Path: blob/master/test/jdk/javax/net/ssl/sanity/ciphersuites/CipherSuitesInOrder.java
41154 views
/*1* Copyright (c) 2012, 2019, Oracle and/or its affiliates. All rights reserved.2* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.3*4* This code is free software; you can redistribute it and/or modify it5* under the terms of the GNU General Public License version 2 only, as6* published by the Free Software Foundation.7*8* This code is distributed in the hope that it will be useful, but WITHOUT9* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or10* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License11* version 2 for more details (a copy is included in the LICENSE file that12* accompanied this code).13*14* You should have received a copy of the GNU General Public License version15* 2 along with this work; if not, write to the Free Software Foundation,16* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.17*18* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA19* or visit www.oracle.com if you need additional information or have any20* questions.21*/2223//24// SunJSSE does not support dynamic system properties, no way to re-use25// system properties in samevm/agentvm mode.26//2728/*29* @test30* @bug 7174244 823472831* @summary Test for ciphersuites order32* @run main/othervm CipherSuitesInOrder33*/34import java.util.*;35import javax.net.ssl.*;3637public class CipherSuitesInOrder {3839// Supported ciphersuites40private final static List<String> supportedCipherSuites41= Arrays.<String>asList(42// TLS 1.3 cipher suites.43"TLS_AES_256_GCM_SHA384",44"TLS_AES_128_GCM_SHA256",45"TLS_CHACHA20_POLY1305_SHA256",46// Suite B compliant cipher suites, see RFC 6460.47"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",48"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",49// Not suite B, but we want it to position the suite early50//in the list of 1.2 suites.51"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",52//53// Forward secrecy cipher suites.54//55// AES_256(GCM) - ECDHE56"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",57"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",58// AES_128(GCM) - ECDHE59"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",60// AES_256(GCM) - DHE61"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",62"TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",63"TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",64// AES_128(GCM) - DHE65"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",66"TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",67// AES_256(CBC) - ECDHE68"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",69"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",70// AES_128(CBC) - ECDHE71"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",72"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",73// AES_256(CBC) - DHE74"TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",75"TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",76// AES_128(CBC) - DHE77"TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",78"TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",79//80// Not forward secret cipher suites.81//82// AES_256(GCM)83"TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",84"TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",85// AES_128(GCM)86"TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",87"TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",88// AES_256(CBC)89"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",90"TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",91// AES_128(CBC)92"TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",93"TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",94//95// Legacy, used for compatibility96//97// AES_256(CBC) - ECDHE - Using SHA98"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",99"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",100// AES_128(CBC) - ECDHE - using SHA101"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",102"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",103// AES_256(CBC) - DHE - Using SHA104"TLS_DHE_RSA_WITH_AES_256_CBC_SHA",105"TLS_DHE_DSS_WITH_AES_256_CBC_SHA",106// AES_128(CBC) - DHE - using SHA107"TLS_DHE_RSA_WITH_AES_128_CBC_SHA",108"TLS_DHE_DSS_WITH_AES_128_CBC_SHA",109// AES_256(CBC) - using SHA, not forward secrecy110"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",111"TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",112// AES_128(CBC) - using SHA, not forward secrecy113"TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",114"TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",115//116// Deprecated, used for compatibility117//118// RSA, AES_256(GCM)119"TLS_RSA_WITH_AES_256_GCM_SHA384",120// RSA, AES_128(GCM)121"TLS_RSA_WITH_AES_128_GCM_SHA256",122// RSA, AES_256(CBC)123"TLS_RSA_WITH_AES_256_CBC_SHA256",124// RSA, AES_128(CBC)125"TLS_RSA_WITH_AES_128_CBC_SHA256",126// RSA, AES_256(CBC) - using SHA, not forward secrecy127"TLS_RSA_WITH_AES_256_CBC_SHA",128// RSA, AES_128(CBC) - using SHA, not forward secrecy129"TLS_RSA_WITH_AES_128_CBC_SHA",130// 3DES_EDE, forward secrecy.131"TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",132"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",133"SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",134"SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",135// 3DES_EDE, not forward secrecy.136"TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",137"TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",138"SSL_RSA_WITH_3DES_EDE_CBC_SHA",139// Renegotiation protection request Signalling140// Cipher Suite Value (SCSV).141"TLS_EMPTY_RENEGOTIATION_INFO_SCSV",142// Definition of the Cipher Suites that are supported but not143// enabled by default.144"TLS_DH_anon_WITH_AES_256_GCM_SHA384",145"TLS_DH_anon_WITH_AES_128_GCM_SHA256",146"TLS_DH_anon_WITH_AES_256_CBC_SHA256",147"TLS_ECDH_anon_WITH_AES_256_CBC_SHA",148"TLS_DH_anon_WITH_AES_256_CBC_SHA",149"TLS_DH_anon_WITH_AES_128_CBC_SHA256",150"TLS_ECDH_anon_WITH_AES_128_CBC_SHA",151"TLS_DH_anon_WITH_AES_128_CBC_SHA",152"TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",153"SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",154// RC4155"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",156"TLS_ECDHE_RSA_WITH_RC4_128_SHA",157"SSL_RSA_WITH_RC4_128_SHA",158"TLS_ECDH_ECDSA_WITH_RC4_128_SHA",159"TLS_ECDH_RSA_WITH_RC4_128_SHA",160"SSL_RSA_WITH_RC4_128_MD5",161"TLS_ECDH_anon_WITH_RC4_128_SHA",162"SSL_DH_anon_WITH_RC4_128_MD5",163// Weak cipher suites obsoleted in TLS 1.2 [RFC 5246]164"SSL_RSA_WITH_DES_CBC_SHA",165"SSL_DHE_RSA_WITH_DES_CBC_SHA",166"SSL_DHE_DSS_WITH_DES_CBC_SHA",167"SSL_DH_anon_WITH_DES_CBC_SHA",168// Weak cipher suites obsoleted in TLS 1.1 [RFC 4346]169"SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",170"SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",171"SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",172"SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA",173"SSL_RSA_EXPORT_WITH_RC4_40_MD5",174"SSL_DH_anon_EXPORT_WITH_RC4_40_MD5",175// No traffic encryption cipher suites176"TLS_RSA_WITH_NULL_SHA256",177"TLS_ECDHE_ECDSA_WITH_NULL_SHA",178"TLS_ECDHE_RSA_WITH_NULL_SHA",179"SSL_RSA_WITH_NULL_SHA",180"TLS_ECDH_ECDSA_WITH_NULL_SHA",181"TLS_ECDH_RSA_WITH_NULL_SHA",182"TLS_ECDH_anon_WITH_NULL_SHA",183"SSL_RSA_WITH_NULL_MD5",184// Definition of the cipher suites that are not supported but the names185// are known.186"TLS_AES_128_CCM_SHA256",187"TLS_AES_128_CCM_8_SHA256"188);189190private final static String[] protocols = {191"", "SSL", "TLS", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"192};193194public static void main(String[] args) throws Exception {195// show all of the supported cipher suites196showSuites(supportedCipherSuites.toArray(new String[0]),197"All supported cipher suites");198199for (String protocol : protocols) {200System.out.println("//");201System.out.println("// "202+ "Testing for SSLContext of " + protocol);203System.out.println("//");204checkForProtocols(protocol);205}206}207208public static void checkForProtocols(String protocol) throws Exception {209SSLContext context;210if (protocol.isEmpty()) {211context = SSLContext.getDefault();212} else {213context = SSLContext.getInstance(protocol);214context.init(null, null, null);215}216217// check the order of default cipher suites of SSLContext218SSLParameters parameters = context.getDefaultSSLParameters();219checkSuites(parameters.getCipherSuites(),220"Default cipher suites in SSLContext");221222// check the order of supported cipher suites of SSLContext223parameters = context.getSupportedSSLParameters();224checkSuites(parameters.getCipherSuites(),225"Supported cipher suites in SSLContext");226227//228// Check the cipher suites order of SSLEngine229//230SSLEngine engine = context.createSSLEngine();231232// check the order of endabled cipher suites233String[] ciphers = engine.getEnabledCipherSuites();234checkSuites(ciphers,235"Enabled cipher suites in SSLEngine");236237// check the order of supported cipher suites238ciphers = engine.getSupportedCipherSuites();239checkSuites(ciphers,240"Supported cipher suites in SSLEngine");241242//243// Check the cipher suites order of SSLSocket244//245SSLSocketFactory factory = context.getSocketFactory();246try (SSLSocket socket = (SSLSocket) factory.createSocket()) {247248// check the order of endabled cipher suites249ciphers = socket.getEnabledCipherSuites();250checkSuites(ciphers,251"Enabled cipher suites in SSLSocket");252253// check the order of supported cipher suites254ciphers = socket.getSupportedCipherSuites();255checkSuites(ciphers,256"Supported cipher suites in SSLSocket");257}258259//260// Check the cipher suites order of SSLServerSocket261//262SSLServerSocketFactory serverFactory = context.getServerSocketFactory();263try (SSLServerSocket serverSocket264= (SSLServerSocket) serverFactory.createServerSocket()) {265// check the order of endabled cipher suites266ciphers = serverSocket.getEnabledCipherSuites();267checkSuites(ciphers,268"Enabled cipher suites in SSLServerSocket");269270// check the order of supported cipher suites271ciphers = serverSocket.getSupportedCipherSuites();272checkSuites(ciphers,273"Supported cipher suites in SSLServerSocket");274}275}276277private static void checkSuites(String[] suites, String title) {278showSuites(suites, title);279280int loc = -1;281int index = 0;282for (String suite : suites) {283index = supportedCipherSuites.indexOf(suite);284if (index <= loc) {285throw new RuntimeException(suite + " is not in order");286}287loc = index;288}289}290291private static void showSuites(String[] suites, String title) {292System.out.println(title + "[" + suites.length + "]:");293for (String suite : suites) {294System.out.println(" " + suite);295}296}297}298299300