#9397 add trust store config to H3

Signed-off-by: Ludovic Orban <lorban@bitronix.be>
This commit is contained in:
Ludovic Orban 2023-05-16 15:49:21 +02:00
parent e30b23aca6
commit 871022f3b0
20 changed files with 274 additions and 115 deletions

View File

@ -13,8 +13,10 @@
package org.eclipse.jetty.http3.tests;
import java.io.InputStream;
import java.lang.management.ManagementFactory;
import java.net.InetSocketAddress;
import java.security.KeyStore;
import java.util.concurrent.TimeUnit;
import javax.management.MBeanServer;
@ -35,15 +37,21 @@ import org.eclipse.jetty.jmx.MBeanContainer;
import org.eclipse.jetty.server.ConnectionFactory;
import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.toolchain.test.jupiter.WorkDir;
import org.eclipse.jetty.toolchain.test.jupiter.WorkDirExtension;
import org.eclipse.jetty.util.component.LifeCycle;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.eclipse.jetty.util.thread.QueuedThreadPool;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.extension.BeforeTestExecutionCallback;
import org.junit.jupiter.api.extension.ExtendWith;
import org.junit.jupiter.api.extension.RegisterExtension;
@ExtendWith(WorkDirExtension.class)
public class AbstractClientServerTest
{
public WorkDir workDir;
@RegisterExtension
final BeforeTestExecutionCallback printMethodName = context ->
System.err.printf("Running %s.%s() %s%n", context.getRequiredTestClass().getSimpleName(), context.getRequiredTestMethod().getName(), context.getDisplayName());
@ -81,6 +89,7 @@ public class AbstractClientServerTest
serverThreads.setName("server");
server = new Server(serverThreads);
connector = new HTTP3ServerConnector(server, sslContextFactory, serverConnectionFactory);
connector.getQuicConfiguration().setPemWorkDirectory(workDir.getEmptyPathDir());
server.addConnector(connector);
MBeanContainer mbeanContainer = new MBeanContainer(ManagementFactory.getPlatformMBeanServer());
server.addBean(mbeanContainer);
@ -88,8 +97,16 @@ public class AbstractClientServerTest
protected void startClient() throws Exception
{
KeyStore trustStore = KeyStore.getInstance("PKCS12");
try (InputStream is = getClass().getResourceAsStream("/keystore.p12"))
{
trustStore.load(is, "storepwd".toCharArray());
}
http3Client = new HTTP3Client();
http3Client.getQuicConfiguration().setVerifyPeerCertificates(false);
SslContextFactory.Client clientSslContextFactory = new SslContextFactory.Client();
clientSslContextFactory.setTrustStore(trustStore);
http3Client.getClientConnector().setSslContextFactory(clientSslContextFactory);
httpClient = new HttpClient(new HttpClientTransportDynamic(new ClientConnectionFactoryOverHTTP3.HTTP3(http3Client)));
QueuedThreadPool clientThreads = new QueuedThreadPool();
clientThreads.setName("client");

View File

@ -373,6 +373,7 @@ public class ClientConnector extends ContainerLifeCycle
selectorManager = newSelectorManager();
selectorManager.setConnectTimeout(getConnectTimeout().toMillis());
addBean(selectorManager);
configurator.addBean(this);
super.doStart();
}
@ -381,6 +382,7 @@ public class ClientConnector extends ContainerLifeCycle
{
super.doStop();
removeBean(selectorManager);
configurator.removeBean(this);
}
protected SslContextFactory.Client newSslContextFactory()
@ -588,7 +590,7 @@ public class ClientConnector extends ContainerLifeCycle
/**
* <p>Configures a {@link ClientConnector}.</p>
*/
public static class Configurator
public static class Configurator extends ContainerLifeCycle
{
/**
* <p>Returns whether the connection to a given {@link SocketAddress} is intrinsically secure.</p>

View File

@ -18,6 +18,7 @@ import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.net.SocketTimeoutException;
import java.nio.ByteBuffer;
import java.nio.file.Path;
import java.util.Collection;
import java.util.List;
import java.util.Map;
@ -80,7 +81,10 @@ public class ClientQuicConnection extends QuicConnection
QuicheConfig quicheConfig = new QuicheConfig();
quicheConfig.setApplicationProtos(protocols.toArray(String[]::new));
quicheConfig.setDisableActiveMigration(quicConfiguration.isDisableActiveMigration());
quicheConfig.setVerifyPeer(quicConfiguration.isVerifyPeerCertificates());
quicheConfig.setVerifyPeer(!connector.getSslContextFactory().isTrustAll());
Path trustStorePath = (Path)quicConfiguration.getImplementationSpecifixContext().get(QuicClientConnectorConfigurator.TRUSTSTORE_PATH_KEY);
if (trustStorePath != null)
quicheConfig.setTrustedCertsPemPath(trustStorePath.toString());
// Idle timeouts must not be managed by Quiche.
quicheConfig.setMaxIdleTimeout(0L);
quicheConfig.setInitialMaxData((long)quicConfiguration.getSessionRecvWindow());
@ -147,6 +151,13 @@ public class ClientQuicConnection extends QuicConnection
return null;
}
@Override
protected void onFailure(Throwable failure)
{
pendingSessions.values().forEach(session -> outwardClose(session, failure));
super.onFailure(failure);
}
@Override
public boolean onIdleExpired()
{

View File

@ -19,6 +19,8 @@ import java.nio.channels.DatagramChannel;
import java.nio.channels.SelectableChannel;
import java.nio.channels.SelectionKey;
import java.nio.channels.SocketChannel;
import java.nio.file.Path;
import java.security.KeyStore;
import java.util.Map;
import java.util.Objects;
import java.util.function.UnaryOperator;
@ -30,6 +32,8 @@ import org.eclipse.jetty.io.EndPoint;
import org.eclipse.jetty.io.ManagedSelector;
import org.eclipse.jetty.io.SocketChannelEndPoint;
import org.eclipse.jetty.quic.common.QuicConfiguration;
import org.eclipse.jetty.quic.quiche.PemExporter;
import org.eclipse.jetty.util.ssl.SslContextFactory;
/**
* <p>A QUIC specific {@link ClientConnector.Configurator}.</p>
@ -41,6 +45,8 @@ import org.eclipse.jetty.quic.common.QuicConfiguration;
*/
public class QuicClientConnectorConfigurator extends ClientConnector.Configurator
{
static final String TRUSTSTORE_PATH_KEY = QuicClientConnectorConfigurator.class.getName() + ".trustStorePath";
private final QuicConfiguration configuration = new QuicConfiguration();
private final UnaryOperator<Connection> configurator;
@ -56,7 +62,6 @@ public class QuicClientConnectorConfigurator extends ClientConnector.Configurato
configuration.setSessionRecvWindow(16 * 1024 * 1024);
configuration.setBidirectionalStreamRecvWindow(8 * 1024 * 1024);
configuration.setDisableActiveMigration(true);
configuration.setVerifyPeerCertificates(true);
}
public QuicConfiguration getQuicConfiguration()
@ -64,6 +69,19 @@ public class QuicClientConnectorConfigurator extends ClientConnector.Configurato
return configuration;
}
@Override
protected void doStart() throws Exception
{
ClientConnector clientConnector = getBean(ClientConnector.class);
SslContextFactory.Client sslContextFactory = clientConnector.getSslContextFactory();
KeyStore trustStore = sslContextFactory.getTrustStore();
if (trustStore != null)
{
Path trustStorePath = PemExporter.exportTrustStore(trustStore, Path.of(System.getProperty("java.io.tmpdir")));
configuration.getImplementationSpecifixContext().put(TRUSTSTORE_PATH_KEY, trustStorePath);
}
}
@Override
public boolean isIntrinsicallySecure(ClientConnector clientConnector, SocketAddress address)
{
@ -74,6 +92,7 @@ public class QuicClientConnectorConfigurator extends ClientConnector.Configurato
public ChannelWithAddress newChannelWithAddress(ClientConnector clientConnector, SocketAddress address, Map<String, Object> context) throws IOException
{
context.put(QuicConfiguration.CONTEXT_KEY, configuration);
DatagramChannel channel = DatagramChannel.open();
if (clientConnector.getBindAddress() == null)
{

View File

@ -14,7 +14,9 @@
package org.eclipse.jetty.quic.client;
import java.io.IOException;
import java.io.InputStream;
import java.io.PrintWriter;
import java.security.KeyStore;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.TimeUnit;
import javax.servlet.http.HttpServletRequest;
@ -36,18 +38,24 @@ import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.AbstractHandler;
import org.eclipse.jetty.toolchain.test.jupiter.WorkDir;
import org.eclipse.jetty.toolchain.test.jupiter.WorkDirExtension;
import org.eclipse.jetty.util.component.LifeCycle;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Tag;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.core.Is.is;
@ExtendWith(WorkDirExtension.class)
public class End2EndClientTest
{
public WorkDir workDir;
private Server server;
private QuicServerConnector connector;
private HttpClient client;
@ -61,8 +69,14 @@ public class End2EndClientTest
@BeforeEach
public void setUp() throws Exception
{
KeyStore keyStore = KeyStore.getInstance("PKCS12");
try (InputStream is = getClass().getResourceAsStream("/keystore.p12"))
{
keyStore.load(is, "storepwd".toCharArray());
}
SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
sslContextFactory.setKeyStorePath("src/test/resources/keystore.p12");
sslContextFactory.setKeyStore(keyStore);
sslContextFactory.setKeyStorePassword("storepwd");
server = new Server();
@ -71,6 +85,7 @@ public class End2EndClientTest
HttpConnectionFactory http1 = new HttpConnectionFactory(httpConfiguration);
HTTP2ServerConnectionFactory http2 = new HTTP2ServerConnectionFactory(httpConfiguration);
connector = new QuicServerConnector(server, sslContextFactory, http1, http2);
connector.getQuicConfiguration().setPemWorkDirectory(workDir.getEmptyPathDir());
server.addConnector(connector);
server.setHandler(new AbstractHandler()
@ -86,11 +101,13 @@ public class End2EndClientTest
server.start();
ClientConnector clientConnector = new ClientConnector(new QuicClientConnectorConfigurator());
SslContextFactory.Client clientSslContextFactory = new SslContextFactory.Client();
clientSslContextFactory.setTrustStore(keyStore);
clientConnector.setSslContextFactory(clientSslContextFactory);
ClientConnectionFactory.Info http1Info = HttpClientConnectionFactory.HTTP11;
ClientConnectionFactoryOverHTTP2.HTTP2 http2Info = new ClientConnectionFactoryOverHTTP2.HTTP2(new HTTP2Client());
QuicClientConnectorConfigurator configurator = new QuicClientConnectorConfigurator();
configurator.getQuicConfiguration().setVerifyPeerCertificates(false);
HttpClientTransportDynamic transport = new HttpClientTransportDynamic(new ClientConnector(configurator), http1Info, http2Info);
ClientConnectionFactoryOverHTTP2.HTTP2 http2Info = new ClientConnectionFactoryOverHTTP2.HTTP2(new HTTP2Client(clientConnector));
HttpClientTransportDynamic transport = new HttpClientTransportDynamic(clientConnector, http1Info, http2Info);
client = new HttpClient(transport);
client.start();
}

View File

@ -13,7 +13,10 @@
package org.eclipse.jetty.quic.common;
import java.nio.file.Path;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
/**
* <p>A record that captures QUIC configuration parameters.</p>
@ -24,12 +27,13 @@ public class QuicConfiguration
private List<String> protocols = List.of();
private boolean disableActiveMigration;
private boolean verifyPeerCertificates;
private int maxBidirectionalRemoteStreams;
private int maxUnidirectionalRemoteStreams;
private int sessionRecvWindow;
private int bidirectionalStreamRecvWindow;
private int unidirectionalStreamRecvWindow;
private Path pemWorkDirectory;
private final Map<String, Object> implementationSpecifixContext = new HashMap<>();
public List<String> getProtocols()
{
@ -51,16 +55,6 @@ public class QuicConfiguration
this.disableActiveMigration = disableActiveMigration;
}
public boolean isVerifyPeerCertificates()
{
return verifyPeerCertificates;
}
public void setVerifyPeerCertificates(boolean verifyPeerCertificates)
{
this.verifyPeerCertificates = verifyPeerCertificates;
}
public int getMaxBidirectionalRemoteStreams()
{
return maxBidirectionalRemoteStreams;
@ -110,4 +104,19 @@ public class QuicConfiguration
{
this.unidirectionalStreamRecvWindow = unidirectionalStreamRecvWindow;
}
public Path getPemWorkDirectory()
{
return pemWorkDirectory;
}
public void setPemWorkDirectory(Path pemWorkDirectory)
{
this.pemWorkDirectory = pemWorkDirectory;
}
public Map<String, Object> getImplementationSpecifixContext()
{
return implementationSpecifixContext;
}
}

View File

@ -14,7 +14,6 @@
package org.eclipse.jetty.quic.quiche;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
@ -22,56 +21,62 @@ import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.util.Base64;
import java.util.Enumeration;
import java.util.Set;
import org.eclipse.jetty.util.resource.Resource;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
public class SSLKeyPair
public class PemExporter
{
private static final Logger LOG = LoggerFactory.getLogger(SSLKeyPair.class);
private static final Logger LOG = LoggerFactory.getLogger(PemExporter.class);
private static final byte[] BEGIN_KEY = "-----BEGIN PRIVATE KEY-----".getBytes(StandardCharsets.US_ASCII);
private static final byte[] END_KEY = "-----END PRIVATE KEY-----".getBytes(StandardCharsets.US_ASCII);
private static final byte[] BEGIN_CERT = "-----BEGIN CERTIFICATE-----".getBytes(StandardCharsets.US_ASCII);
private static final byte[] END_CERT = "-----END CERTIFICATE-----".getBytes(StandardCharsets.US_ASCII);
private static final byte[] LINE_SEPARATOR = System.getProperty("line.separator").getBytes(StandardCharsets.US_ASCII);
private static final int LINE_LENGTH = 64;
private static final Base64.Encoder ENCODER = Base64.getMimeEncoder(64, LINE_SEPARATOR);
private final Base64.Encoder encoder = Base64.getMimeEncoder(LINE_LENGTH, LINE_SEPARATOR);
private final Key key;
private final Certificate[] certChain;
private final String alias;
public SSLKeyPair(KeyStore keyStore, String alias, char[] keyPassword) throws KeyStoreException, UnrecoverableKeyException, NoSuchAlgorithmException
private PemExporter()
{
this.alias = alias;
this.key = keyStore.getKey(alias, keyPassword);
this.certChain = keyStore.getCertificateChain(alias);
}
public static Path exportTrustStore(KeyStore keyStore, Path targetFolder) throws Exception
{
if (!Files.isDirectory(targetFolder))
throw new IllegalArgumentException("Target folder is not a directory: " + targetFolder);
Path path = Files.createTempFile(targetFolder, "truststore-", ".crt");
try (OutputStream os = Files.newOutputStream(path))
{
Enumeration<String> aliases = keyStore.aliases();
while (aliases.hasMoreElements())
{
String alias = aliases.nextElement();
Certificate cert = keyStore.getCertificate(alias);
writeAsPEM(os, cert);
}
}
return path;
}
/**
* @return [0] is the key file, [1] is the cert file.
*/
public Path[] export(Path targetFolder) throws Exception
public static Path[] exportKeyPair(KeyStore keyStore, String alias, char[] keyPassword, Path targetFolder) throws Exception
{
if (!Files.isDirectory(targetFolder))
throw new IllegalArgumentException("Target folder is not a directory: " + targetFolder);
Path[] paths = new Path[2];
paths[0] = targetFolder.resolve(alias + ".key");
paths[1] = targetFolder.resolve(alias + ".crt");
try (OutputStream os = Files.newOutputStream(paths[1]))
{
Certificate[] certChain = keyStore.getCertificateChain(alias);
for (Certificate cert : certChain)
writeAsPEM(os, cert);
Files.setPosixFilePermissions(paths[1], Set.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE));
@ -82,8 +87,10 @@ public class SSLKeyPair
if (LOG.isDebugEnabled())
LOG.debug("Unable to set Posix file permissions", e);
}
paths[0] = targetFolder.resolve(alias + ".key");
try (OutputStream os = Files.newOutputStream(paths[0]))
{
Key key = keyStore.getKey(alias, keyPassword);
writeAsPEM(os, key);
Files.setPosixFilePermissions(paths[0], Set.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE));
}
@ -93,13 +100,12 @@ public class SSLKeyPair
if (LOG.isDebugEnabled())
LOG.debug("Unable to set Posix file permissions", e);
}
return paths;
}
private void writeAsPEM(OutputStream outputStream, Key key) throws IOException
private static void writeAsPEM(OutputStream outputStream, Key key) throws IOException
{
byte[] encoded = encoder.encode(key.getEncoded());
byte[] encoded = ENCODER.encode(key.getEncoded());
outputStream.write(BEGIN_KEY);
outputStream.write(LINE_SEPARATOR);
outputStream.write(encoded);
@ -108,9 +114,9 @@ public class SSLKeyPair
outputStream.write(LINE_SEPARATOR);
}
private void writeAsPEM(OutputStream outputStream, Certificate certificate) throws CertificateEncodingException, IOException
private static void writeAsPEM(OutputStream outputStream, Certificate certificate) throws CertificateEncodingException, IOException
{
byte[] encoded = encoder.encode(certificate.getEncoded());
byte[] encoded = ENCODER.encode(certificate.getEncoded());
outputStream.write(BEGIN_CERT);
outputStream.write(LINE_SEPARATOR);
outputStream.write(encoded);

View File

@ -35,6 +35,7 @@ public class QuicheConfig
private int version = Quiche.QUICHE_PROTOCOL_VERSION;
private Boolean verifyPeer;
private String trustedCertsPemPath;
private String certChainPemPath;
private String privKeyPemPath;
private String[] applicationProtos;
@ -65,6 +66,11 @@ public class QuicheConfig
return verifyPeer;
}
public String getTrustedCertsPemPath()
{
return trustedCertsPemPath;
}
public String getCertChainPemPath()
{
return certChainPemPath;
@ -150,6 +156,11 @@ public class QuicheConfig
this.verifyPeer = verify;
}
public void setTrustedCertsPemPath(String trustedCertsPemPath)
{
this.trustedCertsPemPath = trustedCertsPemPath;
}
public void setCertChainPemPath(String path)
{
this.certChainPemPath = path;

View File

@ -28,6 +28,7 @@ import jdk.incubator.foreign.CLinker;
import jdk.incubator.foreign.MemoryAddress;
import jdk.incubator.foreign.MemorySegment;
import jdk.incubator.foreign.ResourceScope;
import org.eclipse.jetty.quic.quiche.Quiche;
import org.eclipse.jetty.quic.quiche.Quiche.quiche_error;
import org.eclipse.jetty.quic.quiche.QuicheConfig;
import org.eclipse.jetty.quic.quiche.QuicheConnection;
@ -148,7 +149,7 @@ public class ForeignIncubatorQuicheConnection extends QuicheConnection
MemorySegment localSockaddr = sockaddr.convert(local, scope);
MemorySegment peerSockaddr = sockaddr.convert(peer, scope);
MemoryAddress quicheConn = quiche_h.quiche_connect(CLinker.toCString(peer.getHostName(), scope), scid, scid.byteSize(), localSockaddr, localSockaddr.byteSize(), peerSockaddr, peerSockaddr.byteSize(), libQuicheConfig);
MemoryAddress quicheConn = quiche_h.quiche_connect(CLinker.toCString(peer.getHostString(), scope), scid, scid.byteSize(), localSockaddr, localSockaddr.byteSize(), peerSockaddr, peerSockaddr.byteSize(), libQuicheConfig);
ForeignIncubatorQuicheConnection connection = new ForeignIncubatorQuicheConnection(quicheConn, libQuicheConfig, scope);
keepScope = true;
return connection;
@ -170,13 +171,29 @@ public class ForeignIncubatorQuicheConnection extends QuicheConnection
if (verifyPeer != null)
quiche_h.quiche_config_verify_peer(quicheConfig, verifyPeer ? C_TRUE : C_FALSE);
String trustedCertsPemPath = config.getTrustedCertsPemPath();
if (trustedCertsPemPath != null)
{
int rc = quiche_h.quiche_config_load_verify_locations_from_file(quicheConfig, CLinker.toCString(trustedCertsPemPath, scope).address());
if (rc < 0)
throw new IOException("Error loading trusted certificates file " + trustedCertsPemPath + " : " + Quiche.quiche_error.errToString(rc));
}
String certChainPemPath = config.getCertChainPemPath();
if (certChainPemPath != null)
quiche_h.quiche_config_load_cert_chain_from_pem_file(quicheConfig, CLinker.toCString(certChainPemPath, scope).address());
{
int rc = quiche_h.quiche_config_load_cert_chain_from_pem_file(quicheConfig, CLinker.toCString(certChainPemPath, scope).address());
if (rc < 0)
throw new IOException("Error loading certificate chain file " + certChainPemPath + " : " + Quiche.quiche_error.errToString(rc));
}
String privKeyPemPath = config.getPrivKeyPemPath();
if (privKeyPemPath != null)
quiche_h.quiche_config_load_priv_key_from_pem_file(quicheConfig, CLinker.toCString(privKeyPemPath, scope).address());
{
int rc = quiche_h.quiche_config_load_priv_key_from_pem_file(quicheConfig, CLinker.toCString(privKeyPemPath, scope).address());
if (rc < 0)
throw new IOException("Error loading private key file " + privKeyPemPath + " : " + Quiche.quiche_error.errToString(rc));
}
String[] applicationProtos = config.getApplicationProtos();
if (applicationProtos != null)
@ -566,6 +583,9 @@ public class ForeignIncubatorQuicheConnection extends QuicheConnection
received = quiche_h.quiche_conn_recv(quicheConn, bufferSegment.address(), buffer.remaining(), recvInfo.address());
}
}
// If quiche_conn_recv() fails, quiche_conn_local_error() can be called to get the SSL alert; the err_code would contain
// a value from which 100 must be substracted to get one of the codes specified in
// https://datatracker.ietf.org/doc/html/rfc5246#section-7.2 ; see https://github.com/curl/curl/pull/8275 for details.
if (received < 0)
throw new IOException("failed to receive packet; err=" + quiche_error.errToString(received));
buffer.position((int)(buffer.position() + received));

View File

@ -52,6 +52,12 @@ public class quiche_h
FunctionDescriptor.ofVoid(C_POINTER, C_INT)
);
private static final MethodHandle quiche_config_load_verify_locations_from_file$MH = downcallHandle(
"quiche_config_load_verify_locations_from_file",
"(Ljdk/incubator/foreign/MemoryAddress;Ljdk/incubator/foreign/MemoryAddress;)I",
FunctionDescriptor.of(C_INT, C_POINTER, C_POINTER)
);
private static final MethodHandle quiche_config_load_cert_chain_from_pem_file$MH = downcallHandle(
"quiche_config_load_cert_chain_from_pem_file",
"(Ljdk/incubator/foreign/MemoryAddress;Ljdk/incubator/foreign/MemoryAddress;)I",
@ -370,6 +376,18 @@ public class quiche_h
}
}
public static int quiche_config_load_verify_locations_from_file(MemoryAddress config, MemoryAddress path)
{
try
{
return (int) quiche_config_load_verify_locations_from_file$MH.invokeExact(config, path);
}
catch (Throwable ex)
{
throw new AssertionError("should not reach here", ex);
}
}
public static int quiche_config_load_cert_chain_from_pem_file(MemoryAddress config, MemoryAddress path)
{
try

View File

@ -30,7 +30,7 @@ import java.util.Map;
import org.eclipse.jetty.quic.quiche.QuicheConfig;
import org.eclipse.jetty.quic.quiche.QuicheConnection;
import org.eclipse.jetty.quic.quiche.SSLKeyPair;
import org.eclipse.jetty.quic.quiche.PemExporter;
import org.eclipse.jetty.toolchain.test.jupiter.WorkDir;
import org.eclipse.jetty.toolchain.test.jupiter.WorkDirExtension;
import org.junit.jupiter.api.AfterEach;
@ -65,10 +65,18 @@ public class LowLevelQuicheTest
clientSocketAddress = new InetSocketAddress("localhost", 9999);
serverSocketAddress = new InetSocketAddress("localhost", 8888);
KeyStore keyStore = KeyStore.getInstance("PKCS12");
try (InputStream is = getClass().getResourceAsStream("/keystore.p12"))
{
keyStore.load(is, "storepwd".toCharArray());
}
Path targetFolder = workDir.getEmptyPathDir();
clientQuicheConfig = new QuicheConfig();
clientQuicheConfig.setApplicationProtos("http/0.9");
clientQuicheConfig.setDisableActiveMigration(true);
clientQuicheConfig.setVerifyPeer(false);
clientQuicheConfig.setVerifyPeer(true);
clientQuicheConfig.setTrustedCertsPemPath(PemExporter.exportTrustStore(keyStore, targetFolder).toString());
clientQuicheConfig.setMaxIdleTimeout(1_000L);
clientQuicheConfig.setInitialMaxData(10_000_000L);
clientQuicheConfig.setInitialMaxStreamDataBidiLocal(10_000_000L);
@ -78,17 +86,11 @@ public class LowLevelQuicheTest
clientQuicheConfig.setInitialMaxStreamsBidi(100L);
clientQuicheConfig.setCongestionControl(QuicheConfig.CongestionControl.CUBIC);
KeyStore keyStore = KeyStore.getInstance("PKCS12");
try (InputStream is = getClass().getResourceAsStream("/keystore.p12"))
{
keyStore.load(is, "storepwd".toCharArray());
}
serverCertificateChain = keyStore.getCertificateChain("mykey");
SSLKeyPair serverKeyPair = new SSLKeyPair(keyStore, "mykey", "storepwd".toCharArray());
Path[] pemFiles = serverKeyPair.export(workDir.getEmptyPathDir());
serverQuicheConfig = new QuicheConfig();
serverQuicheConfig.setPrivKeyPemPath(pemFiles[0].toString());
serverQuicheConfig.setCertChainPemPath(pemFiles[1].toString());
Path[] keyPair = PemExporter.exportKeyPair(keyStore, "mykey", "storepwd".toCharArray(), targetFolder);
serverQuicheConfig.setPrivKeyPemPath(keyPair[0].toString());
serverQuicheConfig.setCertChainPemPath(keyPair[1].toString());
serverQuicheConfig.setApplicationProtos("http/0.9");
serverQuicheConfig.setVerifyPeer(false);
serverQuicheConfig.setMaxIdleTimeout(1_000L);

View File

@ -22,6 +22,7 @@ import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.List;
import org.eclipse.jetty.quic.quiche.Quiche;
import org.eclipse.jetty.quic.quiche.Quiche.quiche_error;
import org.eclipse.jetty.quic.quiche.QuicheConfig;
import org.eclipse.jetty.quic.quiche.QuicheConnection;
@ -114,7 +115,7 @@ public class JnaQuicheConnection extends QuicheConnection
SizedStructure<sockaddr> localSockaddr = sockaddr.convert(local);
SizedStructure<sockaddr> peerSockaddr = sockaddr.convert(peer);
LibQuiche.quiche_conn quicheConn = LibQuiche.INSTANCE.quiche_connect(peer.getHostName(), scid, new size_t(scid.length), localSockaddr.getStructure(), localSockaddr.getSize(), peerSockaddr.getStructure(), peerSockaddr.getSize(), libQuicheConfig);
LibQuiche.quiche_conn quicheConn = LibQuiche.INSTANCE.quiche_connect(peer.getHostString(), scid, new size_t(scid.length), localSockaddr.getStructure(), localSockaddr.getSize(), peerSockaddr.getStructure(), peerSockaddr.getSize(), libQuicheConfig);
return new JnaQuicheConnection(quicheConn, libQuicheConfig);
}
@ -128,13 +129,29 @@ public class JnaQuicheConnection extends QuicheConnection
if (verifyPeer != null)
LibQuiche.INSTANCE.quiche_config_verify_peer(quicheConfig, verifyPeer);
String trustedCertsPemPath = config.getTrustedCertsPemPath();
if (trustedCertsPemPath != null)
{
int rc = LibQuiche.INSTANCE.quiche_config_load_verify_locations_from_file(quicheConfig, trustedCertsPemPath);
if (rc != 0)
throw new IOException("Error loading trusted certificates file " + trustedCertsPemPath + " : " + Quiche.quiche_error.errToString(rc));
}
String certChainPemPath = config.getCertChainPemPath();
if (certChainPemPath != null)
LibQuiche.INSTANCE.quiche_config_load_cert_chain_from_pem_file(quicheConfig, certChainPemPath);
{
int rc = LibQuiche.INSTANCE.quiche_config_load_cert_chain_from_pem_file(quicheConfig, certChainPemPath);
if (rc < 0)
throw new IOException("Error loading certificate chain file " + certChainPemPath + " : " + Quiche.quiche_error.errToString(rc));
}
String privKeyPemPath = config.getPrivKeyPemPath();
if (privKeyPemPath != null)
LibQuiche.INSTANCE.quiche_config_load_priv_key_from_pem_file(quicheConfig, privKeyPemPath);
{
int rc = LibQuiche.INSTANCE.quiche_config_load_priv_key_from_pem_file(quicheConfig, privKeyPemPath);
if (rc < 0)
throw new IOException("Error loading private key file " + privKeyPemPath + " : " + Quiche.quiche_error.errToString(rc));
}
String[] applicationProtos = config.getApplicationProtos();
if (applicationProtos != null)
@ -450,6 +467,9 @@ public class JnaQuicheConnection extends QuicheConnection
SizedStructure<sockaddr> peerSockaddr = sockaddr.convert(peer);
info.from = peerSockaddr.getStructure().byReference();
info.from_len = peerSockaddr.getSize();
// If quiche_conn_recv() fails, quiche_conn_local_error() can be called to get the SSL alert; the err_code would contain
// a value from which 100 must be substracted to get one of the codes specified in
// https://datatracker.ietf.org/doc/html/rfc5246#section-7.2 ; see https://github.com/curl/curl/pull/8275 for details.
int received = LibQuiche.INSTANCE.quiche_conn_recv(quicheConn, buffer, new size_t(buffer.remaining()), info).intValue();
if (received < 0)
throw new IOException("failed to receive packet; err=" + quiche_error.errToString(received));

View File

@ -86,6 +86,9 @@ public interface LibQuiche extends Library
// Configures whether to verify the peer's certificate.
void quiche_config_verify_peer(quiche_config config, boolean v);
// Specifies a file where trusted CA certificates are stored for the purposes of certificate verification.
int quiche_config_load_verify_locations_from_file(quiche_config config, String path);
// Configures the list of supported application protocols.
int quiche_config_set_application_protos(quiche_config config, byte[] protos, size_t protos_len);

View File

@ -29,7 +29,7 @@ import java.util.Map;
import org.eclipse.jetty.quic.quiche.QuicheConfig;
import org.eclipse.jetty.quic.quiche.QuicheConnection;
import org.eclipse.jetty.quic.quiche.SSLKeyPair;
import org.eclipse.jetty.quic.quiche.PemExporter;
import org.eclipse.jetty.toolchain.test.jupiter.WorkDir;
import org.eclipse.jetty.toolchain.test.jupiter.WorkDirExtension;
import org.junit.jupiter.api.AfterEach;
@ -64,10 +64,18 @@ public class LowLevelQuicheTest
clientSocketAddress = new InetSocketAddress("localhost", 9999);
serverSocketAddress = new InetSocketAddress("localhost", 8888);
KeyStore keyStore = KeyStore.getInstance("PKCS12");
try (InputStream is = getClass().getResourceAsStream("/keystore.p12"))
{
keyStore.load(is, "storepwd".toCharArray());
}
Path targetFolder = workDir.getEmptyPathDir();
clientQuicheConfig = new QuicheConfig();
clientQuicheConfig.setApplicationProtos("http/0.9");
clientQuicheConfig.setDisableActiveMigration(true);
clientQuicheConfig.setVerifyPeer(false);
clientQuicheConfig.setVerifyPeer(true);
clientQuicheConfig.setTrustedCertsPemPath(PemExporter.exportTrustStore(keyStore, targetFolder).toString());
clientQuicheConfig.setMaxIdleTimeout(1_000L);
clientQuicheConfig.setInitialMaxData(10_000_000L);
clientQuicheConfig.setInitialMaxStreamDataBidiLocal(10_000_000L);
@ -77,17 +85,11 @@ public class LowLevelQuicheTest
clientQuicheConfig.setInitialMaxStreamsBidi(100L);
clientQuicheConfig.setCongestionControl(QuicheConfig.CongestionControl.CUBIC);
KeyStore keyStore = KeyStore.getInstance("PKCS12");
try (InputStream is = getClass().getResourceAsStream("/keystore.p12"))
{
keyStore.load(is, "storepwd".toCharArray());
}
serverCertificateChain = keyStore.getCertificateChain("mykey");
SSLKeyPair serverKeyPair = new SSLKeyPair(keyStore, "mykey", "storepwd".toCharArray());
Path[] pemFiles = serverKeyPair.export(workDir.getEmptyPathDir());
serverQuicheConfig = new QuicheConfig();
serverQuicheConfig.setPrivKeyPemPath(pemFiles[0].toString());
serverQuicheConfig.setCertChainPemPath(pemFiles[1].toString());
Path[] keyPair = PemExporter.exportKeyPair(keyStore, "mykey", "storepwd".toCharArray(), targetFolder);
serverQuicheConfig.setPrivKeyPemPath(keyPair[0].toString());
serverQuicheConfig.setCertChainPemPath(keyPair[1].toString());
serverQuicheConfig.setApplicationProtos("http/0.9");
serverQuicheConfig.setVerifyPeer(false);
serverQuicheConfig.setMaxIdleTimeout(1_000L);

View File

@ -37,8 +37,8 @@ import org.eclipse.jetty.quic.common.QuicConfiguration;
import org.eclipse.jetty.quic.common.QuicSession;
import org.eclipse.jetty.quic.common.QuicSessionContainer;
import org.eclipse.jetty.quic.common.QuicStreamEndPoint;
import org.eclipse.jetty.quic.quiche.PemExporter;
import org.eclipse.jetty.quic.quiche.QuicheConfig;
import org.eclipse.jetty.quic.quiche.SSLKeyPair;
import org.eclipse.jetty.server.AbstractNetworkConnector;
import org.eclipse.jetty.server.ConnectionFactory;
import org.eclipse.jetty.server.Server;
@ -90,7 +90,6 @@ public class QuicServerConnector extends AbstractNetworkConnector
// One bidirectional stream to simulate the TCP stream, and no unidirectional streams.
quicConfiguration.setMaxBidirectionalRemoteStreams(1);
quicConfiguration.setMaxUnidirectionalRemoteStreams(0);
quicConfiguration.setVerifyPeerCertificates(false);
}
public QuicConfiguration getQuicConfiguration()
@ -169,31 +168,24 @@ public class QuicServerConnector extends AbstractNetworkConnector
char[] password = keyManagerPassword == null ? sslContextFactory.getKeyStorePassword().toCharArray() : keyManagerPassword.toCharArray();
KeyStore keyStore = sslContextFactory.getKeyStore();
SSLKeyPair keyPair = new SSLKeyPair(
keyStore,
alias,
password
);
Path[] pemFiles = keyPair.export(findTargetPath());
privateKeyPath = pemFiles[0];
certificateChainPath = pemFiles[1];
Path[] keyPair = PemExporter.exportKeyPair(keyStore, alias, password, findCertificateWorkPath());
privateKeyPath = keyPair[0];
certificateChainPath = keyPair[1];
}
private Path findTargetPath() throws IOException
private Path findCertificateWorkPath()
{
Path target;
Path pemWorkDirectory = getQuicConfiguration().getPemWorkDirectory();
if (pemWorkDirectory != null)
return pemWorkDirectory;
String jettyBase = System.getProperty("jetty.base");
if (jettyBase != null)
{
target = Path.of(jettyBase).resolve("work");
pemWorkDirectory = Path.of(jettyBase).resolve("work");
if (Files.exists(pemWorkDirectory))
return pemWorkDirectory;
}
else
{
target = sslContextFactory.getKeyStoreResource().getFile().getParentFile().toPath();
if (!Files.isDirectory(target))
target = Path.of(".");
}
return target;
throw new IllegalStateException("No PEM work directory configured");
}
@Override
@ -231,7 +223,7 @@ public class QuicServerConnector extends AbstractNetworkConnector
QuicheConfig quicheConfig = new QuicheConfig();
quicheConfig.setPrivKeyPemPath(privateKeyPath.toString());
quicheConfig.setCertChainPemPath(certificateChainPath.toString());
quicheConfig.setVerifyPeer(quicConfiguration.isVerifyPeerCertificates());
quicheConfig.setVerifyPeer(false);
// Idle timeouts must not be managed by Quiche.
quicheConfig.setMaxIdleTimeout(0L);
quicheConfig.setInitialMaxData((long)quicConfiguration.getSessionRecvWindow());

View File

@ -23,7 +23,6 @@ import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.nio.file.StandardOpenOption;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Queue;
@ -1141,7 +1140,7 @@ public class DistributionTests extends AbstractJettyHomeTest
assertTrue(run2.awaitConsoleLogsFor("Started Server@", 10, TimeUnit.SECONDS));
HTTP3Client http3Client = new HTTP3Client();
http3Client.getQuicConfiguration().setVerifyPeerCertificates(false);
http3Client.getClientConnector().setSslContextFactory(new SslContextFactory.Client(true));
this.client = new HttpClient(new HttpClientTransportOverHTTP3(http3Client));
this.client.start();
ContentResponse response = this.client.newRequest("localhost", h3Port)

View File

@ -183,7 +183,6 @@ public class HttpChannelAssociationTest extends AbstractTest<TransportScenario>
HTTP3Client http3Client = new HTTP3Client();
http3Client.getClientConnector().setSelectors(1);
http3Client.getClientConnector().setSslContextFactory(scenario.newClientSslContextFactory());
http3Client.getQuicConfiguration().setVerifyPeerCertificates(false);
return new HttpClientTransportOverHTTP3(http3Client)
{
@Override

View File

@ -16,6 +16,7 @@ package org.eclipse.jetty.http.client;
import java.io.IOException;
import java.io.InterruptedIOException;
import java.nio.ByteBuffer;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
@ -56,7 +57,6 @@ import org.eclipse.jetty.util.ProcessorUtils;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.eclipse.jetty.util.thread.Scheduler;
import org.hamcrest.Matchers;
import org.junit.jupiter.api.Assumptions;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.ArgumentsSource;
import org.slf4j.Logger;
@ -389,7 +389,9 @@ public class HttpClientLoadTest extends AbstractTest<HttpClientLoadTest.LoadTran
case FCGI:
return new ServerConnector(server, null, null, byteBufferPool, 1, selectors, provideServerConnectionFactory(transport));
case H3:
return new HTTP3ServerConnector(server, null, null, byteBufferPool, sslContextFactory, provideServerConnectionFactory(transport));
HTTP3ServerConnector http3ServerConnector = new HTTP3ServerConnector(server, null, null, byteBufferPool, sslContextFactory, provideServerConnectionFactory(transport));
http3ServerConnector.getQuicConfiguration().setPemWorkDirectory(Path.of(System.getProperty("java.io.tmpdir")));
return http3ServerConnector;
case UNIX_DOMAIN:
UnixDomainServerConnector unixSocketConnector = new UnixDomainServerConnector(server, null, null, byteBufferPool, 1, selectors, provideServerConnectionFactory(transport));
unixSocketConnector.setUnixDomainPath(unixDomainPath);

View File

@ -47,7 +47,6 @@ import org.eclipse.jetty.http.HttpScheme;
import org.eclipse.jetty.http.HttpStatus;
import org.eclipse.jetty.http.HttpURI;
import org.eclipse.jetty.http2.FlowControlStrategy;
import org.eclipse.jetty.http3.client.http.HttpClientTransportOverHTTP3;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.handler.AbstractHandler;
@ -364,15 +363,10 @@ public class HttpClientTest extends AbstractTest<TransportScenario>
clientThreads.setName("client");
scenario.client.setExecutor(clientThreads);
scenario.client.start();
if (transport == Transport.H3)
{
Assumptions.assumeTrue(false, "certificate verification not yet supported in quic");
// TODO: the lines below should be enough, but they don't work. To be investigated.
HttpClientTransportOverHTTP3 http3Transport = (HttpClientTransportOverHTTP3)scenario.client.getTransport();
http3Transport.getHTTP3Client().getQuicConfiguration().setVerifyPeerCertificates(true);
}
assertThrows(ExecutionException.class, () ->
// H3 times out b/c it is QUIC's way of figuring out a connection cannot be established.
Class<? extends Exception> expectedType = transport == Transport.H3 ? TimeoutException.class : ExecutionException.class;
assertThrows(expectedType, () ->
{
// Use an IP address not present in the certificate.
int serverPort = scenario.getServerPort().orElse(0);

View File

@ -14,9 +14,11 @@
package org.eclipse.jetty.http.client;
import java.io.IOException;
import java.io.InputStream;
import java.lang.management.ManagementFactory;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.List;
import java.util.OptionalInt;
@ -122,7 +124,9 @@ public class TransportScenario
case FCGI:
return new ServerConnector(server, 1, 1, provideServerConnectionFactory(transport));
case H3:
return new HTTP3ServerConnector(server, sslContextFactory, provideServerConnectionFactory(transport));
HTTP3ServerConnector http3ServerConnector = new HTTP3ServerConnector(server, sslContextFactory, provideServerConnectionFactory(transport));
http3ServerConnector.getQuicConfiguration().setPemWorkDirectory(Path.of(System.getProperty("java.io.tmpdir")));
return http3ServerConnector;
case UNIX_DOMAIN:
UnixDomainServerConnector connector = new UnixDomainServerConnector(server, provideServerConnectionFactory(transport));
connector.setUnixDomainPath(unixDomainPath);
@ -175,7 +179,6 @@ public class TransportScenario
ClientConnector clientConnector = http3Client.getClientConnector();
clientConnector.setSelectors(1);
clientConnector.setSslContextFactory(sslContextFactory);
http3Client.getQuicConfiguration().setVerifyPeerCertificates(false);
return new HttpClientTransportOverHTTP3(http3Client);
}
case FCGI:
@ -384,11 +387,24 @@ public class TransportScenario
private void configureSslContextFactory(SslContextFactory sslContextFactory)
{
sslContextFactory.setKeyStorePath("src/test/resources/keystore.p12");
try
{
KeyStore keystore = KeyStore.getInstance("PKCS12");
try (InputStream is = Files.newInputStream(Path.of("src/test/resources/keystore.p12")))
{
keystore.load(is, "storepwd".toCharArray());
}
sslContextFactory.setTrustStore(keystore);
sslContextFactory.setKeyStore(keystore);
sslContextFactory.setKeyStorePassword("storepwd");
sslContextFactory.setUseCipherSuitesOrder(true);
sslContextFactory.setCipherComparator(HTTP2Cipher.COMPARATOR);
}
catch (Exception e)
{
throw new RuntimeException(e);
}
}
public void stopClient() throws Exception
{