Merge remote-tracking branch 'eclipse/develop' into NetworkModule_SPI

Author: Maik Scheibler

org.eclipse.paho.client.mqttv3.test/src/test/java/org/eclipse/paho/client/mqttv3/test/TLSHostnameVerificationTest.java

@@ -0,0 +1,220 @@
+/**
+ * Copyright (c) 2011, 2017 IBM
+ *
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License v1.0
+ * and Eclipse Distribution License v1.0 which accompany this distribution. 
+ *
+ * The Eclipse Public License is available at 
+ *    http://www.eclipse.org/legal/epl-v10.html
+ * and the Eclipse Distribution License is available at 
+ *   http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * Contributors:
+ *   James Sutton - IBM Adding HTTPS Hostname verification tests.
+ */
+
+package org.eclipse.paho.client.mqttv3.test;
+
+import java.io.InputStream;
+import java.security.KeyStore;
+import java.security.SecureRandom;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateFactory;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLHandshakeException;
+import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.TrustManagerFactory;
+
+import org.eclipse.paho.client.mqttv3.MqttClient;
+import org.eclipse.paho.client.mqttv3.MqttConnectOptions;
+import org.eclipse.paho.client.mqttv3.test.logging.LoggingUtilities;
+import org.eclipse.paho.client.mqttv3.test.utilities.Utility;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+/**
+ * This test aims to run some basic SSL functionality tests of the MQTT client
+ */
+
+public class TLSHostnameVerificationTest {
+
+	static final Class<?> cclass = TLSHostnameVerificationTest.class;
+	private static final String className = cclass.getName();
+	private static final Logger log = Logger.getLogger(className);
+
+	private static String serverHost;
+	private static int serverPort;
+	private static String serverIP;
+	private static String certificateName;
+	private static int websocketPort;
+
+	/**
+	 * @throws Exception
+	 */
+	@BeforeClass
+	public static void setUpBeforeClass() throws Exception {
+
+		try {
+			String methodName = Utility.getMethodName();
+			LoggingUtilities.banner(log, cclass, methodName);
+			// Overriding with iot.eclipse.org for the time being.
+			
+			serverHost = "iot.eclipse.org";
+			serverIP = "198.41.30.241";
+			serverPort = 8883;
+			websocketPort = 443;
+			
+			certificateName = "iot.eclipse.org.crt";
+
+		} catch (Exception exception) {
+			log.log(Level.SEVERE, "caught exception:", exception);
+			throw exception;
+		}
+	}
+
+	/**
+	 * This test checks that the Java 7 HTTPS Style Hostname Verification works with
+	 * the Paho Client. This will verify that the Hostname we are connecting to
+	 * matches the one recorded in the Certificate
+	 * 
+	 * @throws Exception
+	 */
+	@Test(timeout = 10000)
+	public void testValidHTTPSStyleHostnameVerification() throws Exception {
+		
+		SSLSocketFactory socketFactory = getSocketFactory(certificateName);
+
+		MqttConnectOptions connOpts = new MqttConnectOptions();
+        connOpts.setHttpsHostnameVerificationEnabled(true);
+        connOpts.setSocketFactory(socketFactory);
+        String serverURI = "ssl://" + serverHost + ":" + serverPort;
+
+		MqttClient mqttClient = new MqttClient(serverURI, MqttClient.generateClientId());
+
+		log.info("Connecting to: " + serverURI);
+		mqttClient.connect(connOpts);
+
+		Thread.sleep(2000);
+
+		log.info("Disconnetting...");
+		mqttClient.disconnect();
+		mqttClient.close();
+
+	}
+	
+	/**
+	 * This test checks that the Java 7 HTTPS Style Hostname Verification works with
+	 * the Paho Client. This will verify that when connecting to a server via the IP
+	 * address, the Hostname verification will fail
+	 * 
+	 * @throws Exception
+	 */
+	@Test(timeout = 10000)
+	public void testInvalidHTTPSStyleHostnameVerification() throws Exception {
+		
+		SSLSocketFactory socketFactory = getSocketFactory(certificateName);
+
+		MqttConnectOptions connOpts = new MqttConnectOptions();
+        connOpts.setHttpsHostnameVerificationEnabled(true);
+        connOpts.setSocketFactory(socketFactory);
+        String serverIPURI =  "ssl://" + serverIP + ":" + serverPort;
+
+		MqttClient mqttClient = new MqttClient(serverIPURI, MqttClient.generateClientId());
+
+		log.info("Connecting to: " + serverIPURI);
+		try {
+		mqttClient.connect(connOpts);
+		} catch (Exception ex) {
+			// We want to make sure that the returned exception is an SSLHandshakeException
+			Assert.assertEquals(SSLHandshakeException.class, ex.getCause().getClass());
+			log.info("Expected Exception thrown: " + ex.getCause().getClass());
+		} finally {
+			mqttClient.close();
+		}
+	}
+	
+	
+	/**
+	 * This test checks that the Java 7 HTTPS Style Hostname Verification works with
+	 * the Paho Client. This will verify that the Hostname we are connecting to
+	 * matches the one recorded in the Certificate
+	 * 
+	 * @throws Exception
+	 */
+	@Test(timeout = 10000)
+	public void testValidWebSocketHTTPSStyleHostnameVerification() throws Exception {
+		
+		SSLSocketFactory socketFactory = getSocketFactory(certificateName);
+
+		MqttConnectOptions connOpts = new MqttConnectOptions();
+        connOpts.setHttpsHostnameVerificationEnabled(true);
+        connOpts.setSocketFactory(socketFactory);
+        String serverURI = "wss://" + serverHost + ":" + websocketPort + "/ws";
+
+		MqttClient mqttClient = new MqttClient(serverURI, MqttClient.generateClientId());
+
+		log.info("Connecting to: " + serverURI);
+		mqttClient.connect(connOpts);
+
+		Thread.sleep(2000);
+
+		log.info("Disconnetting...");
+		mqttClient.disconnect();
+		mqttClient.close();
+
+	}
+	
+	/**
+	 * This test checks that the Java 7 HTTPS Style Hostname Verification works with
+	 * the Paho Client. This will verify that when connecting to a server via the IP
+	 * address, the Hostname verification will fail
+	 * 
+	 * @throws Exception
+	 */
+	@Test(timeout = 10000)
+	public void testInvalidWebSocketHTTPSStyleHostnameVerification() throws Exception {
+		
+		SSLSocketFactory socketFactory = getSocketFactory(certificateName);
+
+		MqttConnectOptions connOpts = new MqttConnectOptions();
+        connOpts.setHttpsHostnameVerificationEnabled(true);
+        connOpts.setSocketFactory(socketFactory);
+        String serverIPURI =  "wss://" + serverIP + ":" + websocketPort + "/ws";
+
+        
+		MqttClient mqttClient = new MqttClient(serverIPURI, MqttClient.generateClientId());
+
+		log.info("Connecting to: " + serverIPURI);
+		try {
+		mqttClient.connect(connOpts);
+		} catch (Exception ex) {
+			// We want to make sure that the returned exception is an SSLHandshakeException
+			Assert.assertEquals(SSLHandshakeException.class, ex.getCause().getClass());
+			log.info("Expected Exception thrown: " + ex.getCause().getClass());
+		} finally {
+			mqttClient.close();
+		}
+	}
+
+	
+
+	 private static SSLSocketFactory getSocketFactory(String certificateName) throws Exception {
+	      // Load the certificate from src/test/resources and create a Certificate object
+	  		InputStream certStream = cclass.getClassLoader().getResourceAsStream(certificateName);
+	  		CertificateFactory certFactory = CertificateFactory.getInstance("X509");
+	      Certificate certificate =  certFactory.generateCertificate(certStream);
+	      SSLContext sslContext = SSLContext.getInstance("TLS");
+	      TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+	  		KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+	  		keyStore.load(null);
+	  		keyStore.setCertificateEntry("alias", certificate);
+	  		trustManagerFactory.init(keyStore);
+	  		sslContext.init(null, trustManagerFactory.getTrustManagers(), new SecureRandom());
+	  		return sslContext.getSocketFactory();
+	    }
+}

org.eclipse.paho.client.mqttv3.test/src/test/resources/iot.eclipse.org.crt

@@ -1,26 +1,29 @@
 -----BEGIN CERTIFICATE-----
-MIIEVDCCAwygAwIBAgIEVYPx2jANBgkqhkiG9w0BAQsFADCBhzELMAkGA1UEBhMC
-Q0ExJTAjBgNVBAoTHEVjbGlwc2Uub3JnIEZvdW5kYXRpb24sIEluYy4xFDASBgNV
-BAsTC2lvdC10ZXN0aW5nMQ8wDQYDVQQHEwZOZXBlYW4xEDAOBgNVBAgTB09udGFy
-aW8xGDAWBgNVBAMTD2lvdC5lY2xpcHNlLm9yZzAeFw0xNTA2MTkxMDQxMzFaFw0y
-MDA1MjMxMDQxMzRaMIGHMQswCQYDVQQGEwJDQTElMCMGA1UEChMcRWNsaXBzZS5v
-cmcgRm91bmRhdGlvbiwgSW5jLjEUMBIGA1UECxMLaW90LXRlc3RpbmcxDzANBgNV
-BAcTBk5lcGVhbjEQMA4GA1UECBMHT250YXJpbzEYMBYGA1UEAxMPaW90LmVjbGlw
-c2Uub3JnMIIBUjANBgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEA0xUc7iXRrDG3
-WBCM6kzBv7eDVJUj8fMt7yhVS+os3QwKXfirzvRn1kj3KQkBzR/Nkeqk4go5EkYI
-ZCvG3svmfbyxJaWxl8VBhhiVf8ytd0CkNbbho5VlV2BrDuMpAMiQ1MZZqXV544wf
-BXAChXPgDjsjP/2QDAR52jJjqwoGm+KFAp9ZTFpHqi1Yajt2J7M1EOacnkasDdcD
-GzgxDIA1oo6XOM1sisOc11d+L1JyOwtSHIaQRO9BChU5CAZCTRF9wITdmBnhb+ha
-mEgHPFIeF8uPXnjvsXJgHM/GqOoIlb671DOVNdZPxDhg+Pp47qGQJrcTz+ptTLw4
-bgcSCbHQXK+TDk2GxUS27PbZ9trK2Rfo6MLe4x0kT8k+9zZkPDKdJzCYDVzfcakf
-Qj8cDxplrwIDAQABo2YwZDAMBgNVHRMBAf8EAjAAMCAGA1UdEQQZMBeCD2lvdC5l
-Y2xpcHNlLm9yZ4cExike8TATBgNVHSUEDDAKBggrBgEFBQcDATAdBgNVHQ4EFgQU
-sXXbkSdzImOC1cQcnXOPeGdghvowDQYJKoZIhvcNAQELBQADggExAHueO/jU8LNE
-M5GyA0ENlPLoeBgtsa2HGXGH1vrc9HEESaFLlQX/V0hEa6MtFTtZTGz4J4zfJK0s
-Zb7aMxQqlyDE0tGHb6p4XiyjyEcIpAaRuOdMFvsELBugLQIGyJU+FRhrJ6we0G/9
-aZg+PPhiLRsRQtxgS6zWJ3zQt8Vxj7gnjMjUzuJ30LeborKOZih0By1zY127TbgK
-0+7CjI3kzUzgX5gy6/YKJLoEl7In7GgLCXy4TdRAC4jrmiBZA3xhn2YbpEGG383z
-JL7gwrTxilGPdpUkPqsh3QPFybe//IuZnv0asPY4t9GgVqObomUGkafBcz1kDnlh
-eCQzrplSaCcePR3cawnX/x6ZjnRSfKGJzKYWBVtxLT6TW95AyGyv0bpsH5d3TpKO
-ayb6IYpBphw=
------END CERTIFICATE-----
+MIIFATCCA+mgAwIBAgISBPTNy6fmaq/MmFsgFgDdQI6IMA0GCSqGSIb3DQEBCwUA
+MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
+ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODAxMjYxNDI1MzlaFw0x
+ODA0MjYxNDI1MzlaMBoxGDAWBgNVBAMTD2lvdC5lY2xpcHNlLm9yZzCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBANbm+sfVzGMN3ppXf0DGAAtRjiAOzmN5
+htxj8TXSgSq/+dCgf7rC2Iq/pdZXWnfo9Eln+lZGprmvOr5dRSWCucRc4T+itHw7
+wyrsThxvp/yLv0OrmdRlarQM+TDZS/ee/BD65Zt5ByOtzBasJRnfnOiBQEBfsrjR
+yz4XPJn2vJg/0q6XELp3wkZHOy0b8vC73j9zZ6fXIxQ5cBg60jZkvclPmxm+2kDL
+Icw8Hsee/cN9RxtWapyNzW+N8NW1XSRSgiDauYZjrcE4RoUXt1eGJ2IIwTrnGc7l
++ucRKYpAN9tZFA4fPmKzNCCZRJsabwT1KfCfKQKrt3mpgyv/+CyP2ycCAwEAAaOC
+Ag8wggILMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
+BQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU/IKAPfc1/rKRW0mYo+V8OHvV
+O38wHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwbwYIKwYBBQUHAQEE
+YzBhMC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5cHQu
+b3JnMC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMubGV0c2VuY3J5cHQu
+b3JnLzAaBgNVHREEEzARgg9pb3QuZWNsaXBzZS5vcmcwgf4GA1UdIASB9jCB8zAI
+BgZngQwBAgEwgeYGCysGAQQBgt8TAQEBMIHWMCYGCCsGAQUFBwIBFhpodHRwOi8v
+Y3BzLmxldHNlbmNyeXB0Lm9yZzCBqwYIKwYBBQUHAgIwgZ4MgZtUaGlzIENlcnRp
+ZmljYXRlIG1heSBvbmx5IGJlIHJlbGllZCB1cG9uIGJ5IFJlbHlpbmcgUGFydGll
+cyBhbmQgb25seSBpbiBhY2NvcmRhbmNlIHdpdGggdGhlIENlcnRpZmljYXRlIFBv
+bGljeSBmb3VuZCBhdCBodHRwczovL2xldHNlbmNyeXB0Lm9yZy9yZXBvc2l0b3J5
+LzANBgkqhkiG9w0BAQsFAAOCAQEAaaW5HwoTLMMFsYOYszLwCaZY1j3XlytqYXSI
+hJrPhlBkIKKgN/K5OYr0zbWZl8z1cTFXux9XgLfSaJoxZIv1YW9QKvU3Yqj2GbZz
+k1dasPMJi1pP9fTn2KC3PbbjsRI8boIfgd/9Zw+pQlk5ibFFa7hmtq7zpMGp4CPe
+tRmVDxOmlAOsT40DFdOIh/Q76uGz9XN65SIaHov90yivhQBumx62RNQgMJ4WJwS4
+ElAkOhTYTlsE5fiYsxG+0ddBx8qhqyQcgHCPHiMzT7gc7d/rrY+QHMbqNww852Dn
+mIfsVQ1QxiFKerEC/9qnxaa6YxXorIeBFy/bewiFiOAcULYMYQ==
+-----END CERTIFICATE-----

org.eclipse.paho.client.mqttv3/pom.xml

@@ -19,7 +19,7 @@
 			<plugin>
 				<groupId>org.codehaus.mojo</groupId>
 				<artifactId>templating-maven-plugin</artifactId>
-				<version>1.0-alpha-3</version>
+				<version>1.0.0</version>
 				<executions>
 					<execution>
 						<id>filter-src</id>
@@ -32,7 +32,7 @@
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-resources-plugin</artifactId>
-				<version>2.4.2</version>
+				<version>3.0.2</version>
 				<executions>
 					<execution>
 						<id>default-copy-resources</id>
@@ -59,7 +59,7 @@
 			<plugin>
 				<groupId>org.eclipse.tycho</groupId>
 				<artifactId>tycho-compiler-plugin</artifactId>
-				<version>0.20.0</version>
+				<version>${tycho.version}</version>
 				<configuration>
 					<source>${mqttclient.java.version}</source>
 					<target>${mqttclient.java.version}</target>
@@ -69,7 +69,7 @@
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-javadoc-plugin</artifactId>
-				<version>2.10.4</version>
+				<version>3.0.0</version>
 				<executions>
 					<execution>
 						<id>attach-javadocs</id>

org.eclipse.paho.client.mqttv3/src/main/java/org/eclipse/paho/client/mqttv3/MqttConnectOptions.java

@@ -65,6 +65,7 @@ public class MqttConnectOptions {
 	private char[] password;
 	private SocketFactory socketFactory;
 	private Properties sslClientProps = null;
+	private boolean httpsHostnameVerificationEnabled = false;
 	private HostnameVerifier sslHostnameVerifier = null;
 	private boolean cleanSession = CLEAN_SESSION_DEFAULT;
 	private int connectionTimeout = CONNECTION_TIMEOUT_DEFAULT;
@@ -401,6 +402,14 @@ public Properties getSSLProperties() {
 	public void setSSLProperties(Properties props) {
 		this.sslClientProps = props;
 	}
+	
+	public boolean isHttpsHostnameVerificationEnabled() {
+		return httpsHostnameVerificationEnabled;
+	}
+
+	public void setHttpsHostnameVerificationEnabled(boolean httpsHostnameVerificationEnabled) {
+		this.httpsHostnameVerificationEnabled = httpsHostnameVerificationEnabled;
+	}
 
 	/**
      * Returns the HostnameVerifier for the SSL connection.

org.eclipse.paho.client.mqttv3/src/main/java/org/eclipse/paho/client/mqttv3/internal/SSLNetworkModule.java

@@ -18,6 +18,7 @@
 import java.io.IOException;
 
 import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.SSLParameters;
 import javax.net.ssl.SSLSession;
 import javax.net.ssl.SSLSocket;
 import javax.net.ssl.SSLSocketFactory;
@@ -36,6 +37,9 @@ public class SSLNetworkModule extends TCPNetworkModule {
 	private String[] enabledCiphers;
 	private int handshakeTimeoutSecs;
 	private HostnameVerifier hostnameVerifier;
+	private boolean httpsHostnameVerificationEnabled = false;
+
+	
 
 	private String host;
 	private int port;
@@ -108,15 +112,30 @@ public HostnameVerifier getSSLHostnameVerifier() {
 	public void setSSLHostnameVerifier(HostnameVerifier hostnameVerifier) {
 		this.hostnameVerifier = hostnameVerifier;
 	}
+	
+	public boolean isHttpsHostnameVerificationEnabled() {
+		return httpsHostnameVerificationEnabled;
+	}
+
+	public void setHttpsHostnameVerificationEnabled(boolean httpsHostnameVerificationEnabled) {
+		this.httpsHostnameVerificationEnabled = httpsHostnameVerificationEnabled;
+	}
 
 	public void start() throws IOException, MqttException {
 		super.start();
 		setEnabledCiphers(enabledCiphers);
 		int soTimeout = socket.getSoTimeout();
 		// RTC 765: Set a timeout to avoid the SSL handshake being blocked indefinitely
 		socket.setSoTimeout(this.handshakeTimeoutSecs * 1000);
+		
+		// If default Hostname verification is enabled, use the same method that is used with HTTPS
+		if(this.httpsHostnameVerificationEnabled) {
+			SSLParameters sslParams = new SSLParameters();
+			sslParams.setEndpointIdentificationAlgorithm("HTTPS");
+			((SSLSocket) socket).setSSLParameters(sslParams);
+		}
 		((SSLSocket) socket).startHandshake();
-		if (hostnameVerifier != null) {
+		if (hostnameVerifier != null && !this.httpsHostnameVerificationEnabled) {
 			SSLSession session = ((SSLSocket) socket).getSession();
 			hostnameVerifier.verify(host, session);
 		}

org.eclipse.paho.client.mqttv3/src/main/java/org/eclipse/paho/client/mqttv3/internal/SSLNetworkModuleFactory.java

@@ -74,6 +74,7 @@ public NetworkModule createNetworkModule(URI brokerUri, MqttConnectOptions optio
 		SSLNetworkModule netModule = new SSLNetworkModule((SSLSocketFactory) factory, host, port, clientId);
 		netModule.setSSLhandshakeTimeout(options.getConnectionTimeout());
 		netModule.setSSLHostnameVerifier(options.getSSLHostnameVerifier());
+		netModule.setHttpsHostnameVerificationEnabled(options.isHttpsHostnameVerificationEnabled());
 		// Ciphers suites need to be set, if they are available
 		if (factoryFactory != null) {
 			String[] enabledCiphers = factoryFactory.getEnabledCipherSuites(null);