author | xuelei |
Mon, 25 Jun 2018 13:41:39 -0700 | |
changeset 50768 | 68fa3d4026ea |
parent 47216 | 71c04702a3d5 |
permissions | -rw-r--r-- |
32032 | 1 |
/* |
44479
9669aa3c7bcb
8161973: PKIXRevocationChecker.getSoftFailExceptions() not working
mullan
parents:
40390
diff
changeset
|
2 |
* Copyright (c) 2015, 2017, Oracle and/or its affiliates. All rights reserved. |
32032 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
7 |
* published by the Free Software Foundation. |
|
8 |
* |
|
9 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
10 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
11 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
12 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
13 |
* accompanied this code). |
|
14 |
* |
|
15 |
* You should have received a copy of the GNU General Public License version |
|
16 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
17 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
18 |
* |
|
19 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
|
20 |
* or visit www.oracle.com if you need additional information or have any |
|
21 |
* questions. |
|
22 |
*/ |
|
23 |
||
24 |
// SunJSSE does not support dynamic system properties, no way to re-use |
|
25 |
// system properties in samevm/agentvm mode. |
|
26 |
||
27 |
/* |
|
28 |
* @test |
|
37309
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
29 |
* @bug 8046321 8153829 |
32032 | 30 |
* @summary OCSP Stapling for TLS |
31 |
* @library ../../../../java/security/testlibrary |
|
32 |
* @build CertificateBuilder SimpleOCSPServer |
|
33 |
* @run main/othervm SSLSocketWithStapling |
|
34 |
*/ |
|
35 |
||
36 |
import java.io.*; |
|
37 |
import java.math.BigInteger; |
|
50768 | 38 |
import java.net.InetAddress; |
39 |
import java.net.Socket; |
|
40 |
import java.net.ServerSocket; |
|
41 |
import java.security.GeneralSecurityException; |
|
32032 | 42 |
import java.security.KeyPair; |
43 |
import java.security.KeyPairGenerator; |
|
44 |
import javax.net.ssl.*; |
|
45 |
import java.security.KeyStore; |
|
46 |
import java.security.PublicKey; |
|
47 |
import java.security.Security; |
|
48 |
import java.security.cert.CertPathValidator; |
|
49 |
import java.security.cert.CertPathValidatorException; |
|
50 |
import java.security.cert.CertPathValidatorException.BasicReason; |
|
51 |
import java.security.cert.Certificate; |
|
52 |
import java.security.cert.PKIXBuilderParameters; |
|
53 |
import java.security.cert.X509CertSelector; |
|
54 |
import java.security.cert.X509Certificate; |
|
55 |
import java.security.cert.PKIXRevocationChecker; |
|
56 |
import java.security.cert.PKIXRevocationChecker.Option; |
|
57 |
import java.util.ArrayList; |
|
58 |
import java.util.Collections; |
|
59 |
import java.util.Date; |
|
60 |
import java.util.EnumSet; |
|
61 |
import java.util.List; |
|
62 |
import java.util.Map; |
|
63 |
import java.util.HashMap; |
|
64 |
import java.util.concurrent.TimeUnit; |
|
65 |
||
66 |
import sun.security.testlibrary.SimpleOCSPServer; |
|
67 |
import sun.security.testlibrary.CertificateBuilder; |
|
68 |
||
69 |
public class SSLSocketWithStapling { |
|
70 |
||
71 |
/* |
|
72 |
* ============================================================= |
|
73 |
* Set the various variables needed for the tests, then |
|
74 |
* specify what tests to run on each side. |
|
75 |
*/ |
|
76 |
||
77 |
// Turn on TLS debugging |
|
50768 | 78 |
static final boolean debug = false; |
32032 | 79 |
|
80 |
/* |
|
81 |
* Should we run the client or server in a separate thread? |
|
82 |
* Both sides can throw exceptions, but do you have a preference |
|
83 |
* as to which side should be the main thread. |
|
84 |
*/ |
|
85 |
static boolean separateServerThread = true; |
|
86 |
Thread clientThread = null; |
|
87 |
Thread serverThread = null; |
|
88 |
||
89 |
static String passwd = "passphrase"; |
|
90 |
static String ROOT_ALIAS = "root"; |
|
91 |
static String INT_ALIAS = "intermediate"; |
|
92 |
static String SSL_ALIAS = "ssl"; |
|
93 |
||
94 |
/* |
|
95 |
* Is the server ready to serve? |
|
96 |
*/ |
|
97 |
volatile static boolean serverReady = false; |
|
98 |
volatile int serverPort = 0; |
|
99 |
||
100 |
volatile Exception serverException = null; |
|
101 |
volatile Exception clientException = null; |
|
102 |
||
103 |
// PKI components we will need for this test |
|
104 |
static KeyStore rootKeystore; // Root CA Keystore |
|
105 |
static KeyStore intKeystore; // Intermediate CA Keystore |
|
106 |
static KeyStore serverKeystore; // SSL Server Keystore |
|
107 |
static KeyStore trustStore; // SSL Client trust store |
|
108 |
static SimpleOCSPServer rootOcsp; // Root CA OCSP Responder |
|
109 |
static int rootOcspPort; // Port number for root OCSP |
|
110 |
static SimpleOCSPServer intOcsp; // Intermediate CA OCSP Responder |
|
111 |
static int intOcspPort; // Port number for intermed. OCSP |
|
112 |
||
50768 | 113 |
// Extra configuration parameters and constants |
114 |
static final String[] TLS13ONLY = new String[] { "TLSv1.3" }; |
|
115 |
static final String[] TLS12MAX = |
|
116 |
new String[] { "TLSv1.2", "TLSv1.1", "TLSv1" }; |
|
117 |
||
32032 | 118 |
/* |
119 |
* If the client or server is doing some kind of object creation |
|
120 |
* that the other side depends on, and that thread prematurely |
|
121 |
* exits, you may experience a hang. The test harness will |
|
122 |
* terminate all hung threads after its timeout has expired, |
|
123 |
* currently 3 minutes by default, but you might try to be |
|
124 |
* smart about it.... |
|
125 |
*/ |
|
126 |
public static void main(String[] args) throws Exception { |
|
127 |
if (debug) { |
|
50768 | 128 |
System.setProperty("javax.net.debug", "ssl:handshake"); |
32032 | 129 |
} |
130 |
||
40390
64541737c7f7
8162484: javax/net/ssl/Stapling/SSLSocketWithStapling.java test fails intermittently with "Address already in use" error
asmotrak
parents:
39317
diff
changeset
|
131 |
try { |
64541737c7f7
8162484: javax/net/ssl/Stapling/SSLSocketWithStapling.java test fails intermittently with "Address already in use" error
asmotrak
parents:
39317
diff
changeset
|
132 |
// Create the PKI we will use for the test and start the OCSP servers |
64541737c7f7
8162484: javax/net/ssl/Stapling/SSLSocketWithStapling.java test fails intermittently with "Address already in use" error
asmotrak
parents:
39317
diff
changeset
|
133 |
createPKI(); |
32032 | 134 |
|
50768 | 135 |
testAllDefault(false); |
136 |
testAllDefault(true); |
|
137 |
testPKIXParametersRevEnabled(false); |
|
138 |
testPKIXParametersRevEnabled(true); |
|
139 |
testRevokedCertificate(false); |
|
140 |
testRevokedCertificate(true); |
|
141 |
testRevokedIntermediate(false); |
|
142 |
testRevokedIntermediate(true); |
|
143 |
testMissingIntermediate(false); |
|
144 |
testMissingIntermediate(true); |
|
145 |
testHardFailFallback(false); |
|
146 |
testHardFailFallback(true); |
|
147 |
testSoftFailFallback(false); |
|
148 |
testSoftFailFallback(true); |
|
149 |
testLatencyNoStaple(false, false); |
|
150 |
testLatencyNoStaple(false, true); |
|
151 |
testLatencyNoStaple(true, false); |
|
152 |
testLatencyNoStaple(true, true); |
|
40390
64541737c7f7
8162484: javax/net/ssl/Stapling/SSLSocketWithStapling.java test fails intermittently with "Address already in use" error
asmotrak
parents:
39317
diff
changeset
|
153 |
} finally { |
64541737c7f7
8162484: javax/net/ssl/Stapling/SSLSocketWithStapling.java test fails intermittently with "Address already in use" error
asmotrak
parents:
39317
diff
changeset
|
154 |
// shut down the OCSP responders before finishing the test |
64541737c7f7
8162484: javax/net/ssl/Stapling/SSLSocketWithStapling.java test fails intermittently with "Address already in use" error
asmotrak
parents:
39317
diff
changeset
|
155 |
intOcsp.stop(); |
64541737c7f7
8162484: javax/net/ssl/Stapling/SSLSocketWithStapling.java test fails intermittently with "Address already in use" error
asmotrak
parents:
39317
diff
changeset
|
156 |
rootOcsp.stop(); |
64541737c7f7
8162484: javax/net/ssl/Stapling/SSLSocketWithStapling.java test fails intermittently with "Address already in use" error
asmotrak
parents:
39317
diff
changeset
|
157 |
} |
32032 | 158 |
} |
159 |
||
160 |
/** |
|
161 |
* Default test using no externally-configured PKIXBuilderParameters |
|
162 |
*/ |
|
50768 | 163 |
static void testAllDefault(boolean isTls13) throws Exception { |
32032 | 164 |
ClientParameters cliParams = new ClientParameters(); |
165 |
ServerParameters servParams = new ServerParameters(); |
|
50768 | 166 |
if (isTls13) { |
167 |
cliParams.protocols = TLS13ONLY; |
|
168 |
servParams.protocols = TLS13ONLY; |
|
169 |
} else { |
|
170 |
cliParams.protocols = TLS12MAX; |
|
171 |
servParams.protocols = TLS12MAX; |
|
172 |
} |
|
32032 | 173 |
serverReady = false; |
174 |
Map<BigInteger, SimpleOCSPServer.CertStatusInfo> revInfo = |
|
175 |
new HashMap<>(); |
|
176 |
||
177 |
// We will prove revocation checking is disabled by marking the SSL |
|
178 |
// certificate as revoked. The test would only pass if revocation |
|
179 |
// checking did not happen. |
|
180 |
X509Certificate sslCert = |
|
181 |
(X509Certificate)serverKeystore.getCertificate(SSL_ALIAS); |
|
182 |
Date fiveMinsAgo = new Date(System.currentTimeMillis() - |
|
183 |
TimeUnit.MINUTES.toMillis(5)); |
|
184 |
revInfo.put(sslCert.getSerialNumber(), |
|
185 |
new SimpleOCSPServer.CertStatusInfo( |
|
186 |
SimpleOCSPServer.CertStatus.CERT_STATUS_REVOKED, |
|
187 |
fiveMinsAgo)); |
|
188 |
intOcsp.updateStatusDb(revInfo); |
|
189 |
||
190 |
System.out.println("======================================="); |
|
191 |
System.out.println("Stapling enabled, default configuration"); |
|
192 |
System.out.println("======================================="); |
|
193 |
||
194 |
SSLSocketWithStapling sslTest = new SSLSocketWithStapling(cliParams, |
|
195 |
servParams); |
|
196 |
TestResult tr = sslTest.getResult(); |
|
197 |
if (tr.clientExc != null) { |
|
198 |
throw tr.clientExc; |
|
199 |
} else if (tr.serverExc != null) { |
|
200 |
throw tr.serverExc; |
|
201 |
} |
|
202 |
||
203 |
// Return the ssl certificate to non-revoked status |
|
204 |
revInfo.put(sslCert.getSerialNumber(), |
|
205 |
new SimpleOCSPServer.CertStatusInfo( |
|
206 |
SimpleOCSPServer.CertStatus.CERT_STATUS_GOOD)); |
|
207 |
intOcsp.updateStatusDb(revInfo); |
|
208 |
||
209 |
System.out.println(" PASS"); |
|
210 |
System.out.println("=======================================\n"); |
|
211 |
} |
|
212 |
||
213 |
/** |
|
214 |
* Do a basic connection using PKIXParameters with revocation checking |
|
215 |
* enabled and client-side OCSP disabled. It will only pass if all |
|
216 |
* stapled responses are present, valid and have a GOOD status. |
|
217 |
*/ |
|
50768 | 218 |
static void testPKIXParametersRevEnabled(boolean isTls13) throws Exception { |
32032 | 219 |
ClientParameters cliParams = new ClientParameters(); |
220 |
ServerParameters servParams = new ServerParameters(); |
|
50768 | 221 |
if (isTls13) { |
222 |
cliParams.protocols = TLS13ONLY; |
|
223 |
servParams.protocols = TLS13ONLY; |
|
224 |
} else { |
|
225 |
cliParams.protocols = TLS12MAX; |
|
226 |
servParams.protocols = TLS12MAX; |
|
227 |
} |
|
32032 | 228 |
serverReady = false; |
229 |
||
230 |
System.out.println("====================================="); |
|
231 |
System.out.println("Stapling enabled, PKIXParameters with"); |
|
232 |
System.out.println("Revocation checking enabled "); |
|
233 |
System.out.println("====================================="); |
|
234 |
||
235 |
cliParams.pkixParams = new PKIXBuilderParameters(trustStore, |
|
236 |
new X509CertSelector()); |
|
237 |
cliParams.pkixParams.setRevocationEnabled(true); |
|
238 |
Security.setProperty("ocsp.enable", "false"); |
|
239 |
||
240 |
SSLSocketWithStapling sslTest = new SSLSocketWithStapling(cliParams, |
|
241 |
servParams); |
|
242 |
TestResult tr = sslTest.getResult(); |
|
243 |
if (tr.clientExc != null) { |
|
244 |
throw tr.clientExc; |
|
245 |
} else if (tr.serverExc != null) { |
|
246 |
throw tr.serverExc; |
|
247 |
} |
|
248 |
||
249 |
System.out.println(" PASS"); |
|
250 |
System.out.println("=====================================\n"); |
|
251 |
} |
|
252 |
||
253 |
/** |
|
254 |
* Perform a test where the certificate is revoked and placed in the |
|
255 |
* TLS handshake. Client-side OCSP is disabled, so this test will only |
|
256 |
* pass if the OCSP response is found, since we will check the |
|
257 |
* CertPathValidatorException reason for revoked status. |
|
258 |
*/ |
|
50768 | 259 |
static void testRevokedCertificate(boolean isTls13) throws Exception { |
32032 | 260 |
ClientParameters cliParams = new ClientParameters(); |
261 |
ServerParameters servParams = new ServerParameters(); |
|
50768 | 262 |
if (isTls13) { |
263 |
cliParams.protocols = TLS13ONLY; |
|
264 |
servParams.protocols = TLS13ONLY; |
|
265 |
} else { |
|
266 |
cliParams.protocols = TLS12MAX; |
|
267 |
servParams.protocols = TLS12MAX; |
|
268 |
} |
|
32032 | 269 |
serverReady = false; |
270 |
Map<BigInteger, SimpleOCSPServer.CertStatusInfo> revInfo = |
|
271 |
new HashMap<>(); |
|
272 |
||
273 |
// We will prove revocation checking is disabled by marking the SSL |
|
274 |
// certificate as revoked. The test would only pass if revocation |
|
275 |
// checking did not happen. |
|
276 |
X509Certificate sslCert = |
|
277 |
(X509Certificate)serverKeystore.getCertificate(SSL_ALIAS); |
|
278 |
Date fiveMinsAgo = new Date(System.currentTimeMillis() - |
|
279 |
TimeUnit.MINUTES.toMillis(5)); |
|
280 |
revInfo.put(sslCert.getSerialNumber(), |
|
281 |
new SimpleOCSPServer.CertStatusInfo( |
|
282 |
SimpleOCSPServer.CertStatus.CERT_STATUS_REVOKED, |
|
283 |
fiveMinsAgo)); |
|
284 |
intOcsp.updateStatusDb(revInfo); |
|
285 |
||
50768 | 286 |
System.out.println("============================================"); |
287 |
System.out.println("Stapling enabled, detect revoked certificate"); |
|
288 |
System.out.println("============================================"); |
|
32032 | 289 |
|
290 |
cliParams.pkixParams = new PKIXBuilderParameters(trustStore, |
|
291 |
new X509CertSelector()); |
|
292 |
cliParams.pkixParams.setRevocationEnabled(true); |
|
293 |
Security.setProperty("ocsp.enable", "false"); |
|
294 |
||
295 |
SSLSocketWithStapling sslTest = new SSLSocketWithStapling(cliParams, |
|
296 |
servParams); |
|
297 |
TestResult tr = sslTest.getResult(); |
|
298 |
if (!checkClientValidationFailure(tr.clientExc, BasicReason.REVOKED)) { |
|
299 |
if (tr.clientExc != null) { |
|
300 |
throw tr.clientExc; |
|
301 |
} else { |
|
302 |
throw new RuntimeException( |
|
303 |
"Expected client failure, but the client succeeded"); |
|
304 |
} |
|
305 |
} |
|
306 |
||
307 |
// Return the ssl certificate to non-revoked status |
|
308 |
revInfo.put(sslCert.getSerialNumber(), |
|
309 |
new SimpleOCSPServer.CertStatusInfo( |
|
310 |
SimpleOCSPServer.CertStatus.CERT_STATUS_GOOD)); |
|
311 |
intOcsp.updateStatusDb(revInfo); |
|
312 |
||
313 |
System.out.println(" PASS"); |
|
314 |
System.out.println("=======================================\n"); |
|
315 |
} |
|
316 |
||
317 |
/** |
|
50768 | 318 |
* Perform a test where the intermediate CA certificate is revoked and |
319 |
* placed in the TLS handshake. Client-side OCSP is disabled, so this |
|
320 |
* test will only pass if the OCSP response for the intermediate CA is |
|
321 |
* found and placed into the CertificateStatus or Certificate message |
|
322 |
* (depending on the protocol version) since we will check |
|
323 |
* the CertPathValidatorException reason for revoked status. |
|
324 |
*/ |
|
325 |
static void testRevokedIntermediate(boolean isTls13) throws Exception { |
|
326 |
ClientParameters cliParams = new ClientParameters(); |
|
327 |
ServerParameters servParams = new ServerParameters(); |
|
328 |
if (isTls13) { |
|
329 |
cliParams.protocols = TLS13ONLY; |
|
330 |
servParams.protocols = TLS13ONLY; |
|
331 |
} else { |
|
332 |
cliParams.protocols = TLS12MAX; |
|
333 |
servParams.protocols = TLS12MAX; |
|
334 |
} |
|
335 |
serverReady = false; |
|
336 |
Map<BigInteger, SimpleOCSPServer.CertStatusInfo> revInfo = |
|
337 |
new HashMap<>(); |
|
338 |
||
339 |
// We will prove revocation checking is disabled by marking the SSL |
|
340 |
// certificate as revoked. The test would only pass if revocation |
|
341 |
// checking did not happen. |
|
342 |
X509Certificate intCACert = |
|
343 |
(X509Certificate)intKeystore.getCertificate(INT_ALIAS); |
|
344 |
Date fiveMinsAgo = new Date(System.currentTimeMillis() - |
|
345 |
TimeUnit.MINUTES.toMillis(5)); |
|
346 |
revInfo.put(intCACert.getSerialNumber(), |
|
347 |
new SimpleOCSPServer.CertStatusInfo( |
|
348 |
SimpleOCSPServer.CertStatus.CERT_STATUS_REVOKED, |
|
349 |
fiveMinsAgo)); |
|
350 |
rootOcsp.updateStatusDb(revInfo); |
|
351 |
||
352 |
System.out.println("==============================================="); |
|
353 |
System.out.println("Stapling enabled, detect revoked CA certificate"); |
|
354 |
System.out.println("==============================================="); |
|
355 |
||
356 |
cliParams.pkixParams = new PKIXBuilderParameters(trustStore, |
|
357 |
new X509CertSelector()); |
|
358 |
cliParams.pkixParams.setRevocationEnabled(true); |
|
359 |
Security.setProperty("ocsp.enable", "false"); |
|
360 |
||
361 |
SSLSocketWithStapling sslTest = new SSLSocketWithStapling(cliParams, |
|
362 |
servParams); |
|
363 |
TestResult tr = sslTest.getResult(); |
|
364 |
if (!checkClientValidationFailure(tr.clientExc, BasicReason.REVOKED)) { |
|
365 |
if (tr.clientExc != null) { |
|
366 |
throw tr.clientExc; |
|
367 |
} else { |
|
368 |
throw new RuntimeException( |
|
369 |
"Expected client failure, but the client succeeded"); |
|
370 |
} |
|
371 |
} |
|
372 |
||
373 |
// Return the ssl certificate to non-revoked status |
|
374 |
revInfo.put(intCACert.getSerialNumber(), |
|
375 |
new SimpleOCSPServer.CertStatusInfo( |
|
376 |
SimpleOCSPServer.CertStatus.CERT_STATUS_GOOD)); |
|
377 |
rootOcsp.updateStatusDb(revInfo); |
|
378 |
||
379 |
System.out.println(" PASS"); |
|
380 |
System.out.println("=======================================\n"); |
|
381 |
} |
|
382 |
||
383 |
/** |
|
384 |
* Test a case where OCSP stapling is attempted, but partially occurs |
|
385 |
* because the root OCSP responder is unreachable. This should use a |
|
386 |
* default hard-fail behavior. |
|
387 |
*/ |
|
388 |
static void testMissingIntermediate(boolean isTls13) throws Exception { |
|
389 |
ClientParameters cliParams = new ClientParameters(); |
|
390 |
ServerParameters servParams = new ServerParameters(); |
|
391 |
if (isTls13) { |
|
392 |
cliParams.protocols = TLS13ONLY; |
|
393 |
servParams.protocols = TLS13ONLY; |
|
394 |
} else { |
|
395 |
cliParams.protocols = TLS12MAX; |
|
396 |
servParams.protocols = TLS12MAX; |
|
397 |
} |
|
398 |
serverReady = false; |
|
399 |
||
400 |
// Make the OCSP responder reject connections |
|
401 |
rootOcsp.rejectConnections(); |
|
402 |
||
403 |
System.out.println("======================================="); |
|
404 |
System.out.println("Stapling enbled in client and server,"); |
|
405 |
System.out.println("but root OCSP responder disabled."); |
|
406 |
System.out.println("PKIXParameters with Revocation checking"); |
|
407 |
System.out.println("enabled."); |
|
408 |
System.out.println("======================================="); |
|
409 |
||
410 |
Security.setProperty("ocsp.enable", "false"); |
|
411 |
cliParams.pkixParams = new PKIXBuilderParameters(trustStore, |
|
412 |
new X509CertSelector()); |
|
413 |
cliParams.pkixParams.setRevocationEnabled(true); |
|
414 |
||
415 |
SSLSocketWithStapling sslTest = new SSLSocketWithStapling(cliParams, |
|
416 |
servParams); |
|
417 |
TestResult tr = sslTest.getResult(); |
|
418 |
if (!checkClientValidationFailure(tr.clientExc, |
|
419 |
BasicReason.UNDETERMINED_REVOCATION_STATUS)) { |
|
420 |
if (tr.clientExc != null) { |
|
421 |
throw tr.clientExc; |
|
422 |
} else { |
|
423 |
throw new RuntimeException( |
|
424 |
"Expected client failure, but the client succeeded"); |
|
425 |
} |
|
426 |
} |
|
427 |
||
428 |
System.out.println(" PASS"); |
|
429 |
System.out.println("=======================================\n"); |
|
430 |
||
431 |
// Make root OCSP responder accept connections |
|
432 |
rootOcsp.acceptConnections(); |
|
433 |
||
434 |
// Wait 5 seconds for server ready |
|
435 |
for (int i = 0; (i < 100 && !rootOcsp.isServerReady()); i++) { |
|
436 |
Thread.sleep(50); |
|
437 |
} |
|
438 |
if (!rootOcsp.isServerReady()) { |
|
439 |
throw new RuntimeException("Root OCSP responder not ready yet"); |
|
440 |
} |
|
441 |
} |
|
442 |
||
443 |
/** |
|
32032 | 444 |
* Test a case where client-side stapling is attempted, but does not |
445 |
* occur because OCSP responders are unreachable. This should use a |
|
446 |
* default hard-fail behavior. |
|
447 |
*/ |
|
50768 | 448 |
static void testHardFailFallback(boolean isTls13) throws Exception { |
32032 | 449 |
ClientParameters cliParams = new ClientParameters(); |
450 |
ServerParameters servParams = new ServerParameters(); |
|
50768 | 451 |
if (isTls13) { |
452 |
cliParams.protocols = TLS13ONLY; |
|
453 |
servParams.protocols = TLS13ONLY; |
|
454 |
} else { |
|
455 |
cliParams.protocols = TLS12MAX; |
|
456 |
servParams.protocols = TLS12MAX; |
|
457 |
} |
|
32032 | 458 |
serverReady = false; |
459 |
||
40390
64541737c7f7
8162484: javax/net/ssl/Stapling/SSLSocketWithStapling.java test fails intermittently with "Address already in use" error
asmotrak
parents:
39317
diff
changeset
|
460 |
// make OCSP responders reject connections |
64541737c7f7
8162484: javax/net/ssl/Stapling/SSLSocketWithStapling.java test fails intermittently with "Address already in use" error
asmotrak
parents:
39317
diff
changeset
|
461 |
intOcsp.rejectConnections(); |
64541737c7f7
8162484: javax/net/ssl/Stapling/SSLSocketWithStapling.java test fails intermittently with "Address already in use" error
asmotrak
parents:
39317
diff
changeset
|
462 |
rootOcsp.rejectConnections(); |
32032 | 463 |
|
464 |
System.out.println("======================================="); |
|
465 |
System.out.println("Stapling enbled in client and server,"); |
|
466 |
System.out.println("but OCSP responders disabled."); |
|
467 |
System.out.println("PKIXParameters with Revocation checking"); |
|
468 |
System.out.println("enabled."); |
|
469 |
System.out.println("======================================="); |
|
470 |
||
471 |
Security.setProperty("ocsp.enable", "true"); |
|
472 |
cliParams.pkixParams = new PKIXBuilderParameters(trustStore, |
|
473 |
new X509CertSelector()); |
|
474 |
cliParams.pkixParams.setRevocationEnabled(true); |
|
475 |
||
476 |
SSLSocketWithStapling sslTest = new SSLSocketWithStapling(cliParams, |
|
477 |
servParams); |
|
478 |
TestResult tr = sslTest.getResult(); |
|
479 |
if (!checkClientValidationFailure(tr.clientExc, |
|
480 |
BasicReason.UNDETERMINED_REVOCATION_STATUS)) { |
|
481 |
if (tr.clientExc != null) { |
|
482 |
throw tr.clientExc; |
|
483 |
} else { |
|
484 |
throw new RuntimeException( |
|
485 |
"Expected client failure, but the client succeeded"); |
|
486 |
} |
|
487 |
} |
|
488 |
||
489 |
System.out.println(" PASS"); |
|
490 |
System.out.println("=======================================\n"); |
|
491 |
||
40390
64541737c7f7
8162484: javax/net/ssl/Stapling/SSLSocketWithStapling.java test fails intermittently with "Address already in use" error
asmotrak
parents:
39317
diff
changeset
|
492 |
// Make OCSP responders accept connections |
64541737c7f7
8162484: javax/net/ssl/Stapling/SSLSocketWithStapling.java test fails intermittently with "Address already in use" error
asmotrak
parents:
39317
diff
changeset
|
493 |
intOcsp.acceptConnections(); |
64541737c7f7
8162484: javax/net/ssl/Stapling/SSLSocketWithStapling.java test fails intermittently with "Address already in use" error
asmotrak
parents:
39317
diff
changeset
|
494 |
rootOcsp.acceptConnections(); |
37309
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
495 |
|
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
496 |
// Wait 5 seconds for server ready |
50768 | 497 |
for (int i = 0; (i < 100 && (!intOcsp.isServerReady() || |
498 |
!rootOcsp.isServerReady())); i++) { |
|
37309
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
499 |
Thread.sleep(50); |
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
500 |
} |
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
501 |
if (!intOcsp.isServerReady() || !rootOcsp.isServerReady()) { |
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
502 |
throw new RuntimeException("Server not ready yet"); |
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
503 |
} |
32032 | 504 |
} |
505 |
||
506 |
/** |
|
507 |
* Test a case where client-side stapling is attempted, but does not |
|
508 |
* occur because OCSP responders are unreachable. Client-side OCSP |
|
509 |
* checking is enabled for this, with SOFT_FAIL. |
|
510 |
*/ |
|
50768 | 511 |
static void testSoftFailFallback(boolean isTls13) throws Exception { |
32032 | 512 |
ClientParameters cliParams = new ClientParameters(); |
513 |
ServerParameters servParams = new ServerParameters(); |
|
50768 | 514 |
if (isTls13) { |
515 |
cliParams.protocols = TLS13ONLY; |
|
516 |
servParams.protocols = TLS13ONLY; |
|
517 |
} else { |
|
518 |
cliParams.protocols = TLS12MAX; |
|
519 |
servParams.protocols = TLS12MAX; |
|
520 |
} |
|
32032 | 521 |
serverReady = false; |
522 |
||
40390
64541737c7f7
8162484: javax/net/ssl/Stapling/SSLSocketWithStapling.java test fails intermittently with "Address already in use" error
asmotrak
parents:
39317
diff
changeset
|
523 |
// make OCSP responders reject connections |
64541737c7f7
8162484: javax/net/ssl/Stapling/SSLSocketWithStapling.java test fails intermittently with "Address already in use" error
asmotrak
parents:
39317
diff
changeset
|
524 |
intOcsp.rejectConnections(); |
64541737c7f7
8162484: javax/net/ssl/Stapling/SSLSocketWithStapling.java test fails intermittently with "Address already in use" error
asmotrak
parents:
39317
diff
changeset
|
525 |
rootOcsp.rejectConnections(); |
32032 | 526 |
|
527 |
System.out.println("======================================="); |
|
528 |
System.out.println("Stapling enbled in client and server,"); |
|
529 |
System.out.println("but OCSP responders disabled."); |
|
530 |
System.out.println("PKIXParameters with Revocation checking"); |
|
531 |
System.out.println("enabled and SOFT_FAIL."); |
|
532 |
System.out.println("======================================="); |
|
533 |
||
534 |
Security.setProperty("ocsp.enable", "true"); |
|
535 |
cliParams.pkixParams = new PKIXBuilderParameters(trustStore, |
|
536 |
new X509CertSelector()); |
|
537 |
cliParams.pkixParams.setRevocationEnabled(true); |
|
538 |
CertPathValidator cpv = CertPathValidator.getInstance("PKIX"); |
|
539 |
cliParams.revChecker = |
|
540 |
(PKIXRevocationChecker)cpv.getRevocationChecker(); |
|
541 |
cliParams.revChecker.setOptions(EnumSet.of(Option.SOFT_FAIL)); |
|
542 |
||
543 |
SSLSocketWithStapling sslTest = new SSLSocketWithStapling(cliParams, |
|
544 |
servParams); |
|
545 |
TestResult tr = sslTest.getResult(); |
|
546 |
if (tr.clientExc != null) { |
|
547 |
throw tr.clientExc; |
|
548 |
} else if (tr.serverExc != null) { |
|
549 |
throw tr.serverExc; |
|
550 |
} |
|
551 |
||
44479
9669aa3c7bcb
8161973: PKIXRevocationChecker.getSoftFailExceptions() not working
mullan
parents:
40390
diff
changeset
|
552 |
// make sure getSoftFailExceptions is not empty |
9669aa3c7bcb
8161973: PKIXRevocationChecker.getSoftFailExceptions() not working
mullan
parents:
40390
diff
changeset
|
553 |
if (cliParams.revChecker.getSoftFailExceptions().isEmpty()) { |
9669aa3c7bcb
8161973: PKIXRevocationChecker.getSoftFailExceptions() not working
mullan
parents:
40390
diff
changeset
|
554 |
throw new Exception("No soft fail exceptions"); |
9669aa3c7bcb
8161973: PKIXRevocationChecker.getSoftFailExceptions() not working
mullan
parents:
40390
diff
changeset
|
555 |
} |
9669aa3c7bcb
8161973: PKIXRevocationChecker.getSoftFailExceptions() not working
mullan
parents:
40390
diff
changeset
|
556 |
|
32032 | 557 |
System.out.println(" PASS"); |
558 |
System.out.println("=======================================\n"); |
|
559 |
||
44479
9669aa3c7bcb
8161973: PKIXRevocationChecker.getSoftFailExceptions() not working
mullan
parents:
40390
diff
changeset
|
560 |
|
40390
64541737c7f7
8162484: javax/net/ssl/Stapling/SSLSocketWithStapling.java test fails intermittently with "Address already in use" error
asmotrak
parents:
39317
diff
changeset
|
561 |
// Make OCSP responders accept connections |
64541737c7f7
8162484: javax/net/ssl/Stapling/SSLSocketWithStapling.java test fails intermittently with "Address already in use" error
asmotrak
parents:
39317
diff
changeset
|
562 |
intOcsp.acceptConnections(); |
64541737c7f7
8162484: javax/net/ssl/Stapling/SSLSocketWithStapling.java test fails intermittently with "Address already in use" error
asmotrak
parents:
39317
diff
changeset
|
563 |
rootOcsp.acceptConnections(); |
37309
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
564 |
|
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
565 |
// Wait 5 seconds for server ready |
50768 | 566 |
for (int i = 0; (i < 100 && (!intOcsp.isServerReady() || |
567 |
!rootOcsp.isServerReady())); i++) { |
|
37309
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
568 |
Thread.sleep(50); |
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
569 |
} |
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
570 |
if (!intOcsp.isServerReady() || !rootOcsp.isServerReady()) { |
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
571 |
throw new RuntimeException("Server not ready yet"); |
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
572 |
} |
32032 | 573 |
} |
574 |
||
575 |
/** |
|
576 |
* This test initiates stapling from the client, but the server does not |
|
577 |
* support OCSP stapling for this connection. In this case it happens |
|
578 |
* because the latency of the OCSP responders is longer than the server |
|
579 |
* is willing to wait. To keep the test streamlined, we will set the server |
|
580 |
* latency to a 1 second wait, and set the responder latency to 3 seconds. |
|
581 |
* |
|
582 |
* @param fallback if we allow client-side OCSP fallback, which |
|
583 |
* will change the result from the client failing with CPVE (no fallback) |
|
584 |
* to a pass (fallback active). |
|
585 |
*/ |
|
50768 | 586 |
static void testLatencyNoStaple(Boolean fallback, boolean isTls13) |
587 |
throws Exception { |
|
32032 | 588 |
ClientParameters cliParams = new ClientParameters(); |
589 |
ServerParameters servParams = new ServerParameters(); |
|
50768 | 590 |
if (isTls13) { |
591 |
cliParams.protocols = TLS13ONLY; |
|
592 |
servParams.protocols = TLS13ONLY; |
|
593 |
} else { |
|
594 |
cliParams.protocols = TLS12MAX; |
|
595 |
servParams.protocols = TLS12MAX; |
|
596 |
} |
|
32032 | 597 |
serverReady = false; |
598 |
||
40390
64541737c7f7
8162484: javax/net/ssl/Stapling/SSLSocketWithStapling.java test fails intermittently with "Address already in use" error
asmotrak
parents:
39317
diff
changeset
|
599 |
// Give a 1 second delay before running the test. |
32032 | 600 |
intOcsp.setDelay(3000); |
601 |
rootOcsp.setDelay(3000); |
|
40390
64541737c7f7
8162484: javax/net/ssl/Stapling/SSLSocketWithStapling.java test fails intermittently with "Address already in use" error
asmotrak
parents:
39317
diff
changeset
|
602 |
Thread.sleep(1000); |
37309
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
603 |
|
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
604 |
// Wait 5 seconds for server ready |
50768 | 605 |
for (int i = 0; (i < 100 && (!intOcsp.isServerReady() || |
606 |
!rootOcsp.isServerReady())); i++) { |
|
37309
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
607 |
Thread.sleep(50); |
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
608 |
} |
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
609 |
if (!intOcsp.isServerReady() || !rootOcsp.isServerReady()) { |
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
610 |
throw new RuntimeException("Server not ready yet"); |
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
611 |
} |
32032 | 612 |
|
613 |
System.out.println("========================================"); |
|
614 |
System.out.println("Stapling enbled in client. Server does"); |
|
615 |
System.out.println("not support stapling due to OCSP latency."); |
|
616 |
System.out.println("PKIXParameters with Revocation checking"); |
|
617 |
System.out.println("enabled, client-side OCSP checking is."); |
|
618 |
System.out.println(fallback ? "enabled" : "disabled"); |
|
619 |
System.out.println("========================================"); |
|
620 |
||
621 |
Security.setProperty("ocsp.enable", fallback.toString()); |
|
622 |
cliParams.pkixParams = new PKIXBuilderParameters(trustStore, |
|
623 |
new X509CertSelector()); |
|
624 |
cliParams.pkixParams.setRevocationEnabled(true); |
|
625 |
servParams.respTimeout = 1000; |
|
626 |
||
627 |
SSLSocketWithStapling sslTest = new SSLSocketWithStapling(cliParams, |
|
628 |
servParams); |
|
629 |
TestResult tr = sslTest.getResult(); |
|
630 |
||
631 |
if (fallback) { |
|
632 |
if (tr.clientExc != null) { |
|
633 |
throw tr.clientExc; |
|
634 |
} else if (tr.serverExc != null) { |
|
635 |
throw tr.serverExc; |
|
636 |
} |
|
637 |
} else { |
|
638 |
if (!checkClientValidationFailure(tr.clientExc, |
|
639 |
BasicReason.UNDETERMINED_REVOCATION_STATUS)) { |
|
640 |
if (tr.clientExc != null) { |
|
641 |
throw tr.clientExc; |
|
642 |
} else { |
|
643 |
throw new RuntimeException( |
|
644 |
"Expected client failure, but the client succeeded"); |
|
645 |
} |
|
646 |
} |
|
647 |
} |
|
648 |
System.out.println(" PASS"); |
|
649 |
System.out.println("========================================\n"); |
|
650 |
||
651 |
// Remove the OCSP responder latency |
|
652 |
intOcsp.setDelay(0); |
|
653 |
rootOcsp.setDelay(0); |
|
40390
64541737c7f7
8162484: javax/net/ssl/Stapling/SSLSocketWithStapling.java test fails intermittently with "Address already in use" error
asmotrak
parents:
39317
diff
changeset
|
654 |
Thread.sleep(1000); |
37309
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
655 |
|
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
656 |
// Wait 5 seconds for server ready |
50768 | 657 |
for (int i = 0; (i < 100 && (!intOcsp.isServerReady() || |
658 |
!rootOcsp.isServerReady())); i++) { |
|
37309
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
659 |
Thread.sleep(50); |
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
660 |
} |
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
661 |
if (!intOcsp.isServerReady() || !rootOcsp.isServerReady()) { |
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
662 |
throw new RuntimeException("Server not ready yet"); |
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
663 |
} |
32032 | 664 |
} |
665 |
||
666 |
/* |
|
667 |
* Define the server side of the test. |
|
668 |
* |
|
669 |
* If the server prematurely exits, serverReady will be set to true |
|
670 |
* to avoid infinite hangs. |
|
671 |
*/ |
|
672 |
void doServerSide(ServerParameters servParams) throws Exception { |
|
673 |
||
674 |
// Selectively enable or disable the feature |
|
675 |
System.setProperty("jdk.tls.server.enableStatusRequestExtension", |
|
676 |
Boolean.toString(servParams.enabled)); |
|
677 |
||
678 |
// Set all the other operating parameters |
|
679 |
System.setProperty("jdk.tls.stapling.cacheSize", |
|
680 |
Integer.toString(servParams.cacheSize)); |
|
681 |
System.setProperty("jdk.tls.stapling.cacheLifetime", |
|
682 |
Integer.toString(servParams.cacheLifetime)); |
|
683 |
System.setProperty("jdk.tls.stapling.responseTimeout", |
|
684 |
Integer.toString(servParams.respTimeout)); |
|
685 |
System.setProperty("jdk.tls.stapling.responderURI", servParams.respUri); |
|
686 |
System.setProperty("jdk.tls.stapling.responderOverride", |
|
687 |
Boolean.toString(servParams.respOverride)); |
|
688 |
System.setProperty("jdk.tls.stapling.ignoreExtensions", |
|
689 |
Boolean.toString(servParams.ignoreExts)); |
|
690 |
||
691 |
// Set keystores and trust stores for the server |
|
692 |
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509"); |
|
693 |
kmf.init(serverKeystore, passwd.toCharArray()); |
|
694 |
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509"); |
|
695 |
tmf.init(trustStore); |
|
696 |
||
697 |
SSLContext sslc = SSLContext.getInstance("TLS"); |
|
698 |
sslc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); |
|
699 |
||
50768 | 700 |
SSLServerSocketFactory sslssf = new CustomizedServerSocketFactory(sslc, |
701 |
servParams.protocols, servParams.ciphers); |
|
32032 | 702 |
|
39317
fbda4d400372
8143302: javax/net/ssl/Stapling/SSLSocketWithStapling.java fails intermittently: Server died
jnimeh
parents:
37309
diff
changeset
|
703 |
try (SSLServerSocket sslServerSocket = |
fbda4d400372
8143302: javax/net/ssl/Stapling/SSLSocketWithStapling.java fails intermittently: Server died
jnimeh
parents:
37309
diff
changeset
|
704 |
(SSLServerSocket) sslssf.createServerSocket(serverPort)) { |
32032 | 705 |
|
39317
fbda4d400372
8143302: javax/net/ssl/Stapling/SSLSocketWithStapling.java fails intermittently: Server died
jnimeh
parents:
37309
diff
changeset
|
706 |
serverPort = sslServerSocket.getLocalPort(); |
fbda4d400372
8143302: javax/net/ssl/Stapling/SSLSocketWithStapling.java fails intermittently: Server died
jnimeh
parents:
37309
diff
changeset
|
707 |
|
fbda4d400372
8143302: javax/net/ssl/Stapling/SSLSocketWithStapling.java fails intermittently: Server died
jnimeh
parents:
37309
diff
changeset
|
708 |
/* |
fbda4d400372
8143302: javax/net/ssl/Stapling/SSLSocketWithStapling.java fails intermittently: Server died
jnimeh
parents:
37309
diff
changeset
|
709 |
* Signal Client, we're ready for his connect. |
fbda4d400372
8143302: javax/net/ssl/Stapling/SSLSocketWithStapling.java fails intermittently: Server died
jnimeh
parents:
37309
diff
changeset
|
710 |
*/ |
fbda4d400372
8143302: javax/net/ssl/Stapling/SSLSocketWithStapling.java fails intermittently: Server died
jnimeh
parents:
37309
diff
changeset
|
711 |
serverReady = true; |
32032 | 712 |
|
39317
fbda4d400372
8143302: javax/net/ssl/Stapling/SSLSocketWithStapling.java fails intermittently: Server died
jnimeh
parents:
37309
diff
changeset
|
713 |
try (SSLSocket sslSocket = (SSLSocket) sslServerSocket.accept(); |
fbda4d400372
8143302: javax/net/ssl/Stapling/SSLSocketWithStapling.java fails intermittently: Server died
jnimeh
parents:
37309
diff
changeset
|
714 |
InputStream sslIS = sslSocket.getInputStream(); |
fbda4d400372
8143302: javax/net/ssl/Stapling/SSLSocketWithStapling.java fails intermittently: Server died
jnimeh
parents:
37309
diff
changeset
|
715 |
OutputStream sslOS = sslSocket.getOutputStream()) { |
fbda4d400372
8143302: javax/net/ssl/Stapling/SSLSocketWithStapling.java fails intermittently: Server died
jnimeh
parents:
37309
diff
changeset
|
716 |
int numberIn = sslIS.read(); |
fbda4d400372
8143302: javax/net/ssl/Stapling/SSLSocketWithStapling.java fails intermittently: Server died
jnimeh
parents:
37309
diff
changeset
|
717 |
int numberSent = 85; |
fbda4d400372
8143302: javax/net/ssl/Stapling/SSLSocketWithStapling.java fails intermittently: Server died
jnimeh
parents:
37309
diff
changeset
|
718 |
log("Server received number: " + numberIn); |
fbda4d400372
8143302: javax/net/ssl/Stapling/SSLSocketWithStapling.java fails intermittently: Server died
jnimeh
parents:
37309
diff
changeset
|
719 |
sslOS.write(numberSent); |
fbda4d400372
8143302: javax/net/ssl/Stapling/SSLSocketWithStapling.java fails intermittently: Server died
jnimeh
parents:
37309
diff
changeset
|
720 |
sslOS.flush(); |
fbda4d400372
8143302: javax/net/ssl/Stapling/SSLSocketWithStapling.java fails intermittently: Server died
jnimeh
parents:
37309
diff
changeset
|
721 |
log("Server sent number: " + numberSent); |
fbda4d400372
8143302: javax/net/ssl/Stapling/SSLSocketWithStapling.java fails intermittently: Server died
jnimeh
parents:
37309
diff
changeset
|
722 |
} |
32032 | 723 |
} |
724 |
} |
|
725 |
||
726 |
/* |
|
727 |
* Define the client side of the test. |
|
728 |
* |
|
729 |
* If the server prematurely exits, serverReady will be set to true |
|
730 |
* to avoid infinite hangs. |
|
731 |
*/ |
|
732 |
void doClientSide(ClientParameters cliParams) throws Exception { |
|
733 |
||
37309
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
734 |
// Wait 5 seconds for server ready |
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
735 |
for (int i = 0; (i < 100 && !serverReady); i++) { |
32032 | 736 |
Thread.sleep(50); |
737 |
} |
|
37309
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
738 |
if (!serverReady) { |
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
739 |
throw new RuntimeException("Server not ready yet"); |
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
740 |
} |
32032 | 741 |
|
742 |
// Selectively enable or disable the feature |
|
743 |
System.setProperty("jdk.tls.client.enableStatusRequestExtension", |
|
744 |
Boolean.toString(cliParams.enabled)); |
|
745 |
||
746 |
// Create the Trust Manager Factory using the PKIX variant |
|
747 |
TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX"); |
|
748 |
||
749 |
// If we have a customized pkixParameters then use it |
|
750 |
if (cliParams.pkixParams != null) { |
|
751 |
// LIf we have a customized PKIXRevocationChecker, add |
|
752 |
// it to the PKIXBuilderParameters. |
|
753 |
if (cliParams.revChecker != null) { |
|
754 |
cliParams.pkixParams.addCertPathChecker(cliParams.revChecker); |
|
755 |
} |
|
756 |
||
757 |
ManagerFactoryParameters trustParams = |
|
758 |
new CertPathTrustManagerParameters(cliParams.pkixParams); |
|
759 |
tmf.init(trustParams); |
|
760 |
} else { |
|
761 |
tmf.init(trustStore); |
|
762 |
} |
|
763 |
||
764 |
SSLContext sslc = SSLContext.getInstance("TLS"); |
|
765 |
sslc.init(null, tmf.getTrustManagers(), null); |
|
766 |
||
50768 | 767 |
SSLSocketFactory sslsf = new CustomizedSocketFactory(sslc, |
768 |
cliParams.protocols, cliParams.ciphers); |
|
32032 | 769 |
try (SSLSocket sslSocket = (SSLSocket)sslsf.createSocket("localhost", |
770 |
serverPort); |
|
771 |
InputStream sslIS = sslSocket.getInputStream(); |
|
772 |
OutputStream sslOS = sslSocket.getOutputStream()) { |
|
773 |
int numberSent = 80; |
|
774 |
sslOS.write(numberSent); |
|
775 |
sslOS.flush(); |
|
776 |
log("Client sent number: " + numberSent); |
|
777 |
int numberIn = sslIS.read(); |
|
778 |
log("Client received number:" + numberIn); |
|
779 |
} |
|
780 |
} |
|
781 |
||
782 |
/* |
|
783 |
* Primary constructor, used to drive remainder of the test. |
|
784 |
* |
|
785 |
* Fork off the other side, then do your work. |
|
786 |
*/ |
|
787 |
SSLSocketWithStapling(ClientParameters cliParams, |
|
788 |
ServerParameters servParams) throws Exception { |
|
789 |
Exception startException = null; |
|
790 |
try { |
|
791 |
if (separateServerThread) { |
|
792 |
startServer(servParams, true); |
|
793 |
startClient(cliParams, false); |
|
794 |
} else { |
|
795 |
startClient(cliParams, true); |
|
796 |
startServer(servParams, false); |
|
797 |
} |
|
798 |
} catch (Exception e) { |
|
799 |
startException = e; |
|
800 |
} |
|
801 |
||
802 |
/* |
|
803 |
* Wait for other side to close down. |
|
804 |
*/ |
|
805 |
if (separateServerThread) { |
|
806 |
if (serverThread != null) { |
|
807 |
serverThread.join(); |
|
808 |
} |
|
809 |
} else { |
|
810 |
if (clientThread != null) { |
|
811 |
clientThread.join(); |
|
812 |
} |
|
813 |
} |
|
814 |
} |
|
815 |
||
816 |
/** |
|
817 |
* Checks a validation failure to see if it failed for the reason we think |
|
818 |
* it should. This comes in as an SSLException of some sort, but it |
|
819 |
* encapsulates a ValidatorException which in turn encapsulates the |
|
820 |
* CertPathValidatorException we are interested in. |
|
821 |
* |
|
822 |
* @param e the exception thrown at the top level |
|
823 |
* @param reason the underlying CertPathValidatorException BasicReason |
|
824 |
* we are expecting it to have. |
|
825 |
* |
|
826 |
* @return true if the reason matches up, false otherwise. |
|
827 |
*/ |
|
828 |
static boolean checkClientValidationFailure(Exception e, |
|
829 |
BasicReason reason) { |
|
830 |
boolean result = false; |
|
831 |
||
832 |
if (e instanceof SSLException) { |
|
833 |
Throwable valExc = e.getCause(); |
|
834 |
if (valExc instanceof sun.security.validator.ValidatorException) { |
|
835 |
Throwable cause = valExc.getCause(); |
|
836 |
if (cause instanceof CertPathValidatorException) { |
|
837 |
CertPathValidatorException cpve = |
|
838 |
(CertPathValidatorException)cause; |
|
839 |
if (cpve.getReason() == reason) { |
|
840 |
result = true; |
|
841 |
} |
|
842 |
} |
|
843 |
} |
|
844 |
} |
|
845 |
return result; |
|
846 |
} |
|
847 |
||
848 |
TestResult getResult() { |
|
849 |
TestResult tr = new TestResult(); |
|
850 |
tr.clientExc = clientException; |
|
851 |
tr.serverExc = serverException; |
|
852 |
return tr; |
|
853 |
} |
|
854 |
||
855 |
void startServer(ServerParameters servParams, boolean newThread) |
|
856 |
throws Exception { |
|
857 |
if (newThread) { |
|
858 |
serverThread = new Thread() { |
|
859 |
public void run() { |
|
860 |
try { |
|
861 |
doServerSide(servParams); |
|
862 |
} catch (Exception e) { |
|
863 |
/* |
|
864 |
* Our server thread just died. |
|
865 |
* |
|
866 |
* Release the client, if not active already... |
|
867 |
*/ |
|
868 |
System.err.println("Server died..."); |
|
40390
64541737c7f7
8162484: javax/net/ssl/Stapling/SSLSocketWithStapling.java test fails intermittently with "Address already in use" error
asmotrak
parents:
39317
diff
changeset
|
869 |
e.printStackTrace(System.err); |
32032 | 870 |
serverReady = true; |
871 |
serverException = e; |
|
872 |
} |
|
873 |
} |
|
874 |
}; |
|
875 |
serverThread.start(); |
|
876 |
} else { |
|
877 |
try { |
|
878 |
doServerSide(servParams); |
|
879 |
} catch (Exception e) { |
|
880 |
serverException = e; |
|
881 |
} finally { |
|
882 |
serverReady = true; |
|
883 |
} |
|
884 |
} |
|
885 |
} |
|
886 |
||
887 |
void startClient(ClientParameters cliParams, boolean newThread) |
|
888 |
throws Exception { |
|
889 |
if (newThread) { |
|
890 |
clientThread = new Thread() { |
|
891 |
public void run() { |
|
892 |
try { |
|
893 |
doClientSide(cliParams); |
|
894 |
} catch (Exception e) { |
|
895 |
/* |
|
896 |
* Our client thread just died. |
|
897 |
*/ |
|
898 |
System.err.println("Client died..."); |
|
899 |
clientException = e; |
|
900 |
} |
|
901 |
} |
|
902 |
}; |
|
903 |
clientThread.start(); |
|
904 |
} else { |
|
905 |
try { |
|
906 |
doClientSide(cliParams); |
|
907 |
} catch (Exception e) { |
|
908 |
clientException = e; |
|
909 |
} |
|
910 |
} |
|
911 |
} |
|
912 |
||
913 |
/** |
|
914 |
* Creates the PKI components necessary for this test, including |
|
915 |
* Root CA, Intermediate CA and SSL server certificates, the keystores |
|
916 |
* for each entity, a client trust store, and starts the OCSP responders. |
|
917 |
*/ |
|
918 |
private static void createPKI() throws Exception { |
|
919 |
CertificateBuilder cbld = new CertificateBuilder(); |
|
920 |
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA"); |
|
921 |
keyGen.initialize(2048); |
|
922 |
KeyStore.Builder keyStoreBuilder = |
|
923 |
KeyStore.Builder.newInstance("PKCS12", null, |
|
924 |
new KeyStore.PasswordProtection(passwd.toCharArray())); |
|
925 |
||
926 |
// Generate Root, IntCA, EE keys |
|
927 |
KeyPair rootCaKP = keyGen.genKeyPair(); |
|
928 |
log("Generated Root CA KeyPair"); |
|
929 |
KeyPair intCaKP = keyGen.genKeyPair(); |
|
930 |
log("Generated Intermediate CA KeyPair"); |
|
931 |
KeyPair sslKP = keyGen.genKeyPair(); |
|
932 |
log("Generated SSL Cert KeyPair"); |
|
933 |
||
934 |
// Set up the Root CA Cert |
|
935 |
cbld.setSubjectName("CN=Root CA Cert, O=SomeCompany"); |
|
936 |
cbld.setPublicKey(rootCaKP.getPublic()); |
|
937 |
cbld.setSerialNumber(new BigInteger("1")); |
|
938 |
// Make a 3 year validity starting from 60 days ago |
|
939 |
long start = System.currentTimeMillis() - TimeUnit.DAYS.toMillis(60); |
|
940 |
long end = start + TimeUnit.DAYS.toMillis(1085); |
|
941 |
cbld.setValidity(new Date(start), new Date(end)); |
|
942 |
addCommonExts(cbld, rootCaKP.getPublic(), rootCaKP.getPublic()); |
|
943 |
addCommonCAExts(cbld); |
|
944 |
// Make our Root CA Cert! |
|
945 |
X509Certificate rootCert = cbld.build(null, rootCaKP.getPrivate(), |
|
946 |
"SHA256withRSA"); |
|
947 |
log("Root CA Created:\n" + certInfo(rootCert)); |
|
948 |
||
949 |
// Now build a keystore and add the keys and cert |
|
950 |
rootKeystore = keyStoreBuilder.getKeyStore(); |
|
951 |
Certificate[] rootChain = {rootCert}; |
|
952 |
rootKeystore.setKeyEntry(ROOT_ALIAS, rootCaKP.getPrivate(), |
|
953 |
passwd.toCharArray(), rootChain); |
|
954 |
||
955 |
// Now fire up the OCSP responder |
|
956 |
rootOcsp = new SimpleOCSPServer(rootKeystore, passwd, ROOT_ALIAS, null); |
|
957 |
rootOcsp.enableLog(debug); |
|
958 |
rootOcsp.setNextUpdateInterval(3600); |
|
959 |
rootOcsp.start(); |
|
37309
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
960 |
|
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
961 |
// Wait 5 seconds for server ready |
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
962 |
for (int i = 0; (i < 100 && !rootOcsp.isServerReady()); i++) { |
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
963 |
Thread.sleep(50); |
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
964 |
} |
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
965 |
if (!rootOcsp.isServerReady()) { |
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
966 |
throw new RuntimeException("Server not ready yet"); |
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
967 |
} |
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
968 |
|
32032 | 969 |
rootOcspPort = rootOcsp.getPort(); |
970 |
String rootRespURI = "http://localhost:" + rootOcspPort; |
|
971 |
log("Root OCSP Responder URI is " + rootRespURI); |
|
972 |
||
973 |
// Now that we have the root keystore and OCSP responder we can |
|
974 |
// create our intermediate CA. |
|
975 |
cbld.reset(); |
|
976 |
cbld.setSubjectName("CN=Intermediate CA Cert, O=SomeCompany"); |
|
977 |
cbld.setPublicKey(intCaKP.getPublic()); |
|
978 |
cbld.setSerialNumber(new BigInteger("100")); |
|
979 |
// Make a 2 year validity starting from 30 days ago |
|
980 |
start = System.currentTimeMillis() - TimeUnit.DAYS.toMillis(30); |
|
981 |
end = start + TimeUnit.DAYS.toMillis(730); |
|
982 |
cbld.setValidity(new Date(start), new Date(end)); |
|
983 |
addCommonExts(cbld, intCaKP.getPublic(), rootCaKP.getPublic()); |
|
984 |
addCommonCAExts(cbld); |
|
985 |
cbld.addAIAExt(Collections.singletonList(rootRespURI)); |
|
986 |
// Make our Intermediate CA Cert! |
|
987 |
X509Certificate intCaCert = cbld.build(rootCert, rootCaKP.getPrivate(), |
|
988 |
"SHA256withRSA"); |
|
989 |
log("Intermediate CA Created:\n" + certInfo(intCaCert)); |
|
990 |
||
991 |
// Provide intermediate CA cert revocation info to the Root CA |
|
992 |
// OCSP responder. |
|
993 |
Map<BigInteger, SimpleOCSPServer.CertStatusInfo> revInfo = |
|
994 |
new HashMap<>(); |
|
995 |
revInfo.put(intCaCert.getSerialNumber(), |
|
996 |
new SimpleOCSPServer.CertStatusInfo( |
|
997 |
SimpleOCSPServer.CertStatus.CERT_STATUS_GOOD)); |
|
998 |
rootOcsp.updateStatusDb(revInfo); |
|
999 |
||
1000 |
// Now build a keystore and add the keys, chain and root cert as a TA |
|
1001 |
intKeystore = keyStoreBuilder.getKeyStore(); |
|
1002 |
Certificate[] intChain = {intCaCert, rootCert}; |
|
1003 |
intKeystore.setKeyEntry(INT_ALIAS, intCaKP.getPrivate(), |
|
1004 |
passwd.toCharArray(), intChain); |
|
1005 |
intKeystore.setCertificateEntry(ROOT_ALIAS, rootCert); |
|
1006 |
||
1007 |
// Now fire up the Intermediate CA OCSP responder |
|
1008 |
intOcsp = new SimpleOCSPServer(intKeystore, passwd, |
|
1009 |
INT_ALIAS, null); |
|
1010 |
intOcsp.enableLog(debug); |
|
1011 |
intOcsp.setNextUpdateInterval(3600); |
|
1012 |
intOcsp.start(); |
|
37309
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
1013 |
|
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
1014 |
// Wait 5 seconds for server ready |
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
1015 |
for (int i = 0; (i < 100 && !intOcsp.isServerReady()); i++) { |
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
1016 |
Thread.sleep(50); |
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
1017 |
} |
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
1018 |
if (!intOcsp.isServerReady()) { |
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
1019 |
throw new RuntimeException("Server not ready yet"); |
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
1020 |
} |
8f530b9d18f4
8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException
rhalade
parents:
32032
diff
changeset
|
1021 |
|
32032 | 1022 |
intOcspPort = intOcsp.getPort(); |
1023 |
String intCaRespURI = "http://localhost:" + intOcspPort; |
|
1024 |
log("Intermediate CA OCSP Responder URI is " + intCaRespURI); |
|
1025 |
||
1026 |
// Last but not least, let's make our SSLCert and add it to its own |
|
1027 |
// Keystore |
|
1028 |
cbld.reset(); |
|
1029 |
cbld.setSubjectName("CN=SSLCertificate, O=SomeCompany"); |
|
1030 |
cbld.setPublicKey(sslKP.getPublic()); |
|
1031 |
cbld.setSerialNumber(new BigInteger("4096")); |
|
1032 |
// Make a 1 year validity starting from 7 days ago |
|
1033 |
start = System.currentTimeMillis() - TimeUnit.DAYS.toMillis(7); |
|
1034 |
end = start + TimeUnit.DAYS.toMillis(365); |
|
1035 |
cbld.setValidity(new Date(start), new Date(end)); |
|
1036 |
||
1037 |
// Add extensions |
|
1038 |
addCommonExts(cbld, sslKP.getPublic(), intCaKP.getPublic()); |
|
1039 |
boolean[] kuBits = {true, false, true, false, false, false, |
|
1040 |
false, false, false}; |
|
1041 |
cbld.addKeyUsageExt(kuBits); |
|
1042 |
List<String> ekuOids = new ArrayList<>(); |
|
1043 |
ekuOids.add("1.3.6.1.5.5.7.3.1"); |
|
1044 |
ekuOids.add("1.3.6.1.5.5.7.3.2"); |
|
1045 |
cbld.addExtendedKeyUsageExt(ekuOids); |
|
1046 |
cbld.addSubjectAltNameDNSExt(Collections.singletonList("localhost")); |
|
1047 |
cbld.addAIAExt(Collections.singletonList(intCaRespURI)); |
|
1048 |
// Make our SSL Server Cert! |
|
1049 |
X509Certificate sslCert = cbld.build(intCaCert, intCaKP.getPrivate(), |
|
1050 |
"SHA256withRSA"); |
|
1051 |
log("SSL Certificate Created:\n" + certInfo(sslCert)); |
|
1052 |
||
1053 |
// Provide SSL server cert revocation info to the Intermeidate CA |
|
1054 |
// OCSP responder. |
|
1055 |
revInfo = new HashMap<>(); |
|
1056 |
revInfo.put(sslCert.getSerialNumber(), |
|
1057 |
new SimpleOCSPServer.CertStatusInfo( |
|
1058 |
SimpleOCSPServer.CertStatus.CERT_STATUS_GOOD)); |
|
1059 |
intOcsp.updateStatusDb(revInfo); |
|
1060 |
||
1061 |
// Now build a keystore and add the keys, chain and root cert as a TA |
|
1062 |
serverKeystore = keyStoreBuilder.getKeyStore(); |
|
1063 |
Certificate[] sslChain = {sslCert, intCaCert, rootCert}; |
|
1064 |
serverKeystore.setKeyEntry(SSL_ALIAS, sslKP.getPrivate(), |
|
1065 |
passwd.toCharArray(), sslChain); |
|
1066 |
serverKeystore.setCertificateEntry(ROOT_ALIAS, rootCert); |
|
1067 |
||
1068 |
// And finally a Trust Store for the client |
|
1069 |
trustStore = keyStoreBuilder.getKeyStore(); |
|
1070 |
trustStore.setCertificateEntry(ROOT_ALIAS, rootCert); |
|
1071 |
} |
|
1072 |
||
1073 |
private static void addCommonExts(CertificateBuilder cbld, |
|
1074 |
PublicKey subjKey, PublicKey authKey) throws IOException { |
|
1075 |
cbld.addSubjectKeyIdExt(subjKey); |
|
1076 |
cbld.addAuthorityKeyIdExt(authKey); |
|
1077 |
} |
|
1078 |
||
1079 |
private static void addCommonCAExts(CertificateBuilder cbld) |
|
1080 |
throws IOException { |
|
1081 |
cbld.addBasicConstraintsExt(true, true, -1); |
|
1082 |
// Set key usage bits for digitalSignature, keyCertSign and cRLSign |
|
1083 |
boolean[] kuBitSettings = {true, false, false, false, false, true, |
|
1084 |
true, false, false}; |
|
1085 |
cbld.addKeyUsageExt(kuBitSettings); |
|
1086 |
} |
|
1087 |
||
1088 |
/** |
|
1089 |
* Helper routine that dumps only a few cert fields rather than |
|
1090 |
* the whole toString() output. |
|
1091 |
* |
|
1092 |
* @param cert an X509Certificate to be displayed |
|
1093 |
* |
|
1094 |
* @return the String output of the issuer, subject and |
|
1095 |
* serial number |
|
1096 |
*/ |
|
1097 |
private static String certInfo(X509Certificate cert) { |
|
1098 |
StringBuilder sb = new StringBuilder(); |
|
1099 |
sb.append("Issuer: ").append(cert.getIssuerX500Principal()). |
|
1100 |
append("\n"); |
|
1101 |
sb.append("Subject: ").append(cert.getSubjectX500Principal()). |
|
1102 |
append("\n"); |
|
1103 |
sb.append("Serial: ").append(cert.getSerialNumber()).append("\n"); |
|
1104 |
return sb.toString(); |
|
1105 |
} |
|
1106 |
||
1107 |
/** |
|
1108 |
* Log a message on stdout |
|
1109 |
* |
|
1110 |
* @param message The message to log |
|
1111 |
*/ |
|
1112 |
private static void log(String message) { |
|
1113 |
if (debug) { |
|
1114 |
System.out.println(message); |
|
1115 |
} |
|
1116 |
} |
|
1117 |
||
1118 |
// The following two classes are Simple nested class to group a handful |
|
1119 |
// of configuration parameters used before starting a client or server. |
|
1120 |
// We'll just access the data members directly for convenience. |
|
1121 |
static class ClientParameters { |
|
1122 |
boolean enabled = true; |
|
1123 |
PKIXBuilderParameters pkixParams = null; |
|
1124 |
PKIXRevocationChecker revChecker = null; |
|
50768 | 1125 |
String[] protocols = null; |
1126 |
String[] ciphers = null; |
|
32032 | 1127 |
|
1128 |
ClientParameters() { } |
|
1129 |
} |
|
1130 |
||
1131 |
static class ServerParameters { |
|
1132 |
boolean enabled = true; |
|
1133 |
int cacheSize = 256; |
|
1134 |
int cacheLifetime = 3600; |
|
1135 |
int respTimeout = 5000; |
|
1136 |
String respUri = ""; |
|
1137 |
boolean respOverride = false; |
|
1138 |
boolean ignoreExts = false; |
|
50768 | 1139 |
String[] protocols = null; |
1140 |
String[] ciphers = null; |
|
32032 | 1141 |
|
1142 |
ServerParameters() { } |
|
1143 |
} |
|
1144 |
||
50768 | 1145 |
static class CustomizedSocketFactory extends SSLSocketFactory { |
1146 |
final SSLContext sslc; |
|
1147 |
final String[] protocols; |
|
1148 |
final String[] cipherSuites; |
|
1149 |
||
1150 |
CustomizedSocketFactory(SSLContext ctx, String[] prots, String[] suites) |
|
1151 |
throws GeneralSecurityException { |
|
1152 |
super(); |
|
1153 |
sslc = (ctx != null) ? ctx : SSLContext.getDefault(); |
|
1154 |
protocols = prots; |
|
1155 |
cipherSuites = suites; |
|
1156 |
||
1157 |
// Create the Trust Manager Factory using the PKIX variant |
|
1158 |
TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX"); |
|
1159 |
} |
|
1160 |
||
1161 |
@Override |
|
1162 |
public Socket createSocket(Socket s, String host, int port, |
|
1163 |
boolean autoClose) throws IOException { |
|
1164 |
Socket sock = sslc.getSocketFactory().createSocket(s, host, port, |
|
1165 |
autoClose); |
|
1166 |
customizeSocket(sock); |
|
1167 |
return sock; |
|
1168 |
} |
|
1169 |
||
1170 |
@Override |
|
1171 |
public Socket createSocket(InetAddress host, int port) |
|
1172 |
throws IOException { |
|
1173 |
Socket sock = sslc.getSocketFactory().createSocket(host, port); |
|
1174 |
customizeSocket(sock); |
|
1175 |
return sock; |
|
1176 |
} |
|
1177 |
||
1178 |
@Override |
|
1179 |
public Socket createSocket(InetAddress host, int port, |
|
1180 |
InetAddress localAddress, int localPort) throws IOException { |
|
1181 |
Socket sock = sslc.getSocketFactory().createSocket(host, port, |
|
1182 |
localAddress, localPort); |
|
1183 |
customizeSocket(sock); |
|
1184 |
return sock; |
|
1185 |
} |
|
1186 |
||
1187 |
@Override |
|
1188 |
public Socket createSocket(String host, int port) |
|
1189 |
throws IOException { |
|
1190 |
Socket sock = sslc.getSocketFactory().createSocket(host, port); |
|
1191 |
customizeSocket(sock); |
|
1192 |
return sock; |
|
1193 |
} |
|
1194 |
||
1195 |
@Override |
|
1196 |
public Socket createSocket(String host, int port, |
|
1197 |
InetAddress localAddress, int localPort) |
|
1198 |
throws IOException { |
|
1199 |
Socket sock = sslc.getSocketFactory().createSocket(host, port, |
|
1200 |
localAddress, localPort); |
|
1201 |
customizeSocket(sock); |
|
1202 |
return sock; |
|
1203 |
} |
|
1204 |
||
1205 |
@Override |
|
1206 |
public String[] getDefaultCipherSuites() { |
|
1207 |
return sslc.getDefaultSSLParameters().getCipherSuites(); |
|
1208 |
} |
|
1209 |
||
1210 |
@Override |
|
1211 |
public String[] getSupportedCipherSuites() { |
|
1212 |
return sslc.getSupportedSSLParameters().getCipherSuites(); |
|
1213 |
} |
|
1214 |
||
1215 |
private void customizeSocket(Socket sock) { |
|
1216 |
if (sock instanceof SSLSocket) { |
|
1217 |
if (protocols != null) { |
|
1218 |
((SSLSocket)sock).setEnabledProtocols(protocols); |
|
1219 |
} |
|
1220 |
if (cipherSuites != null) { |
|
1221 |
((SSLSocket)sock).setEnabledCipherSuites(cipherSuites); |
|
1222 |
} |
|
1223 |
} |
|
1224 |
} |
|
1225 |
} |
|
1226 |
||
1227 |
static class CustomizedServerSocketFactory extends SSLServerSocketFactory { |
|
1228 |
final SSLContext sslc; |
|
1229 |
final String[] protocols; |
|
1230 |
final String[] cipherSuites; |
|
1231 |
||
1232 |
CustomizedServerSocketFactory(SSLContext ctx, String[] prots, String[] suites) |
|
1233 |
throws GeneralSecurityException { |
|
1234 |
super(); |
|
1235 |
sslc = (ctx != null) ? ctx : SSLContext.getDefault(); |
|
1236 |
protocols = prots; |
|
1237 |
cipherSuites = suites; |
|
1238 |
||
1239 |
// Create the Trust Manager Factory using the PKIX variant |
|
1240 |
TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX"); |
|
1241 |
} |
|
1242 |
||
1243 |
@Override |
|
1244 |
public ServerSocket createServerSocket(int port) throws IOException { |
|
1245 |
ServerSocket sock = |
|
1246 |
sslc.getServerSocketFactory().createServerSocket(port); |
|
1247 |
customizeSocket(sock); |
|
1248 |
return sock; |
|
1249 |
} |
|
1250 |
||
1251 |
@Override |
|
1252 |
public ServerSocket createServerSocket(int port, int backlog) |
|
1253 |
throws IOException { |
|
1254 |
ServerSocket sock = |
|
1255 |
sslc.getServerSocketFactory().createServerSocket(port, |
|
1256 |
backlog); |
|
1257 |
customizeSocket(sock); |
|
1258 |
return sock; |
|
1259 |
} |
|
1260 |
||
1261 |
@Override |
|
1262 |
public ServerSocket createServerSocket(int port, int backlog, |
|
1263 |
InetAddress ifAddress) throws IOException { |
|
1264 |
ServerSocket sock = |
|
1265 |
sslc.getServerSocketFactory().createServerSocket(port, |
|
1266 |
backlog, ifAddress); |
|
1267 |
customizeSocket(sock); |
|
1268 |
return sock; |
|
1269 |
} |
|
1270 |
||
1271 |
@Override |
|
1272 |
public String[] getDefaultCipherSuites() { |
|
1273 |
return sslc.getDefaultSSLParameters().getCipherSuites(); |
|
1274 |
} |
|
1275 |
||
1276 |
@Override |
|
1277 |
public String[] getSupportedCipherSuites() { |
|
1278 |
return sslc.getSupportedSSLParameters().getCipherSuites(); |
|
1279 |
} |
|
1280 |
||
1281 |
private void customizeSocket(ServerSocket sock) { |
|
1282 |
if (sock instanceof SSLServerSocket) { |
|
1283 |
if (protocols != null) { |
|
1284 |
((SSLServerSocket)sock).setEnabledProtocols(protocols); |
|
1285 |
} |
|
1286 |
if (cipherSuites != null) { |
|
1287 |
((SSLServerSocket)sock).setEnabledCipherSuites(cipherSuites); |
|
1288 |
} |
|
1289 |
} |
|
1290 |
} |
|
1291 |
} |
|
1292 |
||
1293 |
||
32032 | 1294 |
static class TestResult { |
1295 |
Exception serverExc = null; |
|
1296 |
Exception clientExc = null; |
|
1297 |
} |
|
1298 |
||
1299 |
} |