Repository: qpid-broker-j
Updated Branches:
  refs/heads/master d9027a0b9 -> efb35e571


QPID-7867: Fix failing tests on IBM JDK due to differences in behaviour of the 
IBMJSSE2 Provider and the Oracle JSSE Provider.


Project: http://git-wip-us.apache.org/repos/asf/qpid-broker-j/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-broker-j/commit/efb35e57
Tree: http://git-wip-us.apache.org/repos/asf/qpid-broker-j/tree/efb35e57
Diff: http://git-wip-us.apache.org/repos/asf/qpid-broker-j/diff/efb35e57

Branch: refs/heads/master
Commit: efb35e571dfe606534005a41a36d07d58eb8c129
Parents: d9027a0
Author: Keith Wall <kw...@apache.org>
Authored: Tue Aug 8 12:46:03 2017 +0100
Committer: Keith Wall <kw...@apache.org>
Committed: Tue Aug 8 12:54:26 2017 +0100

----------------------------------------------------------------------
 .../security/TrustAnchorValidatingTrustManager.java   | 11 +++++++----
 .../qpid/server/security/FileTrustStoreTest.java      | 14 ++++++++++++--
 .../qpid/server/security/NonJavaTrustStoreTest.java   | 14 ++++++++++++--
 test-profiles/IBMJDKExcludes                          |  4 ++++
 4 files changed, 35 insertions(+), 8 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/efb35e57/broker-core/src/main/java/org/apache/qpid/server/security/TrustAnchorValidatingTrustManager.java
----------------------------------------------------------------------
diff --git 
a/broker-core/src/main/java/org/apache/qpid/server/security/TrustAnchorValidatingTrustManager.java
 
b/broker-core/src/main/java/org/apache/qpid/server/security/TrustAnchorValidatingTrustManager.java
index 42434c2..291d11e 100644
--- 
a/broker-core/src/main/java/org/apache/qpid/server/security/TrustAnchorValidatingTrustManager.java
+++ 
b/broker-core/src/main/java/org/apache/qpid/server/security/TrustAnchorValidatingTrustManager.java
@@ -117,8 +117,8 @@ class TrustAnchorValidatingTrustManager implements 
X509TrustManager
                                                                    final 
Set<Certificate> otherCerts)
             throws GeneralSecurityException
     {
-        Set<Certificate> intermediateCerts = new HashSet<>();
-        intermediateCerts.addAll(otherCerts);
+        Set<Certificate> storeCerts = new HashSet<>();
+        storeCerts.addAll(otherCerts);
 
         Iterator<X509Certificate> iterator = 
Arrays.asList(x509Certificates).iterator();
 
@@ -131,17 +131,20 @@ class TrustAnchorValidatingTrustManager implements 
X509TrustManager
         while (iterator.hasNext())
         {
             X509Certificate intermediate = iterator.next();
-            intermediateCerts.add(intermediate);
+            storeCerts.add(intermediate);
         }
 
+
         X509CertSelector selector = new X509CertSelector();
         selector.setCertificate(peerCertificate);
+        // IBM JDK seems to require that the peer's certficate exists in the 
Collection too
+        storeCerts.add(peerCertificate);
 
         PKIXBuilderParameters pkixParams = new 
PKIXBuilderParameters(trustAnchors, selector);
         pkixParams.setRevocationEnabled(false);
 
         CertStore intermediateCertStore = CertStore.getInstance("Collection",
-                                                                new 
CollectionCertStoreParameters(intermediateCerts));
+                                                                new 
CollectionCertStoreParameters(storeCerts));
         pkixParams.addCertStore(intermediateCertStore);
 
         CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
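Review bot: The local `intermediateCertStore` and the loop variable `intermediate` no longer describe what they hold, because the set is now `storeCerts` and also contains the peer's own certificate; renaming the store to something like `certStore` would keep the path-building code readable. The new comment could also state the security-relevant invariant, e.g. `// IBM JDK requires the target certificate to be present in the CertStore; trust is still decided by trustAnchors only`, which fixes the "certficate" typo too. Since `setRevocationEnabled(false)` stays in place just below, the method's documentation should say that revocation status is not evaluated by this path build. The method starts and ends outside the hunk, so any further validation of the built path cannot be seen from here.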

http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/efb35e57/broker-core/src/test/java/org/apache/qpid/server/security/FileTrustStoreTest.java
----------------------------------------------------------------------
diff --git 
a/broker-core/src/test/java/org/apache/qpid/server/security/FileTrustStoreTest.java
 
b/broker-core/src/test/java/org/apache/qpid/server/security/FileTrustStoreTest.java
index 16d8041..9d184be 100644
--- 
a/broker-core/src/test/java/org/apache/qpid/server/security/FileTrustStoreTest.java
+++ 
b/broker-core/src/test/java/org/apache/qpid/server/security/FileTrustStoreTest.java
@@ -24,6 +24,7 @@ import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
 import java.security.KeyStore;
+import java.security.cert.CertificateException;
 import java.security.cert.CertificateExpiredException;
 import java.security.cert.X509Certificate;
 import java.util.Collection;
@@ -177,9 +178,18 @@ public class FileTrustStoreTest extends QpidTestCase
             trustManager.checkClientTrusted(new X509Certificate[] 
{certificate}, "NULL");
             fail("Exception not thrown");
         }
-        catch (CertificateExpiredException e)
+        catch (CertificateException e)
         {
-            // PASS
+            if (e instanceof CertificateExpiredException || "Certificate 
expired".equals(e.getMessage()))
+            {
+                // IBMJSSE2 does not throw CertificateExpiredException, it 
throws a CertificateException
+                // PASS
+            }
+            else
+            {
+                throw e;
+            }
+
         }
     }
 
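Review bot: Matching on the exact text `"Certificate expired"` in the new catch block ties this security test to one provider's message wording, which may differ between IBMJSSE2 releases. If the provider attaches the original exception, checking the cause chain for `CertificateExpiredException` would be sturdier, though that cannot be confirmed from this hunk. The empty `if` branch holding only `// PASS` reads more directly as a guard: `if (!(e instanceof CertificateExpiredException) && !"Certificate expired".equals(e.getMessage())) { throw e; }`. The identical block is added to NonJavaTrustStoreTest in this commit, so a shared assertion helper would keep the two copies from drifting. The test method begins outside the hunk.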

http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/efb35e57/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaTrustStoreTest.java
----------------------------------------------------------------------
diff --git 
a/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaTrustStoreTest.java
 
b/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaTrustStoreTest.java
index 8e999d5..e6276a7 100644
--- 
a/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaTrustStoreTest.java
+++ 
b/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaTrustStoreTest.java
@@ -23,6 +23,7 @@ import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
 import java.security.KeyStore;
+import java.security.cert.CertificateException;
 import java.security.cert.CertificateExpiredException;
 import java.security.cert.X509Certificate;
 import java.util.HashMap;
@@ -106,9 +107,18 @@ public class NonJavaTrustStoreTest extends QpidTestCase
             trustManager.checkClientTrusted(new X509Certificate[] 
{certificate}, "NULL");
             fail("Exception not thrown");
         }
-        catch (CertificateExpiredException e)
+        catch (CertificateException e)
         {
-            // PASS
+            if (e instanceof CertificateExpiredException || "Certificate 
expired".equals(e.getMessage()))
+            {
+                // IBMJSSE2 does not throw CertificateExpiredException, it 
throws a CertificateException
+                // PASS
+            }
+            else
+            {
+                throw e;
+            }
+
         }
     }
 

http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/efb35e57/test-profiles/IBMJDKExcludes
----------------------------------------------------------------------
diff --git a/test-profiles/IBMJDKExcludes b/test-profiles/IBMJDKExcludes
index bebda18..2836c92 100644
--- a/test-profiles/IBMJDKExcludes
+++ b/test-profiles/IBMJDKExcludes
@@ -21,3 +21,7 @@ org.apache.qpid.server.transport.TCPandSSLTransportTest#*
 
 # Transformer on IBM JDK has different whitespace behaviour
 org.apache.qpid.disttest.results.ResultsXmlWriterTest#*
+
+# THe IBMJSSE2 trust factory (IbmX509) validates the entire certificate chain, 
including trusted certificates.
+# 
https://www.ibm.com/support/knowledgecenter/en/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/knowndiffsun.html
+org.apache.qpid.server.security.FileTrustStoreTest#testUseOfExpiredTrustAnchorAllowed
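Review bot: Excluding `testUseOfExpiredTrustAnchorAllowed` records a difference in product behaviour, not only in the test. Per the added comment, IBMJSSE2 validates trusted certificates as well, so a trust store holding an expired anchor is presumably rejected on the IBM JDK even when the broker is configured to allow it. That is worth stating in the trust store's user-facing documentation rather than only in this excludes file. The comment's first word should read `The`.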

