/*
* Copyright 2020 ConsenSys AG.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
* an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
* specific language governing permissions and limitations under the License.
*/
package tech.pegasys.ethsigner.tests.tls;
import static java.nio.file.Files.writeString;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.ThrowableAssert.catchThrowable;
import tech.pegasys.ethsigner.core.config.TlsOptions;
import tech.pegasys.ethsigner.tests.dsl.http.HttpRequest;
import tech.pegasys.ethsigner.tests.dsl.node.NodeConfigurationBuilder;
import tech.pegasys.ethsigner.tests.dsl.node.NodePorts;
import tech.pegasys.ethsigner.tests.dsl.signer.Signer;
import tech.pegasys.ethsigner.tests.dsl.signer.SignerConfigurationBuilder;
import tech.pegasys.ethsigner.tests.dsl.tls.BasicTlsOptions;
import tech.pegasys.ethsigner.tests.dsl.tls.ClientTlsConfig;
import tech.pegasys.ethsigner.tests.dsl.tls.OkHttpClientHelpers;
import tech.pegasys.ethsigner.tests.dsl.tls.TlsCertificateDefinition;
import tech.pegasys.ethsigner.tests.tls.support.BasicClientAuthConstraints;
import java.nio.file.Path;
import java.util.Optional;
import javax.net.ssl.SSLException;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.io.TempDir;
public class ServerSideTlsCaClientAcceptanceTest {
private static final TlsCertificateDefinition serverCert =
TlsCertificateDefinition.loadFromResource("tls/cert1.pfx", "password");
private static final TlsCertificateDefinition clientCert =
TlsCertificateDefinition.loadFromResource("tls/cert2.pfx", "password2");
private Signer ethSigner = null;
@AfterEach
void cleanup() {
if (ethSigner != null) {
ethSigner.shutdown();
ethSigner = null;
}
}
private Signer createEthSigner(final TlsCertificateDefinition certInCa, final Path testDir)
throws Exception {
final Path passwordPath = testDir.resolve("keystore.passwd");
writeString(passwordPath, serverCert.getPassword());
final TlsOptions serverOptions =
new BasicTlsOptions(
serverCert.getPkcs12File(),
passwordPath.toFile(),
Optional.of(BasicClientAuthConstraints.caOnly()));
final SignerConfigurationBuilder configBuilder = new SignerConfigurationBuilder();
configBuilder.withServerTlsOptions(serverOptions);
configBuilder.withOverriddenCA(certInCa);
final ClientTlsConfig clientTlsConfig = new ClientTlsConfig(serverCert, clientCert);
return new Signer(
configBuilder.build(),
new NodeConfigurationBuilder().build(),
new NodePorts(1, 2),
clientTlsConfig);
}
@Test
void clientWithCertificateNotInCertificateAuthorityCanConnectAndQueryAccounts(
@TempDir final Path tempDir) throws Exception {
ethSigner = createEthSigner(clientCert, tempDir);
ethSigner.start();
ethSigner.awaitStartupCompletion();
assertThat(ethSigner.accounts().list()).isNotEmpty();
}
@Test
void clientNotInCaFailedToConnectToEthSigner(@TempDir final Path tempDir) throws Exception {
ethSigner = createEthSigner(clientCert, tempDir);
ethSigner.start();
ethSigner.awaitStartupCompletion();
// Create a client which presents the server cert (not in CA) - it should fail to connect.
final ClientTlsConfig clientTlsConfig = new ClientTlsConfig(serverCert, serverCert);
final HttpRequest rawRequests =
new HttpRequest(
ethSigner.getUrl(),
OkHttpClientHelpers.createOkHttpClient(Optional.of(clientTlsConfig)));
final Throwable thrown = catchThrowable(() -> rawRequests.get("/upcheck"));
assertThat(thrown.getCause()).isInstanceOf(SSLException.class);
}
}
