
Example 1 with KeyCertificatePair

use of org.apache.qpid.test.utils.tls.KeyCertificatePair in project qpid-broker-j by apache.

Class NonJavaTrustStoreTest, method testUseOfExpiredTrustAnchorDenied.

/**
 * Verifies that a trust store configured with {@code TRUST_ANCHOR_VALIDITY_ENFORCED}
 * rejects a client certificate whose trust anchor is itself expired.
 * <p>
 * The same expired certificate serves as the store's only trust anchor and as the
 * presented client certificate, so the only ground for rejection is its validity period.
 *
 * @throws Exception if the trust store cannot be created, or if the trust manager fails
 *                   with a {@link CertificateException} that is not an expiry
 */
@Test
public void testUseOfExpiredTrustAnchorDenied() throws Exception {
    final KeyCertificatePair expiredPair = createExpiredCertificate();
    final Path pemFile = TLS_RESOURCE.saveCertificateAsPem(expiredPair.getCertificate());

    final Map<String, Object> storeAttributes = new HashMap<>();
    storeAttributes.put(NonJavaTrustStore.NAME, NAME);
    // The enforcing path is what this test exercises; without the flag the anchor's expiry
    // would not be the deciding factor.
    storeAttributes.put(NonJavaTrustStore.TRUST_ANCHOR_VALIDITY_ENFORCED, true);
    storeAttributes.put(NonJavaTrustStore.CERTIFICATES_URL, pemFile.toFile().getAbsolutePath());
    storeAttributes.put(NonJavaTrustStore.TYPE, NON_JAVA_TRUST_STORE);

    final TrustStore<?> store = createTestTrustStore(storeAttributes);
    final TrustManager[] managers = store.getTrustManagers();
    assertNotNull(managers);
    assertEquals("Unexpected number of trust managers", 1, managers.length);
    assertTrue("Unexpected trust manager type", managers[0] instanceof X509TrustManager);

    final X509TrustManager x509Manager = (X509TrustManager) managers[0];
    final X509Certificate[] presentedChain = { expiredPair.getCertificate() };
    try {
        x509Manager.checkClientTrusted(presentedChain, "NULL");
        fail("Exception not thrown");
    } catch (CertificateException e) {
        // IBMJSSE2 reports expiry as a plain CertificateException carrying this message instead
        // of a CertificateExpiredException; both forms are the rejection this test expects.
        final boolean rejectedAsExpired =
                e instanceof CertificateExpiredException || "Certificate expired".equals(e.getMessage());
        if (!rejectedAsExpired) {
            throw e;
        }
    }
}
Also used : KeyCertificatePair(org.apache.qpid.test.utils.tls.KeyCertificatePair) Path(java.nio.file.Path) CertificateExpiredException(java.security.cert.CertificateExpiredException) HashMap(java.util.HashMap) CertificateException(java.security.cert.CertificateException) TrustManager(javax.net.ssl.TrustManager) X509TrustManager(javax.net.ssl.X509TrustManager) X509TrustManager(javax.net.ssl.X509TrustManager) Test(org.junit.Test)

Example 2 with KeyCertificatePair

use of org.apache.qpid.test.utils.tls.KeyCertificatePair in project qpid-broker-j by apache.

Class FileTrustStoreTest, method generateTrustStoreAndCrl.

/**
 * Builds the fixtures shared by the CRL tests: a root CA, two end-entity certificates
 * signed by it, a trust store holding both, and a CRL issued by that CA that names only
 * the second certificate.
 *
 * @return the trust store path, the CRL path and the issuing CA bundled together
 * @throws Exception if any of the key material or files cannot be produced
 */
private StoreAndCrl<Path> generateTrustStoreAndCrl() throws Exception {
    final KeyCertificatePair rootCa = TlsResourceBuilder.createKeyPairAndRootCA(DN_CA);
    final KeyCertificatePair fooPair = TlsResourceBuilder.createKeyPairAndCertificate(DN_FOO, rootCa);
    final KeyCertificatePair barPair = TlsResourceBuilder.createKeyPairAndCertificate(DN_BAR, rootCa);

    final CertificateEntry fooEntry = new CertificateEntry(CERTIFICATE_ALIAS_A, fooPair.getCertificate());
    final CertificateEntry barEntry = new CertificateEntry(CERTIFICATE_ALIAS_B, barPair.getCertificate());
    final Path trustStoreFile = TLS_RESOURCE.createKeyStore(fooEntry, barEntry);

    // Only the second certificate goes into the CRL, so a test can observe accept-vs-reject
    // against one and the same store.
    final Path crlFile = TLS_RESOURCE.createCrl(rootCa, barPair.getCertificate());
    return new StoreAndCrl<>(trustStoreFile, crlFile, rootCa);
}
Also used : KeyCertificatePair(org.apache.qpid.test.utils.tls.KeyCertificatePair) Path(java.nio.file.Path) CertificateEntry(org.apache.qpid.test.utils.tls.CertificateEntry)

Example 3 with KeyCertificatePair

use of org.apache.qpid.test.utils.tls.KeyCertificatePair in project qpid-broker-j by apache.

Class NonJavaKeyStoreTest, method testUpdateKeyStoreToNonMatchingCertificate.

/**
 * Checks that a non-Java key store refuses an update whose new certificate does not
 * belong to the private key already configured on the store.
 * <p>
 * The store is created from a matching key/certificate pair, then {@code certificateUrl}
 * is pointed at an unrelated self-signed certificate; the update must fail with an
 * {@link IllegalConfigurationException} rather than be accepted.
 *
 * @throws Exception if the initial key store cannot be created
 */
@Test
public void testUpdateKeyStoreToNonMatchingCertificate() throws Exception {
    final Map<String, Object> storeAttributes = new HashMap<>();
    storeAttributes.put(NonJavaKeyStore.NAME, getTestName());
    storeAttributes.put(NonJavaKeyStore.PRIVATE_KEY_URL, getPrivateKeyAsDataUrl(_keyCertPair.getPrivateKey()));
    storeAttributes.put(NonJavaKeyStore.CERTIFICATE_URL, getCertificateAsDataUrl(_keyCertPair.getCertificate()));
    storeAttributes.put(NonJavaKeyStore.TYPE, NON_JAVA_KEY_STORE);
    final KeyStore<?> keyStore = createTestKeyStore(storeAttributes);

    // A fresh self-signed pair: its certificate has no relationship to _keyCertPair's private key.
    final KeyCertificatePair unrelatedPair = generateSelfSignedCertificate();
    try {
        final String unrelatedCertUrl = getCertificateAsDataUrl(unrelatedPair.getCertificate());
        keyStore.setAttributes(Collections.singletonMap("certificateUrl", unrelatedCertUrl));
        fail("Created key store from invalid certificate");
    } catch (IllegalConfigurationException expected) {
        // pass: the key/certificate mismatch was detected
    }
}
Also used : KeyCertificatePair(org.apache.qpid.test.utils.tls.KeyCertificatePair) HashMap(java.util.HashMap) IllegalConfigurationException(org.apache.qpid.server.configuration.IllegalConfigurationException) Test(org.junit.Test)

Example 4 with KeyCertificatePair

use of org.apache.qpid.test.utils.tls.KeyCertificatePair in project qpid-broker-j by apache.

Class PortTest, method setUp.

/**
 * Prepares one test's fixtures: an anonymous authentication provider, a broker key store
 * backed by a freshly generated self-signed certificate, a key store file on disk holding
 * that certificate, and the queue the tests use.
 * <p>
 * Object names are derived from the test name so fixtures of different tests do not collide.
 *
 * @throws Exception if any broker object or file cannot be created
 */
@Before
public void setUp() throws Exception {
    final String testName = getTestName();
    _portName = testName;
    _authenticationProvider = testName + "AuthenticationProvider";
    _keyStoreName = testName + "KeyStore";
    createAnonymousAuthenticationProvider();

    final KeyCertificatePair selfSignedPair = generateSelfSignedCertificate();
    final X509Certificate selfSignedCert = selfSignedPair.getCertificate();
    submitKeyStoreAttributes(_keyStoreName, SC_CREATED, selfSignedPair);
    final CertificateEntry storeEntry = new CertificateEntry(CERTIFICATE_ALIAS, selfSignedCert);
    _storeFile = TLS_RESOURCE.createKeyStore(storeEntry).toFile();
    getBrokerAdmin().createQueue(QUEUE_NAME);
}
Also used : KeyCertificatePair(org.apache.qpid.test.utils.tls.KeyCertificatePair) CertificateEntry(org.apache.qpid.test.utils.tls.CertificateEntry) X509Certificate(java.security.cert.X509Certificate) Before(org.junit.Before)

Example 5 with KeyCertificatePair

use of org.apache.qpid.test.utils.tls.KeyCertificatePair in project qpid-broker-j by apache.

Class AuthenticationTest, method buildTlsResources.

/**
 * Generates all TLS material the authentication tests need and records the resulting
 * store paths in the static fields the tests read.
 * <p>
 * A single root CA signs the broker certificate and a set of client certificates covering
 * the cases the tests distinguish: two plain client-auth certificates, one carrying a CRL
 * distribution point whose CRL does not name it, one named in that CRL, one pointing at an
 * empty CRL, one pointing at a CRL path that does not exist, one issued via an intermediate
 * CA, and one whose validity window closed five days ago. A self-signed certificate with no
 * chain to the root provides the "untrusted" case. The CRLs are written in DER form to
 * {@code _crlFile}, {@code _emptyCrlFile} and {@code _intermediateCrlFile}, the resources
 * that {@code CRL_TEMPLATE}/{@code crlHttpPort} address (presumably served over HTTP by the
 * test setup).
 *
 * @throws Exception if any key, certificate, store or CRL cannot be produced
 */
private static void buildTlsResources() throws Exception {
    final String crlUri = formatCrlUri(_crlFile.toFile().getName());
    final String emptyCrlUri = formatCrlUri(_emptyCrlFile.toFile().getName());
    final String intermediateCrlUri = formatCrlUri(_intermediateCrlFile.toFile().getName());
    final String nonExistingCrlUri = formatCrlUri("not/a/crl");

    // Root of trust for everything except the deliberately untrusted self-signed client.
    final KeyCertificatePair rootCa = TlsResourceBuilder.createKeyPairAndRootCA(DN_CA);
    final X509Certificate rootCert = rootCa.getCertificate();

    // Broker identity, plus the trust store the broker validates clients against.
    final KeyPair brokerKeys = TlsResourceBuilder.createRSAKeyPair();
    final X509Certificate brokerCert =
            TlsResourceBuilder.createCertificateForServerAuthorization(brokerKeys, rootCa, DN_BROKER);
    _brokerKeyStore = toAbsolutePath(TLS_RESOURCE.createKeyStore(
            new PrivateKeyEntry("java-broker", brokerKeys.getPrivate(), brokerCert, rootCert),
            new CertificateEntry(CERT_ALIAS_ROOT_CA, rootCert)));
    _brokerTrustStore = toAbsolutePath(TLS_RESOURCE.createKeyStore(
            new CertificateEntry(CERT_ALIAS_ROOT_CA, rootCert)));

    // Client identities chained to the root CA; app1 additionally goes into the broker's peer store.
    final KeyPair app1Keys = TlsResourceBuilder.createRSAKeyPair();
    final X509Certificate app1Cert =
            TlsResourceBuilder.createCertificateForClientAuthorization(app1Keys, rootCa, DN_CLIENT_APP1);
    _brokerPeerStore = toAbsolutePath(TLS_RESOURCE.createKeyStore(
            new CertificateEntry(DN_CLIENT_APP1, app1Cert)));
    final KeyPair app2Keys = TlsResourceBuilder.createRSAKeyPair();
    final X509Certificate app2Cert =
            TlsResourceBuilder.createCertificateForClientAuthorization(app2Keys, rootCa, DN_CLIENT_APP2);

    // Certificates with a CRL distribution point; which CRL they reference decides the test outcome.
    final KeyPair allowedKeys = TlsResourceBuilder.createRSAKeyPair();
    final X509Certificate allowedCert = TlsResourceBuilder.createCertificateWithCrlDistributionPoint(
            allowedKeys, rootCa, DN_CLIENT_ALLOWED, crlUri);
    final KeyPair revokedKeys = TlsResourceBuilder.createRSAKeyPair();
    final X509Certificate revokedCert = TlsResourceBuilder.createCertificateWithCrlDistributionPoint(
            revokedKeys, rootCa, DN_CLIENT_REVOKED, crlUri);
    final KeyPair revokedByEmptyKeys = TlsResourceBuilder.createRSAKeyPair();
    final X509Certificate revokedByEmptyCert = TlsResourceBuilder.createCertificateWithCrlDistributionPoint(
            revokedByEmptyKeys, rootCa, DN_CLIENT_REVOKED_BY_EMPTY, emptyCrlUri);
    final KeyPair invalidCrlKeys = TlsResourceBuilder.createRSAKeyPair();
    final X509Certificate invalidCrlCert = TlsResourceBuilder.createCertificateWithCrlDistributionPoint(
            invalidCrlKeys, rootCa, DN_CLIENT_REVOKED_INVALID_CRL, nonExistingCrlUri);

    // Intermediate path: the intermediate CA references the root's CRL, its client the intermediate CRL.
    final KeyCertificatePair intermediateCa =
            TlsResourceBuilder.createKeyPairAndIntermediateCA(DN_INTERMEDIATE, rootCa, crlUri);
    final KeyPair intermediateClientKeys = TlsResourceBuilder.createRSAKeyPair();
    final X509Certificate intermediateClientCert = TlsResourceBuilder.createCertificateWithCrlDistributionPoint(
            intermediateClientKeys, intermediateCa, DN_CLIENT_INT, intermediateCrlUri);

    // Expired client: valid from ten days ago until five days ago.
    final KeyPair expiredKeys = TlsResourceBuilder.createRSAKeyPair();
    final Instant notBefore = Instant.now().minus(10, ChronoUnit.DAYS);
    final Instant notAfter = Instant.now().minus(5, ChronoUnit.DAYS);
    final X509Certificate expiredCert =
            TlsResourceBuilder.createCertificate(expiredKeys, rootCa, "CN=user1", notBefore, notAfter);
    _clientExpiredKeyStore = toAbsolutePath(TLS_RESOURCE.createKeyStore(
            new PrivateKeyEntry("user1", expiredKeys.getPrivate(), expiredCert, rootCert)));

    _clientKeyStore = toAbsolutePath(TLS_RESOURCE.createKeyStore(
            new PrivateKeyEntry(CERT_ALIAS_APP1, app1Keys.getPrivate(), app1Cert, rootCert),
            new PrivateKeyEntry(CERT_ALIAS_APP2, app2Keys.getPrivate(), app2Cert, rootCert),
            new PrivateKeyEntry(CERT_ALIAS_ALLOWED, allowedKeys.getPrivate(), allowedCert, rootCert),
            new PrivateKeyEntry(CERT_ALIAS_REVOKED, revokedKeys.getPrivate(), revokedCert, rootCert),
            new PrivateKeyEntry(CERT_ALIAS_REVOKED_EMPTY_CRL, revokedByEmptyKeys.getPrivate(),
                    revokedByEmptyCert, rootCert),
            new PrivateKeyEntry(CERT_ALIAS_REVOKED_INVALID_CRL_PATH, invalidCrlKeys.getPrivate(),
                    invalidCrlCert, rootCert),
            // This entry's chain includes both the intermediate and the root certificate.
            new PrivateKeyEntry(CERT_ALIAS_ALLOWED_WITH_INTERMEDIATE, intermediateClientKeys.getPrivate(),
                    intermediateClientCert, intermediateCa.getCertificate(), rootCert),
            new CertificateEntry(CERT_ALIAS_ROOT_CA, rootCert)));
    _clientTrustStore = toAbsolutePath(TLS_RESOURCE.createKeyStore(
            new CertificateEntry(CERT_ALIAS_ROOT_CA, rootCert)));

    // Root-issued CRL naming the revoked client certificate and the intermediate CA certificate.
    final Path revokingCrl = TLS_RESOURCE.createCrlAsDer(rootCa, revokedCert, intermediateCa.getCertificate());
    Files.copy(revokingCrl, _crlFile, StandardCopyOption.REPLACE_EXISTING);
    final Path emptyCrl = TLS_RESOURCE.createCrlAsDer(rootCa);
    Files.copy(emptyCrl, _emptyCrlFile, StandardCopyOption.REPLACE_EXISTING);
    // Note: the resource behind intermediateCrlUri is an empty CRL signed by the root CA,
    // not one issued by the intermediate.
    final Path intermediateCrl = TLS_RESOURCE.createCrlAsDer(rootCa);
    Files.copy(intermediateCrl, _intermediateCrlFile, StandardCopyOption.REPLACE_EXISTING);

    // Self-signed and not chained to the root: the "untrusted client" case.
    final KeyCertificatePair untrustedPair = TlsResourceBuilder.createSelfSigned(DN_CLIENT_UNTRUSTED);
    _clientUntrustedKeyStore = toAbsolutePath(TLS_RESOURCE.createKeyStore(
            new PrivateKeyEntry(CERT_ALIAS_APP1, untrustedPair.getPrivateKey(), untrustedPair.getCertificate())));
}

/**
 * Expands {@code CRL_TEMPLATE} with the test CRL server's port and the given resource path.
 *
 * @param resource the path component appended to the CRL base address
 * @return the CRL URI to embed in a certificate's distribution point
 */
private static String formatCrlUri(final String resource) {
    return String.format(CRL_TEMPLATE, crlHttpPort, resource);
}

/**
 * Converts a store path produced by {@code TLS_RESOURCE} into the absolute path string the
 * broker configuration fields hold.
 *
 * @param store path of a key or trust store file
 * @return the absolute file-system path of that store
 */
private static String toAbsolutePath(final Path store) {
    return store.toFile().getAbsolutePath();
}
Also used : KeyCertificatePair(org.apache.qpid.test.utils.tls.KeyCertificatePair) Path(java.nio.file.Path) KeyPair(java.security.KeyPair) Instant(java.time.Instant) CertificateEntry(org.apache.qpid.test.utils.tls.CertificateEntry) PrivateKeyEntry(org.apache.qpid.test.utils.tls.PrivateKeyEntry) X509Certificate(java.security.cert.X509Certificate)
