
Added support for keystore/truststore type in order to support non-JKS k... #2

Jesse Sightler

This goes along with QPID-3973 to support keystore type within the QPID Java client libraries.

Jesse Sightler jsight Added support for keystore/truststore type in order to support non-JK…
…S keystores. This is necessary for FIPS compliance.
5c2b841
Robbie Gemmell

Hi Jesse,

It looks like these changes were incorporated via https://issues.apache.org/jira/browse/QPID-3973. Could you close this pull request please?

We don't have direct administrative rights to the GitHub mirrors, and at the time the mirroring process did not cater for automatic closure of pull requests (it may do now), so otherwise I would have to raise a request with the ASF infra team to close this.

Thanks,
Robbie

jfarrell jfarrell closed this
Commits on May 8, 2012
  1. Jesse Sightler

    Added support for keystore/truststore type in order to support non-JK…

    jsight authored
    …S keystores. This is necessary for FIPS compliance.
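--- a/qpid/java/broker/src/main/java/org/apache/qpid/server/Broker.java
+++ b/qpid/java/broker/src/main/java/org/apache/qpid/server/Broker.java
@@ -242,8 +242,9 @@ private void startupImpl(final BrokerOptions options) throws Exception
 {
 final String keystorePath = serverConfig.getConnectorKeyStorePath();
 final String keystorePassword = serverConfig.getConnectorKeyStorePassword();
+final String keystoreType = serverConfig.getConnectorKeyStoreType();
 final String keyManagerFactoryAlgorithm = serverConfig.getConnectorKeyManagerFactoryAlgorithm();
-final SSLContext sslContext = SSLContextFactory.buildServerContext(keystorePath, keystorePassword, keyManagerFactoryAlgorithm);
+final SSLContext sslContext = SSLContextFactory.buildServerContext(keystorePath, keystorePassword, keystoreType, keyManagerFactoryAlgorithm);
 for(int sslPort : sslPorts)
 {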
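--- a/qpid/java/broker/src/main/java/org/apache/qpid/server/configuration/ServerConfiguration.java
+++ b/qpid/java/broker/src/main/java/org/apache/qpid/server/configuration/ServerConfiguration.java
@@ -722,7 +722,7 @@ public boolean getSSLOnly()
 {
 return getBooleanValue("connector.ssl.sslOnly");
 }
-
+
 public List getSSLPorts()
 {
 return getListValue("connector.ssl.port", Collections.<Integer>singletonList(DEFAULT_SSL_PORT));
@@ -740,6 +740,11 @@ public String getConnectorKeyStorePassword()
 return getStringValue("connector.ssl.keyStorePassword", fallback);
 }
+public String getConnectorKeyStoreType()
+{
+return getStringValue("connector.ssl.keyStoreType", "JKS");
+}
+
 public String getConnectorKeyManagerFactoryAlgorithm()
 {
 final String systemFallback = KeyManagerFactory.getDefaultAlgorithm();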
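Review bot: `getConnectorKeyStoreType()` in the second hunk falls back to the literal `"JKS"`, while the client side of this same commit (ConnectionSettings) falls back to `KeyStore.getDefaultType()`, which honours the JRE's `keystore.type` security property. On a JRE configured for FIPS that property is typically what selects the provider-backed store type, so with this default the broker is the one end that still has to be told explicitly to stop using JKS. Suggest `return getStringValue("connector.ssl.keyStoreType", KeyStore.getDefaultType());` with `java.security.KeyStore` imported, so both ends resolve the default the same way, and a comment on the key saying the value is handed straight to `KeyStore.getInstance`. `getConnectorKeyStorePassword`, whose tail opens the hunk, starts outside it.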
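--- a/qpid/java/client/src/main/java/org/apache/qpid/client/AMQConnectionDelegate_8_0.java
+++ b/qpid/java/client/src/main/java/org/apache/qpid/client/AMQConnectionDelegate_8_0.java
@@ -110,9 +110,11 @@ public ProtocolVersion makeBrokerConnection(BrokerDetails brokerDetail) throws A
 sslContext = SSLContextFactory.buildClientContext(
 settings.getTrustStorePath(),
 settings.getTrustStorePassword(),
+settings.getTrustStoreType(),
 settings.getTrustManagerFactoryAlgorithm(),
 settings.getKeyStorePath(),
 settings.getKeyStorePassword(),
+settings.getKeyStoreType(),
 settings.getKeyManagerFactoryAlgorithm(),
 settings.getCertAlias());
 }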
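Review bot: The `buildClientContext` call now carries nine positional parameters, all of them `String`, and the two new arguments are slotted between existing `String` arguments, so a transposition compiles silently and only surfaces at runtime as a `KeyStoreException` or a wrong-password failure. The identical argument list is assembled from `ConnectionSettings` a second time in SecurityLayerFactory in this same commit. A `SSLContextFactory.buildClientContext(ConnectionSettings settings)` overload, or a small holder for the path/password/type triple, would remove the duplication and turn future arity changes into a one-line edit per call site. `makeBrokerConnection` starts and ends outside the hunk.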
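--- a/qpid/java/common/src/main/java/org/apache/qpid/ssl/SSLContextFactory.java
+++ b/qpid/java/common/src/main/java/org/apache/qpid/ssl/SSLContextFactory.java
@@ -48,28 +48,32 @@ private SSLContextFactory()
 }
 public static SSLContext buildServerContext(final String keyStorePath,
-final String keyStorePassword, final String keyManagerFactoryAlgorithm)
+final String keyStorePassword, final String keyStoreType,
+final String keyManagerFactoryAlgorithm)
 throws GeneralSecurityException, IOException
 {
-return buildContext(null, null, null, keyStorePath, keyStorePassword,
+return buildContext(null, null, null, null, keyStorePath, keyStorePassword, keyStoreType,
 keyManagerFactoryAlgorithm, null);
 }
 public static SSLContext buildClientContext(final String trustStorePath,
-final String trustStorePassword, final String trustManagerFactoryAlgorithm,
-final String keyStorePath, final String keyStorePassword,
+final String trustStorePassword, final String trustStoreType,
+final String trustManagerFactoryAlgorithm, final String keyStorePath,
+final String keyStorePassword, final String keyStoreType,
 final String keyManagerFactoryAlgorithm, final String certAlias)
 throws GeneralSecurityException, IOException
 {
-return buildContext(trustStorePath, trustStorePassword,
-trustManagerFactoryAlgorithm, keyStorePath, keyStorePassword,
+return buildContext(trustStorePath, trustStorePassword, trustStoreType,
+trustManagerFactoryAlgorithm, keyStorePath, keyStorePassword, keyStoreType,
 keyManagerFactoryAlgorithm, certAlias);
 }
 private static SSLContext buildContext(final String trustStorePath,
-final String trustStorePassword, final String trustManagerFactoryAlgorithm,
-final String keyStorePath, final String keyStorePassword,
-final String keyManagerFactoryAlgorithm, final String certAlias)
+final String trustStorePassword, final String trustStoreType,
+final String trustManagerFactoryAlgorithm,
+final String keyStorePath, final String keyStorePassword,
+final String keyStoreType, final String keyManagerFactoryAlgorithm,
+final String certAlias)
 throws GeneralSecurityException, IOException
 {
 // Initialize the SSLContext to work with our key managers.
@@ -82,7 +86,7 @@ private static SSLContext buildContext(final String trustStorePath,
 if (trustStorePath != null)
 {
 final KeyStore ts = SSLUtil.getInitializedKeyStore(trustStorePath,
-trustStorePassword);
+trustStorePassword, trustStoreType);
 final TrustManagerFactory tmf = TrustManagerFactory
 .getInstance(trustManagerFactoryAlgorithm);
 tmf.init(ts);
@@ -99,13 +103,13 @@ private static SSLContext buildContext(final String trustStorePath,
 if (certAlias != null)
 {
 keyManagers = new KeyManager[] { new QpidClientX509KeyManager(
-certAlias, keyStorePath, keyStorePassword,
+certAlias, keyStorePath, keyStorePassword, keyStoreType,
 keyManagerFactoryAlgorithm) };
 }
 else
 {
 final KeyStore ks = SSLUtil.getInitializedKeyStore(
-keyStorePath, keyStorePassword);
+keyStorePath, keyStorePassword, keyStoreType);
 char[] keyStoreCharPassword = keyStorePassword == null ? null : keyStorePassword.toCharArray();
 // Set up key manager factory to use our key store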
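Review bot: `buildContext` still enters the trust-store branch only when `trustStorePath != null`, yet the PKCS11 exemption this commit adds in SSLUtil only fires when a non-null path fails to resolve, so a PKCS11 trust store can currently be selected only by configuring a placeholder path that is deliberately wrong. The key-store branch in the last hunk is presumably behind a matching `keyStorePath != null` guard that starts above the hunk. Gating on `trustStorePath != null || trustStoreType != null` (and the same for the key store) would let a provider-backed store be selected by type alone, and the new `trustStoreType`/`keyStoreType` parameters deserve a `@param` line on each public method saying whether null is permitted — `buildServerContext` passes null for the trust-store type today. `buildContext`'s body continues past the last hunk.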
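--- a/qpid/java/common/src/main/java/org/apache/qpid/transport/ConnectionSettings.java
+++ b/qpid/java/common/src/main/java/org/apache/qpid/transport/ConnectionSettings.java
@@ -31,6 +31,7 @@
 import static org.apache.qpid.configuration.ClientProperties.LEGACY_RECEIVE_BUFFER_SIZE_PROP_NAME;
 import static org.apache.qpid.configuration.ClientProperties.LEGACY_SEND_BUFFER_SIZE_PROP_NAME;
+import java.security.KeyStore;
 import java.util.Map;
 import javax.net.ssl.KeyManagerFactory;
@@ -67,10 +68,12 @@
 private boolean useSSL;
 private String keyStorePath = System.getProperty("javax.net.ssl.keyStore");
 private String keyStorePassword = System.getProperty("javax.net.ssl.keyStorePassword");
+private String keyStoreType = System.getProperty("javax.net.ssl.keyStoreType",KeyStore.getDefaultType());
 private String keyManagerFactoryAlgorithm = QpidProperty.stringProperty(KeyManagerFactory.getDefaultAlgorithm(), QPID_SSL_KEY_MANAGER_FACTORY_ALGORITHM_PROP_NAME, QPID_SSL_KEY_STORE_CERT_TYPE_PROP_NAME).get();
 private String trustManagerFactoryAlgorithm = QpidProperty.stringProperty(TrustManagerFactory.getDefaultAlgorithm(), QPID_SSL_TRUST_MANAGER_FACTORY_ALGORITHM_PROP_NAME, QPID_SSL_TRUST_STORE_CERT_TYPE_PROP_NAME).get();
-private String trustStorePath = System.getProperty("javax.net.ssl.trustStore");;
-private String trustStorePassword = System.getProperty("javax.net.ssl.trustStorePassword");;
+private String trustStorePath = System.getProperty("javax.net.ssl.trustStore");
+private String trustStorePassword = System.getProperty("javax.net.ssl.trustStorePassword");
+private String trustStoreType = System.getProperty("javax.net.ssl.trustStoreType",KeyStore.getDefaultType());
 private String certAlias;
 private boolean verifyHostname;
@@ -262,6 +265,14 @@ public void setKeyStorePassword(String keyStorePassword)
 this.keyStorePassword = keyStorePassword;
 }
+public void setKeyStoreType(String keyStoreType) {
+this.keyStoreType = keyStoreType;
+}
+
+public String getKeyStoreType() {
+return keyStoreType;
+}
+
 public String getTrustStorePath()
 {
 return trustStorePath;
@@ -322,6 +333,14 @@ public void setTrustManagerFactoryAlgorithm(String trustManagerFactoryAlgorithm)
 this.trustManagerFactoryAlgorithm = trustManagerFactoryAlgorithm;
 }
+public String getTrustStoreType() {
+return trustStoreType;
+}
+
+public void setTrustStoreType(String trustStoreType) {
+this.trustStoreType = trustStoreType;
+}
+
 public int getReadBufferSize()
 {
 return readBufferSize;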
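Review bot: The four new accessors put the opening brace on the signature line (`public void setKeyStoreType(String keyStoreType) {`), whereas every other method visible in this file — `getTrustStorePath()` directly below — puts it on its own line, so the hunk reads as if pasted from a differently formatted project. While reformatting, a one-line Javadoc on each getter stating that the value defaults to the `javax.net.ssl.keyStoreType` / `javax.net.ssl.trustStoreType` system property and otherwise to `KeyStore.getDefaultType()` would spare readers a trip back to the field initialisers in the second hunk. The `import java.security.KeyStore;` hunk and the removal of the doubled semicolons are fine. The class body continues past the last hunk.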
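--- a/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/SecurityLayerFactory.java
+++ b/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/SecurityLayerFactory.java
@@ -78,9 +78,11 @@ public SSLSecurityLayer(ConnectionSettings settings, SecurityLayer layer)
 sslCtx = SSLContextFactory
 .buildClientContext(settings.getTrustStorePath(),
 settings.getTrustStorePassword(),
+settings.getTrustStoreType(),
 settings.getTrustManagerFactoryAlgorithm(),
 settings.getKeyStorePath(),
 settings.getKeyStorePassword(),
+settings.getKeyStoreType(),
 settings.getKeyManagerFactoryAlgorithm(),
 settings.getCertAlias());
 }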
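--- a/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/QpidClientX509KeyManager.java
+++ b/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/QpidClientX509KeyManager.java
@@ -40,11 +40,11 @@
 private X509ExtendedKeyManager delegate;
 private String alias;
-public QpidClientX509KeyManager(String alias, String keyStorePath,
+public QpidClientX509KeyManager(String alias, String keyStorePath, String keyStoreType,
 String keyStorePassword, String keyManagerFactoryAlgorithmName) throws GeneralSecurityException, IOException
 {
 this.alias = alias;
-KeyStore ks = SSLUtil.getInitializedKeyStore(keyStorePath,keyStorePassword);
+KeyStore ks = SSLUtil.getInitializedKeyStore(keyStorePath,keyStorePassword,keyStoreType);
 KeyManagerFactory kmf = KeyManagerFactory.getInstance(keyManagerFactoryAlgorithmName);
 kmf.init(ks, keyStorePassword.toCharArray());
 this.delegate = (X509ExtendedKeyManager)kmf.getKeyManagers()[0];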
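Review bot: The new constructor takes `(alias, keyStorePath, keyStoreType, keyStorePassword, keyManagerFactoryAlgorithmName)`, but the only call site in this commit, in SSLContextFactory, passes `(certAlias, keyStorePath, keyStorePassword, keyStoreType, keyManagerFactoryAlgorithm)` — password and type are transposed, and since every parameter is a `String` the compiler cannot object. At runtime `KeyStore.getInstance(keyStoreType)` would receive the password and `kmf.init(ks, keyStorePassword.toCharArray())` the store type, so the cert-alias path fails, and the resulting `KeyStoreException` would most likely carry the password in its message, which then ends up in logs. Reorder the signature to the convention used by `SSLUtil.getInitializedKeyStore(path, password, type)` and by `buildServerContext`: `public QpidClientX509KeyManager(String alias, String keyStorePath, String keyStorePassword, String keyStoreType, String keyManagerFactoryAlgorithmName)`. The constructor's closing brace lies outside the hunk.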
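--- a/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java
+++ b/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java
@@ -125,9 +125,9 @@ public static String retriveIdentity(SSLEngine engine)
 return id.toString();
 }
-public static KeyStore getInitializedKeyStore(String storePath, String storePassword) throws GeneralSecurityException, IOException
+public static KeyStore getInitializedKeyStore(String storePath, String storePassword, String keyStoreType) throws GeneralSecurityException, IOException
 {
-KeyStore ks = KeyStore.getInstance("JKS");
+KeyStore ks = KeyStore.getInstance(keyStoreType);
 InputStream in = null;
 try
 {
@@ -140,7 +140,7 @@ public static KeyStore getInitializedKeyStore(String storePath, String storePass
 {
 in = Thread.currentThread().getContextClassLoader().getResourceAsStream(storePath);
 }
-if (in == null)
+if (in == null && !"PKCS11".equalsIgnoreCase(keyStoreType)) // PKCS11 will not require an explicit path
 {
 throw new IOException("Unable to load keystore resource: " + storePath);
 }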
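Review bot: `KeyStore.getInstance(keyStoreType)` now trusts the caller to supply a type, and `KeyStore.getInstance(null)` throws `NullPointerException` rather than the `GeneralSecurityException`/`IOException` this method declares; `SSLContextFactory.buildServerContext` already passes null for the trust-store type, harmless today only because the path is null too. Resolve the default in one place: `KeyStore ks = KeyStore.getInstance(keyStoreType != null ? keyStoreType : KeyStore.getDefaultType());`. The relaxed guard in the second hunk also means a mistyped `storePath` is silently ignored whenever the type is `PKCS11`, and the string-literal test will not extend to other provider-backed store types; at least log the ignored path, and replace the trailing comment with one that states the actual rule, e.g. `// provider-backed stores (PKCS11) are loaded from the provider, so a missing file is not an error`. The method body, presumably including the `ks.load` call, continues past the hunk.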
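--- a/qpid/java/common/src/test/java/org/apache/qpid/ssl/SSLContextFactoryTest.java
+++ b/qpid/java/common/src/test/java/org/apache/qpid/ssl/SSLContextFactoryTest.java
@@ -31,13 +31,14 @@
 private static final String CLIENT_KEYSTORE_PATH = TEST_RESOURCES_DIR + "/ssl/java_client_keystore.jks";
 private static final String CLIENT_TRUSTSTORE_PATH = TEST_RESOURCES_DIR + "/ssl/java_client_truststore.jks";
 private static final String STORE_PASSWORD = "password";
+private static final String STORE_TYPE = "JKS";
 private static final String DEFAULT_KEY_MANAGER_ALGORITHM = KeyManagerFactory.getDefaultAlgorithm();
 private static final String DEFAULT_TRUST_MANAGER_ALGORITHM = TrustManagerFactory.getDefaultAlgorithm();
 private static final String CERT_ALIAS_APP1 = "app1";
 public void testBuildServerContext() throws Exception
 {
-SSLContext context = SSLContextFactory.buildServerContext(BROKER_KEYSTORE_PATH, STORE_PASSWORD, DEFAULT_KEY_MANAGER_ALGORITHM);
+SSLContext context = SSLContextFactory.buildServerContext(BROKER_KEYSTORE_PATH, STORE_PASSWORD, STORE_TYPE, DEFAULT_KEY_MANAGER_ALGORITHM);
 assertNotNull("SSLContext should not be null", context);
 }
@@ -45,7 +46,7 @@ public void testBuildServerContextWithIncorrectPassword() throws Exception
 {
 try
 {
-SSLContextFactory.buildServerContext(BROKER_KEYSTORE_PATH, "sajdklsad", DEFAULT_KEY_MANAGER_ALGORITHM);
+SSLContextFactory.buildServerContext(BROKER_KEYSTORE_PATH, "sajdklsad", STORE_TYPE, DEFAULT_KEY_MANAGER_ALGORITHM);
 fail("Exception was not thrown due to incorrect password");
 }
 catch (IOException e)
@@ -58,7 +59,7 @@ public void testTrustStoreDoesNotExist() throws Exception
 {
 try
 {
-SSLContextFactory.buildClientContext("/path/to/nothing", STORE_PASSWORD, DEFAULT_TRUST_MANAGER_ALGORITHM, CLIENT_KEYSTORE_PATH, STORE_PASSWORD, DEFAULT_KEY_MANAGER_ALGORITHM, null);
+SSLContextFactory.buildClientContext("/path/to/nothing", STORE_PASSWORD, STORE_TYPE, DEFAULT_TRUST_MANAGER_ALGORITHM, CLIENT_KEYSTORE_PATH, STORE_PASSWORD, STORE_TYPE, DEFAULT_KEY_MANAGER_ALGORITHM, null);
 fail("Exception was not thrown due to incorrect path");
 }
 catch (IOException e)
@@ -69,19 +70,19 @@ public void testTrustStoreDoesNotExist() throws Exception
 public void testBuildClientContextForSSLEncryptionOnly() throws Exception
 {
-SSLContext context = SSLContextFactory.buildClientContext(CLIENT_TRUSTSTORE_PATH, STORE_PASSWORD, DEFAULT_TRUST_MANAGER_ALGORITHM, null, null, null, null);
+SSLContext context = SSLContextFactory.buildClientContext(CLIENT_TRUSTSTORE_PATH, STORE_PASSWORD, STORE_TYPE, DEFAULT_TRUST_MANAGER_ALGORITHM, null, null, null, null, null);
 assertNotNull("SSLContext should not be null", context);
 }
 public void testBuildClientContextWithForClientAuth() throws Exception
 {
-SSLContext context = SSLContextFactory.buildClientContext(CLIENT_TRUSTSTORE_PATH, STORE_PASSWORD, DEFAULT_TRUST_MANAGER_ALGORITHM, CLIENT_KEYSTORE_PATH, STORE_PASSWORD, DEFAULT_KEY_MANAGER_ALGORITHM, null);
+SSLContext context = SSLContextFactory.buildClientContext(CLIENT_TRUSTSTORE_PATH, STORE_PASSWORD, STORE_TYPE, DEFAULT_TRUST_MANAGER_ALGORITHM, CLIENT_KEYSTORE_PATH, STORE_PASSWORD, STORE_TYPE, DEFAULT_KEY_MANAGER_ALGORITHM, null);
 assertNotNull("SSLContext should not be null", context);
 }
 public void testBuildClientContextWithForClientAuthWithCertAlias() throws Exception
 {
-SSLContext context = SSLContextFactory.buildClientContext(CLIENT_TRUSTSTORE_PATH, STORE_PASSWORD, DEFAULT_TRUST_MANAGER_ALGORITHM, CLIENT_KEYSTORE_PATH, STORE_PASSWORD, DEFAULT_KEY_MANAGER_ALGORITHM, CERT_ALIAS_APP1);
+SSLContext context = SSLContextFactory.buildClientContext(CLIENT_TRUSTSTORE_PATH, STORE_PASSWORD, STORE_TYPE, DEFAULT_TRUST_MANAGER_ALGORITHM, CLIENT_KEYSTORE_PATH, STORE_PASSWORD, STORE_TYPE, DEFAULT_KEY_MANAGER_ALGORITHM, CERT_ALIAS_APP1);
 assertNotNull("SSLContext should not be null", context);
 }
 }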
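Review bot: Every updated call passes `STORE_TYPE = "JKS"`, so the behaviour this commit introduces — a non-JKS type reaching `KeyStore.getInstance`, and the PKCS11 exemption in SSLUtil — is not exercised, and a regression back to the hard-coded `"JKS"` would pass this suite unchanged. A cheap negative case pins that the type is really used: call `SSLContextFactory.buildServerContext(BROKER_KEYSTORE_PATH, STORE_PASSWORD, "NOSUCHTYPE", DEFAULT_KEY_MANAGER_ALGORITHM)` inside a try, `fail(...)` after it, and catch `KeyStoreException` (widen to `GeneralSecurityException` if the provider lookup surfaces a different subtype). Loading the same `.jks` fixtures with `KeyStore.getDefaultType()` in place of the literal would also cover the client-side default that ConnectionSettings relies on, at least on JREs where the default type is still JKS. The test class's other members lie outside the hunks.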