W-16889209: Changes to be FIPS compatible

.gitignore

@@ -29,3 +29,7 @@ testdir/
 hostkey.ser
 *.h2.db
 *.factorypath
+apache-activemq-5.15.9-bin.tar.gz
+FipsUtils.java
+FipsTestCase.xml
+tls-fips140-2.conf

pom.xml

@@ -57,6 +57,11 @@
         <license.maven.plugin.version>4.2</license.maven.plugin.version>
         <licensePath>LICENSE_HEADER_CPAL.txt</licensePath>
         <licenseYear>2023</licenseYear>
+
+        <cert1.type>PKCS12</cert1.type>
+        <cert1.ext>p12</cert1.ext>
+        <cert2.type>JKS</cert2.type>
+        <cert2.ext>jks</cert2.ext>
     </properties>
 
     <dependencies>
@@ -421,7 +426,9 @@
         <profile>
             <id>docker</id>
             <activation>
-                <activeByDefault>true</activeByDefault>
+                <property>
+                    <name>os.name</name>
+                </property>
             </activation>
             <build>
                 <plugins>
@@ -524,6 +531,25 @@
                 </plugins>
             </build>
         </profile>
+
+        <profile>
+            <id>fips140-2</id>
+            <activation>
+                <property>
+                    <name>mule.security.model</name>
+                    <value>fips140-2</value>
+                </property>
+            </activation>
+            <properties>
+                <cert1.type>BCFKS</cert1.type>
+                <cert1.ext>bcfks</cert1.ext>
+                <cert2.type>BCFKS</cert2.type>
+                <cert2.ext>bcfks</cert2.ext>
+            </properties>
+        </profile>
+
+
+
     </profiles>
 
 

src/test/docker/tls/activemq.xml

@@ -123,7 +123,8 @@
             <bean xmlns="http://www.springframework.org/schema/beans" class="org.apache.activemq.hooks.SpringContextHook" />
         </shutdownHooks>
         <sslContext>
-            <sslContext keyStore="file:${activemq.base}/certs/ActiveMq/broker.ks" keyStorePassword="racing" trustStore="file:${activemq.base}/certs/ActiveMq/broker.ts" trustStorePassword="racing"/>
+            <sslContext keyStore="file:${activemq.base}/certs/ActiveMq/broker.ks" keyStorePassword="racing"
+                        trustStore="file:${activemq.base}/certs/ActiveMq/broker.ts" trustStorePassword="racing"/>
         </sslContext>
     </broker>
 

src/test/java/org/mule/extensions/jms/test/ActiveMQSSLServer.java

@@ -16,6 +16,8 @@
  */
 public class ActiveMQSSLServer {
 
+  public static final String FIPS140_2 = "fips140-2";
+  public static final String MULE_SECURITY_MODEL_PROPERTY = "mule.security.model";
   private static final String ACTIVEMQ_PORT = "activemq.port";
   private static BrokerService brokerService;
   private static boolean started = false;
@@ -24,7 +26,11 @@ public static void start(String port) throws Exception {
     if (!started) {
       System.setProperty(ACTIVEMQ_PORT, port);
       try {
-        brokerService = BrokerFactory.createBroker(new URI("xbean:activemq.xml"));
+        if (FIPS140_2.equals(System.getProperty(MULE_SECURITY_MODEL_PROPERTY))) {
+          brokerService = BrokerFactory.createBroker(new URI("xbean:activemq-fips.xml"));
+        } else {
+          brokerService = BrokerFactory.createBroker(new URI("xbean:activemq.xml"));
+        }
         brokerService.start();
       } finally {
         System.clearProperty(ACTIVEMQ_PORT);

src/test/java/org/mule/extensions/jms/test/ssl/ActiveMQSSLServer.java

@@ -16,6 +16,9 @@
  */
 public class ActiveMQSSLServer {
 
+  public static final String FIPS140_2 = "fips140-2";
+  public static final String MULE_SECURITY_MODEL_PROPERTY = "mule.security.model";
+
   private static final String ACTIVEMQ_PORT = "activemq.port";
   private static BrokerService brokerService;
   private static boolean started = false;
@@ -24,7 +27,12 @@ public static void start(String port) throws Exception {
     if (!started) {
       System.setProperty(ACTIVEMQ_PORT, port);
       try {
-        brokerService = BrokerFactory.createBroker(new URI("xbean:activemq.xml"));
+        if (FIPS140_2.equals(System.getProperty(MULE_SECURITY_MODEL_PROPERTY))) {
+          brokerService = BrokerFactory.createBroker(new URI("xbean:activemq-fips.xml"));
+        } else {
+          brokerService = BrokerFactory.createBroker(new URI("xbean:activemq.xml"));
+        }
+
         brokerService.start();
       } finally {
         System.clearProperty(ACTIVEMQ_PORT);

src/test/java/org/mule/extensions/jms/test/ssl/GenericConnectionProviderSecureTestCase.java

@@ -33,6 +33,9 @@
 @PrepareForTest({SSLContext.class, FileInputStream.class, GenericConnectionProvider.class, TrustManagerFactory.class})
 public class GenericConnectionProviderSecureTestCase {
 
+  public static final String FIPS140_2 = "fips140-2";
+  public static final String MULE_SECURITY_MODEL_PROPERTY = "mule.security.model";
+
   @Before
   public void setUp() {
     PowerMockito.mockStatic(SSLContext.class);
@@ -42,7 +45,12 @@ public void setUp() {
   @Test
   public void testGetConnectionFactory_withProperties() throws Exception {
     System.setProperty("mule.jms.generic.additionalCertificatePassword", "changeit");
-    System.setProperty("mule.jms.generic.additionalCertificateFileName", "tls/genericConnectionTests.jks");
+    String ksExt = "jks";
+    if (FIPS140_2.equals(System.getProperty(MULE_SECURITY_MODEL_PROPERTY))) {
+      ksExt = "bcfks";
+    }
+
+    System.setProperty("mule.jms.generic.additionalCertificateFileName", "tls/genericConnectionTests." + ksExt);
 
     SSLContext mockSSLContext = PowerMockito.mock(SSLContext.class);
     SSLParameters mockSSLParameters = PowerMockito.mock(SSLParameters.class);
@@ -61,7 +69,7 @@ public void testGetConnectionFactory_withProperties() throws Exception {
     GenericConnectionProvider connectionProvider = PowerMockito.spy(new GenericConnectionProvider());
     PowerMockito.doReturn(mockKeyStore).when(connectionProvider, "getKeyStoreWithCustomCerts", any(Optional.class), anyString());
 
-    PowerMockito.when(connectionProvider, "getTruststoreFile", "tls/genericConnectionTests.jks")
+    PowerMockito.when(connectionProvider, "getTruststoreFile", "tls/genericConnectionTests." + ksExt)
         .thenReturn(Optional.of(mockTruststoreFile));
 
     FileInputStream mockFileInputStream = PowerMockito.mock(FileInputStream.class);

src/test/munit/activemq-over-ssl-test-case.xml

@@ -3,12 +3,14 @@
       xmlns:jms="http://www.mulesoft.org/schema/mule/jms"
       xmlns:java="http://www.mulesoft.org/schema/mule/java"
       xmlns:munit-tools="http://www.mulesoft.org/schema/mule/munit-tools"
+      xmlns:mtf="http://www.mulesoft.org/schema/mule/mtf"
       xmlns="http://www.mulesoft.org/schema/mule/core"
       xmlns:tls="http://www.mulesoft.org/schema/mule/tls"
       xmlns:munit="http://www.mulesoft.org/schema/mule/munit"
       xsi:schemaLocation="http://www.mulesoft.org/schema/mule/core http://www.mulesoft.org/schema/mule/core/current/mule.xsd
                           http://www.mulesoft.org/schema/mule/jms http://www.mulesoft.org/schema/mule/jms/current/mule-jms.xsd
                           http://www.mulesoft.org/schema/mule/tls http://www.mulesoft.org/schema/mule/tls/current/mule-tls.xsd
+                          http://www.mulesoft.org/schema/mule/mtf  http://www.mulesoft.org/schema/mule/mtf/current/mule-mtf.xsd
                           http://www.mulesoft.org/schema/mule/munit-tools  http://www.mulesoft.org/schema/mule/munit-tools/current/mule-munit-tools.xsd
                           http://www.mulesoft.org/schema/mule/java http://www.mulesoft.org/schema/mule/java/current/mule-java.xsd
                           http://www.mulesoft.org/schema/mule/munit http://www.mulesoft.org/schema/mule/munit/current/mule-munit.xsd">
@@ -38,11 +40,16 @@
 
     <munit:dynamic-port propertyName="activemq.port"/>
 
+    <munit:before-test name="before-activemq-over-ssl-test-case" description="after test">
+        <set-variable variableName="storetype" value="${cert2.type}"/>
+        <set-variable variableName="storePath" value="tls/client.ks.${cert2.ext}"/>
+    </munit:before-test>
+
     <jms:config name="config-with-ssl">
         <jms:active-mq-connection>
             <tls:context >
                 <tls:trust-store insecure="true" />
-                <tls:key-store type="jks" path="tls/client.ks" keyPassword="password" password="password" algorithm="PKIX"/>
+                <tls:key-store type="#[vars.storetype]" path="#[vars.storePath]" keyPassword="password" password="password" algorithm="PKIX"/>
             </tls:context>
             <jms:factory-configuration brokerUrl="${brokerUrl}" />
         </jms:active-mq-connection>
@@ -79,4 +86,20 @@
         </munit:validation>
     </munit:test>
 
+    <munit:test name="test-connectivity">
+        <munit:execution>
+            <mtf:test-connectivity config-ref="config-with-ssl" />
+        </munit:execution>
+    </munit:test>
+
+    <munit:test name="wrong-keystore-type-FIPS"
+                ignore="#[p('mule.security.model')==null or p('mule.security.model')!='fips140-2']"
+                expectedException="java.security.KeyStoreException">
+        <munit:execution>
+            <set-variable variableName="storetype" value="jks"/>
+            <set-variable variableName="storePath" value="tls/client.ks"/>
+            <mtf:test-connectivity config-ref="config-with-ssl" />
+        </munit:execution>
+    </munit:test>
+
 </mule>

src/test/munit/reconnection/activemq-ssl-listener-reconnection-test-case.xml

@@ -22,7 +22,7 @@
                 <reconnect-forever />
             </reconnection>
             <tls:context >
-                <tls:trust-store path="tls/client-truststore.ks" password="racing" type="jks" />
+                <tls:trust-store path="tls/client-truststore.${cert2.ext}" password="racing" type="${cert2.type}" />
             </tls:context>
             <jms:factory-configuration brokerUrl="ssl://localhost:${activemq.ssl.listener.port}" />
         </jms:active-mq-connection>

src/test/munit/xa/activemq-ssl-xa-test-case.xml

@@ -21,7 +21,7 @@
 <jms:config name="JMS_SSL_XA_Config">
     <jms:active-mq-connection username="admin" password="admin" clientId="client1" >
         <tls:context >
-            <tls:trust-store path="tls/client-truststore-new.p12" password="racing" type="pkcs12" />
+            <tls:trust-store path="tls/client-truststore-new.${cert1.ext}" password="racing" type="${cert1.type}" />
         </tls:context>
         <jms:caching-strategy >
             <jms:no-caching />

src/test/resources/activemq-fips.xml

@@ -0,0 +1,118 @@
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements.  See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+<!-- START SNIPPET: example -->
+<beans
+  xmlns="http://www.springframework.org/schema/beans"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+  http://activemq.apache.org/schema/core http://activemq.apache.org/schema/core/activemq-core.xsd">
+
+
+    <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
+    </bean>
+    <!--
+        The <broker> element is used to configure the ActiveMQ broker.
+    -->
+    <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost" dataDirectory="activemq-data">
+
+        <destinationPolicy>
+            <policyMap>
+              <policyEntries>
+                <policyEntry topic=">" >
+                    <!-- The constantPendingMessageLimitStrategy is used to prevent
+                         slow topic consumers to block producers and affect other consumers
+                         by limiting the number of messages that are retained
+                         For more information, see:
+
+                         http://activemq.apache.org/slow-consumer-handling.html
+
+                    -->
+                  <pendingMessageLimitStrategy>
+                    <constantPendingMessageLimitStrategy limit="1000"/>
+                  </pendingMessageLimitStrategy>
+                </policyEntry>
+              </policyEntries>
+            </policyMap>
+        </destinationPolicy>
+
+    <sslContext>
+      <sslContext
+            keyStore="tls/broker.ks.bcfks" keyStorePassword="password" trustStore="tls/client.ks.bcfks" trustStorePassword="password"/>
+    </sslContext>
+
+
+        <!--
+            The managementContext is used to configure how ActiveMQ is exposed in
+            JMX. By default, ActiveMQ uses the MBean server that is started by
+            the JVM. For more information, see:
+
+            http://activemq.apache.org/jmx.html
+        -->
+        <managementContext>
+            <managementContext createConnector="false"/>
+        </managementContext>
+
+        <!--
+            Configure message persistence for the broker. The default persistence
+            mechanism is the KahaDB store (identified by the kahaDB tag).
+            For more information, see:
+
+            http://activemq.apache.org/persistence.html
+        -->
+        <persistenceAdapter>
+            <kahaDB directory="activemq-data/kahadb"/>
+        </persistenceAdapter>
+
+
+          <!--
+            The systemUsage controls the maximum amount of space the broker will
+            use before disabling caching and/or slowing down producers. For more information, see:
+            http://activemq.apache.org/producer-flow-control.html
+          -->
+          <systemUsage>
+            <systemUsage>
+                <memoryUsage>
+                    <memoryUsage percentOfJvmHeap="70" />
+                </memoryUsage>
+                <storeUsage>
+                    <storeUsage limit="100 gb"/>
+                </storeUsage>
+                <tempUsage>
+                    <tempUsage limit="50 gb"/>
+                </tempUsage>
+            </systemUsage>
+        </systemUsage>
+
+        <!--
+            The transport connectors expose ActiveMQ over a given protocol to
+            clients and other brokers. For more information, see:
+
+            http://activemq.apache.org/configuring-transports.html
+        -->
+        <transportConnectors>
+            <transportConnector name="ssl" uri="ssl://0.0.0.0:${activemq.port}?transport.needClientAuth=true&amp;transport.enabledProtocols=TLSv1.2" />
+        </transportConnectors>
+
+        <!-- destroy the spring context on shutdown to stop jetty -->
+        <shutdownHooks>
+            <bean xmlns="http://www.springframework.org/schema/beans" class="org.apache.activemq.hooks.SpringContextHook" />
+        </shutdownHooks>
+
+    </broker>
+
+</beans>
+<!-- END SNIPPET: example -->