[
https://issues.apache.org/jira/browse/ARTEMIS-4528?focusedWorklogId=894412&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-894412
]
ASF GitHub Bot logged work on ARTEMIS-4528:
-------------------------------------------
Author: ASF GitHub Bot
Created on: 06/Dec/23 22:57
Start Date: 06/Dec/23 22:57
Worklog Time Spent: 10m
Work Description: gemmellr commented on code in PR #4706:
URL: https://github.com/apache/activemq-artemis/pull/4706#discussion_r1417743646
##########
artemis-server/src/main/java/org/apache/activemq/artemis/core/server/impl/ActiveMQServerImpl.java:
##########
@@ -472,6 +474,8 @@ public ActiveMQServerImpl(Configuration configuration,
ConfigurationUtils.validateConfiguration(configuration);
}
+ Security.addProvider(new PemKeyStoreProvider());
Review Comment:
Ick. Should this be static like the call itself, or otherwise gated, to
avoid doing it repeatedly given it can only succeed once? Checking the return
to see whether it wasnt installed if it already was and maybe log it didnt add?
Also, this functionality is essentially broker-only unless you happen to
coincidentally be in the same JVM after it starts? The test or docs (which
apply to the client too) dont make that clear.
##########
tests/security-resources/build.sh:
##########
@@ -153,6 +153,10 @@ keytool -storetype pkcs12 -keystore
unknown-client-keystore.p12 -storepass $STOR
keytool -importkeystore -srckeystore unknown-client-keystore.p12 -destkeystore
unknown-client-keystore.jceks -srcstoretype pkcs12 -deststoretype jceks
-srcstorepass securepass -deststorepass securepass
keytool -importkeystore -srckeystore unknown-client-keystore.p12 -destkeystore
unknown-client-keystore.jks -srcstoretype pkcs12 -deststoretype jks
-srcstorepass securepass -deststorepass securepass
+# PEM versions
+openssl pkcs12 -in server-keystore.p12 -out server-key-cert.pem -nodes
-password pass:$STORE_PASS
+openssl pkcs12 -in client-keystore.p12 -out client-key-cert.pem -nodes
-password pass:$STORE_PASS
+
# Clean up working files
# -----------------------
-rm -f *.crt *.csr openssl-*
+rm -f *.csr openssl-*
Review Comment:
This adds/leaves a bunch of intermediate files that we dont use, and so
always deleted previously. Avoidable?
##########
tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/SslPEMTest.java:
##########
@@ -0,0 +1,134 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.artemis.tests.integration.ssl;
+
+import java.lang.management.ManagementFactory;
+import java.net.URL;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.activemq.artemis.api.core.Message;
+import org.apache.activemq.artemis.api.core.QueueConfiguration;
+import org.apache.activemq.artemis.api.core.SimpleString;
+import org.apache.activemq.artemis.api.core.TransportConfiguration;
+import org.apache.activemq.artemis.api.core.client.ActiveMQClient;
+import org.apache.activemq.artemis.api.core.client.ClientConsumer;
+import org.apache.activemq.artemis.api.core.client.ClientMessage;
+import org.apache.activemq.artemis.api.core.client.ClientProducer;
+import org.apache.activemq.artemis.api.core.client.ClientSession;
+import org.apache.activemq.artemis.api.core.client.ClientSessionFactory;
+import org.apache.activemq.artemis.api.core.client.ServerLocator;
+import org.apache.activemq.artemis.core.config.impl.ConfigurationImpl;
+import org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants;
+import org.apache.activemq.artemis.core.security.Role;
+import org.apache.activemq.artemis.core.server.ActiveMQServer;
+import org.apache.activemq.artemis.core.server.ActiveMQServers;
+import org.apache.activemq.artemis.core.settings.HierarchicalRepository;
+import
org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager;
+import org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager;
+import org.apache.activemq.artemis.tests.integration.security.SecurityTest;
+import org.apache.activemq.artemis.tests.util.ActiveMQTestBase;
+import org.apache.activemq.artemis.utils.RandomUtil;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+
+/**
+ * See the tests/security-resources/build.sh script for details on the
security resources used.
+ */
+public class SslPEMTest extends ActiveMQTestBase {
+
+ public static final SimpleString QUEUE = new SimpleString("QueueOverSSL");
+
+ static {
+ String path = System.getProperty("java.security.auth.login.config");
+ if (path == null) {
+ URL resource =
SecurityTest.class.getClassLoader().getResource("login.config");
+ if (resource != null) {
+ path = resource.getFile();
+ System.setProperty("java.security.auth.login.config", path);
+ }
+ }
+ }
+
+ private TransportConfiguration tc;
+
+ @Test
+ public void testPemKeyAndTrustStore() throws Exception {
+
+ tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_TYPE_PROP_NAME, "PEM");
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME,
"server-ca.crt");
+ tc.getParams().put(TransportConstants.KEYSTORE_TYPE_PROP_NAME, "PEM");
+ tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME,
"client-key-cert.pem");
+ tc.getParams().put(TransportConstants.PORT_PROP_NAME, "61617");
+
+ ServerLocator producerLocator =
addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
+ ClientSessionFactory producerSessionFactory =
createSessionFactory(producerLocator);
+ ClientSession producerSession =
producerSessionFactory.createSession(false, true, true);
+ producerSession.createQueue(new
QueueConfiguration(SslPEMTest.QUEUE).setDurable(false));
+ ClientProducer producer =
producerSession.createProducer(SslPEMTest.QUEUE);
+
+ ClientMessage message = createTextMessage(producerSession,
RandomUtil.randomString());
+ producer.send(message);
+
+ ServerLocator consumerLocator =
addServerLocator(ActiveMQClient.createServerLocator("tcp://localhost:61616"));
+ ClientSessionFactory consumerSessionFactory =
createSessionFactory(consumerLocator);
+ ClientSession consumerSession =
consumerSessionFactory.createSession("consumer", "consumerPassword", false,
true, true, consumerLocator.isPreAcknowledge(),
consumerLocator.getAckBatchSize());
+ ClientConsumer consumer =
consumerSession.createConsumer(SslPEMTest.QUEUE);
+ consumerSession.start();
Review Comment:
So this is testing something with the client, that cant actually work for a
user, unless the embedded broker has been started in the JVM first (which in
this case it fortunately has been, many times)?
##########
tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/SslPEMTest.java:
##########
@@ -0,0 +1,134 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.artemis.tests.integration.ssl;
+
+import java.lang.management.ManagementFactory;
+import java.net.URL;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.activemq.artemis.api.core.Message;
+import org.apache.activemq.artemis.api.core.QueueConfiguration;
+import org.apache.activemq.artemis.api.core.SimpleString;
+import org.apache.activemq.artemis.api.core.TransportConfiguration;
+import org.apache.activemq.artemis.api.core.client.ActiveMQClient;
+import org.apache.activemq.artemis.api.core.client.ClientConsumer;
+import org.apache.activemq.artemis.api.core.client.ClientMessage;
+import org.apache.activemq.artemis.api.core.client.ClientProducer;
+import org.apache.activemq.artemis.api.core.client.ClientSession;
+import org.apache.activemq.artemis.api.core.client.ClientSessionFactory;
+import org.apache.activemq.artemis.api.core.client.ServerLocator;
+import org.apache.activemq.artemis.core.config.impl.ConfigurationImpl;
+import org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants;
+import org.apache.activemq.artemis.core.security.Role;
+import org.apache.activemq.artemis.core.server.ActiveMQServer;
+import org.apache.activemq.artemis.core.server.ActiveMQServers;
+import org.apache.activemq.artemis.core.settings.HierarchicalRepository;
+import
org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager;
+import org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager;
+import org.apache.activemq.artemis.tests.integration.security.SecurityTest;
+import org.apache.activemq.artemis.tests.util.ActiveMQTestBase;
+import org.apache.activemq.artemis.utils.RandomUtil;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+
+/**
+ * See the tests/security-resources/build.sh script for details on the
security resources used.
+ */
+public class SslPEMTest extends ActiveMQTestBase {
+
+ public static final SimpleString QUEUE = new SimpleString("QueueOverSSL");
Review Comment:
getName() during a test returns the test name, which is typically be a
better suited name anyway.
##########
tests/integration-tests/pom.xml:
##########
@@ -440,6 +440,18 @@
<artifactId>mockito-core</artifactId>
<scope>test</scope>
</dependency>
+
+ <dependency>
+ <groupId>org.bouncycastle</groupId>
+ <artifactId>bcprov-jdk18on</artifactId>
+ <scope>test</scope>
+ </dependency>
+
+ <dependency>
+ <groupId>org.bouncycastle</groupId>
+ <artifactId>bcpkix-jdk18on</artifactId>
+ <scope>test</scope>
+ </dependency>
Review Comment:
Doesnt seem like these should be needed, arent they brought in by the broker?
##########
tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/SslPEMTest.java:
##########
@@ -0,0 +1,134 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.artemis.tests.integration.ssl;
+
+import java.lang.management.ManagementFactory;
+import java.net.URL;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.activemq.artemis.api.core.Message;
+import org.apache.activemq.artemis.api.core.QueueConfiguration;
+import org.apache.activemq.artemis.api.core.SimpleString;
+import org.apache.activemq.artemis.api.core.TransportConfiguration;
+import org.apache.activemq.artemis.api.core.client.ActiveMQClient;
+import org.apache.activemq.artemis.api.core.client.ClientConsumer;
+import org.apache.activemq.artemis.api.core.client.ClientMessage;
+import org.apache.activemq.artemis.api.core.client.ClientProducer;
+import org.apache.activemq.artemis.api.core.client.ClientSession;
+import org.apache.activemq.artemis.api.core.client.ClientSessionFactory;
+import org.apache.activemq.artemis.api.core.client.ServerLocator;
+import org.apache.activemq.artemis.core.config.impl.ConfigurationImpl;
+import org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants;
+import org.apache.activemq.artemis.core.security.Role;
+import org.apache.activemq.artemis.core.server.ActiveMQServer;
+import org.apache.activemq.artemis.core.server.ActiveMQServers;
+import org.apache.activemq.artemis.core.settings.HierarchicalRepository;
+import
org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager;
+import org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager;
+import org.apache.activemq.artemis.tests.integration.security.SecurityTest;
+import org.apache.activemq.artemis.tests.util.ActiveMQTestBase;
+import org.apache.activemq.artemis.utils.RandomUtil;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+
+/**
+ * See the tests/security-resources/build.sh script for details on the
security resources used.
+ */
+public class SslPEMTest extends ActiveMQTestBase {
Review Comment:
The single test here only tests a single positive use case with client
certs. I'd expect e.g a use without client certs as well, and also some
negative testing to verify the trust stuff is actually doing anything at all.
##########
docs/user-manual/configuring-transports.adoc:
##########
@@ -316,7 +316,7 @@ The ActiveMQ-specific system property is useful if another
component on the clie
keyStoreType::
The type of keystore being used.
-For example, `JKS`, `JCEKS`, `PKCS12`, etc.
+For example, `JKS`, `JCEKS`, `PKCS12`, `PEM` etc.
Review Comment:
This doc doesnt say anything about needing to add deps or install providers,
which clients this applies to would need to do (if without the embedded broker
starting first in the same JVM).
You didnt update the related trustStoreType option doc.
Issue Time Tracking
-------------------
Worklog Id: (was: 894412)
Time Spent: 40m (was: 0.5h)
> TLS support PEM format for key and trust store type
> ---------------------------------------------------
>
> Key: ARTEMIS-4528
> URL: https://issues.apache.org/jira/browse/ARTEMIS-4528
> Project: ActiveMQ Artemis
> Issue Type: Improvement
> Components: Configuration
> Affects Versions: 2.31.0
> Reporter: Gary Tully
> Assignee: Gary Tully
> Priority: Major
> Fix For: 2.32.0
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> managing key and trust store passwords when the credentials are securely
> stored or managed by other means is a nuisance.
> there is a nice PEM keystore provider at:
> [https://github.com/ctron/pem-keystore]
> This gives us an intuitive way to easily reference a simple cert or key
> without a password as is the case with jsk or pkcs12
> <acceptor
> name="netty-ssl-acceptor">tcp://localhost:5500?sslEnabled=true;keyStorePath=server-keystore.pem;keyStoreType=PEM</acceptor>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
