From dej...@apache.org
Subject activemq git commit: https://issues.apache.org/jira/browse/AMQ-5008 - certificate revocation list support
Date Mon, 30 Mar 2015 14:39:26 GMT
Repository: activemq
Updated Branches:
  refs/heads/master af1329291 -> 0fd174b92


https://issues.apache.org/jira/browse/AMQ-5008 - certificate revocation list support


Project: http://git-wip-us.apache.org/repos/asf/activemq/repo
Commit: http://git-wip-us.apache.org/repos/asf/activemq/commit/0fd174b9
Tree: http://git-wip-us.apache.org/repos/asf/activemq/tree/0fd174b9
Diff: http://git-wip-us.apache.org/repos/asf/activemq/diff/0fd174b9

Branch: refs/heads/master
Commit: 0fd174b928d2b37dcd0279b9e74c8b2a49657af1
Parents: af13292
Author: Dejan Bosanac <dejan@nighttale.net>
Authored: Mon Mar 30 16:39:04 2015 +0200
Committer: Dejan Bosanac <dejan@nighttale.net>
Committed: Mon Mar 30 16:39:15 2015 +0200

----------------------------------------------------------------------
 .../activemq/spring/SpringSslContext.java       |  52 ++++++++++--
 .../org/apache/activemq/security/CRLTest.java   |  84 +++++++++++++++++++
 .../activemq/security/activemq-norevoke.crl     |   9 ++
 .../activemq/security/activemq-revoke.crl       |  10 +++
 .../activemq/security/activemq-revoke.jks       | Bin 0 -> 2228 bytes
 .../activemq/security/activemq-revoke.xml       |  43 ++++++++++
 assembly/src/release/bin/env                    |   1 +
 7 files changed, 193 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/activemq/blob/0fd174b9/activemq-spring/src/main/java/org/apache/activemq/spring/SpringSslContext.java
----------------------------------------------------------------------
diff --git a/activemq-spring/src/main/java/org/apache/activemq/spring/SpringSslContext.java
b/activemq-spring/src/main/java/org/apache/activemq/spring/SpringSslContext.java
index 2fb123f..c74103b 100644
--- a/activemq-spring/src/main/java/org/apache/activemq/spring/SpringSslContext.java
+++ b/activemq-spring/src/main/java/org/apache/activemq/spring/SpringSslContext.java
@@ -21,17 +21,18 @@ import java.net.MalformedURLException;
 import java.security.KeyStore;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
+import java.security.cert.*;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
 
 import javax.annotation.PostConstruct;
-import javax.net.ssl.KeyManager;
-import javax.net.ssl.KeyManagerFactory;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.*;
 
 import org.apache.activemq.broker.SslContext;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.core.io.Resource;
 
 /**
  * Extends the SslContext so that it's easier to configure from spring.
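Review bot: The four explicit `javax.net.ssl` imports are collapsed into `import javax.net.ssl.*;` and the new certificate types come in through `import java.security.cert.*;`, while every other import in the hunk stays explicit. Two on-demand imports from packages that both deal in certificate and trust-manager types make it harder to see which names this class actually depends on and leave it open to a future name clash between the packages; the explicit forms, `import java.security.cert.CRL;`, `import java.security.cert.CertPathTrustManagerParameters;` and so on for the six `java.security.cert` names and four `javax.net.ssl` names the file now uses, match the surrounding style.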
@@ -42,6 +43,8 @@ import org.apache.activemq.broker.SslContext;
  */
 public class SpringSslContext extends SslContext {
 
+    private static final transient Logger LOG = LoggerFactory.getLogger(SpringSslContext.class);
+
     private String keyStoreType="jks";
     private String trustStoreType="jks";
 
@@ -56,6 +59,8 @@ public class SpringSslContext extends SslContext {
     private String keyStorePassword;
     private String trustStorePassword;
 
+    private String crlPath;
+
     /**
      * JSR-250 callback wrapper; converts checked exceptions to runtime exceptions
      *
@@ -92,9 +97,23 @@ public class SpringSslContext extends SslContext {
         if( ks ==null ) {
             return new ArrayList<TrustManager>(0);
         }
-
         TrustManagerFactory tmf  = TrustManagerFactory.getInstance(trustStoreAlgorithm);
-        tmf.init(ks);
+        if (crlPath != null) {
+            if (trustStoreAlgorithm.equalsIgnoreCase("PKIX")) {
+                Collection<? extends CRL> crlList = loadCRL();
+
+                if (crlList != null) {
+                    PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(ks, null);
+                    pkixParams.setRevocationEnabled(true);
+                    pkixParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crlList)));
+                    tmf.init(new CertPathTrustManagerParameters(pkixParams));
+                }
+            } else {
+                LOG.warn("Revocation checking is only supported with 'trustStoreAlgorithm=\"PKIX\"'.
Ignoring CRL: " + crlPath);
+            }
+        } else {
+            tmf.init(ks);
+        }
         return Arrays.asList(tmf.getTrustManagers());
     }
 
@@ -219,4 +238,25 @@ public class SpringSslContext extends SslContext {
         this.secureRandomAlgorithm = secureRandomAlgorithm;
     }
 
+    public String getCrlPath() {
+        return crlPath;
+    }
+
+    public void setCrlPath(String crlPath) {
+        this.crlPath = crlPath;
+    }
+
+    private Collection<? extends CRL> loadCRL() throws Exception {
+        if (crlPath == null) {
+            return null;
+        }
+        Resource resource = Utils.resourceFromString(crlPath);
+        InputStream is = resource.getInputStream();
+        try {
+            return CertificateFactory.getInstance("X.509").generateCRLs(is);
+        } finally {
+            is.close();
+        }
+    }
+
 }
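Review bot: `setCrlPath` is the new public configuration knob but carries no Javadoc, and its effect is conditional in a way a Spring user cannot see from the signature. I would add a Javadoc along the lines of `/** Location of an X.509 CRL resource, resolved via Utils.resourceFromString; honoured only when trustStoreAlgorithm is "PKIX", in which case revocation checking is enabled and handshakes for certificates listed in the CRL are rejected. */` on `setCrlPath`, and a one-liner on `loadCRL()` saying it returns `null` when no path is configured. `loadCRL()` could also declare `throws IOException, GeneralSecurityException` instead of `throws Exception`, since `generateCRLs` throws `CRLException` and the resource lookup throws `IOException` subtypes; the callers visible in the previous hunk would then not need a blanket catch.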

http://git-wip-us.apache.org/repos/asf/activemq/blob/0fd174b9/activemq-unit-tests/src/test/java/org/apache/activemq/security/CRLTest.java
----------------------------------------------------------------------
diff --git a/activemq-unit-tests/src/test/java/org/apache/activemq/security/CRLTest.java b/activemq-unit-tests/src/test/java/org/apache/activemq/security/CRLTest.java
new file mode 100644
index 0000000..cab0121
--- /dev/null
+++ b/activemq-unit-tests/src/test/java/org/apache/activemq/security/CRLTest.java
@@ -0,0 +1,84 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.security;
+
+
+import junit.framework.TestCase;
+import org.apache.activemq.ActiveMQConnectionFactory;
+import org.apache.activemq.broker.BrokerFactory;
+import org.apache.activemq.broker.BrokerService;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+import javax.jms.*;
+
+import static junit.framework.TestCase.assertTrue;
+
+public class CRLTest {
+
+    BrokerService broker;
+
+    @Before
+    public void setup() throws Exception {
+        broker = BrokerFactory.createBroker("xbean:src/test/resources/org/apache/activemq/security/activemq-revoke.xml");
+        broker.waitUntilStarted();
+    }
+
+    @After
+    public void after() throws Exception {
+        broker.stop();
+        broker.waitUntilStopped();
+    }
+
+    @Test
+    public void testCRL() throws Exception {
+        System.setProperty("javax.net.ssl.trustStore", "src/test/resources/org/apache/activemq/security/client.ts");
+        System.setProperty("javax.net.ssl.trustStorePassword", "password");
+        System.setProperty("javax.net.ssl.trustStoreType", "jks");
+        System.setProperty("javax.net.ssl.keyStore", "src/test/resources/org/apache/activemq/security/activemq-revoke.jks");
+        System.setProperty("javax.net.ssl.keyStorePassword", "password");
+        System.setProperty("javax.net.ssl.keyStoreType", "jks");
+
+
+        boolean failed = false;
+        try {
+            basicSendReceive("ssl://localhost:61617");
+        } catch (Exception e) {
+            failed = true;
+        }
+
+        assertTrue("Send should have failed", failed);
+    }
+
+    public void basicSendReceive(String uri) throws Exception {
+        ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory(uri);
+        Connection connection = factory.createConnection();
+        Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
+        connection.start();
+
+        String body = "hello world!";
+        Queue destination = session.createQueue("TEST");
+        MessageProducer producer = session.createProducer(destination);
+        producer.send(session.createTextMessage(body));
+
+        MessageConsumer consumer = session.createConsumer(destination);
+        Message received = consumer.receive(2000);
+        TestCase.assertEquals(body, ((TextMessage)received).getText());
+    }
+
+}
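Review bot: `testCRL` passes on any `Exception` from `basicSendReceive`, so a broker that failed to start its SSL transport, a wrong port, or the uninitialised trust manager in the non-PKIX path of `SpringSslContext` would all make this test green without any revocation check having happened; catching the specific JMS exception and asserting on its cause chain (presumably an `SSLHandshakeException`, to be confirmed against a run) would pin the behaviour, and a companion test that starts the broker with `activemq-norevoke.crl`, which this commit adds but nothing in the diff references, would provide the positive control that a non-revoked client certificate still connects. The `System.setProperty` calls in `testCRL` are never undone, so the client trust and key store settings leak into every other test that runs later in the same JVM; capture and restore them in `after()`. `basicSendReceive` also never closes `connection`, which at minimum should be `connection.close()` in a `finally`.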

http://git-wip-us.apache.org/repos/asf/activemq/blob/0fd174b9/activemq-unit-tests/src/test/resources/org/apache/activemq/security/activemq-norevoke.crl
----------------------------------------------------------------------
diff --git a/activemq-unit-tests/src/test/resources/org/apache/activemq/security/activemq-norevoke.crl
b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/activemq-norevoke.crl
new file mode 100644
index 0000000..5e73f62
--- /dev/null
+++ b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/activemq-norevoke.crl
@@ -0,0 +1,9 @@
+-----BEGIN X509 CRL-----
+MIIBRzCBsQIBATANBgkqhkiG9w0BAQUFADBYMQswCQYDVQQGEwJBVTETMBEGA1UE
+CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk
+MREwDwYDVQQDEwhhY3RpdmVtcRcNMTUwMzI3MTMwMjIwWhcNMTUwNDI2MTMwMjIw
+WjAUMBICAQEXDTE1MDMyNzEzMDEzM1qgDzANMAsGA1UdFAQEAgIQATANBgkqhkiG
+9w0BAQUFAAOBgQBLvpTwNFdjODFkJR1okloK5Qka6+Lzc5AwtqbYBlhQA1wCSpfB
+qzrUh43D97r88+w03mh1FI1PSKACXikHAgm2KZEiZrObIXYwdhJ7t1oSdGM6gPPS
+VQmgnvgbte3Mm8F4BoVhidp1gSe+f8RdRZYv1A+olREcz+lU7LxOIN6CpQ==
+-----END X509 CRL-----

http://git-wip-us.apache.org/repos/asf/activemq/blob/0fd174b9/activemq-unit-tests/src/test/resources/org/apache/activemq/security/activemq-revoke.crl
----------------------------------------------------------------------
diff --git a/activemq-unit-tests/src/test/resources/org/apache/activemq/security/activemq-revoke.crl
b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/activemq-revoke.crl
new file mode 100644
index 0000000..b7afd9f
--- /dev/null
+++ b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/activemq-revoke.crl
@@ -0,0 +1,10 @@
+-----BEGIN X509 CRL-----
+MIIBWzCBxQIBATANBgkqhkiG9w0BAQUFADBYMQswCQYDVQQGEwJBVTETMBEGA1UE
+CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk
+MREwDwYDVQQDEwhhY3RpdmVtcRcNMTUwMzMwMDk1ODI5WhcNMTUwNDI5MDk1ODI5
+WjAoMBICAQEXDTE1MDMyNzEzMDEzM1owEgIBAhcNMTUwMzMwMDk1MzU3WqAPMA0w
+CwYDVR0UBAQCAhAFMA0GCSqGSIb3DQEBBQUAA4GBADniQGR0r4x2zc33ozVkKpcm
+RUMD0JWMYzACvBEkP84ymms3x4jZzvaSgnkLtenktlOAWfAF4RSAqKS+2Vk1jaZm
+1drV1cGWnftHsLjvv9e226ROLQgZ+Wey0B3OyeiCubHVoZeyGEERoM4ZVrCxd5Oe
+Lfj+PMhnHGKD9c1MP1rR
+-----END X509 CRL-----

http://git-wip-us.apache.org/repos/asf/activemq/blob/0fd174b9/activemq-unit-tests/src/test/resources/org/apache/activemq/security/activemq-revoke.jks
----------------------------------------------------------------------
diff --git a/activemq-unit-tests/src/test/resources/org/apache/activemq/security/activemq-revoke.jks
b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/activemq-revoke.jks
new file mode 100644
index 0000000..41de23f
Binary files /dev/null and b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/activemq-revoke.jks
differ

http://git-wip-us.apache.org/repos/asf/activemq/blob/0fd174b9/activemq-unit-tests/src/test/resources/org/apache/activemq/security/activemq-revoke.xml
----------------------------------------------------------------------
diff --git a/activemq-unit-tests/src/test/resources/org/apache/activemq/security/activemq-revoke.xml
b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/activemq-revoke.xml
new file mode 100644
index 0000000..54360b8
--- /dev/null
+++ b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/activemq-revoke.xml
@@ -0,0 +1,43 @@
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements.  See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+<!-- START SNIPPET: example -->
+<beans
+  xmlns="http://www.springframework.org/schema/beans"
+  xmlns:amq="http://activemq.apache.org/schema/core"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+  http://activemq.apache.org/schema/core http://activemq.apache.org/schema/core/activemq-core.xsd">
+
+  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="broker1" useJmx="false"
persistent="false">
+
+    <sslContext>
+        <sslContext keyStore="org/apache/activemq/security/broker1.ks"
+                    keyStorePassword="password"
+                    trustStore="org/apache/activemq/security/activemq-revoke.jks"
+                    trustStorePassword="password"
+                    crlPath="org/apache/activemq/security/activemq-revoke.crl"/>
+    </sslContext>
+
+    <!-- The transport connectors ActiveMQ will listen to -->
+    <transportConnectors>
+       <transportConnector name="ssl" uri="ssl://0.0.0.0:61617?transport.closeAsync=false&amp;wantClientAuth=true&amp;needClientAuth=true"/>
+    </transportConnectors>
+
+  </broker>
+
+</beans>
+<!-- END SNIPPET: example -->

http://git-wip-us.apache.org/repos/asf/activemq/blob/0fd174b9/assembly/src/release/bin/env
----------------------------------------------------------------------
diff --git a/assembly/src/release/bin/env b/assembly/src/release/bin/env
index 4369293..77781ca 100644
--- a/assembly/src/release/bin/env
+++ b/assembly/src/release/bin/env
@@ -72,6 +72,7 @@ if [ -z "$ACTIVEMQ_QUEUEMANAGERURL" ]; then
 fi
 
 # Set additional JSE arguments
+#ACTIVEMQ_SSL_OPTS="-Dcom.sun.security.enableCRLDP=true -Docsp.enable=true -Docsp.responderURL=http://ocsp.example.net:80"
 ACTIVEMQ_SSL_OPTS=""
 
 # Uncomment to enable remote debugging
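Review bot: The commented example above `ACTIVEMQ_SSL_OPTS=""` turns on CRL distribution points and OCSP through `com.sun.security.enableCRLDP` and `ocsp.enable`, but as far as I know those JDK properties only have an effect once revocation checking is enabled on a PKIX trust manager, which the broker now does only when the sslContext has a `crlPath` and `trustStoreAlgorithm` is `PKIX` (see the SpringSslContext hunk). An operator who uncomments this line alone therefore gets no revocation checking and no warning. A comment line above it would prevent that, e.g. `# These only take effect with a PKIX trust manager that has revocation enabled (sslContext crlPath, see AMQ-5008)`; the `ocsp.responderURL` value should also be marked as an example to replace.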

