amichair commented on code in PR #60:
URL: https://github.com/apache/aries-rsa/pull/60#discussion_r3120328154


##########
provider/tcp/src/main/java/org/apache/aries/rsa/provider/tcp/TcpProvider.java:
##########
@@ -77,6 +92,50 @@ private static <T> Set<T> union(Collection<T>... 
collections) {
         return union;
     }
 
+    private void initSocketFactories(Config config) {
+        try {
+            mtls = config.isMtls();
+            String keyStore = config.getKeyStore();
+            String trustStore = config.getTrustStore();
+            if (mtls) {
+                // both client and server need the keystore and truststore
+                if (keyStore == null || keyStore.isEmpty() || trustStore == 
null || trustStore.isEmpty())
+                    throw new RuntimeException("MTLS requires keystore and 
truststore");
+                SSLContext context = NetUtil.createSSLContext(
+                        keyStore, config.getKeyStorePassword(),
+                        trustStore, config.getTrustStorePassword(),
+                        config.getKeyAlias());
+                serverSocketFactory = 
NetUtil.createMTLSServerSocketFactory(context);
+                socketFactory = context.getSocketFactory();
+            } else {
+                if (keyStore == null || keyStore.isEmpty()) {
+                    serverSocketFactory = ServerSocketFactory.getDefault(); // 
plain sockets
+                } else {
+                    // server only needs keystore
+                    SSLContext context = NetUtil.createSSLContext(
+                        keyStore, config.getKeyStorePassword(), null, null, 
config.getKeyAlias());
+                    serverSocketFactory = context.getServerSocketFactory();
+                }
+                if (trustStore == null || trustStore.isEmpty()) {
+                    socketFactory = SocketFactory.getDefault(); // plain 
sockets
+                }  else {
+                    // client only needs truststore
+                    SSLContext context = NetUtil.createSSLContext(
+                        null, null, trustStore, 
config.getTrustStorePassword(), null);
+                    socketFactory = context.getSocketFactory();
+                }
+            }
+        } catch (NoSuchAlgorithmException | KeyManagementException | 
UnrecoverableKeyException | IOException |
+                 KeyStoreException | CertificateException e) {
+            throw new RuntimeException("Error initializing SSL Context", e);
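Review bot: In the non-mTLS branch a missing or empty keystore silently selects `ServerSocketFactory.getDefault()`, and a missing or empty truststore silently selects `SocketFactory.getDefault()`, so a mistyped or absent configuration property downgrades the transport to plaintext with nothing telling the operator. The two sides are also decided independently, which means one provider instance can export over TLS while importing over plain sockets, or the reverse. I would log the selected mode for each side at activation, for example `log.warn("No keystore configured, TCP endpoints are exported over unencrypted sockets");` (logger name assumed, as none is visible in this hunk), or require an explicit setting before falling back to plain sockets. The body of initSocketFactories continues past the end of the quoted hunk.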

Review Comment:
   it's propagated to the activator, so not sure it matters... which exception 
did u have in mind?



##########
provider/tcp/src/main/java/org/apache/aries/rsa/provider/tcp/TcpProvider.java:
##########
@@ -54,14 +65,18 @@
         RemoteConstants.REMOTE_INTENTS_SUPPORTED + "=osgi.basic",
         RemoteConstants.REMOTE_INTENTS_SUPPORTED + "=osgi.async",
         RemoteConstants.REMOTE_CONFIGS_SUPPORTED + "=" + 
TcpProvider.TCP_CONFIG_TYPE //
-})
+        },
+        configurationPid="org.apache.aries.rsa.provider.tcp")

Review Comment:
   ok



##########
provider/tcp/src/test/java/org/apache/aries/rsa/provider/tcp/TcpProviderTLSTest.java:
##########
@@ -0,0 +1,159 @@
+package org.apache.aries.rsa.provider.tcp;
+
+import org.apache.aries.rsa.provider.tcp.myservice.MyService;
+import org.apache.aries.rsa.provider.tcp.myservice.MyServiceImpl;
+import org.apache.aries.rsa.spi.Endpoint;
+import org.apache.aries.rsa.spi.ImportedService;
+import org.apache.aries.rsa.util.EndpointHelper;
+import org.easymock.EasyMock;
+import org.junit.After;
+import org.junit.Test;
+import org.osgi.framework.BundleContext;
+import org.osgi.framework.ServiceException;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+
+import static org.apache.aries.rsa.provider.tcp.TcpProviderTest.getFreePort;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.core.StringStartsWith.startsWith;
+import static org.junit.Assert.assertEquals;
+
+public class TcpProviderTLSTest {
+
+    private static String
+            KEYSTORE = 
TcpProviderTest.class.getResource("/keystore.p12").getPath(),
+            KEYSTORE2 = 
TcpProviderTest.class.getResource("/keystore2.p12").getPath(),
+            TRUSTSTORE = 
TcpProviderTest.class.getResource("/truststore.p12").getPath(),
+            KEYSTORE_PASSWORD = "password",
+            TRUSTSTORE_PASSWORD = "password1";
+
+    private MyService myServiceProxy;
+    private Endpoint ep;
+    private ImportedService importedService;
+
+    public void test(Map<String, Object> providerProps) throws IOException {
+        Class<?>[] exportedInterfaces = new Class[] {MyService.class};
+        TcpProvider provider = new TcpProvider();
+        provider.activate(providerProps);
+        Map<String, Object> props = new HashMap<>();
+        EndpointHelper.addObjectClass(props, exportedInterfaces);
+        int port = getFreePort();
+        props.put("aries.rsa.hostname", "localhost");
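Review bot: The keystore and truststore locations at the top of the class come from `getResource(...).getPath()`, which returns the URL path without decoding percent-escapes, so a checkout directory containing a space or non-ASCII character yields something like `.../my%20dir/keystore.p12`, which presumably cannot be opened as a file. Going through the URI in a small static helper, `Paths.get(TcpProviderTest.class.getResource(name).toURI()).toString()`, avoids that. The five fields are also declared `private static String` without `final` although they are named as constants. The same declarations appear in the later quoted copies of this hunk, and the class body continues outside it.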

Review Comment:
   I changed it to use constants... just keep in mind it now doesn't test that 
the constants are correct (as documented) :-)



##########
provider/tcp/src/test/java/org/apache/aries/rsa/provider/tcp/TcpProviderTLSTest.java:
##########
@@ -0,0 +1,159 @@
+package org.apache.aries.rsa.provider.tcp;
+
+import org.apache.aries.rsa.provider.tcp.myservice.MyService;
+import org.apache.aries.rsa.provider.tcp.myservice.MyServiceImpl;
+import org.apache.aries.rsa.spi.Endpoint;
+import org.apache.aries.rsa.spi.ImportedService;
+import org.apache.aries.rsa.util.EndpointHelper;
+import org.easymock.EasyMock;
+import org.junit.After;
+import org.junit.Test;
+import org.osgi.framework.BundleContext;
+import org.osgi.framework.ServiceException;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+
+import static org.apache.aries.rsa.provider.tcp.TcpProviderTest.getFreePort;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.core.StringStartsWith.startsWith;
+import static org.junit.Assert.assertEquals;
+
+public class TcpProviderTLSTest {
+
+    private static String
+            KEYSTORE = 
TcpProviderTest.class.getResource("/keystore.p12").getPath(),

Review Comment:
   added keystore generating details



##########
provider/tcp/src/test/java/org/apache/aries/rsa/provider/tcp/TcpProviderTLSTest.java:
##########
@@ -0,0 +1,159 @@
+package org.apache.aries.rsa.provider.tcp;
+
+import org.apache.aries.rsa.provider.tcp.myservice.MyService;
+import org.apache.aries.rsa.provider.tcp.myservice.MyServiceImpl;
+import org.apache.aries.rsa.spi.Endpoint;
+import org.apache.aries.rsa.spi.ImportedService;
+import org.apache.aries.rsa.util.EndpointHelper;
+import org.easymock.EasyMock;
+import org.junit.After;
+import org.junit.Test;
+import org.osgi.framework.BundleContext;
+import org.osgi.framework.ServiceException;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+
+import static org.apache.aries.rsa.provider.tcp.TcpProviderTest.getFreePort;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.core.StringStartsWith.startsWith;
+import static org.junit.Assert.assertEquals;
+
+public class TcpProviderTLSTest {
+
+    private static String
+            KEYSTORE = 
TcpProviderTest.class.getResource("/keystore.p12").getPath(),

Review Comment:
   good idea, I'll try to retrace my steps



##########
provider/tcp/src/test/java/org/apache/aries/rsa/provider/tcp/TcpProviderTLSTest.java:
##########
@@ -0,0 +1,159 @@
+package org.apache.aries.rsa.provider.tcp;
+
+import org.apache.aries.rsa.provider.tcp.myservice.MyService;
+import org.apache.aries.rsa.provider.tcp.myservice.MyServiceImpl;
+import org.apache.aries.rsa.spi.Endpoint;
+import org.apache.aries.rsa.spi.ImportedService;
+import org.apache.aries.rsa.util.EndpointHelper;
+import org.easymock.EasyMock;
+import org.junit.After;
+import org.junit.Test;
+import org.osgi.framework.BundleContext;
+import org.osgi.framework.ServiceException;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+
+import static org.apache.aries.rsa.provider.tcp.TcpProviderTest.getFreePort;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.core.StringStartsWith.startsWith;
+import static org.junit.Assert.assertEquals;
+
+public class TcpProviderTLSTest {
+
+    private static String
+            KEYSTORE = 
TcpProviderTest.class.getResource("/keystore.p12").getPath(),
+            KEYSTORE2 = 
TcpProviderTest.class.getResource("/keystore2.p12").getPath(),
+            TRUSTSTORE = 
TcpProviderTest.class.getResource("/truststore.p12").getPath(),
+            KEYSTORE_PASSWORD = "password",
+            TRUSTSTORE_PASSWORD = "password1";
+
+    private MyService myServiceProxy;
+    private Endpoint ep;
+    private ImportedService importedService;
+
+    public void test(Map<String, Object> providerProps) throws IOException {

Review Comment:
   hehe... sure


