# HG changeset patch # User coffeys # Date 1472724107 -3600 # Node ID b75806acf7164c8663e9bb529d787955b5a0508d # Parent df9fab06ba9d2b003e01de625e0a688d210be136 8164846: CertificateException missing cause of underlying exception Reviewed-by: xuelei diff -r df9fab06ba9d -r b75806acf716 jdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java --- a/jdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java Thu Sep 01 15:02:32 2016 +0530 +++ b/jdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java Thu Sep 01 11:01:47 2016 +0100 @@ -1496,7 +1496,7 @@ } } catch (CertPathValidatorException cpve) { throw new CertificateException( - "Certificates does not conform to algorithm constraints"); + "Certificates do not conform to algorithm constraints", cpve); } } } diff -r df9fab06ba9d -r b75806acf716 jdk/test/sun/security/ssl/SSLContextImpl/TrustTrustedCert.java --- a/jdk/test/sun/security/ssl/SSLContextImpl/TrustTrustedCert.java Thu Sep 01 15:02:32 2016 +0530 +++ b/jdk/test/sun/security/ssl/SSLContextImpl/TrustTrustedCert.java Thu Sep 01 11:01:47 2016 +0100 @@ -30,12 +30,13 @@ /* * @test - * @bug 7113275 + * @bug 7113275 8164846 * @summary compatibility issue with MD2 trust anchor and old X509TrustManager - * @run main/othervm TrustTrustedCert PKIX TLSv1.1 - * @run main/othervm TrustTrustedCert SunX509 TLSv1.1 - * @run main/othervm TrustTrustedCert PKIX TLSv1.2 - * @run main/othervm TrustTrustedCert SunX509 TLSv1.2 + * @run main/othervm TrustTrustedCert PKIX TLSv1.1 true + * @run main/othervm TrustTrustedCert PKIX TLSv1.1 false + * @run main/othervm TrustTrustedCert SunX509 TLSv1.1 false + * @run main/othervm TrustTrustedCert PKIX TLSv1.2 false + * @run main/othervm TrustTrustedCert SunX509 TLSv1.2 false */ import java.net.*; @@ -181,23 +182,32 @@ Thread.sleep(50); } - SSLContext context = generateSSLContext(); - SSLSocketFactory sslsf = context.getSocketFactory(); + SSLSocket sslSocket = null; + try { + SSLContext context = generateSSLContext(); + SSLSocketFactory sslsf = context.getSocketFactory(); - SSLSocket sslSocket = - (SSLSocket)sslsf.createSocket("localhost", serverPort); + sslSocket = (SSLSocket)sslsf.createSocket("localhost", serverPort); - // enable the specified TLS protocol - sslSocket.setEnabledProtocols(new String[] {tlsProtocol}); + // enable the specified TLS protocol + sslSocket.setEnabledProtocols(new String[] {tlsProtocol}); - InputStream sslIS = sslSocket.getInputStream(); - OutputStream sslOS = sslSocket.getOutputStream(); - - sslOS.write('B'); - sslOS.flush(); - sslIS.read(); - - sslSocket.close(); + InputStream sslIS = sslSocket.getInputStream(); + OutputStream sslOS = sslSocket.getOutputStream(); + sslOS.write('B'); + sslOS.flush(); + sslIS.read(); + } catch (SSLHandshakeException e) { + // focus in on the CertPathValidatorException + Throwable t = e.getCause().getCause(); + if ((t == null) || (expectFail && + !t.toString().contains("MD5withRSA"))) { + throw new RuntimeException( + "Expected to see MD5withRSA in exception output " + t); + } + } finally { + if (sslSocket != null) sslSocket.close(); + } } /* @@ -206,10 +216,13 @@ */ private static String tmAlgorithm; // trust manager private static String tlsProtocol; // trust manager + // set this flag to test context of CertificateException + private static boolean expectFail; private static void parseArguments(String[] args) { tmAlgorithm = args[0]; tlsProtocol = args[1]; + expectFail = Boolean.parseBoolean(args[2]); } private static SSLContext generateSSLContext() throws Exception { @@ -232,7 +245,7 @@ // generate the private key. PKCS8EncodedKeySpec priKeySpec = new PKCS8EncodedKeySpec( - Base64.getMimeDecoder().decode(targetPrivateKey)); + Base64.getMimeDecoder().decode(targetPrivateKey)); KeyFactory kf = KeyFactory.getInstance("RSA"); RSAPrivateKey priKey = (RSAPrivateKey)kf.generatePrivate(priKeySpec); @@ -338,9 +351,19 @@ volatile Exception clientException = null; public static void main(String[] args) throws Exception { - // MD5 is used in this test case, don't disable MD5 algorithm. - Security.setProperty("jdk.certpath.disabledAlgorithms", + /* + * Get the customized arguments. + */ + parseArguments(args); + + /* + * MD5 is used in this test case, don't disable MD5 algorithm. + * if expectFail is set, we're testing exception message + */ + if (!expectFail) { + Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024"); + } Security.setProperty("jdk.tls.disabledAlgorithms", "SSLv3, RC4, DH keySize < 768"); @@ -348,11 +371,6 @@ System.setProperty("javax.net.debug", "all"); /* - * Get the customized arguments. - */ - parseArguments(args); - - /* * Start the tests. */ new TrustTrustedCert(); @@ -376,7 +394,8 @@ startServer(false); } } catch (Exception e) { - // swallow for now. Show later + System.out.println("Unexpected exception: "); + e.printStackTrace(); } /* @@ -440,7 +459,11 @@ */ System.err.println("Server died..."); serverReady = true; - serverException = e; + if (!expectFail) { + // only record if we weren't expecting. + // client side will record exception + serverException = e; + } } } }; @@ -449,7 +472,11 @@ try { doServerSide(); } catch (Exception e) { - serverException = e; + // only record if we weren't expecting. + // client side will record exception + if (!expectFail) { + serverException = e; + } } finally { serverReady = true; }