95
-GDswDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEALvW29/xQiRYe
-6ozsV1T2ytMZZf7axXNT9tAeJpby0wNVjW7EzYwteur6OGzt+tUjuFLB41IEPUaM
-LbayR2hBkvZHJFB4R14qm9+FqJINSRfrUeiyaTxK859f6v2yCDwwGpO+08Ozx2B8
-6vQVQ70/sdBpPIRbBQFV19WH+1hTA9iRX+jgN4iC6twcLaCNgmhlbuoNKuGqzLPR
-zqgrLe3kug9/UUjSSy986wIBTyy2BsGalyy3bLcGhtGLzNbUw/+1ZcWS65xobZnY
-Sm16rP7c8xL4uysKudgeh7bpi1Ey83sLGilXTH1atpyDI+U1K5iDqnzvJDp0qIYi
-Mgb7A7cBnQ==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-----END CERTIFICATE-----
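Review bot: Subject and Issuer on this regenerated CA are still the bare CN = CARoot, the same DN used by the other CA in this directory (client-cacert.pem, proxy-cacert.pem), although the two have different keys (Subject Key Identifier DD:AC:A0:... here, 0F:46:61:... there). The regenerated leaf certificates carry only a Subject Alternative Name extension and no Authority Key Identifier, so a chain failure in ProxyWithAuthorizationTest gives no hint which CARoot was expected. Consider giving the broker CA a distinct CN, or adding authorityKeyIdentifier to the leaves in build/regenerate_certs_for_tests.sh.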
diff --git a/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/broker-cert.pem b/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/broker-cert.pem
index edd9a025176..31743d06846 100644
--- a/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/broker-cert.pem
+++ b/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/broker-cert.pem
@@ -1,13 +1,13 @@
Certificate:
Data:
- Version: 1 (0x0)
+ Version: 3 (0x2)
Serial Number:
- 0c:26:15:df:8f:71:1d:6a:31:d0:da:af:64:ef:80:de:ac:9a:46:78
+ 61:e6:1b:07:90:6a:4f:f7:cd:46:b9:59:1d:3e:1c:39:0d:f2:5e:07
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = CARoot
Validity
- Not Before: Apr 23 17:08:51 2021 GMT
- Not After : Apr 21 17:08:51 2031 GMT
+ Not Before: May 30 13:38:24 2022 GMT
+ Not After : May 27 13:38:24 2032 GMT
Subject: C = US, ST = CA, O = Apache Pulsar, OU = Broker, CN = Broker
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
@@ -32,37 +32,41 @@ Certificate:
07:f0:b0:06:4f:2c:4c:75:c2:37:ff:35:0d:b1:42:
06:0b
Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Subject Alternative Name:
+ DNS:localhost, IP Address:127.0.0.1
Signature Algorithm: sha256WithRSAEncryption
- 46:84:81:7e:4a:91:2a:c0:d7:0c:5a:a2:fb:6e:a2:e1:66:15:
- b9:b3:50:1c:93:8c:68:ba:90:42:07:2c:d1:d9:22:53:c4:e7:
- 74:a9:ac:0c:25:cb:ae:c9:a1:c9:35:49:5d:10:c6:ee:08:2a:
- 23:f3:a4:87:24:92:c4:4e:35:b8:23:8e:be:ad:8c:5b:25:df:
- 25:d4:49:8c:d6:11:bf:79:43:a2:88:7f:70:87:8c:fb:51:9a:
- 4c:73:8d:10:e7:5b:fa:fb:76:f9:88:7a:6a:d0:bf:0f:65:1e:
- 26:22:87:57:31:9a:c9:4c:62:cf:ef:00:2b:4e:2f:ee:d4:d8:
- 0d:2f:7f:2e:14:21:d5:c3:25:ce:29:a3:f0:ee:c6:3d:d2:dc:
- 7b:80:34:57:50:97:e7:79:d9:ca:39:10:73:2d:46:f4:98:de:
- ec:be:98:1a:17:12:c3:9e:1f:0d:25:c8:4e:17:a1:4a:8d:6a:
- 21:11:42:56:1a:16:79:12:e2:db:39:e1:5d:c4:2e:03:31:54:
- d9:97:53:21:bc:f0:60:e1:ba:ff:f6:a5:4b:c1:39:4f:e1:87:
- b7:63:9a:63:fa:a2:83:1c:b5:8e:fd:48:be:d5:50:40:0b:69:
- 34:81:1e:d1:ca:c5:34:ff:bc:c3:ec:22:a5:3e:ca:31:fe:43:
- 39:00:79:72
+ 8d:1d:69:d2:44:1f:af:68:30:80:c1:91:b2:2f:9a:7e:ca:ff:
+ 38:46:8e:28:59:02:2d:e7:74:c4:3c:b3:ac:b3:22:53:e9:54:
+ 3a:e2:4d:4d:65:63:47:dd:38:86:ec:d1:7d:4f:fe:5d:c6:c8:
+ c8:10:b8:33:5a:4d:9e:83:e3:92:97:c5:f1:d8:e3:97:6d:01:
+ 50:03:de:25:d8:e4:de:62:70:b8:c4:55:5b:9f:8c:61:b8:d7:
+ f0:8f:6c:2d:80:cc:b8:7b:8b:b4:54:9a:d6:e1:f9:7f:52:99:
+ 7b:ef:23:88:61:e5:7c:85:5c:57:98:cc:a6:98:4b:71:84:5c:
+ ab:5e:82:48:5a:da:5f:d6:84:b5:52:43:df:3c:0f:95:06:29:
+ 00:94:f8:98:94:6d:1c:c8:76:21:7a:2f:61:34:ab:bd:27:59:
+ d1:41:99:91:69:68:f7:b6:65:21:e8:9a:b1:9b:ac:72:12:17:
+ 54:0b:56:08:bd:9d:6b:0e:35:4a:f8:97:b6:83:00:55:96:0c:
+ 66:13:06:c9:27:5f:cc:d0:81:4b:3e:6e:d2:85:cd:79:7a:8c:
+ a0:1e:d8:9b:e4:da:e9:ba:51:f1:29:0f:69:00:df:24:a0:55:
+ 5e:cd:d0:84:c9:4a:a8:b4:12:33:29:6f:8a:8c:d7:a1:b4:8b:
+ 4a:7d:a2:30
-----BEGIN CERTIFICATE-----
-MIIC7DCCAdQCFAwmFd+PcR1qMdDar2TvgN6smkZ4MA0GCSqGSIb3DQEBCwUAMBEx
-DzANBgNVBAMMBkNBUm9vdDAeFw0yMTA0MjMxNzA4NTFaFw0zMTA0MjExNzA4NTFa
-MFQxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEChMNQXBhY2hlIFB1
-bHNhcjEPMA0GA1UECxMGQnJva2VyMQ8wDQYDVQQDEwZCcm9rZXIwggEiMA0GCSqG
-SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKd9wqEyUkyyliBhJfqJLJU9Y/B8qqCl9y
-ks236kVHcfBjT1gaPfrOpnOQwKn3JfB2de2yAxe+2IpW809qTH4DZZXlReuNR+hg
-Xp44dFBUZaDs2FxlYDQbloN9cdRdf+NiWWfo8NYkfcBuNwNUTD0MMzmbM+FSRMVD
-2uruLPMcFi5GTHyfXU1u/owjnvd+nznBcQZS9CaaItTPxSU5qdLkJMbYSkii7nYl
-yzzwv80Qd/+BEUMhzDvMEHoHhPzMAqJF3pEta9HtFxrQRvSufbOJ+DF3leVGsakx
-1tjjRwCygYHbihzZ8c3jTTX2OJEN6gfwsAZPLEx1wjf/NQ2xQgYLAgMBAAEwDQYJ
-KoZIhvcNAQELBQADggEBAEaEgX5KkSrA1wxaovtuouFmFbmzUByTjGi6kEIHLNHZ
-IlPE53SprAwly67Jock1SV0Qxu4IKiPzpIckksRONbgjjr6tjFsl3yXUSYzWEb95
-Q6KIf3CHjPtRmkxzjRDnW/r7dvmIemrQvw9lHiYih1cxmslMYs/vACtOL+7U2A0v
-fy4UIdXDJc4po/Duxj3S3HuANFdQl+d52co5EHMtRvSY3uy+mBoXEsOeHw0lyE4X
-oUqNaiERQlYaFnkS4ts54V3ELgMxVNmXUyG88GDhuv/2pUvBOU/hh7djmmP6ooMc
-tY79SL7VUEALaTSBHtHKxTT/vMPsIqU+yjH+QzkAeXI=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-----END CERTIFICATE-----
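Review bot: The Subject Alternative Name added in this hunk, "DNS:localhost, IP Address:127.0.0.1", has no entry for the IPv6 loopback. With hostname verification enforced, a connection made to the literal address ::1 is matched only against IP entries in the SAN and will be rejected, while localhost and 127.0.0.1 pass. Suggest adding an IP entry for ::1 to the subjectAltName used in the regeneration script, or stating that the tests must connect through localhost or 127.0.0.1.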
diff --git a/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/client-cacert.pem b/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/client-cacert.pem
index dc75fe9506e..127f56dd777 100644
--- a/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/client-cacert.pem
+++ b/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/client-cacert.pem
@@ -2,76 +2,76 @@ Certificate:
Data:
Version: 3 (0x2)
Serial Number:
- 33:a3:2e:28:58:0b:7a:7b:3c:71:4e:51:1d:1d:16:f5:72:3d:99:01
+ 77:4f:f6:cf:99:ca:77:e8:a7:6e:1e:fd:e2:cf:ac:a9:da:68:d2:42
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = CARoot
Validity
- Not Before: Apr 23 17:08:51 2021 GMT
- Not After : Apr 21 17:08:51 2031 GMT
+ Not Before: May 30 13:38:24 2022 GMT
+ Not After : May 27 13:38:24 2032 GMT
Subject: CN = CARoot
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
- 00:d9:06:95:38:4a:ed:0d:ef:57:12:26:5e:2f:ea:
- 3c:05:78:1e:36:90:6c:d6:8d:dc:18:e7:e0:24:d7:
- 72:ae:d3:af:6a:ff:32:1f:ee:d8:93:9e:f4:53:88:
- 0f:5d:d6:56:41:03:b9:1e:d7:d4:0d:d5:ae:27:20:
- d8:8f:e3:7d:65:79:d3:00:c9:cc:f4:ef:f5:c9:f6:
- 83:a4:45:b4:6d:11:ac:fc:55:f2:94:6b:75:74:d9:
- f7:23:b2:5a:ba:a3:21:b4:6e:5a:2d:fc:84:32:ef:
- 78:f5:d7:22:7c:e8:a8:15:aa:1d:9f:53:63:fd:77:
- f4:d7:20:cc:21:34:1c:7a:22:a9:6a:de:90:06:ae:
- 10:ff:96:21:61:9e:6d:21:f5:66:37:ef:a0:5a:a8:
- 51:5f:22:24:9f:a9:a9:b3:21:10:f4:7a:d9:ee:c3:
- 20:73:c3:48:0a:c7:98:7c:5f:04:7a:e1:eb:8c:d6:
- f0:18:d7:e9:0c:11:cd:a1:81:f4:d4:67:c0:72:0f:
- e3:90:86:92:97:bd:bc:44:df:b1:b3:6d:85:4f:6b:
- fa:bf:9e:6a:1d:9c:77:23:3b:6f:89:38:fb:45:ff:
- f5:76:b3:19:f7:7c:59:2b:07:ff:6a:4a:f5:93:4a:
- 62:ef:18:3b:ea:54:8f:2d:c2:34:c8:a3:6f:ee:f8:
- f2:a3
+ 00:b8:5e:c2:60:ed:c4:ee:3c:5b:ab:fc:64:52:f3:
+ 30:41:fc:10:5a:ac:a6:9b:0a:93:d0:d0:c9:bf:96:
+ 14:a7:cf:5c:3e:23:91:7e:54:ec:fe:2d:9f:c9:34:
+ d1:4e:95:2f:85:9c:cc:be:90:a3:a4:cb:4d:a4:72:
+ d2:84:e0:c7:42:c4:bf:70:b6:fa:d2:45:8b:83:66:
+ 1e:a4:e9:0e:06:a3:46:ea:a7:18:cd:33:b9:f1:ff:
+ 76:91:72:8f:cd:f9:93:43:c3:6e:17:1f:2d:86:df:
+ b6:fb:2d:d6:be:2d:98:ad:de:00:c7:de:f9:68:b5:
+ 40:40:56:49:ae:23:e5:a1:3b:5f:15:5a:44:50:da:
+ fb:02:d3:42:c6:87:0d:c0:8d:3a:e6:e2:aa:73:31:
+ ab:79:58:51:cd:03:80:f3:12:ce:2f:35:04:8b:39:
+ 5f:b0:cc:b8:41:99:47:c1:17:96:8b:c2:44:84:b5:
+ 21:8a:15:52:fe:1a:5a:f9:88:cc:11:17:ee:48:dd:
+ ba:bf:ed:67:6e:27:35:42:cf:07:5e:b1:8b:81:55:
+ 92:01:8e:61:fd:8e:82:74:b1:70:7a:3d:52:1f:16:
+ 78:12:bb:b5:09:62:ce:6d:18:4a:e9:f5:27:19:bc:
+ 93:4e:ed:dd:53:a8:c1:bb:48:b7:18:20:7b:79:48:
+ 48:9d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
- 86:1F:20:03:1D:EA:65:52:AA:D7:38:B7:A7:B1:DC:0A:02:F9:F2:02
+ 0F:46:61:3E:6F:71:22:E6:1F:32:37:7C:B2:81:A6:CC:DB:9D:F5:7C
X509v3 Authority Key Identifier:
- keyid:86:1F:20:03:1D:EA:65:52:AA:D7:38:B7:A7:B1:DC:0A:02:F9:F2:02
+ keyid:0F:46:61:3E:6F:71:22:E6:1F:32:37:7C:B2:81:A6:CC:DB:9D:F5:7C
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
- c3:8a:4d:5b:3a:01:28:08:cc:cd:8b:cc:37:0d:0b:0c:45:dd:
- c0:44:ee:36:9c:1d:7d:1f:b9:5a:a7:fd:9a:19:34:0f:8c:09:
- 9d:24:f1:7b:a2:22:ef:7f:f3:4f:31:e2:b8:a5:f2:ec:d5:32:
- 02:f3:10:c4:82:c4:a0:33:b0:50:53:b7:2e:3d:78:30:8e:b3:
- c1:f8:51:4d:30:5b:40:65:6f:ad:b8:99:be:d8:cc:3b:43:00:
- 2b:16:5c:9c:bd:83:24:a0:48:0d:cd:2e:29:74:a8:e6:bc:df:
- f0:7c:2c:1f:03:72:f4:47:4d:88:e6:8f:53:77:25:23:57:0a:
- 84:fb:38:e7:b0:84:57:2b:4d:5a:f0:94:34:8a:48:ca:dc:f7:
- 08:b5:d5:1e:64:b4:03:c9:f3:3d:dd:f5:27:ac:f8:2b:d5:80:
- ab:b5:b1:37:8e:ae:2f:03:c2:19:4d:37:d6:e2:76:24:a2:98:
- ed:c8:c5:d0:65:29:4d:ce:0a:bf:d0:a3:3f:f6:03:47:fa:75:
- 8c:06:22:fe:8a:13:9a:9c:17:f5:35:71:7d:66:b9:cd:ca:ac:
- 1e:c3:09:c6:76:b0:6c:2b:45:fd:5b:a9:02:7b:e8:fa:65:32:
- e3:8e:7d:25:6e:06:db:bc:fd:5b:ad:78:d3:e0:09:df:3d:9c:
- 3b:56:c5:69
+ 91:e8:d8:c4:32:2e:80:5c:d4:cb:24:7a:81:43:a9:c7:95:90:
+ 1a:2e:7a:d3:0c:5d:b6:21:05:67:4d:98:5a:0d:71:ea:80:01:
+ 95:42:fe:fa:f1:7c:dc:bd:76:ff:05:26:3b:f0:94:b3:09:2c:
+ 34:dd:43:56:46:2b:15:35:99:d9:94:54:22:cf:a6:68:b0:d1:
+ 79:e2:f0:9f:0b:02:7c:cf:1f:bd:d0:f6:49:c6:82:28:a5:c6:
+ ae:94:65:cf:fd:ad:a8:6c:c2:17:da:db:f3:be:30:1a:1b:b4:
+ 2c:fa:08:71:9d:64:09:45:02:92:02:ad:eb:15:47:14:43:5b:
+ a8:2d:1a:ec:14:93:dc:ff:bb:51:33:a3:d5:4d:e2:77:ca:e1:
+ a5:98:5c:7a:b6:10:19:d3:d7:f5:14:a5:d5:08:f1:97:18:3d:
+ 5f:a6:4e:a2:4a:0d:4b:d4:bb:56:6b:a8:44:35:62:c5:d8:c6:
+ 67:11:93:1c:22:64:3e:aa:15:08:dc:87:39:dd:f6:e0:a0:d5:
+ 00:db:27:79:3d:f4:35:7c:46:a9:fa:0c:fa:fc:74:f5:bf:f4:
+ fe:71:40:45:33:22:35:83:f7:1a:96:2a:fc:b2:33:e0:1a:e8:
+ 24:48:91:5d:90:5c:4c:93:33:4c:40:de:26:bb:24:ac:48:9b:
+ ae:fe:19:34
-----BEGIN CERTIFICATE-----
-MIIDAzCCAeugAwIBAgIUM6MuKFgLens8cU5RHR0W9XI9mQEwDQYJKoZIhvcNAQEL
-BQAwETEPMA0GA1UEAwwGQ0FSb290MB4XDTIxMDQyMzE3MDg1MVoXDTMxMDQyMTE3
-MDg1MVowETEPMA0GA1UEAwwGQ0FSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEA2QaVOErtDe9XEiZeL+o8BXgeNpBs1o3cGOfgJNdyrtOvav8yH+7Y
-k570U4gPXdZWQQO5HtfUDdWuJyDYj+N9ZXnTAMnM9O/1yfaDpEW0bRGs/FXylGt1
-dNn3I7JauqMhtG5aLfyEMu949dcifOioFaodn1Nj/Xf01yDMITQceiKpat6QBq4Q
-/5YhYZ5tIfVmN++gWqhRXyIkn6mpsyEQ9HrZ7sMgc8NICseYfF8EeuHrjNbwGNfp
-DBHNoYH01GfAcg/jkIaSl728RN+xs22FT2v6v55qHZx3IztviTj7Rf/1drMZ93xZ
-Kwf/akr1k0pi7xg76lSPLcI0yKNv7vjyowIDAQABo1MwUTAdBgNVHQ4EFgQUhh8g
-Ax3qZVKq1zi3p7HcCgL58gIwHwYDVR0jBBgwFoAUhh8gAx3qZVKq1zi3p7HcCgL5
-8gIwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAw4pNWzoBKAjM
-zYvMNw0LDEXdwETuNpwdfR+5Wqf9mhk0D4wJnSTxe6Ii73/zTzHiuKXy7NUyAvMQ
-xILEoDOwUFO3Lj14MI6zwfhRTTBbQGVvrbiZvtjMO0MAKxZcnL2DJKBIDc0uKXSo
-5rzf8HwsHwNy9EdNiOaPU3clI1cKhPs457CEVytNWvCUNIpIytz3CLXVHmS0A8nz
-Pd31J6z4K9WAq7WxN46uLwPCGU031uJ2JKKY7cjF0GUpTc4Kv9CjP/YDR/p1jAYi
-/ooTmpwX9TVxfWa5zcqsHsMJxnawbCtF/VupAnvo+mUy4459JW4G27z9W6140+AJ
-3z2cO1bFaQ==
+MIIDAzCCAeugAwIBAgIUd0/2z5nKd+inbh794s+sqdpo0kIwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGQ0FSb290MB4XDTIyMDUzMDEzMzgyNFoXDTMyMDUyNzEz
+MzgyNFowETEPMA0GA1UEAwwGQ0FSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAuF7CYO3E7jxbq/xkUvMwQfwQWqymmwqT0NDJv5YUp89cPiORflTs
+/i2fyTTRTpUvhZzMvpCjpMtNpHLShODHQsS/cLb60kWLg2YepOkOBqNG6qcYzTO5
+8f92kXKPzfmTQ8NuFx8tht+2+y3Wvi2Yrd4Ax975aLVAQFZJriPloTtfFVpEUNr7
+AtNCxocNwI065uKqczGreVhRzQOA8xLOLzUEizlfsMy4QZlHwReWi8JEhLUhihVS
+/hpa+YjMERfuSN26v+1nbic1Qs8HXrGLgVWSAY5h/Y6CdLFwej1SHxZ4Eru1CWLO
+bRhK6fUnGbyTTu3dU6jBu0i3GCB7eUhInQIDAQABo1MwUTAdBgNVHQ4EFgQUD0Zh
+Pm9xIuYfMjd8soGmzNud9XwwHwYDVR0jBBgwFoAUD0ZhPm9xIuYfMjd8soGmzNud
+9XwwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkejYxDIugFzU
+yyR6gUOpx5WQGi560wxdtiEFZ02YWg1x6oABlUL++vF83L12/wUmO/CUswksNN1D
+VkYrFTWZ2ZRUIs+maLDReeLwnwsCfM8fvdD2ScaCKKXGrpRlz/2tqGzCF9rb874w
+Ghu0LPoIcZ1kCUUCkgKt6xVHFENbqC0a7BST3P+7UTOj1U3id8rhpZhcerYQGdPX
+9RSl1Qjxlxg9X6ZOokoNS9S7VmuoRDVixdjGZxGTHCJkPqoVCNyHOd324KDVANsn
+eT30NXxGqfoM+vx09b/0/nFARTMiNYP3GpYq/LIz4BroJEiRXZBcTJMzTEDeJrsk
+rEibrv4ZNA==
-----END CERTIFICATE-----
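Review bot: The new Serial Number (77:4f:f6:...) and the new blob id 127f56dd777 on this file are the same as on proxy-cacert.pem and tls/cacert.pem, so three trust anchors that had distinct serials before this change (33:a3:..., 2d:fc:..., 7f:c3:...) are now a single CA. If ProxyWithAuthorizationTest relied on the client CA and the proxy CA being different to show that each side trusts only its own anchor, that separation is no longer exercised: a trust store pointed at the wrong file will still validate. Please confirm the merge is intended and record it in the commit message, or keep separate CAs.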
diff --git a/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/client-cert.pem b/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/client-cert.pem
index 0ac579026ef..1a21d9d4138 100644
--- a/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/client-cert.pem
+++ b/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/client-cert.pem
@@ -1,13 +1,13 @@
Certificate:
Data:
- Version: 1 (0x0)
+ Version: 3 (0x2)
Serial Number:
- 0c:26:15:df:8f:71:1d:6a:31:d0:da:af:64:ef:80:de:ac:9a:46:79
+ 61:e6:1b:07:90:6a:4f:f7:cd:46:b9:59:1d:3e:1c:39:0d:f2:5e:03
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = CARoot
Validity
- Not Before: Apr 23 17:08:51 2021 GMT
- Not After : Apr 21 17:08:51 2031 GMT
+ Not Before: May 30 13:38:24 2022 GMT
+ Not After : May 27 13:38:24 2032 GMT
Subject: C = US, ST = CA, O = Apache Pulsar, OU = Client, CN = Client
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
@@ -32,37 +32,41 @@ Certificate:
8e:18:48:4c:5f:19:e9:b0:7b:22:d3:bc:42:32:45:
9a:d1
Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Subject Alternative Name:
+ DNS:localhost, IP Address:127.0.0.1
Signature Algorithm: sha256WithRSAEncryption
- a4:bb:d2:e4:ba:17:1f:07:13:26:ac:e1:71:df:1e:d4:d7:a7:
- 31:dd:df:ce:e6:bb:11:fb:cf:a5:66:d2:fb:0e:26:90:fd:94:
- 0d:d2:d6:91:f3:65:75:ae:16:b6:92:2e:0a:41:b5:fc:ba:33:
- 57:85:92:e8:a3:30:97:d9:26:dc:e0:37:da:c5:bd:5f:e9:dd:
- db:81:cb:38:96:99:6e:d2:a5:6d:92:a8:6d:be:03:6f:a9:48:
- 4a:a1:4b:91:f9:c3:11:85:79:1e:4e:77:98:ff:43:dd:e0:f9:
- 8e:95:fe:f3:e2:eb:48:72:cf:04:fe:3d:78:b3:a8:ee:56:c8:
- 12:c8:0a:3d:70:f4:86:42:d2:b9:54:4d:07:8c:45:ad:af:b9:
- 43:c8:f9:ee:fc:5d:96:a2:b6:d5:d9:48:57:4e:b5:7d:c7:8c:
- 35:21:99:13:9a:60:42:1f:39:4a:3a:1b:3b:e5:ab:1d:91:59:
- 8a:e1:82:9e:70:79:f9:9a:6e:bb:a9:99:30:4d:93:c8:bf:95:
- 91:a1:03:a3:ac:d8:cd:80:db:89:82:a7:e6:74:8d:53:b3:a6:
- 7a:b9:ca:93:14:a2:01:08:bd:9f:4e:2d:0d:50:b3:aa:e8:a6:
- a8:43:b5:d6:a4:1c:2f:62:7a:1f:1b:92:6b:2d:fa:12:c3:1a:
- ed:8b:11:fe
+ 8b:88:90:00:1a:15:fa:11:f2:f0:35:6f:0f:f2:76:74:fc:8d:
+ bc:03:ee:a5:c5:21:17:c9:01:6b:58:93:fa:3e:7b:e0:0d:6d:
+ db:1f:2a:48:fa:15:34:66:b7:cb:be:82:c6:28:91:99:42:5a:
+ 36:b6:0b:2f:bb:85:14:88:a9:ea:dd:0a:7a:be:c4:e7:b2:2d:
+ 82:a9:37:bc:d9:5c:aa:03:2e:54:68:b1:b7:e8:d6:45:a5:8f:
+ 48:45:2c:9c:7a:55:0a:4a:07:1b:30:8a:49:6d:f4:62:b1:9e:
+ 92:0e:d9:34:44:6c:6d:e7:a3:18:bb:85:58:6d:da:20:83:d5:
+ ca:65:63:1e:3b:e6:df:7b:97:40:4f:b1:59:63:a9:b5:80:6f:
+ 97:51:53:a1:d3:29:1f:1a:26:05:17:59:3e:16:4f:5f:38:36:
+ 76:30:c6:bf:1e:3e:ed:39:83:91:31:58:01:13:59:5c:c5:e9:
+ d6:61:e0:f3:5f:c7:47:8a:5f:af:23:98:89:7b:b4:e6:f6:51:
+ 98:a0:26:31:c8:67:91:6d:d5:68:75:3d:4d:48:44:5f:3b:9c:
+ df:a7:87:a0:11:02:d2:13:5f:c1:4c:3f:3e:09:59:2e:fc:cb:
+ c2:c5:f0:f8:91:df:c3:dd:ad:c8:fc:44:23:9b:78:0d:3b:f2:
+ 82:f6:02:82
-----BEGIN CERTIFICATE-----
-MIIC7DCCAdQCFAwmFd+PcR1qMdDar2TvgN6smkZ5MA0GCSqGSIb3DQEBCwUAMBEx
-DzANBgNVBAMMBkNBUm9vdDAeFw0yMTA0MjMxNzA4NTFaFw0zMTA0MjExNzA4NTFa
-MFQxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEChMNQXBhY2hlIFB1
-bHNhcjEPMA0GA1UECxMGQ2xpZW50MQ8wDQYDVQQDEwZDbGllbnQwggEiMA0GCSqG
-SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDeHhC9ZBPBbHpJhgE7q6sd7LKTQWxsIfLm
-FRtRzq1n/Rg+f3pkomJfLgtZtO3ZFw63vFBmQbfjxHHJc3M92G00gPLjuZiPK1QU
-lbNRG9aRhc23NKJQtvGGbgcw+q5VoF35fByRUGJ9uxSGkgqsKT4oG5nKMGPcqV8F
-+Dg+MBACn8yU10fgGvQcaJY9El5YIUEs7JatnghWg3qSX0vmvQEWcCivqicdxP6y
-Cb+ltEfZWEv+QYEOokZXwTl8jeSxpyXmtN3zniTJ58CMGrSr3bkzvxHLvrsi9/yt
-xEBB1+83CBqVRR/bFF8L+Ej/QSTLXI4YSExfGemweyLTvEIyRZrRAgMBAAEwDQYJ
-KoZIhvcNAQELBQADggEBAKS70uS6Fx8HEyas4XHfHtTXpzHd387muxH7z6Vm0vsO
-JpD9lA3S1pHzZXWuFraSLgpBtfy6M1eFkuijMJfZJtzgN9rFvV/p3duByziWmW7S
-pW2SqG2+A2+pSEqhS5H5wxGFeR5Od5j/Q93g+Y6V/vPi60hyzwT+PXizqO5WyBLI
-Cj1w9IZC0rlUTQeMRa2vuUPI+e78XZaittXZSFdOtX3HjDUhmROaYEIfOUo6Gzvl
-qx2RWYrhgp5wefmabrupmTBNk8i/lZGhA6Os2M2A24mCp+Z0jVOzpnq5ypMUogEI
-vZ9OLQ1Qs6ropqhDtdakHC9ieh8bkmst+hLDGu2LEf4=
+MIIDETCCAfmgAwIBAgIUYeYbB5BqT/fNRrlZHT4cOQ3yXgMwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGQ0FSb290MB4XDTIyMDUzMDEzMzgyNFoXDTMyMDUyNzEz
+MzgyNFowVDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQKEw1BcGFj
+aGUgUHVsc2FyMQ8wDQYDVQQLEwZDbGllbnQxDzANBgNVBAMTBkNsaWVudDCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN4eEL1kE8FsekmGATurqx3sspNB
+bGwh8uYVG1HOrWf9GD5/emSiYl8uC1m07dkXDre8UGZBt+PEcclzcz3YbTSA8uO5
+mI8rVBSVs1Eb1pGFzbc0olC28YZuBzD6rlWgXfl8HJFQYn27FIaSCqwpPigbmcow
+Y9ypXwX4OD4wEAKfzJTXR+Aa9Bxolj0SXlghQSzslq2eCFaDepJfS+a9ARZwKK+q
+Jx3E/rIJv6W0R9lYS/5BgQ6iRlfBOXyN5LGnJea03fOeJMnnwIwatKvduTO/Ecu+
+uyL3/K3EQEHX7zcIGpVFH9sUXwv4SP9BJMtcjhhITF8Z6bB7ItO8QjJFmtECAwEA
+AaMeMBwwGgYDVR0RBBMwEYIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3DQEBCwUA
+A4IBAQCLiJAAGhX6EfLwNW8P8nZ0/I28A+6lxSEXyQFrWJP6PnvgDW3bHypI+hU0
+ZrfLvoLGKJGZQlo2tgsvu4UUiKnq3Qp6vsTnsi2CqTe82VyqAy5UaLG36NZFpY9I
+RSycelUKSgcbMIpJbfRisZ6SDtk0RGxt56MYu4VYbdogg9XKZWMeO+bfe5dAT7FZ
+Y6m1gG+XUVOh0ykfGiYFF1k+Fk9fODZ2MMa/Hj7tOYORMVgBE1lcxenWYeDzX8dH
+il+vI5iJe7Tm9lGYoCYxyGeRbdVodT1NSERfO5zfp4egEQLSE1/BTD8+CVku/MvC
+xfD4kd/D3a3I/EQjm3gNO/KC9gKC
-----END CERTIFICATE-----
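Review bot: The Subject Alternative Name "DNS:localhost, IP Address:127.0.0.1" is added to the client certificate as well, and it is the only extension in the new X509v3 block. Hostname verification applies to the certificate the server presents, so the client certificate does not need it; with no Extended Key Usage limiting it to client authentication, this certificate will also pass a localhost hostname check if it is ever configured as a server certificate by mistake. Suggest dropping the SAN from client-cert.pem or adding extendedKeyUsage = clientAuth when it is generated.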
diff --git a/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-cacert.pem b/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-cacert.pem
index cb22ab50573..127f56dd777 100644
--- a/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-cacert.pem
+++ b/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-cacert.pem
@@ -2,76 +2,76 @@ Certificate:
Data:
Version: 3 (0x2)
Serial Number:
- 2d:fc:78:73:ca:55:1e:32:12:3e:ef:08:24:cf:63:95:1e:ad:ea:ae
+ 77:4f:f6:cf:99:ca:77:e8:a7:6e:1e:fd:e2:cf:ac:a9:da:68:d2:42
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = CARoot
Validity
- Not Before: Apr 23 17:08:51 2021 GMT
- Not After : Apr 21 17:08:51 2031 GMT
+ Not Before: May 30 13:38:24 2022 GMT
+ Not After : May 27 13:38:24 2032 GMT
Subject: CN = CARoot
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
- 00:c3:e0:f7:5d:bb:9a:76:ee:84:c6:2d:79:3f:a6:
- 4b:3b:1f:32:31:d9:65:80:d3:02:13:23:2a:f1:2f:
- e6:ac:bc:24:d1:cb:b9:5b:ed:cb:63:fe:31:e4:e6:
- b8:f3:13:72:be:48:57:cb:d1:70:0f:67:16:6d:26:
- bc:23:1c:64:30:ee:c8:0e:0e:68:d9:43:7e:42:74:
- 7a:d4:59:a4:76:67:70:9f:85:aa:f3:9f:6c:e6:a1:
- b5:06:3c:1d:46:38:45:05:df:88:cc:3a:ad:6c:72:
- 96:69:55:d0:b2:a8:ed:fd:b8:07:6b:5c:6d:1c:0d:
- 98:c2:88:3f:59:3c:d6:6c:ab:df:dd:3a:c0:5c:fe:
- 86:74:38:bc:00:d4:f0:50:ea:f0:e6:74:23:48:6d:
- 63:77:c7:f6:e2:94:f8:1b:0f:51:98:f6:fb:e0:20:
- 58:c1:b6:a0:58:08:6f:ad:05:f7:71:90:b3:1a:5b:
- 24:88:0b:ed:71:26:aa:84:c2:21:97:76:e7:d5:77:
- 30:62:15:d4:30:5e:f9:aa:bc:7f:1f:50:5e:92:47:
- f2:92:c0:85:cf:ce:33:07:24:e9:ee:b7:04:0d:b7:
- 9f:82:ae:a0:b6:73:51:8f:fe:bd:2c:f3:b5:76:61:
- 3c:da:c6:c0:bd:44:46:6f:43:9d:47:b6:0a:80:a5:
- fe:3b
+ 00:b8:5e:c2:60:ed:c4:ee:3c:5b:ab:fc:64:52:f3:
+ 30:41:fc:10:5a:ac:a6:9b:0a:93:d0:d0:c9:bf:96:
+ 14:a7:cf:5c:3e:23:91:7e:54:ec:fe:2d:9f:c9:34:
+ d1:4e:95:2f:85:9c:cc:be:90:a3:a4:cb:4d:a4:72:
+ d2:84:e0:c7:42:c4:bf:70:b6:fa:d2:45:8b:83:66:
+ 1e:a4:e9:0e:06:a3:46:ea:a7:18:cd:33:b9:f1:ff:
+ 76:91:72:8f:cd:f9:93:43:c3:6e:17:1f:2d:86:df:
+ b6:fb:2d:d6:be:2d:98:ad:de:00:c7:de:f9:68:b5:
+ 40:40:56:49:ae:23:e5:a1:3b:5f:15:5a:44:50:da:
+ fb:02:d3:42:c6:87:0d:c0:8d:3a:e6:e2:aa:73:31:
+ ab:79:58:51:cd:03:80:f3:12:ce:2f:35:04:8b:39:
+ 5f:b0:cc:b8:41:99:47:c1:17:96:8b:c2:44:84:b5:
+ 21:8a:15:52:fe:1a:5a:f9:88:cc:11:17:ee:48:dd:
+ ba:bf:ed:67:6e:27:35:42:cf:07:5e:b1:8b:81:55:
+ 92:01:8e:61:fd:8e:82:74:b1:70:7a:3d:52:1f:16:
+ 78:12:bb:b5:09:62:ce:6d:18:4a:e9:f5:27:19:bc:
+ 93:4e:ed:dd:53:a8:c1:bb:48:b7:18:20:7b:79:48:
+ 48:9d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
- 4E:9B:EB:E2:41:17:D1:24:AF:39:02:BC:42:D6:81:B7:62:6D:E3:57
+ 0F:46:61:3E:6F:71:22:E6:1F:32:37:7C:B2:81:A6:CC:DB:9D:F5:7C
X509v3 Authority Key Identifier:
- keyid:4E:9B:EB:E2:41:17:D1:24:AF:39:02:BC:42:D6:81:B7:62:6D:E3:57
+ keyid:0F:46:61:3E:6F:71:22:E6:1F:32:37:7C:B2:81:A6:CC:DB:9D:F5:7C
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
- 16:01:53:ab:85:57:5f:92:b9:24:85:c5:70:02:fa:fe:ae:ff:
- e9:3e:36:24:6e:9e:34:dd:7c:56:f9:31:a1:d1:ae:63:af:3c:
- 2c:e5:8e:47:34:df:b0:1c:33:48:3f:e7:32:fd:a8:38:99:a6:
- ef:e1:7b:65:92:80:1e:68:e5:98:db:c5:50:4a:35:53:e5:86:
- 89:56:85:0c:6e:da:64:28:68:33:dc:29:3f:41:8b:cf:9c:ec:
- fc:74:15:19:ff:da:0a:ef:d0:51:67:97:ad:2f:e4:8a:94:52:
- 96:18:bd:77:b3:2b:79:9a:f8:de:af:0f:a2:65:c4:f2:88:3a:
- 57:79:18:e1:d8:7c:e0:52:da:35:8c:dd:d9:75:0d:72:e9:e8:
- d0:a7:a6:0b:49:88:6d:ed:86:45:25:72:15:4e:2a:0b:6f:9c:
- 2f:48:75:28:b0:aa:cd:15:7f:ae:b3:b7:ec:75:d9:63:c8:46:
- 8f:84:49:1c:e2:db:95:7b:3d:bb:fd:98:45:53:56:3c:3c:de:
- 60:16:f9:14:b8:7e:27:37:be:f0:69:b5:a0:18:bc:83:1e:c1:
- 3a:11:9b:a3:1d:1f:a6:9c:7e:c9:aa:7c:53:44:9e:1d:cb:ca:
- c8:22:7f:cc:ad:e6:fa:51:54:4d:b5:a1:e6:e3:04:4e:49:1e:
- 67:9c:93:30
+ 91:e8:d8:c4:32:2e:80:5c:d4:cb:24:7a:81:43:a9:c7:95:90:
+ 1a:2e:7a:d3:0c:5d:b6:21:05:67:4d:98:5a:0d:71:ea:80:01:
+ 95:42:fe:fa:f1:7c:dc:bd:76:ff:05:26:3b:f0:94:b3:09:2c:
+ 34:dd:43:56:46:2b:15:35:99:d9:94:54:22:cf:a6:68:b0:d1:
+ 79:e2:f0:9f:0b:02:7c:cf:1f:bd:d0:f6:49:c6:82:28:a5:c6:
+ ae:94:65:cf:fd:ad:a8:6c:c2:17:da:db:f3:be:30:1a:1b:b4:
+ 2c:fa:08:71:9d:64:09:45:02:92:02:ad:eb:15:47:14:43:5b:
+ a8:2d:1a:ec:14:93:dc:ff:bb:51:33:a3:d5:4d:e2:77:ca:e1:
+ a5:98:5c:7a:b6:10:19:d3:d7:f5:14:a5:d5:08:f1:97:18:3d:
+ 5f:a6:4e:a2:4a:0d:4b:d4:bb:56:6b:a8:44:35:62:c5:d8:c6:
+ 67:11:93:1c:22:64:3e:aa:15:08:dc:87:39:dd:f6:e0:a0:d5:
+ 00:db:27:79:3d:f4:35:7c:46:a9:fa:0c:fa:fc:74:f5:bf:f4:
+ fe:71:40:45:33:22:35:83:f7:1a:96:2a:fc:b2:33:e0:1a:e8:
+ 24:48:91:5d:90:5c:4c:93:33:4c:40:de:26:bb:24:ac:48:9b:
+ ae:fe:19:34
-----BEGIN CERTIFICATE-----
-MIIDAzCCAeugAwIBAgIULfx4c8pVHjISPu8IJM9jlR6t6q4wDQYJKoZIhvcNAQEL
-BQAwETEPMA0GA1UEAwwGQ0FSb290MB4XDTIxMDQyMzE3MDg1MVoXDTMxMDQyMTE3
-MDg1MVowETEPMA0GA1UEAwwGQ0FSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEAw+D3Xbuadu6Exi15P6ZLOx8yMdllgNMCEyMq8S/mrLwk0cu5W+3L
-Y/4x5Oa48xNyvkhXy9FwD2cWbSa8IxxkMO7IDg5o2UN+QnR61Fmkdmdwn4Wq859s
-5qG1BjwdRjhFBd+IzDqtbHKWaVXQsqjt/bgHa1xtHA2Ywog/WTzWbKvf3TrAXP6G
-dDi8ANTwUOrw5nQjSG1jd8f24pT4Gw9RmPb74CBYwbagWAhvrQX3cZCzGlskiAvt
-cSaqhMIhl3bn1XcwYhXUMF75qrx/H1BekkfyksCFz84zByTp7rcEDbefgq6gtnNR
-j/69LPO1dmE82sbAvURGb0OdR7YKgKX+OwIDAQABo1MwUTAdBgNVHQ4EFgQUTpvr
-4kEX0SSvOQK8QtaBt2Jt41cwHwYDVR0jBBgwFoAUTpvr4kEX0SSvOQK8QtaBt2Jt
-41cwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAFgFTq4VXX5K5
-JIXFcAL6/q7/6T42JG6eNN18VvkxodGuY688LOWORzTfsBwzSD/nMv2oOJmm7+F7
-ZZKAHmjlmNvFUEo1U+WGiVaFDG7aZChoM9wpP0GLz5zs/HQVGf/aCu/QUWeXrS/k
-ipRSlhi9d7MreZr43q8PomXE8og6V3kY4dh84FLaNYzd2XUNcuno0KemC0mIbe2G
-RSVyFU4qC2+cL0h1KLCqzRV/rrO37HXZY8hGj4RJHOLblXs9u/2YRVNWPDzeYBb5
-FLh+Jze+8Gm1oBi8gx7BOhGbox0fppx+yap8U0SeHcvKyCJ/zK3m+lFUTbWh5uME
-TkkeZ5yTMA==
+MIIDAzCCAeugAwIBAgIUd0/2z5nKd+inbh794s+sqdpo0kIwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGQ0FSb290MB4XDTIyMDUzMDEzMzgyNFoXDTMyMDUyNzEz
+MzgyNFowETEPMA0GA1UEAwwGQ0FSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAuF7CYO3E7jxbq/xkUvMwQfwQWqymmwqT0NDJv5YUp89cPiORflTs
+/i2fyTTRTpUvhZzMvpCjpMtNpHLShODHQsS/cLb60kWLg2YepOkOBqNG6qcYzTO5
+8f92kXKPzfmTQ8NuFx8tht+2+y3Wvi2Yrd4Ax975aLVAQFZJriPloTtfFVpEUNr7
+AtNCxocNwI065uKqczGreVhRzQOA8xLOLzUEizlfsMy4QZlHwReWi8JEhLUhihVS
+/hpa+YjMERfuSN26v+1nbic1Qs8HXrGLgVWSAY5h/Y6CdLFwej1SHxZ4Eru1CWLO
+bRhK6fUnGbyTTu3dU6jBu0i3GCB7eUhInQIDAQABo1MwUTAdBgNVHQ4EFgQUD0Zh
+Pm9xIuYfMjd8soGmzNud9XwwHwYDVR0jBBgwFoAUD0ZhPm9xIuYfMjd8soGmzNud
+9XwwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkejYxDIugFzU
+yyR6gUOpx5WQGi560wxdtiEFZ02YWg1x6oABlUL++vF83L12/wUmO/CUswksNN1D
+VkYrFTWZ2ZRUIs+maLDReeLwnwsCfM8fvdD2ScaCKKXGrpRlz/2tqGzCF9rb874w
+Ghu0LPoIcZ1kCUUCkgKt6xVHFENbqC0a7BST3P+7UTOj1U3id8rhpZhcerYQGdPX
+9RSl1Qjxlxg9X6ZOokoNS9S7VmuoRDVixdjGZxGTHCJkPqoVCNyHOd324KDVANsn
+eT30NXxGqfoM+vx09b/0/nFARTMiNYP3GpYq/LIz4BroJEiRXZBcTJMzTEDeJrsk
+rEibrv4ZNA==
-----END CERTIFICATE-----
diff --git a/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-cert.pem b/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-cert.pem
index a4c03e3c2ea..e2c1e5a230c 100644
--- a/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-cert.pem
+++ b/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-cert.pem
@@ -1,13 +1,13 @@
Certificate:
Data:
- Version: 1 (0x0)
+ Version: 3 (0x2)
Serial Number:
- 0c:26:15:df:8f:71:1d:6a:31:d0:da:af:64:ef:80:de:ac:9a:46:7a
+ 61:e6:1b:07:90:6a:4f:f7:cd:46:b9:59:1d:3e:1c:39:0d:f2:5e:04
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = CARoot
Validity
- Not Before: Apr 23 17:08:51 2021 GMT
- Not After : Apr 21 17:08:51 2031 GMT
+ Not Before: May 30 13:38:24 2022 GMT
+ Not After : May 27 13:38:24 2032 GMT
Subject: C = US, ST = CA, O = Apache Pulsar, OU = Proxy, CN = Proxy
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
@@ -32,37 +32,41 @@ Certificate:
29:e1:23:c4:ed:a0:1c:f6:2a:ed:dc:c0:df:97:a9:
f3:8d
Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Subject Alternative Name:
+ DNS:localhost, IP Address:127.0.0.1
Signature Algorithm: sha256WithRSAEncryption
- 7b:27:a8:2a:54:35:76:e5:f8:a7:60:8d:e7:35:12:69:38:f3:
- 32:af:25:0f:69:1a:b1:af:79:e5:7c:94:5c:8f:aa:76:95:54:
- 35:b4:bb:64:20:1a:91:1e:b3:e4:d1:06:72:24:c3:35:bd:9c:
- f6:54:61:d9:39:22:99:42:08:d4:97:aa:7d:82:46:fc:77:58:
- df:93:29:03:6c:ba:1c:13:d1:42:49:32:f1:38:09:d3:3e:43:
- 89:1b:61:c4:40:f3:ac:4c:c1:36:2f:28:bd:57:a0:de:35:82:
- c9:da:93:5f:09:d6:e8:5b:cd:15:45:b3:28:22:7d:48:00:c4:
- 55:0f:f6:de:d9:c2:0a:39:5e:69:a4:50:9b:3f:e1:06:44:8a:
- 13:af:0b:56:8d:70:c4:9f:d1:a2:b4:25:09:8b:19:47:e8:d2:
- 98:49:2a:a0:8b:fe:8c:cb:23:d8:f8:e6:28:c6:d9:0b:10:7c:
- d3:ce:48:07:8d:c7:56:bb:c9:e8:d7:a8:a1:24:93:bf:5f:d2:
- a9:f1:35:b7:40:ad:08:bf:89:63:e5:49:40:13:e7:1e:6a:77:
- 7f:9a:5b:07:0c:eb:80:77:b0:ac:fa:8a:9d:b8:83:53:a1:1e:
- 0e:14:2b:c9:50:96:81:c2:c0:0b:d1:c6:b6:2e:ea:98:3e:7b:
- ee:5f:09:f7
+ 8d:b6:2c:5f:87:13:06:a8:66:ce:11:2a:2c:20:1e:c7:ee:50:
+ 75:a7:d1:7c:ad:c6:ec:d1:18:d0:fa:aa:00:fa:08:f9:0f:cc:
+ df:59:9a:6b:1c:18:07:15:84:d0:9a:24:8d:dd:46:79:9c:dc:
+ 9e:3e:97:10:24:b2:9d:d4:f6:c5:79:58:87:7c:a6:af:cf:69:
+ 23:fb:43:7a:0f:4d:26:e0:e9:66:c5:ad:fa:88:e2:c5:6e:6a:
+ ce:70:0c:8f:73:01:d6:fd:a9:1f:31:49:41:17:45:22:cc:a6:
+ 71:e4:f4:0f:0f:2e:3e:49:0b:5f:04:94:36:49:fa:72:42:c9:
+ 25:75:84:9a:dc:16:cb:69:44:44:e5:3a:ff:26:f6:44:42:4c:
+ 6c:e2:56:d6:3e:bc:f2:8b:83:de:e2:91:70:65:b9:d0:dd:a3:
+ d1:de:53:27:77:13:2d:86:27:c3:40:2f:c1:a5:50:1c:5a:44:
+ 51:b4:29:11:c3:30:9d:1a:96:25:7a:d6:05:70:ad:06:0d:f2:
+ 9b:b1:b6:82:39:06:c7:7c:b2:49:04:19:e4:7e:87:b8:d8:42:
+ 1d:ab:ed:d0:b0:7f:79:6b:89:75:2f:6a:26:67:3d:33:57:5f:
+ 5a:49:52:98:3b:2a:e5:43:d7:f9:97:ca:75:cd:6f:e9:e4:66:
+ b6:d6:c2:c7
-----BEGIN CERTIFICATE-----
-MIIC6jCCAdICFAwmFd+PcR1qMdDar2TvgN6smkZ6MA0GCSqGSIb3DQEBCwUAMBEx
-DzANBgNVBAMMBkNBUm9vdDAeFw0yMTA0MjMxNzA4NTFaFw0zMTA0MjExNzA4NTFa
-MFIxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEChMNQXBhY2hlIFB1
-bHNhcjEOMAwGA1UECxMFUHJveHkxDjAMBgNVBAMTBVByb3h5MIIBIjANBgkqhkiG
-9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw1zFrRfc9NTE6hxgWiRGE9nPwM2DLi+CcOXg
-jTO9lbXPxvBU1Y29hw1ibB0/UmZ0/wYzHDzV7S5j2ZbG8ZiCx5RKvGTymzpU7IGZ
-vBSCQ4cMa9oDjKoLQdf+J8T5iIE0sf8q4G3QR93BEaVUqVMyzY/2dViOBeTZsaxp
-/rZUw602BKJ39VO2dIPVagHglrWir1CPtdedp8K9+DGGCV98CrLbNOGAJRdffW+L
-3I7V+c/P9faPav4+lgDJVrDQ40beuaaKXpuOf+oZzKJbdSI8HTZI5PIaAZVhwfB6
-J52DlnTMqQRCCFM0mC6344P58qMp4SPE7aAc9irt3MDfl6nzjQIDAQABMA0GCSqG
-SIb3DQEBCwUAA4IBAQB7J6gqVDV25finYI3nNRJpOPMyryUPaRqxr3nlfJRcj6p2
-lVQ1tLtkIBqRHrPk0QZyJMM1vZz2VGHZOSKZQgjUl6p9gkb8d1jfkykDbLocE9FC
-STLxOAnTPkOJG2HEQPOsTME2Lyi9V6DeNYLJ2pNfCdboW80VRbMoIn1IAMRVD/be
-2cIKOV5ppFCbP+EGRIoTrwtWjXDEn9GitCUJixlH6NKYSSqgi/6MyyPY+OYoxtkL
-EHzTzkgHjcdWu8no16ihJJO/X9Kp8TW3QK0Iv4lj5UlAE+ceand/mlsHDOuAd7Cs
-+oqduINToR4OFCvJUJaBwsAL0ca2LuqYPnvuXwn3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-----END CERTIFICATE-----
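Review bot: The modulus lines at the top of this hunk (29:e1:23:..., f3:8d) are unchanged context, so the proxy certificate was reissued over the existing key pair while the CA certificates in this directory received new keys. That keeps the private key files untouched, but the commit message does not mention it. A comment in build/regenerate_certs_for_tests.sh stating that leaf keys are kept and only the certificates are reissued would stop a later regeneration from leaving a key and its certificate out of step.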
diff --git a/pulsar-proxy/src/test/resources/authentication/tls/cacert.pem b/pulsar-proxy/src/test/resources/authentication/tls/cacert.pem
index b607fb9d131..127f56dd777 100644
--- a/pulsar-proxy/src/test/resources/authentication/tls/cacert.pem
+++ b/pulsar-proxy/src/test/resources/authentication/tls/cacert.pem
@@ -2,76 +2,76 @@ Certificate:
Data:
Version: 3 (0x2)
Serial Number:
- 7f:c3:12:28:23:73:86:8e:bb:d6:e6:21:43:e3:72:e8:01:17:3e:d1
+ 77:4f:f6:cf:99:ca:77:e8:a7:6e:1e:fd:e2:cf:ac:a9:da:68:d2:42
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = CARoot
Validity
- Not Before: Apr 23 17:08:51 2021 GMT
- Not After : Apr 21 17:08:51 2031 GMT
+ Not Before: May 30 13:38:24 2022 GMT
+ Not After : May 27 13:38:24 2032 GMT
Subject: CN = CARoot
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
- 00:b3:6a:94:67:7c:33:90:4e:db:b9:94:b0:a6:1a:
- 69:77:bb:33:31:fe:3c:8b:6d:8a:f1:cf:07:d9:87:
- 86:ad:45:cf:4c:e3:e7:35:d5:4b:a3:76:27:9b:30:
- b1:82:3f:57:29:c9:f0:be:25:49:25:16:64:58:cc:
- b0:f1:01:2e:19:69:52:c8:38:64:61:16:b4:a7:ba:
- 76:2b:54:e6:a5:80:6c:b6:6c:8a:3c:c1:06:c2:e1:
- c1:f3:18:6b:87:08:4b:bb:54:f4:b3:72:1d:f2:ce:
- 47:18:5f:82:d3:88:c9:39:7b:71:fc:71:1a:aa:7e:
- 55:6c:35:7f:83:c1:60:e7:7d:b1:80:d0:17:7a:ed:
- e7:0d:87:8b:59:e3:18:47:e9:cf:de:0d:0e:c6:3e:
- 5c:eb:6e:f4:43:95:31:01:2d:e8:f2:ba:8a:bf:ed:
- 82:0c:7c:14:14:13:0e:fb:ae:f0:3a:7c:29:ee:55:
- 29:ca:46:7a:be:05:9f:fa:75:65:4c:f5:fb:cf:fe:
- 92:8d:78:e2:e1:41:55:32:2c:36:a2:ac:96:43:aa:
- e2:60:5a:ff:a6:e2:3f:5b:fc:d4:d3:af:cf:78:45:
- b5:e7:6e:7d:b6:fa:c4:05:84:a6:49:a7:ac:16:8e:
- b2:17:ac:75:76:f0:29:df:c8:da:a2:01:05:25:08:
- 4d:8f
+ 00:b8:5e:c2:60:ed:c4:ee:3c:5b:ab:fc:64:52:f3:
+ 30:41:fc:10:5a:ac:a6:9b:0a:93:d0:d0:c9:bf:96:
+ 14:a7:cf:5c:3e:23:91:7e:54:ec:fe:2d:9f:c9:34:
+ d1:4e:95:2f:85:9c:cc:be:90:a3:a4:cb:4d:a4:72:
+ d2:84:e0:c7:42:c4:bf:70:b6:fa:d2:45:8b:83:66:
+ 1e:a4:e9:0e:06:a3:46:ea:a7:18:cd:33:b9:f1:ff:
+ 76:91:72:8f:cd:f9:93:43:c3:6e:17:1f:2d:86:df:
+ b6:fb:2d:d6:be:2d:98:ad:de:00:c7:de:f9:68:b5:
+ 40:40:56:49:ae:23:e5:a1:3b:5f:15:5a:44:50:da:
+ fb:02:d3:42:c6:87:0d:c0:8d:3a:e6:e2:aa:73:31:
+ ab:79:58:51:cd:03:80:f3:12:ce:2f:35:04:8b:39:
+ 5f:b0:cc:b8:41:99:47:c1:17:96:8b:c2:44:84:b5:
+ 21:8a:15:52:fe:1a:5a:f9:88:cc:11:17:ee:48:dd:
+ ba:bf:ed:67:6e:27:35:42:cf:07:5e:b1:8b:81:55:
+ 92:01:8e:61:fd:8e:82:74:b1:70:7a:3d:52:1f:16:
+ 78:12:bb:b5:09:62:ce:6d:18:4a:e9:f5:27:19:bc:
+ 93:4e:ed:dd:53:a8:c1:bb:48:b7:18:20:7b:79:48:
+ 48:9d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
- 09:93:47:8E:5F:F3:BD:19:A2:77:FD:09:BA:13:A9:B6:C6:75:4E:B0
+ 0F:46:61:3E:6F:71:22:E6:1F:32:37:7C:B2:81:A6:CC:DB:9D:F5:7C
X509v3 Authority Key Identifier:
- keyid:09:93:47:8E:5F:F3:BD:19:A2:77:FD:09:BA:13:A9:B6:C6:75:4E:B0
+ keyid:0F:46:61:3E:6F:71:22:E6:1F:32:37:7C:B2:81:A6:CC:DB:9D:F5:7C
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
- a1:52:44:1e:c0:a1:73:48:98:dd:91:b9:a7:e1:da:c5:48:65:
- d2:6d:38:77:b5:fa:f6:f7:c5:e4:b7:51:28:ea:f1:6c:9e:82:
- 80:6d:6f:56:9c:3b:31:b8:71:0e:ad:17:f9:8e:c6:7e:87:a9:
- 5f:30:1c:0e:17:c8:c7:c2:3c:96:3d:7d:01:a9:ce:d0:cd:c3:
- 55:6b:ce:64:35:53:93:c6:8c:4c:3d:0d:38:01:17:7b:e2:d8:
- b3:a5:78:46:77:fc:7e:da:16:f8:96:d0:72:35:89:c3:15:8c:
- 38:37:8b:7f:ff:01:f9:84:b2:e9:8d:11:64:82:36:e7:ef:86:
- a6:de:11:d9:78:b4:07:6c:18:89:aa:d6:6d:a2:d8:24:98:40:
- 85:5d:ba:5c:36:75:ad:e8:25:03:2d:94:69:d1:ce:d9:8f:9b:
- fd:79:5d:4b:30:7a:de:18:08:5a:54:e9:7b:7d:e2:cb:20:65:
- 99:4c:5a:31:de:c8:2c:01:b1:c8:d1:30:1d:33:bd:ef:9b:43:
- 4d:ac:7d:20:1f:c3:10:53:2e:1a:99:d5:6c:62:0e:15:b3:bd:
- 3c:88:58:88:0c:4f:06:21:b7:a4:8c:eb:9f:63:2e:5e:1d:c8:
- 91:39:9a:2b:e3:bf:e4:0a:bd:6e:4d:71:15:4d:e1:af:01:15:
- 99:38:25:12
+ 91:e8:d8:c4:32:2e:80:5c:d4:cb:24:7a:81:43:a9:c7:95:90:
+ 1a:2e:7a:d3:0c:5d:b6:21:05:67:4d:98:5a:0d:71:ea:80:01:
+ 95:42:fe:fa:f1:7c:dc:bd:76:ff:05:26:3b:f0:94:b3:09:2c:
+ 34:dd:43:56:46:2b:15:35:99:d9:94:54:22:cf:a6:68:b0:d1:
+ 79:e2:f0:9f:0b:02:7c:cf:1f:bd:d0:f6:49:c6:82:28:a5:c6:
+ ae:94:65:cf:fd:ad:a8:6c:c2:17:da:db:f3:be:30:1a:1b:b4:
+ 2c:fa:08:71:9d:64:09:45:02:92:02:ad:eb:15:47:14:43:5b:
+ a8:2d:1a:ec:14:93:dc:ff:bb:51:33:a3:d5:4d:e2:77:ca:e1:
+ a5:98:5c:7a:b6:10:19:d3:d7:f5:14:a5:d5:08:f1:97:18:3d:
+ 5f:a6:4e:a2:4a:0d:4b:d4:bb:56:6b:a8:44:35:62:c5:d8:c6:
+ 67:11:93:1c:22:64:3e:aa:15:08:dc:87:39:dd:f6:e0:a0:d5:
+ 00:db:27:79:3d:f4:35:7c:46:a9:fa:0c:fa:fc:74:f5:bf:f4:
+ fe:71:40:45:33:22:35:83:f7:1a:96:2a:fc:b2:33:e0:1a:e8:
+ 24:48:91:5d:90:5c:4c:93:33:4c:40:de:26:bb:24:ac:48:9b:
+ ae:fe:19:34
-----BEGIN CERTIFICATE-----
-MIIDAzCCAeugAwIBAgIUf8MSKCNzho671uYhQ+Ny6AEXPtEwDQYJKoZIhvcNAQEL
-BQAwETEPMA0GA1UEAwwGQ0FSb290MB4XDTIxMDQyMzE3MDg1MVoXDTMxMDQyMTE3
-MDg1MVowETEPMA0GA1UEAwwGQ0FSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEAs2qUZ3wzkE7buZSwphppd7szMf48i22K8c8H2YeGrUXPTOPnNdVL
-o3YnmzCxgj9XKcnwviVJJRZkWMyw8QEuGWlSyDhkYRa0p7p2K1TmpYBstmyKPMEG
-wuHB8xhrhwhLu1T0s3Id8s5HGF+C04jJOXtx/HEaqn5VbDV/g8Fg532xgNAXeu3n
-DYeLWeMYR+nP3g0Oxj5c6270Q5UxAS3o8rqKv+2CDHwUFBMO+67wOnwp7lUpykZ6
-vgWf+nVlTPX7z/6SjXji4UFVMiw2oqyWQ6riYFr/puI/W/zU06/PeEW15259tvrE
-BYSmSaesFo6yF6x1dvAp38jaogEFJQhNjwIDAQABo1MwUTAdBgNVHQ4EFgQUCZNH
-jl/zvRmid/0JuhOptsZ1TrAwHwYDVR0jBBgwFoAUCZNHjl/zvRmid/0JuhOptsZ1
-TrAwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAoVJEHsChc0iY
-3ZG5p+HaxUhl0m04d7X69vfF5LdRKOrxbJ6CgG1vVpw7MbhxDq0X+Y7GfoepXzAc
-DhfIx8I8lj19AanO0M3DVWvOZDVTk8aMTD0NOAEXe+LYs6V4Rnf8ftoW+JbQcjWJ
-wxWMODeLf/8B+YSy6Y0RZII25++Gpt4R2Xi0B2wYiarWbaLYJJhAhV26XDZ1regl
-Ay2UadHO2Y+b/XldSzB63hgIWlTpe33iyyBlmUxaMd7ILAGxyNEwHTO975tDTax9
-IB/DEFMuGpnVbGIOFbO9PIhYiAxPBiG3pIzrn2MuXh3IkTmaK+O/5Aq9bk1xFU3h
-rwEVmTglEg==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-----END CERTIFICATE-----
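Review bot: the Modulus and Subject Key Identifier change together with the serial in this hunk, so the CARoot key pair was regenerated, not just re-issued with new dates. Every leaf certificate in the test resources that chains to the old CARoot has to be re-signed in the same run, otherwise chain validation fails before hostname verification is reached. Please confirm that build/regenerate_certs_for_tests.sh covers every directory that carries a copy of this cacert.pem, and add a comment there saying the CA and its leaves must be regenerated together.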
diff --git a/pulsar-proxy/src/test/resources/authentication/tls/client-cert.pem b/pulsar-proxy/src/test/resources/authentication/tls/client-cert.pem
index 0fc458dbe53..192d686246f 100644
--- a/pulsar-proxy/src/test/resources/authentication/tls/client-cert.pem
+++ b/pulsar-proxy/src/test/resources/authentication/tls/client-cert.pem
@@ -1,13 +1,13 @@
Certificate:
Data:
- Version: 1 (0x0)
+ Version: 3 (0x2)
Serial Number:
- 0c:26:15:df:8f:71:1d:6a:31:d0:da:af:64:ef:80:de:ac:9a:46:74
+ 61:e6:1b:07:90:6a:4f:f7:cd:46:b9:59:1d:3e:1c:39:0d:f2:5e:01
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = CARoot
Validity
- Not Before: Apr 23 17:08:51 2021 GMT
- Not After : Apr 21 17:08:51 2031 GMT
+ Not Before: May 30 13:38:24 2022 GMT
+ Not After : May 27 13:38:24 2032 GMT
Subject: C = US, ST = CA, O = Apache, OU = Apache Pulsar, CN = superUser
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
@@ -32,37 +32,41 @@ Certificate:
b6:98:ef:dd:03:82:58:a3:32:dc:90:a1:b6:a6:1e:
e1:0b
Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Subject Alternative Name:
+ DNS:localhost, IP Address:127.0.0.1
Signature Algorithm: sha256WithRSAEncryption
- 33:40:2a:38:48:99:a0:fe:68:4d:07:3b:08:ae:af:a1:7c:ea:
- 70:ab:a7:c8:32:b4:ff:9f:5a:51:3b:2b:a2:aa:21:75:44:7d:
- be:e7:fb:08:b9:81:e5:4c:cf:01:86:f9:06:63:4f:ce:7a:1d:
- cb:1e:9e:8f:d5:0a:54:53:69:91:05:10:2c:b0:4f:d4:3a:b5:
- 25:0e:25:4c:eb:67:64:d7:85:29:77:63:30:da:2a:77:3f:59:
- c2:8c:e9:02:57:49:93:3a:51:91:1a:b2:59:4d:d5:69:c9:9d:
- cc:e2:4f:b2:6c:5b:ba:45:68:c7:f5:18:f4:1d:b8:0c:eb:fd:
- 0a:cf:10:5d:dc:3e:26:49:03:33:37:40:f7:96:88:82:99:5c:
- 38:8d:cc:3b:de:b5:b9:ee:f9:ac:ae:ce:03:9a:1e:a7:f8:02:
- 73:2e:af:e7:b0:22:cb:3d:a3:ca:85:16:e9:e6:e2:d6:bf:1c:
- 1a:4c:ea:14:49:52:84:67:38:97:c7:b3:30:72:cc:c6:08:e5:
- 40:0a:87:da:19:98:26:4f:0b:54:43:a2:a0:ea:51:b2:23:88:
- d2:b4:0e:82:4f:02:92:a4:fb:27:e2:06:15:76:e7:27:f2:a2:
- e4:23:7b:24:ca:e6:80:93:2b:cd:54:ca:1b:9b:fd:d9:59:d1:
- 96:31:25:7b
+ 96:c2:23:2d:46:d0:3d:23:0e:ab:3d:b6:1e:31:96:00:eb:ae:
+ 17:ac:6e:c0:d4:1a:8d:0f:36:63:27:02:49:4e:24:cf:d3:80:
+ 88:3a:4f:d0:f1:e5:1c:df:2d:8a:ab:ae:8d:48:77:a0:d0:dc:
+ d5:80:1c:a1:3d:0d:49:64:bf:cb:39:84:c9:f3:5d:e0:2d:ba:
+ a0:f2:ac:03:85:44:a1:97:6b:0b:de:ed:a7:49:19:46:b2:18:
+ 49:21:62:43:52:36:6f:47:6c:21:6b:5e:41:85:28:71:6c:22:
+ 27:35:76:82:ed:ac:ad:d7:fa:9d:4c:7d:6f:44:7e:06:dd:8a:
+ 11:32:0c:d9:d0:f6:63:2a:40:ae:0d:5a:df:9e:d7:91:8a:db:
+ 2d:95:f3:19:f0:8f:1e:34:e3:b2:31:67:38:74:fd:3f:e6:49:
+ 5e:53:eb:88:ae:b1:45:71:0e:67:97:3c:99:4e:c7:ea:1e:02:
+ 67:b4:54:ef:4f:10:55:4a:70:c0:eb:41:e4:50:d4:48:5e:70:
+ c5:0f:79:f2:06:3d:35:ea:ce:5d:13:8e:14:65:fc:98:21:16:
+ 2d:5d:6d:f8:e0:6b:c7:c6:e4:8a:ca:c9:38:1f:93:27:86:28:
+ ef:96:e7:ad:6c:4a:9e:10:78:48:00:f4:4a:43:dc:87:1d:e3:
+ d3:39:53:68
-----BEGIN CERTIFICATE-----
-MIIC7zCCAdcCFAwmFd+PcR1qMdDar2TvgN6smkZ0MA0GCSqGSIb3DQEBCwUAMBEx
-DzANBgNVBAMMBkNBUm9vdDAeFw0yMTA0MjMxNzA4NTFaFw0zMTA0MjExNzA4NTFa
-MFcxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEPMA0GA1UEChMGQXBhY2hlMRYw
-FAYDVQQLEw1BcGFjaGUgUHVsc2FyMRIwEAYDVQQDEwlzdXBlclVzZXIwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNQ32YQPmwW7yu28ALrSaQluBiOO1o
-sXBGO95E+RRRhhDrypDniOj5kYXg3bW0FLl444bVVG1o7BSStPgiWwU97TElZQgF
-hMrmDCESWDLHGmCjT9JKnigZfEWEAIyJ3N6K5U+Ikcyk8YFFTH3C/+LBicYSc5Xi
-Nr3brotaaGqQUd4riF+qZ/So42PcvhmCzJ1/5o37gr4iAT1WEztbBLToxRjmLg36
-ukqN6MZaoVGaSmLXr920/OLVza6ZbFxhVgvXDBp3XPU6alS1njOsqXUomnav0HpX
-ABuREzH9QoghRwUQAS9Zu8c62eFYTBtscbaY790DglijMtyQobamHuELAgMBAAEw
-DQYJKoZIhvcNAQELBQADggEBADNAKjhImaD+aE0HOwiur6F86nCrp8gytP+fWlE7
-K6KqIXVEfb7n+wi5geVMzwGG+QZjT856Hcseno/VClRTaZEFECywT9Q6tSUOJUzr
-Z2TXhSl3YzDaKnc/WcKM6QJXSZM6UZEasllN1WnJncziT7JsW7pFaMf1GPQduAzr
-/QrPEF3cPiZJAzM3QPeWiIKZXDiNzDvetbnu+ayuzgOaHqf4AnMur+ewIss9o8qF
-Funm4ta/HBpM6hRJUoRnOJfHszByzMYI5UAKh9oZmCZPC1RDoqDqUbIjiNK0DoJP
-ApKk+yfiBhV25yfyouQjeyTK5oCTK81Uyhub/dlZ0ZYxJXs=
+MIIDFDCCAfygAwIBAgIUYeYbB5BqT/fNRrlZHT4cOQ3yXgEwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGQ0FSb290MB4XDTIyMDUzMDEzMzgyNFoXDTMyMDUyNzEz
+MzgyNFowVzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMQ8wDQYDVQQKEwZBcGFj
+aGUxFjAUBgNVBAsTDUFwYWNoZSBQdWxzYXIxEjAQBgNVBAMTCXN1cGVyVXNlcjCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM1DfZhA+bBbvK7bwAutJpCW
+4GI47WixcEY73kT5FFGGEOvKkOeI6PmRheDdtbQUuXjjhtVUbWjsFJK0+CJbBT3t
+MSVlCAWEyuYMIRJYMscaYKNP0kqeKBl8RYQAjInc3orlT4iRzKTxgUVMfcL/4sGJ
+xhJzleI2vduui1poapBR3iuIX6pn9KjjY9y+GYLMnX/mjfuCviIBPVYTO1sEtOjF
+GOYuDfq6So3oxlqhUZpKYtev3bT84tXNrplsXGFWC9cMGndc9TpqVLWeM6ypdSia
+dq/QelcAG5ETMf1CiCFHBRABL1m7xzrZ4VhMG2xxtpjv3QOCWKMy3JChtqYe4QsC
+AwEAAaMeMBwwGgYDVR0RBBMwEYIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3DQEB
+CwUAA4IBAQCWwiMtRtA9Iw6rPbYeMZYA664XrG7A1BqNDzZjJwJJTiTP04CIOk/Q
+8eUc3y2Kq66NSHeg0NzVgByhPQ1JZL/LOYTJ813gLbqg8qwDhUShl2sL3u2nSRlG
+shhJIWJDUjZvR2wha15BhShxbCInNXaC7ayt1/qdTH1vRH4G3YoRMgzZ0PZjKkCu
+DVrfnteRitstlfMZ8I8eNOOyMWc4dP0/5kleU+uIrrFFcQ5nlzyZTsfqHgJntFTv
+TxBVSnDA60HkUNRIXnDFD3nyBj016s5dE44UZfyYIRYtXW344GvHxuSKysk4H5Mn
+hijvluetbEqeEHhIAPRKQ9yHHePTOVNo
-----END CERTIFICATE-----
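Review bot: in the added "X509v3 extensions" block, the client certificate (Subject CN = superUser) gets the same "DNS:localhost, IP Address:127.0.0.1" Subject Alternative Name as the server certificate, and no Extended Key Usage is set. Hostname verification only evaluates the certificate presented by the server, so the SAN is not needed on this file, and with it the certificate would also match localhost if a test configured it as a server certificate by mistake. Consider leaving the SAN off client certificates, or adding extendedKeyUsage = clientAuth in the regeneration script, so the two roles stay distinct in the fixtures.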
diff --git a/pulsar-proxy/src/test/resources/authentication/tls/server-cert.pem b/pulsar-proxy/src/test/resources/authentication/tls/server-cert.pem
index 0f8bc17b9ed..c09434c85d2 100644
--- a/pulsar-proxy/src/test/resources/authentication/tls/server-cert.pem
+++ b/pulsar-proxy/src/test/resources/authentication/tls/server-cert.pem
@@ -1,13 +1,13 @@
Certificate:
Data:
- Version: 1 (0x0)
+ Version: 3 (0x2)
Serial Number:
- 0c:26:15:df:8f:71:1d:6a:31:d0:da:af:64:ef:80:de:ac:9a:46:75
+ 61:e6:1b:07:90:6a:4f:f7:cd:46:b9:59:1d:3e:1c:39:0d:f2:5e:02
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = CARoot
Validity
- Not Before: Apr 23 17:08:51 2021 GMT
- Not After : Apr 21 17:08:51 2031 GMT
+ Not Before: May 30 13:38:24 2022 GMT
+ Not After : May 27 13:38:24 2032 GMT
Subject: C = US, ST = CA, O = Apache, OU = Apache Pulsar, CN = localhost
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
@@ -32,37 +32,41 @@ Certificate:
a0:1a:81:9d:d2:e1:66:dd:c4:cc:fc:63:04:ac:ec:
a7:35
Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Subject Alternative Name:
+ DNS:localhost, IP Address:127.0.0.1
Signature Algorithm: sha256WithRSAEncryption
- 81:a7:27:69:49:e6:1b:c0:f2:a6:10:c2:ef:c7:64:27:69:53:
- 3c:bd:8e:7c:b7:b8:bd:2a:02:d4:ab:4b:f3:7b:25:e8:1e:d8:
- 3d:88:00:04:6c:a0:da:67:57:65:5d:a2:b6:1d:9a:8c:c7:bd:
- 27:53:78:6a:61:3f:61:c1:23:d5:34:65:f1:49:ec:20:5d:f1:
- 01:90:99:e8:e6:99:17:ae:c3:ed:e5:da:c4:f1:8c:89:e8:38:
- c1:01:e0:84:27:bf:01:f5:ee:62:87:55:6c:63:fc:45:12:d3:
- 2f:f7:e2:b9:f0:33:d0:84:1e:6b:23:7b:3e:ae:25:f6:ff:11:
- 12:f4:12:63:b6:88:5d:01:aa:ce:c9:e4:d8:78:a2:2d:4c:9a:
- 50:4d:57:80:6a:4b:2d:19:4c:61:21:6a:7a:06:2b:cf:82:ae:
- f3:61:b0:ef:62:ae:3b:2d:2d:0d:c8:da:75:49:72:5a:1c:8b:
- 15:c2:bb:07:5b:37:81:f6:42:e4:84:29:4c:cb:fc:4d:e1:86:
- 9b:86:af:1f:03:08:58:b0:15:4c:72:fd:e6:62:e2:b2:37:ca:
- eb:a4:67:ec:12:8f:95:57:d7:e7:cf:fe:b5:f9:4a:55:66:c4:
- 2f:af:e9:65:a9:54:a8:9d:1a:1e:9a:9e:ec:60:bf:b5:ef:2b:
- b6:d5:02:e9
+ 88:89:d7:52:b3:61:49:73:7d:ee:aa:6f:47:11:cd:52:f1:ef:
+ 9a:63:5f:43:a9:4f:66:c8:36:dd:44:24:ba:4f:c3:6c:94:90:
+ 85:5e:29:fb:65:cf:03:3b:37:16:5e:88:07:70:97:54:93:f0:
+ f3:09:d7:65:60:09:00:fd:7f:dd:6a:ab:25:3a:30:c4:89:34:
+ 43:82:f6:f5:f4:2d:39:3d:21:90:c4:00:27:c5:6a:23:41:20:
+ c6:42:35:56:91:17:fa:31:90:09:6a:4c:e4:a7:53:ae:61:b6:
+ d3:5b:82:71:08:d0:0b:af:34:0f:9b:bd:bc:8c:1c:31:43:43:
+ 97:82:9a:ac:2a:53:ca:11:ce:6f:64:ac:86:c1:f0:62:14:aa:
+ c3:dd:15:5b:1c:02:6f:bb:40:87:17:b7:e5:9d:93:9a:51:c9:
+ 1e:7a:8c:d1:22:75:44:f1:9d:90:4b:3e:1f:6c:ab:6f:e3:be:
+ cd:c7:15:9d:04:84:4a:1b:a7:ac:64:5d:d7:3e:23:98:b9:49:
+ dd:85:dd:80:4c:46:08:9b:f5:df:eb:19:c8:57:70:ac:43:f9:
+ d6:9c:1b:1b:2a:94:cf:c1:35:56:a2:f4:b1:00:5d:9e:1e:36:
+ 54:72:ab:aa:ef:49:b2:f0:dc:cf:5b:22:51:bf:e4:c9:57:dc:
+ d0:48:0d:f2
-----BEGIN CERTIFICATE-----
-MIIC7zCCAdcCFAwmFd+PcR1qMdDar2TvgN6smkZ1MA0GCSqGSIb3DQEBCwUAMBEx
-DzANBgNVBAMMBkNBUm9vdDAeFw0yMTA0MjMxNzA4NTFaFw0zMTA0MjExNzA4NTFa
-MFcxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEPMA0GA1UEChMGQXBhY2hlMRYw
-FAYDVQQLEw1BcGFjaGUgUHVsc2FyMRIwEAYDVQQDEwlsb2NhbGhvc3QwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvv7ctmK2d9tqjE9RiD5i+HKKJIrpv
-1f0fZ+ORA5iAgQ7t2PZwfyw2aD1T6lg6ptWJZku9HldxE21LEeVApXaEJJJAWICW
-yR8sxFXro3lzcFw3montL7pr44J8aUoCVIuBXjy/TIrL6ixeg+e3EAhfglijidHa
-kroqKO4wKD9brhBxlsfhEsWwGq1Eb0Q6EUqaPA+NBoB7NO8/bPRexURUHsjdx4CF
-gNlo5sZTA3fh/hhhB3cFTO1ZvF1BOGrvXaGyYJjUSCiVAooO/c97G9IRzBAMUHPX
-zDhsg915JqqQyJuEhrxZ6WJp9JgbxIB4fqAagZ3S4WbdxMz8YwSs7Kc1AgMBAAEw
-DQYJKoZIhvcNAQELBQADggEBAIGnJ2lJ5hvA8qYQwu/HZCdpUzy9jny3uL0qAtSr
-S/N7Jege2D2IAARsoNpnV2VdorYdmozHvSdTeGphP2HBI9U0ZfFJ7CBd8QGQmejm
-mReuw+3l2sTxjInoOMEB4IQnvwH17mKHVWxj/EUS0y/34rnwM9CEHmsjez6uJfb/
-ERL0EmO2iF0Bqs7J5Nh4oi1MmlBNV4BqSy0ZTGEhanoGK8+CrvNhsO9irjstLQ3I
-2nVJclocixXCuwdbN4H2QuSEKUzL/E3hhpuGrx8DCFiwFUxy/eZi4rI3yuukZ+wS
-j5VX1+fP/rX5SlVmxC+v6WWpVKidGh6anuxgv7XvK7bVAuk=
+MIIDFDCCAfygAwIBAgIUYeYbB5BqT/fNRrlZHT4cOQ3yXgIwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGQ0FSb290MB4XDTIyMDUzMDEzMzgyNFoXDTMyMDUyNzEz
+MzgyNFowVzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMQ8wDQYDVQQKEwZBcGFj
+aGUxFjAUBgNVBAsTDUFwYWNoZSBQdWxzYXIxEjAQBgNVBAMTCWxvY2FsaG9zdDCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK+/ty2YrZ322qMT1GIPmL4c
+ookium/V/R9n45EDmICBDu3Y9nB/LDZoPVPqWDqm1YlmS70eV3ETbUsR5UCldoQk
+kkBYgJbJHyzEVeujeXNwXDeaie0vumvjgnxpSgJUi4FePL9MisvqLF6D57cQCF+C
+WKOJ0dqSuioo7jAoP1uuEHGWx+ESxbAarURvRDoRSpo8D40GgHs07z9s9F7FRFQe
+yN3HgIWA2WjmxlMDd+H+GGEHdwVM7Vm8XUE4au9dobJgmNRIKJUCig79z3sb0hHM
+EAxQc9fMOGyD3XkmqpDIm4SGvFnpYmn0mBvEgHh+oBqBndLhZt3EzPxjBKzspzUC
+AwEAAaMeMBwwGgYDVR0RBBMwEYIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3DQEB
+CwUAA4IBAQCIiddSs2FJc33uqm9HEc1S8e+aY19DqU9myDbdRCS6T8NslJCFXin7
+Zc8DOzcWXogHcJdUk/DzCddlYAkA/X/daqslOjDEiTRDgvb19C05PSGQxAAnxWoj
+QSDGQjVWkRf6MZAJakzkp1OuYbbTW4JxCNALrzQPm728jBwxQ0OXgpqsKlPKEc5v
+ZKyGwfBiFKrD3RVbHAJvu0CHF7flnZOaUckeeozRInVE8Z2QSz4fbKtv477NxxWd
+BIRKG6esZF3XPiOYuUndhd2ATEYIm/Xf6xnIV3CsQ/nWnBsbKpTPwTVWovSxAF2e
+HjZUcquq70my8NzPWyJRv+TJV9zQSA3y
-----END CERTIFICATE-----
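Review bot: the added SAN line "DNS:localhost, IP Address:127.0.0.1" covers the IPv4 loopback only, and once a dNSName SAN is present the standard HTTPS endpoint identification no longer falls back to the Subject CN. Any test that connects to the server by the IPv6 loopback (::1) or by a hostname other than localhost will now fail hostname verification against this certificate. If any test binds or resolves to ::1, add "IP:::1" to the subjectAltName used when generating the fixtures; otherwise a short comment in the script stating that tests must connect via localhost or 127.0.0.1 would save the next person a debugging session.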