jdk-sandbox: comparison test/jdk/javax/net/ssl/Stapling/SSLSocketWithStapling.java

equal deleted inserted replaced

-:afb358e14f29
+:0cabcf9cb31b
 * @run main/othervm SSLSocketWithStapling
 */
 import java.io.*;
 import java.math.BigInteger;
+import java.net.InetAddress;
+import java.net.Socket;
+import java.net.ServerSocket;
+import java.security.GeneralSecurityException;
 import java.security.KeyPair;
 import java.security.KeyPairGenerator;
 import javax.net.ssl.*;
 import java.security.KeyStore;
 import java.security.PublicKey;
 * Set the various variables needed for the tests, then
 * specify what tests to run on each side.
 */
 // Turn on TLS debugging
-static boolean debug = false;
+static final boolean debug = false;
 /*
 * Should we run the client or server in a separate thread?
 * Both sides can throw exceptions, but do you have a preference
 * as to which side should be the main thread.
 static SimpleOCSPServer rootOcsp;       // Root CA OCSP Responder
 static int rootOcspPort;                // Port number for root OCSP
 static SimpleOCSPServer intOcsp;        // Intermediate CA OCSP Responder
 static int intOcspPort;                 // Port number for intermed. OCSP
+// Extra configuration parameters and constants
+static final String[] TLS13ONLY = new String[] { "TLSv1.3" };
+static final String[] TLS12MAX =
+new String[] { "TLSv1.2", "TLSv1.1", "TLSv1" };
 /*
 * If the client or server is doing some kind of object creation
 * that the other side depends on, and that thread prematurely
 * exits, you may experience a hang.  The test harness will
 * terminate all hung threads after its timeout has expired,
 * currently 3 minutes by default, but you might try to be
 * smart about it....
 */
 public static void main(String[] args) throws Exception {
 if (debug) {
-System.setProperty("javax.net.debug", "ssl");
+System.setProperty("javax.net.debug", "ssl:handshake");
 }
 try {
 // Create the PKI we will use for the test and start the OCSP servers
 createPKI();
-testAllDefault();
+testAllDefault(false);
-testPKIXParametersRevEnabled();
+testAllDefault(true);
-testRevokedCertificate();
+testPKIXParametersRevEnabled(false);
-testHardFailFallback();
+testPKIXParametersRevEnabled(true);
-testSoftFailFallback();
+testRevokedCertificate(false);
-testLatencyNoStaple(false);
+testRevokedCertificate(true);
-testLatencyNoStaple(true);
+testRevokedIntermediate(false);
+testRevokedIntermediate(true);
+testMissingIntermediate(false);
+testMissingIntermediate(true);
+testHardFailFallback(false);
+testHardFailFallback(true);
+testSoftFailFallback(false);
+testSoftFailFallback(true);
+testLatencyNoStaple(false, false);
+testLatencyNoStaple(false, true);
+testLatencyNoStaple(true, false);
+testLatencyNoStaple(true, true);
 } finally {
 // shut down the OCSP responders before finishing the test
 intOcsp.stop();
 rootOcsp.stop();
 }
 }
 /**
 * Default test using no externally-configured PKIXBuilderParameters
 */
-static void testAllDefault() throws Exception {
+static void testAllDefault(boolean isTls13) throws Exception {
 ClientParameters cliParams = new ClientParameters();
 ServerParameters servParams = new ServerParameters();
+if (isTls13) {
+cliParams.protocols = TLS13ONLY;
+servParams.protocols = TLS13ONLY;
+} else {
+cliParams.protocols = TLS12MAX;
+servParams.protocols = TLS12MAX;
+}
 serverReady = false;
 Map<BigInteger, SimpleOCSPServer.CertStatusInfo> revInfo =
 new HashMap<>();
 // We will prove revocation checking is disabled by marking the SSL
 /**
 * Do a basic connection using PKIXParameters with revocation checking
 * enabled and client-side OCSP disabled.  It will only pass if all
 * stapled responses are present, valid and have a GOOD status.
 */
-static void testPKIXParametersRevEnabled() throws Exception {
+static void testPKIXParametersRevEnabled(boolean isTls13) throws Exception {
 ClientParameters cliParams = new ClientParameters();
 ServerParameters servParams = new ServerParameters();
+if (isTls13) {
+cliParams.protocols = TLS13ONLY;
+servParams.protocols = TLS13ONLY;
+} else {
+cliParams.protocols = TLS12MAX;
+servParams.protocols = TLS12MAX;
+}
 serverReady = false;
 System.out.println("=====================================");
 System.out.println("Stapling enabled, PKIXParameters with");
 System.out.println("Revocation checking enabled ");
 * Perform a test where the certificate is revoked and placed in the
 * TLS handshake.  Client-side OCSP is disabled, so this test will only
 * pass if the OCSP response is found, since we will check the
 * CertPathValidatorException reason for revoked status.
 */
-static void testRevokedCertificate() throws Exception {
+static void testRevokedCertificate(boolean isTls13) throws Exception {
 ClientParameters cliParams = new ClientParameters();
 ServerParameters servParams = new ServerParameters();
+if (isTls13) {
+cliParams.protocols = TLS13ONLY;
+servParams.protocols = TLS13ONLY;
+} else {
+cliParams.protocols = TLS12MAX;
+servParams.protocols = TLS12MAX;
+}
 serverReady = false;
 Map<BigInteger, SimpleOCSPServer.CertStatusInfo> revInfo =
 new HashMap<>();
 // We will prove revocation checking is disabled by marking the SSL
 System.out.println("                 PASS");
 System.out.println("=======================================\n");
 }
 /**
-* Test a case where client-side stapling is attempted, but does not
+* Perform a test where the intermediate CA certificate is revoked and
-* occur because OCSP responders are unreachable.  This should use a
+* placed in the TLS handshake.  Client-side OCSP is disabled, so this
-* default hard-fail behavior.
+* test will only pass if the OCSP response for the intermediate CA is
-*/
+* found and placed into the CertificateStatus or Certificate message
-static void testHardFailFallback() throws Exception {
+* (depending on the protocol version) since we will check
+* the CertPathValidatorException reason for revoked status.
+*/
+static void testRevokedIntermediate(boolean isTls13) throws Exception {
 ClientParameters cliParams = new ClientParameters();
 ServerParameters servParams = new ServerParameters();
+if (isTls13) {
+cliParams.protocols = TLS13ONLY;
+servParams.protocols = TLS13ONLY;
+} else {
+cliParams.protocols = TLS12MAX;
+servParams.protocols = TLS12MAX;
+}
 serverReady = false;
+Map<BigInteger, SimpleOCSPServer.CertStatusInfo> revInfo =
-// make OCSP responders reject connections
+new HashMap<>();
-intOcsp.rejectConnections();
+// We will prove revocation checking is disabled by marking the SSL
+// certificate as revoked.  The test would only pass if revocation
+// checking did not happen.
+X509Certificate intCACert =
+(X509Certificate)intKeystore.getCertificate(INT_ALIAS);
+Date fiveMinsAgo = new Date(System.currentTimeMillis() -
+TimeUnit.MINUTES.toMillis(5));
+revInfo.put(intCACert.getSerialNumber(),
+new SimpleOCSPServer.CertStatusInfo(
+SimpleOCSPServer.CertStatus.CERT_STATUS_REVOKED,
+fiveMinsAgo));
+rootOcsp.updateStatusDb(revInfo);
+System.out.println("===============================================");
+System.out.println("Stapling enabled, detect revoked CA certificate");
+System.out.println("===============================================");
+cliParams.pkixParams = new PKIXBuilderParameters(trustStore,
+new X509CertSelector());
+cliParams.pkixParams.setRevocationEnabled(true);
+Security.setProperty("ocsp.enable", "false");
+SSLSocketWithStapling sslTest = new SSLSocketWithStapling(cliParams,
+servParams);
+TestResult tr = sslTest.getResult();
+if (!checkClientValidationFailure(tr.clientExc, BasicReason.REVOKED)) {
+if (tr.clientExc != null) {
+throw tr.clientExc;
+} else {
+throw new RuntimeException(
+"Expected client failure, but the client succeeded");
+}
+}
+// Return the ssl certificate to non-revoked status
+revInfo.put(intCACert.getSerialNumber(),
+new SimpleOCSPServer.CertStatusInfo(
+SimpleOCSPServer.CertStatus.CERT_STATUS_GOOD));
+rootOcsp.updateStatusDb(revInfo);
+System.out.println("                 PASS");
+System.out.println("=======================================\n");
+}
+/**
+* Test a case where OCSP stapling is attempted, but partially occurs
+* because the root OCSP responder is unreachable.  This should use a
+* default hard-fail behavior.
+*/
+static void testMissingIntermediate(boolean isTls13) throws Exception {
+ClientParameters cliParams = new ClientParameters();
+ServerParameters servParams = new ServerParameters();
+if (isTls13) {
+cliParams.protocols = TLS13ONLY;
+servParams.protocols = TLS13ONLY;
+} else {
+cliParams.protocols = TLS12MAX;
+servParams.protocols = TLS12MAX;
+}
+serverReady = false;
+// Make the OCSP responder reject connections
 rootOcsp.rejectConnections();
 System.out.println("=======================================");
 System.out.println("Stapling enbled in client and server,");
-System.out.println("but OCSP responders disabled.");
+System.out.println("but root OCSP responder disabled.");
 System.out.println("PKIXParameters with Revocation checking");
 System.out.println("enabled.");
 System.out.println("=======================================");
-Security.setProperty("ocsp.enable", "true");
+Security.setProperty("ocsp.enable", "false");
 cliParams.pkixParams = new PKIXBuilderParameters(trustStore,
 new X509CertSelector());
 cliParams.pkixParams.setRevocationEnabled(true);
 SSLSocketWithStapling sslTest = new SSLSocketWithStapling(cliParams,
 }
 System.out.println("                 PASS");
 System.out.println("=======================================\n");
+// Make root OCSP responder accept connections
+rootOcsp.acceptConnections();
+// Wait 5 seconds for server ready
+for (int i = 0; (i < 100 && !rootOcsp.isServerReady()); i++) {
+Thread.sleep(50);
+}
+if (!rootOcsp.isServerReady()) {
+throw new RuntimeException("Root OCSP responder not ready yet");
+}
+}
+/**
+* Test a case where client-side stapling is attempted, but does not
+* occur because OCSP responders are unreachable.  This should use a
+* default hard-fail behavior.
+*/
+static void testHardFailFallback(boolean isTls13) throws Exception {
+ClientParameters cliParams = new ClientParameters();
+ServerParameters servParams = new ServerParameters();
+if (isTls13) {
+cliParams.protocols = TLS13ONLY;
+servParams.protocols = TLS13ONLY;
+} else {
+cliParams.protocols = TLS12MAX;
+servParams.protocols = TLS12MAX;
+}
+serverReady = false;
+// make OCSP responders reject connections
+intOcsp.rejectConnections();
+rootOcsp.rejectConnections();
+System.out.println("=======================================");
+System.out.println("Stapling enbled in client and server,");
+System.out.println("but OCSP responders disabled.");
+System.out.println("PKIXParameters with Revocation checking");
+System.out.println("enabled.");
+System.out.println("=======================================");
+Security.setProperty("ocsp.enable", "true");
+cliParams.pkixParams = new PKIXBuilderParameters(trustStore,
+new X509CertSelector());
+cliParams.pkixParams.setRevocationEnabled(true);
+SSLSocketWithStapling sslTest = new SSLSocketWithStapling(cliParams,
+servParams);
+TestResult tr = sslTest.getResult();
+if (!checkClientValidationFailure(tr.clientExc,
+BasicReason.UNDETERMINED_REVOCATION_STATUS)) {
+if (tr.clientExc != null) {
+throw tr.clientExc;
+} else {
+throw new RuntimeException(
+"Expected client failure, but the client succeeded");
+}
+}
+System.out.println("                 PASS");
+System.out.println("=======================================\n");
 // Make OCSP responders accept connections
 intOcsp.acceptConnections();
 rootOcsp.acceptConnections();
 // Wait 5 seconds for server ready
-for (int i = 0; (i < 100 && (!intOcsp.isServerReady() || !rootOcsp.isServerReady())); i++) {
+for (int i = 0; (i < 100 && (!intOcsp.isServerReady() ||
+!rootOcsp.isServerReady())); i++) {
 Thread.sleep(50);
 }
 if (!intOcsp.isServerReady() || !rootOcsp.isServerReady()) {
 throw new RuntimeException("Server not ready yet");
 }
 /**
 * Test a case where client-side stapling is attempted, but does not
 * occur because OCSP responders are unreachable.  Client-side OCSP
 * checking is enabled for this, with SOFT_FAIL.
 */
-static void testSoftFailFallback() throws Exception {
+static void testSoftFailFallback(boolean isTls13) throws Exception {
 ClientParameters cliParams = new ClientParameters();
 ServerParameters servParams = new ServerParameters();
+if (isTls13) {
+cliParams.protocols = TLS13ONLY;
+servParams.protocols = TLS13ONLY;
+} else {
+cliParams.protocols = TLS12MAX;
+servParams.protocols = TLS12MAX;
+}
 serverReady = false;
 // make OCSP responders reject connections
 intOcsp.rejectConnections();
 rootOcsp.rejectConnections();
 *
 * @param fallback if we allow client-side OCSP fallback, which
 * will change the result from the client failing with CPVE (no fallback)
 * to a pass (fallback active).
 */
-static void testLatencyNoStaple(Boolean fallback) throws Exception {
+static void testLatencyNoStaple(Boolean fallback, boolean isTls13)
+throws Exception {
 ClientParameters cliParams = new ClientParameters();
 ServerParameters servParams = new ServerParameters();
+if (isTls13) {
+cliParams.protocols = TLS13ONLY;
+servParams.protocols = TLS13ONLY;
+} else {
+cliParams.protocols = TLS12MAX;
+servParams.protocols = TLS12MAX;
+}
 serverReady = false;
 // Give a 1 second delay before running the test.
 intOcsp.setDelay(3000);
 rootOcsp.setDelay(3000);
 intOcsp.setDelay(0);
 rootOcsp.setDelay(0);
 Thread.sleep(1000);
 // Wait 5 seconds for server ready
-for (int i = 0; (i < 100 && (!intOcsp.isServerReady() || !rootOcsp.isServerReady())); i++) {
+for (int i = 0; (i < 100 && (!intOcsp.isServerReady() ||
+!rootOcsp.isServerReady())); i++) {
 Thread.sleep(50);
 }
 if (!intOcsp.isServerReady() || !rootOcsp.isServerReady()) {
 throw new RuntimeException("Server not ready yet");
 }
 KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
 kmf.init(serverKeystore, passwd.toCharArray());
 TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
 tmf.init(trustStore);
-SSLContext sslc = SSLContext.getInstance("TLSv1.2");
+SSLContext sslc = SSLContext.getInstance("TLS");
 sslc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
-SSLServerSocketFactory sslssf = sslc.getServerSocketFactory();
+SSLServerSocketFactory sslssf = new CustomizedServerSocketFactory(sslc,
+servParams.protocols, servParams.ciphers);
 try (SSLServerSocket sslServerSocket =
 (SSLServerSocket) sslssf.createServerSocket(serverPort)) {
 serverPort = sslServerSocket.getLocalPort();
 tmf.init(trustParams);
 } else {
 tmf.init(trustStore);
 }
-SSLContext sslc = SSLContext.getInstance("TLSv1.2");
+SSLContext sslc = SSLContext.getInstance("TLS");
 sslc.init(null, tmf.getTrustManagers(), null);
-SSLSocketFactory sslsf = sslc.getSocketFactory();
+SSLSocketFactory sslsf = new CustomizedSocketFactory(sslc,
+cliParams.protocols, cliParams.ciphers);
 try (SSLSocket sslSocket = (SSLSocket)sslsf.createSocket("localhost",
 serverPort);
 InputStream sslIS = sslSocket.getInputStream();
 OutputStream sslOS = sslSocket.getOutputStream()) {
 int numberSent = 80;
 // We'll just access the data members directly for convenience.
 static class ClientParameters {
 boolean enabled = true;
 PKIXBuilderParameters pkixParams = null;
 PKIXRevocationChecker revChecker = null;
+String[] protocols = null;
+String[] ciphers = null;
 ClientParameters() { }
 }
 static class ServerParameters {
 int cacheLifetime = 3600;
 int respTimeout = 5000;
 String respUri = "";
 boolean respOverride = false;
 boolean ignoreExts = false;
+String[] protocols = null;
+String[] ciphers = null;
 ServerParameters() { }
 }
+static class CustomizedSocketFactory extends SSLSocketFactory {
+final SSLContext sslc;
+final String[] protocols;
+final String[] cipherSuites;
+CustomizedSocketFactory(SSLContext ctx, String[] prots, String[] suites)
+throws GeneralSecurityException {
+super();
+sslc = (ctx != null) ? ctx : SSLContext.getDefault();
+protocols = prots;
+cipherSuites = suites;
+// Create the Trust Manager Factory using the PKIX variant
+TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
+}
+@Override
+public Socket createSocket(Socket s, String host, int port,
+boolean autoClose) throws IOException {
+Socket sock =  sslc.getSocketFactory().createSocket(s, host, port,
+autoClose);
+customizeSocket(sock);
+return sock;
+}
+@Override
+public Socket createSocket(InetAddress host, int port)
+throws IOException {
+Socket sock = sslc.getSocketFactory().createSocket(host, port);
+customizeSocket(sock);
+return sock;
+}
+@Override
+public Socket createSocket(InetAddress host, int port,
+InetAddress localAddress, int localPort) throws IOException {
+Socket sock = sslc.getSocketFactory().createSocket(host, port,
+localAddress, localPort);
+customizeSocket(sock);
+return sock;
+}
+@Override
+public Socket createSocket(String host, int port)
+throws IOException {
+Socket sock =  sslc.getSocketFactory().createSocket(host, port);
+customizeSocket(sock);
+return sock;
+}
+@Override
+public Socket createSocket(String host, int port,
+InetAddress localAddress, int localPort)
+throws IOException {
+Socket sock =  sslc.getSocketFactory().createSocket(host, port,
+localAddress, localPort);
+customizeSocket(sock);
+return sock;
+}
+@Override
+public String[] getDefaultCipherSuites() {
+return sslc.getDefaultSSLParameters().getCipherSuites();
+}
+@Override
+public String[] getSupportedCipherSuites() {
+return sslc.getSupportedSSLParameters().getCipherSuites();
+}
+private void customizeSocket(Socket sock) {
+if (sock instanceof SSLSocket) {
+if (protocols != null) {
+((SSLSocket)sock).setEnabledProtocols(protocols);
+}
+if (cipherSuites != null) {
+((SSLSocket)sock).setEnabledCipherSuites(cipherSuites);
+}
+}
+}
+}
+static class CustomizedServerSocketFactory extends SSLServerSocketFactory {
+final SSLContext sslc;
+final String[] protocols;
+final String[] cipherSuites;
+CustomizedServerSocketFactory(SSLContext ctx, String[] prots, String[] suites)
+throws GeneralSecurityException {
+super();
+sslc = (ctx != null) ? ctx : SSLContext.getDefault();
+protocols = prots;
+cipherSuites = suites;
+// Create the Trust Manager Factory using the PKIX variant
+TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
+}
+@Override
+public ServerSocket createServerSocket(int port) throws IOException {
+ServerSocket sock =
+sslc.getServerSocketFactory().createServerSocket(port);
+customizeSocket(sock);
+return sock;
+}
+@Override
+public ServerSocket createServerSocket(int port, int backlog)
+throws IOException {
+ServerSocket sock =
+sslc.getServerSocketFactory().createServerSocket(port,
+backlog);
+customizeSocket(sock);
+return sock;
+}
+@Override
+public ServerSocket createServerSocket(int port, int backlog,
+InetAddress ifAddress) throws IOException {
+ServerSocket sock =
+sslc.getServerSocketFactory().createServerSocket(port,
+backlog, ifAddress);
+customizeSocket(sock);
+return sock;
+}
+@Override
+public String[] getDefaultCipherSuites() {
+return sslc.getDefaultSSLParameters().getCipherSuites();
+}
+@Override
+public String[] getSupportedCipherSuites() {
+return sslc.getSupportedSSLParameters().getCipherSuites();
+}
+private void customizeSocket(ServerSocket sock) {
+if (sock instanceof SSLServerSocket) {
+if (protocols != null) {
+((SSLServerSocket)sock).setEnabledProtocols(protocols);
+}
+if (cipherSuites != null) {
+((SSLServerSocket)sock).setEnabledCipherSuites(cipherSuites);
+}
+}
+}
+}
 static class TestResult {
 Exception serverExc = null;
 Exception clientExc = null;
 }

branch	JDK-8145252-TLS13-branch
changeset 56606	0cabcf9cb31b
parent 56542	56aaa6cb3693