
Added support for keystore/truststore type in order to support non-JKS k... #2

Closed

Jesse Sightler
jsight commented May 08, 2012

This goes along with QPID-3973 to support keystore type within the QPID Java client libraries.

Jesse Sightler Added support for keystore/truststore type in order to support non-JK…
…S keystores. This is necessary for FIPS compliance.
5c2b841
Robbie Gemmell

Hi Jesse,

It looks like these changes were incorporated via https://issues.apache.org/jira/browse/QPID-3973. Could you close this pull request please?

We don't have direct administrative rights to the GitHub mirrors and the mirroring process didn't cater for automatic closure of the requests at the time, though it may now, so I would otherwise have to raise a request with the ASF infra team for them to close this.

Thanks,
Robbie

jfarrell closed this January 31, 2014


May 08, 2012
Jesse Sightler Added support for keystore/truststore type in order to support non-JK…
…S keystores. This is necessary for FIPS compliance.
5c2b841
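--- a/qpid/java/broker/src/main/java/org/apache/qpid/server/Broker.java
+++ b/qpid/java/broker/src/main/java/org/apache/qpid/server/Broker.java
@@ -242,8 +242,9 @@ private void startupImpl(final BrokerOptions options) throws Exception
             {
                 final String keystorePath = serverConfig.getConnectorKeyStorePath();
                 final String keystorePassword = serverConfig.getConnectorKeyStorePassword();
+                final String keystoreType = serverConfig.getConnectorKeyStoreType();
                 final String keyManagerFactoryAlgorithm = serverConfig.getConnectorKeyManagerFactoryAlgorithm();
-                final SSLContext sslContext = SSLContextFactory.buildServerContext(keystorePath, keystorePassword, keyManagerFactoryAlgorithm);
+                final SSLContext sslContext = SSLContextFactory.buildServerContext(keystorePath, keystorePassword, keystoreType, keyManagerFactoryAlgorithm);
 
                 for(int sslPort : sslPorts)
                 {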
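--- a/qpid/java/broker/src/main/java/org/apache/qpid/server/configuration/ServerConfiguration.java
+++ b/qpid/java/broker/src/main/java/org/apache/qpid/server/configuration/ServerConfiguration.java
@@ -722,7 +722,7 @@ public boolean getSSLOnly()
     {
         return getBooleanValue("connector.ssl.sslOnly");
     }
-
+    
     public List getSSLPorts()
     {
         return getListValue("connector.ssl.port", Collections.<Integer>singletonList(DEFAULT_SSL_PORT));
@@ -740,6 +740,11 @@ public String getConnectorKeyStorePassword()
         return getStringValue("connector.ssl.keyStorePassword", fallback);
     }
 
+    public String getConnectorKeyStoreType()
+    {
+        return getStringValue("connector.ssl.keyStoreType", "JKS");
+    }
+
     public String getConnectorKeyManagerFactoryAlgorithm()
     {
         final String systemFallback = KeyManagerFactory.getDefaultAlgorithm();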
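Review bot: `getConnectorKeyStoreType()` in the second hunk falls back to the literal `"JKS"`, while the client side of this same commit (ConnectionSettings) falls back to `KeyStore.getDefaultType()`, so the broker ignores the JVM's `keystore.type` security property that the client honours and the two halves of the feature disagree on the default. Aligning them is a one-line change, `return getStringValue("connector.ssl.keyStoreType", KeyStore.getDefaultType());`, which needs `java.security.KeyStore` imported in this file if it is not already (the import block is outside the hunk). The new getter also has no Javadoc; a one-liner naming the config key and its default, `/** Keystore type for the SSL connector ({@code connector.ssl.keyStoreType}); defaults to the JVM default store type. */`, would help since the neighbouring getters give no hint either. The first hunk only adds trailing whitespace to a blank line and could be dropped from the change.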
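--- a/qpid/java/client/src/main/java/org/apache/qpid/client/AMQConnectionDelegate_8_0.java
+++ b/qpid/java/client/src/main/java/org/apache/qpid/client/AMQConnectionDelegate_8_0.java
@@ -110,9 +110,11 @@ public ProtocolVersion makeBrokerConnection(BrokerDetails brokerDetail) throws A
                 sslContext = SSLContextFactory.buildClientContext(
                                 settings.getTrustStorePath(),
                                 settings.getTrustStorePassword(),
+                                settings.getTrustStoreType(),
                                 settings.getTrustManagerFactoryAlgorithm(),
                                 settings.getKeyStorePath(),
                                 settings.getKeyStorePassword(),
+                                settings.getKeyStoreType(),
                                 settings.getKeyManagerFactoryAlgorithm(),
                                 settings.getCertAlias());
             }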
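--- a/qpid/java/common/src/main/java/org/apache/qpid/ssl/SSLContextFactory.java
+++ b/qpid/java/common/src/main/java/org/apache/qpid/ssl/SSLContextFactory.java
@@ -48,28 +48,32 @@ private SSLContextFactory()
     }
 
     public static SSLContext buildServerContext(final String keyStorePath,
-            final String keyStorePassword, final String keyManagerFactoryAlgorithm)
+            final String keyStorePassword, final String keyStoreType,
+            final String keyManagerFactoryAlgorithm)
             throws GeneralSecurityException, IOException
     {
-        return buildContext(null, null, null, keyStorePath, keyStorePassword,
+        return buildContext(null, null, null, null, keyStorePath, keyStorePassword, keyStoreType,
                 keyManagerFactoryAlgorithm, null);
     }
 
     public static SSLContext buildClientContext(final String trustStorePath,
-            final String trustStorePassword, final String trustManagerFactoryAlgorithm,
-            final String keyStorePath, final String keyStorePassword,
+            final String trustStorePassword, final String trustStoreType,
+            final String trustManagerFactoryAlgorithm, final String keyStorePath, 
+            final String keyStorePassword, final String keyStoreType, 
             final String keyManagerFactoryAlgorithm, final String certAlias)
             throws GeneralSecurityException, IOException
     {
-        return buildContext(trustStorePath, trustStorePassword,
-                trustManagerFactoryAlgorithm, keyStorePath, keyStorePassword,
+        return buildContext(trustStorePath, trustStorePassword, trustStoreType,
+                trustManagerFactoryAlgorithm, keyStorePath, keyStorePassword, keyStoreType,
                 keyManagerFactoryAlgorithm, certAlias);
     }
 
     private static SSLContext buildContext(final String trustStorePath,
-            final String trustStorePassword, final String trustManagerFactoryAlgorithm,
-            final String keyStorePath, final String keyStorePassword,
-            final String keyManagerFactoryAlgorithm, final String certAlias)
+            final String trustStorePassword, final String trustStoreType,
+            final String trustManagerFactoryAlgorithm,
+            final String keyStorePath, final String keyStorePassword, 
+            final String keyStoreType, final String keyManagerFactoryAlgorithm,
+            final String certAlias)
             throws GeneralSecurityException, IOException
     {
         // Initialize the SSLContext to work with our key managers.
@@ -82,7 +86,7 @@ private static SSLContext buildContext(final String trustStorePath,
         if (trustStorePath != null)
         {
             final KeyStore ts = SSLUtil.getInitializedKeyStore(trustStorePath,
-                    trustStorePassword);
+                    trustStorePassword, trustStoreType);
             final TrustManagerFactory tmf = TrustManagerFactory
                     .getInstance(trustManagerFactoryAlgorithm);
             tmf.init(ts);
@@ -99,13 +103,13 @@ private static SSLContext buildContext(final String trustStorePath,
             if (certAlias != null)
             {
                 keyManagers = new KeyManager[] { new QpidClientX509KeyManager(
-                        certAlias, keyStorePath, keyStorePassword,
+                        certAlias, keyStorePath, keyStorePassword, keyStoreType,
                         keyManagerFactoryAlgorithm) };
             }
             else
             {
                 final KeyStore ks = SSLUtil.getInitializedKeyStore(
-                        keyStorePath, keyStorePassword);
+                        keyStorePath, keyStorePassword, keyStoreType);
 
                 char[] keyStoreCharPassword = keyStorePassword == null ? null : keyStorePassword.toCharArray();
                 // Set up key manager factory to use our key store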
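Review bot: The `new QpidClientX509KeyManager(...)` call in the third hunk passes `certAlias, keyStorePath, keyStorePassword, keyStoreType, keyManagerFactoryAlgorithm`, but the constructor as changed in QpidClientX509KeyManager.java in this same commit is declared `(String alias, String keyStorePath, String keyStoreType, String keyStorePassword, String keyManagerFactoryAlgorithmName)`, so the password and the type are transposed; because every parameter is a `String` this compiles, and it only fails at runtime when `KeyStore.getInstance(keyStoreType)` is handed the password and the type string is used as the key password. Change the call to `certAlias, keyStorePath, keyStoreType, keyStorePassword,` or reorder the constructor's parameters to match the password-then-type order used everywhere else in this commit; `testBuildClientContextWithForClientAuthWithCertAlias` in SSLContextFactoryTest is the test that exercises this path. More generally `buildClientContext` now takes nine positional `String` arguments, and this mismatch is exactly the kind of error that ordering invites; a small settings holder (or at least a comment on `buildContext` listing the parameter order) would make the next such slip visible. `buildContext`'s body continues outside the hunk.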
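--- a/qpid/java/common/src/main/java/org/apache/qpid/transport/ConnectionSettings.java
+++ b/qpid/java/common/src/main/java/org/apache/qpid/transport/ConnectionSettings.java
@@ -31,6 +31,7 @@
 import static org.apache.qpid.configuration.ClientProperties.LEGACY_RECEIVE_BUFFER_SIZE_PROP_NAME;
 import static org.apache.qpid.configuration.ClientProperties.LEGACY_SEND_BUFFER_SIZE_PROP_NAME;
 
+import java.security.KeyStore;
 import java.util.Map;
 
 import javax.net.ssl.KeyManagerFactory;
@@ -67,10 +68,12 @@
     private boolean useSSL;
     private String keyStorePath = System.getProperty("javax.net.ssl.keyStore");
     private String keyStorePassword = System.getProperty("javax.net.ssl.keyStorePassword");
+    private String keyStoreType = System.getProperty("javax.net.ssl.keyStoreType",KeyStore.getDefaultType());
     private String keyManagerFactoryAlgorithm = QpidProperty.stringProperty(KeyManagerFactory.getDefaultAlgorithm(), QPID_SSL_KEY_MANAGER_FACTORY_ALGORITHM_PROP_NAME, QPID_SSL_KEY_STORE_CERT_TYPE_PROP_NAME).get();
     private String trustManagerFactoryAlgorithm = QpidProperty.stringProperty(TrustManagerFactory.getDefaultAlgorithm(), QPID_SSL_TRUST_MANAGER_FACTORY_ALGORITHM_PROP_NAME, QPID_SSL_TRUST_STORE_CERT_TYPE_PROP_NAME).get();
-    private String trustStorePath = System.getProperty("javax.net.ssl.trustStore");;
-    private String trustStorePassword = System.getProperty("javax.net.ssl.trustStorePassword");;
+    private String trustStorePath = System.getProperty("javax.net.ssl.trustStore");
+    private String trustStorePassword = System.getProperty("javax.net.ssl.trustStorePassword");
+    private String trustStoreType = System.getProperty("javax.net.ssl.trustStoreType",KeyStore.getDefaultType());
     private String certAlias;
     private boolean verifyHostname;
     
@@ -262,6 +265,14 @@ public void setKeyStorePassword(String keyStorePassword)
         this.keyStorePassword = keyStorePassword;
     }
 
+    public void setKeyStoreType(String keyStoreType) {
+        this.keyStoreType = keyStoreType;
+    }
+
+    public String getKeyStoreType() {
+        return keyStoreType;
+    }
+
     public String getTrustStorePath()
     {
         return trustStorePath;
@@ -322,6 +333,14 @@ public void setTrustManagerFactoryAlgorithm(String trustManagerFactoryAlgorithm)
         this.trustManagerFactoryAlgorithm = trustManagerFactoryAlgorithm;
     }
 
+    public String getTrustStoreType() {
+        return trustStoreType;
+    }
+
+    public void setTrustStoreType(String trustStoreType) {
+        this.trustStoreType = trustStoreType;
+    }
+
     public int getReadBufferSize()
     {
         return readBufferSize;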
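Review bot: The four new accessors in the third and fourth hunks (`setKeyStoreType`, `getKeyStoreType`, `getTrustStoreType`, `setTrustStoreType`) put the opening brace on the signature line, while every neighbouring method in these hunks (`getTrustStorePath()`, `getReadBufferSize()`) puts it on its own line; the new code should follow the file's brace style. The two new field initialisers in the second hunk also lack a space after the comma, `"javax.net.ssl.keyStoreType", KeyStore.getDefaultType()`. The choice of `javax.net.ssl.keyStoreType` / `javax.net.ssl.trustStoreType` with `KeyStore.getDefaultType()` as fallback looks deliberate, since those are the property names the JSSE default context reads, but nothing says so; a short comment on the fields, `// same property names and fallback as the JSSE defaults, so unset properties keep the previous behaviour`, would spare the next reader the lookup. Note that a caller can still pass `null` to `setKeyStoreType`, which ends up in `KeyStore.getInstance(null)` in SSLUtil; if that is not intended, a `null` check in the setter (or falling back to the default) would keep the field always valid.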
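--- a/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/SecurityLayerFactory.java
+++ b/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/SecurityLayerFactory.java
@@ -78,9 +78,11 @@ public SSLSecurityLayer(ConnectionSettings settings, SecurityLayer layer)
                 sslCtx = SSLContextFactory
                         .buildClientContext(settings.getTrustStorePath(),
                                 settings.getTrustStorePassword(),
+                                settings.getTrustStoreType(),
                                 settings.getTrustManagerFactoryAlgorithm(),
                                 settings.getKeyStorePath(),
                                 settings.getKeyStorePassword(),
+                                settings.getKeyStoreType(),
                                 settings.getKeyManagerFactoryAlgorithm(),
                                 settings.getCertAlias());
             }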
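--- a/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/QpidClientX509KeyManager.java
+++ b/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/QpidClientX509KeyManager.java
@@ -40,11 +40,11 @@
     private X509ExtendedKeyManager delegate;
     private String alias;
     
-    public QpidClientX509KeyManager(String alias, String keyStorePath,
+    public QpidClientX509KeyManager(String alias, String keyStorePath, String keyStoreType,
                            String keyStorePassword, String keyManagerFactoryAlgorithmName) throws GeneralSecurityException, IOException
     {
         this.alias = alias;    
-        KeyStore ks = SSLUtil.getInitializedKeyStore(keyStorePath,keyStorePassword);
+        KeyStore ks = SSLUtil.getInitializedKeyStore(keyStorePath,keyStorePassword,keyStoreType);
         KeyManagerFactory kmf = KeyManagerFactory.getInstance(keyManagerFactoryAlgorithmName);
         kmf.init(ks, keyStorePassword.toCharArray());
         this.delegate = (X509ExtendedKeyManager)kmf.getKeyManagers()[0];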
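--- a/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java
+++ b/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java
@@ -125,9 +125,9 @@ public static String retriveIdentity(SSLEngine engine)
         return id.toString();
     }
     
-    public static KeyStore getInitializedKeyStore(String storePath, String storePassword) throws GeneralSecurityException, IOException
+    public static KeyStore getInitializedKeyStore(String storePath, String storePassword, String keyStoreType) throws GeneralSecurityException, IOException
     {
-        KeyStore ks = KeyStore.getInstance("JKS");
+        KeyStore ks = KeyStore.getInstance(keyStoreType);
         InputStream in = null;
         try
         {
@@ -140,7 +140,7 @@ public static KeyStore getInitializedKeyStore(String storePath, String storePass
             {
                 in = Thread.currentThread().getContextClassLoader().getResourceAsStream(storePath);
             }
-            if (in == null)
+            if (in == null && !"PKCS11".equalsIgnoreCase(keyStoreType)) // PKCS11 will not require an explicit path
             {
                 throw new IOException("Unable to load keystore resource: " + storePath);
             }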
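Review bot: The exemption on line 143 of the second hunk keys on the provider name, so a `PKCS11` store configured with a path that cannot be resolved is silently accepted and loaded from whatever the provider has, while any other provider-backed store type that is likewise loaded with a null stream still hits the `IOException`. If the intent is "no file needed", testing for the absence of a path is more direct than a string compare against one type name, e.g. `if (in == null && storePath != null)` so that a path that was given but not found is always reported; whether `storePath` can be `null` by the time this line is reached depends on the lookup code between the hunks, which is outside the view here. The trailing comment on the `if` line would read better on its own line above it, and it should say what actually happens on that branch, `// provider-backed stores (e.g. PKCS11) are loaded with a null stream below`, since the `load` call itself is outside the hunk. The method's body continues past the hunk, and `getInitializedKeyStore` now has three undocumented parameters; a Javadoc line per parameter, noting that `keyStoreType` is passed straight to `KeyStore.getInstance`, would help callers.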
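--- a/qpid/java/common/src/test/java/org/apache/qpid/ssl/SSLContextFactoryTest.java
+++ b/qpid/java/common/src/test/java/org/apache/qpid/ssl/SSLContextFactoryTest.java
@@ -31,13 +31,14 @@
     private static final String CLIENT_KEYSTORE_PATH = TEST_RESOURCES_DIR + "/ssl/java_client_keystore.jks";
     private static final String CLIENT_TRUSTSTORE_PATH = TEST_RESOURCES_DIR + "/ssl/java_client_truststore.jks";
     private static final String STORE_PASSWORD = "password";
+    private static final String STORE_TYPE = "JKS";
     private static final String DEFAULT_KEY_MANAGER_ALGORITHM = KeyManagerFactory.getDefaultAlgorithm();
     private static final String DEFAULT_TRUST_MANAGER_ALGORITHM = TrustManagerFactory.getDefaultAlgorithm();
     private static final String CERT_ALIAS_APP1 = "app1";
 
     public void testBuildServerContext() throws Exception
     {
-        SSLContext context = SSLContextFactory.buildServerContext(BROKER_KEYSTORE_PATH, STORE_PASSWORD, DEFAULT_KEY_MANAGER_ALGORITHM);
+        SSLContext context = SSLContextFactory.buildServerContext(BROKER_KEYSTORE_PATH, STORE_PASSWORD, STORE_TYPE, DEFAULT_KEY_MANAGER_ALGORITHM);
         assertNotNull("SSLContext should not be null", context);
     }
 
@@ -45,7 +46,7 @@ public void testBuildServerContextWithIncorrectPassword() throws Exception
     {
         try
         {
-            SSLContextFactory.buildServerContext(BROKER_KEYSTORE_PATH, "sajdklsad", DEFAULT_KEY_MANAGER_ALGORITHM);
+            SSLContextFactory.buildServerContext(BROKER_KEYSTORE_PATH, "sajdklsad", STORE_TYPE, DEFAULT_KEY_MANAGER_ALGORITHM);
             fail("Exception was not thrown due to incorrect password");
         }
         catch (IOException e)
@@ -58,7 +59,7 @@ public void testTrustStoreDoesNotExist() throws Exception
     {
         try
         {
-            SSLContextFactory.buildClientContext("/path/to/nothing", STORE_PASSWORD, DEFAULT_TRUST_MANAGER_ALGORITHM, CLIENT_KEYSTORE_PATH, STORE_PASSWORD, DEFAULT_KEY_MANAGER_ALGORITHM, null);
+            SSLContextFactory.buildClientContext("/path/to/nothing", STORE_PASSWORD, STORE_TYPE, DEFAULT_TRUST_MANAGER_ALGORITHM, CLIENT_KEYSTORE_PATH, STORE_PASSWORD, STORE_TYPE, DEFAULT_KEY_MANAGER_ALGORITHM, null);
             fail("Exception was not thrown due to incorrect path");
         }
         catch (IOException e)
@@ -69,19 +70,19 @@ public void testTrustStoreDoesNotExist() throws Exception
 
     public void testBuildClientContextForSSLEncryptionOnly() throws Exception
     {
-        SSLContext context = SSLContextFactory.buildClientContext(CLIENT_TRUSTSTORE_PATH, STORE_PASSWORD, DEFAULT_TRUST_MANAGER_ALGORITHM, null, null, null, null);
+        SSLContext context = SSLContextFactory.buildClientContext(CLIENT_TRUSTSTORE_PATH, STORE_PASSWORD, STORE_TYPE, DEFAULT_TRUST_MANAGER_ALGORITHM, null, null, null, null, null);
         assertNotNull("SSLContext should not be null", context);
     }
 
     public void testBuildClientContextWithForClientAuth() throws Exception
     {
-        SSLContext context = SSLContextFactory.buildClientContext(CLIENT_TRUSTSTORE_PATH, STORE_PASSWORD, DEFAULT_TRUST_MANAGER_ALGORITHM, CLIENT_KEYSTORE_PATH, STORE_PASSWORD, DEFAULT_KEY_MANAGER_ALGORITHM, null);
+        SSLContext context = SSLContextFactory.buildClientContext(CLIENT_TRUSTSTORE_PATH, STORE_PASSWORD, STORE_TYPE, DEFAULT_TRUST_MANAGER_ALGORITHM, CLIENT_KEYSTORE_PATH, STORE_PASSWORD, STORE_TYPE, DEFAULT_KEY_MANAGER_ALGORITHM, null);
         assertNotNull("SSLContext should not be null", context);
     }
     
     public void testBuildClientContextWithForClientAuthWithCertAlias() throws Exception
     {
-        SSLContext context = SSLContextFactory.buildClientContext(CLIENT_TRUSTSTORE_PATH, STORE_PASSWORD, DEFAULT_TRUST_MANAGER_ALGORITHM, CLIENT_KEYSTORE_PATH, STORE_PASSWORD, DEFAULT_KEY_MANAGER_ALGORITHM, CERT_ALIAS_APP1);
+        SSLContext context = SSLContextFactory.buildClientContext(CLIENT_TRUSTSTORE_PATH, STORE_PASSWORD, STORE_TYPE, DEFAULT_TRUST_MANAGER_ALGORITHM, CLIENT_KEYSTORE_PATH, STORE_PASSWORD, STORE_TYPE, DEFAULT_KEY_MANAGER_ALGORITHM, CERT_ALIAS_APP1);
         assertNotNull("SSLContext should not be null", context);
     }
 }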
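Review bot: Every updated call in these hunks passes `STORE_TYPE = "JKS"`, which is exactly the value `getInitializedKeyStore` used to hard-code, so the new parameter is threaded through but never exercised with a different value; nothing covers a non-JKS store, an unknown type name, or the PKCS11 branch added to SSLUtil. A PKCS12 fixture next to the existing `.jks` resources with one `buildServerContext` test against it would demonstrate the feature the commit message claims, and a test that passes an unknown type and asserts a `KeyStoreException` (a `GeneralSecurityException`, already declared by the factory methods) would pin the failure mode for a misconfigured type. The repeated nine-argument `buildClientContext` calls would also be easier to read and to keep in sync if the test had a small helper that fills in `STORE_TYPE` and the algorithms.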