1 /* 2 * Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 // 27 // SunJSSE does not support dynamic system properties, no way to re-use 28 // system properties in samevm/agentvm mode. 29 // 30 31 /* 32 * @test 33 * @bug 7113275 34 * @summary compatibility issue with MD2 trust anchor and old X509TrustManager 35 * @run main/othervm MD2InTrustAnchor PKIX TLSv1.1 36 * @run main/othervm MD2InTrustAnchor SunX509 TLSv1.1 37 * @run main/othervm MD2InTrustAnchor PKIX TLSv1.2 38 * @run main/othervm MD2InTrustAnchor SunX509 TLSv1.2 39 */ 40 import java.io.ByteArrayInputStream; 41 import java.io.InputStream; 42 import java.io.OutputStream; 43 import javax.net.ssl.*; 44 import java.security.Security; 45 import java.security.KeyStore; 46 import java.security.KeyFactory; 47 import java.security.cert.Certificate; 48 import java.security.cert.CertificateFactory; 49 import java.security.interfaces.RSAPrivateKey; 50 import java.security.spec.PKCS8EncodedKeySpec; 51 import java.util.Base64; 52 import java.util.concurrent.CountDownLatch; 53 54 public class MD2InTrustAnchor { 55 56 /* 57 * Certificates and key used in the test. 58 */ 59 // It's a trust anchor signed with MD2 hash function. 60 static final String TRUSTED_CERT_STR 61 = "-----BEGIN CERTIFICATE-----\n" 62 + "MIICkjCCAfugAwIBAgIBADANBgkqhkiG9w0BAQIFADA7MQswCQYDVQQGEwJVUzEN\n" 63 + "MAsGA1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2Y2UwHhcN\n" 64 + "MTExMTE4MTExNDA0WhcNMzIxMDI4MTExNDA0WjA7MQswCQYDVQQGEwJVUzENMAsG\n" 65 + "A1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2Y2UwgZ8wDQYJ\n" 66 + "KoZIhvcNAQEBBQADgY0AMIGJAoGBAPGyB9tugUGgxtdeqe0qJEwf9x1Gy4BOi1yR\n" 67 + "wzDZY4H5LquvIfQ2V3J9X1MQENVsFvkvp65ZcFcy+ObOucXUUPFcd/iw2DVb5QXA\n" 68 + "ffyeVqWD56GPi8Qe37wrJO3L6fBhN9oxp/BbdRLgjU81zx8qLEyPODhPMxV4OkcA\n" 69 + "SDwZTSxxAgMBAAGjgaUwgaIwHQYDVR0OBBYEFLOAtr/YrYj9H04EDLA0fd14jisF\n" 70 + "MGMGA1UdIwRcMFqAFLOAtr/YrYj9H04EDLA0fd14jisFoT+kPTA7MQswCQYDVQQG\n" 71 + "EwJVUzENMAsGA1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2\n" 72 + "Y2WCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEC\n" 73 + "BQADgYEAr8ExpXu/FTIRiMzPm0ubqwME4lniilwQUiEOD/4DbksNjEIcUyS2hIk1\n" 74 + "qsmjJz3SHBnwhxl9dhJVwk2tZLkPGW86Zn0TPVRsttK4inTgCC9GFGeqQBdrU/uf\n" 75 + "lipBzXWljrfbg4N/kK8m2LabtKUMMnGysM8rN0Fx2PYm5xxGvtM=\n" 76 + "-----END CERTIFICATE-----"; 77 78 // The certificate issued by above trust anchor, signed with MD5 79 static final String TARGET_CERT_STR 80 = "-----BEGIN CERTIFICATE-----\n" 81 + "MIICeDCCAeGgAwIBAgIBAjANBgkqhkiG9w0BAQQFADA7MQswCQYDVQQGEwJVUzEN\n" 82 + "MAsGA1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2Y2UwHhcN\n" 83 + "MTExMTE4MTExNDA2WhcNMzEwODA1MTExNDA2WjBPMQswCQYDVQQGEwJVUzENMAsG\n" 84 + "A1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2Y2UxEjAQBgNV\n" 85 + "BAMTCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwDnm96mw\n" 86 + "fXCH4bgXk1US0VcJsQVxUtGMyncAveMuzBzNzOmKZPeqyYX1Fuh4q+cuza03WTJd\n" 87 + "G9nOkNr364e3Rn1aaHjCMcBmFflObnGnhhufNmIGYogJ9dJPmhUVPEVAXrMG+Ces\n" 88 + "NKy2E8woGnLMrqu6yiuTClbLBPK8fWzTXrECAwEAAaN4MHYwCwYDVR0PBAQDAgPo\n" 89 + "MB0GA1UdDgQWBBSdRrpocLPJXyGfDmMWJrcEf29WGDAfBgNVHSMEGDAWgBSzgLa/\n" 90 + "2K2I/R9OBAywNH3deI4rBTAnBgNVHSUEIDAeBggrBgEFBQcDAQYIKwYBBQUHAwIG\n" 91 + "CCsGAQUFBwMDMA0GCSqGSIb3DQEBBAUAA4GBAKJ71ZiCUykkJrCLYUxlFlhvUcr9\n" 92 + "sTcOc67QdroW5f412NI15SXWDiley/JOasIiuIFPjaJBjOKoHOvTjG/snVu9wEgq\n" 93 + "YNR8dPsO+NM8r79C6jO+Jx5fYAC7os2XxS75h3NX0ElJcbwIXGBJ6xRrsFh/BGYH\n" 94 + "yvudOlX4BkVR0l1K\n" 95 + "-----END CERTIFICATE-----"; 96 97 // Private key in the format of PKCS#8. 98 static final String TARGET_PRIV_KEY_STR 99 = "MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAMA55vepsH1wh+G4\n" 100 + "F5NVEtFXCbEFcVLRjMp3AL3jLswczczpimT3qsmF9RboeKvnLs2tN1kyXRvZzpDa\n" 101 + "9+uHt0Z9Wmh4wjHAZhX5Tm5xp4YbnzZiBmKICfXST5oVFTxFQF6zBvgnrDSsthPM\n" 102 + "KBpyzK6rusorkwpWywTyvH1s016xAgMBAAECgYEAn9bF3oRkdDoBU0i/mcww5I+K\n" 103 + "SH9tFt+WQbiojjz9ac49trkvUfu7MO1Jui2+QbrvaSkyj+HYGFOJd1wMsPXeB7ck\n" 104 + "5mOIYV4uZK8jfNMSQ8v0tFEeIPp5lKdw1XnrQfSe+abo2eL5Lwso437Y4s3w37+H\n" 105 + "aY3d76hR5qly+Ys+Ww0CQQDjeOoX89d/xhRqGXKjCx8ImE/dPmsI8O27cwtKrDYJ\n" 106 + "6t0v/xryVIdvOYcRBvKnqEogOH7T1kI+LnWKUTJ2ehJ7AkEA2FVloPVqCehXcc7e\n" 107 + "z3TDpU9w1B0JXklcV5HddYsRqp9RukN/VK4szKE7F1yoarIUtfE9Lr9082Jwyp3M\n" 108 + "L11xwwJBAKsZ+Hur3x0tUY29No2Nf/pnFyvEF57SGwA0uPmiL8Ol9lpz+UDudDEl\n" 109 + "hIM6Rqv12kwCMuQE9i7vo1o3WU3k5KECQEqhg1L49yD935TqiiFFpe0Ur9btQXse\n" 110 + "kdXAA4d2d5zGI7q/aGD9SYU6phkUJSHR16VA2RuUfzMrpb+wmm1IrmMCQFtLoKRT\n" 111 + "A5kokFb+E3Gplu29tJvCUpfwgBFRS+wmkvtiaU/tiyDcVgDO+An5DwedxxdVzqiE\n" 112 + "njWHoKY3axDQ8OU=\n"; 113 114 static final char PASSPHRASE[] = "passphrase".toCharArray(); 115 116 /* 117 * Is the server ready to serve? 118 */ 119 static volatile CountDownLatch sync = new CountDownLatch(1); 120 121 /* 122 * Turn on SSL debugging? 123 */ 124 static final boolean DEBUG = false; 125 126 /* 127 * Define the server side of the test. 128 * 129 * If the server prematurely exits, serverReady will be set to true 130 * to avoid infinite hangs. 131 */ 132 void doServerSide() throws Exception { 133 SSLContext context = generateSSLContext(TRUSTED_CERT_STR, TARGET_CERT_STR, 134 TARGET_PRIV_KEY_STR); 135 SSLServerSocketFactory sslssf = context.getServerSocketFactory(); 136 SSLServerSocket sslServerSocket 137 = (SSLServerSocket) sslssf.createServerSocket(serverPort); 138 sslServerSocket.setNeedClientAuth(true); 139 serverPort = sslServerSocket.getLocalPort(); 140 141 /* 142 * Signal Client, we're ready for his connect. 143 */ 144 System.out.println("Signal server ready"); 145 sync.countDown(); 146 147 System.out.println("Waiting for client connection"); 148 try (SSLSocket sslSocket = (SSLSocket) sslServerSocket.accept()) { 149 InputStream sslIS = sslSocket.getInputStream(); 150 OutputStream sslOS = sslSocket.getOutputStream(); 151 152 sslIS.read(); 153 sslOS.write('A'); 154 sslOS.flush(); 155 } 156 } 157 158 /* 159 * Define the client side of the test. 160 * 161 * If the server prematurely exits, serverReady will be set to true 162 * to avoid infinite hangs. 163 */ 164 void doClientSide() throws Exception { 165 166 /* 167 * Wait for server to get started. 168 */ 169 System.out.println("Waiting for server ready"); 170 sync.await(); 171 172 SSLContext context = generateSSLContext(TRUSTED_CERT_STR, TARGET_CERT_STR, 173 TARGET_PRIV_KEY_STR); 174 SSLSocketFactory sslsf = context.getSocketFactory(); 175 176 System.out.println("Connect to server on port: " + serverPort); 177 try (SSLSocket sslSocket 178 = (SSLSocket) sslsf.createSocket("localhost", serverPort)) { 179 // enable the specified TLS protocol 180 sslSocket.setEnabledProtocols(new String[]{tlsProtocol}); 181 182 InputStream sslIS = sslSocket.getInputStream(); 183 OutputStream sslOS = sslSocket.getOutputStream(); 184 185 sslOS.write('B'); 186 sslOS.flush(); 187 sslIS.read(); 188 } 189 } 190 191 /* 192 * ============================================================= 193 * The remainder is just support stuff 194 */ 195 private static String tmAlgorithm; // trust manager 196 private static String tlsProtocol; // trust manager 197 198 private static void parseArguments(String[] args) { 199 tmAlgorithm = args[0]; 200 tlsProtocol = args[1]; 201 } 202 203 private static SSLContext generateSSLContext(String trustedCertStr, 204 String keyCertStr, String keySpecStr) throws Exception { 205 206 // generate certificate from cert string 207 CertificateFactory cf = CertificateFactory.getInstance("X.509"); 208 209 // create a key store 210 KeyStore ks = KeyStore.getInstance("JKS"); 211 ks.load(null, null); 212 213 // import the trused cert 214 Certificate trusedCert = null; 215 ByteArrayInputStream is = null; 216 if (trustedCertStr != null) { 217 is = new ByteArrayInputStream(trustedCertStr.getBytes()); 218 trusedCert = cf.generateCertificate(is); 219 is.close(); 220 221 ks.setCertificateEntry("RSA Export Signer", trusedCert); 222 } 223 224 if (keyCertStr != null) { 225 // generate the private key. 226 PKCS8EncodedKeySpec priKeySpec = new PKCS8EncodedKeySpec( 227 Base64.getMimeDecoder().decode(keySpecStr)); 228 KeyFactory kf = KeyFactory.getInstance("RSA"); 229 RSAPrivateKey priKey 230 = (RSAPrivateKey) kf.generatePrivate(priKeySpec); 231 232 // generate certificate chain 233 is = new ByteArrayInputStream(keyCertStr.getBytes()); 234 Certificate keyCert = cf.generateCertificate(is); 235 is.close(); 236 237 // It's not allowed to send MD2 signed certificate to peer, 238 // even it may be a trusted certificate. Then we will not 239 // place the trusted certficate in the chain. 240 Certificate[] chain = new Certificate[1]; 241 chain[0] = keyCert; 242 243 // import the key entry. 244 ks.setKeyEntry("Whatever", priKey, PASSPHRASE, chain); 245 } 246 247 // create SSL context 248 TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmAlgorithm); 249 tmf.init(ks); 250 251 SSLContext ctx = SSLContext.getInstance(tlsProtocol); 252 if (keyCertStr != null && !keyCertStr.isEmpty()) { 253 KeyManagerFactory kmf = KeyManagerFactory.getInstance("NewSunX509"); 254 kmf.init(ks, PASSPHRASE); 255 256 ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); 257 ks = null; 258 } else { 259 ctx.init(null, tmf.getTrustManagers(), null); 260 } 261 262 return ctx; 263 } 264 265 // use any free port by default 266 volatile int serverPort = 0; 267 268 volatile Exception serverException = null; 269 270 public static void main(String[] args) throws Exception { 271 // MD5 is used in this test case, don't disable MD5 algorithm. 272 Security.setProperty("jdk.certpath.disabledAlgorithms", 273 "MD2, RSA keySize < 1024"); 274 Security.setProperty("jdk.tls.disabledAlgorithms", 275 "SSLv3, RC4, DH keySize < 768"); 276 277 if (DEBUG) { 278 System.setProperty("javax.net.debug", "all"); 279 } 280 281 /* 282 * Get the customized arguments. 283 */ 284 parseArguments(args); 285 /* 286 * Start the tests. 287 */ 288 new MD2InTrustAnchor().runTest(); 289 } 290 291 Thread serverThread = null; 292 293 /* 294 * Used to drive remainder of the test. 295 * 296 * Fork off the other side, then do your work. 297 */ 298 void runTest() throws Exception { 299 startServerThread(); 300 doClientSide(); 301 302 /* 303 * Wait for other side to close down. 304 */ 305 serverThread.join(); 306 307 if (serverException != null) { 308 throw serverException; 309 } 310 } 311 312 void startServerThread() { 313 serverThread = new Thread() { 314 @Override 315 public void run() { 316 try { 317 doServerSide(); 318 } catch (Exception e) { 319 /* 320 * Our server thread just died. 321 * 322 * Release the client, if not active already... 323 */ 324 System.err.println("Server died..."); 325 e.printStackTrace(System.out); 326 serverException = e; 327 sync.countDown(); 328 } 329 } 330 }; 331 332 serverThread.start(); 333 } 334 }