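/*
 * Copyright (c) 2001, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

//
// SunJSSE does not support dynamic system properties, no way to re-use
// system properties in samevm/agentvm mode.  That is why this test runs in
// its own VM (main/othervm below): the javax.net.ssl.* system properties and
// the Security properties set in main() are process-wide.
//

/*
 * @test
 * @bug 6668231
 * @summary Presence of a critical subjectAltName causes JSSE's SunX509 to
 *        fail trusted checks
 * @run main/othervm CriticalSubjectAltName
 * @author Xuelei Fan
 */

/*
 * This test depends on binary keystore, crisubn.jks and trusted.jks. Because
 * JAVA keytool cannot generate X509 certificate with SubjectAltName extension,
 * the certificates are generated with openssl toolkits and then imported into
 * JAVA keystore.
 *
 * The crisubn.jks holds a private key entry and the corresponding X509
 * certificate issued with an empty Subject field, and a critical
 * SubjectAltName extension.
 *
 * The trusted.jks holds the trusted certificate.
 *
 * Security note for readers copying this file as a template: the test
 * deliberately (a) re-enables MD5 in certificate-path validation because the
 * fixture certificates use it, and (b) installs a HostnameVerifier that
 * accepts every host.  Both are test-only relaxations and must not be
 * carried into production code.
 */
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.*;
import java.security.Security;
import java.security.cert.Certificate;

/**
 * Regression test for bug 6668231: a trusted certificate whose identity is
 * carried in a critical SubjectAltName extension (with an empty Subject)
 * must still pass the SunX509 trust check.
 *
 * The class runs a minimal HTTPS server presenting the crisubn.jks
 * certificate and a client that connects to it over HttpsURLConnection.
 * A successful handshake followed by a readable response code is the pass
 * condition; a trust failure surfaces as an exception from the client
 * thread and is rethrown from the constructor.
 */
public class CriticalSubjectAltName implements HostnameVerifier {
    /*
     * =============================================================
     * Set the various variables needed for the tests, then
     * specify what tests to run on each side.
     */

    /*
     * Should we run the client or server in a separate thread?
     * Both sides can throw exceptions, but do you have a preference
     * as to which side should be the main thread.
     */
    static boolean separateServerThread = true;

    /*
     * Where do we find the keystores?
     */
    static String pathToStores = "./";
    static String keyStoreFile = "crisubn.jks";
    static String trustStoreFile = "trusted.jks";
    static String passwd = "passphrase";

    /*
     * Is the server ready to serve?  Written by the server thread once the
     * listening socket is bound (or the server died), polled by the client.
     */
    volatile static boolean serverReady = false;

    /*
     * Turn on SSL debugging?
     */
    static boolean debug = false;

    /*
     * If the client or server is doing some kind of object creation
     * that the other side depends on, and that thread prematurely
     * exits, you may experience a hang.  The test harness will
     * terminate all hung threads after its timeout has expired,
     * currently 3 minutes by default, but you might try to be
     * smart about it....
     */

    /*
     * Define the server side of the test.
     *
     * Binds an SSLServerSocket on an ephemeral port (the port is published
     * through serverPort), signals the client, accepts exactly one
     * connection, writes a minimal HTTP/1.1 200 response and keeps the
     * connection open for five seconds so the client can read it.
     *
     * If the server prematurely exits, serverReady will be set to true
     * (by startServer) to avoid infinite hangs.
     *
     * @throws Exception on any socket, TLS or interruption failure
     */
    void doServerSide() throws Exception {
        SSLServerSocketFactory sslssf =
            (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        // try-with-resources so neither the listening socket nor the
        // accepted connection outlives the test on any exit path.
        try (SSLServerSocket sslServerSocket =
                (SSLServerSocket) sslssf.createServerSocket(serverPort)) {
            serverPort = sslServerSocket.getLocalPort();

            /*
             * Signal Client, we're ready for his connect.
             */
            serverReady = true;

            try (SSLSocket sslSocket = (SSLSocket) sslServerSocket.accept();
                 BufferedWriter bw = new BufferedWriter(
                     new OutputStreamWriter(sslSocket.getOutputStream(),
                                            StandardCharsets.US_ASCII))) {
                // Minimal response: status line plus an empty header block.
                bw.write("HTTP/1.1 200 OK\r\n\r\n\r\n");
                bw.flush();
                // Give the client time to read the response before closing.
                Thread.sleep(5000);
            }
        }
    }

    /*
     * Define the client side of the test.
     *
     * Waits for the server, then opens an HttpsURLConnection to it.  The
     * TLS handshake - and therefore the trust check this test is about -
     * happens inside getInputStream(); a trust failure propagates from
     * there as an exception.
     *
     * If the server prematurely exits, serverReady will be set to true
     * to avoid infinite hangs.
     *
     * @throws Exception on handshake or I/O failure
     * @throws RuntimeException if no response code could be read
     */
    void doClientSide() throws Exception {

        /*
         * Wait for server to get started.
         */
        while (!serverReady) {
            Thread.sleep(50);
        }

        URL url = new URL("https://localhost:" + serverPort + "/index.html");
        HttpsURLConnection urlc = (HttpsURLConnection) url.openConnection();
        // Test-only: disable host-name matching, see verify() below.
        urlc.setHostnameVerifier(this);
        // Close the stream so the connection does not linger once the
        // response code has been checked.
        try (InputStream in = urlc.getInputStream()) {
            if (urlc.getResponseCode() == -1) {
                throw new RuntimeException("getResponseCode() returns -1");
            }
        }
    }

    /*
     * =============================================================
     * The remainder is just support stuff
     */

    // use any free port by default
    volatile int serverPort = 0;

    volatile Exception serverException = null;
    volatile Exception clientException = null;

    /**
     * Entry point: configures the JVM-wide TLS environment for the fixture
     * keystores, then runs the test by constructing this class.
     *
     * @param args ignored
     * @throws Exception the first exception raised by either side
     */
    public static void main(String[] args) throws Exception {
        // MD5 is used in this test case, don't disable MD5 algorithm.
        // SECURITY: this deliberately weakens certificate-path validation
        // (the default list disables MD5) so that the MD5-signed fixture
        // certificates validate.  Test-only; never ship this setting.
        Security.setProperty("jdk.certpath.disabledAlgorithms",
            "MD2, RSA keySize < 1024");
        // Replaces (rather than extends) the JDK default TLS disabled list
        // for this VM; keep in mind when adding new protocol/cipher checks.
        Security.setProperty("jdk.tls.disabledAlgorithms",
            "SSLv3, RC4, DH keySize < 768");

        String keyFilename =
            System.getProperty("test.src", "./") + "/" + pathToStores +
                "/" + keyStoreFile;
        String trustFilename =
            System.getProperty("test.src", "./") + "/" + pathToStores +
                "/" + trustStoreFile;

        // Default key/trust material for both the server and the client
        // (both run in this VM and share these properties).
        System.setProperty("javax.net.ssl.keyStore", keyFilename);
        System.setProperty("javax.net.ssl.keyStorePassword", passwd);
        System.setProperty("javax.net.ssl.trustStore", trustFilename);
        System.setProperty("javax.net.ssl.trustStorePassword", passwd);

        if (debug)
            System.setProperty("javax.net.debug", "all");

        /*
         * Start the tests.
         */
        new CriticalSubjectAltName();
    }

    Thread clientThread = null;
    Thread serverThread = null;

    /*
     * Primary constructor, used to drive remainder of the test.
     *
     * Fork off the other side, then do your work.
     *
     * @throws Exception the server's exception if it had one, else the
     *         client's; the side running on the main thread throws directly
     */
    CriticalSubjectAltName() throws Exception {
        if (separateServerThread) {
            startServer(true);
            startClient(false);
        } else {
            startClient(true);
            startServer(false);
        }

        /*
         * Wait for other side to close down.
         */
        if (separateServerThread) {
            serverThread.join();
        } else {
            clientThread.join();
        }

        /*
         * When we get here, the test is pretty much over.
         *
         * If the main thread excepted, that propagates back
         * immediately.  If the other thread threw an exception, we
         * should report back.
         */
        if (serverException != null)
            throw serverException;
        if (clientException != null)
            throw clientException;
    }

    /*
     * Runs the server side, either on a new thread or inline.
     *
     * @param newThread true to fork a thread; false to run on the caller
     * @throws Exception only when run inline and doServerSide fails
     */
    void startServer(boolean newThread) throws Exception {
        if (newThread) {
            serverThread = new Thread() {
                public void run() {
                    try {
                        doServerSide();
                    } catch (Exception e) {
                        /*
                         * Our server thread just died.
                         *
                         * Release the client, if not active already...
                         */
                        System.err.println("Server died...");
                        serverReady = true;
                        serverException = e;
                    }
                }
            };
            serverThread.start();
        } else {
            doServerSide();
        }
    }

    /*
     * Runs the client side, either on a new thread or inline.
     *
     * @param newThread true to fork a thread; false to run on the caller
     * @throws Exception only when run inline and doClientSide fails
     */
    void startClient(boolean newThread) throws Exception {
        if (newThread) {
            clientThread = new Thread() {
                public void run() {
                    try {
                        doClientSide();
                    } catch (Exception e) {
                        /*
                         * Our client thread just died.
                         */
                        System.err.println("Client died...");
                        clientException = e;
                    }
                }
            };
            clientThread.start();
        } else {
            doClientSide();
        }
    }

    /**
     * Blindly agrees that the host name and the certificate match.
     *
     * Test-only: the server certificate has an empty Subject and carries
     * its identity in a critical SubjectAltName, which may not match the
     * "localhost" the client connects to, and host-name matching is not
     * what this test exercises.  A verifier that always returns true
     * disables the host-identity half of TLS server authentication: any
     * certificate the trust store accepts could then impersonate any
     * host.  Never use this outside a test.
     *
     * @param hostname the host the client connected to (ignored)
     * @param session  the negotiated session (ignored)
     * @return always {@code true}
     */
    @Override
    public boolean verify(String hostname, SSLSession session) {
        return true;
    }

}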