Examples with Handshake okhttp3.Handshake used on opensource projects

Example 6 with Handshake

use of okhttp3.Handshake in project okhttp by square.

the class JavaApiConverterTest method createOkResponseForCacheGet_secure.

@Test
public void createOkResponseForCacheGet_secure() throws Exception {
    final String statusLine = "HTTP/1.1 200 Fantastic";
    final Principal localPrincipal = LOCAL_CERT.getSubjectX500Principal();
    final List<Certificate> localCertificates = Arrays.<Certificate>asList(LOCAL_CERT);
    final Principal serverPrincipal = SERVER_CERT.getSubjectX500Principal();
    final List<Certificate> serverCertificates = Arrays.<Certificate>asList(SERVER_CERT);
    URI uri = new URI("https://foo/bar");
    Request request = new Request.Builder().url(uri.toURL()).build();
    SecureCacheResponse cacheResponse = new SecureCacheResponse() {

        @Override
        public Map<String, List<String>> getHeaders() throws IOException {
            Map<String, List<String>> headers = new LinkedHashMap<>();
            headers.put(null, Collections.singletonList(statusLine));
            headers.put("xyzzy", Arrays.asList("bar", "baz"));
            return headers;
        }

        @Override
        public InputStream getBody() throws IOException {
            return new ByteArrayInputStream("HelloWorld".getBytes(StandardCharsets.UTF_8));
        }

        @Override
        public String getCipherSuite() {
            return "SSL_RSA_WITH_NULL_MD5";
        }

        @Override
        public List<Certificate> getLocalCertificateChain() {
            return localCertificates;
        }

        @Override
        public List<Certificate> getServerCertificateChain() throws SSLPeerUnverifiedException {
            return serverCertificates;
        }

        @Override
        public Principal getPeerPrincipal() throws SSLPeerUnverifiedException {
            return serverPrincipal;
        }

        @Override
        public Principal getLocalPrincipal() {
            return localPrincipal;
        }
    };
    Response response = JavaApiConverter.createOkResponseForCacheGet(request, cacheResponse);
    Request cacheRequest = response.request();
    assertEquals(request.url(), cacheRequest.url());
    assertEquals(request.method(), cacheRequest.method());
    assertEquals(0, request.headers().size());
    assertEquals(Protocol.HTTP_1_1, response.protocol());
    assertEquals(200, response.code());
    assertEquals("Fantastic", response.message());
    Headers okResponseHeaders = response.headers();
    assertEquals("baz", okResponseHeaders.get("xyzzy"));
    assertEquals("HelloWorld", response.body().string());
    Handshake handshake = response.handshake();
    assertNotNull(handshake);
    assertNotNullAndEquals(CipherSuite.TLS_RSA_WITH_NULL_MD5, handshake.cipherSuite());
    assertEquals(localPrincipal, handshake.localPrincipal());
    assertEquals(serverPrincipal, handshake.peerPrincipal());
    assertEquals(serverCertificates, handshake.peerCertificates());
    assertEquals(localCertificates, handshake.localCertificates());
}

Example 7 with Handshake

use of okhttp3.Handshake in project okhttp by square.

the class JavaApiConverterTest method createJavaUrlConnection_https_extraHttpsMethods.

@Test
public void createJavaUrlConnection_https_extraHttpsMethods() throws Exception {
    Request okRequest = createArbitraryOkRequest().newBuilder().get().url("https://secure/request").build();
    Handshake handshake = Handshake.get(null, CipherSuite.TLS_RSA_WITH_NULL_MD5, Arrays.<Certificate>asList(SERVER_CERT), Arrays.<Certificate>asList(LOCAL_CERT));
    Response okResponse = createArbitraryOkResponse(okRequest).newBuilder().handshake(handshake).build();
    HttpsURLConnection httpsUrlConnection = (HttpsURLConnection) JavaApiConverter.createJavaUrlConnectionForCachePut(okResponse);
    assertEquals("SSL_RSA_WITH_NULL_MD5", httpsUrlConnection.getCipherSuite());
    assertEquals(SERVER_CERT.getSubjectX500Principal(), httpsUrlConnection.getPeerPrincipal());
    assertArrayEquals(new Certificate[] { LOCAL_CERT }, httpsUrlConnection.getLocalCertificates());
    assertArrayEquals(new Certificate[] { SERVER_CERT }, httpsUrlConnection.getServerCertificates());
    assertEquals(LOCAL_CERT.getSubjectX500Principal(), httpsUrlConnection.getLocalPrincipal());
}

Example 8 with Handshake

use of okhttp3.Handshake in project okhttp by square.

the class JavaApiConverter method createOkResponseForCacheGet.

/**
   * Creates an OkHttp {@link Response} using the supplied {@link Request} and {@link CacheResponse}
   * to supply the data.
   */
static Response createOkResponseForCacheGet(Request request, CacheResponse javaResponse) throws IOException {
    // Build a cache request for the response to use.
    Headers responseHeaders = createHeaders(javaResponse.getHeaders());
    Headers varyHeaders;
    if (HttpHeaders.hasVaryAll(responseHeaders)) {
        // "*" means that this will be treated as uncacheable anyway.
        varyHeaders = new Headers.Builder().build();
    } else {
        varyHeaders = HttpHeaders.varyHeaders(request.headers(), responseHeaders);
    }
    Request cacheRequest = new Request.Builder().url(request.url()).method(request.method(), null).headers(varyHeaders).build();
    Response.Builder okResponseBuilder = new Response.Builder();
    // Request: Use the cacheRequest we built.
    okResponseBuilder.request(cacheRequest);
    // Status line: Java has this as one of the headers.
    StatusLine statusLine = StatusLine.parse(extractStatusLine(javaResponse));
    okResponseBuilder.protocol(statusLine.protocol);
    okResponseBuilder.code(statusLine.code);
    okResponseBuilder.message(statusLine.message);
    // Response headers
    Headers okHeaders = extractOkHeaders(javaResponse, okResponseBuilder);
    okResponseBuilder.headers(okHeaders);
    // Response body
    ResponseBody okBody = createOkBody(okHeaders, javaResponse);
    okResponseBuilder.body(okBody);
    // Handle SSL handshake information as needed.
    if (javaResponse instanceof SecureCacheResponse) {
        SecureCacheResponse javaSecureCacheResponse = (SecureCacheResponse) javaResponse;
        // Handshake doesn't support null lists.
        List<Certificate> peerCertificates;
        try {
            peerCertificates = javaSecureCacheResponse.getServerCertificateChain();
        } catch (SSLPeerUnverifiedException e) {
            peerCertificates = Collections.emptyList();
        }
        List<Certificate> localCertificates = javaSecureCacheResponse.getLocalCertificateChain();
        if (localCertificates == null) {
            localCertificates = Collections.emptyList();
        }
        String cipherSuiteString = javaSecureCacheResponse.getCipherSuite();
        CipherSuite cipherSuite = CipherSuite.forJavaName(cipherSuiteString);
        Handshake handshake = Handshake.get(null, cipherSuite, peerCertificates, localCertificates);
        okResponseBuilder.handshake(handshake);
    }
    return okResponseBuilder.build();
}

Example 9 with Handshake

use of okhttp3.Handshake in project okhttp by square.

the class JavaApiConverter method createJavaCacheResponse.

/**
   * Creates a {@link java.net.CacheResponse} of the correct (sub)type using information gathered
   * from the supplied {@link Response}.
   */
public static CacheResponse createJavaCacheResponse(final Response response) {
    final Headers headers = withSyntheticHeaders(response);
    final ResponseBody body = response.body();
    if (response.request().isHttps()) {
        final Handshake handshake = response.handshake();
        return new SecureCacheResponse() {

            @Override
            public String getCipherSuite() {
                return handshake != null ? handshake.cipherSuite().javaName() : null;
            }

            @Override
            public List<Certificate> getLocalCertificateChain() {
                if (handshake == null)
                    return null;
                // Java requires null, not an empty list here.
                List<Certificate> certificates = handshake.localCertificates();
                return certificates.size() > 0 ? certificates : null;
            }

            @Override
            public List<Certificate> getServerCertificateChain() throws SSLPeerUnverifiedException {
                if (handshake == null)
                    return null;
                // Java requires null, not an empty list here.
                List<Certificate> certificates = handshake.peerCertificates();
                return certificates.size() > 0 ? certificates : null;
            }

            @Override
            public Principal getPeerPrincipal() throws SSLPeerUnverifiedException {
                if (handshake == null)
                    return null;
                return handshake.peerPrincipal();
            }

            @Override
            public Principal getLocalPrincipal() {
                if (handshake == null)
                    return null;
                return handshake.localPrincipal();
            }

            @Override
            public Map<String, List<String>> getHeaders() throws IOException {
                // Java requires that the entry with a null key be the status line.
                return JavaNetHeaders.toMultimap(headers, StatusLine.get(response).toString());
            }

            @Override
            public InputStream getBody() throws IOException {
                if (body == null)
                    return null;
                return body.byteStream();
            }
        };
    } else {
        return new CacheResponse() {

            @Override
            public Map<String, List<String>> getHeaders() throws IOException {
                // Java requires that the entry with a null key be the status line.
                return JavaNetHeaders.toMultimap(headers, StatusLine.get(response).toString());
            }

            @Override
            public InputStream getBody() throws IOException {
                if (body == null)
                    return null;
                return body.byteStream();
            }
        };
    }
}

Example 10 with Handshake

use of okhttp3.Handshake in project okhttp by square.

the class CertificatePinnerChainValidationTest method unrelatedPinnedIntermediateCertificateInChain.

@Test
public void unrelatedPinnedIntermediateCertificateInChain() throws Exception {
    // Start with two root CA certificates, one is good and the other is compromised.
    HeldCertificate rootCa = new HeldCertificate.Builder().serialNumber("1").ca(3).commonName("root").build();
    HeldCertificate compromisedRootCa = new HeldCertificate.Builder().serialNumber("2").ca(3).commonName("compromised_root").build();
    // Add a good intermediate CA, and have that issue a good certificate to localhost. Prepare an
    // SSL context for an HTTP client under attack. It includes the trusted CA and a pinned
    // certificate.
    HeldCertificate goodIntermediateCa = new HeldCertificate.Builder().issuedBy(rootCa).ca(2).serialNumber("3").commonName("intermediate_ca").build();
    CertificatePinner certificatePinner = new CertificatePinner.Builder().add(server.getHostName(), CertificatePinner.pin(goodIntermediateCa.certificate)).build();
    SslClient clientContextBuilder = new SslClient.Builder().addTrustedCertificate(rootCa.certificate).addTrustedCertificate(compromisedRootCa.certificate).build();
    OkHttpClient client = defaultClient().newBuilder().sslSocketFactory(clientContextBuilder.socketFactory, clientContextBuilder.trustManager).hostnameVerifier(new RecordingHostnameVerifier()).certificatePinner(certificatePinner).build();
    // The attacker compromises the root CA, issues an intermediate with the same common name
    // "intermediate_ca" as the good CA. This signs a rogue certificate for localhost. The server
    // serves the good CAs certificate in the chain, which means the certificate pinner sees a
    // different set of certificates than the SSL verifier.
    HeldCertificate compromisedIntermediateCa = new HeldCertificate.Builder().issuedBy(compromisedRootCa).ca(2).serialNumber("4").commonName("intermediate_ca").build();
    HeldCertificate rogueCertificate = new HeldCertificate.Builder().serialNumber("5").issuedBy(compromisedIntermediateCa).commonName(server.getHostName()).build();
    SslClient.Builder sslBuilder = new SslClient.Builder();
    // http://hg.openjdk.java.net/jdk9/jdk9/jdk/file/2c1c21d11e58/src/share/classes/sun/security/pkcs12/PKCS12KeyStore.java#l596
    if (getPlatform().equals("jdk9")) {
        sslBuilder.keyStoreType("JKS");
    }
    SslClient serverSslContext = sslBuilder.certificateChain(rogueCertificate.keyPair, rogueCertificate.certificate, goodIntermediateCa.certificate, compromisedIntermediateCa.certificate, compromisedRootCa.certificate).build();
    server.useHttps(serverSslContext.socketFactory, false);
    server.enqueue(new MockResponse().setBody("abc").addHeader("Content-Type: text/plain"));
    // Make a request from client to server. It should succeed certificate checks (unfortunately the
    // rogue CA is trusted) but it should fail certificate pinning.
    Request request = new Request.Builder().url(server.url("/")).build();
    Call call = client.newCall(request);
    try {
        call.execute();
        fail();
    } catch (SSLHandshakeException expected) {
        // On Android, the handshake fails before the certificate pinner runs.
        String message = expected.getMessage();
        assertTrue(message, message.contains("Could not validate certificate"));
    } catch (SSLPeerUnverifiedException expected) {
        // On OpenJDK, the handshake succeeds but the certificate pinner fails.
        String message = expected.getMessage();
        assertTrue(message, message.startsWith("Certificate pinning failure!"));
    }
}