
From cohei...@apache.org
Subject [cxf] branch master updated: Checking the TLS truststore properties for the Async conduit as well
Date Fri, 08 Jun 2018 11:25:13 GMT
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git


The following commit(s) were added to refs/heads/master by this push:
     new 0a9c444  Checking the TLS truststore properties for the Async conduit as well
0a9c444 is described below

commit 0a9c444093dcf0fd46b41c4bfa1e082c5d2d0ad1
Author: Colm O hEigeartaigh <coheigea@apache.org>
AuthorDate: Fri Jun 8 12:24:18 2018 +0100

    Checking the TLS truststore properties for the Async conduit as well
---
 .../http/asyncclient/AsyncHTTPConduit.java         |  9 ++-
 .../HostnameVerificationDeprecatedTest.java        | 68 +++++++++++++++++++++-
 .../https/hostname/HostnameVerificationTest.java   | 57 +++++++++++++++++-
 3 files changed, 128 insertions(+), 6 deletions(-)

diff --git a/rt/transports/http-hc/src/main/java/org/apache/cxf/transport/http/asyncclient/AsyncHTTPConduit.java
b/rt/transports/http-hc/src/main/java/org/apache/cxf/transport/http/asyncclient/AsyncHTTPConduit.java
index e343e87..74ab1c7 100755
--- a/rt/transports/http-hc/src/main/java/org/apache/cxf/transport/http/asyncclient/AsyncHTTPConduit.java
+++ b/rt/transports/http-hc/src/main/java/org/apache/cxf/transport/http/asyncclient/AsyncHTTPConduit.java
@@ -47,6 +47,7 @@ import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLSession;
+import javax.net.ssl.TrustManager;
 
 import org.apache.cxf.Bus;
 import org.apache.cxf.common.util.PropertyUtils;
@@ -892,8 +893,12 @@ public class AsyncHTTPConduit extends URLConnectionHTTPConduit {
         org.apache.cxf.transport.https.SSLUtils.configureKeyManagersWithCertAlias(
             tlsClientParameters, keyManagers);
 
-        ctx.init(keyManagers, tlsClientParameters.getTrustManagers(),
-                 tlsClientParameters.getSecureRandom());
+        TrustManager[] trustManagers = tlsClientParameters.getTrustManagers();
+        if (trustManagers == null) {
+            trustManagers = org.apache.cxf.configuration.jsse.SSLUtils.getDefaultTrustStoreManagers(LOG);
+        }
+
+        ctx.init(keyManagers, trustManagers, tlsClientParameters.getSecureRandom());
 
         sslContext = ctx;
         lastTlsHash = hash;
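Review bot: The fallback on lines 50-52 carries no comment saying why a null trust-manager array is now replaced instead of being passed straight to `ctx.init`, where JSSE would pick its own defaults; a reader cannot tell from the code that the intent is to have CXF itself read the `javax.net.ssl.trustStore*` properties (and log the outcome) the way the commit title suggests the non-async conduit already does. I would add `// No trust managers configured: load the default trust store (javax.net.ssl.trustStore* properties) ourselves rather than leaving it to JSSE` above the `if`. Note also that the resulting context is cached under `lastTlsHash` on line 57, which appears to hash only the TLSClientParameters, so if the system properties change later the cached context presumably keeps the previously loaded trust managers; that deserves a comment or a test. If `getDefaultTrustStoreManagers` can itself return null, `ctx.init` silently reverts to the JSSE default, so a debug log at that point would aid diagnosis. The enclosing method starts and ends outside this hunk.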
diff --git a/systests/transports/src/test/java/org/apache/cxf/systest/https/hostname/HostnameVerificationDeprecatedTest.java
b/systests/transports/src/test/java/org/apache/cxf/systest/https/hostname/HostnameVerificationDeprecatedTest.java
index 361b240..9bfcfdf 100644
--- a/systests/transports/src/test/java/org/apache/cxf/systest/https/hostname/HostnameVerificationDeprecatedTest.java
+++ b/systests/transports/src/test/java/org/apache/cxf/systest/https/hostname/HostnameVerificationDeprecatedTest.java
@@ -28,7 +28,11 @@ import javax.xml.ws.BindingProvider;
 import org.apache.cxf.Bus;
 import org.apache.cxf.BusFactory;
 import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.configuration.jsse.TLSClientParameters;
+import org.apache.cxf.endpoint.Client;
+import org.apache.cxf.frontend.ClientProxy;
 import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
+import org.apache.cxf.transport.http.HTTPConduit;
 import org.apache.hello_world.Greeter;
 import org.apache.hello_world.services.SOAPService;
 
@@ -110,7 +114,7 @@ public class HostnameVerificationDeprecatedTest extends AbstractBusClientServerT
 
         updateAddressPort(port, PORT);
 
-        port.greetMe("Kitty");
+        assertEquals(port.greetMe("Kitty"), "Hello Kitty");
 
         ((java.io.Closeable)port).close();
         bus.shutdown(true);
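Review bot: `assertEquals(port.greetMe("Kitty"), "Hello Kitty")` on line 80 puts the actual value first, whereas JUnit's `assertEquals(expected, actual)` order means a failure message will report the literal as "actual" and the response as "expected"; swap it to `assertEquals("Hello Kitty", port.greetMe("Kitty"))`. The same reversed order appears in the other hunks of this file (lines 89, 94, 143, 148) and in HostnameVerificationTest (lines 187, 197, 240, 245). The enclosing test method starts and ends outside the hunk.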
@@ -151,7 +155,12 @@ public class HostnameVerificationDeprecatedTest extends AbstractBusClientServerT
 
             updateAddressPort(port, PORT);
 
-            port.greetMe("Kitty");
+            assertEquals(port.greetMe("Kitty"), "Hello Kitty");
+
+            // Enable Async
+            ((BindingProvider)port).getRequestContext().put("use.async.http.conduit", true);
+
+            assertEquals(port.greetMe("Kitty"), "Hello Kitty");
 
             ((java.io.Closeable)port).close();
             bus.shutdown(true);
@@ -162,6 +171,61 @@ public class HostnameVerificationDeprecatedTest extends AbstractBusClientServerT
         }
     }
 
+    // No Subject Alternative Name, no matching CN - but we are setting the JVM default hostname
verifier to
+    // allow it. It differs to the method above, that we are not using a Spring configuration
file, but
+    // instead are setting a TLSClientParameters on the HTTPConduit
+    @org.junit.Test
+    public void testNoSubjectAlternativeNameNoCNMatchDefaultVerifierNoConfig() throws Exception
{
+        HostnameVerifier hostnameVerifier = HttpsURLConnection.getDefaultHostnameVerifier();
+        try {
+            System.setProperty("javax.net.ssl.trustStore", "keys/subjalt.jks");
+            System.setProperty("javax.net.ssl.trustStorePassword", "security");
+            System.setProperty("javax.net.ssl.trustStoreType", "JKS");
+            HttpsURLConnection.setDefaultHostnameVerifier(
+                new javax.net.ssl.HostnameVerifier() {
+                    public boolean verify(String hostName, javax.net.ssl.SSLSession session)
{
+                        return true;
+                    }
+
+                    // Note we need this method as well or else it won't work the with the
+                    // deprecated HostnameVerifier interface
+                    @SuppressWarnings("unused")
+                    public boolean verify(final String host, final String certHostname) {
+                        return true;
+                    }
+                });
+
+            URL url = SOAPService.WSDL_LOCATION;
+            SOAPService service = new SOAPService(url, SOAPService.SERVICE);
+            assertNotNull("Service is null", service);
+            final Greeter port = service.getHttpsPort();
+            assertNotNull("Port is null", port);
+
+            updateAddressPort(port, PORT);
+
+            TLSClientParameters clientParameters = new TLSClientParameters();
+            clientParameters.setUseHttpsURLConnectionDefaultHostnameVerifier(true);
+            Client client = ClientProxy.getClient(port);
+            ((HTTPConduit)client.getConduit()).setTlsClientParameters(clientParameters);
+
+            assertEquals(port.greetMe("Kitty"), "Hello Kitty");
+
+            // Enable Async
+            ((BindingProvider)port).getRequestContext().put("use.async.http.conduit", true);
+
+            assertEquals(port.greetMe("Kitty"), "Hello Kitty");
+
+            ((java.io.Closeable)port).close();
+        } finally {
+            if (hostnameVerifier != null) {
+                HttpsURLConnection.setDefaultHostnameVerifier(hostnameVerifier);
+            }
+            System.clearProperty("javax.net.ssl.trustStore");
+            System.clearProperty("javax.net.ssl.trustStorePassword");
+            System.clearProperty("javax.net.ssl.trustStoreType");
+        }
+    }
+
     // No Subject Alternative Name, but the CN matches ("localhost"), so the default HostnameVerifier
     // should work fine
     @org.junit.Test
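Review bot: The `finally` block on lines 155-157 clears the three `javax.net.ssl.trustStore*` properties instead of restoring them, so if the surrounding harness or an earlier test had set a JVM-wide truststore, this test would silently remove it for everything that runs afterwards; the default hostname verifier on lines 152-154 is saved and restored, and the properties should get the same treatment. I would read the previous values before the `try` and put them back (or clear only when there was none) via a small helper, as sketched below. The same pattern is in the new test of HostnameVerificationTest (lines 252-254). The anonymous verifier's `verify(String, SSLSession)` on line 117 could also carry `@Override`.
```java
        String oldTrustStore = System.getProperty("javax.net.ssl.trustStore");
        String oldTrustStorePassword = System.getProperty("javax.net.ssl.trustStorePassword");
        String oldTrustStoreType = System.getProperty("javax.net.ssl.trustStoreType");
        HostnameVerifier hostnameVerifier = HttpsURLConnection.getDefaultHostnameVerifier();
        try {
            // … unchanged: property setup, verifier, service lookup and greetMe calls …
        } finally {
            if (hostnameVerifier != null) {
                HttpsURLConnection.setDefaultHostnameVerifier(hostnameVerifier);
            }
            restoreProperty("javax.net.ssl.trustStore", oldTrustStore);
            restoreProperty("javax.net.ssl.trustStorePassword", oldTrustStorePassword);
            restoreProperty("javax.net.ssl.trustStoreType", oldTrustStoreType);
        }
    }

    // Put a system property back to the value it had before the test, clearing it if it was unset.
    private static void restoreProperty(String name, String oldValue) {
        if (oldValue == null) {
            System.clearProperty(name);
        } else {
            System.setProperty(name, oldValue);
        }
    }
```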
diff --git a/systests/transports/src/test/java/org/apache/cxf/systest/https/hostname/HostnameVerificationTest.java
b/systests/transports/src/test/java/org/apache/cxf/systest/https/hostname/HostnameVerificationTest.java
index 2e2734b..66ce164 100644
--- a/systests/transports/src/test/java/org/apache/cxf/systest/https/hostname/HostnameVerificationTest.java
+++ b/systests/transports/src/test/java/org/apache/cxf/systest/https/hostname/HostnameVerificationTest.java
@@ -28,7 +28,11 @@ import javax.xml.ws.BindingProvider;
 import org.apache.cxf.Bus;
 import org.apache.cxf.BusFactory;
 import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.configuration.jsse.TLSClientParameters;
+import org.apache.cxf.endpoint.Client;
+import org.apache.cxf.frontend.ClientProxy;
 import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
+import org.apache.cxf.transport.http.HTTPConduit;
 import org.apache.hello_world.Greeter;
 import org.apache.hello_world.services.SOAPService;
 
@@ -218,7 +222,7 @@ public class HostnameVerificationTest extends AbstractBusClientServerTestBase
{
 
         updateAddressPort(port, PORT4);
 
-        port.greetMe("Kitty");
+        assertEquals(port.greetMe("Kitty"), "Hello Kitty");
 
         ((java.io.Closeable)port).close();
         bus.shutdown(true);
@@ -252,7 +256,7 @@ public class HostnameVerificationTest extends AbstractBusClientServerTestBase
{
 
             updateAddressPort(port, PORT4);
 
-            port.greetMe("Kitty");
+            assertEquals(port.greetMe("Kitty"), "Hello Kitty");
 
             ((java.io.Closeable)port).close();
             bus.shutdown(true);
@@ -263,6 +267,54 @@ public class HostnameVerificationTest extends AbstractBusClientServerTestBase
{
         }
     }
 
+    // No Subject Alternative Name, no matching CN - but we are setting the JVM default hostname
verifier to
+    // allow it. It differs to the method above, that we are not using a Spring configuration
file, but
+    // instead are setting a TLSClientParameters on the HTTPConduit
+    @org.junit.Test
+    public void testNoSubjectAlternativeNameNoCNMatchDefaultVerifierNoConfig() throws Exception
{
+        HostnameVerifier hostnameVerifier = HttpsURLConnection.getDefaultHostnameVerifier();
+        try {
+            System.setProperty("javax.net.ssl.trustStore", "keys/subjalt.jks");
+            System.setProperty("javax.net.ssl.trustStorePassword", "security");
+            System.setProperty("javax.net.ssl.trustStoreType", "JKS");
+            HttpsURLConnection.setDefaultHostnameVerifier(
+                new javax.net.ssl.HostnameVerifier() {
+                    public boolean verify(String hostName, javax.net.ssl.SSLSession session)
{
+                        return true;
+                    }
+                });
+
+            URL url = SOAPService.WSDL_LOCATION;
+            SOAPService service = new SOAPService(url, SOAPService.SERVICE);
+            assertNotNull("Service is null", service);
+            final Greeter port = service.getHttpsPort();
+            assertNotNull("Port is null", port);
+
+            updateAddressPort(port, PORT4);
+
+            TLSClientParameters clientParameters = new TLSClientParameters();
+            clientParameters.setUseHttpsURLConnectionDefaultHostnameVerifier(true);
+            Client client = ClientProxy.getClient(port);
+            ((HTTPConduit)client.getConduit()).setTlsClientParameters(clientParameters);
+
+            assertEquals(port.greetMe("Kitty"), "Hello Kitty");
+
+            // Enable Async
+            ((BindingProvider)port).getRequestContext().put("use.async.http.conduit", true);
+
+            assertEquals(port.greetMe("Kitty"), "Hello Kitty");
+
+            ((java.io.Closeable)port).close();
+        } finally {
+            if (hostnameVerifier != null) {
+                HttpsURLConnection.setDefaultHostnameVerifier(hostnameVerifier);
+            }
+            System.clearProperty("javax.net.ssl.trustStore");
+            System.clearProperty("javax.net.ssl.trustStorePassword");
+            System.clearProperty("javax.net.ssl.trustStoreType");
+        }
+    }
+
     // No Subject Alternative Name, but the CN wildcard matches
     @org.junit.Test
     public void testNoSubjectAlternativeNameCNWildcardMatch() throws Exception {
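Review bot: The header comment on lines 206-210 describes only the hostname-verifier aspect, although what this test contributes relative to the commit title is that no trust managers are set on the `TLSClientParameters` (lines 235-238), so the conduit — including the async conduit enabled on line 243 — must pick up the `javax.net.ssl.trustStore*` properties set on lines 216-218. I would extend the comment with `// No trust managers are configured on the TLSClientParameters, so both the default and the async conduit must fall back to the javax.net.ssl.trustStore* system properties set below`. The anonymous verifier's `verify` on line 221 should carry `@Override`. The same comment applies to the new test in HostnameVerificationDeprecatedTest (lines 102-106).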
@@ -291,4 +343,5 @@ public class HostnameVerificationTest extends AbstractBusClientServerTestBase
{
         ((java.io.Closeable)port).close();
         bus.shutdown(true);
     }
+
 }

