From a0ad8dd65c28f1f137ec92be1511052e1e3bb404 Mon Sep 17 00:00:00 2001 
From: Qiang Zhao Date: Mon, 27 Nov 2023 20:08:39 +0800 Subject: [PATCH] [improve][sec] Support for Elliptic Curve Cryptography (EC, ECC) (certificates/private keys) (#21621) (cherry picked from commit e1d06b5f54f08c09debab7a9a513b7c173c1779b) --- pom.xml | 2 + .../auth/MockedPulsarServiceBaseTest.java | 64 ++++++-- .../tls/ec/TlsWithECCertificateFileTest.java | 130 ++++++++++++++++ .../tls/ec/TlsWithECKeyStoreTest.java | 141 ++++++++++++++++++ .../pulsar/common/util/SecurityUtility.java | 34 ++++- .../ec/broker_client.cert.pem | 9 ++ .../ec/broker_client.csr.pem | 7 + .../ec/broker_client.key-pk8.pem | 5 + .../ec/broker_client.key.pem | 8 + tests/certificate-authority/ec/ca.cert.pem | 10 ++ tests/certificate-authority/ec/ca.cert.srl | 1 + tests/certificate-authority/ec/ca.key.pem | 8 + .../ec/certificate_generation.txt | 34 +++++ .../certificate-authority/ec/client.cert.pem | 8 + tests/certificate-authority/ec/client.csr.pem | 7 + .../ec/client.key-pk8.pem | 5 + tests/certificate-authority/ec/client.key.pem | 8 + .../ec/jks/broker_client.cert.pem | 10 ++ .../ec/jks/broker_client.keystore.jks | Bin 0 -> 2034 bytes .../ec/jks/broker_client.signed.cert.pem | 11 ++ .../certificate-authority/ec/jks/ca.cert.pem | 10 ++ .../certificate-authority/ec/jks/ca.cert.srl | 1 + tests/certificate-authority/ec/jks/ca.key.pem | 8 + .../ec/jks/ca.truststore.jks | Bin 0 -> 742 bytes .../ec/jks/client.cert.pem | 10 ++ .../ec/jks/client.keystore.jks | Bin 0 -> 1988 bytes .../ec/jks/client.signed.cert.pem | 10 ++ .../ec/jks/key_store_generation.txt | 33 ++++ .../ec/jks/server.cert.pem | 10 ++ .../ec/jks/server.keystore.jks | Bin 0 -> 2004 bytes .../ec/jks/server.signed.cert.pem | 10 ++ .../certificate-authority/ec/server.cert.pem | 13 ++ tests/certificate-authority/ec/server.conf | 40 +++++ tests/certificate-authority/ec/server.csr.pem | 7 + .../ec/server.key-pk8.pem | 5 + tests/certificate-authority/ec/server.key.pem | 8 + 36 files changed, 652 insertions(+), 15 deletions(-) create mode 
100644 pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECCertificateFileTest.java create mode 100644 pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECKeyStoreTest.java create mode 100644 tests/certificate-authority/ec/broker_client.cert.pem create mode 100644 tests/certificate-authority/ec/broker_client.csr.pem create mode 100644 tests/certificate-authority/ec/broker_client.key-pk8.pem create mode 100644 tests/certificate-authority/ec/broker_client.key.pem create mode 100644 tests/certificate-authority/ec/ca.cert.pem create mode 100644 tests/certificate-authority/ec/ca.cert.srl create mode 100644 tests/certificate-authority/ec/ca.key.pem create mode 100644 tests/certificate-authority/ec/certificate_generation.txt create mode 100644 tests/certificate-authority/ec/client.cert.pem create mode 100644 tests/certificate-authority/ec/client.csr.pem create mode 100644 tests/certificate-authority/ec/client.key-pk8.pem create mode 100644 tests/certificate-authority/ec/client.key.pem create mode 100644 tests/certificate-authority/ec/jks/broker_client.cert.pem create mode 100644 tests/certificate-authority/ec/jks/broker_client.keystore.jks create mode 100644 tests/certificate-authority/ec/jks/broker_client.signed.cert.pem create mode 100644 tests/certificate-authority/ec/jks/ca.cert.pem create mode 100644 tests/certificate-authority/ec/jks/ca.cert.srl create mode 100644 tests/certificate-authority/ec/jks/ca.key.pem create mode 100644 tests/certificate-authority/ec/jks/ca.truststore.jks create mode 100644 tests/certificate-authority/ec/jks/client.cert.pem create mode 100644 tests/certificate-authority/ec/jks/client.keystore.jks create mode 100644 tests/certificate-authority/ec/jks/client.signed.cert.pem create mode 100644 tests/certificate-authority/ec/jks/key_store_generation.txt create mode 100644 tests/certificate-authority/ec/jks/server.cert.pem create mode 100644 tests/certificate-authority/ec/jks/server.keystore.jks create mode 
100644 tests/certificate-authority/ec/jks/server.signed.cert.pem create mode 100644 tests/certificate-authority/ec/server.cert.pem create mode 100644 tests/certificate-authority/ec/server.conf create mode 100644 tests/certificate-authority/ec/server.csr.pem create mode 100644 tests/certificate-authority/ec/server.key-pk8.pem create mode 100644 tests/certificate-authority/ec/server.key.pem diff --git a/pom.xml b/pom.xml index f5aad4860ec43d..4709238c222e32 100644 --- a/pom.xml +++ b/pom.xml @@ -1488,6 +1488,8 @@ flexible messaging model and an intuitive client API. **/*.crt **/*.key **/*.csr + **/*.srl + **/*.txt **/*.pem **/*.json **/*.htpasswd diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/broker/auth/MockedPulsarServiceBaseTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/broker/auth/MockedPulsarServiceBaseTest.java index d88a411be34cf1..64659379b84519 100644 --- a/pulsar-broker/src/test/java/org/apache/pulsar/broker/auth/MockedPulsarServiceBaseTest.java +++ b/pulsar-broker/src/test/java/org/apache/pulsar/broker/auth/MockedPulsarServiceBaseTest.java @@ -6,9 +6,9 @@ * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * + *

+ * http://www.apache.org/licenses/LICENSE-2.0 + *

* Unless required by applicable law or agreed to in writing, * software distributed under the License is distributed on an * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY @@ -25,9 +25,13 @@ import static org.mockito.Mockito.spy; import static org.mockito.Mockito.when; import static org.testng.Assert.assertEquals; + import com.google.common.collect.Sets; +import com.google.common.io.Resources; import com.google.common.util.concurrent.MoreExecutors; import io.netty.channel.EventLoopGroup; + +import java.io.File; import java.lang.reflect.Field; import java.net.InetSocketAddress; import java.net.URI; @@ -43,6 +47,7 @@ import java.util.concurrent.TimeUnit; import java.util.function.Predicate; import java.util.function.Supplier; + import org.apache.bookkeeper.client.BookKeeper; import org.apache.bookkeeper.client.EnsemblePlacementPolicy; import org.apache.bookkeeper.client.PulsarMockBookKeeper; @@ -79,6 +84,7 @@ import org.awaitility.reflect.WhiteboxImpl; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import org.testcontainers.shaded.com.fasterxml.jackson.databind.ObjectMapper; import org.testng.annotations.DataProvider; /** @@ -94,7 +100,7 @@ public abstract class MockedPulsarServiceBaseTest extends TestRetrySupport { protected PulsarAdmin admin; protected PulsarClient pulsarClient; protected PortForwarder brokerGateway; - protected boolean enableBrokerGateway = false; + protected boolean enableBrokerGateway = false; protected URL brokerUrl; protected URL brokerUrlTls; @@ -235,7 +241,7 @@ protected final void internalCleanup() throws Exception { mockZooKeeper.shutdown(); mockZooKeeper = null; } - if(sameThreadOrderedSafeExecutor != null) { + if (sameThreadOrderedSafeExecutor != null) { try { sameThreadOrderedSafeExecutor.shutdownNow(); sameThreadOrderedSafeExecutor.awaitTermination(5, TimeUnit.SECONDS); 
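Review bot: The new `import org.testcontainers.shaded.com.fasterxml.jackson.databind.ObjectMapper;` takes Jackson from Testcontainers' shaded package, which ties this base class (and the `mapper` field declared in the last hunk of this file) to an internal relocation that Testcontainers may rename or drop in any release. Pulsar uses Jackson directly elsewhere, so `import com.fasterxml.jackson.databind.ObjectMapper;` is the type that was meant here, or reuse the project's `ObjectMapperFactory` if a shared instance is preferred. The blank lines inserted between import groups in the earlier hunks look like editor noise unrelated to the change and could be dropped from the backport.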
@@ -245,7 +251,7 @@ protected final void internalCleanup() throws Exception { } sameThreadOrderedSafeExecutor = null; } - if(bkExecutor != null) { + if (bkExecutor != null) { try { bkExecutor.shutdownNow(); bkExecutor.awaitTermination(5, TimeUnit.SECONDS); @@ -394,7 +400,7 @@ public static MockZooKeeper createMockZooKeeper() throws Exception { } public static MockZooKeeper createMockZooKeeperGlobal() { - return MockZooKeeper.newInstanceForGlobalZK(MoreExecutors.newDirectExecutorService()); + return MockZooKeeper.newInstanceForGlobalZK(MoreExecutors.newDirectExecutorService()); } public static NonClosableMockBookKeeper createMockBookKeeper(OrderedExecutor executor) throws Exception { @@ -512,7 +518,7 @@ protected void setupDefaultTenantAndNamespace() throws Exception { @DataProvider(name = "invalidPersistentPolicies") public Object[][] incorrectPersistentPolicies() { - return new Object[][] { + return new Object[][]{ {0, 0, 0}, {1, 0, 0}, {0, 0, 1}, @@ -541,7 +547,7 @@ protected void deleteNamespaceWithRetry(String ns, boolean force, PulsarAdmin ad /** * see {@link MockedPulsarServiceBaseTest#deleteNamespaceWithRetry(String, boolean, PulsarAdmin, Collection)} */ - public static void deleteNamespaceWithRetry(String ns, boolean force, PulsarAdmin admin, PulsarService...pulsars) + public static void deleteNamespaceWithRetry(String ns, boolean force, PulsarAdmin admin, PulsarService... pulsars) throws Exception { deleteNamespaceWithRetry(ns, force, admin, Arrays.asList(pulsars)); } 
@@ -588,4 +594,44 @@ public static class ServiceProducer { } private static final Logger log = LoggerFactory.getLogger(MockedPulsarServiceBaseTest.class); + + + // EC certificate + protected static final String TLS_EC_TRUSTED_CERT_PATH = + getAbsolutePath("certificate-authority/ec/ca.cert.pem"); + protected static final String TLS_EC_SERVER_KEY_PATH = + getAbsolutePath("certificate-authority/ec/server.key-pk8.pem"); + protected static final String TLS_EC_SERVER_CERT_PATH = + getAbsolutePath("certificate-authority/ec/server.cert.pem"); + protected static final String TLS_EC_BROKER_CLIENT_KEY_PATH = + getAbsolutePath("certificate-authority/ec/broker_client.key-pk8.pem"); + protected static final String TLS_EC_BROKER_CLIENT_CERT_PATH = + getAbsolutePath("certificate-authority/ec/broker_client.cert.pem"); + protected static final String TLS_EC_CLIENT_KEY_PATH = + getAbsolutePath("certificate-authority/ec/client.key-pk8.pem"); + protected static final String TLS_EC_CLIENT_CERT_PATH = + getAbsolutePath("certificate-authority/ec/client.cert.pem"); + + // EC KeyStore + protected static final String TLS_EC_KS_SERVER_STORE = + getAbsolutePath("certificate-authority/ec/jks/server.keystore.jks"); + protected static final String TLS_EC_KS_SERVER_PASS = "serverpw"; + protected static final String TLS_EC_KS_BROKER_CLIENT_STORE = + getAbsolutePath("certificate-authority/ec/jks/broker_client.keystore.jks"); + protected static final String TLS_EC_KS_BROKER_CLIENT_PASS = "brokerclientpw"; + protected static final String TLS_EC_KS_CLIENT_STORE = + getAbsolutePath("certificate-authority/ec/jks/client.keystore.jks"); + protected static final String TLS_EC_KS_CLIENT_PASS = "clientpw"; + protected static final String TLS_EC_KS_TRUSTED_STORE = + getAbsolutePath("certificate-authority/ec/jks/ca.truststore.jks"); + protected static final String TLS_EC_KS_TRUSTED_STORE_PASS = "rootpw"; + + public static String getAbsolutePath(String resourceName) { + // On Windows, URL#getPath might return a 
string that starts with a disk name, e.g. "/C:/" + // It's invalid to use this path to open a file, so we need to get the absolute path via File. + return new File(Resources.getResource(resourceName).getPath()).getAbsolutePath(); + + } + + protected static final ObjectMapper mapper = new ObjectMapper(); } diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECCertificateFileTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECCertificateFileTest.java new file mode 100644 index 00000000000000..b36695ad34ddd0 --- /dev/null +++ b/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECCertificateFileTest.java 
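Review bot: `getAbsolutePath` goes through `URL#getPath`, which returns a percent-encoded path, so a checkout under a directory containing a space or a non-ASCII character yields `%20`-style segments that `new File(...)` will not find; the Windows drive-letter quirk the comment mentions is a symptom of the same URL-versus-path confusion. Converting via `URI` and `Paths` handles both cases and needs `java.net.URISyntaxException` and `java.nio.file.Paths` imported. Neither form can serve a resource packaged inside a jar, which is fine for these test fixtures but deserves a sentence in a Javadoc on the method.
```java
public static String getAbsolutePath(String resourceName) {
    // URL#getPath is percent-encoded and, on Windows, starts with "/C:/"; going through
    // URI -> Path yields a real filesystem path in both cases (file: resources only).
    try {
        return Paths.get(Resources.getResource(resourceName).toURI()).toAbsolutePath().toString();
    } catch (URISyntaxException e) {
        throw new IllegalArgumentException("Cannot resolve test resource: " + resourceName, e);
    }
}
```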
@@ -0,0 +1,130 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.pulsar.security.tls.ec; + + +import static org.testng.Assert.assertEquals; +import static org.testng.Assert.assertNotNull; +import java.nio.charset.StandardCharsets; +import java.util.HashMap; +import java.util.Map; +import java.util.Optional; +import java.util.UUID; +import lombok.Cleanup; +import lombok.SneakyThrows; +import org.apache.pulsar.broker.auth.MockedPulsarServiceBaseTest; +import org.apache.pulsar.client.admin.PulsarAdmin; +import org.apache.pulsar.client.api.Consumer; +import org.apache.pulsar.client.api.Message; +import org.apache.pulsar.client.api.MessageId; +import org.apache.pulsar.client.api.Producer; +import org.apache.pulsar.client.api.PulsarClient; +import org.apache.pulsar.client.api.PulsarClientException; +import org.apache.pulsar.client.impl.auth.AuthenticationTls; +import org.testng.annotations.AfterClass; +import org.testng.annotations.BeforeClass; +import org.testng.annotations.Test; + + +@Test +public class TlsWithECCertificateFileTest extends MockedPulsarServiceBaseTest { + + @Override + protected void doInitConf() throws Exception { + super.doInitConf(); + conf.setTlsEnabled(true); + 
conf.setBrokerServicePort(Optional.empty()); + conf.setWebServicePort(Optional.empty()); + conf.setTlsTrustCertsFilePath(TLS_EC_TRUSTED_CERT_PATH); + conf.setTlsCertificateFilePath(TLS_EC_SERVER_CERT_PATH); + conf.setTlsKeyFilePath(TLS_EC_SERVER_KEY_PATH); + conf.setBrokerClientTlsEnabled(true); + conf.setBrokerClientTrustCertsFilePath(TLS_EC_TRUSTED_CERT_PATH); + conf.setBrokerClientAuthenticationPlugin(AuthenticationTls.class.getName()); + final Map brokerClientAuthParams = new HashMap<>(); + brokerClientAuthParams.put("tlsCertFile", TLS_EC_BROKER_CLIENT_CERT_PATH); + brokerClientAuthParams.put("tlsKeyFile", TLS_EC_BROKER_CLIENT_KEY_PATH); + conf.setBrokerClientAuthenticationParameters(mapper.writeValueAsString(brokerClientAuthParams)); + conf.setBrokerClientAuthenticationParameters(mapper.writeValueAsString(brokerClientAuthParams)); + } + + @BeforeClass(alwaysRun = true) + @Override + protected void setup() throws Exception { + init(); + admin = pulsar.getAdminClient(); + setupDefaultTenantAndNamespace(); + } + + @AfterClass(alwaysRun = true) + @Override + protected void cleanup() throws Exception { + internalCleanup(); + } + @Test(expectedExceptions = PulsarClientException.class) + @SneakyThrows + public void testConnectionFailWithoutCertificate() { + @Cleanup final PulsarClient client = PulsarClient.builder() + .serviceUrl(pulsar.getBrokerServiceUrlTls()) + .build(); + @Cleanup final Producer producer = client.newProducer() + .topic("should_be_failed") + .create(); + } + + + @Test + @SneakyThrows + public void testConnectionSuccessWithCertificate() { + final AuthenticationTls authentication = new AuthenticationTls(TLS_EC_CLIENT_CERT_PATH, TLS_EC_CLIENT_KEY_PATH); + final String topicName = "persistent://public/default/" + UUID.randomUUID(); + final int testMsgNum = 10; + @Cleanup final PulsarAdmin admin = PulsarAdmin.builder() + .authentication(authentication) + .serviceHttpUrl(pulsar.getWebServiceAddressTls()) + 
.tlsTrustCertsFilePath(TLS_EC_TRUSTED_CERT_PATH) + .build(); + admin.topics().createNonPartitionedTopic(topicName); + admin.topics().createSubscription(topicName, "sub-1", MessageId.earliest); + @Cleanup final PulsarClient client = PulsarClient.builder() + .serviceUrl(pulsar.getBrokerServiceUrlTls()) + .authentication(authentication) + .tlsTrustCertsFilePath(TLS_EC_TRUSTED_CERT_PATH) + .build(); + @Cleanup final Producer producer = client.newProducer() + .topic(topicName) + .create(); + @Cleanup final Consumer consumer = client.newConsumer() + .topic(topicName) + .subscriptionName("sub-1") + .consumerName("cons-1") + .subscribe(); + for (int i = 0; i < testMsgNum; i++) { + producer.send((i + "").getBytes(StandardCharsets.UTF_8)); + } + + for (int i = 0; i < testMsgNum; i++) { + final Message message = consumer.receive(); + assertNotNull(message); + final byte[] b = message.getValue(); + final String s = new String(b, StandardCharsets.UTF_8); + assertEquals(s, i + ""); + } + } +} diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECKeyStoreTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECKeyStoreTest.java new file mode 100644 index 00000000000000..fd0e677c41e9df --- /dev/null +++ b/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECKeyStoreTest.java 
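Review bot: `testConnectionFailWithoutCertificate` does not show that the broker rejects a client lacking a certificate: the client it builds also omits `tlsTrustCertsFilePath`, so as far as this hunk shows the handshake would already fail on the untrusted EC server certificate, and `doInitConf` never calls `conf.setTlsRequireTrustedClientCertOnConnect(true)`, unlike the keystore variant in this patch. Give the negative client `.tlsTrustCertsFilePath(TLS_EC_TRUSTED_CERT_PATH)` and require a trusted client certificate on the broker, so that the only thing missing is the client credential; the same truststore-less negative client appears in `TlsWithECKeyStoreTest`. Separately, `conf.setBrokerClientAuthenticationParameters(mapper.writeValueAsString(brokerClientAuthParams));` appears twice in `doInitConf`; drop the duplicate.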
@@ -0,0 +1,141 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.pulsar.security.tls.ec; + + +import static org.testng.Assert.assertEquals; +import static org.testng.Assert.assertNotNull; +import lombok.Cleanup; +import lombok.SneakyThrows; +import org.apache.pulsar.broker.auth.MockedPulsarServiceBaseTest; +import org.apache.pulsar.client.admin.PulsarAdmin; +import org.apache.pulsar.client.api.Consumer; +import org.apache.pulsar.client.api.Message; +import org.apache.pulsar.client.api.MessageId; +import org.apache.pulsar.client.api.Producer; +import org.apache.pulsar.client.api.PulsarClient; +import org.apache.pulsar.client.api.PulsarClientException; +import org.apache.pulsar.client.impl.auth.AuthenticationKeyStoreTls; +import org.testng.annotations.AfterClass; +import org.testng.annotations.BeforeClass; +import org.testng.annotations.Test; +import java.nio.charset.StandardCharsets; +import java.util.HashMap; +import java.util.Map; +import java.util.Optional; +import java.util.UUID; + + +@Test +public class TlsWithECKeyStoreTest extends MockedPulsarServiceBaseTest { + @Override + protected void doInitConf() throws Exception { + super.doInitConf(); + conf.setTlsEnabled(true); + 
conf.setBrokerServicePort(Optional.empty()); + conf.setWebServicePort(Optional.empty()); + conf.setTlsEnabledWithKeyStore(true); + conf.setTlsKeyStore(TLS_EC_KS_SERVER_STORE); + conf.setTlsKeyStorePassword(TLS_EC_KS_SERVER_PASS); + conf.setTlsTrustStore(TLS_EC_KS_TRUSTED_STORE); + conf.setTlsTrustStorePassword(TLS_EC_KS_TRUSTED_STORE_PASS); + conf.setTlsRequireTrustedClientCertOnConnect(true); + conf.setBrokerClientTlsEnabled(true); + conf.setBrokerClientTlsEnabledWithKeyStore(true); + conf.setBrokerClientTlsTrustStore(TLS_EC_KS_TRUSTED_STORE); + conf.setBrokerClientTlsTrustStorePassword(TLS_EC_KS_TRUSTED_STORE_PASS); + conf.setBrokerClientAuthenticationPlugin(AuthenticationKeyStoreTls.class.getName()); + final Map brokerClientAuthParams = new HashMap<>(); + brokerClientAuthParams.put("keyStorePath", TLS_EC_KS_BROKER_CLIENT_STORE); + brokerClientAuthParams.put("keyStorePassword", TLS_EC_KS_BROKER_CLIENT_PASS); + conf.setBrokerClientAuthenticationParameters(mapper.writeValueAsString(brokerClientAuthParams)); + } + + @BeforeClass(alwaysRun = true) + @Override + protected void setup() throws Exception { + init(); + admin = pulsar.getAdminClient(); + setupDefaultTenantAndNamespace(); + } + + @AfterClass(alwaysRun = true) + @Override + protected void cleanup() throws Exception { + internalCleanup(); + } + + @Test(expectedExceptions = PulsarClientException.class) + @SneakyThrows + public void testConnectionFailWithoutCertificate() { + @Cleanup final PulsarClient client = PulsarClient.builder() + .serviceUrl(pulsar.getBrokerServiceUrlTls()) + .build(); + @Cleanup final Producer producer = client.newProducer() + .topic("should_be_failed") + .create(); + } + + + @Test + @SneakyThrows + public void testConnectionSuccessWithCertificate() { + final String topicName = "persistent://public/default/" + UUID.randomUUID(); + final int testMsgNum = 10; + final Map clientAuthParams = new HashMap<>(); + clientAuthParams.put("keyStorePath", TLS_EC_KS_CLIENT_STORE); + 
clientAuthParams.put("keyStorePassword", TLS_EC_KS_CLIENT_PASS); + @Cleanup final PulsarAdmin admin = PulsarAdmin.builder() + .useKeyStoreTls(true) + .tlsTrustStorePath(TLS_EC_KS_TRUSTED_STORE) + .tlsTrustStorePassword(TLS_EC_KS_TRUSTED_STORE_PASS) + .authentication(AuthenticationKeyStoreTls.class.getName(), mapper.writeValueAsString(clientAuthParams)) + .serviceHttpUrl(pulsar.getWebServiceAddressTls()) + .build(); + admin.topics().createNonPartitionedTopic(topicName); + admin.topics().createSubscription(topicName, "sub-1", MessageId.earliest); + @Cleanup final PulsarClient client = PulsarClient.builder() + .serviceUrl(pulsar.getBrokerServiceUrlTls()) + .useKeyStoreTls(true) + .tlsTrustStorePath(TLS_EC_KS_TRUSTED_STORE) + .tlsTrustStorePassword(TLS_EC_KS_TRUSTED_STORE_PASS) + .authentication(AuthenticationKeyStoreTls.class.getName(), mapper.writeValueAsString(clientAuthParams)) + .build(); + @Cleanup final Producer producer = client.newProducer() + .topic(topicName) + .create(); + @Cleanup final Consumer consumer = client.newConsumer() + .topic(topicName) + .subscriptionName("sub-1") + .consumerName("cons-1") + .subscribe(); + for (int i = 0; i < testMsgNum; i++) { + producer.send((i + "").getBytes(StandardCharsets.UTF_8)); + } + + for (int i = 0; i < testMsgNum; i++) { + final Message message = consumer.receive(); + assertNotNull(message); + final byte[] b = message.getValue(); + final String s = new String(b, StandardCharsets.UTF_8); + assertEquals(s, i + ""); + } + } + +} diff --git a/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java b/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java index c288c054bb9f22..caa12f20b1be3e 100644 --- a/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java +++ b/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java 
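Review bot: `testConnectionSuccessWithCertificate` here repeats the produce/consume round-trip of `TlsWithECCertificateFileTest` line for line (topic creation, subscription, ten messages, the receive loop); since both classes already extend `MockedPulsarServiceBaseTest`, a protected helper there taking the configured `PulsarAdmin` and `PulsarClient` would leave each test with only the TLS wiring that actually differs. The import block also places `java.*` after `org.*`, the reverse of the sibling file, so one of the two will trip the project's import-order check if it is enforced for tests.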
@@ -48,10 +48,14 @@ import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; +import java.security.spec.InvalidKeySpecException; import java.security.spec.KeySpec; import java.security.spec.PKCS8EncodedKeySpec; +import java.util.ArrayList; +import java.util.Arrays; import java.util.Base64; import java.util.Collection; +import java.util.List; import java.util.Set; import java.util.concurrent.ScheduledExecutorService; import javax.net.ssl.HostnameVerifier; @@ -79,6 +83,10 @@ public class SecurityUtility { public static final String BC_NON_FIPS_PROVIDER_CLASS = "org.bouncycastle.jce.provider.BouncyCastleProvider"; public static final String CONSCRYPT_PROVIDER_CLASS = "org.conscrypt.OpenSSLProvider"; public static final Provider CONSCRYPT_PROVIDER = loadConscryptProvider(); + private static final List KEY_FACTORIES = Arrays.asList( + createKeyFactory("RSA"), + createKeyFactory("EC") + ); // Security.getProvider("BC") / Security.getProvider("BCFIPS"). // also used to get Factories. e.g. CertificateFactory.getInstance("X.509", "BCFIPS") 
@@ -504,15 +512,21 @@ public static PrivateKey loadPrivateKeyFromPemStream(InputStream inStream) throw while ((currentLine = reader.readLine()) != null && !currentLine.startsWith("-----END")) { sb.append(currentLine); } - - KeyFactory kf = KeyFactory.getInstance("RSA"); - KeySpec keySpec = new PKCS8EncodedKeySpec(Base64.getDecoder().decode(sb.toString())); - privateKey = kf.generatePrivate(keySpec); - } catch (GeneralSecurityException | IOException e) { + final KeySpec keySpec = new PKCS8EncodedKeySpec(Base64.getDecoder().decode(sb.toString())); + final List failedAlgorithm = new ArrayList<>(KEY_FACTORIES.size()); + for (KeyFactory kf : KEY_FACTORIES) { + try { + return kf.generatePrivate(keySpec); + } catch (InvalidKeySpecException ex) { + failedAlgorithm.add(kf.getAlgorithm()); + } + } + throw new KeyManagementException("The private key algorithm is not supported. attempted: " + + StringUtils.join(failedAlgorithm, ",")); + } catch (IOException e) { throw new KeyManagementException("Private key loading error", e); } - return privateKey; } private static void setupTrustCerts(SslContextBuilder builder, boolean allowInsecureConnection, @@ -573,4 +587,12 @@ public static Provider resolveProvider(String providerName) throws NoSuchAlgorit return provider; } + + private static KeyFactory createKeyFactory(String algorithm) { + try { + return KeyFactory.getInstance(algorithm); + } catch (Exception e) { + throw new IllegalArgumentException(String.format("Illegal key factory algorithm " + algorithm), e); + } + } } diff --git a/tests/certificate-authority/ec/broker_client.cert.pem b/tests/certificate-authority/ec/broker_client.cert.pem new file mode 100644 index 00000000000000..2993ed41ad9d62 --- /dev/null +++ b/tests/certificate-authority/ec/broker_client.cert.pem 
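Review bot: The `KeyManagementException` thrown after the loop carries no cause, so when neither factory accepts the key the `InvalidKeySpecException` that explains why (a non-PKCS#8 body, an unsupported curve, a truncated file) is lost; keep the last failure and chain it: `InvalidKeySpecException lastFailure = null;` before the loop, `lastFailure = ex;` inside the catch, and `throw new KeyManagementException("The private key algorithm is not supported. attempted: " + StringUtils.join(failedAlgorithm, ","), lastFailure);`. The message is also misleading, since the body is always wrapped in a `PKCS8EncodedKeySpec` regardless of the PEM header: a SEC1 `-----BEGIN EC PRIVATE KEY-----` file like the `*.key.pem` fixtures added by this patch would presumably fail here with "algorithm is not supported", so naming PKCS#8 in the message would save a support round-trip. If the `privateKey` local declared above the hunk is no longer assigned, it should be removed as well. `loadPrivateKeyFromPemStream` begins before this hunk.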
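Review bot: `String.format("Illegal key factory algorithm " + algorithm)` puts the algorithm name into the format string instead of passing it as an argument, so a name containing `%` would raise `IllegalFormatException` rather than the intended error; plain concatenation is what is meant: `throw new IllegalArgumentException("Illegal key factory algorithm " + algorithm, e);`. The `catch (Exception e)` should be narrowed to `NoSuchAlgorithmException`, the only checked exception `KeyFactory.getInstance(String)` declares. Note that `createKeyFactory` runs from the static initializer of `KEY_FACTORIES` in the earlier hunk, so a runtime whose providers offer no EC `KeyFactory` now fails to load `SecurityUtility` at all (an `ExceptionInInitializerError`), taking RSA-only deployments down with it; if that fail-fast is intended it deserves a comment on `KEY_FACTORIES`, otherwise skip factories whose algorithm is unavailable and let the per-key error report what was attempted.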
@@ -0,0 +1,9 @@ +-----BEGIN CERTIFICATE----- +MIIBIjCBygIUSAxJKNrIEmn3SVyw5rcYhwhKulwwCgYIKoZIzj0EAwIwETEPMA0G +A1UEAwwGQ0FSb290MB4XDTIzMTEyNDExNTE1M1oXDTMzMTEyMTExNTE1M1owGDEW +MBQGA1UEAwwNYnJva2VyX2NsaWVudDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA +BGxRL4naRhrTZ9T2WdMBkCNmiamkrzEiDO55RVjhpHGWIoqPOvzs8i97vCVx39GV +vV/9agDp2nSuXYW8ax3UKnkwCgYIKoZIzj0EAwIDRwAwRAIge8qxnGgmv5h+Yw3Y +Ab/6xFD5QWERGMlfIl4ZCO3o6S0CICS/4jj45GfAPZS9QPfuo15rEa9Rbvvmmi+K +yY0JA0SP +-----END CERTIFICATE----- diff --git a/tests/certificate-authority/ec/broker_client.csr.pem b/tests/certificate-authority/ec/broker_client.csr.pem new file mode 100644 index 00000000000000..1f10a3c77f2b67 --- /dev/null +++ b/tests/certificate-authority/ec/broker_client.csr.pem @@ -0,0 +1,7 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIHTMHoCAQAwGDEWMBQGA1UEAwwNYnJva2VyX2NsaWVudDBZMBMGByqGSM49AgEG +CCqGSM49AwEHA0IABGxRL4naRhrTZ9T2WdMBkCNmiamkrzEiDO55RVjhpHGWIoqP +Ovzs8i97vCVx39GVvV/9agDp2nSuXYW8ax3UKnmgADAKBggqhkjOPQQDAgNJADBG +AiEA8sGFcbQuUGIUTCXTQ0z9b0eIYFIDVOcGSInQ+0unMJMCIQCmH0GlXZRGB2lx +HtfIz76HNnVu153LsHE11AEx7d/j2g== +-----END CERTIFICATE REQUEST----- diff --git a/tests/certificate-authority/ec/broker_client.key-pk8.pem b/tests/certificate-authority/ec/broker_client.key-pk8.pem new file mode 100644 index 00000000000000..124073b0245640 --- /dev/null +++ b/tests/certificate-authority/ec/broker_client.key-pk8.pem @@ -0,0 +1,5 @@ +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgA92tkFXxKHYUJbeB +vvnMaGBnP2IenpF66Fikb06xbUKhRANCAARsUS+J2kYa02fU9lnTAZAjZomppK8x +IgzueUVY4aRxliKKjzr87PIve7wlcd/Rlb1f/WoA6dp0rl2FvGsd1Cp5 +-----END PRIVATE KEY----- diff --git a/tests/certificate-authority/ec/broker_client.key.pem b/tests/certificate-authority/ec/broker_client.key.pem new file mode 100644 index 00000000000000..4d4b5163b1bb4e --- /dev/null +++ b/tests/certificate-authority/ec/broker_client.key.pem 
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIAPdrZBV8Sh2FCW3gb75zGhgZz9iHp6ReuhYpG9OsW1CoAoGCCqGSM49
+AwEHoUQDQgAEbFEvidpGGtNn1PZZ0wGQI2aJqaSvMSIM7nlFWOGkcZYiio86/Ozy
+L3u8JXHf0ZW9X/1qAOnadK5dhbxrHdQqeQ==
+-----END EC PRIVATE KEY-----
diff --git a/tests/certificate-authority/ec/ca.cert.pem b/tests/certificate-authority/ec/ca.cert.pem
new file mode 100644
index 00000000000000..c10385d997e86a
--- /dev/null
+++ b/tests/certificate-authority/ec/ca.cert.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBeDCCAR2gAwIBAgIUKRGzcPm3RVuI7tXdPDAZZ7Vhqs8wCgYIKoZIzj0EAwIw
+ETEPMA0GA1UEAwwGQ0FSb290MB4XDTIzMTEyNDExNTExNVoXDTMzMTEyMTExNTEx
+NVowETEPMA0GA1UEAwwGQ0FSb290MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
+kOKZaL45B7PUB+G25GLP1PPfTkio/DaHUML+KJjxpdCnSmq+mt/EAQWlqNPB1hJv
+6kOJ52vSxKe02BMeuROed6NTMFEwHQYDVR0OBBYEFDkqfvrnJ7PJhxJ7FTA7o8+b
+f+CRMB8GA1UdIwQYMBaAFDkqfvrnJ7PJhxJ7FTA7o8+bf+CRMA8GA1UdEwEB/wQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAN9+TWNNbIz8rMdkf4LGoIeQzYcAEyGJ
+90ORM5JciBdaAiEA8UsuQBD4wO1t6plnRydkGMTeb1dNDEnhsuXOXBps8fE=
+-----END CERTIFICATE-----
diff --git a/tests/certificate-authority/ec/ca.cert.srl b/tests/certificate-authority/ec/ca.cert.srl
new file mode 100644
index 00000000000000..a30f44e979e729
--- /dev/null
+++ b/tests/certificate-authority/ec/ca.cert.srl
@@ -0,0 +1 @@
+480C4928DAC81269F7495CB0E6B71887084ABA5D
diff --git a/tests/certificate-authority/ec/ca.key.pem b/tests/certificate-authority/ec/ca.key.pem
new file mode 100644
index 00000000000000..1255354584869b
--- /dev/null
+++ b/tests/certificate-authority/ec/ca.key.pem
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIPT1Jap2sJ7NUGWT6q0fnSRoVRNNryWe/JHPwttyQke4oAoGCCqGSM49
+AwEHoUQDQgAEkOKZaL45B7PUB+G25GLP1PPfTkio/DaHUML+KJjxpdCnSmq+mt/E
+AQWlqNPB1hJv6kOJ52vSxKe02BMeuROedw==
+-----END EC PRIVATE KEY-----
diff --git a/tests/certificate-authority/ec/certificate_generation.txt b/tests/certificate-authority/ec/certificate_generation.txt
new file mode 100644
index 00000000000000..7a6caa7b8f4be0
--- /dev/null
+++ b/tests/certificate-authority/ec/certificate_generation.txt
@@ -0,0 +1,34 @@
+# CA Private Key
+openssl ecparam -name secp256r1 -genkey -out ca.key.pem
+# Request certificate
+openssl req -x509 -new -nodes -key ca.key.pem -subj "/CN=CARoot" -days 3650 -out ca.cert.pem
+
+# Server Private Key
+openssl ecparam -name secp256r1 -genkey -out server.key.pem
+# Convert to pkcs8
+openssl pkcs8 -topk8 -inform PEM -outform PEM -in server.key.pem -out server.key-pk8.pem -nocrypt
+# Request certificate
+openssl req -new -config server.conf -key server.key.pem -out server.csr.pem -sha256
+# Sign with CA
+openssl x509 -req -in server.csr.pem -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -out server.cert.pem -days 3650 -extensions v3_ext -extfile server.conf -sha256
+
+# Broker internal client Private Key
+openssl ecparam -name secp256r1 -genkey -out broker_client.key.pem
+# Convert to pkcs8
+openssl pkcs8 -topk8 -inform PEM -outform PEM -in broker_client.key.pem -out broker_client.key-pk8.pem -nocrypt
+# Request certificate
+openssl req -new -subj "/CN=broker_client" -key broker_client.key.pem -out broker_client.csr.pem -sha256
+# Sign with CA
+openssl x509 -req -in broker_client.csr.pem -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -out broker_client.cert.pem -days 3650 -sha256
+
+
+# Client Private Key
+openssl ecparam -name secp256r1 -genkey -out client.key.pem
+# Convert to pkcs8
+openssl pkcs8 -topk8 -inform PEM -outform PEM -in client.key.pem -out client.key-pk8.pem -nocrypt
+# Request certificate
+openssl req -new -subj "/CN=client" -key client.key.pem -out client.csr.pem -sha256
+# Sign with CA
+openssl x509 -req -in client.csr.pem -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -out client.cert.pem -days 3650 -sha256
+
+
diff --git a/tests/certificate-authority/ec/client.cert.pem b/tests/certificate-authority/ec/client.cert.pem
new file mode 100644
index 00000000000000..87701a6938d25a
--- /dev/null
+++ b/tests/certificate-authority/ec/client.cert.pem
@@ -0,0 +1,8 @@
+-----BEGIN CERTIFICATE-----
+MIIBHDCBwwIUSAxJKNrIEmn3SVyw5rcYhwhKul0wCgYIKoZIzj0EAwIwETEPMA0G
+A1UEAwwGQ0FSb290MB4XDTIzMTEyNDExNTIwNVoXDTMzMTEyMTExNTIwNVowETEP
+MA0GA1UEAwwGY2xpZW50MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4QZJuqZS
+mSDbjkoFGKvtYmSVaJ3IjtmgWsgQio4F5phIXpM6IZZfcLkJToY0b9W2jGhODK55
+jA+zkRxHrICkwTAKBggqhkjOPQQDAgNIADBFAiEA0iGNqg4t16SxFdZJu7o9gK8R
+XVXphQ/9XAtw4XqfCUYCIGLoExE9XKdkzZ+sahFOpKD6YLZ1GgPRBPpBJFBGTYu7
+-----END CERTIFICATE-----
diff --git a/tests/certificate-authority/ec/client.csr.pem b/tests/certificate-authority/ec/client.csr.pem
new file mode 100644
index 00000000000000..4ec08d410f504d
--- /dev/null
+++ b/tests/certificate-authority/ec/client.csr.pem
@@ -0,0 +1,7 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIHLMHMCAQAwETEPMA0GA1UEAwwGY2xpZW50MFkwEwYHKoZIzj0CAQYIKoZIzj0D
+AQcDQgAE4QZJuqZSmSDbjkoFGKvtYmSVaJ3IjtmgWsgQio4F5phIXpM6IZZfcLkJ
+ToY0b9W2jGhODK55jA+zkRxHrICkwaAAMAoGCCqGSM49BAMCA0gAMEUCIQDNZOBD
+Z/YAWKEeRSVqhPvIpFYob1gmQfDcBJdG8e0K8wIgcfO0PLquIZP9P8VrDkkLQdZ9
+krOKk+F/LF9aqQBHTbU=
+-----END CERTIFICATE REQUEST-----
diff --git a/tests/certificate-authority/ec/client.key-pk8.pem b/tests/certificate-authority/ec/client.key-pk8.pem
new file mode 100644
index 00000000000000..2b07827f214722
--- /dev/null
+++ b/tests/certificate-authority/ec/client.key-pk8.pem
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgrC3O+TuZ82b1bD1M
+SI9lMu6aaebqfoggcnaaAyUUstKhRANCAAThBkm6plKZINuOSgUYq+1iZJVonciO
+2aBayBCKjgXmmEhekzohll9wuQlOhjRv1baMaE4MrnmMD7ORHEesgKTB
+-----END PRIVATE KEY-----
diff --git a/tests/certificate-authority/ec/client.key.pem b/tests/certificate-authority/ec/client.key.pem
new file mode 100644
index 00000000000000..ac1207fa51c0b8
--- /dev/null
+++ b/tests/certificate-authority/ec/client.key.pem
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIKwtzvk7mfNm9Ww9TEiPZTLummnm6n6IIHJ2mgMlFLLSoAoGCCqGSM49
+AwEHoUQDQgAE4QZJuqZSmSDbjkoFGKvtYmSVaJ3IjtmgWsgQio4F5phIXpM6IZZf
+cLkJToY0b9W2jGhODK55jA+zkRxHrICkwQ==
+-----END EC PRIVATE KEY-----
diff --git a/tests/certificate-authority/ec/jks/broker_client.cert.pem b/tests/certificate-authority/ec/jks/broker_client.cert.pem
new file mode 100644
index 00000000000000..8a12e941d4e43a
--- /dev/null
+++ b/tests/certificate-authority/ec/jks/broker_client.cert.pem
@@ -0,0 +1,10 @@
+-----BEGIN NEW CERTIFICATE REQUEST-----
+MIIBXjCCAQQCAQAwcjEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA1UECBMHVW5rbm93
+bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMH
+VW5rbm93bjEWMBQGA1UEAwwNYnJva2VyX2NsaWVudDBZMBMGByqGSM49AgEGCCqG
+SM49AwEHA0IABNEOf45UIs53Va887xTFRkZlmCnJUwYeu50pEll1APUwcldIHMXY
+EqRqoTOcBtSRx4CpO9LMPFmyCS1E+afXnbKgMDAuBgkqhkiG9w0BCQ4xITAfMB0G
+A1UdDgQWBBQFrlAl1jTZMagQVrax+OLTDJAQujAKBggqhkjOPQQDAgNIADBFAiBA
+sgj2HrKwxCfoUbBIjYqRcLPRRVBsbYOGk4e2uFTZPwIhAN/AdQn786S/ebnwSUzR
+yPyKEH+Qspx9nB08sQNn9N6U
+-----END NEW CERTIFICATE REQUEST-----
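Review bot: `jks/broker_client.cert.pem` holds a certificate signing request (`-----BEGIN NEW CERTIFICATE REQUEST-----`), not a certificate, while the issued certificate lives in `jks/broker_client.signed.cert.pem`; the non-jks fixtures in this same commit use `broker_client.csr.pem` for the request and `broker_client.cert.pem` for the certificate, so the jks naming inverts that convention and invites the wrong file being wired into a test. Renaming the request to `jks/broker_client.csr.pem` (and the same for the sibling client and server requests, if they follow the same pattern) would keep both directories consistent; the accompanying key_store_generation.txt is not in this view, so it would need updating in step.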
diff --git a/tests/certificate-authority/ec/jks/broker_client.keystore.jks b/tests/certificate-authority/ec/jks/broker_client.keystore.jks new file mode 100644 index 0000000000000000000000000000000000000000..81ecf4497198c7999b51d3cd24784a1a30fc3b43 GIT binary patch literal 2034 zcma)7c{J1u8=l{o#WENg2G+yytnI_dV}<{&_(LatR6ufDB|lLP&#s zguN~bAc0Z_G7ZK+ChyQmAOkS`KM5ef7=X$St+Z1(gvkG`d6u9G@w!OxwOn(VQ}-QhxDvN zXv;YBTEnauAupi*&FsKFX1kSXu>dfFa>6)w57Ln*>->VQ+}|)+U#8>lvvysa^59PE z*@A@cw+mtP%TRxLVpXd%ecl7L&+;*Rv#t-HAzN*qp&F10O3V@-8j!UWHT`(aCrU882g< z#8zxj=A#78P;3k?jeOFrN;$RWKm>FP(@;09ma+Oeu(P~Vs|(-Q?BRKy^2!H>uSK*P zRma+H@B5c^5)3#K=I!Cn@hooVL~zM}u0^&pGa?f|l+FS}dFCYacv2f`V4OU};+;~BARjxp)ZPQ48saW#wAk3@C1Crahq2bJ z(m>bIYilFH{Wq)?zY%wLT`iZ-%|R`9Z4RZ%t?twEKlWO3s2AR+5NtSEcx^n_`%z;; zE5?YgvR*%Wp4GRMxj0(3@=0}X4xxjz$rBrRPBr5;{Z@8j(<+}I=zOapObErHCyI)~=^~&MC&9A@rUhoF{D18|sM)vKJ zz4E#yA|CLWY?c&_(1lmdi+q zUntLLLP?$r3vj+In^xcSF)B=KzjU=I>2guvX!h3o%o*|IX>b0pgu!Xvn?0i03nlMh zUyr&(dE$VU4{p8`cJbSb9up_Gcn8$V@<^N&pQYy{9|3~ghbw$9OGJKRHh(1(zp zL2Jz**-%=zZJ9bBd;6iQQg^T&RXLZGZ_tr{J2j*5n38Qt?3ANk29Kx>HmW&uyiSxw zsXJO}?YhhivMYSHK40&qsgm%Z-yha*(aYSj>lj<~Z~arNA9wK&EL{3+E?N&4KBwbO z{q+qeg@nIuwDG=~eSXlZ#G*yNAS+R=D)Q{xJt*jwTluT?Q^oQ5aO+0|RC*j?N%$*e zwo@(8rF)xSPDvo^KKX+n{8*Wc_ZZt+>DlU0`S#0rRzoY(L_^FqIfiPgU-hu%U3V>| z{afZ?dTQciDXW)$N%yw8l4~YvIKW-#=~KI+Vs`%eq9uV@>90G>VyZff_vzM6jir7t zj{ay8a*SJHd7$0?PVS~cp_;aIOJXMXjQ_TRyuQeKa24mrZ#cQjp-j>s-@PVM)l7)x#IF78lpRvUfi~R z+$1)j>E&49H~yrvr1CF)FTveFW%}f53h?m*b&Cccz=))z99`*y~H zr#M0Stcj-`r1Tw6VYw6N2(&Rg$93b24b%osmuMK2xs%vD_{NYbd+F?0IvRh~3n82H zL`j_pVGihCcYkhLt--+-{I%WV70Zw))?iu3p0*$2_-%@g5e1bi6>JQR0tY6HD{4-~ zx!2f!5=Io4Eoo|S1)bfmYL6v|SYu0=lQPsw(}F0;=$R`bhG`c*RuaVWf_#6qT8b1u zf|G3x&&EymS}n{wPQHTNtt$84uJhBDfVUmV@#)Yexv~s2QVb+aFwyank?$t!muV~! zO|0@_(G#g%A-1X;mRZNxgij{;$D%jp%s1|J+&DK!pEO9wd*4%ap=jt#!ojDq&JJ56 zlvag&J+F?3Qwk|d44UT`!xSOV2Gj#Zzkfm~0EfU7$AadQ`+wfW1n28rKU1|VNG)xO q&a(Ff&^}cIdm>)ez%UsL+?YYQ^_>TPn9$mL4t{*$8S($TjK2Z!esZ<| literal 0 HcmV?d00001 
diff --git a/tests/certificate-authority/ec/jks/broker_client.signed.cert.pem b/tests/certificate-authority/ec/jks/broker_client.signed.cert.pem
new file mode 100644
index 00000000000000..b91c69400c5d10
--- /dev/null
+++ b/tests/certificate-authority/ec/jks/broker_client.signed.cert.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBfTCCASQCFAJ6wB27laA1BCNConaAQPValPtaMAoGCCqGSM49BAMCMBExDzAN
+BgNVBAMMBkNBUm9vdDAeFw0yMzExMjUwNzAzNTNaFw0zMzExMjIwNzAzNTNaMHIx
+EDAOBgNVBAYTB1Vua25vd24xEDAOBgNVBAgTB1Vua25vd24xEDAOBgNVBAcTB1Vu
+a25vd24xEDAOBgNVBAoTB1Vua25vd24xEDAOBgNVBAsTB1Vua25vd24xFjAUBgNV
+BAMMDWJyb2tlcl9jbGllbnQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATRDn+O
+VCLOd1WvPO8UxUZGZZgpyVMGHrudKRJZdQD1MHJXSBzF2BKkaqEznAbUkceAqTvS
+zDxZsgktRPmn152yMAoGCCqGSM49BAMCA0cAMEQCIArXdTOx19Nn/a6bsfTYurQW
+4cepF5VKKijEjzyV69/BAiBpg60QwoZeSmz6bmil2zSb65jXrTzwhLpUZckVuHKn
+og==
+-----END CERTIFICATE-----
diff --git a/tests/certificate-authority/ec/jks/ca.cert.pem b/tests/certificate-authority/ec/jks/ca.cert.pem
new file mode 100644
index 00000000000000..a235464be7064a
--- /dev/null
+++ b/tests/certificate-authority/ec/jks/ca.cert.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBdjCCAR2gAwIBAgIUfHm94cF84m6FrJVNywJI4qTGZAEwCgYIKoZIzj0EAwIw
+ETEPMA0GA1UEAwwGQ0FSb290MB4XDTIzMTEyNTAxMzQzM1oXDTMzMTEyMjAxMzQz
+M1owETEPMA0GA1UEAwwGQ0FSb290MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
+Sxvkij8HQ+g07SnOLz1in81iGKY7lOAbJ1r4ihMVnOVjS2A4ZVGXHM2wp5ZB9r3Y
+jPByBiaPApm/J17JwlXynqNTMFEwHQYDVR0OBBYEFKqDJwbgz0/Q3EKJ78OVJI5k
+8+RYMB8GA1UdIwQYMBaAFKqDJwbgz0/Q3EKJ78OVJI5k8+RYMA8GA1UdEwEB/wQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgEF9RiwV0oBh9x1AvLFPoK5nnUlJ+0MNE
+zz8Zw284zkICIDUZOPN/E7ZmTKzfoZ0EkxRrinEZ5M538aNbYFAUYoK+
+-----END CERTIFICATE-----
diff --git a/tests/certificate-authority/ec/jks/ca.cert.srl b/tests/certificate-authority/ec/jks/ca.cert.srl
new file mode 100644
index 00000000000000..c7b003ddff2872
--- /dev/null
+++ b/tests/certificate-authority/ec/jks/ca.cert.srl
@@ -0,0 +1 @@
+027AC01DBB95A035042342A2768040F55A94FB5B
diff --git a/tests/certificate-authority/ec/jks/ca.key.pem b/tests/certificate-authority/ec/jks/ca.key.pem
new file mode 100644
index 00000000000000..57e595f139525a
--- /dev/null
+++ b/tests/certificate-authority/ec/jks/ca.key.pem
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIJ/5AX63GN8cadJUCa5Aza5592JS7go9TXNfYemS4Ku4oAoGCCqGSM49
+AwEHoUQDQgAESxvkij8HQ+g07SnOLz1in81iGKY7lOAbJ1r4ihMVnOVjS2A4ZVGX
+HM2wp5ZB9r3YjPByBiaPApm/J17JwlXyng==
+-----END EC PRIVATE KEY-----
diff --git a/tests/certificate-authority/ec/jks/ca.truststore.jks b/tests/certificate-authority/ec/jks/ca.truststore.jks new file mode 100644 index 0000000000000000000000000000000000000000..e2a667b21d6ac6593ce22d5796914de120835457 GIT binary patch literal 742 zcmXqLVtT~H$ZXKW)WgQ9)#lOmotKfFaX}MPElU$qB~Z8&hzk)?Y(S|bpimqWBLk2M zN60W5q`^6?yatg576>knfi{asy+Qu6J3Wq54c>_FyJV5sYA4L}j1P=c^HWP%D`of| z#wJgD_SMU2UsH2pjrA;!gvpPrUk04zaNf^zboY@fM_SAHA1wNmxp6;h{`M#GPj(6K z|G3BY{iiiz;wujt2lGyi`l1){U~RyUhz@oYmCrktemE(*@ys{*TkrFhFUqcYVfdpg z=E`aL6@t%t-taH`_ezobQqS$DbHA=DTyJX6x=ZjKcktXL_k)*Yak%lHDxd77@rEU# zjp@#uGK(xTrKkn@QmOkEKGkVa^qt;sDy6XMkiYMto>S$ltwzUnZ1VMFWKZiRH|uIK z9%(agFn#gLH&!IM*gS1kgwqt&`QbV@m&NIGt(IT4AXO{jf2C{Beev`vT@$q$)8cLH zl^s*Fnl~wQ%-X3~vQpcSGy74y=4GF=pDq;nO%k$LSuOEpMYKoX&RI{a|B5bur#ZP~ z=jum6mnIrG)m-0b^WdaIg!iA-N%Qv!i=2^^{Vwp=rJGrIQ&!+ViBg;VT#jPl^8eSP z_&HY_2}G@4);m?_g8^H=nA!z5mxFtbh@RYKV!|rZSoqB0aNUK}2g$wd+a=vi{*;DX z-Rm~DRGKID{Z@f1PgWehcK3pP@I2!KZ&`Yy_w&8>3O~2xd9GXmgLT`96Uo67vi%Mm z^571$-g9%VeZY>~_83ji>2FpX{$BpU@_o61uYsWfFFYAAF|snSDERag9FI*^e%f{!WCJ>9<518FL*wbjHbTl;hfED3ROTrlhDiE+rHqxg3QZ z?d(u)$&~0~h>*^aE@~{fl^yT%zE3^xU+?+j`+T48=kk5N&*z^nz(ce{z)*mPI1EP; zGZ-05XfOg?#zU}SJcQQ<>;dq=#Q&kdnlK(1zX2<6loDLwzb=$K7*dwj2BZmr&~JJ< zG~feJzK#Y^ZAB~0(n&Q?C%)5)`S z3w92;R9ZNp)TA}qlzu7V{ZrZVYVu~xyhl?|!dVnl!9&Abe6s4+Y5WT|P|$#wuv@;z zFeBRln%|B^;>e0RC{PfH13Cl>0Y!kK0p0JU3K<8({&Xljgh1X602Hbj#gsxe-3{>I z-$e*`84r%#fD|EM&_+Xivm?O&FC;cq`Ae~gAGBq5{n=|!>CHVos!9JOB!^<1!cW6w zg^G)h8jtR`3rgk5<)l^gI;-^^ln-5 zE5*tU43>LLPvOy2v)Lt|J6b7W>)S2(qq|g-tHfd0)-AuIgNmb~{QLlXPqz)*9Ud=j%U zd!d6~k&fGXeD#fUn1e$*SGtvIR7zc6^e(|@u^Co6S+G{CR@E?_pw4lpzUDieAl!?~ z)hDK}KQwRBKYY|wk&4TG-9%joQPRuGUshD8fm)M%^kHm4ewGW5{k5KzD{PT(OyDTa@=gI-wro@7Uy11+y!uhy%W<( z_<$pVCF0L|x=l)-wvmV*;{DpD_r?V?Wxia86B2OjLZ!XD_))B0%n53gtz~ycEohED zCdztvpV9nYdtZ@?sA1(Lc8_B4j9S`aP1H%Ff_W3RAX4nt8|F5Pu=&9%_f*8?JN^AgOw&JHUyyCKxRRHIUXqG$fSFajQ3_4tJCCnsa#+}yw$#;0GmQ~MMBDXZFEw@ZmtH#0e+-rVs)iE>`j~2P-UX_WX$sv;?M|GOMrg&CUBe@>CS=oH;pK+Qk 
zKK|JKcP{l0=&g&~@;gSC462-jU=NM&! zfg?iJMdK(PJ?Is8^_rq{r_a}C0se^ePl-{HspWOn7V29b?rNo9n0*j?sd`VgWGpk2 zS#zAW#Y6~+*xV_TP#&xqy9_fZw<6!|l&}Xw8@8UGjb@w~3g?fm`jWT{k9y*RRf9(R za*CF9)UVyI3hM~Ymt?+r^K95j=B|=90ndD!KXG?nXgj#H?rry+t1R$47#oUxH3d1M zDO0j|QP8&^?Gcrdc+nbvJ=V_PRdU$^I`!+m=m5HkNlJ3om3d{Q_&^dT{KrZ)vphr! zw)^V{_*Y}(`r>WV&m&q5AEo4A7ByaZY_I8)owU^0{#&#LMzi$G5FRr+pc=Od+m<|J z6zK#c^gM3wT@39aea`i;w+gUTPO1#5o;?ZCzk24Ho;mso&UB`lckHstsmZn%{a1ab zgurqbioiao-eRS7yH2)_ZBBMKT_J$K!>ysLDMt zbNuKc=z|M+=18h*KK)#4;9$qhNXb2iL2zP>HRTtZ{E!{Uo4$9X-R~?JDyk7Tj@Vcu zgtHt+cFF+pUiQ7jrGx-UkG33V5?Hoz4i1L$wR4FZ+}!3Y$cmD6+ix;hhQ z{l%@_NabXYineM@4$ahkDTW$=c(uXbzrB+q){~ zO#F}&w#LHl2ef`ZE31Z8)JB5npkPomDE6-m==~zqv1(8iZ)!xaF4i0X2m~y_#1tT6 z0Tvwla|i)1W5M-*K-v&6=tn{QV!;1Pq!YvRrGo|VPOA2$l==hhP3^}i+y5VtK5Uvn zP*Hc1Um}vZ0-LIfOctzcb5Tt)(o@K%>PP|$wIp zeRtI8EB2H)X@`&>Pfhwh9b&AMoLCuMHjYq_YidcEW)>&BNl@SG$eb_cEmwt2SMPDD zqdPp(<`Nt49USIIqowqdstY#jZ88Ev2cEI3-5qh*f`%78%A8WnaM6&Mie}@CD}#fq zGx{!8_Clk_+)9GzS@-MAYR8mu)foTX#!n(HJ50Rwra z|LS?kH+z6R2yn)km;e>bK!{mugQah6i~Hrhb|{;OTC(>|?fi_A$v4+$@~8rjgg({Q z8bKvZVvbFb>c?D`X)C&gy_;m-!f)0QP4t1$7GFue!x$Ib9dj>GhK2cwkwvv`<; z9YbtV_5^zT`F__6+eAYSlSy*l;`&RvCO#fDby%}noqD=QX_l`IYqlM&=X+0jvvZC6 z1BK!-#-sCFBIj5QnHa}!7U3}(xVWhV`MsUM})*VL7@tLNv!yiY+z(- zo|!iRP2*gwSY?(5&dV~JX;)8mzD{LN>;6%{TIuh7qCl$LsvalssGqvOmS$^jD^iXw zkE?3l>Q!^ESxxS$j{2Ect64TFXssn5W-Mjk{0PyTxwlHj$wg6eS+H|Qmvn4<)~J&0 zeYeYv7uO5QgG(H*?^fUB>yA&U;trQkTN5_txE{{&tBKmJ=$0P!Jdua|i=|T%%wa$@Ant;b}`P!xKp0b=O6Ub;%?z8 zO$F{>j2Of94a4GZZkEx_*0M@NOtG&DVLH?!uN!(~KKpU$*r8bBnTtM3<7{?~TrHHluAYT*pD+c!1q3+o9xyLcJqQpHt1Rk;Z zf#Ug?9)2NrGA)RC2D6SXQLu7pM4q?wM6l~l3Wl{Bh&ySKM?fT#+6AvfwN+Y%7?|59 znzMvN+f7mG^? 
z2pc4EBD6ae9tyw7o}uHS*kb|?$piP6;zPkaxuD{tbV_#?X`rKbK`KsEB2#=&@u62F zMU%#b_<(>vlqJ1Qixbt>;h1H{g!f{VZ^_$zH$wDmF=cT<Buaq=ut#8aC z@aLIr=1$fbq`+ly?x-f3mtdo~L597h4`AaJ!tK&4Mqbwn-;Of){ZBn~(vVXYZAW7` zfm^m4INqU%h!tAAid~U=zSP5*-Hqzh>wcY_9zD0^YZUWh^s81~t96TA=rLB$#gRY>T|A zp2-&p`<7MI4s7k%@HhSkkA0$3*uyzYVq5m6JRa7FsL$6~efS1)zy2zWDAd8jHKoVq zhEHgIPK=}t+2vcA9NDYXg^WhGFiF(;XI3AH)%_T