Author: markt
Date: Thu Feb 21 14:44:58 2019
New Revision: 1854054

URL: http://svn.apache.org/viewvc?rev=1854054&view=rev
Log:
Expand the TLS tests to cover RSA and/or EC certificates on the server with 
clients specifying RSA and/or EC cipher suites

Modified:
    tomcat/trunk/test/org/apache/tomcat/util/net/TestSSLHostConfigCompat.java
    tomcat/trunk/test/org/apache/tomcat/util/net/TesterSupport.java

Modified: 
tomcat/trunk/test/org/apache/tomcat/util/net/TestSSLHostConfigCompat.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/net/TestSSLHostConfigCompat.java?rev=1854054&r1=1854053&r2=1854054&view=diff
==============================================================================
--- tomcat/trunk/test/org/apache/tomcat/util/net/TestSSLHostConfigCompat.java 
(original)
+++ tomcat/trunk/test/org/apache/tomcat/util/net/TestSSLHostConfigCompat.java 
Thu Feb 21 14:44:58 2019
@@ -38,6 +38,7 @@ import org.apache.catalina.startup.Tomca
 import org.apache.catalina.startup.TomcatBaseTest;
 import org.apache.tomcat.util.buf.ByteChunk;
 import org.apache.tomcat.util.net.SSLHostConfigCertificate.Type;
+import org.apache.tomcat.util.net.TesterSupport.ClientSSLSocketFactory;
 
 /*
  * Tests compatibility of JSSE and OpenSSL settings.
@@ -75,31 +76,141 @@ public class TestSSLHostConfigCompat ext
 
     @Test
     public void testHostECPEM() throws Exception {
-        
sslHostConfig.setCertificateFile(getPath(TesterSupport.LOCALHOST_EC_CERT_PEM));
-        
sslHostConfig.setCertificateKeyFile(getPath(TesterSupport.LOCALHOST_EC_KEY_PEM));
+        configureHostECPEM();
         doTest();
     }
 
 
     @Test
     public void testHostRSAPEM() throws Exception {
-        
sslHostConfig.setCertificateFile(getPath(TesterSupport.LOCALHOST_RSA_CERT_PEM));
-        
sslHostConfig.setCertificateKeyFile(getPath(TesterSupport.LOCALHOST_RSA_KEY_PEM));
+        configureHostRSAPEM();
         doTest();
     }
 
 
     @Test
-    public void testHostRSAandECPEM() throws Exception {
+    public void testHostRSAandECPEMwithDefaultClient() throws Exception {
+        configureHostRSAPEM();
+        configureHostECPEM();
+        doTest();
+    }
+
+
+    @Test
+    public void testHostRSAandECPEMwithRSAClient() throws Exception {
+        configureHostRSAPEM();
+        configureHostECPEM();
+
+        // Configure cipher suite that requires an RSA certificate on the 
server
+        ClientSSLSocketFactory clientSSLSocketFactory = 
TesterSupport.configureClientSsl();
+        clientSSLSocketFactory.setCipher(new String[] 
{"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"});
+
+        doTest(false);
+    }
+
+
+    @Test
+    public void testHostRSAandECPEMwithECClient() throws Exception {
+        configureHostRSAPEM();
+        configureHostECPEM();
+
+        // Configure cipher suite that requires an EC certificate on the server
+        ClientSSLSocketFactory clientSSLSocketFactory = 
TesterSupport.configureClientSsl();
+        clientSSLSocketFactory.setCipher(new String[] 
{"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"});
+
+        doTest(false);
+    }
+
+
+    @Test
+    public void testHostRSAwithRSAClient() throws Exception {
+        configureHostRSAPEM();
+
+        // Configure cipher suite that requires an RSA certificate on the 
server
+        ClientSSLSocketFactory clientSSLSocketFactory = 
TesterSupport.configureClientSsl();
+        clientSSLSocketFactory.setCipher(new String[] 
{"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"});
+
+        doTest(false);
+    }
+
+
+    @Test(expected=javax.net.ssl.SSLHandshakeException.class)
+    public void testHostRSAwithECClient() throws Exception {
+        configureHostRSAPEM();
+
+        // Configure cipher suite that requires an EC certificate on the server
+        ClientSSLSocketFactory clientSSLSocketFactory = 
TesterSupport.configureClientSsl();
+        clientSSLSocketFactory.setCipher(new String[] 
{"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"});
+
+        doTest(false);
+    }
+
+
+    @Test
+    public void testHostRSAwithRSAandECClient() throws Exception {
+        configureHostRSAPEM();
+
+        // Configure cipher suite that requires an EC certificate on the server
+        ClientSSLSocketFactory clientSSLSocketFactory = 
TesterSupport.configureClientSsl();
+        clientSSLSocketFactory.setCipher(new String[] {
+                "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+                "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"});
+
+        doTest(false);
+    }
+
+
+    @Test(expected=javax.net.ssl.SSLHandshakeException.class)
+    public void testHostECPEMwithRSAClient() throws Exception {
+        configureHostECPEM();
+
+        // Configure cipher suite that requires an RSA certificate on the 
server
+        ClientSSLSocketFactory clientSSLSocketFactory = 
TesterSupport.configureClientSsl();
+        clientSSLSocketFactory.setCipher(new String[] 
{"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"});
+
+        doTest(false);
+    }
+
+
+    @Test
+    public void testHostECPEMwithECClient() throws Exception {
+        configureHostECPEM();
+
+        // Configure cipher suite that requires an EC certificate on the server
+        ClientSSLSocketFactory clientSSLSocketFactory = 
TesterSupport.configureClientSsl();
+        clientSSLSocketFactory.setCipher(new String[] 
{"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"});
+
+        doTest(false);
+    }
+
+
+    @Test
+    public void testHostECPEMwithRSAandECClient() throws Exception {
+        configureHostECPEM();
+
+        // Configure cipher suite that requires an RSA certificate on the 
server
+        ClientSSLSocketFactory clientSSLSocketFactory = 
TesterSupport.configureClientSsl();
+        clientSSLSocketFactory.setCipher(new String[] {
+                "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
+                "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"});
+
+        doTest(false);
+    }
+
+
+    private void configureHostRSAPEM() {
         SSLHostConfigCertificate sslHostConfigCertificateRsa = new 
SSLHostConfigCertificate(sslHostConfig, Type.RSA);
         
sslHostConfigCertificateRsa.setCertificateFile(getPath(TesterSupport.LOCALHOST_RSA_CERT_PEM));
         
sslHostConfigCertificateRsa.setCertificateKeyFile(getPath(TesterSupport.LOCALHOST_RSA_KEY_PEM));
         sslHostConfig.addCertificate(sslHostConfigCertificateRsa);
+    }
+
+
+    private void configureHostECPEM() {
         SSLHostConfigCertificate sslHostConfigCertificateEc = new 
SSLHostConfigCertificate(sslHostConfig, Type.EC);
         
sslHostConfigCertificateEc.setCertificateFile(getPath(TesterSupport.LOCALHOST_EC_CERT_PEM));
         
sslHostConfigCertificateEc.setCertificateKeyFile(getPath(TesterSupport.LOCALHOST_EC_KEY_PEM));
         sslHostConfig.addCertificate(sslHostConfigCertificateEc);
-        doTest();
     }
 
 
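Review bot: The comment in testHostRSAwithRSAandECClient says the suite `requires an EC certificate on the server`, but the array that follows enables both an ECDSA suite and a DHE_RSA suite, and testHostECPEMwithRSAandECClient has the mirror-image problem (`requires an RSA certificate` above a list that contains both). Since these two tests exist to show that a client offering both families still handshakes against a single-family server, the comment should say so: `// Offer one EC-only and one RSA-only suite; the server should pick the one matching its certificate`. The `@Test(expected=javax.net.ssl.SSLHandshakeException.class)` cases assert only the exception type, so any handshake failure (for example a server-side certificate problem) would also satisfy them; checking the message, or that the negotiated-suite-positive sibling test passed first, would make the negative cases more meaningful. The body of doTest is outside this hunk, so whether it can surface a different exception type is not visible here.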
@@ -112,6 +223,16 @@ public class TestSSLHostConfigCompat ext
 
 
     private void doTest() throws Exception {
+        // Use the default client TLS config
+        doTest(true);
+    }
+
+
+    private void doTest(boolean configureClientSsl) throws Exception {
+        if (configureClientSsl) {
+            TesterSupport.configureClientSsl();
+        }
+
         Tomcat tomcat = getTomcatInstance();
         tomcat.start();
 
@@ -134,8 +255,6 @@ public class TestSSLHostConfigCompat ext
         AprLifecycleListener listener = new AprLifecycleListener();
         Assume.assumeTrue(AprLifecycleListener.isAprAvailable());
 
-        TesterSupport.configureClientSsl();
-
         Tomcat tomcat = getTomcatInstance();
         Connector connector = tomcat.getConnector();
 
@@ -144,6 +263,7 @@ public class TestSSLHostConfigCompat ext
         connector.setSecure(true);
         connector.setProperty("SSLEnabled", "true");
         connector.setProperty("sslImplementationName", sslImplementationName);
+        sslHostConfig.setProtocols("TLSv1.2");
         connector.addSslHostConfig(sslHostConfig);
 
         StandardServer server = (StandardServer) tomcat.getServer();
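Review bot: `sslHostConfig.setProtocols("TLSv1.2")` pins every test in this class to TLS 1.2 without a comment saying why, and the enclosing method starts outside the hunk. The likely reason is that the new cipher-restricted tests use TLS 1.2 suite names whose key-exchange/authentication part identifies the certificate type, whereas TLS 1.3 suite names are certificate-agnostic, but that should be stated: `// Pin to TLSv1.2: the cipher-suite tests rely on TLSv1.2 suite names that encode the certificate type (RSA vs ECDSA); TLSv1.3 suites do not`. The side effect is that the pre-existing PEM/keystore compatibility tests in this class no longer exercise the TLS 1.3 path that TesterSupport's comment says is preferred where available, so that coverage now has to come from elsewhere.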

Modified: tomcat/trunk/test/org/apache/tomcat/util/net/TesterSupport.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/net/TesterSupport.java?rev=1854054&r1=1854053&r2=1854054&view=diff
==============================================================================
--- tomcat/trunk/test/org/apache/tomcat/util/net/TesterSupport.java (original)
+++ tomcat/trunk/test/org/apache/tomcat/util/net/TesterSupport.java Thu Feb 21 
14:44:58 2019
@@ -20,7 +20,9 @@ import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.net.InetAddress;
 import java.net.Socket;
+import java.net.UnknownHostException;
 import java.security.KeyStore;
 import java.security.Principal;
 import java.security.PrivateKey;
@@ -31,6 +33,8 @@ import javax.net.ssl.KeyManager;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.SSLSocketFactory;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.X509ExtendedKeyManager;
@@ -183,16 +187,19 @@ public final class TesterSupport {
         return tmf.getTrustManagers();
     }
 
-    protected static void configureClientSsl() {
+    protected static ClientSSLSocketFactory configureClientSsl() {
+        ClientSSLSocketFactory clientSSLSocketFactory = null;
         try {
             SSLContext sc = SSLContext.getInstance(Constants.SSL_PROTO_TLS);
             sc.init(TesterSupport.getUser1KeyManagers(),
                     TesterSupport.getTrustManagers(),
                     null);
-            
javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
+            clientSSLSocketFactory = new 
ClientSSLSocketFactory(sc.getSocketFactory());
+            
javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(clientSSLSocketFactory);
         } catch (Exception e) {
             e.printStackTrace();
         }
+        return clientSSLSocketFactory;
     }
 
     private static KeyStore getKeyStore(String keystore) throws Exception {
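Review bot: `configureClientSsl()` now returns a value but still swallows every exception via `printStackTrace()` and returns `null`, so a failure to build the SSLContext surfaces in the new tests as a `NullPointerException` on `clientSSLSocketFactory.setCipher(...)` rather than as the real cause. For a test helper the cleanest fix is to rethrow with the cause attached: `} catch (Exception e) { throw new IllegalStateException("Failed to configure client TLS", e); }`. Separately, the returned factory is installed as the JVM-wide `HttpsURLConnection` default and is now mutable through `setCipher`, so a suite restriction set by one test persists for any later test that does not call this method again; a `@return` note such as `the factory installed as the JVM-wide default; cipher settings applied to it affect all subsequent HttpsURLConnection use until configureClientSsl() is called again` would make that visible to callers.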
@@ -564,6 +571,82 @@ public final class TesterSupport {
         }
     }
 
+
+    public static class ClientSSLSocketFactory extends SSLSocketFactory {
+
+        private final SSLSocketFactory delegate;
+
+        private String[] ciphers = null;
+
+
+        public ClientSSLSocketFactory(SSLSocketFactory delegate) {
+            this.delegate = delegate;
+        }
+
+        /**
+         * Forces the use of the specified cipher.
+         *
+         * @param ciphers Array of standard JSSE names of ciphers to use
+         */
+        public void setCipher(String[] ciphers) {
+            this.ciphers = ciphers;
+        }
+
+        @Override
+        public Socket createSocket(Socket s, String host, int port, boolean 
autoClose) throws IOException {
+            Socket result = delegate.createSocket(s, host, port, autoClose);
+            reconfigureSocket(result);
+            return result;
+        }
+
+        @Override
+        public String[] getDefaultCipherSuites() {
+            return delegate.getDefaultCipherSuites();
+        }
+
+        @Override
+        public String[] getSupportedCipherSuites() {
+            return delegate.getSupportedCipherSuites();
+        }
+
+        @Override
+        public Socket createSocket(String host, int port) throws IOException, 
UnknownHostException {
+            Socket result = delegate.createSocket(host, port);
+            reconfigureSocket(result);
+            return result;
+        }
+
+        @Override
+        public Socket createSocket(InetAddress host, int port) throws 
IOException {
+            Socket result = delegate.createSocket(host, port);
+            reconfigureSocket(result);
+            return result;
+        }
+
+        @Override
+        public Socket createSocket(String host, int port, InetAddress 
localHost, int localPort)
+                throws IOException, UnknownHostException {
+            Socket result = delegate.createSocket(host, port, localHost, 
localPort);
+            reconfigureSocket(result);
+            return result;
+        }
+
+        @Override
+        public Socket createSocket(InetAddress address, int port, InetAddress 
localAddress, int localPort)
+                throws IOException {
+            Socket result = delegate.createSocket(address, port, localAddress, 
localPort);
+            reconfigureSocket(result);
+            return result;
+        }
+
+        private Socket reconfigureSocket(Socket socket) {
+            if (ciphers != null) {
+                ((SSLSocket) socket).setEnabledCipherSuites(ciphers);
+            }
+            return socket;
+        }
+    }
+
 
     /*
      * We want to use TLS 1.3 where we can but this requires TLS 1.3 to be
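Review bot: `ClientSSLSocketFactory` does not override the no-argument `createSocket()` or `createSocket(Socket, InputStream, boolean)`, so those two paths bypass the delegate: the inherited `SocketFactory.createSocket()` throws `SocketException` and the inherited `SSLSocketFactory.createSocket(Socket, InputStream, boolean)` throws `UnsupportedOperationException`. `HttpsURLConnection` appears to go through the `(Socket, String, int, boolean)` overload, so the new tests will not notice, but any future user of this factory that creates an unconnected socket and connects later would fail instead of getting the cipher restriction applied. Delegating both closes the gap, and since `reconfigureSocket` already returns the socket each override is a single expression. `java.io.InputStream` is already imported in this file.
```java
        @Override
        public Socket createSocket() throws IOException {
            return reconfigureSocket(delegate.createSocket());
        }

        @Override
        public Socket createSocket(Socket s, InputStream consumed, boolean autoClose)
                throws IOException {
            return reconfigureSocket(delegate.createSocket(s, consumed, autoClose));
        }
        // … unchanged: remaining createSocket overloads, getDefaultCipherSuites, getSupportedCipherSuites, reconfigureSocket …
```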


