Github user jbertram commented on a diff in the pull request:
https://github.com/apache/activemq-artemis/pull/1715#discussion_r157065620
--- Diff:
tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/mqtt/imported/MQTTSecurityCRLTest.java
---
@@ -0,0 +1,357 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.artemis.tests.integration.mqtt.imported;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.security.KeyStore;
+import java.security.ProtectionDomain;
+import java.util.HashSet;
+import java.util.Set;
+import java.util.concurrent.TimeUnit;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLException;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import org.apache.activemq.artemis.api.core.TransportConfiguration;
+import org.apache.activemq.artemis.core.config.Configuration;
+import org.apache.activemq.artemis.core.config.WildcardConfiguration;
+import org.apache.activemq.artemis.core.config.impl.FileConfiguration;
+import
org.apache.activemq.artemis.core.remoting.impl.netty.NettyAcceptorFactory;
+import
org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants;
+import org.apache.activemq.artemis.core.security.Role;
+import org.apache.activemq.artemis.core.server.ActiveMQServer;
+import org.apache.activemq.artemis.core.settings.HierarchicalRepository;
+import
org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager;
+import org.apache.activemq.artemis.tests.util.ActiveMQTestBase;
+import org.fusesource.mqtt.client.BlockingConnection;
+import org.fusesource.mqtt.client.MQTT;
+import org.fusesource.mqtt.client.Message;
+import org.fusesource.mqtt.client.QoS;
+import org.fusesource.mqtt.client.Topic;
+import org.junit.Test;
+
+public class MQTTSecurityCRLTest extends ActiveMQTestBase {
+
+
+ /**
+ * These artifacts are required for testing mqtt with CRL
+ * <p>
+ * openssl genrsa -out ca.key 2048
+ * openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
+ * touch certindex
+ * echo 01 > certserial
+ * echo 01 > crlnumber
+ * <p>
+ * Create ca.conf file with
+ * <p>
+ * # Mainly copied from:
+ * # http://swearingscience.com/2009/01/18/openssl-self-signed-ca/
+ * <p>
+ * [ ca ]
+ * default_ca = myca
+ * <p>
+ * [ crl_ext ]
+ * # issuerAltName=issuer:copy #this would copy the issuer name to
altname
+ * authorityKeyIdentifier=keyid:always
+ * <p>
+ * [ myca ]
+ * dir = ./
+ * new_certs_dir = $dir
+ * unique_subject = no
+ * certificate = $dir/ca.crt
+ * database = $dir/certindex
+ * private_key = $dir/ca.key
+ * serial = $dir/certserial
+ * default_days = 730
+ * default_md = sha1
+ * policy = myca_policy
+ * x509_extensions = myca_extensions
+ * crlnumber = $dir/crlnumber
+ * default_crl_days = 730
+ * <p>
+ * [ myca_policy ]
+ * commonName = supplied
+ * stateOrProvinceName = supplied
+ * countryName = optional
+ * emailAddress = optional
+ * organizationName = supplied
+ * organizationalUnitName = optional
+ * <p>
+ * [ myca_extensions ]
+ * basicConstraints = CA:false
+ * subjectKeyIdentifier = hash
+ * authorityKeyIdentifier = keyid:always
+ * keyUsage = digitalSignature,keyEncipherment
+ * extendedKeyUsage = serverAuth, clientAuth
+ * crlDistributionPoints = URI:http://example.com/root.crl
+ * subjectAltName = @alt_names
+ * <p>
+ * [alt_names]
+ * DNS.1 = example.com
+ * DNS.2 = *.example.com
+ * <p>
+ * Continue executing the commands:
+ * <p>
+ * openssl genrsa -out keystore1.key 2048
+ * openssl req -new -key keystore1.key -out keystore1.csr
+ * openssl ca -batch -config ca.conf -notext -in keystore1.csr -out
keystore1.crt
+ * openssl genrsa -out client_revoked.key 2048
+ * openssl req -new -key client_revoked.key -out client_revoked.csr
+ * openssl ca -batch -config ca.conf -notext -in client_revoked.csr
-out client_revoked.crt
+ * openssl genrsa -out client_not_revoked.key 2048
+ * openssl req -new -key client_not_revoked.key -out
client_not_revoked.csr
+ * openssl ca -batch -config ca.conf -notext -in client_not_revoked.csr
-out client_not_revoked.crt
+ * openssl ca -config ca.conf -gencrl -keyfile ca.key -cert ca.crt -out
root.crl.pem
+ * openssl ca -config ca.conf -revoke client_revoked.crt -keyfile
ca.key -cert ca.crt
+ * openssl ca -config ca.conf -gencrl -keyfile ca.key -cert ca.crt -out
root.crl.pem
+ * <p>
+ * openssl pkcs12 -export -name client_revoked -in client_revoked.crt
-inkey client_revoked.key -out client_revoked.p12
+ * keytool -importkeystore -destkeystore client_revoked.jks
-srckeystore client_revoked.p12 -srcstoretype pkcs12 -alias client_revoked
+ * <p>
+ * openssl pkcs12 -export -name client_not_revoked -in
client_not_revoked.crt -inkey client_not_revoked.key -out client_not_revoked.p12
+ * keytool -importkeystore -destkeystore client_not_revoked.jks
-srckeystore client_not_revoked.p12 -srcstoretype pkcs12 -alias
client_not_revoked
+ * <p>
+ * openssl pkcs12 -export -name keystore1 -in keystore1.crt -inkey
keystore1.key -out keystore1.p12
+ * keytool -importkeystore -destkeystore keystore1.jks -srckeystore
keystore1.p12 -srcstoretype pkcs12 -alias keystore1
+ * <p>
+ * keytool -import -trustcacerts -alias trust_key -file ca.crt
-keystore truststore.jks
+ */
+
+ protected String fullUser = "user";
+ protected String fullPass = "pass";
+
+
+ public File basedir() throws IOException {
+ ProtectionDomain protectionDomain = getClass().getProtectionDomain();
+ return new File(new
File(protectionDomain.getCodeSource().getLocation().getPath()),
"../..").getCanonicalFile();
+ }
+
+ @Test(expected = SSLException.class)
+ public void crlRevokedTest() throws Exception {
+
+ ActiveMQServer server1 = initServer();
+ BlockingConnection connection1 = null;
+ try {
+ server1.start();
+
+ while (!server1.isStarted()) {
+ Thread.sleep(50);
+ }
+
+ String basedir = basedir().getPath() +
"/src/test/resources/mqttCrl/client0/";
+ connection1 = retrieveMQTTConnection("ssl://localhost:1883",
basedir + "truststore.jks", "changeit", basedir + "client_revoked.jks",
"changeit");
+
+ // Subscribe to topics
+ Topic[] topics = {new Topic("test/+/some/#", QoS.AT_MOST_ONCE)};
+ connection1.subscribe(topics);
+
+ // Publish Messages
+ String payload1 = "This is message 1";
+
+ connection1.publish("test/1/some/la", payload1.getBytes(),
QoS.AT_LEAST_ONCE, false);
+
+ Message message1 = connection1.receive(5, TimeUnit.SECONDS);
+
+ assertEquals(payload1, new String(message1.getPayload()));
+
+ } finally {
+ if (connection1 != null) {
+ connection1.disconnect();
+ }
+ if (server1.isStarted()) {
+ server1.stop();
+ }
+ }
+
+ }
+
+ @Test
+ public void crlNotRevokedTest() throws Exception {
+
+ ActiveMQServer server1 = initServer();
+ BlockingConnection connection1 = null;
+ try {
+ server1.start();
+
+ while (!server1.isStarted()) {
+ Thread.sleep(50);
+ }
+
+ String basedir = basedir().getPath() +
"/src/test/resources/mqttCrl/client1/";
+ connection1 = retrieveMQTTConnection("ssl://localhost:1883",
basedir + "truststore.jks", "changeit", basedir + "client_not_revoked.jks",
"changeit");
+
+ // Subscribe to topics
+ Topic[] topics = {new Topic("test/+/some/#", QoS.AT_MOST_ONCE)};
+ connection1.subscribe(topics);
+
+ // Publish Messages
+ String payload1 = "This is message 1";
+
+ connection1.publish("test/1/some/la", payload1.getBytes(),
QoS.AT_LEAST_ONCE, false);
+
+ Message message1 = connection1.receive(5, TimeUnit.SECONDS);
+
+ assertEquals(payload1, new String(message1.getPayload()));
+
+ } finally {
+ if (connection1 != null) {
+ connection1.disconnect();
+ }
+ if (server1.isStarted()) {
+ server1.stop();
+ }
+ }
+
+ }
+
+
+ private ActiveMQServer initServer() throws Exception {
+ Configuration configuration = createConfiguration("broker");
+ ActiveMQServer server = createServer(true, configuration);
+ configureBrokerSecurity(server);
+ return server;
+ }
+
+ protected Configuration createConfiguration(String name) throws
Exception {
+ FileConfiguration fc = new FileConfiguration();
--- End diff --
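Review bot: `@Test(expected = SSLException.class)` on `crlRevokedTest` is satisfied by any TLS handshake failure — a wrong truststore path, a SAN/host mismatch, or a signature algorithm the JDK refuses — so the negative test can pass without the CRL ever being consulted, and it proves revocation only as long as `crlNotRevokedTest` passes against the same broker in the same JDK. It would be tighter to catch the exception and assert on the reason, e.g. `try { connection1 = retrieveMQTTConnection(...); fail("revoked client certificate was accepted"); } catch (SSLException e) { assertTrue(String.valueOf(e).contains("revoked") || hasCause(e, java.security.cert.CertificateRevokedException.class)); }`, rather than accepting any `SSLException`. The fixture recipe in the Javadoc also has two time bombs: `default_md = sha1` (SHA-1 is progressively disabled by `jdk.certpath.disabledAlgorithms` in newer JDKs — prefer `default_md = sha256` for regenerated fixtures) and `default_days = 730` / `default_crl_days = 730`, after which both client certificates and the CRL expire, both handshakes fail, and the revoked test goes green for the wrong reason — the expiry date is worth recording in the comment next to the recipe. Both tests also spin on `while (!server1.isStarted()) Thread.sleep(50);` with no upper bound, so a broker that never starts hangs the build instead of failing it. `createConfiguration` and the rest of the file continue past the quoted portion of the hunk.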
There are already lots of methods in the test-suite to create a config for
a test. Take a look at
org.apache.activemq.artemis.tests.util.ActiveMQTestBase#createDefaultNettyConfig
for example.
---