Rewrite TLS test for the rest-client and reactive-rest-client

- Remove the trust store maven plugin which has not be super reliable recently on CI
- Use the cert generator instead
- Make sure the tests are not tainted with a quarkus.tls.trust-all=true

build-parent/pom.xml

@@ -115,7 +115,6 @@
         <asciidoctor-maven-plugin.version>2.0.0</asciidoctor-maven-plugin.version>
         <docker-maven-plugin.version>0.44.0</docker-maven-plugin.version>
         <maven-invoker-plugin.version>3.7.0</maven-invoker-plugin.version>
-        <truststore-maven-plugin.version>3.0.0</truststore-maven-plugin.version>
 
         <!-- revapi API check -->
         <revapi-maven-plugin.version>0.14.7</revapi-maven-plugin.version>

integration-tests/rest-client-reactive/pom.xml

@@ -11,15 +11,6 @@
     <artifactId>quarkus-integration-test-rest-client-reactive</artifactId>
     <name>Quarkus - Integration Tests - REST Client Reactive</name>
 
-    <properties>
-        <self-signed.trust-store>${project.build.directory}/self-signed.p12</self-signed.trust-store>
-        <self-signed.trust-store-password>changeit</self-signed.trust-store-password>
-        <wrong-host.trust-store>${project.build.directory}/wrong-host.p12</wrong-host.trust-store>
-        <wrong-host.trust-store-password>changeit</wrong-host.trust-store-password>
-    </properties>
-
-    <!--todo add ssl tests-->
-
     <dependencies>
         <!-- Client dependencies -->
         <dependency>
@@ -84,6 +75,11 @@
             <artifactId>wiremock-standalone</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>io.smallrye.certs</groupId>
+            <artifactId>smallrye-certificate-generator</artifactId>
+            <scope>test</scope>
+        </dependency>
 
         <!-- Minimal test dependencies to *-deployment artifacts for consistent build order -->
         <dependency>
@@ -159,48 +155,6 @@
                     </execution>
                 </executions>
             </plugin>
-
-            <plugin>
-                <groupId>uk.co.automatictester</groupId>
-                <artifactId>truststore-maven-plugin</artifactId>
-                <version>${truststore-maven-plugin.version}</version>
-                <executions>
-                    <execution>
-                        <id>self-signed-truststore</id>
-                        <phase>generate-test-resources</phase>
-                        <goals>
-                            <goal>generate-truststore</goal>
-                        </goals>
-                        <configuration>
-                            <truststoreFormat>PKCS12</truststoreFormat>
-                            <truststoreFile>${self-signed.trust-store}</truststoreFile>
-                            <truststorePassword>${self-signed.trust-store-password}</truststorePassword>
-                            <servers>
-                                <server>self-signed.badssl.com:443</server>
-                            </servers>
-                            <trustAllCertificates>true</trustAllCertificates>
-                            <includeCertificates>LEAF</includeCertificates>
-                        </configuration>
-                    </execution>
-                    <execution>
-                        <id>wrong-host-truststore</id>
-                        <phase>generate-test-resources</phase>
-                        <goals>
-                            <goal>generate-truststore</goal>
-                        </goals>
-                        <configuration>
-                            <truststoreFormat>PKCS12</truststoreFormat>
-                            <truststoreFile>${wrong-host.trust-store}</truststoreFile>
-                            <truststorePassword>${wrong-host.trust-store-password}</truststorePassword>
-                            <servers>
-                                <server>wrong.host.badssl.com:443</server>
-                            </servers>
-                            <trustAllCertificates>true</trustAllCertificates>
-                            <includeCertificates>LEAF</includeCertificates>
-                        </configuration>
-                    </execution>
-                </executions>
-            </plugin>
         </plugins>
     </build>
 

integration-tests/rest-client-reactive/src/main/java/io/quarkus/it/rest/client/main/selfsigned/ExternalSelfSignedClient.java

@@ -6,7 +6,7 @@
 import org.eclipse.microprofile.faulttolerance.Retry;
 import org.eclipse.microprofile.rest.client.inject.RegisterRestClient;
 
-@RegisterRestClient(baseUri = "https://self-signed.badssl.com/", configKey = "self-signed")
+@RegisterRestClient(baseUri = "http://not-available", configKey = "self-signed")
 public interface ExternalSelfSignedClient {
 
     @GET

integration-tests/rest-client-reactive/src/main/resources/application.properties

@@ -5,16 +5,6 @@ correlation/mp-rest/url=${test.url}
 io.quarkus.it.rest.client.main.ParamClient/mp-rest/url=${test.url}
 # global client logging scope
 quarkus.rest-client.logging.scope=request-response
-# Self-Signed client
-quarkus.rest-client.self-signed.trust-store=${self-signed.trust-store}
-quarkus.rest-client.self-signed.trust-store-password=${self-signed.trust-store-password}
-# Wrong Host client (connection accepted, as host verification is turned off)
-quarkus.rest-client.wrong-host.trust-store=${wrong-host.trust-store}
-quarkus.rest-client.wrong-host.trust-store-password=${wrong-host.trust-store-password}
-quarkus.rest-client.wrong-host.verify-host=false
-# Wrong Host client verified (connection rejected, as host verification is turned on by default)
-quarkus.rest-client.wrong-host-rejected.trust-store=${wrong-host.trust-store}
-quarkus.rest-client.wrong-host-rejected.trust-store-password=${wrong-host.trust-store-password}
 
 # speed up build
 quarkus.otel.bsp.schedule.delay=100

integration-tests/rest-client-reactive/src/test/java/io/quarkus/it/rest/client/selfsigned/ExternalSelfSignedTestCase.java

@@ -5,9 +5,13 @@
 
 import org.junit.jupiter.api.Test;
 
+import io.quarkus.it.rest.client.wronghost.BadHostServiceTestResource;
+import io.quarkus.test.common.WithTestResource;
 import io.quarkus.test.junit.QuarkusTest;
 
 @QuarkusTest
+@WithTestResource(SelfSignedServiceTestResource.class)
+@WithTestResource(BadHostServiceTestResource.class)
 public class ExternalSelfSignedTestCase {
 
     @Test

integration-tests/rest-client-reactive/src/test/java/io/quarkus/it/rest/client/selfsigned/SelfSignedServiceTestResource.java

@@ -0,0 +1,58 @@
+package io.quarkus.it.rest.client.selfsigned;
+
+import java.io.File;
+import java.time.Duration;
+import java.util.Map;
+
+import io.quarkus.test.common.QuarkusTestResourceLifecycleManager;
+import io.smallrye.certs.CertificateGenerator;
+import io.smallrye.certs.CertificateRequest;
+import io.smallrye.certs.Format;
+import io.vertx.core.Vertx;
+import io.vertx.core.http.HttpServerOptions;
+import io.vertx.core.net.PfxOptions;
+
+public class SelfSignedServiceTestResource implements QuarkusTestResourceLifecycleManager {
+
+    Vertx vertx = Vertx.vertx();
+
+    @Override
+    public Map<String, String> start() {
+        File file = new File("target/certs");
+        file.mkdirs();
+        // Generate self-signed certificate
+        // We do not use the junit 5 plugin to avoid having to annotate all the tests to make sure the certs are
+        // generated before the tests are run
+        CertificateGenerator generator = new CertificateGenerator(file.toPath(), false);
+        CertificateRequest cr = new CertificateRequest()
+                .withName("self-signed")
+                .withFormat(Format.PKCS12)
+                .withPassword("changeit")
+                .withDuration(Duration.ofDays(2))
+                .withCN("localhost");
+        try {
+            generator.generate(cr);
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
+
+        HttpServerOptions options = new HttpServerOptions()
+                .setSsl(true)
+                .setKeyCertOptions(new PfxOptions()
+                        .setPath("target/certs/self-signed-keystore.p12")
+                        .setPassword("changeit"));
+        var server = vertx.createHttpServer(options)
+                .requestHandler(req -> req.response().end("OK"))
+                .listen(-2).toCompletionStage().toCompletableFuture().join();
+
+        return Map.of(
+                "quarkus.rest-client.self-signed.url", "https://localhost:" + server.actualPort() + "/",
+                "quarkus.rest-client.self-signed.trust-store", "target/certs/self-signed-truststore.p12",
+                "quarkus.rest-client.self-signed.trust-store-password", "changeit");
+    }
+
+    @Override
+    public void stop() {
+        vertx.close().toCompletionStage().toCompletableFuture().join();
+    }
+}

integration-tests/rest-client-reactive/src/test/java/io/quarkus/it/rest/client/wronghost/BadHostServiceTestResource.java

@@ -0,0 +1,75 @@
+package io.quarkus.it.rest.client.wronghost;
+
+import java.io.File;
+import java.time.Duration;
+import java.util.Map;
+
+import io.quarkus.test.common.QuarkusTestResourceLifecycleManager;
+import io.smallrye.certs.CertificateGenerator;
+import io.smallrye.certs.CertificateRequest;
+import io.smallrye.certs.Format;
+import io.vertx.core.Vertx;
+import io.vertx.core.http.HttpServerOptions;
+import io.vertx.core.net.PfxOptions;
+
+public class BadHostServiceTestResource implements QuarkusTestResourceLifecycleManager {
+
+    Vertx vertx = Vertx.vertx();
+
+    @Override
+    public Map<String, String> start() {
+        File file = new File("target/certs");
+        file.mkdirs();
+        // Generate self-signed certificate
+        // We do not use the junit 5 plugin to avoid having to annotate all the tests to make sure the certs are
+        // generated before the tests are run
+        CertificateGenerator generator = new CertificateGenerator(file.toPath(), false);
+        CertificateRequest cr = new CertificateRequest()
+                .withName("bad-host")
+                .withFormat(Format.PKCS12)
+                .withPassword("changeit")
+                .withDuration(Duration.ofDays(2))
+                .withCN("bad-host.com")
+                .withSubjectAlternativeName("DNS:bad-host.com");
+        try {
+            generator.generate(cr);
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
+
+        File f = new File("target/certs/bad-host-keystore.p12");
+        System.out.println(f.getAbsolutePath() + " / " + f.exists());
+        HttpServerOptions options = new HttpServerOptions()
+                .setSsl(true)
+                .setKeyCertOptions(new PfxOptions()
+                        .setPath("target/certs/bad-host-keystore.p12")
+                        .setPassword("changeit"));
+        var server = vertx.createHttpServer(options)
+                .requestHandler(req -> req.response().end("OK"))
+                .listen(-1).toCompletionStage().toCompletableFuture().join();
+
+        // Wrong Host client (connection accepted, as host verification is turned off)
+        // quarkus.rest-client.wrong-host.trust-store=${wrong-host.trust-store}
+        // quarkus.rest-client.wrong-host.trust-store-password=${wrong-host.trust-store-password}
+        // quarkus.rest-client.wrong-host.verify-host=false
+
+        // Wrong Host client verified (connection rejected, as host verification is turned on by default)
+        // quarkus.rest-client.wrong-host-rejected.trust-store=${wrong-host.trust-store}
+        // quarkus.rest-client.wrong-host-rejected.trust-store-password=${wrong-host.trust-store-password}
+
+        return Map.of(
+                "quarkus.rest-client.wrong-host.url", "https://localhost:" + server.actualPort() + "/",
+                "quarkus.rest-client.wrong-host.trust-store", "target/certs/bad-host-truststore.p12",
+                "quarkus.rest-client.wrong-host.trust-store-password", "changeit",
+                "quarkus.rest-client.wrong-host.verify-host", "false",
+
+                "quarkus.rest-client.wrong-host-rejected.url", "https://localhost:" + server.actualPort() + "/",
+                "quarkus.rest-client.wrong-host-rejected.trust-store", "target/certs/bad-host-truststore.p12",
+                "quarkus.rest-client.wrong-host-rejected.trust-store-password", "changeit");
+    }
+
+    @Override
+    public void stop() {
+        vertx.close().toCompletionStage().toCompletableFuture().join();
+    }
+}

integration-tests/rest-client-reactive/src/test/java/io/quarkus/it/rest/client/wronghost/ExternalWrongHostTestCase.java

@@ -6,9 +6,13 @@
 
 import org.junit.jupiter.api.Test;
 
+import io.quarkus.it.rest.client.selfsigned.SelfSignedServiceTestResource;
+import io.quarkus.test.common.WithTestResource;
 import io.quarkus.test.junit.QuarkusTest;
 
 @QuarkusTest
+@WithTestResource(SelfSignedServiceTestResource.class)
+@WithTestResource(BadHostServiceTestResource.class)
 public class ExternalWrongHostTestCase {
     @Test
     public void restClient() {

integration-tests/rest-client/pom.xml

@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <project xmlns="http://maven.apache.org/POM/4.0.0"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
     <parent>
         <artifactId>quarkus-integration-tests-parent</artifactId>
         <groupId>io.quarkus</groupId>
@@ -12,10 +12,8 @@
     <name>Quarkus - Integration Tests - REST client</name>
 
     <properties>
-        <self-signed.trust-store>${project.build.directory}/self-signed.p12</self-signed.trust-store>
+        <self-signed.trust-store>${project.build.directory}/certs/self-signed-keystore.p12</self-signed.trust-store>
         <self-signed.trust-store-password>changeit</self-signed.trust-store-password>
-        <wrong-host.trust-store>${project.build.directory}/wrong-host.p12</wrong-host.trust-store>
-        <wrong-host.trust-store-password>changeit</wrong-host.trust-store-password>
     </properties>
 
     <dependencies>
@@ -67,6 +65,11 @@
             <artifactId>rest-assured</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>io.smallrye.certs</groupId>
+            <artifactId>smallrye-certificate-generator-junit5</artifactId>
+            <scope>test</scope>
+        </dependency>
 
         <!-- Minimal test dependencies to *-deployment artifacts for consistent build order -->
         <dependency>
@@ -142,49 +145,6 @@
                     </execution>
                 </executions>
             </plugin>
-
-            <plugin>
-                <groupId>uk.co.automatictester</groupId>
-                <artifactId>truststore-maven-plugin</artifactId>
-                <version>${truststore-maven-plugin.version}</version>
-                <executions>
-                    <execution>
-                        <id>self-signed-truststore</id>
-                        <phase>generate-test-resources</phase>
-                        <goals>
-                            <goal>generate-truststore</goal>
-                        </goals>
-                        <configuration>
-                            <truststoreFormat>PKCS12</truststoreFormat>
-                            <truststoreFile>${self-signed.trust-store}</truststoreFile>
-                            <truststorePassword>${self-signed.trust-store-password}</truststorePassword>
-                            <servers>
-                                <server>self-signed.badssl.com:443</server>
-                            </servers>
-                            <trustAllCertificates>true</trustAllCertificates>
-                            <includeCertificates>LEAF</includeCertificates>
-                        </configuration>
-                    </execution>
-                    <execution>
-                        <id>wrong-host-truststore</id>
-                        <phase>generate-test-resources</phase>
-                        <goals>
-                            <goal>generate-truststore</goal>
-                        </goals>
-                        <configuration>
-                            <truststoreFormat>PKCS12</truststoreFormat>
-                            <truststoreFile>${wrong-host.trust-store}</truststoreFile>
-                            <truststorePassword>${wrong-host.trust-store-password}</truststorePassword>
-                            <servers>
-                                <server>wrong.host.badssl.com:443</server>
-                            </servers>
-                            <trustAllCertificates>true</trustAllCertificates>
-                            <includeCertificates>LEAF</includeCertificates>
-                        </configuration>
-                    </execution>
-                </executions>
-            </plugin>
-
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-surefire-plugin</artifactId>
@@ -193,9 +153,8 @@
                         <!-- force the locale as we want to explicitly test message interpolation -->
                         <user.language>en</user.language>
                         <javax.net.ssl.trustStore>${self-signed.trust-store}</javax.net.ssl.trustStore>
-                        <javax.net.ssl.trustStorePassword>${self-signed.trust-store-password}</javax.net.ssl.trustStorePassword>
-                        <rest-client.trustStore>${wrong-host.trust-store}</rest-client.trustStore>
-                        <rest-client.trustStorePassword>${wrong-host.trust-store-password}</rest-client.trustStorePassword>
+                        <javax.net.ssl.trustStorePassword>${self-signed.trust-store-password}
+                        </javax.net.ssl.trustStorePassword>
                     </systemPropertyVariables>
                 </configuration>
             </plugin>
@@ -214,7 +173,8 @@
             <properties>
                 <quarkus.native.enable-https-url-handler>true</quarkus.native.enable-https-url-handler>
                 <quarkus.native.additional-build-args>-J-Djavax.net.ssl.trustStore=${self-signed.trust-store},
-                    -J-Djavax.net.ssl.trustStorePassword=${self-signed.trust-store-password}</quarkus.native.additional-build-args>
+                    -J-Djavax.net.ssl.trustStorePassword=${self-signed.trust-store-password}
+                </quarkus.native.additional-build-args>
             </properties>
             <build>
                 <plugins>
@@ -225,8 +185,6 @@
                             <systemPropertyVariables>
                                 <!-- force the locale as we want to explicitly test message interpolation -->
                                 <user.language>en</user.language>
-                                <rest-client.trustStore>${wrong-host.trust-store}</rest-client.trustStore>
-                                <rest-client.trustStorePassword>${wrong-host.trust-store-password}</rest-client.trustStorePassword>
                             </systemPropertyVariables>
                         </configuration>
                     </plugin>

integration-tests/rest-client/src/main/java/io/quarkus/it/rest/client/selfsigned/ExternalSelfSignedClient.java

@@ -6,7 +6,7 @@
 import org.eclipse.microprofile.faulttolerance.Retry;
 import org.eclipse.microprofile.rest.client.inject.RegisterRestClient;
 
-@RegisterRestClient(baseUri = "https://self-signed.badssl.com/", configKey = "self-signed")
+@RegisterRestClient(configKey = "self-signed")
 public interface ExternalSelfSignedClient {
 
     @GET