QPID-3973: QPID Java SSLUtil does not support non-JKS key store types

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.10, 0.12, 0.14, 0.16, 0.17
    • Fix Version/s: 0.17
    • Component/s: Java Client, Java Common
    • Environment: Java 1.6 in FIPS mode (NSS)

      Description

      We are required to run our system in FIPS-compliant mode, using the NSS library for Java Security. In this mode, we cannot use JKS for private key storage.

      Unfortunately, SSLUtil does not support configurable KeyStore types, and will throw an exception if we attempt to do this.

      1. 2012_05_08_Master_Patch.diff (18 kB, Jesse Sightler)
      2. qpid-java.diff (25 kB, Jesse Sightler)

        Activity

        Jesse Sightler added a comment -

        Potential fix... accepts java system properties for defining the keystore and truststore type.

        Robbie Gemmell added a comment -

        Hi Jesse,

        I don't believe this will have been changed since 0.10, but I do know the code your patch updates has been modified significantly since then and as a result there is little to no chance it applies to the current codebase. Qpid 0.16 has long branched for release and should be out in the next couple of weeks, but if you wanted to produce an updated patch against the current trunk we can certainly look to include it in the 0.18 release ~July/Aug.

        (sidenotes: the patch seems to have a scratch file in it, and we need you to grant permission for inclusion when attaching patches to JIRAs in order to actually use them).

        Robbie

        Jason Wong added a comment -

        Hi Robbie,

        Thanks for the quick response. We're working with Red Hat MRG-M which has its Java client library based on the 0.10 release. We're also engaging with Red Hat support to get a patch created for the current MRG-M client libraries but wanted to put this out to the community as well. As we get the patch created for the 0.10 release, we can also talk to support and the product team what is the best route of pushing the fix upstream for upcoming releases.

        Thanks,
        Jason

        Robbie Gemmell added a comment -

        Ok Jason, that's great, thanks for sharing.

        As an update on my earlier sidenote: the icon that usually indicates attachments have been granted for inclusion appears to have disappeared from JIRAs I know I ticked the box myself on previously, so please disregard my comment if you actually did tick the box Jesse. I wonder if a JIRA upgrade has broken the plugin or it has simply been removed, I'll try to take a look about and/or ask the ASF infrastructure team tomorrow.

        Robbie

        Jesse Sightler added a comment -

        Sorry about the scratch file in the patch. That was a mistake/leftover from my workspace.

        I did check the box to allow ASF inclusion, so I'm not sure why that wouldn't show up.

        Jesse Sightler added a comment -

        I have now updated the patch based upon the latest code from SVN (and the readonly Git Repo). The pull request is at:
        https://github.com/apache/qpid/pull/2

        Diff is also attached.

        Jesse Sightler added a comment -

        Updated to apply to trunk.

        Rob Godfrey added a comment -

        Applied a lightly modified version of the patch.

        The patch had a bug where the keyStoreType and keyStorePassword fields were passed in the wrong order on creation of the QpidClientX509KeyManager - this was picked up by one of the existing unit tests which failed on initial application of this patch.

        There were also a couple of deviations from our style guidelines.

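As an added illustration (not the project's code and not the attached patch), this shows the shape of what the issue asks for: key and trust store types read from Java system properties instead of being hard-wired to JKS, with a fail-fast type lookup of the kind that surfaces the swapped keyStoreType/keyStorePassword arguments Rob mentions. The property names are an assumption (the standard JSSE ones), since the page does not give the names the patch reads, and the code is kept Java 1.6 compatible to match the reported environment.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class ConfigurableStoreType {
    // Assumed property names (the standard JSSE ones); the patch's own names are not on the page.
    static final String KEY_STORE_TYPE_PROP = "javax.net.ssl.keyStoreType";
    static final String TRUST_STORE_TYPE_PROP = "javax.net.ssl.trustStoreType";
    // Store type from the system property, falling back to the JVM default (normally "jks")
    // so deployments that never set it keep working.
    static String resolveStoreType(String propertyName) {
        String type = System.getProperty(propertyName);
        return (type == null || type.trim().length() == 0) ? KeyStore.getDefaultType() : type.trim();
    }

    // Load a store of the given type. path may be null for provider-backed stores such as
    // PKCS11 (the NSS/FIPS case), where the key material lives in the token, not a file.
    static KeyStore loadStore(String path, char[] password, String type)
            throws GeneralSecurityException, IOException {
        // getInstance fails fast on an unregistered type, so a password handed in as the
        // type (the argument-order bug above) is caught here, not as a later handshake error.
        KeyStore store = KeyStore.getInstance(type);
        InputStream in = (path == null) ? null : new FileInputStream(path);
        try {
            store.load(in, password);
        } finally {
            if (in != null) in.close();
        }
        return store;
    }
    // Build an SSLContext whose key and trust store types both come from the properties.
    static SSLContext buildSslContext(String keyStorePath, char[] keyStorePassword,
                                      String trustStorePath, char[] trustStorePassword)
            throws GeneralSecurityException, IOException {
        KeyStore ks = loadStore(keyStorePath, keyStorePassword, resolveStoreType(KEY_STORE_TYPE_PROP));
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyStorePassword);
        KeyStore ts = loadStore(trustStorePath, trustStorePassword, resolveStoreType(TRUST_STORE_TYPE_PROP));
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

With a PKCS11 type configured and the NSS provider installed, the store path is null and the password is the token PIN; with no property set the behaviour is the same as the original JKS-only code.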

          People

          • Assignee: Rob Godfrey
          • Reporter: Jesse Sightler
