From 81315d4515ff79e58de6c5309e3fcfde928799fe Mon Sep 17 00:00:00 2001 From: Hakky54 Date: Wed, 21 Jun 2023 23:11:29 +0200 Subject: [PATCH 1/6] Added new SSLContext --- .../main/java/nl/altindag/ssl/SSLFactory.java | 25 ++--- .../ssl/sslcontext/FenixSSLContext.java | 39 +++++++ .../ssl/sslcontext/FenixSSLContextSpi.java | 104 ++++++++++++++++++ .../java/nl/altindag/ssl/SSLFactoryIT.java | 7 ++ 4 files changed, 161 insertions(+), 14 deletions(-) create mode 100644 sslcontext-kickstart/src/main/java/nl/altindag/ssl/sslcontext/FenixSSLContext.java create mode 100644 sslcontext-kickstart/src/main/java/nl/altindag/ssl/sslcontext/FenixSSLContextSpi.java diff --git a/sslcontext-kickstart/src/main/java/nl/altindag/ssl/SSLFactory.java b/sslcontext-kickstart/src/main/java/nl/altindag/ssl/SSLFactory.java index 66c53afd..0fe2e92f 100644 --- a/sslcontext-kickstart/src/main/java/nl/altindag/ssl/SSLFactory.java +++ b/sslcontext-kickstart/src/main/java/nl/altindag/ssl/SSLFactory.java @@ -20,6 +20,7 @@ import nl.altindag.ssl.model.KeyStoreHolder; import nl.altindag.ssl.model.TrustManagerParameters; import nl.altindag.ssl.model.internal.SSLMaterial; +import nl.altindag.ssl.sslcontext.FenixSSLContext; import nl.altindag.ssl.trustmanager.trustoptions.TrustAnchorTrustOptions; import nl.altindag.ssl.trustmanager.trustoptions.TrustStoreTrustOptions; import nl.altindag.ssl.trustmanager.validator.ChainAndAuthTypeValidator; @@ -31,7 +32,6 @@ import nl.altindag.ssl.util.SSLContextUtils; import nl.altindag.ssl.util.SSLParametersUtils; import nl.altindag.ssl.util.SSLSessionUtils; -import nl.altindag.ssl.util.SSLSocketUtils; import nl.altindag.ssl.util.TrustManagerUtils; import nl.altindag.ssl.util.internal.StringUtils; import nl.altindag.ssl.util.internal.UriUtils; @@ -99,11 +99,11 @@ public SSLContext getSslContext() { } public SSLSocketFactory getSslSocketFactory() { - return SSLSocketUtils.createSslSocketFactory(sslMaterial.getSslContext(), getSslParameters()); + return sslMaterial.getSslContext().getSocketFactory(); } public SSLServerSocketFactory getSslServerSocketFactory() { - return SSLSocketUtils.createSslServerSocketFactory(sslMaterial.getSslContext(), getSslParameters()); + return sslMaterial.getSslContext().getServerSocketFactory(); } public Optional getKeyManager() { @@ -147,19 +147,15 @@ public SSLParameters getSslParameters() { } public SSLEngine getSSLEngine() { - return getSSLEngine(null, null); + return sslMaterial.getSslContext().createSSLEngine(); } public SSLEngine getSSLEngine(String peerHost, Integer peerPort) { - SSLEngine sslEngine; if (nonNull(peerHost) && nonNull(peerPort)) { - sslEngine = sslMaterial.getSslContext().createSSLEngine(peerHost, peerPort); + return sslMaterial.getSslContext().createSSLEngine(peerHost, peerPort); } else { - sslEngine = sslMaterial.getSslContext().createSSLEngine(); + return getSSLEngine(); } - - sslEngine.setSSLParameters(getSslParameters()); - return sslEngine; } public static Builder builder() { @@ -826,7 +822,7 @@ public SSLFactory build() { X509ExtendedKeyManager keyManager = isIdentityMaterialPresent() ? createKeyManager() : null; X509ExtendedTrustManager trustManager = isTrustMaterialPresent() ? createTrustManager() : null; - SSLContext sslContext = SSLContextUtils.createSslContext( + SSLContext baseSslContext = SSLContextUtils.createSslContext( keyManager, trustManager, secureRandom, @@ -836,16 +832,17 @@ public SSLFactory build() { ); if (sessionTimeoutInSeconds >= 0) { - SSLSessionUtils.updateSessionTimeout(sslContext, sessionTimeoutInSeconds); + SSLSessionUtils.updateSessionTimeout(baseSslContext, sessionTimeoutInSeconds); } if (sessionCacheSizeInBytes >= 0) { - SSLSessionUtils.updateSessionCacheSize(sslContext, sessionCacheSizeInBytes); + SSLSessionUtils.updateSessionCacheSize(baseSslContext, sessionCacheSizeInBytes); } sslParameters.setCipherSuites(ciphers.isEmpty() ? null : ciphers.stream().distinct().toArray(String[]::new)); sslParameters.setProtocols(protocols.isEmpty() ? null : protocols.stream().distinct().toArray(String[]::new)); - SSLParameters baseSslParameters = SSLParametersUtils.merge(sslParameters, sslContext.getDefaultSSLParameters()); + SSLParameters baseSslParameters = SSLParametersUtils.merge(sslParameters, baseSslContext.getDefaultSSLParameters()); + SSLContext sslContext = new FenixSSLContext(baseSslContext, baseSslParameters); SSLMaterial sslMaterial = new SSLMaterial.Builder() .withSslContext(sslContext) diff --git a/sslcontext-kickstart/src/main/java/nl/altindag/ssl/sslcontext/FenixSSLContext.java b/sslcontext-kickstart/src/main/java/nl/altindag/ssl/sslcontext/FenixSSLContext.java new file mode 100644 index 00000000..a2970ee7 --- /dev/null +++ b/sslcontext-kickstart/src/main/java/nl/altindag/ssl/sslcontext/FenixSSLContext.java @@ -0,0 +1,39 @@ +/* + * Copyright 2019 Thunderberry. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package nl.altindag.ssl.sslcontext; + +import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLContextSpi; +import javax.net.ssl.SSLParameters; +import java.security.Provider; + +/** + * NOTE: + * Please don't use this class directly as it is part of the internal API. Class name and methods can be changed any time. + * + * @author Hakan Altindag + */ +public class FenixSSLContext extends SSLContext { + + private FenixSSLContext(SSLContextSpi contextSpi, Provider provider, String protocol) { + super(contextSpi, provider, protocol); + } + + public FenixSSLContext(SSLContext baseSslContext, SSLParameters baseSslParameters) { + this(new FenixSSLContextSpi(baseSslContext, baseSslParameters), baseSslContext.getProvider(), baseSslContext.getProtocol()); + } + +} diff --git a/sslcontext-kickstart/src/main/java/nl/altindag/ssl/sslcontext/FenixSSLContextSpi.java b/sslcontext-kickstart/src/main/java/nl/altindag/ssl/sslcontext/FenixSSLContextSpi.java new file mode 100644 index 00000000..e7b9212a --- /dev/null +++ b/sslcontext-kickstart/src/main/java/nl/altindag/ssl/sslcontext/FenixSSLContextSpi.java @@ -0,0 +1,104 @@ +/* + * Copyright 2019 Thunderberry. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package nl.altindag.ssl.sslcontext; + +import nl.altindag.ssl.util.SSLParametersUtils; +import nl.altindag.ssl.util.SSLSocketUtils; + +import javax.net.ssl.KeyManager; +import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLContextSpi; +import javax.net.ssl.SSLEngine; +import javax.net.ssl.SSLParameters; +import javax.net.ssl.SSLServerSocketFactory; +import javax.net.ssl.SSLSessionContext; +import javax.net.ssl.SSLSocketFactory; +import javax.net.ssl.TrustManager; +import java.security.SecureRandom; + +import static java.util.Objects.nonNull; + +/** + * @author Hakan Altindag + */ +class FenixSSLContextSpi extends SSLContextSpi { + + private final SSLContext sslContext; + private final SSLParameters sslParameters; + + FenixSSLContextSpi(SSLContext sslContext, SSLParameters sslParameters) { + this.sslContext = sslContext; + this.sslParameters = sslParameters; + } + + @Override + protected void engineInit(KeyManager[] km, TrustManager[] tm, SecureRandom sr) { + // ignore as the base SSLContext has already been initialized; + } + + @Override + protected SSLSocketFactory engineGetSocketFactory() { + return SSLSocketUtils.createSslSocketFactory(sslContext, engineGetSupportedSSLParameters()); + } + + @Override + protected SSLServerSocketFactory engineGetServerSocketFactory() { + return SSLSocketUtils.createSslServerSocketFactory(sslContext, engineGetSupportedSSLParameters()); + } + + @Override + protected SSLEngine engineCreateSSLEngine() { + return getSSLEngine(null, null); + } + + @Override + protected SSLEngine engineCreateSSLEngine(String host, int port) { + return getSSLEngine(host, port); + } + + private SSLEngine getSSLEngine(String peerHost, Integer peerPort) { + SSLEngine sslEngine; + if (nonNull(peerHost) && nonNull(peerPort)) { + sslEngine = sslContext.createSSLEngine(peerHost, peerPort); + } else { + sslEngine = sslContext.createSSLEngine(); + } + + sslEngine.setSSLParameters(engineGetSupportedSSLParameters()); + return sslEngine; + } + + @Override + protected SSLSessionContext engineGetServerSessionContext() { + return sslContext.getServerSessionContext(); + } + + @Override + protected SSLSessionContext engineGetClientSessionContext() { + return sslContext.getClientSessionContext(); + } + + @Override + protected SSLParameters engineGetDefaultSSLParameters() { + return sslContext.getDefaultSSLParameters(); + } + + @Override + protected SSLParameters engineGetSupportedSSLParameters() { + return SSLParametersUtils.copy(sslParameters); + } + +} diff --git a/sslcontext-kickstart/src/test/java/nl/altindag/ssl/SSLFactoryIT.java b/sslcontext-kickstart/src/test/java/nl/altindag/ssl/SSLFactoryIT.java index b33f6dbd..0a82ff71 100644 --- a/sslcontext-kickstart/src/test/java/nl/altindag/ssl/SSLFactoryIT.java +++ b/sslcontext-kickstart/src/test/java/nl/altindag/ssl/SSLFactoryIT.java @@ -23,7 +23,9 @@ import org.junit.jupiter.api.Test; import javax.net.ssl.HttpsURLConnection; +import javax.net.ssl.SSLContext; import javax.net.ssl.SSLException; +import javax.net.ssl.SSLParameters; import javax.net.ssl.SSLSocketFactory; import javax.net.ssl.X509ExtendedTrustManager; import java.io.BufferedReader; @@ -56,8 +58,13 @@ void executeHttpsRequestWithMutualAuthentication() throws IOException { .withIdentityMaterial("keystore/client-server/server-one/identity.jks", "secret".toCharArray()) .withTrustMaterial("keystore/client-server/server-one/truststore.jks", "secret".toCharArray()) .withNeedClientAuthentication() + .withProtocols("TLSv1.3") .build(); + SSLContext sslContext = sslFactoryForServer.getSslContext(); + SSLParameters defaultSSLParameters = sslContext.getDefaultSSLParameters(); + SSLParameters supportedSSLParameters = sslContext.getSupportedSSLParameters(); + Server server = Server.createDefault(sslFactoryForServer); SSLFactory sslFactoryForClient = SSLFactory.builder() From 0b8777ab0b881a1c1d6977c84e9e600f00e2a752 Mon Sep 17 00:00:00 2001 From: Hakky54 Date: Wed, 21 Jun 2023 23:14:15 +0200 Subject: [PATCH 2/6] Reverted to initial state --- .../src/main/java/nl/altindag/ssl/SSLFactory.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sslcontext-kickstart/src/main/java/nl/altindag/ssl/SSLFactory.java b/sslcontext-kickstart/src/main/java/nl/altindag/ssl/SSLFactory.java index 0fe2e92f..2697f304 100644 --- a/sslcontext-kickstart/src/main/java/nl/altindag/ssl/SSLFactory.java +++ b/sslcontext-kickstart/src/main/java/nl/altindag/ssl/SSLFactory.java @@ -147,14 +147,14 @@ public SSLParameters getSslParameters() { } public SSLEngine getSSLEngine() { - return sslMaterial.getSslContext().createSSLEngine(); + return getSSLEngine(null, null); } public SSLEngine getSSLEngine(String peerHost, Integer peerPort) { if (nonNull(peerHost) && nonNull(peerPort)) { return sslMaterial.getSslContext().createSSLEngine(peerHost, peerPort); } else { - return getSSLEngine(); + return sslMaterial.getSslContext().createSSLEngine(); } } From fd42d287073ae9812f9c29359282e2241ea65e83 Mon Sep 17 00:00:00 2001 From: Hakky54 Date: Thu, 22 Jun 2023 00:14:14 +0200 Subject: [PATCH 3/6] Simplified FenixSSLContext and added test --- .../ssl/sslcontext/FenixSSLContext.java | 8 +--- .../ssl/sslcontext/FenixSSLContextSpi.java | 12 ++++-- .../sslcontext/FenixSSLContextSpiShould.java | 39 +++++++++++++++++++ 3 files changed, 48 insertions(+), 11 deletions(-) create mode 100644 sslcontext-kickstart/src/test/java/nl/altindag/ssl/sslcontext/FenixSSLContextSpiShould.java diff --git a/sslcontext-kickstart/src/main/java/nl/altindag/ssl/sslcontext/FenixSSLContext.java b/sslcontext-kickstart/src/main/java/nl/altindag/ssl/sslcontext/FenixSSLContext.java index a2970ee7..827a25c3 100644 --- a/sslcontext-kickstart/src/main/java/nl/altindag/ssl/sslcontext/FenixSSLContext.java +++ b/sslcontext-kickstart/src/main/java/nl/altindag/ssl/sslcontext/FenixSSLContext.java @@ -16,9 +16,7 @@ package nl.altindag.ssl.sslcontext; import javax.net.ssl.SSLContext; -import javax.net.ssl.SSLContextSpi; import javax.net.ssl.SSLParameters; -import java.security.Provider; /** * NOTE: @@ -28,12 +26,8 @@ */ public class FenixSSLContext extends SSLContext { - private FenixSSLContext(SSLContextSpi contextSpi, Provider provider, String protocol) { - super(contextSpi, provider, protocol); - } - public FenixSSLContext(SSLContext baseSslContext, SSLParameters baseSslParameters) { - this(new FenixSSLContextSpi(baseSslContext, baseSslParameters), baseSslContext.getProvider(), baseSslContext.getProtocol()); + super(new FenixSSLContextSpi(baseSslContext, baseSslParameters), baseSslContext.getProvider(), baseSslContext.getProtocol()); } } diff --git a/sslcontext-kickstart/src/main/java/nl/altindag/ssl/sslcontext/FenixSSLContextSpi.java b/sslcontext-kickstart/src/main/java/nl/altindag/ssl/sslcontext/FenixSSLContextSpi.java index e7b9212a..326783ac 100644 --- a/sslcontext-kickstart/src/main/java/nl/altindag/ssl/sslcontext/FenixSSLContextSpi.java +++ b/sslcontext-kickstart/src/main/java/nl/altindag/ssl/sslcontext/FenixSSLContextSpi.java @@ -17,6 +17,8 @@ import nl.altindag.ssl.util.SSLParametersUtils; import nl.altindag.ssl.util.SSLSocketUtils; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; import javax.net.ssl.KeyManager; import javax.net.ssl.SSLContext; @@ -36,6 +38,8 @@ */ class FenixSSLContextSpi extends SSLContextSpi { + private static final Logger LOGGER = LoggerFactory.getLogger(FenixSSLContextSpi.class); + private final SSLContext sslContext; private final SSLParameters sslParameters; @@ -46,7 +50,7 @@ class FenixSSLContextSpi extends SSLContextSpi { @Override protected void engineInit(KeyManager[] km, TrustManager[] tm, SecureRandom sr) { - // ignore as the base SSLContext has already been initialized; + LOGGER.debug("The provided parameters are being ignored as the SSLContext has already been initialized"); } @Override @@ -61,7 +65,7 @@ protected SSLServerSocketFactory engineGetServerSocketFactory() { @Override protected SSLEngine engineCreateSSLEngine() { - return getSSLEngine(null, null); + return getSSLEngine(null, 0); } @Override @@ -69,9 +73,9 @@ protected SSLEngine engineCreateSSLEngine(String host, int port) { return getSSLEngine(host, port); } - private SSLEngine getSSLEngine(String peerHost, Integer peerPort) { + private SSLEngine getSSLEngine(String peerHost, int peerPort) { SSLEngine sslEngine; - if (nonNull(peerHost) && nonNull(peerPort)) { + if (nonNull(peerHost)) { sslEngine = sslContext.createSSLEngine(peerHost, peerPort); } else { sslEngine = sslContext.createSSLEngine(); diff --git a/sslcontext-kickstart/src/test/java/nl/altindag/ssl/sslcontext/FenixSSLContextSpiShould.java b/sslcontext-kickstart/src/test/java/nl/altindag/ssl/sslcontext/FenixSSLContextSpiShould.java new file mode 100644 index 00000000..2da68034 --- /dev/null +++ b/sslcontext-kickstart/src/test/java/nl/altindag/ssl/sslcontext/FenixSSLContextSpiShould.java @@ -0,0 +1,39 @@ +/* + * Copyright 2019 Thunderberry. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package nl.altindag.ssl.sslcontext; + +import nl.altindag.log.LogCaptor; +import org.junit.jupiter.api.Test; + +import static org.assertj.core.api.Assertions.assertThat; + +/** + * @author Hakan Altindag + */ +class FenixSSLContextSpiShould { + + @Test + void ignoreProvidedParametersAndDebugLogWhenEngineInitIsBeingCalled() { + LogCaptor logCaptor = LogCaptor.forClass(FenixSSLContextSpi.class); + + FenixSSLContextSpi sslContextSpi = new FenixSSLContextSpi(null, null); + sslContextSpi.engineInit(null, null, null); + + assertThat(logCaptor.getDebugLogs()) + .containsExactly("The provided parameters are being ignored as the SSLContext has already been initialized"); + } + +} From f3a2d7b0d3c3f42d9051665110f4395ccc60ad64 Mon Sep 17 00:00:00 2001 From: Hakky54 Date: Thu, 22 Jun 2023 00:38:31 +0200 Subject: [PATCH 4/6] Corrected usage of ssl parameters --- .../nl/altindag/ssl/sslcontext/FenixSSLContextSpi.java | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/sslcontext-kickstart/src/main/java/nl/altindag/ssl/sslcontext/FenixSSLContextSpi.java b/sslcontext-kickstart/src/main/java/nl/altindag/ssl/sslcontext/FenixSSLContextSpi.java index 326783ac..f1a5bf1f 100644 --- a/sslcontext-kickstart/src/main/java/nl/altindag/ssl/sslcontext/FenixSSLContextSpi.java +++ b/sslcontext-kickstart/src/main/java/nl/altindag/ssl/sslcontext/FenixSSLContextSpi.java @@ -55,12 +55,12 @@ protected void engineInit(KeyManager[] km, TrustManager[] tm, SecureRandom sr) { @Override protected SSLSocketFactory engineGetSocketFactory() { - return SSLSocketUtils.createSslSocketFactory(sslContext, engineGetSupportedSSLParameters()); + return SSLSocketUtils.createSslSocketFactory(sslContext, engineGetDefaultSSLParameters()); } @Override protected SSLServerSocketFactory engineGetServerSocketFactory() { - return SSLSocketUtils.createSslServerSocketFactory(sslContext, engineGetSupportedSSLParameters()); + return SSLSocketUtils.createSslServerSocketFactory(sslContext, engineGetDefaultSSLParameters()); } @Override @@ -81,7 +81,7 @@ private SSLEngine getSSLEngine(String peerHost, int peerPort) { sslEngine = sslContext.createSSLEngine(); } - sslEngine.setSSLParameters(engineGetSupportedSSLParameters()); + sslEngine.setSSLParameters(engineGetDefaultSSLParameters()); return sslEngine; } @@ -97,12 +97,12 @@ protected SSLSessionContext engineGetClientSessionContext() { @Override protected SSLParameters engineGetDefaultSSLParameters() { - return sslContext.getDefaultSSLParameters(); + return SSLParametersUtils.copy(sslParameters); } @Override protected SSLParameters engineGetSupportedSSLParameters() { - return SSLParametersUtils.copy(sslParameters); + return SSLParametersUtils.copy(sslContext.getSupportedSSLParameters()); } } From 8fe4ec14b78702f76d63d119260ab586f9979d77 Mon Sep 17 00:00:00 2001 From: Hakky54 Date: Thu, 22 Jun 2023 10:51:28 +0200 Subject: [PATCH 5/6] Added consistency check --- .../java/nl/altindag/ssl/SSLFactoryIT.java | 6 -- .../nl/altindag/ssl/SSLFactoryShould.java | 69 +++++++++++++++++++ 2 files changed, 69 insertions(+), 6 deletions(-) diff --git a/sslcontext-kickstart/src/test/java/nl/altindag/ssl/SSLFactoryIT.java b/sslcontext-kickstart/src/test/java/nl/altindag/ssl/SSLFactoryIT.java index 0a82ff71..bae6f1d5 100644 --- a/sslcontext-kickstart/src/test/java/nl/altindag/ssl/SSLFactoryIT.java +++ b/sslcontext-kickstart/src/test/java/nl/altindag/ssl/SSLFactoryIT.java @@ -23,9 +23,7 @@ import org.junit.jupiter.api.Test; import javax.net.ssl.HttpsURLConnection; -import javax.net.ssl.SSLContext; import javax.net.ssl.SSLException; -import javax.net.ssl.SSLParameters; import javax.net.ssl.SSLSocketFactory; import javax.net.ssl.X509ExtendedTrustManager; import java.io.BufferedReader; @@ -61,10 +59,6 @@ void executeHttpsRequestWithMutualAuthentication() throws IOException { .withProtocols("TLSv1.3") .build(); - SSLContext sslContext = sslFactoryForServer.getSslContext(); - SSLParameters defaultSSLParameters = sslContext.getDefaultSSLParameters(); - SSLParameters supportedSSLParameters = sslContext.getSupportedSSLParameters(); - Server server = Server.createDefault(sslFactoryForServer); SSLFactory sslFactoryForClient = SSLFactory.builder() diff --git a/sslcontext-kickstart/src/test/java/nl/altindag/ssl/SSLFactoryShould.java b/sslcontext-kickstart/src/test/java/nl/altindag/ssl/SSLFactoryShould.java index 4712460c..b904c5c8 100644 --- a/sslcontext-kickstart/src/test/java/nl/altindag/ssl/SSLFactoryShould.java +++ b/sslcontext-kickstart/src/test/java/nl/altindag/ssl/SSLFactoryShould.java @@ -47,7 +47,13 @@ import javax.net.ssl.HostnameVerifier; import javax.net.ssl.KeyManager; import javax.net.ssl.KeyManagerFactory; +import javax.net.ssl.SSLContext; import javax.net.ssl.SSLEngine; +import javax.net.ssl.SSLParameters; +import javax.net.ssl.SSLServerSocket; +import javax.net.ssl.SSLServerSocketFactory; +import javax.net.ssl.SSLSocket; +import javax.net.ssl.SSLSocketFactory; import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManagerFactory; import javax.net.ssl.X509ExtendedKeyManager; @@ -1781,6 +1787,69 @@ void createSSLFactoryWithDummyTrustMaterial() { assertThat(sslFactory.getTrustManager().get()).isInstanceOf(DummyX509ExtendedTrustManager.class); } + @Test + void banana() throws IOException { + String configuredProtocol = "TLSv1.2"; + String configuredCipher = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"; + boolean configuredNeedClientAuthentication = true; + + SSLFactory sslFactory = SSLFactory.builder() + .withIdentityMaterial(KEYSTORE_LOCATION + IDENTITY_FILE_NAME, IDENTITY_PASSWORD) + .withTrustMaterial(KEYSTORE_LOCATION + TRUSTSTORE_FILE_NAME, TRUSTSTORE_PASSWORD) + .withProtocols(configuredProtocol) + .withNeedClientAuthentication(configuredNeedClientAuthentication) + .withCiphers(configuredCipher) + .build(); + + SSLContext sslContext = sslFactory.getSslContext(); + SSLParameters defaultSSLParameters = sslContext.getDefaultSSLParameters(); + SSLParameters supportedSSLParameters = sslContext.getSupportedSSLParameters(); + + assertThat(defaultSSLParameters.getProtocols()).containsExactly(configuredProtocol); + assertThat(defaultSSLParameters.getCipherSuites()).containsExactly(configuredCipher); + assertThat(defaultSSLParameters.getNeedClientAuth()).isTrue(); + assertThat(defaultSSLParameters.getWantClientAuth()).isFalse(); + + assertThat(supportedSSLParameters.getProtocols()).hasSizeGreaterThan(1).contains(configuredProtocol); + assertThat(supportedSSLParameters.getCipherSuites()).hasSizeGreaterThan(1).contains(configuredCipher); + assertThat(supportedSSLParameters.getNeedClientAuth()).isFalse(); + assertThat(supportedSSLParameters.getWantClientAuth()).isFalse(); + + SSLSocketFactory sslSocketFactory = sslFactory.getSslSocketFactory(); + assertThat(sslSocketFactory.getDefaultCipherSuites()).containsExactly(configuredCipher); + assertThat(sslSocketFactory.getSupportedCipherSuites()).containsExactly(configuredCipher); + + SSLSocket socket = (SSLSocket) sslSocketFactory.createSocket(); + assertThat(socket.getEnabledProtocols()).containsExactly(configuredProtocol); + assertThat(socket.getSupportedProtocols()).hasSizeGreaterThan(1).contains(configuredProtocol); + assertThat(socket.getEnabledCipherSuites()).containsExactly(configuredCipher); + assertThat(socket.getSupportedCipherSuites()).hasSizeGreaterThan(1).contains(configuredCipher); + assertThat(socket.getNeedClientAuth()).isTrue(); + assertThat(socket.getWantClientAuth()).isFalse(); + socket.close(); + + SSLServerSocketFactory sslServerSocketFactory = sslFactory.getSslServerSocketFactory(); + assertThat(sslSocketFactory.getDefaultCipherSuites()).containsExactly(configuredCipher); + assertThat(sslSocketFactory.getSupportedCipherSuites()).containsExactly(configuredCipher); + + SSLServerSocket serverSocket = (SSLServerSocket) sslServerSocketFactory.createServerSocket(); + assertThat(serverSocket.getEnabledProtocols()).containsExactly(configuredProtocol); + assertThat(serverSocket.getSupportedProtocols()).hasSizeGreaterThan(1).contains(configuredProtocol); + assertThat(serverSocket.getEnabledCipherSuites()).containsExactly(configuredCipher); + assertThat(serverSocket.getSupportedCipherSuites()).hasSizeGreaterThan(1).contains(configuredCipher); + assertThat(serverSocket.getNeedClientAuth()).isTrue(); + assertThat(serverSocket.getWantClientAuth()).isFalse(); + serverSocket.close(); + + SSLEngine sslEngine = sslFactory.getSSLEngine(); + assertThat(sslEngine.getEnabledProtocols()).containsExactly(configuredProtocol); + assertThat(sslEngine.getSupportedProtocols()).hasSizeGreaterThan(1).contains(configuredProtocol); + assertThat(sslEngine.getEnabledCipherSuites()).containsExactly(configuredCipher); + assertThat(sslEngine.getSupportedCipherSuites()).hasSizeGreaterThan(1).contains(configuredCipher); + assertThat(sslEngine.getNeedClientAuth()).isTrue(); + assertThat(sslEngine.getWantClientAuth()).isFalse(); + } + @Test void throwIllegalArgumentExceptionWhenCertificateIsAbsent() { List certificates = Collections.emptyList(); From 6c9aea6c1cfca8daeb94a841f397cd42d81f4c5e Mon Sep 17 00:00:00 2001 From: Hakky54 Date: Thu, 22 Jun 2023 11:03:47 +0200 Subject: [PATCH 6/6] Adjusted method name --- .../src/test/java/nl/altindag/ssl/SSLFactoryShould.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sslcontext-kickstart/src/test/java/nl/altindag/ssl/SSLFactoryShould.java b/sslcontext-kickstart/src/test/java/nl/altindag/ssl/SSLFactoryShould.java index b904c5c8..393080a2 100644 --- a/sslcontext-kickstart/src/test/java/nl/altindag/ssl/SSLFactoryShould.java +++ b/sslcontext-kickstart/src/test/java/nl/altindag/ssl/SSLFactoryShould.java @@ -1788,7 +1788,7 @@ void createSSLFactoryWithDummyTrustMaterial() { } @Test - void banana() throws IOException { + void haveConsistentParameterConfiguration() throws IOException { String configuredProtocol = "TLSv1.2"; String configuredCipher = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"; boolean configuredNeedClientAuthentication = true;