jdk-sandbox: comparison test/jdk/javax/net/ssl/Stapling/HttpsUrlConnClient.java

equal deleted inserted replaced

-:356eaea05bf0
+:68fa3d4026ea
 /*
-* Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
+* Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 static SimpleOCSPServer rootOcsp;       // Root CA OCSP Responder
 static int rootOcspPort;                // Port number for root OCSP
 static SimpleOCSPServer intOcsp;        // Intermediate CA OCSP Responder
 static int intOcspPort;                 // Port number for intermed. OCSP
+// Extra configuration parameters and constants
+static final String[] TLS13ONLY = new String[] { "TLSv1.3" };
+static final String[] TLS12MAX =
+new String[] { "TLSv1.2", "TLSv1.1", "TLSv1" };
 private static final String SIMPLE_WEB_PAGE = "<HTML>\n" +
 "<HEAD><Title>Web Page!</Title></HEAD>\n" +
 "<BODY><H1>Web Page!</H1></BODY>\n</HTML>";
 private static final SimpleDateFormat utcDateFmt =
 new SimpleDateFormat("E, dd MMM yyyy HH:mm:ss z");
 * currently 3 minutes by default, but you might try to be
 * smart about it....
 */
 public static void main(String[] args) throws Exception {
 if (debug) {
-System.setProperty("javax.net.debug", "ssl");
+System.setProperty("javax.net.debug", "ssl:handshake");
 }
 System.setProperty("javax.net.ssl.keyStore", "");
 System.setProperty("javax.net.ssl.keyStorePassword", "");
 System.setProperty("javax.net.ssl.trustStore", "");
 // Create the PKI we will use for the test and start the OCSP servers
 createPKI();
 utcDateFmt.setTimeZone(TimeZone.getTimeZone("GMT"));
-testPKIXParametersRevEnabled();
+testPKIXParametersRevEnabled(TLS12MAX);
+testPKIXParametersRevEnabled(TLS13ONLY);
 // shut down the OCSP responders before finishing the test
 intOcsp.stop();
 rootOcsp.stop();
 }
 /**
 * Do a basic connection using PKIXParameters with revocation checking
 * enabled and client-side OCSP disabled.  It will only pass if all
 * stapled responses are present, valid and have a GOOD status.
 */
-static void testPKIXParametersRevEnabled() throws Exception {
+static void testPKIXParametersRevEnabled(String[] allowedProts)
+throws Exception {
 ClientParameters cliParams = new ClientParameters();
+cliParams.protocols = allowedProts;
 ServerParameters servParams = new ServerParameters();
 serverReady = false;
 System.out.println("=====================================");
 System.out.println("Stapling enabled, PKIXParameters with");
 // In this case the server should also have thrown an exception
 // because of the client alert
 if (tr.serverExc instanceof SSLHandshakeException) {
 if (!tr.serverExc.getMessage().contains(
-"alert: bad_certificate_status_response")) {
+"bad_certificate_status_response")) {
 throw tr.serverExc;
 }
 }
 System.out.println("                PASS");
 int contentLength = tlsConn.getContentLength();
 if (contentLength == -1) {
 contentLength = Integer.MAX_VALUE;
 }
-byte[] response = new byte[contentLength > 2048 ? 2048 : contentLength];
+byte[] response = new byte[contentLength > 2048 ? 2048 :
+contentLength];
 int total = 0;
 while (total < contentLength) {
 int count = in.read(response, total, response.length - total);
 if (count < 0)
 break;
 }
 /**
 * Checks a validation failure to see if it failed for the reason we think
 * it should.  This comes in as an SSLException of some sort, but it
-* encapsulates a ValidatorException which in turn encapsulates the
+* encapsulates a CertPathValidatorException at some point in the
-* CertPathValidatorException we are interested in.
+* exception stack.
 *
 * @param e the exception thrown at the top level
 * @param reason the underlying CertPathValidatorException BasicReason
 * we are expecting it to have.
 *
 */
 static boolean checkClientValidationFailure(Exception e,
 BasicReason reason) {
 boolean result = false;
-if (e instanceof SSLException) {
+// Locate the CertPathValidatorException.  If one
-Throwable valExc = e.getCause();
+// Does not exist, then it's an automatic failure of
-if (valExc instanceof sun.security.validator.ValidatorException) {
+// the test.
-Throwable cause = valExc.getCause();
+Throwable curExc = e;
-if (cause instanceof CertPathValidatorException) {
+CertPathValidatorException cpve = null;
-CertPathValidatorException cpve =
+while (curExc != null) {
-(CertPathValidatorException)cause;
+if (curExc instanceof CertPathValidatorException) {
-if (cpve.getReason() == reason) {
+cpve = (CertPathValidatorException)curExc;
-result = true;
+}
-}
+curExc = curExc.getCause();
 }
-}
-}
+// If we get through the loop and cpve is null then we
+// we didn't find CPVE and this is a failure
+if (cpve != null) {
+if (cpve.getReason() == reason) {
+result = true;
+} else {
+System.out.println("CPVE Reason Mismatch: Expected = " +
+reason + ", Actual = " + cpve.getReason());
+}
+} else {
+System.out.println("Failed to find an expected CPVE");
+}
 return result;
 }
 TestResult getResult() {
 TestResult tr = new TestResult();
 // We'll just access the data members directly for convenience.
 static class ClientParameters {
 boolean enabled = true;
 PKIXBuilderParameters pkixParams = null;
 PKIXRevocationChecker revChecker = null;
+String[] protocols = null;
+String[] cipherSuites = null;
 ClientParameters() { }
 }
 static class ServerParameters {
 }
 static class TestResult {
 Exception serverExc = null;
 Exception clientExc = null;
+@Override
+public String toString() {
+StringBuilder sb = new StringBuilder();
+sb.append("Test Result:\n").
+append("\tServer Exc = ").append(serverExc).append("\n").
+append("\tClient Exc = ").append(clientExc).append("\n");
+return sb.toString();
+}
 }
 static class HtucSSLSocketFactory extends SSLSocketFactory {
+ClientParameters params;
 SSLContext sslc = SSLContext.getInstance("TLS");
 HtucSSLSocketFactory(ClientParameters cliParams)
 throws GeneralSecurityException {
 super();
 } else {
 tmf.init(trustStore);
 }
 sslc.init(null, tmf.getTrustManagers(), null);
+params = cliParams;
 }
 @Override
 public Socket createSocket(Socket s, String host, int port,
 boolean autoClose) throws IOException {
 Socket sock =  sslc.getSocketFactory().createSocket(s, host, port,
 autoClose);
-setCiphers(sock);
+customizeSocket(sock);
 return sock;
 }
 @Override
 public Socket createSocket(InetAddress host, int port)
 throws IOException {
 Socket sock = sslc.getSocketFactory().createSocket(host, port);
-setCiphers(sock);
+customizeSocket(sock);
 return sock;
 }
 @Override
 public Socket createSocket(InetAddress host, int port,
 InetAddress localAddress, int localPort) throws IOException {
 Socket sock = sslc.getSocketFactory().createSocket(host, port,
 localAddress, localPort);
-setCiphers(sock);
+customizeSocket(sock);
 return sock;
 }
 @Override
 public Socket createSocket(String host, int port)
 throws IOException {
 Socket sock =  sslc.getSocketFactory().createSocket(host, port);
-setCiphers(sock);
+customizeSocket(sock);
 return sock;
 }
 @Override
 public Socket createSocket(String host, int port,
 InetAddress localAddress, int localPort)
 throws IOException {
 Socket sock =  sslc.getSocketFactory().createSocket(host, port,
 localAddress, localPort);
-setCiphers(sock);
+customizeSocket(sock);
 return sock;
 }
 @Override
 public String[] getDefaultCipherSuites() {
 @Override
 public String[] getSupportedCipherSuites() {
 return sslc.getSupportedSSLParameters().getCipherSuites();
 }
-private static void setCiphers(Socket sock) {
+private void customizeSocket(Socket sock) {
 if (sock instanceof SSLSocket) {
-String[] ciphers = { "TLS_RSA_WITH_AES_128_CBC_SHA" };
+SSLSocket sslSock = (SSLSocket)sock;
-((SSLSocket)sock).setEnabledCipherSuites(ciphers);
+if (params.protocols != null) {
+sslSock.setEnabledProtocols(params.protocols);
+}
+if (params.cipherSuites != null) {
+sslSock.setEnabledCipherSuites(params.cipherSuites);
+}
 }
 }
 }
 }

changeset 50768	68fa3d4026ea
parent 47216	71c04702a3d5