Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Loading…

Added support for keystore/truststore type in order to support non-JKS k... #2

Closed
wants to merge 1 commit into from

3 participants

@jsight

This goes along with QPID-3973 to support keystore type within the QPID Java client libraries.

@jsight jsight Added support for keystore/truststore type in order to support non-JK…
…S keystores. This is necessary for FIPS compliance.
5c2b841
@gemmellr

Hi Jesse,

It looks like these changes were incorporated via https://issues.apache.org/jira/browse/QPID-3973. Could you close this pull request please?

We don't have direct adminstrative rights to the GitHub mirrors and the mirroring process didn't cater for automatic closure of the requests at the time, though it may now, so I would otherwise have to raise a request with the ASF infra team for them to close this.

Thanks,
Robbie

@jfarrell jfarrell closed this
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Commits on May 8, 2012
  1. @jsight

    Added support for keystore/truststore type in order to support non-JK…

    jsight authored
    …S keystores. This is necessary for FIPS compliance.
This page is out of date. Refresh to see the latest.
View
3  qpid/java/broker/src/main/java/org/apache/qpid/server/Broker.java
@@ -242,8 +242,9 @@ private void startupImpl(final BrokerOptions options) throws Exception
{
final String keystorePath = serverConfig.getConnectorKeyStorePath();
final String keystorePassword = serverConfig.getConnectorKeyStorePassword();
+ final String keystoreType = serverConfig.getConnectorKeyStoreType();
final String keyManagerFactoryAlgorithm = serverConfig.getConnectorKeyManagerFactoryAlgorithm();
- final SSLContext sslContext = SSLContextFactory.buildServerContext(keystorePath, keystorePassword, keyManagerFactoryAlgorithm);
+ final SSLContext sslContext = SSLContextFactory.buildServerContext(keystorePath, keystorePassword, keystoreType, keyManagerFactoryAlgorithm);
for(int sslPort : sslPorts)
{
View
7 qpid/java/broker/src/main/java/org/apache/qpid/server/configuration/ServerConfiguration.java
@@ -722,7 +722,7 @@ public boolean getSSLOnly()
{
return getBooleanValue("connector.ssl.sslOnly");
}
-
+
public List getSSLPorts()
{
return getListValue("connector.ssl.port", Collections.<Integer>singletonList(DEFAULT_SSL_PORT));
@@ -740,6 +740,11 @@ public String getConnectorKeyStorePassword()
return getStringValue("connector.ssl.keyStorePassword", fallback);
}
+ public String getConnectorKeyStoreType()
+ {
+ return getStringValue("connector.ssl.keyStoreType", "JKS");
+ }
+
public String getConnectorKeyManagerFactoryAlgorithm()
{
final String systemFallback = KeyManagerFactory.getDefaultAlgorithm();
View
2  qpid/java/client/src/main/java/org/apache/qpid/client/AMQConnectionDelegate_8_0.java
@@ -110,9 +110,11 @@ public ProtocolVersion makeBrokerConnection(BrokerDetails brokerDetail) throws A
sslContext = SSLContextFactory.buildClientContext(
settings.getTrustStorePath(),
settings.getTrustStorePassword(),
+ settings.getTrustStoreType(),
settings.getTrustManagerFactoryAlgorithm(),
settings.getKeyStorePath(),
settings.getKeyStorePassword(),
+ settings.getKeyStoreType(),
settings.getKeyManagerFactoryAlgorithm(),
settings.getCertAlias());
}
View
28 qpid/java/common/src/main/java/org/apache/qpid/ssl/SSLContextFactory.java
@@ -48,28 +48,32 @@ private SSLContextFactory()
}
public static SSLContext buildServerContext(final String keyStorePath,
- final String keyStorePassword, final String keyManagerFactoryAlgorithm)
+ final String keyStorePassword, final String keyStoreType,
+ final String keyManagerFactoryAlgorithm)
throws GeneralSecurityException, IOException
{
- return buildContext(null, null, null, keyStorePath, keyStorePassword,
+ return buildContext(null, null, null, null, keyStorePath, keyStorePassword, keyStoreType,
keyManagerFactoryAlgorithm, null);
}
public static SSLContext buildClientContext(final String trustStorePath,
- final String trustStorePassword, final String trustManagerFactoryAlgorithm,
- final String keyStorePath, final String keyStorePassword,
+ final String trustStorePassword, final String trustStoreType,
+ final String trustManagerFactoryAlgorithm, final String keyStorePath,
+ final String keyStorePassword, final String keyStoreType,
final String keyManagerFactoryAlgorithm, final String certAlias)
throws GeneralSecurityException, IOException
{
- return buildContext(trustStorePath, trustStorePassword,
- trustManagerFactoryAlgorithm, keyStorePath, keyStorePassword,
+ return buildContext(trustStorePath, trustStorePassword, trustStoreType,
+ trustManagerFactoryAlgorithm, keyStorePath, keyStorePassword, keyStoreType,
keyManagerFactoryAlgorithm, certAlias);
}
private static SSLContext buildContext(final String trustStorePath,
- final String trustStorePassword, final String trustManagerFactoryAlgorithm,
- final String keyStorePath, final String keyStorePassword,
- final String keyManagerFactoryAlgorithm, final String certAlias)
+ final String trustStorePassword, final String trustStoreType,
+ final String trustManagerFactoryAlgorithm,
+ final String keyStorePath, final String keyStorePassword,
+ final String keyStoreType, final String keyManagerFactoryAlgorithm,
+ final String certAlias)
throws GeneralSecurityException, IOException
{
// Initialize the SSLContext to work with our key managers.
@@ -82,7 +86,7 @@ private static SSLContext buildContext(final String trustStorePath,
if (trustStorePath != null)
{
final KeyStore ts = SSLUtil.getInitializedKeyStore(trustStorePath,
- trustStorePassword);
+ trustStorePassword, trustStoreType);
final TrustManagerFactory tmf = TrustManagerFactory
.getInstance(trustManagerFactoryAlgorithm);
tmf.init(ts);
@@ -99,13 +103,13 @@ private static SSLContext buildContext(final String trustStorePath,
if (certAlias != null)
{
keyManagers = new KeyManager[] { new QpidClientX509KeyManager(
- certAlias, keyStorePath, keyStorePassword,
+ certAlias, keyStorePath, keyStorePassword, keyStoreType,
keyManagerFactoryAlgorithm) };
}
else
{
final KeyStore ks = SSLUtil.getInitializedKeyStore(
- keyStorePath, keyStorePassword);
+ keyStorePath, keyStorePassword, keyStoreType);
char[] keyStoreCharPassword = keyStorePassword == null ? null : keyStorePassword.toCharArray();
// Set up key manager factory to use our key store
View
23 qpid/java/common/src/main/java/org/apache/qpid/transport/ConnectionSettings.java
@@ -31,6 +31,7 @@
import static org.apache.qpid.configuration.ClientProperties.LEGACY_RECEIVE_BUFFER_SIZE_PROP_NAME;
import static org.apache.qpid.configuration.ClientProperties.LEGACY_SEND_BUFFER_SIZE_PROP_NAME;
+import java.security.KeyStore;
import java.util.Map;
import javax.net.ssl.KeyManagerFactory;
@@ -67,10 +68,12 @@
private boolean useSSL;
private String keyStorePath = System.getProperty("javax.net.ssl.keyStore");
private String keyStorePassword = System.getProperty("javax.net.ssl.keyStorePassword");
+ private String keyStoreType = System.getProperty("javax.net.ssl.keyStoreType",KeyStore.getDefaultType());
private String keyManagerFactoryAlgorithm = QpidProperty.stringProperty(KeyManagerFactory.getDefaultAlgorithm(), QPID_SSL_KEY_MANAGER_FACTORY_ALGORITHM_PROP_NAME, QPID_SSL_KEY_STORE_CERT_TYPE_PROP_NAME).get();
private String trustManagerFactoryAlgorithm = QpidProperty.stringProperty(TrustManagerFactory.getDefaultAlgorithm(), QPID_SSL_TRUST_MANAGER_FACTORY_ALGORITHM_PROP_NAME, QPID_SSL_TRUST_STORE_CERT_TYPE_PROP_NAME).get();
- private String trustStorePath = System.getProperty("javax.net.ssl.trustStore");;
- private String trustStorePassword = System.getProperty("javax.net.ssl.trustStorePassword");;
+ private String trustStorePath = System.getProperty("javax.net.ssl.trustStore");
+ private String trustStorePassword = System.getProperty("javax.net.ssl.trustStorePassword");
+ private String trustStoreType = System.getProperty("javax.net.ssl.trustStoreType",KeyStore.getDefaultType());
private String certAlias;
private boolean verifyHostname;
@@ -262,6 +265,14 @@ public void setKeyStorePassword(String keyStorePassword)
this.keyStorePassword = keyStorePassword;
}
+ public void setKeyStoreType(String keyStoreType) {
+ this.keyStoreType = keyStoreType;
+ }
+
+ public String getKeyStoreType() {
+ return keyStoreType;
+ }
+
public String getTrustStorePath()
{
return trustStorePath;
@@ -322,6 +333,14 @@ public void setTrustManagerFactoryAlgorithm(String trustManagerFactoryAlgorithm)
this.trustManagerFactoryAlgorithm = trustManagerFactoryAlgorithm;
}
+ public String getTrustStoreType() {
+ return trustStoreType;
+ }
+
+ public void setTrustStoreType(String trustStoreType) {
+ this.trustStoreType = trustStoreType;
+ }
+
public int getReadBufferSize()
{
return readBufferSize;
View
2  qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/SecurityLayerFactory.java
@@ -78,9 +78,11 @@ public SSLSecurityLayer(ConnectionSettings settings, SecurityLayer layer)
sslCtx = SSLContextFactory
.buildClientContext(settings.getTrustStorePath(),
settings.getTrustStorePassword(),
+ settings.getTrustStoreType(),
settings.getTrustManagerFactoryAlgorithm(),
settings.getKeyStorePath(),
settings.getKeyStorePassword(),
+ settings.getKeyStoreType(),
settings.getKeyManagerFactoryAlgorithm(),
settings.getCertAlias());
}
View
4 qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/QpidClientX509KeyManager.java
@@ -40,11 +40,11 @@
private X509ExtendedKeyManager delegate;
private String alias;
- public QpidClientX509KeyManager(String alias, String keyStorePath,
+ public QpidClientX509KeyManager(String alias, String keyStorePath, String keyStoreType,
String keyStorePassword, String keyManagerFactoryAlgorithmName) throws GeneralSecurityException, IOException
{
this.alias = alias;
- KeyStore ks = SSLUtil.getInitializedKeyStore(keyStorePath,keyStorePassword);
+ KeyStore ks = SSLUtil.getInitializedKeyStore(keyStorePath,keyStorePassword,keyStoreType);
KeyManagerFactory kmf = KeyManagerFactory.getInstance(keyManagerFactoryAlgorithmName);
kmf.init(ks, keyStorePassword.toCharArray());
this.delegate = (X509ExtendedKeyManager)kmf.getKeyManagers()[0];
View
6 qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java
@@ -125,9 +125,9 @@ public static String retriveIdentity(SSLEngine engine)
return id.toString();
}
- public static KeyStore getInitializedKeyStore(String storePath, String storePassword) throws GeneralSecurityException, IOException
+ public static KeyStore getInitializedKeyStore(String storePath, String storePassword, String keyStoreType) throws GeneralSecurityException, IOException
{
- KeyStore ks = KeyStore.getInstance("JKS");
+ KeyStore ks = KeyStore.getInstance(keyStoreType);
InputStream in = null;
try
{
@@ -140,7 +140,7 @@ public static KeyStore getInitializedKeyStore(String storePath, String storePass
{
in = Thread.currentThread().getContextClassLoader().getResourceAsStream(storePath);
}
- if (in == null)
+ if (in == null && !"PKCS11".equalsIgnoreCase(keyStoreType)) // PKCS11 will not require an explicit path
{
throw new IOException("Unable to load keystore resource: " + storePath);
}
View
13 qpid/java/common/src/test/java/org/apache/qpid/ssl/SSLContextFactoryTest.java
@@ -31,13 +31,14 @@
private static final String CLIENT_KEYSTORE_PATH = TEST_RESOURCES_DIR + "/ssl/java_client_keystore.jks";
private static final String CLIENT_TRUSTSTORE_PATH = TEST_RESOURCES_DIR + "/ssl/java_client_truststore.jks";
private static final String STORE_PASSWORD = "password";
+ private static final String STORE_TYPE = "JKS";
private static final String DEFAULT_KEY_MANAGER_ALGORITHM = KeyManagerFactory.getDefaultAlgorithm();
private static final String DEFAULT_TRUST_MANAGER_ALGORITHM = TrustManagerFactory.getDefaultAlgorithm();
private static final String CERT_ALIAS_APP1 = "app1";
public void testBuildServerContext() throws Exception
{
- SSLContext context = SSLContextFactory.buildServerContext(BROKER_KEYSTORE_PATH, STORE_PASSWORD, DEFAULT_KEY_MANAGER_ALGORITHM);
+ SSLContext context = SSLContextFactory.buildServerContext(BROKER_KEYSTORE_PATH, STORE_PASSWORD, STORE_TYPE, DEFAULT_KEY_MANAGER_ALGORITHM);
assertNotNull("SSLContext should not be null", context);
}
@@ -45,7 +46,7 @@ public void testBuildServerContextWithIncorrectPassword() throws Exception
{
try
{
- SSLContextFactory.buildServerContext(BROKER_KEYSTORE_PATH, "sajdklsad", DEFAULT_KEY_MANAGER_ALGORITHM);
+ SSLContextFactory.buildServerContext(BROKER_KEYSTORE_PATH, "sajdklsad", STORE_TYPE, DEFAULT_KEY_MANAGER_ALGORITHM);
fail("Exception was not thrown due to incorrect password");
}
catch (IOException e)
@@ -58,7 +59,7 @@ public void testTrustStoreDoesNotExist() throws Exception
{
try
{
- SSLContextFactory.buildClientContext("/path/to/nothing", STORE_PASSWORD, DEFAULT_TRUST_MANAGER_ALGORITHM, CLIENT_KEYSTORE_PATH, STORE_PASSWORD, DEFAULT_KEY_MANAGER_ALGORITHM, null);
+ SSLContextFactory.buildClientContext("/path/to/nothing", STORE_PASSWORD, STORE_TYPE, DEFAULT_TRUST_MANAGER_ALGORITHM, CLIENT_KEYSTORE_PATH, STORE_PASSWORD, STORE_TYPE, DEFAULT_KEY_MANAGER_ALGORITHM, null);
fail("Exception was not thrown due to incorrect path");
}
catch (IOException e)
@@ -69,19 +70,19 @@ public void testTrustStoreDoesNotExist() throws Exception
public void testBuildClientContextForSSLEncryptionOnly() throws Exception
{
- SSLContext context = SSLContextFactory.buildClientContext(CLIENT_TRUSTSTORE_PATH, STORE_PASSWORD, DEFAULT_TRUST_MANAGER_ALGORITHM, null, null, null, null);
+ SSLContext context = SSLContextFactory.buildClientContext(CLIENT_TRUSTSTORE_PATH, STORE_PASSWORD, STORE_TYPE, DEFAULT_TRUST_MANAGER_ALGORITHM, null, null, null, null, null);
assertNotNull("SSLContext should not be null", context);
}
public void testBuildClientContextWithForClientAuth() throws Exception
{
- SSLContext context = SSLContextFactory.buildClientContext(CLIENT_TRUSTSTORE_PATH, STORE_PASSWORD, DEFAULT_TRUST_MANAGER_ALGORITHM, CLIENT_KEYSTORE_PATH, STORE_PASSWORD, DEFAULT_KEY_MANAGER_ALGORITHM, null);
+ SSLContext context = SSLContextFactory.buildClientContext(CLIENT_TRUSTSTORE_PATH, STORE_PASSWORD, STORE_TYPE, DEFAULT_TRUST_MANAGER_ALGORITHM, CLIENT_KEYSTORE_PATH, STORE_PASSWORD, STORE_TYPE, DEFAULT_KEY_MANAGER_ALGORITHM, null);
assertNotNull("SSLContext should not be null", context);
}
public void testBuildClientContextWithForClientAuthWithCertAlias() throws Exception
{
- SSLContext context = SSLContextFactory.buildClientContext(CLIENT_TRUSTSTORE_PATH, STORE_PASSWORD, DEFAULT_TRUST_MANAGER_ALGORITHM, CLIENT_KEYSTORE_PATH, STORE_PASSWORD, DEFAULT_KEY_MANAGER_ALGORITHM, CERT_ALIAS_APP1);
+ SSLContext context = SSLContextFactory.buildClientContext(CLIENT_TRUSTSTORE_PATH, STORE_PASSWORD, STORE_TYPE, DEFAULT_TRUST_MANAGER_ALGORITHM, CLIENT_KEYSTORE_PATH, STORE_PASSWORD, STORE_TYPE, DEFAULT_KEY_MANAGER_ALGORITHM, CERT_ALIAS_APP1);
assertNotNull("SSLContext should not be null", context);
}
}
Something went wrong with that request. Please try again.