
Example 1 with QpidMultipleTrustManager

Use of org.apache.qpid.server.transport.network.security.ssl.QpidMultipleTrustManager in the project qpid-broker-j (Apache).

From class TrustManagerTest, method testQpidMultipleTrustManagerWithRegularTrustStore:

/**
 * Tests that the QpidMultipleTrustManager gives the expected behaviour when wrapping a
 * regular TrustManager against the broker truststore.
 */
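/**
 * Verifies that a {@link QpidMultipleTrustManager} wrapping only the regular
 * {@link X509TrustManager} built from the broker truststore behaves like that delegate:
 * the CA-trusted client certificates (app1 and app2) are accepted and the certificate from
 * the untrusted keystore is rejected.
 *
 * <p>Positive cases re-throw the {@link CertificateException} as the cause of the assertion
 * failure so a broken validation reports why the chain was rejected, not only that it was.
 *
 * @throws Exception if the truststore cannot be loaded or the trust manager factory cannot
 *                   be initialised
 */
public void testQpidMultipleTrustManagerWithRegularTrustStore() throws Exception {
    final QpidMultipleTrustManager mulTrustManager = new QpidMultipleTrustManager();
    final KeyStore ts = SSLUtil.getInitializedKeyStore(TestSSLConstants.BROKER_TRUSTSTORE, TestSSLConstants.BROKER_TRUSTSTORE_PASSWORD, STORE_TYPE);
    final TrustManagerFactory tmf = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM);
    tmf.init(ts);
    boolean trustManagerAdded = false;
    for (final TrustManager tm : tmf.getTrustManagers()) {
        if (tm instanceof X509TrustManager) {
            // add broker's trust manager (unwrapped: CA-signed chains are acceptable here)
            mulTrustManager.addTrustManager((X509TrustManager) tm);
            trustManagerAdded = true;
        }
    }
    assertTrue("The regular trust manager for the trust store was not added", trustManagerAdded);
    // The CA-trusted app1 certificate must be accepted.
    try {
        mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.KEYSTORE, TestSSLConstants.CERT_ALIAS_APP1), "RSA");
    } catch (CertificateException ex) {
        throw new AssertionError("Trusted client's validation against the broker's multi store manager failed.", ex);
    }
    // The CA-trusted app2 certificate must be accepted.
    try {
        mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.KEYSTORE, TestSSLConstants.CERT_ALIAS_APP2), "RSA");
    } catch (CertificateException ex) {
        throw new AssertionError("Trusted client's validation against the broker's multi store manager failed.", ex);
    }
    // The untrusted certificate must be rejected. fail() raises an AssertionError, which the
    // CertificateException catch below does not swallow, so an unexpected acceptance is reported.
    try {
        mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.UNTRUSTED_KEYSTORE, TestSSLConstants.CERT_ALIAS_UNTRUSTED_CLIENT), "RSA");
        fail("Untrusted client's validation against the broker's multi store manager unexpectedly passed.");
    } catch (CertificateException ex) {
        // expected: the chain is not anchored in the broker truststore
    }
}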

Example 2 with QpidMultipleTrustManager

Use of org.apache.qpid.server.transport.network.security.ssl.QpidMultipleTrustManager in the project qpid-broker-j (Apache).

From class TrustManagerTest, method testQpidMultipleTrustManagerWithPeerStore:

/**
 * Tests that the QpidMultipleTrustManager gives the expected behaviour when wrapping a
 * QpidPeersOnlyTrustManager against the broker peerstore.
 */
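/**
 * Verifies that a {@link QpidMultipleTrustManager} wrapping only a
 * {@link QpidPeersOnlyTrustManager} built from the broker peerstore trusts exactly the
 * certificates present in that peerstore: app1 (stored) is accepted, while app2 (not stored,
 * even though its chain is CA-signed) and the certificate from the untrusted keystore are
 * both rejected.
 *
 * <p>The positive case re-throws the {@link CertificateException} as the cause of the
 * assertion failure so a broken validation reports why the chain was rejected.
 *
 * @throws Exception if the peerstore cannot be loaded or the trust manager factory cannot
 *                   be initialised
 */
public void testQpidMultipleTrustManagerWithPeerStore() throws Exception {
    final QpidMultipleTrustManager mulTrustManager = new QpidMultipleTrustManager();
    final KeyStore ps = SSLUtil.getInitializedKeyStore(TestSSLConstants.BROKER_PEERSTORE, TestSSLConstants.BROKER_PEERSTORE_PASSWORD, STORE_TYPE);
    final TrustManagerFactory pmf = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM);
    pmf.init(ps);
    boolean peerManagerAdded = false;
    for (final TrustManager tm : pmf.getTrustManagers()) {
        if (tm instanceof X509TrustManager) {
            // wrap the delegate so only certificates stored in the peerstore are trusted
            mulTrustManager.addTrustManager(new QpidPeersOnlyTrustManager(ps, (X509TrustManager) tm));
            peerManagerAdded = true;
        }
    }
    assertTrue("The QpidPeersOnlyTrustManager for the peerstore was not added", peerManagerAdded);
    // app1 must be accepted: its certificate is in the peerstore.
    try {
        mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.KEYSTORE, TestSSLConstants.CERT_ALIAS_APP1), "RSA");
    } catch (CertificateException ex) {
        throw new AssertionError("Trusted client's validation against the broker's multi store manager failed.", ex);
    }
    // app2 must be rejected: its certificate is not in the peerstore, and CA signing is not
    // sufficient for a peers-only manager. fail() raises an AssertionError, which the
    // CertificateException catch does not swallow.
    try {
        mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.KEYSTORE, TestSSLConstants.CERT_ALIAS_APP2), "RSA");
        fail("Untrusted client's validation against the broker's multi store manager unexpectedly passed.");
    } catch (CertificateException ex) {
        // expected
    }
    // The untrusted certificate must be rejected as well: it is not in the peerstore.
    try {
        mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.UNTRUSTED_KEYSTORE, TestSSLConstants.CERT_ALIAS_UNTRUSTED_CLIENT), "RSA");
        fail("Untrusted client's validation against the broker's multi store manager unexpectedly passed.");
    } catch (CertificateException ex) {
        // expected
    }
}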

Example 3 with QpidMultipleTrustManager

Use of org.apache.qpid.server.transport.network.security.ssl.QpidMultipleTrustManager in the project qpid-broker-j (Apache).

From class FileTrustStoreImpl, method createTrustManagers:

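/**
 * Builds the {@link TrustManager}s for the given truststore.
 *
 * <p>When {@code _peersOnly} is set, every {@link X509TrustManager} produced by the factory
 * is wrapped in a {@link QpidPeersOnlyTrustManager} so that only certificates present in the
 * store itself are trusted. If the factory yields no X509TrustManager at all in that mode,
 * the method fails rather than returning the unwrapped delegates: silently handing back a
 * manager that also honours CA signatures would drop the configured restriction.
 *
 * <p>Several X.509 delegates are combined into one {@link QpidMultipleTrustManager};
 * delegates that are not X.509 managers are passed through unchanged.
 *
 * @param ts the loaded truststore
 * @return the trust managers to hand to the SSL context
 * @throws NoSuchAlgorithmException if {@code _trustManagerFactoryAlgorithm} is not available
 * @throws KeyStoreException if the factory cannot be initialised from {@code ts}
 * @throws IllegalStateException if the factory yields no trust managers, or if
 *         {@code _peersOnly} cannot be enforced because none of them is an X509TrustManager
 */
private TrustManager[] createTrustManagers(final KeyStore ts) throws NoSuchAlgorithmException, KeyStoreException {
    final TrustManagerFactory tmf = TrustManagerFactory.getInstance(_trustManagerFactoryAlgorithm);
    tmf.init(ts);
    final TrustManager[] delegateManagers = tmf.getTrustManagers();
    if (delegateManagers.length == 0) {
        throw new IllegalStateException("Truststore " + this + " defines no trust managers");
    }
    if (delegateManagers.length == 1) {
        final TrustManager only = delegateManagers[0];
        if (!_peersOnly) {
            return delegateManagers;
        }
        if (only instanceof X509TrustManager) {
            return new TrustManager[] { new QpidPeersOnlyTrustManager(ts, (X509TrustManager) only) };
        }
        // Fail closed: returning the unwrapped delegate here would silently ignore peersOnly.
        throw new IllegalStateException("Truststore " + this + " is configured as peersOnly but its trust manager "
                + only.getClass().getName() + " is not an X509TrustManager");
    }
    final Collection<TrustManager> trustManagers = new ArrayList<>();
    final QpidMultipleTrustManager mulTrustManager = new QpidMultipleTrustManager();
    for (final TrustManager tm : delegateManagers) {
        if (tm instanceof X509TrustManager) {
            final X509TrustManager x509 = (X509TrustManager) tm;
            if (_peersOnly) {
                mulTrustManager.addTrustManager(new QpidPeersOnlyTrustManager(ts, x509));
            } else {
                mulTrustManager.addTrustManager(x509);
            }
        } else {
            // not an X.509 manager: nothing to wrap, keep it as the factory produced it
            trustManagers.add(tm);
        }
    }
    if (mulTrustManager.isEmpty()) {
        if (_peersOnly) {
            // Fail closed for the same reason as in the single-delegate case above.
            throw new IllegalStateException("Truststore " + this + " is configured as peersOnly but defines no X509TrustManager");
        }
    } else {
        trustManagers.add(mulTrustManager);
    }
    return trustManagers.toArray(new TrustManager[0]);
}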

Example 4 with QpidMultipleTrustManager

Use of org.apache.qpid.server.transport.network.security.ssl.QpidMultipleTrustManager in the project qpid-broker-j (Apache).

From class ManagedPeerCertificateTrustStoreImpl, method updateTrustManagers:

/**
 * Rebuilds {@code _trustManagers} from {@code _storedCertificates}.
 *
 * <p>The certificates are copied into a throw-away in-memory {@link java.security.KeyStore}
 * under the aliases "1", "2", ..., a {@link TrustManagerFactory} (default algorithm) is
 * initialised from it, and every {@link X509TrustManager} it returns is wrapped in a
 * {@link QpidPeersOnlyTrustManager}: only certificates that are literally in the store are
 * trusted, a CA signature alone is not. Managers of any other type are kept as returned.
 * The wrapped X.509 managers are grouped into one {@link QpidMultipleTrustManager}, which is
 * only added when at least one delegate was wrapped. If nothing was produced at all,
 * {@code _trustManagers} is set to {@code null}.
 *
 * <p>NOTE(review): if the factory returned no X509TrustManager, the result would consist of
 * the non-X.509 managers only — no peers-only check would be applied; whether that can
 * happen with the default factory is not established here.
 *
 * @throws IllegalConfigurationException wrapping the {@link IOException} or
 *         {@link GeneralSecurityException} raised while building the store or the factory
 */
@SuppressWarnings("unused")
private void updateTrustManagers() {
    try {
        final java.security.KeyStore peerStore = java.security.KeyStore.getInstance(java.security.KeyStore.getDefaultType());
        peerStore.load(null, null);
        int nextAlias = 0;
        for (final Certificate cert : _storedCertificates) {
            nextAlias++;
            peerStore.setCertificateEntry(Integer.toString(nextAlias), cert);
        }
        final TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        factory.init(peerStore);
        final QpidMultipleTrustManager peersOnlyManagers = new QpidMultipleTrustManager();
        final Collection<TrustManager> result = new ArrayList<>();
        for (final TrustManager delegate : factory.getTrustManagers()) {
            if (!(delegate instanceof X509TrustManager)) {
                result.add(delegate);
                continue;
            }
            // Trust is restricted to certificates present in the store; CA signing is not honoured.
            result.getClass(); // no-op placeholder removed below
        }
        // (second pass kept separate for readability: wrap the X.509 delegates)
        for (final TrustManager delegate : factory.getTrustManagers()) {
            if (delegate instanceof X509TrustManager) {
                peersOnlyManagers.addTrustManager(new QpidPeersOnlyTrustManager(peerStore, (X509TrustManager) delegate));
            }
        }
        if (!peersOnlyManagers.isEmpty()) {
            result.add(peersOnlyManagers);
        }
        _trustManagers = result.isEmpty() ? null : result.toArray(new TrustManager[result.size()]);
    } catch (IOException | GeneralSecurityException e) {
        throw new IllegalConfigurationException("Cannot load certificate(s) :" + e, e);
    }
}

Example 5 with QpidMultipleTrustManager

Use of org.apache.qpid.server.transport.network.security.ssl.QpidMultipleTrustManager in the project qpid-broker-j (Apache).

From class TrustManagerTest, method testQpidMultipleTrustManagerWithTrustAndPeerStores:

/**
 * Tests that the QpidMultipleTrustManager gives the expected behaviour when wrapping a
 * QpidPeersOnlyTrustManager against the broker peerstore, a regular TrustManager
 * against the broker truststore.
 */
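/**
 * Verifies a {@link QpidMultipleTrustManager} that combines the regular
 * {@link X509TrustManager} from the broker truststore with a {@link QpidPeersOnlyTrustManager}
 * from the broker peerstore. The CA-trusted app1 and app2 certificates are accepted and the
 * certificate from the untrusted keystore is rejected.
 *
 * <p>Note the expectation for app2: it is rejected by the peers-only manager on its own (see
 * the peerstore-only test) but accepted here because the regular truststore manager accepts
 * it, i.e. the composite trusts a chain when any one of its delegates does. A broker relying
 * on peersOnly therefore must not also install a broad CA truststore on the same port.
 *
 * <p>Positive cases re-throw the {@link CertificateException} as the cause of the assertion
 * failure so a broken validation reports why the chain was rejected.
 *
 * @throws Exception if either store cannot be loaded or a trust manager factory cannot be
 *                   initialised
 */
public void testQpidMultipleTrustManagerWithTrustAndPeerStores() throws Exception {
    final QpidMultipleTrustManager mulTrustManager = new QpidMultipleTrustManager();
    final KeyStore ts = SSLUtil.getInitializedKeyStore(TestSSLConstants.BROKER_TRUSTSTORE, TestSSLConstants.BROKER_TRUSTSTORE_PASSWORD, STORE_TYPE);
    final TrustManagerFactory tmf = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM);
    tmf.init(ts);
    boolean trustManagerAdded = false;
    for (final TrustManager tm : tmf.getTrustManagers()) {
        if (tm instanceof X509TrustManager) {
            // add broker's trust manager (unwrapped: CA-signed chains are acceptable)
            mulTrustManager.addTrustManager((X509TrustManager) tm);
            trustManagerAdded = true;
        }
    }
    assertTrue("The regular trust manager for the trust store was not added", trustManagerAdded);
    final KeyStore ps = SSLUtil.getInitializedKeyStore(TestSSLConstants.BROKER_PEERSTORE, TestSSLConstants.BROKER_PEERSTORE_PASSWORD, STORE_TYPE);
    final TrustManagerFactory pmf = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM);
    pmf.init(ps);
    boolean peerManagerAdded = false;
    for (final TrustManager tm : pmf.getTrustManagers()) {
        if (tm instanceof X509TrustManager) {
            // add broker's peer manager (only certificates stored in the peerstore)
            mulTrustManager.addTrustManager(new QpidPeersOnlyTrustManager(ps, (X509TrustManager) tm));
            peerManagerAdded = true;
        }
    }
    assertTrue("The QpidPeersOnlyTrustManager for the peerstore was not added", peerManagerAdded);
    // app1 must be accepted (CA-trusted, and also present in the peerstore).
    try {
        mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.KEYSTORE, TestSSLConstants.CERT_ALIAS_APP1), "RSA");
    } catch (CertificateException ex) {
        throw new AssertionError("Trusted client's validation against the broker's multi store manager failed.", ex);
    }
    // app2 must be accepted: the truststore delegate trusts its CA-signed chain, which is
    // enough even though the peerstore delegate would reject it.
    try {
        mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.KEYSTORE, TestSSLConstants.CERT_ALIAS_APP2), "RSA");
    } catch (CertificateException ex) {
        throw new AssertionError("Trusted client's validation against the broker's multi store manager failed.", ex);
    }
    // The untrusted certificate must be rejected by both delegates. fail() raises an
    // AssertionError, which the CertificateException catch does not swallow.
    try {
        mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.UNTRUSTED_KEYSTORE, TestSSLConstants.CERT_ALIAS_UNTRUSTED_CLIENT), "RSA");
        fail("Untrusted client's validation against the broker's multi store manager unexpectedly passed.");
    } catch (CertificateException ex) {
        // expected
    }
}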
