104 static SimpleOCSPServer rootOcsp; // Root CA OCSP Responder |
108 static SimpleOCSPServer rootOcsp; // Root CA OCSP Responder |
105 static int rootOcspPort; // Port number for root OCSP |
109 static int rootOcspPort; // Port number for root OCSP |
106 static SimpleOCSPServer intOcsp; // Intermediate CA OCSP Responder |
110 static SimpleOCSPServer intOcsp; // Intermediate CA OCSP Responder |
107 static int intOcspPort; // Port number for intermed. OCSP |
111 static int intOcspPort; // Port number for intermed. OCSP |
108 |
112 |
|
113 // Extra configuration parameters and constants |
|
114 static final String[] TLS13ONLY = new String[] { "TLSv1.3" }; |
|
115 static final String[] TLS12MAX = |
|
116 new String[] { "TLSv1.2", "TLSv1.1", "TLSv1" }; |
|
117 |
109 /* |
118 /* |
110 * If the client or server is doing some kind of object creation |
119 * If the client or server is doing some kind of object creation |
111 * that the other side depends on, and that thread prematurely |
120 * that the other side depends on, and that thread prematurely |
112 * exits, you may experience a hang. The test harness will |
121 * exits, you may experience a hang. The test harness will |
113 * terminate all hung threads after its timeout has expired, |
122 * terminate all hung threads after its timeout has expired, |
114 * currently 3 minutes by default, but you might try to be |
123 * currently 3 minutes by default, but you might try to be |
115 * smart about it.... |
124 * smart about it.... |
116 */ |
125 */ |
117 public static void main(String[] args) throws Exception { |
126 public static void main(String[] args) throws Exception { |
118 if (debug) { |
127 if (debug) { |
119 System.setProperty("javax.net.debug", "ssl"); |
128 System.setProperty("javax.net.debug", "ssl:handshake"); |
120 } |
129 } |
121 |
130 |
122 try { |
131 try { |
123 // Create the PKI we will use for the test and start the OCSP servers |
132 // Create the PKI we will use for the test and start the OCSP servers |
124 createPKI(); |
133 createPKI(); |
125 |
134 |
126 testAllDefault(); |
135 testAllDefault(false); |
127 testPKIXParametersRevEnabled(); |
136 testAllDefault(true); |
128 testRevokedCertificate(); |
137 testPKIXParametersRevEnabled(false); |
129 testHardFailFallback(); |
138 testPKIXParametersRevEnabled(true); |
130 testSoftFailFallback(); |
139 testRevokedCertificate(false); |
131 testLatencyNoStaple(false); |
140 testRevokedCertificate(true); |
132 testLatencyNoStaple(true); |
141 testRevokedIntermediate(false); |
|
142 testRevokedIntermediate(true); |
|
143 testMissingIntermediate(false); |
|
144 testMissingIntermediate(true); |
|
145 testHardFailFallback(false); |
|
146 testHardFailFallback(true); |
|
147 testSoftFailFallback(false); |
|
148 testSoftFailFallback(true); |
|
149 testLatencyNoStaple(false, false); |
|
150 testLatencyNoStaple(false, true); |
|
151 testLatencyNoStaple(true, false); |
|
152 testLatencyNoStaple(true, true); |
133 } finally { |
153 } finally { |
134 // shut down the OCSP responders before finishing the test |
154 // shut down the OCSP responders before finishing the test |
135 intOcsp.stop(); |
155 intOcsp.stop(); |
136 rootOcsp.stop(); |
156 rootOcsp.stop(); |
137 } |
157 } |
138 } |
158 } |
139 |
159 |
140 /** |
160 /** |
141 * Default test using no externally-configured PKIXBuilderParameters |
161 * Default test using no externally-configured PKIXBuilderParameters |
142 */ |
162 */ |
143 static void testAllDefault() throws Exception { |
163 static void testAllDefault(boolean isTls13) throws Exception { |
144 ClientParameters cliParams = new ClientParameters(); |
164 ClientParameters cliParams = new ClientParameters(); |
145 ServerParameters servParams = new ServerParameters(); |
165 ServerParameters servParams = new ServerParameters(); |
|
166 if (isTls13) { |
|
167 cliParams.protocols = TLS13ONLY; |
|
168 servParams.protocols = TLS13ONLY; |
|
169 } else { |
|
170 cliParams.protocols = TLS12MAX; |
|
171 servParams.protocols = TLS12MAX; |
|
172 } |
146 serverReady = false; |
173 serverReady = false; |
147 Map<BigInteger, SimpleOCSPServer.CertStatusInfo> revInfo = |
174 Map<BigInteger, SimpleOCSPServer.CertStatusInfo> revInfo = |
148 new HashMap<>(); |
175 new HashMap<>(); |
149 |
176 |
150 // We will prove revocation checking is disabled by marking the SSL |
177 // We will prove revocation checking is disabled by marking the SSL |
186 /** |
213 /** |
187 * Do a basic connection using PKIXParameters with revocation checking |
214 * Do a basic connection using PKIXParameters with revocation checking |
188 * enabled and client-side OCSP disabled. It will only pass if all |
215 * enabled and client-side OCSP disabled. It will only pass if all |
189 * stapled responses are present, valid and have a GOOD status. |
216 * stapled responses are present, valid and have a GOOD status. |
190 */ |
217 */ |
191 static void testPKIXParametersRevEnabled() throws Exception { |
218 static void testPKIXParametersRevEnabled(boolean isTls13) throws Exception { |
192 ClientParameters cliParams = new ClientParameters(); |
219 ClientParameters cliParams = new ClientParameters(); |
193 ServerParameters servParams = new ServerParameters(); |
220 ServerParameters servParams = new ServerParameters(); |
|
221 if (isTls13) { |
|
222 cliParams.protocols = TLS13ONLY; |
|
223 servParams.protocols = TLS13ONLY; |
|
224 } else { |
|
225 cliParams.protocols = TLS12MAX; |
|
226 servParams.protocols = TLS12MAX; |
|
227 } |
194 serverReady = false; |
228 serverReady = false; |
195 |
229 |
196 System.out.println("====================================="); |
230 System.out.println("====================================="); |
197 System.out.println("Stapling enabled, PKIXParameters with"); |
231 System.out.println("Stapling enabled, PKIXParameters with"); |
198 System.out.println("Revocation checking enabled "); |
232 System.out.println("Revocation checking enabled "); |
220 * Perform a test where the certificate is revoked and placed in the |
254 * Perform a test where the certificate is revoked and placed in the |
221 * TLS handshake. Client-side OCSP is disabled, so this test will only |
255 * TLS handshake. Client-side OCSP is disabled, so this test will only |
222 * pass if the OCSP response is found, since we will check the |
256 * pass if the OCSP response is found, since we will check the |
223 * CertPathValidatorException reason for revoked status. |
257 * CertPathValidatorException reason for revoked status. |
224 */ |
258 */ |
225 static void testRevokedCertificate() throws Exception { |
259 static void testRevokedCertificate(boolean isTls13) throws Exception { |
226 ClientParameters cliParams = new ClientParameters(); |
260 ClientParameters cliParams = new ClientParameters(); |
227 ServerParameters servParams = new ServerParameters(); |
261 ServerParameters servParams = new ServerParameters(); |
|
262 if (isTls13) { |
|
263 cliParams.protocols = TLS13ONLY; |
|
264 servParams.protocols = TLS13ONLY; |
|
265 } else { |
|
266 cliParams.protocols = TLS12MAX; |
|
267 servParams.protocols = TLS12MAX; |
|
268 } |
228 serverReady = false; |
269 serverReady = false; |
229 Map<BigInteger, SimpleOCSPServer.CertStatusInfo> revInfo = |
270 Map<BigInteger, SimpleOCSPServer.CertStatusInfo> revInfo = |
230 new HashMap<>(); |
271 new HashMap<>(); |
231 |
272 |
232 // We will prove revocation checking is disabled by marking the SSL |
273 // We will prove revocation checking is disabled by marking the SSL |
272 System.out.println(" PASS"); |
313 System.out.println(" PASS"); |
273 System.out.println("=======================================\n"); |
314 System.out.println("=======================================\n"); |
274 } |
315 } |
275 |
316 |
276 /** |
317 /** |
277 * Test a case where client-side stapling is attempted, but does not |
318 * Perform a test where the intermediate CA certificate is revoked and |
278 * occur because OCSP responders are unreachable. This should use a |
319 * placed in the TLS handshake. Client-side OCSP is disabled, so this |
279 * default hard-fail behavior. |
320 * test will only pass if the OCSP response for the intermediate CA is |
280 */ |
321 * found and placed into the CertificateStatus or Certificate message |
281 static void testHardFailFallback() throws Exception { |
322 * (depending on the protocol version) since we will check |
|
323 * the CertPathValidatorException reason for revoked status. |
|
324 */ |
|
325 static void testRevokedIntermediate(boolean isTls13) throws Exception { |
282 ClientParameters cliParams = new ClientParameters(); |
326 ClientParameters cliParams = new ClientParameters(); |
283 ServerParameters servParams = new ServerParameters(); |
327 ServerParameters servParams = new ServerParameters(); |
|
328 if (isTls13) { |
|
329 cliParams.protocols = TLS13ONLY; |
|
330 servParams.protocols = TLS13ONLY; |
|
331 } else { |
|
332 cliParams.protocols = TLS12MAX; |
|
333 servParams.protocols = TLS12MAX; |
|
334 } |
284 serverReady = false; |
335 serverReady = false; |
285 |
336 Map<BigInteger, SimpleOCSPServer.CertStatusInfo> revInfo = |
286 // make OCSP responders reject connections |
337 new HashMap<>(); |
287 intOcsp.rejectConnections(); |
338 |
|
339 // We will prove revocation checking is disabled by marking the SSL |
|
340 // certificate as revoked. The test would only pass if revocation |
|
341 // checking did not happen. |
|
342 X509Certificate intCACert = |
|
343 (X509Certificate)intKeystore.getCertificate(INT_ALIAS); |
|
344 Date fiveMinsAgo = new Date(System.currentTimeMillis() - |
|
345 TimeUnit.MINUTES.toMillis(5)); |
|
346 revInfo.put(intCACert.getSerialNumber(), |
|
347 new SimpleOCSPServer.CertStatusInfo( |
|
348 SimpleOCSPServer.CertStatus.CERT_STATUS_REVOKED, |
|
349 fiveMinsAgo)); |
|
350 rootOcsp.updateStatusDb(revInfo); |
|
351 |
|
352 System.out.println("==============================================="); |
|
353 System.out.println("Stapling enabled, detect revoked CA certificate"); |
|
354 System.out.println("==============================================="); |
|
355 |
|
356 cliParams.pkixParams = new PKIXBuilderParameters(trustStore, |
|
357 new X509CertSelector()); |
|
358 cliParams.pkixParams.setRevocationEnabled(true); |
|
359 Security.setProperty("ocsp.enable", "false"); |
|
360 |
|
361 SSLSocketWithStapling sslTest = new SSLSocketWithStapling(cliParams, |
|
362 servParams); |
|
363 TestResult tr = sslTest.getResult(); |
|
364 if (!checkClientValidationFailure(tr.clientExc, BasicReason.REVOKED)) { |
|
365 if (tr.clientExc != null) { |
|
366 throw tr.clientExc; |
|
367 } else { |
|
368 throw new RuntimeException( |
|
369 "Expected client failure, but the client succeeded"); |
|
370 } |
|
371 } |
|
372 |
|
373 // Return the ssl certificate to non-revoked status |
|
374 revInfo.put(intCACert.getSerialNumber(), |
|
375 new SimpleOCSPServer.CertStatusInfo( |
|
376 SimpleOCSPServer.CertStatus.CERT_STATUS_GOOD)); |
|
377 rootOcsp.updateStatusDb(revInfo); |
|
378 |
|
379 System.out.println(" PASS"); |
|
380 System.out.println("=======================================\n"); |
|
381 } |
|
382 |
|
383 /** |
|
384 * Test a case where OCSP stapling is attempted, but partially occurs |
|
385 * because the root OCSP responder is unreachable. This should use a |
|
386 * default hard-fail behavior. |
|
387 */ |
|
388 static void testMissingIntermediate(boolean isTls13) throws Exception { |
|
389 ClientParameters cliParams = new ClientParameters(); |
|
390 ServerParameters servParams = new ServerParameters(); |
|
391 if (isTls13) { |
|
392 cliParams.protocols = TLS13ONLY; |
|
393 servParams.protocols = TLS13ONLY; |
|
394 } else { |
|
395 cliParams.protocols = TLS12MAX; |
|
396 servParams.protocols = TLS12MAX; |
|
397 } |
|
398 serverReady = false; |
|
399 |
|
400 // Make the OCSP responder reject connections |
288 rootOcsp.rejectConnections(); |
401 rootOcsp.rejectConnections(); |
289 |
402 |
290 System.out.println("======================================="); |
403 System.out.println("======================================="); |
291 System.out.println("Stapling enbled in client and server,"); |
404 System.out.println("Stapling enbled in client and server,"); |
292 System.out.println("but OCSP responders disabled."); |
405 System.out.println("but root OCSP responder disabled."); |
293 System.out.println("PKIXParameters with Revocation checking"); |
406 System.out.println("PKIXParameters with Revocation checking"); |
294 System.out.println("enabled."); |
407 System.out.println("enabled."); |
295 System.out.println("======================================="); |
408 System.out.println("======================================="); |
296 |
409 |
297 Security.setProperty("ocsp.enable", "true"); |
410 Security.setProperty("ocsp.enable", "false"); |
298 cliParams.pkixParams = new PKIXBuilderParameters(trustStore, |
411 cliParams.pkixParams = new PKIXBuilderParameters(trustStore, |
299 new X509CertSelector()); |
412 new X509CertSelector()); |
300 cliParams.pkixParams.setRevocationEnabled(true); |
413 cliParams.pkixParams.setRevocationEnabled(true); |
301 |
414 |
302 SSLSocketWithStapling sslTest = new SSLSocketWithStapling(cliParams, |
415 SSLSocketWithStapling sslTest = new SSLSocketWithStapling(cliParams, |
313 } |
426 } |
314 |
427 |
315 System.out.println(" PASS"); |
428 System.out.println(" PASS"); |
316 System.out.println("=======================================\n"); |
429 System.out.println("=======================================\n"); |
317 |
430 |
|
431 // Make root OCSP responder accept connections |
|
432 rootOcsp.acceptConnections(); |
|
433 |
|
434 // Wait 5 seconds for server ready |
|
435 for (int i = 0; (i < 100 && !rootOcsp.isServerReady()); i++) { |
|
436 Thread.sleep(50); |
|
437 } |
|
438 if (!rootOcsp.isServerReady()) { |
|
439 throw new RuntimeException("Root OCSP responder not ready yet"); |
|
440 } |
|
441 } |
|
442 |
|
443 /** |
|
444 * Test a case where client-side stapling is attempted, but does not |
|
445 * occur because OCSP responders are unreachable. This should use a |
|
446 * default hard-fail behavior. |
|
447 */ |
|
448 static void testHardFailFallback(boolean isTls13) throws Exception { |
|
449 ClientParameters cliParams = new ClientParameters(); |
|
450 ServerParameters servParams = new ServerParameters(); |
|
451 if (isTls13) { |
|
452 cliParams.protocols = TLS13ONLY; |
|
453 servParams.protocols = TLS13ONLY; |
|
454 } else { |
|
455 cliParams.protocols = TLS12MAX; |
|
456 servParams.protocols = TLS12MAX; |
|
457 } |
|
458 serverReady = false; |
|
459 |
|
460 // make OCSP responders reject connections |
|
461 intOcsp.rejectConnections(); |
|
462 rootOcsp.rejectConnections(); |
|
463 |
|
464 System.out.println("======================================="); |
|
465 System.out.println("Stapling enbled in client and server,"); |
|
466 System.out.println("but OCSP responders disabled."); |
|
467 System.out.println("PKIXParameters with Revocation checking"); |
|
468 System.out.println("enabled."); |
|
469 System.out.println("======================================="); |
|
470 |
|
471 Security.setProperty("ocsp.enable", "true"); |
|
472 cliParams.pkixParams = new PKIXBuilderParameters(trustStore, |
|
473 new X509CertSelector()); |
|
474 cliParams.pkixParams.setRevocationEnabled(true); |
|
475 |
|
476 SSLSocketWithStapling sslTest = new SSLSocketWithStapling(cliParams, |
|
477 servParams); |
|
478 TestResult tr = sslTest.getResult(); |
|
479 if (!checkClientValidationFailure(tr.clientExc, |
|
480 BasicReason.UNDETERMINED_REVOCATION_STATUS)) { |
|
481 if (tr.clientExc != null) { |
|
482 throw tr.clientExc; |
|
483 } else { |
|
484 throw new RuntimeException( |
|
485 "Expected client failure, but the client succeeded"); |
|
486 } |
|
487 } |
|
488 |
|
489 System.out.println(" PASS"); |
|
490 System.out.println("=======================================\n"); |
|
491 |
318 // Make OCSP responders accept connections |
492 // Make OCSP responders accept connections |
319 intOcsp.acceptConnections(); |
493 intOcsp.acceptConnections(); |
320 rootOcsp.acceptConnections(); |
494 rootOcsp.acceptConnections(); |
321 |
495 |
322 // Wait 5 seconds for server ready |
496 // Wait 5 seconds for server ready |
323 for (int i = 0; (i < 100 && (!intOcsp.isServerReady() || !rootOcsp.isServerReady())); i++) { |
497 for (int i = 0; (i < 100 && (!intOcsp.isServerReady() || |
|
498 !rootOcsp.isServerReady())); i++) { |
324 Thread.sleep(50); |
499 Thread.sleep(50); |
325 } |
500 } |
326 if (!intOcsp.isServerReady() || !rootOcsp.isServerReady()) { |
501 if (!intOcsp.isServerReady() || !rootOcsp.isServerReady()) { |
327 throw new RuntimeException("Server not ready yet"); |
502 throw new RuntimeException("Server not ready yet"); |
328 } |
503 } |
331 /** |
506 /** |
332 * Test a case where client-side stapling is attempted, but does not |
507 * Test a case where client-side stapling is attempted, but does not |
333 * occur because OCSP responders are unreachable. Client-side OCSP |
508 * occur because OCSP responders are unreachable. Client-side OCSP |
334 * checking is enabled for this, with SOFT_FAIL. |
509 * checking is enabled for this, with SOFT_FAIL. |
335 */ |
510 */ |
336 static void testSoftFailFallback() throws Exception { |
511 static void testSoftFailFallback(boolean isTls13) throws Exception { |
337 ClientParameters cliParams = new ClientParameters(); |
512 ClientParameters cliParams = new ClientParameters(); |
338 ServerParameters servParams = new ServerParameters(); |
513 ServerParameters servParams = new ServerParameters(); |
|
514 if (isTls13) { |
|
515 cliParams.protocols = TLS13ONLY; |
|
516 servParams.protocols = TLS13ONLY; |
|
517 } else { |
|
518 cliParams.protocols = TLS12MAX; |
|
519 servParams.protocols = TLS12MAX; |
|
520 } |
339 serverReady = false; |
521 serverReady = false; |
340 |
522 |
341 // make OCSP responders reject connections |
523 // make OCSP responders reject connections |
342 intOcsp.rejectConnections(); |
524 intOcsp.rejectConnections(); |
343 rootOcsp.rejectConnections(); |
525 rootOcsp.rejectConnections(); |
399 * |
581 * |
400 * @param fallback if we allow client-side OCSP fallback, which |
582 * @param fallback if we allow client-side OCSP fallback, which |
401 * will change the result from the client failing with CPVE (no fallback) |
583 * will change the result from the client failing with CPVE (no fallback) |
402 * to a pass (fallback active). |
584 * to a pass (fallback active). |
403 */ |
585 */ |
404 static void testLatencyNoStaple(Boolean fallback) throws Exception { |
586 static void testLatencyNoStaple(Boolean fallback, boolean isTls13) |
|
587 throws Exception { |
405 ClientParameters cliParams = new ClientParameters(); |
588 ClientParameters cliParams = new ClientParameters(); |
406 ServerParameters servParams = new ServerParameters(); |
589 ServerParameters servParams = new ServerParameters(); |
|
590 if (isTls13) { |
|
591 cliParams.protocols = TLS13ONLY; |
|
592 servParams.protocols = TLS13ONLY; |
|
593 } else { |
|
594 cliParams.protocols = TLS12MAX; |
|
595 servParams.protocols = TLS12MAX; |
|
596 } |
407 serverReady = false; |
597 serverReady = false; |
408 |
598 |
409 // Give a 1 second delay before running the test. |
599 // Give a 1 second delay before running the test. |
410 intOcsp.setDelay(3000); |
600 intOcsp.setDelay(3000); |
411 rootOcsp.setDelay(3000); |
601 rootOcsp.setDelay(3000); |
501 KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509"); |
692 KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509"); |
502 kmf.init(serverKeystore, passwd.toCharArray()); |
693 kmf.init(serverKeystore, passwd.toCharArray()); |
503 TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509"); |
694 TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509"); |
504 tmf.init(trustStore); |
695 tmf.init(trustStore); |
505 |
696 |
506 SSLContext sslc = SSLContext.getInstance("TLSv1.2"); |
697 SSLContext sslc = SSLContext.getInstance("TLS"); |
507 sslc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); |
698 sslc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); |
508 |
699 |
509 SSLServerSocketFactory sslssf = sslc.getServerSocketFactory(); |
700 SSLServerSocketFactory sslssf = new CustomizedServerSocketFactory(sslc, |
|
701 servParams.protocols, servParams.ciphers); |
510 |
702 |
511 try (SSLServerSocket sslServerSocket = |
703 try (SSLServerSocket sslServerSocket = |
512 (SSLServerSocket) sslssf.createServerSocket(serverPort)) { |
704 (SSLServerSocket) sslssf.createServerSocket(serverPort)) { |
513 |
705 |
514 serverPort = sslServerSocket.getLocalPort(); |
706 serverPort = sslServerSocket.getLocalPort(); |
939 int cacheLifetime = 3600; |
1134 int cacheLifetime = 3600; |
940 int respTimeout = 5000; |
1135 int respTimeout = 5000; |
941 String respUri = ""; |
1136 String respUri = ""; |
942 boolean respOverride = false; |
1137 boolean respOverride = false; |
943 boolean ignoreExts = false; |
1138 boolean ignoreExts = false; |
|
1139 String[] protocols = null; |
|
1140 String[] ciphers = null; |
944 |
1141 |
945 ServerParameters() { } |
1142 ServerParameters() { } |
946 } |
1143 } |
|
1144 |
|
1145 static class CustomizedSocketFactory extends SSLSocketFactory { |
|
1146 final SSLContext sslc; |
|
1147 final String[] protocols; |
|
1148 final String[] cipherSuites; |
|
1149 |
|
1150 CustomizedSocketFactory(SSLContext ctx, String[] prots, String[] suites) |
|
1151 throws GeneralSecurityException { |
|
1152 super(); |
|
1153 sslc = (ctx != null) ? ctx : SSLContext.getDefault(); |
|
1154 protocols = prots; |
|
1155 cipherSuites = suites; |
|
1156 |
|
1157 // Create the Trust Manager Factory using the PKIX variant |
|
1158 TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX"); |
|
1159 } |
|
1160 |
|
1161 @Override |
|
1162 public Socket createSocket(Socket s, String host, int port, |
|
1163 boolean autoClose) throws IOException { |
|
1164 Socket sock = sslc.getSocketFactory().createSocket(s, host, port, |
|
1165 autoClose); |
|
1166 customizeSocket(sock); |
|
1167 return sock; |
|
1168 } |
|
1169 |
|
1170 @Override |
|
1171 public Socket createSocket(InetAddress host, int port) |
|
1172 throws IOException { |
|
1173 Socket sock = sslc.getSocketFactory().createSocket(host, port); |
|
1174 customizeSocket(sock); |
|
1175 return sock; |
|
1176 } |
|
1177 |
|
1178 @Override |
|
1179 public Socket createSocket(InetAddress host, int port, |
|
1180 InetAddress localAddress, int localPort) throws IOException { |
|
1181 Socket sock = sslc.getSocketFactory().createSocket(host, port, |
|
1182 localAddress, localPort); |
|
1183 customizeSocket(sock); |
|
1184 return sock; |
|
1185 } |
|
1186 |
|
1187 @Override |
|
1188 public Socket createSocket(String host, int port) |
|
1189 throws IOException { |
|
1190 Socket sock = sslc.getSocketFactory().createSocket(host, port); |
|
1191 customizeSocket(sock); |
|
1192 return sock; |
|
1193 } |
|
1194 |
|
1195 @Override |
|
1196 public Socket createSocket(String host, int port, |
|
1197 InetAddress localAddress, int localPort) |
|
1198 throws IOException { |
|
1199 Socket sock = sslc.getSocketFactory().createSocket(host, port, |
|
1200 localAddress, localPort); |
|
1201 customizeSocket(sock); |
|
1202 return sock; |
|
1203 } |
|
1204 |
|
1205 @Override |
|
1206 public String[] getDefaultCipherSuites() { |
|
1207 return sslc.getDefaultSSLParameters().getCipherSuites(); |
|
1208 } |
|
1209 |
|
1210 @Override |
|
1211 public String[] getSupportedCipherSuites() { |
|
1212 return sslc.getSupportedSSLParameters().getCipherSuites(); |
|
1213 } |
|
1214 |
|
1215 private void customizeSocket(Socket sock) { |
|
1216 if (sock instanceof SSLSocket) { |
|
1217 if (protocols != null) { |
|
1218 ((SSLSocket)sock).setEnabledProtocols(protocols); |
|
1219 } |
|
1220 if (cipherSuites != null) { |
|
1221 ((SSLSocket)sock).setEnabledCipherSuites(cipherSuites); |
|
1222 } |
|
1223 } |
|
1224 } |
|
1225 } |
|
1226 |
|
1227 static class CustomizedServerSocketFactory extends SSLServerSocketFactory { |
|
1228 final SSLContext sslc; |
|
1229 final String[] protocols; |
|
1230 final String[] cipherSuites; |
|
1231 |
|
1232 CustomizedServerSocketFactory(SSLContext ctx, String[] prots, String[] suites) |
|
1233 throws GeneralSecurityException { |
|
1234 super(); |
|
1235 sslc = (ctx != null) ? ctx : SSLContext.getDefault(); |
|
1236 protocols = prots; |
|
1237 cipherSuites = suites; |
|
1238 |
|
1239 // Create the Trust Manager Factory using the PKIX variant |
|
1240 TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX"); |
|
1241 } |
|
1242 |
|
1243 @Override |
|
1244 public ServerSocket createServerSocket(int port) throws IOException { |
|
1245 ServerSocket sock = |
|
1246 sslc.getServerSocketFactory().createServerSocket(port); |
|
1247 customizeSocket(sock); |
|
1248 return sock; |
|
1249 } |
|
1250 |
|
1251 @Override |
|
1252 public ServerSocket createServerSocket(int port, int backlog) |
|
1253 throws IOException { |
|
1254 ServerSocket sock = |
|
1255 sslc.getServerSocketFactory().createServerSocket(port, |
|
1256 backlog); |
|
1257 customizeSocket(sock); |
|
1258 return sock; |
|
1259 } |
|
1260 |
|
1261 @Override |
|
1262 public ServerSocket createServerSocket(int port, int backlog, |
|
1263 InetAddress ifAddress) throws IOException { |
|
1264 ServerSocket sock = |
|
1265 sslc.getServerSocketFactory().createServerSocket(port, |
|
1266 backlog, ifAddress); |
|
1267 customizeSocket(sock); |
|
1268 return sock; |
|
1269 } |
|
1270 |
|
1271 @Override |
|
1272 public String[] getDefaultCipherSuites() { |
|
1273 return sslc.getDefaultSSLParameters().getCipherSuites(); |
|
1274 } |
|
1275 |
|
1276 @Override |
|
1277 public String[] getSupportedCipherSuites() { |
|
1278 return sslc.getSupportedSSLParameters().getCipherSuites(); |
|
1279 } |
|
1280 |
|
1281 private void customizeSocket(ServerSocket sock) { |
|
1282 if (sock instanceof SSLServerSocket) { |
|
1283 if (protocols != null) { |
|
1284 ((SSLServerSocket)sock).setEnabledProtocols(protocols); |
|
1285 } |
|
1286 if (cipherSuites != null) { |
|
1287 ((SSLServerSocket)sock).setEnabledCipherSuites(cipherSuites); |
|
1288 } |
|
1289 } |
|
1290 } |
|
1291 } |
|
1292 |
947 |
1293 |
948 static class TestResult { |
1294 static class TestResult { |
949 Exception serverExc = null; |
1295 Exception serverExc = null; |
950 Exception clientExc = null; |
1296 Exception clientExc = null; |
951 } |
1297 } |