Merge pull request #2816 from eclipse/jetty-9.4.x-issue-2881-ssl.dump

Issue #2811 - Dump fix JreDisabled:java.security to JVM:disabled
Joakim Erdfelt 2018-08-22 11:45:48 -05:00 committed by GitHub
commit efce43eefc
3 changed files with 103 additions and 42 deletions


@ -353,28 +353,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
try
{
/* Use a pristine SSLEngine (not one from this SslContextFactory).
* This will allow for proper detection and identification
* of JRE/lib/security/java.security level disabled features
*/
SSLEngine sslEngine = SSLContext.getDefault().createSSLEngine();
List<Object> selections = new ArrayList<>();
// protocols
selections.add(new SslSelectionDump("Protocol",
sslEngine.getSupportedProtocols(),
sslEngine.getEnabledProtocols(),
getExcludeProtocols(),
getIncludeProtocols()));
// ciphers
selections.add(new SslSelectionDump("Cipher Suite",
sslEngine.getSupportedCipherSuites(),
sslEngine.getEnabledCipherSuites(),
getExcludeCipherSuites(),
getIncludeCipherSuites()));
List<SslSelectionDump> selections = selectionDump();
ContainerLifeCycle.dump(out, indent, selections);
}
catch (NoSuchAlgorithmException ignore)
@ -382,6 +361,33 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
LOG.ignore(ignore);
}
}
List<SslSelectionDump> selectionDump() throws NoSuchAlgorithmException
{
/* Use a pristine SSLEngine (not one from this SslContextFactory).
* This will allow for proper detection and identification
* of JRE/lib/security/java.security level disabled features
*/
SSLEngine sslEngine = SSLContext.getDefault().createSSLEngine();
List<SslSelectionDump> selections = new ArrayList<>();
// protocols
selections.add(new SslSelectionDump("Protocol",
sslEngine.getSupportedProtocols(),
sslEngine.getEnabledProtocols(),
getExcludeProtocols(),
getIncludeProtocols()));
// ciphers
selections.add(new SslSelectionDump("Cipher Suite",
sslEngine.getSupportedCipherSuites(),
sslEngine.getEnabledCipherSuites(),
getExcludeCipherSuites(),
getIncludeCipherSuites()));
return selections;
}
@Override
protected void doStop() throws Exception
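Review bot: The new package-private `selectionDump()` in the second hunk has no Javadoc, and the block comment it inherited only explains why a pristine engine is used; a caller (the test in this PR is one) cannot tell that the returned dumps are computed against `SSLContext.getDefault()` and this factory's include/exclude patterns, not against the context this factory actually builds from its keystore and trust settings. Suggest a Javadoc along the lines of `/** Builds the protocol and cipher-suite selection dumps against a fresh engine from SSLContext.getDefault(), so JVM-level (java.security) disables are visible independently of this factory's own configuration. Package-private for tests. @throws NoSuchAlgorithmException if the default SSLContext is unavailable */`. Because `dump()` routes the helper's `NoSuchAlgorithmException` into the existing `LOG.ignore(ignore)`, a dump that silently lacks the selection section is indistinguishable from one with nothing to report; a one-line comment at the catch noting that the section is intentionally omitted in that case would make that explicit. `doStop()` continues outside the hunk.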


@ -30,9 +30,9 @@ import java.util.stream.Collectors;
import org.eclipse.jetty.util.component.ContainerLifeCycle;
import org.eclipse.jetty.util.component.Dumpable;
public class SslSelectionDump extends ContainerLifeCycle implements Dumpable
class SslSelectionDump extends ContainerLifeCycle implements Dumpable
{
private static class CaptionedList extends ArrayList<String> implements Dumpable
static class CaptionedList extends ArrayList<String> implements Dumpable
{
private final String caption;
@ -57,9 +57,9 @@ public class SslSelectionDump extends ContainerLifeCycle implements Dumpable
}
}
private final String type;
private SslSelectionDump.CaptionedList enabled = new SslSelectionDump.CaptionedList("Enabled");
private SslSelectionDump.CaptionedList disabled = new SslSelectionDump.CaptionedList("Disabled");
final String type;
final SslSelectionDump.CaptionedList enabled = new SslSelectionDump.CaptionedList("Enabled");
final SslSelectionDump.CaptionedList disabled = new SslSelectionDump.CaptionedList("Disabled");
public SslSelectionDump(String type,
String[] supportedByJVM,
@ -87,16 +87,7 @@ public class SslSelectionDump extends ContainerLifeCycle implements Dumpable
StringBuilder s = new StringBuilder();
s.append(entry);
if (!jvmEnabled.contains(entry))
{
if (isPresent)
{
s.append(" -");
isPresent = false;
}
s.append(" JreDisabled:java.security");
}
for (Pattern pattern : excludedPatterns)
{
Matcher m = pattern.matcher(entry);
@ -114,10 +105,11 @@ public class SslSelectionDump extends ContainerLifeCycle implements Dumpable
s.append(" ConfigExcluded:'").append(pattern.pattern()).append('\'');
}
}
boolean isIncluded = false;
if (!includedPatterns.isEmpty())
{
boolean isIncluded = false;
for (Pattern pattern : includedPatterns)
{
Matcher m = pattern.matcher(entry);
@ -139,10 +131,22 @@ public class SslSelectionDump extends ContainerLifeCycle implements Dumpable
{
s.append(",");
}
s.append(" ConfigIncluded:NotSpecified");
s.append(" ConfigIncluded:NotSelected");
}
}
if (!isIncluded && !jvmEnabled.contains(entry))
{
if (isPresent)
{
s.append(" -");
isPresent = false;
}
s.append(" JVM:disabled");
}
if (isPresent)
{
enabled.add(s.toString());
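Review bot: The relocated check `if (!isIncluded && !jvmEnabled.contains(entry))` at the end of the last hunk is now gated on the include patterns, so an entry that matches an include pattern but is absent from the pristine engine's enabled list receives no marker at all and is added to `enabled`. If that suite was removed by the JVM through java.security (the case the SslContextFactory comment says the pristine engine exists to detect), the dump then reports as Enabled a suite the engine will never negotiate, which is exactly the kind of overstatement an operator reading a TLS dump is likely to act on. I cannot tell from this hunk whether `jvmEnabled` distinguishes "not enabled by default" from "disabled by policy"; if it does not, either keep annotating included entries without moving them, e.g. `else if (isIncluded && !jvmEnabled.contains(entry)) s.append(" JVM:notDefault");`, or add a comment stating that include patterns are deliberately trusted over the JVM default-enabled list. The enclosing constructor starts and ends outside the hunk.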


@ -18,10 +18,14 @@
package org.eclipse.jetty.util.ssl;
import static org.eclipse.jetty.toolchain.test.matchers.RegexMatcher.matchesPattern;
import static org.hamcrest.Matchers.containsInAnyOrder;
import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.equalTo;
import static org.hamcrest.Matchers.greaterThan;
import static org.hamcrest.Matchers.hasItem;
import static org.hamcrest.Matchers.is;
import static org.hamcrest.Matchers.not;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertThat;
@ -30,7 +34,12 @@ import static org.junit.Assert.assertTrue;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import org.eclipse.jetty.util.component.AbstractLifeCycle;
@ -70,7 +79,49 @@ public class SslContextFactoryTest
cf.start();
cf.dump(System.out, "");
// cf.dump(System.out, "");
List<SslSelectionDump> dumps = cf.selectionDump();
SslSelectionDump cipherDump = dumps.stream()
.filter((dump)-> dump.type.contains("Cipher Suite"))
.findFirst().get();
for(String enabledCipher : cipherDump.enabled)
{
assertThat("Enabled Cipher Suite", enabledCipher, not(matchesPattern(".*_RSA_.*(SHA1|MD5|SHA)")));
}
}
@Test
public void testDump_IncludeTlsRsa() throws Exception
{
cf.setKeyStorePassword("storepwd");
cf.setKeyManagerPassword("keypwd");
cf.setIncludeCipherSuites("TLS_RSA_.*");
cf.setExcludeCipherSuites("BOGUS"); // just to not exclude anything
cf.start();
// cf.dump(System.out, "");
List<SslSelectionDump> dumps = cf.selectionDump();
SSLEngine ssl = SSLContext.getDefault().createSSLEngine();
List<String> tlsRsaSuites = Stream.of(ssl.getSupportedCipherSuites())
.filter((suite)->suite.startsWith("TLS_RSA_"))
.collect(Collectors.toList());
List<String> selectedSuites = Arrays.asList(cf.getSelectedCipherSuites());
SslSelectionDump cipherDump = dumps.stream()
.filter((dump)-> dump.type.contains("Cipher Suite"))
.findFirst().get();
assertThat("Dump Enabled List size is equal to selected list size", cipherDump.enabled.size(), is(selectedSuites.size()));
for(String expectedCipherSuite: tlsRsaSuites)
{
assertThat("Selected Cipher Suites", selectedSuites, hasItem(expectedCipherSuite));
assertThat("Dump Enabled Cipher Suites", cipherDump.enabled, hasItem(expectedCipherSuite));
}
}
@Test