Upgraded TrustManagerImplTest as well as suppressed warnings
d-reidenbach committed Aug 10, 2020
1 parent 9634556 commit 202ca98
Showing 2 changed files with 52 additions and 4 deletions.
2 changes: 2 additions & 0 deletions common/src/main/java/org/conscrypt/OkHostnameVerifier.java
Expand Up @@ -109,6 +109,7 @@ private boolean verifyIpAddress(String ipAddress, X509Certificate certificate) {
/**
* Returns true if {@code certificate} matches {@code hostName}.
*/
@SuppressWarnings("UnusedVariable")
private boolean verifyHostName(String hostName, X509Certificate certificate) {
hostName = hostName.toLowerCase(Locale.US);
boolean hasDns = false;
Expand Down Expand Up @@ -144,6 +145,7 @@ public static List<String> allSubjectAltNames(X509Certificate certificate) {
return result;
}

@SuppressWarnings("MixedMutabilityReturnType")
private static List<String> getSubjectAltNames(X509Certificate certificate, int type) {
List<String> result = new ArrayList<>();
try {
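Review bot: The method-wide `@SuppressWarnings("UnusedVariable")` on `verifyHostName` hides a dead local in certificate hostname matching instead of removing it, and it will also silence any unused variable added to this method later. The only local visible in the hunk is `boolean hasDns = false;`, so presumably that is the flagged variable; if nothing reads it, delete it, or at least move the annotation onto that declaration with a comment saying why it is kept. In a verifier, an assigned-but-never-read flag deserves a second look because it can mean a branch that once depended on it is gone. The body of `verifyHostName` continues outside the hunk, so this needs confirming against the full method.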
54 changes: 50 additions & 4 deletions common/src/test/java/org/conscrypt/TrustManagerImplTest.java
Expand Up @@ -147,18 +147,64 @@ public void testHttpsEndpointIdentification() throws Exception {
// Turn on endpoint identification
params.setEndpointIdentificationAlgorithm("HTTPS");

try { // this should fail
certs = tmi.getTrustedChainForServer(chain, "RSA",
try {
tmi.getTrustedChainForServer(chain, "RSA",
new FakeSSLSocket(new FakeSSLSession(badHostname, chain), params));
assertEquals(Arrays.asList(chain), certs);
fail();
} catch (CertificateException expected) {
}

certs = tmi.getTrustedChainForServer(chain, "RSA",
new FakeSSLSocket(new FakeSSLSession(goodHostname, chain), params));
assertEquals(Arrays.asList(chain), certs);

// Override the global default hostname verifier with a Conscrypt-specific one that
// always passes. Both scenarios should pass.
Conscrypt.setHostnameVerifier(tmi, new ConscryptHostnameVerifier() {
@Override
public boolean verify(X509Certificate[] certificates, String s, SSLSession sslSession) {
return true;
}
});

certs = tmi.getTrustedChainForServer(chain, "RSA",
new FakeSSLSocket(new FakeSSLSession(badHostname, chain), params));
assertEquals(Arrays.asList(chain), certs);

certs = tmi.getTrustedChainForServer(chain, "RSA",
new FakeSSLSocket(new FakeSSLSession(goodHostname, chain), params));
assertEquals(Arrays.asList(chain), certs);

// Now set an instance-specific verifier on the trust manager. The bad hostname should
// fail again.
// Conscrypt.setHostnameVerifier(tmi, new TestHostnameVerifier());
Conscrypt.setHostnameVerifier(tmi, Conscrypt.wrapHostnameVerifier(new org.conscrypt.javax.net.ssl.TestHostnameVerifier()));

try {
tmi.getTrustedChainForServer(chain, "RSA",
new FakeSSLSocket(new FakeSSLSession(badHostname, chain), params));
fail();
} catch (CertificateException expected) {
}

certs = tmi.getTrustedChainForServer(chain, "RSA",
new FakeSSLSocket(new FakeSSLSession(goodHostname, chain), params));
assertEquals(Arrays.asList(chain), certs);

// Remove the instance-specific verifier, and both should pass again.
Conscrypt.setHostnameVerifier(tmi, null);

try {
tmi.getTrustedChainForServer(chain, "RSA",
new FakeSSLSocket(new FakeSSLSession(badHostname, chain), params));
fail();
} catch (CertificateException expected) {
}

certs = tmi.getTrustedChainForServer(chain, "RSA",
new FakeSSLSocket(new FakeSSLSession(goodHostname, chain), params));
assertEquals(Arrays.asList(chain), certs);
} finally { // Still need for protecting future tests
} finally {
Conscrypt.setDefaultHostnameVerifier(null);
}
}
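Review bot: Two comments in the added block of `testHttpsEndpointIdentification` (which starts above the hunk) contradict the code beneath them. "Override the global default hostname verifier ..." sits above `Conscrypt.setHostnameVerifier(tmi, ...)`, which sets a verifier on the instance, and "Remove the instance-specific verifier, and both should pass again." sits above a `try`/`fail()` that expects `badHostname` to be rejected. If the code is what is intended, reword them, e.g. `// Set an always-passing verifier on this trust manager. Both scenarios should pass.` and `// Remove the instance-specific verifier; the bad hostname should fail again.` If the first call was instead meant to be `Conscrypt.setDefaultHostnameVerifier(...)`, which the `finally` block resets, then the default-verifier precedence is not exercised by the visible lines. The commented-out `// Conscrypt.setHostnameVerifier(tmi, new TestHostnameVerifier());` should also be dropped.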
