
[HORNETQ-1329] Make it possible for an alternative security provider …

…to be specified for the key and trust stores used by NettyConnector and NettyAcceptor.

Amongst other things this makes it possible for a PKCS#11 provider to be specified.
1 parent a990d50 commit 9d1bceca6b4205d8811d14cc8d1b7b38b2999cdd @darranl darranl committed Feb 21, 2014
@@ -125,8 +125,10 @@
public static final String JAVAX_KEYSTORE_PASSWORD_PROP_NAME = "javax.net.ssl.keyStorePassword";
public static final String JAVAX_TRUSTSTORE_PATH_PROP_NAME = "javax.net.ssl.trustStore";
public static final String JAVAX_TRUSTSTORE_PASSWORD_PROP_NAME = "javax.net.ssl.trustStorePassword";
+ public static final String HORNETQ_KEYSTORE_PROVIDER_PROP_NAME = "org.hornetq.ssl.keyStoreProvider";
public static final String HORNETQ_KEYSTORE_PATH_PROP_NAME = "org.hornetq.ssl.keyStore";
public static final String HORNETQ_KEYSTORE_PASSWORD_PROP_NAME = "org.hornetq.ssl.keyStorePassword";
+ public static final String HORNETQ_TRUSTSTORE_PROVIDER_PROP_NAME = "org.hornetq.ssl.trustStoreProvider";
public static final String HORNETQ_TRUSTSTORE_PATH_PROP_NAME = "org.hornetq.ssl.trustStore";
public static final String HORNETQ_TRUSTSTORE_PASSWORD_PROP_NAME = "org.hornetq.ssl.trustStorePassword";
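Review bot: The new HornetQ-specific provider properties have no counterpart for the standard JSSE system properties `javax.net.ssl.keyStoreType` and `javax.net.ssl.trustStoreType`, even though the standard `javax.net.ssl.keyStore`/`trustStore` path and password properties are already mirrored two lines above. A client that sets the standard type property together with the standard path will therefore still have its store opened with the configured default (`"JKS"` unless `HORNETQ_KEYSTORE_PROVIDER_PROP_NAME` is also set), which presumably fails at load time for a PKCS12 file. Consider adding `public static final String JAVAX_KEYSTORE_TYPE_PROP_NAME = "javax.net.ssl.keyStoreType";` and `public static final String JAVAX_TRUSTSTORE_TYPE_PROP_NAME = "javax.net.ssl.trustStoreType";` and honouring them in start() immediately before the existing `HORNETQ_KEYSTORE_PROVIDER_PROP_NAME` and `HORNETQ_TRUSTSTORE_PROVIDER_PROP_NAME` override blocks, so the HornetQ property keeps precedence exactly as the path and password overrides already do.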
@@ -183,10 +185,14 @@
private final int localPort;
+ private final String keyStoreProvider;
+
private final String keyStorePath;
private final String keyStorePassword;
+ private final String trustStoreProvider;
+
private final String trustStorePath;
private final String trustStorePassword;
@@ -309,18 +315,28 @@ public NettyConnector(final Map<String, Object> configuration,
configuration);
if (sslEnabled)
{
+ keyStoreProvider = ConfigurationHelper.getStringProperty(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME,
+ TransportConstants.DEFAULT_KEYSTORE_PROVIDER,
+ configuration);
+
keyStorePath = ConfigurationHelper.getStringProperty(TransportConstants.KEYSTORE_PATH_PROP_NAME,
TransportConstants.DEFAULT_KEYSTORE_PATH,
configuration);
+
keyStorePassword = ConfigurationHelper.getPasswordProperty(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME,
TransportConstants.DEFAULT_KEYSTORE_PASSWORD,
configuration,
HornetQDefaultConfiguration.getPropMaskPassword(),
HornetQDefaultConfiguration.getPropMaskPassword());
+ trustStoreProvider = ConfigurationHelper.getStringProperty(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME,
+ TransportConstants.DEFAULT_TRUSTSTORE_PROVIDER,
+ configuration);
+
trustStorePath = ConfigurationHelper.getStringProperty(TransportConstants.TRUSTSTORE_PATH_PROP_NAME,
TransportConstants.DEFAULT_TRUSTSTORE_PATH,
configuration);
+
trustStorePassword = ConfigurationHelper.getPasswordProperty(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME,
TransportConstants.DEFAULT_TRUSTSTORE_PASSWORD,
configuration,
@@ -337,8 +353,10 @@ public NettyConnector(final Map<String, Object> configuration,
}
else
{
+ keyStoreProvider = TransportConstants.DEFAULT_KEYSTORE_PROVIDER;
keyStorePath = TransportConstants.DEFAULT_KEYSTORE_PATH;
keyStorePassword = TransportConstants.DEFAULT_KEYSTORE_PASSWORD;
+ trustStoreProvider = TransportConstants.DEFAULT_TRUSTSTORE_PROVIDER;
trustStorePath = TransportConstants.DEFAULT_TRUSTSTORE_PATH;
trustStorePassword = TransportConstants.DEFAULT_TRUSTSTORE_PASSWORD;
enabledCipherSuites = TransportConstants.DEFAULT_ENABLED_CIPHER_SUITES;
@@ -453,6 +471,7 @@ public synchronized void start()
{
// HORNETQ-680 - override the server-side config if client-side system properties are set
String realKeyStorePath = keyStorePath;
+ String realKeyStoreProvider = keyStoreProvider;
String realKeyStorePassword = keyStorePassword;
if (System.getProperty(JAVAX_KEYSTORE_PATH_PROP_NAME) != null)
{
@@ -463,6 +482,10 @@ public synchronized void start()
realKeyStorePassword = System.getProperty(JAVAX_KEYSTORE_PASSWORD_PROP_NAME);
}
+ if (System.getProperty(HORNETQ_KEYSTORE_PROVIDER_PROP_NAME) != null)
+ {
+ realKeyStoreProvider = System.getProperty(HORNETQ_KEYSTORE_PROVIDER_PROP_NAME);
+ }
if (System.getProperty(HORNETQ_KEYSTORE_PATH_PROP_NAME) != null)
{
realKeyStorePath = System.getProperty(HORNETQ_KEYSTORE_PATH_PROP_NAME);
@@ -473,6 +496,7 @@ public synchronized void start()
}
String realTrustStorePath = trustStorePath;
+ String realTrustStoreProvider = trustStoreProvider;
String realTrustStorePassword = trustStorePassword;
if (System.getProperty(JAVAX_TRUSTSTORE_PATH_PROP_NAME) != null)
{
@@ -483,6 +507,10 @@ public synchronized void start()
realTrustStorePassword = System.getProperty(JAVAX_TRUSTSTORE_PASSWORD_PROP_NAME);
}
+ if (System.getProperty(HORNETQ_TRUSTSTORE_PROVIDER_PROP_NAME) != null)
+ {
+ realTrustStoreProvider = System.getProperty(HORNETQ_TRUSTSTORE_PROVIDER_PROP_NAME);
+ }
if (System.getProperty(HORNETQ_TRUSTSTORE_PATH_PROP_NAME) != null)
{
realTrustStorePath = System.getProperty(HORNETQ_TRUSTSTORE_PATH_PROP_NAME);
@@ -491,7 +519,7 @@ public synchronized void start()
{
realTrustStorePassword = System.getProperty(HORNETQ_TRUSTSTORE_PASSWORD_PROP_NAME);
}
- context = SSLSupport.createContext(realKeyStorePath, realKeyStorePassword, realTrustStorePath, realTrustStorePassword);
+ context = SSLSupport.createContext(realKeyStoreProvider, realKeyStorePath, realKeyStorePassword, realTrustStoreProvider, realTrustStorePath, realTrustStorePassword);
}
catch (Exception e)
{
@@ -66,10 +66,14 @@
public static final String LOCAL_PORT_PROP_NAME = "local-port";
+ public static final String KEYSTORE_PROVIDER_PROP_NAME = "key-store-provider";
+
public static final String KEYSTORE_PATH_PROP_NAME = "key-store-path";
public static final String KEYSTORE_PASSWORD_PROP_NAME = "key-store-password";
+ public static final String TRUSTSTORE_PROVIDER_PROP_NAME = "trust-store-provider";
+
public static final String TRUSTSTORE_PATH_PROP_NAME = "trust-store-path";
public static final String TRUSTSTORE_PASSWORD_PROP_NAME = "trust-store-password";
@@ -130,10 +134,14 @@
public static final int DEFAULT_STOMP_PORT = 61613;
+ public static final String DEFAULT_KEYSTORE_PROVIDER = "JKS";
+
public static final String DEFAULT_KEYSTORE_PATH = null;
public static final String DEFAULT_KEYSTORE_PASSWORD = null;
+ public static final String DEFAULT_TRUSTSTORE_PROVIDER = "JKS";
+
public static final String DEFAULT_TRUSTSTORE_PATH = null;
public static final String DEFAULT_TRUSTSTORE_PASSWORD = null;
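Review bot: `DEFAULT_KEYSTORE_PROVIDER` and `DEFAULT_TRUSTSTORE_PROVIDER` carry the string `"JKS"` that SSLSupport then repeats four times as a literal (`"JKS".equals(...)`) as the sentinel meaning "file-backed store, path required", so the two definitions of the sentinel can drift apart silently. If SSLSupport may reference TransportConstants it should compare against these constants; if that dependency is not allowed, a comment here should state that SSLSupport hard-codes the same value. The value is also a `KeyStore` type name as accepted by `KeyStore.getInstance(String)`, not a `java.security.Provider` name, so a one-line Javadoc on each constant, e.g. `/** KeyStore type (JKS, PKCS12, PKCS11, ...) passed to KeyStore.getInstance; "JKS" means a file read from the configured path. */`, would keep the "provider" naming from misleading readers. The same applies to the `KEYSTORE_PROVIDER_PROP_NAME`/`TRUSTSTORE_PROVIDER_PROP_NAME` hunk above.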
@@ -197,8 +205,10 @@
allowableAcceptorKeys.add(TransportConstants.PROTOCOLS_PROP_NAME);
allowableAcceptorKeys.add(TransportConstants.HOST_PROP_NAME);
allowableAcceptorKeys.add(TransportConstants.PORT_PROP_NAME);
+ allowableAcceptorKeys.add(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME);
allowableAcceptorKeys.add(TransportConstants.KEYSTORE_PATH_PROP_NAME);
allowableAcceptorKeys.add(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME);
+ allowableAcceptorKeys.add(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME);
allowableAcceptorKeys.add(TransportConstants.TRUSTSTORE_PATH_PROP_NAME);
allowableAcceptorKeys.add(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME);
allowableAcceptorKeys.add(TransportConstants.ENABLED_CIPHER_SUITES_PROP_NAME);
@@ -236,8 +246,10 @@
allowableConnectorKeys.add(TransportConstants.PORT_PROP_NAME);
allowableConnectorKeys.add(TransportConstants.LOCAL_ADDRESS_PROP_NAME);
allowableConnectorKeys.add(TransportConstants.LOCAL_PORT_PROP_NAME);
+ allowableConnectorKeys.add(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME);
allowableConnectorKeys.add(TransportConstants.KEYSTORE_PATH_PROP_NAME);
allowableConnectorKeys.add(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME);
+ allowableConnectorKeys.add(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME);
allowableConnectorKeys.add(TransportConstants.TRUSTSTORE_PATH_PROP_NAME);
allowableConnectorKeys.add(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME);
allowableConnectorKeys.add(TransportConstants.ENABLED_CIPHER_SUITES_PROP_NAME);
@@ -47,11 +47,12 @@
// Public --------------------------------------------------------
- public static SSLContext createContext(final String keystorePath, final String keystorePassword, final String trustStorePath, final String trustStorePassword) throws Exception
+ public static SSLContext createContext(final String keystoreProvider, final String keystorePath, final String keystorePassword,
+ final String trustStoreProvider, final String trustStorePath, final String trustStorePassword) throws Exception
{
SSLContext context = SSLContext.getInstance("TLS");
- KeyManager[] keyManagers = SSLSupport.loadKeyManagers(keystorePath, keystorePassword);
- TrustManager[] trustManagers = SSLSupport.loadTrustManager(trustStorePath, trustStorePassword);
+ KeyManager[] keyManagers = SSLSupport.loadKeyManagers(keystoreProvider, keystorePath, keystorePassword);
+ TrustManager[] trustManagers = SSLSupport.loadTrustManager(trustStoreProvider, trustStorePath, trustStorePassword);
context.init(keyManagers, trustManagers, new SecureRandom());
return context;
}
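Review bot: `createContext` is now a public method taking six positional `String` parameters of which two are sentinels and three may be null, and nothing on the method says so; the `DEFAULT_TRUSTSTORE_PROVIDER` used for the key store in NettyAcceptor.start shows how easily same-typed positional arguments get crossed. Add Javadoc along the lines of `@param keystoreProvider KeyStore type passed to KeyStore.getInstance(String); "JKS" or null means a file-backed store read from keystorePath` and `@param keystorePath may be null only when keystoreProvider is neither "JKS" nor null; when it is null for a JKS store no key managers are supplied to the context`, with matching entries for the trust-store triple and a `@throws Exception` line naming at least the KeyStore and URL failures that propagate. Since the old four-argument signature was public, keeping it as a delegating overload `return createContext("JKS", keystorePath, keystorePassword, "JKS", trustStorePath, trustStorePassword);` would avoid breaking external callers.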
@@ -86,34 +87,38 @@ public static String parseArrayIntoCommandSeparatedList(String[] suites)
// Private -------------------------------------------------------
- private static TrustManager[] loadTrustManager(final String trustStorePath,
+ private static TrustManager[] loadTrustManager(final String trustStoreProvider,
+ final String trustStorePath,
final String trustStorePassword) throws Exception
{
- if (trustStorePath == null)
+ if (trustStorePath == null && ("JKS".equals(trustStoreProvider) || trustStoreProvider == null))
{
return null;
}
else
{
TrustManagerFactory trustMgrFactory;
- KeyStore trustStore = SSLSupport.loadKeystore(trustStorePath, trustStorePassword);
+ KeyStore trustStore = SSLSupport.loadKeystore(trustStoreProvider, trustStorePath, trustStorePassword);
trustMgrFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustMgrFactory.init(trustStore);
return trustMgrFactory.getTrustManagers();
}
}
- private static KeyStore loadKeystore(final String keystorePath, final String keystorePassword) throws Exception
+ private static KeyStore loadKeystore(final String keystoreProvider, final String keystorePath, final String keystorePassword) throws Exception
{
- assert keystorePath != null;
+ assert keystorePath != null || "JKS".equals(keystoreProvider) == false;
assert keystorePassword != null;
- KeyStore ks = KeyStore.getInstance("JKS");
+ KeyStore ks = KeyStore.getInstance(keystoreProvider);
InputStream in = null;
try
{
- URL keystoreURL = SSLSupport.validateStoreURL(keystorePath);
- in = keystoreURL.openStream();
+ if ("JKS".equals(keystoreProvider))
+ {
+ URL keystoreURL = SSLSupport.validateStoreURL(keystorePath);
+ in = keystoreURL.openStream();
+ }
ks.load(in, keystorePassword.toCharArray());
}
finally
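Review bot: `loadKeystore` ignores `keystorePath` for every store type other than `"JKS"`, so a configuration such as `key-store-provider=PKCS12` with a path to a PKCS12 file silently calls `ks.load(null, ...)` and gets an empty in-memory store; for the key store that yields a KeyManager with no credentials and for the trust store a trust manager that presumably rejects every peer, both surfacing as handshake failures rather than as a configuration error. The branch should key on whether a path was supplied rather than on the type name: `if (keystorePath != null) { URL keystoreURL = SSLSupport.validateStoreURL(keystorePath); in = keystoreURL.openStream(); }`, and the relaxed `assert` on the line above should become an explicit `if (keystorePath == null && "JKS".equals(keystoreProvider)) throw new IllegalArgumentException("key store path is required for a JKS store");`, because assertions are off by default and a null path would otherwise fail opaquely inside `validateStoreURL`. The same type-based predicate in `loadTrustManager` also lets a null `trustStoreProvider` with a non-null path reach `KeyStore.getInstance(null)`. Style: `"JKS".equals(keystoreProvider) == false` reads more naturally as `!"JKS".equals(keystoreProvider)`. The `finally` block of `loadKeystore` continues past the hunk.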
@@ -132,16 +137,16 @@ private static KeyStore loadKeystore(final String keystorePath, final String key
return ks;
}
- private static KeyManager[] loadKeyManagers(final String keystorePath, final String keystorePassword) throws Exception
+ private static KeyManager[] loadKeyManagers(final String keyStoreProvider, final String keystorePath, final String keystorePassword) throws Exception
{
- if (keystorePath == null)
+ if (keystorePath == null && ("JKS".equals(keyStoreProvider) || keyStoreProvider == null))
{
return null;
}
else
{
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
- KeyStore ks = SSLSupport.loadKeystore(keystorePath, keystorePassword);
+ KeyStore ks = SSLSupport.loadKeystore(keyStoreProvider, keystorePath, keystorePassword);
kmf.init(ks, keystorePassword.toCharArray());
return kmf.getKeyManagers();
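Review bot: The new parameter is spelled `keyStoreProvider` here but `keystoreProvider` in `createContext` and `loadKeystore`, next to the existing `keystorePath`/`keystorePassword`; within one class the same concept should use one spelling, and `keystoreProvider` matches its neighbours. The guard `keystorePath == null && ("JKS".equals(keyStoreProvider) || keyStoreProvider == null)` is now duplicated verbatim in `loadTrustManager`; a small private helper such as `private static boolean noStoreConfigured(final String type, final String path) { return path == null && (type == null || "JKS".equals(type)); }` would keep the two paths from diverging, which matters because this predicate decides whether the context falls back to the JSSE defaults. The method continues past the end of the hunk.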
@@ -14,6 +14,7 @@
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
+
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.security.AccessController;
@@ -46,6 +47,7 @@
import io.netty.util.ResourceLeakDetector;
import io.netty.util.concurrent.GenericFutureListener;
import io.netty.util.concurrent.GlobalEventExecutor;
+
import org.hornetq.api.config.HornetQDefaultConfiguration;
import org.hornetq.api.core.HornetQException;
import org.hornetq.api.core.SimpleString;
@@ -116,10 +118,14 @@
private final int port;
+ private final String keyStoreProvider;
+
private final String keyStorePath;
private final String keyStorePassword;
+ private final String trustStoreProvider;
+
private final String trustStorePath;
private final String trustStorePassword;
@@ -202,17 +208,28 @@ public NettyAcceptor(final String name,
configuration);
if (sslEnabled)
{
+ keyStoreProvider = ConfigurationHelper.getStringProperty(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME,
+ TransportConstants.DEFAULT_KEYSTORE_PROVIDER,
+ configuration);
+
keyStorePath = ConfigurationHelper.getStringProperty(TransportConstants.KEYSTORE_PATH_PROP_NAME,
TransportConstants.DEFAULT_KEYSTORE_PATH,
configuration);
+
keyStorePassword = ConfigurationHelper.getPasswordProperty(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME,
TransportConstants.DEFAULT_KEYSTORE_PASSWORD,
configuration,
HornetQDefaultConfiguration.getPropMaskPassword(),
HornetQDefaultConfiguration.getPropMaskPassword());
+
+ trustStoreProvider = ConfigurationHelper.getStringProperty(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME,
+ TransportConstants.DEFAULT_TRUSTSTORE_PROVIDER,
+ configuration);
+
trustStorePath = ConfigurationHelper.getStringProperty(TransportConstants.TRUSTSTORE_PATH_PROP_NAME,
TransportConstants.DEFAULT_TRUSTSTORE_PATH,
configuration);
+
trustStorePassword = ConfigurationHelper.getPasswordProperty(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME,
TransportConstants.DEFAULT_TRUSTSTORE_PASSWORD,
configuration,
@@ -233,8 +250,10 @@ public NettyAcceptor(final String name,
}
else
{
+ keyStoreProvider = TransportConstants.DEFAULT_KEYSTORE_PROVIDER;
keyStorePath = TransportConstants.DEFAULT_KEYSTORE_PATH;
keyStorePassword = TransportConstants.DEFAULT_KEYSTORE_PASSWORD;
+ trustStoreProvider = TransportConstants.DEFAULT_TRUSTSTORE_PROVIDER;
trustStorePath = TransportConstants.DEFAULT_TRUSTSTORE_PATH;
trustStorePassword = TransportConstants.DEFAULT_TRUSTSTORE_PASSWORD;
enabledCipherSuites = TransportConstants.DEFAULT_ENABLED_CIPHER_SUITES;
@@ -306,10 +325,11 @@ public synchronized void start() throws Exception
{
try
{
- if (keyStorePath == null)
+ if (keyStorePath == null && TransportConstants.DEFAULT_TRUSTSTORE_PROVIDER.equals(keyStoreProvider))
throw new IllegalArgumentException("If \"" + TransportConstants.SSL_ENABLED_PROP_NAME +
- "\" is true then \"" + TransportConstants.KEYSTORE_PATH_PROP_NAME + "\" must be non-null");
- context = SSLSupport.createContext(keyStorePath, keyStorePassword, trustStorePath, trustStorePassword);
+ "\" is true then \"" + TransportConstants.KEYSTORE_PATH_PROP_NAME + "\" must be non-null " +
+ "unless an alternative \"" + TransportConstants.KEYSTORE_PROVIDER_PROP_NAME + "\" has been specified.");
+ context = SSLSupport.createContext(keyStoreProvider, keyStorePath, keyStorePassword, trustStoreProvider, trustStorePath, trustStorePassword);
}
catch (Exception e)
{
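Review bot: The guard on the key store compares `keyStoreProvider` against `TransportConstants.DEFAULT_TRUSTSTORE_PROVIDER`; both defaults happen to be `"JKS"` today, so it works by coincidence, but the line should read `if (keyStorePath == null && TransportConstants.DEFAULT_KEYSTORE_PROVIDER.equals(keyStoreProvider))` so that changing one default cannot silently disable the check for the other store. Once SSLSupport validates the path/type combination itself (as its `loadKeystore` assert intends), this check could simply delegate to it, keeping a single place that decides which type names require a file. `start()` continues outside the hunk.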
@@ -389,7 +389,7 @@ public static String getSuitableCipherSuite() throws Exception
public static String[] getEnabledCipherSuites() throws Exception
{
- SSLContext context = SSLSupport.createContext(SERVER_SIDE_KEYSTORE, PASSWORD, CLIENT_SIDE_TRUSTSTORE, PASSWORD);
+ SSLContext context = SSLSupport.createContext("JKS", SERVER_SIDE_KEYSTORE, PASSWORD, "JKS", CLIENT_SIDE_TRUSTSTORE, PASSWORD);
SSLEngine engine = context.createSSLEngine();
return engine.getEnabledCipherSuites();
}
