You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@activemq.apache.org by cl...@apache.org on 2021/03/24 13:08:43 UTC
[activemq-artemis] branch master updated (7bd2a4d -> 186481b)
This is an automated email from the ASF dual-hosted git repository.
clebertsuconic pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/activemq-artemis.git.
from 7bd2a4d ARTEMIS-3045 NettyConnection should null-check Netty buffer
new 4f4231f ARTEMIS-3156 Better support for PKCS #11
new 186481b ARTEMIS-3155 differentiate SSL store type and provider
The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
.../artemis/cli/factory/jmx/ManagementFactory.java | 6 +
.../FederationDownstreamConfiguration.java | 2 +
.../core/impl/BackwardsCompatibilityUtils.java | 6 +
.../core/remoting/impl/netty/NettyConnector.java | 32 +-
.../remoting/impl/netty/TransportConstants.java | 16 +-
.../artemis/core/remoting/impl/ssl/SSLSupport.java | 45 ++-
.../spi/core/remoting/ssl/SSLContextConfig.java | 54 +++-
.../spi/core/remoting/ssl/SSLContextFactory.java | 9 +-
.../remoting/ssl/SSLContextFactoryProvider.java | 4 +-
.../activemq/artemis/dto/JMXConnectorDTO.java | 14 +
.../core/config/JMXConnectorConfiguration.java | 24 +-
.../core/remoting/impl/netty/NettyAcceptor.java | 44 ++-
.../artemis/core/server/ActiveMQServerLogger.java | 5 +
.../server/management/ConnectorServerFactory.java | 22 ++
.../server/management/ManagementConnector.java | 2 +
docs/user-manual/en/configuring-transports.md | 47 ++-
.../integration/jms/SimpleJNDIClientTest.java | 4 +
.../tests/integration/security/SecurityTest.java | 2 +-
.../ssl/CoreClientOverOneWaySSLTest.java | 141 ++++++---
.../ssl/CoreClientOverTwoWayOpenSSLServerTest.java | 319 -------------------
.../ssl/CoreClientOverTwoWayOpenSSLTest.java | 351 ---------------------
.../ssl/CoreClientOverTwoWaySSLTest.java | 150 +++++++--
.../tests/integration/ssl/SSLProviderTest.java | 2 +-
.../integration/ssl/SSLProviderTwoWayTest.java | 4 +-
.../artemis/tests/integration/ssl/SSLTestBase.java | 2 +-
.../core/remoting/impl/ssl/SSLSupportTest.java | 89 ++++--
.../test/resources/bad-client-side-keystore.jks | Bin 1277 -> 2226 bytes
.../src/test/resources/client-side-keystore.jceks | Bin 1277 -> 2233 bytes
.../src/test/resources/client-side-keystore.jks | Bin 1303 -> 2253 bytes
.../src/test/resources/client-side-keystore.p12 | Bin 2589 -> 2589 bytes
.../test/resources/client-side-truststore.jceks | Bin 897 -> 963 bytes
.../src/test/resources/client-side-truststore.jks | Bin 963 -> 963 bytes
.../src/test/resources/client-side-truststore.p12 | Bin 1194 -> 1194 bytes
.../resources/openssl-client-side-keystore.jceks | Bin 683 -> 684 bytes
.../resources/openssl-client-side-keystore.jks | Bin 706 -> 706 bytes
.../resources/openssl-client-side-keystore.p12 | Bin 0 -> 1034 bytes
.../resources/openssl-client-side-truststore.jceks | Bin 572 -> 571 bytes
.../resources/openssl-client-side-truststore.jks | Bin 572 -> 572 bytes
.../resources/openssl-client-side-truststore.p12 | Bin 0 -> 802 bytes
.../resources/openssl-server-side-keystore.jceks | Bin 684 -> 685 bytes
.../resources/openssl-server-side-keystore.jks | Bin 707 -> 707 bytes
.../resources/openssl-server-side-keystore.p12 | Bin 0 -> 1034 bytes
.../resources/openssl-server-side-truststore.jceks | Bin 571 -> 570 bytes
.../resources/openssl-server-side-truststore.jks | Bin 571 -> 571 bytes
.../resources/openssl-server-side-truststore.p12 | Bin 0 -> 802 bytes
.../resources/other-client-side-truststore.jceks | Bin 908 -> 975 bytes
.../resources/other-client-side-truststore.jks | Bin 975 -> 975 bytes
.../resources/other-client-side-truststore.p12 | Bin 1202 -> 1202 bytes
.../resources/other-server-side-keystore.jceks | Bin 1288 -> 2245 bytes
.../test/resources/other-server-side-keystore.jks | Bin 2264 -> 2265 bytes
.../test/resources/other-server-side-keystore.p12 | Bin 2605 -> 2605 bytes
.../src/test/resources/server-side-keystore.jceks | Bin 1277 -> 2233 bytes
.../src/test/resources/server-side-keystore.jks | Bin 2253 -> 2254 bytes
.../src/test/resources/server-side-keystore.p12 | Bin 2589 -> 2589 bytes
.../test/resources/server-side-truststore.jceks | Bin 897 -> 963 bytes
.../src/test/resources/server-side-truststore.jks | Bin 1732 -> 1866 bytes
.../src/test/resources/server-side-truststore.p12 | Bin 1194 -> 1194 bytes
.../resources/verified-client-side-keystore.jceks | Bin 2222 -> 2222 bytes
.../resources/verified-client-side-keystore.jks | Bin 2242 -> 2270 bytes
.../resources/verified-client-side-keystore.p12 | Bin 2581 -> 2581 bytes
.../verified-client-side-truststore.jceks | Bin 868 -> 935 bytes
.../resources/verified-client-side-truststore.jks | Bin 935 -> 935 bytes
.../resources/verified-client-side-truststore.p12 | Bin 1162 -> 1162 bytes
.../verified-openssl-client-side-keystore.jceks | Bin 674 -> 673 bytes
.../verified-openssl-client-side-keystore.jks | Bin 695 -> 695 bytes
.../verified-openssl-client-side-keystore.p12 | Bin 0 -> 1026 bytes
.../verified-openssl-server-side-truststore.jceks | Bin 560 -> 559 bytes
.../verified-openssl-server-side-truststore.jks | Bin 560 -> 560 bytes
.../verified-openssl-server-side-truststore.p12 | Bin 0 -> 794 bytes
.../resources/verified-server-side-keystore.jceks | Bin 1248 -> 2205 bytes
.../resources/verified-server-side-keystore.jks | Bin 2225 -> 2227 bytes
.../resources/verified-server-side-keystore.p12 | Bin 2565 -> 2565 bytes
.../verified-server-side-truststore.jceks | Bin 952 -> 952 bytes
.../resources/verified-server-side-truststore.jks | Bin 952 -> 980 bytes
.../resources/verified-server-side-truststore.p12 | Bin 1186 -> 1186 bytes
75 files changed, 580 insertions(+), 816 deletions(-)
delete mode 100644 tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWayOpenSSLServerTest.java
delete mode 100644 tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWayOpenSSLTest.java
create mode 100644 tests/unit-tests/src/test/resources/openssl-client-side-keystore.p12
create mode 100644 tests/unit-tests/src/test/resources/openssl-client-side-truststore.p12
create mode 100644 tests/unit-tests/src/test/resources/openssl-server-side-keystore.p12
create mode 100644 tests/unit-tests/src/test/resources/openssl-server-side-truststore.p12
create mode 100644 tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.p12
create mode 100644 tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.p12
[activemq-artemis] 01/02: ARTEMIS-3156 Better support for PKCS #11
Posted by cl...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
clebertsuconic pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/activemq-artemis.git
commit 4f4231f6297e05b9c23cf61053def796ff4e729d
Author: dhawkins <dh...@redhat.com>
AuthorDate: Sat Feb 13 19:00:31 2021 -0500
ARTEMIS-3156 Better support for PKCS #11
---
.../artemis/core/remoting/impl/ssl/SSLSupport.java | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/ssl/SSLSupport.java b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/ssl/SSLSupport.java
index 8e59b06..1fc14ac 100644
--- a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/ssl/SSLSupport.java
+++ b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/ssl/SSLSupport.java
@@ -52,10 +52,12 @@ import org.apache.activemq.artemis.utils.ClassloadingUtil;
/**
* Please note, this class supports PKCS#11 keystores, but there are no specific tests in the ActiveMQ Artemis test-suite to
* validate/verify this works because this requires a functioning PKCS#11 provider which is not available by default
- * (see java.security.Security#getProviders()). The main thing to keep in mind is that PKCS#11 keystores will have a
- * null keystore path.
+ * (see java.security.Security#getProviders()). The main thing to keep in mind is that PKCS#11 keystores will either use
+ * null, and empty string, or NONE for their keystore path.
*/
public class SSLSupport {
+
+ public static final String NONE = "NONE";
private String keystoreProvider = TransportConstants.DEFAULT_KEYSTORE_PROVIDER;
private String keystorePath = TransportConstants.DEFAULT_KEYSTORE_PATH;
private String keystorePassword = TransportConstants.DEFAULT_KEYSTORE_PASSWORD;
@@ -222,7 +224,7 @@ public class SSLSupport {
} else if (trustAll) {
//This is useful for testing but not should be used outside of that purpose
return InsecureTrustManagerFactory.INSTANCE;
- } else if (truststorePath == null && (truststoreProvider == null || !"PKCS11".equals(truststoreProvider.toUpperCase()))) {
+ } else if ((truststorePath == null || truststorePath.isEmpty() || truststorePath.equalsIgnoreCase(NONE)) && (truststoreProvider == null || !truststoreProvider.toUpperCase().contains("PKCS11"))) {
return null;
} else {
TrustManagerFactory trustMgrFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
@@ -271,10 +273,16 @@ public class SSLSupport {
private static KeyStore loadKeystore(final String keystoreProvider,
final String keystorePath,
final String keystorePassword) throws Exception {
- KeyStore ks = KeyStore.getInstance(keystoreProvider);
+ KeyStore ks;
+ if (keystorePath == null|| keystorePath.isEmpty() || keystorePath.equalsIgnoreCase(NONE)) {
+ ks = KeyStore.getInstance(keystoreProvider, "PKCS11");
+ } else {
+ ks = KeyStore.getInstance(keystoreProvider);
+ }
+
InputStream in = null;
try {
- if (keystorePath != null) {
+ if (keystorePath != null && !keystorePath.isEmpty() && !keystorePath.equalsIgnoreCase(NONE)) {
URL keystoreURL = SSLSupport.validateStoreURL(keystorePath);
in = keystoreURL.openStream();
}
@@ -299,7 +307,7 @@ public class SSLSupport {
}
private KeyManagerFactory loadKeyManagerFactory() throws Exception {
- if (keystorePath == null && (keystoreProvider == null || !"PKCS11".equals(keystoreProvider.toUpperCase()))) {
+ if ((keystorePath == null || keystorePath.isEmpty() || keystorePath.equalsIgnoreCase(NONE)) && (keystoreProvider == null || !keystoreProvider.toUpperCase().contains("PKCS11"))) {
return null;
} else {
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
[activemq-artemis] 02/02: ARTEMIS-3155 differentiate SSL store type
and provider
Posted by cl...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
clebertsuconic pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/activemq-artemis.git
commit 186481bbe8e79274eb009f63052b1d0528d0249d
Author: Justin Bertram <jb...@apache.org>
AuthorDate: Thu Feb 18 23:30:03 2021 -0500
ARTEMIS-3155 differentiate SSL store type and provider
The provider of an SSL key/trust store is different from that store's
type. However, the broker currently doesn't differentiate these and uses
the provider for both. Changing this *may* potentially break existing
users who are setting the provider, but I don't see any way to avoid
that. This is a bug that needs to be fixed in order to support use-cases
like PKCS#11.
Change summary:
- Added documentation.
- Consolidated several 2-way SSL tests classes into a single
parameterized test class. All these classes were essentially the same
except for a few key test parameters. Consolidating them avoided
having to update the same code in multiple places.
- Expanded tests to include different providers & types.
- Regenerated all SSL artifacts to allow tests to pass with new
constraints.
- Improved logging for when SSL handler initialization fails.
---
.../artemis/cli/factory/jmx/ManagementFactory.java | 6 +
.../FederationDownstreamConfiguration.java | 2 +
.../core/impl/BackwardsCompatibilityUtils.java | 6 +
.../core/remoting/impl/netty/NettyConnector.java | 32 +-
.../remoting/impl/netty/TransportConstants.java | 16 +-
.../artemis/core/remoting/impl/ssl/SSLSupport.java | 39 ++-
.../spi/core/remoting/ssl/SSLContextConfig.java | 54 +++-
.../spi/core/remoting/ssl/SSLContextFactory.java | 9 +-
.../remoting/ssl/SSLContextFactoryProvider.java | 4 +-
.../activemq/artemis/dto/JMXConnectorDTO.java | 14 +
.../core/config/JMXConnectorConfiguration.java | 24 +-
.../core/remoting/impl/netty/NettyAcceptor.java | 44 ++-
.../artemis/core/server/ActiveMQServerLogger.java | 5 +
.../server/management/ConnectorServerFactory.java | 22 ++
.../server/management/ManagementConnector.java | 2 +
docs/user-manual/en/configuring-transports.md | 47 ++-
.../integration/jms/SimpleJNDIClientTest.java | 4 +
.../tests/integration/security/SecurityTest.java | 2 +-
.../ssl/CoreClientOverOneWaySSLTest.java | 141 ++++++---
.../ssl/CoreClientOverTwoWayOpenSSLServerTest.java | 319 -------------------
.../ssl/CoreClientOverTwoWayOpenSSLTest.java | 351 ---------------------
.../ssl/CoreClientOverTwoWaySSLTest.java | 150 +++++++--
.../tests/integration/ssl/SSLProviderTest.java | 2 +-
.../integration/ssl/SSLProviderTwoWayTest.java | 4 +-
.../artemis/tests/integration/ssl/SSLTestBase.java | 2 +-
.../core/remoting/impl/ssl/SSLSupportTest.java | 89 ++++--
.../test/resources/bad-client-side-keystore.jks | Bin 1277 -> 2226 bytes
.../src/test/resources/client-side-keystore.jceks | Bin 1277 -> 2233 bytes
.../src/test/resources/client-side-keystore.jks | Bin 1303 -> 2253 bytes
.../src/test/resources/client-side-keystore.p12 | Bin 2589 -> 2589 bytes
.../test/resources/client-side-truststore.jceks | Bin 897 -> 963 bytes
.../src/test/resources/client-side-truststore.jks | Bin 963 -> 963 bytes
.../src/test/resources/client-side-truststore.p12 | Bin 1194 -> 1194 bytes
.../resources/openssl-client-side-keystore.jceks | Bin 683 -> 684 bytes
.../resources/openssl-client-side-keystore.jks | Bin 706 -> 706 bytes
.../resources/openssl-client-side-keystore.p12 | Bin 0 -> 1034 bytes
.../resources/openssl-client-side-truststore.jceks | Bin 572 -> 571 bytes
.../resources/openssl-client-side-truststore.jks | Bin 572 -> 572 bytes
.../resources/openssl-client-side-truststore.p12 | Bin 0 -> 802 bytes
.../resources/openssl-server-side-keystore.jceks | Bin 684 -> 685 bytes
.../resources/openssl-server-side-keystore.jks | Bin 707 -> 707 bytes
.../resources/openssl-server-side-keystore.p12 | Bin 0 -> 1034 bytes
.../resources/openssl-server-side-truststore.jceks | Bin 571 -> 570 bytes
.../resources/openssl-server-side-truststore.jks | Bin 571 -> 571 bytes
.../resources/openssl-server-side-truststore.p12 | Bin 0 -> 802 bytes
.../resources/other-client-side-truststore.jceks | Bin 908 -> 975 bytes
.../resources/other-client-side-truststore.jks | Bin 975 -> 975 bytes
.../resources/other-client-side-truststore.p12 | Bin 1202 -> 1202 bytes
.../resources/other-server-side-keystore.jceks | Bin 1288 -> 2245 bytes
.../test/resources/other-server-side-keystore.jks | Bin 2264 -> 2265 bytes
.../test/resources/other-server-side-keystore.p12 | Bin 2605 -> 2605 bytes
.../src/test/resources/server-side-keystore.jceks | Bin 1277 -> 2233 bytes
.../src/test/resources/server-side-keystore.jks | Bin 2253 -> 2254 bytes
.../src/test/resources/server-side-keystore.p12 | Bin 2589 -> 2589 bytes
.../test/resources/server-side-truststore.jceks | Bin 897 -> 963 bytes
.../src/test/resources/server-side-truststore.jks | Bin 1732 -> 1866 bytes
.../src/test/resources/server-side-truststore.p12 | Bin 1194 -> 1194 bytes
.../resources/verified-client-side-keystore.jceks | Bin 2222 -> 2222 bytes
.../resources/verified-client-side-keystore.jks | Bin 2242 -> 2270 bytes
.../resources/verified-client-side-keystore.p12 | Bin 2581 -> 2581 bytes
.../verified-client-side-truststore.jceks | Bin 868 -> 935 bytes
.../resources/verified-client-side-truststore.jks | Bin 935 -> 935 bytes
.../resources/verified-client-side-truststore.p12 | Bin 1162 -> 1162 bytes
.../verified-openssl-client-side-keystore.jceks | Bin 674 -> 673 bytes
.../verified-openssl-client-side-keystore.jks | Bin 695 -> 695 bytes
.../verified-openssl-client-side-keystore.p12 | Bin 0 -> 1026 bytes
.../verified-openssl-server-side-truststore.jceks | Bin 560 -> 559 bytes
.../verified-openssl-server-side-truststore.jks | Bin 560 -> 560 bytes
.../verified-openssl-server-side-truststore.p12 | Bin 0 -> 794 bytes
.../resources/verified-server-side-keystore.jceks | Bin 1248 -> 2205 bytes
.../resources/verified-server-side-keystore.jks | Bin 2225 -> 2227 bytes
.../resources/verified-server-side-keystore.p12 | Bin 2565 -> 2565 bytes
.../verified-server-side-truststore.jceks | Bin 952 -> 952 bytes
.../resources/verified-server-side-truststore.jks | Bin 952 -> 980 bytes
.../resources/verified-server-side-truststore.p12 | Bin 1186 -> 1186 bytes
75 files changed, 573 insertions(+), 817 deletions(-)
diff --git a/artemis-cli/src/main/java/org/apache/activemq/artemis/cli/factory/jmx/ManagementFactory.java b/artemis-cli/src/main/java/org/apache/activemq/artemis/cli/factory/jmx/ManagementFactory.java
index b41a1ef..3b05115 100644
--- a/artemis-cli/src/main/java/org/apache/activemq/artemis/cli/factory/jmx/ManagementFactory.java
+++ b/artemis-cli/src/main/java/org/apache/activemq/artemis/cli/factory/jmx/ManagementFactory.java
@@ -112,6 +112,9 @@ public class ManagementFactory {
if (jmxConnector.getKeyStoreProvider() != null) {
jmxConnectorConfiguration.setKeyStoreProvider(jmxConnector.getKeyStoreProvider());
}
+ if (jmxConnector.getKeyStoreType() != null) {
+ jmxConnectorConfiguration.setKeyStoreType(jmxConnector.getKeyStoreType());
+ }
if (jmxConnector.getKeyStorePassword() != null) {
jmxConnectorConfiguration.setKeyStorePassword(jmxConnector.getKeyStorePassword());
}
@@ -121,6 +124,9 @@ public class ManagementFactory {
if (jmxConnector.getTrustStoreProvider() != null) {
jmxConnectorConfiguration.setTrustStoreProvider(jmxConnector.getTrustStoreProvider());
}
+ if (jmxConnector.getTrustStoreType() != null) {
+ jmxConnectorConfiguration.setTrustStoreType(jmxConnector.getTrustStoreType());
+ }
if (jmxConnector.getTrustStorePassword() != null) {
jmxConnectorConfiguration.setTrustStorePassword(jmxConnector.getTrustStorePassword());
}
diff --git a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/config/federation/FederationDownstreamConfiguration.java b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/config/federation/FederationDownstreamConfiguration.java
index 7e8c5cf..b85de11 100644
--- a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/config/federation/FederationDownstreamConfiguration.java
+++ b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/config/federation/FederationDownstreamConfiguration.java
@@ -52,9 +52,11 @@ public class FederationDownstreamConfiguration extends FederationStreamConfigura
params.remove(TransportConstants.KEYSTORE_PATH_PROP_NAME);
params.remove(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME);
params.remove(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME);
+ params.remove(TransportConstants.KEYSTORE_TYPE_PROP_NAME);
params.remove(TransportConstants.TRUSTSTORE_PATH_PROP_NAME);
params.remove(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME);
params.remove(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME);
+ params.remove(TransportConstants.TRUSTSTORE_TYPE_PROP_NAME);
this.upstreamConfiguration = new TransportConfiguration(transportConfiguration.getFactoryClassName(), params,
transportConfiguration.getName(), transportConfiguration.getExtraParams());
diff --git a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/protocol/core/impl/BackwardsCompatibilityUtils.java b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/protocol/core/impl/BackwardsCompatibilityUtils.java
index c441fc0..1dec42c 100644
--- a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/protocol/core/impl/BackwardsCompatibilityUtils.java
+++ b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/protocol/core/impl/BackwardsCompatibilityUtils.java
@@ -70,12 +70,16 @@ public class BackwardsCompatibilityUtils {
public static final String KEYSTORE_PROVIDER_PROP_NAME = "key-store-provider";
+ public static final String KEYSTORE_TYPE_PROP_NAME = "key-store-type";
+
public static final String KEYSTORE_PATH_PROP_NAME = "key-store-path";
public static final String KEYSTORE_PASSWORD_PROP_NAME = "key-store-password";
public static final String TRUSTSTORE_PROVIDER_PROP_NAME = "trust-store-provider";
+ public static final String TRUSTSTORE_TYPE_PROP_NAME = "trust-store-type";
+
public static final String TRUSTSTORE_PATH_PROP_NAME = "trust-store-path";
public static final String TRUSTSTORE_PASSWORD_PROP_NAME = "trust-store-password";
@@ -121,9 +125,11 @@ public class BackwardsCompatibilityUtils {
OLD_PARAMETERS_MAP.put(TransportConstants.LOCAL_ADDRESS_PROP_NAME, LOCAL_ADDRESS_PROP_NAME);
OLD_PARAMETERS_MAP.put(TransportConstants.LOCAL_PORT_PROP_NAME, LOCAL_PORT_PROP_NAME);
OLD_PARAMETERS_MAP.put(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME, KEYSTORE_PROVIDER_PROP_NAME);
+ OLD_PARAMETERS_MAP.put(TransportConstants.KEYSTORE_TYPE_PROP_NAME, KEYSTORE_TYPE_PROP_NAME);
OLD_PARAMETERS_MAP.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, KEYSTORE_PATH_PROP_NAME);
OLD_PARAMETERS_MAP.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, KEYSTORE_PASSWORD_PROP_NAME);
OLD_PARAMETERS_MAP.put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, TRUSTSTORE_PROVIDER_PROP_NAME);
+ OLD_PARAMETERS_MAP.put(TransportConstants.TRUSTSTORE_TYPE_PROP_NAME, TRUSTSTORE_TYPE_PROP_NAME);
OLD_PARAMETERS_MAP.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, TRUSTSTORE_PATH_PROP_NAME);
OLD_PARAMETERS_MAP.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, TRUSTSTORE_PASSWORD_PROP_NAME);
OLD_PARAMETERS_MAP.put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, NEED_CLIENT_AUTH_PROP_NAME);
diff --git a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java
index 5592293..79ff84c 100644
--- a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java
+++ b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java
@@ -138,14 +138,18 @@ public class NettyConnector extends AbstractConnector {
// Constants -----------------------------------------------------
public static final String JAVAX_KEYSTORE_PATH_PROP_NAME = "javax.net.ssl.keyStore";
public static final String JAVAX_KEYSTORE_PASSWORD_PROP_NAME = "javax.net.ssl.keyStorePassword";
- public static final String JAVAX_KEYSTORE_PROVIDER_PROP_NAME = "javax.net.ssl.keyStoreType";
+ public static final String JAVAX_KEYSTORE_TYPE_PROP_NAME = "javax.net.ssl.keyStoreType";
+ public static final String JAVAX_KEYSTORE_PROVIDER_PROP_NAME = "javax.net.ssl.keyStoreProvider";
public static final String JAVAX_TRUSTSTORE_PATH_PROP_NAME = "javax.net.ssl.trustStore";
public static final String JAVAX_TRUSTSTORE_PASSWORD_PROP_NAME = "javax.net.ssl.trustStorePassword";
- public static final String JAVAX_TRUSTSTORE_PROVIDER_PROP_NAME = "javax.net.ssl.trustStoreType";
+ public static final String JAVAX_TRUSTSTORE_TYPE_PROP_NAME = "javax.net.ssl.trustStoreType";
+ public static final String JAVAX_TRUSTSTORE_PROVIDER_PROP_NAME = "javax.net.ssl.trustStoreProvider";
public static final String ACTIVEMQ_KEYSTORE_PROVIDER_PROP_NAME = "org.apache.activemq.ssl.keyStoreProvider";
+ public static final String ACTIVEMQ_KEYSTORE_TYPE_PROP_NAME = "org.apache.activemq.ssl.keyStoreType";
public static final String ACTIVEMQ_KEYSTORE_PATH_PROP_NAME = "org.apache.activemq.ssl.keyStore";
public static final String ACTIVEMQ_KEYSTORE_PASSWORD_PROP_NAME = "org.apache.activemq.ssl.keyStorePassword";
public static final String ACTIVEMQ_TRUSTSTORE_PROVIDER_PROP_NAME = "org.apache.activemq.ssl.trustStoreProvider";
+ public static final String ACTIVEMQ_TRUSTSTORE_TYPE_PROP_NAME = "org.apache.activemq.ssl.trustStoreType";
public static final String ACTIVEMQ_TRUSTSTORE_PATH_PROP_NAME = "org.apache.activemq.ssl.trustStore";
public static final String ACTIVEMQ_TRUSTSTORE_PASSWORD_PROP_NAME = "org.apache.activemq.ssl.trustStorePassword";
@@ -228,12 +232,16 @@ public class NettyConnector extends AbstractConnector {
private String keyStoreProvider;
+ private String keyStoreType;
+
private String keyStorePath;
private String keyStorePassword;
private String trustStoreProvider;
+ private String trustStoreType;
+
private String trustStorePath;
private String trustStorePassword;
@@ -394,12 +402,16 @@ public class NettyConnector extends AbstractConnector {
if (sslEnabled) {
keyStoreProvider = ConfigurationHelper.getStringProperty(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME, TransportConstants.DEFAULT_KEYSTORE_PROVIDER, configuration);
+ keyStoreType = ConfigurationHelper.getStringProperty(TransportConstants.KEYSTORE_TYPE_PROP_NAME, TransportConstants.DEFAULT_KEYSTORE_TYPE, configuration);
+
keyStorePath = ConfigurationHelper.getStringProperty(TransportConstants.KEYSTORE_PATH_PROP_NAME, TransportConstants.DEFAULT_KEYSTORE_PATH, configuration);
keyStorePassword = ConfigurationHelper.getPasswordProperty(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, TransportConstants.DEFAULT_KEYSTORE_PASSWORD, configuration, ActiveMQDefaultConfiguration.getPropMaskPassword(), ActiveMQDefaultConfiguration.getPropPasswordCodec());
trustStoreProvider = ConfigurationHelper.getStringProperty(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, TransportConstants.DEFAULT_TRUSTSTORE_PROVIDER, configuration);
+ trustStoreType = ConfigurationHelper.getStringProperty(TransportConstants.TRUSTSTORE_TYPE_PROP_NAME, TransportConstants.DEFAULT_TRUSTSTORE_TYPE, configuration);
+
trustStorePath = ConfigurationHelper.getStringProperty(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, TransportConstants.DEFAULT_TRUSTSTORE_PATH, configuration);
trustStorePassword = ConfigurationHelper.getPasswordProperty(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, TransportConstants.DEFAULT_TRUSTSTORE_PASSWORD, configuration, ActiveMQDefaultConfiguration.getPropMaskPassword(), ActiveMQDefaultConfiguration.getPropPasswordCodec());
@@ -427,9 +439,11 @@ public class NettyConnector extends AbstractConnector {
trustManagerFactoryPlugin = ConfigurationHelper.getStringProperty(TransportConstants.TRUST_MANAGER_FACTORY_PLUGIN_PROP_NAME, TransportConstants.DEFAULT_TRUST_MANAGER_FACTORY_PLUGIN, configuration);
} else {
keyStoreProvider = TransportConstants.DEFAULT_KEYSTORE_PROVIDER;
+ keyStoreType = TransportConstants.DEFAULT_KEYSTORE_TYPE;
keyStorePath = TransportConstants.DEFAULT_KEYSTORE_PATH;
keyStorePassword = TransportConstants.DEFAULT_KEYSTORE_PASSWORD;
trustStoreProvider = TransportConstants.DEFAULT_TRUSTSTORE_PROVIDER;
+ trustStoreType = TransportConstants.DEFAULT_TRUSTSTORE_TYPE;
trustStorePath = TransportConstants.DEFAULT_TRUSTSTORE_PATH;
trustStorePassword = TransportConstants.DEFAULT_TRUSTSTORE_PASSWORD;
crlPath = TransportConstants.DEFAULT_CRL_PATH;
@@ -562,33 +576,41 @@ public class NettyConnector extends AbstractConnector {
final String realKeyStorePath;
final String realKeyStoreProvider;
+ final String realKeyStoreType;
final String realKeyStorePassword;
final String realTrustStorePath;
final String realTrustStoreProvider;
+ final String realTrustStoreType;
final String realTrustStorePassword;
if (sslEnabled) {
if (forceSSLParameters) {
realKeyStorePath = keyStorePath;
realKeyStoreProvider = keyStoreProvider;
+ realKeyStoreType = keyStoreType;
realKeyStorePassword = keyStorePassword;
realTrustStorePath = trustStorePath;
realTrustStoreProvider = trustStoreProvider;
+ realTrustStoreType = trustStoreType;
realTrustStorePassword = trustStorePassword;
} else {
realKeyStorePath = Stream.of(System.getProperty(ACTIVEMQ_KEYSTORE_PATH_PROP_NAME), System.getProperty(JAVAX_KEYSTORE_PATH_PROP_NAME), keyStorePath).map(v -> useDefaultSslContext ? keyStorePath : v).filter(Objects::nonNull).findFirst().orElse(null);
realKeyStorePassword = Stream.of(System.getProperty(ACTIVEMQ_KEYSTORE_PASSWORD_PROP_NAME), System.getProperty(JAVAX_KEYSTORE_PASSWORD_PROP_NAME), keyStorePassword).map(v -> useDefaultSslContext ? keyStorePassword : v).filter(Objects::nonNull).findFirst().orElse(null);
- realKeyStoreProvider = Stream.of(System.getProperty(ACTIVEMQ_KEYSTORE_PROVIDER_PROP_NAME), keyStoreProvider).map(v -> useDefaultSslContext ? keyStoreProvider : v).filter(Objects::nonNull).findFirst().orElse(null);
+ realKeyStoreProvider = Stream.of(System.getProperty(ACTIVEMQ_KEYSTORE_PROVIDER_PROP_NAME), System.getProperty(JAVAX_KEYSTORE_PROVIDER_PROP_NAME), keyStoreProvider).map(v -> useDefaultSslContext ? keyStoreProvider : v).filter(Objects::nonNull).findFirst().orElse(null);
+ realKeyStoreType = Stream.of(System.getProperty(ACTIVEMQ_KEYSTORE_TYPE_PROP_NAME), System.getProperty(JAVAX_KEYSTORE_TYPE_PROP_NAME), keyStoreType).map(v -> useDefaultSslContext ? keyStoreType : v).filter(Objects::nonNull).findFirst().orElse(null);
realTrustStorePath = Stream.of(System.getProperty(ACTIVEMQ_TRUSTSTORE_PATH_PROP_NAME), System.getProperty(JAVAX_TRUSTSTORE_PATH_PROP_NAME), trustStorePath).map(v -> useDefaultSslContext ? trustStorePath : v).filter(Objects::nonNull).findFirst().orElse(null);
realTrustStorePassword = Stream.of(System.getProperty(ACTIVEMQ_TRUSTSTORE_PASSWORD_PROP_NAME), System.getProperty(JAVAX_TRUSTSTORE_PASSWORD_PROP_NAME), trustStorePassword).map(v -> useDefaultSslContext ? trustStorePassword : v).filter(Objects::nonNull).findFirst().orElse(null);
- realTrustStoreProvider = Stream.of(System.getProperty(ACTIVEMQ_TRUSTSTORE_PROVIDER_PROP_NAME), trustStoreProvider).map(v -> useDefaultSslContext ? trustStoreProvider : v).filter(Objects::nonNull).findFirst().orElse(null);
+ realTrustStoreProvider = Stream.of(System.getProperty(ACTIVEMQ_TRUSTSTORE_PROVIDER_PROP_NAME), System.getProperty(JAVAX_TRUSTSTORE_PROVIDER_PROP_NAME), trustStoreProvider).map(v -> useDefaultSslContext ? trustStoreProvider : v).filter(Objects::nonNull).findFirst().orElse(null);
+ realTrustStoreType = Stream.of(System.getProperty(ACTIVEMQ_TRUSTSTORE_TYPE_PROP_NAME), System.getProperty(JAVAX_TRUSTSTORE_TYPE_PROP_NAME), trustStoreType).map(v -> useDefaultSslContext ? trustStoreType : v).filter(Objects::nonNull).findFirst().orElse(null);
}
} else {
realKeyStorePath = null;
realKeyStoreProvider = null;
+ realKeyStoreType = null;
realKeyStorePassword = null;
realTrustStorePath = null;
realTrustStoreProvider = null;
+ realTrustStoreType = null;
realTrustStorePassword = null;
}
@@ -625,9 +647,11 @@ public class NettyConnector extends AbstractConnector {
final SSLContextConfig sslContextConfig = SSLContextConfig.builder()
.keystoreProvider(realKeyStoreProvider)
.keystorePath(realKeyStorePath)
+ .keystoreType(realKeyStoreType)
.keystorePassword(realKeyStorePassword)
.truststoreProvider(realTrustStoreProvider)
.truststorePath(realTrustStorePath)
+ .truststoreType(realTrustStoreType)
.truststorePassword(realTrustStorePassword)
.trustManagerFactoryPlugin(trustManagerFactoryPlugin)
.crlPath(crlPath)
diff --git a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/TransportConstants.java b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/TransportConstants.java
index 726d28d..82ae944 100644
--- a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/TransportConstants.java
+++ b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/TransportConstants.java
@@ -93,12 +93,16 @@ public class TransportConstants {
public static final String KEYSTORE_PROVIDER_PROP_NAME = "keyStoreProvider";
+ public static final String KEYSTORE_TYPE_PROP_NAME = "keyStoreType";
+
public static final String KEYSTORE_PATH_PROP_NAME = "keyStorePath";
public static final String KEYSTORE_PASSWORD_PROP_NAME = "keyStorePassword";
public static final String TRUSTSTORE_PROVIDER_PROP_NAME = "trustStoreProvider";
+ public static final String TRUSTSTORE_TYPE_PROP_NAME = "trustStoreType";
+
public static final String TRUSTSTORE_PATH_PROP_NAME = "trustStorePath";
public static final String TRUSTSTORE_PASSWORD_PROP_NAME = "trustStorePassword";
@@ -216,13 +220,17 @@ public class TransportConstants {
public static final int DEFAULT_STOMP_PORT = 61613;
- public static final String DEFAULT_KEYSTORE_PROVIDER = "JKS";
+ public static final String DEFAULT_KEYSTORE_PROVIDER = null;
+
+ public static final String DEFAULT_KEYSTORE_TYPE = "JKS";
public static final String DEFAULT_KEYSTORE_PATH = null;
public static final String DEFAULT_KEYSTORE_PASSWORD = null;
- public static final String DEFAULT_TRUSTSTORE_PROVIDER = "JKS";
+ public static final String DEFAULT_TRUSTSTORE_PROVIDER = null;
+
+ public static final String DEFAULT_TRUSTSTORE_TYPE = "JKS";
public static final String DEFAULT_TRUSTSTORE_PATH = null;
@@ -381,9 +389,11 @@ public class TransportConstants {
allowableAcceptorKeys.add(TransportConstants.HOST_PROP_NAME);
allowableAcceptorKeys.add(TransportConstants.PORT_PROP_NAME);
allowableAcceptorKeys.add(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME);
+ allowableAcceptorKeys.add(TransportConstants.KEYSTORE_TYPE_PROP_NAME);
allowableAcceptorKeys.add(TransportConstants.KEYSTORE_PATH_PROP_NAME);
allowableAcceptorKeys.add(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME);
allowableAcceptorKeys.add(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME);
+ allowableAcceptorKeys.add(TransportConstants.TRUSTSTORE_TYPE_PROP_NAME);
allowableAcceptorKeys.add(TransportConstants.TRUSTSTORE_PATH_PROP_NAME);
allowableAcceptorKeys.add(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME);
allowableAcceptorKeys.add(TransportConstants.ENABLED_CIPHER_SUITES_PROP_NAME);
@@ -449,9 +459,11 @@ public class TransportConstants {
allowableConnectorKeys.add(TransportConstants.LOCAL_ADDRESS_PROP_NAME);
allowableConnectorKeys.add(TransportConstants.LOCAL_PORT_PROP_NAME);
allowableConnectorKeys.add(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME);
+ allowableConnectorKeys.add(TransportConstants.KEYSTORE_TYPE_PROP_NAME);
allowableConnectorKeys.add(TransportConstants.KEYSTORE_PATH_PROP_NAME);
allowableConnectorKeys.add(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME);
allowableConnectorKeys.add(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME);
+ allowableConnectorKeys.add(TransportConstants.TRUSTSTORE_TYPE_PROP_NAME);
allowableConnectorKeys.add(TransportConstants.TRUSTSTORE_PATH_PROP_NAME);
allowableConnectorKeys.add(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME);
allowableConnectorKeys.add(TransportConstants.ENABLED_CIPHER_SUITES_PROP_NAME);
diff --git a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/ssl/SSLSupport.java b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/ssl/SSLSupport.java
index 1fc14ac..696ddde 100644
--- a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/ssl/SSLSupport.java
+++ b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/ssl/SSLSupport.java
@@ -59,9 +59,11 @@ public class SSLSupport {
public static final String NONE = "NONE";
private String keystoreProvider = TransportConstants.DEFAULT_KEYSTORE_PROVIDER;
+ private String keystoreType = TransportConstants.DEFAULT_KEYSTORE_TYPE;
private String keystorePath = TransportConstants.DEFAULT_KEYSTORE_PATH;
private String keystorePassword = TransportConstants.DEFAULT_KEYSTORE_PASSWORD;
private String truststoreProvider = TransportConstants.DEFAULT_TRUSTSTORE_PROVIDER;
+ private String truststoreType = TransportConstants.DEFAULT_TRUSTSTORE_TYPE;
private String truststorePath = TransportConstants.DEFAULT_TRUSTSTORE_PATH;
private String truststorePassword = TransportConstants.DEFAULT_TRUSTSTORE_PASSWORD;
private String crlPath = TransportConstants.DEFAULT_CRL_PATH;
@@ -75,9 +77,11 @@ public class SSLSupport {
public SSLSupport(final SSLContextConfig config) {
keystoreProvider = config.getKeystoreProvider();
keystorePath = config.getKeystorePath();
+ keystoreType = config.getKeystoreType();
keystorePassword = config.getKeystorePassword();
truststoreProvider = config.getTruststoreProvider();
truststorePath = config.getTruststorePath();
+ truststoreType = config.getTruststoreType();
truststorePassword = config.getTruststorePassword();
crlPath = config.getCrlPath();
trustAll = config.isTrustAll();
@@ -93,6 +97,15 @@ public class SSLSupport {
return this;
}
+ public String getKeystoreType() {
+ return keystoreType;
+ }
+
+ public SSLSupport setKeystoreType(String keystoreType) {
+ this.keystoreType = keystoreType;
+ return this;
+ }
+
public String getKeystorePath() {
return keystorePath;
}
@@ -120,6 +133,15 @@ public class SSLSupport {
return this;
}
+ public String getTruststoreType() {
+ return truststoreType;
+ }
+
+ public SSLSupport setTruststoreType(String truststoreType) {
+ this.truststoreType = truststoreType;
+ return this;
+ }
+
public String getTruststorePath() {
return truststorePath;
}
@@ -183,14 +205,14 @@ public class SSLSupport {
}
public SslContext createNettyContext() throws Exception {
- KeyStore keyStore = SSLSupport.loadKeystore(keystoreProvider, keystorePath, keystorePassword);
+ KeyStore keyStore = SSLSupport.loadKeystore(keystoreProvider, keystoreType, keystorePath, keystorePassword);
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, keystorePassword.toCharArray());
return SslContextBuilder.forServer(keyManagerFactory).sslProvider(SslProvider.valueOf(sslProvider)).trustManager(loadTrustManagerFactory()).build();
}
public SslContext createNettyClientContext() throws Exception {
- KeyStore keyStore = SSLSupport.loadKeystore(keystoreProvider, keystorePath, keystorePassword);
+ KeyStore keyStore = SSLSupport.loadKeystore(keystoreProvider, keystoreType, keystorePath, keystorePassword);
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, keystorePassword == null ? null : keystorePassword.toCharArray());
return SslContextBuilder.forClient().sslProvider(SslProvider.valueOf(sslProvider)).keyManager(keyManagerFactory).trustManager(loadTrustManagerFactory()).build();
@@ -228,7 +250,7 @@ public class SSLSupport {
return null;
} else {
TrustManagerFactory trustMgrFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
- KeyStore trustStore = SSLSupport.loadKeystore(truststoreProvider, truststorePath, truststorePassword);
+ KeyStore trustStore = SSLSupport.loadKeystore(truststoreProvider, truststoreType, truststorePath, truststorePassword);
boolean ocsp = Boolean.valueOf(Security.getProperty("ocsp.enable"));
boolean initialized = false;
@@ -271,15 +293,10 @@ public class SSLSupport {
}
private static KeyStore loadKeystore(final String keystoreProvider,
+ final String keystoreType,
final String keystorePath,
final String keystorePassword) throws Exception {
- KeyStore ks;
- if (keystorePath == null|| keystorePath.isEmpty() || keystorePath.equalsIgnoreCase(NONE)) {
- ks = KeyStore.getInstance(keystoreProvider, "PKCS11");
- } else {
- ks = KeyStore.getInstance(keystoreProvider);
- }
-
+ KeyStore ks = keystoreProvider == null ? KeyStore.getInstance(keystoreType) : KeyStore.getInstance(keystoreType, keystoreProvider);
InputStream in = null;
try {
if (keystorePath != null && !keystorePath.isEmpty() && !keystorePath.equalsIgnoreCase(NONE)) {
@@ -311,7 +328,7 @@ public class SSLSupport {
return null;
} else {
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
- KeyStore ks = SSLSupport.loadKeystore(keystoreProvider, keystorePath, keystorePassword);
+ KeyStore ks = SSLSupport.loadKeystore(keystoreProvider, keystoreType, keystorePath, keystorePassword);
kmf.init(ks, keystorePassword == null ? null : keystorePassword.toCharArray());
return kmf;
}
diff --git a/artemis-core-client/src/main/java/org/apache/activemq/artemis/spi/core/remoting/ssl/SSLContextConfig.java b/artemis-core-client/src/main/java/org/apache/activemq/artemis/spi/core/remoting/ssl/SSLContextConfig.java
index 12b79e8..83bbb0a 100644
--- a/artemis-core-client/src/main/java/org/apache/activemq/artemis/spi/core/remoting/ssl/SSLContextConfig.java
+++ b/artemis-core-client/src/main/java/org/apache/activemq/artemis/spi/core/remoting/ssl/SSLContextConfig.java
@@ -29,9 +29,11 @@ public final class SSLContextConfig {
public static final class Builder {
private String keystorePath = TransportConstants.DEFAULT_KEYSTORE_PATH;
+ private String keystoreType = TransportConstants.DEFAULT_KEYSTORE_TYPE;
private String keystorePassword = TransportConstants.DEFAULT_KEYSTORE_PASSWORD;
private String keystoreProvider = TransportConstants.DEFAULT_KEYSTORE_PROVIDER;
private String truststorePath = TransportConstants.DEFAULT_TRUSTSTORE_PATH;
+ private String truststoreType = TransportConstants.DEFAULT_TRUSTSTORE_TYPE;
private String truststorePassword = TransportConstants.DEFAULT_TRUSTSTORE_PASSWORD;
private String truststoreProvider = TransportConstants.DEFAULT_TRUSTSTORE_PROVIDER;
private String crlPath = TransportConstants.DEFAULT_CRL_PATH;
@@ -46,9 +48,11 @@ public final class SSLContextConfig {
return this;
keystorePath = config.getKeystorePath();
+ keystoreType = config.getKeystoreType();
keystorePassword = config.getKeystorePassword();
keystoreProvider = config.getKeystoreProvider();
truststorePath = config.getTruststorePath();
+ truststoreType = config.getTruststoreType();
truststorePassword = config.getTruststorePassword();
crlPath = config.getCrlPath();
truststoreProvider = config.getTruststoreProvider();
@@ -58,8 +62,8 @@ public final class SSLContextConfig {
public SSLContextConfig build() {
return new SSLContextConfig(
- keystoreProvider, keystorePath, keystorePassword,
- truststoreProvider, truststorePath, truststorePassword,
+ keystoreProvider, keystorePath, keystoreType, keystorePassword,
+ truststoreProvider, truststorePath, truststoreType, truststorePassword,
crlPath, trustManagerFactoryPlugin, trustAll
);
}
@@ -69,6 +73,11 @@ public final class SSLContextConfig {
return this;
}
+ public Builder keystoreType(final String keystoreType) {
+ this.keystoreType = keystoreType;
+ return this;
+ }
+
public Builder keystorePassword(final String keystorePassword) {
this.keystorePassword = keystorePassword;
return this;
@@ -84,6 +93,11 @@ public final class SSLContextConfig {
return this;
}
+ public Builder truststoreType(final String truststoreType) {
+ this.truststoreType = truststoreType;
+ return this;
+ }
+
public Builder truststorePassword(final String truststorePassword) {
this.truststorePassword = truststorePassword;
return this;
@@ -115,9 +129,11 @@ public final class SSLContextConfig {
}
private final String keystorePath;
+ private final String keystoreType;
private final String keystorePassword;
private final String keystoreProvider;
private final String truststorePath;
+ private final String truststoreType;
private final String truststorePassword;
private final String truststoreProvider;
private final String trustManagerFactoryPlugin;
@@ -125,23 +141,31 @@ public final class SSLContextConfig {
private final boolean trustAll;
private final int hashCode;
- private SSLContextConfig(
- final String keystoreProvider, final String keystorePath, final String keystorePassword,
- final String truststoreProvider, final String truststorePath, final String truststorePassword,
- final String crlPath, final String trustManagerFactoryPlugin, final boolean trustAll
- ) {
+ private SSLContextConfig(final String keystoreProvider,
+ final String keystorePath,
+ final String keystoreType,
+ final String keystorePassword,
+ final String truststoreProvider,
+ final String truststorePath,
+ final String truststoreType,
+ final String truststorePassword,
+ final String crlPath,
+ final String trustManagerFactoryPlugin,
+ final boolean trustAll) {
this.keystorePath = keystorePath;
+ this.keystoreType = keystoreType;
this.keystoreProvider = keystoreProvider;
this.keystorePassword = keystorePassword;
this.truststorePath = truststorePath;
+ this.truststoreType = truststoreType;
this.truststorePassword = truststorePassword;
this.truststoreProvider = truststoreProvider;
this.trustManagerFactoryPlugin = trustManagerFactoryPlugin;
this.crlPath = crlPath;
this.trustAll = trustAll;
hashCode = Objects.hash(
- keystorePath, keystoreProvider,
- truststorePath, truststoreProvider,
+ keystorePath, keystoreType, keystoreProvider,
+ truststorePath, truststoreType, truststoreProvider,
crlPath, trustManagerFactoryPlugin, trustAll
);
}
@@ -154,8 +178,10 @@ public final class SSLContextConfig {
return false;
final SSLContextConfig other = (SSLContextConfig) obj;
return Objects.equals(keystorePath, other.keystorePath)
+ && Objects.equals(keystoreType, other.keystoreType)
&& Objects.equals(keystoreProvider, other.keystoreProvider)
&& Objects.equals(truststorePath, other.truststorePath)
+ && Objects.equals(truststoreType, other.truststoreType)
&& Objects.equals(truststoreProvider, other.truststoreProvider)
&& Objects.equals(crlPath, other.crlPath)
&& Objects.equals(trustManagerFactoryPlugin, other.trustManagerFactoryPlugin)
@@ -174,6 +200,10 @@ public final class SSLContextConfig {
return keystorePath;
}
+ public String getKeystoreType() {
+ return keystoreType;
+ }
+
public String getKeystoreProvider() {
return keystoreProvider;
}
@@ -190,6 +220,10 @@ public final class SSLContextConfig {
return truststorePath;
}
+ public String getTruststoreType() {
+ return truststoreType;
+ }
+
public String getTruststoreProvider() {
return truststoreProvider;
}
@@ -208,9 +242,11 @@ public final class SSLContextConfig {
return "SSLSupport [" +
"keystoreProvider=" + keystoreProvider +
", keystorePath=" + keystorePath +
+ ", keystoreType=" + keystoreType +
", keystorePassword=" + (keystorePassword == null ? null : "******") +
", truststoreProvider=" + truststoreProvider +
", truststorePath=" + truststorePath +
+ ", truststoreType=" + truststoreType +
", truststorePassword=" + (truststorePassword == null ? null : "******") +
", crlPath=" + crlPath +
", trustAll=" + trustAll +
diff --git a/artemis-core-client/src/main/java/org/apache/activemq/artemis/spi/core/remoting/ssl/SSLContextFactory.java b/artemis-core-client/src/main/java/org/apache/activemq/artemis/spi/core/remoting/ssl/SSLContextFactory.java
index 389e9eb..b8f3a72 100644
--- a/artemis-core-client/src/main/java/org/apache/activemq/artemis/spi/core/remoting/ssl/SSLContextFactory.java
+++ b/artemis-core-client/src/main/java/org/apache/activemq/artemis/spi/core/remoting/ssl/SSLContextFactory.java
@@ -37,13 +37,14 @@ public interface SSLContextFactory extends Comparable<SSLContextFactory> {
@SuppressWarnings("unused")
@Deprecated
default SSLContext getSSLContext(Map<String, Object> configuration,
- String keystoreProvider, String keystorePath, String keystorePassword,
- String truststoreProvider, String truststorePath, String truststorePassword,
+ String keystoreProvider, String keystorePath, String keystoreType, String keystorePassword,
+ String truststoreProvider, String truststorePath, String truststoreType, String truststorePassword,
String crlPath, String trustManagerFactoryPlugin, boolean trustAll) throws Exception {
final SSLContextConfig sslContextConfig = SSLContextConfig.builder()
.keystoreProvider(keystoreProvider)
.keystorePath(keystorePath)
+ .keystoreType(keystoreType)
.keystorePassword(keystorePassword)
.truststoreProvider(truststoreProvider)
.truststorePath(truststorePath)
@@ -62,8 +63,8 @@ public interface SSLContextFactory extends Comparable<SSLContextFactory> {
*/
default SSLContext getSSLContext(SSLContextConfig config, Map<String, Object> additionalOpts) throws Exception {
return getSSLContext(additionalOpts,
- config.getKeystoreProvider(), config.getKeystorePath(), config.getKeystorePassword(),
- config.getTruststoreProvider(), config.getTruststorePath(), config.getTruststorePassword(),
+ config.getKeystoreProvider(), config.getKeystorePath(), config.getKeystoreType(), config.getKeystorePassword(),
+ config.getTruststoreProvider(), config.getTruststorePath(), config.getTruststoreType(), config.getTruststorePassword(),
config.getCrlPath(), config.getTrustManagerFactoryPlugin(), config.isTrustAll()
);
}
diff --git a/artemis-core-client/src/main/java/org/apache/activemq/artemis/spi/core/remoting/ssl/SSLContextFactoryProvider.java b/artemis-core-client/src/main/java/org/apache/activemq/artemis/spi/core/remoting/ssl/SSLContextFactoryProvider.java
index 2b6cf2a..9ccceab 100644
--- a/artemis-core-client/src/main/java/org/apache/activemq/artemis/spi/core/remoting/ssl/SSLContextFactoryProvider.java
+++ b/artemis-core-client/src/main/java/org/apache/activemq/artemis/spi/core/remoting/ssl/SSLContextFactoryProvider.java
@@ -36,8 +36,8 @@ public class SSLContextFactoryProvider {
factory = new SSLContextFactory() {
@Override
public SSLContext getSSLContext(Map<String, Object> configuration,
- String keystoreProvider, String keystorePath, String keystorePassword,
- String truststoreProvider, String truststorePath, String truststorePassword,
+ String keystoreProvider, String keystoreType, String keystorePath, String keystorePassword,
+ String truststoreProvider, String truststoreType, String truststorePath, String truststorePassword,
String crlPath, String trustManagerFactoryPlugin, boolean trustAll) throws Exception {
return SSLContext.getDefault();
}
diff --git a/artemis-dto/src/main/java/org/apache/activemq/artemis/dto/JMXConnectorDTO.java b/artemis-dto/src/main/java/org/apache/activemq/artemis/dto/JMXConnectorDTO.java
index 4805551..cefd090 100644
--- a/artemis-dto/src/main/java/org/apache/activemq/artemis/dto/JMXConnectorDTO.java
+++ b/artemis-dto/src/main/java/org/apache/activemq/artemis/dto/JMXConnectorDTO.java
@@ -52,6 +52,9 @@ public class JMXConnectorDTO {
@XmlAttribute (name = "key-store-provider")
String keyStoreProvider;
+ @XmlAttribute (name = "key-store-type")
+ String keyStoreType;
+
@XmlAttribute (name = "key-store-path")
String keyStorePath;
@@ -61,6 +64,9 @@ public class JMXConnectorDTO {
@XmlAttribute (name = "trust-store-provider")
String trustStoreProvider;
+ @XmlAttribute (name = "trust-store-type")
+ String trustStoreType;
+
@XmlAttribute (name = "trust-store-path")
String trustStorePath;
@@ -102,6 +108,10 @@ public class JMXConnectorDTO {
return keyStoreProvider;
}
+ public String getKeyStoreType() {
+ return keyStoreType;
+ }
+
public String getKeyStorePath() {
return keyStorePath;
}
@@ -114,6 +124,10 @@ public class JMXConnectorDTO {
return trustStoreProvider;
}
+ public String getTrustStoreType() {
+ return trustStoreType;
+ }
+
public String getTrustStorePath() {
return trustStorePath;
}
diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/core/config/JMXConnectorConfiguration.java b/artemis-server/src/main/java/org/apache/activemq/artemis/core/config/JMXConnectorConfiguration.java
index b47acf5..28fb767 100644
--- a/artemis-server/src/main/java/org/apache/activemq/artemis/core/config/JMXConnectorConfiguration.java
+++ b/artemis-server/src/main/java/org/apache/activemq/artemis/core/config/JMXConnectorConfiguration.java
@@ -16,7 +16,7 @@
*/
package org.apache.activemq.artemis.core.config;
-import java.security.KeyStore;
+import org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants;
public class JMXConnectorConfiguration {
private int rmiRegistryPort;
@@ -29,10 +29,12 @@ public class JMXConnectorConfiguration {
private String objectName = "connector:name=rmi";
private String authenticatorType = "password";
private boolean secured = false;
- private String keyStoreProvider = KeyStore.getDefaultType();
+ private String keyStoreProvider = TransportConstants.DEFAULT_KEYSTORE_PROVIDER;
+ private String keyStoreType = TransportConstants.DEFAULT_KEYSTORE_TYPE;
private String keyStorePath;
private String keyStorePassword;
- private String trustStoreProvider = KeyStore.getDefaultType();
+ private String trustStoreProvider = TransportConstants.DEFAULT_TRUSTSTORE_PROVIDER;
+ private String trustStoreType = TransportConstants.DEFAULT_TRUSTSTORE_TYPE;
private String trustStorePath;
private String trustStorePassword;
@@ -97,6 +99,14 @@ public class JMXConnectorConfiguration {
this.keyStoreProvider = keyStoreProvider;
}
+ public String getKeyStoreType() {
+ return keyStoreType;
+ }
+
+ public void setKeyStoreType(String keyStoreType) {
+ this.keyStoreType = keyStoreType;
+ }
+
public String getKeyStorePath() {
return keyStorePath;
}
@@ -121,6 +131,14 @@ public class JMXConnectorConfiguration {
this.trustStoreProvider = trustStoreProvider;
}
+ public String getTrustStoreType() {
+ return trustStoreType;
+ }
+
+ public void setTrustStoreType(String trustStoreType) {
+ this.trustStoreType = trustStoreType;
+ }
+
public String getTrustStorePath() {
return trustStorePath;
}
diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java b/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java
index 8cb43d3..8b76cbe 100644
--- a/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java
+++ b/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java
@@ -156,6 +156,8 @@ public class NettyAcceptor extends AbstractAcceptor {
private final String keyStoreProvider;
+ private final String keyStoreType;
+
// non-final for testing purposes
private String keyStorePath;
@@ -163,6 +165,8 @@ public class NettyAcceptor extends AbstractAcceptor {
private final String trustStoreProvider;
+ private final String trustStoreType;
+
private final String trustStorePath;
private final String trustStorePassword;
@@ -285,12 +289,16 @@ public class NettyAcceptor extends AbstractAcceptor {
if (sslEnabled) {
keyStoreProvider = ConfigurationHelper.getStringProperty(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME, TransportConstants.DEFAULT_KEYSTORE_PROVIDER, configuration);
+ keyStoreType = ConfigurationHelper.getStringProperty(TransportConstants.KEYSTORE_TYPE_PROP_NAME, TransportConstants.DEFAULT_KEYSTORE_TYPE, configuration);
+
keyStorePath = ConfigurationHelper.getStringProperty(TransportConstants.KEYSTORE_PATH_PROP_NAME, TransportConstants.DEFAULT_KEYSTORE_PATH, configuration);
keyStorePassword = ConfigurationHelper.getPasswordProperty(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, TransportConstants.DEFAULT_KEYSTORE_PASSWORD, configuration, ActiveMQDefaultConfiguration.getPropMaskPassword(), ActiveMQDefaultConfiguration.getPropPasswordCodec());
trustStoreProvider = ConfigurationHelper.getStringProperty(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, TransportConstants.DEFAULT_TRUSTSTORE_PROVIDER, configuration);
+ trustStoreType = ConfigurationHelper.getStringProperty(TransportConstants.TRUSTSTORE_TYPE_PROP_NAME, TransportConstants.DEFAULT_TRUSTSTORE_TYPE, configuration);
+
trustStorePath = ConfigurationHelper.getStringProperty(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, TransportConstants.DEFAULT_TRUSTSTORE_PATH, configuration);
trustStorePassword = ConfigurationHelper.getPasswordProperty(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, TransportConstants.DEFAULT_TRUSTSTORE_PASSWORD, configuration, ActiveMQDefaultConfiguration.getPropMaskPassword(), ActiveMQDefaultConfiguration.getPropPasswordCodec());
@@ -316,18 +324,22 @@ public class NettyAcceptor extends AbstractAcceptor {
sslContextConfig = SSLContextConfig.builder()
.keystoreProvider(keyStoreProvider)
.keystorePath(keyStorePath)
+ .keystoreType(keyStoreType)
.keystorePassword(keyStorePassword)
.truststoreProvider(trustStoreProvider)
.truststorePath(trustStorePath)
+ .truststoreType(trustStoreType)
.truststorePassword(trustStorePassword)
.trustManagerFactoryPlugin(trustManagerFactoryPlugin)
.crlPath(crlPath)
.build();
} else {
keyStoreProvider = TransportConstants.DEFAULT_KEYSTORE_PROVIDER;
+ keyStoreType = TransportConstants.DEFAULT_KEYSTORE_TYPE;
keyStorePath = TransportConstants.DEFAULT_KEYSTORE_PATH;
keyStorePassword = TransportConstants.DEFAULT_KEYSTORE_PASSWORD;
trustStoreProvider = TransportConstants.DEFAULT_TRUSTSTORE_PROVIDER;
+ trustStoreType = TransportConstants.DEFAULT_TRUSTSTORE_TYPE;
trustStorePath = TransportConstants.DEFAULT_TRUSTSTORE_PATH;
trustStorePassword = TransportConstants.DEFAULT_TRUSTSTORE_PASSWORD;
crlPath = TransportConstants.DEFAULT_CRL_PATH;
@@ -424,8 +436,18 @@ public class NettyAcceptor extends AbstractAcceptor {
ChannelPipeline pipeline = channel.pipeline();
Pair<String, Integer> peerInfo = getPeerInfo(channel);
if (sslEnabled) {
- pipeline.addLast("ssl", getSslHandler(channel.alloc(), peerInfo.getA(), peerInfo.getB()));
- pipeline.addLast("sslHandshakeExceptionHandler", new SslHandshakeExceptionHandler());
+ try {
+ pipeline.addLast("ssl", getSslHandler(channel.alloc(), peerInfo.getA(), peerInfo.getB()));
+ pipeline.addLast("sslHandshakeExceptionHandler", new SslHandshakeExceptionHandler());
+ } catch (Exception e) {
+ Throwable rootCause = getRootCause(e);
+ ActiveMQServerLogger.LOGGER.gettingSslHandlerFailed(channel.remoteAddress().toString(), rootCause.getClass().getName() + ": " + rootCause.getMessage());
+
+ if (ActiveMQServerLogger.LOGGER.isDebugEnabled()) {
+ ActiveMQServerLogger.LOGGER.debug("Getting SSL handler failed", e);
+ }
+ throw e;
+ }
}
pipeline.addLast(protocolHandler.getProtocolDecoder());
}
@@ -651,8 +673,8 @@ public class NettyAcceptor extends AbstractAcceptor {
if (configuration.containsKey(TransportConstants.SSL_CONTEXT_PROP_NAME)) {
return;
}
- if (kerb5Config == null && keyStorePath == null && TransportConstants.DEFAULT_TRUSTSTORE_PROVIDER.equals(keyStoreProvider)) {
- throw new IllegalArgumentException("If \"" + TransportConstants.SSL_ENABLED_PROP_NAME + "\" is true then \"" + TransportConstants.KEYSTORE_PATH_PROP_NAME + "\" must be non-null " + "unless an alternative \"" + TransportConstants.KEYSTORE_PROVIDER_PROP_NAME + "\" has been specified.");
+ if (kerb5Config == null && keyStorePath == null && TransportConstants.DEFAULT_KEYSTORE_PROVIDER.equals(keyStoreProvider)) {
+ throw new IllegalArgumentException("If \"" + TransportConstants.SSL_ENABLED_PROP_NAME + "\" is true then \"" + TransportConstants.KEYSTORE_PATH_PROP_NAME + "\" must be non-null unless an alternative \"" + TransportConstants.KEYSTORE_PROVIDER_PROP_NAME + "\" has been specified.");
}
}
@@ -1014,15 +1036,15 @@ public class NettyAcceptor extends AbstractAcceptor {
}
}
}
+ }
- private Throwable getRootCause(Throwable throwable) {
- List<Throwable> list = new ArrayList<>();
- while (throwable != null && list.contains(throwable) == false) {
- list.add(throwable);
- throwable = throwable.getCause();
- }
- return (list.size() < 2 ? throwable : list.get(list.size() - 1));
+ private Throwable getRootCause(Throwable throwable) {
+ List<Throwable> list = new ArrayList<>();
+ while (throwable != null && list.contains(throwable) == false) {
+ list.add(throwable);
+ throwable = throwable.getCause();
}
+ return (list.size() < 2 ? throwable : list.get(list.size() - 1));
}
public boolean isAutoStart() {
diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/ActiveMQServerLogger.java b/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/ActiveMQServerLogger.java
index 632c76e..ea2d2c8 100644
--- a/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/ActiveMQServerLogger.java
+++ b/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/ActiveMQServerLogger.java
@@ -1725,6 +1725,11 @@ public interface ActiveMQServerLogger extends BasicLogger {
@Message(id = 222299, value = "No bootstrap credentials found. User management may not function.", format = Message.Format.MESSAGE_FORMAT)
void noBootstrapCredentialsFound();
+ @LogMessage(level = Logger.Level.WARN)
+ @Message(id = 222300, value = "Getting SSL handler failed when serving client from {0}: {1}.",
+ format = Message.Format.MESSAGE_FORMAT)
+ void gettingSslHandlerFailed(String clientAddress, String cause);
+
@LogMessage(level = Logger.Level.ERROR)
@Message(id = 224000, value = "Failure in initialisation", format = Message.Format.MESSAGE_FORMAT)
void initializationError(@Cause Throwable e);
diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/ConnectorServerFactory.java b/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/ConnectorServerFactory.java
index 4ae7e3e..326ae1b 100644
--- a/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/ConnectorServerFactory.java
+++ b/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/ConnectorServerFactory.java
@@ -43,6 +43,10 @@ public class ConnectorServerFactory {
this.keyStoreProvider = keyStoreProvider;
}
+ public void setkeyStoreType(String keyStoreType) {
+ this.keyStoreType = keyStoreType;
+ }
+
public void setKeyStorePassword(String keyStorePassword) {
this.keyStorePassword = keyStorePassword;
}
@@ -55,6 +59,10 @@ public class ConnectorServerFactory {
this.trustStoreProvider = trustStoreProvider;
}
+ public void setTrustStoreType(String trustStoreType) {
+ this.trustStoreType = trustStoreType;
+ }
+
public void setTrustStorePassword(String trustStorePassword) {
this.trustStorePassword = trustStorePassword;
}
@@ -74,12 +82,16 @@ public class ConnectorServerFactory {
private String keyStoreProvider;
+ private String keyStoreType;
+
private String keyStorePath;
private String keyStorePassword;
private String trustStoreProvider;
+ private String trustStoreType;
+
private String trustStorePath;
private String trustStorePassword;
@@ -89,6 +101,10 @@ public class ConnectorServerFactory {
return keyStoreProvider;
}
+ public String getKeyStoreType() {
+ return keyStoreType;
+ }
+
public String getKeyStorePath() {
return keyStorePath;
}
@@ -105,6 +121,10 @@ public class ConnectorServerFactory {
return trustStoreProvider;
}
+ public String getTrustStoreType() {
+ return trustStoreType;
+ }
+
public String getTrustStorePath() {
return trustStorePath;
}
@@ -234,9 +254,11 @@ public class ConnectorServerFactory {
private void setupSsl() throws Exception {
SSLContext context = new SSLSupport()
.setKeystoreProvider(keyStoreProvider)
+ .setKeystoreType(keyStoreType)
.setKeystorePath(keyStorePath)
.setKeystorePassword(keyStorePassword)
.setTruststoreProvider(trustStoreProvider)
+ .setTruststoreType(trustStoreType)
.setTruststorePath(trustStorePath)
.setTruststorePassword(trustStorePassword)
.createContext();
diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/ManagementConnector.java b/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/ManagementConnector.java
index a73c3f1..c212775 100644
--- a/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/ManagementConnector.java
+++ b/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/ManagementConnector.java
@@ -82,9 +82,11 @@ public class ManagementConnector implements ActiveMQComponent {
connectorServerFactory.setSecured(configuration.isSecured());
connectorServerFactory.setKeyStorePath(configuration.getKeyStorePath());
connectorServerFactory.setkeyStoreProvider(configuration.getKeyStoreProvider());
+ connectorServerFactory.setkeyStoreType(configuration.getKeyStoreType());
connectorServerFactory.setKeyStorePassword(configuration.getKeyStorePassword());
connectorServerFactory.setTrustStorePath(configuration.getTrustStorePath());
connectorServerFactory.setTrustStoreProvider(configuration.getTrustStoreProvider());
+ connectorServerFactory.setTrustStoreType(configuration.getTrustStoreType());
connectorServerFactory.setTrustStorePassword(configuration.getTrustStorePassword());
connectorServerFactory.init();
} catch (Exception e) {
diff --git a/docs/user-manual/en/configuring-transports.md b/docs/user-manual/en/configuring-transports.md
index f596653..9467183 100644
--- a/docs/user-manual/en/configuring-transports.md
+++ b/docs/user-manual/en/configuring-transports.md
@@ -343,8 +343,8 @@ additional properties:
override the server-side setting by either using the customary
"javax.net.ssl.keyStore" system property or the ActiveMQ-specific
"org.apache.activemq.ssl.keyStore" system property. The ActiveMQ-specific
- system property is useful if another component on client is already making use
- of the standard, Java system property.
+ system property is useful if another component on the client is already making
+ use of the standard Java system property.
- `keyStorePassword`
@@ -358,9 +358,27 @@ additional properties:
setting by either using the customary "javax.net.ssl.keyStorePassword" system
property or the ActiveMQ-specific "org.apache.activemq.ssl.keyStorePassword"
system property. The ActiveMQ-specific system property is useful if another
- component on client is already making use of the standard, Java system
+ component on the client is already making use of the standard Java system
property.
+- `keyStoreType`
+
+ The type of keystore being used. For example, `JKS`, `JCEKS`, `PKCS12`, etc.
+ This value can also be set via the "javax.net.ssl.keyStoreType" system property
+ or the ActiveMQ-specific "org.apache.activemq.ssl.keyStoreType" system property.
+ The ActiveMQ-specific system property is useful if another component on the
+ client is already making use of the standard Java system property. Default is
+ `JKS`.
+
+- `keyStoreProvider`
+
+ The provider used for the keystore. For example, `SUN`, `SunJCE`, etc. This
+ value can also be set via the "javax.net.ssl.keyStoreProvider" system property
+ or the ActiveMQ-specific "org.apache.activemq.ssl.keyStoreProvider" system
+ property. The ActiveMQ-specific system property is useful if another component
+ on the client is already making use of the standard Java system property.
+ Default is `null`.
+
- `trustStorePath`
When used on an `acceptor` this is the path to the server-side SSL key store
@@ -375,8 +393,8 @@ additional properties:
then it can override the server-side setting by either using the customary
"javax.net.ssl.trustStore" system property or the ActiveMQ-specific
"org.apache.activemq.ssl.trustStore" system property. The ActiveMQ-specific
- system property is useful if another component on client is already making use
- of the standard, Java system property.
+ system property is useful if another component on the client is already making
+ use of the standard Java system property.
- `trustStorePassword`
@@ -391,9 +409,26 @@ additional properties:
setting by either using the customary "javax.net.ssl.trustStorePassword" system
property or the ActiveMQ-specific "org.apache.activemq.ssl.trustStorePassword"
system property. The ActiveMQ-specific system property is useful if another
- component on client is already making use of the standard, Java system
+ component on the client is already making use of the standard Java system
property.
+- `trustStoreType`
+
+ The type of truststore being used. For example, `JKS`, `JCEKS`, `PKCS12`, etc.
+ This value can also be set via the "javax.net.ssl.trustStoreType" system property
+ or the ActiveMQ-specific "org.apache.activemq.ssl.trustStoreType" system property.
+ The ActiveMQ-specific system property is useful if another component on the client
+ is already making use of the standard Java system property. Default is `JKS`.
+
+- `trustStoreProvider`
+
+ The provider used for the truststore. For example, `SUN`, `SunJCE`, etc. This
+ value can also be set via the "javax.net.ssl.trustStoreProvider" system property
+ or the ActiveMQ-specific "org.apache.activemq.ssl.trustStoreProvider" system
+ property. The ActiveMQ-specific system property is useful if another component
+ on the client is already making use of the standard Java system property.
+ Default is `null`.
+
- `enabledCipherSuites`
Whether used on an `acceptor` or `connector` this is a comma separated list
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/jms/SimpleJNDIClientTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/jms/SimpleJNDIClientTest.java
index 26dbef2..954dd46 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/jms/SimpleJNDIClientTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/jms/SimpleJNDIClientTest.java
@@ -371,9 +371,11 @@ public class SimpleJNDIClientTest extends ActiveMQTestBase {
TransportConstants.LOCAL_ADDRESS_PROP_NAME + "=myLocalAddressPropValue&" +
TransportConstants.LOCAL_PORT_PROP_NAME + "=myLocalPortPropValue&" +
TransportConstants.KEYSTORE_PROVIDER_PROP_NAME + "=myKeystoreProviderPropValue&" +
+ TransportConstants.KEYSTORE_TYPE_PROP_NAME + "=myKeystoreTypePropValue&" +
TransportConstants.KEYSTORE_PATH_PROP_NAME + "=myKeystorePathPropValue&" +
TransportConstants.KEYSTORE_PASSWORD_PROP_NAME + "=myKeystorePasswordPropValue&" +
TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME + "=myTruststoreProviderPropValue&" +
+ TransportConstants.TRUSTSTORE_TYPE_PROP_NAME + "=myTruststoreTypePropValue&" +
TransportConstants.TRUSTSTORE_PATH_PROP_NAME + "=myTruststorePathPropValue&" +
TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME + "=myTruststorePasswordPropValue&" +
TransportConstants.ENABLED_CIPHER_SUITES_PROP_NAME + "=myEnabledCipherSuitesPropValue&" +
@@ -406,9 +408,11 @@ public class SimpleJNDIClientTest extends ActiveMQTestBase {
Assert.assertEquals(parametersFromJNDI.get(TransportConstants.LOCAL_ADDRESS_PROP_NAME), "myLocalAddressPropValue");
Assert.assertEquals(parametersFromJNDI.get(TransportConstants.LOCAL_PORT_PROP_NAME), "myLocalPortPropValue");
Assert.assertEquals(parametersFromJNDI.get(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME), "myKeystoreProviderPropValue");
+ Assert.assertEquals(parametersFromJNDI.get(TransportConstants.KEYSTORE_TYPE_PROP_NAME), "myKeystoreTypePropValue");
Assert.assertEquals(parametersFromJNDI.get(TransportConstants.KEYSTORE_PATH_PROP_NAME), "myKeystorePathPropValue");
Assert.assertEquals(parametersFromJNDI.get(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME), "myKeystorePasswordPropValue");
Assert.assertEquals(parametersFromJNDI.get(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME), "myTruststoreProviderPropValue");
+ Assert.assertEquals(parametersFromJNDI.get(TransportConstants.TRUSTSTORE_TYPE_PROP_NAME), "myTruststoreTypePropValue");
Assert.assertEquals(parametersFromJNDI.get(TransportConstants.TRUSTSTORE_PATH_PROP_NAME), "myTruststorePathPropValue");
Assert.assertEquals(parametersFromJNDI.get(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME), "myTruststorePasswordPropValue");
Assert.assertEquals(parametersFromJNDI.get(TransportConstants.ENABLED_CIPHER_SUITES_PROP_NAME), "myEnabledCipherSuitesPropValue");
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/SecurityTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/SecurityTest.java
index 6c3d2af..9da281c 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/SecurityTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/SecurityTest.java
@@ -381,7 +381,7 @@ public class SecurityTest extends ActiveMQTestBase {
* This test requires a client-side certificate that will be trusted by the server but whose dname will be rejected
* by the CertLogin login module. I created this cert with the follow commands:
*
- * keytool -genkey -keystore bad-client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=Bad Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ"
+ * keytool -genkey -keystore bad-client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=Bad Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
* keytool -export -keystore bad-client-side-keystore.jks -file activemq-jks.cer -storepass secureexample
* keytool -import -keystore server-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt -alias bad
*/
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverOneWaySSLTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverOneWaySSLTest.java
index 785e55b..3853d63 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverOneWaySSLTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverOneWaySSLTest.java
@@ -57,12 +57,18 @@ import org.junit.runners.Parameterized;
public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
String suffix = "";
- @Parameterized.Parameters(name = "storeType={0}")
+ @Parameterized.Parameters(name = "storeProvider={0}, storeType={1}")
public static Collection getParameters() {
- return Arrays.asList(new Object[][]{{"JCEKS"}, {"JKS"}, {"PKCS12"}});
+ return Arrays.asList(new Object[][]{
+ {TransportConstants.DEFAULT_KEYSTORE_PROVIDER, TransportConstants.DEFAULT_KEYSTORE_TYPE},
+ {"SunJCE", "JCEKS"},
+ {"SUN", "JKS"},
+ {"SunJSSE", "PKCS12"}
+ });
}
- public CoreClientOverOneWaySSLTest(String storeType) {
+ public CoreClientOverOneWaySSLTest(String storeProvider, String storeType) {
+ this.storeProvider = storeProvider;
this.storeType = storeType;
suffix = storeType.toLowerCase();
// keytool expects PKCS12 stores to use the extension "p12"
@@ -92,15 +98,15 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
* keytool -import -keystore verified-client-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt
*
* Commands to create the JCEKS artifacts:
- * keytool -genkey -keystore server-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ"
+ * keytool -genkey -keystore server-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
* keytool -export -keystore server-side-keystore.jceks -file activemq-jceks.cer -storetype jceks -storepass secureexample
* keytool -import -keystore client-side-truststore.jceks -storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass secureexample -noprompt
*
- * keytool -genkey -keystore other-server-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=Other ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ"
+ * keytool -genkey -keystore other-server-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=Other ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
* keytool -export -keystore other-server-side-keystore.jceks -file activemq-jceks.cer -storetype jceks -storepass secureexample
* keytool -import -keystore other-client-side-truststore.jceks -storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass secureexample -noprompt
*
- * keytool -genkey -keystore verified-server-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ"
+ * keytool -genkey -keystore verified-server-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
* keytool -export -keystore verified-server-side-keystore.jceks -file activemq-jceks.cer -storetype jceks -storepass secureexample
* keytool -import -keystore verified-client-side-truststore.jceks -storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass secureexample -noprompt
*
@@ -117,6 +123,7 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
* keytool -export -keystore verified-server-side-keystore.p12 -file activemq-p12.cer -storetype PKCS12 -storepass secureexample
* keytool -import -keystore verified-client-side-truststore.p12 -storetype PKCS12 -file activemq-p12.cer -storepass secureexample -keypass secureexample -noprompt
*/
+ private String storeProvider;
private String storeType;
private String SERVER_SIDE_KEYSTORE;
private String CLIENT_SIDE_TRUSTSTORE;
@@ -132,7 +139,8 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
String text = RandomUtil.randomString();
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeProvider);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_TYPE_PROP_NAME, storeType);
tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
@@ -159,7 +167,8 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
String text = RandomUtil.randomString();
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeProvider);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_TYPE_PROP_NAME, storeType);
tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
tc.getParams().put(TransportConstants.SNIHOST_PROP_NAME, "myhost.com");
@@ -186,7 +195,8 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
createCustomSslServer("myhost\\.com");
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeProvider);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_TYPE_PROP_NAME, storeType);
tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
tc.getParams().put(TransportConstants.SNIHOST_PROP_NAME, "badhost.com");
@@ -206,7 +216,8 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocator("tcp://127.0.0.1:61616?" +
TransportConstants.SSL_ENABLED_PROP_NAME + "=true;" +
- TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME + "=" + storeType + ";" +
+ TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME + "=" + storeProvider + ";" +
+ TransportConstants.TRUSTSTORE_TYPE_PROP_NAME + "=" + storeType + ";" +
TransportConstants.TRUSTSTORE_PATH_PROP_NAME + "=" + CLIENT_SIDE_TRUSTSTORE + ";" +
TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME + "=" + PASSWORD + ";" +
TransportConstants.SNIHOST_PROP_NAME + "=badhost.com"));
@@ -225,7 +236,8 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
String text = RandomUtil.randomString();
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeProvider);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_TYPE_PROP_NAME, storeType);
tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
tc.getParams().put(TransportConstants.SNIHOST_PROP_NAME, "myhost.com");
@@ -253,7 +265,8 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
String text = RandomUtil.randomString();
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeProvider);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_TYPE_PROP_NAME, storeType);
tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
@@ -280,7 +293,8 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
String text = RandomUtil.randomString();
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeProvider);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_TYPE_PROP_NAME, storeType);
tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
@@ -309,7 +323,15 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
createCustomSslServer();
String text = RandomUtil.randomString();
- ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocator("tcp://127.0.0.1:61616?sslEnabled=true;trustStoreProvider=" + storeType + ";trustStorePath=" + CLIENT_SIDE_TRUSTSTORE + ";trustStorePassword=" + PASSWORD));
+ String url = "tcp://127.0.0.1:61616?sslEnabled=true;trustStorePath=" + CLIENT_SIDE_TRUSTSTORE + ";trustStorePassword=" + PASSWORD;
+ if (!storeType.equals(TransportConstants.DEFAULT_TRUSTSTORE_TYPE)) {
+ url += ";trustStoreProvider=" + storeProvider;
+ }
+ if (storeProvider != null && !storeProvider.equals(TransportConstants.DEFAULT_TRUSTSTORE_PROVIDER)) {
+ url += ";trustStoreType=" + storeType;
+ }
+ ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocator(url));
+
ClientSessionFactory sf = addSessionFactory(createSessionFactory(locator));
ClientSession session = addClientSession(sf.createSession(false, true, true));
session.createQueue(new QueueConfiguration(CoreClientOverOneWaySSLTest.QUEUE).setDurable(false));
@@ -336,8 +358,14 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
codec.init(params);
String masked = codec.encode(PASSWORD);
-
- ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocator("tcp://127.0.0.1:61616?sslEnabled=true;trustStoreProvider=" + storeType + ";trustStorePath=" + CLIENT_SIDE_TRUSTSTORE + ";trustStorePassword=" + masked + ";activemq.usemaskedpassword=true"));
+ String url = "tcp://127.0.0.1:61616?sslEnabled=true;trustStorePath=" + CLIENT_SIDE_TRUSTSTORE + ";trustStorePassword=" + masked + ";activemq.usemaskedpassword=true";
+ if (!storeType.equals(TransportConstants.DEFAULT_TRUSTSTORE_TYPE)) {
+ url += ";trustStoreProvider=" + storeProvider;
+ }
+ if (storeProvider != null && !storeProvider.equals(TransportConstants.DEFAULT_TRUSTSTORE_PROVIDER)) {
+ url += ";trustStoreType=" + storeType;
+ }
+ ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocator(url));
ClientSessionFactory sf = addSessionFactory(createSessionFactory(locator));
ClientSession session = addClientSession(sf.createSession(false, true, true));
session.createQueue(new QueueConfiguration(CoreClientOverOneWaySSLTest.QUEUE).setDurable(false));
@@ -365,7 +393,15 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
String masked = codec.encode(PASSWORD);
- ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocator("tcp://127.0.0.1:61616?sslEnabled=true;trustStoreProvider=" + storeType + ";trustStorePath=" + CLIENT_SIDE_TRUSTSTORE + ";trustStorePassword=ENC(" + masked + ")"));
+ String url = "tcp://127.0.0.1:61616?sslEnabled=true;trustStorePath=" + CLIENT_SIDE_TRUSTSTORE + ";trustStorePassword=ENC(" + masked + ")";
+ if (!storeType.equals(TransportConstants.DEFAULT_TRUSTSTORE_TYPE)) {
+ url += ";trustStoreProvider=" + storeProvider;
+ }
+ if (storeProvider != null && !storeProvider.equals(TransportConstants.DEFAULT_TRUSTSTORE_PROVIDER)) {
+ url += ";trustStoreType=" + storeType;
+ }
+ ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocator(url));
+// ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocator("tcp://127.0.0.1:61616?sslEnabled=true;trustStoreProvider=" + storeProvider + ";trustStoreType=" + storeType + ";trustStorePath=" + CLIENT_SIDE_TRUSTSTORE + ";trustStorePassword=ENC(" + masked + ")"));
ClientSessionFactory sf = addSessionFactory(createSessionFactory(locator));
ClientSession session = addClientSession(sf.createSession(false, true, true));
session.createQueue(new QueueConfiguration(CoreClientOverOneWaySSLTest.QUEUE).setDurable(false));
@@ -391,7 +427,8 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
tc.getParams().put(TransportConstants.USE_DEFAULT_SSL_CONTEXT_PROP_NAME, true);
SSLContext.setDefault(new SSLSupport()
- .setTruststoreProvider(storeType)
+ .setTruststoreProvider(storeProvider)
+ .setTruststoreType(storeType)
.setTruststorePath(CLIENT_SIDE_TRUSTSTORE)
.setTruststorePassword(PASSWORD)
.createContext());
@@ -419,7 +456,8 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
String text = RandomUtil.randomString();
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeProvider);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_TYPE_PROP_NAME, storeType);
tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "verified-" + CLIENT_SIDE_TRUSTSTORE);
tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
tc.getParams().put(TransportConstants.VERIFY_HOST_PROP_NAME, true);
@@ -447,7 +485,8 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
String text = RandomUtil.randomString();
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeProvider);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_TYPE_PROP_NAME, storeType);
tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
tc.getParams().put(TransportConstants.VERIFY_HOST_PROP_NAME, true);
@@ -470,7 +509,8 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
// create a valid SSL connection and keep it for use later
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeProvider);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_TYPE_PROP_NAME, storeType);
tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
@@ -482,7 +522,8 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
// create an invalid SSL connection
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeProvider);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_TYPE_PROP_NAME, storeType);
tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "other-client-side-truststore." + suffix);
tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
@@ -526,7 +567,8 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
public void testOneWaySSLWithBadClientCipherSuite() throws Exception {
createCustomSslServer();
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeProvider);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_TYPE_PROP_NAME, storeType);
tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
tc.getParams().put(TransportConstants.ENABLED_CIPHER_SUITES_PROP_NAME, "myBadCipherSuite");
@@ -544,7 +586,8 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
public void testOneWaySSLWithBadServerCipherSuite() throws Exception {
createCustomSslServer("myBadCipherSuite", null);
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeProvider);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_TYPE_PROP_NAME, storeType);
tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
@@ -561,7 +604,8 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
public void testOneWaySSLWithMismatchedCipherSuites() throws Exception {
createCustomSslServer(getEnabledCipherSuites()[0], "TLSv1.2");
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeProvider);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_TYPE_PROP_NAME, storeType);
tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
tc.getParams().put(TransportConstants.ENABLED_CIPHER_SUITES_PROP_NAME, getEnabledCipherSuites()[1]);
@@ -580,7 +624,8 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
public void testOneWaySSLWithBadClientProtocol() throws Exception {
createCustomSslServer();
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeProvider);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_TYPE_PROP_NAME, storeType);
tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
tc.getParams().put(TransportConstants.ENABLED_PROTOCOLS_PROP_NAME, "myBadProtocol");
@@ -598,7 +643,8 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
public void testOneWaySSLWithBadServerProtocol() throws Exception {
createCustomSslServer(null, "myBadProtocol");
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeProvider);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_TYPE_PROP_NAME, storeType);
tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
@@ -615,7 +661,8 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
public void testOneWaySSLWithMismatchedProtocols() throws Exception {
createCustomSslServer(null, "TLSv1");
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeProvider);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_TYPE_PROP_NAME, storeType);
tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
tc.getParams().put(TransportConstants.ENABLED_PROTOCOLS_PROP_NAME, "TLSv1.2");
@@ -634,7 +681,8 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
public void testPOODLE() throws Exception {
createCustomSslServer(null, "SSLv3");
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeProvider);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_TYPE_PROP_NAME, storeType);
tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
tc.getParams().put(TransportConstants.ENABLED_PROTOCOLS_PROP_NAME, "SSLv3");
@@ -654,7 +702,8 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
String text = RandomUtil.randomString();
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeProvider);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_TYPE_PROP_NAME, storeType);
tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
tc.getParams().put(TransportConstants.ENABLED_CIPHER_SUITES_PROP_NAME, getSuitableCipherSuite());
@@ -689,7 +738,8 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
String text = RandomUtil.randomString();
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeProvider);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_TYPE_PROP_NAME, storeType);
tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
tc.getParams().put(TransportConstants.ENABLED_PROTOCOLS_PROP_NAME, "TLSv1.2");
@@ -723,7 +773,8 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
String text = RandomUtil.randomString();
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeProvider);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_TYPE_PROP_NAME, storeType);
tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
tc.getParams().put(TransportConstants.ENABLED_PROTOCOLS_PROP_NAME, "TLSv1");
@@ -758,7 +809,8 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
String text = RandomUtil.randomString();
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeProvider);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_TYPE_PROP_NAME, storeType);
tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
@@ -791,7 +843,8 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
String[] suites = getEnabledCipherSuites();
- /** The JKS certs are generated using Java keytool using RSA and not ECDSA but the JVM prefers ECDSA over RSA so we have
+ /**
+ * The JKS certs are generated using Java keytool using RSA and not ECDSA but the JVM prefers ECDSA over RSA so we have
* to look through the cipher suites until we find one that's suitable for us.
* If the JVM running this test is version 7 from Oracle then this cipher suite will will almost certainly require
* TLSv1.2 (which is not enabled on the client by default).
@@ -799,14 +852,12 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
* preferred cipher suites.
*/
- /** JCEKS is much more sensitive to the cipher suite for some reason. I have only gotten it to work with:
- * TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
- * TLS_DHE_DSS_WITH_AES_128_CBC_SHA
- * SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
+ /**
+ * JCEKS is essentially the same story as JKS
*/
for (int i = 0; i < suites.length; i++) {
String suite = suites[i];
- if ((storeType.equals("JCEKS") && suite.contains("DHE_DSS_WITH")) || (!storeType.equals("JCEKS") && !suite.contains("ECDSA") && suite.contains("RSA"))) {
+ if ((storeType.equals("JCEKS") && suite.contains("RSA") && !suite.contains("ECDH_")) || (!storeType.equals("JCEKS") && !suite.contains("ECDSA") && suite.contains("RSA"))) {
result = suite;
break;
}
@@ -817,10 +868,12 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
public String[] getEnabledCipherSuites() throws Exception {
SSLContext context = new SSLSupport()
- .setKeystoreProvider(storeType)
+ .setKeystoreProvider(storeProvider)
+ .setKeystoreType(storeType)
.setKeystorePath(SERVER_SIDE_KEYSTORE)
.setKeystorePassword(PASSWORD)
- .setTruststoreProvider(storeType)
+ .setTruststoreProvider(storeProvider)
+ .setTruststoreType(storeType)
.setTruststorePath(CLIENT_SIDE_TRUSTSTORE)
.setTruststorePassword(PASSWORD)
.createContext();
@@ -848,7 +901,8 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
public void testOneWaySSLWithIncorrectTrustStorePassword() throws Exception {
createCustomSslServer();
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeProvider);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_TYPE_PROP_NAME, storeType);
tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "invalid password");
@@ -938,7 +992,8 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
String trustManagerFactoryPlugin) throws Exception {
Map<String, Object> params = new HashMap<>();
params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- params.put(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME, storeType);
+ params.put(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME, storeProvider);
+ params.put(TransportConstants.KEYSTORE_TYPE_PROP_NAME, storeType);
if (sniHost != null) {
params.put(TransportConstants.SNIHOST_PROP_NAME, sniHost);
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWayOpenSSLServerTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWayOpenSSLServerTest.java
deleted file mode 100644
index d9c36b3..0000000
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWayOpenSSLServerTest.java
+++ /dev/null
@@ -1,319 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.activemq.artemis.tests.integration.ssl;
-
-import io.netty.handler.ssl.SslHandler;
-import org.apache.activemq.artemis.api.core.ActiveMQException;
-import org.apache.activemq.artemis.api.core.ActiveMQNotConnectedException;
-import org.apache.activemq.artemis.api.core.Interceptor;
-import org.apache.activemq.artemis.api.core.QueueConfiguration;
-import org.apache.activemq.artemis.api.core.SimpleString;
-import org.apache.activemq.artemis.api.core.TransportConfiguration;
-import org.apache.activemq.artemis.api.core.client.ActiveMQClient;
-import org.apache.activemq.artemis.api.core.client.ClientConsumer;
-import org.apache.activemq.artemis.api.core.client.ClientMessage;
-import org.apache.activemq.artemis.api.core.client.ClientProducer;
-import org.apache.activemq.artemis.api.core.client.ClientSession;
-import org.apache.activemq.artemis.api.core.client.ClientSessionFactory;
-import org.apache.activemq.artemis.api.core.client.ServerLocator;
-import org.apache.activemq.artemis.core.config.impl.ConfigurationImpl;
-import org.apache.activemq.artemis.core.protocol.core.Packet;
-import org.apache.activemq.artemis.core.protocol.core.impl.PacketImpl;
-import org.apache.activemq.artemis.core.remoting.impl.netty.NettyAcceptor;
-import org.apache.activemq.artemis.core.remoting.impl.netty.NettyConnection;
-import org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants;
-import org.apache.activemq.artemis.core.server.ActiveMQServer;
-import org.apache.activemq.artemis.spi.core.protocol.RemotingConnection;
-import org.apache.activemq.artemis.tests.util.ActiveMQTestBase;
-import org.apache.activemq.artemis.utils.RandomUtil;
-import org.junit.Assert;
-import org.junit.Before;
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.junit.runners.Parameterized;
-
-import javax.net.ssl.SSLPeerUnverifiedException;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.HashMap;
-import java.util.Map;
-
-/**
- * Test connecting to a server running with OpenSSL TLS from a client that is running with JDK TLS
- */
-@RunWith(value = Parameterized.class)
-public class CoreClientOverTwoWayOpenSSLServerTest extends ActiveMQTestBase {
-
- @Parameterized.Parameters(name = "storeType={0}")
- public static Collection getParameters() {
- return Arrays.asList(new Object[][]{{"JCEKS"}, {"JKS"}});
- }
-
- public CoreClientOverTwoWayOpenSSLServerTest(String storeType) {
- this.storeType = storeType;
- SERVER_SIDE_KEYSTORE = "openssl-server-side-keystore." + storeType.toLowerCase();
- SERVER_SIDE_TRUSTSTORE = "openssl-server-side-truststore." + storeType.toLowerCase();
- CLIENT_SIDE_TRUSTSTORE = "openssl-client-side-truststore." + storeType.toLowerCase();
- CLIENT_SIDE_KEYSTORE = "openssl-client-side-keystore." + storeType.toLowerCase();
- }
-
- public static final SimpleString QUEUE = new SimpleString("QueueOverSSL");
-
- /**
- * See {@link CoreClientOverTwoWayOpenSSLTest} for details about the SSL artifacts needed for this test.
- */
-
- private String storeType;
- private String SERVER_SIDE_KEYSTORE;
- private String SERVER_SIDE_TRUSTSTORE;
- private String CLIENT_SIDE_TRUSTSTORE;
- private String CLIENT_SIDE_KEYSTORE;
- private final String PASSWORD = "secureexample";
-
- private ActiveMQServer server;
-
- private TransportConfiguration tc;
-
- private class MyInterceptor implements Interceptor {
-
- @Override
- public boolean intercept(final Packet packet, final RemotingConnection connection) throws ActiveMQException {
- if (packet.getType() == PacketImpl.SESS_SEND) {
- try {
- if (connection.getTransportConnection() instanceof NettyConnection) {
- NettyConnection nettyConnection = (NettyConnection) connection.getTransportConnection();
- SslHandler sslHandler = (SslHandler) nettyConnection.getChannel().pipeline().get("ssl");
- Assert.assertNotNull(sslHandler);
- Assert.assertNotNull(sslHandler.engine().getSession());
- Assert.assertNotNull(sslHandler.engine().getSession().getPeerCertificateChain());
- }
- } catch (SSLPeerUnverifiedException e) {
- Assert.fail(e.getMessage());
- }
- }
- return true;
- }
- }
-
- @Test
- public void testTwoWaySSL() throws Exception {
- String text = RandomUtil.randomString();
-
- tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
- tc.getParams().put(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME, storeType);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
- tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, CLIENT_SIDE_KEYSTORE);
- tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, PASSWORD);
- //tc.getParams().put(TransportConstants.ENABLED_CIPHER_SUITES_PROP_NAME, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256");
-
- server.getRemotingService().addIncomingInterceptor(new MyInterceptor());
-
- ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
- ClientSessionFactory sf = createSessionFactory(locator);
- ClientSession session = sf.createSession(false, true, true);
- session.createQueue(new QueueConfiguration(CoreClientOverTwoWayOpenSSLServerTest.QUEUE).setDurable(false));
- ClientProducer producer = session.createProducer(CoreClientOverTwoWayOpenSSLServerTest.QUEUE);
-
- ClientMessage message = createTextMessage(session, text);
- producer.send(message);
-
- ClientConsumer consumer = session.createConsumer(CoreClientOverTwoWayOpenSSLServerTest.QUEUE);
- session.start();
-
- ClientMessage m = consumer.receive(1000);
- Assert.assertNotNull(m);
- Assert.assertEquals(text, m.getBodyBuffer().readString());
- }
-
- @Test
- public void testTwoWaySSLVerifyClientHost() throws Exception {
- NettyAcceptor acceptor = (NettyAcceptor) server.getRemotingService().getAcceptor("nettySSL");
- acceptor.getConfiguration().put(TransportConstants.VERIFY_HOST_PROP_NAME, true);
- acceptor.getConfiguration().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "verified-" + SERVER_SIDE_TRUSTSTORE);
- server.getRemotingService().stop(false);
- server.getRemotingService().start();
- server.getRemotingService().startAcceptors();
-
- String text = RandomUtil.randomString();
-
- tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
- tc.getParams().put(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME, storeType);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
- tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "verified-" + CLIENT_SIDE_KEYSTORE);
- tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, PASSWORD);
-
- server.getRemotingService().addIncomingInterceptor(new MyInterceptor());
-
- ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
- ClientSessionFactory sf = createSessionFactory(locator);
- ClientSession session = sf.createSession(false, true, true);
- session.createQueue(new QueueConfiguration(CoreClientOverTwoWayOpenSSLServerTest.QUEUE).setDurable(false));
- ClientProducer producer = session.createProducer(CoreClientOverTwoWayOpenSSLServerTest.QUEUE);
-
- ClientMessage message = createTextMessage(session, text);
- producer.send(message);
-
- ClientConsumer consumer = session.createConsumer(CoreClientOverTwoWayOpenSSLServerTest.QUEUE);
- session.start();
-
- ClientMessage m = consumer.receive(1000);
- Assert.assertNotNull(m);
- Assert.assertEquals(text, m.getBodyBuffer().readString());
- }
-
- @Test
- public void testTwoWaySSLVerifyClientHostNegative() throws Exception {
- NettyAcceptor acceptor = (NettyAcceptor) server.getRemotingService().getAcceptor("nettySSL");
- acceptor.getConfiguration().put(TransportConstants.VERIFY_HOST_PROP_NAME, true);
- server.getRemotingService().stop(false);
- server.getRemotingService().start();
- server.getRemotingService().startAcceptors();
-
- tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
- tc.getParams().put(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME, storeType);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
- tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, CLIENT_SIDE_KEYSTORE);
- tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, PASSWORD);
-
- server.getRemotingService().addIncomingInterceptor(new MyInterceptor());
-
- ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
- try {
- ClientSessionFactory sf = createSessionFactory(locator);
- fail("Creating a session here should fail due to a certificate with a CN that doesn't match the host name.");
- } catch (ActiveMQNotConnectedException se) {
- // ignore
- }
- }
-
- @Test
- public void testTwoWaySSLVerifyClientTrustAllTrue() throws Exception {
- NettyAcceptor acceptor = (NettyAcceptor) server.getRemotingService().getAcceptor("nettySSL");
- acceptor.getConfiguration().put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, true);
- server.getRemotingService().stop(false);
- server.getRemotingService().start();
- server.getRemotingService().startAcceptors();
-
- //Set trust all so this should work even with no trust store set
- tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUST_ALL_PROP_NAME, true);
- tc.getParams().put(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME, storeType);
- tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, CLIENT_SIDE_KEYSTORE);
- tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, PASSWORD);
-
- server.getRemotingService().addIncomingInterceptor(new MyInterceptor());
-
- ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
- ClientSessionFactory sf = createSessionFactory(locator);
- sf.close();
- }
-
- @Test
- public void testTwoWaySSLVerifyClientTrustAllTrueByURI() throws Exception {
- NettyAcceptor acceptor = (NettyAcceptor) server.getRemotingService().getAcceptor("nettySSL");
- acceptor.getConfiguration().put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, true);
- server.getRemotingService().stop(false);
- server.getRemotingService().start();
- server.getRemotingService().startAcceptors();
-
- //Set trust all so this should work even with no trust store set
- StringBuilder uri = new StringBuilder("tcp://" + tc.getParams().get(TransportConstants.HOST_PROP_NAME).toString()
- + ":" + tc.getParams().get(TransportConstants.PORT_PROP_NAME).toString());
-
- uri.append("?").append(TransportConstants.SSL_ENABLED_PROP_NAME).append("=true");
- uri.append("&").append(TransportConstants.TRUST_ALL_PROP_NAME).append("=true");
- uri.append("&").append(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME).append("=").append(storeType);
- uri.append("&").append(TransportConstants.KEYSTORE_PATH_PROP_NAME).append("=").append(CLIENT_SIDE_KEYSTORE);
- uri.append("&").append(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME).append("=").append(PASSWORD);
-
- server.getRemotingService().addIncomingInterceptor(new MyInterceptor());
-
- ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocator(uri.toString()));
- ClientSessionFactory sf = createSessionFactory(locator);
- sf.close();
- }
-
- @Test
- public void testTwoWaySSLVerifyClientTrustAllFalse() throws Exception {
- NettyAcceptor acceptor = (NettyAcceptor) server.getRemotingService().getAcceptor("nettySSL");
- acceptor.getConfiguration().put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, true);
- server.getRemotingService().stop(false);
- server.getRemotingService().start();
- server.getRemotingService().startAcceptors();
-
- //Trust all defaults to false so this should fail with no trust store set
- tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME, storeType);
- tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, CLIENT_SIDE_KEYSTORE);
- tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, PASSWORD);
-
- server.getRemotingService().addIncomingInterceptor(new MyInterceptor());
-
- ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
- try {
- ClientSessionFactory sf = createSessionFactory(locator);
- fail("Creating a session here should fail due to no trust store being set");
- } catch (ActiveMQNotConnectedException se) {
- // ignore
- }
- }
-
- @Test
- public void testTwoWaySSLWithoutClientKeyStore() throws Exception {
- tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
-
- ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
- try {
- createSessionFactory(locator);
- Assert.fail();
- } catch (ActiveMQNotConnectedException se) {
- //ok
- } catch (ActiveMQException e) {
- Assert.fail("Invalid Exception type:" + e.getType());
- }
- }
-
- @Override
- @Before
- public void setUp() throws Exception {
- super.setUp();
- Map<String, Object> params = new HashMap<>();
- params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- params.put(TransportConstants.SSL_PROVIDER, TransportConstants.OPENSSL_PROVIDER);
- params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, SERVER_SIDE_KEYSTORE);
- params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, PASSWORD);
- params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, SERVER_SIDE_TRUSTSTORE);
- params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
- params.put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
- params.put(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME, storeType);
- params.put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, true);
- ConfigurationImpl config = createBasicConfig().addAcceptorConfiguration(new TransportConfiguration(NETTY_ACCEPTOR_FACTORY, params, "nettySSL"));
- server = createServer(false, config);
- server.start();
- waitForServerToStart(server);
- tc = new TransportConfiguration(NETTY_CONNECTOR_FACTORY);
- }
-}
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWayOpenSSLTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWayOpenSSLTest.java
deleted file mode 100644
index 78f3caa..0000000
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWayOpenSSLTest.java
+++ /dev/null
@@ -1,351 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.activemq.artemis.tests.integration.ssl;
-
-import io.netty.handler.ssl.SslHandler;
-import org.apache.activemq.artemis.api.core.ActiveMQException;
-import org.apache.activemq.artemis.api.core.ActiveMQNotConnectedException;
-import org.apache.activemq.artemis.api.core.Interceptor;
-import org.apache.activemq.artemis.api.core.QueueConfiguration;
-import org.apache.activemq.artemis.api.core.SimpleString;
-import org.apache.activemq.artemis.api.core.TransportConfiguration;
-import org.apache.activemq.artemis.api.core.client.ActiveMQClient;
-import org.apache.activemq.artemis.api.core.client.ClientConsumer;
-import org.apache.activemq.artemis.api.core.client.ClientMessage;
-import org.apache.activemq.artemis.api.core.client.ClientProducer;
-import org.apache.activemq.artemis.api.core.client.ClientSession;
-import org.apache.activemq.artemis.api.core.client.ClientSessionFactory;
-import org.apache.activemq.artemis.api.core.client.ServerLocator;
-import org.apache.activemq.artemis.core.config.impl.ConfigurationImpl;
-import org.apache.activemq.artemis.core.protocol.core.Packet;
-import org.apache.activemq.artemis.core.protocol.core.impl.PacketImpl;
-import org.apache.activemq.artemis.core.remoting.impl.netty.NettyAcceptor;
-import org.apache.activemq.artemis.core.remoting.impl.netty.NettyConnection;
-import org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants;
-import org.apache.activemq.artemis.core.server.ActiveMQServer;
-import org.apache.activemq.artemis.spi.core.protocol.RemotingConnection;
-import org.apache.activemq.artemis.tests.util.ActiveMQTestBase;
-import org.apache.activemq.artemis.utils.RandomUtil;
-import org.junit.Assert;
-import org.junit.Before;
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.junit.runners.Parameterized;
-
-import javax.net.ssl.SSLPeerUnverifiedException;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.HashMap;
-import java.util.Map;
-
-/**
- * Testing connection where client and server are running OpenSSL TLS
- */
-@RunWith(value = Parameterized.class)
-public class CoreClientOverTwoWayOpenSSLTest extends ActiveMQTestBase {
-
- @Parameterized.Parameters(name = "storeType={0}")
- public static Collection getParameters() {
- return Arrays.asList(new Object[][]{{"JCEKS"}, {"JKS"}});
- }
-
- public CoreClientOverTwoWayOpenSSLTest(String storeType) {
- this.storeType = storeType;
- SERVER_SIDE_KEYSTORE = "openssl-server-side-keystore." + storeType.toLowerCase();
- SERVER_SIDE_TRUSTSTORE = "openssl-server-side-truststore." + storeType.toLowerCase();
- CLIENT_SIDE_TRUSTSTORE = "openssl-client-side-truststore." + storeType.toLowerCase();
- CLIENT_SIDE_KEYSTORE = "openssl-client-side-keystore." + storeType.toLowerCase();
- }
-
- public static final SimpleString QUEUE = new SimpleString("QueueOverSSL");
-
- /**
- * These artifacts are required for testing 2-way SSL with open SSL - note the EC key and ECDSA signature to comply with what OpenSSL offers
- *
- * Commands to create the JKS artifacts:
- * keytool -genkey -keystore openssl-client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA
- * keytool -export -keystore openssl-client-side-keystore.jks -file activemq-jks.cer -storepass secureexample
- * keytool -import -keystore openssl-server-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt
- *
- * keytool -genkey -keystore openssl-server-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA
- * keytool -export -keystore openssl-server-side-keystore.jks -file activemq-jks.cer -storepass secureexample
- * keytool -import -keystore openssl-client-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt
- *
- * keytool -genkey -keystore verified-openssl-client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA -ext san=ip:127.0.0.1
- * keytool -export -keystore verified-openssl-client-side-keystore.jks -file activemq-jks.cer -storepass secureexample
- * keytool -import -keystore verified-openssl-server-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt
- *
- * Commands to create the JCEKS artifacts:
- * keytool -genkey -keystore openssl-client-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA
- * keytool -export -keystore openssl-client-side-keystore.jceks -file activemq-jceks.cer -storetype jceks -storepass secureexample
- * keytool -import -keystore openssl-server-side-truststore.jceks -storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass secureexample -noprompt
- *
- * keytool -genkey -keystore openssl-server-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA
- * keytool -export -keystore openssl-server-side-keystore.jceks -file activemq-jceks.cer -storetype jceks -storepass secureexample
- * keytool -import -keystore openssl-client-side-truststore.jceks -storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass secureexample -noprompt
- *
- * keytool -genkey -keystore verified-openssl-client-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA -ext san=ip:127.0.0.1
- * keytool -export -keystore verified-openssl-client-side-keystore.jceks -file activemq-jceks.cer -storetype jceks -storepass secureexample
- * keytool -import -keystore verified-openssl-server-side-truststore.jceks -storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass secureexample -noprompt
- *
- */
-
- private String storeType;
- private String SERVER_SIDE_KEYSTORE;
- private String SERVER_SIDE_TRUSTSTORE;
- private String CLIENT_SIDE_TRUSTSTORE;
- private String CLIENT_SIDE_KEYSTORE;
- private final String PASSWORD = "secureexample";
-
- private ActiveMQServer server;
-
- private TransportConfiguration tc;
-
- private class MyInterceptor implements Interceptor {
-
- @Override
- public boolean intercept(final Packet packet, final RemotingConnection connection) throws ActiveMQException {
- if (packet.getType() == PacketImpl.SESS_SEND) {
- try {
- if (connection.getTransportConnection() instanceof NettyConnection) {
- NettyConnection nettyConnection = (NettyConnection) connection.getTransportConnection();
- SslHandler sslHandler = (SslHandler) nettyConnection.getChannel().pipeline().get("ssl");
- Assert.assertNotNull(sslHandler);
- Assert.assertNotNull(sslHandler.engine().getSession());
- Assert.assertNotNull(sslHandler.engine().getSession().getPeerCertificateChain());
- }
- } catch (SSLPeerUnverifiedException e) {
- Assert.fail(e.getMessage());
- }
- }
- return true;
- }
- }
-
- @Test
- public void testTwoWaySSL() throws Exception {
- String text = RandomUtil.randomString();
-
- tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.SSL_PROVIDER, TransportConstants.OPENSSL_PROVIDER);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
- tc.getParams().put(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME, storeType);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
- tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, CLIENT_SIDE_KEYSTORE);
- tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, PASSWORD);
- //tc.getParams().put(TransportConstants.ENABLED_CIPHER_SUITES_PROP_NAME, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256");
-
- server.getRemotingService().addIncomingInterceptor(new MyInterceptor());
-
- ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
- ClientSessionFactory sf = createSessionFactory(locator);
- ClientSession session = sf.createSession(false, true, true);
- session.createQueue(new QueueConfiguration(CoreClientOverTwoWayOpenSSLTest.QUEUE).setDurable(false));
- ClientProducer producer = session.createProducer(CoreClientOverTwoWayOpenSSLTest.QUEUE);
-
- ClientMessage message = createTextMessage(session, text);
- producer.send(message);
-
- ClientConsumer consumer = session.createConsumer(CoreClientOverTwoWayOpenSSLTest.QUEUE);
- session.start();
-
- ClientMessage m = consumer.receive(1000);
- Assert.assertNotNull(m);
- Assert.assertEquals(text, m.getBodyBuffer().readString());
- }
-
- @Test
- public void testTwoWaySSLVerifyClientHost() throws Exception {
- NettyAcceptor acceptor = (NettyAcceptor) server.getRemotingService().getAcceptor("nettySSL");
- acceptor.getConfiguration().put(TransportConstants.VERIFY_HOST_PROP_NAME, true);
- acceptor.getConfiguration().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "verified-" + SERVER_SIDE_TRUSTSTORE);
- server.getRemotingService().stop(false);
- server.getRemotingService().start();
- server.getRemotingService().startAcceptors();
-
- String text = RandomUtil.randomString();
-
- tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.SSL_PROVIDER, TransportConstants.OPENSSL_PROVIDER);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
- tc.getParams().put(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME, storeType);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
- tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "verified-" + CLIENT_SIDE_KEYSTORE);
- tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, PASSWORD);
-
- server.getRemotingService().addIncomingInterceptor(new MyInterceptor());
-
- ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
- ClientSessionFactory sf = createSessionFactory(locator);
- ClientSession session = sf.createSession(false, true, true);
- session.createQueue(new QueueConfiguration(CoreClientOverTwoWayOpenSSLTest.QUEUE).setDurable(false));
- ClientProducer producer = session.createProducer(CoreClientOverTwoWayOpenSSLTest.QUEUE);
-
- ClientMessage message = createTextMessage(session, text);
- producer.send(message);
-
- ClientConsumer consumer = session.createConsumer(CoreClientOverTwoWayOpenSSLTest.QUEUE);
- session.start();
-
- ClientMessage m = consumer.receive(1000);
- Assert.assertNotNull(m);
- Assert.assertEquals(text, m.getBodyBuffer().readString());
- }
-
- @Test
- public void testTwoWaySSLVerifyClientHostNegative() throws Exception {
- NettyAcceptor acceptor = (NettyAcceptor) server.getRemotingService().getAcceptor("nettySSL");
- acceptor.getConfiguration().put(TransportConstants.VERIFY_HOST_PROP_NAME, true);
- server.getRemotingService().stop(false);
- server.getRemotingService().start();
- server.getRemotingService().startAcceptors();
-
- tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.SSL_PROVIDER, TransportConstants.OPENSSL_PROVIDER);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
- tc.getParams().put(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME, storeType);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
- tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, CLIENT_SIDE_KEYSTORE);
- tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, PASSWORD);
-
- server.getRemotingService().addIncomingInterceptor(new MyInterceptor());
-
- ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
- try {
- ClientSessionFactory sf = createSessionFactory(locator);
- fail("Creating a session here should fail due to a certificate with a CN that doesn't match the host name.");
- } catch (ActiveMQException ignore) {
- // ignore
- }
- }
-
- @Test
- public void testTwoWaySSLVerifyClientTrustAllTrue() throws Exception {
- NettyAcceptor acceptor = (NettyAcceptor) server.getRemotingService().getAcceptor("nettySSL");
- acceptor.getConfiguration().put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, true);
- server.getRemotingService().stop(false);
- server.getRemotingService().start();
- server.getRemotingService().startAcceptors();
-
- //Set trust all so this should work even with no trust store set
- tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.SSL_PROVIDER, TransportConstants.OPENSSL_PROVIDER);
- tc.getParams().put(TransportConstants.TRUST_ALL_PROP_NAME, true);
- tc.getParams().put(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME, storeType);
- tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, CLIENT_SIDE_KEYSTORE);
- tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, PASSWORD);
-
- server.getRemotingService().addIncomingInterceptor(new MyInterceptor());
-
- ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
- ClientSessionFactory sf = createSessionFactory(locator);
- sf.close();
- }
-
- @Test
- public void testTwoWaySSLVerifyClientTrustAllTrueByURI() throws Exception {
- NettyAcceptor acceptor = (NettyAcceptor) server.getRemotingService().getAcceptor("nettySSL");
- acceptor.getConfiguration().put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, true);
- server.getRemotingService().stop(false);
- server.getRemotingService().start();
- server.getRemotingService().startAcceptors();
-
- //Set trust all so this should work even with no trust store set
- StringBuilder uri = new StringBuilder("tcp://" + tc.getParams().get(TransportConstants.HOST_PROP_NAME).toString()
- + ":" + tc.getParams().get(TransportConstants.PORT_PROP_NAME).toString());
-
- uri.append("?").append(TransportConstants.SSL_ENABLED_PROP_NAME).append("=true");
- uri.append("&").append(TransportConstants.SSL_PROVIDER).append("=").append(TransportConstants.OPENSSL_PROVIDER);
- uri.append("&").append(TransportConstants.TRUST_ALL_PROP_NAME).append("=true");
- uri.append("&").append(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME).append("=").append(storeType);
- uri.append("&").append(TransportConstants.KEYSTORE_PATH_PROP_NAME).append("=").append(CLIENT_SIDE_KEYSTORE);
- uri.append("&").append(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME).append("=").append(PASSWORD);
-
- server.getRemotingService().addIncomingInterceptor(new MyInterceptor());
-
- ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocator(uri.toString()));
- ClientSessionFactory sf = createSessionFactory(locator);
- sf.close();
- }
-
- @Test
- public void testTwoWaySSLVerifyClientTrustAllFalse() throws Exception {
- NettyAcceptor acceptor = (NettyAcceptor) server.getRemotingService().getAcceptor("nettySSL");
- acceptor.getConfiguration().put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, true);
- server.getRemotingService().stop(false);
- server.getRemotingService().start();
- server.getRemotingService().startAcceptors();
-
- //Trust all defaults to false so this should fail with no trust store set
- tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME, storeType);
- tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, CLIENT_SIDE_KEYSTORE);
- tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, PASSWORD);
-
- server.getRemotingService().addIncomingInterceptor(new MyInterceptor());
-
- ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
- try {
- ClientSessionFactory sf = createSessionFactory(locator);
- fail("Creating a session here should fail due to no trust store being set");
- } catch (ActiveMQNotConnectedException se) {
- // ignore
- }
- }
-
- @Test
- public void testTwoWaySSLWithoutClientKeyStore() throws Exception {
- tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
-
- ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
- try {
- createSessionFactory(locator);
- Assert.fail();
- } catch (ActiveMQNotConnectedException se) {
- //ok
- } catch (ActiveMQException e) {
- Assert.fail("Invalid Exception type:" + e.getType());
- }
- }
-
- @Override
- @Before
- public void setUp() throws Exception {
- super.setUp();
- Map<String, Object> params = new HashMap<>();
- params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- params.put(TransportConstants.SSL_PROVIDER, TransportConstants.OPENSSL_PROVIDER);
- params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, SERVER_SIDE_KEYSTORE);
- params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, PASSWORD);
- params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, SERVER_SIDE_TRUSTSTORE);
- params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
- params.put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
- params.put(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME, storeType);
- params.put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, true);
- ConfigurationImpl config = createBasicConfig().addAcceptorConfiguration(new TransportConfiguration(NETTY_ACCEPTOR_FACTORY, params, "nettySSL"));
- server = createServer(false, config);
- server.start();
- waitForServerToStart(server);
- tc = new TransportConfiguration(NETTY_CONNECTOR_FACTORY);
- }
-}
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWaySSLTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWaySSLTest.java
index e759739..20c4ba3 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWaySSLTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWaySSLTest.java
@@ -23,6 +23,7 @@ import java.util.Map;
import javax.net.ssl.SSLPeerUnverifiedException;
+import org.apache.activemq.artemis.api.core.ActiveMQConnectionTimedOutException;
import org.apache.activemq.artemis.api.core.ActiveMQException;
import org.apache.activemq.artemis.api.core.ActiveMQNotConnectedException;
import org.apache.activemq.artemis.api.core.Interceptor;
@@ -57,22 +58,48 @@ import io.netty.handler.ssl.SslHandler;
@RunWith(value = Parameterized.class)
public class CoreClientOverTwoWaySSLTest extends ActiveMQTestBase {
- @Parameterized.Parameters(name = "storeType={0}")
+ @Parameterized.Parameters(name = "storeProvider={0}, storeType={1}, clientSSLProvider={2}, serverSSLProvider={3}")
public static Collection getParameters() {
- return Arrays.asList(new Object[][]{{"JCEKS"}, {"JKS"}, {"PKCS12"}});
+ return Arrays.asList(new Object[][]{
+ {TransportConstants.DEFAULT_KEYSTORE_PROVIDER, TransportConstants.DEFAULT_KEYSTORE_TYPE, TransportConstants.OPENSSL_PROVIDER, TransportConstants.OPENSSL_PROVIDER},
+ {TransportConstants.DEFAULT_KEYSTORE_PROVIDER, TransportConstants.DEFAULT_KEYSTORE_TYPE, TransportConstants.OPENSSL_PROVIDER, TransportConstants.DEFAULT_SSL_PROVIDER},
+ {TransportConstants.DEFAULT_KEYSTORE_PROVIDER, TransportConstants.DEFAULT_KEYSTORE_TYPE, TransportConstants.DEFAULT_SSL_PROVIDER, TransportConstants.OPENSSL_PROVIDER},
+ {TransportConstants.DEFAULT_KEYSTORE_PROVIDER, TransportConstants.DEFAULT_KEYSTORE_TYPE, TransportConstants.DEFAULT_SSL_PROVIDER, TransportConstants.DEFAULT_SSL_PROVIDER},
+ {"SunJCE", "JCEKS", TransportConstants.OPENSSL_PROVIDER, TransportConstants.OPENSSL_PROVIDER},
+ {"SunJCE", "JCEKS", TransportConstants.OPENSSL_PROVIDER, TransportConstants.DEFAULT_SSL_PROVIDER},
+ {"SunJCE", "JCEKS", TransportConstants.DEFAULT_SSL_PROVIDER, TransportConstants.OPENSSL_PROVIDER},
+ {"SunJCE", "JCEKS", TransportConstants.DEFAULT_SSL_PROVIDER, TransportConstants.DEFAULT_SSL_PROVIDER},
+ {"SUN", "JKS", TransportConstants.OPENSSL_PROVIDER, TransportConstants.OPENSSL_PROVIDER},
+ {"SUN", "JKS", TransportConstants.OPENSSL_PROVIDER, TransportConstants.DEFAULT_SSL_PROVIDER},
+ {"SUN", "JKS", TransportConstants.DEFAULT_SSL_PROVIDER, TransportConstants.OPENSSL_PROVIDER},
+ {"SUN", "JKS", TransportConstants.DEFAULT_SSL_PROVIDER, TransportConstants.DEFAULT_SSL_PROVIDER},
+ {"SunJSSE", "PKCS12", TransportConstants.OPENSSL_PROVIDER, TransportConstants.OPENSSL_PROVIDER},
+ {"SunJSSE", "PKCS12", TransportConstants.OPENSSL_PROVIDER, TransportConstants.DEFAULT_SSL_PROVIDER},
+ {"SunJSSE", "PKCS12", TransportConstants.DEFAULT_SSL_PROVIDER, TransportConstants.OPENSSL_PROVIDER},
+ {"SunJSSE", "PKCS12", TransportConstants.DEFAULT_SSL_PROVIDER, TransportConstants.DEFAULT_SSL_PROVIDER}
+ });
}
- public CoreClientOverTwoWaySSLTest(String storeType) {
+ public CoreClientOverTwoWaySSLTest(String storeProvider, String storeType, String clientSSLProvider, String serverSSLProvider) {
+ this.storeProvider = storeProvider;
this.storeType = storeType;
+ this.clientSSLProvider = clientSSLProvider;
+ this.serverSSLProvider = serverSSLProvider;
+
String suffix = storeType.toLowerCase();
// keytool expects PKCS12 stores to use the extension "p12"
if (storeType.equals("PKCS12")) {
suffix = "p12";
}
- SERVER_SIDE_KEYSTORE = "server-side-keystore." + suffix;
- SERVER_SIDE_TRUSTSTORE = "server-side-truststore." + suffix;
- CLIENT_SIDE_TRUSTSTORE = "client-side-truststore." + suffix;
- CLIENT_SIDE_KEYSTORE = "client-side-keystore." + suffix;
+
+ String prefix = "";
+ if (TransportConstants.OPENSSL_PROVIDER.equals(clientSSLProvider) || TransportConstants.OPENSSL_PROVIDER.equals(serverSSLProvider)) {
+ prefix = "openssl-";
+ }
+ SERVER_SIDE_KEYSTORE = prefix + "server-side-keystore." + suffix;
+ SERVER_SIDE_TRUSTSTORE = prefix + "server-side-truststore." + suffix;
+ CLIENT_SIDE_TRUSTSTORE = prefix + "client-side-truststore." + suffix;
+ CLIENT_SIDE_KEYSTORE = prefix + "client-side-keystore." + suffix;
}
public static final SimpleString QUEUE = new SimpleString("QueueOverSSL");
@@ -106,9 +133,53 @@ public class CoreClientOverTwoWaySSLTest extends ActiveMQTestBase {
* keytool -genkey -keystore verified-client-side-keystore.p12 -storetype PKCS12 -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA -ext san=ip:127.0.0.1
* keytool -export -keystore verified-client-side-keystore.p12 -file activemq-p12.cer -storetype PKCS12 -storepass secureexample
* keytool -import -keystore verified-server-side-truststore.p12 -storetype PKCS12 -file activemq-p12.cer -storepass secureexample -keypass secureexample -noprompt
+ *
+ * These artifacts are required for testing 2-way SSL with Open SSL - note the EC key and ECDSA signature to comply with what OpenSSL offers
+ *
+ * Commands to create the OpenSSL JKS artifacts:
+ * keytool -genkey -keystore openssl-client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA
+ * keytool -export -keystore openssl-client-side-keystore.jks -file activemq-jks.cer -storepass secureexample
+ * keytool -import -keystore openssl-server-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt
+ *
+ * keytool -genkey -keystore openssl-server-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA
+ * keytool -export -keystore openssl-server-side-keystore.jks -file activemq-jks.cer -storepass secureexample
+ * keytool -import -keystore openssl-client-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt
+ *
+ * keytool -genkey -keystore verified-openssl-client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA -ext san=ip:127.0.0.1
+ * keytool -export -keystore verified-openssl-client-side-keystore.jks -file activemq-jks.cer -storepass secureexample
+ * keytool -import -keystore verified-openssl-server-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt
+ *
+ * Commands to create the OpenSSL JCEKS artifacts:
+ * keytool -genkey -keystore openssl-client-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA
+ * keytool -export -keystore openssl-client-side-keystore.jceks -file activemq-jceks.cer -storetype jceks -storepass secureexample
+ * keytool -import -keystore openssl-server-side-truststore.jceks -storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass secureexample -noprompt
+ *
+ * keytool -genkey -keystore openssl-server-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA
+ * keytool -export -keystore openssl-server-side-keystore.jceks -file activemq-jceks.cer -storetype jceks -storepass secureexample
+ * keytool -import -keystore openssl-client-side-truststore.jceks -storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass secureexample -noprompt
+ *
+ * keytool -genkey -keystore verified-openssl-client-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA -ext san=ip:127.0.0.1
+ * keytool -export -keystore verified-openssl-client-side-keystore.jceks -file activemq-jceks.cer -storetype jceks -storepass secureexample
+ * keytool -import -keystore verified-openssl-server-side-truststore.jceks -storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass secureexample -noprompt
+ *
+ * Commands to create the OpenSSL PKCS12 artifacts:
+ * keytool -genkey -keystore openssl-client-side-keystore.p12 -storetype PKCS12 -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA
+ * keytool -export -keystore openssl-client-side-keystore.p12 -file activemq-p12.cer -storetype PKCS12 -storepass secureexample
+ * keytool -import -keystore openssl-server-side-truststore.p12 -storetype PKCS12 -file activemq-p12.cer -storepass secureexample -keypass secureexample -noprompt
+ *
+ * keytool -genkey -keystore openssl-server-side-keystore.p12 -storetype PKCS12 -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA
+ * keytool -export -keystore openssl-server-side-keystore.p12 -file activemq-p12.cer -storetype PKCS12 -storepass secureexample
+ * keytool -import -keystore openssl-client-side-truststore.p12 -storetype PKCS12 -file activemq-p12.cer -storepass secureexample -keypass secureexample -noprompt
+ *
+ * keytool -genkey -keystore verified-openssl-client-side-keystore.p12 -storetype PKCS12 -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA -ext san=ip:127.0.0.1
+ * keytool -export -keystore verified-openssl-client-side-keystore.p12 -file activemq-p12.cer -storetype PKCS12 -storepass secureexample
+ * keytool -import -keystore verified-openssl-server-side-truststore.p12 -storetype PKCS12 -file activemq-p12.cer -storepass secureexample -keypass secureexample -noprompt
*/
private String storeType;
+ private String storeProvider;
+ private String clientSSLProvider;
+ private String serverSSLProvider;
private String SERVER_SIDE_KEYSTORE;
private String SERVER_SIDE_TRUSTSTORE;
private String CLIENT_SIDE_TRUSTSTORE;
@@ -145,13 +216,18 @@ public class CoreClientOverTwoWaySSLTest extends ActiveMQTestBase {
String text = RandomUtil.randomString();
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
- tc.getParams().put(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME, storeType);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
+ tc.getParams().put(TransportConstants.SSL_PROVIDER, clientSSLProvider);
+
+ tc.getParams().put(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME, storeProvider);
+ tc.getParams().put(TransportConstants.KEYSTORE_TYPE_PROP_NAME, storeType);
tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, CLIENT_SIDE_KEYSTORE);
tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, PASSWORD);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeProvider);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_TYPE_PROP_NAME, storeType);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
+
server.getRemotingService().addIncomingInterceptor(new MyInterceptor());
ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
@@ -183,10 +259,15 @@ public class CoreClientOverTwoWaySSLTest extends ActiveMQTestBase {
String text = RandomUtil.randomString();
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
- tc.getParams().put(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME, storeType);
+ tc.getParams().put(TransportConstants.SSL_PROVIDER, clientSSLProvider);
+
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeProvider);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_TYPE_PROP_NAME, storeType);
tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
+
+ tc.getParams().put(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME, storeProvider);
+ tc.getParams().put(TransportConstants.KEYSTORE_TYPE_PROP_NAME, storeType);
tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "verified-" + CLIENT_SIDE_KEYSTORE);
tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, PASSWORD);
@@ -218,16 +299,20 @@ public class CoreClientOverTwoWaySSLTest extends ActiveMQTestBase {
server.getRemotingService().startAcceptors();
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
+ tc.getParams().put(TransportConstants.SSL_PROVIDER, clientSSLProvider);
+
tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
- tc.getParams().put(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME, storeType);
tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
+
+ tc.getParams().put(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME, storeType);
tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, CLIENT_SIDE_KEYSTORE);
tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, PASSWORD);
server.getRemotingService().addIncomingInterceptor(new MyInterceptor());
ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
+ locator.setCallTimeout(1000);
try {
ClientSessionFactory sf = createSessionFactory(locator);
fail("Creating a session here should fail due to a certificate with a CN that doesn't match the host name.");
@@ -246,8 +331,11 @@ public class CoreClientOverTwoWaySSLTest extends ActiveMQTestBase {
//Set trust all so this should work even with no trust store set
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
+ tc.getParams().put(TransportConstants.SSL_PROVIDER, clientSSLProvider);
tc.getParams().put(TransportConstants.TRUST_ALL_PROP_NAME, true);
- tc.getParams().put(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME, storeType);
+
+ tc.getParams().put(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME, storeProvider);
+ tc.getParams().put(TransportConstants.KEYSTORE_TYPE_PROP_NAME, storeType);
tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, CLIENT_SIDE_KEYSTORE);
tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, PASSWORD);
@@ -271,8 +359,14 @@ public class CoreClientOverTwoWaySSLTest extends ActiveMQTestBase {
+ ":" + tc.getParams().get(TransportConstants.PORT_PROP_NAME).toString());
uri.append("?").append(TransportConstants.SSL_ENABLED_PROP_NAME).append("=true");
+ uri.append("&").append(TransportConstants.SSL_PROVIDER).append("=").append(clientSSLProvider);
uri.append("&").append(TransportConstants.TRUST_ALL_PROP_NAME).append("=true");
- uri.append("&").append(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME).append("=").append(storeType);
+ if (storeProvider != null && !storeProvider.equals(TransportConstants.DEFAULT_KEYSTORE_PROVIDER)) {
+ uri.append("&").append(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME).append("=").append(storeProvider);
+ }
+ if (!storeType.equals(TransportConstants.DEFAULT_KEYSTORE_TYPE)) {
+ uri.append("&").append(TransportConstants.KEYSTORE_TYPE_PROP_NAME).append("=").append(storeType);
+ }
uri.append("&").append(TransportConstants.KEYSTORE_PATH_PROP_NAME).append("=").append(CLIENT_SIDE_KEYSTORE);
uri.append("&").append(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME).append("=").append(PASSWORD);
@@ -293,7 +387,10 @@ public class CoreClientOverTwoWaySSLTest extends ActiveMQTestBase {
//Trust all defaults to false so this should fail with no trust store set
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME, storeType);
+ tc.getParams().put(TransportConstants.SSL_PROVIDER, clientSSLProvider);
+
+ tc.getParams().put(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME, storeProvider);
+ tc.getParams().put(TransportConstants.KEYSTORE_TYPE_PROP_NAME, storeType);
tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, CLIENT_SIDE_KEYSTORE);
tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, PASSWORD);
@@ -311,16 +408,22 @@ public class CoreClientOverTwoWaySSLTest extends ActiveMQTestBase {
@Test
public void testTwoWaySSLWithoutClientKeyStore() throws Exception {
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
+ tc.getParams().put(TransportConstants.SSL_PROVIDER, clientSSLProvider);
+
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeProvider);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_TYPE_PROP_NAME, storeType);
tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
+ locator.setCallTimeout(1000);
try {
createSessionFactory(locator);
Assert.fail();
} catch (ActiveMQNotConnectedException se) {
//ok
+ } catch (ActiveMQConnectionTimedOutException te) {
+ //ok
} catch (ActiveMQException e) {
Assert.fail("Invalid Exception type:" + e.getType());
}
@@ -334,13 +437,20 @@ public class CoreClientOverTwoWaySSLTest extends ActiveMQTestBase {
super.setUp();
Map<String, Object> params = new HashMap<>();
params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
+ params.put(TransportConstants.SSL_PROVIDER, serverSSLProvider);
+
params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, SERVER_SIDE_KEYSTORE);
params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, PASSWORD);
+ params.put(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME, storeProvider);
+ params.put(TransportConstants.KEYSTORE_TYPE_PROP_NAME, storeType);
+
params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, SERVER_SIDE_TRUSTSTORE);
params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
- params.put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
- params.put(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME, storeType);
+ params.put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeProvider);
+ params.put(TransportConstants.TRUSTSTORE_TYPE_PROP_NAME, storeType);
+
params.put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, true);
+
ConfigurationImpl config = createBasicConfig().addAcceptorConfiguration(new TransportConfiguration(NETTY_ACCEPTOR_FACTORY, params, "nettySSL"));
server = createServer(false, config);
server.start();
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/SSLProviderTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/SSLProviderTest.java
index 6b3d996..9e673ef 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/SSLProviderTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/SSLProviderTest.java
@@ -59,7 +59,7 @@ public class SSLProviderTest extends SSLTestBase {
uri.append("?").append(TransportConstants.SSL_ENABLED_PROP_NAME).append("=true");
uri.append("&").append(TransportConstants.SSL_PROVIDER).append("=").append(clientSslProvider);
- uri.append("&").append(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME).append("=JKS");
+ uri.append("&").append(TransportConstants.TRUSTSTORE_TYPE_PROP_NAME).append("=JKS");
uri.append("&").append(TransportConstants.TRUSTSTORE_PATH_PROP_NAME).append("=").append(CLIENT_SIDE_TRUSTSTORE);
uri.append("&").append(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME).append("=").append(PASSWORD);
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/SSLProviderTwoWayTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/SSLProviderTwoWayTest.java
index 85836cb..9e9d1e3 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/SSLProviderTwoWayTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/SSLProviderTwoWayTest.java
@@ -71,10 +71,10 @@ public class SSLProviderTwoWayTest extends SSLTestBase {
uri.append("?").append(TransportConstants.SSL_ENABLED_PROP_NAME).append("=true");
uri.append("&").append(TransportConstants.SSL_PROVIDER).append("=").append(clientSslProvider);
- uri.append("&").append(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME).append("=").append("JKS");
+ uri.append("&").append(TransportConstants.KEYSTORE_TYPE_PROP_NAME).append("=").append("JKS");
uri.append("&").append(TransportConstants.KEYSTORE_PATH_PROP_NAME).append("=").append(CLIENT_SIDE_KEYSTORE);
uri.append("&").append(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME).append("=").append(PASSWORD);
- uri.append("&").append(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME).append("=JKS");
+ uri.append("&").append(TransportConstants.TRUSTSTORE_TYPE_PROP_NAME).append("=JKS");
uri.append("&").append(TransportConstants.TRUSTSTORE_PATH_PROP_NAME).append("=").append(CLIENT_SIDE_TRUSTSTORE);
uri.append("&").append(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME).append("=").append(PASSWORD);
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/SSLTestBase.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/SSLTestBase.java
index 75ec9f8..72db844 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/SSLTestBase.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/SSLTestBase.java
@@ -85,7 +85,7 @@ public abstract class SSLTestBase extends ActiveMQTestBase {
protected void configureSSLParameters(Map<String, Object> params) {
params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
params.put(TransportConstants.SSL_PROVIDER, sslProvider);
- params.put(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME, "JKS");
+ params.put(TransportConstants.KEYSTORE_TYPE_PROP_NAME, "JKS");
params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, SERVER_SIDE_KEYSTORE);
params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, PASSWORD);
params.put(TransportConstants.HOST_PROP_NAME, "localhost");
diff --git a/tests/unit-tests/src/test/java/org/apache/activemq/artemis/tests/unit/core/remoting/impl/ssl/SSLSupportTest.java b/tests/unit-tests/src/test/java/org/apache/activemq/artemis/tests/unit/core/remoting/impl/ssl/SSLSupportTest.java
index 256be64..663139a 100644
--- a/tests/unit-tests/src/test/java/org/apache/activemq/artemis/tests/unit/core/remoting/impl/ssl/SSLSupportTest.java
+++ b/tests/unit-tests/src/test/java/org/apache/activemq/artemis/tests/unit/core/remoting/impl/ssl/SSLSupportTest.java
@@ -21,6 +21,7 @@ import java.net.URL;
import java.util.Arrays;
import java.util.Collection;
+import org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants;
import org.apache.activemq.artemis.core.remoting.impl.ssl.SSLSupport;
import org.apache.activemq.artemis.tests.util.ActiveMQTestBase;
import org.junit.Assert;
@@ -32,17 +33,29 @@ import org.junit.runners.Parameterized;
@RunWith(value = Parameterized.class)
public class SSLSupportTest extends ActiveMQTestBase {
- @Parameterized.Parameters(name = "storeType={0}")
+ @Parameterized.Parameters(name = "storeProvider={0}, storeType={1}")
public static Collection getParameters() {
- return Arrays.asList(new Object[][]{{"JCEKS"}, {"JKS"}});
+ return Arrays.asList(new Object[][]{
+ {TransportConstants.DEFAULT_KEYSTORE_PROVIDER, TransportConstants.DEFAULT_KEYSTORE_TYPE},
+ {"SunJCE", "JCEKS"},
+ {"SUN", "JKS"},
+ {"SunJSSE", "PKCS12"}
+ });
}
- public SSLSupportTest(String storeType) {
+ public SSLSupportTest(String storeProvider, String storeType) {
+ this.storeProvider = storeProvider;
this.storeType = storeType;
- keyStorePath = "server-side-keystore." + storeType.toLowerCase();
- trustStorePath = "server-side-truststore." + storeType.toLowerCase();
+ String suffix = storeType.toLowerCase();
+ if (storeType.equals("PKCS12")) {
+ suffix = "p12";
+ }
+ keyStorePath = "server-side-keystore." + suffix;
+ trustStorePath = "server-side-truststore." + suffix;
}
+ private String storeProvider;
+
private String storeType;
private String keyStorePath;
@@ -74,10 +87,12 @@ public class SSLSupportTest extends ActiveMQTestBase {
@Test
public void testContextWithRightParameters() throws Exception {
new SSLSupport()
- .setKeystoreProvider(storeType)
+ .setKeystoreProvider(storeProvider)
+ .setKeystoreType(storeType)
.setKeystorePath(keyStorePath)
.setKeystorePassword(keyStorePassword)
- .setTruststoreProvider(storeType)
+ .setTruststoreProvider(storeProvider)
+ .setTruststoreType(storeType)
.setTruststorePath(trustStorePath)
.setTruststorePassword(trustStorePassword)
.createContext();
@@ -93,10 +108,12 @@ public class SSLSupportTest extends ActiveMQTestBase {
public void testContextWithKeyStorePathAsURL() throws Exception {
URL url = Thread.currentThread().getContextClassLoader().getResource(keyStorePath);
new SSLSupport()
- .setKeystoreProvider(storeType)
+ .setKeystoreProvider(storeProvider)
+ .setKeystoreType(storeType)
.setKeystorePath(url.toString())
.setKeystorePassword(keyStorePassword)
- .setTruststoreProvider(storeType)
+ .setTruststoreProvider(storeProvider)
+ .setTruststoreType(storeType)
.setTruststorePath(trustStorePath)
.setTruststorePassword(trustStorePassword)
.createContext();
@@ -107,10 +124,12 @@ public class SSLSupportTest extends ActiveMQTestBase {
URL url = Thread.currentThread().getContextClassLoader().getResource(keyStorePath);
File file = new File(url.toURI());
new SSLSupport()
- .setKeystoreProvider(storeType)
+ .setKeystoreProvider(storeProvider)
+ .setKeystoreType(storeType)
.setKeystorePath(file.getAbsolutePath())
.setKeystorePassword(keyStorePassword)
- .setTruststoreProvider(storeType)
+ .setTruststoreProvider(storeProvider)
+ .setTruststoreType(storeType)
.setTruststorePath(trustStorePath)
.setTruststorePassword(trustStorePassword)
.createContext();
@@ -120,10 +139,12 @@ public class SSLSupportTest extends ActiveMQTestBase {
public void testContextWithBadKeyStorePath() throws Exception {
try {
new SSLSupport()
- .setKeystoreProvider(storeType)
+ .setKeystoreProvider(storeProvider)
+ .setKeystoreType(storeType)
.setKeystorePath("not a keystore")
.setKeystorePassword(keyStorePassword)
- .setTruststoreProvider(storeType)
+ .setTruststoreProvider(storeProvider)
+ .setTruststoreType(storeType)
.setTruststorePath(trustStorePath)
.setTruststorePassword(trustStorePassword)
.createContext();
@@ -136,10 +157,12 @@ public class SSLSupportTest extends ActiveMQTestBase {
public void testContextWithNullKeyStorePath() throws Exception {
try {
new SSLSupport()
- .setKeystoreProvider(storeType)
+ .setKeystoreProvider(storeProvider)
+ .setKeystoreType(storeType)
.setKeystorePath(null)
.setKeystorePassword(keyStorePassword)
- .setTruststoreProvider(storeType)
+ .setTruststoreProvider(storeProvider)
+ .setTruststoreType(storeType)
.setTruststorePath(trustStorePath)
.setTruststorePassword(trustStorePassword)
.createContext();
@@ -158,10 +181,12 @@ public class SSLSupportTest extends ActiveMQTestBase {
}
new SSLSupport()
- .setKeystoreProvider(storeType)
+ .setKeystoreProvider(storeProvider)
+ .setKeystoreType(storeType)
.setKeystorePath("src/test/resources/" + keyStorePath)
.setKeystorePassword(keyStorePassword)
- .setTruststoreProvider(storeType)
+ .setTruststoreProvider(storeProvider)
+ .setTruststoreType(storeType)
.setTruststorePath(trustStorePath)
.setTruststorePassword(trustStorePassword)
.createContext();
@@ -171,10 +196,12 @@ public class SSLSupportTest extends ActiveMQTestBase {
public void testContextWithBadKeyStorePassword() throws Exception {
try {
new SSLSupport()
- .setKeystoreProvider(storeType)
+ .setKeystoreProvider(storeProvider)
+ .setKeystoreType(storeType)
.setKeystorePath(keyStorePath)
.setKeystorePassword("bad password")
- .setTruststoreProvider(storeType)
+ .setTruststoreProvider(storeProvider)
+ .setTruststoreType(storeType)
.setTruststorePath(trustStorePath)
.setTruststorePassword(trustStorePassword)
.createContext();
@@ -187,10 +214,12 @@ public class SSLSupportTest extends ActiveMQTestBase {
public void testContextWithNullKeyStorePassword() throws Exception {
try {
new SSLSupport()
- .setKeystoreProvider(storeType)
+ .setKeystoreProvider(storeProvider)
+ .setKeystoreType(storeType)
.setKeystorePath(keyStorePath)
.setKeystorePassword(null)
- .setTruststoreProvider(storeType)
+ .setTruststoreProvider(storeProvider)
+ .setTruststoreType(storeType)
.setTruststorePath(trustStorePath)
.setTruststorePassword(trustStorePassword)
.createContext();
@@ -204,10 +233,12 @@ public class SSLSupportTest extends ActiveMQTestBase {
public void testContextWithBadTrustStorePath() throws Exception {
try {
new SSLSupport()
- .setKeystoreProvider(storeType)
+ .setKeystoreProvider(storeProvider)
+ .setKeystoreType(storeType)
.setKeystorePath(keyStorePath)
.setKeystorePassword(keyStorePassword)
- .setTruststoreProvider(storeType)
+ .setTruststoreProvider(storeProvider)
+ .setTruststoreType(storeType)
.setTruststorePath("not a trust store")
.setTruststorePassword(trustStorePassword)
.createContext();
@@ -220,10 +251,12 @@ public class SSLSupportTest extends ActiveMQTestBase {
public void testContextWithBadTrustStorePassword() throws Exception {
try {
new SSLSupport()
- .setKeystoreProvider(storeType)
+ .setKeystoreProvider(storeProvider)
+ .setKeystoreType(storeType)
.setKeystorePath(keyStorePath)
.setKeystorePassword(keyStorePassword)
- .setTruststoreProvider(storeType)
+ .setTruststoreProvider(storeProvider)
+ .setTruststoreType(storeType)
.setTruststorePath(trustStorePath)
.setTruststorePassword("bad passord")
.createContext();
@@ -237,10 +270,12 @@ public class SSLSupportTest extends ActiveMQTestBase {
//This is using a bad password but should not fail because the trust store should be ignored with
//the trustAll flag set to true
new SSLSupport()
- .setKeystoreProvider(storeType)
+ .setKeystoreProvider(storeProvider)
+ .setKeystoreType(storeType)
.setKeystorePath(keyStorePath)
.setKeystorePassword(keyStorePassword)
- .setTruststoreProvider(storeType)
+ .setTruststoreProvider(storeProvider)
+ .setTruststoreType(storeType)
.setTruststorePath(trustStorePath)
.setTruststorePassword("bad passord")
.setTrustAll(true)
diff --git a/tests/unit-tests/src/test/resources/bad-client-side-keystore.jks b/tests/unit-tests/src/test/resources/bad-client-side-keystore.jks
index c7f7812..ee0de7b 100644
Binary files a/tests/unit-tests/src/test/resources/bad-client-side-keystore.jks and b/tests/unit-tests/src/test/resources/bad-client-side-keystore.jks differ
diff --git a/tests/unit-tests/src/test/resources/client-side-keystore.jceks b/tests/unit-tests/src/test/resources/client-side-keystore.jceks
index 5c223a1..3bebbf4 100644
Binary files a/tests/unit-tests/src/test/resources/client-side-keystore.jceks and b/tests/unit-tests/src/test/resources/client-side-keystore.jceks differ
diff --git a/tests/unit-tests/src/test/resources/client-side-keystore.jks b/tests/unit-tests/src/test/resources/client-side-keystore.jks
index cb65a44..0949d20 100644
Binary files a/tests/unit-tests/src/test/resources/client-side-keystore.jks and b/tests/unit-tests/src/test/resources/client-side-keystore.jks differ
diff --git a/tests/unit-tests/src/test/resources/client-side-keystore.p12 b/tests/unit-tests/src/test/resources/client-side-keystore.p12
index f36af7c..fd4055f 100644
Binary files a/tests/unit-tests/src/test/resources/client-side-keystore.p12 and b/tests/unit-tests/src/test/resources/client-side-keystore.p12 differ
diff --git a/tests/unit-tests/src/test/resources/client-side-truststore.jceks b/tests/unit-tests/src/test/resources/client-side-truststore.jceks
index 161154e..20884de 100644
Binary files a/tests/unit-tests/src/test/resources/client-side-truststore.jceks and b/tests/unit-tests/src/test/resources/client-side-truststore.jceks differ
diff --git a/tests/unit-tests/src/test/resources/client-side-truststore.jks b/tests/unit-tests/src/test/resources/client-side-truststore.jks
index 7eb1d56..3218d73 100644
Binary files a/tests/unit-tests/src/test/resources/client-side-truststore.jks and b/tests/unit-tests/src/test/resources/client-side-truststore.jks differ
diff --git a/tests/unit-tests/src/test/resources/client-side-truststore.p12 b/tests/unit-tests/src/test/resources/client-side-truststore.p12
index de15aa4..229e6ec 100644
Binary files a/tests/unit-tests/src/test/resources/client-side-truststore.p12 and b/tests/unit-tests/src/test/resources/client-side-truststore.p12 differ
diff --git a/tests/unit-tests/src/test/resources/openssl-client-side-keystore.jceks b/tests/unit-tests/src/test/resources/openssl-client-side-keystore.jceks
index 7872137..f69d19f 100644
Binary files a/tests/unit-tests/src/test/resources/openssl-client-side-keystore.jceks and b/tests/unit-tests/src/test/resources/openssl-client-side-keystore.jceks differ
diff --git a/tests/unit-tests/src/test/resources/openssl-client-side-keystore.jks b/tests/unit-tests/src/test/resources/openssl-client-side-keystore.jks
index fd64456..674681d 100644
Binary files a/tests/unit-tests/src/test/resources/openssl-client-side-keystore.jks and b/tests/unit-tests/src/test/resources/openssl-client-side-keystore.jks differ
diff --git a/tests/unit-tests/src/test/resources/openssl-client-side-keystore.p12 b/tests/unit-tests/src/test/resources/openssl-client-side-keystore.p12
new file mode 100644
index 0000000..098abe7
Binary files /dev/null and b/tests/unit-tests/src/test/resources/openssl-client-side-keystore.p12 differ
diff --git a/tests/unit-tests/src/test/resources/openssl-client-side-truststore.jceks b/tests/unit-tests/src/test/resources/openssl-client-side-truststore.jceks
index 9881ceb..83685c6 100644
Binary files a/tests/unit-tests/src/test/resources/openssl-client-side-truststore.jceks and b/tests/unit-tests/src/test/resources/openssl-client-side-truststore.jceks differ
diff --git a/tests/unit-tests/src/test/resources/openssl-client-side-truststore.jks b/tests/unit-tests/src/test/resources/openssl-client-side-truststore.jks
index 3ef44dc..30c92b4 100644
Binary files a/tests/unit-tests/src/test/resources/openssl-client-side-truststore.jks and b/tests/unit-tests/src/test/resources/openssl-client-side-truststore.jks differ
diff --git a/tests/unit-tests/src/test/resources/openssl-client-side-truststore.p12 b/tests/unit-tests/src/test/resources/openssl-client-side-truststore.p12
new file mode 100644
index 0000000..ce77bd6
Binary files /dev/null and b/tests/unit-tests/src/test/resources/openssl-client-side-truststore.p12 differ
diff --git a/tests/unit-tests/src/test/resources/openssl-server-side-keystore.jceks b/tests/unit-tests/src/test/resources/openssl-server-side-keystore.jceks
index d543101..7e86947 100644
Binary files a/tests/unit-tests/src/test/resources/openssl-server-side-keystore.jceks and b/tests/unit-tests/src/test/resources/openssl-server-side-keystore.jceks differ
diff --git a/tests/unit-tests/src/test/resources/openssl-server-side-keystore.jks b/tests/unit-tests/src/test/resources/openssl-server-side-keystore.jks
index 0a26208..85a560a 100644
Binary files a/tests/unit-tests/src/test/resources/openssl-server-side-keystore.jks and b/tests/unit-tests/src/test/resources/openssl-server-side-keystore.jks differ
diff --git a/tests/unit-tests/src/test/resources/openssl-server-side-keystore.p12 b/tests/unit-tests/src/test/resources/openssl-server-side-keystore.p12
new file mode 100644
index 0000000..8aa49b6
Binary files /dev/null and b/tests/unit-tests/src/test/resources/openssl-server-side-keystore.p12 differ
diff --git a/tests/unit-tests/src/test/resources/openssl-server-side-truststore.jceks b/tests/unit-tests/src/test/resources/openssl-server-side-truststore.jceks
index 9ebd0c7..d09d0a0 100644
Binary files a/tests/unit-tests/src/test/resources/openssl-server-side-truststore.jceks and b/tests/unit-tests/src/test/resources/openssl-server-side-truststore.jceks differ
diff --git a/tests/unit-tests/src/test/resources/openssl-server-side-truststore.jks b/tests/unit-tests/src/test/resources/openssl-server-side-truststore.jks
index 89217a3..54cc5a4 100644
Binary files a/tests/unit-tests/src/test/resources/openssl-server-side-truststore.jks and b/tests/unit-tests/src/test/resources/openssl-server-side-truststore.jks differ
diff --git a/tests/unit-tests/src/test/resources/openssl-server-side-truststore.p12 b/tests/unit-tests/src/test/resources/openssl-server-side-truststore.p12
new file mode 100644
index 0000000..2937f28
Binary files /dev/null and b/tests/unit-tests/src/test/resources/openssl-server-side-truststore.p12 differ
diff --git a/tests/unit-tests/src/test/resources/other-client-side-truststore.jceks b/tests/unit-tests/src/test/resources/other-client-side-truststore.jceks
index 91c4caf..c1d1a5b 100644
Binary files a/tests/unit-tests/src/test/resources/other-client-side-truststore.jceks and b/tests/unit-tests/src/test/resources/other-client-side-truststore.jceks differ
diff --git a/tests/unit-tests/src/test/resources/other-client-side-truststore.jks b/tests/unit-tests/src/test/resources/other-client-side-truststore.jks
index 9098d3b..b3c907b 100644
Binary files a/tests/unit-tests/src/test/resources/other-client-side-truststore.jks and b/tests/unit-tests/src/test/resources/other-client-side-truststore.jks differ
diff --git a/tests/unit-tests/src/test/resources/other-client-side-truststore.p12 b/tests/unit-tests/src/test/resources/other-client-side-truststore.p12
index 4f06c03..f573785 100644
Binary files a/tests/unit-tests/src/test/resources/other-client-side-truststore.p12 and b/tests/unit-tests/src/test/resources/other-client-side-truststore.p12 differ
diff --git a/tests/unit-tests/src/test/resources/other-server-side-keystore.jceks b/tests/unit-tests/src/test/resources/other-server-side-keystore.jceks
index be26131..acf1603 100644
Binary files a/tests/unit-tests/src/test/resources/other-server-side-keystore.jceks and b/tests/unit-tests/src/test/resources/other-server-side-keystore.jceks differ
diff --git a/tests/unit-tests/src/test/resources/other-server-side-keystore.jks b/tests/unit-tests/src/test/resources/other-server-side-keystore.jks
index 8e8d1c9..98276fd 100644
Binary files a/tests/unit-tests/src/test/resources/other-server-side-keystore.jks and b/tests/unit-tests/src/test/resources/other-server-side-keystore.jks differ
diff --git a/tests/unit-tests/src/test/resources/other-server-side-keystore.p12 b/tests/unit-tests/src/test/resources/other-server-side-keystore.p12
index 40384bf..7c6eb65 100644
Binary files a/tests/unit-tests/src/test/resources/other-server-side-keystore.p12 and b/tests/unit-tests/src/test/resources/other-server-side-keystore.p12 differ
diff --git a/tests/unit-tests/src/test/resources/server-side-keystore.jceks b/tests/unit-tests/src/test/resources/server-side-keystore.jceks
index dd9962b..9d8c27c 100644
Binary files a/tests/unit-tests/src/test/resources/server-side-keystore.jceks and b/tests/unit-tests/src/test/resources/server-side-keystore.jceks differ
diff --git a/tests/unit-tests/src/test/resources/server-side-keystore.jks b/tests/unit-tests/src/test/resources/server-side-keystore.jks
index 6089c6e..f1fd537 100644
Binary files a/tests/unit-tests/src/test/resources/server-side-keystore.jks and b/tests/unit-tests/src/test/resources/server-side-keystore.jks differ
diff --git a/tests/unit-tests/src/test/resources/server-side-keystore.p12 b/tests/unit-tests/src/test/resources/server-side-keystore.p12
index f9f4dab..3cb6d28 100644
Binary files a/tests/unit-tests/src/test/resources/server-side-keystore.p12 and b/tests/unit-tests/src/test/resources/server-side-keystore.p12 differ
diff --git a/tests/unit-tests/src/test/resources/server-side-truststore.jceks b/tests/unit-tests/src/test/resources/server-side-truststore.jceks
index 9a9206c..1387739 100644
Binary files a/tests/unit-tests/src/test/resources/server-side-truststore.jceks and b/tests/unit-tests/src/test/resources/server-side-truststore.jceks differ
diff --git a/tests/unit-tests/src/test/resources/server-side-truststore.jks b/tests/unit-tests/src/test/resources/server-side-truststore.jks
index 0b7e224..e8e8311 100644
Binary files a/tests/unit-tests/src/test/resources/server-side-truststore.jks and b/tests/unit-tests/src/test/resources/server-side-truststore.jks differ
diff --git a/tests/unit-tests/src/test/resources/server-side-truststore.p12 b/tests/unit-tests/src/test/resources/server-side-truststore.p12
index f8daaa3..fcdafdb 100644
Binary files a/tests/unit-tests/src/test/resources/server-side-truststore.p12 and b/tests/unit-tests/src/test/resources/server-side-truststore.p12 differ
diff --git a/tests/unit-tests/src/test/resources/verified-client-side-keystore.jceks b/tests/unit-tests/src/test/resources/verified-client-side-keystore.jceks
index b8dad47..f8b23be 100644
Binary files a/tests/unit-tests/src/test/resources/verified-client-side-keystore.jceks and b/tests/unit-tests/src/test/resources/verified-client-side-keystore.jceks differ
diff --git a/tests/unit-tests/src/test/resources/verified-client-side-keystore.jks b/tests/unit-tests/src/test/resources/verified-client-side-keystore.jks
index e9980c3..492aee8 100644
Binary files a/tests/unit-tests/src/test/resources/verified-client-side-keystore.jks and b/tests/unit-tests/src/test/resources/verified-client-side-keystore.jks differ
diff --git a/tests/unit-tests/src/test/resources/verified-client-side-keystore.p12 b/tests/unit-tests/src/test/resources/verified-client-side-keystore.p12
index 2ece21e..5b88b94 100644
Binary files a/tests/unit-tests/src/test/resources/verified-client-side-keystore.p12 and b/tests/unit-tests/src/test/resources/verified-client-side-keystore.p12 differ
diff --git a/tests/unit-tests/src/test/resources/verified-client-side-truststore.jceks b/tests/unit-tests/src/test/resources/verified-client-side-truststore.jceks
index ad63172..4d53b3e 100644
Binary files a/tests/unit-tests/src/test/resources/verified-client-side-truststore.jceks and b/tests/unit-tests/src/test/resources/verified-client-side-truststore.jceks differ
diff --git a/tests/unit-tests/src/test/resources/verified-client-side-truststore.jks b/tests/unit-tests/src/test/resources/verified-client-side-truststore.jks
index 1d992c7..0adc640 100644
Binary files a/tests/unit-tests/src/test/resources/verified-client-side-truststore.jks and b/tests/unit-tests/src/test/resources/verified-client-side-truststore.jks differ
diff --git a/tests/unit-tests/src/test/resources/verified-client-side-truststore.p12 b/tests/unit-tests/src/test/resources/verified-client-side-truststore.p12
index d95f854..7e2c6f0 100644
Binary files a/tests/unit-tests/src/test/resources/verified-client-side-truststore.p12 and b/tests/unit-tests/src/test/resources/verified-client-side-truststore.p12 differ
diff --git a/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.jceks b/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.jceks
index d2f4128..12682df 100644
Binary files a/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.jceks and b/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.jceks differ
diff --git a/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.jks b/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.jks
index 5c25213..8a7b077 100644
Binary files a/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.jks and b/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.jks differ
diff --git a/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.p12 b/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.p12
new file mode 100644
index 0000000..3d07421
Binary files /dev/null and b/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.p12 differ
diff --git a/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.jceks b/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.jceks
index d1b2122..63c03c2 100644
Binary files a/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.jceks and b/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.jceks differ
diff --git a/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.jks b/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.jks
index 6be63f5..af8a987 100644
Binary files a/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.jks and b/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.jks differ
diff --git a/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.p12 b/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.p12
new file mode 100644
index 0000000..be0c8f0
Binary files /dev/null and b/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.p12 differ
diff --git a/tests/unit-tests/src/test/resources/verified-server-side-keystore.jceks b/tests/unit-tests/src/test/resources/verified-server-side-keystore.jceks
index 7a46162..ee7992f 100644
Binary files a/tests/unit-tests/src/test/resources/verified-server-side-keystore.jceks and b/tests/unit-tests/src/test/resources/verified-server-side-keystore.jceks differ
diff --git a/tests/unit-tests/src/test/resources/verified-server-side-keystore.jks b/tests/unit-tests/src/test/resources/verified-server-side-keystore.jks
index 55c7603..79b7cff 100644
Binary files a/tests/unit-tests/src/test/resources/verified-server-side-keystore.jks and b/tests/unit-tests/src/test/resources/verified-server-side-keystore.jks differ
diff --git a/tests/unit-tests/src/test/resources/verified-server-side-keystore.p12 b/tests/unit-tests/src/test/resources/verified-server-side-keystore.p12
index fcf3969..b218430 100644
Binary files a/tests/unit-tests/src/test/resources/verified-server-side-keystore.p12 and b/tests/unit-tests/src/test/resources/verified-server-side-keystore.p12 differ
diff --git a/tests/unit-tests/src/test/resources/verified-server-side-truststore.jceks b/tests/unit-tests/src/test/resources/verified-server-side-truststore.jceks
index 54fbaa7..671c21e 100644
Binary files a/tests/unit-tests/src/test/resources/verified-server-side-truststore.jceks and b/tests/unit-tests/src/test/resources/verified-server-side-truststore.jceks differ
diff --git a/tests/unit-tests/src/test/resources/verified-server-side-truststore.jks b/tests/unit-tests/src/test/resources/verified-server-side-truststore.jks
index ec96e7b..a861b27 100644
Binary files a/tests/unit-tests/src/test/resources/verified-server-side-truststore.jks and b/tests/unit-tests/src/test/resources/verified-server-side-truststore.jks differ
diff --git a/tests/unit-tests/src/test/resources/verified-server-side-truststore.p12 b/tests/unit-tests/src/test/resources/verified-server-side-truststore.p12
index 5da5615..eef6db5 100644
Binary files a/tests/unit-tests/src/test/resources/verified-server-side-truststore.p12 and b/tests/unit-tests/src/test/resources/verified-server-side-truststore.p12 differ