
Example 1 with SSLCertificateConfiguration

use of org.carapaceproxy.server.config.SSLCertificateConfiguration in project carapaceproxy by diennea.

the class SSLSNITest method testTLSVersion.

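/**
 * Verifies which TLS protocol version a TLS listener negotiates with a client.
 * <p>
 * Four cases are covered: a listener pinned to {@code TLSv1.3}, a listener pinned to each entry of
 * {@code DEFAULT_SSL_PROTOCOLS}, a listener with no explicit version (which must land on one of the
 * defaults) and a listener configured with an unknown version name, which must be rejected at
 * configuration time rather than silently falling back to some other version.
 *
 * @throws Exception on any setup or I/O failure; the test fails
 */
@Test
public void testTLSVersion() throws Exception {
    String nonLocalhost = InetAddress.getLocalHost().getCanonicalHostName();
    String certificate = TestUtils.deployResource("localhost.p12", tmpDir.getRoot());
    stubFor(get(urlEqualTo("/index.html")).willReturn(aResponse().withStatus(200).withHeader("Content-Type", "text/html").withHeader("Content-Length", "it <b>works</b> !!".length() + "").withBody("it <b>works</b> !!")));
    TestEndpointMapper mapper = new TestEndpointMapper("localhost", wireMockRule.port(), true);
    // TLS 1.3 support checking: a listener pinned to TLSv1.3 must negotiate exactly that version
    assertEquals("TLSv1.3", negotiatedProtocol(mapper, nonLocalhost, certificate,
            new NetworkListenerConfiguration(nonLocalhost, 0, true, false, null, nonLocalhost, null, null, "TLSv1.3")));
    // default ssl protocol version support checking: every default version must be negotiable when pinned
    for (String proto : DEFAULT_SSL_PROTOCOLS) {
        assertEquals(proto, negotiatedProtocol(mapper, nonLocalhost, certificate,
                new NetworkListenerConfiguration(nonLocalhost, 0, true, false, null, nonLocalhost, null, null, proto)));
    }
    // no explicit version: whatever is negotiated has to be one of the defaults
    String negotiated = negotiatedProtocol(mapper, nonLocalhost, certificate,
            new NetworkListenerConfiguration(nonLocalhost, 0, true, false, null, nonLocalhost, null, null));
    assertTrue("negotiated protocol not among defaults: " + negotiated, DEFAULT_SSL_PROTOCOLS.contains(negotiated));
    // wrong ssl protocol version checking: an unknown version name must be a configuration error
    TestUtils.assertThrows(ConfigurationNotValidException.class, () -> {
        try (HttpProxyServer server = new HttpProxyServer(mapper, tmpDir.getRoot())) {
            server.addCertificate(new SSLCertificateConfiguration(nonLocalhost, certificate, "testproxy", STATIC));
            server.addListener(new NetworkListenerConfiguration(nonLocalhost, 0, true, false, null, nonLocalhost, null, null, "TLSvWRONG"));
        }
    });
}

/**
 * Boots a proxy with the given certificate and listener, performs one TLS request against it
 * and reports the protocol version the client session ended up with.
 *
 * @param mapper      endpoint mapper routing {@code /index.html} to the WireMock backend
 * @param host        host name used both as certificate/listener name and as SNI for the client
 * @param certificate path of the deployed PKCS#12 keystore
 * @param listener    listener configuration under test (with or without an explicit TLS version)
 * @return the protocol name of the client's {@link SSLSession}, e.g. {@code TLSv1.3}
 * @throws Exception if the server cannot start or the request fails; also fails the test if the
 *                   backend body is not proxied back
 */
private String negotiatedProtocol(TestEndpointMapper mapper, String host, String certificate, NetworkListenerConfiguration listener) throws Exception {
    try (HttpProxyServer server = new HttpProxyServer(mapper, tmpDir.getRoot())) {
        server.addCertificate(new SSLCertificateConfiguration(host, certificate, "testproxy", STATIC));
        server.addListener(listener);
        server.start();
        int port = server.getLocalPort();
        try (RawHttpClient client = new RawHttpClient(host, port, true, host)) {
            RawHttpClient.HttpResponse resp = client.executeRequest("GET /index.html HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n\r\n");
            assertTrue(resp.toString().contains("it <b>works</b> !!"));
            // read the session while the socket is still open, before try-with-resources closes the client
            SSLSession session = client.getSSLSocket().getSession();
            return session.getProtocol();
        }
    }
}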

Example 2 with SSLCertificateConfiguration

use of org.carapaceproxy.server.config.SSLCertificateConfiguration in project carapaceproxy by diennea.

the class CertificatesTest method testUploadTypedCertificatesWithDaysBeforeRenewal.

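/**
 * Exercises the {@code daysbeforerenewal} parameter of the certificate upload API for both
 * certificate types.
 * <p>
 * For {@code acme} the value must be stored, must be rejected when negative and must fall back to
 * {@code DEFAULT_DAYS_BEFORE_RENEWAL} when omitted. For {@code manual} any explicit value must be
 * rejected and the stored value must be {@code 0}. The last step flips the type and checks that the
 * corresponding {@code certificate.X.daysbeforerenewal} property is only kept for {@code acme}.
 *
 * @param type certificate type supplied by the parameter runner, {@code "acme"} or {@code "manual"}
 * @throws Exception on any setup or I/O failure; the test fails
 */
@Test
@Parameters({ "acme", "manual" })
public void testUploadTypedCertificatesWithDaysBeforeRenewal(String type) throws Exception {
    configureAndStartServer();
    DynamicCertificatesManager dynCertsMan = server.getDynamicCertificatesManager();
    KeyPair endUserKeyPair = KeyPairUtils.createKeyPair(DEFAULT_KEYPAIRS_SIZE);
    Certificate[] chain = generateSampleChain(endUserKeyPair, false);
    byte[] chainData = createKeystore(chain, endUserKeyPair.getPrivate());
    boolean manual = type.equals("manual");
    String acmeOnlyError = "ERROR: param 'daysbeforerenewal' available for type 'acme' only";
    String negativeError = "ERROR: param 'daysbeforerenewal' has to be a positive number";
    // what the server must store when the parameter is omitted, per type
    int expectedDefault = manual ? 0 : DEFAULT_DAYS_BEFORE_RENEWAL;
    try (RawHttpClient client = new RawHttpClient("localhost", DEFAULT_ADMIN_PORT)) {
        CertificateData data;
        // Create
        HttpResponse resp = uploadCertificate("localhost2", "type=" + type + "&daysbeforerenewal=10", chainData, client, credentials);
        if (manual) {
            assertTrue(resp.getBodyString().contains(acmeOnlyError));
        } else {
            data = dynCertsMan.getCertificateDataForDomain("localhost2");
            assertNotNull(data);
            assertEquals(10, data.getDaysBeforeRenewal());
        }
        // negative value
        resp = uploadCertificate("localhost-negative", "type=" + type + "&daysbeforerenewal=-10", chainData, client, credentials);
        assertTrue(resp.getBodyString().contains(manual ? acmeOnlyError : negativeError));
        // default value
        uploadCertificate("localhost-default", "type=" + type, chainData, client, credentials);
        data = dynCertsMan.getCertificateDataForDomain("localhost-default");
        assertNotNull(data);
        assertEquals(expectedDefault, data.getDaysBeforeRenewal());
        // Update: the response of this call is the one to inspect (not the earlier negative-value one)
        resp = uploadCertificate("localhost2", "type=" + type + "&daysbeforerenewal=45", chainData, client, credentials);
        if (manual) {
            assertTrue(resp.getBodyString().contains(acmeOnlyError));
        } else {
            data = dynCertsMan.getCertificateDataForDomain("localhost2");
            assertNotNull(data);
            assertEquals(45, data.getDaysBeforeRenewal());
        }
        // negative value on update
        resp = uploadCertificate("localhost2", "type=" + type + "&daysbeforerenewal=-10", chainData, client, credentials);
        assertTrue(resp.getBodyString().contains(manual ? acmeOnlyError : negativeError));
        // default value on update
        uploadCertificate("localhost2", "type=" + type, chainData, client, credentials);
        data = dynCertsMan.getCertificateDataForDomain("localhost2");
        assertNotNull(data);
        assertEquals(expectedDefault, data.getDaysBeforeRenewal());
        // changing the type (acme <-> manual)
        String other = manual ? "acme" : "manual";
        int expectedAfterSwitch = other.equals("manual") ? 0 : DEFAULT_DAYS_BEFORE_RENEWAL;
        uploadCertificate("localhost2", "type=" + other, chainData, client, credentials);
        data = dynCertsMan.getCertificateDataForDomain("localhost2");
        assertNotNull(data);
        assertEquals(expectedAfterSwitch, data.getDaysBeforeRenewal());
        SSLCertificateConfiguration config = server.getCurrentConfiguration().getCertificates().get("localhost2");
        assertEquals(expectedAfterSwitch, config.getDaysBeforeRenewal());
        // checking for "certificate.X.daysbeforerenewal" property delete:
        // the property must survive only when the certificate is now of type acme
        ConfigurationStore store = server.getDynamicConfigurationStore();
        assertEquals(other.equals("acme"), store.anyPropertyMatches((k, v) -> {
            if (k.matches("certificate\\.[0-9]+\\.hostname") && v.equals("localhost2")) {
                return store.getProperty(k.replace("hostname", "daysbeforerenewal"), null) != null;
            }
            return false;
        }));
    }
}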

Example 3 with SSLCertificateConfiguration

use of org.carapaceproxy.server.config.SSLCertificateConfiguration in project carapaceproxy by diennea.

the class CacheTest method testBootSslRelativeCertificatePath.

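/**
 * Boots a TLS listener whose certificate is configured by bare file name rather than absolute path.
 * <p>
 * The test passes when {@link HttpProxyServer#start()} completes without throwing; no request is
 * issued against the listener.
 *
 * @throws Exception if the server cannot resolve the relative keystore path or fails to start
 */
@Test
public void testBootSslRelativeCertificatePath() throws Exception {
    // the keystore is copied into the same directory handed to HttpProxyServer below;
    // the certificate configuration then names it by file name only
    TestUtils.deployResource("localhost.p12", tmpDir.getRoot());
    stubFor(get(urlEqualTo("/index.html")).willReturn(aResponse().withStatus(200).withHeader("Content-Type", "text/html").withHeader("Content-Length", "it <b>works</b> !!".length() + "").withBody("it <b>works</b> !!")));
    TestEndpointMapper mapper = new TestEndpointMapper("localhost", wireMockRule.port(), true);
    try (HttpProxyServer server = new HttpProxyServer(mapper, tmpDir.getRoot())) {
        server.addCertificate(new SSLCertificateConfiguration("localhost", "localhost.p12", "testproxy", STATIC));
        server.addListener(new NetworkListenerConfiguration("localhost", 0, true, false, null, "localhost", null, null));
        server.start();
    }
}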

Example 4 with SSLCertificateConfiguration

use of org.carapaceproxy.server.config.SSLCertificateConfiguration in project carapaceproxy by diennea.

the class SimpleHTTPProxyTest method testSsl.

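/**
 * End-to-end HTTPS check through the standard JDK URL stack: a request for an unmapped path must
 * fail with a 404 (surfaced by {@code HttpURLConnection} as {@link FileNotFoundException}) and a
 * request for the stubbed path must return the backend body unchanged.
 *
 * @throws Exception on any setup or I/O failure other than the expected 404; the test fails
 */
@Test
public void testSsl() throws Exception {
    // presumably relaxes the JVM-wide HTTPS verifier so the JDK client accepts the test certificate;
    // note this is process-global state shared with every other test running in this JVM
    HttpTestUtils.overideJvmWideHttpsVerifier();
    String certificate = TestUtils.deployResource("ia.p12", tmpDir.getRoot());
    String caCertificate = TestUtils.deployResource("ca.p12", tmpDir.getRoot());
    stubFor(get(urlEqualTo("/index.html?redir")).willReturn(aResponse().withStatus(200).withHeader("Content-Type", "text/html").withBody("it <b>works</b> !!")));
    TestEndpointMapper mapper = new TestEndpointMapper("localhost", wireMockRule.port());
    try (HttpProxyServer server = new HttpProxyServer(mapper, tmpDir.getRoot())) {
        server.addCertificate(new SSLCertificateConfiguration("localhost", certificate, "changeit", STATIC));
        server.addListener(new NetworkListenerConfiguration("localhost", 0, true, false, null, "localhost", caCertificate, "changeit"));
        server.start();
        int port = server.getLocalPort();
        // not found
        try {
            IOUtils.toString(new URL("https://localhost:" + port + "/index.html?not-found").toURI(), "utf-8");
            fail("request for an unmapped path must not succeed");
        } catch (FileNotFoundException expected) {
            // HttpURLConnection reports a 404 as FileNotFoundException; this is the outcome under test
        }
        // proxy
        String body = IOUtils.toString(new URL("https://localhost:" + port + "/index.html?redir").toURI(), "utf-8");
        assertEquals("it <b>works</b> !!", body);
    }
}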

Example 5 with SSLCertificateConfiguration

use of org.carapaceproxy.server.config.SSLCertificateConfiguration in project carapaceproxy by diennea.

the class RawClientTest method testClosedProxy.

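/**
 * Checks that the proxy is not an open proxy: a request line carrying an absolute URL for a foreign
 * host ({@code yahoo.com}) is still routed to the configured backend, exactly like the same path
 * requested in origin form, for several path/query shapes and for both plain and TLS listeners.
 *
 * @param scheme {@code "http"} or {@code "https"}, supplied by the parameter runner
 * @throws Exception on any setup or I/O failure; the test fails
 */
@Test
@Parameters({ "http", "https" })
public void testClosedProxy(String scheme) throws Exception {
    TestUtils.deployResource("localhost.p12", tmpDir.getRoot());
    // Proxy requests have to use "localhost:port" as endpoint instead of the one in the url (ex yahoo.com)
    // in order to avoid open proxy vulnerability
    TestEndpointMapper mapper = new TestEndpointMapper("localhost", wireMockRule.port(), true);
    boolean tls = scheme.equals("https");
    try (HttpProxyServer server = new HttpProxyServer(mapper, tmpDir.getRoot())) {
        server.addCertificate(new SSLCertificateConfiguration("localhost", "localhost.p12", "testproxy", STATIC));
        server.addListener(new NetworkListenerConfiguration("localhost", 0, tls, false, null, "localhost", null, null));
        server.start();
        int port = server.getLocalPort();
        try (RawHttpClient client = new RawHttpClient("localhost", port, tls)) {
            stubFor(get("/index.html?p1=v1&p2=https://localhost/index.html?p=1").withQueryParams(Map.of("p1", equalTo("v1"), "p2", equalTo("https://localhost/index.html?p=1"))).willReturn(aResponse().withStatus(200).withHeader("Content-Type", "text/html").withHeader("Content-Length", "it <b>works</b> !!".length() + "").withBody("it <b>works</b> !!")));
            assertProxiedToBackend(client, scheme, "/index.html?p1=v1&p2=https://localhost/index.html?p=1");
            stubFor(get("/index.html").willReturn(aResponse().withStatus(200).withHeader("Content-Type", "text/html").withHeader("Content-Length", "it <b>works</b> !!".length() + "").withBody("it <b>works</b> !!")));
            assertProxiedToBackend(client, scheme, "/index.html");
            stubFor(get("/?p1=v1&p2=https://localhost/index.html?p=1").withQueryParams(Map.of("p1", equalTo("v1"), "p2", equalTo("https://localhost/index.html?p=1"))).willReturn(aResponse().withStatus(200).withHeader("Content-Type", "text/html").withHeader("Content-Length", "it <b>works</b> !!".length() + "").withBody("it <b>works</b> !!")));
            assertProxiedToBackend(client, scheme, "/?p1=v1&p2=https://localhost/index.html?p=1");
            // query string directly after the host, with no path component
            assertProxiedToBackend(client, scheme, "?p1=v1&p2=https://localhost/index.html?p=1");
            stubFor(get("/").willReturn(aResponse().withStatus(200).withHeader("Content-Type", "text/html").withHeader("Content-Length", "it <b>works</b> !!".length() + "").withBody("it <b>works</b> !!")));
            assertProxiedToBackend(client, scheme, "/");
            // bare host with neither path nor query: only the absolute form is meaningful
            String bare = client.executeRequest("GET " + scheme + "://yahoo.com HTTP/1.1 \r\nHost: localhost\r\n\r\n").getBodyString();
            assertEquals("it <b>works</b> !!", bare);
        }
    }
}

/**
 * Requests {@code pathAndQuery} twice through an already connected client — once as an absolute
 * URL naming a foreign host on the request line, once in plain origin form — and asserts that both
 * answers carry the stubbed backend body.
 *
 * @param client       connected raw client pointed at the proxy listener
 * @param scheme       scheme to put in the absolute request-line URL
 * @param pathAndQuery path (and optional query) appended to {@code yahoo.com} and used as-is for the origin-form request
 * @throws Exception if either request fails
 */
private static void assertProxiedToBackend(RawHttpClient client, String scheme, String pathAndQuery) throws Exception {
    String viaAbsoluteUrl = client.executeRequest("GET " + scheme + "://yahoo.com" + pathAndQuery + " HTTP/1.1 \r\nHost: localhost\r\n\r\n").getBodyString();
    assertEquals("it <b>works</b> !!", viaAbsoluteUrl);
    String viaOriginForm = client.get(pathAndQuery).getBodyString();
    assertEquals("it <b>works</b> !!", viaOriginForm);
}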
