From 79e75303908d2eb41518821be46d4ae65b914c3e Mon Sep 17 00:00:00 2001
From: Piotr Fus <pfs@touk.pl>
Date: Mon, 29 Jan 2018 21:14:11 +0100
Subject: [PATCH] Add https client authentication

Change-Id: Ib04eaa8e534e2ac83fb4c11a169f110a5f3a580d
---
 .../xsd/pl/touk/mockserver/api/common.xsd     |   3 +
 .../tests/MockServerHttpsTest.groovy          |  99 ++++++++++++++++--
 .../src/test/resources/trusted.jks            | Bin 0 -> 2235 bytes
 .../src/test/resources/truststore.jks         | Bin 0 -> 1880 bytes
 .../src/test/resources/untrusted.jks          | Bin 0 -> 2255 bytes
 .../server/HttpServerWrapper.groovy           |  29 ++++-
 .../touk/mockserver/server/HttpsConfig.groovy |  28 +++++
 7 files changed, 145 insertions(+), 14 deletions(-)
 create mode 100644 mockserver-tests/src/test/resources/trusted.jks
 create mode 100644 mockserver-tests/src/test/resources/truststore.jks
 create mode 100644 mockserver-tests/src/test/resources/untrusted.jks
 create mode 100644 mockserver/src/main/groovy/pl/touk/mockserver/server/HttpsConfig.groovy

diff --git a/mockserver-api/src/main/xsd/pl/touk/mockserver/api/common.xsd b/mockserver-api/src/main/xsd/pl/touk/mockserver/api/common.xsd
index 953b839..673be7d 100644
--- a/mockserver-api/src/main/xsd/pl/touk/mockserver/api/common.xsd
+++ b/mockserver-api/src/main/xsd/pl/touk/mockserver/api/common.xsd
@@ -24,6 +24,9 @@
             <xs:element name="keystorePath"  type="xs:string" />
             <xs:element name="keystorePassword" type="xs:string" />
             <xs:element name="keyPassword" type="xs:string" />
+            <xs:element name="truststorePath" type="xs:string" />
+            <xs:element name="truststorePassword" type="xs:string" />
+            <xs:element name="requireClientAuth" type="xs:boolean" />
         </xs:sequence>
     </xs:complexType>
 </xs:schema>
diff --git a/mockserver-tests/src/test/groovy/pl/touk/mockserver/tests/MockServerHttpsTest.groovy b/mockserver-tests/src/test/groovy/pl/touk/mockserver/tests/MockServerHttpsTest.groovy
index 91b851a..0bef47f 100644
--- a/mockserver-tests/src/test/groovy/pl/touk/mockserver/tests/MockServerHttpsTest.groovy
+++ b/mockserver-tests/src/test/groovy/pl/touk/mockserver/tests/MockServerHttpsTest.groovy
@@ -16,8 +16,10 @@ import pl.touk.mockserver.client.Util
 import pl.touk.mockserver.server.HttpMockServer
 import spock.lang.Shared
 import spock.lang.Specification
+import spock.lang.Unroll
 
 import javax.net.ssl.SSLContext
+import javax.net.ssl.SSLHandshakeException
 import java.security.KeyStore
 
 class MockServerHttpsTest extends Specification {
@@ -27,14 +29,20 @@ class MockServerHttpsTest extends Specification {
     HttpMockServer httpMockServer
 
     @Shared
-    SSLContext sslContext = SSLContexts.custom()
+    SSLContext noClientAuthSslContext = SSLContexts.custom()
         .loadTrustMaterial(trustStore())
         .build()
 
     @Shared
-    CloseableHttpClient client = HttpClients.custom()
-        .setHostnameVerifier(SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER)
-        .setSslcontext(sslContext)
+    SSLContext trustedCertificateSslContext = SSLContexts.custom()
+        .loadKeyMaterial(trustedCertificateKeystore(), 'changeit'.toCharArray())
+        .loadTrustMaterial(trustStore())
+        .build()
+
+    @Shared
+    SSLContext untrustedCertificateSslContext = SSLContexts.custom()
+        .loadKeyMaterial(untrustedCertificateKeystore(), 'changeit'.toCharArray())
+        .loadTrustMaterial(trustStore())
         .build()
 
     def setup() {
@@ -64,17 +72,90 @@ class MockServerHttpsTest extends Specification {
         when:
             HttpPost restPost = new HttpPost('https://localhost:10443/testEndpoint')
             restPost.entity = new StringEntity('<request/>', ContentType.create("text/xml", "UTF-8"))
-            CloseableHttpResponse response = client.execute(restPost)
+            CloseableHttpResponse response = client(noClientAuthSslContext).execute(restPost)
         then:
             GPathResult restPostResponse = Util.extractXmlResponse(response)
             restPostResponse.name() == 'goodResponse-request'
-        and:
-            remoteMockServer.removeMock('testHttps')?.size() == 1
+    }
+
+    def 'should handle HTTPS server with client auth' () {
+        expect:
+            remoteMockServer.addMock(new AddMock(
+                name: 'testHttps',
+                path: 'testEndpoint',
+                port: 10443,
+                predicate: '''{req -> req.xml.name() == 'request'}''',
+                response: '''{req -> "<goodResponse-${req.xml.name()}/>"}''',
+                https: new Https(
+                    keyPassword: 'changeit',
+                    keystorePassword: 'changeit',
+                    keystorePath: MockServerHttpsTest.classLoader.getResource('keystore.jks').path,
+                    truststorePath: MockServerHttpsTest.classLoader.getResource('truststore.jks').path,
+                    truststorePassword: 'changeit',
+                    requireClientAuth: true
+                ),
+                soap: false
+            ))
+        when:
+            HttpPost restPost = new HttpPost('https://localhost:10443/testEndpoint')
+            restPost.entity = new StringEntity('<request/>', ContentType.create("text/xml", "UTF-8"))
+            CloseableHttpResponse response = client(trustedCertificateSslContext).execute(restPost)
+        then:
+            GPathResult restPostResponse = Util.extractXmlResponse(response)
+            restPostResponse.name() == 'goodResponse-request'
+    }
+
+    @Unroll
+    def 'should handle HTTPS server with wrong client auth' () {
+        expect:
+            remoteMockServer.addMock(new AddMock(
+                name: 'testHttps',
+                path: 'testEndpoint',
+                port: 10443,
+                predicate: '''{req -> req.xml.name() == 'request'}''',
+                response: '''{req -> "<goodResponse-${req.xml.name()}/>"}''',
+                https: new Https(
+                    keyPassword: 'changeit',
+                    keystorePassword: 'changeit',
+                    keystorePath: MockServerHttpsTest.classLoader.getResource('keystore.jks').path,
+                    truststorePath: MockServerHttpsTest.classLoader.getResource('truststore.jks').path,
+                    truststorePassword: 'changeit',
+                    requireClientAuth: true
+                ),
+                soap: false
+            ))
+        when:
+            HttpPost restPost = new HttpPost('https://localhost:10443/testEndpoint')
+            restPost.entity = new StringEntity('<request/>', ContentType.create("text/xml", "UTF-8"))
+            client(sslContext).execute(restPost)
+        then:
+            thrown(SSLHandshakeException)
+        where:
+            sslContext << [noClientAuthSslContext, untrustedCertificateSslContext]
+    }
+
+    private CloseableHttpClient client(SSLContext sslContext) {
+        return HttpClients.custom()
+            .setHostnameVerifier(SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER)
+            .setSslcontext(sslContext)
+            .build()
+    }
+
+    private KeyStore trustedCertificateKeystore() {
+        return loadKeystore('trusted.jks')
+    }
+
+    private KeyStore untrustedCertificateKeystore() {
+        return loadKeystore('untrusted.jks')
     }
 
     private KeyStore trustStore() {
-        KeyStore truststore  = KeyStore.getInstance(KeyStore.defaultType)
-        truststore.load(new FileInputStream(MockServerHttpsTest.classLoader.getResource('truststore.jks').path), "changeit".toCharArray());
+        return loadKeystore('truststore.jks')
+    }
+
+    private KeyStore loadKeystore(String fileName) {
+        KeyStore truststore = KeyStore.getInstance(KeyStore.defaultType)
+        truststore.load(new FileInputStream(MockServerHttpsTest.classLoader.getResource(fileName).path), "changeit".toCharArray());
         return truststore
     }
 }
diff --git a/mockserver-tests/src/test/resources/trusted.jks b/mockserver-tests/src/test/resources/trusted.jks
new file mode 100644
index 0000000000000000000000000000000000000000..e6fa704c24008010af9739e39947c464b0c58b26
GIT binary patch
literal 2235
zcmchYc{J1uAI5*PV(j};V=MF8u4WXI?Znu}WQnnBtVv}ZqTH@%2DxO*r7X?R+)IS<
z+V_lTY(+&#BoSjs_7c~7&wJl<&*}g7kLQo)^Vj!0=Q+=JpS#Zm004X_&|l(-jEEvf
z2KXO(AJe3L4gkQw=mh9KS_qENfP<hQb+9N11OuQ6(500VZx{mGJ(CK+DPm?JDY)c}
zdH0=W(=yz)PtG%XyQspfgJ?+J6Y)%kId}?GbhAilJf#vt2y-#)d+K^c<BG&hW9OWu
z6Tua=*k>u(&c?3`1I^X-!<{!80o`vB!m)dhk;X-)Dqj%6NwhwqUmG2C<4WbpMA_SH
zk({wN#6WDxZ0860wzRtYXDb{%MXWE21)$et^KC#Y=gBmt^i$@DsSOUeBX{+v2b-ju
zEPsG>b^_`iw7Cz~>P2-mmhZZ^3BNYvw4bgBAp2`$M<<HDZ=8Ol7N=qqr?^4q>C_rc
zg74$j=)Tbd8GcRygrz)j3myC~Puk(N_4cn7UWH7?ytu_%%@LoQ_bz08kzF5_#IrSZ
z6+PMF{f4yb?#~%K`4hOE_#V65`Gd@siI0(_pwHK9sEnV^H~n!nFUP9-vD>yjtsK9G
znzO=7*M*KzMniQl&ey&;S)5XYoL7^W8bPyP0?D2J)6s!_<Wet-ju_)b_Rq3Kgo*(b
z<v8wdQZ!s?mu2`#+g14flbvJUW4%X%&ot}lf1Ok8SQl*y(uC5E5Qx;mpKnrHue7O^
zD(b%SP?_uL%FGfVgAr!(nO@<JPICEuoY~lu8G>1`_8~v*`I@=Y@dZvES{6b)W$F_j
zvbV;N=aes>(;?3a*m<5?9^KqicJw}DJ&L7jn|FU7#SB-Q$$Gdq;ldsOgR03voH?Gh
zNRHQ|uOfV#jd|NL(XotPl3yK)39(({#kmPLFSLCIW%x(Tq*FC(DZHhm=y@TO2SIX9
zW#HzKI@afcjD~hM_`;{}pH)z)T`<N8zcVKXHd?i;27a1V6*7@Dam>EFq<Hlruf1uF
z#&>6<cpb?GE0O7_Ru6AISIVgy{OWQ2MXkqV?Ny#ITw6};k~Nl=#j|M30z0*KcFkAu
zwZGl<AH462+fAxLOtH#>>;XUT`A5%virK@AaG9eFTm-b5p%xIqKC@$J@Q%9Dn7W8D
zU_1*we_cA4d;Ft5X})Tq@&y<qA(EyShm@F&t=6zdX7i@_g}6`k-l#BU<*1CwKb*=G
z`BE*C8oHV<T`09>DeO?LbWF!~-r7n;#^>?kr4T`%++H!JAyw;NCmAc|XO&xAth5Ic
zWli|B%4-`wIp^D`;rs3uzpdtIa!_w7dtby-@7h$^)i0!Oc1pXfL>M62Dp<+al<a?@
z2&_>ZJ&BMBYH^tqjO5}%EAd8xyJfB!%Z|0eT80GNW0y7cc<xb{1r0RvF=}^O$_CHv
zsS!~+q0#F=frUu!XMxl1lN{;X4#V<JVd=t)!gEEoT;-0q2wYgbVnGK=G#dJ$S*kL3
zt$d5m4zOI;+S6P)$o9)1(aRoo6BIP|BubLzxfL2jF}lUJjb>BW{%niF7MN*|6~$ZT
z7I?mFCyYOdauYMKNi=(V^x00E&A84b7bY)FMK`Gw;u|C2=q6W)I<n?r*kZd=|1@ZZ
zl@+_g@=@OUmdY_Fff$Cl5A@sKnfaOR(+sCB&}NLON(|XWpP5Lc_F8WzvEyOIzmXLO
z??alzx{3ib#<AFz&xGH>-RMqmMrhjOO%6Ef_?Q`9>Ozm!qrmuEc&P3>-$96L{xcsv
zrH$pz=RIJ8-0qx4ajemLGHeRPo%wnq4J5S5x)K8aEF?6IUpDw_8ey(lI%qurfP|wH
zAi?MaFp&lUgTP?uvFP-NXhAridZJb0wjc<^4+GGF7=AP#972S`#liLjjL6}B9vWWp
zzxVZT!t(<`{6P4BAdvqNw7j$+<}@0kt*4DfW3@5v(t_ImvDp9G|KA}AAmx9CaQGu2
z2_Rtrod80B6F?v!N57D`QN)xM9zv956nsh$VSlKZ6_^bb;HUR&O7^gtaL0uLy+i0z
z7un|bnD2K*fBnTAofz}_I#&0*5%osD@=cpPow{k}hp*001C6X>qS%&|=!+8h4K7}h
z7I{TyF;7btM8<8waE$)I{Ue?!cb#Xz7WFnc^+4DKpFaH7J+9HIy{=2-K9bxj<0gkm
zOZ=nvY?ICRxSC3>H~fedZuhN3PbV}Zyol0t<9>-!(vj#3GU2rsi0g#s0uwU{CN7gI
z{w<AN3wy~U<Czj3S;LDD3R4W4(;LmN_iZU9mK&B=?wfqPJgFLiKv{9CB(bUQv8`3A
ztxEQ5Z+H30U<e2Rl_;SV(8$9oAcde(P>I|fGfhNy%kmh0C|<J4r7!P*{_&q79yaMP
zL=d0_!mkSr&5(fd5wy!vWI&?zrEl7crgN9ff{7Nq+)vq`)OK!FQ|_#`&Uer)eb+-w
z7A=ZASST&cZxrtE`wqnXuIu#rY7UuPdJqHicNkjbA9TYiWXp^MD1N-{SJmMX&t6+k
z*Edz_4>t(hSESvc?4lOMQ~*JT(PH%M@6i%`?^X9h15C6UmQXDb@S6GvFYa-PH<HL8
zSG}Sy;TMsiYMIh9a@8++d3;Z&x5I`#aMSqJnYa2;BVjzH?%^h|2K%FvsIl9Mr%ZQ^
zWJd$C(&~+^e--2?+`G3<!LIayh)$D8ne2CRvP)kZYsPrSiSkp4UN!3JuX1G8gnxgi
WWF5@EBRtqnaim9{^Qdz;DE$-r)6BX6

literal 0
HcmV?d00001

diff --git a/mockserver-tests/src/test/resources/truststore.jks b/mockserver-tests/src/test/resources/truststore.jks
new file mode 100644
index 0000000000000000000000000000000000000000..27a8332bbfb9e1e41f504b7d728b039180ce9aa3
GIT binary patch
literal 1880
zcmezO_TO6u1_mZLW-lo!EiOq-VPIfPbnbZGz`z=zXKG-{z`$H+(8Qc;(8LtFfSHMr
ziHSwIynl%SFB_*;n@8JsUPeZ4RtAG~Lv903Hs(+kHesd!A435HJ`jgP7-lL=gdIbK
z3qyn(LxdSFVjw5ZYiMC$Xk=+*U|?=!7$weY1mc=Qx%6{L6QdGxATY8rFgG#sGZ-{6
zaxpbAGBQlHnj89M-bQi$b6hJY%z4oyaPsk{M?8=6dAJuI`zm_u@J=TczVw8=g?BSf
zy3XAA@TXvRovT4x#nmcvvpCz<+S5u6-hWKD-rxB6SJ=^XThEHplkV#bGDK!?505Qz
zn=#MV@aW>_0yq7b*bJ@C%#x1jniBSa$!(kW)NKp}X^E%2zRi4VYx3t%R`IELsrO48
zUT<8`w*0v7PVc|<o7U;w;O2Vw_DFMEOo+kK!g(z_YiBK1Y?m%ilPKJh7W&!eJkPBM
zO^)HWRa18FIQ0Ba$EBMSMWQENd^vw^m-Vjx9j;ZUzA3h?wpqRIpX1Z)+Zsh&Y94Rb
zi<<X5G~cscV~=9M$2&i{i<y`i85kEU8ps>S0+WI)ABz}^$n+mBI$TF~zq#&pu2FP-
z_^BEH7d}M}L|{q+1|lPa9;4T1zH<-a8CG912!B<Q+UA+{+vuh9lPs6qP&baZFDAdx
z{L#FjrSJWoXZshrCw<OyeCakX`mmaw&hM7D7a#8DdiFEo{^$2oi;GwMuV76HJolda
zY^1sTWQj|u3Qs$e*Y6K+Jo)i+zm>D%=|b!De+mowT7Ig%6jEj24ZOC<;L);j5zdDi
z|MF8E^|rrK+g-%AX<Je3TNRNTqOzG0mh(OpX2|AiP864r+HjeJJ;|bfAM3?vr~6*-
zAKbAjy;Q)yBC61lb$fu!ZMEy23MS4!Z6&XzPU_v};MvXlT7Krt&n@QfPBDgt+?JJ?
zd{0X9)vq0!uCw0^mAl&(yGg76%2bJu{NPN<nUkNKn3IuTTmsIL`ZbP-EZGXol8wMD
znF-C3;)|}@parBsA!?QsG7x}dNrbtEP%(C4OffDjV%%87n32Q~nbXk1$kG6jIicKv
za1x<xx>JY$%-e-#XR}g%{^i~>`Dp0ECCh>gl%z5~evg#AH@Eb7Z@!3Ee~reUPkRzQ
z_V{j@IAM?Eya*Hji>2RQZjiEkBU?RP>5SO=M%`4$xXsMJ6nt+9%s9r%@-UEH>9N*I
zx7wY_>wd7FJ))&4r*&j<){37$mG)cnmwdWcb0%AB+LG4?Z`B1=MSZZ`ax>%emp#v`
znU*atdtV>I<f}C&%Kb@p?vLAV%_kpj;Nfs*o3L5d!7TgOpKS44RpIp>-5RC8?l2sb
z7SfursYqQ)^~IzMS=`Zk{(IY3-#%`-#PL6CVr82R^Y10xUCR<L8cpypbji?_*>8IJ
z)D2fZ1>uPJ!W^GVZ4a?!Q}LH!>n}dJy{Vh+!;Hd%e_u?m*%gYGy1>~~euX|uUT#1_
z@VO72dir53qRq@9bLZ`Nm{PXuihxUum-6*n#s4I%Z(fqkD_D7n`R&K#oJBzaclX-8
zIjLr0sdUV`&CKGUdHTu8g`1C`xcPFzw!EO}j?;}6{Ye$5itRZe>vBTZX_>_8JC7r}
zilSB~HgD;k+4Nmqa!-JfR6<Uf-JaB$jTvt_WR=cN7T==~IctvN{vFkhkFPc-Z~DJt
z&D%W-_=Pv<ZqeoQp8V03{b{K>w~41B^Q*ZpMOoIKRqJRjNesC6^}}At5Gm&K^K!4T
zOtg9V#DB^Tz0bFWIFs}~9-nshsknEF_tAwXA2ofM5O<+;6-)WO`zn@gbFWN2`Xuh;
c-UT~myb*gL`u>sUT7xSMcXgI*(%Ya10Jt*6!~g&Q

literal 0
HcmV?d00001

diff --git a/mockserver-tests/src/test/resources/untrusted.jks b/mockserver-tests/src/test/resources/untrusted.jks
new file mode 100644
index 0000000000000000000000000000000000000000..ca94b454c5d413ac28dbcf921a5b678eb20896a5
GIT binary patch
literal 2255
zcmc(gX*kr29>?cz#xNNBQWQd6hL{<<7(&QSS(6T8h-(?k8D$-eP-Mx3v9?)eLLn^}
zB8@HTpzJ3p3{qySgX5g%-skqB_xHv3#rN~-_k5q<^Zo8E?=6EsAdUk8{|FWt9D$1r
zkMO;GK)g)SSI&Y!oFF6t!bb8#d6c051VC^I0RSfmLV(OGZ&JRCH8R4@^J^DW8`_3_
z6rWi>v{S9NoI!bfsxbh%!D-lhck{xHgzm4F`ofr<k@62;$CKAny}bI37r>$A%t{j5
zdc0=sU3`1phd6T`3$b&HimkERIZfVAy3#GxALgM%6)?5r;%jNw6xJ8k_DcBBwPaVv
zQ?7%r)s=P3^yE8?#e;h>1(c5Tq6j6XS=N%<ovWUkJt?NO(~y|fYQ8?D^u2%(OBw^;
zK5SxI63fU}5sQ)BO5m!<$N2Qz&JYQ;;|f`@R-ct+ctW-P#_E6DZC|Qu>6rP})QE)#
z--?D8&4V3+Z<zAQRIrBp&HDXr5-YeHj%?D?J|XC94<@I#C)JiR^GL9Xfq?Z3pNG(8
zMS&}1Z?^2tN7Hd?-2*$!IyA@vUSQK$S_WTJ-EggJIe|8GF#$%Fg#49K5=Y$rU1d*z
z-CTMC%dnb?<X@CF&g4%FX6Q?8jU$z+o^n-@YI4c(aq*0o!egV7@-GX}7roU8TKKhQ
zUAfn4(ursi{;|AaE75#7tvJX?AgVl5AVPM8`xB0-;vZrq8jts{Mx@fMjuvcD^lHWh
zHPXuk)0|9jQMTs&+Y^2x9MVm-L1QMK2Cf;Trk>FN8_TdqDUz?0qv%rcRhb<^$r9vi
z_dDnEWWa7GcA{ZDZ$wmm#uePdT#MUl-uhyzx)czlPJ@haBC=CxBH?`7{h`RYCUgn+
zB-Vck7mi6;PrMg1FUd9~{n@E`gAkPPCCY-wW7nK``3B~+OU)I7--4Lqzu&K%=KR5;
zR@t5XF#LIZeEMr{i=S-}Z~xQ@TCL%Vs_G&2m->=XH%^FJL91(L4IVjU@v6SX!<Ajh
z&@1mZHxxAP#v<;KlLO*r4(;QsoppLMv<6~*9VSwrW_)YqdZfN?!ssx^#}+=(a28(A
z8*)4*-_7i9Ni90v7sdkgdM|i?S-cr&%v6-ojhPt1sl0n_{t;Cc;x@#k)ymVUIlpft
zR`GshA|Ms}iQ7ULU@th-qvuc+H1gq`0PS`pUq#<Fhm)4`>}e?yC76w~E|)0H8s3&r
zNYd5JE8Z)}UY+jP;=QMc@!%X3c}I&WSw4l6a8&ndR4XA@{;O_5aM`rKH-BiPQeTH~
z!FQ``?DLusjeFY9rcGew`Ki@p94B_Sx<fnZs&$@qk^W$J>T^pgQaA*vx!LdK^vng3
ztP!#z=*|^jN`_|I?`rKEzR-jzxc+!xN%wY?D_@a|-si$;oGfb@|9nX~J&cNH8?%^u
zu%q}lZYbW{$1iPvOv~vJW=TXH?bYMFc-BwtzKqwx9i%*cl$yM__~ClQsC+&h?>WpY
zKGr?W(5Gpw)LsZ%JyVNKxr^}Sz8O^B-gibulwGu+%PNg{>w!l(LP}@i<?P(z5|!0y
z213^jzB@GI@OX+I9BNBq$coo{0FzHVrr@ChSK4|y;_nq&Z&&p6S|`<igca?YHqL(2
z>DXaUWxO}HQDl}GF6R&nF(y3aDf4CyM5d&e=A03)sBDree>QlQP1WwYlZvIXcB#!Y
z`t9%dS*=@-MV#wnwL}WAP8|FxemO6cl<aJ0Ibl+QYsbYpp}KVNnPZ#GdQZufPrHg|
zJt-#xp$L1cjL~A|kpf$=ie~13NBt3<78#R67wV|K5EWFQ`1U{5$my!8iPQywz$r)q
zI1x$U2q*({02~|;iL4q8BpeDu5G{xsZ~)*vD9kVvFA@d?J3*i#9QM{IVWi;ShFj!+
z{rX?V^$W)H3&#5k2L6d5r6u4f9V7~^i$<c5>gw(iaP;3+`#<*oaS{QL`#G3{)c_L!
zfrB{#csK|E0HR*a@y3nEJS<ZNt?Hi>Y^;9)a2fPB+sEbrp5nzoX|`^Qa#+wXjtpyv
zf6r6k6!Ttm6YLoFO1Gq8uw}>ogt1|4<c`ti2;@pT&*j>g)w%SNDf1~O?}owG1BG-e
z0jO3(_A3VEiE%t1$btTQ*#h%Xo)qQcxe7Hl2B0CoB7G_bD*6W>pRVHaa|<$SnWWOG
z8o636{^c&c&4?E}qt91=lrE)F`<ttM497?<yj9}SX+wC{;2#g3A^3)a1^8SNW8-WK
zG3$4qE_XVUIwL&ZI2$K)MGE`7z*50dJXHTSRf3%4d5oWF+_yLnhs%M^KDO3<Yp$$-
zu>#-29AE$h+&zYrK^{GLkE8q$afqn0TPq?%=e9KQbX|(gsBXRbvB;F4Lp=DdgAf6b
z8)ItfjFEyO5j*Q{<RARUI{f;NceRkgn@hoOpjp>CvzNwpy!Ez1wGPD`0i(3LSQmve
z6h-!@kDm-vl7lk2ge$!w^X<N?BEl&HJb9B}&ZXz@T~RyiEsaGy%XVIpjlV?fK3ftO
z)GoM?n>@)nRkv}=b@I5elZ>EM{tI1n%*@B9R#hEpZH`%Cd<oH3UtD%n%QwKGmn@ga
zfqOhpEzW%QuBN>mHN-9^-;H_Artw!Fcc;HOhxwt?)s||HqqyZYN(KMPJDq#mZzvJ!
z6RK-A0_wMsUa3A0&FVv5G80c!ys=TW)_*95(`|27pf8$eNqO8vu5RAv`;yvJAqxuu
WR1{UN&PgWK`+(=#3qkv-?7slilILmw

literal 0
HcmV?d00001

diff --git a/mockserver/src/main/groovy/pl/touk/mockserver/server/HttpServerWrapper.groovy b/mockserver/src/main/groovy/pl/touk/mockserver/server/HttpServerWrapper.groovy
index 9121c6b..0ab3ca2 100644
--- a/mockserver/src/main/groovy/pl/touk/mockserver/server/HttpServerWrapper.groovy
+++ b/mockserver/src/main/groovy/pl/touk/mockserver/server/HttpServerWrapper.groovy
@@ -2,15 +2,16 @@ package pl.touk.mockserver.server
 
 import com.sun.net.httpserver.HttpHandler
 import com.sun.net.httpserver.HttpServer
-import com.sun.net.httpserver.HttpsConfigurator
 import com.sun.net.httpserver.HttpsServer
 import groovy.transform.PackageScope
 import groovy.util.logging.Slf4j
 import pl.touk.mockserver.api.common.Https
 
+import javax.net.ssl.KeyManager
 import javax.net.ssl.KeyManagerFactory
 import javax.net.ssl.SSLContext
 import javax.net.ssl.TrustManager
+import javax.net.ssl.TrustManagerFactory
 import java.security.KeyStore
 import java.security.SecureRandom
 import java.util.concurrent.Executor
@@ -36,7 +37,7 @@ class HttpServerWrapper {
     private HttpServer buildServer(InetSocketAddress addr, Https https) {
         if (https) {
             HttpsServer httpsServer = HttpsServer.create(addr, 0)
-            httpsServer.httpsConfigurator = new HttpsConfigurator(buildSslContext(https))
+            httpsServer.httpsConfigurator = new HttpsConfig(buildSslContext(https), https)
             return httpsServer
         } else {
             return HttpServer.create(addr, 0)
@@ -44,14 +45,32 @@ class HttpServerWrapper {
     }
 
     private SSLContext buildSslContext(Https https) {
+        KeyManager[] keyManagers = buildKeyManager(https)
+        TrustManager[] trustManagers = buildTrustManager(https)
+
+        SSLContext ssl = SSLContext.getInstance('TLSv1')
+        ssl.init(keyManagers, trustManagers, new SecureRandom())
+        return ssl
+    }
+
+    private KeyManager[] buildKeyManager(Https https) {
         KeyStore keyStore = KeyStore.getInstance(KeyStore.defaultType)
         keyStore.load(new FileInputStream(https.keystorePath), https.keystorePassword.toCharArray())
         KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.defaultAlgorithm)
         kmf.init(keyStore, https.keyPassword.toCharArray())
+        return kmf.keyManagers
+    }
 
-        SSLContext ssl = SSLContext.getInstance('TLSv1')
-        ssl.init(kmf.keyManagers, [] as TrustManager[], new SecureRandom())
-        return ssl
+    private TrustManager[] buildTrustManager(Https https) {
+        if (https.requireClientAuth) {
+            KeyStore trustStore = KeyStore.getInstance(KeyStore.defaultType)
+            trustStore.load(new FileInputStream(https.truststorePath), https.truststorePassword.toCharArray())
+            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.defaultAlgorithm)
+            tmf.init(trustStore)
+            return tmf.trustManagers
+        } else {
+            return []
+        }
     }
 
     void createContext(String context, HttpHandler handler) {
diff --git a/mockserver/src/main/groovy/pl/touk/mockserver/server/HttpsConfig.groovy b/mockserver/src/main/groovy/pl/touk/mockserver/server/HttpsConfig.groovy
new file mode 100644
index 0000000..68b5550
--- /dev/null
+++ b/mockserver/src/main/groovy/pl/touk/mockserver/server/HttpsConfig.groovy
@@ -0,0 +1,28 @@
+package pl.touk.mockserver.server
+
+import com.sun.net.httpserver.HttpsConfigurator
+import com.sun.net.httpserver.HttpsParameters
+import groovy.transform.CompileStatic
+import pl.touk.mockserver.api.common.Https
+
+import javax.net.ssl.SSLContext
+import javax.net.ssl.SSLParameters
+
+@CompileStatic
+class HttpsConfig extends HttpsConfigurator {
+    private final Https https
+
+    HttpsConfig(SSLContext sslContext, Https https) {
+        super(sslContext)
+        this.https = https
+    }
+
+    @Override
+    void configure(HttpsParameters httpsParameters) {
+        SSLContext sslContext = getSSLContext()
+        SSLParameters sslParameters = sslContext.defaultSSLParameters
+        sslParameters.needClientAuth = https.requireClientAuth
+        httpsParameters.needClientAuth = https.requireClientAuth
+        httpsParameters.SSLParameters = sslParameters
+    }
+}