Use of org.apache.qpid.test.utils.tls.KeyCertificatePair in project qpid-broker-j by apache.
Class NonJavaTrustStoreTest, method testUseOfExpiredTrustAnchorDenied.
@Test
public void testUseOfExpiredTrustAnchorDenied() throws Exception {
    // A trust store built from an already-expired certificate, with validity enforcement on,
    // must reject that same certificate when it is presented as a client certificate.
    final KeyCertificatePair expiredPair = createExpiredCertificate();
    final Path pemPath = TLS_RESOURCE.saveCertificateAsPem(expiredPair.getCertificate());

    final Map<String, Object> attributes = new HashMap<>();
    attributes.put(NonJavaTrustStore.NAME, NAME);
    attributes.put(NonJavaTrustStore.TRUST_ANCHOR_VALIDITY_ENFORCED, true);
    attributes.put(NonJavaTrustStore.CERTIFICATES_URL, pemPath.toFile().getAbsolutePath());
    attributes.put(NonJavaTrustStore.TYPE, NON_JAVA_TRUST_STORE);

    final TrustStore<?> trustStore = createTestTrustStore(attributes);
    final TrustManager[] trustManagers = trustStore.getTrustManagers();
    assertNotNull(trustManagers);
    assertEquals("Unexpected number of trust managers", 1, trustManagers.length);
    final boolean isX509Manager = trustManagers[0] instanceof X509TrustManager;
    assertTrue("Unexpected trust manager type", isX509Manager);

    final X509TrustManager trustManager = (X509TrustManager) trustManagers[0];
    try {
        trustManager.checkClientTrusted(new X509Certificate[] { expiredPair.getCertificate() }, "NULL");
        fail("Exception not thrown");
    } catch (CertificateException e) {
        // IBMJSSE2 reports expiry as a plain CertificateException carrying this message
        // rather than a CertificateExpiredException; any other failure is a real one.
        final boolean reportedAsExpired = e instanceof CertificateExpiredException
                || "Certificate expired".equals(e.getMessage());
        if (!reportedAsExpired) {
            throw e;
        }
    }
}
Use of org.apache.qpid.test.utils.tls.KeyCertificatePair in project qpid-broker-j by apache.
Class FileTrustStoreTest, method generateTrustStoreAndCrl.
private StoreAndCrl<Path> generateTrustStoreAndCrl() throws Exception {
    // One root CA issuing two end-entity certificates; both go into the trust store and
    // the second one is additionally listed in a CRL issued by the same CA.
    final KeyCertificatePair rootCa = TlsResourceBuilder.createKeyPairAndRootCA(DN_CA);
    final KeyCertificatePair fooPair = TlsResourceBuilder.createKeyPairAndCertificate(DN_FOO, rootCa);
    final KeyCertificatePair barPair = TlsResourceBuilder.createKeyPairAndCertificate(DN_BAR, rootCa);

    final CertificateEntry entryA = new CertificateEntry(CERTIFICATE_ALIAS_A, fooPair.getCertificate());
    final CertificateEntry entryB = new CertificateEntry(CERTIFICATE_ALIAS_B, barPair.getCertificate());
    final Path trustStoreFile = TLS_RESOURCE.createKeyStore(entryA, entryB);
    final Path crlFile = TLS_RESOURCE.createCrl(rootCa, barPair.getCertificate());

    return new StoreAndCrl<>(trustStoreFile, crlFile, rootCa);
}
Use of org.apache.qpid.test.utils.tls.KeyCertificatePair in project qpid-broker-j by apache.
Class NonJavaKeyStoreTest, method testUpdateKeyStoreToNonMatchingCertificate.
@Test
public void testUpdateKeyStoreToNonMatchingCertificate() throws Exception {
    // Start from a consistent key store (private key and certificate from the same pair) ...
    final Map<String, Object> attributes = new HashMap<>();
    attributes.put(NonJavaKeyStore.NAME, getTestName());
    attributes.put(NonJavaKeyStore.PRIVATE_KEY_URL, getPrivateKeyAsDataUrl(_keyCertPair.getPrivateKey()));
    attributes.put(NonJavaKeyStore.CERTIFICATE_URL, getCertificateAsDataUrl(_keyCertPair.getCertificate()));
    attributes.put(NonJavaKeyStore.TYPE, NON_JAVA_KEY_STORE);
    final KeyStore<?> keyStore = createTestKeyStore(attributes);

    // ... then try to swap in a certificate from an unrelated, freshly generated self-signed pair,
    // whose public key cannot correspond to the stored private key.
    final KeyCertificatePair unrelatedPair = generateSelfSignedCertificate();
    try {
        final String unrelatedCertUrl = getCertificateAsDataUrl(unrelatedPair.getCertificate());
        keyStore.setAttributes(Collections.singletonMap("certificateUrl", unrelatedCertUrl));
        fail("Created key store from invalid certificate");
    } catch (IllegalConfigurationException expected) {
        // expected: a key/certificate mismatch is rejected as an illegal configuration
    }
}
Use of org.apache.qpid.test.utils.tls.KeyCertificatePair in project qpid-broker-j by apache.
Class PortTest, method setUp.
@Before
public void setUp() throws Exception {
    // Derive all per-test resource names from the test name so fixtures of different tests do not collide.
    _portName = getTestName();
    _authenticationProvider = _portName + "AuthenticationProvider";
    _keyStoreName = _portName + "KeyStore";

    createAnonymousAuthenticationProvider();

    // One self-signed pair: submitted to the broker as a key store, and its certificate also
    // written to a file-based store that tests can point a port at.
    final KeyCertificatePair selfSigned = generateSelfSignedCertificate();
    final X509Certificate selfSignedCert = selfSigned.getCertificate();
    submitKeyStoreAttributes(_keyStoreName, SC_CREATED, selfSigned);
    final CertificateEntry storeEntry = new CertificateEntry(CERTIFICATE_ALIAS, selfSignedCert);
    _storeFile = TLS_RESOURCE.createKeyStore(storeEntry).toFile();

    getBrokerAdmin().createQueue(QUEUE_NAME);
}
Use of org.apache.qpid.test.utils.tls.KeyCertificatePair in project qpid-broker-j by apache.
Class AuthenticationTest, method buildTlsResources.
/**
 * Builds every key store, trust store and CRL the authentication tests share: one root CA, a
 * broker server certificate, and a set of client certificates in different trust states
 * (plain trusted, revoked, "revoked" by an empty CRL, CRL at a non-existing path, issued by an
 * intermediate CA, expired, and untrusted self-signed). Store paths are published through the
 * static {@code _*Store} fields; CRLs are copied over the pre-existing {@code _crlFile},
 * {@code _emptyCrlFile} and {@code _intermediateCrlFile}.
 *
 * @throws Exception if any certificate, store or CRL cannot be generated or written
 */
private static void buildTlsResources() throws Exception {
// CRL distribution point URIs, all served from crlHttpPort. The last one names a path no file is
// ever written for, so certificates pointing at it have an unreachable CRL.
final String crlUri = String.format(CRL_TEMPLATE, crlHttpPort, _crlFile.toFile().getName());
final String emptyCrlUri = String.format(CRL_TEMPLATE, crlHttpPort, _emptyCrlFile.toFile().getName());
final String intermediateCrlUri = String.format(CRL_TEMPLATE, crlHttpPort, _intermediateCrlFile.toFile().getName());
final String nonExistingCrlUri = String.format(CRL_TEMPLATE, crlHttpPort, "not/a/crl");
// Single root CA that issues (directly or via the intermediate) everything except the untrusted client.
final KeyCertificatePair caPair = TlsResourceBuilder.createKeyPairAndRootCA(DN_CA);
final KeyPair brokerKeyPair = TlsResourceBuilder.createRSAKeyPair();
final X509Certificate brokerCertificate = TlsResourceBuilder.createCertificateForServerAuthorization(brokerKeyPair, caPair, DN_BROKER);
// Broker key store: private key with chain [broker cert, root CA] plus the root CA as its own entry.
_brokerKeyStore = TLS_RESOURCE.createKeyStore(new PrivateKeyEntry("java-broker", brokerKeyPair.getPrivate(), brokerCertificate, caPair.getCertificate()), new CertificateEntry(CERT_ALIAS_ROOT_CA, caPair.getCertificate())).toFile().getAbsolutePath();
// Broker trust store holds only the root CA, so anything not chaining to it is untrusted.
_brokerTrustStore = TLS_RESOURCE.createKeyStore(new CertificateEntry(CERT_ALIAS_ROOT_CA, caPair.getCertificate())).toFile().getAbsolutePath();
final KeyPair clientApp1KeyPair = TlsResourceBuilder.createRSAKeyPair();
final X509Certificate clientApp1Certificate = TlsResourceBuilder.createCertificateForClientAuthorization(clientApp1KeyPair, caPair, DN_CLIENT_APP1);
// Peer store: contains the app1 client certificate itself (keyed by its DN), not a CA.
_brokerPeerStore = TLS_RESOURCE.createKeyStore(new CertificateEntry(DN_CLIENT_APP1, clientApp1Certificate)).toFile().getAbsolutePath();
final KeyPair clientApp2KeyPair = TlsResourceBuilder.createRSAKeyPair();
final X509Certificate clientApp2Certificate = TlsResourceBuilder.createCertificateForClientAuthorization(clientApp2KeyPair, caPair, DN_CLIENT_APP2);
// "allowed" and "revoked" both carry the same CDP (crlUri); which of them is actually listed
// in that CRL is decided further down where _crlFile is generated.
final KeyPair clientAllowedKeyPair = TlsResourceBuilder.createRSAKeyPair();
final X509Certificate clientAllowedCertificate = TlsResourceBuilder.createCertificateWithCrlDistributionPoint(clientAllowedKeyPair, caPair, DN_CLIENT_ALLOWED, crlUri);
final KeyPair clientRevokedKeyPair = TlsResourceBuilder.createRSAKeyPair();
final X509Certificate clientRevokedCertificate = TlsResourceBuilder.createCertificateWithCrlDistributionPoint(clientRevokedKeyPair, caPair, DN_CLIENT_REVOKED, crlUri);
// CDP points at a CRL with no revoked serials (emptyCrl below).
final KeyPair clientKeyPairRevokedByEmpty = TlsResourceBuilder.createRSAKeyPair();
final X509Certificate clientCertificateRevokedByEmpty = TlsResourceBuilder.createCertificateWithCrlDistributionPoint(clientKeyPairRevokedByEmpty, caPair, DN_CLIENT_REVOKED_BY_EMPTY, emptyCrlUri);
// CDP points at the never-created "not/a/crl" path.
final KeyPair clientKeyPairInvalidClr = TlsResourceBuilder.createRSAKeyPair();
final X509Certificate clientCertificateInvalidClr = TlsResourceBuilder.createCertificateWithCrlDistributionPoint(clientKeyPairInvalidClr, caPair, DN_CLIENT_REVOKED_INVALID_CRL, nonExistingCrlUri);
// Intermediate CA issued by the root; its own CDP is the root CRL (crlUri). Note that the
// intermediate's certificate is itself listed in that root CRL below — presumably deliberate,
// so that chains through it are rejected; confirm against the tests that use CERT_ALIAS_ALLOWED_WITH_INTERMEDIATE.
final KeyCertificatePair intermediateCA = TlsResourceBuilder.createKeyPairAndIntermediateCA(DN_INTERMEDIATE, caPair, crlUri);
final KeyPair clientKeyPairIntermediate = TlsResourceBuilder.createRSAKeyPair();
final X509Certificate clientCertificateIntermediate = TlsResourceBuilder.createCertificateWithCrlDistributionPoint(clientKeyPairIntermediate, intermediateCA, DN_CLIENT_INT, intermediateCrlUri);
// Expired client certificate: validity window lies entirely in the past (10 to 5 days ago).
final KeyPair clientKeyPairExpired = TlsResourceBuilder.createRSAKeyPair();
final Instant from = Instant.now().minus(10, ChronoUnit.DAYS);
final Instant to = Instant.now().minus(5, ChronoUnit.DAYS);
final X509Certificate clientCertificateExpired = TlsResourceBuilder.createCertificate(clientKeyPairExpired, caPair, "CN=user1", from, to);
_clientExpiredKeyStore = TLS_RESOURCE.createKeyStore(new PrivateKeyEntry("user1", clientKeyPairExpired.getPrivate(), clientCertificateExpired, caPair.getCertificate())).toFile().getAbsolutePath();
// Main client key store: one private-key entry per client identity, each with its chain up to
// the root CA (the intermediate-issued one carries [leaf, intermediate, root]), plus the root CA.
_clientKeyStore = TLS_RESOURCE.createKeyStore(new PrivateKeyEntry(CERT_ALIAS_APP1, clientApp1KeyPair.getPrivate(), clientApp1Certificate, caPair.getCertificate()), new PrivateKeyEntry(CERT_ALIAS_APP2, clientApp2KeyPair.getPrivate(), clientApp2Certificate, caPair.getCertificate()), new PrivateKeyEntry(CERT_ALIAS_ALLOWED, clientAllowedKeyPair.getPrivate(), clientAllowedCertificate, caPair.getCertificate()), new PrivateKeyEntry(CERT_ALIAS_REVOKED, clientRevokedKeyPair.getPrivate(), clientRevokedCertificate, caPair.getCertificate()), new PrivateKeyEntry(CERT_ALIAS_REVOKED_EMPTY_CRL, clientKeyPairRevokedByEmpty.getPrivate(), clientCertificateRevokedByEmpty, caPair.getCertificate()), new PrivateKeyEntry(CERT_ALIAS_REVOKED_INVALID_CRL_PATH, clientKeyPairInvalidClr.getPrivate(), clientCertificateInvalidClr, caPair.getCertificate()), new PrivateKeyEntry(CERT_ALIAS_ALLOWED_WITH_INTERMEDIATE, clientKeyPairIntermediate.getPrivate(), clientCertificateIntermediate, intermediateCA.getCertificate(), caPair.getCertificate()), new CertificateEntry(CERT_ALIAS_ROOT_CA, caPair.getCertificate())).toFile().getAbsolutePath();
_clientTrustStore = TLS_RESOURCE.createKeyStore(new CertificateEntry(CERT_ALIAS_ROOT_CA, caPair.getCertificate())).toFile().getAbsolutePath();
// Root CRL (DER): lists the "revoked" client certificate and the intermediate CA certificate.
final Path crl = TLS_RESOURCE.createCrlAsDer(caPair, clientRevokedCertificate, intermediateCA.getCertificate());
Files.copy(crl, _crlFile, StandardCopyOption.REPLACE_EXISTING);
// Empty CRL: valid, signed by the root, no entries.
final Path emptyCrl = TLS_RESOURCE.createCrlAsDer(caPair);
Files.copy(emptyCrl, _emptyCrlFile, StandardCopyOption.REPLACE_EXISTING);
// NOTE(review): the "intermediate" CRL is another empty CRL signed by the root CA (caPair), not by
// intermediateCA, even though it is served at the CDP of the intermediate-issued client cert.
// Confirm this is the intended issuer for that CRL.
final Path intermediateCrl = TLS_RESOURCE.createCrlAsDer(caPair);
Files.copy(intermediateCrl, _intermediateCrlFile, StandardCopyOption.REPLACE_EXISTING);
// Self-signed client identity with no link to the root CA; stored under the app1 alias so it can
// be selected the same way as the trusted app1 identity.
final KeyCertificatePair clientKeyPairUntrusted = TlsResourceBuilder.createSelfSigned(DN_CLIENT_UNTRUSTED);
_clientUntrustedKeyStore = TLS_RESOURCE.createKeyStore(new PrivateKeyEntry(CERT_ALIAS_APP1, clientKeyPairUntrusted.getPrivateKey(), clientKeyPairUntrusted.getCertificate())).toFile().getAbsolutePath();
}