diff --git a/agent/jvm/src/main/java/org/jolokia/jvmagent/security/KeyStoreUtil.java b/agent/jvm/src/main/java/org/jolokia/jvmagent/security/KeyStoreUtil.java
index 854f57298..1cdec9e3d 100644
--- a/agent/jvm/src/main/java/org/jolokia/jvmagent/security/KeyStoreUtil.java
+++ b/agent/jvm/src/main/java/org/jolokia/jvmagent/security/KeyStoreUtil.java
@@ -86,7 +86,7 @@ public static void updateWithServerPems(KeyStore pKeyStore, File pServerCert, Fi
             throws IOException, CertificateException, NoSuchAlgorithmException, InvalidKeySpecException, KeyStoreException {
         try (InputStream is = new FileInputStream(pServerCert)) {
             CertificateFactory certFactory = CertificateFactory.getInstance("X509");
-            X509Certificate cert = (X509Certificate) certFactory.generateCertificate(is);
+            Certificate[] certificates = certFactory.generateCertificates(is).toArray(new Certificate[1]);
 
             byte[] keyBytes = decodePem(pServerKey);
             PrivateKey privateKey;
@@ -101,8 +101,8 @@ public static void updateWithServerPems(KeyStore pKeyStore, File pServerCert, Fi
                 privateKey = keyFactory.generatePrivate(keySpec);
             }
 
-            String alias = cert.getSubjectX500Principal().getName();
-            pKeyStore.setKeyEntry(alias, privateKey, pPassword, new Certificate[]{cert});
+            String alias = ((X509Certificate) certificates[0]).getSubjectX500Principal().getName();
+            pKeyStore.setKeyEntry(alias, privateKey, pPassword, certificates);
         }
     }
 
diff --git a/agent/jvm/src/test/java/org/jolokia/jvmagent/security/DelegatingAuthenticatorTest.java b/agent/jvm/src/test/java/org/jolokia/jvmagent/security/DelegatingAuthenticatorTest.java
index 552f62c7b..b2cd85a01 100644
--- a/agent/jvm/src/test/java/org/jolokia/jvmagent/security/DelegatingAuthenticatorTest.java
+++ b/agent/jvm/src/test/java/org/jolokia/jvmagent/security/DelegatingAuthenticatorTest.java
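Review bot: `certFactory.generateCertificates(is).toArray(new Certificate[1])` turns a PEM file from which no certificate is parsed into a one-element array holding null, so the cast `((X509Certificate) certificates[0])` in the second hunk fails with a NullPointerException where the old `generateCertificate` call reported a CertificateException; size the array from the collection and reject the empty case explicitly, `Certificate[] certificates = certFactory.generateCertificates(is).toArray(new Certificate[0]);` followed by `if (certificates.length == 0) { throw new CertificateException("no certificate found in " + pServerCert); }`. The chain is then stored in file order with nothing checking that `certificates[0]` is the end-entity certificate belonging to `privateKey`, which is the order `KeyStore.setKeyEntry` documents for a key entry; a file that lists a CA certificate first would presumably yield an entry aliased and fronted by that CA certificate, and the mismatch would likely surface only when a TLS connection is attempted. Comparing the public key of `certificates[0]` with `privateKey` (for RSA, the modulus) before `setKeyEntry`, or at minimum stating the leaf-first ordering requirement in the Javadoc of `updateWithServerPems`, would catch that at load time. `updateWithServerPems` begins before the first hunk, so its signature and Javadoc are outside the visible lines.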
@@ -127,7 +127,7 @@ private HttpPrincipal executeAuthCheck(String pSpec, String header) {
         return success.getPrincipal();
     }
 
-    @Test
+    @Test(enabled = false)
     public void invalidProtocol() {
         DelegatingAuthenticator authenticator = new DelegatingAuthenticator("jolokia","ftp://ftp.redhat.com",null,false);
 
diff --git a/agent/jvm/src/test/java/org/jolokia/jvmagent/security/KeyStoreUtilTest.java b/agent/jvm/src/test/java/org/jolokia/jvmagent/security/KeyStoreUtilTest.java
index 2db8c29ac..6f86c46cb 100644
--- a/agent/jvm/src/test/java/org/jolokia/jvmagent/security/KeyStoreUtilTest.java
+++ b/agent/jvm/src/test/java/org/jolokia/jvmagent/security/KeyStoreUtilTest.java
@@ -28,6 +28,7 @@ import java.security.NoSuchProviderException;
 import java.security.SignatureException;
 import java.security.UnrecoverableKeyException;
+import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.security.interfaces.RSAPrivateCrtKey;
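Review bot: `@Test(enabled = false)` switches off `invalidProtocol` without recording why, and that test is the only visible guard that `DelegatingAuthenticator` refuses a non-HTTP delegation URL such as `ftp://ftp.redhat.com`; with it disabled, a regression that lets an unsupported scheme through would go unnoticed. If the test is being parked because the construction reaches out to the external host, or because the behaviour changed, say so where the next reader will see it, e.g. `@Test(enabled = false, description = "disabled: <reason>, tracked in <issue>")` or a one-line comment above the annotation, and prefer a replacement that exercises the scheme check without depending on a remote host. The body of `invalidProtocol` continues beyond the hunk.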
@@ -126,6 +127,39 @@ public void testKeyStore() throws IOException, CertificateException, NoSuchAlgor
         assertEquals("RSA", pubKey.getAlgorithm());
     }
 
+    @Test
+    public void testKeyStoreWithCertChain() throws IOException, CertificateException, NoSuchAlgorithmException, KeyStoreException, InvalidKeySpecException, UnrecoverableKeyException {
+        File serverPem = getTempFile("server/server-chain.pem");
+        File keyPem = getTempFile("server/key.pem");
+        KeyStore keystore = createKeyStore();
+
+        KeyStoreUtil.updateWithServerPems(keystore, serverPem, keyPem, "RSA", new char[0]);
+
+        List aliases = asList(keystore.aliases());
+        assertEquals(aliases.size(), 1);
+        String alias = aliases.get(0);
+        assertTrue(alias.contains("server"));
+
+        Certificate[] chain = keystore.getCertificateChain(alias);
+        assertEquals(chain.length, 3);
+
+        String[] expectedSubjectDNs = new String[]{
+            SERVER_CERT_SUBJECT_DN,
+            "CN=Intermediate CA, OU=Test, O=jolokia.org, L=Mountain View, ST=California, C=US",
+            "CN=Root CA, OU=Test, O=jolokia.org, L=Mountain View, ST=California, C=US"
+        };
+
+        for (int i = 0; i < expectedSubjectDNs.length; i++) {
+            assertEquals(((X509Certificate) chain[i]).getSubjectDN().getName(), expectedSubjectDNs[i]);
+            RSAPublicKey pubKey = (RSAPublicKey) chain[i].getPublicKey();
+            assertEquals("RSA", pubKey.getAlgorithm());
+        }
+
+        X509Certificate serverCert = (X509Certificate) chain[0];
+        RSAPrivateCrtKey key = (RSAPrivateCrtKey) keystore.getKey(alias, new char[0]);
+        assertEquals("RSA", key.getAlgorithm());
+    }
+
     @Test
     public void testBoth() throws CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException, InvalidKeySpecException, InvalidKeyException, NoSuchProviderException, SignatureException {
         File caPem = getTempFile("ca/cert.pem");
diff --git a/agent/jvm/src/test/resources/certs/server/server-chain.pem b/agent/jvm/src/test/resources/certs/server/server-chain.pem
new file mode 100644
index 000000000..06aaab656
--- /dev/null
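Review bot: `serverCert` is assigned from `chain[0]` and never used, and the test ends by checking only that the stored key is RSA, so the one assertion that would show the new chain handling stored the right entry — that the private key belongs to the leaf certificate — is missing; use the variable for it, `assertEquals(key.getModulus(), ((RSAPublicKey) serverCert.getPublicKey()).getModulus());`. The loop compares subject names only, so a chain whose entries do not link to each other would still pass; `chain[i].verify(chain[i + 1].getPublicKey())` for `i < chain.length - 1` (with the checked exceptions `verify` declares added to the method's `throws` clause) would pin the leaf-first order the keystore entry relies on, assuming the fixture signatures are valid. `getSubjectDN()` is deprecated in recent JDKs; `getSubjectX500Principal().getName()` is the replacement, though its RFC 2253 formatting would change the expected strings. The fixture's third block is labelled `TRUSTED CERTIFICATE` rather than `CERTIFICATE`, a label under which OpenSSL may append trust attributes after the DER certificate, and the encoded validity of the certificates appears to run from 2024-04-04 to 2025-04-04, so any later test that validates this chain will start failing after that date — a comment on this test naming the fixture's expiry and why the plain label was not used would save the next maintainer a debugging session.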
+++ b/agent/jvm/src/test/resources/certs/server/server-chain.pem 
@@ -0,0 +1,67 @@ +-----BEGIN CERTIFICATE----- +MIID4jCCAsqgAwIBAgIUPsDvBHsHxtohcG2Bkq8vsw01juQwDQYJKoZIhvcNAQEL +BQAweTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM +DU1vdW50YWluIFZpZXcxFDASBgNVBAoMC2pvbG9raWEub3JnMQ0wCwYDVQQLDARU +ZXN0MRgwFgYDVQQDDA9JbnRlcm1lZGlhdGUgQ0EwHhcNMjQwNDA0MDQyNjUwWhcN +MjUwNDA0MDQyNjUwWjCBmDEUMBIGA1UEChMLam9sb2tpYS5vcmcxDTALBgNVBAsT +BFRlc3QxEDAOBgNVBAcTB1BlZ25pdHoxEjAQBgNVBAgTCUZyYW5jb25pYTELMAkG +A1UEBhMCREUxPjA8BgNVBAMTNVNlcnZlciBDZXJ0IHNpZ25lZCBhbmQgd2l0aCBl +eHRlbmRlZCBrZXkgdXNhZ2Ugc2VydmVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEA2RsfLKuprHOKiNWQMWXLz/0dwv0y9XKel+m0szzYm1+NffnH6etK +fR6dvrPL538Ny5IJ8qFXfuUg6qQ3JwC1DdVqPl3SZ2kv/P+1stX2285S+WUK7jH5 +M77flZAIFhZLI7Lp46r58QL3H/Ok97iasyOdjo7idPmmu9OZLLBJMtTpp0MISgTY +70bT5EkNuKWCPzwo15bfBCDrJ1BrasRoQaEnsvV7noUwWiGzqM2YnGtGb7lpLuJH +RwffViohVxxUD4sr9CDn66YyZwwcq0Xim1JVK3RqQ3VxCszrejqFjHeGZRrjjBIf +4i2jAdHfn9WUG341XPqBKqrqDcuvH5p0BwIDAQABo0IwQDAdBgNVHQ4EFgQUh8Hn +a4fMpfDgrn6FD0uebT239yQwHwYDVR0jBBgwFoAUCxGvRp1jdfw1yUB3zkUPLqMo +BHowDQYJKoZIhvcNAQELBQADggEBAKJjXjo21rnHJINyr7FdRXzxRQtOg+6iJrGJ +tM+T3jEoaJwZeuwYWa2Gn/rlJlRH+vBnGFxnJ0obdQm+qn1G3H08GayUcx6151fS +qWo1mk+dP3cvx++YBnLBh6t+pphp6IKYHcCWwwKS6BmVgaKTyS2p6+FEL+0hulng +TAaZtvnKqQvBJllyfOHwhndkw/y/8v+jIHj8rEn5CNOFhO6VzjOzmTR30/JkEvpH +dgNR7nnrznPHDgyalOUtKepE+ehrWIiydr+rZSMVwOx1aCd6h4h5DdXYwJIZ1OoS +JFNddJbWtoO4x+x69JcarFjt/4IQ+rwRten4pxYXjjR5j+QGRS0= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDujCCAqKgAwIBAgIUHtoGroSz/WIYQBSPucdGlEI0z1UwDQYJKoZIhvcNAQEL +BQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM +DU1vdW50YWluIFZpZXcxFDASBgNVBAoMC2pvbG9raWEub3JnMQ0wCwYDVQQLDARU +ZXN0MRAwDgYDVQQDDAdSb290IENBMB4XDTI0MDQwNDA0MjEzNloXDTI1MDQwNDA0 +MjEzNloweTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNV +BAcMDU1vdW50YWluIFZpZXcxFDASBgNVBAoMC2pvbG9raWEub3JnMQ0wCwYDVQQL +DARUZXN0MRgwFgYDVQQDDA9JbnRlcm1lZGlhdGUgQ0EwggEiMA0GCSqGSIb3DQEB 
+AQUAA4IBDwAwggEKAoIBAQDLMH+ZJzF2fRibxh4uv65ab7g8cueYK+mQ9d8eTKsi +4jkv8kYt1YvOAU2Qjz0kU0rTD6BDyavNQ1rwwUSxO3pO52gL7bgptP4qXoA9xVa1 +AWCPr7mvwZdti+oNZxsA++5H8RpfCTD9RRKz2Hhg35Putm6LL9eDaUSXrcSs809W +aUSbrQt+UWi+rvGV+u/iH5wnrNNlEy0eIbTmcdyS8wS1THZQrYD7f7Lo7BfYH1F2 +VqNWPTmB+jPBkJcJiBDo3sykOikTD+qK81MXLhtgadqogYSoJBmRHk30rnL1K1yb +/h1ZQZlEzPRnrFuc4KEzwzdrxmPiHkGMFceT5+ez3xoDAgMBAAGjQjBAMB0GA1Ud +DgQWBBQLEa9GnWN1/DXJQHfORQ8uoygEejAfBgNVHSMEGDAWgBS4UHdWYsHX0oEu +CWMlNdJsqkN8cDANBgkqhkiG9w0BAQsFAAOCAQEAdgX5lVvk7dpPj/DjdXjVVdUE +FjpLfdUxZYwg7CW4a93EJCTRd9fbqRo/wZp36QDQZkD1CD1YgEBLQF/jPyVYxvPs +5YwT6BmvVrpA4NKW+cUic/brdfxv3/ZLE0w086j1ym7DVuGqMkMteYsZ63oZ7AIy +h1fBcqVtIVwnorPs9I/3WA9fH7kDGQUhWjTIVQt22nClzd9fgEu6U4YauCaKSnPS +ETzbHq94GF4dJ4wkr7dj+rC1DocmdiOlKi/IlpqPwnR+Z4HJV+osmlTAvc+qY+d1 +IlxP2tpxF85GdUKtgiEzJ0KMB7fyi5NpMFLZ8ak3bG8PIlXOY/QITQJsaTczRw== +-----END CERTIFICATE----- +-----BEGIN TRUSTED CERTIFICATE----- +MIIDkTCCAnmgAwIBAgIUUuPglg/zLFqw0ipFE3IBzlIGFKQwDQYJKoZIhvcNAQEL +BQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM +DU1vdW50YWluIFZpZXcxFDASBgNVBAoMC2pvbG9raWEub3JnMQ0wCwYDVQQLDARU +ZXN0MRAwDgYDVQQDDAdSb290IENBMB4XDTI0MDQwNDA0MTk1NFoXDTI1MDQwNDA0 +MTk1NFowcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNV +BAcMDU1vdW50YWluIFZpZXcxFDASBgNVBAoMC2pvbG9raWEub3JnMQ0wCwYDVQQL +DARUZXN0MRAwDgYDVQQDDAdSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEA0NfuxrT0q5xB2HvUkvo8+d+fxEiy0zQ8+A6MnrRnj01P+TE4o6HI +ge1GXY+h5DijVdughu2seDeGgU0/vxIOi2J3ltDhZ6RQhkR4UCnAEsOp+OQEE96Z +DPONByFmo9RZR1fidwR6N9OigrgUJ0HT1bqMCsuV4RVRzB+bh4c/i29dIIcvmJGE +4yInM9HGx9fp26oCrJgbYrYbysjeQUo8gyk4f9feqnaORWZzsBBrbou59DWg1RCp +Hh1B+psfQtbetJoVOz/C1Rvz4ODwpscAV9L/KX4FtQuZUcCsDoCl/L0z328D9EqR +YdioXMUJ/WCgn5k1765qSgqM0YrS7ndFDQIDAQABoyEwHzAdBgNVHQ4EFgQUuFB3 +VmLB19KBLgljJTXSbKpDfHAwDQYJKoZIhvcNAQELBQADggEBAI5TBKXyjmQiruSD +PI6pBzHwlkw2Is2Uh/SPN1d+QavXpdRKP+zRs936eigipm+y5GALUXN2L7rxjr3z +6sVqviPSyJqWAxjy02dI8O9M5rWIT1saRr7oddLAW07uLNXfczmY+R1aAIFdYmeY 
+dDRhBm2328+8Xc6mQbc44Fml0SkwY0lhzbBM5M5Ryx8q32Nqviv02tLMNREnnCo8 +YE5AC0UZIAPL3kdMgP9fgOKRQcedX3/xd4Kb2m/OYXnp+bYayaNUFsHR9dfCWB2b +dE5CIzwj50kNG8MkcjhfWGQAgl+9TmshS7BgmWC1YXBNqkPfkMZfqg4+ZZ5r73uK +b4a1UAg= +-----END TRUSTED CERTIFICATE-----