From commits-return-49432-archive-asf-public=cust-asf.ponee.io@qpid.apache.org Tue Jan 28 15:44:10 2020 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [207.244.88.153]) by mx-eu-01.ponee.io (Postfix) with SMTP id B79FC180658 for ; Tue, 28 Jan 2020 16:44:07 +0100 (CET) Received: (qmail 63298 invoked by uid 500); 28 Jan 2020 15:44:07 -0000 Mailing-List: contact commits-help@qpid.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@qpid.apache.org Delivered-To: mailing list commits@qpid.apache.org Received: (qmail 63289 invoked by uid 99); 28 Jan 2020 15:44:06 -0000 Received: from ec2-52-202-80-70.compute-1.amazonaws.com (HELO gitbox.apache.org) (52.202.80.70) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 28 Jan 2020 15:44:06 +0000 Received: by gitbox.apache.org (ASF Mail Server at gitbox.apache.org, from userid 33) id 926CB8D845; Tue, 28 Jan 2020 15:44:06 +0000 (UTC) Date: Tue, 28 Jan 2020 15:44:06 +0000 To: "commits@qpid.apache.org" Subject: [qpid-broker-j] branch master updated: QPID-8367: Add certificate revocation MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Message-ID: <158022624645.14101.4504574305644760299@gitbox.apache.org> 
From: orudyy@apache.org X-Git-Host: gitbox.apache.org X-Git-Repo: qpid-broker-j X-Git-Refname: refs/heads/master X-Git-Reftype: branch X-Git-Oldrev: 5330ba51e9c48eaec15b8886ca14746ae093671a X-Git-Newrev: 5ea315776fad7b4892b25150cc930af390af5bb9 X-Git-Rev: 5ea315776fad7b4892b25150cc930af390af5bb9 X-Git-NotificationType: ref_changed_plus_diff X-Git-Multimail-Version: 1.5.dev Auto-Submitted: auto-generated This is an automated email from the ASF dual-hosted git repository. orudyy pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/qpid-broker-j.git The following commit(s) were added to refs/heads/master by this push: new 5ea3157 QPID-8367: Add certificate revocation 5ea3157 is described below commit 5ea315776fad7b4892b25150cc930af390af5bb9 Author: Tomas Vavricka AuthorDate: Thu Jan 16 11:47:56 2020 +0100 QPID-8367: Add certificate revocation This closes #44 --- .../qpid/server/model/AttributeValueConverter.java | 17 +- .../org/apache/qpid/server/model/TrustStore.java | 39 +- .../qpid/server/security/AbstractTrustStore.java | 218 ++++++++ .../AutoGeneratedSelfSignedKeyStoreImpl.java | 4 +- .../qpid/server/security/FileTrustStore.java | 4 +- .../qpid/server/security/FileTrustStoreImpl.java | 25 +- .../ManagedPeerCertificateTrustStoreImpl.java | 13 +- .../server/security/NonJavaTrustStoreImpl.java | 33 +- .../security/SiteSpecificTrustStoreImpl.java | 14 +- .../transport/network/security/ssl/SSLUtil.java | 29 +- .../qpid/server/security/FileKeyStoreTest.java | 294 ++++------- .../qpid/server/security/FileTrustStoreTest.java | 334 ++++++------ ...toreTestHelper.java => KeyStoreTestHelper.java} | 27 +- .../qpid/server/security/NonJavaKeyStoreTest.java | 93 ++-- .../server/security/NonJavaTrustStoreTest.java | 121 +++-- .../security/SiteSpecificTrustStoreTest.java | 145 +++--- .../manager/oauth2/OAuth2MockEndpointHolder.java | 14 +- .../apache/qpid/server/ssl/TrustManagerTest.java | 69 ++- broker-core/src/test/resources/ssl/expired.crt | 17 - 
broker-core/src/test/resources/ssl/java_broker.crt | 21 - broker-core/src/test/resources/ssl/java_broker.req | 18 - .../ssl/java_broker_expired_truststore.pkcs12 | Bin 1002 -> 0 bytes .../test/resources/ssl/java_broker_keystore.pkcs12 | Bin 4425 -> 0 bytes .../resources/ssl/java_broker_peerstore.pkcs12 | Bin 1162 -> 0 bytes .../resources/ssl/java_broker_truststore.pkcs12 | Bin 1082 -> 0 bytes .../ssl/java_client_expired_keystore.pkcs12 | Bin 2397 -> 0 bytes .../test/resources/ssl/java_client_keystore.pkcs12 | Bin 7641 -> 0 bytes .../resources/ssl/java_client_truststore.pkcs12 | Bin 1082 -> 0 bytes .../ssl/java_client_untrusted_keystore.pkcs12 | Bin 2467 -> 0 bytes .../resources/ssl/test_cert_only_keystore.pkcs12 | Bin 1106 -> 0 bytes .../src/test/resources/ssl/test_empty_keystore.jks | Bin 88 -> 0 bytes .../src/test/resources/ssl/test_keystore.jks | Bin 6361 -> 0 bytes .../resources/ssl/test_pk_only_keystore.pkcs12 | Bin 3521 -> 0 bytes .../ssl/test_symmetric_key_keystore.pkcs12 | Bin 4637 -> 0 bytes .../resources/js/qpid/management/TrustStore.js | 18 +- .../java/resources/js/qpid/management/addStore.js | 3 +- .../src/main/java/resources/showTrustStore.html | 24 + .../src/main/java/resources/store/truststore.html | 90 +++- ...Java-Broker-Management-Managing-Truststores.xml | 34 +- qpid-test-utils/pom.xml | 1 - .../apache/qpid/test/utils/TestSSLConstants.java | 91 +++- .../main/resources/ssl/certificates/MyRootCA.crl | Bin 0 -> 501 bytes .../resources/ssl/certificates/MyRootCA.crl.pem | 13 + .../main/resources/ssl/certificates/MyRootCA.crt | 21 + .../resources/ssl/certificates/MyRootCA.empty.crl | Bin 0 -> 415 bytes .../ssl/certificates/MyRootCA.empty.crl.pem | 11 + .../main/resources/ssl/certificates/MyRootCA.key | 30 ++ .../resources/ssl/certificates/allowed_by_ca.crt | 80 +++ .../resources/ssl/certificates/allowed_by_ca.csr | 17 + .../resources/ssl/certificates/allowed_by_ca.jks | Bin 0 -> 3496 bytes .../ssl/certificates/allowed_by_ca.self.crt | 22 + 
.../ssl/certificates/allowed_by_ca.self.key | 30 ++ .../allowed_by_ca_with_intermediate.crt | 81 +++ .../allowed_by_ca_with_intermediate.csr | 17 + .../allowed_by_ca_with_intermediate.jks | Bin 0 -> 4628 bytes .../allowed_by_ca_with_intermediate.self.crt | 23 + .../allowed_by_ca_with_intermediate.self.key | 30 ++ .../src/main/resources/ssl/certificates/app1.crt | 74 +++ .../src/main/resources/ssl/certificates/app1.csr | 17 + .../src/main/resources/ssl/certificates/app1.jks | Bin 0 -> 3398 bytes .../main/resources/ssl/certificates/app1.self.crt | 22 + .../main/resources/ssl/certificates/app1.self.key | 30 ++ .../src/main/resources/ssl/certificates/app2.crt | 74 +++ .../src/main/resources/ssl/certificates/app2.csr | 17 + .../src/main/resources/ssl/certificates/app2.jks | Bin 0 -> 3398 bytes .../main/resources/ssl/certificates/app2.self.crt | 22 + .../main/resources/ssl/certificates/app2.self.key | 30 ++ .../src/main/resources/ssl/certificates/broker.crt | 74 +++ .../src/main/resources/ssl/certificates/broker.csr | 17 + .../src/main/resources/ssl/certificates/broker.jks | Bin 0 -> 3410 bytes .../resources/ssl/certificates/broker.self.crt | 22 + .../resources/ssl/certificates/broker.self.key | 30 ++ .../ssl/certificates/broker_expired_truststore.jks | Bin 0 -> 1002 bytes .../resources/ssl/certificates/broker_keystore.jks | Bin 0 -> 4503 bytes .../ssl/certificates/broker_peerstore.jks | Bin 0 -> 1122 bytes .../ssl/certificates/broker_truststore.jks | Bin 0 -> 1162 bytes .../ssl/certificates/chain_with_intermediate.crt | 105 ++++ .../resources/ssl/certificates/client_expired.crt | 17 + .../ssl/certificates/client_expired_keystore.jks | Bin 0 -> 2397 bytes .../resources/ssl/certificates/client_keystore.jks | Bin 0 -> 26195 bytes .../ssl/certificates/client_truststore.jks | Bin 0 -> 1162 bytes .../ssl/certificates/client_untrusted_keystore.jks | Bin 0 -> 2467 bytes .../resources/ssl/certificates/intermediate_ca.crl | Bin 0 -> 458 bytes 
.../ssl/certificates/intermediate_ca.crl.pem | 12 + .../resources/ssl/certificates/intermediate_ca.crt | 84 +++ .../resources/ssl/certificates/intermediate_ca.csr | 17 + .../resources/ssl/certificates/intermediate_ca.jks | Bin 0 -> 3564 bytes .../ssl/certificates/intermediate_ca.self.crt | 22 + .../ssl/certificates/intermediate_ca.self.key | 30 ++ .../resources/ssl/certificates/revoked_by_ca.crt | 80 +++ .../resources/ssl/certificates/revoked_by_ca.csr | 17 + .../resources/ssl/certificates/revoked_by_ca.jks | Bin 0 -> 3496 bytes .../ssl/certificates/revoked_by_ca.self.crt | 22 + .../ssl/certificates/revoked_by_ca.self.key | 30 ++ .../ssl/certificates/revoked_by_ca_empty_crl.crt | 80 +++ .../ssl/certificates/revoked_by_ca_empty_crl.csr | 17 + .../ssl/certificates/revoked_by_ca_empty_crl.jks | Bin 0 -> 3548 bytes .../certificates/revoked_by_ca_empty_crl.self.crt | 23 + .../certificates/revoked_by_ca_empty_crl.self.key | 30 ++ .../revoked_by_ca_invalid_crl_path.crt | 80 +++ .../revoked_by_ca_invalid_crl_path.csr | 17 + .../revoked_by_ca_invalid_crl_path.jks | Bin 0 -> 3578 bytes .../revoked_by_ca_invalid_crl_path.self.crt | 23 + .../revoked_by_ca_invalid_crl_path.self.key | 30 ++ .../ssl/certificates/test_cert_only_keystore.jks | Bin 0 -> 1186 bytes .../ssl/certificates/test_empty_keystore.jks | Bin 0 -> 88 bytes .../resources/ssl/certificates/test_keystore.jks | Bin 0 -> 6375 bytes .../ssl/certificates/test_pk_only_keystore.jks | Bin 0 -> 3535 bytes .../certificates/test_symmetric_key_keystore.jks | Bin 0 -> 4739 bytes .../main/resources/ssl/generate_certificates.sh | 370 ++++++++++++++ .../src/main/resources/ssl/openssl.conf | 380 ++++++++++++++ .../qpid/tests/http/endtoend/port/PortTest.java | 2 +- .../extensions/management/AmqpManagementTest.java | 12 +- .../extensions/sasl/AuthenticationTest.java | 564 ++++++++++++++------- .../systests/jms_1_1/extensions/tls/TlsTest.java | 109 ++-- test-profiles/test_resources/ssl/CA_db/cert9.db | Bin 28672 -> 0 bytes 
test-profiles/test_resources/ssl/CA_db/key4.db | Bin 36864 -> 0 bytes test-profiles/test_resources/ssl/CA_db/pkcs11.txt | 5 - test-profiles/test_resources/ssl/CA_db/rootca.crt | 19 - test-profiles/test_resources/ssl/app1.crt | 21 - test-profiles/test_resources/ssl/app1.req | 18 - test-profiles/test_resources/ssl/app2.crt | 21 - test-profiles/test_resources/ssl/app2.req | 18 - test-profiles/test_resources/ssl/expired.crt | 17 - .../test_resources/ssl/generate-java-keystores.sh | 129 ----- .../test_resources/ssl/generate-root-ca.sh | 49 -- test-profiles/test_resources/ssl/java_broker.crt | 21 - test-profiles/test_resources/ssl/java_broker.req | 18 - .../ssl/java_broker_expired_truststore.jks | Bin 1002 -> 0 bytes .../test_resources/ssl/java_broker_keystore.jks | Bin 4425 -> 0 bytes .../test_resources/ssl/java_broker_peerstore.jks | Bin 1162 -> 0 bytes .../test_resources/ssl/java_broker_truststore.jks | Bin 1082 -> 0 bytes .../ssl/java_client_expired_keystore.jks | Bin 2397 -> 0 bytes .../test_resources/ssl/java_client_keystore.jks | Bin 7641 -> 0 bytes .../test_resources/ssl/java_client_truststore.jks | Bin 1082 -> 0 bytes .../ssl/java_client_untrusted_keystore.jks | Bin 2467 -> 0 bytes test-profiles/test_resources/ssl/pfile | 1 - .../test_resources/ssl/server_db/cert9.db | Bin 28672 -> 0 bytes test-profiles/test_resources/ssl/server_db/key4.db | Bin 36864 -> 0 bytes .../test_resources/ssl/server_db/pkcs11.txt | 5 - .../test_resources/ssl/server_db/server.crt | 20 - .../test_resources/ssl/server_db/server.req | 26 - 142 files changed, 3725 insertions(+), 1450 deletions(-) diff --git a/broker-core/src/main/java/org/apache/qpid/server/model/AttributeValueConverter.java b/broker-core/src/main/java/org/apache/qpid/server/model/AttributeValueConverter.java index 43fe10e..13f951b 100644 --- a/broker-core/src/main/java/org/apache/qpid/server/model/AttributeValueConverter.java +++ b/broker-core/src/main/java/org/apache/qpid/server/model/AttributeValueConverter.java 
@@ -35,7 +35,6 @@ import java.nio.charset.StandardCharsets; import java.security.Principal; import java.security.cert.Certificate; import java.security.cert.CertificateException; -import java.security.cert.CertificateFactory; import java.time.LocalDate; import java.time.LocalDateTime; import java.time.LocalTime; @@ -64,6 +63,7 @@ import com.fasterxml.jackson.databind.ObjectMapper; import com.google.common.base.Defaults; import org.apache.qpid.server.model.preferences.GenericPrincipal; +import org.apache.qpid.server.transport.network.security.ssl.SSLUtil; import org.apache.qpid.server.util.ServerScopedRuntimeException; import org.apache.qpid.server.util.Strings; @@ -192,19 +192,6 @@ abstract class AttributeValueConverter static final AttributeValueConverter CERTIFICATE_CONVERTER = new AttributeValueConverter() { - private final CertificateFactory _certFactory; - - { - try - { - _certFactory = CertificateFactory.getInstance("X.509"); - } - catch (CertificateException e) - { - throw new ServerScopedRuntimeException(e); - } - } - @Override public Certificate convert(final Object value, final ConfiguredObject object) { @@ -216,7 +203,7 @@ abstract class AttributeValueConverter { try(ByteArrayInputStream is = new ByteArrayInputStream((byte[])value)) { - return _certFactory.generateCertificate(is); + return SSLUtil.getCertificateFactory().generateCertificate(is); } catch (IOException | CertificateException e) { diff --git a/broker-core/src/main/java/org/apache/qpid/server/model/TrustStore.java b/broker-core/src/main/java/org/apache/qpid/server/model/TrustStore.java index 768d26a..e35d5da 100644 --- a/broker-core/src/main/java/org/apache/qpid/server/model/TrustStore.java +++ b/broker-core/src/main/java/org/apache/qpid/server/model/TrustStore.java 
@@ -48,23 +48,54 @@ public interface TrustStore> extends ConfiguredObject @ManagedContextDefault(name = "qpid.truststore.trustAnchorValidityEnforced") boolean DEFAULT_TRUST_ANCHOR_VALIDITY_ENFORCED = false; + String CERTIFICATE_REVOCATION_CHECK_ENABLED = "certificateRevocationCheckEnabled"; + String CERTIFICATE_REVOCATION_CHECK_WITH_IGNORING_SOFT_FAILURES = + "certificateRevocationCheckWithIgnoringSoftFailures"; + String CERTIFICATE_REVOCATION_CHECK_WITH_PREFERRING_CERTIFICATE_REVOCATION_LIST = + "certificateRevocationCheckWithPreferringCertificateRevocationList"; + String CERTIFICATE_REVOCATION_CHECK_WITH_NO_FALLBACK = "certificateRevocationCheckWithNoFallback"; + String CERTIFICATE_REVOCATION_CHECK_OF_ONLY_END_ENTITY_CERTIFICATES = + "certificateRevocationCheckOfOnlyEndEntityCertificates"; + String CERTIFICATE_REVOCATION_LIST_URL = "certificateRevocationListUrl"; + @Override @ManagedAttribute(immutable = true) String getName(); - @ManagedAttribute( defaultValue = "false", description = "If true the Trust Store will expose its certificates as a special artificial message source.") + @ManagedAttribute(defaultValue = "false", description = "If true the Trust Store will expose its certificates as a special artificial message source.") boolean isExposedAsMessageSource(); - @ManagedAttribute( defaultValue = "[]", description = "If 'exposedAsMessageSource' is true, the trust store will expose its certificates only to VirtualHostNodes in this list or if this list is empty to all VirtualHostNodes who are not in the 'excludedVirtualHostNodeMessageSources' list." ) + @ManagedAttribute(defaultValue = "[]", description = "If 'exposedAsMessageSource' is true, the trust store will expose its certificates only to VirtualHostNodes in this list or if this list is empty to all VirtualHostNodes who are not in the 'excludedVirtualHostNodeMessageSources' list." 
) List> getIncludedVirtualHostNodeMessageSources(); - @ManagedAttribute( defaultValue = "[]", description = "If 'exposedAsMessageSource' is true and 'includedVirtualHostNodeMessageSources' is empty, the trust store will expose its certificates only to VirtualHostNodes who are not in this list." ) + @ManagedAttribute(defaultValue = "[]", description = "If 'exposedAsMessageSource' is true and 'includedVirtualHostNodeMessageSources' is empty, the trust store will expose its certificates only to VirtualHostNodes who are not in this list." ) List> getExcludedVirtualHostNodeMessageSources(); - @ManagedAttribute( defaultValue = "${qpid.truststore.trustAnchorValidityEnforced}", + @ManagedAttribute(defaultValue = "${qpid.truststore.trustAnchorValidityEnforced}", description = "If true, the trust anchor's validity dates will be enforced.") boolean isTrustAnchorValidityEnforced(); + @ManagedAttribute(defaultValue = "false", description = "If true, enable certificates revocation.") + boolean isCertificateRevocationCheckEnabled(); + + @ManagedAttribute(defaultValue = "false", description = "If true, check the revocation status of only end-entity certificates.") + boolean isCertificateRevocationCheckOfOnlyEndEntityCertificates(); + + @ManagedAttribute(defaultValue = "true", description = "If true, prefer CRL (specified in certificate distribution points) to OCSP, if false prefer OCSP to CRL.") + boolean isCertificateRevocationCheckWithPreferringCertificateRevocationList(); + + @ManagedAttribute(defaultValue = "true", description = "If true, disable fallback to CRL/OCSP (if 'certificateRevocationCheckWithPreferringCertificateRevocationList' set to true, disable fallback to OCSP, otherwise disable fallback to CRL in certificate distribution points).") + boolean isCertificateRevocationCheckWithNoFallback(); + + @ManagedAttribute(defaultValue = "false", description = "If true, revocation check will succeed if CRL/OCSP response cannot be obtained because of network error or OCSP 
responder returns internalError or tryLater.") + boolean isCertificateRevocationCheckWithIgnoringSoftFailures(); + + @ManagedAttribute(oversize = true, description = "If set, certificates will be validated only against CRL file (CRL in distribution points and OCSP will be ignored).", oversizedAltText = OVER_SIZED_ATTRIBUTE_ALTERNATIVE_TEXT) + String getCertificateRevocationListUrl(); + + @DerivedAttribute + String getCertificateRevocationListPath(); + @DerivedAttribute(description = "List of details about the certificates like validity dates, SANs, issuer and subject names, etc.") List getCertificateDetails(); diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/AbstractTrustStore.java b/broker-core/src/main/java/org/apache/qpid/server/security/AbstractTrustStore.java index 4d19ada..7285aa8 100644 --- a/broker-core/src/main/java/org/apache/qpid/server/security/AbstractTrustStore.java +++ b/broker-core/src/main/java/org/apache/qpid/server/security/AbstractTrustStore.java 
@@ -19,16 +19,35 @@ */ package org.apache.qpid.server.security; +import java.io.File; +import java.io.IOException; +import java.io.InputStream; +import java.net.MalformedURLException; +import java.net.URL; import java.security.GeneralSecurityException; +import java.security.InvalidAlgorithmParameterException; import java.security.InvalidKeyException; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; import java.security.PublicKey; import java.security.SignatureException; +import java.security.cert.CRL; +import java.security.cert.CRLException; +import java.security.cert.CertPathBuilder; +import java.security.cert.CertPathParameters; +import java.security.cert.CertStore; import java.security.cert.Certificate; import java.security.cert.CertificateExpiredException; import java.security.cert.CertificateNotYetValidException; +import java.security.cert.CollectionCertStoreParameters; +import java.security.cert.PKIXBuilderParameters; +import java.security.cert.PKIXRevocationChecker; import java.security.cert.TrustAnchor; +import java.security.cert.X509CertSelector; import java.security.cert.X509Certificate; import java.util.Arrays; +import java.util.Collection; import java.util.Collections; import java.util.Date; import java.util.HashSet; @@ -39,12 +58,15 @@ import java.util.concurrent.ScheduledFuture; import java.util.concurrent.TimeUnit; import java.util.stream.Collectors; +import javax.net.ssl.CertPathTrustManagerParameters; import javax.net.ssl.TrustManager; +import javax.net.ssl.TrustManagerFactory; import javax.net.ssl.X509TrustManager; import com.google.common.collect.Sets; import com.google.common.util.concurrent.Futures; import com.google.common.util.concurrent.ListenableFuture; +import org.apache.qpid.server.transport.network.security.ssl.SSLUtil; import org.slf4j.Logger; import org.slf4j.LoggerFactory; 
@@ -78,6 +100,19 @@ public abstract class AbstractTrustStore> private List> _excludedVirtualHostNodeMessageSources; @ManagedAttributeField private boolean _trustAnchorValidityEnforced; + @ManagedAttributeField + private boolean _certificateRevocationCheckEnabled; + @ManagedAttributeField + private boolean _certificateRevocationCheckOfOnlyEndEntityCertificates; + @ManagedAttributeField + private boolean _certificateRevocationCheckWithPreferringCertificateRevocationList; + @ManagedAttributeField + private boolean _certificateRevocationCheckWithNoFallback; + @ManagedAttributeField + private boolean _certificateRevocationCheckWithIgnoringSoftFailures; + @ManagedAttributeField(afterSet = "postSetCertificateRevocationListUrl") + private volatile String _certificateRevocationListUrl; + private volatile String _certificateRevocationListPath; private ScheduledFuture _checkExpiryTaskFuture; @@ -100,6 +135,34 @@ public abstract class AbstractTrustStore> return _eventLogger; } + protected abstract void initialize(); + + @Override + protected void changeAttributes(final Map attributes) + { + super.changeAttributes(attributes); + if (attributes.containsKey(CERTIFICATE_REVOCATION_LIST_URL)) + { + initialize(); + } + } + + @Override + public void onValidate() + { + super.onValidate(); + getCRLs(); + } + + protected void validateChange(final ConfiguredObject proxyForValidation, final Set changedAttributes) + { + super.validateChange(proxyForValidation, changedAttributes); + if (changedAttributes.contains(CERTIFICATE_REVOCATION_LIST_URL)) + { + getCRLs((String) proxyForValidation.getAttribute(CERTIFICATE_REVOCATION_LIST_URL)); + } + } + @Override protected ListenableFuture onClose() { 
@@ -252,6 +315,106 @@ public abstract class AbstractTrustStore> protected abstract TrustManager[] getTrustManagersInternal() throws GeneralSecurityException; + protected TrustManager[] getTrustManagers(KeyStore ts) + { + try + { + final TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); + tmf.init(new CertPathTrustManagerParameters(getParameters(ts))); + return tmf.getTrustManagers(); + } + catch (NoSuchAlgorithmException | InvalidAlgorithmParameterException e) + { + throw new IllegalConfigurationException("Cannot create trust manager factory for truststore '" + + getName() + "' :" + e, e); + } + } + + private CertPathParameters getParameters(KeyStore trustStore) + { + try + { + final PKIXBuilderParameters parameters = new PKIXBuilderParameters(trustStore, new X509CertSelector()); + parameters.setRevocationEnabled(_certificateRevocationCheckEnabled); + if (_certificateRevocationCheckEnabled) + { + if (_certificateRevocationListUrl != null) + { + parameters.addCertStore( + CertStore.getInstance("Collection", new CollectionCertStoreParameters(getCRLs()))); + } + final PKIXRevocationChecker revocationChecker = (PKIXRevocationChecker) CertPathBuilder + .getInstance(TrustManagerFactory.getDefaultAlgorithm()).getRevocationChecker(); + final Set options = new HashSet<>(); + if (_certificateRevocationCheckOfOnlyEndEntityCertificates) + { + options.add(PKIXRevocationChecker.Option.ONLY_END_ENTITY); + } + if (_certificateRevocationCheckWithPreferringCertificateRevocationList) + { + options.add(PKIXRevocationChecker.Option.PREFER_CRLS); + } + if (_certificateRevocationCheckWithNoFallback) + { + options.add(PKIXRevocationChecker.Option.NO_FALLBACK); + } + if (_certificateRevocationCheckWithIgnoringSoftFailures) + { + options.add(PKIXRevocationChecker.Option.SOFT_FAIL); + } + revocationChecker.setOptions(options); + parameters.addCertPathChecker(revocationChecker); + } + return parameters; + } + catch (NoSuchAlgorithmException 
| KeyStoreException | InvalidAlgorithmParameterException e) + { + throw new IllegalConfigurationException("Cannot create trust manager factory parameters for truststore '" + + getName() + "' :" + e, e); + } + } + + private Collection getCRLs() + { + return getCRLs(_certificateRevocationListUrl); + } + + /** + * Load the collection of CRLs. + */ + private Collection getCRLs(String crlUrl) + { + Collection crls = Collections.emptyList(); + if (crlUrl != null) + { + try (InputStream is = getUrlFromString(crlUrl).openStream()) + { + crls = SSLUtil.getCertificateFactory().generateCRLs(is); + } + catch (IOException | CRLException e) + { + throw new IllegalConfigurationException("Unable to load certificate revocation list '" + crlUrl + + "' for truststore '" + getName() + "' :" + e, e); + } + } + return crls; + } + + protected static URL getUrlFromString(String urlString) throws MalformedURLException + { + URL url; + try + { + url = new URL(urlString); + } + catch (MalformedURLException e) + { + final File file = new File(urlString); + url = file.toURI().toURL(); + } + return url; + } + @Override public final int getCertificateExpiryWarnPeriod() { 
@@ -289,6 +452,61 @@ public abstract class AbstractTrustStore> } @Override + public boolean isCertificateRevocationCheckEnabled() + { + return _certificateRevocationCheckEnabled; + } + + @Override + public boolean isCertificateRevocationCheckOfOnlyEndEntityCertificates() + { + return _certificateRevocationCheckOfOnlyEndEntityCertificates; + } + + @Override + public boolean isCertificateRevocationCheckWithPreferringCertificateRevocationList() + { + return _certificateRevocationCheckWithPreferringCertificateRevocationList; + } + + @Override + public boolean isCertificateRevocationCheckWithNoFallback() + { + return _certificateRevocationCheckWithNoFallback; + } + + @Override + public boolean isCertificateRevocationCheckWithIgnoringSoftFailures() + { + return _certificateRevocationCheckWithIgnoringSoftFailures; + } + + @Override + public String getCertificateRevocationListUrl() + { + return _certificateRevocationListUrl; + } + + @Override + public String getCertificateRevocationListPath() + { + return _certificateRevocationListPath; + } + + @SuppressWarnings(value = "unused") + private void postSetCertificateRevocationListUrl() + { + if (_certificateRevocationListUrl != null && !_certificateRevocationListUrl.startsWith("data:")) + { + _certificateRevocationListPath = _certificateRevocationListUrl; + } + else + { + _certificateRevocationListPath = null; + } + } + + @Override public boolean isExposedAsMessageSource() { return _exposedAsMessageSource; diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/AutoGeneratedSelfSignedKeyStoreImpl.java b/broker-core/src/main/java/org/apache/qpid/server/security/AutoGeneratedSelfSignedKeyStoreImpl.java index f5feecf..1ff9803 100644 --- a/broker-core/src/main/java/org/apache/qpid/server/security/AutoGeneratedSelfSignedKeyStoreImpl.java +++ b/broker-core/src/main/java/org/apache/qpid/server/security/AutoGeneratedSelfSignedKeyStoreImpl.java 
@@ -40,7 +40,6 @@ import java.security.SecureRandom; import java.security.cert.Certificate; import java.security.cert.CertificateEncodingException; import java.security.cert.CertificateException; -import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; import java.security.spec.InvalidKeySpecException; import java.util.Arrays; @@ -184,8 +183,7 @@ public class AutoGeneratedSelfSignedKeyStoreImpl try(ByteArrayInputStream input = new ByteArrayInputStream(certificateEncoded)) { - CertificateFactory cf = CertificateFactory.getInstance("X.509"); - _certificate = (X509Certificate) cf.generateCertificate(input); + _certificate = (X509Certificate) SSLUtil.getCertificateFactory().generateCertificate(input); } catch (CertificateException | IOException e) { diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStore.java b/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStore.java index 6842130..9f73700 100644 --- a/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStore.java +++ b/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStore.java @@ -22,7 +22,7 @@ package org.apache.qpid.server.security; import static org.apache.qpid.server.model.Initialization.materialize; -import javax.net.ssl.KeyManagerFactory; +import javax.net.ssl.TrustManagerFactory; import org.apache.qpid.server.model.DerivedAttribute; import org.apache.qpid.server.model.ManagedAttribute; @@ -42,7 +42,7 @@ public interface FileTrustStore> extends TrustStore< String DEFAULT_TRUSTSTORE_TYPE = java.security.KeyStore.getDefaultType(); @ManagedContextDefault(name = "trustStoreFile.trustManagerFactoryAlgorithm") - String DEFAULT_TRUST_MANAGER_FACTORY_ALGORITHM = KeyManagerFactory.getDefaultAlgorithm(); + String DEFAULT_TRUST_MANAGER_FACTORY_ALGORITHM = TrustManagerFactory.getDefaultAlgorithm(); String PEERS_ONLY = "peersOnly"; @Override 
diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStoreImpl.java b/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStoreImpl.java index 508e464..161c8d4 100644 --- a/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStoreImpl.java +++ b/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStoreImpl.java @@ -259,22 +259,6 @@ public class FileTrustStoreImpl extends AbstractTrustStore i return certificates == null ? new Certificate[0] : Arrays.copyOf(certificates, certificates.length); } - private static URL getUrlFromString(String urlString) throws MalformedURLException - { - URL url; - try - { - url = new URL(urlString); - } - catch (MalformedURLException e) - { - File file = new File(urlString); - url = file.toURI().toURL(); - - } - return url; - } - @SuppressWarnings(value = "unused") private void postSetStoreUrl() { @@ -288,7 +272,7 @@ public class FileTrustStoreImpl extends AbstractTrustStore i } } - private void initialize() + protected void initialize() { try { @@ -304,12 +288,9 @@ public class FileTrustStoreImpl extends AbstractTrustStore i } } - private TrustManager[] createTrustManagers(final KeyStore ts) throws NoSuchAlgorithmException, KeyStoreException + private TrustManager[] createTrustManagers(final KeyStore ts) throws KeyStoreException { - final TrustManagerFactory tmf = TrustManagerFactory.getInstance(_trustManagerFactoryAlgorithm); - tmf.init(ts); - - TrustManager[] delegateManagers = tmf.getTrustManagers(); + final TrustManager[] delegateManagers = getTrustManagers(ts); if (delegateManagers.length == 0) { throw new IllegalStateException("Truststore " + this + " defines no trust managers"); diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/ManagedPeerCertificateTrustStoreImpl.java b/broker-core/src/main/java/org/apache/qpid/server/security/ManagedPeerCertificateTrustStoreImpl.java index 5361ba0..616fb2d 100644 
--- a/broker-core/src/main/java/org/apache/qpid/server/security/ManagedPeerCertificateTrustStoreImpl.java +++ b/broker-core/src/main/java/org/apache/qpid/server/security/ManagedPeerCertificateTrustStoreImpl.java @@ -38,7 +38,6 @@ import java.util.Map; import java.util.Set; import javax.net.ssl.TrustManager; -import javax.net.ssl.TrustManagerFactory; import javax.net.ssl.X509TrustManager; import com.google.common.util.concurrent.Futures; @@ -64,7 +63,7 @@ public class ManagedPeerCertificateTrustStoreImpl private volatile TrustManager[] _trustManagers = new TrustManager[0]; - @ManagedAttributeField( afterSet = "updateTrustManagers") + @ManagedAttributeField(afterSet = "initialize") private final List _storedCertificates = new ArrayList<>(); @ManagedObjectFactoryConstructor @@ -100,7 +99,7 @@ public class ManagedPeerCertificateTrustStoreImpl } @SuppressWarnings("unused") - private void updateTrustManagers() + protected void initialize() { try { @@ -114,14 +113,10 @@ public class ManagedPeerCertificateTrustStoreImpl inMemoryKeyStore.setCertificateEntry(String.valueOf(i++), cert); } - - TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); - tmf.init(inMemoryKeyStore); - final Collection trustManagersCol = new ArrayList<>(); final QpidMultipleTrustManager mulTrustManager = new QpidMultipleTrustManager(); - TrustManager[] delegateManagers = tmf.getTrustManagers(); - for (TrustManager tm : delegateManagers) + final TrustManager[] delegateManagers = getTrustManagers(inMemoryKeyStore); + for (final TrustManager tm : delegateManagers) { if (tm instanceof X509TrustManager) { diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/NonJavaTrustStoreImpl.java b/broker-core/src/main/java/org/apache/qpid/server/security/NonJavaTrustStoreImpl.java index be0836e..be5a1a7 100644 --- a/broker-core/src/main/java/org/apache/qpid/server/security/NonJavaTrustStoreImpl.java 
+++ b/broker-core/src/main/java/org/apache/qpid/server/security/NonJavaTrustStoreImpl.java @@ -28,15 +28,10 @@ import java.security.GeneralSecurityException; import java.security.cert.Certificate; import java.security.cert.X509Certificate; import java.util.Arrays; -import java.util.Collections; -import java.util.Date; -import java.util.List; import java.util.Map; import java.util.Set; -import java.util.stream.Collectors; import javax.net.ssl.TrustManager; -import javax.net.ssl.TrustManagerFactory; import com.google.common.util.concurrent.Futures; import com.google.common.util.concurrent.ListenableFuture; @@ -51,7 +46,6 @@ import org.apache.qpid.server.model.ManagedObject; import org.apache.qpid.server.model.ManagedObjectFactoryConstructor; import org.apache.qpid.server.model.State; import org.apache.qpid.server.model.StateTransition; -import org.apache.qpid.server.model.VirtualHostNode; import org.apache.qpid.server.transport.network.security.ssl.SSLUtil; import org.apache.qpid.server.util.urlstreamhandler.data.Handler; @@ -66,7 +60,7 @@ public class NonJavaTrustStoreImpl Handler.register(); } - @ManagedAttributeField( afterSet = "updateTrustManagers" ) + @ManagedAttributeField( afterSet = "initialize" ) private String _certificatesUrl; private volatile TrustManager[] _trustManagers = new TrustManager[0]; @@ -139,7 +133,7 @@ public class NonJavaTrustStoreImpl } @SuppressWarnings("unused") - private void updateTrustManagers() + protected void initialize() { try { @@ -155,11 +149,7 @@ public class NonJavaTrustStoreImpl inMemoryKeyStore.setCertificateEntry(String.valueOf(i++), cert); } - - - TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); - tmf.init(inMemoryKeyStore); - _trustManagers = tmf.getTrustManagers(); + _trustManagers = getTrustManagers(inMemoryKeyStore); _certificates = certs; } 
@@ -169,21 +159,4 @@ public class NonJavaTrustStoreImpl throw new IllegalConfigurationException("Cannot load certificate(s) :" + e, e); } } - - private URL getUrlFromString(String urlString) throws MalformedURLException - { - URL url; - - try - { - url = new URL(urlString); - } - catch (MalformedURLException e) - { - File file = new File(urlString); - url = file.toURI().toURL(); - - } - return url; - } } diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java b/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java index 983a2a1..211d9e6 100644 --- a/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java +++ b/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java @@ -29,7 +29,6 @@ import java.security.GeneralSecurityException; import java.security.cert.Certificate; import java.security.cert.CertificateEncodingException; import java.security.cert.CertificateException; -import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; import java.util.Arrays; import java.util.Base64; @@ -42,7 +41,6 @@ import javax.net.ssl.KeyManager; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLSocket; import javax.net.ssl.TrustManager; -import javax.net.ssl.TrustManagerFactory; import javax.net.ssl.X509TrustManager; import com.google.common.util.concurrent.FutureCallback; @@ -85,6 +83,11 @@ public class SiteSpecificTrustStoreImpl super(attributes, broker); } + protected void initialize() + { + generateTrustManagers(); + } + @Override public String getSiteUrl() { 
@@ -287,8 +290,7 @@ public class SiteSpecificTrustStoreImpl try(ByteArrayInputStream input = new ByteArrayInputStream(certificateEncoded)) { - CertificateFactory cf = CertificateFactory.getInstance("X.509"); - _x509Certificate = (X509Certificate) cf.generateCertificate(input); + _x509Certificate = (X509Certificate) SSLUtil.getCertificateFactory().generateCertificate(input); } catch (CertificateException | IOException e) { @@ -306,9 +308,7 @@ public class SiteSpecificTrustStoreImpl inMemoryKeyStore.load(null, null); inMemoryKeyStore.setCertificateEntry("1", _x509Certificate); - TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); - tmf.init(inMemoryKeyStore); - _trustManagers = tmf.getTrustManagers(); + _trustManagers = getTrustManagers(inMemoryKeyStore);; } catch (IOException | GeneralSecurityException e) diff --git a/broker-core/src/main/java/org/apache/qpid/server/transport/network/security/ssl/SSLUtil.java b/broker-core/src/main/java/org/apache/qpid/server/transport/network/security/ssl/SSLUtil.java index 01c11d3..e664c2e 100644 --- a/broker-core/src/main/java/org/apache/qpid/server/transport/network/security/ssl/SSLUtil.java +++ b/broker-core/src/main/java/org/apache/qpid/server/transport/network/security/ssl/SSLUtil.java @@ -75,6 +75,7 @@ import javax.net.ssl.StandardConstants; import javax.net.ssl.TrustManager; import javax.net.ssl.X509TrustManager; +import org.apache.qpid.server.util.ServerScopedRuntimeException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -106,11 +107,10 @@ public class SSLUtil private static final Method SET_EXTENSION_METHOD; private static final Method EXTENSION_GET_NAME_METHOD; private static final boolean CAN_GENERATE_CERTS; - + private static final CertificateFactory CERTIFICATE_FACTORY; static { - Constructor constructor = null; Method generateMethod = null; Method getPrivateKeyMethod = null; 
@@ -125,7 +125,8 @@ public class SSLUtil Constructor certificateExtensionsConstructor = null; Method setExtensionMethod = null; Method extensionGetNameMethod = null; - boolean canGenerateCerrts = false; + boolean canGenerateCerts = false; + CertificateFactory certificateFactory = null; try { @@ -160,10 +161,10 @@ public class SSLUtil certificateExtensionsConstructor = certificateExtensionsClass.getConstructor(); setExtensionMethod = certificateExtensionsClass.getMethod("set", String.class, Object.class); extensionGetNameMethod = extensionClass.getMethod("getName"); - canGenerateCerrts = true; - + canGenerateCerts = true; + certificateFactory = CertificateFactory.getInstance("X.509"); } - catch (ClassNotFoundException | LinkageError | NoSuchMethodException e) + catch (ClassNotFoundException | LinkageError | CertificateException | NoSuchMethodException e) { // ignore } @@ -181,14 +182,23 @@ public class SSLUtil CERTIFICATE_EXTENSIONS_CONSTRUCTOR = certificateExtensionsConstructor; SET_EXTENSION_METHOD = setExtensionMethod; EXTENSION_GET_NAME_METHOD = extensionGetNameMethod; - CAN_GENERATE_CERTS = canGenerateCerrts; + CAN_GENERATE_CERTS = canGenerateCerts; + CERTIFICATE_FACTORY = certificateFactory; } - private SSLUtil() { } + public static CertificateFactory getCertificateFactory() + { + if (CERTIFICATE_FACTORY == null) + { + throw new ServerScopedRuntimeException("Certificate factory is null"); + } + return CERTIFICATE_FACTORY; + } + public static void verifyHostname(SSLEngine engine,String hostnameExpected) { try @@ -456,8 +466,7 @@ public class SSLUtil { do { - CertificateFactory cf = CertificateFactory.getInstance("X.509"); - crt.add( (X509Certificate) cf.generateCertificate(input)); + crt.add( (X509Certificate) getCertificateFactory().generateCertificate(input)); } while(input.available() != 0); } catch(CertificateException e) 
diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/FileKeyStoreTest.java b/broker-core/src/test/java/org/apache/qpid/server/security/FileKeyStoreTest.java index 18b2d37..834531c 100644 --- a/broker-core/src/test/java/org/apache/qpid/server/security/FileKeyStoreTest.java +++ b/broker-core/src/test/java/org/apache/qpid/server/security/FileKeyStoreTest.java @@ -20,9 +20,7 @@ package org.apache.qpid.server.security; -import static org.apache.qpid.server.security.FileTrustStoreTest.SYMMETRIC_KEY_KEYSTORE_RESOURCE; import static org.apache.qpid.server.security.FileTrustStoreTest.createDataUrlForFile; -import static org.apache.qpid.test.utils.TestSSLConstants.JAVA_KEYSTORE_TYPE; import static org.hamcrest.CoreMatchers.equalTo; import static org.hamcrest.CoreMatchers.is; import static org.junit.Assert.assertEquals; 
@@ -31,80 +29,47 @@ import static org.junit.Assert.assertNull; import static org.junit.Assert.assertTrue; import static org.junit.Assert.fail; import static org.junit.Assume.assumeThat; -import static org.mockito.Mockito.mock; -import static org.mockito.Mockito.when; import java.io.File; -import java.net.URL; -import java.security.cert.Certificate; -import java.security.cert.X509Certificate; import java.util.HashMap; import java.util.List; import java.util.Map; import javax.net.ssl.KeyManager; -import org.junit.Before; -import org.junit.Test; - -import org.apache.qpid.server.configuration.IllegalConfigurationException; -import org.apache.qpid.server.configuration.updater.CurrentThreadTaskExecutor; -import org.apache.qpid.server.configuration.updater.TaskExecutor; -import org.apache.qpid.server.logging.EventLogger; import org.apache.qpid.server.model.Broker; import org.apache.qpid.server.model.BrokerModel; +import org.apache.qpid.server.model.BrokerTestHelper; import org.apache.qpid.server.model.ConfiguredObjectFactory; +import org.apache.qpid.test.utils.UnitTestBase; +import org.junit.Test; + +import org.apache.qpid.server.configuration.IllegalConfigurationException; import org.apache.qpid.server.model.KeyStore; -import org.apache.qpid.server.model.Model; import org.apache.qpid.server.transport.network.security.ssl.SSLUtil; import org.apache.qpid.server.util.DataUrlUtils; import org.apache.qpid.test.utils.TestFileUtils; import org.apache.qpid.test.utils.TestSSLConstants; -import org.apache.qpid.test.utils.UnitTestBase; public class FileKeyStoreTest extends UnitTestBase { - static final String EMPTY_KEYSTORE_RESOURCE = "/ssl/test_empty_keystore.jks"; - private static final String KEYSTORE_CERTIFICATE_ONLY_RESOURCE = "/ssl/test_cert_only_keystore.pkcs12"; - private static final String BROKER_KEYSTORE = "ssl/java_broker_keystore.pkcs12"; - private static final String BROKER_KEYSTORE_PATH = "classpath:" + BROKER_KEYSTORE; - private static final String 
BROKER_KEYSTORE_PASSWORD = TestSSLConstants.BROKER_KEYSTORE_PASSWORD; - private static final String CLIENT_KEYSTORE_PATH = "classpath:ssl/java_client_keystore.pkcs12"; - private static final String CLIENT_KEYSTORE_PASSWORD = TestSSLConstants.KEYSTORE_PASSWORD; - private static final String BROKER_KEYSTORE_ALIAS = TestSSLConstants.BROKER_KEYSTORE_ALIAS; - - private final Broker _broker = mock(Broker.class); - private final TaskExecutor _taskExecutor = CurrentThreadTaskExecutor.newStartedInstance(); - private final Model _model = BrokerModel.getInstance(); - private final ConfiguredObjectFactory _factory = _model.getObjectFactory(); - - - @Before - public void setUp() throws Exception - { - - when(_broker.getTaskExecutor()).thenReturn(_taskExecutor); - when(_broker.getChildExecutor()).thenReturn(_taskExecutor); - when(_broker.getModel()).thenReturn(_model); - when(_broker.getCategoryClass()).thenReturn(Broker.class); - when(_broker.getEventLogger()).thenReturn(new EventLogger()); - when(_broker.getTypeClass()).thenReturn(Broker.class); - } + private static final Broker BROKER = BrokerTestHelper.createBrokerMock(); + private static final ConfiguredObjectFactory FACTORY = BrokerModel.getInstance().getObjectFactory(); @Test public void testCreateKeyStoreFromFile_Success() throws Exception { Map attributes = new HashMap<>(); attributes.put(FileKeyStore.NAME, "myFileKeyStore"); - attributes.put(FileKeyStore.STORE_URL, BROKER_KEYSTORE_PATH); - attributes.put(FileKeyStore.PASSWORD, BROKER_KEYSTORE_PASSWORD); - attributes.put(FileKeyStore.KEY_STORE_TYPE, JAVA_KEYSTORE_TYPE); + attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.BROKER_KEYSTORE); + attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD); + attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE); - FileKeyStoreImpl fileKeyStore = (FileKeyStoreImpl) _factory.create(KeyStore.class, attributes, _broker); + FileKeyStoreImpl fileKeyStore = (FileKeyStoreImpl) 
FACTORY.create(KeyStore.class, attributes, BROKER); KeyManager[] keyManager = fileKeyStore.getKeyManagers(); assertNotNull(keyManager); - assertEquals("Unexpected number of key managers", (long) 1, (long) keyManager.length); + assertEquals("Unexpected number of key managers", 1, keyManager.length); assertNotNull("Key manager unexpected null", keyManager[0]); } 
@@ -113,272 +78,192 @@ public class FileKeyStoreTest extends UnitTestBase { Map attributes = new HashMap<>(); attributes.put(FileKeyStore.NAME, "myFileKeyStore"); - attributes.put(FileKeyStore.STORE_URL, BROKER_KEYSTORE_PATH); - attributes.put(FileKeyStore.PASSWORD, BROKER_KEYSTORE_PASSWORD); - attributes.put(FileKeyStore.CERTIFICATE_ALIAS, BROKER_KEYSTORE_ALIAS); - attributes.put(FileKeyStore.KEY_STORE_TYPE, JAVA_KEYSTORE_TYPE); + attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.BROKER_KEYSTORE); + attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD); + attributes.put(FileKeyStore.CERTIFICATE_ALIAS, TestSSLConstants.BROKER_KEYSTORE_ALIAS); + attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE); - FileKeyStoreImpl fileKeyStore = (FileKeyStoreImpl) _factory.create(KeyStore.class, attributes, _broker); + FileKeyStoreImpl fileKeyStore = (FileKeyStoreImpl) FACTORY.create(KeyStore.class, attributes, BROKER); KeyManager[] keyManager = fileKeyStore.getKeyManagers(); assertNotNull(keyManager); - assertEquals("Unexpected number of key managers", (long) 1, (long) keyManager.length); + assertEquals("Unexpected number of key managers", 1, keyManager.length); assertNotNull("Key manager unexpected null", keyManager[0]); } @Test - public void testCreateKeyStoreFromFile_WrongPassword() throws Exception + public void testCreateKeyStoreFromFile_WrongPassword() { Map attributes = new HashMap<>(); attributes.put(FileKeyStore.NAME, "myFileKeyStore"); - attributes.put(FileKeyStore.STORE_URL, BROKER_KEYSTORE_PATH); + attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.BROKER_KEYSTORE); attributes.put(FileKeyStore.PASSWORD, "wrong"); - attributes.put(FileKeyStore.KEY_STORE_TYPE, JAVA_KEYSTORE_TYPE); - - try - { - _factory.create(KeyStore.class, attributes, _broker); - fail("Exception not thrown"); - } - catch (IllegalConfigurationException ice) - { - String message = ice.getMessage(); - assertTrue("Exception text not as unexpected:" + 
message, - message.contains("Check key store password")); + attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE); - } + KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes, + "Check key store password"); } @Test - public void testCreateKeyStoreFromFile_UnknownAlias() throws Exception + public void testCreateKeyStoreFromFile_UnknownAlias() { Map attributes = new HashMap<>(); attributes.put(FileKeyStore.NAME, "myFileKeyStore"); - attributes.put(FileKeyStore.STORE_URL, CLIENT_KEYSTORE_PATH); - attributes.put(FileKeyStore.PASSWORD, CLIENT_KEYSTORE_PASSWORD); + attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.CLIENT_KEYSTORE); + attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD); attributes.put(FileKeyStore.CERTIFICATE_ALIAS, "notknown"); - attributes.put(FileKeyStore.KEY_STORE_TYPE, JAVA_KEYSTORE_TYPE); + attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE); - try - { - _factory.create(KeyStore.class, attributes, _broker); - fail("Exception not thrown"); - } - catch (IllegalConfigurationException ice) - { - String message = ice.getMessage(); - assertTrue("Exception text not as unexpected:" + message, - message.contains("Cannot find a certificate with alias 'notknown' in key store")); - } + KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes, + "Cannot find a certificate with alias 'notknown' in key store"); } @Test - public void testCreateKeyStoreFromFile_NonKeyAlias() throws Exception + public void testCreateKeyStoreFromFile_NonKeyAlias() { Map attributes = new HashMap<>(); attributes.put(FileKeyStore.NAME, "myFileKeyStore"); - attributes.put(FileKeyStore.STORE_URL, CLIENT_KEYSTORE_PATH); - attributes.put(FileKeyStore.PASSWORD, CLIENT_KEYSTORE_PASSWORD); - attributes.put(FileKeyStore.CERTIFICATE_ALIAS, "rootca"); - attributes.put(FileKeyStore.KEY_STORE_TYPE, JAVA_KEYSTORE_TYPE); + 
attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.CLIENT_KEYSTORE); + attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD); + attributes.put(FileKeyStore.CERTIFICATE_ALIAS, TestSSLConstants.CERT_ALIAS_ROOT_CA); + attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE); - try - { - _factory.create(KeyStore.class, attributes, _broker); - fail("Exception not thrown"); - } - catch (IllegalConfigurationException ice) - { - String message = ice.getMessage(); - assertTrue("Exception text not as unexpected:" + message, - message.contains("does not identify a private key")); - } + KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes, + "does not identify a private key"); } @Test public void testCreateKeyStoreFromDataUrl_Success() throws Exception { - String trustStoreAsDataUrl = createDataUrlForFile(BROKER_KEYSTORE); + String trustStoreAsDataUrl = createDataUrlForFile(TestSSLConstants.BROKER_KEYSTORE); Map attributes = new HashMap<>(); attributes.put(FileKeyStore.NAME, "myFileKeyStore"); attributes.put(FileKeyStore.STORE_URL, trustStoreAsDataUrl); - attributes.put(FileKeyStore.PASSWORD, BROKER_KEYSTORE_PASSWORD); - attributes.put(FileKeyStore.KEY_STORE_TYPE, JAVA_KEYSTORE_TYPE); + attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD); + attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE); - FileKeyStoreImpl fileKeyStore = (FileKeyStoreImpl) _factory.create(KeyStore.class, attributes, _broker); + FileKeyStoreImpl fileKeyStore = (FileKeyStoreImpl) FACTORY.create(KeyStore.class, attributes, BROKER); KeyManager[] keyManagers = fileKeyStore.getKeyManagers(); assertNotNull(keyManagers); - assertEquals("Unexpected number of key managers", (long) 1, (long) keyManagers.length); + assertEquals("Unexpected number of key managers", 1, keyManagers.length); assertNotNull("Key manager unexpected null", keyManagers[0]); } @Test public void 
testCreateKeyStoreWithAliasFromDataUrl_Success() throws Exception { - String trustStoreAsDataUrl = createDataUrlForFile(BROKER_KEYSTORE); + String trustStoreAsDataUrl = createDataUrlForFile(TestSSLConstants.BROKER_KEYSTORE); Map attributes = new HashMap<>(); attributes.put(FileKeyStore.NAME, "myFileKeyStore"); attributes.put(FileKeyStore.STORE_URL, trustStoreAsDataUrl); - attributes.put(FileKeyStore.PASSWORD, BROKER_KEYSTORE_PASSWORD); - attributes.put(FileKeyStore.CERTIFICATE_ALIAS, BROKER_KEYSTORE_ALIAS); - attributes.put(FileKeyStore.KEY_STORE_TYPE, JAVA_KEYSTORE_TYPE); + attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD); + attributes.put(FileKeyStore.CERTIFICATE_ALIAS, TestSSLConstants.BROKER_KEYSTORE_ALIAS); + attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE); - FileKeyStoreImpl fileKeyStore = (FileKeyStoreImpl) _factory.create(KeyStore.class, attributes, _broker); + FileKeyStoreImpl fileKeyStore = (FileKeyStoreImpl) FACTORY.create(KeyStore.class, attributes, BROKER); KeyManager[] keyManagers = fileKeyStore.getKeyManagers(); assertNotNull(keyManagers); - assertEquals("Unexpected number of key managers", (long) 1, (long) keyManagers.length); + assertEquals("Unexpected number of key managers", 1, keyManagers.length); assertNotNull("Key manager unexpected null", keyManagers[0]); } @Test public void testCreateKeyStoreFromDataUrl_WrongPassword() throws Exception { - String keyStoreAsDataUrl = createDataUrlForFile(BROKER_KEYSTORE); + String keyStoreAsDataUrl = createDataUrlForFile(TestSSLConstants.BROKER_KEYSTORE); Map attributes = new HashMap<>(); attributes.put(FileKeyStore.NAME, "myFileKeyStore"); attributes.put(FileKeyStore.PASSWORD, "wrong"); attributes.put(FileKeyStore.STORE_URL, keyStoreAsDataUrl); - attributes.put(FileKeyStore.KEY_STORE_TYPE, JAVA_KEYSTORE_TYPE); + attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE); - try - { - _factory.create(KeyStore.class, attributes, _broker); - 
fail("Exception not thrown"); - } - catch (IllegalConfigurationException ice) - { - String message = ice.getMessage(); - assertTrue("Exception text not as unexpected:" + message, - message.contains("Check key store password")); - } + KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes, + "Check key store password"); } @Test - public void testCreateKeyStoreFromDataUrl_BadKeystoreBytes() throws Exception + public void testCreateKeyStoreFromDataUrl_BadKeystoreBytes() { String keyStoreAsDataUrl = DataUrlUtils.getDataUrlForBytes("notatruststore".getBytes()); Map attributes = new HashMap<>(); attributes.put(FileKeyStore.NAME, "myFileKeyStore"); - attributes.put(FileKeyStore.PASSWORD, BROKER_KEYSTORE_PASSWORD); + attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD); attributes.put(FileKeyStore.STORE_URL, keyStoreAsDataUrl); - try - { - _factory.create(KeyStore.class, attributes, _broker); - fail("Exception not thrown"); - } - catch (IllegalConfigurationException ice) - { - String message = ice.getMessage(); - assertTrue("Exception text not as unexpected:" + message, - message.contains("Cannot instantiate key store")); - } + KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes, + "Cannot instantiate key store"); } @Test public void testCreateKeyStoreFromDataUrl_UnknownAlias() throws Exception { - String keyStoreAsDataUrl = createDataUrlForFile(BROKER_KEYSTORE); + String keyStoreAsDataUrl = createDataUrlForFile(TestSSLConstants.BROKER_KEYSTORE); Map attributes = new HashMap<>(); attributes.put(FileKeyStore.NAME, "myFileKeyStore"); - attributes.put(FileKeyStore.PASSWORD, BROKER_KEYSTORE_PASSWORD); + attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD); attributes.put(FileKeyStore.STORE_URL, keyStoreAsDataUrl); attributes.put(FileKeyStore.CERTIFICATE_ALIAS, "notknown"); - attributes.put(FileKeyStore.KEY_STORE_TYPE, JAVA_KEYSTORE_TYPE); + 
attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE); - try - { - _factory.create(KeyStore.class, attributes, _broker); - fail("Exception not thrown"); - } - catch (IllegalConfigurationException ice) - { - String message = ice.getMessage(); - assertTrue("Exception text not as unexpected:" + message, - message.contains("Cannot find a certificate with alias 'notknown' in key store")); - } + KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes, + "Cannot find a certificate with alias 'notknown' in key store"); } @Test - public void testEmptyKeystoreRejected() throws Exception + public void testEmptyKeystoreRejected() { - final URL emptyKeystore = getClass().getResource(EMPTY_KEYSTORE_RESOURCE); - assertNotNull("Empty keystore not found", emptyKeystore); - Map attributes = new HashMap<>(); attributes.put(FileKeyStore.NAME, "myFileKeyStore"); - attributes.put(FileKeyStore.PASSWORD, BROKER_KEYSTORE_PASSWORD); - attributes.put(FileKeyStore.STORE_URL, emptyKeystore); + attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD); + attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.TEST_EMPTY_KEYSTORE); - try - { - _factory.create(KeyStore.class, attributes, _broker); - fail("Exception not thrown"); - } - catch (IllegalConfigurationException ice) - { - // pass - } + KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes, + "must contain at least one private key"); } @Test public void testKeystoreWithNoPrivateKeyRejected() { - final URL keystoreUrl = getClass().getResource(KEYSTORE_CERTIFICATE_ONLY_RESOURCE); - assertNotNull("Keystore not found", keystoreUrl); - Map attributes = new HashMap<>(); attributes.put(FileKeyStore.NAME, getTestName()); - attributes.put(FileKeyStore.PASSWORD, BROKER_KEYSTORE_PASSWORD); - attributes.put(FileKeyStore.STORE_URL, keystoreUrl); - attributes.put(FileKeyStore.KEY_STORE_TYPE, JAVA_KEYSTORE_TYPE); + 
attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD); + attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.TEST_CERT_ONLY_KEYSTORE); + attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE); - try - { - _factory.create(KeyStore.class, attributes, _broker); - fail("Exception not thrown"); - } - catch (IllegalConfigurationException ice) - { - String message = ice.getMessage(); - assertTrue("Exception text not as unexpected:" + message, - message.contains("must contain at least one private key")); - } + KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes, + "must contain at least one private key"); } @Test public void testSymmetricKeysIgnored() { - final URL keystoreUrl = getClass().getResource(SYMMETRIC_KEY_KEYSTORE_RESOURCE); - assertNotNull("Keystore not found", keystoreUrl); - Map attributes = new HashMap<>(); attributes.put(FileKeyStore.NAME, "myFileKeyStore"); - attributes.put(FileKeyStore.PASSWORD, BROKER_KEYSTORE_PASSWORD); - attributes.put(FileKeyStore.STORE_URL, keystoreUrl); - attributes.put(FileKeyStore.KEY_STORE_TYPE, JAVA_KEYSTORE_TYPE); + attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD); + attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.TEST_SYMMETRIC_KEY_KEYSTORE); + attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE); - KeyStore keyStore = _factory.create(KeyStore.class, attributes, _broker); + KeyStore keyStore = (KeyStore) FACTORY.create(KeyStore.class, attributes, BROKER); assertNotNull(keyStore); } @Test - public void testUpdateKeyStore_Success() throws Exception + public void testUpdateKeyStore_Success() { Map attributes = new HashMap<>(); attributes.put(FileKeyStore.NAME, "myFileKeyStore"); - attributes.put(FileKeyStore.STORE_URL, BROKER_KEYSTORE_PATH); - attributes.put(FileKeyStore.PASSWORD, BROKER_KEYSTORE_PASSWORD); - attributes.put(FileKeyStore.KEY_STORE_TYPE, JAVA_KEYSTORE_TYPE); + 
attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.BROKER_KEYSTORE); + attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD); + attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE); - FileKeyStoreImpl fileKeyStore = (FileKeyStoreImpl) _factory.create(KeyStore.class, attributes, _broker); + FileKeyStoreImpl fileKeyStore = (FileKeyStoreImpl) FACTORY.create(KeyStore.class, attributes, BROKER); assertNull("Unexpected alias value before change", fileKeyStore.getCertificateAlias()); @@ -390,9 +275,9 @@ public class FileKeyStoreTest extends UnitTestBase fileKeyStore.setAttributes(unacceptableAttributes); fail("Exception not thrown"); } - catch (IllegalConfigurationException ice) + catch (IllegalConfigurationException e) { - String message = ice.getMessage(); + String message = e.getMessage(); assertTrue("Exception text not as unexpected:" + message, message.contains("Cannot find a certificate with alias 'notknown' in key store")); } @@ -400,13 +285,12 @@ public class FileKeyStoreTest extends UnitTestBase assertNull("Unexpected alias value after failed change", fileKeyStore.getCertificateAlias()); Map changedAttributes = new HashMap<>(); - changedAttributes.put(FileKeyStore.CERTIFICATE_ALIAS, BROKER_KEYSTORE_ALIAS); + changedAttributes.put(FileKeyStore.CERTIFICATE_ALIAS, TestSSLConstants.BROKER_KEYSTORE_ALIAS); fileKeyStore.setAttributes(changedAttributes); assertEquals("Unexpected alias value after change that is expected to be successful", - BROKER_KEYSTORE_ALIAS, - fileKeyStore.getCertificateAlias()); + TestSSLConstants.BROKER_KEYSTORE_ALIAS, fileKeyStore.getCertificateAlias()); } 
@@ -415,8 +299,8 @@ public class FileKeyStoreTest extends UnitTestBase { assumeThat(SSLUtil.canGenerateCerts(), is(equalTo(true))); - final SSLUtil.KeyCertPair selfSigned1 = KeystoreTestHelper.generateSelfSigned("CN=foo"); - final SSLUtil.KeyCertPair selfSigned2 = KeystoreTestHelper.generateSelfSigned("CN=bar"); + final SSLUtil.KeyCertPair selfSigned1 = KeyStoreTestHelper.generateSelfSigned("CN=foo"); + final SSLUtil.KeyCertPair selfSigned2 = KeyStoreTestHelper.generateSelfSigned("CN=bar"); final File keyStoreFile = TestFileUtils.createTempFile(this, ".ks"); final String dummy = "changit"; @@ -426,7 +310,7 @@ public class FileKeyStoreTest extends UnitTestBase try { final java.security.KeyStore keyStore = - KeystoreTestHelper.saveKeyStore(selfSigned1, certificateAlias, keyAlias, pass, keyStoreFile); + KeyStoreTestHelper.saveKeyStore(selfSigned1, certificateAlias, keyAlias, pass, keyStoreFile); final Map attributes = new HashMap<>(); attributes.put(FileKeyStore.NAME, getTestName()); @@ -434,14 +318,14 @@ public class FileKeyStoreTest extends UnitTestBase attributes.put(FileKeyStore.PASSWORD, dummy); attributes.put(FileKeyStore.KEY_STORE_TYPE, keyStore.getType()); - final FileKeyStore keyStoreObject = (FileKeyStore) _factory.create(KeyStore.class, attributes, _broker); + final FileKeyStore keyStoreObject = (FileKeyStore) FACTORY.create(KeyStore.class, attributes, BROKER); final CertificateDetails certificate = getCertificate(keyStoreObject); assertEquals("CN=foo", certificate.getIssuerName()); assertTrue(keyStoreFile.delete()); assertTrue(keyStoreFile.createNewFile());keyStoreFile.deleteOnExit(); - KeystoreTestHelper.saveKeyStore(selfSigned2, certificateAlias, keyAlias, pass, keyStoreFile); + KeyStoreTestHelper.saveKeyStore(selfSigned2, certificateAlias, keyAlias, pass, keyStoreFile); keyStoreObject.reload(); 
@@ -454,7 +338,7 @@ public class FileKeyStoreTest extends UnitTestBase } } - public CertificateDetails getCertificate(final FileKeyStore keyStore) throws java.security.GeneralSecurityException + public CertificateDetails getCertificate(final FileKeyStore keyStore) { final List certificates = keyStore.getCertificateDetails(); diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/FileTrustStoreTest.java b/broker-core/src/test/java/org/apache/qpid/server/security/FileTrustStoreTest.java index 427e0b7..6ca59a8 100644 --- a/broker-core/src/test/java/org/apache/qpid/server/security/FileTrustStoreTest.java +++ b/broker-core/src/test/java/org/apache/qpid/server/security/FileTrustStoreTest.java @@ -20,10 +20,8 @@ package org.apache.qpid.server.security; -import static org.apache.qpid.server.security.FileKeyStoreTest.EMPTY_KEYSTORE_RESOURCE; import static org.apache.qpid.server.transport.network.security.ssl.SSLUtil.getInitializedKeyStore; import static org.apache.qpid.test.utils.JvmVendor.IBM; -import static org.apache.qpid.test.utils.TestSSLConstants.JAVA_KEYSTORE_TYPE; import static org.hamcrest.CoreMatchers.equalTo; import static org.hamcrest.CoreMatchers.is; import static org.hamcrest.CoreMatchers.not; @@ -32,14 +30,11 @@ import static org.junit.Assert.assertNotNull; import static org.junit.Assert.assertTrue; import static org.junit.Assert.fail; import static org.junit.Assume.assumeThat; -import static org.mockito.Mockito.mock; -import static org.mockito.Mockito.when; import java.io.File; import java.io.FileInputStream; import java.io.IOException; import java.io.InputStream; -import java.net.URL; import java.security.KeyStore; import java.security.cert.Certificate; import java.security.cert.CertificateException; 
@@ -53,99 +48,69 @@ import javax.net.ssl.TrustManager; import javax.net.ssl.X509TrustManager; import com.google.common.io.ByteStreams; -import org.junit.Before; -import org.junit.Test; - -import org.apache.qpid.server.configuration.IllegalConfigurationException; -import org.apache.qpid.server.configuration.updater.CurrentThreadTaskExecutor; -import org.apache.qpid.server.configuration.updater.TaskExecutor; -import org.apache.qpid.server.logging.EventLogger; import org.apache.qpid.server.model.Broker; import org.apache.qpid.server.model.BrokerModel; +import org.apache.qpid.server.model.BrokerTestHelper; import org.apache.qpid.server.model.ConfiguredObjectFactory; -import org.apache.qpid.server.model.Model; +import org.apache.qpid.test.utils.UnitTestBase; +import org.junit.Test; + +import org.apache.qpid.server.configuration.IllegalConfigurationException; import org.apache.qpid.server.model.TrustStore; import org.apache.qpid.server.transport.network.security.ssl.QpidPeersOnlyTrustManager; import org.apache.qpid.server.transport.network.security.ssl.SSLUtil; import org.apache.qpid.server.util.DataUrlUtils; import org.apache.qpid.test.utils.TestFileUtils; import org.apache.qpid.test.utils.TestSSLConstants; -import org.apache.qpid.test.utils.UnitTestBase; public class FileTrustStoreTest extends UnitTestBase { - static final String SYMMETRIC_KEY_KEYSTORE_RESOURCE = "/ssl/test_symmetric_key_keystore.pkcs12"; - private static final String KEYSTORE_PK_ONLY_RESOURCE = "/ssl/test_pk_only_keystore.pkcs12"; - private static final String TRUSTSTORE_PASSWORD = TestSSLConstants.TRUSTSTORE_PASSWORD; - private static final String PEER_STORE_PASSWORD = TestSSLConstants.BROKER_PEERSTORE_PASSWORD; - private static final String KEYSTORE_PASSWORD = TestSSLConstants.KEYSTORE_PASSWORD; - private static final String KEYSTORE_RESOURCE = "/ssl/test_keystore.jks"; - private static final String TRUST_STORE_PATH = "classpath:ssl/java_client_truststore.pkcs12"; - private static final String 
PEER_STORE_PATH = "classpath:ssl/java_broker_peerstore.pkcs12"; - private static final String EXPIRED_TRUST_STORE_PATH = "classpath:ssl/java_broker_expired_truststore.pkcs12"; - private static final String EXPIRED_KEYSTORE_PATH = "ssl/java_client_expired_keystore.pkcs12"; - private static final String TRUST_STORE = "ssl/java_client_truststore.pkcs12"; - private static final String BROKER_TRUST_STORE_PATH = "classpath:ssl/java_broker_truststore.pkcs12"; - private static final String BROKER_TRUST_STORE_PASSWORD = TestSSLConstants.BROKER_TRUSTSTORE_PASSWORD; - private static final String BROKER_KEYSTORE_PASSWORD = TestSSLConstants.BROKER_KEYSTORE_PASSWORD; - - - private final Broker _broker = mock(Broker.class); - private final TaskExecutor _taskExecutor = CurrentThreadTaskExecutor.newStartedInstance(); - private final Model _model = BrokerModel.getInstance(); - private final ConfiguredObjectFactory _factory = _model.getObjectFactory(); - - @Before - public void setUp() throws Exception - { - - when(_broker.getTaskExecutor()).thenReturn(_taskExecutor); - when(_broker.getChildExecutor()).thenReturn(_taskExecutor); - - when(_broker.getModel()).thenReturn(_model); - when(_broker.getCategoryClass()).thenReturn(Broker.class); - when(_broker.getEventLogger()).thenReturn(new EventLogger()); - when(_broker.getTypeClass()).thenReturn(Broker.class); - } + private static final Broker BROKER = BrokerTestHelper.createBrokerMock(); + private static final ConfiguredObjectFactory FACTORY = BrokerModel.getInstance().getObjectFactory(); @Test public void testCreateTrustStoreFromFile_Success() throws Exception { Map attributes = new HashMap<>(); attributes.put(FileTrustStore.NAME, "myFileTrustStore"); - attributes.put(FileTrustStore.STORE_URL, TRUST_STORE_PATH); - attributes.put(FileTrustStore.PASSWORD, TRUSTSTORE_PASSWORD); - attributes.put(FileTrustStore.TRUST_STORE_TYPE, JAVA_KEYSTORE_TYPE); + attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.CLIENT_TRUSTSTORE); + 
attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD); + attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true); + attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL); - TrustStore fileTrustStore = _factory.create(TrustStore.class, attributes, _broker); + TrustStore fileTrustStore = FACTORY.create(TrustStore.class, attributes, BROKER); TrustManager[] trustManagers = fileTrustStore.getTrustManagers(); assertNotNull(trustManagers); - assertEquals("Unexpected number of trust managers", (long) 1, (long) trustManagers.length); + assertEquals("Unexpected number of trust managers", 1, trustManagers.length); assertNotNull("Trust manager unexpected null", trustManagers[0]); } @Test - public void testCreateTrustStoreFromFile_WrongPassword() throws Exception + public void testCreateTrustStoreFromFile_WrongPassword() { Map attributes = new HashMap<>(); attributes.put(FileTrustStore.NAME, "myFileTrustStore"); - attributes.put(FileTrustStore.STORE_URL, TRUST_STORE_PATH); + attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.CLIENT_TRUSTSTORE); attributes.put(FileTrustStore.PASSWORD, "wrong"); - attributes.put(FileTrustStore.TRUST_STORE_TYPE, JAVA_KEYSTORE_TYPE); + attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE); - try - { - _factory.create(TrustStore.class, attributes, _broker); - fail("Exception not thrown"); - } - catch (IllegalConfigurationException ice) - { - String message = ice.getMessage(); - assertTrue("Exception text not as unexpected:" + message, - message.contains("Check trust store password")); + KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes, + "Check trust store password"); + } - } + @Test + public void testCreateTrustStoreFromFile_MissingCrlFile() + { + Map attributes = new HashMap<>(); + attributes.put(FileTrustStore.NAME, "myFileTrustStore"); + attributes.put(FileTrustStore.STORE_URL, 
TestSSLConstants.CLIENT_TRUSTSTORE); + attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD); + attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE); + attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, "/not/a/crl"); + + KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes, + "Unable to load certificate revocation list '/not/a/crl' for truststore 'myFileTrustStore'"); } @Test @@ -153,16 +118,18 @@ public class FileTrustStoreTest extends UnitTestBase { Map attributes = new HashMap<>(); attributes.put(FileTrustStore.NAME, "myFileTrustStore"); - attributes.put(FileTrustStore.STORE_URL, PEER_STORE_PATH); - attributes.put(FileTrustStore.PASSWORD, PEER_STORE_PASSWORD); + attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.BROKER_PEERSTORE); + attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD); attributes.put(FileTrustStore.PEERS_ONLY, true); - attributes.put(FileTrustStore.TRUST_STORE_TYPE, JAVA_KEYSTORE_TYPE); + attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE); + attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true); + attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL); - TrustStore fileTrustStore = _factory.create(TrustStore.class, attributes, _broker); + TrustStore fileTrustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER); TrustManager[] trustManagers = fileTrustStore.getTrustManagers(); assertNotNull(trustManagers); - assertEquals("Unexpected number of trust managers", (long) 1, (long) trustManagers.length); + assertEquals("Unexpected number of trust managers", 1, trustManagers.length); assertNotNull("Trust manager unexpected null", trustManagers[0]); final boolean condition = trustManagers[0] instanceof QpidPeersOnlyTrustManager; assertTrue("Trust manager unexpected null", condition); 
@@ -178,22 +145,22 @@ public class FileTrustStoreTest extends UnitTestBase Map attributes = new HashMap<>(); attributes.put(FileTrustStore.NAME, "myFileTrustStore"); - attributes.put(FileTrustStore.STORE_URL, EXPIRED_TRUST_STORE_PATH); - attributes.put(FileTrustStore.PASSWORD, BROKER_TRUST_STORE_PASSWORD); - attributes.put(FileTrustStore.TRUST_STORE_TYPE, JAVA_KEYSTORE_TYPE); + attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.BROKER_EXPIRED_TRUSTSTORE); + attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD); + attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE); - TrustStore trustStore = _factory.create(TrustStore.class, attributes, _broker); + TrustStore trustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER); TrustManager[] trustManagers = trustStore.getTrustManagers(); assertNotNull(trustManagers); - assertEquals("Unexpected number of trust managers", (long) 1, (long) trustManagers.length); + assertEquals("Unexpected number of trust managers", 1, trustManagers.length); final boolean condition = trustManagers[0] instanceof X509TrustManager; assertTrue("Unexpected trust manager type", condition); X509TrustManager trustManager = (X509TrustManager) trustManagers[0]; - KeyStore clientStore = getInitializedKeyStore(EXPIRED_KEYSTORE_PATH, - KEYSTORE_PASSWORD, - JAVA_KEYSTORE_TYPE); + KeyStore clientStore = getInitializedKeyStore(TestSSLConstants.CLIENT_EXPIRED_KEYSTORE, + TestSSLConstants.PASSWORD, + TestSSLConstants.JAVA_KEYSTORE_TYPE); String alias = clientStore.aliases().nextElement(); X509Certificate certificate = (X509Certificate) clientStore.getCertificate(alias); 
@@ -205,23 +172,23 @@ public class FileTrustStoreTest extends UnitTestBase { Map attributes = new HashMap<>(); attributes.put(FileTrustStore.NAME, "myFileTrustStore"); - attributes.put(FileTrustStore.STORE_URL, EXPIRED_TRUST_STORE_PATH); - attributes.put(FileTrustStore.PASSWORD, BROKER_TRUST_STORE_PASSWORD); + attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.BROKER_EXPIRED_TRUSTSTORE); + attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD); attributes.put(FileTrustStore.TRUST_ANCHOR_VALIDITY_ENFORCED, true); - attributes.put(FileTrustStore.TRUST_STORE_TYPE, JAVA_KEYSTORE_TYPE); + attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE); - TrustStore trustStore = _factory.create(TrustStore.class, attributes, _broker); + TrustStore trustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER); TrustManager[] trustManagers = trustStore.getTrustManagers(); assertNotNull(trustManagers); - assertEquals("Unexpected number of trust managers", (long) 1, (long) trustManagers.length); + assertEquals("Unexpected number of trust managers", 1, trustManagers.length); final boolean condition = trustManagers[0] instanceof X509TrustManager; assertTrue("Unexpected trust manager type", condition); X509TrustManager trustManager = (X509TrustManager) trustManagers[0]; - KeyStore clientStore = getInitializedKeyStore(EXPIRED_KEYSTORE_PATH, - KEYSTORE_PASSWORD, - JAVA_KEYSTORE_TYPE); + KeyStore clientStore = getInitializedKeyStore(TestSSLConstants.CLIENT_EXPIRED_KEYSTORE, + TestSSLConstants.PASSWORD, + TestSSLConstants.JAVA_KEYSTORE_TYPE); String alias = clientStore.aliases().nextElement(); X509Certificate certificate = (X509Certificate) clientStore.getCertificate(alias); 
@@ -248,83 +215,70 @@ public class FileTrustStoreTest extends UnitTestBase @Test public void testCreateTrustStoreFromDataUrl_Success() throws Exception { - String trustStoreAsDataUrl = createDataUrlForFile(TRUST_STORE); + String trustStoreAsDataUrl = createDataUrlForFile(TestSSLConstants.CLIENT_TRUSTSTORE); + String crlAsDataUrl = createDataUrlForFile(TestSSLConstants.CA_CRL); Map attributes = new HashMap<>(); attributes.put(FileTrustStore.NAME, "myFileTrustStore"); attributes.put(FileTrustStore.STORE_URL, trustStoreAsDataUrl); - attributes.put(FileTrustStore.PASSWORD, TRUSTSTORE_PASSWORD); - attributes.put(FileTrustStore.TRUST_STORE_TYPE, JAVA_KEYSTORE_TYPE); + attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD); + attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE); + attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true); + attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, crlAsDataUrl); - TrustStore fileTrustStore = _factory.create(TrustStore.class, attributes, _broker); + TrustStore fileTrustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER); TrustManager[] trustManagers = fileTrustStore.getTrustManagers(); assertNotNull(trustManagers); - assertEquals("Unexpected number of trust managers", (long) 1, (long) trustManagers.length); + assertEquals("Unexpected number of trust managers", 1, trustManagers.length); assertNotNull("Trust manager unexpected null", trustManagers[0]); } @Test public void testCreateTrustStoreFromDataUrl_WrongPassword() throws Exception { - String trustStoreAsDataUrl = createDataUrlForFile(TRUST_STORE); + String trustStoreAsDataUrl = createDataUrlForFile(TestSSLConstants.CLIENT_TRUSTSTORE); Map attributes = new HashMap<>(); attributes.put(FileTrustStore.NAME, "myFileTrustStore"); attributes.put(FileTrustStore.PASSWORD, "wrong"); attributes.put(FileTrustStore.STORE_URL, trustStoreAsDataUrl); - attributes.put(FileTrustStore.TRUST_STORE_TYPE, 
JAVA_KEYSTORE_TYPE); + attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE); - try - { - _factory.create(TrustStore.class, attributes, _broker); - fail("Exception not thrown"); - } - catch (IllegalConfigurationException ice) - { - String message = ice.getMessage(); - assertTrue("Exception text not as unexpected:" + message, - message.contains("Check trust store password")); - } + KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes, + "Check trust store password"); } @Test - public void testCreateTrustStoreFromDataUrl_BadTruststoreBytes() throws Exception + public void testCreateTrustStoreFromDataUrl_BadTruststoreBytes() { String trustStoreAsDataUrl = DataUrlUtils.getDataUrlForBytes("notatruststore".getBytes()); Map attributes = new HashMap<>(); attributes.put(FileTrustStore.NAME, "myFileTrustStore"); - attributes.put(FileTrustStore.PASSWORD, TRUSTSTORE_PASSWORD); + attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD); attributes.put(FileTrustStore.STORE_URL, trustStoreAsDataUrl); - attributes.put(FileTrustStore.TRUST_STORE_TYPE, JAVA_KEYSTORE_TYPE); + attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE); - try - { - _factory.create(TrustStore.class, attributes, _broker); - fail("Exception not thrown"); - } - catch (IllegalConfigurationException ice) - { - String message = ice.getMessage(); - assertTrue("Exception text not as unexpected:" + message, - message.contains("Cannot instantiate trust store")); - } + KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes, + "Cannot instantiate trust store"); } @Test - public void testUpdateTrustStore_Success() throws Exception + public void testUpdateTrustStore_Success() { Map attributes = new HashMap<>(); attributes.put(FileTrustStore.NAME, "myFileTrustStore"); - attributes.put(FileTrustStore.STORE_URL, TRUST_STORE_PATH); - 
attributes.put(FileTrustStore.PASSWORD, TRUSTSTORE_PASSWORD); - attributes.put(FileTrustStore.TRUST_STORE_TYPE, JAVA_KEYSTORE_TYPE); + attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.CLIENT_TRUSTSTORE); + attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD); + attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE); + attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true); + attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL); - FileTrustStore fileTrustStore = (FileTrustStore) _factory.create(TrustStore.class, attributes, _broker); + FileTrustStore fileTrustStore = (FileTrustStore) FACTORY.create(TrustStore.class, attributes, BROKER); assertEquals("Unexpected path value before change", - TRUST_STORE_PATH, + TestSSLConstants.CLIENT_TRUSTSTORE, fileTrustStore.getStoreUrl()); 
@@ -336,114 +290,112 @@ public class FileTrustStoreTest extends UnitTestBase fileTrustStore.setAttributes(unacceptableAttributes); fail("Exception not thrown"); } - catch (IllegalConfigurationException ice) + catch (IllegalConfigurationException e) { - String message = ice.getMessage(); + String message = e.getMessage(); assertTrue("Exception text not as unexpected:" + message, message.contains("Cannot instantiate trust store")); } - assertEquals("Unexpected path value after failed change", - TRUST_STORE_PATH, - fileTrustStore.getStoreUrl()); + assertEquals("Unexpected keystore path value after failed change", + TestSSLConstants.CLIENT_TRUSTSTORE, + fileTrustStore.getStoreUrl()); + + try + { + Map unacceptableAttributes = new HashMap<>(); + unacceptableAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, "/not/a/crl"); + + fileTrustStore.setAttributes(unacceptableAttributes); + fail("Exception not thrown"); + } + catch (IllegalConfigurationException e) + { + String message = e.getMessage(); + assertTrue("Exception text not as unexpected:" + message, + message.contains("Unable to load certificate revocation list '/not/a/crl' for truststore " + + "'myFileTrustStore'")); + } + + assertEquals("Unexpected CRL path value after failed change", + TestSSLConstants.CA_CRL, + fileTrustStore.getCertificateRevocationListUrl()); Map changedAttributes = new HashMap<>(); - changedAttributes.put(FileTrustStore.STORE_URL, BROKER_TRUST_STORE_PATH); - changedAttributes.put(FileTrustStore.PASSWORD, BROKER_TRUST_STORE_PASSWORD); + changedAttributes.put(FileTrustStore.STORE_URL, TestSSLConstants.BROKER_TRUSTSTORE); + changedAttributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD); + changedAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL_EMPTY); fileTrustStore.setAttributes(changedAttributes); - assertEquals("Unexpected path value after change that is expected to be successful", - BROKER_TRUST_STORE_PATH, + 
assertEquals("Unexpected keystore path value after change that is expected to be successful", + TestSSLConstants.BROKER_TRUSTSTORE, fileTrustStore.getStoreUrl()); + assertEquals("Unexpected CRL path value after change that is expected to be successful", + TestSSLConstants.CA_CRL_EMPTY, + fileTrustStore.getCertificateRevocationListUrl()); } @Test public void testEmptyTrustStoreRejected() { - final URL emptyKeystore = getClass().getResource(EMPTY_KEYSTORE_RESOURCE); - assertNotNull("Empty keystore not found", emptyKeystore); - Map attributes = new HashMap<>(); attributes.put(FileKeyStore.NAME, "myFileTrustStore"); - attributes.put(FileKeyStore.PASSWORD, KEYSTORE_PASSWORD); - attributes.put(FileKeyStore.STORE_URL, emptyKeystore); + attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD); + attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.TEST_EMPTY_KEYSTORE); attributes.put(FileTrustStore.TRUST_STORE_TYPE, "jks"); - try - { - _factory.create(TrustStore.class, attributes, _broker); - fail("Exception not thrown"); - } - catch (IllegalConfigurationException ice) - { - // pass - } + KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes, + "must contain at least one certificate"); } @Test public void testTrustStoreWithNoCertificateRejected() { - final URL keystoreUrl = getClass().getResource(KEYSTORE_PK_ONLY_RESOURCE); - assertNotNull("Keystore not found", keystoreUrl); - Map attributes = new HashMap<>(); attributes.put(FileTrustStore.NAME, getTestName()); - attributes.put(FileTrustStore.PASSWORD, TRUSTSTORE_PASSWORD); - attributes.put(FileTrustStore.STORE_URL, keystoreUrl); - attributes.put(FileTrustStore.TRUST_STORE_TYPE, JAVA_KEYSTORE_TYPE); + attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD); + attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.TEST_PK_ONLY_KEYSTORE); + attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE); - try - { - 
_factory.create(TrustStore.class, attributes, _broker); - fail("Exception not thrown"); - } - catch (IllegalConfigurationException ice) - { - String message = ice.getMessage(); - assertTrue("Exception text not as unexpected:" + message, - message.contains("must contain at least one certificate")); - } + KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes, + "must contain at least one certificate"); } @Test public void testSymmetricKeyEntryIgnored() throws Exception { - final URL keystoreUrl = getClass().getResource(SYMMETRIC_KEY_KEYSTORE_RESOURCE); - assertNotNull("Symmetric key keystore not found", keystoreUrl); - Map attributes = new HashMap<>(); attributes.put(FileTrustStore.NAME, getTestName()); - attributes.put(FileTrustStore.PASSWORD, TRUSTSTORE_PASSWORD); - attributes.put(FileTrustStore.STORE_URL, keystoreUrl); - attributes.put(FileTrustStore.TRUST_STORE_TYPE, JAVA_KEYSTORE_TYPE); + attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD); + attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.TEST_SYMMETRIC_KEY_KEYSTORE); + attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE); - TrustStore trustStore = _factory.create(TrustStore.class, attributes, _broker); + TrustStore trustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER); Certificate[] certificates = trustStore.getCertificates(); assertEquals("Unexpected number of certificates", - (long) getNumberOfCertificates(keystoreUrl, JAVA_KEYSTORE_TYPE), - (long) certificates.length); + getNumberOfCertificates(TestSSLConstants.TEST_SYMMETRIC_KEY_KEYSTORE, + TestSSLConstants.JAVA_KEYSTORE_TYPE), + certificates.length); } @Test public void testPrivateKeyEntryIgnored() throws Exception { - final URL keystoreUrl = getClass().getResource(KEYSTORE_RESOURCE); - assertNotNull("Keystore not found", keystoreUrl); - Map attributes = new HashMap<>(); attributes.put(FileTrustStore.NAME, getTestName()); 
- attributes.put(FileTrustStore.PASSWORD, BROKER_KEYSTORE_PASSWORD); - attributes.put(FileTrustStore.STORE_URL, keystoreUrl); - attributes.put(FileTrustStore.TRUST_STORE_TYPE, JAVA_KEYSTORE_TYPE); + attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD); + attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.TEST_KEYSTORE); + attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE); - TrustStore trustStore = _factory.create(TrustStore.class, attributes, _broker); + TrustStore trustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER); Certificate[] certificates = trustStore.getCertificates(); assertEquals("Unexpected number of certificates", - (long) getNumberOfCertificates(keystoreUrl, JAVA_KEYSTORE_TYPE), - (long) certificates.length); + getNumberOfCertificates(TestSSLConstants.TEST_KEYSTORE, + TestSSLConstants.JAVA_KEYSTORE_TYPE), + certificates.length); } @Test @@ -451,8 +403,8 @@ public class FileTrustStoreTest extends UnitTestBase { assumeThat(SSLUtil.canGenerateCerts(), is(equalTo(true))); - final SSLUtil.KeyCertPair selfSigned1 = KeystoreTestHelper.generateSelfSigned("CN=foo"); - final SSLUtil.KeyCertPair selfSigned2 = KeystoreTestHelper.generateSelfSigned("CN=bar"); + final SSLUtil.KeyCertPair selfSigned1 = KeyStoreTestHelper.generateSelfSigned("CN=foo"); + final SSLUtil.KeyCertPair selfSigned2 = KeyStoreTestHelper.generateSelfSigned("CN=bar"); final File keyStoreFile = TestFileUtils.createTempFile(this, ".ks"); final String dummy = "changit"; @@ -461,7 +413,7 @@ public class FileTrustStoreTest extends UnitTestBase try { final java.security.KeyStore keyStore = - KeystoreTestHelper.saveKeyStore(alias, selfSigned1.getCertificate(), pass, keyStoreFile); + KeyStoreTestHelper.saveKeyStore(alias, selfSigned1.getCertificate(), pass, keyStoreFile); final Map attributes = new HashMap<>(); attributes.put(FileTrustStore.NAME, getTestName()); 
@@ -469,12 +421,12 @@ public class FileTrustStoreTest extends UnitTestBase attributes.put(FileTrustStore.STORE_URL, keyStoreFile.getAbsolutePath()); attributes.put(FileTrustStore.TRUST_STORE_TYPE, keyStore.getType()); - final FileTrustStore trustStore = (FileTrustStore) _factory.create(TrustStore.class, attributes, _broker); + final FileTrustStore trustStore = (FileTrustStore) FACTORY.create(TrustStore.class, attributes, BROKER); final X509Certificate certificate = getCertificate(trustStore); assertEquals("CN=foo", certificate.getIssuerX500Principal().getName()); - KeystoreTestHelper.saveKeyStore(alias, selfSigned2.getCertificate(), pass, keyStoreFile); + KeyStoreTestHelper.saveKeyStore(alias, selfSigned2.getCertificate(), pass, keyStoreFile); trustStore.reload(); @@ -499,12 +451,12 @@ public class FileTrustStoreTest extends UnitTestBase return (X509Certificate)certificate; } - private int getNumberOfCertificates(URL url, String type) throws Exception + private int getNumberOfCertificates(String keystore, String type) throws Exception { KeyStore ks = KeyStore.getInstance(type); - try(InputStream is = url.openStream()) + try(InputStream is = new FileInputStream(keystore)) { - ks.load(is, BROKER_KEYSTORE_PASSWORD.toCharArray()); + ks.load(is, TestSSLConstants.PASSWORD.toCharArray()); } int result = 0; diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/KeystoreTestHelper.java b/broker-core/src/test/java/org/apache/qpid/server/security/KeyStoreTestHelper.java similarity index 82% rename from broker-core/src/test/java/org/apache/qpid/server/security/KeystoreTestHelper.java rename to broker-core/src/test/java/org/apache/qpid/server/security/KeyStoreTestHelper.java index 6278f33..d2324dd 100644 --- a/broker-core/src/test/java/org/apache/qpid/server/security/KeystoreTestHelper.java +++ b/broker-core/src/test/java/org/apache/qpid/server/security/KeyStoreTestHelper.java 
@@ -32,10 +32,17 @@ import java.time.Duration; import java.time.Instant; import java.time.temporal.ChronoUnit; import java.util.Collections; +import java.util.Map; +import org.apache.qpid.server.configuration.IllegalConfigurationException; +import org.apache.qpid.server.model.Broker; +import org.apache.qpid.server.model.ConfiguredObjectFactory; import org.apache.qpid.server.transport.network.security.ssl.SSLUtil; -public class KeystoreTestHelper +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.fail; + +public class KeyStoreTestHelper { public static KeyStore saveKeyStore(final String alias, final X509Certificate certificate, @@ -78,6 +85,24 @@ public class KeystoreTestHelper Collections.emptySet()); } + public static void checkExceptionThrownDuringKeyStoreCreation(ConfiguredObjectFactory factory, Broker broker, + Class keystoreClass, Map attributes, + String expectedExceptionMessage) + { + try + { + factory.create(keystoreClass, attributes, broker); + fail("Exception not thrown"); + } + catch (IllegalConfigurationException e) + { + final String message = e.getMessage(); + assertTrue("Exception text not as expected:" + message, + message.contains(expectedExceptionMessage)); + + } + } + private static File saveKeyStore(final KeyStore ks, final char[] pass, final File storeFile) throws IOException, KeyStoreException, NoSuchAlgorithmException, CertificateException diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaKeyStoreTest.java b/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaKeyStoreTest.java index d4d6390..6df02d7 100644 --- a/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaKeyStoreTest.java +++ b/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaKeyStoreTest.java 
@@ -21,8 +21,6 @@ package org.apache.qpid.server.security; import static java.nio.charset.StandardCharsets.UTF_8; -import static org.apache.qpid.test.utils.TestSSLConstants.JAVA_KEYSTORE_TYPE; -import static org.apache.qpid.test.utils.TestSSLConstants.KEYSTORE_PASSWORD; import static org.hamcrest.CoreMatchers.is; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNotNull; @@ -38,6 +36,7 @@ import static org.mockito.Mockito.when; import static org.mockito.internal.verification.VerificationModeFactory.times; import java.io.File; +import java.io.FileInputStream; import java.io.FileOutputStream; import java.io.InputStream; import java.security.Key; @@ -57,6 +56,12 @@ import java.util.concurrent.TimeUnit; import javax.net.ssl.KeyManager; +import org.apache.qpid.server.model.Broker; +import org.apache.qpid.server.model.BrokerModel; +import org.apache.qpid.server.model.BrokerTestHelper; +import org.apache.qpid.server.model.ConfiguredObjectFactory; +import org.apache.qpid.test.utils.TestSSLConstants; +import org.apache.qpid.test.utils.UnitTestBase; import org.junit.After; import org.junit.Before; import org.junit.Test; 
@@ -67,21 +72,16 @@ import org.apache.qpid.server.logging.EventLogger; import org.apache.qpid.server.logging.LogMessage; import org.apache.qpid.server.logging.MessageLogger; import org.apache.qpid.server.logging.messages.KeyStoreMessages; -import org.apache.qpid.server.model.Broker; -import org.apache.qpid.server.model.BrokerTestHelper; -import org.apache.qpid.server.model.ConfiguredObjectFactory; import org.apache.qpid.server.model.KeyStore; import org.apache.qpid.server.transport.network.security.ssl.SSLUtil; import org.apache.qpid.server.util.DataUrlUtils; import org.apache.qpid.test.utils.TestFileUtils; import org.apache.qpid.test.utils.TestSSLUtils; -import org.apache.qpid.test.utils.UnitTestBase; public class NonJavaKeyStoreTest extends UnitTestBase { - private static final String KEYSTORE = "/ssl/java_broker_keystore.pkcs12"; - private Broker _broker; - private ConfiguredObjectFactory _factory; + private static final Broker BROKER = BrokerTestHelper.createBrokerMock(); + private static final ConfiguredObjectFactory FACTORY = BrokerModel.getInstance().getObjectFactory(); private List _testResources; private MessageLogger _messageLogger; @@ -89,9 +89,7 @@ public class NonJavaKeyStoreTest extends UnitTestBase public void setUp() throws Exception { _messageLogger = mock(MessageLogger.class); - _broker = BrokerTestHelper.createBrokerMock(); - when(_broker.getEventLogger()).thenReturn(new EventLogger(_messageLogger)); - _factory = _broker.getObjectFactory(); + when(BROKER.getEventLogger()).thenReturn(new EventLogger(_messageLogger)); _testResources = new ArrayList<>(); } 
@@ -113,17 +111,17 @@ public class NonJavaKeyStoreTest extends UnitTestBase private File[] extractResourcesFromTestKeyStore(boolean pem, final String storeResource) throws Exception { - java.security.KeyStore ks = java.security.KeyStore.getInstance(JAVA_KEYSTORE_TYPE); - try(InputStream is = getClass().getResourceAsStream(storeResource)) + java.security.KeyStore ks = java.security.KeyStore.getInstance(TestSSLConstants.JAVA_KEYSTORE_TYPE); + try(InputStream is = new FileInputStream(storeResource)) { - ks.load(is, KEYSTORE_PASSWORD.toCharArray() ); + ks.load(is, TestSSLConstants.PASSWORD.toCharArray()); } File privateKeyFile = TestFileUtils.createTempFile(this, ".private-key.der"); try(FileOutputStream kos = new FileOutputStream(privateKeyFile)) { - Key pvt = ks.getKey("java-broker", KEYSTORE_PASSWORD.toCharArray()); + Key pvt = ks.getKey(TestSSLConstants.BROKER_KEYSTORE_ALIAS, TestSSLConstants.PASSWORD.toCharArray()); if (pem) { kos.write(TestSSLUtils.privateKeyToPEM(pvt).getBytes(UTF_8)); @@ -139,7 +137,7 @@ public class NonJavaKeyStoreTest extends UnitTestBase try(FileOutputStream cos = new FileOutputStream(certificateFile)) { - Certificate pub = ks.getCertificate("java-broker"); + Certificate pub = ks.getCertificate(TestSSLConstants.BROKER_KEYSTORE_ALIAS); if (pem) { cos.write(TestSSLUtils.certificateToPEM(pub).getBytes(UTF_8)); @@ -168,7 +166,7 @@ public class NonJavaKeyStoreTest extends UnitTestBase private void runTestCreationOfTrustStoreFromValidPrivateKeyAndCertificateInDerFormat(boolean isPEM)throws Exception { - File[] resources = extractResourcesFromTestKeyStore(isPEM, KEYSTORE); + File[] resources = extractResourcesFromTestKeyStore(isPEM, TestSSLConstants.BROKER_KEYSTORE); _testResources.addAll(Arrays.asList(resources)); Map attributes = new HashMap<>(); 
@@ -178,18 +176,18 @@ public class NonJavaKeyStoreTest extends UnitTestBase attributes.put(NonJavaKeyStore.TYPE, "NonJavaKeyStore"); NonJavaKeyStoreImpl fileTrustStore = - (NonJavaKeyStoreImpl) _factory.create(KeyStore.class, attributes, _broker); + (NonJavaKeyStoreImpl) FACTORY.create(KeyStore.class, attributes, BROKER); KeyManager[] keyManagers = fileTrustStore.getKeyManagers(); assertNotNull(keyManagers); - assertEquals("Unexpected number of key managers", (long) 1, (long) keyManagers.length); + assertEquals("Unexpected number of key managers", 1, keyManagers.length); assertNotNull("Key manager is null", keyManagers[0]); } @Test public void testCreationOfTrustStoreFromValidPrivateKeyAndInvalidCertificate()throws Exception { - File[] resources = extractResourcesFromTestKeyStore(true, KEYSTORE); + File[] resources = extractResourcesFromTestKeyStore(true, TestSSLConstants.BROKER_KEYSTORE); _testResources.addAll(Arrays.asList(resources)); File invalidCertificate = TestFileUtils.createTempFile(this, ".invalid.cert", "content"); 
@@ -201,21 +199,15 @@ public class NonJavaKeyStoreTest extends UnitTestBase attributes.put("certificateUrl", invalidCertificate.toURI().toURL().toExternalForm()); attributes.put(NonJavaKeyStore.TYPE, "NonJavaKeyStore"); - try - { - _factory.create(KeyStore.class, attributes, _broker); - fail("Created key store from invalid certificate"); - } - catch(IllegalConfigurationException e) - { - // pass - } + KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes, + "Cannot load private key or certificate(s): java.security.cert.CertificateException: " + + "Could not parse certificate: java.io.IOException: Empty input"); } @Test public void testCreationOfTrustStoreFromInvalidPrivateKeyAndValidCertificate()throws Exception { - File[] resources = extractResourcesFromTestKeyStore(true, KEYSTORE); + File[] resources = extractResourcesFromTestKeyStore(true, TestSSLConstants.BROKER_KEYSTORE); _testResources.addAll(Arrays.asList(resources)); File invalidPrivateKey = TestFileUtils.createTempFile(this, ".invalid.pk", "content"); @@ -227,15 +219,9 @@ public class NonJavaKeyStoreTest extends UnitTestBase attributes.put("certificateUrl", resources[1].toURI().toURL().toExternalForm()); attributes.put(NonJavaKeyStore.TYPE, "NonJavaKeyStore"); - try - { - _factory.create(KeyStore.class, attributes, _broker); - fail("Created key store from invalid certificate"); - } - catch(IllegalConfigurationException e) - { - // pass - } + KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes, + "Cannot load private key or certificate(s): java.security.spec.InvalidKeySpecException: " + + "Unable to parse key as PKCS#1 format"); } @Test 
@@ -258,15 +244,15 @@ public class NonJavaKeyStoreTest extends UnitTestBase private void doCertExpiryChecking(final int expiryOffset) throws Exception { - when(_broker.scheduleHouseKeepingTask(anyLong(), any(TimeUnit.class), any(Runnable.class))).thenReturn(mock(ScheduledFuture.class)); + when(BROKER.scheduleHouseKeepingTask(anyLong(), any(TimeUnit.class), any(Runnable.class))).thenReturn(mock(ScheduledFuture.class)); - java.security.KeyStore ks = java.security.KeyStore.getInstance(JAVA_KEYSTORE_TYPE); - final String storeLocation = KEYSTORE; - try(InputStream is = getClass().getResourceAsStream(storeLocation)) + java.security.KeyStore ks = java.security.KeyStore.getInstance(TestSSLConstants.JAVA_KEYSTORE_TYPE); + final String storeLocation = TestSSLConstants.BROKER_KEYSTORE; + try(InputStream is = new FileInputStream(storeLocation)) { - ks.load(is, KEYSTORE_PASSWORD.toCharArray() ); + ks.load(is, TestSSLConstants.PASSWORD.toCharArray()); } - X509Certificate cert = (X509Certificate) ks.getCertificate("rootca"); + X509Certificate cert = (X509Certificate) ks.getCertificate(TestSSLConstants.CERT_ALIAS_ROOT_CA); int expiryDays = (int)((cert.getNotAfter().getTime() - System.currentTimeMillis()) / (24l * 60l * 60l * 1000l)); File[] resources = extractResourcesFromTestKeyStore(false, storeLocation); @@ -278,7 +264,7 @@ public class NonJavaKeyStoreTest extends UnitTestBase attributes.put("certificateUrl", resources[1].toURI().toURL().toExternalForm()); attributes.put("context", Collections.singletonMap(KeyStore.CERTIFICATE_EXPIRY_WARN_PERIOD, expiryDays + expiryOffset)); attributes.put(NonJavaKeyStore.TYPE, "NonJavaKeyStore"); - _factory.create(KeyStore.class, attributes, _broker); + FACTORY.create(KeyStore.class, attributes, BROKER); } @Test 
@@ -297,15 +283,8 @@ public class NonJavaKeyStoreTest extends UnitTestBase DataUrlUtils.getDataUrlForBytes(TestSSLUtils.certificateToPEM(keyCertPair2.getCertificate()).getBytes(UTF_8))); attributes.put(NonJavaKeyStore.TYPE, "NonJavaKeyStore"); - try - { - _factory.create(KeyStore.class, attributes, _broker); - fail("Created key store from invalid certificate"); - } - catch(IllegalConfigurationException e) - { - // pass - } + KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes, + "Private key does not match certificate"); } @Test @@ -324,7 +303,7 @@ public class NonJavaKeyStoreTest extends UnitTestBase DataUrlUtils.getDataUrlForBytes(TestSSLUtils.certificateToPEM(keyCertPair.getCertificate()).getBytes(UTF_8))); attributes.put(NonJavaKeyStore.TYPE, "NonJavaKeyStore"); - final KeyStore trustStore = _factory.create(KeyStore.class, attributes, _broker); + final KeyStore trustStore = (KeyStore) FACTORY.create(KeyStore.class, attributes, BROKER); try { final String certUrl = DataUrlUtils.getDataUrlForBytes(TestSSLUtils.certificateToPEM(keyCertPair2.getCertificate()).getBytes(UTF_8)); diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaTrustStoreTest.java b/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaTrustStoreTest.java index 69262dc..6ac9699 100644 --- a/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaTrustStoreTest.java +++ b/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaTrustStoreTest.java 
@@ -19,13 +19,10 @@ package org.apache.qpid.server.security; -import static org.apache.qpid.test.utils.TestSSLConstants.JAVA_KEYSTORE_TYPE; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNotNull; import static org.junit.Assert.assertTrue; import static org.junit.Assert.fail; -import static org.mockito.Mockito.mock; -import static org.mockito.Mockito.when; import java.security.KeyStore; import java.security.cert.CertificateException; 
@@ -37,79 +34,101 @@ import java.util.Map; import javax.net.ssl.TrustManager; import javax.net.ssl.X509TrustManager; -import org.junit.Before; -import org.junit.Test; - import org.apache.qpid.server.configuration.IllegalConfigurationException; -import org.apache.qpid.server.configuration.updater.CurrentThreadTaskExecutor; -import org.apache.qpid.server.configuration.updater.TaskExecutor; -import org.apache.qpid.server.logging.EventLogger; import org.apache.qpid.server.model.Broker; import org.apache.qpid.server.model.BrokerModel; +import org.apache.qpid.server.model.BrokerTestHelper; import org.apache.qpid.server.model.ConfiguredObjectFactory; -import org.apache.qpid.server.model.Model; +import org.apache.qpid.test.utils.UnitTestBase; +import org.junit.Test; + import org.apache.qpid.server.model.TrustStore; import org.apache.qpid.server.transport.network.security.ssl.SSLUtil; import org.apache.qpid.test.utils.TestSSLConstants; -import org.apache.qpid.test.utils.UnitTestBase; public class NonJavaTrustStoreTest extends UnitTestBase { - private static final String EXPIRED_KEYSTORE = "ssl/java_client_expired_keystore.pkcs12"; - private static final String KEYSTORE_PASSWORD = TestSSLConstants.KEYSTORE_PASSWORD; - private final Broker _broker = mock(Broker.class); - private final TaskExecutor _taskExecutor = CurrentThreadTaskExecutor.newStartedInstance(); - private final Model _model = BrokerModel.getInstance(); - private final ConfiguredObjectFactory _factory = _model.getObjectFactory(); - - @Before - public void setUp() throws Exception - { - - when(_broker.getTaskExecutor()).thenReturn(_taskExecutor); - when(_broker.getChildExecutor()).thenReturn(_taskExecutor); - when(_broker.getModel()).thenReturn(_model); - when(_broker.getEventLogger()).thenReturn(new EventLogger()); - when(((Broker) _broker).getCategoryClass()).thenReturn(Broker.class); - } + private static final Broker BROKER = BrokerTestHelper.createBrokerMock(); + private static final ConfiguredObjectFactory 
FACTORY = BrokerModel.getInstance().getObjectFactory(); @Test public void testCreationOfTrustStoreFromValidCertificate() throws Exception { Map attributes = new HashMap<>(); attributes.put(NonJavaTrustStore.NAME, "myTestTrustStore"); - attributes.put(NonJavaTrustStore.CERTIFICATES_URL, getClass().getResource("/ssl/java_broker.crt").toExternalForm()); + attributes.put(NonJavaTrustStore.CERTIFICATES_URL, TestSSLConstants.BROKER_CRT); attributes.put(NonJavaTrustStore.TYPE, "NonJavaTrustStore"); + attributes.put(NonJavaTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true); + attributes.put(NonJavaTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL); - TrustStore trustStore = _factory.create(TrustStore.class, attributes, _broker); + TrustStore trustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER); TrustManager[] trustManagers = trustStore.getTrustManagers(); assertNotNull(trustManagers); - assertEquals("Unexpected number of trust managers", (long) 1, (long) trustManagers.length); + assertEquals("Unexpected number of trust managers", 1, trustManagers.length); assertNotNull("Trust manager unexpected null", trustManagers[0]); } @Test + public void testChangeOfCrlInTrustStoreFromValidCertificate() + { + Map attributes = new HashMap<>(); + attributes.put(NonJavaTrustStore.NAME, "myTestTrustStore"); + attributes.put(NonJavaTrustStore.CERTIFICATES_URL, TestSSLConstants.BROKER_CRT); + attributes.put(NonJavaTrustStore.TYPE, "NonJavaTrustStore"); + attributes.put(NonJavaTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true); + attributes.put(NonJavaTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL); + + TrustStore trustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER); + + try + { + Map unacceptableAttributes = new HashMap<>(); + unacceptableAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, "/not/a/crl"); + + trustStore.setAttributes(unacceptableAttributes); + fail("Exception not 
thrown"); + } + catch (IllegalConfigurationException e) + { + String message = e.getMessage(); + assertTrue("Exception text not as unexpected:" + message, + message.contains("Unable to load certificate revocation list '/not/a/crl' for truststore 'myTestTrustStore'")); + } + + assertEquals("Unexpected CRL path value after failed change", + TestSSLConstants.CA_CRL, trustStore.getCertificateRevocationListUrl()); + + Map changedAttributes = new HashMap<>(); + changedAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL_EMPTY); + + trustStore.setAttributes(changedAttributes); + + assertEquals("Unexpected CRL path value after change that is expected to be successful", + TestSSLConstants.CA_CRL_EMPTY, trustStore.getCertificateRevocationListUrl()); + } + + @Test public void testUseOfExpiredTrustAnchorDenied() throws Exception { Map attributes = new HashMap<>(); attributes.put(NonJavaTrustStore.NAME, "myTestTrustStore"); attributes.put(NonJavaTrustStore.TRUST_ANCHOR_VALIDITY_ENFORCED, true); - attributes.put(NonJavaTrustStore.CERTIFICATES_URL, getClass().getResource("/ssl/expired.crt").toExternalForm()); + attributes.put(NonJavaTrustStore.CERTIFICATES_URL, TestSSLConstants.CLIENT_EXPIRED_CRT); attributes.put(NonJavaTrustStore.TYPE, "NonJavaTrustStore"); - TrustStore trustStore = _factory.create(TrustStore.class, attributes, _broker); + TrustStore trustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER); TrustManager[] trustManagers = trustStore.getTrustManagers(); assertNotNull(trustManagers); - assertEquals("Unexpected number of trust managers", (long) 1, (long) trustManagers.length); + assertEquals("Unexpected number of trust managers", 1, trustManagers.length); final boolean condition = trustManagers[0] instanceof X509TrustManager; assertTrue("Unexpected trust manager type", condition); X509TrustManager trustManager = (X509TrustManager) trustManagers[0]; - KeyStore clientStore = 
SSLUtil.getInitializedKeyStore(EXPIRED_KEYSTORE, - KEYSTORE_PASSWORD, - JAVA_KEYSTORE_TYPE); + KeyStore clientStore = SSLUtil.getInitializedKeyStore(TestSSLConstants.CLIENT_EXPIRED_KEYSTORE, + TestSSLConstants.PASSWORD, + TestSSLConstants.JAVA_KEYSTORE_TYPE); String alias = clientStore.aliases().nextElement(); X509Certificate certificate = (X509Certificate) clientStore.getCertificate(alias); 
@@ -134,22 +153,28 @@ public class NonJavaTrustStoreTest extends UnitTestBase } @Test - public void testCreationOfTrustStoreFromNonCertificate() throws Exception + public void testCreationOfTrustStoreFromNonCertificate() { Map attributes = new HashMap<>(); attributes.put(NonJavaTrustStore.NAME, "myTestTrustStore"); - attributes.put(NonJavaTrustStore.CERTIFICATES_URL, getClass().getResource("/ssl/java_broker.req").toExternalForm()); + attributes.put(NonJavaTrustStore.CERTIFICATES_URL, TestSSLConstants.BROKER_CSR); attributes.put(NonJavaTrustStore.TYPE, "NonJavaTrustStore"); - try - { - _factory.create(TrustStore.class, attributes, _broker); - fail("Trust store is created from certificate request file"); - } - catch (IllegalConfigurationException e) - { - // pass - } + KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes, + "Cannot load certificate(s)"); } + @Test + public void testCreationOfTrustStoreFromValidCertificate_MissingCrlFile() + { + Map attributes = new HashMap<>(); + attributes.put(NonJavaTrustStore.NAME, "myTestTrustStore"); + attributes.put(NonJavaTrustStore.CERTIFICATES_URL, TestSSLConstants.BROKER_CRT); + attributes.put(NonJavaTrustStore.TYPE, "NonJavaTrustStore"); + attributes.put(NonJavaTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true); + attributes.put(NonJavaTrustStore.CERTIFICATE_REVOCATION_LIST_URL, "/not/a/crl"); + + KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes, + "Unable to load certificate revocation list '/not/a/crl' for truststore 'myTestTrustStore'"); + } } diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/SiteSpecificTrustStoreTest.java b/broker-core/src/test/java/org/apache/qpid/server/security/SiteSpecificTrustStoreTest.java index bca9b79..d7a0454 100644 --- a/broker-core/src/test/java/org/apache/qpid/server/security/SiteSpecificTrustStoreTest.java 
+++ b/broker-core/src/test/java/org/apache/qpid/server/security/SiteSpecificTrustStoreTest.java @@ -21,13 +21,12 @@ package org.apache.qpid.server.security; -import static org.apache.qpid.test.utils.TestSSLConstants.JAVA_KEYSTORE_TYPE; import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertTrue; import static org.junit.Assert.fail; -import static org.mockito.Mockito.mock; -import static org.mockito.Mockito.when; import java.io.Closeable; +import java.io.FileInputStream; import java.io.IOException; import java.io.InputStream; import java.net.ServerSocket; 
@@ -46,47 +45,34 @@ import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLServerSocketFactory; -import org.junit.After; -import org.junit.Before; -import org.junit.Test; - import org.apache.qpid.server.configuration.IllegalConfigurationException; -import org.apache.qpid.server.configuration.updater.CurrentThreadTaskExecutor; -import org.apache.qpid.server.configuration.updater.TaskExecutor; -import org.apache.qpid.server.logging.EventLogger; import org.apache.qpid.server.model.Broker; import org.apache.qpid.server.model.BrokerModel; +import org.apache.qpid.server.model.BrokerTestHelper; import org.apache.qpid.server.model.ConfiguredObjectFactory; -import org.apache.qpid.server.model.Model; import org.apache.qpid.server.model.TrustStore; -import org.apache.qpid.test.utils.TestSSLConstants; import org.apache.qpid.test.utils.UnitTestBase; +import org.junit.After; +import org.junit.Before; +import org.junit.Test; + +import org.apache.qpid.test.utils.TestSSLConstants; public class SiteSpecificTrustStoreTest extends UnitTestBase { - private static final String EXPECTED_SUBJECT = "CN=localhost,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown"; + private static final Broker BROKER = BrokerTestHelper.createBrokerMock(); + private static final ConfiguredObjectFactory FACTORY = BrokerModel.getInstance().getObjectFactory(); + private static final String EXPECTED_SUBJECT = "CN=localhost,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=CA"; private static final String EXPECTED_ISSUER = "CN=MyRootCA,O=ACME,ST=Ontario,C=CA"; - private static final String KEYSTORE = "/ssl/java_broker_keystore.pkcs12"; - private static final String KEYSTORE_PASSWORD = TestSSLConstants.KEYSTORE_PASSWORD; - private final Broker _broker = mock(Broker.class); - private final TaskExecutor _taskExecutor = CurrentThreadTaskExecutor.newStartedInstance(); - private final Model _model = BrokerModel.getInstance(); - private final ConfiguredObjectFactory _factory = 
_model.getObjectFactory(); private TestPeer _testPeer; @Before - public void setUp() throws Exception + public void setUpSiteSpecificTrustStore() { int connectTimeout = Integer.getInteger("SiteSpecificTrustStoreTest.connectTimeout", 1000); int readTimeout = Integer.getInteger("SiteSpecificTrustStoreTest.readTimeout", 1000); setTestSystemProperty(SiteSpecificTrustStore.TRUST_STORE_SITE_SPECIFIC_CONNECT_TIMEOUT, String.valueOf(connectTimeout)); setTestSystemProperty(SiteSpecificTrustStore.TRUST_STORE_SITE_SPECIFIC_READ_TIMEOUT, String.valueOf(readTimeout)); - - when(_broker.getTaskExecutor()).thenReturn(_taskExecutor); - when(_broker.getChildExecutor()).thenReturn(_taskExecutor); - when(_broker.getModel()).thenReturn(_model); - when(_broker.getEventLogger()).thenReturn(new EventLogger()); - when(((Broker) _broker).getCategoryClass()).thenReturn(Broker.class); } @After 
@@ -105,41 +91,27 @@ public class SiteSpecificTrustStoreTest extends UnitTestBase } @Test - public void testMalformedSiteUrl() throws Exception + public void testMalformedSiteUrl() { Map attributes = new HashMap<>(); attributes.put(SiteSpecificTrustStore.NAME, "mySiteSpecificTrustStore"); attributes.put(SiteSpecificTrustStore.TYPE, "SiteSpecificTrustStore"); attributes.put("siteUrl", "notaurl:541"); - try - { - _factory.create(TrustStore.class, attributes, _broker); - fail("Exception not thrown"); - } - catch (IllegalConfigurationException e) - { - // PASS - } + KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes, + "'notaurl:541' is not a valid URL"); } @Test - public void testSiteUrlDoesNotSupplyHostPort() throws Exception + public void testSiteUrlDoesNotSupplyHostPort() { Map attributes = new HashMap<>(); attributes.put(SiteSpecificTrustStore.NAME, "mySiteSpecificTrustStore"); attributes.put(SiteSpecificTrustStore.TYPE, "SiteSpecificTrustStore"); attributes.put("siteUrl", "file:/not/a/host"); - try - { - _factory.create(TrustStore.class, attributes, _broker); - fail("Exception not thrown"); - } - catch (IllegalConfigurationException e) - { - // PASS - } + KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes, + "URL 'file:/not/a/host' does not provide a hostname and port number"); } @Test 
@@ -148,18 +120,10 @@ public class SiteSpecificTrustStoreTest extends UnitTestBase _testPeer = new TestPeer(); _testPeer.setAccept(false); int listeningPort = _testPeer.start(); - Map attributes = getTrustStoreAttributes(listeningPort); - try - { - _factory.create(TrustStore.class, attributes, _broker); - fail("Exception not thrown"); - } - catch (IllegalConfigurationException e) - { - // PASS - } + KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes, + "Unable to get certificate for 'mySiteSpecificTrustStore' from"); } @Test @@ -169,12 +133,14 @@ public class SiteSpecificTrustStoreTest extends UnitTestBase int listeningPort = _testPeer.start(); Map attributes = getTrustStoreAttributes(listeningPort); + attributes.put(SiteSpecificTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true); + attributes.put(SiteSpecificTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL); final SiteSpecificTrustStore trustStore = - (SiteSpecificTrustStore) _factory.create(TrustStore.class, attributes, _broker); + (SiteSpecificTrustStore) FACTORY.create(TrustStore.class, attributes, BROKER); List certDetails = trustStore.getCertificateDetails(); - assertEquals("Unexpected number of certificates", (long) 1, (long) certDetails.size()); + assertEquals("Unexpected number of certificates", 1, certDetails.size()); CertificateDetails certificateDetails = certDetails.get(0); assertEquals("Unexpected certificate subject", EXPECTED_SUBJECT, certificateDetails.getSubjectName()); 
@@ -182,6 +148,59 @@ public class SiteSpecificTrustStoreTest extends UnitTestBase } @Test + public void testChangeOfCrlInValidSiteUrl() throws Exception + { + _testPeer = new TestPeer(); + int listeningPort = _testPeer.start(); + + Map attributes = getTrustStoreAttributes(listeningPort); + attributes.put(SiteSpecificTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true); + attributes.put(SiteSpecificTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL); + + final SiteSpecificTrustStore trustStore = + (SiteSpecificTrustStore) FACTORY.create(TrustStore.class, attributes, BROKER); + + try + { + Map unacceptableAttributes = new HashMap<>(); + unacceptableAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, "/not/a/crl"); + + trustStore.setAttributes(unacceptableAttributes); + fail("Exception not thrown"); + } + catch (IllegalConfigurationException e) + { + String message = e.getMessage(); + assertTrue("Exception text not as unexpected:" + message, + message.contains("Unable to load certificate revocation list '/not/a/crl' for truststore 'mySiteSpecificTrustStore'")); + } + + assertEquals("Unexpected CRL path value after failed change", + TestSSLConstants.CA_CRL, trustStore.getCertificateRevocationListUrl()); + + Map changedAttributes = new HashMap<>(); + changedAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL_EMPTY); + + trustStore.setAttributes(changedAttributes); + + assertEquals("Unexpected CRL path value after change that is expected to be successful", + TestSSLConstants.CA_CRL_EMPTY, trustStore.getCertificateRevocationListUrl()); + } + + @Test + public void testValidSiteUrl_MissingCrlFile() throws Exception + { + _testPeer = new TestPeer(); + int listeningPort = _testPeer.start(); + Map attributes = getTrustStoreAttributes(listeningPort); + attributes.put(SiteSpecificTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true); + attributes.put(SiteSpecificTrustStore.CERTIFICATE_REVOCATION_LIST_URL, 
"/not/a/crl"); + + KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes, + "Unable to load certificate revocation list '/not/a/crl' for truststore 'mySiteSpecificTrustStore'"); + } + + @Test public void testRefreshCertificate() throws Exception { _testPeer = new TestPeer(); @@ -190,10 +209,10 @@ public class SiteSpecificTrustStoreTest extends UnitTestBase Map attributes = getTrustStoreAttributes(listeningPort); final SiteSpecificTrustStore trustStore = - (SiteSpecificTrustStore) _factory.create(TrustStore.class, attributes, _broker); + (SiteSpecificTrustStore) FACTORY.create(TrustStore.class, attributes, BROKER); List certDetails = trustStore.getCertificateDetails(); - assertEquals("Unexpected number of certificates", (long) 1, (long) certDetails.size()); + assertEquals("Unexpected number of certificates", 1, certDetails.size()); CertificateDetails certificateDetails = certDetails.get(0); @@ -260,10 +279,10 @@ public class SiteSpecificTrustStoreTest extends UnitTestBase private ServerSocket createTestSSLServerSocket() throws Exception { - char[] keyPassword = KEYSTORE_PASSWORD.toCharArray(); - try(InputStream inputStream = getClass().getResourceAsStream(KEYSTORE)) + char[] keyPassword = TestSSLConstants.PASSWORD.toCharArray(); + try(InputStream inputStream = new FileInputStream(TestSSLConstants.BROKER_KEYSTORE)) { - KeyStore keyStore = KeyStore.getInstance(JAVA_KEYSTORE_TYPE); + KeyStore keyStore = KeyStore.getInstance(TestSSLConstants.JAVA_KEYSTORE_TYPE); KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); keyStore.load(inputStream, keyPassword); keyManagerFactory.init(keyStore, keyPassword); diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2MockEndpointHolder.java b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2MockEndpointHolder.java index afd4c4d..0dc987a 100644 
--- a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2MockEndpointHolder.java +++ b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2MockEndpointHolder.java @@ -21,7 +21,6 @@ package org.apache.qpid.server.security.auth.manager.oauth2; import static java.nio.charset.StandardCharsets.UTF_8; -import static org.apache.qpid.test.utils.TestSSLConstants.JAVA_KEYSTORE_TYPE; import java.io.IOException; import java.util.Arrays; @@ -37,6 +36,7 @@ import javax.servlet.http.HttpServletResponse; import com.fasterxml.jackson.core.type.TypeReference; import com.fasterxml.jackson.databind.ObjectMapper; import junit.framework.TestCase; +import org.apache.qpid.test.utils.TestSSLConstants; import org.eclipse.jetty.server.Request; import org.eclipse.jetty.server.Server; import org.eclipse.jetty.server.ServerConnector; @@ -49,18 +49,16 @@ import org.apache.qpid.server.transport.network.security.ssl.SSLUtil; class OAuth2MockEndpointHolder { - private static final String KEYSTORE_PASSWORD = "password"; - private static final String KEYSTORE_RESOURCE = "ssl/test_keystore.jks"; private final Server _server; private final ServerConnector _connector; private volatile Map _endpoints; - OAuth2MockEndpointHolder() + OAuth2MockEndpointHolder() throws IOException { this(Collections.emptyMap()); } - OAuth2MockEndpointHolder(final Map endpoints) + OAuth2MockEndpointHolder(final Map endpoints) throws IOException { _endpoints = endpoints; final List protocolWhiteList = 
@@ -87,9 +85,9 @@ class OAuth2MockEndpointHolder SSLUtil.updateEnabledTlsProtocols(sslEngine, protocolWhiteList, protocolBlackList); } }; - sslContextFactory.setKeyStorePassword(KEYSTORE_PASSWORD); - sslContextFactory.setKeyStoreResource(Resource.newClassPathResource(KEYSTORE_RESOURCE)); - sslContextFactory.setKeyStoreType(JAVA_KEYSTORE_TYPE); + sslContextFactory.setKeyStorePassword(TestSSLConstants.PASSWORD); + sslContextFactory.setKeyStoreResource(Resource.newResource(TestSSLConstants.TEST_KEYSTORE)); + sslContextFactory.setKeyStoreType(TestSSLConstants.JAVA_KEYSTORE_TYPE); // override default jetty excludes as valid IBM JDK are excluded // causing SSL handshake failure (due to default exclude '^SSL_.*$') diff --git a/broker-core/src/test/java/org/apache/qpid/server/ssl/TrustManagerTest.java b/broker-core/src/test/java/org/apache/qpid/server/ssl/TrustManagerTest.java index df2611d..191d7cf 100644 --- a/broker-core/src/test/java/org/apache/qpid/server/ssl/TrustManagerTest.java +++ b/broker-core/src/test/java/org/apache/qpid/server/ssl/TrustManagerTest.java 
@@ -43,27 +43,16 @@ import org.apache.qpid.test.utils.UnitTestBase; public class TrustManagerTest extends UnitTestBase { - private static final String STORE_TYPE = TestSSLConstants.JAVA_KEYSTORE_TYPE; private static final String DEFAULT_TRUST_MANAGER_ALGORITHM = TrustManagerFactory.getDefaultAlgorithm(); - private static final String KEYSTORE_PASSWORD = TestSSLConstants.KEYSTORE_PASSWORD; - private static final String PEER_STORE = "ssl/java_broker_peerstore.pkcs12"; - private static final String PEER_STORE_PASSWORD = TestSSLConstants.BROKER_PEERSTORE_PASSWORD; - private static final String KEYSTORE = "ssl/java_client_keystore.pkcs12"; - private static final String CERT_ALIAS_APP_1 = TestSSLConstants.CERT_ALIAS_APP1; - private static final String CERT_ALIAS_APP_2 = TestSSLConstants.CERT_ALIAS_APP2; - private static final String TRUST_STORE = "ssl/java_broker_truststore.pkcs12"; - private static final String TRUST_STORE_PASSWORD = TestSSLConstants.BROKER_TRUSTSTORE_PASSWORD; - private static final String CERT_ALIAS_UNTRUSTED_CLIENT = TestSSLConstants.CERT_ALIAS_UNTRUSTED_CLIENT; - private static final String UNTRUSTED_KEYSTORE = "ssl/java_client_untrusted_keystore.pkcs12"; // retrieves the client certificate's chain from store and returns it as an array private X509Certificate[] getClientChain(final String storePath, final String alias) throws Exception { - final KeyStore ks = SSLUtil.getInitializedKeyStore(storePath, KEYSTORE_PASSWORD, STORE_TYPE); + final KeyStore ks = SSLUtil.getInitializedKeyStore(storePath, TestSSLConstants.PASSWORD, TestSSLConstants.JAVA_KEYSTORE_TYPE); final Certificate[] chain = ks.getCertificateChain(alias); return Arrays.copyOf(chain, chain.length, X509Certificate[].class); } - + // verifies that peer store is loaded only with client's (peer's) app1 certificate (no CA) private void noCAinPeerStore(final KeyStore ps) throws KeyStoreException { 
@@ -71,7 +60,7 @@ public class TrustManagerTest extends UnitTestBase while (aliases.hasMoreElements()) { final String alias = aliases.nextElement(); - if (!alias.equalsIgnoreCase(CERT_ALIAS_APP_1)) + if (!alias.equalsIgnoreCase(TestSSLConstants.CERT_ALIAS_APP1)) { fail("Broker's peer store contains other certificate than client's app1 public key"); } @@ -86,7 +75,7 @@ public class TrustManagerTest extends UnitTestBase public void testQpidPeersOnlyTrustManager() throws Exception { // first let's check that peer manager loaded with the PEERstore succeeds - final KeyStore ps = SSLUtil.getInitializedKeyStore(PEER_STORE, PEER_STORE_PASSWORD, STORE_TYPE); + final KeyStore ps = SSLUtil.getInitializedKeyStore(TestSSLConstants.BROKER_PEERSTORE, TestSSLConstants.PASSWORD, TestSSLConstants.JAVA_KEYSTORE_TYPE); this.noCAinPeerStore(ps); final TrustManagerFactory pmf = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM); pmf.init(ps); @@ -106,7 +95,7 @@ public class TrustManagerTest extends UnitTestBase try { // since broker's peerstore contains the client's app1 certificate, the check should succeed - peerManager.checkClientTrusted(this.getClientChain(KEYSTORE, CERT_ALIAS_APP_1), "RSA"); + peerManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE, TestSSLConstants.CERT_ALIAS_APP1), "RSA"); } catch (CertificateException e) { @@ -116,7 +105,7 @@ public class TrustManagerTest extends UnitTestBase try { // since broker's peerstore does not contain the client's app2 certificate, the check should fail - peerManager.checkClientTrusted(this.getClientChain(KEYSTORE, CERT_ALIAS_APP_2), "RSA"); + peerManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE, TestSSLConstants.CERT_ALIAS_APP2), "RSA"); fail("Untrusted client's validation against the broker's peer store manager succeeded."); } catch (CertificateException e) 
@@ -127,7 +116,7 @@ public class TrustManagerTest extends UnitTestBase // now let's check that peer manager loaded with the brokers TRUSTstore fails because // it does not have the clients certificate in it (though it does have a CA-cert that // would otherwise trust the client cert when using the regular trust manager). - final KeyStore ts = SSLUtil.getInitializedKeyStore(TRUST_STORE, TRUST_STORE_PASSWORD, STORE_TYPE); + final KeyStore ts = SSLUtil.getInitializedKeyStore(TestSSLConstants.BROKER_TRUSTSTORE, TestSSLConstants.PASSWORD, TestSSLConstants.JAVA_KEYSTORE_TYPE); final TrustManagerFactory tmf = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM); tmf.init(ts); final TrustManager[] delegateTrustManagers = tmf.getTrustManagers(); @@ -147,7 +136,7 @@ public class TrustManagerTest extends UnitTestBase { // since broker's truststore doesn't contain the client's app1 certificate, the check should fail // despite the fact that the truststore does have a CA that would otherwise trust the cert - peerManager.checkClientTrusted(this.getClientChain(KEYSTORE, CERT_ALIAS_APP_1), "RSA"); + peerManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE, TestSSLConstants.CERT_ALIAS_APP1), "RSA"); fail("Client's validation against the broker's peer store manager didn't fail."); } catch (CertificateException e) @@ -159,7 +148,7 @@ public class TrustManagerTest extends UnitTestBase { // since broker's truststore doesn't contain the client's app2 certificate, the check should fail // despite the fact that the truststore does have a CA that would otherwise trust the cert - peerManager.checkClientTrusted(this.getClientChain(KEYSTORE, CERT_ALIAS_APP_2), "RSA"); + peerManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE, TestSSLConstants.CERT_ALIAS_APP2), "RSA"); fail("Client's validation against the broker's peer store manager didn't fail."); } catch (CertificateException e) 
@@ -176,7 +165,7 @@ public class TrustManagerTest extends UnitTestBase public void testQpidMultipleTrustManagerWithRegularTrustStore() throws Exception { final QpidMultipleTrustManager mulTrustManager = new QpidMultipleTrustManager(); - final KeyStore ts = SSLUtil.getInitializedKeyStore(TRUST_STORE, TRUST_STORE_PASSWORD, STORE_TYPE); + final KeyStore ts = SSLUtil.getInitializedKeyStore(TestSSLConstants.BROKER_TRUSTSTORE, TestSSLConstants.PASSWORD, TestSSLConstants.JAVA_KEYSTORE_TYPE); final TrustManagerFactory tmf = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM); tmf.init(ts); final TrustManager[] delegateTrustManagers = tmf.getTrustManagers(); @@ -195,7 +184,7 @@ public class TrustManagerTest extends UnitTestBase try { // verify the CA-trusted app1 cert (should succeed) - mulTrustManager.checkClientTrusted(this.getClientChain(KEYSTORE, CERT_ALIAS_APP_1), "RSA"); + mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE, TestSSLConstants.CERT_ALIAS_APP1), "RSA"); } catch (CertificateException ex) { @@ -205,7 +194,7 @@ public class TrustManagerTest extends UnitTestBase try { // verify the CA-trusted app2 cert (should succeed) - mulTrustManager.checkClientTrusted(this.getClientChain(KEYSTORE, CERT_ALIAS_APP_2), "RSA"); + mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE, TestSSLConstants.CERT_ALIAS_APP2), "RSA"); } catch (CertificateException ex) { @@ -215,8 +204,8 @@ public class TrustManagerTest extends UnitTestBase try { // verify the untrusted cert (should fail) - mulTrustManager.checkClientTrusted(this.getClientChain(UNTRUSTED_KEYSTORE, - CERT_ALIAS_UNTRUSTED_CLIENT), "RSA"); + mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_UNTRUSTED_KEYSTORE, + TestSSLConstants.CERT_ALIAS_UNTRUSTED_CLIENT), "RSA"); fail("Untrusted client's validation against the broker's multi store manager unexpectedly passed."); } catch (CertificateException ex) 
@@ -233,7 +222,7 @@ public class TrustManagerTest extends UnitTestBase public void testQpidMultipleTrustManagerWithPeerStore() throws Exception { final QpidMultipleTrustManager mulTrustManager = new QpidMultipleTrustManager(); - final KeyStore ps = SSLUtil.getInitializedKeyStore(PEER_STORE, PEER_STORE_PASSWORD, STORE_TYPE); + final KeyStore ps = SSLUtil.getInitializedKeyStore(TestSSLConstants.BROKER_PEERSTORE, TestSSLConstants.PASSWORD, TestSSLConstants.JAVA_KEYSTORE_TYPE); final TrustManagerFactory pmf = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM); pmf.init(ps); final TrustManager[] delegatePeerManagers = pmf.getTrustManagers(); @@ -252,8 +241,8 @@ public class TrustManagerTest extends UnitTestBase try { // verify the trusted app1 cert (should succeed as the key is in the peerstore) - mulTrustManager.checkClientTrusted(this.getClientChain(KEYSTORE, - CERT_ALIAS_APP_1), "RSA"); + mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE, + TestSSLConstants.CERT_ALIAS_APP1), "RSA"); } catch (CertificateException ex) { @@ -263,8 +252,8 @@ public class TrustManagerTest extends UnitTestBase try { // verify the untrusted app2 cert (should fail as the key is not in the peerstore) - mulTrustManager.checkClientTrusted(this.getClientChain(KEYSTORE, - CERT_ALIAS_APP_2), "RSA"); + mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE, + TestSSLConstants.CERT_ALIAS_APP2), "RSA"); fail("Untrusted client's validation against the broker's multi store manager unexpectedly passed."); } catch (CertificateException ex) 
@@ -275,8 +264,8 @@ public class TrustManagerTest extends UnitTestBase try { // verify the untrusted cert (should fail as the key is not in the peerstore) - mulTrustManager.checkClientTrusted(this.getClientChain(UNTRUSTED_KEYSTORE, - CERT_ALIAS_UNTRUSTED_CLIENT), "RSA"); + mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_UNTRUSTED_KEYSTORE, + TestSSLConstants.CERT_ALIAS_UNTRUSTED_CLIENT), "RSA"); fail("Untrusted client's validation against the broker's multi store manager unexpectedly passed."); } catch (CertificateException ex) @@ -294,7 +283,7 @@ public class TrustManagerTest extends UnitTestBase public void testQpidMultipleTrustManagerWithTrustAndPeerStores() throws Exception { final QpidMultipleTrustManager mulTrustManager = new QpidMultipleTrustManager(); - final KeyStore ts = SSLUtil.getInitializedKeyStore(TRUST_STORE, TRUST_STORE_PASSWORD, STORE_TYPE); + final KeyStore ts = SSLUtil.getInitializedKeyStore(TestSSLConstants.BROKER_TRUSTSTORE, TestSSLConstants.PASSWORD, TestSSLConstants.JAVA_KEYSTORE_TYPE); final TrustManagerFactory tmf = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM); tmf.init(ts); final TrustManager[] delegateTrustManagers = tmf.getTrustManagers(); @@ -310,7 +299,7 @@ public class TrustManagerTest extends UnitTestBase } assertTrue("The regular trust manager for the trust store was not added", trustManagerAdded); - final KeyStore ps = SSLUtil.getInitializedKeyStore(PEER_STORE, PEER_STORE_PASSWORD, STORE_TYPE); + final KeyStore ps = SSLUtil.getInitializedKeyStore(TestSSLConstants.BROKER_PEERSTORE, TestSSLConstants.PASSWORD, TestSSLConstants.JAVA_KEYSTORE_TYPE); final TrustManagerFactory pmf = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM); pmf.init(ps); final TrustManager[] delegatePeerManagers = pmf.getTrustManagers(); 
@@ -329,8 +318,8 @@ public class TrustManagerTest extends UnitTestBase try { // verify the CA-trusted app1 cert (should succeed) - mulTrustManager.checkClientTrusted(this.getClientChain(KEYSTORE, - CERT_ALIAS_APP_1), "RSA"); + mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE, + TestSSLConstants.CERT_ALIAS_APP1), "RSA"); } catch (CertificateException ex) { @@ -340,8 +329,8 @@ public class TrustManagerTest extends UnitTestBase try { // verify the CA-trusted app2 cert (should succeed) - mulTrustManager.checkClientTrusted(this.getClientChain(KEYSTORE, - CERT_ALIAS_APP_2), "RSA"); + mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE, + TestSSLConstants.CERT_ALIAS_APP2), "RSA"); } catch (CertificateException ex) { @@ -351,8 +340,8 @@ public class TrustManagerTest extends UnitTestBase try { // verify the untrusted cert (should fail) - mulTrustManager.checkClientTrusted(this.getClientChain(UNTRUSTED_KEYSTORE, - CERT_ALIAS_UNTRUSTED_CLIENT), "RSA"); + mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_UNTRUSTED_KEYSTORE, + TestSSLConstants.CERT_ALIAS_UNTRUSTED_CLIENT), "RSA"); fail("Untrusted client's validation against the broker's multi store manager unexpectedly passed."); } catch (CertificateException ex) diff --git a/broker-core/src/test/resources/ssl/expired.crt b/broker-core/src/test/resources/ssl/expired.crt deleted file mode 100644 index 933330a..0000000 --- a/broker-core/src/test/resources/ssl/expired.crt +++ /dev/null 
@@ -1,17 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICvzCCAaegAwIBAgIEAjtn8zANBgkqhkiG9w0BAQ0FADAQMQ4wDAYDVQQDEwVV -U0VSMTAeFw0xMDAxMDEyMjQ0MjVaFw0xMDAxMDIyMjQ0MjVaMBAxDjAMBgNVBAMT -BVVTRVIxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAj2wa5um63bXJ -j7jv3pfhDgkvwE9hfM/DLv1rmkq2Psepefb40VJng61WiTeLNWdXrAJ+ui5iHTCn -8n+iqaucaPv4mOwH3j57CCLRvFrFSp/cUx2oZ3Zx1DfaSgfIc5F8AJQvYrtCxa6m -eYCoUJ3BZqARiKc6fk/RtACB1YI9mCDYOgnntNhEwMkRTuPqholyaL1fmw51EDGH -iGCQwsxj+YMLkuK2aQAs498NcA6fzui0Ey3MJ6LmLYbOSKqZ1cBzC4YfSGH921Ic -4YDgsvQ1io1zN4AJFHj8ld5rlDCTElgUFmkm2wCLvQAQ9+5MB4fDVLFldpHHBgX2 -0097qFSAEwIDAQABoyEwHzAdBgNVHQ4EFgQUZ30jJvIgSSRkltqIKv7UgEYnlvUw -DQYJKoZIhvcNAQENBQADggEBABYZ+ZwbRnJvfjnFq9c+GV5/7FJOTlO0SVAVZrYJ -HzquTr3mFDkhOc6aDlaNGiFAJcs6Udj3MvV7J+Uuai9oJDmVCt94HZL3k09G+z1b -A3BorBKWDYm2L9CKpjUgD0VY40Tc2yNVyrzCbdjVnBkrLKiAirSrb5NJK2lnJg4Y -TB7TiAnSydfRWUyUo8/wEMgIo4o0vuB7AnBQFhCd0XRmxBNoBZ19f+R041I6CQ0L -9jc172XWHL1o111/RS7M8qLcWxi11DN62p6IKNT32DnhVV0RFnfVTQDaQ9qsPFmg -Dngy+2weYwc6hEKhnunGrv0LNoqp6lQbOZO4c4v0/ynBHf4= ------END CERTIFICATE----- diff --git a/broker-core/src/test/resources/ssl/java_broker.crt b/broker-core/src/test/resources/ssl/java_broker.crt deleted file mode 100644 index 4e5c086..0000000 --- a/broker-core/src/test/resources/ssl/java_broker.crt +++ /dev/null 
@@ -1,21 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDbzCCAlegAwIBAgIFALBcS4MwDQYJKoZIhvcNAQELBQAwQTELMAkGA1UEBhMC -Q0ExEDAOBgNVBAgTB09udGFyaW8xDTALBgNVBAoTBEFDTUUxETAPBgNVBAMTCE15 -Um9vdENBMB4XDTE5MDIyNzE2MDY0M1oXDTI0MDIyNzE2MDY0M1owbjEQMA4GA1UE -BhMHVW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQ -MA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjESMBAGA1UEAxMJbG9j -YWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq1zWGLqSHqno -In5HjqSLSNQb5TV7qTeoKeVGJdfP13oXMllzy4JTCiXBen3l3YhpSxqGYccyEYee -UlMSWH1snv9kW5sh+fF8HjJrabQco+vkUqUirvotaBQP71X1V+05AFxFhWfgdINw -Kzu6az5i2S6DWJ0Xkseuolo3cM/J+M245NJj3as0dX2bOu0qbqk4izDqqV1uiyUP -Udn0jICC52ZLd2v9lBbUQD/ZvwMYWIiBw9pfPxvIw2OsqsKeh+I7RUoGBxDUdDvj -lbNeJV7AmeoszI/3bHkncdCiObFMXdXmUVwcRJYDAq5eBhgK59WcwKPIqlOLismQ -wjN4ZxxvqQIDAQABo0EwPzAdBgNVHQ4EFgQU8NpCddyhoagntgXuH6eMGKnNxJsw -CQYDVR0TBAIwADATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOC -AQEAjFSD0UPN7ZqMKA0Sk2oailI+AU11VEmwIw18sXSEFMWSH8uAgkyTOvNQv4Nu -WHgNOx20r18bYVrTqTznRa9oM7xemtR2pKqJYUQKqvk9vcF8mY7ibK1AH1vlm/gh -7EfEmobfwHutXyTbUppgqf4QLn9AYLokD/w0la1mxDQ5Qc5FefgxLGaN2DZALFOc -8lcpA9E2hTau2znxMlqqrG73E6R2XoE7BVMHVemVAAvusBuuP9OW/iC/KTPDFNoy -NnDViQfIh03aBH2N5XCcnsdsxDULh6pjdZWf9FB+8OBDKyajNdFZku7AFLkt+QIa -FVo105jdjqfMxt8FRNuQ05vYEQ== ------END CERTIFICATE----- diff --git a/broker-core/src/test/resources/ssl/java_broker.req b/broker-core/src/test/resources/ssl/java_broker.req deleted file mode 100644 index c618dd3..0000000 --- a/broker-core/src/test/resources/ssl/java_broker.req +++ /dev/null 
@@ -1,18 +0,0 @@ ------BEGIN NEW CERTIFICATE REQUEST----- -MIIC4zCCAcsCAQAwbjEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA1UECBMHVW5rbm93 -bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMH -VW5rbm93bjESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOC -AQ8AMIIBCgKCAQEAq1zWGLqSHqnoIn5HjqSLSNQb5TV7qTeoKeVGJdfP13oXMllz -y4JTCiXBen3l3YhpSxqGYccyEYeeUlMSWH1snv9kW5sh+fF8HjJrabQco+vkUqUi -rvotaBQP71X1V+05AFxFhWfgdINwKzu6az5i2S6DWJ0Xkseuolo3cM/J+M245NJj -3as0dX2bOu0qbqk4izDqqV1uiyUPUdn0jICC52ZLd2v9lBbUQD/ZvwMYWIiBw9pf -PxvIw2OsqsKeh+I7RUoGBxDUdDvjlbNeJV7AmeoszI/3bHkncdCiObFMXdXmUVwc -RJYDAq5eBhgK59WcwKPIqlOLismQwjN4ZxxvqQIDAQABoDAwLgYJKoZIhvcNAQkO -MSEwHzAdBgNVHQ4EFgQU8NpCddyhoagntgXuH6eMGKnNxJswDQYJKoZIhvcNAQEN -BQADggEBAHsfAScjTeIM+Mkmq7z29wl0+NdWyoDKt0PjG0/WffExGXG1FD6JrbP7 -UEeBY60WdypO9/Nx7I/sw/UOsOH297NuCMkFDitAk5/5XDVSYpywBi85XK72ODmv -hWYn2MGP9YnfL3qOd75kpNgVBKt9+IVFFNgdUMfzDQpTQgmzdaRepM4HUuxJnNGN -jcjA6b7rT0XQu7EJqM/Q1beJTVmwtv/3ZsBduJfksr2+fyC7wd344Equ8kfhZtd9 -YocJYdlZ//0RjWMv10hXNMD2Y+Nk4ldoFOXwv93JMcBn4Uy0TeZ9O/eI/jETT5TL -FZUUWdHvGqN2/9L4EZ0rAyH87HpHV7I= ------END NEW CERTIFICATE REQUEST----- diff --git a/broker-core/src/test/resources/ssl/java_broker_expired_truststore.pkcs12 b/broker-core/src/test/resources/ssl/java_broker_expired_truststore.pkcs12 deleted file mode 100644 index 9bfe301..0000000 Binary files a/broker-core/src/test/resources/ssl/java_broker_expired_truststore.pkcs12 and /dev/null differ diff --git a/broker-core/src/test/resources/ssl/java_broker_keystore.pkcs12 b/broker-core/src/test/resources/ssl/java_broker_keystore.pkcs12 deleted file mode 100644 index b45991f..0000000 Binary files a/broker-core/src/test/resources/ssl/java_broker_keystore.pkcs12 and /dev/null differ 
diff --git a/broker-core/src/test/resources/ssl/java_broker_peerstore.pkcs12 b/broker-core/src/test/resources/ssl/java_broker_peerstore.pkcs12 deleted file mode 100644 index a5b307f..0000000 Binary files a/broker-core/src/test/resources/ssl/java_broker_peerstore.pkcs12 and /dev/null differ diff --git a/broker-core/src/test/resources/ssl/java_broker_truststore.pkcs12 b/broker-core/src/test/resources/ssl/java_broker_truststore.pkcs12 deleted file mode 100644 index 4184adf..0000000 Binary files a/broker-core/src/test/resources/ssl/java_broker_truststore.pkcs12 and /dev/null differ diff --git a/broker-core/src/test/resources/ssl/java_client_expired_keystore.pkcs12 b/broker-core/src/test/resources/ssl/java_client_expired_keystore.pkcs12 deleted file mode 100644 index cb9b876..0000000 Binary files a/broker-core/src/test/resources/ssl/java_client_expired_keystore.pkcs12 and /dev/null differ diff --git a/broker-core/src/test/resources/ssl/java_client_keystore.pkcs12 b/broker-core/src/test/resources/ssl/java_client_keystore.pkcs12 deleted file mode 100644 index 9422d9a..0000000 Binary files a/broker-core/src/test/resources/ssl/java_client_keystore.pkcs12 and /dev/null differ diff --git a/broker-core/src/test/resources/ssl/java_client_truststore.pkcs12 b/broker-core/src/test/resources/ssl/java_client_truststore.pkcs12 deleted file mode 100644 index 1b45a23..0000000 Binary files a/broker-core/src/test/resources/ssl/java_client_truststore.pkcs12 and /dev/null differ diff --git a/broker-core/src/test/resources/ssl/java_client_untrusted_keystore.pkcs12 b/broker-core/src/test/resources/ssl/java_client_untrusted_keystore.pkcs12 deleted file mode 100644 index 8b0b023..0000000 Binary files a/broker-core/src/test/resources/ssl/java_client_untrusted_keystore.pkcs12 and /dev/null differ 
diff --git a/broker-core/src/test/resources/ssl/test_cert_only_keystore.pkcs12 b/broker-core/src/test/resources/ssl/test_cert_only_keystore.pkcs12 deleted file mode 100644 index f480819..0000000 Binary files a/broker-core/src/test/resources/ssl/test_cert_only_keystore.pkcs12 and /dev/null differ diff --git a/broker-core/src/test/resources/ssl/test_empty_keystore.jks b/broker-core/src/test/resources/ssl/test_empty_keystore.jks deleted file mode 100644 index ed88075..0000000 Binary files a/broker-core/src/test/resources/ssl/test_empty_keystore.jks and /dev/null differ diff --git a/broker-core/src/test/resources/ssl/test_keystore.jks b/broker-core/src/test/resources/ssl/test_keystore.jks deleted file mode 100644 index afa9d02..0000000 Binary files a/broker-core/src/test/resources/ssl/test_keystore.jks and /dev/null differ diff --git a/broker-core/src/test/resources/ssl/test_pk_only_keystore.pkcs12 b/broker-core/src/test/resources/ssl/test_pk_only_keystore.pkcs12 deleted file mode 100644 index 64ca340..0000000 Binary files a/broker-core/src/test/resources/ssl/test_pk_only_keystore.pkcs12 and /dev/null differ diff --git a/broker-core/src/test/resources/ssl/test_symmetric_key_keystore.pkcs12 b/broker-core/src/test/resources/ssl/test_symmetric_key_keystore.pkcs12 deleted file mode 100644 index f39dcf4..0000000 Binary files a/broker-core/src/test/resources/ssl/test_symmetric_key_keystore.pkcs12 and /dev/null differ diff --git a/broker-plugins/management-http/src/main/java/resources/js/qpid/management/TrustStore.js b/broker-plugins/management-http/src/main/java/resources/js/qpid/management/TrustStore.js index 8e5dfcd..9f8e1d1 100644 --- a/broker-plugins/management-http/src/main/java/resources/js/qpid/management/TrustStore.js +++ b/broker-plugins/management-http/src/main/java/resources/js/qpid/management/TrustStore.js 
@@ -126,7 +126,11 @@ define(["dojo/_base/lang", } } - storeNodes(["name", "type", "state", "exposedAsMessageSource", "trustAnchorValidityEnforced"]); + storeNodes(["name", "type", "state", "exposedAsMessageSource", "trustAnchorValidityEnforced", + "certificateRevocationCheckEnabled", "certificateRevocationCheckOfOnlyEndEntityCertificates", + "certificateRevocationCheckWithPreferringCertificateRevocationList", + "certificateRevocationCheckWithNoFallback", "certificateRevocationCheckWithIgnoringSoftFailures", + "certificateRevocationListUrl"]); } @@ -139,6 +143,18 @@ define(["dojo/_base/lang", entities.encode(String(this.trustStoreData["exposedAsMessageSource"])); this.trustAnchorValidityEnforced.innerHTML = entities.encode(String(this.trustStoreData["trustAnchorValidityEnforced"])); + this.certificateRevocationCheckEnabled.innerHTML = + entities.encode(String(this.trustStoreData["certificateRevocationCheckEnabled"])); + this.certificateRevocationCheckOfOnlyEndEntityCertificates.innerHTML = + entities.encode(String(this.trustStoreData["certificateRevocationCheckOfOnlyEndEntityCertificates"])); + this.certificateRevocationCheckWithPreferringCertificateRevocationList.innerHTML = + entities.encode(String(this.trustStoreData["certificateRevocationCheckWithPreferringCertificateRevocationList"])); + this.certificateRevocationCheckWithNoFallback.innerHTML = + entities.encode(String(this.trustStoreData["certificateRevocationCheckWithNoFallback"])); + this.certificateRevocationCheckWithIgnoringSoftFailures.innerHTML = + entities.encode(String(this.trustStoreData["certificateRevocationCheckWithIgnoringSoftFailures"])); + this.certificateRevocationListUrl.innerHTML = this.trustStoreData["certificateRevocationListUrl"] ? + entities.encode(String(this.trustStoreData["certificateRevocationListUrl"])) : ""; }; KeyStoreUpdater.prototype.update = function (callback) 
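Review bot: the six new rows are populated unconditionally, so when `certificateRevocationCheckEnabled` is false the detail view still reports `false` or an empty value for the five dependent settings, which reads as if they were active choices; consider hiding or greying those rows (and the CRL URL) unless the check is enabled, since the options only have meaning together. The rendering itself looks right: every value passes through `entities.encode(String(...))` before being assigned to `innerHTML`, and the CRL URL, the only free-text value, is guarded by a falsy check so an unset attribute does not render as the string "undefined".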
diff --git a/broker-plugins/management-http/src/main/java/resources/js/qpid/management/addStore.js b/broker-plugins/management-http/src/main/java/resources/js/qpid/management/addStore.js index 42329dd..f98a947 100644 --- a/broker-plugins/management-http/src/main/java/resources/js/qpid/management/addStore.js +++ b/broker-plugins/management-http/src/main/java/resources/js/qpid/management/addStore.js @@ -114,6 +114,7 @@ define(["dojo/_base/lang", this.storeType.set("disabled", !!initialData); if (!effectiveData) { + this.initialData = {}; this.dialog.set("title", "Add " + this.category); } else @@ -164,7 +165,7 @@ define(["dojo/_base/lang", var storeData = util.getFormWidgetValues(this.storeForm, this.initialData); - if (this.initialData) + if (this.initialData && this.initialData.id) { // update request this.management.update(this.modelObj, storeData) diff --git a/broker-plugins/management-http/src/main/java/resources/showTrustStore.html b/broker-plugins/management-http/src/main/java/resources/showTrustStore.html index eb82307..e3a5b5c 100644 --- a/broker-plugins/management-http/src/main/java/resources/showTrustStore.html +++ b/broker-plugins/management-http/src/main/java/resources/showTrustStore.html @@ -40,6 +40,30 @@
+
Revocation Enabled:
+
+
+
+
Revocation Check Of Only End Entity:
+
+
+
+
Revocation Check With Preferring CRL:
+
+
+
+
Revocation Check With No Fallback:
+
+
+
+
Revocation Check With Ignoring Soft Failures:
+
+
+
+
Certificate Revocation List URL:
+
+
+
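Review bot: the read-only labels in this hunk ("Revocation Check Of Only End Entity:", "Revocation Check With Preferring CRL:", "Revocation Check With No Fallback:", "Revocation Check With Ignoring Soft Failures:") do not match the names the same options carry in the edit form and in the documentation ("Only End Entity", "Prefer CRLs", "No Fallback", "Ignore Soft Failures"), so an operator comparing the detail view with the dialog has to translate between two vocabularies; suggest reusing the form labels under a single "Revocation" heading, as truststore.html does.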
diff --git a/broker-plugins/management-http/src/main/java/resources/store/truststore.html b/broker-plugins/management-http/src/main/java/resources/store/truststore.html index 8c3047b..439f7fc 100644 --- a/broker-plugins/management-http/src/main/java/resources/store/truststore.html +++ b/broker-plugins/management-http/src/main/java/resources/store/truststore.html @@ -24,8 +24,7 @@
+ data-dojo-props="name: 'exposedAsMessageSource'" />
@@ -36,12 +35,95 @@
+ data-dojo-props="name: 'trustAnchorValidityEnforced'" />
+
+
+ Revocation +
+
Enabled:
+
+ +
+
+
+
+
+
Only End Entity:
+
+ +
+
+
+
+
+
Prefer CRLs:
+
+ +
+
+
+
+
+
No Fallback:
+
+ +
+
+
+
+
+
Ignore Soft Failures:
+
+ +
+
+
+
+
+
Server CRL Path Or Upload:
+
+ +
+
+
+
+
diff --git a/doc/java-broker/src/docbkx/management/managing/Java-Broker-Management-Managing-Truststores.xml b/doc/java-broker/src/docbkx/management/managing/Java-Broker-Management-Managing-Truststores.xml index 3c03019..18e36c6 100644 --- a/doc/java-broker/src/docbkx/management/managing/Java-Broker-Management-Managing-Truststores.xml +++ b/doc/java-broker/src/docbkx/management/managing/Java-Broker-Management-Managing-Truststores.xml @@ -78,7 +78,7 @@ Exposed as Message Source. If enabled, the Broker - will distribute certificates contained within the trustore to clients. + will distribute certificates contained within the truststore to clients. Used by the end to end message encryption feature. @@ -87,6 +87,38 @@ + Revocation attributes. + + + + Enabled. If set to true certificate revocation check is performed when + client tries to connect. + + + Only End Entity. If enabled, check only the revocation status of + end-entity certificates. + + + Prefer CRLs. If enabled, prefer CRL (specified in certificate + distribution points) to OCSP, if disabled prefer OCSP to CRL. + + + No Fallback. If enabled, disable fallback to CRL/OCSP (if + Prefer CRLs set to true, disable fallback to OCSP, + otherwise disable fallback to CRL in certificate distribution points). + + + Ignore Soft Failures. If enabled, revocation check will succeed + if CRL/OCSP response cannot be obtained because of network error or OCSP responder returns + internalError or tryLater. + + + Server CRL Path Or Upload. Path to Certificate Revocation List file. + If set, certificate revocation check uses only set CRL file and ignores CRL Distribution Points + in certificate. + + + The following attributes apply to File Trust Stores only. diff --git a/qpid-test-utils/pom.xml b/qpid-test-utils/pom.xml index 5e8bd75..d3faf81 100644 --- a/qpid-test-utils/pom.xml +++ b/qpid-test-utils/pom.xml @@ -56,5 +56,4 @@ guava - 
diff --git a/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/TestSSLConstants.java b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/TestSSLConstants.java index 9bdb282..329920b 100644 --- a/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/TestSSLConstants.java +++ b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/TestSSLConstants.java 
@@ -18,27 +18,82 @@ */ package org.apache.qpid.test.utils; -public interface TestSSLConstants -{ - String KEYSTORE = "test-profiles/test_resources/ssl/java_client_keystore.jks"; - String EXPIRED_KEYSTORE = "test-profiles/test_resources/ssl/java_client_expired_keystore.jks"; - String KEYSTORE_PASSWORD = "password"; - String TRUSTSTORE = "test-profiles/test_resources/ssl/java_client_truststore.jks"; - String TRUSTSTORE_PASSWORD = "password"; +import java.nio.file.Paths; - String CERT_ALIAS_APP1 = "app1"; - String CERT_ALIAS_APP2 = "app2"; - String CERT_ALIAS_UNTRUSTED_CLIENT = "untrusted_client"; +public final class TestSSLConstants +{ + public static final String JAVA_KEYSTORE_TYPE = "pkcs12"; + public static final String PASSWORD = "password"; + private static final String TEST_CERTIFICATES_DIRECTORY; + static + { + final String testCertificatesDirectoryPrefix; + if (System.getProperty("user.dir").contains("systests")) + { + testCertificatesDirectoryPrefix = Paths.get(System.getProperty("user.dir"), "..", "..").toString(); + } + else if (System.getProperty("user.dir").contains("..")) + { + testCertificatesDirectoryPrefix = System.getProperty("user.dir"); + } + else + { + testCertificatesDirectoryPrefix = Paths.get(System.getProperty("user.dir"), "..").toString(); + } + TEST_CERTIFICATES_DIRECTORY = + Paths.get(testCertificatesDirectoryPrefix, + "qpid-test-utils", "src", "main", "resources", "ssl", "certificates").toString(); + } + public static final String CLIENT_KEYSTORE = + Paths.get(TEST_CERTIFICATES_DIRECTORY, "client_keystore.jks").toString(); + public static final String CLIENT_TRUSTSTORE = + Paths.get(TEST_CERTIFICATES_DIRECTORY, "client_truststore.jks").toString(); + public static final String CLIENT_EXPIRED_KEYSTORE = + Paths.get(TEST_CERTIFICATES_DIRECTORY, "client_expired_keystore.jks").toString(); + public static final String CLIENT_EXPIRED_CRT = + Paths.get(TEST_CERTIFICATES_DIRECTORY, "client_expired.crt").toString(); + public static final String 
CLIENT_UNTRUSTED_KEYSTORE = + Paths.get(TEST_CERTIFICATES_DIRECTORY, "client_untrusted_keystore.jks").toString(); - String BROKER_KEYSTORE = "test-profiles/test_resources/ssl/java_broker_keystore.jks"; - String BROKER_KEYSTORE_PASSWORD = "password"; - String BROKER_KEYSTORE_ALIAS = "java-broker"; + public static final String CERT_ALIAS_ROOT_CA = "rootca"; + public static final String CERT_ALIAS_APP1 = "app1"; + public static final String CERT_ALIAS_APP2 = "app2"; + public static final String CERT_ALIAS_ALLOWED = "allowed_by_ca"; + public static final String CERT_ALIAS_REVOKED = "revoked_by_ca"; + public static final String CERT_ALIAS_REVOKED_EMPTY_CRL = "revoked_by_ca_empty_crl"; + public static final String CERT_ALIAS_REVOKED_INVALID_CRL_PATH = "revoked_by_ca_invalid_crl_path"; + public static final String CERT_ALIAS_ALLOWED_WITH_INTERMEDIATE = "allowed_by_ca_with_intermediate"; + public static final String CERT_ALIAS_UNTRUSTED_CLIENT = "untrusted_client"; - String BROKER_PEERSTORE = "test-profiles/test_resources/ssl/java_broker_peerstore.jks"; - String BROKER_PEERSTORE_PASSWORD = "password"; + public static final String BROKER_KEYSTORE = + Paths.get(TEST_CERTIFICATES_DIRECTORY, "broker_keystore.jks").toString(); + public static final String BROKER_CRT = + Paths.get(TEST_CERTIFICATES_DIRECTORY, "broker.crt").toString(); + public static final String BROKER_CSR = + Paths.get(TEST_CERTIFICATES_DIRECTORY, "broker.csr").toString(); + public static final String BROKER_TRUSTSTORE = + Paths.get(TEST_CERTIFICATES_DIRECTORY, "broker_truststore.jks").toString(); + public static final String BROKER_PEERSTORE = + Paths.get(TEST_CERTIFICATES_DIRECTORY, "broker_peerstore.jks").toString(); + public static final String BROKER_EXPIRED_TRUSTSTORE = + Paths.get(TEST_CERTIFICATES_DIRECTORY, "broker_expired_truststore.jks").toString(); + public static final String BROKER_KEYSTORE_ALIAS = "broker"; - String BROKER_TRUSTSTORE = 
"test-profiles/test_resources/ssl/java_broker_truststore.jks"; - String BROKER_TRUSTSTORE_PASSWORD = "password"; + public static final String TEST_EMPTY_KEYSTORE = + Paths.get(TEST_CERTIFICATES_DIRECTORY, "test_empty_keystore.jks").toString(); + public static final String TEST_KEYSTORE = + Paths.get(TEST_CERTIFICATES_DIRECTORY, "test_keystore.jks").toString(); + public static final String TEST_CERT_ONLY_KEYSTORE = + Paths.get(TEST_CERTIFICATES_DIRECTORY, "test_cert_only_keystore.jks").toString(); + public static final String TEST_PK_ONLY_KEYSTORE = + Paths.get(TEST_CERTIFICATES_DIRECTORY, "test_pk_only_keystore.jks").toString(); + public static final String TEST_SYMMETRIC_KEY_KEYSTORE = + Paths.get(TEST_CERTIFICATES_DIRECTORY, "test_symmetric_key_keystore.jks").toString(); - String JAVA_KEYSTORE_TYPE = "pkcs12"; + public static final String CA_CRL_EMPTY = + Paths.get(TEST_CERTIFICATES_DIRECTORY, "MyRootCA.empty.crl").toString(); + public static final String CA_CRL = + Paths.get(TEST_CERTIFICATES_DIRECTORY, "MyRootCA.crl").toString(); + public static final String INTERMEDIATE_CA_CRL = + Paths.get(TEST_CERTIFICATES_DIRECTORY, "intermediate_ca.crl").toString(); } diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crl b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crl new file mode 100644 index 0000000..2d7b8d9 Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crl differ diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crl.pem b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crl.pem new file mode 100644 index 0000000..0430e10 --- /dev/null +++ b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crl.pem 
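Review bot: the static initializer in TestSSLConstants locates the certificate directory by inspecting `System.getProperty("user.dir")` for the substrings "systests" and "..", which ties every test to the directory the JVM was launched from and will silently resolve to a non-existent path under any other layout (an IDE runner, a module started from its own directory with an absolute working directory, or a future module whose name happens to contain "systests"). Since the fixtures now live under src/main/resources of qpid-test-utils, loading them as classpath resources (`TestSSLConstants.class.getResource("/ssl/certificates/...")`, copied to a temporary directory where a file path is required) would remove the working-directory guesswork; failing that, the initializer should at least check that the directory exists and throw a clear error. Smaller point: `JAVA_KEYSTORE_TYPE` stays "pkcs12" while every store constant now points at a `.jks` file (client_keystore.jks, broker_truststore.jks, ...); recent JDKs load either format under either type name through the keystore compatibility mode, but the mismatch will confuse whoever regenerates the fixtures, so either name the files by their actual format or add a comment saying which format they really are.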
@@ -0,0 +1,13 @@ +-----BEGIN X509 CRL----- +MIIB8TCB2gIBATANBgkqhkiG9w0BAQsFADBBMQswCQYDVQQGEwJDQTEQMA4GA1UE +CAwHT250YXJpbzENMAsGA1UECgwEQUNNRTERMA8GA1UEAwwITXlSb290Q0EXDTIw +MDExNzEyMTQwM1oXDTIwMDIxNjEyMTQwM1owVDATAgISOBcNMjAwMTE3MTIxNDAz +WjATAgISORcNMjAwMTE3MTIxNDAzWjATAgISOxcNMjAwMTE3MTIxNDAzWjATAgIS +PBcNMjAwMTE3MTIxNDAzWqAPMA0wCwYDVR0UBAQCAhI2MA0GCSqGSIb3DQEBCwUA +A4IBAQCP9fF88j+7OLHZqq6kkxB8IZSN0lCRXXk590V3rx/NWJYmhGjlOjvEe+dG +fiTFYUxtYuGU/rsYOezMg2/uO9l+PdPq2blWcYKvDvBK89oHaFnX0U1vCiOLD/H0 +09a70Lo3p7tHRBiPcaximmq3DA2dZRSRlo3oRoHAQ1tdMbbAm+D+N6uEu6xARycH +OmAkx1ofx1SW+Up02R/56QINfYKG+Teqk+g/2uj+fbCx7Hdt+ocoPH8D3FrPv/QQ +wmDlvPktb552EyOAHuhv/VSYhBB9yLKeqxb4/K7+lSCibM7gO0aPpzr33eykftbR +aMRSNPr1t5tw2psBHoQ63U920dXu +-----END X509 CRL----- diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crt b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crt new file mode 100644 index 0000000..0614c37 --- /dev/null +++ b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crt 
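Review bot: decoding the two UTCTime fields that follow the issuer in MyRootCA.crl.pem gives thisUpdate 2020-01-17 12:14:03 UTC and nextUpdate 2020-02-16 12:14:03 UTC, so the CRL is valid for one month, while the CA certificate in MyRootCA.crt runs to 2024-01-17; MyRootCA.empty.crl.pem carries the same two dates. Java's PKIX revocation checker discards a CRL whose nextUpdate has passed and, without soft-fail, rejects the chain with an undetermined-revocation-status error rather than ignoring the stale CRL, so any test that validates the allowed_by_ca or revoked_by_ca chains against these CRLs without "Ignore Soft Failures" will start failing after 2020-02-16. Suggest regenerating MyRootCA.crl, MyRootCA.empty.crl and intermediate_ca.crl with a nextUpdate aligned to the CA certificate's lifetime (and confirming the binary files match their .pem copies), and committing the generation script alongside MyRootCA.key so the fixtures can be refreshed when they do expire.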
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDYzCCAkugAwIBAgIUAzgWkwkl4wOLx+GiJZVnG3I2cNEwDQYJKoZIhvcNAQEN +BQAwQTELMAkGA1UEBhMCQ0ExEDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFD +TUUxETAPBgNVBAMMCE15Um9vdENBMB4XDTIwMDExNzEyMTM0OVoXDTI0MDExNzEy +MTM0OVowQTELMAkGA1UEBhMCQ0ExEDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoM +BEFDTUUxETAPBgNVBAMMCE15Um9vdENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEA+CXc5ld4yp+N6ns0HA8aPI2AUDPcbhs558F713/amq6KzueuVBJ4 +UBMdFqGI2Ul2RbEJuy/qxYqTDqtPNMorzLgK47NrDnZ0cdE/DlavSyCQmNoE0Ksr +XBTbIk0uEKKObJSYiW+8ise6cc+5Q83woG5OzUj6E/uX/TFYsSbsaLaG74HY8ajI +bHDEPOnRlqWV/Z8ADvjpplxXuAXyhA7YYMA/WlXAp3knLFEZTJduVeH+U9gn3lif +9zjUxuaNBioTJcnHnbanc3z2q5CvTbzhlUjOuWJ28dJ+QHr60bw4EEwM+akavU+O +9GK2Dh2oqLAOJ/z11I5F6LX7NEOprpt0owIDAQABo1MwUTAdBgNVHQ4EFgQU2DTy +TKWsAaQ7VGaq99vDwfK/5swwHwYDVR0jBBgwFoAU2DTyTKWsAaQ7VGaq99vDwfK/ +5swwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAQEA8p51vGg8YT6y +Aiyeps/ggms5/vkuH3AdI2OqC1RbIIx2Duia1EiH+Vxw0I1B7jJ9tZOsZfJVLmcr +qlToReTTceGSRt22JvV7vpB/mn7y1z5Pz9Inw/eWTC32frzzLdayGv3/EhArsu+B +eW6EemnXN4UxRc4rkCcYqz3WJJ/NollBwzqhpmFqo0sArZ7CSkz9+2U6sayZsxA3 +zT+4aj6vIp6Yv/USgX86VrdO1sBhJKlosEOlJqyorpjutv4fl4hR04/yU+Kw/sdG +9ZA5Q9zrV0ooZ+635K1Z4Xr2rCH/38ltUZnFWD7D0w/z+QhonxXdnwbudtedSybo +VPvWVRUaVA== +-----END CERTIFICATE----- diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.empty.crl b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.empty.crl new file mode 100644 index 0000000..7c4a5df Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.empty.crl differ diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.empty.crl.pem b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.empty.crl.pem new file mode 100644 index 0000000..88a02d0 --- /dev/null +++ b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.empty.crl.pem 
@@ -0,0 +1,11 @@ +-----BEGIN X509 CRL----- +MIIBmzCBhAIBATANBgkqhkiG9w0BAQsFADBBMQswCQYDVQQGEwJDQTEQMA4GA1UE +CAwHT250YXJpbzENMAsGA1UECgwEQUNNRTERMA8GA1UEAwwITXlSb290Q0EXDTIw +MDExNzEyMTQwM1oXDTIwMDIxNjEyMTQwM1qgDzANMAsGA1UdFAQEAgISNTANBgkq +hkiG9w0BAQsFAAOCAQEAvXMYfesUZM9b/MRG36pyFXdW6Ntn7KcldzYphHMeUiw9 +L+SI2kSzQrfvMFC5URAMpchnKZWzNcjoERpaFmt/io9W+GxFfrfUDPgu14p3n1b9 +Z4xQx/f+ZbEuw4Xuv5TPdGYzkxtaMCabHrcZbJvYcT+6ogshsxIqduiqx9EEnyYY +WhrsOyAhjhEAeU+CaNjL0xo+71xpzyRbV2BRxwyNNJEVTc9SGUtwro2jdCSB72KM +S85RSUshg5aWEXz99jV41w1Zx1UWfwAN9K5aJxwNp3x06C/SxHc2yMfN9h3BIr/f +kdBgB/Larrwq+luogS4e9JA522/V3yYeYajuxH7JEQ== +-----END X509 CRL----- diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.key b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.key new file mode 100644 index 0000000..742071d --- /dev/null +++ b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.key 
@@ -0,0 +1,30 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIoKxdp44hlPICAggA +MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECIjUETc4sXyDBIIEyMQ/YTalgLpr +OcHUsyfkMGThRYoMvDC1TT8SYR5iqm0ARFxIh6tnU1Y0JvWMdzQgR4qzZXbyZLwm +L/0xeL4ErEkhgfc6UUv7ldv5uja3dKUbTZaxD/Pl/w7ZboVWj62RfiSMmoNmvMaw +0c7BIFxXACdrVSjBN11cJOYI9nKwqge5WWEgTVYSyKGC0zf6BdSSRmaFX5mQ7E0D +9tuegWmes57TEZXh9ObzsrKegFC6FJ26DUXZ7h7lAOkHrjRm+5pvY+YOHtGgBLCz +h1DkssCQ9uyE+39REcdX4cEkY2L4kqirJ69v6YdT6u7NwF2eGCJwANDCI5+1WFO2 +Prc2SNAgA4TtASnwi6vE7z/Vg2Ah+WUx41m4kp5zw4rUIA6w9pvUnuZBhACEcqtt +HncoVRr0dxX7tN7Hxsw5I2Wx0szuHCpSXt9den/4rcyl4dpVViNOc7lah0C8uS2t +tt1DE4JdA1gm0uKVUkS+57049R0ojMisjMmJBs3V0+lPvRwHGZ+UGer4lw1FPMXr +fDLXuOCs5V9pR2d5OtHttFNKVGwcRtPElSKCvJjxvl/frBTfng97S/jIAUJc4NMQ +tBoI18TeNnALRp/JWtJf5VqQFyNvp/Th/Qk2VgUa6x5jKE6ksLlaVDxZ4rZbFyfl +WkVbJ3OABNfEzrucOEFoncqHPM8BT1unTkRTOlsJMbgzJYby+RLznMzKwGS20A6P +f2f4L840zqHSFHfD/HhW0CZ5ZwXbW6Kta6D0+DWDzHzA/6GMFtggpXtMXKbi/2dV +wPR7sHQwxE+Qbq4SxxAx7CYhiz6L2x/EMX/BehAJic6XTQJEmluaiq3o1954OuTZ +eUAnOV9iv2iEKf02D06yCJsyLop4CtN88HenGD7EiZ71IuF7U/VDoy2lVcbiW0DT +efTsbns5euSqe335SHafd9OGIe8p7shsSsoh6smfUpYdYlKq+wG2P+h7CSMoIGh6 +bKq0k3xnyi4CH22Ukyt3IIg0REGTvFgdZGRuwJe2cylzYeuj+KJclVLTmJ2jQJ2D +xd1M5gNqbZOzihCNOnG6Owik93RJBi6qynhfhOt6YHBeUmeIFx+ygLQqtNjlX/V9 ++rsBtovzMZhfFK6ozSm0fQG+2rB5QrnsEw3gzzZ22fBPy+SQ1GPK2FJNNHO3REaD ++5Yt0Iny4jFA9UiveR8pxvYdPwoPEiEii1VfOAkR+0dcEeKX1gQvCF84XNRSiMXw +ITHOI9QmmYqyjTAv1ZMB7TV3dnxQuyifHZciEFK5R7Kkn0Z78diXxFjWvPVVhsLG +yzFHArQs0lDUsRlZxJ68SkwJ3dw2m8XpwUPkWlTZ5SoJTSN0JOa9fn5Htm7X1ZYK +A4x80z3t6oeTGJxmDxQHOL+NCkeRQv1fN/JS4b7I6p9sQT+60gT5dJ0R6/CU2Vpf +xM+DcHGW8oo8yQ2CjSOaf1Bp+Sp/arcrK0KOP6sbABlnXeTeRgWOb3xwRnwWP0am +wAooVJgifFOAnEA7rfi7XgnQkALtwki4TPhy2g+eoHDo2PiX5j0QxdVpGlfzZVkC +9j8fgea3hy5Y78Ju8N/fhZWgYIoyosVnFhXHtHpebPdDpktseOR388PNvMEa+6vT +nKxFX9Uw8/IoAkO1WGG+rg== +-----END ENCRYPTED PRIVATE KEY----- 
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.crt b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.crt new file mode 100644 index 0000000..171ec80 --- /dev/null +++ b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.crt 
@@ -0,0 +1,80 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 4663 (0x1237) + Signature Algorithm: sha512WithRSAEncryption + Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA + Validity + Not Before: Jan 17 12:14:00 2020 GMT + Not After : Jan 17 12:14:00 2024 GMT + Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=allowed_by_ca@acme.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:ae:43:c8:3b:d5:08:7c:69:6f:48:96:bd:ae:cf: + d9:ab:f6:3a:68:64:e6:f5:57:14:45:42:40:e5:c5: + 7f:97:6d:13:4f:d1:26:28:14:0d:30:e5:9e:55:67: + b8:3a:7d:d8:8d:b4:9e:07:f0:62:e4:95:63:41:b9: + 04:2b:53:51:86:46:36:25:6f:82:60:74:e0:81:73: + c3:ce:1c:76:3e:97:35:da:82:28:22:cc:ac:62:22: + d7:0d:8d:38:44:c0:de:29:ca:15:b9:13:39:81:04: + 4b:0d:71:9f:ff:1c:36:4e:2e:57:54:85:83:f4:f4: + a8:f9:bb:f5:a5:66:b1:9a:40:a2:1a:33:5e:b2:37: + 31:a5:73:fb:f4:39:fe:d1:52:ec:f2:b1:fc:84:1a: + c7:2b:98:81:e3:62:ae:51:e6:5b:6e:c4:f9:ff:c0: + e4:64:88:3a:c1:a2:20:95:3c:71:c6:eb:da:d3:de: + aa:42:98:1f:e9:da:06:fc:f9:0d:23:1c:8b:ae:3e: + ee:6c:b8:ac:a1:a3:da:c9:21:8d:c4:48:26:23:8e: + 40:44:55:dc:0b:fc:b8:a7:0c:c8:4b:f6:21:7a:1e: + 57:ff:1c:ce:a7:e3:8a:c4:26:02:93:f3:e8:4a:45: + a5:3e:02:5b:25:6b:f8:58:1b:ce:18:3e:da:62:86: + 34:ff + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 CRL Distribution Points: + + Full Name: + URI:http://localhost:8186/MyRootCA.crl + + X509v3 Basic Constraints: + CA:FALSE + X509v3 Key Usage: + Digital Signature, Non Repudiation, Key Encipherment + Signature Algorithm: sha512WithRSAEncryption + c8:28:31:d7:11:ba:e1:ea:b0:18:ec:74:6b:66:7d:da:31:1f: + 2a:a2:c4:e8:af:a2:ba:92:56:d9:7b:f4:fe:e1:20:5c:5c:5e: + 3f:39:31:0a:b3:a5:19:f0:60:86:ef:98:eb:e1:c7:1a:1d:0a: + 51:d6:25:9b:29:a4:71:9d:da:d6:cf:96:82:07:ca:38:71:62: + 93:6b:b1:44:87:49:42:28:66:53:34:f1:fa:3e:48:49:ed:2a: + ed:56:b2:49:cb:5b:0c:46:59:68:2d:d9:95:47:c4:0c:fa:57: + 93:e1:0b:52:ed:75:2a:fe:a9:e7:e7:a3:c8:68:7a:fc:14:92: + 
8b:8b:34:94:28:f1:23:7b:2c:bd:26:48:fe:bf:6e:ec:71:9b: + 43:e8:e3:64:48:36:af:9e:8e:bd:e5:c7:b2:76:a5:c6:ca:98: + 22:6b:aa:93:82:fd:cf:6b:08:df:40:43:fc:03:1a:12:12:85: + 8e:dc:d2:06:80:cd:d9:ba:fd:f8:4e:3f:8a:99:46:db:df:67: + c2:67:b5:39:96:a5:71:12:be:03:f1:99:c0:b9:df:51:b5:37: + dd:a7:5a:75:32:a0:da:d7:09:83:1b:96:30:81:0e:b4:9d:10: + 81:cc:05:65:a8:e6:3f:2a:de:b5:d3:6e:d3:ed:4a:a0:e3:a2: + 56:ea:ef:3a +-----BEGIN CERTIFICATE----- +MIIDdjCCAl6gAwIBAgICEjcwDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMCQ0Ex +EDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFDTUUxETAPBgNVBAMMCE15Um9v +dENBMB4XDTIwMDExNzEyMTQwMFoXDTI0MDExNzEyMTQwMFowajELMAkGA1UEBhMC +Q0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRvMQ0wCwYDVQQKDARhY21l +MQwwCgYDVQQLDANhcnQxHzAdBgNVBAMMFmFsbG93ZWRfYnlfY2FAYWNtZS5vcmcw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCuQ8g71Qh8aW9Ilr2uz9mr +9jpoZOb1VxRFQkDlxX+XbRNP0SYoFA0w5Z5VZ7g6fdiNtJ4H8GLklWNBuQQrU1GG +RjYlb4JgdOCBc8POHHY+lzXagigizKxiItcNjThEwN4pyhW5EzmBBEsNcZ//HDZO +LldUhYP09Kj5u/WlZrGaQKIaM16yNzGlc/v0Of7RUuzysfyEGscrmIHjYq5R5ltu +xPn/wORkiDrBoiCVPHHG69rT3qpCmB/p2gb8+Q0jHIuuPu5suKyho9rJIY3ESCYj +jkBEVdwL/LinDMhL9iF6Hlf/HM6n44rEJgKT8+hKRaU+Alsla/hYG84YPtpihjT/ +AgMBAAGjTzBNMDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9sb2NhbGhvc3Q6ODE4 +Ni9NeVJvb3RDQS5jcmwwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwDQYJKoZIhvcN +AQENBQADggEBAMgoMdcRuuHqsBjsdGtmfdoxHyqixOivorqSVtl79P7hIFxcXj85 +MQqzpRnwYIbvmOvhxxodClHWJZsppHGd2tbPloIHyjhxYpNrsUSHSUIoZlM08fo+ +SEntKu1WsknLWwxGWWgt2ZVHxAz6V5PhC1LtdSr+qefno8hoevwUkouLNJQo8SN7 +LL0mSP6/buxxm0Po42RINq+ejr3lx7J2pcbKmCJrqpOC/c9rCN9AQ/wDGhIShY7c +0gaAzdm6/fhOP4qZRtvfZ8JntTmWpXESvgPxmcC531G1N92nWnUyoNrXCYMbljCB +DrSdEIHMBWWo5j8q3rXTbtPtSqDjolbq7zo= +-----END CERTIFICATE----- diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.csr b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.csr new file mode 100644 index 0000000..f2a51e4 --- /dev/null +++ b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.csr 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICrzCCAZcCAQAwajELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQH +DAdUb3JvbnRvMQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxHzAdBgNVBAMM +FmFsbG93ZWRfYnlfY2FAYWNtZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQCuQ8g71Qh8aW9Ilr2uz9mr9jpoZOb1VxRFQkDlxX+XbRNP0SYoFA0w +5Z5VZ7g6fdiNtJ4H8GLklWNBuQQrU1GGRjYlb4JgdOCBc8POHHY+lzXagigizKxi +ItcNjThEwN4pyhW5EzmBBEsNcZ//HDZOLldUhYP09Kj5u/WlZrGaQKIaM16yNzGl +c/v0Of7RUuzysfyEGscrmIHjYq5R5ltuxPn/wORkiDrBoiCVPHHG69rT3qpCmB/p +2gb8+Q0jHIuuPu5suKyho9rJIY3ESCYjjkBEVdwL/LinDMhL9iF6Hlf/HM6n44rE +JgKT8+hKRaU+Alsla/hYG84YPtpihjT/AgMBAAGgADANBgkqhkiG9w0BAQ0FAAOC +AQEABftyaBKWipsliFRs8LYjFnKbGkc1vOJNHfr1Upa0JhxhEXXOr0fJ+q1moY6a +9QdYOuZ3iM5M3B3L7aYM9wXSKkSyujRl/S2hDlaMuXVXHYvL+e6t1REe4lSCKZRV +OfdpPWUCW35WhuE9M0h6hAnb+HLsxc3OPQo8KH4yQkSyh4aPj20X0WXp1QrvfpVL +fzicwCaxJET8rcu3gduXqysD2IkHnbx4OX0JsqgDuVnjRRtL800UJ/YDJcuobUpp +/euptiVCaO+q6W2l46GA2e6bQuCxv1+o5M4U2JH0Chldx2yTMnAgFtV+E1JtrzVS +jObVTUz819aBFrzwL6OIcQEvUw== +-----END CERTIFICATE REQUEST----- diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.jks b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.jks new file mode 100644 index 0000000..dae314d Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.jks differ diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.self.crt new file mode 100644 index 0000000..7129f68 --- /dev/null +++ b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.self.crt 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDtTCCAp2gAwIBAgIUA/JhLTYgfW18ejOVXRiPJdhGoFswDQYJKoZIhvcNAQEN +BQAwajELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRv +MQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxHzAdBgNVBAMMFmFsbG93ZWRf +YnlfY2FAYWNtZS5vcmcwHhcNMjAwMTE3MTIxNDAwWhcNMjAwMjE2MTIxNDAwWjBq +MQswCQYDVQQGEwJDQTELMAkGA1UECAwCT04xEDAOBgNVBAcMB1Rvcm9udG8xDTAL +BgNVBAoMBGFjbWUxDDAKBgNVBAsMA2FydDEfMB0GA1UEAwwWYWxsb3dlZF9ieV9j +YUBhY21lLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5DyDvV +CHxpb0iWva7P2av2Omhk5vVXFEVCQOXFf5dtE0/RJigUDTDlnlVnuDp92I20ngfw +YuSVY0G5BCtTUYZGNiVvgmB04IFzw84cdj6XNdqCKCLMrGIi1w2NOETA3inKFbkT +OYEESw1xn/8cNk4uV1SFg/T0qPm79aVmsZpAohozXrI3MaVz+/Q5/tFS7PKx/IQa +xyuYgeNirlHmW27E+f/A5GSIOsGiIJU8ccbr2tPeqkKYH+naBvz5DSMci64+7my4 +rKGj2skhjcRIJiOOQERV3Av8uKcMyEv2IXoeV/8czqfjisQmApPz6EpFpT4CWyVr ++Fgbzhg+2mKGNP8CAwEAAaNTMFEwHQYDVR0OBBYEFBqvhbkUgk3fCKONHHOGxRLU +FefzMB8GA1UdIwQYMBaAFBqvhbkUgk3fCKONHHOGxRLUFefzMA8GA1UdEwEB/wQF +MAMBAf8wDQYJKoZIhvcNAQENBQADggEBAEgQYqFZBnZ3PJN/LP/S9dR3PDYp2YkW +n8DSwpj+cP+Gt4kPydRSKl5DdV+eYd6cZ4xF2P6/peZCKYgYZkmbEWIYD87C7J+T +rpcT1M4u7ACk5QfwoGAZFbTqy6iK3yFqQ/V7YvTjLAx8wqICqrDoed8GTgJ1AmWE +GCIz3D/8e/ml+Sp+MVRi4KNVfA6zK/e29oswmQxYXmMCXswwHuAmsDoXKS9PYvX7 +Ho035mFmR+yhBnPHX9deuAsTifiiw1TCczq1K4SPX6exXw38nZwLVHErYnaypqP0 +pJNqTIBGlr6K0tryTA83tQVAIJqL2fVlfNUKxuHPOVyGkJcGlCPxjKw= +-----END CERTIFICATE----- diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.self.key new file mode 100644 index 0000000..c465086 --- /dev/null +++ b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.self.key 
@@ -0,0 +1,30 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIWa+PHUaIhGECAggA +MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECEV7nV0bqTYVBIIEyNROaXQgS6RZ +mSJcMeFAINaeZytR/Fq/vdlYE8qsnToVuySFqVft76Q1ZIs5ZsmwAPZxF6rAQZ9z +9WsIVV7ZTZPCndP7R3/V1h11YGJpklu/wFDNPgkhJiP39A4gv99nWqdjPh3k6rJk +5rshuHiVuPQ+lQxCJMnNNBzse1NAf7aCq3DONUAYrbxOPQODGAk9ilZtSirVNeCK +8s9TwPi5vWaxkdgMkb8l+CtXKAYMIGXwslr4cs/02pOSSKMeSYn118aE05yRVI5a +QrF6yk07huT94ZnVd7DS5sts1/igJk72mGc4zqAP7k2USYkvvzQ6/Lzt6jmdxlaV +ovTnMpvrnS8Vt/27+XxH64cSC2of8a1N7nHKR/mjwzXwFfCqx36AAKNsnGpbX2vE +PYgsMCAJrZY8DTgGnBKzJZTSbjfpeVDcWKrZtCIpcUCtHfzibwwo7FoFVi9f4Exq +S+FkK1VX4JnWWxhNXKbUWWV24se/1NejY5op8TvunrT4xamV81v+Y3rAhORxZzZo +QooLLY0EZVVGRA0qbg4TQZ87G4wxTKbeLv/vkJYt4+ElEkJZEm+f1U3OBKzBVC2h +sA0bSo+vB7n322VMZQkGVXi3MCiJBlQYM2Dcp4+gC0GfkJhuNStp/QvfRIjjo+tR ++aP0/8dkdDaUSe7gUp+1du+bA4YhcdX06diHD0VZrFKOhfR9EJ4lGjlObCA/V6aA +WGtinv/yglGv1ajX1/9PcKsbFh3uP9eDM2U1wGbkJIYbw9ttABS9IEGi2Gr7QcLh +273v5H346t9aXOCk0D14qEe3fRZCHWYsFkIytSQy9iHFmn67XnROoAicKIktUtSK +j5rnGz8NcY7lQNElcEdAcogd50vyBy8Xn/Y29vl8CcyP6Mh6WIgnF/QuJo0+A6lH +T57lmQ7aQYQuqNk3TeSSpRU2ADY6OldxrUIarrhoV+K3CLNhoI/Ch/7jbPfv6Z2s +IwfOr7uOsA1YoLYHuV4hn8X2EMOONpcH57zNnQdCDzMJO6E92ElpqmyKkos5uDe7 +dIVFEpQ/9oeLgc00izZtQjkiI6ar1Dk7jkqAUAELsPcw8pwklqVy90ku1wgUl4BQ +TR/Sk+HqOj9epQfUOBWi0zz3F8kkOo6Y/1JtzMFp9xauInr4oFssJ0A+kRypLL4V +LrPi59SgHwwNTacivYjoeT2UH2mTCc7MfS6z3czwn/Ds/c6WfKYxNA4WLlOTJV+v +4Y4aE0a9GTlGIXYTyP+l7T40MaDhTLfnhqi74TBN8QQNnxcLLcVY9sUREdJHbDgQ +o5GjffduqezL94D1ENLO2ekIspjgpsGnFp1Us9A53CeDdo/P0/OcLeNfUlun8yWm +fKG7vwW/lQw3jc6G5xKTO70HR3V3VLWP297gdMMZBiD1byY6Sk52Xz9hShr7DoEg +l5L0vkhK1MjGYfxmlL4j94XZ1VhE/xni/rDeq/mK+MjmJ68G1yBn6dv62py3g5Qk +tnl6Rg2tho6M6IOr9KGJxkooqjj/ruyWqp+NePYqFq9hU0wwQ7kuJ6ASulkJRShD +fcg59h1HkTkCpnPPA3fmkxdDy3umOW7maZnLVjf0Nmt0BOA+jg2V0KK83kuJCqlz +cBTyMqk8rkW1zR2YuVr+TQ== +-----END ENCRYPTED PRIVATE KEY----- 
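Review bot: in the allowed_by_ca.crt hunk the CRL Distribution Point is fixed at URI:http://localhost:8186/MyRootCA.crl, so every test that enables revocation checking for this certificate has to serve the CRL on exactly that port, and a port collision on a CI host will fail the test for a reason unrelated to revocation. Because the URI and the Jan 17 2020 to Jan 17 2024 validity window are baked into the signed certificate, neither can be changed without re-issuing it; please commit the generation script (or a README under ssl/certificates/) that records the CA, the port and the expiry, so the fixtures can be regenerated before the suite starts failing on 2024-01-17. The allowed_by_ca.csr hunk is only a by-product of that issuance and could be left out of the commit if the script is kept.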
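Review bot: the allowed_by_ca.self.crt and allowed_by_ca.self.key hunks carry no openssl text dump, unlike the CA-issued certificate in the same file set, so their contents are only visible after decoding the base64: the self-signed certificate shares its RSA modulus (ae:43:c8:3b:...) with allowed_by_ca.crt, is valid from 2020-01-17 to 2020-02-16 only, and carries a critical Basic Constraints CA:TRUE extension (the openssl req -x509 default), which means it would be accepted as an issuer if it were ever imported into a trust store; the key is a PKCS#8 blob wrapped with PBES2 (PBKDF2-HMAC-SHA256, 2048 iterations, des-ede3-cbc). If the 30-day validity and CA:TRUE are deliberate, for instance to stand in for an expired or mis-scoped peer certificate, say so in the generation script; otherwise regenerate with basicConstraints=CA:FALSE and a longer -days, and re-wrap the key with openssl pkcs8 -topk8 -v2 aes-256-cbc so it still loads on providers that have retired 3DES.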
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.crt b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.crt new file mode 100644 index 0000000..f884155 --- /dev/null +++ b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.crt 
@@ -0,0 +1,81 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 4666 (0x123a) + Signature Algorithm: sha512WithRSAEncryption + Issuer: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=intermediate_ca@acme.org + Validity + Not Before: Jan 17 12:14:01 2020 GMT + Not After : Jan 17 12:14:01 2024 GMT + Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=allowed_by_ca_with_intermediate@acme.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c9:ec:61:2e:56:70:b4:b4:32:52:6b:62:c6:cd: + 64:87:65:e1:71:3b:87:fb:eb:dd:77:98:8e:44:aa: + 6d:df:2d:22:78:0a:9a:54:87:bf:23:28:cd:9e:64: + fa:2d:40:ef:e3:09:37:be:12:65:aa:3f:4e:ef:2e: + 85:f1:19:42:00:79:51:95:a7:84:7a:9b:be:64:e3: + f8:96:a7:5c:7a:ec:4b:4d:89:28:b2:2c:4f:e2:77: + fd:26:48:84:07:63:db:e9:70:dc:aa:8e:74:05:23: + 89:db:9d:79:20:5a:83:bd:bb:a8:1e:1e:e8:38:8a: + c8:2e:19:5d:47:0f:ee:0c:7a:88:d7:15:62:60:73: + b0:cb:a7:a0:c2:89:0a:7e:33:89:67:f3:93:3c:d2: + 6b:90:f6:a6:6d:af:be:9d:38:2c:ae:b1:af:f0:23: + 19:3e:2c:90:a2:ad:77:8e:d6:40:e7:65:40:54:2f: + 5d:66:56:77:a1:71:47:13:d1:6d:d9:70:f9:14:c0: + b4:5d:5d:32:7f:a2:af:49:45:7b:7c:44:c8:39:53: + 61:0d:25:c7:1e:a0:a4:7d:d0:21:60:22:7f:ec:55: + 36:af:87:30:fc:27:c5:a1:34:2a:a7:2a:b1:a3:9d: + d8:18:88:d0:7e:53:49:2f:ea:6f:03:da:54:79:0c: + 26:e3 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 CRL Distribution Points: + + Full Name: + URI:http://localhost:8186/intermediate_ca.crl + + X509v3 Basic Constraints: + CA:FALSE + X509v3 Key Usage: + Digital Signature, Non Repudiation, Key Encipherment + Signature Algorithm: sha512WithRSAEncryption + 17:7d:7c:c2:32:03:78:c5:76:87:37:54:38:c6:1f:f1:c6:05: + 96:48:fb:f1:ad:da:41:76:7b:d0:cb:ee:7b:5d:78:9d:a6:b3: + 75:32:85:37:91:d2:58:aa:a5:27:ac:71:4c:12:01:6c:14:19: + 23:52:09:b9:13:3d:17:4d:a2:b0:56:95:38:66:a7:39:f2:b8: + 78:50:2a:1d:12:63:46:1f:5e:d4:12:4b:f2:88:72:44:d9:43: + 29:da:80:a0:14:0e:dd:d3:69:f3:ad:05:0e:bb:5a:5b:f4:aa: + 
06:5a:f5:8c:7f:78:ba:d3:50:e0:68:9f:11:b0:33:3c:f9:5c: + 22:cd:70:68:ba:8c:39:92:e3:c4:88:1f:85:79:b5:1c:94:e1: + 79:c9:56:4e:2c:1e:41:e8:fd:40:0e:61:46:dc:74:4b:f0:bf: + 6d:e7:c1:34:fa:6a:fc:51:72:c5:a4:46:e0:db:94:09:4d:14: + eb:88:41:bb:82:63:e2:8d:c8:f1:a3:69:49:1b:89:12:d7:f8: + c1:7e:cc:90:70:80:2e:9d:e7:69:7f:80:46:f9:af:a2:19:ba: + 02:40:1b:dc:b7:9f:ab:3e:06:b5:33:7b:61:57:8a:4a:b0:57: + 2b:77:50:13:11:78:5f:62:45:b9:9b:21:2c:28:9b:44:2b:ef: + 7f:e0:f4:18 +-----BEGIN CERTIFICATE----- +MIIDujCCAqKgAwIBAgICEjowDQYJKoZIhvcNAQENBQAwbDELMAkGA1UEBhMCQ0Ex +CzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRvMQ0wCwYDVQQKDARhY21lMQww +CgYDVQQLDANhcnQxITAfBgNVBAMMGGludGVybWVkaWF0ZV9jYUBhY21lLm9yZzAe +Fw0yMDAxMTcxMjE0MDFaFw0yNDAxMTcxMjE0MDFaMHwxCzAJBgNVBAYTAkNBMQsw +CQYDVQQIDAJPTjEQMA4GA1UEBwwHVG9yb250bzENMAsGA1UECgwEYWNtZTEMMAoG +A1UECwwDYXJ0MTEwLwYDVQQDDChhbGxvd2VkX2J5X2NhX3dpdGhfaW50ZXJtZWRp +YXRlQGFjbWUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyexh +LlZwtLQyUmtixs1kh2XhcTuH++vdd5iORKpt3y0ieAqaVIe/IyjNnmT6LUDv4wk3 +vhJlqj9O7y6F8RlCAHlRlaeEepu+ZOP4lqdceuxLTYkosixP4nf9JkiEB2Pb6XDc +qo50BSOJ2515IFqDvbuoHh7oOIrILhldRw/uDHqI1xViYHOwy6egwokKfjOJZ/OT +PNJrkPamba++nTgsrrGv8CMZPiyQoq13jtZA52VAVC9dZlZ3oXFHE9Ft2XD5FMC0 +XV0yf6KvSUV7fETIOVNhDSXHHqCkfdAhYCJ/7FU2r4cw/CfFoTQqpyqxo53YGIjQ +flNJL+pvA9pUeQwm4wIDAQABo1YwVDA6BgNVHR8EMzAxMC+gLaArhilodHRwOi8v +bG9jYWxob3N0OjgxODYvaW50ZXJtZWRpYXRlX2NhLmNybDAJBgNVHRMEAjAAMAsG +A1UdDwQEAwIF4DANBgkqhkiG9w0BAQ0FAAOCAQEAF318wjIDeMV2hzdUOMYf8cYF +lkj78a3aQXZ70Mvue114naazdTKFN5HSWKqlJ6xxTBIBbBQZI1IJuRM9F02isFaV +OGanOfK4eFAqHRJjRh9e1BJL8ohyRNlDKdqAoBQO3dNp860FDrtaW/SqBlr1jH94 +utNQ4GifEbAzPPlcIs1waLqMOZLjxIgfhXm1HJTheclWTiweQej9QA5hRtx0S/C/ +befBNPpq/FFyxaRG4NuUCU0U64hBu4Jj4o3I8aNpSRuJEtf4wX7MkHCALp3naX+A +Rvmvohm6AkAb3Lefqz4GtTN7YVeKSrBXK3dQExF4X2JFuZshLCibRCvvf+D0GA== +-----END CERTIFICATE----- 
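Review bot: the allowed_by_ca_with_intermediate.crt hunk is issued by CN=intermediate_ca@acme.org rather than MyRootCA and points its CRL Distribution Point at URI:http://localhost:8186/intermediate_ca.crl, so a revocation check on this chain needs the intermediate certificate in the chain or trust store and two CRLs reachable (intermediate_ca.crl for the leaf and MyRootCA.crl for the intermediate itself); none of those is part of this hunk. The test that uses this fixture should state which CRL each expected outcome depends on, because with soft-fail disabled a missing MyRootCA.crl makes the checker report failure on the intermediate, not on the leaf, and an assertion written against the leaf alone will pass or fail for the wrong reason.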
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.csr b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.csr new file mode 100644 index 0000000..8ddce61 --- /dev/null +++ b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.csr @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICwTCCAakCAQAwfDELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQH +DAdUb3JvbnRvMQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxMTAvBgNVBAMM +KGFsbG93ZWRfYnlfY2Ffd2l0aF9pbnRlcm1lZGlhdGVAYWNtZS5vcmcwggEiMA0G +CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDJ7GEuVnC0tDJSa2LGzWSHZeFxO4f7 +6913mI5Eqm3fLSJ4CppUh78jKM2eZPotQO/jCTe+EmWqP07vLoXxGUIAeVGVp4R6 +m75k4/iWp1x67EtNiSiyLE/id/0mSIQHY9vpcNyqjnQFI4nbnXkgWoO9u6geHug4 +isguGV1HD+4MeojXFWJgc7DLp6DCiQp+M4ln85M80muQ9qZtr76dOCyusa/wIxk+ +LJCirXeO1kDnZUBUL11mVnehcUcT0W3ZcPkUwLRdXTJ/oq9JRXt8RMg5U2ENJcce +oKR90CFgIn/sVTavhzD8J8WhNCqnKrGjndgYiNB+U0kv6m8D2lR5DCbjAgMBAAGg +ADANBgkqhkiG9w0BAQ0FAAOCAQEAd3e3VVDF9/DEkkN2OblChD35ElxBO10cn9/h +JdtcDLa6DRK/ke4wpA2GfXdyGTez/tsCaVFLC/D6toxPYYtqW60OqavVNwAB/pwY +NpdU7b9MNP3m0Xl3Kecevj8l5y+2dqzQdccqpPZxagArbp6Q1Jq9IE/NTFrcJFOl +3TUK5xlunjLUxc3z9wCInDWAJukLzjhWR4VLMyHSXnI9nrA71rkss0Jnp5CHPk16 +fal0DF35awqwThnHXjtHxxLpNutYdfQNLMc5ROzVPeJkRQ3M4N3nQLmm1Cya3z/B +GfIKmFM17FRVnpV7UmuStRmvMWAceObm6onE4ZFEIVZKnZgCdw== +-----END CERTIFICATE REQUEST----- diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.jks b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.jks new file mode 100644 index 0000000..b4e40d8 Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.jks differ 
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.self.crt new file mode 100644 index 0000000..e124e38 --- /dev/null +++ b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.self.crt @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID2TCCAsGgAwIBAgIUNnlaQs0dlbECoaCEl6BoAMhbdRYwDQYJKoZIhvcNAQEN +BQAwfDELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRv +MQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxMTAvBgNVBAMMKGFsbG93ZWRf +YnlfY2Ffd2l0aF9pbnRlcm1lZGlhdGVAYWNtZS5vcmcwHhcNMjAwMTE3MTIxNDAx +WhcNMjAwMjE2MTIxNDAxWjB8MQswCQYDVQQGEwJDQTELMAkGA1UECAwCT04xEDAO +BgNVBAcMB1Rvcm9udG8xDTALBgNVBAoMBGFjbWUxDDAKBgNVBAsMA2FydDExMC8G +A1UEAwwoYWxsb3dlZF9ieV9jYV93aXRoX2ludGVybWVkaWF0ZUBhY21lLm9yZzCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMnsYS5WcLS0MlJrYsbNZIdl +4XE7h/vr3XeYjkSqbd8tIngKmlSHvyMozZ5k+i1A7+MJN74SZao/Tu8uhfEZQgB5 +UZWnhHqbvmTj+JanXHrsS02JKLIsT+J3/SZIhAdj2+lw3KqOdAUjidudeSBag727 +qB4e6DiKyC4ZXUcP7gx6iNcVYmBzsMunoMKJCn4ziWfzkzzSa5D2pm2vvp04LK6x +r/AjGT4skKKtd47WQOdlQFQvXWZWd6FxRxPRbdlw+RTAtF1dMn+ir0lFe3xEyDlT +YQ0lxx6gpH3QIWAif+xVNq+HMPwnxaE0KqcqsaOd2BiI0H5TSS/qbwPaVHkMJuMC +AwEAAaNTMFEwHQYDVR0OBBYEFPjCNnLHyR9AJfM6BRMuGgmFF3dPMB8GA1UdIwQY +MBaAFPjCNnLHyR9AJfM6BRMuGgmFF3dPMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI +hvcNAQENBQADggEBAMZES6PIFa3+peqB18Af82We4bxIHDSMnpkU518Uf/cSwKLl +LKdSGbIX2dr2uiqJuNQwrSbQwe0O24WBeuFnv8VWwjQrHPqX7et7LT3mBthaW3qP +beRz0CHvYg09plniqWaaxZ0o+XDoG5/vs1rwSXhKdB89hBLBgdXWnIu05ISicj3Q +wFv7Aad8s+29qd83ZTq3GPiAGAlHzBZoGfORxgw8Zkl5J8wpDY2IzHoFK65TltIg +vEhmxsaY2q9ogDPU1g3vXOryobUcZXCk6Wmq7/AQ8Yb6pVOHU+B1GBWlDK+88RkI +sejtPiVWiQixQbZsgjF0kzcXdW+v83vnK9C7Ehs= +-----END CERTIFICATE----- 
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.self.key new file mode 100644 index 0000000..9768e71 --- /dev/null +++ b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.self.key 
@@ -0,0 +1,30 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIvh0cf2QI9TkCAggA +MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECNBC7yqVSYFxBIIEyK44083ll8aW +4B3wIWPEVbHexUgeHhPnyv8N89VB+sgl5ndKlm60/n83O2COdXEFrbUbyEaxEMII +VvNVbY4G0BAbsY5qJfmiRNCKRc2OO4HRBI0dLrzcIYETtAtunmta3CbngRpSgNv2 +zPPGp06jEcrh285NGmL6+k4OkDkdOhLBIlSQadibNOWPpRSSmp93pjPUFSVdUarU +2qZi1Xxd65iu8iNG00E9mYHvIesN2tGvWqH7+pAFWKLz2PxEMBjKS/wz0r2sqpAi +u605tebtg2mKB16VpPLKHkGHjAJNehfBPAWpjrLLj+cdpAC6gU8hQZseZJRh4kr3 +DZvS6hSNPXKE6+mDosrj1CuyMOfOaqezgixY/3AihqGt/qgZXu5Fs4WepWPACDtH +hHBPAc0DXFlC4E6B3Xb+HQWI0ADqI//sSip/UsDMpp5Z99EqA/0UgG6xNEcvyMJo +/jHpSBeJZbKB+UXsPpwQQzMHzlqLZ0b0egB8U2Q383bNctNtWX5GOgs9WzHbrvXe +Ia29s7kCima1r5JO+/fNzhRlgoENbxa31APNzdNfvHzvRRN7JGE1yS57aL8ZVXv5 +I+rg1ct71nIJ8SpfeP3fmib9NDw8QuwFZ1KfXuEp+Q2nHP7QGIpCbMJJqY7aAr0H +m2KRUEQqrGv3XycU8VDveOPj2UR9JQANSZK5pwwcgL+jtEYo9AJxtnThePaPLi0f +KNjkqd1/BictpdNu+o+jQS+REOVxqKR01XcjIsKe9b19qIBgxLwcaOMfaxulOe8e +SOBUqsHOJmYxZ6IjeEVG2dGxDADdmFPBrfIQnAbRBEwgjSBMCP/h6elo0MRQ3LaX +lmDmjCNlY1FHuSaAX5xWJ87Ui8y1Sx8vljOOYA6b2zoWoj8pmz7lZy4ChZaFb7sW +WAE0O0e7DrwLvVfluVwRdQ6KcWBkILzVw+VLrQE1s8yAVc0mPtAyEpjaMpqlWpeE +CngpUa1yaBcY17R/30aAYXGVxc2qoZBQuGkr4q2TQoElBk7ERyQ51a8TJ+bQ4DAp +lLED5xLmED1F/TL8PaQhQuDVkaoIUPKwAnXjRWf11DImmuUm8ens9w9np0Na334P +XcJ5zZq00FyXsUoYnuyvXulqRo+Sps67kcGjlK7t0cpvAaG5CbzEkJ3IcAzOcldA +Nq1W/yd+RBdCqbcDUIFYWhdtJ6zDg0jTa8vUm/Pn8DZMQOB2tOn5TDvrT+4iy5Ng +Y5xbvvWyXCWy4JdyoFoXjzXLChQA5YNd+P37UfJUT+R/l7GD84SiGdNtHsxP+Hnr +KRDu4v0p32jKjY27U2GHRBVNPjR+GUgVcKa4WE84DAPfaJY2mep2gxhmYMg2YNR5 +/evAYC6AfVqrKahnXvAZ6cWLIAbdhOg+dbyj1KITuIZ7VUfpVrIeAx4/IBJ5nJbJ +EC9/8uaswGXKqPdLM8sR9FEbq9r2WBVSuaVmMqwV7wcQwO+KBemeUPoeY/aEm6bj +jD7AaMSFl67ouabm2pZdWz8as1qNImn0aR/3AW/Rusi/mVOweGd+WcC/GlIv5T0E +eKnyOExk94ddyBqasKCewSPx0BV4ki1fX77yUbaDeJ4w8Ppw1dfJCc4VaQhJ5gNn +uMU30mtTpiOBN9muNRrYCg== +-----END ENCRYPTED PRIVATE KEY----- 
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app1.crt b/qpid-test-utils/src/main/resources/ssl/certificates/app1.crt new file mode 100644 index 0000000..867005d --- /dev/null +++ b/qpid-test-utils/src/main/resources/ssl/certificates/app1.crt 
@@ -0,0 +1,74 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 4660 (0x1234) + Signature Algorithm: sha512WithRSAEncryption + Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA + Validity + Not Before: Jan 17 12:13:51 2020 GMT + Not After : Jan 17 12:13:51 2024 GMT + Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=app1@acme.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:d9:72:36:d1:3a:19:ce:4a:c0:58:95:21:1a:9f: + 90:e5:48:b9:06:e5:47:0c:8c:59:7d:45:9b:df:a7: + 5f:5d:42:e9:62:c6:95:d6:63:e2:03:ae:29:1c:3f: + a2:c5:89:32:72:b7:34:22:c8:fa:b5:c8:e4:59:47: + 3d:3c:4d:cf:c6:00:bd:76:69:d7:b7:a0:1f:4c:ea: + a3:fa:54:4d:cb:d8:c4:af:2c:57:5e:bf:c0:5a:a6: + 58:bb:4d:c5:46:41:e3:ec:c8:0e:f3:2c:28:ce:37: + 66:b9:7c:02:a1:7c:cd:95:16:96:b6:0d:9a:50:ed: + e7:a0:25:c7:88:59:bb:46:dc:9e:61:8c:46:5f:8e: + 6b:e4:ac:b2:4f:95:b2:b3:71:e5:5a:b9:2c:52:24: + 15:d8:57:98:aa:b5:17:2c:58:61:9f:cb:79:83:1d: + 2f:1f:73:37:b9:7a:ce:7d:f6:0c:74:26:24:fd:40: + 7e:a9:4d:69:21:30:8f:1d:5d:40:98:54:33:44:4c: + ae:14:f2:94:ab:d8:9f:93:9b:43:c4:12:96:0a:89: + 65:b7:de:37:0c:69:16:96:89:91:45:85:20:b3:50: + 44:89:29:ae:c9:8b:04:4b:a8:85:cd:6b:e6:7b:94: + 44:2b:02:ad:8e:42:c3:3a:41:2d:60:d4:13:0c:6a: + 47:73 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + X509v3 Key Usage: + Digital Signature, Non Repudiation, Key Encipherment + Signature Algorithm: sha512WithRSAEncryption + 48:74:83:6d:ee:96:77:ec:05:03:0d:63:9f:a7:4b:61:f9:c2: + c7:06:3e:ca:5f:db:1d:2b:0f:d2:06:5d:13:e7:a6:9b:9c:28: + 9a:d9:7b:e2:70:00:6b:f1:7c:a3:ce:82:84:c8:a8:cf:15:0c: + b2:03:8e:ab:c1:47:4c:c4:d2:6e:2f:e6:f7:60:f1:f9:92:d2: + f7:a5:60:a3:86:6b:a5:3f:95:ba:25:7a:2f:5c:b3:b2:30:44: + c5:df:e4:fd:74:c0:44:f3:c6:43:a7:fd:06:ed:b9:ab:a5:fb: + ce:9b:f2:5e:64:52:bc:bf:88:df:ca:d4:d5:e2:07:e9:86:15: + ea:40:01:4f:6d:e4:ed:5b:25:dc:30:28:c5:e4:98:e3:ba:e5: + 90:7a:4c:b5:d4:7c:ee:31:4d:64:bf:e9:c7:94:bb:87:88:3d: + 
c5:e3:6c:ab:96:26:de:a9:a3:af:fa:ca:e0:04:e0:50:d1:a0: + 40:79:26:8a:8e:bd:cd:f8:8d:58:14:2f:cf:17:48:5c:62:14: + 02:c4:5f:61:18:1a:b3:6e:c4:a0:03:5d:33:00:5a:e7:09:74: + 25:c9:9d:4a:cf:d3:5d:fe:4a:33:06:d7:ab:37:02:4f:5e:f3: + 8e:82:cc:1a:5b:6e:99:b6:96:0e:b7:f9:d8:03:91:04:a6:f3: + 22:84:85:b9 +-----BEGIN CERTIFICATE----- +MIIDODCCAiCgAwIBAgICEjQwDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMCQ0Ex +EDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFDTUUxETAPBgNVBAMMCE15Um9v +dENBMB4XDTIwMDExNzEyMTM1MVoXDTI0MDExNzEyMTM1MVowYTELMAkGA1UEBhMC +Q0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRvMQ0wCwYDVQQKDARhY21l +MQwwCgYDVQQLDANhcnQxFjAUBgNVBAMMDWFwcDFAYWNtZS5vcmcwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZcjbROhnOSsBYlSEan5DlSLkG5UcMjFl9 +RZvfp19dQulixpXWY+IDrikcP6LFiTJytzQiyPq1yORZRz08Tc/GAL12ade3oB9M +6qP6VE3L2MSvLFdev8Bapli7TcVGQePsyA7zLCjON2a5fAKhfM2VFpa2DZpQ7eeg +JceIWbtG3J5hjEZfjmvkrLJPlbKzceVauSxSJBXYV5iqtRcsWGGfy3mDHS8fcze5 +es599gx0JiT9QH6pTWkhMI8dXUCYVDNETK4U8pSr2J+Tm0PEEpYKiWW33jcMaRaW +iZFFhSCzUESJKa7JiwRLqIXNa+Z7lEQrAq2OQsM6QS1g1BMMakdzAgMBAAGjGjAY +MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMA0GCSqGSIb3DQEBDQUAA4IBAQBIdINt +7pZ37AUDDWOfp0th+cLHBj7KX9sdKw/SBl0T56abnCia2XvicABr8XyjzoKEyKjP +FQyyA46rwUdMxNJuL+b3YPH5ktL3pWCjhmulP5W6JXovXLOyMETF3+T9dMBE88ZD +p/0G7bmrpfvOm/JeZFK8v4jfytTV4gfphhXqQAFPbeTtWyXcMCjF5JjjuuWQeky1 +1HzuMU1kv+nHlLuHiD3F42yrlibeqaOv+srgBOBQ0aBAeSaKjr3N+I1YFC/PF0hc +YhQCxF9hGBqzbsSgA10zAFrnCXQlyZ1Kz9Nd/kozBterNwJPXvOOgswaW26ZtpYO +t/nYA5EEpvMihIW5 +-----END CERTIFICATE----- diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app1.csr b/qpid-test-utils/src/main/resources/ssl/certificates/app1.csr new file mode 100644 index 0000000..4fdf611 --- /dev/null +++ b/qpid-test-utils/src/main/resources/ssl/certificates/app1.csr 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICpjCCAY4CAQAwYTELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQH +DAdUb3JvbnRvMQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxFjAUBgNVBAMM +DWFwcDFAYWNtZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZ +cjbROhnOSsBYlSEan5DlSLkG5UcMjFl9RZvfp19dQulixpXWY+IDrikcP6LFiTJy +tzQiyPq1yORZRz08Tc/GAL12ade3oB9M6qP6VE3L2MSvLFdev8Bapli7TcVGQePs +yA7zLCjON2a5fAKhfM2VFpa2DZpQ7eegJceIWbtG3J5hjEZfjmvkrLJPlbKzceVa +uSxSJBXYV5iqtRcsWGGfy3mDHS8fcze5es599gx0JiT9QH6pTWkhMI8dXUCYVDNE +TK4U8pSr2J+Tm0PEEpYKiWW33jcMaRaWiZFFhSCzUESJKa7JiwRLqIXNa+Z7lEQr +Aq2OQsM6QS1g1BMMakdzAgMBAAGgADANBgkqhkiG9w0BAQ0FAAOCAQEAg+tk9HSB +Gyf0fBAsiIO7+eMbZF0tlefffheB9PpqqiIs1/JodRTGqRVYLbtDCXH1TJwdUOvt +7Gl/mvsatHtQdjnErBCdJP5y0xCzilv1hUIxWlq2yyu1hkXuPmRzqsUYKGMX0v45 +/U/ZpzMsBMtKi7wJIl66JCmXpYvT81ZVhQgVMhHzmiEpm/4KlTeeEWf7Jxj3UjRf ++9aO2OQuOPSpHr+G6uNqGTWRV7NydA810cjBb18NEg9/XIcJj4/2TarX0SyDzBGv +r6+gQRbf22hcyaDmcgt9vlw8SFs7TYwNXy4ictWd8MHYxGHiPe9D+MhzkJUTrBma +1zG8+NNJ0DygLw== +-----END CERTIFICATE REQUEST----- diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app1.jks b/qpid-test-utils/src/main/resources/ssl/certificates/app1.jks new file mode 100644 index 0000000..b421e69 Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/app1.jks differ diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app1.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/app1.self.crt new file mode 100644 index 0000000..63b33ae --- /dev/null +++ b/qpid-test-utils/src/main/resources/ssl/certificates/app1.self.crt 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDozCCAougAwIBAgIUYSaDt/eFmu0ZczpaY+2K7kJc4eEwDQYJKoZIhvcNAQEN +BQAwYTELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRv +MQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxFjAUBgNVBAMMDWFwcDFAYWNt +ZS5vcmcwHhcNMjAwMTE3MTIxMzUxWhcNMjAwMjE2MTIxMzUxWjBhMQswCQYDVQQG +EwJDQTELMAkGA1UECAwCT04xEDAOBgNVBAcMB1Rvcm9udG8xDTALBgNVBAoMBGFj +bWUxDDAKBgNVBAsMA2FydDEWMBQGA1UEAwwNYXBwMUBhY21lLm9yZzCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBANlyNtE6Gc5KwFiVIRqfkOVIuQblRwyM +WX1Fm9+nX11C6WLGldZj4gOuKRw/osWJMnK3NCLI+rXI5FlHPTxNz8YAvXZp17eg +H0zqo/pUTcvYxK8sV16/wFqmWLtNxUZB4+zIDvMsKM43Zrl8AqF8zZUWlrYNmlDt +56Alx4hZu0bcnmGMRl+Oa+Sssk+VsrNx5Vq5LFIkFdhXmKq1FyxYYZ/LeYMdLx9z +N7l6zn32DHQmJP1AfqlNaSEwjx1dQJhUM0RMrhTylKvYn5ObQ8QSlgqJZbfeNwxp +FpaJkUWFILNQRIkprsmLBEuohc1r5nuURCsCrY5CwzpBLWDUEwxqR3MCAwEAAaNT +MFEwHQYDVR0OBBYEFDYEXqxKZ8d1O/lU0TTKZlwxBGPQMB8GA1UdIwQYMBaAFDYE +XqxKZ8d1O/lU0TTKZlwxBGPQMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEN +BQADggEBALif7Y38a6ReCr+T/ZinfDpBySzVSFQXIqtz//hevSnkTHeVDlVl3Hn9 +gySwZvZ1pppJJVa8e16ogi1ohZI/EigxL39LxTKF+KdPldM2CCTT9BXu1COacjwD +nSvwoCHWy9i92H5IUL9OTh5fbpJ4Ju+pwKa/7/1B23azmQ/IPuAHe8/p16pLpcUF +yYSX+h72gP2MKzKFojMwM4qV0UtJwAk9+F0697laptLuKqO8chAP5BJIRWf9H8nk +RVXym7gWu5WOrzzqQwsKDQk++QypGrP+TF2CurPPgv2sr2p0SsNjmxvw6D06s/7Z +PQPRnjhce4CF3krMgMp8Nhp2faQS8Ko= +-----END CERTIFICATE----- diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app1.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/app1.self.key new file mode 100644 index 0000000..8fe81d7 --- /dev/null +++ b/qpid-test-utils/src/main/resources/ssl/certificates/app1.self.key 
@@ -0,0 +1,30 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIMs/xmAFq910CAggA +MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECFQMuA97cPERBIIEyAdrCuP9AqXI +BbH4JYW+D602QDOVO6xxi2FEhVyhd8k8ClQzSf0/G504i6uJu9WDYytjHYYqK5VR +ZMIHBnjJQ2DDFRn0A0wrWutzAbN4eYgbCUoMqKOv+GoV6kc6KOXuEXfZIDgPVPGT +qSD7gBX/UZMRHbs507Z88xHlKvT0bdHfMG0lRryJqKskT7ryx5baWT5uPJKlskx/ +e7xvwmyfLBGiyA2DohXtUZiD+I4/jVdYvf/Fv8+oA1XW8rwhVhFB/+GigOmMHoqG +CF10bbnlwq2S9/LyuNfnVBGX3qGiWcV6n7gGz0G3dx0hgcGWGzsIsx225DaL2ncO +4mQ/1y1aUb6xfXdsvI6awyGbqSrkp/55uQGJz91b0s4nPi6wnxQiGKx01WGdb0bO +wgZJWKS2sfWjOfoBIUe8tuebKbMUH8aZ5eQH1Ltd3PHDaSjRGVLJNSLiTJYmvNvi +qh+A6zzxtJDLfBRNV0llAliTWXA1R9b/FOZiVS+nTEZGzuhSRt5EWMooLVe9amLf +NcughTy/WguIQ3YfIsqkBfbMMmGPAf+ZPx25MpLL03vOUP33kZnyWIO+NMDmmhbx +oHyxdAcVYZOPv2wf5hsEULn3gLNtODBoeYMovlBTni7peYZisgtiwoJGijIHsCYH +vTnrsZx7yysY02U4PRou6XYt4NWikmPQQO1Jc8IDmfnn6mh0tTJDWRtO2Q7MGvMk +aZzwB2Im6/+HA78g5uI+gIoTeVyCXfwoMslnfmhfbb5k3V4NdJF/4nyJi1UlpDuY +rpJxSjbM9vObUcPTV8yM8zk3cOXjClqmWvv7uOW160pYHTjIyGY+RSKoZ4Hw+USo +igfkucH2EGiDljmRjmfS4qvTxT/4Vexqj7Rxnz7qQ1enOpVtGwM67eKFiY77VXIF +Ubm+GraXpNdoe+IJOH8ZlH/9fQO2qsu+d3k/7Gd8yl1nlagzDQSf9lGcCAvzWAD0 +FlbPJWxsMV7uAFtwNsk33VGOmVGiat7+E4o2UXa3LMGz9xwj0N5nSwWsUdVpbWtx +fim2PvcOmDex0ERPkD7I2gI0MF5YEGJ/UQwIeOOfnrgtI87W19yZMBH5CtyKIs4d +cQLhQUsQpc9QUA0eplH41wDJeSPoLiP1/4drOd/t9tOBU9TQLcOk5SiuTlvL7SII +gw1clk1LGhDkqbVTG1dDyNFlJ4yiqYJ9SfW1vCTAAQvpa0t1aVISVEDqyAxdgtyL +710+Nta62J1U2ErX8cXVUA+C1IWSYvR19KIAMArDYEHc7g5nsuOQ2PBKNqYUkXv5 +hBH1L+eYjuvxyy/K2ZizhELaCoZ5PSd18B0FbO2mt2qTe8RHPMgN83iUXoIXpaDw +67s9h2lrYUWNWjOsDv0r7e7l7TwiODNU9IojKBPmzWcIi4ghmsN15SsvWcVeqm26 +mRK/cs5tChLEtllmzuxzZJ1BRE7XbghuWk9y69mbTaEc0o3zjyJFWHNSNCjq/iKc +HSIauh/LPnHiFJmRxWwlDqUt1hbjlVp+1nFmMMbHlPZkW9dA+4O7rjG5b+8eA1zw +cp98RXTesA8Sg45+uwUHr2MlH88TQNenaxW0RsJJALl2zuqUt3VZIu122ccXcj3Q +Z2GhZP3EKpwXmoQEeiTwFg== +-----END ENCRYPTED PRIVATE KEY----- 
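Review bot: app1.crt in this hunk has only the Basic Constraints and Key Usage extensions and no CRL Distribution Points, unlike allowed_by_ca.crt, so with revocation checking enabled its outcome depends entirely on whether a CRL for MyRootCA is supplied out of band and whether soft-fail is on; if that is the intended negative or fallback case, record it in the generation script so a regenerated fixture does not silently acquire a CRL DP. The app1.self.crt/app1.self.key pair is again added without a text dump; decoding shows the same shape as for allowed_by_ca (self-signed with the same modulus as app1.crt, valid 2020-01-17 to 2020-02-16, critical CA:TRUE, 3DES-wrapped PKCS#8), so the same question about intent applies.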
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app2.crt b/qpid-test-utils/src/main/resources/ssl/certificates/app2.crt new file mode 100644 index 0000000..564fd86 --- /dev/null +++ b/qpid-test-utils/src/main/resources/ssl/certificates/app2.crt 
@@ -0,0 +1,74 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 4661 (0x1235) + Signature Algorithm: sha512WithRSAEncryption + Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA + Validity + Not Before: Jan 17 12:13:52 2020 GMT + Not After : Jan 17 12:13:52 2024 GMT + Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=app2@acme.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:b7:16:85:6e:de:f5:77:42:63:ec:72:b8:e3:a9: + 2f:b3:34:1a:68:5b:39:1b:74:8d:52:08:42:2f:a7: + 30:84:10:96:7c:83:13:52:f3:ef:47:23:8e:25:4f: + 32:2f:b8:1d:55:ec:fb:fb:95:75:9a:b5:04:83:67: + 7b:58:0a:29:71:c7:2d:ee:9c:44:02:90:62:dc:1e: + e4:d4:9e:c9:ac:3b:3e:74:cb:97:9f:c0:1b:ff:75: + 36:9b:4c:db:da:3f:eb:40:6e:f8:1c:a9:01:54:02: + f9:2f:1c:59:51:61:84:51:68:b0:64:2c:11:0c:2b: + 08:22:9f:c1:00:06:36:15:02:bb:ad:9c:3b:b8:93: + 15:59:cd:d7:62:80:9f:20:a4:a2:7d:46:a5:00:98: + 16:20:48:49:be:08:d7:b2:9d:cf:40:3b:e2:a0:2d: + be:bb:3d:e1:2b:cc:e4:f8:29:f0:a8:5b:cc:18:35: + f7:13:a8:2e:16:32:65:35:94:73:7e:34:a3:97:65: + 53:42:41:85:73:eb:36:8f:88:fc:4e:2d:79:ac:12: + df:60:fc:49:d9:71:3f:88:f3:b4:21:66:4e:34:91: + 6e:ca:5f:93:81:c6:f6:b8:b0:55:fd:73:bb:3f:4b: + d3:2a:a9:d9:57:88:d1:4b:14:10:1e:d3:eb:fb:0c: + b9:d3 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + X509v3 Key Usage: + Digital Signature, Non Repudiation, Key Encipherment + Signature Algorithm: sha512WithRSAEncryption + f0:b6:a8:e1:86:fd:b9:2c:1b:72:d1:0f:8c:10:97:d0:15:e5: + cd:aa:4a:c0:71:fd:3d:48:fc:ca:d9:1e:53:06:c2:7f:a6:f8: + 57:02:c3:7c:a9:1b:7c:17:d6:2e:48:50:8a:6b:ff:90:2e:19: + 03:c7:b7:31:27:04:ce:8c:e0:2d:43:6d:ca:d6:bd:b3:c9:ea: + 66:6e:48:d8:ca:1c:ca:ee:2c:41:58:40:08:55:0e:4c:38:4d: + f6:16:14:fd:78:30:c6:73:88:cd:ba:ce:5d:25:df:cf:79:45: + d7:b8:51:b9:c6:9d:db:8a:82:35:ac:09:ee:2e:73:7e:86:8d: + 23:d0:39:16:40:5e:10:4b:ba:d9:63:18:b3:40:43:19:35:49: + 5d:7b:55:0a:9e:3a:f3:ae:33:0e:9b:4f:d1:07:16:33:32:d7: + 
4f:c2:43:35:31:4d:e6:39:f2:8a:12:fa:6b:ab:4b:dc:aa:18: + cb:db:df:b5:9f:58:ff:54:bc:de:af:c9:55:04:6a:60:47:68: + 4d:18:15:51:2b:87:c3:aa:d9:86:f0:2d:42:ea:23:f8:30:59: + c7:4f:5d:84:e9:b0:5c:35:a6:63:c4:e0:66:c7:d8:fa:2c:17: + 50:af:59:a9:38:9a:d8:3b:53:e6:3e:ea:bd:c0:51:d3:e3:fd: + 9d:3b:94:51 +-----BEGIN CERTIFICATE----- +MIIDODCCAiCgAwIBAgICEjUwDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMCQ0Ex +EDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFDTUUxETAPBgNVBAMMCE15Um9v +dENBMB4XDTIwMDExNzEyMTM1MloXDTI0MDExNzEyMTM1MlowYTELMAkGA1UEBhMC +Q0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRvMQ0wCwYDVQQKDARhY21l +MQwwCgYDVQQLDANhcnQxFjAUBgNVBAMMDWFwcDJAYWNtZS5vcmcwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3FoVu3vV3QmPscrjjqS+zNBpoWzkbdI1S +CEIvpzCEEJZ8gxNS8+9HI44lTzIvuB1V7Pv7lXWatQSDZ3tYCilxxy3unEQCkGLc +HuTUnsmsOz50y5efwBv/dTabTNvaP+tAbvgcqQFUAvkvHFlRYYRRaLBkLBEMKwgi +n8EABjYVArutnDu4kxVZzddigJ8gpKJ9RqUAmBYgSEm+CNeync9AO+KgLb67PeEr +zOT4KfCoW8wYNfcTqC4WMmU1lHN+NKOXZVNCQYVz6zaPiPxOLXmsEt9g/EnZcT+I +87QhZk40kW7KX5OBxva4sFX9c7s/S9MqqdlXiNFLFBAe0+v7DLnTAgMBAAGjGjAY +MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMA0GCSqGSIb3DQEBDQUAA4IBAQDwtqjh +hv25LBty0Q+MEJfQFeXNqkrAcf09SPzK2R5TBsJ/pvhXAsN8qRt8F9YuSFCKa/+Q +LhkDx7cxJwTOjOAtQ23K1r2zyepmbkjYyhzK7ixBWEAIVQ5MOE32FhT9eDDGc4jN +us5dJd/PeUXXuFG5xp3bioI1rAnuLnN+ho0j0DkWQF4QS7rZYxizQEMZNUlde1UK +njrzrjMOm0/RBxYzMtdPwkM1MU3mOfKKEvprq0vcqhjL29+1n1j/VLzer8lVBGpg +R2hNGBVRK4fDqtmG8C1C6iP4MFnHT12E6bBcNaZjxOBmx9j6LBdQr1mpOJrYO1Pm +Puq9wFHT4/2dO5RR +-----END CERTIFICATE----- diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app2.csr b/qpid-test-utils/src/main/resources/ssl/certificates/app2.csr new file mode 100644 index 0000000..d97b9ff --- /dev/null +++ b/qpid-test-utils/src/main/resources/ssl/certificates/app2.csr 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICpjCCAY4CAQAwYTELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQH +DAdUb3JvbnRvMQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxFjAUBgNVBAMM +DWFwcDJAYWNtZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3 +FoVu3vV3QmPscrjjqS+zNBpoWzkbdI1SCEIvpzCEEJZ8gxNS8+9HI44lTzIvuB1V +7Pv7lXWatQSDZ3tYCilxxy3unEQCkGLcHuTUnsmsOz50y5efwBv/dTabTNvaP+tA +bvgcqQFUAvkvHFlRYYRRaLBkLBEMKwgin8EABjYVArutnDu4kxVZzddigJ8gpKJ9 +RqUAmBYgSEm+CNeync9AO+KgLb67PeErzOT4KfCoW8wYNfcTqC4WMmU1lHN+NKOX +ZVNCQYVz6zaPiPxOLXmsEt9g/EnZcT+I87QhZk40kW7KX5OBxva4sFX9c7s/S9Mq +qdlXiNFLFBAe0+v7DLnTAgMBAAGgADANBgkqhkiG9w0BAQ0FAAOCAQEAYykrDIFO +fbRXKcoh07aCAkW2KBX1L+wkCDWBQO2NQH0uvRducLHLQTF7EYjTUQ2WbOXDJLCT +1NbtANvxU5xNJsforHGTZCGvQqMSMMlwe8mr82ttCMcQwGkmpq8FlGsD+3JpYZPI +Yb20yvmXk2jIvCK44axyMgHUgHMdoT6BrX5YFC993gjfKu3CpEEIMuFidulM/vEY +WiNhnlBBpHN3ijrWn8BVc81VI6jP0z23nKMYgayaGIZ7GQOI3Rmk/WIowU68D+Ac +X4AhDZaofAGejybD2yABPE07/2IPHEXotWgKSHwDJCLU6VpUX3MePqLwDjA8tW8y +jfmnHdB1vIy8NQ== +-----END CERTIFICATE REQUEST----- diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app2.jks b/qpid-test-utils/src/main/resources/ssl/certificates/app2.jks new file mode 100644 index 0000000..56d2a8a Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/app2.jks differ diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app2.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/app2.self.crt new file mode 100644 index 0000000..c472d16 --- /dev/null +++ b/qpid-test-utils/src/main/resources/ssl/certificates/app2.self.crt 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDozCCAougAwIBAgIULw9lb2weHwTmE11idVFtoGtBm+YwDQYJKoZIhvcNAQEN +BQAwYTELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRv +MQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxFjAUBgNVBAMMDWFwcDJAYWNt +ZS5vcmcwHhcNMjAwMTE3MTIxMzUyWhcNMjAwMjE2MTIxMzUyWjBhMQswCQYDVQQG +EwJDQTELMAkGA1UECAwCT04xEDAOBgNVBAcMB1Rvcm9udG8xDTALBgNVBAoMBGFj +bWUxDDAKBgNVBAsMA2FydDEWMBQGA1UEAwwNYXBwMkBhY21lLm9yZzCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBALcWhW7e9XdCY+xyuOOpL7M0GmhbORt0 +jVIIQi+nMIQQlnyDE1Lz70cjjiVPMi+4HVXs+/uVdZq1BINne1gKKXHHLe6cRAKQ +Ytwe5NSeyaw7PnTLl5/AG/91NptM29o/60Bu+BypAVQC+S8cWVFhhFFosGQsEQwr +CCKfwQAGNhUCu62cO7iTFVnN12KAnyCkon1GpQCYFiBISb4I17Kdz0A74qAtvrs9 +4SvM5Pgp8KhbzBg19xOoLhYyZTWUc340o5dlU0JBhXPrNo+I/E4teawS32D8Sdlx +P4jztCFmTjSRbspfk4HG9riwVf1zuz9L0yqp2VeI0UsUEB7T6/sMudMCAwEAAaNT +MFEwHQYDVR0OBBYEFGRnSSgAdfPDfjACvy7JWsifafjeMB8GA1UdIwQYMBaAFGRn +SSgAdfPDfjACvy7JWsifafjeMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEN +BQADggEBADAWS3rkEAo9y3hsXRMy9nfEx0LIRzMILeRSCc87QlUKKxYGph9AQ0QJ +JWljYjM0Dg11ByrNVBODL7E62MX3hWKxYRPv44J6jQgbg9pBINdxFR1MwvtRSYtz +069YduP0Ws8FVB35U8dvSFOgOBWhXCh5QTPznkAmopPr/QQxcjQnPWWpmadjNc3x +EBDwoHyigne+zBcUVQiaKgN2YbvTbB7WzEidHWrPOcXv7JH/PbZNfwGrG4SJLH92 +uvgBwyOi/dwplcTAfDE+PuRDLOBAyht30XCwpWHjG2HINx0N2esvG8g/v5J3USRo +jU0wSLthobqjv6/mJkIAfdbkPSrY9p0= +-----END CERTIFICATE----- diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app2.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/app2.self.key new file mode 100644 index 0000000..64544a9 --- /dev/null +++ b/qpid-test-utils/src/main/resources/ssl/certificates/app2.self.key 
@@ -0,0 +1,30 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIEndyItP4BKwCAggA +MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECBjmbsUCrUCTBIIEyDtTeDzGARWT +w5X6wVjcwmvf/Vw2cczX8MUBWNkIHGSNTDHv6IlFxYA6SXCMy12OpaJiHr6CGp9A +juyBn6C8AsKHxSgoMrImSt5RGRCQSSkq9bCpPGQR7/l6X+Z5yVG9XJYRxK6vXIG4 +mfkcIq2E5sV89v79aISvotXvTeVUfd++6CPahzpf6zZ6rKLp7AWIcZF5qQG+5Gdk +1q5iOCcZtT04LQsAcEJCM8GQoXNDNTHwDvWi9DZ+yry0kTn0Lz8QMXOhVqf8gJKa +/vded9cixbXk5QNQgFswZOSeEB7hWpT88VLoKl6VJOCGPERtyUMhwal/IvMX98Ad +LDUBGd13WjP3EA3yAOI/W4V3TPJVJZD4xKgqhU+gnohfl1XU+evOu5+HxbDczAp1 +QyN0ni325c/jgXfcihN9AZrAviMz4GZLj55uTSmtCUaug8CCwRu5uxdmmA4BJCl1 +iFJmZzZIvqw5R9BIsu63/xHZYiYAvNDdIvBmJqPz2ka+vSWbGRT1bqkrpos/6LtU +griby3OtfvyvNbWokQymDBHVxYZokio26UIrc4Z2IUsS0354J+GyOiZ0oFe1DfTs +1taEQGgTWsfJpRs+xNjaImhPN5AJZRKLgzsOqXLZofYiv/Rexq1AaZTGMzr6xt3Y +QL0+q7KJ3DBAQxkST4ARo6bVNb9MPgOjXDpvvjJOfbuwR1jlgSHBFM4OBEEI5xV3 +avurI3pE+GnXY+lJCeuSwATnxeUJoHzcUn6QmdkB8Li20ovzXJs8PgBq/dD2rG4d +tkMUnwsd0dwmYaDVstM9awkP1+EvzZ2O3wiHzqE2jE1bRNIj+8bKSWxSCrF9tGi1 +YCDLCGk0BTaNCaaIFFxNTxgE81GsrgqQvfLCsUljF04Lbj/ZvzcLdW82FkFSjUBa +Z7sXwq8NOJsGjVp8Akwf4Z702PZVnj/lV25PLj53ayRcvnO2PLkLdwdVLJyFt6ES +CelAz1d2ejww1NKj+ipJuQ9Yun1d+21HBLQGYCnST/rzet+JcuQMw0QIQBvVioLZ +KS1V/yi/u5Rvos7x3RQyIJITY4HP9tvTKftdIW3M5nEkMNuHHAcZUrv83YJkzt1T +1Sd/qVOupGHA/DYvUVPn0v48XxRjWF/jpf1Jdd4EeuYIYRmZH0I3wRvuc0qyT6nV +CxoART7gzaLeWYLx67gaSguojYbCzWRnBSBAq/Wy2fcHMKZ7DywMWJwn0dqofeuM +ZABB2jWKGuHLrM3wfzcGJLIlaHG0RESn8ThqwMODRaqTgxQP0y4E2CabDSeco6fK +g8InlTKlHxB6u2AcDpPTeBh9om7AXvs7iT0rWrhEU7FxCr7NjAHaQBMmltS4uv9q +wNZ0uqg++s5wIr9dzkBNjEJvk89HKtkLwYQgie9OdbaQEz0xV3S06ChvaH0nXtQu ++/K4Gw2yR8mLA3TCHSlNe/q5daRNhjXzmX2erK5u8UsZFU6Ln6M+kvbYvtlG6rSR +N7njPcUwCa+juvP8LxQEJUE3OgWeLM/0S2LiJz69XnCHz886VAoMETIs7sgfI0lP +I2qgD/sB7eFgsPPstZyIf41PVssf+03vZ8lCLUqnZuDLLZO/l//CDRdBWIZvJ8pk +pRdP0ZJdSqZryf9eSBfnRQ== +-----END ENCRYPTED PRIVATE KEY----- 
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker.crt b/qpid-test-utils/src/main/resources/ssl/certificates/broker.crt new file mode 100644 index 0000000..ca6dc2f --- /dev/null +++ b/qpid-test-utils/src/main/resources/ssl/certificates/broker.crt 
@@ -0,0 +1,74 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 4662 (0x1236) + Signature Algorithm: sha512WithRSAEncryption + Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA + Validity + Not Before: Jan 17 12:13:57 2020 GMT + Not After : Jan 17 12:13:57 2024 GMT + Subject: C=CA, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=localhost + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:d2:28:a5:31:6e:85:97:8a:39:c0:8a:21:ab:bf: + cf:93:39:03:cb:63:6b:f3:47:6d:3f:50:24:06:bb: + 3d:25:14:cc:b2:d3:50:62:1a:71:18:5a:98:97:8f: + fa:45:70:ca:b8:98:9c:60:78:03:c8:a7:2a:b2:d7: + 53:e3:b2:71:52:b0:7a:0f:12:42:63:a7:2f:d9:c0: + bc:50:da:5b:3c:52:ac:bf:fa:6e:c4:80:f7:b7:e2: + e9:53:53:55:95:24:72:de:63:2f:59:dd:8e:8a:13: + 11:17:44:03:41:c0:95:f9:8b:dc:05:e9:1e:ab:3b: + 72:e8:b1:5c:c0:0a:ed:c9:11:6e:30:79:65:71:e8: + 3d:2c:c0:0a:5c:dc:92:22:1b:f7:06:2e:f4:7d:1f: + ea:c5:a5:57:91:1d:f2:f6:44:f1:bd:25:f2:1d:fe: + a0:68:d1:38:7e:5f:0a:5d:37:47:f9:ca:9b:c0:0c: + a9:ae:7f:e4:0b:cd:85:e5:8b:91:6e:35:74:f7:6b: + 04:a3:10:67:1c:fd:bf:c2:1c:2a:dc:a7:04:93:98: + 48:03:cc:8f:fc:d7:65:8c:d1:9f:07:63:0b:04:86: + 01:d7:37:c7:a2:6d:4e:04:cb:a0:2f:ea:23:2a:59: + ff:f0:b7:16:fc:fb:56:9c:4a:2f:e2:8b:3f:ad:25: + 53:19 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + X509v3 Key Usage: + Digital Signature, Non Repudiation, Key Encipherment + Signature Algorithm: sha512WithRSAEncryption + dc:c9:fd:ca:91:81:b8:18:33:c5:bb:0d:f0:cf:88:ba:92:21: + 73:1f:9d:bb:98:9b:e6:09:fd:92:ff:c2:58:23:01:97:a4:09: + 8b:d7:63:b6:63:f4:fd:96:f7:ef:5a:f3:be:15:92:72:15:2c: + 7c:e7:d5:e1:13:cc:70:19:87:c5:c9:13:83:7c:28:ad:02:16: + 11:6a:ab:b6:80:41:ca:6e:5b:89:48:42:27:74:e3:44:a1:51: + 3b:f3:e0:b9:11:45:75:f8:d1:eb:9a:1d:04:7c:e1:26:be:55: + b5:98:d5:0b:38:24:67:78:3e:f0:52:5a:2c:72:77:02:0a:78: + f5:73:24:26:73:c6:1a:62:8c:e1:5d:61:71:40:e7:1f:de:f6: + 
39:a4:c5:84:c8:b6:d8:2f:b1:1d:19:bf:25:75:9f:1f:a9:7d: + 09:52:80:dc:6c:8a:40:d9:cc:cb:99:db:e8:85:6b:dc:49:fd: + 68:2e:71:d1:a8:ad:10:cb:28:1a:cd:04:c6:63:cf:11:30:18: + 7c:4f:71:f3:70:84:ed:8d:e8:b8:2e:df:b2:a3:7d:68:64:28: + 26:5c:1f:ec:1e:db:90:09:7f:40:cd:55:bd:1b:27:bd:34:6f: + 82:9b:a9:83:fb:0a:67:66:50:32:5d:c6:06:82:cc:83:35:22: + ee:88:7d:b8 +-----BEGIN CERTIFICATE----- +MIIDQDCCAiigAwIBAgICEjYwDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMCQ0Ex +EDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFDTUUxETAPBgNVBAMMCE15Um9v +dENBMB4XDTIwMDExNzEyMTM1N1oXDTI0MDExNzEyMTM1N1owaTELMAkGA1UEBhMC +Q0ExEDAOBgNVBAgMB1Vua25vd24xEDAOBgNVBAcMB1Vua25vd24xEDAOBgNVBAoM +B1Vua25vd24xEDAOBgNVBAsMB1Vua25vd24xEjAQBgNVBAMMCWxvY2FsaG9zdDCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANIopTFuhZeKOcCKIau/z5M5 +A8tja/NHbT9QJAa7PSUUzLLTUGIacRhamJeP+kVwyriYnGB4A8inKrLXU+OycVKw +eg8SQmOnL9nAvFDaWzxSrL/6bsSA97fi6VNTVZUkct5jL1ndjooTERdEA0HAlfmL +3AXpHqs7cuixXMAK7ckRbjB5ZXHoPSzAClzckiIb9wYu9H0f6sWlV5Ed8vZE8b0l +8h3+oGjROH5fCl03R/nKm8AMqa5/5AvNheWLkW41dPdrBKMQZxz9v8IcKtynBJOY +SAPMj/zXZYzRnwdjCwSGAdc3x6JtTgTLoC/qIypZ//C3Fvz7VpxKL+KLP60lUxkC +AwEAAaMaMBgwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwDQYJKoZIhvcNAQENBQAD +ggEBANzJ/cqRgbgYM8W7DfDPiLqSIXMfnbuYm+YJ/ZL/wlgjAZekCYvXY7Zj9P2W +9+9a874VknIVLHzn1eETzHAZh8XJE4N8KK0CFhFqq7aAQcpuW4lIQid040ShUTvz +4LkRRXX40euaHQR84Sa+VbWY1Qs4JGd4PvBSWixydwIKePVzJCZzxhpijOFdYXFA +5x/e9jmkxYTIttgvsR0ZvyV1nx+pfQlSgNxsikDZzMuZ2+iFa9xJ/WgucdGorRDL +KBrNBMZjzxEwGHxPcfNwhO2N6Lgu37KjfWhkKCZcH+we25AJf0DNVb0bJ700b4Kb +qYP7CmdmUDJdxgaCzIM1Iu6Ifbg= +-----END CERTIFICATE----- diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker.csr b/qpid-test-utils/src/main/resources/ssl/certificates/broker.csr new file mode 100644 index 0000000..d459aab --- /dev/null +++ b/qpid-test-utils/src/main/resources/ssl/certificates/broker.csr 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICrjCCAZYCAQAwaTELMAkGA1UEBhMCQ0ExEDAOBgNVBAgMB1Vua25vd24xEDAO +BgNVBAcMB1Vua25vd24xEDAOBgNVBAoMB1Vua25vd24xEDAOBgNVBAsMB1Vua25v +d24xEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBANIopTFuhZeKOcCKIau/z5M5A8tja/NHbT9QJAa7PSUUzLLTUGIacRha +mJeP+kVwyriYnGB4A8inKrLXU+OycVKweg8SQmOnL9nAvFDaWzxSrL/6bsSA97fi +6VNTVZUkct5jL1ndjooTERdEA0HAlfmL3AXpHqs7cuixXMAK7ckRbjB5ZXHoPSzA +ClzckiIb9wYu9H0f6sWlV5Ed8vZE8b0l8h3+oGjROH5fCl03R/nKm8AMqa5/5AvN +heWLkW41dPdrBKMQZxz9v8IcKtynBJOYSAPMj/zXZYzRnwdjCwSGAdc3x6JtTgTL +oC/qIypZ//C3Fvz7VpxKL+KLP60lUxkCAwEAAaAAMA0GCSqGSIb3DQEBDQUAA4IB +AQCteBfB/t9udR7E2RYZHdSICnrrXC7oOcMbNXv/eq2FtHV5XnqglvGsyzzHkE2/ +aGqZUvyOJqrA+m2QCg0Qtq6WvDV10Qbaebr921tQMlVQxeLd/AkGBZOC0Z9Wi+ne +r/9ODUm/MBp3PbiKOdEhb3gXIsa+CqSHl6qaCtwIcGtY2UW/jr078H0eTML0rh6C ++BW275y6ApXSiSS5IKrCd6Dfto7Vh0ZakCIOmz3cCM3+VGTn0cXF6mFDyu7bA6gw +8QdBET9nzbyrwfnH/vSVh5YxNHIj+A1NZlphHyJslYaW4lg2GAbGsdqAK1dW11Ph +OGI7Qjr59HrsFYjFRr4+42Se +-----END CERTIFICATE REQUEST----- diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker.jks b/qpid-test-utils/src/main/resources/ssl/certificates/broker.jks new file mode 100644 index 0000000..af8d5d2 Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/broker.jks differ diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/broker.self.crt new file mode 100644 index 0000000..03db86e --- /dev/null +++ b/qpid-test-utils/src/main/resources/ssl/certificates/broker.self.crt 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDszCCApugAwIBAgIUOJtin1zcTHJQCk3RtZJyDaL0O+QwDQYJKoZIhvcNAQEL +BQAwaTELMAkGA1UEBhMCQ0ExEDAOBgNVBAgMB1Vua25vd24xEDAOBgNVBAcMB1Vu +a25vd24xEDAOBgNVBAoMB1Vua25vd24xEDAOBgNVBAsMB1Vua25vd24xEjAQBgNV +BAMMCWxvY2FsaG9zdDAeFw0yMDAxMTcxMjEzNTdaFw0yMDAyMTYxMjEzNTdaMGkx +CzAJBgNVBAYTAkNBMRAwDgYDVQQIDAdVbmtub3duMRAwDgYDVQQHDAdVbmtub3du +MRAwDgYDVQQKDAdVbmtub3duMRAwDgYDVQQLDAdVbmtub3duMRIwEAYDVQQDDAls +b2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSKKUxboWX +ijnAiiGrv8+TOQPLY2vzR20/UCQGuz0lFMyy01BiGnEYWpiXj/pFcMq4mJxgeAPI +pyqy11PjsnFSsHoPEkJjpy/ZwLxQ2ls8Uqy/+m7EgPe34ulTU1WVJHLeYy9Z3Y6K +ExEXRANBwJX5i9wF6R6rO3LosVzACu3JEW4weWVx6D0swApc3JIiG/cGLvR9H+rF +pVeRHfL2RPG9JfId/qBo0Th+XwpdN0f5ypvADKmuf+QLzYXli5FuNXT3awSjEGcc +/b/CHCrcpwSTmEgDzI/812WM0Z8HYwsEhgHXN8eibU4Ey6Av6iMqWf/wtxb8+1ac +Si/iiz+tJVMZAgMBAAGjUzBRMB0GA1UdDgQWBBR++4fRzlzZ2FNRkZ4QomvvNKVS +ITAfBgNVHSMEGDAWgBR++4fRzlzZ2FNRkZ4QomvvNKVSITAPBgNVHRMBAf8EBTAD +AQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAb0ajrigWwT+KZwq2vfuZX8Xt4XQGclH8E +PoNgT3johckZMmTYUccCPN/+qWbNigmOWpo8VKHAAAqHU+RoGG4/eVdd6Il4Q10b +wgHVY1JA3LOmDmjGEV6kVNOiIuCEhoiN5YLG9THUY9a/SJj+MGMsKpmdDUmmX02b +9PHOgc6pAwCm3/hO/XyUjQZxuaB7aDUpaL+pA//6lEVk/n5PzG8IAi33Cp9AEMlZ ++6/eCb/eMZ4yoR5cQNi+l6l3ifONEDe6uJ+Wk7ahSbKTi5Maoddt5BER2jmRCDbr +yNfRBcK2iMHVtTPMI3P9OOmudEYSFOJOdRUZpmGmAuTeuCganQjb +-----END CERTIFICATE----- diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/broker.self.key new file mode 100644 index 0000000..5ccb683 --- /dev/null +++ b/qpid-test-utils/src/main/resources/ssl/certificates/broker.self.key 
@@ -0,0 +1,30 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIuBQNMa898kwCAggA +MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECCeLmeQ7xDnuBIIEyMsJVjaLP/XS +nEhHrGp0Xr0AkP0ZhqN8ZUPoaL8RQCXe14tYY4LjB3NANSxCLO8i6yKyvlG6KZyK +e5vyqlH4q41AUG5lo4Q3fDFNMP0ilgKusFE06ju1UhKf4TiElO6xxhq+ZuOsunME +y2akyYz4khl6YrqQl6vDIN0/WYFprbh0iT66WCwe8/Bc0JBCn053pwWiqUNJXoXn +EXytxqTYVP2H/H87M/I0vrweu5rZyxnk3HvBoJbyBrJTsZn4VFS+cIC2E4YADjD7 +qfq7iIyv94/EdqvJmQH5XttfZ/7amj+XvxLOoYtyuOOagSWrlDJm6vATSJd7G1mj +soxHdd5hGZ4lpvFFrXjWR35PeBUUqihfkZ1cnGs4TRJZL3T+bvYdcfAEA3oxdSLh +QKwbsY3j/LJRqGHIAzE4z82F/nEltHTHohwYKDE0D5nn58wqhD1IImHmd2uQu6SJ +kGmHLlzbZiFz4mvqk1Tk63zoeKwioQgXj0OA2KJSV7Oz5nPB4O+/5jfu7jiL31Hh +FEleRvTfBslTwnF6NSR74uVGSQt/CsWDOR/Ok70oSa2Ddy8Lty9e4LXSmhNGqaf1 +fFAt1E35ZQrZ5TIMjwlU2AgOS8znhMBLuAfZdCPogSbmPYMAI5b7yYwPih/2qywc +Qxq9SBdqGditdyTliBYPpmJrx8lrhcO6aXjFVuUH5X5NGXs+xiY2V6ppFdlVepXa +c5WfZzLqYrNdGp5nd8n831/7m1LS9zqXSgb3uz3axppIgT94BSamlyBLPv2xKVaZ +wxZlh5rtgV9Udl2ocFyOUnXBLRapMEje57e44ShcoLr8F1S7Yi5q7gCg7eqfnrm2 +AOqJ3ZpYnDPRvo3PyW1mg6q/k/RF6BEdXcb8lM+KhGBRwufC8ym12RKwjcI8EK5w +OB5LxjpH6we5RpVdTPnpJl0TvBEqh2LiWMpshHoK7NWCtr7vNI4KAn4nu01uofwC +lEYFdr57I+0SawADff/ENRNqXgMsAbPvwFsaoq9cLZc71ugu4vrD+drkPrwO9eXR +ailGVJfdgp6UqreLuVvDuQIQNr3Qagj0ujWw10usrBK9qdtpN60Eeuhch2l4ajLh +WjwzJrRZ6g1bC5hH9U94XW0mJ7f/6BMzdGKDoBQ7zbxLSrsc/oTpTFaki5ICW9Mv +WhF9yRCVS0Gcxu+sOZcvjZsVqGV5zqSRtWnjURMDddX79XGPEvAOSubsYjOhK49U +78R/m/4FfrRQl4pTuTCGYUqDnLXPTxWMJJ5vEDrWTx26cGrBTsiBg7/gbn5CqSAA +l0vDfpFNCJ9vyHoeEhEc8aBRz9hklHCDm1wIWXfwYnsE4L3V2qp/0WKvj9NHXE5C +6FWYzr33ImsqEuavLXsFer2ZVF/Y38f8HNj9z5hg77YTbZNCg5jHYfMPunEGikCo +B5jwen7DSt6zZOH91dncir8XcgGOXY0XocE6aalDGit01lFDPFPNc0aGsyA2m6Be +4CNxVbfNkHZBtY8A4Q+Invij7vVUG0Afc7vDc595JsJ4m0sHmkQ3xLJVfhV8APXD +pQXbv9o0HDPjb45irIex8WMitj/lU60FuSMjDd0DElA18ImR+4tBPWjXvxZeRkgd +k/8a1P4XOl42rFaN1YOWhw== +-----END ENCRYPTED PRIVATE KEY----- 
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker_expired_truststore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/broker_expired_truststore.jks new file mode 100644 index 0000000..077274a Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/broker_expired_truststore.jks differ diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/broker_keystore.jks new file mode 100644 index 0000000..e789738 Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/broker_keystore.jks differ diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker_peerstore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/broker_peerstore.jks new file mode 100644 index 0000000..b306a9f Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/broker_peerstore.jks differ diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker_truststore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/broker_truststore.jks new file mode 100644 index 0000000..2bc0f4f Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/broker_truststore.jks differ diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/chain_with_intermediate.crt b/qpid-test-utils/src/main/resources/ssl/certificates/chain_with_intermediate.crt new file mode 100644 index 0000000..f9dd3e3 --- /dev/null +++ b/qpid-test-utils/src/main/resources/ssl/certificates/chain_with_intermediate.crt 
@@ -0,0 +1,105 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 4665 (0x1239) + Signature Algorithm: sha512WithRSAEncryption + Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA + Validity + Not Before: Jan 17 12:14:01 2020 GMT + Not After : Jan 17 12:14:01 2024 GMT + Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=intermediate_ca@acme.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:cd:1b:03:cd:bb:56:19:11:47:00:bd:f2:60:d8: + 31:34:9e:06:cf:9c:1e:59:27:c1:99:c0:73:b3:14: + 90:09:c5:8b:3c:fa:27:5f:54:fb:0a:0c:49:1c:f4: + 6f:7e:82:8b:c9:d8:a3:6b:a3:9b:0d:f4:4c:ec:95: + 47:f1:55:d7:a3:e3:61:0f:dd:32:07:cf:d9:ed:01: + 58:aa:4f:d8:be:0a:18:cd:08:f6:6c:ee:5b:20:9c: + fe:55:97:08:99:52:86:2c:d0:6e:5a:db:6d:14:17: + 87:e4:e0:d9:ec:9d:22:7c:04:89:d4:5f:b4:fd:73: + 9f:82:29:92:97:30:c7:9c:73:d1:a2:8b:0a:02:39: + 02:7e:c2:c6:c7:05:1d:16:97:e7:40:54:8b:cb:33: + 44:41:b0:44:5b:64:c6:21:8e:89:75:1d:c2:84:a0: + 90:48:c6:9b:ab:36:b5:06:cc:c4:48:d6:64:c6:af: + f8:c1:40:ee:10:18:6a:20:ca:ca:d9:11:78:8f:56: + 50:8c:04:01:28:a4:da:f4:d4:d1:50:03:47:3f:9b: + b5:5b:e6:25:9f:85:4d:2b:b6:ad:21:4d:97:d2:53: + 00:bf:51:63:c2:4d:aa:49:04:81:ab:b5:97:c6:bf: + 82:02:94:ef:04:b7:bd:43:50:26:cc:53:eb:ab:75: + d4:0b + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 CRL Distribution Points: + + Full Name: + URI:http://localhost:8186/MyRootCA.crl + + X509v3 Subject Key Identifier: + FF:6A:19:05:FF:1A:9B:17:7C:72:5F:9F:8C:42:B0:15:DC:6F:D4:E2 + X509v3 Authority Key Identifier: + keyid:D8:34:F2:4C:A5:AC:01:A4:3B:54:66:AA:F7:DB:C3:C1:F2:BF:E6:CC + + X509v3 Basic Constraints: critical + CA:TRUE + Signature Algorithm: sha512WithRSAEncryption + 4a:7b:89:b1:f3:db:79:bf:c6:2d:6c:82:f3:3c:4e:33:ca:72: + a8:5c:68:a8:f5:09:81:03:07:90:c1:dc:29:06:17:c4:f4:b7: + cb:7b:65:2f:68:23:68:ce:b6:f6:96:2e:6d:84:35:6a:9f:e4: + c2:46:50:81:df:e5:cc:fb:2e:73:6b:83:2d:41:9f:92:14:32: + 
d5:52:60:32:13:02:3e:c3:35:0b:fa:58:c2:3b:4a:17:a5:87: + c8:ca:ba:c6:11:94:9c:1a:d5:d9:23:22:62:0d:a6:19:b4:54: + cb:0f:a4:a4:d0:24:a3:bc:3c:7d:af:e7:cb:45:22:ac:b8:f4: + b7:f2:64:09:1a:27:b7:ab:1a:26:3b:f1:b2:8a:5f:36:21:a2: + 30:9d:ed:8a:3b:7a:2b:ab:97:99:aa:d0:7d:b6:85:46:11:d2: + d7:5b:ba:64:6b:b1:27:85:55:10:be:44:bf:4b:80:75:ff:cf: + 7a:6b:65:86:4f:50:40:7c:38:e4:3a:3b:9d:1d:be:79:31:5e: + b5:30:ae:b2:2c:bb:de:a0:ae:f1:90:d3:69:f9:d8:3a:82:d4: + 71:aa:92:0f:f1:33:60:2b:3c:76:e5:08:4c:e5:32:23:45:97: + 68:aa:11:92:88:48:02:bf:e2:59:8d:67:91:a8:8c:b0:3f:ed: + 15:cc:57:ee +-----BEGIN CERTIFICATE----- +MIIDszCCApugAwIBAgICEjkwDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMCQ0Ex +EDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFDTUUxETAPBgNVBAMMCE15Um9v +dENBMB4XDTIwMDExNzEyMTQwMVoXDTI0MDExNzEyMTQwMVowbDELMAkGA1UEBhMC +Q0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRvMQ0wCwYDVQQKDARhY21l +MQwwCgYDVQQLDANhcnQxITAfBgNVBAMMGGludGVybWVkaWF0ZV9jYUBhY21lLm9y +ZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM0bA827VhkRRwC98mDY +MTSeBs+cHlknwZnAc7MUkAnFizz6J19U+woMSRz0b36Ci8nYo2ujmw30TOyVR/FV +16PjYQ/dMgfP2e0BWKpP2L4KGM0I9mzuWyCc/lWXCJlShizQblrbbRQXh+Tg2eyd +InwEidRftP1zn4Ipkpcwx5xz0aKLCgI5An7CxscFHRaX50BUi8szREGwRFtkxiGO +iXUdwoSgkEjGm6s2tQbMxEjWZMav+MFA7hAYaiDKytkReI9WUIwEASik2vTU0VAD +Rz+btVvmJZ+FTSu2rSFNl9JTAL9RY8JNqkkEgau1l8a/ggKU7wS3vUNQJsxT66t1 +1AsCAwEAAaOBiTCBhjAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vbG9jYWxob3N0 +OjgxODYvTXlSb290Q0EuY3JsMB0GA1UdDgQWBBT/ahkF/xqbF3xyX5+MQrAV3G/U +4jAfBgNVHSMEGDAWgBTYNPJMpawBpDtUZqr328PB8r/mzDAPBgNVHRMBAf8EBTAD +AQH/MA0GCSqGSIb3DQEBDQUAA4IBAQBKe4mx89t5v8YtbILzPE4zynKoXGio9QmB +AweQwdwpBhfE9LfLe2UvaCNozrb2li5thDVqn+TCRlCB3+XM+y5za4MtQZ+SFDLV +UmAyEwI+wzUL+ljCO0oXpYfIyrrGEZScGtXZIyJiDaYZtFTLD6Sk0CSjvDx9r+fL +RSKsuPS38mQJGie3qxomO/Gyil82IaIwne2KO3orq5eZqtB9toVGEdLXW7pka7En +hVUQvkS/S4B1/896a2WGT1BAfDjkOjudHb55MV61MK6yLLveoK7xkNNp+dg6gtRx +qpIP8TNgKzx25QhM5TIjRZdoqhGSiEgCv+JZjWeRqIywP+0VzFfu +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- 
+MIIDYzCCAkugAwIBAgIUAzgWkwkl4wOLx+GiJZVnG3I2cNEwDQYJKoZIhvcNAQEN +BQAwQTELMAkGA1UEBhMCQ0ExEDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFD +TUUxETAPBgNVBAMMCE15Um9vdENBMB4XDTIwMDExNzEyMTM0OVoXDTI0MDExNzEy +MTM0OVowQTELMAkGA1UEBhMCQ0ExEDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoM +BEFDTUUxETAPBgNVBAMMCE15Um9vdENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEA+CXc5ld4yp+N6ns0HA8aPI2AUDPcbhs558F713/amq6KzueuVBJ4 +UBMdFqGI2Ul2RbEJuy/qxYqTDqtPNMorzLgK47NrDnZ0cdE/DlavSyCQmNoE0Ksr +XBTbIk0uEKKObJSYiW+8ise6cc+5Q83woG5OzUj6E/uX/TFYsSbsaLaG74HY8ajI +bHDEPOnRlqWV/Z8ADvjpplxXuAXyhA7YYMA/WlXAp3knLFEZTJduVeH+U9gn3lif +9zjUxuaNBioTJcnHnbanc3z2q5CvTbzhlUjOuWJ28dJ+QHr60bw4EEwM+akavU+O +9GK2Dh2oqLAOJ/z11I5F6LX7NEOprpt0owIDAQABo1MwUTAdBgNVHQ4EFgQU2DTy +TKWsAaQ7VGaq99vDwfK/5swwHwYDVR0jBBgwFoAU2DTyTKWsAaQ7VGaq99vDwfK/ +5swwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAQEA8p51vGg8YT6y +Aiyeps/ggms5/vkuH3AdI2OqC1RbIIx2Duia1EiH+Vxw0I1B7jJ9tZOsZfJVLmcr +qlToReTTceGSRt22JvV7vpB/mn7y1z5Pz9Inw/eWTC32frzzLdayGv3/EhArsu+B +eW6EemnXN4UxRc4rkCcYqz3WJJ/NollBwzqhpmFqo0sArZ7CSkz9+2U6sayZsxA3 +zT+4aj6vIp6Yv/USgX86VrdO1sBhJKlosEOlJqyorpjutv4fl4hR04/yU+Kw/sdG +9ZA5Q9zrV0ooZ+635K1Z4Xr2rCH/38ltUZnFWD7D0w/z+QhonxXdnwbudtedSybo +VPvWVRUaVA== +-----END CERTIFICATE----- diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/client_expired.crt b/qpid-test-utils/src/main/resources/ssl/certificates/client_expired.crt new file mode 100644 index 0000000..7bc29f1 --- /dev/null +++ b/qpid-test-utils/src/main/resources/ssl/certificates/client_expired.crt 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICvzCCAaegAwIBAgIETVtknTANBgkqhkiG9w0BAQ0FADAQMQ4wDAYDVQQDEwVV +U0VSMTAeFw0xMDAxMDExMTAwMDBaFw0xNDAxMDExMTAwMDBaMBAxDjAMBgNVBAMT +BVVTRVIxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmNDDbMbSISBF +2ztm8e3Gp02s0rW8pjG7sEYKLMgkXNVRMX6nOFQ1Tuj6yuBk/qlBuSyYigfTPjNx +qjz0pxLXPbFQfzaTzLQx+AIx1JRhdpHxY//M7vfIJaLOj7MvngWvjFX6MwwKlvkG +z/H6+R4S3QE852XkUQvvxMVa7kHuUdzDUx7ARhsUME28/XzsJldEGiuPJZYLPpdg +GAvJPO47+gr9zUWksL4fjXgYV2lZiAWcb1WcL6/zssBLnseRkQe/g+b7q0tT0FAX +rqCfVaVZSRntrLu4AK88JUWfQkEKDRux2XZ5cAYofelZiiIikRBubuHlhlt0bqwo +AJiAh4ANowIDAQABoyEwHzAdBgNVHQ4EFgQUTHUNeU67sKZ+bWeh521ZpK/wzckw +DQYJKoZIhvcNAQENBQADggEBAIs6DQA+3v8L+TdVEHlk8eTOUo46Z0e9fpQgSfLb +0aM/gpdq1ZBxP/RkDouSvZpDBxZnWZNo8I9/cQ2tc7K8rWv4lyq6tDbSgIuRIBk8 +v50ujPMPiKSeTdJXTVi1f2TAsYwnG4cSxDBF0Gu7qXEckRtktDs6uHC0D1Rzcirr +3gANGDk/S3yS6vumooRKZ22AOiBp6uE0awa1jTZAyLvC+LY47XKfFUTf/9+E0umz +3a3sIzET20YSf8xrK6kFBIrqAM7sF3303+nHsfx12BIA19tUjlHKBTbCCrL1u2GL +gD0wA9jYPAhbtKSh8GbZtNhDhJxfopwhIuFFSfcKbO8OeUY= +-----END CERTIFICATE----- diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/client_expired_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/client_expired_keystore.jks new file mode 100644 index 0000000..a3c29eb Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/client_expired_keystore.jks differ diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/client_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/client_keystore.jks new file mode 100644 index 0000000..1d21f01 Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/client_keystore.jks differ 
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/client_truststore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/client_truststore.jks new file mode 100644 index 0000000..51593d6 Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/client_truststore.jks differ diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/client_untrusted_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/client_untrusted_keystore.jks new file mode 100644 index 0000000..b788861 Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/client_untrusted_keystore.jks differ diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crl b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crl new file mode 100644 index 0000000..d32bdf9 Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crl differ diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crl.pem b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crl.pem new file mode 100644 index 0000000..ded7194 --- /dev/null +++ b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crl.pem @@ -0,0 +1,12 @@ +-----BEGIN X509 CRL----- +MIIBxjCBrwIBATANBgkqhkiG9w0BAQsFADBsMQswCQYDVQQGEwJDQTELMAkGA1UE +CAwCT04xEDAOBgNVBAcMB1Rvcm9udG8xDTALBgNVBAoMBGFjbWUxDDAKBgNVBAsM +A2FydDEhMB8GA1UEAwwYaW50ZXJtZWRpYXRlX2NhQGFjbWUub3JnFw0yMDAxMTcx +MjE0MDFaFw0yMDAyMTYxMjE0MDFaoA8wDTALBgNVHRQEBAICEjQwDQYJKoZIhvcN +AQELBQADggEBAI31QLg89gCYaB3yGaPAJG45ENz4L6sKf8X7H6sZfnnEECIfMDeF +Wuu5ummkvSKyHVDj5m5FT9W6mKj8JkXUfGS64ssR361BixlBfmsVj5y3upXmuEta +x03Ewqp888NaZyxK749J+1pfo5XOq0OUTe0+J1gTrS+JSWO3194MohtqkOQ11FHc +9nDqZo49Bi+gqvulu+t1uPfM7i2RHgVl3e+gMc7XuguC1obGyuSoFSCW3IcqjuOt +d1xTz/p/Cx3TqlMFI0uGzXzl11jLu/CDHtMvax5YJ65lV1wK86z6tpENR3Din4X1 +tHZMxga+hGrJikOeu/WZrw2cC1hx9OZU4Fw= +-----END X509 CRL----- 
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crt b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crt new file mode 100644 index 0000000..19d97a9 --- /dev/null +++ b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crt 
@@ -0,0 +1,84 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 4665 (0x1239) + Signature Algorithm: sha512WithRSAEncryption + Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA + Validity + Not Before: Jan 17 12:14:01 2020 GMT + Not After : Jan 17 12:14:01 2024 GMT + Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=intermediate_ca@acme.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:cd:1b:03:cd:bb:56:19:11:47:00:bd:f2:60:d8: + 31:34:9e:06:cf:9c:1e:59:27:c1:99:c0:73:b3:14: + 90:09:c5:8b:3c:fa:27:5f:54:fb:0a:0c:49:1c:f4: + 6f:7e:82:8b:c9:d8:a3:6b:a3:9b:0d:f4:4c:ec:95: + 47:f1:55:d7:a3:e3:61:0f:dd:32:07:cf:d9:ed:01: + 58:aa:4f:d8:be:0a:18:cd:08:f6:6c:ee:5b:20:9c: + fe:55:97:08:99:52:86:2c:d0:6e:5a:db:6d:14:17: + 87:e4:e0:d9:ec:9d:22:7c:04:89:d4:5f:b4:fd:73: + 9f:82:29:92:97:30:c7:9c:73:d1:a2:8b:0a:02:39: + 02:7e:c2:c6:c7:05:1d:16:97:e7:40:54:8b:cb:33: + 44:41:b0:44:5b:64:c6:21:8e:89:75:1d:c2:84:a0: + 90:48:c6:9b:ab:36:b5:06:cc:c4:48:d6:64:c6:af: + f8:c1:40:ee:10:18:6a:20:ca:ca:d9:11:78:8f:56: + 50:8c:04:01:28:a4:da:f4:d4:d1:50:03:47:3f:9b: + b5:5b:e6:25:9f:85:4d:2b:b6:ad:21:4d:97:d2:53: + 00:bf:51:63:c2:4d:aa:49:04:81:ab:b5:97:c6:bf: + 82:02:94:ef:04:b7:bd:43:50:26:cc:53:eb:ab:75: + d4:0b + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 CRL Distribution Points: + + Full Name: + URI:http://localhost:8186/MyRootCA.crl + + X509v3 Subject Key Identifier: + FF:6A:19:05:FF:1A:9B:17:7C:72:5F:9F:8C:42:B0:15:DC:6F:D4:E2 + X509v3 Authority Key Identifier: + keyid:D8:34:F2:4C:A5:AC:01:A4:3B:54:66:AA:F7:DB:C3:C1:F2:BF:E6:CC + + X509v3 Basic Constraints: critical + CA:TRUE + Signature Algorithm: sha512WithRSAEncryption + 4a:7b:89:b1:f3:db:79:bf:c6:2d:6c:82:f3:3c:4e:33:ca:72: + a8:5c:68:a8:f5:09:81:03:07:90:c1:dc:29:06:17:c4:f4:b7: + cb:7b:65:2f:68:23:68:ce:b6:f6:96:2e:6d:84:35:6a:9f:e4: + c2:46:50:81:df:e5:cc:fb:2e:73:6b:83:2d:41:9f:92:14:32: + 
d5:52:60:32:13:02:3e:c3:35:0b:fa:58:c2:3b:4a:17:a5:87: + c8:ca:ba:c6:11:94:9c:1a:d5:d9:23:22:62:0d:a6:19:b4:54: + cb:0f:a4:a4:d0:24:a3:bc:3c:7d:af:e7:cb:45:22:ac:b8:f4: + b7:f2:64:09:1a:27:b7:ab:1a:26:3b:f1:b2:8a:5f:36:21:a2: + 30:9d:ed:8a:3b:7a:2b:ab:97:99:aa:d0:7d:b6:85:46:11:d2: + d7:5b:ba:64:6b:b1:27:85:55:10:be:44:bf:4b:80:75:ff:cf: + 7a:6b:65:86:4f:50:40:7c:38:e4:3a:3b:9d:1d:be:79:31:5e: + b5:30:ae:b2:2c:bb:de:a0:ae:f1:90:d3:69:f9:d8:3a:82:d4: + 71:aa:92:0f:f1:33:60:2b:3c:76:e5:08:4c:e5:32:23:45:97: + 68:aa:11:92:88:48:02:bf:e2:59:8d:67:91:a8:8c:b0:3f:ed: + 15:cc:57:ee +-----BEGIN CERTIFICATE----- +MIIDszCCApugAwIBAgICEjkwDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMCQ0Ex +EDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFDTUUxETAPBgNVBAMMCE15Um9v +dENBMB4XDTIwMDExNzEyMTQwMVoXDTI0MDExNzEyMTQwMVowbDELMAkGA1UEBhMC +Q0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRvMQ0wCwYDVQQKDARhY21l +MQwwCgYDVQQLDANhcnQxITAfBgNVBAMMGGludGVybWVkaWF0ZV9jYUBhY21lLm9y +ZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM0bA827VhkRRwC98mDY +MTSeBs+cHlknwZnAc7MUkAnFizz6J19U+woMSRz0b36Ci8nYo2ujmw30TOyVR/FV +16PjYQ/dMgfP2e0BWKpP2L4KGM0I9mzuWyCc/lWXCJlShizQblrbbRQXh+Tg2eyd +InwEidRftP1zn4Ipkpcwx5xz0aKLCgI5An7CxscFHRaX50BUi8szREGwRFtkxiGO +iXUdwoSgkEjGm6s2tQbMxEjWZMav+MFA7hAYaiDKytkReI9WUIwEASik2vTU0VAD +Rz+btVvmJZ+FTSu2rSFNl9JTAL9RY8JNqkkEgau1l8a/ggKU7wS3vUNQJsxT66t1 +1AsCAwEAAaOBiTCBhjAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vbG9jYWxob3N0 +OjgxODYvTXlSb290Q0EuY3JsMB0GA1UdDgQWBBT/ahkF/xqbF3xyX5+MQrAV3G/U +4jAfBgNVHSMEGDAWgBTYNPJMpawBpDtUZqr328PB8r/mzDAPBgNVHRMBAf8EBTAD +AQH/MA0GCSqGSIb3DQEBDQUAA4IBAQBKe4mx89t5v8YtbILzPE4zynKoXGio9QmB +AweQwdwpBhfE9LfLe2UvaCNozrb2li5thDVqn+TCRlCB3+XM+y5za4MtQZ+SFDLV +UmAyEwI+wzUL+ljCO0oXpYfIyrrGEZScGtXZIyJiDaYZtFTLD6Sk0CSjvDx9r+fL +RSKsuPS38mQJGie3qxomO/Gyil82IaIwne2KO3orq5eZqtB9toVGEdLXW7pka7En +hVUQvkS/S4B1/896a2WGT1BAfDjkOjudHb55MV61MK6yLLveoK7xkNNp+dg6gtRx +qpIP8TNgKzx25QhM5TIjRZdoqhGSiEgCv+JZjWeRqIywP+0VzFfu +-----END CERTIFICATE----- 
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.csr b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.csr new file mode 100644 index 0000000..31d625f --- /dev/null +++ b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.csr @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICsTCCAZkCAQAwbDELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQH +DAdUb3JvbnRvMQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxITAfBgNVBAMM +GGludGVybWVkaWF0ZV9jYUBhY21lLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAM0bA827VhkRRwC98mDYMTSeBs+cHlknwZnAc7MUkAnFizz6J19U ++woMSRz0b36Ci8nYo2ujmw30TOyVR/FV16PjYQ/dMgfP2e0BWKpP2L4KGM0I9mzu +WyCc/lWXCJlShizQblrbbRQXh+Tg2eydInwEidRftP1zn4Ipkpcwx5xz0aKLCgI5 +An7CxscFHRaX50BUi8szREGwRFtkxiGOiXUdwoSgkEjGm6s2tQbMxEjWZMav+MFA +7hAYaiDKytkReI9WUIwEASik2vTU0VADRz+btVvmJZ+FTSu2rSFNl9JTAL9RY8JN +qkkEgau1l8a/ggKU7wS3vUNQJsxT66t11AsCAwEAAaAAMA0GCSqGSIb3DQEBDQUA +A4IBAQDE2KIYrHiujyjWAJAWkJFwaxjeM0MojdOmdzpTEwwcWIWhSvDIGylAIjs+ +s/xZidCBLlmH5Fu4G/P/ZmAe/PSRULn5RNh+Vr/2rvBwrO6o1tr/iqN+Iu9D9gpD +xsVqy03M3Dda/4hJ1fd14Nvw/3ipQCX0ODKQQnCEN6YDDMII7NNHhThJ9JXtmsDK +aCWM5s6V1VcEHmsOaghuuEe0CSLNyIoKGqm/Go/sZ6beXiq6lzPOSW+Ugvb1j+yd +Kb89oZy871V7c8BQJgYAZNm81TFpwS4XEa7tO12hxrEndMdKqjW5S2E7TVQPcTud +1T3W7szSBmOf3sPFToLx3oOky0a9 +-----END CERTIFICATE REQUEST----- diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.jks b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.jks new file mode 100644 index 0000000..251089d Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.jks differ diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.self.crt new file mode 100644 index 0000000..d4d1fad --- /dev/null +++ b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.self.crt 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDuTCCAqGgAwIBAgIUU+PWvuydNdPTMUerarnvKb2eT74wDQYJKoZIhvcNAQEN +BQAwbDELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRv +MQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxITAfBgNVBAMMGGludGVybWVk +aWF0ZV9jYUBhY21lLm9yZzAeFw0yMDAxMTcxMjE0MDFaFw0yMDAyMTYxMjE0MDFa +MGwxCzAJBgNVBAYTAkNBMQswCQYDVQQIDAJPTjEQMA4GA1UEBwwHVG9yb250bzEN +MAsGA1UECgwEYWNtZTEMMAoGA1UECwwDYXJ0MSEwHwYDVQQDDBhpbnRlcm1lZGlh +dGVfY2FAYWNtZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDN +GwPNu1YZEUcAvfJg2DE0ngbPnB5ZJ8GZwHOzFJAJxYs8+idfVPsKDEkc9G9+govJ +2KNro5sN9EzslUfxVdej42EP3TIHz9ntAViqT9i+ChjNCPZs7lsgnP5VlwiZUoYs +0G5a220UF4fk4NnsnSJ8BInUX7T9c5+CKZKXMMecc9GiiwoCOQJ+wsbHBR0Wl+dA +VIvLM0RBsERbZMYhjol1HcKEoJBIxpurNrUGzMRI1mTGr/jBQO4QGGogysrZEXiP +VlCMBAEopNr01NFQA0c/m7Vb5iWfhU0rtq0hTZfSUwC/UWPCTapJBIGrtZfGv4IC +lO8Et71DUCbMU+urddQLAgMBAAGjUzBRMB0GA1UdDgQWBBT/ahkF/xqbF3xyX5+M +QrAV3G/U4jAfBgNVHSMEGDAWgBT/ahkF/xqbF3xyX5+MQrAV3G/U4jAPBgNVHRMB +Af8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4IBAQBNx3DvYk5rFFz7gtRSMpINJuoI +thCEsFT43at08M98PrFHmZvfvdxwsIO0aJYVsTnEf4tqjXKQ6c3+eV9u3aWKuJYs +PHJ4oxLlVwWWZLP/QC5SknscQlu5b6lhje328qKSYFzi8EE75FpG7sehvymNQhLS +IU4r52VUqzZ6bBaQpPV4psG3yC6ONGppiy2QSP1s0jqmH1EDDp2qAQEME4bPYCAg +Tryp2EjUmBpCuiwreY3Wsy9Zj6fQdFuxUiE4XWbsoNx1oDj9M8OuAeKQ5magJysm +j/f2SF6cuNsg5AwuPg3DX+QC+WckLe+3M4uXfZa65bf/EJgKjJc1WjrDG16x +-----END CERTIFICATE----- diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.self.key new file mode 100644 index 0000000..f2392c8 --- /dev/null +++ b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.self.key 
@@ -0,0 +1,30 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIrFQQzoVuNVgCAggA +MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECIWesfDR2OA7BIIEyB+WEIidNRox +k5SvY9Hyi77Y1Jh/u1WJVWmQalZvWOAX8lnhQTDMVlCZ9zOku+0CWPIfEPcTBPbc +WkTdNFmnlpUwrrjZ+ijwyv9eF6WaIvAyBAlSXDUULkkiaweKT22KGmCKWGY92UJq +UtnsyZupQ95oWRcJ6x8/83dhaQM9yVf8a2jZzpIkCM5bdNXrSSObM2Oz1WhpcPEg +yJzVceZTxASB3BnvIayNqFvMMiFQR4QcDTMkudBWGro3q5qm+LINQrG3nXmTwDvp +u3PXxP8c0nEXxQYB9PPDL3qWQ5QkjaZWm5QUFWvUFGYc3bbuNXkzivBFp9W478wY +W41x9WI6DVDkcrTv5n5X268xh3Gs5/nYERjuB657rGC3R5mNeL4unohPBsamyhrE +ZFgzaMB0hhh0w57suFoVbrqkcKWQx7vhNwvOqbyiOg/qLk5sHrNAVdZtKA5iHux3 +JMbzHzG73wduXCWOOJcBYZD5cA7ifNwmNAz7sg9z2CY1XGHRrm+l9QZK5SLrQGIC +p17ZREm2rnUMmZFqmIdRYyWUmfZmZ1eejT7Nf93GyutdabLNc1ROANY/mElW68qK +RlEszYEJskw9vclg8PogulnGVND5ES5zxG4qUWJtkvx7QM1NqgUq77rK93Q/1AkC +tB2A2/wwZmmPQMYR/7qSr0HLkTLYqmtEC5FVXB9STVdHYEgs4G7yNArY1a10ApaS +Avf+TJD+SH8ZJMc4xVOJwc/NyKqaI+LFc64m/8oC+Mt6wpos5nvPoGqIGW10Oqcv +N4IREavDgHEcbfRsj4Cdt55YaAk0C7MNn21PvTRI7aS8aWScTD5sMlJZDFe/V2ZL +IxdW4LnZfyRt/s2qsx6mrbrKsaBB+o4BKC0AQax/o6GNTP89aug4OIUr3h7qGf1C +oKLGLHjXuZcw0NKK+ufRqimvgHz6segsfgxLBsLoZ2EkhHqdWxyVI6dB/TdB2+Mu +x3I0iQ/lC22Ky+hGpcb2iU0eB1NYA6/Wns880EJGd6/w6vmJOjG+BG0zoOELgLXH +j0nGK2gh/2fxg2i+UjMvK7lGLjyiit/rPgH5B0e7QqJrwC0KHkxQO/dIp9aQ5BZD +7PyGEX3ThaBSXyor3JoRtF0sLFhib2vqws7WNke7kJqDcoi9AZEQJ8gl2DLUqWbl +ci0s32YNxXKQWB20eKJDhiLOPxZmwfQlyFAnJQrYOEhKG/BJD/O+q7MtBwJ674kG +TcJ3AxKJhw6rOM8tjvuUfbBBNG8O0ngkbNPN36EYDkWb7ro1W4+MDayFt0P8nXgt ++liJEFp9yFDm3OMiMrHJmihZKGqr7VC9sDm+EjFMpa/Er7KWBBzvWip3pIZslHrv +HIYILJS8C6OgiwQF24+pW9O7tqUVKrjpZ5Tl/QuR4Qm4L3kWO/63nFMH+PP/ODYQ +0cB/g8cEGVWClUlxp/2D7IrNh6d59mQuvhrF+fkMoNV8AeU9+IinDlF3ik00n9cF +5U9shoMgSuyj5d9L2FCJi/t67LiAWsp3aGwcfHPfanSIpS/EvpCyvT9py1zE0IFC +Hzz76V2V5VrRkYGwT2M8b+RtgHUles5e8sXxkWTW9AvbtfJtADit5mEX0eXJJAfP +aRZsBte7k0++5afbuVkCug== +-----END ENCRYPTED PRIVATE KEY----- 
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.crt b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.crt new file mode 100644 index 0000000..dd4073e --- /dev/null +++ b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.crt 
@@ -0,0 +1,80 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 4664 (0x1238) + Signature Algorithm: sha512WithRSAEncryption + Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA + Validity + Not Before: Jan 17 12:14:00 2020 GMT + Not After : Jan 17 12:14:00 2024 GMT + Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=revoked_by_ca@acme.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:ab:54:29:44:85:72:57:4f:8d:9f:60:77:5c:77: + b0:45:bd:34:7a:e5:37:9f:0f:26:ac:e1:68:1a:b3: + 86:bf:55:48:82:ad:31:df:ed:89:a9:7e:25:b8:4d: + 5c:95:c1:4a:9e:b2:a3:51:57:e8:dd:18:75:e5:db: + f0:aa:ea:eb:5f:0f:e0:09:e2:7c:a6:1c:5c:e5:db: + 2c:c1:f2:d7:40:21:f7:fa:ef:e0:3e:f5:3d:10:52: + ec:b7:cd:9a:d8:3d:36:9a:3f:cd:1a:1f:e7:de:09: + c3:8f:08:4f:c1:c4:cb:d3:65:81:c4:e3:28:ed:f4: + a9:43:f2:c6:84:d9:16:22:65:55:17:e3:8b:7a:45: + 9d:5f:7d:e5:87:d6:a5:fb:fe:0f:86:c0:d4:e0:9b: + 2c:3a:99:df:4d:42:df:30:38:56:2d:f3:e5:8b:0f: + fc:99:e3:1f:62:cb:85:78:a3:40:43:d6:42:3b:bc: + e8:6c:45:19:3d:ca:43:86:1a:4b:ae:e9:3b:51:b0: + 0d:0a:bb:de:26:34:b3:cf:dc:fc:99:c8:7e:42:7d: + 2c:67:ea:2c:7d:2e:bf:ff:7f:21:9a:17:f1:87:1d: + aa:d6:a4:06:bb:c1:65:ac:7d:7a:51:fd:3f:d0:ac: + 9b:85:17:51:5b:99:16:b8:c7:72:00:2d:0b:54:78: + 16:5b + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 CRL Distribution Points: + + Full Name: + URI:http://localhost:8186/MyRootCA.crl + + X509v3 Basic Constraints: + CA:FALSE + X509v3 Key Usage: + Digital Signature, Non Repudiation, Key Encipherment + Signature Algorithm: sha512WithRSAEncryption + 3a:d1:40:59:30:54:80:6a:b6:a9:76:f3:d1:05:c9:a1:d7:b0: + ff:70:48:65:1d:1c:e5:82:b9:c5:62:78:eb:7a:0f:77:2d:26: + 8d:a7:16:34:a5:57:4e:da:51:b5:3e:65:a3:db:a4:ba:43:70: + 93:d4:d5:82:e4:c8:59:f0:f9:2c:7f:d6:d9:87:b8:5e:a9:4c: + a5:cc:c3:ac:87:c8:3e:46:7e:6d:40:c1:bf:9f:03:68:ea:e1: + 97:30:43:bf:d7:a4:1a:58:e2:72:cf:0d:6f:31:1b:4a:72:4d: + 42:6d:7b:21:42:23:c0:7a:50:14:b9:f9:a5:95:53:77:c1:89: + 
ff:3e:a0:1a:b2:88:69:13:93:c8:14:c4:c5:24:47:a0:9e:43: + 70:9d:ac:0e:7f:a6:b5:45:47:35:f9:e9:6d:32:15:54:26:81: + 84:ae:d8:27:c9:f3:65:64:7a:72:14:02:9f:8a:73:cf:04:c0: + 53:a8:01:56:a6:a6:b8:fe:06:b1:71:c0:cc:64:07:d5:33:a8: + 69:01:5e:06:b8:24:ec:1e:c4:9e:58:45:60:2b:70:d4:db:7a: + 8c:42:21:e6:e6:33:c9:66:35:6c:06:ad:0f:47:74:24:cb:65: + af:e1:a6:d0:b3:06:4a:97:5f:b2:83:cf:ac:0d:81:c2:07:7a: + 06:c1:45:90 +-----BEGIN CERTIFICATE----- +MIIDdjCCAl6gAwIBAgICEjgwDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMCQ0Ex +EDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFDTUUxETAPBgNVBAMMCE15Um9v +dENBMB4XDTIwMDExNzEyMTQwMFoXDTI0MDExNzEyMTQwMFowajELMAkGA1UEBhMC +Q0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRvMQ0wCwYDVQQKDARhY21l +MQwwCgYDVQQLDANhcnQxHzAdBgNVBAMMFnJldm9rZWRfYnlfY2FAYWNtZS5vcmcw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCrVClEhXJXT42fYHdcd7BF +vTR65TefDyas4Wgas4a/VUiCrTHf7YmpfiW4TVyVwUqesqNRV+jdGHXl2/Cq6utf +D+AJ4nymHFzl2yzB8tdAIff67+A+9T0QUuy3zZrYPTaaP80aH+feCcOPCE/BxMvT +ZYHE4yjt9KlD8saE2RYiZVUX44t6RZ1ffeWH1qX7/g+GwNTgmyw6md9NQt8wOFYt +8+WLD/yZ4x9iy4V4o0BD1kI7vOhsRRk9ykOGGkuu6TtRsA0Ku94mNLPP3PyZyH5C +fSxn6ix9Lr//fyGaF/GHHarWpAa7wWWsfXpR/T/QrJuFF1FbmRa4x3IALQtUeBZb +AgMBAAGjTzBNMDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9sb2NhbGhvc3Q6ODE4 +Ni9NeVJvb3RDQS5jcmwwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwDQYJKoZIhvcN +AQENBQADggEBADrRQFkwVIBqtql289EFyaHXsP9wSGUdHOWCucVieOt6D3ctJo2n +FjSlV07aUbU+ZaPbpLpDcJPU1YLkyFnw+Sx/1tmHuF6pTKXMw6yHyD5Gfm1Awb+f +A2jq4ZcwQ7/XpBpY4nLPDW8xG0pyTUJteyFCI8B6UBS5+aWVU3fBif8+oBqyiGkT +k8gUxMUkR6CeQ3CdrA5/prVFRzX56W0yFVQmgYSu2CfJ82VkenIUAp+Kc88EwFOo +AVamprj+BrFxwMxkB9UzqGkBXga4JOwexJ5YRWArcNTbeoxCIebmM8lmNWwGrQ9H +dCTLZa/hptCzBkqXX7KDz6wNgcIHegbBRZA= +-----END CERTIFICATE----- diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.csr b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.csr new file mode 100644 index 0000000..7a8a730 --- /dev/null +++ b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.csr 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICrzCCAZcCAQAwajELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQH +DAdUb3JvbnRvMQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxHzAdBgNVBAMM +FnJldm9rZWRfYnlfY2FAYWNtZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQCrVClEhXJXT42fYHdcd7BFvTR65TefDyas4Wgas4a/VUiCrTHf7Ymp +fiW4TVyVwUqesqNRV+jdGHXl2/Cq6utfD+AJ4nymHFzl2yzB8tdAIff67+A+9T0Q +Uuy3zZrYPTaaP80aH+feCcOPCE/BxMvTZYHE4yjt9KlD8saE2RYiZVUX44t6RZ1f +feWH1qX7/g+GwNTgmyw6md9NQt8wOFYt8+WLD/yZ4x9iy4V4o0BD1kI7vOhsRRk9 +ykOGGkuu6TtRsA0Ku94mNLPP3PyZyH5CfSxn6ix9Lr//fyGaF/GHHarWpAa7wWWs +fXpR/T/QrJuFF1FbmRa4x3IALQtUeBZbAgMBAAGgADANBgkqhkiG9w0BAQ0FAAOC +AQEAle9ozcWOV+gW4zVToxUl/Cumqe3zqg7YE1SV4/QssVEVfJjb4s4/2JnjDQvQ +BExP4yeiLVtIjjEaFy+fu4LZ7Qx7+GlhBCOaBuS/hNRmuJPNv+GwommABYkDvx86 +QeztX5oU/Gcn9tx+IjiBfn6pUsF4tX1Qd9ueucPUDR7xHMAFBBNnC1ahhki6rOVB +9fxbduViyr2RKl9gDao650PsVn3+9MtKaU/oHluuyOjbCsrdjY5uGTWGJjWXGWBv +whtYRomEofuvZk7vsmhBtJUixFuo4mVXA3Q6jCH3nre57YsQFR8+oFkIDogtXUNj +rOtgaueA6Rd50L4j8hoQKBAkFA== +-----END CERTIFICATE REQUEST----- diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.jks b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.jks new file mode 100644 index 0000000..cd38ca0 Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.jks differ diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.self.crt new file mode 100644 index 0000000..47696f6 --- /dev/null +++ b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.self.crt 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDtTCCAp2gAwIBAgIUHVCN1hW4l8SlUG15T552XxvHr4owDQYJKoZIhvcNAQEN +BQAwajELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRv +MQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxHzAdBgNVBAMMFnJldm9rZWRf +YnlfY2FAYWNtZS5vcmcwHhcNMjAwMTE3MTIxNDAwWhcNMjAwMjE2MTIxNDAwWjBq +MQswCQYDVQQGEwJDQTELMAkGA1UECAwCT04xEDAOBgNVBAcMB1Rvcm9udG8xDTAL +BgNVBAoMBGFjbWUxDDAKBgNVBAsMA2FydDEfMB0GA1UEAwwWcmV2b2tlZF9ieV9j +YUBhY21lLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKtUKUSF +cldPjZ9gd1x3sEW9NHrlN58PJqzhaBqzhr9VSIKtMd/tial+JbhNXJXBSp6yo1FX +6N0YdeXb8Krq618P4AnifKYcXOXbLMHy10Ah9/rv4D71PRBS7LfNmtg9Npo/zRof +594Jw48IT8HEy9NlgcTjKO30qUPyxoTZFiJlVRfji3pFnV995YfWpfv+D4bA1OCb +LDqZ301C3zA4Vi3z5YsP/JnjH2LLhXijQEPWQju86GxFGT3KQ4YaS67pO1GwDQq7 +3iY0s8/c/JnIfkJ9LGfqLH0uv/9/IZoX8YcdqtakBrvBZax9elH9P9Csm4UXUVuZ +FrjHcgAtC1R4FlsCAwEAAaNTMFEwHQYDVR0OBBYEFMU9e8zrbXHC342Uby8gqhgM +YvLxMB8GA1UdIwQYMBaAFMU9e8zrbXHC342Uby8gqhgMYvLxMA8GA1UdEwEB/wQF +MAMBAf8wDQYJKoZIhvcNAQENBQADggEBAB/EApL8yOgY/Moi9zfCG22GRosPydBS +87rlGBuWieIuHTUjZfo4Cso/Gss7BKNPVpS68g6QXh5t/mlWLes8lXVHj8V2RHUg +JMJZ6FZVXGaR/3wvRT8i5xag4kYye585P52ovvzI8TyWRf2f4UQhNXIH6If8fYkJ +CI/bp7Wd+b2+Vrnacx8gc5uzYXSsbUujd0b7X//gAu0YBPVqdkiJGpB1N4XPFhaF +NPauaic9wtzETHc2ETmvKWoqxW0mwX8AuDY/GVa04s/jiy1JuH0uqfQCiGi1dkRF +yYXQNXuPWiQ5K8Eg2bPaSSnCpQZgH4DG7315ne6XFaSQK/iJU9p05cA= +-----END CERTIFICATE----- diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.self.key new file mode 100644 index 0000000..2bed0ac --- /dev/null +++ b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.self.key 
@@ -0,0 +1,30 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIHVqo76e8ifcCAggA +MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECKGXAXrxjyphBIIEyEJR6oHjGXr+ +PoIs2CnsQucjXIqQuEltc+xiLetRV6VQ0fytpC1qw6gTcMYYqmXC0oeBZqbux+hj +Uj91rd2PnIhQ1t3uLkCCwR3hAOrFLHC6eg1HmgAfAI8HUoHeiSQor0rLHA2PKTgT +LtNV573XyBh0bbrQZnMh2zb+RZ8dFHE5Fu7OiTYYFAIkH3EyB0QRUuskGhmMvgT1 +6LlzmaSRfSx9x6YBW0AH3649hAZj6sf7axXm9sScrIFpha7FJzKV/EUScDfBzTld +5LqTUoF+W6b95PzvF/ylpbUM43FgTaI0KqyGSxtMr5CQjxuVUD+LsT6vc6lVQ2iQ +GtqFAooBatfDXlm4HBNTFznDoYa50TUK1af6+0X4uQrETnIWA8iw49L+BownU6+M +yfuMJ689IggheL9n+EBoJ5+LhjBlcxjcaIZBKgxVAxpSxnVY7H0R5JHYTHSy5GjA +xtGmOkqGPgRlPXzYtSrih47tUAkO7MTiIUE5Xuned2pTFWAhsS/kpdc6K1IKhDAG +ARG5dIADIZH+b3dYpxo/MXBQYusm6Q1KaLE1cG98QoiWdTwXNN4jNH6IiUg52Pcg +nD/AAOdEcCA7wXFXLTBvYMGvetCDkrXf9DSOguGlvgfeZN/6P0QdN/TErTW9lHSV +DioKOfDSpvS2X3X/1pDBYK29d+JqwW8sgRtyeJtSVzPnm+PFyz/1oDwIk7muhAs5 ++Ruf2mh/k01InahsJ9aBwBneCDvRibQGMv8wl/8Lz5NmpPjfYv/Jws0rS7rDNLOi +yGSNBL8rOfLl3C7z3R+2xJocplccb7S42I8lSHNu7lwKPAPLkTtz+SymtAQJvqoR +2SmoYtodPttQDXLMVwzQ87sBQ/wN9sw3BCRSL6BfBIsYavLMLnZ8hChpA9RF7Okm +l8jNSs8HNN851G3XrKnI3CNsTKEQdEDw/Y68hJ0sSFRhICW2vKGJ6Lp1IPF4mngI +BzGnpQrsOBfrMOpfqwgxFFZRFbBbOl2IPRcvz8GYyfXToGgS53Nz0TkHTtsTFIoo +afUE6cOm0EzYn4rtNaB5K8gIxLhWZMsS6CH/nfEVi7sOFeUdkxoEUvnRTEy0pj7Q +h085aWIFHHAtgBCdzqsmu0Q8z7Xp6G+S5nrJCnewRAGKKyGTkZsSjZXpB+nauYDM +B4ZpoWZTS9AtPmCM9nV13fYTFWXz9DXtYAuMLZhYyBVNBlubpDwzV66+ygLqaTIz +OkC/EjmA1OOZlaI0TfH5rvFdKsqmXxmvlH9aCOzMxytTSOd52MwJN72nAslKz9xI +RoO/RE0EYLMOT81S44QzfWGZ2CP7oRTfT3IoktTUm9Snp2qjebcfhRrti8aEZCm+ +mtssZ0IiqLPje6GJ2kOUmU4+KZ+cNswPZmV+zm4NJcu5XBG13wHqyLac6iQPDXie +4IuzbLEOjYr+ZLGnBpw11jn6R1yxbOiKUbg/eEp8/688XJbVdSaCd4w7JwxL8dlI +h7y8UTG0BI3nZk4kdpusz5f18F8EoX+RIDP7Ev3qPt/8eYkSZggkrrnIaCIeXEOL +VwmtXIe7Fo2E7zRTSgJXU42iTYwp4tWmB83qxKVaQQpgmX1hs845GdWbfcSZh9eZ +50gsztDpcC1mAtp3brgOig== +-----END ENCRYPTED PRIVATE KEY----- 
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.crt b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.crt new file mode 100644 index 0000000..7a80d78 --- /dev/null +++ b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.crt 
@@ -0,0 +1,80 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 4667 (0x123b) + Signature Algorithm: sha512WithRSAEncryption + Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA + Validity + Not Before: Jan 17 12:14:02 2020 GMT + Not After : Jan 17 12:14:02 2024 GMT + Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=revoked_by_ca_empty_crl@acme.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:cd:03:6c:76:ba:58:04:33:52:0c:45:ba:80:87: + be:ce:3d:94:76:45:79:29:b1:15:15:c9:95:e0:5e: + 03:34:a5:5f:ab:b6:8a:03:57:b4:60:2d:fe:2e:27: + c1:51:7f:bd:25:fe:0d:d3:48:72:0a:09:ed:ef:df: + 18:98:17:e1:bf:44:07:6f:f5:72:98:73:0a:ca:7c: + 7f:a6:8e:1b:e1:f5:e9:cc:d5:37:96:1e:8b:f1:8b: + cb:4f:3b:ad:e5:b9:73:b2:6f:2c:e2:70:c9:a7:28: + ee:d2:4e:79:02:ef:11:f0:8d:77:41:46:d4:98:72: + cd:73:66:a4:f2:ea:81:42:b5:e1:95:0c:d3:23:e7: + dc:0e:2c:02:cf:bc:8f:dd:53:ea:2c:08:1d:8b:07: + 52:47:25:dd:9d:99:5c:56:86:2d:38:2a:2f:15:57: + dd:e2:c0:79:a5:aa:e6:3f:c3:b9:78:97:cf:47:fa: + c6:9f:55:73:42:cb:27:17:35:b3:5c:91:bd:f9:f0: + 00:a6:d2:5b:eb:34:2e:43:6a:ca:38:f6:14:32:4c: + c8:35:92:b7:4c:f7:da:86:70:55:0c:ca:67:82:5e: + 31:7f:e1:d2:76:22:d8:92:03:d6:47:df:43:55:33: + 29:e3:44:d0:2e:45:b4:e5:fb:78:95:53:3e:21:33: + 01:3d + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 CRL Distribution Points: + + Full Name: + URI:http://localhost:8186/MyRootCA.empty.crl + + X509v3 Basic Constraints: + CA:FALSE + X509v3 Key Usage: + Digital Signature, Non Repudiation, Key Encipherment + Signature Algorithm: sha512WithRSAEncryption + bf:be:61:4f:7a:a3:ff:9f:76:1a:d5:80:57:e8:29:d5:7b:31: + f2:15:de:11:a2:f4:67:97:05:70:52:84:0c:6d:aa:bc:b4:f1: + ed:92:f7:e3:ca:0f:4e:19:c4:82:38:e2:f1:30:74:42:8e:c8: + 7e:9f:b5:df:59:8b:e7:70:84:4d:fc:6b:4e:25:33:65:ac:f6: + da:3e:a4:32:fd:cb:f7:dc:f3:5a:3f:e3:8b:85:8d:9b:5a:e1: + f4:17:3c:d5:67:13:25:78:d0:3f:9d:cc:b8:1f:3c:9c:55:11: + 12:1f:13:2f:55:4b:3d:e0:cf:bf:10:ce:de:04:a3:b1:60:26: + 
3e:41:bf:8f:3b:86:ef:7f:69:4b:5b:2e:45:a2:5a:b5:34:2e: + ff:28:01:81:15:03:53:86:31:77:ac:41:f5:b3:c1:54:e9:ab: + cf:d3:3f:36:94:4e:ed:07:39:4e:ad:fb:0c:26:87:62:30:51: + da:70:8a:f2:9b:9f:9f:a4:25:d8:df:90:27:ab:0e:b6:81:fc: + a1:24:16:4d:aa:91:d7:c9:0b:f0:49:1a:80:7c:86:7f:0f:4e: + 32:59:86:41:32:92:00:b1:f0:32:50:84:72:35:f3:b2:7f:c1: + 2a:69:6c:9e:74:43:8e:d0:15:b3:0d:ed:34:b9:14:fe:24:17: + f7:4c:e0:0f +-----BEGIN CERTIFICATE----- +MIIDhjCCAm6gAwIBAgICEjswDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMCQ0Ex +EDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFDTUUxETAPBgNVBAMMCE15Um9v +dENBMB4XDTIwMDExNzEyMTQwMloXDTI0MDExNzEyMTQwMlowdDELMAkGA1UEBhMC +Q0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRvMQ0wCwYDVQQKDARhY21l +MQwwCgYDVQQLDANhcnQxKTAnBgNVBAMMIHJldm9rZWRfYnlfY2FfZW1wdHlfY3Js +QGFjbWUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzQNsdrpY +BDNSDEW6gIe+zj2UdkV5KbEVFcmV4F4DNKVfq7aKA1e0YC3+LifBUX+9Jf4N00hy +Cgnt798YmBfhv0QHb/VymHMKynx/po4b4fXpzNU3lh6L8YvLTzut5blzsm8s4nDJ +pyju0k55Au8R8I13QUbUmHLNc2ak8uqBQrXhlQzTI+fcDiwCz7yP3VPqLAgdiwdS +RyXdnZlcVoYtOCovFVfd4sB5parmP8O5eJfPR/rGn1VzQssnFzWzXJG9+fAAptJb +6zQuQ2rKOPYUMkzINZK3TPfahnBVDMpngl4xf+HSdiLYkgPWR99DVTMp40TQLkW0 +5ft4lVM+ITMBPQIDAQABo1UwUzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vbG9j +YWxob3N0OjgxODYvTXlSb290Q0EuZW1wdHkuY3JsMAkGA1UdEwQCMAAwCwYDVR0P +BAQDAgXgMA0GCSqGSIb3DQEBDQUAA4IBAQC/vmFPeqP/n3Ya1YBX6CnVezHyFd4R +ovRnlwVwUoQMbaq8tPHtkvfjyg9OGcSCOOLxMHRCjsh+n7XfWYvncIRN/GtOJTNl +rPbaPqQy/cv33PNaP+OLhY2bWuH0FzzVZxMleNA/ncy4HzycVRESHxMvVUs94M+/ +EM7eBKOxYCY+Qb+PO4bvf2lLWy5Folq1NC7/KAGBFQNThjF3rEH1s8FU6avP0z82 +lE7tBzlOrfsMJodiMFHacIrym5+fpCXY35Anqw62gfyhJBZNqpHXyQvwSRqAfIZ/ +D04yWYZBMpIAsfAyUIRyNfOyf8EqaWyedEOO0BWzDe00uRT+JBf3TOAP +-----END CERTIFICATE----- diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.csr b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.csr new file mode 100644 index 0000000..7275fc2 --- /dev/null 
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.csr @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICuTCCAaECAQAwdDELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQH +DAdUb3JvbnRvMQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxKTAnBgNVBAMM +IHJldm9rZWRfYnlfY2FfZW1wdHlfY3JsQGFjbWUub3JnMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAzQNsdrpYBDNSDEW6gIe+zj2UdkV5KbEVFcmV4F4D +NKVfq7aKA1e0YC3+LifBUX+9Jf4N00hyCgnt798YmBfhv0QHb/VymHMKynx/po4b +4fXpzNU3lh6L8YvLTzut5blzsm8s4nDJpyju0k55Au8R8I13QUbUmHLNc2ak8uqB +QrXhlQzTI+fcDiwCz7yP3VPqLAgdiwdSRyXdnZlcVoYtOCovFVfd4sB5parmP8O5 +eJfPR/rGn1VzQssnFzWzXJG9+fAAptJb6zQuQ2rKOPYUMkzINZK3TPfahnBVDMpn +gl4xf+HSdiLYkgPWR99DVTMp40TQLkW05ft4lVM+ITMBPQIDAQABoAAwDQYJKoZI +hvcNAQENBQADggEBAIclK9KXAk1U1l9zzy9FpjqZYXzqCF5vBD9yDDk6DODqLAfa +twBoA90Ae5z5wEY2Gtj2p39P4FvWHV2tKMe3M6Wnf9b0IE2VYZ8aIuK/dzMY17pX +caDKJEhG/hVa4qIyKbh5y0gITfoFTx10ip0DoSAzkjbG6fsSplX5x/r0DS1ZVGQj +aTqKor1pBW9rBGkgDaKetl+0/x9EcwXM8Vlv2uidofK1HRrBijdzj/vaVERatNGf +IMfBGnTfF+CAKN/kR8F1jhcM4XXOA/lvtWkmmsuBweEM4iTh5T7/L/rbUr7WpFjT +J8yrjAyUM4e9UR+lif/RXN2zvAvUh9wUin/rvlk= +-----END CERTIFICATE REQUEST----- diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.jks b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.jks new file mode 100644 index 0000000..7e0ab14 Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.jks differ diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.self.crt new file mode 100644 index 0000000..876f462 --- /dev/null +++ b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.self.crt 
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDyTCCArGgAwIBAgIURa7KfSxOy6INMZLGbza+/AKlMMgwDQYJKoZIhvcNAQEN +BQAwdDELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRv +MQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxKTAnBgNVBAMMIHJldm9rZWRf +YnlfY2FfZW1wdHlfY3JsQGFjbWUub3JnMB4XDTIwMDExNzEyMTQwMloXDTIwMDIx +NjEyMTQwMlowdDELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdU +b3JvbnRvMQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxKTAnBgNVBAMMIHJl +dm9rZWRfYnlfY2FfZW1wdHlfY3JsQGFjbWUub3JnMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAzQNsdrpYBDNSDEW6gIe+zj2UdkV5KbEVFcmV4F4DNKVf +q7aKA1e0YC3+LifBUX+9Jf4N00hyCgnt798YmBfhv0QHb/VymHMKynx/po4b4fXp +zNU3lh6L8YvLTzut5blzsm8s4nDJpyju0k55Au8R8I13QUbUmHLNc2ak8uqBQrXh +lQzTI+fcDiwCz7yP3VPqLAgdiwdSRyXdnZlcVoYtOCovFVfd4sB5parmP8O5eJfP +R/rGn1VzQssnFzWzXJG9+fAAptJb6zQuQ2rKOPYUMkzINZK3TPfahnBVDMpngl4x +f+HSdiLYkgPWR99DVTMp40TQLkW05ft4lVM+ITMBPQIDAQABo1MwUTAdBgNVHQ4E +FgQUJBs8fXPCO0HfB5qCdnNIr+LKofAwHwYDVR0jBBgwFoAUJBs8fXPCO0HfB5qC +dnNIr+LKofAwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAQEAKlMt +n4ZrNl91i2HJUhy1qQEed6r2IFzTiVCIlV5tL/e3JyOksKxHeoV8JcN4mFNDzVZM +vk+ZuCty1wJQLs6OOCfdXwSekSJblV/IXqKosvJj+RN6EHLeEYUoVJlKkU1E/wXZ +LbjioYtv7LAdDXuZro3P5W9IBiNGPitOWqdZYTkYgrDdyn9MBucm7UMTftvS8buK +sBjOhKQNO4Q34VJlOgKjoPEQr/R/JnNFbFh3dKYfDFABwy3dgp6kehzazb68An+j +K/qljEqmAGwn92pSQDxNW/opQ3iMMjTiUie7f5PpCphFD/noIXgSyVutV8dFEBtw +uTTPMl1O2ogZSriu3A== +-----END CERTIFICATE----- diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.self.key new file mode 100644 index 0000000..9576760 --- /dev/null +++ b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.self.key 
@@ -0,0 +1,30 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIFZ8yTs+qbG0CAggA +MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECCIuCWBoRzWlBIIEyEJvOIUqC7LU +XAcbfwBQgC+6bmxO+2A+KGmMoWua1om7bO7YkzoTesXg1sDN5xO8S0T02/laHE+n +h4SKtG+Ocvc75hznd2dkz+QrvUHfxYBWS5zayDYvO/V2GjbI/LUhBxTh17KRRGwD +FvJmfYyQ7C4jguscRrTpnKxknuIbQYQMUlTVquB3htAtf9ORQSC34QiKl6Ahm2F9 +S5iRxOQI3y5+g6BXVTktBjFMg+EIlVgi7UrOtplj/GAC6m0tF+G2Cl2R+IYcU4Uj +iZO6XBeVGUaDCy6b5jdeiBXTbqYWrLaMrCQabZTfw3utJQHAPFaBE+y25Wq4SdJ7 +/S8BmCDa1x9doH7ShJ8ykync1PfOIaTbzqWMx4zIgAFQ2/azZD2aB6GWo8lpQWOp ++yRRNQsYQNiVZ8895KVfsLJvf7nEZ0gtrKYxUiwdzIXspNdt2ymzhcKf1bYeG8TX +XgegkqB2zzp/BviBlGWo5RSGDyaXTHrdWK3yJBkuP4oGMrk71+W/kDUzTCR++AqM +1TpbYXLIbqMlE5DEHejgYYOclx3pmMBYcJJsPW8mKd2C7G3fj67lUQwXr+iLS1Fl +Zekh3ZcaQSptQyUaJ6XXaa8A5qx42FpEGIxTLF3YktyT/u3rMsYD62hohR7zCNUK +J8Wsmjmeu78OoPv68DxD8Hi88rcYg/cKTELjBx+GQOKGite7ogxPcdfFIrprVNTQ +WLYLk9STn42RhUELKt2uKYmVJ6GzfBf7Lfgmsi9QVIPbswZE02fF/pC5Gcl1FEA8 +X0wcxcv9MAbFm497CMkdw9wxj4rV7XruBrUAB24QRj/r3Hsk4LS/0MI8/OawzaP+ +UAXYExWPuOremVl4/esbXOi5UXPcz/4aDtYyo3/PYOS8TWGnhJ0P3VykdTQ2a6Cq +A/qI5c1HN0Llg918Eff/Lrw3WDpe7tcuQz0UZDUw9wEdglMTl1xQ9tZPQcMmKc08 +32dUUxPNX+wsKM1k5VBYRx/Vltr+odNaW4eTgVhsQ68D1vvA+AHLrHOUTGMknVTh +89ZTtycV908axGVot7fz0wpc+n0nF/d6Q75NpqTwGQdwe6LMyYed6dOotYn9rWAV +rPIxw9gsT3AGFyzos/ZB4RehHWIX/uumPw3H67vG2q+A2q2zzJFmH72mgMIpf/hY +1SoCO3Uhlv58zbASfchyIFlMNNxSN9+6uffXbB9kR/C3ClKZB9vDwyhpMFU/LMqz +2/ffsESVa5KSRdzwJuzbHQC/cymQZYoe3SayObmKoTIzo6lQoTCX7yREUFaT346A +XkjN40YsO4dQ64r4qKdCRmhK1GHo3zXzT/50maVxzUsJafhuARvLxckpidq0mdT9 +2zBl5aM7GTwqCs9eqV1EJJASeBoFdu2iAKOI5O0Y7uVKNRZbiElnroR9IgfINepc +7OenXrQbwrXD0PYORY04axr3hfM7GEy90TC+9WGLZWBTyKRdTdIdNCTvh1q84OZo +Qp4zEhWsHT6C1FKmpu+uhPKHEqgqrgWFfsSr21uYFuEybXY2B9euyB222wYjX8K4 +u9C1+YGNQIhDcfqaefLdIBfgUErK/xjTDBP8Xk85NJIxab98aJkhclH0k8qOv6pr +35/tH3UEUjR1FlIgzU46cg== +-----END ENCRYPTED PRIVATE KEY----- 
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.crt b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.crt new file mode 100644 index 0000000..35b1e6a --- /dev/null +++ b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.crt 
@@ -0,0 +1,80 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 4668 (0x123c) + Signature Algorithm: sha512WithRSAEncryption + Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA + Validity + Not Before: Jan 17 12:14:02 2020 GMT + Not After : Jan 17 12:14:02 2024 GMT + Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=revoked_by_ca_invalid_crl_path@acme.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:cc:e3:11:32:ee:d9:ba:67:5b:0b:e2:52:4b:9c: + e7:54:d7:e4:c7:a9:92:7e:6a:39:e0:bb:d3:cc:9f: + 6f:38:73:96:c5:62:bf:bc:8d:69:e5:e8:67:3f:18: + d8:aa:ab:67:93:cb:c1:71:ac:7d:1e:7e:40:a7:d6: + 0a:8a:d2:17:7e:3b:be:d0:0e:1b:54:7c:be:0f:de: + 46:9b:4c:5a:64:de:87:08:45:b9:4f:32:df:26:6c: + 42:66:06:bd:61:cb:95:ae:a7:94:ee:4f:61:ff:da: + 18:b5:4a:41:9a:c5:c4:bd:2b:ae:8f:9d:13:82:04: + df:23:31:4a:5d:62:2c:0f:83:87:18:4a:7c:ce:12: + bc:02:67:b4:1e:d9:9b:4c:9a:33:ab:0c:34:eb:dc: + 8e:36:0a:54:ac:c1:88:84:26:15:9e:a5:08:0b:e2: + 95:ef:3b:71:29:d9:c7:39:79:05:ef:4e:dd:52:ea: + 42:05:b3:7b:2b:b4:ee:3e:da:4f:78:a7:e3:39:da: + 6e:56:2e:74:52:27:7f:e5:e9:c3:11:79:c9:5f:6f: + ae:58:31:d0:d1:89:b3:01:09:01:5d:44:53:6b:21: + af:fc:07:e6:68:9e:76:ab:c9:56:b0:20:5d:36:fe: + e0:06:8c:bb:70:6c:e3:3b:92:a0:5b:0d:e9:ce:e4: + fb:ff + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 CRL Distribution Points: + + Full Name: + URI:http://localhost:8186/not/a/crl + + X509v3 Basic Constraints: + CA:FALSE + X509v3 Key Usage: + Digital Signature, Non Repudiation, Key Encipherment + Signature Algorithm: sha512WithRSAEncryption + 70:bd:f9:c8:9e:b5:40:c4:cd:af:33:9a:35:10:25:ef:2d:00: + c1:e3:7a:b3:54:f3:e7:86:b5:a7:3a:7c:4e:c3:fe:c3:b3:f6: + e9:e1:4b:48:27:40:dc:36:e1:18:cc:79:93:44:c8:96:78:1c: + c2:e3:3c:58:a3:3e:4c:d7:68:7e:e3:83:c4:40:f1:2a:d1:17: + a5:89:5f:5d:72:b9:3f:9e:75:7a:a2:d9:73:82:09:4d:45:40: + 84:ed:e7:9a:15:81:e2:3e:43:eb:c4:f8:ff:40:a4:b9:1c:d0: + 3f:e9:c4:17:26:74:10:86:52:c5:34:b8:a7:d4:1c:b5:53:ac: + 
af:35:35:61:c7:7c:f0:ce:bb:4e:24:49:01:3b:88:57:70:73: + ad:19:52:ee:b0:57:5e:01:ac:18:1a:ab:73:d5:12:c1:55:0c: + 7b:42:33:ad:5c:a9:5a:75:61:dc:65:08:b0:b5:ab:d0:56:2f: + 1b:fa:88:2f:53:2f:04:bb:e3:d6:42:73:0a:03:a3:28:79:a9: + ba:45:4e:ac:65:9e:0f:6a:f2:b7:9a:3a:df:fd:07:cb:4b:78: + 6a:32:91:59:d4:f6:ea:aa:0d:71:da:21:14:cf:b9:73:bd:c6: + f2:b3:8b:b2:30:7a:83:3a:7f:09:d3:11:ef:13:dd:da:1d:b9: + 01:11:fe:ad +-----BEGIN CERTIFICATE----- +MIIDhDCCAmygAwIBAgICEjwwDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMCQ0Ex +EDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFDTUUxETAPBgNVBAMMCE15Um9v +dENBMB4XDTIwMDExNzEyMTQwMloXDTI0MDExNzEyMTQwMlowezELMAkGA1UEBhMC +Q0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRvMQ0wCwYDVQQKDARhY21l +MQwwCgYDVQQLDANhcnQxMDAuBgNVBAMMJ3Jldm9rZWRfYnlfY2FfaW52YWxpZF9j +cmxfcGF0aEBhY21lLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AMzjETLu2bpnWwviUkuc51TX5Mepkn5qOeC708yfbzhzlsViv7yNaeXoZz8Y2Kqr +Z5PLwXGsfR5+QKfWCorSF347vtAOG1R8vg/eRptMWmTehwhFuU8y3yZsQmYGvWHL +la6nlO5PYf/aGLVKQZrFxL0rro+dE4IE3yMxSl1iLA+DhxhKfM4SvAJntB7Zm0ya +M6sMNOvcjjYKVKzBiIQmFZ6lCAvile87cSnZxzl5Be9O3VLqQgWzeyu07j7aT3in +4znablYudFInf+XpwxF5yV9vrlgx0NGJswEJAV1EU2shr/wH5miedqvJVrAgXTb+ +4AaMu3Bs4zuSoFsN6c7k+/8CAwEAAaNMMEowMAYDVR0fBCkwJzAloCOgIYYfaHR0 +cDovL2xvY2FsaG9zdDo4MTg2L25vdC9hL2NybDAJBgNVHRMEAjAAMAsGA1UdDwQE +AwIF4DANBgkqhkiG9w0BAQ0FAAOCAQEAcL35yJ61QMTNrzOaNRAl7y0AweN6s1Tz +54a1pzp8TsP+w7P26eFLSCdA3DbhGMx5k0TIlngcwuM8WKM+TNdofuODxEDxKtEX +pYlfXXK5P551eqLZc4IJTUVAhO3nmhWB4j5D68T4/0CkuRzQP+nEFyZ0EIZSxTS4 +p9QctVOsrzU1Ycd88M67TiRJATuIV3BzrRlS7rBXXgGsGBqrc9USwVUMe0IzrVyp +WnVh3GUIsLWr0FYvG/qIL1MvBLvj1kJzCgOjKHmpukVOrGWeD2ryt5o63/0Hy0t4 +ajKRWdT26qoNcdohFM+5c73G8rOLsjB6gzp/CdMR7xPd2h25ARH+rQ== +-----END CERTIFICATE----- diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.csr b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.csr new file mode 100644 index 0000000..5c04ce9 --- /dev/null 
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.csr @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICwDCCAagCAQAwezELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQH +DAdUb3JvbnRvMQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxMDAuBgNVBAMM +J3Jldm9rZWRfYnlfY2FfaW52YWxpZF9jcmxfcGF0aEBhY21lLm9yZzCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMzjETLu2bpnWwviUkuc51TX5Mepkn5q +OeC708yfbzhzlsViv7yNaeXoZz8Y2KqrZ5PLwXGsfR5+QKfWCorSF347vtAOG1R8 +vg/eRptMWmTehwhFuU8y3yZsQmYGvWHLla6nlO5PYf/aGLVKQZrFxL0rro+dE4IE +3yMxSl1iLA+DhxhKfM4SvAJntB7Zm0yaM6sMNOvcjjYKVKzBiIQmFZ6lCAvile87 +cSnZxzl5Be9O3VLqQgWzeyu07j7aT3in4znablYudFInf+XpwxF5yV9vrlgx0NGJ +swEJAV1EU2shr/wH5miedqvJVrAgXTb+4AaMu3Bs4zuSoFsN6c7k+/8CAwEAAaAA +MA0GCSqGSIb3DQEBDQUAA4IBAQAMYJv3za9w6iCfl3/X17EWRpCxfB2uylVoF+Qn +pk6cAaPZtPNLmzyGGsZ5Vpvm9LuISuU5ZcPCL+ocZ9yjghtiEUg5tslujuuhXyfE +KhTj0UzSrWAKjm6KJcMu5dtxyM97sToVuU7MBR44KVdSxnzFWgL4afiVULxuJFFb +DwTDgZZWYSeh2WeQt4bRL8dwhqvh0J+/Xilwh8kvY2yv8TXa0jgbguzPPtfcOJLN +N9N4VvkrIXgkZSKut2U1G4eESWnCG9PP638I6j9ntA/cHbJ8TC46cEdQcYl1pPPG +C5FC+aOr2NN/wVME/8Iib5FUKUcHJNZBrBZ3FHf1qjJcbuso +-----END CERTIFICATE REQUEST----- diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.jks b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.jks new file mode 100644 index 0000000..a61e890 Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.jks differ diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.self.crt new file mode 100644 index 0000000..c7418d2 --- /dev/null +++ b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.self.crt 
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID1zCCAr+gAwIBAgIUBlNXdtg4SxQN24k7fss2AhXXmcQwDQYJKoZIhvcNAQEN +BQAwezELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRv +MQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxMDAuBgNVBAMMJ3Jldm9rZWRf +YnlfY2FfaW52YWxpZF9jcmxfcGF0aEBhY21lLm9yZzAeFw0yMDAxMTcxMjE0MDJa +Fw0yMDAyMTYxMjE0MDJaMHsxCzAJBgNVBAYTAkNBMQswCQYDVQQIDAJPTjEQMA4G +A1UEBwwHVG9yb250bzENMAsGA1UECgwEYWNtZTEMMAoGA1UECwwDYXJ0MTAwLgYD +VQQDDCdyZXZva2VkX2J5X2NhX2ludmFsaWRfY3JsX3BhdGhAYWNtZS5vcmcwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDM4xEy7tm6Z1sL4lJLnOdU1+TH +qZJ+ajngu9PMn284c5bFYr+8jWnl6Gc/GNiqq2eTy8FxrH0efkCn1gqK0hd+O77Q +DhtUfL4P3kabTFpk3ocIRblPMt8mbEJmBr1hy5Wup5TuT2H/2hi1SkGaxcS9K66P +nROCBN8jMUpdYiwPg4cYSnzOErwCZ7Qe2ZtMmjOrDDTr3I42ClSswYiEJhWepQgL +4pXvO3Ep2cc5eQXvTt1S6kIFs3srtO4+2k94p+M52m5WLnRSJ3/l6cMReclfb65Y +MdDRibMBCQFdRFNrIa/8B+ZonnaryVawIF02/uAGjLtwbOM7kqBbDenO5Pv/AgMB +AAGjUzBRMB0GA1UdDgQWBBQTrfcuZNAq9PBU2mYtEYj4Mx9spDAfBgNVHSMEGDAW +gBQTrfcuZNAq9PBU2mYtEYj4Mx9spDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3 +DQEBDQUAA4IBAQCWVNzJRocgQdD7JYE1X7eoet9ex2luAlu8zZVZfeNKv27QjeRg +1n3Jz1eXMXoVlcRtuXSX6Pw1qZLtAZ07/vPPHBTnMKi5Tvc+4ho/P+UZ1vhVViV9 +Qg0+qNZ0HqiTX9i/gYhUSj8L28iOW01PYP89WDJYhh8kQJhXQbbwE84Y+r75NX7y +TUZ+ozXJqM2dxrVVnr46bh0qTmTPlWIBKnlkemWe0VlNFFtJlDOXqEkZBaaTqKrE +iKcxAy1wrlAyvLS69LzZnt2UrR68oQXAQITtdbY4VWSfyxOh9i56OVgw2E6seUuG +ZdWX9oXeI01B9vV6EqFLiPn6eTPPYOukkjGg +-----END CERTIFICATE----- diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.self.key new file mode 100644 index 0000000..cfaeb30 --- /dev/null +++ b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.self.key 
@@ -0,0 +1,30 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIkqodAjKk8vECAggA +MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECAO1t0BIS+B/BIIEyMK0wAf8UrpJ +YTJ31fURI5LQ44dkuyvRWu/lIRD/kA081HXXm5eFMW3F4CvKpfbKQKHOEWYjlBbo +tfsbZyPA2rRT3SAWZY1OZw4zLW5hXlX7yrTTEMWzrKF6i8Fia+cVTRR9D4g0aiEu +/1RKQPoehCJm7QNKG7mxSzmUoZ/WjSmVIYTCH9cXKnbZE18Hlcc+fDIOlAxWO0nt +n+IK+U8QzCy5Nk2LvVZSQZMPBFM/ZpTSwrTJe9iP6q+LCv59z3bzgX1i1MZJNTp/ +nYt7+C0JnFcIcnuuOWuKCkRK6txu94AxeZq3JQHRgMmdpmKvsOJ54Um2qSIblphH +F+7D21ag/ebBLDHRnwkPzlhbP8CLR0J4XZ2KvEjhZjFGV+CokeYRcZI1fAqw7C9r +V9EWCZxsqjPIKZd3W44TWVUrk8ij21sYJ/l3wVLeTUNCiEub1gDpWtlctGEKL6mU +guCfMIK8ZZ04KQjKHqeiPmSEdJoHWrT6EyFzi+ZOL/bjeJ5uA5jrgYDWuy0Nhii4 +DbMVCm3EItAKDUq0bDJEGkDSiP7gVEiLThc++skeM/kqqECAwFNRiNPCI/XLuUoe +JEGoubfc4XTfUPwJbfgrXE+QsgP/k5m38LjOITmkIsevzUxDV1ymHE6J9aQFwh6T +lUeRq9zy7RsGze4letY7OXgoq2ISwPwqvgUfDBE3Upo1ZzLtfwlGkAgbyUmqA0oF +fC3UU6QZizk1qh/OnjaIpElRjGnEnH0yo/jasypZ2V3zUaAJ1UJh2Q5OQrBkyzGM +C7LNcRPC1o18LrO19rtgtk6ysHG21oqwXe5W/xxwif5ouL880vJYsq2fEHLHkcfw +u9tG02p1dtZUSbgBoLRlhP/S5gwf9mzIKgtOL10zliTw0fiklh+dDsWij5s56jLr +IuIm1s9XrQFaSAJEEw1xtMNGkasKnXDZjvfSqBOLaXn6AhqrJRknTDsJr6bbVTiY +SL6Gjo9Jpjcqo6rKN0cutFqGx7JfNsjwaVEwi0UkpJ7NuF6AKuHqZP0WWDLOWUgB +f2ocal3AzCRienQRWhqwIaVnt0jTWwOTx69dHeaHSwsH7B9Ka8w61dcCLnE4bQHQ +qpxDqDMh1T0G4nwodcR0ZBA88IBbx59lSvvIKFtJJ2CTcwDibhjs14iWopIP6DHR +aiS8xxjlVhBnn2GuKSKs8hJn0+JxUJquh8C0zp0PWE0HC9gUBNfx4Y1i2qL/dd6n +5vtWaq7mjpaXR6Nk+EPQ4kGBelx5ELzSbhc2bS0dnyWtGzTrMu3m3J89bBMFPLe1 +QaU5b/1hRDCJdLAnsAg6P6ekpC+NSECRQhd18PQqgWexEM99O31+aWz6+JTXkCxY +PutnAU4OwcW+80h1Xt0tXrshMEJJ9U6DnvJ30yP0pClp+jhA4mPggMf4Rabo4VGq +jI2P6l2ksxe8WEquwpw5AbpKS9pYjjo52nFVzKF7G3T88eWcfaX3lYyN13iXh2EA +BcH+ad2Ux1eOPtSVrCLyWd2MXehZ5gmdeUsOnwccOB3gppTQNAK9Cq2mqfRx0foO +GDC+Bpl5xdzEkg3YQ9n+aXYmY7vCGO9B3nWDp31J6JVv3x2m1UdCXzr35xIXE2K5 +5nrg58gwOIVCLeQlazWIeA== +-----END ENCRYPTED PRIVATE KEY----- 
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/test_cert_only_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/test_cert_only_keystore.jks new file mode 100644 index 0000000..a4648a0 Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/test_cert_only_keystore.jks differ diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/test_empty_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/test_empty_keystore.jks new file mode 100644 index 0000000..4eebca7 Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/test_empty_keystore.jks differ diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/test_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/test_keystore.jks new file mode 100644 index 0000000..c6dd178 Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/test_keystore.jks differ diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/test_pk_only_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/test_pk_only_keystore.jks new file mode 100644 index 0000000..6e7fc6c Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/test_pk_only_keystore.jks differ diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/test_symmetric_key_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/test_symmetric_key_keystore.jks new file mode 100644 index 0000000..129593a Binary files /dev/null and b/qpid-test-utils/src/main/resources/ssl/certificates/test_symmetric_key_keystore.jks differ diff --git a/qpid-test-utils/src/main/resources/ssl/generate_certificates.sh b/qpid-test-utils/src/main/resources/ssl/generate_certificates.sh new file mode 100755 index 0000000..636d6d5 --- /dev/null +++ b/qpid-test-utils/src/main/resources/ssl/generate_certificates.sh 
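Review bot: the three CA-signed fixtures added above (revoked_by_ca.crt, revoked_by_ca_empty_crl.crt, revoked_by_ca_invalid_crl_path.crt) all carry a fixed validity window ending "Not After : Jan 17 12:14:0x 2024 GMT", so any test that validates them will start failing on that date with an expiry error instead of the revocation outcome it is checking; please document, for example in a comment next to VALID_DAYS in generate_certificates.sh, that the fixtures have to be regenerated before then and how. The CRL Distribution Point URIs (http://localhost:8186/MyRootCA.crl, http://localhost:8186/MyRootCA.empty.crl, http://localhost:8186/not/a/crl) also make the revocation tests depend on an HTTP listener on port 8186 (CRL_HTTP_PORT in the script), so a short note on which test helper starts that server would help the next reader. The committed .self.key files are PKCS#8 blobs encrypted with the script's fixed passphrase (PASSWORD=password), which is acceptable for throwaway test material but worth stating explicitly so nobody mistakes them for reusable keys.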
@@ -0,0 +1,370 @@ +#!/bin/sh +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +MY_PATH="$(dirname "$(readlink -f "$0")")" +CRL_HTTP_PORT=8186 +PASSWORD=password +ROOT_CA=MyRootCA +INTERMEDIATE_CA=intermediate_ca +OPENSSL_DIR="$MY_PATH/openssl" +OPENSSL_CONF="$OPENSSL_DIR/openssl.conf" +CERTIFICATES_DIR="$MY_PATH/certificates" +VALID_DAYS=1461 + +CLIENT_KEYSTORE="$CERTIFICATES_DIR/client_keystore.jks" +CLIENT_TRUSTSTORE="$CERTIFICATES_DIR/client_truststore.jks" +CLIENT_EXPIRED_KEYSTORE="$CERTIFICATES_DIR/client_expired_keystore.jks" +CLIENT_EXPIRED_CRT="$CERTIFICATES_DIR/client_expired.crt" +CLIENT_UNTRUSTED_KEYSTORE="$CERTIFICATES_DIR/client_untrusted_keystore.jks" + +BROKER_KEYSTORE="$CERTIFICATES_DIR/broker_keystore.jks" +BROKER_TRUSTSTORE="$CERTIFICATES_DIR/broker_truststore.jks" +BROKER_PEERSTORE="$CERTIFICATES_DIR/broker_peerstore.jks" +BROKER_EXPIRED_TRUSTSTORE="$CERTIFICATES_DIR/broker_expired_truststore.jks" +BROKER_CRT="$CERTIFICATES_DIR/broker.crt" +BROKER_CSR="$CERTIFICATES_DIR/broker.csr" +BROKER_ALIAS="broker" + +TEST_KEYSTORE="$CERTIFICATES_DIR/test_keystore.jks" +TEST_PK_ONLY_KEYSTORE="$CERTIFICATES_DIR/test_pk_only_keystore.jks" +TEST_CERT_ONLY_KEYSTORE="$CERTIFICATES_DIR/test_cert_only_keystore.jks" 
+TEST_SYMMETRIC_KEY_KEYSTORE="$CERTIFICATES_DIR/test_symmetric_key_keystore.jks" +TEST_EMPTY_KEYSTORE="$CERTIFICATES_DIR/test_empty_keystore.jks" + +# set to true for debug +DEBUG=false + +generate_selfsigned_ca() +{ + echo "Generating selfsigned CA certificate" + openssl req -x509 -newkey rsa:2048 -keyout "$CERTIFICATES_DIR/$ROOT_CA.key" -out "$CERTIFICATES_DIR/$ROOT_CA.crt" -days 1461 -subj '/C=CA/ST=Ontario/O=ACME/CN=MyRootCA' -passout pass:$PASSWORD -sha512 && \ + keytool -import -alias rootca -file "$CERTIFICATES_DIR/$ROOT_CA.crt" -storepass "$PASSWORD" -noprompt -deststoretype PKCS12 -keystore "$CLIENT_KEYSTORE" && \ + keytool -import -alias rootca -file "$CERTIFICATES_DIR/$ROOT_CA.crt" -storepass "$PASSWORD" -noprompt -deststoretype PKCS12 -keystore "$CLIENT_TRUSTSTORE" && \ + keytool -import -alias rootca -file "$CERTIFICATES_DIR/$ROOT_CA.crt" -storepass "$PASSWORD" -noprompt -deststoretype PKCS12 -keystore "$BROKER_KEYSTORE" && \ + keytool -import -alias rootca -file "$CERTIFICATES_DIR/$ROOT_CA.crt" -storepass "$PASSWORD" -noprompt -deststoretype PKCS12 -keystore "$BROKER_TRUSTSTORE" + _rc=$? + if [ $_rc -eq 0 ]; then + echo "Selfsigned CA certificate successfully generated" + else + echo "Failed to generate selfsigned CA certificate" >&2 + fi + return $_rc +} + +prepare_openssl_environment() +{ + echo "Preparing openssl environment" + rm -rf "$CERTIFICATES_DIR" && \ + mkdir "$CERTIFICATES_DIR" && \ + rm -rf "$OPENSSL_DIR" && \ + mkdir "$OPENSSL_DIR" && \ + cp "$MY_PATH/openssl.conf" "$OPENSSL_DIR" && \ + sed -i "s|^dir = .|dir = $OPENSSL_DIR|" "$OPENSSL_CONF" && \ + echo 1234 > "$OPENSSL_DIR"/serial && \ + echo 1234 > "$OPENSSL_DIR"/crlnumber && \ + touch "$OPENSSL_DIR"/index.txt && \ + echo "unique_subject = no" > "$OPENSSL_DIR"/index.txt.attr && \ + mkdir "$OPENSSL_DIR"/newcerts + _rc=$? 
+ if [ $_rc -eq 0 ]; then + echo "Openssl environment successfully prepared" + else + echo "Failed to prepare openssl environment" >&2 + fi + return $_rc +} + +# $1 - alias +generate_signed_certificate() +{ + _alias=$1 + _subject="/C=CA/ST=ON/L=Toronto/O=acme/OU=art/CN=$_alias@acme.org" + echo "Generating CA signed certificate '$_alias'" + openssl req -x509 -newkey rsa:2048 -keyout "$CERTIFICATES_DIR/$_alias.self.key" -out "$CERTIFICATES_DIR/$_alias.self.crt" -subj "$_subject" -sha512 -passout pass:$PASSWORD && \ + openssl req -config "$OPENSSL_CONF" -new -key "$CERTIFICATES_DIR/$_alias.self.key" -out "$CERTIFICATES_DIR/$_alias.csr" -sha512 -subj "$_subject" -passin pass:$PASSWORD && \ + openssl ca -config "$OPENSSL_CONF" -md sha512 -extensions v3_req -batch -passin pass:$PASSWORD -out "$CERTIFICATES_DIR/$_alias.crt" -keyfile "$CERTIFICATES_DIR/$ROOT_CA.key" -cert "$CERTIFICATES_DIR/$ROOT_CA.crt" -days $VALID_DAYS -infiles "$CERTIFICATES_DIR/$_alias.csr" && \ + openssl pkcs12 -export -chain -CAfile "$CERTIFICATES_DIR/$ROOT_CA.crt" -in "$CERTIFICATES_DIR/$_alias.crt" -inkey "$CERTIFICATES_DIR/$_alias.self.key" -out "$CERTIFICATES_DIR/$_alias.jks" -name $_alias -passin pass:"$PASSWORD" -passout pass:"$PASSWORD" && \ + keytool -importkeystore -srckeystore "$CERTIFICATES_DIR/$_alias.jks" -srcstoretype PKCS12 -storepass "$PASSWORD" -srcstorepass "$PASSWORD" -alias $_alias -deststoretype PKCS12 -destkeystore "$CLIENT_KEYSTORE" + _rc=$? 
+ if [ $_rc -eq 0 ]; then + echo "CA signed certificate '$_alias' successfully generated" + else + echo "Failed to generate CA signed certificate '$_alias'" >&2 + fi + return $_rc +} + +# $1 - certificate alias +generate_signed_certificate_with_intermediate_signed_certificate() +{ + _alias=$1 + _intermediate_ca_subject="/C=CA/ST=ON/L=Toronto/O=acme/OU=art/CN=$INTERMEDIATE_CA@acme.org" + _subject="/C=CA/ST=ON/L=Toronto/O=acme/OU=art/CN=$_alias@acme.org" + echo "Generating CA signed certificate '$_alias' with intermediate CA certificate '$INTERMEDIATE_CA'" + openssl req -x509 -newkey rsa:2048 -keyout "$CERTIFICATES_DIR/$INTERMEDIATE_CA.self.key" -out "$CERTIFICATES_DIR/$INTERMEDIATE_CA.self.crt" -subj "$_intermediate_ca_subject" -sha512 -passout pass:$PASSWORD && \ + openssl req -config "$OPENSSL_CONF" -verbose -new -key "$CERTIFICATES_DIR/$INTERMEDIATE_CA.self.key" -out "$CERTIFICATES_DIR/$INTERMEDIATE_CA.csr" -sha512 -subj "$_intermediate_ca_subject" -passin pass:$PASSWORD && \ + openssl ca -config "$OPENSSL_CONF" -md sha512 -extensions v3_ca -batch -passin pass:$PASSWORD -out "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crt" -keyfile "$CERTIFICATES_DIR/$ROOT_CA.key" -cert "$CERTIFICATES_DIR/$ROOT_CA.crt" -days $VALID_DAYS -infiles "$CERTIFICATES_DIR/$INTERMEDIATE_CA.csr" && \ + openssl pkcs12 -export -chain -CAfile "$CERTIFICATES_DIR/$ROOT_CA.crt" -in "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crt" -inkey "$CERTIFICATES_DIR/$INTERMEDIATE_CA.self.key" -out "$CERTIFICATES_DIR/$INTERMEDIATE_CA.jks" -name $INTERMEDIATE_CA -passin pass:"$PASSWORD" -passout pass:"$PASSWORD" + echo "Generating CA signed certificate for '$_alias'" && \ + openssl req -x509 -newkey rsa:2048 -keyout "$CERTIFICATES_DIR/$_alias.self.key" -out "$CERTIFICATES_DIR/$_alias.self.crt" -subj "$_subject" -sha512 -passout pass:$PASSWORD && \ + openssl req -config "$OPENSSL_CONF" -verbose -new -key "$CERTIFICATES_DIR/$_alias.self.key" -out "$CERTIFICATES_DIR/$_alias.csr" -sha512 -subj "$_subject" -passin pass:$PASSWORD 
&& \ + openssl ca -config "$OPENSSL_CONF" -md sha512 -extensions v3_req -batch -passin pass:$PASSWORD -out "$CERTIFICATES_DIR/$_alias.crt" -keyfile "$CERTIFICATES_DIR/$INTERMEDIATE_CA.self.key" -cert "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crt" -days $VALID_DAYS -infiles "$CERTIFICATES_DIR/$_alias.csr" && \ + cat "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crt" "$CERTIFICATES_DIR/$ROOT_CA.crt" > "$CERTIFICATES_DIR/chain_with_intermediate.crt" + openssl pkcs12 -export -chain -CAfile "$CERTIFICATES_DIR/chain_with_intermediate.crt" -in "$CERTIFICATES_DIR/$_alias.crt" -inkey "$CERTIFICATES_DIR/$_alias.self.key" -out "$CERTIFICATES_DIR/$_alias.jks" -name $_alias -passin pass:"$PASSWORD" -passout pass:"$PASSWORD" && \ + keytool -importkeystore -srckeystore "$CERTIFICATES_DIR/$_alias.jks" -srcstoretype PKCS12 -storepass "$PASSWORD" -srcstorepass "$PASSWORD" -alias $_alias -deststoretype PKCS12 -destkeystore "$CLIENT_KEYSTORE" + _rc=$? + if [ $_rc -eq 0 ]; then + echo "CA signed certificate '$_alias' with intermediate CA certificate '$INTERMEDIATE_CA' successfully generated" + else + echo "Failed to generate CA signed certificate '$_alias' with intermediate CA certificate '$INTERMEDIATE_CA'" >&2 + fi + return $_rc +} + +generate_expired_certificate() +{ + _alias=user1 + echo "Generating expired certificate '$_alias'" + keytool -genkeypair -alias $_alias -dname CN=USER1 -startdate "2010/01/01 12:00:00" -validity $VALID_DAYS -keysize 2048 -keyalg RSA -sigalg SHA512withRSA -keypass "$PASSWORD" -storepass "$PASSWORD" -deststoretype PKCS12 -keystore "$CLIENT_EXPIRED_KEYSTORE" && \ + keytool -exportcert -keystore "$CLIENT_EXPIRED_KEYSTORE" -storepass "$PASSWORD" -alias $_alias -rfc -file "$CLIENT_EXPIRED_CRT" && \ + keytool -import -alias $_alias -file "$CLIENT_EXPIRED_CRT" -storepass "$PASSWORD" -noprompt -deststoretype PKCS12 -sigalg SHA512withRSA -keystore "$BROKER_EXPIRED_TRUSTSTORE" + _rc=$? 
+ if [ $_rc -eq 0 ]; then + echo "Expired certificate '$_alias' successfully generated" + else + echo "Failed to generate expired certificate '$_alias'" >&2 + fi + return $_rc +} + +generate_signed_broker_certificate() +{ + _subject="/C=CA/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=localhost" + echo "Generating CA signed certificate '$BROKER_ALIAS'" + openssl req -x509 -newkey rsa:2048 -keyout "$CERTIFICATES_DIR/$BROKER_ALIAS.self.key" -out "$CERTIFICATES_DIR/$BROKER_ALIAS.self.crt" -subj "$_subject" -passout pass:$PASSWORD && \ + openssl req -config "$OPENSSL_CONF" -verbose -new -key "$CERTIFICATES_DIR/$BROKER_ALIAS.self.key" -out "$BROKER_CSR" -sha512 -subj "$_subject" -passin pass:$PASSWORD && \ + openssl ca -config "$OPENSSL_CONF" -md sha512 -extensions v3_req -batch -passin pass:$PASSWORD -out "$BROKER_CRT" -keyfile "$CERTIFICATES_DIR/$ROOT_CA.key" -cert "$CERTIFICATES_DIR/$ROOT_CA.crt" -days $VALID_DAYS -infiles "$BROKER_CSR" && \ + openssl pkcs12 -export -chain -CAfile "$CERTIFICATES_DIR/$ROOT_CA.crt" -in "$BROKER_CRT" -inkey "$CERTIFICATES_DIR/$BROKER_ALIAS.self.key" -out "$CERTIFICATES_DIR/$BROKER_ALIAS.jks" -name $BROKER_ALIAS -passin pass:"$PASSWORD" -passout pass:"$PASSWORD" && \ + keytool -importkeystore -srckeystore "$CERTIFICATES_DIR/$BROKER_ALIAS.jks" -srcstoretype PKCS12 -storepass "$PASSWORD" -srcstorepass "$PASSWORD" -alias $BROKER_ALIAS -deststoretype PKCS12 -destkeystore "$BROKER_KEYSTORE" + _rc=$? 
+ if [ $_rc -eq 0 ]; then + echo "CA signed certificate '$BROKER_ALIAS' successfully generated" + else + echo "Failed to generate CA signed certificate '$BROKER_ALIAS'" >&2 + fi + return $_rc +} + +# $1 - certificate alias +# $2 - keystore where certificate will be imported +import_to_keystore() +{ + _alias=$1 + _keystore="$2" + + echo "Importing certificate '$_alias' to keystore '$_keystore'" + keytool -import -alias $_alias -file "$CERTIFICATES_DIR/$_alias.crt" -storepass "$PASSWORD" -noprompt -deststoretype PKCS12 -sigalg SHA512withRSA -keystore "$_keystore" + _rc=$? + if [ $_rc -eq 0 ]; then + echo "Certificate '$_alias' successfully imported to keystore '$_keystore'" + else + echo "Failed to import certificate '$_alias' to keystore '$_keystore'" >&2 + fi + return $_rc +} + +generate_untrusted_client_certificate() +{ + _alias=untrusted_client + + echo "Generating untrusted certificate '$_alias'" + keytool -genkeypair -alias $_alias -dname CN=$_alias -validity $VALID_DAYS -keysize 2048 -keyalg RSA -sigalg SHA512withRSA -keypass "$PASSWORD" -storepass "$PASSWORD" -deststoretype PKCS12 -keystore "$CLIENT_UNTRUSTED_KEYSTORE" + _rc=$? + if [ $_rc -eq 0 ]; then + echo "Untrusted certificate '$_alias' successfully generated" + else + echo "Failed to generate untrusted certificate '$_alias'" >&2 + fi + return $_rc +} + +add_certificate_crl_distribution_point() +{ + echo "Add CRL distribution points to openssl configuration" + sed -i "/\[ v3_req \]/a crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/$ROOT_CA.crl" "$OPENSSL_CONF" && \ + sed -i "/\[ v3_ca \]/a crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/$ROOT_CA.crl" "$OPENSSL_CONF" + _rc=$? 
+ if [ $_rc -eq 0 ]; then + echo "CRL distribution points successfully addded" + else + echo "Failed to add CRL distribution points" >&2 + fi + return $_rc +} + +set_certificate_crl_distribution_point_to_intermediate_ca() +{ + echo "Setting CRL distribution point for intermediate CA certificate '$INTERMEDIATE_CA'" + sed -i -z "s|crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/$ROOT_CA.crl|crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/$INTERMEDIATE_CA.crl|" "$OPENSSL_CONF" + _rc=$? + if [ $_rc -eq 0 ]; then + echo "CRL distribution point for intermediate CA certificate '$INTERMEDIATE_CA' successfully set" + else + echo "Failed to set CRL distribution point for intermediate CA certificate '$INTERMEDIATE_CA'" >&2 + fi + return $_rc +} + +set_certificate_crl_distribution_point_to_empty_crl() +{ + echo "Setting CRL distribution point to empty CRL" + sed -i -z "s|crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/$INTERMEDIATE_CA.crl|crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/$ROOT_CA.empty.crl|" "$OPENSSL_CONF" + _rc=$? + if [ $_rc -eq 0 ]; then + echo "CRL distribution point to empty CRL successfully set" + else + echo "Failed to set CRL distribution to empty CRL" >&2 + fi + return $_rc +} + +set_certificate_crl_distribution_point_to_invalid_crl_path() +{ + echo "Setting CRL distribution point to invalid CRL path" + sed -i "s|crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/$ROOT_CA.empty.crl|crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/not/a/crl|" "$OPENSSL_CONF" + _rc=$? 
+ if [ $_rc -eq 0 ]; then + echo "CRL distribution point to invalid CRL path successfully set" + else + echo "Failed to set CRL distribution to invalid CRL path" >&2 + fi + return $_rc +} + +generate_intermediate_crl() +{ + echo "Generating intermediate CA certificate '$INTERMEDIATE_CA' CRL" + openssl ca -config "$OPENSSL_CONF" -passin pass:$PASSWORD -gencrl -keyfile "$CERTIFICATES_DIR/$INTERMEDIATE_CA.self.key" -cert "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crt" -out "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crl.pem" && \ + openssl crl -inform PEM -in "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crl.pem" -outform DER -out "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crl" + _rc=$? + if [ $_rc -eq 0 ]; then + echo "Intermediate CA certificate '$INTERMEDIATE_CA' CRL successfully generated" + else + echo "Failed to generate intermediate CA certificate '$INTERMEDIATE_CA' CRL" >&2 + fi + return $_rc +} + + +# $1 - part of CRL file name +generate_crl() +{ + _crl_name_part=$1 + _crl_path_prefix= + if [ -n "$_crl_name_part" ]; then + _crl_path_prefix="$CERTIFICATES_DIR/$ROOT_CA.$_crl_name_part" + else + _crl_path_prefix="$CERTIFICATES_DIR/$ROOT_CA" + fi + + echo "Generating certificate '$ROOT_CA' CRL to '$_crl_path_prefix'" + openssl ca -config "$OPENSSL_CONF" -passin pass:$PASSWORD -gencrl -keyfile "$CERTIFICATES_DIR/$ROOT_CA.key" -cert "$CERTIFICATES_DIR/$ROOT_CA.crt" -out "$_crl_path_prefix.crl.pem" && \ + openssl crl -inform PEM -in "$_crl_path_prefix.crl.pem" -outform DER -out "$_crl_path_prefix.crl" + _rc=$? + if [ $_rc -eq 0 ]; then + echo "Certificate '$ROOT_CA' CRL successfully generated to '$_crl_path_prefix'" + else + echo "Failed to generate certificate '$ROOT_CA' CRL to '$_crl_path_prefix'" >&2 + fi + return $_rc +} + +revoke_certificate() +{ + _alias=$1 + + echo "Revoking certificate '$_alias'" + openssl ca -config "$OPENSSL_CONF" -passin pass:$PASSWORD -revoke "$CERTIFICATES_DIR/$_alias.crt" -keyfile "$CERTIFICATES_DIR/$ROOT_CA.key" -cert "$CERTIFICATES_DIR/$ROOT_CA.crt" + _rc=$? 
+ if [ $_rc -eq 0 ]; then + echo "Certificate '$_alias' successfully revoked" + else + echo "Failed to revoke certificate '$_alias'" >&2 + fi + return $_rc +} + +prepare_test_keystores() +{ + echo "Preparing test keystores" + cp "$BROKER_KEYSTORE" "$TEST_KEYSTORE" && \ + import_to_keystore "app1" "$TEST_KEYSTORE" && \ + import_to_keystore "app2" "$TEST_KEYSTORE" && \ + cp "$BROKER_KEYSTORE" "$TEST_PK_ONLY_KEYSTORE" && \ + keytool -delete -v -alias rootca -storepass password -keystore "$TEST_PK_ONLY_KEYSTORE" && \ + cp "$BROKER_KEYSTORE" "$TEST_CERT_ONLY_KEYSTORE" && \ + keytool -delete -v -alias $BROKER_ALIAS -storepass password -keystore "$TEST_CERT_ONLY_KEYSTORE" && \ + cp "$BROKER_KEYSTORE" "$TEST_SYMMETRIC_KEY_KEYSTORE" && \ + keytool -genseckey -alias testalias -keyalg AES -keysize 256 -storetype PKCS12 -storepass "$PASSWORD" -keystore "$TEST_SYMMETRIC_KEY_KEYSTORE" && \ + cp "$TEST_PK_ONLY_KEYSTORE" "$TEST_EMPTY_KEYSTORE" + keytool -delete -v -alias $BROKER_ALIAS -storepass password -keystore "$TEST_EMPTY_KEYSTORE" && \ + _rc=$? 
+ if [ $_rc -eq 0 ]; then + echo "Test keystores prepared" + else + echo "Failed to prepare keystores" >&2 + fi + return $_rc +} + +main() +{ + prepare_openssl_environment && \ + generate_selfsigned_ca && \ + generate_signed_certificate "app1" && \ + generate_signed_certificate "app2" && \ + generate_expired_certificate && \ + generate_signed_broker_certificate && \ + import_to_keystore "app1" "$BROKER_PEERSTORE" && \ + generate_untrusted_client_certificate && \ + add_certificate_crl_distribution_point && \ + generate_signed_certificate "allowed_by_ca" && \ + generate_signed_certificate "revoked_by_ca" && \ + set_certificate_crl_distribution_point_to_intermediate_ca && \ + generate_signed_certificate_with_intermediate_signed_certificate "allowed_by_ca_with_intermediate" && \ + generate_intermediate_crl && \ + set_certificate_crl_distribution_point_to_empty_crl && \ + generate_signed_certificate "revoked_by_ca_empty_crl" && \ + set_certificate_crl_distribution_point_to_invalid_crl_path && \ + generate_signed_certificate "revoked_by_ca_invalid_crl_path" && \ + generate_crl "empty" && \ + revoke_certificate "$INTERMEDIATE_CA" && \ + revoke_certificate "revoked_by_ca" && \ + revoke_certificate "revoked_by_ca_empty_crl" && \ + revoke_certificate "revoked_by_ca_invalid_crl_path" && \ + generate_crl && \ + prepare_test_keystores +} + +if [ "$DEBUG" = true ]; then + main +else + main 2>/dev/null 1>&2 +fi diff --git a/qpid-test-utils/src/main/resources/ssl/openssl.conf b/qpid-test-utils/src/main/resources/ssl/openssl.conf new file mode 100644 index 0000000..ad224d7 --- /dev/null +++ b/qpid-test-utils/src/main/resources/ssl/openssl.conf 
@@ -0,0 +1,380 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +# +# OpenSSL example configuration file. +# This is mostly being used for generation of certificate requests. +# + +# Note that you can include other files from the main configuration +# file using the .include directive. +#.include filename + +# This definition stops the following lines choking if HOME isn't +# defined. +HOME = . + +# Extra OBJECT IDENTIFIER info: +#oid_file = $ENV::HOME/.oid +oid_section = new_oids + +# System default +openssl_conf = default_conf + +# To use this configuration file with the "-extfile" option of the +# "openssl x509" utility, name here the section containing the +# X.509v3 extensions to use: +# extensions = +# (Alternatively, use a configuration file that has only +# X.509v3 extensions in its main [= default] section.) + +[ new_oids ] + +# We can add new OIDs in here for use by 'ca', 'req' and 'ts'. +# Add a simple OID like this: +# testoid1=1.2.3.4 +# Or use config file substitution like this: +# testoid2=${testoid1}.5.6 + +# Policies used by the TSA examples. 
+tsa_policy1 = 1.2.3.4.1 +tsa_policy2 = 1.2.3.4.5.6 +tsa_policy3 = 1.2.3.4.5.7 + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = . +certs = $dir/certs # Where the issued certs are kept +crl_dir = $dir/crl # Where the issued crl are kept +database = $dir/index.txt # database index file. +#unique_subject = no # Set to 'no' to allow creation of + # several certs with same subject. +new_certs_dir = $dir/newcerts # default place for new certs. + +certificate = $dir/cacert.pem # The CA certificate +serial = $dir/serial # The current serial number +crlnumber = $dir/crlnumber # the current crl number + # must be commented out to leave a V1 CRL +crl = $dir/crl.pem # The current CRL +private_key = $dir/private/cakey.pem# The private key + +x509_extensions = usr_cert # The extensions to add to the cert + +# Comment out the following two lines for the "traditional" +# (and highly broken) format. +name_opt = ca_default # Subject Name options +cert_opt = ca_default # Certificate field options + +# Extension copying option: use with caution. +# copy_extensions = copy + +# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs +# so this is commented out by default to leave a V1 CRL. +# crlnumber must also be commented out to leave a V1 CRL. 
+# crl_extensions = crl_ext + +default_days = 365 # how long to certify for +default_crl_days= 30 # how long before next CRL +default_md = default # use public key default MD +preserve = no # keep passed DN ordering + +# A few difference way of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +policy = policy_match + +# For the CA policy +[ policy_match ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +# For the 'anything' policy +# At this point in time, you must list all acceptable 'object' +# types. +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +#################################################################### +[ req ] +default_bits = 2048 +default_keyfile = privkey.pem +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca # The extensions to add to the self signed cert + +# Passwords for private keys if not present they will be prompted for +# input_password = secret +# output_password = secret + +# This sets a mask for permitted string types. There are several options. +# default: PrintableString, T61String, BMPString. +# pkix : PrintableString, BMPString (PKIX recommendation before 2004) +# utf8only: only UTF8Strings (PKIX recommendation after 2004). +# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). +# MASK:XXXX a literal mask value. +# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. 
+string_mask = utf8only + +# req_extensions = v3_req # The extensions to add to a certificate request + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = AU +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = Some-State + +localityName = Locality Name (eg, city) + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = Internet Widgits Pty Ltd + +# we can do this but it is not needed normally :-) +#1.organizationName = Second Organization Name (eg, company) +#1.organizationName_default = World Wide Web Pty Ltd + +organizationalUnitName = Organizational Unit Name (eg, section) +#organizationalUnitName_default = + +commonName = Common Name (e.g. server FQDN or YOUR name) +commonName_max = 64 + +emailAddress = Email Address +emailAddress_max = 64 + +# SET-ex3 = SET extension number 3 + +[ req_attributes ] +challengePassword = A challenge password +challengePassword_min = 4 +challengePassword_max = 20 + +unstructuredName = An optional company name + +[ usr_cert ] + +# These extensions are added when 'ca' signs a request. + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. +# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. 
+nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. +# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +# This is required for TSA certificates. +# extendedKeyUsage = critical,timeStamping + +[ v3_req ] + +# Extensions to add to a certificate request + +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +[ v3_ca ] + +# Extensions for a typical CA + +# PKIX recommendation. + +subjectKeyIdentifier=hash + +authorityKeyIdentifier=keyid:always,issuer + +basicConstraints = critical,CA:true + +# Key usage: this is typical for a CA certificate. However since it will +# prevent it being used as an test self-signed certificate it is best +# left out by default. +# keyUsage = cRLSign, keyCertSign + +# Some might want this also +# nsCertType = sslCA, emailCA + +# Include email address in subject alt name: another PKIX recommendation +# subjectAltName=email:copy +# Copy issuer details +# issuerAltName=issuer:copy + +# DER hex encoding of an extension: beware experts only! +# obj=DER:02:03 +# Where 'obj' is a standard or added object +# You can even override a supported extension: +# basicConstraints= critical, DER:30:03:01:01:FF + +[ crl_ext ] + +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. 
+ +# issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always + +[ proxy_cert_ext ] +# These extensions should be added when creating a proxy certificate + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. +# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. +# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +# This really needs to be in place for it to be a proxy certificate. +proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo + +#################################################################### +[ tsa ] + +default_tsa = tsa_config1 # the default TSA section + +[ tsa_config1 ] + +# These are used by the TSA reply generation only. 
+dir = ./demoCA # TSA root directory +serial = $dir/tsaserial # The current serial number (mandatory) +crypto_device = builtin # OpenSSL engine to use for signing +signer_cert = $dir/tsacert.pem # The TSA signing certificate + # (optional) +certs = $dir/cacert.pem # Certificate chain to include in reply + # (optional) +signer_key = $dir/private/tsakey.pem # The TSA private key (optional) +signer_digest = sha512 # Signing digest to use. (Optional) +default_policy = tsa_policy1 # Policy if request did not specify it + # (optional) +other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) +digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory) +accuracy = secs:1, millisecs:500, microsecs:100 # (optional) +clock_precision_digits = 0 # number of digits after dot. (optional) +ordering = yes # Is ordering defined for timestamps? + # (optional, default: no) +tsa_name = yes # Must the TSA name be included in the reply? + # (optional, default: no) +ess_cert_id_chain = no # Must the ESS cert id chain be included? + # (optional, default: no) +ess_cert_id_alg = sha1 # algorithm to compute certificate + # identifier (optional, default: sha1) +[default_conf] +ssl_conf = ssl_sect + +[ssl_sect] +system_default = system_default_sect + +[system_default_sect] +MinProtocol = TLSv1.2 +CipherString = DEFAULT@SECLEVEL=2 diff --git a/systests/qpid-systests-http-management/src/test/java/org/apache/qpid/tests/http/endtoend/port/PortTest.java b/systests/qpid-systests-http-management/src/test/java/org/apache/qpid/tests/http/endtoend/port/PortTest.java index 81d7881..5302ea3 100644 --- a/systests/qpid-systests-http-management/src/test/java/org/apache/qpid/tests/http/endtoend/port/PortTest.java +++ b/systests/qpid-systests-http-management/src/test/java/org/apache/qpid/tests/http/endtoend/port/PortTest.java 
@@ -333,7 +333,7 @@ public class PortTest extends HttpTestBase final java.security.KeyStore ks = java.security.KeyStore.getInstance(JAVA_KEYSTORE_TYPE); ks.load(null); ks.setCertificateEntry("certificate", certificate); - final File storeFile = File.createTempFile(getTestName(), ".pkcs12"); + final File storeFile = File.createTempFile(getTestName(), ".jks"); try (FileOutputStream fos = new FileOutputStream(storeFile)) { ks.store(fos, PASS.toCharArray()); diff --git a/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/management/AmqpManagementTest.java b/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/management/AmqpManagementTest.java index d6aa747..6b55c87 100644 --- a/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/management/AmqpManagementTest.java +++ b/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/management/AmqpManagementTest.java @@ -22,9 +22,6 @@ package org.apache.qpid.systests.jms_1_1.extensions.management; import static java.nio.charset.StandardCharsets.UTF_8; import static org.apache.qpid.server.model.Queue.ALERT_THRESHOLD_QUEUE_DEPTH_MESSAGES; -import static org.apache.qpid.systests.jms_1_1.extensions.tls.TlsTest.TRUSTSTORE; -import static org.apache.qpid.test.utils.TestSSLConstants.JAVA_KEYSTORE_TYPE; -import static org.apache.qpid.test.utils.TestSSLConstants.TRUSTSTORE_PASSWORD; import static org.hamcrest.CoreMatchers.is; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNotNull; @@ -55,6 +52,7 @@ import javax.jms.Session; import javax.naming.NamingException; import com.fasterxml.jackson.databind.ObjectMapper; +import org.apache.qpid.test.utils.TestSSLConstants; import org.junit.AfterClass; import org.junit.BeforeClass; import org.junit.Test; 
@@ -81,8 +79,8 @@ public class AmqpManagementTest extends JmsTestBase // legacy client keystore/truststore types can only be configured with JVM settings if (getProtocol() != Protocol.AMQP_1_0) { - System.setProperty("javax.net.ssl.trustStoreType", JAVA_KEYSTORE_TYPE); - System.setProperty("javax.net.ssl.keyStoreType", JAVA_KEYSTORE_TYPE); + System.setProperty("javax.net.ssl.trustStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE); + System.setProperty("javax.net.ssl.keyStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE); } } @@ -693,8 +691,8 @@ public class AmqpManagementTest extends JmsTestBase Connection connection = getConnectionBuilder().setTls(true) .setPort(tlsPort) - .setTrustStoreLocation(TRUSTSTORE) - .setTrustStorePassword(TRUSTSTORE_PASSWORD) + .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE) + .setTrustStorePassword(TestSSLConstants.PASSWORD) .build(); try { diff --git a/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/sasl/AuthenticationTest.java b/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/sasl/AuthenticationTest.java index e5f033f..c808b45 100644 --- a/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/sasl/AuthenticationTest.java +++ b/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/sasl/AuthenticationTest.java 
@@ -20,21 +20,6 @@ */ package org.apache.qpid.systests.jms_1_1.extensions.sasl; -import static org.apache.qpid.systests.jms_1_1.extensions.tls.TlsTest.BROKER_KEYSTORE; -import static org.apache.qpid.systests.jms_1_1.extensions.tls.TlsTest.BROKER_TRUSTSTORE; -import static org.apache.qpid.systests.jms_1_1.extensions.tls.TlsTest.KEYSTORE; -import static org.apache.qpid.systests.jms_1_1.extensions.tls.TlsTest.TEST_PROFILE_RESOURCE_BASE; -import static org.apache.qpid.systests.jms_1_1.extensions.tls.TlsTest.TRUSTSTORE; -import static org.apache.qpid.test.utils.TestSSLConstants.BROKER_KEYSTORE_PASSWORD; -import static org.apache.qpid.test.utils.TestSSLConstants.BROKER_PEERSTORE; -import static org.apache.qpid.test.utils.TestSSLConstants.BROKER_PEERSTORE_PASSWORD; -import static org.apache.qpid.test.utils.TestSSLConstants.BROKER_TRUSTSTORE_PASSWORD; -import static org.apache.qpid.test.utils.TestSSLConstants.CERT_ALIAS_APP1; -import static org.apache.qpid.test.utils.TestSSLConstants.CERT_ALIAS_APP2; -import static org.apache.qpid.test.utils.TestSSLConstants.EXPIRED_KEYSTORE; -import static org.apache.qpid.test.utils.TestSSLConstants.KEYSTORE_PASSWORD; -import static org.apache.qpid.test.utils.TestSSLConstants.TRUSTSTORE_PASSWORD; -import static org.apache.qpid.test.utils.TestSSLConstants.JAVA_KEYSTORE_TYPE; import static org.hamcrest.CoreMatchers.anyOf; import static org.hamcrest.CoreMatchers.equalTo; import static org.hamcrest.CoreMatchers.is; @@ -44,6 +29,11 @@ import static org.junit.Assert.assertNotNull; import static org.junit.Assert.fail; import static org.junit.Assume.assumeThat; +import java.io.IOException; +import java.io.OutputStream; +import java.nio.file.Files; +import java.nio.file.Path; +import java.nio.file.Paths; import java.util.Collections; import java.util.HashMap; import java.util.List; 
@@ -53,7 +43,17 @@ import javax.jms.Connection; import javax.jms.JMSException; import javax.jms.Session; import javax.jms.TemporaryQueue; - +import javax.naming.NamingException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.apache.qpid.server.security.FileTrustStoreTest; +import org.eclipse.jetty.server.Request; +import org.eclipse.jetty.server.Server; +import org.eclipse.jetty.server.ServerConnector; +import org.eclipse.jetty.server.handler.AbstractHandler; +import org.eclipse.jetty.server.handler.ContextHandler; +import org.eclipse.jetty.server.handler.HandlerCollection; import org.junit.AfterClass; import org.junit.BeforeClass; import org.junit.Test; @@ -81,6 +81,11 @@ public class AuthenticationTest extends JmsTestBase private static final Logger LOGGER = LoggerFactory.getLogger(AuthenticationTest.class); private static final String USER = "user"; private static final String USER_PASSWORD = "user"; + // see how port is specified when certificates are generated in script + // test-profiles/test_resources/ssl/generate_certificates.sh + private static final int CRL_HTTP_PORT = 8186; + private static final Server CRL_SERVER = new Server(); + private static final HandlerCollection HANDLERS = new HandlerCollection(); @BeforeClass public static void setUp() throws Exception 
@@ -96,9 +101,18 @@ public class AuthenticationTest extends JmsTestBase // legacy client keystore/truststore types can only be configured with JVM settings if (getProtocol() != Protocol.AMQP_1_0) { - System.setProperty("javax.net.ssl.trustStoreType", JAVA_KEYSTORE_TYPE); - System.setProperty("javax.net.ssl.keyStoreType", JAVA_KEYSTORE_TYPE); - } + System.setProperty("javax.net.ssl.trustStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE); + System.setProperty("javax.net.ssl.keyStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE); + } + final ServerConnector connector = new ServerConnector(CRL_SERVER); + connector.setPort(CRL_HTTP_PORT); + connector.setHost("localhost"); + CRL_SERVER.addConnector(connector); + createContext(Paths.get(TestSSLConstants.CA_CRL)); + createContext(Paths.get(TestSSLConstants.CA_CRL_EMPTY)); + createContext(Paths.get(TestSSLConstants.INTERMEDIATE_CA_CRL)); + CRL_SERVER.setHandler(HANDLERS); + CRL_SERVER.start(); } @AfterClass @@ -115,6 +129,7 @@ public class AuthenticationTest extends JmsTestBase System.clearProperty("javax.net.ssl.trustStoreType"); System.clearProperty("javax.net.ssl.keyStoreType"); } + CRL_SERVER.stop(); } 
@@ -125,49 +140,49 @@ public class AuthenticationTest extends JmsTestBase getProtocol(), is(not(equalTo(Protocol.AMQP_1_0)))); - int port = createAuthenticationProviderAndUserAndPort(getTestName(), "MD5", USER, USER_PASSWORD); + final int port = createAuthenticationProviderAndUserAndPort(getTestName(), "MD5", USER, USER_PASSWORD); - assertConnectivity(port, USER, USER_PASSWORD, CramMd5HashedNegotiator.MECHANISM); + assertPlainConnectivity(port, USER, USER_PASSWORD, CramMd5HashedNegotiator.MECHANISM); } @Test public void sha256() throws Exception { - int port = createAuthenticationProviderAndUserAndPort(getTestName(), + final int port = createAuthenticationProviderAndUserAndPort(getTestName(), ScramSHA256AuthenticationManager.PROVIDER_TYPE, USER, USER_PASSWORD); - assertConnectivity(port, USER, USER_PASSWORD, ScramSHA256AuthenticationManager.MECHANISM); + assertPlainConnectivity(port, USER, USER_PASSWORD, ScramSHA256AuthenticationManager.MECHANISM); } @Test public void sha1() throws Exception { - int port = createAuthenticationProviderAndUserAndPort(getTestName(), + final int port = createAuthenticationProviderAndUserAndPort(getTestName(), ScramSHA1AuthenticationManager.PROVIDER_TYPE, USER, USER_PASSWORD); - assertConnectivity(port, USER, USER_PASSWORD, ScramSHA1AuthenticationManager.MECHANISM); + assertPlainConnectivity(port, USER, USER_PASSWORD, ScramSHA1AuthenticationManager.MECHANISM); } @Test public void external() throws Exception { - int port = createExternalProviderAndTlsPort(); + final int port = createExternalProviderAndTlsPort(); Connection connection = getConnectionBuilder().setPort(port) .setTls(true) .setSaslMechanisms(ExternalAuthenticationManagerImpl.MECHANISM_NAME) - .setKeyStoreLocation(KEYSTORE) - .setKeyStorePassword(KEYSTORE_PASSWORD) - .setTrustStoreLocation(TRUSTSTORE) - .setTrustStorePassword(TRUSTSTORE_PASSWORD) + .setKeyStoreLocation(TestSSLConstants.CLIENT_KEYSTORE) + .setKeyStorePassword(TestSSLConstants.PASSWORD) + 
.setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE) + .setTrustStorePassword(TestSSLConstants.PASSWORD) .build(); try { - Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE); + final Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE); assertNotNull("Temporary queue was not created", session.createTemporaryQueue()); } finally 
@@ -176,30 +191,191 @@ public class AuthenticationTest extends JmsTestBase } } + public void externalWithRevocationWithDataUrlCrlFileAndAllowedCertificate() throws Exception + { + final Map trustStoreAttributes = getBrokerTrustStoreAttributes(); + trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true); + trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, + FileTrustStoreTest.createDataUrlForFile(TestSSLConstants.CA_CRL)); + final int port = createExternalProviderAndTlsPort(trustStoreAttributes); + assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_ALLOWED); + } + @Test - public void externalDeniesUntrustedClientCert() throws Exception + public void externalWithRevocationWithDataUrlCrlFileAndRevokedCertificate() throws Exception { - assumeThat("QPID-8069", getProtocol(), is(anyOf(equalTo(Protocol.AMQP_1_0), equalTo(Protocol.AMQP_0_10)))); + final Map trustStoreAttributes = getBrokerTrustStoreAttributes(); + trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true); + trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, + FileTrustStoreTest.createDataUrlForFile(TestSSLConstants.CA_CRL)); + final int port = createExternalProviderAndTlsPort(trustStoreAttributes); + assertNoTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_REVOKED); + } - int port = createExternalProviderAndTlsPort(); + @Test + public void externalWithRevocationWithCrlFileAndAllowedCertificate() throws Exception + { + final Map trustStoreAttributes = getBrokerTrustStoreAttributes(); + trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true); + trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL); + final int port = createExternalProviderAndTlsPort(trustStoreAttributes); + assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_ALLOWED); + } - try - { - getConnectionBuilder().setPort(port) - .setTls(true) - 
.setSaslMechanisms(ExternalAuthenticationManagerImpl.MECHANISM_NAME) - .setKeyStoreLocation(KEYSTORE) - .setKeyStorePassword(KEYSTORE_PASSWORD) - .setTrustStoreLocation(TRUSTSTORE) - .setTrustStorePassword(TRUSTSTORE_PASSWORD) - .setKeyAlias(TestSSLConstants.CERT_ALIAS_UNTRUSTED_CLIENT) - .build(); - fail("Connection should not succeed"); - } - catch (JMSException e) - { - // pass - } + @Test + public void externalWithRevocationWithCrlFileAndAllowedCertificateWithoutPreferCrls() throws Exception + { + final Map trustStoreAttributes = getBrokerTrustStoreAttributes(); + trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true); + trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL); + trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_WITH_PREFERRING_CERTIFICATE_REVOCATION_LIST, false); + final int port = createExternalProviderAndTlsPort(trustStoreAttributes); + assertNoTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_ALLOWED); + } + + @Test + public void externalWithRevocationWithCrlFileAndRevokedCertificate() throws Exception + { + final Map trustStoreAttributes = getBrokerTrustStoreAttributes(); + trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true); + trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL); + final int port = createExternalProviderAndTlsPort(trustStoreAttributes); + assertNoTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_REVOKED); + } + + @Test + public void externalWithRevocationWithEmptyCrlFileAndRevokedCertificate() throws Exception + { + final Map trustStoreAttributes = getBrokerTrustStoreAttributes(); + trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true); + trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL_EMPTY); + final int port = createExternalProviderAndTlsPort(trustStoreAttributes); + 
assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_ALLOWED); + } + + @Test + public void externalWithRevocationAndAllowedCertificateWithCrlUrl() throws Exception + { + assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'", + CRL_SERVER, is(not(equalTo(null)))); + final Map trustStoreAttributes = getBrokerTrustStoreAttributes(); + trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true); + final int port = createExternalProviderAndTlsPort(trustStoreAttributes); + assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_ALLOWED); + } + + @Test + public void externalWithRevocationAndRevokedCertificateWithCrlUrl() throws Exception + { + assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'", + CRL_SERVER, is(not(equalTo(null)))); + final Map trustStoreAttributes = getBrokerTrustStoreAttributes(); + trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true); + final int port = createExternalProviderAndTlsPort(trustStoreAttributes); + assertNoTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_REVOKED); + } + + @Test + public void externalWithRevocationAndRevokedCertificateWithCrlUrlWithEmptyCrl() throws Exception + { + assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'", + CRL_SERVER, is(not(equalTo(null)))); + final Map trustStoreAttributes = getBrokerTrustStoreAttributes(); + trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true); + final int port = createExternalProviderAndTlsPort(trustStoreAttributes); + assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_REVOKED_EMPTY_CRL); + } + + @Test + public void externalWithRevocationDisabledWithCrlFileAndRevokedCertificate() throws Exception + { + final Map trustStoreAttributes = getBrokerTrustStoreAttributes(); + trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, false); + trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, 
TestSSLConstants.CA_CRL); + final int port = createExternalProviderAndTlsPort(trustStoreAttributes); + assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_REVOKED); + } + + @Test + public void externalWithRevocationDisabledWithCrlUrlInRevokedCertificate() throws Exception + { + assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'", + CRL_SERVER, is(not(equalTo(null)))); + final Map trustStoreAttributes = getBrokerTrustStoreAttributes(); + trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, false); + final int port = createExternalProviderAndTlsPort(trustStoreAttributes); + assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_REVOKED); + } + + @Test + public void externalWithRevocationAndRevokedCertificateWithCrlUrlWithSoftFail() throws Exception + { + assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'", + CRL_SERVER, is(not(equalTo(null)))); + final Map trustStoreAttributes = getBrokerTrustStoreAttributes(); + trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true); + trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_WITH_IGNORING_SOFT_FAILURES, true); + final int port = createExternalProviderAndTlsPort(trustStoreAttributes); + assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_REVOKED_INVALID_CRL_PATH); + } + + @Test + public void externalWithRevocationAndRevokedCertificateWithCrlUrlWithoutPreferCrls() throws Exception + { + assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'", + CRL_SERVER, is(not(equalTo(null)))); + final Map trustStoreAttributes = getBrokerTrustStoreAttributes(); + trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true); + trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_WITH_PREFERRING_CERTIFICATE_REVOCATION_LIST, false); + final int port = createExternalProviderAndTlsPort(trustStoreAttributes); + assertNoTlsConnectivity(port, 
TestSSLConstants.CERT_ALIAS_ALLOWED); + } + + @Test + public void externalWithRevocationAndRevokedCertificateWithCrlUrlWithoutPreferCrlsWithFallback() throws Exception + { + assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'", + CRL_SERVER, is(not(equalTo(null)))); + final Map trustStoreAttributes = getBrokerTrustStoreAttributes(); + trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true); + trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_WITH_PREFERRING_CERTIFICATE_REVOCATION_LIST, false); + trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_WITH_NO_FALLBACK, false); + final int port = createExternalProviderAndTlsPort(trustStoreAttributes); + assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_ALLOWED); + } + + @Test + public void externalWithRevocationAndRevokedIntermediateCertificateWithCrlUrl() throws Exception + { + assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'", + CRL_SERVER, is(not(equalTo(null)))); + final Map trustStoreAttributes = getBrokerTrustStoreAttributes(); + trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true); + trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_OF_ONLY_END_ENTITY_CERTIFICATES, false); + trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_WITH_IGNORING_SOFT_FAILURES, true); + final int port = createExternalProviderAndTlsPort(trustStoreAttributes); + assertNoTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_ALLOWED_WITH_INTERMEDIATE); + } + + @Test + public void externalWithRevocationAndRevokedIntermediateCertificateWithCrlUrlOnlyEndEntity() throws Exception + { + assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'", + CRL_SERVER, is(not(equalTo(null)))); + final Map trustStoreAttributes = getBrokerTrustStoreAttributes(); + trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true); + 
trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_OF_ONLY_END_ENTITY_CERTIFICATES, true); + trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_WITH_IGNORING_SOFT_FAILURES, true); + final int port = createExternalProviderAndTlsPort(trustStoreAttributes); + assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_ALLOWED_WITH_INTERMEDIATE); + } + + @Test + public void externalDeniesUntrustedClientCert() throws Exception + { + assumeThat("QPID-8069", getProtocol(), is(anyOf(equalTo(Protocol.AMQP_1_0), equalTo(Protocol.AMQP_0_10)))); + final int port = createExternalProviderAndTlsPort(); + assertNoTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_UNTRUSTED_CLIENT); } @Test 
@@ -207,21 +383,21 @@ public class AuthenticationTest extends JmsTestBase { assumeThat("QPID-8069", getProtocol(), is(anyOf(equalTo(Protocol.AMQP_1_0), equalTo(Protocol.AMQP_0_10)))); - Map trustStoreAttributes = new HashMap<>(); - trustStoreAttributes.put(FileTrustStore.STORE_URL, TEST_PROFILE_RESOURCE_BASE + BROKER_PEERSTORE); - trustStoreAttributes.put(FileTrustStore.PASSWORD, BROKER_PEERSTORE_PASSWORD); + final Map trustStoreAttributes = new HashMap<>(); + trustStoreAttributes.put(FileTrustStore.STORE_URL, TestSSLConstants.BROKER_PEERSTORE); + trustStoreAttributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD); trustStoreAttributes.put(FileTrustStore.TRUST_ANCHOR_VALIDITY_ENFORCED, true); - int port = createExternalProviderAndTlsPort(trustStoreAttributes); + final int port = createExternalProviderAndTlsPort(trustStoreAttributes); try { getConnectionBuilder().setPort(port) .setTls(true) .setSaslMechanisms(ExternalAuthenticationManagerImpl.MECHANISM_NAME) - .setKeyStoreLocation(TEST_PROFILE_RESOURCE_BASE + EXPIRED_KEYSTORE) - .setKeyStorePassword(KEYSTORE_PASSWORD) - .setTrustStoreLocation(TRUSTSTORE) - .setTrustStorePassword(TRUSTSTORE_PASSWORD) + .setKeyStoreLocation(TestSSLConstants.CLIENT_EXPIRED_KEYSTORE) + .setKeyStorePassword(TestSSLConstants.PASSWORD) + .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE) + .setTrustStorePassword(TestSSLConstants.PASSWORD) .build(); fail("Connection should not succeed"); } 
@@ -234,64 +410,27 @@ public class AuthenticationTest extends JmsTestBase @Test public void externalWithPeersOnlyTrustStore() throws Exception { - Map trustStoreAttributes = new HashMap<>(); - trustStoreAttributes.put(FileTrustStore.STORE_URL, TEST_PROFILE_RESOURCE_BASE + BROKER_PEERSTORE); - trustStoreAttributes.put(FileTrustStore.PASSWORD, BROKER_PEERSTORE_PASSWORD); + final Map trustStoreAttributes = new HashMap<>(); + trustStoreAttributes.put(FileTrustStore.STORE_URL, TestSSLConstants.BROKER_PEERSTORE); + trustStoreAttributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD); trustStoreAttributes.put(FileTrustStore.PEERS_ONLY, true); - int port = createExternalProviderAndTlsPort(trustStoreAttributes); - - Connection connection = getConnectionBuilder().setPort(port) - .setTls(true) - .setSaslMechanisms(ExternalAuthenticationManagerImpl.MECHANISM_NAME) - .setKeyStoreLocation(KEYSTORE) - .setKeyStorePassword(KEYSTORE_PASSWORD) - .setTrustStoreLocation(TRUSTSTORE) - .setTrustStorePassword(TRUSTSTORE_PASSWORD) - .setKeyAlias(CERT_ALIAS_APP1) - .build(); - try - { - connection.createSession(false, Session.AUTO_ACKNOWLEDGE).close(); - } - finally - { - connection.close(); - } + final int port = createExternalProviderAndTlsPort(trustStoreAttributes); + assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_APP1); assumeThat("QPID-8069", getProtocol(), is(anyOf(equalTo(Protocol.AMQP_1_0), equalTo(Protocol.AMQP_0_10)))); - try - { - - getConnectionBuilder().setPort(port) - .setTls(true) - .setSaslMechanisms(ExternalAuthenticationManagerImpl.MECHANISM_NAME) - .setKeyStoreLocation(KEYSTORE) - .setKeyStorePassword(KEYSTORE_PASSWORD) - .setTrustStoreLocation(TRUSTSTORE) - .setTrustStorePassword(TRUSTSTORE_PASSWORD) - .setKeyAlias(CERT_ALIAS_APP2) - .build(); - fail("app2 certificate is NOT in the peerstore"); - } - catch (JMSException e) - { - // pass - } - + assertNoTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_APP2); } @Test public void 
externalWithRegularAndPeersOnlyTrustStores() throws Exception { - String trustStoreName = getTestName() + "RegularTrustStore"; - Connection brokerConnection = getConnectionBuilder().setVirtualHost("$management").build(); + final String trustStoreName = getTestName() + "RegularTrustStore"; + final Connection brokerConnection = getConnectionBuilder().setVirtualHost("$management").build(); try { brokerConnection.start(); - Map trustStoreAttributes = new HashMap<>(); - trustStoreAttributes.put(FileTrustStore.STORE_URL, BROKER_TRUSTSTORE); - trustStoreAttributes.put(FileTrustStore.PASSWORD, BROKER_TRUSTSTORE_PASSWORD); + final Map trustStoreAttributes = getBrokerTrustStoreAttributes(); trustStoreAttributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE); createEntity(trustStoreName, 
@@ -305,68 +444,32 @@ public class AuthenticationTest extends JmsTestBase brokerConnection.close(); } - Map trustStoreAttributes = new HashMap<>(); - trustStoreAttributes.put(FileTrustStore.STORE_URL, TEST_PROFILE_RESOURCE_BASE + BROKER_PEERSTORE); - trustStoreAttributes.put(FileTrustStore.PASSWORD, BROKER_PEERSTORE_PASSWORD); + final Map trustStoreAttributes = new HashMap<>(); + trustStoreAttributes.put(FileTrustStore.STORE_URL, TestSSLConstants.BROKER_PEERSTORE); + trustStoreAttributes.put(FileTrustStore.PASSWORD,TestSSLConstants.PASSWORD); trustStoreAttributes.put(FileTrustStore.PEERS_ONLY, true); - int port = createExternalProviderAndTlsPort(trustStoreAttributes, trustStoreName, false); - - Connection connection = getConnectionBuilder().setPort(port) - .setTls(true) - .setSaslMechanisms(ExternalAuthenticationManagerImpl.MECHANISM_NAME) - .setKeyStoreLocation(KEYSTORE) - .setKeyStorePassword(KEYSTORE_PASSWORD) - .setTrustStoreLocation(TRUSTSTORE) - .setTrustStorePassword(TRUSTSTORE_PASSWORD) - .setKeyAlias(CERT_ALIAS_APP1) - .build(); - try - { - connection.createSession(false, Session.AUTO_ACKNOWLEDGE).close(); - } - finally - { - connection.close(); - } + final int port = createExternalProviderAndTlsPort(trustStoreAttributes, trustStoreName, false); + assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_APP1); //use the app2 cert, which is NOT in the peerstore (but is signed by the same CA as app1) - Connection connection2 = getConnectionBuilder().setPort(port) - .setTls(true) - .setSaslMechanisms(ExternalAuthenticationManagerImpl.MECHANISM_NAME) - .setKeyStoreLocation(KEYSTORE) - .setKeyStorePassword(KEYSTORE_PASSWORD) - .setTrustStoreLocation(TRUSTSTORE) - .setTrustStorePassword(TRUSTSTORE_PASSWORD) - .setKeyAlias(CERT_ALIAS_APP2) - .build(); - - try - { - connection2.createSession(false, Session.AUTO_ACKNOWLEDGE).createTemporaryQueue(); - } - finally - { - connection2.close(); - } + assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_APP2); } @Test 
public void externalUsernameAsDN() throws Exception { - Map trustStoreAttributes = new HashMap<>(); - trustStoreAttributes.put(FileTrustStore.STORE_URL, BROKER_TRUSTSTORE); - trustStoreAttributes.put(FileTrustStore.PASSWORD, BROKER_TRUSTSTORE_PASSWORD); + final Map trustStoreAttributes = getBrokerTrustStoreAttributes(); - String clientId = getTestName(); - int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, true); - Connection connection = getConnectionBuilder().setPort(port) + final String clientId = getTestName(); + final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, true); + final Connection connection = getConnectionBuilder().setPort(port) .setTls(true) .setSaslMechanisms(ExternalAuthenticationManagerImpl.MECHANISM_NAME) - .setKeyStoreLocation(KEYSTORE) - .setKeyStorePassword(KEYSTORE_PASSWORD) - .setTrustStoreLocation(TRUSTSTORE) - .setTrustStorePassword(TRUSTSTORE_PASSWORD) - .setKeyAlias(CERT_ALIAS_APP2) + .setKeyStoreLocation(TestSSLConstants.CLIENT_KEYSTORE) + .setKeyStorePassword(TestSSLConstants.PASSWORD) + .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE) + .setTrustStorePassword(TestSSLConstants.PASSWORD) + .setKeyAlias(TestSSLConstants.CERT_ALIAS_APP2) .setClientId(clientId) .build(); try 
@@ -386,20 +489,18 @@ public class AuthenticationTest extends JmsTestBase @Test public void externalUsernameAsCN() throws Exception { - Map trustStoreAttributes = new HashMap<>(); - trustStoreAttributes.put(FileTrustStore.STORE_URL, BROKER_TRUSTSTORE); - trustStoreAttributes.put(FileTrustStore.PASSWORD, BROKER_TRUSTSTORE_PASSWORD); + final Map trustStoreAttributes = getBrokerTrustStoreAttributes(); - String clientId = getTestName(); - int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, false); - Connection connection = getConnectionBuilder().setPort(port) + final String clientId = getTestName(); + final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, false); + final Connection connection = getConnectionBuilder().setPort(port) .setTls(true) .setSaslMechanisms(ExternalAuthenticationManagerImpl.MECHANISM_NAME) - .setKeyStoreLocation(KEYSTORE) - .setKeyStorePassword(KEYSTORE_PASSWORD) - .setTrustStoreLocation(TRUSTSTORE) - .setTrustStorePassword(TRUSTSTORE_PASSWORD) - .setKeyAlias(CERT_ALIAS_APP2) + .setKeyStoreLocation(TestSSLConstants.CLIENT_KEYSTORE) + .setKeyStorePassword(TestSSLConstants.PASSWORD) + .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE) + .setTrustStorePassword(TestSSLConstants.PASSWORD) + .setKeyAlias(TestSSLConstants.CERT_ALIAS_APP2) .setClientId(clientId) .build(); try 
@@ -418,17 +519,17 @@ public class AuthenticationTest extends JmsTestBase private void assertConnectionPrincipal(final String clientId, final String expectedPrincipal) throws Exception { - Connection brokerConnection = getConnectionBuilder().setVirtualHost("$management").build(); + final Connection brokerConnection = getConnectionBuilder().setVirtualHost("$management").build(); try { brokerConnection.start(); String principal = null; - List> connections = queryEntitiesUsingAmqpManagement("org.apache.qpid.Connection", brokerConnection); - for (Map connection : connections) + final List> connections = queryEntitiesUsingAmqpManagement("org.apache.qpid.Connection", brokerConnection); + for (final Map connection : connections) { - String name = String.valueOf(connection.get(ConfiguredObject.NAME)); - Map attributes; + final String name = String.valueOf(connection.get(ConfiguredObject.NAME)); + final Map attributes; try { attributes = readEntityUsingAmqpManagement( @@ -460,12 +561,17 @@ public class AuthenticationTest extends JmsTestBase } } + private Map getBrokerTrustStoreAttributes() + { + final Map trustStoreAttributes = new HashMap<>(); + trustStoreAttributes.put(FileTrustStore.STORE_URL, TestSSLConstants.BROKER_TRUSTSTORE); + trustStoreAttributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD); + return trustStoreAttributes; + } + private int createExternalProviderAndTlsPort() throws Exception { - Map trustStoreAttributes = new HashMap<>(); - trustStoreAttributes.put(FileTrustStore.STORE_URL, BROKER_TRUSTSTORE); - trustStoreAttributes.put(FileTrustStore.PASSWORD, BROKER_TRUSTSTORE_PASSWORD); - return createExternalProviderAndTlsPort(trustStoreAttributes); + return createExternalProviderAndTlsPort(getBrokerTrustStoreAttributes()); } private int createExternalProviderAndTlsPort(final Map trustStoreAttributes) throws Exception 
@@ -478,12 +584,12 @@ public class AuthenticationTest extends JmsTestBase final boolean useFullDN) throws Exception { final String providerName = getTestName(); - Connection connection = getConnectionBuilder().setVirtualHost("$management").build(); + final Connection connection = getConnectionBuilder().setVirtualHost("$management").build(); try { connection.start(); - Map providerAttributes = new HashMap<>(); + final Map providerAttributes = new HashMap<>(); providerAttributes.put("qpid-type", ExternalAuthenticationManager.PROVIDER_TYPE); providerAttributes.put(ExternalAuthenticationManager.ATTRIBUTE_USE_FULL_DN, useFullDN); createEntity(providerName, @@ -492,8 +598,8 @@ public class AuthenticationTest extends JmsTestBase connection); final Map keyStoreAttributes = new HashMap<>(); - keyStoreAttributes.put("storeUrl", BROKER_KEYSTORE); - keyStoreAttributes.put("password", BROKER_KEYSTORE_PASSWORD); + keyStoreAttributes.put("storeUrl", TestSSLConstants.BROKER_KEYSTORE); + keyStoreAttributes.put("password", TestSSLConstants.PASSWORD); keyStoreAttributes.put("keyStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE); final String keyStoreName = providerName + "KeyStore"; @@ -502,7 +608,7 @@ public class AuthenticationTest extends JmsTestBase keyStoreAttributes, connection); - Map trustStoreSettings = new HashMap<>(trustStoreAttributes); + final Map trustStoreSettings = new HashMap<>(trustStoreAttributes); trustStoreSettings.put("trustStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE); final String trustStoreName = providerName + "TrustStore"; createEntity(trustStoreName, 
@@ -510,8 +616,8 @@ public class AuthenticationTest extends JmsTestBase trustStoreSettings, connection); - String portName = getPortName(); - Map sslPortAttributes = new HashMap<>(); + final String portName = getPortName(); + final Map sslPortAttributes = new HashMap<>(); sslPortAttributes.put(Port.TRANSPORTS, "[\"SSL\"]"); sslPortAttributes.put(Port.PORT, 0); sslPortAttributes.put(Port.AUTHENTICATION_PROVIDER, providerName); @@ -519,7 +625,7 @@ public class AuthenticationTest extends JmsTestBase sslPortAttributes.put(Port.WANT_CLIENT_AUTH, false); sslPortAttributes.put(Port.NAME, portName); sslPortAttributes.put(Port.KEY_STORE, keyStoreName); - String trustStores = additionalTrustStore == null + final String trustStores = additionalTrustStore == null ? "[\"" + trustStoreName + "\"]" : "[\"" + trustStoreName + "\",\"" + additionalTrustStore + "\"]"; sslPortAttributes.put(Port.TRUST_STORES, trustStores); @@ -529,7 +635,7 @@ public class AuthenticationTest extends JmsTestBase sslPortAttributes, connection); - Map portEffectiveAttributes = + final Map portEffectiveAttributes = readEntityUsingAmqpManagement(portName, "org.apache.qpid.AmqpPort", false, connection); if (portEffectiveAttributes.containsKey("boundPort")) { @@ -553,7 +659,7 @@ public class AuthenticationTest extends JmsTestBase final String userName, final String userPassword) throws Exception { - Connection connection = getConnectionBuilder().setVirtualHost("$management").build(); + final Connection connection = getConnectionBuilder().setVirtualHost("$management").build(); try { connection.start(); 
@@ -568,13 +674,13 @@ public class AuthenticationTest extends JmsTestBase userAttributes.put("object-path", providerName); createEntity(userName, User.class.getName(), userAttributes, connection); - String portName = providerName + "Port"; + final String portName = providerName + "Port"; final Map portAttributes = new HashMap<>(); portAttributes.put(Port.AUTHENTICATION_PROVIDER, providerName); portAttributes.put(Port.PORT, 0); createEntity(portName, "org.apache.qpid.AmqpPort", portAttributes, connection); - Map portEffectiveAttributes = + final Map portEffectiveAttributes = readEntityUsingAmqpManagement(portName, "org.apache.qpid.AmqpPort", false, connection); if (portEffectiveAttributes.containsKey("boundPort")) { 
@@ -588,20 +694,60 @@ public class AuthenticationTest extends JmsTestBase } } - private void assertConnectivity(final int port, - final String userName, - final String userPassword, - final String mechanism) throws Exception + private Connection getConnection(int port, String certificateAlias) throws NamingException, JMSException { - Connection connection = getConnectionBuilder().setPort(port) + return getConnectionBuilder().setPort(port) + .setTls(true) + .setSaslMechanisms(ExternalAuthenticationManagerImpl.MECHANISM_NAME) + .setKeyStoreLocation(TestSSLConstants.CLIENT_KEYSTORE) + .setKeyStorePassword(TestSSLConstants.PASSWORD) + .setKeyAlias(certificateAlias) + .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE) + .setTrustStorePassword(TestSSLConstants.PASSWORD) + .build(); + } + + private void assertTlsConnectivity(int port, String certificateAlias) throws NamingException, JMSException + { + final Connection connection = getConnection(port, certificateAlias); + try + { + Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE); + assertNotNull("Temporary queue was not created", session.createTemporaryQueue()); + } + finally + { + connection.close(); + } + } + + private void assertNoTlsConnectivity(int port, String certificateAlias) throws NamingException + { + try + { + getConnection(port, certificateAlias); + fail("Connection should not succeed"); + } + catch (JMSException e) + { + // pass + } + } + + private void assertPlainConnectivity(final int port, + final String userName, + final String userPassword, + final String mechanism) throws Exception + { + final Connection connection = getConnectionBuilder().setPort(port) .setUsername(userName) .setPassword(userPassword) .setSaslMechanisms(mechanism) .build(); try { - Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE); - TemporaryQueue queue = session.createTemporaryQueue(); + final Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE); + 
final TemporaryQueue queue = session.createTemporaryQueue(); assertNotNull("Temporary queue was not created", queue); } finally @@ -637,4 +783,32 @@ public class AuthenticationTest extends JmsTestBase // pass } } + + private static void createContext(Path crlPath) + { + final ContextHandler contextHandler = new ContextHandler(); + contextHandler.setContextPath("/" + crlPath.getFileName()); + contextHandler.setHandler(new CrlServerHandler(crlPath)); + HANDLERS.addHandler(contextHandler); + } + + private static class CrlServerHandler extends AbstractHandler + { + final Path crlPath; + public CrlServerHandler(Path crlPath) + { + this.crlPath = crlPath; + } + + @Override + public void handle(String target, Request baseRequest, HttpServletRequest request, HttpServletResponse response) + throws IOException + { + final byte[] crlBytes = Files.readAllBytes(crlPath); + response.setStatus(HttpServletResponse.SC_OK); + final OutputStream responseBody = response.getOutputStream(); + responseBody.write(crlBytes); + responseBody.close(); + } + } } diff --git a/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/tls/TlsTest.java b/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/tls/TlsTest.java index 01d69f3..da61319 100644 --- a/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/tls/TlsTest.java +++ b/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/tls/TlsTest.java 
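Review bot: in assertNoTlsConnectivity (new helper in the @@ -588,20 +694,60 @@ hunk), a Connection that is unexpectedly established is never closed, because fail("Connection should not succeed") throws before any cleanup runs; assign the result of getConnection(port, certificateAlias) to a local, close it in a finally block, and add JMSException to the method's throws clause. The catch (JMSException e) { // pass } also accepts any JMS failure, so the helper cannot distinguish a rejected client certificate from an unrelated problem such as a wrong port; assert on the exception's cause or message where the client wrapping allows it.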
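Review bot: CrlServerHandler.handle in the @@ -637,4 +783,32 @@ hunk never calls baseRequest.setHandled(true), so a Jetty handler chain can keep dispatching after the response has been committed; set it, and set a Content-Type (application/pkix-crl) and the content length before writing, since the response currently carries only SC_OK. Re-reading the file with Files.readAllBytes(crlPath) on every request is fine for a test fixture and lets a test replace the CRL file between requests; say so in a comment so nobody "optimises" it into a cached byte array. Minor: the crlPath field in CrlServerHandler has no access modifier where the rest of the class uses explicit ones.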
@@ -21,11 +21,6 @@ package org.apache.qpid.systests.jms_1_1.extensions.tls; import static java.nio.charset.StandardCharsets.UTF_8; -import static org.apache.qpid.test.utils.TestSSLConstants.JAVA_KEYSTORE_TYPE; -import static org.apache.qpid.test.utils.TestSSLConstants.BROKER_KEYSTORE_PASSWORD; -import static org.apache.qpid.test.utils.TestSSLConstants.BROKER_TRUSTSTORE_PASSWORD; -import static org.apache.qpid.test.utils.TestSSLConstants.KEYSTORE_PASSWORD; -import static org.apache.qpid.test.utils.TestSSLConstants.TRUSTSTORE_PASSWORD; import static org.hamcrest.CoreMatchers.anyOf; import static org.hamcrest.CoreMatchers.equalTo; import static org.hamcrest.CoreMatchers.is; @@ -72,18 +67,8 @@ import org.apache.qpid.tests.utils.BrokerAdmin; public class TlsTest extends JmsTestBase { - public static final String TEST_PROFILE_RESOURCE_BASE = System.getProperty("java.io.tmpdir") + "/"; - public static final String BROKER_KEYSTORE = - TEST_PROFILE_RESOURCE_BASE + org.apache.qpid.test.utils.TestSSLConstants.BROKER_KEYSTORE; - public static final String BROKER_TRUSTSTORE = - TEST_PROFILE_RESOURCE_BASE + org.apache.qpid.test.utils.TestSSLConstants.BROKER_TRUSTSTORE; - public static final String KEYSTORE = - TEST_PROFILE_RESOURCE_BASE + org.apache.qpid.test.utils.TestSSLConstants.KEYSTORE; - public static final String TRUSTSTORE = - TEST_PROFILE_RESOURCE_BASE + org.apache.qpid.test.utils.TestSSLConstants.TRUSTSTORE; - @BeforeClass - public static void setUp() throws Exception + public static void setUp() { System.setProperty("javax.net.debug", "ssl"); 
@@ -96,13 +81,13 @@ public class TlsTest extends JmsTestBase // legacy client keystore/truststore types can only be configured with JVM settings if (getProtocol() != Protocol.AMQP_1_0) { - System.setProperty("javax.net.ssl.trustStoreType", JAVA_KEYSTORE_TYPE); - System.setProperty("javax.net.ssl.keyStoreType", JAVA_KEYSTORE_TYPE); + System.setProperty("javax.net.ssl.trustStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE); + System.setProperty("javax.net.ssl.keyStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE); } } @AfterClass - public static void tearDown() throws Exception + public static void tearDown() { System.clearProperty("javax.net.debug"); if (getProtocol() != Protocol.AMQP_1_0) @@ -127,10 +112,10 @@ public class TlsTest extends JmsTestBase Connection connection = getConnectionBuilder().setPort(port) .setHost(brokerAddress.getHostName()) .setTls(true) - .setKeyStoreLocation(KEYSTORE) - .setKeyStorePassword(KEYSTORE_PASSWORD) - .setTrustStoreLocation(TRUSTSTORE) - .setTrustStorePassword(TRUSTSTORE_PASSWORD) + .setKeyStoreLocation(TestSSLConstants.CLIENT_KEYSTORE) + .setKeyStorePassword(TestSSLConstants.PASSWORD) + .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE) + .setTrustStorePassword(TestSSLConstants.PASSWORD) .build(); try { @@ -208,10 +193,10 @@ public class TlsTest extends JmsTestBase getConnectionBuilder().setPort(port) .setHost("127.0.0.1") .setTls(true) - .setKeyStoreLocation(KEYSTORE) - .setKeyStorePassword(KEYSTORE_PASSWORD) - .setTrustStoreLocation(TRUSTSTORE) - .setTrustStorePassword(TRUSTSTORE_PASSWORD) + .setKeyStoreLocation(TestSSLConstants.CLIENT_KEYSTORE) + .setKeyStorePassword(TestSSLConstants.PASSWORD) + .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE) + .setTrustStorePassword(TestSSLConstants.PASSWORD) .build(); fail("Exception not thrown"); } 
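Review bot: the replacements in these hunks (@@ -127 and @@ -208, and the same pattern in the hunks that follow) collapse the previously distinct KEYSTORE_PASSWORD and TRUSTSTORE_PASSWORD into the single TestSSLConstants.PASSWORD. That simplifies the fixtures, but it also removes the tests' ability to catch a client or broker that uses the key-store password to open the trust store or vice versa; if separate test passwords are not worth keeping everywhere, keep at least one TLS test that configures differing store passwords.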
@@ -223,10 +208,10 @@ public class TlsTest extends JmsTestBase Connection connection = getConnectionBuilder().setPort(port) .setHost("127.0.0.1") .setTls(true) - .setKeyStoreLocation(KEYSTORE) - .setKeyStorePassword(KEYSTORE_PASSWORD) - .setTrustStoreLocation(TRUSTSTORE) - .setTrustStorePassword(TRUSTSTORE_PASSWORD) + .setKeyStoreLocation(TestSSLConstants.CLIENT_KEYSTORE) + .setKeyStorePassword(TestSSLConstants.PASSWORD) + .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE) + .setTrustStorePassword(TestSSLConstants.PASSWORD) .setVerifyHostName(false) .build(); try @@ -372,8 +357,8 @@ public class TlsTest extends JmsTestBase Connection connection = getConnectionBuilder().setPort(port) .setHost(brokerAddress.getHostName()) .setTls(true) - .setTrustStoreLocation(TRUSTSTORE) - .setTrustStorePassword(TRUSTSTORE_PASSWORD) + .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE) + .setTrustStorePassword(TestSSLConstants.PASSWORD) .build(); try { @@ -398,8 +383,8 @@ public class TlsTest extends JmsTestBase getConnectionBuilder().setPort(port) .setHost(getBrokerAdmin().getBrokerAddress(BrokerAdmin.PortType.AMQP).getHostName()) .setTls(true) - .setTrustStoreLocation(TRUSTSTORE) - .setTrustStorePassword(TRUSTSTORE_PASSWORD) + .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE) + .setTrustStorePassword(TestSSLConstants.PASSWORD) .build(); fail("Connection was established successfully"); } @@ -419,8 +404,8 @@ public class TlsTest extends JmsTestBase Connection connection = getConnectionBuilder().setPort(port) .setHost(brokerAddress.getHostName()) .setTls(true) - .setTrustStoreLocation(TRUSTSTORE) - .setTrustStorePassword(TRUSTSTORE_PASSWORD) + .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE) + .setTrustStorePassword(TestSSLConstants.PASSWORD) .build(); try { 
@@ -444,8 +429,8 @@ public class TlsTest extends JmsTestBase getConnectionBuilder().setPort(port) .setHost(getBrokerAdmin().getBrokerAddress(BrokerAdmin.PortType.AMQP).getHostName()) .setTls(true) - .setTrustStoreLocation(TRUSTSTORE) - .setTrustStorePassword(TRUSTSTORE_PASSWORD) + .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE) + .setTrustStorePassword(TestSSLConstants.PASSWORD) .build(); fail("Connection was established successfully"); } @@ -466,10 +451,10 @@ public class TlsTest extends JmsTestBase Connection connection = getConnectionBuilder().setPort(port) .setHost(brokerAddress.getHostName()) .setTls(true) - .setKeyStoreLocation(KEYSTORE) - .setKeyStorePassword(KEYSTORE_PASSWORD) - .setTrustStoreLocation(TRUSTSTORE) - .setTrustStorePassword(TRUSTSTORE_PASSWORD) + .setKeyStoreLocation(TestSSLConstants.CLIENT_KEYSTORE) + .setKeyStorePassword(TestSSLConstants.PASSWORD) + .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE) + .setTrustStorePassword(TestSSLConstants.PASSWORD) .build(); try { @@ -516,8 +501,8 @@ public class TlsTest extends JmsTestBase Connection connection = getConnectionBuilder().setPort(port) .setHost(brokerAddress.getHostName()) .setTls(true) - .setTrustStoreLocation(TRUSTSTORE) - .setTrustStorePassword(TRUSTSTORE_PASSWORD) + .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE) + .setTrustStorePassword(TestSSLConstants.PASSWORD) .setVerifyHostName(false) .setOptions(options) .build(); 
@@ -600,9 +585,9 @@ public class TlsTest extends JmsTestBase try { final Map keyStoreAttributes = new HashMap<>(); - keyStoreAttributes.put("storeUrl", BROKER_KEYSTORE); - keyStoreAttributes.put("password", BROKER_KEYSTORE_PASSWORD); - keyStoreAttributes.put("keyStoreType", JAVA_KEYSTORE_TYPE); + keyStoreAttributes.put("storeUrl", TestSSLConstants.BROKER_KEYSTORE); + keyStoreAttributes.put("password", TestSSLConstants.PASSWORD); + keyStoreAttributes.put("keyStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE); managementFacade.createEntityAndAssertResponse(keyStoreName, FileKeyStore.class.getName(), keyStoreAttributes, @@ -617,9 +602,9 @@ public class TlsTest extends JmsTestBase try { final Map trustStoreAttributes = new HashMap<>(); - trustStoreAttributes.put("storeUrl", BROKER_TRUSTSTORE); - trustStoreAttributes.put("password", BROKER_TRUSTSTORE_PASSWORD); - trustStoreAttributes.put("trustStoreType", JAVA_KEYSTORE_TYPE); + trustStoreAttributes.put("storeUrl", TestSSLConstants.BROKER_TRUSTSTORE); + trustStoreAttributes.put("password", TestSSLConstants.PASSWORD); + trustStoreAttributes.put("trustStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE); managementFacade.createEntityAndAssertResponse(trustStoreName, FileTrustStore.class.getName(), trustStoreAttributes, 
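Review bot: in both hunks here, keyStoreAttributes.put("storeUrl", TestSSLConstants.BROKER_KEYSTORE) and the trust-store counterpart now pass the constant straight through as the broker's storeUrl, whereas the removed TlsTest constants earlier in this diff prefixed the same names with java.io.tmpdir to form an absolute path. Confirm that TestSSLConstants.BROKER_KEYSTORE and BROKER_TRUSTSTORE already carry a path or URL the broker can resolve; otherwise createEntityAndAssertResponse will fail at store creation rather than at the connectivity assertion the test is about.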
@@ -680,10 +665,10 @@ public class TlsTest extends JmsTestBase private void setSslStoreSystemProperties() { - System.setProperty("javax.net.ssl.keyStore", KEYSTORE); - System.setProperty("javax.net.ssl.keyStorePassword", KEYSTORE_PASSWORD); - System.setProperty("javax.net.ssl.trustStore", TRUSTSTORE); - System.setProperty("javax.net.ssl.trustStorePassword", TRUSTSTORE_PASSWORD); + System.setProperty("javax.net.ssl.keyStore", TestSSLConstants.CLIENT_KEYSTORE); + System.setProperty("javax.net.ssl.keyStorePassword", TestSSLConstants.PASSWORD); + System.setProperty("javax.net.ssl.trustStore", TestSSLConstants.CLIENT_TRUSTSTORE); + System.setProperty("javax.net.ssl.trustStorePassword", TestSSLConstants.PASSWORD); } private void clearSslStoreSystemProperties() @@ -696,16 +681,16 @@ public class TlsTest extends JmsTestBase private File[] extractResourcesFromTestKeyStore() throws Exception { - java.security.KeyStore ks = java.security.KeyStore.getInstance(JAVA_KEYSTORE_TYPE); - try (InputStream is = new FileInputStream(KEYSTORE)) + java.security.KeyStore ks = java.security.KeyStore.getInstance(TestSSLConstants.JAVA_KEYSTORE_TYPE); + try (InputStream is = new FileInputStream(TestSSLConstants.CLIENT_KEYSTORE)) { - ks.load(is, KEYSTORE_PASSWORD.toCharArray()); + ks.load(is, TestSSLConstants.PASSWORD.toCharArray()); } File privateKeyFile = Files.createTempFile(getTestName(), ".private-key.der").toFile(); try (FileOutputStream kos = new FileOutputStream(privateKeyFile)) { - Key pvt = ks.getKey(TestSSLConstants.CERT_ALIAS_APP1, KEYSTORE_PASSWORD.toCharArray()); + Key pvt = ks.getKey(TestSSLConstants.CERT_ALIAS_APP1, TestSSLConstants.PASSWORD.toCharArray()); kos.write(TestSSLUtils.privateKeyToPEM(pvt).getBytes(UTF_8)); } 
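Review bot: in extractResourcesFromTestKeyStore, ks.getKey(TestSSLConstants.CERT_ALIAS_APP1, TestSSLConstants.PASSWORD.toCharArray()) uses the store password as the key-entry password. That only holds when the PKCS12 entry was protected with the same password as the store, so document it on TestSSLConstants.PASSWORD (or assert it in the helper) rather than leaving it implicit. Pre-existing, but worth fixing while here: the temp file is created with a .private-key.der suffix yet receives PEM text from TestSSLUtils.privateKeyToPEM; a .pem suffix would match the content.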
@@ -725,10 +710,10 @@ public class TlsTest extends JmsTestBase private File extractCertFileFromTestTrustStore() throws Exception { - java.security.KeyStore ks = java.security.KeyStore.getInstance(JAVA_KEYSTORE_TYPE); - try (InputStream is = new FileInputStream(TRUSTSTORE)) + java.security.KeyStore ks = java.security.KeyStore.getInstance(TestSSLConstants.JAVA_KEYSTORE_TYPE); + try (InputStream is = new FileInputStream(TestSSLConstants.CLIENT_TRUSTSTORE)) { - ks.load(is, TRUSTSTORE_PASSWORD.toCharArray()); + ks.load(is, TestSSLConstants.PASSWORD.toCharArray()); } File certificateFile = Files.createTempFile(getTestName(), ".crt").toFile(); diff --git a/test-profiles/test_resources/ssl/CA_db/cert9.db b/test-profiles/test_resources/ssl/CA_db/cert9.db deleted file mode 100644 index 2bed63c..0000000 Binary files a/test-profiles/test_resources/ssl/CA_db/cert9.db and /dev/null differ diff --git a/test-profiles/test_resources/ssl/CA_db/key4.db b/test-profiles/test_resources/ssl/CA_db/key4.db deleted file mode 100644 index 4562b1a..0000000 Binary files a/test-profiles/test_resources/ssl/CA_db/key4.db and /dev/null differ diff --git a/test-profiles/test_resources/ssl/CA_db/pkcs11.txt b/test-profiles/test_resources/ssl/CA_db/pkcs11.txt deleted file mode 100644 index beb8e0f..0000000 --- a/test-profiles/test_resources/ssl/CA_db/pkcs11.txt +++ /dev/null @@ -1,5 +0,0 @@ -library= -name=NSS Internal PKCS #11 Module -parameters=configdir='CA_db' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' -NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30}) - diff --git a/test-profiles/test_resources/ssl/CA_db/rootca.crt b/test-profiles/test_resources/ssl/CA_db/rootca.crt deleted file mode 100644 index b9356b6..0000000 
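Review bot: deleting CA_db/cert9.db, key4.db and pkcs11.txt (the NSS database that held the MyRootCA signing key) together with the CA and leaf certificates that follow means the committed test PKI can no longer be re-issued or extended by hand, and the commit message does not say what replaces it. Add a sentence to the commit description, or a short README under test_resources/ssl, stating how the replacement key stores, trust stores and CRLs are produced and where that code lives.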
--- a/test-profiles/test_resources/ssl/CA_db/rootca.crt +++ /dev/null @@ -1,19 +0,0 @@ diff --git a/test-profiles/test_resources/ssl/app1.crt b/test-profiles/test_resources/ssl/app1.crt deleted file mode 100644 index edc890f..0000000 --- a/test-profiles/test_resources/ssl/app1.crt +++ /dev/null
@@ -1,21 +0,0 @@ diff --git a/test-profiles/test_resources/ssl/app1.req b/test-profiles/test_resources/ssl/app1.req deleted file mode 100644 index f1f90e0..0000000 --- a/test-profiles/test_resources/ssl/app1.req +++ /dev/null
@@ -1,18 +0,0 @@ diff --git a/test-profiles/test_resources/ssl/app2.crt b/test-profiles/test_resources/ssl/app2.crt deleted file mode 100644 index 5693e43..0000000 --- a/test-profiles/test_resources/ssl/app2.crt +++ /dev/null
@@ -1,21 +0,0 @@ diff --git a/test-profiles/test_resources/ssl/app2.req b/test-profiles/test_resources/ssl/app2.req deleted file mode 100644 index 61235b0..0000000 --- a/test-profiles/test_resources/ssl/app2.req +++ /dev/null
@@ -1,18 +0,0 @@ diff --git a/test-profiles/test_resources/ssl/expired.crt b/test-profiles/test_resources/ssl/expired.crt deleted file mode 100644 index 933330a..0000000 --- a/test-profiles/test_resources/ssl/expired.crt +++ /dev/null
@@ -1,17 +0,0 @@ diff --git a/test-profiles/test_resources/ssl/generate-java-keystores.sh b/test-profiles/test_resources/ssl/generate-java-keystores.sh deleted file mode 100755 index f6c8e82..0000000 --- a/test-profiles/test_resources/ssl/generate-java-keystores.sh +++ /dev/null
@@ -1,129 +0,0 @@ -#!/usr/bin/env bash -# -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. -# - -echo "Remove existing keystore for Apache Qpid Broker-J " -rm java_broker_keystore.jks -echo "Re-create keystore for Apache Qpid Broker-J by importing RootCA certificate" -keytool -importcert -v -keystore java_broker_keystore.jks -keysize 2048 -storepass password -alias RootCA -file CA_db/rootca.crt -storetype pkcs12 -noprompt -echo "Generate certificate key 'java-broker'" -keytool -genkey -alias java-broker -keyalg RSA -keysize 2048 -sigalg SHA512withRSA -validity 720 -keystore java_broker_keystore.jks -storepass password -dname "CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" -storetype pkcs12 -echo "Export certificate signing request" -keytool -certreq -alias java-broker -sigalg SHA512withRSA -keystore java_broker_keystore.jks -storepass password -v -file java_broker.req -storetype pkcs12 -echo "Sign certificate by entering:" -echo " n for 'Is this a CA certificate [y/N]?'" -echo " [Enter] for 'Enter the path length constraint, enter to skip [<0 for unlimited path]: >'" -echo " n for 'Is this a critical extension [y/N]?'" -echo " password which was specified on creation root CA database." 
-certutil -C -d CA_db -c "MyRootCA" -a -i java_broker.req -o java_broker.crt -2 -6 --extKeyUsage serverAuth -v 60 -g 4096 -echo "Import signed certificate" -keytool -importcert -v -alias java-broker -keystore java_broker_keystore.jks -storepass password -file java_broker.crt -storetype pkcs12 -noprompt -echo "List keystore entries" -keytool --list --keystore java_broker_keystore.jks -storepass password -storetype pkcs12 - -read -p "Press [Enter] key to continue..." -echo "Remove existing client keystore" -rm java_client_keystore.jks -echo "Re-create client keystore by importing RootCA certificate" -keytool -importcert -v -keystore java_client_keystore.jks -storepass password -alias RootCA -file CA_db/rootca.crt -storetype pkcs12 -noprompt - -echo "Generate key for certificate 'app2'" -keytool -genkey -alias app2 -keyalg RSA -keysize 2048 -sigalg SHA512withRSA -validity 720 -keystore java_client_keystore.jks -storepass password -dname "CN=app2@acme.org, OU=art, O=acme, L=Toronto, ST=ON, C=CA" -storetype pkcs12 -echo "Export certificate signing request for 'app2'" -keytool -certreq -alias app2 -sigalg SHA512withRSA -keystore java_client_keystore.jks -storepass password -v -file app2.req -storetype pkcs12 -echo "Sign certificate 'app2' by entering:" -echo " n for 'Is this a CA certificate [y/N]?'" -echo " '-1' for 'Enter the path length constraint, enter to skip [<0 for unlimited path]: >'" -echo " n for 'Is this a critical extension [y/N]?'" -echo " password which was specified on creation root CA database." 
-certutil -C -d CA_db -c "MyRootCA" -a -i app2.req -o app2.crt -2 -6 --extKeyUsage clientAuth -v 60 -Z SHA512 -echo "Import signed certificate 'app2'" -keytool -importcert -v -alias app2 -keystore java_client_keystore.jks -storepass password -file app2.crt -storetype pkcs12 -noprompt - -echo "Generate key for certificate 'app1'" -keytool -genkey -alias app1 -keyalg RSA -keysize 2048 -sigalg SHA512withRSA -validity 720 -keystore java_client_keystore.jks -storepass password -dname "CN=app1@acme.org, OU=art, O=acme, L=Toronto, ST=ON, C=CA" -storetype pkcs12 -echo "Export certificate signing request for 'app1'" -keytool -certreq -alias app1 -sigalg SHA512withRSA -keystore java_client_keystore.jks -storepass password -v -file app1.req -echo "Sign certificate 'app1' by entering:" -echo " n for 'Is this a CA certificate [y/N]?'" -echo " '-1' for 'Enter the path length constraint, enter to skip [<0 for unlimited path]: >'" -echo " n for 'Is this a critical extension [y/N]?'" -echo " password which was specified on creation of root CA database." -certutil -C -d CA_db -c "MyRootCA" -a -i app1.req -o app1.crt -2 -6 --extKeyUsage clientAuth -v 60 -Z SHA512 -echo "Import signed certificate 'app1'" -keytool -importcert -v -alias app1 -keystore java_client_keystore.jks -storepass password -file app1.crt -storetype pkcs12 -noprompt -echo "List entries in client keystore" -keytool --list --keystore java_client_keystore.jks -storepass password - -read -p "Press [Enter] key to continue..." -echo "Remove existing client truststore" -rm java_client_truststore.jks -echo "Re-create client truststore by importing RootCA certificate" -keytool -importcert -v -keystore java_client_truststore.jks -storepass password -alias RootCA -file CA_db/rootca.crt -storetype pkcs12 -noprompt -echo "List entries in client trusttore" -keytool --list --keystore java_client_truststore.jks -storepass password -storetype pkcs12 - -read -p "Press [Enter] key to continue..." 
-echo "Remove existing broker truststore" -rm java_broker_truststore.jks -echo "Re-create broker truststore by importing RootCA certificate" -keytool -importcert -v -keystore java_broker_truststore.jks -storepass password -alias RootCA -file CA_db/rootca.crt -storetype pkcs12 -noprompt -echo "List entries in broker truststore" -keytool --list --keystore java_broker_truststore.jks -storepass password -storetype pkcs12 - -read -p "Press [Enter] key to continue..." -echo "Remove existing broker peerstore" -rm java_broker_peerstore.jks -echo "Re-create broker peerstore by importing app1 certificate" -keytool -importcert -v -keystore java_broker_peerstore.jks -storepass password -alias app1 -file app1.crt -storetype pkcs12 -noprompt -echo "List entries in broker peerstore" -keytool --list --keystore java_broker_peerstore.jks -storepass password -storetype pkcs12 - -cp java_broker_keystore.jks ../../../broker-core/src/test/resources/ssl/test_keystore.jks -keytool -importcert -v -alias app1 -keystore ../../../broker-core/src/test/resources/ssl/test_keystore.jks -storepass password -file app1.crt -storetype pkcs12 -noprompt -keytool -importcert -v -alias app2 -keystore ../../../broker-core/src/test/resources/ssl/test_keystore.jks -storepass password -file app2.crt -storetype pkcs12 -noprompt - -cp java_broker_keystore.jks ../../../broker-core/src/test/resources/ssl/test_pk_only_keystore.pkcs12 -keytool -delete -v -alias rootca -keystore ../../../broker-core/src/test/resources/ssl/test_pk_only_keystore.pkcs12 -storepass password - -cp java_broker_keystore.jks ../../../broker-core/src/test/resources/ssl/test_cert_only_keystore.pkcs12 -keytool -delete -v -alias java-broker -keystore ../../../broker-core/src/test/resources/ssl/test_cert_only_keystore.pkcs12 -storepass password - -cp java_broker_keystore.jks ../../../broker-core/src/test/resources/ssl/test_symmetric_key_keystore.pkcs12 -keytool -genseckey -alias testalias -keyalg AES -keysize 256 -storetype pkcs12 -keystore 
../../../broker-core/src/test/resources/ssl/test_symmetric_key_keystore.pkcs12 -storepass password - -cp java_broker.req ../../../broker-core/src/test/resources/ssl/java_broker.req -cp java_broker.crt ../../../broker-core/src/test/resources/ssl/java_broker.crt - -cp expired.crt ../../../broker-core/src/test/resources/ssl/expired.crt -cp java_client_expired_keystore.jks ../../../broker-core/src/test/resources/ssl/java_client_expired_keystore.pkcs12 -cp java_broker_expired_truststore.jks ../../../broker-core/src/test/resources/ssl/java_broker_expired_truststore.pkcs12 - -cp java_broker_peerstore.jks ../../../broker-core/src/test/resources/ssl/java_broker_peerstore.pkcs12 -cp java_broker_truststore.jks ../../../broker-core/src/test/resources/ssl/java_broker_truststore.pkcs12 -cp java_broker_keystore.jks ../../../broker-core/src/test/resources/ssl/java_broker_keystore.pkcs12 -cp java_broker_keystore.jks ../../../systests/qpid-systests-http-management/src/main/resources/java_broker_keystore.jks -cp java_client_keystore.jks ../../../broker-core/src/test/resources/ssl/java_client_keystore.pkcs12 -cp java_client_truststore.jks ../../../broker-core/src/test/resources/ssl/java_client_truststore.pkcs12 - -rm java_client_untrusted_keystore.jks -keytool -genkey -keystore java_client_untrusted_keystore.jks -keyalg RSA -keysize 2048 -sigalg SHA512withRSA -alias untrusted_client -storepass password -storetype pkcs12 -dname "CN=untrusted_client" -cp java_client_untrusted_keystore.jks ../../../broker-core/src/test/resources/ssl/java_client_untrusted_keystore.pkcs12 - - diff --git a/test-profiles/test_resources/ssl/generate-root-ca.sh b/test-profiles/test_resources/ssl/generate-root-ca.sh deleted file mode 100755 index 14d760c..0000000 --- a/test-profiles/test_resources/ssl/generate-root-ca.sh +++ /dev/null 
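Review bot: removing generate-java-keystores.sh takes with it the only record in this tree of how the fixtures were built: PKCS12 stores, 2048-bit RSA keys, SHA512withRSA, 720-day validity, store password "password", the broker peerstore seeded from app1.crt, the untrusted_client self-signed store, and the expired-certificate stores copied at the end of the script. Since expired.crt is deleted in this commit as well, confirm that the expired-certificate and untrusted-client scenarios still have fixtures, and record these parameters (in a comment or README) wherever the replacement generation now lives.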
@@ -1,49 +0,0 @@ -#!/usr/bin/env bash -# -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. -# - -echo "Create a new certificate database for root CA" -rm -fr CA_db; mkdir CA_db -certutil -N -d CA_db - -echo "Create the self-signed Root CA certificate by entering:" -echo " password which was specified on creation of root CA database." -echo " y for 'Is this a CA certificate [y/N]?'" -echo " [Enter] for 'Enter the path length constraint, enter to skip [<0 for unlimited path]: >'" -echo " n for 'Is this a critical extension [y/N]?'" -certutil -S -d CA_db -n "MyRootCA" -s "CN=MyRootCA,O=ACME,ST=Ontario,C=CA" -t "CT,," -x -2 -Z SHA512 -v 60 -g 2048 -echo "Extract the CA certificate from the CA’s certificate database to a file." -certutil -L -d CA_db -n "MyRootCA" -a -o CA_db/rootca.crt - - -echo "Create a certificate database for the Qpid Broker." 
-rm -fr server_db; mkdir server_db -certutil -N -d server_db -echo "Import the CA certificate into the broker’s certificate database" -certutil -A -d server_db -n "MyRootCA" -t "TC,," -a -i CA_db/rootca.crt -echo "Create the server certificate request" -certutil -R -d server_db -s "CN=localhost.localdomain,O=ACME,ST=Ontario,C=CA" -a -o server_db/server.req -Z SHA512 -echo "Sign and issue a new server certificate by entering:" -echo " n for 'Is this a CA certificate [y/N]?'" -echo " '-1' for 'Enter the path length constraint, enter to skip [<0 for unlimited path]: >'" -echo " n for 'Is this a critical extension [y/N]?'" -echo " password which was specified on creation of root CA database." -certutil -C -d CA_db -c "MyRootCA" -a -i server_db/server.req -o server_db/server.crt -2 -6 --extKeyUsage serverAuth -v 60 -Z SHA512 -g 2048 -echo "Import signed certificate to the broker’s certificate database" -certutil -A -d server_db -n localhost.localdomain -a -i server_db/server.crt -t ",," diff --git a/test-profiles/test_resources/ssl/java_broker.crt b/test-profiles/test_resources/ssl/java_broker.crt deleted file mode 100644 index 4e5c086..0000000 --- a/test-profiles/test_resources/ssl/java_broker.crt +++ /dev/null 
@@ -1,21 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDbzCCAlegAwIBAgIFALBcS4MwDQYJKoZIhvcNAQELBQAwQTELMAkGA1UEBhMC -Q0ExEDAOBgNVBAgTB09udGFyaW8xDTALBgNVBAoTBEFDTUUxETAPBgNVBAMTCE15 -Um9vdENBMB4XDTE5MDIyNzE2MDY0M1oXDTI0MDIyNzE2MDY0M1owbjEQMA4GA1UE -BhMHVW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQ -MA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjESMBAGA1UEAxMJbG9j -YWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq1zWGLqSHqno -In5HjqSLSNQb5TV7qTeoKeVGJdfP13oXMllzy4JTCiXBen3l3YhpSxqGYccyEYee -UlMSWH1snv9kW5sh+fF8HjJrabQco+vkUqUirvotaBQP71X1V+05AFxFhWfgdINw -Kzu6az5i2S6DWJ0Xkseuolo3cM/J+M245NJj3as0dX2bOu0qbqk4izDqqV1uiyUP -Udn0jICC52ZLd2v9lBbUQD/ZvwMYWIiBw9pfPxvIw2OsqsKeh+I7RUoGBxDUdDvj -lbNeJV7AmeoszI/3bHkncdCiObFMXdXmUVwcRJYDAq5eBhgK59WcwKPIqlOLismQ -wjN4ZxxvqQIDAQABo0EwPzAdBgNVHQ4EFgQU8NpCddyhoagntgXuH6eMGKnNxJsw -CQYDVR0TBAIwADATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOC -AQEAjFSD0UPN7ZqMKA0Sk2oailI+AU11VEmwIw18sXSEFMWSH8uAgkyTOvNQv4Nu -WHgNOx20r18bYVrTqTznRa9oM7xemtR2pKqJYUQKqvk9vcF8mY7ibK1AH1vlm/gh -7EfEmobfwHutXyTbUppgqf4QLn9AYLokD/w0la1mxDQ5Qc5FefgxLGaN2DZALFOc -8lcpA9E2hTau2znxMlqqrG73E6R2XoE7BVMHVemVAAvusBuuP9OW/iC/KTPDFNoy -NnDViQfIh03aBH2N5XCcnsdsxDULh6pjdZWf9FB+8OBDKyajNdFZku7AFLkt+QIa -FVo105jdjqfMxt8FRNuQ05vYEQ== ------END CERTIFICATE----- diff --git a/test-profiles/test_resources/ssl/java_broker.req b/test-profiles/test_resources/ssl/java_broker.req deleted file mode 100644 index c618dd3..0000000 --- a/test-profiles/test_resources/ssl/java_broker.req +++ /dev/null 
@@ -1,18 +0,0 @@ ------BEGIN NEW CERTIFICATE REQUEST----- -MIIC4zCCAcsCAQAwbjEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA1UECBMHVW5rbm93 -bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMH -VW5rbm93bjESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOC -AQ8AMIIBCgKCAQEAq1zWGLqSHqnoIn5HjqSLSNQb5TV7qTeoKeVGJdfP13oXMllz -y4JTCiXBen3l3YhpSxqGYccyEYeeUlMSWH1snv9kW5sh+fF8HjJrabQco+vkUqUi -rvotaBQP71X1V+05AFxFhWfgdINwKzu6az5i2S6DWJ0Xkseuolo3cM/J+M245NJj -3as0dX2bOu0qbqk4izDqqV1uiyUPUdn0jICC52ZLd2v9lBbUQD/ZvwMYWIiBw9pf -PxvIw2OsqsKeh+I7RUoGBxDUdDvjlbNeJV7AmeoszI/3bHkncdCiObFMXdXmUVwc -RJYDAq5eBhgK59WcwKPIqlOLismQwjN4ZxxvqQIDAQABoDAwLgYJKoZIhvcNAQkO -MSEwHzAdBgNVHQ4EFgQU8NpCddyhoagntgXuH6eMGKnNxJswDQYJKoZIhvcNAQEN -BQADggEBAHsfAScjTeIM+Mkmq7z29wl0+NdWyoDKt0PjG0/WffExGXG1FD6JrbP7 -UEeBY60WdypO9/Nx7I/sw/UOsOH297NuCMkFDitAk5/5XDVSYpywBi85XK72ODmv -hWYn2MGP9YnfL3qOd75kpNgVBKt9+IVFFNgdUMfzDQpTQgmzdaRepM4HUuxJnNGN -jcjA6b7rT0XQu7EJqM/Q1beJTVmwtv/3ZsBduJfksr2+fyC7wd344Equ8kfhZtd9 -YocJYdlZ//0RjWMv10hXNMD2Y+Nk4ldoFOXwv93JMcBn4Uy0TeZ9O/eI/jETT5TL -FZUUWdHvGqN2/9L4EZ0rAyH87HpHV7I= ------END NEW CERTIFICATE REQUEST----- diff --git a/test-profiles/test_resources/ssl/java_broker_expired_truststore.jks b/test-profiles/test_resources/ssl/java_broker_expired_truststore.jks deleted file mode 100644 index 9bfe301..0000000 Binary files a/test-profiles/test_resources/ssl/java_broker_expired_truststore.jks and /dev/null differ diff --git a/test-profiles/test_resources/ssl/java_broker_keystore.jks b/test-profiles/test_resources/ssl/java_broker_keystore.jks deleted file mode 100644 index b45991f..0000000 Binary files a/test-profiles/test_resources/ssl/java_broker_keystore.jks and /dev/null differ diff --git a/test-profiles/test_resources/ssl/java_broker_peerstore.jks b/test-profiles/test_resources/ssl/java_broker_peerstore.jks deleted file mode 100644 index a5b307f..0000000 Binary files a/test-profiles/test_resources/ssl/java_broker_peerstore.jks and /dev/null differ 
diff --git a/test-profiles/test_resources/ssl/java_broker_truststore.jks b/test-profiles/test_resources/ssl/java_broker_truststore.jks deleted file mode 100644 index 4184adf..0000000 Binary files a/test-profiles/test_resources/ssl/java_broker_truststore.jks and /dev/null differ diff --git a/test-profiles/test_resources/ssl/java_client_expired_keystore.jks b/test-profiles/test_resources/ssl/java_client_expired_keystore.jks deleted file mode 100644 index cb9b876..0000000 Binary files a/test-profiles/test_resources/ssl/java_client_expired_keystore.jks and /dev/null differ diff --git a/test-profiles/test_resources/ssl/java_client_keystore.jks b/test-profiles/test_resources/ssl/java_client_keystore.jks deleted file mode 100644 index 9422d9a..0000000 Binary files a/test-profiles/test_resources/ssl/java_client_keystore.jks and /dev/null differ diff --git a/test-profiles/test_resources/ssl/java_client_truststore.jks b/test-profiles/test_resources/ssl/java_client_truststore.jks deleted file mode 100644 index 1b45a23..0000000 Binary files a/test-profiles/test_resources/ssl/java_client_truststore.jks and /dev/null differ diff --git a/test-profiles/test_resources/ssl/java_client_untrusted_keystore.jks b/test-profiles/test_resources/ssl/java_client_untrusted_keystore.jks deleted file mode 100644 index 8b0b023..0000000 Binary files a/test-profiles/test_resources/ssl/java_client_untrusted_keystore.jks and /dev/null differ diff --git a/test-profiles/test_resources/ssl/pfile b/test-profiles/test_resources/ssl/pfile deleted file mode 100644 index f3097ab..0000000 --- a/test-profiles/test_resources/ssl/pfile +++ /dev/null @@ -1 +0,0 @@ -password diff --git a/test-profiles/test_resources/ssl/server_db/cert9.db b/test-profiles/test_resources/ssl/server_db/cert9.db deleted file mode 100644 index 9a5f864..0000000 Binary files a/test-profiles/test_resources/ssl/server_db/cert9.db and /dev/null differ 
diff --git a/test-profiles/test_resources/ssl/server_db/key4.db b/test-profiles/test_resources/ssl/server_db/key4.db deleted file mode 100644 index f08d318..0000000 Binary files a/test-profiles/test_resources/ssl/server_db/key4.db and /dev/null differ diff --git a/test-profiles/test_resources/ssl/server_db/pkcs11.txt b/test-profiles/test_resources/ssl/server_db/pkcs11.txt deleted file mode 100644 index 440f523..0000000 --- a/test-profiles/test_resources/ssl/server_db/pkcs11.txt +++ /dev/null @@ -1,5 +0,0 @@ -library= -name=NSS Internal PKCS #11 Module -parameters=configdir='server_db' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' -NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30}) - diff --git a/test-profiles/test_resources/ssl/server_db/server.crt b/test-profiles/test_resources/ssl/server_db/server.crt deleted file mode 100644 index fb51ff1..0000000 --- a/test-profiles/test_resources/ssl/server_db/server.crt +++ /dev/null 
@@ -1,20 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDMDCCAhigAwIBAgIFALBcSo0wDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMC -Q0ExEDAOBgNVBAgTB09udGFyaW8xDTALBgNVBAoTBEFDTUUxETAPBgNVBAMTCE15 -Um9vdENBMB4XDTE5MDIyNzE2MDQzNFoXDTI0MDIyNzE2MDQzNFowTjELMAkGA1UE -BhMCQ0ExEDAOBgNVBAgTB09udGFyaW8xDTALBgNVBAoTBEFDTUUxHjAcBgNVBAMT -FWxvY2FsaG9zdC5sb2NhbGRvbWFpbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC -AQoCggEBAMZvr9ZVPPPPgXlL/3tN57SmQRD8KKbK6F2DxPKPpV3FuhPxKRLVbDTp -VgJ6geTSQXWlcCzZ7pr+J1Z7jU8tFb963i+kpFD21Z4xcaLTaHQvyiXMXgYJ/AU+ -0AQDrQN16Bkx/nbvXCtnfahp6Li3KUffEYjjLleuP5WwUSZJQ3oR74YQOKFZiDMU -p5iUBiFWJ6Svey5usHOzycAeQVJYF8cdbTo3BL1mNFV8Q0aFD/qOsZoKNHZR8vb1 -ioBs1P9TdNO/fai/YZVkqq3I/wY9JoN7OmSPTtThuwZniSvOqsy2zkkEqG26HOnl -BlRWshzyPaket8j4CrxZeVB4xmIbHvcCAwEAAaMiMCAwCQYDVR0TBAIwADATBgNV -HSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQ0FAAOCAQEASvcXQIq2cyhujhoh -DKZhenA1MqGTpWsrAo41obxVpzch/z7qrQsGUG/7qXm7XIQ8wPXKUJhQd5+ga5U0 -YV/QNu8Kz+5rxgCxv/hqHaajNfeOs8C3Oxk1IIg+9OC2bIRmR9SF84XBM2YrJuTe -BlGszTNnOXQGoR0gOMl2EH+4kh00vVnRwrsSGHEWNqNprPFgauZ14bvCeeFJhsYd -IjmrQgbGvt4463Kaw4gUstSrwQGOTGjqhEcUR6MER83HzDu0qoAHtQLNXh1NJ3M0 -BQg6Aaral1kfgWKbB88SgAAPMHBzIqG1ubYmRykEf+G6OOgBACp1CSiCskbJ59Wc -2tbblQ== ------END CERTIFICATE----- diff --git a/test-profiles/test_resources/ssl/server_db/server.req b/test-profiles/test_resources/ssl/server_db/server.req deleted file mode 100644 index f2042ce..0000000 --- a/test-profiles/test_resources/ssl/server_db/server.req +++ /dev/null 
@@ -1,26 +0,0 @@ - -Certificate request generated by Netscape certutil -Phone: (not specified) - -Common Name: localhost.localdomain -Email: (not specified) -Organization: ACME -State: Ontario -Country: CA - ------BEGIN NEW CERTIFICATE REQUEST----- -MIICkzCCAXsCAQAwTjELMAkGA1UEBhMCQ0ExEDAOBgNVBAgTB09udGFyaW8xDTAL -BgNVBAoTBEFDTUUxHjAcBgNVBAMTFWxvY2FsaG9zdC5sb2NhbGRvbWFpbjCCASIw -DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZvr9ZVPPPPgXlL/3tN57SmQRD8 -KKbK6F2DxPKPpV3FuhPxKRLVbDTpVgJ6geTSQXWlcCzZ7pr+J1Z7jU8tFb963i+k -pFD21Z4xcaLTaHQvyiXMXgYJ/AU+0AQDrQN16Bkx/nbvXCtnfahp6Li3KUffEYjj -LleuP5WwUSZJQ3oR74YQOKFZiDMUp5iUBiFWJ6Svey5usHOzycAeQVJYF8cdbTo3 -BL1mNFV8Q0aFD/qOsZoKNHZR8vb1ioBs1P9TdNO/fai/YZVkqq3I/wY9JoN7OmSP -TtThuwZniSvOqsy2zkkEqG26HOnlBlRWshzyPaket8j4CrxZeVB4xmIbHvcCAwEA -AaAAMA0GCSqGSIb3DQEBDQUAA4IBAQB65l4W5FqmHN0KIPS81qwdpncPw0XLM5Wf -dVY8Q0GZ9AWm5pTBl472AdoL/2FtQEsLnIfDDR9WFDfREqP2grO+98vbMPofNLPH -es9dOEXRAGMziqFUhFofyWIXZUBQI9nWn9kuNZRtK2JfftG+eMtT8KlibFgVdaHc -C8/HwlnmoQVtXQeqnEMYK8hN1+4hp9OzwkiwSMBpTNtB9jejnYQe4U2DnWpWD1ko -w0kAQpb36zSOkZZ0ZMaT7aTLpDmsOvj6bAj6nUxjcGFvSqVIaxyQb2y0JflM+IN7 -K0PL2I1Wi2AGA3WlBs/nY+Ol2NfcD/nsdZdtVNn6WV9DsfnyfS6L ------END NEW CERTIFICATE REQUEST----- --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscribe@qpid.apache.org For additional commands, e-mail: commits-help@qpid.apache.org
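Review bot: Deleting generate-root-ca.sh together with server_db/cert9.db, key4.db, pkcs11.txt, server.crt and server.req removes the only recorded procedure for regenerating the NSS certificate databases, and that script was already unusable unattended because the certutil -S and certutil -C steps prompt interactively for the database password and the basic-constraints answers. If the NSS-based resources are still needed by any test, the generator should move alongside them (for example next to broker-core/src/test/resources/ssl, where the sibling copy script places the Java stores); if nothing references test-profiles/test_resources/ssl/server_db any more, please state that in the PR so the removal is clearly intentional rather than a side effect of the truststore changes.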
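Review bot: The deleted copy script is the provenance for the PKCS#12 binaries under broker-core/src/test/resources/ssl: it runs keytool -genkey with -storetype pkcs12 (RSA 2048, SHA512withRSA, storepass "password") into a file still named java_client_untrusted_keystore.jks and then copies every store there under a .pkcs12 name, and it also copies java_broker.req and java_broker.crt, both deleted in this patch. Unless an equivalent generator has been relocated in this change, those checked-in stores can no longer be regenerated reproducibly; keeping a generator (or at least a README listing the keytool parameters) next to the broker-core resources would avoid that.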
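Review bot: Dropping pfile, which held the plaintext NSS database password "password", is fine, but note that the same value is still embedded inline as -storepass password in the generator script above, so this deletion only removes clutter; it does not change how the test-only secret is handled, and no test should be relying on pfile being present.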