oncrpc: accept SSLParameters to configure SSLEngine

kofemann · kofemann · commit f07892ec134e · 2019-04-11T14:30:45.000+02:00
Motivation:
SSLParameters is used to configure supported ciphers, client auth mode
or protocols to use.

Modification:
add OncRpcSvcBuilder#withSSLParameters method to make use of SSLParameters
baed SSLEngine configuration.

Result:
configurable behavior SSLEngine

Acked-by: Paul Millar
Target: master
diff --git a/oncrpc4j-core/src/main/java/org/dcache/oncrpc4j/rpc/OncRpcSvc.java b/oncrpc4j-core/src/main/java/org/dcache/oncrpc4j/rpc/OncRpcSvc.java
@@ -72,6 +72,7 @@
 import static com.google.common.base.Throwables.propagateIfPossible;
 import java.net.SocketAddress;
 import java.util.stream.Collectors;
+import javax.net.ssl.SSLParameters;
 import org.dcache.oncrpc4j.grizzly.GrizzlyRpcTransport;
 import static org.dcache.oncrpc4j.grizzly.GrizzlyUtils.getSelectorPoolCfg;
 import static org.dcache.oncrpc4j.grizzly.GrizzlyUtils.rpcMessageReceiverFor;
@@ -105,6 +106,11 @@ public class OncRpcSvc {
      */
     private final SSLContext _sslContext;
 
+    /**
+     * SSL parameters that should be applied to SSL engine.
+     */
+    private final SSLParameters _sslParams;
+
     /**
      * Start TLS only when requested.
      */
@@ -180,6 +186,7 @@ public class OncRpcSvc {
 	_svcName = builder.getServiceName();
         _sslContext = builder.getSSLContext();
         _startTLS = builder.isStartTLS();
+        _sslParams = builder.getSSLParameters();
     }
 
     /**
@@ -319,6 +326,18 @@ public void start() throws IOException {
                 SSLEngineConfigurator clientSSLEngineConfigurator =
                         new SSLEngineConfigurator(_sslContext, true, false, false);
 
+                if (_sslParams != null) {
+                    String[] cipherSuites = _sslParams.getCipherSuites();
+                    serverSSLEngineConfigurator.setEnabledCipherSuites(cipherSuites);
+                    clientSSLEngineConfigurator.setEnabledCipherSuites(cipherSuites);
+
+                    String[] protocols = _sslParams.getProtocols();
+                    serverSSLEngineConfigurator.setEnabledProtocols(protocols);
+                    clientSSLEngineConfigurator.setEnabledProtocols(protocols);
+
+                    serverSSLEngineConfigurator.setNeedClientAuth(_sslParams.getNeedClientAuth());
+                    serverSSLEngineConfigurator.setWantClientAuth(_sslParams.getWantClientAuth());
+                }
                 SSLFilter sslFilter = new SSLFilter(serverSSLEngineConfigurator,
                         clientSSLEngineConfigurator);
                 filterChain.add(_startTLS ? new StartTlsFilter(sslFilter, _isClient) : sslFilter);
diff --git a/oncrpc4j-core/src/main/java/org/dcache/oncrpc4j/rpc/OncRpcSvcBuilder.java b/oncrpc4j-core/src/main/java/org/dcache/oncrpc4j/rpc/OncRpcSvcBuilder.java
@@ -30,6 +30,7 @@
 import java.util.concurrent.Executors;
 import java.util.concurrent.ThreadFactory;
 import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLParameters;
 
 import static com.google.common.base.Preconditions.checkArgument;
 import static org.dcache.oncrpc4j.grizzly.GrizzlyUtils.getDefaultWorkerPoolSize;
@@ -80,6 +81,7 @@ public class OncRpcSvcBuilder {
     private boolean _subjectPropagation = false;
     private SSLContext _sslContext = null;
     private boolean _startTLS = false;
+    private SSLParameters _sslParams;
 
     public OncRpcSvcBuilder withAutoPublish() {
         _autoPublish = true;
@@ -214,6 +216,11 @@ public OncRpcSvcBuilder withSSLContext(SSLContext sslContext) {
         return this;
     }
 
+    public OncRpcSvcBuilder withSSLParameters(SSLParameters sslParams) {
+        _sslParams = sslParams;
+        return this;
+    }
+
     public boolean getSubjectPropagation() {
         return _subjectPropagation;
     }
@@ -302,6 +309,10 @@ public SSLContext getSSLContext() {
         return _sslContext;
     }
 
+    public SSLParameters getSSLParameters() {
+        return _sslParams;
+    }
+
     public OncRpcSvc build() {
 
         if (_protocol == 0 || (((_protocol & TCP) != TCP) && ((_protocol & UDP) != UDP))) {
diff --git a/oncrpc4j-core/src/test/java/org/dcache/oncrpc4j/rpc/ClientServerTLSTest.java b/oncrpc4j-core/src/test/java/org/dcache/oncrpc4j/rpc/ClientServerTLSTest.java
@@ -3,19 +3,22 @@
 import org.dcache.oncrpc4j.rpc.net.IpProtocolType;
 import org.dcache.oncrpc4j.xdr.XdrString;
 
+import java.io.EOFException;
 import java.io.IOException;
 import java.math.BigInteger;
 import java.security.GeneralSecurityException;
 import java.security.KeyPair;
 import java.security.KeyPairGenerator;
 import java.security.KeyStore;
+import java.security.PrivateKey;
 import java.security.SecureRandom;
 import java.security.Security;
 import java.security.cert.Certificate;
 import java.util.Date;
 import java.util.concurrent.TimeUnit;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLParameters;
 import javax.net.ssl.TrustManagerFactory;
 
 import org.bouncycastle.asn1.x500.X500Name;
@@ -49,7 +52,8 @@ public class ClientServerTLSTest {
     private OncRpcSvc svc;
     private OncRpcSvc clnt;
     private RpcCall clntCall;
-    private SSLContext sslContext;
+    private SSLContext sslServerContext;
+    private SSLContext sslClientContext;
 
     private RpcDispatchable echo = (RpcCall call) -> {
         switch (call.getProcedure()) {
@@ -88,7 +92,15 @@ public static void setupClass() {
 
     @Before
     public void setUp() throws Exception {
-        sslContext = createSslContext();
+
+        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", "BC");
+        keyPairGenerator.initialize(2048, new SecureRandom());
+        KeyPair keyPair = keyPairGenerator.generateKeyPair();
+
+        Certificate certificate = generateSelfSignedCert(keyPair);
+
+        sslServerContext = createServerSslContext(certificate, keyPair.getPrivate());
+        sslClientContext = createClientSslContext(certificate);
     }
 
     @After
@@ -112,7 +124,7 @@ public void shouldCallCorrectProcedure() throws IOException {
                 .withSelectorThreadPoolSize(1)
                 .withWorkerThreadPoolSize(1)
                 .withRpcService(new OncRpcProgram(PROGNUM, PROGVER), echo)
-                .withSSLContext(sslContext)
+                .withSSLContext(sslServerContext)
                 .withServiceName("svc")
                 .build();
         svc.start();
@@ -125,7 +137,7 @@ public void shouldCallCorrectProcedure() throws IOException {
                 .withSelectorThreadPoolSize(1)
                 .withWorkerThreadPoolSize(1)
                 .withRpcService(new OncRpcProgram(PROGNUM, PROGVER), upper)
-                .withSSLContext(sslContext)
+                .withSSLContext(sslClientContext)
                 .withServiceName("clnt")
                 .build();
         clnt.start();
@@ -153,7 +165,7 @@ public void shouldTriggerClientCallback() throws IOException {
                 .withSelectorThreadPoolSize(1)
                 .withWorkerThreadPoolSize(1)
                 .withRpcService(new OncRpcProgram(PROGNUM, PROGVER), echo)
-                .withSSLContext(sslContext)
+                .withSSLContext(sslServerContext)
                 .withServiceName("svc")
                 .build();
         svc.start();
@@ -166,7 +178,7 @@ public void shouldTriggerClientCallback() throws IOException {
                 .withSelectorThreadPoolSize(1)
                 .withWorkerThreadPoolSize(1)
                 .withRpcService(new OncRpcProgram(PROGNUM, PROGVER), upper)
-                .withSSLContext(sslContext)
+                .withSSLContext(sslClientContext)
                 .withServiceName("clnt")
                 .build();
         clnt.start();
@@ -194,7 +206,7 @@ public void shouldStartTLSHandshake() throws IOException {
                 .withSelectorThreadPoolSize(1)
                 .withWorkerThreadPoolSize(1)
                 .withRpcService(new OncRpcProgram(PROGNUM, PROGVER), echo)
-                .withSSLContext(sslContext)
+                .withSSLContext(sslServerContext)
                 .withStartTLS()
                 .withServiceName("svc")
                 .build();
@@ -207,7 +219,7 @@ public void shouldStartTLSHandshake() throws IOException {
                 .withWorkerThreadIoStrategy()
                 .withSelectorThreadPoolSize(1)
                 .withWorkerThreadPoolSize(1)
-                .withSSLContext(sslContext)
+                .withSSLContext(sslClientContext)
                 .withStartTLS()
                 .withServiceName("clnt")
                 .build();
@@ -239,7 +251,7 @@ public void shouldFailWhenNoTLSOnClient() throws IOException {
                 .withSelectorThreadPoolSize(1)
                 .withWorkerThreadPoolSize(1)
                 .withRpcService(new OncRpcProgram(PROGNUM, PROGVER), echo)
-                .withSSLContext(sslContext)
+                .withSSLContext(sslServerContext)
                 .withStartTLS()
                 .withServiceName("svc")
                 .build();
@@ -275,7 +287,7 @@ public void shouldFailSecondStartTLS() throws IOException {
                 .withSelectorThreadPoolSize(1)
                 .withWorkerThreadPoolSize(1)
                 .withRpcService(new OncRpcProgram(PROGNUM, PROGVER), echo)
-                .withSSLContext(sslContext)
+                .withSSLContext(sslServerContext)
                 .withStartTLS()
                 .withServiceName("svc")
                 .build();
@@ -288,7 +300,7 @@ public void shouldFailSecondStartTLS() throws IOException {
                 .withWorkerThreadIoStrategy()
                 .withSelectorThreadPoolSize(1)
                 .withWorkerThreadPoolSize(1)
-                .withSSLContext(sslContext)
+                .withSSLContext(sslClientContext)
                 .withStartTLS()
                 .withServiceName("clnt")
                 .build();
@@ -324,7 +336,7 @@ public void shouldRejectStartTlsWhenNotConfigured() throws IOException {
                 .withWorkerThreadIoStrategy()
                 .withSelectorThreadPoolSize(1)
                 .withWorkerThreadPoolSize(1)
-                .withSSLContext(sslContext)
+                .withSSLContext(sslClientContext)
                 .withStartTLS()
                 .withServiceName("clnt")
                 .build();
@@ -336,21 +348,81 @@ public void shouldRejectStartTlsWhenNotConfigured() throws IOException {
         clntCall.call(0, XdrVoid.XDR_VOID, XdrVoid.XDR_VOID, new RpcAuthTypeTls());
     }
 
-    public static SSLContext createSslContext() throws Exception {
+
+    @Test(expected = EOFException.class) // rfc8446#section-6.2
+    public void shouldRejectTlsWhenClientCertRequired() throws IOException, Exception {
+
+        SSLParameters parameters = new SSLParameters();
+        parameters.setNeedClientAuth(true);
+
+        svc = new OncRpcSvcBuilder()
+                .withoutAutoPublish()
+                .withTCP()
+                .withWorkerThreadIoStrategy()
+                .withBindAddress("127.0.0.1")
+                .withSelectorThreadPoolSize(1)
+                .withWorkerThreadPoolSize(1)
+                .withRpcService(new OncRpcProgram(PROGNUM, PROGVER), echo)
+                .withSSLContext(sslServerContext)
+                .withSSLParameters(parameters)
+                .withServiceName("svc")
+                .build();
+        svc.start();
+
+        clnt = new OncRpcSvcBuilder()
+                .withoutAutoPublish()
+                .withTCP()
+                .withClientMode()
+                .withWorkerThreadIoStrategy()
+                .withSelectorThreadPoolSize(1)
+                .withWorkerThreadPoolSize(1)
+                .withRpcService(new OncRpcProgram(PROGNUM, PROGVER), upper)
+                .withSSLContext(sslClientContext)
+                .withServiceName("clnt")
+                .build();
+        clnt.start();
+
+        RpcTransport t = clnt.connect(svc.getInetSocketAddress(IpProtocolType.TCP));
+        clntCall = new RpcCall(PROGNUM, PROGVER, new RpcAuthTypeNone(), t);
+
+        XdrString s = new XdrString("hello");
+        XdrString reply = new XdrString();
+        clntCall.call(ECHO, s, reply);
+    }
+
+    public static SSLContext createClientSslContext(Certificate certificate) throws Exception {
 
         char[] password = "password".toCharArray();
 
+        // create emtpy keystore and put certificates into it
+        KeyStore keyStore = createEmptyKeystore();
+        keyStore.setEntry("chain", new KeyStore.TrustedCertificateEntry(certificate),null);
 
-        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", "BC");
-        keyPairGenerator.initialize(2048, new SecureRandom());
-        KeyPair keyPair = keyPairGenerator.generateKeyPair();
+        KeyManagerFactory keyManagerFactory
+                = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+        keyManagerFactory.init(keyStore, password);
+
+        TrustManagerFactory trustManagerFactory
+                = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+        trustManagerFactory.init(keyStore);
+
+        SSLContext sslContext = SSLContext.getInstance("TLS");
+        sslContext.init(keyManagerFactory.getKeyManagers(),
+                trustManagerFactory.getTrustManagers(),
+                new SecureRandom());
+
+        return sslContext;
+    }
+
+    public static SSLContext createServerSslContext(Certificate certificate, PrivateKey privateKey) throws Exception {
+
+        char[] password = "password".toCharArray();
 
-        Certificate certificate = generateSelfSignedCert(keyPair);
         Certificate[] certificateChain = {certificate};
 
         // create emtpy keystore and put certificates into it
         KeyStore keyStore = createEmptyKeystore();
-        keyStore.setKeyEntry("private", keyPair.getPrivate(), password, certificateChain);
+        keyStore.setKeyEntry("private", privateKey, password, certificateChain);
         keyStore.setCertificateEntry("cert", certificate);
 
         KeyManagerFactory keyManagerFactory
