Refactor common code used by the proxy and the prober (#375)

networking/src/main/java/google/registry/networking/handler/SslClientInitializer.java

@@ -0,0 +1,92 @@
+// Copyright 2017 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.networking.handler;
+
+import static com.google.common.base.Preconditions.checkNotNull;
+
+import com.google.common.annotations.VisibleForTesting;
+import com.google.common.flogger.FluentLogger;
+import io.netty.channel.Channel;
+import io.netty.channel.ChannelHandler.Sharable;
+import io.netty.channel.ChannelInitializer;
+import io.netty.channel.embedded.EmbeddedChannel;
+import io.netty.handler.ssl.SslContextBuilder;
+import io.netty.handler.ssl.SslHandler;
+import io.netty.handler.ssl.SslProvider;
+import java.security.cert.X509Certificate;
+import java.util.function.Function;
+import javax.inject.Singleton;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLParameters;
+
+/**
+ * Adds a client side SSL handler to the channel pipeline.
+ *
+ * <p>This <b>must</b> be the first handler provided for any handler provider list, if it is
+ * provided. The type parameter {@code C} is needed so that unit tests can construct this handler
+ * that works with {@link EmbeddedChannel};
+ */
+@Singleton
+@Sharable
+public class SslClientInitializer<C extends Channel> extends ChannelInitializer<C> {
+
+  private static final FluentLogger logger = FluentLogger.forEnclosingClass();
+
+  private final Function<Channel, String> hostProvider;
+  private final Function<Channel, Integer> portProvider;
+  private final SslProvider sslProvider;
+  private final X509Certificate[] trustedCertificates;
+
+  public SslClientInitializer(
+      SslProvider sslProvider,
+      Function<Channel, String> hostProvider,
+      Function<Channel, Integer> portProvider) {
+    // null uses the system default trust store.
+    this(sslProvider, hostProvider, portProvider, null);
+  }
+
+  @VisibleForTesting
+  SslClientInitializer(
+      SslProvider sslProvider,
+      Function<Channel, String> hostProvider,
+      Function<Channel, Integer> portProvider,
+      X509Certificate[] trustCertificates) {
+    logger.atInfo().log("Client SSL Provider: %s", sslProvider);
+    this.sslProvider = sslProvider;
+    this.hostProvider = hostProvider;
+    this.portProvider = portProvider;
+    this.trustedCertificates = trustCertificates;
+  }
+
+  @Override
+  protected void initChannel(C channel) throws Exception {
+    checkNotNull(hostProvider.apply(channel), "Cannot obtain SSL host for channel: %s", channel);
+    checkNotNull(portProvider.apply(channel), "Cannot obtain SSL port for channel: %s", channel);
+    SslHandler sslHandler =
+        SslContextBuilder.forClient()
+            .sslProvider(sslProvider)
+            .trustManager(trustedCertificates)
+            .build()
+            .newHandler(channel.alloc(), hostProvider.apply(channel), portProvider.apply(channel));
+
+    // Enable hostname verification.
+    SSLEngine sslEngine = sslHandler.engine();
+    SSLParameters sslParameters = sslEngine.getSSLParameters();
+    sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
+    sslEngine.setSSLParameters(sslParameters);
+
+    channel.pipeline().addLast(sslHandler);
+  }
+}

networking/src/main/java/google/registry/networking/handler/SslServerInitializer.java

@@ -0,0 +1,106 @@
+// Copyright 2017 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.networking.handler;
+
+import com.google.common.flogger.FluentLogger;
+import io.netty.channel.Channel;
+import io.netty.channel.ChannelHandler.Sharable;
+import io.netty.channel.ChannelInitializer;
+import io.netty.channel.embedded.EmbeddedChannel;
+import io.netty.handler.ssl.ClientAuth;
+import io.netty.handler.ssl.SslContextBuilder;
+import io.netty.handler.ssl.SslHandler;
+import io.netty.handler.ssl.SslProvider;
+import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
+import io.netty.util.AttributeKey;
+import io.netty.util.concurrent.Future;
+import io.netty.util.concurrent.Promise;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+import java.util.function.Supplier;
+
+/**
+ * Adds a server side SSL handler to the channel pipeline.
+ *
+ * <p>This <b>should</b> be the first handler provided for any handler provider list, if it is
+ * provided. Unless you wish to first process the PROXY header with another handler, which should
+ * come before this handler. The type parameter {@code C} is needed so that unit tests can construct
+ * this handler that works with {@link EmbeddedChannel};
+ *
+ * <p>The ssl handler added requires client authentication, but it uses an {@link
+ * InsecureTrustManagerFactory}, which accepts any ssl certificate presented by the client, as long
+ * as the client uses the corresponding private key to establish SSL handshake. The client
+ * certificate hash will be passed along to GAE as an HTTP header for verification (not handled by
+ * this handler).
+ */
+@Sharable
+public class SslServerInitializer<C extends Channel> extends ChannelInitializer<C> {
+
+  /**
+   * Attribute key to the client certificate promise whose value is set when SSL handshake completes
+   * successfully.
+   */
+  public static final AttributeKey<Promise<X509Certificate>> CLIENT_CERTIFICATE_PROMISE_KEY =
+      AttributeKey.valueOf("CLIENT_CERTIFICATE_PROMISE_KEY");
+
+  private static final FluentLogger logger = FluentLogger.forEnclosingClass();
+  private final boolean requireClientCert;
+  private final SslProvider sslProvider;
+  private final Supplier<PrivateKey> privateKeySupplier;
+  private final Supplier<X509Certificate[]> certificatesSupplier;
+
+  public SslServerInitializer(
+      boolean requireClientCert,
+      SslProvider sslProvider,
+      Supplier<PrivateKey> privateKeySupplier,
+      Supplier<X509Certificate[]> certificatesSupplier) {
+    logger.atInfo().log("Server SSL Provider: %s", sslProvider);
+    this.requireClientCert = requireClientCert;
+    this.sslProvider = sslProvider;
+    this.privateKeySupplier = privateKeySupplier;
+    this.certificatesSupplier = certificatesSupplier;
+  }
+
+  @Override
+  protected void initChannel(C channel) throws Exception {
+    SslHandler sslHandler =
+        SslContextBuilder.forServer(privateKeySupplier.get(), certificatesSupplier.get())
+            .sslProvider(sslProvider)
+            .trustManager(InsecureTrustManagerFactory.INSTANCE)
+            .clientAuth(requireClientCert ? ClientAuth.REQUIRE : ClientAuth.NONE)
+            .build()
+            .newHandler(channel.alloc());
+    if (requireClientCert) {
+      Promise<X509Certificate> clientCertificatePromise = channel.eventLoop().newPromise();
+      Future<Channel> unusedFuture =
+          sslHandler
+              .handshakeFuture()
+              .addListener(
+                  future -> {
+                    if (future.isSuccess()) {
+                      Promise<X509Certificate> unusedPromise =
+                          clientCertificatePromise.setSuccess(
+                              (X509Certificate)
+                                  sslHandler.engine().getSession().getPeerCertificates()[0]);
+                    } else {
+                      Promise<X509Certificate> unusedPromise =
+                          clientCertificatePromise.setFailure(future.cause());
+                    }
+                  });
+      channel.attr(CLIENT_CERTIFICATE_PROMISE_KEY).set(clientCertificatePromise);
+    }
+    channel.pipeline().addLast(sslHandler);
+  }
+}

networking/src/test/java/google/registry/networking/handler/NettyRule.java

@@ -0,0 +1,217 @@
+// Copyright 2018 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.networking.handler;
+
+import static com.google.common.base.Preconditions.checkState;
+import static com.google.common.truth.Truth.assertThat;
+import static google.registry.testing.JUnitBackports.assertThrows;
+import static java.nio.charset.StandardCharsets.US_ASCII;
+import static java.nio.charset.StandardCharsets.UTF_8;
+
+import com.google.common.base.Throwables;
+import com.google.common.truth.ThrowableSubject;
+import io.netty.bootstrap.Bootstrap;
+import io.netty.bootstrap.ServerBootstrap;
+import io.netty.buffer.ByteBuf;
+import io.netty.buffer.Unpooled;
+import io.netty.channel.Channel;
+import io.netty.channel.ChannelFuture;
+import io.netty.channel.ChannelHandler;
+import io.netty.channel.ChannelHandlerContext;
+import io.netty.channel.ChannelInboundHandlerAdapter;
+import io.netty.channel.ChannelInitializer;
+import io.netty.channel.EventLoopGroup;
+import io.netty.channel.local.LocalAddress;
+import io.netty.channel.local.LocalChannel;
+import io.netty.channel.local.LocalServerChannel;
+import io.netty.channel.nio.NioEventLoopGroup;
+import io.netty.util.ReferenceCountUtil;
+import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.Future;
+import org.junit.rules.ExternalResource;
+
+/**
+ * Helper for setting up and testing client / server connection with netty.
+ *
+ * <p>Used in {@link SslClientInitializerTest} and {@link SslServerInitializerTest}.
+ */
+final class NettyRule extends ExternalResource {
+
+  // All I/O operations are done inside the single thread within this event loop group, which is
+  // different from the main test thread. Therefore synchronizations are required to make sure that
+  // certain I/O activities are finished when assertions are performed.
+  private final EventLoopGroup eventLoopGroup = new NioEventLoopGroup(1);
+
+  // Handler attached to server's channel to record the request received.
+  private EchoHandler echoHandler;
+
+  // Handler attached to client's channel to record the response received.
+  private DumpHandler dumpHandler;
+
+  private Channel channel;
+
+  /** Sets up a server channel bound to the given local address. */
+  void setUpServer(LocalAddress localAddress, ChannelHandler handler) {
+    checkState(echoHandler == null, "Can't call setUpServer twice");
+    echoHandler = new EchoHandler();
+    ChannelInitializer<LocalChannel> serverInitializer =
+        new ChannelInitializer<LocalChannel>() {
+          @Override
+          protected void initChannel(LocalChannel ch) {
+            // Add the given handler
+            ch.pipeline().addLast(handler);
+            // Add the "echoHandler" last to log the incoming message and send it back
+            ch.pipeline().addLast(echoHandler);
+          }
+        };
+    ServerBootstrap sb =
+        new ServerBootstrap()
+            .group(eventLoopGroup)
+            .channel(LocalServerChannel.class)
+            .childHandler(serverInitializer);
+    ChannelFuture unusedFuture = sb.bind(localAddress).syncUninterruptibly();
+  }
+
+  /** Sets up a client channel connecting to the give local address. */
+  void setUpClient(LocalAddress localAddress, ChannelHandler handler) {
+    checkState(echoHandler != null, "Must call setUpServer before setUpClient");
+    checkState(dumpHandler == null, "Can't call setUpClient twice");
+    dumpHandler = new DumpHandler();
+    ChannelInitializer<LocalChannel> clientInitializer =
+        new ChannelInitializer<LocalChannel>() {
+          @Override
+          protected void initChannel(LocalChannel ch) throws Exception {
+            // Add the given handler
+            ch.pipeline().addLast(handler);
+            // Add the "dumpHandler" last to log the incoming message
+            ch.pipeline().addLast(dumpHandler);
+          }
+        };
+    Bootstrap b =
+        new Bootstrap()
+            .group(eventLoopGroup)
+            .channel(LocalChannel.class)
+            .handler(clientInitializer);
+    channel = b.connect(localAddress).syncUninterruptibly().channel();
+  }
+
+  void checkReady() {
+    checkState(channel != null, "Must call setUpClient to finish NettyRule setup");
+  }
+
+  /**
+   * Test that a message can go through, both inbound and outbound.
+   *
+   * <p>The client writes the message to the server, which echos it back and saves the string in its
+   * promise. The client receives the echo and saves it in its promise. All these activities happens
+   * in the I/O thread, and this call itself returns immediately.
+   */
+  void assertThatMessagesWork() throws Exception {
+    checkReady();
+    assertThat(channel.isActive()).isTrue();
+
+    writeToChannelAndFlush(channel, "Hello, world!");
+    assertThat(echoHandler.getRequestFuture().get()).isEqualTo("Hello, world!");
+    assertThat(dumpHandler.getResponseFuture().get()).isEqualTo("Hello, world!");
+  }
+
+  Channel getChannel() {
+    checkReady();
+    return channel;
+  }
+
+  ThrowableSubject assertThatServerRootCause() {
+    checkReady();
+    return assertThat(
+        Throwables.getRootCause(
+            assertThrows(ExecutionException.class, () -> echoHandler.getRequestFuture().get())));
+  }
+
+  ThrowableSubject assertThatClientRootCause() {
+    checkReady();
+    return assertThat(
+        Throwables.getRootCause(
+            assertThrows(ExecutionException.class, () -> dumpHandler.getResponseFuture().get())));
+  }
+
+  /**
+   * A handler that echoes back its inbound message. The message is also saved in a promise for
+   * inspection later.
+   */
+  private static class EchoHandler extends ChannelInboundHandlerAdapter {
+
+    private final CompletableFuture<String> requestFuture = new CompletableFuture<>();
+
+    Future<String> getRequestFuture() {
+      return requestFuture;
+    }
+
+    @Override
+    public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
+      // In the test we only send messages of type ByteBuf.
+      assertThat(msg).isInstanceOf(ByteBuf.class);
+      String request = ((ByteBuf) msg).toString(UTF_8);
+      // After the message is written back to the client, fulfill the promise.
+      ChannelFuture unusedFuture =
+          ctx.writeAndFlush(msg).addListener(f -> requestFuture.complete(request));
+    }
+
+    /** Saves any inbound error as the cause of the promise failure. */
+    @Override
+    public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) throws Exception {
+      ChannelFuture unusedFuture =
+          ctx.channel().closeFuture().addListener(f -> requestFuture.completeExceptionally(cause));
+    }
+  }
+
+  /** A handler that dumps its inbound message to a promise that can be inspected later. */
+  private static class DumpHandler extends ChannelInboundHandlerAdapter {
+
+    private final CompletableFuture<String> responseFuture = new CompletableFuture<>();
+
+    Future<String> getResponseFuture() {
+      return responseFuture;
+    }
+
+    @Override
+    public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
+      // In the test we only send messages of type ByteBuf.
+      assertThat(msg).isInstanceOf(ByteBuf.class);
+      String response = ((ByteBuf) msg).toString(UTF_8);
+      // There is no more use of this message, we should release its reference count so that it
+      // can be more effectively garbage collected by Netty.
+      ReferenceCountUtil.release(msg);
+      // Save the string in the promise and make it as complete.
+      responseFuture.complete(response);
+    }
+
+    /** Saves any inbound error into the failure cause of the promise. */
+    @Override
+    public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) throws Exception {
+      ctx.channel().closeFuture().addListener(f -> responseFuture.completeExceptionally(cause));
+    }
+  }
+
+  @Override
+  protected void after() {
+    Future<?> unusedFuture = eventLoopGroup.shutdownGracefully();
+  }
+
+  private static void writeToChannelAndFlush(Channel channel, String data) {
+    ChannelFuture unusedFuture =
+        channel.writeAndFlush(Unpooled.wrappedBuffer(data.getBytes(US_ASCII)));
+  }
+}

networking/src/test/java/google/registry/networking/handler/SslClientInitializerTest.java

@@ -0,0 +1,210 @@
+// Copyright 2017 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.networking.handler;
+
+import static com.google.common.truth.Truth.assertThat;
+import static google.registry.networking.handler.SslInitializerTestUtils.getKeyPair;
+import static google.registry.networking.handler.SslInitializerTestUtils.setUpSslChannel;
+import static google.registry.networking.handler.SslInitializerTestUtils.signKeyPair;
+
+import io.netty.channel.Channel;
+import io.netty.channel.ChannelHandler;
+import io.netty.channel.ChannelPipeline;
+import io.netty.channel.embedded.EmbeddedChannel;
+import io.netty.channel.local.LocalAddress;
+import io.netty.channel.local.LocalChannel;
+import io.netty.handler.ssl.OpenSsl;
+import io.netty.handler.ssl.SniHandler;
+import io.netty.handler.ssl.SslContext;
+import io.netty.handler.ssl.SslContextBuilder;
+import io.netty.handler.ssl.SslHandler;
+import io.netty.handler.ssl.SslProvider;
+import io.netty.handler.ssl.util.SelfSignedCertificate;
+import java.security.KeyPair;
+import java.security.PrivateKey;
+import java.security.cert.CertPathBuilderException;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.function.Function;
+import javax.net.ssl.SSLException;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+import org.junit.runners.Parameterized.Parameter;
+import org.junit.runners.Parameterized.Parameters;
+
+/**
+ * Unit tests for {@link SslClientInitializer}.
+ *
+ * <p>To validate that the handler accepts & rejects connections as expected, a test server and a
+ * test client are spun up, and both connect to the {@link LocalAddress} within the JVM. This avoids
+ * the overhead of routing traffic through the network layer, even if it were to go through
+ * loopback. It also alleviates the need to pick a free port to use.
+ *
+ * <p>The local addresses used in each test method must to be different, otherwise tests run in
+ * parallel may interfere with each other.
+ */
+@RunWith(Parameterized.class)
+public class SslClientInitializerTest {
+
+  /** Fake host to test if the SSL engine gets the correct peer host. */
+  private static final String SSL_HOST = "www.example.tld";
+
+  /** Fake port to test if the SSL engine gets the correct peer port. */
+  private static final int SSL_PORT = 12345;
+
+  private static final Function<Channel, String> hostProvider = channel -> SSL_HOST;
+
+  private static final Function<Channel, Integer> portProvider = channel -> SSL_PORT;
+
+  @Rule public NettyRule nettyRule = new NettyRule();
+
+  @Parameter(0)
+  public SslProvider sslProvider;
+
+  // We do our best effort to test all available SSL providers.
+  @Parameters(name = "{0}")
+  public static SslProvider[] data() {
+    return OpenSsl.isAvailable()
+        ? new SslProvider[] {SslProvider.JDK, SslProvider.OPENSSL}
+        : new SslProvider[] {SslProvider.JDK};
+  }
+
+  /** Saves the SNI hostname received by the server, if sent by the client. */
+  private String sniHostReceived;
+
+  private ChannelHandler getServerHandler(PrivateKey privateKey, X509Certificate certificate)
+      throws Exception {
+    SslContext sslContext = SslContextBuilder.forServer(privateKey, certificate).build();
+    return new SniHandler(
+        hostname -> {
+          sniHostReceived = hostname;
+          return sslContext;
+        });
+  }
+
+  @Test
+  public void testSuccess_swappedInitializerWithSslHandler() throws Exception {
+    SslClientInitializer<EmbeddedChannel> sslClientInitializer =
+        new SslClientInitializer<>(sslProvider, hostProvider, portProvider);
+    EmbeddedChannel channel = new EmbeddedChannel();
+    ChannelPipeline pipeline = channel.pipeline();
+    pipeline.addLast(sslClientInitializer);
+    ChannelHandler firstHandler = pipeline.first();
+    assertThat(firstHandler.getClass()).isEqualTo(SslHandler.class);
+    SslHandler sslHandler = (SslHandler) firstHandler;
+    assertThat(sslHandler.engine().getPeerHost()).isEqualTo(SSL_HOST);
+    assertThat(sslHandler.engine().getPeerPort()).isEqualTo(SSL_PORT);
+    assertThat(channel.isActive()).isTrue();
+  }
+
+  @Test
+  public void testSuccess_nullHost() {
+    SslClientInitializer<EmbeddedChannel> sslClientInitializer =
+        new SslClientInitializer<>(sslProvider, channel -> null, portProvider);
+    EmbeddedChannel channel = new EmbeddedChannel();
+    ChannelPipeline pipeline = channel.pipeline();
+    pipeline.addLast(sslClientInitializer);
+    // Channel initializer swallows error thrown, and closes the connection.
+    assertThat(channel.isActive()).isFalse();
+  }
+
+  @Test
+  public void testSuccess_nullPort() {
+    SslClientInitializer<EmbeddedChannel> sslClientInitializer =
+        new SslClientInitializer<>(sslProvider, hostProvider, channel -> null);
+    EmbeddedChannel channel = new EmbeddedChannel();
+    ChannelPipeline pipeline = channel.pipeline();
+    pipeline.addLast(sslClientInitializer);
+    // Channel initializer swallows error thrown, and closes the connection.
+    assertThat(channel.isActive()).isFalse();
+  }
+
+  @Test
+  public void testFailure_defaultTrustManager_rejectSelfSignedCert() throws Exception {
+    SelfSignedCertificate ssc = new SelfSignedCertificate(SSL_HOST);
+    LocalAddress localAddress =
+        new LocalAddress("DEFAULT_TRUST_MANAGER_REJECT_SELF_SIGNED_CERT_" + sslProvider);
+    nettyRule.setUpServer(localAddress, getServerHandler(ssc.key(), ssc.cert()));
+    SslClientInitializer<LocalChannel> sslClientInitializer =
+        new SslClientInitializer<>(sslProvider, hostProvider, portProvider);
+    nettyRule.setUpClient(localAddress, sslClientInitializer);
+    // The connection is now terminated, both the client side and the server side should get
+    // exceptions.
+    nettyRule.assertThatClientRootCause().isInstanceOf(CertPathBuilderException.class);
+    nettyRule.assertThatServerRootCause().isInstanceOf(SSLException.class);
+    assertThat(nettyRule.getChannel().isActive()).isFalse();
+  }
+
+  @Test
+  public void testSuccess_customTrustManager_acceptCertSignedByTrustedCa() throws Exception {
+    LocalAddress localAddress =
+        new LocalAddress("CUSTOM_TRUST_MANAGER_ACCEPT_CERT_SIGNED_BY_TRUSTED_CA_" + sslProvider);
+
+    // Generate a new key pair.
+    KeyPair keyPair = getKeyPair();
+
+    // Generate a self signed certificate, and use it to sign the key pair.
+    SelfSignedCertificate ssc = new SelfSignedCertificate();
+    X509Certificate cert = signKeyPair(ssc, keyPair, SSL_HOST);
+
+    // Set up the server to use the signed cert and private key to perform handshake;
+    PrivateKey privateKey = keyPair.getPrivate();
+    nettyRule.setUpServer(localAddress, getServerHandler(privateKey, cert));
+
+    // Set up the client to trust the self signed cert used to sign the cert that server provides.
+    SslClientInitializer<LocalChannel> sslClientInitializer =
+        new SslClientInitializer<>(
+            sslProvider, hostProvider, portProvider, new X509Certificate[] {ssc.cert()});
+    nettyRule.setUpClient(localAddress, sslClientInitializer);
+
+    setUpSslChannel(nettyRule.getChannel(), cert);
+    nettyRule.assertThatMessagesWork();
+
+    // Verify that the SNI extension is sent during handshake.
+    assertThat(sniHostReceived).isEqualTo(SSL_HOST);
+  }
+
+  @Test
+  public void testFailure_customTrustManager_wrongHostnameInCertificate() throws Exception {
+    LocalAddress localAddress =
+        new LocalAddress("CUSTOM_TRUST_MANAGER_WRONG_HOSTNAME_" + sslProvider);
+
+    // Generate a new key pair.
+    KeyPair keyPair = getKeyPair();
+
+    // Generate a self signed certificate, and use it to sign the key pair.
+    SelfSignedCertificate ssc = new SelfSignedCertificate();
+    X509Certificate cert = signKeyPair(ssc, keyPair, "wrong.com");
+
+    // Set up the server to use the signed cert and private key to perform handshake;
+    PrivateKey privateKey = keyPair.getPrivate();
+    nettyRule.setUpServer(localAddress, getServerHandler(privateKey, cert));
+
+    // Set up the client to trust the self signed cert used to sign the cert that server provides.
+    SslClientInitializer<LocalChannel> sslClientInitializer =
+        new SslClientInitializer<>(
+            sslProvider, hostProvider, portProvider, new X509Certificate[] {ssc.cert()});
+    nettyRule.setUpClient(localAddress, sslClientInitializer);
+
+    // When the client rejects the server cert due to wrong hostname, both the client and server
+    // should throw exceptions.
+    nettyRule.assertThatClientRootCause().isInstanceOf(CertificateException.class);
+    nettyRule.assertThatClientRootCause().hasMessageThat().contains(SSL_HOST);
+    nettyRule.assertThatServerRootCause().isInstanceOf(SSLException.class);
+    assertThat(nettyRule.getChannel().isActive()).isFalse();
+  }
+}

networking/src/test/java/google/registry/networking/handler/SslInitializerTestUtils.java

@@ -0,0 +1,95 @@
+// Copyright 2017 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.networking.handler;
+
+import static com.google.common.truth.Truth.assertThat;
+
+import io.netty.channel.Channel;
+import io.netty.handler.ssl.SslHandler;
+import io.netty.handler.ssl.util.SelfSignedCertificate;
+import java.math.BigInteger;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.SecureRandom;
+import java.security.Security;
+import java.security.cert.X509Certificate;
+import java.time.Duration;
+import java.time.Instant;
+import java.util.Date;
+import javax.net.ssl.SSLSession;
+import javax.security.auth.x500.X500Principal;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.x509.X509V3CertificateGenerator;
+
+/**
+ * Utility class that provides methods used by {@link SslClientInitializerTest} and {@link
+ * SslServerInitializerTest}.
+ */
+@SuppressWarnings("deprecation")
+public final class SslInitializerTestUtils {
+
+  static {
+    Security.addProvider(new BouncyCastleProvider());
+  }
+
+  private SslInitializerTestUtils() {}
+
+  public static KeyPair getKeyPair() throws Exception {
+    KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", "BC");
+    keyPairGenerator.initialize(2048, new SecureRandom());
+    return keyPairGenerator.generateKeyPair();
+  }
+
+  /**
+   * Signs the given key pair with the given self signed certificate.
+   *
+   * @return signed public key (of the key pair) certificate
+   */
+  public static X509Certificate signKeyPair(
+      SelfSignedCertificate ssc, KeyPair keyPair, String hostname) throws Exception {
+    X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
+    X500Principal dnName = new X500Principal("CN=" + hostname);
+    certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
+    certGen.setSubjectDN(dnName);
+    certGen.setIssuerDN(ssc.cert().getSubjectX500Principal());
+    certGen.setNotBefore(Date.from(Instant.now().minus(Duration.ofDays(1))));
+    certGen.setNotAfter(Date.from(Instant.now().plus(Duration.ofDays(1))));
+    certGen.setPublicKey(keyPair.getPublic());
+    certGen.setSignatureAlgorithm("SHA256WithRSAEncryption");
+    return certGen.generate(ssc.key(), "BC");
+  }
+
+  /**
+   * Verifies tha the SSL channel is established as expected, and also sends a message to the server
+   * and verifies if it is echoed back correctly.
+   *
+   * @param certs The certificate that the server should provide.
+   * @return The SSL session in current channel, can be used for further validation.
+   */
+  static SSLSession setUpSslChannel(Channel channel, X509Certificate... certs) throws Exception {
+    SslHandler sslHandler = channel.pipeline().get(SslHandler.class);
+    // Wait till the handshake is complete.
+    sslHandler.handshakeFuture().get();
+
+    assertThat(channel.isActive()).isTrue();
+    assertThat(sslHandler.handshakeFuture().isSuccess()).isTrue();
+    assertThat(sslHandler.engine().getSession().isValid()).isTrue();
+    assertThat(sslHandler.engine().getSession().getPeerCertificates())
+        .asList()
+        .containsExactlyElementsIn(certs);
+    // Returns the SSL session for further assertion.
+    return sslHandler.engine().getSession();
+  }
+}

networking/src/test/java/google/registry/networking/handler/SslServerInitializerTest.java

@@ -0,0 +1,247 @@
+// Copyright 2017 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.networking.handler;
+
+import static com.google.common.truth.Truth.assertThat;
+import static google.registry.networking.handler.SslInitializerTestUtils.getKeyPair;
+import static google.registry.networking.handler.SslInitializerTestUtils.setUpSslChannel;
+import static google.registry.networking.handler.SslInitializerTestUtils.signKeyPair;
+
+import com.google.common.base.Suppliers;
+import io.netty.channel.ChannelHandler;
+import io.netty.channel.ChannelInitializer;
+import io.netty.channel.ChannelPipeline;
+import io.netty.channel.embedded.EmbeddedChannel;
+import io.netty.channel.local.LocalAddress;
+import io.netty.channel.local.LocalChannel;
+import io.netty.handler.ssl.OpenSsl;
+import io.netty.handler.ssl.SslContextBuilder;
+import io.netty.handler.ssl.SslHandler;
+import io.netty.handler.ssl.SslProvider;
+import io.netty.handler.ssl.util.SelfSignedCertificate;
+import java.security.KeyPair;
+import java.security.PrivateKey;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLHandshakeException;
+import javax.net.ssl.SSLParameters;
+import javax.net.ssl.SSLSession;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+import org.junit.runners.Parameterized.Parameter;
+import org.junit.runners.Parameterized.Parameters;
+
+/**
+ * Unit tests for {@link SslServerInitializer}.
+ *
+ * <p>To validate that the handler accepts & rejects connections as expected, a test server and a
+ * test client are spun up, and both connect to the {@link LocalAddress} within the JVM. This avoids
+ * the overhead of routing traffic through the network layer, even if it were to go through
+ * loopback. It also alleviates the need to pick a free port to use.
+ *
+ * <p>The local addresses used in each test method must to be different, otherwise tests run in
+ * parallel may interfere with each other.
+ */
+@RunWith(Parameterized.class)
+public class SslServerInitializerTest {
+
+  /** Fake host to test if the SSL engine gets the correct peer host. */
+  private static final String SSL_HOST = "www.example.tld";
+
+  /** Fake port to test if the SSL engine gets the correct peer port. */
+  private static final int SSL_PORT = 12345;
+
+  @Rule public NettyRule nettyRule = new NettyRule();
+
+  @Parameter(0)
+  public SslProvider sslProvider;
+
+  // We do our best effort to test all available SSL providers.
+  @Parameters(name = "{0}")
+  public static SslProvider[] data() {
+    return OpenSsl.isAvailable()
+        ? new SslProvider[] {SslProvider.OPENSSL, SslProvider.JDK}
+        : new SslProvider[] {SslProvider.JDK};
+  }
+
+  private ChannelHandler getServerHandler(
+      boolean requireClientCert, PrivateKey privateKey, X509Certificate... certificates) {
+    return new SslServerInitializer<LocalChannel>(
+        requireClientCert,
+        sslProvider,
+        Suppliers.ofInstance(privateKey),
+        Suppliers.ofInstance(certificates));
+  }
+
+  private ChannelHandler getServerHandler(PrivateKey privateKey, X509Certificate... certificates) {
+    return getServerHandler(true, privateKey, certificates);
+  }
+
+  private ChannelHandler getClientHandler(
+      X509Certificate trustedCertificate, PrivateKey privateKey, X509Certificate certificate) {
+    return new ChannelInitializer<LocalChannel>() {
+      @Override
+      protected void initChannel(LocalChannel ch) throws Exception {
+        SslContextBuilder sslContextBuilder =
+            SslContextBuilder.forClient().trustManager(trustedCertificate).sslProvider(sslProvider);
+        if (privateKey != null && certificate != null) {
+          sslContextBuilder.keyManager(privateKey, certificate);
+        }
+        SslHandler sslHandler =
+            sslContextBuilder.build().newHandler(ch.alloc(), SSL_HOST, SSL_PORT);
+
+        // Enable hostname verification.
+        SSLEngine sslEngine = sslHandler.engine();
+        SSLParameters sslParameters = sslEngine.getSSLParameters();
+        sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
+        sslEngine.setSSLParameters(sslParameters);
+
+        ch.pipeline().addLast(sslHandler);
+      }
+    };
+  }
+
+  @Test
+  public void testSuccess_swappedInitializerWithSslHandler() throws Exception {
+    SelfSignedCertificate ssc = new SelfSignedCertificate(SSL_HOST);
+    SslServerInitializer<EmbeddedChannel> sslServerInitializer =
+        new SslServerInitializer<>(
+            true,
+            sslProvider,
+            Suppliers.ofInstance(ssc.key()),
+            Suppliers.ofInstance(new X509Certificate[] {ssc.cert()}));
+    EmbeddedChannel channel = new EmbeddedChannel();
+    ChannelPipeline pipeline = channel.pipeline();
+    pipeline.addLast(sslServerInitializer);
+    ChannelHandler firstHandler = pipeline.first();
+    assertThat(firstHandler.getClass()).isEqualTo(SslHandler.class);
+    SslHandler sslHandler = (SslHandler) firstHandler;
+    assertThat(sslHandler.engine().getNeedClientAuth()).isTrue();
+    assertThat(channel.isActive()).isTrue();
+  }
+
+  @Test
+  public void testSuccess_trustAnyClientCert() throws Exception {
+    SelfSignedCertificate serverSsc = new SelfSignedCertificate(SSL_HOST);
+    LocalAddress localAddress = new LocalAddress("TRUST_ANY_CLIENT_CERT_" + sslProvider);
+
+    nettyRule.setUpServer(localAddress, getServerHandler(serverSsc.key(), serverSsc.cert()));
+    SelfSignedCertificate clientSsc = new SelfSignedCertificate();
+    nettyRule.setUpClient(
+        localAddress, getClientHandler(serverSsc.cert(), clientSsc.key(), clientSsc.cert()));
+
+    SSLSession sslSession = setUpSslChannel(nettyRule.getChannel(), serverSsc.cert());
+    nettyRule.assertThatMessagesWork();
+
+    // Verify that the SSL session gets the client cert. Note that this SslSession is for the client
+    // channel, therefore its local certificates are the remote certificates of the SslSession for
+    // the server channel, and vice versa.
+    assertThat(sslSession.getLocalCertificates()).asList().containsExactly(clientSsc.cert());
+    assertThat(sslSession.getPeerCertificates()).asList().containsExactly(serverSsc.cert());
+  }
+
+  @Test
+  public void testSuccess_doesNotRequireClientCert() throws Exception {
+    SelfSignedCertificate serverSsc = new SelfSignedCertificate(SSL_HOST);
+    LocalAddress localAddress = new LocalAddress("DOES_NOT_REQUIRE_CLIENT_CERT_" + sslProvider);
+
+    nettyRule.setUpServer(localAddress, getServerHandler(false, serverSsc.key(), serverSsc.cert()));
+    nettyRule.setUpClient(localAddress, getClientHandler(serverSsc.cert(), null, null));
+
+    SSLSession sslSession = setUpSslChannel(nettyRule.getChannel(), serverSsc.cert());
+    nettyRule.assertThatMessagesWork();
+
+    // Verify that the SSL session does not contain any client cert. Note that this SslSession is
+    // for the client channel, therefore its local certificates are the remote certificates of the
+    // SslSession for the server channel, and vice versa.
+    assertThat(sslSession.getLocalCertificates()).isNull();
+    assertThat(sslSession.getPeerCertificates()).asList().containsExactly(serverSsc.cert());
+  }
+
+  @Test
+  public void testSuccess_CertSignedByOtherCA() throws Exception {
+    // The self-signed cert of the CA.
+    SelfSignedCertificate caSsc = new SelfSignedCertificate();
+    KeyPair keyPair = getKeyPair();
+    X509Certificate serverCert = signKeyPair(caSsc, keyPair, SSL_HOST);
+    LocalAddress localAddress = new LocalAddress("CERT_SIGNED_BY_OTHER_CA_" + sslProvider);
+
+    nettyRule.setUpServer(
+        localAddress,
+        getServerHandler(
+            keyPair.getPrivate(),
+            // Serving both the server cert, and the CA cert
+            serverCert,
+            caSsc.cert()));
+    SelfSignedCertificate clientSsc = new SelfSignedCertificate();
+    nettyRule.setUpClient(
+        localAddress,
+        getClientHandler(
+            // Client trusts the CA cert
+            caSsc.cert(), clientSsc.key(), clientSsc.cert()));
+
+    SSLSession sslSession = setUpSslChannel(nettyRule.getChannel(), serverCert, caSsc.cert());
+    nettyRule.assertThatMessagesWork();
+
+    assertThat(sslSession.getLocalCertificates()).asList().containsExactly(clientSsc.cert());
+    assertThat(sslSession.getPeerCertificates())
+        .asList()
+        .containsExactly(serverCert, caSsc.cert())
+        .inOrder();
+  }
+
+  @Test
+  public void testFailure_requireClientCertificate() throws Exception {
+    SelfSignedCertificate serverSsc = new SelfSignedCertificate(SSL_HOST);
+    LocalAddress localAddress = new LocalAddress("REQUIRE_CLIENT_CERT_" + sslProvider);
+
+    nettyRule.setUpServer(localAddress, getServerHandler(serverSsc.key(), serverSsc.cert()));
+    nettyRule.setUpClient(
+        localAddress,
+        getClientHandler(
+            serverSsc.cert(),
+            // No client cert/private key used.
+            null,
+            null));
+
+    // When the server rejects the client during handshake due to lack of client certificate, both
+    // should throw exceptions.
+    nettyRule.assertThatServerRootCause().isInstanceOf(SSLHandshakeException.class);
+    nettyRule.assertThatClientRootCause().isInstanceOf(SSLException.class);
+    assertThat(nettyRule.getChannel().isActive()).isFalse();
+  }
+
+  @Test
+  public void testFailure_wrongHostnameInCertificate() throws Exception {
+    SelfSignedCertificate serverSsc = new SelfSignedCertificate("wrong.com");
+    LocalAddress localAddress = new LocalAddress("WRONG_HOSTNAME_" + sslProvider);
+
+    nettyRule.setUpServer(localAddress, getServerHandler(serverSsc.key(), serverSsc.cert()));
+    SelfSignedCertificate clientSsc = new SelfSignedCertificate();
+    nettyRule.setUpClient(
+        localAddress, getClientHandler(serverSsc.cert(), clientSsc.key(), clientSsc.cert()));
+
+    // When the client rejects the server cert due to wrong hostname, both the server and the client
+    // throw exceptions.
+    nettyRule.assertThatClientRootCause().isInstanceOf(CertificateException.class);
+    nettyRule.assertThatClientRootCause().hasMessageThat().contains(SSL_HOST);
+    nettyRule.assertThatServerRootCause().isInstanceOf(SSLException.class);
+    assertThat(nettyRule.getChannel().isActive()).isFalse();
+  }
+}