activemq-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ARTEMIS-1548) Support CRL
Date Thu, 14 Dec 2017 21:20:01 GMT

    [ https://issues.apache.org/jira/browse/ARTEMIS-1548?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16291624#comment-16291624
] 

ASF GitHub Bot commented on ARTEMIS-1548:
-----------------------------------------

Github user jbertram commented on a diff in the pull request:

    https://github.com/apache/activemq-artemis/pull/1715#discussion_r157064556
  
    --- Diff: tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/mqtt/imported/MQTTSecurityCRLTest.java
---
    @@ -0,0 +1,357 @@
    +/**
    + * Licensed to the Apache Software Foundation (ASF) under one or more
    + * contributor license agreements.  See the NOTICE file distributed with
    + * this work for additional information regarding copyright ownership.
    + * The ASF licenses this file to You under the Apache License, Version 2.0
    + * (the "License"); you may not use this file except in compliance with
    + * the License.  You may obtain a copy of the License at
    + * <p>
    + * http://www.apache.org/licenses/LICENSE-2.0
    + * <p>
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + */
    +package org.apache.activemq.artemis.tests.integration.mqtt.imported;
    +
    +import java.io.ByteArrayInputStream;
    +import java.io.ByteArrayOutputStream;
    +import java.io.File;
    +import java.io.FileInputStream;
    +import java.io.IOException;
    +import java.security.KeyStore;
    +import java.security.ProtectionDomain;
    +import java.util.HashSet;
    +import java.util.Set;
    +import java.util.concurrent.TimeUnit;
    +import javax.net.ssl.KeyManager;
    +import javax.net.ssl.KeyManagerFactory;
    +import javax.net.ssl.SSLContext;
    +import javax.net.ssl.SSLException;
    +import javax.net.ssl.TrustManager;
    +import javax.net.ssl.TrustManagerFactory;
    +import org.apache.activemq.artemis.api.core.TransportConfiguration;
    +import org.apache.activemq.artemis.core.config.Configuration;
    +import org.apache.activemq.artemis.core.config.WildcardConfiguration;
    +import org.apache.activemq.artemis.core.config.impl.FileConfiguration;
    +import org.apache.activemq.artemis.core.remoting.impl.netty.NettyAcceptorFactory;
    +import org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants;
    +import org.apache.activemq.artemis.core.security.Role;
    +import org.apache.activemq.artemis.core.server.ActiveMQServer;
    +import org.apache.activemq.artemis.core.settings.HierarchicalRepository;
    +import org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager;
    +import org.apache.activemq.artemis.tests.util.ActiveMQTestBase;
    +import org.fusesource.mqtt.client.BlockingConnection;
    +import org.fusesource.mqtt.client.MQTT;
    +import org.fusesource.mqtt.client.Message;
    +import org.fusesource.mqtt.client.QoS;
    +import org.fusesource.mqtt.client.Topic;
    +import org.junit.Test;
    +
    +public class MQTTSecurityCRLTest extends ActiveMQTestBase {
    +
    +
    +   /**
    +    * These artifacts are required for testing mqtt with CRL
    +    * <p>
    +    * openssl genrsa -out ca.key 2048
    +    * openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
    +    * touch certindex
    +    * echo 01 > certserial
    +    * echo 01 > crlnumber
    +    * <p>
    +    * Create ca.conf file with
    +    * <p>
    +    * # Mainly copied from:
    +    * # http://swearingscience.com/2009/01/18/openssl-self-signed-ca/
    +    * <p>
    +    * [ ca ]
    +    * default_ca = myca
    +    * <p>
    +    * [ crl_ext ]
    +    * # issuerAltName=issuer:copy #this would copy the issuer name to altname
    +    * authorityKeyIdentifier=keyid:always
    +    * <p>
    +    * [ myca ]
    +    * dir = ./
    +    * new_certs_dir = $dir
    +    * unique_subject = no
    +    * certificate = $dir/ca.crt
    +    * database = $dir/certindex
    +    * private_key = $dir/ca.key
    +    * serial = $dir/certserial
    +    * default_days = 730
    +    * default_md = sha1
    +    * policy = myca_policy
    +    * x509_extensions = myca_extensions
    +    * crlnumber = $dir/crlnumber
    +    * default_crl_days = 730
    +    * <p>
    +    * [ myca_policy ]
    +    * commonName = supplied
    +    * stateOrProvinceName = supplied
    +    * countryName = optional
    +    * emailAddress = optional
    +    * organizationName = supplied
    +    * organizationalUnitName = optional
    +    * <p>
    +    * [ myca_extensions ]
    +    * basicConstraints = CA:false
    +    * subjectKeyIdentifier = hash
    +    * authorityKeyIdentifier = keyid:always
    +    * keyUsage = digitalSignature,keyEncipherment
    +    * extendedKeyUsage = serverAuth, clientAuth
    +    * crlDistributionPoints = URI:http://example.com/root.crl
    +    * subjectAltName = @alt_names
    +    * <p>
    +    * [alt_names]
    +    * DNS.1 = example.com
    +    * DNS.2 = *.example.com
    +    * <p>
    +    * Continue executing the commands:
    +    * <p>
    +    * openssl genrsa -out keystore1.key 2048
    +    * openssl req -new -key keystore1.key -out keystore1.csr
    +    * openssl ca -batch -config ca.conf -notext -in keystore1.csr -out keystore1.crt
    +    * openssl genrsa -out client_revoked.key 2048
    +    * openssl req -new -key client_revoked.key -out client_revoked.csr
    +    * openssl ca -batch -config ca.conf -notext -in client_revoked.csr -out client_revoked.crt
    +    * openssl genrsa -out client_not_revoked.key 2048
    +    * openssl req -new -key client_not_revoked.key -out client_not_revoked.csr
    +    * openssl ca -batch -config ca.conf -notext -in client_not_revoked.csr -out client_not_revoked.crt
    +    * openssl ca -config ca.conf -gencrl -keyfile ca.key -cert ca.crt -out root.crl.pem
    +    * openssl ca -config ca.conf -revoke client_revoked.crt -keyfile ca.key -cert ca.crt
    +    * openssl ca -config ca.conf -gencrl -keyfile ca.key -cert ca.crt -out root.crl.pem
    +    * <p>
    +    * openssl pkcs12 -export -name client_revoked -in client_revoked.crt -inkey client_revoked.key
-out client_revoked.p12
    +    * keytool -importkeystore -destkeystore client_revoked.jks -srckeystore client_revoked.p12
-srcstoretype pkcs12 -alias client_revoked
    +    * <p>
    +    * openssl pkcs12 -export -name client_not_revoked -in client_not_revoked.crt -inkey
client_not_revoked.key -out client_not_revoked.p12
    +    * keytool -importkeystore -destkeystore client_not_revoked.jks -srckeystore client_not_revoked.p12
-srcstoretype pkcs12 -alias client_not_revoked
    +    * <p>
    +    * openssl pkcs12 -export -name keystore1 -in keystore1.crt -inkey keystore1.key -out
keystore1.p12
    +    * keytool -importkeystore -destkeystore keystore1.jks -srckeystore keystore1.p12
-srcstoretype pkcs12 -alias keystore1
    +    * <p>
    +    * keytool -import -trustcacerts -alias trust_key -file ca.crt -keystore truststore.jks
    +    */
    +
    +   protected String fullUser = "user";
    +   protected String fullPass = "pass";
    +
    +
    +   public File basedir() throws IOException {
    +      ProtectionDomain protectionDomain = getClass().getProtectionDomain();
    +      return new File(new File(protectionDomain.getCodeSource().getLocation().getPath()),
"../..").getCanonicalFile();
    +   }
    +
    +   @Test(expected = SSLException.class)
    +   public void crlRevokedTest() throws Exception {
    +
    +      ActiveMQServer server1 = initServer();
    +      BlockingConnection connection1 = null;
    +      try {
    +         server1.start();
    +
    +         while (!server1.isStarted()) {
    +            Thread.sleep(50);
    +         }
    +
    +         String basedir = basedir().getPath() + "/src/test/resources/mqttCrl/client0/";
    +         connection1 = retrieveMQTTConnection("ssl://localhost:1883", basedir + "truststore.jks",
"changeit", basedir + "client_revoked.jks", "changeit");
    +
    +         // Subscribe to topics
    +         Topic[] topics = {new Topic("test/+/some/#", QoS.AT_MOST_ONCE)};
    +         connection1.subscribe(topics);
    +
    +         // Publish Messages
    +         String payload1 = "This is message 1";
    +
    +         connection1.publish("test/1/some/la", payload1.getBytes(), QoS.AT_LEAST_ONCE,
false);
    +
    +         Message message1 = connection1.receive(5, TimeUnit.SECONDS);
    +
    +         assertEquals(payload1, new String(message1.getPayload()));
    +
    +      } finally {
    +         if (connection1 != null) {
    +            connection1.disconnect();
    +         }
    +         if (server1.isStarted()) {
    +            server1.stop();
    +         }
    +      }
    +
    +   }
    +
    +   @Test
    +   public void crlNotRevokedTest() throws Exception {
    +
    +      ActiveMQServer server1 = initServer();
    +      BlockingConnection connection1 = null;
    +      try {
    +         server1.start();
    +
    +         while (!server1.isStarted()) {
    +            Thread.sleep(50);
    +         }
    +
    +         String basedir = basedir().getPath() + "/src/test/resources/mqttCrl/client1/";
    +         connection1 = retrieveMQTTConnection("ssl://localhost:1883", basedir + "truststore.jks",
"changeit", basedir + "client_not_revoked.jks", "changeit");
    +
    +         // Subscribe to topics
    +         Topic[] topics = {new Topic("test/+/some/#", QoS.AT_MOST_ONCE)};
    +         connection1.subscribe(topics);
    +
    +         // Publish Messages
    +         String payload1 = "This is message 1";
    +
    +         connection1.publish("test/1/some/la", payload1.getBytes(), QoS.AT_LEAST_ONCE,
false);
    +
    +         Message message1 = connection1.receive(5, TimeUnit.SECONDS);
    +
    +         assertEquals(payload1, new String(message1.getPayload()));
    +
    +      } finally {
    +         if (connection1 != null) {
    +            connection1.disconnect();
    +         }
    +         if (server1.isStarted()) {
    +            server1.stop();
    +         }
    +      }
    +
    +   }
    +
    +
    +   private ActiveMQServer initServer() throws Exception {
    +      Configuration configuration = createConfiguration("broker");
    +      ActiveMQServer server = createServer(true, configuration);
    +      configureBrokerSecurity(server);
    +      return server;
    +   }
    +
    +   protected Configuration createConfiguration(String name) throws Exception {
    +      FileConfiguration fc = new FileConfiguration();
    +
    +      // we need this otherwise the data folder will be located under activemq-server
and not on the temporary directory
    +      fc.setPagingDirectory(getTestDir() + "/" + name + "/" + fc.getPagingDirectory());
    +      fc.setLargeMessagesDirectory(getTestDir() + "/" + name + "/" + fc.getLargeMessagesDirectory());
    +      fc.setJournalDirectory(getTestDir() + "/" + name + "/" + fc.getJournalDirectory());
    +      fc.setBindingsDirectory(getTestDir() + "/" + name + "/" + fc.getBindingsDirectory());
    +
    +      addMqttTransportConfiguration(fc);
    +      addWildCardConfiguration(fc);
    +      fc.setSecurityEnabled(true);
    --- End diff --
    
    Is enabling security really necessary?  Isn't this test simply exercising the CRL functionality
which happens at the transport layer (i.e. SSL handshake) and not at the broker's security
layer?


> Support CRL
> -----------
>
>                 Key: ARTEMIS-1548
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-1548
>             Project: ActiveMQ Artemis
>          Issue Type: New Feature
>            Reporter: Justin Bertram
>            Assignee: Justin Bertram
>




--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Mime
View raw message