[ 
https://issues.apache.org/jira/browse/ARTEMIS-3794?focusedWorklogId=787646&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-787646
 ]

ASF GitHub Bot logged work on ARTEMIS-3794:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 04/Jul/22 15:08
            Start Date: 04/Jul/22 15:08
    Worklog Time Spent: 10m 
      Work Description: ryan-highley commented on code in PR #4135:
URL: https://github.com/apache/activemq-artemis/pull/4135#discussion_r913089507


##########
artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java:
##########
@@ -584,15 +585,15 @@ public synchronized void start() {
             realTrustStorePassword = trustStorePassword;
          } else {
             realKeyStorePath = 
Stream.of(System.getProperty(ACTIVEMQ_KEYSTORE_PATH_PROP_NAME), 
System.getProperty(JAVAX_KEYSTORE_PATH_PROP_NAME), keyStorePath).map(v -> 
useDefaultSslContext ? keyStorePath : 
v).filter(Objects::nonNull).findFirst().orElse(null);
-            realKeyStorePassword = 
Stream.of(System.getProperty(ACTIVEMQ_KEYSTORE_PASSWORD_PROP_NAME), 
System.getProperty(JAVAX_KEYSTORE_PASSWORD_PROP_NAME), keyStorePassword).map(v 
-> useDefaultSslContext ? keyStorePassword : 
v).filter(Objects::nonNull).findFirst().orElse(null);
+            realKeyStorePassword = 
processSslPasswordProperty(Stream.of(System.getProperty(ACTIVEMQ_KEYSTORE_PASSWORD_PROP_NAME),
 System.getProperty(JAVAX_KEYSTORE_PASSWORD_PROP_NAME), keyStorePassword).map(v 
-> useDefaultSslContext ? keyStorePassword : 
v).filter(Objects::nonNull).findFirst().orElse(null));
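Review bot: in the `+` line the ENC(...) handling is applied to the merged stream result, so `processSslPasswordProperty(...)` also runs on the `keyStorePassword` fallback, and, whenever `useDefaultSslContext` is true, on that value exclusively, because the `.map(v -> useDefaultSslContext ? keyStorePassword : v)` step returns `keyStorePassword` for every element; that configured value was already resolved through ConfigurationHelper#getPasswordProperty(...) and would be decoded a second time. Apply the decryption to the two `System.getProperty(...)` reads before they enter the stream, e.g. `Stream.of(processSslPasswordProperty(System.getProperty(ACTIVEMQ_KEYSTORE_PASSWORD_PROP_NAME)), processSslPasswordProperty(System.getProperty(JAVAX_KEYSTORE_PASSWORD_PROP_NAME)), keyStorePassword)`, so only raw system-property values are ever treated as possibly encrypted. The hunk as quoted is cut off after the keystore assignment although the header spans 15 lines; the trust-store counterpart needs the same ordering.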

Review Comment:
   The stream processing logic is identical to the previous code--I just 
wrapped the stream result in a method call to handle the possibility of an 
encrypted system property. However, the encrypted password logic should only be 
invoked when the value is not the keyStorePassword or trustStorePassword 
captured with ConfigurationHelper#getPasswordProperty(...) previously as that 
value has already been decrypted if necessary.
   
   I've tweaked the logic to call processSslPasswordProperty(...) only when the 
existing stream processing result is one of the system properties, not a query 
string value.
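The ordering the reviewer describes (decrypt a system property, never the already-decrypted configured value), as an added illustration that is not the project's code; the constant for the JSSE property and the `decodeIfEncrypted` stand-in for the broker's codec are assumptions made here to keep the flow observable.

```java
import java.util.Objects;
import java.util.stream.Stream;

// Illustration only: shows the precedence from the PR discussion with
// ENC(...) handling applied per source, before the values are merged.
public final class SslPasswordResolution {

   // Value taken from the issue title; the javax name is the standard JSSE
   // property and is assumed here to be what the constant refers to.
   static final String ACTIVEMQ_KEYSTORE_PASSWORD_PROP_NAME = "org.apache.activemq.ssl.keyStorePassword";
   static final String JAVAX_KEYSTORE_PASSWORD_PROP_NAME = "javax.net.ssl.keyStorePassword";

   // Stand-in for the real sensitive-string codec (hypothetical): an ENC(x)
   // value is unwrapped so the effect of decoding is visible in the result.
   static String decodeIfEncrypted(String value) {
      if (value != null && value.startsWith("ENC(") && value.endsWith(")")) {
         return value.substring(4, value.length() - 1);
      }
      return value;
   }

   // Same shape as the original stream: system properties take precedence over
   // the configured password unless useDefaultSslContext forces the configured
   // one. Decryption is applied only to the two system-property inputs, so the
   // configured value, which the caller already decrypted, is never decoded twice.
   static String resolveKeyStorePassword(String activemqProp, String javaxProp,
                                         String configuredPassword, boolean useDefaultSslContext) {
      return Stream.of(decodeIfEncrypted(activemqProp), decodeIfEncrypted(javaxProp), configuredPassword)
         .map(v -> useDefaultSslContext ? configuredPassword : v)
         .filter(Objects::nonNull)
         .findFirst()
         .orElse(null);
   }

   public static void main(String[] args) {
      // Constructed inputs: an ENC(...) system property, a plain configured
      // value, and a configured value that merely looks like ENC(...) and
      // must pass through untouched.
      System.out.println(resolveKeyStorePassword("ENC(s3cret)", null, "cfg", false));
      System.out.println(resolveKeyStorePassword(null, null, "ENC(literal)", false));
      System.out.println(resolveKeyStorePassword("ENC(s3cret)", null, "cfg", true));
   }
}
```

The third call shows why the per-source placement matters: with useDefaultSslContext set, the configured value wins and is returned as-is rather than being run through the decoder.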
Issue Time Tracking
-------------------

    Worklog Id:     (was: 787646)
    Time Spent: 1h 40m  (was: 1.5h)

> "org.apache.activemq.ssl.keyStorePassword" and 
> "org.apache.activemq.ssl.trustStorePassword" system properties should support 
> ENC(...) format
> --------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: ARTEMIS-3794
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3794
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>          Components: Configuration
>    Affects Versions: 2.19.1
>            Reporter: Apache Dev
>            Priority: Major
>          Time Spent: 1h 40m
>  Remaining Estimate: 0h
>
> In order to set client keyStore/trustStore passwords, overriding those 
> obtained by topology updates from brokers (see ARTEMIS-1157), we need to set 
> system properties.
> Such properties could be logged in traces or be present in dumps.
> It would be a more secure practice to handle ENC(...) format to mask them.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
