[jira] [Work logged] (ARTEMIS-4528) TLS support PEM format for key and trust store type

ASF GitHub Bot (Jira) Fri, 08 Dec 2023 02:10:04 -0800


     [ 
https://issues.apache.org/jira/browse/ARTEMIS-4528?focusedWorklogId=894657&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-894657
 ]


ASF GitHub Bot logged work on ARTEMIS-4528:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 08/Dec/23 10:09
            Start Date: 08/Dec/23 10:09
    Worklog Time Spent: 10m 
      Work Description: gemmellr commented on code in PR #4706:
URL: https://github.com/apache/activemq-artemis/pull/4706#discussion_r1419413344


##########
artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/ssl/SSLSupport.java:
##########
@@ -351,6 +353,14 @@ private static KeyStore loadKeystore(final String 
keystoreProvider,
       return ks;
    }
 
+   private static void checkPemProviderLoaded(String keystoreType) {
+      if (keystoreType != null && keystoreType.startsWith("PEM")) {
+         if (Security.getProvider("PEM") == null) {
+            Security.insertProviderAt(new PemKeyStoreProvider(), 
Integer.parseInt(System.getProperty("artemis.pemProvider.insertAt", "0"), 10));
+         }
+      }
+   }

Review Comment:
   Do we need to pass the radix literal when parsing the sys prop value? 10 is 
the default. Might be more readable with that parsing on its own line too.
   
   (I assume you added the insertProviderAt usage vs prior addProvider usage, 
in case it was necessary to insertAt earlier than the end for some reason?)



##########
artemis-core-client-osgi/pom.xml:
##########
@@ -74,6 +74,7 @@
                   
<Embed-Dependency>*;scope=compile|runtime;groupId=org.apache.activemq</Embed-Dependency>
                   <Import-Package>
                      org.glassfish.json*;resolution:=optional,
+                     de.dentrassi.crypto.pem;resolution:=optional,

Review Comment:
   This seems a little odd - its not an optional dep on the client or broker, 
but it is an optional dep for both their osgi bits?



##########
tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/SslPEMTest.java:
##########
@@ -0,0 +1,150 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.artemis.tests.integration.ssl;
+
+import java.lang.management.ManagementFactory;
+import java.net.URL;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.activemq.artemis.api.core.ActiveMQNotConnectedException;
+import org.apache.activemq.artemis.api.core.Message;
+import org.apache.activemq.artemis.api.core.QueueConfiguration;
+import org.apache.activemq.artemis.api.core.SimpleString;
+import org.apache.activemq.artemis.api.core.TransportConfiguration;
+import org.apache.activemq.artemis.api.core.client.ActiveMQClient;
+import org.apache.activemq.artemis.api.core.client.ClientConsumer;
+import org.apache.activemq.artemis.api.core.client.ClientMessage;
+import org.apache.activemq.artemis.api.core.client.ClientProducer;
+import org.apache.activemq.artemis.api.core.client.ClientSession;
+import org.apache.activemq.artemis.api.core.client.ClientSessionFactory;
+import org.apache.activemq.artemis.api.core.client.ServerLocator;
+import org.apache.activemq.artemis.core.config.impl.ConfigurationImpl;
+import org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants;
+import org.apache.activemq.artemis.core.security.Role;
+import org.apache.activemq.artemis.core.server.ActiveMQServer;
+import org.apache.activemq.artemis.core.server.ActiveMQServers;
+import org.apache.activemq.artemis.core.settings.HierarchicalRepository;
+import 
org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager;
+import org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager;
+import org.apache.activemq.artemis.tests.integration.security.SecurityTest;
+import org.apache.activemq.artemis.tests.util.ActiveMQTestBase;
+import org.apache.activemq.artemis.utils.RandomUtil;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+
+/**
+ * See the tests/security-resources/build.sh script for details on the 
security resources used.
+ */
+public class SslPEMTest extends ActiveMQTestBase {
+
+   static {
+      String path = System.getProperty("java.security.auth.login.config");
+      if (path == null) {
+         URL resource = 
SecurityTest.class.getClassLoader().getResource("login.config");
+         if (resource != null) {
+            path = resource.getFile();
+            System.setProperty("java.security.auth.login.config", path);
+         }
+      }
+   }
+
+   private TransportConfiguration tc;
+   private SimpleString QUEUE;
+
+   @Test
+   public void testPemKeyAndTrustStore() throws Exception {
+
+      tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
+      tc.getParams().put(TransportConstants.KEYSTORE_TYPE_PROP_NAME, "PEM");
+      tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, 
"client-key-cert.pem");
+      tc.getParams().put(TransportConstants.PORT_PROP_NAME, "61617");
+
+      ServerLocator producerLocator;
+      ClientSessionFactory producerSessionFactory;
+      ClientSession producerSession;
+
+      // first without trust store
+      try {
+         producerLocator = 
addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
+         producerSessionFactory = createSessionFactory(producerLocator);
+         producerSessionFactory.createSession(false, true, true);
+      } catch (ActiveMQNotConnectedException expected) {
+      }

Review Comment:
   Better than nothing but not really what I was suggesting. This is more a 
'not even configured in a way that typically ever functions, regardless what 
the new provider does, since the provider isnt even being used' test. Was more 
thinking use the stores with untrusted certs, non-matching server cert name, 
etc. At least its no longer creating all those files and not using any of them. 
I give up.



##########
tests/integration-tests/pom.xml:
##########
@@ -440,6 +440,7 @@
          <artifactId>mockito-core</artifactId>
          <scope>test</scope>
       </dependency>
+

Review Comment:
   Change probably not needed :)



##########
tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/SslPEMTest.java:
##########
@@ -0,0 +1,134 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.artemis.tests.integration.ssl;
+
+import java.lang.management.ManagementFactory;
+import java.net.URL;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.activemq.artemis.api.core.Message;
+import org.apache.activemq.artemis.api.core.QueueConfiguration;
+import org.apache.activemq.artemis.api.core.SimpleString;
+import org.apache.activemq.artemis.api.core.TransportConfiguration;
+import org.apache.activemq.artemis.api.core.client.ActiveMQClient;
+import org.apache.activemq.artemis.api.core.client.ClientConsumer;
+import org.apache.activemq.artemis.api.core.client.ClientMessage;
+import org.apache.activemq.artemis.api.core.client.ClientProducer;
+import org.apache.activemq.artemis.api.core.client.ClientSession;
+import org.apache.activemq.artemis.api.core.client.ClientSessionFactory;
+import org.apache.activemq.artemis.api.core.client.ServerLocator;
+import org.apache.activemq.artemis.core.config.impl.ConfigurationImpl;
+import org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants;
+import org.apache.activemq.artemis.core.security.Role;
+import org.apache.activemq.artemis.core.server.ActiveMQServer;
+import org.apache.activemq.artemis.core.server.ActiveMQServers;
+import org.apache.activemq.artemis.core.settings.HierarchicalRepository;
+import 
org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager;
+import org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager;
+import org.apache.activemq.artemis.tests.integration.security.SecurityTest;
+import org.apache.activemq.artemis.tests.util.ActiveMQTestBase;
+import org.apache.activemq.artemis.utils.RandomUtil;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+
+/**
+ * See the tests/security-resources/build.sh script for details on the 
security resources used.
+ */
+public class SslPEMTest extends ActiveMQTestBase {

Review Comment:
   Seeing things in the past and not testing them doenst tend to stop stuff 
breaking in the future. More tends to be why it isn't noticed.





Issue Time Tracking
-------------------

    Worklog Id:     (was: 894657)
    Time Spent: 2h 20m  (was: 2h 10m)

> TLS support PEM format for key and trust store type
> ---------------------------------------------------
>
>                 Key: ARTEMIS-4528
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-4528
>             Project: ActiveMQ Artemis
>          Issue Type: Improvement
>          Components: Configuration
>    Affects Versions: 2.31.0
>            Reporter: Gary Tully
>            Assignee: Gary Tully
>            Priority: Major
>             Fix For: 2.32.0
>
>          Time Spent: 2h 20m
>  Remaining Estimate: 0h
>
> managing key and trust store passwords when the credentials are securely 
> stored or managed by other means is a nuisance.
> there is a nice PEM keystore provider at: 
> [https://github.com/ctron/pem-keystore]
> This gives us an intuitive way to easily reference a simple cert or key 
> without a password as is the case with jsk or pkcs12
> <acceptor 
> name="netty-ssl-acceptor">tcp://localhost:5500?sslEnabled=true;keyStorePath=server-keystore.pem;keyStoreType=PEM</acceptor>
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Work logged] (ARTEMIS-4528) TLS support PEM format for key and trust store type

Reply via email to