Example 6 with SslClient

use of okhttp3.internal.tls.SslClient in project okhttp by square.

Class CertificatePinnerChainValidationTest, method pinIntermediatePresentInChain.

/** The pinner should accept an intermediate from the server's chain. */
@Test
public void pinIntermediatePresentInChain() throws Exception {
    HeldCertificate rootCa = new HeldCertificate.Builder()
            .serialNumber("1").ca(3).commonName("root")
            .build();
    HeldCertificate intermediateCa = new HeldCertificate.Builder()
            .issuedBy(rootCa).ca(2).serialNumber("2").commonName("intermediate_ca")
            .build();
    HeldCertificate certificate = new HeldCertificate.Builder()
            .issuedBy(intermediateCa).serialNumber("3").commonName(server.getHostName())
            .build();
    // Pin the intermediate CA; the server presents it in its chain below.
    CertificatePinner certificatePinner = new CertificatePinner.Builder()
            .add(server.getHostName(), CertificatePinner.pin(intermediateCa.certificate))
            .build();
    SslClient contextBuilder = new SslClient.Builder()
            .addTrustedCertificate(rootCa.certificate)
            .build();
    OkHttpClient client = defaultClient().newBuilder()
            .sslSocketFactory(contextBuilder.socketFactory, contextBuilder.trustManager)
            .hostnameVerifier(new RecordingHostnameVerifier())
            .certificatePinner(certificatePinner)
            .build();
    SslClient serverSslContext = new SslClient.Builder()
            .certificateChain(certificate.keyPair, certificate.certificate, intermediateCa.certificate)
            .build();
    server.useHttps(serverSslContext.socketFactory, false);
    // The request should complete successfully.
    server.enqueue(new MockResponse().setBody("abc").setSocketPolicy(SocketPolicy.DISCONNECT_AT_END));
    Call call1 = client.newCall(new Request.Builder().url(server.url("/")).build());
    Response response1 = call1.execute();
    assertEquals("abc", response1.body().string());
    response1.close();
    // Force a fresh connection for the next request.
    client.connectionPool().evictAll();
    // Confirm that a second request also succeeds. This should detect caching problems.
    server.enqueue(new MockResponse().setBody("def").setSocketPolicy(SocketPolicy.DISCONNECT_AT_END));
    Call call2 = client.newCall(new Request.Builder().url(server.url("/")).build());
    Response response2 = call2.execute();
    assertEquals("def", response2.body().string());
    response2.close();
}

Example 7 with SslClient

Class CertificatePinnerChainValidationTest, method unrelatedPinnedLeafCertificateInChain.

/**
 * A pinned leaf certificate that merely appears in the server's chain, without being part of the
 * validated path to the leaf, must not satisfy the pinner.
 */
@Test
public void unrelatedPinnedLeafCertificateInChain() throws Exception {
    // Start with a trusted root CA certificate.
    HeldCertificate rootCa = new HeldCertificate.Builder()
            .serialNumber("1").ca(3).commonName("root")
            .build();
    // Add a good intermediate CA, and have that issue a good certificate to localhost. Prepare an
    // SSL context for an HTTP client under attack. It includes the trusted CA and a pinned
    // certificate.
    HeldCertificate goodIntermediateCa = new HeldCertificate.Builder()
            .issuedBy(rootCa).ca(2).serialNumber("2").commonName("good_intermediate_ca")
            .build();
    HeldCertificate goodCertificate = new HeldCertificate.Builder()
            .issuedBy(goodIntermediateCa).serialNumber("3").commonName(server.getHostName())
            .build();
    CertificatePinner certificatePinner = new CertificatePinner.Builder()
            .add(server.getHostName(), CertificatePinner.pin(goodCertificate.certificate))
            .build();
    SslClient clientContextBuilder = new SslClient.Builder()
            .addTrustedCertificate(rootCa.certificate)
            .build();
    OkHttpClient client = defaultClient().newBuilder()
            .sslSocketFactory(clientContextBuilder.socketFactory, clientContextBuilder.trustManager)
            .hostnameVerifier(new RecordingHostnameVerifier())
            .certificatePinner(certificatePinner)
            .build();
    // Add a bad intermediate CA and have that issue a rogue certificate for localhost. Prepare
    // an SSL context for an attacking webserver. It includes both these rogue certificates plus the
    // trusted good certificate above. The attack is that by including the good certificate in the
    // chain, we may trick the certificate pinner into accepting the rogue certificate.
    HeldCertificate compromisedIntermediateCa = new HeldCertificate.Builder()
            .issuedBy(rootCa).ca(2).serialNumber("4").commonName("bad_intermediate_ca")
            .build();
    HeldCertificate rogueCertificate = new HeldCertificate.Builder()
            .serialNumber("5").issuedBy(compromisedIntermediateCa).commonName(server.getHostName())
            .build();
    SslClient.Builder sslBuilder = new SslClient.Builder();
    // http://hg.openjdk.java.net/jdk9/jdk9/jdk/file/2c1c21d11e58/src/share/classes/sun/security/pkcs12/PKCS12KeyStore.java#l596
    if (getPlatform().equals("jdk9")) {
        sslBuilder.keyStoreType("JKS");
    }
    SslClient serverSslContext = sslBuilder
            .certificateChain(rogueCertificate.keyPair, rogueCertificate.certificate,
                    compromisedIntermediateCa.certificate, goodCertificate.certificate, rootCa.certificate)
            .build();
    server.useHttps(serverSslContext.socketFactory, false);
    server.enqueue(new MockResponse().setBody("abc").addHeader("Content-Type: text/plain"));
    // Make a request from client to server. It should succeed certificate checks (unfortunately the
    // rogue CA is trusted) but it should fail certificate pinning.
    Request request = new Request.Builder().url(server.url("/")).build();
    Call call = client.newCall(request);
    try {
        call.execute();
        fail();
    } catch (SSLPeerUnverifiedException expected) {
        // Certificate pinning fails!
        String message = expected.getMessage();
        assertTrue(message, message.startsWith("Certificate pinning failure!"));
    }
}

Example 8 with SslClient

Class CertificatePinnerChainValidationTest, method pinRootNotPresentInChain.

/** The pinner should pull the root certificate from the trust manager. */
@Test
public void pinRootNotPresentInChain() throws Exception {
    HeldCertificate rootCa = new HeldCertificate.Builder()
            .serialNumber("1").ca(3).commonName("root")
            .build();
    HeldCertificate intermediateCa = new HeldCertificate.Builder()
            .issuedBy(rootCa).ca(2).serialNumber("2").commonName("intermediate_ca")
            .build();
    HeldCertificate certificate = new HeldCertificate.Builder()
            .issuedBy(intermediateCa).serialNumber("3").commonName(server.getHostName())
            .build();
    // Pin the root, which the server below deliberately omits from its chain.
    CertificatePinner certificatePinner = new CertificatePinner.Builder()
            .add(server.getHostName(), CertificatePinner.pin(rootCa.certificate))
            .build();
    SslClient sslClient = new SslClient.Builder()
            .addTrustedCertificate(rootCa.certificate)
            .build();
    OkHttpClient client = defaultClient().newBuilder()
            .sslSocketFactory(sslClient.socketFactory, sslClient.trustManager)
            .hostnameVerifier(new RecordingHostnameVerifier())
            .certificatePinner(certificatePinner)
            .build();
    SslClient serverSslClient = new SslClient.Builder()
            .certificateChain(certificate, intermediateCa)
            .build();
    server.useHttps(serverSslClient.socketFactory, false);
    // The request should complete successfully.
    server.enqueue(new MockResponse().setBody("abc").setSocketPolicy(SocketPolicy.DISCONNECT_AT_END));
    Call call1 = client.newCall(new Request.Builder().url(server.url("/")).build());
    Response response1 = call1.execute();
    assertEquals("abc", response1.body().string());
    // Confirm that a second request also succeeds. This should detect caching problems.
    server.enqueue(new MockResponse().setBody("def").setSocketPolicy(SocketPolicy.DISCONNECT_AT_END));
    Call call2 = client.newCall(new Request.Builder().url(server.url("/")).build());
    Response response2 = call2.execute();
    assertEquals("def", response2.body().string());
}

Example 9 with SslClient

Class CallTest, method httpsWithIpAddress.

/** HTTPS to a literal IP address should verify against the certificate's IP subject alt name. */
@Test
public void httpsWithIpAddress() throws Exception {
    String localIpAddress = InetAddress.getLoopbackAddress().getHostAddress();
    // Create a certificate with an IP address in the subject alt name.
    HeldCertificate heldCertificate = new HeldCertificate.Builder()
            .commonName("example.com")
            .subjectAlternativeName(localIpAddress)
            .build();
    SslClient sslClient = new SslClient.Builder()
            .certificateChain(heldCertificate.keyPair, heldCertificate.certificate)
            .addTrustedCertificate(heldCertificate.certificate)
            .build();
    // Use that certificate on the server and trust it on the client.
    server.useHttps(sslClient.socketFactory, false);
    client = client.newBuilder()
            .sslSocketFactory(sslClient.socketFactory, sslClient.trustManager)
            .hostnameVerifier(new RecordingHostnameVerifier())
            .protocols(Collections.singletonList(Protocol.HTTP_1_1))
            .build();
    // Make a request.
    server.enqueue(new MockResponse());
    HttpUrl url = server.url("/").newBuilder().host(localIpAddress).build();
    Request request = new Request.Builder().url(url).build();
    executeSynchronously(request).assertCode(200);
    // Confirm that the IP address was used in the host header.
    RecordedRequest recordedRequest = server.takeRequest();
    assertEquals(localIpAddress + ":" + server.getPort(), recordedRequest.getHeader("Host"));
}

Example 10 with SslClient

Class OkUrlFactoryTest, method testURLFilterRedirect.

/** A URL filter must also be applied to redirect targets, not only to the initial URL. */
@Test
public void testURLFilterRedirect() throws Exception {
    MockWebServer cleartextServer = new MockWebServer();
    cleartextServer.enqueue(new MockResponse().setBody("Blocked!"));
    final URL blockedURL = cleartextServer.url("/").url();
    SslClient contextBuilder = SslClient.localhost();
    server.useHttps(contextBuilder.socketFactory, false);
    factory.setClient(factory.client().newBuilder()
            .sslSocketFactory(contextBuilder.socketFactory, contextBuilder.trustManager)
            .followSslRedirects(true)
            .build());
    // Deny exactly the cleartext URL that the HTTPS server will redirect to.
    factory.setUrlFilter(new URLFilter() {
        @Override
        public void checkURLPermitted(URL url) throws IOException {
            if (blockedURL.equals(url)) {
                throw new IOException("Blocked");
            }
        }
    });
    server.enqueue(new MockResponse()
            .setResponseCode(302)
            .addHeader("Location: " + blockedURL)
            .setBody("This page has moved"));
    URL destination = server.url("/").url();
    try {
        HttpsURLConnection httpsConnection = (HttpsURLConnection) factory.open(destination);
        httpsConnection.getInputStream();
        fail("Connection was successful");
    } catch (IOException expected) {
        // The filter rejected the redirect target, so following the redirect fails as intended.
    }
}