ARTEMIS-5340 ensure PEM provider is truly optional

artemis-core-client/pom.xml

@@ -191,6 +191,15 @@
             <filtering>true</filtering>
          </resource>
       </resources>
+      <plugins>
+         <plugin>
+            <groupId>org.apache.maven.plugins</groupId>
+            <artifactId>maven-surefire-plugin</artifactId>
+            <configuration>
+               <argLine>${activemq-surefire-argline} --add-opens java.base/java.lang=ALL-UNNAMED</argLine>
+            </configuration>
+         </plugin>
+      </plugins>
    </build>
 
 </project>

artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/ssl/SSLSupport.java

@@ -34,6 +34,7 @@
 import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
 import java.security.PrivilegedAction;
+import java.security.Provider;
 import java.security.SecureRandom;
 import java.security.Security;
 import java.security.UnrecoverableKeyException;
@@ -68,6 +69,7 @@
 public class SSLSupport {
 
    public static final String NONE = "NONE";
+   public static final String PEM_PROVIDER = "de.dentrassi.crypto.pem.PemKeyStoreProvider";
    private String keystoreProvider = TransportConstants.DEFAULT_KEYSTORE_PROVIDER;
    private String keystoreType = TransportConstants.DEFAULT_KEYSTORE_TYPE;
    private String keystorePath = TransportConstants.DEFAULT_KEYSTORE_PATH;
@@ -352,10 +354,15 @@ public static KeyStore loadKeystore(final String keystoreProvider,
       return ks;
    }
 
-   public static void checkPemProviderLoaded(String keystoreType) {
+   /**
+    * This method uses reflection to load the appropriate java.security.Provider for PEM use-cases. Reflection is used
+    * to avoid a hard dependency on the provider's implementation so that folks who don't use PEM don't have to include
+    * the corresponding dependency.
+    */
+   public static void checkPemProviderLoaded(String keystoreType) throws Exception {
       if (keystoreType != null && keystoreType.startsWith("PEM")) {
          if (Security.getProvider("PEM") == null) {
-            Security.insertProviderAt(new de.dentrassi.crypto.pem.PemKeyStoreProvider(),
+            Security.insertProviderAt((Provider) Class.forName(PEM_PROVIDER).getDeclaredConstructor().newInstance(),
                Integer.parseInt(System.getProperty("artemis.pemProvider.insertAt", "0")));
          }
       }

artemis-core-client/src/test/java/org/apache/activemq/artemis/core/remoting/impl/netty/PEMProviderTest.java

@@ -0,0 +1,38 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.artemis.core.remoting.impl.netty;
+
+import java.lang.reflect.Method;
+
+import org.apache.activemq.artemis.core.remoting.impl.ssl.SSLSupport;
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertNull;
+
+public class PEMProviderTest {
+
+   @Test
+   public void testPEMProviderNotLoaded() throws Exception {
+      // use a method from SSLSupport to force the JVM to load it as well as any hard dependencies it has
+      SSLSupport.parseCommaSeparatedListIntoArray("");
+
+      // verify the actual PEM provider class is not loaded
+      Method findLoadedClassMethod = ClassLoader.class.getDeclaredMethod("findLoadedClass", String.class);
+      findLoadedClassMethod.setAccessible(true);
+      assertNull(findLoadedClassMethod.invoke(ClassLoader.getSystemClassLoader(), SSLSupport.PEM_PROVIDER));
+   }
+}