| author | Robert Gemmell <robbie@apache.org> | 2013-03-14 17:19:20 +0000 |
|---|---|---|
| committer | Robert Gemmell <robbie@apache.org> | 2013-03-14 17:19:20 +0000 |
| commit | 7d3e03d5035e13fd8acc147a0e5d741ebd37b4fa (patch) | |
| tree | 7d71c54b1755f060bd405ec4158ed1703180c344 /qpid/java/broker/src/main | |
| parent | 098f65fa6eca15ee673392681bcaabcbb049bd04 (diff) | |
| download | qpid-python-7d3e03d5035e13fd8acc147a0e5d741ebd37b4fa.tar.gz | |
QPID-4636: add support for a broker 'peerStore' that can be used to perform SSL client auth based on specific 'trusted peer' certs existing in it, rather than via use of a trusted CA cert.
Applied patch from Michal Zerola
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1456554 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'qpid/java/broker/src/main')
5 files changed, 49 insertions, 17 deletions
diff --git a/qpid/java/broker/src/main/java/org/apache/qpid/server/model/Broker.java b/qpid/java/broker/src/main/java/org/apache/qpid/server/model/Broker.java
index c2b8b9886f..1d2fdd0452 100644
--- a/qpid/java/broker/src/main/java/org/apache/qpid/server/model/Broker.java
+++ b/qpid/java/broker/src/main/java/org/apache/qpid/server/model/Broker.java
@@ -87,6 +87,8 @@ public interface Broker extends ConfiguredObject
 String KEY_STORE_CERT_ALIAS = "keyStoreCertAlias";
 String TRUST_STORE_PATH = "trustStorePath";
 String TRUST_STORE_PASSWORD = "trustStorePassword";
+ String PEER_STORE_PATH = "peerStorePath";
+ String PEER_STORE_PASSWORD = "peerStorePassword";
 /*
 * A temporary attributes to set the broker group file.
@@ -136,6 +138,8 @@ public interface Broker extends ConfiguredObject
 KEY_STORE_CERT_ALIAS,
 TRUST_STORE_PATH,
 TRUST_STORE_PASSWORD,
+ PEER_STORE_PATH,
+ PEER_STORE_PASSWORD,
 GROUP_FILE
 ));
diff --git a/qpid/java/broker/src/main/java/org/apache/qpid/server/model/TrustStore.java b/qpid/java/broker/src/main/java/org/apache/qpid/server/model/TrustStore.java
index 0c322ae02f..53498ab431 100644
--- a/qpid/java/broker/src/main/java/org/apache/qpid/server/model/TrustStore.java
+++ b/qpid/java/broker/src/main/java/org/apache/qpid/server/model/TrustStore.java
@@ -38,6 +38,7 @@ public interface TrustStore extends ConfiguredObject
 String PATH = "path";
 String PASSWORD = "password";
+ String PEERS_ONLY = "peersOnly";
 String TYPE = "type";
 String KEY_MANAGER_FACTORY_ALGORITHM = "keyManagerFactoryAlgorithm";
@@ -55,6 +56,7 @@ public interface TrustStore extends ConfiguredObject
 DESCRIPTION,
 PATH,
 PASSWORD,
+ PEERS_ONLY,
 TYPE,
 KEY_MANAGER_FACTORY_ALGORITHM
 ));
diff --git a/qpid/java/broker/src/main/java/org/apache/qpid/server/model/adapter/AbstractKeyStoreAdapter.java b/qpid/java/broker/src/main/java/org/apache/qpid/server/model/adapter/AbstractKeyStoreAdapter.java
index ebd98f915d..80196c395e 100644
--- a/qpid/java/broker/src/main/java/org/apache/qpid/server/model/adapter/AbstractKeyStoreAdapter.java
+++ b/qpid/java/broker/src/main/java/org/apache/qpid/server/model/adapter/AbstractKeyStoreAdapter.java
@@ -47,6 +47,7 @@ public abstract class AbstractKeyStoreAdapter extends AbstractAdapter
 _name = MapValueConverter.getStringAttribute(TrustStore.NAME, attributes);
 _password = MapValueConverter.getStringAttribute(TrustStore.PASSWORD, attributes);
 setMandatoryAttribute(TrustStore.PATH, attributes);
+ setOptionalAttribute(TrustStore.PEERS_ONLY, attributes);
 setOptionalAttribute(TrustStore.TYPE, attributes);
 setOptionalAttribute(TrustStore.KEY_MANAGER_FACTORY_ALGORITHM, attributes);
 setOptionalAttribute(TrustStore.DESCRIPTION, attributes);
@@ -190,9 +191,17 @@ public abstract class AbstractKeyStoreAdapter extends AbstractAdapter
 private void setOptionalAttribute(String name, Map<String, Object> attributeValues)
 {
- if (attributeValues.get(name) != null)
+ Object attrValue = attributeValues.get(name);
+ if (attrValue != null)
 {
- changeAttribute(name, null, MapValueConverter.getStringAttribute(name, attributeValues));
+ if (attrValue instanceof Boolean)
+ {
+ changeAttribute(name, null, MapValueConverter.getBooleanAttribute(name, attributeValues));
+ }
+ else
+ {
+ changeAttribute(name, null, MapValueConverter.getStringAttribute(name, attributeValues));
+ }
 }
 }
 }
diff --git a/qpid/java/broker/src/main/java/org/apache/qpid/server/model/adapter/AmqpPortAdapter.java b/qpid/java/broker/src/main/java/org/apache/qpid/server/model/adapter/AmqpPortAdapter.java
index 95aafa9ceb..e7057f89d3 100644
--- a/qpid/java/broker/src/main/java/org/apache/qpid/server/model/adapter/AmqpPortAdapter.java
+++ b/qpid/java/broker/src/main/java/org/apache/qpid/server/model/adapter/AmqpPortAdapter.java
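Review bot: The new branch in setOptionalAttribute chooses the converter from the runtime type of the supplied value rather than from the attribute being set, so a `peersOnly` that arrives as the String "true" (plausible if values come from a text configuration) is stored as a String; the `(Boolean) trustStore.getAttribute(TrustStore.PEERS_ONLY)` cast in AmqpPortAdapter then fails with a ClassCastException. Because this attribute decides whether a store is matched by exact peer certificate or by CA chain, its type should be fixed by name rather than by what the caller happened to pass: `if (TrustStore.PEERS_ONLY.equals(name))` followed by `changeAttribute(name, null, MapValueConverter.getBooleanAttribute(name, attributeValues));`, assuming getBooleanAttribute accepts both Boolean and String inputs (its body is not visible here). A one-line comment on the else branch, `// all other optional attributes are strings`, would make the intent explicit.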
@@ -24,6 +24,7 @@ import static org.apache.qpid.transport.ConnectionSettings.WILDCARD_ADDRESS;
 import java.io.IOException;
 import java.net.InetSocketAddress;
 import java.security.GeneralSecurityException;
+import java.util.ArrayList;
 import java.util.Collection;
 import java.util.HashSet;
 import java.util.Map;
@@ -139,8 +140,8 @@ public class AmqpPortAdapter extends PortAdapter
 + this.getName() + "' but no key store defined");
 }
- TrustStore trustStore = _broker.getDefaultTrustStore();
- if (((Boolean)getAttribute(NEED_CLIENT_AUTH) || (Boolean)getAttribute(WANT_CLIENT_AUTH)) && trustStore == null)
+ Collection<TrustStore> trustStores = _broker.getTrustStores();
+ if (((Boolean)getAttribute(NEED_CLIENT_AUTH) || (Boolean)getAttribute(WANT_CLIENT_AUTH)) && trustStores.isEmpty())
 {
 throw new IllegalConfigurationException("Client certificate authentication is enabled on AMQP port '" + this.getName() + "' but no trust store defined");
@@ -155,20 +156,20 @@ public class AmqpPortAdapter extends PortAdapter
 final SSLContext sslContext;
 try
 {
- if(trustStore != null)
+ if(! trustStores.isEmpty())
 {
- String trustStorePassword = trustStore.getPassword();
- String trustStoreType = (String)trustStore.getAttribute(TrustStore.TYPE);
- String trustManagerFactoryAlgorithm = (String)trustStore.getAttribute(TrustStore.KEY_MANAGER_FACTORY_ALGORITHM);
- String trustStorePath = (String)trustStore.getAttribute(TrustStore.PATH);
-
- sslContext = SSLContextFactory.buildClientContext(trustStorePath,
- trustStorePassword,
- trustStoreType,
- trustManagerFactoryAlgorithm,
- keystorePath,
- keystorePassword, keystoreType, keyManagerFactoryAlgorithm,
- certAlias);
+ Collection<SSLContextFactory.TrustStoreWrapper> trstWrappers = new ArrayList<SSLContextFactory.TrustStoreWrapper>();
+ for (TrustStore trustStore : trustStores)
+ {
+ trstWrappers.add(new SSLContextFactory.TrustStoreWrapper((String)trustStore.getAttribute(TrustStore.PATH),
+ trustStore.getPassword(),
+ (String)trustStore.getAttribute(TrustStore.TYPE),
+ (Boolean) trustStore.getAttribute(TrustStore.PEERS_ONLY),
+ (String)trustStore.getAttribute(TrustStore.KEY_MANAGER_FACTORY_ALGORITHM)));
+ }
+ sslContext = SSLContextFactory.buildClientContext(trstWrappers, keystorePath,
+ keystorePassword, keystoreType,
+ keyManagerFactoryAlgorithm, certAlias);
 }
 else
 {
diff --git a/qpid/java/broker/src/main/java/org/apache/qpid/server/model/adapter/BrokerAdapter.java b/qpid/java/broker/src/main/java/org/apache/qpid/server/model/adapter/BrokerAdapter.java
index 291f751a5c..8c0ac06fdd 100644
--- a/qpid/java/broker/src/main/java/org/apache/qpid/server/model/adapter/BrokerAdapter.java
+++ b/qpid/java/broker/src/main/java/org/apache/qpid/server/model/adapter/BrokerAdapter.java
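Review bot: `(Boolean) trustStore.getAttribute(TrustStore.PEERS_ONLY)` inside the new loop is null for any trust store that never set the optional attribute (in this commit only the peer store built in BrokerAdapter sets it); if TrustStoreWrapper's constructor takes a primitive `boolean` that unboxing throws a NullPointerException when the port starts, and if it takes `Boolean` the null still has to be interpreted somewhere out of sight. Resolving the default at the call site, `Boolean.TRUE.equals(trustStore.getAttribute(TrustStore.PEERS_ONLY))`, pins the meaning of an unset attribute to "ordinary CA trust store" in the one place that builds the SSLContext. Separately, the port now folds every store returned by `_broker.getTrustStores()` into a single context where it previously used only the default trust store, so any registered trust store becomes a client-authentication anchor on this port; a comment stating that widening, `// every registered trust store (CA or peers-only) is trusted for client auth on this port`, would make it a deliberate choice rather than a side effect. The enclosing method starts before and ends after this hunk.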
@@ -101,6 +101,8 @@ public class BrokerAdapter extends AbstractAdapter implements Broker, Configurat
 put(KEY_STORE_CERT_ALIAS, String.class);
 put(TRUST_STORE_PATH, String.class);
 put(TRUST_STORE_PASSWORD, String.class);
+ put(PEER_STORE_PATH, String.class);
+ put(PEER_STORE_PASSWORD, String.class);
 put(GROUP_FILE, String.class);
 }});
@@ -231,6 +233,20 @@ public class BrokerAdapter extends AbstractAdapter implements Broker, Configurat
 TrustStoreAdapter trustStore = new TrustStoreAdapter(_defaultTrustStoreId, this, trsustStoreAttributes);
 addTrustStore(trustStore);
 }
+ String peerStorePath = (String) getAttribute(PEER_STORE_PATH);
+ if (peerStorePath != null)
+ {
+ Map<String, Object> peerStoreAttributes = new HashMap<String, Object>();
+ UUID peerStoreId = UUID.randomUUID();
+ peerStoreAttributes.put(TrustStore.NAME, peerStoreId.toString());
+ peerStoreAttributes.put(TrustStore.PATH, peerStorePath);
+ peerStoreAttributes.put(TrustStore.PEERS_ONLY, Boolean.TRUE);
+ peerStoreAttributes.put(TrustStore.PASSWORD, (String) actualAttributes.get(PEER_STORE_PASSWORD));
+ peerStoreAttributes.put(TrustStore.TYPE, java.security.KeyStore.getDefaultType());
+ peerStoreAttributes.put(TrustStore.KEY_MANAGER_FACTORY_ALGORITHM, KeyManagerFactory.getDefaultAlgorithm());
+ TrustStoreAdapter trustStore = new TrustStoreAdapter(peerStoreId, this, peerStoreAttributes);
+ addTrustStore(trustStore);
+ }
 }
 public Collection<VirtualHost> getVirtualHosts()
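Review bot: The peer store's path is read through `getAttribute(PEER_STORE_PATH)` while its password comes from the raw `actualAttributes.get(PEER_STORE_PASSWORD)`; if getAttribute applies defaults or overrides that the raw map does not, the store can end up configured with a path from one source and a password from another, and a null password is put into the map without any check that the peer store can actually be opened. Reading both the same way, `(String) getAttribute(PEER_STORE_PASSWORD)`, removes the mismatch. The store is also registered under a fresh `UUID.randomUUID()` as both its id and its NAME, so unlike the default trust store keyed by `_defaultTrustStoreId` it cannot be recognised in logs or management output from one start to the next; a stable constant id and a descriptive name would help operators verify which certificates are being trusted. The enclosing method starts outside the hunk.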
