PojavLauncherTeam
GitHub Repository: PojavLauncherTeam/openjdk-multiarch-jdk8u
Path: blob/aarch64-shenandoah-jdk8u272-b10/jdk/test/javax/net/ssl/SSLSession/CheckMyTrustedKeystore.java
/*
* Copyright (c) 2001, 2011, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/*
* @test
* @bug 4329114
* @summary Need better way of reflecting the reason when a chain is
* rejected as untrusted.
* @run main/othervm CheckMyTrustedKeystore
*
* SunJSSE does not support dynamic system properties, no way to re-use
* system properties in samevm/agentvm mode.
* @ignore JSSE supports algorithm constraints with CR 6916074,
* need to update this test case in JDK 7 soon
* This is a serious hack job!
* @author Brad Wetmore
*/
import java.io.*;
import java.net.*;
import java.security.*;
import javax.net.ssl.*;
import java.security.cert.*;
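/*
 * Drives one TLS exchange through each of the two trust-manager APIs
 * (javax.net.ssl and the legacy com.sun.net.ssl) with client
 * authentication required and a client key taken from the "unknown"
 * keystore.
 *
 * SECURITY NOTE: both contexts are initialised with trust managers that
 * accept every certificate chain, and the keystore password is a literal
 * in this file.  Both are acceptable only because this is a test that
 * talks to itself on localhost; neither pattern belongs in code that
 * authenticates a real peer.
 */
public class CheckMyTrustedKeystore {

    /*
     * =============================================================
     * Set the various variables needed for the tests, then
     * specify what tests to run on each side.
     */

    /*
     * Should we run the client or server in a separate thread?
     * Both sides can throw exceptions, but do you have a preference
     * as to which side should be the main thread.
     */
    static boolean separateServerThread = true;

    /*
     * Where do we find the keystores?
     *
     * The stores are resolved relative to the "test.src" system property
     * (see keyFilename / unknownFilename below).
     */
    final static String pathToStores = "../etc";
    final static String keyStoreFile = "keystore";
    final static String trustStoreFile = "truststore";
    final static String unknownStoreFile = "unknown_keystore";
    final static String passwd = "passphrase";
    final static char[] cpasswd = "passphrase".toCharArray();

    /*
     * Is the server ready to serve?
     *
     * Volatile: written by the server thread, polled by the client.
     */
    volatile static boolean serverReady = false;

    /*
     * Turn on SSL debugging?
     */
    final static boolean debug = false;

    /*
     * If the client or server is doing some kind of object creation
     * that the other side depends on, and that thread prematurely
     * exits, you may experience a hang.  The test harness will
     * terminate all hung threads after its timeout has expired,
     * currently 3 minutes by default, but you might try to be
     * smart about it....
     */

    /*
     * Load a JKS keystore protected by cpasswd.
     *
     * The input stream is closed in all cases so that a failing load
     * does not leak the file handle.
     */
    private static KeyStore loadKeyStore(String filename) throws Exception {
        KeyStore store = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(filename);
        try {
            store.load(in, cpasswd);
        } finally {
            in.close();
        }
        return store;
    }

    /*
     * Server half of one exchange: read one byte, answer with one byte.
     *
     * The accepted socket is closed even when the exchange fails.
     */
    private static void answerOnePeer(SSLSocket sslSocket) throws IOException {
        try {
            InputStream sslIS = sslSocket.getInputStream();
            OutputStream sslOS = sslSocket.getOutputStream();

            sslIS.read();
            sslOS.write(85);
            sslOS.flush();
        } finally {
            sslSocket.close();
        }
    }

    /*
     * Define the server side of the test.
     *
     * Two listeners are created from the same key material: the first
     * through the legacy com.sun.net.ssl API, the second through
     * javax.net.ssl.  Each one requires client authentication and is
     * given an accept-everything trust manager.
     *
     * If the server prematurely exits, serverReady will be set to true
     * to avoid infinite hangs.
     */
    void doServerSide() throws Exception {
        KeyStore ks = loadKeyStore(keyFilename);

        com.sun.net.ssl.SSLContext ctx =
            com.sun.net.ssl.SSLContext.getInstance("TLS");
        com.sun.net.ssl.KeyManagerFactory kmf =
            com.sun.net.ssl.KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, cpasswd);

        com.sun.net.ssl.TrustManager [] tms =
            new com.sun.net.ssl.TrustManager []
            { new MyComX509TrustManager() };

        ctx.init(kmf.getKeyManagers(), tms, null);

        SSLServerSocketFactory sslssf =
            (SSLServerSocketFactory) ctx.getServerSocketFactory();

        SSLServerSocket sslServerSocket =
            (SSLServerSocket) sslssf.createServerSocket(serverPort);
        try {
            serverPort = sslServerSocket.getLocalPort();

            // The client must present a certificate chain.
            sslServerSocket.setNeedClientAuth(true);

            /*
             * Create using the other type.
             */
            SSLContext ctx1 =
                SSLContext.getInstance("TLS");
            KeyManagerFactory kmf1 =
                KeyManagerFactory.getInstance("SunX509");

            TrustManager [] tms1 =
                new TrustManager []
                { new MyJavaxX509TrustManager() };

            kmf1.init(ks, cpasswd);

            ctx1.init(kmf1.getKeyManagers(), tms1, null);

            sslssf = (SSLServerSocketFactory) ctx1.getServerSocketFactory();

            SSLServerSocket sslServerSocket1 =
                (SSLServerSocket) sslssf.createServerSocket(serverPort1);
            try {
                serverPort1 = sslServerSocket1.getLocalPort();
                sslServerSocket1.setNeedClientAuth(true);

                /*
                 * Signal Client, we're ready for his connect.
                 *
                 * Both port fields are assigned before this volatile
                 * write, and the client reads them only after it has
                 * seen the flag.
                 */
                serverReady = true;

                SSLSocket sslSocket = (SSLSocket) sslServerSocket.accept();
                sslServerSocket.close();
                serverReady = false;

                answerOnePeer(sslSocket);

                sslSocket = (SSLSocket) sslServerSocket1.accept();
                answerOnePeer(sslSocket);
            } finally {
                // The second listener used to stay open until JVM exit.
                sslServerSocket1.close();
            }
        } finally {
            // A second close() after the one above is harmless.
            sslServerSocket.close();
        }

        System.out.println("Server exiting!");
        System.out.flush();
    }

    /*
     * Client half of one exchange: write one byte, read one byte, then
     * close the socket (also when the exchange fails).
     */
    void doTest(SSLSocket sslSocket) throws Exception {
        try {
            InputStream sslIS = sslSocket.getInputStream();
            OutputStream sslOS = sslSocket.getOutputStream();

            System.out.println(" Writing");
            // write(int) sends only the low-order byte; the server
            // discards whatever it reads.
            sslOS.write(280);
            sslOS.flush();
            System.out.println(" Reading");
            sslIS.read();
        } finally {
            sslSocket.close();
        }
    }

    /*
     * Define the client side of the test.
     *
     * The client key comes from the "unknown" keystore and is offered
     * first through a javax.net.ssl context, then through a
     * com.sun.net.ssl context.  Both contexts use an accept-everything
     * trust manager for the server chain.
     *
     * If the server prematurely exits, serverReady will be set to true
     * to avoid infinite hangs.
     */
    void doClientSide() throws Exception {

        /*
         * Wait for server to get started.
         */
        while (!serverReady) {
            Thread.sleep(50);
        }

        /*
         * See if an unknown keystore actually gets checked ok.
         */
        System.out.println("==============");
        System.out.println("Starting test0");
        KeyStore uks = loadKeyStore(unknownFilename);
        SSLContext ctx =
            SSLContext.getInstance("TLS");
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance("SunX509");
        kmf.init(uks, cpasswd);

        TrustManager [] tms = new TrustManager []
            { new MyJavaxX509TrustManager() };

        ctx.init(kmf.getKeyManagers(), tms, null);

        SSLSocketFactory sslsf =
            (SSLSocketFactory) ctx.getSocketFactory();

        System.out.println("Trying first socket " + serverPort);
        SSLSocket sslSocket = (SSLSocket)
            sslsf.createSocket("localhost", serverPort);

        doTest(sslSocket);

        /*
         * Now try the other way.
         */
        com.sun.net.ssl.SSLContext ctx1 =
            com.sun.net.ssl.SSLContext.getInstance("TLS");
        com.sun.net.ssl.KeyManagerFactory kmf1 =
            com.sun.net.ssl.KeyManagerFactory.getInstance("SunX509");
        kmf1.init(uks, cpasswd);

        com.sun.net.ssl.TrustManager [] tms1 =
            new com.sun.net.ssl.TrustManager []
            { new MyComX509TrustManager() };

        ctx1.init(kmf1.getKeyManagers(), tms1, null);

        sslsf = (SSLSocketFactory) ctx1.getSocketFactory();

        System.out.println("Trying second socket " + serverPort1);
        sslSocket = (SSLSocket) sslsf.createSocket("localhost",
            serverPort1);

        doTest(sslSocket);
        System.out.println("Completed test1");
    }

    /*
     * =============================================================
     * The remainder is just support stuff
     */

    // 0 asks for an ephemeral port; the server stores the real port
    // here once each listener is bound.
    int serverPort = 0;
    int serverPort1 = 0;

    // Failure captured on whichever side runs in the forked thread.
    volatile Exception serverException = null;
    volatile Exception clientException = null;

    final static String keyFilename =
        System.getProperty("test.src", "./") + "/" + pathToStores +
            "/" + keyStoreFile;
    final static String unknownFilename =
        System.getProperty("test.src", "./") + "/" + pathToStores +
            "/" + unknownStoreFile;

    public static void main(String[] args) throws Exception {

        if (debug)
            System.setProperty("javax.net.debug", "all");

        /*
         * Start the tests.
         */
        new CheckMyTrustedKeystore();
    }

    Thread clientThread = null;
    Thread serverThread = null;

    /*
     * Primary constructor, used to drive remainder of the test.
     *
     * Fork off the other side, then do your work.
     */
    CheckMyTrustedKeystore() throws Exception {
        if (separateServerThread) {
            startServer(true);
            startClient(false);
        } else {
            startClient(true);
            startServer(false);
        }

        /*
         * Wait for other side to close down.
         */
        if (separateServerThread) {
            serverThread.join();
        } else {
            clientThread.join();
        }

        /*
         * When we get here, the test is pretty much over.
         *
         * If the main thread excepted, that propagates back
         * immediately.  If the other thread threw an exception, we
         * should report back.
         */
        if (serverException != null) {
            System.out.print("Server Exception:");
            throw serverException;
        }
        if (clientException != null) {
            System.out.print("Client Exception:");
            throw clientException;
        }
    }

    /*
     * Run the server side, either inline or in a new thread.  In the
     * threaded case a failure is stored in serverException instead of
     * being thrown.
     */
    void startServer(boolean newThread) throws Exception {
        if (newThread) {
            serverThread = new Thread() {
                public void run() {
                    try {
                        doServerSide();
                    } catch (Exception e) {
                        /*
                         * Our server thread just died.
                         *
                         * Release the client, if not active already...
                         */
                        System.err.println("Server died...");
                        serverReady = true;
                        serverException = e;
                    }
                }
            };
            serverThread.start();
        } else {
            doServerSide();
        }
    }

    /*
     * Run the client side, either inline or in a new thread.  In the
     * threaded case a failure is stored in clientException instead of
     * being thrown.
     */
    void startClient(boolean newThread) throws Exception {
        if (newThread) {
            clientThread = new Thread() {
                public void run() {
                    try {
                        doClientSide();
                    } catch (Exception e) {
                        /*
                         * Our client thread just died.
                         */
                        System.err.println("Client died...");
                        clientException = e;
                    }
                }
            };
            clientThread.start();
        } else {
            doClientSide();
        }
    }
}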
/*
 * Trust manager for the com.sun.net.ssl API that logs each query and
 * answers "trusted" for every chain.
 *
 * SECURITY NOTE: no part of the chain is inspected, so any peer is
 * accepted.  Suitable only as a test fixture.
 */
class MyComX509TrustManager implements com.sun.net.ssl.X509TrustManager {

    /* Advertise no issuers: a fresh empty array on every call. */
    public X509Certificate[] getAcceptedIssuers() {
        X509Certificate[] noIssuers = new X509Certificate[0];
        return noIssuers;
    }

    /* Log the query and accept the client chain without looking at it. */
    public boolean isClientTrusted(X509Certificate[] chain) {
        final boolean verdict = true;
        System.out.println(" IsClientTrusted?");
        return verdict;
    }

    /* Log the query and accept the server chain without looking at it. */
    public boolean isServerTrusted(X509Certificate[] chain) {
        final boolean verdict = true;
        System.out.println(" IsServerTrusted?");
        return verdict;
    }
}
/*
 * Trust manager for the javax.net.ssl API that logs each check and
 * never throws, so every chain is accepted.
 *
 * SECURITY NOTE: neither the chain nor the auth type is validated.
 * Suitable only as a test fixture.
 */
class MyJavaxX509TrustManager implements X509TrustManager {

    /* Advertise no issuers: a fresh empty array on every call. */
    public X509Certificate[] getAcceptedIssuers() {
        X509Certificate[] noIssuers = new X509Certificate[0];
        return noIssuers;
    }

    /* Log the auth type; returning normally means "client trusted". */
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        String line = " CheckClientTrusted(" + authType + ")?";
        System.out.println(line);
    }

    /* Log the auth type; returning normally means "server trusted". */
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        String line = " CheckServerTrusted(" + authType + ")?";
        System.out.println(line);
    }
}