andreacavalli/netty5
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Return an ExtendSSLSession whenever possible to allow more strict checking when using OpenSSL (#8281)

Browse Source 
Motivation:

When an ExtendedSSLSession is used its possible to do more strict checking of the keys during handshake. We should do this whenever possible.

Modification:

- Return an ExtendedSSLSession when using client-mode and Java7+
- Add unit test
- Simplify unit tests

Result:

More consistent behaviour.
This commit is contained in:
Norman Maurer 2018-09-14 14:33:11 +02:00 committed by GitHub
parent 9eb124bb62
commit 6ed7c6c75d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 514 additions and 85 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

179
handler/src/main/java/io/netty/handler/ssl/ExtendedOpenSslSession.java Normal file
View File

@ -0,0 +1,179 @@
/*
* Copyright 2018 The Netty Project
*
* The Netty Project licenses this file to you under the Apache License,
* version 2.0 (the "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at:
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations
* under the License.
*/
package io.netty.handler.ssl;
import io.netty.util.internal.EmptyArrays;
import javax.net.ssl.ExtendedSSLSession;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSessionContext;
import javax.security.cert.X509Certificate;
import java.security.Principal;
import java.security.cert.Certificate;
import java.util.List;
/**
* Delegates all operations to a wrapped {@link OpenSslSession} except the methods defined by {@link ExtendedSSLSession}
* itself.
*/
abstract class ExtendedOpenSslSession extends ExtendedSSLSession implements OpenSslSession {
// TODO: use OpenSSL API to actually fetch the real data but for now just do what Conscrypt does:
// https://github.com/google/conscrypt/blob/1.2.0/common/
// src/main/java/org/conscrypt/Java7ExtendedSSLSession.java#L32
private static final String[] LOCAL_SUPPORTED_SIGNATURE_ALGORITHMS = {
"SHA512withRSA", "SHA512withECDSA", "SHA384withRSA", "SHA384withECDSA", "SHA256withRSA",
"SHA256withECDSA", "SHA224withRSA", "SHA224withECDSA", "SHA1withRSA", "SHA1withECDSA",
};
private final OpenSslSession wrapped;
ExtendedOpenSslSession(OpenSslSession wrapped) {
assert !(wrapped instanceof ExtendedSSLSession);
this.wrapped = wrapped;
}
// Use rawtypes an unchecked override to be able to also work on java7.
@SuppressWarnings({ "unchecked", "rawtypes" })
public abstract List getRequestedServerNames();
@Override
public void handshakeFinished() throws SSLException {
wrapped.handshakeFinished();
}
@Override
public void tryExpandApplicationBufferSize(int packetLengthDataOnly) {
wrapped.tryExpandApplicationBufferSize(packetLengthDataOnly);
}
@Override
public String[] getLocalSupportedSignatureAlgorithms() {
return LOCAL_SUPPORTED_SIGNATURE_ALGORITHMS.clone();
}
@Override
public String[] getPeerSupportedSignatureAlgorithms() {
// Always return empty for now.
return EmptyArrays.EMPTY_STRINGS;
}
@Override
public byte[] getId() {
return wrapped.getId();
}
@Override
public SSLSessionContext getSessionContext() {
return wrapped.getSessionContext();
}
@Override
public long getCreationTime() {
return wrapped.getCreationTime();
}
@Override
public long getLastAccessedTime() {
return wrapped.getLastAccessedTime();
}
@Override
public void invalidate() {
wrapped.invalidate();
}
@Override
public boolean isValid() {
return wrapped.isValid();
}
@Override
public void putValue(String s, Object o) {
wrapped.putValue(s, o);
}
@Override
public Object getValue(String s) {
return wrapped.getValue(s);
}
@Override
public void removeValue(String s) {
wrapped.removeValue(s);
}
@Override
public String[] getValueNames() {
return wrapped.getValueNames();
}
@Override
public Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException {
return wrapped.getPeerCertificates();
}
@Override
public Certificate[] getLocalCertificates() {
return wrapped.getLocalCertificates();
}
@Override
public X509Certificate[] getPeerCertificateChain() throws SSLPeerUnverifiedException {
return wrapped.getPeerCertificateChain();
}
@Override
public Principal getPeerPrincipal() throws SSLPeerUnverifiedException {
return wrapped.getPeerPrincipal();
}
@Override
public Principal getLocalPrincipal() {
return wrapped.getLocalPrincipal();
}
@Override
public String getCipherSuite() {
return wrapped.getCipherSuite();
}
@Override
public String getProtocol() {
return wrapped.getProtocol();
}
@Override
public String getPeerHost() {
return wrapped.getPeerHost();
}
@Override
public int getPeerPort() {
return wrapped.getPeerPort();
}
@Override
public int getPacketBufferSize() {
return wrapped.getPacketBufferSize();
}
@Override
public int getApplicationBufferSize() {
return wrapped.getApplicationBufferSize();
}
}

9
handler/src/main/java/io/netty/handler/ssl/Java8SslUtils.java
View File

@ -48,11 +48,18 @@ final class Java8SslUtils {
} }
static void setSniHostNames(SSLParameters sslParameters, List<String> names) { static void setSniHostNames(SSLParameters sslParameters, List<String> names) {
sslParameters.setServerNames(getSniHostNames(names));
}
static List getSniHostNames(List<String> names) {
if (names == null || names.isEmpty()) {
return Collections.emptyList();
}
List<SNIServerName> sniServerNames = new ArrayList<SNIServerName>(names.size()); List<SNIServerName> sniServerNames = new ArrayList<SNIServerName>(names.size());
for (String name: names) { for (String name: names) {
sniServerNames.add(new SNIHostName(name)); sniServerNames.add(new SNIHostName(name));
} }
sslParameters.setServerNames(sniServerNames); return sniServerNames;
} }
static boolean getUseCipherSuitesOrder(SSLParameters sslParameters) { static boolean getUseCipherSuitesOrder(SSLParameters sslParameters) {

36
handler/src/main/java/io/netty/handler/ssl/OpenSslSession.java Normal file
View File

@ -0,0 +1,36 @@
/*
* Copyright 2018 The Netty Project
*
* The Netty Project licenses this file to you under the Apache License,
* version 2.0 (the "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at:
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations
* under the License.
*/
package io.netty.handler.ssl;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;
interface OpenSslSession extends SSLSession {
/**
* Finish the handshake and so init everything in the {@link OpenSslSession} that should be accessible by
* the user.
*/
void handshakeFinished() throws SSLException;
/**
* Expand (or increase) the value returned by {@link #getApplicationBufferSize()} if necessary.
* <p>
* This is only called in a synchronized block, so no need to use atomic operations.
* @param packetLengthDataOnly The packet size which exceeds the current {@link #getApplicationBufferSize()}.
*/
void tryExpandApplicationBufferSize(int packetLengthDataOnly);
}

37
handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslEngine.java
View File

@ -244,8 +244,17 @@ public class ReferenceCountedOpenSslEngine extends SSLEngine implements Referenc
OpenSsl.ensureAvailability(); OpenSsl.ensureAvailability();
this.alloc = checkNotNull(alloc, "alloc"); this.alloc = checkNotNull(alloc, "alloc");
apn = (OpenSslApplicationProtocolNegotiator) context.applicationProtocolNegotiator(); apn = (OpenSslApplicationProtocolNegotiator) context.applicationProtocolNegotiator();
session = new OpenSslSession(context.sessionContext());
clientMode = context.isClient(); clientMode = context.isClient();
if (PlatformDependent.javaVersion() >= 7 && context.isClient()) {
session = new ExtendedOpenSslSession(new DefaultOpenSslSession(context.sessionContext())) {
@Override
public List getRequestedServerNames() {
return Java8SslUtils.getSniHostNames(sniHostNames);
}
};
} else {
session = new DefaultOpenSslSession(context.sessionContext());
}
engineMap = context.engineMap; engineMap = context.engineMap;
localCerts = context.keyCertChain; localCerts = context.keyCertChain;
keyMaterialManager = context.keyMaterialManager(); keyMaterialManager = context.keyMaterialManager();
@ -1839,7 +1848,7 @@ public class ReferenceCountedOpenSslEngine extends SSLEngine implements Referenc
return Buffer.address(b); return Buffer.address(b);
} }
private final class OpenSslSession implements SSLSession { private final class DefaultOpenSslSession implements OpenSslSession {
private final OpenSslSessionContext sessionContext; private final OpenSslSessionContext sessionContext;
// These are guarded by synchronized(OpenSslEngine.this) as handshakeFinished() may be triggered by any // These are guarded by synchronized(OpenSslEngine.this) as handshakeFinished() may be triggered by any
@ -1855,10 +1864,14 @@ public class ReferenceCountedOpenSslEngine extends SSLEngine implements Referenc
// lazy init for memory reasons // lazy init for memory reasons
private Map<String, Object> values; private Map<String, Object> values;
OpenSslSession(OpenSslSessionContext sessionContext) { DefaultOpenSslSession(OpenSslSessionContext sessionContext) {
this.sessionContext = sessionContext; this.sessionContext = sessionContext;
} }
private SSLSessionBindingEvent newSSLSessionBindingEvent(String name) {
return new SSLSessionBindingEvent(session, name);
}
@Override @Override
public byte[] getId() { public byte[] getId() {
synchronized (ReferenceCountedOpenSslEngine.this) { synchronized (ReferenceCountedOpenSslEngine.this) {
@ -1925,7 +1938,8 @@ public class ReferenceCountedOpenSslEngine extends SSLEngine implements Referenc
} }
Object old = values.put(name, value); Object old = values.put(name, value);
if (value instanceof SSLSessionBindingListener) { if (value instanceof SSLSessionBindingListener) {
((SSLSessionBindingListener) value).valueBound(new SSLSessionBindingEvent(this, name)); // Use newSSLSessionBindingEvent so we alway use the wrapper if needed.
((SSLSessionBindingListener) value).valueBound(newSSLSessionBindingEvent(name));
} }
notifyUnbound(old, name); notifyUnbound(old, name);
} }
@ -1965,7 +1979,8 @@ public class ReferenceCountedOpenSslEngine extends SSLEngine implements Referenc
private void notifyUnbound(Object value, String name) { private void notifyUnbound(Object value, String name) {
if (value instanceof SSLSessionBindingListener) { if (value instanceof SSLSessionBindingListener) {
((SSLSessionBindingListener) value).valueUnbound(new SSLSessionBindingEvent(this, name)); // Use newSSLSessionBindingEvent so we alway use the wrapper if needed.
((SSLSessionBindingListener) value).valueUnbound(newSSLSessionBindingEvent(name));
} }
} }
@ -1973,7 +1988,8 @@ public class ReferenceCountedOpenSslEngine extends SSLEngine implements Referenc
* Finish the handshake and so init everything in the {@link OpenSslSession} that should be accessible by * Finish the handshake and so init everything in the {@link OpenSslSession} that should be accessible by
* the user. * the user.
*/ */
void handshakeFinished() throws SSLException { @Override
public void handshakeFinished() throws SSLException {
synchronized (ReferenceCountedOpenSslEngine.this) { synchronized (ReferenceCountedOpenSslEngine.this) {
if (!isDestroyed()) { if (!isDestroyed()) {
id = SSL.getSessionId(ssl); id = SSL.getSessionId(ssl);
@ -2191,13 +2207,8 @@ public class ReferenceCountedOpenSslEngine extends SSLEngine implements Referenc
return applicationBufferSize; return applicationBufferSize;
} }
/** @Override
* Expand (or increase) the value returned by {@link #getApplicationBufferSize()} if necessary. public void tryExpandApplicationBufferSize(int packetLengthDataOnly) {
* <p>
* This is only called in a synchronized block, so no need to use atomic operations.
* @param packetLengthDataOnly The packet size which exceeds the current {@link #getApplicationBufferSize()}.
*/
void tryExpandApplicationBufferSize(int packetLengthDataOnly) {
if (packetLengthDataOnly > MAX_PLAINTEXT_LENGTH && applicationBufferSize != MAX_RECORD_SIZE) { if (packetLengthDataOnly > MAX_PLAINTEXT_LENGTH && applicationBufferSize != MAX_RECORD_SIZE) {
applicationBufferSize = MAX_RECORD_SIZE; applicationBufferSize = MAX_RECORD_SIZE;
} }

200
handler/src/test/java/io/netty/handler/ssl/SniClientJava8TestUtil.java
View File

@ -29,14 +29,42 @@ import io.netty.channel.local.LocalChannel;
import io.netty.channel.local.LocalServerChannel; import io.netty.channel.local.LocalServerChannel;
import io.netty.handler.ssl.util.InsecureTrustManagerFactory; import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import io.netty.handler.ssl.util.SelfSignedCertificate; import io.netty.handler.ssl.util.SelfSignedCertificate;
import io.netty.handler.ssl.util.SimpleTrustManagerFactory;
import io.netty.util.concurrent.Promise; import io.netty.util.concurrent.Promise;
import io.netty.util.internal.EmptyArrays;
import io.netty.util.internal.ThrowableUtil; import io.netty.util.internal.ThrowableUtil;
import org.junit.Assert;
import javax.net.ssl.ExtendedSSLSession;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.KeyManagerFactorySpi;
import javax.net.ssl.ManagerFactoryParameters;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIMatcher; import javax.net.ssl.SNIMatcher;
import javax.net.ssl.SNIServerName; import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException; import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters; import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509ExtendedTrustManager;
import java.io.IOException;
import java.net.Socket;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections; import java.util.Collections;
import java.util.List;
/** /**
* In extra class to be able to run tests with java7 without trying to load classes that not exists in java7. * In extra class to be able to run tests with java7 without trying to load classes that not exists in java7.
@ -125,4 +153,176 @@ final class SniClientJava8TestUtil {
group.shutdownGracefully(); group.shutdownGracefully();
} }
} }
static void assertSSLSession(SSLSession session, String name) {
assertSSLSession(session, new SNIHostName(name));
}
private static void assertSSLSession(SSLSession session, SNIServerName name) {
Assert.assertNotNull(session);
if (session instanceof ExtendedSSLSession) {
ExtendedSSLSession extendedSSLSession = (ExtendedSSLSession) session;
List<SNIServerName> names = extendedSSLSession.getRequestedServerNames();
Assert.assertEquals(1, names.size());
Assert.assertEquals(name, names.get(0));
Assert.assertTrue(extendedSSLSession.getLocalSupportedSignatureAlgorithms().length > 0);
}
}
static TrustManagerFactory newSniX509TrustmanagerFactory(String name) {
return new SniX509TrustmanagerFactory(new SNIHostName(name));
}
private static final class SniX509TrustmanagerFactory extends SimpleTrustManagerFactory {
private final SNIServerName name;
SniX509TrustmanagerFactory(SNIServerName name) {
this.name = name;
}
@Override
protected void engineInit(KeyStore keyStore) throws Exception {
// NOOP
}
@Override
protected void engineInit(ManagerFactoryParameters managerFactoryParameters) throws Exception {
// NOOP
}
@Override
protected TrustManager[] engineGetTrustManagers() {
return new TrustManager[] { new X509ExtendedTrustManager() {
@Override
public void checkClientTrusted(X509Certificate[] x509Certificates, String s, Socket socket)
throws CertificateException {
Assert.fail();
}
@Override
public void checkServerTrusted(X509Certificate[] x509Certificates, String s, Socket socket)
throws CertificateException {
Assert.fail();
}
@Override
public void checkClientTrusted(X509Certificate[] x509Certificates, String s, SSLEngine sslEngine)
throws CertificateException {
Assert.fail();
}
@Override
public void checkServerTrusted(X509Certificate[] x509Certificates, String s, SSLEngine sslEngine)
throws CertificateException {
assertSSLSession(sslEngine.getHandshakeSession(), name);
}
@Override
public void checkClientTrusted(X509Certificate[] x509Certificates, String s)
throws CertificateException {
Assert.fail();
}
@Override
public void checkServerTrusted(X509Certificate[] x509Certificates, String s)
throws CertificateException {
Assert.fail();
}
@Override
public X509Certificate[] getAcceptedIssuers() {
return EmptyArrays.EMPTY_X509_CERTIFICATES;
}
} };
}
}
static KeyManagerFactory newSniX509KeyManagerFactory(SelfSignedCertificate cert, String hostname)
throws NoSuchAlgorithmException, KeyStoreException, UnrecoverableKeyException,
IOException, CertificateException {
return new SniX509KeyManagerFactory(
new SNIHostName(hostname), SslContext.buildKeyManagerFactory(
new X509Certificate[] { cert.cert() }, cert.key(), null, null));
}
private static final class SniX509KeyManagerFactory extends KeyManagerFactory {
SniX509KeyManagerFactory(final SNIServerName name, final KeyManagerFactory factory) {
super(new KeyManagerFactorySpi() {
@Override
protected void engineInit(KeyStore keyStore, char[] chars)
throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException {
factory.init(keyStore, chars);
}
@Override
protected void engineInit(ManagerFactoryParameters managerFactoryParameters)
throws InvalidAlgorithmParameterException {
factory.init(managerFactoryParameters);
}
@Override
protected KeyManager[] engineGetKeyManagers() {
List<KeyManager> managers = new ArrayList<KeyManager>();
for (final KeyManager km: factory.getKeyManagers()) {
if (km instanceof X509ExtendedKeyManager) {
managers.add(new X509ExtendedKeyManager() {
@Override
public String[] getClientAliases(String s, Principal[] principals) {
return ((X509ExtendedKeyManager) km).getClientAliases(s, principals);
}
@Override
public String chooseClientAlias(String[] strings, Principal[] principals,
Socket socket) {
return ((X509ExtendedKeyManager) km).chooseClientAlias(strings, principals, socket);
}
@Override
public String[] getServerAliases(String s, Principal[] principals) {
return ((X509ExtendedKeyManager) km).getServerAliases(s, principals);
}
@Override
public String chooseServerAlias(String s, Principal[] principals, Socket socket) {
return ((X509ExtendedKeyManager) km).chooseServerAlias(s, principals, socket);
}
@Override
public X509Certificate[] getCertificateChain(String s) {
return ((X509ExtendedKeyManager) km).getCertificateChain(s);
}
@Override
public PrivateKey getPrivateKey(String s) {
return ((X509ExtendedKeyManager) km).getPrivateKey(s);
}
@Override
public String chooseEngineClientAlias(String[] strings, Principal[] principals,
SSLEngine sslEngine) {
return ((X509ExtendedKeyManager) km)
.chooseEngineClientAlias(strings, principals, sslEngine);
}
@Override
public String chooseEngineServerAlias(String s, Principal[] principals,
SSLEngine sslEngine) {
SSLSession session = sslEngine.getHandshakeSession();
assertSSLSession(session, name);
return ((X509ExtendedKeyManager) km)
.chooseEngineServerAlias(s, principals, sslEngine);
}
});
} else {
managers.add(km);
}
}
return managers.toArray(new KeyManager[0]);
}
}, factory.getProvider(), factory.getAlgorithm());
}
}
} }

135
handler/src/test/java/io/netty/handler/ssl/SniClientTest.java
View File

@ -33,97 +33,79 @@ import io.netty.util.internal.PlatformDependent;
import org.junit.Assert; import org.junit.Assert;
import org.junit.Assume; import org.junit.Assume;
import org.junit.Test; import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;
import org.junit.runners.Parameterized.Parameters;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLException; import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManagerFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
@RunWith(Parameterized.class)
public class SniClientTest { public class SniClientTest {
@Test(timeout = 30000) @Parameters(name = "{index}: serverSslProvider = {0}, clientSslProvider = {1}")
public void testSniClientJdkSslServerJdkSsl() throws Exception { public static Collection<Object[]> parameters() {
testSniClient(SslProvider.JDK, SslProvider.JDK); List<SslProvider> providers = new ArrayList<SslProvider>(Arrays.asList(SslProvider.values()));
if (!OpenSsl.isAvailable()) {
providers.remove(SslProvider.OPENSSL);
providers.remove(SslProvider.OPENSSL_REFCNT);
}
List<Object[]> params = new ArrayList<Object[]>();
for (SslProvider sp: providers) {
for (SslProvider cp: providers) {
params.add(new Object[] { sp, cp });
}
}
return params;
}
private final SslProvider serverProvider;
private final SslProvider clientProvider;
public SniClientTest(SslProvider serverProvider, SslProvider clientProvider) {
this.serverProvider = serverProvider;
this.clientProvider = clientProvider;
} }
@Test(timeout = 30000) @Test(timeout = 30000)
public void testSniClientOpenSslServerOpenSsl() throws Exception { public void testSniClient() throws Exception {
Assume.assumeTrue(OpenSsl.isAvailable()); testSniClient(serverProvider, clientProvider);
testSniClient(SslProvider.OPENSSL, SslProvider.OPENSSL);
} }
@Test(timeout = 30000) @Test(timeout = 30000)
public void testSniClientJdkSslServerOpenSsl() throws Exception { public void testSniSNIMatcherMatchesClient() throws Exception {
Assume.assumeTrue(OpenSsl.isAvailable());
testSniClient(SslProvider.JDK, SslProvider.OPENSSL);
}
@Test(timeout = 30000)
public void testSniClientOpenSslServerJdkSsl() throws Exception {
Assume.assumeTrue(OpenSsl.isAvailable());
testSniClient(SslProvider.OPENSSL, SslProvider.JDK);
}
@Test(timeout = 30000)
public void testSniSNIMatcherMatchesClientJdkSslServerJdkSsl() throws Exception {
Assume.assumeTrue(PlatformDependent.javaVersion() >= 8); Assume.assumeTrue(PlatformDependent.javaVersion() >= 8);
SniClientJava8TestUtil.testSniClient(SslProvider.JDK, SslProvider.JDK, true); SniClientJava8TestUtil.testSniClient(serverProvider, clientProvider, true);
} }
@Test(timeout = 30000, expected = SSLException.class) @Test(timeout = 30000, expected = SSLException.class)
public void testSniSNIMatcherDoesNotMatchClientJdkSslServerJdkSsl() throws Exception { public void testSniSNIMatcherDoesNotMatchClient() throws Exception {
Assume.assumeTrue(PlatformDependent.javaVersion() >= 8); Assume.assumeTrue(PlatformDependent.javaVersion() >= 8);
SniClientJava8TestUtil.testSniClient(SslProvider.JDK, SslProvider.JDK, false); SniClientJava8TestUtil.testSniClient(serverProvider, clientProvider, false);
}
@Test(timeout = 30000)
public void testSniSNIMatcherMatchesClientOpenSslServerOpenSsl() throws Exception {
Assume.assumeTrue(PlatformDependent.javaVersion() >= 8);
Assume.assumeTrue(OpenSsl.isAvailable());
SniClientJava8TestUtil.testSniClient(SslProvider.OPENSSL, SslProvider.OPENSSL, true);
}
@Test(timeout = 30000, expected = SSLException.class)
public void testSniSNIMatcherDoesNotMatchClientOpenSslServerOpenSsl() throws Exception {
Assume.assumeTrue(PlatformDependent.javaVersion() >= 8);
Assume.assumeTrue(OpenSsl.isAvailable());
SniClientJava8TestUtil.testSniClient(SslProvider.OPENSSL, SslProvider.OPENSSL, false);
}
@Test(timeout = 30000)
public void testSniSNIMatcherMatchesClientJdkSslServerOpenSsl() throws Exception {
Assume.assumeTrue(PlatformDependent.javaVersion() >= 8);
Assume.assumeTrue(OpenSsl.isAvailable());
SniClientJava8TestUtil.testSniClient(SslProvider.JDK, SslProvider.OPENSSL, true);
}
@Test(timeout = 30000, expected = SSLException.class)
public void testSniSNIMatcherDoesNotMatchClientJdkSslServerOpenSsl() throws Exception {
Assume.assumeTrue(PlatformDependent.javaVersion() >= 8);
Assume.assumeTrue(OpenSsl.isAvailable());
SniClientJava8TestUtil.testSniClient(SslProvider.JDK, SslProvider.OPENSSL, false);
}
@Test(timeout = 30000)
public void testSniSNIMatcherMatchesClientOpenSslServerJdkSsl() throws Exception {
Assume.assumeTrue(PlatformDependent.javaVersion() >= 8);
Assume.assumeTrue(OpenSsl.isAvailable());
SniClientJava8TestUtil.testSniClient(SslProvider.OPENSSL, SslProvider.JDK, true);
}
@Test(timeout = 30000, expected = SSLException.class)
public void testSniSNIMatcherDoesNotMatchClientOpenSslServerJdkSsl() throws Exception {
Assume.assumeTrue(PlatformDependent.javaVersion() >= 8);
Assume.assumeTrue(OpenSsl.isAvailable());
SniClientJava8TestUtil.testSniClient(SslProvider.OPENSSL, SslProvider.JDK, false);
} }
private static void testSniClient(SslProvider sslClientProvider, SslProvider sslServerProvider) throws Exception { private static void testSniClient(SslProvider sslClientProvider, SslProvider sslServerProvider) throws Exception {
final String sniHost = "sni.netty.io"; String sniHostName = "sni.netty.io";
LocalAddress address = new LocalAddress("test"); LocalAddress address = new LocalAddress("test");
EventLoopGroup group = new DefaultEventLoopGroup(1); EventLoopGroup group = new DefaultEventLoopGroup(1);
Channel sc = null; Channel sc = null;
Channel cc = null; Channel cc = null;
try { try {
SelfSignedCertificate cert = new SelfSignedCertificate(); SelfSignedCertificate cert = new SelfSignedCertificate();
final SslContext sslServerContext = SslContextBuilder.forServer(cert.key(), cert.cert())
KeyManagerFactory kmf = PlatformDependent.javaVersion() >= 8 ?
SniClientJava8TestUtil.newSniX509KeyManagerFactory(cert, sniHostName) :
SslContext.buildKeyManagerFactory(
new X509Certificate[] { cert.cert() }, cert.key(), null, null);
final SslContext sslServerContext = SslContextBuilder.forServer(kmf)
.sslProvider(sslServerProvider).build(); .sslProvider(sslServerProvider).build();
final Promise<String> promise = group.next().newPromise(); final Promise<String> promise = group.next().newPromise();
@ -141,13 +123,26 @@ public class SniClientTest {
} }
}).bind(address).syncUninterruptibly().channel(); }).bind(address).syncUninterruptibly().channel();
SslContext sslContext = SslContextBuilder.forClient().trustManager(InsecureTrustManagerFactory.INSTANCE) TrustManagerFactory tmf = PlatformDependent.javaVersion() >= 8 ?
SniClientJava8TestUtil.newSniX509TrustmanagerFactory(sniHostName) :
InsecureTrustManagerFactory.INSTANCE;
SslContext sslContext = SslContextBuilder.forClient().trustManager(tmf)
.sslProvider(sslClientProvider).build(); .sslProvider(sslClientProvider).build();
Bootstrap cb = new Bootstrap(); Bootstrap cb = new Bootstrap();
cc = cb.group(group).channel(LocalChannel.class).handler(new SslHandler(
sslContext.newEngine(ByteBufAllocator.DEFAULT, sniHost, -1))) SslHandler handler = new SslHandler(
sslContext.newEngine(ByteBufAllocator.DEFAULT, sniHostName, -1));
cc = cb.group(group).channel(LocalChannel.class).handler(handler)
.connect(address).syncUninterruptibly().channel(); .connect(address).syncUninterruptibly().channel();
Assert.assertEquals(sniHost, promise.syncUninterruptibly().getNow()); Assert.assertEquals(sniHostName, promise.syncUninterruptibly().getNow());
// After we are done with handshaking getHandshakeSession() should return null.
handler.handshakeFuture().syncUninterruptibly();
Assert.assertNull(handler.engine().getHandshakeSession());
if (PlatformDependent.javaVersion() >= 8) {
SniClientJava8TestUtil.assertSSLSession(handler.engine().getSession(), sniHostName);
}
} finally { } finally {
if (cc != null) { if (cc != null) {
cc.close().syncUninterruptibly(); cc.close().syncUninterruptibly();

1
pom.xml
View File

@ -721,6 +721,7 @@
<!-- SSLSession implementation --> <!-- SSLSession implementation -->
<ignore>javax.net.ssl.SSLEngine</ignore> <ignore>javax.net.ssl.SSLEngine</ignore>
<ignore>javax.net.ssl.ExtendedSSLSession</ignore>
<ignore>javax.net.ssl.X509ExtendedTrustManager</ignore> <ignore>javax.net.ssl.X509ExtendedTrustManager</ignore>
<ignore>javax.net.ssl.SSLParameters</ignore> <ignore>javax.net.ssl.SSLParameters</ignore>
<ignore>javax.net.ssl.SNIServerName</ignore> <ignore>javax.net.ssl.SNIServerName</ignore>