From a9a9e1cb62123475edd733a53ecc00611c2aa764 Mon Sep 17 00:00:00 2001
From: Christof Rabensteiner
Date: Thu, 27 Jun 2019 17:39:24 +0200
Subject: Honor & Test TrustAll and LaxHostNameVerification
- Print a big scary warning message for everyone who enables "trustAll"
- Test TrustAll and LaxHostNameVerification
- Describe test case requirements and add key material needed to run these test cases.
---
src/test/java/at/gv/egiz/moazs/MsgClientTest.java | 103 ++++++++++++++++++----
1 file changed, 84 insertions(+), 19 deletions(-)
(limited to 'src/test/java/at/gv')
diff --git a/src/test/java/at/gv/egiz/moazs/MsgClientTest.java b/src/test/java/at/gv/egiz/moazs/MsgClientTest.java
index 7c9bf7d..bd68d9d 100644
--- a/src/test/java/at/gv/egiz/moazs/MsgClientTest.java
+++ b/src/test/java/at/gv/egiz/moazs/MsgClientTest.java
@@ -4,9 +4,9 @@ import at.gv.egiz.moazs.msg.MsgClientFactory;
 import at.gv.egiz.moazs.msg.StoreSOAPBodyBinaryInRepositoryInterceptor;
 import at.gv.egiz.moazs.scheme.Marshaller;
 import at.gv.zustellung.app2mzs.xsd.ClientType;
+import at.gv.zustellung.app2mzs.xsd.KeyStoreType;
 import at.gv.zustellung.msg.xsd.DeliveryRequestType;
 import at.gv.zustellung.msg.xsd.ObjectFactory;
-import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -20,6 +20,7 @@ import java.io.FileInputStream;
 import java.io.IOException;
 import java.math.BigInteger;
+import static at.gv.zustellung.app2mzs.xsd.ClientType.clientTypeBuilder;
 import static at.gv.zustellung.app2mzs.xsd.KeyStoreType.keyStoreTypeBuilder;
 import static at.gv.zustellung.app2mzs.xsd.SSLType.SSLTypeBuilder;
@@ -43,14 +44,19 @@ public class MsgClientTest { private static final ObjectFactory OF = new ObjectFactory(); - // this test requires that a zusemsg service runs under httpServiceUri! // tmp disabled. todo: set up integration tests + + // Requirements: + // - run zusemsg service under httpServiceURL // @Test public void sendValidMessage() throws IOException { var request = loadFromFile("validDeliveryRequest.xml"); - var httpServiceUri = "http://localhost:8081/services/DeliveryRequest"; - var clientParams = generateClientParams(httpServiceUri); + var httpServiceURL = "http://localhost:8081/services/DeliveryRequest"; + var clientParams = clientTypeBuilder() + .withURL(httpServiceURL) + .build(); + var client = factory.create(clientParams); try{ 
@@ -61,20 +67,79 @@ public class MsgClientTest { } } + // Requirements: + // - run zusemsg service under httpsServiceURL + // - server trusts client cert (by trusting CA bundle in ssl/trusted-cas-bundle.pem) + // - server uses the server certificate in ssl/server/server.localhost.*.pem + // - server sends certificate chain ssl/server/ca-chain.cert.pem + //@Test + public void sendOverSSLWithClientAuthentication() throws IOException { + + var request = loadFromFile("validDeliveryRequest.xml"); + var httpsServiceURL = "https://localhost/zusemsg/services/DeliveryRequest"; + + var clientParams = generateSSLClientParams(httpsServiceURL, false, false); + var client = factory.create(clientParams); + + var status = client.delivery(request); + log.info("status: " + msgMarshaller.marshallXml(OF.createDeliveryRequestStatus(status))); + } + + // Requirements: + // - run zusemsg service under httpsServiceURL + // - server trusts client cert (by trusting CA bundle in ssl/trusted-cas-bundle.pem) + // - server uses the server certificate in ssl/server/server.localhost.*.pem + // - server sends certificate chain ssl/server/ca-chain.cert.pem //@Test - public void sendValidMessageSSL() throws IOException { + public void sendOverSSLWithTrustAll() throws IOException { var request = loadFromFile("validDeliveryRequest.xml"); var sslServiceUri = "https://localhost/zusemsg/services/DeliveryRequest"; - var clientParams = generateSSLClientParams(sslServiceUri); + + var clientParams = generateSSLClientParams(sslServiceUri, true, false); + var client = factory.create(clientParams); + + var status = client.delivery(request); + log.info("status: " + msgMarshaller.marshallXml(OF.createDeliveryRequestStatus(status))); + } + + // Requirements: + // - run zusemsg service under httpsServiceURL (e.g. 
by adding notlocalhost to /etc/hosts) + // - server trusts client cert (by trusting CA bundle in ssl/trusted-cas-bundle.pem) + // - server uses the server certificate in ssl/server/server.localhost.*.pem + // - server sends certificate chain ssl/server/ca-chain.cert.pem + //@Test + public void sendOverSSLWithLaxHostnameVerification() throws IOException { + + var request = loadFromFile("validDeliveryRequest.xml"); + var sslServiceUri = "https://notlocalhost/zusemsg/services/DeliveryRequest"; + + var clientParams = generateSSLClientParams(sslServiceUri, false, true); var client = factory.create(clientParams); var status = client.delivery(request); log.info("status: " + msgMarshaller.marshallXml(OF.createDeliveryRequestStatus(status))); + } + + //Requirements: + // - run zusemsg service under httpsServiceURL (e.g. by adding notlocalhost to /etc/hosts) + // - server trusts client cert (by trusting CA bundle in ssl/trusted-cas-bundle.pem) + // - server uses the server certificate in ssl/server/server.localhost.*.pem + // - server sends certificate chain ssl/server/ca-chain.cert.pem + //@Test(expected=SOAPFaultException.class) + public void rejectBecauseHostNameVerificationFails() throws IOException { + + var request = loadFromFile("validDeliveryRequest.xml"); + var sslServiceUri = "https://notlocalhost/zusemsg/services/DeliveryRequest"; + var clientParams = generateSSLClientParams(sslServiceUri, false, false); + var client = factory.create(clientParams); + + var status = client.delivery(request); + log.info("status: " + msgMarshaller.marshallXml(OF.createDeliveryRequestStatus(status))); } - private ClientType generateSSLClientParams(String sslServiceUri) { + private ClientType generateSSLClientParams(String sslServiceUri, boolean trustAll, boolean laxHostNameVerification) { var keystore = keyStoreTypeBuilder() .withFileName("ssl/client.cert.key.p12") 
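Review bot: `rejectBecauseHostNameVerificationFails` is the only negative check in this hunk, yet its (commented-out) `@Test(expected=SOAPFaultException.class)` would accept any SOAP fault — a server-side error or a rejected client certificate included — so a passing run would not show that the hostname mismatch is what stopped the connection; catch the exception and assert that its root cause is an `SSLException` (hostname-verification failures typically surface as `SSLPeerUnverifiedException`/`SSLHandshakeException`) before counting it as a pass, and note that `SOAPFaultException` is not imported in either import hunk, so the annotation will not compile once uncommented. `sendOverSSLWithTrustAll` targets the same `server.localhost` certificate that `truststore.jks` already trusts (per the requirement comments), so it passes with `trustAll=false` too and does not demonstrate that the flag is honoured; run it against a certificate outside the trust store, ideally paired with a `trustAll=false` run against that certificate that is expected to fail. All four methods remain `//@Test`, so nothing here is exercised by the build; gating on a property (`Assume.assumeTrue(Boolean.getBoolean("moazs.integration"));`) would keep them compiled and runnable without editing source. `generateSSLClientParams` continues past the end of the hunk.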
@@ -82,20 +147,16 @@ public class MsgClientTest { .withPassword("123456") .build(); - var truststore = keyStoreTypeBuilder() - .withFileName("ssl/truststore.jks") - .withPassword("123456") - .withFileType("JKS") - .build(); + var truststore = trustAll ? null : generateTrustLocalhostStore(); var sslParams = SSLTypeBuilder() - .withLaxHostNameVerification(false) - .withTrustAll(false) + .withLaxHostNameVerification(laxHostNameVerification) + .withTrustAll(trustAll) .withKeyStore(keystore) .withTrustStore(truststore) .build(); - return ClientType.clientTypeBuilder() + return clientTypeBuilder() .withURL(sslServiceUri) .withSSL(sslParams) .withReceiveTimeout(BigInteger.ZERO) @@ -104,6 +165,14 @@ public class MsgClientTest { } + private KeyStoreType generateTrustLocalhostStore() { + return keyStoreTypeBuilder() + .withFileName("ssl/truststore.jks") + .withPassword("123456") + .withFileType("JKS") + .build(); + } + private DeliveryRequestType loadFromFile(String fileName) throws IOException { try (var inputStream = new BufferedInputStream(new FileInputStream(basePath + fileName))) { var request = (JAXBElement) msgMarshaller.unmarshallXml(inputStream); @@ -111,8 +180,4 @@ public class MsgClientTest { } } - private ClientType generateClientParams(String url) { - return ClientType.clientTypeBuilder().withURL(url).build(); - } - } -- cgit v1.2.3
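Review bot: `var truststore = trustAll ? null : generateTrustLocalhostStore();` silently couples two settings — enabling `trustAll` also removes the trust store — and the helper does not say why; whether `MsgClientFactory` treats a null trust store as "JVM default cacerts" or as a configuration error is not visible in this diff, and that distinction decides whether a run that ignored `trustAll` would fail loudly (local CA absent from cacerts) or pass by accident. Add a Javadoc on `generateSSLClientParams` along the lines of `/** trustAll: no trust store is configured on purpose, so only the TrustAll flag can make the handshake succeed; laxHostNameVerification: accept a server name that does not match the certificate. */` so the intent of the null is explicit. The method's head is in the previous hunk.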
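Review bot: `generateTrustLocalhostStore` promises a store that trusts only the local test server, but nothing in the hunk shows what `ssl/truststore.jks` contains, and the requirement comments elsewhere reference `ssl/server/ca-chain.cert.pem` rather than this JKS file. Document the expected contents on the helper — e.g. `// truststore.jks must hold only the CA chain that issued ssl/server/server.localhost.*.pem (presumably ssl/server/ca-chain.cert.pem) — confirm` — so the positive and negative SSL tests stay meaningful if the key material is regenerated.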