Support client authentication in MockWebServer

Also expose the handshake in the RecordedResponse.

https://github.com/square/okhttp/issues/3934

mockwebserver/src/main/java/okhttp3/mockwebserver/MockWebServer.java

@@ -102,6 +102,10 @@ public final class MockWebServer extends ExternalResource implements Closeable {
     Internal.initializeInstanceForTests();
   }
 
+  private static final int CLIENT_AUTH_NONE = 0;
+  private static final int CLIENT_AUTH_REQUESTED = 1;
+  private static final int CLIENT_AUTH_REQUIRED = 2;
+
   private static final X509TrustManager UNTRUSTED_TRUST_MANAGER = new X509TrustManager() {
     @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
         throws CertificateException {
@@ -132,6 +136,7 @@ public final class MockWebServer extends ExternalResource implements Closeable {
   private SSLSocketFactory sslSocketFactory;
   private ExecutorService executor;
   private boolean tunnelProxy;
+  private int clientAuth = CLIENT_AUTH_NONE;
   private Dispatcher dispatcher = new QueueDispatcher();
 
   private int port = -1;
@@ -241,6 +246,36 @@ public final class MockWebServer extends ExternalResource implements Closeable {
     this.tunnelProxy = tunnelProxy;
   }
 
+  /**
+   * Configure the server to not perform SSL authentication of the client. This leaves
+   * authentication to another layer such as in an HTTP cookie or header. This is the default and
+   * most common configuration.
+   */
+  public void noClientAuth() {
+    this.clientAuth = CLIENT_AUTH_NONE;
+  }
+
+  /**
+   * Configure the server to {@linkplain SSLSocket#setWantClientAuth want client auth}. If the
+   * client presents a certificate that is {@linkplain TrustManager trusted} the handshake will
+   * proceed normally. The connection will also proceed normally if the client presents no
+   * certificate at all! But if the client presents an untrusted certificate the handshake will fail
+   * and no connection will be established.
+   */
+  public void requestClientAuth() {
+    this.clientAuth = CLIENT_AUTH_REQUESTED;
+  }
+
+  /**
+   * Configure the server to {@linkplain SSLSocket#setNeedClientAuth need client auth}. If the
+   * client presents a certificate that is {@linkplain TrustManager trusted} the handshake will
+   * proceed normally. If the client presents an untrusted certificate or no certificate at all the
+   * handshake will fail and no connection will be established.
+   */
+  public void requireClientAuth() {
+    this.clientAuth = CLIENT_AUTH_REQUIRED;
+  }
+
   /**
    * Awaits the next HTTP request, removes it, and returns it. Callers should use this to verify the
    * request was sent as intended. This method will block until the request is available, possibly
@@ -431,6 +466,11 @@ public final class MockWebServer extends ExternalResource implements Closeable {
               raw.getPort(), true);
           SSLSocket sslSocket = (SSLSocket) socket;
           sslSocket.setUseClientMode(false);
+          if (clientAuth == CLIENT_AUTH_REQUIRED) {
+            sslSocket.setNeedClientAuth(true);
+          } else if (clientAuth == CLIENT_AUTH_REQUESTED) {
+            sslSocket.setWantClientAuth(true);
+          }
           openClientSockets.add(socket);
 
           if (protocolNegotiationEnabled) {

mockwebserver/src/main/java/okhttp3/mockwebserver/RecordedRequest.java

@@ -16,9 +16,11 @@
 
 package okhttp3.mockwebserver;
 
+import java.io.IOException;
 import java.net.Socket;
 import java.util.List;
 import javax.net.ssl.SSLSocket;
+import okhttp3.Handshake;
 import okhttp3.Headers;
 import okhttp3.HttpUrl;
 import okhttp3.TlsVersion;
@@ -30,11 +32,11 @@ public final class RecordedRequest {
   private final String method;
   private final String path;
   private final Headers headers;
+  private final Handshake handshake;
   private final List<Integer> chunkSizes;
   private final long bodySize;
   private final Buffer body;
   private final int sequenceNumber;
-  private final TlsVersion tlsVersion;
   private final HttpUrl requestUrl;
 
   public RecordedRequest(String requestLine, Headers headers, List<Integer> chunkSizes,
@@ -45,9 +47,15 @@ public final class RecordedRequest {
     this.bodySize = bodySize;
     this.body = body;
     this.sequenceNumber = sequenceNumber;
-    this.tlsVersion = socket instanceof SSLSocket
-        ? TlsVersion.forJavaName(((SSLSocket) socket).getSession().getProtocol())
-        : null;
+    if (socket instanceof SSLSocket) {
+      try {
+        this.handshake = Handshake.get(((SSLSocket) socket).getSession());
+      } catch (IOException e) {
+        throw new IllegalArgumentException(e);
+      }
+    } else {
+      this.handshake = null;
+    }
 
     if (requestLine != null) {
       int methodEnd = requestLine.indexOf(' ');
@@ -128,7 +136,15 @@ public final class RecordedRequest {
 
   /** Returns the connection's TLS version or null if the connection doesn't use SSL. */
   public TlsVersion getTlsVersion() {
-    return tlsVersion;
+    return handshake != null ? handshake.tlsVersion() : null;
+  }
+
+  /**
+   * Returns the TLS handshake of the connection that carried this request, or null if the request
+   * was received without TLS.
+   */
+  public Handshake getHandshake() {
+    return handshake;
   }
 
   @Override public String toString() {

mockwebserver/src/main/java/okhttp3/mockwebserver/internal/tls/SslClient.java

@@ -87,6 +87,10 @@ public final class SslClient {
      * Configure the certificate chain to use when serving HTTPS responses. The first certificate is
      * the server's certificate, further certificates are included in the handshake so the client
      * can build a trusted path to a CA certificate.
+     *
+     * <p>The chain should include all intermediate certificates but does not need the root
+     * certificate that we expect to be known by the remote peer. The peer already has that
+     * certificate so transmitting it is unnecessary.
      */
     public Builder certificateChain(HeldCertificate localCert, HeldCertificate... chain) {
       X509Certificate[] certificates = new X509Certificate[chain.length];

mockwebserver/src/test/java/okhttp3/mockwebserver/MockWebServerTest.java

@@ -33,10 +33,14 @@ import java.util.Arrays;
 import java.util.List;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.atomic.AtomicBoolean;
+import javax.net.ssl.HttpsURLConnection;
+import okhttp3.Handshake;
 import okhttp3.Headers;
 import okhttp3.HttpUrl;
 import okhttp3.Protocol;
+import okhttp3.RecordingHostnameVerifier;
 import okhttp3.internal.Util;
+import okhttp3.mockwebserver.internal.tls.SslClient;
 import org.junit.After;
 import org.junit.Rule;
 import org.junit.Test;
@@ -48,6 +52,7 @@ import static java.util.concurrent.TimeUnit.SECONDS;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotEquals;
 import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 
@@ -489,4 +494,77 @@ public final class MockWebServerTest {
     assertEquals(1, server.protocols().size());
     assertEquals(Protocol.H2_PRIOR_KNOWLEDGE, server.protocols().get(0));
   }
+
+  @Test public void https() throws Exception {
+    SslClient sslClient = SslClient.localhost();
+    server.useHttps(sslClient.socketFactory, false);
+    server.enqueue(new MockResponse().setBody("abc"));
+
+    HttpUrl url = server.url("/");
+    HttpsURLConnection connection = (HttpsURLConnection) url.url().openConnection();
+    connection.setSSLSocketFactory(sslClient.socketFactory);
+    connection.setHostnameVerifier(new RecordingHostnameVerifier());
+
+    assertEquals(HttpURLConnection.HTTP_OK, connection.getResponseCode());
+    BufferedReader reader = new BufferedReader(new InputStreamReader(connection.getInputStream()));
+    assertEquals("abc", reader.readLine());
+
+    RecordedRequest request = server.takeRequest();
+    assertEquals("https", request.getRequestUrl().scheme());
+    Handshake handshake = request.getHandshake();
+    assertNotNull(handshake.tlsVersion());
+    assertNotNull(handshake.cipherSuite());
+    assertNotNull(handshake.localPrincipal());
+    assertEquals(1, handshake.localCertificates().size());
+    assertNull(handshake.peerPrincipal());
+    assertEquals(0, handshake.peerCertificates().size());
+  }
+
+  @Test public void httpsWithClientAuth() throws Exception {
+    HeldCertificate clientCa = new HeldCertificate.Builder()
+        .certificateAuthority(0)
+        .build();
+    HeldCertificate serverCa = new HeldCertificate.Builder()
+        .certificateAuthority(0)
+        .build();
+    HeldCertificate serverCertificate = new HeldCertificate.Builder()
+        .issuedBy(serverCa)
+        .addSubjectAlternativeName(server.getHostName())
+        .build();
+    SslClient serverSsl = new SslClient.Builder()
+        .addTrustedCertificate(clientCa.certificate())
+        .certificateChain(serverCertificate)
+        .build();
+
+    server.useHttps(serverSsl.socketFactory, false);
+    server.enqueue(new MockResponse().setBody("abc"));
+    server.requestClientAuth();
+
+    HeldCertificate clientCertificate = new HeldCertificate.Builder()
+        .issuedBy(clientCa)
+        .build();
+    SslClient clientSsl = new SslClient.Builder()
+        .addTrustedCertificate(serverCa.certificate())
+        .certificateChain(clientCertificate)
+        .build();
+
+    HttpUrl url = server.url("/");
+    HttpsURLConnection connection = (HttpsURLConnection) url.url().openConnection();
+    connection.setSSLSocketFactory(clientSsl.socketFactory);
+    connection.setHostnameVerifier(new RecordingHostnameVerifier());
+
+    assertEquals(HttpURLConnection.HTTP_OK, connection.getResponseCode());
+    BufferedReader reader = new BufferedReader(new InputStreamReader(connection.getInputStream()));
+    assertEquals("abc", reader.readLine());
+
+    RecordedRequest request = server.takeRequest();
+    assertEquals("https", request.getRequestUrl().scheme());
+    Handshake handshake = request.getHandshake();
+    assertNotNull(handshake.tlsVersion());
+    assertNotNull(handshake.cipherSuite());
+    assertNotNull(handshake.localPrincipal());
+    assertEquals(1, handshake.localCertificates().size());
+    assertNotNull(handshake.peerPrincipal());
+    assertEquals(1, handshake.peerCertificates().size());
+  }
 }

okhttp-dnsoverhttps/src/main/java/okhttp3/dnsoverhttps/BootstrapDns.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014 Square, Inc.
+ * Copyright (C) 2018 Square, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -13,7 +13,6 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-
 package okhttp3.dnsoverhttps;
 
 import java.net.InetAddress;

okhttp-dnsoverhttps/src/main/java/okhttp3/dnsoverhttps/DnsOverHttps.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014 Square, Inc.
+ * Copyright (C) 2018 Square, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

okhttp-dnsoverhttps/src/test/java/okhttp3/dnsoverhttps/DnsOverHttpsTest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014 Square, Inc.
+ * Copyright (C) 2018 Square, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

okhttp-dnsoverhttps/src/test/java/okhttp3/dnsoverhttps/DnsRecordCodecTest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014 Square, Inc.
+ * Copyright (C) 2018 Square, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -13,7 +13,6 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-
 package okhttp3.dnsoverhttps;
 
 import java.net.InetAddress;

okhttp-dnsoverhttps/src/test/java/okhttp3/dnsoverhttps/DohProviders.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014 Square, Inc.
+ * Copyright (C) 2018 Square, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

okhttp-dnsoverhttps/src/test/java/okhttp3/dnsoverhttps/TestDohMain.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014 Square, Inc.
+ * Copyright (C) 2018 Square, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

okhttp-sse/src/main/java/okhttp3/internal/sse/ServerSentEventReader.java

@@ -1,3 +1,18 @@
+/*
+ * Copyright (C) 2018 Square, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package okhttp3.internal.sse;
 
 import java.io.IOException;

okhttp-tests/src/test/java/okhttp3/ProtocolTest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014 Square, Inc.
+ * Copyright (C) 2018 Square, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

okhttp-tests/src/test/java/okhttp3/internal/tls/ClientAuthTest.java

@@ -15,24 +15,20 @@
  */
 package okhttp3.internal.tls;
 
-import java.io.IOException;
 import java.net.SocketException;
-import java.security.GeneralSecurityException;
 import java.security.NoSuchAlgorithmException;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLHandshakeException;
 import javax.net.ssl.SSLPeerUnverifiedException;
-import javax.net.ssl.SSLSocket;
 import javax.net.ssl.SSLSocketFactory;
 import javax.security.auth.x500.X500Principal;
 import okhttp3.Call;
-import okhttp3.DelegatingSSLSocketFactory;
 import okhttp3.OkHttpClient;
 import okhttp3.Request;
 import okhttp3.Response;
+import okhttp3.mockwebserver.HeldCertificate;
 import okhttp3.mockwebserver.MockResponse;
 import okhttp3.mockwebserver.MockWebServer;
-import okhttp3.mockwebserver.HeldCertificate;
 import okhttp3.mockwebserver.internal.tls.SslClient;
 import org.junit.Before;
 import org.junit.Rule;
@@ -41,16 +37,11 @@ import org.junit.Test;
 import static okhttp3.TestUtil.defaultClient;
 import static okhttp3.internal.platform.PlatformTest.getPlatform;
 import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 
 public final class ClientAuthTest {
   @Rule public final MockWebServer server = new MockWebServer();
 
-  public enum ClientAuth {
-    NONE, WANTS, NEEDS
-  }
-
   private HeldCertificate serverRootCa;
   private HeldCertificate serverIntermediateCa;
   private HeldCertificate serverCert;
@@ -59,7 +50,7 @@ public final class ClientAuthTest {
   private HeldCertificate clientCert;
 
   @Before
-  public void setUp() throws GeneralSecurityException {
+  public void setUp() {
     serverRootCa = new HeldCertificate.Builder()
         .serialNumber(1L)
         .certificateAuthority(3)
@@ -106,9 +97,10 @@ public final class ClientAuthTest {
   @Test public void clientAuthForWants() throws Exception {
     OkHttpClient client = buildClient(clientCert, clientIntermediateCa);
 
-    SSLSocketFactory socketFactory = buildServerSslSocketFactory(ClientAuth.WANTS);
+    SSLSocketFactory socketFactory = buildServerSslSocketFactory();
 
     server.useHttps(socketFactory, false);
+    server.requestClientAuth();
     server.enqueue(new MockResponse().setBody("abc"));
 
     Call call = client.newCall(new Request.Builder().url(server.url("/")).build());
@@ -121,9 +113,10 @@ public final class ClientAuthTest {
   @Test public void clientAuthForNeeds() throws Exception {
     OkHttpClient client = buildClient(clientCert, clientIntermediateCa);
 
-    SSLSocketFactory socketFactory = buildServerSslSocketFactory(ClientAuth.NEEDS);
+    SSLSocketFactory socketFactory = buildServerSslSocketFactory();
 
     server.useHttps(socketFactory, false);
+    server.requireClientAuth();
     server.enqueue(new MockResponse().setBody("abc"));
 
     Call call = client.newCall(new Request.Builder().url(server.url("/")).build());
@@ -136,9 +129,10 @@ public final class ClientAuthTest {
   @Test public void clientAuthSkippedForNone() throws Exception {
     OkHttpClient client = buildClient(clientCert, clientIntermediateCa);
 
-    SSLSocketFactory socketFactory = buildServerSslSocketFactory(ClientAuth.NONE);
+    SSLSocketFactory socketFactory = buildServerSslSocketFactory();
 
     server.useHttps(socketFactory, false);
+    server.noClientAuth();
     server.enqueue(new MockResponse().setBody("abc"));
 
     Call call = client.newCall(new Request.Builder().url(server.url("/")).build());
@@ -151,9 +145,10 @@ public final class ClientAuthTest {
   @Test public void missingClientAuthSkippedForWantsOnly() throws Exception {
     OkHttpClient client = buildClient(null, clientIntermediateCa);
 
-    SSLSocketFactory socketFactory = buildServerSslSocketFactory(ClientAuth.WANTS);
+    SSLSocketFactory socketFactory = buildServerSslSocketFactory();
 
     server.useHttps(socketFactory, false);
+    server.requestClientAuth();
     server.enqueue(new MockResponse().setBody("abc"));
 
     Call call = client.newCall(new Request.Builder().url(server.url("/")).build());
@@ -166,9 +161,10 @@ public final class ClientAuthTest {
   @Test public void missingClientAuthFailsForNeeds() throws Exception {
     OkHttpClient client = buildClient(null, clientIntermediateCa);
 
-    SSLSocketFactory socketFactory = buildServerSslSocketFactory(ClientAuth.NEEDS);
+    SSLSocketFactory socketFactory = buildServerSslSocketFactory();
 
     server.useHttps(socketFactory, false);
+    server.requireClientAuth();
 
     Call call = client.newCall(new Request.Builder().url(server.url("/")).build());
 
@@ -177,8 +173,7 @@ public final class ClientAuthTest {
       fail();
     } catch (SSLHandshakeException expected) {
     } catch (SocketException expected) {
-      // JDK 9
-      assertTrue(getPlatform().equals("jdk9"));
+      assertEquals("jdk9", getPlatform());
     }
   }
 
@@ -192,9 +187,10 @@ public final class ClientAuthTest {
 
     OkHttpClient client = buildClient(clientCert, clientIntermediateCa);
 
-    SSLSocketFactory socketFactory = buildServerSslSocketFactory(ClientAuth.NEEDS);
+    SSLSocketFactory socketFactory = buildServerSslSocketFactory();
 
     server.useHttps(socketFactory, false);
+    server.requireClientAuth();
 
     Call call = client.newCall(new Request.Builder().url(server.url("/")).build());
 
@@ -213,9 +209,10 @@ public final class ClientAuthTest {
 
     OkHttpClient client = buildClient(clientCert2);
 
-    SSLSocketFactory socketFactory = buildServerSslSocketFactory(ClientAuth.NEEDS);
+    SSLSocketFactory socketFactory = buildServerSslSocketFactory();
 
     server.useHttps(socketFactory, false);
+    server.requireClientAuth();
 
     Call call = client.newCall(new Request.Builder().url(server.url("/")).build());
 
@@ -224,12 +221,11 @@ public final class ClientAuthTest {
       fail();
     } catch (SSLHandshakeException expected) {
     } catch (SocketException expected) {
-      // JDK 9
-      assertTrue(getPlatform().equals("jdk9"));
+      assertEquals("jdk9", getPlatform());
     }
   }
 
-  public OkHttpClient buildClient(HeldCertificate cert, HeldCertificate... chain) {
+  private OkHttpClient buildClient(HeldCertificate cert, HeldCertificate... chain) {
     SslClient.Builder sslClientBuilder = new SslClient.Builder()
         .addTrustedCertificate(serverRootCa.certificate());
 
@@ -243,7 +239,7 @@ public final class ClientAuthTest {
         .build();
   }
 
-  public SSLSocketFactory buildServerSslSocketFactory(final ClientAuth clientAuth) {
+  private SSLSocketFactory buildServerSslSocketFactory() {
     // The test uses JDK default SSL Context instead of the Platform provided one
     // as Conscrypt seems to have some differences, we only want to test client side here.
     SslClient serverSslClient = new SslClient.Builder()
@@ -252,18 +248,7 @@ public final class ClientAuthTest {
         .certificateChain(serverCert, serverIntermediateCa)
         .sslContext(getSslContext())
         .build();
-
-    return new DelegatingSSLSocketFactory(serverSslClient.socketFactory) {
-      @Override protected SSLSocket configureSocket(SSLSocket sslSocket) throws IOException {
-        if (clientAuth == ClientAuth.NEEDS) {
-          sslSocket.setNeedClientAuth(true);
-        } else if (clientAuth == ClientAuth.WANTS) {
-          sslSocket.setWantClientAuth(true);
-        }
-
-        return super.configureSocket(sslSocket);
-      }
-    };
+    return serverSslClient.socketFactory;
   }
 
   private SSLContext getSslContext() {