mirror
/
KtIrc
mirror of https://github.com/csmith/KtIrc
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 20 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
161 Commits
2 Branches
Tree: 136329c27d
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '136329c27d'
${ noResults }
KtIrc/src/test/kotlin/com/dmdirc/ktirc/io/TlsTest.kt

TlsTest.kt 11KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304 
  1. package com.dmdirc.ktirc.io

  2. 

  3. import io.mockk.every

  4. import io.mockk.mockk

  5. import kotlinx.coroutines.*

  6. import kotlinx.coroutines.io.writeFully

  7. import kotlinx.io.core.String

  8. import org.junit.jupiter.api.AfterEach

  9. import org.junit.jupiter.api.Assertions.*

  10. import org.junit.jupiter.api.BeforeEach

  11. import org.junit.jupiter.api.Test

  12. import org.junit.jupiter.api.parallel.Execution

  13. import org.junit.jupiter.api.parallel.ExecutionMode

  14. import java.net.InetSocketAddress

  15. import java.net.ServerSocket

  16. import java.security.KeyStore

  17. import java.security.cert.CertificateException

  18. import java.security.cert.X509Certificate

  19. import javax.net.ssl.KeyManagerFactory

  20. import javax.net.ssl.SSLContext

  21. import javax.net.ssl.X509TrustManager

  22. import kotlin.coroutines.CoroutineContext

  23. 

  24. internal class CertificateValidationTest {

  25. 

  26.     private val cert = mockk<X509Certificate>()

  27. 

  28.     @Test

  29.     fun `checks common name`() {

  30.         every { cert.subjectX500Principal } returns mockk {

  31.             every { name } returns "CN=subdomain.test.ktirc,O=testing,L=London,C=GB"

  32.         }

  33. 

  34.         assertTrue(cert.validFor("subdomain.test.ktirc"))

  35.         assertFalse(cert.validFor("subdomain2.test.ktirc"))

  36.         assertFalse(cert.validFor("testing"))

  37.     }

  38. 

  39.     @Test

  40.     fun `checks common name with suffixed wildcard`() {

  41.         every { cert.subjectX500Principal } returns mockk {

  42.             every { name } returns "CN=subdomain*.test.ktirc,O=testing,L=London,C=GB"

  43.         }

  44. 

  45.         assertTrue(cert.validFor("subdomain.test.ktirc"))

  46.         assertTrue(cert.validFor("subdomain2.test.ktirc"))

  47.         assertFalse(cert.validFor("foo.subdomain.test.ktirc"))

  48.         assertFalse(cert.validFor("1subdomain.test.ktirc"))

  49.     }

  50. 

  51.     @Test

  52.     fun `checks common name with preixed wildcard`() {

  53.         every { cert.subjectX500Principal } returns mockk {

  54.             every { name } returns "CN=*subdomain.test.ktirc,O=testing,L=London,C=GB"

  55.         }

  56. 

  57.         assertTrue(cert.validFor("subdomain.test.ktirc"))

  58.         assertTrue(cert.validFor("1subdomain.test.ktirc"))

  59.         assertFalse(cert.validFor("foo.subdomain.test.ktirc"))

  60.         assertFalse(cert.validFor("subdomain1.test.ktirc"))

  61.     }

  62. 

  63.     @Test

  64.     fun `checks common name with infixed wildcard`() {

  65.         every { cert.subjectX500Principal } returns mockk {

  66.             every { name } returns "CN=sub*domain.test.ktirc,O=testing,L=London,C=GB"

  67.         }

  68. 

  69.         assertTrue(cert.validFor("subdomain.test.ktirc"))

  70.         assertTrue(cert.validFor("SUB-domain.test.ktirc"))

  71.         assertFalse(cert.validFor("foo.subdomain.test.ktirc"))

  72.         assertFalse(cert.validFor("subdomain1.test.ktirc"))

  73.     }

  74. 

  75.     @Test

  76.     fun `ignores wildcards in CN if they're not left-most`() {

  77.         every { cert.subjectX500Principal } returns mockk {

  78.             every { name } returns "CN=foo.*domain.test.ktirc,O=testing,L=London,C=GB"

  79.         }

  80. 

  81.         assertFalse(cert.validFor("foo.domain.test.ktirc"))

  82.         assertFalse(cert.validFor("foo-test.domain.test.ktirc"))

  83.         assertFalse(cert.validFor("foo.test-domain.test.ktirc"))

  84.     }

  85. 

  86.     @Test

  87.     fun `ignores wildcards in CN if there are too many`() {

  88.         every { cert.subjectX500Principal } returns mockk {

  89.             every { name } returns "CN=*domain*.test.ktirc,O=testing,L=London,C=GB"

  90.         }

  91. 

  92.         assertFalse(cert.validFor("domain.test.ktirc"))

  93.         assertFalse(cert.validFor("subdomain.test.ktirc"))

  94.         assertFalse(cert.validFor("domain1.test.ktirc"))

  95.     }

  96. 

  97.     @Test

  98.     fun `checks all sans`() {

  99.         every { cert.subjectAlternativeNames } returns listOf(

  100.                 listOf(4, "directory.test.ktirc"),

  101.                 listOf(2, "subdomain1.test.ktirc"),

  102.                 listOf(2, "subdomain2.test.ktirc"),

  103.                 listOf(2, "subdomain3.test.ktirc")

  104.         )

  105. 

  106.         assertTrue(cert.validFor("subdomain1.test.ktirc"))

  107.         assertTrue(cert.validFor("subdomain2.test.KTIRC"))

  108.         assertTrue(cert.validFor("subdomain3.test.ktirc"))

  109.         assertFalse(cert.validFor("directory.test.ktirc"))

  110.     }

  111. 

  112.     @Test

  113.     fun `checks wildcard sans`() {

  114.         every { cert.subjectAlternativeNames } returns listOf(

  115.                 listOf(4, "directory.test.ktirc"),

  116.                 listOf(2, "*domain1.test.ktirc"),

  117.                 listOf(2, "subdomain*.test.ktirc"),

  118.                 listOf(2, "*foo*.test.ktirc"),

  119.                 listOf(2, "foo.*.ktirc")

  120.         )

  121. 

  122.         assertTrue(cert.validFor("subdomain1.test.ktirc"))

  123.         assertTrue(cert.validFor("subdomain2.test.ktirc"))

  124.         assertTrue(cert.validFor("gooddomain1.TEST.ktirc"))

  125.         assertFalse(cert.validFor("foo.test.ktirc"))

  126.     }

  127. 

  128.     @Test

  129.     fun `still uses CN if sans throws`() {

  130.         every { cert.subjectX500Principal } returns mockk {

  131.             every { name } returns "CN=subdomain.test.ktirc,O=testing,L=London,C=GB"

  132.         }

  133.         every { cert.subjectAlternativeNames } throws CertificateException("Oops")

  134. 

  135.         assertTrue(cert.validFor("subdomain.test.ktirc"))

  136.         assertFalse(cert.validFor("subdomain2.test.ktirc"))

  137.         assertFalse(cert.validFor("testing"))

  138.     }

  139. 

  140.     @Test

  141.     fun `still uses sans if CN throws`() {

  142.         every { cert.subjectX500Principal } throws CertificateException("Oops")

  143.         every { cert.subjectAlternativeNames } returns listOf(

  144.                 listOf(4, "directory.test.ktirc"),

  145.                 listOf(2, "subdomain1.test.ktirc"),

  146.                 listOf(2, "subdomain2.test.ktirc"),

  147.                 listOf(2, "subdomain3.test.ktirc")

  148.         )

  149. 

  150.         assertTrue(cert.validFor("subdomain1.test.ktirc"))

  151.         assertTrue(cert.validFor("subdomain2.test.KTIRC"))

  152.         assertTrue(cert.validFor("subdomain3.test.ktirc"))

  153.         assertFalse(cert.validFor("directory.test.ktirc"))

  154.     }

  155. 

  156. 

  157.     @Test

  158.     fun `fails if CN and sans missing`() {

  159.         assertFalse(cert.validFor("subdomain1.test.ktirc"))

  160.         assertFalse(cert.validFor("subdomain2.test.KTIRC"))

  161.         assertFalse(cert.validFor("subdomain3.test.ktirc"))

  162.         assertFalse(cert.validFor("directory.test.ktirc"))

  163.     }

  164. 

  165. }

  166. 

  167. @Suppress("BlockingMethodInNonBlockingContext")

  168. @Execution(ExecutionMode.SAME_THREAD)

  169. internal class TlsSocketTest: CoroutineScope {

  170. 

  171.     override var coroutineContext: CoroutineContext = GlobalScope.coroutineContext

  172. 

  173.     @ObsoleteCoroutinesApi

  174.     @BeforeEach

  175.     fun setup() {

  176.         coroutineContext = newFixedThreadPoolContext(4, "tls-test")

  177.     }

  178. 

  179.     @AfterEach

  180.     fun teardown() {

  181.         coroutineContext.cancel()

  182.     }

  183. 

  184.     @Test

  185.     fun `can send a string to a server over TLS`() = runBlocking(coroutineContext) {

  186.         withTimeout(5000) {

  187.             tlsServerSocket(12321).use { serverSocket ->

  188.                 val plainSocket = PlainTextSocket(this@TlsSocketTest)

  189.                 val tlsSocket = TlsSocket(this@TlsSocketTest, plainSocket, getTrustingContext(), "localhost")

  190.                 val clientBytesAsync = this@TlsSocketTest.async {

  191.                     ByteArray(13).apply {

  192.                         serverSocket.accept().getInputStream().read(this)

  193.                     }

  194.                 }

  195. 

  196.                 tlsSocket.connect(InetSocketAddress("localhost", 12321))

  197.                 tlsSocket.write.writeFully("Hello World\r\n".toByteArray())

  198. 

  199.                 val bytes = clientBytesAsync.await()

  200.                 assertNotNull(bytes)

  201.                 assertEquals("Hello World\r\n", String(bytes))

  202.             }

  203.         }

  204.     }

  205. 

  206.     @Test

  207.     fun `can read a string from a server over TLS`() = runBlocking<Unit>(coroutineContext) {

  208.         withTimeout(5000) {

  209.             tlsServerSocket(12321).use { serverSocket ->

  210.                 val plainSocket = PlainTextSocket(this@TlsSocketTest)

  211.                 val tlsSocket = TlsSocket(this@TlsSocketTest, plainSocket, getTrustingContext(), "localhost")

  212.                 val socket = this@TlsSocketTest.async {

  213.                     serverSocket.accept().apply {

  214.                         this@TlsSocketTest.launch {

  215.                             getInputStream().read()

  216.                         }

  217.                     }

  218.                 }

  219. 

  220.                 tlsSocket.connect(InetSocketAddress("localhost", 12321))

  221. 

  222.                 this@TlsSocketTest.launch {

  223.                     with(socket.await().getOutputStream()) {

  224.                         write("Hack the planet!".toByteArray())

  225.                         flush()

  226.                     }

  227.                 }

  228. 

  229.                 val buffer = tlsSocket.read()

  230. 

  231.                 assertNotNull(buffer)

  232.                 buffer?.let {

  233.                     assertEquals("Hack the planet!", String(it.array(), 0, it.limit()))

  234.                 }

  235.             }

  236.         }

  237.     }

  238. 

  239.     @Test

  240.     fun `read returns null after close`() = runBlocking(coroutineContext) {

  241.         withTimeout(5000) {

  242.             tlsServerSocket(12321).use { serverSocket ->

  243.                 val plainSocket = PlainTextSocket(this@TlsSocketTest)

  244.                 val tlsSocket = TlsSocket(this@TlsSocketTest, plainSocket, getTrustingContext(), "localhost")

  245.                 this@TlsSocketTest.launch {

  246.                     serverSocket.accept().getInputStream().read()

  247.                 }

  248. 

  249.                 tlsSocket.connect(InetSocketAddress("localhost", 12321))

  250. 

  251.                 tlsSocket.close()

  252. 

  253.                 val buffer = tlsSocket.read()

  254. 

  255.                 assertNull(buffer)

  256.             }

  257.         }

  258.     }

  259. 

  260.     @Test

  261.     fun `throws if the hostname mismatches`() {

  262.         tlsServerSocket(12321).use { serverSocket ->

  263.             val plainSocket = PlainTextSocket(this@TlsSocketTest)

  264.             val tlsSocket = TlsSocket(this@TlsSocketTest, plainSocket, getTrustingContext(), "127.0.0.1")

  265.             launch {

  266.                 serverSocket.accept().getInputStream().read()

  267.             }

  268. 

  269.             runBlocking(coroutineContext) {

  270.                 withTimeout(5000) {

  271.                     try {

  272.                         tlsSocket.connect(InetSocketAddress("localhost", 12321))

  273.                         fail<Unit>("Expected an exception")

  274.                     } catch (ex: Exception) {

  275.                         assertTrue(ex is CertificateException)

  276.                     }

  277.                 }

  278.             }

  279.         }

  280.     }

  281. }

  282. 

  283. internal fun tlsServerSocket(port: Int): ServerSocket {

  284.     val keyStore = KeyStore.getInstance("PKCS12")

  285.     keyStore.load(CertificateValidationTest::class.java.getResourceAsStream("localhost.p12"), CharArray(0))

  286. 

  287.     val keyManagerFactory = KeyManagerFactory.getInstance("PKIX")

  288.     keyManagerFactory.init(keyStore, CharArray(0))

  289. 

  290.     val sslContext = SSLContext.getInstance("TLSv1.2")

  291.     sslContext.init(keyManagerFactory.keyManagers, null, null)

  292.     return sslContext.serverSocketFactory.createServerSocket(port)

  293. }

  294. 

  295. internal fun getTrustingContext() =

  296.         SSLContext.getInstance("TLSv1.2").apply { init(null, arrayOf(getTrustingManager()), null) }

  297. 

  298. internal fun getTrustingManager() = object : X509TrustManager {

  299.     override fun getAcceptedIssuers(): Array<X509Certificate> = emptyArray()

  300. 

  301.     override fun checkClientTrusted(certs: Array<X509Certificate>, authType: String) {}

  302. 

  303.     override fun checkServerTrusted(certs: Array<X509Certificate>, authType: String) {}

  304. }