Path: blob/master/test/jdk/sun/security/x509/URICertStore/CRLReadTimeout.java
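/*
 * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

/*
 * @test
 * @bug 8191808
 * @summary check that CRL download is interrupted if it takes too long
 * @library /test/lib
 * @run main/othervm -Dcom.sun.security.crl.readtimeout=1 CRLReadTimeout
 */

import java.io.File;
import java.io.InputStream;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.SocketTimeoutException;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import static java.security.cert.PKIXRevocationChecker.Option.*;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.EnumSet;
import java.util.List;
import java.util.Set;
import com.sun.net.httpserver.HttpServer;

import jdk.test.lib.SecurityTools;
import jdk.test.lib.process.OutputAnalyzer;

/**
 * Regression test: a CRL distribution point that accepts the connection but
 * never answers must not stall certificate path validation indefinitely.
 *
 * <p>The test starts a local HTTP server whose handler sleeps for two seconds
 * longer than the configured read timeout, issues a certificate whose CRL
 * distribution point refers to that server, validates the chain with CRL
 * checking enabled, and then requires that a {@link SocketTimeoutException}
 * was recorded among the revocation checker's soft-fail exceptions.
 */
public class CRLReadTimeout {

    /** System property holding the CRL read timeout, in seconds. */
    private static final String READ_TIMEOUT_PROP =
            "com.sun.security.crl.readtimeout";

    /**
     * Reads the configured timeout, starts the stalling CRL server and runs
     * the validation check against it.
     *
     * @param args unused
     * @throws Exception if setup fails or no read timeout was observed
     */
    public static void main(String[] args) throws Exception {

        // The @run line sets the property to 1. When the test is launched
        // without it, 15 seconds is assumed (presumably the implementation
        // default -- confirm against URICertStore).
        String timeout = System.getProperty(READ_TIMEOUT_PROP, "15");
        System.out.println("Testing timeout of " + timeout + " seconds");

        CrlHttpServer crlServer = new CrlHttpServer(Integer.parseInt(timeout));
        try {
            crlServer.start();
            testTimeout(crlServer.getPort());
        } finally {
            // Always release the listening socket, even when the check fails.
            crlServer.stop();
        }
    }

    /**
     * Builds a two-certificate chain whose end-entity certificate carries a
     * CRL distribution point on {@code localhost:port}, validates it, and
     * verifies that the CRL fetch ended in a read timeout.
     *
     * <p>The revocation checker runs with {@code SOFT_FAIL}, so an unreachable
     * or stalled CRL server does not make {@code validate} throw; the failure
     * is only visible through {@code getSoftFailExceptions()}. That is what
     * lets the test observe the timeout, and it also means the certificate is
     * accepted without revocation status being known. Callers that need
     * fail-closed behaviour must not copy these options as-is.
     *
     * @param port port of the local server that stalls CRL downloads
     * @throws Exception if keytool or validation setup fails, or if no
     *         {@link SocketTimeoutException} is found in any soft-fail cause
     *         chain
     */
    private static void testTimeout(int port) throws Exception {

        // create certificate chain with two certs, root and end-entity
        keytool("-alias duke -dname CN=duke -genkey -keyalg RSA");
        keytool("-alias root -dname CN=root -genkey -keyalg RSA");
        keytool("-certreq -alias duke -file duke.req");
        // set CRL URI to local server
        keytool("-gencert -infile duke.req -alias root -rfc -outfile duke.cert "
                + "-ext crl=uri:http://localhost:" + port + "/crl");
        keytool("-importcert -file duke.cert -alias duke");

        KeyStore ks = KeyStore.getInstance(new File("ks"),
                "changeit".toCharArray());
        X509Certificate cert = (X509Certificate) ks.getCertificate("duke");
        X509Certificate root = (X509Certificate) ks.getCertificate("root");

        // validate chain
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker prc =
                (PKIXRevocationChecker) cpv.getRevocationChecker();
        // PREFER_CRLS + NO_FALLBACK keep the check on the CRL path only, so
        // the stalled CRL server is the one revocation source consulted.
        prc.setOptions(EnumSet.of(PREFER_CRLS, NO_FALLBACK, SOFT_FAIL));
        PKIXParameters params =
                new PKIXParameters(Set.of(new TrustAnchor(root, null)));
        params.addCertPathChecker(prc);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath cp = cf.generateCertPath(List.of(cert));
        cpv.validate(cp, params);

        // unwrap soft fail exceptions and check for SocketTimeoutException
        boolean expected = false;
        for (CertPathValidatorException softFail : prc.getSoftFailExceptions()) {
            if (causedByReadTimeout(softFail)) {
                expected = true;
                break;
            }
        }
        if (!expected) {
            throw new Exception("SocketTimeoutException not thrown");
        }
    }

    /**
     * Reports whether the cause chain below {@code failure} contains a
     * {@link SocketTimeoutException}.
     */
    private static boolean causedByReadTimeout(Throwable failure) {
        for (Throwable cause = failure.getCause(); cause != null;
                cause = cause.getCause()) {
            if (cause instanceof SocketTimeoutException) {
                return true;
            }
        }
        return false;
    }

    /**
     * Runs keytool against the test keystore {@code ks} in the working
     * directory, using the fixed test-only store password.
     *
     * @param cmd keytool arguments appended after the keystore options
     * @return the analyzer returned by {@code SecurityTools.keytool}
     * @throws Exception if the keytool invocation fails
     */
    private static OutputAnalyzer keytool(String cmd) throws Exception {
        return SecurityTools.keytool("-storepass changeit "
                + "-keystore ks " + cmd);
    }

    /**
     * Minimal HTTP server standing in for a CRL distribution point that
     * accepts requests and then withholds the response.
     */
    private static class CrlHttpServer {

        private final HttpServer server;
        // Client-side read timeout in seconds; the handler stalls for longer.
        private final int timeout;

        /**
         * @param timeout CRL read timeout under test, in seconds
         * @throws IOException if the server cannot be created
         */
        public CrlHttpServer(int timeout) throws IOException {
            server = HttpServer.create();
            this.timeout = timeout;
        }

        /**
         * Binds to an ephemeral port on the wildcard address and installs a
         * handler that drains the request and then sleeps past the timeout.
         * No response is written, so the client can only leave through its
         * own read timeout.
         *
         * @throws IOException if binding fails
         */
        public void start() throws IOException {
            server.bind(new InetSocketAddress(0), 0);
            server.createContext("/", exchange -> {
                try (InputStream is = exchange.getRequestBody()) {
                    is.readAllBytes();
                }
                try {
                    // sleep for 2 seconds longer to force timeout; long
                    // arithmetic so a large timeout cannot overflow int
                    Thread.sleep((timeout + 2) * 1000L);
                } catch (InterruptedException ie) {
                    // keep the interrupt visible to the server thread
                    Thread.currentThread().interrupt();
                    throw new IOException(ie);
                }
            });
            server.setExecutor(null);
            server.start();
        }

        /** Stops the server immediately, without a grace period. */
        public void stop() {
            server.stop(0);
        }

        /** Returns the port the server was bound to. */
        int getPort() {
            return server.getAddress().getPort();
        }
    }
}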