1 /* 2 * Copyright (c) 2001, 2011, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. 8 * 9 * This code is distributed in the hope that it will be useful, but WITHOUT 10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 12 * version 2 for more details (a copy is included in the LICENSE file that 13 * accompanied this code). 14 * 15 * You should have received a copy of the GNU General Public License version 16 * 2 along with this work; if not, write to the Free Software Foundation, 17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 18 * 19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 20 * or visit www.oracle.com if you need additional information or have any 21 * questions. 22 */ 23 24 // SunJSSE does not support dynamic system properties, no way to re-use 25 // system properties in samevm/agentvm mode. 26 27 /* 28 * @test 29 * @bug 4329114 30 * @summary Need better way of reflecting the reason when a chain is 31 * rejected as untrusted. 32 * @ignore JSSE supports algorithm constraints with CR 6916074, 33 * need to update this test case in JDK 7 soon 34 * @run main/othervm CheckMyTrustedKeystore 35 * 36 * @author Brad Wetmore 37 */ 38 39 // This is a serious hack job! 40 41 import java.io.*; 42 import java.net.*; 43 import java.security.*; 44 import javax.net.ssl.*; 45 import java.security.cert.*; 46 47 public class CheckMyTrustedKeystore { 48 49 /* 50 * ============================================================= 51 * Set the various variables needed for the tests, then 52 * specify what tests to run on each side. 53 */ 54 55 /* 56 * Should we run the client or server in a separate thread? 57 * Both sides can throw exceptions, but do you have a preference 58 * as to which side should be the main thread. 59 */ 60 static boolean separateServerThread = true; 61 62 /* 63 * Where do we find the keystores? 64 */ 65 final static String pathToStores = "../etc"; 66 final static String keyStoreFile = "keystore"; 67 final static String trustStoreFile = "truststore"; 68 final static String unknownStoreFile = "unknown_keystore"; 69 final static String passwd = "passphrase"; 70 final static char[] cpasswd = "passphrase".toCharArray(); 71 72 /* 73 * Is the server ready to serve? 74 */ 75 volatile static boolean serverReady = false; 76 77 /* 78 * Turn on SSL debugging? 79 */ 80 final static boolean debug = false; 81 82 /* 83 * If the client or server is doing some kind of object creation 84 * that the other side depends on, and that thread prematurely 85 * exits, you may experience a hang. The test harness will 86 * terminate all hung threads after its timeout has expired, 87 * currently 3 minutes by default, but you might try to be 88 * smart about it.... 89 */ 90 91 /* 92 * Define the server side of the test. 93 * 94 * If the server prematurely exits, serverReady will be set to true 95 * to avoid infinite hangs. 96 */ 97 void doServerSide() throws Exception { 98 KeyStore ks = KeyStore.getInstance("JKS"); 99 com.sun.net.ssl.SSLContext ctx = 100 com.sun.net.ssl.SSLContext.getInstance("TLS"); 101 com.sun.net.ssl.KeyManagerFactory kmf = 102 com.sun.net.ssl.KeyManagerFactory.getInstance("SunX509"); 103 104 ks.load(new FileInputStream(keyFilename), cpasswd); 105 kmf.init(ks, cpasswd); 106 107 com.sun.net.ssl.TrustManager [] tms = 108 new com.sun.net.ssl.TrustManager [] 109 { new MyComX509TrustManager() }; 110 111 ctx.init(kmf.getKeyManagers(), tms, null); 112 113 SSLServerSocketFactory sslssf = 114 (SSLServerSocketFactory) ctx.getServerSocketFactory(); 115 116 SSLServerSocket sslServerSocket = 117 (SSLServerSocket) sslssf.createServerSocket(serverPort); 118 serverPort = sslServerSocket.getLocalPort(); 119 120 sslServerSocket.setNeedClientAuth(true); 121 122 /* 123 * Create using the other type. 124 */ 125 SSLContext ctx1 = 126 SSLContext.getInstance("TLS"); 127 KeyManagerFactory kmf1 = 128 KeyManagerFactory.getInstance("SunX509"); 129 130 TrustManager [] tms1 = 131 new TrustManager [] 132 { new MyJavaxX509TrustManager() }; 133 134 kmf1.init(ks, cpasswd); 135 136 ctx1.init(kmf1.getKeyManagers(), tms1, null); 137 138 sslssf = (SSLServerSocketFactory) ctx1.getServerSocketFactory(); 139 140 SSLServerSocket sslServerSocket1 = 141 (SSLServerSocket) sslssf.createServerSocket(serverPort1); 142 serverPort1 = sslServerSocket1.getLocalPort(); 143 sslServerSocket1.setNeedClientAuth(true); 144 145 /* 146 * Signal Client, we're ready for his connect. 147 */ 148 serverReady = true; 149 150 SSLSocket sslSocket = (SSLSocket) sslServerSocket.accept(); 151 sslServerSocket.close(); 152 serverReady = false; 153 154 InputStream sslIS = sslSocket.getInputStream(); 155 OutputStream sslOS = sslSocket.getOutputStream(); 156 157 sslIS.read(); 158 sslOS.write(85); 159 sslOS.flush(); 160 sslSocket.close(); 161 162 sslSocket = (SSLSocket) sslServerSocket1.accept(); 163 sslIS = sslSocket.getInputStream(); 164 sslOS = sslSocket.getOutputStream(); 165 166 sslIS.read(); 167 sslOS.write(85); 168 sslOS.flush(); 169 sslSocket.close(); 170 171 System.out.println("Server exiting!"); 172 System.out.flush(); 173 } 174 175 void doTest(SSLSocket sslSocket) throws Exception { 176 InputStream sslIS = sslSocket.getInputStream(); 177 OutputStream sslOS = sslSocket.getOutputStream(); 178 179 System.out.println(" Writing"); 180 sslOS.write(280); 181 sslOS.flush(); 182 System.out.println(" Reading"); 183 sslIS.read(); 184 185 sslSocket.close(); 186 } 187 188 /* 189 * Define the client side of the test. 190 * 191 * If the server prematurely exits, serverReady will be set to true 192 * to avoid infinite hangs. 193 */ 194 void doClientSide() throws Exception { 195 196 /* 197 * Wait for server to get started. 198 */ 199 while (!serverReady) { 200 Thread.sleep(50); 201 } 202 203 /* 204 * See if an unknown keystore actually gets checked ok. 205 */ 206 System.out.println("=============="); 207 System.out.println("Starting test0"); 208 KeyStore uks = KeyStore.getInstance("JKS"); 209 SSLContext ctx = 210 SSLContext.getInstance("TLS"); 211 KeyManagerFactory kmf = 212 KeyManagerFactory.getInstance("SunX509"); 213 214 uks.load(new FileInputStream(unknownFilename), cpasswd); 215 kmf.init(uks, cpasswd); 216 217 TrustManager [] tms = new TrustManager [] 218 { new MyJavaxX509TrustManager() }; 219 220 ctx.init(kmf.getKeyManagers(), tms, null); 221 222 SSLSocketFactory sslsf = 223 (SSLSocketFactory) ctx.getSocketFactory(); 224 225 System.out.println("Trying first socket " + serverPort); 226 SSLSocket sslSocket = (SSLSocket) 227 sslsf.createSocket("localhost", serverPort); 228 229 doTest(sslSocket); 230 231 /* 232 * Now try the other way. 233 */ 234 com.sun.net.ssl.SSLContext ctx1 = 235 com.sun.net.ssl.SSLContext.getInstance("TLS"); 236 com.sun.net.ssl.KeyManagerFactory kmf1 = 237 com.sun.net.ssl.KeyManagerFactory.getInstance("SunX509"); 238 kmf1.init(uks, cpasswd); 239 240 com.sun.net.ssl.TrustManager [] tms1 = 241 new com.sun.net.ssl.TrustManager [] 242 { new MyComX509TrustManager() }; 243 244 ctx1.init(kmf1.getKeyManagers(), tms1, null); 245 246 sslsf = (SSLSocketFactory) ctx1.getSocketFactory(); 247 248 System.out.println("Trying second socket " + serverPort1); 249 sslSocket = (SSLSocket) sslsf.createSocket("localhost", 250 serverPort1); 251 252 doTest(sslSocket); 253 System.out.println("Completed test1"); 254 } 255 256 /* 257 * ============================================================= 258 * The remainder is just support stuff 259 */ 260 261 int serverPort = 0; 262 int serverPort1 = 0; 263 264 volatile Exception serverException = null; 265 volatile Exception clientException = null; 266 267 final static String keyFilename = 268 System.getProperty("test.src", "./") + "/" + pathToStores + 269 "/" + keyStoreFile; 270 final static String unknownFilename = 271 System.getProperty("test.src", "./") + "/" + pathToStores + 272 "/" + unknownStoreFile; 273 274 public static void main(String[] args) throws Exception { 275 276 if (debug) 277 System.setProperty("javax.net.debug", "all"); 278 279 /* 280 * Start the tests. 281 */ 282 new CheckMyTrustedKeystore(); 283 } 284 285 Thread clientThread = null; 286 Thread serverThread = null; 287 288 /* 289 * Primary constructor, used to drive remainder of the test. 290 * 291 * Fork off the other side, then do your work. 292 */ 293 CheckMyTrustedKeystore() throws Exception { 294 if (separateServerThread) { 295 startServer(true); 296 startClient(false); 297 } else { 298 startClient(true); 299 startServer(false); 300 } 301 302 /* 303 * Wait for other side to close down. 304 */ 305 if (separateServerThread) { 306 serverThread.join(); 307 } else { 308 clientThread.join(); 309 } 310 311 /* 312 * When we get here, the test is pretty much over. 313 * 314 * If the main thread excepted, that propagates back 315 * immediately. If the other thread threw an exception, we 316 * should report back. 317 */ 318 if (serverException != null) { 319 System.out.print("Server Exception:"); 320 throw serverException; 321 } 322 if (clientException != null) { 323 System.out.print("Client Exception:"); 324 throw clientException; 325 } 326 } 327 328 void startServer(boolean newThread) throws Exception { 329 if (newThread) { 330 serverThread = new Thread() { 331 public void run() { 332 try { 333 doServerSide(); 334 } catch (Exception e) { 335 /* 336 * Our server thread just died. 337 * 338 * Release the client, if not active already... 339 */ 340 System.err.println("Server died..."); 341 serverReady = true; 342 serverException = e; 343 } 344 } 345 }; 346 serverThread.start(); 347 } else { 348 doServerSide(); 349 } 350 } 351 352 void startClient(boolean newThread) throws Exception { 353 if (newThread) { 354 clientThread = new Thread() { 355 public void run() { 356 try { 357 doClientSide(); 358 } catch (Exception e) { 359 /* 360 * Our client thread just died. 361 */ 362 System.err.println("Client died..."); 363 clientException = e; 364 } 365 } 366 }; 367 clientThread.start(); 368 } else { 369 doClientSide(); 370 } 371 } 372 } 373 374 class MyComX509TrustManager implements com.sun.net.ssl.X509TrustManager { 375 376 public X509Certificate[] getAcceptedIssuers() { 377 return (new X509Certificate[0]); 378 } 379 380 public boolean isClientTrusted(X509Certificate[] chain) { 381 System.out.println(" IsClientTrusted?"); 382 return true; 383 } 384 385 public boolean isServerTrusted(X509Certificate[] chain) { 386 System.out.println(" IsServerTrusted?"); 387 return true; 388 } 389 } 390 391 class MyJavaxX509TrustManager implements X509TrustManager { 392 393 public X509Certificate[] getAcceptedIssuers() { 394 return (new X509Certificate[0]); 395 } 396 397 public void checkClientTrusted(X509Certificate[] chain, String authType) 398 throws CertificateException { 399 System.out.println(" CheckClientTrusted(" + authType + ")?"); 400 } 401 402 public void checkServerTrusted(X509Certificate[] chain, String authType) 403 throws CertificateException { 404 System.out.println(" CheckServerTrusted(" + authType + ")?"); 405 } 406 }