diff --git a/jetty-core/jetty-alpn/jetty-alpn-bouncycastle-client/pom.xml b/jetty-core/jetty-alpn/jetty-alpn-bouncycastle-client/pom.xml
index 955c5218fb4d..148269bea357 100644
--- a/jetty-core/jetty-alpn/jetty-alpn-bouncycastle-client/pom.xml
+++ b/jetty-core/jetty-alpn/jetty-alpn-bouncycastle-client/pom.xml
@@ -6,7 +6,7 @@
 org.eclipse.jetty
 jetty-alpn
- 12.0.16-SNAPSHOT
+ 12.0.17-SNAPSHOT
 jetty-alpn-bouncycastle-client
 Core :: ALPN :: Bouncy Castle Client
diff --git a/jetty-core/jetty-alpn/jetty-alpn-bouncycastle-client/src/main/java/module-info.java b/jetty-core/jetty-alpn/jetty-alpn-bouncycastle-client/src/main/java/module-info.java
index 910ab12cacf5..e53031e3753c 100644
--- a/jetty-core/jetty-alpn/jetty-alpn-bouncycastle-client/src/main/java/module-info.java
+++ b/jetty-core/jetty-alpn/jetty-alpn-bouncycastle-client/src/main/java/module-info.java
@@ -11,13 +11,16 @@
 // ========================================================================
 //
+import org.eclipse.jetty.alpn.bouncycastle.client.BouncyCastleClientALPNProcessor;
+
 module org.eclipse.jetty.alpn.bouncycastle.client
 {
 requires org.slf4j;
 requires transitive org.eclipse.jetty.alpn.client;
+ requires org.bouncycastle.fips.core;
 requires org.bouncycastle.fips.tls;
 provides org.eclipse.jetty.io.ssl.ALPNProcessor.Client with
- org.eclipse.jetty.alpn.bouncycastle.client.BouncycastleClientALPNProcessor;
+ BouncyCastleClientALPNProcessor;
 }
diff --git a/jetty-core/jetty-alpn/jetty-alpn-bouncycastle-client/src/main/java/org/eclipse/jetty/alpn/bouncycastle/client/BouncycastleClientALPNProcessor.java b/jetty-core/jetty-alpn/jetty-alpn-bouncycastle-client/src/main/java/org/eclipse/jetty/alpn/bouncycastle/client/BouncyCastleClientALPNProcessor.java
similarity index 83%
rename from jetty-core/jetty-alpn/jetty-alpn-bouncycastle-client/src/main/java/org/eclipse/jetty/alpn/bouncycastle/client/BouncycastleClientALPNProcessor.java
rename to jetty-core/jetty-alpn/jetty-alpn-bouncycastle-client/src/main/java/org/eclipse/jetty/alpn/bouncycastle/client/BouncyCastleClientALPNProcessor.java
index 55b1fbf2d34c..558e4a61e63d 100644
--- a/jetty-core/jetty-alpn/jetty-alpn-bouncycastle-client/src/main/java/org/eclipse/jetty/alpn/bouncycastle/client/BouncycastleClientALPNProcessor.java
+++ b/jetty-core/jetty-alpn/jetty-alpn-bouncycastle-client/src/main/java/org/eclipse/jetty/alpn/bouncycastle/client/BouncyCastleClientALPNProcessor.java
@@ -17,6 +17,8 @@
 import java.util.List;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLParameters;
+
+import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
 import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;
 import org.eclipse.jetty.alpn.client.ALPNClientConnection;
 import org.eclipse.jetty.io.Connection;
@@ -26,14 +28,21 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-public class BouncycastleClientALPNProcessor implements ALPNProcessor.Client
+public class BouncyCastleClientALPNProcessor implements ALPNProcessor.Client
 {
- private static final Logger LOG = LoggerFactory.getLogger(BouncycastleClientALPNProcessor.class);
+ private static final Logger LOG = LoggerFactory.getLogger(BouncyCastleClientALPNProcessor.class);
 @Override
 public void init()
 {
- if (Security.getProvider("BCJSSE") == null)
+ /* Required to instantiate a DEFAULT SecureRandom */
+ if (Security.getProvider(BouncyCastleFipsProvider.PROVIDER_NAME) == null)
+ {
+ Security.addProvider(new BouncyCastleFipsProvider());
+ if (LOG.isDebugEnabled())
+ LOG.debug("Added BouncyCastle FIPS provider");
+ }
+ if (Security.getProvider(BouncyCastleJsseProvider.PROVIDER_NAME) == null)
 {
 Security.addProvider(new BouncyCastleJsseProvider());
 if (LOG.isDebugEnabled())
@@ -92,7 +101,7 @@ public void handshakeSucceeded(Event event)
 }
 catch (Throwable e)
 {
- LOG.warn("Unable to process Bouncycastle ApplicationProtocol for {}", alpnConnection, e);
+ LOG.warn("Unable to process BouncyCastle ApplicationProtocol for {}", alpnConnection, e);
 alpnConnection.selected(null);
 }
 }
diff --git a/jetty-core/jetty-alpn/jetty-alpn-bouncycastle-client/src/main/resources/META-INF/services/org.eclipse.jetty.io.ssl.ALPNProcessor$Client b/jetty-core/jetty-alpn/jetty-alpn-bouncycastle-client/src/main/resources/META-INF/services/org.eclipse.jetty.io.ssl.ALPNProcessor$Client
index af7cfc2b9312..30838a1a343a 100644
--- a/jetty-core/jetty-alpn/jetty-alpn-bouncycastle-client/src/main/resources/META-INF/services/org.eclipse.jetty.io.ssl.ALPNProcessor$Client
+++ b/jetty-core/jetty-alpn/jetty-alpn-bouncycastle-client/src/main/resources/META-INF/services/org.eclipse.jetty.io.ssl.ALPNProcessor$Client
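Review bot: The BCFIPS registration added to `init()` uses `Security.addProvider`, which appends the provider at lowest priority, while the comment above it only says a `DEFAULT` SecureRandom needs it and the tests at L5 and L9 insert the same provider at position 1; a reader cannot tell from this whether the position matters. If BCJSSE requests the `DEFAULT` algorithm from the BCFIPS provider by name (I infer this from the comment, the hunk does not show it), say so: `/* BCJSSE (FIPS) obtains its "DEFAULT" SecureRandom from the BCFIPS provider, so it must be registered before the first handshake; its position in the provider list is not significant here — TODO confirm */`. Both `addProvider` calls change JVM-wide JCA state and are never reverted, which deserves a sentence in the `init()` Javadoc for operators running other TLS stacks in the same process. The `init()` body continues past the end of the hunk.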
@@ -1 +1 @@
-org.eclipse.jetty.alpn.bouncycastle.client.BouncycastleClientALPNProcessor
+org.eclipse.jetty.alpn.bouncycastle.client.BouncyCastleClientALPNProcessor
diff --git a/jetty-core/jetty-alpn/jetty-alpn-bouncycastle-client/src/test/java/org/eclipse/jetty/alpn/java/client/BouncycastleHTTP2ClientTest.java b/jetty-core/jetty-alpn/jetty-alpn-bouncycastle-client/src/test/java/org/eclipse/jetty/alpn/bouncycastle/client/BouncyCastleHTTP2ClientTest.java
similarity index 89%
rename from jetty-core/jetty-alpn/jetty-alpn-bouncycastle-client/src/test/java/org/eclipse/jetty/alpn/java/client/BouncycastleHTTP2ClientTest.java
rename to jetty-core/jetty-alpn/jetty-alpn-bouncycastle-client/src/test/java/org/eclipse/jetty/alpn/bouncycastle/client/BouncyCastleHTTP2ClientTest.java
index e6500b9d42d2..0074c5c831ae 100644
--- a/jetty-core/jetty-alpn/jetty-alpn-bouncycastle-client/src/test/java/org/eclipse/jetty/alpn/java/client/BouncycastleHTTP2ClientTest.java
+++ b/jetty-core/jetty-alpn/jetty-alpn-bouncycastle-client/src/test/java/org/eclipse/jetty/alpn/bouncycastle/client/BouncyCastleHTTP2ClientTest.java
@@ -11,15 +11,15 @@
 // ========================================================================
 //
-package org.eclipse.jetty.alpn.java.client;
-
-import static org.junit.jupiter.api.Assertions.assertTrue;
+package org.eclipse.jetty.alpn.bouncycastle.client;
 import java.net.InetSocketAddress;
 import java.net.Socket;
 import java.security.Security;
 import java.util.concurrent.CountDownLatch;
 import java.util.concurrent.TimeUnit;
+
+import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
 import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;
 import org.eclipse.jetty.http.HttpFields;
 import org.eclipse.jetty.http.HttpURI;
@@ -37,20 +37,24 @@
 import org.junit.jupiter.api.Tag;
 import org.junit.jupiter.api.Test;
-public class BouncycastleHTTP2ClientTest
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+public class BouncyCastleHTTP2ClientTest
 {
 @Tag("external")
 @Test
- public void testBouncycastleHTTP2Client() throws Exception
+ public void testBouncyCastleHTTP2Client() throws Exception
 {
 String host = "webtide.com";
 int port = 443;
 Assumptions.assumeTrue(canConnectTo(host, port));
- Security.insertProviderAt(new BouncyCastleJsseProvider(), 1);
+ /* Required to instantiate a DEFAULT SecureRandom */
+ Security.insertProviderAt(new BouncyCastleFipsProvider(), 1);
+ Security.insertProviderAt(new BouncyCastleJsseProvider(), 2);
 SslContextFactory.Client sslContextFactory = new SslContextFactory.Client();
- sslContextFactory.setProvider("BCJSSE");
+ sslContextFactory.setProvider(BouncyCastleJsseProvider.PROVIDER_NAME);
 try (HTTP2Client client = new HTTP2Client())
 {
diff --git a/jetty-core/jetty-alpn/jetty-alpn-bouncycastle-server/pom.xml b/jetty-core/jetty-alpn/jetty-alpn-bouncycastle-server/pom.xml
index a6f488e39058..b812c7ea493b 100644
--- a/jetty-core/jetty-alpn/jetty-alpn-bouncycastle-server/pom.xml
+++ b/jetty-core/jetty-alpn/jetty-alpn-bouncycastle-server/pom.xml
@@ -5,7 +5,7 @@
 org.eclipse.jetty
 jetty-alpn
- 12.0.16-SNAPSHOT
+ 12.0.17-SNAPSHOT
 jetty-alpn-bouncycastle-server
 Core :: ALPN :: Bouncy Castle Server
@@ -33,7 +33,7 @@
 org.eclipse.jetty
- jetty-alpn-conscrypt-client
+ jetty-alpn-bouncycastle-client
 test
diff --git a/jetty-core/jetty-alpn/jetty-alpn-bouncycastle-server/src/main/java/module-info.java b/jetty-core/jetty-alpn/jetty-alpn-bouncycastle-server/src/main/java/module-info.java
index 14353f4aecc6..4798969ccb22 100644
--- a/jetty-core/jetty-alpn/jetty-alpn-bouncycastle-server/src/main/java/module-info.java
+++ b/jetty-core/jetty-alpn/jetty-alpn-bouncycastle-server/src/main/java/module-info.java
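Review bot: `testBouncyCastleHTTP2Client` inserts BCFIPS and BCJSSE at positions 1 and 2 of the JVM-wide provider list and never removes them, so every test that runs later in the same fork sees a different default provider order than the one it was written against. `Security.insertProviderAt` also returns -1 without repositioning when a provider of that name is already installed, so a second test in the fork that relies on position 1 would not get it. Wrapping the body in `try { … } finally { Security.removeProvider(BouncyCastleJsseProvider.PROVIDER_NAME); Security.removeProvider(BouncyCastleFipsProvider.PROVIDER_NAME); }` would restore the previous state. The method body continues outside the hunk.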
@@ -11,15 +11,16 @@
 // ========================================================================
 //
-import org.eclipse.jetty.alpn.bouncycastle.server.BouncycastleServerALPNProcessor;
+import org.eclipse.jetty.alpn.bouncycastle.server.BouncyCastleServerALPNProcessor;
-module org.eclipse.jetty.alpn.conscrypt.server
+module org.eclipse.jetty.alpn.bouncycastle.server
 {
 requires org.slf4j;
 requires transitive org.eclipse.jetty.alpn.server;
+ requires org.bouncycastle.fips.core;
 requires org.bouncycastle.fips.tls;
 provides org.eclipse.jetty.io.ssl.ALPNProcessor.Server with
- BouncycastleServerALPNProcessor;
+ BouncyCastleServerALPNProcessor;
 }
diff --git a/jetty-core/jetty-alpn/jetty-alpn-bouncycastle-server/src/main/java/org/eclipse/jetty/alpn/bouncycastle/server/BouncycastleServerALPNProcessor.java b/jetty-core/jetty-alpn/jetty-alpn-bouncycastle-server/src/main/java/org/eclipse/jetty/alpn/bouncycastle/server/BouncyCastleServerALPNProcessor.java
similarity index 96%
rename from jetty-core/jetty-alpn/jetty-alpn-bouncycastle-server/src/main/java/org/eclipse/jetty/alpn/bouncycastle/server/BouncycastleServerALPNProcessor.java
rename to jetty-core/jetty-alpn/jetty-alpn-bouncycastle-server/src/main/java/org/eclipse/jetty/alpn/bouncycastle/server/BouncyCastleServerALPNProcessor.java
index 38277a393175..7cb6894deeb7 100644
--- a/jetty-core/jetty-alpn/jetty-alpn-bouncycastle-server/src/main/java/org/eclipse/jetty/alpn/bouncycastle/server/BouncycastleServerALPNProcessor.java
+++ b/jetty-core/jetty-alpn/jetty-alpn-bouncycastle-server/src/main/java/org/eclipse/jetty/alpn/bouncycastle/server/BouncyCastleServerALPNProcessor.java
@@ -16,6 +16,7 @@
 import java.util.List;
 import java.util.function.BiFunction;
 import javax.net.ssl.SSLEngine;
+
 import org.eclipse.jetty.alpn.server.ALPNServerConnection;
 import org.eclipse.jetty.io.Connection;
 import org.eclipse.jetty.io.ssl.ALPNProcessor;
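Review bot: `requires org.bouncycastle.fips.core;` is added to the server module, but none of the server-side hunks in this commit references a class from that module — the processor hunks at L6 and L7 only rename the class and adjust imports — so on this side the dependency looks unused, unlike the client module whose `init()` instantiates `BouncyCastleFipsProvider`. If it is there because `org.bouncycastle.fips.tls` needs it resolvable at runtime (which I cannot tell from the hunk), a one-line comment above the directive, e.g. `// needed at runtime by org.bouncycastle.fips.tls — <confirm>`, would stop it being removed as dead; otherwise dropping it keeps the module graph minimal.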
@@ -24,9 +25,9 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-public class BouncycastleServerALPNProcessor implements ALPNProcessor.Server
+public class BouncyCastleServerALPNProcessor implements ALPNProcessor.Server
 {
- private static final Logger LOG = LoggerFactory.getLogger(BouncycastleServerALPNProcessor.class);
+ private static final Logger LOG = LoggerFactory.getLogger(BouncyCastleServerALPNProcessor.class);
 @Override
 public boolean appliesTo(SSLEngine sslEngine)
diff --git a/jetty-core/jetty-alpn/jetty-alpn-bouncycastle-server/src/main/resources/META-INF/services/org.eclipse.jetty.io.ssl.ALPNProcessor$Server b/jetty-core/jetty-alpn/jetty-alpn-bouncycastle-server/src/main/resources/META-INF/services/org.eclipse.jetty.io.ssl.ALPNProcessor$Server
index 242bac9dde9d..be3c9738e7df 100644
--- a/jetty-core/jetty-alpn/jetty-alpn-bouncycastle-server/src/main/resources/META-INF/services/org.eclipse.jetty.io.ssl.ALPNProcessor$Server
+++ b/jetty-core/jetty-alpn/jetty-alpn-bouncycastle-server/src/main/resources/META-INF/services/org.eclipse.jetty.io.ssl.ALPNProcessor$Server
@@ -1 +1 @@
-org.eclipse.jetty.alpn.bouncycastle.server.BouncycastleServerALPNProcessor
+org.eclipse.jetty.alpn.bouncycastle.server.BouncyCastleServerALPNProcessor
diff --git a/jetty-core/jetty-alpn/jetty-alpn-bouncycastle-server/src/test/java/org/eclipse/jetty/alpn/conscrypt/server/ConscryptHTTP2ServerTest.java b/jetty-core/jetty-alpn/jetty-alpn-bouncycastle-server/src/test/java/org/eclipse/jetty/alpn/bouncycastle/server/BouncyCastleHTTP2ServerTest.java
similarity index 80%
rename from jetty-core/jetty-alpn/jetty-alpn-bouncycastle-server/src/test/java/org/eclipse/jetty/alpn/conscrypt/server/ConscryptHTTP2ServerTest.java
rename to jetty-core/jetty-alpn/jetty-alpn-bouncycastle-server/src/test/java/org/eclipse/jetty/alpn/bouncycastle/server/BouncyCastleHTTP2ServerTest.java
index 576efa632b95..338722541302 100644
--- a/jetty-core/jetty-alpn/jetty-alpn-bouncycastle-server/src/test/java/org/eclipse/jetty/alpn/conscrypt/server/ConscryptHTTP2ServerTest.java
+++ b/jetty-core/jetty-alpn/jetty-alpn-bouncycastle-server/src/test/java/org/eclipse/jetty/alpn/bouncycastle/server/BouncyCastleHTTP2ServerTest.java
@@ -11,14 +11,15 @@
 // ========================================================================
 //
-package org.eclipse.jetty.alpn.conscrypt.server;
+package org.eclipse.jetty.alpn.bouncycastle.server;
 import java.io.File;
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.security.Security;
-import org.conscrypt.OpenSSLProvider;
+import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
+import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;
 import org.eclipse.jetty.alpn.server.ALPNServerConnectionFactory;
 import org.eclipse.jetty.client.ContentResponse;
 import org.eclipse.jetty.client.HttpClient;
@@ -36,24 +37,20 @@
 import org.eclipse.jetty.server.ServerConnector;
 import org.eclipse.jetty.server.SslConnectionFactory;
 import org.eclipse.jetty.util.Callback;
-import org.eclipse.jetty.util.JavaVersion;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.condition.DisabledOnOs;
 import static org.junit.jupiter.api.Assertions.assertEquals;
-/**
- * Test server that verifies that the Conscrypt ALPN mechanism works for both server and client side
- */
-@DisabledOnOs(architectures = "aarch64", disabledReason = "Conscrypt does not provide aarch64 native libs as of version 2.5.2")
-public class ConscryptHTTP2ServerTest
+public class BouncyCastleHTTP2ServerTest
 {
 static
 {
- Security.addProvider(new OpenSSLProvider());
+ /* Required to instantiate a DEFAULT SecureRandom */
+ Security.insertProviderAt(new BouncyCastleFipsProvider(), 1);
+ Security.insertProviderAt(new BouncyCastleJsseProvider(), 2);
 }
 private final HttpConfiguration httpsConfig = new HttpConfiguration();
@@ -80,12 +77,7 @@ private void configureSslContextFactory(SslContextFactory sslContextFactory)
 File keys = path.resolve("keystore.p12").toFile();
 sslContextFactory.setKeyStorePath(keys.getAbsolutePath());
 sslContextFactory.setKeyStorePassword("storepwd");
- sslContextFactory.setProvider("Conscrypt");
- if (JavaVersion.VERSION.getPlatform() < 9)
- {
- // Conscrypt enables TLSv1.3 by default but it's not supported in Java 8.
- sslContextFactory.addExcludeProtocols("TLSv1.3");
- }
+ sslContextFactory.setProvider(BouncyCastleJsseProvider.PROVIDER_NAME);
 }
 @BeforeEach
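Review bot: The class-level Javadoc explaining what the Conscrypt version of this test verified is removed with the rename and nothing replaces it, so `BouncyCastleHTTP2ServerTest` no longer states its intent. Restore it adapted to the new provider: `/** Verifies that the BouncyCastle (BCJSSE) ALPN mechanism works for both the server and the client side. */`. The static initializer also places BCFIPS and BCJSSE at positions 1 and 2 of the JVM-wide provider list for the lifetime of the test JVM, which changes the default provider order for every other test class in the same fork and deserves a comment beyond the SecureRandom remark, e.g. `// Becomes the JVM-wide default order for this fork; other test classes see it too.`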
@@ -94,7 +86,7 @@ public void startServer() throws Exception
 httpsConfig.setSecureScheme("https");
 httpsConfig.setSendXPoweredBy(true);
 httpsConfig.setSendServerVersion(true);
- httpsConfig.addCustomizer(new SecureRequestCustomizer());
+ httpsConfig.addCustomizer(new SecureRequestCustomizer(false));
 HttpConnectionFactory http = new HttpConnectionFactory(httpsConfig);
 HTTP2ServerConnectionFactory h2 = new HTTP2ServerConnectionFactory(httpsConfig);
@@ -140,11 +132,4 @@ public void testSimpleRequest() throws Exception
 }
 }
- @Test
- public void testSNIRequired() throws Exception
- {
- // The KeyStore contains 1 certificate with two DNS names.
- httpsConfig.getCustomizer(SecureRequestCustomizer.class).setSniRequired(true);
- testSimpleRequest();
- }
 }
diff --git a/pom.xml b/pom.xml
index 44d384d257d7..49ca3f7c50ff 100644
--- a/pom.xml
+++ b/pom.xml
@@ -645,6 +645,16 @@
 ecj
 ${eclipse.jdt.ecj.version}
+
+ org.eclipse.jetty
+ jetty-alpn-bouncycastle-client
+ ${project.version}
+
+
+ org.eclipse.jetty
+ jetty-alpn-bouncycastle-server
+ ${project.version}
+
 org.eclipse.jetty
 jetty-alpn-client
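Review bot: `new SecureRequestCustomizer(false)` turns off the SNI host check that the default-constructed customizer performed (the boolean argument is `sniHostCheck`), and the second hunk deletes `testSNIRequired`, so this server test no longer exercises SNI handling at all with BCJSSE; neither change carries a reason. If the cause is that the BCJSSE engine does not surface the received SNI name in a form `SecureRequestCustomizer` can check (my inference, not shown in the hunk), record it at the call site, `// SNI host check disabled: <reason BCJSSE cannot satisfy it>`, and keep `testSNIRequired` under `@Disabled("<same reason>")` rather than deleting it so the coverage gap stays visible. `startServer` continues outside the first hunk, and the second hunk starts inside `testSimpleRequest`.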