1 /*
2 * Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 //
27 // SunJSSE does not support dynamic system properties, no way to re-use
28 // system properties in samevm/agentvm mode.
29 //
30
31 /*
32 * @test
33 * @bug 7113275
34 * @summary compatibility issue with MD2 trust anchor and old X509TrustManager
35 * @run main/othervm MD2InTrustAnchor PKIX TLSv1.1
36 * @run main/othervm MD2InTrustAnchor SunX509 TLSv1.1
37 * @run main/othervm MD2InTrustAnchor PKIX TLSv1.2
38 * @run main/othervm MD2InTrustAnchor SunX509 TLSv1.2
39 */
40 import java.io.ByteArrayInputStream;
41 import java.io.InputStream;
42 import java.io.OutputStream;
43 import javax.net.ssl.*;
44 import java.security.Security;
45 import java.security.KeyStore;
46 import java.security.KeyFactory;
47 import java.security.cert.Certificate;
48 import java.security.cert.CertificateFactory;
49 import java.security.interfaces.RSAPrivateKey;
50 import java.security.spec.PKCS8EncodedKeySpec;
51 import java.util.Base64;
52 import java.util.concurrent.CountDownLatch;
53
54 public class MD2InTrustAnchor {
55
56 /*
57 * Certificates and key used in the test.
58 */
59 // It's a trust anchor signed with MD2 hash function.
60 static final String TRUSTED_CERT_STR
61 = "-----BEGIN CERTIFICATE-----\n"
62 + "MIICkjCCAfugAwIBAgIBADANBgkqhkiG9w0BAQIFADA7MQswCQYDVQQGEwJVUzEN\n"
63 + "MAsGA1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2Y2UwHhcN\n"
64 + "MTExMTE4MTExNDA0WhcNMzIxMDI4MTExNDA0WjA7MQswCQYDVQQGEwJVUzENMAsG\n"
65 + "A1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2Y2UwgZ8wDQYJ\n"
66 + "KoZIhvcNAQEBBQADgY0AMIGJAoGBAPGyB9tugUGgxtdeqe0qJEwf9x1Gy4BOi1yR\n"
67 + "wzDZY4H5LquvIfQ2V3J9X1MQENVsFvkvp65ZcFcy+ObOucXUUPFcd/iw2DVb5QXA\n"
68 + "ffyeVqWD56GPi8Qe37wrJO3L6fBhN9oxp/BbdRLgjU81zx8qLEyPODhPMxV4OkcA\n"
69 + "SDwZTSxxAgMBAAGjgaUwgaIwHQYDVR0OBBYEFLOAtr/YrYj9H04EDLA0fd14jisF\n"
70 + "MGMGA1UdIwRcMFqAFLOAtr/YrYj9H04EDLA0fd14jisFoT+kPTA7MQswCQYDVQQG\n"
71 + "EwJVUzENMAsGA1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2\n"
72 + "Y2WCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEC\n"
73 + "BQADgYEAr8ExpXu/FTIRiMzPm0ubqwME4lniilwQUiEOD/4DbksNjEIcUyS2hIk1\n"
74 + "qsmjJz3SHBnwhxl9dhJVwk2tZLkPGW86Zn0TPVRsttK4inTgCC9GFGeqQBdrU/uf\n"
75 + "lipBzXWljrfbg4N/kK8m2LabtKUMMnGysM8rN0Fx2PYm5xxGvtM=\n"
76 + "-----END CERTIFICATE-----";
77
78 // The certificate issued by above trust anchor, signed with MD5
79 static final String TARGET_CERT_STR
80 = "-----BEGIN CERTIFICATE-----\n"
81 + "MIICeDCCAeGgAwIBAgIBAjANBgkqhkiG9w0BAQQFADA7MQswCQYDVQQGEwJVUzEN\n"
82 + "MAsGA1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2Y2UwHhcN\n"
83 + "MTExMTE4MTExNDA2WhcNMzEwODA1MTExNDA2WjBPMQswCQYDVQQGEwJVUzENMAsG\n"
84 + "A1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2Y2UxEjAQBgNV\n"
85 + "BAMTCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwDnm96mw\n"
86 + "fXCH4bgXk1US0VcJsQVxUtGMyncAveMuzBzNzOmKZPeqyYX1Fuh4q+cuza03WTJd\n"
87 + "G9nOkNr364e3Rn1aaHjCMcBmFflObnGnhhufNmIGYogJ9dJPmhUVPEVAXrMG+Ces\n"
88 + "NKy2E8woGnLMrqu6yiuTClbLBPK8fWzTXrECAwEAAaN4MHYwCwYDVR0PBAQDAgPo\n"
89 + "MB0GA1UdDgQWBBSdRrpocLPJXyGfDmMWJrcEf29WGDAfBgNVHSMEGDAWgBSzgLa/\n"
90 + "2K2I/R9OBAywNH3deI4rBTAnBgNVHSUEIDAeBggrBgEFBQcDAQYIKwYBBQUHAwIG\n"
91 + "CCsGAQUFBwMDMA0GCSqGSIb3DQEBBAUAA4GBAKJ71ZiCUykkJrCLYUxlFlhvUcr9\n"
92 + "sTcOc67QdroW5f412NI15SXWDiley/JOasIiuIFPjaJBjOKoHOvTjG/snVu9wEgq\n"
93 + "YNR8dPsO+NM8r79C6jO+Jx5fYAC7os2XxS75h3NX0ElJcbwIXGBJ6xRrsFh/BGYH\n"
94 + "yvudOlX4BkVR0l1K\n"
95 + "-----END CERTIFICATE-----";
96
97 // Private key in the format of PKCS#8.
98 static final String TARGET_PRIV_KEY_STR
99 = "MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAMA55vepsH1wh+G4\n"
100 + "F5NVEtFXCbEFcVLRjMp3AL3jLswczczpimT3qsmF9RboeKvnLs2tN1kyXRvZzpDa\n"
101 + "9+uHt0Z9Wmh4wjHAZhX5Tm5xp4YbnzZiBmKICfXST5oVFTxFQF6zBvgnrDSsthPM\n"
102 + "KBpyzK6rusorkwpWywTyvH1s016xAgMBAAECgYEAn9bF3oRkdDoBU0i/mcww5I+K\n"
103 + "SH9tFt+WQbiojjz9ac49trkvUfu7MO1Jui2+QbrvaSkyj+HYGFOJd1wMsPXeB7ck\n"
104 + "5mOIYV4uZK8jfNMSQ8v0tFEeIPp5lKdw1XnrQfSe+abo2eL5Lwso437Y4s3w37+H\n"
105 + "aY3d76hR5qly+Ys+Ww0CQQDjeOoX89d/xhRqGXKjCx8ImE/dPmsI8O27cwtKrDYJ\n"
106 + "6t0v/xryVIdvOYcRBvKnqEogOH7T1kI+LnWKUTJ2ehJ7AkEA2FVloPVqCehXcc7e\n"
107 + "z3TDpU9w1B0JXklcV5HddYsRqp9RukN/VK4szKE7F1yoarIUtfE9Lr9082Jwyp3M\n"
108 + "L11xwwJBAKsZ+Hur3x0tUY29No2Nf/pnFyvEF57SGwA0uPmiL8Ol9lpz+UDudDEl\n"
109 + "hIM6Rqv12kwCMuQE9i7vo1o3WU3k5KECQEqhg1L49yD935TqiiFFpe0Ur9btQXse\n"
110 + "kdXAA4d2d5zGI7q/aGD9SYU6phkUJSHR16VA2RuUfzMrpb+wmm1IrmMCQFtLoKRT\n"
111 + "A5kokFb+E3Gplu29tJvCUpfwgBFRS+wmkvtiaU/tiyDcVgDO+An5DwedxxdVzqiE\n"
112 + "njWHoKY3axDQ8OU=\n";
113
114 static final char PASSPHRASE[] = "passphrase".toCharArray();
115
116 /*
117 * Is the server ready to serve?
118 */
119 static volatile CountDownLatch sync = new CountDownLatch(1);
120
121 /*
122 * Turn on SSL debugging?
123 */
124 static final boolean DEBUG = false;
125
126 /*
127 * Define the server side of the test.
128 *
129 * If the server prematurely exits, serverReady will be set to true
130 * to avoid infinite hangs.
131 */
132 void doServerSide() throws Exception {
133 SSLContext context = generateSSLContext(TRUSTED_CERT_STR, TARGET_CERT_STR,
134 TARGET_PRIV_KEY_STR);
135 SSLServerSocketFactory sslssf = context.getServerSocketFactory();
136 SSLServerSocket sslServerSocket
137 = (SSLServerSocket) sslssf.createServerSocket(serverPort);
138 sslServerSocket.setNeedClientAuth(true);
139 serverPort = sslServerSocket.getLocalPort();
140
141 /*
142 * Signal Client, we're ready for his connect.
143 */
144 System.out.println("Signal server ready");
145 sync.countDown();
146
147 System.out.println("Waiting for client connection");
148 try (SSLSocket sslSocket = (SSLSocket) sslServerSocket.accept()) {
149 InputStream sslIS = sslSocket.getInputStream();
150 OutputStream sslOS = sslSocket.getOutputStream();
151
152 sslIS.read();
153 sslOS.write('A');
154 sslOS.flush();
155 }
156 }
157
158 /*
159 * Define the client side of the test.
160 *
161 * If the server prematurely exits, serverReady will be set to true
162 * to avoid infinite hangs.
163 */
164 void doClientSide() throws Exception {
165
166 /*
167 * Wait for server to get started.
168 */
169 System.out.println("Waiting for server ready");
170 sync.await();
171
172 SSLContext context = generateSSLContext(TRUSTED_CERT_STR, TARGET_CERT_STR,
173 TARGET_PRIV_KEY_STR);
174 SSLSocketFactory sslsf = context.getSocketFactory();
175
176 System.out.println("Connect to server on port: " + serverPort);
177 try (SSLSocket sslSocket
178 = (SSLSocket) sslsf.createSocket("localhost", serverPort)) {
179 // enable the specified TLS protocol
180 sslSocket.setEnabledProtocols(new String[]{tlsProtocol});
181
182 InputStream sslIS = sslSocket.getInputStream();
183 OutputStream sslOS = sslSocket.getOutputStream();
184
185 sslOS.write('B');
186 sslOS.flush();
187 sslIS.read();
188 }
189 }
190
191 /*
192 * =============================================================
193 * The remainder is just support stuff
194 */
195 private static String tmAlgorithm; // trust manager
196 private static String tlsProtocol; // trust manager
197
198 private static void parseArguments(String[] args) {
199 tmAlgorithm = args[0];
200 tlsProtocol = args[1];
201 }
202
203 private static SSLContext generateSSLContext(String trustedCertStr,
204 String keyCertStr, String keySpecStr) throws Exception {
205
206 // generate certificate from cert string
207 CertificateFactory cf = CertificateFactory.getInstance("X.509");
208
209 // create a key store
210 KeyStore ks = KeyStore.getInstance("JKS");
211 ks.load(null, null);
212
213 // import the trused cert
214 Certificate trusedCert = null;
215 ByteArrayInputStream is = null;
216 if (trustedCertStr != null) {
217 is = new ByteArrayInputStream(trustedCertStr.getBytes());
218 trusedCert = cf.generateCertificate(is);
219 is.close();
220
221 ks.setCertificateEntry("RSA Export Signer", trusedCert);
222 }
223
224 if (keyCertStr != null) {
225 // generate the private key.
226 PKCS8EncodedKeySpec priKeySpec = new PKCS8EncodedKeySpec(
227 Base64.getMimeDecoder().decode(keySpecStr));
228 KeyFactory kf = KeyFactory.getInstance("RSA");
229 RSAPrivateKey priKey
230 = (RSAPrivateKey) kf.generatePrivate(priKeySpec);
231
232 // generate certificate chain
233 is = new ByteArrayInputStream(keyCertStr.getBytes());
234 Certificate keyCert = cf.generateCertificate(is);
235 is.close();
236
237 // It's not allowed to send MD2 signed certificate to peer,
238 // even it may be a trusted certificate. Then we will not
239 // place the trusted certficate in the chain.
240 Certificate[] chain = new Certificate[1];
241 chain[0] = keyCert;
242
243 // import the key entry.
244 ks.setKeyEntry("Whatever", priKey, PASSPHRASE, chain);
245 }
246
247 // create SSL context
248 TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmAlgorithm);
249 tmf.init(ks);
250
251 SSLContext ctx = SSLContext.getInstance(tlsProtocol);
252 if (keyCertStr != null && !keyCertStr.isEmpty()) {
253 KeyManagerFactory kmf = KeyManagerFactory.getInstance("NewSunX509");
254 kmf.init(ks, PASSPHRASE);
255
256 ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
257 ks = null;
258 } else {
259 ctx.init(null, tmf.getTrustManagers(), null);
260 }
261
262 return ctx;
263 }
264
265 // use any free port by default
266 volatile int serverPort = 0;
267
268 volatile Exception serverException = null;
269
270 public static void main(String[] args) throws Exception {
271 // MD5 is used in this test case, don't disable MD5 algorithm.
272 Security.setProperty("jdk.certpath.disabledAlgorithms",
273 "MD2, RSA keySize < 1024");
274 Security.setProperty("jdk.tls.disabledAlgorithms",
275 "SSLv3, RC4, DH keySize < 768");
276
277 if (DEBUG) {
278 System.setProperty("javax.net.debug", "all");
279 }
280
281 /*
282 * Get the customized arguments.
283 */
284 parseArguments(args);
285 /*
286 * Start the tests.
287 */
288 new MD2InTrustAnchor().runTest();
289 }
290
291 Thread serverThread = null;
292
293 /*
294 * Used to drive remainder of the test.
295 *
296 * Fork off the other side, then do your work.
297 */
298 void runTest() throws Exception {
299 startServerThread();
300 doClientSide();
301
302 /*
303 * Wait for other side to close down.
304 */
305 serverThread.join();
306
307 if (serverException != null) {
308 throw serverException;
309 }
310 }
311
312 void startServerThread() {
313 serverThread = new Thread() {
314 @Override
315 public void run() {
316 try {
317 doServerSide();
318 } catch (Exception e) {
319 /*
320 * Our server thread just died.
321 *
322 * Release the client, if not active already...
323 */
324 System.err.println("Server died...");
325 e.printStackTrace(System.out);
326 serverException = e;
327 sync.countDown();
328 }
329 }
330 };
331
332 serverThread.start();
333 }
334 }