io.vertx.core.net.PfxOptions Java Examples

private void applyTlsConfig(final HttpServerOptions httpServerOptions) {
  if (config.getTlsConfiguration().isEmpty()) {
    return;
  }

  final TlsConfiguration tlsConfiguration = config.getTlsConfiguration().get();
  try {
    httpServerOptions
        .setSsl(true)
        .setPfxKeyCertOptions(
            new PfxOptions()
                .setPath(tlsConfiguration.getKeyStorePath().toString())
                .setPassword(tlsConfiguration.getKeyStorePassword()));

    tlsConfiguration
        .getClientAuthConfiguration()
        .ifPresent(
            clientAuthConfiguration ->
                applyTlsClientAuth(clientAuthConfiguration, httpServerOptions));
  } catch (final RuntimeException re) {
    throw new JsonRpcServiceException(
        String.format(
            "TLS options failed to initialize for Ethereum JSON-RPC listener: %s",
            re.getMessage()));
  }
}
 

@Test(timeout = 20000)
public void testConnectWithSslToServerWhileUsingTrustAll(TestContext context) throws Exception {
  Async async = context.async();

  // Create a server that accept a connection and expects a client connection+session+receiver
  ProtonServerOptions serverOptions = new ProtonServerOptions();
  serverOptions.setSsl(true);
  PfxOptions serverPfxOptions = new PfxOptions().setPath(KEYSTORE).setPassword(PASSWORD);
  serverOptions.setPfxKeyCertOptions(serverPfxOptions);

  protonServer = createServer(serverOptions, this::handleClientConnectionSessionReceiverOpen);

  // Try to connect the client and expect it to succeed due to trusting all certs
  ProtonClientOptions clientOptions = new ProtonClientOptions();
  clientOptions.setSsl(true);
  clientOptions.setTrustAll(true);

  ProtonClient client = ProtonClient.create(vertx);
  client.connect(clientOptions, "localhost", protonServer.actualPort(), res -> {
    // Expect connect to succeed
    context.assertTrue(res.succeeded());
    async.complete();
  });

  async.awaitSuccess();
}
 

@Test(timeout = 20000)
public void testConnectWithSslToNonSslServerFails(TestContext context) throws Exception {
  Async async = context.async();

  // Create a server that doesn't use ssl
  ProtonServerOptions serverOptions = new ProtonServerOptions();
  serverOptions.setSsl(false);

  protonServer = createServer(serverOptions, this::handleClientConnectionSessionReceiverOpen);

  // Try to connect the client and expect it to fail
  ProtonClientOptions clientOptions = new ProtonClientOptions();
  clientOptions.setSsl(true);
  PfxOptions pfxOptions = new PfxOptions().setPath(TRUSTSTORE).setPassword(PASSWORD);
  clientOptions.setPfxTrustOptions(pfxOptions);

  ProtonClient client = ProtonClient.create(vertx);
  client.connect(clientOptions, "localhost", protonServer.actualPort(), res -> {
    // Expect connect to fail due to remote peer not doing SSL
    context.assertFalse(res.succeeded());
    async.complete();
  });

  async.awaitSuccess();
}
 

public ClientFactory(Vertx vertx) {

        this.vertx = vertx;


        String path = System.getenv("HOME") + System.getenv("AMQ_NAME") + "/etc";

        JksOptions clientJksOptions = new JksOptions();
        clientJksOptions
            .setPath(path + "/enmasse-keystore.jks")
            .setPassword("enmasse");

        PfxOptions clientPfxOptions = new PfxOptions()
            .setPath(path + "/enmasse-truststore.jks")
            .setPassword("enmasse");

        this.protonClientOptions =  new ProtonClientOptions()
            .setSsl(true)
            .setHostnameVerificationAlgorithm("")
            .setKeyStoreOptions(clientJksOptions)
            .setPfxTrustOptions(clientPfxOptions);

    }
 

@Override
protected WebClient createClient() {
    var options = new WebClientOptions()
            .setSsl(true)
            .setTrustAll(true)
            .setVerifyHost(false);

    if (this.tlsVersions != null && !this.tlsVersions.isEmpty()) {
        // remove all current versions
        options.getEnabledSecureTransportProtocols().forEach(options::removeEnabledSecureTransportProtocol);
        // set new versions
        this.tlsVersions.forEach(options::addEnabledSecureTransportProtocol);
    }

    if (this.keyStoreBuffer != null) {
        options.setPfxKeyCertOptions(
                new PfxOptions()
                        .setValue(this.keyStoreBuffer)
                        .setPassword(KeyStoreCreator.KEY_PASSWORD));
    }

    return WebClient.create(vertx, options);
}
 

private void doClientCertificateTestImpl(TestContext context, boolean supplyClientCert) throws InterruptedException,
                                                                                        ExecutionException {
  Async async = context.async();

  // Create a server that accept a connection and expects a client connection+session+receiver
  ProtonServerOptions serverOptions = new ProtonServerOptions();
  serverOptions.setSsl(true);
  serverOptions.setClientAuth(ClientAuth.REQUIRED);
  PfxOptions serverPfxOptions = new PfxOptions().setPath(KEYSTORE).setPassword(PASSWORD);
  serverOptions.setPfxKeyCertOptions(serverPfxOptions);

  PfxOptions pfxOptions = new PfxOptions().setPath(TRUSTSTORE).setPassword(PASSWORD);
  serverOptions.setPfxTrustOptions(pfxOptions);

  protonServer = createServer(serverOptions, this::handleClientConnectionSessionReceiverOpen);

  // Try to connect the client
  ProtonClientOptions clientOptions = new ProtonClientOptions();
  clientOptions.setSsl(true);
  clientOptions.setPfxTrustOptions(pfxOptions);

  if (supplyClientCert) {
    PfxOptions clientKeyPfxOptions = new PfxOptions().setPath(KEYSTORE_CLIENT).setPassword(PASSWORD);
    clientOptions.setPfxKeyCertOptions(clientKeyPfxOptions);
  }

  ProtonClient client = ProtonClient.create(vertx);
  client.connect(clientOptions, "localhost", protonServer.actualPort(), res -> {
    if (supplyClientCert) {
      // Expect connect to succeed
      context.assertTrue(res.succeeded());
    } else {
      // Expect connect to fail
      context.assertFalse(res.succeeded());
    }
    async.complete();
  });

  async.awaitSuccess();
}
 

@Test(timeout = 20000)
public void testConnectWithSslToServerWithUntrustedKeyFails(TestContext context) throws Exception {
  Async async = context.async();

  // Create a server that accept a connection and expects a client connection+session+receiver
  ProtonServerOptions serverOptions = new ProtonServerOptions();
  serverOptions.setSsl(true);
  PfxOptions serverPfxOptions = new PfxOptions().setPath(KEYSTORE).setPassword(PASSWORD);
  serverOptions.setPfxKeyCertOptions(serverPfxOptions);

  protonServer = createServer(serverOptions, this::handleClientConnectionSessionReceiverOpen);

  // Try to connect the client and expect it to fail due to us not trusting the server
  ProtonClientOptions clientOptions = new ProtonClientOptions();
  clientOptions.setSsl(true);
  PfxOptions pfxOptions = new PfxOptions().setPath(OTHER_CA_TRUSTSTORE).setPassword(PASSWORD);
  clientOptions.setPfxTrustOptions(pfxOptions);

  ProtonClient client = ProtonClient.create(vertx);
  client.connect(clientOptions, "localhost", protonServer.actualPort(), res -> {
    // Expect connect to fail due to remote peer not doing SSL
    context.assertFalse(res.succeeded());
    async.complete();
  });

  async.awaitSuccess();
}
 

@Test
public void shouldSetPfxKeyCert() {
    given(mockSsl.getKeyStoreType()).willReturn("PKCS12");
    given(mockSsl.getKeyStore()).willReturn("/key/store/path");
    given(mockSsl.getKeyStorePassword()).willReturn("pass");

    customizer.apply(mockHttpServerOptions);

    ArgumentCaptor<PfxOptions> captor = ArgumentCaptor.forClass(PfxOptions.class);
    verify(mockHttpServerOptions).setKeyCertOptions(captor.capture());

    PfxOptions pfxOptions = captor.getValue();
    assertThat(pfxOptions.getPath()).isEqualTo("/key/store/path");
    assertThat(pfxOptions.getPassword()).isEqualTo("pass");
}
 

@Test
public void shouldSetPfxTrustOptions() {
    given(mockSsl.getTrustStoreType()).willReturn("PKCS12");
    given(mockSsl.getTrustStore()).willReturn("/trust/store/path");
    given(mockSsl.getTrustStorePassword()).willReturn("pass");

    customizer.apply(mockHttpServerOptions);

    ArgumentCaptor<PfxOptions> captor = ArgumentCaptor.forClass(PfxOptions.class);
    verify(mockHttpServerOptions).setTrustOptions(captor.capture());

    PfxOptions pfxOptions = captor.getValue();
    assertThat(pfxOptions.getPath()).isEqualTo("/trust/store/path");
    assertThat(pfxOptions.getPassword()).isEqualTo("pass");
}
 

private static PfxOptions toPfxOptions(PfxConfiguration configuration) {
    PfxOptions pfxOptions = new PfxOptions();
    if (configuration.path.isPresent()) {
        pfxOptions.setPath(configuration.path.get());
    }
    if (configuration.password.isPresent()) {
        pfxOptions.setPassword(configuration.password.get());
    }
    return pfxOptions;
}
 

@Test(timeout = 20000)
public void testConnectWithSslSucceeds(TestContext context) throws Exception {
  Async async = context.async();

  // Create a server that accept a connection and expects a client connection+session+receiver
  ProtonServerOptions serverOptions = new ProtonServerOptions();
  serverOptions.setSsl(true);
  PfxOptions serverPfxOptions = new PfxOptions().setPath(KEYSTORE).setPassword(PASSWORD);
  serverOptions.setPfxKeyCertOptions(serverPfxOptions);

  protonServer = createServer(serverOptions, this::handleClientConnectionSessionReceiverOpen);

  // Connect the client and open a receiver to verify the connection works
  ProtonClientOptions clientOptions = new ProtonClientOptions();
  clientOptions.setSsl(true);
  PfxOptions clientPfxOptions = new PfxOptions().setPath(TRUSTSTORE).setPassword(PASSWORD);
  clientOptions.setPfxTrustOptions(clientPfxOptions);

  ProtonClient client = ProtonClient.create(vertx);
  client.connect(clientOptions, "localhost", protonServer.actualPort(), res -> {
    // Expect connect to succeed
    context.assertTrue(res.succeeded());
    ProtonConnection connection = res.result();
    connection.open();

    ProtonReceiver receiver = connection.createReceiver("some-address");

    receiver.openHandler(recvResult -> {
      context.assertTrue(recvResult.succeeded());
      LOG.trace("Client reciever open");
      async.complete();
    }).open();
  });

  async.awaitSuccess();
}
 

/**
 * Test a valid PFX configuration.
 */
@Test
public void testPfxConfig() {
    cfg.setKeyStorePath(PREFIX_KEY_PATH + "authServerKeyStore.p12");
    cfg.setKeyStorePassword("authkeys");

    final KeyCertOptions options = cfg.getKeyCertOptions();

    assertThat(options).isNotNull();
    assertThat(options).isInstanceOf(PfxOptions.class);
}
 

@Override
public HttpTermOptions setPfxKeyCertOptions(PfxOptions options) {
  return (HttpTermOptions) super.setPfxKeyCertOptions(options);
}
 

@Override
public ProtonClientOptions setPfxKeyCertOptions(PfxOptions options) {
  super.setPfxKeyCertOptions(options);
  return this;
}
 

@Override
public TelnetTermOptions setPfxTrustOptions(PfxOptions options) {
  return (TelnetTermOptions) super.setPfxTrustOptions(options);
}
 

@Override
public TelnetTermOptions setPfxKeyCertOptions(PfxOptions options) {
  return (TelnetTermOptions) super.setPfxKeyCertOptions(options);
}
 

public MailConfig setPfxTrustOptions(PfxOptions options) {
  super.setPfxTrustOptions(options);
  return this;
}
 

public MailConfig setPfxKeyCertOptions(PfxOptions options) {
  super.setPfxKeyCertOptions(options);
  return this;
}
 

@Override
public HttpTermOptions setPfxTrustOptions(PfxOptions options) {
  return (HttpTermOptions) super.setPfxTrustOptions(options);
}
 

public SSHServer listen(Handler<AsyncResult<Void>> listenHandler) {
  if (!status.compareAndSet(STATUS_STOPPED, STATUS_STARTING)) {
    listenHandler.handle(Future.failedFuture("Invalid state:" + status.get()));
    return this;
  }
  if (options.getAuthOptions() != null) {
    authProvider = ShellAuth.load(vertx, options.getAuthOptions());
  }
  Charset defaultCharset = Charset.forName(options.getDefaultCharset());
  listenContext = (ContextInternal) vertx.getOrCreateContext();
  vertx.executeBlocking(fut -> {

    try {
      KeyCertOptions ksOptions = options.getKeyPairOptions();
      KeyStoreHelper ksHelper = KeyStoreHelper.create((VertxInternal) vertx, ksOptions);
      if (ksHelper == null) {
        throw new VertxException("No key pair store configured");
      }
      KeyStore ks = ksHelper.store();

      String kpPassword = "";
      if (ksOptions instanceof JksOptions) {
        kpPassword = ((JksOptions) ksOptions).getPassword();
      } else if (ksOptions instanceof PfxOptions) {
        kpPassword = ((PfxOptions) ksOptions).getPassword();
      }

      List<KeyPair> keyPairs = new ArrayList<>();
      for (Enumeration<String> it = ks.aliases(); it.hasMoreElements(); ) {
        String alias = it.nextElement();
        Key key = ks.getKey(alias, kpPassword.toCharArray());
        if (key instanceof PrivateKey) {
          Certificate cert = ks.getCertificate(alias);
          PublicKey publicKey = cert.getPublicKey();
          keyPairs.add(new KeyPair(publicKey, (PrivateKey) key));
        }
      }
      KeyPairProvider provider = new AbstractKeyPairProvider() {
        @Override
        public Iterable<KeyPair> loadKeys() {
          return keyPairs;
        }
      };

      Buffer inputrc = Helper.loadResource(vertx.fileSystem(), options.getIntputrc());
      if (inputrc == null) {
        throw new VertxException("Could not load inputrc from " + options.getIntputrc());
      }
      Keymap keymap = new Keymap(new ByteArrayInputStream(inputrc.getBytes()));
      TermConnectionHandler connectionHandler = new TermConnectionHandler(vertx, keymap, termHandler);

      nativeServer = SshServer.setUpDefaultServer();
      nativeServer.setShellFactory(() -> new TtyCommand(defaultCharset, connectionHandler::handle));
      Handler<SSHExec> execHandler = this.execHandler;
      if (execHandler != null) {
        nativeServer.setCommandFactory(command -> new TtyCommand(defaultCharset, conn -> {
          execHandler.handle(new SSHExec(command, conn));
        }));
      }
      nativeServer.setHost(options.getHost());
      nativeServer.setPort(options.getPort());
      nativeServer.setKeyPairProvider(provider);
      nativeServer.setIoServiceFactoryFactory(new NettyIoServiceFactoryFactory(listenContext.nettyEventLoop(), new VertxIoHandlerBridge(listenContext)));
      nativeServer.setServiceFactories(Arrays.asList(ServerConnectionServiceFactory.INSTANCE, AsyncUserAuthServiceFactory.INSTANCE));

      //
      if (authProvider == null) {
        throw new VertxException("No authenticator");
      }

      nativeServer.setPasswordAuthenticator((username, userpass, session) -> {
        AsyncAuth auth = new AsyncAuth();
        listenContext.runOnContext(v -> {
          authProvider.authenticate(new JsonObject().put("username", username).put("password", userpass), ar -> {
            auth.setAuthed(ar.succeeded());
          });
        });
        throw auth;
      });

      //
      nativeServer.start();
      status.set(STATUS_STARTED);
      fut.complete();
    } catch (Exception e) {
      status.set(STATUS_STOPPED);
      fut.fail(e);
    }
  }, listenHandler);
  return this;
}
 

@Override
public ProtonServerOptions setPfxKeyCertOptions(PfxOptions options) {
  super.setPfxKeyCertOptions(options);
  return this;
}
 

@Override
public ProtonServerOptions setPfxTrustOptions(PfxOptions options) {
  super.setPfxTrustOptions(options);
  return this;
}
 

private void doHostnameVerificationTestImpl(TestContext context, boolean verifyHost) throws Exception {

    Async async = context.async();

    // Create a server that accept a connection and expects a client connection+session+receiver
    ProtonServerOptions serverOptions = new ProtonServerOptions();
    serverOptions.setSsl(true);
    PfxOptions serverPfxOptions = new PfxOptions().setPath(WRONG_HOST_KEYSTORE).setPassword(PASSWORD);
    serverOptions.setPfxKeyCertOptions(serverPfxOptions);

    protonServer = createServer(serverOptions, this::handleClientConnectionSessionReceiverOpen);

    // Connect the client and open a receiver to verify the connection works
    ProtonClientOptions clientOptions = new ProtonClientOptions();
    clientOptions.setSsl(true);
    PfxOptions clientPfxOptions = new PfxOptions().setPath(TRUSTSTORE).setPassword(PASSWORD);
    clientOptions.setPfxTrustOptions(clientPfxOptions);

    // Verify/update the hostname verification settings
    context.assertEquals(VERIFY_HTTPS, clientOptions.getHostnameVerificationAlgorithm(),
        "expected host verification to be on by default");
    if (!verifyHost) {
      clientOptions.setHostnameVerificationAlgorithm(NO_VERIFY);
    }

    ProtonClient client = ProtonClient.create(vertx);
    client.connect(clientOptions, "localhost", protonServer.actualPort(), res -> {
      if (verifyHost) {
        // Expect connect to fail as server cert hostname doesn't match.
        context.assertFalse(res.succeeded(), "expected connect to fail");
        LOG.trace("Connect failed");
        async.complete();
      } else {
        // Expect connect to succeed as verification is disabled
        context.assertTrue(res.succeeded(), "expected connect to succeed");
        LOG.trace("Connect succeeded");
        ProtonConnection connection = res.result();
        connection.open();

        ProtonReceiver receiver = connection.createReceiver("some-address");

        receiver.openHandler(recvResult -> {
          context.assertTrue(recvResult.succeeded());
          LOG.trace("Client receiver open");
          async.complete();
        }).open();
      }
    });

    async.awaitSuccess();
  }
 

@Override
public ProtonClientOptions setPfxTrustOptions(PfxOptions options) {
  super.setPfxTrustOptions(options);
  return this;
}
 

private PfxOptions convertFrom(final KeyStoreOptions keyStoreOptions) throws IOException {
  final String password = FileUtil.readFirstLineFromFile(keyStoreOptions.getPasswordFile());
  return new PfxOptions()
      .setPassword(password)
      .setPath(keyStoreOptions.getKeyStoreFile().toString());
}
 

@Override
public S3ClientOptions setPfxKeyCertOptions(final PfxOptions options) {
    super.setPfxKeyCertOptions(options);
    return this;
}
 

public HttpServer create(
    final TlsCertificateDefinition serverCert,
    final TlsCertificateDefinition acceptedClientCerts,
    final Path workDir) {
  try {

    final Path serverFingerprintFile = workDir.resolve("server_known_clients");
    populateFingerprintFile(serverFingerprintFile, acceptedClientCerts, Optional.empty());

    final HttpServerOptions web3HttpServerOptions = new HttpServerOptions();
    web3HttpServerOptions.setSsl(true);
    web3HttpServerOptions.setClientAuth(ClientAuth.REQUIRED);
    web3HttpServerOptions.setTrustOptions(
        VertxTrustOptions.whitelistClients(serverFingerprintFile));
    web3HttpServerOptions.setPort(0);
    web3HttpServerOptions.setPfxKeyCertOptions(
        new PfxOptions()
            .setPath(serverCert.getPkcs12File().toString())
            .setPassword(serverCert.getPassword()));

    final Router router = Router.router(vertx);
    final JsonDecoder jsonDecoder = createJsonDecoder();
    final RequestMapper requestMapper = new RequestMapper(new MockBalanceReporter());
    router
        .route(HttpMethod.POST, "/")
        .produces(HttpHeaderValues.APPLICATION_JSON.toString())
        .handler(BodyHandler.create())
        .handler(ResponseContentTypeHandler.create())
        .failureHandler(new JsonRpcErrorHandler(new HttpResponseFactory(), jsonDecoder))
        .handler(new JsonRpcHandler(null, requestMapper, jsonDecoder));

    final HttpServer web3ProviderHttpServer = vertx.createHttpServer(web3HttpServerOptions);

    final CompletableFuture<Boolean> serverConfigured = new CompletableFuture<>();
    web3ProviderHttpServer
        .requestHandler(router)
        .listen(result -> serverConfigured.complete(true));

    serverConfigured.get();

    serversCreated.add(web3ProviderHttpServer);
    return web3ProviderHttpServer;
  } catch (final KeyStoreException
      | NoSuchAlgorithmException
      | CertificateException
      | IOException
      | ExecutionException
      | InterruptedException e) {
    throw new RuntimeException("Failed to construct a TLS Enabled Server", e);
  }
}
 

private static PfxOptions convertFrom(final Path keystoreFile, final Path keystorePasswordFile)
    throws IOException {
  final String password = readSecretFromFile(keystorePasswordFile);
  return new PfxOptions().setPassword(password).setPath(keystoreFile.toString());
}
 

HttpServer create(
    final TlsCertificateDefinition serverCert,
    final TlsCertificateDefinition acceptedClientCerts,
    final Path workDir,
    final boolean tlsEnabled) {
  try {

    final Path serverFingerprintFile = workDir.resolve("server_known_clients");
    populateFingerprintFile(serverFingerprintFile, acceptedClientCerts, Optional.empty());

    final HttpServerOptions web3HttpServerOptions = new HttpServerOptions();
    web3HttpServerOptions.setPort(0);
    if (tlsEnabled) {
      web3HttpServerOptions.setSsl(true);
      web3HttpServerOptions.setClientAuth(ClientAuth.REQUIRED);
      web3HttpServerOptions.setTrustOptions(
          VertxTrustOptions.whitelistClients(serverFingerprintFile));
      web3HttpServerOptions.setPfxKeyCertOptions(
          new PfxOptions()
              .setPath(serverCert.getPkcs12File().toString())
              .setPassword(serverCert.getPassword()));
    }
    final Router router = Router.router(vertx);
    router
        .route(HttpMethod.GET, "/upcheck")
        .produces(HttpHeaderValues.APPLICATION_JSON.toString())
        .handler(TlsEnabledHttpServerFactory::handleRequest);

    final HttpServer mockOrionHttpServer = vertx.createHttpServer(web3HttpServerOptions);

    final CompletableFuture<Boolean> serverConfigured = new CompletableFuture<>();
    mockOrionHttpServer.requestHandler(router).listen(result -> serverConfigured.complete(true));

    serverConfigured.get();

    serversCreated.add(mockOrionHttpServer);
    return mockOrionHttpServer;
  } catch (final KeyStoreException
      | NoSuchAlgorithmException
      | CertificateException
      | IOException
      | ExecutionException
      | InterruptedException e) {
    throw new RuntimeException("Failed to construct a TLS Enabled Server", e);
  }
}
 

private PfxOptions getPfxOptions(String path, String password) {
    PfxOptions options = new PfxOptions();
    options.setPath(path);
    options.setPassword(password);
    return options;
}