Repository: kafka Updated Branches: refs/heads/trunk 5aad4999d -> 85039ab43
KAFKA-2850; Fix SSL invalid endpoint validation test
Use invalid hostname to ensure that test works in all environments
Author: Rajini Sivaram <[email protected]>
Reviewers: Ismael Juma <[email protected]>, Jun Rao <[email protected]>
Closes #546 from rajinisivaram/KAFKA-2850
Project: http://git-wip-us.apache.org/repos/asf/kafka/repo
Commit: http://git-wip-us.apache.org/repos/asf/kafka/commit/85039ab4
Tree: http://git-wip-us.apache.org/repos/asf/kafka/tree/85039ab4
Diff: http://git-wip-us.apache.org/repos/asf/kafka/diff/85039ab4
Branch: refs/heads/trunk
Commit: 85039ab43664577524bf99453cf2b972d3724f60
Parents: 5aad499
Author: Rajini Sivaram <[email protected]>
Authored: Wed Jan 6 15:01:18 2016 -0800
Committer: Jun Rao <[email protected]>
Committed: Wed Jan 6 15:01:18 2016 -0800
----------------------------------------------------------------------
 .../common/network/SslTransportLayerTest.java | 24 +++++++++++---------
 .../org/apache/kafka/test/TestSslUtils.java | 9 ++++++--
 2 files changed, 20 insertions(+), 13 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/kafka/blob/85039ab4/clients/src/test/java/org/apache/kafka/common/network/SslTransportLayerTest.java
----------------------------------------------------------------------
diff --git a/clients/src/test/java/org/apache/kafka/common/network/SslTransportLayerTest.java b/clients/src/test/java/org/apache/kafka/common/network/SslTransportLayerTest.java
index d8a037c..d4f1464 100644
--- a/clients/src/test/java/org/apache/kafka/common/network/SslTransportLayerTest.java
+++ b/clients/src/test/java/org/apache/kafka/common/network/SslTransportLayerTest.java
@@ -67,8 +67,8 @@ public class SslTransportLayerTest {
 @Before
 public void setup() throws Exception {
 // Create certificates for use by client and server. Add server cert to client truststore and vice versa.
- serverCertStores = new CertStores(true);
- clientCertStores = new CertStores(false);
+ serverCertStores = new CertStores(true, "localhost");
+ clientCertStores = new CertStores(false, "localhost");
 sslServerConfigs = serverCertStores.getTrustingConfig(clientCertStores);
 sslClientConfigs = clientCertStores.getTrustingConfig(serverCertStores);
@@ -102,19 +102,21 @@ public class SslTransportLayerTest {
 }
 /**
- * Tests that server certificate with invalid IP address is not accepted by
- * a client that validates server endpoint. Certificate uses "localhost" as
- * common name, test uses host IP to trigger endpoint validation failure.
+ * Tests that server certificate with invalid host name is not accepted by
+ * a client that validates server endpoint. Server certificate uses
+ * wrong hostname as common name to trigger endpoint validation failure.
 */
 @Test
 public void testInvalidEndpointIdentification() throws Exception {
 String node = "0";
- String serverHost = InetAddress.getLocalHost().getHostAddress();
- server = new SslEchoServer(sslServerConfigs, serverHost);
- server.start();
+ serverCertStores = new CertStores(true, "notahost");
+ clientCertStores = new CertStores(false, "localhost");
+ sslServerConfigs = serverCertStores.getTrustingConfig(clientCertStores);
+ sslClientConfigs = clientCertStores.getTrustingConfig(serverCertStores);
+ createEchoServer(sslServerConfigs);
 sslClientConfigs.put(SslConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG, "HTTPS");
 createSelector(sslClientConfigs);
- InetSocketAddress addr = new InetSocketAddress(serverHost, server.port);
+ InetSocketAddress addr = new InetSocketAddress("localhost", server.port);
 selector.connect(node, addr, BUFFER_SIZE, BUFFER_SIZE);
 waitForChannelClose(node);
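Review bot: In the rebuilt testInvalidEndpointIdentification the only assertion is waitForChannelClose(node), which any handshake failure would also satisfy (for example a trust-store mismatch between the freshly created CertStores), so the test cannot tell an endpoint-identification rejection apart from a broken fixture. A positive control that connects with the same rebuilt stores but a matching CN, or an assertion on the recorded disconnect reason if the selector exposes one, would pin the behaviour the test is named for. The test also reassigns serverCertStores, clientCertStores, sslServerConfigs and sslClientConfigs that setup() had already populated, leaving the key and trust stores created in setup() unused; a comment such as `// Rebuild the stores so the server cert CN ("notahost") cannot match the connect host ("localhost")` would make the override intentional rather than accidental. The body of the test continues outside the hunk.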
@@ -458,11 +460,11 @@ public class SslTransportLayerTest {
 Map<String, Object> sslConfig;
- CertStores(boolean server) throws Exception {
+ CertStores(boolean server, String host) throws Exception {
 String name = server ? "server" : "client";
 Mode mode = server ? Mode.SERVER : Mode.CLIENT;
 File truststoreFile = File.createTempFile(name + "TS", ".jks");
- sslConfig = TestSslUtils.createSslConfig(!server, true, mode, truststoreFile, name);
+ sslConfig = TestSslUtils.createSslConfig(!server, true, mode, truststoreFile, name, host);
 if (server)
 sslConfig.put(SslConfigs.PRINCIPAL_BUILDER_CLASS_CONFIG, Class.forName(SslConfigs.DEFAULT_PRINCIPAL_BUILDER_CLASS));
 }
http://git-wip-us.apache.org/repos/asf/kafka/blob/85039ab4/clients/src/test/java/org/apache/kafka/test/TestSslUtils.java
----------------------------------------------------------------------
diff --git a/clients/src/test/java/org/apache/kafka/test/TestSslUtils.java b/clients/src/test/java/org/apache/kafka/test/TestSslUtils.java
index c389502..2507e59 100644
--- a/clients/src/test/java/org/apache/kafka/test/TestSslUtils.java
+++ b/clients/src/test/java/org/apache/kafka/test/TestSslUtils.java
@@ -214,6 +214,11 @@ public class TestSslUtils {
 public static Map<String, Object> createSslConfig(boolean useClientCert, boolean trustStore, Mode mode, File trustStoreFile, String certAlias)
 throws IOException, GeneralSecurityException {
+ return createSslConfig(useClientCert, trustStore, mode, trustStoreFile, certAlias, "localhost");
+ }
+
+ public static Map<String, Object> createSslConfig(boolean useClientCert, boolean trustStore, Mode mode, File trustStoreFile, String certAlias, String host)
+ throws IOException, GeneralSecurityException {
 Map<String, X509Certificate> certs = new HashMap<String, X509Certificate>();
 File keyStoreFile;
 Password password;
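Review bot: The new six-argument createSslConfig overload in TestSslUtils has no Javadoc saying what `host` is used for, and the five-argument overload does not say that it now fixes the host to "localhost"; a caller only learns that the value ends up as the certificate CN by reading the generateCertificate calls further down the method. Suggest a Javadoc on the new overload with `@param host name written as the CN of the generated certificate; it must match the address clients connect to when endpoint identification is enabled`, and on the delegating overload a one-liner such as `Equivalent to {@code createSslConfig(useClientCert, trustStore, mode, trustStoreFile, certAlias, "localhost")}`. The same applies to the new `host` parameter of the CertStores constructor in the SslTransportLayerTest hunk above. The body of the new overload continues outside this hunk.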
@@ -228,13 +233,13 @@ public class TestSslUtils {
 if (useClientCert) {
 keyStoreFile = File.createTempFile("clientKS", ".jks");
 KeyPair cKP = generateKeyPair("RSA");
- X509Certificate cCert = generateCertificate("CN=localhost, O=client", cKP, 30, "SHA1withRSA");
+ X509Certificate cCert = generateCertificate("CN=" + host + ", O=client", cKP, 30, "SHA1withRSA");
 createKeyStore(keyStoreFile.getPath(), password, "client", cKP.getPrivate(), cCert);
 certs.put(certAlias, cCert);
 } else {
 keyStoreFile = File.createTempFile("serverKS", ".jks");
 KeyPair sKP = generateKeyPair("RSA");
- X509Certificate sCert = generateCertificate("CN=localhost, O=server", sKP, 30,
+ X509Certificate sCert = generateCertificate("CN=" + host + ", O=server", sKP, 30,
 "SHA1withRSA");
 createKeyStore(keyStoreFile.getPath(), password, password, "server", sKP.getPrivate(), sCert);
 certs.put(certAlias, sCert);
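Review bot: On both changed lines `host` is concatenated straight into the distinguished-name string handed to generateCertificate, so a value containing a DN separator (`,`, `=` or `+`) would be parsed as extra RDN components instead of being part of the CN, and a null would produce the literal CN "null". For a test helper a guard is enough; a comment above the `if (useClientCert)` branch such as `// host is used verbatim as the certificate CN and must not contain DN separator characters` makes the constraint visible to the next test author. Note too that, assuming generateCertificate (outside this hunk) adds no subjectAltName extension, the certificates stay CN-only, so endpoint identification in these tests exercises only the CN fallback of the HTTPS algorithm; a test for subjectAltName matching, which takes precedence over the CN whenever a SAN is present, would need generateCertificate to emit that extension. The enclosing method starts outside this hunk.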
