1 /*
2 * Copyright (c) 2001, 2011, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation.
8 *
9 * This code is distributed in the hope that it will be useful, but WITHOUT
10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * version 2 for more details (a copy is included in the LICENSE file that
13 * accompanied this code).
14 *
15 * You should have received a copy of the GNU General Public License version
16 * 2 along with this work; if not, write to the Free Software Foundation,
17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18 *
19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20 * or visit www.oracle.com if you need additional information or have any
21 * questions.
22 */
23
24 // SunJSSE does not support dynamic system properties, no way to re-use
25 // system properties in samevm/agentvm mode.
26
27 /*
28 * @test
29 * @bug 4329114
30 * @summary Need better way of reflecting the reason when a chain is
31 * rejected as untrusted.
32 * @ignore JSSE supports algorithm constraints with CR 6916074,
33 * need to update this test case in JDK 7 soon
34 * @run main/othervm CheckMyTrustedKeystore
35 *
36 * @author Brad Wetmore
37 */
38
39 // This is a serious hack job!
40
41 import java.io.*;
42 import java.net.*;
43 import java.security.*;
44 import javax.net.ssl.*;
45 import java.security.cert.*;
46
47 public class CheckMyTrustedKeystore {
48
49 /*
50 * =============================================================
51 * Set the various variables needed for the tests, then
52 * specify what tests to run on each side.
53 */
54
55 /*
56 * Should we run the client or server in a separate thread?
57 * Both sides can throw exceptions, but do you have a preference
58 * as to which side should be the main thread.
59 */
60 static boolean separateServerThread = true;
61
62 /*
63 * Where do we find the keystores?
64 */
65 final static String pathToStores = "../etc";
66 final static String keyStoreFile = "keystore";
67 final static String trustStoreFile = "truststore";
68 final static String unknownStoreFile = "unknown_keystore";
69 final static String passwd = "passphrase";
70 final static char[] cpasswd = "passphrase".toCharArray();
71
72 /*
73 * Is the server ready to serve?
74 */
75 volatile static boolean serverReady = false;
76
77 /*
78 * Turn on SSL debugging?
79 */
80 final static boolean debug = false;
81
82 /*
83 * If the client or server is doing some kind of object creation
84 * that the other side depends on, and that thread prematurely
85 * exits, you may experience a hang. The test harness will
86 * terminate all hung threads after its timeout has expired,
87 * currently 3 minutes by default, but you might try to be
88 * smart about it....
89 */
90
91 /*
92 * Define the server side of the test.
93 *
94 * If the server prematurely exits, serverReady will be set to true
95 * to avoid infinite hangs.
96 */
97 void doServerSide() throws Exception {
98 KeyStore ks = KeyStore.getInstance("JKS");
99 com.sun.net.ssl.SSLContext ctx =
100 com.sun.net.ssl.SSLContext.getInstance("TLS");
101 com.sun.net.ssl.KeyManagerFactory kmf =
102 com.sun.net.ssl.KeyManagerFactory.getInstance("SunX509");
103
104 ks.load(new FileInputStream(keyFilename), cpasswd);
105 kmf.init(ks, cpasswd);
106
107 com.sun.net.ssl.TrustManager [] tms =
108 new com.sun.net.ssl.TrustManager []
109 { new MyComX509TrustManager() };
110
111 ctx.init(kmf.getKeyManagers(), tms, null);
112
113 SSLServerSocketFactory sslssf =
114 (SSLServerSocketFactory) ctx.getServerSocketFactory();
115
116 SSLServerSocket sslServerSocket =
117 (SSLServerSocket) sslssf.createServerSocket(serverPort);
118 serverPort = sslServerSocket.getLocalPort();
119
120 sslServerSocket.setNeedClientAuth(true);
121
122 /*
123 * Create using the other type.
124 */
125 SSLContext ctx1 =
126 SSLContext.getInstance("TLS");
127 KeyManagerFactory kmf1 =
128 KeyManagerFactory.getInstance("SunX509");
129
130 TrustManager [] tms1 =
131 new TrustManager []
132 { new MyJavaxX509TrustManager() };
133
134 kmf1.init(ks, cpasswd);
135
136 ctx1.init(kmf1.getKeyManagers(), tms1, null);
137
138 sslssf = (SSLServerSocketFactory) ctx1.getServerSocketFactory();
139
140 SSLServerSocket sslServerSocket1 =
141 (SSLServerSocket) sslssf.createServerSocket(serverPort1);
142 serverPort1 = sslServerSocket1.getLocalPort();
143 sslServerSocket1.setNeedClientAuth(true);
144
145 /*
146 * Signal Client, we're ready for his connect.
147 */
148 serverReady = true;
149
150 SSLSocket sslSocket = (SSLSocket) sslServerSocket.accept();
151 sslServerSocket.close();
152 serverReady = false;
153
154 InputStream sslIS = sslSocket.getInputStream();
155 OutputStream sslOS = sslSocket.getOutputStream();
156
157 sslIS.read();
158 sslOS.write(85);
159 sslOS.flush();
160 sslSocket.close();
161
162 sslSocket = (SSLSocket) sslServerSocket1.accept();
163 sslIS = sslSocket.getInputStream();
164 sslOS = sslSocket.getOutputStream();
165
166 sslIS.read();
167 sslOS.write(85);
168 sslOS.flush();
169 sslSocket.close();
170
171 System.out.println("Server exiting!");
172 System.out.flush();
173 }
174
175 void doTest(SSLSocket sslSocket) throws Exception {
176 InputStream sslIS = sslSocket.getInputStream();
177 OutputStream sslOS = sslSocket.getOutputStream();
178
179 System.out.println(" Writing");
180 sslOS.write(280);
181 sslOS.flush();
182 System.out.println(" Reading");
183 sslIS.read();
184
185 sslSocket.close();
186 }
187
188 /*
189 * Define the client side of the test.
190 *
191 * If the server prematurely exits, serverReady will be set to true
192 * to avoid infinite hangs.
193 */
194 void doClientSide() throws Exception {
195
196 /*
197 * Wait for server to get started.
198 */
199 while (!serverReady) {
200 Thread.sleep(50);
201 }
202
203 /*
204 * See if an unknown keystore actually gets checked ok.
205 */
206 System.out.println("==============");
207 System.out.println("Starting test0");
208 KeyStore uks = KeyStore.getInstance("JKS");
209 SSLContext ctx =
210 SSLContext.getInstance("TLS");
211 KeyManagerFactory kmf =
212 KeyManagerFactory.getInstance("SunX509");
213
214 uks.load(new FileInputStream(unknownFilename), cpasswd);
215 kmf.init(uks, cpasswd);
216
217 TrustManager [] tms = new TrustManager []
218 { new MyJavaxX509TrustManager() };
219
220 ctx.init(kmf.getKeyManagers(), tms, null);
221
222 SSLSocketFactory sslsf =
223 (SSLSocketFactory) ctx.getSocketFactory();
224
225 System.out.println("Trying first socket " + serverPort);
226 SSLSocket sslSocket = (SSLSocket)
227 sslsf.createSocket("localhost", serverPort);
228
229 doTest(sslSocket);
230
231 /*
232 * Now try the other way.
233 */
234 com.sun.net.ssl.SSLContext ctx1 =
235 com.sun.net.ssl.SSLContext.getInstance("TLS");
236 com.sun.net.ssl.KeyManagerFactory kmf1 =
237 com.sun.net.ssl.KeyManagerFactory.getInstance("SunX509");
238 kmf1.init(uks, cpasswd);
239
240 com.sun.net.ssl.TrustManager [] tms1 =
241 new com.sun.net.ssl.TrustManager []
242 { new MyComX509TrustManager() };
243
244 ctx1.init(kmf1.getKeyManagers(), tms1, null);
245
246 sslsf = (SSLSocketFactory) ctx1.getSocketFactory();
247
248 System.out.println("Trying second socket " + serverPort1);
249 sslSocket = (SSLSocket) sslsf.createSocket("localhost",
250 serverPort1);
251
252 doTest(sslSocket);
253 System.out.println("Completed test1");
254 }
255
256 /*
257 * =============================================================
258 * The remainder is just support stuff
259 */
260
261 int serverPort = 0;
262 int serverPort1 = 0;
263
264 volatile Exception serverException = null;
265 volatile Exception clientException = null;
266
267 final static String keyFilename =
268 System.getProperty("test.src", "./") + "/" + pathToStores +
269 "/" + keyStoreFile;
270 final static String unknownFilename =
271 System.getProperty("test.src", "./") + "/" + pathToStores +
272 "/" + unknownStoreFile;
273
274 public static void main(String[] args) throws Exception {
275
276 if (debug)
277 System.setProperty("javax.net.debug", "all");
278
279 /*
280 * Start the tests.
281 */
282 new CheckMyTrustedKeystore();
283 }
284
285 Thread clientThread = null;
286 Thread serverThread = null;
287
288 /*
289 * Primary constructor, used to drive remainder of the test.
290 *
291 * Fork off the other side, then do your work.
292 */
293 CheckMyTrustedKeystore() throws Exception {
294 if (separateServerThread) {
295 startServer(true);
296 startClient(false);
297 } else {
298 startClient(true);
299 startServer(false);
300 }
301
302 /*
303 * Wait for other side to close down.
304 */
305 if (separateServerThread) {
306 serverThread.join();
307 } else {
308 clientThread.join();
309 }
310
311 /*
312 * When we get here, the test is pretty much over.
313 *
314 * If the main thread excepted, that propagates back
315 * immediately. If the other thread threw an exception, we
316 * should report back.
317 */
318 if (serverException != null) {
319 System.out.print("Server Exception:");
320 throw serverException;
321 }
322 if (clientException != null) {
323 System.out.print("Client Exception:");
324 throw clientException;
325 }
326 }
327
328 void startServer(boolean newThread) throws Exception {
329 if (newThread) {
330 serverThread = new Thread() {
331 public void run() {
332 try {
333 doServerSide();
334 } catch (Exception e) {
335 /*
336 * Our server thread just died.
337 *
338 * Release the client, if not active already...
339 */
340 System.err.println("Server died...");
341 serverReady = true;
342 serverException = e;
343 }
344 }
345 };
346 serverThread.start();
347 } else {
348 doServerSide();
349 }
350 }
351
352 void startClient(boolean newThread) throws Exception {
353 if (newThread) {
354 clientThread = new Thread() {
355 public void run() {
356 try {
357 doClientSide();
358 } catch (Exception e) {
359 /*
360 * Our client thread just died.
361 */
362 System.err.println("Client died...");
363 clientException = e;
364 }
365 }
366 };
367 clientThread.start();
368 } else {
369 doClientSide();
370 }
371 }
372 }
373
374 class MyComX509TrustManager implements com.sun.net.ssl.X509TrustManager {
375
376 public X509Certificate[] getAcceptedIssuers() {
377 return (new X509Certificate[0]);
378 }
379
380 public boolean isClientTrusted(X509Certificate[] chain) {
381 System.out.println(" IsClientTrusted?");
382 return true;
383 }
384
385 public boolean isServerTrusted(X509Certificate[] chain) {
386 System.out.println(" IsServerTrusted?");
387 return true;
388 }
389 }
390
391 class MyJavaxX509TrustManager implements X509TrustManager {
392
393 public X509Certificate[] getAcceptedIssuers() {
394 return (new X509Certificate[0]);
395 }
396
397 public void checkClientTrusted(X509Certificate[] chain, String authType)
398 throws CertificateException {
399 System.out.println(" CheckClientTrusted(" + authType + ")?");
400 }
401
402 public void checkServerTrusted(X509Certificate[] chain, String authType)
403 throws CertificateException {
404 System.out.println(" CheckServerTrusted(" + authType + ")?");
405 }
406 }