1
/*
2
 * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
3
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4
 *
5
 * This code is free software; you can redistribute it and/or modify it
6
 * under the terms of the GNU General Public License version 2 only, as
7
 * published by the Free Software Foundation.
8
 *
9
 * This code is distributed in the hope that it will be useful, but WITHOUT
10
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
12
 * version 2 for more details (a copy is included in the LICENSE file that
13
 * accompanied this code).
14
 *
15
 * You should have received a copy of the GNU General Public License version
16
 * 2 along with this work; if not, write to the Free Software Foundation,
17
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18
 *
19
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20
 * or visit www.oracle.com if you need additional information or have any
21
 * questions.
22
 */
23

24
/*
25
 * @test
26
 * @bug 8206925
27
 * @library /javax/net/ssl/templates
28
 * @summary Support the certificate_authorities extension
29
 * @run main/othervm TooManyCAs
30
 * @run main/othervm -Djdk.tls.client.enableCAExtension=true TooManyCAs
31
 */
32
import javax.net.ssl.*;
33
import javax.security.auth.x500.X500Principal;
34
import java.io.*;
35
import java.net.InetAddress;
36
import java.net.Socket;
37
import java.security.cert.CertificateException;
38
import java.security.cert.X509Certificate;
39
import java.util.Arrays;
40

41
/**
42
 * Check if the connection can be established if the client or server trusts
43
 * more CAs such that it exceeds the size limit of the certificate_authorities
44
 * extension (2^16).
45
 */
46
public class TooManyCAs implements SSLContextTemplate {
47

48
    private static final String[][][] protocols = {
49
            {{"TLSv1.3"}, {"TLSv1.3"}},
50
            {{"TLSv1.3", "TLSv1.2"}, {"TLSv1.3"}},
51
            {{"TLSv1.3"}, {"TLSv1.3", "TLSv1.2"}},
52
    };
53

54
    private final String[] clientProtocols;
55
    private final String[] serverProtocols;
56
    private final boolean needClientAuth;
57

58
    TooManyCAs(int index, boolean needClientAuth) {
59
        this.clientProtocols = protocols[index][0];
60
        this.serverProtocols = protocols[index][1];
61
        this.needClientAuth = needClientAuth;
62
    }
63

64
    // Servers are configured before clients, increment test case after.
65
    void configureClientSocket(SSLSocket clientSocket) {
66
        System.err.print("Setting client protocol(s): ");
67
        Arrays.stream(clientProtocols).forEachOrdered(System.err::print);
68
        System.err.println();
69

70
        clientSocket.setEnabledProtocols(clientProtocols);
71
    }
72

73
    void configureServerSocket(SSLServerSocket serverSocket) {
74
        System.err.print("Setting server protocol(s): ");
75
        Arrays.stream(serverProtocols).forEachOrdered(System.err::print);
76
        System.err.println();
77

78
        serverSocket.setEnabledProtocols(serverProtocols);
79
        if (needClientAuth) {
80
            serverSocket.setNeedClientAuth(true);
81
        }
82
    }
83

84
    @Override
85
    public TrustManager createClientTrustManager() throws Exception {
86
        TrustManager trustManager =
87
                SSLContextTemplate.super.createClientTrustManager();
88
        return new BogusX509TrustManager(
89
                (X509TrustManager)trustManager);
90
    }
91

92
    @Override
93
    public TrustManager createServerTrustManager() throws Exception {
94
        TrustManager trustManager =
95
                SSLContextTemplate.super.createServerTrustManager();
96
        return new BogusX509TrustManager(
97
                (X509TrustManager)trustManager);
98
    }
99

100
    /*
101
     * Run the test case.
102
     */
103
    public static void main(String[] args) throws Exception {
104
        for (int i = 0; i < protocols.length; i++) {
105
            (new TooManyCAs(i, false)).run();
106
            (new TooManyCAs(i, true)).run();
107
        }
108
    }
109

110
    private void run() throws Exception {
111
        SSLServerSocket listenSocket = null;
112
        SSLSocket serverSocket = null;
113
        ClientSocket clientSocket = null;
114
        try {
115
            SSLServerSocketFactory serversocketfactory =
116
                    createServerSSLContext().getServerSocketFactory();
117
            listenSocket =
118
                    (SSLServerSocket)serversocketfactory.createServerSocket(0);
119
            listenSocket.setNeedClientAuth(false);
120
            listenSocket.setEnableSessionCreation(true);
121
            listenSocket.setUseClientMode(false);
122
            configureServerSocket(listenSocket);
123

124
            System.err.println("Starting client");
125
            clientSocket = new ClientSocket(listenSocket.getLocalPort());
126
            clientSocket.start();
127

128
            System.err.println("Accepting client requests");
129
            serverSocket = (SSLSocket)listenSocket.accept();
130

131
            if (!clientSocket.isDone) {
132
                System.err.println("Waiting 3 seconds for client ");
133
                Thread.sleep(3000);
134
            }
135

136
            System.err.println("Sending data to client ...");
137
            String serverData = "Hi, I am server";
138
            BufferedWriter os = new BufferedWriter(
139
                    new OutputStreamWriter(serverSocket.getOutputStream()));
140
            os.write(serverData, 0, serverData.length());
141
            os.newLine();
142
            os.flush();
143
        } finally {
144
            if (listenSocket != null) {
145
                listenSocket.close();
146
            }
147

148
            if (serverSocket != null) {
149
                serverSocket.close();
150
            }
151
        }
152

153
        if (clientSocket != null && clientSocket.clientException != null) {
154
            throw clientSocket.clientException;
155
        }
156
    }
157

158
    private class ClientSocket extends Thread{
159
        boolean isDone = false;
160
        int serverPort = 0;
161
        Exception clientException;
162

163
        public ClientSocket(int serverPort) {
164
            this.serverPort = serverPort;
165
        }
166

167
        @Override
168
        public void run() {
169
            SSLSocket clientSocket = null;
170
            String clientData = "Hi, I am client";
171
            try {
172
                System.err.println(
173
                        "Connecting to server at port " + serverPort);
174
                SSLSocketFactory sslSocketFactory =
175
                        createClientSSLContext().getSocketFactory();
176
                clientSocket = (SSLSocket)sslSocketFactory.createSocket(
177
                        InetAddress.getLocalHost(), serverPort);
178
                configureClientSocket(clientSocket);
179

180
                System.err.println("Sending data to server ...");
181

182
                BufferedWriter os = new BufferedWriter(
183
                        new OutputStreamWriter(clientSocket.getOutputStream()));
184
                os.write(clientData, 0, clientData.length());
185
                os.newLine();
186
                os.flush();
187

188
                System.err.println("Reading data from server");
189
                BufferedReader is = new BufferedReader(
190
                        new InputStreamReader(clientSocket.getInputStream()));
191
                String data = is.readLine();
192
                System.err.println("Received Data from server: " + data);
193
            } catch (Exception e) {
194
                clientException = e;
195
                System.err.println("unexpected client exception: " + e);
196
            } finally {
197
                if (clientSocket != null) {
198
                    try {
199
                        clientSocket.close();
200
                        System.err.println("client socket closed");
201
                    } catch (IOException ioe) {
202
                        clientException = ioe;
203
                    }
204
                }
205

206
                isDone = true;
207
            }
208
        }
209
    }
210

211
    // Construct a bogus trust manager which has more CAs such that exceed
212
    // the size limit of the certificate_authorities extension (2^16).
213
    private static final class BogusX509TrustManager
214
            extends X509ExtendedTrustManager implements X509TrustManager {
215
        private final X509ExtendedTrustManager tm;
216

217
        private BogusX509TrustManager(X509TrustManager trustManager) {
218
            this.tm = (X509ExtendedTrustManager)trustManager;
219
        }
220

221
        @Override
222
        public void checkClientTrusted(X509Certificate[] chain,
223
               String authType, Socket socket) throws CertificateException {
224
            tm.checkClientTrusted(chain, authType, socket);
225
        }
226

227
        @Override
228
        public void checkServerTrusted(X509Certificate[] chain,
229
               String authType, Socket socket) throws CertificateException {
230
            tm.checkServerTrusted(chain, authType, socket);
231
        }
232

233
        @Override
234
        public void checkClientTrusted(X509Certificate[] chain,
235
            String authType, SSLEngine sslEngine) throws CertificateException {
236

237
            tm.checkClientTrusted(chain, authType, sslEngine);
238
        }
239

240
        @Override
241
        public void checkServerTrusted(X509Certificate[] chain,
242
            String authType, SSLEngine sslEngine) throws CertificateException {
243

244
            tm.checkServerTrusted(chain, authType, sslEngine);
245
        }
246

247
        @Override
248
        public void checkClientTrusted(X509Certificate[] chain,
249
               String authType) throws CertificateException {
250
            tm.checkServerTrusted(chain, authType);
251
        }
252

253
        @Override
254
        public void checkServerTrusted(X509Certificate[] chain,
255
               String authType) throws CertificateException {
256
            tm.checkServerTrusted(chain, authType);
257
        }
258

259
        @Override
260
        public X509Certificate[] getAcceptedIssuers() {
261
            X509Certificate[] trustedCerts = tm.getAcceptedIssuers();
262
            int sizeAccount = 0;
263
            for (X509Certificate cert: trustedCerts) {
264
                X500Principal x500Principal = cert.getSubjectX500Principal();
265
                byte[] encodedPrincipal = x500Principal.getEncoded();
266
                sizeAccount += encodedPrincipal.length;
267
            }
268

269
            // 0xFFFF: the size limit of the certificate_authorities extension
270
            int duplicated = (0xFFFF + sizeAccount) / sizeAccount;
271
            X509Certificate[] returnedCAs =
272
                    new X509Certificate[trustedCerts.length * duplicated];
273
            for (int i = 0; i < duplicated; i++) {
274
                System.arraycopy(trustedCerts, 0,
275
                    returnedCAs,
276
                    i * trustedCerts.length + 0, trustedCerts.length);
277
            }
278

279
            return returnedCAs;
280
        }
281
    }
282
}
283

284