Path: blob/aarch64-shenandoah-jdk8u272-b10/jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java
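/*
 * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

/*
 * @test
 * @bug 8076221 8211883
 * @summary Check if weak cipher suites are disabled
 * @run main/othervm DisabledAlgorithms default
 * @run main/othervm DisabledAlgorithms empty
 */

import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.Closeable;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/*
 * Regression test for the jdk.tls.disabledAlgorithms security property.
 *
 * The test is run twice (see the @run tags above):
 *
 *   "default" - leaves jdk.tls.disabledAlgorithms untouched and expects every
 *               handshake restricted to one of the RC4 / NULL / anon cipher
 *               suites listed below to fail.
 *   "empty"   - clears jdk.tls.disabledAlgorithms and expects each of those
 *               suites to be negotiated. This is the control run: it shows
 *               that the failures of the "default" run are caused by the
 *               property and not by the suites being unsupported.
 *
 * Both runs use main/othervm, so the Security.setProperty() call of the
 * "empty" run stays inside this test's own JVM.
 */
public class DisabledAlgorithms {

    private static final String pathToStores = "../etc";
    private static final String keyStoreFile = "keystore";
    private static final String trustStoreFile = "truststore";

    // Password passed to javax.net.ssl.keyStorePassword and
    // javax.net.ssl.trustStorePassword in main(). Test fixture value only;
    // not a credential to reuse outside the test stores.
    private static final String passwd = "passphrase";

    private static final String keyFilename =
            System.getProperty("test.src", "./") + "/" + pathToStores +
                "/" + keyStoreFile;

    private static final String trustFilename =
            System.getProperty("test.src", "./") + "/" + pathToStores +
                "/" + trustStoreFile;

    // supported RC4, NULL, and anon cipher suites
    // it does not contain KRB5 cipher suites because they need a KDC
    //
    // A few names occur twice (SSL_DH_anon_WITH_RC4_128_MD5,
    // TLS_ECDH_anon_WITH_NULL_SHA, TLS_ECDH_anon_WITH_RC4_128_SHA). The
    // repeats are kept as in the original list; they only make the client
    // loops below exercise those suites twice.
    private static final String[] rc4_null_anon_ciphersuites = new String[] {
        "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
        "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
        "SSL_RSA_WITH_RC4_128_SHA",
        "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
        "TLS_ECDH_RSA_WITH_RC4_128_SHA",
        "SSL_RSA_WITH_RC4_128_MD5",
        "TLS_ECDH_anon_WITH_RC4_128_SHA",
        "SSL_DH_anon_WITH_RC4_128_MD5",
        "SSL_RSA_WITH_NULL_MD5",
        "SSL_RSA_WITH_NULL_SHA",
        "TLS_RSA_WITH_NULL_SHA256",
        "TLS_ECDH_ECDSA_WITH_NULL_SHA",
        "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
        "TLS_ECDH_RSA_WITH_NULL_SHA",
        "TLS_ECDHE_RSA_WITH_NULL_SHA",
        "TLS_ECDH_anon_WITH_NULL_SHA",
        "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
        "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5",
        "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
        "SSL_DH_anon_WITH_DES_CBC_SHA",
        "SSL_DH_anon_WITH_RC4_128_MD5",
        "TLS_DH_anon_WITH_AES_128_CBC_SHA",
        "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
        "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
        "TLS_DH_anon_WITH_AES_256_CBC_SHA",
        "TLS_DH_anon_WITH_AES_256_CBC_SHA256",
        "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
        "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
        "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
        "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
        "TLS_ECDH_anon_WITH_NULL_SHA",
        "TLS_ECDH_anon_WITH_RC4_128_SHA"
    };

    /*
     * Entry point. args[0] selects the run: "default" or "empty".
     * Any other value, or no argument at all, fails the test with a
     * RuntimeException.
     */
    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            throw new RuntimeException("No parameters specified");
        }

        System.setProperty("javax.net.ssl.keyStore", keyFilename);
        System.setProperty("javax.net.ssl.keyStorePassword", passwd);
        System.setProperty("javax.net.ssl.trustStore", trustFilename);
        System.setProperty("javax.net.ssl.trustStorePassword", passwd);

        switch (args[0]) {
            case "default":
                // use default jdk.tls.disabledAlgorithms
                System.out.println("jdk.tls.disabledAlgorithms = "
                        + Security.getProperty("jdk.tls.disabledAlgorithms"));

                // check if RC4, NULL, and anon cipher suites
                // can't be used by default
                checkFailure(rc4_null_anon_ciphersuites);
                break;
            case "empty":
                // reset jdk.tls.disabledAlgorithms
                // (this lifts every restriction the property imposes for the
                // rest of this JVM's lifetime, hence the othervm run mode)
                Security.setProperty("jdk.tls.disabledAlgorithms", "");
                System.out.println("jdk.tls.disabledAlgorithms = "
                        + Security.getProperty("jdk.tls.disabledAlgorithms"));

                // check if RC4, NULL, and anon cipher suites can be used
                // if jdk.tls.disabledAlgorithms is empty
                checkSuccess(rc4_null_anon_ciphersuites);
                break;
            default:
                throw new RuntimeException("Wrong parameter: " + args[0]);
        }

        System.out.println("Test passed");
    }

    /*
     * Checks that the specified cipher suites cannot be used.
     *
     * Every client connection must end in an SSLHandshakeException; any other
     * outcome (a completed exchange or a different exception) fails the test.
     * After the client loop the server must have recorded an SSL error too.
     *
     * NOTE(review): the server loop exits on its first SSLHandshakeException,
     * so the server-side check covers one failed handshake only; later
     * iterations presumably fail on the client before reaching the server -
     * confirm.
     */
    private static void checkFailure(String[] ciphersuites) throws Exception {
        try (SSLServer server = SSLServer.init(ciphersuites)) {
            startNewThread(server);
            while (!server.isRunning()) {
                sleep();
            }

            int port = server.getPort();
            for (String ciphersuite : ciphersuites) {
                try (SSLClient client = SSLClient.init(port, ciphersuite)) {
                    client.connect();
                    throw new RuntimeException("Expected SSLHandshakeException "
                            + "not thrown");
                } catch (SSLHandshakeException e) {
                    System.out.println("Expected exception on client side: "
                            + e);
                }
            }

            // the server stops by itself once it has seen a handshake failure
            while (server.isRunning()) {
                sleep();
            }

            if (!server.sslError()) {
                throw new RuntimeException("Expected SSL exception "
                        + "not thrown on server side");
            }
        }

    }

    /*
     * Checks that the specified cipher suites can be used.
     *
     * Each client enables exactly one suite and the session must report that
     * same suite as negotiated. The server must finish without any error.
     */
    private static void checkSuccess(String[] ciphersuites) throws Exception {
        try (SSLServer server = SSLServer.init(ciphersuites)) {
            startNewThread(server);
            while (!server.isRunning()) {
                sleep();
            }

            int port = server.getPort();
            for (String ciphersuite : ciphersuites) {
                try (SSLClient client = SSLClient.init(port, ciphersuite)) {
                    client.connect();
                    String negotiated = client.getNegotiatedCipherSuite();
                    System.out.println("Negotiated cipher suite: "
                            + negotiated);
                    if (!negotiated.equals(ciphersuite)) {
                        throw new RuntimeException("Unexpected cipher suite: "
                                + negotiated);
                    }
                }
            }

            server.stop();
            while (server.isRunning()) {
                sleep();
            }

            if (server.error()) {
                throw new RuntimeException("Unexpected error on server side");
            }
        }

    }

    /*
     * Runs the server on a new daemon thread and returns that thread.
     */
    private static Thread startNewThread(SSLServer server) {
        Thread serverThread = new Thread(server, "SSL server thread");
        serverThread.setDaemon(true);
        serverThread.start();
        return serverThread;
    }

    /*
     * Pauses for 50 ms between two polls of the server state.
     */
    private static void sleep() {
        try {
            TimeUnit.MILLISECONDS.sleep(50);
        } catch (InterruptedException e) {
            // Deliberately ignored. The callers poll in a loop, and restoring
            // the interrupt flag here would make every following sleep return
            // at once, turning those loops into busy-waits.
        }
    }

    /*
     * Closes a socket whose configuration failed, so that a rejected cipher
     * suite list does not leave the socket open. A failure of close() itself
     * is attached to the original exception instead of replacing it.
     */
    private static void closeAfterFailure(Closeable socket,
            RuntimeException cause) {
        try {
            socket.close();
        } catch (IOException e) {
            cause.addSuppressed(e);
        }
    }

    /*
     * Minimal TLS echo server: accepts connections one at a time, reads one
     * byte and writes it back. It records whether it stopped because of a
     * handshake failure (sslError) or another I/O problem (otherError).
     */
    static class SSLServer implements Runnable, AutoCloseable {

        private final SSLServerSocket ssocket;

        // written by the server thread and by stop(), read by the test thread
        private volatile boolean stopped = false;
        private volatile boolean running = false;
        private volatile boolean sslError = false;
        private volatile boolean otherError = false;

        private SSLServer(SSLServerSocket ssocket) {
            this.ssocket = ssocket;
        }

        /*
         * Accept loop. Ends after the first SSLHandshakeException, after an
         * unexpected IOException, or once stop() has been called.
         */
        @Override
        public void run() {
            System.out.println("Server: started");
            running = true;
            while (!stopped) {
                try (SSLSocket socket = (SSLSocket) ssocket.accept()) {
                    System.out.println("Server: accepted client connection");
                    InputStream in = socket.getInputStream();
                    OutputStream out = socket.getOutputStream();
                    int b = in.read();
                    if (b < 0) {
                        throw new IOException("Unexpected EOF");
                    }
                    System.out.println("Server: send data: " + b);
                    out.write(b);
                    out.flush();
                    // presumably so that the next connection negotiates a
                    // fresh session instead of resuming this one - confirm
                    socket.getSession().invalidate();
                } catch (SSLHandshakeException e) {
                    System.out.println("Server: run: " + e);
                    sslError = true;
                    stopped = true;
                } catch (IOException e) {
                    if (!stopped) {
                        System.out.println("Server: run: unexpected exception: "
                                + e);
                        e.printStackTrace();
                        otherError = true;
                        stopped = true;
                    } else {
                        // stop() closed the server socket under accept()
                        System.out.println("Server: run: " + e);
                        System.out.println("The exception above occurred "
                                    + "because socket was closed, "
                                    + "please ignore it");
                    }
                }
            }

            System.out.println("Server: finished");
            running = false;
        }

        /* Returns the local port the server socket is bound to. */
        int getPort() {
            return ssocket.getLocalPort();
        }

        /* Returns the cipher suites enabled on the server socket. */
        String[] getEnabledCiperSuites() {
            return ssocket.getEnabledCipherSuites();
        }

        /* True between the start and the end of run(). */
        boolean isRunning() {
            return running;
        }

        /* True if run() caught an SSLHandshakeException. */
        boolean sslError() {
            return sslError;
        }

        /* True if run() recorded a handshake failure or another I/O error. */
        boolean error() {
            return sslError || otherError;
        }

        /*
         * Asks the accept loop to end and closes the server socket if it is
         * still open. A failure to close is logged, not propagated.
         */
        void stop() {
            stopped = true;
            if (!ssocket.isClosed()) {
                try {
                    System.out.println("Server: close socket");
                    ssocket.close();
                } catch (IOException e) {
                    System.out.println("Server: close: " + e);
                }
            }
        }

        @Override
        public void close() {
            stop();
        }

        /*
         * Creates a server on an ephemeral port using the default server
         * socket factory. If ciphersuites is non-null, only those suites are
         * enabled on the server socket.
         *
         * The socket is closed again if enabling the suites is rejected with
         * a runtime exception, so that a failed setup does not leave it open.
         */
        static SSLServer init(String[] ciphersuites)
                throws IOException {
            SSLServerSocketFactory ssf = (SSLServerSocketFactory)
                    SSLServerSocketFactory.getDefault();
            SSLServerSocket ssocket = (SSLServerSocket)
                    ssf.createServerSocket(0);

            try {
                if (ciphersuites != null) {
                    System.out.println("Server: enable cipher suites: "
                            + java.util.Arrays.toString(ciphersuites));
                    ssocket.setEnabledCipherSuites(ciphersuites);
                }
            } catch (RuntimeException e) {
                closeAfterFailure(ssocket, e);
                throw e;
            }

            return new SSLServer(ssocket);
        }
    }

    /*
     * TLS client counterpart of SSLServer: sends one byte and expects one
     * byte back.
     */
    static class SSLClient implements AutoCloseable {

        private final SSLSocket socket;

        private SSLClient(SSLSocket socket) {
            this.socket = socket;
        }

        /*
         * Writes a single byte, waits for the reply and then invalidates the
         * session. Throws IOException if no reply byte arrives; a failed
         * handshake surfaces here as an exception from the stream calls.
         */
        void connect() throws IOException {
            System.out.println("Client: connect to server");
            try (
                    BufferedInputStream bis = new BufferedInputStream(
                            socket.getInputStream());
                    BufferedOutputStream bos = new BufferedOutputStream(
                            socket.getOutputStream())) {
                bos.write('x');
                bos.flush();

                int read = bis.read();
                if (read < 0) {
                    throw new IOException("Client: couldn't read a response");
                }
                socket.getSession().invalidate();
            }
        }

        /* Returns the cipher suites enabled on the client socket. */
        String[] getEnabledCiperSuites() {
            return socket.getEnabledCipherSuites();
        }

        /* Returns the cipher suite reported by the socket's session. */
        String getNegotiatedCipherSuite() {
            return socket.getSession().getCipherSuite();
        }

        /*
         * Closes the socket if it is still open. A failure to close is
         * logged, not propagated.
         */
        @Override
        public void close() throws Exception {
            if (!socket.isClosed()) {
                try {
                    socket.close();
                } catch (IOException e) {
                    System.out.println("Client: close: " + e);
                }
            }
        }

        /* Same as init(port, null): keeps the default enabled suites. */
        static SSLClient init(int port)
                throws NoSuchAlgorithmException, IOException {
            return init(port, null);
        }

        /*
         * Connects to localhost:port with the default SSLContext. If
         * ciphersuite is non-null it becomes the only enabled suite, so the
         * handshake can succeed with that suite or not at all.
         *
         * The socket is closed again if enabling the suite is rejected with
         * a runtime exception, so that a failed setup does not leave it open.
         */
        static SSLClient init(int port, String ciphersuite)
                throws NoSuchAlgorithmException, IOException {
            SSLContext context = SSLContext.getDefault();
            SSLSocketFactory ssf = (SSLSocketFactory)
                    context.getSocketFactory();
            SSLSocket socket = (SSLSocket) ssf.createSocket("localhost", port);

            try {
                if (ciphersuite != null) {
                    System.out.println("Client: enable cipher suite: "
                            + ciphersuite);
                    socket.setEnabledCipherSuites(new String[] { ciphersuite });
                }
            } catch (RuntimeException e) {
                closeAfterFailure(socket, e);
                throw e;
            }

            return new SSLClient(socket);
        }

    }


}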