From f7b100e1fa505e1c34a696bd5f0d543cfcaee93a Mon Sep 17 00:00:00 2001 From: Cameron Rodriguez Date: Fri, 19 Aug 2022 17:03:47 -0400 Subject: [PATCH] [WFCORE-5279] Add Certificate Authorities (Accounts) --- pom.xml | 7 + subsystem/pom.xml | 6 + .../tls/subsystem/AcmeAccountService.java | 150 ++ .../elytron/tls/subsystem/CAParsers.java | 42 + .../elytron/tls/subsystem/Capabilities.java | 1 + ...CertificateAuthorityAccountDefinition.java | 487 ++++ .../CertificateAuthorityDefinition.java | 152 ++ .../tls/subsystem/CredentialStoresParser.java | 16 + .../tls/subsystem/ElytronTlsExtension.java | 1 + .../ElytronTlsSubsystemDefinition.java | 2 + .../ElytronTlsSubsystemParser_1_0.java | 9 + .../subsystem/ExpressionResolverParser.java | 16 + .../KeyManagerAttributeDefinition.java | 16 + .../tls/subsystem/KeyStoreDefinition.java | 2 +- .../elytron/tls/subsystem/KeyStoreParser.java | 16 + .../tls/subsystem/KeyStoreService.java | 2 +- .../elytron/tls/subsystem/ManagerParsers.java | 24 +- .../elytron/tls/subsystem/ProviderParser.java | 1 + .../tls/subsystem/SSLContextParsers.java | 16 +- .../tls/subsystem/SSLContextResource.java | 16 + .../tls/subsystem/TrustManagerBuilder.java | 16 + .../subsystem/_private/ElytronTLSLogger.java | 52 + .../subsystem/_private/WildFlyAcmeClient.java | 91 + .../subsystem/LocalDescriptions.properties | 663 ++--- .../schema/elytron-tls-subsystem_1_0.xsd | 127 + .../tls/subsystem/AcmeMockServerBuilder.java | 257 ++ .../CertificateAuthoritiesTestCase.java | 1009 ++++++++ .../ElytronTlsSubsystemTestCase.java | 1 + .../ExpressionResolutionTestCase.java | 390 +++ .../tls/subsystem/KeyStoresTestCase.java | 2257 +++++++++++++++++ .../ResolveExpressionAttributesTestCase.java | 4 +- .../elytron/tls/subsystem/TlsTestCase.java | 3 + .../tls/subsystem/elytron-tls-expressions.xml | 36 +- .../subsystem/elytron-tls-subsystem-test.xml | 15 + .../tls/subsystem/expression-encryption.xml | 32 + .../extension/elytron/tls/subsystem/tls.xml | 12 +- 36 files changed, 5609 insertions(+), 338 deletions(-) create mode 100644 subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/AcmeAccountService.java create mode 100644 subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/CAParsers.java create mode 100644 subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/CertificateAuthorityAccountDefinition.java create mode 100644 subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/CertificateAuthorityDefinition.java create mode 100644 subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/_private/WildFlyAcmeClient.java create mode 100644 subsystem/src/test/java/org/wildfly/extension/elytron/tls/subsystem/AcmeMockServerBuilder.java create mode 100644 subsystem/src/test/java/org/wildfly/extension/elytron/tls/subsystem/CertificateAuthoritiesTestCase.java create mode 100644 subsystem/src/test/java/org/wildfly/extension/elytron/tls/subsystem/ExpressionResolutionTestCase.java create mode 100644 subsystem/src/test/java/org/wildfly/extension/elytron/tls/subsystem/KeyStoresTestCase.java create mode 100644 subsystem/src/test/resources/org/wildfly/extension/elytron/tls/subsystem/expression-encryption.xml diff --git a/pom.xml b/pom.xml index 8cfbf37..1d333b1 100644 --- a/pom.xml +++ b/pom.xml @@ -50,6 +50,7 @@ 1.6.0.Final 4.2.8.Final 1.39 + 5.8.1 @@ -336,6 +337,12 @@ ${version.org.jmockit} + org.mock-server + mockserver-netty + ${version.org.mockserver} + test + + org.wildfly.core wildfly-core-test-runner ${version.org.wildfly.core} diff --git a/subsystem/pom.xml b/subsystem/pom.xml index 3638472..31b8898 100644 --- a/subsystem/pom.xml +++ b/subsystem/pom.xml @@ -124,6 +124,11 @@ org.bouncycastle bcprov-jdk15on + + org.mock-server + mockserver-netty + test + org.jmockit jmockit @@ -150,6 +155,7 @@ *.xml + elytron-tls-expressions.xml src/main/resources/schema/elytron-tls-subsystem_1_0.xsd diff --git a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/AcmeAccountService.java b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/AcmeAccountService.java new file mode 100644 index 0000000..c5ef158 --- /dev/null +++ b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/AcmeAccountService.java @@ -0,0 +1,150 @@ +/* + * JBoss, Home of Professional Open Source. + * Copyright 2018 Red Hat, Inc., and individual contributors + * as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.wildfly.extension.elytron.tls.subsystem; + +import static org.wildfly.extension.elytron.tls.subsystem._private.ElytronTLSLogger.LOGGER; + +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.PrivateKey; +import java.security.cert.X509Certificate; +import java.util.List; +import java.util.function.Supplier; + +import org.jboss.as.controller.OperationContext; +import org.jboss.as.controller.OperationFailedException; +import org.jboss.msc.Service; +import org.jboss.msc.service.ServiceRegistry; +import org.jboss.msc.service.StartContext; +import org.jboss.msc.service.StartException; +import org.jboss.msc.service.StopContext; +import org.wildfly.common.function.ExceptionSupplier; +import org.wildfly.security.credential.source.CredentialSource; +import org.wildfly.security.x500.cert.acme.AcmeAccount; +import org.wildfly.security.x500.cert.acme.CertificateAuthority; + +/** + * A {@link Service} responsible for a single {@link AcmeAccount} instance. + * + * @author Farah Juma + */ +class AcmeAccountService implements Service { + + private Supplier keyStoreSupplier; + private ExceptionSupplier credentialSourceSupplier; + private final String certificateAuthorityName; + private final List contactUrlsList; + private final String alias; + private final String keyStoreName; + private volatile AcmeAccount acmeAccount; + + AcmeAccountService(String certificateAuthorityName, List contactUrlsList, String alias, String keyStoreName) { + this.certificateAuthorityName = certificateAuthorityName; + this.contactUrlsList = contactUrlsList; + this.alias = alias; + this.keyStoreName = keyStoreName; + } + + @Override + public void start(StartContext startContext) throws StartException { + try { + final ServiceRegistry serviceRegistry = startContext.getController().getServiceContainer(); + final ModifiableKeyStoreService keyStoreService = CertificateAuthorityAccountDefinition.getModifiableKeyStoreService(serviceRegistry, keyStoreName); + char[] keyPassword = resolveKeyPassword((KeyStoreService) keyStoreService); + KeyStore keyStore = keyStoreSupplier.get(); + CertificateAuthority certificateAuthority; + if (certificateAuthorityName.equalsIgnoreCase(CertificateAuthority.LETS_ENCRYPT.getName())) { + certificateAuthority = CertificateAuthority.LETS_ENCRYPT; + } else { + certificateAuthority = CertificateAuthorityDefinition.getCertificateAuthorityService(serviceRegistry, certificateAuthorityName).getValue(); + } + + AcmeAccount.Builder acmeAccountBuilder = AcmeAccount.builder() + .setServerUrl(certificateAuthority.getUrl()); + if (certificateAuthority.getStagingUrl() != null) { + acmeAccountBuilder.setStagingServerUrl(certificateAuthority.getStagingUrl()); + } + if (! contactUrlsList.isEmpty()) { + acmeAccountBuilder = acmeAccountBuilder.setContactUrls(contactUrlsList.toArray(new String[contactUrlsList.size()])); + } + boolean updateAccountKeyStore = false; + if (keyStore.containsAlias(alias)) { + // use existing account key pair + X509Certificate certificate = (X509Certificate) keyStore.getCertificate(alias); + if (certificate == null) { + throw LOGGER.unableToObtainCertificateAuthorityAccountCertificate(alias); + } + PrivateKey privateKey = (PrivateKey) keyStore.getKey(alias, keyPassword); + if (privateKey == null) { + throw LOGGER.unableToObtainCertificateAuthorityAccountPrivateKey(alias); + } + acmeAccountBuilder = acmeAccountBuilder.setKey(certificate, privateKey); + } else { + updateAccountKeyStore = true; + } + acmeAccount = acmeAccountBuilder.build(); + if (updateAccountKeyStore) { + saveCertificateAuthorityAccountKey(keyStoreService, keyPassword); // persist the generated key pair + } + } catch (Exception e) { + throw LOGGER.unableToStartService(e); + } + } + + @Override + public void stop(StopContext stopContext) { + acmeAccount = null; + } + + public AcmeAccount getValue() throws IllegalStateException, IllegalArgumentException { + return acmeAccount; + } + + void setKeyStoreSupplier(Supplier keyStoreSupplier) { + this.keyStoreSupplier = keyStoreSupplier; + } + + void setCredentialSourceSupplier(ExceptionSupplier credentialSourceSupplier) { + this.credentialSourceSupplier = credentialSourceSupplier; + } + + char[] resolveKeyPassword(KeyStoreService keyStoreService) throws RuntimeException { + try { + return keyStoreService.resolveKeyPassword(credentialSourceSupplier); + } catch (Exception e) { + throw new RuntimeException(e); + } + } + + void saveCertificateAuthorityAccountKey(OperationContext operationContext) throws OperationFailedException { + final ModifiableKeyStoreService keyStoreService = CertificateAuthorityAccountDefinition.getModifiableKeyStoreService(operationContext, keyStoreName); + char[] keyPassword = resolveKeyPassword((KeyStoreService) keyStoreService); + saveCertificateAuthorityAccountKey(keyStoreService, keyPassword); + } + + private void saveCertificateAuthorityAccountKey(ModifiableKeyStoreService keyStoreService, char[] keyPassword) throws OperationFailedException { + KeyStore modifiableAccountkeyStore = keyStoreService.getModifiableValue(); + try { + modifiableAccountkeyStore.setKeyEntry(alias, acmeAccount.getPrivateKey(), keyPassword, new X509Certificate[]{ acmeAccount.getCertificate() }); + } catch (KeyStoreException e) { + throw LOGGER.unableToUpdateCertificateAuthorityAccountKeyStore(e, e.getLocalizedMessage()); + } + ((KeyStoreService) keyStoreService).save(); + } +} diff --git a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/CAParsers.java b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/CAParsers.java new file mode 100644 index 0000000..39b6cd6 --- /dev/null +++ b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/CAParsers.java @@ -0,0 +1,42 @@ + /* + * Copyright 2022 Red Hat, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.wildfly.extension.elytron.tls.subsystem; + +import static org.wildfly.extension.elytron.tls.subsystem.Constants.CERTIFICATE_AUTHORITIES; +import static org.wildfly.extension.elytron.tls.subsystem.Constants.CERTIFICATE_AUTHORITY; +import static org.wildfly.extension.elytron.tls.subsystem.Constants.CERTIFICATE_AUTHORITY_ACCOUNT; +import static org.wildfly.extension.elytron.tls.subsystem.Constants.CERTIFICATE_AUTHORITY_ACCOUNTS; + +import org.jboss.as.controller.PathElement; +import org.jboss.as.controller.PersistentResourceXMLDescription; + +class CAParsers { + final PersistentResourceXMLDescription certificateAuthorityParser_1_0 = PersistentResourceXMLDescription.builder(PathElement.pathElement(CERTIFICATE_AUTHORITY)) + .setXmlWrapperElement(CERTIFICATE_AUTHORITIES) + .addAttribute(CertificateAuthorityDefinition.URL) + .addAttribute(CertificateAuthorityDefinition.STAGING_URL) + .build(); + + final PersistentResourceXMLDescription certificateAuthorityAccountParser_1_0 = PersistentResourceXMLDescription.builder(PathElement.pathElement(CERTIFICATE_AUTHORITY_ACCOUNT)) + .setXmlWrapperElement(CERTIFICATE_AUTHORITY_ACCOUNTS) + .addAttribute(CertificateAuthorityAccountDefinition.CERTIFICATE_AUTHORITY) + .addAttribute(CertificateAuthorityAccountDefinition.CONTACT_URLS) + .addAttribute(CertificateAuthorityAccountDefinition.KEY_STORE) + .addAttribute(CertificateAuthorityAccountDefinition.ALIAS) + .addAttribute(CertificateAuthorityAccountDefinition.CREDENTIAL_REFERENCE) + .build(); +} diff --git a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/Capabilities.java b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/Capabilities.java index 500cd5a..5118ad8 100644 --- a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/Capabilities.java +++ b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/Capabilities.java @@ -53,6 +53,7 @@ * The capabilities are same as the ones provided by the Elytron subsystem * * @author Martin Mazanek + * @author Cameron Rodriguez */ class Capabilities { diff --git a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/CertificateAuthorityAccountDefinition.java b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/CertificateAuthorityAccountDefinition.java new file mode 100644 index 0000000..779c676 --- /dev/null +++ b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/CertificateAuthorityAccountDefinition.java @@ -0,0 +1,487 @@ +/* + * JBoss, Home of Professional Open Source. + * Copyright 2018 Red Hat, Inc., and individual contributors + * as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.wildfly.extension.elytron.tls.subsystem; + +import static org.jboss.as.controller.security.CredentialReference.handleCredentialReferenceUpdate; +import static org.jboss.as.controller.security.CredentialReference.rollbackCredentialStoreUpdate; +import static org.wildfly.extension.elytron.tls.subsystem.AdvancedModifiableKeyStoreDecorator.resetAcmeAccount; +import static org.wildfly.extension.elytron.tls.subsystem.Capabilities.CERTIFICATE_AUTHORITY_ACCOUNT_CAPABILITY; +import static org.wildfly.extension.elytron.tls.subsystem.Capabilities.CERTIFICATE_AUTHORITY_ACCOUNT_RUNTIME_CAPABILITY; +import static org.wildfly.extension.elytron.tls.subsystem.Capabilities.CERTIFICATE_AUTHORITY_CAPABILITY; +import static org.wildfly.extension.elytron.tls.subsystem.Capabilities.CERTIFICATE_AUTHORITY_RUNTIME_CAPABILITY; +import static org.wildfly.extension.elytron.tls.subsystem.Capabilities.KEY_STORE_CAPABILITY; +import static org.wildfly.extension.elytron.tls.subsystem.Capabilities.KEY_STORE_RUNTIME_CAPABILITY; +import static org.wildfly.extension.elytron.tls.subsystem.ElytronTlsSubsystemDefinition.commonRequirements; +import static org.wildfly.extension.elytron.tls.subsystem.FileAttributeDefinitions.PATH; +import static org.wildfly.extension.elytron.tls.subsystem.FileAttributeDefinitions.RELATIVE_TO; +import static org.wildfly.extension.elytron.tls.subsystem.ElytronTlsExtension.getRequiredService; +import static org.wildfly.extension.elytron.tls.subsystem.ElytronTlsExtension.isServerOrHostController; +import static org.wildfly.extension.elytron.tls.subsystem._private.ElytronTLSLogger.LOGGER; + +import java.security.KeyStore; +import java.util.ArrayList; +import java.util.List; +import java.util.ServiceLoader; + +import org.jboss.as.controller.AbstractAddStepHandler; +import org.jboss.as.controller.AbstractAttributeDefinitionBuilder; +import org.jboss.as.controller.AttributeDefinition; +import org.jboss.as.controller.ObjectTypeAttributeDefinition; +import org.jboss.as.controller.OperationContext; +import org.jboss.as.controller.OperationFailedException; +import org.jboss.as.controller.OperationStepHandler; +import org.jboss.as.controller.PathAddress; +import org.jboss.as.controller.PathElement; +import org.jboss.as.controller.ResourceDefinition; +import org.jboss.as.controller.SimpleAttributeDefinition; +import org.jboss.as.controller.SimpleAttributeDefinitionBuilder; +import org.jboss.as.controller.SimpleOperationDefinitionBuilder; +import org.jboss.as.controller.SimpleResourceDefinition; +import org.jboss.as.controller.StringListAttributeDefinition; +import org.jboss.as.controller.capability.RuntimeCapability; +import org.jboss.as.controller.descriptions.ResourceDescriptionResolver; +import org.jboss.as.controller.registry.ManagementResourceRegistration; +import org.jboss.as.controller.registry.OperationEntry; +import org.jboss.as.controller.registry.Resource; +import org.jboss.as.controller.security.CredentialReference; +import org.jboss.as.domain.http.server.ConsoleAvailabilityService.LogAdminConsole; +import org.jboss.dmr.ModelNode; +import org.jboss.dmr.ModelType; +import org.jboss.msc.service.ServiceBuilder; +import org.jboss.msc.service.ServiceController; +import org.jboss.msc.service.ServiceName; +import org.jboss.msc.service.ServiceRegistry; +import org.jboss.msc.service.ServiceTarget; +import org.wildfly.common.function.ExceptionSupplier; +import org.wildfly.extension.elytron.tls.subsystem._private.ElytronTLSLogger; +import org.wildfly.security.credential.source.CredentialSource; +import org.wildfly.security.x500.cert.acme.AcmeAccount; +import org.wildfly.security.x500.cert.acme.AcmeClientSpi; +import org.wildfly.security.x500.cert.acme.AcmeException; +import org.wildfly.security.x500.cert.acme.AcmeMetadata; +import org.wildfly.security.x500.cert.acme.CertificateAuthority; + +/** + * A {@link ResourceDefinition} for a single certificate authority account. + * + * @author Farah Juma + */ +class CertificateAuthorityAccountDefinition extends SimpleResourceDefinition { + + static final StringListAttributeDefinition CONTACT_URLS = new StringListAttributeDefinition.Builder(Constants.CONTACT_URLS) + .setRequired(false) + .setAllowExpression(true) + .setMinSize(1) + .setRestartAllServices() + .build(); + + static final SimpleAttributeDefinition CERTIFICATE_AUTHORITY = new CertificateAuthorityDefinitionBuilder(Constants.CERTIFICATE_AUTHORITY, ModelType.STRING, true) + .setDefaultValue(new ModelNode(CertificateAuthority.LETS_ENCRYPT.getName())) + .setAllowExpression(true) + .setRestartAllServices() + .setCapabilityReference(CERTIFICATE_AUTHORITY_CAPABILITY, CERTIFICATE_AUTHORITY_ACCOUNT_RUNTIME_CAPABILITY) + .build(); + + static final SimpleAttributeDefinition KEY_STORE = new SimpleAttributeDefinitionBuilder(Constants.KEY_STORE, ModelType.STRING, false) + .setAttributeGroup(Constants.ACCOUNT_KEY) + .setMinSize(1) + .setAlternatives(Constants.KEY_STORE_OBJECT) + .setRestartAllServices() + .setCapabilityReference(KEY_STORE_CAPABILITY, CERTIFICATE_AUTHORITY_ACCOUNT_CAPABILITY) + .build(); + + static final ObjectTypeAttributeDefinition KEY_STORE_OBJECT = new ObjectTypeAttributeDefinition.Builder(Constants.KEY_STORE_OBJECT, SSLContextDefinitions.TYPE, + PATH, RELATIVE_TO, SSLContextDefinitions.REQUIRED, SSLContextDefinitions.CREDENTIAL_REFERENCE, + SSLContextDefinitions.ALIAS_FILTER, KeyStoreDefinition.PROVIDER_NAME, KeyStoreDefinition.PROVIDERS) + .setAttributeGroup(Constants.ACCOUNT_KEY) + .setMinSize(1) + .setAlternatives(Constants.KEY_STORE) + .setRestartAllServices() + .build(); + + static final SimpleAttributeDefinition ALIAS = new SimpleAttributeDefinitionBuilder(Constants.ALIAS, ModelType.STRING, false) + .setAttributeGroup(Constants.ACCOUNT_KEY) + .setMinSize(1) + .setAllowExpression(true) + .setRestartAllServices() + .build(); + + static final ObjectTypeAttributeDefinition CREDENTIAL_REFERENCE = CredentialReference.getAttributeBuilder(true, true) + .setAttributeGroup(Constants.ACCOUNT_KEY) + .build(); + + private static final AttributeDefinition[] ATTRIBUTES = new AttributeDefinition[] { CERTIFICATE_AUTHORITY, CONTACT_URLS, KEY_STORE, KEY_STORE_OBJECT, ALIAS, CREDENTIAL_REFERENCE }; + + static final SimpleAttributeDefinition AGREE_TO_TERMS_OF_SERVICE = new SimpleAttributeDefinitionBuilder(Constants.AGREE_TO_TERMS_OF_SERVICE, ModelType.BOOLEAN, false) + .setAllowExpression(true) + .build(); + + static final SimpleAttributeDefinition STAGING = new SimpleAttributeDefinitionBuilder(Constants.STAGING, ModelType.BOOLEAN, true) + .setAllowExpression(true) + .setDefaultValue(ModelNode.FALSE) + .build(); + + private static final AcmeClientSpi acmeClient; + static { + acmeClient = loadAcmeClient(); + } + + private static AcmeClientSpi loadAcmeClient() { + for (AcmeClientSpi acmeClient : ServiceLoader.load(AcmeClientSpi.class, ElytronTLSLogger.class.getClassLoader())) { + return acmeClient; + } + throw LOGGER.unableToInstatiateAcmeClientSpiImplementation(); + } + + private static class CertificateAuthorityAttributeDefinition extends SimpleAttributeDefinition { + + CertificateAuthorityAttributeDefinition(AbstractAttributeDefinitionBuilder builder) { + super(builder); + } + + @Override + public void addCapabilityRequirements(OperationContext context, Resource resource, ModelNode attributeValue) { + // Check the existence of certificate authority only if it is not null or LetsEncrypt, since LetsEncrypt does not have to be added + if (attributeValue.asStringOrNull() != null && !attributeValue.asString().equalsIgnoreCase(CertificateAuthority.LETS_ENCRYPT.getName())) { + super.addCapabilityRequirements(context, resource, attributeValue); + } + } + } + + private static class CertificateAuthorityDefinitionBuilder extends AbstractAttributeDefinitionBuilder { + + CertificateAuthorityDefinitionBuilder(String attributeName, ModelType type, boolean optional) { + super(attributeName, type, optional); + } + + @Override + public CertificateAuthorityAttributeDefinition build() { + return new CertificateAuthorityAttributeDefinition(this); + } + } + + private static final AbstractAddStepHandler ADD = new CertificateAuthorityAccountAddHandler(); + + private static class CertificateAuthorityAccountAddHandler extends BaseAddHandler { + + private CertificateAuthorityAccountAddHandler() { + super(CERTIFICATE_AUTHORITY_ACCOUNT_RUNTIME_CAPABILITY, ATTRIBUTES); + } + + @Override + protected void populateModel(final OperationContext context, final ModelNode operation, final Resource resource) throws OperationFailedException { + super.populateModel(context, operation, resource); + handleCredentialReferenceUpdate(context, resource.getModel()); + } + + @Override + protected void performRuntime(OperationContext context, ModelNode operation, Resource resource) throws OperationFailedException { + ModelNode model = resource.getModel(); + String certificateAuthorityName = CERTIFICATE_AUTHORITY.resolveModelAttribute(context, model).asString(); + final String alias = ALIAS.resolveModelAttribute(context, model).asString(); + + String keyStoreName = KEY_STORE.resolveModelAttribute(context, model).asString(); + final ModelNode keyStoreObject = KEY_STORE_OBJECT.resolveModelAttribute(context, model); + if (keyStoreName == null) { + if (keyStoreObject == null) { + LOGGER.missingKeyStoreDefinition(); + } + keyStoreName = keyStoreObject.asStringOrNull(); + } else { + if (keyStoreObject != null) { + LOGGER.multipleKeystoreDefinitions(); + } + } + final String finalKeyStoreName = keyStoreName; + + ExceptionSupplier credentialSourceSupplier = null; + if (CREDENTIAL_REFERENCE.resolveModelAttribute(context, operation).isDefined()) { + credentialSourceSupplier = CredentialReference.getCredentialSourceSupplier(context, CREDENTIAL_REFERENCE, operation, null); + } + final List contactUrls = CONTACT_URLS.resolveModelAttribute(context, model).asListOrEmpty(); + final List contactUrlsList = new ArrayList<>(contactUrls.size()); + for (ModelNode contactUrl : contactUrls) { + contactUrlsList.add(contactUrl.asString()); + } + + AcmeAccountService acmeAccountService = new AcmeAccountService(certificateAuthorityName, contactUrlsList, alias, finalKeyStoreName); + ServiceTarget serviceTarget = context.getServiceTarget(); + RuntimeCapability certificateAuthorityAccountRuntimeCapability = CERTIFICATE_AUTHORITY_ACCOUNT_RUNTIME_CAPABILITY.fromBaseCapability(context.getCurrentAddressValue()); + ServiceName acmeAccountServiceName = certificateAuthorityAccountRuntimeCapability.getCapabilityServiceName(AcmeAccount.class); + ServiceBuilder acmeAccountServiceBuilder = (ServiceBuilder) serviceTarget.addService(acmeAccountServiceName).setInitialMode(ServiceController.Mode.ACTIVE); + + acmeAccountService.setCredentialSourceSupplier(credentialSourceSupplier); + + String keyStoreCapabilityName = RuntimeCapability.buildDynamicCapabilityName(KEY_STORE_CAPABILITY, finalKeyStoreName); + ServiceName keyStoreServiceName = context.getCapabilityServiceName(keyStoreCapabilityName, KeyStore.class); + acmeAccountService.setKeyStoreSupplier(acmeAccountServiceBuilder.requires(keyStoreServiceName)); + + if (certificateAuthorityName.equalsIgnoreCase(CertificateAuthority.LETS_ENCRYPT.getName())) { + commonRequirements(acmeAccountServiceBuilder, true, true).install(); + } else { + acmeAccountServiceBuilder.requires(CERTIFICATE_AUTHORITY_RUNTIME_CAPABILITY.getCapabilityServiceName(certificateAuthorityName)); + commonRequirements(acmeAccountServiceBuilder, true, true).install(); + } + } + + @Override + protected void rollbackRuntime(OperationContext context, final ModelNode operation, final Resource resource) { + rollbackCredentialStoreUpdate(CREDENTIAL_REFERENCE, context, resource); + } + } + + private static final OperationStepHandler REMOVE = new TrivialCapabilityServiceRemoveHandler(ADD, CERTIFICATE_AUTHORITY_ACCOUNT_RUNTIME_CAPABILITY); + + private static final ElytronReloadRequiredWriteAttributeHandler WRITE = new ElytronReloadRequiredWriteAttributeHandler(ATTRIBUTES); + + CertificateAuthorityAccountDefinition() { + super(new Parameters(PathElement.pathElement(Constants.CERTIFICATE_AUTHORITY_ACCOUNT), ElytronTlsExtension.getResourceDescriptionResolver(Constants.CERTIFICATE_AUTHORITY_ACCOUNT)) + .setAddHandler(ADD) + .setRemoveHandler(REMOVE) + .setAddRestartLevel(OperationEntry.Flag.RESTART_RESOURCE_SERVICES) + .setRemoveRestartLevel(OperationEntry.Flag.RESTART_RESOURCE_SERVICES) + .setCapabilities(CERTIFICATE_AUTHORITY_ACCOUNT_RUNTIME_CAPABILITY)); + } + + @Override + public void registerAttributes(ManagementResourceRegistration resourceRegistration) { + for (AttributeDefinition current : ATTRIBUTES) { + resourceRegistration.registerReadWriteAttribute(current, null, WRITE); + } + } + + @Override + public void registerOperations(ManagementResourceRegistration resourceRegistration) { + super.registerOperations(resourceRegistration); + ResourceDescriptionResolver resolver = ElytronTlsExtension.getResourceDescriptionResolver(Constants.CERTIFICATE_AUTHORITY_ACCOUNT); + + if (isServerOrHostController(resourceRegistration)) { // server-only operations + + // Create an account with the certificate authority + CreateAccountHandler.register(resourceRegistration, resolver); + + // Update an account with the certificate authority + UpdateAccountHandler.register(resourceRegistration, resolver); + + // Change the account key + ChangeAccountKeyHandler.register(resourceRegistration, resolver); + + // Deactivate the account key + DeactivateAccountHandler.register(resourceRegistration, resolver); + + // Get the metadata associated with the certificate authority + GetMetadataHandler.register(resourceRegistration, resolver); + } + } + + static class CreateAccountHandler extends ElytronRuntimeOnlyHandler { + + static void register(ManagementResourceRegistration resourceRegistration, ResourceDescriptionResolver descriptionResolver) { + resourceRegistration.registerOperationHandler( + new SimpleOperationDefinitionBuilder(Constants.CREATE_ACCOUNT, descriptionResolver) + .setParameters(AGREE_TO_TERMS_OF_SERVICE, STAGING) + .setRuntimeOnly() + .build(), + new CertificateAuthorityAccountDefinition.CreateAccountHandler()); + } + + @Override + protected void executeRuntimeStep(final OperationContext context, final ModelNode operation) throws OperationFailedException { + boolean agreeToTermsOfService = AGREE_TO_TERMS_OF_SERVICE.resolveModelAttribute(context, operation).asBoolean(); + boolean staging = STAGING.resolveModelAttribute(context, operation).asBoolean(); + AcmeAccount acmeAccount = getAcmeAccount(context, staging); + + try { + acmeAccount.setTermsOfServiceAgreed(agreeToTermsOfService); + boolean created = acmeClient.createAccount(acmeAccount, staging); + if (! created) { + throw LOGGER.certificateAuthorityAccountAlreadyExists(Constants.UPDATE_ACCOUNT, Constants.CHANGE_ACCOUNT_KEY); + } + } catch (AcmeException e) { + throw LOGGER.unableToCreateAccountWithCertificateAuthority(e, e.getLocalizedMessage()); + } + } + } + + static class UpdateAccountHandler extends ElytronRuntimeOnlyHandler { + static final SimpleAttributeDefinition UPDATE_AGREE_TO_TERMS_OF_SERVICE = new SimpleAttributeDefinitionBuilder(Constants.AGREE_TO_TERMS_OF_SERVICE, ModelType.BOOLEAN, true) + .setAllowExpression(true) + .build(); + + static void register(ManagementResourceRegistration resourceRegistration, ResourceDescriptionResolver descriptionResolver) { + resourceRegistration.registerOperationHandler( + new SimpleOperationDefinitionBuilder(Constants.UPDATE_ACCOUNT, descriptionResolver) + .setParameters(AGREE_TO_TERMS_OF_SERVICE, STAGING) + .setRuntimeOnly() + .build(), + new CertificateAuthorityAccountDefinition.UpdateAccountHandler()); + } + + @Override + protected void executeRuntimeStep(final OperationContext context, final ModelNode operation) throws OperationFailedException { + Boolean agreeToTermsOfService = UPDATE_AGREE_TO_TERMS_OF_SERVICE.resolveModelAttribute(context, operation).asBooleanOrNull(); + boolean staging = STAGING.resolveModelAttribute(context, operation).asBoolean(); + AcmeAccount acmeAccount = getAcmeAccount(context, staging); + + try { + if (agreeToTermsOfService != null) { + acmeClient.updateAccount(acmeAccount, staging, agreeToTermsOfService.booleanValue(), acmeAccount.getContactUrls()); + } else { + acmeClient.updateAccount(acmeAccount, staging, acmeAccount.getContactUrls()); + } + } catch (AcmeException e) { + throw LOGGER.unableToUpdateAccountWithCertificateAuthority(e, e.getLocalizedMessage()); + } + } + } + + static class ChangeAccountKeyHandler extends ElytronRuntimeOnlyHandler { + + static void register(ManagementResourceRegistration resourceRegistration, ResourceDescriptionResolver descriptionResolver) { + resourceRegistration.registerOperationHandler( + new SimpleOperationDefinitionBuilder(Constants.CHANGE_ACCOUNT_KEY, descriptionResolver) + .setParameters(STAGING) + .setRuntimeOnly() + .build(), + new CertificateAuthorityAccountDefinition.ChangeAccountKeyHandler()); + } + + @Override + protected void executeRuntimeStep(final OperationContext context, final ModelNode operation) throws OperationFailedException { + boolean staging = STAGING.resolveModelAttribute(context, operation).asBoolean(); + AcmeAccountService acmeAccountService = getAcmeAccountService(context); + AcmeAccount acmeAccount = getAcmeAccount(acmeAccountService, staging); + + try { + acmeClient.changeAccountKey(acmeAccount, staging); + acmeAccountService.saveCertificateAuthorityAccountKey(context); + } catch (AcmeException e) { + throw LOGGER.unableToChangeAccountKeyWithCertificateAuthority(e, e.getLocalizedMessage()); + } + } + } + + static class DeactivateAccountHandler extends ElytronRuntimeOnlyHandler { + + static void register(ManagementResourceRegistration resourceRegistration, ResourceDescriptionResolver descriptionResolver) { + resourceRegistration.registerOperationHandler( + new SimpleOperationDefinitionBuilder(Constants.DEACTIVATE_ACCOUNT, descriptionResolver) + .setParameters(STAGING) + .setRuntimeOnly() + .build(), + new CertificateAuthorityAccountDefinition.DeactivateAccountHandler()); + } + + @Override + protected void executeRuntimeStep(final OperationContext context, final ModelNode operation) throws OperationFailedException { + boolean staging = STAGING.resolveModelAttribute(context, operation).asBoolean(); + AcmeAccount acmeAccount = getAcmeAccount(context, staging); + + try { + acmeClient.deactivateAccount(acmeAccount, staging); + } catch (AcmeException e) { + throw LOGGER.unableToDeactivateAccountWithCertificateAuthority(e, e.getLocalizedMessage()); + } + } + } + + static class GetMetadataHandler extends ElytronRuntimeOnlyHandler { + + static void register(ManagementResourceRegistration resourceRegistration, ResourceDescriptionResolver descriptionResolver) { + resourceRegistration.registerOperationHandler( + new SimpleOperationDefinitionBuilder(Constants.GET_METADATA, descriptionResolver) + .setParameters(STAGING) + .setRuntimeOnly() + .build(), + new CertificateAuthorityAccountDefinition.GetMetadataHandler()); + } + + @Override + protected void executeRuntimeStep(final OperationContext context, final ModelNode operation) throws OperationFailedException { + boolean staging = STAGING.resolveModelAttribute(context, operation).asBoolean(); + AcmeAccount acmeAccount = getAcmeAccount(context, staging); + + try { + AcmeMetadata metadata = acmeClient.getMetadata(acmeAccount, staging); + if (metadata != null) { + ModelNode result = context.getResult(); + if (metadata.getTermsOfServiceUrl() != null) { + result.get(Constants.TERMS_OF_SERVICE).set(new ModelNode(metadata.getTermsOfServiceUrl())); + } + if (metadata.getWebsiteUrl() != null) { + result.get(Constants.WEBSITE).set(new ModelNode(metadata.getWebsiteUrl())); + } + String[] caaIdentitiesArray = metadata.getCAAIdentities(); + ModelNode caaIdentities = new ModelNode(); + if (caaIdentitiesArray != null && caaIdentitiesArray.length != 0) { + for (int i = 0; i < caaIdentitiesArray.length; i++) { + caaIdentities.add(caaIdentitiesArray[i]); + } + result.get(Constants.CAA_IDENTITIES).set(caaIdentities); + } + result.get(Constants.EXTERNAL_ACCOUNT_REQUIRED).set(metadata.isExternalAccountRequired()); + } + } catch (AcmeException e) { + throw LOGGER.unableToGetCertificateAuthorityMetadata(e, e.getLocalizedMessage()); + } + } + } + + static ModifiableKeyStoreService getModifiableKeyStoreService(OperationContext context, String keyStoreName) throws OperationFailedException { + ServiceRegistry serviceRegistry = context.getServiceRegistry(true); + return getModifiableKeyStoreService(serviceRegistry, keyStoreName); + } + + static ModifiableKeyStoreService getModifiableKeyStoreService(ServiceRegistry serviceRegistry, String keyStoreName) throws OperationFailedException { + RuntimeCapability runtimeCapability = KEY_STORE_RUNTIME_CAPABILITY.fromBaseCapability(keyStoreName); + ServiceName serviceName = runtimeCapability.getCapabilityServiceName(); + + ServiceController serviceContainer = getRequiredService(serviceRegistry, serviceName, KeyStore.class); + ServiceController.State serviceState = serviceContainer.getState(); + if (serviceState != ServiceController.State.UP) { + throw LOGGER.requiredServiceNotUp(serviceName, serviceState); + } + + return (ModifiableKeyStoreService) serviceContainer.getService(); + } + + private static AcmeAccountService getAcmeAccountService(OperationContext context) throws OperationFailedException { + ServiceRegistry serviceRegistry = context.getServiceRegistry(true); + PathAddress currentAddress = context.getCurrentAddress(); + RuntimeCapability runtimeCapability = CERTIFICATE_AUTHORITY_ACCOUNT_RUNTIME_CAPABILITY.fromBaseCapability(currentAddress.getLastElement().getValue()); + ServiceName serviceName = runtimeCapability.getCapabilityServiceName(); + + ServiceController serviceContainer = getRequiredService(serviceRegistry, serviceName, AcmeAccount.class); + ServiceController.State serviceState = serviceContainer.getState(); + if (serviceState != ServiceController.State.UP) { + throw LOGGER.requiredServiceNotUp(serviceName, serviceState); + } + + return (AcmeAccountService) serviceContainer.getService(); + } + + private static AcmeAccount getAcmeAccount(final OperationContext context, boolean staging) throws OperationFailedException { + return getAcmeAccount(getAcmeAccountService(context), staging); + } + + private static AcmeAccount getAcmeAccount(AcmeAccountService acmeAccountService, boolean staging) { + AcmeAccount acmeAccount = acmeAccountService.getValue(); + return resetAcmeAccount(acmeAccount, staging); + } +} diff --git a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/CertificateAuthorityDefinition.java b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/CertificateAuthorityDefinition.java new file mode 100644 index 0000000..704c9c6 --- /dev/null +++ b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/CertificateAuthorityDefinition.java @@ -0,0 +1,152 @@ +/* + * JBoss, Home of Professional Open Source. + * Copyright 2019 Red Hat, Inc., and individual contributors + * as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.wildfly.extension.elytron.tls.subsystem; + +import org.jboss.as.controller.AbstractAddStepHandler; +import org.jboss.as.controller.AttributeDefinition; +import org.jboss.as.controller.OperationContext; +import org.jboss.as.controller.OperationFailedException; +import org.jboss.as.controller.OperationStepHandler; +import org.jboss.as.controller.PathElement; +import org.jboss.as.controller.ResourceDefinition; +import org.jboss.as.controller.SimpleAttributeDefinition; +import org.jboss.as.controller.SimpleAttributeDefinitionBuilder; +import org.jboss.as.controller.SimpleResourceDefinition; +import org.jboss.as.controller.capability.RuntimeCapability; +import org.jboss.as.controller.operations.validation.StringLengthValidator; +import org.jboss.as.controller.registry.ManagementResourceRegistration; +import org.jboss.as.controller.registry.OperationEntry; +import org.jboss.dmr.ModelNode; +import org.jboss.dmr.ModelType; +import org.jboss.msc.service.ServiceBuilder; +import org.jboss.msc.service.ServiceController; +import org.jboss.msc.service.ServiceName; +import org.jboss.msc.service.ServiceRegistry; +import org.jboss.msc.service.ServiceTarget; +import org.wildfly.security.x500.cert.acme.CertificateAuthority; +import org.jboss.msc.service.ServiceController.Mode; + +import java.net.MalformedURLException; +import java.net.URL; + +import static org.wildfly.extension.elytron.tls.subsystem.Capabilities.CERTIFICATE_AUTHORITY_RUNTIME_CAPABILITY; +import static org.wildfly.extension.elytron.tls.subsystem.ElytronTlsSubsystemDefinition.commonRequirements; +import static org.wildfly.extension.elytron.tls.subsystem.ElytronTlsExtension.getRequiredService; +import static org.wildfly.extension.elytron.tls.subsystem._private.ElytronTLSLogger.LOGGER; + +/** + * A {@link ResourceDefinition} for a single certificate authority. + * This resource represents certificate authority that implements Automatic Certificate + * Management Environment (ACME) specification. + * + * @author Diana Vilkolakova + */ +class CertificateAuthorityDefinition extends SimpleResourceDefinition { + + static final SimpleAttributeDefinition URL = new SimpleAttributeDefinitionBuilder(Constants.URL, ModelType.STRING, false) + .setValidator(new URLValidator(false)) + .setAllowExpression(true) + .setRestartAllServices() + .build(); + + static final SimpleAttributeDefinition STAGING_URL = new SimpleAttributeDefinitionBuilder(Constants.STAGING_URL, ModelType.STRING, true) + .setValidator(new URLValidator(false)) + .setAllowExpression(true) + .setRestartAllServices() + .build(); + + private static class URLValidator extends StringLengthValidator { + + private URLValidator(boolean nullable) { + super(1, nullable, false); + } + + @Override + public void validateParameter(String parameterName, ModelNode value) throws OperationFailedException { + super.validateParameter(parameterName, value); + String url = value.asString(); + try { + new URL(url); + } catch (MalformedURLException e) { + throw LOGGER.invalidURL(url, e); + } + } + } + + private static final AttributeDefinition[] ATTRIBUTES = new AttributeDefinition[]{URL, STAGING_URL}; + private static final AbstractAddStepHandler ADD = new CertificateAuthorityAddHandler(); + + private static final OperationStepHandler REMOVE = new TrivialCapabilityServiceRemoveHandler(ADD, CERTIFICATE_AUTHORITY_RUNTIME_CAPABILITY); + private static final ElytronReloadRequiredWriteAttributeHandler WRITE = new ElytronReloadRequiredWriteAttributeHandler(ATTRIBUTES); + + CertificateAuthorityDefinition() { + super(new Parameters(PathElement.pathElement(Constants.CERTIFICATE_AUTHORITY), ElytronTlsExtension.getResourceDescriptionResolver(Constants.CERTIFICATE_AUTHORITY)) + .setAddHandler(ADD) + .setRemoveHandler(REMOVE) + .setAddRestartLevel(OperationEntry.Flag.RESTART_RESOURCE_SERVICES) + .setRemoveRestartLevel(OperationEntry.Flag.RESTART_RESOURCE_SERVICES) + .setCapabilities(CERTIFICATE_AUTHORITY_RUNTIME_CAPABILITY)); + } + + @Override + public void registerAttributes(ManagementResourceRegistration resourceRegistration) { + for (AttributeDefinition current : ATTRIBUTES) { + resourceRegistration.registerReadWriteAttribute(current, null, WRITE); + } + } + + private static class CertificateAuthorityAddHandler extends BaseAddHandler { + private CertificateAuthorityAddHandler() { + super(CERTIFICATE_AUTHORITY_RUNTIME_CAPABILITY, ATTRIBUTES); + } + + @Override + protected void performRuntime(OperationContext context, ModelNode operation, ModelNode model) throws OperationFailedException { + final String certificateAuthorityName = context.getCurrentAddressValue(); + + // Creation of certificate authority with name "LetsEncrypt" is not allowed, because it is used internally as a fallback. + if (certificateAuthorityName.equalsIgnoreCase(CertificateAuthority.LETS_ENCRYPT.getName())) { + throw LOGGER.letsEncryptNameNotAllowed(); + } + commonRequirements(installService(context, model), true, true).setInitialMode(Mode.ACTIVE).install(); + } + + ServiceBuilder installService(OperationContext context, ModelNode model) { + ServiceTarget serviceTarget = context.getServiceTarget(); + TrivialService certificateAuthorityTrivialService = new TrivialService<>(getValueSupplier(context, model)); + return serviceTarget.addService(CERTIFICATE_AUTHORITY_RUNTIME_CAPABILITY.getCapabilityServiceName(context.getCurrentAddressValue()), certificateAuthorityTrivialService); + } + + protected TrivialService.ValueSupplier getValueSupplier(OperationContext context, ModelNode model) { + return () -> { + String certificateAuthorityResourceName = context.getCurrentAddress().getLastElement().getValue(); + return new CertificateAuthority(certificateAuthorityResourceName, + model.get(Constants.URL).asString(), + model.get(Constants.STAGING_URL).asStringOrNull()); + }; + } + } + + static org.jboss.msc.service.Service getCertificateAuthorityService(ServiceRegistry serviceRegistry, String certificateAuthorityName) { + RuntimeCapability runtimeCapability = CERTIFICATE_AUTHORITY_RUNTIME_CAPABILITY.fromBaseCapability(certificateAuthorityName); + ServiceName serviceName = runtimeCapability.getCapabilityServiceName(); + ServiceController serviceContainer = getRequiredService(serviceRegistry, serviceName, CertificateAuthority.class); + return serviceContainer.getService(); + } +} diff --git a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/CredentialStoresParser.java b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/CredentialStoresParser.java index 53c17fc..c884b38 100644 --- a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/CredentialStoresParser.java +++ b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/CredentialStoresParser.java @@ -1,3 +1,19 @@ + /* + * Copyright 2022 Red Hat, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + package org.wildfly.extension.elytron.tls.subsystem; import static org.wildfly.extension.elytron.tls.subsystem.Constants.CREDENTIAL_STORE; diff --git a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/ElytronTlsExtension.java b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/ElytronTlsExtension.java index bbe465b..5425c01 100644 --- a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/ElytronTlsExtension.java +++ b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/ElytronTlsExtension.java @@ -38,6 +38,7 @@ /** * @author Martin Mazanek + * @author Cameron Rodriguez */ public class ElytronTlsExtension implements Extension { diff --git a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/ElytronTlsSubsystemDefinition.java b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/ElytronTlsSubsystemDefinition.java index 555b4d3..1068dec 100644 --- a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/ElytronTlsSubsystemDefinition.java +++ b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/ElytronTlsSubsystemDefinition.java @@ -135,6 +135,8 @@ public void registerChildren(ManagementResourceRegistration resourceRegistration resourceRegistration.registerSubModel(AdvancedModifiableKeyStoreDecorator.wrap(new KeyStoreDefinition())); resourceRegistration.registerSubModel(SSLContextDefinitions.getKeyManagerDefinition()); resourceRegistration.registerSubModel(SSLContextDefinitions.getTrustManagerDefinition()); + resourceRegistration.registerSubModel(new CertificateAuthorityDefinition()); + resourceRegistration.registerSubModel(new CertificateAuthorityAccountDefinition()); resourceRegistration.registerSubModel(SSLContextDefinitions.getClientSSLContextDefinition(serverOrHostController)); resourceRegistration.registerSubModel(SSLContextDefinitions.getServerSSLContextDefinition(serverOrHostController)); } diff --git a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/ElytronTlsSubsystemParser_1_0.java b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/ElytronTlsSubsystemParser_1_0.java index 4823992..e414db7 100644 --- a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/ElytronTlsSubsystemParser_1_0.java +++ b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/ElytronTlsSubsystemParser_1_0.java @@ -50,6 +50,13 @@ PersistentResourceXMLDescription getKeyManagerParser() { PersistentResourceXMLDescription getTrustManagerParser() { return new ManagerParsers().trustManagerParser_1_0; } + + PersistentResourceXMLDescription getCertificateAuthorityParser() { + return new CAParsers().certificateAuthorityParser_1_0; + } + PersistentResourceXMLDescription getCertificateAuthorityAccountParser() { + return new CAParsers().certificateAuthorityAccountParser_1_0; + } PersistentResourceXMLDescription getProviderParser() { return new ProviderParser().providerParser_1_0; @@ -70,6 +77,8 @@ PersistentResourceXMLDescription getTlsParser() { .addChild(getKeyStoreParser()) .addChild(getKeyManagerParser()) .addChild(getTrustManagerParser()) + .addChild(getCertificateAuthorityParser()) + .addChild(getCertificateAuthorityAccountParser()) .build(); } diff --git a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/ExpressionResolverParser.java b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/ExpressionResolverParser.java index 6304d23..7f60a10 100644 --- a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/ExpressionResolverParser.java +++ b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/ExpressionResolverParser.java @@ -1,3 +1,19 @@ + /* + * Copyright 2022 Red Hat, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + package org.wildfly.extension.elytron.tls.subsystem; import static org.wildfly.extension.elytron.tls.subsystem.Constants.ENCRYPTION; diff --git a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/KeyManagerAttributeDefinition.java b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/KeyManagerAttributeDefinition.java index 6567408..41dd136 100644 --- a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/KeyManagerAttributeDefinition.java +++ b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/KeyManagerAttributeDefinition.java @@ -1,3 +1,19 @@ + /* + * Copyright 2022 Red Hat, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + package org.wildfly.extension.elytron.tls.subsystem; import org.jboss.as.controller.ObjectTypeAttributeDefinition; diff --git a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/KeyStoreDefinition.java b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/KeyStoreDefinition.java index 5508ce6..d623d98 100644 --- a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/KeyStoreDefinition.java +++ b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/KeyStoreDefinition.java @@ -283,7 +283,7 @@ protected void performRuntime(OperationContext context, ModelNode operation, Res } keyStoreService.setCredentialSourceSupplier(CredentialReference.getCredentialSourceSupplier( - context, KeyStoreDefinition.CREDENTIAL_REFERENCE, model, serviceBuilder)); + context, CREDENTIAL_REFERENCE, model, serviceBuilder)); commonRequirements(serviceBuilder, true, true).install(); } diff --git a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/KeyStoreParser.java b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/KeyStoreParser.java index b88ece6..d4f1c6f 100644 --- a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/KeyStoreParser.java +++ b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/KeyStoreParser.java @@ -1,3 +1,19 @@ + /* + * Copyright 2022 Red Hat, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + package org.wildfly.extension.elytron.tls.subsystem; import static org.wildfly.extension.elytron.tls.subsystem.Constants.KEY_STORE_OBJECT; diff --git a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/KeyStoreService.java b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/KeyStoreService.java index 965deb6..f9f69a5 100644 --- a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/KeyStoreService.java +++ b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/KeyStoreService.java @@ -265,7 +265,7 @@ void setProvidersSupplier(Supplier providersSupplier) { this.providersSupplier = providersSupplier; } - void setCredentialSourceSupplier (ExceptionSupplier credentialSourceSupplier) { + void setCredentialSourceSupplier(ExceptionSupplier credentialSourceSupplier) { this.credentialSourceSupplier = credentialSourceSupplier; } diff --git a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/ManagerParsers.java b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/ManagerParsers.java index 25f086a..0e1fe19 100644 --- a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/ManagerParsers.java +++ b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/ManagerParsers.java @@ -1,3 +1,19 @@ + /* + * Copyright 2022 Red Hat, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + package org.wildfly.extension.elytron.tls.subsystem; import static org.wildfly.extension.elytron.tls.subsystem.Constants.KEY_MANAGER_OBJECT; @@ -14,8 +30,8 @@ class ManagerParsers { final PersistentResourceXMLDescription keyManagerParser_1_0 = PersistentResourceXMLDescription.builder(PathElement.pathElement(KEY_MANAGER_OBJECT)) .setXmlWrapperElement(KEY_MANAGERS) .addAttribute(SSLContextDefinitions.ALGORITHM) - .addAttribute(SSLContextDefinitions.KEY_STORE_OBJECT) - .addAttribute(SSLContextDefinitions.KEY_STORE_OBJECT) + .addAttribute(SSLContextDefinitions.KEY_STORE) + // .addAttribute(SSLContextDefinitions.KEY_STORE_OBJECT) .addAttribute(SSLContextDefinitions.ALIAS_FILTER) .addAttribute(SSLContextDefinitions.PROVIDER_NAME) .addAttribute(SSLContextDefinitions.PROVIDERS) @@ -26,8 +42,8 @@ class ManagerParsers { final PersistentResourceXMLDescription trustManagerParser_1_0 = PersistentResourceXMLDescription.builder(PathElement.pathElement(TRUST_MANAGER_OBJECT)) .setXmlWrapperElement(TRUST_MANAGERS) .addAttribute(SSLContextDefinitions.ALGORITHM) - .addAttribute(SSLContextDefinitions.KEY_STORE_OBJECT) - .addAttribute(SSLContextDefinitions.KEY_STORE_OBJECT) + .addAttribute(SSLContextDefinitions.KEY_STORE) + // .addAttribute(SSLContextDefinitions.KEY_STORE_OBJECT) .addAttribute(SSLContextDefinitions.ALIAS_FILTER) .addAttribute(SSLContextDefinitions.PROVIDERS) .addAttribute(SSLContextDefinitions.PROVIDER_NAME) diff --git a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/ProviderParser.java b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/ProviderParser.java index b3841e1..fb76eed 100644 --- a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/ProviderParser.java +++ b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/ProviderParser.java @@ -15,6 +15,7 @@ * See the License for the specific language governing permissions and * limitations under the License. */ + package org.wildfly.extension.elytron.tls.subsystem; import static org.wildfly.extension.elytron.tls.subsystem.Constants.AGGREGATE_PROVIDERS; diff --git a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/SSLContextParsers.java b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/SSLContextParsers.java index 8695856..3dbeb5c 100644 --- a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/SSLContextParsers.java +++ b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/SSLContextParsers.java @@ -40,10 +40,10 @@ class SSLContextParsers { .addAttribute(SSLContextDefinitions.MAXIMUM_SESSION_CACHE_SIZE) .addAttribute(SSLContextDefinitions.SESSION_TIMEOUT) .addAttribute(SSLContextDefinitions.WRAP) - .addAttribute(SSLContextDefinitions.KEY_MANAGER_OBJECT) -// .addAttribute(SSLContextDefinitions.KEY_MANAGER_OBJECT) - .addAttribute(SSLContextDefinitions.TRUST_MANAGER_OBJECT) -// .addAttribute(SSLContextDefinitions.TRUST_MANAGER_OBJECT) + .addAttribute(SSLContextDefinitions.KEY_MANAGER) + // .addAttribute(SSLContextDefinitions.KEY_MANAGER_OBJECT) + .addAttribute(SSLContextDefinitions.TRUST_MANAGER) + // .addAttribute(SSLContextDefinitions.TRUST_MANAGER_OBJECT) .addAttribute(SSLContextDefinitions.PROVIDERS) .addAttribute(SSLContextDefinitions.PROVIDER_NAME) .build(); @@ -60,10 +60,10 @@ class SSLContextParsers { .addAttribute(SSLContextDefinitions.MAXIMUM_SESSION_CACHE_SIZE) .addAttribute(SSLContextDefinitions.SESSION_TIMEOUT) .addAttribute(SSLContextDefinitions.WRAP) -// .addAttribute(SSLContextDefinitions.KEY_MANAGER_OBJECT) - .addAttribute(SSLContextDefinitions.KEY_MANAGER_OBJECT) -// .addAttribute(SSLContextDefinitions.TRUST_MANAGER_OBJECT) - .addAttribute(SSLContextDefinitions.TRUST_MANAGER_OBJECT) + .addAttribute(SSLContextDefinitions.KEY_MANAGER) + // .addAttribute(SSLContextDefinitions.KEY_MANAGER_OBJECT) + .addAttribute(SSLContextDefinitions.TRUST_MANAGER) + // .addAttribute(SSLContextDefinitions.TRUST_MANAGER_OBJECT) .addAttribute(SSLContextDefinitions.PROVIDERS) .addAttribute(SSLContextDefinitions.PROVIDER_NAME) .build(); diff --git a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/SSLContextResource.java b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/SSLContextResource.java index 472889b..b86bdc8 100644 --- a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/SSLContextResource.java +++ b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/SSLContextResource.java @@ -1,3 +1,19 @@ + /* + * Copyright 2022 Red Hat, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + package org.wildfly.extension.elytron.tls.subsystem; import java.nio.charset.StandardCharsets; diff --git a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/TrustManagerBuilder.java b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/TrustManagerBuilder.java index f794099..9c4310b 100644 --- a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/TrustManagerBuilder.java +++ b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/TrustManagerBuilder.java @@ -1,3 +1,19 @@ + /* + * Copyright 2022 Red Hat, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + package org.wildfly.extension.elytron.tls.subsystem; import java.security.KeyStore; diff --git a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/_private/ElytronTLSLogger.java b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/_private/ElytronTLSLogger.java index 7557b81..f2c358b 100644 --- a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/_private/ElytronTLSLogger.java +++ b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/_private/ElytronTLSLogger.java @@ -36,11 +36,13 @@ import org.jboss.msc.service.ServiceController; import org.jboss.msc.service.ServiceName; import org.jboss.msc.service.StartException; +import org.wildfly.security.x500.cert.acme.AcmeException; /** * Log messages for Elytron TLS subsystem * * @author Martin Mazanek + * @author Cameron Rodriguez */ @MessageLogger(projectCode = "ELYTLS", length = 4) public interface ElytronTLSLogger extends BasicLogger { @@ -132,6 +134,9 @@ public interface ElytronTLSLogger extends BasicLogger { @Message(id = 24, value = "Certificate [%s] in KeyStore is not valid") void certificateNotValid(String alias, @Cause Exception cause); + @Message(id = 29, value = "Failed to parse URL '%s'") + OperationFailedException invalidURL(String url, @Cause Exception cause); + @Message(id = 31, value = "Unable to access CRL file.") StartException unableToAccessCRL(@Cause Exception cause); @@ -250,21 +255,64 @@ public interface ElytronTLSLogger extends BasicLogger { @Message(id = 1042, value = "Unable to obtain Entry for alias '%s'") OperationFailedException unableToObtainEntry(String alias); + @Message(id = 1043, value = "Unable to create an account with the certificate authority: %s") + OperationFailedException unableToCreateAccountWithCertificateAuthority(@Cause Exception cause, String causeMessage); + + @Message(id = 1044, value = "Unable to change the account key associated with the certificate authority: %s") + OperationFailedException unableToChangeAccountKeyWithCertificateAuthority(@Cause Exception cause, String causeMessage); + + @Message(id = 1045, value = "Unable to deactivate the account associated with the certificate authority: %s") + OperationFailedException unableToDeactivateAccountWithCertificateAuthority(@Cause Exception cause, String causeMessage); + + @Message(id = 1046, value = "Unable to obtain certificate authority account Certificate for alias '%s'") + StartException unableToObtainCertificateAuthorityAccountCertificate(String alias); + + @Message(id = 1047, value = "Unable to obtain certificate authority account PrivateKey for alias '%s'") + StartException unableToObtainCertificateAuthorityAccountPrivateKey(String alias); + + @Message(id = 1048, value = "Unable to update certificate authority account key store: %s") + OperationFailedException unableToUpdateCertificateAuthorityAccountKeyStore(@Cause Exception cause, String causeMessage); + + @Message(id = 1049, value = "Unable to respond to challenge from certificate authority: %s") + AcmeException unableToRespondToCertificateAuthorityChallenge(@Cause Exception cause, String causeMessage); + + @Message(id = 1050, value = "Invalid certificate authority challenge") + AcmeException invalidCertificateAuthorityChallenge(); + @Message(id = 1051, value = "Invalid certificate revocation reason '%s'") OperationFailedException invalidCertificateRevocationReason(String reason); @Message(id = 1052, value = "Unable to instantiate AcmeClientSpi implementation") IllegalStateException unableToInstatiateAcmeClientSpiImplementation(); + @Message(id = 1053, value = "Unable to update the account with the certificate authority: %s") + OperationFailedException unableToUpdateAccountWithCertificateAuthority(@Cause Exception cause, String causeMessage); + + @Message(id = 1054, value = "Unable to get the metadata associated with the certificate authority: %s") + OperationFailedException unableToGetCertificateAuthorityMetadata(@Cause Exception cause, String causeMessage); + @Message(id = 1055, value = "Invalid key size: %d") OperationFailedException invalidKeySize(int keySize); + @Message(id = 1056, value = "A certificate authority account with this account key already exists. To update the contact" + + " information associated with this existing account, use %s. To change the key associated with this existing account, use %s.") + OperationFailedException certificateAuthorityAccountAlreadyExists(String updateAccount, String changeAccountKey); + + @Message(id = 1057, value = "Failed to create ServerAuthModule [%s] using module '%s'") + RuntimeException failedToCreateServerAuthModule(String className, String module, @Cause Exception cause); + + @Message(id = 1058, value = "Failed to parse PEM public key with kid: %s") + OperationFailedException failedToParsePEMPublicKey(String kid); + @Message(id = 1059, value = "Unable to detect KeyStore '%s'") StartException unableToDetectKeyStore(String path); @Message(id = 1060, value = "Fileless KeyStore needs to have a defined type.") OperationFailedException filelessKeyStoreMissingType(); + @Message(id = 1063, value = "LetsEncrypt certificate authority is configured by default.") + OperationFailedException letsEncryptNameNotAllowed(); + @Message(id = 1064, value = "Failed to load OCSP responder certificate '%s'.") StartException failedToLoadResponderCert(String alias, @Cause Exception exception); @@ -291,6 +339,10 @@ public interface ElytronTLSLogger extends BasicLogger { @LogMessage(level = WARN) void selfSignedCertificateHasBeenCreated(String file, String sha1, String sha256); + + @Message(id = 1088, value = "Missing certificate authority challenge") + AcmeException missingCertificateAuthorityChallenge(); + @Message(id = 1089, value = "Multiple keystore definitions.") OperationFailedException multipleKeystoreDefinitions(); diff --git a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/_private/WildFlyAcmeClient.java b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/_private/WildFlyAcmeClient.java new file mode 100644 index 0000000..975b021 --- /dev/null +++ b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/_private/WildFlyAcmeClient.java @@ -0,0 +1,91 @@ +/* + * JBoss, Home of Professional Open Source. + * Copyright 2018 Red Hat, Inc., and individual contributors + * as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.wildfly.extension.elytron.tls.subsystem._private; + +import static org.wildfly.extension.elytron.tls.subsystem._private.ElytronTLSLogger.LOGGER; + +import java.io.File; +import java.io.FileOutputStream; +import java.io.IOException; +import java.nio.charset.StandardCharsets; +import java.util.List; + +import org.wildfly.common.Assert; +import org.wildfly.security.manager.WildFlySecurityManager; +import org.wildfly.security.x500.cert.acme.AcmeAccount; +import org.wildfly.security.x500.cert.acme.AcmeChallenge; +import org.wildfly.security.x500.cert.acme.AcmeClientSpi; +import org.wildfly.security.x500.cert.acme.AcmeException; + +/** + * Implementation of the Automatic Certificate Management + * Environment (ACME) protocol. + * + * @author Farah Juma + */ +public final class WildFlyAcmeClient extends AcmeClientSpi { + private static final String ACME_CHALLENGE_PREFIX = "/.well-known/acme-challenge/"; + private static final String TOKEN_REGEX = "[A-Za-z0-9_-]+"; + + public AcmeChallenge proveIdentifierControl(AcmeAccount account, List challenges) throws AcmeException { + Assert.checkNotNullParam("account", account); + Assert.checkNotNullParam("challenges", challenges); + AcmeChallenge selectedChallenge = null; + for (AcmeChallenge challenge : challenges) { + if (challenge.getType() == AcmeChallenge.Type.HTTP_01) { + selectedChallenge = challenge; + break; + } + } + if (selectedChallenge == null) { + throw LOGGER.missingCertificateAuthorityChallenge(); + } + // ensure the token is valid before proceeding + String token = selectedChallenge.getToken(); + if (! token.matches(TOKEN_REGEX)) { + throw LOGGER.invalidCertificateAuthorityChallenge(); + } + + // respond to the http challenge + String responseFilePath = WildFlySecurityManager.getPropertyPrivileged("jboss.home.dir", ".") + ACME_CHALLENGE_PREFIX + token; + try (FileOutputStream fos = new FileOutputStream(responseFilePath)) { + fos.write(selectedChallenge.getKeyAuthorization(account).getBytes(StandardCharsets.US_ASCII)); + } catch (IOException e) { + throw LOGGER.unableToRespondToCertificateAuthorityChallenge(e, e.getLocalizedMessage()); + } + return selectedChallenge; + } + + public void cleanupAfterChallenge(AcmeAccount account, AcmeChallenge challenge) throws AcmeException { + Assert.checkNotNullParam("account", account); + Assert.checkNotNullParam("challenge", challenge); + // ensure the token is valid before proceeding + String token = challenge.getToken(); + if (! token.matches(TOKEN_REGEX)) { + throw LOGGER.invalidCertificateAuthorityChallenge(); + } + + // delete the file that was created to prove identifier control + String responseFilePath = WildFlySecurityManager.getPropertyPrivileged("jboss.home.dir", ".") + ACME_CHALLENGE_PREFIX + token; + File responseFile = new File(responseFilePath); + if (responseFile.exists()) { + responseFile.delete(); + } + } + +} diff --git a/subsystem/src/main/resources/org/wildfly/extension/elytron/tls/subsystem/LocalDescriptions.properties b/subsystem/src/main/resources/org/wildfly/extension/elytron/tls/subsystem/LocalDescriptions.properties index d251827..9ef6aeb 100644 --- a/subsystem/src/main/resources/org/wildfly/extension/elytron/tls/subsystem/LocalDescriptions.properties +++ b/subsystem/src/main/resources/org/wildfly/extension/elytron/tls/subsystem/LocalDescriptions.properties @@ -60,7 +60,7 @@ elytron-tls.provider-loader.loaded-providers.algorithm=The algorithm supported b elytron-tls.provider-loader.loaded-providers.class-name=The class name of the implementation of the service SPI. #################################### -# Expression Resolver (Encryption) # +#expression Resolver (Encryption) # #################################### elytron-tls.expression=Definition of an expression resolver to decrypt encrypted expressions. @@ -106,7 +106,7 @@ elytron-tls.credential-store.path=File name of credential store storage. elytron-tls.credential-store.location=File name of credential store storage. elytron-tls.credential-store.location.deprecated=Use the 'path' attribute instead. elytron-tls.credential-store.modifiable=Specifies whether credential store is modifiable. -elytron-tls.credential-store.create=Specifies whether credential store should create storage when it doesn't exist. +elytron-tls.credential-store.create=Specifies whether credential store should create storage when it does not exist. elytron-tls.credential-store.relative-to=A reference to a previously defined path that the file name is relative to. elytron-tls.credential-store.add=Add another credential store to the configuration. elytron-tls.credential-store.remove=Remove credential store from the configuration. @@ -152,314 +152,383 @@ elytron-tls.credential-store.operations.import-secret-key.key=The previously exp ################## -# TLS / KeyStore # +# KeyStore # ################## -elytron-tls.tls.key-store=A KeyStore definition. +elytron-tls.key-store=A KeyStore definition. # Operations -elytron-tls.tls.key-store.add=Add a new KeyStore definition. -elytron-tls.tls.key-store.remove=Remove the KeyStore definition. -elytron-tls.tls.key-store.load=Load the KeyStore, if the KeyStore is file backed this will involve re-reading the contents of the file. -elytron-tls.tls.key-store.store=Store the KeyStore to file, this operation will fail for any KeyStore instances not backed by a file. If the file does not exist and it was not flagged as required it will be created. +elytron-tls.key-store.add=Add a new KeyStore definition. +elytron-tls.key-store.remove=Remove the KeyStore definition. +elytron-tls.key-store.load=Load the KeyStore, if the KeyStore is file backed this will involve re-reading the contents of the file. +elytron-tls.key-store.store=Store the KeyStore to file, this operation will fail for any KeyStore instances not backed by a file. If the file does not exist and it was not flagged as required it will be created. # Configuration Attributes -elytron-tls.tls.key-store.type=The type of the KeyStore, used when creating the new KeyStore instance. -elytron-tls.tls.key-store.provider-name=The name of the provider to use to load the KeyStore, disables searching for the first Provider that can create a KeyStore of the specified type. -elytron-tls.tls.key-store.credential-reference=The reference to credential stored in CredentialStore under defined alias or clear text password. -elytron-tls.tls.key-store.credential-reference.store=The name of the credential store holding the alias to credential. -elytron-tls.tls.key-store.credential-reference.alias=The alias which denotes stored secret or credential in the store. -elytron-tls.tls.key-store.credential-reference.type=The type of credential this reference is denoting. -elytron-tls.tls.key-store.credential-reference.clear-text=Secret specified using clear text. Check credential store way of supplying credential/secrets to services. -elytron-tls.tls.key-store.relative-to=The base path this store is relative to. -elytron-tls.tls.key-store.path=The path to the KeyStore file. -elytron-tls.tls.key-store.required=Is the file required to exist at the time the KeyStore service starts? -elytron-tls.tls.key-store.providers=A reference to the providers that should be used to obtain the list of Provider instances to search, if not specified the global list of providers will be used instead. -elytron-tls.tls.key-store.alias-filter=A filter to apply to the aliases returned from the KeyStore, can either be a comma separated list of aliases to return or one of the following formats ALL:-alias1:-alias2, NONE:+alias1:+alias2 +elytron-tls.key-store.type=The type of the KeyStore, used when creating the new KeyStore instance. +elytron-tls.key-store.provider-name=The name of the provider to use to load the KeyStore, disables searching for the first Provider that can create a KeyStore of the specified type. +elytron-tls.key-store.credential-reference=The reference to credential stored in CredentialStore under defined alias or clear text password. +elytron-tls.key-store.credential-reference.store=The name of the credential store holding the alias to credential. +elytron-tls.key-store.credential-reference.alias=The alias which denotes stored secret or credential in the store. +elytron-tls.key-store.credential-reference.type=The type of credential this reference is denoting. +elytron-tls.key-store.credential-reference.clear-text=Secret specified using clear text. Check credential store way of supplying credential/secrets to services. +elytron-tls.key-store.relative-to=The base path this store is relative to. +elytron-tls.key-store.path=The path to the KeyStore file. +elytron-tls.key-store.required=Is the file required to exist at the time the KeyStore service starts? +elytron-tls.key-store.providers=A reference to the providers that should be used to obtain the list of Provider instances to search, if not specified the global list of providers will be used instead. +elytron-tls.key-store.alias-filter=A filter to apply to the aliases returned from the KeyStore, can either be a comma separated list of aliases to return or one of the following formats ALL:-alias1:-alias2, NONE:+alias1:+alias2 # Runtime Attributes -elytron-tls.tls.key-store.state=The state of the underlying service that represents this KeyStore at runtime, if it is anything other than UP runtime operations will not be available. -elytron-tls.tls.key-store.synchronized=The time this KeyStore was last loaded or saved. Note: Some providers may continue to apply updates after the KeyStore was loaded within the application server. -elytron-tls.tls.key-store.modified=Indicates if the in-memory representation of the KeyStore has been changed since it was last loaded or stored. Note: For some providers updates may be immediate without further load or store calls. -elytron-tls.tls.key-store.loaded-provider=Information about the provider that was used for this KeyStore. -elytron-tls.tls.key-store.loaded-provider.name=The name of the provider used to load the KeyStore. -elytron-tls.tls.key-store.loaded-provider.info=The information string about the provider used to load the KeyStore. -elytron-tls.tls.key-store.loaded-provider.version=The version of the provider used to load the KeyStore. -elytron-tls.tls.key-store.size=The number of entries in the KeyStore. - -elytron-tls.tls.key-store.alias=An individual alias within the KeyStore. -elytron-tls.tls.key-store.alias.remove=Immediately remove the alias from the KeyStore, the success of this operation will be dependent on the underlying KeyStore provider supporting removals. -elytron-tls.tls.key-store.alias.creation-date=The creation date of the entry represented by this alias. -elytron-tls.tls.key-store.alias.entry-type=The type of the entry for this alias. Note: Unrecognised types will be reported as 'Other'. - -elytron-tls.tls.key-store.alias.certificate=The certificate associated with the alias (Note: If the alias has a certificate chain this will always be undefined). -elytron-tls.tls.key-store.alias.certificate-chain=The certificate chain associated with the alias. - -elytron-tls.tls.key-store.alias.certificate.type=The type of the certificate. -elytron-tls.tls.key-store.alias.certificate.algorithm=The algorithm of the public key. -elytron-tls.tls.key-store.alias.certificate.format=The format of the public key. -elytron-tls.tls.key-store.alias.certificate.public-key=The encoded public key associated with the certificate. -elytron-tls.tls.key-store.alias.certificate.sha-1-digest=The SHA-1 digest (finger print) of the certificate. -elytron-tls.tls.key-store.alias.certificate.sha-256-digest=The SHA-256 digest (finger print) of the certificate. -elytron-tls.tls.key-store.alias.certificate.encoded=The encoded value of the certificate. -elytron-tls.tls.key-store.alias.certificate.subject=The subject from the certificate. -elytron-tls.tls.key-store.alias.certificate.issuer=The issuer of the certificate. -elytron-tls.tls.key-store.alias.certificate.not-before=The starting date and time the certificate is valid. -elytron-tls.tls.key-store.alias.certificate.not-after=The expiration date and time of the certificate. -elytron-tls.tls.key-store.alias.certificate.serial-number=The serial number of the certificate. -elytron-tls.tls.key-store.alias.certificate.signature-algorithm=The algorithm used to generate the certificates signature. -elytron-tls.tls.key-store.alias.certificate.signature=The signature of the certificate. -elytron-tls.tls.key-store.alias.certificate.version=The certificate version. - -elytron-tls.tls.key-store.alias.certificate-chain.type=The type of the certificate. -elytron-tls.tls.key-store.alias.certificate-chain.algorithm=The algorithm of the public key. -elytron-tls.tls.key-store.alias.certificate-chain.format=The format of the public key. -elytron-tls.tls.key-store.alias.certificate-chain.public-key=The encoded public key associated with the certificate. -elytron-tls.tls.key-store.alias.certificate-chain.sha-1-digest=The SHA-1 digest (finger print) of the certificate. -elytron-tls.tls.key-store.alias.certificate-chain.sha-256-digest=The SHA-256 digest (finger print) of the certificate. -elytron-tls.tls.key-store.alias.certificate-chain.encoded=The encoded value of the certificate. -elytron-tls.tls.key-store.alias.certificate-chain.subject=The subject from the certificate. -elytron-tls.tls.key-store.alias.certificate-chain.issuer=The issuer of the certificate. -elytron-tls.tls.key-store.alias.certificate-chain.not-before=The starting date and time the certificate is valid. -elytron-tls.tls.key-store.alias.certificate-chain.not-after=The expiration date and time of the certificate. -elytron-tls.tls.key-store.alias.certificate-chain.serial-number=The serial number of the certificate. -elytron-tls.tls.key-store.alias.certificate-chain.signature-algorithm=The algorithm used to generate the certificates signature. -elytron-tls.tls.key-store.alias.certificate-chain.signature=The signature of the certificate. -elytron-tls.tls.key-store.alias.certificate-chain.version=The certificate version. - -elytron-tls.tls.key-manager=A key manager definition for creating the KeyManager as used to create an SSLContext. +elytron-tls.key-store.state=The state of the underlying service that represents this KeyStore at runtime, if it is anything other than UP runtime operations will not be available. +elytron-tls.key-store.synchronized=The time this KeyStore was last loaded or saved. Note: Some providers may continue to apply updates after the KeyStore was loaded within the application server. +elytron-tls.key-store.modified=Indicates if the in-memory representation of the KeyStore has been changed since it was last loaded or stored. Note: For some providers updates may be immediate without further load or store calls. +elytron-tls.key-store.loaded-provider=Information about the provider that was used for this KeyStore. +elytron-tls.key-store.loaded-provider.name=The name of the provider used to load the KeyStore. +elytron-tls.key-store.loaded-provider.info=The information string about the provider used to load the KeyStore. +elytron-tls.key-store.loaded-provider.version=The version of the provider used to load the KeyStore. +elytron-tls.key-store.size=The number of entries in the KeyStore. + +elytron-tls.key-store.alias=An individual alias within the KeyStore. +elytron-tls.key-store.alias.remove=Immediately remove the alias from the KeyStore, the success of this operation will be dependent on the underlying KeyStore provider supporting removals. +elytron-tls.key-store.alias.creation-date=The creation date of the entry represented by this alias. +elytron-tls.key-store.alias.entry-type=The type of the entry for this alias. Note: Unrecognised types will be reported as 'Other'. + +elytron-tls.key-store.alias.certificate=The certificate associated with the alias (Note: If the alias has a certificate chain this will always be undefined). +elytron-tls.key-store.alias.certificate-chain=The certificate chain associated with the alias. + +elytron-tls.key-store.alias.certificate.type=The type of the certificate. +elytron-tls.key-store.alias.certificate.algorithm=The algorithm of the public key. +elytron-tls.key-store.alias.certificate.format=The format of the public key. +elytron-tls.key-store.alias.certificate.public-key=The encoded public key associated with the certificate. +elytron-tls.key-store.alias.certificate.sha-1-digest=The SHA-1 digest (finger print) of the certificate. +elytron-tls.key-store.alias.certificate.sha-256-digest=The SHA-256 digest (finger print) of the certificate. +elytron-tls.key-store.alias.certificate.encoded=The encoded value of the certificate. +elytron-tls.key-store.alias.certificate.subject=The subject from the certificate. +elytron-tls.key-store.alias.certificate.issuer=The issuer of the certificate. +elytron-tls.key-store.alias.certificate.not-before=The starting date and time the certificate is valid. +elytron-tls.key-store.alias.certificate.not-after=The expiration date and time of the certificate. +elytron-tls.key-store.alias.certificate.serial-number=The serial number of the certificate. +elytron-tls.key-store.alias.certificate.signature-algorithm=The algorithm used to generate the certificates signature. +elytron-tls.key-store.alias.certificate.signature=The signature of the certificate. +elytron-tls.key-store.alias.certificate.version=The certificate version. + +elytron-tls.key-store.alias.certificate-chain.type=The type of the certificate. +elytron-tls.key-store.alias.certificate-chain.algorithm=The algorithm of the public key. +elytron-tls.key-store.alias.certificate-chain.format=The format of the public key. +elytron-tls.key-store.alias.certificate-chain.public-key=The encoded public key associated with the certificate. +elytron-tls.key-store.alias.certificate-chain.sha-1-digest=The SHA-1 digest (finger print) of the certificate. +elytron-tls.key-store.alias.certificate-chain.sha-256-digest=The SHA-256 digest (finger print) of the certificate. +elytron-tls.key-store.alias.certificate-chain.encoded=The encoded value of the certificate. +elytron-tls.key-store.alias.certificate-chain.subject=The subject from the certificate. +elytron-tls.key-store.alias.certificate-chain.issuer=The issuer of the certificate. +elytron-tls.key-store.alias.certificate-chain.not-before=The starting date and time the certificate is valid. +elytron-tls.key-store.alias.certificate-chain.not-after=The expiration date and time of the certificate. +elytron-tls.key-store.alias.certificate-chain.serial-number=The serial number of the certificate. +elytron-tls.key-store.alias.certificate-chain.signature-algorithm=The algorithm used to generate the certificates signature. +elytron-tls.key-store.alias.certificate-chain.signature=The signature of the certificate. +elytron-tls.key-store.alias.certificate-chain.version=The certificate version. + + +################## +# Managers # +################## + +elytron-tls.key-manager=A key manager definition for creating the KeyManager as used to create an SSLContext. #operations -elytron-tls.tls.key-manager.add=Add the new key manager definition. -elytron-tls.tls.key-manager.remove=Remove the key manager definition. -elytron-tls.tls.key-manager.init=Reinitialize key manager. +elytron-tls.key-manager.add=Add the new key manager definition. +elytron-tls.key-manager.remove=Remove the key manager definition. +elytron-tls.key-manager.init=Reinitialize key manager. # Attributes -elytron-tls.tls.key-manager.algorithm=The name of the algorithm to use to create the underlying KeyManagerFactory. -elytron-tls.tls.key-manager.providers=Reference to obtain the Provider[] to use when creating the underlying KeyManagerFactory. -elytron-tls.tls.key-manager.provider-name=The name of the provider to use to create the underlying KeyManagerFactory. -elytron-tls.tls.key-manager.credential-reference=The credential reference to decrypt KeyStore item. (Not a password of the KeyStore.) -elytron-tls.tls.key-manager.credential-reference.store=The name of the credential store holding the alias to credential. -elytron-tls.tls.key-manager.credential-reference.alias=The alias which denotes stored secret or credential in the store. -elytron-tls.tls.key-manager.credential-reference.type=The type of credential this reference is denoting. -elytron-tls.tls.key-manager.credential-reference.clear-text=The secret specified using clear text. Check credential store way of supplying credential/secrets to services. -elytron-tls.tls.key-manager.alias-filter=A filter to apply to the aliases returned from the KeyStore, can either be a comma separated list of aliases to return or one of the following formats ALL:-alias1:-alias2, NONE:+alias1:+alias2 -elytron-tls.tls.key-manager.generate-self-signed-certificate-host=If the file that backs the KeyStore does not exist and this attribute is set, then a self-signed certificate will be generated for the specified host name. This is not intended for production use. - -elytron-tls.tls.key-manager.key-store=Reference to the KeyStore to use to initialise the underlying KeyManagerFactory. -elytron-tls.tls.key-manager.key-store-object=KeyStore object to use to initialise the underlying KeyManagerFactory. -elytron-tls.tls.key-manager.key-store-object.type=The type of the KeyStore, used when creating the new KeyStore instance. -elytron-tls.tls.key-manager.key-store-object.provider-name=The name of the provider to use to load the KeyStore, disables searching for the first Provider that can create a KeyStore of the specified type. -elytron-tls.tls.key-manager.key-store-object.credential-reference=The reference to credential stored in CredentialStore under defined alias or clear text password. -elytron-tls.tls.key-manager.key-store-object.credential-reference.store=The name of the credential store holding the alias to credential. -elytron-tls.tls.key-manager.key-store-object.credential-reference.alias=The alias which denotes stored secret or credential in the store. -elytron-tls.tls.key-manager.key-store-object.credential-reference.type=The type of credential this reference is denoting. -elytron-tls.tls.key-manager.key-store-object.credential-reference.clear-text=Secret specified using clear text. Check credential store way of supplying credential/secrets to services. -elytron-tls.tls.key-manager.key-store-object.relative-to=The base path this store is relative to. -elytron-tls.tls.key-manager.key-store-object.path=The path to the KeyStore file. -elytron-tls.tls.key-manager.key-store-object.required=Is the file required to exist at the time the KeyStore service starts? -elytron-tls.tls.key-manager.key-store-object.providers=A reference to the providers that should be used to obtain the list of Provider instances to search, if not specified the global list of providers will be used instead. -elytron-tls.tls.key-manager.key-store-object.alias-filter=A filter to apply to the aliases returned from the KeyStore, can either be a comma separated list of aliases to return or one of the following formats ALL:-alias1:-alias2, NONE:+alias1:+alias2 - -elytron-tls.tls.trust-manager=A trust manager definition for creating the TrustManager[] as used to create an SSLContext. +elytron-tls.key-manager.algorithm=The name of the algorithm to use to create the underlying KeyManagerFactory. +elytron-tls.key-manager.providers=Reference to obtain the Provider[] to use when creating the underlying KeyManagerFactory. +elytron-tls.key-manager.provider-name=The name of the provider to use to create the underlying KeyManagerFactory. +elytron-tls.key-manager.credential-reference=The credential reference to decrypt KeyStore item. (Not a password of the KeyStore.) +elytron-tls.key-manager.credential-reference.store=The name of the credential store holding the alias to credential. +elytron-tls.key-manager.credential-reference.alias=The alias which denotes stored secret or credential in the store. +elytron-tls.key-manager.credential-reference.type=The type of credential this reference is denoting. +elytron-tls.key-manager.credential-reference.clear-text=The secret specified using clear text. Check credential store way of supplying credential/secrets to services. +elytron-tls.key-manager.alias-filter=A filter to apply to the aliases returned from the KeyStore, can either be a comma separated list of aliases to return or one of the following formats ALL:-alias1:-alias2, NONE:+alias1:+alias2 +elytron-tls.key-manager.generate-self-signed-certificate-host=If the file that backs the KeyStore does not exist and this attribute is set, then a self-signed certificate will be generated for the specified host name. This is not intended for production use. + +elytron-tls.key-manager.key-store=Reference to the KeyStore to use to initialise the underlying KeyManagerFactory. +#elytron-tls.key-manager.key-store-object=KeyStore object to use to initialise the underlying KeyManagerFactory. +#elytron-tls.key-manager.key-store-object.type=The type of the KeyStore, used when creating the new KeyStore instance. +#elytron-tls.key-manager.key-store-object.provider-name=The name of the provider to use to load the KeyStore, disables searching for the first Provider that can create a KeyStore of the specified type. +#elytron-tls.key-manager.key-store-object.credential-reference=The reference to credential stored in CredentialStore under defined alias or clear text password. +#elytron-tls.key-manager.key-store-object.credential-reference.store=The name of the credential store holding the alias to credential. +#elytron-tls.key-manager.key-store-object.credential-reference.alias=The alias which denotes stored secret or credential in the store. +#elytron-tls.key-manager.key-store-object.credential-reference.type=The type of credential this reference is denoting. +#elytron-tls.key-manager.key-store-object.credential-reference.clear-text=Secret specified using clear text. Check credential store way of supplying credential/secrets to services. +#elytron-tls.key-manager.key-store-object.relative-to=The base path this store is relative to. +#elytron-tls.key-manager.key-store-object.path=The path to the KeyStore file. +#elytron-tls.key-manager.key-store-object.required=Is the file required to exist at the time the KeyStore service starts? +#elytron-tls.key-manager.key-store-object.providers=A reference to the providers that should be used to obtain the list of Provider instances to search, if not specified the global list of providers will be used instead. +#elytron-tls.key-manager.key-store-object.alias-filter=A filter to apply to the aliases returned from the KeyStore, can either be a comma separated list of aliases to return or one of the following formats ALL:-alias1:-alias2, NONE:+alias1:+alias2 + +elytron-tls.trust-manager=A trust manager definition for creating the TrustManager[] as used to create an SSLContext. #operations -elytron-tls.tls.trust-manager.add=Add the new trust manager definition. -elytron-tls.tls.trust-manager.remove=Remove the trust manager definition. -elytron-tls.tls.trust-manager.init=Reinitialize trust manager. +elytron-tls.trust-manager.add=Add the new trust manager definition. +elytron-tls.trust-manager.remove=Remove the trust manager definition. +elytron-tls.trust-manager.init=Reinitialize trust manager. # Attributes -elytron-tls.tls.trust-manager.algorithm=The name of the algorithm to use to create the underlying TrustManagerFactory. -elytron-tls.tls.trust-manager.providers=Reference to obtain the Provider[] to use when creating the underlying TrustManagerFactory. -elytron-tls.tls.trust-manager.provider-name=The name of the provider to use to create the underlying TrustManagerFactory. -elytron-tls.tls.trust-manager.alias-filter=A filter to apply to the aliases returned from the KeyStore, can either be a comma separated list of aliases to return or one of the following formats ALL:-alias1:-alias2, NONE:+alias1:+alias2 -elytron-tls.tls.trust-manager.maximum-cert-path=The maximum number of non-self-issued intermediate certificates that may exist in a certification path for OCSP and CRL checks. If neither OCSP and CRL is configured, this attribute has no effect. -elytron-tls.tls.trust-manager.only-leaf-cert=Whether only leaf certificate should be checked for revocation status. -elytron-tls.tls.trust-manager.soft-fail=Whether a certificate with unknown OCSP response should be accepted. -elytron-tls.tls.trust-manager.certificate-revocation-list=Enables certificate revocation list checks to a trust manager. -elytron-tls.tls.trust-manager.certificate-revocation-list.path=The path to the configuration to use to initialise the provider. -elytron-tls.tls.trust-manager.certificate-revocation-list.relative-to=The base path of the certificate revocation list file. -elytron-tls.tls.trust-manager.certificate-revocation-list.maximum-cert-path=The maximum number of non-self-issued intermediate certificates that may exist in a certification path. -elytron-tls.tls.trust-manager.certificate-revocation-list.maximum-cert-path.deprecated=Use 'maximum-cert-path' in trust manager proper. -elytron-tls.tls.trust-manager.ocsp=Enables online certificate status protocol checks to a trust manager. -elytron-tls.tls.trust-manager.ocsp.prefer-crls=Whether a certificate-revocation-list should be preferred over OCSP. -elytron-tls.tls.trust-manager.ocsp.responder=The URL of OCSP responder to use. Keep undefined to use responder from the certificate. -elytron-tls.tls.trust-manager.ocsp.responder-certificate=The alias for OCSP Responder certificate. Keep undefined to use the issuer of certificate in validation. -elytron-tls.tls.trust-manager.ocsp.responder-keystore=Reference to the keystore for responder-certificate. Keep undefined to use trust-manager keystore. Requires responder-certificate to be defined. -elytron-tls.tls.trust-manager.ocsp.responder-keystore-object=Keystore object for responder-certificate. Keep undefined to use trust-manager keystore. Requires responder-certificate to be defined. -elytron-tls.tls.trust-manager.ocsp.responder-keystore-object.type=The type of the KeyStore, used when creating the new KeyStore instance. -elytron-tls.tls.trust-manager.ocsp.responder-keystore-object.provider-name=The name of the provider to use to load the KeyStore, disables searching for the first Provider that can create a KeyStore of the specified type. -elytron-tls.tls.trust-manager.ocsp.responder-keystore-object.credential-reference=The reference to credential stored in CredentialStore under defined alias or clear text password. -elytron-tls.tls.trust-manager.ocsp.responder-keystore-object.credential-reference.store=The name of the credential store holding the alias to credential. -elytron-tls.tls.trust-manager.ocsp.responder-keystore-object.credential-reference.alias=The alias which denotes stored secret or credential in the store. -elytron-tls.tls.trust-manager.ocsp.responder-keystore-object.credential-reference.type=The type of credential this reference is denoting. -elytron-tls.tls.trust-manager.ocsp.responder-keystore-object.credential-reference.clear-text=Secret specified using clear text. Check credential store way of supplying credential/secrets to services. -elytron-tls.tls.trust-manager.ocsp.responder-keystore-object.relative-to=The base path this store is relative to. -elytron-tls.tls.trust-manager.ocsp.responder-keystore-object.path=The path to the KeyStore file. -elytron-tls.tls.trust-manager.ocsp.responder-keystore-object.required=Is the file required to exist at the time the KeyStore service starts? -elytron-tls.tls.trust-manager.ocsp.responder-keystore-object.providers=A reference to the providers that should be used to obtain the list of Provider instances to search, if not specified the global list of providers will be used instead. -elytron-tls.tls.trust-manager.ocsp.responder-keystore-object.alias-filter=A filter to apply to the aliases returned from the KeyStore, can either be a comma separated list of aliases to return or one of the following formats ALL:-alias1:-alias2, NONE:+alias1:+alias2 -elytron-tls.tls.trust-manager.reload-certificate-revocation-list=Notify the trust manager in order to reload the certificate revocation list, if defined. -elytron-tls.tls.trust-manager.certificate-revocation-lists=Enables certificate revocation list checks to a trust manager using multiple certificate revocation lists. -elytron-tls.tls.trust-manager.certificate-revocation-lists.path=The path to the certificate revocation list. -elytron-tls.tls.trust-manager.certificate-revocation-lists.relative-to=The base path of the certificate revocation list file. - -elytron-tls.tls.trust-manager.key-store=Reference to the KeyStore to use to initialise the underlying TrustManagerFactory. -elytron-tls.tls.trust-manager.key-store-object=KeyStore object to use to initialise the underlying TrustManagerFactory. -elytron-tls.tls.trust-manager.key-store-object.type=The type of the KeyStore, used when creating the new KeyStore instance. -elytron-tls.tls.trust-manager.key-store-object.provider-name=The name of the provider to use to load the KeyStore, disables searching for the first Provider that can create a KeyStore of the specified type. -elytron-tls.tls.trust-manager.key-store-object.credential-reference=The reference to credential stored in CredentialStore under defined alias or clear text password. -elytron-tls.tls.trust-manager.key-store-object.credential-reference.store=The name of the credential store holding the alias to credential. -elytron-tls.tls.trust-manager.key-store-object.credential-reference.alias=The alias which denotes stored secret or credential in the store. -elytron-tls.tls.trust-manager.key-store-object.credential-reference.type=The type of credential this reference is denoting. -elytron-tls.tls.trust-manager.key-store-object.credential-reference.clear-text=Secret specified using clear text. Check credential store way of supplying credential/secrets to services. -elytron-tls.tls.trust-manager.key-store-object.relative-to=The base path this store is relative to. -elytron-tls.tls.trust-manager.key-store-object.path=The path to the KeyStore file. -elytron-tls.tls.trust-manager.key-store-object.required=Is the file required to exist at the time the KeyStore service starts? -elytron-tls.tls.trust-manager.key-store-object.providers=A reference to the providers that should be used to obtain the list of Provider instances to search, if not specified the global list of providers will be used instead. -elytron-tls.tls.trust-manager.key-store-object.alias-filter=A filter to apply to the aliases returned from the KeyStore, can either be a comma separated list of aliases to return or one of the following formats ALL:-alias1:-alias2, NONE:+alias1:+alias2 - -# TODO: trust/key manager objects for SSL context - -elytron-tls.tls.client-ssl-context=An SSLContext for use on the client side of a connection. +elytron-tls.trust-manager.algorithm=The name of the algorithm to use to create the underlying TrustManagerFactory. +elytron-tls.trust-manager.providers=Reference to obtain the Provider[] to use when creating the underlying TrustManagerFactory. +elytron-tls.trust-manager.provider-name=The name of the provider to use to create the underlying TrustManagerFactory. +elytron-tls.trust-manager.alias-filter=A filter to apply to the aliases returned from the KeyStore, can either be a comma separated list of aliases to return or one of the following formats ALL:-alias1:-alias2, NONE:+alias1:+alias2 +elytron-tls.trust-manager.maximum-cert-path=The maximum number of non-self-issued intermediate certificates that may exist in a certification path for OCSP and CRL checks. If neither OCSP and CRL is configured, this attribute has no effect. +elytron-tls.trust-manager.only-leaf-cert=Whether only leaf certificate should be checked for revocation status. +elytron-tls.trust-manager.soft-fail=Whether a certificate with unknown OCSP response should be accepted. +elytron-tls.trust-manager.certificate-revocation-list=Enables certificate revocation list checks to a trust manager. +elytron-tls.trust-manager.certificate-revocation-list.path=The path to the configuration to use to initialise the provider. +elytron-tls.trust-manager.certificate-revocation-list.relative-to=The base path of the certificate revocation list file. +elytron-tls.trust-manager.certificate-revocation-list.maximum-cert-path=The maximum number of non-self-issued intermediate certificates that may exist in a certification path. +elytron-tls.trust-manager.certificate-revocation-list.maximum-cert-path.deprecated=Use 'maximum-cert-path' in trust manager proper. +elytron-tls.trust-manager.ocsp=Enables online certificate status protocol checks to a trust manager. +elytron-tls.trust-manager.ocsp.prefer-crls=Whether a certificate-revocation-list should be preferred over OCSP. +elytron-tls.trust-manager.ocsp.responder=The URL of OCSP responder to use. Keep undefined to use responder from the certificate. +elytron-tls.trust-manager.ocsp.responder-certificate=The alias for OCSP Responder certificate. Keep undefined to use the issuer of certificate in validation. +elytron-tls.trust-manager.ocsp.responder-keystore=Reference to the keystore for responder-certificate. Keep undefined to use trust-manager keystore. Requires responder-certificate to be defined. +#elytron-tls.trust-manager.ocsp.responder-keystore-object=Keystore object for responder-certificate. Keep undefined to use trust-manager keystore. Requires responder-certificate to be defined. +#elytron-tls.trust-manager.ocsp.responder-keystore-object.type=The type of the KeyStore, used when creating the new KeyStore instance. +#elytron-tls.trust-manager.ocsp.responder-keystore-object.provider-name=The name of the provider to use to load the KeyStore, disables searching for the first Provider that can create a KeyStore of the specified type. +#elytron-tls.trust-manager.ocsp.responder-keystore-object.credential-reference=The reference to credential stored in CredentialStore under defined alias or clear text password. +#elytron-tls.trust-manager.ocsp.responder-keystore-object.credential-reference.store=The name of the credential store holding the alias to credential. +#elytron-tls.trust-manager.ocsp.responder-keystore-object.credential-reference.alias=The alias which denotes stored secret or credential in the store. +#elytron-tls.trust-manager.ocsp.responder-keystore-object.credential-reference.type=The type of credential this reference is denoting. +#elytron-tls.trust-manager.ocsp.responder-keystore-object.credential-reference.clear-text=Secret specified using clear text. Check credential store way of supplying credential/secrets to services. +#elytron-tls.trust-manager.ocsp.responder-keystore-object.relative-to=The base path this store is relative to. +#elytron-tls.trust-manager.ocsp.responder-keystore-object.path=The path to the KeyStore file. +#elytron-tls.trust-manager.ocsp.responder-keystore-object.required=Is the file required to exist at the time the KeyStore service starts? +#elytron-tls.trust-manager.ocsp.responder-keystore-object.providers=A reference to the providers that should be used to obtain the list of Provider instances to search, if not specified the global list of providers will be used instead. +#elytron-tls.trust-manager.ocsp.responder-keystore-object.alias-filter=A filter to apply to the aliases returned from the KeyStore, can either be a comma separated list of aliases to return or one of the following formats ALL:-alias1:-alias2, NONE:+alias1:+alias2 +elytron-tls.trust-manager.reload-certificate-revocation-list=Notify the trust manager in order to reload the certificate revocation list, if defined. +elytron-tls.trust-manager.certificate-revocation-lists=Enables certificate revocation list checks to a trust manager using multiple certificate revocation lists. +elytron-tls.trust-manager.certificate-revocation-lists.path=The path to the certificate revocation list. +elytron-tls.trust-manager.certificate-revocation-lists.relative-to=The base path of the certificate revocation list file. + +elytron-tls.trust-manager.key-store=Reference to the KeyStore to use to initialise the underlying TrustManagerFactory. +#elytron-tls.trust-manager.key-store-object=KeyStore object to use to initialise the underlying TrustManagerFactory. +#elytron-tls.trust-manager.key-store-object.type=The type of the KeyStore, used when creating the new KeyStore instance. +#elytron-tls.trust-manager.key-store-object.provider-name=The name of the provider to use to load the KeyStore, disables searching for the first Provider that can create a KeyStore of the specified type. +#elytron-tls.trust-manager.key-store-object.credential-reference=The reference to credential stored in CredentialStore under defined alias or clear text password. +#elytron-tls.trust-manager.key-store-object.credential-reference.store=The name of the credential store holding the alias to credential. +#elytron-tls.trust-manager.key-store-object.credential-reference.alias=The alias which denotes stored secret or credential in the store. +#elytron-tls.trust-manager.key-store-object.credential-reference.type=The type of credential this reference is denoting. +#elytron-tls.trust-manager.key-store-object.credential-reference.clear-text=Secret specified using clear text. Check credential store way of supplying credential/secrets to services. +#elytron-tls.trust-manager.key-store-object.relative-to=The base path this store is relative to. +#elytron-tls.trust-manager.key-store-object.path=The path to the KeyStore file. +#elytron-tls.trust-manager.key-store-object.required=Is the file required to exist at the time the KeyStore service starts? +#elytron-tls.trust-manager.key-store-object.providers=A reference to the providers that should be used to obtain the list of Provider instances to search, if not specified the global list of providers will be used instead. +#elytron-tls.trust-manager.key-store-object.alias-filter=A filter to apply to the aliases returned from the KeyStore, can either be a comma separated list of aliases to return or one of the following formats ALL:-alias1:-alias2, NONE:+alias1:+alias2 + + +################## +# Certificate Authorities # +################## + +elytron-tls.certificate-authority=A certificate authority definition. +# Operations +elytron-tls.certificate-authority.add=Add a new certificate authority definition. +elytron-tls.certificate-authority.remove=Remove the certificate authority definition. +# Configuration Attributes +elytron-tls.certificate-authority.url=URL of the certificate authority. +elytron-tls.certificate-authority.staging-url=URL of the certificate authority to use in pre-production. + +elytron-tls.certificate-authority-account=A certificate authority account definition. +# Operations +elytron-tls.certificate-authority-account.add=Add a new certificate authority account definition. +elytron-tls.certificate-authority-account.remove=Remove the certificate authority account definition. +elytron-tls.certificate-authority-account.create-account=Create an account with the certificate authority if one does not already exist. +elytron-tls.certificate-authority-account.create-account.agree-to-terms-of-service=Indicates whether or not the user agrees to the certificate authority terms of service. +elytron-tls.certificate-authority-account.create-account.staging=Indicates whether or not the certificate authority staging URL should be used. The default value is false. This should only be set to true for testing purposes. This should never be set to true in a production environment. +elytron-tls.certificate-authority-account.update-account=Update an account with the certificate authority. +elytron-tls.certificate-authority-account.update-account.agree-to-terms-of-service=Indicates whether or not the user agrees to the certificate authority terms of service. +elytron-tls.certificate-authority-account.update-account.staging=Indicates whether or not the certificate authority staging URL should be used. The default value is false. This should only be set to true for testing purposes. This should never be set to true in a production environment. +elytron-tls.certificate-authority-account.change-account-key=Change the key associated with this certificate authority account. +elytron-tls.certificate-authority-account.change-account-key.staging=Indicates whether or not the certificate authority staging URL should be used. The default value is false. This should only be set to true for testing purposes. This should never be set to true in a production environment. +elytron-tls.certificate-authority-account.deactivate-account=Deactivate this certificate authority account. +elytron-tls.certificate-authority-account.deactivate-account.staging=Indicates whether or not the certificate authority staging URL should be used. The default value is false. This should only be set to true for testing purposes. This should never be set to true in a production environment. +elytron-tls.certificate-authority-account.get-metadata=Get the metadata associated with the certificate authority. +elytron-tls.certificate-authority-account.get-metadata.staging=Indicates whether or not the certificate authority staging URL should be used. The default value is false. This should only be set to true for testing purposes. This should never be set to true in a production environment. + +# Configuration Attributes +elytron-tls.certificate-authority-account.certificate-authority=The name of the certificate authority to use. +elytron-tls.certificate-authority-account.contact-urls=A list of URLs that the certificate authority can contact about any issues related to this account. +elytron-tls.certificate-authority-account.alias=The alias of certificate authority account key in the keystore. If the alias does not already exist in the keystore, a certificate authority account key will be automatically generated and stored as a PrivateKeyEntry under the alias. +elytron-tls.certificate-authority-account.credential-reference=Credential to be used when accessing the certificate authority account key. +elytron-tls.certificate-authority-account.credential-reference.store=The name of the credential store holding the alias to credential. +elytron-tls.certificate-authority-account.credential-reference.alias=The alias which denotes stored secret or credential in the store. +elytron-tls.certificate-authority-account.credential-reference.type=The type of credential this reference is denoting. +elytron-tls.certificate-authority-account.credential-reference.clear-text=Secret specified using clear text. Check credential store way of supplying credential/secrets to services. +elytron-tls.server-ssl-sni-context=A server side SNI Aware SSLContext that selects between an underlying context based on the provided SNI name +elytron-tls.server-ssl-sni-context.add=Adds a SNI context +elytron-tls.server-ssl-sni-context.remove=Removes a SNI context +elytron-tls.server-ssl-sni-context.default-ssl-context=The context to use if no SNI information is present, or if it does not match any mappings +elytron-tls.server-ssl-sni-context.host-context-map=A mapping between a server name and an SSContext + +elytron-tls.certificate-authority-account.key-store=Reference to the keystore that contains the certificate authority account key. +#elytron-tls.certificate-authority-account.key-store-object=KeyStore object that contains the certificate authority account key. +#elytron-tls.certificate-authority-account.key-store-object.type=The type of the KeyStore, used when creating the new KeyStore instance. +#elytron-tls.certificate-authority-account.key-store-object.provider-name=The name of the provider to use to load the KeyStore, disables searching for the first Provider that can create a KeyStore of the specified type. +#elytron-tls.certificate-authority-account.key-store-object.credential-reference=The reference to credential stored in CredentialStore under defined alias or clear text password. +#elytron-tls.certificate-authority-account.key-store-object.credential-reference.store=The name of the credential store holding the alias to credential. +#elytron-tls.certificate-authority-account.key-store-object.credential-reference.alias=The alias which denotes stored secret or credential in the store. +#elytron-tls.certificate-authority-account.key-store-object.credential-reference.type=The type of credential this reference is denoting. +#elytron-tls.certificate-authority-account.key-store-object.credential-reference.clear-text=Secret specified using clear text. Check credential store way of supplying credential/secrets to services. +#elytron-tls.certificate-authority-account.key-store-object.relative-to=The base path this store is relative to. +#elytron-tls.certificate-authority-account.key-store-object.path=The path to the KeyStore file. +#elytron-tls.certificate-authority-account.key-store-object.required=Is the file required to exist at the time the KeyStore service starts? +#elytron-tls.certificate-authority-account.key-store-object.providers=A reference to the providers that should be used to obtain the list of Provider instances to search, if not specified the global list of providers will be used instead. +#elytron-tls.certificate-authority-account.key-store-object.alias-filter=A filter to apply to the aliases returned from the KeyStore, can either be a comma separated list of aliases to return or one of the following formats ALL:-alias1:-alias2, NONE:+alias1:+alias2 + +################## +# SSL Contexts # +################## + +# TODO: enable creating objects for SSL contexts + +elytron-tls.client-ssl-context=An SSLContext for use on the client side of a connection. # operations -elytron-tls.tls.client-ssl-context.add=Add the SSLContext definition. -elytron-tls.tls.client-ssl-context.remove=Remove the SSLContext definition. -#Attributes -elytron-tls.tls.client-ssl-context.cipher-suite-filter=The filter to apply to specify the enabled cipher suites for TLSv1.2 and below. -elytron-tls.tls.client-ssl-context.cipher-suite-names=The filter to apply to specify the enabled cipher suites for TLSv1.3. -elytron-tls.tls.client-ssl-context.protocols=The enabled protocols. -elytron-tls.tls.client-ssl-context.use-cipher-suites-order=To honor local cipher suites preference. -elytron-tls.tls.client-ssl-context.maximum-session-cache-size=The maximum number of SSL sessions in the cache. The default value -1 means use the JVM default value. Value zero means there is no limit. -elytron-tls.tls.client-ssl-context.session-timeout=The timeout for SSL sessions, in seconds. The default value -1 means use the JVM default value. Value zero means there is no limit. -elytron-tls.tls.client-ssl-context.key-manager=Reference to the key manager to use within the SSLContext. -#elytron-tls.tls.client-ssl-context.key-manager-object=Key manager object to use within the SSLContext. -elytron-tls.tls.client-ssl-context.key-refresh=Refresh KeyManager used by SSLContext. -elytron-tls.tls.client-ssl-context.trust-manager=Reference to the trust manager to use within the SSLContext. -#elytron-tls.tls.client-ssl-context.trust-manager-object=Trust manager object to use within the SSLContext. -elytron-tls.tls.client-ssl-context.provider-name=The name of the provider to use. If not specified, all providers from providers will be passed to the SSLContext. -elytron-tls.tls.client-ssl-context.providers=The name of the providers to obtain the Provider[] to use to load the SSLContext. +elytron-tls.client-ssl-context.add=Add the SSLContext definition. +elytron-tls.client-ssl-context.remove=Remove the SSLContext definition. +# Attributes +elytron-tls.client-ssl-context.cipher-suite-filter=The filter to apply to specify the enabled cipher suites for TLSv1.2 and below. +elytron-tls.client-ssl-context.cipher-suite-names=The filter to apply to specify the enabled cipher suites for TLSv1.3. +elytron-tls.client-ssl-context.protocols=The enabled protocols. +elytron-tls.client-ssl-context.use-cipher-suites-order=To honor local cipher suites preference. +elytron-tls.client-ssl-context.maximum-session-cache-size=The maximum number of SSL sessions in the cache. The default value -1 means use the JVM default value. Value zero means there is no limit. +elytron-tls.client-ssl-context.session-timeout=The timeout for SSL sessions, in seconds. The default value -1 means use the JVM default value. Value zero means there is no limit. +elytron-tls.client-ssl-context.key-manager=Reference to the key manager to use within the SSLContext. +#elytron-tls.client-ssl-context.key-manager-object=Key manager object to use within the SSLContext. +elytron-tls.client-ssl-context.key-refresh=Refresh KeyManager used by SSLContext. +elytron-tls.client-ssl-context.trust-manager=Reference to the trust manager to use within the SSLContext. +#elytron-tls.client-ssl-context.trust-manager-object=Trust manager object to use within the SSLContext. +elytron-tls.client-ssl-context.provider-name=The name of the provider to use. If not specified, all providers from providers will be passed to the SSLContext. +elytron-tls.client-ssl-context.providers=The name of the providers to obtain the Provider[] to use to load the SSLContext. # Runtime Attributes -elytron-tls.tls.client-ssl-context.active-session-count=The count of current active sessions. - -elytron-tls.tls.client-ssl-context.ssl-session=A currently established SSL session. -elytron-tls.tls.client-ssl-context.ssl-session.application-buffer-size=The application buffer size as reported by the SSLSession. -elytron-tls.tls.client-ssl-context.ssl-session.cipher-suite=The selected cipher suite as reported by the SSLSession. -elytron-tls.tls.client-ssl-context.ssl-session.creation-time=The creation time as reported by the SSLSession. -elytron-tls.tls.client-ssl-context.ssl-session.last-accessed-time=The last accessed time as reported by the SSLSession. -elytron-tls.tls.client-ssl-context.ssl-session.local-principal=The local principal as reported by the SSLSession. -elytron-tls.tls.client-ssl-context.ssl-session.packet-buffer-size=The packet buffer size as reported by the SSLSession. -elytron-tls.tls.client-ssl-context.ssl-session.peer-host=The peer host as reported by the SSLSession. -elytron-tls.tls.client-ssl-context.ssl-session.peer-port=The peer port as reported by the SSLSession. -elytron-tls.tls.client-ssl-context.ssl-session.peer-principal=The peer principal as reported by the SSLSession. -elytron-tls.tls.client-ssl-context.ssl-session.protocol=The protocol as reported by the SSLSession. -elytron-tls.tls.client-ssl-context.ssl-session.valid=The validity of the session as reported by the SSLSession. - -elytron-tls.tls.client-ssl-context.ssl-session.local-certificates=The local certificates from the SSLSession. -elytron-tls.tls.client-ssl-context.ssl-session.local-certificates.type=The type of the certificate. -elytron-tls.tls.client-ssl-context.ssl-session.local-certificates.algorithm=The algorithm of the public key. -elytron-tls.tls.client-ssl-context.ssl-session.local-certificates.format=The format of the public key. -elytron-tls.tls.client-ssl-context.ssl-session.local-certificates.public-key=The encoded public key associated with the certificate. -elytron-tls.tls.client-ssl-context.ssl-session.local-certificates.sha-1-digest=The SHA-1 digest (finger print) of the certificate. -elytron-tls.tls.client-ssl-context.ssl-session.local-certificates.sha-256-digest=The SHA-256 digest (finger print) of the certificate. -elytron-tls.tls.client-ssl-context.ssl-session.local-certificates.encoded=The encoded value of the certificate. -elytron-tls.tls.client-ssl-context.ssl-session.local-certificates.subject=The subject from the certificate. -elytron-tls.tls.client-ssl-context.ssl-session.local-certificates.issuer=The issuer of the certificate. -elytron-tls.tls.client-ssl-context.ssl-session.local-certificates.not-before=The starting date and time the certificate is valid. -elytron-tls.tls.client-ssl-context.ssl-session.local-certificates.not-after=The expiration date and time of the certificate. -elytron-tls.tls.client-ssl-context.ssl-session.local-certificates.serial-number=The serial number of the certificate. -elytron-tls.tls.client-ssl-context.ssl-session.local-certificates.signature-algorithm=The algorithm used to generate the certificates signature. -elytron-tls.tls.client-ssl-context.ssl-session.local-certificates.signature=The signature of the certificate. -elytron-tls.tls.client-ssl-context.ssl-session.local-certificates.version=The certificate version. - -elytron-tls.tls.client-ssl-context.ssl-session.peer-certificates=The peer certificates from the SSLSession. -elytron-tls.tls.client-ssl-context.ssl-session.peer-certificates.type=The type of the certificate. -elytron-tls.tls.client-ssl-context.ssl-session.peer-certificates.algorithm=The algorithm of the public key. -elytron-tls.tls.client-ssl-context.ssl-session.peer-certificates.format=The format of the public key. -elytron-tls.tls.client-ssl-context.ssl-session.peer-certificates.public-key=The encoded public key associated with the certificate. -elytron-tls.tls.client-ssl-context.ssl-session.peer-certificates.sha-1-digest=The SHA-1 digest (finger print) of the certificate. -elytron-tls.tls.client-ssl-context.ssl-session.peer-certificates.sha-256-digest=The SHA-256 digest (finger print) of the certificate. -elytron-tls.tls.client-ssl-context.ssl-session.peer-certificates.encoded=The encoded value of the certificate. -elytron-tls.tls.client-ssl-context.ssl-session.peer-certificates.subject=The subject from the certificate. -elytron-tls.tls.client-ssl-context.ssl-session.peer-certificates.issuer=The issuer of the certificate. -elytron-tls.tls.client-ssl-context.ssl-session.peer-certificates.not-before=The starting date and time the certificate is valid. -elytron-tls.tls.client-ssl-context.ssl-session.peer-certificates.not-after=The expiration date and time of the certificate. -elytron-tls.tls.client-ssl-context.ssl-session.peer-certificates.serial-number=The serial number of the certificate. -elytron-tls.tls.client-ssl-context.ssl-session.peer-certificates.signature-algorithm=The algorithm used to generate the certificates signature. -elytron-tls.tls.client-ssl-context.ssl-session.peer-certificates.signature=The signature of the certificate. -elytron-tls.tls.client-ssl-context.ssl-session.peer-certificates.version=The certificate version. - - -elytron-tls.tls.server-ssl-context=An SSLContext for use on the server side of a connection. +elytron-tls.client-ssl-context.active-session-count=The count of current active sessions. + +elytron-tls.client-ssl-context.ssl-session=A currently established SSL session. +elytron-tls.client-ssl-context.ssl-session.application-buffer-size=The application buffer size as reported by the SSLSession. +elytron-tls.client-ssl-context.ssl-session.cipher-suite=The selected cipher suite as reported by the SSLSession. +elytron-tls.client-ssl-context.ssl-session.creation-time=The creation time as reported by the SSLSession. +elytron-tls.client-ssl-context.ssl-session.last-accessed-time=The last accessed time as reported by the SSLSession. +elytron-tls.client-ssl-context.ssl-session.local-principal=The local principal as reported by the SSLSession. +elytron-tls.client-ssl-context.ssl-session.packet-buffer-size=The packet buffer size as reported by the SSLSession. +elytron-tls.client-ssl-context.ssl-session.peer-host=The peer host as reported by the SSLSession. +elytron-tls.client-ssl-context.ssl-session.peer-port=The peer port as reported by the SSLSession. +elytron-tls.client-ssl-context.ssl-session.peer-principal=The peer principal as reported by the SSLSession. +elytron-tls.client-ssl-context.ssl-session.protocol=The protocol as reported by the SSLSession. +elytron-tls.client-ssl-context.ssl-session.valid=The validity of the session as reported by the SSLSession. + +elytron-tls.client-ssl-context.ssl-session.local-certificates=The local certificates from the SSLSession. +elytron-tls.client-ssl-context.ssl-session.local-certificates.type=The type of the certificate. +elytron-tls.client-ssl-context.ssl-session.local-certificates.algorithm=The algorithm of the public key. +elytron-tls.client-ssl-context.ssl-session.local-certificates.format=The format of the public key. +elytron-tls.client-ssl-context.ssl-session.local-certificates.public-key=The encoded public key associated with the certificate. +elytron-tls.client-ssl-context.ssl-session.local-certificates.sha-1-digest=The SHA-1 digest (finger print) of the certificate. +elytron-tls.client-ssl-context.ssl-session.local-certificates.sha-256-digest=The SHA-256 digest (finger print) of the certificate. +elytron-tls.client-ssl-context.ssl-session.local-certificates.encoded=The encoded value of the certificate. +elytron-tls.client-ssl-context.ssl-session.local-certificates.subject=The subject from the certificate. +elytron-tls.client-ssl-context.ssl-session.local-certificates.issuer=The issuer of the certificate. +elytron-tls.client-ssl-context.ssl-session.local-certificates.not-before=The starting date and time the certificate is valid. +elytron-tls.client-ssl-context.ssl-session.local-certificates.not-after=The expiration date and time of the certificate. +elytron-tls.client-ssl-context.ssl-session.local-certificates.serial-number=The serial number of the certificate. +elytron-tls.client-ssl-context.ssl-session.local-certificates.signature-algorithm=The algorithm used to generate the certificates signature. +elytron-tls.client-ssl-context.ssl-session.local-certificates.signature=The signature of the certificate. +elytron-tls.client-ssl-context.ssl-session.local-certificates.version=The certificate version. + +elytron-tls.client-ssl-context.ssl-session.peer-certificates=The peer certificates from the SSLSession. +elytron-tls.client-ssl-context.ssl-session.peer-certificates.type=The type of the certificate. +elytron-tls.client-ssl-context.ssl-session.peer-certificates.algorithm=The algorithm of the public key. +elytron-tls.client-ssl-context.ssl-session.peer-certificates.format=The format of the public key. +elytron-tls.client-ssl-context.ssl-session.peer-certificates.public-key=The encoded public key associated with the certificate. +elytron-tls.client-ssl-context.ssl-session.peer-certificates.sha-1-digest=The SHA-1 digest (finger print) of the certificate. +elytron-tls.client-ssl-context.ssl-session.peer-certificates.sha-256-digest=The SHA-256 digest (finger print) of the certificate. +elytron-tls.client-ssl-context.ssl-session.peer-certificates.encoded=The encoded value of the certificate. +elytron-tls.client-ssl-context.ssl-session.peer-certificates.subject=The subject from the certificate. +elytron-tls.client-ssl-context.ssl-session.peer-certificates.issuer=The issuer of the certificate. +elytron-tls.client-ssl-context.ssl-session.peer-certificates.not-before=The starting date and time the certificate is valid. +elytron-tls.client-ssl-context.ssl-session.peer-certificates.not-after=The expiration date and time of the certificate. +elytron-tls.client-ssl-context.ssl-session.peer-certificates.serial-number=The serial number of the certificate. +elytron-tls.client-ssl-context.ssl-session.peer-certificates.signature-algorithm=The algorithm used to generate the certificates signature. +elytron-tls.client-ssl-context.ssl-session.peer-certificates.signature=The signature of the certificate. +elytron-tls.client-ssl-context.ssl-session.peer-certificates.version=The certificate version. + + +elytron-tls.server-ssl-context=An SSLContext for use on the server side of a connection. # operations -elytron-tls.tls.server-ssl-context.add=Add the SSLContext definition. -elytron-tls.tls.server-ssl-context.remove=Remove the SSLContext definition. -#Attributes -elytron-tls.tls.server-ssl-context.security-domain=The security domain to use for authentication during SSL session establishment. -elytron-tls.tls.server-ssl-context.cipher-suite-filter=The filter to apply to specify the enabled cipher suites for TLSv1.2 and below. -elytron-tls.tls.server-ssl-context.cipher-suite-names=The filter to apply to specify the enabled cipher suites for TLSv1.3. -elytron-tls.tls.server-ssl-context.protocols=The enabled protocols. -elytron-tls.tls.server-ssl-context.want-client-auth=To request (but not to require) a client certificate on SSL handshake. If a security domain is referenced and supports X509 evidence, this will be set to true automatically. Ignored when need-client-auth is set. -elytron-tls.tls.server-ssl-context.need-client-auth=To require a client certificate on SSL handshake. Connection without trusted client certificate (see trust-manager) will be rejected. -elytron-tls.tls.server-ssl-context.authentication-optional=Rejecting of the client certificate by the security domain will not prevent the connection. Allows a fall through to use other authentication mechanisms (like form login) when the client certificate is rejected by security domain. Has an effect only when the security domain is set. -elytron-tls.tls.server-ssl-context.use-cipher-suites-order=To honor local cipher suites preference. -elytron-tls.tls.server-ssl-context.maximum-session-cache-size=The maximum number of SSL sessions in the cache. The default value -1 means use the JVM default value. Value zero means there is no limit. -elytron-tls.tls.server-ssl-context.session-timeout=The timeout for SSL sessions, in seconds. The default value -1 means use the JVM default value. Value zero means there is no limit. -elytron-tls.tls.server-ssl-context.wrap=Should the SSLEngine, SSLSocket, and SSLServerSocket instances returned be wrapped to protect against further modification. -elytron-tls.tls.server-ssl-context.key-manager=Reference to the key manager to use within the SSLContext. -#elytron-tls.tls.server-ssl-context.key-manager-object=Key manager object to use within the SSLContext. -elytron-tls.tls.server-ssl-context.key-refresh=Refresh KeyManager used by SSLContext. -elytron-tls.tls.server-ssl-context.trust-manager=Reference to the trust manager to use within the SSLContext. -#elytron-tls.tls.server-ssl-context.trust-manager-object=Trust manager object to use within the SSLContext. -elytron-tls.tls.server-ssl-context.pre-realm-principal-transformer=A principal transformer to apply before the realm is selected. -elytron-tls.tls.server-ssl-context.post-realm-principal-transformer=A principal transformer to apply after the realm is selected. -elytron-tls.tls.server-ssl-context.final-principal-transformer=A final principal transformer to apply for this mechanism realm. -elytron-tls.tls.server-ssl-context.realm-mapper=The realm mapper to be used for SSL authentication. -elytron-tls.tls.server-ssl-context.provider-name=The name of the provider to use. If not specified, all providers from providers will be passed to the SSLContext. -elytron-tls.tls.server-ssl-context.providers=The name of the providers to obtain the Provider[] to use to load the SSLContext. +elytron-tls.server-ssl-context.add=Add the SSLContext definition. +elytron-tls.server-ssl-context.remove=Remove the SSLContext definition. +# Attributes +elytron-tls.server-ssl-context.security-domain=The security domain to use for authentication during SSL session establishment. +elytron-tls.server-ssl-context.cipher-suite-filter=The filter to apply to specify the enabled cipher suites for TLSv1.2 and below. +elytron-tls.server-ssl-context.cipher-suite-names=The filter to apply to specify the enabled cipher suites for TLSv1.3. +elytron-tls.server-ssl-context.protocols=The enabled protocols. +elytron-tls.server-ssl-context.want-client-auth=To request (but not to require) a client certificate on SSL handshake. If a security domain is referenced and supports X509 evidence, this will be set to true automatically. Ignored when need-client-auth is set. +elytron-tls.server-ssl-context.need-client-auth=To require a client certificate on SSL handshake. Connection without trusted client certificate (see trust-manager) will be rejected. +elytron-tls.server-ssl-context.authentication-optional=Rejecting of the client certificate by the security domain will not prevent the connection. Allows a fall through to use other authentication mechanisms (like form login) when the client certificate is rejected by security domain. Has an effect only when the security domain is set. +elytron-tls.server-ssl-context.use-cipher-suites-order=To honor local cipher suites preference. +elytron-tls.server-ssl-context.maximum-session-cache-size=The maximum number of SSL sessions in the cache. The default value -1 means use the JVM default value. Value zero means there is no limit. +elytron-tls.server-ssl-context.session-timeout=The timeout for SSL sessions, in seconds. The default value -1 means use the JVM default value. Value zero means there is no limit. +elytron-tls.server-ssl-context.wrap=Should the SSLEngine, SSLSocket, and SSLServerSocket instances returned be wrapped to protect against further modification. +elytron-tls.server-ssl-context.key-manager=Reference to the key manager to use within the SSLContext. +#elytron-tls.server-ssl-context.key-manager-object=Key manager object to use within the SSLContext. +elytron-tls.server-ssl-context.key-refresh=Refresh KeyManager used by SSLContext. +elytron-tls.server-ssl-context.trust-manager=Reference to the trust manager to use within the SSLContext. +#elytron-tls.server-ssl-context.trust-manager-object=Trust manager object to use within the SSLContext. +elytron-tls.server-ssl-context.pre-realm-principal-transformer=A principal transformer to apply before the realm is selected. +elytron-tls.server-ssl-context.post-realm-principal-transformer=A principal transformer to apply after the realm is selected. +elytron-tls.server-ssl-context.final-principal-transformer=A final principal transformer to apply for this mechanism realm. +elytron-tls.server-ssl-context.realm-mapper=The realm mapper to be used for SSL authentication. +elytron-tls.server-ssl-context.provider-name=The name of the provider to use. If not specified, all providers from providers will be passed to the SSLContext. +elytron-tls.server-ssl-context.providers=The name of the providers to obtain the Provider[] to use to load the SSLContext. # Runtime Attributes -elytron-tls.tls.server-ssl-context.active-session-count=The count of current active sessions. - -elytron-tls.tls.server-ssl-context.ssl-session=A currently established SSL session. -elytron-tls.tls.server-ssl-context.ssl-session.application-buffer-size=The application buffer size as reported by the SSLSession. -elytron-tls.tls.server-ssl-context.ssl-session.cipher-suite=The selected cipher suite as reported by the SSLSession. -elytron-tls.tls.server-ssl-context.ssl-session.creation-time=The creation time as reported by the SSLSession. -elytron-tls.tls.server-ssl-context.ssl-session.last-accessed-time=The last accessed time as reported by the SSLSession. -elytron-tls.tls.server-ssl-context.ssl-session.local-principal=The local principal as reported by the SSLSession. -elytron-tls.tls.server-ssl-context.ssl-session.packet-buffer-size=The packet buffer size as reported by the SSLSession. -elytron-tls.tls.server-ssl-context.ssl-session.peer-host=The peer host as reported by the SSLSession. -elytron-tls.tls.server-ssl-context.ssl-session.peer-port=The peer port as reported by the SSLSession. -elytron-tls.tls.server-ssl-context.ssl-session.peer-principal=The peer principal as reported by the SSLSession. -elytron-tls.tls.server-ssl-context.ssl-session.protocol=The protocol as reported by the SSLSession. -elytron-tls.tls.server-ssl-context.ssl-session.valid=The validity of the session as reported by the SSLSession. - -elytron-tls.tls.server-ssl-context.ssl-session.local-certificates=The local certificates from the SSLSession. -elytron-tls.tls.server-ssl-context.ssl-session.local-certificates.type=The type of the certificate. -elytron-tls.tls.server-ssl-context.ssl-session.local-certificates.algorithm=The algorithm of the public key. -elytron-tls.tls.server-ssl-context.ssl-session.local-certificates.format=The format of the public key. -elytron-tls.tls.server-ssl-context.ssl-session.local-certificates.public-key=The encoded public key associated with the certificate. -elytron-tls.tls.server-ssl-context.ssl-session.local-certificates.sha-1-digest=The SHA-1 digest (finger print) of the certificate. -elytron-tls.tls.server-ssl-context.ssl-session.local-certificates.sha-256-digest=The SHA-256 digest (finger print) of the certificate. -elytron-tls.tls.server-ssl-context.ssl-session.local-certificates.encoded=The encoded value of the certificate. -elytron-tls.tls.server-ssl-context.ssl-session.local-certificates.subject=The subject from the certificate. -elytron-tls.tls.server-ssl-context.ssl-session.local-certificates.issuer=The issuer of the certificate. -elytron-tls.tls.server-ssl-context.ssl-session.local-certificates.not-before=The starting date and time the certificate is valid. -elytron-tls.tls.server-ssl-context.ssl-session.local-certificates.not-after=The expiration date and time of the certificate. -elytron-tls.tls.server-ssl-context.ssl-session.local-certificates.serial-number=The serial number of the certificate. -elytron-tls.tls.server-ssl-context.ssl-session.local-certificates.signature-algorithm=The algorithm used to generate the certificates signature. -elytron-tls.tls.server-ssl-context.ssl-session.local-certificates.signature=The signature of the certificate. -elytron-tls.tls.server-ssl-context.ssl-session.local-certificates.version=The certificate version. - -elytron-tls.tls.server-ssl-context.ssl-session.peer-certificates=The peer certificates from the SSLSession. -elytron-tls.tls.server-ssl-context.ssl-session.peer-certificates.type=The type of the certificate. -elytron-tls.tls.server-ssl-context.ssl-session.peer-certificates.algorithm=The algorithm of the public key. -elytron-tls.tls.server-ssl-context.ssl-session.peer-certificates.format=The format of the public key. -elytron-tls.tls.server-ssl-context.ssl-session.peer-certificates.public-key=The encoded public key associated with the certificate. -elytron-tls.tls.server-ssl-context.ssl-session.peer-certificates.sha-1-digest=The SHA-1 digest (finger print) of the certificate. -elytron-tls.tls.server-ssl-context.ssl-session.peer-certificates.sha-256-digest=The SHA-256 digest (finger print) of the certificate. -elytron-tls.tls.server-ssl-context.ssl-session.peer-certificates.encoded=The encoded value of the certificate. -elytron-tls.tls.server-ssl-context.ssl-session.peer-certificates.subject=The subject from the certificate. -elytron-tls.tls.server-ssl-context.ssl-session.peer-certificates.issuer=The issuer of the certificate. -elytron-tls.tls.server-ssl-context.ssl-session.peer-certificates.not-before=The starting date and time the certificate is valid. -elytron-tls.tls.server-ssl-context.ssl-session.peer-certificates.not-after=The expiration date and time of the certificate. -elytron-tls.tls.server-ssl-context.ssl-session.peer-certificates.serial-number=The serial number of the certificate. -elytron-tls.tls.server-ssl-context.ssl-session.peer-certificates.signature-algorithm=The algorithm used to generate the certificates signature. -elytron-tls.tls.server-ssl-context.ssl-session.peer-certificates.signature=The signature of the certificate. -elytron-tls.tls.server-ssl-context.ssl-session.peer-certificates.version=The certificate version. +elytron-tls.server-ssl-context.active-session-count=The count of current active sessions. + +elytron-tls.server-ssl-context.ssl-session=A currently established SSL session. +elytron-tls.server-ssl-context.ssl-session.application-buffer-size=The application buffer size as reported by the SSLSession. +elytron-tls.server-ssl-context.ssl-session.cipher-suite=The selected cipher suite as reported by the SSLSession. +elytron-tls.server-ssl-context.ssl-session.creation-time=The creation time as reported by the SSLSession. +elytron-tls.server-ssl-context.ssl-session.last-accessed-time=The last accessed time as reported by the SSLSession. +elytron-tls.server-ssl-context.ssl-session.local-principal=The local principal as reported by the SSLSession. +elytron-tls.server-ssl-context.ssl-session.packet-buffer-size=The packet buffer size as reported by the SSLSession. +elytron-tls.server-ssl-context.ssl-session.peer-host=The peer host as reported by the SSLSession. +elytron-tls.server-ssl-context.ssl-session.peer-port=The peer port as reported by the SSLSession. +elytron-tls.server-ssl-context.ssl-session.peer-principal=The peer principal as reported by the SSLSession. +elytron-tls.server-ssl-context.ssl-session.protocol=The protocol as reported by the SSLSession. +elytron-tls.server-ssl-context.ssl-session.valid=The validity of the session as reported by the SSLSession. + +elytron-tls.server-ssl-context.ssl-session.local-certificates=The local certificates from the SSLSession. +elytron-tls.server-ssl-context.ssl-session.local-certificates.type=The type of the certificate. +elytron-tls.server-ssl-context.ssl-session.local-certificates.algorithm=The algorithm of the public key. +elytron-tls.server-ssl-context.ssl-session.local-certificates.format=The format of the public key. +elytron-tls.server-ssl-context.ssl-session.local-certificates.public-key=The encoded public key associated with the certificate. +elytron-tls.server-ssl-context.ssl-session.local-certificates.sha-1-digest=The SHA-1 digest (finger print) of the certificate. +elytron-tls.server-ssl-context.ssl-session.local-certificates.sha-256-digest=The SHA-256 digest (finger print) of the certificate. +elytron-tls.server-ssl-context.ssl-session.local-certificates.encoded=The encoded value of the certificate. +elytron-tls.server-ssl-context.ssl-session.local-certificates.subject=The subject from the certificate. +elytron-tls.server-ssl-context.ssl-session.local-certificates.issuer=The issuer of the certificate. +elytron-tls.server-ssl-context.ssl-session.local-certificates.not-before=The starting date and time the certificate is valid. +elytron-tls.server-ssl-context.ssl-session.local-certificates.not-after=The expiration date and time of the certificate. +elytron-tls.server-ssl-context.ssl-session.local-certificates.serial-number=The serial number of the certificate. +elytron-tls.server-ssl-context.ssl-session.local-certificates.signature-algorithm=The algorithm used to generate the certificates signature. +elytron-tls.server-ssl-context.ssl-session.local-certificates.signature=The signature of the certificate. +elytron-tls.server-ssl-context.ssl-session.local-certificates.version=The certificate version. + +elytron-tls.server-ssl-context.ssl-session.peer-certificates=The peer certificates from the SSLSession. +elytron-tls.server-ssl-context.ssl-session.peer-certificates.type=The type of the certificate. +elytron-tls.server-ssl-context.ssl-session.peer-certificates.algorithm=The algorithm of the public key. +elytron-tls.server-ssl-context.ssl-session.peer-certificates.format=The format of the public key. +elytron-tls.server-ssl-context.ssl-session.peer-certificates.public-key=The encoded public key associated with the certificate. +elytron-tls.server-ssl-context.ssl-session.peer-certificates.sha-1-digest=The SHA-1 digest (finger print) of the certificate. +elytron-tls.server-ssl-context.ssl-session.peer-certificates.sha-256-digest=The SHA-256 digest (finger print) of the certificate. +elytron-tls.server-ssl-context.ssl-session.peer-certificates.encoded=The encoded value of the certificate. +elytron-tls.server-ssl-context.ssl-session.peer-certificates.subject=The subject from the certificate. +elytron-tls.server-ssl-context.ssl-session.peer-certificates.issuer=The issuer of the certificate. +elytron-tls.server-ssl-context.ssl-session.peer-certificates.not-before=The starting date and time the certificate is valid. +elytron-tls.server-ssl-context.ssl-session.peer-certificates.not-after=The expiration date and time of the certificate. +elytron-tls.server-ssl-context.ssl-session.peer-certificates.serial-number=The serial number of the certificate. +elytron-tls.server-ssl-context.ssl-session.peer-certificates.signature-algorithm=The algorithm used to generate the certificates signature. +elytron-tls.server-ssl-context.ssl-session.peer-certificates.signature=The signature of the certificate. +elytron-tls.server-ssl-context.ssl-session.peer-certificates.version=The certificate version. # Operations -elytron-tls.tls.server-ssl-context.ssl-session.invalidate=Invalidate the SSLSession (Note: This does not terminate current connections, only prevents future connections from joining or resuming this session). +elytron-tls.server-ssl-context.ssl-session.invalidate=Invalidate the SSLSession (Note: This does not terminate current connections, only prevents future connections from joining or resuming this session). diff --git a/subsystem/src/main/resources/schema/elytron-tls-subsystem_1_0.xsd b/subsystem/src/main/resources/schema/elytron-tls-subsystem_1_0.xsd index 57674bf..248e543 100644 --- a/subsystem/src/main/resources/schema/elytron-tls-subsystem_1_0.xsd +++ b/subsystem/src/main/resources/schema/elytron-tls-subsystem_1_0.xsd @@ -211,6 +211,7 @@ + @@ -222,6 +223,8 @@ + + @@ -470,6 +473,130 @@ + + + + + + Container for certificate authority account definitions. + + + + + + + + + + + Definition of a single certificate authority account. + + + + + + + + + The unique name of this certificate authority account. + + + + + + + The reference to certificate authority to use. + + + + + + + A list of URLs that the certificate authority can contact about any issues related to this account. + + + + + + + + + Container for certificate authority definitions. + + + + + + + + + + + Definition of a single certificate authority. + + + + + + The unique name of this certificate authority. + + + + + + + URL of the certificate authority. + + + + + + + URL of the certificate authority to use in pre-production. + + + + + + + + + Definition of a certificate authority account key. + + + + + + + Credential to be used when accessing the certificate authority account key. + + + + + + + + Reference to the KeyStore that contains the certificate authority account key. + + + + + + + KeyStore object to use with the KeyManager. + + + + + + + The alias of the certificate authority account key in the KeyStore. + + + + - - - - - - - - - - - - - - + + + + + + + + + + + + + + + diff --git a/subsystem/src/test/resources/org/wildfly/extension/elytron/tls/subsystem/elytron-tls-subsystem-test.xml b/subsystem/src/test/resources/org/wildfly/extension/elytron/tls/subsystem/elytron-tls-subsystem-test.xml index a63d9a7..9b93892 100644 --- a/subsystem/src/test/resources/org/wildfly/extension/elytron/tls/subsystem/elytron-tls-subsystem-test.xml +++ b/subsystem/src/test/resources/org/wildfly/extension/elytron/tls/subsystem/elytron-tls-subsystem-test.xml @@ -67,6 +67,21 @@ + + + + + + + + + + + + + + + diff --git a/subsystem/src/test/resources/org/wildfly/extension/elytron/tls/subsystem/expression-encryption.xml b/subsystem/src/test/resources/org/wildfly/extension/elytron/tls/subsystem/expression-encryption.xml new file mode 100644 index 0000000..dea21b6 --- /dev/null +++ b/subsystem/src/test/resources/org/wildfly/extension/elytron/tls/subsystem/expression-encryption.xml @@ -0,0 +1,32 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/subsystem/src/test/resources/org/wildfly/extension/elytron/tls/subsystem/tls.xml b/subsystem/src/test/resources/org/wildfly/extension/elytron/tls/subsystem/tls.xml index eaaae86..304c3fe 100644 --- a/subsystem/src/test/resources/org/wildfly/extension/elytron/tls/subsystem/tls.xml +++ b/subsystem/src/test/resources/org/wildfly/extension/elytron/tls/subsystem/tls.xml @@ -6,12 +6,6 @@ - - - - @@ -22,6 +16,12 @@ + + + +