#9397 add trust store config to H3
Signed-off-by: Ludovic Orban <lorban@bitronix.be>
This commit is contained in:
parent
e30b23aca6
commit
871022f3b0
|
@ -13,8 +13,10 @@
|
|||
|
||||
package org.eclipse.jetty.http3.tests;
|
||||
|
||||
import java.io.InputStream;
|
||||
import java.lang.management.ManagementFactory;
|
||||
import java.net.InetSocketAddress;
|
||||
import java.security.KeyStore;
|
||||
import java.util.concurrent.TimeUnit;
|
||||
import javax.management.MBeanServer;
|
||||
|
||||
|
@ -35,15 +37,21 @@ import org.eclipse.jetty.jmx.MBeanContainer;
|
|||
import org.eclipse.jetty.server.ConnectionFactory;
|
||||
import org.eclipse.jetty.server.Handler;
|
||||
import org.eclipse.jetty.server.Server;
|
||||
import org.eclipse.jetty.toolchain.test.jupiter.WorkDir;
|
||||
import org.eclipse.jetty.toolchain.test.jupiter.WorkDirExtension;
|
||||
import org.eclipse.jetty.util.component.LifeCycle;
|
||||
import org.eclipse.jetty.util.ssl.SslContextFactory;
|
||||
import org.eclipse.jetty.util.thread.QueuedThreadPool;
|
||||
import org.junit.jupiter.api.AfterEach;
|
||||
import org.junit.jupiter.api.extension.BeforeTestExecutionCallback;
|
||||
import org.junit.jupiter.api.extension.ExtendWith;
|
||||
import org.junit.jupiter.api.extension.RegisterExtension;
|
||||
|
||||
@ExtendWith(WorkDirExtension.class)
|
||||
public class AbstractClientServerTest
|
||||
{
|
||||
public WorkDir workDir;
|
||||
|
||||
@RegisterExtension
|
||||
final BeforeTestExecutionCallback printMethodName = context ->
|
||||
System.err.printf("Running %s.%s() %s%n", context.getRequiredTestClass().getSimpleName(), context.getRequiredTestMethod().getName(), context.getDisplayName());
|
||||
|
@ -81,6 +89,7 @@ public class AbstractClientServerTest
|
|||
serverThreads.setName("server");
|
||||
server = new Server(serverThreads);
|
||||
connector = new HTTP3ServerConnector(server, sslContextFactory, serverConnectionFactory);
|
||||
connector.getQuicConfiguration().setPemWorkDirectory(workDir.getEmptyPathDir());
|
||||
server.addConnector(connector);
|
||||
MBeanContainer mbeanContainer = new MBeanContainer(ManagementFactory.getPlatformMBeanServer());
|
||||
server.addBean(mbeanContainer);
|
||||
|
@ -88,8 +97,16 @@ public class AbstractClientServerTest
|
|||
|
||||
protected void startClient() throws Exception
|
||||
{
|
||||
KeyStore trustStore = KeyStore.getInstance("PKCS12");
|
||||
try (InputStream is = getClass().getResourceAsStream("/keystore.p12"))
|
||||
{
|
||||
trustStore.load(is, "storepwd".toCharArray());
|
||||
}
|
||||
|
||||
http3Client = new HTTP3Client();
|
||||
http3Client.getQuicConfiguration().setVerifyPeerCertificates(false);
|
||||
SslContextFactory.Client clientSslContextFactory = new SslContextFactory.Client();
|
||||
clientSslContextFactory.setTrustStore(trustStore);
|
||||
http3Client.getClientConnector().setSslContextFactory(clientSslContextFactory);
|
||||
httpClient = new HttpClient(new HttpClientTransportDynamic(new ClientConnectionFactoryOverHTTP3.HTTP3(http3Client)));
|
||||
QueuedThreadPool clientThreads = new QueuedThreadPool();
|
||||
clientThreads.setName("client");
|
||||
|
|
|
@ -373,6 +373,7 @@ public class ClientConnector extends ContainerLifeCycle
|
|||
selectorManager = newSelectorManager();
|
||||
selectorManager.setConnectTimeout(getConnectTimeout().toMillis());
|
||||
addBean(selectorManager);
|
||||
configurator.addBean(this);
|
||||
super.doStart();
|
||||
}
|
||||
|
||||
|
@ -381,6 +382,7 @@ public class ClientConnector extends ContainerLifeCycle
|
|||
{
|
||||
super.doStop();
|
||||
removeBean(selectorManager);
|
||||
configurator.removeBean(this);
|
||||
}
|
||||
|
||||
protected SslContextFactory.Client newSslContextFactory()
|
||||
|
@ -588,7 +590,7 @@ public class ClientConnector extends ContainerLifeCycle
|
|||
/**
|
||||
* <p>Configures a {@link ClientConnector}.</p>
|
||||
*/
|
||||
public static class Configurator
|
||||
public static class Configurator extends ContainerLifeCycle
|
||||
{
|
||||
/**
|
||||
* <p>Returns whether the connection to a given {@link SocketAddress} is intrinsically secure.</p>
|
||||
|
|
|
@ -18,6 +18,7 @@ import java.net.InetSocketAddress;
|
|||
import java.net.SocketAddress;
|
||||
import java.net.SocketTimeoutException;
|
||||
import java.nio.ByteBuffer;
|
||||
import java.nio.file.Path;
|
||||
import java.util.Collection;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
|
@ -80,7 +81,10 @@ public class ClientQuicConnection extends QuicConnection
|
|||
QuicheConfig quicheConfig = new QuicheConfig();
|
||||
quicheConfig.setApplicationProtos(protocols.toArray(String[]::new));
|
||||
quicheConfig.setDisableActiveMigration(quicConfiguration.isDisableActiveMigration());
|
||||
quicheConfig.setVerifyPeer(quicConfiguration.isVerifyPeerCertificates());
|
||||
quicheConfig.setVerifyPeer(!connector.getSslContextFactory().isTrustAll());
|
||||
Path trustStorePath = (Path)quicConfiguration.getImplementationSpecifixContext().get(QuicClientConnectorConfigurator.TRUSTSTORE_PATH_KEY);
|
||||
if (trustStorePath != null)
|
||||
quicheConfig.setTrustedCertsPemPath(trustStorePath.toString());
|
||||
// Idle timeouts must not be managed by Quiche.
|
||||
quicheConfig.setMaxIdleTimeout(0L);
|
||||
quicheConfig.setInitialMaxData((long)quicConfiguration.getSessionRecvWindow());
|
||||
|
@ -147,6 +151,13 @@ public class ClientQuicConnection extends QuicConnection
|
|||
return null;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected void onFailure(Throwable failure)
|
||||
{
|
||||
pendingSessions.values().forEach(session -> outwardClose(session, failure));
|
||||
super.onFailure(failure);
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean onIdleExpired()
|
||||
{
|
||||
|
|
|
@ -19,6 +19,8 @@ import java.nio.channels.DatagramChannel;
|
|||
import java.nio.channels.SelectableChannel;
|
||||
import java.nio.channels.SelectionKey;
|
||||
import java.nio.channels.SocketChannel;
|
||||
import java.nio.file.Path;
|
||||
import java.security.KeyStore;
|
||||
import java.util.Map;
|
||||
import java.util.Objects;
|
||||
import java.util.function.UnaryOperator;
|
||||
|
@ -30,6 +32,8 @@ import org.eclipse.jetty.io.EndPoint;
|
|||
import org.eclipse.jetty.io.ManagedSelector;
|
||||
import org.eclipse.jetty.io.SocketChannelEndPoint;
|
||||
import org.eclipse.jetty.quic.common.QuicConfiguration;
|
||||
import org.eclipse.jetty.quic.quiche.PemExporter;
|
||||
import org.eclipse.jetty.util.ssl.SslContextFactory;
|
||||
|
||||
/**
|
||||
* <p>A QUIC specific {@link ClientConnector.Configurator}.</p>
|
||||
|
@ -41,6 +45,8 @@ import org.eclipse.jetty.quic.common.QuicConfiguration;
|
|||
*/
|
||||
public class QuicClientConnectorConfigurator extends ClientConnector.Configurator
|
||||
{
|
||||
static final String TRUSTSTORE_PATH_KEY = QuicClientConnectorConfigurator.class.getName() + ".trustStorePath";
|
||||
|
||||
private final QuicConfiguration configuration = new QuicConfiguration();
|
||||
private final UnaryOperator<Connection> configurator;
|
||||
|
||||
|
@ -56,7 +62,6 @@ public class QuicClientConnectorConfigurator extends ClientConnector.Configurato
|
|||
configuration.setSessionRecvWindow(16 * 1024 * 1024);
|
||||
configuration.setBidirectionalStreamRecvWindow(8 * 1024 * 1024);
|
||||
configuration.setDisableActiveMigration(true);
|
||||
configuration.setVerifyPeerCertificates(true);
|
||||
}
|
||||
|
||||
public QuicConfiguration getQuicConfiguration()
|
||||
|
@ -64,6 +69,19 @@ public class QuicClientConnectorConfigurator extends ClientConnector.Configurato
|
|||
return configuration;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected void doStart() throws Exception
|
||||
{
|
||||
ClientConnector clientConnector = getBean(ClientConnector.class);
|
||||
SslContextFactory.Client sslContextFactory = clientConnector.getSslContextFactory();
|
||||
KeyStore trustStore = sslContextFactory.getTrustStore();
|
||||
if (trustStore != null)
|
||||
{
|
||||
Path trustStorePath = PemExporter.exportTrustStore(trustStore, Path.of(System.getProperty("java.io.tmpdir")));
|
||||
configuration.getImplementationSpecifixContext().put(TRUSTSTORE_PATH_KEY, trustStorePath);
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean isIntrinsicallySecure(ClientConnector clientConnector, SocketAddress address)
|
||||
{
|
||||
|
@ -74,6 +92,7 @@ public class QuicClientConnectorConfigurator extends ClientConnector.Configurato
|
|||
public ChannelWithAddress newChannelWithAddress(ClientConnector clientConnector, SocketAddress address, Map<String, Object> context) throws IOException
|
||||
{
|
||||
context.put(QuicConfiguration.CONTEXT_KEY, configuration);
|
||||
|
||||
DatagramChannel channel = DatagramChannel.open();
|
||||
if (clientConnector.getBindAddress() == null)
|
||||
{
|
||||
|
|
|
@ -14,7 +14,9 @@
|
|||
package org.eclipse.jetty.quic.client;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
import java.io.PrintWriter;
|
||||
import java.security.KeyStore;
|
||||
import java.util.concurrent.CompletableFuture;
|
||||
import java.util.concurrent.TimeUnit;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
|
@ -36,18 +38,24 @@ import org.eclipse.jetty.server.HttpConnectionFactory;
|
|||
import org.eclipse.jetty.server.Request;
|
||||
import org.eclipse.jetty.server.Server;
|
||||
import org.eclipse.jetty.server.handler.AbstractHandler;
|
||||
import org.eclipse.jetty.toolchain.test.jupiter.WorkDir;
|
||||
import org.eclipse.jetty.toolchain.test.jupiter.WorkDirExtension;
|
||||
import org.eclipse.jetty.util.component.LifeCycle;
|
||||
import org.eclipse.jetty.util.ssl.SslContextFactory;
|
||||
import org.junit.jupiter.api.AfterEach;
|
||||
import org.junit.jupiter.api.BeforeEach;
|
||||
import org.junit.jupiter.api.Tag;
|
||||
import org.junit.jupiter.api.Test;
|
||||
import org.junit.jupiter.api.extension.ExtendWith;
|
||||
|
||||
import static org.hamcrest.MatcherAssert.assertThat;
|
||||
import static org.hamcrest.core.Is.is;
|
||||
|
||||
@ExtendWith(WorkDirExtension.class)
|
||||
public class End2EndClientTest
|
||||
{
|
||||
public WorkDir workDir;
|
||||
|
||||
private Server server;
|
||||
private QuicServerConnector connector;
|
||||
private HttpClient client;
|
||||
|
@ -61,8 +69,14 @@ public class End2EndClientTest
|
|||
@BeforeEach
|
||||
public void setUp() throws Exception
|
||||
{
|
||||
KeyStore keyStore = KeyStore.getInstance("PKCS12");
|
||||
try (InputStream is = getClass().getResourceAsStream("/keystore.p12"))
|
||||
{
|
||||
keyStore.load(is, "storepwd".toCharArray());
|
||||
}
|
||||
|
||||
SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
|
||||
sslContextFactory.setKeyStorePath("src/test/resources/keystore.p12");
|
||||
sslContextFactory.setKeyStore(keyStore);
|
||||
sslContextFactory.setKeyStorePassword("storepwd");
|
||||
|
||||
server = new Server();
|
||||
|
@ -71,6 +85,7 @@ public class End2EndClientTest
|
|||
HttpConnectionFactory http1 = new HttpConnectionFactory(httpConfiguration);
|
||||
HTTP2ServerConnectionFactory http2 = new HTTP2ServerConnectionFactory(httpConfiguration);
|
||||
connector = new QuicServerConnector(server, sslContextFactory, http1, http2);
|
||||
connector.getQuicConfiguration().setPemWorkDirectory(workDir.getEmptyPathDir());
|
||||
server.addConnector(connector);
|
||||
|
||||
server.setHandler(new AbstractHandler()
|
||||
|
@ -86,11 +101,13 @@ public class End2EndClientTest
|
|||
|
||||
server.start();
|
||||
|
||||
ClientConnector clientConnector = new ClientConnector(new QuicClientConnectorConfigurator());
|
||||
SslContextFactory.Client clientSslContextFactory = new SslContextFactory.Client();
|
||||
clientSslContextFactory.setTrustStore(keyStore);
|
||||
clientConnector.setSslContextFactory(clientSslContextFactory);
|
||||
ClientConnectionFactory.Info http1Info = HttpClientConnectionFactory.HTTP11;
|
||||
ClientConnectionFactoryOverHTTP2.HTTP2 http2Info = new ClientConnectionFactoryOverHTTP2.HTTP2(new HTTP2Client());
|
||||
QuicClientConnectorConfigurator configurator = new QuicClientConnectorConfigurator();
|
||||
configurator.getQuicConfiguration().setVerifyPeerCertificates(false);
|
||||
HttpClientTransportDynamic transport = new HttpClientTransportDynamic(new ClientConnector(configurator), http1Info, http2Info);
|
||||
ClientConnectionFactoryOverHTTP2.HTTP2 http2Info = new ClientConnectionFactoryOverHTTP2.HTTP2(new HTTP2Client(clientConnector));
|
||||
HttpClientTransportDynamic transport = new HttpClientTransportDynamic(clientConnector, http1Info, http2Info);
|
||||
client = new HttpClient(transport);
|
||||
client.start();
|
||||
}
|
||||
|
|
|
@ -13,7 +13,10 @@
|
|||
|
||||
package org.eclipse.jetty.quic.common;
|
||||
|
||||
import java.nio.file.Path;
|
||||
import java.util.HashMap;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
|
||||
/**
|
||||
* <p>A record that captures QUIC configuration parameters.</p>
|
||||
|
@ -24,12 +27,13 @@ public class QuicConfiguration
|
|||
|
||||
private List<String> protocols = List.of();
|
||||
private boolean disableActiveMigration;
|
||||
private boolean verifyPeerCertificates;
|
||||
private int maxBidirectionalRemoteStreams;
|
||||
private int maxUnidirectionalRemoteStreams;
|
||||
private int sessionRecvWindow;
|
||||
private int bidirectionalStreamRecvWindow;
|
||||
private int unidirectionalStreamRecvWindow;
|
||||
private Path pemWorkDirectory;
|
||||
private final Map<String, Object> implementationSpecifixContext = new HashMap<>();
|
||||
|
||||
public List<String> getProtocols()
|
||||
{
|
||||
|
@ -51,16 +55,6 @@ public class QuicConfiguration
|
|||
this.disableActiveMigration = disableActiveMigration;
|
||||
}
|
||||
|
||||
public boolean isVerifyPeerCertificates()
|
||||
{
|
||||
return verifyPeerCertificates;
|
||||
}
|
||||
|
||||
public void setVerifyPeerCertificates(boolean verifyPeerCertificates)
|
||||
{
|
||||
this.verifyPeerCertificates = verifyPeerCertificates;
|
||||
}
|
||||
|
||||
public int getMaxBidirectionalRemoteStreams()
|
||||
{
|
||||
return maxBidirectionalRemoteStreams;
|
||||
|
@ -110,4 +104,19 @@ public class QuicConfiguration
|
|||
{
|
||||
this.unidirectionalStreamRecvWindow = unidirectionalStreamRecvWindow;
|
||||
}
|
||||
|
||||
public Path getPemWorkDirectory()
|
||||
{
|
||||
return pemWorkDirectory;
|
||||
}
|
||||
|
||||
public void setPemWorkDirectory(Path pemWorkDirectory)
|
||||
{
|
||||
this.pemWorkDirectory = pemWorkDirectory;
|
||||
}
|
||||
|
||||
public Map<String, Object> getImplementationSpecifixContext()
|
||||
{
|
||||
return implementationSpecifixContext;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -14,7 +14,6 @@
|
|||
package org.eclipse.jetty.quic.quiche;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
import java.io.OutputStream;
|
||||
import java.nio.charset.StandardCharsets;
|
||||
import java.nio.file.Files;
|
||||
|
@ -22,56 +21,62 @@ import java.nio.file.Path;
|
|||
import java.nio.file.attribute.PosixFilePermission;
|
||||
import java.security.Key;
|
||||
import java.security.KeyStore;
|
||||
import java.security.KeyStoreException;
|
||||
import java.security.NoSuchAlgorithmException;
|
||||
import java.security.UnrecoverableKeyException;
|
||||
import java.security.cert.Certificate;
|
||||
import java.security.cert.CertificateEncodingException;
|
||||
import java.security.cert.CertificateException;
|
||||
import java.util.Base64;
|
||||
import java.util.Enumeration;
|
||||
import java.util.Set;
|
||||
|
||||
import org.eclipse.jetty.util.resource.Resource;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
|
||||
public class SSLKeyPair
|
||||
public class PemExporter
|
||||
{
|
||||
private static final Logger LOG = LoggerFactory.getLogger(SSLKeyPair.class);
|
||||
private static final Logger LOG = LoggerFactory.getLogger(PemExporter.class);
|
||||
|
||||
private static final byte[] BEGIN_KEY = "-----BEGIN PRIVATE KEY-----".getBytes(StandardCharsets.US_ASCII);
|
||||
private static final byte[] END_KEY = "-----END PRIVATE KEY-----".getBytes(StandardCharsets.US_ASCII);
|
||||
private static final byte[] BEGIN_CERT = "-----BEGIN CERTIFICATE-----".getBytes(StandardCharsets.US_ASCII);
|
||||
private static final byte[] END_CERT = "-----END CERTIFICATE-----".getBytes(StandardCharsets.US_ASCII);
|
||||
private static final byte[] LINE_SEPARATOR = System.getProperty("line.separator").getBytes(StandardCharsets.US_ASCII);
|
||||
private static final int LINE_LENGTH = 64;
|
||||
private static final Base64.Encoder ENCODER = Base64.getMimeEncoder(64, LINE_SEPARATOR);
|
||||
|
||||
private final Base64.Encoder encoder = Base64.getMimeEncoder(LINE_LENGTH, LINE_SEPARATOR);
|
||||
private final Key key;
|
||||
private final Certificate[] certChain;
|
||||
private final String alias;
|
||||
|
||||
public SSLKeyPair(KeyStore keyStore, String alias, char[] keyPassword) throws KeyStoreException, UnrecoverableKeyException, NoSuchAlgorithmException
|
||||
private PemExporter()
|
||||
{
|
||||
this.alias = alias;
|
||||
this.key = keyStore.getKey(alias, keyPassword);
|
||||
this.certChain = keyStore.getCertificateChain(alias);
|
||||
}
|
||||
|
||||
public static Path exportTrustStore(KeyStore keyStore, Path targetFolder) throws Exception
|
||||
{
|
||||
if (!Files.isDirectory(targetFolder))
|
||||
throw new IllegalArgumentException("Target folder is not a directory: " + targetFolder);
|
||||
|
||||
Path path = Files.createTempFile(targetFolder, "truststore-", ".crt");
|
||||
try (OutputStream os = Files.newOutputStream(path))
|
||||
{
|
||||
Enumeration<String> aliases = keyStore.aliases();
|
||||
while (aliases.hasMoreElements())
|
||||
{
|
||||
String alias = aliases.nextElement();
|
||||
Certificate cert = keyStore.getCertificate(alias);
|
||||
writeAsPEM(os, cert);
|
||||
}
|
||||
}
|
||||
return path;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return [0] is the key file, [1] is the cert file.
|
||||
*/
|
||||
public Path[] export(Path targetFolder) throws Exception
|
||||
public static Path[] exportKeyPair(KeyStore keyStore, String alias, char[] keyPassword, Path targetFolder) throws Exception
|
||||
{
|
||||
if (!Files.isDirectory(targetFolder))
|
||||
throw new IllegalArgumentException("Target folder is not a directory: " + targetFolder);
|
||||
|
||||
Path[] paths = new Path[2];
|
||||
paths[0] = targetFolder.resolve(alias + ".key");
|
||||
paths[1] = targetFolder.resolve(alias + ".crt");
|
||||
|
||||
try (OutputStream os = Files.newOutputStream(paths[1]))
|
||||
{
|
||||
Certificate[] certChain = keyStore.getCertificateChain(alias);
|
||||
for (Certificate cert : certChain)
|
||||
writeAsPEM(os, cert);
|
||||
Files.setPosixFilePermissions(paths[1], Set.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE));
|
||||
|
@ -82,8 +87,10 @@ public class SSLKeyPair
|
|||
if (LOG.isDebugEnabled())
|
||||
LOG.debug("Unable to set Posix file permissions", e);
|
||||
}
|
||||
paths[0] = targetFolder.resolve(alias + ".key");
|
||||
try (OutputStream os = Files.newOutputStream(paths[0]))
|
||||
{
|
||||
Key key = keyStore.getKey(alias, keyPassword);
|
||||
writeAsPEM(os, key);
|
||||
Files.setPosixFilePermissions(paths[0], Set.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE));
|
||||
}
|
||||
|
@ -93,13 +100,12 @@ public class SSLKeyPair
|
|||
if (LOG.isDebugEnabled())
|
||||
LOG.debug("Unable to set Posix file permissions", e);
|
||||
}
|
||||
|
||||
return paths;
|
||||
}
|
||||
|
||||
private void writeAsPEM(OutputStream outputStream, Key key) throws IOException
|
||||
private static void writeAsPEM(OutputStream outputStream, Key key) throws IOException
|
||||
{
|
||||
byte[] encoded = encoder.encode(key.getEncoded());
|
||||
byte[] encoded = ENCODER.encode(key.getEncoded());
|
||||
outputStream.write(BEGIN_KEY);
|
||||
outputStream.write(LINE_SEPARATOR);
|
||||
outputStream.write(encoded);
|
||||
|
@ -108,9 +114,9 @@ public class SSLKeyPair
|
|||
outputStream.write(LINE_SEPARATOR);
|
||||
}
|
||||
|
||||
private void writeAsPEM(OutputStream outputStream, Certificate certificate) throws CertificateEncodingException, IOException
|
||||
private static void writeAsPEM(OutputStream outputStream, Certificate certificate) throws CertificateEncodingException, IOException
|
||||
{
|
||||
byte[] encoded = encoder.encode(certificate.getEncoded());
|
||||
byte[] encoded = ENCODER.encode(certificate.getEncoded());
|
||||
outputStream.write(BEGIN_CERT);
|
||||
outputStream.write(LINE_SEPARATOR);
|
||||
outputStream.write(encoded);
|
|
@ -35,6 +35,7 @@ public class QuicheConfig
|
|||
|
||||
private int version = Quiche.QUICHE_PROTOCOL_VERSION;
|
||||
private Boolean verifyPeer;
|
||||
private String trustedCertsPemPath;
|
||||
private String certChainPemPath;
|
||||
private String privKeyPemPath;
|
||||
private String[] applicationProtos;
|
||||
|
@ -65,6 +66,11 @@ public class QuicheConfig
|
|||
return verifyPeer;
|
||||
}
|
||||
|
||||
public String getTrustedCertsPemPath()
|
||||
{
|
||||
return trustedCertsPemPath;
|
||||
}
|
||||
|
||||
public String getCertChainPemPath()
|
||||
{
|
||||
return certChainPemPath;
|
||||
|
@ -150,6 +156,11 @@ public class QuicheConfig
|
|||
this.verifyPeer = verify;
|
||||
}
|
||||
|
||||
public void setTrustedCertsPemPath(String trustedCertsPemPath)
|
||||
{
|
||||
this.trustedCertsPemPath = trustedCertsPemPath;
|
||||
}
|
||||
|
||||
public void setCertChainPemPath(String path)
|
||||
{
|
||||
this.certChainPemPath = path;
|
||||
|
|
|
@ -28,6 +28,7 @@ import jdk.incubator.foreign.CLinker;
|
|||
import jdk.incubator.foreign.MemoryAddress;
|
||||
import jdk.incubator.foreign.MemorySegment;
|
||||
import jdk.incubator.foreign.ResourceScope;
|
||||
import org.eclipse.jetty.quic.quiche.Quiche;
|
||||
import org.eclipse.jetty.quic.quiche.Quiche.quiche_error;
|
||||
import org.eclipse.jetty.quic.quiche.QuicheConfig;
|
||||
import org.eclipse.jetty.quic.quiche.QuicheConnection;
|
||||
|
@ -148,7 +149,7 @@ public class ForeignIncubatorQuicheConnection extends QuicheConnection
|
|||
|
||||
MemorySegment localSockaddr = sockaddr.convert(local, scope);
|
||||
MemorySegment peerSockaddr = sockaddr.convert(peer, scope);
|
||||
MemoryAddress quicheConn = quiche_h.quiche_connect(CLinker.toCString(peer.getHostName(), scope), scid, scid.byteSize(), localSockaddr, localSockaddr.byteSize(), peerSockaddr, peerSockaddr.byteSize(), libQuicheConfig);
|
||||
MemoryAddress quicheConn = quiche_h.quiche_connect(CLinker.toCString(peer.getHostString(), scope), scid, scid.byteSize(), localSockaddr, localSockaddr.byteSize(), peerSockaddr, peerSockaddr.byteSize(), libQuicheConfig);
|
||||
ForeignIncubatorQuicheConnection connection = new ForeignIncubatorQuicheConnection(quicheConn, libQuicheConfig, scope);
|
||||
keepScope = true;
|
||||
return connection;
|
||||
|
@ -170,13 +171,29 @@ public class ForeignIncubatorQuicheConnection extends QuicheConnection
|
|||
if (verifyPeer != null)
|
||||
quiche_h.quiche_config_verify_peer(quicheConfig, verifyPeer ? C_TRUE : C_FALSE);
|
||||
|
||||
String trustedCertsPemPath = config.getTrustedCertsPemPath();
|
||||
if (trustedCertsPemPath != null)
|
||||
{
|
||||
int rc = quiche_h.quiche_config_load_verify_locations_from_file(quicheConfig, CLinker.toCString(trustedCertsPemPath, scope).address());
|
||||
if (rc < 0)
|
||||
throw new IOException("Error loading trusted certificates file " + trustedCertsPemPath + " : " + Quiche.quiche_error.errToString(rc));
|
||||
}
|
||||
|
||||
String certChainPemPath = config.getCertChainPemPath();
|
||||
if (certChainPemPath != null)
|
||||
quiche_h.quiche_config_load_cert_chain_from_pem_file(quicheConfig, CLinker.toCString(certChainPemPath, scope).address());
|
||||
{
|
||||
int rc = quiche_h.quiche_config_load_cert_chain_from_pem_file(quicheConfig, CLinker.toCString(certChainPemPath, scope).address());
|
||||
if (rc < 0)
|
||||
throw new IOException("Error loading certificate chain file " + certChainPemPath + " : " + Quiche.quiche_error.errToString(rc));
|
||||
}
|
||||
|
||||
String privKeyPemPath = config.getPrivKeyPemPath();
|
||||
if (privKeyPemPath != null)
|
||||
quiche_h.quiche_config_load_priv_key_from_pem_file(quicheConfig, CLinker.toCString(privKeyPemPath, scope).address());
|
||||
{
|
||||
int rc = quiche_h.quiche_config_load_priv_key_from_pem_file(quicheConfig, CLinker.toCString(privKeyPemPath, scope).address());
|
||||
if (rc < 0)
|
||||
throw new IOException("Error loading private key file " + privKeyPemPath + " : " + Quiche.quiche_error.errToString(rc));
|
||||
}
|
||||
|
||||
String[] applicationProtos = config.getApplicationProtos();
|
||||
if (applicationProtos != null)
|
||||
|
@ -566,6 +583,9 @@ public class ForeignIncubatorQuicheConnection extends QuicheConnection
|
|||
received = quiche_h.quiche_conn_recv(quicheConn, bufferSegment.address(), buffer.remaining(), recvInfo.address());
|
||||
}
|
||||
}
|
||||
// If quiche_conn_recv() fails, quiche_conn_local_error() can be called to get the SSL alert; the err_code would contain
|
||||
// a value from which 100 must be substracted to get one of the codes specified in
|
||||
// https://datatracker.ietf.org/doc/html/rfc5246#section-7.2 ; see https://github.com/curl/curl/pull/8275 for details.
|
||||
if (received < 0)
|
||||
throw new IOException("failed to receive packet; err=" + quiche_error.errToString(received));
|
||||
buffer.position((int)(buffer.position() + received));
|
||||
|
|
|
@ -52,6 +52,12 @@ public class quiche_h
|
|||
FunctionDescriptor.ofVoid(C_POINTER, C_INT)
|
||||
);
|
||||
|
||||
private static final MethodHandle quiche_config_load_verify_locations_from_file$MH = downcallHandle(
|
||||
"quiche_config_load_verify_locations_from_file",
|
||||
"(Ljdk/incubator/foreign/MemoryAddress;Ljdk/incubator/foreign/MemoryAddress;)I",
|
||||
FunctionDescriptor.of(C_INT, C_POINTER, C_POINTER)
|
||||
);
|
||||
|
||||
private static final MethodHandle quiche_config_load_cert_chain_from_pem_file$MH = downcallHandle(
|
||||
"quiche_config_load_cert_chain_from_pem_file",
|
||||
"(Ljdk/incubator/foreign/MemoryAddress;Ljdk/incubator/foreign/MemoryAddress;)I",
|
||||
|
@ -370,6 +376,18 @@ public class quiche_h
|
|||
}
|
||||
}
|
||||
|
||||
public static int quiche_config_load_verify_locations_from_file(MemoryAddress config, MemoryAddress path)
|
||||
{
|
||||
try
|
||||
{
|
||||
return (int) quiche_config_load_verify_locations_from_file$MH.invokeExact(config, path);
|
||||
}
|
||||
catch (Throwable ex)
|
||||
{
|
||||
throw new AssertionError("should not reach here", ex);
|
||||
}
|
||||
}
|
||||
|
||||
public static int quiche_config_load_cert_chain_from_pem_file(MemoryAddress config, MemoryAddress path)
|
||||
{
|
||||
try
|
||||
|
|
|
@ -30,7 +30,7 @@ import java.util.Map;
|
|||
|
||||
import org.eclipse.jetty.quic.quiche.QuicheConfig;
|
||||
import org.eclipse.jetty.quic.quiche.QuicheConnection;
|
||||
import org.eclipse.jetty.quic.quiche.SSLKeyPair;
|
||||
import org.eclipse.jetty.quic.quiche.PemExporter;
|
||||
import org.eclipse.jetty.toolchain.test.jupiter.WorkDir;
|
||||
import org.eclipse.jetty.toolchain.test.jupiter.WorkDirExtension;
|
||||
import org.junit.jupiter.api.AfterEach;
|
||||
|
@ -65,10 +65,18 @@ public class LowLevelQuicheTest
|
|||
clientSocketAddress = new InetSocketAddress("localhost", 9999);
|
||||
serverSocketAddress = new InetSocketAddress("localhost", 8888);
|
||||
|
||||
KeyStore keyStore = KeyStore.getInstance("PKCS12");
|
||||
try (InputStream is = getClass().getResourceAsStream("/keystore.p12"))
|
||||
{
|
||||
keyStore.load(is, "storepwd".toCharArray());
|
||||
}
|
||||
Path targetFolder = workDir.getEmptyPathDir();
|
||||
|
||||
clientQuicheConfig = new QuicheConfig();
|
||||
clientQuicheConfig.setApplicationProtos("http/0.9");
|
||||
clientQuicheConfig.setDisableActiveMigration(true);
|
||||
clientQuicheConfig.setVerifyPeer(false);
|
||||
clientQuicheConfig.setVerifyPeer(true);
|
||||
clientQuicheConfig.setTrustedCertsPemPath(PemExporter.exportTrustStore(keyStore, targetFolder).toString());
|
||||
clientQuicheConfig.setMaxIdleTimeout(1_000L);
|
||||
clientQuicheConfig.setInitialMaxData(10_000_000L);
|
||||
clientQuicheConfig.setInitialMaxStreamDataBidiLocal(10_000_000L);
|
||||
|
@ -78,17 +86,11 @@ public class LowLevelQuicheTest
|
|||
clientQuicheConfig.setInitialMaxStreamsBidi(100L);
|
||||
clientQuicheConfig.setCongestionControl(QuicheConfig.CongestionControl.CUBIC);
|
||||
|
||||
KeyStore keyStore = KeyStore.getInstance("PKCS12");
|
||||
try (InputStream is = getClass().getResourceAsStream("/keystore.p12"))
|
||||
{
|
||||
keyStore.load(is, "storepwd".toCharArray());
|
||||
}
|
||||
serverCertificateChain = keyStore.getCertificateChain("mykey");
|
||||
SSLKeyPair serverKeyPair = new SSLKeyPair(keyStore, "mykey", "storepwd".toCharArray());
|
||||
Path[] pemFiles = serverKeyPair.export(workDir.getEmptyPathDir());
|
||||
serverQuicheConfig = new QuicheConfig();
|
||||
serverQuicheConfig.setPrivKeyPemPath(pemFiles[0].toString());
|
||||
serverQuicheConfig.setCertChainPemPath(pemFiles[1].toString());
|
||||
Path[] keyPair = PemExporter.exportKeyPair(keyStore, "mykey", "storepwd".toCharArray(), targetFolder);
|
||||
serverQuicheConfig.setPrivKeyPemPath(keyPair[0].toString());
|
||||
serverQuicheConfig.setCertChainPemPath(keyPair[1].toString());
|
||||
serverQuicheConfig.setApplicationProtos("http/0.9");
|
||||
serverQuicheConfig.setVerifyPeer(false);
|
||||
serverQuicheConfig.setMaxIdleTimeout(1_000L);
|
||||
|
|
|
@ -22,6 +22,7 @@ import java.security.SecureRandom;
|
|||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
|
||||
import org.eclipse.jetty.quic.quiche.Quiche;
|
||||
import org.eclipse.jetty.quic.quiche.Quiche.quiche_error;
|
||||
import org.eclipse.jetty.quic.quiche.QuicheConfig;
|
||||
import org.eclipse.jetty.quic.quiche.QuicheConnection;
|
||||
|
@ -114,7 +115,7 @@ public class JnaQuicheConnection extends QuicheConnection
|
|||
|
||||
SizedStructure<sockaddr> localSockaddr = sockaddr.convert(local);
|
||||
SizedStructure<sockaddr> peerSockaddr = sockaddr.convert(peer);
|
||||
LibQuiche.quiche_conn quicheConn = LibQuiche.INSTANCE.quiche_connect(peer.getHostName(), scid, new size_t(scid.length), localSockaddr.getStructure(), localSockaddr.getSize(), peerSockaddr.getStructure(), peerSockaddr.getSize(), libQuicheConfig);
|
||||
LibQuiche.quiche_conn quicheConn = LibQuiche.INSTANCE.quiche_connect(peer.getHostString(), scid, new size_t(scid.length), localSockaddr.getStructure(), localSockaddr.getSize(), peerSockaddr.getStructure(), peerSockaddr.getSize(), libQuicheConfig);
|
||||
return new JnaQuicheConnection(quicheConn, libQuicheConfig);
|
||||
}
|
||||
|
||||
|
@ -128,13 +129,29 @@ public class JnaQuicheConnection extends QuicheConnection
|
|||
if (verifyPeer != null)
|
||||
LibQuiche.INSTANCE.quiche_config_verify_peer(quicheConfig, verifyPeer);
|
||||
|
||||
String trustedCertsPemPath = config.getTrustedCertsPemPath();
|
||||
if (trustedCertsPemPath != null)
|
||||
{
|
||||
int rc = LibQuiche.INSTANCE.quiche_config_load_verify_locations_from_file(quicheConfig, trustedCertsPemPath);
|
||||
if (rc != 0)
|
||||
throw new IOException("Error loading trusted certificates file " + trustedCertsPemPath + " : " + Quiche.quiche_error.errToString(rc));
|
||||
}
|
||||
|
||||
String certChainPemPath = config.getCertChainPemPath();
|
||||
if (certChainPemPath != null)
|
||||
LibQuiche.INSTANCE.quiche_config_load_cert_chain_from_pem_file(quicheConfig, certChainPemPath);
|
||||
{
|
||||
int rc = LibQuiche.INSTANCE.quiche_config_load_cert_chain_from_pem_file(quicheConfig, certChainPemPath);
|
||||
if (rc < 0)
|
||||
throw new IOException("Error loading certificate chain file " + certChainPemPath + " : " + Quiche.quiche_error.errToString(rc));
|
||||
}
|
||||
|
||||
String privKeyPemPath = config.getPrivKeyPemPath();
|
||||
if (privKeyPemPath != null)
|
||||
LibQuiche.INSTANCE.quiche_config_load_priv_key_from_pem_file(quicheConfig, privKeyPemPath);
|
||||
{
|
||||
int rc = LibQuiche.INSTANCE.quiche_config_load_priv_key_from_pem_file(quicheConfig, privKeyPemPath);
|
||||
if (rc < 0)
|
||||
throw new IOException("Error loading private key file " + privKeyPemPath + " : " + Quiche.quiche_error.errToString(rc));
|
||||
}
|
||||
|
||||
String[] applicationProtos = config.getApplicationProtos();
|
||||
if (applicationProtos != null)
|
||||
|
@ -450,6 +467,9 @@ public class JnaQuicheConnection extends QuicheConnection
|
|||
SizedStructure<sockaddr> peerSockaddr = sockaddr.convert(peer);
|
||||
info.from = peerSockaddr.getStructure().byReference();
|
||||
info.from_len = peerSockaddr.getSize();
|
||||
// If quiche_conn_recv() fails, quiche_conn_local_error() can be called to get the SSL alert; the err_code would contain
|
||||
// a value from which 100 must be substracted to get one of the codes specified in
|
||||
// https://datatracker.ietf.org/doc/html/rfc5246#section-7.2 ; see https://github.com/curl/curl/pull/8275 for details.
|
||||
int received = LibQuiche.INSTANCE.quiche_conn_recv(quicheConn, buffer, new size_t(buffer.remaining()), info).intValue();
|
||||
if (received < 0)
|
||||
throw new IOException("failed to receive packet; err=" + quiche_error.errToString(received));
|
||||
|
|
|
@ -86,6 +86,9 @@ public interface LibQuiche extends Library
|
|||
// Configures whether to verify the peer's certificate.
|
||||
void quiche_config_verify_peer(quiche_config config, boolean v);
|
||||
|
||||
// Specifies a file where trusted CA certificates are stored for the purposes of certificate verification.
|
||||
int quiche_config_load_verify_locations_from_file(quiche_config config, String path);
|
||||
|
||||
// Configures the list of supported application protocols.
|
||||
int quiche_config_set_application_protos(quiche_config config, byte[] protos, size_t protos_len);
|
||||
|
||||
|
|
|
@ -29,7 +29,7 @@ import java.util.Map;
|
|||
|
||||
import org.eclipse.jetty.quic.quiche.QuicheConfig;
|
||||
import org.eclipse.jetty.quic.quiche.QuicheConnection;
|
||||
import org.eclipse.jetty.quic.quiche.SSLKeyPair;
|
||||
import org.eclipse.jetty.quic.quiche.PemExporter;
|
||||
import org.eclipse.jetty.toolchain.test.jupiter.WorkDir;
|
||||
import org.eclipse.jetty.toolchain.test.jupiter.WorkDirExtension;
|
||||
import org.junit.jupiter.api.AfterEach;
|
||||
|
@ -64,10 +64,18 @@ public class LowLevelQuicheTest
|
|||
clientSocketAddress = new InetSocketAddress("localhost", 9999);
|
||||
serverSocketAddress = new InetSocketAddress("localhost", 8888);
|
||||
|
||||
KeyStore keyStore = KeyStore.getInstance("PKCS12");
|
||||
try (InputStream is = getClass().getResourceAsStream("/keystore.p12"))
|
||||
{
|
||||
keyStore.load(is, "storepwd".toCharArray());
|
||||
}
|
||||
Path targetFolder = workDir.getEmptyPathDir();
|
||||
|
||||
clientQuicheConfig = new QuicheConfig();
|
||||
clientQuicheConfig.setApplicationProtos("http/0.9");
|
||||
clientQuicheConfig.setDisableActiveMigration(true);
|
||||
clientQuicheConfig.setVerifyPeer(false);
|
||||
clientQuicheConfig.setVerifyPeer(true);
|
||||
clientQuicheConfig.setTrustedCertsPemPath(PemExporter.exportTrustStore(keyStore, targetFolder).toString());
|
||||
clientQuicheConfig.setMaxIdleTimeout(1_000L);
|
||||
clientQuicheConfig.setInitialMaxData(10_000_000L);
|
||||
clientQuicheConfig.setInitialMaxStreamDataBidiLocal(10_000_000L);
|
||||
|
@ -77,17 +85,11 @@ public class LowLevelQuicheTest
|
|||
clientQuicheConfig.setInitialMaxStreamsBidi(100L);
|
||||
clientQuicheConfig.setCongestionControl(QuicheConfig.CongestionControl.CUBIC);
|
||||
|
||||
KeyStore keyStore = KeyStore.getInstance("PKCS12");
|
||||
try (InputStream is = getClass().getResourceAsStream("/keystore.p12"))
|
||||
{
|
||||
keyStore.load(is, "storepwd".toCharArray());
|
||||
}
|
||||
serverCertificateChain = keyStore.getCertificateChain("mykey");
|
||||
SSLKeyPair serverKeyPair = new SSLKeyPair(keyStore, "mykey", "storepwd".toCharArray());
|
||||
Path[] pemFiles = serverKeyPair.export(workDir.getEmptyPathDir());
|
||||
serverQuicheConfig = new QuicheConfig();
|
||||
serverQuicheConfig.setPrivKeyPemPath(pemFiles[0].toString());
|
||||
serverQuicheConfig.setCertChainPemPath(pemFiles[1].toString());
|
||||
Path[] keyPair = PemExporter.exportKeyPair(keyStore, "mykey", "storepwd".toCharArray(), targetFolder);
|
||||
serverQuicheConfig.setPrivKeyPemPath(keyPair[0].toString());
|
||||
serverQuicheConfig.setCertChainPemPath(keyPair[1].toString());
|
||||
serverQuicheConfig.setApplicationProtos("http/0.9");
|
||||
serverQuicheConfig.setVerifyPeer(false);
|
||||
serverQuicheConfig.setMaxIdleTimeout(1_000L);
|
||||
|
|
|
@ -37,8 +37,8 @@ import org.eclipse.jetty.quic.common.QuicConfiguration;
|
|||
import org.eclipse.jetty.quic.common.QuicSession;
|
||||
import org.eclipse.jetty.quic.common.QuicSessionContainer;
|
||||
import org.eclipse.jetty.quic.common.QuicStreamEndPoint;
|
||||
import org.eclipse.jetty.quic.quiche.PemExporter;
|
||||
import org.eclipse.jetty.quic.quiche.QuicheConfig;
|
||||
import org.eclipse.jetty.quic.quiche.SSLKeyPair;
|
||||
import org.eclipse.jetty.server.AbstractNetworkConnector;
|
||||
import org.eclipse.jetty.server.ConnectionFactory;
|
||||
import org.eclipse.jetty.server.Server;
|
||||
|
@ -90,7 +90,6 @@ public class QuicServerConnector extends AbstractNetworkConnector
|
|||
// One bidirectional stream to simulate the TCP stream, and no unidirectional streams.
|
||||
quicConfiguration.setMaxBidirectionalRemoteStreams(1);
|
||||
quicConfiguration.setMaxUnidirectionalRemoteStreams(0);
|
||||
quicConfiguration.setVerifyPeerCertificates(false);
|
||||
}
|
||||
|
||||
public QuicConfiguration getQuicConfiguration()
|
||||
|
@ -169,31 +168,24 @@ public class QuicServerConnector extends AbstractNetworkConnector
|
|||
char[] password = keyManagerPassword == null ? sslContextFactory.getKeyStorePassword().toCharArray() : keyManagerPassword.toCharArray();
|
||||
|
||||
KeyStore keyStore = sslContextFactory.getKeyStore();
|
||||
SSLKeyPair keyPair = new SSLKeyPair(
|
||||
keyStore,
|
||||
alias,
|
||||
password
|
||||
);
|
||||
Path[] pemFiles = keyPair.export(findTargetPath());
|
||||
privateKeyPath = pemFiles[0];
|
||||
certificateChainPath = pemFiles[1];
|
||||
Path[] keyPair = PemExporter.exportKeyPair(keyStore, alias, password, findCertificateWorkPath());
|
||||
privateKeyPath = keyPair[0];
|
||||
certificateChainPath = keyPair[1];
|
||||
}
|
||||
|
||||
private Path findTargetPath() throws IOException
|
||||
private Path findCertificateWorkPath()
|
||||
{
|
||||
Path target;
|
||||
Path pemWorkDirectory = getQuicConfiguration().getPemWorkDirectory();
|
||||
if (pemWorkDirectory != null)
|
||||
return pemWorkDirectory;
|
||||
String jettyBase = System.getProperty("jetty.base");
|
||||
if (jettyBase != null)
|
||||
{
|
||||
target = Path.of(jettyBase).resolve("work");
|
||||
pemWorkDirectory = Path.of(jettyBase).resolve("work");
|
||||
if (Files.exists(pemWorkDirectory))
|
||||
return pemWorkDirectory;
|
||||
}
|
||||
else
|
||||
{
|
||||
target = sslContextFactory.getKeyStoreResource().getFile().getParentFile().toPath();
|
||||
if (!Files.isDirectory(target))
|
||||
target = Path.of(".");
|
||||
}
|
||||
return target;
|
||||
throw new IllegalStateException("No PEM work directory configured");
|
||||
}
|
||||
|
||||
@Override
|
||||
|
@ -231,7 +223,7 @@ public class QuicServerConnector extends AbstractNetworkConnector
|
|||
QuicheConfig quicheConfig = new QuicheConfig();
|
||||
quicheConfig.setPrivKeyPemPath(privateKeyPath.toString());
|
||||
quicheConfig.setCertChainPemPath(certificateChainPath.toString());
|
||||
quicheConfig.setVerifyPeer(quicConfiguration.isVerifyPeerCertificates());
|
||||
quicheConfig.setVerifyPeer(false);
|
||||
// Idle timeouts must not be managed by Quiche.
|
||||
quicheConfig.setMaxIdleTimeout(0L);
|
||||
quicheConfig.setInitialMaxData((long)quicConfiguration.getSessionRecvWindow());
|
||||
|
|
|
@ -23,7 +23,6 @@ import java.nio.file.Path;
|
|||
import java.nio.file.Paths;
|
||||
import java.nio.file.StandardCopyOption;
|
||||
import java.nio.file.StandardOpenOption;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Arrays;
|
||||
import java.util.List;
|
||||
import java.util.Queue;
|
||||
|
@ -1141,7 +1140,7 @@ public class DistributionTests extends AbstractJettyHomeTest
|
|||
assertTrue(run2.awaitConsoleLogsFor("Started Server@", 10, TimeUnit.SECONDS));
|
||||
|
||||
HTTP3Client http3Client = new HTTP3Client();
|
||||
http3Client.getQuicConfiguration().setVerifyPeerCertificates(false);
|
||||
http3Client.getClientConnector().setSslContextFactory(new SslContextFactory.Client(true));
|
||||
this.client = new HttpClient(new HttpClientTransportOverHTTP3(http3Client));
|
||||
this.client.start();
|
||||
ContentResponse response = this.client.newRequest("localhost", h3Port)
|
||||
|
|
|
@ -183,7 +183,6 @@ public class HttpChannelAssociationTest extends AbstractTest<TransportScenario>
|
|||
HTTP3Client http3Client = new HTTP3Client();
|
||||
http3Client.getClientConnector().setSelectors(1);
|
||||
http3Client.getClientConnector().setSslContextFactory(scenario.newClientSslContextFactory());
|
||||
http3Client.getQuicConfiguration().setVerifyPeerCertificates(false);
|
||||
return new HttpClientTransportOverHTTP3(http3Client)
|
||||
{
|
||||
@Override
|
||||
|
|
|
@ -16,6 +16,7 @@ package org.eclipse.jetty.http.client;
|
|||
import java.io.IOException;
|
||||
import java.io.InterruptedIOException;
|
||||
import java.nio.ByteBuffer;
|
||||
import java.nio.file.Path;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import java.util.Locale;
|
||||
|
@ -56,7 +57,6 @@ import org.eclipse.jetty.util.ProcessorUtils;
|
|||
import org.eclipse.jetty.util.ssl.SslContextFactory;
|
||||
import org.eclipse.jetty.util.thread.Scheduler;
|
||||
import org.hamcrest.Matchers;
|
||||
import org.junit.jupiter.api.Assumptions;
|
||||
import org.junit.jupiter.params.ParameterizedTest;
|
||||
import org.junit.jupiter.params.provider.ArgumentsSource;
|
||||
import org.slf4j.Logger;
|
||||
|
@ -389,7 +389,9 @@ public class HttpClientLoadTest extends AbstractTest<HttpClientLoadTest.LoadTran
|
|||
case FCGI:
|
||||
return new ServerConnector(server, null, null, byteBufferPool, 1, selectors, provideServerConnectionFactory(transport));
|
||||
case H3:
|
||||
return new HTTP3ServerConnector(server, null, null, byteBufferPool, sslContextFactory, provideServerConnectionFactory(transport));
|
||||
HTTP3ServerConnector http3ServerConnector = new HTTP3ServerConnector(server, null, null, byteBufferPool, sslContextFactory, provideServerConnectionFactory(transport));
|
||||
http3ServerConnector.getQuicConfiguration().setPemWorkDirectory(Path.of(System.getProperty("java.io.tmpdir")));
|
||||
return http3ServerConnector;
|
||||
case UNIX_DOMAIN:
|
||||
UnixDomainServerConnector unixSocketConnector = new UnixDomainServerConnector(server, null, null, byteBufferPool, 1, selectors, provideServerConnectionFactory(transport));
|
||||
unixSocketConnector.setUnixDomainPath(unixDomainPath);
|
||||
|
|
|
@ -47,7 +47,6 @@ import org.eclipse.jetty.http.HttpScheme;
|
|||
import org.eclipse.jetty.http.HttpStatus;
|
||||
import org.eclipse.jetty.http.HttpURI;
|
||||
import org.eclipse.jetty.http2.FlowControlStrategy;
|
||||
import org.eclipse.jetty.http3.client.http.HttpClientTransportOverHTTP3;
|
||||
import org.eclipse.jetty.server.Request;
|
||||
import org.eclipse.jetty.server.SecureRequestCustomizer;
|
||||
import org.eclipse.jetty.server.handler.AbstractHandler;
|
||||
|
@ -364,15 +363,10 @@ public class HttpClientTest extends AbstractTest<TransportScenario>
|
|||
clientThreads.setName("client");
|
||||
scenario.client.setExecutor(clientThreads);
|
||||
scenario.client.start();
|
||||
if (transport == Transport.H3)
|
||||
{
|
||||
Assumptions.assumeTrue(false, "certificate verification not yet supported in quic");
|
||||
// TODO: the lines below should be enough, but they don't work. To be investigated.
|
||||
HttpClientTransportOverHTTP3 http3Transport = (HttpClientTransportOverHTTP3)scenario.client.getTransport();
|
||||
http3Transport.getHTTP3Client().getQuicConfiguration().setVerifyPeerCertificates(true);
|
||||
}
|
||||
|
||||
assertThrows(ExecutionException.class, () ->
|
||||
// H3 times out b/c it is QUIC's way of figuring out a connection cannot be established.
|
||||
Class<? extends Exception> expectedType = transport == Transport.H3 ? TimeoutException.class : ExecutionException.class;
|
||||
assertThrows(expectedType, () ->
|
||||
{
|
||||
// Use an IP address not present in the certificate.
|
||||
int serverPort = scenario.getServerPort().orElse(0);
|
||||
|
|
|
@ -14,9 +14,11 @@
|
|||
package org.eclipse.jetty.http.client;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
import java.lang.management.ManagementFactory;
|
||||
import java.nio.file.Files;
|
||||
import java.nio.file.Path;
|
||||
import java.security.KeyStore;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import java.util.OptionalInt;
|
||||
|
@ -122,7 +124,9 @@ public class TransportScenario
|
|||
case FCGI:
|
||||
return new ServerConnector(server, 1, 1, provideServerConnectionFactory(transport));
|
||||
case H3:
|
||||
return new HTTP3ServerConnector(server, sslContextFactory, provideServerConnectionFactory(transport));
|
||||
HTTP3ServerConnector http3ServerConnector = new HTTP3ServerConnector(server, sslContextFactory, provideServerConnectionFactory(transport));
|
||||
http3ServerConnector.getQuicConfiguration().setPemWorkDirectory(Path.of(System.getProperty("java.io.tmpdir")));
|
||||
return http3ServerConnector;
|
||||
case UNIX_DOMAIN:
|
||||
UnixDomainServerConnector connector = new UnixDomainServerConnector(server, provideServerConnectionFactory(transport));
|
||||
connector.setUnixDomainPath(unixDomainPath);
|
||||
|
@ -175,7 +179,6 @@ public class TransportScenario
|
|||
ClientConnector clientConnector = http3Client.getClientConnector();
|
||||
clientConnector.setSelectors(1);
|
||||
clientConnector.setSslContextFactory(sslContextFactory);
|
||||
http3Client.getQuicConfiguration().setVerifyPeerCertificates(false);
|
||||
return new HttpClientTransportOverHTTP3(http3Client);
|
||||
}
|
||||
case FCGI:
|
||||
|
@ -384,11 +387,24 @@ public class TransportScenario
|
|||
|
||||
private void configureSslContextFactory(SslContextFactory sslContextFactory)
|
||||
{
|
||||
sslContextFactory.setKeyStorePath("src/test/resources/keystore.p12");
|
||||
try
|
||||
{
|
||||
KeyStore keystore = KeyStore.getInstance("PKCS12");
|
||||
try (InputStream is = Files.newInputStream(Path.of("src/test/resources/keystore.p12")))
|
||||
{
|
||||
keystore.load(is, "storepwd".toCharArray());
|
||||
}
|
||||
sslContextFactory.setTrustStore(keystore);
|
||||
sslContextFactory.setKeyStore(keystore);
|
||||
sslContextFactory.setKeyStorePassword("storepwd");
|
||||
sslContextFactory.setUseCipherSuitesOrder(true);
|
||||
sslContextFactory.setCipherComparator(HTTP2Cipher.COMPARATOR);
|
||||
}
|
||||
catch (Exception e)
|
||||
{
|
||||
throw new RuntimeException(e);
|
||||
}
|
||||
}
|
||||
|
||||
public void stopClient() throws Exception
|
||||
{
|
||||
|
|
Loading…
Reference in New Issue