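/**
 * The pinner should accept an intermediate from the server's chain.
 *
 * <p>The client trusts only {@code rootCa} and pins {@code intermediateCa}; the server presents
 * the leaf together with that intermediate. A second request is made on a fresh connection so
 * that a result cached from the first handshake cannot hide a pinning problem on the second.
 *
 * @throws Exception if building the certificates or executing a call fails
 */
@Test
public void pinIntermediatePresentInChain() throws Exception {
  HeldCertificate rootCa = new HeldCertificate.Builder()
      .serialNumber("1")
      .ca(3)
      .commonName("root")
      .build();
  HeldCertificate intermediateCa = new HeldCertificate.Builder()
      .issuedBy(rootCa)
      .ca(2)
      .serialNumber("2")
      .commonName("intermediate_ca")
      .build();
  HeldCertificate certificate = new HeldCertificate.Builder()
      .issuedBy(intermediateCa)
      .serialNumber("3")
      .commonName(server.getHostName())
      .build();

  // Pin the intermediate, not the leaf: the pinner must match it against a chain element.
  CertificatePinner certificatePinner = new CertificatePinner.Builder()
      .add(server.getHostName(), CertificatePinner.pin(intermediateCa.certificate))
      .build();
  SslClient contextBuilder = new SslClient.Builder()
      .addTrustedCertificate(rootCa.certificate)
      .build();
  OkHttpClient client = defaultClient().newBuilder()
      .sslSocketFactory(contextBuilder.socketFactory, contextBuilder.trustManager)
      .hostnameVerifier(new RecordingHostnameVerifier())
      .certificatePinner(certificatePinner)
      .build();

  // The server sends the leaf plus the intermediate; the root is supplied by the trust manager.
  SslClient serverSslContext = new SslClient.Builder()
      .certificateChain(certificate.keyPair, certificate.certificate, intermediateCa.certificate)
      .build();
  server.useHttps(serverSslContext.socketFactory, false);

  // The request should complete successfully. try-with-resources releases the response even
  // when the assertion fails, so a failing run does not leak the connection.
  server.enqueue(new MockResponse().setBody("abc").setSocketPolicy(SocketPolicy.DISCONNECT_AT_END));
  Call call1 = client.newCall(new Request.Builder().url(server.url("/")).build());
  try (Response response1 = call1.execute()) {
    assertEquals("abc", response1.body().string());
  }

  // Force a fresh connection for the next request.
  client.connectionPool().evictAll();

  // Confirm that a second request also succeeds. This should detect caching problems.
  server.enqueue(new MockResponse().setBody("def").setSocketPolicy(SocketPolicy.DISCONNECT_AT_END));
  Call call2 = client.newCall(new Request.Builder().url(server.url("/")).build());
  try (Response response2 = call2.execute()) {
    assertEquals("def", response2.body().string());
  }
}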
/**
 * A pinned certificate that merely appears in the served chain must not satisfy the pinner.
 *
 * <p>The client pins the legitimate leaf issued through {@code good_intermediate_ca}. The
 * server, standing in for an attacker, presents a leaf issued by a different intermediate under
 * the same trusted root and appends the pinned leaf to its chain. Trust validation passes, so
 * the pinner alone has to reject the connection.
 *
 * @throws Exception if building the certificates fails
 */
@Test
public void unrelatedPinnedLeafCertificateInChain() throws Exception {
  // Start with a trusted root CA certificate.
  HeldCertificate trustedRoot = new HeldCertificate.Builder()
      .serialNumber("1")
      .ca(3)
      .commonName("root")
      .build();

  // A good intermediate CA issues a good certificate to localhost. The client under attack
  // trusts the root and pins that good certificate.
  HeldCertificate goodIntermediate = new HeldCertificate.Builder()
      .issuedBy(trustedRoot)
      .ca(2)
      .serialNumber("2")
      .commonName("good_intermediate_ca")
      .build();
  HeldCertificate goodLeaf = new HeldCertificate.Builder()
      .issuedBy(goodIntermediate)
      .serialNumber("3")
      .commonName(server.getHostName())
      .build();
  CertificatePinner pinner = new CertificatePinner.Builder()
      .add(server.getHostName(), CertificatePinner.pin(goodLeaf.certificate))
      .build();
  SslClient clientTls = new SslClient.Builder()
      .addTrustedCertificate(trustedRoot.certificate)
      .build();
  OkHttpClient client = defaultClient().newBuilder()
      .sslSocketFactory(clientTls.socketFactory, clientTls.trustManager)
      .hostnameVerifier(new RecordingHostnameVerifier())
      .certificatePinner(pinner)
      .build();

  // A bad intermediate CA, also issued by the trusted root, issues a rogue certificate for
  // localhost. The attacking server's chain holds both rogue certificates plus the trusted good
  // certificate above. The attack is that including the good certificate in the chain might
  // trick the certificate pinner into accepting the rogue certificate.
  HeldCertificate badIntermediate = new HeldCertificate.Builder()
      .issuedBy(trustedRoot)
      .ca(2)
      .serialNumber("4")
      .commonName("bad_intermediate_ca")
      .build();
  HeldCertificate rogueLeaf = new HeldCertificate.Builder()
      .issuedBy(badIntermediate)
      .serialNumber("5")
      .commonName(server.getHostName())
      .build();

  SslClient.Builder serverTlsBuilder = new SslClient.Builder();
  // http://hg.openjdk.java.net/jdk9/jdk9/jdk/file/2c1c21d11e58/src/share/classes/sun/security/pkcs12/PKCS12KeyStore.java#l596
  boolean onJdk9 = getPlatform().equals("jdk9");
  if (onJdk9) {
    serverTlsBuilder.keyStoreType("JKS");
  }
  SslClient serverTls = serverTlsBuilder
      .certificateChain(rogueLeaf.keyPair, rogueLeaf.certificate, badIntermediate.certificate,
          goodLeaf.certificate, trustedRoot.certificate)
      .build();
  server.useHttps(serverTls.socketFactory, false);
  server.enqueue(new MockResponse().setBody("abc").addHeader("Content-Type: text/plain"));

  // Make a request from client to server. It should pass certificate checks (unfortunately the
  // rogue CA is trusted) but it should fail certificate pinning.
  Call call = client.newCall(new Request.Builder().url(server.url("/")).build());
  try {
    call.execute();
    fail();
  } catch (SSLPeerUnverifiedException expected) {
    // Certificate pinning fails!
    String failureMessage = expected.getMessage();
    assertTrue(failureMessage, failureMessage.startsWith("Certificate pinning failure!"));
  }
}
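/**
 * The pinner should pull the root certificate from the trust manager.
 *
 * <p>The client pins {@code rootCa}, but the server's chain carries only the leaf and the
 * intermediate. The pinner therefore has to complete the chain through the trust manager to
 * find the pinned root. A second request confirms the result is not a one-off.
 *
 * @throws Exception if building the certificates or executing a call fails
 */
@Test
public void pinRootNotPresentInChain() throws Exception {
  HeldCertificate rootCa = new HeldCertificate.Builder()
      .serialNumber("1")
      .ca(3)
      .commonName("root")
      .build();
  HeldCertificate intermediateCa = new HeldCertificate.Builder()
      .issuedBy(rootCa)
      .ca(2)
      .serialNumber("2")
      .commonName("intermediate_ca")
      .build();
  HeldCertificate certificate = new HeldCertificate.Builder()
      .issuedBy(intermediateCa)
      .serialNumber("3")
      .commonName(server.getHostName())
      .build();

  // Pin the root, which the server never sends.
  CertificatePinner certificatePinner = new CertificatePinner.Builder()
      .add(server.getHostName(), CertificatePinner.pin(rootCa.certificate))
      .build();
  SslClient sslClient = new SslClient.Builder()
      .addTrustedCertificate(rootCa.certificate)
      .build();
  OkHttpClient client = defaultClient().newBuilder()
      .sslSocketFactory(sslClient.socketFactory, sslClient.trustManager)
      .hostnameVerifier(new RecordingHostnameVerifier())
      .certificatePinner(certificatePinner)
      .build();

  // The served chain stops at the intermediate; the root must come from the client's trust store.
  SslClient serverSslClient = new SslClient.Builder()
      .certificateChain(certificate, intermediateCa)
      .build();
  server.useHttps(serverSslClient.socketFactory, false);

  // The request should complete successfully. The responses were previously never closed; use
  // try-with-resources so each one is released whether or not the assertion passes.
  server.enqueue(new MockResponse().setBody("abc").setSocketPolicy(SocketPolicy.DISCONNECT_AT_END));
  Call call1 = client.newCall(new Request.Builder().url(server.url("/")).build());
  try (Response response1 = call1.execute()) {
    assertEquals("abc", response1.body().string());
  }

  // Confirm that a second request also succeeds. This should detect caching problems.
  server.enqueue(new MockResponse().setBody("def").setSocketPolicy(SocketPolicy.DISCONNECT_AT_END));
  Call call2 = client.newCall(new Request.Builder().url(server.url("/")).build());
  try (Response response2 = call2.execute()) {
    assertEquals("def", response2.body().string());
  }
}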
/**
 * HTTPS to a literal IP address works when that address is in the certificate's subject
 * alternative name, and the Host header carries the IP literal rather than a host name.
 *
 * @throws Exception if certificate creation, the request, or reading the recorded request fails
 */
@Test
public void httpsWithIpAddress() throws Exception {
  String loopbackIp = InetAddress.getLoopbackAddress().getHostAddress();

  // Self-signed certificate whose SAN is the loopback IP; the same certificate is used by the
  // server and trusted by the client.
  HeldCertificate ipCertificate = new HeldCertificate.Builder()
      .commonName("example.com")
      .subjectAlternativeName(loopbackIp)
      .build();
  SslClient tls = new SslClient.Builder()
      .certificateChain(ipCertificate.keyPair, ipCertificate.certificate)
      .addTrustedCertificate(ipCertificate.certificate)
      .build();

  server.useHttps(tls.socketFactory, false);
  client = client.newBuilder()
      .sslSocketFactory(tls.socketFactory, tls.trustManager)
      .hostnameVerifier(new RecordingHostnameVerifier())
      .protocols(Collections.singletonList(Protocol.HTTP_1_1))
      .build();

  // Address the server by IP literal instead of its host name.
  server.enqueue(new MockResponse());
  HttpUrl ipUrl = server.url("/").newBuilder().host(loopbackIp).build();
  executeSynchronously(new Request.Builder().url(ipUrl).build()).assertCode(200);

  // The Host header must carry the IP literal and port.
  RecordedRequest recorded = server.takeRequest();
  String expectedHost = loopbackIp + ":" + server.getPort();
  assertEquals(expectedHost, recorded.getHeader("Host"));
}
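/**
 * A URL filter is consulted on redirect targets, not only on the initial URL.
 *
 * <p>The HTTPS server answers with a 302 to a cleartext server; the filter rejects exactly that
 * URL, so following the redirect must fail even though {@code followSslRedirects} is enabled.
 *
 * @throws Exception if either server cannot be started or shut down
 */
@Test
public void testURLFilterRedirect() throws Exception {
  MockWebServer cleartextServer = new MockWebServer();
  try {
    cleartextServer.enqueue(new MockResponse().setBody("Blocked!"));
    final URL blockedURL = cleartextServer.url("/").url();

    SslClient contextBuilder = SslClient.localhost();
    server.useHttps(contextBuilder.socketFactory, false);
    factory.setClient(factory.client().newBuilder()
        .sslSocketFactory(contextBuilder.socketFactory, contextBuilder.trustManager)
        .followSslRedirects(true)
        .build());

    // Reject only the redirect target; the initial HTTPS URL stays permitted.
    factory.setUrlFilter(new URLFilter() {
      @Override
      public void checkURLPermitted(URL url) throws IOException {
        if (blockedURL.equals(url)) {
          throw new IOException("Blocked");
        }
      }
    });

    server.enqueue(new MockResponse()
        .setResponseCode(302)
        .addHeader("Location: " + blockedURL)
        .setBody("This page has moved"));
    URL destination = server.url("/").url();

    try {
      HttpsURLConnection httpsConnection = (HttpsURLConnection) factory.open(destination);
      httpsConnection.getInputStream();
      fail("Connection was successful");
    } catch (IOException expected) {
      // NOTE(review): any IOException satisfies this catch, including an unrelated connection
      // failure to the HTTPS server, so the test could pass without the filter ever running.
      // Asserting on the "Blocked" message would tighten it — confirm the factory does not wrap
      // the filter's exception before adding that check.
    }
  } finally {
    // The second server was never shut down; release its port and acceptor thread.
    cleartextServer.shutdown();
  }
}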