Path: blob/aarch64-shenandoah-jdk8u272-b10/jdk/test/javax/net/ssl/ciphersuites/ECCurvesconstraints.java
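/*
 * Copyright (c) 2016, 2017, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation. Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

//
// SunJSSE does not support dynamic system properties, no way to re-use
// system properties in samevm/agentvm mode.
//

/*
 * @test
 * @bug 8148516
 * @summary Improve the default strength of EC in JDK
 * @run main/othervm ECCurvesconstraints PKIX
 * @run main/othervm ECCurvesconstraints SunX509
 */

import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.KeyFactory;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.interfaces.ECPrivateKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Negative TLS handshake test for the default EC curve constraints
 * (bug 8148516). Both peers are configured with the same certificate and
 * private key on the secp224k1 curve ({@code trustedCertStr},
 * {@code targetPrivateKey}); the test passes only when the handshake fails
 * on both sides. A handshake that completes means the curve is still
 * accepted and is reported as a test failure.
 *
 * The embedded key pair is a public test fixture, not a secret. The trust
 * manager algorithm (PKIX or SunX509) is taken from the command line.
 */
public class ECCurvesconstraints {

    /*
     * =============================================================
     * Set the various variables needed for the tests, then
     * specify what tests to run on each side.
     */

    /*
     * Should we run the client or server in a separate thread?
     * Both sides can throw exceptions, but do you have a preference
     * as to which side should be the main thread.
     */
    static boolean separateServerThread = false;

    /*
     * Where do we find the keystores?
     */
    // Certificates and key used in the test.
    //
    // EC curve: secp224k1 -- the curve this test expects the JDK to
    // reject by default. The same self-signed certificate serves as
    // trust anchor and as the end-entity certificate of both peers.
    static String trustedCertStr =
        "-----BEGIN CERTIFICATE-----\n" +
        "MIIBCzCBugIEVz2lcjAKBggqhkjOPQQDAjAaMRgwFgYDVQQDDA93d3cuZXhhbXBs\n" +
        "ZS5vcmcwHhcNMTYwNTE5MTEzNzM5WhcNMTcwNTE5MTEzNzM5WjAaMRgwFgYDVQQD\n" +
        "DA93d3cuZXhhbXBsZS5vcmcwTjAQBgcqhkjOPQIBBgUrgQQAIAM6AAT68uovMZ8f\n" +
        "KARn5NOjvieJaq6h8zHYkM9w5DuN0kkOo4KBhke06EkQj0nvQQcSvppTV6RoDLY4\n" +
        "djAKBggqhkjOPQQDAgNAADA9AhwMNIujM0R0llpPH6d89d1S3VRGH/78ovc+zw51\n" +
        "Ah0AuZ1YlQkUbrJIzkuPSICxz5UfCWPe+7w4as+wiA==\n" +
        "-----END CERTIFICATE-----";

    // Private key in the format of PKCS#8 (base64, MIME line breaks).
    // Test fixture only; it is intentionally published with the test.
    static String targetPrivateKey =
        "MIGCAgEAMBAGByqGSM49AgEGBSuBBAAgBGswaQIBAQQdAPbckc86mgW/zexB1Ajq\n" +
        "38HntWOjdxL6XSoiAsWgBwYFK4EEACChPAM6AAT68uovMZ8fKARn5NOjvieJaq6h\n" +
        "8zHYkM9w5DuN0kkOo4KBhke06EkQj0nvQQcSvppTV6RoDLY4dg==";

    // Per-side credentials; certs[i] pairs with keys[i].
    static String[] serverCerts = {trustedCertStr};
    static String[] serverKeys = {targetPrivateKey};
    static String[] clientCerts = {trustedCertStr};
    static String[] clientKeys = {targetPrivateKey};

    // Password for the in-memory test keystore and its key entries;
    // not a secret, the keystore never leaves this process.
    static char passphrase[] = "passphrase".toCharArray();

    /*
     * Is the server ready to serve?
     */
    volatile static boolean serverReady = false;

    /*
     * Turn on SSL debugging?
     */
    static boolean debug = false;

    /*
     * Define the server side of the test.
     *
     * Binds to serverPort (0 = any free port), publishes the bound port,
     * raises serverReady and then expects the handshake to fail. Reaching
     * the throw inside the inner try means the handshake completed, i.e.
     * the secp224k1 certificate was accepted -- a test failure.
     *
     * If the server prematurely exits, serverReady will be set to true
     * to avoid infinite hangs.
     */
    void doServerSide() throws Exception {
        SSLContext context = generateSSLContext(false);
        SSLServerSocketFactory sslssf = context.getServerSocketFactory();
        SSLServerSocket sslServerSocket =
            (SSLServerSocket)sslssf.createServerSocket(serverPort);
        // Publish the bound port before raising serverReady; both fields
        // are volatile, so the client sees the port once it sees the flag.
        serverPort = sslServerSocket.getLocalPort();

        try {
            /*
             * Signal Client, we're ready for his connect.
             */
            serverReady = true;

            SSLSocket sslSocket = (SSLSocket)sslServerSocket.accept();
            try {
                sslSocket.setSoTimeout(5000);
                sslSocket.setSoLinger(true, 5);

                InputStream sslIS = sslSocket.getInputStream();
                OutputStream sslOS = sslSocket.getOutputStream();

                // The first read drives the handshake; it must not succeed.
                sslIS.read();
                sslOS.write('A');
                sslOS.flush();

                throw new Exception("EC curve secp224k1 should be disabled");
            } catch (IOException she) {
                // expected exception: no cipher suites in common
                // (any IOException satisfies the check; the message is
                // printed so a log reader can tell a handshake failure
                // apart from, e.g., a socket timeout)
                System.out.println("Expected exception: " + she);
            } finally {
                sslSocket.close();
            }
        } finally {
            // Also reached when accept() fails, so the listener is never leaked.
            sslServerSocket.close();
        }
    }

    /*
     * Define the client side of the test.
     *
     * Waits for serverReady, connects to the published serverPort and
     * expects the handshake to fail. Reaching the throw inside the try
     * means the handshake completed -- a test failure.
     *
     * If the server prematurely exits, serverReady will be set to true
     * to avoid infinite hangs.
     */
    void doClientSide() throws Exception {

        /*
         * Wait for server to get started. There is no upper bound here;
         * the harness guarantees serverReady is raised even when the
         * server side fails (see startServer).
         */
        while (!serverReady) {
            Thread.sleep(50);
        }

        SSLContext context = generateSSLContext(true);
        SSLSocketFactory sslsf = context.getSocketFactory();

        SSLSocket sslSocket =
            (SSLSocket)sslsf.createSocket("localhost", serverPort);

        try {
            sslSocket.setSoTimeout(5000);
            sslSocket.setSoLinger(true, 5);

            InputStream sslIS = sslSocket.getInputStream();
            OutputStream sslOS = sslSocket.getOutputStream();

            // The first write drives the handshake; it must not succeed.
            sslOS.write('B');
            sslOS.flush();
            sslIS.read();

            throw new Exception("EC curve secp224k1 should be disabled");
        } catch (IOException she) {
            // expected exception: Received fatal alert
            // (any IOException satisfies the check; see doServerSide)
            System.out.println("Expected exception: " + she);
        } finally {
            sslSocket.close();
        }
    }

    /*
     * =============================================================
     * The remainder is just support stuff
     */
    private static String tmAlgorithm;        // trust manager

    /*
     * Read the trust manager algorithm (PKIX or SunX509) from args[0].
     *
     * @throws IllegalArgumentException if no argument was supplied
     */
    private static void parseArguments(String[] args) {
        if (args.length < 1) {
            throw new IllegalArgumentException(
                "expected the trust manager algorithm (PKIX or SunX509) " +
                "as the first argument");
        }
        tmAlgorithm = args[0];
    }

    /*
     * Parse one PEM-encoded certificate string with the given factory.
     *
     * The charset is fixed to UTF-8 so the result does not depend on the
     * platform default encoding (PEM is ASCII, so UTF-8 is exact).
     */
    private static Certificate parseCertificate(CertificateFactory cf,
            String pem) throws Exception {
        try (InputStream is = new ByteArrayInputStream(
                pem.getBytes(StandardCharsets.UTF_8))) {
            return cf.generateCertificate(is);
        }
    }

    /*
     * Build an SSLContext for one side of the test.
     *
     * An in-memory JKS keystore holds trustedCertStr as trust anchor plus
     * one key entry per cert/key pair of the requested side, each with the
     * chain [end-entity cert, trust anchor]. The same keystore feeds both
     * the trust manager (algorithm from the command line) and the
     * "NewSunX509" key manager.
     *
     * @param isClient true to use the client credentials, false for the
     *                 server credentials
     * @throws Exception on any keystore, key or certificate parsing error
     */
    private static SSLContext generateSSLContext(boolean isClient)
            throws Exception {

        // generate certificate from cert string
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        // create a key store
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);

        // import the trusted cert
        Certificate trustedCert = parseCertificate(cf, trustedCertStr);
        ks.setCertificateEntry("Export Signer", trustedCert);

        String[] certStrs = isClient ? clientCerts : serverCerts;
        String[] keyStrs = isClient ? clientKeys : serverKeys;
        if (certStrs.length != keyStrs.length) {
            throw new IllegalStateException("certificate/key count mismatch: "
                + certStrs.length + " certs, " + keyStrs.length + " keys");
        }

        KeyFactory kf = KeyFactory.getInstance("EC");
        for (int i = 0; i < certStrs.length; i++) {
            // generate the private key.
            PKCS8EncodedKeySpec priKeySpec = new PKCS8EncodedKeySpec(
                    Base64.getMimeDecoder().decode(keyStrs[i]));
            ECPrivateKey priKey =
                    (ECPrivateKey)kf.generatePrivate(priKeySpec);

            // generate certificate chain
            Certificate keyCert = parseCertificate(cf, certStrs[i]);
            Certificate[] chain = { keyCert, trustedCert };

            // import the key entry.
            ks.setKeyEntry("key-entry-" + i, priKey, passphrase, chain);
        }

        // create SSL context
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmAlgorithm);
        tmf.init(ks);

        SSLContext ctx = SSLContext.getInstance("TLS");
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("NewSunX509");
        kmf.init(ks, passphrase);

        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        return ctx;
    }

    // use any free port by default
    volatile int serverPort = 0;

    volatile Exception serverException = null;
    volatile Exception clientException = null;

    /*
     * Test entry point.
     *
     * @param args args[0] is the trust manager algorithm (PKIX or SunX509)
     */
    public static void main(String[] args) throws Exception {
        if (debug) {
            System.setProperty("javax.net.debug", "all");
        }

        /*
         * Get the customized arguments.
         */
        parseArguments(args);

        /*
         * Start the tests.
         */
        new ECCurvesconstraints();
    }

    Thread clientThread = null;
    Thread serverThread = null;

    /*
     * Primary constructor, used to drive remainder of the test.
     *
     * Fork off the other side, then do your work.
     */
    ECCurvesconstraints() throws Exception {
        try {
            if (separateServerThread) {
                startServer(true);
                startClient(false);
            } else {
                startClient(true);
                startServer(false);
            }
        } catch (Exception e) {
            // swallow for now. Show later: the per-side exceptions recorded
            // by startServer/startClient are examined once both sides are done.
        }

        /*
         * Wait for other side to close down.
         */
        if (separateServerThread) {
            serverThread.join();
        } else {
            clientThread.join();
        }

        /*
         * When we get here, the test is pretty much over.
         * Which side threw the error?
         */
        Exception local;
        Exception remote;
        String whichRemote;

        if (separateServerThread) {
            remote = serverException;
            local = clientException;
            whichRemote = "server";
        } else {
            remote = clientException;
            local = serverException;
            whichRemote = "client";
        }

        /*
         * If both failed, return the curthread's exception, but also
         * print the remote side Exception
         */
        if ((local != null) && (remote != null)) {
            System.out.println(whichRemote + " also threw:");
            remote.printStackTrace();
            System.out.println();
            throw local;
        }

        if (remote != null) {
            throw remote;
        }

        if (local != null) {
            throw local;
        }
    }

    /*
     * Run the server side, either on a new thread or inline.
     *
     * In both modes serverReady ends up true even if the server fails,
     * so the client's wait loop cannot hang; the failure is kept in
     * serverException for the constructor to report.
     */
    void startServer(boolean newThread) throws Exception {
        if (newThread) {
            serverThread = new Thread() {
                @Override
                public void run() {
                    try {
                        doServerSide();
                    } catch (Exception e) {
                        /*
                         * Our server thread just died.
                         *
                         * Release the client, if not active already...
                         */
                        System.err.println("Server died, because of " + e);
                        serverReady = true;
                        serverException = e;
                    }
                }
            };
            serverThread.start();
        } else {
            try {
                doServerSide();
            } catch (Exception e) {
                serverException = e;
            } finally {
                serverReady = true;
            }
        }
    }

    /*
     * Run the client side, either on a new thread or inline.
     *
     * A failure is kept in clientException for the constructor to report.
     */
    void startClient(boolean newThread) throws Exception {
        if (newThread) {
            clientThread = new Thread() {
                @Override
                public void run() {
                    try {
                        doClientSide();
                    } catch (Exception e) {
                        /*
                         * Our client thread just died.
                         */
                        System.err.println("Client died, because of " + e);
                        clientException = e;
                    }
                }
            };
            clientThread.start();
        } else {
            try {
                doClientSide();
            } catch (Exception e) {
                clientException = e;
            }
        }
    }
}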