expose SSLSession from web socket connection

emattheis · emattheis · commit e42789c512fe · 2025-05-29T12:59:52.000-04:00
diff --git a/extensions/websockets-next/deployment/src/test/java/io/quarkus/websockets/next/test/client/MtlsWithP12ClientEndpointTest.java b/extensions/websockets-next/deployment/src/test/java/io/quarkus/websockets/next/test/client/MtlsWithP12ClientEndpointTest.java
@@ -1,6 +1,8 @@
 package io.quarkus.websockets.next.test.client;
 
+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
 import java.io.File;
@@ -9,6 +11,9 @@
 import java.util.concurrent.CopyOnWriteArrayList;
 import java.util.concurrent.CountDownLatch;
 import java.util.concurrent.TimeUnit;
+import java.util.concurrent.atomic.AtomicReference;
+
+import javax.net.ssl.SSLPeerUnverifiedException;
 
 import jakarta.inject.Inject;
 
@@ -24,6 +29,7 @@
 import io.quarkus.websockets.next.WebSocket;
 import io.quarkus.websockets.next.WebSocketClient;
 import io.quarkus.websockets.next.WebSocketClientConnection;
+import io.quarkus.websockets.next.WebSocketConnection;
 import io.quarkus.websockets.next.WebSocketConnector;
 import io.smallrye.certs.Format;
 import io.smallrye.certs.junit5.Certificate;
@@ -47,6 +53,7 @@ public class MtlsWithP12ClientEndpointTest {
             .overrideConfigKey("quarkus.tls.ws-server.trust-store.p12.path", "server-truststore.p12")
             .overrideConfigKey("quarkus.tls.ws-server.trust-store.p12.password", "secret")
             .overrideConfigKey("quarkus.http.tls-configuration-name", "ws-server")
+            .overrideConfigKey("quarkus.http.ssl.client-auth", "required")
 
             .overrideConfigKey("quarkus.tls.ws-client.key-store.p12.path", "client-keystore.p12")
             .overrideConfigKey("quarkus.tls.ws-client.key-store.p12.password", "secret")
@@ -61,13 +68,34 @@ public class MtlsWithP12ClientEndpointTest {
     URI uri;
 
     @Test
-    void testClient() throws InterruptedException {
+    void testClient() throws InterruptedException, SSLPeerUnverifiedException {
         WebSocketClientConnection connection = connector
                 .baseUri(uri)
                 // The value will be encoded automatically
                 .pathParam("name", "Lu=")
                 .connectAndAwait();
         assertTrue(connection.isSecure());
+        assertNotNull(connection.sslSession());
+        assertNotNull(connection.sslSession().getLocalPrincipal());
+        assertNotNull(connection.sslSession().getLocalCertificates());
+        assertNotNull(connection.sslSession().getPeerPrincipal());
+        assertNotNull(connection.sslSession().getPeerCertificates());
+
+        assertTrue(ServerEndpoint.OPENED_LATCH.await(5, TimeUnit.SECONDS));
+        assertTrue(ServerEndpoint.CONNECTION_REF.get().isSecure());
+        assertNotNull(ServerEndpoint.CONNECTION_REF.get().sslSession());
+        assertNotNull(ServerEndpoint.CONNECTION_REF.get().sslSession().getLocalPrincipal());
+        assertNotNull(ServerEndpoint.CONNECTION_REF.get().sslSession().getLocalCertificates());
+        assertNotNull(ServerEndpoint.CONNECTION_REF.get().sslSession().getPeerPrincipal());
+        assertNotNull(ServerEndpoint.CONNECTION_REF.get().sslSession().getPeerCertificates());
+        assertEquals(connection.sslSession().getPeerPrincipal(),
+                ServerEndpoint.CONNECTION_REF.get().sslSession().getLocalPrincipal());
+        assertArrayEquals(connection.sslSession().getPeerCertificates(),
+                ServerEndpoint.CONNECTION_REF.get().sslSession().getLocalCertificates());
+        assertEquals(connection.sslSession().getLocalPrincipal(),
+                ServerEndpoint.CONNECTION_REF.get().sslSession().getPeerPrincipal());
+        assertArrayEquals(connection.sslSession().getLocalCertificates(),
+                ServerEndpoint.CONNECTION_REF.get().sslSession().getPeerCertificates());
 
         assertEquals("Lu=", connection.pathParam("name"));
         connection.sendTextAndAwait("Hi!");
@@ -84,10 +112,16 @@ void testClient() throws InterruptedException {
     @WebSocket(path = "/endpoint/{name}")
     public static class ServerEndpoint {
 
+        static final AtomicReference<WebSocketConnection> CONNECTION_REF = new AtomicReference<>();
+
+        static final CountDownLatch OPENED_LATCH = new CountDownLatch(1);
+
         static final CountDownLatch CLOSED_LATCH = new CountDownLatch(1);
 
         @OnOpen
-        String open(@PathParam String name) {
+        String open(@PathParam String name, WebSocketConnection connection) {
+            CONNECTION_REF.set(connection);
+            OPENED_LATCH.countDown();
             return "Hello " + name + "!";
         }
 
diff --git a/extensions/websockets-next/deployment/src/test/java/io/quarkus/websockets/next/test/client/TlsClientEndpointTest.java b/extensions/websockets-next/deployment/src/test/java/io/quarkus/websockets/next/test/client/TlsClientEndpointTest.java
@@ -1,6 +1,10 @@
 package io.quarkus.websockets.next.test.client;
 
+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
 import java.io.File;
@@ -10,6 +14,9 @@
 import java.util.concurrent.CopyOnWriteArrayList;
 import java.util.concurrent.CountDownLatch;
 import java.util.concurrent.TimeUnit;
+import java.util.concurrent.atomic.AtomicReference;
+
+import javax.net.ssl.SSLPeerUnverifiedException;
 
 import jakarta.inject.Inject;
 
@@ -25,6 +32,7 @@
 import io.quarkus.websockets.next.WebSocket;
 import io.quarkus.websockets.next.WebSocketClient;
 import io.quarkus.websockets.next.WebSocketClientConnection;
+import io.quarkus.websockets.next.WebSocketConnection;
 import io.quarkus.websockets.next.WebSocketConnector;
 import io.smallrye.certs.Format;
 import io.smallrye.certs.junit5.Certificate;
@@ -53,20 +61,39 @@ public class TlsClientEndpointTest {
     URI uri;
 
     @Test
-    void testClient() throws InterruptedException, URISyntaxException {
+    void testClient() throws InterruptedException, SSLPeerUnverifiedException, URISyntaxException {
         assertClient(uri);
         URI wssUri = new URI("wss", uri.getUserInfo(), uri.getHost(), uri.getPort(), uri.getPath(), uri.getQuery(),
                 uri.getFragment());
         assertClient(wssUri);
     }
 
-    void assertClient(URI uri) throws InterruptedException, URISyntaxException {
+    void assertClient(URI uri) throws InterruptedException, SSLPeerUnverifiedException {
         WebSocketClientConnection connection = connector
                 .baseUri(uri)
                 // The value will be encoded automatically
                 .pathParam("name", "Lu=")
                 .connectAndAwait();
         assertTrue(connection.isSecure());
+        assertNotNull(connection.sslSession());
+        assertNull(connection.sslSession().getLocalPrincipal());
+        assertNull(connection.sslSession().getLocalCertificates());
+        assertNotNull(connection.sslSession().getPeerPrincipal());
+        assertNotNull(connection.sslSession().getPeerCertificates());
+
+        assertTrue(ServerEndpoint.openedLatch.await(5, TimeUnit.SECONDS));
+        assertTrue(ServerEndpoint.CONNECTION_REF.get().isSecure());
+        assertNotNull(ServerEndpoint.CONNECTION_REF.get().sslSession());
+        assertNotNull(ServerEndpoint.CONNECTION_REF.get().sslSession().getLocalPrincipal());
+        assertNotNull(ServerEndpoint.CONNECTION_REF.get().sslSession().getLocalCertificates());
+        assertThrows(SSLPeerUnverifiedException.class,
+                () -> ServerEndpoint.CONNECTION_REF.get().sslSession().getPeerPrincipal());
+        assertThrows(SSLPeerUnverifiedException.class,
+                () -> ServerEndpoint.CONNECTION_REF.get().sslSession().getPeerCertificates());
+        assertEquals(connection.sslSession().getPeerPrincipal(),
+                ServerEndpoint.CONNECTION_REF.get().sslSession().getLocalPrincipal());
+        assertArrayEquals(connection.sslSession().getPeerCertificates(),
+                ServerEndpoint.CONNECTION_REF.get().sslSession().getLocalCertificates());
 
         assertEquals("Lu=", connection.pathParam("name"));
         connection.sendTextAndAwait("Hi!");
@@ -86,10 +113,16 @@ void assertClient(URI uri) throws InterruptedException, URISyntaxException {
     @WebSocket(path = "/endpoint/{name}")
     public static class ServerEndpoint {
 
+        static final AtomicReference<WebSocketConnection> CONNECTION_REF = new AtomicReference<>();
+
+        static volatile CountDownLatch openedLatch = new CountDownLatch(1);
+
         static volatile CountDownLatch closedLatch = new CountDownLatch(1);
 
         @OnOpen
-        String open(@PathParam String name) {
+        String open(@PathParam String name, WebSocketConnection connection) {
+            CONNECTION_REF.set(connection);
+            openedLatch.countDown();
             return "Hello " + name + "!";
         }
 
@@ -104,6 +137,8 @@ void close() {
         }
 
         static void reset() {
+            CONNECTION_REF.set(null);
+            openedLatch = new CountDownLatch(1);
             closedLatch = new CountDownLatch(1);
         }
 
diff --git a/extensions/websockets-next/runtime/src/main/java/io/quarkus/websockets/next/Connection.java b/extensions/websockets-next/runtime/src/main/java/io/quarkus/websockets/next/Connection.java
@@ -2,6 +2,8 @@
 
 import java.time.Instant;
 
+import javax.net.ssl.SSLSession;
+
 import io.smallrye.common.annotation.CheckReturnValue;
 import io.smallrye.mutiny.Uni;
 
@@ -32,6 +34,12 @@ public interface Connection extends Sender {
      */
     boolean isSecure();
 
+    /**
+     * @return {@link SSLSession} associated with the underlying socket, or {@code null} if connection is not secure.
+     * @see #isSecure()
+     */
+    SSLSession sslSession();
+
     /**
      * @return {@code true} if the WebSocket is closed
      */
diff --git a/extensions/websockets-next/runtime/src/main/java/io/quarkus/websockets/next/runtime/WebSocketConnectionBase.java b/extensions/websockets-next/runtime/src/main/java/io/quarkus/websockets/next/runtime/WebSocketConnectionBase.java
@@ -4,6 +4,8 @@
 import java.util.Map;
 import java.util.UUID;
 
+import javax.net.ssl.SSLSession;
+
 import org.jboss.logging.Logger;
 
 import io.quarkus.vertx.utils.NoBoundChecksBuffer;
@@ -137,6 +139,11 @@ public boolean isSecure() {
         return webSocket().isSsl();
     }
 
+    @Override
+    public SSLSession sslSession() {
+        return webSocket().sslSession();
+    }
+
     @Override
     public boolean isClosed() {
         return webSocket().isClosed();
