Example 1 with QpidPeersOnlyTrustManager

Use of org.apache.qpid.server.transport.network.security.ssl.QpidPeersOnlyTrustManager in project qpid-broker-j by apache.

The class TrustManagerTest, method createPeerManager.

private X509TrustManager createPeerManager(final X509Certificate certificate) throws Exception {
    // the peer store holds the certificate itself; the delegate is the regular X509 trust manager built over it
    final KeyStore ps = createKeyStore(certificate);
    final X509TrustManager tm = createTrustManager(certificate);
    return new QpidPeersOnlyTrustManager(ps, tm);
}
Also used : X509TrustManager(javax.net.ssl.X509TrustManager) QpidPeersOnlyTrustManager(org.apache.qpid.server.transport.network.security.ssl.QpidPeersOnlyTrustManager) KeyStore(java.security.KeyStore)

Example 2 with QpidPeersOnlyTrustManager

Use of org.apache.qpid.server.transport.network.security.ssl.QpidPeersOnlyTrustManager in project qpid-broker-j by apache.

The class TrustManagerTest, method testQpidMultipleTrustManagerWithPeerStore.

/**
 * Tests that the QpidMultipleTrustManager gives the expected behaviour when wrapping a
 * QpidPeersOnlyTrustManager: only the peer certificate held directly in the store is accepted,
 * a certificate merely signed by the same CA is not.
 */
@Test
public void testQpidMultipleTrustManagerWithPeerStore() throws Exception {
    final QpidMultipleTrustManager mulTrustManager = new QpidMultipleTrustManager();
    final KeyStore ps = createKeyStore(_app1);
    final X509TrustManager tm = getX509TrustManager(ps);
    assertNotNull("The regular trust manager for the trust store was not found", tm);
    mulTrustManager.addTrustManager(new QpidPeersOnlyTrustManager(ps, tm));
    try {
        // verify the trusted app1 cert (should succeed as the key is in the peerstore)
        mulTrustManager.checkClientTrusted(new X509Certificate[] { _app1, _ca }, "RSA");
    } catch (CertificateException ex) {
        fail("Trusted client's validation against the broker's multi store manager failed.");
    }
    try {
        // verify the untrusted app2 cert (should fail as the key is not in the peerstore)
        mulTrustManager.checkClientTrusted(new X509Certificate[] { _app2, _ca }, "RSA");
        fail("Untrusted client's validation against the broker's multi store manager unexpectedly passed.");
    } catch (CertificateException ex) {
    // expected
    }
    try {
        // verify the untrusted cert (should fail as the key is not in the peerstore)
        mulTrustManager.checkClientTrusted(new X509Certificate[] { _untrusted }, "RSA");
        fail("Untrusted client's validation against the broker's multi store manager unexpectedly passed.");
    } catch (CertificateException ex) {
    // expected
    }
}
Also used : QpidMultipleTrustManager(org.apache.qpid.server.transport.network.security.ssl.QpidMultipleTrustManager) X509TrustManager(javax.net.ssl.X509TrustManager) CertificateException(java.security.cert.CertificateException) QpidPeersOnlyTrustManager(org.apache.qpid.server.transport.network.security.ssl.QpidPeersOnlyTrustManager) KeyStore(java.security.KeyStore) Test(org.junit.Test)

Example 3 with QpidPeersOnlyTrustManager

Use of org.apache.qpid.server.transport.network.security.ssl.QpidPeersOnlyTrustManager in project qpid-broker-j by apache.

The class FileTrustStoreImpl, method createTrustManagers.

private TrustManager[] createTrustManagers(final KeyStore ts) throws NoSuchAlgorithmException, KeyStoreException {
    final TrustManagerFactory tmf = TrustManagerFactory.getInstance(_trustManagerFactoryAlgorithm);
    tmf.init(ts);
    TrustManager[] delegateManagers = tmf.getTrustManagers();
    if (delegateManagers.length == 0) {
        throw new IllegalStateException("Truststore " + this + " defines no trust managers");
    } else if (delegateManagers.length == 1) {
        // With peersOnly the X509 delegate is wrapped so that only certificates present directly
        // in the store are accepted; a CA in the store no longer vouches for certificates it signed.
        // Note that a single delegate that is not an X509TrustManager is returned unwrapped even
        // when _peersOnly is set.
        if (_peersOnly && delegateManagers[0] instanceof X509TrustManager) {
            return new TrustManager[] { new QpidPeersOnlyTrustManager(ts, ((X509TrustManager) delegateManagers[0])) };
        } else {
            return delegateManagers;
        }
    } else {
        final Collection<TrustManager> trustManagersCol = new ArrayList<>();
        final QpidMultipleTrustManager mulTrustManager = new QpidMultipleTrustManager();
        for (TrustManager tm : delegateManagers) {
            if (tm instanceof X509TrustManager) {
                if (_peersOnly) {
                    mulTrustManager.addTrustManager(new QpidPeersOnlyTrustManager(ts, (X509TrustManager) tm));
                } else {
                    mulTrustManager.addTrustManager((X509TrustManager) tm);
                }
            } else {
                trustManagersCol.add(tm);
            }
        }
        if (!mulTrustManager.isEmpty()) {
            trustManagersCol.add(mulTrustManager);
        }
        return trustManagersCol.toArray(new TrustManager[trustManagersCol.size()]);
    }
}
Also used : QpidMultipleTrustManager(org.apache.qpid.server.transport.network.security.ssl.QpidMultipleTrustManager) X509TrustManager(javax.net.ssl.X509TrustManager) TrustManagerFactory(javax.net.ssl.TrustManagerFactory) Collection(java.util.Collection) QpidPeersOnlyTrustManager(org.apache.qpid.server.transport.network.security.ssl.QpidPeersOnlyTrustManager) TrustManager(javax.net.ssl.TrustManager)

Example 4 with QpidPeersOnlyTrustManager

Use of org.apache.qpid.server.transport.network.security.ssl.QpidPeersOnlyTrustManager in project qpid-broker-j by apache.

The class ManagedPeerCertificateTrustStoreImpl, method updateTrustManagers.

@SuppressWarnings("unused")
private void updateTrustManagers() {
    try {
        // build an in-memory key store holding only the managed peer certificates, one entry per certificate
        java.security.KeyStore inMemoryKeyStore = java.security.KeyStore.getInstance(java.security.KeyStore.getDefaultType());
        inMemoryKeyStore.load(null, null);
        int i = 1;
        for (Certificate cert : _storedCertificates) {
            inMemoryKeyStore.setCertificateEntry(String.valueOf(i++), cert);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(inMemoryKeyStore);
        final Collection<TrustManager> trustManagersCol = new ArrayList<>();
        final QpidMultipleTrustManager mulTrustManager = new QpidMultipleTrustManager();
        TrustManager[] delegateManagers = tmf.getTrustManagers();
        for (TrustManager tm : delegateManagers) {
            if (tm instanceof X509TrustManager) {
                // the truststore trusts only clients whose peer certificate is directly in the store;
                // a CA signature alone is not considered.
                mulTrustManager.addTrustManager(new QpidPeersOnlyTrustManager(inMemoryKeyStore, (X509TrustManager) tm));
            } else {
                trustManagersCol.add(tm);
            }
        }
        if (!mulTrustManager.isEmpty()) {
            trustManagersCol.add(mulTrustManager);
        }
        if (trustManagersCol.isEmpty()) {
            _trustManagers = null;
        } else {
            _trustManagers = trustManagersCol.toArray(new TrustManager[trustManagersCol.size()]);
        }
    } catch (IOException | GeneralSecurityException e) {
        throw new IllegalConfigurationException("Cannot load certificate(s) :" + e, e);
    }
}
Also used : GeneralSecurityException(java.security.GeneralSecurityException) ArrayList(java.util.ArrayList) IllegalConfigurationException(org.apache.qpid.server.configuration.IllegalConfigurationException) IOException(java.io.IOException) QpidPeersOnlyTrustManager(org.apache.qpid.server.transport.network.security.ssl.QpidPeersOnlyTrustManager) TrustManager(javax.net.ssl.TrustManager) X509TrustManager(javax.net.ssl.X509TrustManager) QpidMultipleTrustManager(org.apache.qpid.server.transport.network.security.ssl.QpidMultipleTrustManager) TrustManagerFactory(javax.net.ssl.TrustManagerFactory) X509Certificate(java.security.cert.X509Certificate) Certificate(java.security.cert.Certificate)

Example 5 with QpidPeersOnlyTrustManager

Use of org.apache.qpid.server.transport.network.security.ssl.QpidPeersOnlyTrustManager in project qpid-broker-j by apache.

The class ManagedPeerCertificateTrustStoreImpl, method initialize.

@SuppressWarnings("unused")
protected void initialize() {
    try {
        // build an in-memory key store holding only the managed peer certificates, one entry per certificate
        java.security.KeyStore inMemoryKeyStore = java.security.KeyStore.getInstance(java.security.KeyStore.getDefaultType());
        inMemoryKeyStore.load(null, null);
        int i = 1;
        for (Certificate cert : _storedCertificates) {
            inMemoryKeyStore.setCertificateEntry(String.valueOf(i++), cert);
        }
        final Collection<TrustManager> trustManagersCol = new ArrayList<>();
        final QpidMultipleTrustManager mulTrustManager = new QpidMultipleTrustManager();
        final TrustManager[] delegateManagers = getTrustManagers(inMemoryKeyStore);
        for (final TrustManager tm : delegateManagers) {
            if (tm instanceof X509TrustManager) {
                // the truststore trusts only clients whose peer certificate is directly in the store;
                // a CA signature alone is not considered.
                mulTrustManager.addTrustManager(new QpidPeersOnlyTrustManager(inMemoryKeyStore, (X509TrustManager) tm));
            } else {
                trustManagersCol.add(tm);
            }
        }
        if (!mulTrustManager.isEmpty()) {
            trustManagersCol.add(mulTrustManager);
        }
        if (trustManagersCol.isEmpty()) {
            _trustManagers = null;
        } else {
            _trustManagers = trustManagersCol.toArray(new TrustManager[trustManagersCol.size()]);
        }
    } catch (IOException | GeneralSecurityException e) {
        throw new IllegalConfigurationException("Cannot load certificate(s) :" + e, e);
    }
}
Also used : GeneralSecurityException(java.security.GeneralSecurityException) ArrayList(java.util.ArrayList) IllegalConfigurationException(org.apache.qpid.server.configuration.IllegalConfigurationException) IOException(java.io.IOException) QpidPeersOnlyTrustManager(org.apache.qpid.server.transport.network.security.ssl.QpidPeersOnlyTrustManager) TrustManager(javax.net.ssl.TrustManager) X509TrustManager(javax.net.ssl.X509TrustManager) QpidMultipleTrustManager(org.apache.qpid.server.transport.network.security.ssl.QpidMultipleTrustManager) X509Certificate(java.security.cert.X509Certificate) Certificate(java.security.cert.Certificate)
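The distinction exercised by the test in Example 2 and built into the broker in Examples 3 to 5 (a CA in the truststore vouches for every certificate it signed, a peer store vouches only for certificates that are themselves entries) can be reproduced stand-alone. The following is an added example written for this page, not code from qpid-broker-j: PeersOnlyTrustManager is an illustrative re-implementation of the peers-only rule as the page describes it, not the project's QpidPeersOnlyTrustManager, and it assumes three PEM or DER certificate files given on the command line (a CA certificate with basicConstraints CA:TRUE, and two leaf certificates app1 and app2 both signed by that CA). The file names and the helpers loadCert, peerStoreOf, defaultX509TrustManager and accepts are this example's own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Added example (not qpid-broker-j code): a "peers only" trust manager and a small comparison harness. */
public final class PeersOnlyDemo {

    /**
     * Illustrative peers-only rule (assumed semantics, not the project's class): the leaf certificate
     * presented by the peer must itself be a certificate entry in the peer store. A CA certificate in
     * the store does not make the certificates it signed acceptable.
     */
    static final class PeersOnlyTrustManager implements X509TrustManager {
        private final List<X509Certificate> peers;
        private final X509TrustManager delegate;

        PeersOnlyTrustManager(KeyStore peerStore, X509TrustManager delegate) throws Exception {
            List<X509Certificate> list = new ArrayList<>();
            for (String alias : Collections.list(peerStore.aliases())) {
                if (peerStore.isCertificateEntry(alias)) {
                    Certificate c = peerStore.getCertificate(alias);
                    if (c instanceof X509Certificate) {
                        list.add((X509Certificate) c);
                    }
                }
            }
            this.peers = Collections.unmodifiableList(list);
            this.delegate = delegate;
        }

        private void checkPeer(X509Certificate[] chain) throws CertificateException {
            if (chain == null || chain.length == 0) {
                throw new CertificateException("empty certificate chain");
            }
            X509Certificate leaf = chain[0];
            // X509Certificate.equals compares the DER encoding, so a different certificate for the
            // same subject (for example a renewed one) is not a match until it is added to the store.
            if (!peers.contains(leaf)) {
                throw new CertificateException("peer certificate not in peer store: " + leaf.getSubjectX500Principal());
            }
            leaf.checkValidity(); // not-before / not-after, checked here regardless of what the delegate does
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            checkPeer(chain);
            delegate.checkClientTrusted(chain, authType);
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            checkPeer(chain);
            delegate.checkServerTrusted(chain, authType);
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            // advertised in the TLS CertificateRequest; the peer certificates are their own "issuers" here
            return peers.toArray(new X509Certificate[0]);
        }
    }

    /** Loads a PEM or DER encoded X.509 certificate from a file path supplied by the caller (assumed input). */
    static X509Certificate loadCert(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** In-memory store with one certificate entry per certificate, mirroring the numeric-alias pattern above. */
    static KeyStore peerStoreOf(X509Certificate... certs) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        int i = 1;
        for (X509Certificate c : certs) {
            ks.setCertificateEntry(String.valueOf(i++), c);
        }
        return ks;
    }

    /** The JDK's regular (CA-based) X509 trust manager for a store. */
    static X509TrustManager defaultX509TrustManager(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager from " + tmf.getAlgorithm());
    }

    static boolean accepts(X509TrustManager tm, X509Certificate... chain) {
        try {
            tm.checkClientTrusted(chain, "RSA");
            return true;
        } catch (CertificateException e) {
            System.out.println("  rejected: " + e.getMessage());
            return false;
        }
    }

    // Usage: java PeersOnlyDemo.java ca.pem app1.pem app2.pem   (file names are assumptions)
    public static void main(String[] args) throws Exception {
        X509Certificate ca = loadCert(args[0]);
        X509Certificate app1 = loadCert(args[1]);
        X509Certificate app2 = loadCert(args[2]);

        // CA-based trust: anything the CA signed is accepted
        X509TrustManager caBased = defaultX509TrustManager(peerStoreOf(ca));
        System.out.println("CA store, app1 chain accepted: " + accepts(caBased, app1, ca));
        System.out.println("CA store, app2 chain accepted: " + accepts(caBased, app2, ca));

        // peers-only trust: only the certificate that is itself in the store is accepted
        KeyStore peerStore = peerStoreOf(app1);
        X509TrustManager peersOnly = new PeersOnlyTrustManager(peerStore, defaultX509TrustManager(peerStore));
        System.out.println("peer store, app1 chain accepted: " + accepts(peersOnly, app1, ca));
        System.out.println("peer store, app2 chain accepted: " + accepts(peersOnly, app2, ca));
        System.out.println("peer store, CA alone accepted:   " + accepts(peersOnly, ca));
    }
}
```

Run with the single-file source launcher (JDK 11 or later) as shown in the usage comment. The CA-based manager accepts both leaf chains, while the peers-only manager accepts app1 and rejects app2 and the CA certificate itself, which is the distinction the test in Example 2 asserts. Operationally this means a peer store is a positive allow-list keyed on the exact DER encoding: rotating or re-issuing a client certificate requires adding the new certificate to the store (and removing the old one), since the CA signature no longer carries any weight.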

Aggregations

X509TrustManager (javax.net.ssl.X509TrustManager)7 QpidPeersOnlyTrustManager (org.apache.qpid.server.transport.network.security.ssl.QpidPeersOnlyTrustManager)7 QpidMultipleTrustManager (org.apache.qpid.server.transport.network.security.ssl.QpidMultipleTrustManager)5 TrustManager (javax.net.ssl.TrustManager)4 KeyStore (java.security.KeyStore)3 Test (org.junit.Test)3 IOException (java.io.IOException)2 GeneralSecurityException (java.security.GeneralSecurityException)2 Certificate (java.security.cert.Certificate)2 CertificateException (java.security.cert.CertificateException)2 X509Certificate (java.security.cert.X509Certificate)2 ArrayList (java.util.ArrayList)2 TrustManagerFactory (javax.net.ssl.TrustManagerFactory)2 IllegalConfigurationException (org.apache.qpid.server.configuration.IllegalConfigurationException)2 Path (java.nio.file.Path)1 Collection (java.util.Collection)1 HashMap (java.util.HashMap)1 KeyCertificatePair (org.apache.qpid.test.utils.tls.KeyCertificatePair)1