{
if (tm instanceof X509TrustManager)
{
// peer manager is supposed to trust only clients which peers certificates
// are directly in the store. CA signing will not be considered.
peerManager = new QpidPeersOnlyTrustManager(ps, (X509TrustManager) tm);
}
}
try
{
// since broker's peerstore contains the client's app1 certificate, the check should succeed
peerManager.checkClientTrusted(this.getClientChain(CLIENT_KEYSTORE_PATH, CERT_ALIAS_APP1), "RSA");
}
catch (CertificateException e)
{
fail("Trusted client's validation against the broker's peer store manager failed.");
}
try
{
// since broker's peerstore does not contain the client's app2 certificate, the check should fail
peerManager.checkClientTrusted(this.getClientChain(CLIENT_KEYSTORE_PATH, CERT_ALIAS_APP2), "RSA");
fail("Untrusted client's validation against the broker's peer store manager succeeded.");
}
catch (CertificateException e)
{
//expected
}
// now let's check that peer manager loaded with the brokers TRUSTstore fails because
// it does not have the clients certificate in it (though it does have a CA-cert that
// would otherwise trust the client cert when using the regular trust manager).
final KeyStore ts = SSLUtil.getInitializedKeyStore(BROKER_TRUSTSTORE_PATH, STORE_PASSWORD, STORE_TYPE);
final TrustManagerFactory tmf = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM);
tmf.init(ts);
final TrustManager[] delegateTrustManagers = tmf.getTrustManagers();
peerManager = null;
for (final TrustManager tm : delegateTrustManagers)
{
if (tm instanceof X509TrustManager)
{
// peer manager is supposed to trust only clients which peers certificates
// are directly in the store. CA signing will not be considered.
peerManager = new QpidPeersOnlyTrustManager(ts, (X509TrustManager) tm);
}
}
try
{