tst

Author: rli

plugins/amazonq/shared/jetbrains-community/src/software/aws/toolkits/jetbrains/services/amazonq/lsp/AmazonQLspService.kt

@@ -267,13 +267,7 @@ private class AmazonQServerInstance(private val project: Project, private val cs
         val rtsTrustChain = TrustChainUtil.getTrustChain(qUri)
         val extraCaCerts = Files.createTempFile("q-extra-ca", ".pem").apply {
             writeText(
-                buildList {
-                    rtsTrustChain.forEach {
-                        add("-----BEGIN CERTIFICATE-----")
-                        add(Base64.getMimeEncoder(64, System.lineSeparator().toByteArray()).encodeToString(it.encoded))
-                        add("-----END CERTIFICATE-----")
-                    }
-                }.joinToString(separator = System.lineSeparator())
+                TrustChainUtil.certsToPem(rtsTrustChain)
             )
         }
 

plugins/amazonq/shared/jetbrains-community/src/software/aws/toolkits/jetbrains/services/amazonq/lsp/TrustChainUtil.kt

@@ -11,8 +11,10 @@ import org.apache.http.conn.ssl.DefaultHostnameVerifier
 import org.apache.http.impl.client.HttpClientBuilder
 import org.apache.http.impl.client.SystemDefaultCredentialsProvider
 import org.apache.http.impl.conn.SystemDefaultRoutePlanner
+import org.jetbrains.annotations.TestOnly
 import software.aws.toolkits.core.utils.getLogger
 import software.aws.toolkits.core.utils.warn
+import software.aws.toolkits.core.utils.writeText
 import java.net.URI
 import java.security.KeyStore
 import java.security.cert.CertPathBuilder
@@ -23,46 +25,57 @@ import java.security.cert.PKIXBuilderParameters
 import java.security.cert.PKIXCertPathBuilderResult
 import java.security.cert.X509CertSelector
 import java.security.cert.X509Certificate
+import java.util.Base64
 import kotlin.collections.ifEmpty
 
 object TrustChainUtil {
     private val LOG = getLogger<TrustChainUtil>()
 
+    @TestOnly
+    fun resolveTrustChain(certs: Collection<X509Certificate>, trustAnchors: Collection<X509Certificate>) = resolveTrustChain(certs, keystoreFromCertificates(trustAnchors))
+
     /**
      * Build and validate the complete certificate chain
      * @param certs The end-entity certificate
      * @param trustAnchors The truststore containing trusted CA certificates
      * @return The complete certificate chain
      */
     fun resolveTrustChain(certs: Collection<X509Certificate>, trustAnchors: KeyStore): List<X509Certificate> {
-        // Create the selector for the certificate
-        val selector = X509CertSelector()
-        selector.certificate = certs.first()
-
-        // Create the parameters for path validation
-        val pkixParams = PKIXBuilderParameters(trustAnchors, selector)
-
-        // Disable CRL checking since we just want to build the path
-        pkixParams.isRevocationEnabled = false
-
-        // Create a CertStore containing the certificate we want to validate
-        val ccsp = CollectionCertStoreParameters(certs)
-        val certStore = CertStore.getInstance("Collection", ccsp)
-        pkixParams.addCertStore(certStore)
-
-        // Get the certification path
-        val builder = CertPathBuilder.getInstance("PKIX")
-        val result = builder.build(pkixParams) as PKIXCertPathBuilderResult
-        val certPath = result.certPath
-        val chain = (certPath.certificates as List<X509Certificate>).toMutableList()
-
-        // Add the trust anchor (root CA) to complete the chain
-        val trustAnchorCert = result.trustAnchor.trustedCert
-        if (trustAnchorCert != null) {
-            chain.add(trustAnchorCert)
-        }
+        try {
+            // Create the selector for the certificate
+            val selector = X509CertSelector()
+            selector.certificate = certs.first()
+
+            // Create the parameters for path validation
+            val pkixParams = PKIXBuilderParameters(trustAnchors, selector)
+
+            // Disable CRL checking since we just want to build the path
+            pkixParams.isRevocationEnabled = false
+
+            // Create a CertStore containing the certificate we want to validate
+            val ccsp = CollectionCertStoreParameters(certs)
+            val certStore = CertStore.getInstance("Collection", ccsp)
+            pkixParams.addCertStore(certStore)
+
+            // Get the certification path
+            val builder = CertPathBuilder.getInstance("PKIX")
+            val result = builder.build(pkixParams) as PKIXCertPathBuilderResult
+            val certPath = result.certPath
+            val chain = (certPath.certificates as List<X509Certificate>).toMutableList()
+
+            // Add the trust anchor (root CA) to complete the chain
+            val trustAnchorCert = result.trustAnchor.trustedCert
+            if (trustAnchorCert != null) {
+                chain.add(trustAnchorCert)
+            }
 
-        return chain
+            return chain
+        } catch (e: Exception) {
+            // Java PKIX is happy with leaf cert in certification path, but Node.JS will not respect in NODE_CA_CERTS
+            LOG.warn(e) { "Could not build trust anchor via CertPathBuilder? maybe user accepted leaf cert but not intermediate" }
+
+            return emptyList()
+        }
     }
 
     fun getTrustChain(uri: URI): List<X509Certificate> {
@@ -81,7 +94,7 @@ object TrustChainUtil {
             .setSSLContext(CertificateManager.getInstance().sslContext)
 
         // client request will fail if user did not accept cert
-        client.build().execute(RequestBuilder.options(uri).build())
+        client.build().use { it.execute(RequestBuilder.options(uri).build()) }
 
         val certificates = peerCerts as Array<X509Certificate>
 
@@ -95,7 +108,7 @@ object TrustChainUtil {
             resolveTrustChain(certificates.toList(), ks)
         } catch (e: Exception) {
             // Java PKIX is happy with leaf cert in certification path, but Node.JS will not respect in NODE_CA_CERTS
-            LOG.warn(e) { "Passed Apache PKIX verification but could not build trust anchor via CertPathBuilder? maybe user accepted leaf cert but not intermediate" }
+            LOG.warn(e) { "Passed Apache PKIX verification but could not build trust anchor via CertPathBuilder? maybe user accepted leaf cert but not root" }
             emptyList()
         }
 
@@ -106,6 +119,15 @@ object TrustChainUtil {
         }
     }
 
+    fun certsToPem(certs: List<X509Certificate>): String =
+        buildList {
+            certs.forEach {
+                add("-----BEGIN CERTIFICATE-----")
+                add(Base64.getMimeEncoder(64, System.lineSeparator().toByteArray()).encodeToString(it.encoded))
+                add("-----END CERTIFICATE-----")
+            }
+        }.joinToString(separator = System.lineSeparator())
+
     private fun keystoreFromCertificates(certificates: Collection<X509Certificate>): KeyStore {
         val ks = KeyStore.getInstance(KeyStore.getDefaultType())
         ks.load(null, null)

plugins/amazonq/shared/jetbrains-community/tst/software/aws/toolkits/jetbrains/services/amazonq/lsp/TrustChainUtilTest.kt

@@ -7,6 +7,8 @@ import com.github.tomakehurst.wiremock.WireMockServer
 import com.github.tomakehurst.wiremock.common.Slf4jNotifier
 import com.github.tomakehurst.wiremock.core.WireMockConfiguration
 import com.github.tomakehurst.wiremock.core.WireMockConfiguration.wireMockConfig
+import com.intellij.execution.configurations.GeneralCommandLine
+import com.intellij.execution.util.ExecUtil
 import com.intellij.testFramework.ApplicationExtension
 import com.intellij.util.net.ssl.CertificateManager
 import org.assertj.core.api.Assertions.assertThat
@@ -26,9 +28,11 @@ import org.bouncycastle.asn1.x509.KeyUsage
 import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter
 import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder
 import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder
-import org.junit.jupiter.api.extension.AfterAllCallback
-import org.junit.jupiter.api.extension.ExtensionContext
+import org.junit.jupiter.api.AfterEach
+import org.junit.jupiter.api.BeforeEach
+import org.junit.jupiter.api.TestInstance
 import software.aws.toolkits.core.utils.outputStream
+import software.aws.toolkits.core.utils.writeText
 import java.nio.file.Files
 import java.nio.file.Path
 import java.security.KeyPair
@@ -38,12 +42,15 @@ import java.time.temporal.ChronoUnit
 import java.util.Date
 
 @ExtendWith(ApplicationExtension::class)
-class TrustChainUtilTest : AfterAllCallback {
+@TestInstance(TestInstance.Lifecycle.PER_CLASS)
+class TrustChainUtilTest {
     companion object {
         private val certs = CertificateGenerator.generateCertificateChain()
     }
 
-    override fun afterAll(context: ExtensionContext) {
+    @BeforeEach
+    @AfterEach
+    fun clearCerts() {
         CertificateManager.getInstance().customTrustManager.apply {
             certificates.toList().forEach { removeCertificate(it) }
         }
@@ -77,7 +84,7 @@ class TrustChainUtilTest : AfterAllCallback {
     }
 
     @Test
-    fun `returns entire chain if CA is trusted`() {
+    fun `returns entire chain if CA is trust anchor`() {
         CertificateManager.getInstance().customTrustManager.addCertificate(certs.keys.last())
 
         mockWithOptions(
@@ -97,16 +104,43 @@ class TrustChainUtilTest : AfterAllCallback {
             }
         ) {
             val trustChain = TrustChainUtil.getTrustChain(URI("https://localhost:${it.httpsPort()}"))
-            // leaf, intermediate, root
+            // leaf, intermediate
             assertThat(trustChain)
                 .isEqualTo(certs.keys.toList())
         }
     }
 
     @Test
-    fun `returns entire chain if CA is trusted but only returns leaf`() {
-        CertificateManager.getInstance().customTrustManager.addCertificate(certs.keys.last())
+    fun `returns empty if CA is trusted but does not provide intermediate`() {
+        val (leaf, _, root) = certs.keys.take(3)
+        assertThat(
+            TrustChainUtil.resolveTrustChain(listOf(leaf), listOf(root))
+        ).isEmpty()
+    }
+
+    @Test
+    fun `returns entire chain if CA is trusted and provides intermediate`() {
+        val (leaf, intermediate, root) = certs.keys.take(3)
+        assertThat(
+            TrustChainUtil.resolveTrustChain(listOf(leaf, intermediate), listOf(root))
+        ).isEqualTo(
+            listOf(leaf, intermediate, root)
+        )
+    }
 
+    @Test
+    fun `returns empty if CA is not trusted`() {
+        val (leaf, intermediate) = certs.keys.take(2)
+        assertThat(
+            TrustChainUtil.resolveTrustChain(
+                listOf(leaf, intermediate),
+                listOf(CertificateManager.getInstance().trustManager.acceptedIssuers.first())
+            )
+        ).isEmpty()
+    }
+
+    @Test
+    fun `node accepts full chain`() {
         mockWithOptions(
             {
                 it.keystorePath(
@@ -116,20 +150,108 @@ class TrustChainUtilTest : AfterAllCallback {
                             CertificateGenerator.saveToKeyStore(
                                 this,
                                 certs.values.first(),
-                                certs.keys.take(1).toTypedArray(),
+                                certs.keys.take(2).toTypedArray(),
                             )
                         }
                         .toString()
                 )
+            },
+            {
+                val pemFile = Files.createTempFile("test", ".pem").apply {
+                    writeText(
+                        TrustChainUtil.certsToPem(certs.keys.toList())
+                    )
+                }
+
+                val output = ExecUtil.execAndGetOutput(
+                    GeneralCommandLine(
+                        "node",
+                        "--use-bundled-ca",
+                        Files.createTempFile("test", ".js").apply { writeText(nodeTest(it.httpsPort())) }.toAbsolutePath().toString(),
+                    ).withEnvironment("NODE_EXTRA_CA_CERTS", pemFile.toAbsolutePath().toString())
+                )
+
+                assertThat(output.exitCode).withFailMessage { "node validation failed: ${output.stdout}\n${output.stderr}" }
+                    .isEqualTo(0)
             }
-        ) {
-            val trustChain = TrustChainUtil.getTrustChain(URI("https://localhost:${it.httpsPort()}"))
-            // leaf, intermediate, root
-            assertThat(trustChain)
-                .isEqualTo(certs.keys.toList())
-        }
+        )
+    }
+
+    @Test
+    fun `node does not accept intermediate only`() {
+        mockWithOptions(
+            {
+                it.keystorePath(
+                    Files.createTempFile("certs", "jks")
+                        .toAbsolutePath()
+                        .apply {
+                            CertificateGenerator.saveToKeyStore(
+                                this,
+                                certs.values.first(),
+                                certs.keys.take(2).toTypedArray(),
+                            )
+                        }
+                        .toString()
+                )
+            },
+            {
+                val pemFile = Files.createTempFile("test", ".pem").apply {
+                    writeText(
+                        TrustChainUtil.certsToPem(certs.keys.take(2).toList())
+                    )
+                }
+
+                // node does not support partial chains
+                val output = ExecUtil.execAndGetOutput(
+                    GeneralCommandLine(
+                        "node",
+                        "--use-bundled-ca",
+                        Files.createTempFile("test", ".js").apply { writeText(nodeTest(it.httpsPort())) }.toAbsolutePath().toString(),
+                    ).withEnvironment("NODE_EXTRA_CA_CERTS", pemFile.toAbsolutePath().toString())
+                )
+
+                assertThat(output.exitCode).withFailMessage { "node validation succeeded instead of failed: ${output.stdout}\n${output.stderr}" }
+                    .isEqualTo(1)
+            }
+        )
     }
 
+    // language=JavaScript
+    private fun nodeTest(port: Int) = """
+        const https = require("https");
+        
+        async function main() {  // Wrapped in async function for better error handling
+            try {
+                const options = {
+                    host: "localhost",
+                    port: $port,
+                    path: "/",
+                    requestCert: true,
+                    rejectUnauthorized: true,
+                };
+        
+                const req = https.get(options, (res) => {
+                    console.log("Certificate authorized:", res.socket.authorized);
+                    const cert = res.socket.getPeerCertificate();
+                    console.log("Certificate details:", cert);
+                    process.exit(0)
+                });
+        
+                req.on("error", (err) => {  // Added error handling
+                    console.error("Request error:", err);
+                    process.exit(1)
+                });
+        
+                req.end();
+            } catch (error) {
+                console.error("Error:", error);
+                process.exit(1)
+            }
+        }
+        
+        main();
+    """.trimIndent()
+
     private fun mockWithOptions(options: (WireMockConfiguration) -> Unit, runnable: (WireMockServer) -> Unit) {
         val server = WireMockServer(
             wireMockConfig()
@@ -251,7 +373,8 @@ class CertificateGenerator {
                 addExtension(
                     Extension.basicConstraints,
                     true,
-                    BasicConstraints(true)
+                    // not allowed to issue sub-CA
+                    BasicConstraints(0)
                 )
                 addExtension(
                     Extension.keyUsage,