trunk/activemq-core/src/test/java/org/apache/activemq/transport/tcp/SslBrokerServiceTest.java - activemq - Git at Google

 /**
  * Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements.  See the NOTICE file distributed with
  * this work for additional information regarding copyright ownership.
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.apache.activemq.transport.tcp;

 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.net.SocketException;
 import java.net.UnknownHostException;
 import java.security.KeyStore;

 import javax.net.ssl.KeyManager;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLSession;
 import javax.net.ssl.SSLSocket;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;

 import junit.framework.Test;
 import junit.textui.TestRunner;

 import org.apache.activemq.broker.BrokerService;
 import org.apache.activemq.broker.SslBrokerService;
 import org.apache.activemq.broker.SslContext;
 import org.apache.activemq.broker.TransportConnector;
 import org.apache.activemq.transport.TransportBrokerTestSupport;
 import org.apache.activemq.transport.TransportFactory;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

 public class SslBrokerServiceTest extends TransportBrokerTestSupport {
     private static final Logger LOG = LoggerFactory.getLogger(SslBrokerServiceTest.class);

     TransportConnector needClientAuthConnector;
     TransportConnector limitedCipherSuites;

     protected String getBindLocation() {
         return "ssl://localhost:0";
     }

     @Override
     protected BrokerService createBroker() throws Exception {

         // http://java.sun.com/javase/javaseforbusiness/docs/TLSReadme.html
         // work around: javax.net.ssl.SSLHandshakeException: renegotiation is not allowed
         System.setProperty("sun.security.ssl.allowUnsafeRenegotiation", "true");

         SslBrokerService service = new SslBrokerService();
         service.setPersistent(false);

         KeyManager[] km = getKeyManager();
         TrustManager[] tm = getTrustManager();
         connector = service.addSslConnector(getBindLocation(), km, tm, null);
         limitedCipherSuites = service.addSslConnector("ssl://localhost:0?transport.enabledCipherSuites=SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA", km, tm, null);
         needClientAuthConnector = service.addSslConnector("ssl://localhost:0?transport.needClientAuth=true", km, tm, null);

         // for client side
         SslTransportFactory sslFactory = new SslTransportFactory();
         SslContext ctx = new SslContext(km, tm, null);
         SslContext.setCurrentSslContext(ctx);
         TransportFactory.registerTransportFactory("ssl", sslFactory);

         return service;
     }

     public void testNeedClientAuth() throws Exception {
         SSLContext context = SSLContext.getInstance("TLS");
         // no client cert
         context.init(null, getTrustManager(), null);

         try {
             makeSSLConnection(context, null, needClientAuthConnector);
             fail("expected failure on no client cert");
         } catch (SSLException expected) {
             expected.printStackTrace();
         }
         // should work with regular connector
         makeSSLConnection(context, null, connector);
     }

     public void testCipherSuitesDisabled() throws Exception {
         SSLContext context = SSLContext.getInstance("TLS");
         context.init(getKeyManager(), getTrustManager(), null);

         // Enable only one cipher suite which is not enabled on the server
         try {
             makeSSLConnection(context, new String[]{ "SSL_RSA_WITH_RC4_128_MD5" }, limitedCipherSuites);
             fail("expected failure on non allowed cipher suite");
         } catch (SSLException expectedOnNotAnAvailableSuite) {
         }

         // ok with the enabled one
         makeSSLConnection(context, new String[]{ "SSL_RSA_WITH_RC4_128_SHA" }, limitedCipherSuites);
     }

     private void makeSSLConnection(SSLContext context, String enabledSuites[], TransportConnector connector) throws Exception,
             UnknownHostException, SocketException {
         SSLSocket sslSocket = (SSLSocket) context.getSocketFactory().createSocket("localhost", connector.getUri().getPort());

         if (enabledSuites != null) {
             sslSocket.setEnabledCipherSuites(enabledSuites);
         }
         sslSocket.setSoTimeout(5000);

         SSLSession session = sslSocket.getSession();
         sslSocket.startHandshake();
         LOG.info("cyphersuite: " + session.getCipherSuite());
         LOG.info("peer port: " + session.getPeerPort());
         LOG.info("peer cert: " + session.getPeerCertificateChain()[0].toString());
     }

     public static TrustManager[] getTrustManager() throws Exception {
         TrustManager[] trustStoreManagers = null;
         KeyStore trustedCertStore = KeyStore.getInstance(SslTransportBrokerTest.KEYSTORE_TYPE);

         trustedCertStore.load(new FileInputStream(SslTransportBrokerTest.TRUST_KEYSTORE), null);
         TrustManagerFactory tmf  =
             TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());

         tmf.init(trustedCertStore);
         trustStoreManagers = tmf.getTrustManagers();
         return trustStoreManagers;
     }

     public static KeyManager[] getKeyManager() throws Exception {
         KeyManagerFactory kmf =
             KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
         KeyStore ks = KeyStore.getInstance(SslTransportBrokerTest.KEYSTORE_TYPE);
         KeyManager[] keystoreManagers = null;

         byte[] sslCert = loadClientCredential(SslTransportBrokerTest.SERVER_KEYSTORE);


         if (sslCert != null && sslCert.length > 0) {
             ByteArrayInputStream bin = new ByteArrayInputStream(sslCert);
             ks.load(bin, SslTransportBrokerTest.PASSWORD.toCharArray());
             kmf.init(ks, SslTransportBrokerTest.PASSWORD.toCharArray());
             keystoreManagers = kmf.getKeyManagers();
         }
         return keystoreManagers;
     }

     private static byte[] loadClientCredential(String fileName) throws IOException {
         if (fileName == null) {
             return null;
         }
         FileInputStream in = new FileInputStream(fileName);
         ByteArrayOutputStream out = new ByteArrayOutputStream();
         byte[] buf = new byte[512];
         int i = in.read(buf);
         while (i  > 0) {
             out.write(buf, 0, i);
             i = in.read(buf);
         }
         in.close();
         return out.toByteArray();
     }

     protected void setUp() throws Exception {
         maxWait = 10000;
         super.setUp();
     }

     public static Test suite() {
         return suite(SslBrokerServiceTest.class);
     }

     public static void main(String[] args) {
         TestRunner.run(suite());
     }
 }
	/**
	* Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with
	* this work for additional information regarding copyright ownership.
	* The ASF licenses this file to You under the Apache License, Version 2.0
	* (the "License"); you may not use this file except in compliance with
	* the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package org.apache.activemq.transport.tcp;

	import java.io.ByteArrayInputStream;
	import java.io.ByteArrayOutputStream;
	import java.io.FileInputStream;
	import java.io.IOException;
	import java.net.SocketException;
	import java.net.UnknownHostException;
	import java.security.KeyStore;

	import javax.net.ssl.KeyManager;
	import javax.net.ssl.KeyManagerFactory;
	import javax.net.ssl.SSLContext;
	import javax.net.ssl.SSLException;
	import javax.net.ssl.SSLSession;
	import javax.net.ssl.SSLSocket;
	import javax.net.ssl.TrustManager;
	import javax.net.ssl.TrustManagerFactory;

	import junit.framework.Test;
	import junit.textui.TestRunner;

	import org.apache.activemq.broker.BrokerService;
	import org.apache.activemq.broker.SslBrokerService;
	import org.apache.activemq.broker.SslContext;
	import org.apache.activemq.broker.TransportConnector;
	import org.apache.activemq.transport.TransportBrokerTestSupport;
	import org.apache.activemq.transport.TransportFactory;
	import org.slf4j.Logger;
	import org.slf4j.LoggerFactory;

	public class SslBrokerServiceTest extends TransportBrokerTestSupport {
	private static final Logger LOG = LoggerFactory.getLogger(SslBrokerServiceTest.class);

	TransportConnector needClientAuthConnector;
	TransportConnector limitedCipherSuites;

	protected String getBindLocation() {
	return "ssl://localhost:0";
	}

	@Override
	protected BrokerService createBroker() throws Exception {

	// http://java.sun.com/javase/javaseforbusiness/docs/TLSReadme.html
	// work around: javax.net.ssl.SSLHandshakeException: renegotiation is not allowed
	System.setProperty("sun.security.ssl.allowUnsafeRenegotiation", "true");

	SslBrokerService service = new SslBrokerService();
	service.setPersistent(false);

	KeyManager[] km = getKeyManager();
	TrustManager[] tm = getTrustManager();
	connector = service.addSslConnector(getBindLocation(), km, tm, null);
	limitedCipherSuites = service.addSslConnector("ssl://localhost:0?transport.enabledCipherSuites=SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA", km, tm, null);
	needClientAuthConnector = service.addSslConnector("ssl://localhost:0?transport.needClientAuth=true", km, tm, null);

	// for client side
	SslTransportFactory sslFactory = new SslTransportFactory();
	SslContext ctx = new SslContext(km, tm, null);
	SslContext.setCurrentSslContext(ctx);
	TransportFactory.registerTransportFactory("ssl", sslFactory);

	return service;
	}

	public void testNeedClientAuth() throws Exception {
	SSLContext context = SSLContext.getInstance("TLS");
	// no client cert
	context.init(null, getTrustManager(), null);

	try {
	makeSSLConnection(context, null, needClientAuthConnector);
	fail("expected failure on no client cert");
	} catch (SSLException expected) {
	expected.printStackTrace();
	}
	// should work with regular connector
	makeSSLConnection(context, null, connector);
	}

	public void testCipherSuitesDisabled() throws Exception {
	SSLContext context = SSLContext.getInstance("TLS");
	context.init(getKeyManager(), getTrustManager(), null);

	// Enable only one cipher suite which is not enabled on the server
	try {
	makeSSLConnection(context, new String[]{ "SSL_RSA_WITH_RC4_128_MD5" }, limitedCipherSuites);
	fail("expected failure on non allowed cipher suite");
	} catch (SSLException expectedOnNotAnAvailableSuite) {
	}

	// ok with the enabled one
	makeSSLConnection(context, new String[]{ "SSL_RSA_WITH_RC4_128_SHA" }, limitedCipherSuites);
	}

	private void makeSSLConnection(SSLContext context, String enabledSuites[], TransportConnector connector) throws Exception,
	UnknownHostException, SocketException {
	SSLSocket sslSocket = (SSLSocket) context.getSocketFactory().createSocket("localhost", connector.getUri().getPort());

	if (enabledSuites != null) {
	sslSocket.setEnabledCipherSuites(enabledSuites);
	}
	sslSocket.setSoTimeout(5000);

	SSLSession session = sslSocket.getSession();
	sslSocket.startHandshake();
	LOG.info("cyphersuite: " + session.getCipherSuite());
	LOG.info("peer port: " + session.getPeerPort());
	LOG.info("peer cert: " + session.getPeerCertificateChain()[0].toString());
	}

	public static TrustManager[] getTrustManager() throws Exception {
	TrustManager[] trustStoreManagers = null;
	KeyStore trustedCertStore = KeyStore.getInstance(SslTransportBrokerTest.KEYSTORE_TYPE);

	trustedCertStore.load(new FileInputStream(SslTransportBrokerTest.TRUST_KEYSTORE), null);
	TrustManagerFactory tmf =
	TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());

	tmf.init(trustedCertStore);
	trustStoreManagers = tmf.getTrustManagers();
	return trustStoreManagers;
	}

	public static KeyManager[] getKeyManager() throws Exception {
	KeyManagerFactory kmf =
	KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
	KeyStore ks = KeyStore.getInstance(SslTransportBrokerTest.KEYSTORE_TYPE);
	KeyManager[] keystoreManagers = null;

	byte[] sslCert = loadClientCredential(SslTransportBrokerTest.SERVER_KEYSTORE);


	if (sslCert != null && sslCert.length > 0) {
	ByteArrayInputStream bin = new ByteArrayInputStream(sslCert);
	ks.load(bin, SslTransportBrokerTest.PASSWORD.toCharArray());
	kmf.init(ks, SslTransportBrokerTest.PASSWORD.toCharArray());
	keystoreManagers = kmf.getKeyManagers();
	}
	return keystoreManagers;
	}

	private static byte[] loadClientCredential(String fileName) throws IOException {
	if (fileName == null) {
	return null;
	}
	FileInputStream in = new FileInputStream(fileName);
	ByteArrayOutputStream out = new ByteArrayOutputStream();
	byte[] buf = new byte[512];
	int i = in.read(buf);
	while (i > 0) {
	out.write(buf, 0, i);
	i = in.read(buf);
	}
	in.close();
	return out.toByteArray();
	}

	protected void setUp() throws Exception {
	maxWait = 10000;
	super.setUp();
	}

	public static Test suite() {
	return suite(SslBrokerServiceTest.class);
	}

	public static void main(String[] args) {
	TestRunner.run(suite());
	}
	}