Get more TLS stuff passing on BouncyCastle (#7602)

There's something up with ECDSA on BouncyCastle, and rather than figuring it out I've just switched to RSA signatures with that provider.
2025-08-07 12:42:57 +03:00 · 2022-12-31 20:39:55 -05:00
parent 60d5b73fb8
commit fe6db78647
26 changed files with 123 additions and 124 deletions
--- a/okhttp-testing-support/src/main/kotlin/okhttp3/testing/PlatformRule.kt
+++ b/okhttp-testing-support/src/main/kotlin/okhttp3/testing/PlatformRule.kt
@@ -18,12 +18,18 @@ package okhttp3.testing
 import android.os.Build
 import com.amazon.corretto.crypto.provider.AmazonCorrettoCryptoProvider
 import com.amazon.corretto.crypto.provider.SelfTestStatus
+import java.lang.reflect.Method
+import java.net.InetAddress
+import java.security.Security
 import okhttp3.TestUtil
 import okhttp3.internal.platform.ConscryptPlatform
 import okhttp3.internal.platform.Jdk8WithJettyBootPlatform
 import okhttp3.internal.platform.Jdk9Platform
 import okhttp3.internal.platform.OpenJSSEPlatform
 import okhttp3.internal.platform.Platform
+import okhttp3.tls.HandshakeCertificates
+import okhttp3.tls.HeldCertificate
+import okhttp3.tls.internal.TlsUtil.localhost
 import org.bouncycastle.jce.provider.BouncyCastleProvider
 import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider
 import org.conscrypt.Conscrypt
@@ -43,8 +49,6 @@ import org.junit.jupiter.api.extension.InvocationInterceptor
 import org.junit.jupiter.api.extension.ReflectiveInvocationContext
 import org.openjsse.net.ssl.OpenJSSE
 import org.opentest4j.TestAbortedException
-import java.lang.reflect.Method
-import java.security.Security

 /**
 * Marks a test as Platform aware, before the test runs a consistent Platform will be
@@ -323,6 +327,13 @@ open class PlatformRule @JvmOverloads constructor(
    }
  }

+  fun localhostHandshakeCertificates(): HandshakeCertificates {
+    return when {
+      isBouncyCastle() -> localhostHandshakeCertificatesWithRsa2048
+      else -> localhost()
+    }
+  }
+
  val isAndroid: Boolean
    get() = Platform.Companion.isAndroid

@@ -336,6 +347,24 @@ open class PlatformRule @JvmOverloads constructor(
    const val OPENJSSE_PROPERTY = "openjsse"
    const val BOUNCYCASTLE_PROPERTY = "bouncycastle"

+    /**
+     * For whatever reason our BouncyCastle provider doesn't work with ECDSA keys. Just configure it
+     * to use RSA-2048 instead.
+     *
+     * (We otherwise prefer ECDSA because it's faster.)
+     */
+    private val localhostHandshakeCertificatesWithRsa2048: HandshakeCertificates by lazy {
+      val heldCertificate = HeldCertificate.Builder()
+        .commonName("localhost")
+        .addSubjectAlternativeName(InetAddress.getByName("localhost").canonicalHostName)
+        .rsa2048()
+        .build()
+      return@lazy HandshakeCertificates.Builder()
+        .heldCertificate(heldCertificate)
+        .addTrustedCertificate(heldCertificate.certificate)
+        .build()
+    }
+
    init {
      val platformSystemProperty = getPlatformSystemProperty()