Merge remote-tracking branches 'upstream/pr/3702' and 'upstream/pr/36…

…74' into HEAD

core-feature-pack/src/main/resources/modules/system/layers/base/sun/jdk/main/module.xml

@@ -43,6 +43,7 @@
                 <path name="com/sun/net/ssl/internal/ssl"/>
                 <path name="com/sun/crypto/provider"/>
                 <path name="sun/security/action"/>
+                <path name="sun/security/ssl"/>
                 <path name="sun/security/pkcs"/>
                 <path name="sun/security/x509"/>
                 <path name="sun/invoke"/>

elytron/src/main/java/org/wildfly/extension/elytron/SSLDefinitions.java

@@ -563,7 +563,7 @@ static ResourceDefinition getTrustManagerDefinition() {
                 ModelNode crlNode = CERTIFICATE_REVOCATION_LIST.resolveModelAttribute(context, model);
 
                 if (crlNode.isDefined()) {
-                    return createX509CRLExtendedTrustManager(serviceBuilder, context, algorithm, providerName, providersInjector, keyStoreInjector, crlNode);
+                    return createX509CRLExtendedTrustManager(serviceBuilder, context, algorithm, providerName, providersInjector, keyStoreInjector, crlNode, aliasFilter);
                 }
 
                 DelegatingTrustManager delegatingTrustManager = new DelegatingTrustManager();
@@ -601,7 +601,7 @@ static ResourceDefinition getTrustManagerDefinition() {
                 };
             }
 
-            private ValueSupplier<TrustManager> createX509CRLExtendedTrustManager(ServiceBuilder<TrustManager> serviceBuilder, OperationContext context, String algorithm, String providerName, InjectedValue<Provider[]> providersInjector, InjectedValue<KeyStore> keyStoreInjector, ModelNode crlNode) throws OperationFailedException {
+            private ValueSupplier<TrustManager> createX509CRLExtendedTrustManager(ServiceBuilder<TrustManager> serviceBuilder, OperationContext context, String algorithm, String providerName, InjectedValue<Provider[]> providersInjector, InjectedValue<KeyStore> keyStoreInjector, ModelNode crlNode, String aliasFilter) throws OperationFailedException {
                 String crlPath = PATH.resolveModelAttribute(context, crlNode).asStringOrNull();
                 String crlRelativeTo = RELATIVE_TO.resolveModelAttribute(context, crlNode).asStringOrNull();
                 int certPath = MAXIMUM_CERT_PATH.resolveModelAttribute(context, crlNode).asInt();
@@ -618,6 +618,14 @@ static ResourceDefinition getTrustManagerDefinition() {
                     TrustManagerFactory trustManagerFactory = createTrustManagerFactory(providersInjector.getOptionalValue(), providerName, algorithm);
                     KeyStore keyStore = keyStoreInjector.getOptionalValue();
 
+                    if (aliasFilter != null) {
+                        try {
+                            keyStore = FilteringKeyStore.filteringKeyStore(keyStore, AliasFilter.fromString(aliasFilter));
+                        } catch (Exception e) {
+                            throw new StartException(e);
+                        }
+                    }
+
                     if (crlPath != null) {
                         try {
                             X509CRLExtendedTrustManager trustManager = new X509CRLExtendedTrustManager(keyStore, trustManagerFactory, new FileInputStream(resolveFileLocation(crlPath, crlRelativeTo, pathManagerInjector)), certPath, null);

elytron/src/test/java/org/wildfly/extension/elytron/CertificateAuthoritiesTestCase.java

@@ -142,7 +142,12 @@ public Void run() {
 
     @Before
     public void init() throws Exception {
-        String subsystemXml = System.getProperty("java.vendor").startsWith("IBM") ? "tls-ibm.xml" : "tls-sun.xml";
+        String subsystemXml;
+        if (JdkUtils.isIbmJdk()) {
+            subsystemXml = "tls-ibm.xml";
+        } else {
+            subsystemXml = JdkUtils.getJavaSpecVersion() <= 12 ? "tls-sun.xml" : "tls-oracle13plus.xml";
+        }
         services = super.createKernelServicesBuilder(new TestEnvironment()).setSubsystemXmlResource(subsystemXml).build();
         if (!services.isSuccessfulBoot()) {
             Assert.fail(services.getBootError().toString());

elytron/src/test/java/org/wildfly/extension/elytron/JdkUtils.java

@@ -0,0 +1,39 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2019 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.wildfly.extension.elytron;
+
+/**
+ * @author <a href="mailto:ropalka@redhat.com">Richard Opalka</a>
+ */
+final class JdkUtils {
+
+    private static final String javaSpecVersion = System.getProperty("java.specification.version");
+    private static final String javaVendor = System.getProperty("java.vendor");
+
+    private JdkUtils() {}
+
+    static int getJavaSpecVersion() {
+        if ("1.8".equals(javaSpecVersion)) return 8;
+        return Integer.parseInt(javaSpecVersion);
+    }
+
+    static boolean isIbmJdk() {
+        return javaVendor.startsWith("IBM");
+    }
+
+}

elytron/src/test/java/org/wildfly/extension/elytron/KeyStoresTestCase.java

@@ -394,7 +394,12 @@ public Void run() {
 
     @Before
     public void init() throws Exception {
-        String subsystemXml = System.getProperty("java.vendor").startsWith("IBM") ? "tls-ibm.xml" : "tls-sun.xml";
+        String subsystemXml;
+        if (JdkUtils.isIbmJdk()) {
+            subsystemXml = "tls-ibm.xml";
+        } else {
+            subsystemXml = JdkUtils.getJavaSpecVersion() <= 12 ? "tls-sun.xml" : "tls-oracle13plus.xml";
+        }
         services = super.createKernelServicesBuilder(new TestEnvironment()).setSubsystemXmlResource(subsystemXml).build();
         if (!services.isSuccessfulBoot()) {
             Assert.fail(services.getBootError().toString());

elytron/src/test/java/org/wildfly/extension/elytron/TlsTestCase.java

@@ -302,7 +302,12 @@ public static void cleanUpTests() {
     @Before
     public void prepare() throws Throwable {
         if (services != null) return;
-        String subsystemXml = System.getProperty("java.vendor").startsWith("IBM") ? "tls-ibm.xml" : "tls-sun.xml";
+        String subsystemXml;
+        if (JdkUtils.isIbmJdk()) {
+            subsystemXml = "tls-ibm.xml";
+        } else {
+            subsystemXml = JdkUtils.getJavaSpecVersion() <= 12 ? "tls-sun.xml" : "tls-oracle13plus.xml";
+        }
         services = super.createKernelServicesBuilder(new TestEnvironment()).setSubsystemXmlResource(subsystemXml).build();
         if (!services.isSuccessfulBoot()) {
             Assert.fail(services.getBootError().toString());

elytron/src/test/resources/org/wildfly/extension/elytron/tls-oracle13plus.xml

@@ -0,0 +1,86 @@
+<!-- for needs of SaslTestCase and KeyStoresTestCase -->
+<subsystem xmlns="urn:wildfly:elytron:7.0" default-ssl-context="ClientSslContextNoAuth">
+    <providers>
+        <provider-loader name="ManagerProviderLoader" class-names="sun.security.ssl.SunJSSE"/>
+    </providers>
+    <security-domains>
+        <security-domain name="MyDomain" default-realm="FileRealm">
+            <realm name="FileRealm"/>
+        </security-domain>
+    </security-domains>
+    <security-realms>
+        <filesystem-realm name="FileRealm" levels="2">
+            <file path="filesystem-realm" relative-to="jboss.server.config.dir" />
+        </filesystem-realm>
+    </security-realms>
+    <credential-stores>
+        <credential-store name="test" location="target/tlstest.keystore">
+            <implementation-properties>
+                <property name="keyStoreType" value="JCEKS"/>
+            </implementation-properties>
+            <credential-reference clear-text="super_secret"/>
+        </credential-store>
+    </credential-stores>
+    <tls>
+        <key-stores>
+            <key-store name="FireflyKeystore" >
+                <credential-reference store="test" alias="master-password-alias"/>
+                <implementation type="JKS" />
+                <file path="firefly.keystore" relative-to="jboss.server.config.dir"/>
+            </key-store>
+            <key-store name="LocalhostKeystore" >
+                <credential-reference store="test" alias="master-password-alias"/>
+                <implementation type="JKS" />
+                <file path="localhost.keystore" relative-to="jboss.server.config.dir" required="true"/>
+            </key-store>
+            <key-store name="ElytronCaTruststore" >
+                <credential-reference clear-text="Elytron"/>
+                <implementation type="JKS" />
+                <file path="target/test-classes/org/wildfly/extension/elytron/ca.truststore"/>
+            </key-store>
+            <key-store name="NewKeyStore" >
+                <credential-reference clear-text="Elytron"/>
+                <implementation type="JKS" />
+                <file path="target/not-existing.keystore" required="false"/>
+            </key-store>
+            <key-store name="AutomaticKeystore" >
+                <credential-reference clear-text="Elytron"/>
+                <implementation/>
+                <file path="firefly.keystore" relative-to="jboss.server.config.dir"/>
+            </key-store>
+            <filtering-key-store name="FilteringKeyStore" key-store="FireflyKeystore" alias-filter="NONE:+firefly"/>
+        </key-stores>
+        <key-managers>
+            <key-manager name="ServerKeyManager" algorithm="SunX509" key-store="LocalhostKeystore" alias-filter="NONE:+localhost">
+                <credential-reference store="test" alias="the-key-alias"/>
+            </key-manager>
+            <key-manager name="ClientKeyManager" algorithm="SunX509" key-store="FireflyKeystore">
+                <credential-reference clear-text="Elytron"/>
+            </key-manager>
+            <key-manager name="MyKeyManager" algorithm="SunX509" key-store="FireflyKeystore" providers="ManagerProviderLoader" provider-name="SunJSSE">
+                <credential-reference store="test" alias="the-key-alias"/>
+            </key-manager>
+        </key-managers>
+        <trust-managers>
+            <trust-manager name="CaTrustManager" algorithm="SunX509" key-store="ElytronCaTruststore" alias-filter="NONE:+mykey"/>
+            <trust-manager name="MyTrustManager" algorithm="SunX509" key-store="ElytronCaTruststore" providers="ManagerProviderLoader" provider-name="SunJSSE"/>
+            <trust-manager name="ProviderTrustManager" algorithm="SunX509" key-store="ElytronCaTruststore" providers="ManagerProviderLoader" provider-name="SunJSSE"/>
+            <trust-manager name="trust-with-crl" algorithm="PKIX" key-store="ElytronCaTruststore">
+                <certificate-revocation-list path="crl.pem" relative-to="jboss.server.config.dir" maximum-cert-path="2"/>
+            </trust-manager>
+            <trust-manager name="trust-with-crl-dp" algorithm="PKIX" key-store="ElytronCaTruststore">
+                <certificate-revocation-list />
+            </trust-manager>
+        </trust-managers>
+        <server-ssl-contexts>
+            <server-ssl-context name="ServerSslContextNoAuth" key-manager="ServerKeyManager" trust-manager="CaTrustManager"/>
+            <server-ssl-context name="ServerSslContextAuth" protocols="TLSv1.3 TLSv1.2 TLSv1.1" key-manager="ServerKeyManager" trust-manager="CaTrustManager"
+                                want-client-auth="true" need-client-auth="true" authentication-optional="false" use-cipher-suites-order="false"
+                                providers="ManagerProviderLoader" provider-name="SunJSSE" session-timeout="321" maximum-session-cache-size="123"/>
+        </server-ssl-contexts>
+        <client-ssl-contexts>
+            <client-ssl-context name="ClientSslContextNoAuth" trust-manager="CaTrustManager" />
+            <client-ssl-context name="ClientSslContextAuth" protocols="SSLv2 SSLv3 TLSv1 TLSv1.3 TLSv1.2" key-manager="ClientKeyManager" trust-manager="CaTrustManager" providers="ManagerProviderLoader"/>
+        </client-ssl-contexts>
+    </tls>
+</subsystem>