The following commit(s) were added to refs/heads/main by this push:
     new d291182b09 Http: use FIPS complaiant keystore and truststore (#5968)
d291182b09 is described below

commit d291182b09f0c8a4232749043a16bd229b8e6837
Author: JiriOndrusek <[email protected]>
AuthorDate: Mon Apr 8 13:52:17 2024 +0200

    Http: use FIPS compliant keystore and truststore (#5968)
---
 integration-test-groups/http/README.adoc           |   6 +-
 .../http/common/generate-certs.sh                  |  67 +++++++++++++++++++++
 .../component/http/common/CommonProducers.java     |  10 +--
 .../src/main/resources/application.properties      |   4 +-
 .../main/resources/jsse/client-truststore.pkcs12   | Bin 0 -> 2246 bytes
 .../common/src/main/resources/jsse/keystore.p12    | Bin 2421 -> 0 bytes
 .../main/resources/jsse/localhost-keystore.pkcs12  | Bin 0 -> 3638 bytes
 .../common/src/main/resources/jsse/truststore.jks  | Bin 1018 -> 0 bytes
 integration-test-groups/http/common/v3.ext         |   3 +
 pom.xml                                            |   2 +
 10 files changed, 83 insertions(+), 9 deletions(-)

diff --git a/integration-test-groups/http/README.adoc 
b/integration-test-groups/http/README.adoc
index a010749a0c..c1154c278e 100644
--- a/integration-test-groups/http/README.adoc
+++ b/integration-test-groups/http/README.adoc
@@ -1,5 +1,7 @@
 == Certificate for HTTPS
 
-Server keystore has to contain server certificate. It is possible to use 
self-signed certificate created by following command:
+Server keystore has to contain server certificate.
 
-`keytool -genkeypair -keystore keystore.p12 -storetype PKCS12 -storepass 
changeit -alias localhost -keyalg RSA -keysize 2048 -validity 99999 -dname 
"CN=localhost"'
+=== How to generate new keystore and truststore
+
+Delete folder `common/src/main/resources/jsse` and run the script 
`common/generate-certs.sh` to generate new keystore and truststore.
diff --git a/integration-test-groups/http/common/generate-certs.sh 
b/integration-test-groups/http/common/generate-certs.sh
new file mode 100755
index 0000000000..c14febd7cf
--- /dev/null
+++ b/integration-test-groups/http/common/generate-certs.sh
@@ -0,0 +1,67 @@
+#!/bin/bash
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+set -e
+set -x
+
+invocationDir="$(pwd)"
+workDir="target/openssl-work"
+destinationDir="src/main/resources/jsse"
+keySize=2048
+days=10000
+extFile="$(pwd)/v3.ext"
+encryptionAlgo="aes-256-cbc"
+
+if [[ -n "${JAVA_HOME}" ]] ; then
+  keytool="$JAVA_HOME/bin/keytool"
+elif ! [[ -x "$(command -v keytool)" ]] ; then
+  echo 'Error: Either add keytool to PATH or set JAVA_HOME' >&2
+  exit 1
+else
+  keytool="keytool"
+fi
+
+if ! [[ -x "$(command -v openssl)" ]] ; then
+  echo 'Error: openssl is not installed.' >&2
+  exit 1
+fi
+
+mkdir -p "$workDir"
+mkdir -p "$destinationDir"
+
+# Certificate authority
+openssl genrsa -out "$workDir/ca.key" $keySize
+openssl req -x509 -new -subj '/O=apache.org/OU=eng (NOT FOR PRODUCTION)/CN=ca' 
-key "$workDir/ca.key" -nodes -out "$workDir/ca.pem" -days $days -extensions 
v3_req
+openssl req -new -subj '/O=apache.org/OU=eng (NOT FOR PRODUCTION)/CN=ca' -x509 
-key "$workDir/ca.key" -days $days -out "$workDir/ca.crt"
+
+for actor in localhost; do
+  # Generate keys
+  openssl genrsa -out "$workDir/$actor.key" $keySize
+
+  # Generate certificates
+  openssl req -new -subj "/O=apache.org/OU=eng (NOT FOR PRODUCTION)/CN=$actor" 
-key "$workDir/$actor.key"  -out "$workDir/$actor.csr"
+  openssl x509 -req -in "$workDir/$actor.csr" -extfile "$extFile" -CA 
"$workDir/ca.pem" -CAkey "$workDir/ca.key" -CAcreateserial -days $days -out 
"$workDir/$actor.crt"
+
+  # Export keystores
+  openssl pkcs12 -export -in "$workDir/$actor.crt" -inkey 
"$workDir/$actor.key" -certfile "$workDir/ca.crt" -name "$actor" -out 
"$destinationDir/$actor-keystore.pkcs12" -passout 
pass:"${actor}-keystore-password" -keypbe "$encryptionAlgo" -certpbe 
"$encryptionAlgo"
+done
+
+
+# Truststore
+"$keytool" -import -file "$workDir/localhost.crt" -alias localhost -noprompt 
-keystore "$destinationDir/client-truststore.pkcs12" -storepass 
"client-truststore-password"
+"$keytool" -import -file "$workDir/ca.crt"     -alias ca     -noprompt 
-keystore "$destinationDir/client-truststore.pkcs12" -storepass 
"client-truststore-password"
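Review bot: The truststore built by the two keytool -import calls at the end of the script is left to keytool's default PKCS12 protection algorithms, whereas the keystore is explicitly exported with `-keypbe`/`-certpbe aes-256-cbc`; on JDKs that predate the PBES2/AES defaults keytool still writes certificate bags with the legacy RC2-40 PBE and an HMAC-SHA1 MAC, which is not FIPS-approved and would undercut the goal stated in the commit title. Pin the algorithms on both invocations, e.g. `-J-Dkeystore.pkcs12.certProtectionAlgorithm=PBEWithHmacSHA256AndAES_256 -J-Dkeystore.pkcs12.macAlgorithm=HmacPBESHA256` (or build the truststore with `openssl pkcs12 -export -nokeys` the same way as the keystore), and verify the committed binary with `openssl pkcs12 -info -nokeys` before checking it in. The CA certificate is also generated twice from the same key and subject (`ca.pem` signs the leaf, `ca.crt` is what lands in the keystore chain and the truststore); because v3.ext sets `authorityKeyIdentifier = keyid, issuer`, the leaf's AKI carries the serial of `ca.pem`, which differs from `ca.crt`, so generating one self-signed CA certificate and using it for both purposes is cleaner and avoids surprises with strict path validators. Finally, `set -x` echoes every `-passout`/`-storepass` argument into the build log; that is acceptable for these NOT FOR PRODUCTION fixtures but deserves a one-line comment saying so.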
diff --git 
a/integration-test-groups/http/common/src/main/java/org/apache/camel/quarkus/component/http/common/CommonProducers.java
 
b/integration-test-groups/http/common/src/main/java/org/apache/camel/quarkus/component/http/common/CommonProducers.java
index e05a911045..5d172a23de 100644
--- 
a/integration-test-groups/http/common/src/main/java/org/apache/camel/quarkus/component/http/common/CommonProducers.java
+++ 
b/integration-test-groups/http/common/src/main/java/org/apache/camel/quarkus/component/http/common/CommonProducers.java
@@ -27,12 +27,12 @@ public class CommonProducers {
     @Named
     public SSLContextParameters sslContextParameters() {
         KeyStoreParameters keystoreParameters = new KeyStoreParameters();
-        keystoreParameters.setResource("/jsse/keystore.p12");
-        keystoreParameters.setPassword("changeit");
+        keystoreParameters.setResource("/jsse/localhost-keystore.pkcs12");
+        keystoreParameters.setPassword("localhost-keystore-password");
 
         KeyStoreParameters truststoreParameters = new KeyStoreParameters();
-        truststoreParameters.setResource("/jsse/truststore.jks");
-        truststoreParameters.setPassword("changeit");
+        truststoreParameters.setResource("/jsse/client-truststore.pkcs12");
+        truststoreParameters.setPassword("client-truststore-password");
 
         TrustManagersParameters trustManagersParameters = new 
TrustManagersParameters();
         trustManagersParameters.setKeyStore(truststoreParameters);
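Review bot: The keystore and truststore paths and passwords are hard-coded here and duplicated in application.properties (`quarkus.http.ssl.certificate.key-store-*`) and in generate-certs.sh (`-passout pass:"${actor}-keystore-password"`, `-storepass "client-truststore-password"`); regenerating the fixtures with a different password would silently break this producer at runtime. Either inject the values with `@ConfigProperty(name = "quarkus.http.ssl.certificate.key-store-password")` so there is a single source of truth, or add a comment `// must match the passwords used by common/generate-certs.sh` above the two setPassword calls. The enclosing method sslContextParameters() continues past this hunk.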
@@ -40,7 +40,7 @@ public class CommonProducers {
         sslContextParameters.setTrustManagers(trustManagersParameters);
 
         KeyManagersParameters keyManagersParameters = new 
KeyManagersParameters();
-        keyManagersParameters.setKeyPassword("changeit");
+        keyManagersParameters.setKeyPassword("localhost-keystore-password");
         keyManagersParameters.setKeyStore(keystoreParameters);
         sslContextParameters.setKeyManagers(keyManagersParameters);
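Review bot: `setKeyPassword` reuses the store password, which is correct only because generate-certs.sh exports the PKCS12 with a single `-passout`, which protects the key bag, the certificate bags and the MAC with the same secret. A comment stating that dependency would save the next maintainer from guessing: `// key and store share one password: openssl pkcs12 -export -passout sets both`.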
 
diff --git 
a/integration-test-groups/http/common/src/main/resources/application.properties 
b/integration-test-groups/http/common/src/main/resources/application.properties
index b04a3f35fd..05e3b20242 100644
--- 
a/integration-test-groups/http/common/src/main/resources/application.properties
+++ 
b/integration-test-groups/http/common/src/main/resources/application.properties
@@ -31,7 +31,7 @@ quarkus.security.users.embedded.roles.admin=admin
 quarkus.security.users.embedded.roles.noadmin=user
 
 quarkus.http.insecure-requests=enabled
-quarkus.http.ssl.certificate.key-store-file=jsse/keystore.p12
-quarkus.http.ssl.certificate.key-store-password=changeit
+quarkus.http.ssl.certificate.key-store-file=jsse/localhost-keystore.pkcs12
+quarkus.http.ssl.certificate.key-store-password=localhost-keystore-password
 quarkus.resteasy.gzip.enabled=true
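Review bot: `quarkus.http.ssl.certificate.key-store-file` now points at a `.pkcs12` file while no `quarkus.http.ssl.certificate.key-store-file-type` is set; Quarkus infers the store type from the file extension and I believe `.pkcs12` is recognised alongside `.p12`, but pinning `quarkus.http.ssl.certificate.key-store-file-type=PKCS12` removes that dependency on inference. The password literal is also repeated in CommonProducers.java and generate-certs.sh, so a comment such as `# must match -passout in common/generate-certs.sh` would help keep the three in sync when the fixtures are regenerated.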
 
diff --git 
a/integration-test-groups/http/common/src/main/resources/jsse/client-truststore.pkcs12
 
b/integration-test-groups/http/common/src/main/resources/jsse/client-truststore.pkcs12
new file mode 100644
index 0000000000..f5b3fee8d4
Binary files /dev/null and 
b/integration-test-groups/http/common/src/main/resources/jsse/client-truststore.pkcs12
 differ
diff --git 
a/integration-test-groups/http/common/src/main/resources/jsse/keystore.p12 
b/integration-test-groups/http/common/src/main/resources/jsse/keystore.p12
deleted file mode 100644
index 36cc5db567..0000000000
Binary files 
a/integration-test-groups/http/common/src/main/resources/jsse/keystore.p12 and 
/dev/null differ
diff --git 
a/integration-test-groups/http/common/src/main/resources/jsse/localhost-keystore.pkcs12
 
b/integration-test-groups/http/common/src/main/resources/jsse/localhost-keystore.pkcs12
new file mode 100644
index 0000000000..ae9c588345
Binary files /dev/null and 
b/integration-test-groups/http/common/src/main/resources/jsse/localhost-keystore.pkcs12
 differ
diff --git 
a/integration-test-groups/http/common/src/main/resources/jsse/truststore.jks 
b/integration-test-groups/http/common/src/main/resources/jsse/truststore.jks
deleted file mode 100644
index 962450331a..0000000000
Binary files 
a/integration-test-groups/http/common/src/main/resources/jsse/truststore.jks 
and /dev/null differ
diff --git a/integration-test-groups/http/common/v3.ext 
b/integration-test-groups/http/common/v3.ext
new file mode 100644
index 0000000000..632d6d3a6f
--- /dev/null
+++ b/integration-test-groups/http/common/v3.ext
@@ -0,0 +1,3 @@
+authorityKeyIdentifier = keyid, issuer
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
\ No newline at end of file
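Review bot: The extension file carries no `subjectAltName`, so the localhost certificate it produces is CN-only; RFC 6125-style hostname verification in current browsers, curl and several HTTP client libraries ignores the CN entirely, and Java's CN fallback only applies when no SAN is present and is a legacy behaviour. Add `subjectAltName = DNS:localhost, IP:127.0.0.1` and `extendedKeyUsage = serverAuth` so the fixture keeps working if any client in the http test group enforces SAN matching, and so the certificate is explicitly scoped to TLS server use. `nonRepudiation` and `dataEncipherment` are not needed for a TLS server key and could be dropped, though they are harmless. The file also lacks a trailing newline, which OpenSSL tolerates but other config parsers may not.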
diff --git a/pom.xml b/pom.xml
index d5635aba27..debcfa713f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -536,6 +536,7 @@
                             <exclude>**/*.conf</exclude>
                             <exclude>**/*.csv</exclude>
                             <exclude>**/*.der</exclude>
+                            <exclude>**/*.ext</exclude>
                             <exclude>**/*.ftl</exclude>
                             <exclude>**/*.graphql</exclude>
                             <exclude>**/*.ics</exclude>
@@ -552,6 +553,7 @@
                             <exclude>**/*.mp4</exclude>
                             <exclude>**/*.mvel</exclude>
                             <exclude>**/*.p12</exclude>
+                            <exclude>**/*.pkcs12</exclude>
                             <exclude>**/*.pem</exclude>
                             <exclude>**/*.pgp</exclude>
                             <exclude>**/*.proto</exclude>
