[
https://issues.apache.org/jira/browse/ARTEMIS-4528?focusedWorklogId=894663&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-894663
]
ASF GitHub Bot logged work on ARTEMIS-4528:
-------------------------------------------
Author: ASF GitHub Bot
Created on: 08/Dec/23 10:33
Start Date: 08/Dec/23 10:33
Worklog Time Spent: 10m
Work Description: gtully commented on code in PR #4706:
URL: https://github.com/apache/activemq-artemis/pull/4706#discussion_r1420250254
##########
tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/SslPEMTest.java:
##########
@@ -0,0 +1,150 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.artemis.tests.integration.ssl;
+
+import java.lang.management.ManagementFactory;
+import java.net.URL;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.activemq.artemis.api.core.ActiveMQNotConnectedException;
+import org.apache.activemq.artemis.api.core.Message;
+import org.apache.activemq.artemis.api.core.QueueConfiguration;
+import org.apache.activemq.artemis.api.core.SimpleString;
+import org.apache.activemq.artemis.api.core.TransportConfiguration;
+import org.apache.activemq.artemis.api.core.client.ActiveMQClient;
+import org.apache.activemq.artemis.api.core.client.ClientConsumer;
+import org.apache.activemq.artemis.api.core.client.ClientMessage;
+import org.apache.activemq.artemis.api.core.client.ClientProducer;
+import org.apache.activemq.artemis.api.core.client.ClientSession;
+import org.apache.activemq.artemis.api.core.client.ClientSessionFactory;
+import org.apache.activemq.artemis.api.core.client.ServerLocator;
+import org.apache.activemq.artemis.core.config.impl.ConfigurationImpl;
+import org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants;
+import org.apache.activemq.artemis.core.security.Role;
+import org.apache.activemq.artemis.core.server.ActiveMQServer;
+import org.apache.activemq.artemis.core.server.ActiveMQServers;
+import org.apache.activemq.artemis.core.settings.HierarchicalRepository;
+import
org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager;
+import org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager;
+import org.apache.activemq.artemis.tests.integration.security.SecurityTest;
+import org.apache.activemq.artemis.tests.util.ActiveMQTestBase;
+import org.apache.activemq.artemis.utils.RandomUtil;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+
+/**
+ * See the tests/security-resources/build.sh script for details on the
security resources used.
+ */
+public class SslPEMTest extends ActiveMQTestBase {
+
+ static {
+ String path = System.getProperty("java.security.auth.login.config");
+ if (path == null) {
+ URL resource =
SecurityTest.class.getClassLoader().getResource("login.config");
+ if (resource != null) {
+ path = resource.getFile();
+ System.setProperty("java.security.auth.login.config", path);
+ }
+ }
+ }
+
+ private TransportConfiguration tc;
+ private SimpleString QUEUE;
+
+ @Test
+ public void testPemKeyAndTrustStore() throws Exception {
+
+ tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
+ tc.getParams().put(TransportConstants.KEYSTORE_TYPE_PROP_NAME, "PEM");
+ tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME,
"client-key-cert.pem");
+ tc.getParams().put(TransportConstants.PORT_PROP_NAME, "61617");
+
+ ServerLocator producerLocator;
+ ClientSessionFactory producerSessionFactory;
+ ClientSession producerSession;
+
+ // first without trust store
+ try {
+ producerLocator =
addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
+ producerSessionFactory = createSessionFactory(producerLocator);
+ producerSessionFactory.createSession(false, true, true);
+ } catch (ActiveMQNotConnectedException expected) {
+ }
Review Comment:
there are two ends at play, the PEM on the server and on the client, leaving
out one side verifies that the other side is doing the right thing. It is not
exhaustive i agree, but this is a format/store wrapper issue. the contents are
still being verified by TLS. The keys are all the same keys we validate/verify
in the other tests.
we can agree to differ, but don't give up!
Issue Time Tracking
-------------------
Worklog Id: (was: 894663)
Time Spent: 2h 50m (was: 2h 40m)
> TLS support PEM format for key and trust store type
> ---------------------------------------------------
>
> Key: ARTEMIS-4528
> URL: https://issues.apache.org/jira/browse/ARTEMIS-4528
> Project: ActiveMQ Artemis
> Issue Type: Improvement
> Components: Configuration
> Affects Versions: 2.31.0
> Reporter: Gary Tully
> Assignee: Gary Tully
> Priority: Major
> Fix For: 2.32.0
>
> Time Spent: 2h 50m
> Remaining Estimate: 0h
>
> managing key and trust store passwords when the credentials are securely
> stored or managed by other means is a nuisance.
> there is a nice PEM keystore provider at:
> [https://github.com/ctron/pem-keystore]
> This gives us an intuitive way to easily reference a simple cert or key
> without a password as is the case with jsk or pkcs12
> <acceptor
> name="netty-ssl-acceptor">tcp://localhost:5500?sslEnabled=true;keyStorePath=server-keystore.pem;keyStoreType=PEM</acceptor>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
