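/*
 * Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

/*
 * @test
 * @bug 4750141 4895631 8217579 8163326
 * @summary Check enabled and supported ciphersuites are correct
 * @run main/othervm CheckCipherSuites default
 * @run main/othervm CheckCipherSuites limited
 */

import java.util.*;
import java.security.Security;
import javax.net.ssl.*;

/**
 * Sanity test that pins the cipher suites reported by the default
 * {@link SSLSocketFactory}: both the enabled-by-default list and the
 * supported list, for the "unlimited" (default) and "limited" values of the
 * {@code crypto.policy} security property.
 *
 * <p>The comparison uses {@link Arrays#equals(Object[], Object[])}, so it is
 * positional: a suite that is added, removed or merely moved makes the test
 * fail. Any change to the provider's default suite list therefore has to be
 * mirrored here deliberately.
 *
 * <p>The arrays are a regression baseline for the provider under test, not a
 * hardening recommendation. They still contain CBC suites with a SHA-1 MAC
 * and key exchanges without forward secrecy (static ECDH, static RSA).
 */
public class CheckCipherSuites {

    // List of enabled cipher suites when the "crypto.policy" security
    // property is set to "unlimited" (the default value).
    private static final String[] ENABLED_DEFAULT = {
        // TLS 1.3 cipher suites
        "TLS_AES_256_GCM_SHA384",
        "TLS_AES_128_GCM_SHA256",
        "TLS_CHACHA20_POLY1305_SHA256",

        // Suite B compliant cipher suites
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",

        // Not suite B, but we want it to position the suite early
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",

        // AES_256(GCM) - ECDHE - forward secrecy
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",

        // AES_128(GCM) - ECDHE - forward secrecy
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",

        // AES_256(GCM) - DHE - forward secrecy
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",

        // AES_128(GCM) - DHE - forward secrecy
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",

        // AES_256(CBC) - ECDHE - forward secrecy
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",

        // AES_128(CBC) - ECDHE - forward secrecy
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",

        // AES_256(CBC) - DHE - forward secrecy
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",

        // AES_128(CBC) - DHE - forward secrecy
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",

        // AES_256(GCM) - not forward secrecy
        "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",

        // AES_128(GCM) - not forward secrecy
        "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",

        // AES_256(CBC) - not forward secrecy
        "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",

        // AES_128(CBC) - not forward secrecy
        "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",

        // AES_256(CBC) - ECDHE - using SHA
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",

        // AES_128(CBC) - ECDHE - using SHA
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",

        // AES_256(CBC) - DHE - using SHA
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",

        // AES_128(CBC) - DHE - using SHA
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",

        // AES_256(CBC) - using SHA, not forward secrecy
        "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",

        // AES_128(CBC) - using SHA, not forward secrecy
        "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",

        // deprecated (static RSA key exchange, so no forward secrecy)
        "TLS_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",

        // Signalling value for secure renegotiation (RFC 5746); it is not a
        // negotiable cipher suite.
        "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
    };

    // List of enabled cipher suites when the "crypto.policy" security
    // property is set to "limited". Only AES_128 suites remain; the AES_256
    // and ChaCha20-Poly1305 suites of the default list are absent.
    private static final String[] ENABLED_LIMITED = {
        "TLS_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
        "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
        "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
    };

    // List of supported cipher suites when the "crypto.policy" security
    // property is set to "unlimited" (the default value). Kept as its own
    // array, separate from ENABLED_DEFAULT, so the two expectations can be
    // changed independently.
    private static final String[] SUPPORTED_DEFAULT = {
        // TLS 1.3 cipher suites
        "TLS_AES_256_GCM_SHA384",
        "TLS_AES_128_GCM_SHA256",
        "TLS_CHACHA20_POLY1305_SHA256",

        // Suite B compliant cipher suites
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",

        // Not suite B, but we want it to position the suite early
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",

        // AES_256(GCM) - ECDHE - forward secrecy
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",

        // AES_128(GCM) - ECDHE - forward secrecy
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",

        // AES_256(GCM) - DHE - forward secrecy
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",

        // AES_128(GCM) - DHE - forward secrecy
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",

        // AES_256(CBC) - ECDHE - forward secrecy
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",

        // AES_128(CBC) - ECDHE - forward secrecy
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",

        // AES_256(CBC) - DHE - forward secrecy
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",

        // AES_128(CBC) - DHE - forward secrecy
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",

        // AES_256(GCM) - not forward secrecy
        "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",

        // AES_128(GCM) - not forward secrecy
        "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",

        // AES_256(CBC) - not forward secrecy
        "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",

        // AES_128(CBC) - not forward secrecy
        "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",

        // AES_256(CBC) - ECDHE - using SHA
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",

        // AES_128(CBC) - ECDHE - using SHA
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",

        // AES_256(CBC) - DHE - using SHA
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",

        // AES_128(CBC) - DHE - using SHA
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",

        // AES_256(CBC) - using SHA, not forward secrecy
        "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",

        // AES_128(CBC) - using SHA, not forward secrecy
        "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",

        // deprecated (static RSA key exchange, so no forward secrecy)
        "TLS_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",

        // Signalling value for secure renegotiation (RFC 5746); it is not a
        // negotiable cipher suite.
        "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
    };

    // List of supported cipher suites when the "crypto.policy" security
    // property is set to "limited".
    private static final String[] SUPPORTED_LIMITED = {
        "TLS_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
        "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
        "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
    };

    /**
     * Prints one cipher suite name per line, or {@code <none>} when the
     * array is {@code null} or empty.
     *
     * @param suites the suite names to print; may be {@code null}
     */
    private static void showSuites(String[] suites) {
        if ((suites == null) || (suites.length == 0)) {
            System.out.println("<none>");
            // Return here: falling through would dereference a null array.
            return;
        }
        for (String suite : suites) {
            System.out.println("  " + suite);
        }
    }

    /**
     * Compares the default socket factory's enabled and supported cipher
     * suites with the expected lists for the requested policy mode.
     *
     * @param args exactly one argument, {@code "default"} or
     *             {@code "limited"}
     * @throws Exception if the argument is missing or unknown, or if either
     *                   reported list differs from the expected one
     */
    public static void main(String[] args) throws Exception {
        long start = System.currentTimeMillis();

        if (args.length != 1) {
            throw new Exception("One arg required");
        }

        String[] expectedEnabled;
        String[] expectedSupported;
        if (args[0].equals("default")) {
            expectedEnabled = ENABLED_DEFAULT;
            expectedSupported = SUPPORTED_DEFAULT;
        } else if (args[0].equals("limited")) {
            // Set before the first SSLSocketFactory use below. Presumably
            // the policy is read once per VM, which would explain why each
            // mode is run with main/othervm.
            Security.setProperty("crypto.policy", "limited");
            expectedEnabled = ENABLED_LIMITED;
            expectedSupported = SUPPORTED_LIMITED;
        } else {
            throw new Exception("Illegal argument");
        }

        SSLSocketFactory factory =
            (SSLSocketFactory) SSLSocketFactory.getDefault();

        // The socket is never connected; it is only queried for its suite
        // lists. try-with-resources still releases it on every exit path.
        try (SSLSocket socket = (SSLSocket) factory.createSocket()) {
            String[] enabled = socket.getEnabledCipherSuites();

            System.out.println("Default enabled ciphersuites:");
            showSuites(enabled);

            // Positional comparison: names and order must both match.
            if (!Arrays.equals(expectedEnabled, enabled)) {
                System.out.println("*** MISMATCH, should be ***");
                showSuites(expectedEnabled);
                throw new Exception("Enabled ciphersuite mismatch");
            }
            System.out.println("OK");
            System.out.println();

            String[] supported = socket.getSupportedCipherSuites();
            System.out.println("Supported ciphersuites:");
            showSuites(supported);

            if (!Arrays.equals(expectedSupported, supported)) {
                System.out.println("*** MISMATCH, should be ***");
                showSuites(expectedSupported);
                throw new Exception("Supported ciphersuite mismatch");
            }
            System.out.println("OK");
        }

        long end = System.currentTimeMillis();
        System.out.println("Done (" + (end - start) + " ms).");
    }
}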