jdk-sandbox: test/jdk/sun/security/ssl/Stapling/java.base/sun/security/ssl/StatusResponseManagerTests.java@68fa3d4026ea (annotated)

50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1	/*
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	2	* Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	3	* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	4	*
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	5	* This code is free software; you can redistribute it and/or modify it
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	6	* under the terms of the GNU General Public License version 2 only, as
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	7	* published by the Free Software Foundation.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	8	*
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	9	* This code is distributed in the hope that it will be useful, but WITHOUT
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	10	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	11	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	12	* version 2 for more details (a copy is included in the LICENSE file that
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	13	* accompanied this code).
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	14	*
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	15	* You should have received a copy of the GNU General Public License version
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	16	* 2 along with this work; if not, write to the Free Software Foundation,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	17	* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	18	*
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	19	* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	20	* or visit www.oracle.com if you need additional information or have any
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	21	* questions.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	22	*/
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	23
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	24	package sun.security.ssl;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	25
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	26	import java.io.IOException;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	27	import java.math.BigInteger;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	28	import java.security.cert.*;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	29	import java.util.*;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	30	import java.security.KeyPair;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	31	import java.security.KeyPairGenerator;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	32	import java.security.KeyStore;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	33	import java.security.PublicKey;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	34	import java.util.concurrent.TimeUnit;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	35
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	36	import sun.security.testlibrary.SimpleOCSPServer;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	37	import sun.security.testlibrary.CertificateBuilder;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	38
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	39	import static sun.security.ssl.CertStatusExtension.*;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	40
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	41	/*
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	42	* Checks that the hash value for a certificate's issuer name is generated
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	43	* correctly. Requires any certificate that is not self-signed.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	44	*
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	45	* NOTE: this test uses Sun private classes which are subject to change.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	46	*/
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	47	public class StatusResponseManagerTests {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	48
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	49	private static final boolean debug = true;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	50	private static final boolean ocspDebug = false;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	51
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	52	// PKI components we will need for this test
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	53	static String passwd = "passphrase";
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	54	static String ROOT_ALIAS = "root";
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	55	static String INT_ALIAS = "intermediate";
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	56	static String SSL_ALIAS = "ssl";
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	57	static KeyStore rootKeystore; // Root CA Keystore
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	58	static KeyStore intKeystore; // Intermediate CA Keystore
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	59	static KeyStore serverKeystore; // SSL Server Keystore
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	60	static KeyStore trustStore; // SSL Client trust store
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	61	static X509Certificate rootCert;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	62	static X509Certificate intCert;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	63	static X509Certificate sslCert;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	64	static SimpleOCSPServer rootOcsp; // Root CA OCSP Responder
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	65	static int rootOcspPort; // Port number for root OCSP
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	66	static SimpleOCSPServer intOcsp; // Intermediate CA OCSP Responder
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	67	static int intOcspPort; // Port number for intermed. OCSP
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	68
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	69	static X509Certificate[] chain;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	70
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	71	public static void main(String[] args) throws Exception {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	72	Map<String, TestCase> testList =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	73	new LinkedHashMap<String, TestCase>() {{
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	74	put("Basic OCSP fetch test", testOcspFetch);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	75	put("Clear StatusResponseManager cache", testClearSRM);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	76	put("Basic OCSP_MULTI fetch test", testOcspMultiFetch);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	77	put("Test Cache Expiration", testCacheExpiry);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	78	}};
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	79
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	80	// Create the CAs and OCSP responders
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	81	createPKI();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	82
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	83	// Grab the certificates and make a chain we can reuse for tests
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	84	sslCert = (X509Certificate)serverKeystore.getCertificate(SSL_ALIAS);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	85	intCert = (X509Certificate)intKeystore.getCertificate(INT_ALIAS);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	86	rootCert = (X509Certificate)rootKeystore.getCertificate(ROOT_ALIAS);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	87	chain = new X509Certificate[3];
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	88	chain[0] = sslCert;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	89	chain[1] = intCert;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	90	chain[2] = rootCert;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	91
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	92	runTests(testList);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	93
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	94	intOcsp.stop();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	95	rootOcsp.stop();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	96	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	97
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	98	// Test a simple RFC 6066 server-side fetch
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	99	public static final TestCase testOcspFetch = new TestCase() {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	100	@Override
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	101	public Map.Entry<Boolean, String> runTest() {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	102	StatusResponseManager srm = new StatusResponseManager();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	103	Boolean pass = Boolean.FALSE;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	104	String message = null;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	105	CertStatusRequest oReq = OCSPStatusRequest.EMPTY_OCSP;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	106
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	107	try {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	108	// Get OCSP responses for non-root certs in the chain
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	109	Map<X509Certificate, byte[]> responseMap = srm.get(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	110	CertStatusRequestType.OCSP, oReq, chain, 5000,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	111	TimeUnit.MILLISECONDS);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	112
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	113	// There should be one entry in the returned map and
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	114	// one entry in the cache when the operation is complete.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	115	if (responseMap.size() != 1) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	116	message = "Incorrect number of responses: expected 1, got "
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	117	+ responseMap.size();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	118	} else if (!responseMap.containsKey(sslCert)) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	119	message = "Response map key is incorrect, expected " +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	120	sslCert.getSubjectX500Principal().toString();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	121	} else if (srm.size() != 1) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	122	message = "Incorrect number of cache entries: " +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	123	"expected 1, got " + srm.size();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	124	} else {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	125	pass = Boolean.TRUE;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	126	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	127	} catch (Exception e) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	128	e.printStackTrace(System.out);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	129	message = e.getClass().getName();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	130	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	131
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	132	return new AbstractMap.SimpleEntry<>(pass, message);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	133	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	134	};
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	135
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	136	// Test clearing the StatusResponseManager cache.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	137	public static final TestCase testClearSRM = new TestCase() {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	138	@Override
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	139	public Map.Entry<Boolean, String> runTest() {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	140	StatusResponseManager srm = new StatusResponseManager();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	141	Boolean pass = Boolean.FALSE;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	142	String message = null;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	143	CertStatusRequest oReq = OCSPStatusRequest.EMPTY_OCSP_MULTI;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	144
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	145	try {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	146	// Get OCSP responses for non-root certs in the chain
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	147	srm.get(CertStatusRequestType.OCSP_MULTI, oReq, chain, 5000,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	148	TimeUnit.MILLISECONDS);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	149
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	150	// There should be two entries in the returned map and
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	151	// two entries in the cache when the operation is complete.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	152	if (srm.size() != 2) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	153	message = "Incorrect number of responses: expected 2, got "
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	154	+ srm.size();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	155	} else {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	156	// Next, clear the SRM, then check the size again
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	157	srm.clear();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	158	if (srm.size() != 0) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	159	message = "Incorrect number of responses: expected 0," +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	160	" got " + srm.size();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	161	} else {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	162	pass = Boolean.TRUE;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	163	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	164	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	165	} catch (Exception e) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	166	e.printStackTrace(System.out);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	167	message = e.getClass().getName();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	168	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	169
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	170	return new AbstractMap.SimpleEntry<>(pass, message);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	171	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	172	};
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	173
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	174	// Test a simple RFC 6961 server-side fetch
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	175	public static final TestCase testOcspMultiFetch = new TestCase() {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	176	@Override
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	177	public Map.Entry<Boolean, String> runTest() {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	178	StatusResponseManager srm = new StatusResponseManager();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	179	Boolean pass = Boolean.FALSE;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	180	String message = null;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	181	CertStatusRequest oReq = OCSPStatusRequest.EMPTY_OCSP_MULTI;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	182
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	183	try {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	184	// Get OCSP responses for non-root certs in the chain
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	185	Map<X509Certificate, byte[]> responseMap = srm.get(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	186	CertStatusRequestType.OCSP_MULTI, oReq, chain, 5000,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	187	TimeUnit.MILLISECONDS);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	188
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	189	// There should be two entries in the returned map and
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	190	// two entries in the cache when the operation is complete.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	191	if (responseMap.size() != 2) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	192	message = "Incorrect number of responses: expected 2, got "
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	193	+ responseMap.size();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	194	} else if (!responseMap.containsKey(sslCert) \|\|
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	195	!responseMap.containsKey(intCert)) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	196	message = "Response map keys are incorrect, expected " +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	197	sslCert.getSubjectX500Principal().toString() +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	198	" and " +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	199	intCert.getSubjectX500Principal().toString();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	200	} else if (srm.size() != 2) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	201	message = "Incorrect number of cache entries: " +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	202	"expected 2, got " + srm.size();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	203	} else {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	204	pass = Boolean.TRUE;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	205	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	206	} catch (Exception e) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	207	e.printStackTrace(System.out);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	208	message = e.getClass().getName();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	209	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	210
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	211	return new AbstractMap.SimpleEntry<>(pass, message);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	212	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	213	};
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	214
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	215	// Test cache expiration
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	216	public static final TestCase testCacheExpiry = new TestCase() {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	217	@Override
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	218	public Map.Entry<Boolean, String> runTest() {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	219	// For this test, we will set the cache expiry to 5 seconds
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	220	System.setProperty("jdk.tls.stapling.cacheLifetime", "5");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	221	StatusResponseManager srm = new StatusResponseManager();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	222	Boolean pass = Boolean.FALSE;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	223	String message = null;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	224	CertStatusRequest oReq = OCSPStatusRequest.EMPTY_OCSP_MULTI;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	225
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	226	try {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	227	// Get OCSP responses for non-root certs in the chain
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	228	srm.get(CertStatusRequestType.OCSP_MULTI, oReq, chain, 5000,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	229	TimeUnit.MILLISECONDS);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	230
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	231	// There should be two entries in the returned map and
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	232	// two entries in the cache when the operation is complete.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	233	if (srm.size() != 2) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	234	message = "Incorrect number of responses: expected 2, got "
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	235	+ srm.size();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	236	} else {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	237	// Next, wait for more than 5 seconds so the responses
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	238	// in the SRM will expire.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	239	Thread.sleep(7000);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	240	if (srm.size() != 0) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	241	message = "Incorrect number of responses: expected 0," +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	242	" got " + srm.size();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	243	} else {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	244	pass = Boolean.TRUE;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	245	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	246	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	247	} catch (Exception e) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	248	e.printStackTrace(System.out);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	249	message = e.getClass().getName();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	250	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	251
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	252	// Set the cache lifetime back to the default
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	253	System.setProperty("jdk.tls.stapling.cacheLifetime", "");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	254	return new AbstractMap.SimpleEntry<>(pass, message);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	255	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	256	};
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	257
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	258	/**
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	259	* Creates the PKI components necessary for this test, including
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	260	* Root CA, Intermediate CA and SSL server certificates, the keystores
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	261	* for each entity, a client trust store, and starts the OCSP responders.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	262	*/
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	263	private static void createPKI() throws Exception {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	264	CertificateBuilder cbld = new CertificateBuilder();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	265	KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	266	keyGen.initialize(2048);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	267	KeyStore.Builder keyStoreBuilder =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	268	KeyStore.Builder.newInstance("PKCS12", null,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	269	new KeyStore.PasswordProtection(passwd.toCharArray()));
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	270
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	271	// Generate Root, IntCA, EE keys
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	272	KeyPair rootCaKP = keyGen.genKeyPair();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	273	log("Generated Root CA KeyPair");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	274	KeyPair intCaKP = keyGen.genKeyPair();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	275	log("Generated Intermediate CA KeyPair");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	276	KeyPair sslKP = keyGen.genKeyPair();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	277	log("Generated SSL Cert KeyPair");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	278
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	279	// Set up the Root CA Cert
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	280	cbld.setSubjectName("CN=Root CA Cert, O=SomeCompany");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	281	cbld.setPublicKey(rootCaKP.getPublic());
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	282	cbld.setSerialNumber(new BigInteger("1"));
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	283	// Make a 3 year validity starting from 60 days ago
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	284	long start = System.currentTimeMillis() - TimeUnit.DAYS.toMillis(60);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	285	long end = start + TimeUnit.DAYS.toMillis(1085);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	286	cbld.setValidity(new Date(start), new Date(end));
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	287	addCommonExts(cbld, rootCaKP.getPublic(), rootCaKP.getPublic());
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	288	addCommonCAExts(cbld);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	289	// Make our Root CA Cert!
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	290	X509Certificate rootCert = cbld.build(null, rootCaKP.getPrivate(),
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	291	"SHA256withRSA");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	292	log("Root CA Created:\n" + certInfo(rootCert));
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	293
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	294	// Now build a keystore and add the keys and cert
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	295	rootKeystore = keyStoreBuilder.getKeyStore();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	296	Certificate[] rootChain = {rootCert};
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	297	rootKeystore.setKeyEntry(ROOT_ALIAS, rootCaKP.getPrivate(),
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	298	passwd.toCharArray(), rootChain);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	299
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	300	// Now fire up the OCSP responder
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	301	rootOcsp = new SimpleOCSPServer(rootKeystore, passwd, ROOT_ALIAS, null);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	302	rootOcsp.enableLog(ocspDebug);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	303	rootOcsp.setNextUpdateInterval(3600);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	304	rootOcsp.start();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	305
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	306	// Wait 5 seconds for server ready
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	307	for (int i = 0; (i < 100 && !rootOcsp.isServerReady()); i++) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	308	Thread.sleep(50);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	309	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	310	if (!rootOcsp.isServerReady()) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	311	throw new RuntimeException("Server not ready yet");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	312	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	313
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	314	rootOcspPort = rootOcsp.getPort();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	315	String rootRespURI = "http://localhost:" + rootOcspPort;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	316	log("Root OCSP Responder URI is " + rootRespURI);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	317
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	318	// Now that we have the root keystore and OCSP responder we can
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	319	// create our intermediate CA.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	320	cbld.reset();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	321	cbld.setSubjectName("CN=Intermediate CA Cert, O=SomeCompany");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	322	cbld.setPublicKey(intCaKP.getPublic());
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	323	cbld.setSerialNumber(new BigInteger("100"));
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	324	// Make a 2 year validity starting from 30 days ago
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	325	start = System.currentTimeMillis() - TimeUnit.DAYS.toMillis(30);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	326	end = start + TimeUnit.DAYS.toMillis(730);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	327	cbld.setValidity(new Date(start), new Date(end));
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	328	addCommonExts(cbld, intCaKP.getPublic(), rootCaKP.getPublic());
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	329	addCommonCAExts(cbld);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	330	cbld.addAIAExt(Collections.singletonList(rootRespURI));
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	331	// Make our Intermediate CA Cert!
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	332	X509Certificate intCaCert = cbld.build(rootCert, rootCaKP.getPrivate(),
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	333	"SHA256withRSA");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	334	log("Intermediate CA Created:\n" + certInfo(intCaCert));
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	335
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	336	// Provide intermediate CA cert revocation info to the Root CA
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	337	// OCSP responder.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	338	Map<BigInteger, SimpleOCSPServer.CertStatusInfo> revInfo =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	339	new HashMap<>();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	340	revInfo.put(intCaCert.getSerialNumber(),
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	341	new SimpleOCSPServer.CertStatusInfo(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	342	SimpleOCSPServer.CertStatus.CERT_STATUS_GOOD));
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	343	rootOcsp.updateStatusDb(revInfo);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	344
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	345	// Now build a keystore and add the keys, chain and root cert as a TA
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	346	intKeystore = keyStoreBuilder.getKeyStore();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	347	Certificate[] intChain = {intCaCert, rootCert};
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	348	intKeystore.setKeyEntry(INT_ALIAS, intCaKP.getPrivate(),
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	349	passwd.toCharArray(), intChain);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	350	intKeystore.setCertificateEntry(ROOT_ALIAS, rootCert);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	351
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	352	// Now fire up the Intermediate CA OCSP responder
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	353	intOcsp = new SimpleOCSPServer(intKeystore, passwd,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	354	INT_ALIAS, null);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	355	intOcsp.enableLog(ocspDebug);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	356	intOcsp.setNextUpdateInterval(3600);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	357	intOcsp.start();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	358
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	359	// Wait 5 seconds for server ready
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	360	for (int i = 0; (i < 100 && !intOcsp.isServerReady()); i++) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	361	Thread.sleep(50);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	362	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	363	if (!intOcsp.isServerReady()) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	364	throw new RuntimeException("Server not ready yet");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	365	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	366
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	367	intOcspPort = intOcsp.getPort();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	368	String intCaRespURI = "http://localhost:" + intOcspPort;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	369	log("Intermediate CA OCSP Responder URI is " + intCaRespURI);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	370
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	371	// Last but not least, let's make our SSLCert and add it to its own
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	372	// Keystore
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	373	cbld.reset();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	374	cbld.setSubjectName("CN=SSLCertificate, O=SomeCompany");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	375	cbld.setPublicKey(sslKP.getPublic());
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	376	cbld.setSerialNumber(new BigInteger("4096"));
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	377	// Make a 1 year validity starting from 7 days ago
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	378	start = System.currentTimeMillis() - TimeUnit.DAYS.toMillis(7);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	379	end = start + TimeUnit.DAYS.toMillis(365);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	380	cbld.setValidity(new Date(start), new Date(end));
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	381
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	382	// Add extensions
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	383	addCommonExts(cbld, sslKP.getPublic(), intCaKP.getPublic());
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	384	boolean[] kuBits = {true, false, true, false, false, false,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	385	false, false, false};
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	386	cbld.addKeyUsageExt(kuBits);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	387	List<String> ekuOids = new ArrayList<>();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	388	ekuOids.add("1.3.6.1.5.5.7.3.1");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	389	ekuOids.add("1.3.6.1.5.5.7.3.2");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	390	cbld.addExtendedKeyUsageExt(ekuOids);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	391	cbld.addSubjectAltNameDNSExt(Collections.singletonList("localhost"));
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	392	cbld.addAIAExt(Collections.singletonList(intCaRespURI));
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	393	// Make our SSL Server Cert!
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	394	X509Certificate sslCert = cbld.build(intCaCert, intCaKP.getPrivate(),
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	395	"SHA256withRSA");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	396	log("SSL Certificate Created:\n" + certInfo(sslCert));
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	397
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	398	// Provide SSL server cert revocation info to the Intermeidate CA
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	399	// OCSP responder.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	400	revInfo = new HashMap<>();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	401	revInfo.put(sslCert.getSerialNumber(),
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	402	new SimpleOCSPServer.CertStatusInfo(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	403	SimpleOCSPServer.CertStatus.CERT_STATUS_GOOD));
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	404	intOcsp.updateStatusDb(revInfo);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	405
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	406	// Now build a keystore and add the keys, chain and root cert as a TA
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	407	serverKeystore = keyStoreBuilder.getKeyStore();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	408	Certificate[] sslChain = {sslCert, intCaCert, rootCert};
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	409	serverKeystore.setKeyEntry(SSL_ALIAS, sslKP.getPrivate(),
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	410	passwd.toCharArray(), sslChain);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	411	serverKeystore.setCertificateEntry(ROOT_ALIAS, rootCert);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	412
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	413	// And finally a Trust Store for the client
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	414	trustStore = keyStoreBuilder.getKeyStore();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	415	trustStore.setCertificateEntry(ROOT_ALIAS, rootCert);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	416	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	417
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	418	private static void addCommonExts(CertificateBuilder cbld,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	419	PublicKey subjKey, PublicKey authKey) throws IOException {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	420	cbld.addSubjectKeyIdExt(subjKey);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	421	cbld.addAuthorityKeyIdExt(authKey);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	422	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	423
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	424	private static void addCommonCAExts(CertificateBuilder cbld)
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	425	throws IOException {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	426	cbld.addBasicConstraintsExt(true, true, -1);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	427	// Set key usage bits for digitalSignature, keyCertSign and cRLSign
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	428	boolean[] kuBitSettings = {true, false, false, false, false, true,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	429	true, false, false};
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	430	cbld.addKeyUsageExt(kuBitSettings);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	431	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	432
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	433	/**
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	434	* Helper routine that dumps only a few cert fields rather than
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	435	* the whole toString() output.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	436	*
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	437	* @param cert An X509Certificate to be displayed
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	438	*
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	439	* @return The {@link String} output of the issuer, subject and
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	440	* serial number
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	441	*/
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	442	private static String certInfo(X509Certificate cert) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	443	StringBuilder sb = new StringBuilder();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	444	sb.append("Issuer: ").append(cert.getIssuerX500Principal()).
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	445	append("\n");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	446	sb.append("Subject: ").append(cert.getSubjectX500Principal()).
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	447	append("\n");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	448	sb.append("Serial: ").append(cert.getSerialNumber()).append("\n");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	449	return sb.toString();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	450	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	451
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	452	/**
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	453	* Log a message on stdout
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	454	*
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	455	* @param message The message to log
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	456	*/
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	457	private static void log(String message) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	458	if (debug) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	459	System.out.println(message);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	460	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	461	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	462
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	463	public static void runTests(Map<String, TestCase> testList) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	464	int testNo = 0;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	465	int numberFailed = 0;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	466	Map.Entry<Boolean, String> result;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	467
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	468	System.out.println("============ Tests ============");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	469	for (String testName : testList.keySet()) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	470	System.out.println("Test " + ++testNo + ": " + testName);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	471	result = testList.get(testName).runTest();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	472	System.out.print("Result: " + (result.getKey() ? "PASS" : "FAIL"));
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	473	System.out.println(" " +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	474	(result.getValue() != null ? result.getValue() : ""));
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	475	System.out.println("-------------------------------------------");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	476	if (!result.getKey()) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	477	numberFailed++;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	478	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	479	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	480
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	481	System.out.println("End Results: " + (testList.size() - numberFailed) +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	482	" Passed" + ", " + numberFailed + " Failed.");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	483	if (numberFailed > 0) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	484	throw new RuntimeException(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	485	"One or more tests failed, see test output for details");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	486	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	487	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	488
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	489	public interface TestCase {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	490	Map.Entry<Boolean, String> runTest();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	491	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	492	}

author	xuelei
	Mon, 25 Jun 2018 13:41:39 -0700
changeset 50768	68fa3d4026ea
permissions	-rw-r--r--