--- a/test/jdk/sun/security/pkcs11/fips/CipherTest.java Tue Feb 12 15:19:25 2019 -0500
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,608 +0,0 @@
-/*
- * Copyright (c) 2002, 2013, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-import java.io.*;
-import java.net.*;
-import java.util.*;
-import java.util.concurrent.*;
-
-import java.security.*;
-import java.security.cert.*;
-import java.security.cert.Certificate;
-
-import javax.net.ssl.*;
-
-/**
- * Test that all ciphersuites work in all versions and all client
- * authentication types. The way this is setup the server is stateless and
- * all checking is done on the client side.
- *
- * The test is multithreaded to speed it up, especially on multiprocessor
- * machines. To simplify debugging, run with -DnumThreads=1.
- *
- * @author Andreas Sterbenz
- */
-public class CipherTest {
-
- // use any available port for the server socket
- static int serverPort = 0;
-
- final int THREADS;
-
- // assume that if we do not read anything for 20 seconds, something
- // has gone wrong
- final static int TIMEOUT = 20 * 1000;
-
- static KeyStore /* trustStore, */ keyStore;
- static X509ExtendedKeyManager keyManager;
- static X509TrustManager trustManager;
- static SecureRandom secureRandom;
-
- private static PeerFactory peerFactory;
-
- static abstract class Server implements Runnable {
-
- final CipherTest cipherTest;
-
- Server(CipherTest cipherTest) throws Exception {
- this.cipherTest = cipherTest;
- }
-
- public abstract void run();
-
- void handleRequest(InputStream in, OutputStream out) throws IOException {
- boolean newline = false;
- StringBuilder sb = new StringBuilder();
- while (true) {
- int ch = in.read();
- if (ch < 0) {
- throw new EOFException();
- }
- sb.append((char)ch);
- if (ch == '\r') {
- // empty
- } else if (ch == '\n') {
- if (newline) {
- // 2nd newline in a row, end of request
- break;
- }
- newline = true;
- } else {
- newline = false;
- }
- }
- String request = sb.toString();
- if (request.startsWith("GET / HTTP/1.") == false) {
- throw new IOException("Invalid request: " + request);
- }
- out.write("HTTP/1.0 200 OK\r\n\r\n".getBytes());
- }
-
- }
-
- public static class TestParameters {
-
- String cipherSuite;
- String protocol;
- String clientAuth;
-
- TestParameters(String cipherSuite, String protocol,
- String clientAuth) {
- this.cipherSuite = cipherSuite;
- this.protocol = protocol;
- this.clientAuth = clientAuth;
- }
-
- boolean isEnabled() {
- return TLSCipherStatus.isEnabled(cipherSuite, protocol);
- }
-
- public String toString() {
- String s = cipherSuite + " in " + protocol + " mode";
- if (clientAuth != null) {
- s += " with " + clientAuth + " client authentication";
- }
- return s;
- }
-
- static enum TLSCipherStatus {
- // cipher suites supported since TLS 1.2
- CS_01("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", 0x0303, 0xFFFF),
- CS_02("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", 0x0303, 0xFFFF),
- CS_03("TLS_RSA_WITH_AES_256_CBC_SHA256", 0x0303, 0xFFFF),
- CS_04("TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384", 0x0303, 0xFFFF),
- CS_05("TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384", 0x0303, 0xFFFF),
- CS_06("TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", 0x0303, 0xFFFF),
- CS_07("TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", 0x0303, 0xFFFF),
-
- CS_08("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", 0x0303, 0xFFFF),
- CS_09("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", 0x0303, 0xFFFF),
- CS_10("TLS_RSA_WITH_AES_128_CBC_SHA256", 0x0303, 0xFFFF),
- CS_11("TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", 0x0303, 0xFFFF),
- CS_12("TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256", 0x0303, 0xFFFF),
- CS_13("TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", 0x0303, 0xFFFF),
- CS_14("TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", 0x0303, 0xFFFF),
-
- CS_15("TLS_DH_anon_WITH_AES_256_CBC_SHA256", 0x0303, 0xFFFF),
- CS_16("TLS_DH_anon_WITH_AES_128_CBC_SHA256", 0x0303, 0xFFFF),
- CS_17("TLS_RSA_WITH_NULL_SHA256", 0x0303, 0xFFFF),
-
- CS_20("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", 0x0303, 0xFFFF),
- CS_21("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", 0x0303, 0xFFFF),
- CS_22("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 0x0303, 0xFFFF),
- CS_23("TLS_RSA_WITH_AES_256_GCM_SHA384", 0x0303, 0xFFFF),
- CS_24("TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384", 0x0303, 0xFFFF),
- CS_25("TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384", 0x0303, 0xFFFF),
- CS_26("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", 0x0303, 0xFFFF),
- CS_27("TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", 0x0303, 0xFFFF),
-
- CS_28("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 0x0303, 0xFFFF),
- CS_29("TLS_RSA_WITH_AES_128_GCM_SHA256", 0x0303, 0xFFFF),
- CS_30("TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256", 0x0303, 0xFFFF),
- CS_31("TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", 0x0303, 0xFFFF),
- CS_32("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", 0x0303, 0xFFFF),
- CS_33("TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", 0x0303, 0xFFFF),
-
- CS_34("TLS_DH_anon_WITH_AES_256_GCM_SHA384", 0x0303, 0xFFFF),
- CS_35("TLS_DH_anon_WITH_AES_128_GCM_SHA256", 0x0303, 0xFFFF),
-
- // cipher suites obsoleted since TLS 1.2
- CS_50("SSL_RSA_WITH_DES_CBC_SHA", 0x0000, 0x0303),
- CS_51("SSL_DHE_RSA_WITH_DES_CBC_SHA", 0x0000, 0x0303),
- CS_52("SSL_DHE_DSS_WITH_DES_CBC_SHA", 0x0000, 0x0303),
- CS_53("SSL_DH_anon_WITH_DES_CBC_SHA", 0x0000, 0x0303),
- CS_54("TLS_KRB5_WITH_DES_CBC_SHA", 0x0000, 0x0303),
- CS_55("TLS_KRB5_WITH_DES_CBC_MD5", 0x0000, 0x0303),
-
- // cipher suites obsoleted since TLS 1.1
- CS_60("SSL_RSA_EXPORT_WITH_RC4_40_MD5", 0x0000, 0x0302),
- CS_61("SSL_DH_anon_EXPORT_WITH_RC4_40_MD5", 0x0000, 0x0302),
- CS_62("SSL_RSA_EXPORT_WITH_DES40_CBC_SHA", 0x0000, 0x0302),
- CS_63("SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", 0x0000, 0x0302),
- CS_64("SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", 0x0000, 0x0302),
- CS_65("SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA", 0x0000, 0x0302),
- CS_66("TLS_KRB5_EXPORT_WITH_RC4_40_SHA", 0x0000, 0x0302),
- CS_67("TLS_KRB5_EXPORT_WITH_RC4_40_MD5", 0x0000, 0x0302),
- CS_68("TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA", 0x0000, 0x0302),
- CS_69("TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5", 0x0000, 0x0302),
-
- // ignore TLS_EMPTY_RENEGOTIATION_INFO_SCSV always
- CS_99("TLS_EMPTY_RENEGOTIATION_INFO_SCSV", 0xFFFF, 0x0000);
-
- // the cipher suite name
- final String cipherSuite;
-
- // supported since protocol version
- final int supportedSince;
-
- // obsoleted since protocol version
- final int obsoletedSince;
-
- TLSCipherStatus(String cipherSuite,
- int supportedSince, int obsoletedSince) {
- this.cipherSuite = cipherSuite;
- this.supportedSince = supportedSince;
- this.obsoletedSince = obsoletedSince;
- }
-
- static boolean isEnabled(String cipherSuite, String protocol) {
- int versionNumber = toVersionNumber(protocol);
-
- if (versionNumber < 0) {
- return true; // unlikely to happen
- }
-
- for (TLSCipherStatus status : TLSCipherStatus.values()) {
- if (cipherSuite.equals(status.cipherSuite)) {
- if ((versionNumber < status.supportedSince) ||
- (versionNumber >= status.obsoletedSince)) {
- return false;
- }
-
- return true;
- }
- }
-
- return true;
- }
-
- private static int toVersionNumber(String protocol) {
- int versionNumber = -1;
-
- switch (protocol) {
- case "SSLv2Hello":
- versionNumber = 0x0002;
- break;
- case "SSLv3":
- versionNumber = 0x0300;
- break;
- case "TLSv1":
- versionNumber = 0x0301;
- break;
- case "TLSv1.1":
- versionNumber = 0x0302;
- break;
- case "TLSv1.2":
- versionNumber = 0x0303;
- break;
- default:
- // unlikely to happen
- }
-
- return versionNumber;
- }
- }
- }
-
- private List<TestParameters> tests;
- private Iterator<TestParameters> testIterator;
- private SSLSocketFactory factory;
- private boolean failed;
-
- private CipherTest(PeerFactory peerFactory) throws IOException {
- THREADS = Integer.parseInt(System.getProperty("numThreads", "4"));
- factory = (SSLSocketFactory)SSLSocketFactory.getDefault();
- SSLSocket socket = (SSLSocket)factory.createSocket();
- String[] cipherSuites = socket.getSupportedCipherSuites();
- String[] protocols = socket.getSupportedProtocols();
-// String[] clientAuths = {null, "RSA", "DSA"};
- String[] clientAuths = {null};
- tests = new ArrayList<TestParameters>(
- cipherSuites.length * protocols.length * clientAuths.length);
- for (int i = 0; i < cipherSuites.length; i++) {
- String cipherSuite = cipherSuites[i];
-
- for (int j = 0; j < protocols.length; j++) {
- String protocol = protocols[j];
-
- if (!peerFactory.isSupported(cipherSuite, protocol)) {
- continue;
- }
-
- for (int k = 0; k < clientAuths.length; k++) {
- String clientAuth = clientAuths[k];
- if ((clientAuth != null) &&
- (cipherSuite.indexOf("DH_anon") != -1)) {
- // no client with anonymous ciphersuites
- continue;
- }
- tests.add(new TestParameters(cipherSuite, protocol,
- clientAuth));
- }
- }
- }
- testIterator = tests.iterator();
- }
-
- synchronized void setFailed() {
- failed = true;
- }
-
- public void run() throws Exception {
- Thread[] threads = new Thread[THREADS];
- for (int i = 0; i < THREADS; i++) {
- try {
- threads[i] = new Thread(peerFactory.newClient(this),
- "Client " + i);
- } catch (Exception e) {
- e.printStackTrace();
- return;
- }
- threads[i].start();
- }
- try {
- for (int i = 0; i < THREADS; i++) {
- threads[i].join();
- }
- } catch (InterruptedException e) {
- setFailed();
- e.printStackTrace();
- }
- if (failed) {
- throw new Exception("*** Test '" + peerFactory.getName() +
- "' failed ***");
- } else {
- System.out.println("Test '" + peerFactory.getName() +
- "' completed successfully");
- }
- }
-
- synchronized TestParameters getTest() {
- if (failed) {
- return null;
- }
- if (testIterator.hasNext()) {
- return (TestParameters)testIterator.next();
- }
- return null;
- }
-
- SSLSocketFactory getFactory() {
- return factory;
- }
-
- static abstract class Client implements Runnable {
-
- final CipherTest cipherTest;
-
- Client(CipherTest cipherTest) throws Exception {
- this.cipherTest = cipherTest;
- }
-
- public final void run() {
- while (true) {
- TestParameters params = cipherTest.getTest();
- if (params == null) {
- // no more tests
- break;
- }
- if (params.isEnabled() == false) {
- System.out.println("Skipping disabled test " + params);
- continue;
- }
- try {
- runTest(params);
- System.out.println("Passed " + params);
- } catch (Exception e) {
- cipherTest.setFailed();
- System.out.println("** Failed " + params + "**");
- e.printStackTrace();
- }
- }
- }
-
- abstract void runTest(TestParameters params) throws Exception;
-
- void sendRequest(InputStream in, OutputStream out) throws IOException {
- out.write("GET / HTTP/1.0\r\n\r\n".getBytes());
- out.flush();
- StringBuilder sb = new StringBuilder();
- while (true) {
- int ch = in.read();
- if (ch < 0) {
- break;
- }
- sb.append((char)ch);
- }
- String response = sb.toString();
- if (response.startsWith("HTTP/1.0 200 ") == false) {
- throw new IOException("Invalid response: " + response);
- }
- }
-
- }
-
- // for some reason, ${test.src} has a different value when the
- // test is called from the script and when it is called directly...
- static String pathToStores = ".";
- static String pathToStoresSH = ".";
- static String keyStoreFile = "keystore";
- static String trustStoreFile = "truststore";
- static char[] passwd = "passphrase".toCharArray();
-
- static File PATH;
-
- private static KeyStore readKeyStore(String name) throws Exception {
- File file = new File(PATH, name);
- InputStream in = new FileInputStream(file);
- KeyStore ks = KeyStore.getInstance("JKS");
- ks.load(in, passwd);
- in.close();
- return ks;
- }
-
- public static void main(PeerFactory peerFactory, KeyStore keyStore,
- String[] args) throws Exception {
- long time = System.currentTimeMillis();
- String relPath;
- if ((args != null) && (args.length > 0) && args[0].equals("sh")) {
- relPath = pathToStoresSH;
- } else {
- relPath = pathToStores;
- }
- PATH = new File(System.getProperty("test.src", "."), relPath);
- CipherTest.peerFactory = peerFactory;
- System.out.print(
- "Initializing test '" + peerFactory.getName() + "'...");
-// secureRandom = new SecureRandom();
-// secureRandom.nextInt();
-// trustStore = readKeyStore(trustStoreFile);
- CipherTest.keyStore = keyStore;
-// keyStore = readKeyStore(keyStoreFile);
- KeyManagerFactory keyFactory =
- KeyManagerFactory.getInstance(
- KeyManagerFactory.getDefaultAlgorithm());
- keyFactory.init(keyStore, "test12".toCharArray());
- keyManager = (X509ExtendedKeyManager)keyFactory.getKeyManagers()[0];
-
- TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
- tmf.init(keyStore);
- trustManager = (X509TrustManager)tmf.getTrustManagers()[0];
-
-// trustManager = new AlwaysTrustManager();
- SSLContext context = SSLContext.getInstance("TLS");
- context.init(new KeyManager[] {keyManager},
- new TrustManager[] {trustManager}, null);
- SSLContext.setDefault(context);
-
- CipherTest cipherTest = new CipherTest(peerFactory);
- Thread serverThread = new Thread(peerFactory.newServer(cipherTest),
- "Server");
- serverThread.setDaemon(true);
- serverThread.start();
- System.out.println("Done");
- cipherTest.run();
- time = System.currentTimeMillis() - time;
- System.out.println("Done. (" + time + " ms)");
- }
-
- static abstract class PeerFactory {
-
- abstract String getName();
-
- abstract Client newClient(CipherTest cipherTest) throws Exception;
-
- abstract Server newServer(CipherTest cipherTest) throws Exception;
-
- boolean isSupported(String cipherSuite, String protocol) {
- // skip kerberos cipher suites
- if (cipherSuite.startsWith("TLS_KRB5")) {
- System.out.println("Skipping unsupported test for " +
- cipherSuite + " of " + protocol);
- return false;
- }
-
- // No ECDH-capable certificate in key store. May restructure
- // this in the future.
- if (cipherSuite.contains("ECDHE_ECDSA") ||
- cipherSuite.contains("ECDH_ECDSA") ||
- cipherSuite.contains("ECDH_RSA")) {
- System.out.println("Skipping unsupported test for " +
- cipherSuite + " of " + protocol);
- return false;
- }
-
- // skip SSLv2Hello protocol
- //
- // skip TLSv1.2 protocol, we have not implement "SunTls12Prf" and
- // SunTls12RsaPremasterSecret in SunPKCS11 provider
- if (protocol.equals("SSLv2Hello") || protocol.equals("TLSv1.2")) {
- System.out.println("Skipping unsupported test for " +
- cipherSuite + " of " + protocol);
- return false;
- }
-
- // ignore exportable cipher suite for TLSv1.1
- if (protocol.equals("TLSv1.1")) {
- if (cipherSuite.indexOf("_EXPORT_WITH") != -1) {
- System.out.println("Skipping obsoleted test for " +
- cipherSuite + " of " + protocol);
- return false;
- }
- }
-
- return true;
- }
- }
-
-}
-
-// we currently don't do any chain verification. we assume that works ok
-// and we can speed up the test. we could also just add a plain certificate
-// chain comparision with our trusted certificates.
-class AlwaysTrustManager implements X509TrustManager {
-
- public AlwaysTrustManager() {
-
- }
-
- public void checkClientTrusted(X509Certificate[] chain, String authType)
- throws CertificateException {
- // empty
- }
-
- public void checkServerTrusted(X509Certificate[] chain, String authType)
- throws CertificateException {
- // empty
- }
-
- public X509Certificate[] getAcceptedIssuers() {
- return new X509Certificate[0];
- }
-}
-
-class MyX509KeyManager extends X509ExtendedKeyManager {
-
- private final X509ExtendedKeyManager keyManager;
- private String authType;
-
- MyX509KeyManager(X509ExtendedKeyManager keyManager) {
- this.keyManager = keyManager;
- }
-
- void setAuthType(String authType) {
- this.authType = authType;
- }
-
- public String[] getClientAliases(String keyType, Principal[] issuers) {
- if (authType == null) {
- return null;
- }
- return keyManager.getClientAliases(authType, issuers);
- }
-
- public String chooseClientAlias(String[] keyType, Principal[] issuers,
- Socket socket) {
- if (authType == null) {
- return null;
- }
- return keyManager.chooseClientAlias(new String[] {authType},
- issuers, socket);
- }
-
- public String chooseEngineClientAlias(String[] keyType,
- Principal[] issuers, SSLEngine engine) {
- if (authType == null) {
- return null;
- }
- return keyManager.chooseEngineClientAlias(new String[] {authType},
- issuers, engine);
- }
-
- public String[] getServerAliases(String keyType, Principal[] issuers) {
- throw new UnsupportedOperationException("Servers not supported");
- }
-
- public String chooseServerAlias(String keyType, Principal[] issuers,
- Socket socket) {
- throw new UnsupportedOperationException("Servers not supported");
- }
-
- public String chooseEngineServerAlias(String keyType, Principal[] issuers,
- SSLEngine engine) {
- throw new UnsupportedOperationException("Servers not supported");
- }
-
- public X509Certificate[] getCertificateChain(String alias) {
- return keyManager.getCertificateChain(alias);
- }
-
- public PrivateKey getPrivateKey(String alias) {
- return keyManager.getPrivateKey(alias);
- }
-
-}
-
-class DaemonThreadFactory implements ThreadFactory {
-
- final static ThreadFactory INSTANCE = new DaemonThreadFactory();
-
- private final static ThreadFactory DEFAULT = Executors.defaultThreadFactory();
-
- public Thread newThread(Runnable r) {
- Thread t = DEFAULT.newThread(r);
- t.setDaemon(true);
- return t;
- }
-
-}