ARTEMIS-5599 Support key password in Netty SSL

Author: hyperxpro

artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java

@@ -241,6 +241,8 @@ public class NettyConnector extends AbstractConnector {
 
    private String keyStorePassword;
 
+   private String keyPassword;
+
    private String keyStoreAlias;
 
    private String trustStoreProvider;
@@ -418,6 +420,8 @@ public NettyConnector(final Map<String, Object> configuration,
 
          keyStorePassword = ConfigurationHelper.getPasswordProperty(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, TransportConstants.DEFAULT_KEYSTORE_PASSWORD, configuration, ActiveMQDefaultConfiguration.getPropMaskPassword(), ActiveMQDefaultConfiguration.getPropPasswordCodec());
 
+         keyPassword = ConfigurationHelper.getPasswordProperty(TransportConstants.KEY_PASSWORD_PROP_NAME, TransportConstants.DEFAULT_KEY_PASSWORD, configuration, ActiveMQDefaultConfiguration.getPropMaskPassword(), ActiveMQDefaultConfiguration.getPropPasswordCodec());
+
          keyStoreAlias = ConfigurationHelper.getStringProperty(TransportConstants.KEYSTORE_ALIAS_PROP_NAME, TransportConstants.DEFAULT_KEYSTORE_ALIAS, configuration);
 
          trustStoreProvider = ConfigurationHelper.getStringProperty(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, TransportConstants.DEFAULT_TRUSTSTORE_PROVIDER, configuration);
@@ -456,6 +460,7 @@ public NettyConnector(final Map<String, Object> configuration,
          keyStoreType = TransportConstants.DEFAULT_KEYSTORE_TYPE;
          keyStorePath = TransportConstants.DEFAULT_KEYSTORE_PATH;
          keyStorePassword = TransportConstants.DEFAULT_KEYSTORE_PASSWORD;
+         keyPassword = TransportConstants.DEFAULT_KEY_PASSWORD;
          keyStoreAlias = TransportConstants.DEFAULT_KEYSTORE_ALIAS;
          crcOptions = TransportConstants.DEFAULT_CRC_OPTIONS;
          ocspResponderURL = TransportConstants.DEFAULT_OCSP_RESPONDER_URL;
@@ -604,6 +609,7 @@ public synchronized void start() {
       final String realKeyStoreProvider;
       final String realKeyStoreType;
       final String realKeyStorePassword;
+      final String realKeyPassword;
       final String realKeyStoreAlias;
       final String realTrustStorePath;
       final String realTrustStoreProvider;
@@ -616,6 +622,7 @@ public synchronized void start() {
             realKeyStoreProvider = keyStoreProvider;
             realKeyStoreType = keyStoreType;
             realKeyStorePassword = keyStorePassword;
+            realKeyPassword = keyPassword;
             realKeyStoreAlias = keyStoreAlias;
             realTrustStorePath = trustStorePath;
             realTrustStoreProvider = trustStoreProvider;
@@ -630,6 +637,7 @@ public synchronized void start() {
                tempKeyStorePassword = processSslPasswordProperty(tempKeyStorePassword, tempPasswordCodecClass);
             }
             realKeyStorePassword = tempKeyStorePassword;
+            realKeyPassword = keyPassword;
             realKeyStoreAlias = keyStoreAlias;
 
             Pair<String, String> keyStoreCompat = SSLSupport.getValidProviderAndType(Stream.of(System.getProperty(ACTIVEMQ_KEYSTORE_PROVIDER_PROP_NAME), System.getProperty(JAVAX_KEYSTORE_PROVIDER_PROP_NAME), keyStoreProvider).map(v -> useDefaultSslContext ? keyStoreProvider : v).filter(Objects::nonNull).findFirst().orElse(null),
@@ -654,6 +662,7 @@ public synchronized void start() {
          realKeyStoreProvider = null;
          realKeyStoreType = null;
          realKeyStorePassword = null;
+         realKeyPassword = null;
          realKeyStoreAlias = null;
          realTrustStorePath = null;
          realTrustStoreProvider = null;
@@ -690,6 +699,7 @@ public void initChannel(Channel channel) throws Exception {
                   .keystorePath(realKeyStorePath)
                   .keystoreType(realKeyStoreType)
                   .keystorePassword(realKeyStorePassword)
+                  .keyPassword(realKeyPassword)
                   .keystoreAlias(realKeyStoreAlias)
                   .truststoreProvider(realTrustStoreProvider)
                   .truststorePath(realTrustStorePath)

artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/TransportConstants.java

@@ -112,6 +112,8 @@ public class TransportConstants {
 
    public static final String KEYSTORE_PASSWORD_PROP_NAME = "keyStorePassword";
 
+   public static final String KEY_PASSWORD_PROP_NAME = "keyPassword";
+
    public static final String KEYSTORE_ALIAS_PROP_NAME = "keyStoreAlias";
 
    public static final String TRUSTSTORE_PROVIDER_PROP_NAME = "trustStoreProvider";
@@ -248,6 +250,8 @@ public class TransportConstants {
 
    public static final String DEFAULT_KEYSTORE_PASSWORD = null;
 
+   public static final String DEFAULT_KEY_PASSWORD = null;
+
    public static final String DEFAULT_TRUSTSTORE_PROVIDER = null;
 
    public static final String DEFAULT_TRUSTSTORE_TYPE = "JKS";
@@ -449,6 +453,7 @@ private static int parseDefaultVariable(String variableName, int defaultValue) {
       allowableAcceptorKeys.add(TransportConstants.KEYSTORE_TYPE_PROP_NAME);
       allowableAcceptorKeys.add(TransportConstants.KEYSTORE_PATH_PROP_NAME);
       allowableAcceptorKeys.add(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME);
+      allowableAcceptorKeys.add(TransportConstants.KEY_PASSWORD_PROP_NAME);
       allowableAcceptorKeys.add(TransportConstants.KEYSTORE_ALIAS_PROP_NAME);
       allowableAcceptorKeys.add(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME);
       allowableAcceptorKeys.add(TransportConstants.TRUSTSTORE_TYPE_PROP_NAME);
@@ -526,6 +531,7 @@ private static int parseDefaultVariable(String variableName, int defaultValue) {
       allowableConnectorKeys.add(TransportConstants.KEYSTORE_TYPE_PROP_NAME);
       allowableConnectorKeys.add(TransportConstants.KEYSTORE_PATH_PROP_NAME);
       allowableConnectorKeys.add(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME);
+      allowableConnectorKeys.add(TransportConstants.KEY_PASSWORD_PROP_NAME);
       allowableConnectorKeys.add(TransportConstants.KEYSTORE_ALIAS_PROP_NAME);
       allowableConnectorKeys.add(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME);
       allowableConnectorKeys.add(TransportConstants.TRUSTSTORE_TYPE_PROP_NAME);

artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/ssl/SSLSupport.java

@@ -80,6 +80,7 @@ public class SSLSupport {
    private String keystoreType = TransportConstants.DEFAULT_KEYSTORE_TYPE;
    private String keystorePath = TransportConstants.DEFAULT_KEYSTORE_PATH;
    private String keystorePassword = TransportConstants.DEFAULT_KEYSTORE_PASSWORD;
+   private String keyPassword = TransportConstants.DEFAULT_KEY_PASSWORD;
    private String truststoreProvider = TransportConstants.DEFAULT_TRUSTSTORE_PROVIDER;
    private String truststoreType = TransportConstants.DEFAULT_TRUSTSTORE_TYPE;
    private String truststorePath = TransportConstants.DEFAULT_TRUSTSTORE_PATH;
@@ -100,6 +101,7 @@ public SSLSupport(final SSLContextConfig config) {
       keystorePath = config.getKeystorePath();
       keystoreType = config.getKeystoreType();
       keystorePassword = config.getKeystorePassword();
+      keyPassword = config.getKeyPassword();
       truststoreProvider = config.getTruststoreProvider();
       truststorePath = config.getTruststorePath();
       truststoreType = config.getTruststoreType();
@@ -148,6 +150,15 @@ public SSLSupport setKeystorePassword(String keystorePassword) {
       return this;
    }
 
+   public String getKeyPassword() {
+      return keyPassword;
+   }
+
+   public SSLSupport setKeyPassword(String keyPassword) {
+      this.keyPassword = keyPassword;
+      return this;
+   }
+
    public String getKeystoreAlias() {
       return keystoreAlias;
    }
@@ -262,7 +273,7 @@ public SslContext createNettyContext() throws Exception {
          Pair<PrivateKey, X509Certificate[]> privateKeyAndCertChain = getPrivateKeyAndCertChain(keyStore);
          sslContextBuilder = SslContextBuilder.forServer(privateKeyAndCertChain.getA(), privateKeyAndCertChain.getB());
       } else {
-         sslContextBuilder = SslContextBuilder.forServer(getKeyManagerFactory(keyStore, keystorePassword == null ? null : keystorePassword.toCharArray()));
+         sslContextBuilder = SslContextBuilder.forServer(getKeyManagerFactory(keyStore, getKeyPasswordOrDefault()));
       }
       return sslContextBuilder
          .sslProvider(SslProvider.valueOf(sslProvider))
@@ -280,7 +291,7 @@ public SslContext createNettyClientContext() throws Exception {
          Pair<PrivateKey, X509Certificate[]> privateKeyAndCertChain = getPrivateKeyAndCertChain(keyStore);
          sslContextBuilder.keyManager(privateKeyAndCertChain.getA(), privateKeyAndCertChain.getB());
       } else {
-         sslContextBuilder.keyManager(getKeyManagerFactory(keyStore, keystorePassword == null ? null : keystorePassword.toCharArray()));
+         sslContextBuilder.keyManager(getKeyManagerFactory(keyStore, getKeyPasswordOrDefault()));
       }
 
       return sslContextBuilder.build();
@@ -509,7 +520,7 @@ private KeyManagerFactory loadKeyManagerFactory() throws Exception {
       } else {
          KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
          KeyStore ks = SSLSupport.loadKeystore(keystoreProvider, keystoreType, keystorePath, keystorePassword);
-         kmf.init(ks, keystorePassword == null ? null : keystorePassword.toCharArray());
+         kmf.init(ks, getKeyPasswordOrDefault());
          return kmf;
       }
    }
@@ -545,7 +556,7 @@ private static URL findResource(final String resourceName) {
    }
 
    private Pair<PrivateKey, X509Certificate[]> getPrivateKeyAndCertChain(KeyStore keyStore) throws KeyStoreException, UnrecoverableKeyException, NoSuchAlgorithmException {
-      PrivateKey key = (PrivateKey) keyStore.getKey(keystoreAlias, keystorePassword.toCharArray());
+      PrivateKey key = (PrivateKey) keyStore.getKey(keystoreAlias, getKeyPasswordOrDefault());
       if (key == null) {
          throw ActiveMQClientMessageBundle.BUNDLE.keystoreAliasNotFound(keystoreAlias, keystorePath);
       }
@@ -562,6 +573,13 @@ private KeyManagerFactory getKeyManagerFactory(KeyStore keyStore, char[] keystor
       return keyManagerFactory;
    }
 
+   private char[] getKeyPasswordOrDefault() {
+      if (keyPassword != null) {
+         return keyPassword.toCharArray();
+      }
+      return keystorePassword != null ? keystorePassword.toCharArray() : null;
+   }
+
    /**
     * The changes ARTEMIS-3155 introduced an incompatibility with old clients using the keyStoreProvider and
     * trustStoreProvider URL properties. These old clients use these properties to set the *type* of store (e.g. PKCS12,

artemis-core-client/src/main/java/org/apache/activemq/artemis/spi/core/remoting/ssl/SSLContextConfig.java

@@ -32,6 +32,7 @@ public static final class Builder {
       private String keystorePath = TransportConstants.DEFAULT_KEYSTORE_PATH;
       private String keystoreType = TransportConstants.DEFAULT_KEYSTORE_TYPE;
       private String keystorePassword = TransportConstants.DEFAULT_KEYSTORE_PASSWORD;
+      private String keyPassword = TransportConstants.DEFAULT_KEY_PASSWORD;
       private String keystoreProvider = TransportConstants.DEFAULT_KEYSTORE_PROVIDER;
       private String truststorePath = TransportConstants.DEFAULT_TRUSTSTORE_PATH;
       private String truststoreType = TransportConstants.DEFAULT_TRUSTSTORE_TYPE;
@@ -55,6 +56,7 @@ public Builder from(final SSLContextConfig config) {
          keystorePath = config.getKeystorePath();
          keystoreType = config.getKeystoreType();
          keystorePassword = config.getKeystorePassword();
+         keyPassword = config.getKeyPassword();
          keystoreProvider = config.getKeystoreProvider();
          truststorePath = config.getTruststorePath();
          truststoreType = config.getTruststoreType();
@@ -70,7 +72,7 @@ public Builder from(final SSLContextConfig config) {
 
       public SSLContextConfig build() {
          return new SSLContextConfig(
-            keystoreProvider, keystorePath, keystoreType, keystorePassword,
+            keystoreProvider, keystorePath, keystoreType, keystorePassword, keyPassword,
             truststoreProvider, truststorePath, truststoreType, truststorePassword,
             crlPath, trustManagerFactoryPlugin, trustAll, keystoreAlias, crcOptions, ocspResponderURL
          );
@@ -91,6 +93,11 @@ public Builder keystorePassword(final String keystorePassword) {
          return this;
       }
 
+      public Builder keyPassword(final String keyPassword) {
+         this.keyPassword = keyPassword;
+         return this;
+      }
+
       public Builder keystoreProvider(final String keystoreProvider) {
          this.keystoreProvider = keystoreProvider;
          return this;
@@ -154,6 +161,7 @@ public static  Builder builder() {
    private final String keystorePath;
    private final String keystoreType;
    private final String keystorePassword;
+   private final String keyPassword;
    private final String keystoreProvider;
    private final String truststorePath;
    private final String truststoreType;
@@ -171,6 +179,7 @@ private SSLContextConfig(final String keystoreProvider,
                             final String keystorePath,
                             final String keystoreType,
                             final String keystorePassword,
+                            final String keyPassword,
                             final String truststoreProvider,
                             final String truststorePath,
                             final String truststoreType,
@@ -185,6 +194,7 @@ private SSLContextConfig(final String keystoreProvider,
       this.keystoreType = keystoreType;
       this.keystoreProvider = keystoreProvider;
       this.keystorePassword = keystorePassword;
+      this.keyPassword = keyPassword;
       this.truststorePath = truststorePath;
       this.truststoreType = truststoreType;
       this.truststorePassword = truststorePassword;
@@ -233,6 +243,10 @@ public String getKeystorePassword() {
       return keystorePassword;
    }
 
+   public String getKeyPassword() {
+      return keyPassword;
+   }
+
    public String getKeystorePath() {
       return keystorePath;
    }
@@ -293,6 +307,7 @@ public String toString() {
          ", keystorePath=" + keystorePath +
          ", keystoreType=" + keystoreType +
          ", keystorePassword=" + (keystorePassword == null ? null : "******") +
+         ", keyPassword=" + (keyPassword == null ? null : "******") +
          ", truststoreProvider=" + truststoreProvider +
          ", truststorePath=" + truststorePath +
          ", truststoreType=" + truststoreType +

artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java

@@ -173,6 +173,8 @@ public class NettyAcceptor extends AbstractAcceptor {
 
    private final String keyStorePassword;
 
+   private final String keyPassword;
+
    private final String keystoreAlias;
 
    private final String trustStoreProvider;
@@ -332,6 +334,8 @@ public NettyAcceptor(final String name,
 
          keyStorePassword = ConfigurationHelper.getPasswordProperty(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, TransportConstants.DEFAULT_KEYSTORE_PASSWORD, configuration, ActiveMQDefaultConfiguration.getPropMaskPassword(), ActiveMQDefaultConfiguration.getPropPasswordCodec());
 
+         keyPassword = ConfigurationHelper.getPasswordProperty(TransportConstants.KEY_PASSWORD_PROP_NAME, TransportConstants.DEFAULT_KEY_PASSWORD, configuration, ActiveMQDefaultConfiguration.getPropMaskPassword(), ActiveMQDefaultConfiguration.getPropPasswordCodec());
+
          Pair<String, String> trustStoreCompat = SSLSupport.getValidProviderAndType(ConfigurationHelper.getStringProperty(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, TransportConstants.DEFAULT_TRUSTSTORE_PROVIDER, configuration),
                                                                                     ConfigurationHelper.getStringProperty(TransportConstants.TRUSTSTORE_TYPE_PROP_NAME, TransportConstants.DEFAULT_TRUSTSTORE_TYPE, configuration));
 
@@ -372,6 +376,7 @@ public NettyAcceptor(final String name,
             .keystorePath(keyStorePath)
             .keystoreType(keyStoreType)
             .keystorePassword(keyStorePassword)
+            .keyPassword(keyPassword)
             .keystoreAlias(keystoreAlias)
             .truststoreProvider(trustStoreProvider)
             .truststorePath(trustStorePath)
@@ -388,6 +393,7 @@ public NettyAcceptor(final String name,
          keyStoreType = TransportConstants.DEFAULT_KEYSTORE_TYPE;
          keyStorePath = TransportConstants.DEFAULT_KEYSTORE_PATH;
          keyStorePassword = TransportConstants.DEFAULT_KEYSTORE_PASSWORD;
+         keyPassword = TransportConstants.DEFAULT_KEY_PASSWORD;
          keystoreAlias = TransportConstants.DEFAULT_KEYSTORE_ALIAS;
          trustStoreProvider = TransportConstants.DEFAULT_TRUSTSTORE_PROVIDER;
          trustStoreType = TransportConstants.DEFAULT_TRUSTSTORE_TYPE;

docs/user-manual/configuring-transports.adoc

@@ -321,6 +321,15 @@ Although this value can be configured on the server, it is downloaded and used b
 If the client needs to use a different password from that set on the server then it can override the server-side setting by either using the customary "javax.net.ssl.keyStorePassword" system property or the Artemis-specific "org.apache.activemq.ssl.keyStorePassword" system property.
 The Artemis-specific system property is useful if another component on the client is already making use of the standard Java system property.
 
+keyPassword::
+The password used to access the private key within the keystore.
+When not set (the default), `keyStorePassword` is used for both opening the keystore and accessing the private key.
+This is useful when the keystore and its private key have different passwords, which is supported by JKS and JCEKS keystore types.
++
+NOTE: PKCS12 keystores do not support separate key and store passwords.
++
+Default is `null`.
+
 keyStoreType::
 The type of keystore being used.
 For example, `JKS`, `JCEKS`, `PKCS12`, `PEM` etc.