Fixes #4481 - Fix NeedWantClientAuthTest for OpenJDK 13.0.2/11.0.6.

Updated the keystores to PKCS12 and added the Basic Constraint CA:true
to the server certificate.

Signed-off-by: Simone Bordet <simone.bordet@gmail.com>

jetty-client/src/test/java/org/eclipse/jetty/client/AbstractHttpClientServerTest.java

@@ -195,7 +195,7 @@ public SslContextFactory newServerSslContextFactory()
 
         private void configure(SslContextFactory ssl)
         {
-            Path keystorePath = MavenTestingUtils.getTestResourcePath("keystore.jks");
+            Path keystorePath = MavenTestingUtils.getTestResourcePath("keystore.p12");
             ssl.setKeyStorePath(keystorePath.toString());
             ssl.setKeyStorePassword("storepwd");
         }

jetty-client/src/test/java/org/eclipse/jetty/client/HostnameVerificationTest.java

@@ -60,7 +60,7 @@ public void setUp() throws Exception
         server = new Server(serverThreads);
 
         SslContextFactory serverSslContextFactory = new SslContextFactory.Server();
-        serverSslContextFactory.setKeyStorePath("src/test/resources/keystore.jks");
+        serverSslContextFactory.setKeyStorePath("src/test/resources/keystore.p12");
         serverSslContextFactory.setKeyStorePassword("storepwd");
         connector = new ServerConnector(server, serverSslContextFactory);
         server.addConnector(connector);
@@ -76,7 +76,7 @@ public void handle(String target, Request baseRequest, HttpServletRequest reques
         server.start();
 
         // keystore contains a hostname which doesn't match localhost
-        clientSslContextFactory.setKeyStorePath("src/test/resources/keystore.jks");
+        clientSslContextFactory.setKeyStorePath("src/test/resources/keystore.p12");
         clientSslContextFactory.setKeyStorePassword("storepwd");
 
         QueuedThreadPool clientThreads = new QueuedThreadPool();

jetty-client/src/test/java/org/eclipse/jetty/client/HttpClientTLSTest.java

@@ -122,7 +122,7 @@ private SslContextFactory.Client createClientSslContextFactory()
 
     private void configureSslContextFactory(SslContextFactory sslContextFactory)
     {
-        sslContextFactory.setKeyStorePath("src/test/resources/keystore.jks");
+        sslContextFactory.setKeyStorePath("src/test/resources/keystore.p12");
         sslContextFactory.setKeyStorePassword("storepwd");
     }
 

jetty-client/src/test/java/org/eclipse/jetty/client/Socks4ProxyTest.java

@@ -199,7 +199,7 @@ public void testSocks4ProxyWithTLSServer() throws Exception
         {
             // The client keystore contains the trustedCertEntry for the
             // self-signed server certificate, so it acts as a truststore.
-            ssl.setTrustStorePath("src/test/resources/client_keystore.jks");
+            ssl.setTrustStorePath("src/test/resources/client_keystore.p12");
             ssl.setTrustStorePassword("storepwd");
             // Disable TLS hostname verification, but
             // enable application hostname verification.
@@ -233,7 +233,7 @@ public void testSocks4ProxyWithTLSServer() throws Exception
 
             // Wrap the socket with TLS.
             SslContextFactory.Server serverTLS = new SslContextFactory.Server();
-            serverTLS.setKeyStorePath("src/test/resources/keystore.jks");
+            serverTLS.setKeyStorePath("src/test/resources/keystore.p12");
             serverTLS.setKeyStorePassword("storepwd");
             serverTLS.start();
             SSLContext sslContext = serverTLS.getSslContext();

jetty-client/src/test/java/org/eclipse/jetty/client/TLSServerConnectionCloseTest.java

@@ -49,7 +49,7 @@ private void startClient() throws Exception
     {
         SslContextFactory sslContextFactory = new SslContextFactory.Client();
         sslContextFactory.setEndpointIdentificationAlgorithm(null);
-        sslContextFactory.setKeyStorePath("src/test/resources/keystore.jks");
+        sslContextFactory.setKeyStorePath("src/test/resources/keystore.p12");
         sslContextFactory.setKeyStorePassword("storepwd");
 
         QueuedThreadPool clientThreads = new QueuedThreadPool();

jetty-client/src/test/java/org/eclipse/jetty/client/ssl/NeedWantClientAuthTest.java

@@ -82,7 +82,7 @@ private void startClient(SslContextFactory sslContextFactory) throws Exception
     private SslContextFactory.Server createServerSslContextFactory()
     {
         SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
-        sslContextFactory.setKeyStorePath("src/test/resources/keystore.jks");
+        sslContextFactory.setKeyStorePath("src/test/resources/keystore.p12");
         sslContextFactory.setKeyStorePassword("storepwd");
         return sslContextFactory;
     }
@@ -141,7 +141,7 @@ public void handshakeSucceeded(Event event)
         });
 
         SslContextFactory clientSSL = new SslContextFactory.Client(true);
-        clientSSL.setKeyStorePath("src/test/resources/client_keystore.jks");
+        clientSSL.setKeyStorePath("src/test/resources/client_keystore.p12");
         clientSSL.setKeyStorePassword("storepwd");
         startClient(clientSSL);
 
@@ -232,7 +232,7 @@ public void handshakeSucceeded(Event event)
         });
 
         SslContextFactory clientSSL = new SslContextFactory.Client(true);
-        clientSSL.setKeyStorePath("src/test/resources/client_keystore.jks");
+        clientSSL.setKeyStorePath("src/test/resources/client_keystore.p12");
         clientSSL.setKeyStorePassword("storepwd");
         startClient(clientSSL);
 

jetty-client/src/test/java/org/eclipse/jetty/client/ssl/SslBytesClientTest.java

@@ -72,7 +72,7 @@ public void init() throws Exception
         sslContextFactory = new SslContextFactory.Client(true);
         client = new HttpClient(sslContextFactory);
         client.setMaxConnectionsPerDestination(1);
-        File keyStore = MavenTestingUtils.getTestResourceFile("keystore.jks");
+        File keyStore = MavenTestingUtils.getTestResourceFile("keystore.p12");
         sslContextFactory.setKeyStorePath(keyStore.getAbsolutePath());
         sslContextFactory.setKeyStorePassword("storepwd");
         client.start();

jetty-client/src/test/java/org/eclipse/jetty/client/ssl/SslBytesServerTest.java

@@ -117,7 +117,7 @@ public void init() throws Exception
         httpParses.set(0);
         serverEndPoint.set(null);
 
-        File keyStore = MavenTestingUtils.getTestResourceFile("keystore.jks");
+        File keyStore = MavenTestingUtils.getTestResourceFile("keystore.p12");
         sslContextFactory = new SslContextFactory.Server();
         sslContextFactory.setKeyStorePath(keyStore.getAbsolutePath());
         sslContextFactory.setKeyStorePassword("storepwd");

jetty-client/src/test/java/org/eclipse/jetty/client/ssl/SslConnectionTest.java

@@ -42,7 +42,7 @@ public class SslConnectionTest
     @Test
     public void testSslConnectionClosedBeforeFill() throws Exception
     {
-        File keyStore = MavenTestingUtils.getTestResourceFile("keystore.jks");
+        File keyStore = MavenTestingUtils.getTestResourceFile("keystore.p12");
         SslContextFactory sslContextFactory = new SslContextFactory.Server();
         sslContextFactory.setKeyStorePath(keyStore.getAbsolutePath());
         sslContextFactory.setKeyStorePassword("storepwd");

jetty-client/src/test/resources/readme_keystores.txt

@@ -0,0 +1,27 @@
+Since OpenJDK 13.0.2/11.0.6 it is required that CA certificates have the extension CA=true.
+
+The keystores are generated in the following way:
+
+# Generates the server keystore. Note the BasicConstraint=CA:true extension.
+$ keytool -v -genkeypair -validity 36500 -keyalg RSA -keysize 2048 -keystore keystore.p12 -storetype pkcs12 -dname "CN=server, OU=Jetty, O=Webtide, L=Omaha, S=NE, C=US" -ext BC=CA:true
+
+# Export the server certificate.
+$ keytool -v -export -keystore keystore.p12 -rfc -file server.crt
+
+# Export the server private key.
+$ openssl pkcs12 -in keystore.p12 -nodes -nocerts -out server.key
+
+# Generate the client keystore.
+$ keytool -v -genkeypair -validity 36500 -keyalg RSA -keysize 2048 -keystore client_keystore.p12 -storetype pkcs12 -dname "CN=client, OU=Jetty, O=Webtide, L=Omaha, S=NE, C=US"
+
+# Generate the Certificate Signing Request.
+$ keytool -certreq -file client.csr -keystore client_keystore.p12
+
+# Sign the CSR.
+$ openssl x509 -req -days 36500 -in client.csr -CA server.crt -CAkey server.key -CAcreateserial -sha256 -out signed.crt
+
+# Import the server certificate into the client keystore.
+$ keytool -v -import -alias ca -file server.crt -keystore client_keystore.p12
+
+# Import the signed CSR.
+$ keytool -import -file signed.crt -keystore client_keystore.p12