1
/*
2
 * Copyright (c) 2016, 2017, Oracle and/or its affiliates. All rights reserved.
3
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4
 *
5
 * This code is free software; you can redistribute it and/or modify it
6
 * under the terms of the GNU General Public License version 2 only, as
7
 * published by the Free Software Foundation.  Oracle designates this
8
 * particular file as subject to the "Classpath" exception as provided
9
 * by Oracle in the LICENSE file that accompanied this code.
10
 *
11
 * This code is distributed in the hope that it will be useful, but WITHOUT
12
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
14
 * version 2 for more details (a copy is included in the LICENSE file that
15
 * accompanied this code).
16
 *
17
 * You should have received a copy of the GNU General Public License version
18
 * 2 along with this work; if not, write to the Free Software Foundation,
19
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20
 *
21
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22
 * or visit www.oracle.com if you need additional information or have any
23
 * questions.
24
 */
25

26
//
27
// SunJSSE does not support dynamic system properties, no way to re-use
28
// system properties in samevm/agentvm mode.
29
//
30

31
/*
32
 * @test
33
 * @bug 8148516
34
 * @summary Improve the default strength of EC in JDK
35
 * @modules jdk.crypto.ec
36
 * @run main/othervm ECCurvesconstraints PKIX
37
 * @run main/othervm ECCurvesconstraints SunX509
38
 */
39

40
import java.io.ByteArrayInputStream;
41
import java.io.InputStream;
42
import java.io.OutputStream;
43
import java.io.IOException;
44
import java.security.KeyStore;
45
import java.security.KeyFactory;
46
import java.security.cert.Certificate;
47
import java.security.cert.CertificateFactory;
48
import java.security.interfaces.ECPrivateKey;
49
import java.security.spec.PKCS8EncodedKeySpec;
50
import java.util.Base64;
51
import javax.net.ssl.KeyManagerFactory;
52
import javax.net.ssl.SSLContext;
53
import javax.net.ssl.SSLServerSocket;
54
import javax.net.ssl.SSLServerSocketFactory;
55
import javax.net.ssl.SSLSocket;
56
import javax.net.ssl.SSLSocketFactory;
57
import javax.net.ssl.TrustManagerFactory;
58

59
public class ECCurvesconstraints {
60

61
    /*
62
     * =============================================================
63
     * Set the various variables needed for the tests, then
64
     * specify what tests to run on each side.
65
     */
66

67
    /*
68
     * Should we run the client or server in a separate thread?
69
     * Both sides can throw exceptions, but do you have a preference
70
     * as to which side should be the main thread.
71
     */
72
    static boolean separateServerThread = false;
73

74
    /*
75
     * Where do we find the keystores?
76
     */
77
    // Certificates and key used in the test.
78
    //
79
    // EC curve: secp224k1
80
    static String trustedCertStr =
81
        "-----BEGIN CERTIFICATE-----\n" +
82
        "MIIBCzCBugIEVz2lcjAKBggqhkjOPQQDAjAaMRgwFgYDVQQDDA93d3cuZXhhbXBs\n" +
83
        "ZS5vcmcwHhcNMTYwNTE5MTEzNzM5WhcNMTcwNTE5MTEzNzM5WjAaMRgwFgYDVQQD\n" +
84
        "DA93d3cuZXhhbXBsZS5vcmcwTjAQBgcqhkjOPQIBBgUrgQQAIAM6AAT68uovMZ8f\n" +
85
        "KARn5NOjvieJaq6h8zHYkM9w5DuN0kkOo4KBhke06EkQj0nvQQcSvppTV6RoDLY4\n" +
86
        "djAKBggqhkjOPQQDAgNAADA9AhwMNIujM0R0llpPH6d89d1S3VRGH/78ovc+zw51\n" +
87
        "Ah0AuZ1YlQkUbrJIzkuPSICxz5UfCWPe+7w4as+wiA==\n" +
88
        "-----END CERTIFICATE-----";
89

90
    // Private key in the format of PKCS#8
91
    static String targetPrivateKey =
92
        "MIGCAgEAMBAGByqGSM49AgEGBSuBBAAgBGswaQIBAQQdAPbckc86mgW/zexB1Ajq\n" +
93
        "38HntWOjdxL6XSoiAsWgBwYFK4EEACChPAM6AAT68uovMZ8fKARn5NOjvieJaq6h\n" +
94
        "8zHYkM9w5DuN0kkOo4KBhke06EkQj0nvQQcSvppTV6RoDLY4dg==";
95

96
    static String[] serverCerts = {trustedCertStr};
97
    static String[] serverKeys  = {targetPrivateKey};
98
    static String[] clientCerts = {trustedCertStr};
99
    static String[] clientKeys  = {targetPrivateKey};
100

101
    static char passphrase[] = "passphrase".toCharArray();
102

103
    /*
104
     * Is the server ready to serve?
105
     */
106
    volatile static boolean serverReady = false;
107

108
    /*
109
     * Turn on SSL debugging?
110
     */
111
    static boolean debug = false;
112

113
    /*
114
     * Define the server side of the test.
115
     *
116
     * If the server prematurely exits, serverReady will be set to true
117
     * to avoid infinite hangs.
118
     */
119
    void doServerSide() throws Exception {
120
        SSLContext context = generateSSLContext(false);
121
        SSLServerSocketFactory sslssf = context.getServerSocketFactory();
122
        SSLServerSocket sslServerSocket =
123
            (SSLServerSocket)sslssf.createServerSocket(serverPort);
124
        serverPort = sslServerSocket.getLocalPort();
125

126
        /*
127
         * Signal Client, we're ready for his connect.
128
         */
129
        serverReady = true;
130

131
        SSLSocket sslSocket = (SSLSocket)sslServerSocket.accept();
132
        try {
133
            sslSocket.setSoTimeout(5000);
134
            sslSocket.setSoLinger(true, 5);
135

136
            InputStream sslIS = sslSocket.getInputStream();
137
            OutputStream sslOS = sslSocket.getOutputStream();
138

139
            sslIS.read();
140
            sslOS.write('A');
141
            sslOS.flush();
142

143
            throw new Exception("EC curve secp224k1 should be disabled");
144
        } catch (IOException she) {
145
            // expected exception: no cipher suites in common
146
            System.out.println("Expected exception: " + she);
147
        } finally {
148
            sslSocket.close();
149
            sslServerSocket.close();
150
        }
151
    }
152

153
    /*
154
     * Define the client side of the test.
155
     *
156
     * If the server prematurely exits, serverReady will be set to true
157
     * to avoid infinite hangs.
158
     */
159
    void doClientSide() throws Exception {
160

161
        /*
162
         * Wait for server to get started.
163
         */
164
        while (!serverReady) {
165
            Thread.sleep(50);
166
        }
167

168
        SSLContext context = generateSSLContext(true);
169
        SSLSocketFactory sslsf = context.getSocketFactory();
170

171
        SSLSocket sslSocket =
172
            (SSLSocket)sslsf.createSocket("localhost", serverPort);
173

174
        try {
175
            sslSocket.setSoTimeout(5000);
176
            sslSocket.setSoLinger(true, 5);
177

178
            InputStream sslIS = sslSocket.getInputStream();
179
            OutputStream sslOS = sslSocket.getOutputStream();
180

181
            sslOS.write('B');
182
            sslOS.flush();
183
            sslIS.read();
184

185
            throw new Exception("EC curve secp224k1 should be disabled");
186
        } catch (IOException she) {
187
            // expected exception: Received fatal alert
188
            System.out.println("Expected exception: " + she);
189
        } finally {
190
            sslSocket.close();
191
        }
192
    }
193

194
    /*
195
     * =============================================================
196
     * The remainder is just support stuff
197
     */
198
    private static String tmAlgorithm;             // trust manager
199

200
    private static void parseArguments(String[] args) {
201
        tmAlgorithm = args[0];
202
    }
203

204
    private static SSLContext generateSSLContext(boolean isClient)
205
            throws Exception {
206

207
        // generate certificate from cert string
208
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
209

210
        // create a key store
211
        KeyStore ks = KeyStore.getInstance("JKS");
212
        ks.load(null, null);
213

214
        // import the trused cert
215
        ByteArrayInputStream is =
216
                    new ByteArrayInputStream(trustedCertStr.getBytes());
217
        Certificate trusedCert = cf.generateCertificate(is);
218
        is.close();
219

220
        ks.setCertificateEntry("Export Signer", trusedCert);
221

222
        String[] certStrs = null;
223
        String[] keyStrs = null;
224
        if (isClient) {
225
            certStrs = clientCerts;
226
            keyStrs = clientKeys;
227
        } else {
228
            certStrs = serverCerts;
229
            keyStrs = serverKeys;
230
        }
231

232
        for (int i = 0; i < certStrs.length; i++) {
233
            // generate the private key.
234
            String keySpecStr = keyStrs[i];
235
            PKCS8EncodedKeySpec priKeySpec = new PKCS8EncodedKeySpec(
236
                                Base64.getMimeDecoder().decode(keySpecStr));
237
            KeyFactory kf = KeyFactory.getInstance("EC");
238
            ECPrivateKey priKey =
239
                    (ECPrivateKey)kf.generatePrivate(priKeySpec);
240

241
            // generate certificate chain
242
            String keyCertStr = certStrs[i];
243
            is = new ByteArrayInputStream(keyCertStr.getBytes());
244
            Certificate keyCert = cf.generateCertificate(is);
245
            is.close();
246

247
            Certificate[] chain = new Certificate[2];
248
            chain[0] = keyCert;
249
            chain[1] = trusedCert;
250

251
            // import the key entry.
252
            ks.setKeyEntry("key-entry-" + i, priKey, passphrase, chain);
253
        }
254

255
        // create SSL context
256
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmAlgorithm);
257
        tmf.init(ks);
258

259
        SSLContext ctx = SSLContext.getInstance("TLS");
260
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("NewSunX509");
261
        kmf.init(ks, passphrase);
262

263
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
264
        ks = null;
265

266
        return ctx;
267
    }
268

269
    // use any free port by default
270
    volatile int serverPort = 0;
271

272
    volatile Exception serverException = null;
273
    volatile Exception clientException = null;
274

275
    public static void main(String[] args) throws Exception {
276
        if (debug) {
277
            System.setProperty("javax.net.debug", "all");
278
        }
279

280
        /*
281
         * Get the customized arguments.
282
         */
283
        parseArguments(args);
284

285
        /*
286
         * Start the tests.
287
         */
288
        new ECCurvesconstraints();
289
    }
290

291
    Thread clientThread = null;
292
    Thread serverThread = null;
293

294
    /*
295
     * Primary constructor, used to drive remainder of the test.
296
     *
297
     * Fork off the other side, then do your work.
298
     */
299
    ECCurvesconstraints() throws Exception {
300
        try {
301
            if (separateServerThread) {
302
                startServer(true);
303
                startClient(false);
304
            } else {
305
                startClient(true);
306
                startServer(false);
307
            }
308
        } catch (Exception e) {
309
            // swallow for now.  Show later
310
        }
311

312
        /*
313
         * Wait for other side to close down.
314
         */
315
        if (separateServerThread) {
316
            serverThread.join();
317
        } else {
318
            clientThread.join();
319
        }
320

321
        /*
322
         * When we get here, the test is pretty much over.
323
         * Which side threw the error?
324
         */
325
        Exception local;
326
        Exception remote;
327
        String whichRemote;
328

329
        if (separateServerThread) {
330
            remote = serverException;
331
            local = clientException;
332
            whichRemote = "server";
333
        } else {
334
            remote = clientException;
335
            local = serverException;
336
            whichRemote = "client";
337
        }
338

339
        /*
340
         * If both failed, return the curthread's exception, but also
341
         * print the remote side Exception
342
         */
343
        if ((local != null) && (remote != null)) {
344
            System.out.println(whichRemote + " also threw:");
345
            remote.printStackTrace();
346
            System.out.println();
347
            throw local;
348
        }
349

350
        if (remote != null) {
351
            throw remote;
352
        }
353

354
        if (local != null) {
355
            throw local;
356
        }
357
    }
358

359
    void startServer(boolean newThread) throws Exception {
360
        if (newThread) {
361
            serverThread = new Thread() {
362
                public void run() {
363
                    try {
364
                        doServerSide();
365
                    } catch (Exception e) {
366
                        /*
367
                         * Our server thread just died.
368
                         *
369
                         * Release the client, if not active already...
370
                         */
371
                        System.err.println("Server died, because of " + e);
372
                        serverReady = true;
373
                        serverException = e;
374
                    }
375
                }
376
            };
377
            serverThread.start();
378
        } else {
379
            try {
380
                doServerSide();
381
            } catch (Exception e) {
382
                serverException = e;
383
            } finally {
384
                serverReady = true;
385
            }
386
        }
387
    }
388

389
    void startClient(boolean newThread) throws Exception {
390
        if (newThread) {
391
            clientThread = new Thread() {
392
                public void run() {
393
                    try {
394
                        doClientSide();
395
                    } catch (Exception e) {
396
                        /*
397
                         * Our client thread just died.
398
                         */
399
                        System.err.println("Client died, because of " + e);
400
                        clientException = e;
401
                    }
402
                }
403
            };
404
            clientThread.start();
405
        } else {
406
            try {
407
                doClientSide();
408
            } catch (Exception e) {
409
                clientException = e;
410
            }
411
        }
412
    }
413
}
414

415