mirror
/
KtIrc
mirror of https://github.com/csmith/KtIrc
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 20 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
160 Commits
2 Branches
Tree: 8f27a42b4e
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '8f27a42b4e'
${ noResults }
KtIrc/src/test/kotlin/com/dmdirc/ktirc/io/TlsTest.kt

TlsTest.kt 11KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290 
  1. package com.dmdirc.ktirc.io

  2. 

  3. import io.mockk.every

  4. import io.mockk.mockk

  5. import kotlinx.coroutines.*

  6. import kotlinx.coroutines.io.writeFully

  7. import kotlinx.io.core.String

  8. import org.junit.jupiter.api.Assertions.*

  9. import org.junit.jupiter.api.Test

  10. import org.junit.jupiter.api.parallel.Execution

  11. import org.junit.jupiter.api.parallel.ExecutionMode

  12. import java.net.InetSocketAddress

  13. import java.net.ServerSocket

  14. import java.security.KeyStore

  15. import java.security.cert.CertificateException

  16. import java.security.cert.X509Certificate

  17. import javax.net.ssl.KeyManagerFactory

  18. import javax.net.ssl.SSLContext

  19. import javax.net.ssl.X509TrustManager

  20. 

  21. internal class CertificateValidationTest {

  22. 

  23.     private val cert = mockk<X509Certificate>()

  24. 

  25.     @Test

  26.     fun `checks common name`() {

  27.         every { cert.subjectX500Principal } returns mockk {

  28.             every { name } returns "CN=subdomain.test.ktirc,O=testing,L=London,C=GB"

  29.         }

  30. 

  31.         assertTrue(cert.validFor("subdomain.test.ktirc"))

  32.         assertFalse(cert.validFor("subdomain2.test.ktirc"))

  33.         assertFalse(cert.validFor("testing"))

  34.     }

  35. 

  36.     @Test

  37.     fun `checks common name with suffixed wildcard`() {

  38.         every { cert.subjectX500Principal } returns mockk {

  39.             every { name } returns "CN=subdomain*.test.ktirc,O=testing,L=London,C=GB"

  40.         }

  41. 

  42.         assertTrue(cert.validFor("subdomain.test.ktirc"))

  43.         assertTrue(cert.validFor("subdomain2.test.ktirc"))

  44.         assertFalse(cert.validFor("foo.subdomain.test.ktirc"))

  45.         assertFalse(cert.validFor("1subdomain.test.ktirc"))

  46.     }

  47. 

  48.     @Test

  49.     fun `checks common name with preixed wildcard`() {

  50.         every { cert.subjectX500Principal } returns mockk {

  51.             every { name } returns "CN=*subdomain.test.ktirc,O=testing,L=London,C=GB"

  52.         }

  53. 

  54.         assertTrue(cert.validFor("subdomain.test.ktirc"))

  55.         assertTrue(cert.validFor("1subdomain.test.ktirc"))

  56.         assertFalse(cert.validFor("foo.subdomain.test.ktirc"))

  57.         assertFalse(cert.validFor("subdomain1.test.ktirc"))

  58.     }

  59. 

  60.     @Test

  61.     fun `checks common name with infixed wildcard`() {

  62.         every { cert.subjectX500Principal } returns mockk {

  63.             every { name } returns "CN=sub*domain.test.ktirc,O=testing,L=London,C=GB"

  64.         }

  65. 

  66.         assertTrue(cert.validFor("subdomain.test.ktirc"))

  67.         assertTrue(cert.validFor("SUB-domain.test.ktirc"))

  68.         assertFalse(cert.validFor("foo.subdomain.test.ktirc"))

  69.         assertFalse(cert.validFor("subdomain1.test.ktirc"))

  70.     }

  71. 

  72.     @Test

  73.     fun `ignores wildcards in CN if they're not left-most`() {

  74.         every { cert.subjectX500Principal } returns mockk {

  75.             every { name } returns "CN=foo.*domain.test.ktirc,O=testing,L=London,C=GB"

  76.         }

  77. 

  78.         assertFalse(cert.validFor("foo.domain.test.ktirc"))

  79.         assertFalse(cert.validFor("foo-test.domain.test.ktirc"))

  80.         assertFalse(cert.validFor("foo.test-domain.test.ktirc"))

  81.     }

  82. 

  83.     @Test

  84.     fun `ignores wildcards in CN if there are too many`() {

  85.         every { cert.subjectX500Principal } returns mockk {

  86.             every { name } returns "CN=*domain*.test.ktirc,O=testing,L=London,C=GB"

  87.         }

  88. 

  89.         assertFalse(cert.validFor("domain.test.ktirc"))

  90.         assertFalse(cert.validFor("subdomain.test.ktirc"))

  91.         assertFalse(cert.validFor("domain1.test.ktirc"))

  92.     }

  93. 

  94.     @Test

  95.     fun `checks all sans`() {

  96.         every { cert.subjectAlternativeNames } returns listOf(

  97.                 listOf(4, "directory.test.ktirc"),

  98.                 listOf(2, "subdomain1.test.ktirc"),

  99.                 listOf(2, "subdomain2.test.ktirc"),

  100.                 listOf(2, "subdomain3.test.ktirc")

  101.         )

  102. 

  103.         assertTrue(cert.validFor("subdomain1.test.ktirc"))

  104.         assertTrue(cert.validFor("subdomain2.test.KTIRC"))

  105.         assertTrue(cert.validFor("subdomain3.test.ktirc"))

  106.         assertFalse(cert.validFor("directory.test.ktirc"))

  107.     }

  108. 

  109.     @Test

  110.     fun `checks wildcard sans`() {

  111.         every { cert.subjectAlternativeNames } returns listOf(

  112.                 listOf(4, "directory.test.ktirc"),

  113.                 listOf(2, "*domain1.test.ktirc"),

  114.                 listOf(2, "subdomain*.test.ktirc"),

  115.                 listOf(2, "*foo*.test.ktirc"),

  116.                 listOf(2, "foo.*.ktirc")

  117.         )

  118. 

  119.         assertTrue(cert.validFor("subdomain1.test.ktirc"))

  120.         assertTrue(cert.validFor("subdomain2.test.ktirc"))

  121.         assertTrue(cert.validFor("gooddomain1.TEST.ktirc"))

  122.         assertFalse(cert.validFor("foo.test.ktirc"))

  123.     }

  124. 

  125.     @Test

  126.     fun `still uses CN if sans throws`() {

  127.         every { cert.subjectX500Principal } returns mockk {

  128.             every { name } returns "CN=subdomain.test.ktirc,O=testing,L=London,C=GB"

  129.         }

  130.         every { cert.subjectAlternativeNames } throws CertificateException("Oops")

  131. 

  132.         assertTrue(cert.validFor("subdomain.test.ktirc"))

  133.         assertFalse(cert.validFor("subdomain2.test.ktirc"))

  134.         assertFalse(cert.validFor("testing"))

  135.     }

  136. 

  137.     @Test

  138.     fun `still uses sans if CN throws`() {

  139.         every { cert.subjectX500Principal } throws CertificateException("Oops")

  140.         every { cert.subjectAlternativeNames } returns listOf(

  141.                 listOf(4, "directory.test.ktirc"),

  142.                 listOf(2, "subdomain1.test.ktirc"),

  143.                 listOf(2, "subdomain2.test.ktirc"),

  144.                 listOf(2, "subdomain3.test.ktirc")

  145.         )

  146. 

  147.         assertTrue(cert.validFor("subdomain1.test.ktirc"))

  148.         assertTrue(cert.validFor("subdomain2.test.KTIRC"))

  149.         assertTrue(cert.validFor("subdomain3.test.ktirc"))

  150.         assertFalse(cert.validFor("directory.test.ktirc"))

  151.     }

  152. 

  153. 

  154.     @Test

  155.     fun `fails if CN and sans missing`() {

  156.         assertFalse(cert.validFor("subdomain1.test.ktirc"))

  157.         assertFalse(cert.validFor("subdomain2.test.KTIRC"))

  158.         assertFalse(cert.validFor("subdomain3.test.ktirc"))

  159.         assertFalse(cert.validFor("directory.test.ktirc"))

  160.     }

  161. 

  162. }

  163. 

  164. @Suppress("BlockingMethodInNonBlockingContext")

  165. @Execution(ExecutionMode.SAME_THREAD)

  166. internal class TlsSocketTest {

  167. 

  168.     @Test

  169.     fun `can send a string to a server over TLS`() = runBlocking {

  170.         withTimeout(5000) {

  171.             tlsServerSocket(12321).use { serverSocket ->

  172.                 val plainSocket = PlainTextSocket(GlobalScope)

  173.                 val tlsSocket = TlsSocket(GlobalScope, plainSocket, getTrustingContext(), "localhost")

  174.                 val clientBytesAsync = GlobalScope.async {

  175.                     ByteArray(13).apply {

  176.                         serverSocket.accept().getInputStream().read(this)

  177.                     }

  178.                 }

  179. 

  180.                 tlsSocket.connect(InetSocketAddress("localhost", 12321))

  181.                 tlsSocket.write.writeFully("Hello World\r\n".toByteArray())

  182. 

  183.                 val bytes = clientBytesAsync.await()

  184.                 assertNotNull(bytes)

  185.                 assertEquals("Hello World\r\n", String(bytes))

  186.             }

  187.         }

  188.     }

  189. 

  190.     @Test

  191.     fun `can read a string from a server over TLS`() = runBlocking<Unit> {

  192.         withTimeout(5000) {

  193.             tlsServerSocket(12321).use { serverSocket ->

  194.                 val plainSocket = PlainTextSocket(GlobalScope)

  195.                 val tlsSocket = TlsSocket(GlobalScope, plainSocket, getTrustingContext(), "localhost")

  196.                 val socket = GlobalScope.async {

  197.                     serverSocket.accept().apply {

  198.                         GlobalScope.launch {

  199.                             getInputStream().read()

  200.                         }

  201.                     }

  202.                 }

  203. 

  204.                 tlsSocket.connect(InetSocketAddress("localhost", 12321))

  205. 

  206.                 GlobalScope.launch {

  207.                     with(socket.await().getOutputStream()) {

  208.                         write("Hack the planet!".toByteArray())

  209.                         flush()

  210.                     }

  211.                 }

  212. 

  213.                 val buffer = tlsSocket.read()

  214. 

  215.                 assertNotNull(buffer)

  216.                 buffer?.let {

  217.                     assertEquals("Hack the planet!", String(it.array(), 0, it.limit()))

  218.                 }

  219.             }

  220.         }

  221.     }

  222. 

  223.     @Test

  224.     fun `read returns null after close`() = runBlocking {

  225.         withTimeout(5000) {

  226.             tlsServerSocket(12321).use { serverSocket ->

  227.                 val plainSocket = PlainTextSocket(GlobalScope)

  228.                 val tlsSocket = TlsSocket(GlobalScope, plainSocket, getTrustingContext(), "localhost")

  229.                 GlobalScope.launch {

  230.                     serverSocket.accept().getInputStream().read()

  231.                 }

  232. 

  233.                 tlsSocket.connect(InetSocketAddress("localhost", 12321))

  234. 

  235.                 tlsSocket.close()

  236. 

  237.                 val buffer = tlsSocket.read()

  238. 

  239.                 assertNull(buffer)

  240.             }

  241.         }

  242.     }

  243. 

  244.     @Test

  245.     fun `throws if the hostname mismatches`() {

  246.         tlsServerSocket(12321).use { serverSocket ->

  247.             val plainSocket = PlainTextSocket(GlobalScope)

  248.             val tlsSocket = TlsSocket(GlobalScope, plainSocket, getTrustingContext(), "127.0.0.1")

  249.             GlobalScope.launch {

  250.                 serverSocket.accept().getInputStream().read()

  251.             }

  252. 

  253.             runBlocking {

  254.                 withTimeout(5000) {

  255.                     try {

  256.                         tlsSocket.connect(InetSocketAddress("localhost", 12321))

  257.                         fail<Unit>("Expected an exception")

  258.                     } catch (ex: Exception) {

  259.                         assertTrue(ex is CertificateException)

  260.                     }

  261.                 }

  262.             }

  263.         }

  264.     }

  265. 

  266. 

  267. }

  268. 

  269. internal fun tlsServerSocket(port: Int): ServerSocket {

  270.     val keyStore = KeyStore.getInstance("PKCS12")

  271.     keyStore.load(CertificateValidationTest::class.java.getResourceAsStream("localhost.p12"), CharArray(0))

  272. 

  273.     val keyManagerFactory = KeyManagerFactory.getInstance("PKIX")

  274.     keyManagerFactory.init(keyStore, CharArray(0))

  275. 

  276.     val sslContext = SSLContext.getInstance("TLSv1.2")

  277.     sslContext.init(keyManagerFactory.keyManagers, null, null)

  278.     return sslContext.serverSocketFactory.createServerSocket(port)

  279. }

  280. 

  281. internal fun getTrustingContext() =

  282.         SSLContext.getInstance("TLSv1.2").apply { init(null, arrayOf(getTrustingManager()), null) }

  283. 

  284. internal fun getTrustingManager() = object : X509TrustManager {

  285.     override fun getAcceptedIssuers(): Array<X509Certificate> = emptyArray()

  286. 

  287.     override fun checkClientTrusted(certs: Array<X509Certificate>, authType: String) {}

  288. 

  289.     override fun checkServerTrusted(certs: Array<X509Certificate>, authType: String) {}

  290. }