diff --git a/artemis-core-client/src/main/java/org/apache/activemq/artemis/api/core/management/ManagementHelper.java b/artemis-core-client/src/main/java/org/apache/activemq/artemis/api/core/management/ManagementHelper.java index f63a6ea90cf..e5439622798 100644 --- a/artemis-core-client/src/main/java/org/apache/activemq/artemis/api/core/management/ManagementHelper.java +++ b/artemis-core-client/src/main/java/org/apache/activemq/artemis/api/core/management/ManagementHelper.java @@ -72,6 +72,8 @@ public final class ManagementHelper { public static final SimpleString HDR_CERT_SUBJECT_DN = SimpleString.of("_AMQ_CertSubjectDN"); + public static final SimpleString HDR_CERT_UPN = SimpleString.of("_AMQ_CertUPN"); + public static final SimpleString HDR_CHECK_TYPE = SimpleString.of("_AMQ_CheckType"); public static final SimpleString HDR_SESSION_NAME = SimpleString.of("_AMQ_SessionName"); diff --git a/artemis-server/pom.xml b/artemis-server/pom.xml index 789c4f28da9..1fc0cd83d4a 100644 --- a/artemis-server/pom.xml +++ b/artemis-server/pom.xml @@ -290,6 +290,11 @@ mockserver-client-java test + + org.bouncycastle + bcpkix-jdk18on + test + diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/core/config/Configuration.java b/artemis-server/src/main/java/org/apache/activemq/artemis/core/config/Configuration.java index 67aa0279cc2..a667d655d67 100644 --- a/artemis-server/src/main/java/org/apache/activemq/artemis/core/config/Configuration.java +++ b/artemis-server/src/main/java/org/apache/activemq/artemis/core/config/Configuration.java @@ -19,6 +19,7 @@ import java.io.File; import java.net.URL; import java.util.Collection; +import java.util.EnumSet; import java.util.List; import java.util.Map; import java.util.Properties; 
@@ -43,6 +44,7 @@ import org.apache.activemq.artemis.core.server.plugin.ActiveMQServerQueuePlugin; import org.apache.activemq.artemis.core.server.plugin.ActiveMQServerResourcePlugin; import org.apache.activemq.artemis.core.server.plugin.ActiveMQServerSessionPlugin; +import org.apache.activemq.artemis.core.settings.impl.AuthenticationCacheKeyConfig; import org.apache.activemq.artemis.utils.critical.CriticalAnalyzerPolicy; import org.apache.activemq.artemis.api.core.BroadcastGroupConfiguration; import org.apache.activemq.artemis.api.core.DiscoveryGroupConfiguration; @@ -1565,4 +1567,8 @@ default boolean isUsingDatabasePersistence() { void setFederationDownstreamAuthorization(List roles); Configuration addFederationDownstreamAuthorization(String role); + + Configuration setAuthenticationCacheKey(EnumSet authenticationCacheKey); + + EnumSet getAuthenticationCacheKey(); } diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/core/config/impl/ConfigurationImpl.java b/artemis-server/src/main/java/org/apache/activemq/artemis/core/config/impl/ConfigurationImpl.java index 5647b653a30..e2150c1f7cd 100644 --- a/artemis-server/src/main/java/org/apache/activemq/artemis/core/config/impl/ConfigurationImpl.java +++ b/artemis-server/src/main/java/org/apache/activemq/artemis/core/config/impl/ConfigurationImpl.java @@ -36,8 +36,11 @@ import java.io.StringWriter; import java.lang.invoke.MethodHandles; import java.lang.reflect.Array; +import java.lang.reflect.Field; import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; +import java.lang.reflect.ParameterizedType; +import java.lang.reflect.Type; import java.net.URI; import java.net.URL; import java.nio.charset.StandardCharsets; 
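Review bot: The new `setAuthenticationCacheKey`/`getAuthenticationCacheKey` members carry no Javadoc, and this is a setting where the wrong value weakens authentication rather than just performance, so the contract needs stating on the interface. Add a Javadoc to the setter saying that the set selects which inputs (USER, PASS, TLS_SUBJECT_DN, TLS_SAN_UPN) are hashed into the authentication-cache key, that the default is USER, PASS and TLS_SUBJECT_DN, and that omitting PASS causes a cached authentication result to be reused for later logins that present the same username/DN/UPN with a different credential until the cache entry expires. A `{@link AuthenticationCacheKeyConfig}` reference and a sentence on whether null is permitted (the ConfigurationImpl setter in this commit stores it as-is) would complete it.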
@@ -132,6 +135,7 @@ import org.apache.activemq.artemis.core.server.plugin.ActiveMQServerResourcePlugin; import org.apache.activemq.artemis.core.server.plugin.ActiveMQServerSessionPlugin; import org.apache.activemq.artemis.core.settings.impl.AddressSettings; +import org.apache.activemq.artemis.core.settings.impl.AuthenticationCacheKeyConfig; import org.apache.activemq.artemis.core.settings.impl.ResourceLimitSettings; import org.apache.activemq.artemis.json.JsonArrayBuilder; import org.apache.activemq.artemis.json.JsonObject; @@ -172,6 +176,8 @@ public class ConfigurationImpl extends javax.security.auth.login.Configuration i public static final JournalType DEFAULT_JOURNAL_TYPE = JournalType.ASYNCIO; + public static final EnumSet DEFAULT_AUTHENTICATION_CACHE_KEY = EnumSet.of(AuthenticationCacheKeyConfig.USER, AuthenticationCacheKeyConfig.PASS, AuthenticationCacheKeyConfig.TLS_SUBJECT_DN); + public static final String PROPERTY_CLASS_SUFFIX = ".class"; public static final String REDACTED = "**redacted**"; @@ -491,6 +497,8 @@ public class ConfigurationImpl extends javax.security.auth.login.Configuration i private Map jaasConfigs = new ConcurrentHashMap<>(); + private EnumSet authenticationCacheKey = EnumSet.copyOf(DEFAULT_AUTHENTICATION_CACHE_KEY); + /** * Parent folder for all data folders. */ @@ -646,7 +654,7 @@ public void parsePrefixedProperties(Properties properties, String prefix) throws @Override public void parsePrefixedProperties(Object target, String name, Properties properties, String prefix) throws Exception { - Map beanProperties = new LinkedHashMap<>(); + Map beanProperties = new LinkedHashMap<>(); final Checksum checksum = new Adler32(); synchronized (properties) { String key = null; 
@@ -706,7 +714,7 @@ public AppConfigurationEntry[] getAppConfigurationEntry(String realm) { } } - public void populateWithProperties(final Object target, final String propsId, Map beanProperties) throws InvocationTargetException, IllegalAccessException { + public void populateWithProperties(final Object target, final String propsId, Map beanProperties) throws InvocationTargetException, IllegalAccessException { CollectionAutoFillPropertiesUtil autoFillCollections = new CollectionAutoFillPropertiesUtil(getBrokerPropertiesRemoveValue(beanProperties)); BeanUtilsBean beanUtils = new BeanUtilsBean(new ConvertUtilsBean(), autoFillCollections) { @@ -1004,15 +1012,17 @@ public T convert(Class type, Object value) { Map errors = new LinkedHashMap<>(); // Loop through the property name/value pairs to be set - for (final Map.Entry entry : beanProperties.entrySet()) { + for (final Map.Entry entry : beanProperties.entrySet()) { // Identify the property name and value(s) to be assigned final String name = entry.getKey(); try { if (logger.isDebugEnabled()) { logger.debug("set property target={}, name = {}, value = {}", target.getClass(), name, entry.getValue()); } - // Perform the assignment for this property - beanUtils.setProperty(target, name, entry.getValue()); + // Perform the assignment for this property with special handling for EnumSet + if (!handleEnumSet(target, name, entry.getValue())) { + beanUtils.setProperty(target, name, entry.getValue()); + } } catch (InvocationTargetException invocationTargetException) { logger.trace("failed to populate property with key: {}", name, invocationTargetException); Throwable toLog = invocationTargetException; 
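Review bot: `handleEnumSet` now runs inside the same try as `beanUtils.setProperty`, but the only catch visible in this hunk is for InvocationTargetException; an unknown constant name makes `Enum.valueOf` throw IllegalArgumentException, and `field.set` can throw IllegalAccessException or InaccessibleObjectException, none of which are InvocationTargetException. Unless a broader catch follows below the hunk (the method continues outside it), one bad `authenticationCacheKey` value would abort the whole `populateWithProperties` pass instead of being recorded in `errors` alongside the other rejected properties. If that catch is not there, add `catch (IllegalArgumentException | IllegalAccessException e)` recording into `errors` in whatever shape the existing error entries use, so the apply-status JSON reports it like any other bad property.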
@@ -1028,6 +1038,59 @@ public T convert(Class type, Object value) { updateApplyStatus(propsId, errors); } + /* + * Since an EnumSet relies on parameterized typing BeanUtils can't handle them directly. Therefore, we need to handle + * them manually. + */ + private boolean handleEnumSet(Object target, String name, String value) throws IllegalAccessException { + boolean result = false; + Field field = getField(target.getClass(), name); + if (field != null && EnumSet.class.isAssignableFrom(field.getType())) { + // Extract the from EnumSet + Class enumClass = getEnumClassFromField(field); + if (enumClass != null) { + EnumSet enumSet = convertToEnumSet(enumClass, value); + field.setAccessible(true); + field.set(target, enumSet); + result = true; + } + } + return result; + } + + private static Class getEnumClassFromField(Field field) { + if (field.getGenericType() instanceof ParameterizedType parameterizedType) { + Type[] actualTypeArguments = parameterizedType.getActualTypeArguments(); + if (actualTypeArguments.length > 0 && actualTypeArguments[0] instanceof Class) { + return (Class) actualTypeArguments[0]; + } + } + return null; + } + + private static > EnumSet convertToEnumSet(Class enumClass, String csv) { + if (csv == null || csv.trim().isEmpty()) { + return EnumSet.noneOf(enumClass); + } + + return Arrays.stream(csv.split(",")) + .map(String::trim) + .filter(s -> !s.isEmpty()) + .map(s -> Enum.valueOf(enumClass, s)) + .collect(Collectors.toCollection(() -> EnumSet.noneOf(enumClass))); + } + + private static Field getField(Class clazz, String fieldName) { + while (clazz != null) { + try { + return clazz.getDeclaredField(fieldName); + } catch (NoSuchFieldException e) { + clazz = clazz.getSuperclass(); + } + } + return null; + } + @Override public void exportAsProperties(File file) throws Exception { try (FileWriter writer = new FileWriter(file, StandardCharsets.UTF_8)) { 
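Review bot: `handleEnumSet` writes the target field directly via `setAccessible(true)`/`field.set`, so the broker-properties path bypasses the bean setter entirely — any validation or normalisation a setter such as `setAuthenticationCacheKey` does (or gains later) is skipped, and a field with no setter at all becomes settable from broker.properties, which is wider than the setter-based rules BeanUtils applies to every other property. Prefer resolving the write method through `beanUtils.getPropertyUtils().getPropertyDescriptor(target, name)` and invoking it with the converted EnumSet, falling back to the field only when no setter exists. Two further points belong in a comment on `convertToEnumSet`: `Enum.valueOf` is case-sensitive, so `user,pass` is rejected while `USER,PASS` is accepted, and a blank value yields `EnumSet.noneOf`, which for `authenticationCacheKey` makes `SecurityStoreImpl.createAuthenticationCacheKey` return null and silently disables authentication caching. Either state that consequence explicitly or reject the empty set for that property.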
@@ -1299,17 +1362,17 @@ private synchronized void updateReadPropertiesStatus(String propsId, long alder3 this.jsonStatus = JsonUtil.mergeAndUpdate(jsonStatus, jsonObjectBuilder.build()); } - private String getBrokerPropertiesKeySurround(Map propertiesToApply) { + private String getBrokerPropertiesKeySurround(Map propertiesToApply) { if (propertiesToApply.containsKey(ActiveMQDefaultConfiguration.BROKER_PROPERTIES_KEY_SURROUND_PROPERTY)) { - return String.valueOf(propertiesToApply.remove(ActiveMQDefaultConfiguration.BROKER_PROPERTIES_KEY_SURROUND_PROPERTY)); + return propertiesToApply.remove(ActiveMQDefaultConfiguration.BROKER_PROPERTIES_KEY_SURROUND_PROPERTY); } else { return System.getProperty(getSystemPropertyPrefix() + ActiveMQDefaultConfiguration.BROKER_PROPERTIES_KEY_SURROUND_PROPERTY, getBrokerPropertiesKeySurround()); } } - private String getBrokerPropertiesRemoveValue(Map propertiesToApply) { + private String getBrokerPropertiesRemoveValue(Map propertiesToApply) { if (propertiesToApply.containsKey(ActiveMQDefaultConfiguration.BROKER_PROPERTIES_REMOVE_VALUE_PROPERTY)) { - return String.valueOf(propertiesToApply.remove(ActiveMQDefaultConfiguration.BROKER_PROPERTIES_REMOVE_VALUE_PROPERTY)); + return propertiesToApply.remove(ActiveMQDefaultConfiguration.BROKER_PROPERTIES_REMOVE_VALUE_PROPERTY); } else { return System.getProperty(getSystemPropertyPrefix() + ActiveMQDefaultConfiguration.BROKER_PROPERTIES_REMOVE_VALUE_PROPERTY, getBrokerPropertiesRemoveValue()); } 
@@ -3576,6 +3639,17 @@ public Configuration addFederationDownstreamAuthorization(String role) { return this; } + @Override + public Configuration setAuthenticationCacheKey(EnumSet authenticationCacheKey) { + this.authenticationCacheKey = authenticationCacheKey; + return this; + } + + @Override + public EnumSet getAuthenticationCacheKey() { + return authenticationCacheKey; + } + // extend property utils with ability to auto-fill and locate from collections // collection entries are identified by the name() property private static class CollectionAutoFillPropertiesUtil extends PropertyUtilsBean { diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/core/deployers/impl/FileConfigurationParser.java b/artemis-server/src/main/java/org/apache/activemq/artemis/core/deployers/impl/FileConfigurationParser.java index 580355d4ac7..1c94e1493a8 100644 --- a/artemis-server/src/main/java/org/apache/activemq/artemis/core/deployers/impl/FileConfigurationParser.java +++ b/artemis-server/src/main/java/org/apache/activemq/artemis/core/deployers/impl/FileConfigurationParser.java @@ -23,6 +23,7 @@ import java.security.PrivilegedAction; import java.util.ArrayList; import java.util.Collections; +import java.util.EnumSet; import java.util.HashMap; import java.util.HashSet; import java.util.List; @@ -106,6 +107,7 @@ import org.apache.activemq.artemis.core.server.routing.policies.PolicyFactoryResolver; import org.apache.activemq.artemis.core.settings.impl.AddressFullMessagePolicy; import org.apache.activemq.artemis.core.settings.impl.AddressSettings; +import org.apache.activemq.artemis.core.settings.impl.AuthenticationCacheKeyConfig; import org.apache.activemq.artemis.core.settings.impl.DeletionPolicy; import org.apache.activemq.artemis.core.settings.impl.DiskFullMessagePolicy; import org.apache.activemq.artemis.core.settings.impl.PageFullMessagePolicy; 
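Review bot: `setAuthenticationCacheKey` stores the caller's EnumSet by reference and accepts null, while the field's own initializer earlier in this file deliberately uses `EnumSet.copyOf(DEFAULT_AUTHENTICATION_CACHE_KEY)`, and the getter hands the same mutable instance back out. A null here reaches `SecurityStoreImpl` unchanged and would fail with an NPE in `createAuthenticationCacheKey` rather than at configuration time, and a caller mutating the set after the call changes the live keying without going through the setter. Suggest `this.authenticationCacheKey = authenticationCacheKey == null ? EnumSet.copyOf(DEFAULT_AUTHENTICATION_CACHE_KEY) : EnumSet.copyOf(authenticationCacheKey);` plus a one-line Javadoc saying that null restores the default.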
@@ -399,6 +401,8 @@ public final class FileConfigurationParser extends XMLConfigurationUtil { private static final String MQTT_SUBSCRIPTION_PERSISTENCE_ENABLED = "mqtt-subscription-persistence-enabled"; + private static final String AUTHENTICATION_CACHE_KEY = "authentication-cache-key"; + private boolean validateAIO = false; private boolean printPageMaxSizeUsed = false; @@ -516,6 +520,8 @@ public void parseMainConfig(final Element e, final Configuration config) throws config.setMqttSubscriptionPersistenceEnabled(getBoolean(e, MQTT_SUBSCRIPTION_PERSISTENCE_ENABLED, config.isMqttSubscriptionPersistenceEnabled())); + parseAuthenticationCacheKey(e, config); + config.setGlobalMaxSizePercentOfJvmMaxMemory(getInteger(e, GLOBAL_MAX_SIZE_PERCENT_JVM_MAX_MEM, config.getGlobalMaxSizePercentOfJvmMaxMemory(), GT_ZERO)); long globalMaxSize = getTextBytesAsLongBytes(e, GLOBAL_MAX_SIZE, -1, MINUS_ONE_OR_GT_ZERO); 
@@ -949,6 +955,26 @@ public void parseMainConfig(final Element e, final Configuration config) throws } } + private static void parseAuthenticationCacheKey(Element e, Configuration config) { + NodeList authenticationCachKeyNodes = e.getElementsByTagName(AUTHENTICATION_CACHE_KEY); + + EnumSet authenticationCachKey = EnumSet.noneOf(AuthenticationCacheKeyConfig.class); + + if (authenticationCachKeyNodes.getLength() > 0) { + NodeList parts = authenticationCachKeyNodes.item(0).getChildNodes(); + + for (int i = 0; i < parts.getLength(); i++) { + if ("part".equalsIgnoreCase(parts.item(i).getNodeName())) { + String part = getTrimmedTextContent(parts.item(i)); + authenticationCachKey.add(AuthenticationCacheKeyConfig.valueOf(part)); + } + } + } else { + authenticationCachKey = ConfigurationImpl.DEFAULT_AUTHENTICATION_CACHE_KEY; + } + config.setAuthenticationCacheKey(authenticationCachKey); + } + private void parseLockCoordinator(final Element lockCoordinatorElement, final Configuration mainConfig) throws Exception { String name = lockCoordinatorElement.getAttribute("name"); String lockId = getString(lockCoordinatorElement, "lock-id", name, NO_CHECK); diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/core/security/impl/SecurityStoreImpl.java b/artemis-server/src/main/java/org/apache/activemq/artemis/core/security/impl/SecurityStoreImpl.java index c07d7bafef7..f016b795342 100644 --- a/artemis-server/src/main/java/org/apache/activemq/artemis/core/security/impl/SecurityStoreImpl.java +++ b/artemis-server/src/main/java/org/apache/activemq/artemis/core/security/impl/SecurityStoreImpl.java @@ -21,6 +21,7 @@ import java.nio.charset.StandardCharsets; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; +import java.util.EnumSet; import java.util.Objects; import java.util.Set; import java.util.concurrent.TimeUnit; 
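Review bot: `AuthenticationCacheKeyConfig.valueOf(part)` throws a bare IllegalArgumentException ("No enum constant ...") for a misspelt `<part>`, even though this commit adds `invalidAuthenticationCacheKey` (229260) to ActiveMQMessageBundle; wrap the call so the configured text is reported through that message, e.g. `catch (IllegalArgumentException ex) { throw ActiveMQMessageBundle.BUNDLE.invalidAuthenticationCacheKey(part); }` (assuming the bundle is in scope in this parser). The default branch assigns the shared `ConfigurationImpl.DEFAULT_AUTHENTICATION_CACHE_KEY` instance instead of a copy, while ConfigurationImpl's own field initializer uses `EnumSet.copyOf`; since that constant is a public mutable EnumSet, use `EnumSet.copyOf(ConfigurationImpl.DEFAULT_AUTHENTICATION_CACHE_KEY)` here so a later mutation of one broker configuration cannot alter the global default. An `<authentication-cache-key>` element with no `<part>` children produces an empty set, which makes `createAuthenticationCacheKey` return null and disables caching; say so in a comment or reject it. The locals `authenticationCachKey`/`authenticationCachKeyNodes` are missing an "e".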
@@ -44,6 +45,7 @@ import org.apache.activemq.artemis.core.server.management.NotificationService; import org.apache.activemq.artemis.core.settings.HierarchicalRepository; import org.apache.activemq.artemis.core.settings.HierarchicalRepositoryChangeListener; +import org.apache.activemq.artemis.core.settings.impl.AuthenticationCacheKeyConfig; import org.apache.activemq.artemis.logs.AuditLogger; import org.apache.activemq.artemis.spi.core.protocol.RemotingConnection; import org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager; @@ -63,8 +65,6 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import static org.apache.activemq.artemis.utils.CertificateUtil.CERT_SUBJECT_DN_UNAVAILABLE; - /** * The Apache Artemis SecurityStore implementation */ @@ -90,6 +90,8 @@ public class SecurityStoreImpl implements SecurityStore, HierarchicalRepositoryC private final NotificationService notificationService; + private final EnumSet authenticationCacheKeyConfigs; + private static final AtomicLongFieldUpdater AUTHENTICATION_SUCCESS_COUNT_UPDATER = AtomicLongFieldUpdater.newUpdater(SecurityStoreImpl.class, "authenticationSuccessCount"); private volatile long authenticationSuccessCount; private static final AtomicLongFieldUpdater AUTHENTICATION_FAILURE_COUNT_UPDATER = AtomicLongFieldUpdater.newUpdater(SecurityStoreImpl.class, "authenticationFailureCount"); 
@@ -113,13 +115,15 @@ public SecurityStoreImpl(final HierarchicalRepository> securityReposit final String managementClusterPassword, final NotificationService notificationService, final long authenticationCacheSize, - final long authorizationCacheSize) throws NoSuchAlgorithmException { + final long authorizationCacheSize, + final EnumSet authenticationCacheKeyConfigs) throws NoSuchAlgorithmException { this.securityRepository = securityRepository; this.securityManager = securityManager; this.securityEnabled = securityEnabled; this.managementClusterUser = managementClusterUser; this.managementClusterPassword = managementClusterPassword; this.notificationService = notificationService; + this.authenticationCacheKeyConfigs = authenticationCacheKeyConfigs; if (securityEnabled) { if (authenticationCacheSize == 0) { authenticationCache = null; @@ -437,12 +441,14 @@ public Subject getSessionSubject(SecurityAuth session) { } private void authenticationFailed(String user, RemotingConnection connection) throws Exception { - String certSubjectDN = CertificateUtil.getCertSubjectDN(connection); + String certSubjectDN = CertificateUtil.getDistinguishedNameForPrint(connection); + String certUpn = CertificateUtil.getUserPrincipalNameForPrint(connection); if (notificationService != null) { TypedProperties props = new TypedProperties(); props.putSimpleStringProperty(ManagementHelper.HDR_USER, SimpleString.of(user)); props.putSimpleStringProperty(ManagementHelper.HDR_CERT_SUBJECT_DN, SimpleString.of(certSubjectDN)); + props.putSimpleStringProperty(ManagementHelper.HDR_CERT_UPN, SimpleString.of(certUpn)); props.putSimpleStringProperty(ManagementHelper.HDR_REMOTE_ADDRESS, SimpleString.of(connection == null ? "null" : connection.getRemoteAddress())); Notification notification = new Notification(null, CoreNotificationType.SECURITY_AUTHENTICATION_VIOLATION, props); 
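Review bot: `authenticationCacheKeyConfigs` is stored with no null check and no defensive copy, yet `createAuthenticationCacheKey` calls `contains` on it for every login; a null from `Configuration.getAuthenticationCacheKey()` (the ConfigurationImpl setter in this commit accepts null) therefore surfaces as an NPE on the first authentication rather than at startup, and a caller that keeps mutating the set it passed changes the cache keying of a live broker. Since `Objects` and `EnumSet` are already imported, `this.authenticationCacheKeyConfigs = EnumSet.copyOf(Objects.requireNonNull(authenticationCacheKeyConfigs, "authenticationCacheKeyConfigs"));` fixes both. The new constructor parameter also deserves a one-line Javadoc pointing at the security consequence of a key that omits PASS.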
@@ -450,7 +456,7 @@ private void authenticationFailed(String user, RemotingConnection connection) th notificationService.sendNotification(notification); } - Exception e = ActiveMQMessageBundle.BUNDLE.unableToValidateUser(connection == null ? "null" : connection.getRemoteAddress(), user, certSubjectDN); + Exception e = ActiveMQMessageBundle.BUNDLE.unableToValidateUser(connection == null ? "null" : connection.getRemoteAddress(), user, certSubjectDN, certUpn); ActiveMQServerLogger.LOGGER.securityProblemWhileAuthenticating(e.getMessage()); @@ -499,7 +505,7 @@ private void handleNoCacheLoginException(NoCacheLoginException e) { } private void putAuthenticationCacheEntry(String key, Subject subject) { - if (authenticationCache != null) { + if (authenticationCache != null && key != null) { Pair value = new Pair<>(subject != null, subject); authenticationCache.put(key, value); logger.trace("Put into authn cache; key: {}; value: {}", key, value); @@ -507,7 +513,7 @@ private void putAuthenticationCacheEntry(String key, Subject subject) { } private Pair getAuthenticationCacheEntry(String key) { - if (authenticationCache == null) { + if (authenticationCache == null || key == null) { return null; } else { Pair value = authenticationCache.getIfPresent(key); 
@@ -574,23 +580,45 @@ private boolean checkAuthorizationCache(final SimpleString dest, final String us return granted; } + /** + * Creates a unique cache key for authentication using the provided username, password, and connection information. + * The key is generated by hashing the input data, and optionally includes the User Principal Name (UPN). If all + * input data is null, the method returns null to avoid caching. + * + * @param username the username for authentication; can be null + * @param password the password for authentication; can be null + * @param connection the remoting connection used to retrieve additional security attributes; cannot be null + * @return a hexadecimal string representing the authentication cache key, or null if all input parameters are null + */ protected String createAuthenticationCacheKey(String username, String password, RemotingConnection connection) { - MessageDigest md = getDigestClone(); - if (username != null) { - md.update(username.getBytes(StandardCharsets.UTF_8)); + String user = authenticationCacheKeyConfigs.contains(AuthenticationCacheKeyConfig.USER) ? username : null; + String pass = authenticationCacheKeyConfigs.contains(AuthenticationCacheKeyConfig.PASS) ? password : null; + String dn = authenticationCacheKeyConfigs.contains(AuthenticationCacheKeyConfig.TLS_SUBJECT_DN) ? CertificateUtil.getDistinguishedName(connection) : null; + String upn = authenticationCacheKeyConfigs.contains(AuthenticationCacheKeyConfig.TLS_SAN_UPN) ? 
CertificateUtil.getUserPrincipalName(connection) : null; + + // Return null so that we don't cache anything if all authentication data is null + if (user == null && pass == null && dn == null && upn == null) { + return null; } + + MessageDigest md = getDigestClone(); + updateDigest(md, user); md.update(CACHE_KEY_SEPARATOR); - if (password != null) { - md.update(password.getBytes(StandardCharsets.UTF_8)); - } + updateDigest(md, pass); md.update(CACHE_KEY_SEPARATOR); - String certSubjectDN = CertificateUtil.getCertSubjectDN(connection); - if (!CERT_SUBJECT_DN_UNAVAILABLE.equals(certSubjectDN)) { - md.update(certSubjectDN.getBytes(StandardCharsets.UTF_8)); - } + updateDigest(md, dn); + md.update(CACHE_KEY_SEPARATOR); + updateDigest(md, upn); + return ByteUtil.bytesToHex(md.digest()); } + private void updateDigest(MessageDigest md, String value) { + if (value != null) { + md.update(value.getBytes(StandardCharsets.UTF_8)); + } + } + private static MessageDigest getDigestClone() { try { return (MessageDigest) SHA256.clone(); diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/ActiveMQMessageBundle.java b/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/ActiveMQMessageBundle.java index 02b532341dd..16581ef81e4 100644 --- a/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/ActiveMQMessageBundle.java +++ b/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/ActiveMQMessageBundle.java 
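Review bot: The Javadoc on `createAuthenticationCacheKey` should warn that dropping PASS from the key makes the cached Subject — and the cached negative result, since `putAuthenticationCacheEntry` stores `subject != null` — reusable by any later login presenting only the remaining parts: with USER alone, a second connection with the same username and a wrong password is served the cached positive result until the entry expires, and one cached failure blocks the correct password for the same period. That is the operator's choice, but it is an authentication-bypass footgun and belongs in the doc, e.g. `Excluding PASS keys the cache on public identity only; a cached result (success or failure) is reused for any credential presented with the same username/DN/UPN until it expires.` The `@param connection ... cannot be null` claim conflicts with `authenticationFailed` in this same file guarding `connection == null`; if the CertificateUtil helpers tolerate null, say so instead. Note also that the all-null early return means fully anonymous connections are no longer cached at all (previously they shared one digest-of-separators entry), so each such connection now hits the login modules — worth a comment if intentional.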
@@ -142,8 +142,8 @@ public interface ActiveMQMessageBundle { @Message(id = 229030, value = "large-message not initialized on server") ActiveMQIllegalStateException largeMessageNotInitialised(); - @Message(id = 229031, value = "Unable to validate user from {}. Username: {}; SSL certificate subject DN: {}") - ActiveMQSecurityException unableToValidateUser(String remoteAddress, String user, String certMessage); + @Message(id = 229031, value = "Unable to validate user from {}. Username: {}; SSL certificate subject DN: {}; UPN: {}") + ActiveMQSecurityException unableToValidateUser(String remoteAddress, String user, String dn, String upn); @Message(id = 229032, value = "User: {} does not have permission='{}' on address {}") ActiveMQSecurityException userNoPermissions(String username, CheckType checkType, SimpleString address); @@ -541,4 +541,7 @@ IllegalStateException invalidRoutingTypeUpdate(String queueName, @Message(id = 229259, value = "Invalid disk full message policy type {}") IllegalArgumentException invalidDiskFullPolicyType(String val); + @Message(id = 229260, value = "Invalid authentication cache key: {}") + IllegalArgumentException invalidAuthenticationCacheKey(String val); + } diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/ActiveMQServerLogger.java b/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/ActiveMQServerLogger.java index 0956b37172a..7e7b6409dd8 100644 --- a/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/ActiveMQServerLogger.java +++ b/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/ActiveMQServerLogger.java @@ -19,6 +19,7 @@ import javax.naming.NamingException; import javax.transaction.xa.Xid; import java.io.File; +import java.security.cert.CertificateParsingException; import java.util.concurrent.ExecutorService; import io.netty.channel.Channel; 
@@ -1544,4 +1545,7 @@ void slowConsumerDetected(String sessionID, @LogMessage(id = 224163, value = "Failed to clone SHA256 MessageDigest, falling back to getInstance", level = LogMessage.Level.INFO) void sha256CloneNotSupported(CloneNotSupportedException cns); + + @LogMessage(id = 224164, value = "Failed to parse certificate: {}", level = LogMessage.Level.WARN) + void failedToParseCertificate(String cert, CertificateParsingException cps); } \ No newline at end of file diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/impl/ActiveMQServerImpl.java b/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/impl/ActiveMQServerImpl.java index c3db8beead4..639ac5645ef 100644 --- a/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/impl/ActiveMQServerImpl.java +++ b/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/impl/ActiveMQServerImpl.java @@ -3378,7 +3378,7 @@ synchronized boolean initialisePart1(boolean scalingDown) throws Exception { ActiveMQServerLogger.LOGGER.clusterSecurityRisk(); } - securityStore = new SecurityStoreImpl(securityRepository, securityManager, configuration.getSecurityInvalidationInterval(), configuration.isSecurityEnabled(), configuration.getClusterUser(), configuration.getClusterPassword(), managementService, configuration.getAuthenticationCacheSize(), configuration.getAuthorizationCacheSize()); + securityStore = new SecurityStoreImpl(securityRepository, securityManager, configuration.getSecurityInvalidationInterval(), configuration.isSecurityEnabled(), configuration.getClusterUser(), configuration.getClusterPassword(), managementService, configuration.getAuthenticationCacheSize(), configuration.getAuthorizationCacheSize(), configuration.getAuthenticationCacheKey()); queueFactory = new QueueFactoryImpl(executorFactory, scheduledPool, addressSettingsRepository, storageManager, this); 
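Review bot: `failedToParseCertificate` logs at WARN and takes the certificate as a String, so if its call site (outside this diff, presumably the UPN extraction in CertificateUtil) runs per connection, a client that repeatedly connects with a certificate whose SAN extension does not parse can emit a full certificate dump at WARN on every attempt. Consider logging only the subject DN rather than the whole certificate, and lowering the level to DEBUG or ensuring the caller logs once per connection, e.g. `value = "Failed to parse certificate with subject {}: {}"` with the DN and `cps.getMessage()`.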
diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/impl/ServerSessionImpl.java b/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/impl/ServerSessionImpl.java index 4ec39ed1bfa..44c0ba643bb 100644 --- a/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/impl/ServerSessionImpl.java +++ b/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/impl/ServerSessionImpl.java @@ -19,7 +19,6 @@ import javax.transaction.xa.XAException; import javax.transaction.xa.Xid; import java.lang.invoke.MethodHandles; -import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Collection; import java.util.Collections; @@ -644,13 +643,9 @@ public ServerConsumer createConsumer(final long consumerID, props.putSimpleStringProperty(ManagementHelper.HDR_VALIDATED_USER, SimpleString.of(validatedUser)); - String certSubjectDN = "unavailable"; - X509Certificate[] certs = CertificateUtil.getCertsFromConnection(this.remotingConnection); - if (certs != null && certs.length > 0 && certs[0] != null) { - certSubjectDN = certs[0].getSubjectDN().getName(); - } + props.putSimpleStringProperty(ManagementHelper.HDR_CERT_SUBJECT_DN, SimpleString.of(CertificateUtil.getDistinguishedNameForPrint(this.remotingConnection))); - props.putSimpleStringProperty(ManagementHelper.HDR_CERT_SUBJECT_DN, SimpleString.of(certSubjectDN)); + props.putSimpleStringProperty(ManagementHelper.HDR_CERT_UPN, SimpleString.of(CertificateUtil.getUserPrincipalNameForPrint(this.remotingConnection))); props.putSimpleStringProperty(ManagementHelper.HDR_REMOTE_ADDRESS, SimpleString.of(this.remotingConnection.getRemoteAddress())); diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/plugin/impl/NotificationActiveMQServerPlugin.java b/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/plugin/impl/NotificationActiveMQServerPlugin.java index 5194c4a259e..38d1e144b76 100644 
--- a/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/plugin/impl/NotificationActiveMQServerPlugin.java +++ b/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/plugin/impl/NotificationActiveMQServerPlugin.java @@ -168,10 +168,10 @@ private void sendConnectionNotification(final RemotingConnection connection, fin if (managementService != null && sendConnectionNotifications) { try { - String certSubjectDN = CertificateUtil.getCertSubjectDN(connection); final TypedProperties props = new TypedProperties(); props.putSimpleStringProperty(ManagementHelper.HDR_CONNECTION_NAME, SimpleString.of(connection.getID().toString())); - props.putSimpleStringProperty(ManagementHelper.HDR_CERT_SUBJECT_DN, SimpleString.of(certSubjectDN)); + props.putSimpleStringProperty(ManagementHelper.HDR_CERT_SUBJECT_DN, SimpleString.of(CertificateUtil.getDistinguishedNameForPrint(connection))); + props.putSimpleStringProperty(ManagementHelper.HDR_CERT_UPN, SimpleString.of(CertificateUtil.getUserPrincipalNameForPrint(connection))); props.putSimpleStringProperty(ManagementHelper.HDR_REMOTE_ADDRESS, SimpleString.of(connection.getRemoteAddress())); managementService.sendNotification(new Notification(null, type, props)); diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/core/settings/impl/AuthenticationCacheKeyConfig.java b/artemis-server/src/main/java/org/apache/activemq/artemis/core/settings/impl/AuthenticationCacheKeyConfig.java new file mode 100644 index 00000000000..8f864ca8d2d --- /dev/null +++ b/artemis-server/src/main/java/org/apache/activemq/artemis/core/settings/impl/AuthenticationCacheKeyConfig.java 
@@ -0,0 +1,21 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.artemis.core.settings.impl;
+
+public enum AuthenticationCacheKeyConfig {
+ USER, PASS, TLS_SUBJECT_DN, TLS_SAN_UPN;
+}
diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/CertificateLoginModule.java b/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/CertificateLoginModule.java
index 7bec6c7e807..d9cac23cb09 100644
--- a/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/CertificateLoginModule.java
+++ b/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/CertificateLoginModule.java
@@ -22,16 +22,16 @@ import javax.security.auth.callback.UnsupportedCallbackException; import javax.security.auth.login.FailedLoginException; import javax.security.auth.login.LoginException; -import java.security.cert.X509Certificate; import java.io.IOException; +import java.lang.invoke.MethodHandles; import java.security.Principal; +import java.security.cert.X509Certificate; import java.util.LinkedHashSet; import java.util.Map; import java.util.Set; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import java.lang.invoke.MethodHandles; /** * A LoginModule that allows for authentication based on SSL certificates. Allows for subclasses to define methods used @@ -81,7 +81,7 @@ public boolean login() throws LoginException { username = getUserNameForCertificates(certificates); if (username == null) { - throw new FailedLoginException("No user for client certificate: " + getDistinguishedName(certificates)); + throw new FailedLoginException("Failed to lookup user with client certificate using: " + getCertificateInfo(certificates)); } if (debug) { @@ -151,7 +151,6 @@ private void clear() { * Should return a unique name corresponding to the certificates given. The name returned will be used to look up * access levels as well as role associations. * - * @param certs The distinguished name. * @return The unique name if the certificate is recognized, null otherwise */ protected abstract String getUserNameForCertificates(X509Certificate[] certs) throws LoginException; 
@@ -160,18 +159,17 @@ private void clear() { * Should return a set of the roles this user belongs to. The roles returned will be added to the user's * credentials. * - * @param username The username of the client. This is the same name that getUserNameForDn returned for the user's - * DN. + * @param username The username of the client. This is the same name that + * {@link #getUserNameForCertificates(X509Certificate[])} returned. * @return A Set of the names of the roles this user belongs to */ protected abstract Set getUserRoles(String username) throws LoginException; - protected String getDistinguishedName(final X509Certificate[] certs) { - if (certs != null && certs.length > 0 && certs[0] != null) { - return certs[0].getSubjectDN().getName(); - } else { - return null; - } - } - + /** + * Should return the information from the certs that is used to authenticate the user + * + * @param certificates The certificates of the client. This is the same data that + * {@link #getUserNameForCertificates(X509Certificate[])} returned. + */ + protected abstract String getCertificateInfo(X509Certificate[] certificates); } diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/ExternalCertificateLoginModule.java b/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/ExternalCertificateLoginModule.java index 5813852f7c8..6e3c0b889be 100644 --- a/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/ExternalCertificateLoginModule.java +++ b/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/ExternalCertificateLoginModule.java @@ -16,9 +16,6 @@ */ package org.apache.activemq.artemis.spi.core.security.jaas; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - import javax.security.auth.Subject; import javax.security.auth.callback.Callback; import javax.security.auth.callback.CallbackHandler; 
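Review bot: The new Javadoc for `getCertificateInfo` says `certificates` is "the same data that getUserNameForCertificates returned", but the parameter is the certificate array that is passed *into* `getUserNameForCertificates`, not its return value; suggest `@param certificates the client's certificate chain, the same array passed to {@link #getUserNameForCertificates(X509Certificate[])}` and add the missing `@return`, e.g. `@return the certificate attribute used to identify the user (subject DN, UPN, ...), or {@code null} if it is absent`. Separately, replacing the concrete protected `getDistinguishedName` with a new abstract method means every existing external subclass of `CertificateLoginModule` stops compiling; since the class Javadoc (context at the top of the previous hunk) explicitly invites subclassing, a non-abstract default that returns `CertificateUtil.getDistinguishedName(certificates)` would keep older subclasses working while the new UPN module still overrides it. The hunk ends at the class's closing brace, so the whole remaining class body is visible.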
@@ -36,6 +33,10 @@ import java.util.Map; import java.util.Set; +import org.apache.activemq.artemis.utils.CertificateUtil; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + /** * A LoginModule that propagates TLS certificates subject DN as a UserPrincipal. */ @@ -79,9 +80,7 @@ public boolean login() throws LoginException { } X509Certificate[] certificates = ((CertificateCallback) callbacks[0]).getCertificates(); - if (certificates != null && certificates.length > 0 && certificates[0] != null) { - userName = certificates[0].getSubjectDN().getName(); - } + userName = CertificateUtil.getDistinguishedName(certificates); if (userName != null && sanUriRolePrefix != null) { // getSubjectAlternativeNames returns a Collection of Lists diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/TextFileCertificateLoginModule.java b/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/TextFileCertificateLoginModule.java index 6045bcfac94..d1d8fce1c7c 100644 --- a/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/TextFileCertificateLoginModule.java +++ b/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/TextFileCertificateLoginModule.java @@ -26,6 +26,8 @@ import java.util.Set; import java.util.regex.Pattern; +import org.apache.activemq.artemis.utils.CertificateUtil; + /** * A LoginModule allowing for SSL certificate based authentication based on Distinguished Names (DN) stored in text * files. The DNs are parsed using a Properties class where each line is <user_name>=<user_DN>. This class @@ -75,7 +77,7 @@ protected String getUserNameForCertificates(final X509Certificate[] certs) throw if (certs == null) { throw new LoginException("Client certificates not found. Cannot authenticate."); } - String dn = getDistinguishedName(certs); + String dn = getCertificateInfo(certs); return usersByDn.containsKey(dn) ? usersByDn.get(dn) : getUserByRegexp(dn); } 
@@ -109,4 +111,8 @@ private synchronized String getUserByRegexp(String dn) { return name; } + @Override + protected String getCertificateInfo(X509Certificate[] certificates) { + return CertificateUtil.getDistinguishedName(certificates); + } } diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/TextFileUpnCertificateLoginModule.java b/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/TextFileUpnCertificateLoginModule.java new file mode 100644 index 00000000000..81b33029031 --- /dev/null +++ b/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/TextFileUpnCertificateLoginModule.java 
@@ -0,0 +1,106 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.activemq.artemis.spi.core.security.jaas; + +import javax.security.auth.Subject; +import javax.security.auth.callback.CallbackHandler; +import javax.security.auth.login.LoginException; +import java.security.cert.X509Certificate; +import java.util.Collections; +import java.util.Map; +import java.util.Properties; +import java.util.Set; + +import org.apache.activemq.artemis.utils.CertificateUtil; + +/** + * A LoginModule allowing for SSL certificate based authentication based on User Principal Name (UPN). The UPNs are + * retrieved from the Subject Alternative Name (SAN) extension of the client's certificate. There is no mapping from UPN + * to another name as there is with DN when using the {@link TextFileCertificateLoginModule}. + *

+ * This class uses a role definition file where each line is like: + *

{@code
+ * =, , etc.
+ * }
+ * The role file's locations must be specified in the {@code org.apache.activemq.jaas.textfileupn.role} property. NOTE: + * This class will re-read the role file if it has been modified and the {@code reload} option is {@code true}. + */ +public class TextFileUpnCertificateLoginModule extends CertificateLoginModule { + + private static final String USER_FILE_PROP_NAME = "org.apache.activemq.jaas.textfileupn.user"; + private static final String ROLE_FILE_PROP_NAME = "org.apache.activemq.jaas.textfileupn.role"; + + private Map> rolesByUser; + private Properties users; + + @Override + public void initialize(Subject subject, + CallbackHandler callbackHandler, + Map sharedState, + Map options) { + super.initialize(subject, callbackHandler, sharedState, options); + users = load(USER_FILE_PROP_NAME, "", options).getProps(); + rolesByUser = load(ROLE_FILE_PROP_NAME, "", options).invertedPropertiesValuesMap(); + } + + /** + * Overriding to allow auth based on the User Principal Name (UPN). + * + * @param certs The certificate the incoming connection provided. + * @return The user's authenticated name or null if unable to authenticate the user. + * @throws LoginException Thrown if unable to find user file or connection certificate. + */ + @Override + protected String getUserNameForCertificates(final X509Certificate[] certs) throws LoginException { + if (certs == null || certs.length == 0) { + throw new LoginException("Client certificates not found. Cannot authenticate."); + } + try { + String upn = getCertificateInfo(certs); + if (upn != null && users.containsKey(upn)) { + return upn; + } else { + return null; + } + } catch (Exception e) { + throw new RuntimeException(e); + } + } + + /** + * Overriding to allow for role discovery based on text files. + * + * @param username The name of the user being examined. 
This is the same name returned by + * {@link #getUserNameForCertificates(X509Certificate[])} + * @return A Set of name Strings for roles this user belongs to + * @throws LoginException Thrown if unable to find role definition file. + */ + @Override + protected Set getUserRoles(String username) throws LoginException { + Set userRoles = rolesByUser.get(username); + if (userRoles == null) { + userRoles = Collections.emptySet(); + } + + return userRoles; + } + + @Override + protected String getCertificateInfo(X509Certificate[] certificates) { + return CertificateUtil.getUserPrincipalName(certificates); + } +} diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/utils/CertificateUtil.java b/artemis-server/src/main/java/org/apache/activemq/artemis/utils/CertificateUtil.java index 9cf59b824c5..57cfedcf881 100644 --- a/artemis-server/src/main/java/org/apache/activemq/artemis/utils/CertificateUtil.java +++ b/artemis-server/src/main/java/org/apache/activemq/artemis/utils/CertificateUtil.java 
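Review bot: In `getUserNameForCertificates` the `try { ... } catch (Exception e) { throw new RuntimeException(e); }` converts any failure during the UPN lookup into an unchecked exception, even though the method already declares `LoginException` and JAAS expects login failures to surface as that type; `getCertificateInfo` declares no checked exception, so the wrapper can simply be dropped: `String upn = getCertificateInfo(certs);` followed by `return upn != null && users.containsKey(upn) ? upn : null;`. The class Javadoc should also state what the user file's values are for — only `users.containsKey(upn)` is consulted here, so the right-hand side of each `upn=...` line appears to be ignored, which is worth spelling out for operators writing the file. The hunk covers the entire new file.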
@@ -18,21 +18,30 @@ import javax.net.ssl.SSLPeerUnverifiedException; import java.io.ByteArrayInputStream; +import java.lang.invoke.MethodHandles; +import java.nio.charset.StandardCharsets; import java.security.Principal; import java.security.cert.Certificate; import java.security.cert.CertificateFactory; +import java.security.cert.CertificateParsingException; import java.security.cert.X509Certificate; +import java.util.Arrays; +import java.util.Collection; +import java.util.List; +import java.util.Objects; +import io.netty.buffer.ByteBuf; +import io.netty.buffer.Unpooled; import io.netty.channel.Channel; import io.netty.channel.ChannelHandler; import io.netty.handler.ssl.SslHandler; import org.apache.activemq.artemis.core.remoting.impl.netty.NettyConnection; import org.apache.activemq.artemis.core.remoting.impl.netty.NettyServerConnection; +import org.apache.activemq.artemis.core.server.ActiveMQServerLogger; import org.apache.activemq.artemis.spi.core.protocol.RemotingConnection; import org.apache.activemq.artemis.spi.core.remoting.Connection; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import java.lang.invoke.MethodHandles; public class CertificateUtil { 
@@ -40,14 +49,41 @@ public class CertificateUtil { private static final String SSL_HANDLER_NAME = "ssl"; - public static final String CERT_SUBJECT_DN_UNAVAILABLE = "unavailable"; + public static final String UPN_OID = "1.3.6.1.4.1.311.20.2.3"; + + private static final byte[] UPN_OID_BYTES = {0x2b, 0x06, 0x01, 0x04, 0x01, (byte) 0x82, 0x37, 0x14, 0x02, 0x03}; + + public static final String CERT_INFO_UNAVAILABLE = "unavailable"; + + /** + * Inspects the input {@code RemotingConnection} and extracts the Distinguished Name (DN) from the associated SSL + * certificate. If this name cannot be retrieved then it returns the value of {@link #CERT_INFO_UNAVAILABLE}. + * This method is suitable when printing the DN to the logs, adding it to a notification message, etc. It will never + * return {@code null}. + * + * @return the Distinguished Name (DN) of the SSL certificate associated with the {@code RemotingConnection} or + * {@link #CERT_INFO_UNAVAILABLE} otherwise + */ + public static String getDistinguishedNameForPrint(RemotingConnection connection) { + return Objects.requireNonNullElse(getDistinguishedName(getCertsFromConnection(connection)), CERT_INFO_UNAVAILABLE); + } + + /** + * {@return the Distinguished Name (DN) of the SSL certificate associated with the {@code RemotingConnection} + * otherwise {@code null}} + */ + public static String getDistinguishedName(RemotingConnection connection) { + return getDistinguishedName(getCertsFromConnection(connection)); + } - public static String getCertSubjectDN(RemotingConnection connection) { - X509Certificate[] certs = getCertsFromConnection(connection); + /** + * {@return the Distinguished Name (DN) from the first SSL certificate in the array otherwise null} + */ + public static String getDistinguishedName(X509Certificate[] certs) { if (certs != null && certs.length > 0 && certs[0] != null) { return certs[0].getSubjectDN().getName(); } else { - return CERT_SUBJECT_DN_UNAVAILABLE; + return null; } } 
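Review bot: This hunk removes the public constant `CERT_SUBJECT_DN_UNAVAILABLE` and the public method `getCertSubjectDN(RemotingConnection)` from `CertificateUtil`; if that class is used by plugins or embedding code outside this repository (it sits in the server's public `utils` package, so I would assume it can be), that is a source-incompatible change the commit message does not mention. Keeping a deprecated alias, `@Deprecated public static final String CERT_SUBJECT_DN_UNAVAILABLE = CERT_INFO_UNAVAILABLE;`, and a deprecated `getCertSubjectDN` delegating to `getDistinguishedNameForPrint` costs nothing and preserves compatibility for one release.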
@@ -94,7 +130,7 @@ public static Principal getLocalPrincipalFromConnection(NettyConnection nettyCon
 public static X509Certificate[] getCertsFromChannel(Channel channel) {
 Certificate[] plainCerts = null;
- ChannelHandler channelHandler = channel.pipeline().get("ssl");
+ ChannelHandler channelHandler = channel.pipeline().get(SSL_HANDLER_NAME);
 if (channelHandler != null && channelHandler instanceof SslHandler sslHandler) {
 try {
 plainCerts = sslHandler.engine().getSession().getPeerCertificates();
@@ -132,4 +168,162 @@ public static X509Certificate[] getCertsFromChannel(Channel channel) { return x509Certs; } + + /** + * Extracts the User Principal Name (UPN) from the Subject Alternative Names (SANs) of the first SSL certificate in + * the array. If this name cannot be retrieved then it returns the value of {@link #CERT_INFO_UNAVAILABLE}. + * This method is suitable when printing the UPN to the logs, adding it to a notification message, etc. It will never + * return {@code null}. + * + * @return the User Principal Name (UPN) of the SSL certificate associated with the {@code RemotingConnection} or + * {@link #CERT_INFO_UNAVAILABLE} otherwise + */ + public static String getUserPrincipalNameForPrint(RemotingConnection connection) { + return Objects.requireNonNullElse(getUserPrincipalName(getCertsFromConnection(connection)), CERT_INFO_UNAVAILABLE); + } + + /** + * {@return the User Principal Name (UPN) of the SSL certificate associated with the {@code RemotingConnection} + * otherwise {@code null}} + */ + public static String getUserPrincipalName(RemotingConnection connection) { + return getUserPrincipalName(getCertsFromConnection(connection)); + } + + /** + * Extracts the User Principal Name (UPN) from the Subject Alternative Names (SANs) of the first SSL certificate in + * the array. + * + * @param certs an array of X.509 certificates, where the first certificate is inspected for the UPN. If the array is + * null, empty, or the first certificate is null, the method returns null. + * @return the extracted UPN as a string, or null if the UPN is not found or if the SANs are null for the given + * certificate. 
+ */ + public static String getUserPrincipalName(X509Certificate[] certs) { + if (certs == null || certs.length == 0 || certs[0] == null) { + return null; + } + Collection> sans; + try { + sans = certs[0].getSubjectAlternativeNames(); + } catch (CertificateParsingException e) { + ActiveMQServerLogger.LOGGER.failedToParseCertificate(certs[0].toString(), e); + return null; + } + if (sans == null) { + logger.debug("No SANs found in certificate"); + return null; + } + + for (List san : sans) { + if (san.size() == 4 && san.get(0) instanceof Integer generalName && generalName == 0 && san.get(2) instanceof String oid && oid.equals(UPN_OID)) { + // This works on Java 21+ + return (String) san.get(3); + } else if (san.size() == 2 && san.get(0) instanceof Integer generalName && generalName == 0) { + // Manual parsing is still required before Java 21 + return parseOtherNameForUpn((byte[]) san.get(1)); + } + } + return null; + } + + /** + * Parses a DER-encoded Subject Alternative Name {@code otherName} value and tries to extract a UPN string. + *

+ * The method walks the nested tag-length-value ASN.1/DER structure. It expects an outer context-specific wrapper, + * verifies the embedded UPN OID, then reads the inner wrapped string value (which may be double-wrapped). It accepts + * either UTF8String or IA5String encodings. + * + * @param der the buffer containing the DER bytes to inspect + * @return the decoded UPN string, or {@code null} if the structure does not match the expected layout + */ + protected static String parseOtherNameForUpn(byte[] der) { + ByteBuf buf = Unpooled.wrappedBuffer(der); + try { + // read outer sequence + short outerSequenceTag = buf.readUnsignedByte(); + if (outerSequenceTag != 0x30) { + logger.debug("Unexpected outer sequence tag 0x{}; expected 0x30", String.format("%02X", outerSequenceTag)); + return null; + } + readDerLength(buf); + + // read & validate OID + short oidTag = buf.readUnsignedByte(); + if (oidTag != 0x06) { + logger.debug("Unexpected oid tag 0x{}; expected 0x06", String.format("%02X", oidTag)); + return null; + } + int oidLen = readDerLength(buf); + byte[] oidBytes = new byte[oidLen]; + buf.readBytes(oidBytes); + if (!Arrays.equals(oidBytes, UPN_OID_BYTES)) { + logger.debug("OID mismatch"); + return null; + } + + // read context tag + short upnContextTag = buf.readUnsignedByte(); + if (upnContextTag != 0xA0) { + logger.debug("Unexpected context tag for UPN 0x{}; expected 0xA0", String.format("%02X", upnContextTag)); + return null; + } + readDerLength(buf); + + // handle potential "double wrap" + short nextTag = buf.getUnsignedByte(buf.readerIndex()); + if (nextTag == 0xA0) { + buf.readUnsignedByte(); + readDerLength(buf); + nextTag = buf.getByte(buf.readerIndex()); + } + + if (nextTag != 0x0C && nextTag != 0x16) { + logger.debug("Unexpected string tag 0x{}; expected UTF8String (0x0C) or IA5String (0x16)", String.format("%02X", nextTag)); + return null; + } + buf.readUnsignedByte(); + + // read the string + int upnLen = readDerLength(buf); + byte[] upnBytes = new 
byte[upnLen]; + buf.readBytes(upnBytes); + return new String(upnBytes, StandardCharsets.UTF_8); + } finally { + buf.release(); + } + } + + /** + * In DER length encoding: + *

    + *
  • if the first length byte has top bit 0
  • + *
      + *
    • it is a short-form length
    • + *
    • the length is stored right there in that byte
    • + *
    + *
  • if the top bit is 1
  • + *
      + *
    • it is a long-form length
    • + *
    • the lower 7 bits tell you how many additional bytes encode the length
    • + *
    + *
+ * + * @param buf the {@code ByteBuf} to read the length value from. It must contain enough bytes to decode the length + * fully according to the encoded format. + * @return the decoded length as an integer. + */ + private static int readDerLength(ByteBuf buf) { + int first = buf.readUnsignedByte(); + if ((first & 0x80) == 0) { + return first; + } + + int numBytes = first & 0x7F; + int len = 0; + for (int i = 0; i < numBytes; i++) { + len = (len << 8) | buf.readUnsignedByte(); + } + return len; + } } diff --git a/artemis-server/src/main/resources/schema/artemis-configuration.xsd b/artemis-server/src/main/resources/schema/artemis-configuration.xsd index 2af3e1b1449..b4b690349a0 100644 --- a/artemis-server/src/main/resources/schema/artemis-configuration.xsd +++ b/artemis-server/src/main/resources/schema/artemis-configuration.xsd @@ -487,6 +487,30 @@ + + + + comma-separated list of what data to include in the key generated by the broker for the authentication + cache; valid values are USER, PASS, TLS_SUBJECT_DN, and TLS_SAN_UPN; any combination is allowed; or + does not matter + + + + + + + + + + + + + + + + + + diff --git a/artemis-server/src/test/java/org/apache/activemq/artemis/core/config/impl/DefaultsFileConfigurationTest.java b/artemis-server/src/test/java/org/apache/activemq/artemis/core/config/impl/DefaultsFileConfigurationTest.java index 8701f6cc31f..5d663e5274d 100644 --- a/artemis-server/src/test/java/org/apache/activemq/artemis/core/config/impl/DefaultsFileConfigurationTest.java +++ b/artemis-server/src/test/java/org/apache/activemq/artemis/core/config/impl/DefaultsFileConfigurationTest.java 
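Review bot: In `getUserPrincipalName`, the pre-Java-21 branch returns the result of `parseOtherNameForUpn` for the first otherName SAN it meets, so a certificate whose first otherName carries a different OID (the helper then returns null) never has its later UPN otherName inspected; the loop should keep scanning when the helper yields null. In `parseOtherNameForUpn`/`readDerLength` the DER walk also has no bounds checks: a long-form length with more than four length bytes overflows `len`, a length larger than the remaining buffer reaches `new byte[upnLen]` and `buf.readBytes`, and Netty then throws `IndexOutOfBoundsException`, which nothing between here and the JAAS login path catches — since these bytes come straight from the client certificate, malformed input should make the parser return null rather than propagate. A small inconsistency in the same method: after the double-wrap check `nextTag` is re-read with `getByte` (signed) while the first read used `getUnsignedByte`, so the debug log for an unexpected tag would print a negative value; use `getUnsignedByte` in both places. The changes below keep the method signatures and only alter the loop, add a catch for malformed input, and guard the length decoding.

```java
      for (List<?> san : sans) {
         // … unchanged: Java 21+ branch matching the four-element otherName form …
         } else if (san.size() == 2 && san.get(0) instanceof Integer generalName && generalName == 0) {
            // Manual parsing is still required before Java 21. A null here only means this
            // otherName carries a different OID, so keep scanning the remaining SANs.
            String upn = parseOtherNameForUpn((byte[]) san.get(1));
            if (upn != null) {
               return upn;
            }
         }
      }
      return null;
   }

   protected static String parseOtherNameForUpn(byte[] der) {
      ByteBuf buf = Unpooled.wrappedBuffer(der);
      try {
         // … unchanged: outer sequence, OID, context tag and double-wrap handling …
         int upnLen = readDerLength(buf);
         if (upnLen < 0 || upnLen > buf.readableBytes()) {
            logger.debug("UPN length {} exceeds remaining otherName bytes", upnLen);
            return null;
         }
         byte[] upnBytes = new byte[upnLen];
         buf.readBytes(upnBytes);
         return new String(upnBytes, StandardCharsets.UTF_8);
      } catch (IndexOutOfBoundsException | IllegalArgumentException e) {
         // truncated or malformed otherName from the peer certificate: fail closed, never throw out of the login path
         logger.debug("Malformed otherName SAN value", e);
         return null;
      } finally {
         buf.release();
      }
   }

   private static int readDerLength(ByteBuf buf) {
      int first = buf.readUnsignedByte();
      if ((first & 0x80) == 0) {
         return first;
      }
      int numBytes = first & 0x7F;
      // 0x80 (indefinite) is not valid DER, and more than 4 length bytes cannot fit an int
      if (numBytes == 0 || numBytes > 4 || !buf.isReadable(numBytes)) {
         throw new IllegalArgumentException("malformed DER length with " + numBytes + " length bytes");
      }
      // … unchanged: accumulate the length bytes …
   }
```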
@@ -165,5 +165,7 @@ public void testDefaults() { assertEquals(ActiveMQDefaultConfiguration.getDefaultSecurityCacheMetrics(), conf.getMetricsConfiguration().isSecurityCaches()); assertEquals(ActiveMQDefaultConfiguration.getDefaultExecutorServiceMetrics(), conf.getMetricsConfiguration().isExecutorServices()); + + assertEquals(ConfigurationImpl.DEFAULT_AUTHENTICATION_CACHE_KEY, conf.getAuthenticationCacheKey()); } } diff --git a/artemis-server/src/test/java/org/apache/activemq/artemis/core/config/impl/FileConfigurationTest.java b/artemis-server/src/test/java/org/apache/activemq/artemis/core/config/impl/FileConfigurationTest.java index b885e6e3fd2..42ce9904797 100644 --- a/artemis-server/src/test/java/org/apache/activemq/artemis/core/config/impl/FileConfigurationTest.java +++ b/artemis-server/src/test/java/org/apache/activemq/artemis/core/config/impl/FileConfigurationTest.java @@ -80,6 +80,7 @@ import org.apache.activemq.artemis.core.server.plugin.ActiveMQServerBasePlugin; import org.apache.activemq.artemis.core.server.plugin.ActiveMQServerPlugin; import org.apache.activemq.artemis.core.settings.impl.AddressSettings; +import org.apache.activemq.artemis.core.settings.impl.AuthenticationCacheKeyConfig; import org.apache.activemq.artemis.core.settings.impl.DiskFullMessagePolicy; import org.apache.activemq.artemis.core.settings.impl.SlowConsumerPolicy; import org.apache.activemq.artemis.core.settings.impl.SlowConsumerThresholdMeasurementUnit; 
@@ -253,6 +254,7 @@ private void validateFullConfig(Configuration configInstance, boolean fromProper assertEquals(123456, configInstance.getMqttSessionScanInterval()); assertEquals(567890, configInstance.getMqttSessionStatePersistenceTimeout()); assertFalse(configInstance.isMqttSubscriptionPersistenceEnabled()); + assertEquals(Set.of(AuthenticationCacheKeyConfig.USER, AuthenticationCacheKeyConfig.PASS), configInstance.getAuthenticationCacheKey()); assertEquals(98765, configInstance.getConnectionTtlCheckInterval()); assertEquals(1234567, configInstance.getConfigurationFileRefreshPeriod()); assertEquals("UUID", configInstance.getTemporaryQueueNamespace()); diff --git a/artemis-server/src/test/java/org/apache/activemq/artemis/core/security/impl/SecurityStoreImplTest.java b/artemis-server/src/test/java/org/apache/activemq/artemis/core/security/impl/SecurityStoreImplTest.java index 558c4764e8f..c704fa65b86 100644 --- a/artemis-server/src/test/java/org/apache/activemq/artemis/core/security/impl/SecurityStoreImplTest.java +++ b/artemis-server/src/test/java/org/apache/activemq/artemis/core/security/impl/SecurityStoreImplTest.java 
@@ -17,22 +17,29 @@ package org.apache.activemq.artemis.core.security.impl; import javax.security.auth.Subject; +import java.security.NoSuchAlgorithmException; import java.security.Principal; +import java.security.cert.X509Certificate; +import java.util.EnumSet; import java.util.Set; import java.util.concurrent.Callable; import org.apache.activemq.artemis.api.core.ActiveMQSecurityException; import org.apache.activemq.artemis.api.core.SimpleString; +import org.apache.activemq.artemis.core.config.impl.ConfigurationImpl; import org.apache.activemq.artemis.core.management.impl.ManagementRemotingConnection; +import org.apache.activemq.artemis.core.remoting.impl.netty.NettyServerConnection; import org.apache.activemq.artemis.core.security.CheckType; import org.apache.activemq.artemis.core.security.Role; import org.apache.activemq.artemis.core.security.SecurityAuth; +import org.apache.activemq.artemis.core.settings.impl.AuthenticationCacheKeyConfig; import org.apache.activemq.artemis.core.settings.impl.HierarchicalObjectRepository; import org.apache.activemq.artemis.logs.AssertionLoggerHandler; import org.apache.activemq.artemis.spi.core.protocol.RemotingConnection; import org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager5; import org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal; import org.apache.activemq.artemis.spi.core.security.jaas.UserPrincipal; +import org.apache.activemq.artemis.utils.CertificateUtilTest; import org.apache.activemq.artemis.utils.RandomUtil; import org.apache.activemq.artemis.utils.sm.SecurityManagerShim; import org.junit.jupiter.api.Test; 
@@ -41,6 +48,7 @@ import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertNotEquals; import static org.junit.jupiter.api.Assertions.assertNotNull; import static org.junit.jupiter.api.Assertions.assertNull; import static org.junit.jupiter.api.Assertions.assertTrue; @@ -110,7 +118,7 @@ public boolean validateUserAndRole(String user, String password, Set roles @Test public void zeroCacheSizeTest() throws Exception { final String user = RandomUtil.randomUUIDString(); - SecurityStoreImpl securityStore = new SecurityStoreImpl(new HierarchicalObjectRepository<>(), securityManager, 999, true, "", null, null, 0, 0); + SecurityStoreImpl securityStore = new SecurityStoreImpl(new HierarchicalObjectRepository<>(), securityManager, 999, true, "", null, null, 0, 0, ConfigurationImpl.DEFAULT_AUTHENTICATION_CACHE_KEY); assertNull(securityStore.getAuthenticationCache()); assertEquals(user, securityStore.authenticate(user, RandomUtil.randomUUIDString(), null)); assertEquals(0, securityStore.getAuthenticationCacheSize()); @@ -144,7 +152,7 @@ public String getSecurityDomain() { @Test public void getCaller() throws Exception { - SecurityStoreImpl securityStore = new SecurityStoreImpl(new HierarchicalObjectRepository<>(), securityManager, 999, true, "", null, null, 0, 0); + SecurityStoreImpl securityStore = new SecurityStoreImpl(new HierarchicalObjectRepository<>(), securityManager, 999, true, "", null, null, 0, 0, ConfigurationImpl.DEFAULT_AUTHENTICATION_CACHE_KEY); assertNull(securityStore.getCaller(null, null)); assertEquals("joe", securityStore.getCaller("joe", null)); @@ -176,7 +184,8 @@ public void testManagementAuthorizationAfterNullAuthenticationFailure() throws E null, null, 1000, - 1000); + 1000, + ConfigurationImpl.DEFAULT_AUTHENTICATION_CACHE_KEY); try { securityStore.authenticate(null, null, Mockito.mock(RemotingConnection.class), null); 
@@ -207,7 +216,7 @@ public void testManagementAuthorizationAfterNullAuthenticationFailure() throws E @Test public void testWrongPrincipal() throws Exception { - SecurityStoreImpl securityStore = new SecurityStoreImpl(new HierarchicalObjectRepository<>(), wrongPrincipalSecurityManager, 999, true, "", null, null, 10, 0); + SecurityStoreImpl securityStore = new SecurityStoreImpl(new HierarchicalObjectRepository<>(), wrongPrincipalSecurityManager, 999, true, "", null, null, 10, 0, ConfigurationImpl.DEFAULT_AUTHENTICATION_CACHE_KEY); try { securityStore.authenticate(null, null, Mockito.mock(RemotingConnection.class), null); fail(); 
@@ -220,12 +229,109 @@ public void testWrongPrincipal() throws Exception { } @Test - public void testCacheAlgorithm() throws Exception { + public void testPresenceOfCacheAlgorithm() throws Exception { final String user = RandomUtil.randomUUIDString(); - SecurityStoreImpl securityStore = new SecurityStoreImpl(new HierarchicalObjectRepository<>(), securityManager, 999, true, "", null, null, 0, 0); + SecurityStoreImpl securityStore = new SecurityStoreImpl(new HierarchicalObjectRepository<>(), securityManager, 999, true, "", null, null, 0, 0, ConfigurationImpl.DEFAULT_AUTHENTICATION_CACHE_KEY); try (AssertionLoggerHandler handler = new AssertionLoggerHandler()) { securityStore.createAuthenticationCacheKey(user, RandomUtil.randomUUIDString(), null); assertFalse(handler.findText("AMQ224163")); } } + + @Test + // There's no way to conclusively prove a String is a SHA-256 hash, but we can at least check that it's the right length and has the correct format + public void testVerifySha256() throws Exception { + SecurityStoreImpl securityStore = new SecurityStoreImpl(new HierarchicalObjectRepository<>(), securityManager, 999, true, "", null, null, 0, 0, ConfigurationImpl.DEFAULT_AUTHENTICATION_CACHE_KEY); + assertTrue(securityStore.createAuthenticationCacheKey(RandomUtil.randomUUIDString(), RandomUtil.randomUUIDString(), null).matches("^[a-fA-F0-9]{64}$")); + } + + @Test + public void testIncludeUpnInAuthenticationCacheKeyEnabledWithDifferentUpns() throws Exception { + final String user = RandomUtil.randomUUIDString(); + final String password = RandomUtil.randomUUIDString(); + SecurityStoreImpl securityStore = createSecurityStore(true); + String keyOne = securityStore.createAuthenticationCacheKey(user, password, getConnectionWithUpn("user1@domain.com")); + String keyTwo = securityStore.createAuthenticationCacheKey(user, password, getConnectionWithUpn("user2@domain.com")); + assertNotEquals(keyOne, keyTwo); + } + + @Test + public void 
testIncludeUpnInAuthenticationCacheKeyEnabledWithAndWithoutUpn() throws Exception { + final String user = RandomUtil.randomUUIDString(); + final String password = RandomUtil.randomUUIDString(); + SecurityStoreImpl securityStore = createSecurityStore(true); + String keyOne = securityStore.createAuthenticationCacheKey(user, password, getConnectionWithUpn("user@domain.com")); + String keyTwo = securityStore.createAuthenticationCacheKey(user, password, getConnectionWithUpn(null)); + assertNotEquals(keyOne, keyTwo); + } + + @Test + public void testIncludeUpnInAuthenticationCacheKeyEnabledWithIdenticalUpns() throws Exception { + final String user = RandomUtil.randomUUIDString(); + final String password = RandomUtil.randomUUIDString(); + final String upn = "user@domain.com"; + SecurityStoreImpl securityStore = createSecurityStore(true); + String keyOne = securityStore.createAuthenticationCacheKey(user, password, getConnectionWithUpn(upn)); + String keyTwo = securityStore.createAuthenticationCacheKey(user, password, getConnectionWithUpn(upn)); + assertEquals(keyOne, keyTwo); + } + + @Test + public void testIncludeUpnInAuthenticationCacheKeyEnabledWithNulls() throws Exception { + SecurityStoreImpl securityStore = createSecurityStore(true); + assertNull(securityStore.createAuthenticationCacheKey(null, null, null)); + } + + @Test + public void testIncludeUpnInAuthenticationCacheKeyDisabledWithDifferentUpns() throws Exception { + final String user = RandomUtil.randomUUIDString(); + final String password = RandomUtil.randomUUIDString(); + SecurityStoreImpl securityStore = createSecurityStore(false); + String keyOne = securityStore.createAuthenticationCacheKey(user, password, getConnectionWithUpn("user1@domain.com")); + String keyTwo = securityStore.createAuthenticationCacheKey(user, password, getConnectionWithUpn("user2@domain.com")); + assertEquals(keyOne, keyTwo); + } + + @Test + public void testIncludeUpnInAuthenticationCacheKeyDisabledWithAndWithoutUpn() throws Exception { 
+ final String user = RandomUtil.randomUUIDString(); + final String password = RandomUtil.randomUUIDString(); + SecurityStoreImpl securityStore = createSecurityStore(false); + String keyOne = securityStore.createAuthenticationCacheKey(user, password, getConnectionWithUpn("user@domain.com")); + String keyTwo = securityStore.createAuthenticationCacheKey(user, password, getConnectionWithUpn(null)); + assertEquals(keyOne, keyTwo); + } + + @Test + public void testIncludeUpnInAuthenticationCacheKeyDisabledWithIdenticalUpns() throws Exception { + final String user = RandomUtil.randomUUIDString(); + final String password = RandomUtil.randomUUIDString(); + final String upn = "user@domain.com"; + SecurityStoreImpl securityStore = createSecurityStore(false); + String keyOne = securityStore.createAuthenticationCacheKey(user, password, getConnectionWithUpn(upn)); + String keyTwo = securityStore.createAuthenticationCacheKey(user, password, getConnectionWithUpn(upn)); + assertEquals(keyOne, keyTwo); + } + + @Test + public void testIncludeUpnInAuthenticationCacheKeyDisabledWithNulls() throws Exception { + SecurityStoreImpl securityStore = createSecurityStore(false); + assertNull(securityStore.createAuthenticationCacheKey(null, null, null)); + } + + private static RemotingConnection getConnectionWithUpn(String upn) throws Exception { + RemotingConnection remotingConnection = Mockito.mock(RemotingConnection.class); + NettyServerConnection serverConnection = Mockito.mock(NettyServerConnection.class); + Mockito.when(serverConnection.getPeerCertificates()).thenReturn(new X509Certificate[]{CertificateUtilTest.generateCertificateWithUPN(upn)}); + Mockito.when(remotingConnection.getTransportConnection()).thenReturn(serverConnection); + return remotingConnection; + } + + private SecurityStoreImpl createSecurityStore(boolean includeUpnInAuthenticationCacheKey) throws NoSuchAlgorithmException { + EnumSet authenticationCacheKey = 
EnumSet.copyOf(ConfigurationImpl.DEFAULT_AUTHENTICATION_CACHE_KEY); + if (includeUpnInAuthenticationCacheKey) { + authenticationCacheKey.add(AuthenticationCacheKeyConfig.TLS_SAN_UPN); + } + return new SecurityStoreImpl(new HierarchicalObjectRepository<>(), securityManager, 999, true, "", null, null, 1, 0, authenticationCacheKey); + } } diff --git a/artemis-server/src/test/java/org/apache/activemq/artemis/core/security/jaas/StubCertificateLoginModule.java b/artemis-server/src/test/java/org/apache/activemq/artemis/core/security/jaas/StubCertificateLoginModule.java index 48b3642750f..95e651249e6 100644 --- a/artemis-server/src/test/java/org/apache/activemq/artemis/core/security/jaas/StubCertificateLoginModule.java +++ b/artemis-server/src/test/java/org/apache/activemq/artemis/core/security/jaas/StubCertificateLoginModule.java @@ -46,4 +46,9 @@ protected Set getUserRoles(String username) throws LoginException { lastUserName = username; return this.groupNames; } + + @Override + protected String getCertificateInfo(X509Certificate[] certificates) { + return userName; + } } diff --git a/artemis-server/src/test/java/org/apache/activemq/artemis/core/security/jaas/TextFileUpnCertificateLoginModuleTest.java b/artemis-server/src/test/java/org/apache/activemq/artemis/core/security/jaas/TextFileUpnCertificateLoginModuleTest.java new file mode 100644 index 00000000000..80084161b35 --- /dev/null +++ b/artemis-server/src/test/java/org/apache/activemq/artemis/core/security/jaas/TextFileUpnCertificateLoginModuleTest.java 
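Review bot: The new key tests only vary `TLS_SAN_UPN` on top of the default key set; nothing in this hunk exercises `TLS_SUBJECT_DN`, a key set that omits `USER` or `PASS`, or the case where the connection presents no peer certificate at all while UPN/DN inclusion is enabled (the `getConnectionWithUpn(null)` mock still returns a certificate, just one without a UPN). A test that builds the store with `EnumSet.of(AuthenticationCacheKeyConfig.USER, AuthenticationCacheKeyConfig.TLS_SUBJECT_DN)` and feeds two certificates with different subject DNs, plus one that mocks `getPeerCertificates()` returning `null`, would cover the remaining branches of the key construction. `createSecurityStore` is the last method in the hunk and the class closes at its end.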
@@ -0,0 +1,140 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.activemq.artemis.core.security.jaas; + +import javax.security.auth.Subject; +import javax.security.auth.callback.Callback; +import javax.security.auth.callback.UnsupportedCallbackException; +import javax.security.auth.login.LoginException; +import java.io.IOException; +import java.io.UnsupportedEncodingException; +import java.lang.invoke.MethodHandles; +import java.net.URL; +import java.net.URLDecoder; +import java.nio.charset.StandardCharsets; +import java.security.Principal; +import java.security.Security; +import java.security.cert.X509Certificate; +import java.util.Map; + +import org.apache.activemq.artemis.spi.core.security.jaas.CertificateCallback; +import org.apache.activemq.artemis.spi.core.security.jaas.CertificateLoginModule; +import org.apache.activemq.artemis.spi.core.security.jaas.JaasCallbackHandler; +import org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoader; +import org.apache.activemq.artemis.spi.core.security.jaas.TextFileUpnCertificateLoginModule; +import org.apache.activemq.artemis.spi.core.security.jaas.UserPrincipal; +import org.apache.activemq.artemis.utils.CertificateUtilTest; +import 
org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertInstanceOf;
+
+public class TextFileUpnCertificateLoginModuleTest {
+
+ private static final Logger logger = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
+
+ private static final String CERT_USERS_FILE = "upn-cert-users.properties";
+
+ private static final String CERT_GROUPS_FILE = "upn-cert-roles.properties";
+
+ static {
+ String path = System.getProperty("java.security.auth.login.config");
+ if (path == null) {
+ URL resource = TextFileUpnCertificateLoginModuleTest.class.getClassLoader().getResource("login.config");
+ if (resource != null) {
+ try {
+ path = URLDecoder.decode(resource.getFile(), StandardCharsets.UTF_8.name());
+ System.setProperty("java.security.auth.login.config", path);
+ } catch (UnsupportedEncodingException e) {
+ logger.error(e.getMessage(), e);
+ throw new RuntimeException(e);
+ }
+ }
+ }
+ }
+
+ private CertificateLoginModule loginModule;
+
+ @BeforeAll
+ static void setupProvider() {
+ Security.addProvider(new BouncyCastleProvider());
+ }
+
+ @AfterAll
+ static void cleanupProvider() {
+ Security.removeProvider("BC");
+ }
+
+ @BeforeEach
+ public void setUp() throws Exception {
+ loginModule = new TextFileUpnCertificateLoginModule();
+ }
+
+ @AfterEach
+ public void tearDown() throws Exception {
+ PropertiesLoader.resetUsersAndGroupsCache();
+ }
+
+ @Test
+ public void loginTest() throws Exception {
+ Map options = Map.of("org.apache.activemq.jaas.textfileupn.user", CERT_USERS_FILE,
+ "org.apache.activemq.jaas.textfileupn.role", CERT_GROUPS_FILE,
+ "reload", "true");
+
+ for (int i = 0; i < 10; 
i++) {
+ final String user = "user@domain" + (i + 1) + ".com";
+ Subject subject = doAuthenticate(options, getJaasCertificateCallbackHandler(user));
+ assertEquals(1, subject.getPrincipals().size());
+ Principal principal = subject.getPrincipals().iterator().next();
+ assertInstanceOf(UserPrincipal.class, principal);
+ assertEquals(user, principal.getName());
+ loginModule.logout();
+ }
+ }
+
+ private JaasCallbackHandler getJaasCertificateCallbackHandler(String user) throws Exception {
+ X509Certificate cert = CertificateUtilTest.generateCertificateWithUPN(user);
+ return new JaasCallbackHandler(null, null, null) {
+ @Override
+ public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
+ for (Callback callback : callbacks) {
+ if (callback instanceof CertificateCallback certCallback) {
+ certCallback.setCertificates(new X509Certificate[]{cert});
+ } else {
+ throw new UnsupportedCallbackException(callback);
+ }
+ }
+ }
+ };
+ }
+
+ private Subject doAuthenticate(Map options,
+ JaasCallbackHandler callbackHandler) throws LoginException {
+ Subject mySubject = new Subject();
+ loginModule.initialize(mySubject, callbackHandler, null, options);
+ loginModule.login();
+ loginModule.commit();
+ return mySubject;
+ }
+}
diff --git a/artemis-server/src/test/java/org/apache/activemq/artemis/utils/CertificateUtilTest.java b/artemis-server/src/test/java/org/apache/activemq/artemis/utils/CertificateUtilTest.java
new file mode 100644
index 00000000000..7017961e1b7
--- /dev/null
+++ b/artemis-server/src/test/java/org/apache/activemq/artemis/utils/CertificateUtilTest.java
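Review bot: loginTest covers only the accept path of TextFileUpnCertificateLoginModule; nothing verifies that a certificate whose UPN is absent from upn-cert-users.properties, or a certificate with no UPN otherName at all, is rejected, and that rejection is the property a certificate login module exists to enforce. A negative test can reuse getJaasCertificateCallbackHandler (passing null reaches generateCertificateWithUPN(null), which omits the SAN); I would expect login() to throw LoginException in both cases, but the module's exact failure mode is not visible in this hunk, so confirm it against TextFileUpnCertificateLoginModule before pinning the exception type. Separately, the static initializer's `URLDecoder.decode(resource.getFile(), StandardCharsets.UTF_8.name())` can be `URLDecoder.decode(resource.getFile(), StandardCharsets.UTF_8)`, which drops the unreachable UnsupportedEncodingException branch and the RuntimeException wrapping. `assertThrows` would need a static import next to the existing assertion imports.
```java
@Test
public void loginWithUnknownUpnTest() throws Exception {
   Map<String, String> options = Map.of("org.apache.activemq.jaas.textfileupn.user", CERT_USERS_FILE,
                                        "org.apache.activemq.jaas.textfileupn.role", CERT_GROUPS_FILE,
                                        "reload", "true");
   // a UPN that is not listed in upn-cert-users.properties must not yield a principal (sample UPN constructed for the test)
   assertThrows(LoginException.class, () -> doAuthenticate(options, getJaasCertificateCallbackHandler("nobody@domain.com")));
   // a client certificate with no UPN otherName must be rejected as well
   assertThrows(LoginException.class, () -> doAuthenticate(options, getJaasCertificateCallbackHandler(null)));
}
```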
@@ -0,0 +1,195 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.activemq.artemis.utils; + +import java.io.IOException; +import java.math.BigInteger; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.cert.X509Certificate; +import java.util.Date; + +import org.bouncycastle.asn1.ASN1Encodable; +import org.bouncycastle.asn1.ASN1EncodableVector; +import org.bouncycastle.asn1.ASN1ObjectIdentifier; +import org.bouncycastle.asn1.DERIA5String; +import org.bouncycastle.asn1.DERPrintableString; +import org.bouncycastle.asn1.DERSequence; +import org.bouncycastle.asn1.DERTaggedObject; +import org.bouncycastle.asn1.DERUTF8String; +import org.bouncycastle.asn1.x500.X500Name; +import org.bouncycastle.asn1.x509.Extension; +import org.bouncycastle.asn1.x509.GeneralName; +import org.bouncycastle.asn1.x509.GeneralNames; +import org.bouncycastle.asn1.x509.OtherName; +import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter; +import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder; +import org.bouncycastle.operator.ContentSigner; +import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; +import org.junit.jupiter.api.Test; + +import static 
org.apache.activemq.artemis.utils.CertificateUtil.UPN_OID;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNull;
+
+public class CertificateUtilTest {
+
+ private static final String TEST_UPN = "user@domain.com";
+
+ @Test
+ void testExtractUpnPositive() throws Exception {
+ String extractedUpn = CertificateUtil.getUserPrincipalName(new X509Certificate[] {generateCertificateWithUPN(TEST_UPN)});
+ assertEquals(TEST_UPN, extractedUpn, "Returned UPN should match the one embedded in the cert.");
+ }
+
+ @Test
+ void testExtractUpnNegative() throws Exception {
+ String extractedUpn = CertificateUtil.getUserPrincipalName(new X509Certificate[] {generateCertificateWithUPN(null)});
+ assertNull(extractedUpn, "Should return null when no UPN is present.");
+ }
+
+ /**
+ * Helper method to generate a self-signed v3 certificate. If upnValue is provided, it embeds it as an 'otherName' in
+ * the SAN extension.
+ */
+ public static X509Certificate generateCertificateWithUPN(String upnValue) throws Exception {
+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+ keyGen.initialize(2048);
+ KeyPair keyPair = keyGen.generateKeyPair();
+
+ long now = System.currentTimeMillis();
+ JcaX509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(
+ new X500Name("CN=Mock Issuer"),
+ BigInteger.valueOf(now),
+ new Date(now - 86400000L),
+ new Date(now + 86400000L),
+ new X500Name("CN=Mock Subject"),
+ keyPair.getPublic()
+ );
+
+ // inject the UPN into the Subject Alternative Name extension if provided
+ if (upnValue != null) {
+ OtherName otherName = new OtherName(new ASN1ObjectIdentifier(UPN_OID), new DERUTF8String(upnValue));
+ GeneralNames subjectAltNames = new GeneralNames(new GeneralName(GeneralName.otherName, otherName));
+ certBuilder.addExtension(Extension.subjectAlternativeName, false, subjectAltNames);
+ }
+
+ // sign the certificate
+ ContentSigner signer = new 
JcaContentSignerBuilder("SHA256WithRSAEncryption").build(keyPair.getPrivate());
+
+ // convert BouncyCastle builder format to standard java.security.cert.X509Certificate
+ return new JcaX509CertificateConverter().getCertificate(certBuilder.build(signer));
+ }
+
+ @Test
+ void testParseOtherNameForUpnSingleWrappedUtf8String() throws Exception {
+ byte[] derEncoded = createUpnDer(TEST_UPN, UPN_OID, DerStringOption.UTF8, false);
+ String extractedUpn = CertificateUtil.parseOtherNameForUpn(derEncoded);
+ assertEquals(TEST_UPN, extractedUpn, "Should extract UPN from single-wrapped UTF8String");
+ }
+
+ @Test
+ void testParseOtherNameForUpnSingleWrappedIa5String() throws Exception {
+ byte[] derEncoded = createUpnDer(TEST_UPN, UPN_OID, DerStringOption.IA5, false);
+ String extractedUpn = CertificateUtil.parseOtherNameForUpn(derEncoded);
+ assertEquals(TEST_UPN, extractedUpn, "Should extract UPN from single-wrapped IA5String");
+ }
+
+ @Test
+ void testParseOtherNameForUpnDoubleWrappedUtf8String() throws Exception {
+ byte[] derEncoded = createUpnDer(TEST_UPN, UPN_OID, DerStringOption.UTF8, true);
+ String extractedUpn = CertificateUtil.parseOtherNameForUpn(derEncoded);
+ assertEquals(TEST_UPN, extractedUpn, "Should extract UPN from double-wrapped UTF8String");
+ }
+
+ @Test
+ void testParseOtherNameForUpnDoubleWrappedIa5String() throws Exception {
+ byte[] derEncoded = createUpnDer(TEST_UPN, UPN_OID, DerStringOption.IA5, true);
+ String extractedUpn = CertificateUtil.parseOtherNameForUpn(derEncoded);
+ assertEquals(TEST_UPN, extractedUpn, "Should extract UPN from double-wrapped IA5String");
+ }
+
+ @Test
+ void testParseOtherNameForUpnInvalidOid() throws Exception {
+ byte[] derEncoded = createUpnDer(TEST_UPN, "2.5.4.3", DerStringOption.UTF8, false);
+ String extractedUpn = CertificateUtil.parseOtherNameForUpn(derEncoded);
+ assertNull(extractedUpn, "Should return null when OID doesn't match UPN_OID");
+ }
+
+ /**
+ * A PrintableString is a restricted character string 
type in the ASN.1 notation. It is used to describe data that + * consists only of a specific printable subset of the ASCII character set. See more at + * https://en.wikipedia.org/wiki/PrintableString. + *

+ * In the context of UPN encoding, PrintableString is not typically used because UPNs can contain non-printable + * characters. Therefore, encountering a PrintableString in a UPN context is considered invalid. + */ + @Test + void testParseOtherNameForUpnInvalidStringTag() throws Exception { + byte[] derEncoded = createUpnDer(TEST_UPN, UPN_OID, DerStringOption.PRINTABLE, false); + String extractedUpn = CertificateUtil.parseOtherNameForUpn(derEncoded); + assertNull(extractedUpn, "Should return null when string tag is not UTF8String or IA5String"); + } + + /** + * Tests the behavior when the DER-encoded byte sequence is missing the outer sequence tag. + */ + @Test + void testParseOtherNameForUpnMissingSequence() throws Exception { + byte[] derEncoded = createUpnDer(TEST_UPN, UPN_OID, DerStringOption.UTF8, false); + byte[] derEncodedSlice = new byte[derEncoded.length - 2]; + System.arraycopy(derEncoded, 2, derEncodedSlice, 0, derEncodedSlice.length); + String extractedUpn = CertificateUtil.parseOtherNameForUpn(derEncodedSlice); + assertNull(extractedUpn, "Should return null when outer sequence tag is missing"); + } + + /** + * Creates a DER-encoded byte array representing a User Principal Name (UPN) entry. + * + * @param upnValue The UPN value to encode as a string. + * @param oid The object identifier (OID) to use for the entry. + * @param derStringOption The string type (e.g., UTF8, IA5, PRINTABLE) to encode the UPN value. + * @param doubleWrap Indicates whether the string value should be wrapped in an additional tag structure. + * @return A DER-encoded byte array representing the UPN entry. + * @throws IOException If an error occurs during encoding. 
+ */
+ private static byte[] createUpnDer(String upnValue, String oid, DerStringOption derStringOption, boolean doubleWrap) throws IOException {
+ ASN1EncodableVector sequence = new ASN1EncodableVector();
+ sequence.add(new ASN1ObjectIdentifier(oid));
+ ASN1Encodable stringValue = switch (derStringOption) {
+ case UTF8 -> new DERUTF8String(upnValue);
+ case IA5 -> new DERIA5String(upnValue);
+ case PRINTABLE -> new DERPrintableString(upnValue);
+ default -> throw new IllegalArgumentException("Unsupported DER string option: " + derStringOption);
+ };
+
+ DERTaggedObject taggedString;
+ DERTaggedObject intermediateTaggedString = new DERTaggedObject(true, 0, stringValue);
+ if (doubleWrap) {
+ taggedString = new DERTaggedObject(true, 0, intermediateTaggedString);
+ } else {
+ taggedString = intermediateTaggedString;
+ }
+ sequence.add(taggedString);
+
+ return new DERSequence(sequence).getEncoded();
+ }
+
+ private enum DerStringOption {
+ UTF8, IA5, PRINTABLE
+ }
+}
diff --git a/artemis-server/src/test/resources/ConfigurationTest-full-config.xml b/artemis-server/src/test/resources/ConfigurationTest-full-config.xml
index ba33b5a739e..fec753b2ea6 100644
--- a/artemis-server/src/test/resources/ConfigurationTest-full-config.xml
+++ b/artemis-server/src/test/resources/ConfigurationTest-full-config.xml
@@ -60,6 +60,10 @@ 123456 567890 false + + USER + PASS + 98765 1234567 TEMP
diff --git a/artemis-server/src/test/resources/ConfigurationTest-xinclude-config.xml b/artemis-server/src/test/resources/ConfigurationTest-xinclude-config.xml
index 86274bc7a25..81c6ce3f4f2 100644
--- a/artemis-server/src/test/resources/ConfigurationTest-xinclude-config.xml
+++ b/artemis-server/src/test/resources/ConfigurationTest-xinclude-config.xml
@@ -61,6 +61,10 @@ 123456 567890 false + + USER + PASS + 98765 1234567 TEMP 
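Review bot: The Javadoc on testParseOtherNameForUpnInvalidStringTag gives a misleading reason for rejecting PrintableString: the PrintableString alphabet does not contain `@`, so a UPN can never be a valid PrintableString in the first place, and "UPNs can contain non-printable characters" is not what makes the tag invalid. I would replace that second paragraph with `* The PrintableString alphabet excludes '@', so a UPN cannot be validly encoded as one (the UPN otherName value is defined as a UTF8String; IA5String is presumably tolerated for lenient issuers). A PrintableString here therefore indicates a malformed or non-UPN otherName and must be rejected.` The parser consumes bytes taken from a peer-supplied certificate, yet the only malformed-input case tested is testParseOtherNameForUpnMissingSequence, which also silently assumes a single-byte short-form length when it skips two bytes; empty and truncated inputs are untested, and a test like the one below pins that they yield null rather than an exception (if the implementation currently throws, the test documents that gap; `Arrays` needs `import java.util.Arrays;`). Finally, generateCertificateWithUPN generates a fresh 2048-bit RSA key pair on every call and loginTest in TextFileUpnCertificateLoginModuleTest invokes it ten times; hoisting the key pair into a lazily initialised static holder would cut test time without changing anything asserted.
```java
@Test
void testParseOtherNameForUpnMalformedInput() throws Exception {
   byte[] derEncoded = createUpnDer(TEST_UPN, UPN_OID, DerStringOption.UTF8, false);
   // the bytes originate from a peer-supplied certificate: malformed input must map to null, never to an exception
   assertNull(CertificateUtil.parseOtherNameForUpn(new byte[0]), "Should return null for empty input");
   assertNull(CertificateUtil.parseOtherNameForUpn(Arrays.copyOf(derEncoded, derEncoded.length / 2)), "Should return null for truncated input");
}
```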
diff --git a/artemis-server/src/test/resources/ConfigurationTest-xinclude-schema-config.xml b/artemis-server/src/test/resources/ConfigurationTest-xinclude-schema-config.xml index 05c9e062be0..1569554a15c 100644 --- a/artemis-server/src/test/resources/ConfigurationTest-xinclude-schema-config.xml +++ b/artemis-server/src/test/resources/ConfigurationTest-xinclude-schema-config.xml @@ -61,6 +61,10 @@ 123456 567890 false + + USER + PASS + 98765 1234567 TEMP diff --git a/artemis-server/src/test/resources/upn-cert-roles.properties b/artemis-server/src/test/resources/upn-cert-roles.properties new file mode 100644 index 00000000000..aab571c6141 --- /dev/null +++ b/artemis-server/src/test/resources/upn-cert-roles.properties @@ -0,0 +1,16 @@ +## --------------------------------------------------------------------------- +## Licensed to the Apache Software Foundation (ASF) under one or more +## contributor license agreements. See the NOTICE file distributed with +## this work for additional information regarding copyright ownership. +## The ASF licenses this file to You under the Apache License, Version 2.0 +## (the "License"); you may not use this file except in compliance with +## the License. You may obtain a copy of the License at +## +## http://www.apache.org/licenses/LICENSE-2.0 +## +## Unless required by applicable law or agreed to in writing, software +## distributed under the License is distributed on an "AS IS" BASIS, +## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +## See the License for the specific language governing permissions and +## limitations under the License. +## --------------------------------------------------------------------------- diff --git a/artemis-server/src/test/resources/upn-cert-users.properties b/artemis-server/src/test/resources/upn-cert-users.properties new file mode 100644 index 00000000000..0023aa746ce --- /dev/null +++ b/artemis-server/src/test/resources/upn-cert-users.properties 
@@ -0,0 +1,26 @@ +## --------------------------------------------------------------------------- +## Licensed to the Apache Software Foundation (ASF) under one or more +## contributor license agreements. See the NOTICE file distributed with +## this work for additional information regarding copyright ownership. +## The ASF licenses this file to You under the Apache License, Version 2.0 +## (the "License"); you may not use this file except in compliance with +## the License. You may obtain a copy of the License at +## +## http://www.apache.org/licenses/LICENSE-2.0 +## +## Unless required by applicable law or agreed to in writing, software +## distributed under the License is distributed on an "AS IS" BASIS, +## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +## See the License for the specific language governing permissions and +## limitations under the License. +## --------------------------------------------------------------------------- +user@domain1.com +user@domain2.com +user@domain3.com +user@domain4.com +user@domain5.com +user@domain6.com +user@domain7.com +user@domain8.com +user@domain9.com +user@domain10.com diff --git a/docs/user-manual/_shared-cert-login-details.adoc b/docs/user-manual/_shared-cert-login-details.adoc new file mode 100644 index 00000000000..1a58034353b --- /dev/null +++ b/docs/user-manual/_shared-cert-login-details.adoc 
@@ -0,0 +1,9 @@ +This login module must be used in combination with SSL, and the clients must be configured with their own certificate. +In this scenario, authentication is actually performed during the SSL/TLS handshake, not directly by the JAAS certificate authentication plug-in. +The role of the plug-in is as follows: + +* To further constrain the set of acceptable users, because only the users explicitly listed in the relevant properties file are eligible to be authenticated. +* To associate a list of roles with the received user identity, facilitating integration with the authorization. +* To require the presence of an incoming certificate (by default, the SSL/TLS layer is configured to treat the presence of a client certificate as optional). + +It retrieves data from a pair of flat files. \ No newline at end of file diff --git a/docs/user-manual/security.adoc b/docs/user-manual/security.adoc index f2cd498910f..ce0ca3ddbf3 100644 --- a/docs/user-manual/security.adoc +++ b/docs/user-manual/security.adoc 
@@ -81,6 +81,62 @@ Using `0` will disable the corresponding cache. How long cache entries are valid is controlled by `security-invalidation-interval`, which is in milliseconds. The default is `10000` ms. +=== Authentication Cache Keys + +Authentication cache entries are stored and fetched using a _key_ generated from data that *uniquely identifies an authentication attempt*. +This includes username and password for the most basic use-cases. +It also includes details from the TLS certificate like the subject distinguished name (DN) and user pricipal name (UPN) for use-cases involving mutual TLS. + +By default, the username, password, and TLS certificate subject DN are included. +The TLS certificate UPN is _not_ included by default in order to maintain backwards compatiblity since it wasn't always possible to authenticate with UPN. +To configure the authentication cache key add the `authentication-cache-key` element to `broker.xml` in the `core` element, e.g.: + +[,xml] +---- + + USER + PASS + TLS_SUBJECT_DN + +---- + +Valid values include: + +USER:: +The username provided by the remote client. + +PASS:: +The password provided by the remote client. + +TLS_SUBJECT_DN:: +The subject distinguished name of the TLS certificate provided by the remote client. +This is technically only relevant in use-cases involving mutual TLS. +However, it can be included even if mutual TLS is not in use as it will not impact the ultimate key value. +Ensure this is configured when using the <>. + +TLS_SAN_UPN:: +The user principal name stored in the subject alternative name of the TLS certificate provided by the remote client. +This is technically only relevant in use-cases involving mutual TLS. +However, it can be included even if mutual TLS is not in use as it will not impact the ultimate key value. +Ensure this is configured when using the <>. + +The order of the parameters does not impact the ultimate key value. +Any combinations of parameters is possible. 
+The default includes `USER`, `PASS`, & `TLS_SUBJECT_DN`. + +All keys are hashed with a cryptographically secure algorithm before being stored in the cache. +This ensures sensitive data is not available in memory. + +[WARNING] +==== +It is *critically* important that the authentication cache key is correctly configured to include all the data being used to authenticate users. + +An incorrect configuration can lead to both positive and negative invalid authentication. +In other words, users who should not be authenticated may be, and users who should be authentication may not be. + +Users are strongly encouraged to verify the configuration before production deployments. +==== + == Tracking the Validated User To assist in security auditing the `populate-validated-user` option exists. 
@@ -960,65 +1016,38 @@ The fully qualified class name of a custom password codec for decoding masked pa See xref:masking-passwords.adoc#masking-passwords[password masking] for more details. Default is `org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec`. -==== CertificateLoginModule - -The JAAS certificate authentication login module must be used in combination with SSL and the clients must be configured with their own certificate. -In this scenario, authentication is actually performed during the SSL/TLS handshake, not directly by the JAAS certificate authentication plug-in. -The role of the plug-in is as follows: - -* To further constrain the set of acceptable users, because only the user DNs explicitly listed in the relevant properties file are eligible to be authenticated. -* To associate a list of groups with the received user identity, facilitating integration with the authorization feature. -* To require the presence of an incoming certificate (by default, the SSL/TLS layer is configured to treat the presence of a client certificate as optional). +==== TextFileCertificateLoginModule -The JAAS certificate login module stores a collection of certificate DNs in a pair of flat files. -The files associate a username and a list of group IDs with each DN. +include::_shared-cert-login-details.adoc[] +One file associates the valid certificate DNs with usernames. +The other file associates the usernames with roles. 
-The certificate login module is implemented by the following class: - -[,java] ----- -org.apache.activemq.artemis.spi.core.security.jaas.TextFileCertificateLoginModule ----- - -The following `CertLogin` login entry shows how to configure certificate login module in the login.config file: +The following `CertLogin` login entry shows how to configure certificate login module in the `login.config` file: ---- CertLogin { - org.apache.activemq.artemis.spi.core.security.jaas.TextFileCertificateLoginModule + org.apache.activemq.artemis.spi.core.security.jaas.TextFileCertificateLoginModule required debug=true org.apache.activemq.jaas.textfiledn.user="users.properties" org.apache.activemq.jaas.textfiledn.role="roles.properties"; }; ---- -In the preceding example, the JAAS realm is configured to use a single `org.apache.activemq.artemis.spi.core.security.jaas.TextFileCertificateLoginModule` login module. -The options supported by this login module are as follows: +===== Options debug:: boolean flag; -if true, enable debugging; +if `true`, enable debugging; this is used only for testing or debugging; normally, it should be set to `false`, or omitted; default is `false` org.apache.activemq.jaas.textfiledn.user:: specifies the location of the user properties file (relative to the directory containing the login configuration file). - -org.apache.activemq.jaas.textfiledn.role:: -specifies the location of the role properties file (relative to the directory containing the login configuration file). - -reload:: -boolean flag; -whether or not to reload the properties files when a modification occurs; -default is `false` - -normalise:: -boolean flag; whether the DN values should be validated and normalised into the X500Name string format used for matching; default is false. -Using this option can avoid the ambiguity around the string form of a DN that is discussed below. When true, the DN string is validated, and then normalised into the internal X500Name format. 
- -In the context of the certificate login module, the `users.properties` file consists of a list of properties of the form, `UserName=StringifiedSubjectDN` or `UserName=/SubjectDNRegExp/`. ++ +This file consists of a list of properties of the form, `UserName=StringifiedSubjectDN` or `UserName=/SubjectDNRegExp/`. For example, to define the users, `system`, `user` and `guest` as well as a `hosts` user matching several DNs, you could create a file like the following: - ++ [,properties] ---- system=CN=system,O=Progress,C=US 
@@ -1026,66 +1055,102 @@ user=CN=humble user,O=Progress,C=US guest=CN=anon,O=Progress,C=DE hosts=/CN=host\\d+\\.acme\\.com,O=Acme,C=UK/ ---- - ++ Note that the backslash character has to be escaped because it has a special treatment in properties files. - ++ Each username is mapped to a subject DN, encoded as a string (where the string encoding is specified by RFC 2253). For example, the system username is mapped to the `CN=system,O=Progress,C=US` subject DN. When performing authentication, the plug-in extracts the subject DN from the received certificate, converts it to the standard string format, and compares it with the subject DNs in the `users.properties` file by testing for string equality. Consequently, you must be careful to ensure that the subject DNs appearing in the `users.properties` file are an exact match for the subject DNs extracted from the user certificates. - ++ NOTE: Technically, there is some residual ambiguity in the DN string format. For example, the `domainComponent` attribute could be represented in a string either as the string, `DC`, or as the OID, `0.9.2342.19200300.100.1.25`. Normally, you do not need to worry about this ambiguity. But it could potentially be a problem, if you changed the underlying implementation of the Java security layer. -The easiest way to obtain the subject DNs from the user certificates is by invoking the `keytool` utility to print the certificate contents. -To print the contents of a certificate in a keystore, perform the following steps: - -. Export the certificate from the keystore file into a temporary file. -For example, to export the certificate with alias `broker-localhost` from the `broker.ks` keystore file, enter the following command: +org.apache.activemq.jaas.textfiledn.role:: +specifies the location of the role properties file (relative to the directory containing the login configuration file). 
+ -[,sh] +This file consists of a list of properties of the form, `Role=UserList`, where `UserList` is a comma-separated list of users. +For example, to define the roles `admins`, `users`, and `guests`, you could create a file like the following: ++ +[,properties] ---- -keytool -export -file broker.export -alias broker-localhost -keystore broker.ks -storepass password +admins=system +users=system,user +guests=guest ---- -+ -After running this command, the exported certificate is in the file, `broker.export`. -. Print out the contents of the exported certificate. -For example, to print out the contents of `broker.export`, enter the following command: -+ -[,sh] +reload:: +boolean flag; +whether to reload the properties files when a modification occurs; +default is `false` + +normalise:: +boolean flag; whether the DN values should be validated and normalised into the X500Name string format used for matching; default is `false`. +Using this option can avoid the ambiguity around the string form of a DN that is discussed below. When `true`, the DN string is validated, and then normalised into the internal X500Name format. + +==== TextFileUpnCertificateLoginModule + +include::_shared-cert-login-details.adoc[] +One file lists the valid UPNs. +The other file associates the UPNs with roles. + +The following `CertLogin` login entry shows how to configure certificate login module in the `login.config` file: + ---- -keytool -printcert -file broker.export +UpnCertLogin { + org.apache.activemq.artemis.spi.core.security.jaas.TextFileUpnCertificateLoginModule required + debug=true + org.apache.activemq.jaas.textfileupn.user="users.properties" + org.apache.activemq.jaas.textfileupn.role="roles.properties"; +}; ---- + +[WARNING] +==== +When using the `TextFileUpnCertificateLoginModule` be sure to <> or <>. 
+==== + +===== Options + +debug:: +boolean flag; +if `true`, enable debugging; +this is used only for testing or debugging; +normally, it should be set to `false`, or omitted; +default is `false` + +org.apache.activemq.jaas.textfileupn.user:: +specifies the location of the user file (relative to the directory containing the login configuration file). + -Which should produce output similar to that shown here: +This file consists of a list of user principal names (UPNs), e.g.: + +[,properties] ---- -Owner: CN=localhost, OU=broker, O=Unknown, L=Unknown, ST=Unknown, C=Unknown -Issuer: CN=localhost, OU=broker, O=Unknown, L=Unknown, ST=Unknown, C=Unknown -Serial number: 4537c82e -Valid from: Thu Oct 19 19:47:10 BST 2006 until: Wed Jan 17 18:47:10 GMT 2007 -Certificate fingerprints: - MD5: 3F:6C:0C:89:A8:80:29:CC:F5:2D:DA:5C:D7:3F:AB:37 - SHA1: F0:79:0D:04:38:5A:46:CE:86:E1:8A:20:1F:7B:AB:3A:46:E4:34:5C +system@domain.com +user@domain.com +guest@domain.com ---- -+ -The string following `Owner:` gives the subject DN. -The format used to enter the subject DN depends on your platform. -The `Owner:` string above could be represented as either `CN=localhost,\ OU=broker,\ O=Unknown,\ L=Unknown,\ ST=Unknown,\ C=Unknown` or `CN=localhost,OU=broker,O=Unknown,L=Unknown,ST=Unknown,C=Unknown`. -The `roles.properties` file consists of a list of properties of the form, `Role=UserList`, where `UserList` is a comma-separated list of users. +org.apache.activemq.jaas.textfileupn.role:: +specifies the location of the role properties file (relative to the directory containing the login configuration file). ++ +This file consists of a list of properties of the form, `Role=UpnList`, where `UpnList` is a comma-separated list of UPNs. 
For example, to define the roles `admins`, `users`, and `guests`, you could create a file like the following: - ++ [,properties] ---- -admins=system -users=system,user -guests=guest +admins=system@domain.com +users=system@domain.com,user@domain.com +guests=guest@domain.com ---- +reload:: +boolean flag; +whether to reload the properties files when a modification occurs; +default is `false` + ==== SCRAMPropertiesLoginModule The SCRAM properties login module implements the SASL challenge response for the SCRAM-SHA mechanism. 
@@ -1634,28 +1699,10 @@ The trust store's password. The web console supports authentication with client certificates, see the following steps: -* Add the <> to the `login.config` file, i.e. -+ ----- -activemq-cert { - org.apache.activemq.artemis.spi.core.security.jaas.TextFileCertificateLoginModule required - debug=true - org.apache.activemq.jaas.textfiledn.user="cert-users.properties" - org.apache.activemq.jaas.textfiledn.role="cert-roles.properties"; -}; ----- - -* Change the hawtio realm to match the realm defined in the `login.config` file for the <>. -This is configured in the `artemis.profile` via the system property `-Dhawtio.realm=activemq-cert`. -* Create a key pair for the client and import the public key in a truststore file. -+ ----- -keytool -storetype pkcs12 -keystore client-keystore.p12 -storepass securepass -keypass securepass -alias client -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -ext bc=ca:false -ext eku=cA -keytool -storetype pkcs12 -keystore client-keystore.p12 -storepass securepass -alias client -exportcert -rfc > client.crt -keytool -storetype pkcs12 -keystore client-truststore.p12 -storepass securepass -keypass securepass -importcert -alias client-ca -file client.crt -noprompt ----- - -* Enable secure access using HTTPS protocol with client authentication, use the truststore file created in the previous step to set the `trustStorePath` and `trustStorePassword`: +* Add either the <> or <> certificate login module to `login.config`. +* Change the HawtIO realm to match the realm defined in `login.config` for the aforementioned login module. +This is configured in the `artemis.profile` via the system property `hawtio.realm`. +* Configure the `trustStorePath` and `trustStorePassword` for the embedded web server so that it will trust the client's certificate: + [,xml] ---- 
@@ -1671,7 +1718,7 @@ keytool -storetype pkcs12 -keystore client-truststore.p12 -storepass securepass ---- -* Use the private key created in the previous step to set up your client, i.e. if the client app is a browser install the private key in the browser. +* Use your private key to set up your client (e.g., if the client app is a browser install the private key in the browser). ## Controlling JMS ObjectMessage deserialization diff --git a/docs/user-manual/versions.adoc b/docs/user-manual/versions.adoc index bec66a0e17a..c24c049a44c 100644 --- a/docs/user-manual/versions.adoc +++ b/docs/user-manual/versions.adoc @@ -744,7 +744,7 @@ Again, this only has potential impact for MQTT 3.x clients using `CleanSession=1 . Due to https://issues.apache.org/jira/browse/ARTEMIS-3892[ARTEMIS-3892] the username assigned to queues will be based on the *validated* user rather than just the username submitted by the client application. This will impact use-cases like the following: .. When `login.config` is configured with the xref:security.adoc#guestloginmodule[`GuestLoginModule`] which causes some users to be assigned a specific username and role during the authentication process. - .. When `login.config` is configured with the xref:security.adoc#certificateloginmodule[`CertificateLoginModule`] which causes users to be assigned a username and role corresponding to the subject DN from their SSL certificate. + .. When `login.config` is configured with the xref:security.adoc#textfilecertificateloginmodule[`TextFileCertificateLoginModule`] which causes users to be assigned a username and role corresponding to the subject DN from their SSL certificate. + In these kinds of situations the broker will use this assigned (i.e. validated) username for any queues created with the connection. 
@@ -1279,7 +1279,7 @@ https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315920&versio
 === Highlights
-* Support xref:security.adoc#certificateloginmodule[regular expressions for matching client certificates].
+* Support xref:security.adoc#textfilecertificateloginmodule[regular expressions for matching client certificates].
 * Support `SASL_EXTERNAL` for AMQP clients.
 * New examples showing xref:examples.adoc#openwire[virtual topic mapping] and xref:examples.adoc#exclusive-queue[exclusive queue] features.
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/management/ActiveMQServerControlTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/management/ActiveMQServerControlTest.java
index d6a5925dcea..fe607a45be2 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/management/ActiveMQServerControlTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/management/ActiveMQServerControlTest.java
@@ -293,7 +293,7 @@ public void registered(ActiveMQServer server) {
 public void testSecurityCacheSizes() throws Exception {
 ActiveMQServerControl serverControl = createManagementControl();
- Wait.assertEquals(usingCore() ? 1 : 0, serverControl::getAuthenticationCacheSize);
+ Wait.assertEquals(0, serverControl::getAuthenticationCacheSize);
 Wait.assertEquals(0, serverControl::getAuthorizationCacheSize);
 ServerLocator loc = createInVMNonHALocator();
@@ -311,7 +311,7 @@ public void testSecurityCacheSizes() throws Exception {
 m.putStringProperty("hello", "world");
 producer.send(m);
- assertEquals(usingCore() ? 2 : 1, serverControl.getAuthenticationCacheSize());
+ assertEquals(1, serverControl.getAuthenticationCacheSize());
 Wait.assertEquals(1, () -> serverControl.getAuthorizationCacheSize());
 }
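Review bot: Dropping the `usingCore() ? 1 : 0` adjustment in testSecurityCacheSizes (and the `? 2 : 1` in the second hunk, and the same pattern in testClearingSecurityCaches at the next hunk) leaves no hint why a core-protocol management connection no longer contributes an authentication-cache entry. If that is a consequence of the server-side cache-key change introduced elsewhere in this commit, a one-line comment above the first `Wait.assertEquals(0, ...)` such as `// the management connection's own credentials are no longer counted in the authentication cache` would save the next reader a bisect. I cannot see the server change from these hunks, so the wording should be confirmed against it.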
@@ -344,7 +344,7 @@ public void testClearingSecurityCaches() throws Exception {
 serverControl.clearAuthenticationCache();
 serverControl.clearAuthorizationCache();
- assertEquals(usingCore() ? 1 : 0, serverControl.getAuthenticationCacheSize());
+ assertEquals(0, serverControl.getAuthenticationCacheSize());
 assertEquals(0, serverControl.getAuthorizationCacheSize());
 }
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/management/NotificationTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/management/NotificationTest.java
index e1612ff6373..d91023cb6a7 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/management/NotificationTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/management/NotificationTest.java
@@ -184,6 +184,7 @@ public void testCONSUMER_CREATED() throws Exception {
 assertEquals(SimpleString.of("invm:0"), notifications[0].getSimpleStringProperty(ManagementHelper.HDR_REMOTE_ADDRESS));
 assertEquals(consumerName, notifications[0].getSimpleStringProperty(ManagementHelper.HDR_SESSION_NAME));
 assertEquals(SimpleString.of("unavailable"), notifications[0].getSimpleStringProperty(ManagementHelper.HDR_CERT_SUBJECT_DN));
+ assertEquals(SimpleString.of("unavailable"), notifications[0].getSimpleStringProperty(ManagementHelper.HDR_CERT_UPN));
 assertTrue(notifications[0].getTimestamp() >= start);
 assertTrue((long) notifications[0].getObjectProperty(ManagementHelper.HDR_NOTIFICATION_TIMESTAMP) >= start);
 assertEquals(notifications[0].getTimestamp(), (long) notifications[0].getObjectProperty(ManagementHelper.HDR_NOTIFICATION_TIMESTAMP));
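Review bot: The new assertion in testCONSUMER_CREATED hard-codes the `"unavailable"` placeholder for `HDR_CERT_UPN`, the same literal this change also asserts in SSLSecurityNotificationTest (`testConsumerCreated`, `testConnectionCreated`) and in both SecurityNotificationTest hunks. That value is a sentinel the broker emits when no certificate attribute is available, so one shared constant (next to `HDR_CERT_UPN` in `ManagementHelper`, or on the test base, if none exists already) would keep every test in step if the placeholder is ever renamed. As written, `SimpleString.of("unavailable")` is also rebuilt on each assertion where a `static final` would read better.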
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/management/SSLSecurityNotificationTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/management/SSLSecurityNotificationTest.java
index 766b2c13547..80328324822 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/management/SSLSecurityNotificationTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/management/SSLSecurityNotificationTest.java
@@ -27,7 +27,6 @@
 import java.lang.management.ManagementFactory;
 import java.net.URL;
-import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
@@ -83,13 +82,23 @@ public class SSLSecurityNotificationTest extends ActiveMQTestBase {
 private SimpleString notifQueue;
 @Test
- public void testSECURITY_AUTHENTICATION_VIOLATION() throws Exception {
+ public void testSecurityAuthenticationViolationDn() throws Exception {
+ testSecurityAuthenticationViolation("CertLogin", "unknown-client-keystore.jks", "CN=ActiveMQ Artemis Unknown Client, OU=Artemis, O=ActiveMQ, L=AMQ, ST=AMQ, C=AMQ", "unavailable");
+ }
+
+ @Test
+ public void testSecurityAuthenticationViolationUpn() throws Exception {
+ testSecurityAuthenticationViolation("UpnCertLogin", "unknown-upn-client-keystore.jks", "CN=ActiveMQ Artemis Unknown UPN Client, OU=Artemis, O=ActiveMQ, L=AMQ, ST=AMQ, C=AA", "unknown@domain.com");
+ }
+
+ private void testSecurityAuthenticationViolation(String configName, String keystore, String dnValue, String upnValue) throws Exception {
+ createServer(configName);
 TransportConfiguration tc = new TransportConfiguration(NETTY_CONNECTOR_FACTORY);
 tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
 tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-ca-truststore.jks");
 tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
- tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "unknown-client-keystore.jks");
+ tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, keystore);
 tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
 ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
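Review bot: The new private driver `testSecurityAuthenticationViolation` carries the same `test` prefix as the two `@Test` methods that call it, so in an IDE outline or a grep it reads like a disabled test case; a name such as `assertAuthenticationViolation(...)` or `doTestSecurityAuthenticationViolation(...)` says what it is. The UPN client's expected subject ends in `C=AA` while every other DN in this file uses `C=AMQ`; if that is not deliberate it is worth aligning in the keystore-generation script, and if it is, a short comment on the `testSecurityAuthenticationViolationUpn` call would stop readers treating it as a typo. The driver's body continues past this hunk.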
@@ -103,18 +112,20 @@ public void testSECURITY_AUTHENTICATION_VIOLATION() throws Exception { } catch (Exception e) { } - ClientMessage[] notifications = SSLSecurityNotificationTest.consumeMessages(1, notifConsumer); - assertEquals(SECURITY_AUTHENTICATION_VIOLATION.toString(), notifications[0].getObjectProperty(ManagementHelper.HDR_NOTIFICATION_TYPE).toString()); - assertNull(notifications[0].getObjectProperty(ManagementHelper.HDR_USER)); - assertEquals("CN=ActiveMQ Artemis Unknown Client, OU=Artemis, O=ActiveMQ, L=AMQ, ST=AMQ, C=AMQ", notifications[0].getObjectProperty(ManagementHelper.HDR_CERT_SUBJECT_DN).toString()); - assertTrue(notifications[0].getObjectProperty(ManagementHelper.HDR_REMOTE_ADDRESS).toString().startsWith("127.0.0.1")); - assertTrue(notifications[0].getTimestamp() >= start); - assertTrue((long) notifications[0].getObjectProperty(ManagementHelper.HDR_NOTIFICATION_TIMESTAMP) >= start); - assertEquals(notifications[0].getTimestamp(), (long) notifications[0].getObjectProperty(ManagementHelper.HDR_NOTIFICATION_TIMESTAMP)); + ClientMessage notification = SSLSecurityNotificationTest.consumeMessages(1, notifConsumer)[0]; + assertEquals(SECURITY_AUTHENTICATION_VIOLATION.toString(), notification.getObjectProperty(ManagementHelper.HDR_NOTIFICATION_TYPE).toString()); + assertNull(notification.getObjectProperty(ManagementHelper.HDR_USER)); + assertEquals(dnValue, notification.getObjectProperty(ManagementHelper.HDR_CERT_SUBJECT_DN).toString()); + assertEquals(upnValue, notification.getObjectProperty(ManagementHelper.HDR_CERT_UPN).toString()); + assertTrue(notification.getObjectProperty(ManagementHelper.HDR_REMOTE_ADDRESS).toString().startsWith("127.0.0.1")); + assertTrue(notification.getTimestamp() >= start); + assertTrue((long) notification.getObjectProperty(ManagementHelper.HDR_NOTIFICATION_TIMESTAMP) >= start); + assertEquals(notification.getTimestamp(), (long) notification.getObjectProperty(ManagementHelper.HDR_NOTIFICATION_TIMESTAMP)); } @Test - public 
void testCONSUMER_CREATED() throws Exception { + public void testConsumerCreated() throws Exception { + createServer("CertLogin"); SimpleString queue = RandomUtil.randomUUIDSimpleString(); SimpleString address = RandomUtil.randomUUIDSimpleString(); @@ -148,6 +159,7 @@ public void testCONSUMER_CREATED() throws Exception { assertEquals("first", notifications[0].getObjectProperty(ManagementHelper.HDR_VALIDATED_USER).toString()); assertEquals(address.toString(), notifications[0].getObjectProperty(ManagementHelper.HDR_ADDRESS).toString()); assertEquals("CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, ST=AMQ, C=AMQ", notifications[0].getObjectProperty(ManagementHelper.HDR_CERT_SUBJECT_DN).toString()); + assertEquals("unavailable", notifications[0].getObjectProperty(ManagementHelper.HDR_CERT_UPN).toString()); assertTrue(notifications[0].getTimestamp() >= start); assertTrue((long) notifications[0].getObjectProperty(ManagementHelper.HDR_NOTIFICATION_TIMESTAMP) >= start); assertEquals(notifications[0].getTimestamp(), (long) notifications[0].getObjectProperty(ManagementHelper.HDR_NOTIFICATION_TIMESTAMP)); @@ -156,7 +168,8 @@ public void testCONSUMER_CREATED() throws Exception { } @Test - public void testCONNECTION_CREATED() throws Exception { + public void testConnectionCreated() throws Exception { + createServer("CertLogin"); Role role = new Role("notif", true, true, true, true, false, true, true, true, true, true, false, false); Set roles = new HashSet<>(); roles.add(role); 
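Review bot: `notification.getObjectProperty(ManagementHelper.HDR_CERT_UPN).toString()` turns a missing header into a NullPointerException instead of an assertion failure, whereas the `testConnectionCreated` hunk later in this file guards the same read with `assertNotNull` first; the `testConsumerCreated` hunk (`@@ -148`) has the same gap. Adding `assertNotNull(notification.getObjectProperty(ManagementHelper.HDR_CERT_UPN));` before the new `assertEquals(upnValue, ...)` line (and the equivalent in `testConsumerCreated`) keeps the failure message meaningful and the three tests consistent.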
@@ -179,6 +192,8 @@ public void testCONNECTION_CREATED() throws Exception {
 assertEquals(CONNECTION_CREATED.toString(), notification.getObjectProperty(ManagementHelper.HDR_NOTIFICATION_TYPE).toString());
 assertNotNull(notification.getObjectProperty(ManagementHelper.HDR_CERT_SUBJECT_DN));
 assertEquals("CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, ST=AMQ, C=AMQ", notification.getObjectProperty(ManagementHelper.HDR_CERT_SUBJECT_DN).toString());
+ assertNotNull(notification.getObjectProperty(ManagementHelper.HDR_CERT_UPN));
+ assertEquals("unavailable", notification.getObjectProperty(ManagementHelper.HDR_CERT_UPN).toString());
 assertTrue(notification.getObjectProperty(ManagementHelper.HDR_REMOTE_ADDRESS).toString().startsWith("127.0.0.1"));
 assertTrue(notification.getTimestamp() >= start);
 assertTrue((long) notification.getObjectProperty(ManagementHelper.HDR_NOTIFICATION_TIMESTAMP) >= start);
@@ -189,23 +204,24 @@ public void testCONNECTION_CREATED() throws Exception { @BeforeEach public void setUp() throws Exception { super.setUp(); - ActiveMQJAASSecurityManager securityManager = new ActiveMQJAASSecurityManager("CertLogin"); - server = addServer(ActiveMQServers.newActiveMQServer(createDefaultInVMConfig().setSecurityEnabled(true), ManagementFactory.getPlatformMBeanServer(), securityManager, false)); - Map params = new HashMap<>(); - params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true); - params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-keystore.jks"); - params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass"); - params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "client-ca-truststore.jks"); - params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass"); - params.put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, true); + } + + private void createServer(String configName) throws Exception { + ActiveMQJAASSecurityManager securityManager = new ActiveMQJAASSecurityManager(configName); + server = addServer(ActiveMQServers.newActiveMQServer(createDefaultInVMConfig().setSecurityEnabled(true).setClusterUser("x").setClusterPassword("x"), ManagementFactory.getPlatformMBeanServer(), securityManager, false)); + + Map params = Map.of(TransportConstants.SSL_ENABLED_PROP_NAME, true, + TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-keystore.jks", + TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass", + TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "client-ca-truststore.jks", + TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass", + TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, true); server.getConfiguration().addAcceptorConfiguration(new TransportConfiguration(NETTY_ACCEPTOR_FACTORY, params)); ActiveMQServerPlugin plugin = new NotificationActiveMQServerPlugin(); - Map init = new HashMap(); - init.put(NotificationActiveMQServerPlugin.SEND_CONNECTION_NOTIFICATIONS, "true"); - 
plugin.init(init); + plugin.init(Map.of(NotificationActiveMQServerPlugin.SEND_CONNECTION_NOTIFICATIONS, "true")); server.registerBrokerPlugin(plugin); server.start(); @@ -217,16 +233,9 @@ public void setUp() throws Exception { roles.add(role); server.getSecurityRepository().addMatch(ActiveMQDefaultConfiguration.getDefaultManagementNotificationAddress().toString(), roles); - TransportConfiguration tc = new TransportConfiguration(NETTY_CONNECTOR_FACTORY); - tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true); - tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-ca-truststore.jks"); - tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass"); - tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "client-keystore.jks"); - tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass"); - - ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc)); + ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocator("vm://0")); ClientSessionFactory sf = addSessionFactory(createSessionFactory(locator)); - adminSession = sf.createSession(true, true, 1); + adminSession = sf.createSession("x", "x", false, true, true, false, 1); adminSession.start(); adminSession.createQueue(QueueConfiguration.of(notifQueue).setAddress(ActiveMQDefaultConfiguration.getDefaultManagementNotificationAddress()).setDurable(false).setTemporary(true)); @@ -259,6 +268,4 @@ protected static ClientMessage[] consumeMessages(final int expected, return messages; } - - } diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/management/SecurityNotificationTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/management/SecurityNotificationTest.java index cc509f940d9..bc661402992 100644 
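Review bot: In `createServer`, `Map.of(...)` is now handed to `new TransportConfiguration(NETTY_ACCEPTOR_FACTORY, params)` and to `plugin.init(...)`, where both previously received mutable `HashMap`s; if either callee, or anything that later reads `getParams()`, puts or overwrites an entry, the immutable map throws `UnsupportedOperationException` at runtime. I cannot see those implementations from here, so either confirm they never mutate the map or wrap it as `new HashMap<>(Map.of(...))`. Separately, `setUp` no longer creates the server, so a test that forgets `createServer(...)` fails with an NPE on `server` deep inside the test; a comment above `setUp` such as `// each test must call createServer(configName) before using server` would make that contract explicit.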
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/management/SecurityNotificationTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/management/SecurityNotificationTest.java
@@ -91,6 +91,7 @@ public void testSECURITY_AUTHENTICATION_VIOLATION() throws Exception {
 assertEquals(SECURITY_AUTHENTICATION_VIOLATION.toString(), notifications[0].getObjectProperty(ManagementHelper.HDR_NOTIFICATION_TYPE).toString());
 assertEquals(unknownUser, notifications[0].getObjectProperty(ManagementHelper.HDR_USER).toString());
 assertEquals("unavailable", notifications[0].getObjectProperty(ManagementHelper.HDR_CERT_SUBJECT_DN).toString());
+ assertEquals("unavailable", notifications[0].getObjectProperty(ManagementHelper.HDR_CERT_UPN).toString());
 assertEquals("invm:0", notifications[0].getObjectProperty(ManagementHelper.HDR_REMOTE_ADDRESS).toString());
 assertTrue(notifications[0].getTimestamp() >= start);
 assertTrue((long) notifications[0].getObjectProperty(ManagementHelper.HDR_NOTIFICATION_TIMESTAMP) >= start);
@@ -210,6 +211,7 @@ public void testCONSUMER_CREATED() throws Exception {
 assertEquals("guest", notifications[0].getObjectProperty(ManagementHelper.HDR_VALIDATED_USER).toString());
 assertEquals(address.toString(), notifications[0].getObjectProperty(ManagementHelper.HDR_ADDRESS).toString());
 assertEquals(SimpleString.of("unavailable"), notifications[0].getSimpleStringProperty(ManagementHelper.HDR_CERT_SUBJECT_DN));
+ assertEquals(SimpleString.of("unavailable"), notifications[0].getSimpleStringProperty(ManagementHelper.HDR_CERT_UPN));
 assertTrue(notifications[0].getTimestamp() >= start);
 assertTrue((long) notifications[0].getObjectProperty(ManagementHelper.HDR_NOTIFICATION_TIMESTAMP) >= start);
 assertEquals(notifications[0].getTimestamp(), (long) notifications[0].getObjectProperty(ManagementHelper.HDR_NOTIFICATION_TIMESTAMP));
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/SecurityTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/SecurityTest.java
index 21fafdb48fd..5d00cd8a310 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/SecurityTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/SecurityTest.java
@@ -269,25 +269,35 @@ public void testJAASSecurityManagerAuthenticationWithValidateUser() throws Excep @Test public void testJAASSecurityManagerAuthenticationWithCerts() throws Exception { - testJAASSecurityManagerAuthenticationWithCerts("CertLogin", TransportConstants.NEED_CLIENT_AUTH_PROP_NAME); + testJAASSecurityManagerAuthenticationWithCerts("CertLogin", TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, "client-keystore.jks"); } @Test public void testJAASSecurityManagerAuthenticationWithCertsWantClientAuth() throws Exception { - testJAASSecurityManagerAuthenticationWithCerts("CertLogin", TransportConstants.WANT_CLIENT_AUTH_PROP_NAME); + testJAASSecurityManagerAuthenticationWithCerts("CertLogin", TransportConstants.WANT_CLIENT_AUTH_PROP_NAME, "client-keystore.jks"); } @Test public void testJAASSecurityManagerAuthenticationWithRegexps() throws Exception { - testJAASSecurityManagerAuthenticationWithCerts("CertLoginWithRegexp", TransportConstants.NEED_CLIENT_AUTH_PROP_NAME); + testJAASSecurityManagerAuthenticationWithCerts("CertLoginWithRegexp", TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, "client-keystore.jks"); } @Test public void testJAASSecurityManagerAuthenticationWithRegexpsWantClientAuth() throws Exception { - testJAASSecurityManagerAuthenticationWithCerts("CertLoginWithRegexp", TransportConstants.WANT_CLIENT_AUTH_PROP_NAME); + testJAASSecurityManagerAuthenticationWithCerts("CertLoginWithRegexp", TransportConstants.WANT_CLIENT_AUTH_PROP_NAME, "client-keystore.jks"); } - protected void testJAASSecurityManagerAuthenticationWithCerts(String secManager, String clientAuthPropName) throws Exception { + @Test + public void testJAASSecurityManagerAuthenticationWithUpnCerts() throws Exception { + testJAASSecurityManagerAuthenticationWithCerts("UpnCertLogin", TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, "upn-client-keystore.jks"); + } + + @Test + public void testJAASSecurityManagerAuthenticationWithUpnCertsWantClientAuth() throws Exception { + 
testJAASSecurityManagerAuthenticationWithCerts("UpnCertLogin", TransportConstants.WANT_CLIENT_AUTH_PROP_NAME, "upn-client-keystore.jks"); + } + + protected void testJAASSecurityManagerAuthenticationWithCerts(String secManager, String clientAuthPropName, String keystore) throws Exception { ActiveMQJAASSecurityManager securityManager = new ActiveMQJAASSecurityManager(secManager); ActiveMQServer server = addServer(ActiveMQServers.newActiveMQServer(createDefaultInVMConfig().setSecurityEnabled(true), ManagementFactory.getPlatformMBeanServer(), securityManager, false)); @@ -307,7 +317,7 @@ protected void testJAASSecurityManagerAuthenticationWithCerts(String secManager, tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true); tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-ca-truststore.jks"); tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass"); - tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "client-keystore.jks"); + tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, keystore); tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass"); ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc)); ClientSessionFactory cf = createSessionFactory(locator); @@ -495,17 +505,27 @@ public void testJAASSecurityManagerAuthenticationBadPassword() throws Exception } /** - * This test requires a client-side certificate that will be trusted by the server but whose dname will be rejected - * by the CertLogin login module. I created this cert with the follow commands: - *
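Review bot: The parameter order of `testJAASSecurityManagerAuthenticationWithCerts(String secManager, String clientAuthPropName, String keystore)` differs from the sibling driver this change introduces in the `@@ -1148` hunk, `testJAASSecurityManagerAuthorizationPositiveWithCerts(String clientAuthPropName, String configName, String keystore)`, and the same concept is named `secManager` in one and `configName` in the other. Every call site passes three string literals, so the compiler cannot catch a swapped argument; aligning both drivers on `(configName, clientAuthPropName, keystore)` would. The six `@Test` wrappers now differ only in that triple, which is the shape a JUnit 5 `@ParameterizedTest` with `@CsvSource` is made for, provided `junit-jupiter-params` is already on the test classpath. The driver's body runs past this hunk.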

{@code
-    * keytool -genkey -keystore bad-client-keystore.jks -storepass securepass -keypass securepass -dname "CN=Bad Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
-    * keytool -export -keystore bad-client-keystore.jks -file activemq-jks.cer -storepass securepass
-    * keytool -import -keystore client-ca-truststore.jks -file activemq-jks.cer -storepass securepass -keypass securepass -noprompt -alias bad
-    * }
+ * This test requires a client-side certificate that will be trusted by the server but whose DN will be rejected + * by the {@code TextFileCertificateLoginModule} login module. */ @Test - public void testJAASSecurityManagerAuthenticationWithBadClientCert() throws Exception { - ActiveMQJAASSecurityManager securityManager = new ActiveMQJAASSecurityManager("CertLogin"); + public void testJAASSecurityManagerAuthenticationWithBadDnClientCert() throws Exception { + testJAASSecurityManagerAuthenticationWithBadClientCert("CertLogin", "unknown-client-keystore.jks"); + } + + + /** + * This test requires a client-side certificate that will be trusted by the server but whose UPN will be rejected + * by the {@code TextFileUpnCertificateLoginModule} login module. + */ + @Test + public void testJAASSecurityManagerAuthenticationWithBadUpnClientCert() throws Exception { + testJAASSecurityManagerAuthenticationWithBadClientCert("UpnCertLogin", "unknown-upn-client-keystore.jks"); + + } + + private void testJAASSecurityManagerAuthenticationWithBadClientCert(String configName, String keystore) throws Exception { + ActiveMQJAASSecurityManager securityManager = new ActiveMQJAASSecurityManager(configName); ActiveMQServer server = addServer(ActiveMQServers.newActiveMQServer(createDefaultInVMConfig().setSecurityEnabled(true), ManagementFactory.getPlatformMBeanServer(), securityManager, false)); Map params = new HashMap<>(); 
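Review bot: The rewritten Javadoc drops the `keytool` commands that told a reader where `unknown-client-keystore.jks` comes from and says nothing about the new `unknown-upn-client-keystore.jks`; both are now produced by `tests/security-resources/build.sh`, which this same change edits, so a sentence such as `The keystores referenced here are generated by tests/security-resources/build.sh.` in each of the two Javadocs would restore the provenance. There is also stray whitespace: two blank lines separate `testJAASSecurityManagerAuthenticationWithBadDnClientCert` from the next Javadoc, and `testJAASSecurityManagerAuthenticationWithBadUpnClientCert` has an empty line before its closing brace. The new private driver's body continues past this hunk.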
@@ -524,7 +544,7 @@ public void testJAASSecurityManagerAuthenticationWithBadClientCert() throws Exce
 tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
 tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-ca-truststore.jks");
 tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
- tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "unknown-client-keystore.jks");
+ tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, keystore);
 tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
 ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
 ClientSessionFactory cf = createSessionFactory(locator);
@@ -943,12 +963,21 @@ public void testJAASSecurityManagerFQQNAuthorizationWithJMS() throws Exception {
 }
 @Test
- public void testJAASSecurityManagerAuthorizationNegativeWithCerts() throws Exception {
+ public void testJAASSecurityManagerAuthorizationNegativeWithDnCerts() throws Exception {
+ testJAASSecurityManagerAuthorizationNegativeWithCerts("CertLogin", "client-keystore.jks");
+ }
+
+ @Test
+ public void testJAASSecurityManagerAuthorizationNegativeWithUpnCerts() throws Exception {
+ testJAASSecurityManagerAuthorizationNegativeWithCerts("UpnCertLogin", "upn-client-keystore.jks");
+ }
+
+ private void testJAASSecurityManagerAuthorizationNegativeWithCerts(String configName, String keystore) throws Exception {
 final SimpleString ADDRESS = SimpleString.of("address");
 final SimpleString DURABLE_QUEUE = SimpleString.of("durableQueue");
 final SimpleString NON_DURABLE_QUEUE = SimpleString.of("nonDurableQueue");
- ActiveMQJAASSecurityManager securityManager = new ActiveMQJAASSecurityManager("CertLogin");
+ ActiveMQJAASSecurityManager securityManager = new ActiveMQJAASSecurityManager(configName);
 ActiveMQServer server = addServer(ActiveMQServers.newActiveMQServer(createDefaultInVMConfig().setSecurityEnabled(true), ManagementFactory.getPlatformMBeanServer(), securityManager, false));
 Map params = new HashMap<>();
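Review bot: The new driver `testJAASSecurityManagerAuthorizationNegativeWithCerts` is `private`, while the pre-existing drivers `testJAASSecurityManagerAuthenticationWithCerts` and `testJAASSecurityManagerAuthorizationPositiveWithCerts`, both re-signed in this change, stay `protected`; `testJAASSecurityManagerAuthenticationWithBadClientCert` in the `@@ -495` hunk is `private` as well. If subclasses are meant to override these drivers, all four should be `protected`; if no subclass does, the two old ones could be narrowed to `private` so the file follows one rule. The method body runs past the end of this hunk.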
@@ -971,7 +1000,7 @@ public void testJAASSecurityManagerAuthorizationNegativeWithCerts() throws Excep
 tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
 tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-ca-truststore.jks");
 tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
- tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "client-keystore.jks");
+ tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, keystore);
 tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
 ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
 ClientSessionFactory cf = createSessionFactory(locator);
@@ -1148,21 +1177,31 @@ private void internalTestJAASSecurityManagerAuthorizationPositive(boolean useUui } @Test - public void testJAASSecurityManagerAuthorizationPositiveWithCerts() throws Exception { - testJAASSecurityManagerAuthorizationPositiveWithCerts(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME); + public void testJAASSecurityManagerAuthorizationPositiveWithDnCerts() throws Exception { + testJAASSecurityManagerAuthorizationPositiveWithCerts(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, "CertLogin", "client-keystore.jks"); } @Test - public void testJAASSecurityManagerAuthorizationPositiveWithCertsWantClientAuth() throws Exception { - testJAASSecurityManagerAuthorizationPositiveWithCerts(TransportConstants.WANT_CLIENT_AUTH_PROP_NAME); + public void testJAASSecurityManagerAuthorizationPositiveWithDnCertsWantClientAuth() throws Exception { + testJAASSecurityManagerAuthorizationPositiveWithCerts(TransportConstants.WANT_CLIENT_AUTH_PROP_NAME, "CertLogin", "client-keystore.jks"); } - protected void testJAASSecurityManagerAuthorizationPositiveWithCerts(String clientAuthPropName) throws Exception { + @Test + public void testJAASSecurityManagerAuthorizationPositiveWithUpnCerts() throws Exception { + testJAASSecurityManagerAuthorizationPositiveWithCerts(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, "UpnCertLogin", "upn-client-keystore.jks"); + } + + @Test + public void testJAASSecurityManagerAuthorizationPositiveWithUpnCertsWantClientAuth() throws Exception { + testJAASSecurityManagerAuthorizationPositiveWithCerts(TransportConstants.WANT_CLIENT_AUTH_PROP_NAME, "UpnCertLogin", "upn-client-keystore.jks"); + } + + protected void testJAASSecurityManagerAuthorizationPositiveWithCerts(String clientAuthPropName, String configName, String keystore) throws Exception { final SimpleString ADDRESS = SimpleString.of("address"); final SimpleString DURABLE_QUEUE = SimpleString.of("durableQueue"); final SimpleString NON_DURABLE_QUEUE = SimpleString.of("nonDurableQueue"); - 
ActiveMQJAASSecurityManager securityManager = new ActiveMQJAASSecurityManager("CertLogin"); + ActiveMQJAASSecurityManager securityManager = new ActiveMQJAASSecurityManager(configName); ActiveMQServer server = addServer(ActiveMQServers.newActiveMQServer(createDefaultInVMConfig().setSecurityEnabled(true), ManagementFactory.getPlatformMBeanServer(), securityManager, false)); Map params = new HashMap<>(); @@ -1184,7 +1223,7 @@ protected void testJAASSecurityManagerAuthorizationPositiveWithCerts(String clie tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true); tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-ca-truststore.jks"); tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass"); - tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "client-keystore.jks"); + tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, keystore); tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass"); ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc)); ClientSessionFactory cf = createSessionFactory(locator); diff --git a/tests/integration-tests/src/test/resources/login.config b/tests/integration-tests/src/test/resources/login.config index e4156daa8d6..56073defca3 100644 --- a/tests/integration-tests/src/test/resources/login.config +++ b/tests/integration-tests/src/test/resources/login.config @@ -259,6 +259,13 @@ CertLoginWithRegexp { org.apache.activemq.jaas.textfiledn.role="cert-roles.properties"; }; +UpnCertLogin { + org.apache.activemq.artemis.spi.core.security.jaas.TextFileUpnCertificateLoginModule required + debug=true + org.apache.activemq.jaas.textfileupn.user="upn-cert-users.properties" + org.apache.activemq.jaas.textfileupn.role="upn-cert-roles.properties"; +}; + DualAuthenticationCertLogin { org.apache.activemq.artemis.spi.core.security.jaas.TextFileCertificateLoginModule required debug=true 
diff --git a/tests/integration-tests/src/test/resources/upn-cert-roles.properties b/tests/integration-tests/src/test/resources/upn-cert-roles.properties new file mode 100644 index 00000000000..f9c8f6aa7a7 --- /dev/null +++ b/tests/integration-tests/src/test/resources/upn-cert-roles.properties @@ -0,0 +1,18 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +programmers=user@domain.com diff --git a/tests/integration-tests/src/test/resources/upn-cert-users.properties b/tests/integration-tests/src/test/resources/upn-cert-users.properties new file mode 100644 index 00000000000..99a23a20207 --- /dev/null +++ b/tests/integration-tests/src/test/resources/upn-cert-users.properties 
@@ -0,0 +1,18 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +user@domain.com diff --git a/tests/security-resources/build.sh b/tests/security-resources/build.sh index 6aa1e8ea16e..8f3a62cb2d8 100755 --- a/tests/security-resources/build.sh +++ b/tests/security-resources/build.sh 
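Review bot: The only entry in the new `upn-cert-users.properties` is the bare line `user@domain.com` with no `=value`, which `java.util.Properties` reads as key `user@domain.com` mapped to an empty string. If `TextFileUpnCertificateLoginModule` follows the `username=identity` layout of the existing `textfiledn` users file (not visible in this diff), that maps the user to an empty UPN and the match can only succeed if the module compares against the key; the roles file `programmers=user@domain.com` likewise treats the UPN itself as the username. Either spell the mapping out as `user@domain.com=user@domain.com` or document the expected layout in a header so the file cannot be misread, e.g. `# <username>=<UPN from the client certificate's SAN otherName>; a bare line means the UPN is also the username` (only if that is indeed the module's rule — please confirm). If the module compares UPNs case-sensitively, a second entry with a mixed-case domain part would also be worth covering, since UPN domain suffixes are conventionally case-insensitive.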
@@ -154,6 +154,36 @@ keytool -storetype pkcs12 -keystore unknown-client-keystore.p12 -storepass $STOR keytool -importkeystore -srckeystore unknown-client-keystore.p12 -destkeystore unknown-client-keystore.jceks -srcstoretype pkcs12 -deststoretype jceks -srcstorepass securepass -deststorepass securepass keytool -importkeystore -srckeystore unknown-client-keystore.p12 -destkeystore unknown-client-keystore.jks -srcstoretype pkcs12 -deststoretype jks -srcstorepass securepass -deststorepass securepass +# Create a key pair for a client using UPN for authentication, and sign it with the CA. +# Use OpenSSL to create the cert since keytool has trouble with setting the UPN. +# ---------------------------------------------------------- +openssl req -new -x509 -newkey rsa:2048 -nodes -keyout upn-client-keystore.key -out upn-client-keystore.crt -days $VALIDITY -subj "/C=AA/ST=AMQ/L=AMQ/O=ActiveMQ/OU=Artemis/CN=ActiveMQ Artemis UPN Client" +openssl pkcs12 -export -in upn-client-keystore.crt -inkey upn-client-keystore.key -out upn-client-keystore.p12 -name "upn-client" -passout pass:$STORE_PASS + +keytool -storetype pkcs12 -keystore upn-client-keystore.p12 -storepass $STORE_PASS -alias upn-client -certreq -file upn-client.csr +openssl x509 -req -in upn-client.csr -CA client-ca.crt -CAkey client-ca.pem -CAcreateserial -out upn-client.crt -days $VALIDITY -sha256 -extfile <(printf "basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\nsubjectAltName=otherName:1.3.6.1.4.1.311.20.2.3;UTF8:user@domain.com,DNS:upn-client.artemis.activemq,DNS:localhost,IP:127.0.0.1") + +keytool -storetype pkcs12 -keystore upn-client-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias client-ca -file client-ca.crt -noprompt +keytool -storetype pkcs12 -keystore upn-client-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias upn-client -file upn-client.crt + +keytool -importkeystore -srckeystore upn-client-keystore.p12 -destkeystore upn-client-keystore.jceks 
-srcstoretype pkcs12 -deststoretype jceks -srcstorepass $STORE_PASS -deststorepass $STORE_PASS +keytool -importkeystore -srckeystore upn-client-keystore.p12 -destkeystore upn-client-keystore.jks -srcstoretype pkcs12 -deststoretype jks -srcstorepass $STORE_PASS -deststorepass $STORE_PASS + +# Create a key pair for an unknown client using UPN for authentication, and sign it with the CA. +# Use OpenSSL to create the cert since keytool has trouble with setting the UPN. +# ---------------------------------------------------------- +openssl req -new -x509 -newkey rsa:2048 -nodes -keyout unknown-upn-client-keystore.key -out unknown-upn-client-keystore.crt -days $VALIDITY -subj "/C=AA/ST=AMQ/L=AMQ/O=ActiveMQ/OU=Artemis/CN=ActiveMQ Artemis Unknown UPN Client" +openssl pkcs12 -export -in unknown-upn-client-keystore.crt -inkey unknown-upn-client-keystore.key -out unknown-upn-client-keystore.p12 -name "unknown-upn-client" -passout pass:$STORE_PASS + +keytool -storetype pkcs12 -keystore unknown-upn-client-keystore.p12 -storepass $STORE_PASS -alias unknown-upn-client -certreq -file unknown-upn-client.csr +openssl x509 -req -in unknown-upn-client.csr -CA client-ca.crt -CAkey client-ca.pem -CAcreateserial -out unknown-upn-client.crt -days $VALIDITY -sha256 -extfile <(printf "basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\nsubjectAltName=otherName:1.3.6.1.4.1.311.20.2.3;UTF8:unknown@domain.com,DNS:unknown-upn-client.artemis.activemq,DNS:localhost,IP:127.0.0.1") + +keytool -storetype pkcs12 -keystore unknown-upn-client-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias client-ca -file client-ca.crt -noprompt +keytool -storetype pkcs12 -keystore unknown-upn-client-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias unknown-upn-client -file unknown-upn-client.crt + +keytool -importkeystore -srckeystore unknown-upn-client-keystore.p12 -destkeystore unknown-upn-client-keystore.jceks -srcstoretype pkcs12 -deststoretype jceks 
-srcstorepass $STORE_PASS -deststorepass $STORE_PASS +keytool -importkeystore -srckeystore unknown-upn-client-keystore.p12 -destkeystore unknown-upn-client-keystore.jks -srcstoretype pkcs12 -deststoretype jks -srcstorepass $STORE_PASS -deststorepass $STORE_PASS + # PEM versions ## separate private and public cred pem files combined for the keystore via prop openssl pkcs12 -in server-keystore.p12 -out server-cert.pem -clcerts -nokeys -password pass:$STORE_PASS @@ -192,4 +222,4 @@ keytool -keypasswd -keystore server-keystore-keypass.jceks -storepass $STORE_PAS # Clean up working files # ----------------------- -rm -f *.crt *.csr openssl-* +rm -f *.crt *.csr openssl-* *.key *.srl diff --git a/tests/security-resources/client-and-server-ca-certs.pem b/tests/security-resources/client-and-server-ca-certs.pem index 6b882177dbc..8facfd52d9a 100644 --- a/tests/security-resources/client-and-server-ca-certs.pem +++ b/tests/security-resources/client-and-server-ca-certs.pem 
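Review bot: The `openssl req -new -x509` line that opens each new section produces a self-signed certificate whose only purpose is to seed a PKCS#12 from which `keytool -certreq` extracts a CSR; the CA-signed certificate then overwrites it with `-importcert -alias upn-client`. Requesting a CSR directly (`openssl req -new -newkey rsa:2048 -nodes -keyout upn-client.key -out upn-client.csr -subj ...`) and packaging the signed result with `openssl pkcs12 -export -in upn-client.crt -inkey upn-client.key -certfile client-ca.crt -name upn-client -passout pass:$STORE_PASS` would drop the keytool round trip and the throwaway certificate, and the same applies to the unknown-upn-client section. The unencrypted `.key` files written by `-nodes` survive until the `rm -f` at the very end of the script; unless the preamble (outside this hunk) already runs under `set -e` with an exit trap, a failure midway leaves them on disk, so `trap 'rm -f *.key *.csr *.srl' EXIT` near the top is the safer cleanup. It is also worth recording why the UPN is injected through `-extfile`: `openssl x509 -req` does not take extensions from the CSR unless `-copy_extensions` is given (OpenSSL 3), so the signer alone decides the UPN, which is exactly the property the login module's trust in `client-ca` relies on, e.g. `# UPN is asserted by the signer via -extfile, never copied from the CSR`.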
@@ -1,42 +1,42 @@ -----BEGIN CERTIFICATE----- -MIIDdTCCAl2gAwIBAgIJAJkUaBwB0GpUMA0GCSqGSIb3DQEBCwUAMF8xETAPBgNV -BAoTCEFjdGl2ZU1RMRAwDgYDVQQLEwdBcnRlbWlzMTgwNgYDVQQDEy9BY3RpdmVN -USBBcnRlbWlzIENsaWVudCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAgFw0yNDAz -MjIxMTUxMjlaGA8zMDIzMDcyNDExNTEyOVowXzERMA8GA1UEChMIQWN0aXZlTVEx -EDAOBgNVBAsTB0FydGVtaXMxODA2BgNVBAMTL0FjdGl2ZU1RIEFydGVtaXMgQ2xp -ZW50IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOC -AQ8AMIIBCgKCAQEAl8cFCGopD43ChXIcmEBNREmaFGwY3nlRkvmyhX7X0p+7sMVF -b1oxEkLl0Bv9vluc7faQPC51ikPFE7cFdWvsTAxkDsMC/3lnAveVcaJi+9x+ndNl -sTL3WIZXQ/JBq9WgZb4Xrl1Bwq+xAf58o/pgc8sY6mgXIJgte5HVLZB1N+pqG1Ce -O4siVvVeew74Md5gh3gzwIkq6svEoRR6mvx+ima4y942bqdO/rXzBKkVKPM3Wozg -Oj+5y7oM9oeg8B0x8vH/nO2HZAM5lBhK5o0ZDpDrOa6Q445gZqjcn13fEaNAhTo+ -Ak5x7ZMZkuipZPjIEg/9FwcC0qM2nJhy8lBLSwIDAQABozIwMDAdBgNVHQ4EFgQU -mQHkKAJROOr1cSjoSuMcvR0s0OswDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B -AQsFAAOCAQEAdraRmTJvQ4lE+3pg4oz8IZbPhoXQRi/9xMOuDMgaBngxcIy/orT0 -0+rMQDw/UpPvGYzHzxG7F9Euw2HvxF/fGTLrHXLDlPlGmORwWvGR3nRPxCG8wi2b -Zc7d9WUZ5zfIZ346ht/1QuyHHCLU9gaJP1irJA1fJ3ZJdnIDcjG17keM51vF8Jtl -J08WzHQ6BKJy4auR041BxF+wHZBSVF5n5D2DLC+VcBL7MgVXaddyWGkr3UU8U67T -V/o6VEnGTKwZ/a/RAHB8Aex2/GFfEivsaBYe8gbhbzFjCWkoKg0jkjqKDw9Dwk3n -7Lo5GrWoHASyFYB/FM6rjDBW0bT97MVJog== +MIIDdDCCAlygAwIBAgIIVRe7mOWvH7MwDQYJKoZIhvcNAQELBQAwXzERMA8GA1UE +ChMIQWN0aXZlTVExEDAOBgNVBAsTB0FydGVtaXMxODA2BgNVBAMTL0FjdGl2ZU1R +IEFydGVtaXMgQ2xpZW50IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MCAXDTI2MDQw +NzAyMTE1MloYDzMwMjUwODA4MDIxMTUyWjBfMREwDwYDVQQKEwhBY3RpdmVNUTEQ +MA4GA1UECxMHQXJ0ZW1pczE4MDYGA1UEAxMvQWN0aXZlTVEgQXJ0ZW1pcyBDbGll +bnQgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQCwoFdWwb9B8tLq7rzoQVecEYLTqBCzoOxw3ToDZz8cJVRg4o4V +4VXXGVyxPslma6SD4PldlyZZT6FYbdta/BUL5gZWXgvML6ZXsV3A7UJFLVO6BJ/8 +lePuCfDzppsb4ru9/8qs2zs0rPmfDmP0dkY8D8lbbXDxJ+ZCxaEn3nfqH/fMwAme ++giZdcOIdidLpWpb6+rFe7L8TuJtG4eHx48L2OdZNNegvAKYcIs/bqRERpbxbsAn +NmnxWKctsnOpsLtqcBtj80qUocxjKkHS5LQPz5mG9ONCUDDaV4jRtqvvYmIJjUnK 
+eDWfTNIvcAPL51O/Vn8soPn+YEw22TU+Ymk3AgMBAAGjMjAwMB0GA1UdDgQWBBSH +/6+PDDI+NTWJy7Tv65tV9wgo4DAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEB +CwUAA4IBAQAhU2bnmHwwrYZRxZOrJ5IuufWs3QqUEGtUomuLYRPrB4/4h6DfMcww +SVUarL8SEuL144kLZMPey0SMtj2mh7qRJJus1y8Vogj/rf3QQ9mWnqo3Cddl8heu +c3mtBgJVN0NJNrFC91blYfJjQ397HbBBBKRH6yL1yMOm2uSSkDqjxc0y6xu8qLFm +WBzC/KSC5ytupsBx3lxMdBK7buYWioVebqRZW0PY3a1T9q0mvtliPHfJCwb8LId8 +y0heN5llCA0qo23KuJtt78YZcfc7OWqoI1yPlGqIjG6+VTZbprccB5WujQN4SAPN +AceTTwfOJPttChhCfXwz1/WdfCqHUPhZ -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIDdTCCAl2gAwIBAgIJAJYwDleGKNA2MA0GCSqGSIb3DQEBCwUAMF8xETAPBgNV +MIIDdTCCAl2gAwIBAgIJANYhjZS5tiuFMA0GCSqGSIb3DQEBCwUAMF8xETAPBgNV BAoTCEFjdGl2ZU1RMRAwDgYDVQQLEwdBcnRlbWlzMTgwNgYDVQQDEy9BY3RpdmVN -USBBcnRlbWlzIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAgFw0yNDAz -MjIxMTUxMTlaGA8zMDIzMDcyNDExNTExOVowXzERMA8GA1UEChMIQWN0aXZlTVEx +USBBcnRlbWlzIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAgFw0yNjA0 +MDcwMjExNDVaGA8zMDI1MDgwODAyMTE0NVowXzERMA8GA1UEChMIQWN0aXZlTVEx EDAOBgNVBAsTB0FydGVtaXMxODA2BgNVBAMTL0FjdGl2ZU1RIEFydGVtaXMgU2Vy dmVyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOC -AQ8AMIIBCgKCAQEA6c3CBzuy7/p9EH1OFx2O+bpBsaZLk3dWi9VaGgRhRMqPV/rR -5hOfZ1oECDkP2RhX/rEgaATS3simYXEApuLcEvoFUFZQzomb2dtSZUJnkhaQzYaL -zHaXZxggc9L8bhDqa4eKAatEEkvvT/u+DDq7l/88ATUwDdzwTg7YbcYbAe10rPEQ -vf0pQzuIFHWqMdYkQAjgBPF+gUgWL/DXRmqowtrwy8m5MbiRdRVuQV85nzF8RiV9 -cU0VNW4YMIcRFOsvKGb1muF8BDeXhrbiYLWddESrPtlQAaEqMv3VeU87AApNtwfC -wKHgtwoUa1pjr0hizocKHAJbtvoEyzI+v/tZywIDAQABozIwMDAdBgNVHQ4EFgQU -fI39SB/hKrHFXIQqijOWKIOk6FgwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B -AQsFAAOCAQEAgnOTubyCsTUdA0lrInKKBHaXCZLhPhDqbQz6N21Oakh7oG7i8VDi -uzjMsbtKDUCgl65CBQ/YQNrvFRco9I+7/z3fgLmgPnmHX4lqkuKgmmEExNIiQgZs -nRg6eiuWS+5TD6d4FNoUwEcf5N1m5coiDBRh/8Qp53FyZb5gW9xjPoAP0/NmCQO8 -rXglv6sSPe53Aba1M/uxu8ZHGz4JvBEcSHQeMgBHyp8UsbY/u/k0Zxa3u2grOTia -zostUkgSZDfl356UFcpkzsJklAYUzEAzzAd4FksSo+zLKglPk0O1rdqyQAEgasSe -SZp2cdAB9sxCFwbWXoR4OL85AToghSNvRw== 
+AQ8AMIIBCgKCAQEAplA+qrw8BxO/4oDumvuHZjxbSpUzoypsMI73KPVaZhJjQvJK +8rdQA7lhx8CPz1V/aJmobmWxY4KxkwgiZfXaeuh6wp1/uI4JM5eryAztjpkwQ1bm +Hn3eOOJIIGsVuY9jh0GcJfApgM94+IUkz9uBmLSi1HWUUnL1veKKXPVbKMNlBSVp +myKYn+Yqaa3wzv/QeVANhTDlr/1W3TOZgF1qQvthXImeSC42Yv97BmusbmW0Y5lY +j5ANQf6WnCMRy8wZJrlv4WWQzgtQyr9YG3Wcwey1FKCyeEuyfae7taw3ROXvn/wE +WaMB7Kbwf+COu2Vb1mPAQE/UOW5m6WAkDMNevwIDAQABozIwMDAdBgNVHQ4EFgQU +PbuffkjCWYOlGla0+FG1I05a2X0wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B +AQsFAAOCAQEAQqrhvmXk4UlRxFeF1+2TbRtccZxYVlsBdrlgmscJxdGoG534ZKf/ +at/OTXvL/G52z27HfSfOtetp0WOwjhvJEJ4/oVcyn8J/oqwrRJjIeUJz3uIq/2nd +JX2lfnltZLzZ+lUcBMRJR5sJoBmVzRmilnIPpUKV4bu5oCADHc0njax4EH6pjtvT +GXtBsjTyvPOqBpu0AOLltyynmzPZkqeU4ZH6U3HeIwZl8nGovn/p05rPYjbU70RA +NOuIBePTWbQB7vebzRjrr1v4POTM3DXfIWkU13ZIHB24RRwo9zY3IpoqmxpQgTaG +DOmX4nJEqWyqHHENos0fhICaa3dEtvkvnQ== -----END CERTIFICATE----- diff --git a/tests/security-resources/client-ca-cert.pem b/tests/security-resources/client-ca-cert.pem index 4815798aa91..374aafbc78c 100644 --- a/tests/security-resources/client-ca-cert.pem +++ b/tests/security-resources/client-ca-cert.pem 
@@ -1,21 +1,21 @@ -----BEGIN CERTIFICATE----- -MIIDdTCCAl2gAwIBAgIJAJkUaBwB0GpUMA0GCSqGSIb3DQEBCwUAMF8xETAPBgNV -BAoTCEFjdGl2ZU1RMRAwDgYDVQQLEwdBcnRlbWlzMTgwNgYDVQQDEy9BY3RpdmVN -USBBcnRlbWlzIENsaWVudCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAgFw0yNDAz -MjIxMTUxMjlaGA8zMDIzMDcyNDExNTEyOVowXzERMA8GA1UEChMIQWN0aXZlTVEx -EDAOBgNVBAsTB0FydGVtaXMxODA2BgNVBAMTL0FjdGl2ZU1RIEFydGVtaXMgQ2xp -ZW50IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOC -AQ8AMIIBCgKCAQEAl8cFCGopD43ChXIcmEBNREmaFGwY3nlRkvmyhX7X0p+7sMVF -b1oxEkLl0Bv9vluc7faQPC51ikPFE7cFdWvsTAxkDsMC/3lnAveVcaJi+9x+ndNl -sTL3WIZXQ/JBq9WgZb4Xrl1Bwq+xAf58o/pgc8sY6mgXIJgte5HVLZB1N+pqG1Ce -O4siVvVeew74Md5gh3gzwIkq6svEoRR6mvx+ima4y942bqdO/rXzBKkVKPM3Wozg -Oj+5y7oM9oeg8B0x8vH/nO2HZAM5lBhK5o0ZDpDrOa6Q445gZqjcn13fEaNAhTo+ -Ak5x7ZMZkuipZPjIEg/9FwcC0qM2nJhy8lBLSwIDAQABozIwMDAdBgNVHQ4EFgQU -mQHkKAJROOr1cSjoSuMcvR0s0OswDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B -AQsFAAOCAQEAdraRmTJvQ4lE+3pg4oz8IZbPhoXQRi/9xMOuDMgaBngxcIy/orT0 -0+rMQDw/UpPvGYzHzxG7F9Euw2HvxF/fGTLrHXLDlPlGmORwWvGR3nRPxCG8wi2b -Zc7d9WUZ5zfIZ346ht/1QuyHHCLU9gaJP1irJA1fJ3ZJdnIDcjG17keM51vF8Jtl -J08WzHQ6BKJy4auR041BxF+wHZBSVF5n5D2DLC+VcBL7MgVXaddyWGkr3UU8U67T -V/o6VEnGTKwZ/a/RAHB8Aex2/GFfEivsaBYe8gbhbzFjCWkoKg0jkjqKDw9Dwk3n -7Lo5GrWoHASyFYB/FM6rjDBW0bT97MVJog== +MIIDdDCCAlygAwIBAgIIVRe7mOWvH7MwDQYJKoZIhvcNAQELBQAwXzERMA8GA1UE +ChMIQWN0aXZlTVExEDAOBgNVBAsTB0FydGVtaXMxODA2BgNVBAMTL0FjdGl2ZU1R +IEFydGVtaXMgQ2xpZW50IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MCAXDTI2MDQw +NzAyMTE1MloYDzMwMjUwODA4MDIxMTUyWjBfMREwDwYDVQQKEwhBY3RpdmVNUTEQ +MA4GA1UECxMHQXJ0ZW1pczE4MDYGA1UEAxMvQWN0aXZlTVEgQXJ0ZW1pcyBDbGll +bnQgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQCwoFdWwb9B8tLq7rzoQVecEYLTqBCzoOxw3ToDZz8cJVRg4o4V +4VXXGVyxPslma6SD4PldlyZZT6FYbdta/BUL5gZWXgvML6ZXsV3A7UJFLVO6BJ/8 +lePuCfDzppsb4ru9/8qs2zs0rPmfDmP0dkY8D8lbbXDxJ+ZCxaEn3nfqH/fMwAme ++giZdcOIdidLpWpb6+rFe7L8TuJtG4eHx48L2OdZNNegvAKYcIs/bqRERpbxbsAn +NmnxWKctsnOpsLtqcBtj80qUocxjKkHS5LQPz5mG9ONCUDDaV4jRtqvvYmIJjUnK 
+eDWfTNIvcAPL51O/Vn8soPn+YEw22TU+Ymk3AgMBAAGjMjAwMB0GA1UdDgQWBBSH +/6+PDDI+NTWJy7Tv65tV9wgo4DAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEB +CwUAA4IBAQAhU2bnmHwwrYZRxZOrJ5IuufWs3QqUEGtUomuLYRPrB4/4h6DfMcww +SVUarL8SEuL144kLZMPey0SMtj2mh7qRJJus1y8Vogj/rf3QQ9mWnqo3Cddl8heu +c3mtBgJVN0NJNrFC91blYfJjQ397HbBBBKRH6yL1yMOm2uSSkDqjxc0y6xu8qLFm +WBzC/KSC5ytupsBx3lxMdBK7buYWioVebqRZW0PY3a1T9q0mvtliPHfJCwb8LId8 +y0heN5llCA0qo23KuJtt78YZcfc7OWqoI1yPlGqIjG6+VTZbprccB5WujQN4SAPN +AceTTwfOJPttChhCfXwz1/WdfCqHUPhZ -----END CERTIFICATE----- diff --git a/tests/security-resources/client-ca-keystore.p12 b/tests/security-resources/client-ca-keystore.p12 index e9588060ed2..86be4a210f1 100644 Binary files a/tests/security-resources/client-ca-keystore.p12 and b/tests/security-resources/client-ca-keystore.p12 differ diff --git a/tests/security-resources/client-ca-truststore.jceks b/tests/security-resources/client-ca-truststore.jceks index f6fda07a317..8bd0449d6b5 100644 Binary files a/tests/security-resources/client-ca-truststore.jceks and b/tests/security-resources/client-ca-truststore.jceks differ diff --git a/tests/security-resources/client-ca-truststore.jks b/tests/security-resources/client-ca-truststore.jks index feb1f29e516..a6e6df74ca7 100644 Binary files a/tests/security-resources/client-ca-truststore.jks and b/tests/security-resources/client-ca-truststore.jks differ diff --git a/tests/security-resources/client-ca-truststore.p12 b/tests/security-resources/client-ca-truststore.p12 index 30bd31c1738..2e57a6382d7 100644 Binary files a/tests/security-resources/client-ca-truststore.p12 and b/tests/security-resources/client-ca-truststore.p12 differ diff --git a/tests/security-resources/client-ca.pem b/tests/security-resources/client-ca.pem index 0d23aba857e..13963f8d325 100644 --- a/tests/security-resources/client-ca.pem +++ b/tests/security-resources/client-ca.pem 
@@ -1,32 +1,32 @@ Bag Attributes friendlyName: client-ca - localKeyID: 54 69 6D 65 20 31 37 31 31 31 30 38 32 38 39 34 37 36 + localKeyID: 54 69 6D 65 20 31 37 37 35 35 32 37 39 31 32 33 35 37 Key Attributes: -----BEGIN PRIVATE KEY----- -MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCXxwUIaikPjcKF -chyYQE1ESZoUbBjeeVGS+bKFftfSn7uwxUVvWjESQuXQG/2+W5zt9pA8LnWKQ8UT -twV1a+xMDGQOwwL/eWcC95VxomL73H6d02WxMvdYhldD8kGr1aBlvheuXUHCr7EB -/nyj+mBzyxjqaBcgmC17kdUtkHU36mobUJ47iyJW9V57Dvgx3mCHeDPAiSrqy8Sh -FHqa/H6KZrjL3jZup07+tfMEqRUo8zdajOA6P7nLugz2h6DwHTHy8f+c7YdkAzmU -GErmjRkOkOs5rpDjjmBmqNyfXd8Ro0CFOj4CTnHtkxmS6Klk+MgSD/0XBwLSozac -mHLyUEtLAgMBAAECggEAIPYLLUMkzKhsFJ/t/tCEFy7mw8Wf9vygzwrkDqK3yxl+ -YMrOo/qRypX1o6bYibUKlRElTLSIOTEzhO8Lw+7en7tXJW+LYKDkUpwi+80Ysvq1 -EqBcpslbNwHhxLNBOMiJb18DdI3zII0YI0c5mUDgHnV+YTWexCjYQ8wtYBpNookz -utW+pLPJ9T2eQQ5rhZ7GL5UmLhg/ymrQ+uu16iGVNpMCPj9Dzfo434SYv5JaJ81w -vEmyivrVlP8gxym5eeK3sOcDfcoz6WEgW2Yn8yasVULrlPnrGgUh+ptnQb2kqyVS -dqLyBF0FauP38nXCezbfuf+RUcBNb5x+SeKKaQzxMQKBgQC+HKnfCtrOQX2No+JN -/05XqEOjD/XivSocJd2fuH8N4shJQ9NM8CSyEPFB1YQCzOa+OAgYH1C+m4sN2wGR -U0+Y8M+4x42qp+wty7USaZQqn9JBZqLTwPwADq7pKld+uY69mDfKaYX51kyUm5zb -WMm9m7OnM/9UO3Asno+falxq+wKBgQDMYTGP2W9f37HMBp79IoWbDgmW6vitPoTz -5YOXLO3jex/BqhnSh4e7pXFxiLx7ciKRzMad/Ebh8ACO4aHpTqVng9NTHPfd5LaG -BZ/Egu7QYKNvElwvLHp4vRxDfydEZ7Fo+vXLgLKjBwkGVrs+kNTdNZfblmTqDFdL -K6AnlSqv8QKBgDVFWuRA6mb5OvFBhtxMOeueHrXGdyP91ZrlkWB8Fj4R2gWNl9vr -Pp0W2kOUTNVsDQwoLzxzKfD/LMvJHntWWOuGLu6cHDpBq5B5kFeEdhwrhIMG+4FS -hkqN0r1LPBEqdbDywk9Zmk0Tm4nYwO9FxeH3izPDAjzcGual16DX8OWZAoGAJwAd -DxA0+pybNw3EZRWjXTVOiygHkDev80LG26BNPO2P38rv5obKVfp6LWokXYIoKp5j -AF7Vv+Oml51i4jyJv7keKGwMuKEeW3DTThKWM9ldFqLwSGg6brPXouGuwpTu+9N3 -9/91FzsOc9E1JflJRXUmp1aJp0f3mHaYtzT10mECgYBVmuH3T3zcjLcI3VJ6TW+k -E7X40XmpgLLRbB/H5KDyhm4amn6OpXJxcxwv920FBK2C7CVE+FiyfnB0aT/q4I/+ -wNV3m1anzYqAmUFJ7A7ha1eOLxg7jKgfvcN6qfvrSJX43ClWd4bkwdjBfzz6WWAv -dIbe6F+cINGho+JRwdc7Pw== +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCwoFdWwb9B8tLq 
+7rzoQVecEYLTqBCzoOxw3ToDZz8cJVRg4o4V4VXXGVyxPslma6SD4PldlyZZT6FY +bdta/BUL5gZWXgvML6ZXsV3A7UJFLVO6BJ/8lePuCfDzppsb4ru9/8qs2zs0rPmf +DmP0dkY8D8lbbXDxJ+ZCxaEn3nfqH/fMwAme+giZdcOIdidLpWpb6+rFe7L8TuJt +G4eHx48L2OdZNNegvAKYcIs/bqRERpbxbsAnNmnxWKctsnOpsLtqcBtj80qUocxj +KkHS5LQPz5mG9ONCUDDaV4jRtqvvYmIJjUnKeDWfTNIvcAPL51O/Vn8soPn+YEw2 +2TU+Ymk3AgMBAAECggEAEUTD9UQBFooOrBCGYLDOx4AAyf/TDjTsGQbQHrgP+AkA +TG6qFKKQ2XRt1xh76WsZzRkIWGmoQrAh5rrq6OTfi+fD89rDDYYVHdrF/1BTG99Y +IcZE/BWNkN7g83l1Dc9nqqZhIvBWRAqrZy0pgaO0rzed6LX1BmbvwNSAspyyHa4z +hDVQO/kTXIC9vSfL47do0pzIyCBFtfazr6Tvk2N4yLVjWVCrbJ1BSuEGUsFIdf+Y +xPx8k5KSsmyEzY9L/Z/HqapMOc9495nQRGf3/eswIYsFVsF+x9o4r8aQczD13DA3 +WZNRXb4dKTAV2lR2B2z1imNQWKBxId2tbHWbfxislQKBgQC6fFuaahTvlTC/lN1d +E/ZpBk0QzLRZ8PkVFz8UcnYHXvrWTGBhwpPQQ8quh6pSXQeSq8mAg1e/Qi8ugjSZ +GmCQP0E0YQ6d9J1OXiUiUREjRAFRmxDfyP1YAWiZ08vuqsjAGQ/KvKz9QWuN2lX8 +9fj7oAW+AxlXXym1prAQSgr1zQKBgQDydyI7+ablsZUXiGGNhzLPJwLHUTaBDEcN +qol6XJzvSWCNKBPG0lLezZ0LXzn0FP2As/ItCh+9XMo2w5RTTS4JgqRt1DhTPzMk +k10fwFiRWKJ6HI9uZQwbv8XVLAGrn2kgvTk9Frlii5OYqDEV17WcsCbLWkf6vxBC +74cYlK/XEwKBgCoXN3W6y87nlYEoUG5ZuxwpV+uayHokcZPZE1vCGfG/9k24H2jx +SfuP0YdjB4ZfiP4J2Akxm/SHM68DpGuKEJF+NXFlFq+ALqEpjqgYNA4Jo2KP5Vcd +PlFGwB04OKc91OHGxlG0FDd1NJln1lCqE/B3RdSFTorx57AgV0zV6XNhAoGAZVsv +0Gp4PiSR8phsT0FpF/dyzedBJYkAWtIjTidQ4yaFWfya584cHk9NiudvznzHy/lt +Dy7gPcSAM4xmgLwOtqMKIW9JbGNK+cswbol1fKzUnr85pihPe3obNRWETT4CMFFp +kAPj0zINrQ8CFeNqY+mvDerblBIytghzLO9a4kkCgYEArFSgRjzfvT3hMVT9Rbh6 +P82dlv87Ozu9ZEdxDDMjcgtJ588kgE6qX/TEQNhie87mXfXH064zUa9pKjYpmOs+ +8c0nKHg93PLsOpyQadgxqEnOn4bPZQVuK/lLSkW+5q3SD3c9bAm03n8oHMeB4Mo0 +TboqEeTkVvI1muHMgpLyJZ4= -----END PRIVATE KEY----- diff --git a/tests/security-resources/client-key-cert.pem b/tests/security-resources/client-key-cert.pem index bb31733511a..15604592d7a 100644 --- a/tests/security-resources/client-key-cert.pem +++ b/tests/security-resources/client-key-cert.pem 
@@ -1,112 +1,112 @@ Bag Attributes friendlyName: client - localKeyID: 54 69 6D 65 20 31 37 31 31 31 30 38 32 39 32 37 38 34 + localKeyID: 54 69 6D 65 20 31 37 37 35 35 32 37 39 31 34 31 35 37 Key Attributes: -----BEGIN PRIVATE KEY----- -MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDABinqOLO9G+8C -jHY0gWiyNcLZEerM1SCvfj4edwyeWOZPfvas6oZde4mfo6y8pZgI4eTDrfIQ+FWI -qxC8l8I8gXfQesNB3YZCY5Y6a18pIzhgKyfGWisw45VR0j0eq50cN6HawA7GLmQi -bA4kAZjRTkbRADUXZ4ILFUa48zWw19t8UCUuWxqc7nKaijNPghKTdPrOwWgdgbwz -GpO93MM//GGmS5DmOKdBOoS1d1rpK8Zk5h56kjfvLm5/cXv2OoBEuZnWQNF1IZpV -qo1e57M/vQWH17/Lhlx5t6+PjzXVlYZcQAmpyqCjFX9CFbBYupArHtpm30X+4YpF -AuqhSMvRAgMBAAECggEAHy+BFCh0TGSievv74IgZzEN96woFY5HDdqzegs0b0AWp -FcUNY8TM4JbFIZeP4K1WFS82m27/DrF+Fq2NkMtmwLPYFRQy7NoAyXxp8//nGwO8 -zqWDlqujMxPq9rhZs8b0Q5ZnY2Loo1f6bDq3SzK1MlzvlFbfyHbHgGxKqZPaJueH -KmdbR2U1Wa7qdNNCC93X9Qq1v3/hIiiBQ0in3plMtikgfC+5hP2DZMR3aJSNTG/n -kWxK4piBIfF3OCHvFusQCAGlRBgonfXLL+6FUlQfzF/xFxeKaBxtCkS+I2a8QPuX -VvLWm5dnGSPrRrqMnPMgZkoE/zFfYozCgEjH2n1Q9wKBgQD3gMuS0BZM68wt6EUJ -okewU5H+5Ls9I6eGxI/4Ab+ygnOpLhZUqGpfK9RM/984FXIAjZ7p6aNnoFGJER6a -7MCzDQkt61DIT7X7NFtkkUF9WAbn3xhB+tqwabD8XETP0ZgQd5kgjTd8myCJLr82 -i5tKuYFpOE8uAtBPHV6VB7FqIwKBgQDGnckm/jRVdRfTiWyfo0wRAPxsoUNUW2GB -JCyDJbX4VAt6IXJMiy5ZWKosSI3txKDFOD+DY1UdSduOsjtHSWEBRuXfAH2Bg0Mp -hXIZ6BV/Sdzge0MX495JUs/7wB6Ye+TrYyys/qdN0iCndQ3gvq9fMZoXi830RNiM -/dUVvy5PewKBgFvIADX2Qn7N5k6T1p4m9qy1oOtECQc4JJS+aaEPjPX2mEuBkrhc -J+4ZA8Z2EGHs2fTIj8iwYm84LWRF2/KZnzAGwoOrwq41mQeJt+aIUx/XN+Beg9Fb -5CMNXpuG3+GtGNXqc/d1RsFHiX41vqTMio7gUdQiFIK8emEMRBnB25G/AoGBAIVB -Y64Xq4ESeJPihdBtPSHDaZhwcb3tOXPtkzfCW15q9PBR9F/KmaQ0Sqg/XYoC/GKV -pHdAc+CcpwQMLJ1dbAnxSVTe/VWhfbQj5jPfdFzcb6bkzFUA+yhyuTwM3/oqVaJf -/Z9rk1AxBNuVO2RoSz0xCFN35wxWDHw76XUXubh1AoGASevvtnKnrzoGfJtaJ903 -YMzFLfdyfDjfES4I06eDjHOLiBVg/tlgcuOpWpXlxlrIsXtR/Q5MM3XnKkASdKIs -MH9jJzyV8dPLOC1U41QO2Be5L+fNn3zTqcz1Lv4mRTwgt/g5YE+dmDDfrRZaGq0M -Fn8JKRZVK59xV5FFH3wqfag= +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCRU3SLQDwxlfPg 
+Gv8hmmumaQ03LBakkolMJMjh/Eebff1SXlfJTLI4hpF6V/YWfJ+NpvXNiztXQYYN +vwszSGPR5xiv6EA3x1GaSr8ir/zC+pTl+Xl6cB6jfV9EcSt7igb0RFUA7hjzDAOa +5/wDBgyDtep15lSwd5AYdUvgeXsrikfYRMsYFMusPTQkkZhTrGNGnyhGRqhKscbY +1+NwC4eidfdPFgKRZwjGm1yAjAZreh4vxURXtGO0P9NxTIXvJGKY7S3OECQt47sj +HTHyNYQoEeZsH+dT4R+4nMSB8DA+YE7hHeKnn5L4aLm9/ThOAhJHJy0D0F8CgOZr +mcmx22efAgMBAAECggEAFqBTZ+QzZaupfGiXn8gRdKesgBI5ivFUYRTlFeeXz994 +08c5NxqIMQF6oFLA+iqjE4SS2/1j2tJVKHS92K6E+XGtR/i1buR15xDg22oNGjUL +fmwuJrWoKjTjN/PAHQxAyEKPUtq/QFrMK4/COUegJoLp+JCeT5n98bY+1GSgRwc/ +gjna7Ns4Dc3cyQGQtUF4DLIt5b4zFWoOkkN4UPT9uZJLBDS6OFVw5FLMqXhe/Vg3 +PFYmHpyJsFZVyZiIQLzuaggBJ8L3zCYpFbOQgrpQ2oGCYxSPFLbbCmnZnq692w9w +zRDOfK7oYvlyiFD5+7PbCuOdhaMGBhj9XFC6fRYU6QKBgQDCHjzMDqEpEvJEM05e +SBfkGqSrcQpoCZKcoTyagI1niL//3wLrBXByUAruS8nLm5OLpsrdJeIXO5e2TiKY +g9FPgqc77Dl91nNSCOI07F9mbS2GgkL4ID1TmtwHeiuUyldT630zLIAFuv+51t8K +q+IpbGU9b6PzEhfdsly7TGmKgwKBgQC/p1j2jB68dOYl9DslmigSMprGXMn1SAar +hr6jNBYyqz5PhWxjzJFOWtcXA9WUHG8KyAAezVTySaw3iGGv+C2SLjkE8oUDRtbv +Ziq9+aF5IB3/m2k4QzAxejvXTUn5rymXVcMNSxFf6lPtyT2mK0PpDaNor3+d8mRZ +ADRp7xxTtQKBgCeT5q1sJiursz14gHf0lvpo/D4ANDD2ErBgp2yQ3UPIu+y9WWj1 +mPGVpETlquUaeUC15xKj0K8P9WS0FZWm+pwNdW9gQHCJssV9DjHgJ6tIg0mzcVgJ +qrdLEaVsoUoa3yc7EjHG1utULyOCzcLtPJVZhmK6SmEaxUbsQL/nWnVlAoGAMOmu +5M2CEqrrCgi5B7G+RFax9ao8yOLnAOPUx6ZFfA0ETBtLPHU7KHo6pt8NpU1UcbX1 +geb5pRR0ZX/jHpwCVWqCluamV92+gT7b7bxGH7m4rkGlqvxK0nXVy+8n0BeKT9tN +epkMCCSv4uIXX89u943JhLA1q8PvJF/PALJL0nkCgYBdV5aPQzFxHFkihkTm6DdM +13m154WqrvP4zf5/6RQ99799j1ipedACfZTYC6mIoHD4JtzTfLwFg9QNn+JBu6SW +EfZPEM6TkBRrUZLX8/KMzgpO1+lAKgokUHh0do3YnlLrTOHY18innwizA3KEO631 +oFFtb31lE+A+eFESJrqsFA== -----END PRIVATE KEY----- Bag Attributes friendlyName: client - localKeyID: 54 69 6D 65 20 31 37 31 31 31 30 38 32 39 32 37 38 34 -subject=C = AMQ, ST = AMQ, L = AMQ, O = ActiveMQ, OU = Artemis, CN = ActiveMQ Artemis Client -issuer=O = ActiveMQ, OU = Artemis, CN = ActiveMQ Artemis Client Certification Authority + localKeyID: 54 69 6D 65 20 31 37 37 35 35 32 37 39 31 34 31 35 37 
+subject=C=AMQ, ST=AMQ, L=AMQ, O=ActiveMQ, OU=Artemis, CN=ActiveMQ Artemis Client +issuer=O=ActiveMQ, OU=Artemis, CN=ActiveMQ Artemis Client Certification Authority -----BEGIN CERTIFICATE----- -MIID7jCCAtagAwIBAgIJANaUYBHdNtAQMA0GCSqGSIb3DQEBCwUAMF8xETAPBgNV -BAoTCEFjdGl2ZU1RMRAwDgYDVQQLEwdBcnRlbWlzMTgwNgYDVQQDEy9BY3RpdmVN -USBBcnRlbWlzIENsaWVudCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAgFw0yNDAz -MjIxMTUxMzFaGA8yMTI0MDIyNzExNTEzMVowcTEMMAoGA1UEBhMDQU1RMQwwCgYD -VQQIEwNBTVExDDAKBgNVBAcTA0FNUTERMA8GA1UEChMIQWN0aXZlTVExEDAOBgNV -BAsTB0FydGVtaXMxIDAeBgNVBAMTF0FjdGl2ZU1RIEFydGVtaXMgQ2xpZW50MIIB -IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwAYp6jizvRvvAox2NIFosjXC -2RHqzNUgr34+HncMnljmT372rOqGXXuJn6OsvKWYCOHkw63yEPhViKsQvJfCPIF3 -0HrDQd2GQmOWOmtfKSM4YCsnxlorMOOVUdI9HqudHDeh2sAOxi5kImwOJAGY0U5G -0QA1F2eCCxVGuPM1sNfbfFAlLlsanO5ymoozT4ISk3T6zsFoHYG8MxqTvdzDP/xh -pkuQ5jinQTqEtXda6SvGZOYeepI37y5uf3F79jqARLmZ1kDRdSGaVaqNXuezP70F -h9e/y4Zcebevj4811ZWGXEAJqcqgoxV/QhWwWLqQKx7aZt9F/uGKRQLqoUjL0QID -AQABo4GYMIGVMB0GA1UdDgQWBBQhXlzDqOhheZmJ5hs2zgDKLmGXZDAzBgNVHREE -LDAqghdjbGllbnQuYXJ0ZW1pcy5hY3RpdmVtcYIJbG9jYWxob3N0hwR/AAABMAkG -A1UdEwQCMAAwHwYDVR0jBBgwFoAUmQHkKAJROOr1cSjoSuMcvR0s0OswEwYDVR0l -BAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBAIqZxEeS2TSLoCdaPu3D -i4KaYBKJaUgKNZw/EOeB/kK+yxFEfRxbuQwtrkNt1mg3uEoDvL1GDa/6hZocWsx5 -eWZNQmDmCnsSPzFI/C08XJh4xKe4y05o7jejDnMFWzM6vzRZrGlylEUHXhRdXAKA -TmeZRuysvIwUiZsZksxHGl1dZmFasD7LjzxybSlrkuJLj+vKDHKG9khp7OSXeRA3 -0lQplc20h6SLjbowTjlB/TvebEIaaAgQ4p5nXmKrgt5Aq0aBefqGOmzMbTFxk1nW -Q/hIaO/sLVcmMrAbP802ECg/x6d9P9MPQUZeH6sUwElFr5NN8MDFyVDO46YyC1bg -BLU= +MIID7TCCAtWgAwIBAgIIRtkPjASbSF8wDQYJKoZIhvcNAQELBQAwXzERMA8GA1UE +ChMIQWN0aXZlTVExEDAOBgNVBAsTB0FydGVtaXMxODA2BgNVBAMTL0FjdGl2ZU1R +IEFydGVtaXMgQ2xpZW50IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MCAXDTI2MDQw +NzAyMTE1M1oYDzIxMjYwMzE0MDIxMTUzWjBxMQwwCgYDVQQGEwNBTVExDDAKBgNV +BAgTA0FNUTEMMAoGA1UEBxMDQU1RMREwDwYDVQQKEwhBY3RpdmVNUTEQMA4GA1UE +CxMHQXJ0ZW1pczEgMB4GA1UEAxMXQWN0aXZlTVEgQXJ0ZW1pcyBDbGllbnQwggEi 
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCRU3SLQDwxlfPgGv8hmmumaQ03 +LBakkolMJMjh/Eebff1SXlfJTLI4hpF6V/YWfJ+NpvXNiztXQYYNvwszSGPR5xiv +6EA3x1GaSr8ir/zC+pTl+Xl6cB6jfV9EcSt7igb0RFUA7hjzDAOa5/wDBgyDtep1 +5lSwd5AYdUvgeXsrikfYRMsYFMusPTQkkZhTrGNGnyhGRqhKscbY1+NwC4eidfdP +FgKRZwjGm1yAjAZreh4vxURXtGO0P9NxTIXvJGKY7S3OECQt47sjHTHyNYQoEeZs +H+dT4R+4nMSB8DA+YE7hHeKnn5L4aLm9/ThOAhJHJy0D0F8CgOZrmcmx22efAgMB +AAGjgZgwgZUwHQYDVR0OBBYEFEwO7kFtHc2KcjGluOeLGP41MdJSMDMGA1UdEQQs +MCqCF2NsaWVudC5hcnRlbWlzLmFjdGl2ZW1xgglsb2NhbGhvc3SHBH8AAAEwCQYD +VR0TBAIwADAfBgNVHSMEGDAWgBSH/6+PDDI+NTWJy7Tv65tV9wgo4DATBgNVHSUE +DDAKBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAFeYX91Fj+aIHDYVGffFf +sxdiFbWf2aBtODk5SP9o0Qw8Vqh2gfbY5ZiLez/WmGHEjrv2Anp/E19WuXRQ7MSU +5WD5LQiOkUHtnKUBZP4LDLphOV/q6198A6CVLBeVXupQ1ZT6+Bri3rv0tmfIJ20/ +nkcDYuBW4GrLt/d2od0dNgEeinDHbLk7kB8ZmlKy4QcSZwtYWSNE3yMnUFF0aKIm +Eus3TFTHThsoUf8Gja228Sbax8KwWaCk6V/R89P3hP3Xjfo+h081iEqJhIEYbf62 +bsakU11lTmf/99a8432j+4UV9cr13dbD3v756P/9L6nPg8kc1SLnizHXYwzy5ZRG +Og== -----END CERTIFICATE----- Bag Attributes friendlyName: CN=ActiveMQ Artemis Client Certification Authority,OU=Artemis,O=ActiveMQ -subject=O = ActiveMQ, OU = Artemis, CN = ActiveMQ Artemis Client Certification Authority -issuer=O = ActiveMQ, OU = Artemis, CN = ActiveMQ Artemis Client Certification Authority +subject=O=ActiveMQ, OU=Artemis, CN=ActiveMQ Artemis Client Certification Authority +issuer=O=ActiveMQ, OU=Artemis, CN=ActiveMQ Artemis Client Certification Authority -----BEGIN CERTIFICATE----- -MIIDdTCCAl2gAwIBAgIJAJkUaBwB0GpUMA0GCSqGSIb3DQEBCwUAMF8xETAPBgNV -BAoTCEFjdGl2ZU1RMRAwDgYDVQQLEwdBcnRlbWlzMTgwNgYDVQQDEy9BY3RpdmVN -USBBcnRlbWlzIENsaWVudCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAgFw0yNDAz -MjIxMTUxMjlaGA8zMDIzMDcyNDExNTEyOVowXzERMA8GA1UEChMIQWN0aXZlTVEx -EDAOBgNVBAsTB0FydGVtaXMxODA2BgNVBAMTL0FjdGl2ZU1RIEFydGVtaXMgQ2xp -ZW50IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOC -AQ8AMIIBCgKCAQEAl8cFCGopD43ChXIcmEBNREmaFGwY3nlRkvmyhX7X0p+7sMVF 
-b1oxEkLl0Bv9vluc7faQPC51ikPFE7cFdWvsTAxkDsMC/3lnAveVcaJi+9x+ndNl -sTL3WIZXQ/JBq9WgZb4Xrl1Bwq+xAf58o/pgc8sY6mgXIJgte5HVLZB1N+pqG1Ce -O4siVvVeew74Md5gh3gzwIkq6svEoRR6mvx+ima4y942bqdO/rXzBKkVKPM3Wozg -Oj+5y7oM9oeg8B0x8vH/nO2HZAM5lBhK5o0ZDpDrOa6Q445gZqjcn13fEaNAhTo+ -Ak5x7ZMZkuipZPjIEg/9FwcC0qM2nJhy8lBLSwIDAQABozIwMDAdBgNVHQ4EFgQU -mQHkKAJROOr1cSjoSuMcvR0s0OswDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B -AQsFAAOCAQEAdraRmTJvQ4lE+3pg4oz8IZbPhoXQRi/9xMOuDMgaBngxcIy/orT0 -0+rMQDw/UpPvGYzHzxG7F9Euw2HvxF/fGTLrHXLDlPlGmORwWvGR3nRPxCG8wi2b -Zc7d9WUZ5zfIZ346ht/1QuyHHCLU9gaJP1irJA1fJ3ZJdnIDcjG17keM51vF8Jtl -J08WzHQ6BKJy4auR041BxF+wHZBSVF5n5D2DLC+VcBL7MgVXaddyWGkr3UU8U67T -V/o6VEnGTKwZ/a/RAHB8Aex2/GFfEivsaBYe8gbhbzFjCWkoKg0jkjqKDw9Dwk3n -7Lo5GrWoHASyFYB/FM6rjDBW0bT97MVJog== +MIIDdDCCAlygAwIBAgIIVRe7mOWvH7MwDQYJKoZIhvcNAQELBQAwXzERMA8GA1UE +ChMIQWN0aXZlTVExEDAOBgNVBAsTB0FydGVtaXMxODA2BgNVBAMTL0FjdGl2ZU1R +IEFydGVtaXMgQ2xpZW50IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MCAXDTI2MDQw +NzAyMTE1MloYDzMwMjUwODA4MDIxMTUyWjBfMREwDwYDVQQKEwhBY3RpdmVNUTEQ +MA4GA1UECxMHQXJ0ZW1pczE4MDYGA1UEAxMvQWN0aXZlTVEgQXJ0ZW1pcyBDbGll +bnQgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQCwoFdWwb9B8tLq7rzoQVecEYLTqBCzoOxw3ToDZz8cJVRg4o4V +4VXXGVyxPslma6SD4PldlyZZT6FYbdta/BUL5gZWXgvML6ZXsV3A7UJFLVO6BJ/8 +lePuCfDzppsb4ru9/8qs2zs0rPmfDmP0dkY8D8lbbXDxJ+ZCxaEn3nfqH/fMwAme ++giZdcOIdidLpWpb6+rFe7L8TuJtG4eHx48L2OdZNNegvAKYcIs/bqRERpbxbsAn +NmnxWKctsnOpsLtqcBtj80qUocxjKkHS5LQPz5mG9ONCUDDaV4jRtqvvYmIJjUnK +eDWfTNIvcAPL51O/Vn8soPn+YEw22TU+Ymk3AgMBAAGjMjAwMB0GA1UdDgQWBBSH +/6+PDDI+NTWJy7Tv65tV9wgo4DAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEB +CwUAA4IBAQAhU2bnmHwwrYZRxZOrJ5IuufWs3QqUEGtUomuLYRPrB4/4h6DfMcww +SVUarL8SEuL144kLZMPey0SMtj2mh7qRJJus1y8Vogj/rf3QQ9mWnqo3Cddl8heu +c3mtBgJVN0NJNrFC91blYfJjQ397HbBBBKRH6yL1yMOm2uSSkDqjxc0y6xu8qLFm +WBzC/KSC5ytupsBx3lxMdBK7buYWioVebqRZW0PY3a1T9q0mvtliPHfJCwb8LId8 +y0heN5llCA0qo23KuJtt78YZcfc7OWqoI1yPlGqIjG6+VTZbprccB5WujQN4SAPN +AceTTwfOJPttChhCfXwz1/WdfCqHUPhZ -----END 
CERTIFICATE----- Bag Attributes friendlyName: client-ca - 2.16.840.1.113894.746875.1.1: -subject=O = ActiveMQ, OU = Artemis, CN = ActiveMQ Artemis Client Certification Authority -issuer=O = ActiveMQ, OU = Artemis, CN = ActiveMQ Artemis Client Certification Authority + Trusted key usage (Oracle): Any Extended Key Usage (2.5.29.37.0) +subject=O=ActiveMQ, OU=Artemis, CN=ActiveMQ Artemis Client Certification Authority +issuer=O=ActiveMQ, OU=Artemis, CN=ActiveMQ Artemis Client Certification Authority -----BEGIN CERTIFICATE----- -MIIDdTCCAl2gAwIBAgIJAJkUaBwB0GpUMA0GCSqGSIb3DQEBCwUAMF8xETAPBgNV -BAoTCEFjdGl2ZU1RMRAwDgYDVQQLEwdBcnRlbWlzMTgwNgYDVQQDEy9BY3RpdmVN -USBBcnRlbWlzIENsaWVudCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAgFw0yNDAz -MjIxMTUxMjlaGA8zMDIzMDcyNDExNTEyOVowXzERMA8GA1UEChMIQWN0aXZlTVEx -EDAOBgNVBAsTB0FydGVtaXMxODA2BgNVBAMTL0FjdGl2ZU1RIEFydGVtaXMgQ2xp -ZW50IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOC -AQ8AMIIBCgKCAQEAl8cFCGopD43ChXIcmEBNREmaFGwY3nlRkvmyhX7X0p+7sMVF -b1oxEkLl0Bv9vluc7faQPC51ikPFE7cFdWvsTAxkDsMC/3lnAveVcaJi+9x+ndNl -sTL3WIZXQ/JBq9WgZb4Xrl1Bwq+xAf58o/pgc8sY6mgXIJgte5HVLZB1N+pqG1Ce -O4siVvVeew74Md5gh3gzwIkq6svEoRR6mvx+ima4y942bqdO/rXzBKkVKPM3Wozg -Oj+5y7oM9oeg8B0x8vH/nO2HZAM5lBhK5o0ZDpDrOa6Q445gZqjcn13fEaNAhTo+ -Ak5x7ZMZkuipZPjIEg/9FwcC0qM2nJhy8lBLSwIDAQABozIwMDAdBgNVHQ4EFgQU -mQHkKAJROOr1cSjoSuMcvR0s0OswDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B -AQsFAAOCAQEAdraRmTJvQ4lE+3pg4oz8IZbPhoXQRi/9xMOuDMgaBngxcIy/orT0 -0+rMQDw/UpPvGYzHzxG7F9Euw2HvxF/fGTLrHXLDlPlGmORwWvGR3nRPxCG8wi2b -Zc7d9WUZ5zfIZ346ht/1QuyHHCLU9gaJP1irJA1fJ3ZJdnIDcjG17keM51vF8Jtl -J08WzHQ6BKJy4auR041BxF+wHZBSVF5n5D2DLC+VcBL7MgVXaddyWGkr3UU8U67T -V/o6VEnGTKwZ/a/RAHB8Aex2/GFfEivsaBYe8gbhbzFjCWkoKg0jkjqKDw9Dwk3n -7Lo5GrWoHASyFYB/FM6rjDBW0bT97MVJog== +MIIDdDCCAlygAwIBAgIIVRe7mOWvH7MwDQYJKoZIhvcNAQELBQAwXzERMA8GA1UE +ChMIQWN0aXZlTVExEDAOBgNVBAsTB0FydGVtaXMxODA2BgNVBAMTL0FjdGl2ZU1R +IEFydGVtaXMgQ2xpZW50IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MCAXDTI2MDQw 
+NzAyMTE1MloYDzMwMjUwODA4MDIxMTUyWjBfMREwDwYDVQQKEwhBY3RpdmVNUTEQ +MA4GA1UECxMHQXJ0ZW1pczE4MDYGA1UEAxMvQWN0aXZlTVEgQXJ0ZW1pcyBDbGll +bnQgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQCwoFdWwb9B8tLq7rzoQVecEYLTqBCzoOxw3ToDZz8cJVRg4o4V +4VXXGVyxPslma6SD4PldlyZZT6FYbdta/BUL5gZWXgvML6ZXsV3A7UJFLVO6BJ/8 +lePuCfDzppsb4ru9/8qs2zs0rPmfDmP0dkY8D8lbbXDxJ+ZCxaEn3nfqH/fMwAme ++giZdcOIdidLpWpb6+rFe7L8TuJtG4eHx48L2OdZNNegvAKYcIs/bqRERpbxbsAn +NmnxWKctsnOpsLtqcBtj80qUocxjKkHS5LQPz5mG9ONCUDDaV4jRtqvvYmIJjUnK +eDWfTNIvcAPL51O/Vn8soPn+YEw22TU+Ymk3AgMBAAGjMjAwMB0GA1UdDgQWBBSH +/6+PDDI+NTWJy7Tv65tV9wgo4DAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEB +CwUAA4IBAQAhU2bnmHwwrYZRxZOrJ5IuufWs3QqUEGtUomuLYRPrB4/4h6DfMcww +SVUarL8SEuL144kLZMPey0SMtj2mh7qRJJus1y8Vogj/rf3QQ9mWnqo3Cddl8heu +c3mtBgJVN0NJNrFC91blYfJjQ397HbBBBKRH6yL1yMOm2uSSkDqjxc0y6xu8qLFm +WBzC/KSC5ytupsBx3lxMdBK7buYWioVebqRZW0PY3a1T9q0mvtliPHfJCwb8LId8 +y0heN5llCA0qo23KuJtt78YZcfc7OWqoI1yPlGqIjG6+VTZbprccB5WujQN4SAPN +AceTTwfOJPttChhCfXwz1/WdfCqHUPhZ -----END CERTIFICATE----- diff --git a/tests/security-resources/client-keystore.jceks b/tests/security-resources/client-keystore.jceks index 3d9b5ef8668..60743bb46ff 100644 Binary files a/tests/security-resources/client-keystore.jceks and b/tests/security-resources/client-keystore.jceks differ diff --git a/tests/security-resources/client-keystore.jks b/tests/security-resources/client-keystore.jks index 2c23b236d3e..214fd04c7bd 100644 Binary files a/tests/security-resources/client-keystore.jks and b/tests/security-resources/client-keystore.jks differ diff --git a/tests/security-resources/client-keystore.p12 b/tests/security-resources/client-keystore.p12 index df084e2c089..d5357c951b9 100644 Binary files a/tests/security-resources/client-keystore.p12 and b/tests/security-resources/client-keystore.p12 differ diff --git a/tests/security-resources/other-client-crl.pem b/tests/security-resources/other-client-crl.pem index 81c3fc59fa8..3aac4ae591b 100644 
--- a/tests/security-resources/other-client-crl.pem +++ b/tests/security-resources/other-client-crl.pem @@ -1,12 +1,12 @@ -----BEGIN X509 CRL----- -MIIB1zCBwAIBATANBgkqhkiG9w0BAQsFADBfMREwDwYDVQQKEwhBY3RpdmVNUTEQ +MIIB2DCBwQIBATANBgkqhkiG9w0BAQsFADBfMREwDwYDVQQKEwhBY3RpdmVNUTEQ MA4GA1UECxMHQXJ0ZW1pczE4MDYGA1UEAxMvQWN0aXZlTVEgQXJ0ZW1pcyBDbGll -bnQgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkXDTI0MDMyMjExNTEzNloYDzIxMjQw -MjI3MTE1MTM2WjAbMBkCCDX8+5iW7sP9Fw0yNDAzMjIxMTUxMzZaoA4wDDAKBgNV -HRQEAwIBADANBgkqhkiG9w0BAQsFAAOCAQEAFFLNW5vD8vMv56DqlopUnrSlzfqW -iqUgBOL1WnDhyMjHPvU1TXQg0MH5r/vjBoA+S7hljU1CHb1u8N7MEUY4iBqlGJsy -u77wBQwPviQfJEb6hSByBzbHMgw2YgE+OUvhnnldnDiGnEQkT5ZZl1O9hVH3Fp8Y -AmCF9qjvMNieM3V1HyML3iOHnNmQUyikvSWS+vlIl0AzD47tOXgHrkorbD/nHljP -k/0gcVrKK3VHPxNtgVyhtfv+JhRQqekLWvZOKM+Cz5sdnGqOA2AkOfJmhu7kp/Lx -DAbaTLUNHaLX+H8BG1PZ0iHDgnXQQXAzXfkJlEOp6bl3eaOXlMCC6J+tWA== +bnQgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkXDTI2MDQwNzAyMTE1NloYDzIxMjYw +MzE0MDIxMTU2WjAcMBoCCQCuDk4fIOnhnBcNMjYwNDA3MDIxMTU2WqAOMAwwCgYD +VR0UBAMCAQAwDQYJKoZIhvcNAQELBQADggEBAE8x5PKvFGxVE6VzeDSd1xekb1PU +ZOvrdH4NA1eoSWymrynBKjWZnq63Mnm9wdKGTb3jnON/rgsWYe7xM50x0flJqkia +EYIrDQruLE1aTrhM06AKfRa8+tCzeBDc6QkFrJuHy/1QF2hhoUobKXVwlmj8dDER +/0B0aiNsxIy0vTT7ESBA14y3JNGqZNjgJ8pJy/7JTOULxyEUPa1EAO/3ggBu2VMx +QWartgzOR5Wa2Ybs7yM2yOrLJDTCUnFk8GxMclB5YVq+NcmYNaVaGd2hNXWbDkj3 +wLpiKQSjljTzY3zYnrrb70IQrSXQ9h/82to6NXSpFY2ftjFJqWsPSDecT9k= -----END X509 CRL----- diff --git a/tests/security-resources/other-client-keystore.jceks b/tests/security-resources/other-client-keystore.jceks index 93ebf9886aa..7bfeb59ff7e 100644 Binary files a/tests/security-resources/other-client-keystore.jceks and b/tests/security-resources/other-client-keystore.jceks differ diff --git a/tests/security-resources/other-client-keystore.jks b/tests/security-resources/other-client-keystore.jks index e1e55f0cf2f..75449596324 100644 Binary files a/tests/security-resources/other-client-keystore.jks and b/tests/security-resources/other-client-keystore.jks differ 
diff --git a/tests/security-resources/other-client-keystore.p12 b/tests/security-resources/other-client-keystore.p12 index 1f724cf0562..3363469512e 100644 Binary files a/tests/security-resources/other-client-keystore.p12 and b/tests/security-resources/other-client-keystore.p12 differ diff --git a/tests/security-resources/other-server-cert.pem b/tests/security-resources/other-server-cert.pem index 52a926e293f..90e24ad4e27 100644 --- a/tests/security-resources/other-server-cert.pem +++ b/tests/security-resources/other-server-cert.pem 
@@ -1,30 +1,30 @@ Bag Attributes friendlyName: other-server - localKeyID: 54 69 6D 65 20 31 37 31 31 31 30 38 32 38 34 39 35 33 -subject=C = AMQ, ST = AMQ, L = AMQ, O = ActiveMQ, OU = Artemis, CN = ActiveMQ Artemis Other Server -issuer=O = ActiveMQ, OU = Artemis, CN = ActiveMQ Artemis Server Certification Authority + localKeyID: 54 69 6D 65 20 31 37 37 35 35 32 37 39 30 39 36 32 34 +subject=C=AMQ, ST=AMQ, L=AMQ, O=ActiveMQ, OU=Artemis, CN=ActiveMQ Artemis Other Server +issuer=O=ActiveMQ, OU=Artemis, CN=ActiveMQ Artemis Server Certification Authority -----BEGIN CERTIFICATE----- -MIIEJzCCAw+gAwIBAgIJAIYtNmfo1IcvMA0GCSqGSIb3DQEBCwUAMF8xETAPBgNV -BAoTCEFjdGl2ZU1RMRAwDgYDVQQLEwdBcnRlbWlzMTgwNgYDVQQDEy9BY3RpdmVN -USBBcnRlbWlzIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAgFw0yNDAz -MjIxMTUxMjRaGA8yMTI0MDIyNzExNTEyNFowdzEMMAoGA1UEBhMDQU1RMQwwCgYD -VQQIEwNBTVExDDAKBgNVBAcTA0FNUTERMA8GA1UEChMIQWN0aXZlTVExEDAOBgNV -BAsTB0FydGVtaXMxJjAkBgNVBAMTHUFjdGl2ZU1RIEFydGVtaXMgT3RoZXIgU2Vy -dmVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAupddeWP1OET5W9A3 -UrVz0xYW3wGvmkrlsYjpqENqcaXmcsLXrvfxCoavQpWxrd2OtmTuHA59tWYyd8FW -3Mvp7NnOUZ0Xz5nAgjHwhlfIQ2qhrKV8V+jUdcWsh+09elwO7qRbjllKRW2I4zVx -KFzP3r1Ncojrb8V0wPAKjSWdZn8jptfzsondvlxkkU5CuX+6VTh1P099a4iHO9bT -5UNFjJS9FTgN+ln8Iq5tSUJID1PsTY5Ob/LdEx5TVJ/xr1jwBRI2QrLtM3ju6Dtt -y2eA8G17u/gPIpjCUnAf+xGHDePKJQ014nnSxPlfT/z0Fs4twapt7dBtwlLXIXht -6E5UGQIDAQABo4HLMIHIMB0GA1UdDgQWBBRtzYiKCZfZCX5WUq38rGDHBIZuhTBm -BgNVHREEXzBdgh1vdGhlci1zZXJ2ZXIuYXJ0ZW1pcy5hY3RpdmVtcYIJbG9jYWxo -b3N0ghVsb2NhbGhvc3QubG9jYWxkb21haW6CFGFydGVtaXMubG9jYWx0ZXN0Lm1l -hwR/AAABMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUfI39SB/hKrHFXIQqijOWKIOk -6FgwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggEBAMOoB/kr -yA2zQ4buePXySKyUlcN5XzdyWqDXZI9gRXlyFgoHyOvr8xd6ak+EaxZVd6nZ99V+ -ua96UCuy9eiWi8iupdfTeBH2XJrdFUGmd54W/a9ORKIN0ljW5OLW2bmD3Gb/esJr -sbiWmmgUpGW9CLlQiz8xkHLQvV1pl3xONe0AEr7EVw2Pkr6QhS0tmq36IJXTetPb -Tccnj26YPaAVUozEHLzINakp8UonmFNLnNCjgtqAQ63yaw5BDyqTjb5xAMF4oyt8 
-is45SO/2P6TSWc6i6YMA1rCJDM2jCrVIeHk3AZ4gsre/j23ZQc/EGBWTWYbZw6G8 -/nOiLulSd6+ulps= +MIIEJjCCAw6gAwIBAgIIY/KNo0XgDKcwDQYJKoZIhvcNAQELBQAwXzERMA8GA1UE +ChMIQWN0aXZlTVExEDAOBgNVBAsTB0FydGVtaXMxODA2BgNVBAMTL0FjdGl2ZU1R +IEFydGVtaXMgU2VydmVyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MCAXDTI2MDQw +NzAyMTE0OVoYDzIxMjYwMzE0MDIxMTQ5WjB3MQwwCgYDVQQGEwNBTVExDDAKBgNV +BAgTA0FNUTEMMAoGA1UEBxMDQU1RMREwDwYDVQQKEwhBY3RpdmVNUTEQMA4GA1UE +CxMHQXJ0ZW1pczEmMCQGA1UEAxMdQWN0aXZlTVEgQXJ0ZW1pcyBPdGhlciBTZXJ2 +ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDEW0Cc8IRQL+YIIvgv +I7NOuJG8p7SQixKlnZWiQAhKUCL9NELlZfVfNy/YmOpsCk2tcMUf+A1M9WDBNhhW +qBwTmDyg6GRZe87ZP3eeVzmTUVg0cHEAn4yi4A5mfuE2/+6aeGVnCz6YetEEDxWP +oVpMLlbVCWvTNQAFmeBmIRN/eAK+tNnPfeVA/ii73bUTgZum69ip+P8ILEJKM2PK +jjwMM6lCF3RIaK7VuvlIBOdgAT7t46KPIlJZVIsH243oA01Ja1JD/tGRqWHdYSLR +D49k/7LFEqGbSe+0ZcxpP5wBKgS2CLPWs4rBK/PkHbChwXdempFCgeux8lgLquhV +3UQNAgMBAAGjgcswgcgwHQYDVR0OBBYEFMkJfNYVWLEAwGXadUeH2NVJ5FBTMGYG +A1UdEQRfMF2CHW90aGVyLXNlcnZlci5hcnRlbWlzLmFjdGl2ZW1xgglsb2NhbGhv +c3SCFWxvY2FsaG9zdC5sb2NhbGRvbWFpboIUYXJ0ZW1pcy5sb2NhbHRlc3QubWWH +BH8AAAEwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQ9u59+SMJZg6UaVrT4UbUjTlrZ +fTATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEAeoQnXfEt +1V0XTMTxjy+6PXd51aLuHlfR4kCBn//ARRrxa7SqGPFGg9BIS/nCHIYRfytRNyST +PeCpp8jxgO7wxY1k2VUAMziVmCuybSxsdSlbmtSJvo64EwCHddWGgUBXGO6kqMeZ +gBkej2DzFbLWudwlqpu/n1EFj2+bwfSkTKIaq03QA33l8s5GGXVUuNQySw8HdG2j +brHOeWacyN+AYzwIXLSYBUKBOi6j/25hTY9+SX9YxRDOyQtKf+ajbHy8ftYb8TwW +OGoJKaozL9uhaeMhtjdpW6oSXI+oYo7myGOVVC8z2fGqxmbu42/d10V6cRu4B34S +ycBJK9j/ShG0QQ== -----END CERTIFICATE----- diff --git a/tests/security-resources/other-server-crl.pem b/tests/security-resources/other-server-crl.pem index ecdf96481cd..0a503076e82 100644 --- a/tests/security-resources/other-server-crl.pem +++ b/tests/security-resources/other-server-crl.pem 
@@ -1,12 +1,12 @@ -----BEGIN X509 CRL----- -MIIB2DCBwQIBATANBgkqhkiG9w0BAQsFADBfMREwDwYDVQQKEwhBY3RpdmVNUTEQ +MIIB1zCBwAIBATANBgkqhkiG9w0BAQsFADBfMREwDwYDVQQKEwhBY3RpdmVNUTEQ MA4GA1UECxMHQXJ0ZW1pczE4MDYGA1UEAxMvQWN0aXZlTVEgQXJ0ZW1pcyBTZXJ2 -ZXIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkXDTI0MDMyMjExNTEyNloYDzIxMjQw -MjI3MTE1MTI2WjAcMBoCCQCGLTZn6NSHLxcNMjQwMzIyMTE1MTI2WqAOMAwwCgYD -VR0UBAMCAQAwDQYJKoZIhvcNAQELBQADggEBAKjeovsRpImr/CoS4PdD4Rh5/s0U -lm1dgmK/2HuD5m5K6XvJCBnNkvThkVWK8tgG6t2bjFJnFTQbgIazJtVmpE5kxPdy -sRD/3WQ61vuOc/EYzslwBrgMTujtj6J2JwIBe7JgCYH4KPuG6Lb8nVFCDZ2t8K9p -ca7VQdfLhKxh+5bbIuVv077bY+DllcJRAhza32x6xp6Occ+09O0JCWSiazVjVUi8 -Umt5c7HFI+NJwLWACqbYImrWg6A0hD2lptAFaMaRgEpvcyWYhU3foJmBoFuNve1u -mx894jQ1X/I3t1EHWhTg7vtJSwowjxl2woc3BOxxIO2FQ4rHiSCiG3+XoDc= +ZXIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkXDTI2MDQwNzAyMTE1MFoYDzIxMjYw +MzE0MDIxMTUwWjAbMBkCCGPyjaNF4AynFw0yNjA0MDcwMjExNTBaoA4wDDAKBgNV +HRQEAwIBADANBgkqhkiG9w0BAQsFAAOCAQEAlPw8HX5uFu0v/QF5sNsTqtWcfoJd +BcMtzJH3WOJhijt8RNoegZzEDpSPwAalbBoVLopAPFg9v2xX4Nyc2M+k7XQP1ozM ++F34BMwte+Y/bnLABsRG22AiIGk6PXR47DFozBXMZ5iVVKBoM3a4YkvlBXxDsgPb +4iJwP0f3ponNle1YJ7sK4kx4cKfGtL/IDzdYXQMUcf/KzMwA4lwWflNIKaetI5uC +/maaEt16cx09GxplMcssEuXwpoxja594SKdxkn3RyIEsWYzRZSAEXJWQTtFaWpl5 +wuQTxrSckBSv2FgEYM57CoTh/ZJePYZydF033tN2aaeUvesL5bPiZd/9Ug== -----END X509 CRL----- diff --git a/tests/security-resources/other-server-key.pem b/tests/security-resources/other-server-key.pem index 6e3b1f33364..3966004c5cb 100644 --- a/tests/security-resources/other-server-key.pem +++ b/tests/security-resources/other-server-key.pem 
@@ -1,32 +1,32 @@ Bag Attributes friendlyName: other-server - localKeyID: 54 69 6D 65 20 31 37 31 31 31 30 38 32 38 34 39 35 33 + localKeyID: 54 69 6D 65 20 31 37 37 35 35 32 37 39 30 39 36 32 34 Key Attributes: -----BEGIN PRIVATE KEY----- -MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC6l115Y/U4RPlb -0DdStXPTFhbfAa+aSuWxiOmoQ2pxpeZywteu9/EKhq9ClbGt3Y62ZO4cDn21ZjJ3 -wVbcy+ns2c5RnRfPmcCCMfCGV8hDaqGspXxX6NR1xayH7T16XA7upFuOWUpFbYjj -NXEoXM/evU1yiOtvxXTA8AqNJZ1mfyOm1/Oyid2+XGSRTkK5f7pVOHU/T31riIc7 -1tPlQ0WMlL0VOA36Wfwirm1JQkgPU+xNjk5v8t0THlNUn/GvWPAFEjZCsu0zeO7o -O23LZ4DwbXu7+A8imMJScB/7EYcN48olDTXiedLE+V9P/PQWzi3Bqm3t0G3CUtch -eG3oTlQZAgMBAAECggEAOhXbtenNkRY7r/658iflZg1G0mZSdYwiQ+mUn1pZPQbB -nfEUtnWd1kKGNYqnFLJXdmUmEJrcPEeTp18K/NIHwMEu7o4iNvCsknscXp3eDEqa -CMY9Vpp25TDDnE7YqAoXZefJTp9yNPm7tstQrhlyZmr0vJZuAE3uIg+3oSfX/2tF -loA31evQPLWePIyHUapsctKjnAbsVn5lxBN/Ef0rKh6v++aSrgNRdHBZUhofDedo -oWBd1slUxK18aj1q2Dl3DrSxuX7ygiX+3sZl+RBNDH3PXpR93kRN1Go4AYPnMQfd -ExQ8Lc5RViKCfSVBQv8lKttyOZJ/glzCKTe+8bcp1wKBgQDTf5MwZW9oe49pgxFl -foA4GS4MwOWOsf4CI+xKwEPFrTvibZJWk5S6wCqYs8RIl//DY3RqSR5QEw5/5xOq -bmq/YW2UY/Xem18wT495HkoIafm08KrLCs+xD+oui1M+jI3sGi6FBrwYc/n9zTzm -PI+7BnWK07kqg4aIlPuJ91UsowKBgQDh2im5StYoIj8Zm67PD6w4JCXiEfqgVn1f -XJN4CqmxlZqRNBdYPeuT5ECQJbIVRj9RJxKHcCpd1PMbwJfnMJ0wQR5ZhyT0h9HB -f3PzU+ndhwZj52rmIsNJrfwIxEmIe4Zjt9KcLbfHOQOJ/sdgiPiY3Wrkoe8LhV1+ -ig4ANnAsEwKBgFQ/i2hJ37klDxmepj1hyL2P+jIGXOscp+w+Vw/nypdhzGsD7rki -DKrfhZhSc6vfMHiqk2MLQVHwZWQ5rjHDzi3yJ25m6zgDeEWMS8CZejAj1t5myAId -imIjzss/oKdX4ejc/Q7sgdzTxg99w/aKxU5g4k2szSPMRLj/b7ujlIA1AoGAOVEc -daHAZ78JNH6GBpZ7pmPGGXFmoXpRpvnfkv9hwWeuKluF8ScFuiqbF/n5D90cBIRd -93FHzzhT2h8ubcWwnqZoBWB+yHAPk4O88WvCVi4GOSRpxK3d0b0N0Uu/PZvbp0Ln -eCtCEJUviL3X62/XZzQKBKvz9oCKEasHkpY+MXECgYEAgsUxytP8AyQAEd09lBM8 -n+ZuLSOegJc8lH4NJ/1VLtaADpynEdoRwLp2/5u8U0b8B88zxPZOckVy8CypAlDK -GhqmBjCtqL/wF7uRC4yEkYXDa6bK/Rnawpt98zU0SRv3QVdDexMvYL0XMOBVaq+Z -6E16UwNXcn2l3siaZ1486xc= +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDEW0Cc8IRQL+YI 
+IvgvI7NOuJG8p7SQixKlnZWiQAhKUCL9NELlZfVfNy/YmOpsCk2tcMUf+A1M9WDB +NhhWqBwTmDyg6GRZe87ZP3eeVzmTUVg0cHEAn4yi4A5mfuE2/+6aeGVnCz6YetEE +DxWPoVpMLlbVCWvTNQAFmeBmIRN/eAK+tNnPfeVA/ii73bUTgZum69ip+P8ILEJK +M2PKjjwMM6lCF3RIaK7VuvlIBOdgAT7t46KPIlJZVIsH243oA01Ja1JD/tGRqWHd +YSLRD49k/7LFEqGbSe+0ZcxpP5wBKgS2CLPWs4rBK/PkHbChwXdempFCgeux8lgL +quhV3UQNAgMBAAECggEAAY85+aUdX+epe4oPj4xIickEe0uXrwgzuzX/sLyydCij +xoAKQfkn1DxDeIRqZDZGvKhnIGRfcquGO7KayeFm667rWFnQJjfKAkazRAIsVmOw +gCYed6NMwiRmaOD8F+w7cGWhZIqd0iczjsUx5iSha3Z4wRNklFZY7DJ3Kkh796iw +Rgfkd9AWy6TjmM4rE7/LdxyWwP5F1A1eniObdt56dc6l3QbAk+D+yEzkZvx77ERd +QcG8s0WNuIa9WKYVAhhGPmAtWqu2dymSGvhUfr0lK7huCqezumNXyMIwJrdvyOHJ +nWZ8fNFn7a5HmzxEVYRG8pNz6QVA2T9fP/NFHGkenwKBgQDzqOhapYPlO1cYGenn +RZ1gQtLdnelWdhJY7vIEvylKtTNu5jXhXsJ4XpFjuNHhTdU8Tq9N/BEaXv7Oiulj +KkqrFoeQFmPQub0Jy1nMXzZcEDOBLiPkwERLrlsUbpGtaorAXoq/U/vMAgdrz3Zg +W4TqGtI9CN5diU6aqe9c7Na31wKBgQDOTQxvkfi3m5JKFOlJipK6VJQBZouwR7yg +EZ2KF3jyLtz6Va0kbmincSyudPEpmwGzYH+aKi58jKzai32GYZvw0YubZeM8arfU ++fXlCvxpQNQuGt7PgD5c51DZeIu/tRSSNIWiOXyajdtaVSVvXco3wfy3V85ox2TJ +Re8oN3uWuwKBgQCfFNQ++nlWnJuMXL7eBBFv27EYiBTkIkpwTfEtMDGhWRSvfxYG +gnutYvDBjtVYqBxkN2s1GzF/ai4qY39lAyOk+Byh8jxQ9jN5xY5nZHJ1QQ6fdKRy +oST11GwatuXdtwXH+vHTYN2woFKADP9YgegRgFlrB/NGVnM/f1uL7AV0GQKBgQDM +0X4pPvl6AQCqgDxlASlPySzwfwjsySwil5qbQVaYy6Ik/+7Ynq1UoG5F/mB4eCam +GoZVXs+sZFYw3BCR3FLgMoqyi+OhViqRTmGtNs0HCpAd/ht8U8yWnCmO37mPaY60 +4WRTfVOSdohzFNoHyUw9M2Fd/dU1/dC4a7BXc05GhQKBgQDq/nhBSzlFTqHd5b47 +mU48P34mIY6bq0Bf+alC61G+C9cyP4UTUW6VanRYpVz9/P0sUAh0315h81yIMqwD +CiZ+CekpaQHd4xYjyaXaPF1a5IWupx2uhU+hLhoegOpxp4CSYZsAV7WU8CUu4K/l +IRl5HHDCvENhu3EFOr6CNG+vbA== -----END PRIVATE KEY----- diff --git a/tests/security-resources/other-server-keystore.jceks b/tests/security-resources/other-server-keystore.jceks index a3248cc2260..4e1934334df 100644 Binary files a/tests/security-resources/other-server-keystore.jceks and b/tests/security-resources/other-server-keystore.jceks differ 
diff --git a/tests/security-resources/other-server-keystore.jks b/tests/security-resources/other-server-keystore.jks
index 9b7d2e6c788..eee243a0550 100644
Binary files a/tests/security-resources/other-server-keystore.jks and b/tests/security-resources/other-server-keystore.jks differ
diff --git a/tests/security-resources/other-server-keystore.p12 b/tests/security-resources/other-server-keystore.p12
index de223cb32f9..b1b82c29e12 100644
Binary files a/tests/security-resources/other-server-keystore.p12 and b/tests/security-resources/other-server-keystore.p12 differ
diff --git a/tests/security-resources/other-server-truststore.jceks b/tests/security-resources/other-server-truststore.jceks
index 56d89057d14..334249c78d8 100644
Binary files a/tests/security-resources/other-server-truststore.jceks and b/tests/security-resources/other-server-truststore.jceks differ
diff --git a/tests/security-resources/other-server-truststore.jks b/tests/security-resources/other-server-truststore.jks
index 9598d6f62d0..54abca61909 100644
Binary files a/tests/security-resources/other-server-truststore.jks and b/tests/security-resources/other-server-truststore.jks differ
diff --git a/tests/security-resources/other-server-truststore.p12 b/tests/security-resources/other-server-truststore.p12
index 5774c7978de..1a4f58ca2c6 100644
Binary files a/tests/security-resources/other-server-truststore.p12 and b/tests/security-resources/other-server-truststore.p12 differ
diff --git a/tests/security-resources/san-keystore.p12 b/tests/security-resources/san-keystore.p12
index e54bbbd01a9..0be527420cf 100644
Binary files a/tests/security-resources/san-keystore.p12 and b/tests/security-resources/san-keystore.p12 differ
diff --git a/tests/security-resources/server-ca-cert.pem b/tests/security-resources/server-ca-cert.pem
index 54027eb2064..546c2368c9d 100644
--- a/tests/security-resources/server-ca-cert.pem
+++ b/tests/security-resources/server-ca-cert.pem
@@ -1,21 +1,21 @@ -----BEGIN CERTIFICATE----- -MIIDdTCCAl2gAwIBAgIJAJYwDleGKNA2MA0GCSqGSIb3DQEBCwUAMF8xETAPBgNV +MIIDdTCCAl2gAwIBAgIJANYhjZS5tiuFMA0GCSqGSIb3DQEBCwUAMF8xETAPBgNV BAoTCEFjdGl2ZU1RMRAwDgYDVQQLEwdBcnRlbWlzMTgwNgYDVQQDEy9BY3RpdmVN -USBBcnRlbWlzIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAgFw0yNDAz -MjIxMTUxMTlaGA8zMDIzMDcyNDExNTExOVowXzERMA8GA1UEChMIQWN0aXZlTVEx +USBBcnRlbWlzIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAgFw0yNjA0 +MDcwMjExNDVaGA8zMDI1MDgwODAyMTE0NVowXzERMA8GA1UEChMIQWN0aXZlTVEx EDAOBgNVBAsTB0FydGVtaXMxODA2BgNVBAMTL0FjdGl2ZU1RIEFydGVtaXMgU2Vy dmVyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOC -AQ8AMIIBCgKCAQEA6c3CBzuy7/p9EH1OFx2O+bpBsaZLk3dWi9VaGgRhRMqPV/rR -5hOfZ1oECDkP2RhX/rEgaATS3simYXEApuLcEvoFUFZQzomb2dtSZUJnkhaQzYaL -zHaXZxggc9L8bhDqa4eKAatEEkvvT/u+DDq7l/88ATUwDdzwTg7YbcYbAe10rPEQ -vf0pQzuIFHWqMdYkQAjgBPF+gUgWL/DXRmqowtrwy8m5MbiRdRVuQV85nzF8RiV9 -cU0VNW4YMIcRFOsvKGb1muF8BDeXhrbiYLWddESrPtlQAaEqMv3VeU87AApNtwfC -wKHgtwoUa1pjr0hizocKHAJbtvoEyzI+v/tZywIDAQABozIwMDAdBgNVHQ4EFgQU -fI39SB/hKrHFXIQqijOWKIOk6FgwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B -AQsFAAOCAQEAgnOTubyCsTUdA0lrInKKBHaXCZLhPhDqbQz6N21Oakh7oG7i8VDi -uzjMsbtKDUCgl65CBQ/YQNrvFRco9I+7/z3fgLmgPnmHX4lqkuKgmmEExNIiQgZs -nRg6eiuWS+5TD6d4FNoUwEcf5N1m5coiDBRh/8Qp53FyZb5gW9xjPoAP0/NmCQO8 -rXglv6sSPe53Aba1M/uxu8ZHGz4JvBEcSHQeMgBHyp8UsbY/u/k0Zxa3u2grOTia -zostUkgSZDfl356UFcpkzsJklAYUzEAzzAd4FksSo+zLKglPk0O1rdqyQAEgasSe -SZp2cdAB9sxCFwbWXoR4OL85AToghSNvRw== +AQ8AMIIBCgKCAQEAplA+qrw8BxO/4oDumvuHZjxbSpUzoypsMI73KPVaZhJjQvJK +8rdQA7lhx8CPz1V/aJmobmWxY4KxkwgiZfXaeuh6wp1/uI4JM5eryAztjpkwQ1bm +Hn3eOOJIIGsVuY9jh0GcJfApgM94+IUkz9uBmLSi1HWUUnL1veKKXPVbKMNlBSVp +myKYn+Yqaa3wzv/QeVANhTDlr/1W3TOZgF1qQvthXImeSC42Yv97BmusbmW0Y5lY +j5ANQf6WnCMRy8wZJrlv4WWQzgtQyr9YG3Wcwey1FKCyeEuyfae7taw3ROXvn/wE +WaMB7Kbwf+COu2Vb1mPAQE/UOW5m6WAkDMNevwIDAQABozIwMDAdBgNVHQ4EFgQU +PbuffkjCWYOlGla0+FG1I05a2X0wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B +AQsFAAOCAQEAQqrhvmXk4UlRxFeF1+2TbRtccZxYVlsBdrlgmscJxdGoG534ZKf/ 
+at/OTXvL/G52z27HfSfOtetp0WOwjhvJEJ4/oVcyn8J/oqwrRJjIeUJz3uIq/2nd +JX2lfnltZLzZ+lUcBMRJR5sJoBmVzRmilnIPpUKV4bu5oCADHc0njax4EH6pjtvT +GXtBsjTyvPOqBpu0AOLltyynmzPZkqeU4ZH6U3HeIwZl8nGovn/p05rPYjbU70RA +NOuIBePTWbQB7vebzRjrr1v4POTM3DXfIWkU13ZIHB24RRwo9zY3IpoqmxpQgTaG +DOmX4nJEqWyqHHENos0fhICaa3dEtvkvnQ== -----END CERTIFICATE----- diff --git a/tests/security-resources/server-ca-keystore.p12 b/tests/security-resources/server-ca-keystore.p12 index 1b8df3a60e4..1b76554122d 100644 Binary files a/tests/security-resources/server-ca-keystore.p12 and b/tests/security-resources/server-ca-keystore.p12 differ diff --git a/tests/security-resources/server-ca-truststore.jceks b/tests/security-resources/server-ca-truststore.jceks index dde313b4ecd..d5d859a75de 100644 Binary files a/tests/security-resources/server-ca-truststore.jceks and b/tests/security-resources/server-ca-truststore.jceks differ diff --git a/tests/security-resources/server-ca-truststore.jks b/tests/security-resources/server-ca-truststore.jks index 7d7849b94df..bc5b764adef 100644 Binary files a/tests/security-resources/server-ca-truststore.jks and b/tests/security-resources/server-ca-truststore.jks differ diff --git a/tests/security-resources/server-ca-truststore.p12 b/tests/security-resources/server-ca-truststore.p12 index f9241482c96..4247844ea6c 100644 Binary files a/tests/security-resources/server-ca-truststore.p12 and b/tests/security-resources/server-ca-truststore.p12 differ diff --git a/tests/security-resources/server-ca.pem b/tests/security-resources/server-ca.pem index 49b31faf890..9428bcc5c9f 100644 --- a/tests/security-resources/server-ca.pem +++ b/tests/security-resources/server-ca.pem 
@@ -1,32 +1,32 @@ Bag Attributes friendlyName: server-ca - localKeyID: 54 69 6D 65 20 31 37 31 31 31 30 38 32 37 39 32 33 38 + localKeyID: 54 69 6D 65 20 31 37 37 35 35 32 37 39 30 36 30 31 33 Key Attributes: -----BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDpzcIHO7Lv+n0Q -fU4XHY75ukGxpkuTd1aL1VoaBGFEyo9X+tHmE59nWgQIOQ/ZGFf+sSBoBNLeyKZh -cQCm4twS+gVQVlDOiZvZ21JlQmeSFpDNhovMdpdnGCBz0vxuEOprh4oBq0QSS+9P -+74MOruX/zwBNTAN3PBODthtxhsB7XSs8RC9/SlDO4gUdaox1iRACOAE8X6BSBYv -8NdGaqjC2vDLybkxuJF1FW5BXzmfMXxGJX1xTRU1bhgwhxEU6y8oZvWa4XwEN5eG -tuJgtZ10RKs+2VABoSoy/dV5TzsACk23B8LAoeC3ChRrWmOvSGLOhwocAlu2+gTL -Mj6/+1nLAgMBAAECggEACscGU6kH1ZIZY8Iy8FPXfGF+l77PqwuMPMPn9F0RUsd3 -lhmkxVNQPMZkezCOL3a0z7PAh6r5QXXEXaeE3SyF8oX96rcf4HVtbrxybuKBvbU2 -lZLHLPSmhAUTseMe6b/z3mMQFIWdjK5daLV1DEFE1nvYe0HFZk4x8ZczmNPR+OOv -tu9beDHTTKQR8a4WzVRV7zz4Z/B749pXdPYs+Hy9JxK49/LOmomIE/i+gr/dAkch -sGF1hFTPf4oSylmQk8J7Il/gV0+/fBJkWvnWx6J1IDI7WqvoPicNSwPaEfTfsCRT -ew7TG7vt+vur2R6pD9KUIudYzUzGRL31bycqFGTWqQKBgQD5gAsH5EwJW8+PSWf3 -AvX0Bk/QI/q7NA4kyI2zNHXRG2dynnItAYCWtnpgqsbTSvQeulWxrhf8JoN1m+08 -l2S01IYTx6IdjYaL9wMhvZVbeJkZeuOPNmDVwourO+8U4OD/55ss33Q72P1Rl7Tv -W/FfNns7WsWHsD/jPInQl80obQKBgQDv5QhnoLi1ma8JVrPVowr1tMYOszar4oTT -uBdN4Cdgx5QHkZvNJ6YBOhZPIqObHDbtj5zKglp7lNegFk7XWBCysS0sIFqAzHWF -eKLo7vLFyIqkwWVHRYGgcgsy0JLwOcS/1oQ2wPlMfaUjXQ0+5fiIQZH56uGD0X2y -SLJTPzyYFwKBgFPfTlX90e3HdlPVumRYE3RP9t6iabQqwKJu5OucNAryamkmiH1G -pwKDH0qFvkbjSINX4lzTiG6UR9bububSgeEkHFpj3sSOge9lPyFFiQLx3I2rOPo4 -rn7NYoRSpoFfQ2PjaM/B4mIIBMg79nAMeWyndO+0CPkfL6rk+/MqRKZVAoGBANPK -LVBnyYqyQqEJBb2vsuZXkZ+6wqKfWksctJ5RLhK4QE0qVRWbUmi04qs81poDH889 -wdvbl4yRTIiOCU7+9cb8uvfBHIWnfH24koL5KiZJNXXdM8/nYljHNnHHSGKDbds7 -xQAeADpyls+QwDfuiiupT/oHTs+0rLcwjRcHtjRDAoGBALADaNAULIqFLR94VTrK -D86aEVXX03RW7JnvwGFLV3z6rGB5LthB7u+7Qw/ywQ2sy2bEErf56HS5X87b2rJy -6Px3+GxkobfNJsvKrSKz27NoeVTUtntXqd9tYecNEq2LrpDhV3Yrim32sABTSLNH -jYmA2F+wbHfpeiGJu5XTNzgl +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCmUD6qvDwHE7/i 
+gO6a+4dmPFtKlTOjKmwwjvco9VpmEmNC8kryt1ADuWHHwI/PVX9omahuZbFjgrGT +CCJl9dp66HrCnX+4jgkzl6vIDO2OmTBDVuYefd444kggaxW5j2OHQZwl8CmAz3j4 +hSTP24GYtKLUdZRScvW94opc9Vsow2UFJWmbIpif5ipprfDO/9B5UA2FMOWv/Vbd +M5mAXWpC+2FciZ5ILjZi/3sGa6xuZbRjmViPkA1B/pacIxHLzBkmuW/hZZDOC1DK +v1gbdZzB7LUUoLJ4S7J9p7u1rDdE5e+f/ARZowHspvB/4I67ZVvWY8BAT9Q5bmbp +YCQMw16/AgMBAAECggEAUeBfeZ6BztoiNVhUH2iFGAfOycD6UvGnoaBAfaGMh4O1 +6lduHl+wvKSfRr++DMyClPRQv0jBM8Q7t67hgGCw1qFtDjKLlkgWr5eTskDrErDH +2d8GGyzMIiUEbTFK2LeGwCfEv8ikJg39+BtULCBchNko8H+SLaT65iiJBYqk/kOn +DFP+yh3n8TohIOVHTHP61zIRwllre1LoEK2EHuCcy7NJaX3tCgAa0epWhv3kYAEN +vhI0kVruI6zaVrMcAkXKJaA9cgYRpPj3DDlUFJJD9wKjlvZ+JUScMOonSILBXcLM +GIulapl3Cl958ljISNRcbfpdMj18izi7W3mnE7NBAQKBgQDnhL0iM/9VcYyPZB+Q +Mxw8raydYNaCzkHLj1fYubIa9bXHUzDFtKhX8+xtKgpLNqA2YdceQqhqp7339t9H +DMb4stKJ7kZAokYYR+ju4znq8y8mDmZA0iwHAvDISrQE9SXjKgeVSvfpGR92LPQb +gwtje/5WJNMLPVs3/v4JNkqScQKBgQC35mO/Uxr+ga2Q56vkb342FEekytOEK1B/ +Blb8aK/JliRc7zM3WNR6UNGbRoqMlsCfVsEAMPqunFLKKYGYryL9Mj+dH9hhihNU +BMVFHkjUdJ17hj5WxMLK2zY4JD2f7lgvymFgFz8cWbrb/9/84zFd9cu2j094/7b2 +pGR/JsA8LwKBgDUn1eDvfVVZz8LwYwrRoU8RNQuhOz8nKhYZoDrDT/A+r/DG2fDa +rLgc6hCaUWi5bwltZ12sQkzSnJw9E0CV320kaZB/o6OdXmiewg1vIFIgaZfcQH/r +gW5Or4fdFv34Zy2D7d/KKadcPEv+wEE80jWSN3AB3m67NKFjq2HkFDURAoGAe0lZ +VcrBLh6B3cNy2ZJlapvt6+yOIO1o6b+2UUFdmCev+R3jmBdVWysTWqXP/LCUMj5W +5WnwpV7noeBxoYrISjaFrzDKP5nxm0IXfl7vNH95lHZLFKCUdqq/jqO9LJr9RAzJ +e0IabUc6noLMBx3I2tUN3TX2cYf9gRx0w0mXVsECgYBVqceRN6+9ArNhk0s2Z7Nj +Zao287c/NAak9S2hRlhKPMgiseh5Ik5PhJhBkXoxQb+qY6i9v0pdqQ4gsiHIJfVC +cTrnUvEynDPkRLJBFs5Vz/2TNxkGwc8luDfnKCgLINfl74jSFtvi3CTubnA3aNzE +/Haikan34tLwL4DTRtLzrA== -----END PRIVATE KEY----- diff --git a/tests/security-resources/server-cert.pem b/tests/security-resources/server-cert.pem index 5beb564c7e6..848f278503f 100644 --- a/tests/security-resources/server-cert.pem +++ b/tests/security-resources/server-cert.pem 
@@ -1,29 +1,29 @@ Bag Attributes friendlyName: server - localKeyID: 54 69 6D 65 20 31 37 31 31 31 30 38 32 38 32 34 33 31 -subject=C = AMQ, ST = AMQ, L = AMQ, O = ActiveMQ, OU = Artemis, CN = ActiveMQ Artemis Server -issuer=O = ActiveMQ, OU = Artemis, CN = ActiveMQ Artemis Server Certification Authority + localKeyID: 54 69 6D 65 20 31 37 37 35 35 32 37 39 30 37 38 38 36 +subject=C=AMQ, ST=AMQ, L=AMQ, O=ActiveMQ, OU=Artemis, CN=ActiveMQ Artemis Server +issuer=O=ActiveMQ, OU=Artemis, CN=ActiveMQ Artemis Server Certification Authority -----BEGIN CERTIFICATE----- -MIIEGzCCAwOgAwIBAgIJAMPESNFBct/0MA0GCSqGSIb3DQEBCwUAMF8xETAPBgNV +MIIEGzCCAwOgAwIBAgIJAMGUahzqNsfZMA0GCSqGSIb3DQEBCwUAMF8xETAPBgNV BAoTCEFjdGl2ZU1RMRAwDgYDVQQLEwdBcnRlbWlzMTgwNgYDVQQDEy9BY3RpdmVN -USBBcnRlbWlzIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAgFw0yNDAz -MjIxMTUxMjFaGA8yMTI0MDIyNzExNTEyMVowcTEMMAoGA1UEBhMDQU1RMQwwCgYD +USBBcnRlbWlzIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAgFw0yNjA0 +MDcwMjExNDdaGA8yMTI2MDMxNDAyMTE0N1owcTEMMAoGA1UEBhMDQU1RMQwwCgYD VQQIEwNBTVExDDAKBgNVBAcTA0FNUTERMA8GA1UEChMIQWN0aXZlTVExEDAOBgNV BAsTB0FydGVtaXMxIDAeBgNVBAMTF0FjdGl2ZU1RIEFydGVtaXMgU2VydmVyMIIB -IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlTbxTDdSdRIrWcO0v2BYBQbN -doEiAM8S0+PyJemqlYqpp43OSdzvoWkwa0lWforogCNljohJYUwQ/omSaDdP0Y16 -SMylgDpw8qm7j1z7uLPbbXKdzRIVSPmOvQPMZDl3FE9QOaUlcJU+6NShIQll/ken -t8+EvHVPz96YduTxY+UROJ9Z0eiwHGmDIHm/2fEiqWXsbhq81DWhvOkzdtYnVST8 -BfZkx2DGiLph94KV8snQJGWnTzicVO9QQWJVQcF6aQOXguxRIW8b53UdcM0d9mQ7 -LjbEl66Pz+wPo7GiBhGRHQ9Gpk+L2fE0iy0Ws1Xr9JNIPpkQyxgFPPbqzPBxMwID -AQABo4HFMIHCMB0GA1UdDgQWBBSrmXLlIK7Xh0xn+dfw4I0q+1nTczBgBgNVHREE +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAon5As9SnPe8dMbu8h2XvHczE +YPGPL1IcsV/5zxN7+9zkS1G657tDEUaTS+6b8NgbeIRYFgXbt+SLq4tUJePAlx1v +7ypiGxPpx5+zoV5JJLPUMcON+DVCMHJx3IsJwqUndVbAaGAC4oJLguaMuzrzJqnn +CmS/6a0q4khpEAqcYtgSiQR4ll9nD0IleYvx0FfD49Ewj911EPmGhPr1lMearhLJ +D14O0uedr35pwQsVDRq58fwQRC6jWilj5OuEHaRuh5/XNztV7qRDLFrPPAuz+TNv 
+L2FwQF9pOH3cXwTnA1KwSYLjwr0DI0RJ/fj0Cdc8FsrOYmW/u39XUYFHSenPoQID +AQABo4HFMIHCMB0GA1UdDgQWBBR2BoOv3HfR+a/sSux4/MICtDMgGDBgBgNVHREE WTBXghdzZXJ2ZXIuYXJ0ZW1pcy5hY3RpdmVtcYIJbG9jYWxob3N0ghVsb2NhbGhv c3QubG9jYWxkb21haW6CFGFydGVtaXMubG9jYWx0ZXN0Lm1lhwR/AAABMAkGA1Ud -EwQCMAAwHwYDVR0jBBgwFoAUfI39SB/hKrHFXIQqijOWKIOk6FgwEwYDVR0lBAww -CgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggEBALseu8YBowlLbNfhxVTpdeSt -AJy4geCC53uLe9Pft3UydLDCFaMtciSUuieb25R+vMipRyGUX+2ovTsI3nGIhWV9 -F8jWCTXM9SGe8tUy6+GPkmBRI0Y0eakihDl9FH+JvQJO794cK4mXZFOqVuFadfye -eTT1Bmj0225HrAEV/d6lNcEOxLZkqXy5VYyptejCsV9Ba2S62227KJVixrDuVa23 -bRhP7YHFRz1SjxSKEJJHDyU6jZL9/BDjcviom8QTfaGjjRFyHsR3KGetLKH/9tjS -9g7XLPiRzz/qnqdesoXC1H4pBLViFbxL+FvkDnD1KDEybYmLm4A+A57wEAv0tRw= +EwQCMAAwHwYDVR0jBBgwFoAUPbuffkjCWYOlGla0+FG1I05a2X0wEwYDVR0lBAww +CgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggEBAGg6SHXxY31yT/boAETY2idt +tNtZm3u7lfOhlapyHjGCCwECOp/Wyu3H0517iUjM3xqFeHNrqceaA6vmKv8jhk4D +wiZto1dgtFftf5P6jxR7MG4z4JtygetsZMBIvVfgbaPDRdT0BIMZcKTca7zb2aph +m96lsSxKVcw8vSPQUxY2EuPOw0yiWbzkrdJARRldbFxd6RbjpMbDnDr1UGvkYXWF +bkxUwi0+oDCv1B1/iSN+JVf/5uRPyULKmb7cP1nh6YU4/alj8vxK+GsiP3cwK6L9 +Dm4GAvDGcW9Ew3ZZC7hMzh3gj0upe1WIAGUJ2CyNcWzHYGtKuYVR6V/3bXgB9pw= -----END CERTIFICATE----- diff --git a/tests/security-resources/server-key.pem b/tests/security-resources/server-key.pem index 2370041c27f..5cec107853a 100644 --- a/tests/security-resources/server-key.pem +++ b/tests/security-resources/server-key.pem 
@@ -1,32 +1,32 @@ Bag Attributes friendlyName: server - localKeyID: 54 69 6D 65 20 31 37 31 31 31 30 38 32 38 32 34 33 31 + localKeyID: 54 69 6D 65 20 31 37 37 35 35 32 37 39 30 37 38 38 36 Key Attributes: -----BEGIN PRIVATE KEY----- -MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCVNvFMN1J1EitZ -w7S/YFgFBs12gSIAzxLT4/Il6aqViqmnjc5J3O+haTBrSVZ+iuiAI2WOiElhTBD+ -iZJoN0/RjXpIzKWAOnDyqbuPXPu4s9ttcp3NEhVI+Y69A8xkOXcUT1A5pSVwlT7o -1KEhCWX+R6e3z4S8dU/P3ph25PFj5RE4n1nR6LAcaYMgeb/Z8SKpZexuGrzUNaG8 -6TN21idVJPwF9mTHYMaIumH3gpXyydAkZadPOJxU71BBYlVBwXppA5eC7FEhbxvn -dR1wzR32ZDsuNsSXro/P7A+jsaIGEZEdD0amT4vZ8TSLLRazVev0k0g+mRDLGAU8 -9urM8HEzAgMBAAECggEABHWIX301vx7kYcHZ+HAiIUBTSovQXtLRXrisp1pkySRE -LqgrtoReOuYgVsxxw8VV7mJgahKDkt9JkLm+wNOKVJpUQbGv7nWQo4fT/ZRLR3lE -gPBQa+zy6uPeUqK27HXVK6u1G4vmYwdqwl18VTbpL+CnT/RpJJKi6HTf/ImZ9yC5 -JH4F8WJaMDaEuoZjG5NK7j+elxYCaWirf+qimX6vqOSpttH2+hYuMkJpL04ypddU -y+SerLAKJHSDquTwiG0vQugP90FDMELBrO6dpFhfA2jR9+yVglPBY5N6VwUZqUca -cZgjEwbTjQlNVxlvgvv2QTOfb+vNrK9z4qiShUJMdQKBgQC/r01GNTArsbvgW3lq -H65gCGI/hy4WSLDZH+NFaX/gfsrbQ8FScQ1lHd9HVWMZcRGPYWmR4GqQgI3SfCsH -joXQElqj7YHucrfJ9q4dyvITjdIYPcrRB6l5ZZBWxLrXtGEg8ynP+a7WbDx5YEvW -FKk5tf/3AC1ZJBFRHqW94F2YnQKBgQDHR65u7UQsgRGB9IAF/3xnUjA0Ok5K/eGZ -8BK80mntvxvDoNowEUn/ZBw0v1o/ZMULd5Mc6JnIlC48bRoZTVB9S9V5yJ/8Irr9 -BKxCHsNE/wrdf72nwtUWgLo89LxF26/SLArj/ma6SGgmXUx8wgkk25Ow/B5CA0rc -XP/In96ADwKBgHJX6iq1U7Tc4wvkxTqPB3/1wFXRF6bnWcdLhFFFq6iJOg0uD8ZT -9f+ZoDV3NBRbJHR5UXZZfngQl4k11J0/YYdLS5J5/YX2HLh3VEolY95SPT+ErNWg -UnI+Kan41NQTn9T9+LU9ZhQ2oKRu0w4zaPcqIDSBgIuqPkI7m/b2Ph7pAoGAIXjo -07kGunLzfeCToG5JdxFXB27Dt9TtD+5DN3QgVs7C2xkpjOlahItMMY/ymLNUZZiw -HSr0qbw6B+xLdfSGkIUsVkhclv0+a0Fdrb19DxnHuWy7bnJLWHxGy/ZPqWw9HBBJ -xAH3P1LqK4eAUXRGFOrM4+11J6Fl8Z2tWQWBWgECgYEAoeW1KURlRQZAiNs0zfsZ -R/8+t1bo0igvt+wVewfam91GRX9hj2eNYyYHbXJe94Py0/ny+jJniNMCVpJ+mlY9 -kx9d9fd9zLBu0M7G5f6MLRgUzgxFytIc5X42KatoOepKYVycrjHw5BtulakhQmVn -B17jc9DMyEmdIBNvLXegSfQ= +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCifkCz1Kc97x0x 
+u7yHZe8dzMRg8Y8vUhyxX/nPE3v73ORLUbrnu0MRRpNL7pvw2Bt4hFgWBdu35Iur +i1Ql48CXHW/vKmIbE+nHn7OhXkkks9Qxw434NUIwcnHciwnCpSd1VsBoYALigkuC +5oy7OvMmqecKZL/prSriSGkQCpxi2BKJBHiWX2cPQiV5i/HQV8Pj0TCP3XUQ+YaE ++vWUx5quEskPXg7S552vfmnBCxUNGrnx/BBELqNaKWPk64QdpG6Hn9c3O1XupEMs +Ws88C7P5M28vYXBAX2k4fdxfBOcDUrBJguPCvQMjREn9+PQJ1zwWys5iZb+7f1dR +gUdJ6c+hAgMBAAECggEAIME/9DAd7VFlymhsYsPEvXZRMLSI1zJfZ87vuZMVJ0pZ +96fYPA2mwZT/LKuC4jwB35uX8QqJxaorkG8jzYZ5REzyCx05TPmI4s1ZxaHOrzgT +wltH4zyDJOZw9tLNKyAlEdVksDWIZ1X5+D9Wp4hEyuqtUM5J1EYsspQDn7Dv4MmY +W7OBq6iDTfOLesr4qTf7OPNsgyWvGAUIYkwL1JZQj5Avj3bMl/hgplw7bsNpVKN4 +pxjo/Zy1/QdmcXyIgZTJLpceEi1qXHQAVMi8IwJ6l3/CNxo+zv45D2ffgBEdoqMn +6rBJI6DLheG+id84UWXsiO+4oQDgvpqxRa5pZmrk5QKBgQDiAuS2rm6jeOD0ZWNE +XILySQEwetWo5TTqMPtKrYvn8Q6NHWUX4OoESkn/pVRIsuhj+xcF+u3U13SOHko/ +Zqo5YlhKJvDseIFTN27eatqfgo3ikJWZfp7h+6R3d4tLCavfN5aV44zqZRpbTLFC +6WHTnc62kGNqVOJKsJxrgIRjjQKBgQC4DcnO4GJg/fazTFtD3yoHz8Up7sirJEzU +zx6Co0B2XPu5iXgFcJQ5KeP3GVah39tBIHHxIMXrC4wi+dAevvIhqc0IytR2EctQ +QD5GccpyR0UdVY/mLV92SL5r7NN1ADXYh12FAlsM3Y0dvslVO7gQvtt/ap3oBWsv +108i79ntZQKBgCkjb7AU1gypXwD9R3FVCXzCbxX89dEVT2llWwg/yJyCUyy6cgFD +rjTztL50wH+vGP/B33H2N74rLYsE1mzt6gQh84IjzmysjpWwHF0dxAeOwva/bIuQ +8aienlQkjVUuQHuT6bQExEyR9JczwXw1cNoM+mhepcngA4Sm2wHyVaatAoGAa+9i +FtkNuHWW1EUGDIJ14ojcxh+LPJoYGICyEshsCD21PXQ5l28S7Yb8ci9A18MwkDvX +tiGTD6kA8I3xl+ZAlq8+V1ajS+5ZfeF+487dezECfhZsQf7/yZ0VVrNWunl6GlYf +6N2dyaivle8JoNtZsTBMBqfenG95EWBBv2pLMeUCgYA/TDM6E8CTxmT9V6tqAEu7 +Mq1DSt8oPdj6x7MUo/GEKW4wk2vltk2J/Ka7NFfYHmtxcVQ+UiEx62SANUIQUwbC +9O4e9kFZlAVqjrUekmu1V1A0LcUgzzA+wOf0QhTwlZWa696vrP8mw5KF6+yTaaCS +BbTAIhKbSdUj984T/1T/pw== -----END PRIVATE KEY----- diff --git a/tests/security-resources/server-keystore-keypass.jceks b/tests/security-resources/server-keystore-keypass.jceks index 45a35dc073c..6c3b141b9db 100644 Binary files a/tests/security-resources/server-keystore-keypass.jceks and b/tests/security-resources/server-keystore-keypass.jceks differ 
diff --git a/tests/security-resources/server-keystore-keypass.jks b/tests/security-resources/server-keystore-keypass.jks
index 68fcb6b7e2e..debefc49e35 100644
Binary files a/tests/security-resources/server-keystore-keypass.jks and b/tests/security-resources/server-keystore-keypass.jks differ
diff --git a/tests/security-resources/server-keystore-without-ca.p12 b/tests/security-resources/server-keystore-without-ca.p12
index db1c6459d5d..dbb3ba6d870 100644
Binary files a/tests/security-resources/server-keystore-without-ca.p12 and b/tests/security-resources/server-keystore-without-ca.p12 differ
diff --git a/tests/security-resources/server-keystore.jceks b/tests/security-resources/server-keystore.jceks
index 4950ede5a88..5a415468583 100644
Binary files a/tests/security-resources/server-keystore.jceks and b/tests/security-resources/server-keystore.jceks differ
diff --git a/tests/security-resources/server-keystore.jks b/tests/security-resources/server-keystore.jks
index f67334a278e..eefe20280b9 100644
Binary files a/tests/security-resources/server-keystore.jks and b/tests/security-resources/server-keystore.jks differ
diff --git a/tests/security-resources/server-keystore.p12 b/tests/security-resources/server-keystore.p12
index 677631e33d1..1fb15066848 100644
Binary files a/tests/security-resources/server-keystore.p12 and b/tests/security-resources/server-keystore.p12 differ
diff --git a/tests/security-resources/unknown-client-keystore.jceks b/tests/security-resources/unknown-client-keystore.jceks
index 21a8dd91be4..3339a37c95a 100644
Binary files a/tests/security-resources/unknown-client-keystore.jceks and b/tests/security-resources/unknown-client-keystore.jceks differ
diff --git a/tests/security-resources/unknown-client-keystore.jks b/tests/security-resources/unknown-client-keystore.jks
index 02712475093..9559737a431 100644
Binary files a/tests/security-resources/unknown-client-keystore.jks and b/tests/security-resources/unknown-client-keystore.jks differ
diff --git a/tests/security-resources/unknown-client-keystore.p12 b/tests/security-resources/unknown-client-keystore.p12
index d4e2d7ea8e2..7c19b230ea3 100644
Binary files a/tests/security-resources/unknown-client-keystore.p12 and b/tests/security-resources/unknown-client-keystore.p12 differ
diff --git a/tests/security-resources/unknown-server-cert.pem b/tests/security-resources/unknown-server-cert.pem
index baf3c288c79..a1db7f977d2 100644
--- a/tests/security-resources/unknown-server-cert.pem
+++ b/tests/security-resources/unknown-server-cert.pem
@@ -1,28 +1,29 @@ Bag Attributes friendlyName: unknown-server - localKeyID: 54 69 6D 65 20 31 37 31 31 31 30 38 32 38 38 31 39 33 -subject=C = AMQ, ST = AMQ, L = AMQ, O = ActiveMQ, OU = Artemis, CN = ActiveMQ Artemis Unknown Server -issuer=O = ActiveMQ, OU = Artemis, CN = ActiveMQ Artemis Server Certification Authority + localKeyID: 54 69 6D 65 20 31 37 37 35 35 32 37 39 31 31 36 39 33 +subject=C=AMQ, ST=AMQ, L=AMQ, O=ActiveMQ, OU=Artemis, CN=ActiveMQ Artemis Unknown Server +issuer=O=ActiveMQ, OU=Artemis, CN=ActiveMQ Artemis Server Certification Authority -----BEGIN CERTIFICATE----- -MIID7DCCAtSgAwIBAgIIeFmpOanwEvYwDQYJKoZIhvcNAQELBQAwXzERMA8GA1UE -ChMIQWN0aXZlTVExEDAOBgNVBAsTB0FydGVtaXMxODA2BgNVBAMTL0FjdGl2ZU1R -IEFydGVtaXMgU2VydmVyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MCAXDTI0MDMy -MjExNTEyN1oYDzIxMjQwMjI3MTE1MTI3WjB5MQwwCgYDVQQGEwNBTVExDDAKBgNV -BAgTA0FNUTEMMAoGA1UEBxMDQU1RMREwDwYDVQQKEwhBY3RpdmVNUTEQMA4GA1UE -CxMHQXJ0ZW1pczEoMCYGA1UEAxMfQWN0aXZlTVEgQXJ0ZW1pcyBVbmtub3duIFNl -cnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqXcCJgZMxVl8Gl -+XV8plYpVJ8FjGYfo6VfZoE9eDR7gl+w9TzeypyPL8uv2FF9jTpDpHQe/9NOd2hW -qKGo3ZxjU/qTrCE/IcUxUkAa9raS59ZUg2qiqExQ5b981d8JUFnp+EYDqeQbbU4W -uOlRgH+TORHlLMh+D2stvJDpa+XDUR/QjnHktNzrW5LLQ/kjiFqnsyurxN4HaCqL -53kenZewlOpHOt513XuWEe6jdKD1zS4LYwI8keGqhF1p5qB/03vycdODLz0bcUPD -tvLM0ZZrOJ0PlskNN+JCdA/10a+XMzWFti+N4B2rUbmk5k+IXC9C+B4C+xr63Pv5 -AoLXxjcCAwEAAaOBjzCBjDAdBgNVHQ4EFgQUxSGWcqxYAQASz4Mb/qvj7df0VSQw -KgYDVR0RBCMwIYIfdW5rbm93bi1zZXJ2ZXIuYXJ0ZW1pcy5hY3RpdmVtcTAJBgNV -HRMEAjAAMB8GA1UdIwQYMBaAFHyN/Ugf4SqxxVyEKoozliiDpOhYMBMGA1UdJQQM -MAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IBAQBgMnAetG3I+hYLtf7HFZgz -P3UaIa3iVz97eWsqC9PVdpPUiOFd28NmGsN2otgrPsM8DMEQ34jTDCs8ADzPu/dl -LTz3iBoypbNropHWxX9g/p9evs2KTME8KrkTICyfKy6aQYrYeEmYrPWCZy24uPSq -6LN9vrBEa8JZid6oRUiowTMvjUe/a1RPcexw7KMlqooe9cwgn6Pl1LaWbQ+iCNfw -uTs0Dzu0YUjQDG8wsPl+ZLC/y8CkntzlEt+gz1l7QNi166X0J5sbsNCtDM2L+L+P -43RhW8txIDXo5A0ooxScYbAiHyfwL1VvtH55GbPi4JEplg89Y+K2sAwSENNq8RVO 
+MIID7TCCAtWgAwIBAgIJALgpBPcTnJ3VMA0GCSqGSIb3DQEBCwUAMF8xETAPBgNV +BAoTCEFjdGl2ZU1RMRAwDgYDVQQLEwdBcnRlbWlzMTgwNgYDVQQDEy9BY3RpdmVN +USBBcnRlbWlzIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAgFw0yNjA0 +MDcwMjExNTFaGA8yMTI2MDMxNDAyMTE1MVoweTEMMAoGA1UEBhMDQU1RMQwwCgYD +VQQIEwNBTVExDDAKBgNVBAcTA0FNUTERMA8GA1UEChMIQWN0aXZlTVExEDAOBgNV +BAsTB0FydGVtaXMxKDAmBgNVBAMTH0FjdGl2ZU1RIEFydGVtaXMgVW5rbm93biBT +ZXJ2ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCd7OCcaZZnyNRd +0jUtDKp41SoFd10L2B/DrDHyxXN0drQLhx8ckZBfvHX6MmsU6Me2voGWuKohRlLl +rvFjNCGLJM3NpjEaGmCbcBtCgC3xe6w/ztnBX9bQZlYWhPWvkEn4WjhdgzSTHJGs +y2GfrMoeZiMypvKnI4aO9Zbv4PNknkvFDCnMpVarLetXNoNMqySKE4I1+cqMjz+n +FNGG/IpXSxKuuL0GSpBgo/wqqPmMYbChze9aijbMSc78ZVjloB794F4HRT3oVleN +W8sP4Or2g0J++XsPIDFHI8eiGPmt9ckWxEQNPEM5jXY2jLRka4tOcSSxQlnjYtgZ +/MMIup3XAgMBAAGjgY8wgYwwHQYDVR0OBBYEFCaMJdqEmWkqvVUZWCZa6ielnD02 +MCoGA1UdEQQjMCGCH3Vua25vd24tc2VydmVyLmFydGVtaXMuYWN0aXZlbXEwCQYD +VR0TBAIwADAfBgNVHSMEGDAWgBQ9u59+SMJZg6UaVrT4UbUjTlrZfTATBgNVHSUE +DDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEAHuOXN86Y6nk8fQoVFFel +otuV6XYrqoWJ86Av/PEqWjDkrOXXVKKl84b9GcGhHmbzGcT/WWMInaPQ7BzuMT41 +I4ZwW5fWe9cx1JRUzDfF16KdIQ4sIZOmb8mt8EU/WJAabAn+9rYbUPMtJFVRAirw +cAzo9fnG75QqVxDssIrjw0YwaDQhJxgBJh5XR6ZkNBILgbyFXPiWITkHtpzoQCbI +WxVwY7CrEwYHgFKy/+i7mHVd+yclvM+dcYH6R+d5qyEgtdHFPk8dheweUVMxCvHq +q3GNP/vEMdbDzL8uQiXwhq93WGK9uQ+glWEzGcnyMre/1uoZhyyAdXHzDry12U4d +ZA== -----END CERTIFICATE----- diff --git a/tests/security-resources/unknown-server-key.pem b/tests/security-resources/unknown-server-key.pem index 938a7a1e54c..29631f4088c 100644 --- a/tests/security-resources/unknown-server-key.pem +++ b/tests/security-resources/unknown-server-key.pem 
@@ -1,32 +1,32 @@ Bag Attributes friendlyName: unknown-server - localKeyID: 54 69 6D 65 20 31 37 31 31 31 30 38 32 38 38 31 39 33 + localKeyID: 54 69 6D 65 20 31 37 37 35 35 32 37 39 31 31 36 39 33 Key Attributes: -----BEGIN PRIVATE KEY----- -MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC6l3AiYGTMVZfB -pfl1fKZWKVSfBYxmH6OlX2aBPXg0e4JfsPU83sqcjy/Lr9hRfY06Q6R0Hv/TTndo -VqihqN2cY1P6k6whPyHFMVJAGva2kufWVINqoqhMUOW/fNXfCVBZ6fhGA6nkG21O -FrjpUYB/kzkR5SzIfg9rLbyQ6Wvlw1Ef0I5x5LTc61uSy0P5I4hap7Mrq8TeB2gq -i+d5Hp2XsJTqRzredd17lhHuo3Sg9c0uC2MCPJHhqoRdaeagf9N78nHTgy89G3FD -w7byzNGWazidD5bJDTfiQnQP9dGvlzM1hbYvjeAdq1G5pOZPiFwvQvgeAvsa+tz7 -+QKC18Y3AgMBAAECggEAUG2gZyD3seAfFtiNC6hcJn2QPS9uEkMHDexuSb0OSEkI -rGihfMhnu045AupcKtwceQXZKDiIezOyYqYf7/bS92sVMshehMIqs04MLxewSohO -KGOrddaBBsxEC+MqaQYhvXANlVhU7b8owWUn9WItKlByZBVN1WoJCWDgi/IhkRp/ -G2+II+PFNV7f5TrHzEdqGV+joaxEKI9SXGfpkgrQZaj1UKwKzwr/uv/kIcNjVRxv -mdlvwhrFWIE5bJmIhc6/tdAdj+IoYHgcy6xMcNRORJlp8JO2LzIFu14nWK4Zzlo+ -ayaP5xvSdlJxLNW3HVZqwEhdKlrQUH6nEfoMi5pLMQKBgQDD28FoCf2TS7/a2aUN -/7WV988XWMN64GbfLUn4RmRkBSjiYO8X5NQbj9D4jUYf0CoJYqLCFyAO8KX7F+rq -nutbla10F4KZWZjRyLmvtJYJynBEN2yfWFpcJtg5PKUQ3tP76UQNZIbeS3ETQj0L -PEPCB4Tx5W4v0uOfKIj1Gew0KQKBgQDz4zkaZQD1K3RMMDZXZ41fEBCPH/JXMi8T -hIAXuZtT4De5HnqRojpgkKb5l9Cl1jnyTK5+QBVdyJ89JBV2VaqRCHsryfFN3X0M -GlgLWNmsgIowIGLKLM+0RX0b7LQwZSN8jqWWp0Uo+AlCCNHgLUWZJJsO2dE5aZzH -KK0i6vJzXwKBgQCX9cj5j8bOodcZVgRZ+CxLTxm+Y4BHthQa1Giv2O3LLLWr7smT -IFfxioP4VKQzyq7S2VSugoK9FLmzN7tsjiDNzjPl/te1Y27OVY68ZMCEmCzCwL3m -ZAa3uOvKfOMVU83lhfbm7Tg3ARGaf6odLYTk5jCf/gKf2GAC/NBGWvaJAQKBgE0D -iKmsEXRaB3xzkQVivsKxGPmJNgaQ40q/gY98Xe9Lk20SkdPhLZwGsaOJbCqiDmRU -EJnvdI/L5XTyKxDWFml8CyEVwOw8r9sdioXyxbHyWTC/WVLMeb5MXyhtQ60wktcn -WGTNZ0p7oLjIfjXTNfIZHBnBcI83qXk+gAXRuUPzAoGAc+ztGl8U8A+z8HxyMQfD -N8I5+G/bwbaIyCxRJxDlRgjf8fs86TzUcj8e4IhRIw97+WlL/9waJl6iuo7EEnap -aeTViOKjpfBvhpffurtde9/Ql92f0KDg2Lyt08t1NBzNxM9O3XC6rdDJGOZJQzPt -6LEldRv0hMXPf1sHX2qrG3E= +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCd7OCcaZZnyNRd 
+0jUtDKp41SoFd10L2B/DrDHyxXN0drQLhx8ckZBfvHX6MmsU6Me2voGWuKohRlLl +rvFjNCGLJM3NpjEaGmCbcBtCgC3xe6w/ztnBX9bQZlYWhPWvkEn4WjhdgzSTHJGs +y2GfrMoeZiMypvKnI4aO9Zbv4PNknkvFDCnMpVarLetXNoNMqySKE4I1+cqMjz+n +FNGG/IpXSxKuuL0GSpBgo/wqqPmMYbChze9aijbMSc78ZVjloB794F4HRT3oVleN +W8sP4Or2g0J++XsPIDFHI8eiGPmt9ckWxEQNPEM5jXY2jLRka4tOcSSxQlnjYtgZ +/MMIup3XAgMBAAECggEACZGnznJrZaB6lbC9/hvNXIL2B9zCq4wN6KpPYHlsVHs4 +z5YBYZbEW7isoVtat6qfJ0iFy58m19tN/JLMF4m6GpdBTRurz/wXLHPvgukHX6Fx +v3AGK7xl5Ly+rKCjzl58zOqSjb/8eIl7ni+4m5c5q/veWBxbiZsSdSkWWzSTKt6A +NC97byt5mp4Cae4kdp9zNQU7As/+CgUk5Flr3hEgZi1rhH7KxBNmIqxG5ZSfAe+W +7qvE8yu2oc25pZ1us4uSDeNKiTjxiSgA0AZnZocR3WLga4OvPjdjbY/rjghOxOwU +09UIIVNnx7gsGSDIZi5nj/7nsWm2zSCk6qRA1SoP6QKBgQDMQRPBOWO0A9NJRXE8 +vKHMP5yjXrMibhF+Nc3vkDvEnePcBmQK0OmtOdYAbPOpQVbjlL9r4qc66FTJd8y9 +6f2d2TvRaOnAzqcbmTsNcdOwGY2aT2JNu1rYVx8Fv3r3/X27NRCckmD+tk7OptKJ +5DepWhp9R4ylZVMpL8x6Ab5eowKBgQDF7yKoviIPmQCy9rkQ4F5S6OWfmHwLl2uU +3RxR+gqOtsWMiJfKMusG/aXZERh9tOxyAZnJnNkiFhb3gbChn+FST21F/mID9a1N +W6YIJWci+xUhKn2p4nYCz/Syi4fXtMxDyC6ID61cKgZi4mHPzChsiJVWGVtv2Elx +dX3fmJ+7PQKBgQCCYLPkbeaXnK18osfyVhINVzl8CtHbk1i1MFEArxeHnKU66BVp +1gqjGTzhzqoGCwAUivlZOzc14eFlLIRTYY4S+Pw24nn7Ka3/buMD5PmT+euqaSu9 +pG8LkyjpOV2b+IIOQoQU/VbOn75UKKZRgIyLHEm2WDqNxMy9iJZD9uL2cwKBgGYd +mID8DrCDXDP4S8QkLSWTGBw9XAnS5eLYLCsy182HB+YX9k+P82cY5z5UrpD0DWRH +5SJ5tB/8y36HvyuzQ1jmt1Z8Be9LCUy2srLTMSF/7ge9VzWVKxMKXJDcoYmsshFq +Lm9tvx+kYsUTTCkbh+Nul7TiwiSyrjlFx1na8NV1AoGAMNIHrufxPYr0akQeU/ys +MZsLxodxtXB0CbHzcVzM/9FT7gSaoHBw8GJlSCXrnv+o2KtyiL5OKeUGwissc29u +Xx+iiVcBLfWYm0XYzcl4YOAAZeL4/1MngXwOOF8SkWSsK+18kTQlTtPXXMw2pf6j +R65YEwDEsT7HbvCykqV2CUs= -----END PRIVATE KEY----- diff --git a/tests/security-resources/unknown-server-keystore.jceks b/tests/security-resources/unknown-server-keystore.jceks index 041d50f822d..4dc144958b4 100644 Binary files a/tests/security-resources/unknown-server-keystore.jceks and b/tests/security-resources/unknown-server-keystore.jceks differ 
diff --git a/tests/security-resources/unknown-server-keystore.jks b/tests/security-resources/unknown-server-keystore.jks index 88a23305d24..4cc45b97026 100644 Binary files a/tests/security-resources/unknown-server-keystore.jks and b/tests/security-resources/unknown-server-keystore.jks differ diff --git a/tests/security-resources/unknown-server-keystore.p12 b/tests/security-resources/unknown-server-keystore.p12 index d5b8d543edf..9d5dd898cab 100644 Binary files a/tests/security-resources/unknown-server-keystore.p12 and b/tests/security-resources/unknown-server-keystore.p12 differ diff --git a/tests/security-resources/unknown-upn-client-keystore.jceks b/tests/security-resources/unknown-upn-client-keystore.jceks new file mode 100644 index 00000000000..e58c56235ba Binary files /dev/null and b/tests/security-resources/unknown-upn-client-keystore.jceks differ diff --git a/tests/security-resources/unknown-upn-client-keystore.jks b/tests/security-resources/unknown-upn-client-keystore.jks new file mode 100644 index 00000000000..c499ddb9007 Binary files /dev/null and b/tests/security-resources/unknown-upn-client-keystore.jks differ diff --git a/tests/security-resources/unknown-upn-client-keystore.p12 b/tests/security-resources/unknown-upn-client-keystore.p12 new file mode 100644 index 00000000000..b12d12c4f72 Binary files /dev/null and b/tests/security-resources/unknown-upn-client-keystore.p12 differ diff --git a/tests/security-resources/upn-client-keystore.jceks b/tests/security-resources/upn-client-keystore.jceks new file mode 100644 index 00000000000..2b4c0a3460e Binary files /dev/null and b/tests/security-resources/upn-client-keystore.jceks differ diff --git a/tests/security-resources/upn-client-keystore.jks b/tests/security-resources/upn-client-keystore.jks new file mode 100644 index 00000000000..224798d16f5 Binary files /dev/null and b/tests/security-resources/upn-client-keystore.jks differ 
diff --git a/tests/security-resources/upn-client-keystore.p12 b/tests/security-resources/upn-client-keystore.p12 new file mode 100644 index 00000000000..d6d2b428d57 Binary files /dev/null and b/tests/security-resources/upn-client-keystore.p12 differ