author | xuelei |
Tue, 31 Oct 2017 00:54:53 +0000 | |
changeset 48581 | 0786897e86b3 |
parent 47216 | 71c04702a3d5 |
permissions | -rw-r--r-- |
703 | 1 |
/* |
48581 | 2 |
* Copyright (c) 2008, 2017, Oracle and/or its affiliates. All rights reserved. |
703 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
7 |
* published by the Free Software Foundation. |
|
8 |
* |
|
9 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
10 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
11 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
12 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
13 |
* accompanied this code). |
|
14 |
* |
|
15 |
* You should have received a copy of the GNU General Public License version |
|
16 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
17 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
18 |
* |
|
5506 | 19 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
20 |
* or visit www.oracle.com if you need additional information or have any |
|
21 |
* questions. |
|
703 | 22 |
*/ |
23 |
||
14929
59377f4b9919
7109274: Restrict the use of certificates with RSA keys less than 1024 bits
xuelei
parents:
14342
diff
changeset
|
24 |
// SunJSSE does not support dynamic system properties, no way to re-use |
59377f4b9919
7109274: Restrict the use of certificates with RSA keys less than 1024 bits
xuelei
parents:
14342
diff
changeset
|
25 |
// system properties in samevm/agentvm mode. |
59377f4b9919
7109274: Restrict the use of certificates with RSA keys less than 1024 bits
xuelei
parents:
14342
diff
changeset
|
26 |
|
703 | 27 |
/* |
28 |
* @test |
|
29 |
* @bug 6690018 |
|
30 |
* @summary RSAClientKeyExchange NullPointerException |
|
10328 | 31 |
* @run main/othervm RSAExport |
703 | 32 |
*/ |
33 |
||
34 |
/* |
|
35 |
* Certificates and key used in the test. |
|
36 |
* |
|
37 |
* TLS server certificate: |
|
38 |
* server private key: |
|
39 |
* -----BEGIN RSA PRIVATE KEY----- |
|
40 |
* Proc-Type: 4,ENCRYPTED |
|
41 |
* DEK-Info: DES-EDE3-CBC,97EC03A2D031B7BC |
|
42 |
* |
|
43 |
* 22wrD+DPv3VF8xg9xoeBqHzFnOVbTLQgVulzaCECDF4zWdxElYKy4yYyY6dMDehi |
|
44 |
* XT77NTsq1J14zjJHPp2/U6B5OpZxnf97ZSD0ZC9/DDe/2gjW4fY1Lv0TVP0PdXnm |
|
45 |
* cj84RaDiiSk/cERlFzFJ5L8ULMwxdOtYwXwZ4upITw2lT+8zDlBD2i3zZ4TcWrzE |
|
46 |
* /su5Kpu+Mp3wthfGX+ZGga2T/NS8ZCKZE+gJDPKQZ/x34VBw+YANQGyCJPv1iMaE |
|
47 |
* RyagnpApH9OPSrRIp2iR6uWT6836CET2erbfPaC1odyd8IsbnLldVs9CklH7EgXL |
|
48 |
* Nms+DqrQEbNmvMuQYEFyZEHN9D1fGONeacx+cjI85FyMSHSEO65JJmasAxgQe4nF |
|
49 |
* /yVz3rNQ2qAGqBhjsjP/WaXuB2aLZiAli/HjN17EJws= |
|
50 |
* -----END RSA PRIVATE KEY----- |
|
51 |
* |
|
52 |
* -----BEGIN RSA PRIVATE KEY----- |
|
53 |
* MIIBOQIBAAJBALlfGg/5ZweJcW5zqLdnQ2uyircqDDlENKnv9FABOm/j0wnlPHqX |
|
54 |
* CCqFBLoM7tG8ohci1SPy6fLJ5dqLf5FOH2sCAwEAAQJATO0/hpOMgx8xmJGc2Yeb |
|
55 |
* /gyY7kwfyIAajs9Khw0LcDTYTo2EAI+vMmDpU+dvmOCLUqq/Z2tiKJhGyrmcBlxr |
|
56 |
* kQIhAPYkbYovtvWHslxRb78x4eCrn2p1H7iolNKbyepjCI3zAiEAwMufJlLI9Q0O |
|
57 |
* BIr7fPnUhbs9NyMHLIvIQAf/hXYubqkCIGJZR9NxIT+VyrSMbYQNoF0u9fGJfvU/ |
|
58 |
* lsdYLCOVEnP1AiAsSFjUx50K1CXNG1MqYIPU963W1T/Xln+3XV7ue7esiQIgW2Lu |
|
59 |
* xGvz2dAUsGId+Xr2GZXb7ZucY/cPt4o5qdP1m7c= |
|
60 |
* -----END RSA PRIVATE KEY----- |
|
61 |
* |
|
62 |
* Private-Key: (512 bit) |
|
63 |
* modulus: |
|
64 |
* 00:b9:5f:1a:0f:f9:67:07:89:71:6e:73:a8:b7:67: |
|
65 |
* 43:6b:b2:8a:b7:2a:0c:39:44:34:a9:ef:f4:50:01: |
|
66 |
* 3a:6f:e3:d3:09:e5:3c:7a:97:08:2a:85:04:ba:0c: |
|
67 |
* ee:d1:bc:a2:17:22:d5:23:f2:e9:f2:c9:e5:da:8b: |
|
68 |
* 7f:91:4e:1f:6b |
|
69 |
* publicExponent: 65537 (0x10001) |
|
70 |
* privateExponent: |
|
71 |
* 4c:ed:3f:86:93:8c:83:1f:31:98:91:9c:d9:87:9b: |
|
72 |
* fe:0c:98:ee:4c:1f:c8:80:1a:8e:cf:4a:87:0d:0b: |
|
73 |
* 70:34:d8:4e:8d:84:00:8f:af:32:60:e9:53:e7:6f: |
|
74 |
* 98:e0:8b:52:aa:bf:67:6b:62:28:98:46:ca:b9:9c: |
|
75 |
* 06:5c:6b:91 |
|
76 |
* prime1: |
|
77 |
* 00:f6:24:6d:8a:2f:b6:f5:87:b2:5c:51:6f:bf:31: |
|
78 |
* e1:e0:ab:9f:6a:75:1f:b8:a8:94:d2:9b:c9:ea:63: |
|
79 |
* 08:8d:f3 |
|
80 |
* prime2: |
|
81 |
* 00:c0:cb:9f:26:52:c8:f5:0d:0e:04:8a:fb:7c:f9: |
|
82 |
* d4:85:bb:3d:37:23:07:2c:8b:c8:40:07:ff:85:76: |
|
83 |
* 2e:6e:a9 |
|
84 |
* exponent1: |
|
85 |
* 62:59:47:d3:71:21:3f:95:ca:b4:8c:6d:84:0d:a0: |
|
86 |
* 5d:2e:f5:f1:89:7e:f5:3f:96:c7:58:2c:23:95:12: |
|
87 |
* 73:f5 |
|
88 |
* exponent2: |
|
89 |
* 2c:48:58:d4:c7:9d:0a:d4:25:cd:1b:53:2a:60:83: |
|
90 |
* d4:f7:ad:d6:d5:3f:d7:96:7f:b7:5d:5e:ee:7b:b7: |
|
91 |
* ac:89 |
|
92 |
* coefficient: |
|
93 |
* 5b:62:ee:c4:6b:f3:d9:d0:14:b0:62:1d:f9:7a:f6: |
|
94 |
* 19:95:db:ed:9b:9c:63:f7:0f:b7:8a:39:a9:d3:f5: |
|
95 |
* 9b:b7 |
|
96 |
* |
|
97 |
* |
|
98 |
* server certificate: |
|
99 |
* Data: |
|
100 |
* Version: 3 (0x2) |
|
101 |
* Serial Number: 11 (0xb) |
|
102 |
* Signature Algorithm: sha1WithRSAEncryption |
|
103 |
* Issuer: C=US, ST=Some-State, O=Some Org, CN=Someone |
|
104 |
* Validity |
|
105 |
* Not Before: Apr 18 15:07:30 2008 GMT |
|
106 |
* Not After : Jan 4 15:07:30 2028 GMT |
|
107 |
* Subject: C=US, ST=Some-State, O=Some Org, CN=SomeoneExport |
|
108 |
* Subject Public Key Info: |
|
109 |
* Public Key Algorithm: rsaEncryption |
|
110 |
* RSA Public Key: (512 bit) |
|
111 |
* Modulus (512 bit): |
|
112 |
* 00:b9:5f:1a:0f:f9:67:07:89:71:6e:73:a8:b7:67: |
|
113 |
* 43:6b:b2:8a:b7:2a:0c:39:44:34:a9:ef:f4:50:01: |
|
114 |
* 3a:6f:e3:d3:09:e5:3c:7a:97:08:2a:85:04:ba:0c: |
|
115 |
* ee:d1:bc:a2:17:22:d5:23:f2:e9:f2:c9:e5:da:8b: |
|
116 |
* 7f:91:4e:1f:6b |
|
117 |
* Exponent: 65537 (0x10001) |
|
118 |
* X509v3 extensions: |
|
119 |
* X509v3 Basic Constraints: |
|
120 |
* CA:FALSE |
|
121 |
* X509v3 Key Usage: |
|
122 |
* Digital Signature, Non Repudiation, Key Encipherment |
|
123 |
* X509v3 Subject Key Identifier: |
|
124 |
* F1:30:98:BE:7C:AA:F9:B1:91:38:60:AE:13:5F:67:9C:0A:32:9E:31 |
|
125 |
* X509v3 Authority Key Identifier: |
|
126 |
* keyid:B5:32:43:D7:00:24:92:BA:E9:95:E5:F9:A3:64:6C:84:EE:33:2E:15 |
|
127 |
* |
|
128 |
* -----BEGIN CERTIFICATE----- |
|
129 |
* MIICIDCCAYmgAwIBAgIBCzANBgkqhkiG9w0BAQUFADBHMQswCQYDVQQGEwJVUzET |
|
130 |
* MBEGA1UECBMKU29tZS1TdGF0ZTERMA8GA1UEChMIU29tZSBPcmcxEDAOBgNVBAMT |
|
131 |
* B1NvbWVvbmUwHhcNMDgwNDE4MTUwNzMwWhcNMjgwMTA0MTUwNzMwWjBNMQswCQYD |
|
132 |
* VQQGEwJVUzETMBEGA1UECBMKU29tZS1TdGF0ZTERMA8GA1UEChMIU29tZSBPcmcx |
|
133 |
* FjAUBgNVBAMTDVNvbWVvbmVFeHBvcnQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA |
|
134 |
* uV8aD/lnB4lxbnOot2dDa7KKtyoMOUQ0qe/0UAE6b+PTCeU8epcIKoUEugzu0byi |
|
135 |
* FyLVI/Lp8snl2ot/kU4fawIDAQABo1owWDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF |
|
136 |
* 4DAdBgNVHQ4EFgQU8TCYvnyq+bGROGCuE19nnAoynjEwHwYDVR0jBBgwFoAUtTJD |
|
137 |
* 1wAkkrrpleX5o2RshO4zLhUwDQYJKoZIhvcNAQEFBQADgYEAFU+fP9FSTQNVZOhv |
|
138 |
* eJ+zq6wI/biwzTgPbAq3yu2gb5kT85z4nzqBhPd2LWWFXhUW/D8QyNZ54X30y0Ug |
|
139 |
* 3NfUAvOANW7CgUbHBmm77KQiF4nWdh338qqq9HzLGrPqcxX0dmiq2RBVPy9wb2Ea |
|
140 |
* FTZiU2v+9pkoLoSDnCOfPCg/4Q4= |
|
141 |
* -----END CERTIFICATE----- |
|
142 |
* |
|
143 |
* |
|
144 |
* Trusted CA certificate: |
|
145 |
* Certificate: |
|
146 |
* Data: |
|
147 |
* Version: 3 (0x2) |
|
148 |
* Serial Number: 0 (0x0) |
|
149 |
* Signature Algorithm: md5WithRSAEncryption |
|
150 |
* Issuer: C=US, ST=Some-State, O=Some Org, CN=Someone |
|
151 |
* Validity |
|
152 |
* Not Before: Mar 30 11:44:47 2001 GMT |
|
153 |
* Not After : Apr 27 11:44:47 2028 GMT |
|
154 |
* Subject: C=US, ST=Some-State, O=Some Org, CN=Someone |
|
155 |
* Subject Public Key Info: |
|
156 |
* Public Key Algorithm: rsaEncryption |
|
157 |
* RSA Public Key: (1024 bit) |
|
158 |
* Modulus (1024 bit): |
|
159 |
* 00:c1:98:e4:7a:87:53:0f:94:87:dc:da:f3:59:39: |
|
160 |
* 3e:36:95:e8:77:58:ff:46:8a:81:1b:5e:c5:4c:fa: |
|
161 |
* b6:91:19:30:be:5b:ef:4c:aa:84:30:a4:9a:d4:68: |
|
162 |
* af:ef:fa:b4:2c:76:8b:29:33:46:cf:38:74:7c:79: |
|
163 |
* d5:07:a6:43:39:84:52:39:4f:8a:1c:f3:73:19:12: |
|
164 |
* 40:cf:ee:a1:77:43:01:02:be:8d:32:11:28:70:f4: |
|
165 |
* cf:ab:43:75:e4:fb:74:f1:8c:2e:43:24:ba:85:3f: |
|
166 |
* 66:3a:05:ea:f7:ce:5b:97:e2:34:a3:f0:87:f4:f8: |
|
167 |
* d1:59:12:5a:68:b7:78:64:a9 |
|
168 |
* Exponent: 65537 (0x10001) |
|
169 |
* X509v3 extensions: |
|
170 |
* X509v3 Subject Key Identifier: |
|
171 |
* B5:32:43:D7:00:24:92:BA:E9:95:E5:F9:A3:64:6C:84:EE:33:2E:15 |
|
172 |
* X509v3 Authority Key Identifier: |
|
173 |
* keyid:B5:32:43:D7:00:24:92:BA:E9:95:E5:F9:A3:64:6C:84:EE:33:2E:15 |
|
174 |
* DirName:/C=US/ST=Some-State/O=Some Org/CN=Someone |
|
175 |
* serial:00 |
|
176 |
* |
|
177 |
* X509v3 Basic Constraints: |
|
178 |
* CA:TRUE |
|
179 |
* |
|
180 |
* -----BEGIN CERTIFICATE----- |
|
181 |
* MIICpjCCAg+gAwIBAgIBADANBgkqhkiG9w0BAQQFADBHMQswCQYDVQQGEwJVUzET |
|
182 |
* MBEGA1UECBMKU29tZS1TdGF0ZTERMA8GA1UEChMIU29tZSBPcmcxEDAOBgNVBAMT |
|
183 |
* B1NvbWVvbmUwHhcNMDEwMzMwMTE0NDQ3WhcNMjgwNDI3MTE0NDQ3WjBHMQswCQYD |
|
184 |
* VQQGEwJVUzETMBEGA1UECBMKU29tZS1TdGF0ZTERMA8GA1UEChMIU29tZSBPcmcx |
|
185 |
* EDAOBgNVBAMTB1NvbWVvbmUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMGY |
|
186 |
* 5HqHUw+Uh9za81k5PjaV6HdY/0aKgRtexUz6tpEZML5b70yqhDCkmtRor+/6tCx2 |
|
187 |
* iykzRs84dHx51QemQzmEUjlPihzzcxkSQM/uoXdDAQK+jTIRKHD0z6tDdeT7dPGM |
|
188 |
* LkMkuoU/ZjoF6vfOW5fiNKPwh/T40VkSWmi3eGSpAgMBAAGjgaEwgZ4wHQYDVR0O |
|
189 |
* BBYEFLUyQ9cAJJK66ZXl+aNkbITuMy4VMG8GA1UdIwRoMGaAFLUyQ9cAJJK66ZXl |
|
190 |
* +aNkbITuMy4VoUukSTBHMQswCQYDVQQGEwJVUzETMBEGA1UECBMKU29tZS1TdGF0 |
|
191 |
* ZTERMA8GA1UEChMIU29tZSBPcmcxEDAOBgNVBAMTB1NvbWVvbmWCAQAwDAYDVR0T |
|
192 |
* BAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBgQBhf3PX0xWxtaUwZlWCO7GfPwCKgBWr |
|
193 |
* CXqlqjtWHCshaaU7wUsDOwxFDWwKjFrMerQLsLuBlhdXEbNfSPjychkQtfezQHcS |
|
194 |
* q0Atq7+KVSmRbDw6oKVRs5v1BBzLCupy+o16fNz3/hwreAWwQnSMtAh/osNS9w1b |
|
195 |
* QeVWU+JV47H+vg== |
|
196 |
* -----END CERTIFICATE----- |
|
197 |
* |
|
198 |
*/ |
|
199 |
||
200 |
import java.io.*; |
|
201 |
import java.net.*; |
|
14929
59377f4b9919
7109274: Restrict the use of certificates with RSA keys less than 1024 bits
xuelei
parents:
14342
diff
changeset
|
202 |
import java.security.Security; |
703 | 203 |
import java.security.KeyStore; |
204 |
import java.security.KeyFactory; |
|
205 |
import java.security.cert.Certificate; |
|
206 |
import java.security.cert.CertificateFactory; |
|
207 |
import java.security.spec.*; |
|
208 |
import java.security.interfaces.*; |
|
209 |
import javax.net.ssl.*; |
|
210 |
import java.math.BigInteger; |
|
211 |
||
212 |
public class RSAExport { |
|
213 |
||
214 |
/* |
|
215 |
* ============================================================= |
|
216 |
* Set the various variables needed for the tests, then |
|
217 |
* specify what tests to run on each side. |
|
218 |
*/ |
|
219 |
||
220 |
||
221 |
/* |
|
222 |
* Should we run the client or server in a separate thread? |
|
223 |
* Both sides can throw exceptions, but do you have a preference |
|
224 |
* as to which side should be the main thread. |
|
225 |
*/ |
|
226 |
static boolean separateServerThread = true; |
|
227 |
||
228 |
/* |
|
229 |
* Where do we find the keystores? |
|
230 |
*/ |
|
231 |
static String trusedCertStr = |
|
232 |
"-----BEGIN CERTIFICATE-----\n" + |
|
233 |
"MIICpjCCAg+gAwIBAgIBADANBgkqhkiG9w0BAQQFADBHMQswCQYDVQQGEwJVUzET\n" + |
|
234 |
"MBEGA1UECBMKU29tZS1TdGF0ZTERMA8GA1UEChMIU29tZSBPcmcxEDAOBgNVBAMT\n" + |
|
235 |
"B1NvbWVvbmUwHhcNMDEwMzMwMTE0NDQ3WhcNMjgwNDI3MTE0NDQ3WjBHMQswCQYD\n" + |
|
236 |
"VQQGEwJVUzETMBEGA1UECBMKU29tZS1TdGF0ZTERMA8GA1UEChMIU29tZSBPcmcx\n" + |
|
237 |
"EDAOBgNVBAMTB1NvbWVvbmUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMGY\n" + |
|
238 |
"5HqHUw+Uh9za81k5PjaV6HdY/0aKgRtexUz6tpEZML5b70yqhDCkmtRor+/6tCx2\n" + |
|
239 |
"iykzRs84dHx51QemQzmEUjlPihzzcxkSQM/uoXdDAQK+jTIRKHD0z6tDdeT7dPGM\n" + |
|
240 |
"LkMkuoU/ZjoF6vfOW5fiNKPwh/T40VkSWmi3eGSpAgMBAAGjgaEwgZ4wHQYDVR0O\n" + |
|
241 |
"BBYEFLUyQ9cAJJK66ZXl+aNkbITuMy4VMG8GA1UdIwRoMGaAFLUyQ9cAJJK66ZXl\n" + |
|
242 |
"+aNkbITuMy4VoUukSTBHMQswCQYDVQQGEwJVUzETMBEGA1UECBMKU29tZS1TdGF0\n" + |
|
243 |
"ZTERMA8GA1UEChMIU29tZSBPcmcxEDAOBgNVBAMTB1NvbWVvbmWCAQAwDAYDVR0T\n" + |
|
244 |
"BAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBgQBhf3PX0xWxtaUwZlWCO7GfPwCKgBWr\n" + |
|
245 |
"CXqlqjtWHCshaaU7wUsDOwxFDWwKjFrMerQLsLuBlhdXEbNfSPjychkQtfezQHcS\n" + |
|
246 |
"q0Atq7+KVSmRbDw6oKVRs5v1BBzLCupy+o16fNz3/hwreAWwQnSMtAh/osNS9w1b\n" + |
|
247 |
"QeVWU+JV47H+vg==\n" + |
|
248 |
"-----END CERTIFICATE-----"; |
|
249 |
||
250 |
static String serverCertStr = |
|
251 |
"-----BEGIN CERTIFICATE-----\n" + |
|
252 |
"MIICIDCCAYmgAwIBAgIBCzANBgkqhkiG9w0BAQUFADBHMQswCQYDVQQGEwJVUzET\n" + |
|
253 |
"MBEGA1UECBMKU29tZS1TdGF0ZTERMA8GA1UEChMIU29tZSBPcmcxEDAOBgNVBAMT\n" + |
|
254 |
"B1NvbWVvbmUwHhcNMDgwNDE4MTUwNzMwWhcNMjgwMTA0MTUwNzMwWjBNMQswCQYD\n" + |
|
255 |
"VQQGEwJVUzETMBEGA1UECBMKU29tZS1TdGF0ZTERMA8GA1UEChMIU29tZSBPcmcx\n" + |
|
256 |
"FjAUBgNVBAMTDVNvbWVvbmVFeHBvcnQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA\n" + |
|
257 |
"uV8aD/lnB4lxbnOot2dDa7KKtyoMOUQ0qe/0UAE6b+PTCeU8epcIKoUEugzu0byi\n" + |
|
258 |
"FyLVI/Lp8snl2ot/kU4fawIDAQABo1owWDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF\n" + |
|
259 |
"4DAdBgNVHQ4EFgQU8TCYvnyq+bGROGCuE19nnAoynjEwHwYDVR0jBBgwFoAUtTJD\n" + |
|
260 |
"1wAkkrrpleX5o2RshO4zLhUwDQYJKoZIhvcNAQEFBQADgYEAFU+fP9FSTQNVZOhv\n" + |
|
261 |
"eJ+zq6wI/biwzTgPbAq3yu2gb5kT85z4nzqBhPd2LWWFXhUW/D8QyNZ54X30y0Ug\n" + |
|
262 |
"3NfUAvOANW7CgUbHBmm77KQiF4nWdh338qqq9HzLGrPqcxX0dmiq2RBVPy9wb2Ea\n" + |
|
263 |
"FTZiU2v+9pkoLoSDnCOfPCg/4Q4=\n" + |
|
264 |
"-----END CERTIFICATE-----"; |
|
265 |
||
266 |
static byte privateExponent[] = { |
|
267 |
(byte)0x4c, (byte)0xed, (byte)0x3f, (byte)0x86, |
|
268 |
(byte)0x93, (byte)0x8c, (byte)0x83, (byte)0x1f, |
|
269 |
(byte)0x31, (byte)0x98, (byte)0x91, (byte)0x9c, |
|
270 |
(byte)0xd9, (byte)0x87, (byte)0x9b, (byte)0xfe, |
|
271 |
(byte)0x0c, (byte)0x98, (byte)0xee, (byte)0x4c, |
|
272 |
(byte)0x1f, (byte)0xc8, (byte)0x80, (byte)0x1a, |
|
273 |
(byte)0x8e, (byte)0xcf, (byte)0x4a, (byte)0x87, |
|
274 |
(byte)0x0d, (byte)0x0b, (byte)0x70, (byte)0x34, |
|
275 |
(byte)0xd8, (byte)0x4e, (byte)0x8d, (byte)0x84, |
|
276 |
(byte)0x00, (byte)0x8f, (byte)0xaf, (byte)0x32, |
|
277 |
(byte)0x60, (byte)0xe9, (byte)0x53, (byte)0xe7, |
|
278 |
(byte)0x6f, (byte)0x98, (byte)0xe0, (byte)0x8b, |
|
279 |
(byte)0x52, (byte)0xaa, (byte)0xbf, (byte)0x67, |
|
280 |
(byte)0x6b, (byte)0x62, (byte)0x28, (byte)0x98, |
|
281 |
(byte)0x46, (byte)0xca, (byte)0xb9, (byte)0x9c, |
|
282 |
(byte)0x06, (byte)0x5c, (byte)0x6b, (byte)0x91 |
|
283 |
}; |
|
284 |
||
285 |
static byte modulus[] = { |
|
286 |
(byte)0x00, |
|
287 |
(byte)0xb9, (byte)0x5f, (byte)0x1a, (byte)0x0f, |
|
288 |
(byte)0xf9, (byte)0x67, (byte)0x07, (byte)0x89, |
|
289 |
(byte)0x71, (byte)0x6e, (byte)0x73, (byte)0xa8, |
|
290 |
(byte)0xb7, (byte)0x67, (byte)0x43, (byte)0x6b, |
|
291 |
(byte)0xb2, (byte)0x8a, (byte)0xb7, (byte)0x2a, |
|
292 |
(byte)0x0c, (byte)0x39, (byte)0x44, (byte)0x34, |
|
293 |
(byte)0xa9, (byte)0xef, (byte)0xf4, (byte)0x50, |
|
294 |
(byte)0x01, (byte)0x3a, (byte)0x6f, (byte)0xe3, |
|
295 |
(byte)0xd3, (byte)0x09, (byte)0xe5, (byte)0x3c, |
|
296 |
(byte)0x7a, (byte)0x97, (byte)0x08, (byte)0x2a, |
|
297 |
(byte)0x85, (byte)0x04, (byte)0xba, (byte)0x0c, |
|
298 |
(byte)0xee, (byte)0xd1, (byte)0xbc, (byte)0xa2, |
|
299 |
(byte)0x17, (byte)0x22, (byte)0xd5, (byte)0x23, |
|
300 |
(byte)0xf2, (byte)0xe9, (byte)0xf2, (byte)0xc9, |
|
301 |
(byte)0xe5, (byte)0xda, (byte)0x8b, (byte)0x7f, |
|
302 |
(byte)0x91, (byte)0x4e, (byte)0x1f, (byte)0x6b |
|
303 |
}; |
|
304 |
||
305 |
static char passphrase[] = "passphrase".toCharArray(); |
|
306 |
||
307 |
/* |
|
308 |
* Is the server ready to serve? |
|
309 |
*/ |
|
310 |
volatile static boolean serverReady = false; |
|
311 |
||
312 |
/* |
|
313 |
* Turn on SSL debugging? |
|
314 |
*/ |
|
315 |
static boolean debug = false; |
|
316 |
||
317 |
/* |
|
318 |
* If the client or server is doing some kind of object creation |
|
319 |
* that the other side depends on, and that thread prematurely |
|
320 |
* exits, you may experience a hang. The test harness will |
|
321 |
* terminate all hung threads after its timeout has expired, |
|
322 |
* currently 3 minutes by default, but you might try to be |
|
323 |
* smart about it.... |
|
324 |
*/ |
|
325 |
||
326 |
/* |
|
327 |
* Define the server side of the test. |
|
328 |
* |
|
329 |
* If the server prematurely exits, serverReady will be set to true |
|
330 |
* to avoid infinite hangs. |
|
331 |
*/ |
|
332 |
void doServerSide() throws Exception { |
|
333 |
SSLServerSocketFactory sslssf = |
|
334 |
getSSLContext(true).getServerSocketFactory(); |
|
335 |
SSLServerSocket sslServerSocket = |
|
336 |
(SSLServerSocket) sslssf.createServerSocket(serverPort); |
|
337 |
||
338 |
serverPort = sslServerSocket.getLocalPort(); |
|
339 |
||
340 |
/* |
|
341 |
* Signal Client, we're ready for this connect. |
|
342 |
*/ |
|
343 |
serverReady = true; |
|
344 |
||
345 |
// Enable RSA_EXPORT cipher suites only. |
|
346 |
try { |
|
347 |
String enabledSuites[] = { |
|
348 |
"SSL_RSA_EXPORT_WITH_RC4_40_MD5", |
|
349 |
"SSL_RSA_EXPORT_WITH_DES40_CBC_SHA"}; |
|
350 |
sslServerSocket.setEnabledCipherSuites(enabledSuites); |
|
351 |
} catch (IllegalArgumentException iae) { |
|
352 |
// ignore the exception a cipher suite is unsupported. |
|
353 |
} |
|
354 |
||
355 |
SSLSocket sslSocket = (SSLSocket) sslServerSocket.accept(); |
|
356 |
InputStream sslIS = sslSocket.getInputStream(); |
|
357 |
OutputStream sslOS = sslSocket.getOutputStream(); |
|
358 |
||
359 |
sslIS.read(); |
|
360 |
sslOS.write(85); |
|
361 |
sslOS.flush(); |
|
362 |
||
363 |
||
364 |
sslSocket.close(); |
|
365 |
} |
|
366 |
||
367 |
/* |
|
368 |
* Define the client side of the test. |
|
369 |
* |
|
370 |
* If the server prematurely exits, serverReady will be set to true |
|
371 |
* to avoid infinite hangs. |
|
372 |
*/ |
|
373 |
void doClientSide() throws Exception { |
|
374 |
||
375 |
/* |
|
376 |
* Wait for server to get started. |
|
377 |
*/ |
|
378 |
while (!serverReady) { |
|
379 |
Thread.sleep(50); |
|
380 |
} |
|
381 |
||
382 |
SSLSocketFactory sslsf = |
|
383 |
getSSLContext(false).getSocketFactory(); |
|
384 |
SSLSocket sslSocket = (SSLSocket) |
|
385 |
sslsf.createSocket("localhost", serverPort); |
|
386 |
||
387 |
// Enable RSA_EXPORT cipher suites only. |
|
388 |
try { |
|
389 |
String enabledSuites[] = { |
|
390 |
"SSL_RSA_EXPORT_WITH_RC4_40_MD5", |
|
391 |
"SSL_RSA_EXPORT_WITH_DES40_CBC_SHA"}; |
|
392 |
sslSocket.setEnabledCipherSuites(enabledSuites); |
|
393 |
} catch (IllegalArgumentException iae) { |
|
394 |
// ignore the exception a cipher suite is unsupported. |
|
395 |
} |
|
396 |
||
397 |
InputStream sslIS = sslSocket.getInputStream(); |
|
398 |
OutputStream sslOS = sslSocket.getOutputStream(); |
|
399 |
||
400 |
sslOS.write(280); |
|
401 |
sslOS.flush(); |
|
402 |
sslIS.read(); |
|
403 |
||
404 |
sslSocket.close(); |
|
405 |
} |
|
406 |
||
407 |
/* |
|
408 |
* ============================================================= |
|
409 |
* The remainder is just support stuff |
|
410 |
*/ |
|
411 |
||
412 |
// use any free port by default |
|
413 |
volatile int serverPort = 0; |
|
414 |
||
415 |
volatile Exception serverException = null; |
|
416 |
volatile Exception clientException = null; |
|
417 |
||
418 |
public static void main(String[] args) throws Exception { |
|
14929
59377f4b9919
7109274: Restrict the use of certificates with RSA keys less than 1024 bits
xuelei
parents:
14342
diff
changeset
|
419 |
// reset the security property to make sure that the algorithms |
59377f4b9919
7109274: Restrict the use of certificates with RSA keys less than 1024 bits
xuelei
parents:
14342
diff
changeset
|
420 |
// and keys used in this test are not disabled. |
59377f4b9919
7109274: Restrict the use of certificates with RSA keys less than 1024 bits
xuelei
parents:
14342
diff
changeset
|
421 |
Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2"); |
48581 | 422 |
Security.setProperty("jdk.tls.disabledAlgorithms", "MD2"); |
14929
59377f4b9919
7109274: Restrict the use of certificates with RSA keys less than 1024 bits
xuelei
parents:
14342
diff
changeset
|
423 |
|
703 | 424 |
if (debug) |
425 |
System.setProperty("javax.net.debug", "all"); |
|
426 |
||
427 |
/* |
|
428 |
* Start the tests. |
|
429 |
*/ |
|
430 |
new RSAExport(); |
|
431 |
} |
|
432 |
||
433 |
Thread clientThread = null; |
|
434 |
Thread serverThread = null; |
|
435 |
||
436 |
/* |
|
437 |
* Primary constructor, used to drive remainder of the test. |
|
438 |
* |
|
439 |
* Fork off the other side, then do your work. |
|
440 |
*/ |
|
441 |
RSAExport() throws Exception { |
|
442 |
if (separateServerThread) { |
|
443 |
startServer(true); |
|
444 |
startClient(false); |
|
445 |
} else { |
|
446 |
startClient(true); |
|
447 |
startServer(false); |
|
448 |
} |
|
449 |
||
450 |
/* |
|
451 |
* Wait for other side to close down. |
|
452 |
*/ |
|
453 |
if (separateServerThread) { |
|
454 |
serverThread.join(); |
|
455 |
} else { |
|
456 |
clientThread.join(); |
|
457 |
} |
|
458 |
||
459 |
/* |
|
460 |
* When we get here, the test is pretty much over. |
|
461 |
* |
|
462 |
* If the main thread excepted, that propagates back |
|
463 |
* immediately. If the other thread threw an exception, we |
|
464 |
* should report back. |
|
465 |
*/ |
|
466 |
if (serverException != null) |
|
467 |
throw serverException; |
|
468 |
if (clientException != null) |
|
469 |
throw clientException; |
|
470 |
} |
|
471 |
||
472 |
void startServer(boolean newThread) throws Exception { |
|
473 |
if (newThread) { |
|
474 |
serverThread = new Thread() { |
|
475 |
public void run() { |
|
476 |
try { |
|
477 |
doServerSide(); |
|
478 |
} catch (Exception e) { |
|
479 |
/* |
|
480 |
* Our server thread just died. |
|
481 |
* |
|
482 |
* Release the client, if not active already... |
|
483 |
*/ |
|
484 |
System.err.println("Server died..." + e); |
|
485 |
serverReady = true; |
|
486 |
serverException = e; |
|
487 |
} |
|
488 |
} |
|
489 |
}; |
|
490 |
serverThread.start(); |
|
491 |
} else { |
|
492 |
doServerSide(); |
|
493 |
} |
|
494 |
} |
|
495 |
||
496 |
void startClient(boolean newThread) throws Exception { |
|
497 |
if (newThread) { |
|
498 |
clientThread = new Thread() { |
|
499 |
public void run() { |
|
500 |
try { |
|
501 |
doClientSide(); |
|
502 |
} catch (Exception e) { |
|
503 |
/* |
|
504 |
* Our client thread just died. |
|
505 |
*/ |
|
506 |
System.err.println("Client died..."); |
|
507 |
clientException = e; |
|
508 |
} |
|
509 |
} |
|
510 |
}; |
|
511 |
clientThread.start(); |
|
512 |
} else { |
|
513 |
doClientSide(); |
|
514 |
} |
|
515 |
} |
|
516 |
||
517 |
// Get the SSL context |
|
518 |
private SSLContext getSSLContext(boolean authnRequired) throws Exception { |
|
519 |
// generate certificate from cert string |
|
520 |
CertificateFactory cf = CertificateFactory.getInstance("X.509"); |
|
521 |
||
522 |
ByteArrayInputStream is = |
|
523 |
new ByteArrayInputStream(trusedCertStr.getBytes()); |
|
524 |
Certificate trustedCert = cf.generateCertificate(is); |
|
525 |
||
526 |
// create a key store |
|
527 |
KeyStore ks = KeyStore.getInstance("JKS"); |
|
528 |
ks.load(null, null); |
|
529 |
||
530 |
// import the trusted cert |
|
531 |
ks.setCertificateEntry("RSA Export Signer", trustedCert); |
|
532 |
||
533 |
if (authnRequired) { |
|
534 |
// generate the private key. |
|
535 |
RSAPrivateKeySpec priKeySpec = new RSAPrivateKeySpec( |
|
536 |
new BigInteger(modulus), |
|
537 |
new BigInteger(privateExponent)); |
|
538 |
KeyFactory kf = KeyFactory.getInstance("RSA"); |
|
539 |
RSAPrivateKey priKey = |
|
540 |
(RSAPrivateKey)kf.generatePrivate(priKeySpec); |
|
541 |
||
542 |
// generate certificate chain |
|
543 |
is = new ByteArrayInputStream(serverCertStr.getBytes()); |
|
544 |
Certificate serverCert = cf.generateCertificate(is); |
|
545 |
||
546 |
Certificate[] chain = new Certificate[2]; |
|
547 |
chain[0] = serverCert; |
|
548 |
chain[1] = trustedCert; |
|
549 |
||
550 |
// import the key entry. |
|
551 |
ks.setKeyEntry("RSA Export", priKey, passphrase, chain); |
|
552 |
} |
|
553 |
||
554 |
// create SSL context |
|
555 |
TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX"); |
|
556 |
tmf.init(ks); |
|
557 |
||
558 |
SSLContext ctx = SSLContext.getInstance("TLS"); |
|
559 |
if (authnRequired) { |
|
560 |
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509"); |
|
561 |
kmf.init(ks, passphrase); |
|
562 |
||
563 |
ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); |
|
564 |
} else { |
|
565 |
ctx.init(null, tmf.getTrustManagers(), null); |
|
566 |
} |
|
567 |
||
568 |
return ctx; |
|
569 |
} |
|
570 |
||
571 |
} |