Add support for cipher-suite-names of *-ssl-context element.
jstourac committed Oct 13, 2020
1 parent 6126b92 commit ffcf73a
Showing 11 changed files with 149 additions and 52 deletions.
Expand Up @@ -32,6 +32,7 @@ public final class CreateServerSSLContext implements OnlineCommand {
private final String name;
protected final List<String> protocols;
private final String cipherSuiteFilter;
private final String cipherSuiteNames;
private final Boolean needClientAuth;
private final Boolean wantClientAuth;
private final Boolean authenticationOptional;
Expand Down Expand Up @@ -62,6 +63,10 @@ public final class CreateServerSSLContext implements OnlineCommand {
// Multiple usage
private final String algorithm; // keystore manager, truststore manager

// Default set of cipher suites for TLSv1.3 to be set in 'cipher-suite-names' attribute.
public static final String TLS13_CIPHER_SUITE_NAMES =
"TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";


private CreateServerSSLContext(Builder builder) {
this.name = builder.name;
Expand All @@ -74,6 +79,7 @@ private CreateServerSSLContext(Builder builder) {
this.trustStorePassword = builder.trustStorePassword;
this.protocols = builder.protocols;
this.cipherSuiteFilter = builder.cipherSuiteFilter;
this.cipherSuiteNames = builder.cipherSuiteNames;
this.needClientAuth = builder.needClientAuth;
this.wantClientAuth = builder.wantClientAuth;
this.authenticationOptional = builder.authenticationOptional;
Expand Down Expand Up @@ -145,6 +151,7 @@ public void apply(OnlineCommandContext ctx) throws Exception {
AddServerSSLContext.Builder sslServerContextBuilder = new AddServerSSLContext.Builder(name)
.protocols((protocols == null) ? null : protocols.toArray(new String[protocols.size()]))
.cipherSuiteFilter(cipherSuiteFilter)
.cipherSuiteNames(cipherSuiteNames)
.needClientAuth(needClientAuth)
.sessionTimeout(sessionTimeout)
.maximumSessionCacheSize(maximumSessionCacheSize)
Expand Down Expand Up @@ -239,6 +246,7 @@ public static final class Builder {
private String name;
private List<String> protocols;
private String cipherSuiteFilter;
private String cipherSuiteNames;
private Boolean needClientAuth;
private Boolean wantClientAuth;
private Boolean authenticationOptional;
Expand Down Expand Up @@ -325,6 +333,11 @@ public Builder cipherSuiteFilter(String cipherSuiteFilter) {
return this;
}

public Builder cipherSuiteNames(String cipherSuiteNames) {
this.cipherSuiteNames = cipherSuiteNames;
return this;
}

public Builder needClientAuth(Boolean needClientAuth) {
this.needClientAuth = needClientAuth;
return this;
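Review bot: The comment above `TLS13_CIPHER_SUITE_NAMES` describes it as a "default set", but nothing in this class applies it by default — `cipherSuiteNames` stays null unless a caller sets it and is handed to `AddServerSSLContext.Builder` as-is — so I would reword it to `// Convenience value for 'cipher-suite-names': the TLS 1.3 AES-256-GCM, ChaCha20-Poly1305 and AES-128-GCM suites; not applied automatically.` The new builder method `cipherSuiteNames(String)` also deserves a Javadoc stating that the value is a colon-separated list of TLS 1.3 suite names forwarded without validation, that it presumably has no effect unless `protocols` includes TLSv1.3, and that the WildFly 19 version check lives in `AddServerSSLContext.apply` rather than here. The constructor, `apply` and the Builder all start or end outside the hunks.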
Expand Up @@ -10,6 +10,7 @@ abstract class AbstractAddSSLContext implements OnlineCommand, OfflineCommand {

protected final String name;
protected final String cipherSuiteFilter;
protected final String cipherSuiteNames;
protected final List<String> protocols;
protected final String keyManager;
protected final String trustManager;
Expand All @@ -20,6 +21,7 @@ abstract class AbstractAddSSLContext implements OnlineCommand, OfflineCommand {
protected AbstractAddSSLContext(Builder builder) {
this.name = builder.name;
this.cipherSuiteFilter = builder.cipherSuiteFilter;
this.cipherSuiteNames = builder.cipherSuiteNames;
this.protocols = builder.protocols;
this.keyManager = builder.keyManager;
this.trustManager = builder.trustManager;
Expand All @@ -44,6 +46,7 @@ abstract static class Builder<THIS extends Builder> {

protected final String name;
protected String cipherSuiteFilter;
protected String cipherSuiteNames;
protected List<String> protocols;
protected String keyManager;
protected String trustManager;
Expand Down Expand Up @@ -73,6 +76,11 @@ public final THIS cipherSuiteFilter(String cipherSuiteFilter) {
return (THIS) this;
}

public final THIS cipherSuiteNames(String cipherSuiteNames) {
this.cipherSuiteNames = cipherSuiteNames;
return (THIS) this;
}

public final THIS keyManager(String keyManager) {
this.keyManager = keyManager;
return (THIS) this;
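Review bot: The `cipherSuiteNames` field and its server-version precondition belong together, yet the guard that rejects it on pre-WildFly-19 servers is (as far as the rest of this commit shows) copied into both `apply` methods of each subclass, so a single protected helper on this base class would remove the four copies and keep the message in one place. It would need `ServerVersion` in scope here if the class does not already import it, and I would put the rejected version into the message so a failure is self-explaining. The constructor and the Builder both continue outside the hunks.
```java
    // … unchanged: fields and constructor …

    /**
     * Fails fast when cipher-suite-names is set but the target server predates it;
     * the attribute first appears in WildFly 19 (ServerVersion.VERSION_12_0_0).
     */
    protected final void requireCipherSuiteNamesSupport(ServerVersion version) {
        if (cipherSuiteNames != null && version.lessThan(ServerVersion.VERSION_12_0_0)) {
            throw new AssertionError("cipher-suite-names attribute is available since WildFly 19, got " + version);
        }
    }

    // … unchanged: Builder …
```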
Expand Up @@ -22,6 +22,10 @@ public void apply(OnlineCommandContext ctx) throws Exception {
throw new AssertionError("Elytron is available since WildFly 11.");
}

if (cipherSuiteNames != null && ctx.version.lessThan(ServerVersion.VERSION_12_0_0)) {
throw new AssertionError("cipher-suite-names attribute is available since WildFly 19");
}

Operations ops = new Operations(ctx.client);
Address clientSSLContextAddress = Address.subsystem("elytron").and("client-ssl-context", name);
if (replaceExisting) {
Expand All @@ -31,6 +35,7 @@ public void apply(OnlineCommandContext ctx) throws Exception {

ops.add(clientSSLContextAddress, Values.empty()
.andOptional("cipher-suite-filter", cipherSuiteFilter)
.andOptional("cipher-suite-names", cipherSuiteNames)
.andOptional("key-manager", keyManager)
.andOptional("trust-manager", trustManager)
.andListOptional(String.class, "protocols", protocols));
Expand All @@ -42,10 +47,15 @@ public void apply(OfflineCommandContext ctx) throws Exception {
throw new AssertionError("Elytron is available since WildFly 11.");
}

if (cipherSuiteNames != null && ctx.version.lessThan(ServerVersion.VERSION_12_0_0)) {
throw new AssertionError("cipher-suite-names attribute is available since WildFly 19");
}

ctx.client.apply(GroovyXmlTransform.of(AddClientSSLContext.class)
.subtree("elytronSubsystem", Subtree.subsystem("elytron"))
.parameter("atrName", name)
.parameter("atrCipherSuiteFilter", cipherSuiteFilter)
.parameter("atrCipherSuiteNames", cipherSuiteNames)
.parameter("atrKeyManager", keyManager)
.parameter("atrTrustManager", trustManager)
.parameter("atrProtocols", protocols != null ? joinList(protocols) : null)
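Review bot: The guard compares against `ServerVersion.VERSION_12_0_0` while its message speaks of "WildFly 19", which reads like a mismatch to anyone who does not know that Creaper's `ServerVersion` presumably tracks the management model version rather than the product version; a one-line comment above each check, `// WildFly 19 is the first release whose management model (12.0.0) knows cipher-suite-names`, would stop the next reader from "fixing" it. I would also append the detected version to the message so a failing run reports what it actually found: `throw new AssertionError("cipher-suite-names attribute is available since WildFly 19, got " + ctx.version);`. Both `apply` methods start and end outside the hunks.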
Expand Up @@ -47,6 +47,10 @@ public void apply(OnlineCommandContext ctx) throws Exception {
throw new AssertionError("Elytron is available since WildFly 11.");
}

if (cipherSuiteNames != null && ctx.version.lessThan(ServerVersion.VERSION_12_0_0)) {
throw new AssertionError("cipher-suite-names attribute is available since WildFly 19");
}

Operations ops = new Operations(ctx.client);
Address serverSSLContextAddress = Address.subsystem("elytron").and("server-ssl-context", name);
if (replaceExisting) {
Expand All @@ -57,6 +61,7 @@ public void apply(OnlineCommandContext ctx) throws Exception {
ops.add(serverSSLContextAddress, Values.empty()
.and("key-manager", keyManager)
.andOptional("cipher-suite-filter", cipherSuiteFilter)
.andOptional("cipher-suite-names", cipherSuiteNames)
.andOptional("maximum-session-cache-size", maximumSessionCacheSize)
.andOptional("session-timeout", sessionTimeout)
.andOptional("trust-manager", trustManager)
Expand All @@ -81,10 +86,15 @@ public void apply(OfflineCommandContext ctx) throws Exception {
throw new AssertionError("Elytron is available since WildFly 11.");
}

if (cipherSuiteNames != null && ctx.version.lessThan(ServerVersion.VERSION_12_0_0)) {
throw new AssertionError("cipher-suite-names attribute is available since WildFly 19");
}

ctx.client.apply(GroovyXmlTransform.of(AddServerSSLContext.class)
.subtree("elytronSubsystem", Subtree.subsystem("elytron"))
.parameter("atrName", name)
.parameter("atrCipherSuiteFilter", cipherSuiteFilter)
.parameter("atrCipherSuiteNames", cipherSuiteNames)
.parameter("atrMaximumSessionCacheSize", maximumSessionCacheSize)
.parameter("atrSessionTimeout", sessionTimeout)
.parameter("atrKeyManager", keyManager)
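Review bot: `cipher-suite-names` is forwarded at the `.andOptional(...)` and `.parameter(...)` lines with no relation to `protocols`, and since the attribute is, going by the TLSv1.3 wording elsewhere in this commit, presumably consulted only for TLS 1.3 handshakes, a caller who sets it while restricting `protocols` to TLSv1.2 gets a context that silently ignores it. I would at least document that next to the online call: `// TLS 1.3 suite names only; presumably inert unless 'protocols' includes TLSv1.3 (not validated here)`. The same guard is repeated verbatim in the online and offline `apply`, which both begin and end outside the hunks.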
@@ -1,5 +1,6 @@
sslContextAttrs = ['name': atrName]
if (atrCipherSuiteFilter != null) sslContextAttrs['cipher-suite-filter'] = atrCipherSuiteFilter
if (atrCipherSuiteNames != null) sslContextAttrs['cipher-suite-names'] = atrCipherSuiteNames
if (atrKeyManager != null) sslContextAttrs['key-manager'] = atrKeyManager
if (atrTrustManager != null) sslContextAttrs['trust-manager'] = atrTrustManager
if (atrProtocols != null) sslContextAttrs['protocols'] = atrProtocols
@@ -1,5 +1,6 @@
sslContextAttrs = ['name': atrName]
if (atrCipherSuiteFilter != null) sslContextAttrs['cipher-suite-filter'] = atrCipherSuiteFilter
if (atrCipherSuiteNames != null) sslContextAttrs['cipher-suite-names'] = atrCipherSuiteNames
if (atrMaximumSessionCacheSize != null) sslContextAttrs['maximum-session-cache-size'] = atrMaximumSessionCacheSize
if (atrSessionTimeout != null) sslContextAttrs['session-timeout'] = atrSessionTimeout
if (atrKeyManager != null) sslContextAttrs['key-manager'] = atrKeyManager
Expand Up @@ -3,17 +3,21 @@
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import static org.wildfly.extras.creaper.commands.elytron.CreateServerSSLContext.TLS13_CIPHER_SUITE_NAMES;

import java.util.Arrays;

import org.jboss.arquillian.junit.Arquillian;
import org.junit.After;
import org.junit.Test;
import org.junit.runner.RunWith;

import org.wildfly.extras.creaper.commands.elytron.tls.AbstractAddSSLContextOnlineTest;
import org.wildfly.extras.creaper.core.CommandFailedException;
import org.wildfly.extras.creaper.core.ServerVersion;
import org.wildfly.extras.creaper.core.online.operations.Address;

import org.junit.After;
import org.junit.Test;
import org.junit.runner.RunWith;

@RunWith(Arquillian.class)
public class CreateServerSSLContextOnlineTest extends AbstractAddSSLContextOnlineTest {

Expand Down Expand Up @@ -103,7 +107,8 @@ public void addDuplicateServerSSLContextNotAllowed() throws Exception {

@Test
public void addFullServerSSLContext() throws Exception {
CreateServerSSLContext createServerSSLContext = new CreateServerSSLContext.Builder(SERVER_SSL_CONTEXT_NAME)
CreateServerSSLContext.Builder createServerSSLContextBuilder =
new CreateServerSSLContext.Builder(SERVER_SSL_CONTEXT_NAME)
.keyStorePassword(PASSWORD)
.keyPassword(PASSWORD)
.cipherSuiteFilter("ALL")
Expand All @@ -124,12 +129,21 @@ public void addFullServerSSLContext() throws Exception {
.trustStorePassword(PASSWORD)
.trustStorePath("/path")
.trustStoreRelativeTo("jboss.server.config.dir")
.trustStoreRequired(false)
.build();
client.apply(createServerSSLContext);
.trustStoreRequired(false);

if (client.version().greaterThanOrEqualTo(ServerVersion.VERSION_12_0_0)) {
// This attribute has been added in WildFly 19.
createServerSSLContextBuilder.cipherSuiteNames(TLS13_CIPHER_SUITE_NAMES);
}

client.apply(createServerSSLContextBuilder.build());
assertTrue("The server ssl context should be created", ops.exists(SERVER_SSL_CONTEXT_ADDRESS));

checkAttribute(SERVER_SSL_CONTEXT_ADDRESS, "cipher-suite-filter", "ALL");
if (client.version().greaterThanOrEqualTo(ServerVersion.VERSION_12_0_0)) {
// This attribute has been added in WildFly 19.
checkAttribute(SERVER_SSL_CONTEXT_ADDRESS, "cipher-suite-names", TLS13_CIPHER_SUITE_NAMES);
}
checkAttribute(SERVER_SSL_CONTEXT_ADDRESS, "maximum-session-cache-size", "0");
checkAttribute(SERVER_SSL_CONTEXT_ADDRESS, "session-timeout", "0");
checkAttribute(SERVER_SSL_CONTEXT_ADDRESS, "protocols", Arrays.asList(SERVER_SSL_CONTEXT_PROTOCOL));
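Review bot: The new version guard has no negative test: on a server older than `VERSION_12_0_0` this test simply omits `cipherSuiteNames`, so the `AssertionError` path introduced by the commit is never exercised. A companion test that assumes `client.version().lessThan(ServerVersion.VERSION_12_0_0)` via `org.junit.Assume`, applies a builder with `.cipherSuiteNames(TLS13_CIPHER_SUITE_NAMES)` and verifies that an `AssertionError` whose message mentions `cipher-suite-names` is thrown (rethrowing any other `AssertionError`, since `fail` throws one too) would close that gap. `SERVER_SSL_CONTEXT_PROTOCOL` is defined outside the hunk; if it does not include TLSv1.3 the attribute is only checked for persistence, never for effect, which is acceptable here but worth a comment. `addFullServerSSLContext` begins outside the hunk.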
Expand Up @@ -2,6 +2,7 @@

import static org.junit.Assert.fail;
import static org.wildfly.extras.creaper.XmlAssert.assertXmlIdentical;
import static org.wildfly.extras.creaper.commands.elytron.CreateServerSSLContext.TLS13_CIPHER_SUITE_NAMES;

import java.io.File;

Expand All @@ -12,6 +13,7 @@
import org.junit.rules.TemporaryFolder;
import org.wildfly.extras.creaper.core.CommandFailedException;
import org.wildfly.extras.creaper.core.ManagementClient;
import org.wildfly.extras.creaper.core.ServerVersion;
import org.wildfly.extras.creaper.core.offline.OfflineManagementClient;
import org.wildfly.extras.creaper.core.offline.OfflineOptions;

Expand All @@ -21,27 +23,27 @@
public class AddClientSSLContextOfflineTest {

private static final String SUBSYSTEM_EMPTY = ""
+ "<server xmlns=\"urn:jboss:domain:5.0\">\n"
+ "<server xmlns=\"urn:jboss:domain:13.0\">\n"
+ " <profile>\n"
+ " <subsystem xmlns=\"urn:wildfly:elytron:1.0\">\n"
+ " <subsystem xmlns=\"urn:wildfly:elytron:10.0\">\n"
+ " </subsystem>\n"
+ " </profile>\n"
+ "</server>";

private static final String SUBSYSTEM_TLS_EMPTY = ""
+ "<server xmlns=\"urn:jboss:domain:5.0\">\n"
+ "<server xmlns=\"urn:jboss:domain:13.0\">\n"
+ " <profile>\n"
+ " <subsystem xmlns=\"urn:wildfly:elytron:1.0\">\n"
+ " <subsystem xmlns=\"urn:wildfly:elytron:10.0\">\n"
+ " <tls>\n"
+ " </tls>\n"
+ " </subsystem>\n"
+ " </profile>\n"
+ "</server>";

private static final String SUBSYSTEM_CLIENT_SSL_CONTEXTS_EMPTY = ""
+ "<server xmlns=\"urn:jboss:domain:5.0\">\n"
+ "<server xmlns=\"urn:jboss:domain:13.0\">\n"
+ " <profile>\n"
+ " <subsystem xmlns=\"urn:wildfly:elytron:1.0\">\n"
+ " <subsystem xmlns=\"urn:wildfly:elytron:10.0\">\n"
+ " <tls>\n"
+ " <client-ssl-contexts>\n"
+ " </client-ssl-contexts>\n"
Expand All @@ -51,9 +53,9 @@ public class AddClientSSLContextOfflineTest {
+ "</server>";

private static final String SUBSYSTEM_SIMPLE = ""
+ "<server xmlns=\"urn:jboss:domain:5.0\">\n"
+ "<server xmlns=\"urn:jboss:domain:13.0\">\n"
+ " <profile>\n"
+ " <subsystem xmlns=\"urn:wildfly:elytron:1.0\">\n"
+ " <subsystem xmlns=\"urn:wildfly:elytron:10.0\">\n"
+ " <tls>\n"
+ " <client-ssl-contexts>\n"
+ " <client-ssl-context name=\"clientSslContext\"/>\n"
Expand All @@ -64,9 +66,9 @@ public class AddClientSSLContextOfflineTest {
+ "</server>";

private static final String SUBSYSTEM_EXPECTED_REPLACE = ""
+ "<server xmlns=\"urn:jboss:domain:5.0\">\n"
+ "<server xmlns=\"urn:jboss:domain:13.0\">\n"
+ " <profile>\n"
+ " <subsystem xmlns=\"urn:wildfly:elytron:1.0\">\n"
+ " <subsystem xmlns=\"urn:wildfly:elytron:10.0\">\n"
+ " <tls>\n"
+ " <client-ssl-contexts>\n"
+ " <client-ssl-context name=\"clientSslContext\" cipher-suite-filter=\"ALL\"/>\n"
Expand All @@ -77,9 +79,9 @@ public class AddClientSSLContextOfflineTest {
+ "</server>";

private static final String SUBSYSTEM_SECOND_CLIENT_SSL_CONTEXT = ""
+ "<server xmlns=\"urn:jboss:domain:5.0\">\n"
+ "<server xmlns=\"urn:jboss:domain:13.0\">\n"
+ " <profile>\n"
+ " <subsystem xmlns=\"urn:wildfly:elytron:1.0\">\n"
+ " <subsystem xmlns=\"urn:wildfly:elytron:10.0\">\n"
+ " <tls>\n"
+ " <client-ssl-contexts>\n"
+ " <client-ssl-context name=\"clientSslContext\"/>\n"
Expand All @@ -91,12 +93,13 @@ public class AddClientSSLContextOfflineTest {
+ "</server>";

private static final String SUBSYSTEM_FULL = ""
+ "<server xmlns=\"urn:jboss:domain:5.0\">\n"
+ "<server xmlns=\"urn:jboss:domain:13.0\">\n"
+ " <profile>\n"
+ " <subsystem xmlns=\"urn:wildfly:elytron:1.0\">\n"
+ " <subsystem xmlns=\"urn:wildfly:elytron:10.0\">\n"
+ " <tls>\n"
+ " <client-ssl-contexts>\n"
+ " <client-ssl-context name=\"clientSslContext\" cipher-suite-filter=\"ALL\" "
+ " cipher-suite-names=\"" + TLS13_CIPHER_SUITE_NAMES + "\" "
+ " key-manager=\"keyManager\" trust-manager=\"trustManager\""
+ " protocols=\"TLSv1.2 TLSv1.1\" provider-name=\"ksProvider\" providers=\"ksProviderLoader\"/>\n"
+ " </client-ssl-contexts>\n"
Expand Down Expand Up @@ -234,17 +237,22 @@ public void addFullToEmpty() throws Exception {
OfflineManagementClient client = ManagementClient.offline(
OfflineOptions.standalone().configurationFile(cfg).build());

AddClientSSLContext addClientSslContext = new AddClientSSLContext.Builder("clientSslContext")
AddClientSSLContext.Builder addClientSslContextBuilder =
new AddClientSSLContext.Builder("clientSslContext")
.cipherSuiteFilter("ALL")
.keyManager("keyManager")
.trustManager("trustManager")
.protocols("TLSv1.2", "TLSv1.1")
.providerName("ksProvider")
.providers("ksProviderLoader")
.build();
.providers("ksProviderLoader");

if (client.version().greaterThanOrEqualTo(ServerVersion.VERSION_12_0_0)) {
// This attribute has been added in WildFly 19.
addClientSslContextBuilder.cipherSuiteNames(TLS13_CIPHER_SUITE_NAMES);
}

assertXmlIdentical(SUBSYSTEM_EMPTY, Files.toString(cfg, Charsets.UTF_8));
client.apply(addClientSslContext);
client.apply(addClientSslContextBuilder.build());
assertXmlIdentical(SUBSYSTEM_FULL, Files.toString(cfg, Charsets.UTF_8));
}
}
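Review bot: The `client.version().greaterThanOrEqualTo(ServerVersion.VERSION_12_0_0)` branch in `addFullToEmpty` is dead in effect: `SUBSYSTEM_FULL` unconditionally contains `cipher-suite-names`, so if the branch were ever skipped the following `assertXmlIdentical` would fail anyway, and with every fixture now declaring `urn:jboss:domain:13.0` the offline client presumably derives a version at or above 12.0.0. I would either call `.cipherSuiteNames(TLS13_CIPHER_SUITE_NAMES)` unconditionally with the comment `// fixtures declare domain 13.0, so cipher-suite-names (WildFly 19+) is always available here`, or make the expected XML conditional too. Separately, the fixture pairs TLS 1.3 suite names with `protocols="TLSv1.2 TLSv1.1"`; that is fine for a serialization test, but a short comment saying the combination is intentionally inert would stop it being copied into a real configuration.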
