CoCalc -- DisabledShortDSAKeys.java

GitHub Repository: PojavLauncherTeam/mobile
Path: blob/master/test/jdk/javax/net/ssl/TLSv12/DisabledShortDSAKeys.java
⁴¹¹⁵² views
1
/*
2
 * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
3
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4
 *
5
 * This code is free software; you can redistribute it and/or modify it
6
 * under the terms of the GNU General Public License version 2 only, as
7
 * published by the Free Software Foundation.  Oracle designates this
8
 * particular file as subject to the "Classpath" exception as provided
9
 * by Oracle in the LICENSE file that accompanied this code.
10
 *
11
 * This code is distributed in the hope that it will be useful, but WITHOUT
12
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
14
 * version 2 for more details (a copy is included in the LICENSE file that
15
 * accompanied this code).
16
 *
17
 * You should have received a copy of the GNU General Public License version
18
 * 2 along with this work; if not, write to the Free Software Foundation,
19
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20
 *
21
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22
 * or visit www.oracle.com if you need additional information or have any
23
 * questions.
24
 */
25

26
// SunJSSE does not support dynamic system properties, no way to re-use
27
// system properties in samevm/agentvm mode.
28

29
/*
30
 * @test
31
 * @bug 8139565
32
 * @summary Restrict certificates with DSA keys less than 1024 bits
33
 *
34
 * @run main/othervm DisabledShortDSAKeys PKIX TLSv1.2
35
 * @run main/othervm DisabledShortDSAKeys SunX509 TLSv1.2
36
 * @run main/othervm DisabledShortDSAKeys PKIX TLSv1.1
37
 * @run main/othervm DisabledShortDSAKeys SunX509 TLSv1.1
38
 * @run main/othervm DisabledShortDSAKeys PKIX TLSv1
39
 * @run main/othervm DisabledShortDSAKeys SunX509 TLSv1
40
 * @run main/othervm DisabledShortDSAKeys PKIX SSLv3
41
 * @run main/othervm DisabledShortDSAKeys SunX509 SSLv3
42
 */
43

44
import java.net.*;
45
import java.util.*;
46
import java.io.*;
47
import javax.net.ssl.*;
48
import java.security.Security;
49
import java.security.KeyStore;
50
import java.security.KeyFactory;
51
import java.security.cert.Certificate;
52
import java.security.cert.CertificateFactory;
53
import java.security.spec.*;
54
import java.security.interfaces.*;
55
import java.util.Base64;
56

57

58
public class DisabledShortDSAKeys {
59

60
    /*
61
     * =============================================================
62
     * Set the various variables needed for the tests, then
63
     * specify what tests to run on each side.
64
     */
65

66
    /*
67
     * Should we run the client or server in a separate thread?
68
     * Both sides can throw exceptions, but do you have a preference
69
     * as to which side should be the main thread.
70
     */
71
    static boolean separateServerThread = true;
72

73
    /*
74
     * Where do we find the keystores?
75
     */
76
    // Certificates and key used in the test.
77
    static String trustedCertStr =
78
        "-----BEGIN CERTIFICATE-----\n" +
79
        "MIIDDjCCAs2gAwIBAgIJAO5/hbm1ByJOMAkGByqGSM44BAMwHzELMAkGA1UEBhMC\n" +
80
        "VVMxEDAOBgNVBAoTB0V4YW1wbGUwHhcNMTYwMjE2MDQzNTQ2WhcNMzcwMTI2MDQz\n" +
81
        "NTQ2WjAfMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRXhhbXBsZTCCAbgwggEsBgcq\n" +
82
        "hkjOOAQBMIIBHwKBgQC4aSK8nBYdWJtuBkz6yoDyjZnNuGFSpDmx1ggKpLpcnPuw\n" +
83
        "YKAbUhqdYhZtaIqQ4aO0T1ZS/HuOM0zvddnMUidFNX3RUvDkvdD/JYOnjqzCm+xW\n" +
84
        "U0NFuPHZdapQY5KFk3ugkqZpHLY1StZbu0qugZOZjbBOMwB7cHAbMDuVpEr8DQIV\n" +
85
        "AOi+ig+h3okFbWEE9MztiI2+DqNrAoGBAKh2EZbuWU9NoHglhVzfDUoz8CeyW6W6\n" +
86
        "rUZuIOQsjWaYOeRPWX0UVAGq9ykIOfamEpurKt4H8ge/pHaL9iazJjonMHOXG12A\n" +
87
        "0lALsMDGv22zVaJzXjOBvdPzc87opr0LIVgHASKOcDYjsICKNYPlS2cL3MJoD+bj\n" +
88
        "NAR67b90VBbEA4GFAAKBgQCGrkRp2tdj2mZF7Qz0tO6p3xSysbEfN6QZxOJYPTvM\n" +
89
        "yIYfLV9Yoy7XaRd/mCpJo/dqmsZMzowtyi+u+enuVpOLKiq/lyCktL+xUzZAjLT+\n" +
90
        "9dafHlS1wR3pDSa1spo9xTEi4Ff/DQDHcdGalBxSXX/UdRtSecIYAp5/fkt3QZ5v\n" +
91
        "0aOBkTCBjjAdBgNVHQ4EFgQUX4qbP5PgBx1J8BJ8qEgfoKVLSnQwTwYDVR0jBEgw\n" +
92
        "RoAUX4qbP5PgBx1J8BJ8qEgfoKVLSnShI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n" +
93
        "VQQKEwdFeGFtcGxlggkA7n+FubUHIk4wDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8E\n" +
94
        "BAMCAgQwCQYHKoZIzjgEAwMwADAtAhUAkr5bINXyy/McAx6qwhb6r0/QJUgCFFUP\n" +
95
        "CZokA4/NqJIgq8ThpTQAE8SB\n" +
96
        "-----END CERTIFICATE-----";
97

98
    static String targetCertStr =
99
        "-----BEGIN CERTIFICATE-----\n" +
100
        "MIICUjCCAhGgAwIBAgIJAIiDrs/4W8rtMAkGByqGSM44BAMwHzELMAkGA1UEBhMC\n" +
101
        "VVMxEDAOBgNVBAoTB0V4YW1wbGUwHhcNMTYwMjE2MDQzNTQ2WhcNMzUxMTAzMDQz\n" +
102
        "NTQ2WjA5MQswCQYDVQQGEwJVUzEQMA4GA1UECgwHRXhhbXBsZTEYMBYGA1UEAwwP\n" +
103
        "d3d3LmV4YW1wbGUuY29tMIHwMIGoBgcqhkjOOAQBMIGcAkEAs6A0p3TysTtVXGSv\n" +
104
        "ThR/8GHpbL49KyWRJBMIlmLc5jl/wxJgnL1t07p4YTOEa6ecyTFos04Z8n2GARmp\n" +
105
        "zYlUywIVAJLDcf4JXhZbguRFSQdWwWhZkh+LAkBLCzh3Xvpmc/5CDqU+QHqDcuSk\n" +
106
        "5B8+ZHaHRi2KQ00ejilpF2qZpW5JdHe4m3Pggh0MIuaAGX+leM4JKlnObj14A0MA\n" +
107
        "AkAYb+DYlFgStFhF1ip7rFzY8K6i/3ellkXI2umI/XVwxUQTHSlk5nFOep5Dfzm9\n" +
108
        "pADJwuSe1qGHsHB5LpMZPVpto4GEMIGBMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgPo\n" +
109
        "MB0GA1UdDgQWBBT8nsFyccF4q1dtpWE1dkNK5UiXtTAfBgNVHSMEGDAWgBRfips/\n" +
110
        "k+AHHUnwEnyoSB+gpUtKdDAnBgNVHSUEIDAeBggrBgEFBQcDAQYIKwYBBQUHAwIG\n" +
111
        "CCsGAQUFBwMDMAkGByqGSM44BAMDMAAwLQIUIcIlxpIwaZXdpMC+U076unR1Mp8C\n" +
112
        "FQCD/NE8O0xwq57nwFfp7tUvUHYMMA==\n" +
113
        "-----END CERTIFICATE-----";
114

115
    // Private key in the format of PKCS#8, key size is 512 bits.
116
    static String targetPrivateKey =
117
        "MIHGAgEAMIGoBgcqhkjOOAQBMIGcAkEAs6A0p3TysTtVXGSvThR/8GHpbL49KyWR\n" +
118
        "JBMIlmLc5jl/wxJgnL1t07p4YTOEa6ecyTFos04Z8n2GARmpzYlUywIVAJLDcf4J\n" +
119
        "XhZbguRFSQdWwWhZkh+LAkBLCzh3Xvpmc/5CDqU+QHqDcuSk5B8+ZHaHRi2KQ00e\n" +
120
        "jilpF2qZpW5JdHe4m3Pggh0MIuaAGX+leM4JKlnObj14BBYCFHB2Wek2g5hpNj5y\n" +
121
        "RQfCc6CFO0dv";
122

123
    static char passphrase[] = "passphrase".toCharArray();
124

125
    /*
126
     * Is the server ready to serve?
127
     */
128
    volatile static boolean serverReady = false;
129

130
    /*
131
     * Turn on SSL debugging?
132
     */
133
    static boolean debug = false;
134

135
    /*
136
     * Define the server side of the test.
137
     *
138
     * If the server prematurely exits, serverReady will be set to true
139
     * to avoid infinite hangs.
140
     */
141
    void doServerSide() throws Exception {
142
        SSLContext context = generateSSLContext(null, targetCertStr,
143
                                            targetPrivateKey);
144
        SSLServerSocketFactory sslssf = context.getServerSocketFactory();
145
        SSLServerSocket sslServerSocket =
146
            (SSLServerSocket)sslssf.createServerSocket(serverPort);
147
        serverPort = sslServerSocket.getLocalPort();
148

149
        /*
150
         * Signal Client, we're ready for his connect.
151
         */
152
        serverReady = true;
153

154
        try (SSLSocket sslSocket = (SSLSocket)sslServerSocket.accept()) {
155
            try (InputStream sslIS = sslSocket.getInputStream()) {
156
                sslIS.read();
157
            }
158

159
            throw new Exception(
160
                    "DSA keys shorter than 1024 bits should be disabled");
161
        } catch (SSLHandshakeException sslhe) {
162
            // the expected exception, ignore
163
        }
164
    }
165

166
    /*
167
     * Define the client side of the test.
168
     *
169
     * If the server prematurely exits, serverReady will be set to true
170
     * to avoid infinite hangs.
171
     */
172
    void doClientSide() throws Exception {
173

174
        /*
175
         * Wait for server to get started.
176
         */
177
        while (!serverReady) {
178
            Thread.sleep(50);
179
        }
180

181
        SSLContext context = generateSSLContext(trustedCertStr, null, null);
182
        SSLSocketFactory sslsf = context.getSocketFactory();
183

184
        try (SSLSocket sslSocket =
185
            (SSLSocket)sslsf.createSocket("localhost", serverPort)) {
186

187
            // only enable the target protocol
188
            sslSocket.setEnabledProtocols(new String[] {enabledProtocol});
189

190
            // enable a block cipher
191
            sslSocket.setEnabledCipherSuites(
192
                new String[] {"TLS_DHE_DSS_WITH_AES_128_CBC_SHA"});
193

194
            try (OutputStream sslOS = sslSocket.getOutputStream()) {
195
                sslOS.write('B');
196
                sslOS.flush();
197
            }
198

199
            throw new Exception(
200
                    "DSA keys shorter than 1024 bits should be disabled");
201
        } catch (SSLHandshakeException sslhe) {
202
            // the expected exception, ignore
203
        }
204
    }
205

206
    /*
207
     * =============================================================
208
     * The remainder is just support stuff
209
     */
210
    private static String tmAlgorithm;        // trust manager
211
    private static String enabledProtocol;    // the target protocol
212

213
    private static void parseArguments(String[] args) {
214
        tmAlgorithm = args[0];
215
        enabledProtocol = args[1];
216
    }
217

218
    private static SSLContext generateSSLContext(String trustedCertStr,
219
            String keyCertStr, String keySpecStr) throws Exception {
220

221
        // generate certificate from cert string
222
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
223

224
        // create a key store
225
        KeyStore ks = KeyStore.getInstance("JKS");
226
        ks.load(null, null);
227

228
        // import the trused cert
229
        Certificate trusedCert = null;
230
        ByteArrayInputStream is = null;
231
        if (trustedCertStr != null) {
232
            is = new ByteArrayInputStream(trustedCertStr.getBytes());
233
            trusedCert = cf.generateCertificate(is);
234
            is.close();
235

236
            ks.setCertificateEntry("DSA Export Signer", trusedCert);
237
        }
238

239
        if (keyCertStr != null) {
240
            // generate the private key.
241
            PKCS8EncodedKeySpec priKeySpec = new PKCS8EncodedKeySpec(
242
                                Base64.getMimeDecoder().decode(keySpecStr));
243
            KeyFactory kf = KeyFactory.getInstance("DSA");
244
            DSAPrivateKey priKey =
245
                    (DSAPrivateKey)kf.generatePrivate(priKeySpec);
246

247
            // generate certificate chain
248
            is = new ByteArrayInputStream(keyCertStr.getBytes());
249
            Certificate keyCert = cf.generateCertificate(is);
250
            is.close();
251

252
            Certificate[] chain = null;
253
            if (trusedCert != null) {
254
                chain = new Certificate[2];
255
                chain[0] = keyCert;
256
                chain[1] = trusedCert;
257
            } else {
258
                chain = new Certificate[1];
259
                chain[0] = keyCert;
260
            }
261

262
            // import the key entry.
263
            ks.setKeyEntry("Whatever", priKey, passphrase, chain);
264
        }
265

266
        // create SSL context
267
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmAlgorithm);
268
        tmf.init(ks);
269

270
        SSLContext ctx = SSLContext.getInstance("TLS");
271
        if (keyCertStr != null && !keyCertStr.isEmpty()) {
272
            KeyManagerFactory kmf = KeyManagerFactory.getInstance("NewSunX509");
273
            kmf.init(ks, passphrase);
274

275
            ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
276
            ks = null;
277
        } else {
278
            ctx.init(null, tmf.getTrustManagers(), null);
279
        }
280

281
        return ctx;
282
    }
283

284

285
    // use any free port by default
286
    volatile int serverPort = 0;
287

288
    volatile Exception serverException = null;
289
    volatile Exception clientException = null;
290

291
    public static void main(String[] args) throws Exception {
292
        Security.setProperty("jdk.certpath.disabledAlgorithms",
293
                "DSA keySize < 1024");
294
        Security.setProperty("jdk.tls.disabledAlgorithms",
295
                "DSA keySize < 1024");
296

297
        if (debug) {
298
            System.setProperty("javax.net.debug", "all");
299
        }
300

301
        /*
302
         * Get the customized arguments.
303
         */
304
        parseArguments(args);
305

306
        /*
307
         * Start the tests.
308
         */
309
        new DisabledShortDSAKeys();
310
    }
311

312
    Thread clientThread = null;
313
    Thread serverThread = null;
314

315
    /*
316
     * Primary constructor, used to drive remainder of the test.
317
     *
318
     * Fork off the other side, then do your work.
319
     */
320
    DisabledShortDSAKeys() throws Exception {
321
        Exception startException = null;
322
        try {
323
            if (separateServerThread) {
324
                startServer(true);
325
                startClient(false);
326
            } else {
327
                startClient(true);
328
                startServer(false);
329
            }
330
        } catch (Exception e) {
331
            startException = e;
332
        }
333

334
        /*
335
         * Wait for other side to close down.
336
         */
337
        if (separateServerThread) {
338
            if (serverThread != null) {
339
                serverThread.join();
340
            }
341
        } else {
342
            if (clientThread != null) {
343
                clientThread.join();
344
            }
345
        }
346

347
        /*
348
         * When we get here, the test is pretty much over.
349
         * Which side threw the error?
350
         */
351
        Exception local;
352
        Exception remote;
353

354
        if (separateServerThread) {
355
            remote = serverException;
356
            local = clientException;
357
        } else {
358
            remote = clientException;
359
            local = serverException;
360
        }
361

362
        Exception exception = null;
363

364
        /*
365
         * Check various exception conditions.
366
         */
367
        if ((local != null) && (remote != null)) {
368
            // If both failed, return the curthread's exception.
369
            local.initCause(remote);
370
            exception = local;
371
        } else if (local != null) {
372
            exception = local;
373
        } else if (remote != null) {
374
            exception = remote;
375
        } else if (startException != null) {
376
            exception = startException;
377
        }
378

379
        /*
380
         * If there was an exception *AND* a startException,
381
         * output it.
382
         */
383
        if (exception != null) {
384
            if (exception != startException && startException != null) {
385
                exception.addSuppressed(startException);
386
            }
387
            throw exception;
388
        }
389

390
        // Fall-through: no exception to throw!
391
    }
392

393
    void startServer(boolean newThread) throws Exception {
394
        if (newThread) {
395
            serverThread = new Thread() {
396
                public void run() {
397
                    try {
398
                        doServerSide();
399
                    } catch (Exception e) {
400
                        /*
401
                         * Our server thread just died.
402
                         *
403
                         * Release the client, if not active already...
404
                         */
405
                        System.err.println("Server died...");
406
                        serverReady = true;
407
                        serverException = e;
408
                    }
409
                }
410
            };
411
            serverThread.start();
412
        } else {
413
            try {
414
                doServerSide();
415
            } catch (Exception e) {
416
                serverException = e;
417
            } finally {
418
                serverReady = true;
419
            }
420
        }
421
    }
422

423
    void startClient(boolean newThread) throws Exception {
424
        if (newThread) {
425
            clientThread = new Thread() {
426
                public void run() {
427
                    try {
428
                        doClientSide();
429
                    } catch (Exception e) {
430
                        /*
431
                         * Our client thread just died.
432
                         */
433
                        System.err.println("Client died...");
434
                        clientException = e;
435
                    }
436
                }
437
            };
438
            clientThread.start();
439
        } else {
440
            try {
441
                doClientSide();
442
            } catch (Exception e) {
443
                clientException = e;
444
            }
445
        }
446
    }
447
}
448

449
Product

Resources

Company
