From ca8367cc5be48b615c1c0a7b6d42c29b507e6d11 Mon Sep 17 00:00:00 2001
From: Michael Marshall <michael.marshall@datastax.com>
Date: Fri, 3 Feb 2023 03:52:22 +0800
Subject: [PATCH 1/2] [security] Proxy to broker and broker to broker hostname
 verification

---
 .../TransactionMarkerChannelInitializer.java  |  24 ++++++++++++---
 .../TransactionMarkerChannelManager.java      |  11 +++++--
 .../handlers/kop/utils/ssl/SSLUtils.java      |   5 ++--
 .../kop/security/KafkaSSLChannelTest.java     |  25 ++++++++++------
 .../KafkaSSLChannelWithClientAuthTest.java    |  28 +++++++-----------
 .../ssl/certificate/broker.keystore.jks       | Bin 3991 -> 2255 bytes
 .../ssl/certificate/broker.truststore.jks     | Bin 944 -> 969 bytes
 .../ssl/certificate/client.keystore.jks       | Bin 3993 -> 2255 bytes
 .../ssl/certificate/client.truststore.jks     | Bin 944 -> 970 bytes
 9 files changed, 59 insertions(+), 34 deletions(-)

diff --git a/kafka-impl/src/main/java/io/streamnative/pulsar/handlers/kop/coordinator/transaction/TransactionMarkerChannelInitializer.java b/kafka-impl/src/main/java/io/streamnative/pulsar/handlers/kop/coordinator/transaction/TransactionMarkerChannelInitializer.java
index 8a0d4de326..142c2e9521 100644
--- a/kafka-impl/src/main/java/io/streamnative/pulsar/handlers/kop/coordinator/transaction/TransactionMarkerChannelInitializer.java
+++ b/kafka-impl/src/main/java/io/streamnative/pulsar/handlers/kop/coordinator/transaction/TransactionMarkerChannelInitializer.java
@@ -16,6 +16,7 @@
 import static io.streamnative.pulsar.handlers.kop.KafkaChannelInitializer.MAX_FRAME_LENGTH;
 import static io.streamnative.pulsar.handlers.kop.KafkaProtocolHandler.TLS_HANDLER;
 
+import io.netty.channel.Channel;
 import io.netty.channel.ChannelInitializer;
 import io.netty.channel.socket.SocketChannel;
 import io.netty.handler.codec.LengthFieldBasedFrameDecoder;
@@ -23,6 +24,7 @@
 import io.netty.handler.ssl.SslHandler;
 import io.streamnative.pulsar.handlers.kop.KafkaServiceConfiguration;
 import io.streamnative.pulsar.handlers.kop.utils.ssl.SSLUtils;
+import java.util.concurrent.CompletableFuture;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 
 /**
@@ -50,13 +52,27 @@ public TransactionMarkerChannelInitializer(KafkaServiceConfiguration kafkaConfig
 
     @Override
     protected void initChannel(SocketChannel ch) throws Exception {
-        if (this.enableTls) {
-            ch.pipeline().addLast(TLS_HANDLER,
-                    new SslHandler(SSLUtils.createClientSslEngine(sslContextFactory)));
-        }
         ch.pipeline().addLast(lengthFieldPrepender);
         ch.pipeline().addLast("frameDecoder",
                 new LengthFieldBasedFrameDecoder(MAX_FRAME_LENGTH, 0, 4, 0, 4));
         ch.pipeline().addLast("txnHandler", new TransactionMarkerChannelHandler(transactionMarkerChannelManager));
     }
+
+    protected CompletableFuture<Channel> initTls(Channel ch, String host, int port) {
+        if (this.enableTls) {
+            CompletableFuture<Channel> initTlsFuture = new CompletableFuture<>();
+            ch.eventLoop().execute(() -> {
+                try {
+                    ch.pipeline().addFirst(TLS_HANDLER,
+                            new SslHandler(SSLUtils.createClientSslEngine(sslContextFactory, host, port)));
+                    initTlsFuture.complete(ch);
+                } catch (Throwable t) {
+                    initTlsFuture.completeExceptionally(t);
+                }
+            });
+            return initTlsFuture;
+        } else {
+            return CompletableFuture.completedFuture(ch);
+        }
+    }
 }
diff --git a/kafka-impl/src/main/java/io/streamnative/pulsar/handlers/kop/coordinator/transaction/TransactionMarkerChannelManager.java b/kafka-impl/src/main/java/io/streamnative/pulsar/handlers/kop/coordinator/transaction/TransactionMarkerChannelManager.java
index 310a79460b..4f29a3524a 100644
--- a/kafka-impl/src/main/java/io/streamnative/pulsar/handlers/kop/coordinator/transaction/TransactionMarkerChannelManager.java
+++ b/kafka-impl/src/main/java/io/streamnative/pulsar/handlers/kop/coordinator/transaction/TransactionMarkerChannelManager.java
@@ -77,6 +77,8 @@ public class TransactionMarkerChannelManager {
 
     private final Bootstrap bootstrap;
 
+    private final TransactionMarkerChannelInitializer transactionMarkerChannelInitializer;
+
     private final Map<InetSocketAddress, CompletableFuture<TransactionMarkerChannelHandler>> handlerMap =
             new ConcurrentHashMap<>();
 
@@ -182,7 +184,9 @@ public TransactionMarkerChannelManager(String tenant,
         bootstrap = new Bootstrap();
         bootstrap.group(eventLoopGroup);
         bootstrap.channel(EventLoopUtil.getClientSocketChannelClass(eventLoopGroup));
-        bootstrap.handler(new TransactionMarkerChannelInitializer(kafkaConfig, enableTls, this));
+        transactionMarkerChannelInitializer =
+                new TransactionMarkerChannelInitializer(kafkaConfig, enableTls, this);
+        bootstrap.handler(transactionMarkerChannelInitializer);
     }
 
     public CompletableFuture<TransactionMarkerChannelHandler> getChannel(InetSocketAddress socketAddress) {
@@ -192,7 +196,10 @@ public CompletableFuture<TransactionMarkerChannelHandler> getChannel(InetSocketA
         ensureDrainQueuedTransactionMarkersActivity();
         return handlerMap.computeIfAbsent(socketAddress, address -> {
             CompletableFuture<TransactionMarkerChannelHandler> handlerFuture = new CompletableFuture<>();
-            ChannelFutures.toCompletableFuture(bootstrap.connect(socketAddress))
+            ChannelFutures.toCompletableFuture(bootstrap.register())
+                    .thenCompose(ch -> transactionMarkerChannelInitializer
+                            .initTls(ch, socketAddress.getHostString(), socketAddress.getPort()))
+                    .thenCompose(ch -> ChannelFutures.toCompletableFuture(ch.connect(socketAddress)))
                     .thenAccept(channel -> {
                         handlerFuture.complete(
                                 (TransactionMarkerChannelHandler) channel.pipeline().get("txnHandler"));
diff --git a/kafka-impl/src/main/java/io/streamnative/pulsar/handlers/kop/utils/ssl/SSLUtils.java b/kafka-impl/src/main/java/io/streamnative/pulsar/handlers/kop/utils/ssl/SSLUtils.java
index 616458391d..c8c2cef6bc 100644
--- a/kafka-impl/src/main/java/io/streamnative/pulsar/handlers/kop/utils/ssl/SSLUtils.java
+++ b/kafka-impl/src/main/java/io/streamnative/pulsar/handlers/kop/utils/ssl/SSLUtils.java
@@ -257,9 +257,10 @@ public static SSLEngine createSslEngine(SslContextFactory.Server sslContextFacto
         return engine;
     }
 
-    public static SSLEngine createClientSslEngine(SslContextFactory.Client sslContextFactory) throws Exception {
+    public static SSLEngine createClientSslEngine(SslContextFactory.Client sslContextFactory,
+                                                  String host, int port) throws Exception {
         sslContextFactory.start();
-        SSLEngine engine  = sslContextFactory.newSSLEngine();
+        SSLEngine engine  = sslContextFactory.newSSLEngine(host, port);
         engine.setUseClientMode(true);
 
         return engine;
diff --git a/tests/src/test/java/io/streamnative/pulsar/handlers/kop/security/KafkaSSLChannelTest.java b/tests/src/test/java/io/streamnative/pulsar/handlers/kop/security/KafkaSSLChannelTest.java
index 7d7fbd785e..5a1504e17b 100644
--- a/tests/src/test/java/io/streamnative/pulsar/handlers/kop/security/KafkaSSLChannelTest.java
+++ b/tests/src/test/java/io/streamnative/pulsar/handlers/kop/security/KafkaSSLChannelTest.java
@@ -84,20 +84,22 @@ public KafkaSSLChannelTest(final String entryFormat, boolean withCertHost) {
      * @param withCertHost the keystore with certHost or not.
      */
     private void setSslConfigurations(boolean withCertHost) {
-        String path = "./src/test/resources/ssl/certificate" + (withCertHost ? "2" : "") + "/";
-        if (!withCertHost) {
+        String path = "./src/test/resources/ssl/certificate" + (withCertHost ? "" : "2") + "/";
+        if (withCertHost) {
             this.kopSslKeystoreLocation = path + "broker.keystore.jks";
             this.kopSslKeystorePassword = "broker";
             this.kopSslTruststoreLocation = path + "broker.truststore.jks";
             this.kopSslTruststorePassword = "broker";
+            this.kopClientTruststoreLocation = path + "broker.truststore.jks";
+            this.kopClientTruststorePassword = "broker";
         } else {
             this.kopSslKeystoreLocation = path + "server.keystore.jks";
             this.kopSslKeystorePassword = "server";
             this.kopSslTruststoreLocation = path + "server.truststore.jks";
             this.kopSslTruststorePassword = "server";
+            kopClientTruststorePassword = "client";
+            kopClientTruststoreLocation = path + "client.truststore.jks";
         }
-        kopClientTruststoreLocation = path + "client.truststore.jks";
-        kopClientTruststorePassword = "client";
     }
 
     @Factory
@@ -111,6 +113,10 @@ public static Object[] instances() {
     }
 
     protected void sslSetUpForBroker() throws Exception {
+
+        // require TLS verification when hostname is on certificate
+        conf.setTlsHostnameVerificationEnabled(withCertHost);
+
         conf.setKafkaTransactionCoordinatorEnabled(true);
         conf.setKopTlsEnabledWithBroker(true);
         conf.setKopSslKeystoreType("JKS");
@@ -153,7 +159,7 @@ public void testKafkaProduceSSL() throws Exception {
         String messageStrPrefix = "Message_Kop_KafkaProduceKafkaConsume_" + partitionNumber + "_";
 
         @Cleanup
-        SslProducer kProducer = new SslProducer(topicName, getKafkaBrokerPortTls(),
+        SslProducer kProducer = new SslProducer(topicName, getKafkaBrokerPortTls(), withCertHost,
                 kopClientTruststoreLocation, kopClientTruststorePassword);
 
         for (int i = 0; i < totalMsgs; i++) {
@@ -188,7 +194,8 @@ public static class SslProducer implements Closeable {
         private final KafkaProducer<Integer, String> producer;
         private final String topic;
 
-        public SslProducer(String topic, int port, String truststoreLocation, String truststorePassword) {
+        public SslProducer(String topic, int port, boolean withCertHost, String truststoreLocation,
+                           String truststorePassword) {
             Properties props = new Properties();
             props.put(ProducerConfig.BOOTSTRAP_SERVERS_CONFIG, "localhost" + ":" + port);
             props.put(ProducerConfig.CLIENT_ID_CONFIG, "DemoKafkaOnPulsarProducerSSL");
@@ -201,7 +208,7 @@ public SslProducer(String topic, int port, String truststoreLocation, String tru
             props.put("ssl.truststore.password", truststorePassword);
 
             // default is https, here need to set empty.
-            props.put("ssl.endpoint.identification.algorithm", "");
+            props.put("ssl.endpoint.identification.algorithm", withCertHost ? "HTTPS" : "");
 
             producer = new KafkaProducer<>(props);
             this.topic = topic;
@@ -233,7 +240,7 @@ public void basicProduceAndConsumeWithTxTest() throws Exception {
         producerProps.put("ssl.truststore.password", kopClientTruststorePassword);
 
         // default is https, here need to set empty.
-        producerProps.put("ssl.endpoint.identification.algorithm", "");
+        producerProps.put("ssl.endpoint.identification.algorithm", withCertHost ? "HTTPS" : "");
 
         @Cleanup
         KafkaProducer<Integer, String> producer = new KafkaProducer<>(producerProps);
@@ -292,7 +299,7 @@ private void consumeTxData(String kafkaServer, String topicName, String isolatio
         consumerProps.put("ssl.truststore.password", kopClientTruststorePassword);
 
         // default is https, here need to set empty.
-        consumerProps.put("ssl.endpoint.identification.algorithm", "");
+        consumerProps.put("ssl.endpoint.identification.algorithm", withCertHost ? "HTTPS" : "");
 
         @Cleanup
         KafkaConsumer<Integer, String> consumer = new KafkaConsumer<>(consumerProps);
diff --git a/tests/src/test/java/io/streamnative/pulsar/handlers/kop/security/KafkaSSLChannelWithClientAuthTest.java b/tests/src/test/java/io/streamnative/pulsar/handlers/kop/security/KafkaSSLChannelWithClientAuthTest.java
index 57fb22f225..fe7da51497 100644
--- a/tests/src/test/java/io/streamnative/pulsar/handlers/kop/security/KafkaSSLChannelWithClientAuthTest.java
+++ b/tests/src/test/java/io/streamnative/pulsar/handlers/kop/security/KafkaSSLChannelWithClientAuthTest.java
@@ -47,14 +47,11 @@ public class KafkaSSLChannelWithClientAuthTest extends KopProtocolHandlerTestBas
     static {
         final HostnameVerifier defaultHostnameVerifier = javax.net.ssl.HttpsURLConnection.getDefaultHostnameVerifier();
 
-        final HostnameVerifier localhostAcceptedHostnameVerifier = new HostnameVerifier() {
-
-            public boolean verify(String hostname, javax.net.ssl.SSLSession sslSession) {
-                if (hostname.equals("localhost")) {
-                    return true;
-                }
-                return defaultHostnameVerifier.verify(hostname, sslSession);
+        final HostnameVerifier localhostAcceptedHostnameVerifier = (hostname, sslSession) -> {
+            if (hostname.equals("localhost")) {
+                return true;
             }
+            return defaultHostnameVerifier.verify(hostname, sslSession);
         };
         javax.net.ssl.HttpsURLConnection.setDefaultHostnameVerifier(localhostAcceptedHostnameVerifier);
     }
@@ -71,13 +68,13 @@ public static Object[] instances() {
         };
     }
 
-    protected void sslSetUpForBroker() throws Exception {
-        ((KafkaServiceConfiguration) conf).setKopSslClientAuth("required");
-        ((KafkaServiceConfiguration) conf).setKopSslKeystoreType("JKS");
-        ((KafkaServiceConfiguration) conf).setKopSslKeystoreLocation(kopSslKeystoreLocation);
-        ((KafkaServiceConfiguration) conf).setKopSslKeystorePassword(kopSslKeystorePassword);
-        ((KafkaServiceConfiguration) conf).setKopSslTruststoreLocation(kopSslTruststoreLocation);
-        ((KafkaServiceConfiguration) conf).setKopSslTruststorePassword(kopSslTruststorePassword);
+    protected void sslSetUpForBroker() {
+        conf.setKopSslClientAuth("required");
+        conf.setKopSslKeystoreType("JKS");
+        conf.setKopSslKeystoreLocation(kopSslKeystoreLocation);
+        conf.setKopSslKeystorePassword(kopSslKeystorePassword);
+        conf.setKopSslTruststoreLocation(kopSslTruststoreLocation);
+        conf.setKopSslTruststorePassword(kopSslTruststorePassword);
     }
 
     @BeforeMethod
@@ -161,9 +158,6 @@ public SslProducer(String topic, int port) {
             props.put("ssl.keystore.location", "./src/test/resources/ssl/certificate/client.keystore.jks");
             props.put("ssl.keystore.password", "client");
 
-            // default is https, here need to set empty.
-            props.put("ssl.endpoint.identification.algorithm", "");
-
             producer = new KafkaProducer<>(props);
             this.topic = topic;
         }
diff --git a/tests/src/test/resources/ssl/certificate/broker.keystore.jks b/tests/src/test/resources/ssl/certificate/broker.keystore.jks
index 063b4f8b6d9355d60aad63d98c052aa8517f6906..ce1bc84a65d37e5c781fc665be06a564029d3108 100644
GIT binary patch
delta 2074
zcmV+#2<7*eAI}kg{_Xzl00002000010000100v@mZ);_80004o642J%000F7FoFdB
zFb)O^D+U1s0V)C!0RaU71cC(W4P#T0Lpq;3wuj)$;@qyamt2_t;;u|Mw)Jc|FD$p8
z!-lvIK-@Za_d#ZhKkf=ZepKY@f-YBQW57!ppXxn>1t#-<#+miU4QRPq>9H9wU4TGN
zA9vp}&S7B&LKY)umSCmAEoEMgH?DCPtGxZ1Tk{s=QZ$idt=rI_Nu`Ex`}#nK_AkUS
zjq1r??K~U1zI29N3hXGWTI#gN#$jx+VxX)?iq+T4@vgSsGh;xUGd{ZV!xa&BQcBc=
zd<5y3U4fN<Ga-+HUiTk5|BVmGGY^^euTnedDe|xd0P+ZQtQ!FE4*m3pX0~qBWCUIC
zNa6OM&-|0(ZKP+;n|gSe<;GO&1%g!|Oc)oTiWt=nyscK>vtla7Iv)$*K^`5QieoHW
zql>ivYy?cn0@%M=O0Jac^-l}lQPE1<at0gV9^QF>#K>a_8ndn3ACJ#AiGj3c3Akea
z`z7E<7&58fi4z$I+2b%7u28mWK1?K>l%qqORH#*n`{v#lri|3Q2c}XfUIZ#~=RmW<
zn~B563ZB$cVu6fF{sLW?1J4m!og2xpe0LMtyt9$CJi4dzKndQ*@;zWFO*B8WQJ@av
z9&^5b-m-<sl-&e)tF!Tgi#=0cmT}EaY>$wcCjT}*d^e>ug9in53x|WOVDGoEE5%(L
zSL7L0oWzsbx;rQ5#3YfTnD9C|zAG1JFeuKUaWdYE?Gt~&a+kneY5$|C*_@L1SGgnw
zb<_h?vvOFuu_=UXl8wmoc20@WQG&?Q+!~30!P;F1m$#iQZ4#PG=k>GIBkVf8m7!9c
z-vv!@AL6yPM?&F?1{xs8tzRWQDnsXE@6f~LjZTJqi_^xAi<H5nr}Kh<_INOSEr4yZ
z8_}*i2;`egKc9;Me-e_0SiKGq)g_F*Wxd&V`&3f2Y`soW5WYdHnCM3PuRqp(RR{ck
zt>HV=8^E^7AukL$3N}}YV=k42B{%*3U}c(}ceYex=JXvIhCYy2lmpR(J0YnKPZr4Y
zBsIgo?$5~K)e1sLQkTrb!P6Fm09=$^>#kqm_dus82@B9Muv)RmTh5U~bv#eNwsCgQ
zsLq(O4G<}tLy27UjJ^}N4-!d8B_m&d2KLA!wK$h4XBme$%Di{OJE}A8?8I?xMqx>L
zpknzEji<r+9yT$F@^4yUK83Ds@>XtrIg2ZD@?;{6!z+g>)J_%#XQV@#^T5JI{C4L#
z=pQ~OnM&BvrE}Y@z5WsgoY2Y_y+}UH1xMBB#p;yIDJGvO`(s`!VK_dKZIc{-h)zuh
zetKYs;-q(XUt+0H+<l4KN)YT}&e0jgU7hzF{O})hWh=Le)JjtuOttbuz>T(+5%lWu
z1aLM&i+;8JJ3Kj&4&*xMu8$w$CW|dB*Q*`7b=h$Hy%;a$5o2r5n!L^v4qV#cmnbJa
zPxm%Y)A3b;OPEJek@ZLnGELckNXdW6UL4vj3|2xOQ(ZZB)ICyw-`2XT?UV+CLH{s5
zRFHL!HQccH5;KYp3+e;*ACH|Ha8p$u-@rf*?o3WZO@jDw`D!B{D)iOItq|Oei>>Nr
z;v8wfT^%AhRrprivhMrDIytZSVu1IEFT?a*@v7p%hT<6YZe{EBi14&%o}f@=ewIK5
zJZ$(lUsfi(EzKt`$G?gypjUdS!)-cgUeA}jNPvP(H}}Ef<N$xW0000100mesH842<
z00V|Ff&+puf&yxw0|Eg80to>6V|yu{@7d)r4F(A+hDe6@4FLfQ1pqK^lU@m1Hxe)q
z1_M<D0}}~sZ)0I>Xm4|LFd!EVGBYqTFfuVUG&nRdS{M&9F)}kSF)%qXH8eOhF<LNg
zlU@m16A~~G1_M<D0}}~sZ)0I>Xm4|LlMMkOf6%4|QA(=+iWe&s)+mCZ?M8vQF><_Z
zC!T=(+J9Daoh~xxz(U~qXgH_N(Vt#mk&OiG2U-y)8v8vX&FmsZJ|dC)%4v&}1$+)9
za;w4CWhcmGx!O%Z8w>Xf4NEj;hIYSy?Qx09i3!w8`-9mx_g$E8JX&gPL_YY#5hZit
ze<tG4DP*-j=MKdw|A<gywPC5!0BS^aFzVur#^c@x;H2;V`bnf@{eqw(kl}E9Uss46
z2Cx!W)}7)QeXi(t=)NaoAN@9NCu*7G6Gmct;n(LbVrEpRTlJdl_zTV$JI+47(iL6d
zcNJa7RDIo7F&yEw9j(4gW0s30x&YH;f0?}k0|5X5qaiRKFdYU1RUHll76cR#1i{)8
za|9SKPmjYDu&7z+M5>Q44F(A+hDe6@4FLfQ1potr0RaGov(Q}L9b&xjxkkCy_guJg
ztPcvo{zZ6odk){+2iily$Kt|<MxRHVxk00q%=Keb=67g#Ur3X+R8y<lIlA1qe|qPQ
zlN+d}w1Nfh{ao%}%K_YAO{ux3dH<$V+Kh18*u5dK0E%XY#U15smZp-;{X~CxM(0nF
zy7g*D_t=REeFc5_J?D6rLP(0>Q{JZ^u@jt8J#fVibds8kRS~iQxKFjbrtcQ2R{UU<
zWK*Rh6l!F}m~M9T$}}i)w1L53RIb7M*8{g(kXSqH{+R-V%EGW3C$cjN`*U41<{D*i
z%qTl%ukk5v#K^Xrj@moP*3YeFyrv{Ld#L7X9$0OtePE-VtH}YV2NMsQO42Zncj2mY
E(NMq67ytkO

literal 3991
zcmeH}X*d*GAHZj`Gz`Ybl08{sjIoR+SyIWGeMv%=v4pV=62jP*A=*SEV=J_fts*<g
zHg?L8NV3hO+)$R+?Y-}P@7sN!_tSlz_sjiop7WgFbIx;~^FROpIlrBiofQB80Q$W#
zyEp~-`Vs&DV6>YDNe;kt7KK3{1pvVQXd>7LO$1rxfk8kJh(}qXkL|Dy*SaV%r)|gC
zhED!m?0|+b?~{$!i(iKUfox0ww2mShdLJ{`3c`#4X<I2G(C}Xetn5$=Umu*j1;L4c
zQxr#w{tBV&{Q7tTE&z`sh}n3$x_c4=#Y_pIVnzg4v=|>uNeQj0h(Tk~SVinPeoiID
zJ%HJ3{{(;4MnvGjKOO<d1OO9(oB%Wt2n7*=K)_vv-RwY3wffT4y3nUo^P);xJXmZU
zS}(uF5Yer@1|nJ3cO4j&((4b?eNCM#@i|fI2<ggF%yd$lz30&CKi9E&-2g$fFb~gn
z>$P5d6@?Slji<V#$Cw94Xt~6dq}>Y@^q$uqDVF73J`&y_edhH@282As6V+w9a+xOJ
z$zbDWc2p2=OLGfG_LXP1ITwn!WD`tstMa1<rr1M_#!AMR6PXN-rp5B#G(8TdkeNiZ
z%jTs^+s@^_B%fJo=e7>bB39uCBg8{mIiHAis+c}-`_#H=Ho@NGHAPw~zv+@9#>;E_
zZT_OKHtr5pbwu)F>!^$Ms?I0)9KG^ZyDta~1ON*x&}L}iy*m@;fbc?ih|_e%!@UWW
z^%HX@Ut|#(fsz$6Kdw|*0>Y2xjr#8sIDcJ_00MU*Ola_4_s6jBWzJsMfq<(9^J6p1
z7{<bB#`)ukIM|aRp&BTyN|5m=ZU0O07ui$Sm$_c>4YP7`-TWm?PXeq&n!iOh{a(G=
z*SSs;epjI>dpKV20;`(P_%h!pl!YTf&_lP*+fmc#O2*)4o$^z_CV0Fgt_}|JoL#js
z%nZIURHeY6Pc%AUliHD(CE=FGqIr4aHt0hgtED#>gRS=pQyWf>3I<}wMY_C;cET$y
zg)hE3GM-fZ5c_tDTM(vs`P!y3nKE%fDJ;1)aGgVeD_yM2)Os;)wmDoT?VhvZjONn;
z&>|?>bB=Fg@tVHz>q%0bQ_C6BcL|7Qr_9<;p7a-+9__47X0l~sgpcB0O#%V?ynS7q
zyghsae=Es6egI&vvWSo^GzT+Oju{96%7Wm)y;Ow|As^E&z+;8pxI9m<nt4l9O%YA-
zId7dv@L&c-8(!2C&sl=zCY@Q05%jY#ayrduVF0vZ+7}*lUtMp0-7xQ!YtqRwCfB~A
z!h*9Oe5RzM#e5Kbh-1J*3De<+{S4|Ir{Zn+o^EYO^2hbPfH+|L`^2ctk|<wPVe>cx
zyB*Px6Hsb8cz;G<!kSJx;nBWy-U91tXcnomT~m4QCi+~(Bk_5yuZ4;WHHV3ii0}HT
zpNA^EBM#LBUoVik*2QIUqkg;Xv00P^w#GCq{kSt(LIS4XAQiWZjbh6OU-WhL7}yG;
zC32kg%Th2L=r!;sy#a>MG~;M~iG2w>?7M|VElL}00ZObF9>337bViEC3?z7P&6N53
z%(-jZ_TIsDwOkU?Z+Wz7F0Q5;YYa_$fU7q8>inhLzxs8{^``f&(+jC%cAaucwR2Ag
zQctB?P9C)BY+905IZE-T(-XHFN7kB`Eqd8!lrt0f#3(&ZcFu1&OZhA&xpxzH>kXvz
z8vKrBA*Wu~uMwiYc8*HmvB#(v-Yy$FkBj1j3mT{fylpO-5s;MQ2)HfV=5!@E*)4S{
zb6~4*Q_5=LgZ9bmaSJ||pA6xT72nA_`fcjr=KgND(<T!4U1@2!Dw=ZLmByRiom_N1
zNh+ht?|2wA`ZTNiC-H_uzSU|;{qf_QXO~MQ#3h5K$w5OSLBZ!fXf#9B(*~Qk^B>Na
zdj^cq;yJbhs*CQMT{T}8<%;qk1rtaqr(R-;1kE9|)=5I>i%MCt9`@j{9qgI?hXsVs
z=c&B8_wD%{IZpck>}3y6ed;}R{$zC74Wt=GvHHC0G}HORCKZWs>x+6?W$W{1Rx1(v
zj1s6;+Cmo2n+(nmpX|h59(-pd{|U9Twy_bO91$k0)fkHAKJI>Ef=t@S<EdP0LN1gX
z)^80<VMm=Zb{HciKYV5$$A9$e(3KFA2Aa9t(<fV$B*v~`S#nK(*$9uz7a<JlwicV4
zgU@({es&ahp?f^aW17NGifMvPNFPaaW~?uNQxa6)Dq_p>n(poK%BlP8BaE?)WYKZ6
z_p^VS8|&FYw+j~>alBMb%DE)nF_h(4AzFY}NPi=J(nF?TSmK&Oq5LD>Ovge=@7lus
zzUjH!Yg~SIMQpgVF=9iTzp>`*)&$j~lEZ4dW6NZ+bQs7b3lNXCWzQklavq;JfNip;
z>Yf;Slm5bR%(Q?+L6+pn1tc76Oi{j}r!{K4t1jO4Dct@Jva6}^>6P#5sF->+T6*$!
z{M5|obQ4%tV}O-{tJNu4$4r-_D@@c~jbr21<aRZ{+R4+!J%Hx^sL3x~(Wi?=ZoKUK
zcvr15)u{8#?b~Rv@U{82L7r)O6Bnd=<pac3`$+aW5SLVkjE-g6(6_a7VBjjpa~rLt
z+mlS5wjnyh?~ZOo*qN?1X7ra|{viBO5c2Z96NgV^kz*qGQqOa(2ZmAIHfv()6Ro#Y
zUeQm^J`)=G_>orUI9pd*Vi!JYRM36qK1}MC(oECT;C*aOTUt~<Ue;LV`5fF)E2ixO
zV#oAs!XULxnh=z?X$33x6S%fx<qQuDk>3gLF*PfC#q;)&oHFqMEzGT_n-UtnLWMeT
zX+{WDF<aty+mQZi*)5|I<a>OX%sj^){Q~dH-M=H>sm-Ta8->HuxIgO-Sh56<{m_-)
z)kJ$wO*Hn@L=wa!c?)*OAam9lh7+)jPYgh|EW399^tb#~vhW{PqH^>nE7=2RUq!CH
zNBW2Uuvp=}@V+7Ve-T#1&xGYq1o|h!_HXi=OMwwk7jI7-o)8p>3)u6N|Lrf`JSSr@
zcT6gTY0adyty~p>P#yU~yZRlkCz#E7!2y&Tr6>S0P>|d-7=jC0+#JHlk8W7QiENtm
zf?bsQ1xc6una$_BD3($rtH2e9Qhm4c)_`{-qg1&RdN(Cbf<F~$L8gm17C)Tr==bAt
zIr26>B1csuSzzFnt!~10PAxtTBaAwyN;g007HhoiftoxJ`C4nXy|j~6M)CQQs6D)|
zF<<La6JzjWAAOg!eJe7%K8ZwKA<d^cbdK5Sj{*2}V>K3RA}W;CuW)Np-}kIunWWZo
zB9&F|VBp`@!`0y_o)84yof{QJZ!!JIMA=$HdLcsG&5$Z%?@~*he)!8z>F`4}LgRm-
zA1u-JuWmn5wXo=Lkd}E-gE<)Duj0g)8d#&UkblEc`ipzHQy8K>s^k3<FQQ8Zntzo^
zMJm$0D>}^Tfa*iH0BN?VV=K6cERw<L(j+g22<z>xvEltbxiduu<hu+{L>f2DU$O)N
zjlR!uB=RaD^|8de<>9l9gA=3!Xv(-utB6X9?xxD}xs+$%fa006A2b&ll{FwRn#BF$
zd!r6FH=ZGy{aH-<#Qc*5AMj4k!F>cmPo*n4Bg!wj%Yp1D74bL88LcTib{QcKXVvPO
zYm?(JYa6k~o#UMvdItuAV0U$^>o(_SOy$|0KFBtb&yve9+d9GLJuA9|TK-$}|JMA!
dHUIyk`HWGDVNl;{#UyGM?iJ(O7%k5;{0}Fcu7&^r

diff --git a/tests/src/test/resources/ssl/certificate/broker.truststore.jks b/tests/src/test/resources/ssl/certificate/broker.truststore.jks
index dc062946bbb258897fdc177f39c9b4855957d8c9..851da10b1f741cf767f7a34212e439b998a106ab 100644
GIT binary patch
literal 969
zcmezO_TO6u1_mY|W(3n*B}JvhCB-HAMX5lcHlYjm92r<6^h^yb85o$`44Rmm44Rm-
z7BDk0GBI&7{7SCYocI3bQv+T$POUbNw(q=*jNGgY26=`827GMHp)72|?4fztdHLmV
z5e^Iyb_@|N3=wXGh>(E*$Yf?=&Yb+@#GH)$;t~S|ab6>110w??LsJtA6T>J8ej`Jm
zfT4jURDkX-YGPDE4irXK2IeM4eg=akMlPl%Mn;AU%h&?FR{if1*A}^^(X{ZbTjNf{
zqCL6l^BVr#st+rkt7r85fYXCt85YaWU7R16FtL~A4SSTJy3}u5<+E>;-0YMl{yCM|
zJ(;zJPo-$}!E34NCsKFb@^zHv{?5(oZIaejw!i*uVdtq%&MV%(n{S$bkDZZk6P1<g
zV)x^)plb0WwMQ2;Q?}Ya=R2zTzat=dYvRgF3|TIv2Cp9V9D96^{lSv=|9*KcN%`Bf
zKxx9mg6jD24jHx$LgCluK9Z<i_oDp8KJ{ezzh-&rSu>vqyCqdWy#8D-DJ^70^w(K$
ze{i3Zus&zE?~-Wj!*bEs;~}+o!wqE~Zk1iT&pUZqx9Tp2%PBMWGBGnUFfLX!kT;M8
z#-=PEix`WDAj`p9Ld7f+`u_cgMK`R7eBrXHA2|?#DGL~gj0~-tFT~uFP1^Her`yi!
z-(z+Zt>Nc7_|LVXw3_e!9rjz!2ai8G)aEwdea=qD#Z%9GO%8cho>39+F?nl9@ao%^
zyYB3$dfq!(dd0FWO|0+!#=MI^&3GrlcjeCImH(H8-0CT~bz`sMMux7mwxhC7bEhqv
zboQ@HeWlxT|B1W4X1RaA(aBlMTKm)XdBt=mkFE#7_m<0V6rK}kTX2-GWYVmjP{B=%
zJN&oqS@vFRRoI_|sVTurl|`~rj?Ty{`*O-eqi9Rx!Gv`Oe_v<b9z7w#`pv(YOf9Dl
zZIDvmWX$!uIM(EuRBFK)4ePY^A2suioY*$I@0Rt+Yv<Rd?pdZ{QN7|>wp>K+irR0j
XTNy9k$hf+M+n{69qaTXw91rXPy`Xo?

literal 944
zcmezO_TO6u1_mY|W(3o0$%#ez`6WPZV_JsPE(X>JJyQcq1_tIrgC^!&gC?fX1<Xv0
zOiUui%ICN>T?M|&H_blsFDd-p+)vBm40zc%wc0$|zVk9Na<eiRxEgXBaI!Invaks=
zIffbv8wi3p96VgX`MIgO!6k_$sfLOM@*qJj9tqF9lGLKS)Dng8%#`%Zl46B`l1c@i
zk`x04ab6=M12aQY0}BHSLyIU0ej`JmfGH3|1gK?E6QdHc7Z_O?n41{+84Q{jxtN+5
z85!p5|DRQCXSHY5$K91X&Ic{se5Z|B;XBtJ-9PW;+_z6=>J8a*O6r=L$AxP5o9FMY
z%yn87&vI&p;iN>X$IIgm7d}1qbBdR6Q*cntqO`MNuTD0k%DT6mPwsCHDyy|mZe7{8
zyiz*nx#QJkT4Ha^Yxb%8-n=@IW$tB>hEoA=tL{i<zUP);i`Q2?(wA1Ib8f?|BS}l-
zl4q6p&)c%7@!~z6a-Zufud{WqdRg|hNK6ZG5L`HyRnBqsbM;k6qUIf+>-+ksP*~-R
zrY(7wY8A^5^KVi(VG^(=?Ze@pfwy_iWZ&z3y<u8%w}O~h<ge#h`Hrb`&YN9T%{qK7
zIqakB2f?TBHcvmA&&15gz_>WrAkaV-7-zD4EMhDoO%L7~YMyQ1yyx~)|Ib>&6N^<h
zYJj6uR+&Y@K&%0~0)CKwVMfOPEUX61Kngk7fhh+V?2HT(yq;fw^v3l4OSkti4jrky
zn=Z?2<GQm&`u(~-(c_AHXWg6fMqsb_6%KxZX<w^7l$nispHH6~@O$gWb0@yvk$t$)
zPD``RBZ0$8=EfWGYh3Jn?a~?UyL000eCj4%`sBL7h4Fx3n`-KAL8i>dAH%&Tl})|8
zMgRS~+xz1zI*;m@zLq_-UVg!X8{q~j$3Cu_`u@`4<x6_@IbV}5wzwg8Drf1xn$01y
zStreJbZ%X1asQr>G_PIN<e$cK7v4@Vs_r^m{GCr<pkHBiK-jC+#|LXP`j#gdKC;_!
zk?9pvW9C!wAFn2R`rW+SyF2laZ|`qq7P}J~U;Zsn{~UhCamER@xgj03xrPq6xU>u0
Ttp2!6V!iD!i&<r|f|>&WiEwik

diff --git a/tests/src/test/resources/ssl/certificate/client.keystore.jks b/tests/src/test/resources/ssl/certificate/client.keystore.jks
index 9d61ecef52eccf2c3ffb842277f9cb957ca3e724..7e5a8561736ccac616441843a56895df074e7d88 100644
GIT binary patch
delta 2008
zcmV;}2PgQMAI}kg{_Xzl00002000010000100v`hX=QG70004o642VC000F6FoFdA
zFb)O^D+U1s0V)C!0RaU71cC(V8f1)h$BO{QPlNdDSy%s9TPte=1a$70cr(0&o_Z91
zQ`+B?_g5wD-z&;hsIBPJ(!pq-VMI%&wm0KA1wE?WJd@CW&QXp&nuza-bn<TvECi-v
z_!g8M2w}b{bm;K2^L^qp`bHNU!{$0d)z7BG-Y>(x0b&#HN4SUIYi&1-3U2b!V;0`e
z7{#1uuL}DXb}98@yx{&8!>Gdr{ERtHs1cCaIps_#ip1n_J$mJOCd}=~CF%~I-*CH3
zvq}7SDV|k-i$E&PKOLk}`sEfxyTDz{Juy~lX&K7bU8k|=^%dbMuFs|@E~bwOg~p)Q
z$+Bt`!6`1)OyApFzd1ZjR{WT0N=@!3ola7Lfzt``EQXMR^S2nreRdo&%vPxS^34*Q
zI3VT%#oD8saKkm3{|1tCi~HjHM1omFzB1rw(zNG)R&MrJb0|+se8HI9q}M3t-5XS4
zzuOnpS<kvBhQ`=GltS396he&lJ3YW*q!jNes+jcLFAj7PBcYgiSZh|2^9nV;ks60i
zBe_qdAdoe!`Z8N$K@z;-bo|@(b0GKk9XW)Ih1h8&1FfCKC4beaRmJp7{FC1rzjxnV
zljlx<a7gdjpTGYogQYW;p){kZbyc$&O-*p|N1T?sO!7cU46xcMEk#}Kp}4;Tk99il
z=Oicb(Od!sXZae_TPJ{;)kf`rI4;Y7u7Jhrr}a;j4KNpQ^4XFY6qK6YafQhRC^1u5
z-NDA_kzQhrygGCC2q~fU_$#fJ9>s-pkusfs7|QglwkzcTgn3ljLS&R<tKf<q-S!i#
zdNRO(m`StBVAib#A!9UUr^1S^rB226;iW>TcRr?YkbQU8iR}wQ7k=Mhh8oPf2--G#
z;6)W}U$9BB1v?5yaT>;-p^$4V;yX-nD(VM6$?s8hd!io3+U-IUwS>7%awZ&2v}gc-
zhI?ihL91^SCcOMwmuhKx<J81k*a0iMeumf;rrQ2;wqGW=&DbY^e^s##7LEXaa2Miy
z<-RoCf0Dm>8ri68%+67_$i1JJvZ^Vjbp`cmOEDeO<PMCVCzP(rN14<&q%mzAC-SVC
zmT5%SgA0uT7+j$kcg<kuM3TL9xPK^r8nwOeqMaxKaq2@2am;jWe*9O<hG_Pd$^SL^
z^_R?bTWm<8;$J(z-4ZZ=69%}8!*Wyo{R#H54c@XZw|J4_;T<nGUt&2q$oD^cOM7|H
zJOSt@$8llgDEetJ#Ku5+{o5`^^m;Fj)!vG(Gvf*^aOa4y<Wfh#UW_Z@;|oN8!(5jF
zUl9wSkqj~JL&OM8^xA*Ve}1mQ&^6~B0kYZxsPIvJJNu>GJr?68K3li1;ik#=4<IdM
zw<Au4$4aX!WU~U<zUM{2k-ON-qT;^?u|}PBp94T0kbkxv5)_8Yo$fhx6xH1g^$B<3
z<w^B5yHaEQid+RQd!kH&a^mrSMT^q66SKw-<TAJ8e|aKmzP<aEdCNasN&%AUtJIx-
z+*Pf@Nnsz@I!aQo{|Rvg)ex^Bsy<Kj;R^@Cvi)tmw#p#F()5Bcu@}Lmto3hDU6}bG
z_Xl>Vz<%*j8P~QNxDagwm55NhhO@q@bV(UTRlDQ6ArXmS+a;07v*pKRP(j=K+}Uep
z>+*HfBHeZs@iib^t8(x4zZ~l2fJL()fe#ENRb~fq_s37URvMiE000311z0XMFgXAK
z1BWnz1A{Pv0&AcH0s#U72nL13AIWO=XD|&02`Yw2hW8Bt0Sg5HlU@mOARreFGBYqT
zFfuVUG&nReS{M&9F)}kSF)%qXH8eOhGLu~ilYhgtDR5jViGv_>Y1uK0M%8P+cDD@|
zgq%)@<Ht1r<{FUYUI(c5GnM?D)iDN-?fmjLKeDmWsExC8-SZr}3_Z`1TN6g~7}NN8
z?GViH0bDK@ErI(8!R*AbWHcbAU$Q$?qa_N^h2%1sq97}?T*#p|G87vPp3n?u`IAKn
zr+*ppxgfwyB4(voTMB=Hq2_J#i1%D;*4Pk2!i2>qC26KY<XU`Pgo8yrkol6k29>@s
zfZ!dhq>tvU?U;8Fult=UdKXEx!y5AEa>c(THskAFRKA@lTMy8$w@h`stW=snck=!p
zA0WQSK$JE1X5`V!98R>XAHR0v`vyO-0xJ5w0s{d60iz)>A21yT163Uk1QrAo4LEgj
zfeL`4j&_WxQZ$8c!!4DHlW`6de^eBm%PxL|6v`^TC7rGU6znT-S^sZmQ6b^nz!luW
znU13$Xo@u-E|KBgI7oKy;AVngt1Y8$AOkBrv-{SF@o$g-z4j`@=a<1ayCLzpL&%@@
z^Az=Ca62s<q-T06B=FtEbyz~#(DsNO;IV`TVh?D!-xnA$;@|mETyJn2f2s6Vk!dSq
zLI{!j1eKG@#!p?HSTB`Dd1cPQ<Vb}eL5cKQ508-0nfe2Ws7**b`yVCWb(A2X&fPH;
zZf}w7J>z76R+|C#k}!w5#JpVP3ix-U*JeTh#xZ)MGJf0P3cUcMyeY7~Y#jchCkz^i
q_y}SaLN5NNR9rDD-x}g87UQ@;%W}D_3UG3yw?d%IZwYe}qFB0APQ)Sr

literal 3993
zcmeH}X*3(y9>9}Ggh(3uT1$%|C`rcN+G}fTX_3TIN=oe+1f%w)mbR#^R8R&{r9~0d
zSc@vEwo*o`N;_&zV;NiN)4qB0`expFpXQwRWj@?<&;6Zy&pr45|KEFm`^)>w0002=
zdt)U!`;$my000>6=KhKw03j%<pfvyh7C&?hiw`;mWK+lj0)jxi-%CE{KpApwipNko
z_g(NS`Kwe%G=h~~F5V=569EKrKmce%3<sK>mBj|k$^+7~!SJBDz6{vlFe{Re>oF^`
zGuah$1TFpr!r+3YzGPQ_UstjO-s9pW4|0HnB{@Xm4EZ8jLI8oqqE#^}XmzwYM%_*j
ziNzcMm4o(A@K<dV13dce5r7Z?OAHVRK*s=Kpco(!a9infZh*FC(_JP#<l(@%(%M(?
zEE1crremKNV#W;_pk(W&Ug5FtOa?=ZCk9@Z`{>_w0{7-%(w#MD%N#rW-apySJjD}Z
zbuR2Dw|?A0Pn4^uar^)=HTGOkxDN43c}iJ`i1(b{C{>PsNiD2J#%y9V4V*v18`W#M
zeEF4-2ZKY9)k*0{XNp^p!t?6fPL~ofVlLUDpzf#Wp(%LqnV01+SrZ|rG*aROZ(8bd
z73D+3^eX0L?snQ0bmyBbc5&lEa$@Ryhr^EqcOV}~JXN-=bo<z`eRdN5%xfxnvHB+Q
zngl<;?arJhNzXNJKy_5wvtx{iV;X+sdcRVe-9-Yi00F>aEA&~k=t0gz4}tl?yfM=&
z7*u~kZPVm?i#0i(v;gTE*{>-Tl>`f-`J?{(1mu_XJV4-QFa*tV(0v>BgUUGwI}mW=
z)ZELNB^AcJ5yL?@(G~Gv<S-5Ps!oJ)KZURRNOSH~<`QSKzza4c=go~!6G;|q@?3Vl
z<!(Lm`P0o;qHk-o<xue^7uYlpk1q*~!Jvl{MBI((-cH(QBGQIe4XaNA+qmMTUFlpP
zk69-Ebb3(MNSzX6WwO;#J*i7UWl{8Tm3U#{I36wagn2iMG2BsBa=pc1Oe8>kT&&l-
zbU&=tTGX>gZ9J*|p8A_9ZV`m`<&5p`^NS`gU_-BV1Z*Bs;!KsOu*5A~nQae~O(}E1
z%xFIx0xf`|J>Cm!Eo7LQPrOd1J3lr{-jxJvKb2kIFO*rsKhw*3%9?MT8192PxRXEt
zyElpG?Cnkp`0YwAY61Wd5IP3Dk3Pf-lV=5jfpQ=&;6bT^W55f3wkj$hbIZ3rw#28G
zHBkI4dp)|<e#fCZMjO|vBIfa)_7%<A#Xr)1`a#@a49iE9+J4%%(@@7RjJOdnS!`q7
zcu(V(q(DOEG&^b1@76}!y>~J%tkY66@t0QeX!U$znRtYq5L*p1s3_h^(a=r7>y76}
z%FRIQhBh@&C=^y=9B5E=*36bT0QUtGPI1`bjm1#S&BjYB2Ac->pC2>s@6&`UpNRJe
z<ap@g2+FiR3#q+h!__yg4Kch%@)(BNMGpKqIlP8=%N(pAT4tm@99&d$y))JXhg!ep
z@P+|(42td|><wto#OZK5xIuQ4>3~h@-KM-$MZc)GtEw#e@8F1b;q4%PSH3~`ahi3(
z8iwX{!`j?<v$-si4#kEKU;Q!IW~e-_g3|Jak$$0IDQuGFZ&oY2Lc`f5Z3u<C_8M5x
zf2C}df+J_kF}6S2=IDQJrA2uPfQ=$tm~|^)gvE>g_CcD}b?^QX_M(dvgULO8{q=xl
zYRg=PX|#D{^Z9$e?<jrqwGbU+W-lUAii%&eY9lccINtO<EM86;{KdSj%XAXjbKWcC
zg|J<D%<k<X)w;kc9=*`F_ns7T+utXM7E1sec=p;tbwLs|2g6#C@DD5s&$Lv+lNx--
z1+JsV-S?fFCC^h!&P{wc(QNr$>>?%0?8NF!SSfXOCH)c8q>|kKBKmx{9d;b233*T&
zRqn^5ddy~MmnNfdG@0pLv6*gv@g)tGK?m!&R<0K`!`e<9ujZK&ga+$e<X`;t5q7v*
zxRScTed9D^W&NYK>8&D-jl-NFsUbP+RF6Siu!BDiM_(rkho8Mhc=1EW-1RDZ(#FGf
z76X3X=KgH+62-nBb{7O6y4ZbkLQ{mU*9j_YVUdxWgGOU2bIvFPs&Iff(h#ugRa4)g
zNv&)#2;obS&F>7!se2zOC6{@!Rebtz>hY^6NF91=mM1r`PdP%H**ld!Ae%JAD*dr`
z7%JT$Y<I@_SyEPl0e!53yN6xDg70~*V|1(?+*I5z!@liuBNpo`_9kSZkq@^QDiX*Y
z#m3$|TOjX4$p`B?I!%&4oYf9fzNL1}ZB%cj6m4+9eeQh9Ex#Gh#_X46E~mCH;^cqU
zV?A4a#L_S2)?#&cibZ>)w33NkUW+~dUK%?Gsc<GgyD<{+)`5M7Qnc8PWgf$q5>zJh
z-~Xzk7iI)->yBfSEjEe>ezl_(g`>uSUUF#d+}%|klk6Q?C8|1@fxIC8Xp2Q)(&Uh2
z&$33#Cp9qtlK+F(KB3BkW8evVDfDr@`rIoWDA)5lkifN5tGCZAw0qC2eAbNSUVorR
z=Y(^1L4gBEIUcvGfp-QfLynV{!}wH@0Ome`y(VC^Zi@{R_+G=&d~VZWt$Us-Y<8^2
zZ3Crg8b-w}o55v(J6vlQuMh?*9-Q?(G%=&xAVW@e(DirOkR7clmA`O-bjBd_ToZ)R
z-<38C1idw4Ymw-0>ue}4tw10Ti<H6%C;RO10Vd+sUCBevldG+V#^@Jdz31=MeIUrm
zr`sLU$VQFI_ft+-ns*&jw57d#T)th(rih7$NOgNZp@(`>-CB#Dp1<@tQB_PkYq?Kz
zRN6>xyC<CE=Y%ZH`Gx6noqVR${IaWVqq{g;pjvnCLY(H(d`{JN?|j=kZFX7fufp=X
zoai0MiPnLfNP~FQmZIY>yM@&RFe7!T`wK!_adT3C_+9=gUHH~ZG%%R|^pY<CO~P;<
zJkwtV2x{Z&<x2|o{TE^5`6Ge;iNO9uIQ~t3vnduH7}49q)t4L?;Oc*1D*xMH8da@x
z-pCijvr{h_Y4|8De8SK%S1C?cGA>zp@vxh(@itW;C8A)HHiy%tgo7BHQhax`u5dN<
zf0lD@Hqd2#EIcebcD1S6CQXY>UaVf1S+D<mEo+F#_h@Ce+6tm{-(%h<_EM#32`^YS
z2-a}ZMfNI^%B)2QB~tPQ;D)4Wq^%fQ50$b71l@5uib#$`*1X<H_uz~z=`KVOXKiz^
z6-PaGB#;S%d1NJ4y0m^?@F<Z`+FK`NDx@I{sTwY&q1hzE3Vu<54Qa`LXjeToDLEwS
z1m$1pl5eqd(Qb!``dc)?-}TF@Bf{wE{&(<c<B3(%IOUQN*K>KpLXuw%<`3oYRW^LD
zS4?G$cX-uh#bdPgZe^AUJ%rl(RVZ%szU$1a4^Y}6t}kULOh4DudlIpKXEZTEMmgQS
z&WgMfNO4!0sENf>tJ2^Q(dmR7#Zca9L2s3l-l#1?L{~23xngp?*d_ne+;YW_cs8n7
zwjA&_u53$F-f@STOBnDN+<JuKh%zyb6bNmo@biD%^2w-GOJg~YB{)FtG$pBZOt~RA
zc4V2g3pc^h>C^$TN>0=Y-mX5OJ7%~L#sGv@k_;ydGxRr^Mk1mTk&$Zd(Iljc^34-q
z!jkt*jP{XOHYzqwtCv$S?uuBvP~QjtpxC#$ce76CEyE)U0~5Ap0v`eP_5K$9zeWFV
d(f|L5J|X?&^z5)My|AP;sX#TCyxJ@({|^fwmW}`b

diff --git a/tests/src/test/resources/ssl/certificate/client.truststore.jks b/tests/src/test/resources/ssl/certificate/client.truststore.jks
index e8b93df69647d8bea7c1f133e523c9a45d13b0bf..5c5b6374fcf0dfe4ff9655e7e72a8ea0b7ce9661 100644
GIT binary patch
literal 970
zcmezO_TO6u1_mY|W(3n*B}JvhCB-HAMX5lcHlYi5GZ<JS^h^yb85o$`4Vsvn4Vsv;
z7cet1GBI(mwH}c_ne{E*fR~L^tIebBJ1-+6H!FidzM+5t9~*Nh3!5-|XkK<+et8~D
zgabo_9Ycf*LxdY4B5WWCGMQPJD>)}KHLs+!IJL+?L7dmf*ucoZ$k5cp!o(;_g5Ssx
zC}3z{2^FBflbRTnkb{Mhm4Ug5k)Oe!iIIz`iII`v@K()&7|qURh2qSchTU#gv-g#4
z=M`_6<Ja-{xXJ%#QWKuWv9I`MJoV3<tA=d-Z~uHUx8Jn!;)>qQ#dkl;?BcOKKPg(+
z?Tf_a9~Ex}&U|2u(G%Bg{LOLj&5?~MCJM{qH(7@)R^__T`ow7FA_eWuF(($98Hq^q
z&bz>q{&TV`=W@wUI~5N2D5WipjOMCuT=*>abI13X>}xj!oDQ`dRaebi=JX`0Cbp&7
z)po+qNxRvm?lWw7AiHKs|FgAkXOs)B|2<c$O5AhnVX05gi;nJBHGBLzE@a<a&1n7$
z>$m%q?pYHu%c1<!KY4kDeJ32In0`xpa`Ci`-<CD<`^z5xX0zYG^lL8@Gb01zVnqXa
z16g2v%JQ*@v54?mlomB|H7x2Y>sc9O(wcu*cWM`MAOh1CFc29TLPX}C)~jm~Ii<Bv
zb?!PQkvG}}k^l440~H_MIUsuH(9FKY@)=#G@_G{=-nH;3d;cJ<DPgtl;yeXrZJW)%
zuXTLPpTMy9o7Umy(+^tgR{Xfr`NaHhpGCeV7g*~`FG;V`Qu%QAXlaDg%?sZ;WFKs7
zVN2rA*m+-E!tl}kpMf#?1=1_OgiXxUPIls$_?u<w<WtA|W9LTbPj#(KJ$LYlN2`Kk
z=a(q{{s|Xm{$lP};p<`ZTVC~k=@f;9=k6Mc=H*X(WBWLzA#66|w@C)=yN>LMdCK*p
zeDU=(Cx&B&Rf~=4Za?JO%dmKl=7zmFGXEB<^GJ36;7Ag4()+hOB*swtzSJY_$2)}7
XHtpx=?avU~9&TMM7u&zE=~e~+Gbn7g

literal 944
zcmezO_TO6u1_mY|W(3o0$%#ez`6WPZV_Jr@I|FNko~eN)0|RrRK@)SXK@(Hx0%j&g
zCMFSM<#XJct^(iXn`R&RmlXbP?x$sO2E1&XT5TR}-+37sxmg(uTn)JmIN6v(S=fY`
z977F-4Fo|P4j!)H{M=OC;F83WR6|7rd5|C%kA!DlNorAEYKcO4W=eWyNwGpeNu`2M
zNs57jIIoeBftjJHfrWvEp+%GgzmXwOz!Zof0@SjoiBSpJ3yiD`%uS5^3<gb%Tue=j
zj12Sj|IaG6v)Z%j<L=5G=Yy7RzSG96@SSUq?w|K^?%O9b^@i*@C3Q{B<3hFj&GUCx
z<~ps4XE`;)a8jbx<K=OO3!fhQImJu3DLANRQQFzCS0@`%W!>A(C-*l8mDSoOx3274
zUMZdP-0|u%EwMM|HT%?kZ(g0qGWW7b!>NF`Rd*ya-*Zc_#p^2`=}RlqIk#cfk)$PZ
z$+JrQ=WSWkc<~-jxzF{L*V#H)y)64$B&G#82rit<D(ATRx%#RjQS*+^^?iL*D6Dcu
z)0VtTwTk73`8O$?FbP<b_Tli)z}q}$vhVf2-Y_k>TR}`L^4IgMe8<!|=gqFFW*xqk
z9QM)mgW%J5o2MVmXJTe#U|bw*5NIF^j5Aq27BLo)rU&l~HP5zh-gEn@|7R`XiN&fL
zHNa6StIQ%{Al86g0Y6B;FeBrC7FGjhAcY+4z?1_Fc1DH?UeB*TdSm+jrQ7=$hmKU<
zO_yc1aoyP>{eE4a=yAopv+hlKBd}Ne3J1Tyw6E13%FIT+&!^7~_`UVxxf9>-$UfX?
zr={8Ek-%XkbK{NpH7<6(cIgcF-8u1gK6Mi>eRAF4!gxTiO*M75AXDb!kKx{v%BEi4
zqW}Kg?fr2Uokw*{U&|g^FTY^Hjc@~%V;@&deShij@+Cd{oUch2TilR4m9z9;&E^o<
ztdr(9I=8O1xPMPbn%Ays@=xQr3vVYFRd*dO{?4Z_(66vMAnaA^<AXICean*!AKC4=
z$n=V-G4rYTk5`jD{chgv-JN*IxA(U)i`@y0FaH*(e-1z6IO7D{+>nmiT*EZ88D*0S
Tt%VOgyBHa6X>!3XH0dD#kRo*W


From 9dbe38926a35b9affa83bdffb828e7ea71fb9e84 Mon Sep 17 00:00:00 2001
From: Demogorgon314 <kwang@streamnative.io>
Date: Fri, 28 Jul 2023 16:40:36 +0800
Subject: [PATCH 2/2] Fix code style

---
 .../handlers/kop/security/KafkaSSLChannelWithClientAuthTest.java | 1 -
 1 file changed, 1 deletion(-)

diff --git a/tests/src/test/java/io/streamnative/pulsar/handlers/kop/security/KafkaSSLChannelWithClientAuthTest.java b/tests/src/test/java/io/streamnative/pulsar/handlers/kop/security/KafkaSSLChannelWithClientAuthTest.java
index fe7da51497..01dd5708a4 100644
--- a/tests/src/test/java/io/streamnative/pulsar/handlers/kop/security/KafkaSSLChannelWithClientAuthTest.java
+++ b/tests/src/test/java/io/streamnative/pulsar/handlers/kop/security/KafkaSSLChannelWithClientAuthTest.java
@@ -15,7 +15,6 @@
 
 import static java.nio.charset.StandardCharsets.UTF_8;
 
-import io.streamnative.pulsar.handlers.kop.KafkaServiceConfiguration;
 import io.streamnative.pulsar.handlers.kop.KopProtocolHandlerTestBase;
 import java.io.Closeable;
 import java.util.Properties;