1
/*
2
 * Copyright (c) 2003, 2021, Oracle and/or its affiliates. All rights reserved.
3
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4
 *
5
 * This code is free software; you can redistribute it and/or modify it
6
 * under the terms of the GNU General Public License version 2 only, as
7
 * published by the Free Software Foundation.
8
 *
9
 * This code is distributed in the hope that it will be useful, but WITHOUT
10
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
12
 * version 2 for more details (a copy is included in the LICENSE file that
13
 * accompanied this code).
14
 *
15
 * You should have received a copy of the GNU General Public License version
16
 * 2 along with this work; if not, write to the Free Software Foundation,
17
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18
 *
19
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20
 * or visit www.oracle.com if you need additional information or have any
21
 * questions.
22
 */
23

24
/* @test
25
 * @bug 4938185 7106773
26
 * @summary KeyStore support for NSS cert/key databases
27
 *          512 bits RSA key cannot work with SHA384 and SHA512
28
 * @library /test/lib ..
29
 * @run testng/othervm ClientAuth
30
 */
31

32
import org.testng.annotations.BeforeClass;
33
import org.testng.annotations.Test;
34

35
import java.io.*;
36
import java.net.InetAddress;
37
import java.net.InetSocketAddress;
38
import java.nio.file.Path;
39
import java.security.*;
40
import java.util.Arrays;
41
import java.util.concurrent.CountDownLatch;
42
import javax.net.*;
43
import javax.net.ssl.*;
44

45
public class ClientAuth extends PKCS11Test {
46

47
    /*
48
     * =============================================================
49
     * Set the various variables needed for the tests, then
50
     * specify what tests to run on each side.
51
     */
52

53
    private static Provider provider;
54
    private static final String NSS_PWD = "test12";
55
    private static final String JKS_PWD = "passphrase";
56
    private static final String SERVER_KS = "server.keystore";
57
    private static final String TS = "truststore";
58
    private static String p11config;
59

60
    private static final Path TEST_DATA_PATH = Path.of(BASE)
61
            .resolve("ClientAuthData");
62

63
    private static final String DIR = TEST_DATA_PATH.toString();
64

65
    /*
66
     * Should we run the client or server in a separate thread?
67
     * Both sides can throw exceptions, but do you have a preference
68
     * as to which side should be the main thread.
69
     */
70
    static boolean separateServerThread = false;
71

72
    /*
73
     * Is the server ready to serve?
74
     */
75
    private final CountDownLatch serverReadyLatch = new CountDownLatch(1);
76

77
    /*
78
     * Turn on SSL debugging?
79
     */
80
    static boolean debug = false;
81

82
    /*
83
     * If the client or server is doing some kind of object creation
84
     * that the other side depends on, and that thread prematurely
85
     * exits, you may experience a hang.  The test harness will
86
     * terminate all hung threads after its timeout has expired,
87
     * currently 3 minutes by default, but you might try to be
88
     * smart about it....
89
     */
90

91
    @BeforeClass
92
    public void setUp() throws Exception {
93
        copyNssCertKeyToClassesDir(TEST_DATA_PATH);
94
        setCommonSystemProps();
95
        System.setProperty("CUSTOM_P11_CONFIG",
96
                TEST_DATA_PATH.resolve("p11-nss.txt").toString());
97
        Security.setProperty("jdk.tls.disabledAlgorithms", "");
98
        Security.setProperty("jdk.certpath.disabledAlgorithms", "");
99
    }
100

101
    @Test
102
    public void testClientAuthTLSv1() throws Exception {
103
        String[] args = { "TLSv1" };
104
        runTest(args);
105
    }
106

107
    @Test
108
    public void testClientAuthTLSv11() throws Exception {
109
        String[] args = { "TLSv1.1" };
110
        runTest(args);
111
    }
112

113
    @Test
114
    public void testClientAuthTLSv12AndCipherSuite() throws Exception {
115
        String[] args = { "TLSv1.2", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" };
116
        runTest(args);
117
    }
118

119
    private void runTest(String[] args) throws Exception {
120
        System.out.println("Running with args: " + Arrays.toString(args));
121
        parseArguments(args);
122
        main(new ClientAuth());
123
    }
124

125
    /*
126
     * Define the server side of the test.
127
     *
128
     * If the server prematurely exits, serverReady will be set to true
129
     * to avoid infinite hangs.
130
     */
131
    void doServerSide() throws Exception {
132

133
        SSLContext ctx = SSLContext.getInstance("TLS");
134
        char[] passphrase = JKS_PWD.toCharArray();
135

136
        // server gets KeyStore from JKS keystore
137
        KeyStore ks = KeyStore.getInstance("JKS");
138
        ks.load(new FileInputStream(new File(DIR, SERVER_KS)), passphrase);
139
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
140
        kmf.init(ks, passphrase);
141

142
        // server gets TrustStore from PKCS#11 token
143
/*
144
        passphrase = NSS_PWD.toCharArray();
145
        KeyStore ts = KeyStore.getInstance("PKCS11", "SunPKCS11-nss");
146
        ts.load(null, passphrase);
147
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
148
        tmf.init(ts);
149
*/
150

151
        //ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
152
        ctx.init(kmf.getKeyManagers(), null, null);
153
        ServerSocketFactory ssf = ctx.getServerSocketFactory();
154
        InetSocketAddress socketAddress =
155
                new InetSocketAddress(InetAddress.getLoopbackAddress(), serverPort);
156
        SSLServerSocket sslServerSocket = (SSLServerSocket) ssf.createServerSocket();
157
        sslServerSocket.bind(socketAddress);
158
        sslServerSocket.setNeedClientAuth(true);
159
        serverPort = sslServerSocket.getLocalPort();
160
        System.out.println("serverPort = " + serverPort);
161

162
        /*
163
         * Signal Client, we're ready for his connect.
164
         */
165
        serverReadyLatch.countDown();
166

167
        SSLSocket sslSocket = (SSLSocket) sslServerSocket.accept();
168
        InputStream sslIS = sslSocket.getInputStream();
169
        OutputStream sslOS = sslSocket.getOutputStream();
170

171
        sslIS.read();
172
        sslOS.write(85);
173
        sslOS.flush();
174

175
        sslSocket.close();
176
    }
177

178
    /*
179
     * Define the client side of the test.
180
     *
181
     * If the server prematurely exits, serverReady will be set to true
182
     * to avoid infinite hangs.
183
     */
184
    void doClientSide() throws Exception {
185

186
        /*
187
         * Wait for server to get started.
188
         */
189
        serverReadyLatch.await();
190

191
        SSLContext ctx = SSLContext.getInstance("TLS");
192
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
193

194
        // client gets KeyStore from PKCS#11 token,
195
        // and gets TrustStore from JKS KeyStore (using system properties)
196
        char[] passphrase = NSS_PWD.toCharArray();
197
        KeyStore ks = KeyStore.getInstance("PKCS11", "SunPKCS11-nss");
198
        ks.load(null, passphrase);
199

200
        kmf = KeyManagerFactory.getInstance("SunX509");
201
        kmf.init(ks, passphrase);
202
        ctx.init(kmf.getKeyManagers(), null, null);
203

204
        SSLSocketFactory sslsf = ctx.getSocketFactory();
205
        SSLSocket sslSocket = (SSLSocket)
206
            sslsf.createSocket("localhost", serverPort);
207

208
        if (clientProtocol != null) {
209
            sslSocket.setEnabledProtocols(new String[] {clientProtocol});
210
        }
211

212
        if (clientCiperSuite != null) {
213
            sslSocket.setEnabledCipherSuites(new String[] {clientCiperSuite});
214
        }
215

216
        InputStream sslIS = sslSocket.getInputStream();
217
        OutputStream sslOS = sslSocket.getOutputStream();
218

219
        sslOS.write(280);
220
        sslOS.flush();
221
        sslIS.read();
222

223
        sslSocket.close();
224
    }
225

226
    /*
227
     * =============================================================
228
     * The remainder is just support stuff
229
     */
230

231
    // use any free port by default
232
    volatile int serverPort = 0;
233

234
    volatile Exception serverException = null;
235
    volatile Exception clientException = null;
236

237
    private static String clientProtocol = null;
238
    private static String clientCiperSuite = null;
239

240
    private static void parseArguments(String[] args) {
241
        if (args.length > 0) {
242
            clientProtocol = args[0];
243
        }
244

245
        if (args.length > 1) {
246
            clientCiperSuite = args[1];
247
        }
248
    }
249

250
    public void main(Provider p) throws Exception {
251
        // SSL RSA client auth currently needs an RSA cipher
252
        // (cf. NONEwithRSA hack), which is currently not available in
253
        // open builds.
254
        try {
255
            javax.crypto.Cipher.getInstance("RSA/ECB/PKCS1Padding", p);
256
        } catch (GeneralSecurityException e) {
257
            System.out.println("Not supported by provider, skipping");
258
            return;
259
        }
260

261
        this.provider = p;
262

263
        System.setProperty("javax.net.ssl.trustStore",
264
                                        new File(DIR, TS).toString());
265
        System.setProperty("javax.net.ssl.trustStoreType", "JKS");
266
        System.setProperty("javax.net.ssl.trustStoreProvider", "SUN");
267
        System.setProperty("javax.net.ssl.trustStorePassword", JKS_PWD);
268

269
        // perform Security.addProvider of P11 provider
270
        Security.addProvider(getSunPKCS11(System.getProperty("CUSTOM_P11_CONFIG")));
271

272
        if (debug) {
273
            System.setProperty("javax.net.debug", "all");
274
        }
275

276
        /*
277
         * Start the tests.
278
         */
279
        go();
280
    }
281

282
    Thread clientThread = null;
283
    Thread serverThread = null;
284

285
    /*
286
     * Fork off the other side, then do your work.
287
     */
288
    private void go() throws Exception {
289
        try {
290
            if (separateServerThread) {
291
                startServer(true);
292
                startClient(false);
293
            } else {
294
                startClient(true);
295
                startServer(false);
296
            }
297
        } catch (Exception e) {
298
            //swallow for now.  Show later
299
        }
300

301
        /*
302
         * Wait for other side to close down.
303
         */
304
        if (separateServerThread) {
305
            serverThread.join();
306
        } else {
307
            clientThread.join();
308
        }
309

310
        /*
311
         * When we get here, the test is pretty much over.
312
         * Which side threw the error?
313
         */
314
        Exception local;
315
        Exception remote;
316
        String whichRemote;
317

318
        if (separateServerThread) {
319
            remote = serverException;
320
            local = clientException;
321
            whichRemote = "server";
322
        } else {
323
            remote = clientException;
324
            local = serverException;
325
            whichRemote = "client";
326
        }
327

328
        /*
329
         * If both failed, return the curthread's exception, but also
330
         * print the remote side Exception
331
         */
332
        if ((local != null) && (remote != null)) {
333
            System.out.println(whichRemote + " also threw:");
334
            remote.printStackTrace();
335
            System.out.println();
336
            throw local;
337
        }
338

339
        if (remote != null) {
340
            throw remote;
341
        }
342

343
        if (local != null) {
344
            throw local;
345
        }
346
    }
347

348
    void startServer (boolean newThread) {
349
        if (newThread) {
350
            serverThread = new Thread(() -> {
351
                try {
352
                    doServerSide();
353
                } catch (Exception e) {
354
                    /*
355
                     * Our server thread just died.
356
                     *
357
                     * Release the client, if not active already...
358
                     */
359
                    System.err.println("Server died...");
360
                    serverReadyLatch.countDown();
361
                    serverException = e;
362
                }
363
            });
364
            serverThread.start();
365
        } else {
366
            try {
367
                doServerSide();
368
            } catch (Exception e) {
369
                serverException = e;
370
            } finally {
371
                serverReadyLatch.countDown();
372
            }
373
        }
374
    }
375

376
    void startClient (boolean newThread) {
377
        if (newThread) {
378
            clientThread = new Thread(() -> {
379
                try {
380
                    doClientSide();
381
                } catch (Exception e) {
382
                    /*
383
                     * Our client thread just died.
384
                     */
385
                    System.err.println("Client died...");
386
                    clientException = e;
387
                }
388
            });
389
            clientThread.start();
390
        } else {
391
            try {
392
                doClientSide();
393
            } catch (Exception e) {
394
                clientException = e;
395
            }
396
        }
397
    }
398
}
399

400