mirror
/
KtIrc
mirror of https://github.com/csmith/KtIrc
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 20 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
155 Commits
2 Branches
Tree: 28c9400250
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '28c9400250'
${ noResults }
KtIrc/src/test/kotlin/com/dmdirc/ktirc/io/TlsTest.kt

TlsTest.kt 8.7KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236 
  1. package com.dmdirc.ktirc.io

  2. 

  3. import io.mockk.every

  4. import io.mockk.mockk

  5. import kotlinx.coroutines.GlobalScope

  6. import kotlinx.coroutines.async

  7. import kotlinx.coroutines.io.writeFully

  8. import kotlinx.coroutines.launch

  9. import kotlinx.coroutines.runBlocking

  10. import kotlinx.io.core.String

  11. import org.junit.jupiter.api.Assertions

  12. import org.junit.jupiter.api.Assertions.*

  13. import org.junit.jupiter.api.Test

  14. import org.junit.jupiter.api.parallel.Execution

  15. import org.junit.jupiter.api.parallel.ExecutionMode

  16. import java.net.InetSocketAddress

  17. import java.net.ServerSocket

  18. import java.security.KeyStore

  19. import java.security.cert.CertificateException

  20. import java.security.cert.X509Certificate

  21. import javax.net.ssl.KeyManagerFactory

  22. import javax.net.ssl.SSLContext

  23. import javax.net.ssl.X509TrustManager

  24. 

  25. internal class CertificateValidationTest {

  26. 

  27.     private val cert = mockk<X509Certificate>()

  28. 

  29.     @Test

  30.     fun `checks common name`() {

  31.         every { cert.subjectX500Principal } returns mockk {

  32.             every { name } returns "CN=subdomain.test.ktirc,O=testing,L=London,C=GB"

  33.         }

  34. 

  35.         assertTrue(cert.validFor("subdomain.test.ktirc"))

  36.         assertFalse(cert.validFor("subdomain2.test.ktirc"))

  37.         assertFalse(cert.validFor("testing"))

  38.     }

  39. 

  40.     @Test

  41.     fun `checks common name with suffixed wildcard`() {

  42.         every { cert.subjectX500Principal } returns mockk {

  43.             every { name } returns "CN=subdomain*.test.ktirc,O=testing,L=London,C=GB"

  44.         }

  45. 

  46.         assertTrue(cert.validFor("subdomain.test.ktirc"))

  47.         assertTrue(cert.validFor("subdomain2.test.ktirc"))

  48.         assertFalse(cert.validFor("foo.subdomain.test.ktirc"))

  49.         assertFalse(cert.validFor("1subdomain.test.ktirc"))

  50.     }

  51. 

  52.     @Test

  53.     fun `checks common name with preixed wildcard`() {

  54.         every { cert.subjectX500Principal } returns mockk {

  55.             every { name } returns "CN=*subdomain.test.ktirc,O=testing,L=London,C=GB"

  56.         }

  57. 

  58.         assertTrue(cert.validFor("subdomain.test.ktirc"))

  59.         assertTrue(cert.validFor("1subdomain.test.ktirc"))

  60.         assertFalse(cert.validFor("foo.subdomain.test.ktirc"))

  61.         assertFalse(cert.validFor("subdomain1.test.ktirc"))

  62.     }

  63. 

  64.     @Test

  65.     fun `checks common name with infixed wildcard`() {

  66.         every { cert.subjectX500Principal } returns mockk {

  67.             every { name } returns "CN=sub*domain.test.ktirc,O=testing,L=London,C=GB"

  68.         }

  69. 

  70.         assertTrue(cert.validFor("subdomain.test.ktirc"))

  71.         assertTrue(cert.validFor("SUB-domain.test.ktirc"))

  72.         assertFalse(cert.validFor("foo.subdomain.test.ktirc"))

  73.         assertFalse(cert.validFor("subdomain1.test.ktirc"))

  74.     }

  75. 

  76.     @Test

  77.     fun `ignores wildcards in CN if they're not left-most`() {

  78.         every { cert.subjectX500Principal } returns mockk {

  79.             every { name } returns "CN=foo.*domain.test.ktirc,O=testing,L=London,C=GB"

  80.         }

  81. 

  82.         assertFalse(cert.validFor("foo.domain.test.ktirc"))

  83.         assertFalse(cert.validFor("foo-test.domain.test.ktirc"))

  84.         assertFalse(cert.validFor("foo.test-domain.test.ktirc"))

  85.     }

  86. 

  87.     @Test

  88.     fun `ignores wildcards in CN if there are too many`() {

  89.         every { cert.subjectX500Principal } returns mockk {

  90.             every { name } returns "CN=*domain*.test.ktirc,O=testing,L=London,C=GB"

  91.         }

  92. 

  93.         assertFalse(cert.validFor("domain.test.ktirc"))

  94.         assertFalse(cert.validFor("subdomain.test.ktirc"))

  95.         assertFalse(cert.validFor("domain1.test.ktirc"))

  96.     }

  97. 

  98.     @Test

  99.     fun `checks all sans`() {

  100.         every { cert.subjectAlternativeNames } returns listOf(

  101.                 listOf(4, "directory.test.ktirc"),

  102.                 listOf(2, "subdomain1.test.ktirc"),

  103.                 listOf(2, "subdomain2.test.ktirc"),

  104.                 listOf(2, "subdomain3.test.ktirc")

  105.         )

  106. 

  107.         assertTrue(cert.validFor("subdomain1.test.ktirc"))

  108.         assertTrue(cert.validFor("subdomain2.test.KTIRC"))

  109.         assertTrue(cert.validFor("subdomain3.test.ktirc"))

  110.         assertFalse(cert.validFor("directory.test.ktirc"))

  111.     }

  112. 

  113.     @Test

  114.     fun `checks wildcard sans`() {

  115.         every { cert.subjectAlternativeNames } returns listOf(

  116.                 listOf(4, "directory.test.ktirc"),

  117.                 listOf(2, "*domain1.test.ktirc"),

  118.                 listOf(2, "subdomain*.test.ktirc"),

  119.                 listOf(2, "*foo*.test.ktirc"),

  120.                 listOf(2, "foo.*.ktirc")

  121.         )

  122. 

  123.         assertTrue(cert.validFor("subdomain1.test.ktirc"))

  124.         assertTrue(cert.validFor("subdomain2.test.ktirc"))

  125.         assertTrue(cert.validFor("gooddomain1.TEST.ktirc"))

  126.         assertFalse(cert.validFor("foo.test.ktirc"))

  127.     }

  128. 

  129.     @Test

  130.     fun `still uses CN if sans throws`() {

  131.         every { cert.subjectX500Principal } returns mockk {

  132.             every { name } returns "CN=subdomain.test.ktirc,O=testing,L=London,C=GB"

  133.         }

  134.         every { cert.subjectAlternativeNames } throws CertificateException("Oops")

  135. 

  136.         assertTrue(cert.validFor("subdomain.test.ktirc"))

  137.         assertFalse(cert.validFor("subdomain2.test.ktirc"))

  138.         assertFalse(cert.validFor("testing"))

  139.     }

  140. 

  141.     @Test

  142.     fun `still uses sans if CN throws`() {

  143.         every { cert.subjectX500Principal } throws CertificateException("Oops")

  144.         every { cert.subjectAlternativeNames } returns listOf(

  145.                 listOf(4, "directory.test.ktirc"),

  146.                 listOf(2, "subdomain1.test.ktirc"),

  147.                 listOf(2, "subdomain2.test.ktirc"),

  148.                 listOf(2, "subdomain3.test.ktirc")

  149.         )

  150. 

  151.         assertTrue(cert.validFor("subdomain1.test.ktirc"))

  152.         assertTrue(cert.validFor("subdomain2.test.KTIRC"))

  153.         assertTrue(cert.validFor("subdomain3.test.ktirc"))

  154.         assertFalse(cert.validFor("directory.test.ktirc"))

  155.     }

  156. 

  157. 

  158.     @Test

  159.     fun `fails if CN and sans missing`() {

  160.         assertFalse(cert.validFor("subdomain1.test.ktirc"))

  161.         assertFalse(cert.validFor("subdomain2.test.KTIRC"))

  162.         assertFalse(cert.validFor("subdomain3.test.ktirc"))

  163.         assertFalse(cert.validFor("directory.test.ktirc"))

  164.     }

  165. 

  166. }

  167. 

  168. @Suppress("BlockingMethodInNonBlockingContext")

  169. @Execution(ExecutionMode.SAME_THREAD)

  170. internal class TlsSocketTest {

  171. 

  172.     @Test

  173.     fun `can send a string to a server over TLS`() = runBlocking {

  174.         tlsServerSocket(12321).use { serverSocket ->

  175.             val plainSocket = PlainTextSocket(GlobalScope)

  176.             val tlsSocket = TlsSocket(GlobalScope, plainSocket, getTrustingContext(), "localhost")

  177.             val clientBytesAsync = GlobalScope.async {

  178.                 ByteArray(13).apply {

  179.                     serverSocket.accept().getInputStream().read(this)

  180.                 }

  181.             }

  182. 

  183.             tlsSocket.connect(InetSocketAddress("localhost", 12321))

  184.             tlsSocket.write.writeFully("Hello World\r\n".toByteArray())

  185. 

  186.             val bytes = clientBytesAsync.await()

  187.             Assertions.assertNotNull(bytes)

  188.             Assertions.assertEquals("Hello World\r\n", String(bytes))

  189.         }

  190.     }

  191. 

  192.     @Test

  193.     fun `throws if the hostname mismatches`() {

  194.         tlsServerSocket(12321).use { serverSocket ->

  195.             val plainSocket = PlainTextSocket(GlobalScope)

  196.             val tlsSocket = TlsSocket(GlobalScope, plainSocket, getTrustingContext(), "127.0.0.1")

  197.             GlobalScope.launch {

  198.                 serverSocket.accept().getInputStream().read()

  199.             }

  200. 

  201.             runBlocking {

  202.                 try {

  203.                     tlsSocket.connect(InetSocketAddress("localhost", 12321))

  204.                     fail<Unit>("Expected an exception")

  205.                 } catch (ex: Exception) {

  206.                     assertTrue(ex is CertificateException)

  207.                 }

  208.             }

  209.         }

  210.     }

  211. 

  212. 

  213. }

  214. 

  215. internal fun tlsServerSocket(port: Int): ServerSocket {

  216.     val keyStore = KeyStore.getInstance("PKCS12")

  217.     keyStore.load(CertificateValidationTest::class.java.getResourceAsStream("localhost.p12"), CharArray(0))

  218. 

  219.     val keyManagerFactory = KeyManagerFactory.getInstance("PKIX")

  220.     keyManagerFactory.init(keyStore, CharArray(0))

  221. 

  222.     val sslContext = SSLContext.getInstance("TLSv1.2")

  223.     sslContext.init(keyManagerFactory.keyManagers, null, null)

  224.     return sslContext.serverSocketFactory.createServerSocket(port)

  225. }

  226. 

  227. internal fun getTrustingContext() =

  228.         SSLContext.getInstance("TLSv1.2").apply { init(null, arrayOf(getTrustingManager()), null) }

  229. 

  230. internal fun getTrustingManager() = object : X509TrustManager {

  231.     override fun getAcceptedIssuers(): Array<X509Certificate> = emptyArray()

  232. 

  233.     override fun checkClientTrusted(certs: Array<X509Certificate>, authType: String) {}

  234. 

  235.     override fun checkServerTrusted(certs: Array<X509Certificate>, authType: String) {}

  236. }