Author: markt Date: Thu Feb 21 14:44:58 2019 New Revision: 1854054 URL: http://svn.apache.org/viewvc?rev=1854054&view=rev Log: Expand the TLS tests to cover RSA and/or EC certificates on the server with clients specifying RSA and/or EC cipher suites
Modified: tomcat/trunk/test/org/apache/tomcat/util/net/TestSSLHostConfigCompat.java tomcat/trunk/test/org/apache/tomcat/util/net/TesterSupport.java Modified: tomcat/trunk/test/org/apache/tomcat/util/net/TestSSLHostConfigCompat.java URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/net/TestSSLHostConfigCompat.java?rev=1854054&r1=1854053&r2=1854054&view=diff ============================================================================== --- tomcat/trunk/test/org/apache/tomcat/util/net/TestSSLHostConfigCompat.java (original) +++ tomcat/trunk/test/org/apache/tomcat/util/net/TestSSLHostConfigCompat.java Thu Feb 21 14:44:58 2019 @@ -38,6 +38,7 @@ import org.apache.catalina.startup.Tomca import org.apache.catalina.startup.TomcatBaseTest; import org.apache.tomcat.util.buf.ByteChunk; import org.apache.tomcat.util.net.SSLHostConfigCertificate.Type; +import org.apache.tomcat.util.net.TesterSupport.ClientSSLSocketFactory; /* * Tests compatibility of JSSE and OpenSSL settings. 
@@ -75,31 +76,141 @@ public class TestSSLHostConfigCompat ext @Test public void testHostECPEM() throws Exception { - sslHostConfig.setCertificateFile(getPath(TesterSupport.LOCALHOST_EC_CERT_PEM)); - sslHostConfig.setCertificateKeyFile(getPath(TesterSupport.LOCALHOST_EC_KEY_PEM)); + configureHostECPEM(); doTest(); } @Test public void testHostRSAPEM() throws Exception { - sslHostConfig.setCertificateFile(getPath(TesterSupport.LOCALHOST_RSA_CERT_PEM)); - sslHostConfig.setCertificateKeyFile(getPath(TesterSupport.LOCALHOST_RSA_KEY_PEM)); + configureHostRSAPEM(); doTest(); } @Test - public void testHostRSAandECPEM() throws Exception { + public void testHostRSAandECPEMwithDefaultClient() throws Exception { + configureHostRSAPEM(); + configureHostECPEM(); + doTest(); + } + + + @Test + public void testHostRSAandECPEMwithRSAClient() throws Exception { + configureHostRSAPEM(); + configureHostECPEM(); + + // Configure cipher suite that requires an RSA certificate on the server + ClientSSLSocketFactory clientSSLSocketFactory = TesterSupport.configureClientSsl(); + clientSSLSocketFactory.setCipher(new String[] {"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"}); + + doTest(false); + } + + + @Test + public void testHostRSAandECPEMwithECClient() throws Exception { + configureHostRSAPEM(); + configureHostECPEM(); + + // Configure cipher suite that requires an EC certificate on the server + ClientSSLSocketFactory clientSSLSocketFactory = TesterSupport.configureClientSsl(); + clientSSLSocketFactory.setCipher(new String[] {"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"}); + + doTest(false); + } + + + @Test + public void testHostRSAwithRSAClient() throws Exception { + configureHostRSAPEM(); + + // Configure cipher suite that requires an RSA certificate on the server + ClientSSLSocketFactory clientSSLSocketFactory = TesterSupport.configureClientSsl(); + clientSSLSocketFactory.setCipher(new String[] {"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"}); + + doTest(false); + } + + + 
@Test(expected=javax.net.ssl.SSLHandshakeException.class) + public void testHostRSAwithECClient() throws Exception { + configureHostRSAPEM(); + + // Configure cipher suite that requires an EC certificate on the server + ClientSSLSocketFactory clientSSLSocketFactory = TesterSupport.configureClientSsl(); + clientSSLSocketFactory.setCipher(new String[] {"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"}); + + doTest(false); + } + + + @Test + public void testHostRSAwithRSAandECClient() throws Exception { + configureHostRSAPEM(); + + // Configure cipher suite that requires an EC certificate on the server + ClientSSLSocketFactory clientSSLSocketFactory = TesterSupport.configureClientSsl(); + clientSSLSocketFactory.setCipher(new String[] { + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", + "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"}); + + doTest(false); + } + + + @Test(expected=javax.net.ssl.SSLHandshakeException.class) + public void testHostECPEMwithRSAClient() throws Exception { + configureHostECPEM(); + + // Configure cipher suite that requires an RSA certificate on the server + ClientSSLSocketFactory clientSSLSocketFactory = TesterSupport.configureClientSsl(); + clientSSLSocketFactory.setCipher(new String[] {"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"}); + + doTest(false); + } + + + @Test + public void testHostECPEMwithECClient() throws Exception { + configureHostECPEM(); + + // Configure cipher suite that requires an EC certificate on the server + ClientSSLSocketFactory clientSSLSocketFactory = TesterSupport.configureClientSsl(); + clientSSLSocketFactory.setCipher(new String[] {"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"}); + + doTest(false); + } + + + @Test + public void testHostECPEMwithRSAandECClient() throws Exception { + configureHostECPEM(); + + // Configure cipher suite that requires an RSA certificate on the server + ClientSSLSocketFactory clientSSLSocketFactory = TesterSupport.configureClientSsl(); + clientSSLSocketFactory.setCipher(new String[] { + 
"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"}); + + doTest(false); + } + + + private void configureHostRSAPEM() { SSLHostConfigCertificate sslHostConfigCertificateRsa = new SSLHostConfigCertificate(sslHostConfig, Type.RSA); sslHostConfigCertificateRsa.setCertificateFile(getPath(TesterSupport.LOCALHOST_RSA_CERT_PEM)); sslHostConfigCertificateRsa.setCertificateKeyFile(getPath(TesterSupport.LOCALHOST_RSA_KEY_PEM)); sslHostConfig.addCertificate(sslHostConfigCertificateRsa); + } + + + private void configureHostECPEM() { SSLHostConfigCertificate sslHostConfigCertificateEc = new SSLHostConfigCertificate(sslHostConfig, Type.EC); sslHostConfigCertificateEc.setCertificateFile(getPath(TesterSupport.LOCALHOST_EC_CERT_PEM)); sslHostConfigCertificateEc.setCertificateKeyFile(getPath(TesterSupport.LOCALHOST_EC_KEY_PEM)); sslHostConfig.addCertificate(sslHostConfigCertificateEc); - doTest(); } @@ -112,6 +223,16 @@ public class TestSSLHostConfigCompat ext private void doTest() throws Exception { + // Use the default client TLS config + doTest(true); + } + + + private void doTest(boolean configureClientSsl) throws Exception { + if (configureClientSsl) { + TesterSupport.configureClientSsl(); + } + Tomcat tomcat = getTomcatInstance(); tomcat.start(); @@ -134,8 +255,6 @@ public class TestSSLHostConfigCompat ext AprLifecycleListener listener = new AprLifecycleListener(); Assume.assumeTrue(AprLifecycleListener.isAprAvailable()); - TesterSupport.configureClientSsl(); - Tomcat tomcat = getTomcatInstance(); Connector connector = tomcat.getConnector(); 
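Review bot: The comments in `testHostRSAwithRSAandECClient` and `testHostECPEMwithRSAandECClient` say the configured suite "requires an EC certificate" / "requires an RSA certificate", but both tests enable one suite of each kind, so the comment no longer describes the code; something like `// Offer one suite that needs an RSA certificate and one that needs an EC certificate; the handshake must succeed with either server certificate type` fits both. The two suite names are repeated as string literals across eight tests; `private static final String[] RSA_ONLY_CIPHER = {"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"};` plus an EC counterpart would keep the intent in one place and make the positive/negative pairs easier to read. Since the expected-`SSLHandshakeException` cases rely on the suite's authentication prefix, it would also help to state in the class Javadoc that these suites only exist in TLS 1.2, which is presumably why the connector is pinned to TLSv1.2 elsewhere in this commit.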
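Review bot: `doTest(boolean configureClientSsl)` is undocumented, and the contract behind the flag is easy to get wrong: when `false`, the caller must already have called `TesterSupport.configureClientSsl()` itself, because that call is what installs the process-wide default `SSLSocketFactory` the request goes through; otherwise the test runs with whatever factory a previous test left installed. A Javadoc along the lines of `@param configureClientSsl {@code true} to install the default client TLS configuration before starting Tomcat; {@code false} if the caller has already installed one (e.g. with a restricted cipher list)` would capture that. The body of `doTest(boolean)` continues outside the hunk.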
@@ -144,6 +263,7 @@ public class TestSSLHostConfigCompat ext connector.setSecure(true); connector.setProperty("SSLEnabled", "true"); connector.setProperty("sslImplementationName", sslImplementationName); + sslHostConfig.setProtocols("TLSv1.2"); connector.addSslHostConfig(sslHostConfig); StandardServer server = (StandardServer) tomcat.getServer(); Modified: tomcat/trunk/test/org/apache/tomcat/util/net/TesterSupport.java URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/net/TesterSupport.java?rev=1854054&r1=1854053&r2=1854054&view=diff ============================================================================== --- tomcat/trunk/test/org/apache/tomcat/util/net/TesterSupport.java (original) +++ tomcat/trunk/test/org/apache/tomcat/util/net/TesterSupport.java Thu Feb 21 14:44:58 2019 @@ -20,7 +20,9 @@ import java.io.File; import java.io.FileInputStream; import java.io.IOException; import java.io.InputStream; +import java.net.InetAddress; import java.net.Socket; +import java.net.UnknownHostException; import java.security.KeyStore; import java.security.Principal; import java.security.PrivateKey; @@ -31,6 +33,8 @@ import javax.net.ssl.KeyManager; import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLEngine; +import javax.net.ssl.SSLSocket; +import javax.net.ssl.SSLSocketFactory; import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManagerFactory; import javax.net.ssl.X509ExtendedKeyManager; 
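Review bot: `sslHostConfig.setProtocols("TLSv1.2");` is added to the connector setup without a comment, and its reason is not visible from the line itself: the suites the new client tests select (`TLS_DHE_RSA_...`, `TLS_ECDHE_ECDSA_...`) are TLS 1.2 suites whose names encode the required server authentication type, which is what makes the RSA-versus-EC certificate selection observable; TLS 1.3 suite names carry no such information, so presumably the negative tests would not behave as intended there. Suggest `// Pin to TLS 1.2: the client-side suites used by the RSA/EC tests only exist in TLS 1.2 and encode the required server certificate type`. Note this narrows every test in this class to TLS 1.2, so if TLS 1.3 coverage of the same host-config settings mattered before, it now has to come from somewhere else.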
@@ -183,16 +187,19 @@ public final class TesterSupport { return tmf.getTrustManagers(); } - protected static void configureClientSsl() { + protected static ClientSSLSocketFactory configureClientSsl() { + ClientSSLSocketFactory clientSSLSocketFactory = null; try { SSLContext sc = SSLContext.getInstance(Constants.SSL_PROTO_TLS); sc.init(TesterSupport.getUser1KeyManagers(), TesterSupport.getTrustManagers(), null); - javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); + clientSSLSocketFactory = new ClientSSLSocketFactory(sc.getSocketFactory()); + javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(clientSSLSocketFactory); } catch (Exception e) { e.printStackTrace(); } + return clientSSLSocketFactory; } private static KeyStore getKeyStore(String keystore) throws Exception { 
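Review bot: `configureClientSsl()` now returns `null` when `SSLContext` setup fails, because the `catch (Exception e)` only calls `e.printStackTrace()`; every new caller in `TestSSLHostConfigCompat` immediately invokes `setCipher` on the result, so a keystore or trust-store problem surfaces as a `NullPointerException` far from its cause. Replacing `e.printStackTrace();` with `throw new IllegalStateException("Client SSL configuration failed", e);` fails fast with the cause attached and keeps the signature unchanged. The method also installs the factory through `HttpsURLConnection.setDefaultSSLSocketFactory`, i.e. JVM-wide state shared by every test; that is pre-existing, but the new return value deserves a line of Javadoc such as `@return the factory that was also installed as the JVM-wide default for HttpsURLConnection`, so callers understand that `setCipher` on it affects all subsequent HTTPS connections until the next call.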
@@ -564,6 +571,82 @@ public final class TesterSupport { } } + + public static class ClientSSLSocketFactory extends SSLSocketFactory { + + private final SSLSocketFactory delegate; + + private String[] ciphers = null; + + + public ClientSSLSocketFactory(SSLSocketFactory delegate) { + this.delegate = delegate; + } + + /** + * Forces the use of the specified cipher. + * + * @param ciphers Array of standard JSSE names of ciphers to use + */ + public void setCipher(String[] ciphers) { + this.ciphers = ciphers; + } + + @Override + public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException { + Socket result = delegate.createSocket(s, host, port, autoClose); + reconfigureSocket(result); + return result; + } + + @Override + public String[] getDefaultCipherSuites() { + return delegate.getDefaultCipherSuites(); + } + + @Override + public String[] getSupportedCipherSuites() { + return delegate.getSupportedCipherSuites(); + } + + @Override + public Socket createSocket(String host, int port) throws IOException, UnknownHostException { + Socket result = delegate.createSocket(host, port); + reconfigureSocket(result); + return result; + } + + @Override + public Socket createSocket(InetAddress host, int port) throws IOException { + Socket result = delegate.createSocket(host, port); + reconfigureSocket(result); + return result; + } + + @Override + public Socket createSocket(String host, int port, InetAddress localHost, int localPort) + throws IOException, UnknownHostException { + Socket result = delegate.createSocket(host, port, localHost, localPort); + reconfigureSocket(result); + return result; + } + + @Override + public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) + throws IOException { + Socket result = delegate.createSocket(address, port, localAddress, localPort); + reconfigureSocket(result); + return result; + } + + private Socket reconfigureSocket(Socket socket) { + if (ciphers != null) { + 
((SSLSocket) socket).setEnabledCipherSuites(ciphers); + } + return socket; + } + } + /* * We want to use TLS 1.3 where we can but this requires TLS 1.3 to be --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
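Review bot: `ClientSSLSocketFactory` does not override `createSocket()` or `createSocket(Socket, InputStream, boolean)`, so those two paths never reach `delegate` and fall back to the JDK's default implementations, which throw (`SocketException` and `UnsupportedOperationException` respectively) instead of returning a socket with the configured cipher list; whether `HttpsURLConnection` takes either path here I cannot tell from the page, but a delegating wrapper should cover the whole factory surface so a JDK-side change does not silently break the tests. The `(SSLSocket) socket` cast in `reconfigureSocket` presumably holds because an `SSLSocketFactory` delegate returns `SSLSocket` instances; a one-line comment stating that assumption would help. `setCipher` also stores the caller's array by reference; `this.ciphers = ciphers == null ? null : ciphers.clone();` prevents later mutation from changing the enabled suites.
```java
        @Override
        public Socket createSocket() throws IOException {
            return reconfigureSocket(delegate.createSocket());
        }

        @Override
        public Socket createSocket(Socket s, InputStream consumed, boolean autoClose) throws IOException {
            return reconfigureSocket(delegate.createSocket(s, consumed, autoClose));
        }

        // … unchanged: other createSocket overloads, getDefaultCipherSuites, getSupportedCipherSuites, reconfigureSocket …
```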