mirror
/
KtIrc
mirror of https://github.com/csmith/KtIrc
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 20 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
156 Commits
2 Branches
Tree: 445d987345
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '445d987345'
${ noResults }
KtIrc/src/test/kotlin/com/dmdirc/ktirc/io/TlsTest.kt

TlsTest.kt 10KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285 
  1. package com.dmdirc.ktirc.io

  2. 

  3. import io.mockk.every

  4. import io.mockk.mockk

  5. import kotlinx.coroutines.GlobalScope

  6. import kotlinx.coroutines.async

  7. import kotlinx.coroutines.io.writeFully

  8. import kotlinx.coroutines.launch

  9. import kotlinx.coroutines.runBlocking

  10. import kotlinx.io.core.String

  11. import org.junit.jupiter.api.Assertions.*

  12. import org.junit.jupiter.api.Test

  13. import org.junit.jupiter.api.parallel.Execution

  14. import org.junit.jupiter.api.parallel.ExecutionMode

  15. import java.net.InetSocketAddress

  16. import java.net.ServerSocket

  17. import java.security.KeyStore

  18. import java.security.cert.CertificateException

  19. import java.security.cert.X509Certificate

  20. import javax.net.ssl.KeyManagerFactory

  21. import javax.net.ssl.SSLContext

  22. import javax.net.ssl.X509TrustManager

  23. 

  24. internal class CertificateValidationTest {

  25. 

  26.     private val cert = mockk<X509Certificate>()

  27. 

  28.     @Test

  29.     fun `checks common name`() {

  30.         every { cert.subjectX500Principal } returns mockk {

  31.             every { name } returns "CN=subdomain.test.ktirc,O=testing,L=London,C=GB"

  32.         }

  33. 

  34.         assertTrue(cert.validFor("subdomain.test.ktirc"))

  35.         assertFalse(cert.validFor("subdomain2.test.ktirc"))

  36.         assertFalse(cert.validFor("testing"))

  37.     }

  38. 

  39.     @Test

  40.     fun `checks common name with suffixed wildcard`() {

  41.         every { cert.subjectX500Principal } returns mockk {

  42.             every { name } returns "CN=subdomain*.test.ktirc,O=testing,L=London,C=GB"

  43.         }

  44. 

  45.         assertTrue(cert.validFor("subdomain.test.ktirc"))

  46.         assertTrue(cert.validFor("subdomain2.test.ktirc"))

  47.         assertFalse(cert.validFor("foo.subdomain.test.ktirc"))

  48.         assertFalse(cert.validFor("1subdomain.test.ktirc"))

  49.     }

  50. 

  51.     @Test

  52.     fun `checks common name with preixed wildcard`() {

  53.         every { cert.subjectX500Principal } returns mockk {

  54.             every { name } returns "CN=*subdomain.test.ktirc,O=testing,L=London,C=GB"

  55.         }

  56. 

  57.         assertTrue(cert.validFor("subdomain.test.ktirc"))

  58.         assertTrue(cert.validFor("1subdomain.test.ktirc"))

  59.         assertFalse(cert.validFor("foo.subdomain.test.ktirc"))

  60.         assertFalse(cert.validFor("subdomain1.test.ktirc"))

  61.     }

  62. 

  63.     @Test

  64.     fun `checks common name with infixed wildcard`() {

  65.         every { cert.subjectX500Principal } returns mockk {

  66.             every { name } returns "CN=sub*domain.test.ktirc,O=testing,L=London,C=GB"

  67.         }

  68. 

  69.         assertTrue(cert.validFor("subdomain.test.ktirc"))

  70.         assertTrue(cert.validFor("SUB-domain.test.ktirc"))

  71.         assertFalse(cert.validFor("foo.subdomain.test.ktirc"))

  72.         assertFalse(cert.validFor("subdomain1.test.ktirc"))

  73.     }

  74. 

  75.     @Test

  76.     fun `ignores wildcards in CN if they're not left-most`() {

  77.         every { cert.subjectX500Principal } returns mockk {

  78.             every { name } returns "CN=foo.*domain.test.ktirc,O=testing,L=London,C=GB"

  79.         }

  80. 

  81.         assertFalse(cert.validFor("foo.domain.test.ktirc"))

  82.         assertFalse(cert.validFor("foo-test.domain.test.ktirc"))

  83.         assertFalse(cert.validFor("foo.test-domain.test.ktirc"))

  84.     }

  85. 

  86.     @Test

  87.     fun `ignores wildcards in CN if there are too many`() {

  88.         every { cert.subjectX500Principal } returns mockk {

  89.             every { name } returns "CN=*domain*.test.ktirc,O=testing,L=London,C=GB"

  90.         }

  91. 

  92.         assertFalse(cert.validFor("domain.test.ktirc"))

  93.         assertFalse(cert.validFor("subdomain.test.ktirc"))

  94.         assertFalse(cert.validFor("domain1.test.ktirc"))

  95.     }

  96. 

  97.     @Test

  98.     fun `checks all sans`() {

  99.         every { cert.subjectAlternativeNames } returns listOf(

  100.                 listOf(4, "directory.test.ktirc"),

  101.                 listOf(2, "subdomain1.test.ktirc"),

  102.                 listOf(2, "subdomain2.test.ktirc"),

  103.                 listOf(2, "subdomain3.test.ktirc")

  104.         )

  105. 

  106.         assertTrue(cert.validFor("subdomain1.test.ktirc"))

  107.         assertTrue(cert.validFor("subdomain2.test.KTIRC"))

  108.         assertTrue(cert.validFor("subdomain3.test.ktirc"))

  109.         assertFalse(cert.validFor("directory.test.ktirc"))

  110.     }

  111. 

  112.     @Test

  113.     fun `checks wildcard sans`() {

  114.         every { cert.subjectAlternativeNames } returns listOf(

  115.                 listOf(4, "directory.test.ktirc"),

  116.                 listOf(2, "*domain1.test.ktirc"),

  117.                 listOf(2, "subdomain*.test.ktirc"),

  118.                 listOf(2, "*foo*.test.ktirc"),

  119.                 listOf(2, "foo.*.ktirc")

  120.         )

  121. 

  122.         assertTrue(cert.validFor("subdomain1.test.ktirc"))

  123.         assertTrue(cert.validFor("subdomain2.test.ktirc"))

  124.         assertTrue(cert.validFor("gooddomain1.TEST.ktirc"))

  125.         assertFalse(cert.validFor("foo.test.ktirc"))

  126.     }

  127. 

  128.     @Test

  129.     fun `still uses CN if sans throws`() {

  130.         every { cert.subjectX500Principal } returns mockk {

  131.             every { name } returns "CN=subdomain.test.ktirc,O=testing,L=London,C=GB"

  132.         }

  133.         every { cert.subjectAlternativeNames } throws CertificateException("Oops")

  134. 

  135.         assertTrue(cert.validFor("subdomain.test.ktirc"))

  136.         assertFalse(cert.validFor("subdomain2.test.ktirc"))

  137.         assertFalse(cert.validFor("testing"))

  138.     }

  139. 

  140.     @Test

  141.     fun `still uses sans if CN throws`() {

  142.         every { cert.subjectX500Principal } throws CertificateException("Oops")

  143.         every { cert.subjectAlternativeNames } returns listOf(

  144.                 listOf(4, "directory.test.ktirc"),

  145.                 listOf(2, "subdomain1.test.ktirc"),

  146.                 listOf(2, "subdomain2.test.ktirc"),

  147.                 listOf(2, "subdomain3.test.ktirc")

  148.         )

  149. 

  150.         assertTrue(cert.validFor("subdomain1.test.ktirc"))

  151.         assertTrue(cert.validFor("subdomain2.test.KTIRC"))

  152.         assertTrue(cert.validFor("subdomain3.test.ktirc"))

  153.         assertFalse(cert.validFor("directory.test.ktirc"))

  154.     }

  155. 

  156. 

  157.     @Test

  158.     fun `fails if CN and sans missing`() {

  159.         assertFalse(cert.validFor("subdomain1.test.ktirc"))

  160.         assertFalse(cert.validFor("subdomain2.test.KTIRC"))

  161.         assertFalse(cert.validFor("subdomain3.test.ktirc"))

  162.         assertFalse(cert.validFor("directory.test.ktirc"))

  163.     }

  164. 

  165. }

  166. 

  167. @Suppress("BlockingMethodInNonBlockingContext")

  168. @Execution(ExecutionMode.SAME_THREAD)

  169. internal class TlsSocketTest {

  170. 

  171.     @Test

  172.     fun `can send a string to a server over TLS`() = runBlocking {

  173.         tlsServerSocket(12321).use { serverSocket ->

  174.             val plainSocket = PlainTextSocket(GlobalScope)

  175.             val tlsSocket = TlsSocket(GlobalScope, plainSocket, getTrustingContext(), "localhost")

  176.             val clientBytesAsync = GlobalScope.async {

  177.                 ByteArray(13).apply {

  178.                     serverSocket.accept().getInputStream().read(this)

  179.                 }

  180.             }

  181. 

  182.             tlsSocket.connect(InetSocketAddress("localhost", 12321))

  183.             tlsSocket.write.writeFully("Hello World\r\n".toByteArray())

  184. 

  185.             val bytes = clientBytesAsync.await()

  186.             assertNotNull(bytes)

  187.             assertEquals("Hello World\r\n", String(bytes))

  188.         }

  189.     }

  190. 

  191.     @Test

  192.     fun `can read a string from a server over TLS`() = runBlocking<Unit> {

  193.         tlsServerSocket(12321).use { serverSocket ->

  194.             val plainSocket = PlainTextSocket(GlobalScope)

  195.             val tlsSocket = TlsSocket(GlobalScope, plainSocket, getTrustingContext(), "localhost")

  196.             val socket = GlobalScope.async {

  197.                 serverSocket.accept().apply {

  198.                     GlobalScope.launch {

  199.                         getInputStream().read()

  200.                     }

  201.                 }

  202.             }

  203. 

  204.             tlsSocket.connect(InetSocketAddress("localhost", 12321))

  205. 

  206.             GlobalScope.launch {

  207.                 with (socket.await().getOutputStream()) {

  208.                     write("Hack the planet!".toByteArray())

  209.                     flush()

  210.                 }

  211.             }

  212. 

  213.             val buffer = tlsSocket.read()

  214. 

  215.             assertNotNull(buffer)

  216.             buffer?.let {

  217.                 assertEquals("Hack the planet!", String(it.array(), 0, it.limit()))

  218.             }

  219.         }

  220.     }

  221. 

  222.     @Test

  223.     fun `read returns null after close`() = runBlocking {

  224.         tlsServerSocket(12321).use { serverSocket ->

  225.             val plainSocket = PlainTextSocket(GlobalScope)

  226.             val tlsSocket = TlsSocket(GlobalScope, plainSocket, getTrustingContext(), "localhost")

  227.             GlobalScope.launch {

  228.                 serverSocket.accept().getInputStream().read()

  229.             }

  230. 

  231.             tlsSocket.connect(InetSocketAddress("localhost", 12321))

  232. 

  233.             tlsSocket.close()

  234. 

  235.             val buffer = tlsSocket.read()

  236. 

  237.             assertNull(buffer)

  238.         }

  239.     }

  240. 

  241.     @Test

  242.     fun `throws if the hostname mismatches`() {

  243.         tlsServerSocket(12321).use { serverSocket ->

  244.             val plainSocket = PlainTextSocket(GlobalScope)

  245.             val tlsSocket = TlsSocket(GlobalScope, plainSocket, getTrustingContext(), "127.0.0.1")

  246.             GlobalScope.launch {

  247.                 serverSocket.accept().getInputStream().read()

  248.             }

  249. 

  250.             runBlocking {

  251.                 try {

  252.                     tlsSocket.connect(InetSocketAddress("localhost", 12321))

  253.                     fail<Unit>("Expected an exception")

  254.                 } catch (ex: Exception) {

  255.                     assertTrue(ex is CertificateException)

  256.                 }

  257.             }

  258.         }

  259.     }

  260. 

  261. 

  262. }

  263. 

  264. internal fun tlsServerSocket(port: Int): ServerSocket {

  265.     val keyStore = KeyStore.getInstance("PKCS12")

  266.     keyStore.load(CertificateValidationTest::class.java.getResourceAsStream("localhost.p12"), CharArray(0))

  267. 

  268.     val keyManagerFactory = KeyManagerFactory.getInstance("PKIX")

  269.     keyManagerFactory.init(keyStore, CharArray(0))

  270. 

  271.     val sslContext = SSLContext.getInstance("TLSv1.2")

  272.     sslContext.init(keyManagerFactory.keyManagers, null, null)

  273.     return sslContext.serverSocketFactory.createServerSocket(port)

  274. }

  275. 

  276. internal fun getTrustingContext() =

  277.         SSLContext.getInstance("TLSv1.2").apply { init(null, arrayOf(getTrustingManager()), null) }

  278. 

  279. internal fun getTrustingManager() = object : X509TrustManager {

  280.     override fun getAcceptedIssuers(): Array<X509Certificate> = emptyArray()

  281. 

  282.     override fun checkClientTrusted(certs: Array<X509Certificate>, authType: String) {}

  283. 

  284.     override fun checkServerTrusted(certs: Array<X509Certificate>, authType: String) {}

  285. }