diff --git a/networking/build.gradle b/networking/build.gradle index 74fe4d0d2..0173eadc8 100644 --- a/networking/build.gradle +++ b/networking/build.gradle @@ -41,12 +41,6 @@ dependencies { testAnnotationProcessor deps['com.google.dagger:dagger-compiler'] } -test { - // Temporarily allow non-CA cert as trust anchor (legacy behavior) in tests. - // TODO(weiminyu): generate test cert as a CA cert. - systemProperty 'jdk.security.allowNonCaAnchor', 'true' -} - // Make testing artifacts available to be depended up on by other projects. task testJar(type: Jar) { classifier = 'test' diff --git a/networking/src/main/java/google/registry/networking/module/CertificateSupplierModule.java b/networking/src/main/java/google/registry/networking/module/CertificateSupplierModule.java index ae43d7061..664a653e3 100644 --- a/networking/src/main/java/google/registry/networking/module/CertificateSupplierModule.java +++ b/networking/src/main/java/google/registry/networking/module/CertificateSupplierModule.java @@ -25,7 +25,7 @@ import com.google.common.collect.ImmutableList; import dagger.Lazy; import dagger.Module; import dagger.Provides; -import io.netty.handler.ssl.util.SelfSignedCertificate; +import google.registry.networking.util.SelfSignedCaCertificate; import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.InputStreamReader; @@ -163,9 +163,9 @@ public final class CertificateSupplierModule { @Singleton @Provides - static SelfSignedCertificate provideSelfSignedCertificate() { + static SelfSignedCaCertificate provideSelfSignedCertificate() { try { - return new SelfSignedCertificate(); + return SelfSignedCaCertificate.create(); } catch (Exception e) { throw new RuntimeException(e); } @@ -174,7 +174,7 @@ public final class CertificateSupplierModule { @Singleton @Provides @SelfSigned - static Supplier provideSelfSignedPrivateKeySupplier(SelfSignedCertificate ssc) { + static Supplier provideSelfSignedPrivateKeySupplier(SelfSignedCaCertificate ssc) { return Suppliers.ofInstance(ssc.key()); } @@ -182,7 +182,7 @@ public final class CertificateSupplierModule { @Provides @SelfSigned static Supplier> provideSelfSignedCertificatesSupplier( - SelfSignedCertificate ssc) { + SelfSignedCaCertificate ssc) { return Suppliers.ofInstance(ImmutableList.of(ssc.cert())); } diff --git a/networking/src/main/java/google/registry/networking/util/SelfSignedCaCertificate.java b/networking/src/main/java/google/registry/networking/util/SelfSignedCaCertificate.java new file mode 100644 index 000000000..36b36c76b --- /dev/null +++ b/networking/src/main/java/google/registry/networking/util/SelfSignedCaCertificate.java @@ -0,0 +1,112 @@ +// Copyright 2020 The Nomulus Authors. All Rights Reserved. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package google.registry.networking.util; + +import java.math.BigInteger; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.PrivateKey; +import java.security.SecureRandom; +import java.security.cert.X509Certificate; +import java.time.Duration; +import java.time.Instant; +import java.util.Date; +import java.util.Random; +import org.bouncycastle.asn1.ASN1ObjectIdentifier; +import org.bouncycastle.asn1.x500.X500Name; +import org.bouncycastle.asn1.x509.BasicConstraints; +import org.bouncycastle.cert.X509CertificateHolder; +import org.bouncycastle.cert.X509v3CertificateBuilder; +import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter; +import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.operator.ContentSigner; +import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; + +/** A self-signed certificate authority (CA) cert for use in tests. */ +// TODO(weiminyu): make this class test-only. Requires refactor in proxy and prober. +public class SelfSignedCaCertificate { + + private static final String DEFAULT_ISSUER_FQDN = "registry-test"; + private static final Date DEFAULT_NOT_BEFORE = + Date.from(Instant.now().minus(Duration.ofHours(1))); + private static final Date DEFAULT_NOT_AFTER = Date.from(Instant.now().plus(Duration.ofDays(1))); + + private static final Random RANDOM = new Random(); + private static final BouncyCastleProvider PROVIDER = new BouncyCastleProvider(); + private static final KeyPairGenerator keyGen = createKeyPairGenerator(); + + private final PrivateKey privateKey; + private final X509Certificate cert; + + public SelfSignedCaCertificate(PrivateKey privateKey, X509Certificate cert) { + this.privateKey = privateKey; + this.cert = cert; + } + + public PrivateKey key() { + return privateKey; + } + + public X509Certificate cert() { + return cert; + } + + public static SelfSignedCaCertificate create() throws Exception { + return create( + keyGen.generateKeyPair(), DEFAULT_ISSUER_FQDN, DEFAULT_NOT_BEFORE, DEFAULT_NOT_AFTER); + } + + public static SelfSignedCaCertificate create(String fqdn) throws Exception { + return create(fqdn, DEFAULT_NOT_BEFORE, DEFAULT_NOT_AFTER); + } + + public static SelfSignedCaCertificate create(String fqdn, Date from, Date to) throws Exception { + return create(keyGen.generateKeyPair(), fqdn, from, to); + } + + public static SelfSignedCaCertificate create(KeyPair keyPair, String fqdn, Date from, Date to) + throws Exception { + return new SelfSignedCaCertificate(keyPair.getPrivate(), createCaCert(keyPair, fqdn, from, to)); + } + + static KeyPairGenerator createKeyPairGenerator() { + try { + KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA", PROVIDER); + keyGen.initialize(2048, new SecureRandom()); + return keyGen; + } catch (Exception e) { + throw new RuntimeException(e); + } + } + + /** Returns a self-signed Certificate Authority (CA) certificate. */ + static X509Certificate createCaCert(KeyPair keyPair, String fqdn, Date from, Date to) + throws Exception { + X500Name owner = new X500Name("CN=" + fqdn); + ContentSigner signer = + new JcaContentSignerBuilder("SHA256WithRSAEncryption").build(keyPair.getPrivate()); + X509v3CertificateBuilder builder = + new JcaX509v3CertificateBuilder( + owner, new BigInteger(64, RANDOM), from, to, owner, keyPair.getPublic()); + + // Mark cert as CA by adding basicConstraint with cA=true to the builder + BasicConstraints basicConstraints = new BasicConstraints(true); + builder.addExtension(new ASN1ObjectIdentifier("2.5.29.19"), true, basicConstraints); + + X509CertificateHolder certHolder = builder.build(signer); + return new JcaX509CertificateConverter().setProvider(PROVIDER).getCertificate(certHolder); + } +} diff --git a/networking/src/test/java/google/registry/networking/handler/SslClientInitializerTest.java b/networking/src/test/java/google/registry/networking/handler/SslClientInitializerTest.java index 9a9decdf7..584922c7c 100644 --- a/networking/src/test/java/google/registry/networking/handler/SslClientInitializerTest.java +++ b/networking/src/test/java/google/registry/networking/handler/SslClientInitializerTest.java @@ -21,6 +21,7 @@ import static google.registry.networking.handler.SslInitializerTestUtils.signKey import static google.registry.networking.handler.SslInitializerTestUtils.verifySslExcpetion; import com.google.common.collect.ImmutableList; +import google.registry.networking.util.SelfSignedCaCertificate; import io.netty.channel.Channel; import io.netty.channel.ChannelHandler; import io.netty.channel.ChannelPipeline; @@ -35,7 +36,6 @@ import io.netty.handler.ssl.SslContextBuilder; import io.netty.handler.ssl.SslHandler; import io.netty.handler.ssl.SslProvider; import io.netty.handler.ssl.util.InsecureTrustManagerFactory; -import io.netty.handler.ssl.util.SelfSignedCertificate; import java.security.KeyPair; import java.security.PrivateKey; import java.security.cert.CertPathBuilderException; @@ -153,7 +153,7 @@ public class SslClientInitializerTest { @Test public void testFailure_defaultTrustManager_rejectSelfSignedCert() throws Exception { - SelfSignedCertificate ssc = new SelfSignedCertificate(SSL_HOST); + SelfSignedCaCertificate ssc = SelfSignedCaCertificate.create(SSL_HOST); LocalAddress localAddress = new LocalAddress("DEFAULT_TRUST_MANAGER_REJECT_SELF_SIGNED_CERT_" + sslProvider); nettyRule.setUpServer(localAddress, getServerHandler(false, ssc.key(), ssc.cert())); @@ -177,7 +177,7 @@ public class SslClientInitializerTest { KeyPair keyPair = getKeyPair(); // Generate a self signed certificate, and use it to sign the key pair. - SelfSignedCertificate ssc = new SelfSignedCertificate(); + SelfSignedCaCertificate ssc = SelfSignedCaCertificate.create(); X509Certificate cert = signKeyPair(ssc, keyPair, SSL_HOST); // Set up the server to use the signed cert and private key to perform handshake; @@ -206,7 +206,7 @@ public class SslClientInitializerTest { KeyPair keyPair = getKeyPair(); // Generate a self signed certificate, and use it to sign the key pair. - SelfSignedCertificate ssc = new SelfSignedCertificate(); + SelfSignedCaCertificate ssc = SelfSignedCaCertificate.create(); X509Certificate cert = signKeyPair( ssc, @@ -240,7 +240,7 @@ public class SslClientInitializerTest { KeyPair keyPair = getKeyPair(); // Generate a self signed certificate, and use it to sign the key pair. - SelfSignedCertificate ssc = new SelfSignedCertificate(); + SelfSignedCaCertificate ssc = SelfSignedCaCertificate.create(); X509Certificate cert = signKeyPair( ssc, @@ -272,8 +272,8 @@ public class SslClientInitializerTest { new LocalAddress( "CUSTOM_TRUST_MANAGER_ACCEPT_SELF_SIGNED_CERT_CLIENT_CERT_REQUIRED_" + sslProvider); - SelfSignedCertificate serverSsc = new SelfSignedCertificate(SSL_HOST); - SelfSignedCertificate clientSsc = new SelfSignedCertificate(); + SelfSignedCaCertificate serverSsc = SelfSignedCaCertificate.create(SSL_HOST); + SelfSignedCaCertificate clientSsc = SelfSignedCaCertificate.create(); // Set up the server to require client certificate. nettyRule.setUpServer(localAddress, getServerHandler(true, serverSsc.key(), serverSsc.cert())); @@ -311,7 +311,7 @@ public class SslClientInitializerTest { KeyPair keyPair = getKeyPair(); // Generate a self signed certificate, and use it to sign the key pair. - SelfSignedCertificate ssc = new SelfSignedCertificate(); + SelfSignedCaCertificate ssc = SelfSignedCaCertificate.create(); X509Certificate cert = signKeyPair(ssc, keyPair, "wrong.com"); // Set up the server to use the signed cert and private key to perform handshake; diff --git a/networking/src/test/java/google/registry/networking/handler/SslInitializerTestUtils.java b/networking/src/test/java/google/registry/networking/handler/SslInitializerTestUtils.java index 935a12e20..6349a340c 100644 --- a/networking/src/test/java/google/registry/networking/handler/SslInitializerTestUtils.java +++ b/networking/src/test/java/google/registry/networking/handler/SslInitializerTestUtils.java @@ -18,15 +18,14 @@ import static com.google.common.truth.Truth.assertThat; import static org.junit.Assert.assertThrows; import com.google.common.base.Throwables; +import google.registry.networking.util.SelfSignedCaCertificate; import io.netty.channel.Channel; import io.netty.channel.ChannelFuture; import io.netty.handler.ssl.SslHandler; -import io.netty.handler.ssl.util.SelfSignedCertificate; import java.math.BigInteger; import java.security.KeyPair; import java.security.KeyPairGenerator; import java.security.SecureRandom; -import java.security.Security; import java.security.cert.X509Certificate; import java.time.Duration; import java.time.Instant; @@ -34,17 +33,13 @@ import java.util.Date; import java.util.concurrent.ExecutionException; import javax.net.ssl.SSLSession; import org.bouncycastle.asn1.x500.X500Name; -import org.bouncycastle.asn1.x509.AlgorithmIdentifier; -import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; import org.bouncycastle.cert.X509CertificateHolder; import org.bouncycastle.cert.X509v3CertificateBuilder; import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter; -import org.bouncycastle.crypto.util.PrivateKeyFactory; +import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder; import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.bouncycastle.operator.ContentSigner; -import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder; -import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder; -import org.bouncycastle.operator.bc.BcRSAContentSignerBuilder; +import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; /** * Utility class that provides methods used by {@link SslClientInitializerTest} and {@link @@ -52,16 +47,23 @@ import org.bouncycastle.operator.bc.BcRSAContentSignerBuilder; */ public final class SslInitializerTestUtils { - static { - Security.addProvider(new BouncyCastleProvider()); - } + private static final BouncyCastleProvider PROVIDER = new BouncyCastleProvider(); + private static final KeyPairGenerator KEY_PAIR_GENERATOR = getKeyPairGenerator(); private SslInitializerTestUtils() {} + private static KeyPairGenerator getKeyPairGenerator() { + try { + KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", PROVIDER); + keyPairGenerator.initialize(2048, new SecureRandom()); + return keyPairGenerator; + } catch (Exception e) { + throw new RuntimeException(e); + } + } + public static KeyPair getKeyPair() throws Exception { - KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", "BC"); - keyPairGenerator.initialize(2048, new SecureRandom()); - return keyPairGenerator.generateKeyPair(); + return KEY_PAIR_GENERATOR.generateKeyPair(); } /** @@ -71,26 +73,20 @@ public final class SslInitializerTestUtils { * @return signed public key (of the key pair) certificate */ public static X509Certificate signKeyPair( - SelfSignedCertificate ssc, KeyPair keyPair, String hostname, Date from, Date to) + SelfSignedCaCertificate ssc, KeyPair keyPair, String hostname, Date from, Date to) throws Exception { X500Name subjectDnName = new X500Name("CN=" + hostname); BigInteger serialNumber = BigInteger.valueOf(System.currentTimeMillis()); X500Name issuerDnName = new X500Name(ssc.cert().getIssuerDN().getName()); - SubjectPublicKeyInfo subPubKeyInfo = - SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded()); - AlgorithmIdentifier sigAlgId = - new DefaultSignatureAlgorithmIdentifierFinder().find("SHA256WithRSAEncryption"); - AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId); - - ContentSigner sigGen = - new BcRSAContentSignerBuilder(sigAlgId, digAlgId) - .build(PrivateKeyFactory.createKey(ssc.key().getEncoded())); + ContentSigner sigGen = new JcaContentSignerBuilder("SHA256WithRSAEncryption").build(ssc.key()); X509v3CertificateBuilder v3CertGen = - new X509v3CertificateBuilder( - issuerDnName, serialNumber, from, to, subjectDnName, subPubKeyInfo); + new JcaX509v3CertificateBuilder( + issuerDnName, serialNumber, from, to, subjectDnName, keyPair.getPublic()); X509CertificateHolder certificateHolder = v3CertGen.build(sigGen); - return new JcaX509CertificateConverter().setProvider("BC").getCertificate(certificateHolder); + return new JcaX509CertificateConverter() + .setProvider(PROVIDER) + .getCertificate(certificateHolder); } /** @@ -100,7 +96,7 @@ public final class SslInitializerTestUtils { * @return signed public key (of the key pair) certificate */ public static X509Certificate signKeyPair( - SelfSignedCertificate ssc, KeyPair keyPair, String hostname) throws Exception { + SelfSignedCaCertificate ssc, KeyPair keyPair, String hostname) throws Exception { return signKeyPair( ssc, keyPair, diff --git a/networking/src/test/java/google/registry/networking/handler/SslServerInitializerTest.java b/networking/src/test/java/google/registry/networking/handler/SslServerInitializerTest.java index 13214b2ab..012bcceea 100644 --- a/networking/src/test/java/google/registry/networking/handler/SslServerInitializerTest.java +++ b/networking/src/test/java/google/registry/networking/handler/SslServerInitializerTest.java @@ -23,6 +23,7 @@ import static google.registry.networking.handler.SslServerInitializer.CLIENT_CER import com.google.common.base.Suppliers; import com.google.common.collect.ImmutableList; +import google.registry.networking.util.SelfSignedCaCertificate; import io.netty.channel.ChannelHandler; import io.netty.channel.ChannelInitializer; import io.netty.channel.ChannelPipeline; @@ -33,7 +34,6 @@ import io.netty.handler.ssl.OpenSsl; import io.netty.handler.ssl.SslContextBuilder; import io.netty.handler.ssl.SslHandler; import io.netty.handler.ssl.SslProvider; -import io.netty.handler.ssl.util.SelfSignedCertificate; import java.security.KeyPair; import java.security.PrivateKey; import java.security.cert.CertificateException; @@ -127,7 +127,7 @@ public class SslServerInitializerTest { @Test public void testSuccess_swappedInitializerWithSslHandler() throws Exception { - SelfSignedCertificate ssc = new SelfSignedCertificate(SSL_HOST); + SelfSignedCaCertificate ssc = SelfSignedCaCertificate.create(SSL_HOST); SslServerInitializer sslServerInitializer = new SslServerInitializer<>( true, @@ -147,12 +147,12 @@ public class SslServerInitializerTest { @Test public void testSuccess_trustAnyClientCert() throws Exception { - SelfSignedCertificate serverSsc = new SelfSignedCertificate(SSL_HOST); + SelfSignedCaCertificate serverSsc = SelfSignedCaCertificate.create(SSL_HOST); LocalAddress localAddress = new LocalAddress("TRUST_ANY_CLIENT_CERT_" + sslProvider); nettyRule.setUpServer( localAddress, getServerHandler(true, false, serverSsc.key(), serverSsc.cert())); - SelfSignedCertificate clientSsc = new SelfSignedCertificate(); + SelfSignedCaCertificate clientSsc = SelfSignedCaCertificate.create(); nettyRule.setUpClient( localAddress, getClientHandler(serverSsc.cert(), clientSsc.key(), clientSsc.cert())); @@ -168,13 +168,13 @@ public class SslServerInitializerTest { @Test public void testFailure_clientCertExpired() throws Exception { - SelfSignedCertificate serverSsc = new SelfSignedCertificate(SSL_HOST); + SelfSignedCaCertificate serverSsc = SelfSignedCaCertificate.create(SSL_HOST); LocalAddress localAddress = new LocalAddress("CLIENT_CERT_EXPIRED_" + sslProvider); nettyRule.setUpServer( localAddress, getServerHandler(true, true, serverSsc.key(), serverSsc.cert())); - SelfSignedCertificate clientSsc = - new SelfSignedCertificate( + SelfSignedCaCertificate clientSsc = + SelfSignedCaCertificate.create( "CLIENT", Date.from(Instant.now().minus(Duration.ofDays(2))), Date.from(Instant.now().minus(Duration.ofDays(1)))); @@ -189,13 +189,13 @@ public class SslServerInitializerTest { @Test public void testFailure_clientCertNotYetValid() throws Exception { - SelfSignedCertificate serverSsc = new SelfSignedCertificate(SSL_HOST); + SelfSignedCaCertificate serverSsc = SelfSignedCaCertificate.create(SSL_HOST); LocalAddress localAddress = new LocalAddress("CLIENT_CERT_EXPIRED_" + sslProvider); nettyRule.setUpServer( localAddress, getServerHandler(true, true, serverSsc.key(), serverSsc.cert())); - SelfSignedCertificate clientSsc = - new SelfSignedCertificate( + SelfSignedCaCertificate clientSsc = + SelfSignedCaCertificate.create( "CLIENT", Date.from(Instant.now().plus(Duration.ofDays(1))), Date.from(Instant.now().plus(Duration.ofDays(2)))); @@ -210,7 +210,7 @@ public class SslServerInitializerTest { @Test public void testSuccess_doesNotRequireClientCert() throws Exception { - SelfSignedCertificate serverSsc = new SelfSignedCertificate(SSL_HOST); + SelfSignedCaCertificate serverSsc = SelfSignedCaCertificate.create(SSL_HOST); LocalAddress localAddress = new LocalAddress("DOES_NOT_REQUIRE_CLIENT_CERT_" + sslProvider); nettyRule.setUpServer( @@ -230,7 +230,7 @@ public class SslServerInitializerTest { @Test public void testSuccess_CertSignedByOtherCA() throws Exception { // The self-signed cert of the CA. - SelfSignedCertificate caSsc = new SelfSignedCertificate(); + SelfSignedCaCertificate caSsc = SelfSignedCaCertificate.create(); KeyPair keyPair = getKeyPair(); X509Certificate serverCert = signKeyPair(caSsc, keyPair, SSL_HOST); LocalAddress localAddress = new LocalAddress("CERT_SIGNED_BY_OTHER_CA_" + sslProvider); @@ -244,7 +244,7 @@ public class SslServerInitializerTest { // Serving both the server cert, and the CA cert serverCert, caSsc.cert())); - SelfSignedCertificate clientSsc = new SelfSignedCertificate(); + SelfSignedCaCertificate clientSsc = SelfSignedCaCertificate.create(); nettyRule.setUpClient( localAddress, getClientHandler( @@ -263,7 +263,7 @@ public class SslServerInitializerTest { @Test public void testFailure_requireClientCertificate() throws Exception { - SelfSignedCertificate serverSsc = new SelfSignedCertificate(SSL_HOST); + SelfSignedCaCertificate serverSsc = SelfSignedCaCertificate.create(SSL_HOST); LocalAddress localAddress = new LocalAddress("REQUIRE_CLIENT_CERT_" + sslProvider); nettyRule.setUpServer( @@ -285,12 +285,12 @@ public class SslServerInitializerTest { @Test public void testFailure_wrongHostnameInCertificate() throws Exception { - SelfSignedCertificate serverSsc = new SelfSignedCertificate("wrong.com"); + SelfSignedCaCertificate serverSsc = SelfSignedCaCertificate.create("wrong.com"); LocalAddress localAddress = new LocalAddress("WRONG_HOSTNAME_" + sslProvider); nettyRule.setUpServer( localAddress, getServerHandler(true, false, serverSsc.key(), serverSsc.cert())); - SelfSignedCertificate clientSsc = new SelfSignedCertificate(); + SelfSignedCaCertificate clientSsc = SelfSignedCaCertificate.create(); nettyRule.setUpClient( localAddress, getClientHandler(serverSsc.cert(), clientSsc.key(), clientSsc.cert())); diff --git a/networking/src/test/java/google/registry/networking/module/CertificateSupplierModuleTest.java b/networking/src/test/java/google/registry/networking/module/CertificateSupplierModuleTest.java index c1c3c7912..38f4ef476 100644 --- a/networking/src/test/java/google/registry/networking/module/CertificateSupplierModuleTest.java +++ b/networking/src/test/java/google/registry/networking/module/CertificateSupplierModuleTest.java @@ -26,7 +26,7 @@ import dagger.Component; import dagger.Module; import dagger.Provides; import google.registry.networking.module.CertificateSupplierModule.Mode; -import io.netty.handler.ssl.util.SelfSignedCertificate; +import google.registry.networking.util.SelfSignedCaCertificate; import java.io.ByteArrayOutputStream; import java.io.OutputStreamWriter; import java.security.KeyPair; @@ -47,7 +47,7 @@ import org.junit.runners.JUnit4; @RunWith(JUnit4.class) public class CertificateSupplierModuleTest { - private SelfSignedCertificate ssc; + private SelfSignedCaCertificate ssc; private PrivateKey key; private Certificate cert; private TestComponent component; @@ -62,7 +62,7 @@ public class CertificateSupplierModuleTest { @Before public void setUp() throws Exception { - ssc = new SelfSignedCertificate(); + ssc = SelfSignedCaCertificate.create(); KeyPair keyPair = getKeyPair(); key = keyPair.getPrivate(); cert = signKeyPair(ssc, keyPair, "example.tld"); diff --git a/proxy/src/test/java/google/registry/proxy/EppProtocolModuleTest.java b/proxy/src/test/java/google/registry/proxy/EppProtocolModuleTest.java index 9290052fd..c568a6667 100644 --- a/proxy/src/test/java/google/registry/proxy/EppProtocolModuleTest.java +++ b/proxy/src/test/java/google/registry/proxy/EppProtocolModuleTest.java @@ -23,6 +23,7 @@ import static java.nio.charset.StandardCharsets.UTF_8; import static org.junit.Assert.assertThrows; import com.google.common.base.Throwables; +import google.registry.networking.util.SelfSignedCaCertificate; import google.registry.proxy.handler.HttpsRelayServiceHandler.NonOkHttpResponseException; import google.registry.testing.FakeClock; import io.netty.buffer.ByteBuf; @@ -34,7 +35,6 @@ import io.netty.handler.codec.http.FullHttpResponse; import io.netty.handler.codec.http.HttpResponseStatus; import io.netty.handler.codec.http.cookie.Cookie; import io.netty.handler.codec.http.cookie.DefaultCookie; -import io.netty.handler.ssl.util.SelfSignedCertificate; import io.netty.util.concurrent.Promise; import java.security.cert.X509Certificate; import org.junit.Before; @@ -123,7 +123,7 @@ public class EppProtocolModuleTest extends ProtocolModuleTest { @Before public void setUp() throws Exception { testComponent = makeTestComponent(new FakeClock()); - certificate = new SelfSignedCertificate().cert(); + certificate = SelfSignedCaCertificate.create().cert(); initializeChannel( ch -> { ch.attr(REMOTE_ADDRESS_KEY).set(CLIENT_ADDRESS); diff --git a/proxy/src/test/java/google/registry/proxy/handler/EppServiceHandlerTest.java b/proxy/src/test/java/google/registry/proxy/handler/EppServiceHandlerTest.java index 1ec528ca1..0e97db475 100644 --- a/proxy/src/test/java/google/registry/proxy/handler/EppServiceHandlerTest.java +++ b/proxy/src/test/java/google/registry/proxy/handler/EppServiceHandlerTest.java @@ -27,6 +27,7 @@ import static org.mockito.Mockito.verify; import static org.mockito.Mockito.verifyNoMoreInteractions; import com.google.common.base.Throwables; +import google.registry.networking.util.SelfSignedCaCertificate; import google.registry.proxy.TestUtils; import google.registry.proxy.handler.HttpsRelayServiceHandler.NonOkHttpResponseException; import google.registry.proxy.metric.FrontendMetrics; @@ -41,7 +42,6 @@ import io.netty.handler.codec.http.HttpResponse; import io.netty.handler.codec.http.HttpResponseStatus; import io.netty.handler.codec.http.cookie.Cookie; import io.netty.handler.codec.http.cookie.DefaultCookie; -import io.netty.handler.ssl.util.SelfSignedCertificate; import io.netty.util.concurrent.Promise; import java.security.cert.X509Certificate; import org.junit.Before; @@ -114,7 +114,7 @@ public class EppServiceHandlerTest { @Before public void setUp() throws Exception { - clientCertificate = new SelfSignedCertificate().cert(); + clientCertificate = SelfSignedCaCertificate.create().cert(); channel = setUpNewChannel(eppServiceHandler); } @@ -179,7 +179,7 @@ public class EppServiceHandlerTest { HELLO.getBytes(UTF_8), metrics); EmbeddedChannel channel2 = setUpNewChannel(eppServiceHandler2); - X509Certificate clientCertificate2 = new SelfSignedCertificate().cert(); + X509Certificate clientCertificate2 = SelfSignedCaCertificate.create().cert(); setHandshakeSuccess(channel2, clientCertificate2); String certHash2 = getCertificateHash(clientCertificate2);