Use temporary self signed certificates for JSON-RPC HTTP TLS unit testing #311
Conversation
-- Generate self signed certificates in PKCS12 format with SAN extensions for testing -- Remove pre-generated key stores and trust stores used by TLS tests Signed-off-by: Usman Saleem <usman@usmans.info>
Signed-off-by: Usman Saleem <usman@usmans.info>
Signed-off-by: Usman Saleem <usman@usmans.info>
Signed-off-by: Usman Saleem <usman@usmans.info>
usmansaleem
changed the title
Signed-off-by: Usman Saleem <usman@usmans.info>
-- required by Tuweni TLS Signed-off-by: Usman Saleem <usman@usmans.info>
...reum/api/src/test-support/java/org/hyperledger/besu/ethereum/api/tls/SelfSignedPfxStore.java
Outdated
Show resolved
Hide resolved
...reum/api/src/test-support/java/org/hyperledger/besu/ethereum/api/tls/SelfSignedPfxStore.java
Outdated
Show resolved
Hide resolved
...reum/api/src/test-support/java/org/hyperledger/besu/ethereum/api/tls/SelfSignedPfxStore.java
Outdated
Show resolved
Hide resolved
...reum/api/src/test-support/java/org/hyperledger/besu/ethereum/api/tls/SelfSignedPfxStore.java
Outdated
Show resolved
Hide resolved
...reum/api/src/test-support/java/org/hyperledger/besu/ethereum/api/tls/SelfSignedPfxStore.java
Outdated
Show resolved
Hide resolved
Signed-off-by: Usman Saleem <usman@usmans.info>
…Jar needs to be exported. Signed-off-by: Usman Saleem <usman@usmans.info>
Signed-off-by: Usman Saleem <usman@usmans.info>
Signed-off-by: Usman Saleem <usman@usmans.info>
|
|
||
| @Before | ||
| public void initServer() throws Exception { | ||
| selfSignedPfxStore = SelfSignedPfxStore.create(); | ||
| selfSignedPfxStoreForHttpClient = SelfSignedPfxStore.create(); | ||
| selfSignedPfxStoreForHttpClientNotTrustedByServer = SelfSignedPfxStore.create(); |
There was a problem hiding this comment.
This seems odd, the same method of creation gives a PfxStore, PfxStoreForHttpClient and PfxStoreForHttpClientNotTrustedByServer.
If there are three different stores, then perhaps separate helper methods to create each of them and their corresponding state (e.g. that makes one trusted and another not trusted), might be an idea?
There was a problem hiding this comment.
The utility class generate both keystore and truststore containing self-sligned certificate. The keystore is used by server/json-rpc and truststore is used by okhttp/client vice-versa is also applicable for testing client-auth. The keystore used by okhttp client, its truststore is used by server. Hence there is a need of having three different instances of self-signed certs. I can wrap them in a method for the sake of reaability, but all it will do is return instances which will again store in three different variables.
...ava/org/hyperledger/besu/ethereum/api/jsonrpc/JsonRpcHttpServiceTlsMisconfigurationTest.java
Outdated
Show resolved
Hide resolved
ethereum/api/src/test-support/java/org/hyperledger/besu/ethereum/api/tls/TrustStoreUtil.java
Outdated
Show resolved
Hide resolved
Signed-off-by: Usman Saleem <usman@usmans.info>
@CjHare The test code (and the unit under testing) which required self signed certificates was in ethereum/api. I don't mind moving it under crypto/testSupport (I think it make more sense there) |
-- Renaming class to clear intent -- Introducing builder in TlsHttpClient test utility -- cleaning unit tests Signed-off-by: Usman Saleem <usman@usmans.info>
Signed-off-by: Usman Saleem <usman@usmans.info>
…r to construct OkHttpClient Signed-off-by: Usman Saleem <usman@usmans.info>
Signed-off-by: Usman Saleem <usman@usmans.info>
| final String fingerprint = TLS.certificateHexFingerprint(certificate); | ||
| final String commonName = extractCommonName(certificate); | ||
| final String knownClientsLine = String.format("%s %s", commonName, fingerprint); | ||
| final Path temporaryKnownClientsFile = Files.createTempFile("testKnownClients", ".txt"); |
There was a problem hiding this comment.
nit: I'd remove "test" - you never know if someone wants to make this a general capability in an app/library.
Having said that - having this create a tempFile, when you don't know the use of this function is kinda dangerous.
But am wondering if these two functions should effeictvely exist on the SelfSignedP12Certificate - such taht someone can say:
cert.getFingerPrint();
cert.getCommonName();
writeFile(fingerprint, commonName)
...pi/src/test-support/java/org/hyperledger/besu/ethereum/api/tls/SelfSignedP12Certificate.java
Show resolved
Hide resolved
...pi/src/test-support/java/org/hyperledger/besu/ethereum/api/tls/SelfSignedP12Certificate.java
Outdated
Show resolved
Hide resolved
| private static final NatService natService = new NatService(Optional.empty()); | ||
|
|
||
| private final SelfSignedP12Certificate besuCertificate = SelfSignedP12Certificate.create(); |
There was a problem hiding this comment.
nit: is besuCertificate correct here, or is this the certificate presented by the client?
There was a problem hiding this comment.
besuCertificate contains certificate keystore used by Besu. It also exposes trustStore that can be used by OkHttp client library to trust Besu.
| import okhttp3.OkHttpClient; | ||
|
|
||
| public final class TlsOkHttpClientBuilder { | ||
| private SelfSignedP12Certificate besuCertificate; |
There was a problem hiding this comment.
whats the difference between the besuCertificate and the okHttpCertificate?
There was a problem hiding this comment.
In case of this builder class, we need to trust Besu certificate, okhttpcertificate is optional and required if besu enables client-auth ... OkHttpClient set its keystore exposed by okhttpcertificate.
Signed-off-by: Usman Saleem <usman@usmans.info>
PR description
-- Generate and use temporary self signed certificates in PKCS12 format with SAN extensions for dns and IP to be used by TLS unit/integration tests
-- Remove pre-generated key stores and trust stores used by TLS tests
Signed-off-by: Usman Saleem usman@usmans.info