Replace ktor with plain socket code.

Closes #14

CHANGELOG

@@ -1,5 +1,8 @@
 vNEXT (in development)
 
+ * Replaced Ktor dependency with custom socket handling, which fixes
+   fatal issue when connecting to servers over TLS that request a
+   client certificate.
  * Added NicknameChangeRequired event for the case when a nickname is
    not allowed during connection and *MUST* be changed
 

README.md

@@ -77,15 +77,6 @@ client.connect()
 
 ## Known issues / FAQ
 
-### `java.lang.IllegalStateException: Check failed` when connecting to some servers
-
-This happens when the IRC server requests an optional client certificate (for use
-in SASL EXTERNAL auth, usually). At present there is no support for client
-certificates in the networking library used by KtIrc. This is fixed in the
-[upstream library](https://github.com/ktorio/ktor/issues/641) and will be included
-as soon as snapshot builds are available. There is no workaround other than using
-an insecure connection.
-
 ### KtIrc connects over IPv4 even when host has IPv6
 
 This is an issue with the Java standard library. You can change its behaviour by

build.gradle.kts

@@ -39,8 +39,8 @@ repositories {
 dependencies {
     implementation(kotlin("stdlib-jdk8", "1.3.21"))
     implementation("org.jetbrains.kotlinx:kotlinx-coroutines-core:1.1.1")
-    implementation("io.ktor:ktor-network:1.1.3")
-    implementation("io.ktor:ktor-network-tls:1.1.3")
+    implementation("org.jetbrains.kotlinx:kotlinx-coroutines-io-jvm:0.1.7")
+    compile(kotlin("reflect"))
 
     testImplementation("org.junit.jupiter:junit-jupiter-api:5.4.0")
     testImplementation("org.junit.jupiter:junit-jupiter-params:5.4.0")

docs/index.adoc

@@ -1099,7 +1099,7 @@ both events will need to be handled separately.
 
 TODO
 
-==== sendNickChange
+=== sendNickChange
 
 TODO
 

src/itest/kotlin/com/dmdirc/irctest/cases/connection/capabilities/v32/ServerTime.kt

@@ -6,7 +6,7 @@ val serverTime = testCase("connection.capabilities.302.server-time") {
     steps {
         expect("CAP LS 302")
         send("CAP * LS :server-time")
-        expect("CAP REQ :server-time")
+        expect("CAP REQ server-time")
         send("CAP * ACK :server-time")
         expect("CAP END")
     }

src/main/kotlin/com/dmdirc/ktirc/IrcClientImpl.kt

@@ -3,8 +3,8 @@ package com.dmdirc.ktirc
 import com.dmdirc.ktirc.events.*
 import com.dmdirc.ktirc.events.handlers.eventHandlers
 import com.dmdirc.ktirc.events.mutators.eventMutators
-import com.dmdirc.ktirc.io.KtorLineBufferedSocket
 import com.dmdirc.ktirc.io.LineBufferedSocket
+import com.dmdirc.ktirc.io.LineBufferedSocketImpl
 import com.dmdirc.ktirc.io.MessageHandler
 import com.dmdirc.ktirc.io.MessageParser
 import com.dmdirc.ktirc.messages.*
@@ -13,11 +13,9 @@ import com.dmdirc.ktirc.model.*
 import com.dmdirc.ktirc.util.currentTimeProvider
 import com.dmdirc.ktirc.util.generateLabel
 import com.dmdirc.ktirc.util.logger
-import io.ktor.util.KtorExperimentalAPI
 import kotlinx.coroutines.*
 import kotlinx.coroutines.channels.Channel
 import kotlinx.coroutines.channels.map
-import kotlinx.coroutines.time.withTimeoutOrNull
 import java.time.Duration
 import java.util.concurrent.atomic.AtomicBoolean
 import java.util.logging.Level
@@ -35,8 +33,7 @@ internal class IrcClientImpl(private val config: IrcClientConfig) : Experimental
     override val coroutineContext = GlobalScope.newCoroutineContext(Dispatchers.IO)
 
     @ExperimentalCoroutinesApi
-    @KtorExperimentalAPI
-    internal var socketFactory: (CoroutineScope, String, Int, Boolean) -> LineBufferedSocket = ::KtorLineBufferedSocket
+    internal var socketFactory: (CoroutineScope, String, Int, Boolean) -> LineBufferedSocket = ::LineBufferedSocketImpl
 
     internal var asyncTimeout = Duration.ofSeconds(20)
 
@@ -76,7 +73,7 @@ internal class IrcClientImpl(private val config: IrcClientConfig) : Experimental
             send(tags, command, *arguments)
         }
 
-        withTimeoutOrNull(asyncTimeout) {
+        withTimeoutOrNull(asyncTimeout.toMillis()) {
             channel.receive()
         }.also { serverState.asyncResponseState.pendingResponses.remove(label) }
     }

src/main/kotlin/com/dmdirc/ktirc/io/LineBufferedSocket.kt

@@ -1,23 +1,17 @@
 package com.dmdirc.ktirc.io
 
 import com.dmdirc.ktirc.util.logger
-import io.ktor.network.selector.ActorSelectorManager
-import io.ktor.network.sockets.Socket
-import io.ktor.network.sockets.aSocket
-import io.ktor.network.sockets.openReadChannel
-import io.ktor.network.sockets.openWriteChannel
-import io.ktor.network.tls.tls
-import io.ktor.util.KtorExperimentalAPI
 import kotlinx.coroutines.*
 import kotlinx.coroutines.channels.Channel
 import kotlinx.coroutines.channels.ReceiveChannel
 import kotlinx.coroutines.channels.SendChannel
 import kotlinx.coroutines.channels.produce
-import kotlinx.coroutines.io.ByteReadChannel
 import kotlinx.coroutines.io.ByteWriteChannel
 import java.net.InetSocketAddress
+import java.nio.ByteBuffer
 import java.security.SecureRandom
 import java.security.cert.CertificateException
+import javax.net.ssl.SSLContext
 import javax.net.ssl.X509TrustManager
 
 internal interface LineBufferedSocket {
@@ -36,9 +30,8 @@ internal interface LineBufferedSocket {
  * Asynchronous socket that buffers incoming data and emits individual lines.
  */
 // TODO: Expose advanced TLS options
-@KtorExperimentalAPI
 @ExperimentalCoroutinesApi
-internal class KtorLineBufferedSocket(coroutineScope: CoroutineScope, private val host: String, private val port: Int, private val tls: Boolean = false) : CoroutineScope, LineBufferedSocket {
+internal class LineBufferedSocketImpl(coroutineScope: CoroutineScope, private val host: String, private val port: Int, private val tls: Boolean = false) : CoroutineScope, LineBufferedSocket {
 
     companion object {
         const val CARRIAGE_RETURN = '\r'.toByte()
@@ -53,21 +46,22 @@ internal class KtorLineBufferedSocket(coroutineScope: CoroutineScope, private va
     private val log by logger()
 
     private lateinit var socket: Socket
-    private lateinit var readChannel: ByteReadChannel
     private lateinit var writeChannel: ByteWriteChannel
 
     override fun connect() {
+        log.info { "Connecting..." }
+        socket = PlainTextSocket(this)
+
         runBlocking {
-            log.info { "Connecting..." }
-            socket = aSocket(ActorSelectorManager(Dispatchers.IO)).tcp().connect(InetSocketAddress(host, port))
             if (tls) {
-                socket = socket.tls(
-                        coroutineContext = this@KtorLineBufferedSocket.coroutineContext,
-                        randomAlgorithm = SecureRandom.getInstanceStrong().algorithm,
-                        trustManager = tlsTrustManager)
+                with (SSLContext.getInstance("TLSv1.2")) {
+                    init(null, tlsTrustManager?.let { arrayOf(it) }, SecureRandom.getInstanceStrong())
+                    socket = TlsSocket(this@LineBufferedSocketImpl, socket, this, host)
+                }
             }
-            readChannel = socket.openReadChannel()
-            writeChannel = socket.openWriteChannel()
+            socket.connect(InetSocketAddress(host, port))
+            println("connected!")
+            writeChannel = socket.write
         }
         launch { writeLines() }
     }
@@ -82,9 +76,9 @@ internal class KtorLineBufferedSocket(coroutineScope: CoroutineScope, private va
         get() = produce {
             val lineBuffer = ByteArray(16384)
             var nextByteOffset = 0
-            while (!readChannel.isClosedForRead) {
+            while (socket.isOpen) {
                 var lineStart = 0
-                val bytesRead = readChannel.readAvailable(lineBuffer, nextByteOffset, lineBuffer.size - nextByteOffset)
+                val bytesRead = socket.read(ByteBuffer.wrap(lineBuffer).apply { position(nextByteOffset) })
                 for (i in nextByteOffset until nextByteOffset + bytesRead) {
                     if (lineBuffer[i] == CARRIAGE_RETURN || lineBuffer[i] == LINE_FEED) {
                         if (lineStart < i) {

src/main/kotlin/com/dmdirc/ktirc/io/Sockets.kt

@@ -0,0 +1,148 @@
+package com.dmdirc.ktirc.io
+
+import kotlinx.coroutines.CancellableContinuation
+import kotlinx.coroutines.CoroutineScope
+import kotlinx.coroutines.io.ByteChannel
+import kotlinx.coroutines.io.ByteWriteChannel
+import kotlinx.coroutines.io.close
+import kotlinx.coroutines.launch
+import kotlinx.coroutines.suspendCancellableCoroutine
+import kotlinx.io.pool.DefaultPool
+import java.net.SocketAddress
+import java.nio.ByteBuffer
+import java.nio.channels.*
+import kotlin.coroutines.resume
+import kotlin.coroutines.resumeWithException
+
+internal const val BUFFER_SIZE = 32768
+internal const val POOL_SIZE = 16
+
+internal val defaultPool = ByteBufferPool()
+
+internal class ByteBufferPool : DefaultPool<ByteBuffer>(POOL_SIZE) {
+    override fun produceInstance(): ByteBuffer = ByteBuffer.allocate(BUFFER_SIZE)
+    override fun clearInstance(instance: ByteBuffer): ByteBuffer = instance.apply { clear() }
+
+    inline fun <T> borrow(block: (ByteBuffer) -> T): T {
+        val buffer = borrow()
+        try {
+            return block(buffer)
+        } finally {
+            recycle(buffer)
+        }
+    }
+}
+
+internal interface Socket {
+    fun bind(socketAddress: SocketAddress)
+    suspend fun connect(socketAddress: SocketAddress)
+    suspend fun read(buffer: ByteBuffer): Int
+    fun close()
+    val write: ByteWriteChannel
+    val isOpen: Boolean
+}
+
+internal class PlainTextSocket(private val scope: CoroutineScope) : Socket {
+
+    private val client = AsynchronousSocketChannel.open()
+    private var writeChannel = ByteChannel(autoFlush = true)
+
+    override val write: ByteWriteChannel
+        get() = writeChannel
+
+    override val isOpen: Boolean
+        get() = client.isOpen
+
+    override fun bind(socketAddress: SocketAddress) {
+        client.bind(socketAddress)
+    }
+
+    override suspend fun connect(socketAddress: SocketAddress) {
+        writeChannel = ByteChannel(autoFlush = true)
+
+        suspendCancellableCoroutine<Unit> { continuation ->
+            client.closeOnCancel(continuation)
+            client.connect(socketAddress, continuation, AsyncVoidIOHandler)
+        }
+
+        scope.launch { writeLoop() }
+    }
+
+    override fun close() {
+        writeChannel.close()
+        client.close()
+    }
+
+    override suspend fun read(buffer: ByteBuffer) = try {
+        val bytes = suspendCancellableCoroutine<Int> { continuation ->
+
+            client.closeOnCancel(continuation)
+            client.read(buffer, continuation, asyncIOHandler())
+        }
+
+        if (bytes == -1) {
+            close()
+        }
+        bytes
+    } catch (_: ClosedChannelException) {
+        // Ignore
+        0
+    }
+
+    private suspend fun writeLoop() {
+        while (client.isOpen) {
+            defaultPool.borrow { buffer ->
+                writeChannel.readAvailable(buffer)
+                buffer.flip()
+                try {
+                    suspendCancellableCoroutine<Int> { continuation ->
+                        client.closeOnCancel(continuation)
+                        client.write(buffer, continuation, asyncIOHandler())
+                    }
+                } catch (_: ClosedChannelException) {
+                    // Ignore
+                }
+            }
+        }
+    }
+
+}
+
+private fun Channel.closeOnCancel(cont: CancellableContinuation<*>) {
+    cont.invokeOnCancellation {
+        try {
+            close()
+        } catch (ex: Throwable) {
+            // Specification says that it is Ok to call it any time, but reality is different,
+            // so we have just to ignore exception
+        }
+    }
+}
+
+@Suppress("UNCHECKED_CAST")
+private fun <T> asyncIOHandler(): CompletionHandler<T, CancellableContinuation<T>> =
+        AsyncIOHandlerAny as CompletionHandler<T, CancellableContinuation<T>>
+
+private object AsyncIOHandlerAny : CompletionHandler<Any, CancellableContinuation<Any>> {
+    override fun completed(result: Any, cont: CancellableContinuation<Any>) {
+        cont.resume(result)
+    }
+
+    override fun failed(ex: Throwable, cont: CancellableContinuation<Any>) {
+        // just return if already cancelled and got an expected exception for that case
+        if (ex is AsynchronousCloseException && cont.isCancelled) return
+        cont.resumeWithException(ex)
+    }
+}
+
+private object AsyncVoidIOHandler : CompletionHandler<Void?, CancellableContinuation<Unit>> {
+    override fun completed(result: Void?, cont: CancellableContinuation<Unit>) {
+        cont.resume(Unit)
+    }
+
+    override fun failed(ex: Throwable, cont: CancellableContinuation<Unit>) {
+        // just return if already cancelled and got an expected exception for that case
+        if (ex is AsynchronousCloseException && cont.isCancelled) return
+        cont.resumeWithException(ex)
+    }
+}

src/main/kotlin/com/dmdirc/ktirc/io/Tls.kt

@@ -0,0 +1,196 @@
+package com.dmdirc.ktirc.io
+
+import kotlinx.coroutines.CoroutineScope
+import kotlinx.coroutines.io.ByteChannel
+import kotlinx.coroutines.io.ByteWriteChannel
+import kotlinx.coroutines.launch
+import kotlinx.coroutines.sync.Mutex
+import kotlinx.coroutines.sync.withLock
+import java.net.SocketAddress
+import java.nio.ByteBuffer
+import java.security.cert.CertificateException
+import java.security.cert.X509Certificate
+import java.util.regex.Pattern
+import javax.naming.ldap.LdapName
+import javax.naming.ldap.Rdn
+import javax.net.ssl.SSLContext
+import javax.net.ssl.SSLEngine
+import javax.net.ssl.SSLEngineResult
+
+
+internal class TlsSocket(
+        private val scope: CoroutineScope,
+        private val socket: Socket,
+        private val sslContext: SSLContext,
+        private val hostname: String
+) : Socket {
+
+    private var engine: SSLEngine = sslContext.createSSLEngine()
+
+    private var incomingNetBuffer = ByteBuffer.allocate(0)
+    private var outgoingAppBuffer = ByteBuffer.allocate(0)
+    private var incomingAppBuffer = ByteBuffer.allocate(0)
+    private val outgoingAppBufferMutex = Mutex(false)
+
+    private var writeChannel = ByteChannel(autoFlush = true)
+
+    override val write: ByteWriteChannel
+        get() = writeChannel
+
+    override val isOpen: Boolean
+        get() = socket.isOpen
+
+    override fun bind(socketAddress: SocketAddress) {
+        socket.bind(socketAddress)
+    }
+
+    override suspend fun connect(socketAddress: SocketAddress) {
+        writeChannel = ByteChannel(autoFlush = true)
+
+        engine = sslContext.createSSLEngine().apply {
+            useClientMode = true
+        }
+
+        incomingNetBuffer = ByteBuffer.allocate(engine.session.packetBufferSize)
+        outgoingAppBuffer = ByteBuffer.allocate(engine.session.applicationBufferSize)
+        incomingAppBuffer = ByteBuffer.allocate(engine.session.applicationBufferSize)
+
+        socket.connect(socketAddress)
+
+        engine.beginHandshake()
+
+        sslLoop()
+    }
+
+    private suspend fun sslLoop(initialResult: SSLEngineResult? = null) {
+        var result: SSLEngineResult? = initialResult
+        var handshakeStatus = result?.handshakeStatus ?: engine.handshakeStatus
+        while (true) {
+            when (handshakeStatus) {
+                SSLEngineResult.HandshakeStatus.NEED_TASK -> {
+                    engine.delegatedTask.run()
+                    handshakeStatus = engine.handshakeStatus
+                }
+                SSLEngineResult.HandshakeStatus.NEED_WRAP -> {
+                    result = wrap()
+                    handshakeStatus = result?.handshakeStatus
+                }
+
+                SSLEngineResult.HandshakeStatus.NEED_UNWRAP -> {
+                    result = unwrap()
+                    handshakeStatus = result?.handshakeStatus
+                }
+
+                SSLEngineResult.HandshakeStatus.FINISHED -> {
+                    val certs = engine.session.peerCertificates
+                    if (certs.isEmpty() || (certs[0] as? X509Certificate)?.validFor(hostname) == false) {
+                        throw CertificateException("Certificate is not valid for $hostname")
+                    }
+                    scope.launch { readLoop() }
+                    scope.launch { writeLoop() }
+                    return
+                }
+
+                else -> return
+            }
+        }
+    }
+
+    override suspend fun read(buffer: ByteBuffer) = outgoingAppBufferMutex.withLock<Int> {
+        outgoingAppBuffer.flip()
+        val bytes = outgoingAppBuffer.limit()
+        buffer.put(outgoingAppBuffer)
+        outgoingAppBuffer.clear()
+        return bytes
+    }
+
+    private suspend fun wrap(): SSLEngineResult? {
+        var result: SSLEngineResult? = null
+        defaultPool.borrow { netBuffer ->
+            if (engine.handshakeStatus <= SSLEngineResult.HandshakeStatus.FINISHED) {
+                writeChannel.readAvailable(incomingAppBuffer)
+            }
+            incomingAppBuffer.flip()
+            result = engine.wrap(incomingAppBuffer, netBuffer)
+            incomingAppBuffer.compact()
+
+            netBuffer.flip()
+            socket.write.writeFully(netBuffer)
+        }
+        return result
+    }
+
+    private suspend fun unwrap(): SSLEngineResult? {
+        if (incomingNetBuffer.position() == 0) {
+            val bytes = socket.read(incomingNetBuffer.slice())
+            if (bytes == -1) {
+                close()
+                return null
+            }
+            incomingNetBuffer.position(incomingNetBuffer.position() + bytes)
+        }
+
+        incomingNetBuffer.flip()
+        outgoingAppBufferMutex.withLock {
+            val result = engine.unwrap(incomingNetBuffer, outgoingAppBuffer)
+            incomingNetBuffer.compact()
+            return result
+        }
+    }
+
+    override fun close() {
+        socket.close()
+    }
+
+    private suspend fun readLoop() {
+        while (socket.isOpen) {
+            sslLoop(unwrap())
+        }
+    }
+
+    private suspend fun writeLoop() {
+        while (socket.isOpen) {
+            sslLoop(wrap())
+        }
+    }
+
+}
+
+internal fun X509Certificate.validFor(host: String): Boolean {
+    val hostParts = host.split('.')
+    return allNames
+            .map { it.split('.') }
+            .filter { it.size == hostParts.size }
+            .filter { it[0].wildCardMatches(hostParts[0]) }
+            .any { it.zip(hostParts).slice(1 until hostParts.size).all { (part, host) -> part.equals(host, ignoreCase = true) } }
+}
+
+private fun String.wildCardMatches(host: String) =
+        count { it == '*' } <= 1 &&
+                host.matches(Regex(split('*').joinToString(".*") { Pattern.quote(it) }, RegexOption.IGNORE_CASE))
+
+private val X509Certificate.allNames: Sequence<String>
+    get() = sequence {
+        commonName?.let { yield(it) }
+        yieldAll(subjectAlternateNames)
+    }
+
+private val X509Certificate.subjectAlternateNames: Set<String>
+    get() = nullOnThrow {
+        subjectAlternativeNames
+                ?.filter { it[0] == 2 }
+                ?.map { it[1].toString() }
+                ?.toSet()
+    } ?: emptySet()
+
+private val X509Certificate.commonName: String?
+    get() = nullOnThrow { rdns["CN"]?.firstOrNull()?.value?.toString() }
+
+private val X509Certificate.rdns: Map<String, List<Rdn>>
+    get() = LdapName(subjectX500Principal.name).rdns.groupBy { it.type.toUpperCase() }
+
+private inline fun <S> nullOnThrow(block: () -> S?): S? = try {
+    block()
+} catch (ex: Throwable) {
+    null
+}

src/test/kotlin/com/dmdirc/ktirc/IrcClientImplTest.kt

@@ -7,7 +7,6 @@ import com.dmdirc.ktirc.messages.tagMap
 import com.dmdirc.ktirc.model.*
 import com.dmdirc.ktirc.util.currentTimeProvider
 import com.dmdirc.ktirc.util.generateLabel
-import io.ktor.util.KtorExperimentalAPI
 import io.mockk.*
 import kotlinx.coroutines.*
 import kotlinx.coroutines.channels.Channel
@@ -22,7 +21,6 @@ import java.nio.channels.UnresolvedAddressException
 import java.security.cert.CertificateException
 import java.util.concurrent.atomic.AtomicReference
 
-@KtorExperimentalAPI
 @ExperimentalCoroutinesApi
 internal class IrcClientImplTest {
 

src/test/kotlin/com/dmdirc/ktirc/io/KtorLineBufferedSocketTest.kt → src/test/kotlin/com/dmdirc/ktirc/io/LineBufferedSocketImplTest.kt

@@ -1,14 +1,11 @@
 package com.dmdirc.ktirc.io
 
-import io.ktor.network.tls.certificates.generateCertificate
-import io.ktor.util.KtorExperimentalAPI
 import kotlinx.coroutines.*
 import org.junit.jupiter.api.Assertions.assertEquals
 import org.junit.jupiter.api.Assertions.assertNotNull
 import org.junit.jupiter.api.Test
 import org.junit.jupiter.api.parallel.Execution
 import org.junit.jupiter.api.parallel.ExecutionMode
-import java.io.File
 import java.net.ServerSocket
 import java.security.KeyStore
 import java.security.cert.X509Certificate
@@ -16,15 +13,14 @@ import javax.net.ssl.KeyManagerFactory
 import javax.net.ssl.SSLContext
 import javax.net.ssl.X509TrustManager
 
-@KtorExperimentalAPI
 @ExperimentalCoroutinesApi
 @Execution(ExecutionMode.SAME_THREAD)
-internal class KtorLineBufferedSocketTest {
+internal class LineBufferedSocketImplTest {
 
     @Test
     fun `KtorLineBufferedSocket can connect to a server`() = runBlocking {
         ServerSocket(12321).use { serverSocket ->
-            val socket = KtorLineBufferedSocket(GlobalScope, "localhost", 12321)
+            val socket = LineBufferedSocketImpl(GlobalScope, "localhost", 12321)
             val clientSocketAsync = GlobalScope.async { serverSocket.accept() }
 
             socket.connect()
@@ -36,7 +32,7 @@ internal class KtorLineBufferedSocketTest {
     @Test
     fun `KtorLineBufferedSocket can send a byte array to a server`() = runBlocking {
         ServerSocket(12321).use { serverSocket ->
-            val socket = KtorLineBufferedSocket(GlobalScope, "localhost", 12321)
+            val socket = LineBufferedSocketImpl(GlobalScope, "localhost", 12321)
             val clientBytesAsync = GlobalScope.async {
                 ByteArray(13).apply {
                     serverSocket.accept().getInputStream().read(this)
@@ -55,7 +51,7 @@ internal class KtorLineBufferedSocketTest {
     @Test
     fun `KtorLineBufferedSocket can send a string to a server over TLS`() = runBlocking {
         tlsServerSocket(12321).use { serverSocket ->
-            val socket = KtorLineBufferedSocket(GlobalScope, "localhost", 12321, true)
+            val socket = LineBufferedSocketImpl(GlobalScope, "localhost", 12321, true)
             socket.tlsTrustManager = getTrustingManager()
             val clientBytesAsync = GlobalScope.async {
                 ByteArray(13).apply {
@@ -75,7 +71,7 @@ internal class KtorLineBufferedSocketTest {
     @Test
     fun `KtorLineBufferedSocket can receive a line of CRLF delimited text`() = runBlocking {
         ServerSocket(12321).use { serverSocket ->
-            val socket = KtorLineBufferedSocket(GlobalScope, "localhost", 12321)
+            val socket = LineBufferedSocketImpl(GlobalScope, "localhost", 12321)
             GlobalScope.launch {
                 serverSocket.accept().getOutputStream().write("Hi there\r\n".toByteArray())
             }
@@ -88,7 +84,7 @@ internal class KtorLineBufferedSocketTest {
     @Test
     fun `KtorLineBufferedSocket can receive a line of LF delimited text`() = runBlocking {
         ServerSocket(12321).use { serverSocket ->
-            val socket = KtorLineBufferedSocket(GlobalScope, "localhost", 12321)
+            val socket = LineBufferedSocketImpl(GlobalScope, "localhost", 12321)
             GlobalScope.launch {
                 serverSocket.accept().getOutputStream().write("Hi there\n".toByteArray())
             }
@@ -101,7 +97,7 @@ internal class KtorLineBufferedSocketTest {
     @Test
     fun `KtorLineBufferedSocket can receive multiple lines of text in one packet`() = runBlocking {
         ServerSocket(12321).use { serverSocket ->
-            val socket = KtorLineBufferedSocket(GlobalScope, "localhost", 12321)
+            val socket = LineBufferedSocketImpl(GlobalScope, "localhost", 12321)
             GlobalScope.launch {
                 serverSocket.accept().getOutputStream().write("Hi there\nThis is a test\r".toByteArray())
             }
@@ -116,7 +112,7 @@ internal class KtorLineBufferedSocketTest {
     @Test
     fun `KtorLineBufferedSocket can receive multiple long lines of text`() = runBlocking {
         ServerSocket(12321).use { serverSocket ->
-            val socket = KtorLineBufferedSocket(GlobalScope, "localhost", 12321)
+            val socket = LineBufferedSocketImpl(GlobalScope, "localhost", 12321)
             val line1 = "abcdefghijklmnopqrstuvwxyz".repeat(500)
             val line2 = "1234567890987654321[];'#,.".repeat(500)
             val line3 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ".repeat(500)
@@ -135,7 +131,7 @@ internal class KtorLineBufferedSocketTest {
     @Test
     fun `KtorLineBufferedSocket can receive one line of text over multiple packets`() = runBlocking {
         ServerSocket(12321).use { serverSocket ->
-            val socket = KtorLineBufferedSocket(GlobalScope, "localhost", 12321)
+            val socket = LineBufferedSocketImpl(GlobalScope, "localhost", 12321)
             GlobalScope.launch {
                 with(serverSocket.accept().getOutputStream()) {
                     write("Hi".toByteArray())
@@ -156,7 +152,7 @@ internal class KtorLineBufferedSocketTest {
     @Test
     fun `KtorLineBufferedSocket returns from readLines when socket is closed`() = runBlocking {
         ServerSocket(12321).use { serverSocket ->
-            val socket = KtorLineBufferedSocket(GlobalScope, "localhost", 12321)
+            val socket = LineBufferedSocketImpl(GlobalScope, "localhost", 12321)
             GlobalScope.launch {
                 with(serverSocket.accept()) {
                     getOutputStream().write("Hi there\r\n".toByteArray())
@@ -173,7 +169,7 @@ internal class KtorLineBufferedSocketTest {
     @Test
     fun `KtorLineBufferedSocket disconnects from server`() = runBlocking {
         ServerSocket(12321).use { serverSocket ->
-            val socket = KtorLineBufferedSocket(GlobalScope, "localhost", 12321)
+            val socket = LineBufferedSocketImpl(GlobalScope, "localhost", 12321)
             val clientSocketAsync = GlobalScope.async { serverSocket.accept() }
 
             socket.connect()
@@ -184,14 +180,11 @@ internal class KtorLineBufferedSocketTest {
     }
 
     private fun tlsServerSocket(port: Int): ServerSocket {
-        val keyFile = File.createTempFile("selfsigned", "jks")
-        generateCertificate(keyFile)
-
-        val keyStore = KeyStore.getInstance("JKS")
-        keyStore.load(keyFile.inputStream(), "changeit".toCharArray())
+        val keyStore = KeyStore.getInstance("PKCS12")
+        keyStore.load(LineBufferedSocketImplTest::class.java.getResourceAsStream("localhost.p12"), CharArray(0))
 
         val keyManagerFactory = KeyManagerFactory.getInstance("PKIX")
-        keyManagerFactory.init(keyStore, "changeit".toCharArray())
+        keyManagerFactory.init(keyStore, CharArray(0))
 
         val sslContext = SSLContext.getInstance("TLSv1.2")
         sslContext.init(keyManagerFactory.keyManagers, null, null)

src/test/kotlin/com/dmdirc/ktirc/io/TlsTest.kt

@@ -0,0 +1,152 @@
+package com.dmdirc.ktirc.io
+
+import io.mockk.every
+import io.mockk.mockk
+import org.junit.jupiter.api.Assertions.assertFalse
+import org.junit.jupiter.api.Assertions.assertTrue
+import org.junit.jupiter.api.Test
+import java.security.cert.CertificateException
+import java.security.cert.X509Certificate
+
+internal class CertificateValidationTest {
+
+    private val cert = mockk<X509Certificate>()
+
+    @Test
+    fun `checks common name`() {
+        every { cert.subjectX500Principal } returns mockk {
+            every { name } returns "CN=subdomain.test.ktirc,O=testing,L=London,C=GB"
+        }
+
+        assertTrue(cert.validFor("subdomain.test.ktirc"))
+        assertFalse(cert.validFor("subdomain2.test.ktirc"))
+        assertFalse(cert.validFor("testing"))
+    }
+
+    @Test
+    fun `checks common name with suffixed wildcard`() {
+        every { cert.subjectX500Principal } returns mockk {
+            every { name } returns "CN=subdomain*.test.ktirc,O=testing,L=London,C=GB"
+        }
+
+        assertTrue(cert.validFor("subdomain.test.ktirc"))
+        assertTrue(cert.validFor("subdomain2.test.ktirc"))
+        assertFalse(cert.validFor("foo.subdomain.test.ktirc"))
+        assertFalse(cert.validFor("1subdomain.test.ktirc"))
+    }
+
+    @Test
+    fun `checks common name with preixed wildcard`() {
+        every { cert.subjectX500Principal } returns mockk {
+            every { name } returns "CN=*subdomain.test.ktirc,O=testing,L=London,C=GB"
+        }
+
+        assertTrue(cert.validFor("subdomain.test.ktirc"))
+        assertTrue(cert.validFor("1subdomain.test.ktirc"))
+        assertFalse(cert.validFor("foo.subdomain.test.ktirc"))
+        assertFalse(cert.validFor("subdomain1.test.ktirc"))
+    }
+
+    @Test
+    fun `checks common name with infixed wildcard`() {
+        every { cert.subjectX500Principal } returns mockk {
+            every { name } returns "CN=sub*domain.test.ktirc,O=testing,L=London,C=GB"
+        }
+
+        assertTrue(cert.validFor("subdomain.test.ktirc"))
+        assertTrue(cert.validFor("SUB-domain.test.ktirc"))
+        assertFalse(cert.validFor("foo.subdomain.test.ktirc"))
+        assertFalse(cert.validFor("subdomain1.test.ktirc"))
+    }
+
+    @Test
+    fun `ignores wildcards in CN if they're not left-most`() {
+        every { cert.subjectX500Principal } returns mockk {
+            every { name } returns "CN=foo.*domain.test.ktirc,O=testing,L=London,C=GB"
+        }
+
+        assertFalse(cert.validFor("foo.domain.test.ktirc"))
+        assertFalse(cert.validFor("foo-test.domain.test.ktirc"))
+        assertFalse(cert.validFor("foo.test-domain.test.ktirc"))
+    }
+
+    @Test
+    fun `ignores wildcards in CN if there are too many`() {
+        every { cert.subjectX500Principal } returns mockk {
+            every { name } returns "CN=*domain*.test.ktirc,O=testing,L=London,C=GB"
+        }
+
+        assertFalse(cert.validFor("domain.test.ktirc"))
+        assertFalse(cert.validFor("subdomain.test.ktirc"))
+        assertFalse(cert.validFor("domain1.test.ktirc"))
+    }
+
+    @Test
+    fun `checks all sans`() {
+        every { cert.subjectAlternativeNames } returns listOf(
+                listOf(4, "directory.test.ktirc"),
+                listOf(2, "subdomain1.test.ktirc"),
+                listOf(2, "subdomain2.test.ktirc"),
+                listOf(2, "subdomain3.test.ktirc")
+        )
+
+        assertTrue(cert.validFor("subdomain1.test.ktirc"))
+        assertTrue(cert.validFor("subdomain2.test.KTIRC"))
+        assertTrue(cert.validFor("subdomain3.test.ktirc"))
+        assertFalse(cert.validFor("directory.test.ktirc"))
+    }
+
+    @Test
+    fun `checks wildcard sans`() {
+        every { cert.subjectAlternativeNames } returns listOf(
+                listOf(4, "directory.test.ktirc"),
+                listOf(2, "*domain1.test.ktirc"),
+                listOf(2, "subdomain*.test.ktirc"),
+                listOf(2, "*foo*.test.ktirc"),
+                listOf(2, "foo.*.ktirc")
+        )
+
+        assertTrue(cert.validFor("subdomain1.test.ktirc"))
+        assertTrue(cert.validFor("subdomain2.test.ktirc"))
+        assertTrue(cert.validFor("gooddomain1.TEST.ktirc"))
+        assertFalse(cert.validFor("foo.test.ktirc"))
+    }
+
+    @Test
+    fun `still uses CN if sans throws`() {
+        every { cert.subjectX500Principal } returns mockk {
+            every { name } returns "CN=subdomain.test.ktirc,O=testing,L=London,C=GB"
+        }
+        every { cert.subjectAlternativeNames } throws CertificateException("Oops")
+
+        assertTrue(cert.validFor("subdomain.test.ktirc"))
+        assertFalse(cert.validFor("subdomain2.test.ktirc"))
+        assertFalse(cert.validFor("testing"))
+    }
+
+    @Test
+    fun `still uses sans if CN throws`() {
+        every { cert.subjectX500Principal } throws CertificateException("Oops")
+        every { cert.subjectAlternativeNames } returns listOf(
+                listOf(4, "directory.test.ktirc"),
+                listOf(2, "subdomain1.test.ktirc"),
+                listOf(2, "subdomain2.test.ktirc"),
+                listOf(2, "subdomain3.test.ktirc")
+        )
+
+        assertTrue(cert.validFor("subdomain1.test.ktirc"))
+        assertTrue(cert.validFor("subdomain2.test.KTIRC"))
+        assertTrue(cert.validFor("subdomain3.test.ktirc"))
+        assertFalse(cert.validFor("directory.test.ktirc"))
+    }
+
+
+    @Test
+    fun `fails if CN and sans missing`() {
+        assertFalse(cert.validFor("subdomain1.test.ktirc"))
+        assertFalse(cert.validFor("subdomain2.test.KTIRC"))
+        assertFalse(cert.validFor("subdomain3.test.ktirc"))
+        assertFalse(cert.validFor("directory.test.ktirc"))
+    }
+
+}