From 96f5dfb73488b04a94529207a8cbe2f0b7ef88a3 Mon Sep 17 00:00:00 2001 From: "Titirisca Alexandru, B2B-BPN-HLT-DO (EXT)" Date: Wed, 1 Apr 2020 20:05:21 +0300 Subject: [PATCH] add domain validation support to TLSSyslogSenderImpl --- .../audit/protocol/TLSSyslogSenderImpl.java | 48 +++++++++++++++++- .../audit/TLSAuditorIntegrationTest.java | 16 ++++++ .../protocol/TLSSyslogSenderImplTest.java | 2 +- .../src/test/resources/security/ca.keystore | Bin 2224 -> 3123 bytes .../test/resources/security/server.keystore | Bin 3976 -> 6164 bytes 5 files changed, 64 insertions(+), 2 deletions(-) diff --git a/commons/audit/src/main/java/org/openehealth/ipf/commons/audit/protocol/TLSSyslogSenderImpl.java b/commons/audit/src/main/java/org/openehealth/ipf/commons/audit/protocol/TLSSyslogSenderImpl.java index 92ac9a90ca..4ec9ee4004 100644 --- a/commons/audit/src/main/java/org/openehealth/ipf/commons/audit/protocol/TLSSyslogSenderImpl.java +++ b/commons/audit/src/main/java/org/openehealth/ipf/commons/audit/protocol/TLSSyslogSenderImpl.java @@ -15,6 +15,7 @@ */ package org.openehealth.ipf.commons.audit.protocol; +import javax.net.ssl.SSLParameters; import org.openehealth.ipf.commons.audit.AuditContext; import org.openehealth.ipf.commons.audit.AuditException; import org.openehealth.ipf.commons.audit.utils.AuditUtils; @@ -59,10 +60,12 @@ public class TLSSyslogSenderImpl extends RFC5424Protocol implements AuditTransmi private static final Logger LOG = LoggerFactory.getLogger(TLSSyslogSenderImpl.class); private static final int MIN_SO_TIMEOUT = 1; private static final Boolean DEFAULT_SOCKET_KEEPALIVE = Boolean.TRUE; + private static final String ENDPOINT_IDENTIFICATION_ALGORITHM_HTTPS = "HTTPS"; private final AtomicReference socket = new AtomicReference<>(); private final SocketFactory socketFactory; private final SocketTestPolicy socketTestPolicy; + private final Boolean performDomainValidation; /** * Constructor which uses default values for all parameters. 
@@ -75,6 +78,11 @@ public TLSSyslogSenderImpl(SocketTestPolicy socketTestPolicy) { this(AuditUtils.getLocalHostName(), AuditUtils.getProcessId(), socketTestPolicy); } + public TLSSyslogSenderImpl(Boolean performDomainValidation) { + this(AuditUtils.getLocalHostName(), AuditUtils.getProcessId(), (SSLSocketFactory)SSLSocketFactory.getDefault(), + SocketTestPolicy.TEST_BEFORE_WRITE, performDomainValidation); + } + /** * @param socketFactory SSL socket factory to be used for creating the TCP * socket. @@ -95,6 +103,18 @@ public TLSSyslogSenderImpl(SSLSocketFactory socketFactory, SocketTestPolicy sock this(AuditUtils.getLocalHostName(), AuditUtils.getProcessId(), socketFactory, socketTestPolicy); } + /** + * + * @param socketFactory SSL socket factory to be used for creating the TCP + * socket. + * @param socketTestPolicy Determining if and when to test the socket for a + * connection close/reset + * @param performDomainValidation Determining if domain validation should be performed + */ + public TLSSyslogSenderImpl(SSLSocketFactory socketFactory, SocketTestPolicy socketTestPolicy, Boolean performDomainValidation) { + this(AuditUtils.getLocalHostName(), AuditUtils.getProcessId(), socketFactory, socketTestPolicy, performDomainValidation); + } + /** * @param sendingHost value of the SYSLOG header "HOSTNAME" * @param sendingProcess value of the SYSLOG header "APP-NAME" @@ -113,6 +133,7 @@ public TLSSyslogSenderImpl(String sendingHost, String sendingProcess, SocketTest super(sendingHost, sendingProcess); this.socketFactory = SSLSocketFactory.getDefault(); this.socketTestPolicy = socketTestPolicy; + this.performDomainValidation = Boolean.FALSE; } /** @@ -125,6 +146,7 @@ public TLSSyslogSenderImpl(String sendingHost, String sendingProcess, SSLSocketF super(sendingHost, sendingProcess); this.socketFactory = Objects.requireNonNull(socketFactory); this.socketTestPolicy = SocketTestPolicy.TEST_BEFORE_WRITE; + this.performDomainValidation = Boolean.FALSE; } /** 
@@ -140,6 +162,24 @@ public TLSSyslogSenderImpl(String sendingHost, String sendingProcess, SSLSocketF super(sendingHost, sendingProcess); this.socketFactory = Objects.requireNonNull(socketFactory); this.socketTestPolicy = socketTestPolicy; + this.performDomainValidation = Boolean.FALSE; + } + + /** + * @param sendingHost value of the SYSLOG header "HOSTNAME" + * @param sendingProcess value of the SYSLOG header "APP-NAME" + * @param socketFactory SSL socket factory to be used for creating the TCP + * socket. + * @param socketTestPolicy Determining if and when to test the socket for a + * connection close/reset + * @param performDomainValidation Determining if domain validation should be performed + */ + public TLSSyslogSenderImpl(String sendingHost, String sendingProcess, SSLSocketFactory socketFactory, + SocketTestPolicy socketTestPolicy, Boolean performDomainValidation) { + super(sendingHost, sendingProcess); + this.socketFactory = Objects.requireNonNull(socketFactory); + this.socketTestPolicy = socketTestPolicy; + this.performDomainValidation = performDomainValidation; } @Override @@ -265,9 +305,15 @@ private Socket getTLSSocket(AuditContext auditContext) { * @param socket Socket to configure * @throws SocketException */ - protected void setSocketOptions(final Socket socket) throws SocketException { + protected void setSocketOptions(final SSLSocket socket) throws SocketException { Objects.requireNonNull(socket); socket.setKeepAlive(DEFAULT_SOCKET_KEEPALIVE); + + if(performDomainValidation) { + SSLParameters sslParams = new SSLParameters(); + sslParams.setEndpointIdentificationAlgorithm(ENDPOINT_IDENTIFICATION_ALGORITHM_HTTPS); + socket.setSSLParameters(sslParams); + } } /** diff --git a/commons/audit/src/test/java/org/openehealth/ipf/commons/audit/TLSAuditorIntegrationTest.java b/commons/audit/src/test/java/org/openehealth/ipf/commons/audit/TLSAuditorIntegrationTest.java index 569787d623..b58ddf8cfc 100644 
--- a/commons/audit/src/test/java/org/openehealth/ipf/commons/audit/TLSAuditorIntegrationTest.java +++ b/commons/audit/src/test/java/org/openehealth/ipf/commons/audit/TLSAuditorIntegrationTest.java @@ -71,4 +71,20 @@ public void testTwoWayTLSInterrupted(TestContext testContext) throws Exception { async.awaitSuccess(WAIT_TIME); } + @Test + public void testTwoWayTLSWithDomainVerification(TestContext testContext) throws Exception { + initTLSSystemProperties(null); + auditContext.setAuditTransmissionProtocol(new TLSSyslogSenderImpl(true)); + int count = 10; + Async async = testContext.async(count); + deploy(testContext, createTCPServerTwoWayTLS(port, + TRUST_STORE, + TRUST_STORE_PASS, + SERVER_KEY_STORE, + SERVER_KEY_STORE_PASS, + async)); + for (int i = 0; i < count; i++) sendAudit(); + async.awaitSuccess(WAIT_TIME); + } + } diff --git a/commons/audit/src/test/java/org/openehealth/ipf/commons/audit/protocol/TLSSyslogSenderImplTest.java b/commons/audit/src/test/java/org/openehealth/ipf/commons/audit/protocol/TLSSyslogSenderImplTest.java index 66c29ca4b2..7448ef2a9e 100644 --- a/commons/audit/src/test/java/org/openehealth/ipf/commons/audit/protocol/TLSSyslogSenderImplTest.java +++ b/commons/audit/src/test/java/org/openehealth/ipf/commons/audit/protocol/TLSSyslogSenderImplTest.java @@ -252,7 +252,7 @@ public SocketOptionOverrideTLSSyslogSenderImpl(String sendingHost, String sendin } @Override - protected void setSocketOptions(final Socket socket) throws SocketException { + protected void setSocketOptions(final SSLSocket socket) throws SocketException { super.setSocketOptions(socket); socket.setReceiveBufferSize(5); } 
diff --git a/commons/audit/src/test/resources/security/ca.keystore b/commons/audit/src/test/resources/security/ca.keystore index cfb3ede023d8c2b6aeb56c452d559cfbfa020cf4..e93ae89c46861a6af28e8e51c6c69487af2a0d18 100644 GIT binary patch delta 760 zcmdlWxLJbd-`jt085kItKzJk11P(VahchQXIWZ?Azqo{ffw54?`0!l@)(AaQ14{-5 z=0t-g=2(L!Cf5bbOpHuSEHPXwY7BVUIJMe5+P?ELGIFyr7{pJ$!|G!yWFWxC9LmBh zj4;kXPMp`sz`)qZ)X>n-%+xdr%r!GIhH@b~g|Xm&i>=CY`%o6@XY~J5XU314i&Fhw)PMIp zTp@O8Rz_T@UD0{%Lq>~g6cp~}Smu6y`19ZHBCa`0-s#I)B+1^{<0>r>W>9kM)xyKk zU%uQ-3XJ$a^Mj&o^S$~7-ZI}f->sPBeLOCUS^Jh*;-Oh5_-1BGrmz_1rf&Q2TqVe4 zuGwp@OG{dJYb2W7S`iW+_8@3YPxg|_8ckdJ%&+X9wo3VTt&w$_L+-J4b#9_dPL;2E z>6fI%c0}%7DnshD>g|7jw@wt}(%HDH`|_kKj)$zC#2ocyEw6JvG_}cBo+;CGasstf&r?RFmUX|g0;fh;9!+T@n z;I)j~k6GW-(6hEFJiOKZ$I1E~j{`mZsxz`B*#h3}4V!sZ*MIk{mvW&eu3l=*pBg`N z)Bla>ESBevS6e!&cP8(zP(A3j^Gn>PtA0WyNv@sxzf_*P-Ji^m|4R7Dp5lbxHFgbL z^0U{TciPo8%_nP4#MGQC*&;>fk~>cPdG_1pt7QMl)(%4aG(uQWciiw_DA;N>@&cuB_-r zpjRXoLoc+N%zga2kcRPEksXZ>wC-?nOA3DJ%`+|iGSGb7GAL776B%EZIKuX(3Hg}g zf8F?%O(e6|rP#VqoCxq0rdh6fTl$^*#PJQXFw-kvdJJrWB4B;|ISH)n8GdNQej}i3 z&jW}PW%Fn)YVmz9BSPrL$X>3cLtxxD%xJT$WuWitwsoln85}YIZ&Xl8mHp7qv$JV& zk}>M)9!Z)ebg+Hrgl7WmqZN7Rpjj`0e|*`2$n|{&Ur7G?hsn(oK*Xvhi`cOv7TyP? 
zE?pkl;nEDgh#>DANE|aC%QNmmzcHT@Q;z0qEUe-bUkR`-q z><~NB@G{-I&sSnj);)=o&~*TdEgDc1vfPrtakvK7&2&TVE%?l`5|#?hhhgJ1e;)d5 z9JA@7clvU54(f^!PImrA+0%1Qo2m&O!`t&a#p_J_Nwu$`0#zUUNh0^4zfo(InR|nf zTO($0l;!8Bng{^rfp<41K8MSAIZm{xU+l_@tSaHh|Lr$-&FyADg@kc2qPT%Hc+$i& z$=bY3+PKRKFC$qAoqq$MwTJ=7e_46&bB>GX;AkNiCW$=3=gF`Fa4gj&uS=sWjsWn& zdq3<;_&=K1`h!bR)1Fc-^g#PEO!9-B-*4_lGdWfQ-IB*KqXsUsDMW9tADSdE_;7lM z5zUF#_~Yskdn|w=#Zl2b`_r3K-W3e(b*tQHTgTs@hWNJ&FSv7>K$`@Ie>FP!F}K{t z5os8YMjL+?L%EuY6!vZ4Qo6yo!{d|y3dU-&&K~HExi*xf3WV-?=1%5+Ek?HeH&eug z53B)>wAapIuw8{K?b_9hUn?mQixxk9<3!3Yg39z{O8XS!4|~ZZosm}0gL$w%F>NlV zjq8(KVHvku5&YNe&Sq`qe;I5bWbVrB0q306>}&s&%i{czfM+TnRs3&pZTU#{X@94T z2nd%b4W5MH1a>BK_3f4jL{!U5ctt9$PBsC7%9nM3ak>L6CoG%EDARgN(u1lDg2#!f z3DUYD`|d2}EcowX3BTrA{S=EKGf;*NZFX|Mm75Z<6baAoK#M{Fe-X`wlb}t?$ly(u zB?UK0F6crMC@R#mCZ%~TtgkLaWbRt!FDZTqZV=CTWxWGHM8`iZeCwR8)Bj=Y!vfAS z&Rx0UQ{qPS5YhZ8!JNsT{Mj)duvI4c4wTzj`Sa6T=Nid?tkc&oiJ%3%vUj&6?{>Li z8Hi+6VVrt~Q{-YneS(~9<=ty@5{(g%jas6#8R5%D{_6k$00966SS~d% zIRF3yVK9ONT`+Y-n$DbTA$l4Kgq=Gcq+XF)=nZHCh)9GB7YUGBYtTF*Y?dS})_-q||!ieK20&sjZ z8w^@-VIp78ZszhOTrU=?ZbtBSRZcSh@`-5p*`j4m=zsS~!*~|bnrL2iK61}1!ZMa`+YJyW9R>qc9S#H*1Qb8y&{M#&yF_Le z^^TA{GMAjyN1>Bo4itZvKk^It(qw|$tyy>l=DZZU^c|c)tt-bmLlSQ1=7p z{Ts;c=B?eUaFGEN4gv>5bda{V)@gBoY5YX%xtf}n52{1pK^slB_4BMsJ;7iI4?p=6 zhYa*y=96=3*i7OX(b~#tm!qm^PtepxaDeYKGgGYrx5hi(C@z0HJaNOdKlsUixZ_bt zPJ3u;83s`9y;hmcEl<0e=^jIYB3hW50MM!A80CUh>sW z5_Doki7)yj=SJU?0B`CO_$B@9n?03=9lRAiR;Mn|ZS`&s}bjb0um1P1YB#U%&M`{DsPtO?@vjiU6*( B6np>x
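Review bot: in the first hunk of TLSSyslogSenderImpl.java (`@@ -15,6 +15,7 @@`), `import javax.net.ssl.SSLParameters;` is dropped in front of the `org.openehealth.ipf...` imports instead of alongside the `javax.net.ssl` imports the class already relies on (`SSLSocket`, `SSLSocketFactory`); move it into that group so the import block stays sorted.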
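Review bot: in the fields hunk (`@@ -59,10 +60,12 @@`), `performDomainValidation` is a boxed `Boolean` that is later auto-unboxed in `if(performDomainValidation)`, so a caller passing `null` to the new five-argument constructor fails with a `NullPointerException` on the first connection rather than at construction. Declare it as a primitive `boolean` (the field is `final` and assigned in every constructor) or guard it with `Objects.requireNonNull`, as the same constructors already do for `socketFactory`. A Javadoc sentence on the field stating that hostname verification is only performed when explicitly requested would also help, since every pre-existing constructor now sets it to `Boolean.FALSE`.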
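Review bot: the new single-argument constructor in `@@ -75,6 +78,11 @@` (`public TLSSyslogSenderImpl(Boolean performDomainValidation)`) is the only constructor in the class without Javadoc; document it, and state that it fixes `SocketTestPolicy.TEST_BEFORE_WRITE` and the JVM default `SSLSocketFactory`, so a caller who needs a custom trust store has to use the three- or five-argument form instead.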
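Review bot: the Javadoc added for the three-argument constructor in `@@ -95,6 +103,18 @@` opens with an empty ` *` line before the `@param` tags; drop it so the comment matches the style of the surrounding constructors.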
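Review bot: with the five-argument constructor introduced in `@@ -140,6 +162,24 @@`, the three older constructors (this hunk and the two preceding ones) each duplicate the field assignments and add `this.performDomainValidation = Boolean.FALSE;` by hand. Delegating them with `this(sendingHost, sendingProcess, socketFactory, socketTestPolicy, Boolean.FALSE)` (passing `(SSLSocketFactory) SSLSocketFactory.getDefault()` where no factory is supplied) removes the repetition and keeps the `requireNonNull` check in one place.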
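Review bot: in `setSocketOptions` (`@@ -265,9 +305,15 @@`), the endpoint identification algorithm is applied through a freshly constructed `SSLParameters`, which carries none of the socket's current settings; the documented idiom is to start from `socket.getSSLParameters()`, call `setEndpointIdentificationAlgorithm("HTTPS")` on that, and pass it back to `setSSLParameters`, so enabled protocols, cipher suites, SNI names and any algorithm constraints already configured on the socket are not replaced by defaults. Also confirm that `getTLSSocket` invokes this method before the handshake starts, because endpoint identification set after `startHandshake()` has no effect on the session already negotiated, and use `if (` with a space as the rest of the code base does.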
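Review bot: the new integration test `testTwoWayTLSWithDomainVerification` in TLSAuditorIntegrationTest.java only exercises the success path, so it would pass just the same if the verification were silently not applied. Add a negative case that connects with `new TLSSyslogSenderImpl(true)` to a server whose certificate does not name the connected host and asserts that the handshake is rejected, plus a case with the default constructor to show the previous behaviour is unchanged.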
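Review bot: the one-line change in TLSSyslogSenderImplTest.java (`@@ -252,7 +252,7 @@`) is the visible proof that narrowing `setSocketOptions(final Socket socket)` to `setSocketOptions(final SSLSocket socket)` breaks every subclass that overrides the method, since the test's own override had to be rewritten in the same patch. Either keep the `Socket` parameter and apply the SSL parameters only when `socket instanceof SSLSocket`, or call the source-incompatible change out in the commit message and the release notes.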
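Review bot: the binary deltas to `src/test/resources/security/ca.keystore` and `server.keystore` are not explained anywhere; the commit message only says domain validation was added. State what was regenerated and why (presumably so that the server certificate carries the host name the integration test connects to), otherwise the next person who has to renew these test certificates cannot reproduce them.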