test/jdk/javax/net/ssl/Stapling/SSLEngineWithStapling.java
author wetmore
Fri, 11 May 2018 15:53:12 -0700
branchJDK-8145252-TLS13-branch
changeset 56542 56aaa6cb3693
parent 47216 71c04702a3d5
child 56606 0cabcf9cb31b
permissions -rw-r--r--
Initial TLSv1.3 Implementation
/*
 * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */
// SunJSSE does not support dynamic system properties, no way to re-use
// system properties in samevm/agentvm mode.
/*
 * @test
 * @bug 8046321 8153829
 * @summary OCSP Stapling for TLS
 * @library ../../../../java/security/testlibrary
 * @build CertificateBuilder SimpleOCSPServer
 * @run main/othervm SSLEngineWithStapling
 */
/**
 * A SSLEngine usage example which simplifies the presentation
 * by removing the I/O and multi-threading concerns.
 *
 * The test creates two SSLEngines, simulating a client and server.
 * The "transport" layer consists of two byte buffers:  think of them
 * as directly connected pipes.
 *
 * Note, this is a *very* simple example: real code will be much more
 * involved.  For example, different threading and I/O models could be
 * used, transport mechanisms could close unexpectedly, and so on.
 *
 * When this application runs, notice that several messages
 * (wrap/unwrap) pass before any application data is consumed or
 * produced.  (For more information, please see the SSL/TLS
 * specifications.)  There may be several steps for a successful handshake,
 * so it's typical to see the following series of operations:
 *
 *      client          server          message
 *      ======          ======          =======
 *      wrap()          ...             ClientHello
 *      ...             unwrap()        ClientHello
 *      ...             wrap()          ServerHello/Certificate
 *      unwrap()        ...             ServerHello/Certificate
 *      wrap()          ...             ClientKeyExchange
 *      wrap()          ...             ChangeCipherSpec
 *      wrap()          ...             Finished
 *      ...             unwrap()        ClientKeyExchange
 *      ...             unwrap()        ChangeCipherSpec
 *      ...             unwrap()        Finished
 *      ...             wrap()          ChangeCipherSpec
 *      ...             wrap()          Finished
 *      unwrap()        ...             ChangeCipherSpec
 *      unwrap()        ...             Finished
 */
import javax.net.ssl.*;
import javax.net.ssl.SSLEngineResult.*;
import java.io.*;
import java.math.BigInteger;
import java.security.*;
import java.nio.*;
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509Certificate;
import java.security.cert.X509CertSelector;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import sun.security.testlibrary.SimpleOCSPServer;
import sun.security.testlibrary.CertificateBuilder;
public class SSLEngineWithStapling {
    /*
     * Enables logging of the SSLEngine operations (the log(...) calls made
     * from runTest() for each wrap/unwrap result).
     */
    private static final boolean logging = true;

    /*
     * Enables JSSE's low-level debugging output.  When this is true, main()
     * sets the system property javax.net.debug=ssl before anything else
     * runs; the same output can be obtained for any run with
     *
     *     -Djavax.net.debug=all
     *
     * This gives a lot of low-level information about operations underway,
     * including specific handshake messages, and might be best examined
     * after gaining some familiarity with this application.
     */
    private static final boolean debug = false;

    private SSLEngine clientEngine;     // client Engine
    private ByteBuffer clientOut;       // write side of clientEngine
    private ByteBuffer clientIn;        // read side of clientEngine

    private SSLEngine serverEngine;     // server Engine
    private ByteBuffer serverOut;       // write side of serverEngine
    private ByteBuffer serverIn;        // read side of serverEngine

    /*
     * For data transport, this example uses local ByteBuffers.  This
     * isn't really useful, but the purpose of this example is to show
     * SSLEngine concepts, not how to do network transport.  runTest()
     * flips and compacts these buffers around each wrap/unwrap round.
     */
    private ByteBuffer cTOs;            // "reliable" transport client->server
    private ByteBuffer sTOc;            // "reliable" transport server->client

    /*
     * The following is to set up the keystores.  The passphrase protects
     * only key material generated for this test and is not a secret.
     */
    static final String passwd = "passphrase";
    static final String ROOT_ALIAS = "root";
    static final String INT_ALIAS = "intermediate";
    static final String SSL_ALIAS = "ssl";

    // PKI components we will need for this test.  main() expects
    // createPKI() to have filled these in (and started the OCSP
    // responders) before they are used.
    static KeyStore rootKeystore;           // Root CA Keystore
    static KeyStore intKeystore;            // Intermediate CA Keystore
    static KeyStore serverKeystore;         // SSL Server Keystore; main()
                                            // reads the SSL_ALIAS cert from it
    static KeyStore trustStore;             // SSL Client trust store
    static SimpleOCSPServer rootOcsp;       // Root CA OCSP Responder
    static int rootOcspPort;                // Port number for root OCSP
    static SimpleOCSPServer intOcsp;        // Intermediate CA OCSP Responder;
                                            // main() marks the server cert
                                            // REVOKED in its status DB
    static int intOcspPort;                 // Port number for intermed. OCSP
    /*
     * Main entry point for this test.
     */
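    public static void main(String args[]) throws Exception {
        // Build the test PKI, revoke the server certificate in the
        // intermediate CA's OCSP responder, then run a client/server
        // handshake.  The test passes only if the client rejects the
        // handshake with a REVOKED path validation failure, i.e. the
        // revocation status delivered by the stapled OCSP response was
        // actually enforced.
        if (debug) {
            System.setProperty("javax.net.debug", "ssl");
        }

        // Create the PKI we will use for the test and start the OCSP servers
        createPKI();

        // Set the certificate entry in the intermediate OCSP responder
        // with a revocation date of 8 hours ago.  The constructor disables
        // client-side OCSP fetching, so the only way this status can reach
        // the client is via the server's stapled response.
        X509Certificate sslCert =
                (X509Certificate)serverKeystore.getCertificate(SSL_ALIAS);
        Map<BigInteger, SimpleOCSPServer.CertStatusInfo> revInfo =
            new HashMap<>();
        revInfo.put(sslCert.getSerialNumber(),
                new SimpleOCSPServer.CertStatusInfo(
                        SimpleOCSPServer.CertStatus.CERT_STATUS_REVOKED,
                        new Date(System.currentTimeMillis() -
                                TimeUnit.HOURS.toMillis(8))));
        intOcsp.updateStatusDb(revInfo);

        SSLEngineWithStapling test = new SSLEngineWithStapling();
        boolean handshakeFailed = false;
        try {
            test.runTest();
        } catch (Exception e) {
            handshakeFailed = true;
            // Only a client-side REVOKED validation failure counts as a
            // pass; any other exception is unexpected and is rethrown.
            if (!checkClientValidationFailure(e,
                    CertPathValidatorException.BasicReason.REVOKED)) {
                System.out.println("*** Didn't find the exception we wanted");
                throw e;
            }
        }

        // The "no failure" check lives outside the try block so that it
        // cannot be routed through the catch above and silently accepted.
        // A completed handshake with a revoked certificate means the
        // stapled revocation information was not enforced.
        if (!handshakeFailed) {
            throw new RuntimeException("Expected failure due to revocation " +
                    "did not occur");
        }

        System.out.println("Test Passed.");
    }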
    /*
     * Create an initialized SSLContext to use for these tests.
     */
    public SSLEngineWithStapling() throws Exception {
        // Blank out the default JSSE key/trust store properties so that
        // neither engine can fall back to a store other than the ones the
        // test builds itself.
        String[] jsseStoreProps = {
            "javax.net.ssl.keyStore",
            "javax.net.ssl.keyStorePassword",
            "javax.net.ssl.trustStore",
            "javax.net.ssl.trustStorePassword"
        };
        for (String prop : jsseStoreProps) {
            System.setProperty(prop, "");
        }

        // Turn on the status_request extension on both sides and switch
        // off the client's own OCSP fetching.  With ocsp.enable=false the
        // only source of revocation data the client has is the stapled
        // response carried in the handshake, which is what this test must
        // exercise.  Both System.setProperty() and Security.setProperty()
        // change process-wide state that outlives this object, hence the
        // @run main/othervm directive in the test header.
        System.setProperty("jdk.tls.client.enableStatusRequestExtension",
                "true");
        System.setProperty("jdk.tls.server.enableStatusRequestExtension",
                "true");
        Security.setProperty("ocsp.enable", "false");
    }
    /*
     * Run the test.
     *
     * Sit in a tight loop, both engines calling wrap/unwrap regardless
     * of whether data is available or not.  We do this until both engines
     * report back they are closed.
     *
     * The main loop handles all of the I/O phases of the SSLEngine's
     * lifetime:
     *
     *     initial handshaking
     *     application data transfer
     *     engine closing
     *
     * One could easily separate these phases into separate
     * sections of code.
     */
    private void runTest() throws Exception {
        boolean dataDone = false;
        createSSLEngines();
        createBuffers();
        SSLEngineResult clientResult;   // results from client's last operation
        SSLEngineResult serverResult;   // results from server's last operation
        /*
         * Examining the SSLEngineResults could be much more involved,
         * and may alter the overall flow of the application.
         *
         * For example, if we received a BUFFER_OVERFLOW when trying
         * to write to the output pipe, we could reallocate a larger
         * pipe, but instead we wait for the peer to drain it.
         */
        while (!isEngineClosed(clientEngine) ||
                !isEngineClosed(serverEngine)) {
            log("================");
            clientResult = clientEngine.wrap(clientOut, cTOs);
            log("client wrap: ", clientResult);
            runDelegatedTasks(clientResult, clientEngine);
            serverResult = serverEngine.wrap(serverOut, sTOc);
            log("server wrap: ", serverResult);
            runDelegatedTasks(serverResult, serverEngine);
            cTOs.flip();
            sTOc.flip();
            log("----");
            clientResult = clientEngine.unwrap(sTOc, clientIn);
            log("client unwrap: ", clientResult);
            runDelegatedTasks(clientResult, clientEngine);
            serverResult = serverEngine.unwrap(cTOs, serverIn);
            log("server unwrap: ", serverResult);
            runDelegatedTasks(serverResult, serverEngine);
            cTOs.compact();
            sTOc.compact();
            /*
             * After we've transfered all application data between the client
             * and server, we close the clientEngine's outbound stream.
             * This generates a close_notify handshake message, which the
             * server engine receives and responds by closing itself.
             */
            if (!dataDone && (clientOut.limit() == serverIn.position()) &&
                    (serverOut.limit() == clientIn.position())) {
                /*
                 * A sanity check to ensure we got what was sent.
                 */
                checkTransfer(serverOut, clientIn);
                checkTransfer(clientOut, serverIn);
                log("\tClosing clientEngine's *OUTBOUND*...");
                clientEngine.closeOutbound();
                dataDone = true;
            }
        }
    }
    /**
     * Builds the server and client {@link SSLEngine}s for this test from the
     * keystores held in the {@code serverKeystore} and {@code trustStore}
     * fields.
     *
     * <p>The client side is the security-relevant half: its trust manager is
     * initialised from {@link PKIXBuilderParameters} with revocation checking
     * turned on, so the client's PKIX path validation will demand revocation
     * data for the server's chain.  Whether that data comes from the stapled
     * OCSP status or from a direct responder fetch is governed by settings
     * outside this method (presumably the stapling system properties set by
     * the test driver — confirm there).
     *
     * <p>No endpoint identification algorithm is configured in this method;
     * the host/port handed to {@code createSSLEngine} act only as hints.
     * Both contexts are pinned to {@code "TLSv1.2"}.
     *
     * @throws Exception if a factory or context cannot be created or
     *         initialised
     */
    private void createSSLEngines() throws Exception {
        // Server side: PKIX key manager backed by the server keystore, plus a
        // plain PKIX trust manager (unused for auth since client auth is off).
        KeyManagerFactory serverKmf = KeyManagerFactory.getInstance("PKIX");
        serverKmf.init(serverKeystore, passwd.toCharArray());
        TrustManagerFactory serverTmf = TrustManagerFactory.getInstance("PKIX");
        serverTmf.init(trustStore);

        // Client side: PKIX trust manager with revocation checking enabled.
        PKIXBuilderParameters clientPkix =
                new PKIXBuilderParameters(trustStore, new X509CertSelector());
        clientPkix.setRevocationEnabled(true);
        TrustManagerFactory clientTmf = TrustManagerFactory.getInstance("PKIX");
        clientTmf.init(new CertPathTrustManagerParameters(clientPkix));

        // Contexts built from the factories above.
        SSLContext serverCtx = SSLContext.getInstance("TLSv1.2");
        serverCtx.init(serverKmf.getKeyManagers(),
                serverTmf.getTrustManagers(), null);
        SSLContext clientCtx = SSLContext.getInstance("TLSv1.2");
        clientCtx.init(null, clientTmf.getTrustManagers(), null);

        // Server engine: server mode, no client certificate requested.
        serverEngine = serverCtx.createSSLEngine();
        serverEngine.setUseClientMode(false);
        serverEngine.setNeedClientAuth(false);

        // Client engine: client mode, with peer host/port hints.
        clientEngine = clientCtx.createSSLEngine("client", 80);
        clientEngine.setUseClientMode(true);
    }
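    /**
     * Allocates the application and network buffers shared by the two engines.
     *
     * <p>Sizes are taken from the client engine's session; the test assumes
     * the server engine reports the same values.  The application-side input
     * buffers get a little slack beyond the reported maximum so that an
     * {@code unwrap()} following a completed transfer does not report
     * BUFFER_OVERFLOW.  The network buffers are direct and the application
     * buffers heap-allocated — a mix kept from the original tutorial-style
     * code, not a performance choice.
     *
     * <p>The outbound payloads are encoded with an explicit charset rather
     * than the platform default, so the bytes sent do not depend on the
     * JVM's {@code file.encoding}.  The payloads are ASCII, so this produces
     * the same bytes as before on any ASCII-compatible platform charset.
     */
    private void createBuffers() {
        // Extra room added to each application input buffer (see above).
        final int appSlack = 50;

        SSLSession session = clientEngine.getSession();
        int appBufferMax = session.getApplicationBufferSize();
        int netBufferMax = session.getPacketBufferSize();

        clientIn = ByteBuffer.allocate(appBufferMax + appSlack);
        serverIn = ByteBuffer.allocate(appBufferMax + appSlack);

        cTOs = ByteBuffer.allocateDirect(netBufferMax);
        sTOc = ByteBuffer.allocateDirect(netBufferMax);

        clientOut = ByteBuffer.wrap("Hi Server, I'm Client"
                .getBytes(java.nio.charset.StandardCharsets.UTF_8));
        serverOut = ByteBuffer.wrap("Hello Client, I'm Server"
                .getBytes(java.nio.charset.StandardCharsets.UTF_8));
    }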
    /**
     * Runs, on the calling thread, every delegated task the engine has
     * pending when {@code result} reports {@code NEED_TASK}; a no-op for any
     * other handshake status.
     *
     * <p>Delegated tasks typically include the certificate-chain checks, which
     * is where a stapled OCSP response would be evaluated — inferred from the
     * trust manager set-up, not shown here.
     *
     * @param result the most recent wrap/unwrap result for {@code engine}
     * @param engine the engine whose tasks should be drained
     * @throws Exception if the engine still reports {@code NEED_TASK} after
     *         every task returned by {@code getDelegatedTask()} has run
     */
    private static void runDelegatedTasks(SSLEngineResult result,
            SSLEngine engine) throws Exception {
        if (result.getHandshakeStatus() != HandshakeStatus.NEED_TASK) {
            return;
        }
        for (Runnable task = engine.getDelegatedTask(); task != null;
                task = engine.getDelegatedTask()) {
            log("\trunning delegated task...");
            task.run();
        }
        // Once the queue is drained the engine must have moved on.
        HandshakeStatus afterTasks = engine.getHandshakeStatus();
        if (afterTasks == HandshakeStatus.NEED_TASK) {
            throw new Exception(
                    "handshake shouldn't need additional tasks");
        }
        log("\tnew HandshakeStatus: " + afterTasks);
    }
    /**
     * Reports whether both directions of {@code engine} have been shut down.
     *
     * @param engine the engine to inspect
     * @return {@code true} only when the outbound and inbound sides are both
     *         done
     */
    private static boolean isEngineClosed(SSLEngine engine) {
        if (!engine.isOutboundDone()) {
            return false;
        }
        return engine.isInboundDone();
    }
    /**
     * Verifies that the bytes received in {@code b} equal the bytes sent from
     * {@code a}, then resets both buffers so the caller can keep using them.
     *
     * <p>Both buffers are flipped first, so the comparison covers exactly the
     * bytes written so far ({@link ByteBuffer#equals} compares only the
     * remaining elements).  Afterwards the position is moved to the limit and
     * the limit restored to capacity, undoing the flips.
     *
     * @param a the buffer that was sent
     * @param b the buffer that was received
     * @throws Exception if the two buffers differ
     */
    private static void checkTransfer(ByteBuffer a, ByteBuffer b)
            throws Exception {
        a.flip();
        b.flip();

        if (!a.equals(b)) {
            throw new Exception("Data didn't transfer cleanly");
        }
        log("\tData transferred cleanly");

        // Undo the flips: mark everything consumed and reopen up to capacity.
        a.position(a.limit());
        b.position(b.limit());
        a.limit(a.capacity());
        b.limit(b.capacity());
    }
    /*
     * Logging code
     */
    // Cleared by log(String, SSLEngineResult) once the result-format legend
    // has been printed, so the legend appears only once per run.
    private static boolean resultOnce = true;
    /**
     * Logs a wrap/unwrap result in the compact
     * {@code status/handshakeStatus, consumed/produced bytes} form, preceded
     * (the first time only) by a legend explaining that format.  Silent
     * unless {@code logging} is set.
     *
     * @param str    prefix naming the operation, e.g. {@code "client wrap: "}
     * @param result the result to describe
     */
    private static void log(String str, SSLEngineResult result) {
        if (!logging) {
            return;
        }
        if (resultOnce) {
            // Print the legend only the first time a result is logged.
            resultOnce = false;
            System.out.println("The format of the SSLEngineResult is: \n" +
                "\t\"getStatus() / getHandshakeStatus()\" +\n" +
                "\t\"bytesConsumed() / bytesProduced()\"\n");
        }
        HandshakeStatus handshake = result.getHandshakeStatus();
        StringBuilder line = new StringBuilder();
        line.append(str)
            .append(result.getStatus()).append('/').append(handshake)
            .append(", ")
            .append(result.bytesConsumed()).append('/')
            .append(result.bytesProduced())
            .append(" bytes");
        log(line.toString());
        if (handshake == HandshakeStatus.FINISHED) {
            log("\t...ready for application data");
        }
    }
    /**
     * Prints {@code str} to stdout when {@code logging} is enabled; otherwise
     * does nothing.
     *
     * @param str the line to print
     */
    private static void log(String str) {
        if (!logging) {
            return;
        }
        System.out.println(str);
    }
    /**
     * Creates the PKI components necessary for this test, including
     * Root CA, Intermediate CA and SSL server certificates, the keystores
     * for each entity, a client trust store, and starts the OCSP responders.
     */
    private static void createPKI() throws Exception {
        CertificateBuilder cbld = new CertificateBuilder();
        KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
        keyGen.initialize(2048);
        KeyStore.Builder keyStoreBuilder =
                KeyStore.Builder.newInstance("PKCS12", null,
                        new KeyStore.PasswordProtection(passwd.toCharArray()));
        // Generate Root, IntCA, EE keys
        KeyPair rootCaKP = keyGen.genKeyPair();
        log("Generated Root CA KeyPair");
        KeyPair intCaKP = keyGen.genKeyPair();
        log("Generated Intermediate CA KeyPair");
        KeyPair sslKP = keyGen.genKeyPair();
        log("Generated SSL Cert KeyPair");
        // Set up the Root CA Cert
        cbld.setSubjectName("CN=Root CA Cert, O=SomeCompany");
        cbld.setPublicKey(rootCaKP.getPublic());
        cbld.setSerialNumber(new BigInteger("1"));
        // Make a 3 year validity starting from 60 days ago
        long start = System.currentTimeMillis() - TimeUnit.DAYS.toMillis(60);
        long end = start + TimeUnit.DAYS.toMillis(1085);
        cbld.setValidity(new Date(start), new Date(end));
        addCommonExts(cbld, rootCaKP.getPublic(), rootCaKP.getPublic());
        addCommonCAExts(cbld);
        // Make our Root CA Cert!
        X509Certificate rootCert = cbld.build(null, rootCaKP.getPrivate(),
                "SHA256withRSA");
        log("Root CA Created:\n" + certInfo(rootCert));
        // Now build a keystore and add the keys and cert
        rootKeystore = keyStoreBuilder.getKeyStore();
        java.security.cert.Certificate[] rootChain = {rootCert};
        rootKeystore.setKeyEntry(ROOT_ALIAS, rootCaKP.getPrivate(),
                passwd.toCharArray(), rootChain);
        // Now fire up the OCSP responder
        rootOcsp = new SimpleOCSPServer(rootKeystore, passwd, ROOT_ALIAS, null);
        rootOcsp.enableLog(logging);
        rootOcsp.setNextUpdateInterval(3600);
        rootOcsp.start();
        // Wait 5 seconds for server ready
        for (int i = 0; (i < 100 && !rootOcsp.isServerReady()); i++) {
            Thread.sleep(50);
        }
        if (!rootOcsp.isServerReady()) {
            throw new RuntimeException("Server not ready yet");
        }
        rootOcspPort = rootOcsp.getPort();
        String rootRespURI = "http://localhost:" + rootOcspPort;
        log("Root OCSP Responder URI is " + rootRespURI);
        // Now that we have the root keystore and OCSP responder we can
        // create our intermediate CA.
        cbld.reset();
        cbld.setSubjectName("CN=Intermediate CA Cert, O=SomeCompany");
        cbld.setPublicKey(intCaKP.getPublic());
        cbld.setSerialNumber(new BigInteger("100"));
        // Make a 2 year validity starting from 30 days ago
        start = System.currentTimeMillis() - TimeUnit.DAYS.toMillis(30);
        end = start + TimeUnit.DAYS.toMillis(730);
        cbld.setValidity(new Date(start), new Date(end));
        addCommonExts(cbld, intCaKP.getPublic(), rootCaKP.getPublic());
        addCommonCAExts(cbld);
        cbld.addAIAExt(Collections.singletonList(rootRespURI));
        // Make our Intermediate CA Cert!
        X509Certificate intCaCert = cbld.build(rootCert, rootCaKP.getPrivate(),
                "SHA256withRSA");
        log("Intermediate CA Created:\n" + certInfo(intCaCert));
        // Provide intermediate CA cert revocation info to the Root CA
        // OCSP responder.
        Map<BigInteger, SimpleOCSPServer.CertStatusInfo> revInfo =
            new HashMap<>();
        revInfo.put(intCaCert.getSerialNumber(),
                new SimpleOCSPServer.CertStatusInfo(
                        SimpleOCSPServer.CertStatus.CERT_STATUS_GOOD));
        rootOcsp.updateStatusDb(revInfo);
        // Now build a keystore and add the keys, chain and root cert as a TA
        intKeystore = keyStoreBuilder.getKeyStore();
        java.security.cert.Certificate[] intChain = {intCaCert, rootCert};
        intKeystore.setKeyEntry(INT_ALIAS, intCaKP.getPrivate(),
                passwd.toCharArray(), intChain);
        intKeystore.setCertificateEntry(ROOT_ALIAS, rootCert);
        // Now fire up the Intermediate CA OCSP responder
        intOcsp = new SimpleOCSPServer(intKeystore, passwd,
                INT_ALIAS, null);
        intOcsp.enableLog(logging);
        intOcsp.setNextUpdateInterval(3600);
        intOcsp.start();
        // Wait 5 seconds for server ready
        for (int i = 0; (i < 100 && !intOcsp.isServerReady()); i++) {
            Thread.sleep(50);
        }
        if (!intOcsp.isServerReady()) {
            throw new RuntimeException("Server not ready yet");
        }
        intOcspPort = intOcsp.getPort();
        String intCaRespURI = "http://localhost:" + intOcspPort;
        log("Intermediate CA OCSP Responder URI is " + intCaRespURI);
        // Last but not least, let's make our SSLCert and add it to its own
        // Keystore
        cbld.reset();
        cbld.setSubjectName("CN=SSLCertificate, O=SomeCompany");
        cbld.setPublicKey(sslKP.getPublic());
        cbld.setSerialNumber(new BigInteger("4096"));
        // Make a 1 year validity starting from 7 days ago
        start = System.currentTimeMillis() - TimeUnit.DAYS.toMillis(7);
        end = start + TimeUnit.DAYS.toMillis(365);
        cbld.setValidity(new Date(start), new Date(end));
        // Add extensions
        addCommonExts(cbld, sslKP.getPublic(), intCaKP.getPublic());
        boolean[] kuBits = {true, false, true, false, false, false,
            false, false, false};
        cbld.addKeyUsageExt(kuBits);
        List<String> ekuOids = new ArrayList<>();
        ekuOids.add("1.3.6.1.5.5.7.3.1");
        ekuOids.add("1.3.6.1.5.5.7.3.2");
        cbld.addExtendedKeyUsageExt(ekuOids);
        cbld.addSubjectAltNameDNSExt(Collections.singletonList("localhost"));
        cbld.addAIAExt(Collections.singletonList(intCaRespURI));
        // Make our SSL Server Cert!
        X509Certificate sslCert = cbld.build(intCaCert, intCaKP.getPrivate(),
                "SHA256withRSA");
        log("SSL Certificate Created:\n" + certInfo(sslCert));
        // Provide SSL server cert revocation info to the Intermediate CA
        // OCSP responder.
        revInfo = new HashMap<>();
        revInfo.put(sslCert.getSerialNumber(),
                new SimpleOCSPServer.CertStatusInfo(
                        SimpleOCSPServer.CertStatus.CERT_STATUS_GOOD));
        intOcsp.updateStatusDb(revInfo);
        // Now build a keystore and add the keys, chain and root cert as a TA
        serverKeystore = keyStoreBuilder.getKeyStore();
        java.security.cert.Certificate[] sslChain = {sslCert, intCaCert, rootCert};
        serverKeystore.setKeyEntry(SSL_ALIAS, sslKP.getPrivate(),
                passwd.toCharArray(), sslChain);
        serverKeystore.setCertificateEntry(ROOT_ALIAS, rootCert);
        // And finally a Trust Store for the client
        trustStore = keyStoreBuilder.getKeyStore();
        trustStore.setCertificateEntry(ROOT_ALIAS, rootCert);
    }
    /**
     * Adds the two extensions shared by every certificate this test
     * builds: a Subject Key Identifier for {@code subjKey} and an
     * Authority Key Identifier for {@code authKey}.
     *
     * @param cbld the builder the extensions are added to
     * @param subjKey the public key of the certificate being built
     * @param authKey the public key of the issuing CA
     *
     * @throws IOException propagated from the builder's add*Ext methods
     */
    private static void addCommonExts(CertificateBuilder cbld,
            PublicKey subjKey, PublicKey authKey) throws IOException {
        // SKID before AKID, exactly as before, so the extension order in
        // the resulting certificate is unchanged.
        cbld.addSubjectKeyIdExt(subjKey);
        cbld.addAuthorityKeyIdExt(authKey);
    }
    /**
     * Adds the extensions that mark a certificate as a CA in this test:
     * a Basic Constraints extension plus a Key Usage extension asserting
     * digitalSignature, keyCertSign and cRLSign.
     *
     * @param cbld the builder the extensions are added to
     *
     * @throws IOException propagated from the builder's add*Ext methods
     */
    private static void addCommonCAExts(CertificateBuilder cbld)
            throws IOException {
        // NOTE(review): (true, true, -1) presumably means critical,
        // cA=TRUE and no pathLenConstraint -- confirm against
        // CertificateBuilder.addBasicConstraintsExt.
        cbld.addBasicConstraintsExt(true, true, -1);

        // KeyUsage bit positions follow the RFC 5280 / getKeyUsage()
        // ordering: 0 = digitalSignature, 5 = keyCertSign, 6 = cRLSign.
        // Every other bit (keyEncipherment included) stays clear, which is
        // what you want on a CA key.
        boolean[] caKeyUsage = new boolean[9];
        caKeyUsage[0] = true;   // digitalSignature
        caKeyUsage[5] = true;   // keyCertSign
        caKeyUsage[6] = true;   // cRLSign
        cbld.addKeyUsageExt(caKeyUsage);
    }
    /**
     * Renders the handful of certificate fields worth logging (issuer,
     * subject and serial number) instead of the full {@code toString()}
     * dump.
     *
     * @param cert the certificate to summarize
     *
     * @return a three-line summary, each line terminated by {@code \n}
     */
    private static String certInfo(X509Certificate cert) {
        // Plain concatenation produces the same text as a StringBuilder
        // chain would: every value goes through String.valueOf.
        return "Issuer: " + cert.getIssuerX500Principal() + "\n"
                + "Subject: " + cert.getSubjectX500Principal() + "\n"
                + "Serial: " + cert.getSerialNumber() + "\n";
    }
    /**
     * Checks whether a client-side validation failure happened for the
     * reason the test expects.  The exception arriving here is typically
     * an SSLException, but somewhere down its cause chain there should be
     * a CertPathValidatorException carrying the interesting BasicReason.
     *
     * The reason is pinned on purpose rather than accepting any failure:
     * a handshake that fails for an unrelated reason (expired certificate,
     * name mismatch, ...) must not be mistaken for a successful detection
     * of the revocation status under test.
     *
     * @param e the exception thrown at the top level
     * @param reason the BasicReason the deepest CertPathValidatorException
     *        in the cause chain is expected to carry
     *
     * @return true if a CertPathValidatorException was found and its
     *         reason matches, false otherwise
     */
    static boolean checkClientValidationFailure(Exception e,
            CertPathValidatorException.BasicReason reason) {
        // Walk the whole cause chain without stopping at the first hit:
        // when several CertPathValidatorExceptions are nested, the deepest
        // one is the one that gets inspected.
        CertPathValidatorException deepest = null;
        for (Throwable cause = e; cause != null; cause = cause.getCause()) {
            if (cause instanceof CertPathValidatorException) {
                deepest = (CertPathValidatorException) cause;
            }
        }

        if (deepest == null) {
            // No CPVE anywhere in the chain: the failure was not a
            // certificate path problem at all, so the test cannot pass.
            System.out.println("Failed to find an expected CPVE");
            return false;
        }

        if (deepest.getReason() != reason) {
            System.out.println("CPVE Reason Mismatch: Expected = " +
                    reason + ", Actual = " + deepest.getReason());
            return false;
        }

        return true;
    }
}