2015-04-29 21:37:50 +02:00
|
|
|
/*
|
|
|
|
|
* Copyright 2015 The Netty Project
|
|
|
|
|
*
|
|
|
|
|
* The Netty Project licenses this file to you under the Apache License,
|
|
|
|
|
* version 2.0 (the "License"); you may not use this file except in compliance
|
|
|
|
|
* with the License. You may obtain a copy of the License at:
|
|
|
|
|
*
|
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
*
|
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
|
|
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
|
|
|
* License for the specific language governing permissions and limitations
|
|
|
|
|
* under the License.
|
|
|
|
|
*/
|
|
|
|
|
package io.netty.handler.ssl;
|
|
|
|
|
|
|
|
|
|
import io.netty.bootstrap.Bootstrap;
|
|
|
|
|
import io.netty.bootstrap.ServerBootstrap;
|
|
|
|
|
import io.netty.buffer.ByteBuf;
|
|
|
|
|
import io.netty.buffer.Unpooled;
|
2015-10-01 22:05:44 +02:00
|
|
|
import io.netty.buffer.UnpooledByteBufAllocator;
|
2015-04-29 21:37:50 +02:00
|
|
|
import io.netty.channel.Channel;
|
|
|
|
|
import io.netty.channel.ChannelFuture;
|
|
|
|
|
import io.netty.channel.ChannelHandlerContext;
|
2015-12-26 19:42:00 +01:00
|
|
|
import io.netty.channel.ChannelInboundHandlerAdapter;
|
2015-04-29 21:37:50 +02:00
|
|
|
import io.netty.channel.ChannelInitializer;
|
|
|
|
|
import io.netty.channel.ChannelPipeline;
|
|
|
|
|
import io.netty.channel.SimpleChannelInboundHandler;
|
|
|
|
|
import io.netty.channel.nio.NioEventLoopGroup;
|
2016-05-28 05:52:56 +02:00
|
|
|
import io.netty.channel.socket.SocketChannel;
|
2015-04-29 21:37:50 +02:00
|
|
|
import io.netty.channel.socket.nio.NioServerSocketChannel;
|
|
|
|
|
import io.netty.channel.socket.nio.NioSocketChannel;
|
2015-09-30 10:14:29 +02:00
|
|
|
import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
|
|
|
|
|
import io.netty.handler.ssl.util.SelfSignedCertificate;
|
2015-04-29 21:37:50 +02:00
|
|
|
import io.netty.util.NetUtil;
|
2016-05-28 05:52:56 +02:00
|
|
|
import io.netty.util.ReferenceCountUtil;
|
2015-04-29 21:37:50 +02:00
|
|
|
import io.netty.util.concurrent.Future;
|
|
|
|
|
import org.junit.After;
|
|
|
|
|
import org.junit.Before;
|
|
|
|
|
import org.junit.Test;
|
|
|
|
|
import org.mockito.ArgumentCaptor;
|
|
|
|
|
import org.mockito.Mock;
|
|
|
|
|
import org.mockito.MockitoAnnotations;
|
|
|
|
|
|
|
|
|
|
import java.io.File;
|
|
|
|
|
import java.net.InetSocketAddress;
|
2015-09-30 10:14:29 +02:00
|
|
|
import java.nio.ByteBuffer;
|
2015-12-26 19:42:00 +01:00
|
|
|
import java.security.cert.CertificateException;
|
2015-04-29 21:37:50 +02:00
|
|
|
import java.util.List;
|
|
|
|
|
import java.util.concurrent.CountDownLatch;
|
2016-05-28 05:52:56 +02:00
|
|
|
import java.util.concurrent.ExecutionException;
|
2015-04-29 21:37:50 +02:00
|
|
|
import java.util.concurrent.TimeUnit;
|
|
|
|
|
|
2016-05-28 05:52:56 +02:00
|
|
|
import javax.net.ssl.SSLEngine;
|
|
|
|
|
import javax.net.ssl.SSLEngineResult;
|
|
|
|
|
import javax.net.ssl.SSLException;
|
|
|
|
|
import javax.net.ssl.SSLHandshakeException;
|
|
|
|
|
import javax.net.ssl.SSLSession;
|
|
|
|
|
|
|
|
|
|
import static org.junit.Assert.assertArrayEquals;
|
|
|
|
|
import static org.junit.Assert.assertEquals;
|
|
|
|
|
import static org.junit.Assert.assertFalse;
|
|
|
|
|
import static org.junit.Assert.assertNotEquals;
|
|
|
|
|
import static org.junit.Assert.assertNotNull;
|
|
|
|
|
import static org.junit.Assert.assertTrue;
|
2015-04-29 21:37:50 +02:00
|
|
|
import static org.mockito.Mockito.verify;
|
|
|
|
|
|
|
|
|
|
public abstract class SSLEngineTest {
|
|
|
|
|
|
2016-01-20 22:52:50 +01:00
|
|
|
protected static final String PROTOCOL_TLS_V1_2 = "TLSv1.2";
|
|
|
|
|
protected static final String PROTOCOL_SSL_V2_HELLO = "SSLv2Hello";
|
|
|
|
|
|
2015-04-29 21:37:50 +02:00
|
|
|
@Mock
|
2015-12-29 17:13:07 +01:00
|
|
|
protected MessageReceiver serverReceiver;
|
2015-04-29 21:37:50 +02:00
|
|
|
@Mock
|
2015-12-29 17:13:07 +01:00
|
|
|
protected MessageReceiver clientReceiver;
|
2015-04-29 21:37:50 +02:00
|
|
|
|
|
|
|
|
protected Throwable serverException;
|
|
|
|
|
protected Throwable clientException;
|
|
|
|
|
protected SslContext serverSslCtx;
|
|
|
|
|
protected SslContext clientSslCtx;
|
|
|
|
|
protected ServerBootstrap sb;
|
|
|
|
|
protected Bootstrap cb;
|
|
|
|
|
protected Channel serverChannel;
|
|
|
|
|
protected Channel serverConnectedChannel;
|
|
|
|
|
protected Channel clientChannel;
|
|
|
|
|
protected CountDownLatch serverLatch;
|
|
|
|
|
protected CountDownLatch clientLatch;
|
|
|
|
|
|
2015-12-29 17:13:07 +01:00
|
|
|
interface MessageReceiver {
|
2015-04-29 21:37:50 +02:00
|
|
|
void messageReceived(ByteBuf msg);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
protected static final class MessageDelegatorChannelHandler extends SimpleChannelInboundHandler<ByteBuf> {
|
2015-12-29 17:13:07 +01:00
|
|
|
private final MessageReceiver receiver;
|
2015-04-29 21:37:50 +02:00
|
|
|
private final CountDownLatch latch;
|
|
|
|
|
|
2015-12-29 17:13:07 +01:00
|
|
|
public MessageDelegatorChannelHandler(MessageReceiver receiver, CountDownLatch latch) {
|
2015-04-29 21:37:50 +02:00
|
|
|
super(false);
|
|
|
|
|
this.receiver = receiver;
|
|
|
|
|
this.latch = latch;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Override
|
|
|
|
|
protected void channelRead0(ChannelHandlerContext ctx, ByteBuf msg) throws Exception {
|
|
|
|
|
receiver.messageReceived(msg);
|
|
|
|
|
latch.countDown();
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Before
|
|
|
|
|
public void setup() {
|
|
|
|
|
MockitoAnnotations.initMocks(this);
|
|
|
|
|
serverLatch = new CountDownLatch(1);
|
|
|
|
|
clientLatch = new CountDownLatch(1);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@After
|
|
|
|
|
public void tearDown() throws InterruptedException {
|
2016-05-28 05:52:56 +02:00
|
|
|
if (clientChannel != null) {
|
|
|
|
|
clientChannel.close();
|
|
|
|
|
clientChannel = null;
|
|
|
|
|
}
|
|
|
|
|
if (serverConnectedChannel != null) {
|
|
|
|
|
serverConnectedChannel.close();
|
|
|
|
|
serverConnectedChannel = null;
|
|
|
|
|
}
|
2015-04-29 21:37:50 +02:00
|
|
|
if (serverChannel != null) {
|
|
|
|
|
serverChannel.close().sync();
|
2016-05-28 05:52:56 +02:00
|
|
|
serverChannel = null;
|
|
|
|
|
}
|
|
|
|
|
Future<?> serverGroupShutdownFuture = null;
|
|
|
|
|
Future<?> serverChildGroupShutdownFuture = null;
|
|
|
|
|
Future<?> clientGroupShutdownFuture = null;
|
|
|
|
|
if (sb != null) {
|
|
|
|
|
serverGroupShutdownFuture = sb.config().group().shutdownGracefully(0, 0, TimeUnit.MILLISECONDS);
|
|
|
|
|
serverChildGroupShutdownFuture = sb.config().childGroup().shutdownGracefully(0, 0, TimeUnit.MILLISECONDS);
|
|
|
|
|
}
|
|
|
|
|
if (cb != null) {
|
|
|
|
|
clientGroupShutdownFuture = cb.config().group().shutdownGracefully(0, 0, TimeUnit.MILLISECONDS);
|
|
|
|
|
}
|
|
|
|
|
if (serverGroupShutdownFuture != null) {
|
|
|
|
|
serverGroupShutdownFuture.sync();
|
|
|
|
|
serverChildGroupShutdownFuture.sync();
|
|
|
|
|
}
|
|
|
|
|
if (clientGroupShutdownFuture != null) {
|
|
|
|
|
clientGroupShutdownFuture.sync();
|
2015-04-29 21:37:50 +02:00
|
|
|
}
|
|
|
|
|
serverException = null;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Test
|
|
|
|
|
public void testMutualAuthSameCerts() throws Exception {
|
|
|
|
|
mySetupMutualAuth(new File(getClass().getResource("test_unencrypted.pem").getFile()),
|
|
|
|
|
new File(getClass().getResource("test.crt").getFile()),
|
|
|
|
|
null);
|
|
|
|
|
runTest(null);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Test
|
|
|
|
|
public void testMutualAuthDiffCerts() throws Exception {
|
|
|
|
|
File serverKeyFile = new File(getClass().getResource("test_encrypted.pem").getFile());
|
|
|
|
|
File serverCrtFile = new File(getClass().getResource("test.crt").getFile());
|
|
|
|
|
String serverKeyPassword = "12345";
|
|
|
|
|
File clientKeyFile = new File(getClass().getResource("test2_encrypted.pem").getFile());
|
|
|
|
|
File clientCrtFile = new File(getClass().getResource("test2.crt").getFile());
|
|
|
|
|
String clientKeyPassword = "12345";
|
|
|
|
|
mySetupMutualAuth(clientCrtFile, serverKeyFile, serverCrtFile, serverKeyPassword,
|
|
|
|
|
serverCrtFile, clientKeyFile, clientCrtFile, clientKeyPassword);
|
|
|
|
|
runTest(null);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Test
|
|
|
|
|
public void testMutualAuthDiffCertsServerFailure() throws Exception {
|
|
|
|
|
File serverKeyFile = new File(getClass().getResource("test_encrypted.pem").getFile());
|
|
|
|
|
File serverCrtFile = new File(getClass().getResource("test.crt").getFile());
|
|
|
|
|
String serverKeyPassword = "12345";
|
|
|
|
|
File clientKeyFile = new File(getClass().getResource("test2_encrypted.pem").getFile());
|
|
|
|
|
File clientCrtFile = new File(getClass().getResource("test2.crt").getFile());
|
|
|
|
|
String clientKeyPassword = "12345";
|
|
|
|
|
// Client trusts server but server only trusts itself
|
|
|
|
|
mySetupMutualAuth(serverCrtFile, serverKeyFile, serverCrtFile, serverKeyPassword,
|
|
|
|
|
serverCrtFile, clientKeyFile, clientCrtFile, clientKeyPassword);
|
|
|
|
|
assertTrue(serverLatch.await(2, TimeUnit.SECONDS));
|
|
|
|
|
assertTrue(serverException instanceof SSLHandshakeException);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Test
|
|
|
|
|
public void testMutualAuthDiffCertsClientFailure() throws Exception {
|
|
|
|
|
File serverKeyFile = new File(getClass().getResource("test_unencrypted.pem").getFile());
|
|
|
|
|
File serverCrtFile = new File(getClass().getResource("test.crt").getFile());
|
|
|
|
|
String serverKeyPassword = null;
|
|
|
|
|
File clientKeyFile = new File(getClass().getResource("test2_unencrypted.pem").getFile());
|
|
|
|
|
File clientCrtFile = new File(getClass().getResource("test2.crt").getFile());
|
|
|
|
|
String clientKeyPassword = null;
|
|
|
|
|
// Server trusts client but client only trusts itself
|
|
|
|
|
mySetupMutualAuth(clientCrtFile, serverKeyFile, serverCrtFile, serverKeyPassword,
|
|
|
|
|
clientCrtFile, clientKeyFile, clientCrtFile, clientKeyPassword);
|
|
|
|
|
assertTrue(clientLatch.await(2, TimeUnit.SECONDS));
|
|
|
|
|
assertTrue(clientException instanceof SSLHandshakeException);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
private void mySetupMutualAuth(File keyFile, File crtFile, String keyPassword)
|
|
|
|
|
throws SSLException, InterruptedException {
|
|
|
|
|
mySetupMutualAuth(crtFile, keyFile, crtFile, keyPassword, crtFile, keyFile, crtFile, keyPassword);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
private void mySetupMutualAuth(
|
|
|
|
|
File servertTrustCrtFile, File serverKeyFile, File serverCrtFile, String serverKeyPassword,
|
|
|
|
|
File clientTrustCrtFile, File clientKeyFile, File clientCrtFile, String clientKeyPassword)
|
|
|
|
|
throws InterruptedException, SSLException {
|
2015-11-26 08:45:56 +01:00
|
|
|
serverSslCtx = SslContextBuilder.forServer(serverCrtFile, serverKeyFile, serverKeyPassword)
|
|
|
|
|
.sslProvider(sslProvider())
|
|
|
|
|
.trustManager(servertTrustCrtFile)
|
|
|
|
|
.ciphers(null, IdentityCipherSuiteFilter.INSTANCE)
|
|
|
|
|
.sessionCacheSize(0)
|
|
|
|
|
.sessionTimeout(0)
|
|
|
|
|
.build();
|
|
|
|
|
|
|
|
|
|
clientSslCtx = SslContextBuilder.forClient()
|
|
|
|
|
.sslProvider(sslProvider())
|
|
|
|
|
.trustManager(clientTrustCrtFile)
|
|
|
|
|
.keyManager(clientCrtFile, clientKeyFile, clientKeyPassword)
|
|
|
|
|
.ciphers(null, IdentityCipherSuiteFilter.INSTANCE)
|
|
|
|
|
.sessionCacheSize(0)
|
|
|
|
|
.sessionTimeout(0)
|
|
|
|
|
.build();
|
2015-04-29 21:37:50 +02:00
|
|
|
|
|
|
|
|
serverConnectedChannel = null;
|
|
|
|
|
sb = new ServerBootstrap();
|
|
|
|
|
cb = new Bootstrap();
|
|
|
|
|
|
|
|
|
|
sb.group(new NioEventLoopGroup(), new NioEventLoopGroup());
|
|
|
|
|
sb.channel(NioServerSocketChannel.class);
|
|
|
|
|
sb.childHandler(new ChannelInitializer<Channel>() {
|
|
|
|
|
@Override
|
|
|
|
|
protected void initChannel(Channel ch) throws Exception {
|
|
|
|
|
ChannelPipeline p = ch.pipeline();
|
|
|
|
|
SSLEngine engine = serverSslCtx.newEngine(ch.alloc());
|
|
|
|
|
engine.setUseClientMode(false);
|
|
|
|
|
engine.setNeedClientAuth(true);
|
|
|
|
|
p.addLast(new SslHandler(engine));
|
|
|
|
|
p.addLast(new MessageDelegatorChannelHandler(serverReceiver, serverLatch));
|
2015-12-26 19:42:00 +01:00
|
|
|
p.addLast(new ChannelInboundHandlerAdapter() {
|
2015-04-29 21:37:50 +02:00
|
|
|
@Override
|
|
|
|
|
public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) throws Exception {
|
|
|
|
|
if (cause.getCause() instanceof SSLHandshakeException) {
|
|
|
|
|
serverException = cause.getCause();
|
|
|
|
|
serverLatch.countDown();
|
|
|
|
|
} else {
|
|
|
|
|
ctx.fireExceptionCaught(cause);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
serverConnectedChannel = ch;
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
cb.group(new NioEventLoopGroup());
|
|
|
|
|
cb.channel(NioSocketChannel.class);
|
|
|
|
|
cb.handler(new ChannelInitializer<Channel>() {
|
|
|
|
|
@Override
|
|
|
|
|
protected void initChannel(Channel ch) throws Exception {
|
|
|
|
|
ChannelPipeline p = ch.pipeline();
|
|
|
|
|
p.addLast(clientSslCtx.newHandler(ch.alloc()));
|
|
|
|
|
p.addLast(new MessageDelegatorChannelHandler(clientReceiver, clientLatch));
|
2015-12-26 19:42:00 +01:00
|
|
|
p.addLast(new ChannelInboundHandlerAdapter() {
|
2015-04-29 21:37:50 +02:00
|
|
|
@Override
|
|
|
|
|
public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) throws Exception {
|
|
|
|
|
cause.printStackTrace();
|
|
|
|
|
if (cause.getCause() instanceof SSLHandshakeException) {
|
|
|
|
|
clientException = cause.getCause();
|
|
|
|
|
clientLatch.countDown();
|
|
|
|
|
} else {
|
|
|
|
|
ctx.fireExceptionCaught(cause);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
serverChannel = sb.bind(new InetSocketAddress(0)).sync().channel();
|
|
|
|
|
int port = ((InetSocketAddress) serverChannel.localAddress()).getPort();
|
|
|
|
|
|
|
|
|
|
ChannelFuture ccf = cb.connect(new InetSocketAddress(NetUtil.LOCALHOST, port));
|
|
|
|
|
assertTrue(ccf.awaitUninterruptibly().isSuccess());
|
|
|
|
|
clientChannel = ccf.channel();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
protected void runTest(String expectedApplicationProtocol) throws Exception {
|
|
|
|
|
final ByteBuf clientMessage = Unpooled.copiedBuffer("I am a client".getBytes());
|
|
|
|
|
final ByteBuf serverMessage = Unpooled.copiedBuffer("I am a server".getBytes());
|
|
|
|
|
try {
|
|
|
|
|
writeAndVerifyReceived(clientMessage.retain(), clientChannel, serverLatch, serverReceiver);
|
|
|
|
|
writeAndVerifyReceived(serverMessage.retain(), serverConnectedChannel, clientLatch, clientReceiver);
|
|
|
|
|
if (expectedApplicationProtocol != null) {
|
|
|
|
|
verifyApplicationLevelProtocol(clientChannel, expectedApplicationProtocol);
|
|
|
|
|
verifyApplicationLevelProtocol(serverConnectedChannel, expectedApplicationProtocol);
|
|
|
|
|
}
|
|
|
|
|
} finally {
|
|
|
|
|
clientMessage.release();
|
|
|
|
|
serverMessage.release();
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
private static void verifyApplicationLevelProtocol(Channel channel, String expectedApplicationProtocol) {
|
|
|
|
|
SslHandler handler = channel.pipeline().get(SslHandler.class);
|
|
|
|
|
assertNotNull(handler);
|
2015-05-30 10:53:46 +02:00
|
|
|
String appProto = handler.applicationProtocol();
|
|
|
|
|
assertEquals(appProto, expectedApplicationProtocol);
|
2015-04-29 21:37:50 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
private static void writeAndVerifyReceived(ByteBuf message, Channel sendChannel, CountDownLatch receiverLatch,
|
2015-12-29 17:13:07 +01:00
|
|
|
MessageReceiver receiver) throws Exception {
|
2015-04-29 21:37:50 +02:00
|
|
|
List<ByteBuf> dataCapture = null;
|
|
|
|
|
try {
|
|
|
|
|
sendChannel.writeAndFlush(message);
|
|
|
|
|
receiverLatch.await(5, TimeUnit.SECONDS);
|
|
|
|
|
message.resetReaderIndex();
|
|
|
|
|
ArgumentCaptor<ByteBuf> captor = ArgumentCaptor.forClass(ByteBuf.class);
|
|
|
|
|
verify(receiver).messageReceived(captor.capture());
|
|
|
|
|
dataCapture = captor.getAllValues();
|
|
|
|
|
assertEquals(message, dataCapture.get(0));
|
|
|
|
|
} finally {
|
|
|
|
|
if (dataCapture != null) {
|
|
|
|
|
for (ByteBuf data : dataCapture) {
|
|
|
|
|
data.release();
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2015-10-01 22:05:44 +02:00
|
|
|
@Test
|
|
|
|
|
public void testGetCreationTime() throws Exception {
|
|
|
|
|
SslContext context = SslContextBuilder.forClient().sslProvider(sslProvider()).build();
|
|
|
|
|
SSLEngine engine = context.newEngine(UnpooledByteBufAllocator.DEFAULT);
|
|
|
|
|
assertTrue(engine.getSession().getCreationTime() <= System.currentTimeMillis());
|
|
|
|
|
}
|
|
|
|
|
|
2015-09-30 10:14:29 +02:00
|
|
|
@Test
|
|
|
|
|
public void testSessionInvalidate() throws Exception {
|
|
|
|
|
final SslContext clientContext = SslContextBuilder.forClient()
|
|
|
|
|
.trustManager(InsecureTrustManagerFactory.INSTANCE)
|
|
|
|
|
.sslProvider(sslProvider())
|
|
|
|
|
.build();
|
|
|
|
|
SelfSignedCertificate ssc = new SelfSignedCertificate();
|
|
|
|
|
SslContext serverContext = SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey())
|
|
|
|
|
.sslProvider(sslProvider())
|
|
|
|
|
.build();
|
|
|
|
|
SSLEngine clientEngine = clientContext.newEngine(UnpooledByteBufAllocator.DEFAULT);
|
|
|
|
|
SSLEngine serverEngine = serverContext.newEngine(UnpooledByteBufAllocator.DEFAULT);
|
|
|
|
|
handshake(clientEngine, serverEngine);
|
|
|
|
|
|
|
|
|
|
SSLSession session = serverEngine.getSession();
|
|
|
|
|
assertTrue(session.isValid());
|
|
|
|
|
session.invalidate();
|
|
|
|
|
assertFalse(session.isValid());
|
|
|
|
|
}
|
|
|
|
|
|
2016-06-15 12:04:29 +02:00
|
|
|
@Test
|
|
|
|
|
public void testSSLSessionId() throws Exception {
|
|
|
|
|
final SslContext clientContext = SslContextBuilder.forClient()
|
|
|
|
|
.trustManager(InsecureTrustManagerFactory.INSTANCE)
|
|
|
|
|
.sslProvider(sslProvider())
|
|
|
|
|
.build();
|
|
|
|
|
SelfSignedCertificate ssc = new SelfSignedCertificate();
|
|
|
|
|
SslContext serverContext = SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey())
|
|
|
|
|
.sslProvider(sslProvider())
|
|
|
|
|
.build();
|
|
|
|
|
SSLEngine clientEngine = clientContext.newEngine(UnpooledByteBufAllocator.DEFAULT);
|
|
|
|
|
SSLEngine serverEngine = serverContext.newEngine(UnpooledByteBufAllocator.DEFAULT);
|
|
|
|
|
|
|
|
|
|
// Before the handshake the id should have length == 0
|
|
|
|
|
assertEquals(0, clientEngine.getSession().getId().length);
|
|
|
|
|
assertEquals(0, serverEngine.getSession().getId().length);
|
|
|
|
|
|
|
|
|
|
handshake(clientEngine, serverEngine);
|
|
|
|
|
|
|
|
|
|
// After the handshake the id should have length > 0
|
|
|
|
|
assertNotEquals(0, clientEngine.getSession().getId().length);
|
|
|
|
|
assertNotEquals(0, serverEngine.getSession().getId().length);
|
|
|
|
|
assertArrayEquals(clientEngine.getSession().getId(), serverEngine.getSession().getId());
|
|
|
|
|
}
|
|
|
|
|
|
2016-05-28 05:52:56 +02:00
|
|
|
@Test(timeout = 3000)
|
|
|
|
|
public void clientInitiatedRenegotiationWithFatalAlertDoesNotInfiniteLoopServer()
|
|
|
|
|
throws CertificateException, SSLException, InterruptedException, ExecutionException {
|
|
|
|
|
final SelfSignedCertificate ssc = new SelfSignedCertificate();
|
|
|
|
|
serverSslCtx = SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey())
|
|
|
|
|
.sslProvider(sslProvider()).build();
|
|
|
|
|
sb = new ServerBootstrap()
|
|
|
|
|
.group(new NioEventLoopGroup(1))
|
|
|
|
|
.channel(NioServerSocketChannel.class)
|
|
|
|
|
.childHandler(new ChannelInitializer<SocketChannel>() {
|
|
|
|
|
@Override
|
|
|
|
|
public void initChannel(SocketChannel ch) {
|
|
|
|
|
ChannelPipeline p = ch.pipeline();
|
|
|
|
|
p.addLast(serverSslCtx.newHandler(ch.alloc()));
|
|
|
|
|
p.addLast(new ChannelInboundHandlerAdapter() {
|
|
|
|
|
@Override
|
|
|
|
|
public void userEventTriggered(ChannelHandlerContext ctx, Object evt) {
|
|
|
|
|
if (evt instanceof SslHandshakeCompletionEvent &&
|
|
|
|
|
((SslHandshakeCompletionEvent) evt).isSuccess()) {
|
|
|
|
|
// This data will be sent to the client before any of the re-negotiation data can be
|
|
|
|
|
// sent. The client will read this, detect that it is not the response to
|
|
|
|
|
// renegotiation which was expected, and respond with a fatal alert.
|
|
|
|
|
ctx.writeAndFlush(ctx.alloc().buffer(1).writeByte(100));
|
|
|
|
|
}
|
|
|
|
|
ctx.fireUserEventTriggered(evt);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Override
|
|
|
|
|
public void channelRead(final ChannelHandlerContext ctx, Object msg) {
|
|
|
|
|
ReferenceCountUtil.release(msg);
|
|
|
|
|
// The server then attempts to trigger a flush operation once the application data is
|
|
|
|
|
// received from the client. The flush will encrypt all data and should not result in
|
|
|
|
|
// deadlock.
|
|
|
|
|
ctx.channel().eventLoop().schedule(new Runnable() {
|
|
|
|
|
@Override
|
|
|
|
|
public void run() {
|
|
|
|
|
ctx.writeAndFlush(ctx.alloc().buffer(1).writeByte(101));
|
|
|
|
|
}
|
|
|
|
|
}, 500, TimeUnit.MILLISECONDS);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Override
|
|
|
|
|
public void channelInactive(ChannelHandlerContext ctx) {
|
|
|
|
|
serverLatch.countDown();
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
serverConnectedChannel = ch;
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
serverChannel = sb.bind(new InetSocketAddress(0)).syncUninterruptibly().channel();
|
|
|
|
|
|
|
|
|
|
clientSslCtx = SslContextBuilder.forClient()
|
|
|
|
|
.sslProvider(SslProvider.JDK) // OpenSslEngine doesn't support renegotiation on client side
|
|
|
|
|
.trustManager(InsecureTrustManagerFactory.INSTANCE).build();
|
|
|
|
|
|
|
|
|
|
cb = new Bootstrap();
|
|
|
|
|
cb.group(new NioEventLoopGroup(1))
|
|
|
|
|
.channel(NioSocketChannel.class)
|
|
|
|
|
.handler(new ChannelInitializer<SocketChannel>() {
|
|
|
|
|
@Override
|
|
|
|
|
public void initChannel(SocketChannel ch) {
|
|
|
|
|
ChannelPipeline p = ch.pipeline();
|
|
|
|
|
SslHandler sslHandler = clientSslCtx.newHandler(ch.alloc());
|
|
|
|
|
// The renegotiate is not expected to succeed, so we should stop trying in a timely manner so
|
|
|
|
|
// the unit test can terminate relativley quicly.
|
|
|
|
|
sslHandler.setHandshakeTimeout(1, TimeUnit.SECONDS);
|
|
|
|
|
p.addLast(sslHandler);
|
|
|
|
|
p.addLast(new ChannelInboundHandlerAdapter() {
|
|
|
|
|
private int handshakeCount;
|
|
|
|
|
@Override
|
|
|
|
|
public void userEventTriggered(ChannelHandlerContext ctx, Object evt) {
|
|
|
|
|
// OpenSSL SSLEngine sends a fatal alert for the renegotiation handshake because the
|
|
|
|
|
// user data read as part of the handshake. The client receives this fatal alert and is
|
|
|
|
|
// expected to shutdown the connection. The "invalid data" during the renegotiation
|
|
|
|
|
// handshake is also delivered to channelRead(..) on the server.
|
|
|
|
|
// JDK SSLEngine completes the renegotiation handshake and delivers the "invalid data"
|
|
|
|
|
// is also delivered to channelRead(..) on the server. JDK SSLEngine does not send a
|
|
|
|
|
// fatal error and so for testing purposes we close the connection after we have
|
|
|
|
|
// completed the first renegotiation handshake (which is the second handshake).
|
|
|
|
|
if (evt instanceof SslHandshakeCompletionEvent && ++handshakeCount == 2) {
|
|
|
|
|
ctx.close();
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
ctx.fireUserEventTriggered(evt);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Override
|
|
|
|
|
public void channelRead(ChannelHandlerContext ctx, Object msg) {
|
|
|
|
|
ReferenceCountUtil.release(msg);
|
|
|
|
|
// Simulate a request that the server's application logic will think is invalid.
|
|
|
|
|
ctx.writeAndFlush(ctx.alloc().buffer(1).writeByte(102));
|
|
|
|
|
ctx.pipeline().get(SslHandler.class).renegotiate();
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
ChannelFuture ccf = cb.connect(serverChannel.localAddress());
|
|
|
|
|
assertTrue(ccf.syncUninterruptibly().isSuccess());
|
|
|
|
|
clientChannel = ccf.channel();
|
|
|
|
|
|
|
|
|
|
serverLatch.await();
|
|
|
|
|
}
|
|
|
|
|
|
2016-01-20 22:52:50 +01:00
|
|
|
protected void testEnablingAnAlreadyDisabledSslProtocol(String[] protocols1, String[] protocols2) throws Exception {
|
|
|
|
|
SSLEngine sslEngine = null;
|
|
|
|
|
try {
|
|
|
|
|
File serverKeyFile = new File(getClass().getResource("test_unencrypted.pem").getFile());
|
|
|
|
|
File serverCrtFile = new File(getClass().getResource("test.crt").getFile());
|
|
|
|
|
SslContext sslContext = SslContextBuilder.forServer(serverCrtFile, serverKeyFile)
|
|
|
|
|
.sslProvider(sslProvider())
|
|
|
|
|
.build();
|
|
|
|
|
|
|
|
|
|
sslEngine = sslContext.newEngine(UnpooledByteBufAllocator.DEFAULT);
|
|
|
|
|
|
|
|
|
|
// Disable all protocols
|
|
|
|
|
sslEngine.setEnabledProtocols(new String[]{});
|
|
|
|
|
|
|
|
|
|
// The only protocol that should be enabled is SSLv2Hello
|
|
|
|
|
String[] enabledProtocols = sslEngine.getEnabledProtocols();
|
|
|
|
|
assertEquals(protocols1.length, enabledProtocols.length);
|
|
|
|
|
assertArrayEquals(protocols1, enabledProtocols);
|
|
|
|
|
|
|
|
|
|
// Enable a protocol that is currently disabled
|
|
|
|
|
sslEngine.setEnabledProtocols(new String[]{PROTOCOL_TLS_V1_2});
|
|
|
|
|
|
|
|
|
|
// The protocol that was just enabled should be returned
|
|
|
|
|
enabledProtocols = sslEngine.getEnabledProtocols();
|
|
|
|
|
assertEquals(protocols2.length, enabledProtocols.length);
|
|
|
|
|
assertArrayEquals(protocols2, enabledProtocols);
|
|
|
|
|
} finally {
|
|
|
|
|
if (sslEngine != null) {
|
|
|
|
|
sslEngine.closeInbound();
|
|
|
|
|
sslEngine.closeOutbound();
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2016-02-02 14:49:41 +01:00
|
|
|
protected static void handshake(SSLEngine clientEngine, SSLEngine serverEngine) throws SSLException {
|
2015-09-30 10:14:29 +02:00
|
|
|
int netBufferSize = 17 * 1024;
|
|
|
|
|
ByteBuffer cTOs = ByteBuffer.allocateDirect(netBufferSize);
|
|
|
|
|
ByteBuffer sTOc = ByteBuffer.allocateDirect(netBufferSize);
|
|
|
|
|
|
|
|
|
|
ByteBuffer serverAppReadBuffer = ByteBuffer.allocateDirect(
|
|
|
|
|
serverEngine.getSession().getApplicationBufferSize());
|
|
|
|
|
ByteBuffer clientAppReadBuffer = ByteBuffer.allocateDirect(
|
|
|
|
|
clientEngine.getSession().getApplicationBufferSize());
|
|
|
|
|
|
|
|
|
|
clientEngine.beginHandshake();
|
|
|
|
|
serverEngine.beginHandshake();
|
|
|
|
|
|
|
|
|
|
ByteBuffer empty = ByteBuffer.allocate(0);
|
|
|
|
|
|
|
|
|
|
SSLEngineResult clientResult;
|
|
|
|
|
SSLEngineResult serverResult;
|
|
|
|
|
|
|
|
|
|
do {
|
|
|
|
|
clientResult = clientEngine.wrap(empty, cTOs);
|
|
|
|
|
runDelegatedTasks(clientResult, clientEngine);
|
|
|
|
|
serverResult = serverEngine.wrap(empty, sTOc);
|
|
|
|
|
runDelegatedTasks(serverResult, serverEngine);
|
|
|
|
|
cTOs.flip();
|
|
|
|
|
sTOc.flip();
|
|
|
|
|
clientResult = clientEngine.unwrap(sTOc, clientAppReadBuffer);
|
|
|
|
|
runDelegatedTasks(clientResult, clientEngine);
|
|
|
|
|
serverResult = serverEngine.unwrap(cTOs, serverAppReadBuffer);
|
|
|
|
|
runDelegatedTasks(serverResult, serverEngine);
|
|
|
|
|
cTOs.compact();
|
|
|
|
|
sTOc.compact();
|
2016-01-26 10:06:31 +01:00
|
|
|
} while (isHandshaking(clientResult) || isHandshaking(serverResult));
|
2015-09-30 10:14:29 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
private static boolean isHandshaking(SSLEngineResult result) {
|
|
|
|
|
return result.getHandshakeStatus() != SSLEngineResult.HandshakeStatus.NOT_HANDSHAKING &&
|
|
|
|
|
result.getHandshakeStatus() != SSLEngineResult.HandshakeStatus.FINISHED;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
private static void runDelegatedTasks(SSLEngineResult result, SSLEngine engine) {
|
|
|
|
|
if (result.getHandshakeStatus() == SSLEngineResult.HandshakeStatus.NEED_TASK) {
|
|
|
|
|
for (;;) {
|
|
|
|
|
Runnable task = engine.getDelegatedTask();
|
|
|
|
|
if (task == null) {
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
task.run();
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2015-04-29 21:37:50 +02:00
|
|
|
protected abstract SslProvider sslProvider();
|
2015-12-26 19:42:00 +01:00
|
|
|
|
|
|
|
|
protected void setupHandlers(ApplicationProtocolConfig apn) throws InterruptedException, SSLException,
|
|
|
|
|
CertificateException {
|
|
|
|
|
setupHandlers(apn, apn);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
protected void setupHandlers(ApplicationProtocolConfig serverApn, ApplicationProtocolConfig clientApn)
|
|
|
|
|
throws InterruptedException, SSLException, CertificateException {
|
|
|
|
|
SelfSignedCertificate ssc = new SelfSignedCertificate();
|
|
|
|
|
|
|
|
|
|
setupHandlers(SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey(), null)
|
|
|
|
|
.sslProvider(sslProvider())
|
|
|
|
|
.ciphers(null, IdentityCipherSuiteFilter.INSTANCE)
|
|
|
|
|
.applicationProtocolConfig(serverApn)
|
|
|
|
|
.sessionCacheSize(0)
|
|
|
|
|
.sessionTimeout(0)
|
|
|
|
|
.build(),
|
|
|
|
|
|
|
|
|
|
SslContextBuilder.forClient()
|
|
|
|
|
.sslProvider(sslProvider())
|
|
|
|
|
.applicationProtocolConfig(clientApn)
|
|
|
|
|
.trustManager(InsecureTrustManagerFactory.INSTANCE)
|
|
|
|
|
.ciphers(null, IdentityCipherSuiteFilter.INSTANCE)
|
|
|
|
|
.sessionCacheSize(0)
|
|
|
|
|
.sessionTimeout(0)
|
|
|
|
|
.build());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
protected void setupHandlers(SslContext serverCtx, SslContext clientCtx)
|
|
|
|
|
throws InterruptedException, SSLException, CertificateException {
|
|
|
|
|
|
|
|
|
|
serverSslCtx = serverCtx;
|
|
|
|
|
clientSslCtx = clientCtx;
|
|
|
|
|
|
|
|
|
|
serverConnectedChannel = null;
|
|
|
|
|
sb = new ServerBootstrap();
|
|
|
|
|
cb = new Bootstrap();
|
|
|
|
|
|
|
|
|
|
sb.group(new NioEventLoopGroup(), new NioEventLoopGroup());
|
|
|
|
|
sb.channel(NioServerSocketChannel.class);
|
|
|
|
|
sb.childHandler(new ChannelInitializer<Channel>() {
|
|
|
|
|
@Override
|
|
|
|
|
protected void initChannel(Channel ch) throws Exception {
|
|
|
|
|
ChannelPipeline p = ch.pipeline();
|
|
|
|
|
p.addLast(serverSslCtx.newHandler(ch.alloc()));
|
|
|
|
|
p.addLast(new MessageDelegatorChannelHandler(serverReceiver, serverLatch));
|
|
|
|
|
p.addLast(new ChannelInboundHandlerAdapter() {
|
|
|
|
|
@Override
|
|
|
|
|
public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) throws Exception {
|
|
|
|
|
if (cause.getCause() instanceof SSLHandshakeException) {
|
|
|
|
|
serverException = cause.getCause();
|
|
|
|
|
serverLatch.countDown();
|
|
|
|
|
} else {
|
|
|
|
|
ctx.fireExceptionCaught(cause);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
serverConnectedChannel = ch;
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
cb.group(new NioEventLoopGroup());
|
|
|
|
|
cb.channel(NioSocketChannel.class);
|
|
|
|
|
cb.handler(new ChannelInitializer<Channel>() {
|
|
|
|
|
@Override
|
|
|
|
|
protected void initChannel(Channel ch) throws Exception {
|
|
|
|
|
ChannelPipeline p = ch.pipeline();
|
|
|
|
|
p.addLast(clientSslCtx.newHandler(ch.alloc()));
|
|
|
|
|
p.addLast(new MessageDelegatorChannelHandler(clientReceiver, clientLatch));
|
|
|
|
|
p.addLast(new ChannelInboundHandlerAdapter() {
|
|
|
|
|
@Override
|
|
|
|
|
public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) throws Exception {
|
|
|
|
|
if (cause.getCause() instanceof SSLHandshakeException) {
|
|
|
|
|
clientException = cause.getCause();
|
|
|
|
|
clientLatch.countDown();
|
|
|
|
|
} else {
|
|
|
|
|
ctx.fireExceptionCaught(cause);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
serverChannel = sb.bind(new InetSocketAddress(0)).syncUninterruptibly().channel();
|
|
|
|
|
|
|
|
|
|
ChannelFuture ccf = cb.connect(serverChannel.localAddress());
|
|
|
|
|
assertTrue(ccf.syncUninterruptibly().isSuccess());
|
|
|
|
|
clientChannel = ccf.channel();
|
|
|
|
|
}
|
|
|
|
|
|
2015-04-29 21:37:50 +02:00
|
|
|
}
|
