From 65579624500a4a397faaefaccc353cacbe1282e7 Mon Sep 17 00:00:00 2001 
From: Mattison Chao Date: Fri, 24 Nov 2023 21:16:59 +0800 Subject: [PATCH 01/12] [improve][security] Support Tls with EC private key algorithm --- .../pulsar/base/MockedPulsarStandalone.java | 145 ++++++++++++++++++ .../tls/ec/TlsWithECCertificateTest.java | 107 +++++++++++++ .../tls/ec/broker_client.cert.pem | 9 ++ .../tls/ec/broker_client.csr.pem | 7 + .../tls/ec/broker_client.key-pk8.pem | 5 + .../tls/ec/broker_client.key.pem | 8 + .../authentication/tls/ec/ca.cert.pem | 10 ++ .../authentication/tls/ec/ca.cert.srl | 1 + .../authentication/tls/ec/ca.key.pem | 8 + .../tls/ec/certificate_generation.txt | 34 ++++ .../authentication/tls/ec/client.cert.pem | 8 + .../authentication/tls/ec/client.csr.pem | 7 + .../authentication/tls/ec/client.key-pk8.pem | 5 + .../authentication/tls/ec/client.key.pem | 8 + .../authentication/tls/ec/server.cert.pem | 13 ++ .../authentication/tls/ec/server.conf | 21 +++ .../authentication/tls/ec/server.csr.pem | 7 + .../authentication/tls/ec/server.key-pk8.pem | 5 + .../authentication/tls/ec/server.key.pem | 8 + .../pulsar/common/util/SecurityUtility.java | 34 +++- 20 files changed, 444 insertions(+), 6 deletions(-) create mode 100644 pulsar-broker/src/test/java/org/apache/pulsar/base/MockedPulsarStandalone.java create mode 100644 pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECCertificateTest.java create mode 100644 pulsar-broker/src/test/resources/authentication/tls/ec/broker_client.cert.pem create mode 100644 pulsar-broker/src/test/resources/authentication/tls/ec/broker_client.csr.pem create mode 100644 pulsar-broker/src/test/resources/authentication/tls/ec/broker_client.key-pk8.pem create mode 100644 pulsar-broker/src/test/resources/authentication/tls/ec/broker_client.key.pem create mode 100644 pulsar-broker/src/test/resources/authentication/tls/ec/ca.cert.pem create mode 100644 pulsar-broker/src/test/resources/authentication/tls/ec/ca.cert.srl create mode 100644 
pulsar-broker/src/test/resources/authentication/tls/ec/ca.key.pem create mode 100644 pulsar-broker/src/test/resources/authentication/tls/ec/certificate_generation.txt create mode 100644 pulsar-broker/src/test/resources/authentication/tls/ec/client.cert.pem create mode 100644 pulsar-broker/src/test/resources/authentication/tls/ec/client.csr.pem create mode 100644 pulsar-broker/src/test/resources/authentication/tls/ec/client.key-pk8.pem create mode 100644 pulsar-broker/src/test/resources/authentication/tls/ec/client.key.pem create mode 100644 pulsar-broker/src/test/resources/authentication/tls/ec/server.cert.pem create mode 100644 pulsar-broker/src/test/resources/authentication/tls/ec/server.conf create mode 100644 pulsar-broker/src/test/resources/authentication/tls/ec/server.csr.pem create mode 100644 pulsar-broker/src/test/resources/authentication/tls/ec/server.key-pk8.pem create mode 100644 pulsar-broker/src/test/resources/authentication/tls/ec/server.key.pem diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/base/MockedPulsarStandalone.java b/pulsar-broker/src/test/java/org/apache/pulsar/base/MockedPulsarStandalone.java new file mode 100644 index 0000000000000..9b46103895352 --- /dev/null +++ b/pulsar-broker/src/test/java/org/apache/pulsar/base/MockedPulsarStandalone.java 
@@ -0,0 +1,145 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.pulsar.base;
+
+import static java.util.Objects.requireNonNull;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.common.collect.Sets;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Optional;
+import lombok.Getter;
+import lombok.SneakyThrows;
+import org.apache.pulsar.broker.PulsarService;
+import org.apache.pulsar.broker.ServiceConfiguration;
+import org.apache.pulsar.broker.authentication.AuthenticationProviderTls;
+import org.apache.pulsar.broker.testcontext.PulsarTestContext;
+import org.apache.pulsar.client.admin.PulsarAdmin;
+import org.apache.pulsar.client.impl.auth.AuthenticationTls;
+import org.apache.pulsar.common.policies.data.ClusterData;
+import org.apache.pulsar.common.policies.data.TenantInfo;
+
+
+public abstract class MockedPulsarStandalone implements AutoCloseable {
+
+ @Getter
+ private final ServiceConfiguration serviceConfiguration = new ServiceConfiguration();
+ private PulsarTestContext pulsarTestContext;
+
+ @Getter
+ private PulsarService pulsarService;
+ private PulsarAdmin serviceInternalAdmin;
+
+
+ {
+ serviceConfiguration.setClusterName(TEST_CLUSTER_NAME);
+ serviceConfiguration.setBrokerShutdownTimeoutMs(0L);
+ serviceConfiguration.setBrokerServicePort(Optional.of(0));
+ serviceConfiguration.setBrokerServicePortTls(Optional.of(0));
+ serviceConfiguration.setAdvertisedAddress("localhost");
+ serviceConfiguration.setWebServicePort(Optional.of(0));
+ serviceConfiguration.setWebServicePortTls(Optional.of(0));
+ serviceConfiguration.setNumExecutorThreadPoolSize(5);
+ serviceConfiguration.setExposeBundlesMetricsInPrometheus(true);
+ }
+
+ @SneakyThrows
+ protected void loadECTlsCertificate() {
+ serviceConfiguration.setTlsEnabled(true);
+ serviceConfiguration.setBrokerServicePort(Optional.empty());
+ serviceConfiguration.setWebServicePort(Optional.empty());
+ serviceConfiguration.setTlsTrustCertsFilePath(TLS_EC_TRUSTED_CERT_PATH);
+ serviceConfiguration.setTlsCertificateFilePath(TLS_EC_SERVER_CERT_PATH);
+ serviceConfiguration.setTlsKeyFilePath(TLS_EC_SERVER_KEY_PATH);
+ serviceConfiguration.setBrokerClientTlsEnabled(true);
+ serviceConfiguration.setBrokerClientTrustCertsFilePath(TLS_EC_TRUSTED_CERT_PATH);
+ serviceConfiguration.setBrokerClientAuthenticationPlugin(AuthenticationTls.class.getName());
+ final Map brokerClientAuthParams = new HashMap<>();
+ brokerClientAuthParams.put("tlsCertFile", TLS_EC_BROKER_CLIENT_CERT_PATH);
+ brokerClientAuthParams.put("tlsKeyFile", TLS_EC_BROKER_CLIENT_KEY_PATH);
+ serviceConfiguration.setBrokerClientAuthenticationParameters(mapper.writeValueAsString(brokerClientAuthParams));
+ }
+
+ protected void enableTlsAuthentication() {
+ serviceConfiguration.setAuthenticationEnabled(true);
+ serviceConfiguration.setAuthenticationProviders(Sets.newHashSet(AuthenticationProviderTls.class.getName()));
+ }
+
+ @SneakyThrows
+ protected void start() {
+ this.pulsarTestContext = PulsarTestContext.builder()
+ .spyByDefault()
+ .config(serviceConfiguration)
+ .withMockZookeeper(false)
+ .build();
+ this.pulsarService = pulsarTestContext.getPulsarService();
+ this.serviceInternalAdmin = pulsarService.getAdminClient();
+ setupDefaultTenantAndNamespace();
+ }
+
+ private void setupDefaultTenantAndNamespace() throws Exception {
+ if (!serviceInternalAdmin.clusters().getClusters().contains(TEST_CLUSTER_NAME)) {
+ serviceInternalAdmin.clusters().createCluster(TEST_CLUSTER_NAME,
+ ClusterData.builder().serviceUrl(pulsarService.getWebServiceAddress()).build());
+ }
+ if (!serviceInternalAdmin.tenants().getTenants().contains(DEFAULT_TENANT)) {
+ serviceInternalAdmin.tenants().createTenant(DEFAULT_TENANT, TenantInfo.builder().allowedClusters(
+ Sets.newHashSet(TEST_CLUSTER_NAME)).build());
+ }
+ if (!serviceInternalAdmin.namespaces().getNamespaces(DEFAULT_TENANT).contains(DEFAULT_NAMESPACE)) {
+ serviceInternalAdmin.namespaces().createNamespace(DEFAULT_NAMESPACE);
+ }
+ }
+
+
+ @Override
+ public void close() throws Exception {
+ if (pulsarTestContext != null) {
+ pulsarTestContext.close();
+ }
+ }
+
+ private static String getPathFromResource(String resourceName) {
+ return requireNonNull(MockedPulsarStandalone.class.getClassLoader().getResource(resourceName)).getPath();
+ }
+
+ // Utils
+ private static final ObjectMapper mapper = new ObjectMapper();
+
+ // Static name
+ private static final String DEFAULT_TENANT = "public";
+ private static final String DEFAULT_NAMESPACE = "public/default";
+ private static final String TEST_CLUSTER_NAME = "test-standalone";
+
+ // EC certificate
+ protected static final String TLS_EC_TRUSTED_CERT_PATH =
+ getPathFromResource("authentication/tls/ec/ca.cert.pem");
+ private static final String TLS_EC_SERVER_KEY_PATH =
+ getPathFromResource("authentication/tls/ec/server.key-pk8.pem");
+ private static final String TLS_EC_SERVER_CERT_PATH =
+ getPathFromResource("authentication/tls/ec/server.cert.pem");
+ private static final String TLS_EC_BROKER_CLIENT_KEY_PATH =
+ getPathFromResource("authentication/tls/ec/broker_client.key-pk8.pem");
+ private static final String TLS_EC_BROKER_CLIENT_CERT_PATH =
+ getPathFromResource("authentication/tls/ec/broker_client.cert.pem");
+ protected static final String TLS_EC_CLIENT_KEY_PATH =
+ getPathFromResource("authentication/tls/ec/client.key-pk8.pem");
+ protected static final String TLS_EC_CLIENT_CERT_PATH =
+ getPathFromResource("authentication/tls/ec/client.cert.pem");
+}
diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECCertificateTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECCertificateTest.java
new file mode 100644
index 0000000000000..694f99e252dc2
--- /dev/null
+++ b/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECCertificateTest.java
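Review bot: The fixture advertises the broker as `localhost` (`setAdvertisedAddress("localhost")` in the instance initializer), but the server certificate added by this patch is issued only for the SANs `pulsar`, `pulsar.default`, `127.0.0.1` and `192.168.1.2` (see `server.conf`). Assuming the TLS service URLs are derived from the advertised address, every client built on this base class can connect only while TLS hostname verification stays off, so the EC path is never exercised with verification enabled. Either use `serviceConfiguration.setAdvertisedAddress("127.0.0.1");` or add `DNS.3 = localhost` to `server.conf` and regenerate the server certificate, then turn hostname verification on in at least one test.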
@@ -0,0 +1,107 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.pulsar.security.tls.ec;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import java.nio.charset.StandardCharsets;
+import java.util.UUID;
+import lombok.Cleanup;
+import lombok.SneakyThrows;
+import org.apache.pulsar.base.MockedPulsarStandalone;
+import org.apache.pulsar.client.admin.PulsarAdmin;
+import org.apache.pulsar.client.api.Consumer;
+import org.apache.pulsar.client.api.Message;
+import org.apache.pulsar.client.api.MessageId;
+import org.apache.pulsar.client.api.Producer;
+import org.apache.pulsar.client.api.PulsarClient;
+import org.apache.pulsar.client.api.PulsarClientException;
+import org.apache.pulsar.client.impl.auth.AuthenticationTls;
+import org.testng.annotations.AfterClass;
+import org.testng.annotations.BeforeClass;
+import org.testng.annotations.Test;
+
+@Test
+public class TlsWithECCertificateTest extends MockedPulsarStandalone {
+
+ @BeforeClass(alwaysRun = true)
+ public void suitSetup() {
+ loadECTlsCertificate();
+ enableTlsAuthentication();
+ super.start(); // start standalone service
+ }
+
+ @SneakyThrows
+ @AfterClass(alwaysRun = true)
+ public void suitShutdown() {
+ super.close(); // close standalone service
+ }
+
+
+ @Test(expectedExceptions = PulsarClientException.class)
+ @SneakyThrows
+ public void testConnectionFailWithoutCertificate() {
+ @Cleanup final PulsarClient client = PulsarClient.builder()
+ .serviceUrl(getPulsarService().getBrokerServiceUrlTls())
+ .build();
+ @Cleanup final Producer producer = client.newProducer()
+ .topic("should_be_failed")
+ .create();
+ }
+
+
+ @Test
+ @SneakyThrows
+ public void testConnectionSuccessWithCertificate() {
+ final AuthenticationTls authentication = new AuthenticationTls(TLS_EC_CLIENT_CERT_PATH, TLS_EC_CLIENT_KEY_PATH);
+ final String topicName = "persistent://public/default/" + UUID.randomUUID();
+ final int testMsgNum = 10;
+ final PulsarAdmin admin = PulsarAdmin.builder()
+ .authentication(authentication)
+ .serviceHttpUrl(getPulsarService().getWebServiceAddressTls())
+ .tlsTrustCertsFilePath(TLS_EC_TRUSTED_CERT_PATH)
+ .build();
+ admin.topics().createNonPartitionedTopic(topicName);
+ admin.topics().createSubscription(topicName, "sub-1", MessageId.earliest);
+ @Cleanup final PulsarClient client = PulsarClient.builder()
+ .serviceUrl(getPulsarService().getBrokerServiceUrlTls())
+ .authentication(authentication)
+ .tlsTrustCertsFilePath(TLS_EC_TRUSTED_CERT_PATH)
+ .build();
+ @Cleanup final Producer producer = client.newProducer()
+ .topic(topicName)
+ .create();
+ @Cleanup final Consumer consumer = client.newConsumer()
+ .topic(topicName)
+ .subscriptionName("sub-1")
+ .consumerName("cons-1")
+ .subscribe();
+ for (int i = 0; i < testMsgNum; i++) {
+ producer.send((i + "").getBytes(StandardCharsets.UTF_8));
+ }
+
+ for (int i = 0; i < testMsgNum; i++) {
+ final Message message = consumer.receive();
+ assertNotNull(message);
+ final byte[] b = message.getValue();
+ final String s = new String(b, StandardCharsets.UTF_8);
+ assertEquals(s, i + "");
+ }
+ }
+}
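Review bot: `testConnectionFailWithoutCertificate` builds its client without `tlsTrustCertsFilePath`, so the expected `PulsarClientException` is presumably raised because the client does not trust the test CA, before client authentication is evaluated at all. The test would therefore still pass if the broker accepted TLS clients that present no certificate. Adding `.tlsTrustCertsFilePath(TLS_EC_TRUSTED_CERT_PATH)` to that builder makes the missing client certificate the only difference from the success case. Separately, `admin` in `testConnectionSuccessWithCertificate` is never closed; declare it as `@Cleanup final PulsarAdmin admin = ...` like the client, producer and consumer.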
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/broker_client.cert.pem b/pulsar-broker/src/test/resources/authentication/tls/ec/broker_client.cert.pem new file mode 100644 index 0000000000000..2993ed41ad9d6 --- /dev/null +++ b/pulsar-broker/src/test/resources/authentication/tls/ec/broker_client.cert.pem @@ -0,0 +1,9 @@ +-----BEGIN CERTIFICATE----- +MIIBIjCBygIUSAxJKNrIEmn3SVyw5rcYhwhKulwwCgYIKoZIzj0EAwIwETEPMA0G +A1UEAwwGQ0FSb290MB4XDTIzMTEyNDExNTE1M1oXDTMzMTEyMTExNTE1M1owGDEW +MBQGA1UEAwwNYnJva2VyX2NsaWVudDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA +BGxRL4naRhrTZ9T2WdMBkCNmiamkrzEiDO55RVjhpHGWIoqPOvzs8i97vCVx39GV +vV/9agDp2nSuXYW8ax3UKnkwCgYIKoZIzj0EAwIDRwAwRAIge8qxnGgmv5h+Yw3Y +Ab/6xFD5QWERGMlfIl4ZCO3o6S0CICS/4jj45GfAPZS9QPfuo15rEa9Rbvvmmi+K +yY0JA0SP +-----END CERTIFICATE----- diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/broker_client.csr.pem b/pulsar-broker/src/test/resources/authentication/tls/ec/broker_client.csr.pem new file mode 100644 index 0000000000000..1f10a3c77f2b6 --- /dev/null +++ b/pulsar-broker/src/test/resources/authentication/tls/ec/broker_client.csr.pem @@ -0,0 +1,7 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIHTMHoCAQAwGDEWMBQGA1UEAwwNYnJva2VyX2NsaWVudDBZMBMGByqGSM49AgEG +CCqGSM49AwEHA0IABGxRL4naRhrTZ9T2WdMBkCNmiamkrzEiDO55RVjhpHGWIoqP +Ovzs8i97vCVx39GVvV/9agDp2nSuXYW8ax3UKnmgADAKBggqhkjOPQQDAgNJADBG +AiEA8sGFcbQuUGIUTCXTQ0z9b0eIYFIDVOcGSInQ+0unMJMCIQCmH0GlXZRGB2lx +HtfIz76HNnVu153LsHE11AEx7d/j2g== +-----END CERTIFICATE REQUEST----- diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/broker_client.key-pk8.pem b/pulsar-broker/src/test/resources/authentication/tls/ec/broker_client.key-pk8.pem new file mode 100644 index 0000000000000..124073b024564 --- /dev/null +++ b/pulsar-broker/src/test/resources/authentication/tls/ec/broker_client.key-pk8.pem 
@@ -0,0 +1,5 @@ +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgA92tkFXxKHYUJbeB +vvnMaGBnP2IenpF66Fikb06xbUKhRANCAARsUS+J2kYa02fU9lnTAZAjZomppK8x +IgzueUVY4aRxliKKjzr87PIve7wlcd/Rlb1f/WoA6dp0rl2FvGsd1Cp5 +-----END PRIVATE KEY----- diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/broker_client.key.pem b/pulsar-broker/src/test/resources/authentication/tls/ec/broker_client.key.pem new file mode 100644 index 0000000000000..4d4b5163b1bb4 --- /dev/null +++ b/pulsar-broker/src/test/resources/authentication/tls/ec/broker_client.key.pem @@ -0,0 +1,8 @@ +-----BEGIN EC PARAMETERS----- +BggqhkjOPQMBBw== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIAPdrZBV8Sh2FCW3gb75zGhgZz9iHp6ReuhYpG9OsW1CoAoGCCqGSM49 +AwEHoUQDQgAEbFEvidpGGtNn1PZZ0wGQI2aJqaSvMSIM7nlFWOGkcZYiio86/Ozy +L3u8JXHf0ZW9X/1qAOnadK5dhbxrHdQqeQ== +-----END EC PRIVATE KEY----- diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/ca.cert.pem b/pulsar-broker/src/test/resources/authentication/tls/ec/ca.cert.pem new file mode 100644 index 0000000000000..c10385d997e86 --- /dev/null +++ b/pulsar-broker/src/test/resources/authentication/tls/ec/ca.cert.pem @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBeDCCAR2gAwIBAgIUKRGzcPm3RVuI7tXdPDAZZ7Vhqs8wCgYIKoZIzj0EAwIw +ETEPMA0GA1UEAwwGQ0FSb290MB4XDTIzMTEyNDExNTExNVoXDTMzMTEyMTExNTEx +NVowETEPMA0GA1UEAwwGQ0FSb290MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE +kOKZaL45B7PUB+G25GLP1PPfTkio/DaHUML+KJjxpdCnSmq+mt/EAQWlqNPB1hJv +6kOJ52vSxKe02BMeuROed6NTMFEwHQYDVR0OBBYEFDkqfvrnJ7PJhxJ7FTA7o8+b +f+CRMB8GA1UdIwQYMBaAFDkqfvrnJ7PJhxJ7FTA7o8+bf+CRMA8GA1UdEwEB/wQF +MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAN9+TWNNbIz8rMdkf4LGoIeQzYcAEyGJ +90ORM5JciBdaAiEA8UsuQBD4wO1t6plnRydkGMTeb1dNDEnhsuXOXBps8fE= +-----END CERTIFICATE----- 
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/ca.cert.srl b/pulsar-broker/src/test/resources/authentication/tls/ec/ca.cert.srl new file mode 100644 index 0000000000000..a30f44e979e72 --- /dev/null +++ b/pulsar-broker/src/test/resources/authentication/tls/ec/ca.cert.srl @@ -0,0 +1 @@ +480C4928DAC81269F7495CB0E6B71887084ABA5D diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/ca.key.pem b/pulsar-broker/src/test/resources/authentication/tls/ec/ca.key.pem new file mode 100644 index 0000000000000..1255354584869 --- /dev/null +++ b/pulsar-broker/src/test/resources/authentication/tls/ec/ca.key.pem @@ -0,0 +1,8 @@ +-----BEGIN EC PARAMETERS----- +BggqhkjOPQMBBw== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIPT1Jap2sJ7NUGWT6q0fnSRoVRNNryWe/JHPwttyQke4oAoGCCqGSM49 +AwEHoUQDQgAEkOKZaL45B7PUB+G25GLP1PPfTkio/DaHUML+KJjxpdCnSmq+mt/E +AQWlqNPB1hJv6kOJ52vSxKe02BMeuROedw== +-----END EC PRIVATE KEY----- diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/certificate_generation.txt b/pulsar-broker/src/test/resources/authentication/tls/ec/certificate_generation.txt new file mode 100644 index 0000000000000..7a6caa7b8f4be --- /dev/null +++ b/pulsar-broker/src/test/resources/authentication/tls/ec/certificate_generation.txt 
@@ -0,0 +1,34 @@ +# CA Private Key +openssl ecparam -name secp256r1 -genkey -out ca.key.pem +# Request certificate +openssl req -x509 -new -nodes -key ca.key.pem -subj "/CN=CARoot" -days 3650 -out ca.cert.pem + +# Server Private Key +openssl ecparam -name secp256r1 -genkey -out server.key.pem +# Convert to pkcs8 +openssl pkcs8 -topk8 -inform PEM -outform PEM -in server.key.pem -out server.key-pk8.pem -nocrypt +# Request certificate +openssl req -new -config server.conf -key server.key.pem -out server.csr.pem -sha256 +# Sign with CA +openssl x509 -req -in server.csr.pem -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -out server.cert.pem -days 3650 -extensions v3_ext -extfile server.conf -sha256 + +# Broker internal client Private Key +openssl ecparam -name secp256r1 -genkey -out broker_client.key.pem +# Convert to pkcs8 +openssl pkcs8 -topk8 -inform PEM -outform PEM -in broker_client.key.pem -out broker_client.key-pk8.pem -nocrypt +# Request certificate +openssl req -new -subj "/CN=broker_client" -key broker_client.key.pem -out broker_client.csr.pem -sha256 +# Sign with CA +openssl x509 -req -in broker_client.csr.pem -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -out broker_client.cert.pem -days 3650 -sha256 + + +# Client Private Key +openssl ecparam -name secp256r1 -genkey -out client.key.pem +# Convert to pkcs8 +openssl pkcs8 -topk8 -inform PEM -outform PEM -in client.key.pem -out client.key-pk8.pem -nocrypt +# Request certificate +openssl req -new -subj "/CN=client" -key client.key.pem -out client.csr.pem -sha256 +# Sign with CA +openssl x509 -req -in client.csr.pem -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -out client.cert.pem -days 3650 -sha256 + + diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/client.cert.pem b/pulsar-broker/src/test/resources/authentication/tls/ec/client.cert.pem new file mode 100644 index 0000000000000..87701a6938d25 --- /dev/null +++ b/pulsar-broker/src/test/resources/authentication/tls/ec/client.cert.pem 
@@ -0,0 +1,8 @@ +-----BEGIN CERTIFICATE----- +MIIBHDCBwwIUSAxJKNrIEmn3SVyw5rcYhwhKul0wCgYIKoZIzj0EAwIwETEPMA0G +A1UEAwwGQ0FSb290MB4XDTIzMTEyNDExNTIwNVoXDTMzMTEyMTExNTIwNVowETEP +MA0GA1UEAwwGY2xpZW50MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4QZJuqZS +mSDbjkoFGKvtYmSVaJ3IjtmgWsgQio4F5phIXpM6IZZfcLkJToY0b9W2jGhODK55 +jA+zkRxHrICkwTAKBggqhkjOPQQDAgNIADBFAiEA0iGNqg4t16SxFdZJu7o9gK8R +XVXphQ/9XAtw4XqfCUYCIGLoExE9XKdkzZ+sahFOpKD6YLZ1GgPRBPpBJFBGTYu7 +-----END CERTIFICATE----- diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/client.csr.pem b/pulsar-broker/src/test/resources/authentication/tls/ec/client.csr.pem new file mode 100644 index 0000000000000..4ec08d410f504 --- /dev/null +++ b/pulsar-broker/src/test/resources/authentication/tls/ec/client.csr.pem @@ -0,0 +1,7 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIHLMHMCAQAwETEPMA0GA1UEAwwGY2xpZW50MFkwEwYHKoZIzj0CAQYIKoZIzj0D +AQcDQgAE4QZJuqZSmSDbjkoFGKvtYmSVaJ3IjtmgWsgQio4F5phIXpM6IZZfcLkJ +ToY0b9W2jGhODK55jA+zkRxHrICkwaAAMAoGCCqGSM49BAMCA0gAMEUCIQDNZOBD +Z/YAWKEeRSVqhPvIpFYob1gmQfDcBJdG8e0K8wIgcfO0PLquIZP9P8VrDkkLQdZ9 +krOKk+F/LF9aqQBHTbU= +-----END CERTIFICATE REQUEST----- diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/client.key-pk8.pem b/pulsar-broker/src/test/resources/authentication/tls/ec/client.key-pk8.pem new file mode 100644 index 0000000000000..2b07827f21472 --- /dev/null +++ b/pulsar-broker/src/test/resources/authentication/tls/ec/client.key-pk8.pem @@ -0,0 +1,5 @@ +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgrC3O+TuZ82b1bD1M +SI9lMu6aaebqfoggcnaaAyUUstKhRANCAAThBkm6plKZINuOSgUYq+1iZJVonciO +2aBayBCKjgXmmEhekzohll9wuQlOhjRv1baMaE4MrnmMD7ORHEesgKTB +-----END PRIVATE KEY----- diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/client.key.pem b/pulsar-broker/src/test/resources/authentication/tls/ec/client.key.pem new file mode 100644 index 0000000000000..ac1207fa51c0b --- /dev/null 
+++ b/pulsar-broker/src/test/resources/authentication/tls/ec/client.key.pem @@ -0,0 +1,8 @@ +-----BEGIN EC PARAMETERS----- +BggqhkjOPQMBBw== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIKwtzvk7mfNm9Ww9TEiPZTLummnm6n6IIHJ2mgMlFLLSoAoGCCqGSM49 +AwEHoUQDQgAE4QZJuqZSmSDbjkoFGKvtYmSVaJ3IjtmgWsgQio4F5phIXpM6IZZf +cLkJToY0b9W2jGhODK55jA+zkRxHrICkwQ== +-----END EC PRIVATE KEY----- diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/server.cert.pem b/pulsar-broker/src/test/resources/authentication/tls/ec/server.cert.pem new file mode 100644 index 0000000000000..184aa882e2828 --- /dev/null +++ b/pulsar-broker/src/test/resources/authentication/tls/ec/server.cert.pem @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB9DCCAZqgAwIBAgIUSAxJKNrIEmn3SVyw5rcYhwhKulswCgYIKoZIzj0EAwIw +ETEPMA0GA1UEAwwGQ0FSb290MB4XDTIzMTEyNDExNTE0MloXDTMzMTEyMTExNTE0 +MlowETEPMA0GA1UEAwwGc2VydmVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE +8xsai5lXx2Y7TbmzB1sZr2RunBOtzHFelNBmryjgkatf0yIEy9/cCmH+DvJfjvG1 +hfZDvnVFBPaoDFwgmvb26KOBzzCBzDBMBgNVHSMERTBDgBQ5Kn765yezyYcSexUw +O6PPm3/gkaEVpBMwETEPMA0GA1UEAwwGQ0FSb290ghQpEbNw+bdFW4ju1d08MBln +tWGqzzAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEF +BQcDATAtBgNVHREEJjAkggZwdWxzYXKCDnB1bHNhci5kZWZhdWx0hwR/AAABhwTA +qAECMB0GA1UdDgQWBBQe+uKXtB+I7vfU+mRAMvuNYbWJSTAKBggqhkjOPQQDAgNI +ADBFAiEAlCUpm4I5F6+OPS/lEJKIEQJILHivB3lPYW/OgXlpq5UCIFuUVgYwQ2ca +yildeQibDy/gbxLCFVzDtYrVKf7SZSK+ +-----END CERTIFICATE----- diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/server.conf b/pulsar-broker/src/test/resources/authentication/tls/ec/server.conf new file mode 100644 index 0000000000000..e4dbf070c08c4 --- /dev/null +++ b/pulsar-broker/src/test/resources/authentication/tls/ec/server.conf 
@@ -0,0 +1,21 @@ +[ req ] +default_bits = 2048 +prompt = no +default_md = sha256 +distinguished_name = dn + +[ v3_ext ] +authorityKeyIdentifier=keyid,issuer:always +basicConstraints=CA:FALSE +keyUsage=critical, digitalSignature, keyEncipherment +extendedKeyUsage=serverAuth +subjectAltName=@alt_names + +[ dn ] +CN = server + +[ alt_names ] +DNS.1 = pulsar +DNS.2 = pulsar.default +IP.1 = 127.0.0.1 +IP.2 = 192.168.1.2 diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/server.csr.pem b/pulsar-broker/src/test/resources/authentication/tls/ec/server.csr.pem new file mode 100644 index 0000000000000..ac75bb2d1ff64 --- /dev/null +++ b/pulsar-broker/src/test/resources/authentication/tls/ec/server.csr.pem @@ -0,0 +1,7 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIHLMHMCAQAwETEPMA0GA1UEAwwGc2VydmVyMFkwEwYHKoZIzj0CAQYIKoZIzj0D +AQcDQgAE8xsai5lXx2Y7TbmzB1sZr2RunBOtzHFelNBmryjgkatf0yIEy9/cCmH+ +DvJfjvG1hfZDvnVFBPaoDFwgmvb26KAAMAoGCCqGSM49BAMCA0gAMEUCIFUCpVkb +5u0EEY/4zcXFTHahm4xq/GAziFZsGS3mjwncAiEA2RGraZwclbHwjBiIChd56Xim +SHyZ2voxfe+xJG7uX8g= +-----END CERTIFICATE REQUEST----- diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/server.key-pk8.pem b/pulsar-broker/src/test/resources/authentication/tls/ec/server.key-pk8.pem new file mode 100644 index 0000000000000..f30bd1cc58cc7 --- /dev/null +++ b/pulsar-broker/src/test/resources/authentication/tls/ec/server.key-pk8.pem @@ -0,0 +1,5 @@ +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgnYGgcNz49WhMgVPD +LmI1fYtfI/YqWDrd2jtnXFGNawShRANCAATzGxqLmVfHZjtNubMHWxmvZG6cE63M +cV6U0GavKOCRq1/TIgTL39wKYf4O8l+O8bWF9kO+dUUE9qgMXCCa9vbo +-----END PRIVATE KEY----- diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/server.key.pem b/pulsar-broker/src/test/resources/authentication/tls/ec/server.key.pem new file mode 100644 index 0000000000000..1725f1be43fb1 --- /dev/null +++ b/pulsar-broker/src/test/resources/authentication/tls/ec/server.key.pem 
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIJ2BoHDc+PVoTIFTwy5iNX2LXyP2Klg63do7Z1xRjWsEoAoGCCqGSM49
+AwEHoUQDQgAE8xsai5lXx2Y7TbmzB1sZr2RunBOtzHFelNBmryjgkatf0yIEy9/c
+CmH+DvJfjvG1hfZDvnVFBPaoDFwgmvb26A==
+-----END EC PRIVATE KEY-----
diff --git a/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java b/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java
index 8dfd478cc8fbe..c61969dbf8099 100644
--- a/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java
+++ b/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java
@@ -48,10 +48,14 @@
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
+import java.security.spec.InvalidKeySpecException;
 import java.security.spec.KeySpec;
 import java.security.spec.PKCS8EncodedKeySpec;
+import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Base64;
 import java.util.Collection;
+import java.util.List;
 import java.util.Set;
 import java.util.concurrent.ScheduledExecutorService;
 import javax.net.ssl.HostnameVerifier;
@@ -79,6 +83,10 @@ public class SecurityUtility {
 public static final String BC_NON_FIPS_PROVIDER_CLASS = "org.bouncycastle.jce.provider.BouncyCastleProvider";
 public static final String CONSCRYPT_PROVIDER_CLASS = "org.conscrypt.OpenSSLProvider";
 public static final Provider CONSCRYPT_PROVIDER = loadConscryptProvider();
+ private static final List KEY_FACTORIES = Arrays.asList(
+ createKeyFactory("RSA"),
+ createKeyFactory("EC")
+ );
 // Security.getProvider("BC") / Security.getProvider("BCFIPS").
 // also used to get Factories. e.g. CertificateFactory.getInstance("X.509", "BCFIPS")
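Review bot: `KEY_FACTORIES` is populated in a static field initializer, so on a runtime where `KeyFactory.getInstance("EC")` or `KeyFactory.getInstance("RSA")` is unavailable, `createKeyFactory` throws during class initialization and every use of `SecurityUtility` fails, not only PEM key loading. The two `KeyFactory` instances are also shared by all callers of `loadPrivateKeyFromPemStream`, and `KeyFactory` is not documented as safe for concurrent use. Keeping a list of algorithm names and resolving the factory per call, `KeyFactory.getInstance(algorithm).generatePrivate(keySpec)`, keeps a missing algorithm local to the load that needs it and removes the shared state. If the field stays, add a comment stating that list order is the order in which algorithms are tried.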
@@ -512,15 +520,21 @@ public static PrivateKey loadPrivateKeyFromPemStream(InputStream inStream) throw
 while ((currentLine = reader.readLine()) != null && !currentLine.startsWith("-----END")) {
 sb.append(currentLine);
 }
-
- KeyFactory kf = KeyFactory.getInstance("RSA");
- KeySpec keySpec = new PKCS8EncodedKeySpec(Base64.getDecoder().decode(sb.toString()));
- privateKey = kf.generatePrivate(keySpec);
- } catch (GeneralSecurityException | IOException e) {
+ final KeySpec keySpec = new PKCS8EncodedKeySpec(Base64.getDecoder().decode(sb.toString()));
+ final List failedAlgorithm = new ArrayList<>(3);
+ for (KeyFactory kf : KEY_FACTORIES) {
+ try {
+ return kf.generatePrivate(keySpec);
+ } catch (InvalidKeySpecException ex) {
+ failedAlgorithm.add(kf.getAlgorithm());
+ }
+ }
+ throw new KeyManagementException("The private key algorithm is not supported. attempted: "
+ + StringUtils.join(failedAlgorithm, ","));
+ } catch (IOException e) {
 throw new KeyManagementException("Private key loading error", e);
 }
-
- return privateKey;
 }
 private static void setupTrustCerts(SslContextBuilder builder, boolean allowInsecureConnection,
@@ -581,4 +595,12 @@ public static Provider resolveProvider(String providerName) throws NoSuchAlgorit
 return provider;
 }
+
+ private static KeyFactory createKeyFactory(String algorithm) {
+ try {
+ return KeyFactory.getInstance(algorithm);
+ } catch (Exception e) {
+ throw new IllegalArgumentException(String.format("Illegal key factory algorithm " + algorithm), e);
+ }
+ }
 }
From 11a0b25c35f41469639c1a9ebdfdc5aeea5a9b86 Mon Sep 17 00:00:00 2001
From: Mattison Chao
Date: Fri, 24 Nov 2023 21:33:43 +0800
Subject: [PATCH 02/12] Fix checkstyle
---
 .../pulsar/security/tls/ec/TlsWithECCertificateTest.java | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
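Review bot: The loop in `loadPrivateKeyFromPemStream` discards every `InvalidKeySpecException`, so the final `KeyManagementException` has no cause and a truncated or malformed PKCS#8 body is reported as an unsupported algorithm. A key in another encoding, such as the SEC1 `EC PRIVATE KEY` files this patch also adds, would presumably be reported the same way. Keep each failure on the thrown exception via `addSuppressed` so an operator can tell a bad key file from a missing algorithm, while the message keeps carrying only algorithm names. `Base64.getDecoder().decode(...)` can also throw `IllegalArgumentException`, which the remaining `catch (IOException e)` does not wrap. The method starts outside this hunk, so how the PEM header line is consumed is not visible here.

```java
// … unchanged: PEM body read into sb, keySpec built from the decoded bytes …
final List<String> failedAlgorithm = new ArrayList<>(KEY_FACTORIES.size());
final List<InvalidKeySpecException> failures = new ArrayList<>(KEY_FACTORIES.size());
for (KeyFactory kf : KEY_FACTORIES) {
    try {
        return kf.generatePrivate(keySpec);
    } catch (InvalidKeySpecException ex) {
        failedAlgorithm.add(kf.getAlgorithm());
        // Keep the provider's reason instead of dropping it.
        failures.add(ex);
    }
}
final KeyManagementException notSupported = new KeyManagementException(
        "The private key algorithm is not supported. attempted: "
        + StringUtils.join(failedAlgorithm, ","));
failures.forEach(notSupported::addSuppressed);
throw notSupported;
// … unchanged: catch (IOException e) wrapping …
```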
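Review bot: `createKeyFactory` passes an already concatenated string to `String.format` with no format specifiers, so the call does nothing useful and would throw if the argument ever contained a `%`. Use `"Illegal key factory algorithm " + algorithm` or `String.format("Illegal key factory algorithm %s", algorithm)`. The `catch (Exception e)` is also broader than needed: `KeyFactory.getInstance(String)` declares only `NoSuchAlgorithmException`, and catching that alone keeps unrelated runtime failures from being relabelled as an illegal algorithm.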
diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECCertificateTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECCertificateTest.java
index 694f99e252dc2..4eed65eb34ead 100644
--- a/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECCertificateTest.java
+++ b/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECCertificateTest.java
@@ -18,8 +18,9 @@
 */
 package org.apache.pulsar.security.tls.ec;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNotNull;
+
+import static org.testng.Assert.assertEquals;
+import static org.testng.Assert.assertNotNull;
 import java.nio.charset.StandardCharsets;
 import java.util.UUID;
 import lombok.Cleanup;
@@ -37,6 +38,7 @@
 import org.testng.annotations.BeforeClass;
 import org.testng.annotations.Test;
+
 @Test
 public class TlsWithECCertificateTest extends MockedPulsarStandalone {
From aa3c4c1f0ecebfaa22d11593121b5ce15d14cd21 Mon Sep 17 00:00:00 2001
From: Mattison Chao Date: Fri, 24 Nov 2023 23:47:40 +0800 Subject: [PATCH 03/12] Add JKS --- ...java => TlsWithECCertificateFileTest.java} | 2 +- .../security/tls/ec/TlsWithECJKSTest.java | 109 ++++++++++++++++++ .../tls/ec/jks/broker_client.cer | Bin 0 -> 513 bytes .../tls/ec/jks/broker_client.keystore.jks | Bin 0 -> 1234 bytes .../tls/ec/jks/broker_client.truststore.jks | Bin 0 -> 902 bytes .../authentication/tls/ec/jks/client.cer | Bin 0 -> 497 bytes .../tls/ec/jks/client.keystore.jks | Bin 0 -> 1188 bytes .../tls/ec/jks/client.truststore.jks | Bin 0 -> 870 bytes .../authentication/tls/ec/jks/server.cer | Bin 0 -> 498 bytes .../tls/ec/jks/server.keystore.jks | Bin 0 -> 1188 bytes .../tls/ec/jks/server.truststore.jks | Bin 0 -> 870 bytes 11 files changed, 110 insertions(+), 1 deletion(-) rename pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/{TlsWithECCertificateTest.java => TlsWithECCertificateFileTest.java} (99%) create mode 100644 pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECJKSTest.java create mode 100644 pulsar-broker/src/test/resources/authentication/tls/ec/jks/broker_client.cer create mode 100644 pulsar-broker/src/test/resources/authentication/tls/ec/jks/broker_client.keystore.jks create mode 100644 pulsar-broker/src/test/resources/authentication/tls/ec/jks/broker_client.truststore.jks create mode 100644 pulsar-broker/src/test/resources/authentication/tls/ec/jks/client.cer create mode 100644 pulsar-broker/src/test/resources/authentication/tls/ec/jks/client.keystore.jks create mode 100644 pulsar-broker/src/test/resources/authentication/tls/ec/jks/client.truststore.jks create mode 100644 pulsar-broker/src/test/resources/authentication/tls/ec/jks/server.cer create mode 100644 pulsar-broker/src/test/resources/authentication/tls/ec/jks/server.keystore.jks create mode 100644 pulsar-broker/src/test/resources/authentication/tls/ec/jks/server.truststore.jks 
diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECCertificateTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECCertificateFileTest.java
similarity index 99%
rename from pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECCertificateTest.java
rename to pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECCertificateFileTest.java
index 4eed65eb34ead..33262bb75b787 100644
--- a/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECCertificateTest.java
+++ b/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECCertificateFileTest.java
@@ -44,7 +44,7 @@ public class TlsWithECCertificateTest extends MockedPulsarStandalone {
 @BeforeClass(alwaysRun = true)
 public void suitSetup() {
- loadECTlsCertificate();
+ loadECTlsCertificateWithFile();
 enableTlsAuthentication();
 super.start(); // start standalone service
 }
diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECJKSTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECJKSTest.java
new file mode 100644
index 0000000000000..b7c6e4939a014
--- /dev/null
+++ b/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECJKSTest.java
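Review bot: The call is switched to `loadECTlsCertificateWithFile()`, but this patch's file list contains no change to `MockedPulsarStandalone.java`, where PATCH 01 defines only `loadECTlsCertificate()`, so this commit presumably does not compile on its own. The class names also look swapped against the file names: the hunk header still shows `public class TlsWithECCertificateTest` in the file now named `TlsWithECCertificateFileTest.java`, while the new `TlsWithECJKSTest.java` declares `public class TlsWithECCertificateFileTest`. Unless a later patch in the series repairs both, rename the classes to `TlsWithECCertificateFileTest` and `TlsWithECJKSTest` and add the renamed helper in this commit, so that each patch builds and the TLS tests can be bisected.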
@@ -0,0 +1,109 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.pulsar.security.tls.ec;
+
+
+import static org.testng.Assert.assertEquals;
+import static org.testng.Assert.assertNotNull;
+import java.nio.charset.StandardCharsets;
+import java.util.UUID;
+import lombok.Cleanup;
+import lombok.SneakyThrows;
+import org.apache.pulsar.base.MockedPulsarStandalone;
+import org.apache.pulsar.client.admin.PulsarAdmin;
+import org.apache.pulsar.client.api.Consumer;
+import org.apache.pulsar.client.api.Message;
+import org.apache.pulsar.client.api.MessageId;
+import org.apache.pulsar.client.api.Producer;
+import org.apache.pulsar.client.api.PulsarClient;
+import org.apache.pulsar.client.api.PulsarClientException;
+import org.apache.pulsar.client.impl.auth.AuthenticationTls;
+import org.testng.annotations.AfterClass;
+import org.testng.annotations.BeforeClass;
+import org.testng.annotations.Test;
+
+
+@Test
+public class TlsWithECCertificateFileTest extends MockedPulsarStandalone {
+
+ @BeforeClass(alwaysRun = true)
+ public void suitSetup() {
+ loadECTlsCertificateWithFile();
+ enableTlsAuthentication();
+ super.start(); // start standalone service
+ }
+
+ @SneakyThrows
+ @AfterClass(alwaysRun = true)
+ public void suitShutdown() {
+ super.close(); // close standalone service
+ }
+
+
+ @Test(expectedExceptions = PulsarClientException.class)
+ @SneakyThrows
+ public void testConnectionFailWithoutCertificate() {
+ @Cleanup final PulsarClient client = PulsarClient.builder()
+ .serviceUrl(getPulsarService().getBrokerServiceUrlTls())
+ .build();
+ @Cleanup final Producer producer = client.newProducer()
+ .topic("should_be_failed")
+ .create();
+ }
+
+
+ @Test
+ @SneakyThrows
+ public void testConnectionSuccessWithCertificate() {
+ final AuthenticationTls authentication = new AuthenticationTls(TLS_EC_CLIENT_CERT_PATH, TLS_EC_CLIENT_KEY_PATH);
+ final String topicName = "persistent://public/default/" + UUID.randomUUID();
+ final int testMsgNum = 10;
+ final PulsarAdmin admin = PulsarAdmin.builder()
+ .authentication(authentication)
+ .serviceHttpUrl(getPulsarService().getWebServiceAddressTls())
+ .tlsTrustCertsFilePath(TLS_EC_TRUSTED_CERT_PATH)
+ .build();
+ admin.topics().createNonPartitionedTopic(topicName);
+ admin.topics().createSubscription(topicName, "sub-1", MessageId.earliest);
+ @Cleanup final PulsarClient client = PulsarClient.builder()
+ .serviceUrl(getPulsarService().getBrokerServiceUrlTls())
+ .authentication(authentication)
+ .tlsTrustCertsFilePath(TLS_EC_TRUSTED_CERT_PATH)
+ .build();
+ @Cleanup final Producer producer = client.newProducer()
+ .topic(topicName)
+ .create();
+ @Cleanup final Consumer consumer = client.newConsumer()
+ .topic(topicName)
+ .subscriptionName("sub-1")
+ .consumerName("cons-1")
+ .subscribe();
+ for (int i = 0; i < testMsgNum; i++) {
+ producer.send((i + "").getBytes(StandardCharsets.UTF_8));
+ }
+
+ for (int i = 0; i < testMsgNum; i++) {
+ final Message message = consumer.receive();
+ assertNotNull(message);
+ final byte[] b = message.getValue();
+ final String s = new String(b, StandardCharsets.UTF_8);
+ assertEquals(s, i + "");
+ }
+ }
+}
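Review bot: `testConnectionFailWithoutCertificate` can pass without proving that the broker rejects a client that presents no certificate: the client is built without `tlsTrustCertsFilePath`, so the handshake presumably already fails on the untrusted test CA before client authentication is reached. Adding `.tlsTrustCertsFilePath(TLS_EC_TRUSTED_CERT_PATH)` to that builder would make the expected `PulsarClientException` attributable to the missing client certificate rather than to server-certificate validation. Separately, in `testConnectionSuccessWithCertificate` the `admin` object is the only client without `@Cleanup`, so it is never closed; `@Cleanup final PulsarAdmin admin = PulsarAdmin.builder()` would fix that.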
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/jks/broker_client.cer b/pulsar-broker/src/test/resources/authentication/tls/ec/jks/broker_client.cer new file mode 100644 index 0000000000000000000000000000000000000000..cbc6eac4a1ca66f55029664a72cb8f488c7bd46b GIT binary patch literal 513 zcmXqLV*G2+#JFeyGZP~d6DPy;tB|3&=HzLVQ z&FD_$VeWu7(f0X#9tnPB*I&jzid8yk-+X3gp|;S?I>tGn8=t+{*732vyY~4hd(MZq z7AqRa8^{6!LY9w3j74PO(R+T4A9dH9VV^9gP}Ftqu-wLQ1lvfJ&~u`dOKtsG0la;|hmW?x^&4V$OnT1h{Mc`v@bb)82S%ulvV|)=;CBLu) z%x0M9y-tWtU44RancyGosL2Kv$6GCAKa?+1zh}ER=y_x3@4U`Qt5ull?;G5jeEmwG z>z98!`edpa>%iKGEqU+iPu`@SR9b{`&Q`p(l zS^Q?XZ=S)DDCygo&L*O_u6)`pV#*|wza6=o zCNJpj7MOioTO+dK_1cG*R>~cCS?h50kwI9e&zrm%^;SB8hQ9AgXB6-B4H3KlQTJ25 z-uFHRe}&)AUYOU^-eM0rz~Z=qeb1R1*{9AG(|bSJsB$~r?3d?$dpr5p1-(aI!9Ob% zTKqmJB>%&a+g@9KKVRL_1X6>_ZoHHtx)Kmd%=&V zC#`i_;*6jJze;wm{k1^j^a;VUBB|1EWIkT9nWh&v!`^M>^_S}_0?RAxZ(n0z4Vx12 zETQ+$$3I)1{S*7*E|7VU?H)Iq=7w)N8H*o_|GsVBY?%3Eu9@=mO`m7Psx5hXkWKyq z`>fyn$&L{zEmifG;_%KmQw#Pb8_L2_3UENf)5UEbunap!?U!>E99a}^XeuyQ{J6@To$G6^Jeg=FS!F+I)6@A1 z8Z&ge^H`sLHaxi8Swi+(nZxAy_Zg+)ANJ=@*DKv;kYhM+!am!!?>%iC+ur2c_;!XGi!$pLdWW@^kxdb7VQ;q8oMsXhZ=149E|cur?xWMyDcSg}vD*5TT`ojXp= zHuxZUpY6t(r=PuLCn(HTI{sVJPiiWQNR-pvy53u{#y0JO^`GLL&zvy+e;AY{0EOc6 AUjP6A literal 0 HcmV?d00001 
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/jks/broker_client.truststore.jks b/pulsar-broker/src/test/resources/authentication/tls/ec/jks/broker_client.truststore.jks new file mode 100644 index 0000000000000000000000000000000000000000..d9d5ac8002dc23f1410a7a6b662510806638a37f GIT binary patch literal 902 zcmXqLVs2t$WHxAG)?wq+YV&CO&dbQoxS)wymZgbV5-2PR#DWMZHlP%fK@-zICPoGz z^&KI@Xpjcyu<{y28dxB>JOy%)QxnG}7eb~#yq%Oe3s9?au z#sRUMiIbJVK$eX&q0NIam6?T6i$&m#+>EL>6@Dpi%+i;hPXAQf(8ScRIorK?xAMuQ zYI*XrL>^j|CjV^UR5iDexgqWN>0{<6Ib){J>iK`KTTAu7`11a5%^QL5GdjzvWZi5^ zXO_3GH>#b!T5dIml))CW%@*qKmEtgd1pkc1XG-i*Sfsl8F%gqld+DZh36#K zk8(AOd2FSpS5*D%|0PvBVV&5gxm~uuZ{67RIqn|MYR^B5Qe;p|&gYO4IC=6@>d(SA z=U=$}*;8z2DKmKw>;}(>(4zWA7}(h&Jjr#@A!8%^$8DWMDldrML(|@ z7cBYnY>G4Mo;&(GDjbeVZ+x~-(jc+ukK3`+Yj3NT9efq^_getJS*PTd7E`IH!_o!4 zAulVMd3N)^ZWpet{&x0StM{CD7q2anOh0h8mf`h`)5*t_@3Q_Co-A}kdSBkRTIulF z@A5K!efBKl)J&~v+w@s#;#I9RznwqdShHe3)24WlO4loIFI3O?8g94BF?_$3O8>Ot z*Re|RS1qUV3rQ*eiWgP9=ENVf?lh@;; zD@s0CE;i3EVwiBzXYqq+3DqwjipyD7q_SvrI%|~kRX+dt$JwsnPgkIUuYsWfFFctt zF|snSD9EmRoOk=Huxre*!Y_O}(!KM}a729$XbV()_V)Z)RU0W55#<*><#V@bJhyee RBy!YbM|}47N_kKg002PAk_`X= literal 0 HcmV?d00001 
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/jks/client.cer b/pulsar-broker/src/test/resources/authentication/tls/ec/jks/client.cer new file mode 100644 index 0000000000000000000000000000000000000000..29da29137289a88f89d83ff19c16b83fae1ed7c2 GIT binary patch literal 497 zcmXqLVti}R#5j2YGZP~d6Nfu9TZM+$r7{C9HV&;ek8`#x%uEK^h5`nBY|No7Y{KlJ zdD(gS<#{j>4h#`?3=u925pIMCzX31EWM*Nu1Lqj7ILsKJjW1}c> zUSkl~5Xz;mVg6-J#&2H zIhfWE_P)#lOmotKfFaX}M{HA@qVIZ)WxpovinMT$|HrHN4-C@c)b z{A}D%T|8WjObZ(K8Z_=QNQ0|q<<0Z7DOVnw)mX3u zY{?Y+5>~f0lHcrC%eu|_3!Lp4OBEY62`{Z%!#{FVLR^VSyOH;Zasn7cDu ze<}N1q_KXx6B|d#a*4-fof95}AN(IZOVB+{TC6K?ue@^Fu_rgmx8!mODP)*ta2MNN z+m*HKpl9G8wNo21<)4Y$T)nr|pwl{W$#m@ky|r$)xH&k(yn)MXs&e6 zlpX3xb90_tKXL0X?^%(qv~WwYH+xHcrRrOpjP~qF|F%hY_N0VE`yT{aXfL^RPU8pr zyBq`Nrk6h}n5H;oFju&VYg!u3{&sU&7ss|8%&TG~Hs-iFn3PT2YFqo}5od%)-wcCOIdc z?^i#>_2^Q_ZzhciYZoNu1)bk>%<0py+r67yFS<+1epsw}!C9?RdKd@=)EZ(rkIz<%`WgEM(KPrewZ>HZN8NbYD{$zZqF+4X#ZE~jSD!kCuY zB~SMEel$r8`muFl+G}C|ZSPW-%~9I*i;FobwDHr=PS00Ghm+W~Il?RNFu#1{Dfhhg zkFHz2@t5NVtY)?4NCUpTOMg;>N zHV%m8Oq{F?2C{6N32h#Xsmv^lS}X$IcikDe{I-40;W|9I`e1QmLlaZNf%}q5Ri*{o zGX8tkIN6>yQ2p$$TKTak_WH+bZO7l5P5Y~%!Db>jF`8HNch14TjJ5Z>;)3)JU09~w z!oP>Nas7=OhvYAp{W-laRQWwCzvqJfq?qlqzbOgdJ9fSQDa%rcJ+i)+RaRa~V9Y)H zXj>rPk826SldH{Lmn>0f$>Tj5v?%S7$dA>zq7M^y)&m%Jd!J)cn^gD6uRXm^ap&X=KJ&@1&ONYu zwPnlQGVAH{57^J!8M#hH>dfx)2c`-Qy*7*4d$kTvU*1rA`$6?LhxdDS8h+(Ie|_op zKYOYUEf;dux%=|x#xL)bXH5E}{r~RqQW1gPcY#wLy#3(%uJD77>2;QuEYE(ZUOqnW zb=*E>`|m9q`mbL;GHLsq&@+oK8-Cs6c&a@7`0Jz7I0Akj>Q;O*YgOW3d$+9Y%DA=) z!PT4QdwE=HZhNv}d4JdRJ)+@l5%;TKl}A1){gmSU>(}{3ZF3h)nH(}d(fHf-rngV_aNn51{(AYuu;7)Ru~Yf4?~G$*yZb?K+9alVOZ@93 zv;F5hQSRKl`F)SUDg$2wLjzuTGGt<8WnfWw`|h4Z=f)F9aw5wEcUBm!=9>3PUu)4T o`)BWe8t?M_V8SB8;&kX(ZN}bt0S~9O)XnttZhG~67AT1W0I)QbTL1t6 literal 0 HcmV?d00001 
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/jks/server.cer b/pulsar-broker/src/test/resources/authentication/tls/ec/jks/server.cer new file mode 100644 index 0000000000000000000000000000000000000000..e71c3cfe380c6cc13042d1e1c039ef700ee8b104 GIT binary patch literal 498 zcmXqLVti-N#5j2YGZP~d6NhR{fBCcIPmc_^*f_M>JkHs&Ff$os8wwcku`!3TunDt= z=4I#Qm*>GmI50%mF+{j9M7R+m{06)rlbMCtic^cqQi}}a#CeU34GoP<3{8#9jg6wj zd5u9_LnxQNj)^o7W@8730}~@OK$scXnVlF|4(0v6a&(#5!tfa%zj5o_?tEOOKY|v#{sh^gMk~9B12dG<%O*$l~$HbTN(Pi zO)>BKjgRIxw*O$}c^(bM@8!8rfx;>5kue_}LjIO{F&FOzLf0rAx IyPdrW0P%~LXaE2J literal 0 HcmV?d00001 
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/jks/server.keystore.jks b/pulsar-broker/src/test/resources/authentication/tls/ec/jks/server.keystore.jks new file mode 100644 index 0000000000000000000000000000000000000000..eec6baf39e14ecfdd4c99062739b8d115c352a66 GIT binary patch literal 1188 zcmXqLVp+h%$ZXKW;>E_P)#lOmotKfFaX}M{HA@qVIZ)WxpovinMT$|HrHN4-C@c)b z{A}D%T|8WjObZ(K8Z_=QNQ0|qTzmflcjrYUiK zkC~X%1(+BW40zZ$Am%Y~vN9ORvT-J~c`&9jvoLD02+WtXG1PfEXI*DZ){;+>DN9%a zp0`Tv3cIg#J4fjKg(b=}I$K>B{4TCKmanu;D|P#_V-*>qs>K4|bo?z_06bSglYh z#JtJO&L;LoS|0m?gBd4|y|~_RH{lCYg3#LK5l$MZh7JbOaL00r81l*SFcdSSG88eC zfk*>IgrumU2#ZiiW^Ss2p}B#9g|VfXsgZ$^kwFtPBU}+X+kz&hPX8DR`wJVMK1wHc}3KRb_cE@l0;j29*#8LQ2_5Te@p=Fw3_8Og^O^faRuHv4Ze)mHB z`-{@2pESQ;{B_yVrpF&&=Pc1aJLz@I#q21>#wK-tSI5xmwp*)gm#(YcygG=3^QE{| zI(t_Cd`roC*CTN^{YtZqJg#k=9nbl*Bu@SG{!4r_`sFXoTay$OUKVKiLTnWn_;Kb#ej`(=BmFv``$Om@+qV4$@e@Mcw~@Sc`smt+BMo z#;bN(Y2>W@qItp|?QP~qctkCNmsmD5^?uNpyUFyQ@#h@-P{kpqEqjmp5w}1)rB3Zwjb}W35 zHLF>HY2)m*X7R4(*Ip;5%yP+^wS`;#?foyy*U6kvE$DWf`zCAB#Ipg5!-T%D@MK9n z?2etfD99j`-EQu51I8UYqCTu<-*`Va_}H)9e}ddM&qU64U%oahgX^JOQu@ym!3REi zxksOTxide8S784ZrL*Omw!G!0>-`-Sb_0-S?c~`SoGNHEWK(7jktg zZH}a;F8-jiMr3)38<%^Lk*R#%-V&88iA&Bm9rz!+>i5)ebiHRg@LHy*wVL}&<615o zrl{#lE3QpUzSZ8F_fPKN;R`D3+``{IU%jhxs_8ugUjst}UU=SRVq|4tQ3$x}ep2?@ zzn;1AZ)-GuvhD7ern=SXy=c~(drAA}C4bUq5#cm`C>p%gaMm%Vb+!d}5=|Wpwm5;3 FJODWu;;#Sz literal 0 HcmV?d00001 
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/jks/server.truststore.jks b/pulsar-broker/src/test/resources/authentication/tls/ec/jks/server.truststore.jks new file mode 100644 index 0000000000000000000000000000000000000000..d192384fce50707627cc0a420d97a23dd4a4c6a9 GIT binary patch literal 870 zcmXqLVoqXWWHxAG=3(R1YV&CO&dbQoxS)yYFG~~CPlG0=uR#0}A;kuidIS`@$Hd40 zq^=`m7!A_k99CX~NCOK5m&ZVxMTEQH!#N(gxcbHBh9;&2!Tr(~3bVFV zq)Mi8#wyx6UN*JyUnsxtqjrjF$?4g0Y3CF6=-S48pE*0Iz&5xm&}Tul+?}64<{mlf z^?EzYe7Q^Y=UT$1u1KDI{a#TqkL3C@J3l;}!Xh?h;r!Z+uc?)rtDbg0kvZVksSs`> z`0C8d6oY)0yGvypm&X2XwD=avcWmY(Hv@x4zDA489VZu_&HmWR_-jsZ$4B$}oIM4T zJ2Z@4yq3Sq*_|f$pZD&QviX|@<}Z!>r7630o_5l-kG02p_it?YnjW#GvG17A^lU}z z6#Xe0zdlTfTc+P2Zuw{-BnF{B`T?PDuYF7dlgb#QH)%4i zyI-})=?2Lj@Cnrjxwa#4YRLzNVlBt%M_x3!QA zr&;Y@!O6d&cuSW52N%{Z?r+B@t&8*QN-LgyZpG)kmr>7>YYv{6vNN+;Ki0;|i{r{& z9?xIr&&ek5pR?Ka<`So>oQ2OeofJGV&%VsTvE|j@TL1N}X^Sd$^R|5}KOa+}@q>Y* zbWOOII|e{iwj jC3CJx42#I!ql?Yr`dPxg*?9l{YgyfMBz?n2P!b0K;{b$y literal 0 HcmV?d00001 From f76f3960cfe4a9a80f67bd6009f8e5d3a900af7e Mon Sep 17 00:00:00 2001 
From: Mattison Chao Date: Sat, 25 Nov 2023 15:13:30 +0800 Subject: [PATCH 04/12] Fix test --- ...KSTest.java => TlsWithECKeyStoreTest.java} | 22 ++++++------ .../tls/ec/jks/broker_client.cer | Bin 513 -> 0 bytes .../tls/ec/jks/broker_client.cert.pem | 10 ++++++ .../tls/ec/jks/broker_client.keystore.jks | Bin 1234 -> 2034 bytes .../tls/ec/jks/broker_client.signed.cert.pem | 11 ++++++ .../tls/ec/jks/broker_client.truststore.jks | Bin 902 -> 0 bytes .../authentication/tls/ec/jks/ca.cert.pem | 10 ++++++ .../authentication/tls/ec/jks/ca.cert.srl | 1 + .../authentication/tls/ec/jks/ca.key.pem | 8 +++++ .../tls/ec/jks/ca.truststore.jks | Bin 0 -> 742 bytes .../authentication/tls/ec/jks/client.cer | Bin 497 -> 0 bytes .../authentication/tls/ec/jks/client.cert.pem | 10 ++++++ .../tls/ec/jks/client.keystore.jks | Bin 1188 -> 1988 bytes .../tls/ec/jks/client.signed.cert.pem | 10 ++++++ .../tls/ec/jks/client.truststore.jks | Bin 870 -> 0 bytes .../tls/ec/jks/key_store_generation.txt | 33 ++++++++++++++++++ .../authentication/tls/ec/jks/server.cer | Bin 498 -> 0 bytes .../authentication/tls/ec/jks/server.cert.pem | 10 ++++++ .../tls/ec/jks/server.keystore.jks | Bin 1188 -> 2004 bytes .../tls/ec/jks/server.signed.cert.pem | 10 ++++++ .../tls/ec/jks/server.truststore.jks | Bin 870 -> 0 bytes 21 files changed, 125 insertions(+), 10 deletions(-) rename pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/{TlsWithECJKSTest.java => TlsWithECKeyStoreTest.java} (86%) delete mode 100644 pulsar-broker/src/test/resources/authentication/tls/ec/jks/broker_client.cer create mode 100644 pulsar-broker/src/test/resources/authentication/tls/ec/jks/broker_client.cert.pem create mode 100644 pulsar-broker/src/test/resources/authentication/tls/ec/jks/broker_client.signed.cert.pem delete mode 100644 pulsar-broker/src/test/resources/authentication/tls/ec/jks/broker_client.truststore.jks create mode 100644 pulsar-broker/src/test/resources/authentication/tls/ec/jks/ca.cert.pem create mode 
100644 pulsar-broker/src/test/resources/authentication/tls/ec/jks/ca.cert.srl create mode 100644 pulsar-broker/src/test/resources/authentication/tls/ec/jks/ca.key.pem create mode 100644 pulsar-broker/src/test/resources/authentication/tls/ec/jks/ca.truststore.jks delete mode 100644 pulsar-broker/src/test/resources/authentication/tls/ec/jks/client.cer create mode 100644 pulsar-broker/src/test/resources/authentication/tls/ec/jks/client.cert.pem create mode 100644 pulsar-broker/src/test/resources/authentication/tls/ec/jks/client.signed.cert.pem delete mode 100644 pulsar-broker/src/test/resources/authentication/tls/ec/jks/client.truststore.jks create mode 100644 pulsar-broker/src/test/resources/authentication/tls/ec/jks/key_store_generation.txt delete mode 100644 pulsar-broker/src/test/resources/authentication/tls/ec/jks/server.cer create mode 100644 pulsar-broker/src/test/resources/authentication/tls/ec/jks/server.cert.pem create mode 100644 pulsar-broker/src/test/resources/authentication/tls/ec/jks/server.signed.cert.pem delete mode 100644 pulsar-broker/src/test/resources/authentication/tls/ec/jks/server.truststore.jks diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECJKSTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECKeyStoreTest.java similarity index 86% rename from pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECJKSTest.java rename to pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECKeyStoreTest.java index b7c6e4939a014..b7d764c876094 100644 --- a/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECJKSTest.java +++ b/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECKeyStoreTest.java 
@@ -21,8 +21,6 @@ import static org.testng.Assert.assertEquals; import static org.testng.Assert.assertNotNull; -import java.nio.charset.StandardCharsets; -import java.util.UUID; import lombok.Cleanup; import lombok.SneakyThrows; import org.apache.pulsar.base.MockedPulsarStandalone; @@ -33,18 +31,19 @@ import org.apache.pulsar.client.api.Producer; import org.apache.pulsar.client.api.PulsarClient; import org.apache.pulsar.client.api.PulsarClientException; -import org.apache.pulsar.client.impl.auth.AuthenticationTls; import org.testng.annotations.AfterClass; import org.testng.annotations.BeforeClass; import org.testng.annotations.Test; +import java.nio.charset.StandardCharsets; +import java.util.UUID; @Test -public class TlsWithECCertificateFileTest extends MockedPulsarStandalone { +public class TlsWithECJKSTest extends MockedPulsarStandalone { @BeforeClass(alwaysRun = true) public void suitSetup() { - loadECTlsCertificateWithFile(); + loadECTlsCertificateWithJKS(); enableTlsAuthentication(); super.start(); // start standalone service } 
@@ -71,20 +70,23 @@ public void testConnectionFailWithoutCertificate() {
 @Test
 @SneakyThrows
 public void testConnectionSuccessWithCertificate() {
- final AuthenticationTls authentication = new AuthenticationTls(TLS_EC_CLIENT_CERT_PATH, TLS_EC_CLIENT_KEY_PATH);
 final String topicName = "persistent://public/default/" + UUID.randomUUID();
 final int testMsgNum = 10;
 final PulsarAdmin admin = PulsarAdmin.builder()
- .authentication(authentication)
+ .tlsKeyStorePath(TLS_EC_JKS_CLIENT_STORE)
+ .tlsKeyStorePassword(TLS_EC_JKS_CLIENT_PASS)
+ .tlsTrustStorePath(TLS_EC_JKS_TRUST_CLIENT_STORE)
+ .tlsTrustStorePassword(TLS_EC_JKS_CLIENT_PASS)
 .serviceHttpUrl(getPulsarService().getWebServiceAddressTls())
- .tlsTrustCertsFilePath(TLS_EC_TRUSTED_CERT_PATH)
 .build();
 admin.topics().createNonPartitionedTopic(topicName);
 admin.topics().createSubscription(topicName, "sub-1", MessageId.earliest);
 @Cleanup final PulsarClient client = PulsarClient.builder()
 .serviceUrl(getPulsarService().getBrokerServiceUrlTls())
- .authentication(authentication)
- .tlsTrustCertsFilePath(TLS_EC_TRUSTED_CERT_PATH)
+ .tlsKeyStorePath(TLS_EC_JKS_CLIENT_STORE)
+ .tlsKeyStorePassword(TLS_EC_JKS_CLIENT_PASS)
+ .tlsTrustStorePath(TLS_EC_JKS_TRUST_CLIENT_STORE)
+ .tlsTrustStorePassword(TLS_EC_JKS_CLIENT_PASS)
 .build();
 @Cleanup final Producer producer = client.newProducer()
 .topic(topicName)
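Review bot: Neither builder calls `useKeyStoreTls(true)`, and as far as I know the Pulsar client only reads `tlsKeyStorePath` and `tlsTrustStorePath` when that flag is set, so the JKS material added here may be ignored and the test would not exercise the keystore path. Add `.useKeyStoreTls(true)` to both the `PulsarAdmin` and the `PulsarClient` builder. Separately, `tlsTrustStorePassword(TLS_EC_JKS_CLIENT_PASS)` reuses the keystore password for the trust store; the generation notes in this patch create `ca.truststore.jks` with `-storepass rootpw` and the client keystore with `clientpw`, so if `TLS_EC_JKS_TRUST_CLIENT_STORE` (defined outside this hunk) points at `ca.truststore.jks`, the trust store needs its own password constant. The method body continues past the end of the hunk.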
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/jks/broker_client.cer b/pulsar-broker/src/test/resources/authentication/tls/ec/jks/broker_client.cer deleted file mode 100644 index cbc6eac4a1ca66f55029664a72cb8f488c7bd46b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 513 zcmXqLV*G2+#JFeyGZP~d6DPy;tB|3&=HzLVQ z&FD_$VeWu7(f0X#9tnPB*I&jzid8yk-+X3gp|;S?I>tGn8=t+{*732vyY~4hd(MZq z7AqRa8^{6!LY9w3j74PO(R+T4A9dH9VV^9gP}Ftqu-wLQ1lvfJ&~u`dOKts4nFoFgrlY9Xy6gGB4-42np67F3isg0PrnU8@(qLaG;B!AlyHf|ppJg632llQ4q zP85KG1+at?&{{KrLKl?H{54-mQ#TVVUc?@V1T#}S-UoLWOM!+Uu_FHr1A0MCHICKv zFQGA;yr^>y*<{f36n>h&VVUV1%m`$ zTVk$Uox84W(tkI~@^8C?jc4r!D2cxKJybNHz zX1*1KHq~sGs8}pcH}`+Lm6(w0O7_JO3s3u-1Nr z#_o^o)}rwACNz{Oyf*sv4$RnCLejOfqHg+0nEzx{tfY;Q8Ic`6ySM=e6rkzyn?scK zxFPQULVpk&n`PJBy7?UN9UdB+#t~ntUZx*oj32%(5ex5xVk|=b;@l2K$Jqp|s&O?O zFY5JNBWDM|C*YoPE~G_zMx%ijIv&vRl1Ik+`^Ut8UNFW%#*GU*P`eVu94|f#TLt2i zgcYv;s$)A9D2L-ISwVAx4XWdVCh!11MW$07KYu1hB~WYWc6kS8%v@WXs$XuB7N(;@ zTvcl5!{H=V0UzbAH-k1nwG{HfvjKdfr7kj`I-b3VcWR4-Qg?7-C8V2=QKaU~ebTXl zxB9i5wE0$$u9!u^T8IOwyf6!d_-_Y{UJqV%-SvPdH8jXi{>!Xde3=(~7 zV}Dew8Hup9^KokqIu@u6HjtcT)|33`kKzx7;9mdG5jA=Bz?NX`$|@ETpdcd zE-+VY^kfS}FF`=+YC)vzp&OA8|47@y_+w?_I8Jm^{C#|Myjp3(5Jm^~FiR_D8ER#0 zPNFFP7p=utA;D))SR$4-m^HkZt%!}AOn)Ixo^;+)F^%;zEikkvRIXiaqH!ovNh}kP zgJw^g*Z1nMSt})Y!^>g>%S6P3{7<~u>|(geEXy5=$rl9{=9UmK9c<|?T3E8=u7@@s zpF8;IwuXMqU7kd@GMbTqC#P?F<|GUP{8^*n_jR3jm<3D7DGZEuDeemULFK(CWPet{ z{{N#vcsDQ6$teoXA~zpf+5GUr{K6&ui`tQ~xPv|_4p)V9SU@tT#kc3dszJN`k4Jon zfZd>k#C(n~ttcT^j||XbS_#wBPn?~GnD^{ODTAhBFXe=TCQ;hPFRR|!i0wRb^FC=z z(xgQ_yHKx|`W~AnEf%+ckJ5T#{(l}EG7I--r>_0+E?}a&$eL2O4O`ewjivv8ETB~k z5OBHtyP-DKk0K8jd^-x)z9#G5`W^4IjPu_oh^h?MGI~>29hYsfa=h-`txL|e4$LcE zQkr4f(Y>Cg)G}QNBLSw2-SKk<7u=-f@mc~(u!ARU1g z3G9*>ztXf`o<1L4p7!^wgjy+l1`s?2lvnuqO#)2?d=atD7_We~&Ez;(8IF6|j1V7{T?QGH(IF@^ z0E5ggpIX>Js4A`(n$-TnU4L|f5uGZ8OLTcq&#qzm4cRjYBBmZqI6Gv_+dQPHb#_{* zPV@=}ouck5D$)p4T9qx?cneDxo`c;OSf)UlaT0Rkk_$MAfAgj(4wq(NvPtf54@eyu 
zxNMUh-NZ@j>Qdd|0J*25UjD0LEfEE}NR(f^EjCw#H7bWS5k3@hcYhLZ=iRXHWrPbW z7b5JO(G?SEPA2$8kxYgu^gbWX4Wa2n_`kfNed&DNHF%fk!l!?n&w6-2(-~Az{MA9Y z9+)v*yv5!ghwg%9T=_VM2{27CF)$4V31Egu0c8UO0s#d81R&XF>V?Z_6N517uvhk2 wEJQZ9x*${;zylCprytBDZQrQ`6picBbIk=yuft&!YO23cVgCx^4*~)w5DVl;`Tzg` delta 999 zcmV z2cv+30+2Dd#>lR6$Z*d~QnQSfYi9WkT2liz-04!KGr?x2l4LsIdxnC&p7$t$uT)4r z#B1>$8p?UG8-(0B1&HJo+L4cmO`hGY1C5`NMXjJ+nXr1n28AXdxr~W(?59m`Fr-== z+i62I724MKsDG_4J~((k7=%a=)=ndq6YHeC9{vKw)HsxqH2sKevXh{Tix8XJD=1lb z>#gC^sUE=TeL%(HFjk37>~5HUIxJB!P40D=bGc1a7T@tL@_#P(jsQ;}`{w93e0|yn zQosa3s0X~vd>!ROc$baxJS7W3*^eI!?b~De&@SSNQ-Aq+AcRivB5fcU-&C(im~!y} zCigI!KrQ9YEgg{>M;N9jlg|Wu&F@6sfh_K*Ad8*QP7I7@g_dEMQo#CjyRG`5D9gwZ z%@k!D>>TmZJeDqAm_J6T*Xgf#QFnMh+tvUDR+L!gV2%9o{Iur&7W79DX~72G3kE5$ z_AF?l<9`?X+c$$TY2=+YBbT!Cm|Z5M<-rCY&c_AQ- zu!TWVa66$wXYjoI3L-smXm`+-IkDr)L1EYt=PE?MFDNww2>{&`DcE)lYvg8Rf8lA9 zarmzX7F!YE!L>v&1?&u^f=X1;Fla=v+0c4KwSQgjPA<46i@vy>!znbcgTXa4ij?F( zliC)rMR^RLV5nL`2;_<=A_6n%*uThv50^XEouboJPLj$=qBO#lwK*83BL!t?t-&=A zofpR>oVl-j)Z~#i8G1jGvgMy3D3~paZUyD@F~O%p7#;R@K$D-}0UBT7k8hVQb-plc zF?gPkzCDKbjD`rd?D_0N6$S}N!rdVJ7A2EVov~>sm}2a|c3|z8V;YVyO)xPq4F(Bd zhDZTr0|WvA1povfsJJOy%)QxnG}7eb~#yq%Oe3s9?au z#sRUMiIbJVK$eX&q0NIam6?T6i$&m#+>EL>6@Dpi%+i;hPXAQf(8ScRIorK?xAMuQ zYI*XrL>^j|CjV^UR5iDexgqWN>0{<6Ib){J>iK`KTTAu7`11a5%^QL5GdjzvWZi5^ zXO_3GH>#b!T5dIml))CW%@*qKmEtgd1pkc1XG-i*Sfsl8F%gqld+DZh36#K zk8(AOd2FSpS5*D%|0PvBVV&5gxm~uuZ{67RIqn|MYR^B5Qe;p|&gYO4IC=6@>d(SA z=U=$}*;8z2DKmKw>;}(>(4zWA7}(h&Jjr#@A!8%^$8DWMDldrML(|@ z7cBYnY>G4Mo;&(GDjbeVZ+x~-(jc+ukK3`+Yj3NT9efq^_getJS*PTd7E`IH!_o!4 zAulVMd3N)^ZWpet{&x0StM{CD7q2anOh0h8mf`h`)5*t_@3Q_Co-A}kdSBkRTIulF z@A5K!efBKl)J&~v+w@s#;#I9RznwqdShHe3)24WlO4loIFI3O?8g94BF?_$3O8>Ot z*Re|RS1qUV3rQ*eiWgP9=ENVf?lh@;; zD@s0CE;i3EVwiBzXYqq+3DqwjipyD7q_SvrI%|~kRX+dt$JwsnPgkIUuYsWfFFctt zF|snSD9EmRoOk=Huxre*!Y_O}(!KM}a729$XbV()_V)Z)RU0W55#<*><#V@bJhyee RBy!YbM|}47N_kKg002PAk_`X= 
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/jks/ca.cert.pem b/pulsar-broker/src/test/resources/authentication/tls/ec/jks/ca.cert.pem
new file mode 100644
index 0000000000000..a235464be7064
--- /dev/null
+++ b/pulsar-broker/src/test/resources/authentication/tls/ec/jks/ca.cert.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBdjCCAR2gAwIBAgIUfHm94cF84m6FrJVNywJI4qTGZAEwCgYIKoZIzj0EAwIw
+ETEPMA0GA1UEAwwGQ0FSb290MB4XDTIzMTEyNTAxMzQzM1oXDTMzMTEyMjAxMzQz
+M1owETEPMA0GA1UEAwwGQ0FSb290MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
+Sxvkij8HQ+g07SnOLz1in81iGKY7lOAbJ1r4ihMVnOVjS2A4ZVGXHM2wp5ZB9r3Y
+jPByBiaPApm/J17JwlXynqNTMFEwHQYDVR0OBBYEFKqDJwbgz0/Q3EKJ78OVJI5k
+8+RYMB8GA1UdIwQYMBaAFKqDJwbgz0/Q3EKJ78OVJI5k8+RYMA8GA1UdEwEB/wQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgEF9RiwV0oBh9x1AvLFPoK5nnUlJ+0MNE
+zz8Zw284zkICIDUZOPN/E7ZmTKzfoZ0EkxRrinEZ5M538aNbYFAUYoK+
+-----END CERTIFICATE-----
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/jks/ca.cert.srl b/pulsar-broker/src/test/resources/authentication/tls/ec/jks/ca.cert.srl
new file mode 100644
index 0000000000000..c7b003ddff287
--- /dev/null
+++ b/pulsar-broker/src/test/resources/authentication/tls/ec/jks/ca.cert.srl
@@ -0,0 +1 @@
+027AC01DBB95A035042342A2768040F55A94FB5B
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/jks/ca.key.pem b/pulsar-broker/src/test/resources/authentication/tls/ec/jks/ca.key.pem
new file mode 100644
index 0000000000000..57e595f139525
--- /dev/null
+++ b/pulsar-broker/src/test/resources/authentication/tls/ec/jks/ca.key.pem
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIJ/5AX63GN8cadJUCa5Aza5592JS7go9TXNfYemS4Ku4oAoGCCqGSM49
+AwEHoUQDQgAESxvkij8HQ+g07SnOLz1in81iGKY7lOAbJ1r4ihMVnOVjS2A4ZVGX
+HM2wp5ZB9r3YjPByBiaPApm/J17JwlXyng==
+-----END EC PRIVATE KEY-----
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/jks/ca.truststore.jks b/pulsar-broker/src/test/resources/authentication/tls/ec/jks/ca.truststore.jks new file mode 100644 index 0000000000000000000000000000000000000000..e2a667b21d6ac6593ce22d5796914de120835457 GIT binary patch literal 742 zcmXqLVtT~H$ZXKW)WgQ9)#lOmotKfFaX}MPElU$qB~Z8&hzk)?Y(S|bpimqWBLk2M zN60W5q`^6?yatg576>knfi{asy+Qu6J3Wq54c>_FyJV5sYA4L}j1P=c^HWP%D`of| z#wJgD_SMU2UsH2pjrA;!gvpPrUk04zaNf^zboY@fM_SAHA1wNmxp6;h{`M#GPj(6K z|G3BY{iiiz;wujt2lGyi`l1){U~RyUhz@oYmCrktemE(*@ys{*TkrFhFUqcYVfdpg z=E`aL6@t%t-taH`_ezobQqS$DbHA=DTyJX6x=ZjKcktXL_k)*Yak%lHDxd77@rEU# zjp@#uGK(xTrKkn@QmOkEKGkVa^qt;sDy6XMkiYMto>S$ltwzUnZ1VMFWKZiRH|uIK z9%(agFn#gLH&!IM*gS1kgwqt&`QbV@m&NIGt(IT4AXO{jf2C{Beev`vT@$q$)8cLH zl^s*Fnl~wQ%-X3~vQpcSGy74y=4GF=pDq;nO%k$LSuOEpMYKoX&RI{a|B5bur#ZP~ z=jum6mnIrG)m-0b^WdaIg!iA-N%Qv!i=2^^{Vwp=rJGrIQ&!+ViBg;VT#jPl^8eSP z_&HY_2}G@4);m?_g8^H=nA!z5mxFtbh@RYKV!|rZSoqB0aNUK}2g$wd+a=vi{*;DX z-Rm~DRGKID{Z@f1PgWehcK3pP@I2!KZ&`Yy_w&8>3O~2xd9GXmgLT`96Uo67vi%Mm z^571$-g9%VeZY>~_83ji>2FpX{$BpU@_o61uYsWfFFYAAF|snSDERag9FI*^e%f4h#`?3=u925pIMCzX31EWM*Nu1Lqj7ILsKJjW1}c> zUSkl~5Xz;mVg6-J#&2H zIhfW9XZ|ZXwAnNkem{wKxLg++J_6uchjYRM0xbivd>1#(_xdDE{#!oovq}uk>a4v=KXk>@6oPTbIw(v!DunOR$lYH%|SITVrS!z~BfyOvr5Qkq+F^MRqPV8>0AOIaoe=-^LWB1h8{^AlaoCjUA{ z;B4Em-gWg$OYuMu8i66EHbxx6C%-t}dYK(S{ojiiKH&oukWNCU>esSYd$`pN#8SHR z38hH{oPUEj+(h|x#L%C$rOSgcxQbeXQBT+~D*GGw1Y5lqt8vi_?-sav`Zep;K`j?x zYq<9+VIv{35A-Q5D(-n)z2Z-JWJ~{Ad_{Kf0eAAGL<-i?Lphg zi_FJJv+NyJnH9;d`QZ{g4rJySf%U0!geaBqE`M9NZ`NGMXHMt`KukT6g>IU@&B{w< zQ3}oq@VGJ4RWMz%PSySY`CJv(`ARZTl?JrQK07bRr}`(}&_$0;Am)A$+(-N5e8_2L zmcUB2{x7%R>lZz?`c|qce4UHEk)X+{7;G1UQmMJK90_gq*8;!VYDzxRfqWiT2YDi? 
zAb$pYLcwwab~|2>L#GVwQ-uLRJ|DFD!~*S?7c4(z@ln@DGu5la-zE&)aZMc=*vZ?A zHgs~dLG#8|DX{t5tXQ-D=fg>OmfrC0$x%_(5-@>y(-5jIzwiN0o)LUVxjHXm008P@QWkX3ENm2OLB%dyvp#Y<&f*> z!y6`BJu2|~w5vgp=JG5ck5*#yM$D1Rp|56o!-Uf*3l-|Gbx4S@YsbYMXhE`NTDp79e8d4FOpY;91a z7&Vgze-gy~*a5993I6rBGxpdVuJ7|PWKlVJ6WdQS(lS1Pcg?Uqu1K@<{M8o_+0Pbu z`UEL{)hKUAFnY$(z{vGx!!7oaQ$#&rLKA(YW2fkZ0wkY_qa!vAo)k0Yr-E^s6@}lu z-OZm`;JPsQXAB@)Xc@LW9Dlc~|NauQenz|}OAiv;lry$udN)Pl{{}+UsxA~ciAtG9 zbC#+Mq&#))v~-yR%a4;b2{}!aL5;j((81=|oW(`Z0ef{nIFdk=WiJV@TE6qd>pMsl z7H+6(KtBh%=xjz?f6pq#jKzERdSLLz9R+OP4c|ORAVF8+#To2;^?u4DeO5q}gpDBv zC1MxY|A6!h%pW|Y+9Hhee)P_$_l^j3bgSr0b) zgs!tMpj$$LRFP@fH5gc8a^XZAb?eSdjV0UF*fNL8dwfcnD-#kfv@(|ydznIyCvf5r zO8Yo-WQ+6$#lsg$)sm?8$&(HNIwmtYHZ?LfGBz-R0|5pJDuzgg_YDCD2B3lh@-Tt| z?g9Y-FoFW-lWqYk6aaURB4;3M2xw3ur)3d@^jOE1VUw)^B!79P69S>mhALz?ja`FA zhR=Y40&wI7k`oPm)gac}L3~^Ed+-`4_SfRVWo&IL}l{{UtLw`fLA5+O!kwqI~E# zM*}enJk{Q{Fo`>1q?apjF0Dq|i&g85HNZ-V;Zyt>K8=%AZ5xb~ zxF=$rY~_GxSu2sU{1tcD*v{C}T zGDhbCzC44}{3flNV#r2%a?!F_=S;*f$M4ebLBMu?G3E~z%%SrLG;GP|zbC>9;?h+6 z0w|EJpnqX*QqR1`Lh{Djjj~12M;jgRqb1NoCU6B5N4{GQ>z(D3tfs)TKmf|0)J$nm zMcdX7pa;eE;LL7pHT=D+pJ4+3#Qz&n@%Oq;cE z2aTrCz;2<;Xa+)TR(Vq9mDna>@uTnQKSCO~>|!h@O=4Il;>5yyCprGT-9thDk8A6S zLPrf~5$f>PkwYY{y(+d$w!`SEpv-LEi*Y z9$1?5Fg8IAagO3JO)xPq4F(BdhDZTr0|WvA1povfcc#vPQv#$$x2s5SD^0@k4m=XU pH55n0Ce^)ud|@n01QZJW5QDn_hzP>Lw^`RxFIUGYS8D)?4NCUpTOMg;>N zHV%m8Oq{F?2C{6N32h#Xsmv^lS}X$IcikDe{I-40;W|9I`e1QmLlaZNf%}q5Ri*{o zGX8tkIN6>yQ2p$$TKTak_WH+bZO7l5P5Y~%!Db>jF`8HNch14TjJ5Z>;)3)JU09~w z!oP>Nas7=OhvYAp{W-laRQWwCzvqJfq?qlqzbOgdJ9fSQDa%rcJ+i)+RaRa~V9Y)H zXj>rPk826SldH{Lmn>0f$>Tj5v?%S7$dA>zq7M^y)&m%Jd!J)cn^gD6uRXm^ap&X=KJ&@1&ONYu zwPnlQGVAH{57^J!8M#hH>dfx)2c`-Qy*7*4d$kTvU*1rA`$6?LhxdDS8h+(Ie|_op zKYOYUEf;dux%=|x#xL)bXH5E}{r~RqQW1gPcY#wLy#3(%uJD77>2;QuEYE(ZUOqnW zb=*E>`|m9q`mbL;GHLsq&@+oK8-Cs6c&a@7`0Jz7I0Akj>Q;O*YgOW3d$+9Y%DA=) z!PT4QdwE=HZhNv}d4JdRJ)+@l5%;TKl}A1){gmSU>(}{3ZF3h)nH(}d(fHf-rngV_aNn51{(AYuu;7)Ru~Yf4?~G$*yZb?K+9alVOZ@93 
zv;F5hQSRKl`F)SUDg$2wLjzuTGGt<8WnfWw`|h4Z=f)F9aw5wEcUBm!=9>3PUu)4T o`)BWe8t?M_V8SB8;&kX(ZN}bt0S~9O)XnttZhG~67AT1W0I)QbTL1t6 diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/jks/key_store_generation.txt b/pulsar-broker/src/test/resources/authentication/tls/ec/jks/key_store_generation.txt new file mode 100644 index 0000000000000..62c48e9a089f1 --- /dev/null +++ b/pulsar-broker/src/test/resources/authentication/tls/ec/jks/key_store_generation.txt 
@@ -0,0 +1,33 @@ +# CA Private Key +openssl ecparam -name secp256r1 -genkey -out ca.key.pem +# Request certificate +openssl req -x509 -new -nodes -key ca.key.pem -subj "/CN=CARoot" -days 3650 -out ca.cert.pem +# Build Trust Cert +keytool -keystore ca.truststore.jks -alias ca -importcert -file ca.cert.pem -storepass rootpw -keypass rootpw -noprompt + + +# Create server keystore +keytool -keystore server.keystore.jks -alias server -keyalg EC -validity 3600 -genkey -storepass serverpw -keypass serverpw -dname 'CN=server,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown' -noprompt +# Export the certificate from the keystore: +keytool -keystore server.keystore.jks -alias server -certreq -file server.cert.pem -storepass serverpw -keypass serverpw -noprompt +# Sign it with the CA: +openssl x509 -req -in server.cert.pem -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -out server.signed.cert.pem -days 3650 -sha256 +# Import signed cert into key store +keytool -keystore server.keystore.jks -alias ca -importcert -file ca.cert.pem -storepass serverpw -keypass serverpw -noprompt +keytool -keystore server.keystore.jks -alias server -importcert -file server.signed.cert.pem -storepass serverpw -keypass serverpw -noprompt + + +# Create broker client keystore +keytool -keystore broker_client.keystore.jks -alias broker_client -keyalg EC -validity 3600 -genkey -storepass brokerclientpw -keypass brokerclientpw -dname 'CN=broker_client,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown' -noprompt +keytool -keystore broker_client.keystore.jks -alias broker_client -certreq -file broker_client.cert.pem -storepass brokerclientpw -keypass brokerclientpw -noprompt +openssl x509 -req -in broker_client.cert.pem -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -out broker_client.signed.cert.pem -days 3650 -sha256 +keytool -keystore broker_client.keystore.jks -alias ca -importcert -file ca.cert.pem -storepass brokerclientpw -keypass brokerclientpw -noprompt +keytool -keystore 
broker_client.keystore.jks -alias broker_client -importcert -file broker_client.signed.cert.pem -storepass brokerclientpw -keypass brokerclientpw -noprompt + + +# Create client keystore +keytool -keystore client.keystore.jks -alias client -keyalg EC -validity 3600 -genkey -storepass clientpw -keypass clientpw -dname 'CN=client,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown' -noprompt +keytool -keystore client.keystore.jks -alias client -certreq -file client.cert.pem -storepass clientpw -keypass clientpw -noprompt +openssl x509 -req -in client.cert.pem -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -out client.signed.cert.pem -days 3650 -sha256 +keytool -keystore client.keystore.jks -alias ca -importcert -file ca.cert.pem -storepass clientpw -keypass clientpw -noprompt +keytool -keystore client.keystore.jks -alias client -importcert -file client.signed.cert.pem -storepass clientpw -keypass clientpw -noprompt \ No newline at end of file diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/jks/server.cer b/pulsar-broker/src/test/resources/authentication/tls/ec/jks/server.cer deleted file mode 100644 index e71c3cfe380c6cc13042d1e1c039ef700ee8b104..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 498 zcmXqLVti-N#5j2YGZP~d6NhR{fBCcIPmc_^*f_M>JkHs&Ff$os8wwcku`!3TunDt= z=4I#Qm*>GmI50%mF+{j9M7R+m{06)rlbMCtic^cqQi}}a#CeU34GoP<3{8#9jg6wj zd5u9_LnxQNj)^o7W@8730}~@OK$scXnVlF|4(0v6a&(#5!tfa%zj5o_?tEOOKY|v#{sh^gMk~9B12dG<%O*$l~$HbTN(Pi zO)>BKjgRIxw*O$}c^(bM@8!8rfx;>5kue_}LjIO{F&FOzLf0rAx IyPdrW0P%~LXaE2J diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/jks/server.cert.pem b/pulsar-broker/src/test/resources/authentication/tls/ec/jks/server.cert.pem new file mode 100644 index 0000000000000..e63f822f13a99 --- /dev/null +++ b/pulsar-broker/src/test/resources/authentication/tls/ec/jks/server.cert.pem 
@@ -0,0 +1,10 @@ +-----BEGIN NEW CERTIFICATE REQUEST----- +MIIBVzCB/QIBADBrMRAwDgYDVQQGEwdVbmtub3duMRAwDgYDVQQIEwdVbmtub3du +MRAwDgYDVQQHEwdVbmtub3duMRAwDgYDVQQKEwdVbmtub3duMRAwDgYDVQQLEwdV +bmtub3duMQ8wDQYDVQQDEwZzZXJ2ZXIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC +AAQ0HBuze29SNGa33jTMzNZ+i4ZmQtccZGrGR8SfJPJVENahKSqJnoLgfHmzjfya +XyYr/uwP4LYIqrWw9nsYZmb+oDAwLgYJKoZIhvcNAQkOMSEwHzAdBgNVHQ4EFgQU +af0LXo7UTDd+QWFpoEkvqJPs+I0wCgYIKoZIzj0EAwIDSQAwRgIhANzNFj7zWN22 +uiNcz1EUvD8HS9C7R6Fk6Ps5Z54RNTtDAiEAlcDLOkHcgehHBIi79sfC9ZFj0Acg +kcDY79IQi1k4gsc= +-----END NEW CERTIFICATE REQUEST----- 
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/jks/server.keystore.jks b/pulsar-broker/src/test/resources/authentication/tls/ec/jks/server.keystore.jks index eec6baf39e14ecfdd4c99062739b8d115c352a66..25c9eb4d1b07f1700876f9bc4b41843eb8edda72 100644 GIT binary patch delta 1790 zcmVUQWRc} z2h+u8dZzIllBA8!!C0u8?k|(A0VHAss5bWhmQ|hgeeIHZXVp^#Q24$o+xm{d0q8`) zu7EhAn{TpXO>2G)(VTu!n2E=57ZTki$u#+!A-@T26&=L|pwL3yr3*D^TNk-oRzUPT zb$%YL6Xq?-_6kTj>W*srf|CvbIwm+VI5agdIWaJT1~CQ+Duzgg_YDCD2B3llA~1pm z9s&UXFoFgblWqYk6k*wO@=TQm!f76mg|I=uw7_0iB$KTHB!B7%=m%*Ru7TDEfv3Da zrH_Du1)vd_seueq$hv7C(_oexEJ>_$MZ+GaIkUA) z*}8Ha_j6(s?|(l0z5~2C!83j*z)c5LI%_k}!;9q(ib)vLHP7sLE~8~*J&Meaqsjzw z;7gukbBwsGHmcwcWv7TbnPvdj#r!iE{Dv(u?Uo9gmv?h9L$<8bm0#48HU7uex;DEp zOfa3{fGA%QDAZ>*y|Fu5s<%y&EkhSRZK_dJrXG}vo`2-soamEjyiR+}6TPXtqiY!4 zfqZ$|tZGBed(nS(jaxH!V0vrw)9a-udXOl}K{H-9GxA2+bLLEN56z6SC``fFgFlVp z9pTYHN{1ZJ*hS=j3i^1>p2gzpSv5ubJoe?wED!9u9tE~S-mtn<^$arbh@Y}prtfI7(^qClUsjYIuPH{ZOaDCW0KD_%QzNT; z?Zx@DJNL`(g|hHCk*`xFX0>SjvWznPPyIV}1Hv*_$T{u2mJ)OF&<@s7BPv2Si<9C6 zh@Fq3_JE&Y?g@alYnf!i+lGVZAmgz1qg_;Cm4EjTy%l)8PO#;;`-nnBLeCI#p?IaX z8B?jXwiF7P9~EzQJnVx%WBa$11upk~GFv!u5vQx3;Zc}y3XBDLS@Iu3$NOp1B+RX$ zF7f=8p=F*%oGTRwT1_*BrKj1RX}x<9j!IRITd8m>4ois({A~%k@3B72_oy;z%7UgW z&wuEswa(O2Ie@-S>_5hsX)YH)MYa+t-haNI@}Nf(^%{Hh8#vWXaG3Z?^!Mha8ymF1 zX?+UY==sP5Jyf4JOGi=+PhASJ@QubH?`*ua?Qlq#ahUyyOCE;T^69=RgP&ws-5&OA{a%%0rf0P-SlKH65p*YlCEPHUK= zN7Ma9F{dK^9x1fc>hqspxH@e7aM3hRBA49kSN~I#@pM`;B53jZSKw&)ONXoXOdmPP6IZ80%xRC=)oc zb~1%uYS%xVZ63kzzsULtZ*wwmgW$ZKKTa~=SXNjl$%hh04`d+h3?m;Qhky6beGgGs zRu_6`m(!T!E|xQ2U*izd%Czy~s6A{b^M2w~@ugax-!G(RAwnpicw8- z7^*#_><2T1fW9|JJ&HeI^U#sr8XdBGJ`Vj+1>bYjF?tPbLy4l?+p5Ul-hR5x%T6DN z4COk$S#_OY79=A^u2|1GqJJB*q9<-F_^<_l#>}re)Jr+x8~|AHqpaVUqOWc=kTKW|BwiZq(w8GLUGFj6T=Iv_P^Z%xUiW8 zImjO~1{(KV?b%@(^nGq?*h7>&G*>MT#SC&Cw}3xs?#?{xIjGGjQAw7!SPi7J>LRgs z`!G!~F)$4V31Egu0c8UO0s#d81R#@(r}fJ&B7d@~QiT_SmkW+_r7~6)B94A=d8e?p gGX?|{H!dXvqt9!%gAXZWz_OaOo&0`8i2?#A5a{J+x&QzG delta 967 
zcmV;&133KD52OhqFoFc20s#Xsf&@wi2`Yw2hW8Bt2LYgh1Um$R1UE2(1T&E$QWR*H zx81*8!4C^nr-Y4FLjsguj^mT90VHCd89Xs8>71^KTxz898DyjcQ0Ijjx>nyJ+iVi= z(4-@niG@S}PSL8yZz8rTWw)lrcsR2=F|4OkN0@*QElk5EaT-)Nf;K)pUD#%B2cW@d z$j0c`fZbs90$>uYr&vNLWs?p8IwmtYHZ?LZGBPlN0|5pJDuzgg_YDCD2B3lh@-Tt| z?g9Y-FoFW-lWqYk6nT6+GynnvnJQ9bfD;0cZ@&{TACs*CB!65~D!r?v^( zfUkgp0&v2)Ev54E?JIdQj}b|4KyhLH0gGR;_)RO6R6!HOd;hQ^Rdy*>KPZXwHFG}w zstcQE-Oyj}(HqO;gYTpDrlo@8@#}1)E6tMYT+wSiGSnozOG+nf zqOA0+MxHS5x9$4=M*Nb%{)WW{WfJEXPKS*Q)kx#9;3p3{B9*J4YAv`Jh^>V9uz#{f z@wRi==?Rk3$Ib#3s=m7bxjNBMvFx2E?al8^QaR-TEq}?0$JdKd2DnX)>gI5xREK3O zcK>GAJ{Azg!7JM@B-%iACw!#+?En+Q4BCSHz1O7kB<|3ni~smL74YjQrE)wx*`Nk1@y~7ao}p2gCGL2o2@oq zMK{*#V`Q2{YMQhQC+*+#r>-2xC2)&Do$P9okG9)77j#Ajur@GPtpr*uXNM{+VX zA8x&LBx)GaL)kzN<3%rwdy}ZvGy@!_XwI zMp#$w=c~GTl{MZlO)xPq4F(BdhDZTr0|WvA1povfP~At#9oGJgonP&IDES7vh?XU_ pLhlu7?A~I(o@4Sa1QZD~;T2Q0F`C8#u03$vVKqQ7v_b*`ClHeMxOo5o diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/jks/server.signed.cert.pem b/pulsar-broker/src/test/resources/authentication/tls/ec/jks/server.signed.cert.pem new file mode 100644 index 0000000000000..79a09731735ee --- /dev/null +++ b/pulsar-broker/src/test/resources/authentication/tls/ec/jks/server.signed.cert.pem @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBdzCCAR0CFAJ6wB27laA1BCNConaAQPValPtQMAoGCCqGSM49BAMCMBExDzAN +BgNVBAMMBkNBUm9vdDAeFw0yMzExMjUwMTQzMDRaFw0zMzExMjIwMTQzMDRaMGsx +EDAOBgNVBAYTB1Vua25vd24xEDAOBgNVBAgTB1Vua25vd24xEDAOBgNVBAcTB1Vu +a25vd24xEDAOBgNVBAoTB1Vua25vd24xEDAOBgNVBAsTB1Vua25vd24xDzANBgNV +BAMTBnNlcnZlcjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDQcG7N7b1I0Zrfe +NMzM1n6LhmZC1xxkasZHxJ8k8lUQ1qEpKomeguB8ebON/JpfJiv+7A/gtgiqtbD2 +exhmZv4wCgYIKoZIzj0EAwIDSAAwRQIgG4IatfLHoaCGVPDxnYV3XkWzVJpAEdX6 +QIDYgmdogckCIQDpJJle7jw6PNA1o3nSZJ2o2GCOg9nmmNaKVBQfxL2E/g== +-----END CERTIFICATE----- 
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/jks/server.truststore.jks b/pulsar-broker/src/test/resources/authentication/tls/ec/jks/server.truststore.jks deleted file mode 100644 index d192384fce50707627cc0a420d97a23dd4a4c6a9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 870 zcmXqLVoqXWWHxAG=3(R1YV&CO&dbQoxS)yYFG~~CPlG0=uR#0}A;kuidIS`@$Hd40 zq^=`m7!A_k99CX~NCOK5m&ZVxMTEQH!#N(gxcbHBh9;&2!Tr(~3bVFV zq)Mi8#wyx6UN*JyUnsxtqjrjF$?4g0Y3CF6=-S48pE*0Iz&5xm&}Tul+?}64<{mlf z^?EzYe7Q^Y=UT$1u1KDI{a#TqkL3C@J3l;}!Xh?h;r!Z+uc?)rtDbg0kvZVksSs`> z`0C8d6oY)0yGvypm&X2XwD=avcWmY(Hv@x4zDA489VZu_&HmWR_-jsZ$4B$}oIM4T zJ2Z@4yq3Sq*_|f$pZD&QviX|@<}Z!>r7630o_5l-kG02p_it?YnjW#GvG17A^lU}z z6#Xe0zdlTfTc+P2Zuw{-BnF{B`T?PDuYF7dlgb#QH)%4i zyI-})=?2Lj@Cnrjxwa#4YRLzNVlBt%M_x3!QA zr&;Y@!O6d&cuSW52N%{Z?r+B@t&8*QN-LgyZpG)kmr>7>YYv{6vNN+;Ki0;|i{r{& z9?xIr&&ek5pR?Ka<`So>oQ2OeofJGV&%VsTvE|j@TL1N}X^Sd$^R|5}KOa+}@q>Y* zbWOOII|e{iwj jC3CJx42#I!ql?Yr`dPxg*?9l{YgyfMBz?n2P!b0K;{b$y From b512eac35ad2665a3593eac95e5db53080c138cb Mon Sep 17 00:00:00 2001 From: Mattison Chao Date: Sat, 25 Nov 2023 15:28:30 +0800 Subject: [PATCH 05/12] Fix test --- .../pulsar/base/MockedPulsarStandalone.java | 43 ++++++++++++++++++- .../tls/ec/TlsWithECCertificateFileTest.java | 2 +- .../tls/ec/TlsWithECKeyStoreTest.java | 30 ++++++++----- 3 files changed, 62 insertions(+), 13 deletions(-) diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/base/MockedPulsarStandalone.java b/pulsar-broker/src/test/java/org/apache/pulsar/base/MockedPulsarStandalone.java index 9b46103895352..f8fb03fb09fd4 100644 --- a/pulsar-broker/src/test/java/org/apache/pulsar/base/MockedPulsarStandalone.java +++ b/pulsar-broker/src/test/java/org/apache/pulsar/base/MockedPulsarStandalone.java 
@@ -31,6 +31,7 @@ import org.apache.pulsar.broker.authentication.AuthenticationProviderTls; import org.apache.pulsar.broker.testcontext.PulsarTestContext; import org.apache.pulsar.client.admin.PulsarAdmin; +import org.apache.pulsar.client.impl.auth.AuthenticationKeyStoreTls; import org.apache.pulsar.client.impl.auth.AuthenticationTls; import org.apache.pulsar.common.policies.data.ClusterData; import org.apache.pulsar.common.policies.data.TenantInfo; @@ -60,7 +61,7 @@ public abstract class MockedPulsarStandalone implements AutoCloseable { } @SneakyThrows - protected void loadECTlsCertificate() { + protected void loadECTlsCertificateWithFile() { serviceConfiguration.setTlsEnabled(true); serviceConfiguration.setBrokerServicePort(Optional.empty()); serviceConfiguration.setWebServicePort(Optional.empty()); 
@@ -76,6 +77,30 @@ protected void loadECTlsCertificate() { serviceConfiguration.setBrokerClientAuthenticationParameters(mapper.writeValueAsString(brokerClientAuthParams)); } + @SneakyThrows + protected void loadECTlsCertificateWithKeyStore() { + serviceConfiguration.setTlsEnabled(true); + serviceConfiguration.setBrokerServicePort(Optional.empty()); + serviceConfiguration.setWebServicePort(Optional.empty()); + serviceConfiguration.setTlsEnabledWithKeyStore(true); + serviceConfiguration.setTlsKeyStore(TLS_EC_KS_SERVER_STORE); + serviceConfiguration.setTlsKeyStorePassword(TLS_EC_KS_SERVER_PASS); + serviceConfiguration.setTlsTrustStore(TLS_EC_KS_TRUSTED_STORE); + serviceConfiguration.setTlsTrustStorePassword(TLS_EC_KS_TRUSTED_STORE_PASS); + serviceConfiguration.setTlsRequireTrustedClientCertOnConnect(true); + serviceConfiguration.setBrokerClientTlsEnabled(true); + serviceConfiguration.setBrokerClientTlsEnabledWithKeyStore(true); + serviceConfiguration.setBrokerClientTlsKeyStore(TLS_EC_KS_BROKER_CLIENT_STORE); + serviceConfiguration.setBrokerClientTlsKeyStorePassword(TLS_EC_KS_BROKER_CLIENT_PASS); + serviceConfiguration.setBrokerClientTlsTrustStore(TLS_EC_KS_TRUSTED_STORE); + serviceConfiguration.setBrokerClientTlsTrustStorePassword(TLS_EC_KS_TRUSTED_STORE_PASS); + serviceConfiguration.setBrokerClientAuthenticationPlugin(AuthenticationKeyStoreTls.class.getName()); + final Map brokerClientAuthParams = new HashMap<>(); + brokerClientAuthParams.put("keyStorePath", TLS_EC_KS_BROKER_CLIENT_STORE); + brokerClientAuthParams.put("keyStorePassword", TLS_EC_KS_BROKER_CLIENT_PASS); + serviceConfiguration.setBrokerClientAuthenticationParameters(mapper.writeValueAsString(brokerClientAuthParams)); + } + protected void enableTlsAuthentication() { serviceConfiguration.setAuthenticationEnabled(true); serviceConfiguration.setAuthenticationProviders(Sets.newHashSet(AuthenticationProviderTls.class.getName())); 
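Review bot: `loadECTlsCertificateWithKeyStore` never names the store type, neither on the broker settings nor in `brokerClientAuthParams`. The test therefore relies on the configuration defaults and on the JDK accepting the fixture files under that default type. I would set it explicitly to the format the fixtures were generated in, e.g. `serviceConfiguration.setTlsKeyStoreType("JKS");`, `serviceConfiguration.setTlsTrustStoreType("JKS");` and `brokerClientAuthParams.put("keyStoreType", "JKS");` (the value is to be confirmed against the actual files). The client and admin builders in `TlsWithECKeyStoreTest` have the same gap. The method also has no Javadoc; a short one stating that it enables keystore-based TLS for broker and broker client and requires a trusted client certificate on connect would tell test authors what `enableTlsAuthentication()` then builds on.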
@@ -120,7 +145,7 @@ private static String getPathFromResource(String resourceName) { } // Utils - private static final ObjectMapper mapper = new ObjectMapper(); + protected static final ObjectMapper mapper = new ObjectMapper(); // Static name private static final String DEFAULT_TENANT = "public"; @@ -142,4 +167,18 @@ private static String getPathFromResource(String resourceName) { getPathFromResource("authentication/tls/ec/client.key-pk8.pem"); protected static final String TLS_EC_CLIENT_CERT_PATH = getPathFromResource("authentication/tls/ec/client.cert.pem"); + + // EC KeyStore + private static final String TLS_EC_KS_SERVER_STORE = + getPathFromResource("authentication/tls/ec/jks/server.keystore.jks"); + private static final String TLS_EC_KS_SERVER_PASS = "serverpw"; + private static final String TLS_EC_KS_BROKER_CLIENT_STORE = + getPathFromResource("authentication/tls/ec/jks/broker_client.keystore.jks"); + private static final String TLS_EC_KS_BROKER_CLIENT_PASS = "brokerclientpw"; + protected static final String TLS_EC_KS_CLIENT_STORE = + getPathFromResource("authentication/tls/ec/jks/client.keystore.jks"); + protected static final String TLS_EC_KS_CLIENT_PASS = "clientpw"; + protected static final String TLS_EC_KS_TRUSTED_STORE = + getPathFromResource("authentication/tls/ec/jks/ca.truststore.jks"); + protected static final String TLS_EC_KS_TRUSTED_STORE_PASS = "rootpw"; } diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECCertificateFileTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECCertificateFileTest.java index 33262bb75b787..b7c6e4939a014 100644 --- a/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECCertificateFileTest.java +++ b/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECCertificateFileTest.java 
@@ -40,7 +40,7 @@ @Test -public class TlsWithECCertificateTest extends MockedPulsarStandalone { +public class TlsWithECCertificateFileTest extends MockedPulsarStandalone { @BeforeClass(alwaysRun = true) public void suitSetup() { diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECKeyStoreTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECKeyStoreTest.java index b7d764c876094..0f2d944a78537 100644 --- a/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECKeyStoreTest.java +++ b/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECKeyStoreTest.java @@ -31,19 +31,22 @@ import org.apache.pulsar.client.api.Producer; import org.apache.pulsar.client.api.PulsarClient; import org.apache.pulsar.client.api.PulsarClientException; +import org.apache.pulsar.client.impl.auth.AuthenticationKeyStoreTls; import org.testng.annotations.AfterClass; import org.testng.annotations.BeforeClass; import org.testng.annotations.Test; import java.nio.charset.StandardCharsets; +import java.util.HashMap; +import java.util.Map; import java.util.UUID; @Test -public class TlsWithECJKSTest extends MockedPulsarStandalone { +public class TlsWithECKeyStoreTest extends MockedPulsarStandalone { @BeforeClass(alwaysRun = true) public void suitSetup() { - loadECTlsCertificateWithJKS(); + loadECTlsCertificateWithKeyStore(); enableTlsAuthentication(); super.start(); // start standalone service } 
@@ -72,21 +75,28 @@ public void testConnectionFailWithoutCertificate() { public void testConnectionSuccessWithCertificate() { final String topicName = "persistent://public/default/" + UUID.randomUUID(); final int testMsgNum = 10; + final Map clientAuthParams = new HashMap<>(); + clientAuthParams.put("keyStorePath", TLS_EC_KS_CLIENT_STORE); + clientAuthParams.put("keyStorePassword", TLS_EC_KS_CLIENT_PASS); final PulsarAdmin admin = PulsarAdmin.builder() - .tlsKeyStorePath(TLS_EC_JKS_CLIENT_STORE) - .tlsKeyStorePassword(TLS_EC_JKS_CLIENT_PASS) - .tlsTrustStorePath(TLS_EC_JKS_TRUST_CLIENT_STORE) - .tlsTrustStorePassword(TLS_EC_JKS_CLIENT_PASS) + .useKeyStoreTls(true) + .tlsKeyStorePath(TLS_EC_KS_CLIENT_STORE) + .tlsKeyStorePassword(TLS_EC_KS_CLIENT_PASS) + .tlsTrustStorePath(TLS_EC_KS_TRUSTED_STORE) + .tlsTrustStorePassword(TLS_EC_KS_TRUSTED_STORE_PASS) + .authentication(AuthenticationKeyStoreTls.class.getName(), mapper.writeValueAsString(clientAuthParams)) .serviceHttpUrl(getPulsarService().getWebServiceAddressTls()) .build(); admin.topics().createNonPartitionedTopic(topicName); admin.topics().createSubscription(topicName, "sub-1", MessageId.earliest); @Cleanup final PulsarClient client = PulsarClient.builder() .serviceUrl(getPulsarService().getBrokerServiceUrlTls()) - .tlsKeyStorePath(TLS_EC_JKS_CLIENT_STORE) - .tlsKeyStorePassword(TLS_EC_JKS_CLIENT_PASS) - .tlsTrustStorePath(TLS_EC_JKS_TRUST_CLIENT_STORE) - .tlsTrustStorePassword(TLS_EC_JKS_CLIENT_PASS) + .useKeyStoreTls(true) + .tlsKeyStorePath(TLS_EC_KS_CLIENT_STORE) + .tlsKeyStorePassword(TLS_EC_KS_CLIENT_PASS) + .tlsTrustStorePath(TLS_EC_KS_TRUSTED_STORE) + .tlsTrustStorePassword(TLS_EC_KS_TRUSTED_STORE_PASS) + .authentication(AuthenticationKeyStoreTls.class.getName(), mapper.writeValueAsString(clientAuthParams)) .build(); @Cleanup final Producer producer = client.newProducer() .topic(topicName) From 21d1a3e977da832139ca8884e38065ce8f023fbf Mon Sep 17 00:00:00 2001 
From: Mattison Chao Date: Sat, 25 Nov 2023 15:38:38 +0800 Subject: [PATCH 06/12] Fix lisence check --- pom.xml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pom.xml b/pom.xml index f04f3e1d50e6c..af3e3b5457e30 100644 --- a/pom.xml +++ b/pom.xml @@ -1656,6 +1656,8 @@ flexible messaging model and an intuitive client API. **/*.pyc **/*.graffle **/*.hgrm + **/*.jks + **/*.srl **/src/main/java/org/apache/bookkeeper/mledger/proto/MLDataFormats.java **/src/main/java/org/apache/pulsar/transaction/coordinator/proto/PulsarTransactionMetadata.java **/src/main/java/org/apache/pulsar/broker/service/schema/proto/SchemaRegistryFormat.java From 1af1c82457ac7045cf45dde105454af66aeaeda5 Mon Sep 17 00:00:00 2001 From: Mattison Chao Date: Sat, 25 Nov 2023 15:40:12 +0800 Subject: [PATCH 07/12] Add license --- .../authentication/tls/ec/server.conf | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/server.conf b/pulsar-broker/src/test/resources/authentication/tls/ec/server.conf index e4dbf070c08c4..557c2c27202db 100644 --- a/pulsar-broker/src/test/resources/authentication/tls/ec/server.conf +++ b/pulsar-broker/src/test/resources/authentication/tls/ec/server.conf 
@@ -1,3 +1,22 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + [ req ] default_bits = 2048 prompt = no From 2d2b7f9d48c7e3148aadcdf825974edeeffad6ee Mon Sep 17 00:00:00 2001 From: Mattison Chao Date: Sat, 25 Nov 2023 16:11:58 +0800 Subject: [PATCH 08/12] Fix license check --- pom.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index af3e3b5457e30..87cc863d8554f 100644 --- a/pom.xml +++ b/pom.xml @@ -1656,8 +1656,6 @@ flexible messaging model and an intuitive client API. **/*.pyc **/*.graffle **/*.hgrm - **/*.jks - **/*.srl **/src/main/java/org/apache/bookkeeper/mledger/proto/MLDataFormats.java **/src/main/java/org/apache/pulsar/transaction/coordinator/proto/PulsarTransactionMetadata.java **/src/main/java/org/apache/pulsar/broker/service/schema/proto/SchemaRegistryFormat.java @@ -1782,6 +1780,8 @@ flexible messaging model and an intuitive client API. **/*.crt **/*.key **/*.csr + **/*.srl + **/*.txt **/*.pem **/*.json **/*.htpasswd From 30e9d6e125e57d7ceb56e565379cf773b542d2fb Mon Sep 17 00:00:00 2001 
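Review bot: The added `**/*.txt` entry in the `@@ -1782,6 +1780,8 @@` hunk exempts every text file in the repository from this check, although only the command lists added in this series appear to need it. Assuming this list is the license-header exclusion (the enclosing plugin element is outside the hunk), a future `.txt` file without a header would pass unnoticed. The command lists use `#` comments, so they can carry the same Apache header this series adds to `server.conf`, which makes the exclusion unnecessary. If an exclusion is kept, I would scope it to the fixture directory, e.g. `**/authentication/tls/ec/**/*.txt`, adjusted to wherever the files finally live.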
From: Jiwe Guo Date: Mon, 27 Nov 2023 13:36:41 +0800 Subject: [PATCH 09/12] close PulsarAdmin --- .../pulsar/security/tls/ec/TlsWithECCertificateFileTest.java | 2 +- .../apache/pulsar/security/tls/ec/TlsWithECKeyStoreTest.java | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECCertificateFileTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECCertificateFileTest.java index b7c6e4939a014..e6cb7a92829ae 100644 --- a/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECCertificateFileTest.java +++ b/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECCertificateFileTest.java @@ -74,7 +74,7 @@ public void testConnectionSuccessWithCertificate() { final AuthenticationTls authentication = new AuthenticationTls(TLS_EC_CLIENT_CERT_PATH, TLS_EC_CLIENT_KEY_PATH); final String topicName = "persistent://public/default/" + UUID.randomUUID(); final int testMsgNum = 10; - final PulsarAdmin admin = PulsarAdmin.builder() + @Cleanup final PulsarAdmin admin = PulsarAdmin.builder() .authentication(authentication) .serviceHttpUrl(getPulsarService().getWebServiceAddressTls()) .tlsTrustCertsFilePath(TLS_EC_TRUSTED_CERT_PATH) diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECKeyStoreTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECKeyStoreTest.java index 0f2d944a78537..017eac7d0bdc8 100644 --- a/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECKeyStoreTest.java +++ b/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECKeyStoreTest.java 
@@ -78,7 +78,7 @@ public void testConnectionSuccessWithCertificate() { final Map clientAuthParams = new HashMap<>(); clientAuthParams.put("keyStorePath", TLS_EC_KS_CLIENT_STORE); clientAuthParams.put("keyStorePassword", TLS_EC_KS_CLIENT_PASS); - final PulsarAdmin admin = PulsarAdmin.builder() + @Cleanup final PulsarAdmin admin = PulsarAdmin.builder() .useKeyStoreTls(true) .tlsKeyStorePath(TLS_EC_KS_CLIENT_STORE) .tlsKeyStorePassword(TLS_EC_KS_CLIENT_PASS) From 109e1f6250f6c848f0549dd72d081942ad370eee Mon Sep 17 00:00:00 2001 From: Qiang Zhao Date: Mon, 27 Nov 2023 17:31:52 +0800 Subject: [PATCH 10/12] Update pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java Co-authored-by: Zixuan Liu --- .../java/org/apache/pulsar/common/util/SecurityUtility.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java b/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java index c61969dbf8099..8c1f1f5d8b39c 100644 --- a/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java +++ b/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java @@ -521,7 +521,7 @@ public static PrivateKey loadPrivateKeyFromPemStream(InputStream inStream) throw sb.append(currentLine); } final KeySpec keySpec = new PKCS8EncodedKeySpec(Base64.getDecoder().decode(sb.toString())); - final List failedAlgorithm = new ArrayList<>(3); + final List failedAlgorithm = new ArrayList<>(KEY_FACTORIES.size()); for (KeyFactory kf : KEY_FACTORIES) { try { return kf.generatePrivate(keySpec); From e33b50e0d0f8a5c41af942bd38d2ac6c5a2b2d1d Mon Sep 17 00:00:00 2001 
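Review bot: In the `SecurityUtility` hunk, `Base64.getDecoder().decode(sb.toString())` on the line above the change uses the basic decoder, which throws `IllegalArgumentException` on any character outside the Base64 alphabet. A key file with trailing whitespace on a line would then fail with an unchecked exception rather than a checked one the caller handles. Whether lines are trimmed before `sb.append(currentLine)` is outside the hunk, so this may already be covered; if it is not, `Base64.getMimeDecoder()` ignores such characters. Separately, `failedAlgorithm` collects several entries and would read better as `failedAlgorithms`. The body of `loadPrivateKeyFromPemStream` starts and ends outside the hunk.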
From: Mattison Chao Date: Mon, 27 Nov 2023 17:46:37 +0800 Subject: [PATCH 11/12] Move MockedPulsarStandalone to other package --- .../pulsar/{base => security/tls}/MockedPulsarStandalone.java | 2 +- .../pulsar/security/tls/ec/TlsWithECCertificateFileTest.java | 2 +- .../apache/pulsar/security/tls/ec/TlsWithECKeyStoreTest.java | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) rename pulsar-broker/src/test/java/org/apache/pulsar/{base => security/tls}/MockedPulsarStandalone.java (99%) diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/base/MockedPulsarStandalone.java b/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/MockedPulsarStandalone.java similarity index 99% rename from pulsar-broker/src/test/java/org/apache/pulsar/base/MockedPulsarStandalone.java rename to pulsar-broker/src/test/java/org/apache/pulsar/security/tls/MockedPulsarStandalone.java index f8fb03fb09fd4..5650df0165be8 100644 --- a/pulsar-broker/src/test/java/org/apache/pulsar/base/MockedPulsarStandalone.java +++ b/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/MockedPulsarStandalone.java @@ -16,7 +16,7 @@ * specific language governing permissions and limitations * under the License. */ -package org.apache.pulsar.base; +package org.apache.pulsar.security.tls; import static java.util.Objects.requireNonNull; import com.fasterxml.jackson.databind.ObjectMapper; diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECCertificateFileTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECCertificateFileTest.java index e6cb7a92829ae..39d9b7326d104 100644 --- a/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECCertificateFileTest.java +++ b/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECCertificateFileTest.java 
@@ -25,7 +25,7 @@ import java.util.UUID; import lombok.Cleanup; import lombok.SneakyThrows; -import org.apache.pulsar.base.MockedPulsarStandalone; +import org.apache.pulsar.security.tls.MockedPulsarStandalone; import org.apache.pulsar.client.admin.PulsarAdmin; import org.apache.pulsar.client.api.Consumer; import org.apache.pulsar.client.api.Message; diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECKeyStoreTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECKeyStoreTest.java index 017eac7d0bdc8..e39ad67e4a9d1 100644 --- a/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECKeyStoreTest.java +++ b/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/ec/TlsWithECKeyStoreTest.java @@ -23,7 +23,7 @@ import static org.testng.Assert.assertNotNull; import lombok.Cleanup; import lombok.SneakyThrows; -import org.apache.pulsar.base.MockedPulsarStandalone; +import org.apache.pulsar.security.tls.MockedPulsarStandalone; import org.apache.pulsar.client.admin.PulsarAdmin; import org.apache.pulsar.client.api.Consumer; import org.apache.pulsar.client.api.Message; From 7958b2d895d9ae53d6be8d5e9476a56c9b6c54ea Mon Sep 17 00:00:00 2001 
From: Mattison Chao Date: Mon, 27 Nov 2023 18:25:12 +0800 Subject: [PATCH 12/12] Move pem to unified directory --- .../security/tls/MockedPulsarStandalone.java | 28 ++++++++---------- .../ec/broker_client.cert.pem | 0 .../ec/broker_client.csr.pem | 0 .../ec/broker_client.key-pk8.pem | 0 .../ec/broker_client.key.pem | 0 .../certificate-authority}/ec/ca.cert.pem | 0 .../certificate-authority}/ec/ca.cert.srl | 0 .../certificate-authority}/ec/ca.key.pem | 0 .../ec/certificate_generation.txt | 0 .../certificate-authority}/ec/client.cert.pem | 0 .../certificate-authority}/ec/client.csr.pem | 0 .../ec/client.key-pk8.pem | 0 .../certificate-authority}/ec/client.key.pem | 0 .../ec/jks/broker_client.cert.pem | 0 .../ec/jks/broker_client.keystore.jks | Bin .../ec/jks/broker_client.signed.cert.pem | 0 .../certificate-authority}/ec/jks/ca.cert.pem | 0 .../certificate-authority}/ec/jks/ca.cert.srl | 0 .../certificate-authority}/ec/jks/ca.key.pem | 0 .../ec/jks/ca.truststore.jks | Bin .../ec/jks/client.cert.pem | 0 .../ec/jks/client.keystore.jks | Bin .../ec/jks/client.signed.cert.pem | 0 .../ec/jks/key_store_generation.txt | 0 .../ec/jks/server.cert.pem | 0 .../ec/jks/server.keystore.jks | Bin .../ec/jks/server.signed.cert.pem | 0 .../certificate-authority}/ec/server.cert.pem | 0 .../certificate-authority}/ec/server.conf | 0 .../certificate-authority}/ec/server.csr.pem | 0 .../ec/server.key-pk8.pem | 0 .../certificate-authority}/ec/server.key.pem | 0 32 files changed, 12 insertions(+), 16 deletions(-) rename {pulsar-broker/src/test/resources/authentication/tls => tests/certificate-authority}/ec/broker_client.cert.pem (100%) rename {pulsar-broker/src/test/resources/authentication/tls => tests/certificate-authority}/ec/broker_client.csr.pem (100%) rename {pulsar-broker/src/test/resources/authentication/tls => tests/certificate-authority}/ec/broker_client.key-pk8.pem (100%) rename {pulsar-broker/src/test/resources/authentication/tls => 
tests/certificate-authority}/ec/broker_client.key.pem (100%) rename {pulsar-broker/src/test/resources/authentication/tls => tests/certificate-authority}/ec/ca.cert.pem (100%) rename {pulsar-broker/src/test/resources/authentication/tls => tests/certificate-authority}/ec/ca.cert.srl (100%) rename {pulsar-broker/src/test/resources/authentication/tls => tests/certificate-authority}/ec/ca.key.pem (100%) rename {pulsar-broker/src/test/resources/authentication/tls => tests/certificate-authority}/ec/certificate_generation.txt (100%) rename {pulsar-broker/src/test/resources/authentication/tls => tests/certificate-authority}/ec/client.cert.pem (100%) rename {pulsar-broker/src/test/resources/authentication/tls => tests/certificate-authority}/ec/client.csr.pem (100%) rename {pulsar-broker/src/test/resources/authentication/tls => tests/certificate-authority}/ec/client.key-pk8.pem (100%) rename {pulsar-broker/src/test/resources/authentication/tls => tests/certificate-authority}/ec/client.key.pem (100%) rename {pulsar-broker/src/test/resources/authentication/tls => tests/certificate-authority}/ec/jks/broker_client.cert.pem (100%) rename {pulsar-broker/src/test/resources/authentication/tls => tests/certificate-authority}/ec/jks/broker_client.keystore.jks (100%) rename {pulsar-broker/src/test/resources/authentication/tls => tests/certificate-authority}/ec/jks/broker_client.signed.cert.pem (100%) rename {pulsar-broker/src/test/resources/authentication/tls => tests/certificate-authority}/ec/jks/ca.cert.pem (100%) rename {pulsar-broker/src/test/resources/authentication/tls => tests/certificate-authority}/ec/jks/ca.cert.srl (100%) rename {pulsar-broker/src/test/resources/authentication/tls => tests/certificate-authority}/ec/jks/ca.key.pem (100%) rename {pulsar-broker/src/test/resources/authentication/tls => tests/certificate-authority}/ec/jks/ca.truststore.jks (100%) rename {pulsar-broker/src/test/resources/authentication/tls => tests/certificate-authority}/ec/jks/client.cert.pem 
(100%) rename {pulsar-broker/src/test/resources/authentication/tls => tests/certificate-authority}/ec/jks/client.keystore.jks (100%) rename {pulsar-broker/src/test/resources/authentication/tls => tests/certificate-authority}/ec/jks/client.signed.cert.pem (100%) rename {pulsar-broker/src/test/resources/authentication/tls => tests/certificate-authority}/ec/jks/key_store_generation.txt (100%) rename {pulsar-broker/src/test/resources/authentication/tls => tests/certificate-authority}/ec/jks/server.cert.pem (100%) rename {pulsar-broker/src/test/resources/authentication/tls => tests/certificate-authority}/ec/jks/server.keystore.jks (100%) rename {pulsar-broker/src/test/resources/authentication/tls => tests/certificate-authority}/ec/jks/server.signed.cert.pem (100%) rename {pulsar-broker/src/test/resources/authentication/tls => tests/certificate-authority}/ec/server.cert.pem (100%) rename {pulsar-broker/src/test/resources/authentication/tls => tests/certificate-authority}/ec/server.conf (100%) rename {pulsar-broker/src/test/resources/authentication/tls => tests/certificate-authority}/ec/server.csr.pem (100%) rename {pulsar-broker/src/test/resources/authentication/tls => tests/certificate-authority}/ec/server.key-pk8.pem (100%) rename {pulsar-broker/src/test/resources/authentication/tls => tests/certificate-authority}/ec/server.key.pem (100%) diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/MockedPulsarStandalone.java b/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/MockedPulsarStandalone.java index 5650df0165be8..91c2f784cd70e 100644 --- a/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/MockedPulsarStandalone.java +++ b/pulsar-broker/src/test/java/org/apache/pulsar/security/tls/MockedPulsarStandalone.java 
@@ -18,7 +18,7 @@ */ package org.apache.pulsar.security.tls; -import static java.util.Objects.requireNonNull; +import static org.apache.pulsar.utils.ResourceUtils.getAbsolutePath; import com.fasterxml.jackson.databind.ObjectMapper; import com.google.common.collect.Sets; import java.util.HashMap; @@ -140,10 +140,6 @@ public void close() throws Exception { } } - private static String getPathFromResource(String resourceName) { - return requireNonNull(MockedPulsarStandalone.class.getClassLoader().getResource(resourceName)).getPath(); - } - // Utils protected static final ObjectMapper mapper = new ObjectMapper(); 
@@ -154,31 +150,31 @@ private static String getPathFromResource(String resourceName) { // EC certificate protected static final String TLS_EC_TRUSTED_CERT_PATH = - getPathFromResource("authentication/tls/ec/ca.cert.pem"); + getAbsolutePath("certificate-authority/ec/ca.cert.pem"); private static final String TLS_EC_SERVER_KEY_PATH = - getPathFromResource("authentication/tls/ec/server.key-pk8.pem"); + getAbsolutePath("certificate-authority/ec/server.key-pk8.pem"); private static final String TLS_EC_SERVER_CERT_PATH = - getPathFromResource("authentication/tls/ec/server.cert.pem"); + getAbsolutePath("certificate-authority/ec/server.cert.pem"); private static final String TLS_EC_BROKER_CLIENT_KEY_PATH = - getPathFromResource("authentication/tls/ec/broker_client.key-pk8.pem"); + getAbsolutePath("certificate-authority/ec/broker_client.key-pk8.pem"); private static final String TLS_EC_BROKER_CLIENT_CERT_PATH = - getPathFromResource("authentication/tls/ec/broker_client.cert.pem"); + getAbsolutePath("certificate-authority/ec/broker_client.cert.pem"); protected static final String TLS_EC_CLIENT_KEY_PATH = - getPathFromResource("authentication/tls/ec/client.key-pk8.pem"); + getAbsolutePath("certificate-authority/ec/client.key-pk8.pem"); protected static final String TLS_EC_CLIENT_CERT_PATH = - getPathFromResource("authentication/tls/ec/client.cert.pem"); + getAbsolutePath("certificate-authority/ec/client.cert.pem"); // EC KeyStore private static final String TLS_EC_KS_SERVER_STORE = - getPathFromResource("authentication/tls/ec/jks/server.keystore.jks"); + getAbsolutePath("certificate-authority/ec/jks/server.keystore.jks"); private static final String TLS_EC_KS_SERVER_PASS = "serverpw"; private static final String TLS_EC_KS_BROKER_CLIENT_STORE = - getPathFromResource("authentication/tls/ec/jks/broker_client.keystore.jks"); + getAbsolutePath("certificate-authority/ec/jks/broker_client.keystore.jks"); private static final String TLS_EC_KS_BROKER_CLIENT_PASS = "brokerclientpw"; 
protected static final String TLS_EC_KS_CLIENT_STORE = - getPathFromResource("authentication/tls/ec/jks/client.keystore.jks"); + getAbsolutePath("certificate-authority/ec/jks/client.keystore.jks"); protected static final String TLS_EC_KS_CLIENT_PASS = "clientpw"; protected static final String TLS_EC_KS_TRUSTED_STORE = - getPathFromResource("authentication/tls/ec/jks/ca.truststore.jks"); + getAbsolutePath("certificate-authority/ec/jks/ca.truststore.jks"); protected static final String TLS_EC_KS_TRUSTED_STORE_PASS = "rootpw"; }
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/broker_client.cert.pem b/tests/certificate-authority/ec/broker_client.cert.pem
similarity index 100%
rename from pulsar-broker/src/test/resources/authentication/tls/ec/broker_client.cert.pem
rename to tests/certificate-authority/ec/broker_client.cert.pem
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/broker_client.csr.pem b/tests/certificate-authority/ec/broker_client.csr.pem
similarity index 100%
rename from pulsar-broker/src/test/resources/authentication/tls/ec/broker_client.csr.pem
rename to tests/certificate-authority/ec/broker_client.csr.pem
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/broker_client.key-pk8.pem b/tests/certificate-authority/ec/broker_client.key-pk8.pem
similarity index 100%
rename from pulsar-broker/src/test/resources/authentication/tls/ec/broker_client.key-pk8.pem
rename to tests/certificate-authority/ec/broker_client.key-pk8.pem
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/broker_client.key.pem b/tests/certificate-authority/ec/broker_client.key.pem
similarity index 100%
rename from pulsar-broker/src/test/resources/authentication/tls/ec/broker_client.key.pem
rename to tests/certificate-authority/ec/broker_client.key.pem
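Review bot: The EC constants in this hunk now resolve private keys, keystores and a truststore from the shared `tests/certificate-authority/ec` tree, while the store passwords (`"serverpw"`, `"brokerclientpw"`, `"clientpw"`, `"rootpw"`) stay as literals beside them, and nothing marks the block as test-only material. I would add a comment above `// EC certificate`, for example `// Test-only fixtures: these keys and passwords are committed to the repository and must never be reused for a real broker or client.` The removed `getPathFromResource` wrapped the lookup in `requireNonNull`, so a missing fixture failed at class initialisation. Whether `ResourceUtils.getAbsolutePath` fails as early is not visible here and is worth confirming, since a silently wrong path would only surface later as a keystore-load or TLS handshake error. The enclosing class starts outside the hunk.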
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/ca.cert.pem b/tests/certificate-authority/ec/ca.cert.pem
similarity index 100%
rename from pulsar-broker/src/test/resources/authentication/tls/ec/ca.cert.pem
rename to tests/certificate-authority/ec/ca.cert.pem
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/ca.cert.srl b/tests/certificate-authority/ec/ca.cert.srl
similarity index 100%
rename from pulsar-broker/src/test/resources/authentication/tls/ec/ca.cert.srl
rename to tests/certificate-authority/ec/ca.cert.srl
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/ca.key.pem b/tests/certificate-authority/ec/ca.key.pem
similarity index 100%
rename from pulsar-broker/src/test/resources/authentication/tls/ec/ca.key.pem
rename to tests/certificate-authority/ec/ca.key.pem
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/certificate_generation.txt b/tests/certificate-authority/ec/certificate_generation.txt
similarity index 100%
rename from pulsar-broker/src/test/resources/authentication/tls/ec/certificate_generation.txt
rename to tests/certificate-authority/ec/certificate_generation.txt
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/client.cert.pem b/tests/certificate-authority/ec/client.cert.pem
similarity index 100%
rename from pulsar-broker/src/test/resources/authentication/tls/ec/client.cert.pem
rename to tests/certificate-authority/ec/client.cert.pem
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/client.csr.pem b/tests/certificate-authority/ec/client.csr.pem
similarity index 100%
rename from pulsar-broker/src/test/resources/authentication/tls/ec/client.csr.pem
rename to tests/certificate-authority/ec/client.csr.pem
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/client.key-pk8.pem b/tests/certificate-authority/ec/client.key-pk8.pem
similarity index 100%
rename from pulsar-broker/src/test/resources/authentication/tls/ec/client.key-pk8.pem
rename to tests/certificate-authority/ec/client.key-pk8.pem
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/client.key.pem b/tests/certificate-authority/ec/client.key.pem
similarity index 100%
rename from pulsar-broker/src/test/resources/authentication/tls/ec/client.key.pem
rename to tests/certificate-authority/ec/client.key.pem
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/jks/broker_client.cert.pem b/tests/certificate-authority/ec/jks/broker_client.cert.pem
similarity index 100%
rename from pulsar-broker/src/test/resources/authentication/tls/ec/jks/broker_client.cert.pem
rename to tests/certificate-authority/ec/jks/broker_client.cert.pem
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/jks/broker_client.keystore.jks b/tests/certificate-authority/ec/jks/broker_client.keystore.jks
similarity index 100%
rename from pulsar-broker/src/test/resources/authentication/tls/ec/jks/broker_client.keystore.jks
rename to tests/certificate-authority/ec/jks/broker_client.keystore.jks
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/jks/broker_client.signed.cert.pem b/tests/certificate-authority/ec/jks/broker_client.signed.cert.pem
similarity index 100%
rename from pulsar-broker/src/test/resources/authentication/tls/ec/jks/broker_client.signed.cert.pem
rename to tests/certificate-authority/ec/jks/broker_client.signed.cert.pem
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/jks/ca.cert.pem b/tests/certificate-authority/ec/jks/ca.cert.pem
similarity index 100%
rename from pulsar-broker/src/test/resources/authentication/tls/ec/jks/ca.cert.pem
rename to tests/certificate-authority/ec/jks/ca.cert.pem
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/jks/ca.cert.srl b/tests/certificate-authority/ec/jks/ca.cert.srl
similarity index 100%
rename from pulsar-broker/src/test/resources/authentication/tls/ec/jks/ca.cert.srl
rename to tests/certificate-authority/ec/jks/ca.cert.srl
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/jks/ca.key.pem b/tests/certificate-authority/ec/jks/ca.key.pem
similarity index 100%
rename from pulsar-broker/src/test/resources/authentication/tls/ec/jks/ca.key.pem
rename to tests/certificate-authority/ec/jks/ca.key.pem
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/jks/ca.truststore.jks b/tests/certificate-authority/ec/jks/ca.truststore.jks
similarity index 100%
rename from pulsar-broker/src/test/resources/authentication/tls/ec/jks/ca.truststore.jks
rename to tests/certificate-authority/ec/jks/ca.truststore.jks
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/jks/client.cert.pem b/tests/certificate-authority/ec/jks/client.cert.pem
similarity index 100%
rename from pulsar-broker/src/test/resources/authentication/tls/ec/jks/client.cert.pem
rename to tests/certificate-authority/ec/jks/client.cert.pem
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/jks/client.keystore.jks b/tests/certificate-authority/ec/jks/client.keystore.jks
similarity index 100%
rename from pulsar-broker/src/test/resources/authentication/tls/ec/jks/client.keystore.jks
rename to tests/certificate-authority/ec/jks/client.keystore.jks
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/jks/client.signed.cert.pem b/tests/certificate-authority/ec/jks/client.signed.cert.pem
similarity index 100%
rename from pulsar-broker/src/test/resources/authentication/tls/ec/jks/client.signed.cert.pem
rename to tests/certificate-authority/ec/jks/client.signed.cert.pem
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/jks/key_store_generation.txt b/tests/certificate-authority/ec/jks/key_store_generation.txt
similarity index 100%
rename from pulsar-broker/src/test/resources/authentication/tls/ec/jks/key_store_generation.txt
rename to tests/certificate-authority/ec/jks/key_store_generation.txt
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/jks/server.cert.pem b/tests/certificate-authority/ec/jks/server.cert.pem
similarity index 100%
rename from pulsar-broker/src/test/resources/authentication/tls/ec/jks/server.cert.pem
rename to tests/certificate-authority/ec/jks/server.cert.pem
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/jks/server.keystore.jks b/tests/certificate-authority/ec/jks/server.keystore.jks
similarity index 100%
rename from pulsar-broker/src/test/resources/authentication/tls/ec/jks/server.keystore.jks
rename to tests/certificate-authority/ec/jks/server.keystore.jks
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/jks/server.signed.cert.pem b/tests/certificate-authority/ec/jks/server.signed.cert.pem
similarity index 100%
rename from pulsar-broker/src/test/resources/authentication/tls/ec/jks/server.signed.cert.pem
rename to tests/certificate-authority/ec/jks/server.signed.cert.pem
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/server.cert.pem b/tests/certificate-authority/ec/server.cert.pem
similarity index 100%
rename from pulsar-broker/src/test/resources/authentication/tls/ec/server.cert.pem
rename to tests/certificate-authority/ec/server.cert.pem
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/server.conf b/tests/certificate-authority/ec/server.conf
similarity index 100%
rename from pulsar-broker/src/test/resources/authentication/tls/ec/server.conf
rename to tests/certificate-authority/ec/server.conf
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/server.csr.pem b/tests/certificate-authority/ec/server.csr.pem
similarity index 100%
rename from pulsar-broker/src/test/resources/authentication/tls/ec/server.csr.pem
rename to tests/certificate-authority/ec/server.csr.pem
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/server.key-pk8.pem b/tests/certificate-authority/ec/server.key-pk8.pem
similarity index 100%
rename from pulsar-broker/src/test/resources/authentication/tls/ec/server.key-pk8.pem
rename to tests/certificate-authority/ec/server.key-pk8.pem
diff --git a/pulsar-broker/src/test/resources/authentication/tls/ec/server.key.pem b/tests/certificate-authority/ec/server.key.pem
similarity index 100%
rename from pulsar-broker/src/test/resources/authentication/tls/ec/server.key.pem
rename to tests/certificate-authority/ec/server.key.pem