ZKConfig config = new ZKConfig(); try (X509Util x509Util = new ClientX509Util()) { String keyStoreLocation = config.getProperty(x509Util.getSslKeystoreLocationProperty(), ""); String keyStorePassword = config.getProperty(x509Util.getSslKeystorePasswdProperty(), ""); String keyStoreTypeProp = config.getProperty(x509Util.getSslKeystoreTypeProperty()); boolean crlEnabled = Boolean.parseBoolean(config.getProperty(x509Util.getSslCrlEnabledProperty())); boolean ocspEnabled = Boolean.parseBoolean(config.getProperty(x509Util.getSslOcspEnabledProperty())); boolean hostnameVerificationEnabled = Boolean.parseBoolean( config.getProperty(x509Util.getSslHostnameVerificationEnabledProperty())); } else { try { km = X509Util.createKeyManager(keyStoreLocation, keyStorePassword, keyStoreTypeProp); } catch (KeyManagerException e) { LOG.error("Failed to create key manager", e); String trustStoreLocation = config.getProperty(x509Util.getSslTruststoreLocationProperty(), ""); String trustStorePassword = config.getProperty(x509Util.getSslTruststorePasswdProperty(), ""); String trustStoreTypeProp = config.getProperty(x509Util.getSslTruststoreTypeProperty()); } else { try { tm = X509Util.createTrustManager( trustStoreLocation, trustStorePassword, trustStoreTypeProp, crlEnabled, ocspEnabled, hostnameVerificationEnabled, false);
/**
 * Returns the default cipher suites for the JVM this code runs on.
 *
 * @return the suites selected for the running JVM's {@code java.specification.version}.
 */
static String[] getDefaultCipherSuites() {
    final String javaSpecVersion = System.getProperty("java.specification.version");
    return getDefaultCipherSuitesForJavaVersion(javaSpecVersion);
}
/**
 * Building the default SSLContext with no keystore location configured must not throw:
 * a missing keystore is logged as a warning and the context is built without a KeyManager.
 */
@Test(timeout = 5000)
public void testCreateSSLContextWithoutKeyStoreLocation() throws Exception {
    final String keyStoreLocationProperty = x509Util.getSslKeystoreLocationProperty();
    System.clearProperty(keyStoreLocationProperty);
    // Passes as long as no exception escapes; the returned context is not inspected.
    x509Util.getDefaultSSLContext();
}
private void putSSLProperties(X509Util x509Util) { properties.put(x509Util.getSslProtocolProperty(), System.getProperty(x509Util.getSslProtocolProperty())); properties.put(x509Util.getSslEnabledProtocolsProperty(), System.getProperty(x509Util.getSslEnabledProtocolsProperty())); properties.put(x509Util.getSslCipherSuitesProperty(), System.getProperty(x509Util.getSslCipherSuitesProperty())); properties.put(x509Util.getSslKeystoreLocationProperty(), System.getProperty(x509Util.getSslKeystoreLocationProperty())); properties.put(x509Util.getSslKeystorePasswdProperty(), System.getProperty(x509Util.getSslKeystorePasswdProperty())); properties.put(x509Util.getSslKeystoreTypeProperty(), System.getProperty(x509Util.getSslKeystoreTypeProperty())); properties.put(x509Util.getSslTruststoreLocationProperty(), System.getProperty(x509Util.getSslTruststoreLocationProperty())); properties.put(x509Util.getSslTruststorePasswdProperty(), System.getProperty(x509Util.getSslTruststorePasswdProperty())); properties.put(x509Util.getSslTruststoreTypeProperty(), System.getProperty(x509Util.getSslTruststoreTypeProperty())); properties.put(x509Util.getSslContextSupplierClassProperty(), System.getProperty(x509Util.getSslContextSupplierClassProperty())); properties.put(x509Util.getSslHostnameVerificationEnabledProperty(), System.getProperty(x509Util.getSslHostnameVerificationEnabledProperty())); properties.put(x509Util.getSslCrlEnabledProperty(), System.getProperty(x509Util.getSslCrlEnabledProperty())); properties.put(x509Util.getSslOcspEnabledProperty(), System.getProperty(x509Util.getSslOcspEnabledProperty())); properties.put(x509Util.getSslClientAuthProperty(), System.getProperty(x509Util.getSslClientAuthProperty())); properties.put(x509Util.getSslHandshakeDetectionTimeoutMillisProperty(),
/**
 * Returns the max amount of time, in milliseconds, that the first UnifiedServerSocket read() operation should
 * block for when trying to detect the client mode (TLS or PLAINTEXT).
 * Defaults to {@link X509Util#DEFAULT_HANDSHAKE_DETECTION_TIMEOUT_MILLIS}.
 * Never throws: if the SSL context cannot be built, or the property cannot be parsed, the
 * failure is logged and the default is returned so callers always get a usable timeout.
 *
 * @return the handshake detection timeout, in milliseconds.
 */
public int getSslHandshakeTimeoutMillis() {
    try {
        return getDefaultSSLContextAndOptions().getHandshakeDetectionTimeoutMillis();
    } catch (SSLContextException e) {
        LOG.error("Error creating SSL context and options", e);
    } catch (Exception e) {
        LOG.error("Error parsing config property " + getSslHandshakeDetectionTimeoutMillisProperty(), e);
    }
    // Reached only on failure; fall back to the built-in default.
    return DEFAULT_HANDSHAKE_DETECTION_TIMEOUT_MILLIS;
}
/**
 * Clears system properties set by
 * {@link #setSystemProperties(X509Util, KeyStoreFileType, KeyStoreFileType)}.
 * Clearing the keystore/truststore passwords also removes them from the JVM-wide
 * property table once a test no longer needs them.
 * @param x509Util the X509Util to read property keys from.
 */
public void clearSystemProperties(X509Util x509Util) {
    final String[] propertyKeys = {
        x509Util.getSslKeystoreLocationProperty(),
        x509Util.getSslKeystorePasswdProperty(),
        x509Util.getSslKeystoreTypeProperty(),
        x509Util.getSslTruststoreLocationProperty(),
        x509Util.getSslTruststorePasswdProperty(),
        x509Util.getSslTruststoreTypeProperty(),
        x509Util.getSslHostnameVerificationEnabledProperty(),
    };
    for (String key : propertyKeys) {
        System.clearProperty(key);
    }
}
LOG.warn(getSslKeystoreLocationProperty() + " not specified"); } else { try { keyManagers = new KeyManager[]{ createKeyManager(keyStoreLocationProp, keyStorePasswordProp, keyStoreTypeProp)}; } catch (KeyManagerException keyManagerException) { throw new SSLContextException("Failed to create KeyManager", keyManagerException); boolean sslOcspEnabled = config.getBoolean(this.sslOcspEnabledProperty); boolean sslServerHostnameVerificationEnabled = config.getBoolean(this.getSslHostnameVerificationEnabledProperty(), true); boolean sslClientHostnameVerificationEnabled = sslServerHostnameVerificationEnabled && shouldVerifyClientHostname(); LOG.warn(getSslTruststoreLocationProperty() + " not specified"); } else { try { trustManagers = new TrustManager[]{ createTrustManager(trustStoreLocationProp, trustStorePasswordProp, trustStoreTypeProp, sslCrlEnabled, sslOcspEnabled, sslServerHostnameVerificationEnabled, sslClientHostnameVerificationEnabled)}; } catch (TrustManagerException trustManagerException) {
/**
 * Restores the process-wide state the tests touch: X509Util system properties, the JDK
 * revocation-checking switches, and the connection-factory selection; then closes the util.
 */
@After
public void cleanUp() {
    x509TestContext.clearSystemProperties(x509Util);
    final String[] systemPropertiesToClear = {
        x509Util.getSslOcspEnabledProperty(),
        x509Util.getSslCrlEnabledProperty(),
        x509Util.getCipherSuitesProperty(),
        x509Util.getSslProtocolProperty(),
        x509Util.getSslHandshakeDetectionTimeoutMillisProperty(),
        "com.sun.net.ssl.checkRevocation",
        "com.sun.security.enableCRLDP",
    };
    for (String key : systemPropertiesToClear) {
        System.clearProperty(key);
    }
    // java.security.Security has no clearProperty; reset the revocation switches to "false"
    // so a test that enabled CRL/OCSP checking does not leak it into later tests.
    Security.setProperty("ocsp.enable", Boolean.FALSE.toString());
    Security.setProperty("com.sun.security.enableCRLDP", Boolean.FALSE.toString());
    System.clearProperty(ServerCnxnFactory.ZOOKEEPER_SERVER_CNXN_FACTORY);
    System.clearProperty(ZKClientConfig.ZOOKEEPER_CLIENT_CNXN_SOCKET);
    x509Util.close();
}
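/**
 * Loading the JKS keystore with a wrong password must be rejected with a
 * {@link X509Exception.KeyManagerException}.
 */
@Test(expected = X509Exception.KeyManagerException.class)
public void testLoadJKSKeyStoreWithWrongPassword() throws Exception {
    // Attempting to load with the wrong key password should fail. The return value is
    // deliberately not captured: the test passes only if the expected exception is thrown.
    X509Util.createKeyManager(
        x509TestContext.getKeyStoreFile(KeyStoreFileType.JKS).getAbsolutePath(),
        "wrong password",
        KeyStoreFileType.JKS.getPropertyValue());
}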
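/**
 * A trust manager can be built from the JKS trust store on disk when the store type is
 * left unset, i.e. the type is autodetected from the file extension.
 */
@Test
public void testLoadJKSTrustStoreAutodetectStoreFileType() throws Exception {
    // Make sure we can instantiate a trust manager from the JKS file on disk. The result is
    // deliberately not captured: the test only checks that construction does not throw.
    X509Util.createTrustManager(
        x509TestContext.getTrustStoreFile(KeyStoreFileType.JKS).getAbsolutePath(),
        x509TestContext.getTrustStorePassword(),
        null, // null StoreFileType means 'autodetect from file extension'
        true, // crlEnabled
        true, // ocspEnabled
        true, // serverHostnameVerificationEnabled
        true); // clientHostnameVerificationEnabled
}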
/**
 * Building the default SSLContext with a keystore location but no keystore password must
 * fail with an {@link X509Exception.SSLContextException} when the store is encrypted.
 */
@Test(timeout = 5000, expected = X509Exception.SSLContextException.class)
public void testCreateSSLContextWithoutKeyStorePassword() throws Exception {
    final boolean keyStoreEncrypted = x509TestContext.isKeyStoreEncrypted();
    if (!keyStoreEncrypted) {
        // Nothing to verify without a password requirement; throwing the expected exception
        // satisfies the @Test(expected = ...) contract instead of skipping the test.
        throw new X509Exception.SSLContextException("");
    }
    final String keyStorePasswordProperty = x509Util.getSslKeystorePasswdProperty();
    System.clearProperty(keyStorePasswordProperty);
    x509Util.getDefaultSSLContext();
}
int oldTimeout = -1; int bytesRead = 0; int newTimeout = x509Util.getSslHandshakeTimeoutMillis(); try { oldTimeout = prependableSocket.getSoTimeout(); sslSocket = x509Util.createSSLSocket(prependableSocket, litmus); } catch (X509Exception e) { throw new IOException("failed to create SSL context", e);
/**
 * The protocol configured through the SSL protocol property is propagated to the SSLContext.
 * Only the protocol name reported by the context is checked; whether a TLSv1.1 handshake is
 * still permitted by the JDK's disabled-algorithm list is not exercised here.
 */
@Test(timeout = 5000)
public void testCreateSSLContextWithCustomProtocol() throws Exception {
    final String expectedProtocol = "TLSv1.1";
    System.setProperty(x509Util.getSslProtocolProperty(), expectedProtocol);
    final String actualProtocol = x509Util.getDefaultSSLContext().getProtocol();
    Assert.assertEquals(expectedProtocol, actualProtocol);
}
/**
 * Enabling CRL checking turns on the JDK-wide revocation and CRL distribution point
 * switches while leaving OCSP disabled.
 */
@Test(timeout = 5000)
public void testCRLEnabled() throws Exception {
    System.setProperty(x509Util.getSslCrlEnabledProperty(), "true");
    x509Util.getDefaultSSLContext();
    // These switches are JVM-global, which is why cleanUp() has to reset them afterwards.
    final boolean checkRevocation = Boolean.parseBoolean(System.getProperty("com.sun.net.ssl.checkRevocation"));
    final boolean crlDpEnabled = Boolean.parseBoolean(System.getProperty("com.sun.security.enableCRLDP"));
    final boolean ocspEnabled = Boolean.parseBoolean(Security.getProperty("ocsp.enable"));
    Assert.assertTrue(checkRevocation);
    Assert.assertTrue(crlDpEnabled);
    Assert.assertFalse(ocspEnabled);
}
/**
 * Enabling OCSP checking turns on all three JDK-wide revocation switches: revocation
 * checking, CRL distribution points and OCSP itself.
 */
@Test(timeout = 5000)
public void testOCSPEnabled() throws Exception {
    System.setProperty(x509Util.getSslOcspEnabledProperty(), "true");
    x509Util.getDefaultSSLContext();
    // These switches are JVM-global, which is why cleanUp() has to reset them afterwards.
    final boolean checkRevocation = Boolean.parseBoolean(System.getProperty("com.sun.net.ssl.checkRevocation"));
    final boolean crlDpEnabled = Boolean.parseBoolean(System.getProperty("com.sun.security.enableCRLDP"));
    final boolean ocspEnabled = Boolean.parseBoolean(Security.getProperty("ocsp.enable"));
    Assert.assertTrue(checkRevocation);
    Assert.assertTrue(crlDpEnabled);
    Assert.assertTrue(ocspEnabled);
}
/**
 * The handshake detection timeout property is honoured when positive, and zero or negative
 * values fall back to {@link X509Util#DEFAULT_HANDSHAKE_DETECTION_TIMEOUT_MILLIS}.
 */
@Test
public void testGetSslHandshakeDetectionTimeoutMillisProperty() {
    final int defaultTimeout = X509Util.DEFAULT_HANDSHAKE_DETECTION_TIMEOUT_MILLIS;
    Assert.assertEquals(defaultTimeout, x509Util.getSslHandshakeTimeoutMillis());
    // A positive override is picked up.
    assertTimeoutForPropertyValue(Integer.toString(defaultTimeout + 1), defaultTimeout + 1);
    // 0 value not allowed, will return the default
    assertTimeoutForPropertyValue("0", defaultTimeout);
    // Negative value not allowed, will return the default
    assertTimeoutForPropertyValue("-1", defaultTimeout);
}

/**
 * Sets the timeout property to {@code propertyValue} and asserts what a freshly created
 * ClientX509Util reports. Note: need to create a new ClientX509Util each time to pick up
 * the modified property value.
 */
private void assertTimeoutForPropertyValue(String propertyValue, int expectedTimeoutMillis) {
    System.setProperty(x509Util.getSslHandshakeDetectionTimeoutMillisProperty(), propertyValue);
    try (X509Util tempX509Util = new ClientX509Util()) {
        Assert.assertEquals(expectedTimeoutMillis, tempX509Util.getSslHandshakeTimeoutMillis());
    }
}
x509Util = new ClientX509Util(); x509TestContext.setSystemProperties(x509Util, KeyStoreFileType.JKS, KeyStoreFileType.JKS); System.setProperty(x509Util.getSslHandshakeDetectionTimeoutMillisProperty(), "100"); workerPool = Executors.newCachedThreadPool(); port = PortAssignment.unique(); clientSocket = x509Util.createSSLSocket(); clientSocket.connect(localServerAddress); } else {
LOG.info("using secure socket"); try (X509Util x509Util = new ClientX509Util()) { SSLContext sslContext = x509Util.getDefaultSSLContext(); SSLSocketFactory socketFactory = sslContext.getSocketFactory(); SSLSocket sslSock = (SSLSocket) socketFactory.createSocket();
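/**
 * Cipher suites configured through the cipher-suites property are the ones enabled on the
 * sockets the util creates.
 */
@Test(timeout = 5000)
public void testCreateSSLContextWithCustomCipherSuites() throws Exception {
    setCustomCipherSuites();
    // SSLSocket is Closeable; close it so the test does not leak a file descriptor.
    try (SSLSocket sslSocket = x509Util.createSSLSocket()) {
        Assert.assertArrayEquals(customCipherSuites, sslSocket.getEnabledCipherSuites());
    }
}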
/**
 * Releases the per-test resources: the X509Util system properties, the listening, server-side
 * and client sockets, the worker pool, and finally the util itself.
 *
 * @throws Exception if waiting for the worker pool is interrupted.
 */
@After
public void tearDown() throws Exception {
    x509TestContext.clearSystemProperties(x509Util);
    final String timeoutProperty = x509Util.getSslHandshakeDetectionTimeoutMillisProperty();
    System.clearProperty(timeoutProperty);
    // Sockets first, then the pool, then the util.
    forceClose(listeningSocket);
    forceClose(serverSideSocket);
    forceClose(clientSocket);
    workerPool.shutdown();
    // Best-effort wait; a pool that is still winding down after a second is not a failure here.
    workerPool.awaitTermination(1000, TimeUnit.MILLISECONDS);
    x509Util.close();
}