QPID-8367: Add certificate revocation
This closes #44
diff --git a/broker-core/src/main/java/org/apache/qpid/server/model/AttributeValueConverter.java b/broker-core/src/main/java/org/apache/qpid/server/model/AttributeValueConverter.java
index 43fe10e..13f951b 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/model/AttributeValueConverter.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/model/AttributeValueConverter.java
@@ -35,7 +35,6 @@
import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
-import java.security.cert.CertificateFactory;
import java.time.LocalDate;
import java.time.LocalDateTime;
import java.time.LocalTime;
@@ -64,6 +63,7 @@
import com.google.common.base.Defaults;
import org.apache.qpid.server.model.preferences.GenericPrincipal;
+import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
import org.apache.qpid.server.util.ServerScopedRuntimeException;
import org.apache.qpid.server.util.Strings;
@@ -192,19 +192,6 @@
static final AttributeValueConverter<Certificate> CERTIFICATE_CONVERTER = new AttributeValueConverter<Certificate>()
{
- private final CertificateFactory _certFactory;
-
- {
- try
- {
- _certFactory = CertificateFactory.getInstance("X.509");
- }
- catch (CertificateException e)
- {
- throw new ServerScopedRuntimeException(e);
- }
- }
-
@Override
public Certificate convert(final Object value, final ConfiguredObject object)
{
@@ -216,7 +203,7 @@
{
try(ByteArrayInputStream is = new ByteArrayInputStream((byte[])value))
{
- return _certFactory.generateCertificate(is);
+ return SSLUtil.getCertificateFactory().generateCertificate(is);
}
catch (IOException | CertificateException e)
{
diff --git a/broker-core/src/main/java/org/apache/qpid/server/model/TrustStore.java b/broker-core/src/main/java/org/apache/qpid/server/model/TrustStore.java
index 768d26a..e35d5da 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/model/TrustStore.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/model/TrustStore.java
@@ -48,23 +48,54 @@
@ManagedContextDefault(name = "qpid.truststore.trustAnchorValidityEnforced")
boolean DEFAULT_TRUST_ANCHOR_VALIDITY_ENFORCED = false;
+ String CERTIFICATE_REVOCATION_CHECK_ENABLED = "certificateRevocationCheckEnabled";
+ String CERTIFICATE_REVOCATION_CHECK_WITH_IGNORING_SOFT_FAILURES =
+ "certificateRevocationCheckWithIgnoringSoftFailures";
+ String CERTIFICATE_REVOCATION_CHECK_WITH_PREFERRING_CERTIFICATE_REVOCATION_LIST =
+ "certificateRevocationCheckWithPreferringCertificateRevocationList";
+ String CERTIFICATE_REVOCATION_CHECK_WITH_NO_FALLBACK = "certificateRevocationCheckWithNoFallback";
+ String CERTIFICATE_REVOCATION_CHECK_OF_ONLY_END_ENTITY_CERTIFICATES =
+ "certificateRevocationCheckOfOnlyEndEntityCertificates";
+ String CERTIFICATE_REVOCATION_LIST_URL = "certificateRevocationListUrl";
+
@Override
@ManagedAttribute(immutable = true)
String getName();
- @ManagedAttribute( defaultValue = "false", description = "If true the Trust Store will expose its certificates as a special artificial message source.")
+ @ManagedAttribute(defaultValue = "false", description = "If true the Trust Store will expose its certificates as a special artificial message source.")
boolean isExposedAsMessageSource();
- @ManagedAttribute( defaultValue = "[]", description = "If 'exposedAsMessageSource' is true, the trust store will expose its certificates only to VirtualHostNodes in this list or if this list is empty to all VirtualHostNodes who are not in the 'excludedVirtualHostNodeMessageSources' list." )
+ @ManagedAttribute(defaultValue = "[]", description = "If 'exposedAsMessageSource' is true, the trust store will expose its certificates only to VirtualHostNodes in this list or if this list is empty to all VirtualHostNodes who are not in the 'excludedVirtualHostNodeMessageSources' list." )
List<VirtualHostNode<?>> getIncludedVirtualHostNodeMessageSources();
- @ManagedAttribute( defaultValue = "[]", description = "If 'exposedAsMessageSource' is true and 'includedVirtualHostNodeMessageSources' is empty, the trust store will expose its certificates only to VirtualHostNodes who are not in this list." )
+ @ManagedAttribute(defaultValue = "[]", description = "If 'exposedAsMessageSource' is true and 'includedVirtualHostNodeMessageSources' is empty, the trust store will expose its certificates only to VirtualHostNodes who are not in this list." )
List<VirtualHostNode<?>> getExcludedVirtualHostNodeMessageSources();
- @ManagedAttribute( defaultValue = "${qpid.truststore.trustAnchorValidityEnforced}",
+ @ManagedAttribute(defaultValue = "${qpid.truststore.trustAnchorValidityEnforced}",
description = "If true, the trust anchor's validity dates will be enforced.")
boolean isTrustAnchorValidityEnforced();
+ @ManagedAttribute(defaultValue = "false", description = "If true, enable certificates revocation.")
+ boolean isCertificateRevocationCheckEnabled();
+
+ @ManagedAttribute(defaultValue = "false", description = "If true, check the revocation status of only end-entity certificates.")
+ boolean isCertificateRevocationCheckOfOnlyEndEntityCertificates();
+
+ @ManagedAttribute(defaultValue = "true", description = "If true, prefer CRL (specified in certificate distribution points) to OCSP, if false prefer OCSP to CRL.")
+ boolean isCertificateRevocationCheckWithPreferringCertificateRevocationList();
+
+ @ManagedAttribute(defaultValue = "true", description = "If true, disable fallback to CRL/OCSP (if 'certificateRevocationCheckWithPreferringCertificateRevocationList' set to true, disable fallback to OCSP, otherwise disable fallback to CRL in certificate distribution points).")
+ boolean isCertificateRevocationCheckWithNoFallback();
+
+ @ManagedAttribute(defaultValue = "false", description = "If true, revocation check will succeed if CRL/OCSP response cannot be obtained because of network error or OCSP responder returns internalError or tryLater.")
+ boolean isCertificateRevocationCheckWithIgnoringSoftFailures();
+
+ @ManagedAttribute(oversize = true, description = "If set, certificates will be validated only against CRL file (CRL in distribution points and OCSP will be ignored).", oversizedAltText = OVER_SIZED_ATTRIBUTE_ALTERNATIVE_TEXT)
+ String getCertificateRevocationListUrl();
+
+ @DerivedAttribute
+ String getCertificateRevocationListPath();
+
@DerivedAttribute(description = "List of details about the certificates like validity dates, SANs, issuer and subject names, etc.")
List<CertificateDetails> getCertificateDetails();
diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/AbstractTrustStore.java b/broker-core/src/main/java/org/apache/qpid/server/security/AbstractTrustStore.java
index 4d19ada..7285aa8 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/security/AbstractTrustStore.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/security/AbstractTrustStore.java
@@ -19,16 +19,35 @@
*/
package org.apache.qpid.server.security;
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.MalformedURLException;
+import java.net.URL;
import java.security.GeneralSecurityException;
+import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.SignatureException;
+import java.security.cert.CRL;
+import java.security.cert.CRLException;
+import java.security.cert.CertPathBuilder;
+import java.security.cert.CertPathParameters;
+import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
+import java.security.cert.CollectionCertStoreParameters;
+import java.security.cert.PKIXBuilderParameters;
+import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
+import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Arrays;
+import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
@@ -39,12 +58,15 @@
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
+import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import com.google.common.collect.Sets;
import com.google.common.util.concurrent.Futures;
import com.google.common.util.concurrent.ListenableFuture;
+import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -78,6 +100,19 @@
private List<VirtualHostNode<?>> _excludedVirtualHostNodeMessageSources;
@ManagedAttributeField
private boolean _trustAnchorValidityEnforced;
+ @ManagedAttributeField
+ private boolean _certificateRevocationCheckEnabled;
+ @ManagedAttributeField
+ private boolean _certificateRevocationCheckOfOnlyEndEntityCertificates;
+ @ManagedAttributeField
+ private boolean _certificateRevocationCheckWithPreferringCertificateRevocationList;
+ @ManagedAttributeField
+ private boolean _certificateRevocationCheckWithNoFallback;
+ @ManagedAttributeField
+ private boolean _certificateRevocationCheckWithIgnoringSoftFailures;
+ @ManagedAttributeField(afterSet = "postSetCertificateRevocationListUrl")
+ private volatile String _certificateRevocationListUrl;
+ private volatile String _certificateRevocationListPath;
private ScheduledFuture<?> _checkExpiryTaskFuture;
@@ -100,6 +135,34 @@
return _eventLogger;
}
+ protected abstract void initialize();
+
+ @Override
+ protected void changeAttributes(final Map<String, Object> attributes)
+ {
+ super.changeAttributes(attributes);
+ if (attributes.containsKey(CERTIFICATE_REVOCATION_LIST_URL))
+ {
+ initialize();
+ }
+ }
+
+ @Override
+ public void onValidate()
+ {
+ super.onValidate();
+ getCRLs();
+ }
+
+ protected void validateChange(final ConfiguredObject<?> proxyForValidation, final Set<String> changedAttributes)
+ {
+ super.validateChange(proxyForValidation, changedAttributes);
+ if (changedAttributes.contains(CERTIFICATE_REVOCATION_LIST_URL))
+ {
+ getCRLs((String) proxyForValidation.getAttribute(CERTIFICATE_REVOCATION_LIST_URL));
+ }
+ }
+
@Override
protected ListenableFuture<Void> onClose()
{
@@ -252,6 +315,106 @@
protected abstract TrustManager[] getTrustManagersInternal() throws GeneralSecurityException;
+ protected TrustManager[] getTrustManagers(KeyStore ts)
+ {
+ try
+ {
+ final TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+ tmf.init(new CertPathTrustManagerParameters(getParameters(ts)));
+ return tmf.getTrustManagers();
+ }
+ catch (NoSuchAlgorithmException | InvalidAlgorithmParameterException e)
+ {
+ throw new IllegalConfigurationException("Cannot create trust manager factory for truststore '" +
+ getName() + "' :" + e, e);
+ }
+ }
+
+ private CertPathParameters getParameters(KeyStore trustStore)
+ {
+ try
+ {
+ final PKIXBuilderParameters parameters = new PKIXBuilderParameters(trustStore, new X509CertSelector());
+ parameters.setRevocationEnabled(_certificateRevocationCheckEnabled);
+ if (_certificateRevocationCheckEnabled)
+ {
+ if (_certificateRevocationListUrl != null)
+ {
+ parameters.addCertStore(
+ CertStore.getInstance("Collection", new CollectionCertStoreParameters(getCRLs())));
+ }
+ final PKIXRevocationChecker revocationChecker = (PKIXRevocationChecker) CertPathBuilder
+ .getInstance(TrustManagerFactory.getDefaultAlgorithm()).getRevocationChecker();
+ final Set<PKIXRevocationChecker.Option> options = new HashSet<>();
+ if (_certificateRevocationCheckOfOnlyEndEntityCertificates)
+ {
+ options.add(PKIXRevocationChecker.Option.ONLY_END_ENTITY);
+ }
+ if (_certificateRevocationCheckWithPreferringCertificateRevocationList)
+ {
+ options.add(PKIXRevocationChecker.Option.PREFER_CRLS);
+ }
+ if (_certificateRevocationCheckWithNoFallback)
+ {
+ options.add(PKIXRevocationChecker.Option.NO_FALLBACK);
+ }
+ if (_certificateRevocationCheckWithIgnoringSoftFailures)
+ {
+ options.add(PKIXRevocationChecker.Option.SOFT_FAIL);
+ }
+ revocationChecker.setOptions(options);
+ parameters.addCertPathChecker(revocationChecker);
+ }
+ return parameters;
+ }
+ catch (NoSuchAlgorithmException | KeyStoreException | InvalidAlgorithmParameterException e)
+ {
+ throw new IllegalConfigurationException("Cannot create trust manager factory parameters for truststore '" +
+ getName() + "' :" + e, e);
+ }
+ }
+
+ private Collection<? extends CRL> getCRLs()
+ {
+ return getCRLs(_certificateRevocationListUrl);
+ }
+
+ /**
+ * Load the collection of CRLs.
+ */
+ private Collection<? extends CRL> getCRLs(String crlUrl)
+ {
+ Collection<? extends CRL> crls = Collections.emptyList();
+ if (crlUrl != null)
+ {
+ try (InputStream is = getUrlFromString(crlUrl).openStream())
+ {
+ crls = SSLUtil.getCertificateFactory().generateCRLs(is);
+ }
+ catch (IOException | CRLException e)
+ {
+ throw new IllegalConfigurationException("Unable to load certificate revocation list '" + crlUrl +
+ "' for truststore '" + getName() + "' :" + e, e);
+ }
+ }
+ return crls;
+ }
+
+ protected static URL getUrlFromString(String urlString) throws MalformedURLException
+ {
+ URL url;
+ try
+ {
+ url = new URL(urlString);
+ }
+ catch (MalformedURLException e)
+ {
+ final File file = new File(urlString);
+ url = file.toURI().toURL();
+ }
+ return url;
+ }
+
@Override
public final int getCertificateExpiryWarnPeriod()
{
@@ -289,6 +452,61 @@
}
@Override
+ public boolean isCertificateRevocationCheckEnabled()
+ {
+ return _certificateRevocationCheckEnabled;
+ }
+
+ @Override
+ public boolean isCertificateRevocationCheckOfOnlyEndEntityCertificates()
+ {
+ return _certificateRevocationCheckOfOnlyEndEntityCertificates;
+ }
+
+ @Override
+ public boolean isCertificateRevocationCheckWithPreferringCertificateRevocationList()
+ {
+ return _certificateRevocationCheckWithPreferringCertificateRevocationList;
+ }
+
+ @Override
+ public boolean isCertificateRevocationCheckWithNoFallback()
+ {
+ return _certificateRevocationCheckWithNoFallback;
+ }
+
+ @Override
+ public boolean isCertificateRevocationCheckWithIgnoringSoftFailures()
+ {
+ return _certificateRevocationCheckWithIgnoringSoftFailures;
+ }
+
+ @Override
+ public String getCertificateRevocationListUrl()
+ {
+ return _certificateRevocationListUrl;
+ }
+
+ @Override
+ public String getCertificateRevocationListPath()
+ {
+ return _certificateRevocationListPath;
+ }
+
+ @SuppressWarnings(value = "unused")
+ private void postSetCertificateRevocationListUrl()
+ {
+ if (_certificateRevocationListUrl != null && !_certificateRevocationListUrl.startsWith("data:"))
+ {
+ _certificateRevocationListPath = _certificateRevocationListUrl;
+ }
+ else
+ {
+ _certificateRevocationListPath = null;
+ }
+ }
+
+ @Override
public boolean isExposedAsMessageSource()
{
return _exposedAsMessageSource;
diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/AutoGeneratedSelfSignedKeyStoreImpl.java b/broker-core/src/main/java/org/apache/qpid/server/security/AutoGeneratedSelfSignedKeyStoreImpl.java
index f5feecf..1ff9803 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/security/AutoGeneratedSelfSignedKeyStoreImpl.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/security/AutoGeneratedSelfSignedKeyStoreImpl.java
@@ -40,7 +40,6 @@
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
-import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
@@ -184,8 +183,7 @@
try(ByteArrayInputStream input = new ByteArrayInputStream(certificateEncoded))
{
- CertificateFactory cf = CertificateFactory.getInstance("X.509");
- _certificate = (X509Certificate) cf.generateCertificate(input);
+ _certificate = (X509Certificate) SSLUtil.getCertificateFactory().generateCertificate(input);
}
catch (CertificateException | IOException e)
{
diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStore.java b/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStore.java
index 6842130..9f73700 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStore.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStore.java
@@ -22,7 +22,7 @@
import static org.apache.qpid.server.model.Initialization.materialize;
-import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.TrustManagerFactory;
import org.apache.qpid.server.model.DerivedAttribute;
import org.apache.qpid.server.model.ManagedAttribute;
@@ -42,7 +42,7 @@
String DEFAULT_TRUSTSTORE_TYPE = java.security.KeyStore.getDefaultType();
@ManagedContextDefault(name = "trustStoreFile.trustManagerFactoryAlgorithm")
- String DEFAULT_TRUST_MANAGER_FACTORY_ALGORITHM = KeyManagerFactory.getDefaultAlgorithm();
+ String DEFAULT_TRUST_MANAGER_FACTORY_ALGORITHM = TrustManagerFactory.getDefaultAlgorithm();
String PEERS_ONLY = "peersOnly";
@Override
diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStoreImpl.java b/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStoreImpl.java
index 508e464..161c8d4 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStoreImpl.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStoreImpl.java
@@ -259,22 +259,6 @@
return certificates == null ? new Certificate[0] : Arrays.copyOf(certificates, certificates.length);
}
- private static URL getUrlFromString(String urlString) throws MalformedURLException
- {
- URL url;
- try
- {
- url = new URL(urlString);
- }
- catch (MalformedURLException e)
- {
- File file = new File(urlString);
- url = file.toURI().toURL();
-
- }
- return url;
- }
-
@SuppressWarnings(value = "unused")
private void postSetStoreUrl()
{
@@ -288,7 +272,7 @@
}
}
- private void initialize()
+ protected void initialize()
{
try
{
@@ -304,12 +288,9 @@
}
}
- private TrustManager[] createTrustManagers(final KeyStore ts) throws NoSuchAlgorithmException, KeyStoreException
+ private TrustManager[] createTrustManagers(final KeyStore ts) throws KeyStoreException
{
- final TrustManagerFactory tmf = TrustManagerFactory.getInstance(_trustManagerFactoryAlgorithm);
- tmf.init(ts);
-
- TrustManager[] delegateManagers = tmf.getTrustManagers();
+ final TrustManager[] delegateManagers = getTrustManagers(ts);
if (delegateManagers.length == 0)
{
throw new IllegalStateException("Truststore " + this + " defines no trust managers");
diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/ManagedPeerCertificateTrustStoreImpl.java b/broker-core/src/main/java/org/apache/qpid/server/security/ManagedPeerCertificateTrustStoreImpl.java
index 5361ba0..616fb2d 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/security/ManagedPeerCertificateTrustStoreImpl.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/security/ManagedPeerCertificateTrustStoreImpl.java
@@ -38,7 +38,6 @@
import java.util.Set;
import javax.net.ssl.TrustManager;
-import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import com.google.common.util.concurrent.Futures;
@@ -64,7 +63,7 @@
private volatile TrustManager[] _trustManagers = new TrustManager[0];
- @ManagedAttributeField( afterSet = "updateTrustManagers")
+ @ManagedAttributeField(afterSet = "initialize")
private final List<Certificate> _storedCertificates = new ArrayList<>();
@ManagedObjectFactoryConstructor
@@ -100,7 +99,7 @@
}
@SuppressWarnings("unused")
- private void updateTrustManagers()
+ protected void initialize()
{
try
{
@@ -114,14 +113,10 @@
inMemoryKeyStore.setCertificateEntry(String.valueOf(i++), cert);
}
-
- TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
- tmf.init(inMemoryKeyStore);
-
final Collection<TrustManager> trustManagersCol = new ArrayList<>();
final QpidMultipleTrustManager mulTrustManager = new QpidMultipleTrustManager();
- TrustManager[] delegateManagers = tmf.getTrustManagers();
- for (TrustManager tm : delegateManagers)
+ final TrustManager[] delegateManagers = getTrustManagers(inMemoryKeyStore);
+ for (final TrustManager tm : delegateManagers)
{
if (tm instanceof X509TrustManager)
{
diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/NonJavaTrustStoreImpl.java b/broker-core/src/main/java/org/apache/qpid/server/security/NonJavaTrustStoreImpl.java
index be0836e..be5a1a7 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/security/NonJavaTrustStoreImpl.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/security/NonJavaTrustStoreImpl.java
@@ -28,15 +28,10 @@
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
-import java.util.Collections;
-import java.util.Date;
-import java.util.List;
import java.util.Map;
import java.util.Set;
-import java.util.stream.Collectors;
import javax.net.ssl.TrustManager;
-import javax.net.ssl.TrustManagerFactory;
import com.google.common.util.concurrent.Futures;
import com.google.common.util.concurrent.ListenableFuture;
@@ -51,7 +46,6 @@
import org.apache.qpid.server.model.ManagedObjectFactoryConstructor;
import org.apache.qpid.server.model.State;
import org.apache.qpid.server.model.StateTransition;
-import org.apache.qpid.server.model.VirtualHostNode;
import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
import org.apache.qpid.server.util.urlstreamhandler.data.Handler;
@@ -66,7 +60,7 @@
Handler.register();
}
- @ManagedAttributeField( afterSet = "updateTrustManagers" )
+ @ManagedAttributeField( afterSet = "initialize" )
private String _certificatesUrl;
private volatile TrustManager[] _trustManagers = new TrustManager[0];
@@ -139,7 +133,7 @@
}
@SuppressWarnings("unused")
- private void updateTrustManagers()
+ protected void initialize()
{
try
{
@@ -155,11 +149,7 @@
inMemoryKeyStore.setCertificateEntry(String.valueOf(i++), cert);
}
-
-
- TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
- tmf.init(inMemoryKeyStore);
- _trustManagers = tmf.getTrustManagers();
+ _trustManagers = getTrustManagers(inMemoryKeyStore);
_certificates = certs;
}
@@ -169,21 +159,4 @@
throw new IllegalConfigurationException("Cannot load certificate(s) :" + e, e);
}
}
-
- private URL getUrlFromString(String urlString) throws MalformedURLException
- {
- URL url;
-
- try
- {
- url = new URL(urlString);
- }
- catch (MalformedURLException e)
- {
- File file = new File(urlString);
- url = file.toURI().toURL();
-
- }
- return url;
- }
}
diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java b/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java
index 983a2a1..211d9e6 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java
@@ -29,7 +29,6 @@
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
-import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
@@ -42,7 +41,6 @@
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
-import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import com.google.common.util.concurrent.FutureCallback;
@@ -85,6 +83,11 @@
super(attributes, broker);
}
+ protected void initialize()
+ {
+ generateTrustManagers();
+ }
+
@Override
public String getSiteUrl()
{
@@ -287,8 +290,7 @@
try(ByteArrayInputStream input = new ByteArrayInputStream(certificateEncoded))
{
- CertificateFactory cf = CertificateFactory.getInstance("X.509");
- _x509Certificate = (X509Certificate) cf.generateCertificate(input);
+ _x509Certificate = (X509Certificate) SSLUtil.getCertificateFactory().generateCertificate(input);
}
catch (CertificateException | IOException e)
{
@@ -306,9 +308,7 @@
inMemoryKeyStore.load(null, null);
inMemoryKeyStore.setCertificateEntry("1", _x509Certificate);
- TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
- tmf.init(inMemoryKeyStore);
- _trustManagers = tmf.getTrustManagers();
+ _trustManagers = getTrustManagers(inMemoryKeyStore);;
}
catch (IOException | GeneralSecurityException e)
diff --git a/broker-core/src/main/java/org/apache/qpid/server/transport/network/security/ssl/SSLUtil.java b/broker-core/src/main/java/org/apache/qpid/server/transport/network/security/ssl/SSLUtil.java
index 01c11d3..e664c2e 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/transport/network/security/ssl/SSLUtil.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/transport/network/security/ssl/SSLUtil.java
@@ -75,6 +75,7 @@
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
+import org.apache.qpid.server.util.ServerScopedRuntimeException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -106,11 +107,10 @@
private static final Method SET_EXTENSION_METHOD;
private static final Method EXTENSION_GET_NAME_METHOD;
private static final boolean CAN_GENERATE_CERTS;
-
+ private static final CertificateFactory CERTIFICATE_FACTORY;
static
{
-
Constructor<?> constructor = null;
Method generateMethod = null;
Method getPrivateKeyMethod = null;
@@ -125,7 +125,8 @@
Constructor<?> certificateExtensionsConstructor = null;
Method setExtensionMethod = null;
Method extensionGetNameMethod = null;
- boolean canGenerateCerrts = false;
+ boolean canGenerateCerts = false;
+ CertificateFactory certificateFactory = null;
try
{
@@ -160,10 +161,10 @@
certificateExtensionsConstructor = certificateExtensionsClass.getConstructor();
setExtensionMethod = certificateExtensionsClass.getMethod("set", String.class, Object.class);
extensionGetNameMethod = extensionClass.getMethod("getName");
- canGenerateCerrts = true;
-
+ canGenerateCerts = true;
+ certificateFactory = CertificateFactory.getInstance("X.509");
}
- catch (ClassNotFoundException | LinkageError | NoSuchMethodException e)
+ catch (ClassNotFoundException | LinkageError | CertificateException | NoSuchMethodException e)
{
// ignore
}
@@ -181,14 +182,23 @@
CERTIFICATE_EXTENSIONS_CONSTRUCTOR = certificateExtensionsConstructor;
SET_EXTENSION_METHOD = setExtensionMethod;
EXTENSION_GET_NAME_METHOD = extensionGetNameMethod;
- CAN_GENERATE_CERTS = canGenerateCerrts;
+ CAN_GENERATE_CERTS = canGenerateCerts;
+ CERTIFICATE_FACTORY = certificateFactory;
}
-
private SSLUtil()
{
}
+ public static CertificateFactory getCertificateFactory()
+ {
+ if (CERTIFICATE_FACTORY == null)
+ {
+ throw new ServerScopedRuntimeException("Certificate factory is null");
+ }
+ return CERTIFICATE_FACTORY;
+ }
+
public static void verifyHostname(SSLEngine engine,String hostnameExpected)
{
try
@@ -456,8 +466,7 @@
{
do
{
- CertificateFactory cf = CertificateFactory.getInstance("X.509");
- crt.add( (X509Certificate) cf.generateCertificate(input));
+ crt.add( (X509Certificate) getCertificateFactory().generateCertificate(input));
} while(input.available() != 0);
}
catch(CertificateException e)
diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/FileKeyStoreTest.java b/broker-core/src/test/java/org/apache/qpid/server/security/FileKeyStoreTest.java
index 18b2d37..834531c 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/security/FileKeyStoreTest.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/security/FileKeyStoreTest.java
@@ -20,9 +20,7 @@
package org.apache.qpid.server.security;
-import static org.apache.qpid.server.security.FileTrustStoreTest.SYMMETRIC_KEY_KEYSTORE_RESOURCE;
import static org.apache.qpid.server.security.FileTrustStoreTest.createDataUrlForFile;
-import static org.apache.qpid.test.utils.TestSSLConstants.JAVA_KEYSTORE_TYPE;
import static org.hamcrest.CoreMatchers.equalTo;
import static org.hamcrest.CoreMatchers.is;
import static org.junit.Assert.assertEquals;
@@ -31,80 +29,47 @@
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import static org.junit.Assume.assumeThat;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
import java.io.File;
-import java.net.URL;
-import java.security.cert.Certificate;
-import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.net.ssl.KeyManager;
-import org.junit.Before;
+import org.apache.qpid.server.model.Broker;
+import org.apache.qpid.server.model.BrokerModel;
+import org.apache.qpid.server.model.BrokerTestHelper;
+import org.apache.qpid.server.model.ConfiguredObjectFactory;
+import org.apache.qpid.test.utils.UnitTestBase;
import org.junit.Test;
import org.apache.qpid.server.configuration.IllegalConfigurationException;
-import org.apache.qpid.server.configuration.updater.CurrentThreadTaskExecutor;
-import org.apache.qpid.server.configuration.updater.TaskExecutor;
-import org.apache.qpid.server.logging.EventLogger;
-import org.apache.qpid.server.model.Broker;
-import org.apache.qpid.server.model.BrokerModel;
-import org.apache.qpid.server.model.ConfiguredObjectFactory;
import org.apache.qpid.server.model.KeyStore;
-import org.apache.qpid.server.model.Model;
import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
import org.apache.qpid.server.util.DataUrlUtils;
import org.apache.qpid.test.utils.TestFileUtils;
import org.apache.qpid.test.utils.TestSSLConstants;
-import org.apache.qpid.test.utils.UnitTestBase;
public class FileKeyStoreTest extends UnitTestBase
{
- static final String EMPTY_KEYSTORE_RESOURCE = "/ssl/test_empty_keystore.jks";
- private static final String KEYSTORE_CERTIFICATE_ONLY_RESOURCE = "/ssl/test_cert_only_keystore.pkcs12";
- private static final String BROKER_KEYSTORE = "ssl/java_broker_keystore.pkcs12";
- private static final String BROKER_KEYSTORE_PATH = "classpath:" + BROKER_KEYSTORE;
- private static final String BROKER_KEYSTORE_PASSWORD = TestSSLConstants.BROKER_KEYSTORE_PASSWORD;
- private static final String CLIENT_KEYSTORE_PATH = "classpath:ssl/java_client_keystore.pkcs12";
- private static final String CLIENT_KEYSTORE_PASSWORD = TestSSLConstants.KEYSTORE_PASSWORD;
- private static final String BROKER_KEYSTORE_ALIAS = TestSSLConstants.BROKER_KEYSTORE_ALIAS;
-
- private final Broker _broker = mock(Broker.class);
- private final TaskExecutor _taskExecutor = CurrentThreadTaskExecutor.newStartedInstance();
- private final Model _model = BrokerModel.getInstance();
- private final ConfiguredObjectFactory _factory = _model.getObjectFactory();
-
-
- @Before
- public void setUp() throws Exception
- {
-
- when(_broker.getTaskExecutor()).thenReturn(_taskExecutor);
- when(_broker.getChildExecutor()).thenReturn(_taskExecutor);
- when(_broker.getModel()).thenReturn(_model);
- when(_broker.getCategoryClass()).thenReturn(Broker.class);
- when(_broker.getEventLogger()).thenReturn(new EventLogger());
- when(_broker.getTypeClass()).thenReturn(Broker.class);
- }
+ private static final Broker BROKER = BrokerTestHelper.createBrokerMock();
+ private static final ConfiguredObjectFactory FACTORY = BrokerModel.getInstance().getObjectFactory();
@Test
public void testCreateKeyStoreFromFile_Success() throws Exception
{
Map<String,Object> attributes = new HashMap<>();
attributes.put(FileKeyStore.NAME, "myFileKeyStore");
- attributes.put(FileKeyStore.STORE_URL, BROKER_KEYSTORE_PATH);
- attributes.put(FileKeyStore.PASSWORD, BROKER_KEYSTORE_PASSWORD);
- attributes.put(FileKeyStore.KEY_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+ attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.BROKER_KEYSTORE);
+ attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
+ attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
- FileKeyStoreImpl fileKeyStore = (FileKeyStoreImpl) _factory.create(KeyStore.class, attributes, _broker);
+ FileKeyStoreImpl fileKeyStore = (FileKeyStoreImpl) FACTORY.create(KeyStore.class, attributes, BROKER);
KeyManager[] keyManager = fileKeyStore.getKeyManagers();
assertNotNull(keyManager);
- assertEquals("Unexpected number of key managers", (long) 1, (long) keyManager.length);
+ assertEquals("Unexpected number of key managers", 1, keyManager.length);
assertNotNull("Key manager unexpected null", keyManager[0]);
}
@@ -113,272 +78,192 @@
{
Map<String,Object> attributes = new HashMap<>();
attributes.put(FileKeyStore.NAME, "myFileKeyStore");
- attributes.put(FileKeyStore.STORE_URL, BROKER_KEYSTORE_PATH);
- attributes.put(FileKeyStore.PASSWORD, BROKER_KEYSTORE_PASSWORD);
- attributes.put(FileKeyStore.CERTIFICATE_ALIAS, BROKER_KEYSTORE_ALIAS);
- attributes.put(FileKeyStore.KEY_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+ attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.BROKER_KEYSTORE);
+ attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
+ attributes.put(FileKeyStore.CERTIFICATE_ALIAS, TestSSLConstants.BROKER_KEYSTORE_ALIAS);
+ attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
- FileKeyStoreImpl fileKeyStore = (FileKeyStoreImpl) _factory.create(KeyStore.class, attributes, _broker);
+ FileKeyStoreImpl fileKeyStore = (FileKeyStoreImpl) FACTORY.create(KeyStore.class, attributes, BROKER);
KeyManager[] keyManager = fileKeyStore.getKeyManagers();
assertNotNull(keyManager);
- assertEquals("Unexpected number of key managers", (long) 1, (long) keyManager.length);
+ assertEquals("Unexpected number of key managers", 1, keyManager.length);
assertNotNull("Key manager unexpected null", keyManager[0]);
}
@Test
- public void testCreateKeyStoreFromFile_WrongPassword() throws Exception
+ public void testCreateKeyStoreFromFile_WrongPassword()
{
Map<String,Object> attributes = new HashMap<>();
attributes.put(FileKeyStore.NAME, "myFileKeyStore");
- attributes.put(FileKeyStore.STORE_URL, BROKER_KEYSTORE_PATH);
+ attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.BROKER_KEYSTORE);
attributes.put(FileKeyStore.PASSWORD, "wrong");
- attributes.put(FileKeyStore.KEY_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+ attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
- try
- {
- _factory.create(KeyStore.class, attributes, _broker);
- fail("Exception not thrown");
- }
- catch (IllegalConfigurationException ice)
- {
- String message = ice.getMessage();
- assertTrue("Exception text not as unexpected:" + message,
- message.contains("Check key store password"));
-
- }
+ KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
+ "Check key store password");
}
@Test
- public void testCreateKeyStoreFromFile_UnknownAlias() throws Exception
+ public void testCreateKeyStoreFromFile_UnknownAlias()
{
Map<String,Object> attributes = new HashMap<>();
attributes.put(FileKeyStore.NAME, "myFileKeyStore");
- attributes.put(FileKeyStore.STORE_URL, CLIENT_KEYSTORE_PATH);
- attributes.put(FileKeyStore.PASSWORD, CLIENT_KEYSTORE_PASSWORD);
+ attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.CLIENT_KEYSTORE);
+ attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
attributes.put(FileKeyStore.CERTIFICATE_ALIAS, "notknown");
- attributes.put(FileKeyStore.KEY_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+ attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
- try
- {
- _factory.create(KeyStore.class, attributes, _broker);
- fail("Exception not thrown");
- }
- catch (IllegalConfigurationException ice)
- {
- String message = ice.getMessage();
- assertTrue("Exception text not as unexpected:" + message,
- message.contains("Cannot find a certificate with alias 'notknown' in key store"));
- }
+ KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
+ "Cannot find a certificate with alias 'notknown' in key store");
}
@Test
- public void testCreateKeyStoreFromFile_NonKeyAlias() throws Exception
+ public void testCreateKeyStoreFromFile_NonKeyAlias()
{
Map<String,Object> attributes = new HashMap<>();
attributes.put(FileKeyStore.NAME, "myFileKeyStore");
- attributes.put(FileKeyStore.STORE_URL, CLIENT_KEYSTORE_PATH);
- attributes.put(FileKeyStore.PASSWORD, CLIENT_KEYSTORE_PASSWORD);
- attributes.put(FileKeyStore.CERTIFICATE_ALIAS, "rootca");
- attributes.put(FileKeyStore.KEY_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+ attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.CLIENT_KEYSTORE);
+ attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
+ attributes.put(FileKeyStore.CERTIFICATE_ALIAS, TestSSLConstants.CERT_ALIAS_ROOT_CA);
+ attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
- try
- {
- _factory.create(KeyStore.class, attributes, _broker);
- fail("Exception not thrown");
- }
- catch (IllegalConfigurationException ice)
- {
- String message = ice.getMessage();
- assertTrue("Exception text not as unexpected:" + message,
- message.contains("does not identify a private key"));
- }
+ KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
+ "does not identify a private key");
}
@Test
public void testCreateKeyStoreFromDataUrl_Success() throws Exception
{
- String trustStoreAsDataUrl = createDataUrlForFile(BROKER_KEYSTORE);
+ String trustStoreAsDataUrl = createDataUrlForFile(TestSSLConstants.BROKER_KEYSTORE);
Map<String,Object> attributes = new HashMap<>();
attributes.put(FileKeyStore.NAME, "myFileKeyStore");
attributes.put(FileKeyStore.STORE_URL, trustStoreAsDataUrl);
- attributes.put(FileKeyStore.PASSWORD, BROKER_KEYSTORE_PASSWORD);
- attributes.put(FileKeyStore.KEY_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+ attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
+ attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
- FileKeyStoreImpl fileKeyStore = (FileKeyStoreImpl) _factory.create(KeyStore.class, attributes, _broker);
+ FileKeyStoreImpl fileKeyStore = (FileKeyStoreImpl) FACTORY.create(KeyStore.class, attributes, BROKER);
KeyManager[] keyManagers = fileKeyStore.getKeyManagers();
assertNotNull(keyManagers);
- assertEquals("Unexpected number of key managers", (long) 1, (long) keyManagers.length);
+ assertEquals("Unexpected number of key managers", 1, keyManagers.length);
assertNotNull("Key manager unexpected null", keyManagers[0]);
}
@Test
public void testCreateKeyStoreWithAliasFromDataUrl_Success() throws Exception
{
- String trustStoreAsDataUrl = createDataUrlForFile(BROKER_KEYSTORE);
+ String trustStoreAsDataUrl = createDataUrlForFile(TestSSLConstants.BROKER_KEYSTORE);
Map<String,Object> attributes = new HashMap<>();
attributes.put(FileKeyStore.NAME, "myFileKeyStore");
attributes.put(FileKeyStore.STORE_URL, trustStoreAsDataUrl);
- attributes.put(FileKeyStore.PASSWORD, BROKER_KEYSTORE_PASSWORD);
- attributes.put(FileKeyStore.CERTIFICATE_ALIAS, BROKER_KEYSTORE_ALIAS);
- attributes.put(FileKeyStore.KEY_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+ attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
+ attributes.put(FileKeyStore.CERTIFICATE_ALIAS, TestSSLConstants.BROKER_KEYSTORE_ALIAS);
+ attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
- FileKeyStoreImpl fileKeyStore = (FileKeyStoreImpl) _factory.create(KeyStore.class, attributes, _broker);
+ FileKeyStoreImpl fileKeyStore = (FileKeyStoreImpl) FACTORY.create(KeyStore.class, attributes, BROKER);
KeyManager[] keyManagers = fileKeyStore.getKeyManagers();
assertNotNull(keyManagers);
- assertEquals("Unexpected number of key managers", (long) 1, (long) keyManagers.length);
+ assertEquals("Unexpected number of key managers", 1, keyManagers.length);
assertNotNull("Key manager unexpected null", keyManagers[0]);
}
@Test
public void testCreateKeyStoreFromDataUrl_WrongPassword() throws Exception
{
- String keyStoreAsDataUrl = createDataUrlForFile(BROKER_KEYSTORE);
+ String keyStoreAsDataUrl = createDataUrlForFile(TestSSLConstants.BROKER_KEYSTORE);
Map<String,Object> attributes = new HashMap<>();
attributes.put(FileKeyStore.NAME, "myFileKeyStore");
attributes.put(FileKeyStore.PASSWORD, "wrong");
attributes.put(FileKeyStore.STORE_URL, keyStoreAsDataUrl);
- attributes.put(FileKeyStore.KEY_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+ attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
- try
- {
- _factory.create(KeyStore.class, attributes, _broker);
- fail("Exception not thrown");
- }
- catch (IllegalConfigurationException ice)
- {
- String message = ice.getMessage();
- assertTrue("Exception text not as unexpected:" + message,
- message.contains("Check key store password"));
- }
+ KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
+ "Check key store password");
}
@Test
- public void testCreateKeyStoreFromDataUrl_BadKeystoreBytes() throws Exception
+ public void testCreateKeyStoreFromDataUrl_BadKeystoreBytes()
{
String keyStoreAsDataUrl = DataUrlUtils.getDataUrlForBytes("notatruststore".getBytes());
Map<String,Object> attributes = new HashMap<>();
attributes.put(FileKeyStore.NAME, "myFileKeyStore");
- attributes.put(FileKeyStore.PASSWORD, BROKER_KEYSTORE_PASSWORD);
+ attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
attributes.put(FileKeyStore.STORE_URL, keyStoreAsDataUrl);
- try
- {
- _factory.create(KeyStore.class, attributes, _broker);
- fail("Exception not thrown");
- }
- catch (IllegalConfigurationException ice)
- {
- String message = ice.getMessage();
- assertTrue("Exception text not as unexpected:" + message,
- message.contains("Cannot instantiate key store"));
- }
+ KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
+ "Cannot instantiate key store");
}
@Test
public void testCreateKeyStoreFromDataUrl_UnknownAlias() throws Exception
{
- String keyStoreAsDataUrl = createDataUrlForFile(BROKER_KEYSTORE);
+ String keyStoreAsDataUrl = createDataUrlForFile(TestSSLConstants.BROKER_KEYSTORE);
Map<String,Object> attributes = new HashMap<>();
attributes.put(FileKeyStore.NAME, "myFileKeyStore");
- attributes.put(FileKeyStore.PASSWORD, BROKER_KEYSTORE_PASSWORD);
+ attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
attributes.put(FileKeyStore.STORE_URL, keyStoreAsDataUrl);
attributes.put(FileKeyStore.CERTIFICATE_ALIAS, "notknown");
- attributes.put(FileKeyStore.KEY_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+ attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
- try
- {
- _factory.create(KeyStore.class, attributes, _broker);
- fail("Exception not thrown");
- }
- catch (IllegalConfigurationException ice)
- {
- String message = ice.getMessage();
- assertTrue("Exception text not as unexpected:" + message,
- message.contains("Cannot find a certificate with alias 'notknown' in key store"));
- }
+ KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
+ "Cannot find a certificate with alias 'notknown' in key store");
}
@Test
- public void testEmptyKeystoreRejected() throws Exception
+ public void testEmptyKeystoreRejected()
{
- final URL emptyKeystore = getClass().getResource(EMPTY_KEYSTORE_RESOURCE);
- assertNotNull("Empty keystore not found", emptyKeystore);
-
Map<String,Object> attributes = new HashMap<>();
attributes.put(FileKeyStore.NAME, "myFileKeyStore");
- attributes.put(FileKeyStore.PASSWORD, BROKER_KEYSTORE_PASSWORD);
- attributes.put(FileKeyStore.STORE_URL, emptyKeystore);
+ attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
+ attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.TEST_EMPTY_KEYSTORE);
- try
- {
- _factory.create(KeyStore.class, attributes, _broker);
- fail("Exception not thrown");
- }
- catch (IllegalConfigurationException ice)
- {
- // pass
- }
+ KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
+ "must contain at least one private key");
}
@Test
public void testKeystoreWithNoPrivateKeyRejected()
{
- final URL keystoreUrl = getClass().getResource(KEYSTORE_CERTIFICATE_ONLY_RESOURCE);
- assertNotNull("Keystore not found", keystoreUrl);
-
Map<String,Object> attributes = new HashMap<>();
attributes.put(FileKeyStore.NAME, getTestName());
- attributes.put(FileKeyStore.PASSWORD, BROKER_KEYSTORE_PASSWORD);
- attributes.put(FileKeyStore.STORE_URL, keystoreUrl);
- attributes.put(FileKeyStore.KEY_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+ attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
+ attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.TEST_CERT_ONLY_KEYSTORE);
+ attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
- try
- {
- _factory.create(KeyStore.class, attributes, _broker);
- fail("Exception not thrown");
- }
- catch (IllegalConfigurationException ice)
- {
- String message = ice.getMessage();
- assertTrue("Exception text not as unexpected:" + message,
- message.contains("must contain at least one private key"));
- }
+ KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
+ "must contain at least one private key");
}
@Test
public void testSymmetricKeysIgnored()
{
- final URL keystoreUrl = getClass().getResource(SYMMETRIC_KEY_KEYSTORE_RESOURCE);
- assertNotNull("Keystore not found", keystoreUrl);
-
Map<String,Object> attributes = new HashMap<>();
attributes.put(FileKeyStore.NAME, "myFileKeyStore");
- attributes.put(FileKeyStore.PASSWORD, BROKER_KEYSTORE_PASSWORD);
- attributes.put(FileKeyStore.STORE_URL, keystoreUrl);
- attributes.put(FileKeyStore.KEY_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+ attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
+ attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.TEST_SYMMETRIC_KEY_KEYSTORE);
+ attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
- KeyStore keyStore = _factory.create(KeyStore.class, attributes, _broker);
+ KeyStore keyStore = (KeyStore) FACTORY.create(KeyStore.class, attributes, BROKER);
assertNotNull(keyStore);
}
@Test
- public void testUpdateKeyStore_Success() throws Exception
+ public void testUpdateKeyStore_Success()
{
Map<String,Object> attributes = new HashMap<>();
attributes.put(FileKeyStore.NAME, "myFileKeyStore");
- attributes.put(FileKeyStore.STORE_URL, BROKER_KEYSTORE_PATH);
- attributes.put(FileKeyStore.PASSWORD, BROKER_KEYSTORE_PASSWORD);
- attributes.put(FileKeyStore.KEY_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+ attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.BROKER_KEYSTORE);
+ attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
+ attributes.put(FileKeyStore.KEY_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
- FileKeyStoreImpl fileKeyStore = (FileKeyStoreImpl) _factory.create(KeyStore.class, attributes, _broker);
+ FileKeyStoreImpl fileKeyStore = (FileKeyStoreImpl) FACTORY.create(KeyStore.class, attributes, BROKER);
assertNull("Unexpected alias value before change", fileKeyStore.getCertificateAlias());
@@ -390,9 +275,9 @@
fileKeyStore.setAttributes(unacceptableAttributes);
fail("Exception not thrown");
}
- catch (IllegalConfigurationException ice)
+ catch (IllegalConfigurationException e)
{
- String message = ice.getMessage();
+ String message = e.getMessage();
assertTrue("Exception text not as unexpected:" + message,
message.contains("Cannot find a certificate with alias 'notknown' in key store"));
}
@@ -400,13 +285,12 @@
assertNull("Unexpected alias value after failed change", fileKeyStore.getCertificateAlias());
Map<String,Object> changedAttributes = new HashMap<>();
- changedAttributes.put(FileKeyStore.CERTIFICATE_ALIAS, BROKER_KEYSTORE_ALIAS);
+ changedAttributes.put(FileKeyStore.CERTIFICATE_ALIAS, TestSSLConstants.BROKER_KEYSTORE_ALIAS);
fileKeyStore.setAttributes(changedAttributes);
assertEquals("Unexpected alias value after change that is expected to be successful",
- BROKER_KEYSTORE_ALIAS,
- fileKeyStore.getCertificateAlias());
+ TestSSLConstants.BROKER_KEYSTORE_ALIAS, fileKeyStore.getCertificateAlias());
}
@@ -415,8 +299,8 @@
{
assumeThat(SSLUtil.canGenerateCerts(), is(equalTo(true)));
- final SSLUtil.KeyCertPair selfSigned1 = KeystoreTestHelper.generateSelfSigned("CN=foo");
- final SSLUtil.KeyCertPair selfSigned2 = KeystoreTestHelper.generateSelfSigned("CN=bar");
+ final SSLUtil.KeyCertPair selfSigned1 = KeyStoreTestHelper.generateSelfSigned("CN=foo");
+ final SSLUtil.KeyCertPair selfSigned2 = KeyStoreTestHelper.generateSelfSigned("CN=bar");
final File keyStoreFile = TestFileUtils.createTempFile(this, ".ks");
final String dummy = "changit";
@@ -426,7 +310,7 @@
try
{
final java.security.KeyStore keyStore =
- KeystoreTestHelper.saveKeyStore(selfSigned1, certificateAlias, keyAlias, pass, keyStoreFile);
+ KeyStoreTestHelper.saveKeyStore(selfSigned1, certificateAlias, keyAlias, pass, keyStoreFile);
final Map<String, Object> attributes = new HashMap<>();
attributes.put(FileKeyStore.NAME, getTestName());
@@ -434,14 +318,14 @@
attributes.put(FileKeyStore.PASSWORD, dummy);
attributes.put(FileKeyStore.KEY_STORE_TYPE, keyStore.getType());
- final FileKeyStore keyStoreObject = (FileKeyStore) _factory.create(KeyStore.class, attributes, _broker);
+ final FileKeyStore keyStoreObject = (FileKeyStore) FACTORY.create(KeyStore.class, attributes, BROKER);
final CertificateDetails certificate = getCertificate(keyStoreObject);
assertEquals("CN=foo", certificate.getIssuerName());
assertTrue(keyStoreFile.delete());
assertTrue(keyStoreFile.createNewFile());keyStoreFile.deleteOnExit();
- KeystoreTestHelper.saveKeyStore(selfSigned2, certificateAlias, keyAlias, pass, keyStoreFile);
+ KeyStoreTestHelper.saveKeyStore(selfSigned2, certificateAlias, keyAlias, pass, keyStoreFile);
keyStoreObject.reload();
@@ -454,7 +338,7 @@
}
}
- public CertificateDetails getCertificate(final FileKeyStore keyStore) throws java.security.GeneralSecurityException
+ public CertificateDetails getCertificate(final FileKeyStore keyStore)
{
final List<CertificateDetails> certificates = keyStore.getCertificateDetails();
diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/FileTrustStoreTest.java b/broker-core/src/test/java/org/apache/qpid/server/security/FileTrustStoreTest.java
index 427e0b7..6ca59a8 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/security/FileTrustStoreTest.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/security/FileTrustStoreTest.java
@@ -20,10 +20,8 @@
package org.apache.qpid.server.security;
-import static org.apache.qpid.server.security.FileKeyStoreTest.EMPTY_KEYSTORE_RESOURCE;
import static org.apache.qpid.server.transport.network.security.ssl.SSLUtil.getInitializedKeyStore;
import static org.apache.qpid.test.utils.JvmVendor.IBM;
-import static org.apache.qpid.test.utils.TestSSLConstants.JAVA_KEYSTORE_TYPE;
import static org.hamcrest.CoreMatchers.equalTo;
import static org.hamcrest.CoreMatchers.is;
import static org.hamcrest.CoreMatchers.not;
@@ -32,14 +30,11 @@
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import static org.junit.Assume.assumeThat;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
-import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
@@ -53,99 +48,69 @@
import javax.net.ssl.X509TrustManager;
import com.google.common.io.ByteStreams;
-import org.junit.Before;
+import org.apache.qpid.server.model.Broker;
+import org.apache.qpid.server.model.BrokerModel;
+import org.apache.qpid.server.model.BrokerTestHelper;
+import org.apache.qpid.server.model.ConfiguredObjectFactory;
+import org.apache.qpid.test.utils.UnitTestBase;
import org.junit.Test;
import org.apache.qpid.server.configuration.IllegalConfigurationException;
-import org.apache.qpid.server.configuration.updater.CurrentThreadTaskExecutor;
-import org.apache.qpid.server.configuration.updater.TaskExecutor;
-import org.apache.qpid.server.logging.EventLogger;
-import org.apache.qpid.server.model.Broker;
-import org.apache.qpid.server.model.BrokerModel;
-import org.apache.qpid.server.model.ConfiguredObjectFactory;
-import org.apache.qpid.server.model.Model;
import org.apache.qpid.server.model.TrustStore;
import org.apache.qpid.server.transport.network.security.ssl.QpidPeersOnlyTrustManager;
import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
import org.apache.qpid.server.util.DataUrlUtils;
import org.apache.qpid.test.utils.TestFileUtils;
import org.apache.qpid.test.utils.TestSSLConstants;
-import org.apache.qpid.test.utils.UnitTestBase;
public class FileTrustStoreTest extends UnitTestBase
{
- static final String SYMMETRIC_KEY_KEYSTORE_RESOURCE = "/ssl/test_symmetric_key_keystore.pkcs12";
- private static final String KEYSTORE_PK_ONLY_RESOURCE = "/ssl/test_pk_only_keystore.pkcs12";
- private static final String TRUSTSTORE_PASSWORD = TestSSLConstants.TRUSTSTORE_PASSWORD;
- private static final String PEER_STORE_PASSWORD = TestSSLConstants.BROKER_PEERSTORE_PASSWORD;
- private static final String KEYSTORE_PASSWORD = TestSSLConstants.KEYSTORE_PASSWORD;
- private static final String KEYSTORE_RESOURCE = "/ssl/test_keystore.jks";
- private static final String TRUST_STORE_PATH = "classpath:ssl/java_client_truststore.pkcs12";
- private static final String PEER_STORE_PATH = "classpath:ssl/java_broker_peerstore.pkcs12";
- private static final String EXPIRED_TRUST_STORE_PATH = "classpath:ssl/java_broker_expired_truststore.pkcs12";
- private static final String EXPIRED_KEYSTORE_PATH = "ssl/java_client_expired_keystore.pkcs12";
- private static final String TRUST_STORE = "ssl/java_client_truststore.pkcs12";
- private static final String BROKER_TRUST_STORE_PATH = "classpath:ssl/java_broker_truststore.pkcs12";
- private static final String BROKER_TRUST_STORE_PASSWORD = TestSSLConstants.BROKER_TRUSTSTORE_PASSWORD;
- private static final String BROKER_KEYSTORE_PASSWORD = TestSSLConstants.BROKER_KEYSTORE_PASSWORD;
-
-
- private final Broker _broker = mock(Broker.class);
- private final TaskExecutor _taskExecutor = CurrentThreadTaskExecutor.newStartedInstance();
- private final Model _model = BrokerModel.getInstance();
- private final ConfiguredObjectFactory _factory = _model.getObjectFactory();
-
- @Before
- public void setUp() throws Exception
- {
-
- when(_broker.getTaskExecutor()).thenReturn(_taskExecutor);
- when(_broker.getChildExecutor()).thenReturn(_taskExecutor);
-
- when(_broker.getModel()).thenReturn(_model);
- when(_broker.getCategoryClass()).thenReturn(Broker.class);
- when(_broker.getEventLogger()).thenReturn(new EventLogger());
- when(_broker.getTypeClass()).thenReturn(Broker.class);
- }
+ private static final Broker BROKER = BrokerTestHelper.createBrokerMock();
+ private static final ConfiguredObjectFactory FACTORY = BrokerModel.getInstance().getObjectFactory();
@Test
public void testCreateTrustStoreFromFile_Success() throws Exception
{
Map<String,Object> attributes = new HashMap<>();
attributes.put(FileTrustStore.NAME, "myFileTrustStore");
- attributes.put(FileTrustStore.STORE_URL, TRUST_STORE_PATH);
- attributes.put(FileTrustStore.PASSWORD, TRUSTSTORE_PASSWORD);
- attributes.put(FileTrustStore.TRUST_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+ attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.CLIENT_TRUSTSTORE);
+ attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
+ attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+ attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL);
- TrustStore<?> fileTrustStore = _factory.create(TrustStore.class, attributes, _broker);
+ TrustStore<?> fileTrustStore = FACTORY.create(TrustStore.class, attributes, BROKER);
TrustManager[] trustManagers = fileTrustStore.getTrustManagers();
assertNotNull(trustManagers);
- assertEquals("Unexpected number of trust managers", (long) 1, (long) trustManagers.length);
+ assertEquals("Unexpected number of trust managers", 1, trustManagers.length);
assertNotNull("Trust manager unexpected null", trustManagers[0]);
}
@Test
- public void testCreateTrustStoreFromFile_WrongPassword() throws Exception
+ public void testCreateTrustStoreFromFile_WrongPassword()
{
Map<String,Object> attributes = new HashMap<>();
attributes.put(FileTrustStore.NAME, "myFileTrustStore");
- attributes.put(FileTrustStore.STORE_URL, TRUST_STORE_PATH);
+ attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.CLIENT_TRUSTSTORE);
attributes.put(FileTrustStore.PASSWORD, "wrong");
- attributes.put(FileTrustStore.TRUST_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+ attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
- try
- {
- _factory.create(TrustStore.class, attributes, _broker);
- fail("Exception not thrown");
- }
- catch (IllegalConfigurationException ice)
- {
- String message = ice.getMessage();
- assertTrue("Exception text not as unexpected:" + message,
- message.contains("Check trust store password"));
+ KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
+ "Check trust store password");
+ }
- }
+ @Test
+ public void testCreateTrustStoreFromFile_MissingCrlFile()
+ {
+ Map<String,Object> attributes = new HashMap<>();
+ attributes.put(FileTrustStore.NAME, "myFileTrustStore");
+ attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.CLIENT_TRUSTSTORE);
+ attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
+ attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+ attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, "/not/a/crl");
+
+ KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
+ "Unable to load certificate revocation list '/not/a/crl' for truststore 'myFileTrustStore'");
}
@Test
@@ -153,16 +118,18 @@
{
Map<String,Object> attributes = new HashMap<>();
attributes.put(FileTrustStore.NAME, "myFileTrustStore");
- attributes.put(FileTrustStore.STORE_URL, PEER_STORE_PATH);
- attributes.put(FileTrustStore.PASSWORD, PEER_STORE_PASSWORD);
+ attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.BROKER_PEERSTORE);
+ attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
attributes.put(FileTrustStore.PEERS_ONLY, true);
- attributes.put(FileTrustStore.TRUST_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+ attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+ attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+ attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL);
- TrustStore<?> fileTrustStore = _factory.create(TrustStore.class, attributes, _broker);
+ TrustStore<?> fileTrustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
TrustManager[] trustManagers = fileTrustStore.getTrustManagers();
assertNotNull(trustManagers);
- assertEquals("Unexpected number of trust managers", (long) 1, (long) trustManagers.length);
+ assertEquals("Unexpected number of trust managers", 1, trustManagers.length);
assertNotNull("Trust manager unexpected null", trustManagers[0]);
final boolean condition = trustManagers[0] instanceof QpidPeersOnlyTrustManager;
assertTrue("Trust manager unexpected null", condition);
@@ -178,22 +145,22 @@
Map<String,Object> attributes = new HashMap<>();
attributes.put(FileTrustStore.NAME, "myFileTrustStore");
- attributes.put(FileTrustStore.STORE_URL, EXPIRED_TRUST_STORE_PATH);
- attributes.put(FileTrustStore.PASSWORD, BROKER_TRUST_STORE_PASSWORD);
- attributes.put(FileTrustStore.TRUST_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+ attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.BROKER_EXPIRED_TRUSTSTORE);
+ attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
+ attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
- TrustStore trustStore = _factory.create(TrustStore.class, attributes, _broker);
+ TrustStore trustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
TrustManager[] trustManagers = trustStore.getTrustManagers();
assertNotNull(trustManagers);
- assertEquals("Unexpected number of trust managers", (long) 1, (long) trustManagers.length);
+ assertEquals("Unexpected number of trust managers", 1, trustManagers.length);
final boolean condition = trustManagers[0] instanceof X509TrustManager;
assertTrue("Unexpected trust manager type", condition);
X509TrustManager trustManager = (X509TrustManager) trustManagers[0];
- KeyStore clientStore = getInitializedKeyStore(EXPIRED_KEYSTORE_PATH,
- KEYSTORE_PASSWORD,
- JAVA_KEYSTORE_TYPE);
+ KeyStore clientStore = getInitializedKeyStore(TestSSLConstants.CLIENT_EXPIRED_KEYSTORE,
+ TestSSLConstants.PASSWORD,
+ TestSSLConstants.JAVA_KEYSTORE_TYPE);
String alias = clientStore.aliases().nextElement();
X509Certificate certificate = (X509Certificate) clientStore.getCertificate(alias);
@@ -205,23 +172,23 @@
{
Map<String,Object> attributes = new HashMap<>();
attributes.put(FileTrustStore.NAME, "myFileTrustStore");
- attributes.put(FileTrustStore.STORE_URL, EXPIRED_TRUST_STORE_PATH);
- attributes.put(FileTrustStore.PASSWORD, BROKER_TRUST_STORE_PASSWORD);
+ attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.BROKER_EXPIRED_TRUSTSTORE);
+ attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
attributes.put(FileTrustStore.TRUST_ANCHOR_VALIDITY_ENFORCED, true);
- attributes.put(FileTrustStore.TRUST_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+ attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
- TrustStore trustStore = _factory.create(TrustStore.class, attributes, _broker);
+ TrustStore trustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
TrustManager[] trustManagers = trustStore.getTrustManagers();
assertNotNull(trustManagers);
- assertEquals("Unexpected number of trust managers", (long) 1, (long) trustManagers.length);
+ assertEquals("Unexpected number of trust managers", 1, trustManagers.length);
final boolean condition = trustManagers[0] instanceof X509TrustManager;
assertTrue("Unexpected trust manager type", condition);
X509TrustManager trustManager = (X509TrustManager) trustManagers[0];
- KeyStore clientStore = getInitializedKeyStore(EXPIRED_KEYSTORE_PATH,
- KEYSTORE_PASSWORD,
- JAVA_KEYSTORE_TYPE);
+ KeyStore clientStore = getInitializedKeyStore(TestSSLConstants.CLIENT_EXPIRED_KEYSTORE,
+ TestSSLConstants.PASSWORD,
+ TestSSLConstants.JAVA_KEYSTORE_TYPE);
String alias = clientStore.aliases().nextElement();
X509Certificate certificate = (X509Certificate) clientStore.getCertificate(alias);
@@ -248,83 +215,70 @@
@Test
public void testCreateTrustStoreFromDataUrl_Success() throws Exception
{
- String trustStoreAsDataUrl = createDataUrlForFile(TRUST_STORE);
+ String trustStoreAsDataUrl = createDataUrlForFile(TestSSLConstants.CLIENT_TRUSTSTORE);
+ String crlAsDataUrl = createDataUrlForFile(TestSSLConstants.CA_CRL);
Map<String,Object> attributes = new HashMap<>();
attributes.put(FileTrustStore.NAME, "myFileTrustStore");
attributes.put(FileTrustStore.STORE_URL, trustStoreAsDataUrl);
- attributes.put(FileTrustStore.PASSWORD, TRUSTSTORE_PASSWORD);
- attributes.put(FileTrustStore.TRUST_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+ attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
+ attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+ attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+ attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, crlAsDataUrl);
- TrustStore<?> fileTrustStore = _factory.create(TrustStore.class, attributes, _broker);
+ TrustStore<?> fileTrustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
TrustManager[] trustManagers = fileTrustStore.getTrustManagers();
assertNotNull(trustManagers);
- assertEquals("Unexpected number of trust managers", (long) 1, (long) trustManagers.length);
+ assertEquals("Unexpected number of trust managers", 1, trustManagers.length);
assertNotNull("Trust manager unexpected null", trustManagers[0]);
}
@Test
public void testCreateTrustStoreFromDataUrl_WrongPassword() throws Exception
{
- String trustStoreAsDataUrl = createDataUrlForFile(TRUST_STORE);
+ String trustStoreAsDataUrl = createDataUrlForFile(TestSSLConstants.CLIENT_TRUSTSTORE);
Map<String,Object> attributes = new HashMap<>();
attributes.put(FileTrustStore.NAME, "myFileTrustStore");
attributes.put(FileTrustStore.PASSWORD, "wrong");
attributes.put(FileTrustStore.STORE_URL, trustStoreAsDataUrl);
- attributes.put(FileTrustStore.TRUST_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+ attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
- try
- {
- _factory.create(TrustStore.class, attributes, _broker);
- fail("Exception not thrown");
- }
- catch (IllegalConfigurationException ice)
- {
- String message = ice.getMessage();
- assertTrue("Exception text not as unexpected:" + message,
- message.contains("Check trust store password"));
- }
+ KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
+ "Check trust store password");
}
@Test
- public void testCreateTrustStoreFromDataUrl_BadTruststoreBytes() throws Exception
+ public void testCreateTrustStoreFromDataUrl_BadTruststoreBytes()
{
String trustStoreAsDataUrl = DataUrlUtils.getDataUrlForBytes("notatruststore".getBytes());
Map<String,Object> attributes = new HashMap<>();
attributes.put(FileTrustStore.NAME, "myFileTrustStore");
- attributes.put(FileTrustStore.PASSWORD, TRUSTSTORE_PASSWORD);
+ attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
attributes.put(FileTrustStore.STORE_URL, trustStoreAsDataUrl);
- attributes.put(FileTrustStore.TRUST_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+ attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
- try
- {
- _factory.create(TrustStore.class, attributes, _broker);
- fail("Exception not thrown");
- }
- catch (IllegalConfigurationException ice)
- {
- String message = ice.getMessage();
- assertTrue("Exception text not as unexpected:" + message,
- message.contains("Cannot instantiate trust store"));
- }
+ KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
+ "Cannot instantiate trust store");
}
@Test
- public void testUpdateTrustStore_Success() throws Exception
+ public void testUpdateTrustStore_Success()
{
Map<String,Object> attributes = new HashMap<>();
attributes.put(FileTrustStore.NAME, "myFileTrustStore");
- attributes.put(FileTrustStore.STORE_URL, TRUST_STORE_PATH);
- attributes.put(FileTrustStore.PASSWORD, TRUSTSTORE_PASSWORD);
- attributes.put(FileTrustStore.TRUST_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+ attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.CLIENT_TRUSTSTORE);
+ attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
+ attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
+ attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+ attributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL);
- FileTrustStore<?> fileTrustStore = (FileTrustStore<?>) _factory.create(TrustStore.class, attributes, _broker);
+ FileTrustStore<?> fileTrustStore = (FileTrustStore<?>) FACTORY.create(TrustStore.class, attributes, BROKER);
assertEquals("Unexpected path value before change",
- TRUST_STORE_PATH,
+ TestSSLConstants.CLIENT_TRUSTSTORE,
fileTrustStore.getStoreUrl());
@@ -336,114 +290,112 @@
fileTrustStore.setAttributes(unacceptableAttributes);
fail("Exception not thrown");
}
- catch (IllegalConfigurationException ice)
+ catch (IllegalConfigurationException e)
{
- String message = ice.getMessage();
+ String message = e.getMessage();
assertTrue("Exception text not as unexpected:" + message,
message.contains("Cannot instantiate trust store"));
}
- assertEquals("Unexpected path value after failed change",
- TRUST_STORE_PATH,
- fileTrustStore.getStoreUrl());
+ assertEquals("Unexpected keystore path value after failed change",
+ TestSSLConstants.CLIENT_TRUSTSTORE,
+ fileTrustStore.getStoreUrl());
+
+ try
+ {
+ Map<String,Object> unacceptableAttributes = new HashMap<>();
+ unacceptableAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, "/not/a/crl");
+
+ fileTrustStore.setAttributes(unacceptableAttributes);
+ fail("Exception not thrown");
+ }
+ catch (IllegalConfigurationException e)
+ {
+ String message = e.getMessage();
+ assertTrue("Exception text not as unexpected:" + message,
+ message.contains("Unable to load certificate revocation list '/not/a/crl' for truststore " +
+ "'myFileTrustStore'"));
+ }
+
+ assertEquals("Unexpected CRL path value after failed change",
+ TestSSLConstants.CA_CRL,
+ fileTrustStore.getCertificateRevocationListUrl());
Map<String,Object> changedAttributes = new HashMap<>();
- changedAttributes.put(FileTrustStore.STORE_URL, BROKER_TRUST_STORE_PATH);
- changedAttributes.put(FileTrustStore.PASSWORD, BROKER_TRUST_STORE_PASSWORD);
+ changedAttributes.put(FileTrustStore.STORE_URL, TestSSLConstants.BROKER_TRUSTSTORE);
+ changedAttributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
+ changedAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL_EMPTY);
fileTrustStore.setAttributes(changedAttributes);
- assertEquals("Unexpected path value after change that is expected to be successful",
- BROKER_TRUST_STORE_PATH,
+ assertEquals("Unexpected keystore path value after change that is expected to be successful",
+ TestSSLConstants.BROKER_TRUSTSTORE,
fileTrustStore.getStoreUrl());
+ assertEquals("Unexpected CRL path value after change that is expected to be successful",
+ TestSSLConstants.CA_CRL_EMPTY,
+ fileTrustStore.getCertificateRevocationListUrl());
}
@Test
public void testEmptyTrustStoreRejected()
{
- final URL emptyKeystore = getClass().getResource(EMPTY_KEYSTORE_RESOURCE);
- assertNotNull("Empty keystore not found", emptyKeystore);
-
Map<String,Object> attributes = new HashMap<>();
attributes.put(FileKeyStore.NAME, "myFileTrustStore");
- attributes.put(FileKeyStore.PASSWORD, KEYSTORE_PASSWORD);
- attributes.put(FileKeyStore.STORE_URL, emptyKeystore);
+ attributes.put(FileKeyStore.PASSWORD, TestSSLConstants.PASSWORD);
+ attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.TEST_EMPTY_KEYSTORE);
attributes.put(FileTrustStore.TRUST_STORE_TYPE, "jks");
- try
- {
- _factory.create(TrustStore.class, attributes, _broker);
- fail("Exception not thrown");
- }
- catch (IllegalConfigurationException ice)
- {
- // pass
- }
+ KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
+ "must contain at least one certificate");
}
@Test
public void testTrustStoreWithNoCertificateRejected()
{
- final URL keystoreUrl = getClass().getResource(KEYSTORE_PK_ONLY_RESOURCE);
- assertNotNull("Keystore not found", keystoreUrl);
-
Map<String,Object> attributes = new HashMap<>();
attributes.put(FileTrustStore.NAME, getTestName());
- attributes.put(FileTrustStore.PASSWORD, TRUSTSTORE_PASSWORD);
- attributes.put(FileTrustStore.STORE_URL, keystoreUrl);
- attributes.put(FileTrustStore.TRUST_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+ attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
+ attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.TEST_PK_ONLY_KEYSTORE);
+ attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
- try
- {
- _factory.create(TrustStore.class, attributes, _broker);
- fail("Exception not thrown");
- }
- catch (IllegalConfigurationException ice)
- {
- String message = ice.getMessage();
- assertTrue("Exception text not as unexpected:" + message,
- message.contains("must contain at least one certificate"));
- }
+ KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
+ "must contain at least one certificate");
}
@Test
public void testSymmetricKeyEntryIgnored() throws Exception
{
- final URL keystoreUrl = getClass().getResource(SYMMETRIC_KEY_KEYSTORE_RESOURCE);
- assertNotNull("Symmetric key keystore not found", keystoreUrl);
-
Map<String, Object> attributes = new HashMap<>();
attributes.put(FileTrustStore.NAME, getTestName());
- attributes.put(FileTrustStore.PASSWORD, TRUSTSTORE_PASSWORD);
- attributes.put(FileTrustStore.STORE_URL, keystoreUrl);
- attributes.put(FileTrustStore.TRUST_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+ attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
+ attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.TEST_SYMMETRIC_KEY_KEYSTORE);
+ attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
- TrustStore trustStore = _factory.create(TrustStore.class, attributes, _broker);
+ TrustStore trustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
Certificate[] certificates = trustStore.getCertificates();
assertEquals("Unexpected number of certificates",
- (long) getNumberOfCertificates(keystoreUrl, JAVA_KEYSTORE_TYPE),
- (long) certificates.length);
+ getNumberOfCertificates(TestSSLConstants.TEST_SYMMETRIC_KEY_KEYSTORE,
+ TestSSLConstants.JAVA_KEYSTORE_TYPE),
+ certificates.length);
}
@Test
public void testPrivateKeyEntryIgnored() throws Exception
{
- final URL keystoreUrl = getClass().getResource(KEYSTORE_RESOURCE);
- assertNotNull("Keystore not found", keystoreUrl);
-
Map<String, Object> attributes = new HashMap<>();
attributes.put(FileTrustStore.NAME, getTestName());
- attributes.put(FileTrustStore.PASSWORD, BROKER_KEYSTORE_PASSWORD);
- attributes.put(FileTrustStore.STORE_URL, keystoreUrl);
- attributes.put(FileTrustStore.TRUST_STORE_TYPE, JAVA_KEYSTORE_TYPE);
+ attributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
+ attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.TEST_KEYSTORE);
+ attributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
- TrustStore trustStore = _factory.create(TrustStore.class, attributes, _broker);
+ TrustStore trustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
Certificate[] certificates = trustStore.getCertificates();
assertEquals("Unexpected number of certificates",
- (long) getNumberOfCertificates(keystoreUrl, JAVA_KEYSTORE_TYPE),
- (long) certificates.length);
+ getNumberOfCertificates(TestSSLConstants.TEST_KEYSTORE,
+ TestSSLConstants.JAVA_KEYSTORE_TYPE),
+ certificates.length);
}
@Test
@@ -451,8 +403,8 @@
{
assumeThat(SSLUtil.canGenerateCerts(), is(equalTo(true)));
- final SSLUtil.KeyCertPair selfSigned1 = KeystoreTestHelper.generateSelfSigned("CN=foo");
- final SSLUtil.KeyCertPair selfSigned2 = KeystoreTestHelper.generateSelfSigned("CN=bar");
+ final SSLUtil.KeyCertPair selfSigned1 = KeyStoreTestHelper.generateSelfSigned("CN=foo");
+ final SSLUtil.KeyCertPair selfSigned2 = KeyStoreTestHelper.generateSelfSigned("CN=bar");
final File keyStoreFile = TestFileUtils.createTempFile(this, ".ks");
final String dummy = "changit";
@@ -461,7 +413,7 @@
try
{
final java.security.KeyStore keyStore =
- KeystoreTestHelper.saveKeyStore(alias, selfSigned1.getCertificate(), pass, keyStoreFile);
+ KeyStoreTestHelper.saveKeyStore(alias, selfSigned1.getCertificate(), pass, keyStoreFile);
final Map<String, Object> attributes = new HashMap<>();
attributes.put(FileTrustStore.NAME, getTestName());
@@ -469,12 +421,12 @@
attributes.put(FileTrustStore.STORE_URL, keyStoreFile.getAbsolutePath());
attributes.put(FileTrustStore.TRUST_STORE_TYPE, keyStore.getType());
- final FileTrustStore trustStore = (FileTrustStore) _factory.create(TrustStore.class, attributes, _broker);
+ final FileTrustStore trustStore = (FileTrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
final X509Certificate certificate = getCertificate(trustStore);
assertEquals("CN=foo", certificate.getIssuerX500Principal().getName());
- KeystoreTestHelper.saveKeyStore(alias, selfSigned2.getCertificate(), pass, keyStoreFile);
+ KeyStoreTestHelper.saveKeyStore(alias, selfSigned2.getCertificate(), pass, keyStoreFile);
trustStore.reload();
@@ -499,12 +451,12 @@
return (X509Certificate)certificate;
}
- private int getNumberOfCertificates(URL url, String type) throws Exception
+ private int getNumberOfCertificates(String keystore, String type) throws Exception
{
KeyStore ks = KeyStore.getInstance(type);
- try(InputStream is = url.openStream())
+ try(InputStream is = new FileInputStream(keystore))
{
- ks.load(is, BROKER_KEYSTORE_PASSWORD.toCharArray());
+ ks.load(is, TestSSLConstants.PASSWORD.toCharArray());
}
int result = 0;
diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/KeystoreTestHelper.java b/broker-core/src/test/java/org/apache/qpid/server/security/KeyStoreTestHelper.java
similarity index 82%
rename from broker-core/src/test/java/org/apache/qpid/server/security/KeystoreTestHelper.java
rename to broker-core/src/test/java/org/apache/qpid/server/security/KeyStoreTestHelper.java
index 6278f33..d2324dd 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/security/KeystoreTestHelper.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/security/KeyStoreTestHelper.java
@@ -32,10 +32,17 @@
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Collections;
+import java.util.Map;
+import org.apache.qpid.server.configuration.IllegalConfigurationException;
+import org.apache.qpid.server.model.Broker;
+import org.apache.qpid.server.model.ConfiguredObjectFactory;
import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
-public class KeystoreTestHelper
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+public class KeyStoreTestHelper
{
public static KeyStore saveKeyStore(final String alias,
final X509Certificate certificate,
@@ -78,6 +85,24 @@
Collections.emptySet());
}
+ public static void checkExceptionThrownDuringKeyStoreCreation(ConfiguredObjectFactory factory, Broker broker,
+ Class keystoreClass, Map<String, Object> attributes,
+ String expectedExceptionMessage)
+ {
+ try
+ {
+ factory.create(keystoreClass, attributes, broker);
+ fail("Exception not thrown");
+ }
+ catch (IllegalConfigurationException e)
+ {
+ final String message = e.getMessage();
+ assertTrue("Exception text not as expected:" + message,
+ message.contains(expectedExceptionMessage));
+
+ }
+ }
+
private static File saveKeyStore(final KeyStore ks, final char[] pass, final File storeFile)
throws IOException, KeyStoreException, NoSuchAlgorithmException, CertificateException
diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaKeyStoreTest.java b/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaKeyStoreTest.java
index d4d6390..6df02d7 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaKeyStoreTest.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaKeyStoreTest.java
@@ -21,8 +21,6 @@
import static java.nio.charset.StandardCharsets.UTF_8;
-import static org.apache.qpid.test.utils.TestSSLConstants.JAVA_KEYSTORE_TYPE;
-import static org.apache.qpid.test.utils.TestSSLConstants.KEYSTORE_PASSWORD;
import static org.hamcrest.CoreMatchers.is;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
@@ -38,6 +36,7 @@
import static org.mockito.internal.verification.VerificationModeFactory.times;
import java.io.File;
+import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.security.Key;
@@ -57,6 +56,12 @@
import javax.net.ssl.KeyManager;
+import org.apache.qpid.server.model.Broker;
+import org.apache.qpid.server.model.BrokerModel;
+import org.apache.qpid.server.model.BrokerTestHelper;
+import org.apache.qpid.server.model.ConfiguredObjectFactory;
+import org.apache.qpid.test.utils.TestSSLConstants;
+import org.apache.qpid.test.utils.UnitTestBase;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
@@ -67,21 +72,16 @@
import org.apache.qpid.server.logging.LogMessage;
import org.apache.qpid.server.logging.MessageLogger;
import org.apache.qpid.server.logging.messages.KeyStoreMessages;
-import org.apache.qpid.server.model.Broker;
-import org.apache.qpid.server.model.BrokerTestHelper;
-import org.apache.qpid.server.model.ConfiguredObjectFactory;
import org.apache.qpid.server.model.KeyStore;
import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
import org.apache.qpid.server.util.DataUrlUtils;
import org.apache.qpid.test.utils.TestFileUtils;
import org.apache.qpid.test.utils.TestSSLUtils;
-import org.apache.qpid.test.utils.UnitTestBase;
public class NonJavaKeyStoreTest extends UnitTestBase
{
- private static final String KEYSTORE = "/ssl/java_broker_keystore.pkcs12";
- private Broker<?> _broker;
- private ConfiguredObjectFactory _factory;
+ private static final Broker BROKER = BrokerTestHelper.createBrokerMock();
+ private static final ConfiguredObjectFactory FACTORY = BrokerModel.getInstance().getObjectFactory();
private List<File> _testResources;
private MessageLogger _messageLogger;
@@ -89,9 +89,7 @@
public void setUp() throws Exception
{
_messageLogger = mock(MessageLogger.class);
- _broker = BrokerTestHelper.createBrokerMock();
- when(_broker.getEventLogger()).thenReturn(new EventLogger(_messageLogger));
- _factory = _broker.getObjectFactory();
+ when(BROKER.getEventLogger()).thenReturn(new EventLogger(_messageLogger));
_testResources = new ArrayList<>();
}
@@ -113,17 +111,17 @@
private File[] extractResourcesFromTestKeyStore(boolean pem, final String storeResource) throws Exception
{
- java.security.KeyStore ks = java.security.KeyStore.getInstance(JAVA_KEYSTORE_TYPE);
- try(InputStream is = getClass().getResourceAsStream(storeResource))
+ java.security.KeyStore ks = java.security.KeyStore.getInstance(TestSSLConstants.JAVA_KEYSTORE_TYPE);
+ try(InputStream is = new FileInputStream(storeResource))
{
- ks.load(is, KEYSTORE_PASSWORD.toCharArray() );
+ ks.load(is, TestSSLConstants.PASSWORD.toCharArray());
}
File privateKeyFile = TestFileUtils.createTempFile(this, ".private-key.der");
try(FileOutputStream kos = new FileOutputStream(privateKeyFile))
{
- Key pvt = ks.getKey("java-broker", KEYSTORE_PASSWORD.toCharArray());
+ Key pvt = ks.getKey(TestSSLConstants.BROKER_KEYSTORE_ALIAS, TestSSLConstants.PASSWORD.toCharArray());
if (pem)
{
kos.write(TestSSLUtils.privateKeyToPEM(pvt).getBytes(UTF_8));
@@ -139,7 +137,7 @@
try(FileOutputStream cos = new FileOutputStream(certificateFile))
{
- Certificate pub = ks.getCertificate("java-broker");
+ Certificate pub = ks.getCertificate(TestSSLConstants.BROKER_KEYSTORE_ALIAS);
if (pem)
{
cos.write(TestSSLUtils.certificateToPEM(pub).getBytes(UTF_8));
@@ -168,7 +166,7 @@
private void runTestCreationOfTrustStoreFromValidPrivateKeyAndCertificateInDerFormat(boolean isPEM)throws Exception
{
- File[] resources = extractResourcesFromTestKeyStore(isPEM, KEYSTORE);
+ File[] resources = extractResourcesFromTestKeyStore(isPEM, TestSSLConstants.BROKER_KEYSTORE);
_testResources.addAll(Arrays.asList(resources));
Map<String,Object> attributes = new HashMap<>();
@@ -178,18 +176,18 @@
attributes.put(NonJavaKeyStore.TYPE, "NonJavaKeyStore");
NonJavaKeyStoreImpl fileTrustStore =
- (NonJavaKeyStoreImpl) _factory.create(KeyStore.class, attributes, _broker);
+ (NonJavaKeyStoreImpl) FACTORY.create(KeyStore.class, attributes, BROKER);
KeyManager[] keyManagers = fileTrustStore.getKeyManagers();
assertNotNull(keyManagers);
- assertEquals("Unexpected number of key managers", (long) 1, (long) keyManagers.length);
+ assertEquals("Unexpected number of key managers", 1, keyManagers.length);
assertNotNull("Key manager is null", keyManagers[0]);
}
@Test
public void testCreationOfTrustStoreFromValidPrivateKeyAndInvalidCertificate()throws Exception
{
- File[] resources = extractResourcesFromTestKeyStore(true, KEYSTORE);
+ File[] resources = extractResourcesFromTestKeyStore(true, TestSSLConstants.BROKER_KEYSTORE);
_testResources.addAll(Arrays.asList(resources));
File invalidCertificate = TestFileUtils.createTempFile(this, ".invalid.cert", "content");
@@ -201,21 +199,15 @@
attributes.put("certificateUrl", invalidCertificate.toURI().toURL().toExternalForm());
attributes.put(NonJavaKeyStore.TYPE, "NonJavaKeyStore");
- try
- {
- _factory.create(KeyStore.class, attributes, _broker);
- fail("Created key store from invalid certificate");
- }
- catch(IllegalConfigurationException e)
- {
- // pass
- }
+ KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
+ "Cannot load private key or certificate(s): java.security.cert.CertificateException: " +
+ "Could not parse certificate: java.io.IOException: Empty input");
}
@Test
public void testCreationOfTrustStoreFromInvalidPrivateKeyAndValidCertificate()throws Exception
{
- File[] resources = extractResourcesFromTestKeyStore(true, KEYSTORE);
+ File[] resources = extractResourcesFromTestKeyStore(true, TestSSLConstants.BROKER_KEYSTORE);
_testResources.addAll(Arrays.asList(resources));
File invalidPrivateKey = TestFileUtils.createTempFile(this, ".invalid.pk", "content");
@@ -227,15 +219,9 @@
attributes.put("certificateUrl", resources[1].toURI().toURL().toExternalForm());
attributes.put(NonJavaKeyStore.TYPE, "NonJavaKeyStore");
- try
- {
- _factory.create(KeyStore.class, attributes, _broker);
- fail("Created key store from invalid certificate");
- }
- catch(IllegalConfigurationException e)
- {
- // pass
- }
+ KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
+ "Cannot load private key or certificate(s): java.security.spec.InvalidKeySpecException: " +
+ "Unable to parse key as PKCS#1 format");
}
@Test
@@ -258,15 +244,15 @@
private void doCertExpiryChecking(final int expiryOffset) throws Exception
{
- when(_broker.scheduleHouseKeepingTask(anyLong(), any(TimeUnit.class), any(Runnable.class))).thenReturn(mock(ScheduledFuture.class));
+ when(BROKER.scheduleHouseKeepingTask(anyLong(), any(TimeUnit.class), any(Runnable.class))).thenReturn(mock(ScheduledFuture.class));
- java.security.KeyStore ks = java.security.KeyStore.getInstance(JAVA_KEYSTORE_TYPE);
- final String storeLocation = KEYSTORE;
- try(InputStream is = getClass().getResourceAsStream(storeLocation))
+ java.security.KeyStore ks = java.security.KeyStore.getInstance(TestSSLConstants.JAVA_KEYSTORE_TYPE);
+ final String storeLocation = TestSSLConstants.BROKER_KEYSTORE;
+ try(InputStream is = new FileInputStream(storeLocation))
{
- ks.load(is, KEYSTORE_PASSWORD.toCharArray() );
+ ks.load(is, TestSSLConstants.PASSWORD.toCharArray());
}
- X509Certificate cert = (X509Certificate) ks.getCertificate("rootca");
+ X509Certificate cert = (X509Certificate) ks.getCertificate(TestSSLConstants.CERT_ALIAS_ROOT_CA);
int expiryDays = (int)((cert.getNotAfter().getTime() - System.currentTimeMillis()) / (24l * 60l * 60l * 1000l));
File[] resources = extractResourcesFromTestKeyStore(false, storeLocation);
@@ -278,7 +264,7 @@
attributes.put("certificateUrl", resources[1].toURI().toURL().toExternalForm());
attributes.put("context", Collections.singletonMap(KeyStore.CERTIFICATE_EXPIRY_WARN_PERIOD, expiryDays + expiryOffset));
attributes.put(NonJavaKeyStore.TYPE, "NonJavaKeyStore");
- _factory.create(KeyStore.class, attributes, _broker);
+ FACTORY.create(KeyStore.class, attributes, BROKER);
}
@Test
@@ -297,15 +283,8 @@
DataUrlUtils.getDataUrlForBytes(TestSSLUtils.certificateToPEM(keyCertPair2.getCertificate()).getBytes(UTF_8)));
attributes.put(NonJavaKeyStore.TYPE, "NonJavaKeyStore");
- try
- {
- _factory.create(KeyStore.class, attributes, _broker);
- fail("Created key store from invalid certificate");
- }
- catch(IllegalConfigurationException e)
- {
- // pass
- }
+ KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
+ "Private key does not match certificate");
}
@Test
@@ -324,7 +303,7 @@
DataUrlUtils.getDataUrlForBytes(TestSSLUtils.certificateToPEM(keyCertPair.getCertificate()).getBytes(UTF_8)));
attributes.put(NonJavaKeyStore.TYPE, "NonJavaKeyStore");
- final KeyStore trustStore = _factory.create(KeyStore.class, attributes, _broker);
+ final KeyStore trustStore = (KeyStore) FACTORY.create(KeyStore.class, attributes, BROKER);
try
{
final String certUrl = DataUrlUtils.getDataUrlForBytes(TestSSLUtils.certificateToPEM(keyCertPair2.getCertificate()).getBytes(UTF_8));
diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaTrustStoreTest.java b/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaTrustStoreTest.java
index 69262dc..6ac9699 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaTrustStoreTest.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/security/NonJavaTrustStoreTest.java
@@ -19,13 +19,10 @@
package org.apache.qpid.server.security;
-import static org.apache.qpid.test.utils.TestSSLConstants.JAVA_KEYSTORE_TYPE;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
import java.security.KeyStore;
import java.security.cert.CertificateException;
@@ -37,79 +34,101 @@
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
-import org.junit.Before;
-import org.junit.Test;
-
import org.apache.qpid.server.configuration.IllegalConfigurationException;
-import org.apache.qpid.server.configuration.updater.CurrentThreadTaskExecutor;
-import org.apache.qpid.server.configuration.updater.TaskExecutor;
-import org.apache.qpid.server.logging.EventLogger;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.BrokerModel;
+import org.apache.qpid.server.model.BrokerTestHelper;
import org.apache.qpid.server.model.ConfiguredObjectFactory;
-import org.apache.qpid.server.model.Model;
+import org.apache.qpid.test.utils.UnitTestBase;
+import org.junit.Test;
+
import org.apache.qpid.server.model.TrustStore;
import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
import org.apache.qpid.test.utils.TestSSLConstants;
-import org.apache.qpid.test.utils.UnitTestBase;
public class NonJavaTrustStoreTest extends UnitTestBase
{
- private static final String EXPIRED_KEYSTORE = "ssl/java_client_expired_keystore.pkcs12";
- private static final String KEYSTORE_PASSWORD = TestSSLConstants.KEYSTORE_PASSWORD;
- private final Broker<?> _broker = mock(Broker.class);
- private final TaskExecutor _taskExecutor = CurrentThreadTaskExecutor.newStartedInstance();
- private final Model _model = BrokerModel.getInstance();
- private final ConfiguredObjectFactory _factory = _model.getObjectFactory();
-
- @Before
- public void setUp() throws Exception
- {
-
- when(_broker.getTaskExecutor()).thenReturn(_taskExecutor);
- when(_broker.getChildExecutor()).thenReturn(_taskExecutor);
- when(_broker.getModel()).thenReturn(_model);
- when(_broker.getEventLogger()).thenReturn(new EventLogger());
- when(((Broker) _broker).getCategoryClass()).thenReturn(Broker.class);
- }
+ private static final Broker BROKER = BrokerTestHelper.createBrokerMock();
+ private static final ConfiguredObjectFactory FACTORY = BrokerModel.getInstance().getObjectFactory();
@Test
public void testCreationOfTrustStoreFromValidCertificate() throws Exception
{
Map<String,Object> attributes = new HashMap<>();
attributes.put(NonJavaTrustStore.NAME, "myTestTrustStore");
- attributes.put(NonJavaTrustStore.CERTIFICATES_URL, getClass().getResource("/ssl/java_broker.crt").toExternalForm());
+ attributes.put(NonJavaTrustStore.CERTIFICATES_URL, TestSSLConstants.BROKER_CRT);
attributes.put(NonJavaTrustStore.TYPE, "NonJavaTrustStore");
+ attributes.put(NonJavaTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+ attributes.put(NonJavaTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL);
- TrustStore trustStore = _factory.create(TrustStore.class, attributes, _broker);
+ TrustStore trustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
TrustManager[] trustManagers = trustStore.getTrustManagers();
assertNotNull(trustManagers);
- assertEquals("Unexpected number of trust managers", (long) 1, (long) trustManagers.length);
+ assertEquals("Unexpected number of trust managers", 1, trustManagers.length);
assertNotNull("Trust manager unexpected null", trustManagers[0]);
}
@Test
+ public void testChangeOfCrlInTrustStoreFromValidCertificate()
+ {
+ Map<String,Object> attributes = new HashMap<>();
+ attributes.put(NonJavaTrustStore.NAME, "myTestTrustStore");
+ attributes.put(NonJavaTrustStore.CERTIFICATES_URL, TestSSLConstants.BROKER_CRT);
+ attributes.put(NonJavaTrustStore.TYPE, "NonJavaTrustStore");
+ attributes.put(NonJavaTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+ attributes.put(NonJavaTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL);
+
+ TrustStore trustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
+
+ try
+ {
+ Map<String,Object> unacceptableAttributes = new HashMap<>();
+ unacceptableAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, "/not/a/crl");
+
+ trustStore.setAttributes(unacceptableAttributes);
+ fail("Exception not thrown");
+ }
+ catch (IllegalConfigurationException e)
+ {
+ String message = e.getMessage();
+ assertTrue("Exception text not as unexpected:" + message,
+ message.contains("Unable to load certificate revocation list '/not/a/crl' for truststore 'myTestTrustStore'"));
+ }
+
+ assertEquals("Unexpected CRL path value after failed change",
+ TestSSLConstants.CA_CRL, trustStore.getCertificateRevocationListUrl());
+
+ Map<String,Object> changedAttributes = new HashMap<>();
+ changedAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL_EMPTY);
+
+ trustStore.setAttributes(changedAttributes);
+
+ assertEquals("Unexpected CRL path value after change that is expected to be successful",
+ TestSSLConstants.CA_CRL_EMPTY, trustStore.getCertificateRevocationListUrl());
+ }
+
+ @Test
public void testUseOfExpiredTrustAnchorDenied() throws Exception
{
Map<String,Object> attributes = new HashMap<>();
attributes.put(NonJavaTrustStore.NAME, "myTestTrustStore");
attributes.put(NonJavaTrustStore.TRUST_ANCHOR_VALIDITY_ENFORCED, true);
- attributes.put(NonJavaTrustStore.CERTIFICATES_URL, getClass().getResource("/ssl/expired.crt").toExternalForm());
+ attributes.put(NonJavaTrustStore.CERTIFICATES_URL, TestSSLConstants.CLIENT_EXPIRED_CRT);
attributes.put(NonJavaTrustStore.TYPE, "NonJavaTrustStore");
- TrustStore trustStore = _factory.create(TrustStore.class, attributes, _broker);
+ TrustStore trustStore = (TrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
TrustManager[] trustManagers = trustStore.getTrustManagers();
assertNotNull(trustManagers);
- assertEquals("Unexpected number of trust managers", (long) 1, (long) trustManagers.length);
+ assertEquals("Unexpected number of trust managers", 1, trustManagers.length);
final boolean condition = trustManagers[0] instanceof X509TrustManager;
assertTrue("Unexpected trust manager type", condition);
X509TrustManager trustManager = (X509TrustManager) trustManagers[0];
- KeyStore clientStore = SSLUtil.getInitializedKeyStore(EXPIRED_KEYSTORE,
- KEYSTORE_PASSWORD,
- JAVA_KEYSTORE_TYPE);
+ KeyStore clientStore = SSLUtil.getInitializedKeyStore(TestSSLConstants.CLIENT_EXPIRED_KEYSTORE,
+ TestSSLConstants.PASSWORD,
+ TestSSLConstants.JAVA_KEYSTORE_TYPE);
String alias = clientStore.aliases().nextElement();
X509Certificate certificate = (X509Certificate) clientStore.getCertificate(alias);
@@ -134,22 +153,28 @@
}
@Test
- public void testCreationOfTrustStoreFromNonCertificate() throws Exception
+ public void testCreationOfTrustStoreFromNonCertificate()
{
Map<String,Object> attributes = new HashMap<>();
attributes.put(NonJavaTrustStore.NAME, "myTestTrustStore");
- attributes.put(NonJavaTrustStore.CERTIFICATES_URL, getClass().getResource("/ssl/java_broker.req").toExternalForm());
+ attributes.put(NonJavaTrustStore.CERTIFICATES_URL, TestSSLConstants.BROKER_CSR);
attributes.put(NonJavaTrustStore.TYPE, "NonJavaTrustStore");
- try
- {
- _factory.create(TrustStore.class, attributes, _broker);
- fail("Trust store is created from certificate request file");
- }
- catch (IllegalConfigurationException e)
- {
- // pass
- }
+ KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
+ "Cannot load certificate(s)");
}
+ @Test
+ public void testCreationOfTrustStoreFromValidCertificate_MissingCrlFile()
+ {
+ Map<String,Object> attributes = new HashMap<>();
+ attributes.put(NonJavaTrustStore.NAME, "myTestTrustStore");
+ attributes.put(NonJavaTrustStore.CERTIFICATES_URL, TestSSLConstants.BROKER_CRT);
+ attributes.put(NonJavaTrustStore.TYPE, "NonJavaTrustStore");
+ attributes.put(NonJavaTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+ attributes.put(NonJavaTrustStore.CERTIFICATE_REVOCATION_LIST_URL, "/not/a/crl");
+
+ KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
+ "Unable to load certificate revocation list '/not/a/crl' for truststore 'myTestTrustStore'");
+ }
}
diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/SiteSpecificTrustStoreTest.java b/broker-core/src/test/java/org/apache/qpid/server/security/SiteSpecificTrustStoreTest.java
index bca9b79..d7a0454 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/security/SiteSpecificTrustStoreTest.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/security/SiteSpecificTrustStoreTest.java
@@ -21,13 +21,12 @@
package org.apache.qpid.server.security;
-import static org.apache.qpid.test.utils.TestSSLConstants.JAVA_KEYSTORE_TYPE;
import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
import java.io.Closeable;
+import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.ServerSocket;
@@ -46,47 +45,34 @@
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocketFactory;
+import org.apache.qpid.server.configuration.IllegalConfigurationException;
+import org.apache.qpid.server.model.Broker;
+import org.apache.qpid.server.model.BrokerModel;
+import org.apache.qpid.server.model.BrokerTestHelper;
+import org.apache.qpid.server.model.ConfiguredObjectFactory;
+import org.apache.qpid.server.model.TrustStore;
+import org.apache.qpid.test.utils.UnitTestBase;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
-import org.apache.qpid.server.configuration.IllegalConfigurationException;
-import org.apache.qpid.server.configuration.updater.CurrentThreadTaskExecutor;
-import org.apache.qpid.server.configuration.updater.TaskExecutor;
-import org.apache.qpid.server.logging.EventLogger;
-import org.apache.qpid.server.model.Broker;
-import org.apache.qpid.server.model.BrokerModel;
-import org.apache.qpid.server.model.ConfiguredObjectFactory;
-import org.apache.qpid.server.model.Model;
-import org.apache.qpid.server.model.TrustStore;
import org.apache.qpid.test.utils.TestSSLConstants;
-import org.apache.qpid.test.utils.UnitTestBase;
public class SiteSpecificTrustStoreTest extends UnitTestBase
{
- private static final String EXPECTED_SUBJECT = "CN=localhost,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown";
+ private static final Broker BROKER = BrokerTestHelper.createBrokerMock();
+ private static final ConfiguredObjectFactory FACTORY = BrokerModel.getInstance().getObjectFactory();
+ private static final String EXPECTED_SUBJECT = "CN=localhost,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=CA";
private static final String EXPECTED_ISSUER = "CN=MyRootCA,O=ACME,ST=Ontario,C=CA";
- private static final String KEYSTORE = "/ssl/java_broker_keystore.pkcs12";
- private static final String KEYSTORE_PASSWORD = TestSSLConstants.KEYSTORE_PASSWORD;
- private final Broker<?> _broker = mock(Broker.class);
- private final TaskExecutor _taskExecutor = CurrentThreadTaskExecutor.newStartedInstance();
- private final Model _model = BrokerModel.getInstance();
- private final ConfiguredObjectFactory _factory = _model.getObjectFactory();
private TestPeer _testPeer;
@Before
- public void setUp() throws Exception
+ public void setUpSiteSpecificTrustStore()
{
int connectTimeout = Integer.getInteger("SiteSpecificTrustStoreTest.connectTimeout", 1000);
int readTimeout = Integer.getInteger("SiteSpecificTrustStoreTest.readTimeout", 1000);
setTestSystemProperty(SiteSpecificTrustStore.TRUST_STORE_SITE_SPECIFIC_CONNECT_TIMEOUT, String.valueOf(connectTimeout));
setTestSystemProperty(SiteSpecificTrustStore.TRUST_STORE_SITE_SPECIFIC_READ_TIMEOUT, String.valueOf(readTimeout));
-
- when(_broker.getTaskExecutor()).thenReturn(_taskExecutor);
- when(_broker.getChildExecutor()).thenReturn(_taskExecutor);
- when(_broker.getModel()).thenReturn(_model);
- when(_broker.getEventLogger()).thenReturn(new EventLogger());
- when(((Broker) _broker).getCategoryClass()).thenReturn(Broker.class);
}
@After
@@ -105,41 +91,27 @@
}
@Test
- public void testMalformedSiteUrl() throws Exception
+ public void testMalformedSiteUrl()
{
Map<String,Object> attributes = new HashMap<>();
attributes.put(SiteSpecificTrustStore.NAME, "mySiteSpecificTrustStore");
attributes.put(SiteSpecificTrustStore.TYPE, "SiteSpecificTrustStore");
attributes.put("siteUrl", "notaurl:541");
- try
- {
- _factory.create(TrustStore.class, attributes, _broker);
- fail("Exception not thrown");
- }
- catch (IllegalConfigurationException e)
- {
- // PASS
- }
+ KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
+ "'notaurl:541' is not a valid URL");
}
@Test
- public void testSiteUrlDoesNotSupplyHostPort() throws Exception
+ public void testSiteUrlDoesNotSupplyHostPort()
{
Map<String,Object> attributes = new HashMap<>();
attributes.put(SiteSpecificTrustStore.NAME, "mySiteSpecificTrustStore");
attributes.put(SiteSpecificTrustStore.TYPE, "SiteSpecificTrustStore");
attributes.put("siteUrl", "file:/not/a/host");
- try
- {
- _factory.create(TrustStore.class, attributes, _broker);
- fail("Exception not thrown");
- }
- catch (IllegalConfigurationException e)
- {
- // PASS
- }
+ KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
+ "URL 'file:/not/a/host' does not provide a hostname and port number");
}
@Test
@@ -148,18 +120,10 @@
_testPeer = new TestPeer();
_testPeer.setAccept(false);
int listeningPort = _testPeer.start();
-
Map<String, Object> attributes = getTrustStoreAttributes(listeningPort);
- try
- {
- _factory.create(TrustStore.class, attributes, _broker);
- fail("Exception not thrown");
- }
- catch (IllegalConfigurationException e)
- {
- // PASS
- }
+ KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
+ "Unable to get certificate for 'mySiteSpecificTrustStore' from");
}
@Test
@@ -169,12 +133,14 @@
int listeningPort = _testPeer.start();
Map<String, Object> attributes = getTrustStoreAttributes(listeningPort);
+ attributes.put(SiteSpecificTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+ attributes.put(SiteSpecificTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL);
final SiteSpecificTrustStore trustStore =
- (SiteSpecificTrustStore) _factory.create(TrustStore.class, attributes, _broker);
+ (SiteSpecificTrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
List<CertificateDetails> certDetails = trustStore.getCertificateDetails();
- assertEquals("Unexpected number of certificates", (long) 1, (long) certDetails.size());
+ assertEquals("Unexpected number of certificates", 1, certDetails.size());
CertificateDetails certificateDetails = certDetails.get(0);
assertEquals("Unexpected certificate subject", EXPECTED_SUBJECT, certificateDetails.getSubjectName());
@@ -182,6 +148,59 @@
}
@Test
+ public void testChangeOfCrlInValidSiteUrl() throws Exception
+ {
+ _testPeer = new TestPeer();
+ int listeningPort = _testPeer.start();
+
+ Map<String, Object> attributes = getTrustStoreAttributes(listeningPort);
+ attributes.put(SiteSpecificTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+ attributes.put(SiteSpecificTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL);
+
+ final SiteSpecificTrustStore trustStore =
+ (SiteSpecificTrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
+
+ try
+ {
+ Map<String,Object> unacceptableAttributes = new HashMap<>();
+ unacceptableAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, "/not/a/crl");
+
+ trustStore.setAttributes(unacceptableAttributes);
+ fail("Exception not thrown");
+ }
+ catch (IllegalConfigurationException e)
+ {
+ String message = e.getMessage();
+ assertTrue("Exception text not as unexpected:" + message,
+ message.contains("Unable to load certificate revocation list '/not/a/crl' for truststore 'mySiteSpecificTrustStore'"));
+ }
+
+ assertEquals("Unexpected CRL path value after failed change",
+ TestSSLConstants.CA_CRL, trustStore.getCertificateRevocationListUrl());
+
+ Map<String,Object> changedAttributes = new HashMap<>();
+ changedAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL_EMPTY);
+
+ trustStore.setAttributes(changedAttributes);
+
+ assertEquals("Unexpected CRL path value after change that is expected to be successful",
+ TestSSLConstants.CA_CRL_EMPTY, trustStore.getCertificateRevocationListUrl());
+ }
+
+ @Test
+ public void testValidSiteUrl_MissingCrlFile() throws Exception
+ {
+ _testPeer = new TestPeer();
+ int listeningPort = _testPeer.start();
+ Map<String, Object> attributes = getTrustStoreAttributes(listeningPort);
+ attributes.put(SiteSpecificTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+ attributes.put(SiteSpecificTrustStore.CERTIFICATE_REVOCATION_LIST_URL, "/not/a/crl");
+
+ KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, attributes,
+ "Unable to load certificate revocation list '/not/a/crl' for truststore 'mySiteSpecificTrustStore'");
+ }
+
+ @Test
public void testRefreshCertificate() throws Exception
{
_testPeer = new TestPeer();
@@ -190,10 +209,10 @@
Map<String, Object> attributes = getTrustStoreAttributes(listeningPort);
final SiteSpecificTrustStore trustStore =
- (SiteSpecificTrustStore) _factory.create(TrustStore.class, attributes, _broker);
+ (SiteSpecificTrustStore) FACTORY.create(TrustStore.class, attributes, BROKER);
List<CertificateDetails> certDetails = trustStore.getCertificateDetails();
- assertEquals("Unexpected number of certificates", (long) 1, (long) certDetails.size());
+ assertEquals("Unexpected number of certificates", 1, certDetails.size());
CertificateDetails certificateDetails = certDetails.get(0);
@@ -260,10 +279,10 @@
private ServerSocket createTestSSLServerSocket() throws Exception
{
- char[] keyPassword = KEYSTORE_PASSWORD.toCharArray();
- try(InputStream inputStream = getClass().getResourceAsStream(KEYSTORE))
+ char[] keyPassword = TestSSLConstants.PASSWORD.toCharArray();
+ try(InputStream inputStream = new FileInputStream(TestSSLConstants.BROKER_KEYSTORE))
{
- KeyStore keyStore = KeyStore.getInstance(JAVA_KEYSTORE_TYPE);
+ KeyStore keyStore = KeyStore.getInstance(TestSSLConstants.JAVA_KEYSTORE_TYPE);
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyStore.load(inputStream, keyPassword);
keyManagerFactory.init(keyStore, keyPassword);
diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2MockEndpointHolder.java b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2MockEndpointHolder.java
index afd4c4d..0dc987a 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2MockEndpointHolder.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2MockEndpointHolder.java
@@ -21,7 +21,6 @@
package org.apache.qpid.server.security.auth.manager.oauth2;
import static java.nio.charset.StandardCharsets.UTF_8;
-import static org.apache.qpid.test.utils.TestSSLConstants.JAVA_KEYSTORE_TYPE;
import java.io.IOException;
import java.util.Arrays;
@@ -37,6 +36,7 @@
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import junit.framework.TestCase;
+import org.apache.qpid.test.utils.TestSSLConstants;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
@@ -49,18 +49,16 @@
class OAuth2MockEndpointHolder
{
- private static final String KEYSTORE_PASSWORD = "password";
- private static final String KEYSTORE_RESOURCE = "ssl/test_keystore.jks";
private final Server _server;
private final ServerConnector _connector;
private volatile Map<String, OAuth2MockEndpoint> _endpoints;
- OAuth2MockEndpointHolder()
+ OAuth2MockEndpointHolder() throws IOException
{
this(Collections.<String, OAuth2MockEndpoint>emptyMap());
}
- OAuth2MockEndpointHolder(final Map<String, OAuth2MockEndpoint> endpoints)
+ OAuth2MockEndpointHolder(final Map<String, OAuth2MockEndpoint> endpoints) throws IOException
{
_endpoints = endpoints;
final List<String> protocolWhiteList =
@@ -87,9 +85,9 @@
SSLUtil.updateEnabledTlsProtocols(sslEngine, protocolWhiteList, protocolBlackList);
}
};
- sslContextFactory.setKeyStorePassword(KEYSTORE_PASSWORD);
- sslContextFactory.setKeyStoreResource(Resource.newClassPathResource(KEYSTORE_RESOURCE));
- sslContextFactory.setKeyStoreType(JAVA_KEYSTORE_TYPE);
+ sslContextFactory.setKeyStorePassword(TestSSLConstants.PASSWORD);
+ sslContextFactory.setKeyStoreResource(Resource.newResource(TestSSLConstants.TEST_KEYSTORE));
+ sslContextFactory.setKeyStoreType(TestSSLConstants.JAVA_KEYSTORE_TYPE);
// override default jetty excludes as valid IBM JDK are excluded
// causing SSL handshake failure (due to default exclude '^SSL_.*$')
diff --git a/broker-core/src/test/java/org/apache/qpid/server/ssl/TrustManagerTest.java b/broker-core/src/test/java/org/apache/qpid/server/ssl/TrustManagerTest.java
index df2611d..191d7cf 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/ssl/TrustManagerTest.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/ssl/TrustManagerTest.java
@@ -43,27 +43,16 @@
public class TrustManagerTest extends UnitTestBase
{
- private static final String STORE_TYPE = TestSSLConstants.JAVA_KEYSTORE_TYPE;
private static final String DEFAULT_TRUST_MANAGER_ALGORITHM = TrustManagerFactory.getDefaultAlgorithm();
- private static final String KEYSTORE_PASSWORD = TestSSLConstants.KEYSTORE_PASSWORD;
- private static final String PEER_STORE = "ssl/java_broker_peerstore.pkcs12";
- private static final String PEER_STORE_PASSWORD = TestSSLConstants.BROKER_PEERSTORE_PASSWORD;
- private static final String KEYSTORE = "ssl/java_client_keystore.pkcs12";
- private static final String CERT_ALIAS_APP_1 = TestSSLConstants.CERT_ALIAS_APP1;
- private static final String CERT_ALIAS_APP_2 = TestSSLConstants.CERT_ALIAS_APP2;
- private static final String TRUST_STORE = "ssl/java_broker_truststore.pkcs12";
- private static final String TRUST_STORE_PASSWORD = TestSSLConstants.BROKER_TRUSTSTORE_PASSWORD;
- private static final String CERT_ALIAS_UNTRUSTED_CLIENT = TestSSLConstants.CERT_ALIAS_UNTRUSTED_CLIENT;
- private static final String UNTRUSTED_KEYSTORE = "ssl/java_client_untrusted_keystore.pkcs12";
// retrieves the client certificate's chain from store and returns it as an array
private X509Certificate[] getClientChain(final String storePath, final String alias) throws Exception
{
- final KeyStore ks = SSLUtil.getInitializedKeyStore(storePath, KEYSTORE_PASSWORD, STORE_TYPE);
+ final KeyStore ks = SSLUtil.getInitializedKeyStore(storePath, TestSSLConstants.PASSWORD, TestSSLConstants.JAVA_KEYSTORE_TYPE);
final Certificate[] chain = ks.getCertificateChain(alias);
return Arrays.copyOf(chain, chain.length, X509Certificate[].class);
}
-
+
// verifies that peer store is loaded only with client's (peer's) app1 certificate (no CA)
private void noCAinPeerStore(final KeyStore ps) throws KeyStoreException
{
@@ -71,7 +60,7 @@
while (aliases.hasMoreElements())
{
final String alias = aliases.nextElement();
- if (!alias.equalsIgnoreCase(CERT_ALIAS_APP_1))
+ if (!alias.equalsIgnoreCase(TestSSLConstants.CERT_ALIAS_APP1))
{
fail("Broker's peer store contains other certificate than client's app1 public key");
}
@@ -86,7 +75,7 @@
public void testQpidPeersOnlyTrustManager() throws Exception
{
// first let's check that peer manager loaded with the PEERstore succeeds
- final KeyStore ps = SSLUtil.getInitializedKeyStore(PEER_STORE, PEER_STORE_PASSWORD, STORE_TYPE);
+ final KeyStore ps = SSLUtil.getInitializedKeyStore(TestSSLConstants.BROKER_PEERSTORE, TestSSLConstants.PASSWORD, TestSSLConstants.JAVA_KEYSTORE_TYPE);
this.noCAinPeerStore(ps);
final TrustManagerFactory pmf = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM);
pmf.init(ps);
@@ -106,7 +95,7 @@
try
{
// since broker's peerstore contains the client's app1 certificate, the check should succeed
- peerManager.checkClientTrusted(this.getClientChain(KEYSTORE, CERT_ALIAS_APP_1), "RSA");
+ peerManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE, TestSSLConstants.CERT_ALIAS_APP1), "RSA");
}
catch (CertificateException e)
{
@@ -116,7 +105,7 @@
try
{
// since broker's peerstore does not contain the client's app2 certificate, the check should fail
- peerManager.checkClientTrusted(this.getClientChain(KEYSTORE, CERT_ALIAS_APP_2), "RSA");
+ peerManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE, TestSSLConstants.CERT_ALIAS_APP2), "RSA");
fail("Untrusted client's validation against the broker's peer store manager succeeded.");
}
catch (CertificateException e)
@@ -127,7 +116,7 @@
// now let's check that peer manager loaded with the brokers TRUSTstore fails because
// it does not have the clients certificate in it (though it does have a CA-cert that
// would otherwise trust the client cert when using the regular trust manager).
- final KeyStore ts = SSLUtil.getInitializedKeyStore(TRUST_STORE, TRUST_STORE_PASSWORD, STORE_TYPE);
+ final KeyStore ts = SSLUtil.getInitializedKeyStore(TestSSLConstants.BROKER_TRUSTSTORE, TestSSLConstants.PASSWORD, TestSSLConstants.JAVA_KEYSTORE_TYPE);
final TrustManagerFactory tmf = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM);
tmf.init(ts);
final TrustManager[] delegateTrustManagers = tmf.getTrustManagers();
@@ -147,7 +136,7 @@
{
// since broker's truststore doesn't contain the client's app1 certificate, the check should fail
// despite the fact that the truststore does have a CA that would otherwise trust the cert
- peerManager.checkClientTrusted(this.getClientChain(KEYSTORE, CERT_ALIAS_APP_1), "RSA");
+ peerManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE, TestSSLConstants.CERT_ALIAS_APP1), "RSA");
fail("Client's validation against the broker's peer store manager didn't fail.");
}
catch (CertificateException e)
@@ -159,7 +148,7 @@
{
// since broker's truststore doesn't contain the client's app2 certificate, the check should fail
// despite the fact that the truststore does have a CA that would otherwise trust the cert
- peerManager.checkClientTrusted(this.getClientChain(KEYSTORE, CERT_ALIAS_APP_2), "RSA");
+ peerManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE, TestSSLConstants.CERT_ALIAS_APP2), "RSA");
fail("Client's validation against the broker's peer store manager didn't fail.");
}
catch (CertificateException e)
@@ -176,7 +165,7 @@
public void testQpidMultipleTrustManagerWithRegularTrustStore() throws Exception
{
final QpidMultipleTrustManager mulTrustManager = new QpidMultipleTrustManager();
- final KeyStore ts = SSLUtil.getInitializedKeyStore(TRUST_STORE, TRUST_STORE_PASSWORD, STORE_TYPE);
+ final KeyStore ts = SSLUtil.getInitializedKeyStore(TestSSLConstants.BROKER_TRUSTSTORE, TestSSLConstants.PASSWORD, TestSSLConstants.JAVA_KEYSTORE_TYPE);
final TrustManagerFactory tmf = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM);
tmf.init(ts);
final TrustManager[] delegateTrustManagers = tmf.getTrustManagers();
@@ -195,7 +184,7 @@
try
{
// verify the CA-trusted app1 cert (should succeed)
- mulTrustManager.checkClientTrusted(this.getClientChain(KEYSTORE, CERT_ALIAS_APP_1), "RSA");
+ mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE, TestSSLConstants.CERT_ALIAS_APP1), "RSA");
}
catch (CertificateException ex)
{
@@ -205,7 +194,7 @@
try
{
// verify the CA-trusted app2 cert (should succeed)
- mulTrustManager.checkClientTrusted(this.getClientChain(KEYSTORE, CERT_ALIAS_APP_2), "RSA");
+ mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE, TestSSLConstants.CERT_ALIAS_APP2), "RSA");
}
catch (CertificateException ex)
{
@@ -215,8 +204,8 @@
try
{
// verify the untrusted cert (should fail)
- mulTrustManager.checkClientTrusted(this.getClientChain(UNTRUSTED_KEYSTORE,
- CERT_ALIAS_UNTRUSTED_CLIENT), "RSA");
+ mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_UNTRUSTED_KEYSTORE,
+ TestSSLConstants.CERT_ALIAS_UNTRUSTED_CLIENT), "RSA");
fail("Untrusted client's validation against the broker's multi store manager unexpectedly passed.");
}
catch (CertificateException ex)
@@ -233,7 +222,7 @@
public void testQpidMultipleTrustManagerWithPeerStore() throws Exception
{
final QpidMultipleTrustManager mulTrustManager = new QpidMultipleTrustManager();
- final KeyStore ps = SSLUtil.getInitializedKeyStore(PEER_STORE, PEER_STORE_PASSWORD, STORE_TYPE);
+ final KeyStore ps = SSLUtil.getInitializedKeyStore(TestSSLConstants.BROKER_PEERSTORE, TestSSLConstants.PASSWORD, TestSSLConstants.JAVA_KEYSTORE_TYPE);
final TrustManagerFactory pmf = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM);
pmf.init(ps);
final TrustManager[] delegatePeerManagers = pmf.getTrustManagers();
@@ -252,8 +241,8 @@
try
{
// verify the trusted app1 cert (should succeed as the key is in the peerstore)
- mulTrustManager.checkClientTrusted(this.getClientChain(KEYSTORE,
- CERT_ALIAS_APP_1), "RSA");
+ mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE,
+ TestSSLConstants.CERT_ALIAS_APP1), "RSA");
}
catch (CertificateException ex)
{
@@ -263,8 +252,8 @@
try
{
// verify the untrusted app2 cert (should fail as the key is not in the peerstore)
- mulTrustManager.checkClientTrusted(this.getClientChain(KEYSTORE,
- CERT_ALIAS_APP_2), "RSA");
+ mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE,
+ TestSSLConstants.CERT_ALIAS_APP2), "RSA");
fail("Untrusted client's validation against the broker's multi store manager unexpectedly passed.");
}
catch (CertificateException ex)
@@ -275,8 +264,8 @@
try
{
// verify the untrusted cert (should fail as the key is not in the peerstore)
- mulTrustManager.checkClientTrusted(this.getClientChain(UNTRUSTED_KEYSTORE,
- CERT_ALIAS_UNTRUSTED_CLIENT), "RSA");
+ mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_UNTRUSTED_KEYSTORE,
+ TestSSLConstants.CERT_ALIAS_UNTRUSTED_CLIENT), "RSA");
fail("Untrusted client's validation against the broker's multi store manager unexpectedly passed.");
}
catch (CertificateException ex)
@@ -294,7 +283,7 @@
public void testQpidMultipleTrustManagerWithTrustAndPeerStores() throws Exception
{
final QpidMultipleTrustManager mulTrustManager = new QpidMultipleTrustManager();
- final KeyStore ts = SSLUtil.getInitializedKeyStore(TRUST_STORE, TRUST_STORE_PASSWORD, STORE_TYPE);
+ final KeyStore ts = SSLUtil.getInitializedKeyStore(TestSSLConstants.BROKER_TRUSTSTORE, TestSSLConstants.PASSWORD, TestSSLConstants.JAVA_KEYSTORE_TYPE);
final TrustManagerFactory tmf = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM);
tmf.init(ts);
final TrustManager[] delegateTrustManagers = tmf.getTrustManagers();
@@ -310,7 +299,7 @@
}
assertTrue("The regular trust manager for the trust store was not added", trustManagerAdded);
- final KeyStore ps = SSLUtil.getInitializedKeyStore(PEER_STORE, PEER_STORE_PASSWORD, STORE_TYPE);
+ final KeyStore ps = SSLUtil.getInitializedKeyStore(TestSSLConstants.BROKER_PEERSTORE, TestSSLConstants.PASSWORD, TestSSLConstants.JAVA_KEYSTORE_TYPE);
final TrustManagerFactory pmf = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM);
pmf.init(ps);
final TrustManager[] delegatePeerManagers = pmf.getTrustManagers();
@@ -329,8 +318,8 @@
try
{
// verify the CA-trusted app1 cert (should succeed)
- mulTrustManager.checkClientTrusted(this.getClientChain(KEYSTORE,
- CERT_ALIAS_APP_1), "RSA");
+ mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE,
+ TestSSLConstants.CERT_ALIAS_APP1), "RSA");
}
catch (CertificateException ex)
{
@@ -340,8 +329,8 @@
try
{
// verify the CA-trusted app2 cert (should succeed)
- mulTrustManager.checkClientTrusted(this.getClientChain(KEYSTORE,
- CERT_ALIAS_APP_2), "RSA");
+ mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_KEYSTORE,
+ TestSSLConstants.CERT_ALIAS_APP2), "RSA");
}
catch (CertificateException ex)
{
@@ -351,8 +340,8 @@
try
{
// verify the untrusted cert (should fail)
- mulTrustManager.checkClientTrusted(this.getClientChain(UNTRUSTED_KEYSTORE,
- CERT_ALIAS_UNTRUSTED_CLIENT), "RSA");
+ mulTrustManager.checkClientTrusted(this.getClientChain(TestSSLConstants.CLIENT_UNTRUSTED_KEYSTORE,
+ TestSSLConstants.CERT_ALIAS_UNTRUSTED_CLIENT), "RSA");
fail("Untrusted client's validation against the broker's multi store manager unexpectedly passed.");
}
catch (CertificateException ex)
diff --git a/broker-core/src/test/resources/ssl/expired.crt b/broker-core/src/test/resources/ssl/expired.crt
deleted file mode 100644
index 933330a..0000000
--- a/broker-core/src/test/resources/ssl/expired.crt
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICvzCCAaegAwIBAgIEAjtn8zANBgkqhkiG9w0BAQ0FADAQMQ4wDAYDVQQDEwVV
-U0VSMTAeFw0xMDAxMDEyMjQ0MjVaFw0xMDAxMDIyMjQ0MjVaMBAxDjAMBgNVBAMT
-BVVTRVIxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAj2wa5um63bXJ
-j7jv3pfhDgkvwE9hfM/DLv1rmkq2Psepefb40VJng61WiTeLNWdXrAJ+ui5iHTCn
-8n+iqaucaPv4mOwH3j57CCLRvFrFSp/cUx2oZ3Zx1DfaSgfIc5F8AJQvYrtCxa6m
-eYCoUJ3BZqARiKc6fk/RtACB1YI9mCDYOgnntNhEwMkRTuPqholyaL1fmw51EDGH
-iGCQwsxj+YMLkuK2aQAs498NcA6fzui0Ey3MJ6LmLYbOSKqZ1cBzC4YfSGH921Ic
-4YDgsvQ1io1zN4AJFHj8ld5rlDCTElgUFmkm2wCLvQAQ9+5MB4fDVLFldpHHBgX2
-0097qFSAEwIDAQABoyEwHzAdBgNVHQ4EFgQUZ30jJvIgSSRkltqIKv7UgEYnlvUw
-DQYJKoZIhvcNAQENBQADggEBABYZ+ZwbRnJvfjnFq9c+GV5/7FJOTlO0SVAVZrYJ
-HzquTr3mFDkhOc6aDlaNGiFAJcs6Udj3MvV7J+Uuai9oJDmVCt94HZL3k09G+z1b
-A3BorBKWDYm2L9CKpjUgD0VY40Tc2yNVyrzCbdjVnBkrLKiAirSrb5NJK2lnJg4Y
-TB7TiAnSydfRWUyUo8/wEMgIo4o0vuB7AnBQFhCd0XRmxBNoBZ19f+R041I6CQ0L
-9jc172XWHL1o111/RS7M8qLcWxi11DN62p6IKNT32DnhVV0RFnfVTQDaQ9qsPFmg
-Dngy+2weYwc6hEKhnunGrv0LNoqp6lQbOZO4c4v0/ynBHf4=
------END CERTIFICATE-----
diff --git a/broker-core/src/test/resources/ssl/java_broker.crt b/broker-core/src/test/resources/ssl/java_broker.crt
deleted file mode 100644
index 4e5c086..0000000
--- a/broker-core/src/test/resources/ssl/java_broker.crt
+++ /dev/null
@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDbzCCAlegAwIBAgIFALBcS4MwDQYJKoZIhvcNAQELBQAwQTELMAkGA1UEBhMC
-Q0ExEDAOBgNVBAgTB09udGFyaW8xDTALBgNVBAoTBEFDTUUxETAPBgNVBAMTCE15
-Um9vdENBMB4XDTE5MDIyNzE2MDY0M1oXDTI0MDIyNzE2MDY0M1owbjEQMA4GA1UE
-BhMHVW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQ
-MA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjESMBAGA1UEAxMJbG9j
-YWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq1zWGLqSHqno
-In5HjqSLSNQb5TV7qTeoKeVGJdfP13oXMllzy4JTCiXBen3l3YhpSxqGYccyEYee
-UlMSWH1snv9kW5sh+fF8HjJrabQco+vkUqUirvotaBQP71X1V+05AFxFhWfgdINw
-Kzu6az5i2S6DWJ0Xkseuolo3cM/J+M245NJj3as0dX2bOu0qbqk4izDqqV1uiyUP
-Udn0jICC52ZLd2v9lBbUQD/ZvwMYWIiBw9pfPxvIw2OsqsKeh+I7RUoGBxDUdDvj
-lbNeJV7AmeoszI/3bHkncdCiObFMXdXmUVwcRJYDAq5eBhgK59WcwKPIqlOLismQ
-wjN4ZxxvqQIDAQABo0EwPzAdBgNVHQ4EFgQU8NpCddyhoagntgXuH6eMGKnNxJsw
-CQYDVR0TBAIwADATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOC
-AQEAjFSD0UPN7ZqMKA0Sk2oailI+AU11VEmwIw18sXSEFMWSH8uAgkyTOvNQv4Nu
-WHgNOx20r18bYVrTqTznRa9oM7xemtR2pKqJYUQKqvk9vcF8mY7ibK1AH1vlm/gh
-7EfEmobfwHutXyTbUppgqf4QLn9AYLokD/w0la1mxDQ5Qc5FefgxLGaN2DZALFOc
-8lcpA9E2hTau2znxMlqqrG73E6R2XoE7BVMHVemVAAvusBuuP9OW/iC/KTPDFNoy
-NnDViQfIh03aBH2N5XCcnsdsxDULh6pjdZWf9FB+8OBDKyajNdFZku7AFLkt+QIa
-FVo105jdjqfMxt8FRNuQ05vYEQ==
------END CERTIFICATE-----
diff --git a/broker-core/src/test/resources/ssl/java_broker.req b/broker-core/src/test/resources/ssl/java_broker.req
deleted file mode 100644
index c618dd3..0000000
--- a/broker-core/src/test/resources/ssl/java_broker.req
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN NEW CERTIFICATE REQUEST-----
-MIIC4zCCAcsCAQAwbjEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA1UECBMHVW5rbm93
-bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMH
-VW5rbm93bjESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOC
-AQ8AMIIBCgKCAQEAq1zWGLqSHqnoIn5HjqSLSNQb5TV7qTeoKeVGJdfP13oXMllz
-y4JTCiXBen3l3YhpSxqGYccyEYeeUlMSWH1snv9kW5sh+fF8HjJrabQco+vkUqUi
-rvotaBQP71X1V+05AFxFhWfgdINwKzu6az5i2S6DWJ0Xkseuolo3cM/J+M245NJj
-3as0dX2bOu0qbqk4izDqqV1uiyUPUdn0jICC52ZLd2v9lBbUQD/ZvwMYWIiBw9pf
-PxvIw2OsqsKeh+I7RUoGBxDUdDvjlbNeJV7AmeoszI/3bHkncdCiObFMXdXmUVwc
-RJYDAq5eBhgK59WcwKPIqlOLismQwjN4ZxxvqQIDAQABoDAwLgYJKoZIhvcNAQkO
-MSEwHzAdBgNVHQ4EFgQU8NpCddyhoagntgXuH6eMGKnNxJswDQYJKoZIhvcNAQEN
-BQADggEBAHsfAScjTeIM+Mkmq7z29wl0+NdWyoDKt0PjG0/WffExGXG1FD6JrbP7
-UEeBY60WdypO9/Nx7I/sw/UOsOH297NuCMkFDitAk5/5XDVSYpywBi85XK72ODmv
-hWYn2MGP9YnfL3qOd75kpNgVBKt9+IVFFNgdUMfzDQpTQgmzdaRepM4HUuxJnNGN
-jcjA6b7rT0XQu7EJqM/Q1beJTVmwtv/3ZsBduJfksr2+fyC7wd344Equ8kfhZtd9
-YocJYdlZ//0RjWMv10hXNMD2Y+Nk4ldoFOXwv93JMcBn4Uy0TeZ9O/eI/jETT5TL
-FZUUWdHvGqN2/9L4EZ0rAyH87HpHV7I=
------END NEW CERTIFICATE REQUEST-----
diff --git a/broker-core/src/test/resources/ssl/java_broker_expired_truststore.pkcs12 b/broker-core/src/test/resources/ssl/java_broker_expired_truststore.pkcs12
deleted file mode 100644
index 9bfe301..0000000
--- a/broker-core/src/test/resources/ssl/java_broker_expired_truststore.pkcs12
+++ /dev/null
Binary files differ
diff --git a/broker-core/src/test/resources/ssl/java_broker_keystore.pkcs12 b/broker-core/src/test/resources/ssl/java_broker_keystore.pkcs12
deleted file mode 100644
index b45991f..0000000
--- a/broker-core/src/test/resources/ssl/java_broker_keystore.pkcs12
+++ /dev/null
Binary files differ
diff --git a/broker-core/src/test/resources/ssl/java_broker_peerstore.pkcs12 b/broker-core/src/test/resources/ssl/java_broker_peerstore.pkcs12
deleted file mode 100644
index a5b307f..0000000
--- a/broker-core/src/test/resources/ssl/java_broker_peerstore.pkcs12
+++ /dev/null
Binary files differ
diff --git a/broker-core/src/test/resources/ssl/java_broker_truststore.pkcs12 b/broker-core/src/test/resources/ssl/java_broker_truststore.pkcs12
deleted file mode 100644
index 4184adf..0000000
--- a/broker-core/src/test/resources/ssl/java_broker_truststore.pkcs12
+++ /dev/null
Binary files differ
diff --git a/broker-core/src/test/resources/ssl/java_client_expired_keystore.pkcs12 b/broker-core/src/test/resources/ssl/java_client_expired_keystore.pkcs12
deleted file mode 100644
index cb9b876..0000000
--- a/broker-core/src/test/resources/ssl/java_client_expired_keystore.pkcs12
+++ /dev/null
Binary files differ
diff --git a/broker-core/src/test/resources/ssl/java_client_keystore.pkcs12 b/broker-core/src/test/resources/ssl/java_client_keystore.pkcs12
deleted file mode 100644
index 9422d9a..0000000
--- a/broker-core/src/test/resources/ssl/java_client_keystore.pkcs12
+++ /dev/null
Binary files differ
diff --git a/broker-core/src/test/resources/ssl/java_client_truststore.pkcs12 b/broker-core/src/test/resources/ssl/java_client_truststore.pkcs12
deleted file mode 100644
index 1b45a23..0000000
--- a/broker-core/src/test/resources/ssl/java_client_truststore.pkcs12
+++ /dev/null
Binary files differ
diff --git a/broker-core/src/test/resources/ssl/java_client_untrusted_keystore.pkcs12 b/broker-core/src/test/resources/ssl/java_client_untrusted_keystore.pkcs12
deleted file mode 100644
index 8b0b023..0000000
--- a/broker-core/src/test/resources/ssl/java_client_untrusted_keystore.pkcs12
+++ /dev/null
Binary files differ
diff --git a/broker-core/src/test/resources/ssl/test_cert_only_keystore.pkcs12 b/broker-core/src/test/resources/ssl/test_cert_only_keystore.pkcs12
deleted file mode 100644
index f480819..0000000
--- a/broker-core/src/test/resources/ssl/test_cert_only_keystore.pkcs12
+++ /dev/null
Binary files differ
diff --git a/broker-core/src/test/resources/ssl/test_empty_keystore.jks b/broker-core/src/test/resources/ssl/test_empty_keystore.jks
deleted file mode 100644
index ed88075..0000000
--- a/broker-core/src/test/resources/ssl/test_empty_keystore.jks
+++ /dev/null
Binary files differ
diff --git a/broker-core/src/test/resources/ssl/test_keystore.jks b/broker-core/src/test/resources/ssl/test_keystore.jks
deleted file mode 100644
index afa9d02..0000000
--- a/broker-core/src/test/resources/ssl/test_keystore.jks
+++ /dev/null
Binary files differ
diff --git a/broker-core/src/test/resources/ssl/test_pk_only_keystore.pkcs12 b/broker-core/src/test/resources/ssl/test_pk_only_keystore.pkcs12
deleted file mode 100644
index 64ca340..0000000
--- a/broker-core/src/test/resources/ssl/test_pk_only_keystore.pkcs12
+++ /dev/null
Binary files differ
diff --git a/broker-core/src/test/resources/ssl/test_symmetric_key_keystore.pkcs12 b/broker-core/src/test/resources/ssl/test_symmetric_key_keystore.pkcs12
deleted file mode 100644
index f39dcf4..0000000
--- a/broker-core/src/test/resources/ssl/test_symmetric_key_keystore.pkcs12
+++ /dev/null
Binary files differ
diff --git a/broker-plugins/management-http/src/main/java/resources/js/qpid/management/TrustStore.js b/broker-plugins/management-http/src/main/java/resources/js/qpid/management/TrustStore.js
index 8e5dfcd..9f8e1d1 100644
--- a/broker-plugins/management-http/src/main/java/resources/js/qpid/management/TrustStore.js
+++ b/broker-plugins/management-http/src/main/java/resources/js/qpid/management/TrustStore.js
@@ -126,7 +126,11 @@
}
}
- storeNodes(["name", "type", "state", "exposedAsMessageSource", "trustAnchorValidityEnforced"]);
+ storeNodes(["name", "type", "state", "exposedAsMessageSource", "trustAnchorValidityEnforced",
+ "certificateRevocationCheckEnabled", "certificateRevocationCheckOfOnlyEndEntityCertificates",
+ "certificateRevocationCheckWithPreferringCertificateRevocationList",
+ "certificateRevocationCheckWithNoFallback", "certificateRevocationCheckWithIgnoringSoftFailures",
+ "certificateRevocationListUrl"]);
}
@@ -139,6 +143,18 @@
entities.encode(String(this.trustStoreData["exposedAsMessageSource"]));
this.trustAnchorValidityEnforced.innerHTML =
entities.encode(String(this.trustStoreData["trustAnchorValidityEnforced"]));
+ this.certificateRevocationCheckEnabled.innerHTML =
+ entities.encode(String(this.trustStoreData["certificateRevocationCheckEnabled"]));
+ this.certificateRevocationCheckOfOnlyEndEntityCertificates.innerHTML =
+ entities.encode(String(this.trustStoreData["certificateRevocationCheckOfOnlyEndEntityCertificates"]));
+ this.certificateRevocationCheckWithPreferringCertificateRevocationList.innerHTML =
+ entities.encode(String(this.trustStoreData["certificateRevocationCheckWithPreferringCertificateRevocationList"]));
+ this.certificateRevocationCheckWithNoFallback.innerHTML =
+ entities.encode(String(this.trustStoreData["certificateRevocationCheckWithNoFallback"]));
+ this.certificateRevocationCheckWithIgnoringSoftFailures.innerHTML =
+ entities.encode(String(this.trustStoreData["certificateRevocationCheckWithIgnoringSoftFailures"]));
+ this.certificateRevocationListUrl.innerHTML = this.trustStoreData["certificateRevocationListUrl"] ?
+ entities.encode(String(this.trustStoreData["certificateRevocationListUrl"])) : "";
};
KeyStoreUpdater.prototype.update = function (callback)
diff --git a/broker-plugins/management-http/src/main/java/resources/js/qpid/management/addStore.js b/broker-plugins/management-http/src/main/java/resources/js/qpid/management/addStore.js
index 42329dd..f98a947 100644
--- a/broker-plugins/management-http/src/main/java/resources/js/qpid/management/addStore.js
+++ b/broker-plugins/management-http/src/main/java/resources/js/qpid/management/addStore.js
@@ -114,6 +114,7 @@
this.storeType.set("disabled", !!initialData);
if (!effectiveData)
{
+ this.initialData = {};
this.dialog.set("title", "Add " + this.category);
}
else
@@ -164,7 +165,7 @@
var storeData = util.getFormWidgetValues(this.storeForm, this.initialData);
- if (this.initialData)
+ if (this.initialData && this.initialData.id)
{
// update request
this.management.update(this.modelObj, storeData)
diff --git a/broker-plugins/management-http/src/main/java/resources/showTrustStore.html b/broker-plugins/management-http/src/main/java/resources/showTrustStore.html
index eb82307..e3a5b5c 100644
--- a/broker-plugins/management-http/src/main/java/resources/showTrustStore.html
+++ b/broker-plugins/management-http/src/main/java/resources/showTrustStore.html
@@ -40,6 +40,30 @@
<div class="trustAnchorValidityEnforced"></div>
</div>
<div class="clear">
+ <div class="formLabel-labelCell">Revocation Enabled:</div>
+ <div class="certificateRevocationCheckEnabled"></div>
+ </div>
+ <div class="clear">
+ <div class="formLabel-labelCell">Revocation Check Of Only End Entity:</div>
+ <div class="certificateRevocationCheckOfOnlyEndEntityCertificates"></div>
+ </div>
+ <div class="clear">
+ <div class="formLabel-labelCell">Revocation Check With Preferring CRL:</div>
+ <div class="certificateRevocationCheckWithPreferringCertificateRevocationList"></div>
+ </div>
+ <div class="clear">
+ <div class="formLabel-labelCell">Revocation Check With No Fallback:</div>
+ <div class="certificateRevocationCheckWithNoFallback"></div>
+ </div>
+ <div class="clear">
+ <div class="formLabel-labelCell">Revocation Check With Ignoring Soft Failures:</div>
+ <div class="certificateRevocationCheckWithIgnoringSoftFailures"></div>
+ </div>
+ <div class="clear">
+ <div class="formLabel-labelCell">Certificate Revocation List URL:</div>
+ <div class="certificateRevocationListUrl"></div>
+ </div>
+ <div class="clear">
<div class="typeFieldsContainer"></div>
</div>
<div class="clear">
diff --git a/broker-plugins/management-http/src/main/java/resources/store/truststore.html b/broker-plugins/management-http/src/main/java/resources/store/truststore.html
index 8c3047b..439f7fc 100644
--- a/broker-plugins/management-http/src/main/java/resources/store/truststore.html
+++ b/broker-plugins/management-http/src/main/java/resources/store/truststore.html
@@ -24,8 +24,7 @@
<div class="formLabel-controlCell tableContainer-valueCell">
<input type="text" id="addStore.exposedAsMessageSource"
data-dojo-type="dijit/form/CheckBox"
- data-dojo-props="
- name: 'exposedAsMessageSource'" />
+ data-dojo-props="name: 'exposedAsMessageSource'" />
<div data-dojo-type="dijit/Tooltip"
data-dojo-props="connectId: ['addStore.exposedAsMessageSource'],
label: 'Expose trust store as message source'">
@@ -36,12 +35,95 @@
<div class="formLabel-controlCell tableContainer-valueCell">
<input type="text" id="addStore.trustAnchorValidityEnforced"
data-dojo-type="dijit/form/CheckBox"
- data-dojo-props="
- name: 'trustAnchorValidityEnforced'" />
+ data-dojo-props="name: 'trustAnchorValidityEnforced'" />
<div data-dojo-type="dijit/Tooltip"
data-dojo-props="connectId: ['addStore.trustAnchorValidityEnforced'],
label: 'If true, trust anchor validity dates will be enforced'">
</div>
</div>
</div>
+ <div class="clear formBox">
+ <fieldset>
+ <legend>Revocation</legend>
+ <div class="clear">
+ <div id="addStore.certificateRevocationCheckEnabledLabel"
+ class="formLabel-labelCell tableContainer-labelCell">Enabled:</div>
+ <div class="formLabel-controlCell tableContainer-valueCell">
+ <input type="text" id="addStore.certificateRevocationCheckEnabled"
+ data-dojo-type="dijit/form/CheckBox"
+ data-dojo-props="name: 'certificateRevocationCheckEnabled'" />
+ <div data-dojo-type="dijit/Tooltip"
+ data-dojo-props="connectId: ['addStore.certificateRevocationCheckEnabled'],
+ label: 'If enabled, enable certificates revocation check'">
+ </div>
+ </div>
+ </div>
+ <div class="clear">
+ <div id="addStore.certificateRevocationCheckOfOnlyEndEntityCertificatesLabel"
+ class="formLabel-labelCell tableContainer-labelCell">Only End Entity:</div>
+ <div class="formLabel-controlCell tableContainer-valueCell">
+ <input type="text" id="addStore.certificateRevocationCheckOfOnlyEndEntityCertificates"
+ data-dojo-type="dijit/form/CheckBox"
+ data-dojo-props="name: 'certificateRevocationCheckOfOnlyEndEntityCertificates'" />
+ <div data-dojo-type="dijit/Tooltip"
+ data-dojo-props="connectId: ['addStore.certificateRevocationCheckOfOnlyEndEntityCertificates'],
+ label: 'If enabled, only check the revocation status of end-entity certificates'">
+ </div>
+ </div>
+ </div>
+ <div class="clear">
+ <div id="addStore.certificateRevocationCheckWithPreferringCertificateRevocationListLabel"
+ class="formLabel-labelCell tableContainer-labelCell">Prefer CRLs:</div>
+ <div class="formLabel-controlCell tableContainer-valueCell">
+ <input type="text" id="addStore.certificateRevocationCheckWithPreferringCertificateRevocationList"
+ data-dojo-type="dijit/form/CheckBox"
+ data-dojo-props="name: 'certificateRevocationCheckWithPreferringCertificateRevocationList'" />
+ <div data-dojo-type="dijit/Tooltip"
+ data-dojo-props="connectId: ['addStore.certificateRevocationCheckWithPreferringCertificateRevocationList'],
+ label: 'If enabled, prefer CRL (specified in certificate distribution points) to OCSP, if false prefer OCSP to CRL'">
+ </div>
+ </div>
+ </div>
+ <div class="clear">
+ <div id="addStore.certificateRevocationCheckWithNoFallbackLabel"
+ class="formLabel-labelCell tableContainer-labelCell">No Fallback:</div>
+ <div class="formLabel-controlCell tableContainer-valueCell">
+ <input type="text" id="addStore.certificateRevocationCheckWithNoFallback"
+ data-dojo-type="dijit/form/CheckBox"
+ data-dojo-props="name: 'certificateRevocationCheckWithNoFallback'" />
+ <div data-dojo-type="dijit/Tooltip"
+ data-dojo-props="connectId: ['addStore.certificateRevocationCheckWithNoFallback'],
+ label: 'If enabled, disable fallback to CRL/OCSP (if 'Prefer CRLs' set to true, disable fallback to OCSP, otherwise disable fallback to CRL in certificate distribution points)'">
+ </div>
+ </div>
+ </div>
+ <div class="clear">
+ <div id="addStore.certificateRevocationCheckWithIgnoringSoftFailuresLabel"
+ class="formLabel-labelCell tableContainer-labelCell">Ignore Soft Failures:</div>
+ <div class="formLabel-controlCell tableContainer-valueCell">
+ <input type="text" id="addStore.certificateRevocationCheckWithIgnoringSoftFailures"
+ data-dojo-type="dijit/form/CheckBox"
+ data-dojo-props="name: 'certificateRevocationCheckWithIgnoringSoftFailures'" />
+ <div data-dojo-type="dijit/Tooltip"
+ data-dojo-props="connectId: ['addStore.certificateRevocationCheckWithIgnoringSoftFailures'],
+ label: 'If enabled, revocation check will succeed if CRL/OCSP response cannot be obtained because of network error or OCSP responder returns internalError or tryLater'">
+ </div>
+ </div>
+ </div>
+ <div class="clear">
+ <div id="addStore.certificateRevocationListUrlLabel"
+ class="formLabel-labelCell tableContainer-labelCell">Server CRL Path Or Upload:</div>
+ <div class="formLabel-controlCell tableContainer-valueCell">
+ <input type="text" id="addStore.certificateRevocationListUrl"
+ data-dojo-type="qpid/common/ResourceWidget"
+ data-dojo-props="
+ name: 'certificateRevocationListUrl',
+ placeHolder: 'certificate revocation list file server path',
+ promptMessage: 'Location of the certificate revocation list file on the server (overrides revocation done by CRL distribution points and OCSP)',
+ title: 'Enter the certificate revocation list file path'" />
+ </div>
+ </div>
+ </fieldset>
+ <div class="clear"></div>
+ </div>
</div>
diff --git a/doc/java-broker/src/docbkx/management/managing/Java-Broker-Management-Managing-Truststores.xml b/doc/java-broker/src/docbkx/management/managing/Java-Broker-Management-Managing-Truststores.xml
index 3c03019..18e36c6 100644
--- a/doc/java-broker/src/docbkx/management/managing/Java-Broker-Management-Managing-Truststores.xml
+++ b/doc/java-broker/src/docbkx/management/managing/Java-Broker-Management-Managing-Truststores.xml
@@ -78,7 +78,7 @@
</listitem>
<listitem>
<para><emphasis>Exposed as Message Source</emphasis>. If enabled, the Broker
- will distribute certificates contained within the trustore to clients.
+ will distribute certificates contained within the truststore to clients.
Used by the end to end message encryption feature.</para>
</listitem>
<listitem>
@@ -87,6 +87,38 @@
</listitem>
</itemizedlist>
</para>
+ <para>Revocation attributes.</para>
+ <para>
+ <itemizedlist>
+ <listitem>
+ <para><emphasis>Enabled</emphasis>. If set to true certificate revocation check is performed when
+ client tries to connect.</para>
+ </listitem>
+ <listitem>
+ <para><emphasis>Only End Entity</emphasis>. If enabled, check only the revocation status of
+ end-entity certificates.</para>
+ </listitem>
+ <listitem>
+ <para><emphasis>Prefer CRLs</emphasis>. If enabled, prefer CRL (specified in certificate
+ distribution points) to OCSP, if disabled prefer OCSP to CRL.</para>
+ </listitem>
+ <listitem>
+ <para><emphasis>No Fallback</emphasis>. If enabled, disable fallback to CRL/OCSP (if
+ <emphasis>Prefer CRLs</emphasis> set to true, disable fallback to OCSP,
+ otherwise disable fallback to CRL in certificate distribution points).</para>
+ </listitem>
+ <listitem>
+ <para><emphasis>Ignore Soft Failures</emphasis>. If enabled, revocation check will succeed
+ if CRL/OCSP response cannot be obtained because of network error or OCSP responder returns
+ internalError or tryLater.</para>
+ </listitem>
+ <listitem>
+ <para><emphasis>Server CRL Path Or Upload</emphasis>. Path to Certificate Revocation List file.
+ If set, certificate revocation check uses only set CRL file and ignores CRL Distribution Points
+ in certificate.</para>
+ </listitem>
+ </itemizedlist>
+ </para>
<para>The following attributes apply to <emphasis>File Trust Stores</emphasis> only.</para>
<para>
<itemizedlist>
diff --git a/qpid-test-utils/pom.xml b/qpid-test-utils/pom.xml
index 5e8bd75..d3faf81 100644
--- a/qpid-test-utils/pom.xml
+++ b/qpid-test-utils/pom.xml
@@ -56,5 +56,4 @@
<artifactId>guava</artifactId>
</dependency>
</dependencies>
-
</project>
diff --git a/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/TestSSLConstants.java b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/TestSSLConstants.java
index 9bdb282..329920b 100644
--- a/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/TestSSLConstants.java
+++ b/qpid-test-utils/src/main/java/org/apache/qpid/test/utils/TestSSLConstants.java
@@ -18,27 +18,82 @@
*/
package org.apache.qpid.test.utils;
-public interface TestSSLConstants
+import java.nio.file.Paths;
+
+public final class TestSSLConstants
{
- String KEYSTORE = "test-profiles/test_resources/ssl/java_client_keystore.jks";
- String EXPIRED_KEYSTORE = "test-profiles/test_resources/ssl/java_client_expired_keystore.jks";
- String KEYSTORE_PASSWORD = "password";
- String TRUSTSTORE = "test-profiles/test_resources/ssl/java_client_truststore.jks";
- String TRUSTSTORE_PASSWORD = "password";
+ public static final String JAVA_KEYSTORE_TYPE = "pkcs12";
+ public static final String PASSWORD = "password";
+ private static final String TEST_CERTIFICATES_DIRECTORY;
+ static
+ {
+ final String testCertificatesDirectoryPrefix;
+ if (System.getProperty("user.dir").contains("systests"))
+ {
+ testCertificatesDirectoryPrefix = Paths.get(System.getProperty("user.dir"), "..", "..").toString();
+ }
+ else if (System.getProperty("user.dir").contains(".."))
+ {
+ testCertificatesDirectoryPrefix = System.getProperty("user.dir");
+ }
+ else
+ {
+ testCertificatesDirectoryPrefix = Paths.get(System.getProperty("user.dir"), "..").toString();
+ }
+ TEST_CERTIFICATES_DIRECTORY =
+ Paths.get(testCertificatesDirectoryPrefix,
+ "qpid-test-utils", "src", "main", "resources", "ssl", "certificates").toString();
+ }
+ public static final String CLIENT_KEYSTORE =
+ Paths.get(TEST_CERTIFICATES_DIRECTORY, "client_keystore.jks").toString();
+ public static final String CLIENT_TRUSTSTORE =
+ Paths.get(TEST_CERTIFICATES_DIRECTORY, "client_truststore.jks").toString();
+ public static final String CLIENT_EXPIRED_KEYSTORE =
+ Paths.get(TEST_CERTIFICATES_DIRECTORY, "client_expired_keystore.jks").toString();
+ public static final String CLIENT_EXPIRED_CRT =
+ Paths.get(TEST_CERTIFICATES_DIRECTORY, "client_expired.crt").toString();
+ public static final String CLIENT_UNTRUSTED_KEYSTORE =
+ Paths.get(TEST_CERTIFICATES_DIRECTORY, "client_untrusted_keystore.jks").toString();
- String CERT_ALIAS_APP1 = "app1";
- String CERT_ALIAS_APP2 = "app2";
- String CERT_ALIAS_UNTRUSTED_CLIENT = "untrusted_client";
+ public static final String CERT_ALIAS_ROOT_CA = "rootca";
+ public static final String CERT_ALIAS_APP1 = "app1";
+ public static final String CERT_ALIAS_APP2 = "app2";
+ public static final String CERT_ALIAS_ALLOWED = "allowed_by_ca";
+ public static final String CERT_ALIAS_REVOKED = "revoked_by_ca";
+ public static final String CERT_ALIAS_REVOKED_EMPTY_CRL = "revoked_by_ca_empty_crl";
+ public static final String CERT_ALIAS_REVOKED_INVALID_CRL_PATH = "revoked_by_ca_invalid_crl_path";
+ public static final String CERT_ALIAS_ALLOWED_WITH_INTERMEDIATE = "allowed_by_ca_with_intermediate";
+ public static final String CERT_ALIAS_UNTRUSTED_CLIENT = "untrusted_client";
- String BROKER_KEYSTORE = "test-profiles/test_resources/ssl/java_broker_keystore.jks";
- String BROKER_KEYSTORE_PASSWORD = "password";
- String BROKER_KEYSTORE_ALIAS = "java-broker";
+ public static final String BROKER_KEYSTORE =
+ Paths.get(TEST_CERTIFICATES_DIRECTORY, "broker_keystore.jks").toString();
+ public static final String BROKER_CRT =
+ Paths.get(TEST_CERTIFICATES_DIRECTORY, "broker.crt").toString();
+ public static final String BROKER_CSR =
+ Paths.get(TEST_CERTIFICATES_DIRECTORY, "broker.csr").toString();
+ public static final String BROKER_TRUSTSTORE =
+ Paths.get(TEST_CERTIFICATES_DIRECTORY, "broker_truststore.jks").toString();
+ public static final String BROKER_PEERSTORE =
+ Paths.get(TEST_CERTIFICATES_DIRECTORY, "broker_peerstore.jks").toString();
+ public static final String BROKER_EXPIRED_TRUSTSTORE =
+ Paths.get(TEST_CERTIFICATES_DIRECTORY, "broker_expired_truststore.jks").toString();
+ public static final String BROKER_KEYSTORE_ALIAS = "broker";
- String BROKER_PEERSTORE = "test-profiles/test_resources/ssl/java_broker_peerstore.jks";
- String BROKER_PEERSTORE_PASSWORD = "password";
+ public static final String TEST_EMPTY_KEYSTORE =
+ Paths.get(TEST_CERTIFICATES_DIRECTORY, "test_empty_keystore.jks").toString();
+ public static final String TEST_KEYSTORE =
+ Paths.get(TEST_CERTIFICATES_DIRECTORY, "test_keystore.jks").toString();
+ public static final String TEST_CERT_ONLY_KEYSTORE =
+ Paths.get(TEST_CERTIFICATES_DIRECTORY, "test_cert_only_keystore.jks").toString();
+ public static final String TEST_PK_ONLY_KEYSTORE =
+ Paths.get(TEST_CERTIFICATES_DIRECTORY, "test_pk_only_keystore.jks").toString();
+ public static final String TEST_SYMMETRIC_KEY_KEYSTORE =
+ Paths.get(TEST_CERTIFICATES_DIRECTORY, "test_symmetric_key_keystore.jks").toString();
- String BROKER_TRUSTSTORE = "test-profiles/test_resources/ssl/java_broker_truststore.jks";
- String BROKER_TRUSTSTORE_PASSWORD = "password";
-
- String JAVA_KEYSTORE_TYPE = "pkcs12";
+ public static final String CA_CRL_EMPTY =
+ Paths.get(TEST_CERTIFICATES_DIRECTORY, "MyRootCA.empty.crl").toString();
+ public static final String CA_CRL =
+ Paths.get(TEST_CERTIFICATES_DIRECTORY, "MyRootCA.crl").toString();
+ public static final String INTERMEDIATE_CA_CRL =
+ Paths.get(TEST_CERTIFICATES_DIRECTORY, "intermediate_ca.crl").toString();
}
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crl b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crl
new file mode 100644
index 0000000..2d7b8d9
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crl
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crl.pem b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crl.pem
new file mode 100644
index 0000000..0430e10
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crl.pem
@@ -0,0 +1,13 @@
+-----BEGIN X509 CRL-----
+MIIB8TCB2gIBATANBgkqhkiG9w0BAQsFADBBMQswCQYDVQQGEwJDQTEQMA4GA1UE
+CAwHT250YXJpbzENMAsGA1UECgwEQUNNRTERMA8GA1UEAwwITXlSb290Q0EXDTIw
+MDExNzEyMTQwM1oXDTIwMDIxNjEyMTQwM1owVDATAgISOBcNMjAwMTE3MTIxNDAz
+WjATAgISORcNMjAwMTE3MTIxNDAzWjATAgISOxcNMjAwMTE3MTIxNDAzWjATAgIS
+PBcNMjAwMTE3MTIxNDAzWqAPMA0wCwYDVR0UBAQCAhI2MA0GCSqGSIb3DQEBCwUA
+A4IBAQCP9fF88j+7OLHZqq6kkxB8IZSN0lCRXXk590V3rx/NWJYmhGjlOjvEe+dG
+fiTFYUxtYuGU/rsYOezMg2/uO9l+PdPq2blWcYKvDvBK89oHaFnX0U1vCiOLD/H0
+09a70Lo3p7tHRBiPcaximmq3DA2dZRSRlo3oRoHAQ1tdMbbAm+D+N6uEu6xARycH
+OmAkx1ofx1SW+Up02R/56QINfYKG+Teqk+g/2uj+fbCx7Hdt+ocoPH8D3FrPv/QQ
+wmDlvPktb552EyOAHuhv/VSYhBB9yLKeqxb4/K7+lSCibM7gO0aPpzr33eykftbR
+aMRSNPr1t5tw2psBHoQ63U920dXu
+-----END X509 CRL-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crt b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crt
new file mode 100644
index 0000000..0614c37
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.crt
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDYzCCAkugAwIBAgIUAzgWkwkl4wOLx+GiJZVnG3I2cNEwDQYJKoZIhvcNAQEN
+BQAwQTELMAkGA1UEBhMCQ0ExEDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFD
+TUUxETAPBgNVBAMMCE15Um9vdENBMB4XDTIwMDExNzEyMTM0OVoXDTI0MDExNzEy
+MTM0OVowQTELMAkGA1UEBhMCQ0ExEDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoM
+BEFDTUUxETAPBgNVBAMMCE15Um9vdENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEA+CXc5ld4yp+N6ns0HA8aPI2AUDPcbhs558F713/amq6KzueuVBJ4
+UBMdFqGI2Ul2RbEJuy/qxYqTDqtPNMorzLgK47NrDnZ0cdE/DlavSyCQmNoE0Ksr
+XBTbIk0uEKKObJSYiW+8ise6cc+5Q83woG5OzUj6E/uX/TFYsSbsaLaG74HY8ajI
+bHDEPOnRlqWV/Z8ADvjpplxXuAXyhA7YYMA/WlXAp3knLFEZTJduVeH+U9gn3lif
+9zjUxuaNBioTJcnHnbanc3z2q5CvTbzhlUjOuWJ28dJ+QHr60bw4EEwM+akavU+O
+9GK2Dh2oqLAOJ/z11I5F6LX7NEOprpt0owIDAQABo1MwUTAdBgNVHQ4EFgQU2DTy
+TKWsAaQ7VGaq99vDwfK/5swwHwYDVR0jBBgwFoAU2DTyTKWsAaQ7VGaq99vDwfK/
+5swwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAQEA8p51vGg8YT6y
+Aiyeps/ggms5/vkuH3AdI2OqC1RbIIx2Duia1EiH+Vxw0I1B7jJ9tZOsZfJVLmcr
+qlToReTTceGSRt22JvV7vpB/mn7y1z5Pz9Inw/eWTC32frzzLdayGv3/EhArsu+B
+eW6EemnXN4UxRc4rkCcYqz3WJJ/NollBwzqhpmFqo0sArZ7CSkz9+2U6sayZsxA3
+zT+4aj6vIp6Yv/USgX86VrdO1sBhJKlosEOlJqyorpjutv4fl4hR04/yU+Kw/sdG
+9ZA5Q9zrV0ooZ+635K1Z4Xr2rCH/38ltUZnFWD7D0w/z+QhonxXdnwbudtedSybo
+VPvWVRUaVA==
+-----END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.empty.crl b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.empty.crl
new file mode 100644
index 0000000..7c4a5df
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.empty.crl
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.empty.crl.pem b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.empty.crl.pem
new file mode 100644
index 0000000..88a02d0
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.empty.crl.pem
@@ -0,0 +1,11 @@
+-----BEGIN X509 CRL-----
+MIIBmzCBhAIBATANBgkqhkiG9w0BAQsFADBBMQswCQYDVQQGEwJDQTEQMA4GA1UE
+CAwHT250YXJpbzENMAsGA1UECgwEQUNNRTERMA8GA1UEAwwITXlSb290Q0EXDTIw
+MDExNzEyMTQwM1oXDTIwMDIxNjEyMTQwM1qgDzANMAsGA1UdFAQEAgISNTANBgkq
+hkiG9w0BAQsFAAOCAQEAvXMYfesUZM9b/MRG36pyFXdW6Ntn7KcldzYphHMeUiw9
+L+SI2kSzQrfvMFC5URAMpchnKZWzNcjoERpaFmt/io9W+GxFfrfUDPgu14p3n1b9
+Z4xQx/f+ZbEuw4Xuv5TPdGYzkxtaMCabHrcZbJvYcT+6ogshsxIqduiqx9EEnyYY
+WhrsOyAhjhEAeU+CaNjL0xo+71xpzyRbV2BRxwyNNJEVTc9SGUtwro2jdCSB72KM
+S85RSUshg5aWEXz99jV41w1Zx1UWfwAN9K5aJxwNp3x06C/SxHc2yMfN9h3BIr/f
+kdBgB/Larrwq+luogS4e9JA522/V3yYeYajuxH7JEQ==
+-----END X509 CRL-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.key b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.key
new file mode 100644
index 0000000..742071d
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/MyRootCA.key
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIoKxdp44hlPICAggA
+MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECIjUETc4sXyDBIIEyMQ/YTalgLpr
+OcHUsyfkMGThRYoMvDC1TT8SYR5iqm0ARFxIh6tnU1Y0JvWMdzQgR4qzZXbyZLwm
+L/0xeL4ErEkhgfc6UUv7ldv5uja3dKUbTZaxD/Pl/w7ZboVWj62RfiSMmoNmvMaw
+0c7BIFxXACdrVSjBN11cJOYI9nKwqge5WWEgTVYSyKGC0zf6BdSSRmaFX5mQ7E0D
+9tuegWmes57TEZXh9ObzsrKegFC6FJ26DUXZ7h7lAOkHrjRm+5pvY+YOHtGgBLCz
+h1DkssCQ9uyE+39REcdX4cEkY2L4kqirJ69v6YdT6u7NwF2eGCJwANDCI5+1WFO2
+Prc2SNAgA4TtASnwi6vE7z/Vg2Ah+WUx41m4kp5zw4rUIA6w9pvUnuZBhACEcqtt
+HncoVRr0dxX7tN7Hxsw5I2Wx0szuHCpSXt9den/4rcyl4dpVViNOc7lah0C8uS2t
+tt1DE4JdA1gm0uKVUkS+57049R0ojMisjMmJBs3V0+lPvRwHGZ+UGer4lw1FPMXr
+fDLXuOCs5V9pR2d5OtHttFNKVGwcRtPElSKCvJjxvl/frBTfng97S/jIAUJc4NMQ
+tBoI18TeNnALRp/JWtJf5VqQFyNvp/Th/Qk2VgUa6x5jKE6ksLlaVDxZ4rZbFyfl
+WkVbJ3OABNfEzrucOEFoncqHPM8BT1unTkRTOlsJMbgzJYby+RLznMzKwGS20A6P
+f2f4L840zqHSFHfD/HhW0CZ5ZwXbW6Kta6D0+DWDzHzA/6GMFtggpXtMXKbi/2dV
+wPR7sHQwxE+Qbq4SxxAx7CYhiz6L2x/EMX/BehAJic6XTQJEmluaiq3o1954OuTZ
+eUAnOV9iv2iEKf02D06yCJsyLop4CtN88HenGD7EiZ71IuF7U/VDoy2lVcbiW0DT
+efTsbns5euSqe335SHafd9OGIe8p7shsSsoh6smfUpYdYlKq+wG2P+h7CSMoIGh6
+bKq0k3xnyi4CH22Ukyt3IIg0REGTvFgdZGRuwJe2cylzYeuj+KJclVLTmJ2jQJ2D
+xd1M5gNqbZOzihCNOnG6Owik93RJBi6qynhfhOt6YHBeUmeIFx+ygLQqtNjlX/V9
++rsBtovzMZhfFK6ozSm0fQG+2rB5QrnsEw3gzzZ22fBPy+SQ1GPK2FJNNHO3REaD
++5Yt0Iny4jFA9UiveR8pxvYdPwoPEiEii1VfOAkR+0dcEeKX1gQvCF84XNRSiMXw
+ITHOI9QmmYqyjTAv1ZMB7TV3dnxQuyifHZciEFK5R7Kkn0Z78diXxFjWvPVVhsLG
+yzFHArQs0lDUsRlZxJ68SkwJ3dw2m8XpwUPkWlTZ5SoJTSN0JOa9fn5Htm7X1ZYK
+A4x80z3t6oeTGJxmDxQHOL+NCkeRQv1fN/JS4b7I6p9sQT+60gT5dJ0R6/CU2Vpf
+xM+DcHGW8oo8yQ2CjSOaf1Bp+Sp/arcrK0KOP6sbABlnXeTeRgWOb3xwRnwWP0am
+wAooVJgifFOAnEA7rfi7XgnQkALtwki4TPhy2g+eoHDo2PiX5j0QxdVpGlfzZVkC
+9j8fgea3hy5Y78Ju8N/fhZWgYIoyosVnFhXHtHpebPdDpktseOR388PNvMEa+6vT
+nKxFX9Uw8/IoAkO1WGG+rg==
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.crt b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.crt
new file mode 100644
index 0000000..171ec80
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.crt
@@ -0,0 +1,80 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 4663 (0x1237)
+ Signature Algorithm: sha512WithRSAEncryption
+ Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA
+ Validity
+ Not Before: Jan 17 12:14:00 2020 GMT
+ Not After : Jan 17 12:14:00 2024 GMT
+ Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=allowed_by_ca@acme.org
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public-Key: (2048 bit)
+ Modulus:
+ 00:ae:43:c8:3b:d5:08:7c:69:6f:48:96:bd:ae:cf:
+ d9:ab:f6:3a:68:64:e6:f5:57:14:45:42:40:e5:c5:
+ 7f:97:6d:13:4f:d1:26:28:14:0d:30:e5:9e:55:67:
+ b8:3a:7d:d8:8d:b4:9e:07:f0:62:e4:95:63:41:b9:
+ 04:2b:53:51:86:46:36:25:6f:82:60:74:e0:81:73:
+ c3:ce:1c:76:3e:97:35:da:82:28:22:cc:ac:62:22:
+ d7:0d:8d:38:44:c0:de:29:ca:15:b9:13:39:81:04:
+ 4b:0d:71:9f:ff:1c:36:4e:2e:57:54:85:83:f4:f4:
+ a8:f9:bb:f5:a5:66:b1:9a:40:a2:1a:33:5e:b2:37:
+ 31:a5:73:fb:f4:39:fe:d1:52:ec:f2:b1:fc:84:1a:
+ c7:2b:98:81:e3:62:ae:51:e6:5b:6e:c4:f9:ff:c0:
+ e4:64:88:3a:c1:a2:20:95:3c:71:c6:eb:da:d3:de:
+ aa:42:98:1f:e9:da:06:fc:f9:0d:23:1c:8b:ae:3e:
+ ee:6c:b8:ac:a1:a3:da:c9:21:8d:c4:48:26:23:8e:
+ 40:44:55:dc:0b:fc:b8:a7:0c:c8:4b:f6:21:7a:1e:
+ 57:ff:1c:ce:a7:e3:8a:c4:26:02:93:f3:e8:4a:45:
+ a5:3e:02:5b:25:6b:f8:58:1b:ce:18:3e:da:62:86:
+ 34:ff
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 CRL Distribution Points:
+
+ Full Name:
+ URI:http://localhost:8186/MyRootCA.crl
+
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 Key Usage:
+ Digital Signature, Non Repudiation, Key Encipherment
+ Signature Algorithm: sha512WithRSAEncryption
+ c8:28:31:d7:11:ba:e1:ea:b0:18:ec:74:6b:66:7d:da:31:1f:
+ 2a:a2:c4:e8:af:a2:ba:92:56:d9:7b:f4:fe:e1:20:5c:5c:5e:
+ 3f:39:31:0a:b3:a5:19:f0:60:86:ef:98:eb:e1:c7:1a:1d:0a:
+ 51:d6:25:9b:29:a4:71:9d:da:d6:cf:96:82:07:ca:38:71:62:
+ 93:6b:b1:44:87:49:42:28:66:53:34:f1:fa:3e:48:49:ed:2a:
+ ed:56:b2:49:cb:5b:0c:46:59:68:2d:d9:95:47:c4:0c:fa:57:
+ 93:e1:0b:52:ed:75:2a:fe:a9:e7:e7:a3:c8:68:7a:fc:14:92:
+ 8b:8b:34:94:28:f1:23:7b:2c:bd:26:48:fe:bf:6e:ec:71:9b:
+ 43:e8:e3:64:48:36:af:9e:8e:bd:e5:c7:b2:76:a5:c6:ca:98:
+ 22:6b:aa:93:82:fd:cf:6b:08:df:40:43:fc:03:1a:12:12:85:
+ 8e:dc:d2:06:80:cd:d9:ba:fd:f8:4e:3f:8a:99:46:db:df:67:
+ c2:67:b5:39:96:a5:71:12:be:03:f1:99:c0:b9:df:51:b5:37:
+ dd:a7:5a:75:32:a0:da:d7:09:83:1b:96:30:81:0e:b4:9d:10:
+ 81:cc:05:65:a8:e6:3f:2a:de:b5:d3:6e:d3:ed:4a:a0:e3:a2:
+ 56:ea:ef:3a
+-----BEGIN CERTIFICATE-----
+MIIDdjCCAl6gAwIBAgICEjcwDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMCQ0Ex
+EDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFDTUUxETAPBgNVBAMMCE15Um9v
+dENBMB4XDTIwMDExNzEyMTQwMFoXDTI0MDExNzEyMTQwMFowajELMAkGA1UEBhMC
+Q0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRvMQ0wCwYDVQQKDARhY21l
+MQwwCgYDVQQLDANhcnQxHzAdBgNVBAMMFmFsbG93ZWRfYnlfY2FAYWNtZS5vcmcw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCuQ8g71Qh8aW9Ilr2uz9mr
+9jpoZOb1VxRFQkDlxX+XbRNP0SYoFA0w5Z5VZ7g6fdiNtJ4H8GLklWNBuQQrU1GG
+RjYlb4JgdOCBc8POHHY+lzXagigizKxiItcNjThEwN4pyhW5EzmBBEsNcZ//HDZO
+LldUhYP09Kj5u/WlZrGaQKIaM16yNzGlc/v0Of7RUuzysfyEGscrmIHjYq5R5ltu
+xPn/wORkiDrBoiCVPHHG69rT3qpCmB/p2gb8+Q0jHIuuPu5suKyho9rJIY3ESCYj
+jkBEVdwL/LinDMhL9iF6Hlf/HM6n44rEJgKT8+hKRaU+Alsla/hYG84YPtpihjT/
+AgMBAAGjTzBNMDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9sb2NhbGhvc3Q6ODE4
+Ni9NeVJvb3RDQS5jcmwwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwDQYJKoZIhvcN
+AQENBQADggEBAMgoMdcRuuHqsBjsdGtmfdoxHyqixOivorqSVtl79P7hIFxcXj85
+MQqzpRnwYIbvmOvhxxodClHWJZsppHGd2tbPloIHyjhxYpNrsUSHSUIoZlM08fo+
+SEntKu1WsknLWwxGWWgt2ZVHxAz6V5PhC1LtdSr+qefno8hoevwUkouLNJQo8SN7
+LL0mSP6/buxxm0Po42RINq+ejr3lx7J2pcbKmCJrqpOC/c9rCN9AQ/wDGhIShY7c
+0gaAzdm6/fhOP4qZRtvfZ8JntTmWpXESvgPxmcC531G1N92nWnUyoNrXCYMbljCB
+DrSdEIHMBWWo5j8q3rXTbtPtSqDjolbq7zo=
+-----END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.csr b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.csr
new file mode 100644
index 0000000..f2a51e4
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.csr
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICrzCCAZcCAQAwajELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQH
+DAdUb3JvbnRvMQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxHzAdBgNVBAMM
+FmFsbG93ZWRfYnlfY2FAYWNtZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCuQ8g71Qh8aW9Ilr2uz9mr9jpoZOb1VxRFQkDlxX+XbRNP0SYoFA0w
+5Z5VZ7g6fdiNtJ4H8GLklWNBuQQrU1GGRjYlb4JgdOCBc8POHHY+lzXagigizKxi
+ItcNjThEwN4pyhW5EzmBBEsNcZ//HDZOLldUhYP09Kj5u/WlZrGaQKIaM16yNzGl
+c/v0Of7RUuzysfyEGscrmIHjYq5R5ltuxPn/wORkiDrBoiCVPHHG69rT3qpCmB/p
+2gb8+Q0jHIuuPu5suKyho9rJIY3ESCYjjkBEVdwL/LinDMhL9iF6Hlf/HM6n44rE
+JgKT8+hKRaU+Alsla/hYG84YPtpihjT/AgMBAAGgADANBgkqhkiG9w0BAQ0FAAOC
+AQEABftyaBKWipsliFRs8LYjFnKbGkc1vOJNHfr1Upa0JhxhEXXOr0fJ+q1moY6a
+9QdYOuZ3iM5M3B3L7aYM9wXSKkSyujRl/S2hDlaMuXVXHYvL+e6t1REe4lSCKZRV
+OfdpPWUCW35WhuE9M0h6hAnb+HLsxc3OPQo8KH4yQkSyh4aPj20X0WXp1QrvfpVL
+fzicwCaxJET8rcu3gduXqysD2IkHnbx4OX0JsqgDuVnjRRtL800UJ/YDJcuobUpp
+/euptiVCaO+q6W2l46GA2e6bQuCxv1+o5M4U2JH0Chldx2yTMnAgFtV+E1JtrzVS
+jObVTUz819aBFrzwL6OIcQEvUw==
+-----END CERTIFICATE REQUEST-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.jks b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.jks
new file mode 100644
index 0000000..dae314d
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.jks
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.self.crt
new file mode 100644
index 0000000..7129f68
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.self.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDtTCCAp2gAwIBAgIUA/JhLTYgfW18ejOVXRiPJdhGoFswDQYJKoZIhvcNAQEN
+BQAwajELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRv
+MQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxHzAdBgNVBAMMFmFsbG93ZWRf
+YnlfY2FAYWNtZS5vcmcwHhcNMjAwMTE3MTIxNDAwWhcNMjAwMjE2MTIxNDAwWjBq
+MQswCQYDVQQGEwJDQTELMAkGA1UECAwCT04xEDAOBgNVBAcMB1Rvcm9udG8xDTAL
+BgNVBAoMBGFjbWUxDDAKBgNVBAsMA2FydDEfMB0GA1UEAwwWYWxsb3dlZF9ieV9j
+YUBhY21lLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5DyDvV
+CHxpb0iWva7P2av2Omhk5vVXFEVCQOXFf5dtE0/RJigUDTDlnlVnuDp92I20ngfw
+YuSVY0G5BCtTUYZGNiVvgmB04IFzw84cdj6XNdqCKCLMrGIi1w2NOETA3inKFbkT
+OYEESw1xn/8cNk4uV1SFg/T0qPm79aVmsZpAohozXrI3MaVz+/Q5/tFS7PKx/IQa
+xyuYgeNirlHmW27E+f/A5GSIOsGiIJU8ccbr2tPeqkKYH+naBvz5DSMci64+7my4
+rKGj2skhjcRIJiOOQERV3Av8uKcMyEv2IXoeV/8czqfjisQmApPz6EpFpT4CWyVr
++Fgbzhg+2mKGNP8CAwEAAaNTMFEwHQYDVR0OBBYEFBqvhbkUgk3fCKONHHOGxRLU
+FefzMB8GA1UdIwQYMBaAFBqvhbkUgk3fCKONHHOGxRLUFefzMA8GA1UdEwEB/wQF
+MAMBAf8wDQYJKoZIhvcNAQENBQADggEBAEgQYqFZBnZ3PJN/LP/S9dR3PDYp2YkW
+n8DSwpj+cP+Gt4kPydRSKl5DdV+eYd6cZ4xF2P6/peZCKYgYZkmbEWIYD87C7J+T
+rpcT1M4u7ACk5QfwoGAZFbTqy6iK3yFqQ/V7YvTjLAx8wqICqrDoed8GTgJ1AmWE
+GCIz3D/8e/ml+Sp+MVRi4KNVfA6zK/e29oswmQxYXmMCXswwHuAmsDoXKS9PYvX7
+Ho035mFmR+yhBnPHX9deuAsTifiiw1TCczq1K4SPX6exXw38nZwLVHErYnaypqP0
+pJNqTIBGlr6K0tryTA83tQVAIJqL2fVlfNUKxuHPOVyGkJcGlCPxjKw=
+-----END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.self.key
new file mode 100644
index 0000000..c465086
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca.self.key
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIWa+PHUaIhGECAggA
+MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECEV7nV0bqTYVBIIEyNROaXQgS6RZ
+mSJcMeFAINaeZytR/Fq/vdlYE8qsnToVuySFqVft76Q1ZIs5ZsmwAPZxF6rAQZ9z
+9WsIVV7ZTZPCndP7R3/V1h11YGJpklu/wFDNPgkhJiP39A4gv99nWqdjPh3k6rJk
+5rshuHiVuPQ+lQxCJMnNNBzse1NAf7aCq3DONUAYrbxOPQODGAk9ilZtSirVNeCK
+8s9TwPi5vWaxkdgMkb8l+CtXKAYMIGXwslr4cs/02pOSSKMeSYn118aE05yRVI5a
+QrF6yk07huT94ZnVd7DS5sts1/igJk72mGc4zqAP7k2USYkvvzQ6/Lzt6jmdxlaV
+ovTnMpvrnS8Vt/27+XxH64cSC2of8a1N7nHKR/mjwzXwFfCqx36AAKNsnGpbX2vE
+PYgsMCAJrZY8DTgGnBKzJZTSbjfpeVDcWKrZtCIpcUCtHfzibwwo7FoFVi9f4Exq
+S+FkK1VX4JnWWxhNXKbUWWV24se/1NejY5op8TvunrT4xamV81v+Y3rAhORxZzZo
+QooLLY0EZVVGRA0qbg4TQZ87G4wxTKbeLv/vkJYt4+ElEkJZEm+f1U3OBKzBVC2h
+sA0bSo+vB7n322VMZQkGVXi3MCiJBlQYM2Dcp4+gC0GfkJhuNStp/QvfRIjjo+tR
++aP0/8dkdDaUSe7gUp+1du+bA4YhcdX06diHD0VZrFKOhfR9EJ4lGjlObCA/V6aA
+WGtinv/yglGv1ajX1/9PcKsbFh3uP9eDM2U1wGbkJIYbw9ttABS9IEGi2Gr7QcLh
+273v5H346t9aXOCk0D14qEe3fRZCHWYsFkIytSQy9iHFmn67XnROoAicKIktUtSK
+j5rnGz8NcY7lQNElcEdAcogd50vyBy8Xn/Y29vl8CcyP6Mh6WIgnF/QuJo0+A6lH
+T57lmQ7aQYQuqNk3TeSSpRU2ADY6OldxrUIarrhoV+K3CLNhoI/Ch/7jbPfv6Z2s
+IwfOr7uOsA1YoLYHuV4hn8X2EMOONpcH57zNnQdCDzMJO6E92ElpqmyKkos5uDe7
+dIVFEpQ/9oeLgc00izZtQjkiI6ar1Dk7jkqAUAELsPcw8pwklqVy90ku1wgUl4BQ
+TR/Sk+HqOj9epQfUOBWi0zz3F8kkOo6Y/1JtzMFp9xauInr4oFssJ0A+kRypLL4V
+LrPi59SgHwwNTacivYjoeT2UH2mTCc7MfS6z3czwn/Ds/c6WfKYxNA4WLlOTJV+v
+4Y4aE0a9GTlGIXYTyP+l7T40MaDhTLfnhqi74TBN8QQNnxcLLcVY9sUREdJHbDgQ
+o5GjffduqezL94D1ENLO2ekIspjgpsGnFp1Us9A53CeDdo/P0/OcLeNfUlun8yWm
+fKG7vwW/lQw3jc6G5xKTO70HR3V3VLWP297gdMMZBiD1byY6Sk52Xz9hShr7DoEg
+l5L0vkhK1MjGYfxmlL4j94XZ1VhE/xni/rDeq/mK+MjmJ68G1yBn6dv62py3g5Qk
+tnl6Rg2tho6M6IOr9KGJxkooqjj/ruyWqp+NePYqFq9hU0wwQ7kuJ6ASulkJRShD
+fcg59h1HkTkCpnPPA3fmkxdDy3umOW7maZnLVjf0Nmt0BOA+jg2V0KK83kuJCqlz
+cBTyMqk8rkW1zR2YuVr+TQ==
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.crt b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.crt
new file mode 100644
index 0000000..f884155
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.crt
@@ -0,0 +1,81 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 4666 (0x123a)
+ Signature Algorithm: sha512WithRSAEncryption
+ Issuer: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=intermediate_ca@acme.org
+ Validity
+ Not Before: Jan 17 12:14:01 2020 GMT
+ Not After : Jan 17 12:14:01 2024 GMT
+ Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=allowed_by_ca_with_intermediate@acme.org
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public-Key: (2048 bit)
+ Modulus:
+ 00:c9:ec:61:2e:56:70:b4:b4:32:52:6b:62:c6:cd:
+ 64:87:65:e1:71:3b:87:fb:eb:dd:77:98:8e:44:aa:
+ 6d:df:2d:22:78:0a:9a:54:87:bf:23:28:cd:9e:64:
+ fa:2d:40:ef:e3:09:37:be:12:65:aa:3f:4e:ef:2e:
+ 85:f1:19:42:00:79:51:95:a7:84:7a:9b:be:64:e3:
+ f8:96:a7:5c:7a:ec:4b:4d:89:28:b2:2c:4f:e2:77:
+ fd:26:48:84:07:63:db:e9:70:dc:aa:8e:74:05:23:
+ 89:db:9d:79:20:5a:83:bd:bb:a8:1e:1e:e8:38:8a:
+ c8:2e:19:5d:47:0f:ee:0c:7a:88:d7:15:62:60:73:
+ b0:cb:a7:a0:c2:89:0a:7e:33:89:67:f3:93:3c:d2:
+ 6b:90:f6:a6:6d:af:be:9d:38:2c:ae:b1:af:f0:23:
+ 19:3e:2c:90:a2:ad:77:8e:d6:40:e7:65:40:54:2f:
+ 5d:66:56:77:a1:71:47:13:d1:6d:d9:70:f9:14:c0:
+ b4:5d:5d:32:7f:a2:af:49:45:7b:7c:44:c8:39:53:
+ 61:0d:25:c7:1e:a0:a4:7d:d0:21:60:22:7f:ec:55:
+ 36:af:87:30:fc:27:c5:a1:34:2a:a7:2a:b1:a3:9d:
+ d8:18:88:d0:7e:53:49:2f:ea:6f:03:da:54:79:0c:
+ 26:e3
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 CRL Distribution Points:
+
+ Full Name:
+ URI:http://localhost:8186/intermediate_ca.crl
+
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 Key Usage:
+ Digital Signature, Non Repudiation, Key Encipherment
+ Signature Algorithm: sha512WithRSAEncryption
+ 17:7d:7c:c2:32:03:78:c5:76:87:37:54:38:c6:1f:f1:c6:05:
+ 96:48:fb:f1:ad:da:41:76:7b:d0:cb:ee:7b:5d:78:9d:a6:b3:
+ 75:32:85:37:91:d2:58:aa:a5:27:ac:71:4c:12:01:6c:14:19:
+ 23:52:09:b9:13:3d:17:4d:a2:b0:56:95:38:66:a7:39:f2:b8:
+ 78:50:2a:1d:12:63:46:1f:5e:d4:12:4b:f2:88:72:44:d9:43:
+ 29:da:80:a0:14:0e:dd:d3:69:f3:ad:05:0e:bb:5a:5b:f4:aa:
+ 06:5a:f5:8c:7f:78:ba:d3:50:e0:68:9f:11:b0:33:3c:f9:5c:
+ 22:cd:70:68:ba:8c:39:92:e3:c4:88:1f:85:79:b5:1c:94:e1:
+ 79:c9:56:4e:2c:1e:41:e8:fd:40:0e:61:46:dc:74:4b:f0:bf:
+ 6d:e7:c1:34:fa:6a:fc:51:72:c5:a4:46:e0:db:94:09:4d:14:
+ eb:88:41:bb:82:63:e2:8d:c8:f1:a3:69:49:1b:89:12:d7:f8:
+ c1:7e:cc:90:70:80:2e:9d:e7:69:7f:80:46:f9:af:a2:19:ba:
+ 02:40:1b:dc:b7:9f:ab:3e:06:b5:33:7b:61:57:8a:4a:b0:57:
+ 2b:77:50:13:11:78:5f:62:45:b9:9b:21:2c:28:9b:44:2b:ef:
+ 7f:e0:f4:18
+-----BEGIN CERTIFICATE-----
+MIIDujCCAqKgAwIBAgICEjowDQYJKoZIhvcNAQENBQAwbDELMAkGA1UEBhMCQ0Ex
+CzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRvMQ0wCwYDVQQKDARhY21lMQww
+CgYDVQQLDANhcnQxITAfBgNVBAMMGGludGVybWVkaWF0ZV9jYUBhY21lLm9yZzAe
+Fw0yMDAxMTcxMjE0MDFaFw0yNDAxMTcxMjE0MDFaMHwxCzAJBgNVBAYTAkNBMQsw
+CQYDVQQIDAJPTjEQMA4GA1UEBwwHVG9yb250bzENMAsGA1UECgwEYWNtZTEMMAoG
+A1UECwwDYXJ0MTEwLwYDVQQDDChhbGxvd2VkX2J5X2NhX3dpdGhfaW50ZXJtZWRp
+YXRlQGFjbWUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyexh
+LlZwtLQyUmtixs1kh2XhcTuH++vdd5iORKpt3y0ieAqaVIe/IyjNnmT6LUDv4wk3
+vhJlqj9O7y6F8RlCAHlRlaeEepu+ZOP4lqdceuxLTYkosixP4nf9JkiEB2Pb6XDc
+qo50BSOJ2515IFqDvbuoHh7oOIrILhldRw/uDHqI1xViYHOwy6egwokKfjOJZ/OT
+PNJrkPamba++nTgsrrGv8CMZPiyQoq13jtZA52VAVC9dZlZ3oXFHE9Ft2XD5FMC0
+XV0yf6KvSUV7fETIOVNhDSXHHqCkfdAhYCJ/7FU2r4cw/CfFoTQqpyqxo53YGIjQ
+flNJL+pvA9pUeQwm4wIDAQABo1YwVDA6BgNVHR8EMzAxMC+gLaArhilodHRwOi8v
+bG9jYWxob3N0OjgxODYvaW50ZXJtZWRpYXRlX2NhLmNybDAJBgNVHRMEAjAAMAsG
+A1UdDwQEAwIF4DANBgkqhkiG9w0BAQ0FAAOCAQEAF318wjIDeMV2hzdUOMYf8cYF
+lkj78a3aQXZ70Mvue114naazdTKFN5HSWKqlJ6xxTBIBbBQZI1IJuRM9F02isFaV
+OGanOfK4eFAqHRJjRh9e1BJL8ohyRNlDKdqAoBQO3dNp860FDrtaW/SqBlr1jH94
+utNQ4GifEbAzPPlcIs1waLqMOZLjxIgfhXm1HJTheclWTiweQej9QA5hRtx0S/C/
+befBNPpq/FFyxaRG4NuUCU0U64hBu4Jj4o3I8aNpSRuJEtf4wX7MkHCALp3naX+A
+Rvmvohm6AkAb3Lefqz4GtTN7YVeKSrBXK3dQExF4X2JFuZshLCibRCvvf+D0GA==
+-----END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.csr b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.csr
new file mode 100644
index 0000000..8ddce61
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.csr
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICwTCCAakCAQAwfDELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQH
+DAdUb3JvbnRvMQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxMTAvBgNVBAMM
+KGFsbG93ZWRfYnlfY2Ffd2l0aF9pbnRlcm1lZGlhdGVAYWNtZS5vcmcwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDJ7GEuVnC0tDJSa2LGzWSHZeFxO4f7
+6913mI5Eqm3fLSJ4CppUh78jKM2eZPotQO/jCTe+EmWqP07vLoXxGUIAeVGVp4R6
+m75k4/iWp1x67EtNiSiyLE/id/0mSIQHY9vpcNyqjnQFI4nbnXkgWoO9u6geHug4
+isguGV1HD+4MeojXFWJgc7DLp6DCiQp+M4ln85M80muQ9qZtr76dOCyusa/wIxk+
+LJCirXeO1kDnZUBUL11mVnehcUcT0W3ZcPkUwLRdXTJ/oq9JRXt8RMg5U2ENJcce
+oKR90CFgIn/sVTavhzD8J8WhNCqnKrGjndgYiNB+U0kv6m8D2lR5DCbjAgMBAAGg
+ADANBgkqhkiG9w0BAQ0FAAOCAQEAd3e3VVDF9/DEkkN2OblChD35ElxBO10cn9/h
+JdtcDLa6DRK/ke4wpA2GfXdyGTez/tsCaVFLC/D6toxPYYtqW60OqavVNwAB/pwY
+NpdU7b9MNP3m0Xl3Kecevj8l5y+2dqzQdccqpPZxagArbp6Q1Jq9IE/NTFrcJFOl
+3TUK5xlunjLUxc3z9wCInDWAJukLzjhWR4VLMyHSXnI9nrA71rkss0Jnp5CHPk16
+fal0DF35awqwThnHXjtHxxLpNutYdfQNLMc5ROzVPeJkRQ3M4N3nQLmm1Cya3z/B
+GfIKmFM17FRVnpV7UmuStRmvMWAceObm6onE4ZFEIVZKnZgCdw==
+-----END CERTIFICATE REQUEST-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.jks b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.jks
new file mode 100644
index 0000000..b4e40d8
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.jks
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.self.crt
new file mode 100644
index 0000000..e124e38
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.self.crt
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID2TCCAsGgAwIBAgIUNnlaQs0dlbECoaCEl6BoAMhbdRYwDQYJKoZIhvcNAQEN
+BQAwfDELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRv
+MQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxMTAvBgNVBAMMKGFsbG93ZWRf
+YnlfY2Ffd2l0aF9pbnRlcm1lZGlhdGVAYWNtZS5vcmcwHhcNMjAwMTE3MTIxNDAx
+WhcNMjAwMjE2MTIxNDAxWjB8MQswCQYDVQQGEwJDQTELMAkGA1UECAwCT04xEDAO
+BgNVBAcMB1Rvcm9udG8xDTALBgNVBAoMBGFjbWUxDDAKBgNVBAsMA2FydDExMC8G
+A1UEAwwoYWxsb3dlZF9ieV9jYV93aXRoX2ludGVybWVkaWF0ZUBhY21lLm9yZzCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMnsYS5WcLS0MlJrYsbNZIdl
+4XE7h/vr3XeYjkSqbd8tIngKmlSHvyMozZ5k+i1A7+MJN74SZao/Tu8uhfEZQgB5
+UZWnhHqbvmTj+JanXHrsS02JKLIsT+J3/SZIhAdj2+lw3KqOdAUjidudeSBag727
+qB4e6DiKyC4ZXUcP7gx6iNcVYmBzsMunoMKJCn4ziWfzkzzSa5D2pm2vvp04LK6x
+r/AjGT4skKKtd47WQOdlQFQvXWZWd6FxRxPRbdlw+RTAtF1dMn+ir0lFe3xEyDlT
+YQ0lxx6gpH3QIWAif+xVNq+HMPwnxaE0KqcqsaOd2BiI0H5TSS/qbwPaVHkMJuMC
+AwEAAaNTMFEwHQYDVR0OBBYEFPjCNnLHyR9AJfM6BRMuGgmFF3dPMB8GA1UdIwQY
+MBaAFPjCNnLHyR9AJfM6BRMuGgmFF3dPMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
+hvcNAQENBQADggEBAMZES6PIFa3+peqB18Af82We4bxIHDSMnpkU518Uf/cSwKLl
+LKdSGbIX2dr2uiqJuNQwrSbQwe0O24WBeuFnv8VWwjQrHPqX7et7LT3mBthaW3qP
+beRz0CHvYg09plniqWaaxZ0o+XDoG5/vs1rwSXhKdB89hBLBgdXWnIu05ISicj3Q
+wFv7Aad8s+29qd83ZTq3GPiAGAlHzBZoGfORxgw8Zkl5J8wpDY2IzHoFK65TltIg
+vEhmxsaY2q9ogDPU1g3vXOryobUcZXCk6Wmq7/AQ8Yb6pVOHU+B1GBWlDK+88RkI
+sejtPiVWiQixQbZsgjF0kzcXdW+v83vnK9C7Ehs=
+-----END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.self.key
new file mode 100644
index 0000000..9768e71
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/allowed_by_ca_with_intermediate.self.key
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIvh0cf2QI9TkCAggA
+MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECNBC7yqVSYFxBIIEyK44083ll8aW
+4B3wIWPEVbHexUgeHhPnyv8N89VB+sgl5ndKlm60/n83O2COdXEFrbUbyEaxEMII
+VvNVbY4G0BAbsY5qJfmiRNCKRc2OO4HRBI0dLrzcIYETtAtunmta3CbngRpSgNv2
+zPPGp06jEcrh285NGmL6+k4OkDkdOhLBIlSQadibNOWPpRSSmp93pjPUFSVdUarU
+2qZi1Xxd65iu8iNG00E9mYHvIesN2tGvWqH7+pAFWKLz2PxEMBjKS/wz0r2sqpAi
+u605tebtg2mKB16VpPLKHkGHjAJNehfBPAWpjrLLj+cdpAC6gU8hQZseZJRh4kr3
+DZvS6hSNPXKE6+mDosrj1CuyMOfOaqezgixY/3AihqGt/qgZXu5Fs4WepWPACDtH
+hHBPAc0DXFlC4E6B3Xb+HQWI0ADqI//sSip/UsDMpp5Z99EqA/0UgG6xNEcvyMJo
+/jHpSBeJZbKB+UXsPpwQQzMHzlqLZ0b0egB8U2Q383bNctNtWX5GOgs9WzHbrvXe
+Ia29s7kCima1r5JO+/fNzhRlgoENbxa31APNzdNfvHzvRRN7JGE1yS57aL8ZVXv5
+I+rg1ct71nIJ8SpfeP3fmib9NDw8QuwFZ1KfXuEp+Q2nHP7QGIpCbMJJqY7aAr0H
+m2KRUEQqrGv3XycU8VDveOPj2UR9JQANSZK5pwwcgL+jtEYo9AJxtnThePaPLi0f
+KNjkqd1/BictpdNu+o+jQS+REOVxqKR01XcjIsKe9b19qIBgxLwcaOMfaxulOe8e
+SOBUqsHOJmYxZ6IjeEVG2dGxDADdmFPBrfIQnAbRBEwgjSBMCP/h6elo0MRQ3LaX
+lmDmjCNlY1FHuSaAX5xWJ87Ui8y1Sx8vljOOYA6b2zoWoj8pmz7lZy4ChZaFb7sW
+WAE0O0e7DrwLvVfluVwRdQ6KcWBkILzVw+VLrQE1s8yAVc0mPtAyEpjaMpqlWpeE
+CngpUa1yaBcY17R/30aAYXGVxc2qoZBQuGkr4q2TQoElBk7ERyQ51a8TJ+bQ4DAp
+lLED5xLmED1F/TL8PaQhQuDVkaoIUPKwAnXjRWf11DImmuUm8ens9w9np0Na334P
+XcJ5zZq00FyXsUoYnuyvXulqRo+Sps67kcGjlK7t0cpvAaG5CbzEkJ3IcAzOcldA
+Nq1W/yd+RBdCqbcDUIFYWhdtJ6zDg0jTa8vUm/Pn8DZMQOB2tOn5TDvrT+4iy5Ng
+Y5xbvvWyXCWy4JdyoFoXjzXLChQA5YNd+P37UfJUT+R/l7GD84SiGdNtHsxP+Hnr
+KRDu4v0p32jKjY27U2GHRBVNPjR+GUgVcKa4WE84DAPfaJY2mep2gxhmYMg2YNR5
+/evAYC6AfVqrKahnXvAZ6cWLIAbdhOg+dbyj1KITuIZ7VUfpVrIeAx4/IBJ5nJbJ
+EC9/8uaswGXKqPdLM8sR9FEbq9r2WBVSuaVmMqwV7wcQwO+KBemeUPoeY/aEm6bj
+jD7AaMSFl67ouabm2pZdWz8as1qNImn0aR/3AW/Rusi/mVOweGd+WcC/GlIv5T0E
+eKnyOExk94ddyBqasKCewSPx0BV4ki1fX77yUbaDeJ4w8Ppw1dfJCc4VaQhJ5gNn
+uMU30mtTpiOBN9muNRrYCg==
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app1.crt b/qpid-test-utils/src/main/resources/ssl/certificates/app1.crt
new file mode 100644
index 0000000..867005d
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/app1.crt
@@ -0,0 +1,74 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 4660 (0x1234)
+ Signature Algorithm: sha512WithRSAEncryption
+ Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA
+ Validity
+ Not Before: Jan 17 12:13:51 2020 GMT
+ Not After : Jan 17 12:13:51 2024 GMT
+ Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=app1@acme.org
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public-Key: (2048 bit)
+ Modulus:
+ 00:d9:72:36:d1:3a:19:ce:4a:c0:58:95:21:1a:9f:
+ 90:e5:48:b9:06:e5:47:0c:8c:59:7d:45:9b:df:a7:
+ 5f:5d:42:e9:62:c6:95:d6:63:e2:03:ae:29:1c:3f:
+ a2:c5:89:32:72:b7:34:22:c8:fa:b5:c8:e4:59:47:
+ 3d:3c:4d:cf:c6:00:bd:76:69:d7:b7:a0:1f:4c:ea:
+ a3:fa:54:4d:cb:d8:c4:af:2c:57:5e:bf:c0:5a:a6:
+ 58:bb:4d:c5:46:41:e3:ec:c8:0e:f3:2c:28:ce:37:
+ 66:b9:7c:02:a1:7c:cd:95:16:96:b6:0d:9a:50:ed:
+ e7:a0:25:c7:88:59:bb:46:dc:9e:61:8c:46:5f:8e:
+ 6b:e4:ac:b2:4f:95:b2:b3:71:e5:5a:b9:2c:52:24:
+ 15:d8:57:98:aa:b5:17:2c:58:61:9f:cb:79:83:1d:
+ 2f:1f:73:37:b9:7a:ce:7d:f6:0c:74:26:24:fd:40:
+ 7e:a9:4d:69:21:30:8f:1d:5d:40:98:54:33:44:4c:
+ ae:14:f2:94:ab:d8:9f:93:9b:43:c4:12:96:0a:89:
+ 65:b7:de:37:0c:69:16:96:89:91:45:85:20:b3:50:
+ 44:89:29:ae:c9:8b:04:4b:a8:85:cd:6b:e6:7b:94:
+ 44:2b:02:ad:8e:42:c3:3a:41:2d:60:d4:13:0c:6a:
+ 47:73
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 Key Usage:
+ Digital Signature, Non Repudiation, Key Encipherment
+ Signature Algorithm: sha512WithRSAEncryption
+ 48:74:83:6d:ee:96:77:ec:05:03:0d:63:9f:a7:4b:61:f9:c2:
+ c7:06:3e:ca:5f:db:1d:2b:0f:d2:06:5d:13:e7:a6:9b:9c:28:
+ 9a:d9:7b:e2:70:00:6b:f1:7c:a3:ce:82:84:c8:a8:cf:15:0c:
+ b2:03:8e:ab:c1:47:4c:c4:d2:6e:2f:e6:f7:60:f1:f9:92:d2:
+ f7:a5:60:a3:86:6b:a5:3f:95:ba:25:7a:2f:5c:b3:b2:30:44:
+ c5:df:e4:fd:74:c0:44:f3:c6:43:a7:fd:06:ed:b9:ab:a5:fb:
+ ce:9b:f2:5e:64:52:bc:bf:88:df:ca:d4:d5:e2:07:e9:86:15:
+ ea:40:01:4f:6d:e4:ed:5b:25:dc:30:28:c5:e4:98:e3:ba:e5:
+ 90:7a:4c:b5:d4:7c:ee:31:4d:64:bf:e9:c7:94:bb:87:88:3d:
+ c5:e3:6c:ab:96:26:de:a9:a3:af:fa:ca:e0:04:e0:50:d1:a0:
+ 40:79:26:8a:8e:bd:cd:f8:8d:58:14:2f:cf:17:48:5c:62:14:
+ 02:c4:5f:61:18:1a:b3:6e:c4:a0:03:5d:33:00:5a:e7:09:74:
+ 25:c9:9d:4a:cf:d3:5d:fe:4a:33:06:d7:ab:37:02:4f:5e:f3:
+ 8e:82:cc:1a:5b:6e:99:b6:96:0e:b7:f9:d8:03:91:04:a6:f3:
+ 22:84:85:b9
+-----BEGIN CERTIFICATE-----
+MIIDODCCAiCgAwIBAgICEjQwDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMCQ0Ex
+EDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFDTUUxETAPBgNVBAMMCE15Um9v
+dENBMB4XDTIwMDExNzEyMTM1MVoXDTI0MDExNzEyMTM1MVowYTELMAkGA1UEBhMC
+Q0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRvMQ0wCwYDVQQKDARhY21l
+MQwwCgYDVQQLDANhcnQxFjAUBgNVBAMMDWFwcDFAYWNtZS5vcmcwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZcjbROhnOSsBYlSEan5DlSLkG5UcMjFl9
+RZvfp19dQulixpXWY+IDrikcP6LFiTJytzQiyPq1yORZRz08Tc/GAL12ade3oB9M
+6qP6VE3L2MSvLFdev8Bapli7TcVGQePsyA7zLCjON2a5fAKhfM2VFpa2DZpQ7eeg
+JceIWbtG3J5hjEZfjmvkrLJPlbKzceVauSxSJBXYV5iqtRcsWGGfy3mDHS8fcze5
+es599gx0JiT9QH6pTWkhMI8dXUCYVDNETK4U8pSr2J+Tm0PEEpYKiWW33jcMaRaW
+iZFFhSCzUESJKa7JiwRLqIXNa+Z7lEQrAq2OQsM6QS1g1BMMakdzAgMBAAGjGjAY
+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMA0GCSqGSIb3DQEBDQUAA4IBAQBIdINt
+7pZ37AUDDWOfp0th+cLHBj7KX9sdKw/SBl0T56abnCia2XvicABr8XyjzoKEyKjP
+FQyyA46rwUdMxNJuL+b3YPH5ktL3pWCjhmulP5W6JXovXLOyMETF3+T9dMBE88ZD
+p/0G7bmrpfvOm/JeZFK8v4jfytTV4gfphhXqQAFPbeTtWyXcMCjF5JjjuuWQeky1
+1HzuMU1kv+nHlLuHiD3F42yrlibeqaOv+srgBOBQ0aBAeSaKjr3N+I1YFC/PF0hc
+YhQCxF9hGBqzbsSgA10zAFrnCXQlyZ1Kz9Nd/kozBterNwJPXvOOgswaW26ZtpYO
+t/nYA5EEpvMihIW5
+-----END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app1.csr b/qpid-test-utils/src/main/resources/ssl/certificates/app1.csr
new file mode 100644
index 0000000..4fdf611
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/app1.csr
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICpjCCAY4CAQAwYTELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQH
+DAdUb3JvbnRvMQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxFjAUBgNVBAMM
+DWFwcDFAYWNtZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZ
+cjbROhnOSsBYlSEan5DlSLkG5UcMjFl9RZvfp19dQulixpXWY+IDrikcP6LFiTJy
+tzQiyPq1yORZRz08Tc/GAL12ade3oB9M6qP6VE3L2MSvLFdev8Bapli7TcVGQePs
+yA7zLCjON2a5fAKhfM2VFpa2DZpQ7eegJceIWbtG3J5hjEZfjmvkrLJPlbKzceVa
+uSxSJBXYV5iqtRcsWGGfy3mDHS8fcze5es599gx0JiT9QH6pTWkhMI8dXUCYVDNE
+TK4U8pSr2J+Tm0PEEpYKiWW33jcMaRaWiZFFhSCzUESJKa7JiwRLqIXNa+Z7lEQr
+Aq2OQsM6QS1g1BMMakdzAgMBAAGgADANBgkqhkiG9w0BAQ0FAAOCAQEAg+tk9HSB
+Gyf0fBAsiIO7+eMbZF0tlefffheB9PpqqiIs1/JodRTGqRVYLbtDCXH1TJwdUOvt
+7Gl/mvsatHtQdjnErBCdJP5y0xCzilv1hUIxWlq2yyu1hkXuPmRzqsUYKGMX0v45
+/U/ZpzMsBMtKi7wJIl66JCmXpYvT81ZVhQgVMhHzmiEpm/4KlTeeEWf7Jxj3UjRf
++9aO2OQuOPSpHr+G6uNqGTWRV7NydA810cjBb18NEg9/XIcJj4/2TarX0SyDzBGv
+r6+gQRbf22hcyaDmcgt9vlw8SFs7TYwNXy4ictWd8MHYxGHiPe9D+MhzkJUTrBma
+1zG8+NNJ0DygLw==
+-----END CERTIFICATE REQUEST-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app1.jks b/qpid-test-utils/src/main/resources/ssl/certificates/app1.jks
new file mode 100644
index 0000000..b421e69
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/app1.jks
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app1.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/app1.self.crt
new file mode 100644
index 0000000..63b33ae
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/app1.self.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDozCCAougAwIBAgIUYSaDt/eFmu0ZczpaY+2K7kJc4eEwDQYJKoZIhvcNAQEN
+BQAwYTELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRv
+MQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxFjAUBgNVBAMMDWFwcDFAYWNt
+ZS5vcmcwHhcNMjAwMTE3MTIxMzUxWhcNMjAwMjE2MTIxMzUxWjBhMQswCQYDVQQG
+EwJDQTELMAkGA1UECAwCT04xEDAOBgNVBAcMB1Rvcm9udG8xDTALBgNVBAoMBGFj
+bWUxDDAKBgNVBAsMA2FydDEWMBQGA1UEAwwNYXBwMUBhY21lLm9yZzCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBANlyNtE6Gc5KwFiVIRqfkOVIuQblRwyM
+WX1Fm9+nX11C6WLGldZj4gOuKRw/osWJMnK3NCLI+rXI5FlHPTxNz8YAvXZp17eg
+H0zqo/pUTcvYxK8sV16/wFqmWLtNxUZB4+zIDvMsKM43Zrl8AqF8zZUWlrYNmlDt
+56Alx4hZu0bcnmGMRl+Oa+Sssk+VsrNx5Vq5LFIkFdhXmKq1FyxYYZ/LeYMdLx9z
+N7l6zn32DHQmJP1AfqlNaSEwjx1dQJhUM0RMrhTylKvYn5ObQ8QSlgqJZbfeNwxp
+FpaJkUWFILNQRIkprsmLBEuohc1r5nuURCsCrY5CwzpBLWDUEwxqR3MCAwEAAaNT
+MFEwHQYDVR0OBBYEFDYEXqxKZ8d1O/lU0TTKZlwxBGPQMB8GA1UdIwQYMBaAFDYE
+XqxKZ8d1O/lU0TTKZlwxBGPQMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEN
+BQADggEBALif7Y38a6ReCr+T/ZinfDpBySzVSFQXIqtz//hevSnkTHeVDlVl3Hn9
+gySwZvZ1pppJJVa8e16ogi1ohZI/EigxL39LxTKF+KdPldM2CCTT9BXu1COacjwD
+nSvwoCHWy9i92H5IUL9OTh5fbpJ4Ju+pwKa/7/1B23azmQ/IPuAHe8/p16pLpcUF
+yYSX+h72gP2MKzKFojMwM4qV0UtJwAk9+F0697laptLuKqO8chAP5BJIRWf9H8nk
+RVXym7gWu5WOrzzqQwsKDQk++QypGrP+TF2CurPPgv2sr2p0SsNjmxvw6D06s/7Z
+PQPRnjhce4CF3krMgMp8Nhp2faQS8Ko=
+-----END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app1.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/app1.self.key
new file mode 100644
index 0000000..8fe81d7
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/app1.self.key
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIMs/xmAFq910CAggA
+MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECFQMuA97cPERBIIEyAdrCuP9AqXI
+BbH4JYW+D602QDOVO6xxi2FEhVyhd8k8ClQzSf0/G504i6uJu9WDYytjHYYqK5VR
+ZMIHBnjJQ2DDFRn0A0wrWutzAbN4eYgbCUoMqKOv+GoV6kc6KOXuEXfZIDgPVPGT
+qSD7gBX/UZMRHbs507Z88xHlKvT0bdHfMG0lRryJqKskT7ryx5baWT5uPJKlskx/
+e7xvwmyfLBGiyA2DohXtUZiD+I4/jVdYvf/Fv8+oA1XW8rwhVhFB/+GigOmMHoqG
+CF10bbnlwq2S9/LyuNfnVBGX3qGiWcV6n7gGz0G3dx0hgcGWGzsIsx225DaL2ncO
+4mQ/1y1aUb6xfXdsvI6awyGbqSrkp/55uQGJz91b0s4nPi6wnxQiGKx01WGdb0bO
+wgZJWKS2sfWjOfoBIUe8tuebKbMUH8aZ5eQH1Ltd3PHDaSjRGVLJNSLiTJYmvNvi
+qh+A6zzxtJDLfBRNV0llAliTWXA1R9b/FOZiVS+nTEZGzuhSRt5EWMooLVe9amLf
+NcughTy/WguIQ3YfIsqkBfbMMmGPAf+ZPx25MpLL03vOUP33kZnyWIO+NMDmmhbx
+oHyxdAcVYZOPv2wf5hsEULn3gLNtODBoeYMovlBTni7peYZisgtiwoJGijIHsCYH
+vTnrsZx7yysY02U4PRou6XYt4NWikmPQQO1Jc8IDmfnn6mh0tTJDWRtO2Q7MGvMk
+aZzwB2Im6/+HA78g5uI+gIoTeVyCXfwoMslnfmhfbb5k3V4NdJF/4nyJi1UlpDuY
+rpJxSjbM9vObUcPTV8yM8zk3cOXjClqmWvv7uOW160pYHTjIyGY+RSKoZ4Hw+USo
+igfkucH2EGiDljmRjmfS4qvTxT/4Vexqj7Rxnz7qQ1enOpVtGwM67eKFiY77VXIF
+Ubm+GraXpNdoe+IJOH8ZlH/9fQO2qsu+d3k/7Gd8yl1nlagzDQSf9lGcCAvzWAD0
+FlbPJWxsMV7uAFtwNsk33VGOmVGiat7+E4o2UXa3LMGz9xwj0N5nSwWsUdVpbWtx
+fim2PvcOmDex0ERPkD7I2gI0MF5YEGJ/UQwIeOOfnrgtI87W19yZMBH5CtyKIs4d
+cQLhQUsQpc9QUA0eplH41wDJeSPoLiP1/4drOd/t9tOBU9TQLcOk5SiuTlvL7SII
+gw1clk1LGhDkqbVTG1dDyNFlJ4yiqYJ9SfW1vCTAAQvpa0t1aVISVEDqyAxdgtyL
+710+Nta62J1U2ErX8cXVUA+C1IWSYvR19KIAMArDYEHc7g5nsuOQ2PBKNqYUkXv5
+hBH1L+eYjuvxyy/K2ZizhELaCoZ5PSd18B0FbO2mt2qTe8RHPMgN83iUXoIXpaDw
+67s9h2lrYUWNWjOsDv0r7e7l7TwiODNU9IojKBPmzWcIi4ghmsN15SsvWcVeqm26
+mRK/cs5tChLEtllmzuxzZJ1BRE7XbghuWk9y69mbTaEc0o3zjyJFWHNSNCjq/iKc
+HSIauh/LPnHiFJmRxWwlDqUt1hbjlVp+1nFmMMbHlPZkW9dA+4O7rjG5b+8eA1zw
+cp98RXTesA8Sg45+uwUHr2MlH88TQNenaxW0RsJJALl2zuqUt3VZIu122ccXcj3Q
+Z2GhZP3EKpwXmoQEeiTwFg==
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app2.crt b/qpid-test-utils/src/main/resources/ssl/certificates/app2.crt
new file mode 100644
index 0000000..564fd86
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/app2.crt
@@ -0,0 +1,74 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 4661 (0x1235)
+ Signature Algorithm: sha512WithRSAEncryption
+ Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA
+ Validity
+ Not Before: Jan 17 12:13:52 2020 GMT
+ Not After : Jan 17 12:13:52 2024 GMT
+ Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=app2@acme.org
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public-Key: (2048 bit)
+ Modulus:
+ 00:b7:16:85:6e:de:f5:77:42:63:ec:72:b8:e3:a9:
+ 2f:b3:34:1a:68:5b:39:1b:74:8d:52:08:42:2f:a7:
+ 30:84:10:96:7c:83:13:52:f3:ef:47:23:8e:25:4f:
+ 32:2f:b8:1d:55:ec:fb:fb:95:75:9a:b5:04:83:67:
+ 7b:58:0a:29:71:c7:2d:ee:9c:44:02:90:62:dc:1e:
+ e4:d4:9e:c9:ac:3b:3e:74:cb:97:9f:c0:1b:ff:75:
+ 36:9b:4c:db:da:3f:eb:40:6e:f8:1c:a9:01:54:02:
+ f9:2f:1c:59:51:61:84:51:68:b0:64:2c:11:0c:2b:
+ 08:22:9f:c1:00:06:36:15:02:bb:ad:9c:3b:b8:93:
+ 15:59:cd:d7:62:80:9f:20:a4:a2:7d:46:a5:00:98:
+ 16:20:48:49:be:08:d7:b2:9d:cf:40:3b:e2:a0:2d:
+ be:bb:3d:e1:2b:cc:e4:f8:29:f0:a8:5b:cc:18:35:
+ f7:13:a8:2e:16:32:65:35:94:73:7e:34:a3:97:65:
+ 53:42:41:85:73:eb:36:8f:88:fc:4e:2d:79:ac:12:
+ df:60:fc:49:d9:71:3f:88:f3:b4:21:66:4e:34:91:
+ 6e:ca:5f:93:81:c6:f6:b8:b0:55:fd:73:bb:3f:4b:
+ d3:2a:a9:d9:57:88:d1:4b:14:10:1e:d3:eb:fb:0c:
+ b9:d3
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 Key Usage:
+ Digital Signature, Non Repudiation, Key Encipherment
+ Signature Algorithm: sha512WithRSAEncryption
+ f0:b6:a8:e1:86:fd:b9:2c:1b:72:d1:0f:8c:10:97:d0:15:e5:
+ cd:aa:4a:c0:71:fd:3d:48:fc:ca:d9:1e:53:06:c2:7f:a6:f8:
+ 57:02:c3:7c:a9:1b:7c:17:d6:2e:48:50:8a:6b:ff:90:2e:19:
+ 03:c7:b7:31:27:04:ce:8c:e0:2d:43:6d:ca:d6:bd:b3:c9:ea:
+ 66:6e:48:d8:ca:1c:ca:ee:2c:41:58:40:08:55:0e:4c:38:4d:
+ f6:16:14:fd:78:30:c6:73:88:cd:ba:ce:5d:25:df:cf:79:45:
+ d7:b8:51:b9:c6:9d:db:8a:82:35:ac:09:ee:2e:73:7e:86:8d:
+ 23:d0:39:16:40:5e:10:4b:ba:d9:63:18:b3:40:43:19:35:49:
+ 5d:7b:55:0a:9e:3a:f3:ae:33:0e:9b:4f:d1:07:16:33:32:d7:
+ 4f:c2:43:35:31:4d:e6:39:f2:8a:12:fa:6b:ab:4b:dc:aa:18:
+ cb:db:df:b5:9f:58:ff:54:bc:de:af:c9:55:04:6a:60:47:68:
+ 4d:18:15:51:2b:87:c3:aa:d9:86:f0:2d:42:ea:23:f8:30:59:
+ c7:4f:5d:84:e9:b0:5c:35:a6:63:c4:e0:66:c7:d8:fa:2c:17:
+ 50:af:59:a9:38:9a:d8:3b:53:e6:3e:ea:bd:c0:51:d3:e3:fd:
+ 9d:3b:94:51
+-----BEGIN CERTIFICATE-----
+MIIDODCCAiCgAwIBAgICEjUwDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMCQ0Ex
+EDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFDTUUxETAPBgNVBAMMCE15Um9v
+dENBMB4XDTIwMDExNzEyMTM1MloXDTI0MDExNzEyMTM1MlowYTELMAkGA1UEBhMC
+Q0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRvMQ0wCwYDVQQKDARhY21l
+MQwwCgYDVQQLDANhcnQxFjAUBgNVBAMMDWFwcDJAYWNtZS5vcmcwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3FoVu3vV3QmPscrjjqS+zNBpoWzkbdI1S
+CEIvpzCEEJZ8gxNS8+9HI44lTzIvuB1V7Pv7lXWatQSDZ3tYCilxxy3unEQCkGLc
+HuTUnsmsOz50y5efwBv/dTabTNvaP+tAbvgcqQFUAvkvHFlRYYRRaLBkLBEMKwgi
+n8EABjYVArutnDu4kxVZzddigJ8gpKJ9RqUAmBYgSEm+CNeync9AO+KgLb67PeEr
+zOT4KfCoW8wYNfcTqC4WMmU1lHN+NKOXZVNCQYVz6zaPiPxOLXmsEt9g/EnZcT+I
+87QhZk40kW7KX5OBxva4sFX9c7s/S9MqqdlXiNFLFBAe0+v7DLnTAgMBAAGjGjAY
+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMA0GCSqGSIb3DQEBDQUAA4IBAQDwtqjh
+hv25LBty0Q+MEJfQFeXNqkrAcf09SPzK2R5TBsJ/pvhXAsN8qRt8F9YuSFCKa/+Q
+LhkDx7cxJwTOjOAtQ23K1r2zyepmbkjYyhzK7ixBWEAIVQ5MOE32FhT9eDDGc4jN
+us5dJd/PeUXXuFG5xp3bioI1rAnuLnN+ho0j0DkWQF4QS7rZYxizQEMZNUlde1UK
+njrzrjMOm0/RBxYzMtdPwkM1MU3mOfKKEvprq0vcqhjL29+1n1j/VLzer8lVBGpg
+R2hNGBVRK4fDqtmG8C1C6iP4MFnHT12E6bBcNaZjxOBmx9j6LBdQr1mpOJrYO1Pm
+Puq9wFHT4/2dO5RR
+-----END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app2.csr b/qpid-test-utils/src/main/resources/ssl/certificates/app2.csr
new file mode 100644
index 0000000..d97b9ff
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/app2.csr
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICpjCCAY4CAQAwYTELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQH
+DAdUb3JvbnRvMQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxFjAUBgNVBAMM
+DWFwcDJAYWNtZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3
+FoVu3vV3QmPscrjjqS+zNBpoWzkbdI1SCEIvpzCEEJZ8gxNS8+9HI44lTzIvuB1V
+7Pv7lXWatQSDZ3tYCilxxy3unEQCkGLcHuTUnsmsOz50y5efwBv/dTabTNvaP+tA
+bvgcqQFUAvkvHFlRYYRRaLBkLBEMKwgin8EABjYVArutnDu4kxVZzddigJ8gpKJ9
+RqUAmBYgSEm+CNeync9AO+KgLb67PeErzOT4KfCoW8wYNfcTqC4WMmU1lHN+NKOX
+ZVNCQYVz6zaPiPxOLXmsEt9g/EnZcT+I87QhZk40kW7KX5OBxva4sFX9c7s/S9Mq
+qdlXiNFLFBAe0+v7DLnTAgMBAAGgADANBgkqhkiG9w0BAQ0FAAOCAQEAYykrDIFO
+fbRXKcoh07aCAkW2KBX1L+wkCDWBQO2NQH0uvRducLHLQTF7EYjTUQ2WbOXDJLCT
+1NbtANvxU5xNJsforHGTZCGvQqMSMMlwe8mr82ttCMcQwGkmpq8FlGsD+3JpYZPI
+Yb20yvmXk2jIvCK44axyMgHUgHMdoT6BrX5YFC993gjfKu3CpEEIMuFidulM/vEY
+WiNhnlBBpHN3ijrWn8BVc81VI6jP0z23nKMYgayaGIZ7GQOI3Rmk/WIowU68D+Ac
+X4AhDZaofAGejybD2yABPE07/2IPHEXotWgKSHwDJCLU6VpUX3MePqLwDjA8tW8y
+jfmnHdB1vIy8NQ==
+-----END CERTIFICATE REQUEST-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app2.jks b/qpid-test-utils/src/main/resources/ssl/certificates/app2.jks
new file mode 100644
index 0000000..56d2a8a
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/app2.jks
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app2.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/app2.self.crt
new file mode 100644
index 0000000..c472d16
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/app2.self.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDozCCAougAwIBAgIULw9lb2weHwTmE11idVFtoGtBm+YwDQYJKoZIhvcNAQEN
+BQAwYTELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRv
+MQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxFjAUBgNVBAMMDWFwcDJAYWNt
+ZS5vcmcwHhcNMjAwMTE3MTIxMzUyWhcNMjAwMjE2MTIxMzUyWjBhMQswCQYDVQQG
+EwJDQTELMAkGA1UECAwCT04xEDAOBgNVBAcMB1Rvcm9udG8xDTALBgNVBAoMBGFj
+bWUxDDAKBgNVBAsMA2FydDEWMBQGA1UEAwwNYXBwMkBhY21lLm9yZzCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBALcWhW7e9XdCY+xyuOOpL7M0GmhbORt0
+jVIIQi+nMIQQlnyDE1Lz70cjjiVPMi+4HVXs+/uVdZq1BINne1gKKXHHLe6cRAKQ
+Ytwe5NSeyaw7PnTLl5/AG/91NptM29o/60Bu+BypAVQC+S8cWVFhhFFosGQsEQwr
+CCKfwQAGNhUCu62cO7iTFVnN12KAnyCkon1GpQCYFiBISb4I17Kdz0A74qAtvrs9
+4SvM5Pgp8KhbzBg19xOoLhYyZTWUc340o5dlU0JBhXPrNo+I/E4teawS32D8Sdlx
+P4jztCFmTjSRbspfk4HG9riwVf1zuz9L0yqp2VeI0UsUEB7T6/sMudMCAwEAAaNT
+MFEwHQYDVR0OBBYEFGRnSSgAdfPDfjACvy7JWsifafjeMB8GA1UdIwQYMBaAFGRn
+SSgAdfPDfjACvy7JWsifafjeMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEN
+BQADggEBADAWS3rkEAo9y3hsXRMy9nfEx0LIRzMILeRSCc87QlUKKxYGph9AQ0QJ
+JWljYjM0Dg11ByrNVBODL7E62MX3hWKxYRPv44J6jQgbg9pBINdxFR1MwvtRSYtz
+069YduP0Ws8FVB35U8dvSFOgOBWhXCh5QTPznkAmopPr/QQxcjQnPWWpmadjNc3x
+EBDwoHyigne+zBcUVQiaKgN2YbvTbB7WzEidHWrPOcXv7JH/PbZNfwGrG4SJLH92
+uvgBwyOi/dwplcTAfDE+PuRDLOBAyht30XCwpWHjG2HINx0N2esvG8g/v5J3USRo
+jU0wSLthobqjv6/mJkIAfdbkPSrY9p0=
+-----END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/app2.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/app2.self.key
new file mode 100644
index 0000000..64544a9
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/app2.self.key
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIEndyItP4BKwCAggA
+MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECBjmbsUCrUCTBIIEyDtTeDzGARWT
+w5X6wVjcwmvf/Vw2cczX8MUBWNkIHGSNTDHv6IlFxYA6SXCMy12OpaJiHr6CGp9A
+juyBn6C8AsKHxSgoMrImSt5RGRCQSSkq9bCpPGQR7/l6X+Z5yVG9XJYRxK6vXIG4
+mfkcIq2E5sV89v79aISvotXvTeVUfd++6CPahzpf6zZ6rKLp7AWIcZF5qQG+5Gdk
+1q5iOCcZtT04LQsAcEJCM8GQoXNDNTHwDvWi9DZ+yry0kTn0Lz8QMXOhVqf8gJKa
+/vded9cixbXk5QNQgFswZOSeEB7hWpT88VLoKl6VJOCGPERtyUMhwal/IvMX98Ad
+LDUBGd13WjP3EA3yAOI/W4V3TPJVJZD4xKgqhU+gnohfl1XU+evOu5+HxbDczAp1
+QyN0ni325c/jgXfcihN9AZrAviMz4GZLj55uTSmtCUaug8CCwRu5uxdmmA4BJCl1
+iFJmZzZIvqw5R9BIsu63/xHZYiYAvNDdIvBmJqPz2ka+vSWbGRT1bqkrpos/6LtU
+griby3OtfvyvNbWokQymDBHVxYZokio26UIrc4Z2IUsS0354J+GyOiZ0oFe1DfTs
+1taEQGgTWsfJpRs+xNjaImhPN5AJZRKLgzsOqXLZofYiv/Rexq1AaZTGMzr6xt3Y
+QL0+q7KJ3DBAQxkST4ARo6bVNb9MPgOjXDpvvjJOfbuwR1jlgSHBFM4OBEEI5xV3
+avurI3pE+GnXY+lJCeuSwATnxeUJoHzcUn6QmdkB8Li20ovzXJs8PgBq/dD2rG4d
+tkMUnwsd0dwmYaDVstM9awkP1+EvzZ2O3wiHzqE2jE1bRNIj+8bKSWxSCrF9tGi1
+YCDLCGk0BTaNCaaIFFxNTxgE81GsrgqQvfLCsUljF04Lbj/ZvzcLdW82FkFSjUBa
+Z7sXwq8NOJsGjVp8Akwf4Z702PZVnj/lV25PLj53ayRcvnO2PLkLdwdVLJyFt6ES
+CelAz1d2ejww1NKj+ipJuQ9Yun1d+21HBLQGYCnST/rzet+JcuQMw0QIQBvVioLZ
+KS1V/yi/u5Rvos7x3RQyIJITY4HP9tvTKftdIW3M5nEkMNuHHAcZUrv83YJkzt1T
+1Sd/qVOupGHA/DYvUVPn0v48XxRjWF/jpf1Jdd4EeuYIYRmZH0I3wRvuc0qyT6nV
+CxoART7gzaLeWYLx67gaSguojYbCzWRnBSBAq/Wy2fcHMKZ7DywMWJwn0dqofeuM
+ZABB2jWKGuHLrM3wfzcGJLIlaHG0RESn8ThqwMODRaqTgxQP0y4E2CabDSeco6fK
+g8InlTKlHxB6u2AcDpPTeBh9om7AXvs7iT0rWrhEU7FxCr7NjAHaQBMmltS4uv9q
+wNZ0uqg++s5wIr9dzkBNjEJvk89HKtkLwYQgie9OdbaQEz0xV3S06ChvaH0nXtQu
++/K4Gw2yR8mLA3TCHSlNe/q5daRNhjXzmX2erK5u8UsZFU6Ln6M+kvbYvtlG6rSR
+N7njPcUwCa+juvP8LxQEJUE3OgWeLM/0S2LiJz69XnCHz886VAoMETIs7sgfI0lP
+I2qgD/sB7eFgsPPstZyIf41PVssf+03vZ8lCLUqnZuDLLZO/l//CDRdBWIZvJ8pk
+pRdP0ZJdSqZryf9eSBfnRQ==
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker.crt b/qpid-test-utils/src/main/resources/ssl/certificates/broker.crt
new file mode 100644
index 0000000..ca6dc2f
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/broker.crt
@@ -0,0 +1,74 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 4662 (0x1236)
+ Signature Algorithm: sha512WithRSAEncryption
+ Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA
+ Validity
+ Not Before: Jan 17 12:13:57 2020 GMT
+ Not After : Jan 17 12:13:57 2024 GMT
+ Subject: C=CA, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=localhost
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public-Key: (2048 bit)
+ Modulus:
+ 00:d2:28:a5:31:6e:85:97:8a:39:c0:8a:21:ab:bf:
+ cf:93:39:03:cb:63:6b:f3:47:6d:3f:50:24:06:bb:
+ 3d:25:14:cc:b2:d3:50:62:1a:71:18:5a:98:97:8f:
+ fa:45:70:ca:b8:98:9c:60:78:03:c8:a7:2a:b2:d7:
+ 53:e3:b2:71:52:b0:7a:0f:12:42:63:a7:2f:d9:c0:
+ bc:50:da:5b:3c:52:ac:bf:fa:6e:c4:80:f7:b7:e2:
+ e9:53:53:55:95:24:72:de:63:2f:59:dd:8e:8a:13:
+ 11:17:44:03:41:c0:95:f9:8b:dc:05:e9:1e:ab:3b:
+ 72:e8:b1:5c:c0:0a:ed:c9:11:6e:30:79:65:71:e8:
+ 3d:2c:c0:0a:5c:dc:92:22:1b:f7:06:2e:f4:7d:1f:
+ ea:c5:a5:57:91:1d:f2:f6:44:f1:bd:25:f2:1d:fe:
+ a0:68:d1:38:7e:5f:0a:5d:37:47:f9:ca:9b:c0:0c:
+ a9:ae:7f:e4:0b:cd:85:e5:8b:91:6e:35:74:f7:6b:
+ 04:a3:10:67:1c:fd:bf:c2:1c:2a:dc:a7:04:93:98:
+ 48:03:cc:8f:fc:d7:65:8c:d1:9f:07:63:0b:04:86:
+ 01:d7:37:c7:a2:6d:4e:04:cb:a0:2f:ea:23:2a:59:
+ ff:f0:b7:16:fc:fb:56:9c:4a:2f:e2:8b:3f:ad:25:
+ 53:19
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 Key Usage:
+ Digital Signature, Non Repudiation, Key Encipherment
+ Signature Algorithm: sha512WithRSAEncryption
+ dc:c9:fd:ca:91:81:b8:18:33:c5:bb:0d:f0:cf:88:ba:92:21:
+ 73:1f:9d:bb:98:9b:e6:09:fd:92:ff:c2:58:23:01:97:a4:09:
+ 8b:d7:63:b6:63:f4:fd:96:f7:ef:5a:f3:be:15:92:72:15:2c:
+ 7c:e7:d5:e1:13:cc:70:19:87:c5:c9:13:83:7c:28:ad:02:16:
+ 11:6a:ab:b6:80:41:ca:6e:5b:89:48:42:27:74:e3:44:a1:51:
+ 3b:f3:e0:b9:11:45:75:f8:d1:eb:9a:1d:04:7c:e1:26:be:55:
+ b5:98:d5:0b:38:24:67:78:3e:f0:52:5a:2c:72:77:02:0a:78:
+ f5:73:24:26:73:c6:1a:62:8c:e1:5d:61:71:40:e7:1f:de:f6:
+ 39:a4:c5:84:c8:b6:d8:2f:b1:1d:19:bf:25:75:9f:1f:a9:7d:
+ 09:52:80:dc:6c:8a:40:d9:cc:cb:99:db:e8:85:6b:dc:49:fd:
+ 68:2e:71:d1:a8:ad:10:cb:28:1a:cd:04:c6:63:cf:11:30:18:
+ 7c:4f:71:f3:70:84:ed:8d:e8:b8:2e:df:b2:a3:7d:68:64:28:
+ 26:5c:1f:ec:1e:db:90:09:7f:40:cd:55:bd:1b:27:bd:34:6f:
+ 82:9b:a9:83:fb:0a:67:66:50:32:5d:c6:06:82:cc:83:35:22:
+ ee:88:7d:b8
+-----BEGIN CERTIFICATE-----
+MIIDQDCCAiigAwIBAgICEjYwDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMCQ0Ex
+EDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFDTUUxETAPBgNVBAMMCE15Um9v
+dENBMB4XDTIwMDExNzEyMTM1N1oXDTI0MDExNzEyMTM1N1owaTELMAkGA1UEBhMC
+Q0ExEDAOBgNVBAgMB1Vua25vd24xEDAOBgNVBAcMB1Vua25vd24xEDAOBgNVBAoM
+B1Vua25vd24xEDAOBgNVBAsMB1Vua25vd24xEjAQBgNVBAMMCWxvY2FsaG9zdDCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANIopTFuhZeKOcCKIau/z5M5
+A8tja/NHbT9QJAa7PSUUzLLTUGIacRhamJeP+kVwyriYnGB4A8inKrLXU+OycVKw
+eg8SQmOnL9nAvFDaWzxSrL/6bsSA97fi6VNTVZUkct5jL1ndjooTERdEA0HAlfmL
+3AXpHqs7cuixXMAK7ckRbjB5ZXHoPSzAClzckiIb9wYu9H0f6sWlV5Ed8vZE8b0l
+8h3+oGjROH5fCl03R/nKm8AMqa5/5AvNheWLkW41dPdrBKMQZxz9v8IcKtynBJOY
+SAPMj/zXZYzRnwdjCwSGAdc3x6JtTgTLoC/qIypZ//C3Fvz7VpxKL+KLP60lUxkC
+AwEAAaMaMBgwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwDQYJKoZIhvcNAQENBQAD
+ggEBANzJ/cqRgbgYM8W7DfDPiLqSIXMfnbuYm+YJ/ZL/wlgjAZekCYvXY7Zj9P2W
+9+9a874VknIVLHzn1eETzHAZh8XJE4N8KK0CFhFqq7aAQcpuW4lIQid040ShUTvz
+4LkRRXX40euaHQR84Sa+VbWY1Qs4JGd4PvBSWixydwIKePVzJCZzxhpijOFdYXFA
+5x/e9jmkxYTIttgvsR0ZvyV1nx+pfQlSgNxsikDZzMuZ2+iFa9xJ/WgucdGorRDL
+KBrNBMZjzxEwGHxPcfNwhO2N6Lgu37KjfWhkKCZcH+we25AJf0DNVb0bJ700b4Kb
+qYP7CmdmUDJdxgaCzIM1Iu6Ifbg=
+-----END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker.csr b/qpid-test-utils/src/main/resources/ssl/certificates/broker.csr
new file mode 100644
index 0000000..d459aab
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/broker.csr
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICrjCCAZYCAQAwaTELMAkGA1UEBhMCQ0ExEDAOBgNVBAgMB1Vua25vd24xEDAO
+BgNVBAcMB1Vua25vd24xEDAOBgNVBAoMB1Vua25vd24xEDAOBgNVBAsMB1Vua25v
+d24xEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBANIopTFuhZeKOcCKIau/z5M5A8tja/NHbT9QJAa7PSUUzLLTUGIacRha
+mJeP+kVwyriYnGB4A8inKrLXU+OycVKweg8SQmOnL9nAvFDaWzxSrL/6bsSA97fi
+6VNTVZUkct5jL1ndjooTERdEA0HAlfmL3AXpHqs7cuixXMAK7ckRbjB5ZXHoPSzA
+ClzckiIb9wYu9H0f6sWlV5Ed8vZE8b0l8h3+oGjROH5fCl03R/nKm8AMqa5/5AvN
+heWLkW41dPdrBKMQZxz9v8IcKtynBJOYSAPMj/zXZYzRnwdjCwSGAdc3x6JtTgTL
+oC/qIypZ//C3Fvz7VpxKL+KLP60lUxkCAwEAAaAAMA0GCSqGSIb3DQEBDQUAA4IB
+AQCteBfB/t9udR7E2RYZHdSICnrrXC7oOcMbNXv/eq2FtHV5XnqglvGsyzzHkE2/
+aGqZUvyOJqrA+m2QCg0Qtq6WvDV10Qbaebr921tQMlVQxeLd/AkGBZOC0Z9Wi+ne
+r/9ODUm/MBp3PbiKOdEhb3gXIsa+CqSHl6qaCtwIcGtY2UW/jr078H0eTML0rh6C
++BW275y6ApXSiSS5IKrCd6Dfto7Vh0ZakCIOmz3cCM3+VGTn0cXF6mFDyu7bA6gw
+8QdBET9nzbyrwfnH/vSVh5YxNHIj+A1NZlphHyJslYaW4lg2GAbGsdqAK1dW11Ph
+OGI7Qjr59HrsFYjFRr4+42Se
+-----END CERTIFICATE REQUEST-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker.jks b/qpid-test-utils/src/main/resources/ssl/certificates/broker.jks
new file mode 100644
index 0000000..af8d5d2
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/broker.jks
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/broker.self.crt
new file mode 100644
index 0000000..03db86e
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/broker.self.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDszCCApugAwIBAgIUOJtin1zcTHJQCk3RtZJyDaL0O+QwDQYJKoZIhvcNAQEL
+BQAwaTELMAkGA1UEBhMCQ0ExEDAOBgNVBAgMB1Vua25vd24xEDAOBgNVBAcMB1Vu
+a25vd24xEDAOBgNVBAoMB1Vua25vd24xEDAOBgNVBAsMB1Vua25vd24xEjAQBgNV
+BAMMCWxvY2FsaG9zdDAeFw0yMDAxMTcxMjEzNTdaFw0yMDAyMTYxMjEzNTdaMGkx
+CzAJBgNVBAYTAkNBMRAwDgYDVQQIDAdVbmtub3duMRAwDgYDVQQHDAdVbmtub3du
+MRAwDgYDVQQKDAdVbmtub3duMRAwDgYDVQQLDAdVbmtub3duMRIwEAYDVQQDDAls
+b2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSKKUxboWX
+ijnAiiGrv8+TOQPLY2vzR20/UCQGuz0lFMyy01BiGnEYWpiXj/pFcMq4mJxgeAPI
+pyqy11PjsnFSsHoPEkJjpy/ZwLxQ2ls8Uqy/+m7EgPe34ulTU1WVJHLeYy9Z3Y6K
+ExEXRANBwJX5i9wF6R6rO3LosVzACu3JEW4weWVx6D0swApc3JIiG/cGLvR9H+rF
+pVeRHfL2RPG9JfId/qBo0Th+XwpdN0f5ypvADKmuf+QLzYXli5FuNXT3awSjEGcc
+/b/CHCrcpwSTmEgDzI/812WM0Z8HYwsEhgHXN8eibU4Ey6Av6iMqWf/wtxb8+1ac
+Si/iiz+tJVMZAgMBAAGjUzBRMB0GA1UdDgQWBBR++4fRzlzZ2FNRkZ4QomvvNKVS
+ITAfBgNVHSMEGDAWgBR++4fRzlzZ2FNRkZ4QomvvNKVSITAPBgNVHRMBAf8EBTAD
+AQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAb0ajrigWwT+KZwq2vfuZX8Xt4XQGclH8E
+PoNgT3johckZMmTYUccCPN/+qWbNigmOWpo8VKHAAAqHU+RoGG4/eVdd6Il4Q10b
+wgHVY1JA3LOmDmjGEV6kVNOiIuCEhoiN5YLG9THUY9a/SJj+MGMsKpmdDUmmX02b
+9PHOgc6pAwCm3/hO/XyUjQZxuaB7aDUpaL+pA//6lEVk/n5PzG8IAi33Cp9AEMlZ
++6/eCb/eMZ4yoR5cQNi+l6l3ifONEDe6uJ+Wk7ahSbKTi5Maoddt5BER2jmRCDbr
+yNfRBcK2iMHVtTPMI3P9OOmudEYSFOJOdRUZpmGmAuTeuCganQjb
+-----END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/broker.self.key
new file mode 100644
index 0000000..5ccb683
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/broker.self.key
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIuBQNMa898kwCAggA
+MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECCeLmeQ7xDnuBIIEyMsJVjaLP/XS
+nEhHrGp0Xr0AkP0ZhqN8ZUPoaL8RQCXe14tYY4LjB3NANSxCLO8i6yKyvlG6KZyK
+e5vyqlH4q41AUG5lo4Q3fDFNMP0ilgKusFE06ju1UhKf4TiElO6xxhq+ZuOsunME
+y2akyYz4khl6YrqQl6vDIN0/WYFprbh0iT66WCwe8/Bc0JBCn053pwWiqUNJXoXn
+EXytxqTYVP2H/H87M/I0vrweu5rZyxnk3HvBoJbyBrJTsZn4VFS+cIC2E4YADjD7
+qfq7iIyv94/EdqvJmQH5XttfZ/7amj+XvxLOoYtyuOOagSWrlDJm6vATSJd7G1mj
+soxHdd5hGZ4lpvFFrXjWR35PeBUUqihfkZ1cnGs4TRJZL3T+bvYdcfAEA3oxdSLh
+QKwbsY3j/LJRqGHIAzE4z82F/nEltHTHohwYKDE0D5nn58wqhD1IImHmd2uQu6SJ
+kGmHLlzbZiFz4mvqk1Tk63zoeKwioQgXj0OA2KJSV7Oz5nPB4O+/5jfu7jiL31Hh
+FEleRvTfBslTwnF6NSR74uVGSQt/CsWDOR/Ok70oSa2Ddy8Lty9e4LXSmhNGqaf1
+fFAt1E35ZQrZ5TIMjwlU2AgOS8znhMBLuAfZdCPogSbmPYMAI5b7yYwPih/2qywc
+Qxq9SBdqGditdyTliBYPpmJrx8lrhcO6aXjFVuUH5X5NGXs+xiY2V6ppFdlVepXa
+c5WfZzLqYrNdGp5nd8n831/7m1LS9zqXSgb3uz3axppIgT94BSamlyBLPv2xKVaZ
+wxZlh5rtgV9Udl2ocFyOUnXBLRapMEje57e44ShcoLr8F1S7Yi5q7gCg7eqfnrm2
+AOqJ3ZpYnDPRvo3PyW1mg6q/k/RF6BEdXcb8lM+KhGBRwufC8ym12RKwjcI8EK5w
+OB5LxjpH6we5RpVdTPnpJl0TvBEqh2LiWMpshHoK7NWCtr7vNI4KAn4nu01uofwC
+lEYFdr57I+0SawADff/ENRNqXgMsAbPvwFsaoq9cLZc71ugu4vrD+drkPrwO9eXR
+ailGVJfdgp6UqreLuVvDuQIQNr3Qagj0ujWw10usrBK9qdtpN60Eeuhch2l4ajLh
+WjwzJrRZ6g1bC5hH9U94XW0mJ7f/6BMzdGKDoBQ7zbxLSrsc/oTpTFaki5ICW9Mv
+WhF9yRCVS0Gcxu+sOZcvjZsVqGV5zqSRtWnjURMDddX79XGPEvAOSubsYjOhK49U
+78R/m/4FfrRQl4pTuTCGYUqDnLXPTxWMJJ5vEDrWTx26cGrBTsiBg7/gbn5CqSAA
+l0vDfpFNCJ9vyHoeEhEc8aBRz9hklHCDm1wIWXfwYnsE4L3V2qp/0WKvj9NHXE5C
+6FWYzr33ImsqEuavLXsFer2ZVF/Y38f8HNj9z5hg77YTbZNCg5jHYfMPunEGikCo
+B5jwen7DSt6zZOH91dncir8XcgGOXY0XocE6aalDGit01lFDPFPNc0aGsyA2m6Be
+4CNxVbfNkHZBtY8A4Q+Invij7vVUG0Afc7vDc595JsJ4m0sHmkQ3xLJVfhV8APXD
+pQXbv9o0HDPjb45irIex8WMitj/lU60FuSMjDd0DElA18ImR+4tBPWjXvxZeRkgd
+k/8a1P4XOl42rFaN1YOWhw==
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker_expired_truststore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/broker_expired_truststore.jks
new file mode 100644
index 0000000..077274a
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/broker_expired_truststore.jks
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/broker_keystore.jks
new file mode 100644
index 0000000..e789738
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/broker_keystore.jks
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker_peerstore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/broker_peerstore.jks
new file mode 100644
index 0000000..b306a9f
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/broker_peerstore.jks
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/broker_truststore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/broker_truststore.jks
new file mode 100644
index 0000000..2bc0f4f
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/broker_truststore.jks
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/chain_with_intermediate.crt b/qpid-test-utils/src/main/resources/ssl/certificates/chain_with_intermediate.crt
new file mode 100644
index 0000000..f9dd3e3
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/chain_with_intermediate.crt
@@ -0,0 +1,105 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 4665 (0x1239)
+ Signature Algorithm: sha512WithRSAEncryption
+ Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA
+ Validity
+ Not Before: Jan 17 12:14:01 2020 GMT
+ Not After : Jan 17 12:14:01 2024 GMT
+ Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=intermediate_ca@acme.org
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public-Key: (2048 bit)
+ Modulus:
+ 00:cd:1b:03:cd:bb:56:19:11:47:00:bd:f2:60:d8:
+ 31:34:9e:06:cf:9c:1e:59:27:c1:99:c0:73:b3:14:
+ 90:09:c5:8b:3c:fa:27:5f:54:fb:0a:0c:49:1c:f4:
+ 6f:7e:82:8b:c9:d8:a3:6b:a3:9b:0d:f4:4c:ec:95:
+ 47:f1:55:d7:a3:e3:61:0f:dd:32:07:cf:d9:ed:01:
+ 58:aa:4f:d8:be:0a:18:cd:08:f6:6c:ee:5b:20:9c:
+ fe:55:97:08:99:52:86:2c:d0:6e:5a:db:6d:14:17:
+ 87:e4:e0:d9:ec:9d:22:7c:04:89:d4:5f:b4:fd:73:
+ 9f:82:29:92:97:30:c7:9c:73:d1:a2:8b:0a:02:39:
+ 02:7e:c2:c6:c7:05:1d:16:97:e7:40:54:8b:cb:33:
+ 44:41:b0:44:5b:64:c6:21:8e:89:75:1d:c2:84:a0:
+ 90:48:c6:9b:ab:36:b5:06:cc:c4:48:d6:64:c6:af:
+ f8:c1:40:ee:10:18:6a:20:ca:ca:d9:11:78:8f:56:
+ 50:8c:04:01:28:a4:da:f4:d4:d1:50:03:47:3f:9b:
+ b5:5b:e6:25:9f:85:4d:2b:b6:ad:21:4d:97:d2:53:
+ 00:bf:51:63:c2:4d:aa:49:04:81:ab:b5:97:c6:bf:
+ 82:02:94:ef:04:b7:bd:43:50:26:cc:53:eb:ab:75:
+ d4:0b
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 CRL Distribution Points:
+
+ Full Name:
+ URI:http://localhost:8186/MyRootCA.crl
+
+ X509v3 Subject Key Identifier:
+ FF:6A:19:05:FF:1A:9B:17:7C:72:5F:9F:8C:42:B0:15:DC:6F:D4:E2
+ X509v3 Authority Key Identifier:
+ keyid:D8:34:F2:4C:A5:AC:01:A4:3B:54:66:AA:F7:DB:C3:C1:F2:BF:E6:CC
+
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ Signature Algorithm: sha512WithRSAEncryption
+ 4a:7b:89:b1:f3:db:79:bf:c6:2d:6c:82:f3:3c:4e:33:ca:72:
+ a8:5c:68:a8:f5:09:81:03:07:90:c1:dc:29:06:17:c4:f4:b7:
+ cb:7b:65:2f:68:23:68:ce:b6:f6:96:2e:6d:84:35:6a:9f:e4:
+ c2:46:50:81:df:e5:cc:fb:2e:73:6b:83:2d:41:9f:92:14:32:
+ d5:52:60:32:13:02:3e:c3:35:0b:fa:58:c2:3b:4a:17:a5:87:
+ c8:ca:ba:c6:11:94:9c:1a:d5:d9:23:22:62:0d:a6:19:b4:54:
+ cb:0f:a4:a4:d0:24:a3:bc:3c:7d:af:e7:cb:45:22:ac:b8:f4:
+ b7:f2:64:09:1a:27:b7:ab:1a:26:3b:f1:b2:8a:5f:36:21:a2:
+ 30:9d:ed:8a:3b:7a:2b:ab:97:99:aa:d0:7d:b6:85:46:11:d2:
+ d7:5b:ba:64:6b:b1:27:85:55:10:be:44:bf:4b:80:75:ff:cf:
+ 7a:6b:65:86:4f:50:40:7c:38:e4:3a:3b:9d:1d:be:79:31:5e:
+ b5:30:ae:b2:2c:bb:de:a0:ae:f1:90:d3:69:f9:d8:3a:82:d4:
+ 71:aa:92:0f:f1:33:60:2b:3c:76:e5:08:4c:e5:32:23:45:97:
+ 68:aa:11:92:88:48:02:bf:e2:59:8d:67:91:a8:8c:b0:3f:ed:
+ 15:cc:57:ee
+-----BEGIN CERTIFICATE-----
+MIIDszCCApugAwIBAgICEjkwDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMCQ0Ex
+EDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFDTUUxETAPBgNVBAMMCE15Um9v
+dENBMB4XDTIwMDExNzEyMTQwMVoXDTI0MDExNzEyMTQwMVowbDELMAkGA1UEBhMC
+Q0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRvMQ0wCwYDVQQKDARhY21l
+MQwwCgYDVQQLDANhcnQxITAfBgNVBAMMGGludGVybWVkaWF0ZV9jYUBhY21lLm9y
+ZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM0bA827VhkRRwC98mDY
+MTSeBs+cHlknwZnAc7MUkAnFizz6J19U+woMSRz0b36Ci8nYo2ujmw30TOyVR/FV
+16PjYQ/dMgfP2e0BWKpP2L4KGM0I9mzuWyCc/lWXCJlShizQblrbbRQXh+Tg2eyd
+InwEidRftP1zn4Ipkpcwx5xz0aKLCgI5An7CxscFHRaX50BUi8szREGwRFtkxiGO
+iXUdwoSgkEjGm6s2tQbMxEjWZMav+MFA7hAYaiDKytkReI9WUIwEASik2vTU0VAD
+Rz+btVvmJZ+FTSu2rSFNl9JTAL9RY8JNqkkEgau1l8a/ggKU7wS3vUNQJsxT66t1
+1AsCAwEAAaOBiTCBhjAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vbG9jYWxob3N0
+OjgxODYvTXlSb290Q0EuY3JsMB0GA1UdDgQWBBT/ahkF/xqbF3xyX5+MQrAV3G/U
+4jAfBgNVHSMEGDAWgBTYNPJMpawBpDtUZqr328PB8r/mzDAPBgNVHRMBAf8EBTAD
+AQH/MA0GCSqGSIb3DQEBDQUAA4IBAQBKe4mx89t5v8YtbILzPE4zynKoXGio9QmB
+AweQwdwpBhfE9LfLe2UvaCNozrb2li5thDVqn+TCRlCB3+XM+y5za4MtQZ+SFDLV
+UmAyEwI+wzUL+ljCO0oXpYfIyrrGEZScGtXZIyJiDaYZtFTLD6Sk0CSjvDx9r+fL
+RSKsuPS38mQJGie3qxomO/Gyil82IaIwne2KO3orq5eZqtB9toVGEdLXW7pka7En
+hVUQvkS/S4B1/896a2WGT1BAfDjkOjudHb55MV61MK6yLLveoK7xkNNp+dg6gtRx
+qpIP8TNgKzx25QhM5TIjRZdoqhGSiEgCv+JZjWeRqIywP+0VzFfu
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDYzCCAkugAwIBAgIUAzgWkwkl4wOLx+GiJZVnG3I2cNEwDQYJKoZIhvcNAQEN
+BQAwQTELMAkGA1UEBhMCQ0ExEDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFD
+TUUxETAPBgNVBAMMCE15Um9vdENBMB4XDTIwMDExNzEyMTM0OVoXDTI0MDExNzEy
+MTM0OVowQTELMAkGA1UEBhMCQ0ExEDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoM
+BEFDTUUxETAPBgNVBAMMCE15Um9vdENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEA+CXc5ld4yp+N6ns0HA8aPI2AUDPcbhs558F713/amq6KzueuVBJ4
+UBMdFqGI2Ul2RbEJuy/qxYqTDqtPNMorzLgK47NrDnZ0cdE/DlavSyCQmNoE0Ksr
+XBTbIk0uEKKObJSYiW+8ise6cc+5Q83woG5OzUj6E/uX/TFYsSbsaLaG74HY8ajI
+bHDEPOnRlqWV/Z8ADvjpplxXuAXyhA7YYMA/WlXAp3knLFEZTJduVeH+U9gn3lif
+9zjUxuaNBioTJcnHnbanc3z2q5CvTbzhlUjOuWJ28dJ+QHr60bw4EEwM+akavU+O
+9GK2Dh2oqLAOJ/z11I5F6LX7NEOprpt0owIDAQABo1MwUTAdBgNVHQ4EFgQU2DTy
+TKWsAaQ7VGaq99vDwfK/5swwHwYDVR0jBBgwFoAU2DTyTKWsAaQ7VGaq99vDwfK/
+5swwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAQEA8p51vGg8YT6y
+Aiyeps/ggms5/vkuH3AdI2OqC1RbIIx2Duia1EiH+Vxw0I1B7jJ9tZOsZfJVLmcr
+qlToReTTceGSRt22JvV7vpB/mn7y1z5Pz9Inw/eWTC32frzzLdayGv3/EhArsu+B
+eW6EemnXN4UxRc4rkCcYqz3WJJ/NollBwzqhpmFqo0sArZ7CSkz9+2U6sayZsxA3
+zT+4aj6vIp6Yv/USgX86VrdO1sBhJKlosEOlJqyorpjutv4fl4hR04/yU+Kw/sdG
+9ZA5Q9zrV0ooZ+635K1Z4Xr2rCH/38ltUZnFWD7D0w/z+QhonxXdnwbudtedSybo
+VPvWVRUaVA==
+-----END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/client_expired.crt b/qpid-test-utils/src/main/resources/ssl/certificates/client_expired.crt
new file mode 100644
index 0000000..7bc29f1
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/client_expired.crt
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICvzCCAaegAwIBAgIETVtknTANBgkqhkiG9w0BAQ0FADAQMQ4wDAYDVQQDEwVV
+U0VSMTAeFw0xMDAxMDExMTAwMDBaFw0xNDAxMDExMTAwMDBaMBAxDjAMBgNVBAMT
+BVVTRVIxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmNDDbMbSISBF
+2ztm8e3Gp02s0rW8pjG7sEYKLMgkXNVRMX6nOFQ1Tuj6yuBk/qlBuSyYigfTPjNx
+qjz0pxLXPbFQfzaTzLQx+AIx1JRhdpHxY//M7vfIJaLOj7MvngWvjFX6MwwKlvkG
+z/H6+R4S3QE852XkUQvvxMVa7kHuUdzDUx7ARhsUME28/XzsJldEGiuPJZYLPpdg
+GAvJPO47+gr9zUWksL4fjXgYV2lZiAWcb1WcL6/zssBLnseRkQe/g+b7q0tT0FAX
+rqCfVaVZSRntrLu4AK88JUWfQkEKDRux2XZ5cAYofelZiiIikRBubuHlhlt0bqwo
+AJiAh4ANowIDAQABoyEwHzAdBgNVHQ4EFgQUTHUNeU67sKZ+bWeh521ZpK/wzckw
+DQYJKoZIhvcNAQENBQADggEBAIs6DQA+3v8L+TdVEHlk8eTOUo46Z0e9fpQgSfLb
+0aM/gpdq1ZBxP/RkDouSvZpDBxZnWZNo8I9/cQ2tc7K8rWv4lyq6tDbSgIuRIBk8
+v50ujPMPiKSeTdJXTVi1f2TAsYwnG4cSxDBF0Gu7qXEckRtktDs6uHC0D1Rzcirr
+3gANGDk/S3yS6vumooRKZ22AOiBp6uE0awa1jTZAyLvC+LY47XKfFUTf/9+E0umz
+3a3sIzET20YSf8xrK6kFBIrqAM7sF3303+nHsfx12BIA19tUjlHKBTbCCrL1u2GL
+gD0wA9jYPAhbtKSh8GbZtNhDhJxfopwhIuFFSfcKbO8OeUY=
+-----END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/client_expired_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/client_expired_keystore.jks
new file mode 100644
index 0000000..a3c29eb
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/client_expired_keystore.jks
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/client_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/client_keystore.jks
new file mode 100644
index 0000000..1d21f01
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/client_keystore.jks
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/client_truststore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/client_truststore.jks
new file mode 100644
index 0000000..51593d6
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/client_truststore.jks
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/client_untrusted_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/client_untrusted_keystore.jks
new file mode 100644
index 0000000..b788861
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/client_untrusted_keystore.jks
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crl b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crl
new file mode 100644
index 0000000..d32bdf9
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crl
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crl.pem b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crl.pem
new file mode 100644
index 0000000..ded7194
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crl.pem
@@ -0,0 +1,12 @@
+-----BEGIN X509 CRL-----
+MIIBxjCBrwIBATANBgkqhkiG9w0BAQsFADBsMQswCQYDVQQGEwJDQTELMAkGA1UE
+CAwCT04xEDAOBgNVBAcMB1Rvcm9udG8xDTALBgNVBAoMBGFjbWUxDDAKBgNVBAsM
+A2FydDEhMB8GA1UEAwwYaW50ZXJtZWRpYXRlX2NhQGFjbWUub3JnFw0yMDAxMTcx
+MjE0MDFaFw0yMDAyMTYxMjE0MDFaoA8wDTALBgNVHRQEBAICEjQwDQYJKoZIhvcN
+AQELBQADggEBAI31QLg89gCYaB3yGaPAJG45ENz4L6sKf8X7H6sZfnnEECIfMDeF
+Wuu5ummkvSKyHVDj5m5FT9W6mKj8JkXUfGS64ssR361BixlBfmsVj5y3upXmuEta
+x03Ewqp888NaZyxK749J+1pfo5XOq0OUTe0+J1gTrS+JSWO3194MohtqkOQ11FHc
+9nDqZo49Bi+gqvulu+t1uPfM7i2RHgVl3e+gMc7XuguC1obGyuSoFSCW3IcqjuOt
+d1xTz/p/Cx3TqlMFI0uGzXzl11jLu/CDHtMvax5YJ65lV1wK86z6tpENR3Din4X1
+tHZMxga+hGrJikOeu/WZrw2cC1hx9OZU4Fw=
+-----END X509 CRL-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crt b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crt
new file mode 100644
index 0000000..19d97a9
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.crt
@@ -0,0 +1,84 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 4665 (0x1239)
+ Signature Algorithm: sha512WithRSAEncryption
+ Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA
+ Validity
+ Not Before: Jan 17 12:14:01 2020 GMT
+ Not After : Jan 17 12:14:01 2024 GMT
+ Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=intermediate_ca@acme.org
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public-Key: (2048 bit)
+ Modulus:
+ 00:cd:1b:03:cd:bb:56:19:11:47:00:bd:f2:60:d8:
+ 31:34:9e:06:cf:9c:1e:59:27:c1:99:c0:73:b3:14:
+ 90:09:c5:8b:3c:fa:27:5f:54:fb:0a:0c:49:1c:f4:
+ 6f:7e:82:8b:c9:d8:a3:6b:a3:9b:0d:f4:4c:ec:95:
+ 47:f1:55:d7:a3:e3:61:0f:dd:32:07:cf:d9:ed:01:
+ 58:aa:4f:d8:be:0a:18:cd:08:f6:6c:ee:5b:20:9c:
+ fe:55:97:08:99:52:86:2c:d0:6e:5a:db:6d:14:17:
+ 87:e4:e0:d9:ec:9d:22:7c:04:89:d4:5f:b4:fd:73:
+ 9f:82:29:92:97:30:c7:9c:73:d1:a2:8b:0a:02:39:
+ 02:7e:c2:c6:c7:05:1d:16:97:e7:40:54:8b:cb:33:
+ 44:41:b0:44:5b:64:c6:21:8e:89:75:1d:c2:84:a0:
+ 90:48:c6:9b:ab:36:b5:06:cc:c4:48:d6:64:c6:af:
+ f8:c1:40:ee:10:18:6a:20:ca:ca:d9:11:78:8f:56:
+ 50:8c:04:01:28:a4:da:f4:d4:d1:50:03:47:3f:9b:
+ b5:5b:e6:25:9f:85:4d:2b:b6:ad:21:4d:97:d2:53:
+ 00:bf:51:63:c2:4d:aa:49:04:81:ab:b5:97:c6:bf:
+ 82:02:94:ef:04:b7:bd:43:50:26:cc:53:eb:ab:75:
+ d4:0b
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 CRL Distribution Points:
+
+ Full Name:
+ URI:http://localhost:8186/MyRootCA.crl
+
+ X509v3 Subject Key Identifier:
+ FF:6A:19:05:FF:1A:9B:17:7C:72:5F:9F:8C:42:B0:15:DC:6F:D4:E2
+ X509v3 Authority Key Identifier:
+ keyid:D8:34:F2:4C:A5:AC:01:A4:3B:54:66:AA:F7:DB:C3:C1:F2:BF:E6:CC
+
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ Signature Algorithm: sha512WithRSAEncryption
+ 4a:7b:89:b1:f3:db:79:bf:c6:2d:6c:82:f3:3c:4e:33:ca:72:
+ a8:5c:68:a8:f5:09:81:03:07:90:c1:dc:29:06:17:c4:f4:b7:
+ cb:7b:65:2f:68:23:68:ce:b6:f6:96:2e:6d:84:35:6a:9f:e4:
+ c2:46:50:81:df:e5:cc:fb:2e:73:6b:83:2d:41:9f:92:14:32:
+ d5:52:60:32:13:02:3e:c3:35:0b:fa:58:c2:3b:4a:17:a5:87:
+ c8:ca:ba:c6:11:94:9c:1a:d5:d9:23:22:62:0d:a6:19:b4:54:
+ cb:0f:a4:a4:d0:24:a3:bc:3c:7d:af:e7:cb:45:22:ac:b8:f4:
+ b7:f2:64:09:1a:27:b7:ab:1a:26:3b:f1:b2:8a:5f:36:21:a2:
+ 30:9d:ed:8a:3b:7a:2b:ab:97:99:aa:d0:7d:b6:85:46:11:d2:
+ d7:5b:ba:64:6b:b1:27:85:55:10:be:44:bf:4b:80:75:ff:cf:
+ 7a:6b:65:86:4f:50:40:7c:38:e4:3a:3b:9d:1d:be:79:31:5e:
+ b5:30:ae:b2:2c:bb:de:a0:ae:f1:90:d3:69:f9:d8:3a:82:d4:
+ 71:aa:92:0f:f1:33:60:2b:3c:76:e5:08:4c:e5:32:23:45:97:
+ 68:aa:11:92:88:48:02:bf:e2:59:8d:67:91:a8:8c:b0:3f:ed:
+ 15:cc:57:ee
+-----BEGIN CERTIFICATE-----
+MIIDszCCApugAwIBAgICEjkwDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMCQ0Ex
+EDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFDTUUxETAPBgNVBAMMCE15Um9v
+dENBMB4XDTIwMDExNzEyMTQwMVoXDTI0MDExNzEyMTQwMVowbDELMAkGA1UEBhMC
+Q0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRvMQ0wCwYDVQQKDARhY21l
+MQwwCgYDVQQLDANhcnQxITAfBgNVBAMMGGludGVybWVkaWF0ZV9jYUBhY21lLm9y
+ZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM0bA827VhkRRwC98mDY
+MTSeBs+cHlknwZnAc7MUkAnFizz6J19U+woMSRz0b36Ci8nYo2ujmw30TOyVR/FV
+16PjYQ/dMgfP2e0BWKpP2L4KGM0I9mzuWyCc/lWXCJlShizQblrbbRQXh+Tg2eyd
+InwEidRftP1zn4Ipkpcwx5xz0aKLCgI5An7CxscFHRaX50BUi8szREGwRFtkxiGO
+iXUdwoSgkEjGm6s2tQbMxEjWZMav+MFA7hAYaiDKytkReI9WUIwEASik2vTU0VAD
+Rz+btVvmJZ+FTSu2rSFNl9JTAL9RY8JNqkkEgau1l8a/ggKU7wS3vUNQJsxT66t1
+1AsCAwEAAaOBiTCBhjAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vbG9jYWxob3N0
+OjgxODYvTXlSb290Q0EuY3JsMB0GA1UdDgQWBBT/ahkF/xqbF3xyX5+MQrAV3G/U
+4jAfBgNVHSMEGDAWgBTYNPJMpawBpDtUZqr328PB8r/mzDAPBgNVHRMBAf8EBTAD
+AQH/MA0GCSqGSIb3DQEBDQUAA4IBAQBKe4mx89t5v8YtbILzPE4zynKoXGio9QmB
+AweQwdwpBhfE9LfLe2UvaCNozrb2li5thDVqn+TCRlCB3+XM+y5za4MtQZ+SFDLV
+UmAyEwI+wzUL+ljCO0oXpYfIyrrGEZScGtXZIyJiDaYZtFTLD6Sk0CSjvDx9r+fL
+RSKsuPS38mQJGie3qxomO/Gyil82IaIwne2KO3orq5eZqtB9toVGEdLXW7pka7En
+hVUQvkS/S4B1/896a2WGT1BAfDjkOjudHb55MV61MK6yLLveoK7xkNNp+dg6gtRx
+qpIP8TNgKzx25QhM5TIjRZdoqhGSiEgCv+JZjWeRqIywP+0VzFfu
+-----END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.csr b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.csr
new file mode 100644
index 0000000..31d625f
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.csr
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICsTCCAZkCAQAwbDELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQH
+DAdUb3JvbnRvMQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxITAfBgNVBAMM
+GGludGVybWVkaWF0ZV9jYUBhY21lLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAM0bA827VhkRRwC98mDYMTSeBs+cHlknwZnAc7MUkAnFizz6J19U
++woMSRz0b36Ci8nYo2ujmw30TOyVR/FV16PjYQ/dMgfP2e0BWKpP2L4KGM0I9mzu
+WyCc/lWXCJlShizQblrbbRQXh+Tg2eydInwEidRftP1zn4Ipkpcwx5xz0aKLCgI5
+An7CxscFHRaX50BUi8szREGwRFtkxiGOiXUdwoSgkEjGm6s2tQbMxEjWZMav+MFA
+7hAYaiDKytkReI9WUIwEASik2vTU0VADRz+btVvmJZ+FTSu2rSFNl9JTAL9RY8JN
+qkkEgau1l8a/ggKU7wS3vUNQJsxT66t11AsCAwEAAaAAMA0GCSqGSIb3DQEBDQUA
+A4IBAQDE2KIYrHiujyjWAJAWkJFwaxjeM0MojdOmdzpTEwwcWIWhSvDIGylAIjs+
+s/xZidCBLlmH5Fu4G/P/ZmAe/PSRULn5RNh+Vr/2rvBwrO6o1tr/iqN+Iu9D9gpD
+xsVqy03M3Dda/4hJ1fd14Nvw/3ipQCX0ODKQQnCEN6YDDMII7NNHhThJ9JXtmsDK
+aCWM5s6V1VcEHmsOaghuuEe0CSLNyIoKGqm/Go/sZ6beXiq6lzPOSW+Ugvb1j+yd
+Kb89oZy871V7c8BQJgYAZNm81TFpwS4XEa7tO12hxrEndMdKqjW5S2E7TVQPcTud
+1T3W7szSBmOf3sPFToLx3oOky0a9
+-----END CERTIFICATE REQUEST-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.jks b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.jks
new file mode 100644
index 0000000..251089d
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.jks
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.self.crt
new file mode 100644
index 0000000..d4d1fad
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.self.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDuTCCAqGgAwIBAgIUU+PWvuydNdPTMUerarnvKb2eT74wDQYJKoZIhvcNAQEN
+BQAwbDELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRv
+MQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxITAfBgNVBAMMGGludGVybWVk
+aWF0ZV9jYUBhY21lLm9yZzAeFw0yMDAxMTcxMjE0MDFaFw0yMDAyMTYxMjE0MDFa
+MGwxCzAJBgNVBAYTAkNBMQswCQYDVQQIDAJPTjEQMA4GA1UEBwwHVG9yb250bzEN
+MAsGA1UECgwEYWNtZTEMMAoGA1UECwwDYXJ0MSEwHwYDVQQDDBhpbnRlcm1lZGlh
+dGVfY2FAYWNtZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDN
+GwPNu1YZEUcAvfJg2DE0ngbPnB5ZJ8GZwHOzFJAJxYs8+idfVPsKDEkc9G9+govJ
+2KNro5sN9EzslUfxVdej42EP3TIHz9ntAViqT9i+ChjNCPZs7lsgnP5VlwiZUoYs
+0G5a220UF4fk4NnsnSJ8BInUX7T9c5+CKZKXMMecc9GiiwoCOQJ+wsbHBR0Wl+dA
+VIvLM0RBsERbZMYhjol1HcKEoJBIxpurNrUGzMRI1mTGr/jBQO4QGGogysrZEXiP
+VlCMBAEopNr01NFQA0c/m7Vb5iWfhU0rtq0hTZfSUwC/UWPCTapJBIGrtZfGv4IC
+lO8Et71DUCbMU+urddQLAgMBAAGjUzBRMB0GA1UdDgQWBBT/ahkF/xqbF3xyX5+M
+QrAV3G/U4jAfBgNVHSMEGDAWgBT/ahkF/xqbF3xyX5+MQrAV3G/U4jAPBgNVHRMB
+Af8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4IBAQBNx3DvYk5rFFz7gtRSMpINJuoI
+thCEsFT43at08M98PrFHmZvfvdxwsIO0aJYVsTnEf4tqjXKQ6c3+eV9u3aWKuJYs
+PHJ4oxLlVwWWZLP/QC5SknscQlu5b6lhje328qKSYFzi8EE75FpG7sehvymNQhLS
+IU4r52VUqzZ6bBaQpPV4psG3yC6ONGppiy2QSP1s0jqmH1EDDp2qAQEME4bPYCAg
+Tryp2EjUmBpCuiwreY3Wsy9Zj6fQdFuxUiE4XWbsoNx1oDj9M8OuAeKQ5magJysm
+j/f2SF6cuNsg5AwuPg3DX+QC+WckLe+3M4uXfZa65bf/EJgKjJc1WjrDG16x
+-----END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.self.key
new file mode 100644
index 0000000..f2392c8
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/intermediate_ca.self.key
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIrFQQzoVuNVgCAggA
+MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECIWesfDR2OA7BIIEyB+WEIidNRox
+k5SvY9Hyi77Y1Jh/u1WJVWmQalZvWOAX8lnhQTDMVlCZ9zOku+0CWPIfEPcTBPbc
+WkTdNFmnlpUwrrjZ+ijwyv9eF6WaIvAyBAlSXDUULkkiaweKT22KGmCKWGY92UJq
+UtnsyZupQ95oWRcJ6x8/83dhaQM9yVf8a2jZzpIkCM5bdNXrSSObM2Oz1WhpcPEg
+yJzVceZTxASB3BnvIayNqFvMMiFQR4QcDTMkudBWGro3q5qm+LINQrG3nXmTwDvp
+u3PXxP8c0nEXxQYB9PPDL3qWQ5QkjaZWm5QUFWvUFGYc3bbuNXkzivBFp9W478wY
+W41x9WI6DVDkcrTv5n5X268xh3Gs5/nYERjuB657rGC3R5mNeL4unohPBsamyhrE
+ZFgzaMB0hhh0w57suFoVbrqkcKWQx7vhNwvOqbyiOg/qLk5sHrNAVdZtKA5iHux3
+JMbzHzG73wduXCWOOJcBYZD5cA7ifNwmNAz7sg9z2CY1XGHRrm+l9QZK5SLrQGIC
+p17ZREm2rnUMmZFqmIdRYyWUmfZmZ1eejT7Nf93GyutdabLNc1ROANY/mElW68qK
+RlEszYEJskw9vclg8PogulnGVND5ES5zxG4qUWJtkvx7QM1NqgUq77rK93Q/1AkC
+tB2A2/wwZmmPQMYR/7qSr0HLkTLYqmtEC5FVXB9STVdHYEgs4G7yNArY1a10ApaS
+Avf+TJD+SH8ZJMc4xVOJwc/NyKqaI+LFc64m/8oC+Mt6wpos5nvPoGqIGW10Oqcv
+N4IREavDgHEcbfRsj4Cdt55YaAk0C7MNn21PvTRI7aS8aWScTD5sMlJZDFe/V2ZL
+IxdW4LnZfyRt/s2qsx6mrbrKsaBB+o4BKC0AQax/o6GNTP89aug4OIUr3h7qGf1C
+oKLGLHjXuZcw0NKK+ufRqimvgHz6segsfgxLBsLoZ2EkhHqdWxyVI6dB/TdB2+Mu
+x3I0iQ/lC22Ky+hGpcb2iU0eB1NYA6/Wns880EJGd6/w6vmJOjG+BG0zoOELgLXH
+j0nGK2gh/2fxg2i+UjMvK7lGLjyiit/rPgH5B0e7QqJrwC0KHkxQO/dIp9aQ5BZD
+7PyGEX3ThaBSXyor3JoRtF0sLFhib2vqws7WNke7kJqDcoi9AZEQJ8gl2DLUqWbl
+ci0s32YNxXKQWB20eKJDhiLOPxZmwfQlyFAnJQrYOEhKG/BJD/O+q7MtBwJ674kG
+TcJ3AxKJhw6rOM8tjvuUfbBBNG8O0ngkbNPN36EYDkWb7ro1W4+MDayFt0P8nXgt
++liJEFp9yFDm3OMiMrHJmihZKGqr7VC9sDm+EjFMpa/Er7KWBBzvWip3pIZslHrv
+HIYILJS8C6OgiwQF24+pW9O7tqUVKrjpZ5Tl/QuR4Qm4L3kWO/63nFMH+PP/ODYQ
+0cB/g8cEGVWClUlxp/2D7IrNh6d59mQuvhrF+fkMoNV8AeU9+IinDlF3ik00n9cF
+5U9shoMgSuyj5d9L2FCJi/t67LiAWsp3aGwcfHPfanSIpS/EvpCyvT9py1zE0IFC
+Hzz76V2V5VrRkYGwT2M8b+RtgHUles5e8sXxkWTW9AvbtfJtADit5mEX0eXJJAfP
+aRZsBte7k0++5afbuVkCug==
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.crt b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.crt
new file mode 100644
index 0000000..dd4073e
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.crt
@@ -0,0 +1,80 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 4664 (0x1238)
+ Signature Algorithm: sha512WithRSAEncryption
+ Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA
+ Validity
+ Not Before: Jan 17 12:14:00 2020 GMT
+ Not After : Jan 17 12:14:00 2024 GMT
+ Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=revoked_by_ca@acme.org
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public-Key: (2048 bit)
+ Modulus:
+ 00:ab:54:29:44:85:72:57:4f:8d:9f:60:77:5c:77:
+ b0:45:bd:34:7a:e5:37:9f:0f:26:ac:e1:68:1a:b3:
+ 86:bf:55:48:82:ad:31:df:ed:89:a9:7e:25:b8:4d:
+ 5c:95:c1:4a:9e:b2:a3:51:57:e8:dd:18:75:e5:db:
+ f0:aa:ea:eb:5f:0f:e0:09:e2:7c:a6:1c:5c:e5:db:
+ 2c:c1:f2:d7:40:21:f7:fa:ef:e0:3e:f5:3d:10:52:
+ ec:b7:cd:9a:d8:3d:36:9a:3f:cd:1a:1f:e7:de:09:
+ c3:8f:08:4f:c1:c4:cb:d3:65:81:c4:e3:28:ed:f4:
+ a9:43:f2:c6:84:d9:16:22:65:55:17:e3:8b:7a:45:
+ 9d:5f:7d:e5:87:d6:a5:fb:fe:0f:86:c0:d4:e0:9b:
+ 2c:3a:99:df:4d:42:df:30:38:56:2d:f3:e5:8b:0f:
+ fc:99:e3:1f:62:cb:85:78:a3:40:43:d6:42:3b:bc:
+ e8:6c:45:19:3d:ca:43:86:1a:4b:ae:e9:3b:51:b0:
+ 0d:0a:bb:de:26:34:b3:cf:dc:fc:99:c8:7e:42:7d:
+ 2c:67:ea:2c:7d:2e:bf:ff:7f:21:9a:17:f1:87:1d:
+ aa:d6:a4:06:bb:c1:65:ac:7d:7a:51:fd:3f:d0:ac:
+ 9b:85:17:51:5b:99:16:b8:c7:72:00:2d:0b:54:78:
+ 16:5b
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 CRL Distribution Points:
+
+ Full Name:
+ URI:http://localhost:8186/MyRootCA.crl
+
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 Key Usage:
+ Digital Signature, Non Repudiation, Key Encipherment
+ Signature Algorithm: sha512WithRSAEncryption
+ 3a:d1:40:59:30:54:80:6a:b6:a9:76:f3:d1:05:c9:a1:d7:b0:
+ ff:70:48:65:1d:1c:e5:82:b9:c5:62:78:eb:7a:0f:77:2d:26:
+ 8d:a7:16:34:a5:57:4e:da:51:b5:3e:65:a3:db:a4:ba:43:70:
+ 93:d4:d5:82:e4:c8:59:f0:f9:2c:7f:d6:d9:87:b8:5e:a9:4c:
+ a5:cc:c3:ac:87:c8:3e:46:7e:6d:40:c1:bf:9f:03:68:ea:e1:
+ 97:30:43:bf:d7:a4:1a:58:e2:72:cf:0d:6f:31:1b:4a:72:4d:
+ 42:6d:7b:21:42:23:c0:7a:50:14:b9:f9:a5:95:53:77:c1:89:
+ ff:3e:a0:1a:b2:88:69:13:93:c8:14:c4:c5:24:47:a0:9e:43:
+ 70:9d:ac:0e:7f:a6:b5:45:47:35:f9:e9:6d:32:15:54:26:81:
+ 84:ae:d8:27:c9:f3:65:64:7a:72:14:02:9f:8a:73:cf:04:c0:
+ 53:a8:01:56:a6:a6:b8:fe:06:b1:71:c0:cc:64:07:d5:33:a8:
+ 69:01:5e:06:b8:24:ec:1e:c4:9e:58:45:60:2b:70:d4:db:7a:
+ 8c:42:21:e6:e6:33:c9:66:35:6c:06:ad:0f:47:74:24:cb:65:
+ af:e1:a6:d0:b3:06:4a:97:5f:b2:83:cf:ac:0d:81:c2:07:7a:
+ 06:c1:45:90
+-----BEGIN CERTIFICATE-----
+MIIDdjCCAl6gAwIBAgICEjgwDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMCQ0Ex
+EDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFDTUUxETAPBgNVBAMMCE15Um9v
+dENBMB4XDTIwMDExNzEyMTQwMFoXDTI0MDExNzEyMTQwMFowajELMAkGA1UEBhMC
+Q0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRvMQ0wCwYDVQQKDARhY21l
+MQwwCgYDVQQLDANhcnQxHzAdBgNVBAMMFnJldm9rZWRfYnlfY2FAYWNtZS5vcmcw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCrVClEhXJXT42fYHdcd7BF
+vTR65TefDyas4Wgas4a/VUiCrTHf7YmpfiW4TVyVwUqesqNRV+jdGHXl2/Cq6utf
+D+AJ4nymHFzl2yzB8tdAIff67+A+9T0QUuy3zZrYPTaaP80aH+feCcOPCE/BxMvT
+ZYHE4yjt9KlD8saE2RYiZVUX44t6RZ1ffeWH1qX7/g+GwNTgmyw6md9NQt8wOFYt
+8+WLD/yZ4x9iy4V4o0BD1kI7vOhsRRk9ykOGGkuu6TtRsA0Ku94mNLPP3PyZyH5C
+fSxn6ix9Lr//fyGaF/GHHarWpAa7wWWsfXpR/T/QrJuFF1FbmRa4x3IALQtUeBZb
+AgMBAAGjTzBNMDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9sb2NhbGhvc3Q6ODE4
+Ni9NeVJvb3RDQS5jcmwwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwDQYJKoZIhvcN
+AQENBQADggEBADrRQFkwVIBqtql289EFyaHXsP9wSGUdHOWCucVieOt6D3ctJo2n
+FjSlV07aUbU+ZaPbpLpDcJPU1YLkyFnw+Sx/1tmHuF6pTKXMw6yHyD5Gfm1Awb+f
+A2jq4ZcwQ7/XpBpY4nLPDW8xG0pyTUJteyFCI8B6UBS5+aWVU3fBif8+oBqyiGkT
+k8gUxMUkR6CeQ3CdrA5/prVFRzX56W0yFVQmgYSu2CfJ82VkenIUAp+Kc88EwFOo
+AVamprj+BrFxwMxkB9UzqGkBXga4JOwexJ5YRWArcNTbeoxCIebmM8lmNWwGrQ9H
+dCTLZa/hptCzBkqXX7KDz6wNgcIHegbBRZA=
+-----END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.csr b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.csr
new file mode 100644
index 0000000..7a8a730
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.csr
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICrzCCAZcCAQAwajELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQH
+DAdUb3JvbnRvMQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxHzAdBgNVBAMM
+FnJldm9rZWRfYnlfY2FAYWNtZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCrVClEhXJXT42fYHdcd7BFvTR65TefDyas4Wgas4a/VUiCrTHf7Ymp
+fiW4TVyVwUqesqNRV+jdGHXl2/Cq6utfD+AJ4nymHFzl2yzB8tdAIff67+A+9T0Q
+Uuy3zZrYPTaaP80aH+feCcOPCE/BxMvTZYHE4yjt9KlD8saE2RYiZVUX44t6RZ1f
+feWH1qX7/g+GwNTgmyw6md9NQt8wOFYt8+WLD/yZ4x9iy4V4o0BD1kI7vOhsRRk9
+ykOGGkuu6TtRsA0Ku94mNLPP3PyZyH5CfSxn6ix9Lr//fyGaF/GHHarWpAa7wWWs
+fXpR/T/QrJuFF1FbmRa4x3IALQtUeBZbAgMBAAGgADANBgkqhkiG9w0BAQ0FAAOC
+AQEAle9ozcWOV+gW4zVToxUl/Cumqe3zqg7YE1SV4/QssVEVfJjb4s4/2JnjDQvQ
+BExP4yeiLVtIjjEaFy+fu4LZ7Qx7+GlhBCOaBuS/hNRmuJPNv+GwommABYkDvx86
+QeztX5oU/Gcn9tx+IjiBfn6pUsF4tX1Qd9ueucPUDR7xHMAFBBNnC1ahhki6rOVB
+9fxbduViyr2RKl9gDao650PsVn3+9MtKaU/oHluuyOjbCsrdjY5uGTWGJjWXGWBv
+whtYRomEofuvZk7vsmhBtJUixFuo4mVXA3Q6jCH3nre57YsQFR8+oFkIDogtXUNj
+rOtgaueA6Rd50L4j8hoQKBAkFA==
+-----END CERTIFICATE REQUEST-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.jks b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.jks
new file mode 100644
index 0000000..cd38ca0
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.jks
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.self.crt
new file mode 100644
index 0000000..47696f6
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.self.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDtTCCAp2gAwIBAgIUHVCN1hW4l8SlUG15T552XxvHr4owDQYJKoZIhvcNAQEN
+BQAwajELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRv
+MQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxHzAdBgNVBAMMFnJldm9rZWRf
+YnlfY2FAYWNtZS5vcmcwHhcNMjAwMTE3MTIxNDAwWhcNMjAwMjE2MTIxNDAwWjBq
+MQswCQYDVQQGEwJDQTELMAkGA1UECAwCT04xEDAOBgNVBAcMB1Rvcm9udG8xDTAL
+BgNVBAoMBGFjbWUxDDAKBgNVBAsMA2FydDEfMB0GA1UEAwwWcmV2b2tlZF9ieV9j
+YUBhY21lLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKtUKUSF
+cldPjZ9gd1x3sEW9NHrlN58PJqzhaBqzhr9VSIKtMd/tial+JbhNXJXBSp6yo1FX
+6N0YdeXb8Krq618P4AnifKYcXOXbLMHy10Ah9/rv4D71PRBS7LfNmtg9Npo/zRof
+594Jw48IT8HEy9NlgcTjKO30qUPyxoTZFiJlVRfji3pFnV995YfWpfv+D4bA1OCb
+LDqZ301C3zA4Vi3z5YsP/JnjH2LLhXijQEPWQju86GxFGT3KQ4YaS67pO1GwDQq7
+3iY0s8/c/JnIfkJ9LGfqLH0uv/9/IZoX8YcdqtakBrvBZax9elH9P9Csm4UXUVuZ
+FrjHcgAtC1R4FlsCAwEAAaNTMFEwHQYDVR0OBBYEFMU9e8zrbXHC342Uby8gqhgM
+YvLxMB8GA1UdIwQYMBaAFMU9e8zrbXHC342Uby8gqhgMYvLxMA8GA1UdEwEB/wQF
+MAMBAf8wDQYJKoZIhvcNAQENBQADggEBAB/EApL8yOgY/Moi9zfCG22GRosPydBS
+87rlGBuWieIuHTUjZfo4Cso/Gss7BKNPVpS68g6QXh5t/mlWLes8lXVHj8V2RHUg
+JMJZ6FZVXGaR/3wvRT8i5xag4kYye585P52ovvzI8TyWRf2f4UQhNXIH6If8fYkJ
+CI/bp7Wd+b2+Vrnacx8gc5uzYXSsbUujd0b7X//gAu0YBPVqdkiJGpB1N4XPFhaF
+NPauaic9wtzETHc2ETmvKWoqxW0mwX8AuDY/GVa04s/jiy1JuH0uqfQCiGi1dkRF
+yYXQNXuPWiQ5K8Eg2bPaSSnCpQZgH4DG7315ne6XFaSQK/iJU9p05cA=
+-----END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.self.key
new file mode 100644
index 0000000..2bed0ac
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca.self.key
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIHVqo76e8ifcCAggA
+MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECKGXAXrxjyphBIIEyEJR6oHjGXr+
+PoIs2CnsQucjXIqQuEltc+xiLetRV6VQ0fytpC1qw6gTcMYYqmXC0oeBZqbux+hj
+Uj91rd2PnIhQ1t3uLkCCwR3hAOrFLHC6eg1HmgAfAI8HUoHeiSQor0rLHA2PKTgT
+LtNV573XyBh0bbrQZnMh2zb+RZ8dFHE5Fu7OiTYYFAIkH3EyB0QRUuskGhmMvgT1
+6LlzmaSRfSx9x6YBW0AH3649hAZj6sf7axXm9sScrIFpha7FJzKV/EUScDfBzTld
+5LqTUoF+W6b95PzvF/ylpbUM43FgTaI0KqyGSxtMr5CQjxuVUD+LsT6vc6lVQ2iQ
+GtqFAooBatfDXlm4HBNTFznDoYa50TUK1af6+0X4uQrETnIWA8iw49L+BownU6+M
+yfuMJ689IggheL9n+EBoJ5+LhjBlcxjcaIZBKgxVAxpSxnVY7H0R5JHYTHSy5GjA
+xtGmOkqGPgRlPXzYtSrih47tUAkO7MTiIUE5Xuned2pTFWAhsS/kpdc6K1IKhDAG
+ARG5dIADIZH+b3dYpxo/MXBQYusm6Q1KaLE1cG98QoiWdTwXNN4jNH6IiUg52Pcg
+nD/AAOdEcCA7wXFXLTBvYMGvetCDkrXf9DSOguGlvgfeZN/6P0QdN/TErTW9lHSV
+DioKOfDSpvS2X3X/1pDBYK29d+JqwW8sgRtyeJtSVzPnm+PFyz/1oDwIk7muhAs5
++Ruf2mh/k01InahsJ9aBwBneCDvRibQGMv8wl/8Lz5NmpPjfYv/Jws0rS7rDNLOi
+yGSNBL8rOfLl3C7z3R+2xJocplccb7S42I8lSHNu7lwKPAPLkTtz+SymtAQJvqoR
+2SmoYtodPttQDXLMVwzQ87sBQ/wN9sw3BCRSL6BfBIsYavLMLnZ8hChpA9RF7Okm
+l8jNSs8HNN851G3XrKnI3CNsTKEQdEDw/Y68hJ0sSFRhICW2vKGJ6Lp1IPF4mngI
+BzGnpQrsOBfrMOpfqwgxFFZRFbBbOl2IPRcvz8GYyfXToGgS53Nz0TkHTtsTFIoo
+afUE6cOm0EzYn4rtNaB5K8gIxLhWZMsS6CH/nfEVi7sOFeUdkxoEUvnRTEy0pj7Q
+h085aWIFHHAtgBCdzqsmu0Q8z7Xp6G+S5nrJCnewRAGKKyGTkZsSjZXpB+nauYDM
+B4ZpoWZTS9AtPmCM9nV13fYTFWXz9DXtYAuMLZhYyBVNBlubpDwzV66+ygLqaTIz
+OkC/EjmA1OOZlaI0TfH5rvFdKsqmXxmvlH9aCOzMxytTSOd52MwJN72nAslKz9xI
+RoO/RE0EYLMOT81S44QzfWGZ2CP7oRTfT3IoktTUm9Snp2qjebcfhRrti8aEZCm+
+mtssZ0IiqLPje6GJ2kOUmU4+KZ+cNswPZmV+zm4NJcu5XBG13wHqyLac6iQPDXie
+4IuzbLEOjYr+ZLGnBpw11jn6R1yxbOiKUbg/eEp8/688XJbVdSaCd4w7JwxL8dlI
+h7y8UTG0BI3nZk4kdpusz5f18F8EoX+RIDP7Ev3qPt/8eYkSZggkrrnIaCIeXEOL
+VwmtXIe7Fo2E7zRTSgJXU42iTYwp4tWmB83qxKVaQQpgmX1hs845GdWbfcSZh9eZ
+50gsztDpcC1mAtp3brgOig==
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.crt b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.crt
new file mode 100644
index 0000000..7a80d78
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.crt
@@ -0,0 +1,80 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 4667 (0x123b)
+ Signature Algorithm: sha512WithRSAEncryption
+ Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA
+ Validity
+ Not Before: Jan 17 12:14:02 2020 GMT
+ Not After : Jan 17 12:14:02 2024 GMT
+ Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=revoked_by_ca_empty_crl@acme.org
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public-Key: (2048 bit)
+ Modulus:
+ 00:cd:03:6c:76:ba:58:04:33:52:0c:45:ba:80:87:
+ be:ce:3d:94:76:45:79:29:b1:15:15:c9:95:e0:5e:
+ 03:34:a5:5f:ab:b6:8a:03:57:b4:60:2d:fe:2e:27:
+ c1:51:7f:bd:25:fe:0d:d3:48:72:0a:09:ed:ef:df:
+ 18:98:17:e1:bf:44:07:6f:f5:72:98:73:0a:ca:7c:
+ 7f:a6:8e:1b:e1:f5:e9:cc:d5:37:96:1e:8b:f1:8b:
+ cb:4f:3b:ad:e5:b9:73:b2:6f:2c:e2:70:c9:a7:28:
+ ee:d2:4e:79:02:ef:11:f0:8d:77:41:46:d4:98:72:
+ cd:73:66:a4:f2:ea:81:42:b5:e1:95:0c:d3:23:e7:
+ dc:0e:2c:02:cf:bc:8f:dd:53:ea:2c:08:1d:8b:07:
+ 52:47:25:dd:9d:99:5c:56:86:2d:38:2a:2f:15:57:
+ dd:e2:c0:79:a5:aa:e6:3f:c3:b9:78:97:cf:47:fa:
+ c6:9f:55:73:42:cb:27:17:35:b3:5c:91:bd:f9:f0:
+ 00:a6:d2:5b:eb:34:2e:43:6a:ca:38:f6:14:32:4c:
+ c8:35:92:b7:4c:f7:da:86:70:55:0c:ca:67:82:5e:
+ 31:7f:e1:d2:76:22:d8:92:03:d6:47:df:43:55:33:
+ 29:e3:44:d0:2e:45:b4:e5:fb:78:95:53:3e:21:33:
+ 01:3d
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 CRL Distribution Points:
+
+ Full Name:
+ URI:http://localhost:8186/MyRootCA.empty.crl
+
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 Key Usage:
+ Digital Signature, Non Repudiation, Key Encipherment
+ Signature Algorithm: sha512WithRSAEncryption
+ bf:be:61:4f:7a:a3:ff:9f:76:1a:d5:80:57:e8:29:d5:7b:31:
+ f2:15:de:11:a2:f4:67:97:05:70:52:84:0c:6d:aa:bc:b4:f1:
+ ed:92:f7:e3:ca:0f:4e:19:c4:82:38:e2:f1:30:74:42:8e:c8:
+ 7e:9f:b5:df:59:8b:e7:70:84:4d:fc:6b:4e:25:33:65:ac:f6:
+ da:3e:a4:32:fd:cb:f7:dc:f3:5a:3f:e3:8b:85:8d:9b:5a:e1:
+ f4:17:3c:d5:67:13:25:78:d0:3f:9d:cc:b8:1f:3c:9c:55:11:
+ 12:1f:13:2f:55:4b:3d:e0:cf:bf:10:ce:de:04:a3:b1:60:26:
+ 3e:41:bf:8f:3b:86:ef:7f:69:4b:5b:2e:45:a2:5a:b5:34:2e:
+ ff:28:01:81:15:03:53:86:31:77:ac:41:f5:b3:c1:54:e9:ab:
+ cf:d3:3f:36:94:4e:ed:07:39:4e:ad:fb:0c:26:87:62:30:51:
+ da:70:8a:f2:9b:9f:9f:a4:25:d8:df:90:27:ab:0e:b6:81:fc:
+ a1:24:16:4d:aa:91:d7:c9:0b:f0:49:1a:80:7c:86:7f:0f:4e:
+ 32:59:86:41:32:92:00:b1:f0:32:50:84:72:35:f3:b2:7f:c1:
+ 2a:69:6c:9e:74:43:8e:d0:15:b3:0d:ed:34:b9:14:fe:24:17:
+ f7:4c:e0:0f
+-----BEGIN CERTIFICATE-----
+MIIDhjCCAm6gAwIBAgICEjswDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMCQ0Ex
+EDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFDTUUxETAPBgNVBAMMCE15Um9v
+dENBMB4XDTIwMDExNzEyMTQwMloXDTI0MDExNzEyMTQwMlowdDELMAkGA1UEBhMC
+Q0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRvMQ0wCwYDVQQKDARhY21l
+MQwwCgYDVQQLDANhcnQxKTAnBgNVBAMMIHJldm9rZWRfYnlfY2FfZW1wdHlfY3Js
+QGFjbWUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzQNsdrpY
+BDNSDEW6gIe+zj2UdkV5KbEVFcmV4F4DNKVfq7aKA1e0YC3+LifBUX+9Jf4N00hy
+Cgnt798YmBfhv0QHb/VymHMKynx/po4b4fXpzNU3lh6L8YvLTzut5blzsm8s4nDJ
+pyju0k55Au8R8I13QUbUmHLNc2ak8uqBQrXhlQzTI+fcDiwCz7yP3VPqLAgdiwdS
+RyXdnZlcVoYtOCovFVfd4sB5parmP8O5eJfPR/rGn1VzQssnFzWzXJG9+fAAptJb
+6zQuQ2rKOPYUMkzINZK3TPfahnBVDMpngl4xf+HSdiLYkgPWR99DVTMp40TQLkW0
+5ft4lVM+ITMBPQIDAQABo1UwUzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vbG9j
+YWxob3N0OjgxODYvTXlSb290Q0EuZW1wdHkuY3JsMAkGA1UdEwQCMAAwCwYDVR0P
+BAQDAgXgMA0GCSqGSIb3DQEBDQUAA4IBAQC/vmFPeqP/n3Ya1YBX6CnVezHyFd4R
+ovRnlwVwUoQMbaq8tPHtkvfjyg9OGcSCOOLxMHRCjsh+n7XfWYvncIRN/GtOJTNl
+rPbaPqQy/cv33PNaP+OLhY2bWuH0FzzVZxMleNA/ncy4HzycVRESHxMvVUs94M+/
+EM7eBKOxYCY+Qb+PO4bvf2lLWy5Folq1NC7/KAGBFQNThjF3rEH1s8FU6avP0z82
+lE7tBzlOrfsMJodiMFHacIrym5+fpCXY35Anqw62gfyhJBZNqpHXyQvwSRqAfIZ/
+D04yWYZBMpIAsfAyUIRyNfOyf8EqaWyedEOO0BWzDe00uRT+JBf3TOAP
+-----END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.csr b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.csr
new file mode 100644
index 0000000..7275fc2
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.csr
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICuTCCAaECAQAwdDELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQH
+DAdUb3JvbnRvMQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxKTAnBgNVBAMM
+IHJldm9rZWRfYnlfY2FfZW1wdHlfY3JsQGFjbWUub3JnMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAzQNsdrpYBDNSDEW6gIe+zj2UdkV5KbEVFcmV4F4D
+NKVfq7aKA1e0YC3+LifBUX+9Jf4N00hyCgnt798YmBfhv0QHb/VymHMKynx/po4b
+4fXpzNU3lh6L8YvLTzut5blzsm8s4nDJpyju0k55Au8R8I13QUbUmHLNc2ak8uqB
+QrXhlQzTI+fcDiwCz7yP3VPqLAgdiwdSRyXdnZlcVoYtOCovFVfd4sB5parmP8O5
+eJfPR/rGn1VzQssnFzWzXJG9+fAAptJb6zQuQ2rKOPYUMkzINZK3TPfahnBVDMpn
+gl4xf+HSdiLYkgPWR99DVTMp40TQLkW05ft4lVM+ITMBPQIDAQABoAAwDQYJKoZI
+hvcNAQENBQADggEBAIclK9KXAk1U1l9zzy9FpjqZYXzqCF5vBD9yDDk6DODqLAfa
+twBoA90Ae5z5wEY2Gtj2p39P4FvWHV2tKMe3M6Wnf9b0IE2VYZ8aIuK/dzMY17pX
+caDKJEhG/hVa4qIyKbh5y0gITfoFTx10ip0DoSAzkjbG6fsSplX5x/r0DS1ZVGQj
+aTqKor1pBW9rBGkgDaKetl+0/x9EcwXM8Vlv2uidofK1HRrBijdzj/vaVERatNGf
+IMfBGnTfF+CAKN/kR8F1jhcM4XXOA/lvtWkmmsuBweEM4iTh5T7/L/rbUr7WpFjT
+J8yrjAyUM4e9UR+lif/RXN2zvAvUh9wUin/rvlk=
+-----END CERTIFICATE REQUEST-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.jks b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.jks
new file mode 100644
index 0000000..7e0ab14
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.jks
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.self.crt
new file mode 100644
index 0000000..876f462
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.self.crt
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDyTCCArGgAwIBAgIURa7KfSxOy6INMZLGbza+/AKlMMgwDQYJKoZIhvcNAQEN
+BQAwdDELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRv
+MQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxKTAnBgNVBAMMIHJldm9rZWRf
+YnlfY2FfZW1wdHlfY3JsQGFjbWUub3JnMB4XDTIwMDExNzEyMTQwMloXDTIwMDIx
+NjEyMTQwMlowdDELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdU
+b3JvbnRvMQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxKTAnBgNVBAMMIHJl
+dm9rZWRfYnlfY2FfZW1wdHlfY3JsQGFjbWUub3JnMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAzQNsdrpYBDNSDEW6gIe+zj2UdkV5KbEVFcmV4F4DNKVf
+q7aKA1e0YC3+LifBUX+9Jf4N00hyCgnt798YmBfhv0QHb/VymHMKynx/po4b4fXp
+zNU3lh6L8YvLTzut5blzsm8s4nDJpyju0k55Au8R8I13QUbUmHLNc2ak8uqBQrXh
+lQzTI+fcDiwCz7yP3VPqLAgdiwdSRyXdnZlcVoYtOCovFVfd4sB5parmP8O5eJfP
+R/rGn1VzQssnFzWzXJG9+fAAptJb6zQuQ2rKOPYUMkzINZK3TPfahnBVDMpngl4x
+f+HSdiLYkgPWR99DVTMp40TQLkW05ft4lVM+ITMBPQIDAQABo1MwUTAdBgNVHQ4E
+FgQUJBs8fXPCO0HfB5qCdnNIr+LKofAwHwYDVR0jBBgwFoAUJBs8fXPCO0HfB5qC
+dnNIr+LKofAwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAQEAKlMt
+n4ZrNl91i2HJUhy1qQEed6r2IFzTiVCIlV5tL/e3JyOksKxHeoV8JcN4mFNDzVZM
+vk+ZuCty1wJQLs6OOCfdXwSekSJblV/IXqKosvJj+RN6EHLeEYUoVJlKkU1E/wXZ
+LbjioYtv7LAdDXuZro3P5W9IBiNGPitOWqdZYTkYgrDdyn9MBucm7UMTftvS8buK
+sBjOhKQNO4Q34VJlOgKjoPEQr/R/JnNFbFh3dKYfDFABwy3dgp6kehzazb68An+j
+K/qljEqmAGwn92pSQDxNW/opQ3iMMjTiUie7f5PpCphFD/noIXgSyVutV8dFEBtw
+uTTPMl1O2ogZSriu3A==
+-----END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.self.key
new file mode 100644
index 0000000..9576760
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_empty_crl.self.key
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIFZ8yTs+qbG0CAggA
+MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECCIuCWBoRzWlBIIEyEJvOIUqC7LU
+XAcbfwBQgC+6bmxO+2A+KGmMoWua1om7bO7YkzoTesXg1sDN5xO8S0T02/laHE+n
+h4SKtG+Ocvc75hznd2dkz+QrvUHfxYBWS5zayDYvO/V2GjbI/LUhBxTh17KRRGwD
+FvJmfYyQ7C4jguscRrTpnKxknuIbQYQMUlTVquB3htAtf9ORQSC34QiKl6Ahm2F9
+S5iRxOQI3y5+g6BXVTktBjFMg+EIlVgi7UrOtplj/GAC6m0tF+G2Cl2R+IYcU4Uj
+iZO6XBeVGUaDCy6b5jdeiBXTbqYWrLaMrCQabZTfw3utJQHAPFaBE+y25Wq4SdJ7
+/S8BmCDa1x9doH7ShJ8ykync1PfOIaTbzqWMx4zIgAFQ2/azZD2aB6GWo8lpQWOp
++yRRNQsYQNiVZ8895KVfsLJvf7nEZ0gtrKYxUiwdzIXspNdt2ymzhcKf1bYeG8TX
+XgegkqB2zzp/BviBlGWo5RSGDyaXTHrdWK3yJBkuP4oGMrk71+W/kDUzTCR++AqM
+1TpbYXLIbqMlE5DEHejgYYOclx3pmMBYcJJsPW8mKd2C7G3fj67lUQwXr+iLS1Fl
+Zekh3ZcaQSptQyUaJ6XXaa8A5qx42FpEGIxTLF3YktyT/u3rMsYD62hohR7zCNUK
+J8Wsmjmeu78OoPv68DxD8Hi88rcYg/cKTELjBx+GQOKGite7ogxPcdfFIrprVNTQ
+WLYLk9STn42RhUELKt2uKYmVJ6GzfBf7Lfgmsi9QVIPbswZE02fF/pC5Gcl1FEA8
+X0wcxcv9MAbFm497CMkdw9wxj4rV7XruBrUAB24QRj/r3Hsk4LS/0MI8/OawzaP+
+UAXYExWPuOremVl4/esbXOi5UXPcz/4aDtYyo3/PYOS8TWGnhJ0P3VykdTQ2a6Cq
+A/qI5c1HN0Llg918Eff/Lrw3WDpe7tcuQz0UZDUw9wEdglMTl1xQ9tZPQcMmKc08
+32dUUxPNX+wsKM1k5VBYRx/Vltr+odNaW4eTgVhsQ68D1vvA+AHLrHOUTGMknVTh
+89ZTtycV908axGVot7fz0wpc+n0nF/d6Q75NpqTwGQdwe6LMyYed6dOotYn9rWAV
+rPIxw9gsT3AGFyzos/ZB4RehHWIX/uumPw3H67vG2q+A2q2zzJFmH72mgMIpf/hY
+1SoCO3Uhlv58zbASfchyIFlMNNxSN9+6uffXbB9kR/C3ClKZB9vDwyhpMFU/LMqz
+2/ffsESVa5KSRdzwJuzbHQC/cymQZYoe3SayObmKoTIzo6lQoTCX7yREUFaT346A
+XkjN40YsO4dQ64r4qKdCRmhK1GHo3zXzT/50maVxzUsJafhuARvLxckpidq0mdT9
+2zBl5aM7GTwqCs9eqV1EJJASeBoFdu2iAKOI5O0Y7uVKNRZbiElnroR9IgfINepc
+7OenXrQbwrXD0PYORY04axr3hfM7GEy90TC+9WGLZWBTyKRdTdIdNCTvh1q84OZo
+Qp4zEhWsHT6C1FKmpu+uhPKHEqgqrgWFfsSr21uYFuEybXY2B9euyB222wYjX8K4
+u9C1+YGNQIhDcfqaefLdIBfgUErK/xjTDBP8Xk85NJIxab98aJkhclH0k8qOv6pr
+35/tH3UEUjR1FlIgzU46cg==
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.crt b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.crt
new file mode 100644
index 0000000..35b1e6a
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.crt
@@ -0,0 +1,80 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 4668 (0x123c)
+ Signature Algorithm: sha512WithRSAEncryption
+ Issuer: C=CA, ST=Ontario, O=ACME, CN=MyRootCA
+ Validity
+ Not Before: Jan 17 12:14:02 2020 GMT
+ Not After : Jan 17 12:14:02 2024 GMT
+ Subject: C=CA, ST=ON, L=Toronto, O=acme, OU=art, CN=revoked_by_ca_invalid_crl_path@acme.org
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public-Key: (2048 bit)
+ Modulus:
+ 00:cc:e3:11:32:ee:d9:ba:67:5b:0b:e2:52:4b:9c:
+ e7:54:d7:e4:c7:a9:92:7e:6a:39:e0:bb:d3:cc:9f:
+ 6f:38:73:96:c5:62:bf:bc:8d:69:e5:e8:67:3f:18:
+ d8:aa:ab:67:93:cb:c1:71:ac:7d:1e:7e:40:a7:d6:
+ 0a:8a:d2:17:7e:3b:be:d0:0e:1b:54:7c:be:0f:de:
+ 46:9b:4c:5a:64:de:87:08:45:b9:4f:32:df:26:6c:
+ 42:66:06:bd:61:cb:95:ae:a7:94:ee:4f:61:ff:da:
+ 18:b5:4a:41:9a:c5:c4:bd:2b:ae:8f:9d:13:82:04:
+ df:23:31:4a:5d:62:2c:0f:83:87:18:4a:7c:ce:12:
+ bc:02:67:b4:1e:d9:9b:4c:9a:33:ab:0c:34:eb:dc:
+ 8e:36:0a:54:ac:c1:88:84:26:15:9e:a5:08:0b:e2:
+ 95:ef:3b:71:29:d9:c7:39:79:05:ef:4e:dd:52:ea:
+ 42:05:b3:7b:2b:b4:ee:3e:da:4f:78:a7:e3:39:da:
+ 6e:56:2e:74:52:27:7f:e5:e9:c3:11:79:c9:5f:6f:
+ ae:58:31:d0:d1:89:b3:01:09:01:5d:44:53:6b:21:
+ af:fc:07:e6:68:9e:76:ab:c9:56:b0:20:5d:36:fe:
+ e0:06:8c:bb:70:6c:e3:3b:92:a0:5b:0d:e9:ce:e4:
+ fb:ff
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 CRL Distribution Points:
+
+ Full Name:
+ URI:http://localhost:8186/not/a/crl
+
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 Key Usage:
+ Digital Signature, Non Repudiation, Key Encipherment
+ Signature Algorithm: sha512WithRSAEncryption
+ 70:bd:f9:c8:9e:b5:40:c4:cd:af:33:9a:35:10:25:ef:2d:00:
+ c1:e3:7a:b3:54:f3:e7:86:b5:a7:3a:7c:4e:c3:fe:c3:b3:f6:
+ e9:e1:4b:48:27:40:dc:36:e1:18:cc:79:93:44:c8:96:78:1c:
+ c2:e3:3c:58:a3:3e:4c:d7:68:7e:e3:83:c4:40:f1:2a:d1:17:
+ a5:89:5f:5d:72:b9:3f:9e:75:7a:a2:d9:73:82:09:4d:45:40:
+ 84:ed:e7:9a:15:81:e2:3e:43:eb:c4:f8:ff:40:a4:b9:1c:d0:
+ 3f:e9:c4:17:26:74:10:86:52:c5:34:b8:a7:d4:1c:b5:53:ac:
+ af:35:35:61:c7:7c:f0:ce:bb:4e:24:49:01:3b:88:57:70:73:
+ ad:19:52:ee:b0:57:5e:01:ac:18:1a:ab:73:d5:12:c1:55:0c:
+ 7b:42:33:ad:5c:a9:5a:75:61:dc:65:08:b0:b5:ab:d0:56:2f:
+ 1b:fa:88:2f:53:2f:04:bb:e3:d6:42:73:0a:03:a3:28:79:a9:
+ ba:45:4e:ac:65:9e:0f:6a:f2:b7:9a:3a:df:fd:07:cb:4b:78:
+ 6a:32:91:59:d4:f6:ea:aa:0d:71:da:21:14:cf:b9:73:bd:c6:
+ f2:b3:8b:b2:30:7a:83:3a:7f:09:d3:11:ef:13:dd:da:1d:b9:
+ 01:11:fe:ad
+-----BEGIN CERTIFICATE-----
+MIIDhDCCAmygAwIBAgICEjwwDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMCQ0Ex
+EDAOBgNVBAgMB09udGFyaW8xDTALBgNVBAoMBEFDTUUxETAPBgNVBAMMCE15Um9v
+dENBMB4XDTIwMDExNzEyMTQwMloXDTI0MDExNzEyMTQwMlowezELMAkGA1UEBhMC
+Q0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRvMQ0wCwYDVQQKDARhY21l
+MQwwCgYDVQQLDANhcnQxMDAuBgNVBAMMJ3Jldm9rZWRfYnlfY2FfaW52YWxpZF9j
+cmxfcGF0aEBhY21lLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AMzjETLu2bpnWwviUkuc51TX5Mepkn5qOeC708yfbzhzlsViv7yNaeXoZz8Y2Kqr
+Z5PLwXGsfR5+QKfWCorSF347vtAOG1R8vg/eRptMWmTehwhFuU8y3yZsQmYGvWHL
+la6nlO5PYf/aGLVKQZrFxL0rro+dE4IE3yMxSl1iLA+DhxhKfM4SvAJntB7Zm0ya
+M6sMNOvcjjYKVKzBiIQmFZ6lCAvile87cSnZxzl5Be9O3VLqQgWzeyu07j7aT3in
+4znablYudFInf+XpwxF5yV9vrlgx0NGJswEJAV1EU2shr/wH5miedqvJVrAgXTb+
+4AaMu3Bs4zuSoFsN6c7k+/8CAwEAAaNMMEowMAYDVR0fBCkwJzAloCOgIYYfaHR0
+cDovL2xvY2FsaG9zdDo4MTg2L25vdC9hL2NybDAJBgNVHRMEAjAAMAsGA1UdDwQE
+AwIF4DANBgkqhkiG9w0BAQ0FAAOCAQEAcL35yJ61QMTNrzOaNRAl7y0AweN6s1Tz
+54a1pzp8TsP+w7P26eFLSCdA3DbhGMx5k0TIlngcwuM8WKM+TNdofuODxEDxKtEX
+pYlfXXK5P551eqLZc4IJTUVAhO3nmhWB4j5D68T4/0CkuRzQP+nEFyZ0EIZSxTS4
+p9QctVOsrzU1Ycd88M67TiRJATuIV3BzrRlS7rBXXgGsGBqrc9USwVUMe0IzrVyp
+WnVh3GUIsLWr0FYvG/qIL1MvBLvj1kJzCgOjKHmpukVOrGWeD2ryt5o63/0Hy0t4
+ajKRWdT26qoNcdohFM+5c73G8rOLsjB6gzp/CdMR7xPd2h25ARH+rQ==
+-----END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.csr b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.csr
new file mode 100644
index 0000000..5c04ce9
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.csr
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICwDCCAagCAQAwezELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQH
+DAdUb3JvbnRvMQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxMDAuBgNVBAMM
+J3Jldm9rZWRfYnlfY2FfaW52YWxpZF9jcmxfcGF0aEBhY21lLm9yZzCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMzjETLu2bpnWwviUkuc51TX5Mepkn5q
+OeC708yfbzhzlsViv7yNaeXoZz8Y2KqrZ5PLwXGsfR5+QKfWCorSF347vtAOG1R8
+vg/eRptMWmTehwhFuU8y3yZsQmYGvWHLla6nlO5PYf/aGLVKQZrFxL0rro+dE4IE
+3yMxSl1iLA+DhxhKfM4SvAJntB7Zm0yaM6sMNOvcjjYKVKzBiIQmFZ6lCAvile87
+cSnZxzl5Be9O3VLqQgWzeyu07j7aT3in4znablYudFInf+XpwxF5yV9vrlgx0NGJ
+swEJAV1EU2shr/wH5miedqvJVrAgXTb+4AaMu3Bs4zuSoFsN6c7k+/8CAwEAAaAA
+MA0GCSqGSIb3DQEBDQUAA4IBAQAMYJv3za9w6iCfl3/X17EWRpCxfB2uylVoF+Qn
+pk6cAaPZtPNLmzyGGsZ5Vpvm9LuISuU5ZcPCL+ocZ9yjghtiEUg5tslujuuhXyfE
+KhTj0UzSrWAKjm6KJcMu5dtxyM97sToVuU7MBR44KVdSxnzFWgL4afiVULxuJFFb
+DwTDgZZWYSeh2WeQt4bRL8dwhqvh0J+/Xilwh8kvY2yv8TXa0jgbguzPPtfcOJLN
+N9N4VvkrIXgkZSKut2U1G4eESWnCG9PP638I6j9ntA/cHbJ8TC46cEdQcYl1pPPG
+C5FC+aOr2NN/wVME/8Iib5FUKUcHJNZBrBZ3FHf1qjJcbuso
+-----END CERTIFICATE REQUEST-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.jks b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.jks
new file mode 100644
index 0000000..a61e890
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.jks
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.self.crt b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.self.crt
new file mode 100644
index 0000000..c7418d2
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.self.crt
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID1zCCAr+gAwIBAgIUBlNXdtg4SxQN24k7fss2AhXXmcQwDQYJKoZIhvcNAQEN
+BQAwezELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRv
+MQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANhcnQxMDAuBgNVBAMMJ3Jldm9rZWRf
+YnlfY2FfaW52YWxpZF9jcmxfcGF0aEBhY21lLm9yZzAeFw0yMDAxMTcxMjE0MDJa
+Fw0yMDAyMTYxMjE0MDJaMHsxCzAJBgNVBAYTAkNBMQswCQYDVQQIDAJPTjEQMA4G
+A1UEBwwHVG9yb250bzENMAsGA1UECgwEYWNtZTEMMAoGA1UECwwDYXJ0MTAwLgYD
+VQQDDCdyZXZva2VkX2J5X2NhX2ludmFsaWRfY3JsX3BhdGhAYWNtZS5vcmcwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDM4xEy7tm6Z1sL4lJLnOdU1+TH
+qZJ+ajngu9PMn284c5bFYr+8jWnl6Gc/GNiqq2eTy8FxrH0efkCn1gqK0hd+O77Q
+DhtUfL4P3kabTFpk3ocIRblPMt8mbEJmBr1hy5Wup5TuT2H/2hi1SkGaxcS9K66P
+nROCBN8jMUpdYiwPg4cYSnzOErwCZ7Qe2ZtMmjOrDDTr3I42ClSswYiEJhWepQgL
+4pXvO3Ep2cc5eQXvTt1S6kIFs3srtO4+2k94p+M52m5WLnRSJ3/l6cMReclfb65Y
+MdDRibMBCQFdRFNrIa/8B+ZonnaryVawIF02/uAGjLtwbOM7kqBbDenO5Pv/AgMB
+AAGjUzBRMB0GA1UdDgQWBBQTrfcuZNAq9PBU2mYtEYj4Mx9spDAfBgNVHSMEGDAW
+gBQTrfcuZNAq9PBU2mYtEYj4Mx9spDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
+DQEBDQUAA4IBAQCWVNzJRocgQdD7JYE1X7eoet9ex2luAlu8zZVZfeNKv27QjeRg
+1n3Jz1eXMXoVlcRtuXSX6Pw1qZLtAZ07/vPPHBTnMKi5Tvc+4ho/P+UZ1vhVViV9
+Qg0+qNZ0HqiTX9i/gYhUSj8L28iOW01PYP89WDJYhh8kQJhXQbbwE84Y+r75NX7y
+TUZ+ozXJqM2dxrVVnr46bh0qTmTPlWIBKnlkemWe0VlNFFtJlDOXqEkZBaaTqKrE
+iKcxAy1wrlAyvLS69LzZnt2UrR68oQXAQITtdbY4VWSfyxOh9i56OVgw2E6seUuG
+ZdWX9oXeI01B9vV6EqFLiPn6eTPPYOukkjGg
+-----END CERTIFICATE-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.self.key b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.self.key
new file mode 100644
index 0000000..cfaeb30
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/revoked_by_ca_invalid_crl_path.self.key
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIkqodAjKk8vECAggA
+MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECAO1t0BIS+B/BIIEyMK0wAf8UrpJ
+YTJ31fURI5LQ44dkuyvRWu/lIRD/kA081HXXm5eFMW3F4CvKpfbKQKHOEWYjlBbo
+tfsbZyPA2rRT3SAWZY1OZw4zLW5hXlX7yrTTEMWzrKF6i8Fia+cVTRR9D4g0aiEu
+/1RKQPoehCJm7QNKG7mxSzmUoZ/WjSmVIYTCH9cXKnbZE18Hlcc+fDIOlAxWO0nt
+n+IK+U8QzCy5Nk2LvVZSQZMPBFM/ZpTSwrTJe9iP6q+LCv59z3bzgX1i1MZJNTp/
+nYt7+C0JnFcIcnuuOWuKCkRK6txu94AxeZq3JQHRgMmdpmKvsOJ54Um2qSIblphH
+F+7D21ag/ebBLDHRnwkPzlhbP8CLR0J4XZ2KvEjhZjFGV+CokeYRcZI1fAqw7C9r
+V9EWCZxsqjPIKZd3W44TWVUrk8ij21sYJ/l3wVLeTUNCiEub1gDpWtlctGEKL6mU
+guCfMIK8ZZ04KQjKHqeiPmSEdJoHWrT6EyFzi+ZOL/bjeJ5uA5jrgYDWuy0Nhii4
+DbMVCm3EItAKDUq0bDJEGkDSiP7gVEiLThc++skeM/kqqECAwFNRiNPCI/XLuUoe
+JEGoubfc4XTfUPwJbfgrXE+QsgP/k5m38LjOITmkIsevzUxDV1ymHE6J9aQFwh6T
+lUeRq9zy7RsGze4letY7OXgoq2ISwPwqvgUfDBE3Upo1ZzLtfwlGkAgbyUmqA0oF
+fC3UU6QZizk1qh/OnjaIpElRjGnEnH0yo/jasypZ2V3zUaAJ1UJh2Q5OQrBkyzGM
+C7LNcRPC1o18LrO19rtgtk6ysHG21oqwXe5W/xxwif5ouL880vJYsq2fEHLHkcfw
+u9tG02p1dtZUSbgBoLRlhP/S5gwf9mzIKgtOL10zliTw0fiklh+dDsWij5s56jLr
+IuIm1s9XrQFaSAJEEw1xtMNGkasKnXDZjvfSqBOLaXn6AhqrJRknTDsJr6bbVTiY
+SL6Gjo9Jpjcqo6rKN0cutFqGx7JfNsjwaVEwi0UkpJ7NuF6AKuHqZP0WWDLOWUgB
+f2ocal3AzCRienQRWhqwIaVnt0jTWwOTx69dHeaHSwsH7B9Ka8w61dcCLnE4bQHQ
+qpxDqDMh1T0G4nwodcR0ZBA88IBbx59lSvvIKFtJJ2CTcwDibhjs14iWopIP6DHR
+aiS8xxjlVhBnn2GuKSKs8hJn0+JxUJquh8C0zp0PWE0HC9gUBNfx4Y1i2qL/dd6n
+5vtWaq7mjpaXR6Nk+EPQ4kGBelx5ELzSbhc2bS0dnyWtGzTrMu3m3J89bBMFPLe1
+QaU5b/1hRDCJdLAnsAg6P6ekpC+NSECRQhd18PQqgWexEM99O31+aWz6+JTXkCxY
+PutnAU4OwcW+80h1Xt0tXrshMEJJ9U6DnvJ30yP0pClp+jhA4mPggMf4Rabo4VGq
+jI2P6l2ksxe8WEquwpw5AbpKS9pYjjo52nFVzKF7G3T88eWcfaX3lYyN13iXh2EA
+BcH+ad2Ux1eOPtSVrCLyWd2MXehZ5gmdeUsOnwccOB3gppTQNAK9Cq2mqfRx0foO
+GDC+Bpl5xdzEkg3YQ9n+aXYmY7vCGO9B3nWDp31J6JVv3x2m1UdCXzr35xIXE2K5
+5nrg58gwOIVCLeQlazWIeA==
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/test_cert_only_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/test_cert_only_keystore.jks
new file mode 100644
index 0000000..a4648a0
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/test_cert_only_keystore.jks
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/test_empty_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/test_empty_keystore.jks
new file mode 100644
index 0000000..4eebca7
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/test_empty_keystore.jks
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/test_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/test_keystore.jks
new file mode 100644
index 0000000..c6dd178
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/test_keystore.jks
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/test_pk_only_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/test_pk_only_keystore.jks
new file mode 100644
index 0000000..6e7fc6c
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/test_pk_only_keystore.jks
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/certificates/test_symmetric_key_keystore.jks b/qpid-test-utils/src/main/resources/ssl/certificates/test_symmetric_key_keystore.jks
new file mode 100644
index 0000000..129593a
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/certificates/test_symmetric_key_keystore.jks
Binary files differ
diff --git a/qpid-test-utils/src/main/resources/ssl/generate_certificates.sh b/qpid-test-utils/src/main/resources/ssl/generate_certificates.sh
new file mode 100755
index 0000000..636d6d5
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/generate_certificates.sh
@@ -0,0 +1,370 @@
+#!/bin/sh
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+MY_PATH="$(dirname "$(readlink -f "$0")")"
+CRL_HTTP_PORT=8186
+PASSWORD=password
+ROOT_CA=MyRootCA
+INTERMEDIATE_CA=intermediate_ca
+OPENSSL_DIR="$MY_PATH/openssl"
+OPENSSL_CONF="$OPENSSL_DIR/openssl.conf"
+CERTIFICATES_DIR="$MY_PATH/certificates"
+VALID_DAYS=1461
+
+CLIENT_KEYSTORE="$CERTIFICATES_DIR/client_keystore.jks"
+CLIENT_TRUSTSTORE="$CERTIFICATES_DIR/client_truststore.jks"
+CLIENT_EXPIRED_KEYSTORE="$CERTIFICATES_DIR/client_expired_keystore.jks"
+CLIENT_EXPIRED_CRT="$CERTIFICATES_DIR/client_expired.crt"
+CLIENT_UNTRUSTED_KEYSTORE="$CERTIFICATES_DIR/client_untrusted_keystore.jks"
+
+BROKER_KEYSTORE="$CERTIFICATES_DIR/broker_keystore.jks"
+BROKER_TRUSTSTORE="$CERTIFICATES_DIR/broker_truststore.jks"
+BROKER_PEERSTORE="$CERTIFICATES_DIR/broker_peerstore.jks"
+BROKER_EXPIRED_TRUSTSTORE="$CERTIFICATES_DIR/broker_expired_truststore.jks"
+BROKER_CRT="$CERTIFICATES_DIR/broker.crt"
+BROKER_CSR="$CERTIFICATES_DIR/broker.csr"
+BROKER_ALIAS="broker"
+
+TEST_KEYSTORE="$CERTIFICATES_DIR/test_keystore.jks"
+TEST_PK_ONLY_KEYSTORE="$CERTIFICATES_DIR/test_pk_only_keystore.jks"
+TEST_CERT_ONLY_KEYSTORE="$CERTIFICATES_DIR/test_cert_only_keystore.jks"
+TEST_SYMMETRIC_KEY_KEYSTORE="$CERTIFICATES_DIR/test_symmetric_key_keystore.jks"
+TEST_EMPTY_KEYSTORE="$CERTIFICATES_DIR/test_empty_keystore.jks"
+
+# set to true for debug
+DEBUG=false
+
+generate_selfsigned_ca()
+{
+ echo "Generating selfsigned CA certificate"
+ openssl req -x509 -newkey rsa:2048 -keyout "$CERTIFICATES_DIR/$ROOT_CA.key" -out "$CERTIFICATES_DIR/$ROOT_CA.crt" -days 1461 -subj '/C=CA/ST=Ontario/O=ACME/CN=MyRootCA' -passout pass:$PASSWORD -sha512 && \
+ keytool -import -alias rootca -file "$CERTIFICATES_DIR/$ROOT_CA.crt" -storepass "$PASSWORD" -noprompt -deststoretype PKCS12 -keystore "$CLIENT_KEYSTORE" && \
+ keytool -import -alias rootca -file "$CERTIFICATES_DIR/$ROOT_CA.crt" -storepass "$PASSWORD" -noprompt -deststoretype PKCS12 -keystore "$CLIENT_TRUSTSTORE" && \
+ keytool -import -alias rootca -file "$CERTIFICATES_DIR/$ROOT_CA.crt" -storepass "$PASSWORD" -noprompt -deststoretype PKCS12 -keystore "$BROKER_KEYSTORE" && \
+ keytool -import -alias rootca -file "$CERTIFICATES_DIR/$ROOT_CA.crt" -storepass "$PASSWORD" -noprompt -deststoretype PKCS12 -keystore "$BROKER_TRUSTSTORE"
+ _rc=$?
+ if [ $_rc -eq 0 ]; then
+ echo "Selfsigned CA certificate successfully generated"
+ else
+ echo "Failed to generate selfsigned CA certificate" >&2
+ fi
+ return $_rc
+}
+
+prepare_openssl_environment()
+{
+ echo "Preparing openssl environment"
+ rm -rf "$CERTIFICATES_DIR" && \
+ mkdir "$CERTIFICATES_DIR" && \
+ rm -rf "$OPENSSL_DIR" && \
+ mkdir "$OPENSSL_DIR" && \
+ cp "$MY_PATH/openssl.conf" "$OPENSSL_DIR" && \
+ sed -i "s|^dir = .|dir = $OPENSSL_DIR|" "$OPENSSL_CONF" && \
+ echo 1234 > "$OPENSSL_DIR"/serial && \
+ echo 1234 > "$OPENSSL_DIR"/crlnumber && \
+ touch "$OPENSSL_DIR"/index.txt && \
+ echo "unique_subject = no" > "$OPENSSL_DIR"/index.txt.attr && \
+ mkdir "$OPENSSL_DIR"/newcerts
+ _rc=$?
+ if [ $_rc -eq 0 ]; then
+ echo "Openssl environment successfully prepared"
+ else
+ echo "Failed to prepare openssl environment" >&2
+ fi
+ return $_rc
+}
+
+# $1 - alias
+generate_signed_certificate()
+{
+ _alias=$1
+ _subject="/C=CA/ST=ON/L=Toronto/O=acme/OU=art/CN=$_alias@acme.org"
+ echo "Generating CA signed certificate '$_alias'"
+ openssl req -x509 -newkey rsa:2048 -keyout "$CERTIFICATES_DIR/$_alias.self.key" -out "$CERTIFICATES_DIR/$_alias.self.crt" -subj "$_subject" -sha512 -passout pass:$PASSWORD && \
+ openssl req -config "$OPENSSL_CONF" -new -key "$CERTIFICATES_DIR/$_alias.self.key" -out "$CERTIFICATES_DIR/$_alias.csr" -sha512 -subj "$_subject" -passin pass:$PASSWORD && \
+ openssl ca -config "$OPENSSL_CONF" -md sha512 -extensions v3_req -batch -passin pass:$PASSWORD -out "$CERTIFICATES_DIR/$_alias.crt" -keyfile "$CERTIFICATES_DIR/$ROOT_CA.key" -cert "$CERTIFICATES_DIR/$ROOT_CA.crt" -days $VALID_DAYS -infiles "$CERTIFICATES_DIR/$_alias.csr" && \
+ openssl pkcs12 -export -chain -CAfile "$CERTIFICATES_DIR/$ROOT_CA.crt" -in "$CERTIFICATES_DIR/$_alias.crt" -inkey "$CERTIFICATES_DIR/$_alias.self.key" -out "$CERTIFICATES_DIR/$_alias.jks" -name $_alias -passin pass:"$PASSWORD" -passout pass:"$PASSWORD" && \
+ keytool -importkeystore -srckeystore "$CERTIFICATES_DIR/$_alias.jks" -srcstoretype PKCS12 -storepass "$PASSWORD" -srcstorepass "$PASSWORD" -alias $_alias -deststoretype PKCS12 -destkeystore "$CLIENT_KEYSTORE"
+ _rc=$?
+ if [ $_rc -eq 0 ]; then
+ echo "CA signed certificate '$_alias' successfully generated"
+ else
+ echo "Failed to generate CA signed certificate '$_alias'" >&2
+ fi
+ return $_rc
+}
+
+# $1 - certificate alias
+generate_signed_certificate_with_intermediate_signed_certificate()
+{
+ _alias=$1
+ _intermediate_ca_subject="/C=CA/ST=ON/L=Toronto/O=acme/OU=art/CN=$INTERMEDIATE_CA@acme.org"
+ _subject="/C=CA/ST=ON/L=Toronto/O=acme/OU=art/CN=$_alias@acme.org"
+ echo "Generating CA signed certificate '$_alias' with intermediate CA certificate '$INTERMEDIATE_CA'"
+ openssl req -x509 -newkey rsa:2048 -keyout "$CERTIFICATES_DIR/$INTERMEDIATE_CA.self.key" -out "$CERTIFICATES_DIR/$INTERMEDIATE_CA.self.crt" -subj "$_intermediate_ca_subject" -sha512 -passout pass:$PASSWORD && \
+ openssl req -config "$OPENSSL_CONF" -verbose -new -key "$CERTIFICATES_DIR/$INTERMEDIATE_CA.self.key" -out "$CERTIFICATES_DIR/$INTERMEDIATE_CA.csr" -sha512 -subj "$_intermediate_ca_subject" -passin pass:$PASSWORD && \
+ openssl ca -config "$OPENSSL_CONF" -md sha512 -extensions v3_ca -batch -passin pass:$PASSWORD -out "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crt" -keyfile "$CERTIFICATES_DIR/$ROOT_CA.key" -cert "$CERTIFICATES_DIR/$ROOT_CA.crt" -days $VALID_DAYS -infiles "$CERTIFICATES_DIR/$INTERMEDIATE_CA.csr" && \
+ openssl pkcs12 -export -chain -CAfile "$CERTIFICATES_DIR/$ROOT_CA.crt" -in "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crt" -inkey "$CERTIFICATES_DIR/$INTERMEDIATE_CA.self.key" -out "$CERTIFICATES_DIR/$INTERMEDIATE_CA.jks" -name $INTERMEDIATE_CA -passin pass:"$PASSWORD" -passout pass:"$PASSWORD"
+ echo "Generating CA signed certificate for '$_alias'" && \
+ openssl req -x509 -newkey rsa:2048 -keyout "$CERTIFICATES_DIR/$_alias.self.key" -out "$CERTIFICATES_DIR/$_alias.self.crt" -subj "$_subject" -sha512 -passout pass:$PASSWORD && \
+ openssl req -config "$OPENSSL_CONF" -verbose -new -key "$CERTIFICATES_DIR/$_alias.self.key" -out "$CERTIFICATES_DIR/$_alias.csr" -sha512 -subj "$_subject" -passin pass:$PASSWORD && \
+ openssl ca -config "$OPENSSL_CONF" -md sha512 -extensions v3_req -batch -passin pass:$PASSWORD -out "$CERTIFICATES_DIR/$_alias.crt" -keyfile "$CERTIFICATES_DIR/$INTERMEDIATE_CA.self.key" -cert "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crt" -days $VALID_DAYS -infiles "$CERTIFICATES_DIR/$_alias.csr" && \
+ cat "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crt" "$CERTIFICATES_DIR/$ROOT_CA.crt" > "$CERTIFICATES_DIR/chain_with_intermediate.crt"
+ openssl pkcs12 -export -chain -CAfile "$CERTIFICATES_DIR/chain_with_intermediate.crt" -in "$CERTIFICATES_DIR/$_alias.crt" -inkey "$CERTIFICATES_DIR/$_alias.self.key" -out "$CERTIFICATES_DIR/$_alias.jks" -name $_alias -passin pass:"$PASSWORD" -passout pass:"$PASSWORD" && \
+ keytool -importkeystore -srckeystore "$CERTIFICATES_DIR/$_alias.jks" -srcstoretype PKCS12 -storepass "$PASSWORD" -srcstorepass "$PASSWORD" -alias $_alias -deststoretype PKCS12 -destkeystore "$CLIENT_KEYSTORE"
+ _rc=$?
+ if [ $_rc -eq 0 ]; then
+ echo "CA signed certificate '$_alias' with intermediate CA certificate '$INTERMEDIATE_CA' successfully generated"
+ else
+ echo "Failed to generate CA signed certificate '$_alias' with intermediate CA certificate '$INTERMEDIATE_CA'" >&2
+ fi
+ return $_rc
+}
+
+generate_expired_certificate()
+{
+ _alias=user1
+ echo "Generating expired certificate '$_alias'"
+ keytool -genkeypair -alias $_alias -dname CN=USER1 -startdate "2010/01/01 12:00:00" -validity $VALID_DAYS -keysize 2048 -keyalg RSA -sigalg SHA512withRSA -keypass "$PASSWORD" -storepass "$PASSWORD" -deststoretype PKCS12 -keystore "$CLIENT_EXPIRED_KEYSTORE" && \
+ keytool -exportcert -keystore "$CLIENT_EXPIRED_KEYSTORE" -storepass "$PASSWORD" -alias $_alias -rfc -file "$CLIENT_EXPIRED_CRT" && \
+ keytool -import -alias $_alias -file "$CLIENT_EXPIRED_CRT" -storepass "$PASSWORD" -noprompt -deststoretype PKCS12 -sigalg SHA512withRSA -keystore "$BROKER_EXPIRED_TRUSTSTORE"
+ _rc=$?
+ if [ $_rc -eq 0 ]; then
+ echo "Expired certificate '$_alias' successfully generated"
+ else
+ echo "Failed to generate expired certificate '$_alias'" >&2
+ fi
+ return $_rc
+}
+
+generate_signed_broker_certificate()
+{
+ _subject="/C=CA/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=localhost"
+ echo "Generating CA signed certificate '$BROKER_ALIAS'"
+ openssl req -x509 -newkey rsa:2048 -keyout "$CERTIFICATES_DIR/$BROKER_ALIAS.self.key" -out "$CERTIFICATES_DIR/$BROKER_ALIAS.self.crt" -subj "$_subject" -passout pass:$PASSWORD && \
+ openssl req -config "$OPENSSL_CONF" -verbose -new -key "$CERTIFICATES_DIR/$BROKER_ALIAS.self.key" -out "$BROKER_CSR" -sha512 -subj "$_subject" -passin pass:$PASSWORD && \
+ openssl ca -config "$OPENSSL_CONF" -md sha512 -extensions v3_req -batch -passin pass:$PASSWORD -out "$BROKER_CRT" -keyfile "$CERTIFICATES_DIR/$ROOT_CA.key" -cert "$CERTIFICATES_DIR/$ROOT_CA.crt" -days $VALID_DAYS -infiles "$BROKER_CSR" && \
+ openssl pkcs12 -export -chain -CAfile "$CERTIFICATES_DIR/$ROOT_CA.crt" -in "$BROKER_CRT" -inkey "$CERTIFICATES_DIR/$BROKER_ALIAS.self.key" -out "$CERTIFICATES_DIR/$BROKER_ALIAS.jks" -name $BROKER_ALIAS -passin pass:"$PASSWORD" -passout pass:"$PASSWORD" && \
+ keytool -importkeystore -srckeystore "$CERTIFICATES_DIR/$BROKER_ALIAS.jks" -srcstoretype PKCS12 -storepass "$PASSWORD" -srcstorepass "$PASSWORD" -alias $BROKER_ALIAS -deststoretype PKCS12 -destkeystore "$BROKER_KEYSTORE"
+ _rc=$?
+ if [ $_rc -eq 0 ]; then
+ echo "CA signed certificate '$BROKER_ALIAS' successfully generated"
+ else
+ echo "Failed to generate CA signed certificate '$BROKER_ALIAS'" >&2
+ fi
+ return $_rc
+}
+
+# $1 - certificate alias
+# $2 - keystore where certificate will be imported
+import_to_keystore()
+{
+ _alias=$1
+ _keystore="$2"
+
+ echo "Importing certificate '$_alias' to keystore '$_keystore'"
+ keytool -import -alias $_alias -file "$CERTIFICATES_DIR/$_alias.crt" -storepass "$PASSWORD" -noprompt -deststoretype PKCS12 -sigalg SHA512withRSA -keystore "$_keystore"
+ _rc=$?
+ if [ $_rc -eq 0 ]; then
+ echo "Certificate '$_alias' successfully imported to keystore '$_keystore'"
+ else
+ echo "Failed to import certificate '$_alias' to keystore '$_keystore'" >&2
+ fi
+ return $_rc
+}
+
+generate_untrusted_client_certificate()
+{
+ _alias=untrusted_client
+
+ echo "Generating untrusted certificate '$_alias'"
+ keytool -genkeypair -alias $_alias -dname CN=$_alias -validity $VALID_DAYS -keysize 2048 -keyalg RSA -sigalg SHA512withRSA -keypass "$PASSWORD" -storepass "$PASSWORD" -deststoretype PKCS12 -keystore "$CLIENT_UNTRUSTED_KEYSTORE"
+ _rc=$?
+ if [ $_rc -eq 0 ]; then
+ echo "Untrusted certificate '$_alias' successfully generated"
+ else
+ echo "Failed to generate untrusted certificate '$_alias'" >&2
+ fi
+ return $_rc
+}
+
+add_certificate_crl_distribution_point()
+{
+ echo "Add CRL distribution points to openssl configuration"
+ sed -i "/\[ v3_req \]/a crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/$ROOT_CA.crl" "$OPENSSL_CONF" && \
+ sed -i "/\[ v3_ca \]/a crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/$ROOT_CA.crl" "$OPENSSL_CONF"
+ _rc=$?
+ if [ $_rc -eq 0 ]; then
+ echo "CRL distribution points successfully addded"
+ else
+ echo "Failed to add CRL distribution points" >&2
+ fi
+ return $_rc
+}
+
+set_certificate_crl_distribution_point_to_intermediate_ca()
+{
+ echo "Setting CRL distribution point for intermediate CA certificate '$INTERMEDIATE_CA'"
+ sed -i -z "s|crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/$ROOT_CA.crl|crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/$INTERMEDIATE_CA.crl|" "$OPENSSL_CONF"
+ _rc=$?
+ if [ $_rc -eq 0 ]; then
+ echo "CRL distribution point for intermediate CA certificate '$INTERMEDIATE_CA' successfully set"
+ else
+ echo "Failed to set CRL distribution point for intermediate CA certificate '$INTERMEDIATE_CA'" >&2
+ fi
+ return $_rc
+}
+
+set_certificate_crl_distribution_point_to_empty_crl()
+{
+ echo "Setting CRL distribution point to empty CRL"
+ sed -i -z "s|crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/$INTERMEDIATE_CA.crl|crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/$ROOT_CA.empty.crl|" "$OPENSSL_CONF"
+ _rc=$?
+ if [ $_rc -eq 0 ]; then
+ echo "CRL distribution point to empty CRL successfully set"
+ else
+ echo "Failed to set CRL distribution to empty CRL" >&2
+ fi
+ return $_rc
+}
+
+set_certificate_crl_distribution_point_to_invalid_crl_path()
+{
+ echo "Setting CRL distribution point to invalid CRL path"
+ sed -i "s|crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/$ROOT_CA.empty.crl|crlDistributionPoints=URI:http://localhost:$CRL_HTTP_PORT/not/a/crl|" "$OPENSSL_CONF"
+ _rc=$?
+ if [ $_rc -eq 0 ]; then
+ echo "CRL distribution point to invalid CRL path successfully set"
+ else
+ echo "Failed to set CRL distribution to invalid CRL path" >&2
+ fi
+ return $_rc
+}
+
+generate_intermediate_crl()
+{
+ echo "Generating intermediate CA certificate '$INTERMEDIATE_CA' CRL"
+ openssl ca -config "$OPENSSL_CONF" -passin pass:$PASSWORD -gencrl -keyfile "$CERTIFICATES_DIR/$INTERMEDIATE_CA.self.key" -cert "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crt" -out "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crl.pem" && \
+ openssl crl -inform PEM -in "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crl.pem" -outform DER -out "$CERTIFICATES_DIR/$INTERMEDIATE_CA.crl"
+ _rc=$?
+ if [ $_rc -eq 0 ]; then
+ echo "Intermediate CA certificate '$INTERMEDIATE_CA' CRL successfully generated"
+ else
+ echo "Failed to generate intermediate CA certificate '$INTERMEDIATE_CA' CRL" >&2
+ fi
+ return $_rc
+}
+
+
+# $1 - part of CRL file name
+generate_crl()
+{
+ _crl_name_part=$1
+ _crl_path_prefix=
+ if [ -n "$_crl_name_part" ]; then
+ _crl_path_prefix="$CERTIFICATES_DIR/$ROOT_CA.$_crl_name_part"
+ else
+ _crl_path_prefix="$CERTIFICATES_DIR/$ROOT_CA"
+ fi
+
+ echo "Generating certificate '$ROOT_CA' CRL to '$_crl_path_prefix'"
+ openssl ca -config "$OPENSSL_CONF" -passin pass:$PASSWORD -gencrl -keyfile "$CERTIFICATES_DIR/$ROOT_CA.key" -cert "$CERTIFICATES_DIR/$ROOT_CA.crt" -out "$_crl_path_prefix.crl.pem" && \
+ openssl crl -inform PEM -in "$_crl_path_prefix.crl.pem" -outform DER -out "$_crl_path_prefix.crl"
+ _rc=$?
+ if [ $_rc -eq 0 ]; then
+ echo "Certificate '$ROOT_CA' CRL successfully generated to '$_crl_path_prefix'"
+ else
+ echo "Failed to generate certificate '$ROOT_CA' CRL to '$_crl_path_prefix'" >&2
+ fi
+ return $_rc
+}
+
+revoke_certificate()
+{
+ _alias=$1
+
+ echo "Revoking certificate '$_alias'"
+ openssl ca -config "$OPENSSL_CONF" -passin pass:$PASSWORD -revoke "$CERTIFICATES_DIR/$_alias.crt" -keyfile "$CERTIFICATES_DIR/$ROOT_CA.key" -cert "$CERTIFICATES_DIR/$ROOT_CA.crt"
+ _rc=$?
+ if [ $_rc -eq 0 ]; then
+ echo "Certificate '$_alias' successfully revoked"
+ else
+ echo "Failed to revoke certificate '$_alias'" >&2
+ fi
+ return $_rc
+}
+
+prepare_test_keystores()
+{
+ echo "Preparing test keystores"
+ cp "$BROKER_KEYSTORE" "$TEST_KEYSTORE" && \
+ import_to_keystore "app1" "$TEST_KEYSTORE" && \
+ import_to_keystore "app2" "$TEST_KEYSTORE" && \
+ cp "$BROKER_KEYSTORE" "$TEST_PK_ONLY_KEYSTORE" && \
+ keytool -delete -v -alias rootca -storepass password -keystore "$TEST_PK_ONLY_KEYSTORE" && \
+ cp "$BROKER_KEYSTORE" "$TEST_CERT_ONLY_KEYSTORE" && \
+ keytool -delete -v -alias $BROKER_ALIAS -storepass password -keystore "$TEST_CERT_ONLY_KEYSTORE" && \
+ cp "$BROKER_KEYSTORE" "$TEST_SYMMETRIC_KEY_KEYSTORE" && \
+ keytool -genseckey -alias testalias -keyalg AES -keysize 256 -storetype PKCS12 -storepass "$PASSWORD" -keystore "$TEST_SYMMETRIC_KEY_KEYSTORE" && \
+ cp "$TEST_PK_ONLY_KEYSTORE" "$TEST_EMPTY_KEYSTORE"
+ keytool -delete -v -alias $BROKER_ALIAS -storepass password -keystore "$TEST_EMPTY_KEYSTORE" && \
+ _rc=$?
+ if [ $_rc -eq 0 ]; then
+ echo "Test keystores prepared"
+ else
+ echo "Failed to prepare keystores" >&2
+ fi
+ return $_rc
+}
+
+main()
+{
+ prepare_openssl_environment && \
+ generate_selfsigned_ca && \
+ generate_signed_certificate "app1" && \
+ generate_signed_certificate "app2" && \
+ generate_expired_certificate && \
+ generate_signed_broker_certificate && \
+ import_to_keystore "app1" "$BROKER_PEERSTORE" && \
+ generate_untrusted_client_certificate && \
+ add_certificate_crl_distribution_point && \
+ generate_signed_certificate "allowed_by_ca" && \
+ generate_signed_certificate "revoked_by_ca" && \
+ set_certificate_crl_distribution_point_to_intermediate_ca && \
+ generate_signed_certificate_with_intermediate_signed_certificate "allowed_by_ca_with_intermediate" && \
+ generate_intermediate_crl && \
+ set_certificate_crl_distribution_point_to_empty_crl && \
+ generate_signed_certificate "revoked_by_ca_empty_crl" && \
+ set_certificate_crl_distribution_point_to_invalid_crl_path && \
+ generate_signed_certificate "revoked_by_ca_invalid_crl_path" && \
+ generate_crl "empty" && \
+ revoke_certificate "$INTERMEDIATE_CA" && \
+ revoke_certificate "revoked_by_ca" && \
+ revoke_certificate "revoked_by_ca_empty_crl" && \
+ revoke_certificate "revoked_by_ca_invalid_crl_path" && \
+ generate_crl && \
+ prepare_test_keystores
+}
+
+if [ "$DEBUG" = true ]; then
+ main
+else
+ main 2>/dev/null 1>&2
+fi
diff --git a/qpid-test-utils/src/main/resources/ssl/openssl.conf b/qpid-test-utils/src/main/resources/ssl/openssl.conf
new file mode 100644
index 0000000..ad224d7
--- /dev/null
+++ b/qpid-test-utils/src/main/resources/ssl/openssl.conf
@@ -0,0 +1,380 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# Note that you can include other files from the main configuration
+# file using the .include directive.
+#.include filename
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file = $ENV::HOME/.oid
+oid_section = new_oids
+
+# System default
+openssl_conf = default_conf
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = .
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+#unique_subject = no # Set to 'no' to allow creation of
+ # several certs with same subject.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crlnumber = $dir/crlnumber # the current crl number
+ # must be commented out to leave a V1 CRL
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/cakey.pem# The private key
+
+x509_extensions = usr_cert # The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = default # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Some-State
+
+localityName = Locality Name (eg, city)
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName = Second Organization Name (eg, company)
+#1.organizationName_default = World Wide Web Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+
+unstructuredName = An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+# Extensions for a typical CA
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+basicConstraints = critical,CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1 # the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir = ./demoCA # TSA root directory
+serial = $dir/tsaserial # The current serial number (mandatory)
+crypto_device = builtin # OpenSSL engine to use for signing
+signer_cert = $dir/tsacert.pem # The TSA signing certificate
+ # (optional)
+certs = $dir/cacert.pem # Certificate chain to include in reply
+ # (optional)
+signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
+signer_digest = sha512 # Signing digest to use. (Optional)
+default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
+accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+clock_precision_digits = 0 # number of digits after dot. (optional)
+ordering = yes # Is ordering defined for timestamps?
+ # (optional, default: no)
+tsa_name = yes # Must the TSA name be included in the reply?
+ # (optional, default: no)
+ess_cert_id_chain = no # Must the ESS cert id chain be included?
+ # (optional, default: no)
+ess_cert_id_alg = sha1 # algorithm to compute certificate
+ # identifier (optional, default: sha1)
+[default_conf]
+ssl_conf = ssl_sect
+
+[ssl_sect]
+system_default = system_default_sect
+
+[system_default_sect]
+MinProtocol = TLSv1.2
+CipherString = DEFAULT@SECLEVEL=2
diff --git a/systests/qpid-systests-http-management/src/test/java/org/apache/qpid/tests/http/endtoend/port/PortTest.java b/systests/qpid-systests-http-management/src/test/java/org/apache/qpid/tests/http/endtoend/port/PortTest.java
index 81d7881..5302ea3 100644
--- a/systests/qpid-systests-http-management/src/test/java/org/apache/qpid/tests/http/endtoend/port/PortTest.java
+++ b/systests/qpid-systests-http-management/src/test/java/org/apache/qpid/tests/http/endtoend/port/PortTest.java
@@ -333,7 +333,7 @@
final java.security.KeyStore ks = java.security.KeyStore.getInstance(JAVA_KEYSTORE_TYPE);
ks.load(null);
ks.setCertificateEntry("certificate", certificate);
- final File storeFile = File.createTempFile(getTestName(), ".pkcs12");
+ final File storeFile = File.createTempFile(getTestName(), ".jks");
try (FileOutputStream fos = new FileOutputStream(storeFile))
{
ks.store(fos, PASS.toCharArray());
diff --git a/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/management/AmqpManagementTest.java b/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/management/AmqpManagementTest.java
index d6aa747..6b55c87 100644
--- a/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/management/AmqpManagementTest.java
+++ b/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/management/AmqpManagementTest.java
@@ -22,9 +22,6 @@
import static java.nio.charset.StandardCharsets.UTF_8;
import static org.apache.qpid.server.model.Queue.ALERT_THRESHOLD_QUEUE_DEPTH_MESSAGES;
-import static org.apache.qpid.systests.jms_1_1.extensions.tls.TlsTest.TRUSTSTORE;
-import static org.apache.qpid.test.utils.TestSSLConstants.JAVA_KEYSTORE_TYPE;
-import static org.apache.qpid.test.utils.TestSSLConstants.TRUSTSTORE_PASSWORD;
import static org.hamcrest.CoreMatchers.is;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
@@ -55,6 +52,7 @@
import javax.naming.NamingException;
import com.fasterxml.jackson.databind.ObjectMapper;
+import org.apache.qpid.test.utils.TestSSLConstants;
import org.junit.AfterClass;
import org.junit.BeforeClass;
import org.junit.Test;
@@ -81,8 +79,8 @@
// legacy client keystore/truststore types can only be configured with JVM settings
if (getProtocol() != Protocol.AMQP_1_0)
{
- System.setProperty("javax.net.ssl.trustStoreType", JAVA_KEYSTORE_TYPE);
- System.setProperty("javax.net.ssl.keyStoreType", JAVA_KEYSTORE_TYPE);
+ System.setProperty("javax.net.ssl.trustStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE);
+ System.setProperty("javax.net.ssl.keyStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE);
}
}
@@ -693,8 +691,8 @@
Connection connection = getConnectionBuilder().setTls(true)
.setPort(tlsPort)
- .setTrustStoreLocation(TRUSTSTORE)
- .setTrustStorePassword(TRUSTSTORE_PASSWORD)
+ .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
+ .setTrustStorePassword(TestSSLConstants.PASSWORD)
.build();
try
{
diff --git a/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/sasl/AuthenticationTest.java b/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/sasl/AuthenticationTest.java
index e5f033f..c808b45 100644
--- a/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/sasl/AuthenticationTest.java
+++ b/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/sasl/AuthenticationTest.java
@@ -20,21 +20,6 @@
*/
package org.apache.qpid.systests.jms_1_1.extensions.sasl;
-import static org.apache.qpid.systests.jms_1_1.extensions.tls.TlsTest.BROKER_KEYSTORE;
-import static org.apache.qpid.systests.jms_1_1.extensions.tls.TlsTest.BROKER_TRUSTSTORE;
-import static org.apache.qpid.systests.jms_1_1.extensions.tls.TlsTest.KEYSTORE;
-import static org.apache.qpid.systests.jms_1_1.extensions.tls.TlsTest.TEST_PROFILE_RESOURCE_BASE;
-import static org.apache.qpid.systests.jms_1_1.extensions.tls.TlsTest.TRUSTSTORE;
-import static org.apache.qpid.test.utils.TestSSLConstants.BROKER_KEYSTORE_PASSWORD;
-import static org.apache.qpid.test.utils.TestSSLConstants.BROKER_PEERSTORE;
-import static org.apache.qpid.test.utils.TestSSLConstants.BROKER_PEERSTORE_PASSWORD;
-import static org.apache.qpid.test.utils.TestSSLConstants.BROKER_TRUSTSTORE_PASSWORD;
-import static org.apache.qpid.test.utils.TestSSLConstants.CERT_ALIAS_APP1;
-import static org.apache.qpid.test.utils.TestSSLConstants.CERT_ALIAS_APP2;
-import static org.apache.qpid.test.utils.TestSSLConstants.EXPIRED_KEYSTORE;
-import static org.apache.qpid.test.utils.TestSSLConstants.KEYSTORE_PASSWORD;
-import static org.apache.qpid.test.utils.TestSSLConstants.TRUSTSTORE_PASSWORD;
-import static org.apache.qpid.test.utils.TestSSLConstants.JAVA_KEYSTORE_TYPE;
import static org.hamcrest.CoreMatchers.anyOf;
import static org.hamcrest.CoreMatchers.equalTo;
import static org.hamcrest.CoreMatchers.is;
@@ -44,6 +29,11 @@
import static org.junit.Assert.fail;
import static org.junit.Assume.assumeThat;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
@@ -53,7 +43,17 @@
import javax.jms.JMSException;
import javax.jms.Session;
import javax.jms.TemporaryQueue;
+import javax.naming.NamingException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.apache.qpid.server.security.FileTrustStoreTest;
+import org.eclipse.jetty.server.Request;
+import org.eclipse.jetty.server.Server;
+import org.eclipse.jetty.server.ServerConnector;
+import org.eclipse.jetty.server.handler.AbstractHandler;
+import org.eclipse.jetty.server.handler.ContextHandler;
+import org.eclipse.jetty.server.handler.HandlerCollection;
import org.junit.AfterClass;
import org.junit.BeforeClass;
import org.junit.Test;
@@ -81,6 +81,11 @@
private static final Logger LOGGER = LoggerFactory.getLogger(AuthenticationTest.class);
private static final String USER = "user";
private static final String USER_PASSWORD = "user";
+ // see how port is specified when certificates are generated in script
+ // test-profiles/test_resources/ssl/generate_certificates.sh
+ private static final int CRL_HTTP_PORT = 8186;
+ private static final Server CRL_SERVER = new Server();
+ private static final HandlerCollection HANDLERS = new HandlerCollection();
@BeforeClass
public static void setUp() throws Exception
@@ -96,9 +101,18 @@
// legacy client keystore/truststore types can only be configured with JVM settings
if (getProtocol() != Protocol.AMQP_1_0)
{
- System.setProperty("javax.net.ssl.trustStoreType", JAVA_KEYSTORE_TYPE);
- System.setProperty("javax.net.ssl.keyStoreType", JAVA_KEYSTORE_TYPE);
+ System.setProperty("javax.net.ssl.trustStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE);
+ System.setProperty("javax.net.ssl.keyStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE);
}
+ final ServerConnector connector = new ServerConnector(CRL_SERVER);
+ connector.setPort(CRL_HTTP_PORT);
+ connector.setHost("localhost");
+ CRL_SERVER.addConnector(connector);
+ createContext(Paths.get(TestSSLConstants.CA_CRL));
+ createContext(Paths.get(TestSSLConstants.CA_CRL_EMPTY));
+ createContext(Paths.get(TestSSLConstants.INTERMEDIATE_CA_CRL));
+ CRL_SERVER.setHandler(HANDLERS);
+ CRL_SERVER.start();
}
@AfterClass
@@ -115,6 +129,7 @@
System.clearProperty("javax.net.ssl.trustStoreType");
System.clearProperty("javax.net.ssl.keyStoreType");
}
+ CRL_SERVER.stop();
}
@@ -125,49 +140,49 @@
getProtocol(),
is(not(equalTo(Protocol.AMQP_1_0))));
- int port = createAuthenticationProviderAndUserAndPort(getTestName(), "MD5", USER, USER_PASSWORD);
+ final int port = createAuthenticationProviderAndUserAndPort(getTestName(), "MD5", USER, USER_PASSWORD);
- assertConnectivity(port, USER, USER_PASSWORD, CramMd5HashedNegotiator.MECHANISM);
+ assertPlainConnectivity(port, USER, USER_PASSWORD, CramMd5HashedNegotiator.MECHANISM);
}
@Test
public void sha256() throws Exception
{
- int port = createAuthenticationProviderAndUserAndPort(getTestName(),
+ final int port = createAuthenticationProviderAndUserAndPort(getTestName(),
ScramSHA256AuthenticationManager.PROVIDER_TYPE,
USER,
USER_PASSWORD);
- assertConnectivity(port, USER, USER_PASSWORD, ScramSHA256AuthenticationManager.MECHANISM);
+ assertPlainConnectivity(port, USER, USER_PASSWORD, ScramSHA256AuthenticationManager.MECHANISM);
}
@Test
public void sha1() throws Exception
{
- int port = createAuthenticationProviderAndUserAndPort(getTestName(),
+ final int port = createAuthenticationProviderAndUserAndPort(getTestName(),
ScramSHA1AuthenticationManager.PROVIDER_TYPE,
USER,
USER_PASSWORD);
- assertConnectivity(port, USER, USER_PASSWORD, ScramSHA1AuthenticationManager.MECHANISM);
+ assertPlainConnectivity(port, USER, USER_PASSWORD, ScramSHA1AuthenticationManager.MECHANISM);
}
@Test
public void external() throws Exception
{
- int port = createExternalProviderAndTlsPort();
+ final int port = createExternalProviderAndTlsPort();
Connection connection = getConnectionBuilder().setPort(port)
.setTls(true)
.setSaslMechanisms(ExternalAuthenticationManagerImpl.MECHANISM_NAME)
- .setKeyStoreLocation(KEYSTORE)
- .setKeyStorePassword(KEYSTORE_PASSWORD)
- .setTrustStoreLocation(TRUSTSTORE)
- .setTrustStorePassword(TRUSTSTORE_PASSWORD)
+ .setKeyStoreLocation(TestSSLConstants.CLIENT_KEYSTORE)
+ .setKeyStorePassword(TestSSLConstants.PASSWORD)
+ .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
+ .setTrustStorePassword(TestSSLConstants.PASSWORD)
.build();
try
{
- Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
+ final Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
assertNotNull("Temporary queue was not created", session.createTemporaryQueue());
}
finally
@@ -176,30 +191,191 @@
}
}
+ public void externalWithRevocationWithDataUrlCrlFileAndAllowedCertificate() throws Exception
+ {
+ final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
+ trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+ trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL,
+ FileTrustStoreTest.createDataUrlForFile(TestSSLConstants.CA_CRL));
+ final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
+ assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_ALLOWED);
+ }
+
+ @Test
+ public void externalWithRevocationWithDataUrlCrlFileAndRevokedCertificate() throws Exception
+ {
+ final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
+ trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+ trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL,
+ FileTrustStoreTest.createDataUrlForFile(TestSSLConstants.CA_CRL));
+ final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
+ assertNoTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_REVOKED);
+ }
+
+ @Test
+ public void externalWithRevocationWithCrlFileAndAllowedCertificate() throws Exception
+ {
+ final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
+ trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+ trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL);
+ final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
+ assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_ALLOWED);
+ }
+
+ @Test
+ public void externalWithRevocationWithCrlFileAndAllowedCertificateWithoutPreferCrls() throws Exception
+ {
+ final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
+ trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+ trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL);
+ trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_WITH_PREFERRING_CERTIFICATE_REVOCATION_LIST, false);
+ final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
+ assertNoTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_ALLOWED);
+ }
+
+ @Test
+ public void externalWithRevocationWithCrlFileAndRevokedCertificate() throws Exception
+ {
+ final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
+ trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+ trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL);
+ final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
+ assertNoTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_REVOKED);
+ }
+
+ @Test
+ public void externalWithRevocationWithEmptyCrlFileAndRevokedCertificate() throws Exception
+ {
+ final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
+ trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+ trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL_EMPTY);
+ final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
+ assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_ALLOWED);
+ }
+
+ @Test
+ public void externalWithRevocationAndAllowedCertificateWithCrlUrl() throws Exception
+ {
+ assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'",
+ CRL_SERVER, is(not(equalTo(null))));
+ final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
+ trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+ final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
+ assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_ALLOWED);
+ }
+
+ @Test
+ public void externalWithRevocationAndRevokedCertificateWithCrlUrl() throws Exception
+ {
+ assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'",
+ CRL_SERVER, is(not(equalTo(null))));
+ final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
+ trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+ final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
+ assertNoTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_REVOKED);
+ }
+
+ @Test
+ public void externalWithRevocationAndRevokedCertificateWithCrlUrlWithEmptyCrl() throws Exception
+ {
+ assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'",
+ CRL_SERVER, is(not(equalTo(null))));
+ final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
+ trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+ final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
+ assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_REVOKED_EMPTY_CRL);
+ }
+
+ @Test
+ public void externalWithRevocationDisabledWithCrlFileAndRevokedCertificate() throws Exception
+ {
+ final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
+ trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, false);
+ trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_LIST_URL, TestSSLConstants.CA_CRL);
+ final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
+ assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_REVOKED);
+ }
+
+ @Test
+ public void externalWithRevocationDisabledWithCrlUrlInRevokedCertificate() throws Exception
+ {
+ assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'",
+ CRL_SERVER, is(not(equalTo(null))));
+ final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
+ trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, false);
+ final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
+ assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_REVOKED);
+ }
+
+ @Test
+ public void externalWithRevocationAndRevokedCertificateWithCrlUrlWithSoftFail() throws Exception
+ {
+ assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'",
+ CRL_SERVER, is(not(equalTo(null))));
+ final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
+ trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+ trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_WITH_IGNORING_SOFT_FAILURES, true);
+ final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
+ assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_REVOKED_INVALID_CRL_PATH);
+ }
+
+ @Test
+ public void externalWithRevocationAndRevokedCertificateWithCrlUrlWithoutPreferCrls() throws Exception
+ {
+ assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'",
+ CRL_SERVER, is(not(equalTo(null))));
+ final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
+ trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+ trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_WITH_PREFERRING_CERTIFICATE_REVOCATION_LIST, false);
+ final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
+ assertNoTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_ALLOWED);
+ }
+
+ @Test
+ public void externalWithRevocationAndRevokedCertificateWithCrlUrlWithoutPreferCrlsWithFallback() throws Exception
+ {
+ assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'",
+ CRL_SERVER, is(not(equalTo(null))));
+ final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
+ trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+ trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_WITH_PREFERRING_CERTIFICATE_REVOCATION_LIST, false);
+ trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_WITH_NO_FALLBACK, false);
+ final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
+ assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_ALLOWED);
+ }
+
+ @Test
+ public void externalWithRevocationAndRevokedIntermediateCertificateWithCrlUrl() throws Exception
+ {
+ assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'",
+ CRL_SERVER, is(not(equalTo(null))));
+ final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
+ trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+ trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_OF_ONLY_END_ENTITY_CERTIFICATES, false);
+ trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_WITH_IGNORING_SOFT_FAILURES, true);
+ final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
+ assertNoTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_ALLOWED_WITH_INTERMEDIATE);
+ }
+
+ @Test
+ public void externalWithRevocationAndRevokedIntermediateCertificateWithCrlUrlOnlyEndEntity() throws Exception
+ {
+ assumeThat("HTTP server failed to bind to port '" + CRL_HTTP_PORT + "'",
+ CRL_SERVER, is(not(equalTo(null))));
+ final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
+ trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_ENABLED, true);
+ trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_OF_ONLY_END_ENTITY_CERTIFICATES, true);
+ trustStoreAttributes.put(FileTrustStore.CERTIFICATE_REVOCATION_CHECK_WITH_IGNORING_SOFT_FAILURES, true);
+ final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
+ assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_ALLOWED_WITH_INTERMEDIATE);
+ }
+
@Test
public void externalDeniesUntrustedClientCert() throws Exception
{
assumeThat("QPID-8069", getProtocol(), is(anyOf(equalTo(Protocol.AMQP_1_0), equalTo(Protocol.AMQP_0_10))));
-
- int port = createExternalProviderAndTlsPort();
-
- try
- {
- getConnectionBuilder().setPort(port)
- .setTls(true)
- .setSaslMechanisms(ExternalAuthenticationManagerImpl.MECHANISM_NAME)
- .setKeyStoreLocation(KEYSTORE)
- .setKeyStorePassword(KEYSTORE_PASSWORD)
- .setTrustStoreLocation(TRUSTSTORE)
- .setTrustStorePassword(TRUSTSTORE_PASSWORD)
- .setKeyAlias(TestSSLConstants.CERT_ALIAS_UNTRUSTED_CLIENT)
- .build();
- fail("Connection should not succeed");
- }
- catch (JMSException e)
- {
- // pass
- }
+ final int port = createExternalProviderAndTlsPort();
+ assertNoTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_UNTRUSTED_CLIENT);
}
@Test
@@ -207,21 +383,21 @@
{
assumeThat("QPID-8069", getProtocol(), is(anyOf(equalTo(Protocol.AMQP_1_0), equalTo(Protocol.AMQP_0_10))));
- Map<String, Object> trustStoreAttributes = new HashMap<>();
- trustStoreAttributes.put(FileTrustStore.STORE_URL, TEST_PROFILE_RESOURCE_BASE + BROKER_PEERSTORE);
- trustStoreAttributes.put(FileTrustStore.PASSWORD, BROKER_PEERSTORE_PASSWORD);
+ final Map<String, Object> trustStoreAttributes = new HashMap<>();
+ trustStoreAttributes.put(FileTrustStore.STORE_URL, TestSSLConstants.BROKER_PEERSTORE);
+ trustStoreAttributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
trustStoreAttributes.put(FileTrustStore.TRUST_ANCHOR_VALIDITY_ENFORCED, true);
- int port = createExternalProviderAndTlsPort(trustStoreAttributes);
+ final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
try
{
getConnectionBuilder().setPort(port)
.setTls(true)
.setSaslMechanisms(ExternalAuthenticationManagerImpl.MECHANISM_NAME)
- .setKeyStoreLocation(TEST_PROFILE_RESOURCE_BASE + EXPIRED_KEYSTORE)
- .setKeyStorePassword(KEYSTORE_PASSWORD)
- .setTrustStoreLocation(TRUSTSTORE)
- .setTrustStorePassword(TRUSTSTORE_PASSWORD)
+ .setKeyStoreLocation(TestSSLConstants.CLIENT_EXPIRED_KEYSTORE)
+ .setKeyStorePassword(TestSSLConstants.PASSWORD)
+ .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
+ .setTrustStorePassword(TestSSLConstants.PASSWORD)
.build();
fail("Connection should not succeed");
}
@@ -234,64 +410,27 @@
@Test
public void externalWithPeersOnlyTrustStore() throws Exception
{
- Map<String, Object> trustStoreAttributes = new HashMap<>();
- trustStoreAttributes.put(FileTrustStore.STORE_URL, TEST_PROFILE_RESOURCE_BASE + BROKER_PEERSTORE);
- trustStoreAttributes.put(FileTrustStore.PASSWORD, BROKER_PEERSTORE_PASSWORD);
+ final Map<String, Object> trustStoreAttributes = new HashMap<>();
+ trustStoreAttributes.put(FileTrustStore.STORE_URL, TestSSLConstants.BROKER_PEERSTORE);
+ trustStoreAttributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
trustStoreAttributes.put(FileTrustStore.PEERS_ONLY, true);
- int port = createExternalProviderAndTlsPort(trustStoreAttributes);
-
- Connection connection = getConnectionBuilder().setPort(port)
- .setTls(true)
- .setSaslMechanisms(ExternalAuthenticationManagerImpl.MECHANISM_NAME)
- .setKeyStoreLocation(KEYSTORE)
- .setKeyStorePassword(KEYSTORE_PASSWORD)
- .setTrustStoreLocation(TRUSTSTORE)
- .setTrustStorePassword(TRUSTSTORE_PASSWORD)
- .setKeyAlias(CERT_ALIAS_APP1)
- .build();
- try
- {
- connection.createSession(false, Session.AUTO_ACKNOWLEDGE).close();
- }
- finally
- {
- connection.close();
- }
+ final int port = createExternalProviderAndTlsPort(trustStoreAttributes);
+ assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_APP1);
assumeThat("QPID-8069", getProtocol(), is(anyOf(equalTo(Protocol.AMQP_1_0), equalTo(Protocol.AMQP_0_10))));
- try
- {
-
- getConnectionBuilder().setPort(port)
- .setTls(true)
- .setSaslMechanisms(ExternalAuthenticationManagerImpl.MECHANISM_NAME)
- .setKeyStoreLocation(KEYSTORE)
- .setKeyStorePassword(KEYSTORE_PASSWORD)
- .setTrustStoreLocation(TRUSTSTORE)
- .setTrustStorePassword(TRUSTSTORE_PASSWORD)
- .setKeyAlias(CERT_ALIAS_APP2)
- .build();
- fail("app2 certificate is NOT in the peerstore");
- }
- catch (JMSException e)
- {
- // pass
- }
-
+ assertNoTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_APP2);
}
@Test
public void externalWithRegularAndPeersOnlyTrustStores() throws Exception
{
- String trustStoreName = getTestName() + "RegularTrustStore";
- Connection brokerConnection = getConnectionBuilder().setVirtualHost("$management").build();
+ final String trustStoreName = getTestName() + "RegularTrustStore";
+ final Connection brokerConnection = getConnectionBuilder().setVirtualHost("$management").build();
try
{
brokerConnection.start();
- Map<String, Object> trustStoreAttributes = new HashMap<>();
- trustStoreAttributes.put(FileTrustStore.STORE_URL, BROKER_TRUSTSTORE);
- trustStoreAttributes.put(FileTrustStore.PASSWORD, BROKER_TRUSTSTORE_PASSWORD);
+ final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
trustStoreAttributes.put(FileTrustStore.TRUST_STORE_TYPE, TestSSLConstants.JAVA_KEYSTORE_TYPE);
createEntity(trustStoreName,
@@ -305,68 +444,32 @@
brokerConnection.close();
}
- Map<String, Object> trustStoreAttributes = new HashMap<>();
- trustStoreAttributes.put(FileTrustStore.STORE_URL, TEST_PROFILE_RESOURCE_BASE + BROKER_PEERSTORE);
- trustStoreAttributes.put(FileTrustStore.PASSWORD, BROKER_PEERSTORE_PASSWORD);
+ final Map<String, Object> trustStoreAttributes = new HashMap<>();
+ trustStoreAttributes.put(FileTrustStore.STORE_URL, TestSSLConstants.BROKER_PEERSTORE);
+ trustStoreAttributes.put(FileTrustStore.PASSWORD,TestSSLConstants.PASSWORD);
trustStoreAttributes.put(FileTrustStore.PEERS_ONLY, true);
- int port = createExternalProviderAndTlsPort(trustStoreAttributes, trustStoreName, false);
-
- Connection connection = getConnectionBuilder().setPort(port)
- .setTls(true)
- .setSaslMechanisms(ExternalAuthenticationManagerImpl.MECHANISM_NAME)
- .setKeyStoreLocation(KEYSTORE)
- .setKeyStorePassword(KEYSTORE_PASSWORD)
- .setTrustStoreLocation(TRUSTSTORE)
- .setTrustStorePassword(TRUSTSTORE_PASSWORD)
- .setKeyAlias(CERT_ALIAS_APP1)
- .build();
- try
- {
- connection.createSession(false, Session.AUTO_ACKNOWLEDGE).close();
- }
- finally
- {
- connection.close();
- }
+ final int port = createExternalProviderAndTlsPort(trustStoreAttributes, trustStoreName, false);
+ assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_APP1);
//use the app2 cert, which is NOT in the peerstore (but is signed by the same CA as app1)
- Connection connection2 = getConnectionBuilder().setPort(port)
- .setTls(true)
- .setSaslMechanisms(ExternalAuthenticationManagerImpl.MECHANISM_NAME)
- .setKeyStoreLocation(KEYSTORE)
- .setKeyStorePassword(KEYSTORE_PASSWORD)
- .setTrustStoreLocation(TRUSTSTORE)
- .setTrustStorePassword(TRUSTSTORE_PASSWORD)
- .setKeyAlias(CERT_ALIAS_APP2)
- .build();
-
- try
- {
- connection2.createSession(false, Session.AUTO_ACKNOWLEDGE).createTemporaryQueue();
- }
- finally
- {
- connection2.close();
- }
+ assertTlsConnectivity(port, TestSSLConstants.CERT_ALIAS_APP2);
}
@Test
public void externalUsernameAsDN() throws Exception
{
- Map<String, Object> trustStoreAttributes = new HashMap<>();
- trustStoreAttributes.put(FileTrustStore.STORE_URL, BROKER_TRUSTSTORE);
- trustStoreAttributes.put(FileTrustStore.PASSWORD, BROKER_TRUSTSTORE_PASSWORD);
+ final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
- String clientId = getTestName();
- int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, true);
- Connection connection = getConnectionBuilder().setPort(port)
+ final String clientId = getTestName();
+ final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, true);
+ final Connection connection = getConnectionBuilder().setPort(port)
.setTls(true)
.setSaslMechanisms(ExternalAuthenticationManagerImpl.MECHANISM_NAME)
- .setKeyStoreLocation(KEYSTORE)
- .setKeyStorePassword(KEYSTORE_PASSWORD)
- .setTrustStoreLocation(TRUSTSTORE)
- .setTrustStorePassword(TRUSTSTORE_PASSWORD)
- .setKeyAlias(CERT_ALIAS_APP2)
+ .setKeyStoreLocation(TestSSLConstants.CLIENT_KEYSTORE)
+ .setKeyStorePassword(TestSSLConstants.PASSWORD)
+ .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
+ .setTrustStorePassword(TestSSLConstants.PASSWORD)
+ .setKeyAlias(TestSSLConstants.CERT_ALIAS_APP2)
.setClientId(clientId)
.build();
try
@@ -386,20 +489,18 @@
@Test
public void externalUsernameAsCN() throws Exception
{
- Map<String, Object> trustStoreAttributes = new HashMap<>();
- trustStoreAttributes.put(FileTrustStore.STORE_URL, BROKER_TRUSTSTORE);
- trustStoreAttributes.put(FileTrustStore.PASSWORD, BROKER_TRUSTSTORE_PASSWORD);
+ final Map<String, Object> trustStoreAttributes = getBrokerTrustStoreAttributes();
- String clientId = getTestName();
- int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, false);
- Connection connection = getConnectionBuilder().setPort(port)
+ final String clientId = getTestName();
+ final int port = createExternalProviderAndTlsPort(trustStoreAttributes, null, false);
+ final Connection connection = getConnectionBuilder().setPort(port)
.setTls(true)
.setSaslMechanisms(ExternalAuthenticationManagerImpl.MECHANISM_NAME)
- .setKeyStoreLocation(KEYSTORE)
- .setKeyStorePassword(KEYSTORE_PASSWORD)
- .setTrustStoreLocation(TRUSTSTORE)
- .setTrustStorePassword(TRUSTSTORE_PASSWORD)
- .setKeyAlias(CERT_ALIAS_APP2)
+ .setKeyStoreLocation(TestSSLConstants.CLIENT_KEYSTORE)
+ .setKeyStorePassword(TestSSLConstants.PASSWORD)
+ .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
+ .setTrustStorePassword(TestSSLConstants.PASSWORD)
+ .setKeyAlias(TestSSLConstants.CERT_ALIAS_APP2)
.setClientId(clientId)
.build();
try
@@ -418,17 +519,17 @@
private void assertConnectionPrincipal(final String clientId, final String expectedPrincipal) throws Exception
{
- Connection brokerConnection = getConnectionBuilder().setVirtualHost("$management").build();
+ final Connection brokerConnection = getConnectionBuilder().setVirtualHost("$management").build();
try
{
brokerConnection.start();
String principal = null;
- List<Map<String, Object>> connections = queryEntitiesUsingAmqpManagement("org.apache.qpid.Connection", brokerConnection);
- for (Map<String, Object> connection : connections)
+ final List<Map<String, Object>> connections = queryEntitiesUsingAmqpManagement("org.apache.qpid.Connection", brokerConnection);
+ for (final Map<String, Object> connection : connections)
{
- String name = String.valueOf(connection.get(ConfiguredObject.NAME));
- Map<String, Object> attributes;
+ final String name = String.valueOf(connection.get(ConfiguredObject.NAME));
+ final Map<String, Object> attributes;
try
{
attributes = readEntityUsingAmqpManagement(
@@ -460,12 +561,17 @@
}
}
+ private Map<String, Object> getBrokerTrustStoreAttributes()
+ {
+ final Map<String, Object> trustStoreAttributes = new HashMap<>();
+ trustStoreAttributes.put(FileTrustStore.STORE_URL, TestSSLConstants.BROKER_TRUSTSTORE);
+ trustStoreAttributes.put(FileTrustStore.PASSWORD, TestSSLConstants.PASSWORD);
+ return trustStoreAttributes;
+ }
+
private int createExternalProviderAndTlsPort() throws Exception
{
- Map<String, Object> trustStoreAttributes = new HashMap<>();
- trustStoreAttributes.put(FileTrustStore.STORE_URL, BROKER_TRUSTSTORE);
- trustStoreAttributes.put(FileTrustStore.PASSWORD, BROKER_TRUSTSTORE_PASSWORD);
- return createExternalProviderAndTlsPort(trustStoreAttributes);
+ return createExternalProviderAndTlsPort(getBrokerTrustStoreAttributes());
}
private int createExternalProviderAndTlsPort(final Map<String, Object> trustStoreAttributes) throws Exception
@@ -478,12 +584,12 @@
final boolean useFullDN) throws Exception
{
final String providerName = getTestName();
- Connection connection = getConnectionBuilder().setVirtualHost("$management").build();
+ final Connection connection = getConnectionBuilder().setVirtualHost("$management").build();
try
{
connection.start();
- Map<String, Object> providerAttributes = new HashMap<>();
+ final Map<String, Object> providerAttributes = new HashMap<>();
providerAttributes.put("qpid-type", ExternalAuthenticationManager.PROVIDER_TYPE);
providerAttributes.put(ExternalAuthenticationManager.ATTRIBUTE_USE_FULL_DN, useFullDN);
createEntity(providerName,
@@ -492,8 +598,8 @@
connection);
final Map<String, Object> keyStoreAttributes = new HashMap<>();
- keyStoreAttributes.put("storeUrl", BROKER_KEYSTORE);
- keyStoreAttributes.put("password", BROKER_KEYSTORE_PASSWORD);
+ keyStoreAttributes.put("storeUrl", TestSSLConstants.BROKER_KEYSTORE);
+ keyStoreAttributes.put("password", TestSSLConstants.PASSWORD);
keyStoreAttributes.put("keyStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE);
final String keyStoreName = providerName + "KeyStore";
@@ -502,7 +608,7 @@
keyStoreAttributes,
connection);
- Map<String, Object> trustStoreSettings = new HashMap<>(trustStoreAttributes);
+ final Map<String, Object> trustStoreSettings = new HashMap<>(trustStoreAttributes);
trustStoreSettings.put("trustStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE);
final String trustStoreName = providerName + "TrustStore";
createEntity(trustStoreName,
@@ -510,8 +616,8 @@
trustStoreSettings,
connection);
- String portName = getPortName();
- Map<String, Object> sslPortAttributes = new HashMap<>();
+ final String portName = getPortName();
+ final Map<String, Object> sslPortAttributes = new HashMap<>();
sslPortAttributes.put(Port.TRANSPORTS, "[\"SSL\"]");
sslPortAttributes.put(Port.PORT, 0);
sslPortAttributes.put(Port.AUTHENTICATION_PROVIDER, providerName);
@@ -519,7 +625,7 @@
sslPortAttributes.put(Port.WANT_CLIENT_AUTH, false);
sslPortAttributes.put(Port.NAME, portName);
sslPortAttributes.put(Port.KEY_STORE, keyStoreName);
- String trustStores = additionalTrustStore == null
+ final String trustStores = additionalTrustStore == null
? "[\"" + trustStoreName + "\"]"
: "[\"" + trustStoreName + "\",\"" + additionalTrustStore + "\"]";
sslPortAttributes.put(Port.TRUST_STORES, trustStores);
@@ -529,7 +635,7 @@
sslPortAttributes,
connection);
- Map<String, Object> portEffectiveAttributes =
+ final Map<String, Object> portEffectiveAttributes =
readEntityUsingAmqpManagement(portName, "org.apache.qpid.AmqpPort", false, connection);
if (portEffectiveAttributes.containsKey("boundPort"))
{
@@ -553,7 +659,7 @@
final String userName,
final String userPassword) throws Exception
{
- Connection connection = getConnectionBuilder().setVirtualHost("$management").build();
+ final Connection connection = getConnectionBuilder().setVirtualHost("$management").build();
try
{
connection.start();
@@ -568,13 +674,13 @@
userAttributes.put("object-path", providerName);
createEntity(userName, User.class.getName(), userAttributes, connection);
- String portName = providerName + "Port";
+ final String portName = providerName + "Port";
final Map<String, Object> portAttributes = new HashMap<>();
portAttributes.put(Port.AUTHENTICATION_PROVIDER, providerName);
portAttributes.put(Port.PORT, 0);
createEntity(portName, "org.apache.qpid.AmqpPort", portAttributes, connection);
- Map<String, Object> portEffectiveAttributes =
+ final Map<String, Object> portEffectiveAttributes =
readEntityUsingAmqpManagement(portName, "org.apache.qpid.AmqpPort", false, connection);
if (portEffectiveAttributes.containsKey("boundPort"))
{
@@ -588,20 +694,60 @@
}
}
- private void assertConnectivity(final int port,
- final String userName,
- final String userPassword,
- final String mechanism) throws Exception
+ private Connection getConnection(int port, String certificateAlias) throws NamingException, JMSException
{
- Connection connection = getConnectionBuilder().setPort(port)
+ return getConnectionBuilder().setPort(port)
+ .setTls(true)
+ .setSaslMechanisms(ExternalAuthenticationManagerImpl.MECHANISM_NAME)
+ .setKeyStoreLocation(TestSSLConstants.CLIENT_KEYSTORE)
+ .setKeyStorePassword(TestSSLConstants.PASSWORD)
+ .setKeyAlias(certificateAlias)
+ .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
+ .setTrustStorePassword(TestSSLConstants.PASSWORD)
+ .build();
+ }
+
+ private void assertTlsConnectivity(int port, String certificateAlias) throws NamingException, JMSException
+ {
+ final Connection connection = getConnection(port, certificateAlias);
+ try
+ {
+ Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
+ assertNotNull("Temporary queue was not created", session.createTemporaryQueue());
+ }
+ finally
+ {
+ connection.close();
+ }
+ }
+
+ private void assertNoTlsConnectivity(int port, String certificateAlias) throws NamingException
+ {
+ try
+ {
+ getConnection(port, certificateAlias);
+ fail("Connection should not succeed");
+ }
+ catch (JMSException e)
+ {
+ // pass
+ }
+ }
+
+ private void assertPlainConnectivity(final int port,
+ final String userName,
+ final String userPassword,
+ final String mechanism) throws Exception
+ {
+ final Connection connection = getConnectionBuilder().setPort(port)
.setUsername(userName)
.setPassword(userPassword)
.setSaslMechanisms(mechanism)
.build();
try
{
- Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
- TemporaryQueue queue = session.createTemporaryQueue();
+ final Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
+ final TemporaryQueue queue = session.createTemporaryQueue();
assertNotNull("Temporary queue was not created", queue);
}
finally
@@ -637,4 +783,32 @@
// pass
}
}
+
+ private static void createContext(Path crlPath)
+ {
+ final ContextHandler contextHandler = new ContextHandler();
+ contextHandler.setContextPath("/" + crlPath.getFileName());
+ contextHandler.setHandler(new CrlServerHandler(crlPath));
+ HANDLERS.addHandler(contextHandler);
+ }
+
+ private static class CrlServerHandler extends AbstractHandler
+ {
+ final Path crlPath;
+ public CrlServerHandler(Path crlPath)
+ {
+ this.crlPath = crlPath;
+ }
+
+ @Override
+ public void handle(String target, Request baseRequest, HttpServletRequest request, HttpServletResponse response)
+ throws IOException
+ {
+ final byte[] crlBytes = Files.readAllBytes(crlPath);
+ response.setStatus(HttpServletResponse.SC_OK);
+ final OutputStream responseBody = response.getOutputStream();
+ responseBody.write(crlBytes);
+ responseBody.close();
+ }
+ }
}
diff --git a/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/tls/TlsTest.java b/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/tls/TlsTest.java
index 01d69f3..da61319 100644
--- a/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/tls/TlsTest.java
+++ b/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/tls/TlsTest.java
@@ -21,11 +21,6 @@
package org.apache.qpid.systests.jms_1_1.extensions.tls;
import static java.nio.charset.StandardCharsets.UTF_8;
-import static org.apache.qpid.test.utils.TestSSLConstants.JAVA_KEYSTORE_TYPE;
-import static org.apache.qpid.test.utils.TestSSLConstants.BROKER_KEYSTORE_PASSWORD;
-import static org.apache.qpid.test.utils.TestSSLConstants.BROKER_TRUSTSTORE_PASSWORD;
-import static org.apache.qpid.test.utils.TestSSLConstants.KEYSTORE_PASSWORD;
-import static org.apache.qpid.test.utils.TestSSLConstants.TRUSTSTORE_PASSWORD;
import static org.hamcrest.CoreMatchers.anyOf;
import static org.hamcrest.CoreMatchers.equalTo;
import static org.hamcrest.CoreMatchers.is;
@@ -72,18 +67,8 @@
public class TlsTest extends JmsTestBase
{
- public static final String TEST_PROFILE_RESOURCE_BASE = System.getProperty("java.io.tmpdir") + "/";
- public static final String BROKER_KEYSTORE =
- TEST_PROFILE_RESOURCE_BASE + org.apache.qpid.test.utils.TestSSLConstants.BROKER_KEYSTORE;
- public static final String BROKER_TRUSTSTORE =
- TEST_PROFILE_RESOURCE_BASE + org.apache.qpid.test.utils.TestSSLConstants.BROKER_TRUSTSTORE;
- public static final String KEYSTORE =
- TEST_PROFILE_RESOURCE_BASE + org.apache.qpid.test.utils.TestSSLConstants.KEYSTORE;
- public static final String TRUSTSTORE =
- TEST_PROFILE_RESOURCE_BASE + org.apache.qpid.test.utils.TestSSLConstants.TRUSTSTORE;
-
@BeforeClass
- public static void setUp() throws Exception
+ public static void setUp()
{
System.setProperty("javax.net.debug", "ssl");
@@ -96,13 +81,13 @@
// legacy client keystore/truststore types can only be configured with JVM settings
if (getProtocol() != Protocol.AMQP_1_0)
{
- System.setProperty("javax.net.ssl.trustStoreType", JAVA_KEYSTORE_TYPE);
- System.setProperty("javax.net.ssl.keyStoreType", JAVA_KEYSTORE_TYPE);
+ System.setProperty("javax.net.ssl.trustStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE);
+ System.setProperty("javax.net.ssl.keyStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE);
}
}
@AfterClass
- public static void tearDown() throws Exception
+ public static void tearDown()
{
System.clearProperty("javax.net.debug");
if (getProtocol() != Protocol.AMQP_1_0)
@@ -127,10 +112,10 @@
Connection connection = getConnectionBuilder().setPort(port)
.setHost(brokerAddress.getHostName())
.setTls(true)
- .setKeyStoreLocation(KEYSTORE)
- .setKeyStorePassword(KEYSTORE_PASSWORD)
- .setTrustStoreLocation(TRUSTSTORE)
- .setTrustStorePassword(TRUSTSTORE_PASSWORD)
+ .setKeyStoreLocation(TestSSLConstants.CLIENT_KEYSTORE)
+ .setKeyStorePassword(TestSSLConstants.PASSWORD)
+ .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
+ .setTrustStorePassword(TestSSLConstants.PASSWORD)
.build();
try
{
@@ -208,10 +193,10 @@
getConnectionBuilder().setPort(port)
.setHost("127.0.0.1")
.setTls(true)
- .setKeyStoreLocation(KEYSTORE)
- .setKeyStorePassword(KEYSTORE_PASSWORD)
- .setTrustStoreLocation(TRUSTSTORE)
- .setTrustStorePassword(TRUSTSTORE_PASSWORD)
+ .setKeyStoreLocation(TestSSLConstants.CLIENT_KEYSTORE)
+ .setKeyStorePassword(TestSSLConstants.PASSWORD)
+ .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
+ .setTrustStorePassword(TestSSLConstants.PASSWORD)
.build();
fail("Exception not thrown");
}
@@ -223,10 +208,10 @@
Connection connection = getConnectionBuilder().setPort(port)
.setHost("127.0.0.1")
.setTls(true)
- .setKeyStoreLocation(KEYSTORE)
- .setKeyStorePassword(KEYSTORE_PASSWORD)
- .setTrustStoreLocation(TRUSTSTORE)
- .setTrustStorePassword(TRUSTSTORE_PASSWORD)
+ .setKeyStoreLocation(TestSSLConstants.CLIENT_KEYSTORE)
+ .setKeyStorePassword(TestSSLConstants.PASSWORD)
+ .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
+ .setTrustStorePassword(TestSSLConstants.PASSWORD)
.setVerifyHostName(false)
.build();
try
@@ -372,8 +357,8 @@
Connection connection = getConnectionBuilder().setPort(port)
.setHost(brokerAddress.getHostName())
.setTls(true)
- .setTrustStoreLocation(TRUSTSTORE)
- .setTrustStorePassword(TRUSTSTORE_PASSWORD)
+ .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
+ .setTrustStorePassword(TestSSLConstants.PASSWORD)
.build();
try
{
@@ -398,8 +383,8 @@
getConnectionBuilder().setPort(port)
.setHost(getBrokerAdmin().getBrokerAddress(BrokerAdmin.PortType.AMQP).getHostName())
.setTls(true)
- .setTrustStoreLocation(TRUSTSTORE)
- .setTrustStorePassword(TRUSTSTORE_PASSWORD)
+ .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
+ .setTrustStorePassword(TestSSLConstants.PASSWORD)
.build();
fail("Connection was established successfully");
}
@@ -419,8 +404,8 @@
Connection connection = getConnectionBuilder().setPort(port)
.setHost(brokerAddress.getHostName())
.setTls(true)
- .setTrustStoreLocation(TRUSTSTORE)
- .setTrustStorePassword(TRUSTSTORE_PASSWORD)
+ .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
+ .setTrustStorePassword(TestSSLConstants.PASSWORD)
.build();
try
{
@@ -444,8 +429,8 @@
getConnectionBuilder().setPort(port)
.setHost(getBrokerAdmin().getBrokerAddress(BrokerAdmin.PortType.AMQP).getHostName())
.setTls(true)
- .setTrustStoreLocation(TRUSTSTORE)
- .setTrustStorePassword(TRUSTSTORE_PASSWORD)
+ .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
+ .setTrustStorePassword(TestSSLConstants.PASSWORD)
.build();
fail("Connection was established successfully");
}
@@ -466,10 +451,10 @@
Connection connection = getConnectionBuilder().setPort(port)
.setHost(brokerAddress.getHostName())
.setTls(true)
- .setKeyStoreLocation(KEYSTORE)
- .setKeyStorePassword(KEYSTORE_PASSWORD)
- .setTrustStoreLocation(TRUSTSTORE)
- .setTrustStorePassword(TRUSTSTORE_PASSWORD)
+ .setKeyStoreLocation(TestSSLConstants.CLIENT_KEYSTORE)
+ .setKeyStorePassword(TestSSLConstants.PASSWORD)
+ .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
+ .setTrustStorePassword(TestSSLConstants.PASSWORD)
.build();
try
{
@@ -516,8 +501,8 @@
Connection connection = getConnectionBuilder().setPort(port)
.setHost(brokerAddress.getHostName())
.setTls(true)
- .setTrustStoreLocation(TRUSTSTORE)
- .setTrustStorePassword(TRUSTSTORE_PASSWORD)
+ .setTrustStoreLocation(TestSSLConstants.CLIENT_TRUSTSTORE)
+ .setTrustStorePassword(TestSSLConstants.PASSWORD)
.setVerifyHostName(false)
.setOptions(options)
.build();
@@ -600,9 +585,9 @@
try
{
final Map<String, Object> keyStoreAttributes = new HashMap<>();
- keyStoreAttributes.put("storeUrl", BROKER_KEYSTORE);
- keyStoreAttributes.put("password", BROKER_KEYSTORE_PASSWORD);
- keyStoreAttributes.put("keyStoreType", JAVA_KEYSTORE_TYPE);
+ keyStoreAttributes.put("storeUrl", TestSSLConstants.BROKER_KEYSTORE);
+ keyStoreAttributes.put("password", TestSSLConstants.PASSWORD);
+ keyStoreAttributes.put("keyStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE);
managementFacade.createEntityAndAssertResponse(keyStoreName,
FileKeyStore.class.getName(),
keyStoreAttributes,
@@ -617,9 +602,9 @@
try
{
final Map<String, Object> trustStoreAttributes = new HashMap<>();
- trustStoreAttributes.put("storeUrl", BROKER_TRUSTSTORE);
- trustStoreAttributes.put("password", BROKER_TRUSTSTORE_PASSWORD);
- trustStoreAttributes.put("trustStoreType", JAVA_KEYSTORE_TYPE);
+ trustStoreAttributes.put("storeUrl", TestSSLConstants.BROKER_TRUSTSTORE);
+ trustStoreAttributes.put("password", TestSSLConstants.PASSWORD);
+ trustStoreAttributes.put("trustStoreType", TestSSLConstants.JAVA_KEYSTORE_TYPE);
managementFacade.createEntityAndAssertResponse(trustStoreName,
FileTrustStore.class.getName(),
trustStoreAttributes,
@@ -680,10 +665,10 @@
private void setSslStoreSystemProperties()
{
- System.setProperty("javax.net.ssl.keyStore", KEYSTORE);
- System.setProperty("javax.net.ssl.keyStorePassword", KEYSTORE_PASSWORD);
- System.setProperty("javax.net.ssl.trustStore", TRUSTSTORE);
- System.setProperty("javax.net.ssl.trustStorePassword", TRUSTSTORE_PASSWORD);
+ System.setProperty("javax.net.ssl.keyStore", TestSSLConstants.CLIENT_KEYSTORE);
+ System.setProperty("javax.net.ssl.keyStorePassword", TestSSLConstants.PASSWORD);
+ System.setProperty("javax.net.ssl.trustStore", TestSSLConstants.CLIENT_TRUSTSTORE);
+ System.setProperty("javax.net.ssl.trustStorePassword", TestSSLConstants.PASSWORD);
}
private void clearSslStoreSystemProperties()
@@ -696,16 +681,16 @@
private File[] extractResourcesFromTestKeyStore() throws Exception
{
- java.security.KeyStore ks = java.security.KeyStore.getInstance(JAVA_KEYSTORE_TYPE);
- try (InputStream is = new FileInputStream(KEYSTORE))
+ java.security.KeyStore ks = java.security.KeyStore.getInstance(TestSSLConstants.JAVA_KEYSTORE_TYPE);
+ try (InputStream is = new FileInputStream(TestSSLConstants.CLIENT_KEYSTORE))
{
- ks.load(is, KEYSTORE_PASSWORD.toCharArray());
+ ks.load(is, TestSSLConstants.PASSWORD.toCharArray());
}
File privateKeyFile = Files.createTempFile(getTestName(), ".private-key.der").toFile();
try (FileOutputStream kos = new FileOutputStream(privateKeyFile))
{
- Key pvt = ks.getKey(TestSSLConstants.CERT_ALIAS_APP1, KEYSTORE_PASSWORD.toCharArray());
+ Key pvt = ks.getKey(TestSSLConstants.CERT_ALIAS_APP1, TestSSLConstants.PASSWORD.toCharArray());
kos.write(TestSSLUtils.privateKeyToPEM(pvt).getBytes(UTF_8));
}
@@ -725,10 +710,10 @@
private File extractCertFileFromTestTrustStore() throws Exception
{
- java.security.KeyStore ks = java.security.KeyStore.getInstance(JAVA_KEYSTORE_TYPE);
- try (InputStream is = new FileInputStream(TRUSTSTORE))
+ java.security.KeyStore ks = java.security.KeyStore.getInstance(TestSSLConstants.JAVA_KEYSTORE_TYPE);
+ try (InputStream is = new FileInputStream(TestSSLConstants.CLIENT_TRUSTSTORE))
{
- ks.load(is, TRUSTSTORE_PASSWORD.toCharArray());
+ ks.load(is, TestSSLConstants.PASSWORD.toCharArray());
}
File certificateFile = Files.createTempFile(getTestName(), ".crt").toFile();
diff --git a/test-profiles/test_resources/ssl/CA_db/cert9.db b/test-profiles/test_resources/ssl/CA_db/cert9.db
deleted file mode 100644
index 2bed63c..0000000
--- a/test-profiles/test_resources/ssl/CA_db/cert9.db
+++ /dev/null
Binary files differ
diff --git a/test-profiles/test_resources/ssl/CA_db/key4.db b/test-profiles/test_resources/ssl/CA_db/key4.db
deleted file mode 100644
index 4562b1a..0000000
--- a/test-profiles/test_resources/ssl/CA_db/key4.db
+++ /dev/null
Binary files differ
diff --git a/test-profiles/test_resources/ssl/CA_db/pkcs11.txt b/test-profiles/test_resources/ssl/CA_db/pkcs11.txt
deleted file mode 100644
index beb8e0f..0000000
--- a/test-profiles/test_resources/ssl/CA_db/pkcs11.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-library=
-name=NSS Internal PKCS #11 Module
-parameters=configdir='CA_db' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
-NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
-
diff --git a/test-profiles/test_resources/ssl/CA_db/rootca.crt b/test-profiles/test_resources/ssl/CA_db/rootca.crt
deleted file mode 100644
index b9356b6..0000000
--- a/test-profiles/test_resources/ssl/CA_db/rootca.crt
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDETCCAfmgAwIBAgIFALBcSiAwDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMC
-Q0ExEDAOBgNVBAgTB09udGFyaW8xDTALBgNVBAoTBEFDTUUxETAPBgNVBAMTCE15
-Um9vdENBMB4XDTE5MDIyNzE2MDM1OVoXDTI0MDIyNzE2MDM1OVowQTELMAkGA1UE
-BhMCQ0ExEDAOBgNVBAgTB09udGFyaW8xDTALBgNVBAoTBEFDTUUxETAPBgNVBAMT
-CE15Um9vdENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx7wfxIsA
-yM7HhpEfHy0rEBrhfwCTf/dO/x6DFKjYfxKuhbFcHuBWHhq60mn04Wfo0kwCSZSE
-sabJvba5iHAztzHUeLBTyg9fy57tlNs0sQMqXCD3bwa1HBGgMt5A05zSmi9ZklwH
-xrfB8nbSePD/V1tmwjXvWYx/G2xnRHZbs8dS000DteI2yq8O1i/NJst8KrifxgE2
-RzfNqSLxrmEzZAe5lt2eGIxr+UatR/AKXFixfKEK523Rq9CnJ7Fdgzt0WebbhUwg
-4A0AIJk4h6WKTB+RwdWT9Dgzc+qSkjHco9vqToF92QfQOygPjDSjWKHwPyTskuYf
-W9EohouHZWjsXQIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBDQUA
-A4IBAQCYi9vsfbIRihVyVQ8R1xBD+v7HZ31Se4v3ODQ9xD4DBE4qcE4kYTmFdRoD
-5WIm9O2w20Iz4icVr1iyOlund9psL3CSklPVUqGIGQXfzxfI9Dgi+NicIWDFhHra
-hfeYl2Tg4lkkodTewVMdiigh7MBdWnr3j/xEIWxcvD3x5ymXPV6PU9mzn8r/tcNC
-A+07I0eCqcAYHDTEQxumiTBObymnnABYr0lDa+baWrW2YuLx+I5I+rHFEnuy9vDn
-rN0kZuG32V5cIAavDZWkUrxR87TsJ0gxv/cbFU+J2x4Z6X8ryI2HhLujxqXmTzSH
-5Bq18bki5O4kqJFY4CA/N+035Yta
------END CERTIFICATE-----
diff --git a/test-profiles/test_resources/ssl/app1.crt b/test-profiles/test_resources/ssl/app1.crt
deleted file mode 100644
index edc890f..0000000
--- a/test-profiles/test_resources/ssl/app1.crt
+++ /dev/null
@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDYjCCAkqgAwIBAgIFALBcS8MwDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMC
-Q0ExEDAOBgNVBAgTB09udGFyaW8xDTALBgNVBAoTBEFDTUUxETAPBgNVBAMTCE15
-Um9vdENBMB4XDTE5MDIyNzE2MDcxNloXDTI0MDIyNzE2MDcxNlowYTELMAkGA1UE
-BhMCQ0ExCzAJBgNVBAgTAk9OMRAwDgYDVQQHEwdUb3JvbnRvMQ0wCwYDVQQKEwRh
-Y21lMQwwCgYDVQQLEwNhcnQxFjAUBgNVBAMMDWFwcDFAYWNtZS5vcmcwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCXNdGrF7GBnVVvkrwzu9xo7scIEUll
-82cRZ2yQ+Ua4dkg+mmrVwZjSN/fkUNsrecruhfx4jcmaEXwdixuDpCnw1fZ1xfC7
-AO2FdZrGtdFeaBfVyZ6g2hihcWK2FPlJRhvG2Fm6FlZAwQyhfagnA4VBxthFlhGw
-D7su+rp3bVGHXh0RYtc6eCE5FK9/tnGQgLVBVnENmdCg4Xd3WtnPV/boWSUR6Obk
-M7CfDOkFDz4DrJmUEaMMzGScustNsZuU/qZ2ei1eaY0GMnRquW4hyYYw8JXVO3Ji
-JtchVlUo7SL2gDuGmpk+/yceitJWn2e482lgURuVRFSwSgSqEkZrjCSpAgMBAAGj
-QTA/MB0GA1UdDgQWBBTDC6GBKI/QRwIZlVC8SJN6V/6OxDAJBgNVHRMEAjAAMBMG
-A1UdJQQMMAoGCCsGAQUFBwMCMA0GCSqGSIb3DQEBDQUAA4IBAQBjNo/6CYFVU21q
-TWW88eG1J/I6e+vv9hjNWuxtsOuWUzoepNFAa7gY1C5jMHMe1hXl9hK4mHm/D1o2
-5i3FERDyLz5x6a0oQP6T8F+BLfg8YGfbrcCuZPInPKgw5bc2xRVJc8zaZM5EBw1+
-U80+o5Er2XU/MSfJ6vfsNjZ7aGOo/ssQwBarKGHUwQTazgwRy+kVh9aZf+Vadbnx
-u3mtV6md9EMLfRzOKfTrdlHrS1CgUTKn+LmwSsBNomxXJcW0gpWIx4hoCd07vJCj
-WAvAeHdzAVSiAKkJ42ikOd7g5pXUFkpcNlIyfLpJGwTZYNSCx0eXuSUt3cLA+7V/
-2wXQNMED
------END CERTIFICATE-----
diff --git a/test-profiles/test_resources/ssl/app1.req b/test-profiles/test_resources/ssl/app1.req
deleted file mode 100644
index f1f90e0..0000000
--- a/test-profiles/test_resources/ssl/app1.req
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN NEW CERTIFICATE REQUEST-----
-MIIC1jCCAb4CAQAwYTELMAkGA1UEBhMCQ0ExCzAJBgNVBAgTAk9OMRAwDgYDVQQH
-EwdUb3JvbnRvMQ0wCwYDVQQKEwRhY21lMQwwCgYDVQQLEwNhcnQxFjAUBgNVBAMM
-DWFwcDFAYWNtZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCX
-NdGrF7GBnVVvkrwzu9xo7scIEUll82cRZ2yQ+Ua4dkg+mmrVwZjSN/fkUNsrecru
-hfx4jcmaEXwdixuDpCnw1fZ1xfC7AO2FdZrGtdFeaBfVyZ6g2hihcWK2FPlJRhvG
-2Fm6FlZAwQyhfagnA4VBxthFlhGwD7su+rp3bVGHXh0RYtc6eCE5FK9/tnGQgLVB
-VnENmdCg4Xd3WtnPV/boWSUR6ObkM7CfDOkFDz4DrJmUEaMMzGScustNsZuU/qZ2
-ei1eaY0GMnRquW4hyYYw8JXVO3JiJtchVlUo7SL2gDuGmpk+/yceitJWn2e482lg
-URuVRFSwSgSqEkZrjCSpAgMBAAGgMDAuBgkqhkiG9w0BCQ4xITAfMB0GA1UdDgQW
-BBTDC6GBKI/QRwIZlVC8SJN6V/6OxDANBgkqhkiG9w0BAQ0FAAOCAQEAVQ6eZDo+
-aW/JjTsK1duwqkpxWcGWyNApOaEETnunCFUsTYcN3zId7107gNMlKSQrQOztYFNc
-OKjDOicKHSoYoh+qRxprB4CPrhdNMXrtjFUOCDA+eLvf7kHn9hcOzg8XkgDOFVOs
-x61krLsN5jo2pfqdiPj13ilas7lBy4/WjEnazg/g/ckWAbYp2Rec47UnAGi5LB9h
-cgO/+vZUpmCCfHCURBC1qwk9UdbXlaDZcbITszvR86PZ6ztkDO9dxbDDvCHydvcD
-jaEHdvpSlC2WiWc4R/Tjq+xYQkRayPHYzHF1w3YYEbpuQOZwiuzYlQrZnOyH+oVC
-/0qy57VDVqP/HA==
------END NEW CERTIFICATE REQUEST-----
diff --git a/test-profiles/test_resources/ssl/app2.crt b/test-profiles/test_resources/ssl/app2.crt
deleted file mode 100644
index 5693e43..0000000
--- a/test-profiles/test_resources/ssl/app2.crt
+++ /dev/null
@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDZTCCAk2gAwIBAgIFALBcS6owDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMC
-Q0ExEDAOBgNVBAgTB09udGFyaW8xDTALBgNVBAoTBEFDTUUxETAPBgNVBAMTCE15
-Um9vdENBMB4XDTE5MDIyNzE2MDcwM1oXDTI0MDIyNzE2MDcwM1owYTELMAkGA1UE
-BhMCQ0ExCzAJBgNVBAgTAk9OMRAwDgYDVQQHEwdUb3JvbnRvMQ0wCwYDVQQKEwRh
-Y21lMQwwCgYDVQQLEwNhcnQxFjAUBgNVBAMMDWFwcDJAYWNtZS5vcmcwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCXMCZtW+a6JxuA2fN45Ta/0ilUqfme
-r+aGG2yTtwdRkduUssBogCYq1Pxk+l4nDgNWjscgGhtxeY9nw3u+NaxFJxuQrKLu
-nnsdh+htzTUsq/iWKwcU6A4MX1aC++Ic6poTeunv6MHVdujehJOCph6zDEANjT2f
-gHHjxBMPO+fe0mEtsWwezp+xJJAOCAkMivoziQ0OopIqFSF/FhFZDK4bJFruAJJc
-0CZNBM7Ox2sNAK1cX8mxZhzWfUGQs2hfobri9J/GUlnXmN9nk6v5FybDjH6u9jcd
-9bY2f03PC9whclIzar5TiWLfg7MZHctUv2MZZWy1c7hfzktCvjW5Y7R7AgMBAAGj
-RDBCMB0GA1UdDgQWBBTzMIzbe9uahZhnVxRWUyelP3jc9TAMBgNVHRMBAf8EAjAA
-MBMGA1UdJQQMMAoGCCsGAQUFBwMCMA0GCSqGSIb3DQEBDQUAA4IBAQAJMyC3QdIH
-ZwdUYKiwAl7W89CarMjCEH960fhHAcyliGYTtRj7aMEkWpFvR16yuRHfbiE4XZ71
-ClySvZxVl9DBcpSx69PBiRELd1wpRk5YP/1mxPtS85JlRCMVG92dizL0jSvugDcp
-pfTR9ifCK9skHrHMRvsmh7w4L2YX1IJXSORjzTHTOpqLM1vDERximf16C5ZPMhbJ
-F3jP8+k74/o3gDTttR/89M8bg5Xi/7VW4CWcBZTWnp43y8UlncbWRRwYMnJ7UAva
-7Dg0un/Nu4K/ggALmzsB3x4XBMvzIFf0orhRuFqS7BCqFg5ZavpMPHwDX7dFEjIC
-BsUjFnrzaxHI
------END CERTIFICATE-----
diff --git a/test-profiles/test_resources/ssl/app2.req b/test-profiles/test_resources/ssl/app2.req
deleted file mode 100644
index 61235b0..0000000
--- a/test-profiles/test_resources/ssl/app2.req
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN NEW CERTIFICATE REQUEST-----
-MIIC1jCCAb4CAQAwYTELMAkGA1UEBhMCQ0ExCzAJBgNVBAgTAk9OMRAwDgYDVQQH
-EwdUb3JvbnRvMQ0wCwYDVQQKEwRhY21lMQwwCgYDVQQLEwNhcnQxFjAUBgNVBAMM
-DWFwcDJAYWNtZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCX
-MCZtW+a6JxuA2fN45Ta/0ilUqfmer+aGG2yTtwdRkduUssBogCYq1Pxk+l4nDgNW
-jscgGhtxeY9nw3u+NaxFJxuQrKLunnsdh+htzTUsq/iWKwcU6A4MX1aC++Ic6poT
-eunv6MHVdujehJOCph6zDEANjT2fgHHjxBMPO+fe0mEtsWwezp+xJJAOCAkMivoz
-iQ0OopIqFSF/FhFZDK4bJFruAJJc0CZNBM7Ox2sNAK1cX8mxZhzWfUGQs2hfobri
-9J/GUlnXmN9nk6v5FybDjH6u9jcd9bY2f03PC9whclIzar5TiWLfg7MZHctUv2MZ
-ZWy1c7hfzktCvjW5Y7R7AgMBAAGgMDAuBgkqhkiG9w0BCQ4xITAfMB0GA1UdDgQW
-BBTzMIzbe9uahZhnVxRWUyelP3jc9TANBgkqhkiG9w0BAQ0FAAOCAQEAKstPTwyn
-rn7dC+5SeP1ww6bMp77+KdQFu7aJ3Ul2xt6ICp0GkH5motvFx+dw5im8la4NH6Y7
-ZQS9eeoT6Zfi76Ve1wSVE2Gu0k9KgGXXW8ZodKml5vK89jf/3Fsy/058coOjsUDI
-iZqGajqiZshpmIpCJP3PPGA1Db30RY93U3iJAEwJCAXhGEd7EXV5iP3HA8wzuwws
-7osIz2oixsM/6Btf0+7FBt7AtqkknuDcw1Z/ZoUc5iIpMnGTtoajXnpNs7VgpngU
-bjMhgJSEOyjZrPn1VxtP23KVWm3+aAs/3gGW058ku3NYXg9H8FLysUNackZlnxqz
-dvTNaLl4FIUgiw==
------END NEW CERTIFICATE REQUEST-----
diff --git a/test-profiles/test_resources/ssl/expired.crt b/test-profiles/test_resources/ssl/expired.crt
deleted file mode 100644
index 933330a..0000000
--- a/test-profiles/test_resources/ssl/expired.crt
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICvzCCAaegAwIBAgIEAjtn8zANBgkqhkiG9w0BAQ0FADAQMQ4wDAYDVQQDEwVV
-U0VSMTAeFw0xMDAxMDEyMjQ0MjVaFw0xMDAxMDIyMjQ0MjVaMBAxDjAMBgNVBAMT
-BVVTRVIxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAj2wa5um63bXJ
-j7jv3pfhDgkvwE9hfM/DLv1rmkq2Psepefb40VJng61WiTeLNWdXrAJ+ui5iHTCn
-8n+iqaucaPv4mOwH3j57CCLRvFrFSp/cUx2oZ3Zx1DfaSgfIc5F8AJQvYrtCxa6m
-eYCoUJ3BZqARiKc6fk/RtACB1YI9mCDYOgnntNhEwMkRTuPqholyaL1fmw51EDGH
-iGCQwsxj+YMLkuK2aQAs498NcA6fzui0Ey3MJ6LmLYbOSKqZ1cBzC4YfSGH921Ic
-4YDgsvQ1io1zN4AJFHj8ld5rlDCTElgUFmkm2wCLvQAQ9+5MB4fDVLFldpHHBgX2
-0097qFSAEwIDAQABoyEwHzAdBgNVHQ4EFgQUZ30jJvIgSSRkltqIKv7UgEYnlvUw
-DQYJKoZIhvcNAQENBQADggEBABYZ+ZwbRnJvfjnFq9c+GV5/7FJOTlO0SVAVZrYJ
-HzquTr3mFDkhOc6aDlaNGiFAJcs6Udj3MvV7J+Uuai9oJDmVCt94HZL3k09G+z1b
-A3BorBKWDYm2L9CKpjUgD0VY40Tc2yNVyrzCbdjVnBkrLKiAirSrb5NJK2lnJg4Y
-TB7TiAnSydfRWUyUo8/wEMgIo4o0vuB7AnBQFhCd0XRmxBNoBZ19f+R041I6CQ0L
-9jc172XWHL1o111/RS7M8qLcWxi11DN62p6IKNT32DnhVV0RFnfVTQDaQ9qsPFmg
-Dngy+2weYwc6hEKhnunGrv0LNoqp6lQbOZO4c4v0/ynBHf4=
------END CERTIFICATE-----
diff --git a/test-profiles/test_resources/ssl/generate-java-keystores.sh b/test-profiles/test_resources/ssl/generate-java-keystores.sh
deleted file mode 100755
index f6c8e82..0000000
--- a/test-profiles/test_resources/ssl/generate-java-keystores.sh
+++ /dev/null
@@ -1,129 +0,0 @@
-#!/usr/bin/env bash
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-
-echo "Remove existing keystore for Apache Qpid Broker-J "
-rm java_broker_keystore.jks
-echo "Re-create keystore for Apache Qpid Broker-J by importing RootCA certificate"
-keytool -importcert -v -keystore java_broker_keystore.jks -keysize 2048 -storepass password -alias RootCA -file CA_db/rootca.crt -storetype pkcs12 -noprompt
-echo "Generate certificate key 'java-broker'"
-keytool -genkey -alias java-broker -keyalg RSA -keysize 2048 -sigalg SHA512withRSA -validity 720 -keystore java_broker_keystore.jks -storepass password -dname "CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" -storetype pkcs12
-echo "Export certificate signing request"
-keytool -certreq -alias java-broker -sigalg SHA512withRSA -keystore java_broker_keystore.jks -storepass password -v -file java_broker.req -storetype pkcs12
-echo "Sign certificate by entering:"
-echo " n for 'Is this a CA certificate [y/N]?'"
-echo " [Enter] for 'Enter the path length constraint, enter to skip [<0 for unlimited path]: >'"
-echo " n for 'Is this a critical extension [y/N]?'"
-echo " password which was specified on creation root CA database."
-certutil -C -d CA_db -c "MyRootCA" -a -i java_broker.req -o java_broker.crt -2 -6 --extKeyUsage serverAuth -v 60 -g 4096
-echo "Import signed certificate"
-keytool -importcert -v -alias java-broker -keystore java_broker_keystore.jks -storepass password -file java_broker.crt -storetype pkcs12 -noprompt
-echo "List keystore entries"
-keytool --list --keystore java_broker_keystore.jks -storepass password -storetype pkcs12
-
-read -p "Press [Enter] key to continue..."
-echo "Remove existing client keystore"
-rm java_client_keystore.jks
-echo "Re-create client keystore by importing RootCA certificate"
-keytool -importcert -v -keystore java_client_keystore.jks -storepass password -alias RootCA -file CA_db/rootca.crt -storetype pkcs12 -noprompt
-
-echo "Generate key for certificate 'app2'"
-keytool -genkey -alias app2 -keyalg RSA -keysize 2048 -sigalg SHA512withRSA -validity 720 -keystore java_client_keystore.jks -storepass password -dname "CN=app2@acme.org, OU=art, O=acme, L=Toronto, ST=ON, C=CA" -storetype pkcs12
-echo "Export certificate signing request for 'app2'"
-keytool -certreq -alias app2 -sigalg SHA512withRSA -keystore java_client_keystore.jks -storepass password -v -file app2.req -storetype pkcs12
-echo "Sign certificate 'app2' by entering:"
-echo " n for 'Is this a CA certificate [y/N]?'"
-echo " '-1' for 'Enter the path length constraint, enter to skip [<0 for unlimited path]: >'"
-echo " n for 'Is this a critical extension [y/N]?'"
-echo " password which was specified on creation root CA database."
-certutil -C -d CA_db -c "MyRootCA" -a -i app2.req -o app2.crt -2 -6 --extKeyUsage clientAuth -v 60 -Z SHA512
-echo "Import signed certificate 'app2'"
-keytool -importcert -v -alias app2 -keystore java_client_keystore.jks -storepass password -file app2.crt -storetype pkcs12 -noprompt
-
-echo "Generate key for certificate 'app1'"
-keytool -genkey -alias app1 -keyalg RSA -keysize 2048 -sigalg SHA512withRSA -validity 720 -keystore java_client_keystore.jks -storepass password -dname "CN=app1@acme.org, OU=art, O=acme, L=Toronto, ST=ON, C=CA" -storetype pkcs12
-echo "Export certificate signing request for 'app1'"
-keytool -certreq -alias app1 -sigalg SHA512withRSA -keystore java_client_keystore.jks -storepass password -v -file app1.req
-echo "Sign certificate 'app1' by entering:"
-echo " n for 'Is this a CA certificate [y/N]?'"
-echo " '-1' for 'Enter the path length constraint, enter to skip [<0 for unlimited path]: >'"
-echo " n for 'Is this a critical extension [y/N]?'"
-echo " password which was specified on creation of root CA database."
-certutil -C -d CA_db -c "MyRootCA" -a -i app1.req -o app1.crt -2 -6 --extKeyUsage clientAuth -v 60 -Z SHA512
-echo "Import signed certificate 'app1'"
-keytool -importcert -v -alias app1 -keystore java_client_keystore.jks -storepass password -file app1.crt -storetype pkcs12 -noprompt
-echo "List entries in client keystore"
-keytool --list --keystore java_client_keystore.jks -storepass password
-
-read -p "Press [Enter] key to continue..."
-echo "Remove existing client truststore"
-rm java_client_truststore.jks
-echo "Re-create client truststore by importing RootCA certificate"
-keytool -importcert -v -keystore java_client_truststore.jks -storepass password -alias RootCA -file CA_db/rootca.crt -storetype pkcs12 -noprompt
-echo "List entries in client trusttore"
-keytool --list --keystore java_client_truststore.jks -storepass password -storetype pkcs12
-
-read -p "Press [Enter] key to continue..."
-echo "Remove existing broker truststore"
-rm java_broker_truststore.jks
-echo "Re-create broker truststore by importing RootCA certificate"
-keytool -importcert -v -keystore java_broker_truststore.jks -storepass password -alias RootCA -file CA_db/rootca.crt -storetype pkcs12 -noprompt
-echo "List entries in broker truststore"
-keytool --list --keystore java_broker_truststore.jks -storepass password -storetype pkcs12
-
-read -p "Press [Enter] key to continue..."
-echo "Remove existing broker peerstore"
-rm java_broker_peerstore.jks
-echo "Re-create broker peerstore by importing app1 certificate"
-keytool -importcert -v -keystore java_broker_peerstore.jks -storepass password -alias app1 -file app1.crt -storetype pkcs12 -noprompt
-echo "List entries in broker peerstore"
-keytool --list --keystore java_broker_peerstore.jks -storepass password -storetype pkcs12
-
-cp java_broker_keystore.jks ../../../broker-core/src/test/resources/ssl/test_keystore.jks
-keytool -importcert -v -alias app1 -keystore ../../../broker-core/src/test/resources/ssl/test_keystore.jks -storepass password -file app1.crt -storetype pkcs12 -noprompt
-keytool -importcert -v -alias app2 -keystore ../../../broker-core/src/test/resources/ssl/test_keystore.jks -storepass password -file app2.crt -storetype pkcs12 -noprompt
-
-cp java_broker_keystore.jks ../../../broker-core/src/test/resources/ssl/test_pk_only_keystore.pkcs12
-keytool -delete -v -alias rootca -keystore ../../../broker-core/src/test/resources/ssl/test_pk_only_keystore.pkcs12 -storepass password
-
-cp java_broker_keystore.jks ../../../broker-core/src/test/resources/ssl/test_cert_only_keystore.pkcs12
-keytool -delete -v -alias java-broker -keystore ../../../broker-core/src/test/resources/ssl/test_cert_only_keystore.pkcs12 -storepass password
-
-cp java_broker_keystore.jks ../../../broker-core/src/test/resources/ssl/test_symmetric_key_keystore.pkcs12
-keytool -genseckey -alias testalias -keyalg AES -keysize 256 -storetype pkcs12 -keystore ../../../broker-core/src/test/resources/ssl/test_symmetric_key_keystore.pkcs12 -storepass password
-
-cp java_broker.req ../../../broker-core/src/test/resources/ssl/java_broker.req
-cp java_broker.crt ../../../broker-core/src/test/resources/ssl/java_broker.crt
-
-cp expired.crt ../../../broker-core/src/test/resources/ssl/expired.crt
-cp java_client_expired_keystore.jks ../../../broker-core/src/test/resources/ssl/java_client_expired_keystore.pkcs12
-cp java_broker_expired_truststore.jks ../../../broker-core/src/test/resources/ssl/java_broker_expired_truststore.pkcs12
-
-cp java_broker_peerstore.jks ../../../broker-core/src/test/resources/ssl/java_broker_peerstore.pkcs12
-cp java_broker_truststore.jks ../../../broker-core/src/test/resources/ssl/java_broker_truststore.pkcs12
-cp java_broker_keystore.jks ../../../broker-core/src/test/resources/ssl/java_broker_keystore.pkcs12
-cp java_broker_keystore.jks ../../../systests/qpid-systests-http-management/src/main/resources/java_broker_keystore.jks
-cp java_client_keystore.jks ../../../broker-core/src/test/resources/ssl/java_client_keystore.pkcs12
-cp java_client_truststore.jks ../../../broker-core/src/test/resources/ssl/java_client_truststore.pkcs12
-
-rm java_client_untrusted_keystore.jks
-keytool -genkey -keystore java_client_untrusted_keystore.jks -keyalg RSA -keysize 2048 -sigalg SHA512withRSA -alias untrusted_client -storepass password -storetype pkcs12 -dname "CN=untrusted_client"
-cp java_client_untrusted_keystore.jks ../../../broker-core/src/test/resources/ssl/java_client_untrusted_keystore.pkcs12
-
-
diff --git a/test-profiles/test_resources/ssl/generate-root-ca.sh b/test-profiles/test_resources/ssl/generate-root-ca.sh
deleted file mode 100755
index 14d760c..0000000
--- a/test-profiles/test_resources/ssl/generate-root-ca.sh
+++ /dev/null
@@ -1,49 +0,0 @@
-#!/usr/bin/env bash
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-
-echo "Create a new certificate database for root CA"
-rm -fr CA_db; mkdir CA_db
-certutil -N -d CA_db
-
-echo "Create the self-signed Root CA certificate by entering:"
-echo " password which was specified on creation of root CA database."
-echo " y for 'Is this a CA certificate [y/N]?'"
-echo " [Enter] for 'Enter the path length constraint, enter to skip [<0 for unlimited path]: >'"
-echo " n for 'Is this a critical extension [y/N]?'"
-certutil -S -d CA_db -n "MyRootCA" -s "CN=MyRootCA,O=ACME,ST=Ontario,C=CA" -t "CT,," -x -2 -Z SHA512 -v 60 -g 2048
-echo "Extract the CA certificate from the CA’s certificate database to a file."
-certutil -L -d CA_db -n "MyRootCA" -a -o CA_db/rootca.crt
-
-
-echo "Create a certificate database for the Qpid Broker."
-rm -fr server_db; mkdir server_db
-certutil -N -d server_db
-echo "Import the CA certificate into the broker’s certificate database"
-certutil -A -d server_db -n "MyRootCA" -t "TC,," -a -i CA_db/rootca.crt
-echo "Create the server certificate request"
-certutil -R -d server_db -s "CN=localhost.localdomain,O=ACME,ST=Ontario,C=CA" -a -o server_db/server.req -Z SHA512
-echo "Sign and issue a new server certificate by entering:"
-echo " n for 'Is this a CA certificate [y/N]?'"
-echo " '-1' for 'Enter the path length constraint, enter to skip [<0 for unlimited path]: >'"
-echo " n for 'Is this a critical extension [y/N]?'"
-echo " password which was specified on creation of root CA database."
-certutil -C -d CA_db -c "MyRootCA" -a -i server_db/server.req -o server_db/server.crt -2 -6 --extKeyUsage serverAuth -v 60 -Z SHA512 -g 2048
-echo "Import signed certificate to the broker’s certificate database"
-certutil -A -d server_db -n localhost.localdomain -a -i server_db/server.crt -t ",,"
diff --git a/test-profiles/test_resources/ssl/java_broker.crt b/test-profiles/test_resources/ssl/java_broker.crt
deleted file mode 100644
index 4e5c086..0000000
--- a/test-profiles/test_resources/ssl/java_broker.crt
+++ /dev/null
@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDbzCCAlegAwIBAgIFALBcS4MwDQYJKoZIhvcNAQELBQAwQTELMAkGA1UEBhMC
-Q0ExEDAOBgNVBAgTB09udGFyaW8xDTALBgNVBAoTBEFDTUUxETAPBgNVBAMTCE15
-Um9vdENBMB4XDTE5MDIyNzE2MDY0M1oXDTI0MDIyNzE2MDY0M1owbjEQMA4GA1UE
-BhMHVW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQ
-MA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjESMBAGA1UEAxMJbG9j
-YWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq1zWGLqSHqno
-In5HjqSLSNQb5TV7qTeoKeVGJdfP13oXMllzy4JTCiXBen3l3YhpSxqGYccyEYee
-UlMSWH1snv9kW5sh+fF8HjJrabQco+vkUqUirvotaBQP71X1V+05AFxFhWfgdINw
-Kzu6az5i2S6DWJ0Xkseuolo3cM/J+M245NJj3as0dX2bOu0qbqk4izDqqV1uiyUP
-Udn0jICC52ZLd2v9lBbUQD/ZvwMYWIiBw9pfPxvIw2OsqsKeh+I7RUoGBxDUdDvj
-lbNeJV7AmeoszI/3bHkncdCiObFMXdXmUVwcRJYDAq5eBhgK59WcwKPIqlOLismQ
-wjN4ZxxvqQIDAQABo0EwPzAdBgNVHQ4EFgQU8NpCddyhoagntgXuH6eMGKnNxJsw
-CQYDVR0TBAIwADATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOC
-AQEAjFSD0UPN7ZqMKA0Sk2oailI+AU11VEmwIw18sXSEFMWSH8uAgkyTOvNQv4Nu
-WHgNOx20r18bYVrTqTznRa9oM7xemtR2pKqJYUQKqvk9vcF8mY7ibK1AH1vlm/gh
-7EfEmobfwHutXyTbUppgqf4QLn9AYLokD/w0la1mxDQ5Qc5FefgxLGaN2DZALFOc
-8lcpA9E2hTau2znxMlqqrG73E6R2XoE7BVMHVemVAAvusBuuP9OW/iC/KTPDFNoy
-NnDViQfIh03aBH2N5XCcnsdsxDULh6pjdZWf9FB+8OBDKyajNdFZku7AFLkt+QIa
-FVo105jdjqfMxt8FRNuQ05vYEQ==
------END CERTIFICATE-----
diff --git a/test-profiles/test_resources/ssl/java_broker.req b/test-profiles/test_resources/ssl/java_broker.req
deleted file mode 100644
index c618dd3..0000000
--- a/test-profiles/test_resources/ssl/java_broker.req
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN NEW CERTIFICATE REQUEST-----
-MIIC4zCCAcsCAQAwbjEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA1UECBMHVW5rbm93
-bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMH
-VW5rbm93bjESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOC
-AQ8AMIIBCgKCAQEAq1zWGLqSHqnoIn5HjqSLSNQb5TV7qTeoKeVGJdfP13oXMllz
-y4JTCiXBen3l3YhpSxqGYccyEYeeUlMSWH1snv9kW5sh+fF8HjJrabQco+vkUqUi
-rvotaBQP71X1V+05AFxFhWfgdINwKzu6az5i2S6DWJ0Xkseuolo3cM/J+M245NJj
-3as0dX2bOu0qbqk4izDqqV1uiyUPUdn0jICC52ZLd2v9lBbUQD/ZvwMYWIiBw9pf
-PxvIw2OsqsKeh+I7RUoGBxDUdDvjlbNeJV7AmeoszI/3bHkncdCiObFMXdXmUVwc
-RJYDAq5eBhgK59WcwKPIqlOLismQwjN4ZxxvqQIDAQABoDAwLgYJKoZIhvcNAQkO
-MSEwHzAdBgNVHQ4EFgQU8NpCddyhoagntgXuH6eMGKnNxJswDQYJKoZIhvcNAQEN
-BQADggEBAHsfAScjTeIM+Mkmq7z29wl0+NdWyoDKt0PjG0/WffExGXG1FD6JrbP7
-UEeBY60WdypO9/Nx7I/sw/UOsOH297NuCMkFDitAk5/5XDVSYpywBi85XK72ODmv
-hWYn2MGP9YnfL3qOd75kpNgVBKt9+IVFFNgdUMfzDQpTQgmzdaRepM4HUuxJnNGN
-jcjA6b7rT0XQu7EJqM/Q1beJTVmwtv/3ZsBduJfksr2+fyC7wd344Equ8kfhZtd9
-YocJYdlZ//0RjWMv10hXNMD2Y+Nk4ldoFOXwv93JMcBn4Uy0TeZ9O/eI/jETT5TL
-FZUUWdHvGqN2/9L4EZ0rAyH87HpHV7I=
------END NEW CERTIFICATE REQUEST-----
diff --git a/test-profiles/test_resources/ssl/java_broker_expired_truststore.jks b/test-profiles/test_resources/ssl/java_broker_expired_truststore.jks
deleted file mode 100644
index 9bfe301..0000000
--- a/test-profiles/test_resources/ssl/java_broker_expired_truststore.jks
+++ /dev/null
Binary files differ
diff --git a/test-profiles/test_resources/ssl/java_broker_keystore.jks b/test-profiles/test_resources/ssl/java_broker_keystore.jks
deleted file mode 100644
index b45991f..0000000
--- a/test-profiles/test_resources/ssl/java_broker_keystore.jks
+++ /dev/null
Binary files differ
diff --git a/test-profiles/test_resources/ssl/java_broker_peerstore.jks b/test-profiles/test_resources/ssl/java_broker_peerstore.jks
deleted file mode 100644
index a5b307f..0000000
--- a/test-profiles/test_resources/ssl/java_broker_peerstore.jks
+++ /dev/null
Binary files differ
diff --git a/test-profiles/test_resources/ssl/java_broker_truststore.jks b/test-profiles/test_resources/ssl/java_broker_truststore.jks
deleted file mode 100644
index 4184adf..0000000
--- a/test-profiles/test_resources/ssl/java_broker_truststore.jks
+++ /dev/null
Binary files differ
diff --git a/test-profiles/test_resources/ssl/java_client_expired_keystore.jks b/test-profiles/test_resources/ssl/java_client_expired_keystore.jks
deleted file mode 100644
index cb9b876..0000000
--- a/test-profiles/test_resources/ssl/java_client_expired_keystore.jks
+++ /dev/null
Binary files differ
diff --git a/test-profiles/test_resources/ssl/java_client_keystore.jks b/test-profiles/test_resources/ssl/java_client_keystore.jks
deleted file mode 100644
index 9422d9a..0000000
--- a/test-profiles/test_resources/ssl/java_client_keystore.jks
+++ /dev/null
Binary files differ
diff --git a/test-profiles/test_resources/ssl/java_client_truststore.jks b/test-profiles/test_resources/ssl/java_client_truststore.jks
deleted file mode 100644
index 1b45a23..0000000
--- a/test-profiles/test_resources/ssl/java_client_truststore.jks
+++ /dev/null
Binary files differ
diff --git a/test-profiles/test_resources/ssl/java_client_untrusted_keystore.jks b/test-profiles/test_resources/ssl/java_client_untrusted_keystore.jks
deleted file mode 100644
index 8b0b023..0000000
--- a/test-profiles/test_resources/ssl/java_client_untrusted_keystore.jks
+++ /dev/null
Binary files differ
diff --git a/test-profiles/test_resources/ssl/pfile b/test-profiles/test_resources/ssl/pfile
deleted file mode 100644
index f3097ab..0000000
--- a/test-profiles/test_resources/ssl/pfile
+++ /dev/null
@@ -1 +0,0 @@
-password
diff --git a/test-profiles/test_resources/ssl/server_db/cert9.db b/test-profiles/test_resources/ssl/server_db/cert9.db
deleted file mode 100644
index 9a5f864..0000000
--- a/test-profiles/test_resources/ssl/server_db/cert9.db
+++ /dev/null
Binary files differ
diff --git a/test-profiles/test_resources/ssl/server_db/key4.db b/test-profiles/test_resources/ssl/server_db/key4.db
deleted file mode 100644
index f08d318..0000000
--- a/test-profiles/test_resources/ssl/server_db/key4.db
+++ /dev/null
Binary files differ
diff --git a/test-profiles/test_resources/ssl/server_db/pkcs11.txt b/test-profiles/test_resources/ssl/server_db/pkcs11.txt
deleted file mode 100644
index 440f523..0000000
--- a/test-profiles/test_resources/ssl/server_db/pkcs11.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-library=
-name=NSS Internal PKCS #11 Module
-parameters=configdir='server_db' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
-NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
-
diff --git a/test-profiles/test_resources/ssl/server_db/server.crt b/test-profiles/test_resources/ssl/server_db/server.crt
deleted file mode 100644
index fb51ff1..0000000
--- a/test-profiles/test_resources/ssl/server_db/server.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDMDCCAhigAwIBAgIFALBcSo0wDQYJKoZIhvcNAQENBQAwQTELMAkGA1UEBhMC
-Q0ExEDAOBgNVBAgTB09udGFyaW8xDTALBgNVBAoTBEFDTUUxETAPBgNVBAMTCE15
-Um9vdENBMB4XDTE5MDIyNzE2MDQzNFoXDTI0MDIyNzE2MDQzNFowTjELMAkGA1UE
-BhMCQ0ExEDAOBgNVBAgTB09udGFyaW8xDTALBgNVBAoTBEFDTUUxHjAcBgNVBAMT
-FWxvY2FsaG9zdC5sb2NhbGRvbWFpbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
-AQoCggEBAMZvr9ZVPPPPgXlL/3tN57SmQRD8KKbK6F2DxPKPpV3FuhPxKRLVbDTp
-VgJ6geTSQXWlcCzZ7pr+J1Z7jU8tFb963i+kpFD21Z4xcaLTaHQvyiXMXgYJ/AU+
-0AQDrQN16Bkx/nbvXCtnfahp6Li3KUffEYjjLleuP5WwUSZJQ3oR74YQOKFZiDMU
-p5iUBiFWJ6Svey5usHOzycAeQVJYF8cdbTo3BL1mNFV8Q0aFD/qOsZoKNHZR8vb1
-ioBs1P9TdNO/fai/YZVkqq3I/wY9JoN7OmSPTtThuwZniSvOqsy2zkkEqG26HOnl
-BlRWshzyPaket8j4CrxZeVB4xmIbHvcCAwEAAaMiMCAwCQYDVR0TBAIwADATBgNV
-HSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQ0FAAOCAQEASvcXQIq2cyhujhoh
-DKZhenA1MqGTpWsrAo41obxVpzch/z7qrQsGUG/7qXm7XIQ8wPXKUJhQd5+ga5U0
-YV/QNu8Kz+5rxgCxv/hqHaajNfeOs8C3Oxk1IIg+9OC2bIRmR9SF84XBM2YrJuTe
-BlGszTNnOXQGoR0gOMl2EH+4kh00vVnRwrsSGHEWNqNprPFgauZ14bvCeeFJhsYd
-IjmrQgbGvt4463Kaw4gUstSrwQGOTGjqhEcUR6MER83HzDu0qoAHtQLNXh1NJ3M0
-BQg6Aaral1kfgWKbB88SgAAPMHBzIqG1ubYmRykEf+G6OOgBACp1CSiCskbJ59Wc
-2tbblQ==
------END CERTIFICATE-----
diff --git a/test-profiles/test_resources/ssl/server_db/server.req b/test-profiles/test_resources/ssl/server_db/server.req
deleted file mode 100644
index f2042ce..0000000
--- a/test-profiles/test_resources/ssl/server_db/server.req
+++ /dev/null
@@ -1,26 +0,0 @@
-
-Certificate request generated by Netscape certutil
-Phone: (not specified)
-
-Common Name: localhost.localdomain
-Email: (not specified)
-Organization: ACME
-State: Ontario
-Country: CA
-
------BEGIN NEW CERTIFICATE REQUEST-----
-MIICkzCCAXsCAQAwTjELMAkGA1UEBhMCQ0ExEDAOBgNVBAgTB09udGFyaW8xDTAL
-BgNVBAoTBEFDTUUxHjAcBgNVBAMTFWxvY2FsaG9zdC5sb2NhbGRvbWFpbjCCASIw
-DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZvr9ZVPPPPgXlL/3tN57SmQRD8
-KKbK6F2DxPKPpV3FuhPxKRLVbDTpVgJ6geTSQXWlcCzZ7pr+J1Z7jU8tFb963i+k
-pFD21Z4xcaLTaHQvyiXMXgYJ/AU+0AQDrQN16Bkx/nbvXCtnfahp6Li3KUffEYjj
-LleuP5WwUSZJQ3oR74YQOKFZiDMUp5iUBiFWJ6Svey5usHOzycAeQVJYF8cdbTo3
-BL1mNFV8Q0aFD/qOsZoKNHZR8vb1ioBs1P9TdNO/fai/YZVkqq3I/wY9JoN7OmSP
-TtThuwZniSvOqsy2zkkEqG26HOnlBlRWshzyPaket8j4CrxZeVB4xmIbHvcCAwEA
-AaAAMA0GCSqGSIb3DQEBDQUAA4IBAQB65l4W5FqmHN0KIPS81qwdpncPw0XLM5Wf
-dVY8Q0GZ9AWm5pTBl472AdoL/2FtQEsLnIfDDR9WFDfREqP2grO+98vbMPofNLPH
-es9dOEXRAGMziqFUhFofyWIXZUBQI9nWn9kuNZRtK2JfftG+eMtT8KlibFgVdaHc
-C8/HwlnmoQVtXQeqnEMYK8hN1+4hp9OzwkiwSMBpTNtB9jejnYQe4U2DnWpWD1ko
-w0kAQpb36zSOkZZ0ZMaT7aTLpDmsOvj6bAj6nUxjcGFvSqVIaxyQb2y0JflM+IN7
-K0PL2I1Wi2AGA3WlBs/nY+Ol2NfcD/nsdZdtVNn6WV9DsfnyfS6L
------END NEW CERTIFICATE REQUEST-----
