1
/*
2
 * Copyright (c) 2010, 2016, Oracle and/or its affiliates. All rights reserved.
3
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4
 *
5
 * This code is free software; you can redistribute it and/or modify it
6
 * under the terms of the GNU General Public License version 2 only, as
7
 * published by the Free Software Foundation.  Oracle designates this
8
 * particular file as subject to the "Classpath" exception as provided
9
 * by Oracle in the LICENSE file that accompanied this code.
10
 *
11
 * This code is distributed in the hope that it will be useful, but WITHOUT
12
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
14
 * version 2 for more details (a copy is included in the LICENSE file that
15
 * accompanied this code).
16
 *
17
 * You should have received a copy of the GNU General Public License version
18
 * 2 along with this work; if not, write to the Free Software Foundation,
19
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20
 *
21
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22
 * or visit www.oracle.com if you need additional information or have any
23
 * questions.
24
 */
25

26
//
27
// SunJSSE does not support dynamic system properties, no way to re-use
28
// system properties in samevm/agentvm mode.
29
//
30

31
/*
32
 * @test
33
 * @bug 4873188
34
 * @summary Support TLS 1.1
35
 * @run main/othervm EmptyCertificateAuthorities
36
 * @modules java.security.jgss
37
 *          java.security.jgss/sun.security.jgss.krb5
38
 *          java.security.jgss/sun.security.krb5:+open
39
 *          java.security.jgss/sun.security.krb5.internal:+open
40
 *          java.security.jgss/sun.security.krb5.internal.ccache
41
 *          java.security.jgss/sun.security.krb5.internal.crypto
42
 *          java.security.jgss/sun.security.krb5.internal.ktab
43
 *          java.base/sun.security.util
44
 * @author Xuelei Fan
45
 */
46

47
import java.io.FileInputStream;
48
import java.io.InputStream;
49
import java.io.OutputStream;
50
import java.security.KeyStore;
51
import java.security.Security;
52
import java.security.cert.CertificateException;
53
import java.security.cert.X509Certificate;
54
import javax.net.ssl.KeyManager;
55
import javax.net.ssl.KeyManagerFactory;
56
import javax.net.ssl.SSLContext;
57
import javax.net.ssl.SSLServerSocket;
58
import javax.net.ssl.SSLServerSocketFactory;
59
import javax.net.ssl.SSLSocket;
60
import javax.net.ssl.SSLSocketFactory;
61
import javax.net.ssl.TrustManager;
62
import javax.net.ssl.TrustManagerFactory;
63
import javax.net.ssl.X509TrustManager;
64

65
public class EmptyCertificateAuthorities {
66

67
    /*
68
     * =============================================================
69
     * Set the various variables needed for the tests, then
70
     * specify what tests to run on each side.
71
     */
72

73
    /*
74
     * Should we run the client or server in a separate thread?
75
     * Both sides can throw exceptions, but do you have a preference
76
     * as to which side should be the main thread.
77
     */
78
    static boolean separateServerThread = false;
79

80
    /*
81
     * Where do we find the keystores?
82
     */
83
    static String pathToStores = "../etc";
84
    static String keyStoreFile = "keystore";
85
    static String trustStoreFile = "truststore";
86
    static String passwd = "passphrase";
87

88
    /*
89
     * Is the server ready to serve?
90
     */
91
    volatile static boolean serverReady = false;
92

93
    /*
94
     * Turn on SSL debugging?
95
     */
96
    static boolean debug = false;
97

98
    /*
99
     * If the client or server is doing some kind of object creation
100
     * that the other side depends on, and that thread prematurely
101
     * exits, you may experience a hang.  The test harness will
102
     * terminate all hung threads after its timeout has expired,
103
     * currently 3 minutes by default, but you might try to be
104
     * smart about it....
105
     */
106

107
    /*
108
     * Define the server side of the test.
109
     *
110
     * If the server prematurely exits, serverReady will be set to true
111
     * to avoid infinite hangs.
112
     */
113
    void doServerSide() throws Exception {
114
        SSLServerSocketFactory sslssf = getSSLServerSF();
115
        SSLServerSocket sslServerSocket =
116
            (SSLServerSocket) sslssf.createServerSocket(serverPort);
117

118
        // require client authentication.
119
        sslServerSocket.setNeedClientAuth(true);
120

121
        serverPort = sslServerSocket.getLocalPort();
122

123
        /*
124
         * Signal Client, we're ready for his connect.
125
         */
126
        serverReady = true;
127

128
        SSLSocket sslSocket = (SSLSocket) sslServerSocket.accept();
129
        InputStream sslIS = sslSocket.getInputStream();
130
        OutputStream sslOS = sslSocket.getOutputStream();
131

132
        sslIS.read();
133
        sslOS.write('A');
134
        sslOS.flush();
135

136
        sslSocket.close();
137
    }
138

139
    /*
140
     * Define the client side of the test.
141
     *
142
     * If the server prematurely exits, serverReady will be set to true
143
     * to avoid infinite hangs.
144
     */
145
    void doClientSide() throws Exception {
146

147
        /*
148
         * Wait for server to get started.
149
         */
150
        while (!serverReady) {
151
            Thread.sleep(50);
152
        }
153

154
        SSLSocketFactory sslsf =
155
            (SSLSocketFactory) SSLSocketFactory.getDefault();
156
        SSLSocket sslSocket = (SSLSocket)
157
            sslsf.createSocket("localhost", serverPort);
158

159
        // enable TLSv1.1 only
160
        sslSocket.setEnabledProtocols(new String[] {"TLSv1.1"});
161

162
        InputStream sslIS = sslSocket.getInputStream();
163
        OutputStream sslOS = sslSocket.getOutputStream();
164

165
        sslOS.write('B');
166
        sslOS.flush();
167
        sslIS.read();
168

169
        sslSocket.close();
170
    }
171

172
    private SSLServerSocketFactory getSSLServerSF() throws Exception {
173

174
        char [] password =
175
            System.getProperty("javax.net.ssl.keyStorePassword").toCharArray();
176
        String keyFilename = System.getProperty("javax.net.ssl.keyStore");
177

178
        KeyStore ks = KeyStore.getInstance("JKS");
179
        ks.load(new FileInputStream(keyFilename), password);
180

181
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("NewSunX509");
182
        kmf.init(ks, password);
183

184
        KeyManager[] kms = kmf.getKeyManagers();
185
        TrustManager[] tms = new MyX509TM[] {new MyX509TM()};
186

187
        SSLContext ctx = SSLContext.getInstance("TLS");
188
        ctx.init(kms, tms, null);
189

190
        return ctx.getServerSocketFactory();
191
    }
192

193

194
    static class MyX509TM implements X509TrustManager {
195
        X509TrustManager tm;
196

197
        public void checkClientTrusted(X509Certificate[] chain,
198
            String authType) throws CertificateException {
199
            if (tm == null) {
200
                initialize();
201
            }
202
            tm.checkClientTrusted(chain, authType);
203
        }
204

205
        public void checkServerTrusted(X509Certificate[] chain,
206
            String authType) throws CertificateException {
207
            if (tm == null) {
208
                initialize();
209
            }
210
            tm.checkServerTrusted(chain, authType);
211
        }
212

213
        public X509Certificate[] getAcceptedIssuers() {
214
            // always return empty array
215
            return new X509Certificate[0];
216
        }
217

218
        private void initialize() throws CertificateException {
219
            String passwd =
220
                System.getProperty("javax.net.ssl.trustStorePassword");
221
            char [] password = passwd.toCharArray();
222
            String trustFilename =
223
                System.getProperty("javax.net.ssl.trustStore");
224

225
            try {
226
                KeyStore ks = KeyStore.getInstance("JKS");
227
                ks.load(new FileInputStream(trustFilename), password);
228

229
                TrustManagerFactory tmf =
230
                        TrustManagerFactory.getInstance("PKIX");
231
                tmf.init(ks);
232
                tm = (X509TrustManager)tmf.getTrustManagers()[0];
233
            } catch (Exception e) {
234
                throw new CertificateException("Unable to initialize TM");
235
            }
236

237
        }
238
    }
239

240
    /*
241
     * =============================================================
242
     * The remainder is just support stuff
243
     */
244

245
    // use any free port by default
246
    volatile int serverPort = 0;
247

248
    volatile Exception serverException = null;
249
    volatile Exception clientException = null;
250

251
    public static void main(String[] args) throws Exception {
252
        // MD5 is used in this test case, don't disable MD5 algorithm.
253
        Security.setProperty("jdk.certpath.disabledAlgorithms",
254
                "MD2, RSA keySize < 1024");
255
        Security.setProperty("jdk.tls.disabledAlgorithms",
256
                "SSLv3, RC4, DH keySize < 768");
257

258
        String keyFilename =
259
            System.getProperty("test.src", ".") + "/" + pathToStores +
260
                "/" + keyStoreFile;
261
        String trustFilename =
262
            System.getProperty("test.src", ".") + "/" + pathToStores +
263
                "/" + trustStoreFile;
264

265
        System.setProperty("javax.net.ssl.keyStore", keyFilename);
266
        System.setProperty("javax.net.ssl.keyStorePassword", passwd);
267
        System.setProperty("javax.net.ssl.trustStore", trustFilename);
268
        System.setProperty("javax.net.ssl.trustStorePassword", passwd);
269

270
        if (debug)
271
            System.setProperty("javax.net.debug", "all");
272

273
        /*
274
         * Start the tests.
275
         */
276
        new EmptyCertificateAuthorities();
277
    }
278

279
    Thread clientThread = null;
280
    Thread serverThread = null;
281

282
    /*
283
     * Primary constructor, used to drive remainder of the test.
284
     *
285
     * Fork off the other side, then do your work.
286
     */
287
    EmptyCertificateAuthorities() throws Exception {
288
        try {
289
            if (separateServerThread) {
290
                startServer(true);
291
                startClient(false);
292
            } else {
293
                startClient(true);
294
                startServer(false);
295
            }
296
        } catch (Exception e) {
297
            // swallow for now.  Show later
298
        }
299

300
        /*
301
         * Wait for other side to close down.
302
         */
303
        if (separateServerThread) {
304
            serverThread.join();
305
        } else {
306
            clientThread.join();
307
        }
308

309
        /*
310
         * When we get here, the test is pretty much over.
311
         * Which side threw the error?
312
         */
313
        Exception local;
314
        Exception remote;
315
        String whichRemote;
316

317
        if (separateServerThread) {
318
            remote = serverException;
319
            local = clientException;
320
            whichRemote = "server";
321
        } else {
322
            remote = clientException;
323
            local = serverException;
324
            whichRemote = "client";
325
        }
326

327
        /*
328
         * If both failed, return the curthread's exception, but also
329
         * print the remote side Exception
330
         */
331
        if ((local != null) && (remote != null)) {
332
            System.out.println(whichRemote + " also threw:");
333
            remote.printStackTrace();
334
            System.out.println();
335
            throw local;
336
        }
337

338
        if (remote != null) {
339
            throw remote;
340
        }
341

342
        if (local != null) {
343
            throw local;
344
        }
345
    }
346

347
    void startServer(boolean newThread) throws Exception {
348
        if (newThread) {
349
            serverThread = new Thread() {
350
                public void run() {
351
                    try {
352
                        doServerSide();
353
                    } catch (Exception e) {
354
                        /*
355
                         * Our server thread just died.
356
                         *
357
                         * Release the client, if not active already...
358
                         */
359
                        System.err.println("Server died...");
360
                        serverReady = true;
361
                        serverException = e;
362
                    }
363
                }
364
            };
365
            serverThread.start();
366
        } else {
367
            try {
368
                doServerSide();
369
            } catch (Exception e) {
370
                serverException = e;
371
            } finally {
372
                serverReady = true;
373
            }
374
        }
375
    }
376

377
    void startClient(boolean newThread) throws Exception {
378
        if (newThread) {
379
            clientThread = new Thread() {
380
                public void run() {
381
                    try {
382
                        doClientSide();
383
                    } catch (Exception e) {
384
                        /*
385
                         * Our client thread just died.
386
                         */
387
                        System.err.println("Client died...");
388
                        clientException = e;
389
                    }
390
                }
391
            };
392
            clientThread.start();
393
        } else {
394
            try {
395
                doClientSide();
396
            } catch (Exception e) {
397
                clientException = e;
398
            }
399
        }
400
    }
401
}
402

403