1 /*
   2  * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.
   8  *
   9  * This code is distributed in the hope that it will be useful, but WITHOUT
  10  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  11  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  12  * version 2 for more details (a copy is included in the LICENSE file that
  13  * accompanied this code).
  14  *
  15  * You should have received a copy of the GNU General Public License version
  16  * 2 along with this work; if not, write to the Free Software Foundation,
  17  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  18  *
  19  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  20  * or visit www.oracle.com if you need additional information or have any
  21  * questions.
  22  */
  23 
  24 //
  25 // SunJSSE does not support dynamic system properties, no way to re-use
  26 // system properties in samevm/agentvm mode.
  27 //
  28 
  29 /*
  30  * @test
  31  * @bug 4495742
  32  * @summary Demonstrate SSLEngine switch from no client auth to client auth.
  33  * @run main/othervm NoAuthClientAuth SSLv3
  34  * @run main/othervm NoAuthClientAuth TLSv1
  35  * @run main/othervm NoAuthClientAuth TLSv1.1
  36  * @run main/othervm NoAuthClientAuth TLSv1.2
  37  * @author Brad R. Wetmore
  38  */
  39 
  40 /**
  41  * A SSLEngine usage example which simplifies the presentation
  42  * by removing the I/O and multi-threading concerns.
  43  *
  44  * The test creates two SSLEngines, simulating a client and server.
  45  * The "transport" layer consists two byte buffers:  think of them
  46  * as directly connected pipes.
  47  *
  48  * Note, this is a *very* simple example: real code will be much more
  49  * involved.  For example, different threading and I/O models could be
  50  * used, transport mechanisms could close unexpectedly, and so on.
  51  *
  52  * When this application runs, notice that several messages
  53  * (wrap/unwrap) pass before any application data is consumed or
  54  * produced.  (For more information, please see the SSL/TLS
  55  * specifications.)  There may several steps for a successful handshake,
  56  * so it's typical to see the following series of operations:
  57  *
  58  *      client          server          message
  59  *      ======          ======          =======
  60  *      wrap()          ...             ClientHello
  61  *      ...             unwrap()        ClientHello
  62  *      ...             wrap()          ServerHello/Certificate
  63  *      unwrap()        ...             ServerHello/Certificate
  64  *      wrap()          ...             ClientKeyExchange
  65  *      wrap()          ...             ChangeCipherSpec
  66  *      wrap()          ...             Finished
  67  *      ...             unwrap()        ClientKeyExchange
  68  *      ...             unwrap()        ChangeCipherSpec
  69  *      ...             unwrap()        Finished
  70  *      ...             wrap()          ChangeCipherSpec
  71  *      ...             wrap()          Finished
  72  *      unwrap()        ...             ChangeCipherSpec
  73  *      unwrap()        ...             Finished
  74  *
  75  * In this example, we do a rehandshake and make sure that completes
  76  * correctly.
  77  */
  78 
  79 import javax.net.ssl.*;
  80 import javax.net.ssl.SSLEngineResult.*;
  81 import java.io.*;
  82 import java.security.*;
  83 import java.nio.*;
  84 
  85 // Note that this test case depends on JSSE provider implementation details.
  86 public class NoAuthClientAuth {
  87 
  88     /*
  89      * Enables logging of the SSLEngine operations.
  90      */
  91     private static boolean logging = true;
  92 
  93     /*
  94      * Enables the JSSE system debugging system property:
  95      *
  96      *     -Djavax.net.debug=all
  97      *
  98      * This gives a lot of low-level information about operations underway,
  99      * including specific handshake messages, and might be best examined
 100      * after gaining some familiarity with this application.
 101      */
 102     private static boolean debug = true;
 103 
 104     private SSLContext sslc;
 105 
 106     private SSLEngine clientEngine;     // client Engine
 107     private ByteBuffer clientOut;       // write side of clientEngine
 108     private ByteBuffer clientIn;        // read side of clientEngine
 109 
 110     private SSLEngine serverEngine;     // server Engine
 111     private ByteBuffer serverOut;       // write side of serverEngine
 112     private ByteBuffer serverIn;        // read side of serverEngine
 113 
 114     /*
 115      * For data transport, this example uses local ByteBuffers.  This
 116      * isn't really useful, but the purpose of this example is to show
 117      * SSLEngine concepts, not how to do network transport.
 118      */
 119     private ByteBuffer cTOs;            // "reliable" transport client->server
 120     private ByteBuffer sTOc;            // "reliable" transport server->client
 121 
 122     /*
 123      * The following is to set up the keystores.
 124      */
 125     private static String pathToStores = "../etc";
 126     private static String keyStoreFile = "keystore";
 127     private static String trustStoreFile = "truststore";
 128     private static String passwd = "passphrase";
 129 
 130     private static String keyFilename =
 131             System.getProperty("test.src", ".") + "/" + pathToStores +
 132                 "/" + keyStoreFile;
 133     private static String trustFilename =
 134             System.getProperty("test.src", ".") + "/" + pathToStores +
 135                 "/" + trustStoreFile;
 136     // the specified protocol
 137     private static String tlsProtocol;
 138 
 139     /*
 140      * Main entry point for this test.
 141      */
 142     public static void main(String args[]) throws Exception {
 143         Security.setProperty("jdk.tls.disabledAlgorithms", "");
 144 
 145         if (debug) {
 146             System.setProperty("javax.net.debug", "all");
 147         }
 148 
 149         tlsProtocol = args[0];
 150 
 151         NoAuthClientAuth test = new NoAuthClientAuth();
 152         test.runTest();
 153 
 154         System.out.println("Test Passed.");
 155     }
 156 
 157     /*
 158      * Create an initialized SSLContext to use for these tests.
 159      */
 160     public NoAuthClientAuth() throws Exception {
 161 
 162         KeyStore ks = KeyStore.getInstance("JKS");
 163         KeyStore ts = KeyStore.getInstance("JKS");
 164 
 165         char[] passphrase = "passphrase".toCharArray();
 166 
 167         ks.load(new FileInputStream(keyFilename), passphrase);
 168         ts.load(new FileInputStream(trustFilename), passphrase);
 169 
 170         KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
 171         kmf.init(ks, passphrase);
 172 
 173         TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
 174         tmf.init(ts);
 175 
 176         SSLContext sslCtx = SSLContext.getInstance("TLS");
 177 
 178         sslCtx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
 179 
 180         sslc = sslCtx;
 181     }
 182 
 183     /*
 184      * Run the test.
 185      *
 186      * Sit in a tight loop, both engines calling wrap/unwrap regardless
 187      * of whether data is available or not.  We do this until both engines
 188      * report back they are closed.
 189      *
 190      * The main loop handles all of the I/O phases of the SSLEngine's
 191      * lifetime:
 192      *
 193      *     initial handshaking
 194      *     application data transfer
 195      *     engine closing
 196      *
 197      * One could easily separate these phases into separate
 198      * sections of code.
 199      */
 200     private void runTest() throws Exception {
 201 
 202         createSSLEngines();
 203         createBuffers();
 204 
 205         SSLEngineResult clientResult;   // results from client's last operation
 206         SSLEngineResult serverResult;   // results from server's last operation
 207 
 208         /*
 209          * Examining the SSLEngineResults could be much more involved,
 210          * and may alter the overall flow of the application.
 211          *
 212          * For example, if we received a BUFFER_OVERFLOW when trying
 213          * to write to the output pipe, we could reallocate a larger
 214          * pipe, but instead we wait for the peer to drain it.
 215          */
 216         int hsCompleted = 0;
 217         while (!isEngineClosed(clientEngine) ||
 218                 !isEngineClosed(serverEngine)) {
 219 
 220             log("================");
 221 
 222             clientResult = clientEngine.wrap(clientOut, cTOs);
 223             log("client wrap: ", clientResult);
 224             runDelegatedTasks(clientResult, clientEngine);
 225             clientOut.rewind();
 226 
 227             serverResult = serverEngine.wrap(serverOut, sTOc);
 228             log("server wrap: ", serverResult);
 229             runDelegatedTasks(serverResult, serverEngine);
 230             serverOut.rewind();
 231 
 232             // Jeanfrancois:
 233             // Here is the main rehandshaking step.
 234             if (serverResult.getHandshakeStatus() ==
 235                     HandshakeStatus.FINISHED) {
 236                 hsCompleted++;
 237                 log("\t" + hsCompleted + " handshake completed");
 238                 if (hsCompleted == 1) {
 239                     try {
 240                         serverEngine.getSession().getPeerCertificates();
 241                         throw new Exception("Should have got exception");
 242                     } catch (SSLPeerUnverifiedException e) {
 243                         System.out.println("Caught proper exception." + e);
 244                     }
 245                     log("\tInvalidating session, setting client auth, " +
 246                         " starting rehandshake");
 247                     serverEngine.getSession().invalidate();
 248                     serverEngine.setNeedClientAuth(true);
 249                     serverEngine.beginHandshake();
 250                 } else if (hsCompleted == 2) {
 251                     java.security.cert.Certificate [] certs =
 252                         serverEngine.getSession().getPeerCertificates();
 253                     System.out.println("Client Certificate(s) received");
 254                     for (java.security.cert.Certificate c : certs) {
 255                         System.out.println(c);
 256                     }
 257 //                    log("Closing server.");
 258 //                    serverEngine.closeOutbound();
 259                 } // nothing.
 260             }
 261 
 262             cTOs.flip();
 263             sTOc.flip();
 264 
 265             log("----");
 266 
 267             if (!clientEngine.isInboundDone()) {
 268                 clientResult = clientEngine.unwrap(sTOc, clientIn);
 269                 log("client unwrap: ", clientResult);
 270                 runDelegatedTasks(clientResult, clientEngine);
 271                 clientIn.clear();
 272                 sTOc.compact();
 273             } else {
 274                 sTOc.clear();
 275             }
 276 
 277             if (!serverEngine.isInboundDone()) {
 278                 serverResult = serverEngine.unwrap(cTOs, serverIn);
 279                 log("server unwrap: ", serverResult);
 280                 runDelegatedTasks(serverResult, serverEngine);
 281                 serverIn.clear();
 282                 cTOs.compact();
 283             } else {
 284                 cTOs.clear();
 285             }
 286 
 287             if (hsCompleted == 2) {
 288                   log("Closing server.");
 289                   serverEngine.closeOutbound();
 290             }
 291         }
 292     }
 293 
 294     /*
 295      * Using the SSLContext created during object creation,
 296      * create/configure the SSLEngines we'll use for this test.
 297      */
 298     private void createSSLEngines() throws Exception {
 299         /*
 300          * Configure the serverEngine to act as a server in the SSL/TLS
 301          * handshake.  Also, require SSL client authentication.
 302          */
 303         serverEngine = sslc.createSSLEngine();
 304         serverEngine.setUseClientMode(false);
 305         serverEngine.setNeedClientAuth(false);
 306 





 307         /*
 308          * Similar to above, but using client mode instead.
 309          */
 310         clientEngine = sslc.createSSLEngine("client", 80);
 311         clientEngine.setUseClientMode(true);
 312         clientEngine.setEnabledProtocols(new String[] { tlsProtocol });
 313     }
 314 
 315     /*
 316      * Create and size the buffers appropriately.
 317      */
 318     private void createBuffers() {
 319 
 320         /*
 321          * We'll assume the buffer sizes are the same
 322          * between client and server.
 323          */
 324         SSLSession session = clientEngine.getSession();
 325         int appBufferMax = session.getApplicationBufferSize();
 326         int netBufferMax = session.getPacketBufferSize();
 327 
 328         /*
 329          * We'll make the input buffers a bit bigger than the max needed
 330          * size, so that unwrap()s following a successful data transfer
 331          * won't generate BUFFER_OVERFLOWS.
 332          *
 333          * We'll use a mix of direct and indirect ByteBuffers for
 334          * tutorial purposes only.  In reality, only use direct
 335          * ByteBuffers when they give a clear performance enhancement.
 336          */
 337         clientIn = ByteBuffer.allocate(appBufferMax + 50);
 338         serverIn = ByteBuffer.allocate(appBufferMax + 50);
 339 
 340         cTOs = ByteBuffer.allocateDirect(netBufferMax);
 341         sTOc = ByteBuffer.allocateDirect(netBufferMax);
 342 
 343         clientOut = ByteBuffer.wrap("Hi Server, I'm Client".getBytes());
 344         serverOut = ByteBuffer.wrap("Hello Client, I'm Server".getBytes());
 345     }
 346 
 347     /*
 348      * If the result indicates that we have outstanding tasks to do,
 349      * go ahead and run them in this thread.
 350      */
 351     private static void runDelegatedTasks(SSLEngineResult result,
 352             SSLEngine engine) throws Exception {
 353 
 354         if (result.getHandshakeStatus() == HandshakeStatus.NEED_TASK) {
 355             Runnable runnable;
 356             while ((runnable = engine.getDelegatedTask()) != null) {
 357                 log("\trunning delegated task...");
 358                 runnable.run();
 359             }
 360             HandshakeStatus hsStatus = engine.getHandshakeStatus();
 361             if (hsStatus == HandshakeStatus.NEED_TASK) {
 362                 throw new Exception(
 363                     "handshake shouldn't need additional tasks");
 364             }
 365             log("\tnew HandshakeStatus: " + hsStatus);
 366         }
 367     }
 368 
 369     private static boolean isEngineClosed(SSLEngine engine) {
 370         return (engine.isOutboundDone() && engine.isInboundDone());
 371     }
 372 
 373     /*
 374      * Simple check to make sure everything came across as expected.
 375      */
 376     private static void checkTransfer(ByteBuffer a, ByteBuffer b)
 377             throws Exception {
 378         a.flip();
 379         b.flip();
 380 
 381         if (!a.equals(b)) {
 382             throw new Exception("Data didn't transfer cleanly");
 383         } else {
 384             log("\tData transferred cleanly");
 385         }
 386 
 387         a.position(a.limit());
 388         b.position(b.limit());
 389         a.limit(a.capacity());
 390         b.limit(b.capacity());
 391     }
 392 
 393     /*
 394      * Logging code
 395      */
 396     private static boolean resultOnce = true;
 397 
 398     private static void log(String str, SSLEngineResult result) {
 399         if (!logging) {
 400             return;
 401         }
 402         if (resultOnce) {
 403             resultOnce = false;
 404             System.out.println("The format of the SSLEngineResult is: \n" +
 405                 "\t\"getStatus() / getHandshakeStatus()\" +\n" +
 406                 "\t\"bytesConsumed() / bytesProduced()\"\n");
 407         }
 408         HandshakeStatus hsStatus = result.getHandshakeStatus();
 409         log(str +
 410             result.getStatus() + "/" + hsStatus + ", " +
 411             result.bytesConsumed() + "/" + result.bytesProduced() +
 412             " bytes");
 413         if (hsStatus == HandshakeStatus.FINISHED) {
 414             log("\t...ready for application data");
 415         }
 416     }
 417 
 418     private static void log(String str) {
 419         if (logging) {
 420             System.out.println(str);
 421         }
 422     }
 423 }
--- EOF ---