Use of org.apache.qpid.server.transport.network.security.ssl.QpidMultipleTrustManager in project qpid-broker-j by apache:
the class TrustManagerTest, method testQpidMultipleTrustManagerWithRegularTrustStore.
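/**
 * Tests that the QpidMultipleTrustManager gives the expected behaviour when wrapping a
 * regular TrustManager against the broker truststore: the two CA-signed client chains
 * (app1, app2) are accepted and the chain from the untrusted keystore is rejected.
 *
 * @throws Exception if the truststore or a client chain cannot be loaded
 */
public void testQpidMultipleTrustManagerWithRegularTrustStore() throws Exception {
    final QpidMultipleTrustManager mulTrustManager = new QpidMultipleTrustManager();
    final KeyStore ts = SSLUtil.getInitializedKeyStore(TestSSLConstants.BROKER_TRUSTSTORE,
            TestSSLConstants.BROKER_TRUSTSTORE_PASSWORD, STORE_TYPE);
    final TrustManagerFactory tmf = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM);
    tmf.init(ts);
    final TrustManager[] delegateTrustManagers = tmf.getTrustManagers();
    boolean trustManagerAdded = false;
    for (final TrustManager tm : delegateTrustManagers) {
        if (tm instanceof X509TrustManager) {
            // add broker's trust manager; delegates that are not X509 are not wrapped
            mulTrustManager.addTrustManager((X509TrustManager) tm);
            trustManagerAdded = true;
        }
    }
    assertTrue("The regular trust manager for the trust store was not added", trustManagerAdded);

    try {
        // verify the CA-trusted app1 cert (should succeed)
        mulTrustManager.checkClientTrusted(
                this.getClientChain(TestSSLConstants.KEYSTORE, TestSSLConstants.CERT_ALIAS_APP1), "RSA");
    } catch (CertificateException ex) {
        // name the alias and keep the rejection reason so a failure is diagnosable from the report
        fail("Trusted client '" + TestSSLConstants.CERT_ALIAS_APP1
                + "' validation against the broker's multi store manager failed: " + ex);
    }
    try {
        // verify the CA-trusted app2 cert (should succeed)
        mulTrustManager.checkClientTrusted(
                this.getClientChain(TestSSLConstants.KEYSTORE, TestSSLConstants.CERT_ALIAS_APP2), "RSA");
    } catch (CertificateException ex) {
        fail("Trusted client '" + TestSSLConstants.CERT_ALIAS_APP2
                + "' validation against the broker's multi store manager failed: " + ex);
    }
    try {
        // verify the untrusted cert (should fail)
        mulTrustManager.checkClientTrusted(
                this.getClientChain(TestSSLConstants.UNTRUSTED_KEYSTORE, TestSSLConstants.CERT_ALIAS_UNTRUSTED_CLIENT), "RSA");
        fail("Untrusted client '" + TestSSLConstants.CERT_ALIAS_UNTRUSTED_CLIENT
                + "' validation against the broker's multi store manager unexpectedly passed.");
    } catch (CertificateException ex) {
        // expected: no delegate trusts this chain
    }
}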
Use of org.apache.qpid.server.transport.network.security.ssl.QpidMultipleTrustManager in project qpid-broker-j by apache:
the class TrustManagerTest, method testQpidMultipleTrustManagerWithPeerStore.
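/**
 * Tests that the QpidMultipleTrustManager gives the expected behaviour when wrapping a
 * QpidPeersOnlyTrustManager against the broker peerstore: only app1, whose certificate is
 * in the peerstore, is accepted; app2 (CA-signed but not in the peerstore) and the chain
 * from the untrusted keystore are rejected.
 *
 * @throws Exception if the peerstore or a client chain cannot be loaded
 */
public void testQpidMultipleTrustManagerWithPeerStore() throws Exception {
    final QpidMultipleTrustManager mulTrustManager = new QpidMultipleTrustManager();
    final KeyStore ps = SSLUtil.getInitializedKeyStore(TestSSLConstants.BROKER_PEERSTORE,
            TestSSLConstants.BROKER_PEERSTORE_PASSWORD, STORE_TYPE);
    final TrustManagerFactory pmf = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM);
    pmf.init(ps);
    final TrustManager[] delegatePeerManagers = pmf.getTrustManagers();
    boolean peerManagerAdded = false;
    for (final TrustManager tm : delegatePeerManagers) {
        if (tm instanceof X509TrustManager) {
            // add broker's peer manager, restricted to certificates present in the peerstore
            mulTrustManager.addTrustManager(new QpidPeersOnlyTrustManager(ps, (X509TrustManager) tm));
            peerManagerAdded = true;
        }
    }
    assertTrue("The QpidPeersOnlyTrustManager for the peerstore was not added", peerManagerAdded);

    try {
        // verify the trusted app1 cert (should succeed as the key is in the peerstore)
        mulTrustManager.checkClientTrusted(
                this.getClientChain(TestSSLConstants.KEYSTORE, TestSSLConstants.CERT_ALIAS_APP1), "RSA");
    } catch (CertificateException ex) {
        // name the alias and keep the rejection reason so a failure is diagnosable from the report
        fail("Trusted client '" + TestSSLConstants.CERT_ALIAS_APP1
                + "' validation against the broker's multi store manager failed: " + ex);
    }
    try {
        // verify the untrusted app2 cert (should fail as the key is not in the peerstore)
        mulTrustManager.checkClientTrusted(
                this.getClientChain(TestSSLConstants.KEYSTORE, TestSSLConstants.CERT_ALIAS_APP2), "RSA");
        fail("Untrusted client '" + TestSSLConstants.CERT_ALIAS_APP2
                + "' validation against the broker's multi store manager unexpectedly passed.");
    } catch (CertificateException ex) {
        // expected: a CA signature alone is not sufficient for a peers-only manager
    }
    try {
        // verify the untrusted cert (should fail as the key is not in the peerstore)
        mulTrustManager.checkClientTrusted(
                this.getClientChain(TestSSLConstants.UNTRUSTED_KEYSTORE, TestSSLConstants.CERT_ALIAS_UNTRUSTED_CLIENT), "RSA");
        fail("Untrusted client '" + TestSSLConstants.CERT_ALIAS_UNTRUSTED_CLIENT
                + "' validation against the broker's multi store manager unexpectedly passed.");
    } catch (CertificateException ex) {
        // expected
    }
}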
Use of org.apache.qpid.server.transport.network.security.ssl.QpidMultipleTrustManager in project qpid-broker-j by apache:
the class FileTrustStoreImpl, method createTrustManagers.
/**
 * Derives the trust managers for the given truststore. A single X509 delegate is wrapped in a
 * {@link QpidPeersOnlyTrustManager} when {@code _peersOnly} is set; when the factory yields
 * several delegates, the X509 ones (peers-only wrapped if configured) are combined into one
 * {@link QpidMultipleTrustManager} and any non-X509 delegate is passed through unchanged.
 *
 * @param ts the initialised truststore to build trust managers from
 * @return the trust managers to install; never empty
 * @throws NoSuchAlgorithmException if {@code _trustManagerFactoryAlgorithm} is not available
 * @throws KeyStoreException if the factory cannot be initialised from {@code ts}
 * @throws IllegalStateException if the factory yields no trust managers at all
 */
private TrustManager[] createTrustManagers(final KeyStore ts) throws NoSuchAlgorithmException, KeyStoreException {
    final TrustManagerFactory factory = TrustManagerFactory.getInstance(_trustManagerFactoryAlgorithm);
    factory.init(ts);
    final TrustManager[] delegates = factory.getTrustManagers();

    if (delegates.length == 0) {
        throw new IllegalStateException("Truststore " + this + " defines no trust managers");
    }

    if (delegates.length == 1) {
        final TrustManager only = delegates[0];
        if (_peersOnly && only instanceof X509TrustManager) {
            return new TrustManager[] { new QpidPeersOnlyTrustManager(ts, (X509TrustManager) only) };
        }
        // NOTE(review): a single non-X509 delegate is returned as-is even when peers-only is
        // configured, so the peers-only restriction does not apply to it — confirm intended
        return delegates;
    }

    final QpidMultipleTrustManager combined = new QpidMultipleTrustManager();
    final Collection<TrustManager> result = new ArrayList<>();
    for (final TrustManager delegate : delegates) {
        if (!(delegate instanceof X509TrustManager)) {
            // non-X509 delegates cannot be combined; pass them through unchanged
            result.add(delegate);
            continue;
        }
        final X509TrustManager x509 = (X509TrustManager) delegate;
        final X509TrustManager toAdd;
        if (_peersOnly) {
            toAdd = new QpidPeersOnlyTrustManager(ts, x509);
        } else {
            toAdd = x509;
        }
        combined.addTrustManager(toAdd);
    }
    if (!combined.isEmpty()) {
        result.add(combined);
    }
    return result.toArray(new TrustManager[0]);
}
Use of org.apache.qpid.server.transport.network.security.ssl.QpidMultipleTrustManager in project qpid-broker-j by apache:
the class ManagedPeerCertificateTrustStoreImpl, method updateTrustManagers.
/**
 * Rebuilds {@code _trustManagers} from {@code _storedCertificates}. Every stored certificate is
 * placed in a fresh in-memory keystore under a positional alias, and each X509 trust manager
 * derived from that keystore is wrapped in a {@link QpidPeersOnlyTrustManager}, so only
 * certificates that are directly in the store are trusted (CA signing is not considered).
 * Non-X509 delegates are passed through unchanged. {@code _trustManagers} is set to
 * {@code null} when nothing was produced.
 *
 * @throws IllegalConfigurationException if the in-memory keystore cannot be created or populated
 */
@SuppressWarnings("unused")
private void updateTrustManagers() {
    try {
        // NOTE(review): fully-qualified name kept as in the original; presumably KeyStore is
        // shadowed by another import in this file — confirm before simplifying
        final java.security.KeyStore store =
                java.security.KeyStore.getInstance(java.security.KeyStore.getDefaultType());
        store.load(null, null);
        int alias = 0;
        for (final Certificate certificate : _storedCertificates) {
            // aliases are 1-based positions; they only need to be unique within the store
            alias++;
            store.setCertificateEntry(Integer.toString(alias), certificate);
        }

        final TrustManagerFactory factory =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        factory.init(store);

        final QpidMultipleTrustManager combined = new QpidMultipleTrustManager();
        final Collection<TrustManager> result = new ArrayList<>();
        for (final TrustManager delegate : factory.getTrustManagers()) {
            if (delegate instanceof X509TrustManager) {
                // trust only peers whose certificate is directly in the store;
                // a CA signature alone is not accepted
                combined.addTrustManager(new QpidPeersOnlyTrustManager(store, (X509TrustManager) delegate));
            } else {
                result.add(delegate);
            }
        }
        if (!combined.isEmpty()) {
            result.add(combined);
        }
        _trustManagers = result.isEmpty() ? null : result.toArray(new TrustManager[0]);
    } catch (IOException | GeneralSecurityException e) {
        throw new IllegalConfigurationException("Cannot load certificate(s) :" + e, e);
    }
}
Use of org.apache.qpid.server.transport.network.security.ssl.QpidMultipleTrustManager in project qpid-broker-j by apache:
the class TrustManagerTest, method testQpidMultipleTrustManagerWithTrustAndPeerStores.
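/**
 * Tests that the QpidMultipleTrustManager gives the expected behaviour when wrapping a
 * QpidPeersOnlyTrustManager against the broker peerstore and a regular TrustManager
 * against the broker truststore together. A chain is accepted when at least one delegate
 * trusts it: app2 is rejected by the peerstore alone (see
 * testQpidMultipleTrustManagerWithPeerStore) but accepted here through the truststore;
 * the chain from the untrusted keystore is rejected by both.
 *
 * @throws Exception if a store or a client chain cannot be loaded
 */
public void testQpidMultipleTrustManagerWithTrustAndPeerStores() throws Exception {
    final QpidMultipleTrustManager mulTrustManager = new QpidMultipleTrustManager();

    final KeyStore ts = SSLUtil.getInitializedKeyStore(TestSSLConstants.BROKER_TRUSTSTORE,
            TestSSLConstants.BROKER_TRUSTSTORE_PASSWORD, STORE_TYPE);
    final TrustManagerFactory tmf = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM);
    tmf.init(ts);
    final TrustManager[] delegateTrustManagers = tmf.getTrustManagers();
    boolean trustManagerAdded = false;
    for (final TrustManager tm : delegateTrustManagers) {
        if (tm instanceof X509TrustManager) {
            // add broker's trust manager (CA-based trust)
            mulTrustManager.addTrustManager((X509TrustManager) tm);
            trustManagerAdded = true;
        }
    }
    assertTrue("The regular trust manager for the trust store was not added", trustManagerAdded);

    final KeyStore ps = SSLUtil.getInitializedKeyStore(TestSSLConstants.BROKER_PEERSTORE,
            TestSSLConstants.BROKER_PEERSTORE_PASSWORD, STORE_TYPE);
    final TrustManagerFactory pmf = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM);
    pmf.init(ps);
    final TrustManager[] delegatePeerManagers = pmf.getTrustManagers();
    boolean peerManagerAdded = false;
    for (final TrustManager tm : delegatePeerManagers) {
        if (tm instanceof X509TrustManager) {
            // add broker's peer manager (exact-certificate trust only)
            mulTrustManager.addTrustManager(new QpidPeersOnlyTrustManager(ps, (X509TrustManager) tm));
            peerManagerAdded = true;
        }
    }
    assertTrue("The QpidPeersOnlyTrustManager for the peerstore was not added", peerManagerAdded);

    try {
        // verify the CA-trusted app1 cert (should succeed)
        mulTrustManager.checkClientTrusted(
                this.getClientChain(TestSSLConstants.KEYSTORE, TestSSLConstants.CERT_ALIAS_APP1), "RSA");
    } catch (CertificateException ex) {
        // name the alias and keep the rejection reason so a failure is diagnosable from the report
        fail("Trusted client '" + TestSSLConstants.CERT_ALIAS_APP1
                + "' validation against the broker's multi store manager failed: " + ex);
    }
    try {
        // verify the CA-trusted app2 cert (should succeed via the truststore delegate)
        mulTrustManager.checkClientTrusted(
                this.getClientChain(TestSSLConstants.KEYSTORE, TestSSLConstants.CERT_ALIAS_APP2), "RSA");
    } catch (CertificateException ex) {
        fail("Trusted client '" + TestSSLConstants.CERT_ALIAS_APP2
                + "' validation against the broker's multi store manager failed: " + ex);
    }
    try {
        // verify the untrusted cert (should fail)
        mulTrustManager.checkClientTrusted(
                this.getClientChain(TestSSLConstants.UNTRUSTED_KEYSTORE, TestSSLConstants.CERT_ALIAS_UNTRUSTED_CLIENT), "RSA");
        fail("Untrusted client '" + TestSSLConstants.CERT_ALIAS_UNTRUSTED_CLIENT
                + "' validation against the broker's multi store manager unexpectedly passed.");
    } catch (CertificateException ex) {
        // expected: neither delegate trusts this chain
    }
}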