This is an automated email from the ASF dual-hosted git repository.
robbie pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/activemq-artemis.git
The following commit(s) were added to refs/heads/main by this push:
new 2fff47b135 ARTEMIS-5340 ensure PEM provider is truly optional
2fff47b135 is described below
commit 2fff47b135cf6f0fb2bc25d315496c5913af35d3
Author: Justin Bertram <[email protected]>
AuthorDate: Wed Mar 5 12:59:09 2025 -0600
ARTEMIS-5340 ensure PEM provider is truly optional
---
.../artemis/core/remoting/impl/ssl/PemSupport.java | 26 +++++++
.../artemis/core/remoting/impl/ssl/SSLSupport.java | 7 +-
.../core/remoting/impl/netty/PemProviderTest.java | 81 ++++++++++++++++++++++
3 files changed, 112 insertions(+), 2 deletions(-)
diff --git
a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/ssl/PemSupport.java
b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/ssl/PemSupport.java
new file mode 100644
index 0000000000..83db884594
--- /dev/null
+++
b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/ssl/PemSupport.java
@@ -0,0 +1,26 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.artemis.core.remoting.impl.ssl;
+
+import java.security.Security;
+
+public class PemSupport {
+
+ public static void loadProvider() {
+ Security.insertProviderAt(new
de.dentrassi.crypto.pem.PemKeyStoreProvider(),
Integer.parseInt(System.getProperty("artemis.pemProvider.insertAt", "0")));
+ }
+}
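Review bot: `Integer.parseInt(System.getProperty("artemis.pemProvider.insertAt", "0"))` in `loadProvider()` is unguarded, so a non-numeric property value surfaces as a bare NumberFormatException from the keystore-loading path, with no hint of which setting is wrong. This value sets the preference position of a JCA provider, so I would fail with a message that names it, e.g. `catch (NumberFormatException e) { throw new IllegalArgumentException("artemis.pemProvider.insertAt must be an integer", e); }`. The result of `Security.insertProviderAt` (-1 when the provider was not added) is also dropped. The new class has no Javadoc; something like `/** The only class that may reference de.dentrassi.crypto.pem directly, so SSLSupport can be loaded without the PEM dependency present. */` would keep a later refactor from inlining the call again.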
diff --git
a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/ssl/SSLSupport.java
b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/ssl/SSLSupport.java
index 7dee7e0379..8af1d5266a 100644
---
a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/ssl/SSLSupport.java
+++
b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/ssl/SSLSupport.java
@@ -352,11 +352,14 @@ public class SSLSupport {
return ks;
}
+ /**
+ * This method calls out to a separate class in order to avoid a hard
dependency on the provider's implementation.
+ * This allows folks who don't use PEM to avoid using the corresponding
dependency.
+ */
public static void checkPemProviderLoaded(String keystoreType) {
if (keystoreType != null && keystoreType.startsWith("PEM")) {
if (Security.getProvider("PEM") == null) {
- Security.insertProviderAt(new
de.dentrassi.crypto.pem.PemKeyStoreProvider(),
-
Integer.parseInt(System.getProperty("artemis.pemProvider.insertAt", "0")));
+ PemSupport.loadProvider();
}
}
}
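Review bot: `checkPemProviderLoaded` lets a `NoClassDefFoundError` propagate unchanged, which is what `PemSupport.loadProvider()` will throw when a `PEM*` keystore type is configured but the now-optional provider jar is absent. That is an `Error`, so any caller that only catches `Exception` around keystore loading (not visible in this hunk) will not report it as a TLS configuration problem. I would wrap the call and rethrow with an actionable message, e.g. `catch (NoClassDefFoundError e) { throw new IllegalStateException("Keystore type " + keystoreType + " requires the PEM provider on the classpath", e); }`. The Javadoc could also state this failure mode, since it is the direct consequence of making the dependency optional.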
diff --git
a/artemis-core-client/src/test/java/org/apache/activemq/artemis/core/remoting/impl/netty/PemProviderTest.java
b/artemis-core-client/src/test/java/org/apache/activemq/artemis/core/remoting/impl/netty/PemProviderTest.java
new file mode 100644
index 0000000000..d2766db811
--- /dev/null
+++
b/artemis-core-client/src/test/java/org/apache/activemq/artemis/core/remoting/impl/netty/PemProviderTest.java
@@ -0,0 +1,81 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.artemis.core.remoting.impl.netty;
+
+import de.dentrassi.crypto.pem.PemKeyStoreProvider;
+import org.apache.activemq.artemis.core.remoting.impl.ssl.SSLSupport;
+import org.junit.jupiter.api.MethodOrderer.OrderAnnotation;
+import org.junit.jupiter.api.Order;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.TestMethodOrder;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertNull;
+
+/**
+ * Order is important here because we don't want to load the PEM provider
class before we test that it isn't loaded.
+ */
+@TestMethodOrder(OrderAnnotation.class)
+public class PemProviderTest {
+
+ // use a literal to avoid implicitly loading the actual package/class
+ static final String PEM_PROVIDER_PACKAGE = "de.dentrassi.crypto.pem";
+
+ @Test
+ @Order(1)
+ public void testPemProviderNotLoadedOnSSLSupportStaticUse() {
+ // ensure the PEM provider isn't already loaded (e.g. by another test)
+
assertNull(ClassLoader.getSystemClassLoader().getDefinedPackage(PEM_PROVIDER_PACKAGE));
+
+ // use a static method from SSLSupport to force the JVM to load it as
well as any hard dependencies it has
+ SSLSupport.parseCommaSeparatedListIntoArray("");
+
+
assertNull(ClassLoader.getSystemClassLoader().getDefinedPackage(PEM_PROVIDER_PACKAGE));
+ }
+
+ @Test
+ @Order(2)
+ public void testPemProviderNotLoadedOnLoadingNonPemKeystore() throws
Exception {
+ // ensure the PEM provider isn't already loaded (e.g. by another test)
+
assertNull(ClassLoader.getSystemClassLoader().getDefinedPackage(PEM_PROVIDER_PACKAGE));
+
+ SSLSupport.loadKeystore(null, "JKS", "", "");
+
+
assertNull(ClassLoader.getSystemClassLoader().getDefinedPackage(PEM_PROVIDER_PACKAGE));
+ }
+
+ @Test
+ @Order(3)
+ public void testPemProviderLoadedOnLoadingPemKeystore() throws Exception {
+ // ensure the PEM provider isn't already loaded (e.g. by another test)
+
assertNull(ClassLoader.getSystemClassLoader().getDefinedPackage(PEM_PROVIDER_PACKAGE));
+
+ SSLSupport.loadKeystore(null, "PEM", "", "");
+
+
assertNotNull(ClassLoader.getSystemClassLoader().getDefinedPackage(PEM_PROVIDER_PACKAGE));
+ }
+
+ /**
+ * This test simply verifies that we're using the right literal for the PEM
provider implementation.
+ */
+ @Test
+ @Order(4)
+ public void testPemProviderPackageName() {
+ assertEquals(PEM_PROVIDER_PACKAGE,
PemKeyStoreProvider.class.getPackageName());
+ }
+}
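Review bot: Every test here asserts on JVM-wide state: the packages defined by the system class loader and, after test 3, the global `Security` provider list. The `assertNull` preconditions therefore fail whenever another test in the same fork has already touched the PEM provider, and test 3 leaves the provider registered for whatever runs next. The class Javadoc should say that the class needs a JVM in which nothing has loaded `de.dentrassi.crypto.pem` yet, and an `@AfterAll` method calling `Security.removeProvider("PEM")` would restore the provider list. If the build runs tests under a class loader other than the system one, `getDefinedPackage` on the system loader would presumably stay null and tests 1 and 2 would pass vacuously; that is worth confirming against the test-runner configuration.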