Examples with KeyCertificatePair org.apache.qpid.test.utils.tls.KeyCertificatePair used on opensource projects

Example 1 with KeyCertificatePair

use of org.apache.qpid.test.utils.tls.KeyCertificatePair in project qpid-broker-j by apache.

the class NonJavaTrustStoreTest method testUseOfExpiredTrustAnchorDenied.

@Test
public void testUseOfExpiredTrustAnchorDenied() throws Exception {
    final KeyCertificatePair keyCertPair = createExpiredCertificate();
    final Path certificatePath = TLS_RESOURCE.saveCertificateAsPem(keyCertPair.getCertificate());
    Map<String, Object> attributes = new HashMap<>();
    attributes.put(NonJavaTrustStore.NAME, NAME);
    attributes.put(NonJavaTrustStore.TRUST_ANCHOR_VALIDITY_ENFORCED, true);
    attributes.put(NonJavaTrustStore.CERTIFICATES_URL, certificatePath.toFile().getAbsolutePath());
    attributes.put(NonJavaTrustStore.TYPE, NON_JAVA_TRUST_STORE);
    TrustStore<?> trustStore = createTestTrustStore(attributes);
    TrustManager[] trustManagers = trustStore.getTrustManagers();
    assertNotNull(trustManagers);
    assertEquals("Unexpected number of trust managers", 1, trustManagers.length);
    final boolean condition = trustManagers[0] instanceof X509TrustManager;
    assertTrue("Unexpected trust manager type", condition);
    X509TrustManager trustManager = (X509TrustManager) trustManagers[0];
    try {
        trustManager.checkClientTrusted(new X509Certificate[] { keyCertPair.getCertificate() }, "NULL");
        fail("Exception not thrown");
    } catch (CertificateException e) {
        if (e instanceof CertificateExpiredException || "Certificate expired".equals(e.getMessage())) {
        // IBMJSSE2 does not throw CertificateExpiredException, it throws a CertificateException
        // PASS
        } else {
            throw e;
        }
    }
}

Example 2 with KeyCertificatePair

use of org.apache.qpid.test.utils.tls.KeyCertificatePair in project qpid-broker-j by apache.

the class FileTrustStoreTest method generateTrustStoreAndCrl.

private StoreAndCrl<Path> generateTrustStoreAndCrl() throws Exception {
    final KeyCertificatePair caPair = TlsResourceBuilder.createKeyPairAndRootCA(DN_CA);
    final KeyCertificatePair keyCertPair1 = TlsResourceBuilder.createKeyPairAndCertificate(DN_FOO, caPair);
    final KeyCertificatePair keyCertPair2 = TlsResourceBuilder.createKeyPairAndCertificate(DN_BAR, caPair);
    final Path keyStoreFile = TLS_RESOURCE.createKeyStore(new CertificateEntry(CERTIFICATE_ALIAS_A, keyCertPair1.getCertificate()), new CertificateEntry(CERTIFICATE_ALIAS_B, keyCertPair2.getCertificate()));
    final Path clrFile = TLS_RESOURCE.createCrl(caPair, keyCertPair2.getCertificate());
    return new StoreAndCrl<>(keyStoreFile, clrFile, caPair);
}

Example 3 with KeyCertificatePair

use of org.apache.qpid.test.utils.tls.KeyCertificatePair in project qpid-broker-j by apache.

the class NonJavaKeyStoreTest method testUpdateKeyStoreToNonMatchingCertificate.

@Test
public void testUpdateKeyStoreToNonMatchingCertificate() throws Exception {
    final Map<String, Object> attributes = new HashMap<>();
    attributes.put(NonJavaKeyStore.NAME, getTestName());
    attributes.put(NonJavaKeyStore.PRIVATE_KEY_URL, getPrivateKeyAsDataUrl(_keyCertPair.getPrivateKey()));
    attributes.put(NonJavaKeyStore.CERTIFICATE_URL, getCertificateAsDataUrl(_keyCertPair.getCertificate()));
    attributes.put(NonJavaKeyStore.TYPE, NON_JAVA_KEY_STORE);
    final KeyStore<?> trustStore = createTestKeyStore(attributes);
    final KeyCertificatePair keyCertPair2 = generateSelfSignedCertificate();
    try {
        final String certUrl = getCertificateAsDataUrl(keyCertPair2.getCertificate());
        trustStore.setAttributes(Collections.singletonMap("certificateUrl", certUrl));
        fail("Created key store from invalid certificate");
    } catch (IllegalConfigurationException e) {
    // pass
    }
}

Example 4 with KeyCertificatePair

use of org.apache.qpid.test.utils.tls.KeyCertificatePair in project qpid-broker-j by apache.

the class PortTest method setUp.

@Before
public void setUp() throws Exception {
    _portName = getTestName();
    _authenticationProvider = _portName + "AuthenticationProvider";
    _keyStoreName = _portName + "KeyStore";
    createAnonymousAuthenticationProvider();
    final KeyCertificatePair keyCertPair = generateSelfSignedCertificate();
    final X509Certificate certificate = keyCertPair.getCertificate();
    submitKeyStoreAttributes(_keyStoreName, SC_CREATED, keyCertPair);
    _storeFile = TLS_RESOURCE.createKeyStore(new CertificateEntry(CERTIFICATE_ALIAS, certificate)).toFile();
    getBrokerAdmin().createQueue(QUEUE_NAME);
}

Example 5 with KeyCertificatePair

use of org.apache.qpid.test.utils.tls.KeyCertificatePair in project qpid-broker-j by apache.

the class AuthenticationTest method buildTlsResources.

private static void buildTlsResources() throws Exception {
    final String crlUri = String.format(CRL_TEMPLATE, crlHttpPort, _crlFile.toFile().getName());
    final String emptyCrlUri = String.format(CRL_TEMPLATE, crlHttpPort, _emptyCrlFile.toFile().getName());
    final String intermediateCrlUri = String.format(CRL_TEMPLATE, crlHttpPort, _intermediateCrlFile.toFile().getName());
    final String nonExistingCrlUri = String.format(CRL_TEMPLATE, crlHttpPort, "not/a/crl");
    final KeyCertificatePair caPair = TlsResourceBuilder.createKeyPairAndRootCA(DN_CA);
    final KeyPair brokerKeyPair = TlsResourceBuilder.createRSAKeyPair();
    final X509Certificate brokerCertificate = TlsResourceBuilder.createCertificateForServerAuthorization(brokerKeyPair, caPair, DN_BROKER);
    _brokerKeyStore = TLS_RESOURCE.createKeyStore(new PrivateKeyEntry("java-broker", brokerKeyPair.getPrivate(), brokerCertificate, caPair.getCertificate()), new CertificateEntry(CERT_ALIAS_ROOT_CA, caPair.getCertificate())).toFile().getAbsolutePath();
    _brokerTrustStore = TLS_RESOURCE.createKeyStore(new CertificateEntry(CERT_ALIAS_ROOT_CA, caPair.getCertificate())).toFile().getAbsolutePath();
    final KeyPair clientApp1KeyPair = TlsResourceBuilder.createRSAKeyPair();
    final X509Certificate clientApp1Certificate = TlsResourceBuilder.createCertificateForClientAuthorization(clientApp1KeyPair, caPair, DN_CLIENT_APP1);
    _brokerPeerStore = TLS_RESOURCE.createKeyStore(new CertificateEntry(DN_CLIENT_APP1, clientApp1Certificate)).toFile().getAbsolutePath();
    final KeyPair clientApp2KeyPair = TlsResourceBuilder.createRSAKeyPair();
    final X509Certificate clientApp2Certificate = TlsResourceBuilder.createCertificateForClientAuthorization(clientApp2KeyPair, caPair, DN_CLIENT_APP2);
    final KeyPair clientAllowedKeyPair = TlsResourceBuilder.createRSAKeyPair();
    final X509Certificate clientAllowedCertificate = TlsResourceBuilder.createCertificateWithCrlDistributionPoint(clientAllowedKeyPair, caPair, DN_CLIENT_ALLOWED, crlUri);
    final KeyPair clientRevokedKeyPair = TlsResourceBuilder.createRSAKeyPair();
    final X509Certificate clientRevokedCertificate = TlsResourceBuilder.createCertificateWithCrlDistributionPoint(clientRevokedKeyPair, caPair, DN_CLIENT_REVOKED, crlUri);
    final KeyPair clientKeyPairRevokedByEmpty = TlsResourceBuilder.createRSAKeyPair();
    final X509Certificate clientCertificateRevokedByEmpty = TlsResourceBuilder.createCertificateWithCrlDistributionPoint(clientKeyPairRevokedByEmpty, caPair, DN_CLIENT_REVOKED_BY_EMPTY, emptyCrlUri);
    final KeyPair clientKeyPairInvalidClr = TlsResourceBuilder.createRSAKeyPair();
    final X509Certificate clientCertificateInvalidClr = TlsResourceBuilder.createCertificateWithCrlDistributionPoint(clientKeyPairInvalidClr, caPair, DN_CLIENT_REVOKED_INVALID_CRL, nonExistingCrlUri);
    final KeyCertificatePair intermediateCA = TlsResourceBuilder.createKeyPairAndIntermediateCA(DN_INTERMEDIATE, caPair, crlUri);
    final KeyPair clientKeyPairIntermediate = TlsResourceBuilder.createRSAKeyPair();
    final X509Certificate clientCertificateIntermediate = TlsResourceBuilder.createCertificateWithCrlDistributionPoint(clientKeyPairIntermediate, intermediateCA, DN_CLIENT_INT, intermediateCrlUri);
    final KeyPair clientKeyPairExpired = TlsResourceBuilder.createRSAKeyPair();
    final Instant from = Instant.now().minus(10, ChronoUnit.DAYS);
    final Instant to = Instant.now().minus(5, ChronoUnit.DAYS);
    final X509Certificate clientCertificateExpired = TlsResourceBuilder.createCertificate(clientKeyPairExpired, caPair, "CN=user1", from, to);
    _clientExpiredKeyStore = TLS_RESOURCE.createKeyStore(new PrivateKeyEntry("user1", clientKeyPairExpired.getPrivate(), clientCertificateExpired, caPair.getCertificate())).toFile().getAbsolutePath();
    _clientKeyStore = TLS_RESOURCE.createKeyStore(new PrivateKeyEntry(CERT_ALIAS_APP1, clientApp1KeyPair.getPrivate(), clientApp1Certificate, caPair.getCertificate()), new PrivateKeyEntry(CERT_ALIAS_APP2, clientApp2KeyPair.getPrivate(), clientApp2Certificate, caPair.getCertificate()), new PrivateKeyEntry(CERT_ALIAS_ALLOWED, clientAllowedKeyPair.getPrivate(), clientAllowedCertificate, caPair.getCertificate()), new PrivateKeyEntry(CERT_ALIAS_REVOKED, clientRevokedKeyPair.getPrivate(), clientRevokedCertificate, caPair.getCertificate()), new PrivateKeyEntry(CERT_ALIAS_REVOKED_EMPTY_CRL, clientKeyPairRevokedByEmpty.getPrivate(), clientCertificateRevokedByEmpty, caPair.getCertificate()), new PrivateKeyEntry(CERT_ALIAS_REVOKED_INVALID_CRL_PATH, clientKeyPairInvalidClr.getPrivate(), clientCertificateInvalidClr, caPair.getCertificate()), new PrivateKeyEntry(CERT_ALIAS_ALLOWED_WITH_INTERMEDIATE, clientKeyPairIntermediate.getPrivate(), clientCertificateIntermediate, intermediateCA.getCertificate(), caPair.getCertificate()), new CertificateEntry(CERT_ALIAS_ROOT_CA, caPair.getCertificate())).toFile().getAbsolutePath();
    _clientTrustStore = TLS_RESOURCE.createKeyStore(new CertificateEntry(CERT_ALIAS_ROOT_CA, caPair.getCertificate())).toFile().getAbsolutePath();
    final Path crl = TLS_RESOURCE.createCrlAsDer(caPair, clientRevokedCertificate, intermediateCA.getCertificate());
    Files.copy(crl, _crlFile, StandardCopyOption.REPLACE_EXISTING);
    final Path emptyCrl = TLS_RESOURCE.createCrlAsDer(caPair);
    Files.copy(emptyCrl, _emptyCrlFile, StandardCopyOption.REPLACE_EXISTING);
    final Path intermediateCrl = TLS_RESOURCE.createCrlAsDer(caPair);
    Files.copy(intermediateCrl, _intermediateCrlFile, StandardCopyOption.REPLACE_EXISTING);
    final KeyCertificatePair clientKeyPairUntrusted = TlsResourceBuilder.createSelfSigned(DN_CLIENT_UNTRUSTED);
    _clientUntrustedKeyStore = TLS_RESOURCE.createKeyStore(new PrivateKeyEntry(CERT_ALIAS_APP1, clientKeyPairUntrusted.getPrivateKey(), clientKeyPairUntrusted.getCertificate())).toFile().getAbsolutePath();
}