public virtual void TestReload()
{
KeyPair kp = KeyStoreTestUtil.GenerateKeyPair("RSA");
cert1 = KeyStoreTestUtil.GenerateCertificate("CN=Cert1", kp, 30, "SHA1withRSA");
cert2 = KeyStoreTestUtil.GenerateCertificate("CN=Cert2", kp, 30, "SHA1withRSA");
string truststoreLocation = Basedir + "/testreload.jks";
KeyStoreTestUtil.CreateTrustStore(truststoreLocation, "password", "cert1", cert1);
ReloadingX509TrustManager tm = new ReloadingX509TrustManager("jks", truststoreLocation
, "password", 10);
try
{
tm.Init();
Assert.Equal(1, tm.GetAcceptedIssuers().Length);
// Wait so that the file modification time is different
Thread.Sleep((tm.GetReloadInterval() + 1000));
// Add another cert
IDictionary <string, X509Certificate> certs = new Dictionary <string, X509Certificate
>();
certs["cert1"] = cert1;
certs["cert2"] = cert2;
KeyStoreTestUtil.CreateTrustStore(truststoreLocation, "password", certs);
// and wait to be sure reload has taken place
Assert.Equal(10, tm.GetReloadInterval());
// Wait so that the file modification time is different
Thread.Sleep((tm.GetReloadInterval() + 200));
Assert.Equal(2, tm.GetAcceptedIssuers().Length);
}
finally
{
tm.Destroy();
}
}
public virtual void TestReloadCorruptTrustStore()
{
KeyPair kp = KeyStoreTestUtil.GenerateKeyPair("RSA");
cert1 = KeyStoreTestUtil.GenerateCertificate("CN=Cert1", kp, 30, "SHA1withRSA");
cert2 = KeyStoreTestUtil.GenerateCertificate("CN=Cert2", kp, 30, "SHA1withRSA");
string truststoreLocation = Basedir + "/testcorrupt.jks";
KeyStoreTestUtil.CreateTrustStore(truststoreLocation, "password", "cert1", cert1);
ReloadingX509TrustManager tm = new ReloadingX509TrustManager("jks", truststoreLocation
, "password", 10);
try
{
tm.Init();
Assert.Equal(1, tm.GetAcceptedIssuers().Length);
X509Certificate cert = tm.GetAcceptedIssuers()[0];
OutputStream os = new FileOutputStream(truststoreLocation);
os.Write(1);
os.Close();
new FilePath(truststoreLocation).SetLastModified(Runtime.CurrentTimeMillis() - 1000
);
// Wait so that the file modification time is different
Thread.Sleep((tm.GetReloadInterval() + 200));
Assert.Equal(1, tm.GetAcceptedIssuers().Length);
Assert.Equal(cert, tm.GetAcceptedIssuers()[0]);
}
finally
{
tm.Destroy();
}
}
public virtual void TestReloadMissingTrustStore()
{
KeyPair kp = KeyStoreTestUtil.GenerateKeyPair("RSA");
cert1 = KeyStoreTestUtil.GenerateCertificate("CN=Cert1", kp, 30, "SHA1withRSA");
cert2 = KeyStoreTestUtil.GenerateCertificate("CN=Cert2", kp, 30, "SHA1withRSA");
string truststoreLocation = Basedir + "/testmissing.jks";
KeyStoreTestUtil.CreateTrustStore(truststoreLocation, "password", "cert1", cert1);
ReloadingX509TrustManager tm = new ReloadingX509TrustManager("jks", truststoreLocation
, "password", 10);
try
{
tm.Init();
Assert.Equal(1, tm.GetAcceptedIssuers().Length);
X509Certificate cert = tm.GetAcceptedIssuers()[0];
new FilePath(truststoreLocation).Delete();
// Wait so that the file modification time is different
Thread.Sleep((tm.GetReloadInterval() + 200));
Assert.Equal(1, tm.GetAcceptedIssuers().Length);
Assert.Equal(cert, tm.GetAcceptedIssuers()[0]);
}
finally
{
tm.Destroy();
}
}
/// <exception cref="System.Exception"/>
private Configuration CreateConfiguration(bool clientCert, bool trustStore)
{
Configuration conf = new Configuration();
KeyStoreTestUtil.SetupSSLConfig(KeystoresDir, sslConfsDir, conf, clientCert, trustStore
);
return(conf);
}
/// <summary>
/// Performs complete setup of SSL configuration in preparation for testing an
/// SSLFactory.
/// </summary>
/// <remarks>
/// Performs complete setup of SSL configuration in preparation for testing an
/// SSLFactory. This includes keys, certs, keystores, truststores, the server
/// SSL configuration file, the client SSL configuration file, and the master
/// configuration file read by the SSLFactory.
/// </remarks>
/// <param name="keystoresDir">String directory to save keystores</param>
/// <param name="sslConfDir">String directory to save SSL configuration files</param>
/// <param name="conf">
/// Configuration master configuration to be used by an SSLFactory,
/// which will be mutated by this method
/// </param>
/// <param name="useClientCert">
/// boolean true to make the client present a cert in the
/// SSL handshake
/// </param>
/// <param name="trustStore">boolean true to create truststore, false not to create it
/// </param>
/// <exception cref="System.Exception"/>
public static void SetupSSLConfig(string keystoresDir, string sslConfDir, Configuration
conf, bool useClientCert, bool trustStore)
{
string clientKS = keystoresDir + "/clientKS.jks";
string clientPassword = "******";
string serverKS = keystoresDir + "/serverKS.jks";
string serverPassword = "******";
string trustKS = null;
string trustPassword = "******";
FilePath sslClientConfFile = new FilePath(sslConfDir + "/ssl-client.xml");
FilePath sslServerConfFile = new FilePath(sslConfDir + "/ssl-server.xml");
IDictionary <string, X509Certificate> certs = new Dictionary <string, X509Certificate
>();
if (useClientCert)
{
KeyPair cKP = KeyStoreTestUtil.GenerateKeyPair("RSA");
X509Certificate cCert = KeyStoreTestUtil.GenerateCertificate("CN=localhost, O=client"
, cKP, 30, "SHA1withRSA");
KeyStoreTestUtil.CreateKeyStore(clientKS, clientPassword, "client", cKP.GetPrivate
(), cCert);
certs["client"] = cCert;
}
KeyPair sKP = KeyStoreTestUtil.GenerateKeyPair("RSA");
X509Certificate sCert = KeyStoreTestUtil.GenerateCertificate("CN=localhost, O=server"
, sKP, 30, "SHA1withRSA");
KeyStoreTestUtil.CreateKeyStore(serverKS, serverPassword, "server", sKP.GetPrivate
(), sCert);
certs["server"] = sCert;
if (trustStore)
{
trustKS = keystoresDir + "/trustKS.jks";
KeyStoreTestUtil.CreateTrustStore(trustKS, trustPassword, certs);
}
Configuration clientSSLConf = CreateClientSSLConfig(clientKS, clientPassword, clientPassword
, trustKS);
Configuration serverSSLConf = CreateServerSSLConfig(serverKS, serverPassword, serverPassword
, trustKS);
SaveConfig(sslClientConfFile, clientSSLConf);
SaveConfig(sslServerConfFile, serverSSLConf);
conf.Set(SSLFactory.SslHostnameVerifierKey, "ALLOW_ALL");
conf.Set(SSLFactory.SslClientConfKey, sslClientConfFile.GetName());
conf.Set(SSLFactory.SslServerConfKey, sslServerConfFile.GetName());
conf.SetBoolean(SSLFactory.SslRequireClientCertKey, useClientCert);
}
public virtual void CleanUp()
{
sslConfsDir = KeyStoreTestUtil.GetClasspathDir(typeof(TestSSLFactory));
KeyStoreTestUtil.CleanupSSLConfig(KeystoresDir, sslConfsDir);
}
/// <summary>
/// Checks that SSLFactory initialization is successful with the given
/// arguments.
/// </summary>
/// <remarks>
/// Checks that SSLFactory initialization is successful with the given
/// arguments. This is a helper method for writing test cases that cover
/// different combinations of settings for the store password and key password.
/// It takes care of bootstrapping a keystore, a truststore, and SSL client or
/// server configuration. Then, it initializes an SSLFactory. If no exception
/// is thrown, then initialization was successful.
/// </remarks>
/// <param name="mode">SSLFactory.Mode mode to test</param>
/// <param name="password">String store password to set on keystore</param>
/// <param name="keyPassword">String key password to set on keystore</param>
/// <param name="confPassword">
/// String store password to set in SSL config file, or null
/// to avoid setting in SSL config file
/// </param>
/// <param name="confKeyPassword">
/// String key password to set in SSL config file, or
/// null to avoid setting in SSL config file
/// </param>
/// <param name="useCredProvider">
/// boolean to indicate whether passwords should be set
/// into the config or not. When set to true nulls are set and aliases are
/// expected to be resolved through credential provider API through the
/// Configuration.getPassword method
/// </param>
/// <exception cref="System.Exception">for any error</exception>
private void CheckSSLFactoryInitWithPasswords(SSLFactory.Mode mode, string password
, string keyPassword, string confPassword, string confKeyPassword, bool useCredProvider
)
{
string keystore = new FilePath(KeystoresDir, "keystore.jks").GetAbsolutePath();
string truststore = new FilePath(KeystoresDir, "truststore.jks").GetAbsolutePath(
);
string trustPassword = "******";
// Create keys, certs, keystore, and truststore.
KeyPair keyPair = KeyStoreTestUtil.GenerateKeyPair("RSA");
X509Certificate cert = KeyStoreTestUtil.GenerateCertificate("CN=Test", keyPair, 30
, "SHA1withRSA");
KeyStoreTestUtil.CreateKeyStore(keystore, password, keyPassword, "Test", keyPair.
GetPrivate(), cert);
IDictionary <string, X509Certificate> certs = Collections.SingletonMap("server", cert
);
KeyStoreTestUtil.CreateTrustStore(truststore, trustPassword, certs);
// Create SSL configuration file, for either server or client.
string sslConfFileName;
Configuration sslConf;
// if the passwords are provisioned in a cred provider then don't set them
// in the configuration properly - expect them to be resolved through the
// provider
if (useCredProvider)
{
confPassword = null;
confKeyPassword = null;
}
if (mode == SSLFactory.Mode.Server)
{
sslConfFileName = "ssl-server.xml";
sslConf = KeyStoreTestUtil.CreateServerSSLConfig(keystore, confPassword, confKeyPassword
, truststore);
if (useCredProvider)
{
FilePath testDir = new FilePath(Runtime.GetProperty("test.build.data", "target/test-dir"
));
Path jksPath = new Path(testDir.ToString(), "test.jks");
string ourUrl = JavaKeyStoreProvider.SchemeName + "://file" + jksPath.ToUri();
sslConf.Set(CredentialProviderFactory.CredentialProviderPath, ourUrl);
}
}
else
{
sslConfFileName = "ssl-client.xml";
sslConf = KeyStoreTestUtil.CreateClientSSLConfig(keystore, confPassword, confKeyPassword
, truststore);
}
KeyStoreTestUtil.SaveConfig(new FilePath(sslConfsDir, sslConfFileName), sslConf);
// Create the master configuration for use by the SSLFactory, which by
// default refers to the ssl-server.xml or ssl-client.xml created above.
Configuration conf = new Configuration();
conf.SetBoolean(SSLFactory.SslRequireClientCertKey, true);
// Try initializing an SSLFactory.
SSLFactory sslFactory = new SSLFactory(mode, conf);
try
{
sslFactory.Init();
}
finally
{
sslFactory.Destroy();
}
}
public virtual void TestServerCredProviderPasswords()
{
KeyStoreTestUtil.ProvisionPasswordsToCredentialProvider();
CheckSSLFactoryInitWithPasswords(SSLFactory.Mode.Server, "storepass", "keypass",
null, null, true);
}
