QPID-8402: [Broker-J] Generate TLS resources on the fly
diff --git a/broker-core/pom.xml b/broker-core/pom.xml
index 04aa668..32dc4f3 100644
--- a/broker-core/pom.xml
+++ b/broker-core/pom.xml
@@ -94,7 +94,67 @@
<dependency>
<groupId>org.apache.directory.server</groupId>
- <artifactId>apacheds-all</artifactId>
+ <artifactId>apacheds-core</artifactId>
+ <scope>test</scope>
+ </dependency>
+
+ <dependency>
+ <groupId>org.apache.directory.server</groupId>
+ <artifactId>apacheds-core-annotations</artifactId>
+ <scope>test</scope>
+ </dependency>
+
+ <dependency>
+ <groupId>org.apache.directory.server</groupId>
+ <artifactId>apacheds-core-api</artifactId>
+ <scope>test</scope>
+ </dependency>
+
+ <dependency>
+ <groupId>org.apache.directory.server</groupId>
+ <artifactId>apacheds-interceptor-kerberos</artifactId>
+ <scope>test</scope>
+ </dependency>
+
+ <dependency>
+ <groupId>org.apache.directory.server</groupId>
+ <artifactId>apacheds-kerberos-codec</artifactId>
+ <scope>test</scope>
+ </dependency>
+
+ <dependency>
+ <groupId>org.apache.directory.server</groupId>
+ <artifactId>apacheds-protocol-kerberos</artifactId>
+ <scope>test</scope>
+ </dependency>
+
+ <dependency>
+ <groupId>org.apache.directory.server</groupId>
+ <artifactId>apacheds-protocol-ldap</artifactId>
+ <scope>test</scope>
+ </dependency>
+
+ <dependency>
+ <groupId>org.apache.directory.server</groupId>
+ <artifactId>apacheds-protocol-shared</artifactId>
+ <scope>test</scope>
+ </dependency>
+
+ <dependency>
+ <groupId>org.apache.directory.server</groupId>
+ <artifactId>apacheds-server-annotations</artifactId>
+ <scope>test</scope>
+ </dependency>
+
+ <dependency>
+ <groupId>org.apache.directory.server</groupId>
+ <artifactId>apacheds-server-config</artifactId>
+ <scope>test</scope>
+ </dependency>
+
+ <dependency>
+ <groupId>org.apache.directory.server</groupId>
+ <artifactId>apacheds-test-framework</artifactId>
<scope>test</scope>
</dependency>
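Review bot: The eleven `apacheds-*` artifacts added in place of `apacheds-all` declare no `<version>`, so they all have to be pinned in a parent `<dependencyManagement>` outside this diff; a module missing there fails the build loudly, but one managed at a different version from the old bundle could change the Kerberos/LDAP test fixtures silently. `apacheds-all` is presumably a shaded bundle, so switching to individual modules may also put previously-bundled transitive artifacts onto the test classpath, which is worth checking with `mvn dependency:tree -Dscope=test` for version conflicts with dependencies the broker already manages. Every entry is `<scope>test</scope>`, so the shipped broker artifact is unaffected.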
diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/FileKeyStoreTest.java b/broker-core/src/test/java/org/apache/qpid/server/security/FileKeyStoreTest.java
index 834531c..4281201 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/security/FileKeyStoreTest.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/security/FileKeyStoreTest.java
@@ -20,52 +20,63 @@
package org.apache.qpid.server.security;
-import static org.apache.qpid.server.security.FileTrustStoreTest.createDataUrlForFile;
-import static org.hamcrest.CoreMatchers.equalTo;
-import static org.hamcrest.CoreMatchers.is;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
-import static org.junit.Assume.assumeThat;
-import java.io.File;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.StandardCopyOption;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.net.ssl.KeyManager;
+import org.junit.ClassRule;
+import org.junit.Test;
+
+import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.BrokerModel;
import org.apache.qpid.server.model.BrokerTestHelper;
import org.apache.qpid.server.model.ConfiguredObjectFactory;
-import org.apache.qpid.test.utils.UnitTestBase;
-import org.junit.Test;
-
-import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.model.KeyStore;
-import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
+import org.apache.qpid.test.utils.tls.CertificateEntry;
+import org.apache.qpid.test.utils.tls.KeyCertificatePair;
+import org.apache.qpid.test.utils.tls.PrivateKeyEntry;
+import org.apache.qpid.test.utils.tls.SecretKeyEntry;
+import org.apache.qpid.test.utils.tls.TlsResource;
import org.apache.qpid.server.util.DataUrlUtils;
-import org.apache.qpid.test.utils.TestFileUtils;
-import org.apache.qpid.test.utils.TestSSLConstants;
+import org.apache.qpid.test.utils.UnitTestBase;
+import org.apache.qpid.test.utils.tls.TlsResourceBuilder;
+import org.apache.qpid.test.utils.tls.TlsResourceHelper;
public class FileKeyStoreTest extends UnitTestBase
{
+ @ClassRule
+ public static final TlsResource TLS_RESOURCE = new TlsResource();
+
private static final Broker BROKER = BrokerTestHelper.createBrokerMock();
private static final ConfiguredObjectFactory FACTORY = BrokerModel.getInstance().getObjectFactory();
+ private static final String DN_FOO = "CN=foo";
+ private static final String DN_BAR = "CN=bar";
+ private static final String NAME = "myFileKeyStore";
+ private static final String SECRET_KEY_ALIAS = "secret-key-alias";
@Test
public void testCreateKeyStoreFromFile_Success() throws Exception
{
- Map<String,Object> attributes = new HashMap<>();
- attributes.put(FileKeyStore.NAME, "myFileKeyStore");
- attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.BROKER_KEYSTORE);
- attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
- attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+ final Path keyStoreFile = TLS_RESOURCE.createSelfSignedKeyStore(DN_FOO);
+ Map<String, Object> attributes = new HashMap<>();
+ attributes.put(FileKeyStore.NAME, NAME);
+ attributes.put(FileKeyStore.STORE_URL, keyStoreFile.toFile().getAbsolutePath());
+ attributes.put(FileKeyStore.PASSWORD, TLS_RESOURCE.getSecret());
+ attributes.put(FileKeyStore.KEY_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
- FileKeyStoreImpl fileKeyStore = (FileKeyStoreImpl) FACTORY.create(KeyStore.class, attributes, BROKER);
+ final KeyStore<?> fileKeyStore = createFileKeyStore(attributes);
KeyManager[] keyManager = fileKeyStore.getKeyManagers();
assertNotNull(keyManager);
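Review bot: The new `org.apache.qpid.test.utils.tls.*` imports are split into two groups, one wedged between the `org.apache.qpid.server.model.KeyStore` and `org.apache.qpid.server.util.DataUrlUtils` imports and one after `UnitTestBase`, so the `org.apache.qpid.server` and `org.apache.qpid.test` packages are interleaved rather than kept contiguous. FileTrustStoreTest in this same commit shows the same interleaving around its `server.transport` and `server.util` imports. Moving the whole `org.apache.qpid.test.utils.tls` group to follow `import org.apache.qpid.test.utils.UnitTestBase;` in both files keeps each package block together and matches how the rest of the file is ordered.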
@@ -76,14 +87,15 @@
@Test
public void testCreateKeyStoreWithAliasFromFile_Success() throws Exception
{
- Map<String,Object> attributes = new HashMap<>();
- attributes.put(FileKeyStore.NAME, "myFileKeyStore");
- attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.BROKER_KEYSTORE);
- attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
- attributes.put(FileKeyStore.CERTIFICATE_ALIAS, TestSSLConstants.BROKER_KEYSTORE_ALIAS);
- attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+ final Path keyStoreFile = TLS_RESOURCE.createSelfSignedKeyStore(DN_FOO);
+ Map<String, Object> attributes = new HashMap<>();
+ attributes.put(FileKeyStore.NAME, NAME);
+ attributes.put(FileKeyStore.STORE_URL, keyStoreFile.toFile().getAbsolutePath());
+ attributes.put(FileKeyStore.PASSWORD, TLS_RESOURCE.getSecret());
+ attributes.put(FileKeyStore.CERTIFICATE_ALIAS, TLS_RESOURCE.getPrivateKeyAlias());
+ attributes.put(FileKeyStore.KEY_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
- FileKeyStoreImpl fileKeyStore = (FileKeyStoreImpl) FACTORY.create(KeyStore.class, attributes, BROKER);
+ final KeyStore<?> fileKeyStore = createFileKeyStore(attributes);
KeyManager[] keyManager = fileKeyStore.getKeyManagers();
assertNotNull(keyManager);
@@ -92,58 +104,69 @@
}
@Test
- public void testCreateKeyStoreFromFile_WrongPassword()
+ public void testCreateKeyStoreFromFile_WrongPassword() throws Exception
{
- Map<String,Object> attributes = new HashMap<>();
- attributes.put(FileKeyStore.NAME, "myFileKeyStore");
- attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.BROKER_KEYSTORE);
- attributes.put(FileKeyStore.PASSWORD, "wrong");
- attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+ final Path keyStoreFile = TLS_RESOURCE.createSelfSignedKeyStore(DN_FOO);
+ Map<String, Object> attributes = new HashMap<>();
+ attributes.put(FileKeyStore.NAME, NAME);
+ attributes.put(FileKeyStore.STORE_URL, keyStoreFile.toFile().getAbsolutePath());
+ attributes.put(FileKeyStore.PASSWORD, TLS_RESOURCE.getSecret() + "_");
+ attributes.put(FileKeyStore.KEY_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
- KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
- "Check key store password");
+ KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY,
+ BROKER,
+ KeyStore.class, attributes,
+ "Check key store password");
}
@Test
- public void testCreateKeyStoreFromFile_UnknownAlias()
+ public void testCreateKeyStoreFromFile_UnknownAlias() throws Exception
{
- Map<String,Object> attributes = new HashMap<>();
- attributes.put(FileKeyStore.NAME, "myFileKeyStore");
- attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.CLIENT_KEYSTORE);
- attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
- attributes.put(FileKeyStore.CERTIFICATE_ALIAS, "notknown");
- attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+ final Path keyStoreFile = TLS_RESOURCE.createSelfSignedKeyStore(DN_FOO);
+ final String unknownAlias = TLS_RESOURCE.getPrivateKeyAlias() + "_";
+ Map<String, Object> attributes = new HashMap<>();
+ attributes.put(FileKeyStore.NAME, NAME);
+ attributes.put(FileKeyStore.STORE_URL, keyStoreFile.toFile().getAbsolutePath());
+ attributes.put(FileKeyStore.PASSWORD, TLS_RESOURCE.getSecret());
+ attributes.put(FileKeyStore.CERTIFICATE_ALIAS, unknownAlias);
+ attributes.put(FileKeyStore.KEY_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
- KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
- "Cannot find a certificate with alias 'notknown' in key store");
+ KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY,
+ BROKER,
+ KeyStore.class,
+ attributes,
+ String.format(
+ "Cannot find a certificate with alias '%s' in key store",
+ unknownAlias));
}
@Test
- public void testCreateKeyStoreFromFile_NonKeyAlias()
+ public void testCreateKeyStoreFromFile_NonKeyAlias() throws Exception
{
- Map<String,Object> attributes = new HashMap<>();
- attributes.put(FileKeyStore.NAME, "myFileKeyStore");
- attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.CLIENT_KEYSTORE);
- attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
- attributes.put(FileKeyStore.CERTIFICATE_ALIAS, TestSSLConstants.CERT_ALIAS_ROOT_CA);
- attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+ final Path keyStoreFile = TLS_RESOURCE.createSelfSignedTrustStore(DN_FOO);
+ Map<String, Object> attributes = new HashMap<>();
+ attributes.put(FileKeyStore.NAME, NAME);
+ attributes.put(FileKeyStore.STORE_URL, keyStoreFile.toFile().getAbsolutePath());
+ attributes.put(FileKeyStore.PASSWORD, TLS_RESOURCE.getSecret());
+ attributes.put(FileKeyStore.CERTIFICATE_ALIAS, TLS_RESOURCE.getCertificateAlias());
+ attributes.put(FileKeyStore.KEY_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
- "does not identify a private key");
+ "does not identify a private key");
}
@Test
public void testCreateKeyStoreFromDataUrl_Success() throws Exception
{
- String trustStoreAsDataUrl = createDataUrlForFile(TestSSLConstants.BROKER_KEYSTORE);
+ final String keyStoreAsDataUrl = TLS_RESOURCE.createSelfSignedKeyStoreAsDataUrl(DN_FOO);
- Map<String,Object> attributes = new HashMap<>();
- attributes.put(FileKeyStore.NAME, "myFileKeyStore");
- attributes.put(FileKeyStore.STORE_URL, trustStoreAsDataUrl);
- attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
- attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+ Map<String, Object> attributes = new HashMap<>();
+ attributes.put(FileKeyStore.NAME, NAME);
+ attributes.put(FileKeyStore.STORE_URL, keyStoreAsDataUrl);
+ attributes.put(FileKeyStore.PASSWORD, TLS_RESOURCE.getSecret());
+ attributes.put(FileKeyStore.KEY_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
- FileKeyStoreImpl fileKeyStore = (FileKeyStoreImpl) FACTORY.create(KeyStore.class, attributes, BROKER);
+ final KeyStore<?> fileKeyStore = createFileKeyStore(attributes);
KeyManager[] keyManagers = fileKeyStore.getKeyManagers();
assertNotNull(keyManagers);
@@ -154,16 +177,16 @@
@Test
public void testCreateKeyStoreWithAliasFromDataUrl_Success() throws Exception
{
- String trustStoreAsDataUrl = createDataUrlForFile(TestSSLConstants.BROKER_KEYSTORE);
+ final String keyStoreAsDataUrl = TLS_RESOURCE.createSelfSignedKeyStoreAsDataUrl(DN_FOO);
- Map<String,Object> attributes = new HashMap<>();
- attributes.put(FileKeyStore.NAME, "myFileKeyStore");
- attributes.put(FileKeyStore.STORE_URL, trustStoreAsDataUrl);
- attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
- attributes.put(FileKeyStore.CERTIFICATE_ALIAS, TestSSLConstants.BROKER_KEYSTORE_ALIAS);
- attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+ Map<String, Object> attributes = new HashMap<>();
+ attributes.put(FileKeyStore.NAME, NAME);
+ attributes.put(FileKeyStore.STORE_URL, keyStoreAsDataUrl);
+ attributes.put(FileKeyStore.PASSWORD, TLS_RESOURCE.getSecret());
+ attributes.put(FileKeyStore.CERTIFICATE_ALIAS, TLS_RESOURCE.getPrivateKeyAlias());
+ attributes.put(FileKeyStore.KEY_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
- FileKeyStoreImpl fileKeyStore = (FileKeyStoreImpl) FACTORY.create(KeyStore.class, attributes, BROKER);
+ final KeyStore<?> fileKeyStore = createFileKeyStore(attributes);
KeyManager[] keyManagers = fileKeyStore.getKeyManagers();
assertNotNull(keyManagers);
@@ -174,16 +197,15 @@
@Test
public void testCreateKeyStoreFromDataUrl_WrongPassword() throws Exception
{
- String keyStoreAsDataUrl = createDataUrlForFile(TestSSLConstants.BROKER_KEYSTORE);
+ final String keyStoreAsDataUrl = TLS_RESOURCE.createSelfSignedKeyStoreAsDataUrl(DN_FOO);
- Map<String,Object> attributes = new HashMap<>();
- attributes.put(FileKeyStore.NAME, "myFileKeyStore");
- attributes.put(FileKeyStore.PASSWORD, "wrong");
+ Map<String, Object> attributes = new HashMap<>();
+ attributes.put(FileKeyStore.NAME, NAME);
+ attributes.put(FileKeyStore.PASSWORD, TLS_RESOURCE.getSecret() + "_");
attributes.put(FileKeyStore.STORE_URL, keyStoreAsDataUrl);
- attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
- "Check key store password");
+ "Check key store password");
}
@Test
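Review bot: `testCreateKeyStoreFromDataUrl_WrongPassword` no longer sets `FileKeyStore.KEY_STORE_TYPE` (the removed line is not re-added), whereas the file-based wrong-password test and the other data-URL tests in this file still set it to `TLS_RESOURCE.getKeyStoreType()`. If the broker's default store type differs from the type `TlsResource` generates, creation could fail on the type rather than the password, and the test would then only pass if both paths happen to report "Check key store password". `testReloadKeystore` later in this file has the same omission, where the old version passed `keyStore.getType()` explicitly. Adding `attributes.put(FileKeyStore.KEY_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());` to both keeps them on the intended failure path.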
@@ -191,87 +213,105 @@
{
String keyStoreAsDataUrl = DataUrlUtils.getDataUrlForBytes("notatruststore".getBytes());
- Map<String,Object> attributes = new HashMap<>();
- attributes.put(FileKeyStore.NAME, "myFileKeyStore");
- attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
+ Map<String, Object> attributes = new HashMap<>();
+ attributes.put(FileKeyStore.NAME, NAME);
+ attributes.put(FileKeyStore.PASSWORD, TLS_RESOURCE.getSecret());
attributes.put(FileKeyStore.STORE_URL, keyStoreAsDataUrl);
KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
- "Cannot instantiate key store");
+ "Cannot instantiate key store");
}
@Test
public void testCreateKeyStoreFromDataUrl_UnknownAlias() throws Exception
{
- String keyStoreAsDataUrl = createDataUrlForFile(TestSSLConstants.BROKER_KEYSTORE);
+ final String keyStoreAsDataUrl = TLS_RESOURCE.createSelfSignedKeyStoreAsDataUrl(DN_FOO);
+ final String unknownAlias = TLS_RESOURCE.getPrivateKeyAlias() + "_";
- Map<String,Object> attributes = new HashMap<>();
- attributes.put(FileKeyStore.NAME, "myFileKeyStore");
- attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
+ Map<String, Object> attributes = new HashMap<>();
+ attributes.put(FileKeyStore.NAME, NAME);
+ attributes.put(FileKeyStore.PASSWORD, TLS_RESOURCE.getSecret());
attributes.put(FileKeyStore.STORE_URL, keyStoreAsDataUrl);
- attributes.put(FileKeyStore.CERTIFICATE_ALIAS, "notknown");
- attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+ attributes.put(FileKeyStore.CERTIFICATE_ALIAS, unknownAlias);
+ attributes.put(FileKeyStore.KEY_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
- KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
- "Cannot find a certificate with alias 'notknown' in key store");
+ KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY,
+ BROKER,
+ KeyStore.class,
+ attributes,
+ String.format(
+ "Cannot find a certificate with alias '%s' in key store",
+ unknownAlias));
}
@Test
- public void testEmptyKeystoreRejected()
+ public void testEmptyKeystoreRejected() throws Exception
{
- Map<String,Object> attributes = new HashMap<>();
- attributes.put(FileKeyStore.NAME, "myFileKeyStore");
- attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
- attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.TEST_EMPTY_KEYSTORE);
+ final Path keyStoreFile = TLS_RESOURCE.createKeyStore();
- KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
- "must contain at least one private key");
+ Map<String, Object> attributes = new HashMap<>();
+ attributes.put(FileKeyStore.NAME, NAME);
+ attributes.put(FileKeyStore.PASSWORD, TLS_RESOURCE.getSecret());
+ attributes.put(FileKeyStore.STORE_URL, keyStoreFile.toFile().getAbsolutePath());
+
+ KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY,
+ BROKER,
+ KeyStore.class,
+ attributes,
+ "must contain at least one private key");
}
@Test
- public void testKeystoreWithNoPrivateKeyRejected()
+ public void testKeystoreWithNoPrivateKeyRejected() throws Exception
{
- Map<String,Object> attributes = new HashMap<>();
+ final Path keyStoreFile = TLS_RESOURCE.createSelfSignedTrustStore(DN_FOO);
+
+ Map<String, Object> attributes = new HashMap<>();
attributes.put(FileKeyStore.NAME, getTestName());
- attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
- attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.TEST_CERT_ONLY_KEYSTORE);
- attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+ attributes.put(FileKeyStore.PASSWORD, TLS_RESOURCE.getSecret());
+ attributes.put(FileKeyStore.STORE_URL, keyStoreFile.toFile().getAbsolutePath());
+ attributes.put(FileKeyStore.KEY_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
- "must contain at least one private key");
+ "must contain at least one private key");
}
@Test
- public void testSymmetricKeysIgnored()
+ public void testSymmetricKeysIgnored() throws Exception
{
- Map<String,Object> attributes = new HashMap<>();
- attributes.put(FileKeyStore.NAME, "myFileKeyStore");
- attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
- attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.TEST_SYMMETRIC_KEY_KEYSTORE);
- attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+ final String keyStoreType = "jceks"; // or jks
+ final Path keyStoreFile = createSelfSignedKeyStoreWithSecretKeyAndCertificate(keyStoreType, DN_FOO);
- KeyStore keyStore = (KeyStore) FACTORY.create(KeyStore.class, attributes, BROKER);
+ Map<String, Object> attributes = new HashMap<>();
+ attributes.put(FileKeyStore.NAME, NAME);
+ attributes.put(FileKeyStore.PASSWORD, TLS_RESOURCE.getSecret());
+ attributes.put(FileKeyStore.STORE_URL, keyStoreFile);
+ attributes.put(FileKeyStore.KEY_STORE_TYPE, keyStoreType);
+
+ KeyStore<?> keyStore = createFileKeyStore(attributes);
assertNotNull(keyStore);
}
@Test
- public void testUpdateKeyStore_Success()
+ public void testUpdateKeyStore_Success() throws Exception
{
- Map<String,Object> attributes = new HashMap<>();
- attributes.put(FileKeyStore.NAME, "myFileKeyStore");
- attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.BROKER_KEYSTORE);
- attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
- attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+ final Path keyStoreFile = TLS_RESOURCE.createSelfSignedKeyStore(DN_FOO);
+ Map<String, Object> attributes = new HashMap<>();
+ attributes.put(FileKeyStore.NAME, NAME);
- FileKeyStoreImpl fileKeyStore = (FileKeyStoreImpl) FACTORY.create(KeyStore.class, attributes, BROKER);
+ attributes.put(FileKeyStore.STORE_URL, keyStoreFile.toFile().getAbsolutePath());
+ attributes.put(FileKeyStore.PASSWORD, TLS_RESOURCE.getSecret());
+ attributes.put(FileKeyStore.KEY_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
+
+ final FileKeyStore<?> fileKeyStore = createFileKeyStore(attributes);
assertNull("Unexpected alias value before change", fileKeyStore.getCertificateAlias());
+ String unknownAlias = TLS_RESOURCE.getSecret() + "_";
+ Map<String, Object> unacceptableAttributes = new HashMap<>();
+ unacceptableAttributes.put(FileKeyStore.CERTIFICATE_ALIAS, unknownAlias);
try
{
- Map<String,Object> unacceptableAttributes = new HashMap<>();
- unacceptableAttributes.put(FileKeyStore.CERTIFICATE_ALIAS, "notknown");
-
fileKeyStore.setAttributes(unacceptableAttributes);
fail("Exception not thrown");
}
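Review bot: The `// or jks` comment in `testSymmetricKeysIgnored` is misleading: the store built by `createSelfSignedKeyStoreWithSecretKeyAndCertificate` includes a `SecretKeyEntry`, and the JDK's JKS implementation rejects non-private-key entries, so only `jceks` can work here; `final String keyStoreType = "jceks"; // JKS cannot hold the SecretKeyEntry added by the helper` says why. In the same test `attributes.put(FileKeyStore.STORE_URL, keyStoreFile);` passes the `Path` object itself, while every other test passes `keyStoreFile.toFile().getAbsolutePath()`, so it presumably relies on the attribute converter calling `toString()`; using the same form avoids that dependency. In `testUpdateKeyStore_Success`, `String unknownAlias = TLS_RESOURCE.getSecret() + "_";` derives the bogus alias from the store password, which both differs from the `getPrivateKeyAlias() + "_"` used by the other unknown-alias tests and puts the password into the expected exception text; `String unknownAlias = TLS_RESOURCE.getPrivateKeyAlias() + "_";` is consistent and keeps the secret out of messages. `testUpdateKeyStore_Success` continues past the end of this hunk.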
@@ -279,66 +319,52 @@
{
String message = e.getMessage();
assertTrue("Exception text not as unexpected:" + message,
- message.contains("Cannot find a certificate with alias 'notknown' in key store"));
+ message.contains(String.format("Cannot find a certificate with alias '%s' in key store",
+ unknownAlias)));
}
assertNull("Unexpected alias value after failed change", fileKeyStore.getCertificateAlias());
- Map<String,Object> changedAttributes = new HashMap<>();
- changedAttributes.put(FileKeyStore.CERTIFICATE_ALIAS, TestSSLConstants.BROKER_KEYSTORE_ALIAS);
+ Map<String, Object> changedAttributes = new HashMap<>();
+ changedAttributes.put(FileKeyStore.CERTIFICATE_ALIAS, TLS_RESOURCE.getPrivateKeyAlias());
fileKeyStore.setAttributes(changedAttributes);
assertEquals("Unexpected alias value after change that is expected to be successful",
- TestSSLConstants.BROKER_KEYSTORE_ALIAS, fileKeyStore.getCertificateAlias());
-
+ TLS_RESOURCE.getPrivateKeyAlias(),
+ fileKeyStore.getCertificateAlias());
}
@Test
public void testReloadKeystore() throws Exception
{
- assumeThat(SSLUtil.canGenerateCerts(), is(equalTo(true)));
+ final Path keyStorePath = TLS_RESOURCE.createSelfSignedKeyStoreWithCertificate(DN_FOO);
+ final Path keyStorePath2 = TLS_RESOURCE.createSelfSignedKeyStoreWithCertificate(DN_BAR);
+ final Map<String, Object> attributes = new HashMap<>();
+ attributes.put(FileKeyStore.NAME, getTestName());
+ attributes.put(FileKeyStore.STORE_URL, keyStorePath.toFile().getAbsolutePath());
+ attributes.put(FileKeyStore.PASSWORD, TLS_RESOURCE.getSecret());
- final SSLUtil.KeyCertPair selfSigned1 = KeyStoreTestHelper.generateSelfSigned("CN=foo");
- final SSLUtil.KeyCertPair selfSigned2 = KeyStoreTestHelper.generateSelfSigned("CN=bar");
+ final FileKeyStore<?> keyStoreObject = createFileKeyStore(attributes);
- final File keyStoreFile = TestFileUtils.createTempFile(this, ".ks");
- final String dummy = "changit";
- final char[] pass = dummy.toCharArray();
- final String certificateAlias = "test1";
- final String keyAlias = "test2";
- try
- {
- final java.security.KeyStore keyStore =
- KeyStoreTestHelper.saveKeyStore(selfSigned1, certificateAlias, keyAlias, pass, keyStoreFile);
+ final CertificateDetails certificate = getCertificate(keyStoreObject);
+ assertEquals(DN_FOO, certificate.getIssuerName());
- final Map<String, Object> attributes = new HashMap<>();
- attributes.put(FileKeyStore.NAME, getTestName());
- attributes.put(FileKeyStore.STORE_URL, keyStoreFile.getAbsolutePath());
- attributes.put(FileKeyStore.PASSWORD, dummy);
- attributes.put(FileKeyStore.KEY_STORE_TYPE, keyStore.getType());
+ Files.copy(keyStorePath2, keyStorePath, StandardCopyOption.REPLACE_EXISTING);
- final FileKeyStore keyStoreObject = (FileKeyStore) FACTORY.create(KeyStore.class, attributes, BROKER);
+ keyStoreObject.reload();
- final CertificateDetails certificate = getCertificate(keyStoreObject);
- assertEquals("CN=foo", certificate.getIssuerName());
-
- assertTrue(keyStoreFile.delete());
- assertTrue(keyStoreFile.createNewFile());keyStoreFile.deleteOnExit();
- KeyStoreTestHelper.saveKeyStore(selfSigned2, certificateAlias, keyAlias, pass, keyStoreFile);
-
- keyStoreObject.reload();
-
- final CertificateDetails certificate2 = getCertificate(keyStoreObject);
- assertEquals("CN=bar", certificate2.getIssuerName());
- }
- finally
- {
- assertTrue(keyStoreFile.delete());
- }
+ final CertificateDetails certificate2 = getCertificate(keyStoreObject);
+ assertEquals(DN_BAR, certificate2.getIssuerName());
}
- public CertificateDetails getCertificate(final FileKeyStore keyStore)
+ @SuppressWarnings("unchecked")
+ private FileKeyStore<?> createFileKeyStore(final Map<String, Object> attributes)
+ {
+ return (FileKeyStore<?>) FACTORY.create(KeyStore.class, attributes, BROKER);
+ }
+
+ private CertificateDetails getCertificate(final FileKeyStore<?> keyStore)
{
final List<CertificateDetails> certificates = keyStore.getCertificateDetails();
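Review bot: `createFileKeyStore` carries `@SuppressWarnings("unchecked")` with no comment saying which warning it masks; a cast to the unbounded `FileKeyStore<?>` is not itself an unchecked cast, so the warning presumably comes from passing the raw `KeyStore.class` literal to the generic `FACTORY.create`. A one-line reason keeps the suppression from being copied into the next helper without thought: `// KeyStore.class is a raw class literal, so FACTORY.create is an unchecked call — confirm before widening`. A short Javadoc such as `/** Creates a FileKeyStore through the model factory against the mock broker. */` would also help, since every test in the file now goes through this helper. `getCertificate` starts in this hunk but its body continues past it.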
@@ -347,4 +373,17 @@
return certificates.get(0);
}
+
+
+ public Path createSelfSignedKeyStoreWithSecretKeyAndCertificate(final String keyStoreType, final String dn)
+ throws Exception
+ {
+ final KeyCertificatePair keyCertPair = TlsResourceBuilder.createSelfSigned(dn);
+
+ return TLS_RESOURCE.createKeyStore(keyStoreType, new PrivateKeyEntry(TLS_RESOURCE.getPrivateKeyAlias(),
+ keyCertPair.getPrivateKey(),
+ keyCertPair.getCertificate()),
+ new CertificateEntry(TLS_RESOURCE.getCertificateAlias(), keyCertPair.getCertificate()),
+ new SecretKeyEntry(SECRET_KEY_ALIAS, TlsResourceHelper.createAESSecretKey()));
+ }
}
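Review bot: `createSelfSignedKeyStoreWithSecretKeyAndCertificate` is declared `public` although it is a fixture helper used only by `testSymmetricKeysIgnored`, while the sibling helpers `createFileKeyStore` and `getCertificate` were made `private` in this same commit; `private Path createSelfSignedKeyStoreWithSecretKeyAndCertificate(final String keyStoreType, final String dn)` keeps the test class's surface consistent. The two consecutive blank lines before it are also out of step with the single blank line used between the other methods. A brief Javadoc noting that the store gets a private-key entry, a certificate entry for the same self-signed certificate, and an AES secret key under `SECRET_KEY_ALIAS` would make the intent of the three entries clear to the reader of the symmetric-key test.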
diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/FileTrustStoreTest.java b/broker-core/src/test/java/org/apache/qpid/server/security/FileTrustStoreTest.java
index 6ca59a8..c5cf7a1 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/security/FileTrustStoreTest.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/security/FileTrustStoreTest.java
@@ -31,15 +31,19 @@
import static org.junit.Assert.fail;
import static org.junit.Assume.assumeThat;
-import java.io.File;
import java.io.FileInputStream;
-import java.io.IOException;
import java.io.InputStream;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.StandardCopyOption;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.X509Certificate;
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
+import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
@@ -47,38 +51,55 @@
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
-import com.google.common.io.ByteStreams;
+import org.junit.ClassRule;
+import org.junit.Test;
+
+import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.BrokerModel;
import org.apache.qpid.server.model.BrokerTestHelper;
import org.apache.qpid.server.model.ConfiguredObjectFactory;
-import org.apache.qpid.test.utils.UnitTestBase;
-import org.junit.Test;
-
-import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.model.TrustStore;
+import org.apache.qpid.test.utils.tls.CertificateEntry;
+import org.apache.qpid.test.utils.tls.KeyCertificatePair;
+import org.apache.qpid.test.utils.tls.PrivateKeyEntry;
+import org.apache.qpid.test.utils.tls.SecretKeyEntry;
+import org.apache.qpid.test.utils.tls.TlsResource;
import org.apache.qpid.server.transport.network.security.ssl.QpidPeersOnlyTrustManager;
-import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
+import org.apache.qpid.test.utils.tls.TlsResourceBuilder;
import org.apache.qpid.server.util.DataUrlUtils;
-import org.apache.qpid.test.utils.TestFileUtils;
-import org.apache.qpid.test.utils.TestSSLConstants;
+import org.apache.qpid.test.utils.UnitTestBase;
+import org.apache.qpid.test.utils.tls.TlsResourceHelper;
public class FileTrustStoreTest extends UnitTestBase
{
+ @ClassRule
+ public static final TlsResource TLS_RESOURCE = new TlsResource();
+
private static final Broker BROKER = BrokerTestHelper.createBrokerMock();
private static final ConfiguredObjectFactory FACTORY = BrokerModel.getInstance().getObjectFactory();
+ private static final String DN_FOO = "CN=foo";
+ private static final String DN_BAR = "CN=bar";
+ private static final String DN_CA = "CN=CA";
+ private static final String CERTIFICATE_ALIAS_A = "a";
+ private static final String CERTIFICATE_ALIAS_B = "b";
+ private static final String NOT_A_CRL = "/not/a/crl";
+ private static final String NAME = "myFileTrustStore";
+ private static final String NOT_A_TRUSTSTORE = "/not/a/truststore";
+ private static final String SECRET_KEY_ALIAS = "secret-key-alias";
@Test
- public void testCreateTrustStoreFromFile_Success() throws Exception
+ public void testCreateFileTrustStoreWithoutCRL() throws Exception
{
- Map<String,Object> attributes = new HashMap<>();
- attributes.put(FileTrustStore.NAME, "myFileTrustStore");
- attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.CLIENT_TRUSTSTORE);
- attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
- attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
- attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL);
+ final Path keyStoreFile = TLS_RESOURCE.createSelfSignedTrustStore(DN_FOO);
- TrustStore<?> fileTrustStore = FACTORY.create(TrustStore.class, attributes, BROKER);
+ Map<String, Object> attributes = new HashMap<>();
+ attributes.put(FileTrustStore.NAME, NAME);
+ attributes.put(FileTrustStore.STORE_URL, keyStoreFile.toFile().getAbsolutePath());
+ attributes.put(FileTrustStore.PASSWORD, TLS_RESOURCE.getSecret());
+ attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, false);
+
+ final FileTrustStore<?> fileTrustStore = createFileTrustStore(attributes);
TrustManager[] trustManagers = fileTrustStore.getTrustManagers();
assertNotNull(trustManagers);
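Review bot: In the renamed `testCreateFileTrustStoreWithoutCRL` the local holding the result of `TLS_RESOURCE.createSelfSignedTrustStore(DN_FOO)` is named `keyStoreFile` although it is a trust store that is then fed to `FileTrustStore.STORE_URL`; `final Path trustStoreFile = TLS_RESOURCE.createSelfSignedTrustStore(DN_FOO);` reads correctly and avoids confusion with the key-store tests that use the same name. The test also switches `CERTIFICATE_REVOCATION_CHECK_ENABLED` from `true` with a CRL to `false`, so revocation coverage now depends entirely on the explicit-CRL test that follows in the next hunk; that is fine as long as the new test stays in place, but the rename makes the intent clearer than the old `_Success` suffix did.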
@@ -87,45 +108,75 @@
}
@Test
- public void testCreateTrustStoreFromFile_WrongPassword()
+ public void testCreateFileTrustStoreFromWithExplicitlySetCRL() throws Exception
{
- Map<String,Object> attributes = new HashMap<>();
- attributes.put(FileTrustStore.NAME, "myFileTrustStore");
- attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.CLIENT_TRUSTSTORE);
- attributes.put(FileTrustStore.PASSWORD, "wrong");
- attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+ final StoreAndCrl<Path> data = generateTrustStoreAndCrl();
- KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
- "Check trust store password");
+ Map<String, Object> attributes = new HashMap<>();
+ attributes.put(FileTrustStore.NAME, NAME);
+ attributes.put(FileTrustStore.STORE_URL, data.getStore().toFile().getAbsolutePath());
+ attributes.put(FileTrustStore.PASSWORD, TLS_RESOURCE.getSecret());
+ attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+ attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, data.getCrl().toFile().getPath());
+
+ final FileTrustStore<?> fileTrustStore = createFileTrustStore(attributes);
+
+ TrustManager[] trustManagers = fileTrustStore.getTrustManagers();
+ assertNotNull(trustManagers);
+ assertEquals("Unexpected number of trust managers", 1, trustManagers.length);
+ assertNotNull("Trust manager unexpected null", trustManagers[0]);
}
@Test
- public void testCreateTrustStoreFromFile_MissingCrlFile()
+ public void testCreateTrustStoreFromFile_WrongPassword() throws Exception
{
- Map<String,Object> attributes = new HashMap<>();
- attributes.put(FileTrustStore.NAME, "myFileTrustStore");
- attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.CLIENT_TRUSTSTORE);
- attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
- attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
- attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, "/not/a/crl");
+ final Path keyStoreFile = TLS_RESOURCE.createSelfSignedTrustStore(DN_FOO);
+
+ Map<String, Object> attributes = new HashMap<>();
+ attributes.put(FileTrustStore.NAME, NAME);
+ attributes.put(FileTrustStore.STORE_URL, keyStoreFile.toFile().getAbsolutePath());
+ attributes.put(FileTrustStore.PASSWORD, TLS_RESOURCE.getSecret() + "_");
+ attributes.put(FileTrustStore.TRUST_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
- "Unable to load certificate revocation list '/not/a/crl' for truststore 'myFileTrustStore'");
+ "Check trust store password");
+ }
+
+ @Test
+ public void testCreateTrustStoreFromFile_MissingCrlFile() throws Exception
+ {
+ final Path keyStoreFile = TLS_RESOURCE.createSelfSignedTrustStore(DN_FOO);
+
+ Map<String, Object> attributes = new HashMap<>();
+ attributes.put(FileTrustStore.NAME, NAME);
+ attributes.put(FileTrustStore.STORE_URL, keyStoreFile.toFile().getAbsolutePath());
+ attributes.put(FileTrustStore.PASSWORD, TLS_RESOURCE.getSecret());
+ attributes.put(FileTrustStore.TRUST_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
+ attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, NOT_A_CRL);
+
+ KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY,
+ BROKER,
+ TrustStore.class,
+ attributes,
+ String.format(
+ "Unable to load certificate revocation list '%s' for truststore 'myFileTrustStore'",
+ NOT_A_CRL));
}
@Test
public void testCreatePeersOnlyTrustStoreFromFile_Success() throws Exception
{
- Map<String,Object> attributes = new HashMap<>();
- attributes.put(FileTrustStore.NAME, "myFileTrustStore");
- attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.BROKER_PEERSTORE);
- attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
- attributes.put(FileTrustStore.PEERS_ONLY, true);
- attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
- attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
- attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL);
+ final KeyCertificatePair keyPairAndRootCA = TlsResourceBuilder.createKeyPairAndRootCA(DN_CA);
+ final Path keyStoreFile = TLS_RESOURCE.createTrustStore(DN_FOO, keyPairAndRootCA);
- TrustStore<?> fileTrustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
+ Map<String, Object> attributes = new HashMap<>();
+ attributes.put(FileTrustStore.NAME, NAME);
+ attributes.put(FileTrustStore.STORE_URL, keyStoreFile.toFile().getAbsolutePath());
+ attributes.put(FileTrustStore.PASSWORD, TLS_RESOURCE.getSecret());
+ attributes.put(FileTrustStore.PEERS_ONLY, true);
+ attributes.put(FileTrustStore.TRUST_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
+
+ final FileTrustStore<?> fileTrustStore = createFileTrustStore(attributes);
TrustManager[] trustManagers = fileTrustStore.getTrustManagers();
assertNotNull(trustManagers);
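Review bot: The expected message built with `String.format` in testCreateTrustStoreFromFile_MissingCrlFile still hardcodes the store name `'myFileTrustStore'` while the NAME attribute comes from the `NAME` constant, so the assertion silently depends on the two agreeing; the equivalent check in testUpdateTrustStore_Success already formats both values, and this one should read `"Unable to load certificate revocation list '%s' for truststore '%s'", NOT_A_CRL, NAME`. testCreatePeersOnlyTrustStoreFromFile_Success also drops the CERTIFICATE_REVOCATION_CHECK_ENABLED and CERTIFICATE_REVOCATION_LIST_URL attributes the replaced version set, so peers-only combined with revocation checking is no longer covered here; if that is deliberate, a one-line comment saying so would stop the next reader from re-adding it. Minor: the name `testCreateFileTrustStoreFromWithExplicitlySetCRL` reads like a slip for `testCreateFileTrustStoreFromFileWithExplicitlySetCRL`, and its CRL URL uses `getPath()` where every other test in the file uses `getAbsolutePath()`.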
@@ -140,16 +191,18 @@
{
// https://www.ibm.com/support/knowledgecenter/en/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-
assumeThat("IBMJSSE2 trust factory (IbmX509) validates the entire chain, including trusted certificates.",
- getJvmVendor(),
- is(not(equalTo(IBM))));
+ getJvmVendor(),
+ is(not(equalTo(IBM))));
- Map<String,Object> attributes = new HashMap<>();
- attributes.put(FileTrustStore.NAME, "myFileTrustStore");
- attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.BROKER_EXPIRED_TRUSTSTORE);
- attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
- attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+ final Path keyStoreFile = createTrustStoreWithExpiredCertificate();
- TrustStore trustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
+ Map<String, Object> attributes = new HashMap<>();
+ attributes.put(FileTrustStore.NAME, NAME);
+ attributes.put(FileTrustStore.STORE_URL, keyStoreFile.toFile().getAbsolutePath());
+ attributes.put(FileTrustStore.PASSWORD, TLS_RESOURCE.getSecret());
+ attributes.put(FileTrustStore.TRUST_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
+
+ FileTrustStore<?> trustStore = createFileTrustStore(attributes);
TrustManager[] trustManagers = trustStore.getTrustManagers();
assertNotNull(trustManagers);
@@ -158,26 +211,29 @@
assertTrue("Unexpected trust manager type", condition);
X509TrustManager trustManager = (X509TrustManager) trustManagers[0];
- KeyStore clientStore = getInitializedKeyStore(TestSSLConstants.CLIENT_EXPIRED_KEYSTORE,
- TestSSLConstants.PASSWORD,
- TestSSLConstants.JAVA_KEYSTORE_TYPE);
+ KeyStore clientStore = getInitializedKeyStore(keyStoreFile.toFile().getAbsolutePath(),
+ TLS_RESOURCE.getSecret(),
+ TLS_RESOURCE.getKeyStoreType());
+
String alias = clientStore.aliases().nextElement();
X509Certificate certificate = (X509Certificate) clientStore.getCertificate(alias);
- trustManager.checkClientTrusted(new X509Certificate[] {certificate}, "NULL");
+ trustManager.checkClientTrusted(new X509Certificate[]{certificate}, "NULL");
}
@Test
public void testUseOfExpiredTrustAnchorDenied() throws Exception
{
- Map<String,Object> attributes = new HashMap<>();
- attributes.put(FileTrustStore.NAME, "myFileTrustStore");
- attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.BROKER_EXPIRED_TRUSTSTORE);
- attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
- attributes.put(FileTrustStore.TRUST_ANCHOR_VALIDITY_ENFORCED, true);
- attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+ final Path keyStoreFile = createTrustStoreWithExpiredCertificate();
- TrustStore trustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
+ Map<String, Object> attributes = new HashMap<>();
+ attributes.put(FileTrustStore.NAME, NAME);
+ attributes.put(FileTrustStore.TRUST_ANCHOR_VALIDITY_ENFORCED, true);
+ attributes.put(FileTrustStore.STORE_URL, keyStoreFile.toFile().getAbsolutePath());
+ attributes.put(FileTrustStore.PASSWORD, TLS_RESOURCE.getSecret());
+ attributes.put(FileTrustStore.TRUST_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
+
+ final TrustStore<?> trustStore = createFileTrustStore(attributes);
TrustManager[] trustManagers = trustStore.getTrustManagers();
assertNotNull(trustManagers);
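Review bot: In testUseOfExpiredTrustAnchorAllowed (whose start lies outside this hunk) the `clientStore` loaded via `getInitializedKeyStore(keyStoreFile.toFile().getAbsolutePath(), ...)` is the very same self-signed store that backs the FileTrustStore, so `checkClientTrusted` is now handed the trust anchor itself rather than a leaf certificate chaining to an expired anchor, which is what the replaced CLIENT_EXPIRED_KEYSTORE / BROKER_EXPIRED_TRUSTSTORE pair exercised. Whether the PKIX path-building code treats a presented anchor the same way as a chain terminating at it is not shown by these lines, so the test may now pass or fail for a reason other than the one its name asserts. Consider generating an expired CA certificate (the helper behind `createTrustStoreWithExpiredCertificate` already takes a validity window) and issuing the presented certificate from it with `TlsResourceBuilder.createKeyPairAndCertificate`, then loading that leaf into `clientStore`; the second `getInitializedKeyStore` call in testUseOfExpiredTrustAnchorDenied in the next hunk has the same issue.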
@@ -186,15 +242,15 @@
assertTrue("Unexpected trust manager type", condition);
X509TrustManager trustManager = (X509TrustManager) trustManagers[0];
- KeyStore clientStore = getInitializedKeyStore(TestSSLConstants.CLIENT_EXPIRED_KEYSTORE,
- TestSSLConstants.PASSWORD,
- TestSSLConstants.JAVA_KEYSTORE_TYPE);
+ KeyStore clientStore = getInitializedKeyStore(keyStoreFile.toFile().getAbsolutePath(),
+ TLS_RESOURCE.getSecret(),
+ TLS_RESOURCE.getKeyStoreType());
String alias = clientStore.aliases().nextElement();
X509Certificate certificate = (X509Certificate) clientStore.getCertificate(alias);
try
{
- trustManager.checkClientTrusted(new X509Certificate[] {certificate}, "NULL");
+ trustManager.checkClientTrusted(new X509Certificate[]{certificate}, "NULL");
fail("Exception not thrown");
}
catch (CertificateException e)
@@ -202,31 +258,29 @@
if (e instanceof CertificateExpiredException || "Certificate expired".equals(e.getMessage()))
{
// IBMJSSE2 does not throw CertificateExpiredException, it throws a CertificateException
- // PASS
+ // ignore
}
else
{
throw e;
}
-
}
}
@Test
public void testCreateTrustStoreFromDataUrl_Success() throws Exception
{
- String trustStoreAsDataUrl = createDataUrlForFile(TestSSLConstants.CLIENT_TRUSTSTORE);
- String crlAsDataUrl = createDataUrlForFile(TestSSLConstants.CA_CRL);
+ final StoreAndCrl<String> data = generateTrustStoreAndCrlAsDataUrl();
- Map<String,Object> attributes = new HashMap<>();
- attributes.put(FileTrustStore.NAME, "myFileTrustStore");
- attributes.put(FileTrustStore.STORE_URL, trustStoreAsDataUrl);
- attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
- attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+ Map<String, Object> attributes = new HashMap<>();
+ attributes.put(FileTrustStore.NAME, NAME);
+ attributes.put(FileTrustStore.STORE_URL, data.getStore());
+ attributes.put(FileTrustStore.PASSWORD, TLS_RESOURCE.getSecret());
+ attributes.put(FileTrustStore.TRUST_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
- attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, crlAsDataUrl);
+ attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, data.getCrl());
- TrustStore<?> fileTrustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
+ FileTrustStore<?> fileTrustStore = createFileTrustStore(attributes);
TrustManager[] trustManagers = fileTrustStore.getTrustManagers();
assertNotNull(trustManagers);
@@ -237,16 +291,16 @@
@Test
public void testCreateTrustStoreFromDataUrl_WrongPassword() throws Exception
{
- String trustStoreAsDataUrl = createDataUrlForFile(TestSSLConstants.CLIENT_TRUSTSTORE);
+ String trustStoreAsDataUrl = TLS_RESOURCE.createSelfSignedTrustStoreAsDataUrl(DN_FOO);
- Map<String,Object> attributes = new HashMap<>();
- attributes.put(FileTrustStore.NAME, "myFileTrustStore");
- attributes.put(FileTrustStore.PASSWORD, "wrong");
+ Map<String, Object> attributes = new HashMap<>();
+ attributes.put(FileTrustStore.NAME, NAME);
+ attributes.put(FileTrustStore.PASSWORD, TLS_RESOURCE.getSecret() + "_");
attributes.put(FileTrustStore.STORE_URL, trustStoreAsDataUrl);
- attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+ attributes.put(FileTrustStore.TRUST_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
- "Check trust store password");
+ "Check trust store password");
}
@Test
@@ -254,192 +308,192 @@
{
String trustStoreAsDataUrl = DataUrlUtils.getDataUrlForBytes("notatruststore".getBytes());
- Map<String,Object> attributes = new HashMap<>();
- attributes.put(FileTrustStore.NAME, "myFileTrustStore");
- attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
+ Map<String, Object> attributes = new HashMap<>();
+ attributes.put(FileTrustStore.NAME, NAME);
+ attributes.put(FileTrustStore.PASSWORD, TLS_RESOURCE.getSecret());
attributes.put(FileTrustStore.STORE_URL, trustStoreAsDataUrl);
- attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+ attributes.put(FileTrustStore.TRUST_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
- "Cannot instantiate trust store");
+ "Cannot instantiate trust store");
}
@Test
- public void testUpdateTrustStore_Success()
+ public void testUpdateTrustStore_Success() throws Exception
{
- Map<String,Object> attributes = new HashMap<>();
- attributes.put(FileTrustStore.NAME, "myFileTrustStore");
- attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.CLIENT_TRUSTSTORE);
- attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
- attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
- attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
- attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL);
+ final StoreAndCrl<Path> data = generateTrustStoreAndCrl();
- FileTrustStore<?> fileTrustStore = (FileTrustStore<?>) FACTORY.create(TrustStore.class, attributes, BROKER);
+ Map<String, Object> attributes = new HashMap<>();
+ attributes.put(FileTrustStore.NAME, NAME);
+ attributes.put(FileTrustStore.STORE_URL, data.getStore().toFile().getAbsolutePath());
+ attributes.put(FileTrustStore.PASSWORD, TLS_RESOURCE.getSecret());
+ attributes.put(FileTrustStore.TRUST_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
+ attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+ attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, data.getCrl().toFile().getAbsolutePath());
+
+ final FileTrustStore<?> fileTrustStore = createFileTrustStore(attributes);
assertEquals("Unexpected path value before change",
- TestSSLConstants.CLIENT_TRUSTSTORE,
- fileTrustStore.getStoreUrl());
-
+ data.getStore().toFile().getAbsolutePath(),
+ fileTrustStore.getStoreUrl());
try
{
- Map<String,Object> unacceptableAttributes = new HashMap<>();
- unacceptableAttributes.put(FileTrustStore.STORE_URL, "/not/a/truststore");
-
- fileTrustStore.setAttributes(unacceptableAttributes);
+ fileTrustStore.setAttributes(Collections.singletonMap(FileTrustStore.STORE_URL, NOT_A_TRUSTSTORE));
fail("Exception not thrown");
}
catch (IllegalConfigurationException e)
{
String message = e.getMessage();
assertTrue("Exception text not as unexpected:" + message,
- message.contains("Cannot instantiate trust store"));
+ message.contains("Cannot instantiate trust store"));
}
assertEquals("Unexpected keystore path value after failed change",
- TestSSLConstants.CLIENT_TRUSTSTORE,
- fileTrustStore.getStoreUrl());
+ data.getStore().toFile().getAbsolutePath(),
+ fileTrustStore.getStoreUrl());
try
{
- Map<String,Object> unacceptableAttributes = new HashMap<>();
- unacceptableAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, "/not/a/crl");
- fileTrustStore.setAttributes(unacceptableAttributes);
+ fileTrustStore.setAttributes(Collections.singletonMap(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, NOT_A_CRL));
fail("Exception not thrown");
}
catch (IllegalConfigurationException e)
{
String message = e.getMessage();
assertTrue("Exception text not as unexpected:" + message,
- message.contains("Unable to load certificate revocation list '/not/a/crl' for truststore " +
- "'myFileTrustStore'"));
+ message.contains(String.format(
+ "Unable to load certificate revocation list '%s' for truststore '%s'", NOT_A_CRL, NAME)));
}
assertEquals("Unexpected CRL path value after failed change",
- TestSSLConstants.CA_CRL,
- fileTrustStore.getCertificateRevocationListUrl());
+ data.getCrl().toFile().getAbsolutePath(),
+ fileTrustStore.getCertificateRevocationListUrl());
- Map<String,Object> changedAttributes = new HashMap<>();
- changedAttributes.put(FileTrustStore.STORE_URL, TestSSLConstants.BROKER_TRUSTSTORE);
- changedAttributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
- changedAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL_EMPTY);
+ assertEquals("Unexpected path value after failed change",
+ data.getStore().toFile().getAbsolutePath(),
+ fileTrustStore.getStoreUrl());
+
+ final Path keyStoreFile2 = TLS_RESOURCE.createTrustStore(DN_FOO, data.getCa());
+ final Path emptyCrl = TLS_RESOURCE.createCrl(data.getCa());
+
+ Map<String, Object> changedAttributes = new HashMap<>();
+ changedAttributes.put(FileTrustStore.STORE_URL, keyStoreFile2.toFile().getAbsolutePath());
+ changedAttributes.put(FileTrustStore.PASSWORD, TLS_RESOURCE.getSecret());
+ changedAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, emptyCrl.toFile().getAbsolutePath());
fileTrustStore.setAttributes(changedAttributes);
assertEquals("Unexpected keystore path value after change that is expected to be successful",
- TestSSLConstants.BROKER_TRUSTSTORE,
- fileTrustStore.getStoreUrl());
+ keyStoreFile2.toFile().getAbsolutePath(),
+ fileTrustStore.getStoreUrl());
assertEquals("Unexpected CRL path value after change that is expected to be successful",
- TestSSLConstants.CA_CRL_EMPTY,
- fileTrustStore.getCertificateRevocationListUrl());
+ emptyCrl.toFile().getAbsolutePath(),
+ fileTrustStore.getCertificateRevocationListUrl());
}
@Test
- public void testEmptyTrustStoreRejected()
+ public void testEmptyTrustStoreRejected() throws Exception
{
- Map<String,Object> attributes = new HashMap<>();
- attributes.put(FileKeyStore.NAME, "myFileTrustStore");
- attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
- attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.TEST_EMPTY_KEYSTORE);
- attributes.put(FileTrustStore.TRUST_STORE_TYPE, "jks");
+
+ final Path path = TLS_RESOURCE.createKeyStore();
+
+ Map<String, Object> attributes = new HashMap<>();
+ attributes.put(FileKeyStore.NAME, NAME);
+ attributes.put(FileKeyStore.PASSWORD, TLS_RESOURCE.getSecret());
+ attributes.put(FileKeyStore.STORE_URL, path.toFile().getAbsolutePath());
+ attributes.put(FileTrustStore.TRUST_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
- "must contain at least one certificate");
+ "must contain at least one certificate");
}
@Test
- public void testTrustStoreWithNoCertificateRejected()
+ public void testTrustStoreWithNoCertificateRejected() throws Exception
{
- Map<String,Object> attributes = new HashMap<>();
+ final Path path = TLS_RESOURCE.createSelfSignedKeyStore(DN_FOO);
+
+ Map<String, Object> attributes = new HashMap<>();
attributes.put(FileTrustStore.NAME, getTestName());
- attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
- attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.TEST_PK_ONLY_KEYSTORE);
- attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+ attributes.put(FileTrustStore.PASSWORD, TLS_RESOURCE.getSecret());
+ attributes.put(FileTrustStore.STORE_URL, path.toFile().getAbsolutePath());
+ attributes.put(FileTrustStore.TRUST_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
- "must contain at least one certificate");
+ "must contain at least one certificate");
}
@Test
public void testSymmetricKeyEntryIgnored() throws Exception
{
+ final String keyStoreType = "jceks";
+ final Path keyStoreFile = createSelfSignedKeyStoreWithSecretKeyAndCertificate(keyStoreType, DN_FOO);
Map<String, Object> attributes = new HashMap<>();
attributes.put(FileTrustStore.NAME, getTestName());
- attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
- attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.TEST_SYMMETRIC_KEY_KEYSTORE);
- attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+ attributes.put(FileTrustStore.PASSWORD, TLS_RESOURCE.getSecret());
+ attributes.put(FileTrustStore.STORE_URL, keyStoreFile.toFile().getAbsolutePath());
+ attributes.put(FileTrustStore.TRUST_STORE_TYPE, keyStoreType);
- TrustStore trustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
+ FileTrustStore<?> trustStore = createFileTrustStore(attributes);
Certificate[] certificates = trustStore.getCertificates();
assertEquals("Unexpected number of certificates",
- getNumberOfCertificates(TestSSLConstants.TEST_SYMMETRIC_KEY_KEYSTORE,
- TestSSLConstants.JAVA_KEYSTORE_TYPE),
- certificates.length);
+ (long) getNumberOfCertificates(keyStoreFile, keyStoreType),
+ (long) certificates.length);
}
@Test
public void testPrivateKeyEntryIgnored() throws Exception
{
+ final Path keyStoreFile = TLS_RESOURCE.createSelfSignedKeyStoreWithCertificate(DN_FOO);
+
Map<String, Object> attributes = new HashMap<>();
attributes.put(FileTrustStore.NAME, getTestName());
- attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
- attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.TEST_KEYSTORE);
- attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+ attributes.put(FileTrustStore.PASSWORD, TLS_RESOURCE.getSecret());
+ attributes.put(FileTrustStore.STORE_URL, keyStoreFile.toFile().getAbsolutePath());
+ attributes.put(FileTrustStore.TRUST_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
- TrustStore trustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
+ FileTrustStore<?> trustStore = createFileTrustStore(attributes);
Certificate[] certificates = trustStore.getCertificates();
assertEquals("Unexpected number of certificates",
- getNumberOfCertificates(TestSSLConstants.TEST_KEYSTORE,
- TestSSLConstants.JAVA_KEYSTORE_TYPE),
- certificates.length);
+ (long) getNumberOfCertificates(keyStoreFile, TLS_RESOURCE.getKeyStoreType()),
+ (long) certificates.length);
}
@Test
public void testReloadKeystore() throws Exception
{
- assumeThat(SSLUtil.canGenerateCerts(), is(equalTo(true)));
+ final Path keyStorePath = TLS_RESOURCE.createSelfSignedKeyStoreWithCertificate(DN_FOO);
+ final Path keyStorePath2 = TLS_RESOURCE.createSelfSignedKeyStoreWithCertificate(DN_BAR);
- final SSLUtil.KeyCertPair selfSigned1 = KeyStoreTestHelper.generateSelfSigned("CN=foo");
- final SSLUtil.KeyCertPair selfSigned2 = KeyStoreTestHelper.generateSelfSigned("CN=bar");
+ final Map<String, Object> attributes = new HashMap<>();
+ attributes.put(FileTrustStore.NAME, getTestName());
+ attributes.put(FileTrustStore.STORE_URL, keyStorePath.toFile().getAbsolutePath());
+ attributes.put(FileTrustStore.PASSWORD, TLS_RESOURCE.getSecret());
- final File keyStoreFile = TestFileUtils.createTempFile(this, ".ks");
- final String dummy = "changit";
- final char[] pass = dummy.toCharArray();
- final String alias = "test";
- try
- {
- final java.security.KeyStore keyStore =
- KeyStoreTestHelper.saveKeyStore(alias, selfSigned1.getCertificate(), pass, keyStoreFile);
+ final FileTrustStore<?> trustStoreObject = createFileTrustStore(attributes);
- final Map<String, Object> attributes = new HashMap<>();
- attributes.put(FileTrustStore.NAME, getTestName());
- attributes.put(FileTrustStore.PASSWORD, dummy);
- attributes.put(FileTrustStore.STORE_URL, keyStoreFile.getAbsolutePath());
- attributes.put(FileTrustStore.TRUST_STORE_TYPE, keyStore.getType());
+ final X509Certificate certificate = getCertificate(trustStoreObject);
+ assertEquals(DN_FOO, certificate.getIssuerX500Principal().getName());
- final FileTrustStore trustStore = (FileTrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
+ Files.copy(keyStorePath2, keyStorePath, StandardCopyOption.REPLACE_EXISTING);
- final X509Certificate certificate = getCertificate(trustStore);
- assertEquals("CN=foo", certificate.getIssuerX500Principal().getName());
+ trustStoreObject.reload();
- KeyStoreTestHelper.saveKeyStore(alias, selfSigned2.getCertificate(), pass, keyStoreFile);
-
- trustStore.reload();
-
- final X509Certificate certificate2 = getCertificate(trustStore);
- assertEquals("CN=bar", certificate2.getIssuerX500Principal().getName());
- }
- finally
- {
- assertTrue(keyStoreFile.delete());
- }
+ final X509Certificate certificate2 = getCertificate(trustStoreObject);
+ assertEquals(DN_BAR, certificate2.getIssuerX500Principal().getName());
}
- public X509Certificate getCertificate(final FileTrustStore trustStore) throws java.security.GeneralSecurityException
+ @SuppressWarnings("unchecked")
+ private FileTrustStore<?> createFileTrustStore(final Map<String, Object> attributes)
+ {
+ return (FileTrustStore<?>) FACTORY.create(TrustStore.class, attributes, BROKER);
+ }
+
+ private X509Certificate getCertificate(final FileTrustStore trustStore)
+ throws java.security.GeneralSecurityException
{
Certificate[] certificates = trustStore.getCertificates();
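Review bot: `getCertificate(final FileTrustStore trustStore)` keeps a raw `FileTrustStore` parameter although every caller in this hunk now holds a `FileTrustStore<?>`; declaring it `final FileTrustStore<?> trustStore` removes the raw-type warning without changing any call site. In testUpdateTrustStore_Success the newly added `assertEquals("Unexpected path value after failed change", ...)` repeats the `"Unexpected keystore path value after failed change"` assertion a few lines above with identical operands, so one of the two should go. The `@SuppressWarnings("unchecked")` on `createFileTrustStore` looks unnecessary because a cast to the wildcard type `FileTrustStore<?>` is a checked cast; if the warning in fact comes from the `FACTORY.create(TrustStore.class, ...)` invocation, a short comment naming that, e.g. `// unchecked: FACTORY.create is invoked with the raw TrustStore class`, would keep the suppression honest. The `getCertificate` body continues past this hunk.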
@@ -448,15 +502,15 @@
Certificate certificate = certificates[0];
assertTrue(certificate instanceof X509Certificate);
- return (X509Certificate)certificate;
+ return (X509Certificate) certificate;
}
- private int getNumberOfCertificates(String keystore, String type) throws Exception
+ private int getNumberOfCertificates(Path keystore, String type) throws Exception
{
KeyStore ks = KeyStore.getInstance(type);
- try(InputStream is = new FileInputStream(keystore))
+ try (InputStream is = new FileInputStream(keystore.toFile()))
{
- ks.load(is, TestSSLConstants.PASSWORD.toCharArray());
+ ks.load(is, TLS_RESOURCE.getSecret().toCharArray());
}
int result = 0;
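Review bot: `getNumberOfCertificates` now takes a `Path` but immediately converts it back with `new FileInputStream(keystore.toFile())`; `try (InputStream is = Files.newInputStream(keystore))` keeps the helper on the NIO API the rest of the class moved to (`Files` is already used by testReloadKeystore). The helper also bakes in `TLS_RESOURCE.getSecret()` as the store password, which holds for both current callers but is an implicit contract worth a comment, e.g. `// every store produced by TLS_RESOURCE is protected with its shared secret`. The enclosing method continues beyond this hunk.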
@@ -472,29 +526,85 @@
return result;
}
- public static String createDataUrlForFile(String filename) throws IOException
+ private Path createTrustStoreWithExpiredCertificate() throws Exception
{
- InputStream in = null;
- try
+ final Instant from = Instant.now().minus(10, ChronoUnit.DAYS);
+ final Instant to = Instant.now().minus(5, ChronoUnit.DAYS);
+ return TLS_RESOURCE.createSelfSignedTrustStore(DN_FOO, from, to);
+ }
+
+ public Path createSelfSignedKeyStoreWithSecretKeyAndCertificate(final String keyStoreType, final String dn)
+ throws Exception
+ {
+ final KeyCertificatePair keyCertPair = TlsResourceBuilder.createSelfSigned(dn);
+
+ return TLS_RESOURCE.createKeyStore(keyStoreType, new PrivateKeyEntry(TLS_RESOURCE.getPrivateKeyAlias(),
+ keyCertPair.getPrivateKey(),
+ keyCertPair.getCertificate()),
+ new CertificateEntry(TLS_RESOURCE.getCertificateAlias(), keyCertPair.getCertificate()),
+ new SecretKeyEntry(SECRET_KEY_ALIAS, TlsResourceHelper.createAESSecretKey()));
+ }
+
+
+ private StoreAndCrl<Path> generateTrustStoreAndCrl() throws Exception
+ {
+ final KeyCertificatePair caPair = TlsResourceBuilder.createKeyPairAndRootCA(DN_CA);
+ final KeyCertificatePair keyCertPair1 = TlsResourceBuilder.createKeyPairAndCertificate(DN_FOO, caPair);
+ final KeyCertificatePair keyCertPair2 = TlsResourceBuilder.createKeyPairAndCertificate(DN_BAR, caPair);
+ final Path keyStoreFile = TLS_RESOURCE.createKeyStore(new CertificateEntry(
+ CERTIFICATE_ALIAS_A,
+ keyCertPair1.getCertificate()),
+ new CertificateEntry(
+ CERTIFICATE_ALIAS_B,
+ keyCertPair2.getCertificate()));
+
+ final Path clrFile = TLS_RESOURCE.createCrl(caPair, keyCertPair2.getCertificate());
+ return new StoreAndCrl<>(keyStoreFile, clrFile, caPair);
+ }
+
+ private StoreAndCrl<String> generateTrustStoreAndCrlAsDataUrl() throws Exception
+ {
+ final KeyCertificatePair caPair = TlsResourceBuilder.createKeyPairAndRootCA(DN_CA);
+ final KeyCertificatePair keyCertPair1 = TlsResourceBuilder.createKeyPairAndCertificate(DN_FOO, caPair);
+ final KeyCertificatePair keyCertPair2 = TlsResourceBuilder.createKeyPairAndCertificate(DN_BAR, caPair);
+ final String trustStoreAsDataUrl =
+ TLS_RESOURCE.createKeyStoreAsDataUrl(new CertificateEntry(
+ CERTIFICATE_ALIAS_A,
+ keyCertPair1.getCertificate()),
+ new CertificateEntry(
+ CERTIFICATE_ALIAS_B,
+ keyCertPair2.getCertificate()));
+
+ final String crlAsDataUrl = TLS_RESOURCE.createCrlAsDataUrl(caPair, keyCertPair2.getCertificate());
+ return new StoreAndCrl<>(trustStoreAsDataUrl, crlAsDataUrl, caPair);
+ }
+
+ private static class StoreAndCrl<T>
+ {
+ private T _store;
+ private T _crl;
+ private KeyCertificatePair _ca;
+
+ private StoreAndCrl(final T store, final T crl, KeyCertificatePair ca)
{
- File f = new File(filename);
- if (f.exists())
- {
- in = new FileInputStream(f);
- }
- else
- {
- in = Thread.currentThread().getContextClassLoader().getResourceAsStream(filename);
- }
- byte[] fileAsBytes = ByteStreams.toByteArray(in);
- return DataUrlUtils.getDataUrlForBytes(fileAsBytes);
+ _store = store;
+ _crl = crl;
+ _ca = ca;
}
- finally
+
+ T getStore()
{
- if (in != null)
- {
- in.close();
- }
+ return _store;
+ }
+
+ T getCrl()
+ {
+ return _crl;
+ }
+
+ KeyCertificatePair getCa()
+ {
+ return _ca;
}
}
}
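Review bot: `StoreAndCrl`'s fields `_store`, `_crl` and `_ca` are assigned only in the constructor yet are not `final`; declaring them `private final` makes the holder immutable, which is what its getter-only interface implies. Both `generateTrustStoreAndCrl` and `generateTrustStoreAndCrlAsDataUrl` place the DN_FOO and DN_BAR certificates in the store and then revoke only DN_BAR, which is the whole point of the CRL-based tests but is stated nowhere; a comment above the `createCrl` / `createCrlAsDataUrl` call such as `// the CRL revokes the second (DN_BAR) certificate so revocation checking has an entry to act on` would record that intent. Smaller items: `clrFile` is a typo for `crlFile`, `createSelfSignedKeyStoreWithSecretKeyAndCertificate` is `public` while its sibling helpers are `private`, and the two generators duplicate the CA and key-pair setup that could live in one private method returning the three pairs.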
diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/KeyStoreTestHelper.java b/broker-core/src/test/java/org/apache/qpid/server/security/KeyStoreTestHelper.java
index d2324dd..91c92ce 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/security/KeyStoreTestHelper.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/security/KeyStoreTestHelper.java
@@ -19,75 +19,22 @@
package org.apache.qpid.server.security;
-import java.io.File;
-import java.io.FileOutputStream;
-import java.io.IOException;
-import java.lang.reflect.InvocationTargetException;
-import java.security.KeyStore;
-import java.security.KeyStoreException;
-import java.security.NoSuchAlgorithmException;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-import java.time.Duration;
-import java.time.Instant;
-import java.time.temporal.ChronoUnit;
-import java.util.Collections;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
import java.util.Map;
import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.ConfiguredObjectFactory;
-import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
-
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
public class KeyStoreTestHelper
{
- public static KeyStore saveKeyStore(final String alias,
- final X509Certificate certificate,
- final char[] pass,
- final File file)
- throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException
- {
- final KeyStore ks = createEmptyKeyStore();
- ks.setCertificateEntry(alias, certificate);
- saveKeyStore(ks, pass, file);
- return ks;
- }
-
- public static KeyStore saveKeyStore(final SSLUtil.KeyCertPair keyCertPair,
- final String keyAlias,
- final String certificateAlias,
- final char[] pass,
- final File file)
- throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException
- {
- final KeyStore ks = createKeyStore(keyCertPair, keyAlias, certificateAlias, pass);
- saveKeyStore(ks, pass, file);
- return ks;
- }
-
-
- public static SSLUtil.KeyCertPair generateSelfSigned(final String cn)
- throws IllegalAccessException, InvocationTargetException, InstantiationException
- {
- return SSLUtil.generateSelfSignedCertificate("RSA",
- "SHA256WithRSA",
- 2048,
- Instant.now()
- .minus(1, ChronoUnit.DAYS)
- .toEpochMilli(),
- Duration.of(365, ChronoUnit.DAYS)
- .getSeconds(),
- cn,
- Collections.emptySet(),
- Collections.emptySet());
- }
-
- public static void checkExceptionThrownDuringKeyStoreCreation(ConfiguredObjectFactory factory, Broker broker,
- Class keystoreClass, Map<String, Object> attributes,
- String expectedExceptionMessage)
+ public static void checkExceptionThrownDuringKeyStoreCreation(ConfiguredObjectFactory factory,
+ Broker broker,
+ Class keystoreClass,
+ Map<String, Object> attributes,
+ String expectedExceptionMessage)
{
try
{
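Review bot: The reformatted signature of `checkExceptionThrownDuringKeyStoreCreation` still declares the raw `Class keystoreClass` parameter; since the value is only forwarded to the factory, `Class<?> keystoreClass` (or whatever bound the factory's `create` method expects) removes the raw-type warning without affecting the callers in FileTrustStoreTest. `Broker broker` is presumably a generic type in this code base as well and would take the same `<?>` treatment if so. The method body lies mostly outside this hunk.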
@@ -98,42 +45,8 @@
{
final String message = e.getMessage();
assertTrue("Exception text not as expected:" + message,
- message.contains(expectedExceptionMessage));
-
+ message.contains(expectedExceptionMessage));
}
}
-
- private static File saveKeyStore(final KeyStore ks, final char[] pass, final File storeFile)
- throws IOException, KeyStoreException, NoSuchAlgorithmException, CertificateException
- {
- try (FileOutputStream fos = new FileOutputStream(storeFile))
- {
- ks.store(fos, pass);
- }
- return storeFile;
- }
-
- private static KeyStore createKeyStore(final SSLUtil.KeyCertPair keyCertPair,
- final String keyAlias,
- final String certificateAlias,
- final char[] pass)
- throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException
- {
- final KeyStore ks = createEmptyKeyStore();
- ks.setCertificateEntry(certificateAlias, keyCertPair.getCertificate());
- ks.setKeyEntry(keyAlias,
- keyCertPair.getPrivateKey(),
- pass,
- new X509Certificate[]{keyCertPair.getCertificate()});
- return ks;
- }
-
- private static KeyStore createEmptyKeyStore()
- throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException
- {
- final KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
- ks.load(null);
- return ks;
- }
}
diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaKeyStoreTest.java b/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaKeyStoreTest.java
index 6df02d7..1908f0c 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaKeyStoreTest.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaKeyStoreTest.java
@@ -21,11 +21,9 @@
import static java.nio.charset.StandardCharsets.UTF_8;
-import static org.hamcrest.CoreMatchers.is;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.fail;
-import static org.junit.Assume.assumeThat;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.anyLong;
import static org.mockito.ArgumentMatchers.argThat;
@@ -35,35 +33,22 @@
import static org.mockito.Mockito.when;
import static org.mockito.internal.verification.VerificationModeFactory.times;
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileOutputStream;
-import java.io.InputStream;
-import java.security.Key;
-import java.security.cert.Certificate;
+import java.nio.file.Path;
+import java.security.PrivateKey;
+import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
-import java.time.Duration;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
-import java.util.ArrayList;
-import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
-import java.util.List;
import java.util.Map;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.KeyManager;
-import org.apache.qpid.server.model.Broker;
-import org.apache.qpid.server.model.BrokerModel;
-import org.apache.qpid.server.model.BrokerTestHelper;
-import org.apache.qpid.server.model.ConfiguredObjectFactory;
-import org.apache.qpid.test.utils.TestSSLConstants;
-import org.apache.qpid.test.utils.UnitTestBase;
-import org.junit.After;
import org.junit.Before;
+import org.junit.ClassRule;
import org.junit.Test;
import org.mockito.ArgumentMatcher;
@@ -72,111 +57,64 @@
import org.apache.qpid.server.logging.LogMessage;
import org.apache.qpid.server.logging.MessageLogger;
import org.apache.qpid.server.logging.messages.KeyStoreMessages;
+import org.apache.qpid.server.model.Broker;
+import org.apache.qpid.server.model.BrokerModel;
+import org.apache.qpid.server.model.BrokerTestHelper;
+import org.apache.qpid.server.model.ConfiguredObjectFactory;
import org.apache.qpid.server.model.KeyStore;
-import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
+import org.apache.qpid.test.utils.tls.KeyCertificatePair;
+import org.apache.qpid.test.utils.tls.TlsResource;
+import org.apache.qpid.test.utils.tls.TlsResourceBuilder;
import org.apache.qpid.server.util.DataUrlUtils;
-import org.apache.qpid.test.utils.TestFileUtils;
-import org.apache.qpid.test.utils.TestSSLUtils;
+import org.apache.qpid.test.utils.UnitTestBase;
+import org.apache.qpid.test.utils.tls.TlsResourceHelper;
public class NonJavaKeyStoreTest extends UnitTestBase
{
+ @ClassRule
+ public static final TlsResource TLS_RESOURCE = new TlsResource();
+
+ private static final String DN_FOO = "CN=foo";
+ private static final String NAME = "myTestTrustStore";
+ private static final String NON_JAVA_KEY_STORE = "NonJavaKeyStore";
private static final Broker BROKER = BrokerTestHelper.createBrokerMock();
private static final ConfiguredObjectFactory FACTORY = BrokerModel.getInstance().getObjectFactory();
- private List<File> _testResources;
private MessageLogger _messageLogger;
+ private KeyCertificatePair _keyCertPair;
@Before
public void setUp() throws Exception
{
_messageLogger = mock(MessageLogger.class);
when(BROKER.getEventLogger()).thenReturn(new EventLogger(_messageLogger));
- _testResources = new ArrayList<>();
- }
-
- @After
- public void tearDown() throws Exception
- {
- for (File resource: _testResources)
- {
- try
- {
- resource.delete();
- }
- catch (Exception e)
- {
- e.printStackTrace();
- }
- }
- }
-
- private File[] extractResourcesFromTestKeyStore(boolean pem, final String storeResource) throws Exception
- {
- java.security.KeyStore ks = java.security.KeyStore.getInstance(TestSSLConstants.JAVA_KEYSTORE_TYPE);
- try(InputStream is = new FileInputStream(storeResource))
- {
- ks.load(is, TestSSLConstants.PASSWORD.toCharArray());
- }
-
-
- File privateKeyFile = TestFileUtils.createTempFile(this, ".private-key.der");
- try(FileOutputStream kos = new FileOutputStream(privateKeyFile))
- {
- Key pvt = ks.getKey(TestSSLConstants.BROKER_KEYSTORE_ALIAS, TestSSLConstants.PASSWORD.toCharArray());
- if (pem)
- {
- kos.write(TestSSLUtils.privateKeyToPEM(pvt).getBytes(UTF_8));
- }
- else
- {
- kos.write(pvt.getEncoded());
- }
- kos.flush();
- }
-
- File certificateFile = TestFileUtils.createTempFile(this, ".certificate.der");
-
- try(FileOutputStream cos = new FileOutputStream(certificateFile))
- {
- Certificate pub = ks.getCertificate(TestSSLConstants.BROKER_KEYSTORE_ALIAS);
- if (pem)
- {
- cos.write(TestSSLUtils.certificateToPEM(pub).getBytes(UTF_8));
- }
- else
- {
- cos.write(pub.getEncoded());
- }
- cos.flush();
- }
-
- return new File[]{privateKeyFile,certificateFile};
+ _keyCertPair = generateSelfSignedCertificate();
}
@Test
public void testCreationOfTrustStoreFromValidPrivateKeyAndCertificateInDERFormat() throws Exception
{
- runTestCreationOfTrustStoreFromValidPrivateKeyAndCertificateInDerFormat(false);
+ final Path privateKeyFile = TLS_RESOURCE.savePrivateKeyAsDer(_keyCertPair.getPrivateKey());
+ final Path certificateFile = TLS_RESOURCE.saveCertificateAsDer(_keyCertPair.getCertificate());
+ assertCreationOfTrustStoreFromValidPrivateKeyAndCertificate(privateKeyFile, certificateFile);
}
@Test
public void testCreationOfTrustStoreFromValidPrivateKeyAndCertificateInPEMFormat() throws Exception
{
- runTestCreationOfTrustStoreFromValidPrivateKeyAndCertificateInDerFormat(true);
+ final Path privateKeyFile = TLS_RESOURCE.savePrivateKeyAsPem(_keyCertPair.getPrivateKey());
+ final Path certificateFile = TLS_RESOURCE.saveCertificateAsPem(_keyCertPair.getCertificate());
+ assertCreationOfTrustStoreFromValidPrivateKeyAndCertificate(privateKeyFile, certificateFile);
}
- private void runTestCreationOfTrustStoreFromValidPrivateKeyAndCertificateInDerFormat(boolean isPEM)throws Exception
+ private void assertCreationOfTrustStoreFromValidPrivateKeyAndCertificate(Path privateKeyFile, Path certificateFile) throws Exception
{
- File[] resources = extractResourcesFromTestKeyStore(isPEM, TestSSLConstants.BROKER_KEYSTORE);
- _testResources.addAll(Arrays.asList(resources));
-
Map<String,Object> attributes = new HashMap<>();
- attributes.put(NonJavaKeyStore.NAME, "myTestTrustStore");
- attributes.put("privateKeyUrl", resources[0].toURI().toURL().toExternalForm());
- attributes.put("certificateUrl", resources[1].toURI().toURL().toExternalForm());
- attributes.put(NonJavaKeyStore.TYPE, "NonJavaKeyStore");
+ attributes.put(NonJavaKeyStore.NAME, NAME);
+ attributes.put("privateKeyUrl", privateKeyFile.toFile().getAbsolutePath());
+ attributes.put("certificateUrl", certificateFile.toFile().getAbsolutePath());
+ attributes.put(NonJavaKeyStore.TYPE, NON_JAVA_KEY_STORE);
- NonJavaKeyStoreImpl fileTrustStore =
- (NonJavaKeyStoreImpl) FACTORY.create(KeyStore.class, attributes, BROKER);
+ final NonJavaKeyStore<?> fileTrustStore = (NonJavaKeyStore<?>) createTestKeyStore(attributes);
KeyManager[] keyManagers = fileTrustStore.getKeyManagers();
assertNotNull(keyManagers);
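Review bot: The `privateKeyUrl` and `certificateUrl` attributes now receive `privateKeyFile.toFile().getAbsolutePath()`, a bare filesystem path, where the removed lines passed `toURI().toURL().toExternalForm()`, so no test left in this class covers the `file:` URL form that the attribute names advertise. Whether the broker falls back to treating a non-URL string as a path is not visible in this hunk; if it does, that fallback is exactly the part worth a dedicated case, since on Windows an absolute path such as `C:\...` begins with a sequence that parses as a URL scheme. Consider keeping one variant that passes `privateKeyFile.toUri().toURL().toExternalForm()` alongside the path-based one. The helper `assertCreationOfTrustStoreFromValidPrivateKeyAndCertificate` continues past the end of this hunk.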
@@ -187,17 +125,14 @@
@Test
public void testCreationOfTrustStoreFromValidPrivateKeyAndInvalidCertificate()throws Exception
{
- File[] resources = extractResourcesFromTestKeyStore(true, TestSSLConstants.BROKER_KEYSTORE);
- _testResources.addAll(Arrays.asList(resources));
-
- File invalidCertificate = TestFileUtils.createTempFile(this, ".invalid.cert", "content");
- _testResources.add(invalidCertificate);
+ final Path privateKeyFile = TLS_RESOURCE.savePrivateKeyAsPem(_keyCertPair.getPrivateKey());
+ final Path certificateFile = TLS_RESOURCE.createFile(".cer");
Map<String,Object> attributes = new HashMap<>();
- attributes.put(NonJavaKeyStore.NAME, "myTestTrustStore");
- attributes.put("privateKeyUrl", resources[0].toURI().toURL().toExternalForm());
- attributes.put("certificateUrl", invalidCertificate.toURI().toURL().toExternalForm());
- attributes.put(NonJavaKeyStore.TYPE, "NonJavaKeyStore");
+ attributes.put(NonJavaKeyStore.NAME, NAME);
+ attributes.put("privateKeyUrl", privateKeyFile.toFile().getAbsolutePath());
+ attributes.put("certificateUrl", certificateFile.toFile().getAbsolutePath());
+ attributes.put(NonJavaKeyStore.TYPE, NON_JAVA_KEY_STORE);
KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
"Cannot load private key or certificate(s): java.security.cert.CertificateException: " +
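Review bot: `TLS_RESOURCE.createFile(".cer")` replaces a temp file that the removed line explicitly filled with the body "content", and nothing in the hunk shows whether `createFile` writes anything; if it yields an empty file, the test now covers the empty-input path rather than the malformed-input path it covered before, and the asserted message on the last visible line is cut off, so I cannot tell which exception text it expects. The same applies to `createFile(".pk")` in the following invalid-private-key test. If malformed content is the intent, write it explicitly, e.g. `Files.write(certificateFile, "content".getBytes(UTF_8));` (requires a `java.nio.file.Files` import). The test method continues past the end of this hunk.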
@@ -207,17 +142,14 @@
@Test
public void testCreationOfTrustStoreFromInvalidPrivateKeyAndValidCertificate()throws Exception
{
- File[] resources = extractResourcesFromTestKeyStore(true, TestSSLConstants.BROKER_KEYSTORE);
- _testResources.addAll(Arrays.asList(resources));
-
- File invalidPrivateKey = TestFileUtils.createTempFile(this, ".invalid.pk", "content");
- _testResources.add(invalidPrivateKey);
+ final Path privateKeyFile = TLS_RESOURCE.createFile(".pk");
+ final Path certificateFile = TLS_RESOURCE.saveCertificateAsPem(_keyCertPair.getCertificate());
Map<String,Object> attributes = new HashMap<>();
- attributes.put(NonJavaKeyStore.NAME, "myTestTrustStore");
- attributes.put("privateKeyUrl", invalidPrivateKey.toURI().toURL().toExternalForm());
- attributes.put("certificateUrl", resources[1].toURI().toURL().toExternalForm());
- attributes.put(NonJavaKeyStore.TYPE, "NonJavaKeyStore");
+ attributes.put(NonJavaKeyStore.NAME, NAME);
+ attributes.put("privateKeyUrl", privateKeyFile.toFile().getAbsolutePath());
+ attributes.put("certificateUrl", certificateFile.toFile().getAbsolutePath());
+ attributes.put(NonJavaKeyStore.TYPE, NON_JAVA_KEY_STORE);
KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
"Cannot load private key or certificate(s): java.security.spec.InvalidKeySpecException: " +
@@ -246,42 +178,29 @@
{
when(BROKER.scheduleHouseKeepingTask(anyLong(), any(TimeUnit.class), any(Runnable.class))).thenReturn(mock(ScheduledFuture.class));
- java.security.KeyStore ks = java.security.KeyStore.getInstance(TestSSLConstants.JAVA_KEYSTORE_TYPE);
- final String storeLocation = TestSSLConstants.BROKER_KEYSTORE;
- try(InputStream is = new FileInputStream(storeLocation))
- {
- ks.load(is, TestSSLConstants.PASSWORD.toCharArray());
- }
- X509Certificate cert = (X509Certificate) ks.getCertificate(TestSSLConstants.CERT_ALIAS_ROOT_CA);
- int expiryDays = (int)((cert.getNotAfter().getTime() - System.currentTimeMillis()) / (24l * 60l * 60l * 1000l));
-
- File[] resources = extractResourcesFromTestKeyStore(false, storeLocation);
- _testResources.addAll(Arrays.asList(resources));
+ final Path privateKeyFile = TLS_RESOURCE.savePrivateKeyAsDer(_keyCertPair.getPrivateKey());
+ final Path certificateFile = TLS_RESOURCE.saveCertificateAsDer(_keyCertPair.getCertificate());
+ final long expiryDays = ChronoUnit.DAYS.between(Instant.now(), _keyCertPair.getCertificate().getNotAfter().toInstant());
Map<String,Object> attributes = new HashMap<>();
- attributes.put(NonJavaKeyStore.NAME, "myTestTrustStore");
- attributes.put("privateKeyUrl", resources[0].toURI().toURL().toExternalForm());
- attributes.put("certificateUrl", resources[1].toURI().toURL().toExternalForm());
+ attributes.put(NonJavaKeyStore.NAME, NAME);
+ attributes.put("privateKeyUrl", privateKeyFile.toFile().getAbsolutePath());
+ attributes.put("certificateUrl", certificateFile.toFile().getAbsolutePath());
attributes.put("context", Collections.singletonMap(KeyStore.CERTIFICATE_EXPIRY_WARN_PERIOD, expiryDays + expiryOffset));
- attributes.put(NonJavaKeyStore.TYPE, "NonJavaKeyStore");
- FACTORY.create(KeyStore.class, attributes, BROKER);
+ attributes.put(NonJavaKeyStore.TYPE, NON_JAVA_KEY_STORE);
+ createTestKeyStore(attributes);
}
@Test
public void testCreationOfKeyStoreWithNonMatchingPrivateKeyAndCertificate()throws Exception
{
- assumeThat(SSLUtil.canGenerateCerts(), is(true));
-
- final SSLUtil.KeyCertPair keyCertPair = generateSelfSignedCertificate();
- final SSLUtil.KeyCertPair keyCertPair2 = generateSelfSignedCertificate();
+ final KeyCertificatePair keyCertPair2 = generateSelfSignedCertificate();
final Map<String,Object> attributes = new HashMap<>();
- attributes.put(NonJavaKeyStore.NAME, "myTestTrustStore");
- attributes.put(NonJavaKeyStore.PRIVATE_KEY_URL,
- DataUrlUtils.getDataUrlForBytes(TestSSLUtils.privateKeyToPEM(keyCertPair.getPrivateKey()).getBytes(UTF_8)));
- attributes.put(NonJavaKeyStore.CERTIFICATE_URL,
- DataUrlUtils.getDataUrlForBytes(TestSSLUtils.certificateToPEM(keyCertPair2.getCertificate()).getBytes(UTF_8)));
- attributes.put(NonJavaKeyStore.TYPE, "NonJavaKeyStore");
+ attributes.put(NonJavaKeyStore.NAME, NAME);
+ attributes.put(NonJavaKeyStore.PRIVATE_KEY_URL, getPrivateKeyAsDataUrl(_keyCertPair.getPrivateKey()));
+ attributes.put(NonJavaKeyStore.CERTIFICATE_URL, getCertificateAsDataUrl(keyCertPair2.getCertificate()));
+ attributes.put(NonJavaKeyStore.TYPE, NON_JAVA_KEY_STORE);
KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
"Private key does not match certificate");
@@ -290,23 +209,18 @@
@Test
public void testUpdateKeyStoreToNonMatchingCertificate()throws Exception
{
- assumeThat(SSLUtil.canGenerateCerts(), is(true));
-
- final SSLUtil.KeyCertPair keyCertPair = generateSelfSignedCertificate();
- final SSLUtil.KeyCertPair keyCertPair2 = generateSelfSignedCertificate();
-
final Map<String,Object> attributes = new HashMap<>();
attributes.put(NonJavaKeyStore.NAME, getTestName());
- attributes.put(NonJavaKeyStore.PRIVATE_KEY_URL,
- DataUrlUtils.getDataUrlForBytes(TestSSLUtils.privateKeyToPEM(keyCertPair.getPrivateKey()).getBytes(UTF_8)));
- attributes.put(NonJavaKeyStore.CERTIFICATE_URL,
- DataUrlUtils.getDataUrlForBytes(TestSSLUtils.certificateToPEM(keyCertPair.getCertificate()).getBytes(UTF_8)));
- attributes.put(NonJavaKeyStore.TYPE, "NonJavaKeyStore");
+ attributes.put(NonJavaKeyStore.PRIVATE_KEY_URL, getPrivateKeyAsDataUrl(_keyCertPair.getPrivateKey()));
+ attributes.put(NonJavaKeyStore.CERTIFICATE_URL, getCertificateAsDataUrl(_keyCertPair.getCertificate()));
+ attributes.put(NonJavaKeyStore.TYPE, NON_JAVA_KEY_STORE);
- final KeyStore trustStore = (KeyStore) FACTORY.create(KeyStore.class, attributes, BROKER);
+ final KeyStore<?> trustStore = createTestKeyStore(attributes);
+
+ final KeyCertificatePair keyCertPair2 = generateSelfSignedCertificate();
try
{
- final String certUrl = DataUrlUtils.getDataUrlForBytes(TestSSLUtils.certificateToPEM(keyCertPair2.getCertificate()).getBytes(UTF_8));
+ final String certUrl = getCertificateAsDataUrl(keyCertPair2.getCertificate());
trustStore.setAttributes(Collections.singletonMap("certificateUrl", certUrl));
fail("Created key store from invalid certificate");
}
@@ -316,19 +230,25 @@
}
}
- private SSLUtil.KeyCertPair generateSelfSignedCertificate() throws Exception
+ @SuppressWarnings("unchecked")
+ private KeyStore<?> createTestKeyStore(final Map<String, Object> attributes)
{
- return SSLUtil.generateSelfSignedCertificate("RSA",
- "SHA256WithRSA",
- 2048,
- Instant.now()
- .minus(1, ChronoUnit.DAYS)
- .toEpochMilli(),
- Duration.of(365, ChronoUnit.DAYS)
- .getSeconds(),
- "CN=foo",
- Collections.emptySet(),
- Collections.emptySet());
+ return (KeyStore<?>) FACTORY.create(KeyStore.class, attributes, BROKER);
+ }
+
+ private String getCertificateAsDataUrl(final X509Certificate certificate) throws CertificateEncodingException
+ {
+ return DataUrlUtils.getDataUrlForBytes(TlsResourceHelper.toPEM(certificate).getBytes(UTF_8));
+ }
+
+ private String getPrivateKeyAsDataUrl(final PrivateKey privateKey)
+ {
+ return DataUrlUtils.getDataUrlForBytes(TlsResourceHelper.toPEM(privateKey).getBytes(UTF_8));
+ }
+
+ private KeyCertificatePair generateSelfSignedCertificate() throws Exception
+ {
+ return TlsResourceBuilder.createSelfSigned(DN_FOO);
}
private static class LogMessageArgumentMatcher implements ArgumentMatcher<LogMessage>
diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaTrustStoreTest.java b/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaTrustStoreTest.java
index 6ac9699..f94430d 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaTrustStoreTest.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaTrustStoreTest.java
@@ -24,44 +24,82 @@
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
-import java.security.KeyStore;
+import java.io.File;
+import java.nio.file.Path;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.X509Certificate;
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
+import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
+import org.junit.ClassRule;
+import org.junit.Test;
+
import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.BrokerModel;
import org.apache.qpid.server.model.BrokerTestHelper;
import org.apache.qpid.server.model.ConfiguredObjectFactory;
-import org.apache.qpid.test.utils.UnitTestBase;
-import org.junit.Test;
-
import org.apache.qpid.server.model.TrustStore;
-import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
-import org.apache.qpid.test.utils.TestSSLConstants;
+import org.apache.qpid.test.utils.tls.KeyCertificatePair;
+import org.apache.qpid.test.utils.tls.TlsResource;
+import org.apache.qpid.test.utils.tls.TlsResourceBuilder;
+import org.apache.qpid.test.utils.UnitTestBase;
public class NonJavaTrustStoreTest extends UnitTestBase
{
+ @ClassRule
+ public static final TlsResource TLS_RESOURCE = new TlsResource();
+
private static final Broker BROKER = BrokerTestHelper.createBrokerMock();
private static final ConfiguredObjectFactory FACTORY = BrokerModel.getInstance().getObjectFactory();
+ private static final String NAME = "myTestTrustStore";
+ private static final String NON_JAVA_TRUST_STORE = "NonJavaTrustStore";
+ private static final String DN_FOO = "CN=foo";
+ private static final String DN_CA = "CN=CA";
+ private static final String DN_BAR = "CN=bar";
+ private static final String NOT_A_CRL = "/not/a/crl";
+
+ @Test
+ public void testCreationOfTrustStoreWithoutCRL() throws Exception
+ {
+ final KeyCertificatePair keyCertPair = TlsResourceBuilder.createSelfSigned(DN_FOO);
+ final Path certificateFile = TLS_RESOURCE.saveCertificateAsPem(keyCertPair.getCertificate());
+
+ Map<String, Object> attributes = new HashMap<>();
+ attributes.put(NonJavaTrustStore.NAME, NAME);
+ attributes.put(NonJavaTrustStore.CERTIFICATES_URL, certificateFile.toFile().getAbsolutePath());
+ attributes.put(NonJavaTrustStore.TYPE, NON_JAVA_TRUST_STORE);
+ attributes.put(NonJavaTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, false);
+
+ TrustStore<?> trustStore = createTestTrustStore(attributes);
+
+ TrustManager[] trustManagers = trustStore.getTrustManagers();
+ assertNotNull(trustManagers);
+ assertEquals("Unexpected number of trust managers", 1, trustManagers.length);
+ assertNotNull("Trust manager unexpected null", trustManagers[0]);
+ }
+
@Test
public void testCreationOfTrustStoreFromValidCertificate() throws Exception
{
- Map<String,Object> attributes = new HashMap<>();
- attributes.put(NonJavaTrustStore.NAME, "myTestTrustStore");
- attributes.put(NonJavaTrustStore.CERTIFICATES_URL, TestSSLConstants.BROKER_CRT);
- attributes.put(NonJavaTrustStore.TYPE, "NonJavaTrustStore");
- attributes.put(NonJavaTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
- attributes.put(NonJavaTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL);
+ final CertificateAndCrl<File> data = generateCertificateAndCrl();
- TrustStore trustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
+ Map<String, Object> attributes = new HashMap<>();
+ attributes.put(NonJavaTrustStore.NAME, NAME);
+ attributes.put(NonJavaTrustStore.CERTIFICATES_URL, data.getCertificate().getAbsolutePath());
+ attributes.put(NonJavaTrustStore.TYPE, NON_JAVA_TRUST_STORE);
+ attributes.put(NonJavaTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+ attributes.put(NonJavaTrustStore.CERTIFICATE_REVOCATION_LIST_URL, data.getCrl().getAbsolutePath());
+
+ TrustStore<?> trustStore = createTestTrustStore(attributes);
TrustManager[] trustManagers = trustStore.getTrustManagers();
assertNotNull(trustManagers);
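Review bot: `testCreationOfTrustStoreFromValidCertificate` enables revocation checking and points at a CRL that revokes both leaf certificates minted by `generateCertificateAndCrl`, yet the visible assertions only verify that a trust manager exists, so the revocation path is never exercised and a trust store that silently ignored the CRL would still pass. The helper discards the leaves, so the test cannot currently reach them; if `CertificateAndCrl` exposed one revoked pair, this test could cast `trustManagers[0]` to `X509TrustManager` and assert that `checkClientTrusted(new X509Certificate[]{revoked.getCertificate()}, "NULL")` throws `CertificateException`, mirroring what `testUseOfExpiredTrustAnchorDenied` does for expiry. I am assuming the revocation check happens inside the trust manager returned here; confirm against `NonJavaTrustStore`. The method's remaining assertions lie outside this hunk.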
@@ -70,54 +108,59 @@
}
@Test
- public void testChangeOfCrlInTrustStoreFromValidCertificate()
+ public void testChangeOfCrlInTrustStoreFromValidCertificate() throws Exception
{
- Map<String,Object> attributes = new HashMap<>();
- attributes.put(NonJavaTrustStore.NAME, "myTestTrustStore");
- attributes.put(NonJavaTrustStore.CERTIFICATES_URL, TestSSLConstants.BROKER_CRT);
- attributes.put(NonJavaTrustStore.TYPE, "NonJavaTrustStore");
- attributes.put(NonJavaTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
- attributes.put(NonJavaTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL);
+ final CertificateAndCrl<File> data = generateCertificateAndCrl();
- TrustStore trustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
+ Map<String, Object> attributes = new HashMap<>();
+ attributes.put(NonJavaTrustStore.NAME, NAME);
+ attributes.put(NonJavaTrustStore.CERTIFICATES_URL, data.getCertificate().getAbsolutePath());
+ attributes.put(NonJavaTrustStore.TYPE, NON_JAVA_TRUST_STORE);
+ attributes.put(NonJavaTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+ attributes.put(NonJavaTrustStore.CERTIFICATE_REVOCATION_LIST_URL, data.getCrl().getAbsolutePath());
+
+ TrustStore<?> trustStore = createTestTrustStore(attributes);
try
{
- Map<String,Object> unacceptableAttributes = new HashMap<>();
- unacceptableAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, "/not/a/crl");
-
- trustStore.setAttributes(unacceptableAttributes);
+ trustStore.setAttributes(Collections.singletonMap(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL,
+ NOT_A_CRL));
fail("Exception not thrown");
}
catch (IllegalConfigurationException e)
{
String message = e.getMessage();
assertTrue("Exception text not as unexpected:" + message,
- message.contains("Unable to load certificate revocation list '/not/a/crl' for truststore 'myTestTrustStore'"));
+ message.contains(String.format(
+ "Unable to load certificate revocation list '%s' for truststore '%s'",
+ NOT_A_CRL,
+ NAME)));
}
assertEquals("Unexpected CRL path value after failed change",
- TestSSLConstants.CA_CRL, trustStore.getCertificateRevocationListUrl());
+ data.getCrl().getAbsolutePath(), trustStore.getCertificateRevocationListUrl());
- Map<String,Object> changedAttributes = new HashMap<>();
- changedAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL_EMPTY);
-
- trustStore.setAttributes(changedAttributes);
+ final Path emptyCrl = TLS_RESOURCE.createCrl(data.getCa());
+ trustStore.setAttributes(Collections.singletonMap(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL,
+ emptyCrl.toFile().getAbsolutePath()));
assertEquals("Unexpected CRL path value after change that is expected to be successful",
- TestSSLConstants.CA_CRL_EMPTY, trustStore.getCertificateRevocationListUrl());
+ emptyCrl.toFile().getAbsolutePath(), trustStore.getCertificateRevocationListUrl());
}
@Test
public void testUseOfExpiredTrustAnchorDenied() throws Exception
{
- Map<String,Object> attributes = new HashMap<>();
- attributes.put(NonJavaTrustStore.NAME, "myTestTrustStore");
- attributes.put(NonJavaTrustStore.TRUST_ANCHOR_VALIDITY_ENFORCED, true);
- attributes.put(NonJavaTrustStore.CERTIFICATES_URL, TestSSLConstants.CLIENT_EXPIRED_CRT);
- attributes.put(NonJavaTrustStore.TYPE, "NonJavaTrustStore");
+ final KeyCertificatePair keyCertPair = createExpiredCertificate();
+ final Path certificatePath = TLS_RESOURCE.saveCertificateAsPem(keyCertPair.getCertificate());
- TrustStore trustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
+ Map<String, Object> attributes = new HashMap<>();
+ attributes.put(NonJavaTrustStore.NAME, NAME);
+ attributes.put(NonJavaTrustStore.TRUST_ANCHOR_VALIDITY_ENFORCED, true);
+ attributes.put(NonJavaTrustStore.CERTIFICATES_URL, certificatePath.toFile().getAbsolutePath());
+ attributes.put(NonJavaTrustStore.TYPE, NON_JAVA_TRUST_STORE);
+
+ TrustStore<?> trustStore = createTestTrustStore(attributes);
TrustManager[] trustManagers = trustStore.getTrustManagers();
assertNotNull(trustManagers);
@@ -126,15 +169,9 @@
assertTrue("Unexpected trust manager type", condition);
X509TrustManager trustManager = (X509TrustManager) trustManagers[0];
- KeyStore clientStore = SSLUtil.getInitializedKeyStore(TestSSLConstants.CLIENT_EXPIRED_KEYSTORE,
- TestSSLConstants.PASSWORD,
- TestSSLConstants.JAVA_KEYSTORE_TYPE);
- String alias = clientStore.aliases().nextElement();
- X509Certificate certificate = (X509Certificate) clientStore.getCertificate(alias);
-
try
{
- trustManager.checkClientTrusted(new X509Certificate[] {certificate}, "NULL");
+ trustManager.checkClientTrusted(new X509Certificate[]{keyCertPair.getCertificate()}, "NULL");
fail("Exception not thrown");
}
catch (CertificateException e)
@@ -148,33 +185,93 @@
{
throw e;
}
-
}
}
@Test
- public void testCreationOfTrustStoreFromNonCertificate()
+ public void testCreationOfTrustStoreWithoutCertificate() throws Exception
{
- Map<String,Object> attributes = new HashMap<>();
- attributes.put(NonJavaTrustStore.NAME, "myTestTrustStore");
- attributes.put(NonJavaTrustStore.CERTIFICATES_URL, TestSSLConstants.BROKER_CSR);
- attributes.put(NonJavaTrustStore.TYPE, "NonJavaTrustStore");
+ final CertificateAndCrl<File> data = generateCertificateAndCrl();
+
+ Map<String, Object> attributes = new HashMap<>();
+ attributes.put(NonJavaTrustStore.NAME, NAME);
+ attributes.put(NonJavaTrustStore.CERTIFICATES_URL, data.getCrl().getAbsolutePath());
+ attributes.put(NonJavaTrustStore.TYPE, NON_JAVA_TRUST_STORE);
KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
- "Cannot load certificate(s)");
+ "Cannot load certificate(s)");
}
@Test
- public void testCreationOfTrustStoreFromValidCertificate_MissingCrlFile()
+ public void testCreationOfTrustStoreFromValidCertificate_MissingCrlFile() throws Exception
{
- Map<String,Object> attributes = new HashMap<>();
- attributes.put(NonJavaTrustStore.NAME, "myTestTrustStore");
- attributes.put(NonJavaTrustStore.CERTIFICATES_URL, TestSSLConstants.BROKER_CRT);
- attributes.put(NonJavaTrustStore.TYPE, "NonJavaTrustStore");
+ final KeyCertificatePair keyCertPair = TlsResourceBuilder.createSelfSigned(DN_FOO);
+ final Path certificateFile = TLS_RESOURCE.saveCertificateAsPem(keyCertPair.getCertificate());
+
+ Map<String, Object> attributes = new HashMap<>();
+ attributes.put(NonJavaTrustStore.NAME, NAME);
+ attributes.put(NonJavaTrustStore.CERTIFICATES_URL, certificateFile.toFile().getAbsolutePath());
+ attributes.put(NonJavaTrustStore.TYPE, NON_JAVA_TRUST_STORE);
attributes.put(NonJavaTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
- attributes.put(NonJavaTrustStore.CERTIFICATE_REVOCATION_LIST_URL, "/not/a/crl");
+ attributes.put(NonJavaTrustStore.CERTIFICATE_REVOCATION_LIST_URL, NOT_A_CRL);
KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
- "Unable to load certificate revocation list '/not/a/crl' for truststore 'myTestTrustStore'");
+ String.format(
+ "Unable to load certificate revocation list '%s' for truststore '%s'",
+ NOT_A_CRL,
+ NAME));
+ }
+
+ private KeyCertificatePair createExpiredCertificate() throws Exception
+ {
+ final Instant from = Instant.now().minus(10, ChronoUnit.DAYS);
+ final Instant to = Instant.now().minus(5, ChronoUnit.DAYS);
+ return TlsResourceBuilder.createSelfSigned(DN_FOO, from, to);
+ }
+
+ @SuppressWarnings("unchecked")
+ private NonJavaTrustStore<?> createTestTrustStore(final Map<String, Object> attributes)
+ {
+ return (NonJavaTrustStore<?>) FACTORY.create(TrustStore.class, attributes, BROKER);
+ }
+
+ private CertificateAndCrl<File> generateCertificateAndCrl() throws Exception
+ {
+ final KeyCertificatePair caPair = TlsResourceBuilder.createKeyPairAndRootCA(DN_CA);
+ final KeyCertificatePair keyCertPair1 = TlsResourceBuilder.createKeyPairAndCertificate(DN_FOO, caPair);
+ final KeyCertificatePair keyCertPair2 = TlsResourceBuilder.createKeyPairAndCertificate(DN_BAR, caPair);
+ final Path clrFile =
+ TLS_RESOURCE.createCrl(caPair, keyCertPair1.getCertificate(), keyCertPair2.getCertificate());
+ final Path caCertificateFile = TLS_RESOURCE.saveCertificateAsPem(caPair.getCertificate());
+ return new CertificateAndCrl<>(caCertificateFile.toFile(), clrFile.toFile(), caPair);
+ }
+
+ private static class CertificateAndCrl<T>
+ {
+ private T _certificate;
+ private T _crl;
+ private KeyCertificatePair _ca;
+
+ private CertificateAndCrl(final T certificate, final T crl, KeyCertificatePair ca)
+ {
+ _certificate = certificate;
+ _crl = crl;
+ _ca = ca;
+ }
+
+ T getCertificate()
+ {
+ return _certificate;
+ }
+
+ T getCrl()
+ {
+ return _crl;
+ }
+
+ KeyCertificatePair getCa()
+ {
+ return _ca;
+ }
}
}
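Review bot: `generateCertificateAndCrl` throws away `keyCertPair1` and `keyCertPair2` immediately after revoking them, so callers can only prove that the CRL loads, never that a revoked certificate is rejected; the local holding the CRL path is also misspelled `clrFile`. Since `CertificateAndCrl` is only populated in its constructor, its fields can be `final`, and carrying one revoked pair lets the trust-store tests assert the negative case. The following keeps the existing getters and adds only the revoked pair:
```java
        final Path crlFile =
                TLS_RESOURCE.createCrl(caPair, keyCertPair1.getCertificate(), keyCertPair2.getCertificate());
        final Path caCertificateFile = TLS_RESOURCE.saveCertificateAsPem(caPair.getCertificate());
        return new CertificateAndCrl<>(caCertificateFile.toFile(), crlFile.toFile(), caPair, keyCertPair1);
    }

    private static class CertificateAndCrl<T>
    {
        private final T _certificate;
        private final T _crl;
        private final KeyCertificatePair _ca;
        private final KeyCertificatePair _revoked;

        private CertificateAndCrl(final T certificate,
                                  final T crl,
                                  final KeyCertificatePair ca,
                                  final KeyCertificatePair revoked)
        {
            _certificate = certificate;
            _crl = crl;
            _ca = ca;
            _revoked = revoked;
        }

        // … unchanged: getCertificate(), getCrl(), getCa() …

        KeyCertificatePair getRevoked()
        {
            return _revoked;
        }
    }
```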
diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/SiteSpecificTrustStoreTest.java b/broker-core/src/test/java/org/apache/qpid/server/security/SiteSpecificTrustStoreTest.java
index d7a0454..1da3c38 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/security/SiteSpecificTrustStoreTest.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/security/SiteSpecificTrustStoreTest.java
@@ -26,13 +26,13 @@
import static org.junit.Assert.fail;
import java.io.Closeable;
-import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.ServerSocket;
import java.net.Socket;
-import java.security.KeyStore;
+import java.nio.file.Path;
import java.security.SecureRandom;
+import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
@@ -45,6 +45,11 @@
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocketFactory;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.ClassRule;
+import org.junit.Test;
+
import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.BrokerModel;
@@ -52,66 +57,89 @@
import org.apache.qpid.server.model.ConfiguredObjectFactory;
import org.apache.qpid.server.model.TrustStore;
import org.apache.qpid.test.utils.UnitTestBase;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-
-import org.apache.qpid.test.utils.TestSSLConstants;
+import org.apache.qpid.test.utils.tls.KeyCertificatePair;
+import org.apache.qpid.test.utils.tls.PrivateKeyEntry;
+import org.apache.qpid.test.utils.tls.TlsResource;
+import org.apache.qpid.test.utils.tls.TlsResourceBuilder;
+import org.apache.qpid.test.utils.tls.TlsResourceHelper;
public class SiteSpecificTrustStoreTest extends UnitTestBase
{
+
+ @ClassRule
+ public static final TlsResource TLS_RESOURCE = new TlsResource();
+
+
private static final Broker BROKER = BrokerTestHelper.createBrokerMock();
private static final ConfiguredObjectFactory FACTORY = BrokerModel.getInstance().getObjectFactory();
- private static final String EXPECTED_SUBJECT = "CN=localhost,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=CA";
- private static final String EXPECTED_ISSUER = "CN=MyRootCA,O=ACME,ST=Ontario,C=CA";
+ private static final String EXPECTED_SUBJECT = "CN=localhost";
+ private static final String EXPECTED_ISSUER = "CN=MyRootCA";
+ private static final String DN_BAR = "CN=bar";
+ private static final String NAME = "mySiteSpecificTrustStore";
+ private static final String SITE_SPECIFIC_TRUST_STORE = "SiteSpecificTrustStore";
+ private static final String NOT_SUPPORTED_URL = "file:/not/a/host";
+ private static final String INVALID_URL = "notaurl:541";
+ private static final String NOT_A_CRL = "/not/a/crl";
private TestPeer _testPeer;
+ private String _clrUrl;
+ private KeyCertificatePair _caKeyCertPair;
+ private KeyCertificatePair _keyCertPair;
@Before
- public void setUpSiteSpecificTrustStore()
+ public void setUpSiteSpecificTrustStore() throws Exception
{
int connectTimeout = Integer.getInteger("SiteSpecificTrustStoreTest.connectTimeout", 1000);
int readTimeout = Integer.getInteger("SiteSpecificTrustStoreTest.readTimeout", 1000);
- setTestSystemProperty(SiteSpecificTrustStore.TRUST_STORE_SITE_SPECIFIC_CONNECT_TIMEOUT, String.valueOf(connectTimeout));
- setTestSystemProperty(SiteSpecificTrustStore.TRUST_STORE_SITE_SPECIFIC_READ_TIMEOUT, String.valueOf(readTimeout));
+ setTestSystemProperty(SiteSpecificTrustStore.TRUST_STORE_SITE_SPECIFIC_CONNECT_TIMEOUT,
+ String.valueOf(connectTimeout));
+ setTestSystemProperty(SiteSpecificTrustStore.TRUST_STORE_SITE_SPECIFIC_READ_TIMEOUT,
+ String.valueOf(readTimeout));
+
+ _caKeyCertPair = TlsResourceBuilder.createKeyPairAndRootCA(EXPECTED_ISSUER);
+ _keyCertPair = TlsResourceBuilder.createKeyPairAndCertificate(EXPECTED_SUBJECT, _caKeyCertPair);
+ final KeyCertificatePair keyCertPair2 = TlsResourceBuilder.createKeyPairAndCertificate(DN_BAR, _caKeyCertPair);
+ _clrUrl = TLS_RESOURCE.createCrlAsDataUrl(_caKeyCertPair, keyCertPair2.getCertificate());
}
@After
public void tearDown() throws Exception
{
- try
+ if (_testPeer != null)
{
- }
- finally
- {
- if (_testPeer != null)
- {
- _testPeer.close();
- }
+ _testPeer.close();
}
}
@Test
public void testMalformedSiteUrl()
{
- Map<String,Object> attributes = new HashMap<>();
- attributes.put(SiteSpecificTrustStore.NAME, "mySiteSpecificTrustStore");
- attributes.put(SiteSpecificTrustStore.TYPE, "SiteSpecificTrustStore");
- attributes.put("siteUrl", "notaurl:541");
+ Map<String, Object> attributes = new HashMap<>();
+ attributes.put(SiteSpecificTrustStore.NAME, NAME);
+ attributes.put(SiteSpecificTrustStore.TYPE, SITE_SPECIFIC_TRUST_STORE);
+ attributes.put("siteUrl", INVALID_URL);
- KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
- "'notaurl:541' is not a valid URL");
+ KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY,
+ BROKER,
+ TrustStore.class,
+ attributes,
+ String.format("'%s' is not a valid URL",
+ INVALID_URL));
}
@Test
public void testSiteUrlDoesNotSupplyHostPort()
{
- Map<String,Object> attributes = new HashMap<>();
- attributes.put(SiteSpecificTrustStore.NAME, "mySiteSpecificTrustStore");
- attributes.put(SiteSpecificTrustStore.TYPE, "SiteSpecificTrustStore");
- attributes.put("siteUrl", "file:/not/a/host");
+ Map<String, Object> attributes = new HashMap<>();
+ attributes.put(SiteSpecificTrustStore.NAME, NAME);
+ attributes.put(SiteSpecificTrustStore.TYPE, SITE_SPECIFIC_TRUST_STORE);
+ attributes.put("siteUrl", NOT_SUPPORTED_URL);
- KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
- "URL 'file:/not/a/host' does not provide a hostname and port number");
+ KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER,
+ TrustStore.class,
+ attributes,
+ String.format(
+ "URL '%s' does not provide a hostname and port number",
+ NOT_SUPPORTED_URL));
}
@Test
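Review bot: The new field `_clrUrl` (declared next to `_caKeyCertPair` and assigned from `TLS_RESOURCE.createCrlAsDataUrl(...)`) holds a certificate revocation list URL, so the name reads like a transposition of `_crlUrl`; renaming it here and in the two `CERTIFICATE_REVOCATION_LIST_URL` hunks below (`@@ -134,10 +165,9 @@` and `@@ -155,36 +185,34 @@`) would keep it aligned with the CRL vocabulary of the constants it sits beside. `testMalformedSiteUrl` and `testSiteUrlDoesNotSupplyHostPort` repeat the NAME/TYPE map entries that `getTrustStoreAttributes(int)` also writes; an overload `getTrustStoreAttributes(final String siteUrl)` that the port variant delegates to would remove the duplication. Since `setUpSiteSpecificTrustStore` now regenerates a root CA, two leaf certificates and a CRL before every test, a one-line comment stating that this is deliberate (presumably so no test sees another test's certificates) would save the next reader from moving it into a `@BeforeClass`.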
@@ -122,8 +150,11 @@
int listeningPort = _testPeer.start();
Map<String, Object> attributes = getTrustStoreAttributes(listeningPort);
- KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
- "Unable to get certificate for 'mySiteSpecificTrustStore' from");
+ KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER,
+ TrustStore.class,
+ attributes,
+ String.format(
+ "Unable to get certificate for '%s' from", NAME));
}
@Test
@@ -134,10 +165,9 @@
Map<String, Object> attributes = getTrustStoreAttributes(listeningPort);
attributes.put(SiteSpecificTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
- attributes.put(SiteSpecificTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL);
+ attributes.put(SiteSpecificTrustStore.CERTIFICATE_REVOCATION_LIST_URL, _clrUrl);
- final SiteSpecificTrustStore trustStore =
- (SiteSpecificTrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
+ final SiteSpecificTrustStore<?> trustStore = createTestTrustStore(attributes);
List<CertificateDetails> certDetails = trustStore.getCertificateDetails();
assertEquals("Unexpected number of certificates", 1, certDetails.size());
@@ -155,36 +185,34 @@
Map<String, Object> attributes = getTrustStoreAttributes(listeningPort);
attributes.put(SiteSpecificTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
- attributes.put(SiteSpecificTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL);
+ attributes.put(SiteSpecificTrustStore.CERTIFICATE_REVOCATION_LIST_URL, _clrUrl);
- final SiteSpecificTrustStore trustStore =
- (SiteSpecificTrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
+ final SiteSpecificTrustStore<?> trustStore = createTestTrustStore(attributes);
try
{
- Map<String,Object> unacceptableAttributes = new HashMap<>();
- unacceptableAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, "/not/a/crl");
-
- trustStore.setAttributes(unacceptableAttributes);
+ trustStore.setAttributes(Collections.singletonMap(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL,
+ NOT_A_CRL));
fail("Exception not thrown");
}
catch (IllegalConfigurationException e)
{
String message = e.getMessage();
assertTrue("Exception text not as unexpected:" + message,
- message.contains("Unable to load certificate revocation list '/not/a/crl' for truststore 'mySiteSpecificTrustStore'"));
+ message.contains(
+ String.format("Unable to load certificate revocation list '%s' for truststore '%s'", NOT_A_CRL, NAME)));
}
assertEquals("Unexpected CRL path value after failed change",
- TestSSLConstants.CA_CRL, trustStore.getCertificateRevocationListUrl());
+ _clrUrl, trustStore.getCertificateRevocationListUrl());
- Map<String,Object> changedAttributes = new HashMap<>();
- changedAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL_EMPTY);
+ final Path emptyCrl = TLS_RESOURCE.createCrl(_caKeyCertPair);
+ trustStore.setAttributes(Collections.singletonMap(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL,
+ emptyCrl.toFile().getAbsolutePath()));
- trustStore.setAttributes(changedAttributes);
assertEquals("Unexpected CRL path value after change that is expected to be successful",
- TestSSLConstants.CA_CRL_EMPTY, trustStore.getCertificateRevocationListUrl());
+ emptyCrl.toFile().getAbsolutePath(), trustStore.getCertificateRevocationListUrl());
}
@Test
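Review bot: `emptyCrl.toFile().getAbsolutePath()` is evaluated twice in the tail of this test, once to set the attribute and once as the expected value of the assertion; capturing it as `final String emptyCrlPath = emptyCrl.toAbsolutePath().toString();` and using it in both places makes the assertion visibly compare against the exact value that was set. The initial CRL is a `data:` URL from `createCrlAsDataUrl` while the replacement is a filesystem path, so the test now exercises both URL forms; a short comment on the `createCrl` line noting that the switch of form is intentional would prevent someone "harmonising" them later.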
@@ -194,10 +222,13 @@
int listeningPort = _testPeer.start();
Map<String, Object> attributes = getTrustStoreAttributes(listeningPort);
attributes.put(SiteSpecificTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
- attributes.put(SiteSpecificTrustStore.CERTIFICATE_REVOCATION_LIST_URL, "/not/a/crl");
+ attributes.put(SiteSpecificTrustStore.CERTIFICATE_REVOCATION_LIST_URL, NOT_A_CRL);
- KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
- "Unable to load certificate revocation list '/not/a/crl' for truststore 'mySiteSpecificTrustStore'");
+ KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER,
+ TrustStore.class,
+ attributes,
+ String.format(
+ "Unable to load certificate revocation list '%s' for truststore '%s'", NOT_A_CRL, NAME));
}
@Test
@@ -208,8 +239,7 @@
Map<String, Object> attributes = getTrustStoreAttributes(listeningPort);
- final SiteSpecificTrustStore trustStore =
- (SiteSpecificTrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
+ final SiteSpecificTrustStore<?> trustStore = createTestTrustStore(attributes);
List<CertificateDetails> certDetails = trustStore.getCertificateDetails();
assertEquals("Unexpected number of certificates", 1, certDetails.size());
@@ -228,11 +258,17 @@
assertEquals("Unexpected certificate issuer", EXPECTED_ISSUER, certificateDetails.getIssuerName());
}
+ @SuppressWarnings("unchecked")
+ private SiteSpecificTrustStore createTestTrustStore(final Map<String, Object> attributes)
+ {
+ return (SiteSpecificTrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
+ }
+
private Map<String, Object> getTrustStoreAttributes(final int listeningPort)
{
- Map<String,Object> attributes = new HashMap<>();
- attributes.put(SiteSpecificTrustStore.NAME, "mySiteSpecificTrustStore");
- attributes.put(SiteSpecificTrustStore.TYPE, "SiteSpecificTrustStore");
+ Map<String, Object> attributes = new HashMap<>();
+ attributes.put(SiteSpecificTrustStore.NAME, NAME);
+ attributes.put(SiteSpecificTrustStore.TYPE, SITE_SPECIFIC_TRUST_STORE);
attributes.put("siteUrl", String.format("https://localhost:%d", listeningPort));
return attributes;
}
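Review bot: `createTestTrustStore` returns the raw type `SiteSpecificTrustStore` and carries `@SuppressWarnings("unchecked")`, yet every caller in this file assigns the result straight to `SiteSpecificTrustStore<?>`. Declaring it as `private SiteSpecificTrustStore<?> createTestTrustStore(final Map<String, Object> attributes)` with `return (SiteSpecificTrustStore<?>) FACTORY.create(TrustStore.class, attributes, BROKER);` casts to an unbounded-wildcard type, which is not an unchecked cast, so the suppression can go. A one-line Javadoc such as `/** Creates a SiteSpecificTrustStore from {@code attributes} with the shared mock broker as parent. */` would also help, since the helper hides the factory and parent wiring.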
@@ -279,22 +315,24 @@
private ServerSocket createTestSSLServerSocket() throws Exception
{
- char[] keyPassword = TestSSLConstants.PASSWORD.toCharArray();
- try(InputStream inputStream = new FileInputStream(TestSSLConstants.BROKER_KEYSTORE))
- {
- KeyStore keyStore = KeyStore.getInstance(TestSSLConstants.JAVA_KEYSTORE_TYPE);
- KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
- keyStore.load(inputStream, keyPassword);
- keyManagerFactory.init(keyStore, keyPassword);
- KeyManager keyManagers[] = keyManagerFactory.getKeyManagers();
- SSLContext sslContext = SSLContext.getInstance("SSL");
- sslContext.init(keyManagers, null, new SecureRandom());
- SSLServerSocketFactory socketFactory = sslContext.getServerSocketFactory();
- ServerSocket serverSocket = socketFactory.createServerSocket(0);
- serverSocket.setSoTimeout(100);
+ char[] secret = "".toCharArray();
- return serverSocket;
- }
+ java.security.KeyStore inMemoryKeyStore =
+ TlsResourceHelper.createKeyStore(java.security.KeyStore.getDefaultType(),
+ secret,
+ new PrivateKeyEntry("1",
+ _keyCertPair.getPrivateKey(),
+ _keyCertPair.getCertificate()));
+
+ KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+ kmf.init(inMemoryKeyStore, secret);
+ KeyManager[] keyManagers = kmf.getKeyManagers();
+ SSLContext sslContext = SSLContext.getInstance("TLS");
+ sslContext.init(keyManagers, null, new SecureRandom());
+ SSLServerSocketFactory socketFactory = sslContext.getServerSocketFactory();
+ ServerSocket serverSocket = socketFactory.createServerSocket(0);
+ serverSocket.setSoTimeout(100);
+ return serverSocket;
}
private class AcceptingRunnable implements Runnable
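Review bot: `createTestSSLServerSocket` spells out `java.security.KeyStore` twice instead of importing it; if that is to avoid a clash with the broker model's own key store type (the file already imports `org.apache.qpid.server.model.TrustStore`, so that seems likely), a short comment saying so would stop the next reader from "simplifying" it back to an import. The empty password is written as `"".toCharArray()` here but as `new char[]{}` in the `TrustManagerTest` helpers added by the same commit; one form, e.g. `new char[0]`, would keep the two test utilities consistent, and a comment like `// in-memory test store, empty password is intentional` documents why no secret is used. Moving the context from `"SSL"` to `"TLS"` is the right call; note it in the commit message or a comment so nobody reads it as an accidental rename.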
@@ -309,6 +347,7 @@
final InputStream inputStream = sock.getInputStream();
while (inputStream.read() != -1)
{
+ // ignore
}
}
catch (IOException e)
diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProviderImplTest.java b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProviderImplTest.java
index f4348dd..e52942b 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProviderImplTest.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProviderImplTest.java
@@ -26,6 +26,7 @@
import static org.mockito.Mockito.when;
import java.nio.charset.StandardCharsets;
+import java.nio.file.Path;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
@@ -39,6 +40,7 @@
import org.junit.After;
import org.junit.Before;
+import org.junit.ClassRule;
import org.junit.Test;
import org.apache.qpid.server.configuration.updater.CurrentThreadTaskExecutor;
@@ -53,10 +55,14 @@
import org.apache.qpid.server.security.auth.manager.oauth2.cloudfoundry.CloudFoundryOAuth2IdentityResolverService;
import org.apache.qpid.server.security.auth.sasl.SaslNegotiator;
import org.apache.qpid.server.security.auth.sasl.oauth2.OAuth2Negotiator;
+import org.apache.qpid.test.utils.tls.TlsResource;
import org.apache.qpid.test.utils.UnitTestBase;
public class OAuth2AuthenticationProviderImplTest extends UnitTestBase
{
+ @ClassRule
+ public static final TlsResource TLS_RESOURCE = new TlsResource();
+
static final String UTF8 = StandardCharsets.UTF_8.name();
private static final String TEST_ENDPOINT_HOST = "localhost";
@@ -90,7 +96,10 @@
@Before
public void setUp() throws Exception
{
- _server = new OAuth2MockEndpointHolder();
+ Path keyStore = TLS_RESOURCE.createSelfSignedKeyStore("CN=foo");
+ _server = new OAuth2MockEndpointHolder(keyStore.toFile().getAbsolutePath(),
+ TLS_RESOURCE.getSecret(),
+ TLS_RESOURCE.getKeyStoreType());
_server.start();
Broker broker = BrokerTestHelper.createBrokerMock();
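Review bot: The generated server certificate has subject `CN=foo` while the endpoint host is `TEST_ENDPOINT_HOST = "localhost"`, so the name in the certificate does not match the host the provider connects to. If the code under test performs host name verification this setup would fail, so presumably the test trusts the generated certificate directly and host name checks do not apply; a comment on the `createSelfSignedKeyStore("CN=foo")` line stating that (e.g. `// subject deliberately unrelated to the endpoint host: the test does not rely on host name verification — confirm`) would make the intent explicit. `keyStore.toFile().getAbsolutePath()` can be written as `keyStore.toAbsolutePath().toString()` without the `File` detour. `setUp` continues past the end of this hunk.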
diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2MockEndpointHolder.java b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2MockEndpointHolder.java
index 0dc987a..636def9 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2MockEndpointHolder.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2MockEndpointHolder.java
@@ -36,7 +36,6 @@
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import junit.framework.TestCase;
-import org.apache.qpid.test.utils.TestSSLConstants;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
@@ -53,12 +52,15 @@
private final ServerConnector _connector;
private volatile Map<String, OAuth2MockEndpoint> _endpoints;
- OAuth2MockEndpointHolder() throws IOException
+ OAuth2MockEndpointHolder(final String keyStorePath, final String keyStorePassword, final String keyStoreType) throws IOException
{
- this(Collections.<String, OAuth2MockEndpoint>emptyMap());
+ this(Collections.emptyMap(), keyStorePath, keyStorePassword, keyStoreType);
}
- OAuth2MockEndpointHolder(final Map<String, OAuth2MockEndpoint> endpoints) throws IOException
+ private OAuth2MockEndpointHolder(final Map<String, OAuth2MockEndpoint> endpoints,
+ final String keyStorePath,
+ final String keyStorePassword,
+ final String keyStoreType) throws IOException
{
_endpoints = endpoints;
final List<String> protocolWhiteList =
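Review bot: The package-private constructor now takes three positional `String` parameters (path, password, type) whose order is easy to swap at a call site; a Javadoc of the form `@param keyStorePath file system path of the key store holding the endpoint's server key; @param keyStorePassword its password; @param keyStoreType the key store type as understood by {@code KeyStore.getInstance}` would pin the order, and `Objects.requireNonNull` on each would turn a missing value into an immediate failure rather than a Jetty start-up error. The four-argument constructor became `private` and, within this hunk, is only invoked with `Collections.emptyMap()`; unless another caller exists elsewhere in the file, the `endpoints` parameter could be dropped and `_endpoints` initialised directly. Both constructor bodies continue past the end of the hunk.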
@@ -85,9 +87,9 @@
SSLUtil.updateEnabledTlsProtocols(sslEngine, protocolWhiteList, protocolBlackList);
}
};
- sslContextFactory.setKeyStorePassword(TestSSLConstants.PASSWORD);
- sslContextFactory.setKeyStoreResource(Resource.newResource(TestSSLConstants.TEST_KEYSTORE));
- sslContextFactory.setKeyStoreType(TestSSLConstants.JAVA_KEYSTORE_TYPE);
+ sslContextFactory.setKeyStorePassword(keyStorePassword);
+ sslContextFactory.setKeyStoreResource(Resource.newResource(keyStorePath));
+ sslContextFactory.setKeyStoreType(keyStoreType);
// override default jetty excludes as valid IBM JDK are excluded
// causing SSL handshake failure (due to default exclude '^SSL_.*$')
diff --git a/broker-core/src/test/java/org/apache/qpid/server/ssl/TrustManagerTest.java b/broker-core/src/test/java/org/apache/qpid/server/ssl/TrustManagerTest.java
index 191d7cf..4c493d0 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/ssl/TrustManagerTest.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/ssl/TrustManagerTest.java
@@ -18,84 +18,74 @@
package org.apache.qpid.server.ssl;
-import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.fail;
+import java.security.KeyPair;
import java.security.KeyStore;
-import java.security.KeyStoreException;
-import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
-import java.util.Arrays;
-import java.util.Enumeration;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
+import org.junit.BeforeClass;
import org.junit.Test;
import org.apache.qpid.server.transport.network.security.ssl.QpidMultipleTrustManager;
import org.apache.qpid.server.transport.network.security.ssl.QpidPeersOnlyTrustManager;
-import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
-import org.apache.qpid.test.utils.TestSSLConstants;
import org.apache.qpid.test.utils.UnitTestBase;
+import org.apache.qpid.test.utils.tls.CertificateEntry;
+import org.apache.qpid.test.utils.tls.KeyCertificatePair;
+import org.apache.qpid.test.utils.tls.TlsResourceBuilder;
+import org.apache.qpid.test.utils.tls.TlsResourceHelper;
public class TrustManagerTest extends UnitTestBase
{
private static final String DEFAULT_TRUST_MANAGER_ALGORITHM = TrustManagerFactory.getDefaultAlgorithm();
- // retrieves the client certificate's chain from store and returns it as an array
- private X509Certificate[] getClientChain(final String storePath, final String alias) throws Exception
+ private static final String TEST_ALIAS = "test";
+ private static final String DN_CA = "CN=MyRootCA,O=ACME,ST=Ontario,C=CA";
+ private static final String DN_APP1 = "CN=app1@acme.org,OU=art,O=acme,L=Toronto,ST=ON,C=CA";
+ private static final String DN_APP2 = "CN=app2@acme.org,OU=art,O=acme,L=Toronto,ST=ON,C=CA";
+ private static final String DN_UNTRUSTED = "CN=untrusted_client";
+
+ private static X509Certificate _ca;
+ private static X509Certificate _app1;
+ private static X509Certificate _app2;
+ private static X509Certificate _untrusted;
+
+ @BeforeClass
+ public static void setUp() throws Exception
{
- final KeyStore ks = SSLUtil.getInitializedKeyStore(storePath, TestSSLConstants.PASSWORD, TestSSLConstants.JAVA_KEYSTORE_TYPE);
- final Certificate[] chain = ks.getCertificateChain(alias);
- return Arrays.copyOf(chain, chain.length, X509Certificate[].class);
+ final KeyCertificatePair caPair = TlsResourceBuilder.createKeyPairAndRootCA(DN_CA);
+ final KeyPair keyPair1 = TlsResourceBuilder.createRSAKeyPair();
+ final KeyPair keyPair2 = TlsResourceBuilder.createRSAKeyPair();
+ final KeyCertificatePair untrustedKeyCertPair = TlsResourceBuilder.createSelfSigned(DN_UNTRUSTED);
+
+ _ca = caPair.getCertificate();
+ _app1 = TlsResourceBuilder.createCertificateForClientAuthorization(keyPair1, caPair, DN_APP1);
+ _app2 = TlsResourceBuilder.createCertificateForClientAuthorization(keyPair2, caPair, DN_APP2);
+ _untrusted = untrustedKeyCertPair.getCertificate();
}
- // verifies that peer store is loaded only with client's (peer's) app1 certificate (no CA)
- private void noCAinPeerStore(final KeyStore ps) throws KeyStoreException
- {
- final Enumeration<String> aliases = ps.aliases();
- while (aliases.hasMoreElements())
- {
- final String alias = aliases.nextElement();
- if (!alias.equalsIgnoreCase(TestSSLConstants.CERT_ALIAS_APP1))
- {
- fail("Broker's peer store contains other certificate than client's app1 public key");
- }
- }
- }
/**
* Tests that the QpidPeersOnlyTrustManager gives the expected behaviour when loaded separately
- * with the broker peerstore and truststore.
+ * with the peer certificate and CA root certificate.
*/
@Test
public void testQpidPeersOnlyTrustManager() throws Exception
{
- // first let's check that peer manager loaded with the PEERstore succeeds
- final KeyStore ps = SSLUtil.getInitializedKeyStore(TestSSLConstants.BROKER_PEERSTORE, TestSSLConstants.PASSWORD, TestSSLConstants.JAVA_KEYSTORE_TYPE);
- this.noCAinPeerStore(ps);
- final TrustManagerFactory pmf = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM);
- pmf.init(ps);
- final TrustManager[] delegatePeerManagers = pmf.getTrustManagers();
-
- X509TrustManager peerManager = null;
- for (final TrustManager tm : delegatePeerManagers)
- {
- if (tm instanceof X509TrustManager)
- {
- // peer manager is supposed to trust only clients which peers certificates
- // are directly in the store. CA signing will not be considered.
- peerManager = new QpidPeersOnlyTrustManager(ps, (X509TrustManager) tm);
- }
- }
+ // peer manager is supposed to trust only clients which peers certificates
+ // are directly in the store. CA signing will not be considered.
+ X509TrustManager peerManager = createPeerManager(_app1);
try
{
- // since broker's peerstore contains the client's app1 certificate, the check should succeed
- peerManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE, TestSSLConstants.CERT_ALIAS_APP1), "RSA");
+ // since peer manager contains the client's app1 certificate, the check should succeed
+ peerManager.checkClientTrusted(new X509Certificate[]{_app1, _ca }, "RSA");
}
catch (CertificateException e)
{
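Review bot: `setUp` builds the four certificates every test in this class depends on but says nothing about how they relate, which the assertions below (`{_app1, _ca}` chains accepted, `{_untrusted}` rejected) rely on. A Javadoc such as `/** Generates a root CA, two client certificates issued under it (app1, app2) and an unrelated self-signed certificate (untrusted); the trust and peer stores in the tests below are built from these. */` would let a reader follow the test matrix without opening `TlsResourceBuilder` (the "issued under it" part is inferred from the builder method names and the chains used, so confirm it). The fields are now static and mutable; a comment that they are written once in `@BeforeClass` and treated as read-only afterwards would document that contract.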
@@ -104,8 +94,8 @@
try
{
- // since broker's peerstore does not contain the client's app2 certificate, the check should fail
- peerManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE, TestSSLConstants.CERT_ALIAS_APP2), "RSA");
+ // since peer manager does not contain the client's app2 certificate, the check should fail
+ peerManager.checkClientTrusted(new X509Certificate[]{_app2, _ca }, "RSA");
fail("Untrusted client's validation against the broker's peer store manager succeeded.");
}
catch (CertificateException e)
@@ -113,30 +103,16 @@
//expected
}
- // now let's check that peer manager loaded with the brokers TRUSTstore fails because
+ // now let's check that peer manager loaded with the CA certificate fails because
// it does not have the clients certificate in it (though it does have a CA-cert that
// would otherwise trust the client cert when using the regular trust manager).
- final KeyStore ts = SSLUtil.getInitializedKeyStore(TestSSLConstants.BROKER_TRUSTSTORE, TestSSLConstants.PASSWORD, TestSSLConstants.JAVA_KEYSTORE_TYPE);
- final TrustManagerFactory tmf = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM);
- tmf.init(ts);
- final TrustManager[] delegateTrustManagers = tmf.getTrustManagers();
-
- peerManager = null;
- for (final TrustManager tm : delegateTrustManagers)
- {
- if (tm instanceof X509TrustManager)
- {
- // peer manager is supposed to trust only clients which peers certificates
- // are directly in the store. CA signing will not be considered.
- peerManager = new QpidPeersOnlyTrustManager(ts, (X509TrustManager) tm);
- }
- }
+ peerManager = createPeerManager(_ca);
try
{
- // since broker's truststore doesn't contain the client's app1 certificate, the check should fail
+ // since trust manager doesn't contain the client's app1 certificate, the check should fail
// despite the fact that the truststore does have a CA that would otherwise trust the cert
- peerManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE, TestSSLConstants.CERT_ALIAS_APP1), "RSA");
+ peerManager.checkClientTrusted(new X509Certificate[]{_app1, _ca }, "RSA");
fail("Client's validation against the broker's peer store manager didn't fail.");
}
catch (CertificateException e)
@@ -146,9 +122,9 @@
try
{
- // since broker's truststore doesn't contain the client's app2 certificate, the check should fail
+ // since trust manager doesn't contain the client's app2 certificate, the check should fail
// despite the fact that the truststore does have a CA that would otherwise trust the cert
- peerManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE, TestSSLConstants.CERT_ALIAS_APP2), "RSA");
+ peerManager.checkClientTrusted(new X509Certificate[]{_app2, _ca }, "RSA");
fail("Client's validation against the broker's peer store manager didn't fail.");
}
catch (CertificateException e)
@@ -159,32 +135,21 @@
/**
* Tests that the QpidMultipleTrustManager gives the expected behaviour when wrapping a
- * regular TrustManager against the broker truststore.
+ * regular CA root certificate.
*/
@Test
public void testQpidMultipleTrustManagerWithRegularTrustStore() throws Exception
{
final QpidMultipleTrustManager mulTrustManager = new QpidMultipleTrustManager();
- final KeyStore ts = SSLUtil.getInitializedKeyStore(TestSSLConstants.BROKER_TRUSTSTORE, TestSSLConstants.PASSWORD, TestSSLConstants.JAVA_KEYSTORE_TYPE);
- final TrustManagerFactory tmf = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM);
- tmf.init(ts);
- final TrustManager[] delegateTrustManagers = tmf.getTrustManagers();
- boolean trustManagerAdded = false;
- for (final TrustManager tm : delegateTrustManagers)
- {
- if (tm instanceof X509TrustManager)
- {
- // add broker's trust manager
- mulTrustManager.addTrustManager((X509TrustManager) tm);
- trustManagerAdded = true;
- }
- }
- assertTrue("The regular trust manager for the trust store was not added", trustManagerAdded);
+ final X509TrustManager tm = createTrustManager(_ca);
+ assertNotNull("The regular trust manager for the trust store was not found", tm);
+
+ mulTrustManager.addTrustManager(tm);
try
{
// verify the CA-trusted app1 cert (should succeed)
- mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE, TestSSLConstants.CERT_ALIAS_APP1), "RSA");
+ mulTrustManager.checkClientTrusted(new X509Certificate[]{_app1, _ca }, "RSA");
}
catch (CertificateException ex)
{
@@ -194,7 +159,7 @@
try
{
// verify the CA-trusted app2 cert (should succeed)
- mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE, TestSSLConstants.CERT_ALIAS_APP2), "RSA");
+ mulTrustManager.checkClientTrusted(new X509Certificate[]{_app2, _ca }, "RSA");
}
catch (CertificateException ex)
{
@@ -204,8 +169,7 @@
try
{
// verify the untrusted cert (should fail)
- mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_UNTRUSTED_KEYSTORE,
- TestSSLConstants.CERT_ALIAS_UNTRUSTED_CLIENT), "RSA");
+ mulTrustManager.checkClientTrusted(new X509Certificate[]{_untrusted}, "RSA");
fail("Untrusted client's validation against the broker's multi store manager unexpectedly passed.");
}
catch (CertificateException ex)
@@ -216,33 +180,21 @@
/**
* Tests that the QpidMultipleTrustManager gives the expected behaviour when wrapping a
- * QpidPeersOnlyTrustManager against the broker peerstore.
+ * QpidPeersOnlyTrustManager against the peer certificate
*/
@Test
public void testQpidMultipleTrustManagerWithPeerStore() throws Exception
{
final QpidMultipleTrustManager mulTrustManager = new QpidMultipleTrustManager();
- final KeyStore ps = SSLUtil.getInitializedKeyStore(TestSSLConstants.BROKER_PEERSTORE, TestSSLConstants.PASSWORD, TestSSLConstants.JAVA_KEYSTORE_TYPE);
- final TrustManagerFactory pmf = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM);
- pmf.init(ps);
- final TrustManager[] delegatePeerManagers = pmf.getTrustManagers();
- boolean peerManagerAdded = false;
- for (final TrustManager tm : delegatePeerManagers)
- {
- if (tm instanceof X509TrustManager)
- {
- // add broker's peer manager
- mulTrustManager.addTrustManager(new QpidPeersOnlyTrustManager(ps, (X509TrustManager) tm));
- peerManagerAdded = true;
- }
- }
- assertTrue("The QpidPeersOnlyTrustManager for the peerstore was not added", peerManagerAdded);
+ final KeyStore ps = createKeyStore(_app1);
+ final X509TrustManager tm = getX509TrustManager(ps);
+ assertNotNull("The regular trust manager for the trust store was not found", tm);
+ mulTrustManager.addTrustManager(new QpidPeersOnlyTrustManager(ps, tm));
try
{
// verify the trusted app1 cert (should succeed as the key is in the peerstore)
- mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE,
- TestSSLConstants.CERT_ALIAS_APP1), "RSA");
+ mulTrustManager.checkClientTrusted(new X509Certificate[]{_app1, _ca }, "RSA");
}
catch (CertificateException ex)
{
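Review bot: The three lines `final KeyStore ps = createKeyStore(_app1);`, `final X509TrustManager tm = getX509TrustManager(ps);` and `new QpidPeersOnlyTrustManager(ps, tm)` re-implement the `createPeerManager` helper this commit adds; `mulTrustManager.addTrustManager(createPeerManager(_app1));` would do the same and keep the store and the delegate visibly tied to one certificate. The same shape recurs in `@@ -276,50 +226,28 @@`. The `assertNotNull` on `tm` would then be dropped, which is fine if the helper itself fails loudly when no X.509 trust manager is found.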
@@ -252,8 +204,7 @@
try
{
// verify the untrusted app2 cert (should fail as the key is not in the peerstore)
- mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE,
- TestSSLConstants.CERT_ALIAS_APP2), "RSA");
+ mulTrustManager.checkClientTrusted(new X509Certificate[]{_app2, _ca }, "RSA");
fail("Untrusted client's validation against the broker's multi store manager unexpectedly passed.");
}
catch (CertificateException ex)
@@ -264,8 +215,7 @@
try
{
// verify the untrusted cert (should fail as the key is not in the peerstore)
- mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_UNTRUSTED_KEYSTORE,
- TestSSLConstants.CERT_ALIAS_UNTRUSTED_CLIENT), "RSA");
+ mulTrustManager.checkClientTrusted(new X509Certificate[]{_untrusted }, "RSA");
fail("Untrusted client's validation against the broker's multi store manager unexpectedly passed.");
}
catch (CertificateException ex)
@@ -276,50 +226,28 @@
/**
* Tests that the QpidMultipleTrustManager gives the expected behaviour when wrapping a
- * QpidPeersOnlyTrustManager against the broker peerstore, a regular TrustManager
- * against the broker truststore.
+ * QpidPeersOnlyTrustManager against the peer certificate, a regular TrustManager
+ * against the CA root certificate.
*/
@Test
public void testQpidMultipleTrustManagerWithTrustAndPeerStores() throws Exception
{
final QpidMultipleTrustManager mulTrustManager = new QpidMultipleTrustManager();
- final KeyStore ts = SSLUtil.getInitializedKeyStore(TestSSLConstants.BROKER_TRUSTSTORE, TestSSLConstants.PASSWORD, TestSSLConstants.JAVA_KEYSTORE_TYPE);
- final TrustManagerFactory tmf = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM);
- tmf.init(ts);
- final TrustManager[] delegateTrustManagers = tmf.getTrustManagers();
- boolean trustManagerAdded = false;
- for (final TrustManager tm : delegateTrustManagers)
- {
- if (tm instanceof X509TrustManager)
- {
- // add broker's trust manager
- mulTrustManager.addTrustManager((X509TrustManager) tm);
- trustManagerAdded = true;
- }
- }
- assertTrue("The regular trust manager for the trust store was not added", trustManagerAdded);
+ final KeyStore ts = createKeyStore(_ca);
+ final X509TrustManager tm = getX509TrustManager(ts);
+ assertNotNull("The regular trust manager for the trust store was not found", tm);
- final KeyStore ps = SSLUtil.getInitializedKeyStore(TestSSLConstants.BROKER_PEERSTORE, TestSSLConstants.PASSWORD, TestSSLConstants.JAVA_KEYSTORE_TYPE);
- final TrustManagerFactory pmf = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM);
- pmf.init(ps);
- final TrustManager[] delegatePeerManagers = pmf.getTrustManagers();
- boolean peerManagerAdded = false;
- for (final TrustManager tm : delegatePeerManagers)
- {
- if (tm instanceof X509TrustManager)
- {
- // add broker's peer manager
- mulTrustManager.addTrustManager(new QpidPeersOnlyTrustManager(ps, (X509TrustManager) tm));
- peerManagerAdded = true;
- }
- }
- assertTrue("The QpidPeersOnlyTrustManager for the peerstore was not added", peerManagerAdded);
+ mulTrustManager.addTrustManager(tm);
+
+ final KeyStore ps = createKeyStore(_app1);
+ final X509TrustManager tm2 = getX509TrustManager(ts);
+ assertNotNull("The regular trust manager for the peer store was not found", tm2);
+ mulTrustManager.addTrustManager(new QpidPeersOnlyTrustManager(ps, tm2));
try
{
// verify the CA-trusted app1 cert (should succeed)
- mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE,
- TestSSLConstants.CERT_ALIAS_APP1), "RSA");
+ mulTrustManager.checkClientTrusted(new X509Certificate[]{_app1, _ca }, "RSA");
}
catch (CertificateException ex)
{
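Review bot: `final X509TrustManager tm2 = getX509TrustManager(ts);` initialises the delegate of the peers-only manager from the CA store `ts` rather than from the peer store `ps` that it wraps on the next line; the removed code used `pmf.init(ps)` for this delegate, so the test no longer exercises the configuration its Javadoc describes (a peers-only manager backed by the peer store). The fix is `final X509TrustManager tm2 = getX509TrustManager(ps);`, or simply `mulTrustManager.addTrustManager(createPeerManager(_app1));`. The test still passes because the multiple trust manager also holds the regular CA trust manager, which is exactly why the mismatch is easy to miss.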
@@ -329,8 +257,7 @@
try
{
// verify the CA-trusted app2 cert (should succeed)
- mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE,
- TestSSLConstants.CERT_ALIAS_APP2), "RSA");
+ mulTrustManager.checkClientTrusted(new X509Certificate[]{_app2, _ca }, "RSA");
}
catch (CertificateException ex)
{
@@ -340,8 +267,7 @@
try
{
// verify the untrusted cert (should fail)
- mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_UNTRUSTED_KEYSTORE,
- TestSSLConstants.CERT_ALIAS_UNTRUSTED_CLIENT), "RSA");
+ mulTrustManager.checkClientTrusted(new X509Certificate[]{_untrusted }, "RSA");
fail("Untrusted client's validation against the broker's multi store manager unexpectedly passed.");
}
catch (CertificateException ex)
@@ -349,4 +275,40 @@
// expected
}
}
+
+ private KeyStore createKeyStore(X509Certificate certificate)
+ throws Exception
+ {
+ return TlsResourceHelper.createKeyStore(KeyStore.getDefaultType(),
+ new char[]{},
+ new CertificateEntry(TEST_ALIAS, certificate));
+ }
+
+ private X509TrustManager createTrustManager(final X509Certificate certificate) throws Exception
+ {
+ return getX509TrustManager(createKeyStore(certificate));
+ }
+
+ private X509TrustManager getX509TrustManager(final KeyStore ps) throws Exception
+ {
+ final TrustManagerFactory pmf = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM);
+ pmf.init(ps);
+ final TrustManager[] delegateTrustManagers = pmf.getTrustManagers();
+ X509TrustManager trustManager = null;
+ for (final TrustManager tm : delegateTrustManagers)
+ {
+ if (tm instanceof X509TrustManager)
+ {
+ trustManager = (X509TrustManager) tm;
+ }
+ }
+ return trustManager;
+ }
+
+ private X509TrustManager createPeerManager(final X509Certificate certificate) throws Exception
+ {
+ final KeyStore ps = createKeyStore(certificate);
+ final X509TrustManager tm = createTrustManager(certificate);
+ return new QpidPeersOnlyTrustManager(ps, tm);
+ }
}
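Review bot: `createPeerManager` builds the same keystore twice, once directly via `createKeyStore(certificate)` and once more inside `createTrustManager(certificate)`, so the peers-only manager and its delegate are backed by two distinct KeyStore objects holding the same entry. Reusing the one already created reads more clearly and avoids the double work: `final X509TrustManager tm = getX509TrustManager(ps);`. Separately, the loop in `getX509TrustManager` keeps overwriting `trustManager` without a `break`, so with several X509TrustManager instances the last one wins and with none the method returns null; a `break;` after the assignment, plus a Javadoc line stating that null is returned when the factory yields no X509TrustManager, would make the contract the callers' `assertNotNull` relies on explicit.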
diff --git a/broker-core/src/test/java/org/apache/qpid/server/transport/SNITest.java b/broker-core/src/test/java/org/apache/qpid/server/transport/SNITest.java
index 8039e5a..6a08ee4 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/transport/SNITest.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/transport/SNITest.java
@@ -23,11 +23,9 @@
import static org.junit.Assert.assertEquals;
import java.io.File;
-import java.io.FileOutputStream;
import java.net.InetSocketAddress;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
-import java.time.Duration;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Collections;
@@ -46,6 +44,7 @@
import com.fasterxml.jackson.databind.ObjectMapper;
import org.junit.After;
import org.junit.Before;
+import org.junit.ClassRule;
import org.junit.Test;
import org.apache.qpid.server.SystemLauncher;
@@ -62,19 +61,26 @@
import org.apache.qpid.server.security.FileKeyStore;
import org.apache.qpid.server.security.auth.manager.AnonymousAuthenticationManager;
import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
-import org.apache.qpid.server.transport.network.security.ssl.SSLUtil.KeyCertPair;
import org.apache.qpid.test.utils.TestFileUtils;
import org.apache.qpid.test.utils.UnitTestBase;
+import org.apache.qpid.test.utils.tls.AltNameType;
+import org.apache.qpid.test.utils.tls.AlternativeName;
+import org.apache.qpid.test.utils.tls.KeyCertificatePair;
+import org.apache.qpid.test.utils.tls.PrivateKeyEntry;
+import org.apache.qpid.test.utils.tls.TlsResource;
+import org.apache.qpid.test.utils.tls.TlsResourceBuilder;
public class SNITest extends UnitTestBase
{
+ @ClassRule
+ public static final TlsResource TLS_RESOURCE = new TlsResource();
+
private static final int SOCKET_TIMEOUT = 10000;
- private static final String KEYSTORE_PASSWORD = "password";
private File _keyStoreFile;
- private KeyCertPair _fooValid;
- private KeyCertPair _fooInvalid;
- private KeyCertPair _barInvalid;
+ private KeyCertificatePair _fooValid;
+ private KeyCertificatePair _fooInvalid;
+ private KeyCertificatePair _barInvalid;
private SystemLauncher _systemLauncher;
private Broker<?> _broker;
private int _boundPort;
@@ -83,85 +89,47 @@
@Before
public void setUp() throws Exception
{
- if(SSLUtil.canGenerateCerts())
- {
+ final Instant yesterday = Instant.now().minus(1, ChronoUnit.DAYS);
+ final Instant inOneHour = Instant.now().plus(1, ChronoUnit.HOURS);
+ _fooValid = TlsResourceBuilder.createSelfSigned("CN=foo",
+ yesterday,
+ yesterday.plus(365, ChronoUnit.DAYS));
+ _fooInvalid = TlsResourceBuilder.createSelfSigned("CN=foo",
+ inOneHour,
+ inOneHour.plus(365, ChronoUnit.DAYS));
- _fooValid = SSLUtil.generateSelfSignedCertificate("RSA",
- "SHA256WithRSA",
- 2048,
- Instant.now().minus(1, ChronoUnit.DAYS).toEpochMilli(),
- Duration.of(365, ChronoUnit.DAYS).getSeconds(),
- "CN=foo",
- Collections.emptySet(),
- Collections.emptySet());
- _fooInvalid = SSLUtil.generateSelfSignedCertificate("RSA",
- "SHA256WithRSA",
- 2048,
- Instant.now().plus(1, ChronoUnit.HOURS).toEpochMilli(),
- Duration.of(365, ChronoUnit.DAYS).getSeconds(),
- "CN=foo",
- Collections.emptySet(),
- Collections.emptySet());
+ _barInvalid = TlsResourceBuilder.createSelfSigned("CN=Qpid",
+ inOneHour,
+ inOneHour.plus(365, ChronoUnit.DAYS),
+ new AlternativeName(
+ AltNameType.DNS_NAME, "bar"));
- _barInvalid = SSLUtil.generateSelfSignedCertificate("RSA",
- "SHA256WithRSA",
- 2048,
- Instant.now().plus(1, ChronoUnit.HOURS).toEpochMilli(),
- Duration.of(365, ChronoUnit.DAYS).getSeconds(),
- "CN=Qpid",
- Collections.singleton("bar"),
- Collections.emptySet());
- java.security.KeyStore inMemoryKeyStore =
- java.security.KeyStore.getInstance(java.security.KeyStore.getDefaultType());
- inMemoryKeyStore.load(null, KEYSTORE_PASSWORD.toCharArray());
- inMemoryKeyStore.setKeyEntry("foovalid",
- _fooValid.getPrivateKey(),
- KEYSTORE_PASSWORD.toCharArray(),
- new X509Certificate[]{_fooValid.getCertificate()});
- inMemoryKeyStore.setKeyEntry("fooinvalid",
- _fooInvalid.getPrivateKey(),
- KEYSTORE_PASSWORD.toCharArray(),
- new X509Certificate[]{_fooInvalid.getCertificate()});
-
- inMemoryKeyStore.setKeyEntry("barinvalid",
- _barInvalid.getPrivateKey(),
- KEYSTORE_PASSWORD.toCharArray(),
- new X509Certificate[]{_barInvalid.getCertificate()});
-
- _keyStoreFile = File.createTempFile("keyStore", "jks");
- try (FileOutputStream os = new FileOutputStream(_keyStoreFile))
- {
- inMemoryKeyStore.store(os, KEYSTORE_PASSWORD.toCharArray());
- }
- }
+ _keyStoreFile = TLS_RESOURCE.createKeyStore(new PrivateKeyEntry("foovalid",
+ _fooValid.getPrivateKey(),
+ _fooValid.getCertificate()),
+ new PrivateKeyEntry("fooinvalid",
+ _fooInvalid.getPrivateKey(),
+ _fooInvalid.getCertificate()),
+ new PrivateKeyEntry("barinvalid",
+ _barInvalid.getPrivateKey(),
+ _barInvalid.getCertificate())).toFile();
}
@After
public void tearDown() throws Exception
{
- try
+ if (_systemLauncher != null)
{
- if (_systemLauncher != null)
- {
- _systemLauncher.shutdown();
- }
-
- if (_brokerWork != null)
- {
- _brokerWork.delete();
- }
- if (_keyStoreFile != null)
- {
- _keyStoreFile.delete();
- }
- }
- finally
- {
+ _systemLauncher.shutdown();
}
+ if (_brokerWork != null)
+ {
+ _brokerWork.delete();
+ }
}
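Review bot: `tearDown` no longer deletes `_keyStoreFile`, while `setUp` still creates a fresh keystore file per test through the class-scoped `TLS_RESOURCE`, so each test's keystore (with its private keys) now stays on disk until the ClassRule's after() runs rather than being removed per test. Presumably `TlsResource` removes its directory at that point, but that code is not visible here, and if it does not the keystores are left behind entirely. Keeping the previous per-test behaviour costs one line in the existing `@After`: `if (_keyStoreFile != null) { Files.deleteIfExists(_keyStoreFile.toPath()); }`.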
@Test
@@ -192,10 +160,8 @@
private void performTest(final boolean useMatching,
final String defaultAlias,
final String sniHostName,
- final KeyCertPair expectedCert) throws Exception
+ final KeyCertificatePair expectedCert) throws Exception
{
- if (SSLUtil.canGenerateCerts())
- {
doBrokerStartup(useMatching, defaultAlias);
SSLContext context = SSLUtil.tryGetSSLContext();
context.init(null,
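Review bot: Removing the `if (SSLUtil.canGenerateCerts())` wrapper leaves the body of `performTest` at its old, deeper indentation, since the surviving lines (`doBrokerStartup(...)`, `SSLContext context = ...`) are unchanged context and only the braces were dropped; the same applies to the closing brace removed in the next hunk. The body should be re-indented one level so it matches the rest of the class. The method continues past this hunk.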
@@ -238,7 +204,6 @@
assertEquals((long) 1, (long) certs.length);
assertEquals(expectedCert.getCertificate(), certs[0]);
}
- }
}
private void doBrokerStartup(boolean useMatching, String defaultAlias) throws Exception
@@ -272,7 +237,7 @@
Map<String, Object> keyStoreAttr = new HashMap<>();
keyStoreAttr.put(FileKeyStore.NAME, "myKeyStore");
keyStoreAttr.put(FileKeyStore.STORE_URL, _keyStoreFile.toURI().toURL().toString());
- keyStoreAttr.put(FileKeyStore.PASSWORD, KEYSTORE_PASSWORD);
+ keyStoreAttr.put(FileKeyStore.PASSWORD, TLS_RESOURCE.getSecret());
keyStoreAttr.put(FileKeyStore.USE_HOST_NAME_MATCHING, useMatching);
keyStoreAttr.put(FileKeyStore.CERTIFICATE_ALIAS, defaultAlias);
diff --git a/pom.xml b/pom.xml
index def3997..4f8aa0e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -154,6 +154,8 @@
<h2.version>1.4.199</h2.version>
<apache-directory-version>2.0.0-M23</apache-directory-version>
<kerby-version>1.0.1</kerby-version>
+ <bcprov-version>1.64</bcprov-version>
+ <bcpkix-version>1.64</bcpkix-version>
</properties>
<modules>
@@ -726,23 +728,85 @@
<artifactId>maven-resolver-transport-http</artifactId>
<version>${maven-resolver-version}</version>
</dependency>
- <!-- apacheds test dependency -->
+
+ <!-- apacheds test dependencies -->
<dependency>
<groupId>org.apache.directory.server</groupId>
- <artifactId>apacheds-all</artifactId>
+ <artifactId>apacheds-core</artifactId>
<version>${apache-directory-version}</version>
<scope>test</scope>
- <exclusions>
- <exclusion>
- <groupId>org.apache.directory.shared</groupId>
- <artifactId>shared-ldap-schema</artifactId>
- </exclusion>
- <exclusion>
- <groupId>org.apache.directory.api</groupId>
- <artifactId>api-ldap-schema-data</artifactId>
- </exclusion>
- </exclusions>
</dependency>
+
+ <dependency>
+ <groupId>org.apache.directory.server</groupId>
+ <artifactId>apacheds-core-annotations</artifactId>
+ <version>${apache-directory-version}</version>
+ <scope>test</scope>
+ </dependency>
+
+ <dependency>
+ <groupId>org.apache.directory.server</groupId>
+ <artifactId>apacheds-core-api</artifactId>
+ <version>${apache-directory-version}</version>
+ <scope>test</scope>
+ </dependency>
+
+ <dependency>
+ <groupId>org.apache.directory.server</groupId>
+ <artifactId>apacheds-interceptor-kerberos</artifactId>
+ <version>${apache-directory-version}</version>
+ <scope>test</scope>
+ </dependency>
+
+ <dependency>
+ <groupId>org.apache.directory.server</groupId>
+ <artifactId>apacheds-kerberos-codec</artifactId>
+ <version>${apache-directory-version}</version>
+ <scope>test</scope>
+ </dependency>
+
+ <dependency>
+ <groupId>org.apache.directory.server</groupId>
+ <artifactId>apacheds-protocol-kerberos</artifactId>
+ <version>${apache-directory-version}</version>
+ <scope>test</scope>
+ </dependency>
+
+ <dependency>
+ <groupId>org.apache.directory.server</groupId>
+ <artifactId>apacheds-protocol-ldap</artifactId>
+ <version>${apache-directory-version}</version>
+ <scope>test</scope>
+ </dependency>
+
+ <dependency>
+ <groupId>org.apache.directory.server</groupId>
+ <artifactId>apacheds-protocol-shared</artifactId>
+ <version>${apache-directory-version}</version>
+ <scope>test</scope>
+ </dependency>
+
+ <dependency>
+ <groupId>org.apache.directory.server</groupId>
+ <artifactId>apacheds-server-annotations</artifactId>
+ <version>${apache-directory-version}</version>
+ <scope>test</scope>
+ </dependency>
+
+ <dependency>
+ <groupId>org.apache.directory.server</groupId>
+ <artifactId>apacheds-server-config</artifactId>
+ <version>${apache-directory-version}</version>
+ <scope>test</scope>
+ </dependency>
+
+ <dependency>
+ <groupId>org.apache.directory.server</groupId>
+ <artifactId>apacheds-test-framework</artifactId>
+ <version>${apache-directory-version}</version>
+ <scope>test</scope>
+ </dependency>
+
<!-- kerby test dependency -->
<dependency>
<groupId>org.apache.kerby</groupId>
@@ -750,6 +814,18 @@
<scope>test</scope>
<version>${kerby-version}</version>
</dependency>
+
+ <dependency>
+ <groupId>org.bouncycastle</groupId>
+ <artifactId>bcprov-jdk15on</artifactId>
+ <version>${bcprov-version}</version>
+ </dependency>
+
+ <dependency>
+ <groupId>org.bouncycastle</groupId>
+ <artifactId>bcpkix-jdk15on</artifactId>
+ <version>${bcpkix-version}</version>
+ </dependency>
</dependencies>
</dependencyManagement>
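Review bot: The two BouncyCastle entries (`bcprov-jdk15on`, `bcpkix-jdk15on`) are declared here without a `<scope>`, whereas every apacheds entry added above carries `<scope>test</scope>`. qpid-test-utils genuinely needs them at compile scope for its main sources, but with no scope in dependencyManagement any other module that later lists the artifact without one silently inherits compile scope and puts a cryptographic provider jar on the broker's runtime classpath. A comment beside the entries, e.g. `<!-- test tooling only (qpid-test-utils); must not reach the broker distribution -->`, states the intent where the next editor will see it.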
diff --git a/qpid-test-utils/pom.xml b/qpid-test-utils/pom.xml
index b06fd29..b31fca3 100644
--- a/qpid-test-utils/pom.xml
+++ b/qpid-test-utils/pom.xml
@@ -55,6 +55,16 @@
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
</dependency>
+
+ <dependency>
+ <groupId>org.bouncycastle</groupId>
+ <artifactId>bcprov-jdk15on</artifactId>
+ </dependency>
+
+ <dependency>
+ <groupId>org.bouncycastle</groupId>
+ <artifactId>bcpkix-jdk15on</artifactId>
+ </dependency>
</dependencies>
<build>
diff --git a/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/TestSSLConstants.java b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/TestSSLConstants.java
deleted file mode 100644
index 329920b..0000000
--- a/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/TestSSLConstants.java
+++ /dev/null
@@ -1,99 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.qpid.test.utils;
-
-import java.nio.file.Paths;
-
-public final class TestSSLConstants
-{
- public static final String JAVA_KEYSTORE_TYPE = "pkcs12";
- public static final String PASSWORD = "password";
- private static final String TEST_CERTIFICATES_DIRECTORY;
- static
- {
- final String testCertificatesDirectoryPrefix;
- if (System.getProperty("user.dir").contains("systests"))
- {
- testCertificatesDirectoryPrefix = Paths.get(System.getProperty("user.dir"), "..", "..").toString();
- }
- else if (System.getProperty("user.dir").contains(".."))
- {
- testCertificatesDirectoryPrefix = System.getProperty("user.dir");
- }
- else
- {
- testCertificatesDirectoryPrefix = Paths.get(System.getProperty("user.dir"), "..").toString();
- }
- TEST_CERTIFICATES_DIRECTORY =
- Paths.get(testCertificatesDirectoryPrefix,
- "qpid-test-utils", "src", "main", "resources", "ssl", "certificates").toString();
- }
- public static final String CLIENT_KEYSTORE =
- Paths.get(TEST_CERTIFICATES_DIRECTORY, "client_keystore.jks").toString();
- public static final String CLIENT_TRUSTSTORE =
- Paths.get(TEST_CERTIFICATES_DIRECTORY, "client_truststore.jks").toString();
- public static final String CLIENT_EXPIRED_KEYSTORE =
- Paths.get(TEST_CERTIFICATES_DIRECTORY, "client_expired_keystore.jks").toString();
- public static final String CLIENT_EXPIRED_CRT =
- Paths.get(TEST_CERTIFICATES_DIRECTORY, "client_expired.crt").toString();
- public static final String CLIENT_UNTRUSTED_KEYSTORE =
- Paths.get(TEST_CERTIFICATES_DIRECTORY, "client_untrusted_keystore.jks").toString();
-
- public static final String CERT_ALIAS_ROOT_CA = "rootca";
- public static final String CERT_ALIAS_APP1 = "app1";
- public static final String CERT_ALIAS_APP2 = "app2";
- public static final String CERT_ALIAS_ALLOWED = "allowed_by_ca";
- public static final String CERT_ALIAS_REVOKED = "revoked_by_ca";
- public static final String CERT_ALIAS_REVOKED_EMPTY_CRL = "revoked_by_ca_empty_crl";
- public static final String CERT_ALIAS_REVOKED_INVALID_CRL_PATH = "revoked_by_ca_invalid_crl_path";
- public static final String CERT_ALIAS_ALLOWED_WITH_INTERMEDIATE = "allowed_by_ca_with_intermediate";
- public static final String CERT_ALIAS_UNTRUSTED_CLIENT = "untrusted_client";
-
- public static final String BROKER_KEYSTORE =
- Paths.get(TEST_CERTIFICATES_DIRECTORY, "broker_keystore.jks").toString();
- public static final String BROKER_CRT =
- Paths.get(TEST_CERTIFICATES_DIRECTORY, "broker.crt").toString();
- public static final String BROKER_CSR =
- Paths.get(TEST_CERTIFICATES_DIRECTORY, "broker.csr").toString();
- public static final String BROKER_TRUSTSTORE =
- Paths.get(TEST_CERTIFICATES_DIRECTORY, "broker_truststore.jks").toString();
- public static final String BROKER_PEERSTORE =
- Paths.get(TEST_CERTIFICATES_DIRECTORY, "broker_peerstore.jks").toString();
- public static final String BROKER_EXPIRED_TRUSTSTORE =
- Paths.get(TEST_CERTIFICATES_DIRECTORY, "broker_expired_truststore.jks").toString();
- public static final String BROKER_KEYSTORE_ALIAS = "broker";
-
- public static final String TEST_EMPTY_KEYSTORE =
- Paths.get(TEST_CERTIFICATES_DIRECTORY, "test_empty_keystore.jks").toString();
- public static final String TEST_KEYSTORE =
- Paths.get(TEST_CERTIFICATES_DIRECTORY, "test_keystore.jks").toString();
- public static final String TEST_CERT_ONLY_KEYSTORE =
- Paths.get(TEST_CERTIFICATES_DIRECTORY, "test_cert_only_keystore.jks").toString();
- public static final String TEST_PK_ONLY_KEYSTORE =
- Paths.get(TEST_CERTIFICATES_DIRECTORY, "test_pk_only_keystore.jks").toString();
- public static final String TEST_SYMMETRIC_KEY_KEYSTORE =
- Paths.get(TEST_CERTIFICATES_DIRECTORY, "test_symmetric_key_keystore.jks").toString();
-
- public static final String CA_CRL_EMPTY =
- Paths.get(TEST_CERTIFICATES_DIRECTORY, "MyRootCA.empty.crl").toString();
- public static final String CA_CRL =
- Paths.get(TEST_CERTIFICATES_DIRECTORY, "MyRootCA.crl").toString();
- public static final String INTERMEDIATE_CA_CRL =
- Paths.get(TEST_CERTIFICATES_DIRECTORY, "intermediate_ca.crl").toString();
-}
diff --git a/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/TestSSLUtils.java b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/TestSSLUtils.java
deleted file mode 100644
index fedf4ca..0000000
--- a/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/TestSSLUtils.java
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.qpid.test.utils;
-
-import java.security.Key;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateEncodingException;
-import java.util.Base64;
-
-public class TestSSLUtils
-{
- public static String certificateToPEM(final Certificate pub) throws CertificateEncodingException
- {
- return toPEM(pub.getEncoded(), "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----");
- }
-
- public static String privateKeyToPEM(final Key key)
- {
- return toPEM(key.getEncoded(), "-----BEGIN PRIVATE KEY-----", "-----END PRIVATE KEY-----");
- }
-
- private static String toPEM(final byte[] bytes, final String header, final String footer)
- {
- StringBuilder pem = new StringBuilder();
- pem.append(header).append("\n");
- String base64encoded = Base64.getEncoder().encodeToString(bytes);
- while (base64encoded.length() > 76)
- {
- pem.append(base64encoded, 0, 76).append("\n");
- base64encoded = base64encoded.substring(76);
- }
- pem.append(base64encoded).append("\n");
- pem.append(footer).append("\n");
- return pem.toString();
- }
-}
diff --git a/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/AltNameType.java b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/AltNameType.java
new file mode 100644
index 0000000..8bdf490
--- /dev/null
+++ b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/AltNameType.java
@@ -0,0 +1,35 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+
+package org.apache.qpid.test.utils.tls;
+
+public enum AltNameType
+{
+ OTHER_NAME,
+ RFC822_NAME,
+ DNS_NAME,
+ X400_ADDRESS,
+ DIRECTORY_NAME,
+ EDI_PARTY_NAME,
+ UNIFORM_RESOURCE_IDENTIFIER,
+ IP_ADDRESS,
+ REGISTERED_ID
+}
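Review bot: The constants are listed in exactly the order of the RFC 5280 GeneralName CHOICE tags (otherName = 0 through registeredID = 8), which looks deliberate and suggests the builder may rely on `ordinal()` when it encodes the subjectAltName extension; the builder is not in this chunk, so that is an inference. Whether or not it does, the enum should carry a Javadoc saying so, e.g. `/** Subject alternative name types, in RFC 5280 GeneralName tag order (otherName = 0 ... registeredID = 8); do not reorder. */`, since reordering an enum that is mapped by position changes which SAN type is emitted without any compile-time signal.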
diff --git a/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/AlternativeName.java b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/AlternativeName.java
new file mode 100644
index 0000000..c7b9c47
--- /dev/null
+++ b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/AlternativeName.java
@@ -0,0 +1,52 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.test.utils.tls;
+
+public class AlternativeName
+{
+ private final AltNameType _type;
+ private final String _name;
+
+ public AlternativeName(final AltNameType type, final String name)
+ {
+ _type = type;
+ _name = name;
+ }
+
+ public AltNameType getType()
+ {
+ return _type;
+ }
+
+ public String getName()
+ {
+ return _name;
+ }
+
+ @Override
+ public String toString()
+ {
+ return "AlternativeName{" +
+ "_type=" + _type +
+ ", _name='" + _name + '\'' +
+ '}';
+ }
+}
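Review bot: The constructor stores `type` and `name` without any null check, so a null alternative name type would only surface later, inside whatever code consumes `getType()`, with a stack trace that does not point at the caller that built the bad value. Since the class is immutable and only ever constructed in test code, failing early is cheap: `_type = Objects.requireNonNull(type, "type");` and `_name = Objects.requireNonNull(name, "name");` (with `import java.util.Objects;`). A one-line Javadoc on the class, `/** A single subjectAltName entry: its GeneralName type and the value to encode for it. */`, would also help, and if instances are ever compared or used as map keys, `equals`/`hashCode` are missing alongside the provided `toString`.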
diff --git a/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/CertificateEntry.java b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/CertificateEntry.java
new file mode 100644
index 0000000..c5ac4b2
--- /dev/null
+++ b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/CertificateEntry.java
@@ -0,0 +1,54 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+
+package org.apache.qpid.test.utils.tls;
+
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.cert.Certificate;
+
+public final class CertificateEntry implements KeyStoreEntry
+{
+ private final String _alias;
+ private final Certificate _certificate;
+
+ public CertificateEntry(final String alias, final Certificate certificate)
+ {
+ _alias = alias;
+ _certificate = certificate;
+ }
+
+ String getAlias()
+ {
+ return _alias;
+ }
+
+ @Override
+ public void addEntryToKeyStore(final KeyStore keyStore, final char[] secret) throws KeyStoreException
+ {
+ keyStore.setCertificateEntry(getAlias(), getCertificate());
+ }
+
+ Certificate getCertificate()
+ {
+ return _certificate;
+ }
+}
diff --git a/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/KeyCertificatePair.java b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/KeyCertificatePair.java
new file mode 100644
index 0000000..80a847c
--- /dev/null
+++ b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/KeyCertificatePair.java
@@ -0,0 +1,46 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.test.utils.tls;
+
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+
+public class KeyCertificatePair
+{
+ private final PrivateKey _privateKey;
+ private final X509Certificate _certificate;
+
+ public KeyCertificatePair(final PrivateKey privateKey, final X509Certificate certificate)
+ {
+ _privateKey = privateKey;
+ _certificate = certificate;
+ }
+
+ public PrivateKey getPrivateKey()
+ {
+ return _privateKey;
+ }
+
+ public X509Certificate getCertificate()
+ {
+ return _certificate;
+ }
+}
diff --git a/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/KeyStoreEntry.java b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/KeyStoreEntry.java
new file mode 100644
index 0000000..f824429
--- /dev/null
+++ b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/KeyStoreEntry.java
@@ -0,0 +1,30 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+
+package org.apache.qpid.test.utils.tls;
+
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+
+public interface KeyStoreEntry
+{
+ void addEntryToKeyStore(final KeyStore keyStore, final char[] secret) throws KeyStoreException;
+}
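Review bot: `final` on the parameters of an abstract interface method has no effect on implementations (SecretKeyEntry already omits it on `secret`) and is usually left off: `void addEntryToKeyStore(KeyStore keyStore, char[] secret) throws KeyStoreException;`. The interface also needs a Javadoc stating what `secret` means, because the implementations treat it differently: PrivateKeyEntry and SecretKeyEntry pass it to `setKeyEntry` as the key-protection password, while CertificateEntry ignores it. A short `@param secret` line saying it is the password protecting key entries and is ignored for trusted-certificate entries captures that contract.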
diff --git a/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/PrivateKeyEntry.java b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/PrivateKeyEntry.java
new file mode 100644
index 0000000..46dec17
--- /dev/null
+++ b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/PrivateKeyEntry.java
@@ -0,0 +1,66 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+
+package org.apache.qpid.test.utils.tls;
+
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.PrivateKey;
+import java.security.cert.Certificate;
+
+public final class PrivateKeyEntry implements KeyStoreEntry
+{
+ private final String _alias;
+ private final PrivateKey _privateKey;
+ private final Certificate[] _certificates;
+
+ public PrivateKeyEntry(final String alias, final PrivateKey privateKey, Certificate... certificate)
+ {
+ _alias = alias;
+ _privateKey = privateKey;
+ _certificates = certificate;
+ }
+
+ String getAlias()
+ {
+ return _alias;
+ }
+
+ @Override
+ public void addEntryToKeyStore(final KeyStore keyStore, final char[] secret) throws KeyStoreException
+ {
+ keyStore.setKeyEntry(getAlias(),
+ getPrivateKey(),
+ secret,
+ getCertificates());
+ }
+
+ PrivateKey getPrivateKey()
+ {
+ return _privateKey;
+ }
+
+ Certificate[] getCertificates()
+ {
+ return _certificates;
+ }
+
+}
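Review bot: The varargs array `certificate` is stored as-is and handed back by `getCertificates()`, and nothing rejects an empty chain, so a `PrivateKeyEntry` built with no certificates fails only later inside `KeyStore.setKeyEntry`, whose implementations generally require a non-empty chain for a private key (exact behaviour depends on the store type). Renaming the parameter to match the field and copying it makes the entry immutable and surfaces the mistake at construction: `_certificates = certificates.clone();` preceded by `if (certificates.length == 0) { throw new IllegalArgumentException("private key requires a certificate chain"); }`. A class Javadoc along the lines of `/** Keystore entry for a private key and its certificate chain, stored under {@code alias} with the store secret. */` is also missing, as it is on the sibling entry classes.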
diff --git a/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/SecretKeyEntry.java b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/SecretKeyEntry.java
new file mode 100644
index 0000000..6d72d07
--- /dev/null
+++ b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/SecretKeyEntry.java
@@ -0,0 +1,55 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.test.utils.tls;
+
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+
+import javax.crypto.SecretKey;
+
+public class SecretKeyEntry implements KeyStoreEntry
+{
+ private final String _alias;
+ private final SecretKey _secretKey;
+
+ public SecretKeyEntry(final String alias, final SecretKey secretKey)
+ {
+ _alias = alias;
+ _secretKey = secretKey;
+ }
+
+ @Override
+ public void addEntryToKeyStore(final KeyStore keyStore, char[] secret) throws KeyStoreException
+ {
+ keyStore.setKeyEntry(getAlias(), getSecretKey(), secret, null);
+ }
+
+ public String getAlias()
+ {
+ return _alias;
+ }
+
+ public SecretKey getSecretKey()
+ {
+ return _secretKey;
+ }
+
+}
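Review bot: This entry type is inconsistent with its siblings in the same package: CertificateEntry and PrivateKeyEntry are `final` with package-private getters, while SecretKeyEntry is non-final and exposes `getAlias()`/`getSecretKey()` publicly, so the secret key material is reachable from any package that holds the entry. Unless a public accessor is needed by a caller outside this package (none is visible in this change), `public final class SecretKeyEntry implements KeyStoreEntry` with package-private `String getAlias()` and `SecretKey getSecretKey()` matches the others. The `null` chain passed to `setKeyEntry` on the override is correct for a symmetric key and is worth a short comment, e.g. `// no certificate chain for a secret key`.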
diff --git a/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/TlsResource.java b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/TlsResource.java
new file mode 100644
index 0000000..be8fc1d
--- /dev/null
+++ b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/TlsResource.java
@@ -0,0 +1,284 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.test.utils.tls;
+
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.nio.file.FileSystems;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.cert.CRLException;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.CertificateException;
+import java.security.cert.X509CRL;
+import java.security.cert.X509Certificate;
+import java.time.Instant;
+import java.util.Comparator;
+
+import org.junit.rules.ExternalResource;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+
+public class TlsResource extends ExternalResource
+{
+ private static final String PRIVATE_KEY_ALIAS = "private-key-alias";
+ private static final String CERTIFICATE_ALIAS = "certificate-alias";
+ private static final String SECRET = "secret";
+
+ private static final Logger LOGGER = LoggerFactory.getLogger(TlsResource.class);
+
+ private Path _keystoreDirectory;
+
+ private final String _privateKeyAlias;
+ private final String _certificateAlias;
+ private final String _secret;
+ private final String _keyStoreType;
+
+ public TlsResource()
+ {
+ this(PRIVATE_KEY_ALIAS, CERTIFICATE_ALIAS, SECRET, KeyStore.getDefaultType());
+ }
+
+ public TlsResource(final String privateKeyAlias,
+ final String certificateAlias,
+ final String secret,
+ final String defaultType)
+ {
+ _privateKeyAlias = privateKeyAlias;
+ _certificateAlias = certificateAlias;
+ _secret = secret;
+ _keyStoreType = defaultType;
+ }
+
+ @Override
+ public void before() throws Exception
+ {
+ final Path targetDir = FileSystems.getDefault().getPath("target");
+ _keystoreDirectory = Files.createTempDirectory(targetDir, "test-tls-resources-");
+ LOGGER.debug("Test keystore directory is created : '{}'", _keystoreDirectory);
+ }
+
+ @Override
+ public void after()
+ {
+ try
+ {
+ Files.walk(_keystoreDirectory).sorted(Comparator.reverseOrder())
+ .map(Path::toFile)
+ .forEach(f -> {
+ if (!f.delete())
+ {
+ LOGGER.warn("Could not delete file at {}", f.getAbsolutePath());
+ }
+ });
+ }
+ catch (Exception e)
+ {
+ LOGGER.warn("Failure to clean up test resources", e);
+ }
+ }
+
+ public String getSecret()
+ {
+ return _secret;
+ }
+
+ public char[] getSecretAsCharacters()
+ {
+ return _secret == null ? new char[]{} : _secret.toCharArray();
+ }
+
+ public String getPrivateKeyAlias()
+ {
+ return _privateKeyAlias;
+ }
+
+ public String getCertificateAlias()
+ {
+ return _certificateAlias;
+ }
+
+
+ public String getKeyStoreType()
+ {
+ return _keyStoreType;
+ }
+
+
+ public Path createKeyStore(KeyStoreEntry... entries) throws Exception
+ {
+ return createKeyStore(getKeyStoreType(), entries);
+ }
+
+ public Path createKeyStore(final String keyStoreType, final KeyStoreEntry... entries)
+ throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException
+ {
+ final KeyStore ks = TlsResourceHelper.createKeyStore(keyStoreType, getSecretAsCharacters(), entries);
+ return saveKeyStore(keyStoreType, ks);
+ }
+
+ public String createKeyStoreAsDataUrl(KeyStoreEntry... entries) throws Exception
+ {
+ return TlsResourceHelper.createKeyStoreAsDataUrl(getKeyStoreType(), getSecretAsCharacters(), entries);
+ }
+
+ public Path createSelfSignedKeyStore(String dn) throws Exception
+ {
+ final KeyCertificatePair keyCertPair = TlsResourceBuilder.createSelfSigned(dn);
+ return createKeyStore(new PrivateKeyEntry(_privateKeyAlias,
+ keyCertPair.getPrivateKey(),
+ keyCertPair.getCertificate()));
+ }
+
+ public String createSelfSignedKeyStoreAsDataUrl(String dn) throws Exception
+ {
+ final KeyCertificatePair keyCertPair = TlsResourceBuilder.createSelfSigned(dn);
+ return createKeyStoreAsDataUrl(new PrivateKeyEntry(_privateKeyAlias,
+ keyCertPair.getPrivateKey(),
+ keyCertPair.getCertificate()));
+ }
+
+ public Path createSelfSignedTrustStore(final String dn) throws Exception
+ {
+ final KeyCertificatePair keyCertPair = TlsResourceBuilder.createSelfSigned(dn);
+ return createKeyStore(new CertificateEntry(_certificateAlias, keyCertPair.getCertificate()));
+ }
+
+ public Path createSelfSignedTrustStore(final String dn, Instant from, Instant to) throws Exception
+ {
+ final KeyCertificatePair keyCertPair = TlsResourceBuilder.createSelfSigned(dn, from, to);
+ return createKeyStore(new CertificateEntry(_certificateAlias, keyCertPair.getCertificate()));
+ }
+
+ public String createSelfSignedTrustStoreAsDataUrl(String dn) throws Exception
+ {
+ final KeyCertificatePair keyCertPair = TlsResourceBuilder.createSelfSigned(dn);
+ return createKeyStoreAsDataUrl(new CertificateEntry(_certificateAlias, keyCertPair.getCertificate()));
+ }
+
+ public Path createTrustStore(final String dn, KeyCertificatePair ca) throws Exception
+ {
+ final KeyCertificatePair keyCertPair = TlsResourceBuilder.createKeyPairAndCertificate(dn, ca);
+ final String keyStoreType = getKeyStoreType();
+ return createKeyStore(keyStoreType, new CertificateEntry(_certificateAlias, keyCertPair.getCertificate()));
+ }
+
+ public Path createSelfSignedKeyStoreWithCertificate(final String dn) throws Exception
+ {
+ final KeyCertificatePair keyCertPair = TlsResourceBuilder.createSelfSigned(dn);
+ return createKeyStore(new PrivateKeyEntry(_privateKeyAlias,
+ keyCertPair.getPrivateKey(),
+ keyCertPair.getCertificate()),
+ new CertificateEntry(_certificateAlias, keyCertPair.getCertificate()));
+ }
+
+ public Path createCrl(final KeyCertificatePair caPair, final X509Certificate... certificate) throws CRLException
+ {
+ final X509CRL crl = TlsResourceBuilder.createCertificateRevocationList(caPair, certificate);
+
+ try
+ {
+ final Path pkFile = createFile(".crl");
+ try (FileOutputStream out = new FileOutputStream(pkFile.toFile()))
+ {
+ TlsResourceHelper.saveCrlAsPem(out, crl);
+ }
+ return pkFile;
+ }
+ catch (IOException e)
+ {
+ throw new CRLException(e);
+ }
+ }
+
+ public Path createCrlAsDer(final KeyCertificatePair caPair, final X509Certificate... certificate)
+ throws CRLException, IOException
+ {
+ final X509CRL crl = TlsResourceBuilder.createCertificateRevocationList(caPair, certificate);
+ return saveBytes(crl.getEncoded(), ".crl");
+ }
+
+ public String createCrlAsDataUrl(final KeyCertificatePair caPair, final X509Certificate... certificate)
+ throws CRLException
+ {
+ final X509CRL crl = TlsResourceBuilder.createCertificateRevocationList(caPair, certificate);
+ return TlsResourceHelper.getDataUrlForBytes(crl.getEncoded());
+ }
+
+ public Path savePrivateKeyAsPem(final PrivateKey privateKey) throws IOException
+ {
+ final Path pkFile = createFile(".pk.pem");
+ try (FileOutputStream out = new FileOutputStream(pkFile.toFile()))
+ {
+ TlsResourceHelper.savePrivateKeyAsPem(out, privateKey);
+ }
+ return pkFile;
+ }
+
+ public Path saveCertificateAsPem(final X509Certificate... certificate)
+ throws IOException, CertificateEncodingException
+ {
+ final Path certificateFile = createFile(".cer.pem");
+ try (FileOutputStream out = new FileOutputStream(certificateFile.toFile()))
+ {
+ TlsResourceHelper.saveCertificateAsPem(out, certificate);
+ }
+ return certificateFile;
+ }
+
+ public Path savePrivateKeyAsDer(final PrivateKey privateKey) throws IOException
+ {
+ return saveBytes(privateKey.getEncoded(), ".pk.der");
+ }
+
+ public Path saveCertificateAsDer(final X509Certificate certificate) throws CertificateEncodingException, IOException
+ {
+ return saveBytes(certificate.getEncoded(), ".cer.der");
+ }
+
+ public Path createFile(String suffix) throws IOException
+ {
+ return Files.createTempFile(_keystoreDirectory, "tls", suffix);
+ }
+
+ private Path saveBytes(final byte[] bytes, final String extension) throws IOException
+ {
+ final Path pkFile = createFile(extension);
+ try (FileOutputStream out = new FileOutputStream(pkFile.toFile()))
+ {
+ out.write(bytes);
+ }
+ return pkFile;
+ }
+
+ private Path saveKeyStore(final String keyStoreType, final KeyStore ks)
+ throws IOException, KeyStoreException, NoSuchAlgorithmException, CertificateException
+ {
+ final Path storeFile = createFile("." + keyStoreType);
+ TlsResourceHelper.saveKeyStoreIntoFile(ks, getSecretAsCharacters(), storeFile.toFile());
+ return storeFile;
+ }
+}
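Review bot: The `Files.walk` stream in `after()` is never closed, so the directory handles it holds stay open until the stream is collected; wrap it in try-with-resources, `try (Stream<Path> paths = Files.walk(_keystoreDirectory)) { paths.sorted(Comparator.reverseOrder()).map(Path::toFile).forEach(...); }` (needs `import java.util.stream.Stream;`). On platforms where an open directory handle blocks deletion this may also be why the `f.delete()` branch below it ends up logging the "Could not delete" warning rather than cleaning up. Separately, `createKeyStore(KeyStoreEntry...)` declares `throws Exception` although the overload it delegates to only throws `KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException`; narrowing it to those four lets the `createSelfSigned*` and `createTrustStore` callers drop `throws Exception` as well. The temp directory and files created via `Files.createTempDirectory`/`createTempFile` hold private keys, so it is worth a class Javadoc noting that they rely on the owner-only default permissions of those APIs and are removed in `after()`.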
diff --git a/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/TlsResourceBuilder.java b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/TlsResourceBuilder.java
new file mode 100644
index 0000000..1d2fff4
--- /dev/null
+++ b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/TlsResourceBuilder.java
@@ -0,0 +1,533 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.test.utils.tls;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.SecureRandom;
+import java.security.Security;
+import java.security.cert.CRLException;
+import java.security.cert.CertificateException;
+import java.security.cert.X509CRL;
+import java.security.cert.X509Certificate;
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
+import java.util.Arrays;
+import java.util.Date;
+
+import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.asn1.x500.style.RFC4519Style;
+import org.bouncycastle.asn1.x509.BasicConstraints;
+import org.bouncycastle.asn1.x509.CRLDistPoint;
+import org.bouncycastle.asn1.x509.CRLNumber;
+import org.bouncycastle.asn1.x509.DistributionPoint;
+import org.bouncycastle.asn1.x509.DistributionPointName;
+import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
+import org.bouncycastle.asn1.x509.Extension;
+import org.bouncycastle.asn1.x509.GeneralName;
+import org.bouncycastle.asn1.x509.GeneralNames;
+import org.bouncycastle.asn1.x509.KeyPurposeId;
+import org.bouncycastle.asn1.x509.KeyUsage;
+import org.bouncycastle.cert.X509CRLHolder;
+import org.bouncycastle.cert.X509v2CRLBuilder;
+import org.bouncycastle.cert.X509v3CertificateBuilder;
+import org.bouncycastle.cert.jcajce.JcaX509CRLConverter;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
+import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
+import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.operator.ContentSigner;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.operator.OperatorException;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
+
+public class TlsResourceBuilder
+{
+ private static final int RSA_KEY_SIZE = 2048;
+ private static final int VALIDITY_DURATION = 365;
+ private static final String SIGNATURE_ALGORITHM_SHA_512_WITH_RSA = "SHA512WithRSA";
+
+ static
+ {
+ Security.addProvider(new BouncyCastleProvider());
+ }
+
+ private TlsResourceBuilder()
+ {
+ super();
+ }
+
+ public static KeyPair createRSAKeyPair()
+ {
+ KeyPairGenerator keyPairGenerator;
+ try
+ {
+ keyPairGenerator = KeyPairGenerator.getInstance("RSA");
+ }
+ catch (NoSuchAlgorithmException e)
+ {
+ throw new IllegalStateException("RSA generator is not found");
+ }
+
+ keyPairGenerator.initialize(RSA_KEY_SIZE);
+ return keyPairGenerator.genKeyPair();
+ }
+
+ public static KeyCertificatePair createKeyPairAndRootCA(final String dn) throws CertificateException
+ {
+ return createKeyPairAndRootCA(dn, createValidityPeriod());
+ }
+
+ public static KeyCertificatePair createKeyPairAndIntermediateCA(final String dn,
+ final KeyCertificatePair rootCA,
+ final String crlUri)
+ throws CertificateException
+ {
+ return createKeyPairAndIntermediateCA(dn, createValidityPeriod(), rootCA, crlUri);
+ }
+
+ public static KeyCertificatePair createSelfSigned(final String dn,
+ final Instant validFrom,
+ final Instant validTo,
+ final AlternativeName... alternativeName)
+ throws CertificateException
+ {
+ return createSelfSigned(dn, new ValidityPeriod(validFrom, validTo), alternativeName);
+ }
+
+ public static KeyCertificatePair createSelfSigned(final String dn, final AlternativeName... alternativeName)
+ throws CertificateException
+ {
+ return createSelfSigned(dn, createValidityPeriod(), alternativeName);
+ }
+
+ public static KeyCertificatePair createKeyPairAndCertificate(final String dn,
+ final KeyCertificatePair ca,
+ final AlternativeName... alternativeName)
+ throws CertificateException
+ {
+ return createKeyPairAndCertificate(dn, createValidityPeriod(), ca, alternativeName);
+ }
+
+ public static X509Certificate createCertificate(final KeyPair keyPair,
+ final KeyCertificatePair ca,
+ final String dn,
+ final Instant from,
+ final Instant to,
+ final AlternativeName... alternativeName)
+ throws CertificateException
+ {
+ return createCertificate(keyPair,
+ ca,
+ dn,
+ new ValidityPeriod(from, to),
+ createKeyUsageExtension(),
+ createAlternateNamesExtension(alternativeName));
+ }
+
+
+ public static X509Certificate createCertificateForClientAuthorization(final KeyPair keyPair,
+ final KeyCertificatePair ca,
+ final String dn,
+ final AlternativeName... alternativeName)
+ throws CertificateException
+ {
+ return createCertificate(keyPair,
+ ca,
+ dn,
+ createValidityPeriod(),
+ createExtendedUsageExtension(new ExtendedKeyUsage(new KeyPurposeId[]{KeyPurposeId.id_kp_clientAuth})),
+ createAuthorityKeyExtension(ca.getCertificate().getPublicKey()),
+ createSubjectKeyExtension(keyPair.getPublic()),
+ createAlternateNamesExtension(alternativeName));
+ }
+
+ public static X509Certificate createCertificateForServerAuthorization(final KeyPair keyPair,
+ final KeyCertificatePair ca,
+ final String dn,
+ final AlternativeName... alternativeName)
+ throws CertificateException
+ {
+ return createCertificate(keyPair,
+ ca,
+ dn,
+ createValidityPeriod(),
+ createExtendedUsageExtension(new ExtendedKeyUsage(new KeyPurposeId[]{KeyPurposeId.id_kp_serverAuth})),
+ createAuthorityKeyExtension(ca.getCertificate().getPublicKey()),
+ createSubjectKeyExtension(keyPair.getPublic()),
+ createAlternateNamesExtension(alternativeName));
+ }
+
+ public static X509Certificate createCertificateWithCrlDistributionPoint(final KeyPair keyPair,
+ final KeyCertificatePair caPair,
+ final String dn,
+ final String crlUri)
+ throws CertificateException
+ {
+ return createCertificate(keyPair,
+ caPair,
+ dn,
+ createValidityPeriod(),
+ createKeyUsageExtension(),
+ createDistributionPointExtension(crlUri));
+ }
+
+ private static X509Certificate createCertificate(final KeyPair keyPair,
+ final KeyCertificatePair ca,
+ final String dn,
+ final ValidityPeriod validityPeriod,
+ final Extension... extensions)
+ throws CertificateException
+ {
+ try
+ {
+ final X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
+ ca.getCertificate(),
+ generateSerialNumber(),
+ new Date(validityPeriod.getFrom().toEpochMilli()),
+ new Date(validityPeriod.getTo().toEpochMilli()),
+ new X500Name(RFC4519Style.INSTANCE, dn),
+ keyPair.getPublic());
+
+ builder.addExtension(Extension.basicConstraints, false, new BasicConstraints(false));
+ for (Extension e : extensions)
+ {
+ builder.addExtension(e);
+ }
+ return buildX509Certificate(builder, ca.getPrivateKey());
+ }
+ catch (OperatorException | IOException e)
+ {
+ throw new CertificateException(e);
+ }
+ }
+
+ private static X509Certificate createSelfSignedCertificate(final KeyPair keyPair,
+ final String dn,
+ final ValidityPeriod period,
+ final AlternativeName... alternativeName)
+ throws CertificateException
+ {
+ try
+ {
+ final X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
+ new X500Name(RFC4519Style.INSTANCE, dn),
+ generateSerialNumber(),
+ new Date(period.getFrom().toEpochMilli()),
+ new Date(period.getTo().toEpochMilli()),
+ new X500Name(RFC4519Style.INSTANCE, dn),
+ keyPair.getPublic());
+ builder.addExtension(Extension.basicConstraints, false, new BasicConstraints(false));
+ builder.addExtension(createKeyUsageExtension());
+ builder.addExtension(createSubjectKeyExtension(keyPair.getPublic()));
+ builder.addExtension(createAlternateNamesExtension(alternativeName));
+ return buildX509Certificate(builder, keyPair.getPrivate());
+ }
+ catch (OperatorException | IOException e)
+ {
+ throw new CertificateException(e);
+ }
+ }
+
+ static X509CRL createCertificateRevocationList(final KeyCertificatePair ca, X509Certificate... certificate)
+ throws CRLException
+ {
+ try
+ {
+ final X500Name issuerName = X500Name.getInstance(RFC4519Style.INSTANCE,
+ ca.getCertificate()
+ .getSubjectX500Principal()
+ .getEncoded());
+
+ final Instant nextUpdate = Instant.now().plus(10, ChronoUnit.DAYS);
+
+ final Date now = new Date();
+ final X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuerName, now);
+ crlBuilder.setNextUpdate(new Date(nextUpdate.toEpochMilli()));
+
+ for (X509Certificate c : certificate)
+ {
+ // crlBuilder.addCRLEntry(c.getSerialNumber(), now, CRLReason.privilegeWithdrawn);
+ crlBuilder.addCRLEntry(c.getSerialNumber(), now, 0);
+ }
+
+ crlBuilder.addExtension(createAuthorityKeyExtension(ca.getCertificate().getPublicKey()));
+ crlBuilder.addExtension(Extension.cRLNumber, false, new CRLNumber(generateSerialNumber()));
+
+ final ContentSigner contentSigner = createContentSigner(ca.getPrivateKey());
+ final X509CRLHolder crl = crlBuilder.build(contentSigner);
+
+ return new JcaX509CRLConverter().getCRL(crl);
+
+
+ /*
+
+ JcaContentSignerBuilder contentSignerBuilder =
+ new JcaContentSignerBuilder(SIGNATURE_ALGORITHM_SHA_512_WITH_RSA); //"SHA256WithRSAEncryption"
+
+ contentSignerBuilder.setProvider("BC");
+
+ X509CRLHolder crlHolder = crlBuilder.build(contentSignerBuilder.build(ca.getPrivateKey()));
+
+ JcaX509CRLConverter converter = new JcaX509CRLConverter();
+
+ converter.setProvider("BC");
+
+ return converter.getCRL(crlHolder);
+ */
+ }
+ catch (OperatorException | IOException | CertificateException e)
+ {
+ throw new CRLException(e);
+ }
+ }
+
+ private static X509Certificate createRootCACertificate(final KeyPair keyPair,
+ final String dn,
+ final ValidityPeriod validityPeriod)
+ throws CertificateException
+ {
+ try
+ {
+ final X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
+ new X500Name(RFC4519Style.INSTANCE, dn),
+ generateSerialNumber(),
+ new Date(validityPeriod.getFrom().toEpochMilli()),
+ new Date(validityPeriod.getTo().toEpochMilli()),
+ new X500Name(RFC4519Style.INSTANCE, dn),
+ keyPair.getPublic());
+
+ builder.addExtension(Extension.basicConstraints, false, new BasicConstraints(true));
+ builder.addExtension(createSubjectKeyExtension(keyPair.getPublic()));
+ builder.addExtension(createAuthorityKeyExtension(keyPair.getPublic()));
+ return buildX509Certificate(builder, keyPair.getPrivate());
+ }
+ catch (OperatorException | IOException e)
+ {
+ throw new CertificateException(e);
+ }
+ }
+
+ private static X509Certificate generateIntermediateCertificate(final KeyPair keyPair,
+ final KeyCertificatePair rootCA,
+ final String dn,
+ final ValidityPeriod validityPeriod,
+ final String crlUri)
+ throws CertificateException
+ {
+ try
+ {
+ final X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
+ rootCA.getCertificate(),
+ generateSerialNumber(),
+ new Date(validityPeriod.getFrom().toEpochMilli()),
+ new Date(validityPeriod.getTo().toEpochMilli()),
+ new X500Name(RFC4519Style.INSTANCE, dn),
+ keyPair.getPublic());
+ //builder.addExtension(Extension.keyUsage, false, new KeyUsage(KeyUsage.keyCertSign));
+ builder.addExtension(Extension.basicConstraints, false, new BasicConstraints(true));
+ builder.addExtension(createSubjectKeyExtension(keyPair.getPublic()));
+ builder.addExtension(createAuthorityKeyExtension(rootCA.getCertificate().getPublicKey()));
+ if (crlUri != null)
+ {
+ builder.addExtension(createDistributionPointExtension(crlUri));
+ }
+
+ return buildX509Certificate(builder, rootCA.getPrivateKey());
+ }
+ catch (OperatorException | IOException e)
+ {
+ throw new CertificateException(e);
+ }
+ }
+
+ private static KeyCertificatePair createKeyPairAndRootCA(final String dn,
+ final ValidityPeriod validityPeriod)
+ throws CertificateException
+ {
+ final KeyPair keyPair = createRSAKeyPair();
+ final X509Certificate rootCA = createRootCACertificate(keyPair, dn, validityPeriod);
+ return new KeyCertificatePair(keyPair.getPrivate(), rootCA);
+ }
+
+ private static KeyCertificatePair createKeyPairAndIntermediateCA(final String dn,
+ final ValidityPeriod validityPeriod,
+ final KeyCertificatePair rootCA,
+ final String crlUri)
+ throws CertificateException
+ {
+ final KeyPair keyPair = createRSAKeyPair();
+ final X509Certificate intermediateCA = generateIntermediateCertificate(keyPair, rootCA, dn, validityPeriod, crlUri);
+ return new KeyCertificatePair(keyPair.getPrivate(), intermediateCA);
+ }
+
+ private static KeyCertificatePair createKeyPairAndCertificate(final String dn,
+ final ValidityPeriod validityPeriod,
+ final KeyCertificatePair ca,
+ final AlternativeName... alternativeName)
+ throws CertificateException
+ {
+ final KeyPair keyPair = createRSAKeyPair();
+ final X509Certificate certificate = createCertificate(keyPair, ca, dn, validityPeriod, alternativeName);
+ return new KeyCertificatePair(keyPair.getPrivate(), certificate);
+ }
+
+ private static X509Certificate createCertificate(final KeyPair keyPair,
+ final KeyCertificatePair ca,
+ final String dn,
+ final ValidityPeriod validityPeriod,
+ final AlternativeName... alternativeName)
+ throws CertificateException
+ {
+ return createCertificate(keyPair,
+ ca,
+ dn,
+ validityPeriod,
+ createKeyUsageExtension(),
+ createAlternateNamesExtension(alternativeName));
+ }
+
+ private static KeyCertificatePair createSelfSigned(final String dn,
+ final ValidityPeriod validityPeriod,
+ final AlternativeName... alternativeName)
+ throws CertificateException
+ {
+ final KeyPair keyPair = createRSAKeyPair();
+ final X509Certificate certificate = createSelfSignedCertificate(keyPair, dn, validityPeriod, alternativeName);
+ return new KeyCertificatePair(keyPair.getPrivate(), certificate);
+ }
+
+ private static ValidityPeriod createValidityPeriod()
+ {
+ final Instant from = Instant.now().minus(1, ChronoUnit.DAYS);
+ final Instant to = from.plus(VALIDITY_DURATION, ChronoUnit.DAYS);
+ return new ValidityPeriod(from, to);
+ }
+
+ private static Extension createAuthorityKeyExtension(final PublicKey publicKey)
+ throws CertificateException
+ {
+ try
+ {
+ return new Extension(Extension.authorityKeyIdentifier,
+ false,
+ new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(publicKey).getEncoded());
+ }
+ catch (IOException | NoSuchAlgorithmException e)
+ {
+ throw new CertificateException(e);
+ }
+ }
+
+ private static Extension createSubjectKeyExtension(final PublicKey publicKey)
+ throws CertificateException
+ {
+ try
+ {
+ return new Extension(Extension.subjectKeyIdentifier,
+ false,
+ new JcaX509ExtensionUtils().createSubjectKeyIdentifier(publicKey).getEncoded());
+ }
+ catch (IOException | NoSuchAlgorithmException e)
+ {
+ throw new CertificateException(e);
+ }
+ }
+
+ private static Extension createExtendedUsageExtension(final ExtendedKeyUsage extendedKeyUsage)
+ throws CertificateException
+ {
+ try
+ {
+ return new Extension(Extension.extendedKeyUsage, false, extendedKeyUsage.getEncoded());
+ }
+ catch (IOException e)
+ {
+ throw new CertificateException(e);
+ }
+ }
+
+ private static Extension createKeyUsageExtension()
+ {
+ return new Extension(Extension.keyUsage,
+ false,
+ new KeyUsage(KeyUsage.digitalSignature
+ | KeyUsage.nonRepudiation
+ | KeyUsage.keyEncipherment).getBytes());
+ }
+
+ private static Extension createDistributionPointExtension(final String crlUri) throws CertificateException
+ {
+ try
+ {
+ final GeneralName generalName = new GeneralName(GeneralName.uniformResourceIdentifier, crlUri);
+ final DistributionPointName pointName = new DistributionPointName(new GeneralNames(generalName));
+ final DistributionPoint[] points = new DistributionPoint[]{new DistributionPoint(pointName, null, null)};
+ return new Extension(Extension.cRLDistributionPoints, false, new CRLDistPoint(points).getEncoded());
+ }
+ catch (IOException e)
+ {
+ throw new CertificateException(e);
+ }
+ }
+
+ private static Extension createAlternateNamesExtension(final AlternativeName[] alternativeName)
+ throws CertificateException
+ {
+ try
+ {
+ final GeneralName[] generalNames = Arrays.stream(alternativeName)
+ .map(an -> new GeneralName(an.getType().ordinal(),
+ an.getName()))
+ .toArray(GeneralName[]::new);
+ return new Extension(Extension.subjectAlternativeName,
+ false,
+ new GeneralNames(generalNames).getEncoded());
+ }
+ catch (IOException e)
+ {
+ throw new CertificateException(e);
+ }
+ }
+
+ private static BigInteger generateSerialNumber()
+ {
+ return new BigInteger(64, new SecureRandom());
+ }
+
+ private static X509Certificate buildX509Certificate(final X509v3CertificateBuilder builder, final PrivateKey pk)
+ throws OperatorCreationException, CertificateException
+ {
+ ContentSigner contentSigner = createContentSigner(pk);
+ return new JcaX509CertificateConverter().getCertificate(builder.build(contentSigner));
+ }
+
+ private static ContentSigner createContentSigner(final PrivateKey privateKey)
+ throws OperatorCreationException
+ {
+ return new JcaContentSignerBuilder(SIGNATURE_ALGORITHM_SHA_512_WITH_RSA).setProvider("BC").build(privateKey);
+ }
+}
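Review bot: `createAlternateNamesExtension` emits a subjectAlternativeName extension even when `alternativeName` is empty, and `createSelfSignedCertificate` and the `Extension...` overload of `createCertificate` add it unconditionally, so every certificate built without alt names carries an empty SAN SEQUENCE, which RFC 5280 §4.2.1.6 forbids and which, as far as I recall, the JDK's own X.509 parser records as an unparseable extension. Make the helper return `null` for a zero-length array, guard the call in `createSelfSignedCertificate` with `if (alternativeName.length > 0)`, and have the `for (Extension e : extensions)` loop in the private `createCertificate` skip `null` entries. The same helper uses `an.getType().ordinal()` as the GeneralName tag, which silently produces wrong name types if the `AlternativeName` enum (not visible in this hunk) is ever reordered; carry the tag as an explicit enum field instead. The commented-out signer block at the end of `createCertificateRevocationList` and the commented `keyUsage` line in `generateIntermediateCertificate` should be deleted rather than kept as dead code, and `createRSAKeyPair` drops the cause — `throw new IllegalStateException("RSA generator is not found", e);`.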
diff --git a/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/TlsResourceHelper.java b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/TlsResourceHelper.java
new file mode 100644
index 0000000..559e102
--- /dev/null
+++ b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/TlsResourceHelper.java
@@ -0,0 +1,163 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.test.utils.tls;
+
+import static java.nio.charset.StandardCharsets.UTF_8;
+
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.cert.CRLException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.CertificateException;
+import java.security.cert.X509CRL;
+import java.security.cert.X509Certificate;
+import java.util.Base64;
+
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
+
+public class TlsResourceHelper
+{
+ private static final byte[] LINE_SEPARATOR = new byte[]{'\r', '\n'};
+ private static final String BEGIN_X_509_CRL = "-----BEGIN X509 CRL-----";
+ private static final String END_X_509_CRL = "-----END X509 CRL-----";
+ private static final String BEGIN_PRIVATE_KEY = "-----BEGIN PRIVATE KEY-----";
+ private static final String END_PRIVATE_KEY = "-----END PRIVATE KEY-----";
+ private static final String BEGIN_CERTIFICATE = "-----BEGIN CERTIFICATE-----";
+ private static final String END_CERTIFICATE = "-----END CERTIFICATE-----";
+ private static final int PEM_LINE_LENGTH = 76;
+
+ public static KeyStore createKeyStore(final String keyStoreType, char[] secret, final KeyStoreEntry... entries)
+ throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException
+ {
+ final KeyStore ks = createKeyStoreOfType(keyStoreType);
+ for (KeyStoreEntry e : entries)
+ {
+ e.addEntryToKeyStore(ks, secret);
+ }
+ return ks;
+ }
+
+ public static String createKeyStoreAsDataUrl(final String keyStoreType, char[] secret, KeyStoreEntry... entries) throws Exception
+ {
+ final KeyStore ks = createKeyStore(keyStoreType, secret, entries);
+ return toDataUrl(ks, secret);
+ }
+
+ public static KeyStore createKeyStoreOfType(final String keyStoreType)
+ throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException
+ {
+ final KeyStore ks = KeyStore.getInstance(keyStoreType);
+ ks.load(null, null);
+ return ks;
+ }
+
+ public static void saveKeyStoreIntoFile(final KeyStore ks, final char[] secret, final File storeFile)
+ throws IOException, KeyStoreException, NoSuchAlgorithmException, CertificateException
+ {
+ try (FileOutputStream fos = new FileOutputStream(storeFile))
+ {
+ ks.store(fos, secret);
+ }
+ }
+
+ public static String toDataUrl(final KeyStore ks, char[] secret)
+ throws IOException, KeyStoreException, NoSuchAlgorithmException, CertificateException
+ {
+ final String result;
+ try (ByteArrayOutputStream os = new ByteArrayOutputStream())
+ {
+ ks.store(os, secret);
+ result = getDataUrlForBytes(os.toByteArray());
+ }
+ return result;
+ }
+
+ public static String getDataUrlForBytes(final byte[] bytes)
+ {
+ return new StringBuilder("data:;base64,").append(Base64.getEncoder().encodeToString(bytes)).toString();
+ }
+
+ public static SecretKey createAESSecretKey() throws NoSuchAlgorithmException
+ {
+ KeyGenerator keyGen = KeyGenerator.getInstance("AES");
+ keyGen.init(256);
+ return keyGen.generateKey();
+ }
+
+ public static void saveBytesAsPem(final byte[] bytes, final String header, final String footer, final OutputStream out)
+ throws IOException
+ {
+ out.write(header.getBytes(UTF_8));
+ out.write(LINE_SEPARATOR);
+ out.write(Base64.getMimeEncoder(PEM_LINE_LENGTH, LINE_SEPARATOR).encode(bytes));
+ out.write(LINE_SEPARATOR);
+ out.write(footer.getBytes(UTF_8));
+ out.write(LINE_SEPARATOR);
+ }
+
+ public static void saveCertificateAsPem(final OutputStream os, final X509Certificate... certificate) throws IOException,
+ CertificateEncodingException
+ {
+ for (X509Certificate b : certificate)
+ {
+ saveBytesAsPem(b.getEncoded(), BEGIN_CERTIFICATE, END_CERTIFICATE, os);
+ }
+ }
+
+ public static void savePrivateKeyAsPem(final OutputStream os, final PrivateKey key) throws IOException
+ {
+ saveBytesAsPem(key.getEncoded(), BEGIN_PRIVATE_KEY, END_PRIVATE_KEY, os);
+ }
+
+ public static void saveCrlAsPem(final OutputStream os, final X509CRL crl) throws CRLException, IOException
+ {
+ saveBytesAsPem(crl.getEncoded(), BEGIN_X_509_CRL, END_X_509_CRL, os);
+ }
+
+
+ public static String toPEM(final Certificate pub) throws CertificateEncodingException
+ {
+ return toPEM(pub.getEncoded(), BEGIN_CERTIFICATE, END_CERTIFICATE);
+ }
+
+ public static String toPEM(final PrivateKey key)
+ {
+ return toPEM(key.getEncoded(), BEGIN_PRIVATE_KEY, END_PRIVATE_KEY);
+ }
+
+ private static String toPEM(final byte[] bytes, final String header, final String footer)
+ {
+ final StringBuilder pem = new StringBuilder();
+ pem.append(header).append(new String(LINE_SEPARATOR, UTF_8));
+ pem.append(Base64.getMimeEncoder(PEM_LINE_LENGTH, LINE_SEPARATOR).encodeToString(bytes));
+ pem.append(new String(LINE_SEPARATOR, UTF_8)).append(footer).append(new String(LINE_SEPARATOR, UTF_8));
+ return pem.toString();
+ }
+}
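Review bot: `createKeyStoreAsDataUrl` declares `throws Exception` although the two calls it makes, `createKeyStore` and `toDataUrl`, only throw `KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException`; declaring those four instead, `throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException`, is what lets `TlsResource.createKeyStoreAsDataUrl` and its callers stop declaring `throws Exception` too. The class is all static methods but has no private constructor, unlike `TlsResourceBuilder` in the same commit; add `private TlsResourceHelper() { }`. The private `toPEM(byte[], String, String)` duplicates `saveBytesAsPem` line for line with a StringBuilder; writing through `saveBytesAsPem` into a `ByteArrayOutputStream` and decoding the bytes as UTF-8 keeps a single PEM encoder, and `getDataUrlForBytes` reads more plainly as `"data:;base64," + Base64.getEncoder().encodeToString(bytes)`.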
diff --git a/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/ValidityPeriod.java b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/ValidityPeriod.java
new file mode 100644
index 0000000..c661b84
--- /dev/null
+++ b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/tls/ValidityPeriod.java
@@ -0,0 +1,92 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+
+package org.apache.qpid.test.utils.tls;
+
+import java.time.Instant;
+
+class ValidityPeriod
+{
+ private final Instant _from;
+ private final Instant _to;
+
+ ValidityPeriod(final Instant from, final Instant to)
+ {
+ if (from == null || to == null)
+ {
+ throw new IllegalArgumentException("Both 'to' and 'from' parameters cannot be null");
+ }
+ if (to.compareTo(from) < 0)
+ {
+ throw new IllegalArgumentException("Parameter 'to' cannot be less than 'from' value");
+ }
+ _from = from;
+ _to = to;
+ }
+
+ public Instant getFrom()
+ {
+ return _from;
+ }
+
+ public Instant getTo()
+ {
+ return _to;
+ }
+
+ @Override
+ public boolean equals(final Object o)
+ {
+ if (this == o)
+ {
+ return true;
+ }
+ if (o == null || getClass() != o.getClass())
+ {
+ return false;
+ }
+
+ final ValidityPeriod that = (ValidityPeriod) o;
+
+ if (!_from.equals(that._from))
+ {
+ return false;
+ }
+ return _to.equals(that._to);
+ }
+
+ @Override
+ public int hashCode()
+ {
+ int result = _from.hashCode();
+ result = 31 * result + _to.hashCode();
+ return result;
+ }
+
+ @Override
+ public String toString()
+ {
+ return "ValidityPeriod{" +
+ "_from=" + _from +
+ ", _to=" + _to +
+ '}';
+ }
+}
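Review bot: The message thrown at the `if (from == null || to == null)` guard says both parameters cannot be null, but the condition fires when either one is null, so a caller passing a single null gets a misleading error; `Objects.requireNonNull(from, "from");` and `Objects.requireNonNull(to, "to");` (adding `import java.util.Objects;`) would name the offending argument, and the same import lets `equals`/`hashCode` collapse to `Objects.equals`/`Objects.hash(_from, _to)`. The class also has no Javadoc; a one-line header such as `/** Immutable [from, to] window of Instants; 'to' may equal but not precede 'from'. */` would document the contract the constructor enforces, since the bound check on line `to.compareTo(from) < 0` deliberately permits equality. Whether these Instants end up as certificate notBefore/notAfter values is not visible in this hunk and would be worth stating in that Javadoc if so.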
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crl b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crl
deleted file mode 100644
index 2d7b8d9..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crl
+++ /dev/null
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crl.pem b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crl.pem
deleted file mode 100644
index 0430e10..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crl.pem
+++ /dev/null
@@ -1,13 +0,0 @@
------BEGIN X509 CRL-----
-MIIB8TCB2gIBATANBgkqhkiG9w0BAQsFADBBMQswCQYDVQQGEwJDQTEQMA4GA1UE
-CAwHT250YXJpbzENMAsGA1UECgwEQUNNRTERMA8GA1UEAwwITXlSb290Q0EXDTIw
-MDExNzEyMTQwM1oXDTIwMDIxNjEyMTQwM1owVDATAgISOBcNMjAwMTE3MTIxNDAz
-WjATAgISORcNMjAwMTE3MTIxNDAzWjATAgISOxcNMjAwMTE3MTIxNDAzWjATAgIS
-PBcNMjAwMTE3MTIxNDAzWqAPMA0wCwYDVR0UBAQCAhI2MA0GCSqGSIb3DQEBCwUA
-A4IBAQCP9fF88j+7OLHZqq6kkxB8IZSN0lCRXXk590V3rx/NWJYmhGjlOjvEe+dG
-fiTFYUxtYuGU/rsYOezMg2/uO9l+PdPq2blWcYKvDvBK89oHaFnX0U1vCiOLD/H0
-09a70Lo3p7tHRBiPcaximmq3DA2dZRSRlo3oRoHAQ1tdMbbAm+D+N6uEu6xARycH
-OmAkx1ofx1SW+Up02R/56QINfYKG+Teqk+g/2uj+fbCx7Hdt+ocoPH8D3FrPv/QQ
-wmDlvPktb552EyOAHuhv/VSYhBB9yLKeqxb4/K7+lSCibM7gO0aPpzr33eykftbR
-aMRSNPr1t5tw2psBHoQ63U920dXu
------END X509 CRL-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crt b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crt
deleted file mode 100644
index 0614c37..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crt
+++ /dev/null
@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDYzCCAkugAwIBAgIUAzgWkwkl4wOLx+GiJZVnG3I2cNEwDQYJKoZIhvcNAQEN
-BQAwQTELMAkGA1UEBhMCQ0ExEDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFD
-TUUxETAPBgNVBAMMCE15Um9vdENBMB4XDTIwMDExNzEyMTM0OVoXDTI0MDExNzEy
-MTM0OVowQTELMAkGA1UEBhMCQ0ExEDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoM
-BEFDTUUxETAPBgNVBAMMCE15Um9vdENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEA+CXc5ld4yp+N6ns0HA8aPI2AUDPcbhs558F713/amq6KzueuVBJ4
-UBMdFqGI2Ul2RbEJuy/qxYqTDqtPNMorzLgK47NrDnZ0cdE/DlavSyCQmNoE0Ksr
-XBTbIk0uEKKObJSYiW+8ise6cc+5Q83woG5OzUj6E/uX/TFYsSbsaLaG74HY8ajI
-bHDEPOnRlqWV/Z8ADvjpplxXuAXyhA7YYMA/WlXAp3knLFEZTJduVeH+U9gn3lif
-9zjUxuaNBioTJcnHnbanc3z2q5CvTbzhlUjOuWJ28dJ+QHr60bw4EEwM+akavU+O
-9GK2Dh2oqLAOJ/z11I5F6LX7NEOprpt0owIDAQABo1MwUTAdBgNVHQ4EFgQU2DTy
-TKWsAaQ7VGaq99vDwfK/5swwHwYDVR0jBBgwFoAU2DTyTKWsAaQ7VGaq99vDwfK/
-5swwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAQEA8p51vGg8YT6y
-Aiyeps/ggms5/vkuH3AdI2OqC1RbIIx2Duia1EiH+Vxw0I1B7jJ9tZOsZfJVLmcr
-qlToReTTceGSRt22JvV7vpB/mn7y1z5Pz9Inw/eWTC32frzzLdayGv3/EhArsu+B
-eW6EemnXN4UxRc4rkCcYqz3WJJ/NollBwzqhpmFqo0sArZ7CSkz9+2U6sayZsxA3
-zT+4aj6vIp6Yv/USgX86VrdO1sBhJKlosEOlJqyorpjutv4fl4hR04/yU+Kw/sdG
-9ZA5Q9zrV0ooZ+635K1Z4Xr2rCH/38ltUZnFWD7D0w/z+QhonxXdnwbudtedSybo
-VPvWVRUaVA==
------END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.empty.crl b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.empty.crl
deleted file mode 100644
index 7c4a5df..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.empty.crl
+++ /dev/null
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.empty.crl.pem b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.empty.crl.pem
deleted file mode 100644
index 88a02d0..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.empty.crl.pem
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN X509 CRL-----
-MIIBmzCBhAIBATANBgkqhkiG9w0BAQsFADBBMQswCQYDVQQGEwJDQTEQMA4GA1UE
-CAwHT250YXJpbzENMAsGA1UECgwEQUNNRTERMA8GA1UEAwwITXlSb290Q0EXDTIw
-MDExNzEyMTQwM1oXDTIwMDIxNjEyMTQwM1qgDzANMAsGA1UdFAQEAgISNTANBgkq
-hkiG9w0BAQsFAAOCAQEAvXMYfesUZM9b/MRG36pyFXdW6Ntn7KcldzYphHMeUiw9
-L+SI2kSzQrfvMFC5URAMpchnKZWzNcjoERpaFmt/io9W+GxFfrfUDPgu14p3n1b9
-Z4xQx/f+ZbEuw4Xuv5TPdGYzkxtaMCabHrcZbJvYcT+6ogshsxIqduiqx9EEnyYY
-WhrsOyAhjhEAeU+CaNjL0xo+71xpzyRbV2BRxwyNNJEVTc9SGUtwro2jdCSB72KM
-S85RSUshg5aWEXz99jV41w1Zx1UWfwAN9K5aJxwNp3x06C/SxHc2yMfN9h3BIr/f
-kdBgB/Larrwq+luogS4e9JA522/V3yYeYajuxH7JEQ==
------END X509 CRL-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.key b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.key
deleted file mode 100644
index 742071d..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.key
+++ /dev/null
@@ -1,30 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIoKxdp44hlPICAggA
-MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECIjUETc4sXyDBIIEyMQ/YTalgLpr
-OcHUsyfkMGThRYoMvDC1TT8SYR5iqm0ARFxIh6tnU1Y0JvWMdzQgR4qzZXbyZLwm
-L/0xeL4ErEkhgfc6UUv7ldv5uja3dKUbTZaxD/Pl/w7ZboVWj62RfiSMmoNmvMaw
-0c7BIFxXACdrVSjBN11cJOYI9nKwqge5WWEgTVYSyKGC0zf6BdSSRmaFX5mQ7E0D
-9tuegWmes57TEZXh9ObzsrKegFC6FJ26DUXZ7h7lAOkHrjRm+5pvY+YOHtGgBLCz
-h1DkssCQ9uyE+39REcdX4cEkY2L4kqirJ69v6YdT6u7NwF2eGCJwANDCI5+1WFO2
-Prc2SNAgA4TtASnwi6vE7z/Vg2Ah+WUx41m4kp5zw4rUIA6w9pvUnuZBhACEcqtt
-HncoVRr0dxX7tN7Hxsw5I2Wx0szuHCpSXt9den/4rcyl4dpVViNOc7lah0C8uS2t
-tt1DE4JdA1gm0uKVUkS+57049R0ojMisjMmJBs3V0+lPvRwHGZ+UGer4lw1FPMXr
-fDLXuOCs5V9pR2d5OtHttFNKVGwcRtPElSKCvJjxvl/frBTfng97S/jIAUJc4NMQ
-tBoI18TeNnALRp/JWtJf5VqQFyNvp/Th/Qk2VgUa6x5jKE6ksLlaVDxZ4rZbFyfl
-WkVbJ3OABNfEzrucOEFoncqHPM8BT1unTkRTOlsJMbgzJYby+RLznMzKwGS20A6P
-f2f4L840zqHSFHfD/HhW0CZ5ZwXbW6Kta6D0+DWDzHzA/6GMFtggpXtMXKbi/2dV
-wPR7sHQwxE+Qbq4SxxAx7CYhiz6L2x/EMX/BehAJic6XTQJEmluaiq3o1954OuTZ
-eUAnOV9iv2iEKf02D06yCJsyLop4CtN88HenGD7EiZ71IuF7U/VDoy2lVcbiW0DT
-efTsbns5euSqe335SHafd9OGIe8p7shsSsoh6smfUpYdYlKq+wG2P+h7CSMoIGh6
-bKq0k3xnyi4CH22Ukyt3IIg0REGTvFgdZGRuwJe2cylzYeuj+KJclVLTmJ2jQJ2D
-xd1M5gNqbZOzihCNOnG6Owik93RJBi6qynhfhOt6YHBeUmeIFx+ygLQqtNjlX/V9
-+rsBtovzMZhfFK6ozSm0fQG+2rB5QrnsEw3gzzZ22fBPy+SQ1GPK2FJNNHO3REaD
-+5Yt0Iny4jFA9UiveR8pxvYdPwoPEiEii1VfOAkR+0dcEeKX1gQvCF84XNRSiMXw
-ITHOI9QmmYqyjTAv1ZMB7TV3dnxQuyifHZciEFK5R7Kkn0Z78diXxFjWvPVVhsLG
-yzFHArQs0lDUsRlZxJ68SkwJ3dw2m8XpwUPkWlTZ5SoJTSN0JOa9fn5Htm7X1ZYK
-A4x80z3t6oeTGJxmDxQHOL+NCkeRQv1fN/JS4b7I6p9sQT+60gT5dJ0R6/CU2Vpf
-xM+DcHGW8oo8yQ2CjSOaf1Bp+Sp/arcrK0KOP6sbABlnXeTeRgWOb3xwRnwWP0am
-wAooVJgifFOAnEA7rfi7XgnQkALtwki4TPhy2g+eoHDo2PiX5j0QxdVpGlfzZVkC
-9j8fgea3hy5Y78Ju8N/fhZWgYIoyosVnFhXHtHpebPdDpktseOR388PNvMEa+6vT
-nKxFX9Uw8/IoAkO1WGG+rg==
------END ENCRYPTED PRIVATE KEY-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.crt b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.crt
deleted file mode 100644
index 171ec80..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.crt
+++ /dev/null
@@ -1,80 +0,0 @@
-Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number: 4663 (0x1237)
- Signature Algorithm: sha512WithRSAEncryption
- Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA
- Validity
- Not Before: Jan 17 12:14:00 2020 GMT
- Not After : Jan 17 12:14:00 2024 GMT
- Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=allowed_by_ca@acme.org
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- RSA Public-Key: (2048 bit)
- Modulus:
- 00:ae:43:c8:3b:d5:08:7c:69:6f:48:96:bd:ae:cf:
- d9:ab:f6:3a:68:64:e6:f5:57:14:45:42:40:e5:c5:
- 7f:97:6d:13:4f:d1:26:28:14:0d:30:e5:9e:55:67:
- b8:3a:7d:d8:8d:b4:9e:07:f0:62:e4:95:63:41:b9:
- 04:2b:53:51:86:46:36:25:6f:82:60:74:e0:81:73:
- c3:ce:1c:76:3e:97:35:da:82:28:22:cc:ac:62:22:
- d7:0d:8d:38:44:c0:de:29:ca:15:b9:13:39:81:04:
- 4b:0d:71:9f:ff:1c:36:4e:2e:57:54:85:83:f4:f4:
- a8:f9:bb:f5:a5:66:b1:9a:40:a2:1a:33:5e:b2:37:
- 31:a5:73:fb:f4:39:fe:d1:52:ec:f2:b1:fc:84:1a:
- c7:2b:98:81:e3:62:ae:51:e6:5b:6e:c4:f9:ff:c0:
- e4:64:88:3a:c1:a2:20:95:3c:71:c6:eb:da:d3:de:
- aa:42:98:1f:e9:da:06:fc:f9:0d:23:1c:8b:ae:3e:
- ee:6c:b8:ac:a1:a3:da:c9:21:8d:c4:48:26:23:8e:
- 40:44:55:dc:0b:fc:b8:a7:0c:c8:4b:f6:21:7a:1e:
- 57:ff:1c:ce:a7:e3:8a:c4:26:02:93:f3:e8:4a:45:
- a5:3e:02:5b:25:6b:f8:58:1b:ce:18:3e:da:62:86:
- 34:ff
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 CRL Distribution Points:
-
- Full Name:
- URI:http://localhost:8186/MyRootCA.crl
-
- X509v3 Basic Constraints:
- CA:FALSE
- X509v3 Key Usage:
- Digital Signature, Non Repudiation, Key Encipherment
- Signature Algorithm: sha512WithRSAEncryption
- c8:28:31:d7:11:ba:e1:ea:b0:18:ec:74:6b:66:7d:da:31:1f:
- 2a:a2:c4:e8:af:a2:ba:92:56:d9:7b:f4:fe:e1:20:5c:5c:5e:
- 3f:39:31:0a:b3:a5:19:f0:60:86:ef:98:eb:e1:c7:1a:1d:0a:
- 51:d6:25:9b:29:a4:71:9d:da:d6:cf:96:82:07:ca:38:71:62:
- 93:6b:b1:44:87:49:42:28:66:53:34:f1:fa:3e:48:49:ed:2a:
- ed:56:b2:49:cb:5b:0c:46:59:68:2d:d9:95:47:c4:0c:fa:57:
- 93:e1:0b:52:ed:75:2a:fe:a9:e7:e7:a3:c8:68:7a:fc:14:92:
- 8b:8b:34:94:28:f1:23:7b:2c:bd:26:48:fe:bf:6e:ec:71:9b:
- 43:e8:e3:64:48:36:af:9e:8e:bd:e5:c7:b2:76:a5:c6:ca:98:
- 22:6b:aa:93:82:fd:cf:6b:08:df:40:43:fc:03:1a:12:12:85:
- 8e:dc:d2:06:80:cd:d9:ba:fd:f8:4e:3f:8a:99:46:db:df:67:
- c2:67:b5:39:96:a5:71:12:be:03:f1:99:c0:b9:df:51:b5:37:
- dd:a7:5a:75:32:a0:da:d7:09:83:1b:96:30:81:0e:b4:9d:10:
- 81:cc:05:65:a8:e6:3f:2a:de:b5:d3:6e:d3:ed:4a:a0:e3:a2:
- 56:ea:ef:3a
------BEGIN CERTIFICATE-----
-MIIDdjCCAl6gAwIBAgICEjcwDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMCQ0Ex
-EDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFDTUUxETAPBgNVBAMMCE15Um9v
-dENBMB4XDTIwMDExNzEyMTQwMFoXDTI0MDExNzEyMTQwMFowajELMAkGA1UEBhMC
-Q0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRvMQ0wCwYDVQQKDARhY21l
-MQwwCgYDVQQLDANhcnQxHzAdBgNVBAMMFmFsbG93ZWRfYnlfY2FAYWNtZS5vcmcw
-ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCuQ8g71Qh8aW9Ilr2uz9mr
-9jpoZOb1VxRFQkDlxX+XbRNP0SYoFA0w5Z5VZ7g6fdiNtJ4H8GLklWNBuQQrU1GG
-RjYlb4JgdOCBc8POHHY+lzXagigizKxiItcNjThEwN4pyhW5EzmBBEsNcZ//HDZO
-LldUhYP09Kj5u/WlZrGaQKIaM16yNzGlc/v0Of7RUuzysfyEGscrmIHjYq5R5ltu
-xPn/wORkiDrBoiCVPHHG69rT3qpCmB/p2gb8+Q0jHIuuPu5suKyho9rJIY3ESCYj
-jkBEVdwL/LinDMhL9iF6Hlf/HM6n44rEJgKT8+hKRaU+Alsla/hYG84YPtpihjT/
-AgMBAAGjTzBNMDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9sb2NhbGhvc3Q6ODE4
-Ni9NeVJvb3RDQS5jcmwwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwDQYJKoZIhvcN
-AQENBQADggEBAMgoMdcRuuHqsBjsdGtmfdoxHyqixOivorqSVtl79P7hIFxcXj85
-MQqzpRnwYIbvmOvhxxodClHWJZsppHGd2tbPloIHyjhxYpNrsUSHSUIoZlM08fo+
-SEntKu1WsknLWwxGWWgt2ZVHxAz6V5PhC1LtdSr+qefno8hoevwUkouLNJQo8SN7
-LL0mSP6/buxxm0Po42RINq+ejr3lx7J2pcbKmCJrqpOC/c9rCN9AQ/wDGhIShY7c
-0gaAzdm6/fhOP4qZRtvfZ8JntTmWpXESvgPxmcC531G1N92nWnUyoNrXCYMbljCB
-DrSdEIHMBWWo5j8q3rXTbtPtSqDjolbq7zo=
------END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.csr b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.csr
deleted file mode 100644
index f2a51e4..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.csr
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICrzCCAZcCAQAwajELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQH
-DAdUb3JvbnRvMQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxHzAdBgNVBAMM
-FmFsbG93ZWRfYnlfY2FAYWNtZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
-ggEKAoIBAQCuQ8g71Qh8aW9Ilr2uz9mr9jpoZOb1VxRFQkDlxX+XbRNP0SYoFA0w
-5Z5VZ7g6fdiNtJ4H8GLklWNBuQQrU1GGRjYlb4JgdOCBc8POHHY+lzXagigizKxi
-ItcNjThEwN4pyhW5EzmBBEsNcZ//HDZOLldUhYP09Kj5u/WlZrGaQKIaM16yNzGl
-c/v0Of7RUuzysfyEGscrmIHjYq5R5ltuxPn/wORkiDrBoiCVPHHG69rT3qpCmB/p
-2gb8+Q0jHIuuPu5suKyho9rJIY3ESCYjjkBEVdwL/LinDMhL9iF6Hlf/HM6n44rE
-JgKT8+hKRaU+Alsla/hYG84YPtpihjT/AgMBAAGgADANBgkqhkiG9w0BAQ0FAAOC
-AQEABftyaBKWipsliFRs8LYjFnKbGkc1vOJNHfr1Upa0JhxhEXXOr0fJ+q1moY6a
-9QdYOuZ3iM5M3B3L7aYM9wXSKkSyujRl/S2hDlaMuXVXHYvL+e6t1REe4lSCKZRV
-OfdpPWUCW35WhuE9M0h6hAnb+HLsxc3OPQo8KH4yQkSyh4aPj20X0WXp1QrvfpVL
-fzicwCaxJET8rcu3gduXqysD2IkHnbx4OX0JsqgDuVnjRRtL800UJ/YDJcuobUpp
-/euptiVCaO+q6W2l46GA2e6bQuCxv1+o5M4U2JH0Chldx2yTMnAgFtV+E1JtrzVS
-jObVTUz819aBFrzwL6OIcQEvUw==
------END CERTIFICATE REQUEST-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.jks b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.jks
deleted file mode 100644
index dae314d..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.jks
+++ /dev/null
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.self.crt
deleted file mode 100644
index 7129f68..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.self.crt
+++ /dev/null
@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDtTCCAp2gAwIBAgIUA/JhLTYgfW18ejOVXRiPJdhGoFswDQYJKoZIhvcNAQEN
-BQAwajELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRv
-MQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxHzAdBgNVBAMMFmFsbG93ZWRf
-YnlfY2FAYWNtZS5vcmcwHhcNMjAwMTE3MTIxNDAwWhcNMjAwMjE2MTIxNDAwWjBq
-MQswCQYDVQQGEwJDQTELMAkGA1UECAwCT04xEDAOBgNVBAcMB1Rvcm9udG8xDTAL
-BgNVBAoMBGFjbWUxDDAKBgNVBAsMA2FydDEfMB0GA1UEAwwWYWxsb3dlZF9ieV9j
-YUBhY21lLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5DyDvV
-CHxpb0iWva7P2av2Omhk5vVXFEVCQOXFf5dtE0/RJigUDTDlnlVnuDp92I20ngfw
-YuSVY0G5BCtTUYZGNiVvgmB04IFzw84cdj6XNdqCKCLMrGIi1w2NOETA3inKFbkT
-OYEESw1xn/8cNk4uV1SFg/T0qPm79aVmsZpAohozXrI3MaVz+/Q5/tFS7PKx/IQa
-xyuYgeNirlHmW27E+f/A5GSIOsGiIJU8ccbr2tPeqkKYH+naBvz5DSMci64+7my4
-rKGj2skhjcRIJiOOQERV3Av8uKcMyEv2IXoeV/8czqfjisQmApPz6EpFpT4CWyVr
-+Fgbzhg+2mKGNP8CAwEAAaNTMFEwHQYDVR0OBBYEFBqvhbkUgk3fCKONHHOGxRLU
-FefzMB8GA1UdIwQYMBaAFBqvhbkUgk3fCKONHHOGxRLUFefzMA8GA1UdEwEB/wQF
-MAMBAf8wDQYJKoZIhvcNAQENBQADggEBAEgQYqFZBnZ3PJN/LP/S9dR3PDYp2YkW
-n8DSwpj+cP+Gt4kPydRSKl5DdV+eYd6cZ4xF2P6/peZCKYgYZkmbEWIYD87C7J+T
-rpcT1M4u7ACk5QfwoGAZFbTqy6iK3yFqQ/V7YvTjLAx8wqICqrDoed8GTgJ1AmWE
-GCIz3D/8e/ml+Sp+MVRi4KNVfA6zK/e29oswmQxYXmMCXswwHuAmsDoXKS9PYvX7
-Ho035mFmR+yhBnPHX9deuAsTifiiw1TCczq1K4SPX6exXw38nZwLVHErYnaypqP0
-pJNqTIBGlr6K0tryTA83tQVAIJqL2fVlfNUKxuHPOVyGkJcGlCPxjKw=
------END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.self.key
deleted file mode 100644
index c465086..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.self.key
+++ /dev/null
@@ -1,30 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIWa+PHUaIhGECAggA
-MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECEV7nV0bqTYVBIIEyNROaXQgS6RZ
-mSJcMeFAINaeZytR/Fq/vdlYE8qsnToVuySFqVft76Q1ZIs5ZsmwAPZxF6rAQZ9z
-9WsIVV7ZTZPCndP7R3/V1h11YGJpklu/wFDNPgkhJiP39A4gv99nWqdjPh3k6rJk
-5rshuHiVuPQ+lQxCJMnNNBzse1NAf7aCq3DONUAYrbxOPQODGAk9ilZtSirVNeCK
-8s9TwPi5vWaxkdgMkb8l+CtXKAYMIGXwslr4cs/02pOSSKMeSYn118aE05yRVI5a
-QrF6yk07huT94ZnVd7DS5sts1/igJk72mGc4zqAP7k2USYkvvzQ6/Lzt6jmdxlaV
-ovTnMpvrnS8Vt/27+XxH64cSC2of8a1N7nHKR/mjwzXwFfCqx36AAKNsnGpbX2vE
-PYgsMCAJrZY8DTgGnBKzJZTSbjfpeVDcWKrZtCIpcUCtHfzibwwo7FoFVi9f4Exq
-S+FkK1VX4JnWWxhNXKbUWWV24se/1NejY5op8TvunrT4xamV81v+Y3rAhORxZzZo
-QooLLY0EZVVGRA0qbg4TQZ87G4wxTKbeLv/vkJYt4+ElEkJZEm+f1U3OBKzBVC2h
-sA0bSo+vB7n322VMZQkGVXi3MCiJBlQYM2Dcp4+gC0GfkJhuNStp/QvfRIjjo+tR
-+aP0/8dkdDaUSe7gUp+1du+bA4YhcdX06diHD0VZrFKOhfR9EJ4lGjlObCA/V6aA
-WGtinv/yglGv1ajX1/9PcKsbFh3uP9eDM2U1wGbkJIYbw9ttABS9IEGi2Gr7QcLh
-273v5H346t9aXOCk0D14qEe3fRZCHWYsFkIytSQy9iHFmn67XnROoAicKIktUtSK
-j5rnGz8NcY7lQNElcEdAcogd50vyBy8Xn/Y29vl8CcyP6Mh6WIgnF/QuJo0+A6lH
-T57lmQ7aQYQuqNk3TeSSpRU2ADY6OldxrUIarrhoV+K3CLNhoI/Ch/7jbPfv6Z2s
-IwfOr7uOsA1YoLYHuV4hn8X2EMOONpcH57zNnQdCDzMJO6E92ElpqmyKkos5uDe7
-dIVFEpQ/9oeLgc00izZtQjkiI6ar1Dk7jkqAUAELsPcw8pwklqVy90ku1wgUl4BQ
-TR/Sk+HqOj9epQfUOBWi0zz3F8kkOo6Y/1JtzMFp9xauInr4oFssJ0A+kRypLL4V
-LrPi59SgHwwNTacivYjoeT2UH2mTCc7MfS6z3czwn/Ds/c6WfKYxNA4WLlOTJV+v
-4Y4aE0a9GTlGIXYTyP+l7T40MaDhTLfnhqi74TBN8QQNnxcLLcVY9sUREdJHbDgQ
-o5GjffduqezL94D1ENLO2ekIspjgpsGnFp1Us9A53CeDdo/P0/OcLeNfUlun8yWm
-fKG7vwW/lQw3jc6G5xKTO70HR3V3VLWP297gdMMZBiD1byY6Sk52Xz9hShr7DoEg
-l5L0vkhK1MjGYfxmlL4j94XZ1VhE/xni/rDeq/mK+MjmJ68G1yBn6dv62py3g5Qk
-tnl6Rg2tho6M6IOr9KGJxkooqjj/ruyWqp+NePYqFq9hU0wwQ7kuJ6ASulkJRShD
-fcg59h1HkTkCpnPPA3fmkxdDy3umOW7maZnLVjf0Nmt0BOA+jg2V0KK83kuJCqlz
-cBTyMqk8rkW1zR2YuVr+TQ==
------END ENCRYPTED PRIVATE KEY-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.crt b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.crt
deleted file mode 100644
index f884155..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.crt
+++ /dev/null
@@ -1,81 +0,0 @@
-Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number: 4666 (0x123a)
- Signature Algorithm: sha512WithRSAEncryption
- Issuer: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=intermediate_ca@acme.org
- Validity
- Not Before: Jan 17 12:14:01 2020 GMT
- Not After : Jan 17 12:14:01 2024 GMT
- Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=allowed_by_ca_with_intermediate@acme.org
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- RSA Public-Key: (2048 bit)
- Modulus:
- 00:c9:ec:61:2e:56:70:b4:b4:32:52:6b:62:c6:cd:
- 64:87:65:e1:71:3b:87:fb:eb:dd:77:98:8e:44:aa:
- 6d:df:2d:22:78:0a:9a:54:87:bf:23:28:cd:9e:64:
- fa:2d:40:ef:e3:09:37:be:12:65:aa:3f:4e:ef:2e:
- 85:f1:19:42:00:79:51:95:a7:84:7a:9b:be:64:e3:
- f8:96:a7:5c:7a:ec:4b:4d:89:28:b2:2c:4f:e2:77:
- fd:26:48:84:07:63:db:e9:70:dc:aa:8e:74:05:23:
- 89:db:9d:79:20:5a:83:bd:bb:a8:1e:1e:e8:38:8a:
- c8:2e:19:5d:47:0f:ee:0c:7a:88:d7:15:62:60:73:
- b0:cb:a7:a0:c2:89:0a:7e:33:89:67:f3:93:3c:d2:
- 6b:90:f6:a6:6d:af:be:9d:38:2c:ae:b1:af:f0:23:
- 19:3e:2c:90:a2:ad:77:8e:d6:40:e7:65:40:54:2f:
- 5d:66:56:77:a1:71:47:13:d1:6d:d9:70:f9:14:c0:
- b4:5d:5d:32:7f:a2:af:49:45:7b:7c:44:c8:39:53:
- 61:0d:25:c7:1e:a0:a4:7d:d0:21:60:22:7f:ec:55:
- 36:af:87:30:fc:27:c5:a1:34:2a:a7:2a:b1:a3:9d:
- d8:18:88:d0:7e:53:49:2f:ea:6f:03:da:54:79:0c:
- 26:e3
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 CRL Distribution Points:
-
- Full Name:
- URI:http://localhost:8186/intermediate_ca.crl
-
- X509v3 Basic Constraints:
- CA:FALSE
- X509v3 Key Usage:
- Digital Signature, Non Repudiation, Key Encipherment
- Signature Algorithm: sha512WithRSAEncryption
- 17:7d:7c:c2:32:03:78:c5:76:87:37:54:38:c6:1f:f1:c6:05:
- 96:48:fb:f1:ad:da:41:76:7b:d0:cb:ee:7b:5d:78:9d:a6:b3:
- 75:32:85:37:91:d2:58:aa:a5:27:ac:71:4c:12:01:6c:14:19:
- 23:52:09:b9:13:3d:17:4d:a2:b0:56:95:38:66:a7:39:f2:b8:
- 78:50:2a:1d:12:63:46:1f:5e:d4:12:4b:f2:88:72:44:d9:43:
- 29:da:80:a0:14:0e:dd:d3:69:f3:ad:05:0e:bb:5a:5b:f4:aa:
- 06:5a:f5:8c:7f:78:ba:d3:50:e0:68:9f:11:b0:33:3c:f9:5c:
- 22:cd:70:68:ba:8c:39:92:e3:c4:88:1f:85:79:b5:1c:94:e1:
- 79:c9:56:4e:2c:1e:41:e8:fd:40:0e:61:46:dc:74:4b:f0:bf:
- 6d:e7:c1:34:fa:6a:fc:51:72:c5:a4:46:e0:db:94:09:4d:14:
- eb:88:41:bb:82:63:e2:8d:c8:f1:a3:69:49:1b:89:12:d7:f8:
- c1:7e:cc:90:70:80:2e:9d:e7:69:7f:80:46:f9:af:a2:19:ba:
- 02:40:1b:dc:b7:9f:ab:3e:06:b5:33:7b:61:57:8a:4a:b0:57:
- 2b:77:50:13:11:78:5f:62:45:b9:9b:21:2c:28:9b:44:2b:ef:
- 7f:e0:f4:18
------BEGIN CERTIFICATE-----
-MIIDujCCAqKgAwIBAgICEjowDQYJKoZIhvcNAQENBQAwbDELMAkGA1UEBhMCQ0Ex
-CzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRvMQ0wCwYDVQQKDARhY21lMQww
-CgYDVQQLDANhcnQxITAfBgNVBAMMGGludGVybWVkaWF0ZV9jYUBhY21lLm9yZzAe
-Fw0yMDAxMTcxMjE0MDFaFw0yNDAxMTcxMjE0MDFaMHwxCzAJBgNVBAYTAkNBMQsw
-CQYDVQQIDAJPTjEQMA4GA1UEBwwHVG9yb250bzENMAsGA1UECgwEYWNtZTEMMAoG
-A1UECwwDYXJ0MTEwLwYDVQQDDChhbGxvd2VkX2J5X2NhX3dpdGhfaW50ZXJtZWRp
-YXRlQGFjbWUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyexh
-LlZwtLQyUmtixs1kh2XhcTuH++vdd5iORKpt3y0ieAqaVIe/IyjNnmT6LUDv4wk3
-vhJlqj9O7y6F8RlCAHlRlaeEepu+ZOP4lqdceuxLTYkosixP4nf9JkiEB2Pb6XDc
-qo50BSOJ2515IFqDvbuoHh7oOIrILhldRw/uDHqI1xViYHOwy6egwokKfjOJZ/OT
-PNJrkPamba++nTgsrrGv8CMZPiyQoq13jtZA52VAVC9dZlZ3oXFHE9Ft2XD5FMC0
-XV0yf6KvSUV7fETIOVNhDSXHHqCkfdAhYCJ/7FU2r4cw/CfFoTQqpyqxo53YGIjQ
-flNJL+pvA9pUeQwm4wIDAQABo1YwVDA6BgNVHR8EMzAxMC+gLaArhilodHRwOi8v
-bG9jYWxob3N0OjgxODYvaW50ZXJtZWRpYXRlX2NhLmNybDAJBgNVHRMEAjAAMAsG
-A1UdDwQEAwIF4DANBgkqhkiG9w0BAQ0FAAOCAQEAF318wjIDeMV2hzdUOMYf8cYF
-lkj78a3aQXZ70Mvue114naazdTKFN5HSWKqlJ6xxTBIBbBQZI1IJuRM9F02isFaV
-OGanOfK4eFAqHRJjRh9e1BJL8ohyRNlDKdqAoBQO3dNp860FDrtaW/SqBlr1jH94
-utNQ4GifEbAzPPlcIs1waLqMOZLjxIgfhXm1HJTheclWTiweQej9QA5hRtx0S/C/
-befBNPpq/FFyxaRG4NuUCU0U64hBu4Jj4o3I8aNpSRuJEtf4wX7MkHCALp3naX+A
-Rvmvohm6AkAb3Lefqz4GtTN7YVeKSrBXK3dQExF4X2JFuZshLCibRCvvf+D0GA==
------END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.csr b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.csr
deleted file mode 100644
index 8ddce61..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.csr
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICwTCCAakCAQAwfDELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQH
-DAdUb3JvbnRvMQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxMTAvBgNVBAMM
-KGFsbG93ZWRfYnlfY2Ffd2l0aF9pbnRlcm1lZGlhdGVAYWNtZS5vcmcwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDJ7GEuVnC0tDJSa2LGzWSHZeFxO4f7
-6913mI5Eqm3fLSJ4CppUh78jKM2eZPotQO/jCTe+EmWqP07vLoXxGUIAeVGVp4R6
-m75k4/iWp1x67EtNiSiyLE/id/0mSIQHY9vpcNyqjnQFI4nbnXkgWoO9u6geHug4
-isguGV1HD+4MeojXFWJgc7DLp6DCiQp+M4ln85M80muQ9qZtr76dOCyusa/wIxk+
-LJCirXeO1kDnZUBUL11mVnehcUcT0W3ZcPkUwLRdXTJ/oq9JRXt8RMg5U2ENJcce
-oKR90CFgIn/sVTavhzD8J8WhNCqnKrGjndgYiNB+U0kv6m8D2lR5DCbjAgMBAAGg
-ADANBgkqhkiG9w0BAQ0FAAOCAQEAd3e3VVDF9/DEkkN2OblChD35ElxBO10cn9/h
-JdtcDLa6DRK/ke4wpA2GfXdyGTez/tsCaVFLC/D6toxPYYtqW60OqavVNwAB/pwY
-NpdU7b9MNP3m0Xl3Kecevj8l5y+2dqzQdccqpPZxagArbp6Q1Jq9IE/NTFrcJFOl
-3TUK5xlunjLUxc3z9wCInDWAJukLzjhWR4VLMyHSXnI9nrA71rkss0Jnp5CHPk16
-fal0DF35awqwThnHXjtHxxLpNutYdfQNLMc5ROzVPeJkRQ3M4N3nQLmm1Cya3z/B
-GfIKmFM17FRVnpV7UmuStRmvMWAceObm6onE4ZFEIVZKnZgCdw==
------END CERTIFICATE REQUEST-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.jks b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.jks
deleted file mode 100644
index b4e40d8..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.jks
+++ /dev/null
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.self.crt
deleted file mode 100644
index e124e38..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.self.crt
+++ /dev/null
@@ -1,23 +0,0 @@
------BEGIN CERTIFICATE-----
-MIID2TCCAsGgAwIBAgIUNnlaQs0dlbECoaCEl6BoAMhbdRYwDQYJKoZIhvcNAQEN
-BQAwfDELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRv
-MQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxMTAvBgNVBAMMKGFsbG93ZWRf
-YnlfY2Ffd2l0aF9pbnRlcm1lZGlhdGVAYWNtZS5vcmcwHhcNMjAwMTE3MTIxNDAx
-WhcNMjAwMjE2MTIxNDAxWjB8MQswCQYDVQQGEwJDQTELMAkGA1UECAwCT04xEDAO
-BgNVBAcMB1Rvcm9udG8xDTALBgNVBAoMBGFjbWUxDDAKBgNVBAsMA2FydDExMC8G
-A1UEAwwoYWxsb3dlZF9ieV9jYV93aXRoX2ludGVybWVkaWF0ZUBhY21lLm9yZzCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMnsYS5WcLS0MlJrYsbNZIdl
-4XE7h/vr3XeYjkSqbd8tIngKmlSHvyMozZ5k+i1A7+MJN74SZao/Tu8uhfEZQgB5
-UZWnhHqbvmTj+JanXHrsS02JKLIsT+J3/SZIhAdj2+lw3KqOdAUjidudeSBag727
-qB4e6DiKyC4ZXUcP7gx6iNcVYmBzsMunoMKJCn4ziWfzkzzSa5D2pm2vvp04LK6x
-r/AjGT4skKKtd47WQOdlQFQvXWZWd6FxRxPRbdlw+RTAtF1dMn+ir0lFe3xEyDlT
-YQ0lxx6gpH3QIWAif+xVNq+HMPwnxaE0KqcqsaOd2BiI0H5TSS/qbwPaVHkMJuMC
-AwEAAaNTMFEwHQYDVR0OBBYEFPjCNnLHyR9AJfM6BRMuGgmFF3dPMB8GA1UdIwQY
-MBaAFPjCNnLHyR9AJfM6BRMuGgmFF3dPMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
-hvcNAQENBQADggEBAMZES6PIFa3+peqB18Af82We4bxIHDSMnpkU518Uf/cSwKLl
-LKdSGbIX2dr2uiqJuNQwrSbQwe0O24WBeuFnv8VWwjQrHPqX7et7LT3mBthaW3qP
-beRz0CHvYg09plniqWaaxZ0o+XDoG5/vs1rwSXhKdB89hBLBgdXWnIu05ISicj3Q
-wFv7Aad8s+29qd83ZTq3GPiAGAlHzBZoGfORxgw8Zkl5J8wpDY2IzHoFK65TltIg
-vEhmxsaY2q9ogDPU1g3vXOryobUcZXCk6Wmq7/AQ8Yb6pVOHU+B1GBWlDK+88RkI
-sejtPiVWiQixQbZsgjF0kzcXdW+v83vnK9C7Ehs=
------END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.self.key
deleted file mode 100644
index 9768e71..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.self.key
+++ /dev/null
@@ -1,30 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIvh0cf2QI9TkCAggA
-MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECNBC7yqVSYFxBIIEyK44083ll8aW
-4B3wIWPEVbHexUgeHhPnyv8N89VB+sgl5ndKlm60/n83O2COdXEFrbUbyEaxEMII
-VvNVbY4G0BAbsY5qJfmiRNCKRc2OO4HRBI0dLrzcIYETtAtunmta3CbngRpSgNv2
-zPPGp06jEcrh285NGmL6+k4OkDkdOhLBIlSQadibNOWPpRSSmp93pjPUFSVdUarU
-2qZi1Xxd65iu8iNG00E9mYHvIesN2tGvWqH7+pAFWKLz2PxEMBjKS/wz0r2sqpAi
-u605tebtg2mKB16VpPLKHkGHjAJNehfBPAWpjrLLj+cdpAC6gU8hQZseZJRh4kr3
-DZvS6hSNPXKE6+mDosrj1CuyMOfOaqezgixY/3AihqGt/qgZXu5Fs4WepWPACDtH
-hHBPAc0DXFlC4E6B3Xb+HQWI0ADqI//sSip/UsDMpp5Z99EqA/0UgG6xNEcvyMJo
-/jHpSBeJZbKB+UXsPpwQQzMHzlqLZ0b0egB8U2Q383bNctNtWX5GOgs9WzHbrvXe
-Ia29s7kCima1r5JO+/fNzhRlgoENbxa31APNzdNfvHzvRRN7JGE1yS57aL8ZVXv5
-I+rg1ct71nIJ8SpfeP3fmib9NDw8QuwFZ1KfXuEp+Q2nHP7QGIpCbMJJqY7aAr0H
-m2KRUEQqrGv3XycU8VDveOPj2UR9JQANSZK5pwwcgL+jtEYo9AJxtnThePaPLi0f
-KNjkqd1/BictpdNu+o+jQS+REOVxqKR01XcjIsKe9b19qIBgxLwcaOMfaxulOe8e
-SOBUqsHOJmYxZ6IjeEVG2dGxDADdmFPBrfIQnAbRBEwgjSBMCP/h6elo0MRQ3LaX
-lmDmjCNlY1FHuSaAX5xWJ87Ui8y1Sx8vljOOYA6b2zoWoj8pmz7lZy4ChZaFb7sW
-WAE0O0e7DrwLvVfluVwRdQ6KcWBkILzVw+VLrQE1s8yAVc0mPtAyEpjaMpqlWpeE
-CngpUa1yaBcY17R/30aAYXGVxc2qoZBQuGkr4q2TQoElBk7ERyQ51a8TJ+bQ4DAp
-lLED5xLmED1F/TL8PaQhQuDVkaoIUPKwAnXjRWf11DImmuUm8ens9w9np0Na334P
-XcJ5zZq00FyXsUoYnuyvXulqRo+Sps67kcGjlK7t0cpvAaG5CbzEkJ3IcAzOcldA
-Nq1W/yd+RBdCqbcDUIFYWhdtJ6zDg0jTa8vUm/Pn8DZMQOB2tOn5TDvrT+4iy5Ng
-Y5xbvvWyXCWy4JdyoFoXjzXLChQA5YNd+P37UfJUT+R/l7GD84SiGdNtHsxP+Hnr
-KRDu4v0p32jKjY27U2GHRBVNPjR+GUgVcKa4WE84DAPfaJY2mep2gxhmYMg2YNR5
-/evAYC6AfVqrKahnXvAZ6cWLIAbdhOg+dbyj1KITuIZ7VUfpVrIeAx4/IBJ5nJbJ
-EC9/8uaswGXKqPdLM8sR9FEbq9r2WBVSuaVmMqwV7wcQwO+KBemeUPoeY/aEm6bj
-jD7AaMSFl67ouabm2pZdWz8as1qNImn0aR/3AW/Rusi/mVOweGd+WcC/GlIv5T0E
-eKnyOExk94ddyBqasKCewSPx0BV4ki1fX77yUbaDeJ4w8Ppw1dfJCc4VaQhJ5gNn
-uMU30mtTpiOBN9muNRrYCg==
------END ENCRYPTED PRIVATE KEY-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app1.crt b/qpid-test-utils/src/main/resources/ssl/certificates/app1.crt
deleted file mode 100644
index 867005d..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/app1.crt
+++ /dev/null
@@ -1,74 +0,0 @@
-Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number: 4660 (0x1234)
- Signature Algorithm: sha512WithRSAEncryption
- Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA
- Validity
- Not Before: Jan 17 12:13:51 2020 GMT
- Not After : Jan 17 12:13:51 2024 GMT
- Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=app1@acme.org
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- RSA Public-Key: (2048 bit)
- Modulus:
- 00:d9:72:36:d1:3a:19:ce:4a:c0:58:95:21:1a:9f:
- 90:e5:48:b9:06:e5:47:0c:8c:59:7d:45:9b:df:a7:
- 5f:5d:42:e9:62:c6:95:d6:63:e2:03:ae:29:1c:3f:
- a2:c5:89:32:72:b7:34:22:c8:fa:b5:c8:e4:59:47:
- 3d:3c:4d:cf:c6:00:bd:76:69:d7:b7:a0:1f:4c:ea:
- a3:fa:54:4d:cb:d8:c4:af:2c:57:5e:bf:c0:5a:a6:
- 58:bb:4d:c5:46:41:e3:ec:c8:0e:f3:2c:28:ce:37:
- 66:b9:7c:02:a1:7c:cd:95:16:96:b6:0d:9a:50:ed:
- e7:a0:25:c7:88:59:bb:46:dc:9e:61:8c:46:5f:8e:
- 6b:e4:ac:b2:4f:95:b2:b3:71:e5:5a:b9:2c:52:24:
- 15:d8:57:98:aa:b5:17:2c:58:61:9f:cb:79:83:1d:
- 2f:1f:73:37:b9:7a:ce:7d:f6:0c:74:26:24:fd:40:
- 7e:a9:4d:69:21:30:8f:1d:5d:40:98:54:33:44:4c:
- ae:14:f2:94:ab:d8:9f:93:9b:43:c4:12:96:0a:89:
- 65:b7:de:37:0c:69:16:96:89:91:45:85:20:b3:50:
- 44:89:29:ae:c9:8b:04:4b:a8:85:cd:6b:e6:7b:94:
- 44:2b:02:ad:8e:42:c3:3a:41:2d:60:d4:13:0c:6a:
- 47:73
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 Basic Constraints:
- CA:FALSE
- X509v3 Key Usage:
- Digital Signature, Non Repudiation, Key Encipherment
- Signature Algorithm: sha512WithRSAEncryption
- 48:74:83:6d:ee:96:77:ec:05:03:0d:63:9f:a7:4b:61:f9:c2:
- c7:06:3e:ca:5f:db:1d:2b:0f:d2:06:5d:13:e7:a6:9b:9c:28:
- 9a:d9:7b:e2:70:00:6b:f1:7c:a3:ce:82:84:c8:a8:cf:15:0c:
- b2:03:8e:ab:c1:47:4c:c4:d2:6e:2f:e6:f7:60:f1:f9:92:d2:
- f7:a5:60:a3:86:6b:a5:3f:95:ba:25:7a:2f:5c:b3:b2:30:44:
- c5:df:e4:fd:74:c0:44:f3:c6:43:a7:fd:06:ed:b9:ab:a5:fb:
- ce:9b:f2:5e:64:52:bc:bf:88:df:ca:d4:d5:e2:07:e9:86:15:
- ea:40:01:4f:6d:e4:ed:5b:25:dc:30:28:c5:e4:98:e3:ba:e5:
- 90:7a:4c:b5:d4:7c:ee:31:4d:64:bf:e9:c7:94:bb:87:88:3d:
- c5:e3:6c:ab:96:26:de:a9:a3:af:fa:ca:e0:04:e0:50:d1:a0:
- 40:79:26:8a:8e:bd:cd:f8:8d:58:14:2f:cf:17:48:5c:62:14:
- 02:c4:5f:61:18:1a:b3:6e:c4:a0:03:5d:33:00:5a:e7:09:74:
- 25:c9:9d:4a:cf:d3:5d:fe:4a:33:06:d7:ab:37:02:4f:5e:f3:
- 8e:82:cc:1a:5b:6e:99:b6:96:0e:b7:f9:d8:03:91:04:a6:f3:
- 22:84:85:b9
------BEGIN CERTIFICATE-----
-MIIDODCCAiCgAwIBAgICEjQwDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMCQ0Ex
-EDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFDTUUxETAPBgNVBAMMCE15Um9v
-dENBMB4XDTIwMDExNzEyMTM1MVoXDTI0MDExNzEyMTM1MVowYTELMAkGA1UEBhMC
-Q0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRvMQ0wCwYDVQQKDARhY21l
-MQwwCgYDVQQLDANhcnQxFjAUBgNVBAMMDWFwcDFAYWNtZS5vcmcwggEiMA0GCSqG
-SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZcjbROhnOSsBYlSEan5DlSLkG5UcMjFl9
-RZvfp19dQulixpXWY+IDrikcP6LFiTJytzQiyPq1yORZRz08Tc/GAL12ade3oB9M
-6qP6VE3L2MSvLFdev8Bapli7TcVGQePsyA7zLCjON2a5fAKhfM2VFpa2DZpQ7eeg
-JceIWbtG3J5hjEZfjmvkrLJPlbKzceVauSxSJBXYV5iqtRcsWGGfy3mDHS8fcze5
-es599gx0JiT9QH6pTWkhMI8dXUCYVDNETK4U8pSr2J+Tm0PEEpYKiWW33jcMaRaW
-iZFFhSCzUESJKa7JiwRLqIXNa+Z7lEQrAq2OQsM6QS1g1BMMakdzAgMBAAGjGjAY
-MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMA0GCSqGSIb3DQEBDQUAA4IBAQBIdINt
-7pZ37AUDDWOfp0th+cLHBj7KX9sdKw/SBl0T56abnCia2XvicABr8XyjzoKEyKjP
-FQyyA46rwUdMxNJuL+b3YPH5ktL3pWCjhmulP5W6JXovXLOyMETF3+T9dMBE88ZD
-p/0G7bmrpfvOm/JeZFK8v4jfytTV4gfphhXqQAFPbeTtWyXcMCjF5JjjuuWQeky1
-1HzuMU1kv+nHlLuHiD3F42yrlibeqaOv+srgBOBQ0aBAeSaKjr3N+I1YFC/PF0hc
-YhQCxF9hGBqzbsSgA10zAFrnCXQlyZ1Kz9Nd/kozBterNwJPXvOOgswaW26ZtpYO
-t/nYA5EEpvMihIW5
------END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app1.csr b/qpid-test-utils/src/main/resources/ssl/certificates/app1.csr
deleted file mode 100644
index 4fdf611..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/app1.csr
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICpjCCAY4CAQAwYTELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQH
-DAdUb3JvbnRvMQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxFjAUBgNVBAMM
-DWFwcDFAYWNtZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZ
-cjbROhnOSsBYlSEan5DlSLkG5UcMjFl9RZvfp19dQulixpXWY+IDrikcP6LFiTJy
-tzQiyPq1yORZRz08Tc/GAL12ade3oB9M6qP6VE3L2MSvLFdev8Bapli7TcVGQePs
-yA7zLCjON2a5fAKhfM2VFpa2DZpQ7eegJceIWbtG3J5hjEZfjmvkrLJPlbKzceVa
-uSxSJBXYV5iqtRcsWGGfy3mDHS8fcze5es599gx0JiT9QH6pTWkhMI8dXUCYVDNE
-TK4U8pSr2J+Tm0PEEpYKiWW33jcMaRaWiZFFhSCzUESJKa7JiwRLqIXNa+Z7lEQr
-Aq2OQsM6QS1g1BMMakdzAgMBAAGgADANBgkqhkiG9w0BAQ0FAAOCAQEAg+tk9HSB
-Gyf0fBAsiIO7+eMbZF0tlefffheB9PpqqiIs1/JodRTGqRVYLbtDCXH1TJwdUOvt
-7Gl/mvsatHtQdjnErBCdJP5y0xCzilv1hUIxWlq2yyu1hkXuPmRzqsUYKGMX0v45
-/U/ZpzMsBMtKi7wJIl66JCmXpYvT81ZVhQgVMhHzmiEpm/4KlTeeEWf7Jxj3UjRf
-+9aO2OQuOPSpHr+G6uNqGTWRV7NydA810cjBb18NEg9/XIcJj4/2TarX0SyDzBGv
-r6+gQRbf22hcyaDmcgt9vlw8SFs7TYwNXy4ictWd8MHYxGHiPe9D+MhzkJUTrBma
-1zG8+NNJ0DygLw==
------END CERTIFICATE REQUEST-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app1.jks b/qpid-test-utils/src/main/resources/ssl/certificates/app1.jks
deleted file mode 100644
index b421e69..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/app1.jks
+++ /dev/null
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app1.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/app1.self.crt
deleted file mode 100644
index 63b33ae..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/app1.self.crt
+++ /dev/null
@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDozCCAougAwIBAgIUYSaDt/eFmu0ZczpaY+2K7kJc4eEwDQYJKoZIhvcNAQEN
-BQAwYTELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRv
-MQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxFjAUBgNVBAMMDWFwcDFAYWNt
-ZS5vcmcwHhcNMjAwMTE3MTIxMzUxWhcNMjAwMjE2MTIxMzUxWjBhMQswCQYDVQQG
-EwJDQTELMAkGA1UECAwCT04xEDAOBgNVBAcMB1Rvcm9udG8xDTALBgNVBAoMBGFj
-bWUxDDAKBgNVBAsMA2FydDEWMBQGA1UEAwwNYXBwMUBhY21lLm9yZzCCASIwDQYJ
-KoZIhvcNAQEBBQADggEPADCCAQoCggEBANlyNtE6Gc5KwFiVIRqfkOVIuQblRwyM
-WX1Fm9+nX11C6WLGldZj4gOuKRw/osWJMnK3NCLI+rXI5FlHPTxNz8YAvXZp17eg
-H0zqo/pUTcvYxK8sV16/wFqmWLtNxUZB4+zIDvMsKM43Zrl8AqF8zZUWlrYNmlDt
-56Alx4hZu0bcnmGMRl+Oa+Sssk+VsrNx5Vq5LFIkFdhXmKq1FyxYYZ/LeYMdLx9z
-N7l6zn32DHQmJP1AfqlNaSEwjx1dQJhUM0RMrhTylKvYn5ObQ8QSlgqJZbfeNwxp
-FpaJkUWFILNQRIkprsmLBEuohc1r5nuURCsCrY5CwzpBLWDUEwxqR3MCAwEAAaNT
-MFEwHQYDVR0OBBYEFDYEXqxKZ8d1O/lU0TTKZlwxBGPQMB8GA1UdIwQYMBaAFDYE
-XqxKZ8d1O/lU0TTKZlwxBGPQMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEN
-BQADggEBALif7Y38a6ReCr+T/ZinfDpBySzVSFQXIqtz//hevSnkTHeVDlVl3Hn9
-gySwZvZ1pppJJVa8e16ogi1ohZI/EigxL39LxTKF+KdPldM2CCTT9BXu1COacjwD
-nSvwoCHWy9i92H5IUL9OTh5fbpJ4Ju+pwKa/7/1B23azmQ/IPuAHe8/p16pLpcUF
-yYSX+h72gP2MKzKFojMwM4qV0UtJwAk9+F0697laptLuKqO8chAP5BJIRWf9H8nk
-RVXym7gWu5WOrzzqQwsKDQk++QypGrP+TF2CurPPgv2sr2p0SsNjmxvw6D06s/7Z
-PQPRnjhce4CF3krMgMp8Nhp2faQS8Ko=
------END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app1.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/app1.self.key
deleted file mode 100644
index 8fe81d7..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/app1.self.key
+++ /dev/null
@@ -1,30 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIMs/xmAFq910CAggA
-MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECFQMuA97cPERBIIEyAdrCuP9AqXI
-BbH4JYW+D602QDOVO6xxi2FEhVyhd8k8ClQzSf0/G504i6uJu9WDYytjHYYqK5VR
-ZMIHBnjJQ2DDFRn0A0wrWutzAbN4eYgbCUoMqKOv+GoV6kc6KOXuEXfZIDgPVPGT
-qSD7gBX/UZMRHbs507Z88xHlKvT0bdHfMG0lRryJqKskT7ryx5baWT5uPJKlskx/
-e7xvwmyfLBGiyA2DohXtUZiD+I4/jVdYvf/Fv8+oA1XW8rwhVhFB/+GigOmMHoqG
-CF10bbnlwq2S9/LyuNfnVBGX3qGiWcV6n7gGz0G3dx0hgcGWGzsIsx225DaL2ncO
-4mQ/1y1aUb6xfXdsvI6awyGbqSrkp/55uQGJz91b0s4nPi6wnxQiGKx01WGdb0bO
-wgZJWKS2sfWjOfoBIUe8tuebKbMUH8aZ5eQH1Ltd3PHDaSjRGVLJNSLiTJYmvNvi
-qh+A6zzxtJDLfBRNV0llAliTWXA1R9b/FOZiVS+nTEZGzuhSRt5EWMooLVe9amLf
-NcughTy/WguIQ3YfIsqkBfbMMmGPAf+ZPx25MpLL03vOUP33kZnyWIO+NMDmmhbx
-oHyxdAcVYZOPv2wf5hsEULn3gLNtODBoeYMovlBTni7peYZisgtiwoJGijIHsCYH
-vTnrsZx7yysY02U4PRou6XYt4NWikmPQQO1Jc8IDmfnn6mh0tTJDWRtO2Q7MGvMk
-aZzwB2Im6/+HA78g5uI+gIoTeVyCXfwoMslnfmhfbb5k3V4NdJF/4nyJi1UlpDuY
-rpJxSjbM9vObUcPTV8yM8zk3cOXjClqmWvv7uOW160pYHTjIyGY+RSKoZ4Hw+USo
-igfkucH2EGiDljmRjmfS4qvTxT/4Vexqj7Rxnz7qQ1enOpVtGwM67eKFiY77VXIF
-Ubm+GraXpNdoe+IJOH8ZlH/9fQO2qsu+d3k/7Gd8yl1nlagzDQSf9lGcCAvzWAD0
-FlbPJWxsMV7uAFtwNsk33VGOmVGiat7+E4o2UXa3LMGz9xwj0N5nSwWsUdVpbWtx
-fim2PvcOmDex0ERPkD7I2gI0MF5YEGJ/UQwIeOOfnrgtI87W19yZMBH5CtyKIs4d
-cQLhQUsQpc9QUA0eplH41wDJeSPoLiP1/4drOd/t9tOBU9TQLcOk5SiuTlvL7SII
-gw1clk1LGhDkqbVTG1dDyNFlJ4yiqYJ9SfW1vCTAAQvpa0t1aVISVEDqyAxdgtyL
-710+Nta62J1U2ErX8cXVUA+C1IWSYvR19KIAMArDYEHc7g5nsuOQ2PBKNqYUkXv5
-hBH1L+eYjuvxyy/K2ZizhELaCoZ5PSd18B0FbO2mt2qTe8RHPMgN83iUXoIXpaDw
-67s9h2lrYUWNWjOsDv0r7e7l7TwiODNU9IojKBPmzWcIi4ghmsN15SsvWcVeqm26
-mRK/cs5tChLEtllmzuxzZJ1BRE7XbghuWk9y69mbTaEc0o3zjyJFWHNSNCjq/iKc
-HSIauh/LPnHiFJmRxWwlDqUt1hbjlVp+1nFmMMbHlPZkW9dA+4O7rjG5b+8eA1zw
-cp98RXTesA8Sg45+uwUHr2MlH88TQNenaxW0RsJJALl2zuqUt3VZIu122ccXcj3Q
-Z2GhZP3EKpwXmoQEeiTwFg==
------END ENCRYPTED PRIVATE KEY-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app2.crt b/qpid-test-utils/src/main/resources/ssl/certificates/app2.crt
deleted file mode 100644
index 564fd86..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/app2.crt
+++ /dev/null
@@ -1,74 +0,0 @@
-Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number: 4661 (0x1235)
- Signature Algorithm: sha512WithRSAEncryption
- Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA
- Validity
- Not Before: Jan 17 12:13:52 2020 GMT
- Not After : Jan 17 12:13:52 2024 GMT
- Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=app2@acme.org
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- RSA Public-Key: (2048 bit)
- Modulus:
- 00:b7:16:85:6e:de:f5:77:42:63:ec:72:b8:e3:a9:
- 2f:b3:34:1a:68:5b:39:1b:74:8d:52:08:42:2f:a7:
- 30:84:10:96:7c:83:13:52:f3:ef:47:23:8e:25:4f:
- 32:2f:b8:1d:55:ec:fb:fb:95:75:9a:b5:04:83:67:
- 7b:58:0a:29:71:c7:2d:ee:9c:44:02:90:62:dc:1e:
- e4:d4:9e:c9:ac:3b:3e:74:cb:97:9f:c0:1b:ff:75:
- 36:9b:4c:db:da:3f:eb:40:6e:f8:1c:a9:01:54:02:
- f9:2f:1c:59:51:61:84:51:68:b0:64:2c:11:0c:2b:
- 08:22:9f:c1:00:06:36:15:02:bb:ad:9c:3b:b8:93:
- 15:59:cd:d7:62:80:9f:20:a4:a2:7d:46:a5:00:98:
- 16:20:48:49:be:08:d7:b2:9d:cf:40:3b:e2:a0:2d:
- be:bb:3d:e1:2b:cc:e4:f8:29:f0:a8:5b:cc:18:35:
- f7:13:a8:2e:16:32:65:35:94:73:7e:34:a3:97:65:
- 53:42:41:85:73:eb:36:8f:88:fc:4e:2d:79:ac:12:
- df:60:fc:49:d9:71:3f:88:f3:b4:21:66:4e:34:91:
- 6e:ca:5f:93:81:c6:f6:b8:b0:55:fd:73:bb:3f:4b:
- d3:2a:a9:d9:57:88:d1:4b:14:10:1e:d3:eb:fb:0c:
- b9:d3
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 Basic Constraints:
- CA:FALSE
- X509v3 Key Usage:
- Digital Signature, Non Repudiation, Key Encipherment
- Signature Algorithm: sha512WithRSAEncryption
- f0:b6:a8:e1:86:fd:b9:2c:1b:72:d1:0f:8c:10:97:d0:15:e5:
- cd:aa:4a:c0:71:fd:3d:48:fc:ca:d9:1e:53:06:c2:7f:a6:f8:
- 57:02:c3:7c:a9:1b:7c:17:d6:2e:48:50:8a:6b:ff:90:2e:19:
- 03:c7:b7:31:27:04:ce:8c:e0:2d:43:6d:ca:d6:bd:b3:c9:ea:
- 66:6e:48:d8:ca:1c:ca:ee:2c:41:58:40:08:55:0e:4c:38:4d:
- f6:16:14:fd:78:30:c6:73:88:cd:ba:ce:5d:25:df:cf:79:45:
- d7:b8:51:b9:c6:9d:db:8a:82:35:ac:09:ee:2e:73:7e:86:8d:
- 23:d0:39:16:40:5e:10:4b:ba:d9:63:18:b3:40:43:19:35:49:
- 5d:7b:55:0a:9e:3a:f3:ae:33:0e:9b:4f:d1:07:16:33:32:d7:
- 4f:c2:43:35:31:4d:e6:39:f2:8a:12:fa:6b:ab:4b:dc:aa:18:
- cb:db:df:b5:9f:58:ff:54:bc:de:af:c9:55:04:6a:60:47:68:
- 4d:18:15:51:2b:87:c3:aa:d9:86:f0:2d:42:ea:23:f8:30:59:
- c7:4f:5d:84:e9:b0:5c:35:a6:63:c4:e0:66:c7:d8:fa:2c:17:
- 50:af:59:a9:38:9a:d8:3b:53:e6:3e:ea:bd:c0:51:d3:e3:fd:
- 9d:3b:94:51
------BEGIN CERTIFICATE-----
-MIIDODCCAiCgAwIBAgICEjUwDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMCQ0Ex
-EDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFDTUUxETAPBgNVBAMMCE15Um9v
-dENBMB4XDTIwMDExNzEyMTM1MloXDTI0MDExNzEyMTM1MlowYTELMAkGA1UEBhMC
-Q0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRvMQ0wCwYDVQQKDARhY21l
-MQwwCgYDVQQLDANhcnQxFjAUBgNVBAMMDWFwcDJAYWNtZS5vcmcwggEiMA0GCSqG
-SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3FoVu3vV3QmPscrjjqS+zNBpoWzkbdI1S
-CEIvpzCEEJZ8gxNS8+9HI44lTzIvuB1V7Pv7lXWatQSDZ3tYCilxxy3unEQCkGLc
-HuTUnsmsOz50y5efwBv/dTabTNvaP+tAbvgcqQFUAvkvHFlRYYRRaLBkLBEMKwgi
-n8EABjYVArutnDu4kxVZzddigJ8gpKJ9RqUAmBYgSEm+CNeync9AO+KgLb67PeEr
-zOT4KfCoW8wYNfcTqC4WMmU1lHN+NKOXZVNCQYVz6zaPiPxOLXmsEt9g/EnZcT+I
-87QhZk40kW7KX5OBxva4sFX9c7s/S9MqqdlXiNFLFBAe0+v7DLnTAgMBAAGjGjAY
-MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMA0GCSqGSIb3DQEBDQUAA4IBAQDwtqjh
-hv25LBty0Q+MEJfQFeXNqkrAcf09SPzK2R5TBsJ/pvhXAsN8qRt8F9YuSFCKa/+Q
-LhkDx7cxJwTOjOAtQ23K1r2zyepmbkjYyhzK7ixBWEAIVQ5MOE32FhT9eDDGc4jN
-us5dJd/PeUXXuFG5xp3bioI1rAnuLnN+ho0j0DkWQF4QS7rZYxizQEMZNUlde1UK
-njrzrjMOm0/RBxYzMtdPwkM1MU3mOfKKEvprq0vcqhjL29+1n1j/VLzer8lVBGpg
-R2hNGBVRK4fDqtmG8C1C6iP4MFnHT12E6bBcNaZjxOBmx9j6LBdQr1mpOJrYO1Pm
-Puq9wFHT4/2dO5RR
------END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app2.csr b/qpid-test-utils/src/main/resources/ssl/certificates/app2.csr
deleted file mode 100644
index d97b9ff..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/app2.csr
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICpjCCAY4CAQAwYTELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQH
-DAdUb3JvbnRvMQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxFjAUBgNVBAMM
-DWFwcDJAYWNtZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3
-FoVu3vV3QmPscrjjqS+zNBpoWzkbdI1SCEIvpzCEEJZ8gxNS8+9HI44lTzIvuB1V
-7Pv7lXWatQSDZ3tYCilxxy3unEQCkGLcHuTUnsmsOz50y5efwBv/dTabTNvaP+tA
-bvgcqQFUAvkvHFlRYYRRaLBkLBEMKwgin8EABjYVArutnDu4kxVZzddigJ8gpKJ9
-RqUAmBYgSEm+CNeync9AO+KgLb67PeErzOT4KfCoW8wYNfcTqC4WMmU1lHN+NKOX
-ZVNCQYVz6zaPiPxOLXmsEt9g/EnZcT+I87QhZk40kW7KX5OBxva4sFX9c7s/S9Mq
-qdlXiNFLFBAe0+v7DLnTAgMBAAGgADANBgkqhkiG9w0BAQ0FAAOCAQEAYykrDIFO
-fbRXKcoh07aCAkW2KBX1L+wkCDWBQO2NQH0uvRducLHLQTF7EYjTUQ2WbOXDJLCT
-1NbtANvxU5xNJsforHGTZCGvQqMSMMlwe8mr82ttCMcQwGkmpq8FlGsD+3JpYZPI
-Yb20yvmXk2jIvCK44axyMgHUgHMdoT6BrX5YFC993gjfKu3CpEEIMuFidulM/vEY
-WiNhnlBBpHN3ijrWn8BVc81VI6jP0z23nKMYgayaGIZ7GQOI3Rmk/WIowU68D+Ac
-X4AhDZaofAGejybD2yABPE07/2IPHEXotWgKSHwDJCLU6VpUX3MePqLwDjA8tW8y
-jfmnHdB1vIy8NQ==
------END CERTIFICATE REQUEST-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app2.jks b/qpid-test-utils/src/main/resources/ssl/certificates/app2.jks
deleted file mode 100644
index 56d2a8a..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/app2.jks
+++ /dev/null
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app2.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/app2.self.crt
deleted file mode 100644
index c472d16..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/app2.self.crt
+++ /dev/null
@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDozCCAougAwIBAgIULw9lb2weHwTmE11idVFtoGtBm+YwDQYJKoZIhvcNAQEN
-BQAwYTELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRv
-MQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxFjAUBgNVBAMMDWFwcDJAYWNt
-ZS5vcmcwHhcNMjAwMTE3MTIxMzUyWhcNMjAwMjE2MTIxMzUyWjBhMQswCQYDVQQG
-EwJDQTELMAkGA1UECAwCT04xEDAOBgNVBAcMB1Rvcm9udG8xDTALBgNVBAoMBGFj
-bWUxDDAKBgNVBAsMA2FydDEWMBQGA1UEAwwNYXBwMkBhY21lLm9yZzCCASIwDQYJ
-KoZIhvcNAQEBBQADggEPADCCAQoCggEBALcWhW7e9XdCY+xyuOOpL7M0GmhbORt0
-jVIIQi+nMIQQlnyDE1Lz70cjjiVPMi+4HVXs+/uVdZq1BINne1gKKXHHLe6cRAKQ
-Ytwe5NSeyaw7PnTLl5/AG/91NptM29o/60Bu+BypAVQC+S8cWVFhhFFosGQsEQwr
-CCKfwQAGNhUCu62cO7iTFVnN12KAnyCkon1GpQCYFiBISb4I17Kdz0A74qAtvrs9
-4SvM5Pgp8KhbzBg19xOoLhYyZTWUc340o5dlU0JBhXPrNo+I/E4teawS32D8Sdlx
-P4jztCFmTjSRbspfk4HG9riwVf1zuz9L0yqp2VeI0UsUEB7T6/sMudMCAwEAAaNT
-MFEwHQYDVR0OBBYEFGRnSSgAdfPDfjACvy7JWsifafjeMB8GA1UdIwQYMBaAFGRn
-SSgAdfPDfjACvy7JWsifafjeMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEN
-BQADggEBADAWS3rkEAo9y3hsXRMy9nfEx0LIRzMILeRSCc87QlUKKxYGph9AQ0QJ
-JWljYjM0Dg11ByrNVBODL7E62MX3hWKxYRPv44J6jQgbg9pBINdxFR1MwvtRSYtz
-069YduP0Ws8FVB35U8dvSFOgOBWhXCh5QTPznkAmopPr/QQxcjQnPWWpmadjNc3x
-EBDwoHyigne+zBcUVQiaKgN2YbvTbB7WzEidHWrPOcXv7JH/PbZNfwGrG4SJLH92
-uvgBwyOi/dwplcTAfDE+PuRDLOBAyht30XCwpWHjG2HINx0N2esvG8g/v5J3USRo
-jU0wSLthobqjv6/mJkIAfdbkPSrY9p0=
------END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app2.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/app2.self.key
deleted file mode 100644
index 64544a9..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/app2.self.key
+++ /dev/null
@@ -1,30 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIEndyItP4BKwCAggA
-MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECBjmbsUCrUCTBIIEyDtTeDzGARWT
-w5X6wVjcwmvf/Vw2cczX8MUBWNkIHGSNTDHv6IlFxYA6SXCMy12OpaJiHr6CGp9A
-juyBn6C8AsKHxSgoMrImSt5RGRCQSSkq9bCpPGQR7/l6X+Z5yVG9XJYRxK6vXIG4
-mfkcIq2E5sV89v79aISvotXvTeVUfd++6CPahzpf6zZ6rKLp7AWIcZF5qQG+5Gdk
-1q5iOCcZtT04LQsAcEJCM8GQoXNDNTHwDvWi9DZ+yry0kTn0Lz8QMXOhVqf8gJKa
-/vded9cixbXk5QNQgFswZOSeEB7hWpT88VLoKl6VJOCGPERtyUMhwal/IvMX98Ad
-LDUBGd13WjP3EA3yAOI/W4V3TPJVJZD4xKgqhU+gnohfl1XU+evOu5+HxbDczAp1
-QyN0ni325c/jgXfcihN9AZrAviMz4GZLj55uTSmtCUaug8CCwRu5uxdmmA4BJCl1
-iFJmZzZIvqw5R9BIsu63/xHZYiYAvNDdIvBmJqPz2ka+vSWbGRT1bqkrpos/6LtU
-griby3OtfvyvNbWokQymDBHVxYZokio26UIrc4Z2IUsS0354J+GyOiZ0oFe1DfTs
-1taEQGgTWsfJpRs+xNjaImhPN5AJZRKLgzsOqXLZofYiv/Rexq1AaZTGMzr6xt3Y
-QL0+q7KJ3DBAQxkST4ARo6bVNb9MPgOjXDpvvjJOfbuwR1jlgSHBFM4OBEEI5xV3
-avurI3pE+GnXY+lJCeuSwATnxeUJoHzcUn6QmdkB8Li20ovzXJs8PgBq/dD2rG4d
-tkMUnwsd0dwmYaDVstM9awkP1+EvzZ2O3wiHzqE2jE1bRNIj+8bKSWxSCrF9tGi1
-YCDLCGk0BTaNCaaIFFxNTxgE81GsrgqQvfLCsUljF04Lbj/ZvzcLdW82FkFSjUBa
-Z7sXwq8NOJsGjVp8Akwf4Z702PZVnj/lV25PLj53ayRcvnO2PLkLdwdVLJyFt6ES
-CelAz1d2ejww1NKj+ipJuQ9Yun1d+21HBLQGYCnST/rzet+JcuQMw0QIQBvVioLZ
-KS1V/yi/u5Rvos7x3RQyIJITY4HP9tvTKftdIW3M5nEkMNuHHAcZUrv83YJkzt1T
-1Sd/qVOupGHA/DYvUVPn0v48XxRjWF/jpf1Jdd4EeuYIYRmZH0I3wRvuc0qyT6nV
-CxoART7gzaLeWYLx67gaSguojYbCzWRnBSBAq/Wy2fcHMKZ7DywMWJwn0dqofeuM
-ZABB2jWKGuHLrM3wfzcGJLIlaHG0RESn8ThqwMODRaqTgxQP0y4E2CabDSeco6fK
-g8InlTKlHxB6u2AcDpPTeBh9om7AXvs7iT0rWrhEU7FxCr7NjAHaQBMmltS4uv9q
-wNZ0uqg++s5wIr9dzkBNjEJvk89HKtkLwYQgie9OdbaQEz0xV3S06ChvaH0nXtQu
-+/K4Gw2yR8mLA3TCHSlNe/q5daRNhjXzmX2erK5u8UsZFU6Ln6M+kvbYvtlG6rSR
-N7njPcUwCa+juvP8LxQEJUE3OgWeLM/0S2LiJz69XnCHz886VAoMETIs7sgfI0lP
-I2qgD/sB7eFgsPPstZyIf41PVssf+03vZ8lCLUqnZuDLLZO/l//CDRdBWIZvJ8pk
-pRdP0ZJdSqZryf9eSBfnRQ==
------END ENCRYPTED PRIVATE KEY-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker.crt b/qpid-test-utils/src/main/resources/ssl/certificates/broker.crt
deleted file mode 100644
index ca6dc2f..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/broker.crt
+++ /dev/null
@@ -1,74 +0,0 @@
-Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number: 4662 (0x1236)
- Signature Algorithm: sha512WithRSAEncryption
- Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA
- Validity
- Not Before: Jan 17 12:13:57 2020 GMT
- Not After : Jan 17 12:13:57 2024 GMT
- Subject: C=CA, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=localhost
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- RSA Public-Key: (2048 bit)
- Modulus:
- 00:d2:28:a5:31:6e:85:97:8a:39:c0:8a:21:ab:bf:
- cf:93:39:03:cb:63:6b:f3:47:6d:3f:50:24:06:bb:
- 3d:25:14:cc:b2:d3:50:62:1a:71:18:5a:98:97:8f:
- fa:45:70:ca:b8:98:9c:60:78:03:c8:a7:2a:b2:d7:
- 53:e3:b2:71:52:b0:7a:0f:12:42:63:a7:2f:d9:c0:
- bc:50:da:5b:3c:52:ac:bf:fa:6e:c4:80:f7:b7:e2:
- e9:53:53:55:95:24:72:de:63:2f:59:dd:8e:8a:13:
- 11:17:44:03:41:c0:95:f9:8b:dc:05:e9:1e:ab:3b:
- 72:e8:b1:5c:c0:0a:ed:c9:11:6e:30:79:65:71:e8:
- 3d:2c:c0:0a:5c:dc:92:22:1b:f7:06:2e:f4:7d:1f:
- ea:c5:a5:57:91:1d:f2:f6:44:f1:bd:25:f2:1d:fe:
- a0:68:d1:38:7e:5f:0a:5d:37:47:f9:ca:9b:c0:0c:
- a9:ae:7f:e4:0b:cd:85:e5:8b:91:6e:35:74:f7:6b:
- 04:a3:10:67:1c:fd:bf:c2:1c:2a:dc:a7:04:93:98:
- 48:03:cc:8f:fc:d7:65:8c:d1:9f:07:63:0b:04:86:
- 01:d7:37:c7:a2:6d:4e:04:cb:a0:2f:ea:23:2a:59:
- ff:f0:b7:16:fc:fb:56:9c:4a:2f:e2:8b:3f:ad:25:
- 53:19
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 Basic Constraints:
- CA:FALSE
- X509v3 Key Usage:
- Digital Signature, Non Repudiation, Key Encipherment
- Signature Algorithm: sha512WithRSAEncryption
- dc:c9:fd:ca:91:81:b8:18:33:c5:bb:0d:f0:cf:88:ba:92:21:
- 73:1f:9d:bb:98:9b:e6:09:fd:92:ff:c2:58:23:01:97:a4:09:
- 8b:d7:63:b6:63:f4:fd:96:f7:ef:5a:f3:be:15:92:72:15:2c:
- 7c:e7:d5:e1:13:cc:70:19:87:c5:c9:13:83:7c:28:ad:02:16:
- 11:6a:ab:b6:80:41:ca:6e:5b:89:48:42:27:74:e3:44:a1:51:
- 3b:f3:e0:b9:11:45:75:f8:d1:eb:9a:1d:04:7c:e1:26:be:55:
- b5:98:d5:0b:38:24:67:78:3e:f0:52:5a:2c:72:77:02:0a:78:
- f5:73:24:26:73:c6:1a:62:8c:e1:5d:61:71:40:e7:1f:de:f6:
- 39:a4:c5:84:c8:b6:d8:2f:b1:1d:19:bf:25:75:9f:1f:a9:7d:
- 09:52:80:dc:6c:8a:40:d9:cc:cb:99:db:e8:85:6b:dc:49:fd:
- 68:2e:71:d1:a8:ad:10:cb:28:1a:cd:04:c6:63:cf:11:30:18:
- 7c:4f:71:f3:70:84:ed:8d:e8:b8:2e:df:b2:a3:7d:68:64:28:
- 26:5c:1f:ec:1e:db:90:09:7f:40:cd:55:bd:1b:27:bd:34:6f:
- 82:9b:a9:83:fb:0a:67:66:50:32:5d:c6:06:82:cc:83:35:22:
- ee:88:7d:b8
------BEGIN CERTIFICATE-----
-MIIDQDCCAiigAwIBAgICEjYwDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMCQ0Ex
-EDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFDTUUxETAPBgNVBAMMCE15Um9v
-dENBMB4XDTIwMDExNzEyMTM1N1oXDTI0MDExNzEyMTM1N1owaTELMAkGA1UEBhMC
-Q0ExEDAOBgNVBAgMB1Vua25vd24xEDAOBgNVBAcMB1Vua25vd24xEDAOBgNVBAoM
-B1Vua25vd24xEDAOBgNVBAsMB1Vua25vd24xEjAQBgNVBAMMCWxvY2FsaG9zdDCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANIopTFuhZeKOcCKIau/z5M5
-A8tja/NHbT9QJAa7PSUUzLLTUGIacRhamJeP+kVwyriYnGB4A8inKrLXU+OycVKw
-eg8SQmOnL9nAvFDaWzxSrL/6bsSA97fi6VNTVZUkct5jL1ndjooTERdEA0HAlfmL
-3AXpHqs7cuixXMAK7ckRbjB5ZXHoPSzAClzckiIb9wYu9H0f6sWlV5Ed8vZE8b0l
-8h3+oGjROH5fCl03R/nKm8AMqa5/5AvNheWLkW41dPdrBKMQZxz9v8IcKtynBJOY
-SAPMj/zXZYzRnwdjCwSGAdc3x6JtTgTLoC/qIypZ//C3Fvz7VpxKL+KLP60lUxkC
-AwEAAaMaMBgwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwDQYJKoZIhvcNAQENBQAD
-ggEBANzJ/cqRgbgYM8W7DfDPiLqSIXMfnbuYm+YJ/ZL/wlgjAZekCYvXY7Zj9P2W
-9+9a874VknIVLHzn1eETzHAZh8XJE4N8KK0CFhFqq7aAQcpuW4lIQid040ShUTvz
-4LkRRXX40euaHQR84Sa+VbWY1Qs4JGd4PvBSWixydwIKePVzJCZzxhpijOFdYXFA
-5x/e9jmkxYTIttgvsR0ZvyV1nx+pfQlSgNxsikDZzMuZ2+iFa9xJ/WgucdGorRDL
-KBrNBMZjzxEwGHxPcfNwhO2N6Lgu37KjfWhkKCZcH+we25AJf0DNVb0bJ700b4Kb
-qYP7CmdmUDJdxgaCzIM1Iu6Ifbg=
------END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker.csr b/qpid-test-utils/src/main/resources/ssl/certificates/broker.csr
deleted file mode 100644
index d459aab..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/broker.csr
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICrjCCAZYCAQAwaTELMAkGA1UEBhMCQ0ExEDAOBgNVBAgMB1Vua25vd24xEDAO
-BgNVBAcMB1Vua25vd24xEDAOBgNVBAoMB1Vua25vd24xEDAOBgNVBAsMB1Vua25v
-d24xEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
-AQoCggEBANIopTFuhZeKOcCKIau/z5M5A8tja/NHbT9QJAa7PSUUzLLTUGIacRha
-mJeP+kVwyriYnGB4A8inKrLXU+OycVKweg8SQmOnL9nAvFDaWzxSrL/6bsSA97fi
-6VNTVZUkct5jL1ndjooTERdEA0HAlfmL3AXpHqs7cuixXMAK7ckRbjB5ZXHoPSzA
-ClzckiIb9wYu9H0f6sWlV5Ed8vZE8b0l8h3+oGjROH5fCl03R/nKm8AMqa5/5AvN
-heWLkW41dPdrBKMQZxz9v8IcKtynBJOYSAPMj/zXZYzRnwdjCwSGAdc3x6JtTgTL
-oC/qIypZ//C3Fvz7VpxKL+KLP60lUxkCAwEAAaAAMA0GCSqGSIb3DQEBDQUAA4IB
-AQCteBfB/t9udR7E2RYZHdSICnrrXC7oOcMbNXv/eq2FtHV5XnqglvGsyzzHkE2/
-aGqZUvyOJqrA+m2QCg0Qtq6WvDV10Qbaebr921tQMlVQxeLd/AkGBZOC0Z9Wi+ne
-r/9ODUm/MBp3PbiKOdEhb3gXIsa+CqSHl6qaCtwIcGtY2UW/jr078H0eTML0rh6C
-+BW275y6ApXSiSS5IKrCd6Dfto7Vh0ZakCIOmz3cCM3+VGTn0cXF6mFDyu7bA6gw
-8QdBET9nzbyrwfnH/vSVh5YxNHIj+A1NZlphHyJslYaW4lg2GAbGsdqAK1dW11Ph
-OGI7Qjr59HrsFYjFRr4+42Se
------END CERTIFICATE REQUEST-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker.jks b/qpid-test-utils/src/main/resources/ssl/certificates/broker.jks
deleted file mode 100644
index af8d5d2..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/broker.jks
+++ /dev/null
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/broker.self.crt
deleted file mode 100644
index 03db86e..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/broker.self.crt
+++ /dev/null
@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDszCCApugAwIBAgIUOJtin1zcTHJQCk3RtZJyDaL0O+QwDQYJKoZIhvcNAQEL
-BQAwaTELMAkGA1UEBhMCQ0ExEDAOBgNVBAgMB1Vua25vd24xEDAOBgNVBAcMB1Vu
-a25vd24xEDAOBgNVBAoMB1Vua25vd24xEDAOBgNVBAsMB1Vua25vd24xEjAQBgNV
-BAMMCWxvY2FsaG9zdDAeFw0yMDAxMTcxMjEzNTdaFw0yMDAyMTYxMjEzNTdaMGkx
-CzAJBgNVBAYTAkNBMRAwDgYDVQQIDAdVbmtub3duMRAwDgYDVQQHDAdVbmtub3du
-MRAwDgYDVQQKDAdVbmtub3duMRAwDgYDVQQLDAdVbmtub3duMRIwEAYDVQQDDAls
-b2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSKKUxboWX
-ijnAiiGrv8+TOQPLY2vzR20/UCQGuz0lFMyy01BiGnEYWpiXj/pFcMq4mJxgeAPI
-pyqy11PjsnFSsHoPEkJjpy/ZwLxQ2ls8Uqy/+m7EgPe34ulTU1WVJHLeYy9Z3Y6K
-ExEXRANBwJX5i9wF6R6rO3LosVzACu3JEW4weWVx6D0swApc3JIiG/cGLvR9H+rF
-pVeRHfL2RPG9JfId/qBo0Th+XwpdN0f5ypvADKmuf+QLzYXli5FuNXT3awSjEGcc
-/b/CHCrcpwSTmEgDzI/812WM0Z8HYwsEhgHXN8eibU4Ey6Av6iMqWf/wtxb8+1ac
-Si/iiz+tJVMZAgMBAAGjUzBRMB0GA1UdDgQWBBR++4fRzlzZ2FNRkZ4QomvvNKVS
-ITAfBgNVHSMEGDAWgBR++4fRzlzZ2FNRkZ4QomvvNKVSITAPBgNVHRMBAf8EBTAD
-AQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAb0ajrigWwT+KZwq2vfuZX8Xt4XQGclH8E
-PoNgT3johckZMmTYUccCPN/+qWbNigmOWpo8VKHAAAqHU+RoGG4/eVdd6Il4Q10b
-wgHVY1JA3LOmDmjGEV6kVNOiIuCEhoiN5YLG9THUY9a/SJj+MGMsKpmdDUmmX02b
-9PHOgc6pAwCm3/hO/XyUjQZxuaB7aDUpaL+pA//6lEVk/n5PzG8IAi33Cp9AEMlZ
-+6/eCb/eMZ4yoR5cQNi+l6l3ifONEDe6uJ+Wk7ahSbKTi5Maoddt5BER2jmRCDbr
-yNfRBcK2iMHVtTPMI3P9OOmudEYSFOJOdRUZpmGmAuTeuCganQjb
------END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/broker.self.key
deleted file mode 100644
index 5ccb683..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/broker.self.key
+++ /dev/null
@@ -1,30 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIuBQNMa898kwCAggA
-MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECCeLmeQ7xDnuBIIEyMsJVjaLP/XS
-nEhHrGp0Xr0AkP0ZhqN8ZUPoaL8RQCXe14tYY4LjB3NANSxCLO8i6yKyvlG6KZyK
-e5vyqlH4q41AUG5lo4Q3fDFNMP0ilgKusFE06ju1UhKf4TiElO6xxhq+ZuOsunME
-y2akyYz4khl6YrqQl6vDIN0/WYFprbh0iT66WCwe8/Bc0JBCn053pwWiqUNJXoXn
-EXytxqTYVP2H/H87M/I0vrweu5rZyxnk3HvBoJbyBrJTsZn4VFS+cIC2E4YADjD7
-qfq7iIyv94/EdqvJmQH5XttfZ/7amj+XvxLOoYtyuOOagSWrlDJm6vATSJd7G1mj
-soxHdd5hGZ4lpvFFrXjWR35PeBUUqihfkZ1cnGs4TRJZL3T+bvYdcfAEA3oxdSLh
-QKwbsY3j/LJRqGHIAzE4z82F/nEltHTHohwYKDE0D5nn58wqhD1IImHmd2uQu6SJ
-kGmHLlzbZiFz4mvqk1Tk63zoeKwioQgXj0OA2KJSV7Oz5nPB4O+/5jfu7jiL31Hh
-FEleRvTfBslTwnF6NSR74uVGSQt/CsWDOR/Ok70oSa2Ddy8Lty9e4LXSmhNGqaf1
-fFAt1E35ZQrZ5TIMjwlU2AgOS8znhMBLuAfZdCPogSbmPYMAI5b7yYwPih/2qywc
-Qxq9SBdqGditdyTliBYPpmJrx8lrhcO6aXjFVuUH5X5NGXs+xiY2V6ppFdlVepXa
-c5WfZzLqYrNdGp5nd8n831/7m1LS9zqXSgb3uz3axppIgT94BSamlyBLPv2xKVaZ
-wxZlh5rtgV9Udl2ocFyOUnXBLRapMEje57e44ShcoLr8F1S7Yi5q7gCg7eqfnrm2
-AOqJ3ZpYnDPRvo3PyW1mg6q/k/RF6BEdXcb8lM+KhGBRwufC8ym12RKwjcI8EK5w
-OB5LxjpH6we5RpVdTPnpJl0TvBEqh2LiWMpshHoK7NWCtr7vNI4KAn4nu01uofwC
-lEYFdr57I+0SawADff/ENRNqXgMsAbPvwFsaoq9cLZc71ugu4vrD+drkPrwO9eXR
-ailGVJfdgp6UqreLuVvDuQIQNr3Qagj0ujWw10usrBK9qdtpN60Eeuhch2l4ajLh
-WjwzJrRZ6g1bC5hH9U94XW0mJ7f/6BMzdGKDoBQ7zbxLSrsc/oTpTFaki5ICW9Mv
-WhF9yRCVS0Gcxu+sOZcvjZsVqGV5zqSRtWnjURMDddX79XGPEvAOSubsYjOhK49U
-78R/m/4FfrRQl4pTuTCGYUqDnLXPTxWMJJ5vEDrWTx26cGrBTsiBg7/gbn5CqSAA
-l0vDfpFNCJ9vyHoeEhEc8aBRz9hklHCDm1wIWXfwYnsE4L3V2qp/0WKvj9NHXE5C
-6FWYzr33ImsqEuavLXsFer2ZVF/Y38f8HNj9z5hg77YTbZNCg5jHYfMPunEGikCo
-B5jwen7DSt6zZOH91dncir8XcgGOXY0XocE6aalDGit01lFDPFPNc0aGsyA2m6Be
-4CNxVbfNkHZBtY8A4Q+Invij7vVUG0Afc7vDc595JsJ4m0sHmkQ3xLJVfhV8APXD
-pQXbv9o0HDPjb45irIex8WMitj/lU60FuSMjDd0DElA18ImR+4tBPWjXvxZeRkgd
-k/8a1P4XOl42rFaN1YOWhw==
------END ENCRYPTED PRIVATE KEY-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker_expired_truststore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/broker_expired_truststore.jks
deleted file mode 100644
index 077274a..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/broker_expired_truststore.jks
+++ /dev/null
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/broker_keystore.jks
deleted file mode 100644
index e789738..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/broker_keystore.jks
+++ /dev/null
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker_peerstore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/broker_peerstore.jks
deleted file mode 100644
index b306a9f..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/broker_peerstore.jks
+++ /dev/null
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker_truststore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/broker_truststore.jks
deleted file mode 100644
index 2bc0f4f..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/broker_truststore.jks
+++ /dev/null
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/chain_with_intermediate.crt b/qpid-test-utils/src/main/resources/ssl/certificates/chain_with_intermediate.crt
deleted file mode 100644
index f9dd3e3..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/chain_with_intermediate.crt
+++ /dev/null
@@ -1,105 +0,0 @@
-Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number: 4665 (0x1239)
- Signature Algorithm: sha512WithRSAEncryption
- Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA
- Validity
- Not Before: Jan 17 12:14:01 2020 GMT
- Not After : Jan 17 12:14:01 2024 GMT
- Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=intermediate_ca@acme.org
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- RSA Public-Key: (2048 bit)
- Modulus:
- 00:cd:1b:03:cd:bb:56:19:11:47:00:bd:f2:60:d8:
- 31:34:9e:06:cf:9c:1e:59:27:c1:99:c0:73:b3:14:
- 90:09:c5:8b:3c:fa:27:5f:54:fb:0a:0c:49:1c:f4:
- 6f:7e:82:8b:c9:d8:a3:6b:a3:9b:0d:f4:4c:ec:95:
- 47:f1:55:d7:a3:e3:61:0f:dd:32:07:cf:d9:ed:01:
- 58:aa:4f:d8:be:0a:18:cd:08:f6:6c:ee:5b:20:9c:
- fe:55:97:08:99:52:86:2c:d0:6e:5a:db:6d:14:17:
- 87:e4:e0:d9:ec:9d:22:7c:04:89:d4:5f:b4:fd:73:
- 9f:82:29:92:97:30:c7:9c:73:d1:a2:8b:0a:02:39:
- 02:7e:c2:c6:c7:05:1d:16:97:e7:40:54:8b:cb:33:
- 44:41:b0:44:5b:64:c6:21:8e:89:75:1d:c2:84:a0:
- 90:48:c6:9b:ab:36:b5:06:cc:c4:48:d6:64:c6:af:
- f8:c1:40:ee:10:18:6a:20:ca:ca:d9:11:78:8f:56:
- 50:8c:04:01:28:a4:da:f4:d4:d1:50:03:47:3f:9b:
- b5:5b:e6:25:9f:85:4d:2b:b6:ad:21:4d:97:d2:53:
- 00:bf:51:63:c2:4d:aa:49:04:81:ab:b5:97:c6:bf:
- 82:02:94:ef:04:b7:bd:43:50:26:cc:53:eb:ab:75:
- d4:0b
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 CRL Distribution Points:
-
- Full Name:
- URI:http://localhost:8186/MyRootCA.crl
-
- X509v3 Subject Key Identifier:
- FF:6A:19:05:FF:1A:9B:17:7C:72:5F:9F:8C:42:B0:15:DC:6F:D4:E2
- X509v3 Authority Key Identifier:
- keyid:D8:34:F2:4C:A5:AC:01:A4:3B:54:66:AA:F7:DB:C3:C1:F2:BF:E6:CC
-
- X509v3 Basic Constraints: critical
- CA:TRUE
- Signature Algorithm: sha512WithRSAEncryption
- 4a:7b:89:b1:f3:db:79:bf:c6:2d:6c:82:f3:3c:4e:33:ca:72:
- a8:5c:68:a8:f5:09:81:03:07:90:c1:dc:29:06:17:c4:f4:b7:
- cb:7b:65:2f:68:23:68:ce:b6:f6:96:2e:6d:84:35:6a:9f:e4:
- c2:46:50:81:df:e5:cc:fb:2e:73:6b:83:2d:41:9f:92:14:32:
- d5:52:60:32:13:02:3e:c3:35:0b:fa:58:c2:3b:4a:17:a5:87:
- c8:ca:ba:c6:11:94:9c:1a:d5:d9:23:22:62:0d:a6:19:b4:54:
- cb:0f:a4:a4:d0:24:a3:bc:3c:7d:af:e7:cb:45:22:ac:b8:f4:
- b7:f2:64:09:1a:27:b7:ab:1a:26:3b:f1:b2:8a:5f:36:21:a2:
- 30:9d:ed:8a:3b:7a:2b:ab:97:99:aa:d0:7d:b6:85:46:11:d2:
- d7:5b:ba:64:6b:b1:27:85:55:10:be:44:bf:4b:80:75:ff:cf:
- 7a:6b:65:86:4f:50:40:7c:38:e4:3a:3b:9d:1d:be:79:31:5e:
- b5:30:ae:b2:2c:bb:de:a0:ae:f1:90:d3:69:f9:d8:3a:82:d4:
- 71:aa:92:0f:f1:33:60:2b:3c:76:e5:08:4c:e5:32:23:45:97:
- 68:aa:11:92:88:48:02:bf:e2:59:8d:67:91:a8:8c:b0:3f:ed:
- 15:cc:57:ee
------BEGIN CERTIFICATE-----
-MIIDszCCApugAwIBAgICEjkwDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMCQ0Ex
-EDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFDTUUxETAPBgNVBAMMCE15Um9v
-dENBMB4XDTIwMDExNzEyMTQwMVoXDTI0MDExNzEyMTQwMVowbDELMAkGA1UEBhMC
-Q0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRvMQ0wCwYDVQQKDARhY21l
-MQwwCgYDVQQLDANhcnQxITAfBgNVBAMMGGludGVybWVkaWF0ZV9jYUBhY21lLm9y
-ZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM0bA827VhkRRwC98mDY
-MTSeBs+cHlknwZnAc7MUkAnFizz6J19U+woMSRz0b36Ci8nYo2ujmw30TOyVR/FV
-16PjYQ/dMgfP2e0BWKpP2L4KGM0I9mzuWyCc/lWXCJlShizQblrbbRQXh+Tg2eyd
-InwEidRftP1zn4Ipkpcwx5xz0aKLCgI5An7CxscFHRaX50BUi8szREGwRFtkxiGO
-iXUdwoSgkEjGm6s2tQbMxEjWZMav+MFA7hAYaiDKytkReI9WUIwEASik2vTU0VAD
-Rz+btVvmJZ+FTSu2rSFNl9JTAL9RY8JNqkkEgau1l8a/ggKU7wS3vUNQJsxT66t1
-1AsCAwEAAaOBiTCBhjAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vbG9jYWxob3N0
-OjgxODYvTXlSb290Q0EuY3JsMB0GA1UdDgQWBBT/ahkF/xqbF3xyX5+MQrAV3G/U
-4jAfBgNVHSMEGDAWgBTYNPJMpawBpDtUZqr328PB8r/mzDAPBgNVHRMBAf8EBTAD
-AQH/MA0GCSqGSIb3DQEBDQUAA4IBAQBKe4mx89t5v8YtbILzPE4zynKoXGio9QmB
-AweQwdwpBhfE9LfLe2UvaCNozrb2li5thDVqn+TCRlCB3+XM+y5za4MtQZ+SFDLV
-UmAyEwI+wzUL+ljCO0oXpYfIyrrGEZScGtXZIyJiDaYZtFTLD6Sk0CSjvDx9r+fL
-RSKsuPS38mQJGie3qxomO/Gyil82IaIwne2KO3orq5eZqtB9toVGEdLXW7pka7En
-hVUQvkS/S4B1/896a2WGT1BAfDjkOjudHb55MV61MK6yLLveoK7xkNNp+dg6gtRx
-qpIP8TNgKzx25QhM5TIjRZdoqhGSiEgCv+JZjWeRqIywP+0VzFfu
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIDYzCCAkugAwIBAgIUAzgWkwkl4wOLx+GiJZVnG3I2cNEwDQYJKoZIhvcNAQEN
-BQAwQTELMAkGA1UEBhMCQ0ExEDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFD
-TUUxETAPBgNVBAMMCE15Um9vdENBMB4XDTIwMDExNzEyMTM0OVoXDTI0MDExNzEy
-MTM0OVowQTELMAkGA1UEBhMCQ0ExEDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoM
-BEFDTUUxETAPBgNVBAMMCE15Um9vdENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEA+CXc5ld4yp+N6ns0HA8aPI2AUDPcbhs558F713/amq6KzueuVBJ4
-UBMdFqGI2Ul2RbEJuy/qxYqTDqtPNMorzLgK47NrDnZ0cdE/DlavSyCQmNoE0Ksr
-XBTbIk0uEKKObJSYiW+8ise6cc+5Q83woG5OzUj6E/uX/TFYsSbsaLaG74HY8ajI
-bHDEPOnRlqWV/Z8ADvjpplxXuAXyhA7YYMA/WlXAp3knLFEZTJduVeH+U9gn3lif
-9zjUxuaNBioTJcnHnbanc3z2q5CvTbzhlUjOuWJ28dJ+QHr60bw4EEwM+akavU+O
-9GK2Dh2oqLAOJ/z11I5F6LX7NEOprpt0owIDAQABo1MwUTAdBgNVHQ4EFgQU2DTy
-TKWsAaQ7VGaq99vDwfK/5swwHwYDVR0jBBgwFoAU2DTyTKWsAaQ7VGaq99vDwfK/
-5swwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAQEA8p51vGg8YT6y
-Aiyeps/ggms5/vkuH3AdI2OqC1RbIIx2Duia1EiH+Vxw0I1B7jJ9tZOsZfJVLmcr
-qlToReTTceGSRt22JvV7vpB/mn7y1z5Pz9Inw/eWTC32frzzLdayGv3/EhArsu+B
-eW6EemnXN4UxRc4rkCcYqz3WJJ/NollBwzqhpmFqo0sArZ7CSkz9+2U6sayZsxA3
-zT+4aj6vIp6Yv/USgX86VrdO1sBhJKlosEOlJqyorpjutv4fl4hR04/yU+Kw/sdG
-9ZA5Q9zrV0ooZ+635K1Z4Xr2rCH/38ltUZnFWD7D0w/z+QhonxXdnwbudtedSybo
-VPvWVRUaVA==
------END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/client_expired.crt b/qpid-test-utils/src/main/resources/ssl/certificates/client_expired.crt
deleted file mode 100644
index 7bc29f1..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/client_expired.crt
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICvzCCAaegAwIBAgIETVtknTANBgkqhkiG9w0BAQ0FADAQMQ4wDAYDVQQDEwVV
-U0VSMTAeFw0xMDAxMDExMTAwMDBaFw0xNDAxMDExMTAwMDBaMBAxDjAMBgNVBAMT
-BVVTRVIxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmNDDbMbSISBF
-2ztm8e3Gp02s0rW8pjG7sEYKLMgkXNVRMX6nOFQ1Tuj6yuBk/qlBuSyYigfTPjNx
-qjz0pxLXPbFQfzaTzLQx+AIx1JRhdpHxY//M7vfIJaLOj7MvngWvjFX6MwwKlvkG
-z/H6+R4S3QE852XkUQvvxMVa7kHuUdzDUx7ARhsUME28/XzsJldEGiuPJZYLPpdg
-GAvJPO47+gr9zUWksL4fjXgYV2lZiAWcb1WcL6/zssBLnseRkQe/g+b7q0tT0FAX
-rqCfVaVZSRntrLu4AK88JUWfQkEKDRux2XZ5cAYofelZiiIikRBubuHlhlt0bqwo
-AJiAh4ANowIDAQABoyEwHzAdBgNVHQ4EFgQUTHUNeU67sKZ+bWeh521ZpK/wzckw
-DQYJKoZIhvcNAQENBQADggEBAIs6DQA+3v8L+TdVEHlk8eTOUo46Z0e9fpQgSfLb
-0aM/gpdq1ZBxP/RkDouSvZpDBxZnWZNo8I9/cQ2tc7K8rWv4lyq6tDbSgIuRIBk8
-v50ujPMPiKSeTdJXTVi1f2TAsYwnG4cSxDBF0Gu7qXEckRtktDs6uHC0D1Rzcirr
-3gANGDk/S3yS6vumooRKZ22AOiBp6uE0awa1jTZAyLvC+LY47XKfFUTf/9+E0umz
-3a3sIzET20YSf8xrK6kFBIrqAM7sF3303+nHsfx12BIA19tUjlHKBTbCCrL1u2GL
-gD0wA9jYPAhbtKSh8GbZtNhDhJxfopwhIuFFSfcKbO8OeUY=
------END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/client_expired_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/client_expired_keystore.jks
deleted file mode 100644
index a3c29eb..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/client_expired_keystore.jks
+++ /dev/null
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/client_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/client_keystore.jks
deleted file mode 100644
index 1d21f01..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/client_keystore.jks
+++ /dev/null
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/client_truststore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/client_truststore.jks
deleted file mode 100644
index 51593d6..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/client_truststore.jks
+++ /dev/null
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/client_untrusted_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/client_untrusted_keystore.jks
deleted file mode 100644
index b788861..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/client_untrusted_keystore.jks
+++ /dev/null
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crl b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crl
deleted file mode 100644
index d32bdf9..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crl
+++ /dev/null
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crl.pem b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crl.pem
deleted file mode 100644
index ded7194..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crl.pem
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN X509 CRL-----
-MIIBxjCBrwIBATANBgkqhkiG9w0BAQsFADBsMQswCQYDVQQGEwJDQTELMAkGA1UE
-CAwCT04xEDAOBgNVBAcMB1Rvcm9udG8xDTALBgNVBAoMBGFjbWUxDDAKBgNVBAsM
-A2FydDEhMB8GA1UEAwwYaW50ZXJtZWRpYXRlX2NhQGFjbWUub3JnFw0yMDAxMTcx
-MjE0MDFaFw0yMDAyMTYxMjE0MDFaoA8wDTALBgNVHRQEBAICEjQwDQYJKoZIhvcN
-AQELBQADggEBAI31QLg89gCYaB3yGaPAJG45ENz4L6sKf8X7H6sZfnnEECIfMDeF
-Wuu5ummkvSKyHVDj5m5FT9W6mKj8JkXUfGS64ssR361BixlBfmsVj5y3upXmuEta
-x03Ewqp888NaZyxK749J+1pfo5XOq0OUTe0+J1gTrS+JSWO3194MohtqkOQ11FHc
-9nDqZo49Bi+gqvulu+t1uPfM7i2RHgVl3e+gMc7XuguC1obGyuSoFSCW3IcqjuOt
-d1xTz/p/Cx3TqlMFI0uGzXzl11jLu/CDHtMvax5YJ65lV1wK86z6tpENR3Din4X1
-tHZMxga+hGrJikOeu/WZrw2cC1hx9OZU4Fw=
------END X509 CRL-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crt b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crt
deleted file mode 100644
index 19d97a9..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crt
+++ /dev/null
@@ -1,84 +0,0 @@
-Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number: 4665 (0x1239)
- Signature Algorithm: sha512WithRSAEncryption
- Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA
- Validity
- Not Before: Jan 17 12:14:01 2020 GMT
- Not After : Jan 17 12:14:01 2024 GMT
- Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=intermediate_ca@acme.org
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- RSA Public-Key: (2048 bit)
- Modulus:
- 00:cd:1b:03:cd:bb:56:19:11:47:00:bd:f2:60:d8:
- 31:34:9e:06:cf:9c:1e:59:27:c1:99:c0:73:b3:14:
- 90:09:c5:8b:3c:fa:27:5f:54:fb:0a:0c:49:1c:f4:
- 6f:7e:82:8b:c9:d8:a3:6b:a3:9b:0d:f4:4c:ec:95:
- 47:f1:55:d7:a3:e3:61:0f:dd:32:07:cf:d9:ed:01:
- 58:aa:4f:d8:be:0a:18:cd:08:f6:6c:ee:5b:20:9c:
- fe:55:97:08:99:52:86:2c:d0:6e:5a:db:6d:14:17:
- 87:e4:e0:d9:ec:9d:22:7c:04:89:d4:5f:b4:fd:73:
- 9f:82:29:92:97:30:c7:9c:73:d1:a2:8b:0a:02:39:
- 02:7e:c2:c6:c7:05:1d:16:97:e7:40:54:8b:cb:33:
- 44:41:b0:44:5b:64:c6:21:8e:89:75:1d:c2:84:a0:
- 90:48:c6:9b:ab:36:b5:06:cc:c4:48:d6:64:c6:af:
- f8:c1:40:ee:10:18:6a:20:ca:ca:d9:11:78:8f:56:
- 50:8c:04:01:28:a4:da:f4:d4:d1:50:03:47:3f:9b:
- b5:5b:e6:25:9f:85:4d:2b:b6:ad:21:4d:97:d2:53:
- 00:bf:51:63:c2:4d:aa:49:04:81:ab:b5:97:c6:bf:
- 82:02:94:ef:04:b7:bd:43:50:26:cc:53:eb:ab:75:
- d4:0b
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 CRL Distribution Points:
-
- Full Name:
- URI:http://localhost:8186/MyRootCA.crl
-
- X509v3 Subject Key Identifier:
- FF:6A:19:05:FF:1A:9B:17:7C:72:5F:9F:8C:42:B0:15:DC:6F:D4:E2
- X509v3 Authority Key Identifier:
- keyid:D8:34:F2:4C:A5:AC:01:A4:3B:54:66:AA:F7:DB:C3:C1:F2:BF:E6:CC
-
- X509v3 Basic Constraints: critical
- CA:TRUE
- Signature Algorithm: sha512WithRSAEncryption
- 4a:7b:89:b1:f3:db:79:bf:c6:2d:6c:82:f3:3c:4e:33:ca:72:
- a8:5c:68:a8:f5:09:81:03:07:90:c1:dc:29:06:17:c4:f4:b7:
- cb:7b:65:2f:68:23:68:ce:b6:f6:96:2e:6d:84:35:6a:9f:e4:
- c2:46:50:81:df:e5:cc:fb:2e:73:6b:83:2d:41:9f:92:14:32:
- d5:52:60:32:13:02:3e:c3:35:0b:fa:58:c2:3b:4a:17:a5:87:
- c8:ca:ba:c6:11:94:9c:1a:d5:d9:23:22:62:0d:a6:19:b4:54:
- cb:0f:a4:a4:d0:24:a3:bc:3c:7d:af:e7:cb:45:22:ac:b8:f4:
- b7:f2:64:09:1a:27:b7:ab:1a:26:3b:f1:b2:8a:5f:36:21:a2:
- 30:9d:ed:8a:3b:7a:2b:ab:97:99:aa:d0:7d:b6:85:46:11:d2:
- d7:5b:ba:64:6b:b1:27:85:55:10:be:44:bf:4b:80:75:ff:cf:
- 7a:6b:65:86:4f:50:40:7c:38:e4:3a:3b:9d:1d:be:79:31:5e:
- b5:30:ae:b2:2c:bb:de:a0:ae:f1:90:d3:69:f9:d8:3a:82:d4:
- 71:aa:92:0f:f1:33:60:2b:3c:76:e5:08:4c:e5:32:23:45:97:
- 68:aa:11:92:88:48:02:bf:e2:59:8d:67:91:a8:8c:b0:3f:ed:
- 15:cc:57:ee
------BEGIN CERTIFICATE-----
-MIIDszCCApugAwIBAgICEjkwDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMCQ0Ex
-EDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFDTUUxETAPBgNVBAMMCE15Um9v
-dENBMB4XDTIwMDExNzEyMTQwMVoXDTI0MDExNzEyMTQwMVowbDELMAkGA1UEBhMC
-Q0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRvMQ0wCwYDVQQKDARhY21l
-MQwwCgYDVQQLDANhcnQxITAfBgNVBAMMGGludGVybWVkaWF0ZV9jYUBhY21lLm9y
-ZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM0bA827VhkRRwC98mDY
-MTSeBs+cHlknwZnAc7MUkAnFizz6J19U+woMSRz0b36Ci8nYo2ujmw30TOyVR/FV
-16PjYQ/dMgfP2e0BWKpP2L4KGM0I9mzuWyCc/lWXCJlShizQblrbbRQXh+Tg2eyd
-InwEidRftP1zn4Ipkpcwx5xz0aKLCgI5An7CxscFHRaX50BUi8szREGwRFtkxiGO
-iXUdwoSgkEjGm6s2tQbMxEjWZMav+MFA7hAYaiDKytkReI9WUIwEASik2vTU0VAD
-Rz+btVvmJZ+FTSu2rSFNl9JTAL9RY8JNqkkEgau1l8a/ggKU7wS3vUNQJsxT66t1
-1AsCAwEAAaOBiTCBhjAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vbG9jYWxob3N0
-OjgxODYvTXlSb290Q0EuY3JsMB0GA1UdDgQWBBT/ahkF/xqbF3xyX5+MQrAV3G/U
-4jAfBgNVHSMEGDAWgBTYNPJMpawBpDtUZqr328PB8r/mzDAPBgNVHRMBAf8EBTAD
-AQH/MA0GCSqGSIb3DQEBDQUAA4IBAQBKe4mx89t5v8YtbILzPE4zynKoXGio9QmB
-AweQwdwpBhfE9LfLe2UvaCNozrb2li5thDVqn+TCRlCB3+XM+y5za4MtQZ+SFDLV
-UmAyEwI+wzUL+ljCO0oXpYfIyrrGEZScGtXZIyJiDaYZtFTLD6Sk0CSjvDx9r+fL
-RSKsuPS38mQJGie3qxomO/Gyil82IaIwne2KO3orq5eZqtB9toVGEdLXW7pka7En
-hVUQvkS/S4B1/896a2WGT1BAfDjkOjudHb55MV61MK6yLLveoK7xkNNp+dg6gtRx
-qpIP8TNgKzx25QhM5TIjRZdoqhGSiEgCv+JZjWeRqIywP+0VzFfu
------END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.csr b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.csr
deleted file mode 100644
index 31d625f..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.csr
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICsTCCAZkCAQAwbDELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQH
-DAdUb3JvbnRvMQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxITAfBgNVBAMM
-GGludGVybWVkaWF0ZV9jYUBhY21lLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAM0bA827VhkRRwC98mDYMTSeBs+cHlknwZnAc7MUkAnFizz6J19U
-+woMSRz0b36Ci8nYo2ujmw30TOyVR/FV16PjYQ/dMgfP2e0BWKpP2L4KGM0I9mzu
-WyCc/lWXCJlShizQblrbbRQXh+Tg2eydInwEidRftP1zn4Ipkpcwx5xz0aKLCgI5
-An7CxscFHRaX50BUi8szREGwRFtkxiGOiXUdwoSgkEjGm6s2tQbMxEjWZMav+MFA
-7hAYaiDKytkReI9WUIwEASik2vTU0VADRz+btVvmJZ+FTSu2rSFNl9JTAL9RY8JN
-qkkEgau1l8a/ggKU7wS3vUNQJsxT66t11AsCAwEAAaAAMA0GCSqGSIb3DQEBDQUA
-A4IBAQDE2KIYrHiujyjWAJAWkJFwaxjeM0MojdOmdzpTEwwcWIWhSvDIGylAIjs+
-s/xZidCBLlmH5Fu4G/P/ZmAe/PSRULn5RNh+Vr/2rvBwrO6o1tr/iqN+Iu9D9gpD
-xsVqy03M3Dda/4hJ1fd14Nvw/3ipQCX0ODKQQnCEN6YDDMII7NNHhThJ9JXtmsDK
-aCWM5s6V1VcEHmsOaghuuEe0CSLNyIoKGqm/Go/sZ6beXiq6lzPOSW+Ugvb1j+yd
-Kb89oZy871V7c8BQJgYAZNm81TFpwS4XEa7tO12hxrEndMdKqjW5S2E7TVQPcTud
-1T3W7szSBmOf3sPFToLx3oOky0a9
------END CERTIFICATE REQUEST-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.jks b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.jks
deleted file mode 100644
index 251089d..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.jks
+++ /dev/null
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.self.crt
deleted file mode 100644
index d4d1fad..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.self.crt
+++ /dev/null
@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDuTCCAqGgAwIBAgIUU+PWvuydNdPTMUerarnvKb2eT74wDQYJKoZIhvcNAQEN
-BQAwbDELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRv
-MQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxITAfBgNVBAMMGGludGVybWVk
-aWF0ZV9jYUBhY21lLm9yZzAeFw0yMDAxMTcxMjE0MDFaFw0yMDAyMTYxMjE0MDFa
-MGwxCzAJBgNVBAYTAkNBMQswCQYDVQQIDAJPTjEQMA4GA1UEBwwHVG9yb250bzEN
-MAsGA1UECgwEYWNtZTEMMAoGA1UECwwDYXJ0MSEwHwYDVQQDDBhpbnRlcm1lZGlh
-dGVfY2FAYWNtZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDN
-GwPNu1YZEUcAvfJg2DE0ngbPnB5ZJ8GZwHOzFJAJxYs8+idfVPsKDEkc9G9+govJ
-2KNro5sN9EzslUfxVdej42EP3TIHz9ntAViqT9i+ChjNCPZs7lsgnP5VlwiZUoYs
-0G5a220UF4fk4NnsnSJ8BInUX7T9c5+CKZKXMMecc9GiiwoCOQJ+wsbHBR0Wl+dA
-VIvLM0RBsERbZMYhjol1HcKEoJBIxpurNrUGzMRI1mTGr/jBQO4QGGogysrZEXiP
-VlCMBAEopNr01NFQA0c/m7Vb5iWfhU0rtq0hTZfSUwC/UWPCTapJBIGrtZfGv4IC
-lO8Et71DUCbMU+urddQLAgMBAAGjUzBRMB0GA1UdDgQWBBT/ahkF/xqbF3xyX5+M
-QrAV3G/U4jAfBgNVHSMEGDAWgBT/ahkF/xqbF3xyX5+MQrAV3G/U4jAPBgNVHRMB
-Af8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4IBAQBNx3DvYk5rFFz7gtRSMpINJuoI
-thCEsFT43at08M98PrFHmZvfvdxwsIO0aJYVsTnEf4tqjXKQ6c3+eV9u3aWKuJYs
-PHJ4oxLlVwWWZLP/QC5SknscQlu5b6lhje328qKSYFzi8EE75FpG7sehvymNQhLS
-IU4r52VUqzZ6bBaQpPV4psG3yC6ONGppiy2QSP1s0jqmH1EDDp2qAQEME4bPYCAg
-Tryp2EjUmBpCuiwreY3Wsy9Zj6fQdFuxUiE4XWbsoNx1oDj9M8OuAeKQ5magJysm
-j/f2SF6cuNsg5AwuPg3DX+QC+WckLe+3M4uXfZa65bf/EJgKjJc1WjrDG16x
------END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.self.key
deleted file mode 100644
index f2392c8..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.self.key
+++ /dev/null
@@ -1,30 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIrFQQzoVuNVgCAggA
-MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECIWesfDR2OA7BIIEyB+WEIidNRox
-k5SvY9Hyi77Y1Jh/u1WJVWmQalZvWOAX8lnhQTDMVlCZ9zOku+0CWPIfEPcTBPbc
-WkTdNFmnlpUwrrjZ+ijwyv9eF6WaIvAyBAlSXDUULkkiaweKT22KGmCKWGY92UJq
-UtnsyZupQ95oWRcJ6x8/83dhaQM9yVf8a2jZzpIkCM5bdNXrSSObM2Oz1WhpcPEg
-yJzVceZTxASB3BnvIayNqFvMMiFQR4QcDTMkudBWGro3q5qm+LINQrG3nXmTwDvp
-u3PXxP8c0nEXxQYB9PPDL3qWQ5QkjaZWm5QUFWvUFGYc3bbuNXkzivBFp9W478wY
-W41x9WI6DVDkcrTv5n5X268xh3Gs5/nYERjuB657rGC3R5mNeL4unohPBsamyhrE
-ZFgzaMB0hhh0w57suFoVbrqkcKWQx7vhNwvOqbyiOg/qLk5sHrNAVdZtKA5iHux3
-JMbzHzG73wduXCWOOJcBYZD5cA7ifNwmNAz7sg9z2CY1XGHRrm+l9QZK5SLrQGIC
-p17ZREm2rnUMmZFqmIdRYyWUmfZmZ1eejT7Nf93GyutdabLNc1ROANY/mElW68qK
-RlEszYEJskw9vclg8PogulnGVND5ES5zxG4qUWJtkvx7QM1NqgUq77rK93Q/1AkC
-tB2A2/wwZmmPQMYR/7qSr0HLkTLYqmtEC5FVXB9STVdHYEgs4G7yNArY1a10ApaS
-Avf+TJD+SH8ZJMc4xVOJwc/NyKqaI+LFc64m/8oC+Mt6wpos5nvPoGqIGW10Oqcv
-N4IREavDgHEcbfRsj4Cdt55YaAk0C7MNn21PvTRI7aS8aWScTD5sMlJZDFe/V2ZL
-IxdW4LnZfyRt/s2qsx6mrbrKsaBB+o4BKC0AQax/o6GNTP89aug4OIUr3h7qGf1C
-oKLGLHjXuZcw0NKK+ufRqimvgHz6segsfgxLBsLoZ2EkhHqdWxyVI6dB/TdB2+Mu
-x3I0iQ/lC22Ky+hGpcb2iU0eB1NYA6/Wns880EJGd6/w6vmJOjG+BG0zoOELgLXH
-j0nGK2gh/2fxg2i+UjMvK7lGLjyiit/rPgH5B0e7QqJrwC0KHkxQO/dIp9aQ5BZD
-7PyGEX3ThaBSXyor3JoRtF0sLFhib2vqws7WNke7kJqDcoi9AZEQJ8gl2DLUqWbl
-ci0s32YNxXKQWB20eKJDhiLOPxZmwfQlyFAnJQrYOEhKG/BJD/O+q7MtBwJ674kG
-TcJ3AxKJhw6rOM8tjvuUfbBBNG8O0ngkbNPN36EYDkWb7ro1W4+MDayFt0P8nXgt
-+liJEFp9yFDm3OMiMrHJmihZKGqr7VC9sDm+EjFMpa/Er7KWBBzvWip3pIZslHrv
-HIYILJS8C6OgiwQF24+pW9O7tqUVKrjpZ5Tl/QuR4Qm4L3kWO/63nFMH+PP/ODYQ
-0cB/g8cEGVWClUlxp/2D7IrNh6d59mQuvhrF+fkMoNV8AeU9+IinDlF3ik00n9cF
-5U9shoMgSuyj5d9L2FCJi/t67LiAWsp3aGwcfHPfanSIpS/EvpCyvT9py1zE0IFC
-Hzz76V2V5VrRkYGwT2M8b+RtgHUles5e8sXxkWTW9AvbtfJtADit5mEX0eXJJAfP
-aRZsBte7k0++5afbuVkCug==
------END ENCRYPTED PRIVATE KEY-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.crt b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.crt
deleted file mode 100644
index dd4073e..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.crt
+++ /dev/null
@@ -1,80 +0,0 @@
-Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number: 4664 (0x1238)
- Signature Algorithm: sha512WithRSAEncryption
- Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA
- Validity
- Not Before: Jan 17 12:14:00 2020 GMT
- Not After : Jan 17 12:14:00 2024 GMT
- Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=revoked_by_ca@acme.org
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- RSA Public-Key: (2048 bit)
- Modulus:
- 00:ab:54:29:44:85:72:57:4f:8d:9f:60:77:5c:77:
- b0:45:bd:34:7a:e5:37:9f:0f:26:ac:e1:68:1a:b3:
- 86:bf:55:48:82:ad:31:df:ed:89:a9:7e:25:b8:4d:
- 5c:95:c1:4a:9e:b2:a3:51:57:e8:dd:18:75:e5:db:
- f0:aa:ea:eb:5f:0f:e0:09:e2:7c:a6:1c:5c:e5:db:
- 2c:c1:f2:d7:40:21:f7:fa:ef:e0:3e:f5:3d:10:52:
- ec:b7:cd:9a:d8:3d:36:9a:3f:cd:1a:1f:e7:de:09:
- c3:8f:08:4f:c1:c4:cb:d3:65:81:c4:e3:28:ed:f4:
- a9:43:f2:c6:84:d9:16:22:65:55:17:e3:8b:7a:45:
- 9d:5f:7d:e5:87:d6:a5:fb:fe:0f:86:c0:d4:e0:9b:
- 2c:3a:99:df:4d:42:df:30:38:56:2d:f3:e5:8b:0f:
- fc:99:e3:1f:62:cb:85:78:a3:40:43:d6:42:3b:bc:
- e8:6c:45:19:3d:ca:43:86:1a:4b:ae:e9:3b:51:b0:
- 0d:0a:bb:de:26:34:b3:cf:dc:fc:99:c8:7e:42:7d:
- 2c:67:ea:2c:7d:2e:bf:ff:7f:21:9a:17:f1:87:1d:
- aa:d6:a4:06:bb:c1:65:ac:7d:7a:51:fd:3f:d0:ac:
- 9b:85:17:51:5b:99:16:b8:c7:72:00:2d:0b:54:78:
- 16:5b
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 CRL Distribution Points:
-
- Full Name:
- URI:http://localhost:8186/MyRootCA.crl
-
- X509v3 Basic Constraints:
- CA:FALSE
- X509v3 Key Usage:
- Digital Signature, Non Repudiation, Key Encipherment
- Signature Algorithm: sha512WithRSAEncryption
- 3a:d1:40:59:30:54:80:6a:b6:a9:76:f3:d1:05:c9:a1:d7:b0:
- ff:70:48:65:1d:1c:e5:82:b9:c5:62:78:eb:7a:0f:77:2d:26:
- 8d:a7:16:34:a5:57:4e:da:51:b5:3e:65:a3:db:a4:ba:43:70:
- 93:d4:d5:82:e4:c8:59:f0:f9:2c:7f:d6:d9:87:b8:5e:a9:4c:
- a5:cc:c3:ac:87:c8:3e:46:7e:6d:40:c1:bf:9f:03:68:ea:e1:
- 97:30:43:bf:d7:a4:1a:58:e2:72:cf:0d:6f:31:1b:4a:72:4d:
- 42:6d:7b:21:42:23:c0:7a:50:14:b9:f9:a5:95:53:77:c1:89:
- ff:3e:a0:1a:b2:88:69:13:93:c8:14:c4:c5:24:47:a0:9e:43:
- 70:9d:ac:0e:7f:a6:b5:45:47:35:f9:e9:6d:32:15:54:26:81:
- 84:ae:d8:27:c9:f3:65:64:7a:72:14:02:9f:8a:73:cf:04:c0:
- 53:a8:01:56:a6:a6:b8:fe:06:b1:71:c0:cc:64:07:d5:33:a8:
- 69:01:5e:06:b8:24:ec:1e:c4:9e:58:45:60:2b:70:d4:db:7a:
- 8c:42:21:e6:e6:33:c9:66:35:6c:06:ad:0f:47:74:24:cb:65:
- af:e1:a6:d0:b3:06:4a:97:5f:b2:83:cf:ac:0d:81:c2:07:7a:
- 06:c1:45:90
------BEGIN CERTIFICATE-----
-MIIDdjCCAl6gAwIBAgICEjgwDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMCQ0Ex
-EDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFDTUUxETAPBgNVBAMMCE15Um9v
-dENBMB4XDTIwMDExNzEyMTQwMFoXDTI0MDExNzEyMTQwMFowajELMAkGA1UEBhMC
-Q0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRvMQ0wCwYDVQQKDARhY21l
-MQwwCgYDVQQLDANhcnQxHzAdBgNVBAMMFnJldm9rZWRfYnlfY2FAYWNtZS5vcmcw
-ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCrVClEhXJXT42fYHdcd7BF
-vTR65TefDyas4Wgas4a/VUiCrTHf7YmpfiW4TVyVwUqesqNRV+jdGHXl2/Cq6utf
-D+AJ4nymHFzl2yzB8tdAIff67+A+9T0QUuy3zZrYPTaaP80aH+feCcOPCE/BxMvT
-ZYHE4yjt9KlD8saE2RYiZVUX44t6RZ1ffeWH1qX7/g+GwNTgmyw6md9NQt8wOFYt
-8+WLD/yZ4x9iy4V4o0BD1kI7vOhsRRk9ykOGGkuu6TtRsA0Ku94mNLPP3PyZyH5C
-fSxn6ix9Lr//fyGaF/GHHarWpAa7wWWsfXpR/T/QrJuFF1FbmRa4x3IALQtUeBZb
-AgMBAAGjTzBNMDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9sb2NhbGhvc3Q6ODE4
-Ni9NeVJvb3RDQS5jcmwwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwDQYJKoZIhvcN
-AQENBQADggEBADrRQFkwVIBqtql289EFyaHXsP9wSGUdHOWCucVieOt6D3ctJo2n
-FjSlV07aUbU+ZaPbpLpDcJPU1YLkyFnw+Sx/1tmHuF6pTKXMw6yHyD5Gfm1Awb+f
-A2jq4ZcwQ7/XpBpY4nLPDW8xG0pyTUJteyFCI8B6UBS5+aWVU3fBif8+oBqyiGkT
-k8gUxMUkR6CeQ3CdrA5/prVFRzX56W0yFVQmgYSu2CfJ82VkenIUAp+Kc88EwFOo
-AVamprj+BrFxwMxkB9UzqGkBXga4JOwexJ5YRWArcNTbeoxCIebmM8lmNWwGrQ9H
-dCTLZa/hptCzBkqXX7KDz6wNgcIHegbBRZA=
------END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.csr b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.csr
deleted file mode 100644
index 7a8a730..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.csr
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICrzCCAZcCAQAwajELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQH
-DAdUb3JvbnRvMQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxHzAdBgNVBAMM
-FnJldm9rZWRfYnlfY2FAYWNtZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
-ggEKAoIBAQCrVClEhXJXT42fYHdcd7BFvTR65TefDyas4Wgas4a/VUiCrTHf7Ymp
-fiW4TVyVwUqesqNRV+jdGHXl2/Cq6utfD+AJ4nymHFzl2yzB8tdAIff67+A+9T0Q
-Uuy3zZrYPTaaP80aH+feCcOPCE/BxMvTZYHE4yjt9KlD8saE2RYiZVUX44t6RZ1f
-feWH1qX7/g+GwNTgmyw6md9NQt8wOFYt8+WLD/yZ4x9iy4V4o0BD1kI7vOhsRRk9
-ykOGGkuu6TtRsA0Ku94mNLPP3PyZyH5CfSxn6ix9Lr//fyGaF/GHHarWpAa7wWWs
-fXpR/T/QrJuFF1FbmRa4x3IALQtUeBZbAgMBAAGgADANBgkqhkiG9w0BAQ0FAAOC
-AQEAle9ozcWOV+gW4zVToxUl/Cumqe3zqg7YE1SV4/QssVEVfJjb4s4/2JnjDQvQ
-BExP4yeiLVtIjjEaFy+fu4LZ7Qx7+GlhBCOaBuS/hNRmuJPNv+GwommABYkDvx86
-QeztX5oU/Gcn9tx+IjiBfn6pUsF4tX1Qd9ueucPUDR7xHMAFBBNnC1ahhki6rOVB
-9fxbduViyr2RKl9gDao650PsVn3+9MtKaU/oHluuyOjbCsrdjY5uGTWGJjWXGWBv
-whtYRomEofuvZk7vsmhBtJUixFuo4mVXA3Q6jCH3nre57YsQFR8+oFkIDogtXUNj
-rOtgaueA6Rd50L4j8hoQKBAkFA==
------END CERTIFICATE REQUEST-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.jks b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.jks
deleted file mode 100644
index cd38ca0..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.jks
+++ /dev/null
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.self.crt
deleted file mode 100644
index 47696f6..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.self.crt
+++ /dev/null
@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDtTCCAp2gAwIBAgIUHVCN1hW4l8SlUG15T552XxvHr4owDQYJKoZIhvcNAQEN
-BQAwajELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRv
-MQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxHzAdBgNVBAMMFnJldm9rZWRf
-YnlfY2FAYWNtZS5vcmcwHhcNMjAwMTE3MTIxNDAwWhcNMjAwMjE2MTIxNDAwWjBq
-MQswCQYDVQQGEwJDQTELMAkGA1UECAwCT04xEDAOBgNVBAcMB1Rvcm9udG8xDTAL
-BgNVBAoMBGFjbWUxDDAKBgNVBAsMA2FydDEfMB0GA1UEAwwWcmV2b2tlZF9ieV9j
-YUBhY21lLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKtUKUSF
-cldPjZ9gd1x3sEW9NHrlN58PJqzhaBqzhr9VSIKtMd/tial+JbhNXJXBSp6yo1FX
-6N0YdeXb8Krq618P4AnifKYcXOXbLMHy10Ah9/rv4D71PRBS7LfNmtg9Npo/zRof
-594Jw48IT8HEy9NlgcTjKO30qUPyxoTZFiJlVRfji3pFnV995YfWpfv+D4bA1OCb
-LDqZ301C3zA4Vi3z5YsP/JnjH2LLhXijQEPWQju86GxFGT3KQ4YaS67pO1GwDQq7
-3iY0s8/c/JnIfkJ9LGfqLH0uv/9/IZoX8YcdqtakBrvBZax9elH9P9Csm4UXUVuZ
-FrjHcgAtC1R4FlsCAwEAAaNTMFEwHQYDVR0OBBYEFMU9e8zrbXHC342Uby8gqhgM
-YvLxMB8GA1UdIwQYMBaAFMU9e8zrbXHC342Uby8gqhgMYvLxMA8GA1UdEwEB/wQF
-MAMBAf8wDQYJKoZIhvcNAQENBQADggEBAB/EApL8yOgY/Moi9zfCG22GRosPydBS
-87rlGBuWieIuHTUjZfo4Cso/Gss7BKNPVpS68g6QXh5t/mlWLes8lXVHj8V2RHUg
-JMJZ6FZVXGaR/3wvRT8i5xag4kYye585P52ovvzI8TyWRf2f4UQhNXIH6If8fYkJ
-CI/bp7Wd+b2+Vrnacx8gc5uzYXSsbUujd0b7X//gAu0YBPVqdkiJGpB1N4XPFhaF
-NPauaic9wtzETHc2ETmvKWoqxW0mwX8AuDY/GVa04s/jiy1JuH0uqfQCiGi1dkRF
-yYXQNXuPWiQ5K8Eg2bPaSSnCpQZgH4DG7315ne6XFaSQK/iJU9p05cA=
------END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.self.key
deleted file mode 100644
index 2bed0ac..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.self.key
+++ /dev/null
@@ -1,30 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIHVqo76e8ifcCAggA
-MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECKGXAXrxjyphBIIEyEJR6oHjGXr+
-PoIs2CnsQucjXIqQuEltc+xiLetRV6VQ0fytpC1qw6gTcMYYqmXC0oeBZqbux+hj
-Uj91rd2PnIhQ1t3uLkCCwR3hAOrFLHC6eg1HmgAfAI8HUoHeiSQor0rLHA2PKTgT
-LtNV573XyBh0bbrQZnMh2zb+RZ8dFHE5Fu7OiTYYFAIkH3EyB0QRUuskGhmMvgT1
-6LlzmaSRfSx9x6YBW0AH3649hAZj6sf7axXm9sScrIFpha7FJzKV/EUScDfBzTld
-5LqTUoF+W6b95PzvF/ylpbUM43FgTaI0KqyGSxtMr5CQjxuVUD+LsT6vc6lVQ2iQ
-GtqFAooBatfDXlm4HBNTFznDoYa50TUK1af6+0X4uQrETnIWA8iw49L+BownU6+M
-yfuMJ689IggheL9n+EBoJ5+LhjBlcxjcaIZBKgxVAxpSxnVY7H0R5JHYTHSy5GjA
-xtGmOkqGPgRlPXzYtSrih47tUAkO7MTiIUE5Xuned2pTFWAhsS/kpdc6K1IKhDAG
-ARG5dIADIZH+b3dYpxo/MXBQYusm6Q1KaLE1cG98QoiWdTwXNN4jNH6IiUg52Pcg
-nD/AAOdEcCA7wXFXLTBvYMGvetCDkrXf9DSOguGlvgfeZN/6P0QdN/TErTW9lHSV
-DioKOfDSpvS2X3X/1pDBYK29d+JqwW8sgRtyeJtSVzPnm+PFyz/1oDwIk7muhAs5
-+Ruf2mh/k01InahsJ9aBwBneCDvRibQGMv8wl/8Lz5NmpPjfYv/Jws0rS7rDNLOi
-yGSNBL8rOfLl3C7z3R+2xJocplccb7S42I8lSHNu7lwKPAPLkTtz+SymtAQJvqoR
-2SmoYtodPttQDXLMVwzQ87sBQ/wN9sw3BCRSL6BfBIsYavLMLnZ8hChpA9RF7Okm
-l8jNSs8HNN851G3XrKnI3CNsTKEQdEDw/Y68hJ0sSFRhICW2vKGJ6Lp1IPF4mngI
-BzGnpQrsOBfrMOpfqwgxFFZRFbBbOl2IPRcvz8GYyfXToGgS53Nz0TkHTtsTFIoo
-afUE6cOm0EzYn4rtNaB5K8gIxLhWZMsS6CH/nfEVi7sOFeUdkxoEUvnRTEy0pj7Q
-h085aWIFHHAtgBCdzqsmu0Q8z7Xp6G+S5nrJCnewRAGKKyGTkZsSjZXpB+nauYDM
-B4ZpoWZTS9AtPmCM9nV13fYTFWXz9DXtYAuMLZhYyBVNBlubpDwzV66+ygLqaTIz
-OkC/EjmA1OOZlaI0TfH5rvFdKsqmXxmvlH9aCOzMxytTSOd52MwJN72nAslKz9xI
-RoO/RE0EYLMOT81S44QzfWGZ2CP7oRTfT3IoktTUm9Snp2qjebcfhRrti8aEZCm+
-mtssZ0IiqLPje6GJ2kOUmU4+KZ+cNswPZmV+zm4NJcu5XBG13wHqyLac6iQPDXie
-4IuzbLEOjYr+ZLGnBpw11jn6R1yxbOiKUbg/eEp8/688XJbVdSaCd4w7JwxL8dlI
-h7y8UTG0BI3nZk4kdpusz5f18F8EoX+RIDP7Ev3qPt/8eYkSZggkrrnIaCIeXEOL
-VwmtXIe7Fo2E7zRTSgJXU42iTYwp4tWmB83qxKVaQQpgmX1hs845GdWbfcSZh9eZ
-50gsztDpcC1mAtp3brgOig==
------END ENCRYPTED PRIVATE KEY-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.crt b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.crt
deleted file mode 100644
index 7a80d78..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.crt
+++ /dev/null
@@ -1,80 +0,0 @@
-Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number: 4667 (0x123b)
- Signature Algorithm: sha512WithRSAEncryption
- Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA
- Validity
- Not Before: Jan 17 12:14:02 2020 GMT
- Not After : Jan 17 12:14:02 2024 GMT
- Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=revoked_by_ca_empty_crl@acme.org
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- RSA Public-Key: (2048 bit)
- Modulus:
- 00:cd:03:6c:76:ba:58:04:33:52:0c:45:ba:80:87:
- be:ce:3d:94:76:45:79:29:b1:15:15:c9:95:e0:5e:
- 03:34:a5:5f:ab:b6:8a:03:57:b4:60:2d:fe:2e:27:
- c1:51:7f:bd:25:fe:0d:d3:48:72:0a:09:ed:ef:df:
- 18:98:17:e1:bf:44:07:6f:f5:72:98:73:0a:ca:7c:
- 7f:a6:8e:1b:e1:f5:e9:cc:d5:37:96:1e:8b:f1:8b:
- cb:4f:3b:ad:e5:b9:73:b2:6f:2c:e2:70:c9:a7:28:
- ee:d2:4e:79:02:ef:11:f0:8d:77:41:46:d4:98:72:
- cd:73:66:a4:f2:ea:81:42:b5:e1:95:0c:d3:23:e7:
- dc:0e:2c:02:cf:bc:8f:dd:53:ea:2c:08:1d:8b:07:
- 52:47:25:dd:9d:99:5c:56:86:2d:38:2a:2f:15:57:
- dd:e2:c0:79:a5:aa:e6:3f:c3:b9:78:97:cf:47:fa:
- c6:9f:55:73:42:cb:27:17:35:b3:5c:91:bd:f9:f0:
- 00:a6:d2:5b:eb:34:2e:43:6a:ca:38:f6:14:32:4c:
- c8:35:92:b7:4c:f7:da:86:70:55:0c:ca:67:82:5e:
- 31:7f:e1:d2:76:22:d8:92:03:d6:47:df:43:55:33:
- 29:e3:44:d0:2e:45:b4:e5:fb:78:95:53:3e:21:33:
- 01:3d
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 CRL Distribution Points:
-
- Full Name:
- URI:http://localhost:8186/MyRootCA.empty.crl
-
- X509v3 Basic Constraints:
- CA:FALSE
- X509v3 Key Usage:
- Digital Signature, Non Repudiation, Key Encipherment
- Signature Algorithm: sha512WithRSAEncryption
- bf:be:61:4f:7a:a3:ff:9f:76:1a:d5:80:57:e8:29:d5:7b:31:
- f2:15:de:11:a2:f4:67:97:05:70:52:84:0c:6d:aa:bc:b4:f1:
- ed:92:f7:e3:ca:0f:4e:19:c4:82:38:e2:f1:30:74:42:8e:c8:
- 7e:9f:b5:df:59:8b:e7:70:84:4d:fc:6b:4e:25:33:65:ac:f6:
- da:3e:a4:32:fd:cb:f7:dc:f3:5a:3f:e3:8b:85:8d:9b:5a:e1:
- f4:17:3c:d5:67:13:25:78:d0:3f:9d:cc:b8:1f:3c:9c:55:11:
- 12:1f:13:2f:55:4b:3d:e0:cf:bf:10:ce:de:04:a3:b1:60:26:
- 3e:41:bf:8f:3b:86:ef:7f:69:4b:5b:2e:45:a2:5a:b5:34:2e:
- ff:28:01:81:15:03:53:86:31:77:ac:41:f5:b3:c1:54:e9:ab:
- cf:d3:3f:36:94:4e:ed:07:39:4e:ad:fb:0c:26:87:62:30:51:
- da:70:8a:f2:9b:9f:9f:a4:25:d8:df:90:27:ab:0e:b6:81:fc:
- a1:24:16:4d:aa:91:d7:c9:0b:f0:49:1a:80:7c:86:7f:0f:4e:
- 32:59:86:41:32:92:00:b1:f0:32:50:84:72:35:f3:b2:7f:c1:
- 2a:69:6c:9e:74:43:8e:d0:15:b3:0d:ed:34:b9:14:fe:24:17:
- f7:4c:e0:0f
------BEGIN CERTIFICATE-----
-MIIDhjCCAm6gAwIBAgICEjswDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMCQ0Ex
-EDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFDTUUxETAPBgNVBAMMCE15Um9v
-dENBMB4XDTIwMDExNzEyMTQwMloXDTI0MDExNzEyMTQwMlowdDELMAkGA1UEBhMC
-Q0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRvMQ0wCwYDVQQKDARhY21l
-MQwwCgYDVQQLDANhcnQxKTAnBgNVBAMMIHJldm9rZWRfYnlfY2FfZW1wdHlfY3Js
-QGFjbWUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzQNsdrpY
-BDNSDEW6gIe+zj2UdkV5KbEVFcmV4F4DNKVfq7aKA1e0YC3+LifBUX+9Jf4N00hy
-Cgnt798YmBfhv0QHb/VymHMKynx/po4b4fXpzNU3lh6L8YvLTzut5blzsm8s4nDJ
-pyju0k55Au8R8I13QUbUmHLNc2ak8uqBQrXhlQzTI+fcDiwCz7yP3VPqLAgdiwdS
-RyXdnZlcVoYtOCovFVfd4sB5parmP8O5eJfPR/rGn1VzQssnFzWzXJG9+fAAptJb
-6zQuQ2rKOPYUMkzINZK3TPfahnBVDMpngl4xf+HSdiLYkgPWR99DVTMp40TQLkW0
-5ft4lVM+ITMBPQIDAQABo1UwUzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vbG9j
-YWxob3N0OjgxODYvTXlSb290Q0EuZW1wdHkuY3JsMAkGA1UdEwQCMAAwCwYDVR0P
-BAQDAgXgMA0GCSqGSIb3DQEBDQUAA4IBAQC/vmFPeqP/n3Ya1YBX6CnVezHyFd4R
-ovRnlwVwUoQMbaq8tPHtkvfjyg9OGcSCOOLxMHRCjsh+n7XfWYvncIRN/GtOJTNl
-rPbaPqQy/cv33PNaP+OLhY2bWuH0FzzVZxMleNA/ncy4HzycVRESHxMvVUs94M+/
-EM7eBKOxYCY+Qb+PO4bvf2lLWy5Folq1NC7/KAGBFQNThjF3rEH1s8FU6avP0z82
-lE7tBzlOrfsMJodiMFHacIrym5+fpCXY35Anqw62gfyhJBZNqpHXyQvwSRqAfIZ/
-D04yWYZBMpIAsfAyUIRyNfOyf8EqaWyedEOO0BWzDe00uRT+JBf3TOAP
------END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.csr b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.csr
deleted file mode 100644
index 7275fc2..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.csr
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICuTCCAaECAQAwdDELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQH
-DAdUb3JvbnRvMQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxKTAnBgNVBAMM
-IHJldm9rZWRfYnlfY2FfZW1wdHlfY3JsQGFjbWUub3JnMIIBIjANBgkqhkiG9w0B
-AQEFAAOCAQ8AMIIBCgKCAQEAzQNsdrpYBDNSDEW6gIe+zj2UdkV5KbEVFcmV4F4D
-NKVfq7aKA1e0YC3+LifBUX+9Jf4N00hyCgnt798YmBfhv0QHb/VymHMKynx/po4b
-4fXpzNU3lh6L8YvLTzut5blzsm8s4nDJpyju0k55Au8R8I13QUbUmHLNc2ak8uqB
-QrXhlQzTI+fcDiwCz7yP3VPqLAgdiwdSRyXdnZlcVoYtOCovFVfd4sB5parmP8O5
-eJfPR/rGn1VzQssnFzWzXJG9+fAAptJb6zQuQ2rKOPYUMkzINZK3TPfahnBVDMpn
-gl4xf+HSdiLYkgPWR99DVTMp40TQLkW05ft4lVM+ITMBPQIDAQABoAAwDQYJKoZI
-hvcNAQENBQADggEBAIclK9KXAk1U1l9zzy9FpjqZYXzqCF5vBD9yDDk6DODqLAfa
-twBoA90Ae5z5wEY2Gtj2p39P4FvWHV2tKMe3M6Wnf9b0IE2VYZ8aIuK/dzMY17pX
-caDKJEhG/hVa4qIyKbh5y0gITfoFTx10ip0DoSAzkjbG6fsSplX5x/r0DS1ZVGQj
-aTqKor1pBW9rBGkgDaKetl+0/x9EcwXM8Vlv2uidofK1HRrBijdzj/vaVERatNGf
-IMfBGnTfF+CAKN/kR8F1jhcM4XXOA/lvtWkmmsuBweEM4iTh5T7/L/rbUr7WpFjT
-J8yrjAyUM4e9UR+lif/RXN2zvAvUh9wUin/rvlk=
------END CERTIFICATE REQUEST-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.jks b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.jks
deleted file mode 100644
index 7e0ab14..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.jks
+++ /dev/null
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.self.crt
deleted file mode 100644
index 876f462..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.self.crt
+++ /dev/null
@@ -1,23 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDyTCCArGgAwIBAgIURa7KfSxOy6INMZLGbza+/AKlMMgwDQYJKoZIhvcNAQEN
-BQAwdDELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRv
-MQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxKTAnBgNVBAMMIHJldm9rZWRf
-YnlfY2FfZW1wdHlfY3JsQGFjbWUub3JnMB4XDTIwMDExNzEyMTQwMloXDTIwMDIx
-NjEyMTQwMlowdDELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdU
-b3JvbnRvMQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxKTAnBgNVBAMMIHJl
-dm9rZWRfYnlfY2FfZW1wdHlfY3JsQGFjbWUub3JnMIIBIjANBgkqhkiG9w0BAQEF
-AAOCAQ8AMIIBCgKCAQEAzQNsdrpYBDNSDEW6gIe+zj2UdkV5KbEVFcmV4F4DNKVf
-q7aKA1e0YC3+LifBUX+9Jf4N00hyCgnt798YmBfhv0QHb/VymHMKynx/po4b4fXp
-zNU3lh6L8YvLTzut5blzsm8s4nDJpyju0k55Au8R8I13QUbUmHLNc2ak8uqBQrXh
-lQzTI+fcDiwCz7yP3VPqLAgdiwdSRyXdnZlcVoYtOCovFVfd4sB5parmP8O5eJfP
-R/rGn1VzQssnFzWzXJG9+fAAptJb6zQuQ2rKOPYUMkzINZK3TPfahnBVDMpngl4x
-f+HSdiLYkgPWR99DVTMp40TQLkW05ft4lVM+ITMBPQIDAQABo1MwUTAdBgNVHQ4E
-FgQUJBs8fXPCO0HfB5qCdnNIr+LKofAwHwYDVR0jBBgwFoAUJBs8fXPCO0HfB5qC
-dnNIr+LKofAwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAQEAKlMt
-n4ZrNl91i2HJUhy1qQEed6r2IFzTiVCIlV5tL/e3JyOksKxHeoV8JcN4mFNDzVZM
-vk+ZuCty1wJQLs6OOCfdXwSekSJblV/IXqKosvJj+RN6EHLeEYUoVJlKkU1E/wXZ
-LbjioYtv7LAdDXuZro3P5W9IBiNGPitOWqdZYTkYgrDdyn9MBucm7UMTftvS8buK
-sBjOhKQNO4Q34VJlOgKjoPEQr/R/JnNFbFh3dKYfDFABwy3dgp6kehzazb68An+j
-K/qljEqmAGwn92pSQDxNW/opQ3iMMjTiUie7f5PpCphFD/noIXgSyVutV8dFEBtw
-uTTPMl1O2ogZSriu3A==
------END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.self.key
deleted file mode 100644
index 9576760..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.self.key
+++ /dev/null
@@ -1,30 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIFZ8yTs+qbG0CAggA
-MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECCIuCWBoRzWlBIIEyEJvOIUqC7LU
-XAcbfwBQgC+6bmxO+2A+KGmMoWua1om7bO7YkzoTesXg1sDN5xO8S0T02/laHE+n
-h4SKtG+Ocvc75hznd2dkz+QrvUHfxYBWS5zayDYvO/V2GjbI/LUhBxTh17KRRGwD
-FvJmfYyQ7C4jguscRrTpnKxknuIbQYQMUlTVquB3htAtf9ORQSC34QiKl6Ahm2F9
-S5iRxOQI3y5+g6BXVTktBjFMg+EIlVgi7UrOtplj/GAC6m0tF+G2Cl2R+IYcU4Uj
-iZO6XBeVGUaDCy6b5jdeiBXTbqYWrLaMrCQabZTfw3utJQHAPFaBE+y25Wq4SdJ7
-/S8BmCDa1x9doH7ShJ8ykync1PfOIaTbzqWMx4zIgAFQ2/azZD2aB6GWo8lpQWOp
-+yRRNQsYQNiVZ8895KVfsLJvf7nEZ0gtrKYxUiwdzIXspNdt2ymzhcKf1bYeG8TX
-XgegkqB2zzp/BviBlGWo5RSGDyaXTHrdWK3yJBkuP4oGMrk71+W/kDUzTCR++AqM
-1TpbYXLIbqMlE5DEHejgYYOclx3pmMBYcJJsPW8mKd2C7G3fj67lUQwXr+iLS1Fl
-Zekh3ZcaQSptQyUaJ6XXaa8A5qx42FpEGIxTLF3YktyT/u3rMsYD62hohR7zCNUK
-J8Wsmjmeu78OoPv68DxD8Hi88rcYg/cKTELjBx+GQOKGite7ogxPcdfFIrprVNTQ
-WLYLk9STn42RhUELKt2uKYmVJ6GzfBf7Lfgmsi9QVIPbswZE02fF/pC5Gcl1FEA8
-X0wcxcv9MAbFm497CMkdw9wxj4rV7XruBrUAB24QRj/r3Hsk4LS/0MI8/OawzaP+
-UAXYExWPuOremVl4/esbXOi5UXPcz/4aDtYyo3/PYOS8TWGnhJ0P3VykdTQ2a6Cq
-A/qI5c1HN0Llg918Eff/Lrw3WDpe7tcuQz0UZDUw9wEdglMTl1xQ9tZPQcMmKc08
-32dUUxPNX+wsKM1k5VBYRx/Vltr+odNaW4eTgVhsQ68D1vvA+AHLrHOUTGMknVTh
-89ZTtycV908axGVot7fz0wpc+n0nF/d6Q75NpqTwGQdwe6LMyYed6dOotYn9rWAV
-rPIxw9gsT3AGFyzos/ZB4RehHWIX/uumPw3H67vG2q+A2q2zzJFmH72mgMIpf/hY
-1SoCO3Uhlv58zbASfchyIFlMNNxSN9+6uffXbB9kR/C3ClKZB9vDwyhpMFU/LMqz
-2/ffsESVa5KSRdzwJuzbHQC/cymQZYoe3SayObmKoTIzo6lQoTCX7yREUFaT346A
-XkjN40YsO4dQ64r4qKdCRmhK1GHo3zXzT/50maVxzUsJafhuARvLxckpidq0mdT9
-2zBl5aM7GTwqCs9eqV1EJJASeBoFdu2iAKOI5O0Y7uVKNRZbiElnroR9IgfINepc
-7OenXrQbwrXD0PYORY04axr3hfM7GEy90TC+9WGLZWBTyKRdTdIdNCTvh1q84OZo
-Qp4zEhWsHT6C1FKmpu+uhPKHEqgqrgWFfsSr21uYFuEybXY2B9euyB222wYjX8K4
-u9C1+YGNQIhDcfqaefLdIBfgUErK/xjTDBP8Xk85NJIxab98aJkhclH0k8qOv6pr
-35/tH3UEUjR1FlIgzU46cg==
------END ENCRYPTED PRIVATE KEY-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.crt b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.crt
deleted file mode 100644
index 35b1e6a..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.crt
+++ /dev/null
@@ -1,80 +0,0 @@
-Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number: 4668 (0x123c)
- Signature Algorithm: sha512WithRSAEncryption
- Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA
- Validity
- Not Before: Jan 17 12:14:02 2020 GMT
- Not After : Jan 17 12:14:02 2024 GMT
- Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=revoked_by_ca_invalid_crl_path@acme.org
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- RSA Public-Key: (2048 bit)
- Modulus:
- 00:cc:e3:11:32:ee:d9:ba:67:5b:0b:e2:52:4b:9c:
- e7:54:d7:e4:c7:a9:92:7e:6a:39:e0:bb:d3:cc:9f:
- 6f:38:73:96:c5:62:bf:bc:8d:69:e5:e8:67:3f:18:
- d8:aa:ab:67:93:cb:c1:71:ac:7d:1e:7e:40:a7:d6:
- 0a:8a:d2:17:7e:3b:be:d0:0e:1b:54:7c:be:0f:de:
- 46:9b:4c:5a:64:de:87:08:45:b9:4f:32:df:26:6c:
- 42:66:06:bd:61:cb:95:ae:a7:94:ee:4f:61:ff:da:
- 18:b5:4a:41:9a:c5:c4:bd:2b:ae:8f:9d:13:82:04:
- df:23:31:4a:5d:62:2c:0f:83:87:18:4a:7c:ce:12:
- bc:02:67:b4:1e:d9:9b:4c:9a:33:ab:0c:34:eb:dc:
- 8e:36:0a:54:ac:c1:88:84:26:15:9e:a5:08:0b:e2:
- 95:ef:3b:71:29:d9:c7:39:79:05:ef:4e:dd:52:ea:
- 42:05:b3:7b:2b:b4:ee:3e:da:4f:78:a7:e3:39:da:
- 6e:56:2e:74:52:27:7f:e5:e9:c3:11:79:c9:5f:6f:
- ae:58:31:d0:d1:89:b3:01:09:01:5d:44:53:6b:21:
- af:fc:07:e6:68:9e:76:ab:c9:56:b0:20:5d:36:fe:
- e0:06:8c:bb:70:6c:e3:3b:92:a0:5b:0d:e9:ce:e4:
- fb:ff
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 CRL Distribution Points:
-
- Full Name:
- URI:http://localhost:8186/not/a/crl
-
- X509v3 Basic Constraints:
- CA:FALSE
- X509v3 Key Usage:
- Digital Signature, Non Repudiation, Key Encipherment
- Signature Algorithm: sha512WithRSAEncryption
- 70:bd:f9:c8:9e:b5:40:c4:cd:af:33:9a:35:10:25:ef:2d:00:
- c1:e3:7a:b3:54:f3:e7:86:b5:a7:3a:7c:4e:c3:fe:c3:b3:f6:
- e9:e1:4b:48:27:40:dc:36:e1:18:cc:79:93:44:c8:96:78:1c:
- c2:e3:3c:58:a3:3e:4c:d7:68:7e:e3:83:c4:40:f1:2a:d1:17:
- a5:89:5f:5d:72:b9:3f:9e:75:7a:a2:d9:73:82:09:4d:45:40:
- 84:ed:e7:9a:15:81:e2:3e:43:eb:c4:f8:ff:40:a4:b9:1c:d0:
- 3f:e9:c4:17:26:74:10:86:52:c5:34:b8:a7:d4:1c:b5:53:ac:
- af:35:35:61:c7:7c:f0:ce:bb:4e:24:49:01:3b:88:57:70:73:
- ad:19:52:ee:b0:57:5e:01:ac:18:1a:ab:73:d5:12:c1:55:0c:
- 7b:42:33:ad:5c:a9:5a:75:61:dc:65:08:b0:b5:ab:d0:56:2f:
- 1b:fa:88:2f:53:2f:04:bb:e3:d6:42:73:0a:03:a3:28:79:a9:
- ba:45:4e:ac:65:9e:0f:6a:f2:b7:9a:3a:df:fd:07:cb:4b:78:
- 6a:32:91:59:d4:f6:ea:aa:0d:71:da:21:14:cf:b9:73:bd:c6:
- f2:b3:8b:b2:30:7a:83:3a:7f:09:d3:11:ef:13:dd:da:1d:b9:
- 01:11:fe:ad
------BEGIN CERTIFICATE-----
-MIIDhDCCAmygAwIBAgICEjwwDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMCQ0Ex
-EDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFDTUUxETAPBgNVBAMMCE15Um9v
-dENBMB4XDTIwMDExNzEyMTQwMloXDTI0MDExNzEyMTQwMlowezELMAkGA1UEBhMC
-Q0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRvMQ0wCwYDVQQKDARhY21l
-MQwwCgYDVQQLDANhcnQxMDAuBgNVBAMMJ3Jldm9rZWRfYnlfY2FfaW52YWxpZF9j
-cmxfcGF0aEBhY21lLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AMzjETLu2bpnWwviUkuc51TX5Mepkn5qOeC708yfbzhzlsViv7yNaeXoZz8Y2Kqr
-Z5PLwXGsfR5+QKfWCorSF347vtAOG1R8vg/eRptMWmTehwhFuU8y3yZsQmYGvWHL
-la6nlO5PYf/aGLVKQZrFxL0rro+dE4IE3yMxSl1iLA+DhxhKfM4SvAJntB7Zm0ya
-M6sMNOvcjjYKVKzBiIQmFZ6lCAvile87cSnZxzl5Be9O3VLqQgWzeyu07j7aT3in
-4znablYudFInf+XpwxF5yV9vrlgx0NGJswEJAV1EU2shr/wH5miedqvJVrAgXTb+
-4AaMu3Bs4zuSoFsN6c7k+/8CAwEAAaNMMEowMAYDVR0fBCkwJzAloCOgIYYfaHR0
-cDovL2xvY2FsaG9zdDo4MTg2L25vdC9hL2NybDAJBgNVHRMEAjAAMAsGA1UdDwQE
-AwIF4DANBgkqhkiG9w0BAQ0FAAOCAQEAcL35yJ61QMTNrzOaNRAl7y0AweN6s1Tz
-54a1pzp8TsP+w7P26eFLSCdA3DbhGMx5k0TIlngcwuM8WKM+TNdofuODxEDxKtEX
-pYlfXXK5P551eqLZc4IJTUVAhO3nmhWB4j5D68T4/0CkuRzQP+nEFyZ0EIZSxTS4
-p9QctVOsrzU1Ycd88M67TiRJATuIV3BzrRlS7rBXXgGsGBqrc9USwVUMe0IzrVyp
-WnVh3GUIsLWr0FYvG/qIL1MvBLvj1kJzCgOjKHmpukVOrGWeD2ryt5o63/0Hy0t4
-ajKRWdT26qoNcdohFM+5c73G8rOLsjB6gzp/CdMR7xPd2h25ARH+rQ==
------END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.csr b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.csr
deleted file mode 100644
index 5c04ce9..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.csr
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICwDCCAagCAQAwezELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQH
-DAdUb3JvbnRvMQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxMDAuBgNVBAMM
-J3Jldm9rZWRfYnlfY2FfaW52YWxpZF9jcmxfcGF0aEBhY21lLm9yZzCCASIwDQYJ
-KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMzjETLu2bpnWwviUkuc51TX5Mepkn5q
-OeC708yfbzhzlsViv7yNaeXoZz8Y2KqrZ5PLwXGsfR5+QKfWCorSF347vtAOG1R8
-vg/eRptMWmTehwhFuU8y3yZsQmYGvWHLla6nlO5PYf/aGLVKQZrFxL0rro+dE4IE
-3yMxSl1iLA+DhxhKfM4SvAJntB7Zm0yaM6sMNOvcjjYKVKzBiIQmFZ6lCAvile87
-cSnZxzl5Be9O3VLqQgWzeyu07j7aT3in4znablYudFInf+XpwxF5yV9vrlgx0NGJ
-swEJAV1EU2shr/wH5miedqvJVrAgXTb+4AaMu3Bs4zuSoFsN6c7k+/8CAwEAAaAA
-MA0GCSqGSIb3DQEBDQUAA4IBAQAMYJv3za9w6iCfl3/X17EWRpCxfB2uylVoF+Qn
-pk6cAaPZtPNLmzyGGsZ5Vpvm9LuISuU5ZcPCL+ocZ9yjghtiEUg5tslujuuhXyfE
-KhTj0UzSrWAKjm6KJcMu5dtxyM97sToVuU7MBR44KVdSxnzFWgL4afiVULxuJFFb
-DwTDgZZWYSeh2WeQt4bRL8dwhqvh0J+/Xilwh8kvY2yv8TXa0jgbguzPPtfcOJLN
-N9N4VvkrIXgkZSKut2U1G4eESWnCG9PP638I6j9ntA/cHbJ8TC46cEdQcYl1pPPG
-C5FC+aOr2NN/wVME/8Iib5FUKUcHJNZBrBZ3FHf1qjJcbuso
------END CERTIFICATE REQUEST-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.jks b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.jks
deleted file mode 100644
index a61e890..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.jks
+++ /dev/null
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.self.crt
deleted file mode 100644
index c7418d2..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.self.crt
+++ /dev/null
@@ -1,23 +0,0 @@
------BEGIN CERTIFICATE-----
-MIID1zCCAr+gAwIBAgIUBlNXdtg4SxQN24k7fss2AhXXmcQwDQYJKoZIhvcNAQEN
-BQAwezELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRv
-MQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxMDAuBgNVBAMMJ3Jldm9rZWRf
-YnlfY2FfaW52YWxpZF9jcmxfcGF0aEBhY21lLm9yZzAeFw0yMDAxMTcxMjE0MDJa
-Fw0yMDAyMTYxMjE0MDJaMHsxCzAJBgNVBAYTAkNBMQswCQYDVQQIDAJPTjEQMA4G
-A1UEBwwHVG9yb250bzENMAsGA1UECgwEYWNtZTEMMAoGA1UECwwDYXJ0MTAwLgYD
-VQQDDCdyZXZva2VkX2J5X2NhX2ludmFsaWRfY3JsX3BhdGhAYWNtZS5vcmcwggEi
-MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDM4xEy7tm6Z1sL4lJLnOdU1+TH
-qZJ+ajngu9PMn284c5bFYr+8jWnl6Gc/GNiqq2eTy8FxrH0efkCn1gqK0hd+O77Q
-DhtUfL4P3kabTFpk3ocIRblPMt8mbEJmBr1hy5Wup5TuT2H/2hi1SkGaxcS9K66P
-nROCBN8jMUpdYiwPg4cYSnzOErwCZ7Qe2ZtMmjOrDDTr3I42ClSswYiEJhWepQgL
-4pXvO3Ep2cc5eQXvTt1S6kIFs3srtO4+2k94p+M52m5WLnRSJ3/l6cMReclfb65Y
-MdDRibMBCQFdRFNrIa/8B+ZonnaryVawIF02/uAGjLtwbOM7kqBbDenO5Pv/AgMB
-AAGjUzBRMB0GA1UdDgQWBBQTrfcuZNAq9PBU2mYtEYj4Mx9spDAfBgNVHSMEGDAW
-gBQTrfcuZNAq9PBU2mYtEYj4Mx9spDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
-DQEBDQUAA4IBAQCWVNzJRocgQdD7JYE1X7eoet9ex2luAlu8zZVZfeNKv27QjeRg
-1n3Jz1eXMXoVlcRtuXSX6Pw1qZLtAZ07/vPPHBTnMKi5Tvc+4ho/P+UZ1vhVViV9
-Qg0+qNZ0HqiTX9i/gYhUSj8L28iOW01PYP89WDJYhh8kQJhXQbbwE84Y+r75NX7y
-TUZ+ozXJqM2dxrVVnr46bh0qTmTPlWIBKnlkemWe0VlNFFtJlDOXqEkZBaaTqKrE
-iKcxAy1wrlAyvLS69LzZnt2UrR68oQXAQITtdbY4VWSfyxOh9i56OVgw2E6seUuG
-ZdWX9oXeI01B9vV6EqFLiPn6eTPPYOukkjGg
------END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.self.key
deleted file mode 100644
index cfaeb30..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.self.key
+++ /dev/null
@@ -1,30 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIkqodAjKk8vECAggA
-MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECAO1t0BIS+B/BIIEyMK0wAf8UrpJ
-YTJ31fURI5LQ44dkuyvRWu/lIRD/kA081HXXm5eFMW3F4CvKpfbKQKHOEWYjlBbo
-tfsbZyPA2rRT3SAWZY1OZw4zLW5hXlX7yrTTEMWzrKF6i8Fia+cVTRR9D4g0aiEu
-/1RKQPoehCJm7QNKG7mxSzmUoZ/WjSmVIYTCH9cXKnbZE18Hlcc+fDIOlAxWO0nt
-n+IK+U8QzCy5Nk2LvVZSQZMPBFM/ZpTSwrTJe9iP6q+LCv59z3bzgX1i1MZJNTp/
-nYt7+C0JnFcIcnuuOWuKCkRK6txu94AxeZq3JQHRgMmdpmKvsOJ54Um2qSIblphH
-F+7D21ag/ebBLDHRnwkPzlhbP8CLR0J4XZ2KvEjhZjFGV+CokeYRcZI1fAqw7C9r
-V9EWCZxsqjPIKZd3W44TWVUrk8ij21sYJ/l3wVLeTUNCiEub1gDpWtlctGEKL6mU
-guCfMIK8ZZ04KQjKHqeiPmSEdJoHWrT6EyFzi+ZOL/bjeJ5uA5jrgYDWuy0Nhii4
-DbMVCm3EItAKDUq0bDJEGkDSiP7gVEiLThc++skeM/kqqECAwFNRiNPCI/XLuUoe
-JEGoubfc4XTfUPwJbfgrXE+QsgP/k5m38LjOITmkIsevzUxDV1ymHE6J9aQFwh6T
-lUeRq9zy7RsGze4letY7OXgoq2ISwPwqvgUfDBE3Upo1ZzLtfwlGkAgbyUmqA0oF
-fC3UU6QZizk1qh/OnjaIpElRjGnEnH0yo/jasypZ2V3zUaAJ1UJh2Q5OQrBkyzGM
-C7LNcRPC1o18LrO19rtgtk6ysHG21oqwXe5W/xxwif5ouL880vJYsq2fEHLHkcfw
-u9tG02p1dtZUSbgBoLRlhP/S5gwf9mzIKgtOL10zliTw0fiklh+dDsWij5s56jLr
-IuIm1s9XrQFaSAJEEw1xtMNGkasKnXDZjvfSqBOLaXn6AhqrJRknTDsJr6bbVTiY
-SL6Gjo9Jpjcqo6rKN0cutFqGx7JfNsjwaVEwi0UkpJ7NuF6AKuHqZP0WWDLOWUgB
-f2ocal3AzCRienQRWhqwIaVnt0jTWwOTx69dHeaHSwsH7B9Ka8w61dcCLnE4bQHQ
-qpxDqDMh1T0G4nwodcR0ZBA88IBbx59lSvvIKFtJJ2CTcwDibhjs14iWopIP6DHR
-aiS8xxjlVhBnn2GuKSKs8hJn0+JxUJquh8C0zp0PWE0HC9gUBNfx4Y1i2qL/dd6n
-5vtWaq7mjpaXR6Nk+EPQ4kGBelx5ELzSbhc2bS0dnyWtGzTrMu3m3J89bBMFPLe1
-QaU5b/1hRDCJdLAnsAg6P6ekpC+NSECRQhd18PQqgWexEM99O31+aWz6+JTXkCxY
-PutnAU4OwcW+80h1Xt0tXrshMEJJ9U6DnvJ30yP0pClp+jhA4mPggMf4Rabo4VGq
-jI2P6l2ksxe8WEquwpw5AbpKS9pYjjo52nFVzKF7G3T88eWcfaX3lYyN13iXh2EA
-BcH+ad2Ux1eOPtSVrCLyWd2MXehZ5gmdeUsOnwccOB3gppTQNAK9Cq2mqfRx0foO
-GDC+Bpl5xdzEkg3YQ9n+aXYmY7vCGO9B3nWDp31J6JVv3x2m1UdCXzr35xIXE2K5
-5nrg58gwOIVCLeQlazWIeA==
------END ENCRYPTED PRIVATE KEY-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/test_cert_only_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/test_cert_only_keystore.jks
deleted file mode 100644
index a4648a0..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/test_cert_only_keystore.jks
+++ /dev/null
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/test_empty_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/test_empty_keystore.jks
deleted file mode 100644
index 4eebca7..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/test_empty_keystore.jks
+++ /dev/null
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/test_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/test_keystore.jks
deleted file mode 100644
index c6dd178..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/test_keystore.jks
+++ /dev/null
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/test_pk_only_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/test_pk_only_keystore.jks
deleted file mode 100644
index 6e7fc6c..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/test_pk_only_keystore.jks
+++ /dev/null
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/test_symmetric_key_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/test_symmetric_key_keystore.jks
deleted file mode 100644
index 129593a..0000000
--- a/qpid-test-utils/src/main/resources/ssl/certificates/test_symmetric_key_keystore.jks
+++ /dev/null
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/generate_certificates.sh b/qpid-test-utils/src/main/resources/ssl/generate_certificates.sh
deleted file mode 100755
index 636d6d5..0000000
--- a/qpid-test-utils/src/main/resources/ssl/generate_certificates.sh
+++ /dev/null
@@ -1,370 +0,0 @@
-#!/bin/sh
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-
-MY_PATH="$(dirname "$(readlink -f "$0")")"
-CRL_HTTP_PORT=8186
-PASSWORD=password
-ROOT_CA=MyRootCA
-INTERMEDIATE_CA=intermediate_ca
-OPENSSL_DIR="$MY_PATH/openssl"
-OPENSSL_CONF="$OPENSSL_DIR/openssl.conf"
-CERTIFICATES_DIR="$MY_PATH/certificates"
-VALID_DAYS=1461
-
-CLIENT_KEYSTORE="$CERTIFICATES_DIR/client_keystore.jks"
-CLIENT_TRUSTSTORE="$CERTIFICATES_DIR/client_truststore.jks"
-CLIENT_EXPIRED_KEYSTORE="$CERTIFICATES_DIR/client_expired_keystore.jks"
-CLIENT_EXPIRED_CRT="$CERTIFICATES_DIR/client_expired.crt"
-CLIENT_UNTRUSTED_KEYSTORE="$CERTIFICATES_DIR/client_untrusted_keystore.jks"
-
-BROKER_KEYSTORE="$CERTIFICATES_DIR/broker_keystore.jks"
-BROKER_TRUSTSTORE="$CERTIFICATES_DIR/broker_truststore.jks"
-BROKER_PEERSTORE="$CERTIFICATES_DIR/broker_peerstore.jks"
-BROKER_EXPIRED_TRUSTSTORE="$CERTIFICATES_DIR/broker_expired_truststore.jks"
-BROKER_CRT="$CERTIFICATES_DIR/broker.crt"
-BROKER_CSR="$CERTIFICATES_DIR/broker.csr"
-BROKER_ALIAS="broker"
-
-TEST_KEYSTORE="$CERTIFICATES_DIR/test_keystore.jks"
-TEST_PK_ONLY_KEYSTORE="$CERTIFICATES_DIR/test_pk_only_keystore.jks"
-TEST_CERT_ONLY_KEYSTORE="$CERTIFICATES_DIR/test_cert_only_keystore.jks"
-TEST_SYMMETRIC_KEY_KEYSTORE="$CERTIFICATES_DIR/test_symmetric_key_keystore.jks"
-TEST_EMPTY_KEYSTORE="$CERTIFICATES_DIR/test_empty_keystore.jks"
-
-# set to true for debug
-DEBUG=false
-
-generate_selfsigned_ca()
-{
- echo "Generating selfsigned CA certificate"
- openssl req -x509 -newkey rsa:2048 -keyout "$CERTIFICATES_DIR/$ROOT_CA.key" -out "$CERTIFICATES_DIR/$ROOT_CA.crt" -days 1461 -subj '/C=CA/ST=Ontario/O=ACME/CN=MyRootCA' -passout pass:$PASSWORD -sha512 && \
- keytool -import -alias rootca -file "$CERTIFICATES_DIR/$ROOT_CA.crt" -storepass "$PASSWORD" -noprompt -deststoretype PKCS12 -keystore "$CLIENT_KEYSTORE" && \
- keytool -import -alias rootca -file "$CERTIFICATES_DIR/$ROOT_CA.crt" -storepass "$PASSWORD" -noprompt -deststoretype PKCS12 -keystore "$CLIENT_TRUSTSTORE" && \
- keytool -import -alias rootca -file "$CERTIFICATES_DIR/$ROOT_CA.crt" -storepass "$PASSWORD" -noprompt -deststoretype PKCS12 -keystore "$BROKER_KEYSTORE" && \
- keytool -import -alias rootca -file "$CERTIFICATES_DIR/$ROOT_CA.crt" -storepass "$PASSWORD" -noprompt -deststoretype PKCS12 -keystore "$BROKER_TRUSTSTORE"
- _rc=$?
- if [ $_rc -eq 0 ]; then
- echo "Selfsigned CA certificate successfully generated"
- else
- echo "Failed to generate selfsigned CA certificate" >&2
- fi
- return $_rc
-}
-
-prepare_openssl_environment()
-{
- echo "Preparing openssl environment"
- rm -rf "$CERTIFICATES_DIR" && \
- mkdir "$CERTIFICATES_DIR" && \
- rm -rf "$OPENSSL_DIR" && \
- mkdir "$OPENSSL_DIR" && \
- cp "$MY_PATH/openssl.conf" "$OPENSSL_DIR" && \
- sed -i "s|^dir = .|dir = $OPENSSL_DIR|" "$OPENSSL_CONF" && \
- echo 1234 > "$OPENSSL_DIR"/serial && \
- echo 1234 > "$OPENSSL_DIR"/crlnumber && \
- touch "$OPENSSL_DIR"/index.txt && \
- echo "unique_subject = no" > "$OPENSSL_DIR"/index.txt.attr && \
- mkdir "$OPENSSL_DIR"/newcerts
- _rc=$?
- if [ $_rc -eq 0 ]; then
- echo "Openssl environment successfully prepared"
- else
- echo "Failed to prepare openssl environment" >&2
- fi
- return $_rc
-}
-
-# $1 - alias
-generate_signed_certificate()
-{
- _alias=$1
- _subject="/C=CA/ST=ON/L=Toronto/O=acme/OU=art/CN=$_alias@acme.org"
- echo "Generating CA signed certificate '$_alias'"
- openssl req -x509 -newkey rsa:2048 -keyout "$CERTIFICATES_DIR/$_alias.self.key" -out "$CERTIFICATES_DIR/$_alias.self.crt" -subj "$_subject" -sha512 -passout pass:$PASSWORD && \
- openssl req -config "$OPENSSL_CONF" -new -key "$CERTIFICATES_DIR/$_alias.self.key" -out "$CERTIFICATES_DIR/$_alias.csr" -sha512 -subj "$_subject" -passin pass:$PASSWORD && \
- openssl ca -config "$OPENSSL_CONF" -md sha512 -extensions v3_req -batch -passin pass:$PASSWORD -out "$CERTIFICATES_DIR/$_alias.crt" -keyfile "$CERTIFICATES_DIR/$ROOT_CA.key" -cert "$CERTIFICATES_DIR/$ROOT_CA.crt" -days $VALID_DAYS -infiles "$CERTIFICATES_DIR/$_alias.csr" && \
- openssl pkcs12 -export -chain -CAfile "$CERTIFICATES_DIR/$ROOT_CA.crt" -in "$CERTIFICATES_DIR/$_alias.crt" -inkey "$CERTIFICATES_DIR/$_alias.self.key" -out "$CERTIFICATES_DIR/$_alias.jks" -name $_alias -passin pass:"$PASSWORD" -passout pass:"$PASSWORD" && \
- keytool -importkeystore -srckeystore "$CERTIFICATES_DIR/$_alias.jks" -srcstoretype PKCS12 -storepass "$PASSWORD" -srcstorepass "$PASSWORD" -alias $_alias -deststoretype PKCS12 -destkeystore "$CLIENT_KEYSTORE"
- _rc=$?
- if [ $_rc -eq 0 ]; then
- echo "CA signed certificate '$_alias' successfully generated"
- else
- echo "Failed to generate CA signed certificate '$_alias'" >&2
- fi
- return $_rc
-}
-
-# $1 - certificate alias
-generate_signed_certificate_with_intermediate_signed_certificate()
-{
- _alias=$1
- _intermediate_ca_subject="/C=CA/ST=ON/L=Toronto/O=acme/OU=art/CN=$INTERMEDIATE_CA@acme.org"
- _subject="/C=CA/ST=ON/L=Toronto/O=acme/OU=art/CN=$_alias@acme.org"
- echo "Generating CA signed certificate '$_alias' with intermediate CA certificate '$INTERMEDIATE_CA'"
- openssl req -x509 -newkey rsa:2048 -keyout "$CERTIFICATES_DIR/$INTERMEDIATE_CA.self.key" -out "$CERTIFICATES_DIR/$INTERMEDIATE_CA.self.crt" -subj "$_intermediate_ca_subject" -sha512 -passout pass:$PASSWORD && \
- openssl req -config "$OPENSSL_CONF" -verbose -new -key "$CERTIFICATES_DIR/$INTERMEDIATE_CA.self.key" -out "$CERTIFICATES_DIR/$INTERMEDIATE_CA.csr" -sha512 -subj "$_intermediate_ca_subject" -passin pass:$PASSWORD && \
- openssl ca -config "$OPENSSL_CONF" -md sha512 -extensions v3_ca -batch -passin pass:$PASSWORD -out "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crt" -keyfile "$CERTIFICATES_DIR/$ROOT_CA.key" -cert "$CERTIFICATES_DIR/$ROOT_CA.crt" -days $VALID_DAYS -infiles "$CERTIFICATES_DIR/$INTERMEDIATE_CA.csr" && \
- openssl pkcs12 -export -chain -CAfile "$CERTIFICATES_DIR/$ROOT_CA.crt" -in "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crt" -inkey "$CERTIFICATES_DIR/$INTERMEDIATE_CA.self.key" -out "$CERTIFICATES_DIR/$INTERMEDIATE_CA.jks" -name $INTERMEDIATE_CA -passin pass:"$PASSWORD" -passout pass:"$PASSWORD"
- echo "Generating CA signed certificate for '$_alias'" && \
- openssl req -x509 -newkey rsa:2048 -keyout "$CERTIFICATES_DIR/$_alias.self.key" -out "$CERTIFICATES_DIR/$_alias.self.crt" -subj "$_subject" -sha512 -passout pass:$PASSWORD && \
- openssl req -config "$OPENSSL_CONF" -verbose -new -key "$CERTIFICATES_DIR/$_alias.self.key" -out "$CERTIFICATES_DIR/$_alias.csr" -sha512 -subj "$_subject" -passin pass:$PASSWORD && \
- openssl ca -config "$OPENSSL_CONF" -md sha512 -extensions v3_req -batch -passin pass:$PASSWORD -out "$CERTIFICATES_DIR/$_alias.crt" -keyfile "$CERTIFICATES_DIR/$INTERMEDIATE_CA.self.key" -cert "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crt" -days $VALID_DAYS -infiles "$CERTIFICATES_DIR/$_alias.csr" && \
- cat "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crt" "$CERTIFICATES_DIR/$ROOT_CA.crt" > "$CERTIFICATES_DIR/chain_with_intermediate.crt"
- openssl pkcs12 -export -chain -CAfile "$CERTIFICATES_DIR/chain_with_intermediate.crt" -in "$CERTIFICATES_DIR/$_alias.crt" -inkey "$CERTIFICATES_DIR/$_alias.self.key" -out "$CERTIFICATES_DIR/$_alias.jks" -name $_alias -passin pass:"$PASSWORD" -passout pass:"$PASSWORD" && \
- keytool -importkeystore -srckeystore "$CERTIFICATES_DIR/$_alias.jks" -srcstoretype PKCS12 -storepass "$PASSWORD" -srcstorepass "$PASSWORD" -alias $_alias -deststoretype PKCS12 -destkeystore "$CLIENT_KEYSTORE"
- _rc=$?
- if [ $_rc -eq 0 ]; then
- echo "CA signed certificate '$_alias' with intermediate CA certificate '$INTERMEDIATE_CA' successfully generated"
- else
- echo "Failed to generate CA signed certificate '$_alias' with intermediate CA certificate '$INTERMEDIATE_CA'" >&2
- fi
- return $_rc
-}
-
-generate_expired_certificate()
-{
- _alias=user1
- echo "Generating expired certificate '$_alias'"
- keytool -genkeypair -alias $_alias -dname CN=USER1 -startdate "2010/01/01 12:00:00" -validity $VALID_DAYS -keysize 2048 -keyalg RSA -sigalg SHA512withRSA -keypass "$PASSWORD" -storepass "$PASSWORD" -deststoretype PKCS12 -keystore "$CLIENT_EXPIRED_KEYSTORE" && \
- keytool -exportcert -keystore "$CLIENT_EXPIRED_KEYSTORE" -storepass "$PASSWORD" -alias $_alias -rfc -file "$CLIENT_EXPIRED_CRT" && \
- keytool -import -alias $_alias -file "$CLIENT_EXPIRED_CRT" -storepass "$PASSWORD" -noprompt -deststoretype PKCS12 -sigalg SHA512withRSA -keystore "$BROKER_EXPIRED_TRUSTSTORE"
- _rc=$?
- if [ $_rc -eq 0 ]; then
- echo "Expired certificate '$_alias' successfully generated"
- else
- echo "Failed to generate expired certificate '$_alias'" >&2
- fi
- return $_rc
-}
-
-generate_signed_broker_certificate()
-{
- _subject="/C=CA/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=localhost"
- echo "Generating CA signed certificate '$BROKER_ALIAS'"
- openssl req -x509 -newkey rsa:2048 -keyout "$CERTIFICATES_DIR/$BROKER_ALIAS.self.key" -out "$CERTIFICATES_DIR/$BROKER_ALIAS.self.crt" -subj "$_subject" -passout pass:$PASSWORD && \
- openssl req -config "$OPENSSL_CONF" -verbose -new -key "$CERTIFICATES_DIR/$BROKER_ALIAS.self.key" -out "$BROKER_CSR" -sha512 -subj "$_subject" -passin pass:$PASSWORD && \
- openssl ca -config "$OPENSSL_CONF" -md sha512 -extensions v3_req -batch -passin pass:$PASSWORD -out "$BROKER_CRT" -keyfile "$CERTIFICATES_DIR/$ROOT_CA.key" -cert "$CERTIFICATES_DIR/$ROOT_CA.crt" -days $VALID_DAYS -infiles "$BROKER_CSR" && \
- openssl pkcs12 -export -chain -CAfile "$CERTIFICATES_DIR/$ROOT_CA.crt" -in "$BROKER_CRT" -inkey "$CERTIFICATES_DIR/$BROKER_ALIAS.self.key" -out "$CERTIFICATES_DIR/$BROKER_ALIAS.jks" -name $BROKER_ALIAS -passin pass:"$PASSWORD" -passout pass:"$PASSWORD" && \
- keytool -importkeystore -srckeystore "$CERTIFICATES_DIR/$BROKER_ALIAS.jks" -srcstoretype PKCS12 -storepass "$PASSWORD" -srcstorepass "$PASSWORD" -alias $BROKER_ALIAS -deststoretype PKCS12 -destkeystore "$BROKER_KEYSTORE"
- _rc=$?
- if [ $_rc -eq 0 ]; then
- echo "CA signed certificate '$BROKER_ALIAS' successfully generated"
- else
- echo "Failed to generate CA signed certificate '$BROKER_ALIAS'" >&2
- fi
- return $_rc
-}
-
-# $1 - certificate alias
-# $2 - keystore where certificate will be imported
-import_to_keystore()
-{
- _alias=$1
- _keystore="$2"
-
- echo "Importing certificate '$_alias' to keystore '$_keystore'"
- keytool -import -alias $_alias -file "$CERTIFICATES_DIR/$_alias.crt" -storepass "$PASSWORD" -noprompt -deststoretype PKCS12 -sigalg SHA512withRSA -keystore "$_keystore"
- _rc=$?
- if [ $_rc -eq 0 ]; then
- echo "Certificate '$_alias' successfully imported to keystore '$_keystore'"
- else
- echo "Failed to import certificate '$_alias' to keystore '$_keystore'" >&2
- fi
- return $_rc
-}
-
-generate_untrusted_client_certificate()
-{
- _alias=untrusted_client
-
- echo "Generating untrusted certificate '$_alias'"
- keytool -genkeypair -alias $_alias -dname CN=$_alias -validity $VALID_DAYS -keysize 2048 -keyalg RSA -sigalg SHA512withRSA -keypass "$PASSWORD" -storepass "$PASSWORD" -deststoretype PKCS12 -keystore "$CLIENT_UNTRUSTED_KEYSTORE"
- _rc=$?
- if [ $_rc -eq 0 ]; then
- echo "Untrusted certificate '$_alias' successfully generated"
- else
- echo "Failed to generate untrusted certificate '$_alias'" >&2
- fi
- return $_rc
-}
-
-add_certificate_crl_distribution_point()
-{
- echo "Add CRL distribution points to openssl configuration"
- sed -i "/\[ v3_req \]/a crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/$ROOT_CA.crl" "$OPENSSL_CONF" && \
- sed -i "/\[ v3_ca \]/a crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/$ROOT_CA.crl" "$OPENSSL_CONF"
- _rc=$?
- if [ $_rc -eq 0 ]; then
- echo "CRL distribution points successfully addded"
- else
- echo "Failed to add CRL distribution points" >&2
- fi
- return $_rc
-}
-
-set_certificate_crl_distribution_point_to_intermediate_ca()
-{
- echo "Setting CRL distribution point for intermediate CA certificate '$INTERMEDIATE_CA'"
- sed -i -z "s|crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/$ROOT_CA.crl|crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/$INTERMEDIATE_CA.crl|" "$OPENSSL_CONF"
- _rc=$?
- if [ $_rc -eq 0 ]; then
- echo "CRL distribution point for intermediate CA certificate '$INTERMEDIATE_CA' successfully set"
- else
- echo "Failed to set CRL distribution point for intermediate CA certificate '$INTERMEDIATE_CA'" >&2
- fi
- return $_rc
-}
-
-set_certificate_crl_distribution_point_to_empty_crl()
-{
- echo "Setting CRL distribution point to empty CRL"
- sed -i -z "s|crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/$INTERMEDIATE_CA.crl|crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/$ROOT_CA.empty.crl|" "$OPENSSL_CONF"
- _rc=$?
- if [ $_rc -eq 0 ]; then
- echo "CRL distribution point to empty CRL successfully set"
- else
- echo "Failed to set CRL distribution to empty CRL" >&2
- fi
- return $_rc
-}
-
-set_certificate_crl_distribution_point_to_invalid_crl_path()
-{
- echo "Setting CRL distribution point to invalid CRL path"
- sed -i "s|crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/$ROOT_CA.empty.crl|crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/not/a/crl|" "$OPENSSL_CONF"
- _rc=$?
- if [ $_rc -eq 0 ]; then
- echo "CRL distribution point to invalid CRL path successfully set"
- else
- echo "Failed to set CRL distribution to invalid CRL path" >&2
- fi
- return $_rc
-}
-
-generate_intermediate_crl()
-{
- echo "Generating intermediate CA certificate '$INTERMEDIATE_CA' CRL"
- openssl ca -config "$OPENSSL_CONF" -passin pass:$PASSWORD -gencrl -keyfile "$CERTIFICATES_DIR/$INTERMEDIATE_CA.self.key" -cert "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crt" -out "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crl.pem" && \
- openssl crl -inform PEM -in "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crl.pem" -outform DER -out "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crl"
- _rc=$?
- if [ $_rc -eq 0 ]; then
- echo "Intermediate CA certificate '$INTERMEDIATE_CA' CRL successfully generated"
- else
- echo "Failed to generate intermediate CA certificate '$INTERMEDIATE_CA' CRL" >&2
- fi
- return $_rc
-}
-
-
-# $1 - part of CRL file name
-generate_crl()
-{
- _crl_name_part=$1
- _crl_path_prefix=
- if [ -n "$_crl_name_part" ]; then
- _crl_path_prefix="$CERTIFICATES_DIR/$ROOT_CA.$_crl_name_part"
- else
- _crl_path_prefix="$CERTIFICATES_DIR/$ROOT_CA"
- fi
-
- echo "Generating certificate '$ROOT_CA' CRL to '$_crl_path_prefix'"
- openssl ca -config "$OPENSSL_CONF" -passin pass:$PASSWORD -gencrl -keyfile "$CERTIFICATES_DIR/$ROOT_CA.key" -cert "$CERTIFICATES_DIR/$ROOT_CA.crt" -out "$_crl_path_prefix.crl.pem" && \
- openssl crl -inform PEM -in "$_crl_path_prefix.crl.pem" -outform DER -out "$_crl_path_prefix.crl"
- _rc=$?
- if [ $_rc -eq 0 ]; then
- echo "Certificate '$ROOT_CA' CRL successfully generated to '$_crl_path_prefix'"
- else
- echo "Failed to generate certificate '$ROOT_CA' CRL to '$_crl_path_prefix'" >&2
- fi
- return $_rc
-}
-
-revoke_certificate()
-{
- _alias=$1
-
- echo "Revoking certificate '$_alias'"
- openssl ca -config "$OPENSSL_CONF" -passin pass:$PASSWORD -revoke "$CERTIFICATES_DIR/$_alias.crt" -keyfile "$CERTIFICATES_DIR/$ROOT_CA.key" -cert "$CERTIFICATES_DIR/$ROOT_CA.crt"
- _rc=$?
- if [ $_rc -eq 0 ]; then
- echo "Certificate '$_alias' successfully revoked"
- else
- echo "Failed to revoke certificate '$_alias'" >&2
- fi
- return $_rc
-}
-
-prepare_test_keystores()
-{
- echo "Preparing test keystores"
- cp "$BROKER_KEYSTORE" "$TEST_KEYSTORE" && \
- import_to_keystore "app1" "$TEST_KEYSTORE" && \
- import_to_keystore "app2" "$TEST_KEYSTORE" && \
- cp "$BROKER_KEYSTORE" "$TEST_PK_ONLY_KEYSTORE" && \
- keytool -delete -v -alias rootca -storepass password -keystore "$TEST_PK_ONLY_KEYSTORE" && \
- cp "$BROKER_KEYSTORE" "$TEST_CERT_ONLY_KEYSTORE" && \
- keytool -delete -v -alias $BROKER_ALIAS -storepass password -keystore "$TEST_CERT_ONLY_KEYSTORE" && \
- cp "$BROKER_KEYSTORE" "$TEST_SYMMETRIC_KEY_KEYSTORE" && \
- keytool -genseckey -alias testalias -keyalg AES -keysize 256 -storetype PKCS12 -storepass "$PASSWORD" -keystore "$TEST_SYMMETRIC_KEY_KEYSTORE" && \
- cp "$TEST_PK_ONLY_KEYSTORE" "$TEST_EMPTY_KEYSTORE"
- keytool -delete -v -alias $BROKER_ALIAS -storepass password -keystore "$TEST_EMPTY_KEYSTORE" && \
- _rc=$?
- if [ $_rc -eq 0 ]; then
- echo "Test keystores prepared"
- else
- echo "Failed to prepare keystores" >&2
- fi
- return $_rc
-}
-
-main()
-{
- prepare_openssl_environment && \
- generate_selfsigned_ca && \
- generate_signed_certificate "app1" && \
- generate_signed_certificate "app2" && \
- generate_expired_certificate && \
- generate_signed_broker_certificate && \
- import_to_keystore "app1" "$BROKER_PEERSTORE" && \
- generate_untrusted_client_certificate && \
- add_certificate_crl_distribution_point && \
- generate_signed_certificate "allowed_by_ca" && \
- generate_signed_certificate "revoked_by_ca" && \
- set_certificate_crl_distribution_point_to_intermediate_ca && \
- generate_signed_certificate_with_intermediate_signed_certificate "allowed_by_ca_with_intermediate" && \
- generate_intermediate_crl && \
- set_certificate_crl_distribution_point_to_empty_crl && \
- generate_signed_certificate "revoked_by_ca_empty_crl" && \
- set_certificate_crl_distribution_point_to_invalid_crl_path && \
- generate_signed_certificate "revoked_by_ca_invalid_crl_path" && \
- generate_crl "empty" && \
- revoke_certificate "$INTERMEDIATE_CA" && \
- revoke_certificate "revoked_by_ca" && \
- revoke_certificate "revoked_by_ca_empty_crl" && \
- revoke_certificate "revoked_by_ca_invalid_crl_path" && \
- generate_crl && \
- prepare_test_keystores
-}
-
-if [ "$DEBUG" = true ]; then
- main
-else
- main 2>/dev/null 1>&2
-fi
diff --git a/qpid-test-utils/src/main/resources/ssl/openssl.conf b/qpid-test-utils/src/main/resources/ssl/openssl.conf
deleted file mode 100644
index ad224d7..0000000
--- a/qpid-test-utils/src/main/resources/ssl/openssl.conf
+++ /dev/null
@@ -1,380 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-
-#
-# OpenSSL example configuration file.
-# This is mostly being used for generation of certificate requests.
-#
-
-# Note that you can include other files from the main configuration
-# file using the .include directive.
-#.include filename
-
-# This definition stops the following lines choking if HOME isn't
-# defined.
-HOME = .
-
-# Extra OBJECT IDENTIFIER info:
-#oid_file = $ENV::HOME/.oid
-oid_section = new_oids
-
-# System default
-openssl_conf = default_conf
-
-# To use this configuration file with the "-extfile" option of the
-# "openssl x509" utility, name here the section containing the
-# X.509v3 extensions to use:
-# extensions =
-# (Alternatively, use a configuration file that has only
-# X.509v3 extensions in its main [= default] section.)
-
-[ new_oids ]
-
-# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
-# Add a simple OID like this:
-# testoid1=1.2.3.4
-# Or use config file substitution like this:
-# testoid2=${testoid1}.5.6
-
-# Policies used by the TSA examples.
-tsa_policy1 = 1.2.3.4.1
-tsa_policy2 = 1.2.3.4.5.6
-tsa_policy3 = 1.2.3.4.5.7
-
-####################################################################
-[ ca ]
-default_ca = CA_default # The default ca section
-
-####################################################################
-[ CA_default ]
-
-dir = .
-certs = $dir/certs # Where the issued certs are kept
-crl_dir = $dir/crl # Where the issued crl are kept
-database = $dir/index.txt # database index file.
-#unique_subject = no # Set to 'no' to allow creation of
- # several certs with same subject.
-new_certs_dir = $dir/newcerts # default place for new certs.
-
-certificate = $dir/cacert.pem # The CA certificate
-serial = $dir/serial # The current serial number
-crlnumber = $dir/crlnumber # the current crl number
- # must be commented out to leave a V1 CRL
-crl = $dir/crl.pem # The current CRL
-private_key = $dir/private/cakey.pem# The private key
-
-x509_extensions = usr_cert # The extensions to add to the cert
-
-# Comment out the following two lines for the "traditional"
-# (and highly broken) format.
-name_opt = ca_default # Subject Name options
-cert_opt = ca_default # Certificate field options
-
-# Extension copying option: use with caution.
-# copy_extensions = copy
-
-# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
-# so this is commented out by default to leave a V1 CRL.
-# crlnumber must also be commented out to leave a V1 CRL.
-# crl_extensions = crl_ext
-
-default_days = 365 # how long to certify for
-default_crl_days= 30 # how long before next CRL
-default_md = default # use public key default MD
-preserve = no # keep passed DN ordering
-
-# A few difference way of specifying how similar the request should look
-# For type CA, the listed attributes must be the same, and the optional
-# and supplied fields are just that :-)
-policy = policy_match
-
-# For the CA policy
-[ policy_match ]
-countryName = optional
-stateOrProvinceName = optional
-localityName = optional
-organizationName = optional
-organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-
-# For the 'anything' policy
-# At this point in time, you must list all acceptable 'object'
-# types.
-[ policy_anything ]
-countryName = optional
-stateOrProvinceName = optional
-localityName = optional
-organizationName = optional
-organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-
-####################################################################
-[ req ]
-default_bits = 2048
-default_keyfile = privkey.pem
-distinguished_name = req_distinguished_name
-attributes = req_attributes
-x509_extensions = v3_ca # The extensions to add to the self signed cert
-
-# Passwords for private keys if not present they will be prompted for
-# input_password = secret
-# output_password = secret
-
-# This sets a mask for permitted string types. There are several options.
-# default: PrintableString, T61String, BMPString.
-# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
-# utf8only: only UTF8Strings (PKIX recommendation after 2004).
-# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
-# MASK:XXXX a literal mask value.
-# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
-string_mask = utf8only
-
-# req_extensions = v3_req # The extensions to add to a certificate request
-
-[ req_distinguished_name ]
-countryName = Country Name (2 letter code)
-countryName_default = AU
-countryName_min = 2
-countryName_max = 2
-
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Some-State
-
-localityName = Locality Name (eg, city)
-
-0.organizationName = Organization Name (eg, company)
-0.organizationName_default = Internet Widgits Pty Ltd
-
-# we can do this but it is not needed normally :-)
-#1.organizationName = Second Organization Name (eg, company)
-#1.organizationName_default = World Wide Web Pty Ltd
-
-organizationalUnitName = Organizational Unit Name (eg, section)
-#organizationalUnitName_default =
-
-commonName = Common Name (e.g. server FQDN or YOUR name)
-commonName_max = 64
-
-emailAddress = Email Address
-emailAddress_max = 64
-
-# SET-ex3 = SET extension number 3
-
-[ req_attributes ]
-challengePassword = A challenge password
-challengePassword_min = 4
-challengePassword_max = 20
-
-unstructuredName = An optional company name
-
-[ usr_cert ]
-
-# These extensions are added when 'ca' signs a request.
-
-# This goes against PKIX guidelines but some CAs do it and some software
-# requires this to avoid interpreting an end user certificate as a CA.
-
-basicConstraints=CA:FALSE
-
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-# nsCertType = server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
-# This is typical in keyUsage for a client certificate.
-# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-# This will be displayed in Netscape's comment listbox.
-nsComment = "OpenSSL Generated Certificate"
-
-# PKIX recommendations harmless if included in all certificates.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
-
-# This stuff is for subjectAltName and issuerAltname.
-# Import the email address.
-# subjectAltName=email:copy
-# An alternative to produce certificates that aren't
-# deprecated according to PKIX.
-# subjectAltName=email:move
-
-# Copy subject details
-# issuerAltName=issuer:copy
-
-#nsCaRevocationUrl
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
-# This is required for TSA certificates.
-# extendedKeyUsage = critical,timeStamping
-
-[ v3_req ]
-
-# Extensions to add to a certificate request
-
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-[ v3_ca ]
-
-# Extensions for a typical CA
-
-# PKIX recommendation.
-
-subjectKeyIdentifier=hash
-
-authorityKeyIdentifier=keyid:always,issuer
-
-basicConstraints = critical,CA:true
-
-# Key usage: this is typical for a CA certificate. However since it will
-# prevent it being used as an test self-signed certificate it is best
-# left out by default.
-# keyUsage = cRLSign, keyCertSign
-
-# Some might want this also
-# nsCertType = sslCA, emailCA
-
-# Include email address in subject alt name: another PKIX recommendation
-# subjectAltName=email:copy
-# Copy issuer details
-# issuerAltName=issuer:copy
-
-# DER hex encoding of an extension: beware experts only!
-# obj=DER:02:03
-# Where 'obj' is a standard or added object
-# You can even override a supported extension:
-# basicConstraints= critical, DER:30:03:01:01:FF
-
-[ crl_ext ]
-
-# CRL extensions.
-# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
-
-# issuerAltName=issuer:copy
-authorityKeyIdentifier=keyid:always
-
-[ proxy_cert_ext ]
-# These extensions should be added when creating a proxy certificate
-
-# This goes against PKIX guidelines but some CAs do it and some software
-# requires this to avoid interpreting an end user certificate as a CA.
-
-basicConstraints=CA:FALSE
-
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-# nsCertType = server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
-# This is typical in keyUsage for a client certificate.
-# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-# This will be displayed in Netscape's comment listbox.
-nsComment = "OpenSSL Generated Certificate"
-
-# PKIX recommendations harmless if included in all certificates.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
-
-# This stuff is for subjectAltName and issuerAltname.
-# Import the email address.
-# subjectAltName=email:copy
-# An alternative to produce certificates that aren't
-# deprecated according to PKIX.
-# subjectAltName=email:move
-
-# Copy subject details
-# issuerAltName=issuer:copy
-
-#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
-# This really needs to be in place for it to be a proxy certificate.
-proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
-
-####################################################################
-[ tsa ]
-
-default_tsa = tsa_config1 # the default TSA section
-
-[ tsa_config1 ]
-
-# These are used by the TSA reply generation only.
-dir = ./demoCA # TSA root directory
-serial = $dir/tsaserial # The current serial number (mandatory)
-crypto_device = builtin # OpenSSL engine to use for signing
-signer_cert = $dir/tsacert.pem # The TSA signing certificate
- # (optional)
-certs = $dir/cacert.pem # Certificate chain to include in reply
- # (optional)
-signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
-signer_digest = sha512 # Signing digest to use. (Optional)
-default_policy = tsa_policy1 # Policy if request did not specify it
- # (optional)
-other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
-digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
-accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
-clock_precision_digits = 0 # number of digits after dot. (optional)
-ordering = yes # Is ordering defined for timestamps?
- # (optional, default: no)
-tsa_name = yes # Must the TSA name be included in the reply?
- # (optional, default: no)
-ess_cert_id_chain = no # Must the ESS cert id chain be included?
- # (optional, default: no)
-ess_cert_id_alg = sha1 # algorithm to compute certificate
- # identifier (optional, default: sha1)
-[default_conf]
-ssl_conf = ssl_sect
-
-[ssl_sect]
-system_default = system_default_sect
-
-[system_default_sect]
-MinProtocol = TLSv1.2
-CipherString = DEFAULT@SECLEVEL=2
diff --git a/systests/qpid-systests-http-management/src/main/java/org/apache/qpid/tests/http/HttpTestHelper.java b/systests/qpid-systests-http-management/src/main/java/org/apache/qpid/tests/http/HttpTestHelper.java
index a2b94ad..4addf67 100644
--- a/systests/qpid-systests-http-management/src/main/java/org/apache/qpid/tests/http/HttpTestHelper.java
+++ b/systests/qpid-systests-http-management/src/main/java/org/apache/qpid/tests/http/HttpTestHelper.java
@@ -21,7 +21,6 @@
package org.apache.qpid.tests.http;
import static java.nio.charset.StandardCharsets.UTF_8;
-import static org.apache.qpid.test.utils.TestSSLConstants.JAVA_KEYSTORE_TYPE;
import java.io.ByteArrayInputStream;
import java.io.IOException;
@@ -349,11 +348,11 @@
try
{
URL ks = new URL(keystore);
- _keyStore = SSLUtil.getInitializedKeyStore(ks, password, JAVA_KEYSTORE_TYPE);
+ _keyStore = SSLUtil.getInitializedKeyStore(ks, password, KeyStore.getDefaultType());
}
catch (MalformedURLException e)
{
- _keyStore = SSLUtil.getInitializedKeyStore(keystore, password, JAVA_KEYSTORE_TYPE);
+ _keyStore = SSLUtil.getInitializedKeyStore(keystore, password, KeyStore.getDefaultType());
}
}
else
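Review bot: The two `KeyStore.getDefaultType()` calls replace a fixed store type with whatever the running JVM's `keystore.type` security property says, so the type this helper loads is now environment-dependent rather than pinned. That is consistent as long as every store handed to the helper is generated in the same JVM with the same default, which the rest of the patch appears to do, but a pre-built keystore of another type supplied from outside may no longer load where the old constant did. A short comment on the first changed line would record the coupling: `// type must match the stores TlsResourceHelper generates (JVM default keystore.type)`. The enclosing method starts outside this hunk, and the `java.security.KeyStore` import it now needs is not visible in the import hunk above.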
diff --git a/systests/qpid-systests-http-management/src/test/java/org/apache/qpid/tests/http/authentication/PreemptiveAuthenticationTest.java b/systests/qpid-systests-http-management/src/test/java/org/apache/qpid/tests/http/authentication/PreemptiveAuthenticationTest.java
index ded03df..06d87e2 100644
--- a/systests/qpid-systests-http-management/src/test/java/org/apache/qpid/tests/http/authentication/PreemptiveAuthenticationTest.java
+++ b/systests/qpid-systests-http-management/src/test/java/org/apache/qpid/tests/http/authentication/PreemptiveAuthenticationTest.java
@@ -23,9 +23,6 @@
import static javax.servlet.http.HttpServletResponse.SC_CREATED;
import static javax.servlet.http.HttpServletResponse.SC_OK;
import static javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED;
-import static org.apache.qpid.server.transport.network.security.ssl.SSLUtil.canGenerateCerts;
-import static org.apache.qpid.server.transport.network.security.ssl.SSLUtil.generateSelfSignedCertificate;
-import static org.apache.qpid.test.utils.TestSSLConstants.JAVA_KEYSTORE_TYPE;
import static org.hamcrest.Matchers.equalTo;
import static org.hamcrest.Matchers.greaterThan;
import static org.hamcrest.Matchers.hasKey;
@@ -34,18 +31,11 @@
import static org.hamcrest.Matchers.startsWith;
import static org.junit.Assert.assertThat;
import static org.junit.Assert.fail;
-import static org.junit.Assume.assumeThat;
-import java.io.ByteArrayOutputStream;
import java.net.HttpURLConnection;
import java.net.InetAddress;
import java.net.SocketException;
-import java.net.URL;
import java.security.KeyStore;
-import java.security.cert.Certificate;
-import java.time.Duration;
-import java.time.Instant;
-import java.time.temporal.ChronoUnit;
import java.util.ArrayDeque;
import java.util.Base64;
import java.util.Collections;
@@ -69,9 +59,13 @@
import org.apache.qpid.server.security.ManagedPeerCertificateTrustStore;
import org.apache.qpid.server.security.auth.manager.AnonymousAuthenticationManager;
import org.apache.qpid.server.security.auth.manager.ExternalAuthenticationManager;
-import org.apache.qpid.server.transport.network.security.ssl.SSLUtil.KeyCertPair;
import org.apache.qpid.server.util.BaseAction;
-import org.apache.qpid.server.util.DataUrlUtils;
+import org.apache.qpid.test.utils.tls.AltNameType;
+import org.apache.qpid.test.utils.tls.AlternativeName;
+import org.apache.qpid.test.utils.tls.KeyCertificatePair;
+import org.apache.qpid.test.utils.tls.PrivateKeyEntry;
+import org.apache.qpid.test.utils.tls.TlsResourceBuilder;
+import org.apache.qpid.test.utils.tls.TlsResourceHelper;
import org.apache.qpid.tests.http.HttpTestBase;
import org.apache.qpid.tests.http.HttpTestHelper;
@@ -81,7 +75,7 @@
private static final String STORE_PASSWORD = "password";
private Deque<BaseAction<Void, Exception>> _tearDownActions;
- private String _keyStore;
+
@After
public void tearDown() throws Exception
@@ -111,7 +105,6 @@
@Test
public void clientAuthSuccess() throws Exception
{
- assumeThat(canGenerateCerts(), is(true));
HttpTestHelper helper = configForClientAuth("CN=foo");
String userId = helper.getJson("broker/getUser", STRING_TYPE_REF, SC_OK);
@@ -121,7 +114,6 @@
@Test
public void clientAuthenticationWebManagementConsole() throws Exception
{
- assumeThat(canGenerateCerts(), is(true));
HttpTestHelper helper = configForClientAuth("CN=foo");
HttpURLConnection authenticateConnection = helper.openManagementConnection("/index.html", "GET");
@@ -144,10 +136,9 @@
@Test
public void clientAuthUnrecognisedCert() throws Exception
{
- assumeThat(canGenerateCerts(), is(true));
HttpTestHelper helper = configForClientAuth("CN=foo");
- String keyStore = createKeyStoreDataUrl(getKeyCertPair("CN=bar"), STORE_PASSWORD);
+ String keyStore = createKeyStoreDataUrl(getKeyCertPair("CN=bar"));
helper.setKeyStore(keyStore, STORE_PASSWORD);
try
@@ -252,10 +243,12 @@
private HttpTestHelper configForClientAuth(final String x500Name) throws Exception
{
- final KeyCertPair keyCertPair = getKeyCertPair(x500Name);
- final byte[] cert = keyCertPair.getCertificate().getEncoded();
+ final KeyCertificatePair clientKeyCertPair = getKeyCertPair(x500Name);
+ final byte[] clientCertificate = clientKeyCertPair.getCertificate().getEncoded();
+ final String clientKeyStore = createKeyStoreDataUrl(clientKeyCertPair);
- _keyStore = createKeyStoreDataUrl(keyCertPair, STORE_PASSWORD);
+ final KeyCertificatePair brokerKeyCertPair = getKeyCertPair(x500Name);
+ final String brokerKeyStore = createKeyStoreDataUrl(brokerKeyCertPair);
final Deque<BaseAction<Void,Exception>> deleteActions = new ArrayDeque<>();
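Review bot: The broker's key pair at `final KeyCertificatePair brokerKeyCertPair = getKeyCertPair(x500Name);` is generated with the client's subject name, so in this test the broker certificate and the client certificate both carry the caller's `x500Name` and differ only in key material. The test still works because each call produces fresh keys, but giving the broker side a fixed, distinct subject such as `getKeyCertPair("CN=broker")` would make the two roles obvious in broker logs and in any later assertion on the peer certificate. `configForClientAuth` continues outside this hunk.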
@@ -269,16 +262,16 @@
final Map<String, Object> keystoreAttr = new HashMap<>();
keystoreAttr.put(FileKeyStore.TYPE, "FileKeyStore");
- keystoreAttr.put(FileKeyStore.STORE_URL, "classpath:java_broker_keystore.jks");
+ keystoreAttr.put(FileKeyStore.STORE_URL, brokerKeyStore);
keystoreAttr.put(FileKeyStore.PASSWORD, STORE_PASSWORD);
- keystoreAttr.put(FileKeyStore.KEY_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+ keystoreAttr.put(FileKeyStore.KEY_STORE_TYPE, KeyStore.getDefaultType());
getHelper().submitRequest("keystore/mykeystore","PUT", keystoreAttr, SC_CREATED);
deleteActions.add(object -> getHelper().submitRequest("keystore/mykeystore", "DELETE", SC_OK));
final Map<String, Object> truststoreAttr = new HashMap<>();
truststoreAttr.put(ManagedPeerCertificateTrustStore.TYPE, ManagedPeerCertificateTrustStore.TYPE_NAME);
- truststoreAttr.put(ManagedPeerCertificateTrustStore.STORED_CERTIFICATES, Collections.singletonList(Base64.getEncoder().encodeToString(cert)));
+ truststoreAttr.put(ManagedPeerCertificateTrustStore.STORED_CERTIFICATES, Collections.singletonList(Base64.getEncoder().encodeToString(clientCertificate)));
getHelper().submitRequest("truststore/mytruststore","PUT", truststoreAttr, SC_CREATED);
@@ -306,7 +299,7 @@
HttpTestHelper helper = new HttpTestHelper(getBrokerAdmin(), null, boundPort);
helper.setTls(true);
- helper.setKeyStore(_keyStore, STORE_PASSWORD);
+ helper.setKeyStore(clientKeyStore, STORE_PASSWORD);
return helper;
}
@@ -339,35 +332,27 @@
_tearDownActions = deleteActions;
HttpTestHelper helper = new HttpTestHelper(getBrokerAdmin(), null, boundPort);
- helper.setKeyStore(_keyStore, STORE_PASSWORD);
helper.setPassword(null);
helper.setUserName(null);
return helper;
}
- private String createKeyStoreDataUrl(final KeyCertPair keyCertPair, final String password) throws Exception
+ private String createKeyStoreDataUrl(final KeyCertificatePair keyCertPair) throws Exception
{
- final KeyStore keyStore = KeyStore.getInstance(JAVA_KEYSTORE_TYPE);
- keyStore.load(null, null);
- Certificate[] certChain = new Certificate[] {keyCertPair.getCertificate()};
- keyStore.setKeyEntry("key1", keyCertPair.getPrivateKey(), password.toCharArray(), certChain);
- try (ByteArrayOutputStream bos = new ByteArrayOutputStream())
- {
- keyStore.store(bos, password.toCharArray());
- bos.toByteArray();
- return DataUrlUtils.getDataUrlForBytes(bos.toByteArray());
- }
+ return TlsResourceHelper.createKeyStoreAsDataUrl(KeyStore.getDefaultType(),
+ STORE_PASSWORD.toCharArray(),
+ new PrivateKeyEntry("key1",
+ keyCertPair.getPrivateKey(),
+ keyCertPair.getCertificate()));
}
- private KeyCertPair getKeyCertPair(final String x500Name) throws Exception
+ private KeyCertificatePair getKeyCertPair(final String x500Name) throws Exception
{
- return generateSelfSignedCertificate("RSA", "SHA256WithRSA",
- 2048, Instant.now().toEpochMilli(),
- Duration.of(365, ChronoUnit.DAYS).getSeconds(),
- x500Name,
- Collections.emptySet(),
- Collections.singleton(InetAddress.getLoopbackAddress()));
+ final String loopbackAddress = InetAddress.getLoopbackAddress().getHostAddress();
+ return TlsResourceBuilder.createSelfSigned(x500Name,
+ new AlternativeName(AltNameType.IP_ADDRESS,
+ loopbackAddress));
}
}
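Review bot: Neither `createKeyStoreDataUrl` nor `getKeyCertPair` states the two couplings it now embodies: the data-URL store is built with `KeyStore.getDefaultType()`, which has to agree with the `FileKeyStore.KEY_STORE_TYPE` value submitted for the broker-side store earlier in this file, and the self-signed certificate carries the loopback address as an `IP_ADDRESS` alternative name, presumably so the TLS client accepts it when connecting to the loopback interface. A one-line comment on each would keep a later edit from breaking them silently: `// store type must match FileKeyStore.KEY_STORE_TYPE submitted in configForClientAuth` above the `TlsResourceHelper.createKeyStoreAsDataUrl(` call, and `// loopback IP as SAN so the certificate is accepted for loopback connections` above the `TlsResourceBuilder.createSelfSigned(` call.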
diff --git a/systests/qpid-systests-http-management/src/test/java/org/apache/qpid/tests/http/endtoend/port/PortTest.java b/systests/qpid-systests-http-management/src/test/java/org/apache/qpid/tests/http/endtoend/port/PortTest.java
index 5302ea3..1c5d1de 100644
--- a/systests/qpid-systests-http-management/src/test/java/org/apache/qpid/tests/http/endtoend/port/PortTest.java
+++ b/systests/qpid-systests-http-management/src/test/java/org/apache/qpid/tests/http/endtoend/port/PortTest.java
@@ -23,7 +23,6 @@
import static java.nio.charset.StandardCharsets.UTF_8;
import static javax.servlet.http.HttpServletResponse.SC_CREATED;
import static javax.servlet.http.HttpServletResponse.SC_OK;
-import static org.apache.qpid.test.utils.TestSSLConstants.JAVA_KEYSTORE_TYPE;
import static org.hamcrest.Matchers.equalTo;
import static org.hamcrest.Matchers.instanceOf;
import static org.hamcrest.Matchers.notNullValue;
@@ -34,24 +33,12 @@
import static org.junit.Assume.assumeThat;
import java.io.File;
-import java.io.FileOutputStream;
import java.io.IOException;
-import java.security.KeyStoreException;
-import java.security.NoSuchAlgorithmException;
-import java.security.PrivateKey;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateEncodingException;
-import java.security.cert.CertificateException;
+import java.nio.file.Path;
import java.security.cert.X509Certificate;
-import java.time.Duration;
-import java.time.Instant;
-import java.time.temporal.ChronoUnit;
-import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
-import java.util.HashSet;
import java.util.Map;
-import java.util.Set;
import javax.jms.Connection;
import javax.jms.JMSException;
@@ -63,8 +50,8 @@
import javax.naming.NamingException;
import com.fasterxml.jackson.core.type.TypeReference;
-import org.junit.After;
import org.junit.Before;
+import org.junit.ClassRule;
import org.junit.Test;
import org.apache.qpid.server.model.ConfiguredObject;
@@ -73,50 +60,48 @@
import org.apache.qpid.server.model.Transport;
import org.apache.qpid.server.security.NonJavaKeyStore;
import org.apache.qpid.server.security.auth.manager.AnonymousAuthenticationManager;
-import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
import org.apache.qpid.server.util.DataUrlUtils;
import org.apache.qpid.systests.ConnectionBuilder;
+import org.apache.qpid.test.utils.tls.CertificateEntry;
+import org.apache.qpid.test.utils.tls.TlsResourceBuilder;
+import org.apache.qpid.test.utils.tls.KeyCertificatePair;
+import org.apache.qpid.test.utils.tls.TlsResource;
+import org.apache.qpid.test.utils.tls.TlsResourceHelper;
import org.apache.qpid.tests.http.HttpTestBase;
import org.apache.qpid.tests.http.HttpTestHelper;
public class PortTest extends HttpTestBase
{
- private static final String PASS = "changeit";
+ @ClassRule
+ public static final TlsResource TLS_RESOURCE = new TlsResource();
+
private static final String QUEUE_NAME = "testQueue";
private static final TypeReference<Boolean> BOOLEAN = new TypeReference<Boolean>()
{
};
+ private static final String CERTIFICATE_ALIAS = "certificate";
private String _portName;
private String _authenticationProvider;
private String _keyStoreName;
- private Set<File> _storeFiles;
+
private File _storeFile;
@Before
public void setUp() throws Exception
{
- assumeThat(SSLUtil.canGenerateCerts(), is(true));
_portName = getTestName();
_authenticationProvider = _portName + "AuthenticationProvider";
_keyStoreName = _portName + "KeyStore";
createAnonymousAuthenticationProvider();
- final SSLUtil.KeyCertPair keyCertPair = createKeyStore(_keyStoreName);
+ final KeyCertificatePair keyCertPair = generateSelfSignedCertificate();
final X509Certificate certificate = keyCertPair.getCertificate();
-
- _storeFiles = new HashSet<>();
- _storeFile = createTrustStore(certificate);
+ submitKeyStoreAttributes(_keyStoreName, SC_CREATED, keyCertPair);
+ _storeFile = TLS_RESOURCE.createKeyStore(new CertificateEntry(CERTIFICATE_ALIAS, certificate)).toFile();
getBrokerAdmin().createQueue(QUEUE_NAME);
}
-
- @After
- public void tearDown()
- {
- _storeFiles.forEach(f -> assertTrue(f.delete()));
- }
-
@Test
public void testSwapKeyStoreAndUpdateTlsOnAmqpPort() throws Exception
{
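Review bot: With `tearDown` and `_storeFiles` removed, the file assigned at `_storeFile = TLS_RESOURCE.createKeyStore(new CertificateEntry(CERTIFICATE_ALIAS, certificate)).toFile();` is no longer deleted by the test itself; cleanup now depends on the class-level `TlsResource` rule removing what it created, which is not visible in this diff and should be confirmed, since per-test stores now persist for the whole class rather than being removed after each test. If that is the intended contract, a comment on the field would record it: `// created per test, deleted by TLS_RESOURCE when the class rule completes`. The `assumeThat` static import kept in the import hunk above appears to have lost its only visible use with the removed `assumeThat(SSLUtil.canGenerateCerts(), is(true));` line and may now be unused.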
@@ -128,8 +113,8 @@
final MessageProducer producer = session.createProducer(session.createQueue(QUEUE_NAME));
producer.send(session.createTextMessage("A"));
- final SSLUtil.KeyCertPair keyCertPair = createKeyStoreAndUpdatePortTLS();
- final File storeFile = createTrustStore(keyCertPair.getCertificate());
+ final File storeFile = createNewKeyStoreAndSetItOnPort();
+
final Connection connection2 = createConnection(port, storeFile.getAbsolutePath());
try
{
@@ -164,9 +149,8 @@
final MessageProducer producer = session.createProducer(session.createQueue(QUEUE_NAME));
producer.send(session.createTextMessage("A"));
- final SSLUtil.KeyCertPair keyCertPair = updateKeyStoreAndUpdatePortTLS();
- final File storeFile = createTrustStore(keyCertPair.getCertificate());
- final Connection connection2 = createConnection(port, storeFile.getAbsolutePath());
+ final File trustStoreFile = updateKeyStoreAndUpdatePortTls();
+ final Connection connection2 = createConnection(port, trustStoreFile.getAbsolutePath());
try
{
producer.send(session.createTextMessage("B"));
@@ -202,8 +186,7 @@
final MessageProducer producer = session.createProducer(session.createQueue(QUEUE_NAME));
producer.send(session.createTextMessage("A"));
- final SSLUtil.KeyCertPair keyCertPair = createKeyStoreAndUpdatePortTLS();
- final File storeFile = createTrustStore(keyCertPair.getCertificate());
+ final File storeFile = createNewKeyStoreAndSetItOnPort();
final Connection connection2 = createConnectionBuilder(port, storeFile.getAbsolutePath())
.setTransport("amqpws").build();
try
@@ -235,15 +218,14 @@
HttpTestHelper helper = new HttpTestHelper(getBrokerAdmin(), null, port);
helper.setTls(true);
- helper.setKeyStore(_storeFile.getAbsolutePath(), PASS);
+ helper.setKeyStore(_storeFile.getAbsolutePath(), TLS_RESOURCE.getSecret());
final Map<String, Object> attributes = getHelper().getJsonAsMap("port/" + _portName);
final Map<String, Object> ownAttributes = helper.getJsonAsMap("port/" + _portName);
assertEquals(attributes, ownAttributes);
- final SSLUtil.KeyCertPair keyCertPair = createKeyStoreAndUpdatePortTLS();
- final File storeFile = createTrustStore(keyCertPair.getCertificate());
- helper.setKeyStore(storeFile.getAbsolutePath(), PASS);
+ final File storeFile = createNewKeyStoreAndSetItOnPort();
+ helper.setKeyStore(storeFile.getAbsolutePath(), TLS_RESOURCE.getSecret());
final Map<String, Object> attributes2 = getHelper().getJsonAsMap("port/" + _portName);
final Map<String, Object> ownAttributes2 = helper.getJsonAsMap("port/" + _portName);
@@ -257,25 +239,22 @@
getHelper().submitRequest("authenticationprovider/" + _authenticationProvider, "PUT", data, SC_CREATED);
}
- private SSLUtil.KeyCertPair createKeyStore(final String keyStoreName) throws Exception
+ private void submitKeyStoreAttributes(final String keyStoreName,
+ final int status,
+ final KeyCertificatePair keyCertPair) throws Exception
{
- return submitKeyStoreAttributes(keyStoreName, SC_CREATED);
- }
-
- private SSLUtil.KeyCertPair submitKeyStoreAttributes(final String keyStoreName, final int status) throws Exception
- {
- final SSLUtil.KeyCertPair keyCertPair = generateSelfSignedCertificate();
final Map<String, Object> attributes = new HashMap<>();
attributes.put(NonJavaKeyStore.NAME, keyStoreName);
attributes.put(NonJavaKeyStore.PRIVATE_KEY_URL,
- DataUrlUtils.getDataUrlForBytes(toPEM(keyCertPair.getPrivateKey()).getBytes(UTF_8)));
+ DataUrlUtils.getDataUrlForBytes(TlsResourceHelper.toPEM(keyCertPair.getPrivateKey())
+ .getBytes(UTF_8)));
attributes.put(NonJavaKeyStore.CERTIFICATE_URL,
- DataUrlUtils.getDataUrlForBytes(toPEM(keyCertPair.getCertificate()).getBytes(UTF_8)));
+ DataUrlUtils.getDataUrlForBytes(TlsResourceHelper.toPEM(keyCertPair.getCertificate())
+ .getBytes(UTF_8)));
attributes.put(NonJavaKeyStore.TYPE, "NonJavaKeyStore");
getHelper().submitRequest("keystore/" + keyStoreName, "PUT", attributes, status);
- return keyCertPair;
}
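Review bot: `submitKeyStoreAttributes` now takes the expected HTTP status as `status` and the new callers pass both `SC_CREATED` and `SC_OK`, but nothing documents that the same PUT both creates a NonJavaKeyStore and replaces the key material of an existing one. A Javadoc tag on the method would make the convention explicit: `@param status expected response code: SC_CREATED for a new store, SC_OK when replacing the key material of an existing one`. The private key continues to be submitted inline as a PEM data URL in the store attributes, which is acceptable only because the key is generated per test and never reused.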
private ConnectionBuilder createConnectionBuilder(final int port, final String absolutePath)
@@ -284,7 +263,7 @@
.setTls(true)
.setVerifyHostName(false)
.setTrustStoreLocation(absolutePath)
- .setTrustStorePassword(PASS);
+ .setTrustStorePassword(TLS_RESOURCE.getSecret());
}
private Connection createConnection(final int port, final String absolutePath)
@@ -327,62 +306,9 @@
return ((Number) attributes.get("boundPort")).intValue();
}
- private File createTrustStore(final X509Certificate certificate)
- throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException
+ private KeyCertificatePair generateSelfSignedCertificate() throws Exception
{
- final java.security.KeyStore ks = java.security.KeyStore.getInstance(JAVA_KEYSTORE_TYPE);
- ks.load(null);
- ks.setCertificateEntry("certificate", certificate);
- final File storeFile = File.createTempFile(getTestName(), ".jks");
- try (FileOutputStream fos = new FileOutputStream(storeFile))
- {
- ks.store(fos, PASS.toCharArray());
- }
- finally
- {
- _storeFiles.add(storeFile);
- }
- return storeFile;
- }
-
- private SSLUtil.KeyCertPair generateSelfSignedCertificate() throws Exception
- {
- return SSLUtil.generateSelfSignedCertificate("RSA",
- "SHA256WithRSA",
- 2048,
- Instant.now()
- .minus(1, ChronoUnit.DAYS)
- .toEpochMilli(),
- Duration.of(365, ChronoUnit.DAYS)
- .getSeconds(),
- "CN=foo",
- Collections.emptySet(),
- Collections.emptySet());
- }
-
- private String toPEM(final Certificate pub) throws CertificateEncodingException
- {
- return toPEM(pub.getEncoded(), "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----");
- }
-
- private String toPEM(final PrivateKey key)
- {
- return toPEM(key.getEncoded(), "-----BEGIN PRIVATE KEY-----", "-----END PRIVATE KEY-----");
- }
-
- private String toPEM(final byte[] bytes, final String header, final String footer)
- {
- StringBuilder pem = new StringBuilder();
- pem.append(header).append("\n");
- String base64encoded = Base64.getEncoder().encodeToString(bytes);
- while (base64encoded.length() > 76)
- {
- pem.append(base64encoded, 0, 76).append("\n");
- base64encoded = base64encoded.substring(76);
- }
- pem.append(base64encoded).append("\n");
- pem.append(footer).append("\n");
- return pem.toString();
+ return TlsResourceBuilder.createSelfSigned("CN=foo");
}
private void assertMessage(final Message messageA, final String a) throws JMSException
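Review bot: The replacement `return TlsResourceBuilder.createSelfSigned("CN=foo");` drops the explicit validity window the removed code set, where `notBefore` was backdated one day via `Instant.now().minus(1, ChronoUnit.DAYS)` and validity fixed at 365 days; what the builder chooses instead is not visible here. Within a single JVM the broker's clock is the same as the generator's, so a `notBefore` of "now" should still validate, but the assumption deserves a comment on the call: `// validity window comes from TlsResourceBuilder defaults; confirm notBefore is not ahead of the broker's clock`.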
@@ -392,29 +318,41 @@
assertThat(((TextMessage) messageA).getText(), is(equalTo(a)));
}
- private SSLUtil.KeyCertPair createKeyStoreAndUpdatePortTLS() throws Exception
+ private File createNewKeyStoreAndSetItOnPort() throws Exception
{
- final SSLUtil.KeyCertPair keyCertPair = createKeyStore(_keyStoreName + "_2");
- final Map<String, Object> data = Collections.singletonMap(Port.KEY_STORE, _keyStoreName + "_2");
- getHelper().submitRequest("port/" + _portName, "POST", data, SC_OK);
- final boolean response = getHelper().postJson("port/" + _portName + "/updateTLS",
- Collections.emptyMap(),
- BOOLEAN,
- SC_OK);
- assertTrue(response);
-
- return keyCertPair;
+ String newKeyStoreName = _keyStoreName + "_2";
+ final KeyCertificatePair keyCertPair = generateSelfSignedCertificate();
+ submitKeyStoreAttributes(newKeyStoreName, SC_CREATED, keyCertPair);
+ getHelper().submitRequest("port/" + _portName, "POST",
+ Collections.<String, Object>singletonMap(Port.KEY_STORE, newKeyStoreName), SC_OK);
+ updatePortTls();
+ return createTrustStore(keyCertPair);
}
- private SSLUtil.KeyCertPair updateKeyStoreAndUpdatePortTLS() throws Exception
+ private File updateKeyStoreAndUpdatePortTls() throws Exception
{
- final SSLUtil.KeyCertPair keyCertPair = submitKeyStoreAttributes(_keyStoreName, SC_OK);
+ final KeyCertificatePair keyCertPair = generateSelfSignedCertificate();
+ submitKeyStoreAttributes(_keyStoreName, SC_OK, keyCertPair);
+ updatePortTls();
+ return createTrustStore(keyCertPair);
+ }
+
+ private File createTrustStore(final KeyCertificatePair keyCertPair) throws Exception
+ {
+ CertificateEntry entry = new CertificateEntry(
+ CERTIFICATE_ALIAS,
+ keyCertPair.getCertificate());
+ Path keyStore = TLS_RESOURCE.createKeyStore(entry);
+ return keyStore.toFile();
+ }
+
+ private void updatePortTls() throws Exception
+ {
final boolean response = getHelper().postJson("port/" + _portName + "/updateTLS",
Collections.emptyMap(),
BOOLEAN,
SC_OK);
assertTrue(response);
- return keyCertPair;
}
}
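Review bot: `createTrustStore` near the end of the hunk is undocumented, and its security intent is easy to miss: it builds a client trust store that holds only the single certificate the broker has just been configured with, so a subsequent TLS connection can succeed only if the port really rolled over to the new key material through `updateTLS`. I would add `/** Builds a client trust store holding only the broker's newly configured certificate, so a connection succeeds only if the port really switched to that key pair. */` above it. The file is written by `TLS_RESOURCE.createKeyStore`, so its password and cleanup presumably belong to that rule — worth stating in the same comment, since callers receive a bare `File`. A one-line remark that a "trust store" here is simply a key store containing a certificate entry would also explain the `createKeyStore` call inside a method named `createTrustStore`.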
diff --git a/systests/qpid-systests-http-management/src/test/java/org/apache/qpid/tests/http/rest/model/ReadTest.java b/systests/qpid-systests-http-management/src/test/java/org/apache/qpid/tests/http/rest/model/ReadTest.java
index ac4e897..7a76363 100644
--- a/systests/qpid-systests-http-management/src/test/java/org/apache/qpid/tests/http/rest/model/ReadTest.java
+++ b/systests/qpid-systests-http-management/src/test/java/org/apache/qpid/tests/http/rest/model/ReadTest.java
@@ -31,13 +31,9 @@
import static org.hamcrest.Matchers.containsInAnyOrder;
import static org.hamcrest.Matchers.greaterThanOrEqualTo;
import static org.hamcrest.Matchers.oneOf;
-import static org.junit.Assume.assumeThat;
import java.io.ByteArrayInputStream;
import java.io.File;
-import java.time.Duration;
-import java.time.Instant;
-import java.time.temporal.ChronoUnit;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
@@ -56,10 +52,10 @@
import org.apache.qpid.server.model.User;
import org.apache.qpid.server.security.NonJavaKeyStore;
import org.apache.qpid.server.security.NonJavaTrustStore;
-import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
-import org.apache.qpid.server.transport.network.security.ssl.SSLUtil.KeyCertPair;
+import org.apache.qpid.test.utils.tls.TlsResourceBuilder;
import org.apache.qpid.server.util.DataUrlUtils;
import org.apache.qpid.server.util.FileUtils;
+import org.apache.qpid.test.utils.tls.KeyCertificatePair;
import org.apache.qpid.tests.http.HttpRequestConfig;
import org.apache.qpid.tests.http.HttpTestBase;
@@ -240,9 +236,8 @@
@HttpRequestConfig(useVirtualHostAsHost = false)
public void valueFilteredSecureAttributes() throws Exception
{
- assumeThat(SSLUtil.canGenerateCerts(), is(equalTo(true)));
- final KeyCertPair keyCertPair = generateCertKeyPair();
+ final KeyCertificatePair keyCertPair = generateCertKeyPair();
final byte[] privateKey = keyCertPair.getPrivateKey().getEncoded();
final byte[] cert = keyCertPair.getCertificate().getEncoded();
final String privateKeyUrl = DataUrlUtils.getDataUrlForBytes(privateKey);
@@ -295,7 +290,6 @@
@HttpRequestConfig(useVirtualHostAsHost = false)
public void oversizeAttribute() throws Exception
{
- assumeThat(SSLUtil.canGenerateCerts(), is(equalTo(true)));
final byte[] encodedCert = generateCertKeyPair().getCertificate().getEncoded();
final String dataUrl = DataUrlUtils.getDataUrlForBytes(encodedCert);
@@ -337,13 +331,8 @@
return ((String) object.get(ConfiguredObject.ID));
}
- private KeyCertPair generateCertKeyPair() throws Exception
+ private KeyCertificatePair generateCertKeyPair() throws Exception
{
- return SSLUtil.generateSelfSignedCertificate("RSA", "SHA256WithRSA",
- 2048, Instant.now().toEpochMilli(),
- Duration.of(365, ChronoUnit.DAYS).getSeconds(),
- "CN=foo",
- Collections.emptySet(),
- Collections.emptySet());
+ return TlsResourceBuilder.createSelfSigned("CN=foo");
}
}
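Review bot: `generateCertKeyPair` now delegates to `TlsResourceBuilder.createSelfSigned("CN=foo")`, so the parameters that were explicit here before (RSA, 2048-bit key, SHA256WithRSA, 365-day validity starting now) are no longer visible at the call site. Because `valueFilteredSecureAttributes` and `oversizeAttribute` earlier in this file work on the encoded key and certificate bytes, their behaviour may depend on those defaults. I would record the reliance: `// Key algorithm, size, signature algorithm and validity come from TlsResourceBuilder's defaults (previously RSA/2048/SHA256WithRSA/365 days here).` so that a later change to the builder is checked against these tests.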
diff --git a/systests/qpid-systests-jms-core/src/main/java/org/apache/qpid/systests/QpidJmsClientConnectionBuilder.java b/systests/qpid-systests-jms-core/src/main/java/org/apache/qpid/systests/QpidJmsClientConnectionBuilder.java
index dc39edb..30cef33 100644
--- a/systests/qpid-systests-jms-core/src/main/java/org/apache/qpid/systests/QpidJmsClientConnectionBuilder.java
+++ b/systests/qpid-systests-jms-core/src/main/java/org/apache/qpid/systests/QpidJmsClientConnectionBuilder.java
@@ -22,6 +22,7 @@
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
+import java.security.KeyStore;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Hashtable;
@@ -39,8 +40,6 @@
import javax.naming.InitialContext;
import javax.naming.NamingException;
-import org.apache.qpid.test.utils.TestSSLConstants;
-
public class QpidJmsClientConnectionBuilder implements ConnectionBuilder
{
private static final AtomicInteger CLIENTID_COUNTER = new AtomicInteger();
@@ -165,7 +164,7 @@
_enableTls = enableTls;
if (enableTls)
{
- _options.put("transport.storeType", TestSSLConstants.JAVA_KEYSTORE_TYPE);
+ _options.put("transport.storeType", KeyStore.getDefaultType());
}
else
{
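Review bot: The client's `transport.storeType` is now `KeyStore.getDefaultType()`, which is whatever the test JVM's `keystore.type` security property says (JKS on older JDKs, PKCS12 on current ones), not necessarily the format in which `TlsResource.createKeyStore` writes the test stores. Nothing in this hunk ties the two together; the broker-side helper (`BrokerManagementHelper.createKeyStore`) uses the same default, so the assumption is at least consistent, but it should be stated: `// Must match the type TlsResource writes test stores in; both sides rely on the JVM default.` If `TlsResource` writes a fixed format instead, the builder should take the type from it rather than from the JVM default. The enclosing method starts before this hunk.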
diff --git a/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/BrokerManagementHelper.java b/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/BrokerManagementHelper.java
new file mode 100644
index 0000000..33dde20
--- /dev/null
+++ b/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/BrokerManagementHelper.java
@@ -0,0 +1,283 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.systests.jms_1_1.extensions;
+
+
+import java.io.Closeable;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import javax.jms.Connection;
+import javax.jms.JMSException;
+import javax.jms.Session;
+import javax.naming.NamingException;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+
+import org.apache.qpid.server.model.AuthenticationProvider;
+import org.apache.qpid.server.model.ConfiguredObject;
+import org.apache.qpid.server.model.Port;
+import org.apache.qpid.server.model.User;
+import org.apache.qpid.server.security.FileKeyStore;
+import org.apache.qpid.server.security.FileTrustStore;
+import org.apache.qpid.server.security.auth.manager.ExternalAuthenticationManager;
+import org.apache.qpid.systests.AmqpManagementFacade;
+import org.apache.qpid.systests.ConnectionBuilder;
+
+public class BrokerManagementHelper implements Closeable
+{
+ private final ConnectionBuilder _connectionBuilder;
+ private final AmqpManagementFacade _managementFacade;
+ private Connection _connection;
+
+ public BrokerManagementHelper(final ConnectionBuilder connectionBuilder,
+ final AmqpManagementFacade managementFacade)
+ {
+ _connectionBuilder = connectionBuilder;
+ _managementFacade = managementFacade;
+ }
+
+ public BrokerManagementHelper openManagementConnection() throws JMSException, NamingException
+ {
+ _connection = _connectionBuilder.setVirtualHost("$management").build();
+ _connection.start();
+ return this;
+ }
+
+ public BrokerManagementHelper createKeyStore(final String keyStoreName,
+ final String keyStoreLocation,
+ final String keyStorePassword)
+ throws JMSException
+ {
+ final Map<String, Object> keyStoreAttributes = new HashMap<>();
+ keyStoreAttributes.put("storeUrl", keyStoreLocation);
+ keyStoreAttributes.put("password", keyStorePassword);
+ keyStoreAttributes.put("keyStoreType", java.security.KeyStore.getDefaultType());
+ return createEntity(keyStoreName, FileKeyStore.class.getName(), keyStoreAttributes);
+ }
+
+ public BrokerManagementHelper createTrustStore(final String trustStoreName,
+ final String trustStoreLocation,
+ final String trustStorePassword) throws JMSException
+ {
+ final Map<String, Object> trustStoreAttributes = new HashMap<>();
+ trustStoreAttributes.put("storeUrl", trustStoreLocation);
+ trustStoreAttributes.put("password", trustStorePassword);
+ trustStoreAttributes.put("trustStoreType", java.security.KeyStore.getDefaultType());
+ return createEntity(trustStoreName, FileTrustStore.class.getName(), trustStoreAttributes);
+ }
+
+ public BrokerManagementHelper createAmqpTlsPort(final String portName,
+ final String authenticationProvider,
+ final String keyStoreName,
+ final boolean plainAndSsl,
+ final boolean needClientAuth,
+ final boolean wantClientAuth,
+ final String... trustStoreName) throws JMSException
+ {
+ try
+ {
+ final Map<String, Object> sslPortAttributes = new HashMap<>();
+ sslPortAttributes.put(Port.TRANSPORTS, plainAndSsl ? "[\"SSL\",\"TCP\"]" : "[\"SSL\"]");
+ sslPortAttributes.put(Port.PORT, 0);
+ sslPortAttributes.put(Port.AUTHENTICATION_PROVIDER, authenticationProvider);
+ sslPortAttributes.put(Port.NEED_CLIENT_AUTH, needClientAuth);
+ sslPortAttributes.put(Port.WANT_CLIENT_AUTH, wantClientAuth);
+ sslPortAttributes.put(Port.NAME, portName);
+ sslPortAttributes.put(Port.KEY_STORE, keyStoreName);
+ sslPortAttributes.put(Port.TRUST_STORES, new ObjectMapper().writeValueAsString(trustStoreName));
+ createEntity(portName, "org.apache.qpid.AmqpPort", sslPortAttributes);
+ }
+ catch (JsonProcessingException e)
+ {
+ throw new RuntimeException("Unexpected json processing exception", e);
+ }
+
+ return this;
+ }
+
+ public BrokerManagementHelper createExternalAuthenticationProvider(String providerName, boolean useFullDN)
+ throws JMSException
+ {
+ final Map<String, Object> providerAttributes = new HashMap<>();
+ providerAttributes.put("qpid-type", ExternalAuthenticationManager.PROVIDER_TYPE);
+ providerAttributes.put(ExternalAuthenticationManager.ATTRIBUTE_USE_FULL_DN, useFullDN);
+ return createEntity(providerName,
+ AuthenticationProvider.class.getName(),
+ providerAttributes);
+ }
+
+
+ public BrokerManagementHelper createAuthenticationProvider(final String providerName, final String providerType)
+ throws JMSException
+ {
+ return createEntity(providerName,
+ AuthenticationProvider.class.getName(),
+ Collections.singletonMap("qpid-type", providerType));
+ }
+
+ public BrokerManagementHelper createUser(final String providerName,
+ final String userName,
+ final String userPassword)
+ throws JMSException
+ {
+ final Map<String, Object> userAttributes = new HashMap<>();
+ userAttributes.put("qpid-type", "managed");
+ userAttributes.put(User.PASSWORD, userPassword);
+ userAttributes.put("object-path", providerName);
+ return createEntity(userName, User.class.getName(), userAttributes);
+ }
+
+
+ public BrokerManagementHelper createEntity(final String name,
+ final String type,
+ final Map<String, Object> attributes) throws JMSException
+ {
+ final Session session = _connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
+ try
+ {
+
+ _managementFacade.createEntityAndAssertResponse(name, type, attributes, session);
+ }
+ finally
+ {
+ session.close();
+ }
+ return this;
+ }
+
+ public int getAmqpBoundPort(final String portName) throws JMSException
+ {
+ return (int) getEffectiveAttribute(portName, "org.apache.qpid.AmqpPort", "boundPort");
+ }
+
+ public Object getEffectiveAttribute(final String name, final String type, String attributeName) throws JMSException
+ {
+ final Map<String, Object> effectiveAttributes = getEffectiveAttributes(name, type);
+ if (effectiveAttributes.containsKey(attributeName))
+ {
+ return effectiveAttributes.get(attributeName);
+ }
+ throw new RuntimeException(String.format("Attribute '%s' is not found", attributeName));
+ }
+
+ public Map<String, Object> getEffectiveAttributes(final String name, final String type) throws JMSException
+ {
+ final Session session = _connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
+ try
+ {
+ return _managementFacade.readEntityUsingAmqpManagement(session, type, name, false);
+ }
+ finally
+ {
+ session.close();
+ }
+ }
+
+ protected List<Map<String, Object>> queryEntitiesUsingAmqpManagement(final String type)
+ throws JMSException
+ {
+ Session session = _connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
+ try
+ {
+ return _managementFacade.managementQueryObjects(session, type);
+ }
+ finally
+ {
+ session.close();
+ }
+ }
+
+ public String getConnectionPrincipalByClientId(String portName, String clientId) throws JMSException
+ {
+ final List<Map<String, Object>> connections = queryEntitiesUsingAmqpManagement("org.apache.qpid.Connection");
+ for (final Map<String, Object> connection : connections)
+ {
+ final String name = String.valueOf(connection.get(ConfiguredObject.NAME));
+
+ final Map<String, Object> attributes =
+ getEffectiveAttributes(portName + "/" + name, "org.apache.qpid.Connection");
+ if (attributes.get(org.apache.qpid.server.model.Connection.CLIENT_ID).equals(clientId))
+ {
+ return String.valueOf(attributes.get(org.apache.qpid.server.model.Connection.PRINCIPAL));
+ }
+ }
+ return null;
+ }
+
+
+ public void close()
+ {
+ if (_connection != null)
+ {
+ try
+ {
+ _connection.close();
+ }
+ catch (JMSException e)
+ {
+ throw new RuntimeException("Failure to close JMS connection", e);
+ }
+ }
+ }
+
+ public String getAuthenticationProviderNameForAmqpPort(final int brokerPort)
+ throws JMSException
+ {
+ String authenticationProvider = null;
+ Session session = _connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
+ try
+ {
+ List<Map<String, Object>> ports =
+ _managementFacade.managementQueryObjects(session, "org.apache.qpid.AmqpPort");
+ for (Map<String, Object> port : ports)
+ {
+ String name = String.valueOf(port.get(Port.NAME));
+
+ Session s = _connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
+ try
+ {
+ Map<String, Object> attributes = _managementFacade.readEntityUsingAmqpManagement(s,
+ "org.apache.qpid.AmqpPort",
+ name,
+ false);
+ if (attributes.get("boundPort").equals(brokerPort))
+ {
+ authenticationProvider = String.valueOf(attributes.get(Port.AUTHENTICATION_PROVIDER));
+ break;
+ }
+ }
+ finally
+ {
+ s.close();
+ }
+ }
+ }
+ finally
+ {
+ session.close();
+ }
+ return authenticationProvider;
+ }
+}
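Review bot: `getAmqpBoundPort` casts the `boundPort` attribute straight to `int`, and `getAuthenticationProviderNameForAmqpPort` compares it with `equals(brokerPort)`; if the management facade decodes the number as a `Long` rather than an `Integer` (the test near the top of this page defensively does `((Number) attributes.get("boundPort")).intValue()` for the same attribute), the cast throws and the `equals` is silently false, so the lookup returns `null` and the subsequent port creation is fed a `null` authentication provider. I would normalise through `Number`: `return ((Number) getEffectiveAttribute(portName, "org.apache.qpid.AmqpPort", "boundPort")).intValue();` and `if (((Number) attributes.get("boundPort")).intValue() == brokerPort)`. Similarly, in `getConnectionPrincipalByClientId` the `attributes.get(CLIENT_ID).equals(clientId)` form throws an NPE for a connection without a client id; `clientId.equals(attributes.get(...))` is safer. `createUser` sends the password as a plain attribute, which is fine for a test helper, but a class javadoc should say the class is test-only and that it creates live entities on the broker which callers must clean up.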
diff --git a/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/TlsHelper.java b/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/TlsHelper.java
new file mode 100644
index 0000000..0884c4a
--- /dev/null
+++ b/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/TlsHelper.java
@@ -0,0 +1,134 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.systests.jms_1_1.extensions;
+
+import java.nio.file.Path;
+import java.security.KeyPair;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+
+import org.apache.qpid.test.utils.tls.CertificateEntry;
+import org.apache.qpid.test.utils.tls.PrivateKeyEntry;
+import org.apache.qpid.test.utils.tls.TlsResourceBuilder;
+import org.apache.qpid.test.utils.tls.KeyCertificatePair;
+import org.apache.qpid.test.utils.tls.TlsResource;
+
+public class TlsHelper
+{
+ private static final String DN_CA = "CN=MyRootCA,O=ACME,ST=Ontario,C=CA";
+ private static final String DN_BROKER = "CN=localhost,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown";
+ private static final String DN_CLIENT_APP1 = "CN=app1@acme.org,OU=art,O=acme,L=Toronto,ST=ON,C=CA";
+ private static final String DN_CLIENT_APP2 = "CN=app2@acme.org,OU=art,O=acme,L=Toronto,ST=ON,C=CA";
+ private static final String CERT_ALIAS_ROOT_CA = "rootca";
+ public static final String CERT_ALIAS_APP1 = "app1";
+ public static final String CERT_ALIAS_APP2 = "app2";
+ private static final String BROKER_ALIAS = "java-broker";
+
+ private Path _brokerKeyStore;
+ private Path _brokerTrustStore;
+ private Path _clientKeyStore;
+ private Path _clientTrustStore;
+ private X509Certificate _caCertificate;
+ private KeyCertificatePair _clientKeyPair1;
+ private final KeyCertificatePair _caPair;
+
+ public TlsHelper(TlsResource tlsResource) throws Exception
+ {
+ _caPair = TlsResourceBuilder.createKeyPairAndRootCA(DN_CA);
+ final KeyPair brokerKeyPair = TlsResourceBuilder.createRSAKeyPair();
+ final KeyPair clientKeyPair1 = TlsResourceBuilder.createRSAKeyPair();
+ final KeyPair clientKeyPair2 = TlsResourceBuilder.createRSAKeyPair();
+
+ final X509Certificate brokerCertificate =
+ TlsResourceBuilder.createCertificateForServerAuthorization(brokerKeyPair, _caPair, DN_BROKER);
+ final X509Certificate clientCertificate1 =
+ TlsResourceBuilder.createCertificateForClientAuthorization(clientKeyPair1, _caPair, DN_CLIENT_APP1);
+ final X509Certificate clientCertificate2 =
+ TlsResourceBuilder.createCertificateForClientAuthorization(clientKeyPair2, _caPair, DN_CLIENT_APP2);
+
+ final PrivateKey privateKey = clientKeyPair1.getPrivate();
+ final X509Certificate certificate = clientCertificate1;
+ _clientKeyPair1 = new KeyCertificatePair(privateKey, certificate);
+ _caCertificate = _caPair.getCertificate();
+
+ _brokerKeyStore = tlsResource.createKeyStore(new PrivateKeyEntry(BROKER_ALIAS,
+ brokerKeyPair.getPrivate(),
+ brokerCertificate,
+ _caCertificate));
+ _brokerTrustStore = tlsResource.createKeyStore(new CertificateEntry(CERT_ALIAS_ROOT_CA,
+ _caCertificate));
+ _clientKeyStore =
+ tlsResource.createKeyStore(new PrivateKeyEntry(CERT_ALIAS_APP1,
+ clientKeyPair1.getPrivate(),
+ clientCertificate1,
+ _caCertificate),
+ new PrivateKeyEntry(CERT_ALIAS_APP2,
+ clientKeyPair2.getPrivate(),
+ clientCertificate2,
+ _caCertificate));
+
+ _clientTrustStore = tlsResource.createKeyStore(new CertificateEntry(CERT_ALIAS_ROOT_CA,
+ _caCertificate));
+ }
+
+
+ public String getClientKeyStore()
+ {
+ return _clientKeyStore.toFile().getAbsolutePath();
+ }
+
+ public String getClientTrustStore()
+ {
+ return _clientTrustStore.toFile().getAbsolutePath();
+ }
+
+ public X509Certificate getCaCertificate()
+ {
+ return _caCertificate;
+ }
+
+ public PrivateKey getClientPrivateKey()
+ {
+ return _clientKeyPair1.getPrivateKey();
+ }
+
+ public X509Certificate getClientCerificate()
+ {
+ return _clientKeyPair1.getCertificate();
+ }
+
+ public String getBrokerKeyStore()
+ {
+ return _brokerKeyStore.toFile().getAbsolutePath();
+ }
+
+ public String getBrokerTrustStore()
+ {
+ return _brokerTrustStore.toFile().getAbsolutePath();
+ }
+
+ public KeyCertificatePair getCaKeyCertPair()
+ {
+ final PrivateKey privateKey = _caPair.getPrivateKey();
+ final X509Certificate certificate = _caCertificate;
+ return new KeyCertificatePair(privateKey, certificate);
+ }
+}
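Review bot: `_brokerKeyStore`, `_brokerTrustStore`, `_clientKeyStore`, `_clientTrustStore`, `_caCertificate` and `_clientKeyPair1` are each assigned exactly once in the constructor, so they should be `final` like `_caPair`; a helper that hands out private keys and CA material should not be mutable after construction. `getClientCerificate` is misspelled and public, and since this is a new file this is the moment to fix it (`getClientCertificate`). The class has no javadoc; I would describe what it builds — a root CA, a server certificate for `CN=localhost` and two client certificates all signed by that CA, with both trust stores anchored only at the root CA — and note that `getCaKeyCertPair` exposes the CA's private key (presumably so tests can sign further certificates), so this is test-only material. It is also worth saying in that javadoc that the broker's key store entry carries the CA certificate in its chain, which is what lets a client trusting only the root validate the server.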
diff --git a/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/management/AmqpManagementTest.java b/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/management/AmqpManagementTest.java
index 6b55c87..1fbb23a 100644
--- a/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/management/AmqpManagementTest.java
+++ b/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/management/AmqpManagementTest.java
@@ -52,9 +52,8 @@
import javax.naming.NamingException;
import com.fasterxml.jackson.databind.ObjectMapper;
-import org.apache.qpid.test.utils.TestSSLConstants;
-import org.junit.AfterClass;
import org.junit.BeforeClass;
+import org.junit.ClassRule;
import org.junit.Test;
import org.apache.qpid.server.exchange.ExchangeDefaults;
@@ -63,11 +62,18 @@
import org.apache.qpid.server.queue.PriorityQueue;
import org.apache.qpid.systests.AmqpManagementFacade;
import org.apache.qpid.systests.JmsTestBase;
-import org.apache.qpid.systests.jms_1_1.extensions.tls.TlsTest;
+import org.apache.qpid.systests.jms_1_1.extensions.BrokerManagementHelper;
+import org.apache.qpid.systests.jms_1_1.extensions.TlsHelper;
+import org.apache.qpid.test.utils.tls.TlsResource;
import org.apache.qpid.tests.utils.BrokerAdmin;
public class AmqpManagementTest extends JmsTestBase
{
+ @ClassRule
+ public static final TlsResource TLS_RESOURCE = new TlsResource();
+
+ private static TlsHelper _tlsHelper;
+
private Session _session;
private Queue _replyAddress;
private MessageConsumer _consumer;
@@ -76,22 +82,7 @@
@BeforeClass
public static void setUp() throws Exception
{
- // legacy client keystore/truststore types can only be configured with JVM settings
- if (getProtocol() != Protocol.AMQP_1_0)
- {
- System.setProperty("javax.net.ssl.trustStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE);
- System.setProperty("javax.net.ssl.keyStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE);
- }
- }
-
- @AfterClass
- public static void tearDown() throws Exception
- {
- if (getProtocol() != Protocol.AMQP_1_0)
- {
- System.clearProperty("javax.net.ssl.trustStoreType");
- System.clearProperty("javax.net.ssl.keyStoreType");
- }
+ _tlsHelper = new TlsHelper(TLS_RESOURCE);
}
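Review bot: The removed branch set `javax.net.ssl.trustStoreType`/`keyStoreType` for the legacy (non-AMQP 1.0) clients, with a comment that those clients can only be configured through JVM settings; the replacement sets nothing, so for them the test now relies on the JVM default store type matching the format `TlsResource` writes. If that holds it is an improvement (no global mutable state left behind), but the assumption should be written down where the old workaround was: `// Legacy clients read the store type from the JVM default; TlsResource writes stores in that same type.` If `TlsResource` writes a fixed format, the legacy-protocol profiles need the system properties back or an assumption-based skip.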
private void setUp(final Connection connection) throws Exception
@@ -681,18 +672,36 @@
unsecuredConnection.close();
}
- int tlsPort = TlsTest.createTlsPort(getTestName() + "TlsPort",
- false,
- false,
- false,
- getConnectionBuilder(),
- new AmqpManagementFacade(getProtocol()),
- getBrokerAdmin().getBrokerAddress(BrokerAdmin.PortType.AMQP).getPort());
+ int tlsPort = 0;
+ final String portName = getTestName() + "TlsPort";
+ final String keyStoreName = portName + "KeyStore";
+ final String trustStoreName = portName + "TrustStore";
+ try (final BrokerManagementHelper helper = new BrokerManagementHelper(getConnectionBuilder(),
+ new AmqpManagementFacade(getProtocol())))
+ {
+ helper.openManagementConnection();
+
+ final String authenticationManager =
+ helper.getAuthenticationProviderNameForAmqpPort(getBrokerAdmin().getBrokerAddress(
+ BrokerAdmin.PortType.AMQP)
+ .getPort());
+ tlsPort = helper.createKeyStore(keyStoreName, _tlsHelper.getBrokerKeyStore(), TLS_RESOURCE.getSecret())
+ .createTrustStore(trustStoreName,
+ _tlsHelper.getBrokerTrustStore(),
+ TLS_RESOURCE.getSecret())
+ .createAmqpTlsPort(portName,
+ authenticationManager,
+ keyStoreName,
+ false,
+ false,
+ false,
+ trustStoreName).getAmqpBoundPort(portName);
+ }
Connection connection = getConnectionBuilder().setTls(true)
.setPort(tlsPort)
- .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
- .setTrustStorePassword(TestSSLConstants.PASSWORD)
+ .setTrustStoreLocation(_tlsHelper.getClientTrustStore())
+ .setTrustStorePassword(TLS_RESOURCE.getSecret())
.build();
try
{
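Review bot: The key store, trust store and port created on the broker in this block are not removed anywhere visible; the old `TlsTest.createTlsPort` path is gone and the test method continues outside the hunk, so if no `finally` deletes them they outlive the test. `tlsPort` is initialised to `0` and then assigned inside the try; declaring it `final int tlsPort;` and assigning it in the try lets the compiler check definite assignment before `setPort(tlsPort)`, and `0` is never a valid value here. Passing `trustStoreName` to a port configured with `needClientAuth=false`/`wantClientAuth=false` is harmless but misleading; a short comment that the trust store only mirrors a production-style configuration, or dropping it, would help.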
diff --git a/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/sasl/AuthenticationTest.java b/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/sasl/AuthenticationTest.java
index c808b45..ac74cd7 100644
--- a/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/sasl/AuthenticationTest.java
+++ b/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/sasl/AuthenticationTest.java
@@ -33,10 +33,12 @@
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
-import java.nio.file.Paths;
-import java.util.Collections;
+import java.nio.file.StandardCopyOption;
+import java.security.KeyPair;
+import java.security.cert.X509Certificate;
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
import java.util.HashMap;
-import java.util.List;
import java.util.Map;
import javax.jms.Connection;
@@ -47,7 +49,6 @@
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import org.apache.qpid.server.security.FileTrustStoreTest;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
@@ -56,41 +57,82 @@
import org.eclipse.jetty.server.handler.HandlerCollection;
import org.junit.AfterClass;
import org.junit.BeforeClass;
+import org.junit.ClassRule;
import org.junit.Test;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.apache.qpid.server.model.AuthenticationProvider;
-import org.apache.qpid.server.model.ConfiguredObject;
import org.apache.qpid.server.model.Port;
import org.apache.qpid.server.model.Protocol;
-import org.apache.qpid.server.model.User;
-import org.apache.qpid.server.security.FileKeyStore;
import org.apache.qpid.server.security.FileTrustStore;
-import org.apache.qpid.server.security.auth.manager.ExternalAuthenticationManager;
import org.apache.qpid.server.security.auth.manager.ExternalAuthenticationManagerImpl;
import org.apache.qpid.server.security.auth.manager.ScramSHA1AuthenticationManager;
import org.apache.qpid.server.security.auth.manager.ScramSHA256AuthenticationManager;
import org.apache.qpid.server.security.auth.sasl.crammd5.CramMd5HashedNegotiator;
+import org.apache.qpid.server.util.DataUrlUtils;
import org.apache.qpid.systests.AmqpManagementFacade;
+import org.apache.qpid.systests.ConnectionBuilder;
import org.apache.qpid.systests.JmsTestBase;
-import org.apache.qpid.test.utils.TestSSLConstants;
+import org.apache.qpid.systests.jms_1_1.extensions.BrokerManagementHelper;
+import org.apache.qpid.test.utils.tls.CertificateEntry;
+import org.apache.qpid.test.utils.tls.KeyCertificatePair;
+import org.apache.qpid.test.utils.tls.PrivateKeyEntry;
+import org.apache.qpid.test.utils.tls.TlsResource;
+import org.apache.qpid.test.utils.tls.TlsResourceBuilder;
public class AuthenticationTest extends JmsTestBase
{
- private static final Logger LOGGER = LoggerFactory.getLogger(AuthenticationTest.class);
+ @ClassRule
+ public static final TlsResource TLS_RESOURCE = new TlsResource();
+
+ private static final String DN_CA = "CN=MyRootCA,O=ACME,ST=Ontario,C=CA";
+ private static final String DN_BROKER = "CN=localhost,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown";
+ private static final String DN_INTERMEDIATE = "CN=intermediate_ca@acme.org,OU=art,O=acme,L=Toronto,ST=ON,C=CA";
+ private static final String DN_CLIENT_APP1 = "CN=app1@acme.org,OU=art,O=acme,L=Toronto,ST=ON,C=CA";
+ private static final String DN_CLIENT_APP2 = "CN=app2@acme.org,OU=art,O=acme,L=Toronto,ST=ON,C=CA";
+ private static final String DN_CLIENT_INT =
+ "CN=allowed_by_ca_with_intermediate@acme.org,OU=art,O=acme,L=Toronto,ST=ON,C=CA";
+ private static final String DN_CLIENT_ALLOWED = "CN=allowed_by_ca@acme.org,OU=art,O=acme,L=Toronto,ST=ON,C=CA";
+ private static final String DN_CLIENT_REVOKED = "CN=revoked_by_ca@acme.org,OU=art,O=acme,L=Toronto,ST=ON,C=CA";
+ private static final String DN_CLIENT_REVOKED_BY_EMPTY =
+ "CN=revoked_by_ca_empty_crl@acme.org,OU=art,O=acme,L=Toronto,ST=ON,C=CA";
+ private static final String DN_CLIENT_REVOKED_INVALID_CRL =
+ "CN=revoked_by_ca_invalid_crl_path@acme.org,OU=art,O=acme,L=Toronto,ST=ON,C=CA";
+ private static final String DN_CLIENT_UNTRUSTED = "CN=untrusted_client";
+ private static final String CERT_ALIAS_ROOT_CA = "rootca";
+ private static final String CERT_ALIAS_APP1 = "app1";
+ private static final String CERT_ALIAS_APP2 = "app2";
+ private static final String CERT_ALIAS_ALLOWED = "allowed_by_ca";
+ private static final String CERT_ALIAS_REVOKED = "revoked_by_ca";
+ private static final String CERT_ALIAS_REVOKED_EMPTY_CRL = "revoked_by_ca_empty_crl";
+ private static final String CERT_ALIAS_REVOKED_INVALID_CRL_PATH = "revoked_by_ca_invalid_crl_path";
+ private static final String CERT_ALIAS_ALLOWED_WITH_INTERMEDIATE = "allowed_by_ca_with_intermediate";
+ private static final String CERT_ALIAS_UNTRUSTED_CLIENT = "untrusted_client";
+
private static final String USER = "user";
private static final String USER_PASSWORD = "user";
- // see how port is specified when certificates are generated in script
- // test-profiles/test_resources/ssl/generate_certificates.sh
- private static final int CRL_HTTP_PORT = 8186;
+
private static final Server CRL_SERVER = new Server();
private static final HandlerCollection HANDLERS = new HandlerCollection();
+ private static final String CRL_TEMPLATE = "http://localhost:%d/%s";
+
+ private static int crlHttpPort = -1;
+ private static String _brokerKeyStore;
+ private static String _brokerTrustStore;
+ private static String _clientKeyStore;
+ private static String _clientTrustStore;
+ private static String _brokerPeerStore;
+ private static String _clientExpiredKeyStore;
+ private static String _clientUntrustedKeyStore;
+ private static Path _crlFile;
+ private static Path _emptyCrlFile;
+ private static Path _intermediateCrlFile;
+
@BeforeClass
public static void setUp() throws Exception
{
- System.setProperty("javax.net.debug", "ssl");
+ _crlFile = TLS_RESOURCE.createFile(".crl");
+ _emptyCrlFile = TLS_RESOURCE.createFile("-empty.crl");
+ _intermediateCrlFile = TLS_RESOURCE.createFile("-intermediate.crl");
// workaround for QPID-8069
if (getProtocol() != Protocol.AMQP_1_0 && getProtocol() != Protocol.AMQP_0_10)
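Review bot: `crlHttpPort` is read when `CRL_TEMPLATE` is formatted into the CRL URIs that go into the generated certificates, but nothing at its declaration says it is valid only after `CRL_SERVER` has started; the ordering is enforced by `setUp` (which continues past this hunk), not by the type, and a `-1` port would silently produce unusable distribution points. I would document it: `// Assigned from the connector's ephemeral port once CRL_SERVER starts; certificates must be generated only after that.` and rename it `_crlHttpPort` to match `_crlFile`. Binding the connector on port 0 instead of the previous hard-coded 8186 is the right move; the remaining store fields are mutable statics set once in `setUp`, which is acceptable for a test class but should be kept private to `setUp`.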
@@ -98,21 +140,168 @@
System.setProperty("amqj.MaximumStateWait", "4000");
}
- // legacy client keystore/truststore types can only be configured with JVM settings
- if (getProtocol() != Protocol.AMQP_1_0)
- {
- System.setProperty("javax.net.ssl.trustStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE);
- System.setProperty("javax.net.ssl.keyStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE);
- }
final ServerConnector connector = new ServerConnector(CRL_SERVER);
- connector.setPort(CRL_HTTP_PORT);
+ connector.setPort(0);
connector.setHost("localhost");
+
CRL_SERVER.addConnector(connector);
- createContext(Paths.get(TestSSLConstants.CA_CRL));
- createContext(Paths.get(TestSSLConstants.CA_CRL_EMPTY));
- createContext(Paths.get(TestSSLConstants.INTERMEDIATE_CA_CRL));
+ createContext(_crlFile);
+ createContext(_emptyCrlFile);
+ createContext(_intermediateCrlFile);
CRL_SERVER.setHandler(HANDLERS);
CRL_SERVER.start();
+ crlHttpPort = connector.getLocalPort();
+
+ buildTlsResources();
+
+ System.setProperty("javax.net.debug", "ssl");
+ }
+
+ private static void buildTlsResources() throws Exception
+ {
+ final String crlUri = String.format(CRL_TEMPLATE, crlHttpPort, _crlFile.toFile().getName());
+ final String emptyCrlUri = String.format(CRL_TEMPLATE, crlHttpPort, _emptyCrlFile.toFile().getName());
+ final String intermediateCrlUri = String.format(CRL_TEMPLATE, crlHttpPort, _intermediateCrlFile.toFile().getName());
+ final String nonExistingCrlUri = String.format(CRL_TEMPLATE, crlHttpPort, "not/a/crl");
+
+ final KeyCertificatePair caPair = TlsResourceBuilder.createKeyPairAndRootCA(DN_CA);
+ final KeyPair brokerKeyPair = TlsResourceBuilder.createRSAKeyPair();
+ final X509Certificate brokerCertificate =
+ TlsResourceBuilder.createCertificateForServerAuthorization(brokerKeyPair, caPair, DN_BROKER);
+
+ _brokerKeyStore = TLS_RESOURCE.createKeyStore(new PrivateKeyEntry("java-broker",
+ brokerKeyPair.getPrivate(),
+ brokerCertificate,
+ caPair.getCertificate()),
+ new CertificateEntry(CERT_ALIAS_ROOT_CA,
+ caPair.getCertificate()))
+ .toFile()
+ .getAbsolutePath();
+ _brokerTrustStore = TLS_RESOURCE.createKeyStore(new CertificateEntry(CERT_ALIAS_ROOT_CA,
+ caPair.getCertificate()))
+ .toFile()
+ .getAbsolutePath();
+
+ final KeyPair clientApp1KeyPair = TlsResourceBuilder.createRSAKeyPair();
+ final X509Certificate clientApp1Certificate =
+ TlsResourceBuilder.createCertificateForClientAuthorization(clientApp1KeyPair,
+ caPair, DN_CLIENT_APP1);
+
+ _brokerPeerStore = TLS_RESOURCE.createKeyStore(new CertificateEntry(DN_CLIENT_APP1,
+ clientApp1Certificate))
+ .toFile()
+ .getAbsolutePath();
+
+ final KeyPair clientApp2KeyPair = TlsResourceBuilder.createRSAKeyPair();
+ final X509Certificate clientApp2Certificate =
+ TlsResourceBuilder.createCertificateForClientAuthorization(clientApp2KeyPair,
+ caPair, DN_CLIENT_APP2);
+
+ final KeyPair clientAllowedKeyPair = TlsResourceBuilder.createRSAKeyPair();
+ final X509Certificate clientAllowedCertificate =
+ TlsResourceBuilder.createCertificateWithCrlDistributionPoint(clientAllowedKeyPair,
+ caPair,
+ DN_CLIENT_ALLOWED,
+ crlUri);
+
+ final KeyPair clientRevokedKeyPair = TlsResourceBuilder.createRSAKeyPair();
+ final X509Certificate clientRevokedCertificate =
+ TlsResourceBuilder.createCertificateWithCrlDistributionPoint(clientRevokedKeyPair,
+ caPair,
+ DN_CLIENT_REVOKED,
+ crlUri);
+
+ final KeyPair clientKeyPairRevokedByEmpty = TlsResourceBuilder.createRSAKeyPair();
+ final X509Certificate clientCertificateRevokedByEmpty =
+ TlsResourceBuilder.createCertificateWithCrlDistributionPoint(clientKeyPairRevokedByEmpty,
+ caPair,
+ DN_CLIENT_REVOKED_BY_EMPTY,
+ emptyCrlUri);
+
+ final KeyPair clientKeyPairInvalidClr = TlsResourceBuilder.createRSAKeyPair();
+ final X509Certificate clientCertificateInvalidClr =
+ TlsResourceBuilder.createCertificateWithCrlDistributionPoint(clientKeyPairInvalidClr,
+ caPair,
+ DN_CLIENT_REVOKED_INVALID_CRL,
+ nonExistingCrlUri);
+
+ final KeyCertificatePair intermediateCA =
+ TlsResourceBuilder.createKeyPairAndIntermediateCA(DN_INTERMEDIATE, caPair, crlUri);
+ final KeyPair clientKeyPairIntermediate = TlsResourceBuilder.createRSAKeyPair();
+ final X509Certificate clientCertificateIntermediate =
+ TlsResourceBuilder.createCertificateWithCrlDistributionPoint(clientKeyPairIntermediate,
+ intermediateCA,
+ DN_CLIENT_INT,
+ intermediateCrlUri);
+
+ final KeyPair clientKeyPairExpired = TlsResourceBuilder.createRSAKeyPair();
+ final Instant from = Instant.now().minus(10, ChronoUnit.DAYS);
+ final Instant to = Instant.now().minus(5, ChronoUnit.DAYS);
+ final X509Certificate clientCertificateExpired = TlsResourceBuilder.createCertificate(clientKeyPairExpired,
+ caPair,
+ "CN=user1",
+ from,
+ to);
+ _clientExpiredKeyStore =
+ TLS_RESOURCE.createKeyStore(
+ new PrivateKeyEntry("user1",
+ clientKeyPairExpired.getPrivate(),
+ clientCertificateExpired,
+ caPair.getCertificate())).toFile().getAbsolutePath();
+
+ _clientKeyStore = TLS_RESOURCE.createKeyStore(
+ new PrivateKeyEntry(CERT_ALIAS_APP1,
+ clientApp1KeyPair.getPrivate(),
+ clientApp1Certificate,
+ caPair.getCertificate()),
+ new PrivateKeyEntry(CERT_ALIAS_APP2,
+ clientApp2KeyPair.getPrivate(),
+ clientApp2Certificate,
+ caPair.getCertificate()),
+ new PrivateKeyEntry(CERT_ALIAS_ALLOWED,
+ clientAllowedKeyPair.getPrivate(),
+ clientAllowedCertificate,
+ caPair.getCertificate()),
+ new PrivateKeyEntry(CERT_ALIAS_REVOKED,
+ clientRevokedKeyPair.getPrivate(),
+ clientRevokedCertificate,
+ caPair.getCertificate()),
+ new PrivateKeyEntry(CERT_ALIAS_REVOKED_EMPTY_CRL,
+ clientKeyPairRevokedByEmpty.getPrivate(),
+ clientCertificateRevokedByEmpty,
+ caPair.getCertificate()),
+ new PrivateKeyEntry(CERT_ALIAS_REVOKED_INVALID_CRL_PATH,
+ clientKeyPairInvalidClr.getPrivate(),
+ clientCertificateInvalidClr,
+ caPair.getCertificate()),
+ new PrivateKeyEntry(CERT_ALIAS_ALLOWED_WITH_INTERMEDIATE,
+ clientKeyPairIntermediate.getPrivate(),
+ clientCertificateIntermediate,
+ intermediateCA.getCertificate(),
+ caPair.getCertificate()),
+ new CertificateEntry(CERT_ALIAS_ROOT_CA, caPair.getCertificate())).toFile().getAbsolutePath();
+
+ _clientTrustStore = TLS_RESOURCE.createKeyStore(new CertificateEntry(CERT_ALIAS_ROOT_CA,
+ caPair.getCertificate()))
+ .toFile()
+ .getAbsolutePath();
+
+ final Path crl = TLS_RESOURCE.createCrlAsDer(caPair, clientRevokedCertificate, intermediateCA.getCertificate());
+ Files.copy(crl, _crlFile, StandardCopyOption.REPLACE_EXISTING);
+
+ final Path emptyCrl = TLS_RESOURCE.createCrlAsDer(caPair);
+ Files.copy(emptyCrl, _emptyCrlFile, StandardCopyOption.REPLACE_EXISTING);
+
+ final Path intermediateCrl = TLS_RESOURCE.createCrlAsDer(caPair);
+ Files.copy(intermediateCrl, _intermediateCrlFile, StandardCopyOption.REPLACE_EXISTING);
+
+ final KeyCertificatePair clientKeyPairUntrusted = TlsResourceBuilder.createSelfSigned(DN_CLIENT_UNTRUSTED);
+ _clientUntrustedKeyStore = TLS_RESOURCE.createKeyStore(
+ new PrivateKeyEntry(CERT_ALIAS_APP1,
+ clientKeyPairUntrusted.getPrivateKey(),
+ clientKeyPairUntrusted.getCertificate()))
+ .toFile()
+ .getAbsolutePath();
}
@AfterClass
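Review bot: The CRL served for the intermediate-issued leaf is signed by the root, `TLS_RESOURCE.createCrlAsDer(caPair)` at L8832, while that leaf's distribution point (L8772) names a CRL for the issuer `intermediateCA`; if `createCrlAsDer` signs with its first argument, as the other two calls suggest, a PKIX revocation checker will not match a root-signed CRL to an intermediate-issued certificate, and the only-end-entity test later in the diff presumably passes only because it ignores soft failures, so consider `final Path intermediateCrl = TLS_RESOURCE.createCrlAsDer(intermediateCA);`. Separately, `javax.net.debug=ssl` is set at L8694 but the tearDown hunk below clears only `amqj.MaximumStateWait`, so handshake-level logging leaks into every later test class in the same JVM; clear it in tearDown or drop it. Minor: `clientKeyPairInvalidClr`/`clientCertificateInvalidClr` are misspelled (`Crl`), and `_brokerPeerStore` keys its entry by `DN_CLIENT_APP1` where every other store uses a `CERT_ALIAS_*` constant. setUp's signature lies in the preceding hunk.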
@@ -124,11 +313,6 @@
System.clearProperty("amqj.MaximumStateWait");
}
- if (getProtocol() != Protocol.AMQP_1_0)
- {
- System.clearProperty("javax.net.ssl.trustStoreType");
- System.clearProperty("javax.net.ssl.keyStoreType");
- }
CRL_SERVER.stop();
}
@@ -140,65 +324,45 @@
getProtocol(),
is(not(equalTo(Protocol.AMQP_1_0))));
- final int port = createAuthenticationProviderAndUserAndPort(getTestName(), "MD5", USER, USER_PASSWORD);
+ final int port = createAuthenticationProviderAndUserAndPort(getTestName(), "MD5");
- assertPlainConnectivity(port, USER, USER_PASSWORD, CramMd5HashedNegotiator.MECHANISM);
+ assertPlainConnectivity(port, CramMd5HashedNegotiator.MECHANISM);
}
@Test
public void sha256() throws Exception
{
final int port = createAuthenticationProviderAndUserAndPort(getTestName(),
- ScramSHA256AuthenticationManager.PROVIDER_TYPE,
- USER,
- USER_PASSWORD);
+ ScramSHA256AuthenticationManager.PROVIDER_TYPE);
- assertPlainConnectivity(port, USER, USER_PASSWORD, ScramSHA256AuthenticationManager.MECHANISM);
+ assertPlainConnectivity(port, ScramSHA256AuthenticationManager.MECHANISM);
}
@Test
public void sha1() throws Exception
{
final int port = createAuthenticationProviderAndUserAndPort(getTestName(),
- ScramSHA1AuthenticationManager.PROVIDER_TYPE,
- USER,
- USER_PASSWORD);
+ ScramSHA1AuthenticationManager.PROVIDER_TYPE);
- assertPlainConnectivity(port, USER, USER_PASSWORD, ScramSHA1AuthenticationManager.MECHANISM);
+ assertPlainConnectivity(port, ScramSHA1AuthenticationManager.MECHANISM);
}
@Test
public void external() throws Exception
{
- final int port = createExternalProviderAndTlsPort();
- Connection connection = getConnectionBuilder().setPort(port)
- .setTls(true)
- .setSaslMechanisms(ExternalAuthenticationManagerImpl.MECHANISM_NAME)
- .setKeyStoreLocation(TestSSLConstants.CLIENT_KEYSTORE)
- .setKeyStorePassword(TestSSLConstants.PASSWORD)
- .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
- .setTrustStorePassword(TestSSLConstants.PASSWORD)
- .build();
- try
- {
- final Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
- assertNotNull("Temporary queue was not created", session.createTemporaryQueue());
- }
- finally
- {
- connection.close();
- }
+ final int port = createExternalProviderAndTlsPort(getBrokerTrustStoreAttributes(), null, false);
+ assertTlsConnectivity(port, CERT_ALIAS_ALLOWED);
}
+ @Test
public void externalWithRevocationWithDataUrlCrlFileAndAllowedCertificate() throws Exception
{
final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
- trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL,
- FileTrustStoreTest.createDataUrlForFile(TestSSLConstants.CA_CRL));
- final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
- assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_ALLOWED);
+ trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, createDataUrlForFile(_crlFile));
+ final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, false);
+ assertTlsConnectivity(port, CERT_ALIAS_ALLOWED);
}
@Test
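Review bot: `USER` and `USER_PASSWORD` (L8636–L8637) are no longer passed to `createAuthenticationProviderAndUserAndPort` or `assertPlainConnectivity` in any visible hunk, so they look like dead constants unless a helper outside this view still reads them; if nothing does, remove them. Every caller now repeats the `, null, false` tail because the one-argument overload is deleted later in the diff (L9345); a small delegating `createExternalProviderAndTlsPort(trustStoreAttributes)` would keep the twenty-odd call sites readable. The first test in this hunk begins in the preceding hunk.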
@@ -206,10 +370,9 @@
{
final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
- trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL,
- FileTrustStoreTest.createDataUrlForFile(TestSSLConstants.CA_CRL));
- final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
- assertNoTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_REVOKED);
+ trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, createDataUrlForFile(_crlFile));
+ final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, false);
+ assertNoTlsConnectivity(port, CERT_ALIAS_REVOKED);
}
@Test
@@ -217,9 +380,9 @@
{
final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
- trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL);
- final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
- assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_ALLOWED);
+ trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, _crlFile.toFile().getAbsolutePath());
+ final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, false);
+ assertTlsConnectivity(port, CERT_ALIAS_ALLOWED);
}
@Test
@@ -227,10 +390,11 @@
{
final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
- trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL);
- trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_WITH_PREFERRING_CERTIFICATE_REVOCATION_LIST, false);
- final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
- assertNoTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_ALLOWED);
+ trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, _crlFile.toFile().getAbsolutePath());
+ trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_WITH_PREFERRING_CERTIFICATE_REVOCATION_LIST,
+ false);
+ final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, false);
+ assertNoTlsConnectivity(port, CERT_ALIAS_ALLOWED);
}
@Test
@@ -238,9 +402,9 @@
{
final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
- trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL);
- final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
- assertNoTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_REVOKED);
+ trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, _crlFile.toFile().getAbsolutePath());
+ final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, false);
+ assertNoTlsConnectivity(port, CERT_ALIAS_REVOKED);
}
@Test
@@ -248,42 +412,37 @@
{
final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
- trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL_EMPTY);
- final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
- assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_ALLOWED);
+ trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL,
+ _emptyCrlFile.toFile().getAbsolutePath());
+ final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, false);
+ assertTlsConnectivity(port, CERT_ALIAS_ALLOWED);
}
@Test
public void externalWithRevocationAndAllowedCertificateWithCrlUrl() throws Exception
{
- assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'",
- CRL_SERVER, is(not(equalTo(null))));
final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
- final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
- assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_ALLOWED);
+ final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, false);
+ assertTlsConnectivity(port, CERT_ALIAS_ALLOWED);
}
@Test
public void externalWithRevocationAndRevokedCertificateWithCrlUrl() throws Exception
{
- assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'",
- CRL_SERVER, is(not(equalTo(null))));
final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
- final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
- assertNoTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_REVOKED);
+ final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, false);
+ assertNoTlsConnectivity(port, CERT_ALIAS_REVOKED);
}
@Test
public void externalWithRevocationAndRevokedCertificateWithCrlUrlWithEmptyCrl() throws Exception
{
- assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'",
- CRL_SERVER, is(not(equalTo(null))));
final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
- final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
- assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_REVOKED_EMPTY_CRL);
+ final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, false);
+ assertTlsConnectivity(port, CERT_ALIAS_REVOKED_EMPTY_CRL);
}
@Test
@@ -291,91 +450,93 @@
{
final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, false);
- trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL);
- final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
- assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_REVOKED);
+ trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, _crlFile.toFile().getAbsolutePath());
+ final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, false);
+ assertTlsConnectivity(port, CERT_ALIAS_REVOKED);
}
@Test
public void externalWithRevocationDisabledWithCrlUrlInRevokedCertificate() throws Exception
{
- assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'",
- CRL_SERVER, is(not(equalTo(null))));
final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, false);
- final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
- assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_REVOKED);
+ final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, false);
+ assertTlsConnectivity(port, CERT_ALIAS_REVOKED);
}
@Test
public void externalWithRevocationAndRevokedCertificateWithCrlUrlWithSoftFail() throws Exception
{
- assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'",
- CRL_SERVER, is(not(equalTo(null))));
final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_WITH_IGNORING_SOFT_FAILURES, true);
- final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
- assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_REVOKED_INVALID_CRL_PATH);
+ final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, false);
+ assertTlsConnectivity(port, CERT_ALIAS_REVOKED_INVALID_CRL_PATH);
}
@Test
public void externalWithRevocationAndRevokedCertificateWithCrlUrlWithoutPreferCrls() throws Exception
{
- assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'",
- CRL_SERVER, is(not(equalTo(null))));
final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
- trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_WITH_PREFERRING_CERTIFICATE_REVOCATION_LIST, false);
- final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
- assertNoTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_ALLOWED);
+ trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_WITH_PREFERRING_CERTIFICATE_REVOCATION_LIST,
+ false);
+ final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, false);
+ assertNoTlsConnectivity(port, CERT_ALIAS_ALLOWED);
}
@Test
public void externalWithRevocationAndRevokedCertificateWithCrlUrlWithoutPreferCrlsWithFallback() throws Exception
{
- assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'",
- CRL_SERVER, is(not(equalTo(null))));
final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
- trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_WITH_PREFERRING_CERTIFICATE_REVOCATION_LIST, false);
+ trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_WITH_PREFERRING_CERTIFICATE_REVOCATION_LIST,
+ false);
trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_WITH_NO_FALLBACK, false);
- final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
- assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_ALLOWED);
+ final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, false);
+ assertTlsConnectivity(port, CERT_ALIAS_ALLOWED);
}
@Test
public void externalWithRevocationAndRevokedIntermediateCertificateWithCrlUrl() throws Exception
{
- assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'",
- CRL_SERVER, is(not(equalTo(null))));
final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_OF_ONLY_END_ENTITY_CERTIFICATES, false);
trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_WITH_IGNORING_SOFT_FAILURES, true);
- final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
- assertNoTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_ALLOWED_WITH_INTERMEDIATE);
+ final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, false);
+ assertNoTlsConnectivity(port, CERT_ALIAS_ALLOWED_WITH_INTERMEDIATE);
}
@Test
public void externalWithRevocationAndRevokedIntermediateCertificateWithCrlUrlOnlyEndEntity() throws Exception
{
- assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'",
- CRL_SERVER, is(not(equalTo(null))));
final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_OF_ONLY_END_ENTITY_CERTIFICATES, true);
trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_WITH_IGNORING_SOFT_FAILURES, true);
- final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
- assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_ALLOWED_WITH_INTERMEDIATE);
+ final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, false);
+ assertTlsConnectivity(port, CERT_ALIAS_ALLOWED_WITH_INTERMEDIATE);
}
@Test
public void externalDeniesUntrustedClientCert() throws Exception
{
assumeThat("QPID-8069", getProtocol(), is(anyOf(equalTo(Protocol.AMQP_1_0), equalTo(Protocol.AMQP_0_10))));
- final int port = createExternalProviderAndTlsPort();
- assertNoTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_UNTRUSTED_CLIENT);
+
+ final int port = createExternalProviderAndTlsPort(getBrokerTrustStoreAttributes(), null, false);
+
+ try
+ {
+ getConnectionBuilder(port, CERT_ALIAS_UNTRUSTED_CLIENT).setKeyStoreLocation(_clientUntrustedKeyStore)
+ .build()
+ .close();
+ fail("Should not be able to create a connection to the SSL port");
+ }
+ catch (JMSException e)
+ {
+ // pass
+ }
}
@Test
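Review bot: `externalDeniesUntrustedClientCert` now treats any `JMSException` from `build()` as a pass (L9134–L9137), so a failure unrelated to the untrusted certificate — wrong port, SASL mechanism mismatch — would satisfy the test too; assert on the failure where the client exposes it (for example an `SSLException` in the cause chain), or at least record the assumption, `// the JMS client surfaces the TLS handshake rejection as a JMSException`. The block also duplicates `assertNoTlsConnectivity` with a different key store; an overload taking the key-store path would avoid the inline copy. The same `// pass` swallow appears at L9166–L9169 in the next hunk.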
@@ -384,26 +545,26 @@
assumeThat("QPID-8069", getProtocol(), is(anyOf(equalTo(Protocol.AMQP_1_0), equalTo(Protocol.AMQP_0_10))));
final Map<String, Object> trustStoreAttributes = new HashMap<>();
- trustStoreAttributes.put(FileTrustStore.STORE_URL, TestSSLConstants.BROKER_PEERSTORE);
- trustStoreAttributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
+ trustStoreAttributes.put(FileTrustStore.STORE_URL, _brokerPeerStore);
+ trustStoreAttributes.put(FileTrustStore.PASSWORD, TLS_RESOURCE.getSecret());
trustStoreAttributes.put(FileTrustStore.TRUST_ANCHOR_VALIDITY_ENFORCED, true);
- final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
+ final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, false);
try
{
getConnectionBuilder().setPort(port)
.setTls(true)
.setSaslMechanisms(ExternalAuthenticationManagerImpl.MECHANISM_NAME)
- .setKeyStoreLocation(TestSSLConstants.CLIENT_EXPIRED_KEYSTORE)
- .setKeyStorePassword(TestSSLConstants.PASSWORD)
- .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
- .setTrustStorePassword(TestSSLConstants.PASSWORD)
+ .setKeyStoreLocation(_clientExpiredKeyStore)
+ .setKeyStorePassword(TLS_RESOURCE.getSecret())
+ .setTrustStoreLocation(_clientTrustStore)
+ .setTrustStorePassword(TLS_RESOURCE.getSecret())
.build();
fail("Connection should not succeed");
}
catch (JMSException e)
{
- e.printStackTrace();
+ // pass
}
}
@@ -411,48 +572,38 @@
public void externalWithPeersOnlyTrustStore() throws Exception
{
final Map<String, Object> trustStoreAttributes = new HashMap<>();
- trustStoreAttributes.put(FileTrustStore.STORE_URL, TestSSLConstants.BROKER_PEERSTORE);
- trustStoreAttributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
+ trustStoreAttributes.put(FileTrustStore.STORE_URL, _brokerPeerStore);
+ trustStoreAttributes.put(FileTrustStore.PASSWORD, TLS_RESOURCE.getSecret());
trustStoreAttributes.put(FileTrustStore.PEERS_ONLY, true);
- final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
- assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_APP1);
+ final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, false);
+ assertTlsConnectivity(port, CERT_ALIAS_APP1);
assumeThat("QPID-8069", getProtocol(), is(anyOf(equalTo(Protocol.AMQP_1_0), equalTo(Protocol.AMQP_0_10))));
- assertNoTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_APP2);
+ assertNoTlsConnectivity(port, CERT_ALIAS_APP2);
}
@Test
public void externalWithRegularAndPeersOnlyTrustStores() throws Exception
{
final String trustStoreName = getTestName() + "RegularTrustStore";
- final Connection brokerConnection = getConnectionBuilder().setVirtualHost("$management").build();
- try
- {
- brokerConnection.start();
+ try (final BrokerManagementHelper helper = new BrokerManagementHelper(getConnectionBuilder(),
+ new AmqpManagementFacade(getProtocol())))
+ {
final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
- trustStoreAttributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
-
- createEntity(trustStoreName,
- FileTrustStore.class.getName(),
- trustStoreAttributes,
- brokerConnection);
-
- }
- finally
- {
- brokerConnection.close();
+ helper.openManagementConnection()
+ .createEntity(trustStoreName, FileTrustStore.class.getName(), trustStoreAttributes);
}
final Map<String, Object> trustStoreAttributes = new HashMap<>();
- trustStoreAttributes.put(FileTrustStore.STORE_URL, TestSSLConstants.BROKER_PEERSTORE);
- trustStoreAttributes.put(FileTrustStore.PASSWORD,TestSSLConstants.PASSWORD);
+ trustStoreAttributes.put(FileTrustStore.STORE_URL, _brokerPeerStore);
+ trustStoreAttributes.put(FileTrustStore.PASSWORD, TLS_RESOURCE.getSecret());
trustStoreAttributes.put(FileTrustStore.PEERS_ONLY, true);
final int port = createExternalProviderAndTlsPort(trustStoreAttributes, trustStoreName, false);
- assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_APP1);
+ assertTlsConnectivity(port, CERT_ALIAS_APP1);
//use the app2 cert, which is NOT in the peerstore (but is signed by the same CA as app1)
- assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_APP2);
+ assertTlsConnectivity(port, CERT_ALIAS_APP2);
}
@Test
@@ -462,19 +613,16 @@
final String clientId = getTestName();
final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, true);
- final Connection connection = getConnectionBuilder().setPort(port)
- .setTls(true)
- .setSaslMechanisms(ExternalAuthenticationManagerImpl.MECHANISM_NAME)
- .setKeyStoreLocation(TestSSLConstants.CLIENT_KEYSTORE)
- .setKeyStorePassword(TestSSLConstants.PASSWORD)
- .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
- .setTrustStorePassword(TestSSLConstants.PASSWORD)
- .setKeyAlias(TestSSLConstants.CERT_ALIAS_APP2)
- .setClientId(clientId)
- .build();
+ final Connection connection = getConnectionBuilder(port, CERT_ALIAS_APP2).setClientId(clientId).build();
try
{
- assertConnectionPrincipal( clientId, "CN=app2@acme.org,OU=art,O=acme,L=Toronto,ST=ON,C=CA");
+ try (final BrokerManagementHelper helper = new BrokerManagementHelper(getConnectionBuilder(),
+ new AmqpManagementFacade(getProtocol())))
+ {
+ String principal =
+ helper.openManagementConnection().getConnectionPrincipalByClientId(getPortName(), clientId);
+ assertEquals("Unexpected principal", "CN=app2@acme.org,OU=art,O=acme,L=Toronto,ST=ON,C=CA", principal);
+ }
}
catch (JMSException e)
{
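Review bot: The expected principal `"CN=app2@acme.org,OU=art,O=acme,L=Toronto,ST=ON,C=CA"` at L9251 is a hard-coded copy of the subject that `buildTlsResources` issues from `DN_CLIENT_APP2` (L8735); if that constant holds the same string, compare against it, `assertEquals("Unexpected principal", DN_CLIENT_APP2, principal);`, so the two cannot drift apart, and likewise derive `"app2@acme.org"` at L9278 in the next hunk from it. `String principal` at L9249 (and L9276) is the only non-final local in a file that otherwise declares locals `final`. The enclosing test method's signature and its `finally` lie outside this hunk.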
@@ -493,19 +641,16 @@
final String clientId = getTestName();
final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, false);
- final Connection connection = getConnectionBuilder().setPort(port)
- .setTls(true)
- .setSaslMechanisms(ExternalAuthenticationManagerImpl.MECHANISM_NAME)
- .setKeyStoreLocation(TestSSLConstants.CLIENT_KEYSTORE)
- .setKeyStorePassword(TestSSLConstants.PASSWORD)
- .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
- .setTrustStorePassword(TestSSLConstants.PASSWORD)
- .setKeyAlias(TestSSLConstants.CERT_ALIAS_APP2)
- .setClientId(clientId)
- .build();
+ final Connection connection = getConnectionBuilder(port, CERT_ALIAS_APP2).setClientId(clientId).build();
try
{
- assertConnectionPrincipal( clientId, "app2@acme.org");
+ try (final BrokerManagementHelper helper = new BrokerManagementHelper(getConnectionBuilder(),
+ new AmqpManagementFacade(getProtocol())))
+ {
+ String principal =
+ helper.openManagementConnection().getConnectionPrincipalByClientId(getPortName(), clientId);
+ assertEquals("Unexpected principal", "app2@acme.org", principal);
+ }
}
catch (JMSException e)
{
@@ -517,135 +662,38 @@
}
}
- private void assertConnectionPrincipal(final String clientId, final String expectedPrincipal) throws Exception
- {
- final Connection brokerConnection = getConnectionBuilder().setVirtualHost("$management").build();
- try
- {
- brokerConnection.start();
-
- String principal = null;
- final List<Map<String, Object>> connections = queryEntitiesUsingAmqpManagement("org.apache.qpid.Connection", brokerConnection);
- for (final Map<String, Object> connection : connections)
- {
- final String name = String.valueOf(connection.get(ConfiguredObject.NAME));
- final Map<String, Object> attributes;
- try
- {
- attributes = readEntityUsingAmqpManagement(
- getPortName() + "/" + name,
- "org.apache.qpid.Connection",
- false,
- brokerConnection);
- }
- catch (AmqpManagementFacade.OperationUnsuccessfulException e)
- {
- LOGGER.error("Read operation failed for an existing object '{}' having attributes '{}': {}",
- getPortName() + "/" + name,
- connection,
- e.getMessage(),
- e);
- throw e;
- }
- if (attributes.get(org.apache.qpid.server.model.Connection.CLIENT_ID).equals(clientId))
- {
- principal = String.valueOf(attributes.get(org.apache.qpid.server.model.Connection.PRINCIPAL));
- break;
- }
- }
- assertEquals("Unexpected principal", expectedPrincipal, principal);
- }
- finally
- {
- brokerConnection.close();
- }
- }
-
private Map<String, Object> getBrokerTrustStoreAttributes()
{
final Map<String, Object> trustStoreAttributes = new HashMap<>();
- trustStoreAttributes.put(FileTrustStore.STORE_URL, TestSSLConstants.BROKER_TRUSTSTORE);
- trustStoreAttributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
+ trustStoreAttributes.put(FileTrustStore.STORE_URL, _brokerTrustStore);
+ trustStoreAttributes.put(FileTrustStore.PASSWORD, TLS_RESOURCE.getSecret());
+ trustStoreAttributes.put(FileTrustStore.TRUST_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
return trustStoreAttributes;
}
- private int createExternalProviderAndTlsPort() throws Exception
- {
- return createExternalProviderAndTlsPort(getBrokerTrustStoreAttributes());
- }
-
- private int createExternalProviderAndTlsPort(final Map<String, Object> trustStoreAttributes) throws Exception
- {
- return createExternalProviderAndTlsPort(trustStoreAttributes, null, false);
- }
-
private int createExternalProviderAndTlsPort(final Map<String, Object> trustStoreAttributes,
final String additionalTrustStore,
final boolean useFullDN) throws Exception
{
final String providerName = getTestName();
- final Connection connection = getConnectionBuilder().setVirtualHost("$management").build();
- try
+ final String keyStoreName = providerName + "KeyStore";
+ final String trustStoreName = providerName + "TrustStore";
+ final String portName = getPortName();
+ final Map<String, Object> trustStoreSettings = new HashMap<>(trustStoreAttributes);
+
+ final String[] trustStores = additionalTrustStore == null
+ ? new String[]{trustStoreName}
+ : new String[]{trustStoreName, additionalTrustStore};
+
+ try (BrokerManagementHelper helper = new BrokerManagementHelper(getConnectionBuilder(),
+ new AmqpManagementFacade(getProtocol())))
{
- connection.start();
-
- final Map<String, Object> providerAttributes = new HashMap<>();
- providerAttributes.put("qpid-type", ExternalAuthenticationManager.PROVIDER_TYPE);
- providerAttributes.put(ExternalAuthenticationManager.ATTRIBUTE_USE_FULL_DN, useFullDN);
- createEntity(providerName,
- AuthenticationProvider.class.getName(),
- providerAttributes,
- connection);
-
- final Map<String, Object> keyStoreAttributes = new HashMap<>();
- keyStoreAttributes.put("storeUrl", TestSSLConstants.BROKER_KEYSTORE);
- keyStoreAttributes.put("password", TestSSLConstants.PASSWORD);
- keyStoreAttributes.put("keyStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE);
-
- final String keyStoreName = providerName + "KeyStore";
- createEntity(keyStoreName,
- FileKeyStore.class.getName(),
- keyStoreAttributes,
- connection);
-
- final Map<String, Object> trustStoreSettings = new HashMap<>(trustStoreAttributes);
- trustStoreSettings.put("trustStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE);
- final String trustStoreName = providerName + "TrustStore";
- createEntity(trustStoreName,
- FileTrustStore.class.getName(),
- trustStoreSettings,
- connection);
-
- final String portName = getPortName();
- final Map<String, Object> sslPortAttributes = new HashMap<>();
- sslPortAttributes.put(Port.TRANSPORTS, "[\"SSL\"]");
- sslPortAttributes.put(Port.PORT, 0);
- sslPortAttributes.put(Port.AUTHENTICATION_PROVIDER, providerName);
- sslPortAttributes.put(Port.NEED_CLIENT_AUTH, true);
- sslPortAttributes.put(Port.WANT_CLIENT_AUTH, false);
- sslPortAttributes.put(Port.NAME, portName);
- sslPortAttributes.put(Port.KEY_STORE, keyStoreName);
- final String trustStores = additionalTrustStore == null
- ? "[\"" + trustStoreName + "\"]"
- : "[\"" + trustStoreName + "\",\"" + additionalTrustStore + "\"]";
- sslPortAttributes.put(Port.TRUST_STORES, trustStores);
-
- createEntity(portName,
- "org.apache.qpid.AmqpPort",
- sslPortAttributes,
- connection);
-
- final Map<String, Object> portEffectiveAttributes =
- readEntityUsingAmqpManagement(portName, "org.apache.qpid.AmqpPort", false, connection);
- if (portEffectiveAttributes.containsKey("boundPort"))
- {
- return (int) portEffectiveAttributes.get("boundPort");
- }
- throw new RuntimeException("Bound port is not found");
- }
- finally
- {
- connection.close();
+ return helper.openManagementConnection()
+ .createExternalAuthenticationProvider(providerName, useFullDN)
+ .createKeyStore(keyStoreName, _brokerKeyStore, TLS_RESOURCE.getSecret())
+ .createEntity(trustStoreName, FileTrustStore.class.getName(), trustStoreSettings)
+ .createAmqpTlsPort(portName, providerName, keyStoreName, false, true, false, trustStores)
+ .getAmqpBoundPort(portName);
}
}
@@ -655,56 +703,40 @@
}
private int createAuthenticationProviderAndUserAndPort(final String providerName,
- final String providerType,
- final String userName,
- final String userPassword) throws Exception
+ final String providerType) throws Exception
{
- final Connection connection = getConnectionBuilder().setVirtualHost("$management").build();
- try
+
+ final String portName = providerName + "Port";
+ final Map<String, Object> portAttributes = new HashMap<>();
+ portAttributes.put(Port.AUTHENTICATION_PROVIDER, providerName);
+ portAttributes.put(Port.PORT, 0);
+
+ try (BrokerManagementHelper helper = new BrokerManagementHelper(getConnectionBuilder(),
+ new AmqpManagementFacade(getProtocol())))
{
- connection.start();
-
- createEntity(providerName,
- AuthenticationProvider.class.getName(),
- Collections.singletonMap("qpid-type", providerType),
- connection);
- final Map<String, Object> userAttributes = new HashMap<>();
- userAttributes.put("qpid-type", "managed");
- userAttributes.put(User.PASSWORD, userPassword);
- userAttributes.put("object-path", providerName);
- createEntity(userName, User.class.getName(), userAttributes, connection);
-
- final String portName = providerName + "Port";
- final Map<String, Object> portAttributes = new HashMap<>();
- portAttributes.put(Port.AUTHENTICATION_PROVIDER, providerName);
- portAttributes.put(Port.PORT, 0);
- createEntity(portName, "org.apache.qpid.AmqpPort", portAttributes, connection);
-
- final Map<String, Object> portEffectiveAttributes =
- readEntityUsingAmqpManagement(portName, "org.apache.qpid.AmqpPort", false, connection);
- if (portEffectiveAttributes.containsKey("boundPort"))
- {
- return (int) portEffectiveAttributes.get("boundPort");
- }
- throw new RuntimeException("Bound port is not found");
- }
- finally
- {
- connection.close();
+ return helper.openManagementConnection()
+ .createAuthenticationProvider(providerName, providerType)
+ .createUser(providerName, USER, USER_PASSWORD)
+ .createEntity(portName, "org.apache.qpid.AmqpPort", portAttributes)
+ .getAmqpBoundPort(portName);
}
}
private Connection getConnection(int port, String certificateAlias) throws NamingException, JMSException
{
+ return getConnectionBuilder(port, certificateAlias).build();
+ }
+
+ private ConnectionBuilder getConnectionBuilder(int port, String certificateAlias)
+ {
return getConnectionBuilder().setPort(port)
- .setTls(true)
- .setSaslMechanisms(ExternalAuthenticationManagerImpl.MECHANISM_NAME)
- .setKeyStoreLocation(TestSSLConstants.CLIENT_KEYSTORE)
- .setKeyStorePassword(TestSSLConstants.PASSWORD)
- .setKeyAlias(certificateAlias)
- .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
- .setTrustStorePassword(TestSSLConstants.PASSWORD)
- .build();
+ .setTls(true)
+ .setSaslMechanisms(ExternalAuthenticationManagerImpl.MECHANISM_NAME)
+ .setKeyStoreLocation(_clientKeyStore)
+ .setKeyStorePassword(TLS_RESOURCE.getSecret())
+ .setKeyAlias(certificateAlias)
+ .setTrustStoreLocation(_clientTrustStore)
+ .setTrustStorePassword(TLS_RESOURCE.getSecret());
}
private void assertTlsConnectivity(int port, String certificateAlias) throws NamingException, JMSException
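Review bot: The new `getConnectionBuilder(int port, String certificateAlias)` overload has no comment saying what it wires up, and the body of `createAuthenticationProviderAndUserAndPort` now opens with a stray blank `+` line directly after the `{`. A one-line Javadoc on the overload would do: `/** Builder for a TLS connection to {@code port} that authenticates with the mechanism named by ExternalAuthenticationManagerImpl.MECHANISM_NAME, presenting the client key under {@code certificateAlias} from the generated client store. */`. Dropping the blank line keeps the method consistent with `createExternalProviderAndTlsPort` above, which starts straight into its locals.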
@@ -734,16 +766,15 @@
}
}
+
private void assertPlainConnectivity(final int port,
- final String userName,
- final String userPassword,
final String mechanism) throws Exception
{
final Connection connection = getConnectionBuilder().setPort(port)
- .setUsername(userName)
- .setPassword(userPassword)
- .setSaslMechanisms(mechanism)
- .build();
+ .setUsername(USER)
+ .setPassword(USER_PASSWORD)
+ .setSaslMechanisms(mechanism)
+ .build();
try
{
final Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
@@ -758,8 +789,8 @@
try
{
getConnectionBuilder().setPort(port)
- .setUsername(userName)
- .setPassword("invalid" + userPassword)
+ .setUsername(USER)
+ .setPassword("invalid" + USER_PASSWORD)
.setSaslMechanisms(mechanism)
.build();
fail("Connection is established for invalid password");
@@ -772,8 +803,8 @@
try
{
getConnectionBuilder().setPort(port)
- .setUsername("invalid" + userName)
- .setPassword(userPassword)
+ .setUsername("invalid" + AuthenticationTest.USER)
+ .setPassword(USER_PASSWORD)
.setSaslMechanisms(mechanism)
.build();
fail("Connection is established for invalid user name");
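Review bot: `.setUsername("invalid" + AuthenticationTest.USER)` qualifies the constant while the two earlier hunks in this file use bare `USER` and `USER_PASSWORD`; pick one form. If this file is AuthenticationTest the qualifier is redundant and `.setUsername("invalid" + USER)` matches its siblings; if the constants live in another class, the other references should carry the same qualifier so the origin of the shared credentials is visible at each use.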
@@ -792,10 +823,17 @@
HANDLERS.addHandler(contextHandler);
}
+
+ public static String createDataUrlForFile(Path file) throws IOException
+ {
+ return DataUrlUtils.getDataUrlForBytes(Files.readAllBytes(file));
+ }
+
private static class CrlServerHandler extends AbstractHandler
{
final Path crlPath;
- public CrlServerHandler(Path crlPath)
+
+ CrlServerHandler(Path crlPath)
{
this.crlPath = crlPath;
}
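Review bot: `createDataUrlForFile` is a new public static utility with no documentation; the body shows it reads the whole file with `Files.readAllBytes` and passes the bytes to `DataUrlUtils.getDataUrlForBytes`. Add `/** Reads {@code file} completely and returns the bytes wrapped by DataUrlUtils; the entire content is held in memory, so this is meant for small test artefacts such as generated stores. */`. If other test classes need the same conversion, it would sit more naturally in the test utilities next to TlsResource than on this test class.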
@@ -806,9 +844,10 @@
{
final byte[] crlBytes = Files.readAllBytes(crlPath);
response.setStatus(HttpServletResponse.SC_OK);
- final OutputStream responseBody = response.getOutputStream();
- responseBody.write(crlBytes);
- responseBody.close();
+ try (final OutputStream responseBody = response.getOutputStream())
+ {
+ responseBody.write(crlBytes);
+ }
}
}
}
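Review bot: The CRL handler sets a status but no media type before writing the bytes; `response.setContentType("application/pkix-crl");` beside the `setStatus` call would let any client that inspects the type handle the response correctly, though the test client presumably does not check it. Replacing the unconditional `close()` with try-with-resources is the right fix for the previous leak on a failed write. The enclosing handler method starts outside the hunk.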
diff --git a/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/tls/TlsTest.java b/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/tls/TlsTest.java
index da61319..ac07103 100644
--- a/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/tls/TlsTest.java
+++ b/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/tls/TlsTest.java
@@ -20,7 +20,6 @@
*/
package org.apache.qpid.systests.jms_1_1.extensions.tls;
-import static java.nio.charset.StandardCharsets.UTF_8;
import static org.hamcrest.CoreMatchers.anyOf;
import static org.hamcrest.CoreMatchers.equalTo;
import static org.hamcrest.CoreMatchers.is;
@@ -30,20 +29,12 @@
import static org.junit.Assume.assumeThat;
import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileOutputStream;
-import java.io.InputStream;
import java.io.UnsupportedEncodingException;
import java.net.InetSocketAddress;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
-import java.nio.file.Files;
-import java.security.Key;
-import java.security.cert.Certificate;
-import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
-import java.util.List;
import java.util.Map;
import javax.jms.Connection;
@@ -52,24 +43,29 @@
import org.junit.AfterClass;
import org.junit.BeforeClass;
+import org.junit.ClassRule;
import org.junit.Test;
-import org.apache.qpid.server.model.Port;
import org.apache.qpid.server.model.Protocol;
-import org.apache.qpid.server.security.FileKeyStore;
-import org.apache.qpid.server.security.FileTrustStore;
+import org.apache.qpid.test.utils.tls.TlsResource;
import org.apache.qpid.systests.AmqpManagementFacade;
-import org.apache.qpid.systests.ConnectionBuilder;
import org.apache.qpid.systests.JmsTestBase;
-import org.apache.qpid.test.utils.TestSSLConstants;
-import org.apache.qpid.test.utils.TestSSLUtils;
+import org.apache.qpid.systests.jms_1_1.extensions.BrokerManagementHelper;
+import org.apache.qpid.systests.jms_1_1.extensions.TlsHelper;
import org.apache.qpid.tests.utils.BrokerAdmin;
public class TlsTest extends JmsTestBase
{
+ @ClassRule
+ public static final TlsResource TLS_RESOURCE = new TlsResource();
+
+ private static TlsHelper _tlsHelper;
+
@BeforeClass
- public static void setUp()
+ public static void setUp() throws Exception
{
+ _tlsHelper = new TlsHelper(TLS_RESOURCE);
+
System.setProperty("javax.net.debug", "ssl");
// workaround for QPID-8069
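Review bot: `_tlsHelper` is populated in `setUp()` from the `@ClassRule` `TLS_RESOURCE`, which only works because JUnit 4 applies class rules before `@BeforeClass`; that ordering deserves a comment on the field, e.g. `// assigned in setUp(); TLS_RESOURCE is a @ClassRule, so its generated stores exist before @BeforeClass runs`. The static field also outlives the rule, and if TlsResource removes its files at class teardown any later use of `_tlsHelper` would see dangling paths; resetting it in the `@AfterClass` method (`_tlsHelper = null;`) makes that lifetime explicit.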
@@ -78,12 +74,6 @@
System.setProperty("amqj.MaximumStateWait", "4000");
}
- // legacy client keystore/truststore types can only be configured with JVM settings
- if (getProtocol() != Protocol.AMQP_1_0)
- {
- System.setProperty("javax.net.ssl.trustStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE);
- System.setProperty("javax.net.ssl.keyStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE);
- }
}
@AfterClass
@@ -94,12 +84,6 @@
{
System.clearProperty("amqj.MaximumStateWait");
}
-
- if (getProtocol() != Protocol.AMQP_1_0)
- {
- System.clearProperty("javax.net.ssl.trustStoreType");
- System.clearProperty("javax.net.ssl.keyStoreType");
- }
}
@Test
@@ -112,10 +96,10 @@
Connection connection = getConnectionBuilder().setPort(port)
.setHost(brokerAddress.getHostName())
.setTls(true)
- .setKeyStoreLocation(TestSSLConstants.CLIENT_KEYSTORE)
- .setKeyStorePassword(TestSSLConstants.PASSWORD)
- .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
- .setTrustStorePassword(TestSSLConstants.PASSWORD)
+ .setKeyStoreLocation(_tlsHelper.getClientKeyStore())
+ .setKeyStorePassword(TLS_RESOURCE.getSecret())
+ .setTrustStoreLocation(_tlsHelper.getClientTrustStore())
+ .setTrustStorePassword(TLS_RESOURCE.getSecret())
.build();
try
{
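Review bot: The four client-store builder lines from `.setKeyStoreLocation(_tlsHelper.getClientKeyStore())` to `.setTrustStorePassword(TLS_RESOURCE.getSecret())` are repeated verbatim in this hunk and in the later hunks of this file at `@@ -193,10 +177,10 @@`, `@@ -208,10 +192,10 @@` and `@@ -451,10 +435,10 @@`, and the trust-store pair alone in four more. The first file in this commit already introduces a `getConnectionBuilder(int port, String certificateAlias)` helper for the same purpose; a private helper here returning `getConnectionBuilder().setPort(port).setTls(true)` with the store locations and secrets applied would remove the duplication and keep the secret lookups in one place. Behaviour is unchanged either way, so this is a style point only.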
@@ -135,7 +119,7 @@
is(not(equalTo(Protocol.AMQP_1_0))));
int port = configureTlsPort(getTestPortName(), false, false, false);
- File trustCertFile = extractCertFileFromTestTrustStore();
+ File trustCertFile = TLS_RESOURCE.saveCertificateAsPem(_tlsHelper.getCaCertificate()).toFile();
InetSocketAddress brokerAddress = getBrokerAdmin().getBrokerAddress(BrokerAdmin.PortType.AMQP);
Connection connection = getConnectionBuilder().setPort(port)
@@ -193,10 +177,10 @@
getConnectionBuilder().setPort(port)
.setHost("127.0.0.1")
.setTls(true)
- .setKeyStoreLocation(TestSSLConstants.CLIENT_KEYSTORE)
- .setKeyStorePassword(TestSSLConstants.PASSWORD)
- .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
- .setTrustStorePassword(TestSSLConstants.PASSWORD)
+ .setKeyStoreLocation(_tlsHelper.getClientKeyStore())
+ .setKeyStorePassword(TLS_RESOURCE.getSecret())
+ .setTrustStoreLocation(_tlsHelper.getClientTrustStore())
+ .setTrustStorePassword(TLS_RESOURCE.getSecret())
.build();
fail("Exception not thrown");
}
@@ -208,10 +192,10 @@
Connection connection = getConnectionBuilder().setPort(port)
.setHost("127.0.0.1")
.setTls(true)
- .setKeyStoreLocation(TestSSLConstants.CLIENT_KEYSTORE)
- .setKeyStorePassword(TestSSLConstants.PASSWORD)
- .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
- .setTrustStorePassword(TestSSLConstants.PASSWORD)
+ .setKeyStoreLocation(_tlsHelper.getClientKeyStore())
+ .setKeyStorePassword(TLS_RESOURCE.getSecret())
+ .setTrustStoreLocation(_tlsHelper.getClientTrustStore())
+ .setTrustStorePassword(TLS_RESOURCE.getSecret())
.setVerifyHostName(false)
.build();
try
@@ -261,7 +245,7 @@
Connection connection = getConnectionBuilder().setClientId(getTestName())
.setPort(port)
.setTls(true)
- .setKeyAlias(TestSSLConstants.CERT_ALIAS_APP1)
+ .setKeyAlias(TlsHelper.CERT_ALIAS_APP1)
.build();
try
{
@@ -274,7 +258,7 @@
Connection connection2 = getConnectionBuilder().setPort(port)
.setTls(true)
- .setKeyAlias(TestSSLConstants.CERT_ALIAS_APP2)
+ .setKeyAlias(TlsHelper.CERT_ALIAS_APP2)
.build();
try
{
@@ -357,8 +341,8 @@
Connection connection = getConnectionBuilder().setPort(port)
.setHost(brokerAddress.getHostName())
.setTls(true)
- .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
- .setTrustStorePassword(TestSSLConstants.PASSWORD)
+ .setTrustStoreLocation(_tlsHelper.getClientTrustStore())
+ .setTrustStorePassword(TLS_RESOURCE.getSecret())
.build();
try
{
@@ -383,8 +367,8 @@
getConnectionBuilder().setPort(port)
.setHost(getBrokerAdmin().getBrokerAddress(BrokerAdmin.PortType.AMQP).getHostName())
.setTls(true)
- .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
- .setTrustStorePassword(TestSSLConstants.PASSWORD)
+ .setTrustStoreLocation(_tlsHelper.getClientTrustStore())
+ .setTrustStorePassword(TLS_RESOURCE.getSecret())
.build();
fail("Connection was established successfully");
}
@@ -404,8 +388,8 @@
Connection connection = getConnectionBuilder().setPort(port)
.setHost(brokerAddress.getHostName())
.setTls(true)
- .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
- .setTrustStorePassword(TestSSLConstants.PASSWORD)
+ .setTrustStoreLocation(_tlsHelper.getClientTrustStore())
+ .setTrustStorePassword(TLS_RESOURCE.getSecret())
.build();
try
{
@@ -429,8 +413,8 @@
getConnectionBuilder().setPort(port)
.setHost(getBrokerAdmin().getBrokerAddress(BrokerAdmin.PortType.AMQP).getHostName())
.setTls(true)
- .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
- .setTrustStorePassword(TestSSLConstants.PASSWORD)
+ .setTrustStoreLocation(_tlsHelper.getClientTrustStore())
+ .setTrustStorePassword(TLS_RESOURCE.getSecret())
.build();
fail("Connection was established successfully");
}
@@ -451,10 +435,10 @@
Connection connection = getConnectionBuilder().setPort(port)
.setHost(brokerAddress.getHostName())
.setTls(true)
- .setKeyStoreLocation(TestSSLConstants.CLIENT_KEYSTORE)
- .setKeyStorePassword(TestSSLConstants.PASSWORD)
- .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
- .setTrustStorePassword(TestSSLConstants.PASSWORD)
+ .setKeyStoreLocation(_tlsHelper.getClientKeyStore())
+ .setKeyStorePassword(TLS_RESOURCE.getSecret())
+ .setTrustStoreLocation(_tlsHelper.getClientTrustStore())
+ .setTrustStorePassword(TLS_RESOURCE.getSecret())
.build();
try
{
@@ -493,16 +477,18 @@
int port = configureTlsPort(getTestPortName(), true, false, false);
clearSslStoreSystemProperties();
- File[] certAndKeyFiles = extractResourcesFromTestKeyStore();
+
final Map<String, String> options = new HashMap<>();
- options.put("client_cert_path", encodePathOption(certAndKeyFiles[1].getCanonicalPath()));
- options.put("client_cert_priv_key_path", encodePathOption(certAndKeyFiles[0].getCanonicalPath()));
+ File keyFile = TLS_RESOURCE.savePrivateKeyAsPem(_tlsHelper.getClientPrivateKey()).toFile();
+ File certificateFile = TLS_RESOURCE.saveCertificateAsPem(_tlsHelper.getClientCerificate(), _tlsHelper.getCaCertificate()).toFile();
+ options.put("client_cert_path", encodePathOption(certificateFile.getCanonicalPath()));
+ options.put("client_cert_priv_key_path", encodePathOption(keyFile.getCanonicalPath()));
InetSocketAddress brokerAddress = getBrokerAdmin().getBrokerAddress(BrokerAdmin.PortType.AMQP);
Connection connection = getConnectionBuilder().setPort(port)
.setHost(brokerAddress.getHostName())
.setTls(true)
- .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
- .setTrustStorePassword(TestSSLConstants.PASSWORD)
+ .setTrustStoreLocation(_tlsHelper.getClientTrustStore())
+ .setTrustStorePassword(TLS_RESOURCE.getSecret())
.setVerifyHostName(false)
.setOptions(options)
.build();
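Review bot: `TLS_RESOURCE.savePrivateKeyAsPem(_tlsHelper.getClientPrivateKey())` writes the client's private key to a PEM file whose location and permissions are not visible here; worth confirming that TlsResource creates it with owner-only permissions and deletes it at class teardown, as the removed `extractResourcesFromTestKeyStore` left its temp files behind. `getClientCerificate()` is misspelt (the method is defined in TlsHelper, outside this diff) and that line exceeds the file's width; splitting it after the first argument keeps it readable. A short comment that the certificate file holds the client certificate followed by the CA certificate, in the order passed to `saveCertificateAsPem`, would help readers of the `client_cert_path` option.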
@@ -523,152 +509,33 @@
final boolean samePort) throws Exception
{
- return createTlsPort(portName,
- needClientAuth,
- wantClientAuth,
- samePort,
- getConnectionBuilder(),
- new AmqpManagementFacade(getProtocol()),
- getBrokerAdmin().getBrokerAddress(BrokerAdmin.PortType.AMQP).getPort());
- }
-
- public static int createTlsPort(final String portName,
- final boolean needClientAuth,
- final boolean wantClientAuth,
- final boolean plainAndSsl,
- final ConnectionBuilder connectionBuilder,
- final AmqpManagementFacade managementFacade,
- final int brokerPort) throws Exception
- {
- Connection connection = connectionBuilder.setVirtualHost("$management").build();
- try
+ final String keyStoreName = portName + "KeyStore";
+ final String trustStoreName = portName + "TrustStore";
+ try (final BrokerManagementHelper helper = new BrokerManagementHelper(getConnectionBuilder(),
+ new AmqpManagementFacade(getProtocol())))
{
- connection.start();
- String keyStoreName = portName + "KeyStore";
- String trustStoreName = portName + "TrustStore";
- String authenticationProvider = null;
+ helper.openManagementConnection();
- Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
- try
- {
- List<Map<String, Object>> ports =
- managementFacade.managementQueryObjects(session, "org.apache.qpid.AmqpPort");
- for (Map<String, Object> port : ports)
- {
- String name = String.valueOf(port.get(Port.NAME));
-
- Session s = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
- try
- {
- Map<String, Object> attributes = managementFacade.readEntityUsingAmqpManagement(s,
- "org.apache.qpid.AmqpPort",
- name,
- false);
- if (attributes.get("boundPort").equals(brokerPort))
- {
- authenticationProvider = String.valueOf(attributes.get(Port.AUTHENTICATION_PROVIDER));
- break;
- }
- }
- finally
- {
- s.close();
- }
- }
- }
- finally
- {
- session.close();
- }
-
- session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
- try
- {
- final Map<String, Object> keyStoreAttributes = new HashMap<>();
- keyStoreAttributes.put("storeUrl", TestSSLConstants.BROKER_KEYSTORE);
- keyStoreAttributes.put("password", TestSSLConstants.PASSWORD);
- keyStoreAttributes.put("keyStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE);
- managementFacade.createEntityAndAssertResponse(keyStoreName,
- FileKeyStore.class.getName(),
- keyStoreAttributes,
- session);
- }
- finally
- {
- session.close();
- }
-
- session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
- try
- {
- final Map<String, Object> trustStoreAttributes = new HashMap<>();
- trustStoreAttributes.put("storeUrl", TestSSLConstants.BROKER_TRUSTSTORE);
- trustStoreAttributes.put("password", TestSSLConstants.PASSWORD);
- trustStoreAttributes.put("trustStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE);
- managementFacade.createEntityAndAssertResponse(trustStoreName,
- FileTrustStore.class.getName(),
- trustStoreAttributes,
- session);
- }
- finally
- {
- session.close();
- }
-
- session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
- try
- {
- Map<String, Object> sslPortAttributes = new HashMap<>();
- sslPortAttributes.put(Port.TRANSPORTS, plainAndSsl ? "[\"SSL\",\"TCP\"]" : "[\"SSL\"]");
- sslPortAttributes.put(Port.PORT, 0);
- sslPortAttributes.put(Port.AUTHENTICATION_PROVIDER, authenticationProvider);
- sslPortAttributes.put(Port.NEED_CLIENT_AUTH, needClientAuth);
- sslPortAttributes.put(Port.WANT_CLIENT_AUTH, wantClientAuth);
- sslPortAttributes.put(Port.NAME, portName);
- sslPortAttributes.put(Port.KEY_STORE, keyStoreName);
- sslPortAttributes.put(Port.TRUST_STORES, "[\"" + trustStoreName + "\"]");
-
- managementFacade.createEntityAndAssertResponse(portName,
- "org.apache.qpid.AmqpPort",
- sslPortAttributes,
- session);
- }
- finally
- {
- session.close();
- }
-
- session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
- try
- {
- Map<String, Object> portEffectiveAttributes =
- managementFacade.readEntityUsingAmqpManagement(session,
- "org.apache.qpid.AmqpPort",
- portName,
- false);
- if (portEffectiveAttributes.containsKey("boundPort"))
- {
- return (int) portEffectiveAttributes.get("boundPort");
- }
- throw new RuntimeException("Bound port is not found");
- }
- finally
- {
- session.close();
- }
- }
- finally
- {
- connection.close();
+ final String authenticationManager = helper.getAuthenticationProviderNameForAmqpPort(getBrokerAdmin().getBrokerAddress(
+ BrokerAdmin.PortType.AMQP).getPort());
+ return helper.createKeyStore(keyStoreName, _tlsHelper.getBrokerKeyStore(), TLS_RESOURCE.getSecret())
+ .createTrustStore(trustStoreName, _tlsHelper.getBrokerTrustStore(), TLS_RESOURCE.getSecret())
+ .createAmqpTlsPort(portName,
+ authenticationManager,
+ keyStoreName,
+ samePort,
+ needClientAuth,
+ wantClientAuth,
+ trustStoreName).getAmqpBoundPort(portName);
}
}
private void setSslStoreSystemProperties()
{
- System.setProperty("javax.net.ssl.keyStore", TestSSLConstants.CLIENT_KEYSTORE);
- System.setProperty("javax.net.ssl.keyStorePassword", TestSSLConstants.PASSWORD);
- System.setProperty("javax.net.ssl.trustStore", TestSSLConstants.CLIENT_TRUSTSTORE);
- System.setProperty("javax.net.ssl.trustStorePassword", TestSSLConstants.PASSWORD);
+ System.setProperty("javax.net.ssl.keyStore", _tlsHelper.getClientKeyStore());
+ System.setProperty("javax.net.ssl.keyStorePassword", TLS_RESOURCE.getSecret());
+ System.setProperty("javax.net.ssl.trustStore", _tlsHelper.getClientTrustStore());
+ System.setProperty("javax.net.ssl.trustStorePassword", TLS_RESOURCE.getSecret());
}
private void clearSslStoreSystemProperties()
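Review bot: `helper.openManagementConnection();` discards the returned helper and the chain restarts from `helper.createKeyStore(...)` two statements later, while the other rewritten call sites in this commit chain directly off `openManagementConnection()`. Chaining here too, and pulling the awkwardly wrapped port lookup into a local, reads better: `final int amqpPort = getBrokerAdmin().getBrokerAddress(BrokerAdmin.PortType.AMQP).getPort();` followed by `final String authenticationManager = helper.openManagementConnection().getAuthenticationProviderNameForAmqpPort(amqpPort);`, assuming `openManagementConnection()` returns the helper as the chained uses elsewhere suggest. The old code fell through with a null provider name when no port matched `brokerPort`; whether the helper fails loudly in that case is not visible here and is worth a glance. `setSslStoreSystemProperties` now places the generated secret in JVM-wide `javax.net.ssl.*Password` properties, so callers should keep pairing it with `clearSslStoreSystemProperties` in a finally block.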
@@ -679,69 +546,6 @@
System.clearProperty("javax.net.ssl.trustStorePassword");
}
- private File[] extractResourcesFromTestKeyStore() throws Exception
- {
- java.security.KeyStore ks = java.security.KeyStore.getInstance(TestSSLConstants.JAVA_KEYSTORE_TYPE);
- try (InputStream is = new FileInputStream(TestSSLConstants.CLIENT_KEYSTORE))
- {
- ks.load(is, TestSSLConstants.PASSWORD.toCharArray());
- }
-
- File privateKeyFile = Files.createTempFile(getTestName(), ".private-key.der").toFile();
- try (FileOutputStream kos = new FileOutputStream(privateKeyFile))
- {
- Key pvt = ks.getKey(TestSSLConstants.CERT_ALIAS_APP1, TestSSLConstants.PASSWORD.toCharArray());
- kos.write(TestSSLUtils.privateKeyToPEM(pvt).getBytes(UTF_8));
- }
-
- File certificateFile = Files.createTempFile(getTestName(), ".certificate.der").toFile();
- try (FileOutputStream cos = new FileOutputStream(certificateFile))
- {
- Certificate[] chain = ks.getCertificateChain(TestSSLConstants.CERT_ALIAS_APP1);
- for (Certificate pub : chain)
- {
- cos.write(TestSSLUtils.certificateToPEM(pub).getBytes(UTF_8));
- }
- cos.flush();
- }
-
- return new File[]{privateKeyFile, certificateFile};
- }
-
- private File extractCertFileFromTestTrustStore() throws Exception
- {
- java.security.KeyStore ks = java.security.KeyStore.getInstance(TestSSLConstants.JAVA_KEYSTORE_TYPE);
- try (InputStream is = new FileInputStream(TestSSLConstants.CLIENT_TRUSTSTORE))
- {
- ks.load(is, TestSSLConstants.PASSWORD.toCharArray());
- }
-
- File certificateFile = Files.createTempFile(getTestName(), ".crt").toFile();
-
- try (FileOutputStream cos = new FileOutputStream(certificateFile))
- {
-
- for (String alias : Collections.list(ks.aliases()))
- {
- Certificate pub = ks.getCertificate(alias);
- cos.write("-----BEGIN CERTIFICATE-----\n".getBytes());
- String base64encoded = Base64.getEncoder().encodeToString(pub.getEncoded());
- while (base64encoded.length() > 76)
- {
- cos.write(base64encoded.substring(0, 76).getBytes());
- cos.write("\n".getBytes());
- base64encoded = base64encoded.substring(76);
- }
- cos.write(base64encoded.getBytes());
-
- cos.write("\n-----END CERTIFICATE-----\n".getBytes());
- }
- cos.flush();
- }
-
- return certificateFile;
- }
-
private String getTestPortName()
{
return getTestName() + "TlsPort";