| /* |
| * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved. |
| * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
| * |
| * This code is free software; you can redistribute it and/or modify it |
| * under the terms of the GNU General Public License version 2 only, as |
| * published by the Free Software Foundation. |
| * |
| * This code is distributed in the hope that it will be useful, but WITHOUT |
| * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
| * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
| * version 2 for more details (a copy is included in the LICENSE file that |
| * accompanied this code). |
| * |
| * You should have received a copy of the GNU General Public License version |
| * 2 along with this work; if not, write to the Free Software Foundation, |
| * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
| * |
| * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
| * or visit www.oracle.com if you need additional information or have any |
| * questions. |
| */ |
| |
| /* |
| * @test |
| * @bug 8206925 |
| * @library /javax/net/ssl/templates |
| * @summary Support the certificate_authorities extension |
| * @run main/othervm TooManyCAs |
| * @run main/othervm -Djdk.tls.client.enableCAExtension=true TooManyCAs |
| */ |
| import javax.net.ssl.*; |
| import javax.security.auth.x500.X500Principal; |
| import java.io.*; |
| import java.net.InetAddress; |
| import java.net.Socket; |
| import java.security.cert.CertificateException; |
| import java.security.cert.X509Certificate; |
| import java.util.Arrays; |
| |
| /** |
| * Check if the connection can be established if the client or server trusts |
| * more CAs such that it exceeds the size limit of the certificate_authorities |
| * extension (2^16). |
| */ |
| public class TooManyCAs implements SSLContextTemplate { |
| |
| private static final String[][][] protocols = { |
| {{"TLSv1.3"}, {"TLSv1.3"}}, |
| {{"TLSv1.3", "TLSv1.2"}, {"TLSv1.3"}}, |
| {{"TLSv1.3"}, {"TLSv1.3", "TLSv1.2"}}, |
| }; |
| |
| private final String[] clientProtocols; |
| private final String[] serverProtocols; |
| private final boolean needClientAuth; |
| |
| TooManyCAs(int index, boolean needClientAuth) { |
| this.clientProtocols = protocols[index][0]; |
| this.serverProtocols = protocols[index][1]; |
| this.needClientAuth = needClientAuth; |
| } |
| |
| // Servers are configured before clients, increment test case after. |
| void configureClientSocket(SSLSocket clientSocket) { |
| System.err.print("Setting client protocol(s): "); |
| Arrays.stream(clientProtocols).forEachOrdered(System.err::print); |
| System.err.println(); |
| |
| clientSocket.setEnabledProtocols(clientProtocols); |
| } |
| |
| void configureServerSocket(SSLServerSocket serverSocket) { |
| System.err.print("Setting server protocol(s): "); |
| Arrays.stream(serverProtocols).forEachOrdered(System.err::print); |
| System.err.println(); |
| |
| serverSocket.setEnabledProtocols(serverProtocols); |
| if (needClientAuth) { |
| serverSocket.setNeedClientAuth(true); |
| } |
| } |
| |
| @Override |
| public TrustManager createClientTrustManager() throws Exception { |
| TrustManager trustManager = |
| SSLContextTemplate.super.createClientTrustManager(); |
| return new BogusX509TrustManager( |
| (X509TrustManager)trustManager); |
| } |
| |
| @Override |
| public TrustManager createServerTrustManager() throws Exception { |
| TrustManager trustManager = |
| SSLContextTemplate.super.createServerTrustManager(); |
| return new BogusX509TrustManager( |
| (X509TrustManager)trustManager); |
| } |
| |
| /* |
| * Run the test case. |
| */ |
| public static void main(String[] args) throws Exception { |
| for (int i = 0; i < protocols.length; i++) { |
| (new TooManyCAs(i, false)).run(); |
| (new TooManyCAs(i, true)).run(); |
| } |
| } |
| |
| private void run() throws Exception { |
| SSLServerSocket listenSocket = null; |
| SSLSocket serverSocket = null; |
| ClientSocket clientSocket = null; |
| try { |
| SSLServerSocketFactory serversocketfactory = |
| createServerSSLContext().getServerSocketFactory(); |
| listenSocket = |
| (SSLServerSocket)serversocketfactory.createServerSocket(0); |
| listenSocket.setNeedClientAuth(false); |
| listenSocket.setEnableSessionCreation(true); |
| listenSocket.setUseClientMode(false); |
| configureServerSocket(listenSocket); |
| |
| System.err.println("Starting client"); |
| clientSocket = new ClientSocket(listenSocket.getLocalPort()); |
| clientSocket.start(); |
| |
| System.err.println("Accepting client requests"); |
| serverSocket = (SSLSocket)listenSocket.accept(); |
| |
| if (!clientSocket.isDone) { |
| System.err.println("Waiting 3 seconds for client "); |
| Thread.sleep(3000); |
| } |
| |
| System.err.println("Sending data to client ..."); |
| String serverData = "Hi, I am server"; |
| BufferedWriter os = new BufferedWriter( |
| new OutputStreamWriter(serverSocket.getOutputStream())); |
| os.write(serverData, 0, serverData.length()); |
| os.newLine(); |
| os.flush(); |
| } finally { |
| if (listenSocket != null) { |
| listenSocket.close(); |
| } |
| |
| if (serverSocket != null) { |
| serverSocket.close(); |
| } |
| } |
| |
| if (clientSocket != null && clientSocket.clientException != null) { |
| throw clientSocket.clientException; |
| } |
| } |
| |
| private class ClientSocket extends Thread{ |
| boolean isDone = false; |
| int serverPort = 0; |
| Exception clientException; |
| |
| public ClientSocket(int serverPort) { |
| this.serverPort = serverPort; |
| } |
| |
| @Override |
| public void run() { |
| SSLSocket clientSocket = null; |
| String clientData = "Hi, I am client"; |
| try { |
| System.err.println( |
| "Connecting to server at port " + serverPort); |
| SSLSocketFactory sslSocketFactory = |
| createClientSSLContext().getSocketFactory(); |
| clientSocket = (SSLSocket)sslSocketFactory.createSocket( |
| InetAddress.getLocalHost(), serverPort); |
| configureClientSocket(clientSocket); |
| |
| System.err.println("Sending data to server ..."); |
| |
| BufferedWriter os = new BufferedWriter( |
| new OutputStreamWriter(clientSocket.getOutputStream())); |
| os.write(clientData, 0, clientData.length()); |
| os.newLine(); |
| os.flush(); |
| |
| System.err.println("Reading data from server"); |
| BufferedReader is = new BufferedReader( |
| new InputStreamReader(clientSocket.getInputStream())); |
| String data = is.readLine(); |
| System.err.println("Received Data from server: " + data); |
| } catch (Exception e) { |
| clientException = e; |
| System.err.println("unexpected client exception: " + e); |
| } finally { |
| if (clientSocket != null) { |
| try { |
| clientSocket.close(); |
| System.err.println("client socket closed"); |
| } catch (IOException ioe) { |
| clientException = ioe; |
| } |
| } |
| |
| isDone = true; |
| } |
| } |
| } |
| |
| // Construct a bogus trust manager which has more CAs such that exceed |
| // the size limit of the certificate_authorities extension (2^16). |
| private static final class BogusX509TrustManager |
| extends X509ExtendedTrustManager implements X509TrustManager { |
| private final X509ExtendedTrustManager tm; |
| |
| private BogusX509TrustManager(X509TrustManager trustManager) { |
| this.tm = (X509ExtendedTrustManager)trustManager; |
| } |
| |
| @Override |
| public void checkClientTrusted(X509Certificate[] chain, |
| String authType, Socket socket) throws CertificateException { |
| tm.checkClientTrusted(chain, authType, socket); |
| } |
| |
| @Override |
| public void checkServerTrusted(X509Certificate[] chain, |
| String authType, Socket socket) throws CertificateException { |
| tm.checkServerTrusted(chain, authType, socket); |
| } |
| |
| @Override |
| public void checkClientTrusted(X509Certificate[] chain, |
| String authType, SSLEngine sslEngine) throws CertificateException { |
| |
| tm.checkClientTrusted(chain, authType, sslEngine); |
| } |
| |
| @Override |
| public void checkServerTrusted(X509Certificate[] chain, |
| String authType, SSLEngine sslEngine) throws CertificateException { |
| |
| tm.checkServerTrusted(chain, authType, sslEngine); |
| } |
| |
| @Override |
| public void checkClientTrusted(X509Certificate[] chain, |
| String authType) throws CertificateException { |
| tm.checkServerTrusted(chain, authType); |
| } |
| |
| @Override |
| public void checkServerTrusted(X509Certificate[] chain, |
| String authType) throws CertificateException { |
| tm.checkServerTrusted(chain, authType); |
| } |
| |
| @Override |
| public X509Certificate[] getAcceptedIssuers() { |
| X509Certificate[] trustedCerts = tm.getAcceptedIssuers(); |
| int sizeAccount = 0; |
| for (X509Certificate cert: trustedCerts) { |
| X500Principal x500Principal = cert.getSubjectX500Principal(); |
| byte[] encodedPrincipal = x500Principal.getEncoded(); |
| sizeAccount += encodedPrincipal.length; |
| } |
| |
| // 0xFFFF: the size limit of the certificate_authorities extension |
| int duplicated = (0xFFFF + sizeAccount) / sizeAccount; |
| X509Certificate[] returnedCAs = |
| new X509Certificate[trustedCerts.length * duplicated]; |
| for (int i = 0; i < duplicated; i++) { |
| System.arraycopy(trustedCerts, 0, |
| returnedCAs, |
| i * trustedCerts.length + 0, trustedCerts.length); |
| } |
| |
| return returnedCAs; |
| } |
| } |
| } |