gemmellr commented on code in PR #4706:
URL: https://github.com/apache/activemq-artemis/pull/4706#discussion_r1419413344
##########
artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/ssl/SSLSupport.java:
##########
@@ -351,6 +353,14 @@ private static KeyStore loadKeystore(final String
keystoreProvider,
return ks;
}
+ private static void checkPemProviderLoaded(String keystoreType) {
+ if (keystoreType != null && keystoreType.startsWith("PEM")) {
+ if (Security.getProvider("PEM") == null) {
+ Security.insertProviderAt(new PemKeyStoreProvider(),
Integer.parseInt(System.getProperty("artemis.pemProvider.insertAt", "0"), 10));
+ }
+ }
+ }
Review Comment:
Do we need to pass the radix literal when parsing the sys prop value? 10 is
the default. Might be more readable with that parsing on its own line too.
(I assume you added the insertProviderAt usage vs prior addProvider usage,
in case it was necessary to insertAt earlier than the end for some reason?)
##########
artemis-core-client-osgi/pom.xml:
##########
@@ -74,6 +74,7 @@
<Embed-Dependency>*;scope=compile|runtime;groupId=org.apache.activemq</Embed-Dependency>
<Import-Package>
org.glassfish.json*;resolution:=optional,
+ de.dentrassi.crypto.pem;resolution:=optional,
Review Comment:
This seems a little odd - its not an optional dep on the client or broker,
but it is an optional dep for both their osgi bits?
##########
tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/SslPEMTest.java:
##########
@@ -0,0 +1,150 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.artemis.tests.integration.ssl;
+
+import java.lang.management.ManagementFactory;
+import java.net.URL;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.activemq.artemis.api.core.ActiveMQNotConnectedException;
+import org.apache.activemq.artemis.api.core.Message;
+import org.apache.activemq.artemis.api.core.QueueConfiguration;
+import org.apache.activemq.artemis.api.core.SimpleString;
+import org.apache.activemq.artemis.api.core.TransportConfiguration;
+import org.apache.activemq.artemis.api.core.client.ActiveMQClient;
+import org.apache.activemq.artemis.api.core.client.ClientConsumer;
+import org.apache.activemq.artemis.api.core.client.ClientMessage;
+import org.apache.activemq.artemis.api.core.client.ClientProducer;
+import org.apache.activemq.artemis.api.core.client.ClientSession;
+import org.apache.activemq.artemis.api.core.client.ClientSessionFactory;
+import org.apache.activemq.artemis.api.core.client.ServerLocator;
+import org.apache.activemq.artemis.core.config.impl.ConfigurationImpl;
+import org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants;
+import org.apache.activemq.artemis.core.security.Role;
+import org.apache.activemq.artemis.core.server.ActiveMQServer;
+import org.apache.activemq.artemis.core.server.ActiveMQServers;
+import org.apache.activemq.artemis.core.settings.HierarchicalRepository;
+import
org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager;
+import org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager;
+import org.apache.activemq.artemis.tests.integration.security.SecurityTest;
+import org.apache.activemq.artemis.tests.util.ActiveMQTestBase;
+import org.apache.activemq.artemis.utils.RandomUtil;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+
+/**
+ * See the tests/security-resources/build.sh script for details on the
security resources used.
+ */
+public class SslPEMTest extends ActiveMQTestBase {
+
+ static {
+ String path = System.getProperty("java.security.auth.login.config");
+ if (path == null) {
+ URL resource =
SecurityTest.class.getClassLoader().getResource("login.config");
+ if (resource != null) {
+ path = resource.getFile();
+ System.setProperty("java.security.auth.login.config", path);
+ }
+ }
+ }
+
+ private TransportConfiguration tc;
+ private SimpleString QUEUE;
+
+ @Test
+ public void testPemKeyAndTrustStore() throws Exception {
+
+ tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
+ tc.getParams().put(TransportConstants.KEYSTORE_TYPE_PROP_NAME, "PEM");
+ tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME,
"client-key-cert.pem");
+ tc.getParams().put(TransportConstants.PORT_PROP_NAME, "61617");
+
+ ServerLocator producerLocator;
+ ClientSessionFactory producerSessionFactory;
+ ClientSession producerSession;
+
+ // first without trust store
+ try {
+ producerLocator =
addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
+ producerSessionFactory = createSessionFactory(producerLocator);
+ producerSessionFactory.createSession(false, true, true);
+ } catch (ActiveMQNotConnectedException expected) {
+ }
Review Comment:
Better than nothing but not really what I was suggesting. This is more a
'not even configured in a way that typically ever functions, regardless what
the new provider does, since the provider isnt even being used' test. Was more
thinking use the stores with untrusted certs, non-matching server cert name,
etc. At least its no longer creating all those files and not using any of them.
I give up.
##########
tests/integration-tests/pom.xml:
##########
@@ -440,6 +440,7 @@
<artifactId>mockito-core</artifactId>
<scope>test</scope>
</dependency>
+
Review Comment:
Change probably not needed :)
##########
tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/SslPEMTest.java:
##########
@@ -0,0 +1,134 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.artemis.tests.integration.ssl;
+
+import java.lang.management.ManagementFactory;
+import java.net.URL;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.activemq.artemis.api.core.Message;
+import org.apache.activemq.artemis.api.core.QueueConfiguration;
+import org.apache.activemq.artemis.api.core.SimpleString;
+import org.apache.activemq.artemis.api.core.TransportConfiguration;
+import org.apache.activemq.artemis.api.core.client.ActiveMQClient;
+import org.apache.activemq.artemis.api.core.client.ClientConsumer;
+import org.apache.activemq.artemis.api.core.client.ClientMessage;
+import org.apache.activemq.artemis.api.core.client.ClientProducer;
+import org.apache.activemq.artemis.api.core.client.ClientSession;
+import org.apache.activemq.artemis.api.core.client.ClientSessionFactory;
+import org.apache.activemq.artemis.api.core.client.ServerLocator;
+import org.apache.activemq.artemis.core.config.impl.ConfigurationImpl;
+import org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants;
+import org.apache.activemq.artemis.core.security.Role;
+import org.apache.activemq.artemis.core.server.ActiveMQServer;
+import org.apache.activemq.artemis.core.server.ActiveMQServers;
+import org.apache.activemq.artemis.core.settings.HierarchicalRepository;
+import
org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager;
+import org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager;
+import org.apache.activemq.artemis.tests.integration.security.SecurityTest;
+import org.apache.activemq.artemis.tests.util.ActiveMQTestBase;
+import org.apache.activemq.artemis.utils.RandomUtil;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+
+/**
+ * See the tests/security-resources/build.sh script for details on the
security resources used.
+ */
+public class SslPEMTest extends ActiveMQTestBase {
Review Comment:
Seeing things in the past and not testing them doenst tend to stop stuff
breaking in the future. More tends to be why it isn't noticed.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
