6668231: Presence of a critical subjectAltName causes JSSE's SunX509 to fail trusted checks
Make the critical extension known to end entity checker. Reviewed-by: wetmore, mullan
This commit is contained in:
parent
58ca4c8b87
commit
2dddf4033e
jdk
src/share/classes/sun/security/validator
test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection
@ -87,6 +87,9 @@ class EndEntityChecker {
|
||||
// the Microsoft Server-Gated-Cryptography EKU extension OID
|
||||
private final static String OID_EKU_MS_SGC = "1.3.6.1.4.1.311.10.3.3";
|
||||
|
||||
// the recognized extension OIDs
|
||||
private final static String OID_SUBJECT_ALT_NAME = "2.5.29.17";
|
||||
|
||||
private final static String NSCT_SSL_CLIENT =
|
||||
NetscapeCertTypeExtension.SSL_CLIENT;
|
||||
|
||||
@ -171,6 +174,13 @@ class EndEntityChecker {
|
||||
throws CertificateException {
|
||||
// basic constraints irrelevant in EE certs
|
||||
exts.remove(SimpleValidator.OID_BASIC_CONSTRAINTS);
|
||||
|
||||
// If the subject field contains an empty sequence, the subjectAltName
|
||||
// extension MUST be marked critical.
|
||||
// We do not check the validity of the critical extension, just mark
|
||||
// it recognizable here.
|
||||
exts.remove(OID_SUBJECT_ALT_NAME);
|
||||
|
||||
if (!exts.isEmpty()) {
|
||||
throw new CertificateException("Certificate contains unsupported "
|
||||
+ "critical extensions: " + exts);
|
||||
|
262
jdk/test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/CriticalSubjectAltName.java
Normal file
262
jdk/test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/CriticalSubjectAltName.java
Normal file
@ -0,0 +1,262 @@
|
||||
/*
|
||||
* Copyright 2001-2008 Sun Microsystems, Inc. All Rights Reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License version 2 only, as
|
||||
* published by the Free Software Foundation.
|
||||
*
|
||||
* This code is distributed in the hope that it will be useful, but WITHOUT
|
||||
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* version 2 for more details (a copy is included in the LICENSE file that
|
||||
* accompanied this code).
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License version
|
||||
* 2 along with this work; if not, write to the Free Software Foundation,
|
||||
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
*
|
||||
* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
|
||||
* CA 95054 USA or visit www.sun.com if you need additional information or
|
||||
* have any questions.
|
||||
*/
|
||||
|
||||
/*
|
||||
* @test
|
||||
* @bug 6668231
|
||||
* @summary Presence of a critical subjectAltName causes JSSE's SunX509 to
|
||||
* fail trusted checks
|
||||
* @author Xuelei Fan
|
||||
*
|
||||
* This test depends on binary keystore, crisubn.jks and trusted.jks. Because
|
||||
* JAVA keytool cannot generate X509 certificate with SubjectAltName extension,
|
||||
* the certificates are generated with openssl toolkits and then imported into
|
||||
* JAVA keystore.
|
||||
*
|
||||
* The crisubn.jks holds a private key entry and the corresponding X509
|
||||
* certificate issued with an empty Subject field, and a critical
|
||||
* SubjectAltName extension.
|
||||
*
|
||||
* The trusted.jks holds the trusted certificate.
|
||||
*/
|
||||
import java.io.*;
|
||||
import java.net.*;
|
||||
import javax.net.ssl.*;
|
||||
import java.security.cert.Certificate;
|
||||
|
||||
public class CriticalSubjectAltName implements HostnameVerifier {
|
||||
/*
|
||||
* =============================================================
|
||||
* Set the various variables needed for the tests, then
|
||||
* specify what tests to run on each side.
|
||||
*/
|
||||
|
||||
/*
|
||||
* Should we run the client or server in a separate thread?
|
||||
* Both sides can throw exceptions, but do you have a preference
|
||||
* as to which side should be the main thread.
|
||||
*/
|
||||
static boolean separateServerThread = true;
|
||||
|
||||
/*
|
||||
* Where do we find the keystores?
|
||||
*/
|
||||
static String pathToStores = "./";
|
||||
static String keyStoreFile = "crisubn.jks";
|
||||
static String trustStoreFile = "trusted.jks";
|
||||
static String passwd = "passphrase";
|
||||
|
||||
/*
|
||||
* Is the server ready to serve?
|
||||
*/
|
||||
volatile static boolean serverReady = false;
|
||||
|
||||
/*
|
||||
* Turn on SSL debugging?
|
||||
*/
|
||||
static boolean debug = false;
|
||||
|
||||
/*
|
||||
* If the client or server is doing some kind of object creation
|
||||
* that the other side depends on, and that thread prematurely
|
||||
* exits, you may experience a hang. The test harness will
|
||||
* terminate all hung threads after its timeout has expired,
|
||||
* currently 3 minutes by default, but you might try to be
|
||||
* smart about it....
|
||||
*/
|
||||
|
||||
/*
|
||||
* Define the server side of the test.
|
||||
*
|
||||
* If the server prematurely exits, serverReady will be set to true
|
||||
* to avoid infinite hangs.
|
||||
*/
|
||||
void doServerSide() throws Exception {
|
||||
SSLServerSocketFactory sslssf =
|
||||
(SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
|
||||
SSLServerSocket sslServerSocket =
|
||||
(SSLServerSocket) sslssf.createServerSocket(serverPort);
|
||||
serverPort = sslServerSocket.getLocalPort();
|
||||
|
||||
/*
|
||||
* Signal Client, we're ready for his connect.
|
||||
*/
|
||||
serverReady = true;
|
||||
|
||||
SSLSocket sslSocket = (SSLSocket) sslServerSocket.accept();
|
||||
OutputStream sslOS = sslSocket.getOutputStream();
|
||||
BufferedWriter bw = new BufferedWriter(new OutputStreamWriter(sslOS));
|
||||
bw.write("HTTP/1.1 200 OK\r\n\r\n\r\n");
|
||||
bw.flush();
|
||||
Thread.sleep(5000);
|
||||
sslSocket.close();
|
||||
}
|
||||
|
||||
/*
|
||||
* Define the client side of the test.
|
||||
*
|
||||
* If the server prematurely exits, serverReady will be set to true
|
||||
* to avoid infinite hangs.
|
||||
*/
|
||||
void doClientSide() throws Exception {
|
||||
|
||||
/*
|
||||
* Wait for server to get started.
|
||||
*/
|
||||
while (!serverReady) {
|
||||
Thread.sleep(50);
|
||||
}
|
||||
|
||||
URL url = new URL("https://localhost:"+serverPort+"/index.html");
|
||||
HttpsURLConnection urlc = (HttpsURLConnection)url.openConnection();
|
||||
urlc.setHostnameVerifier(this);
|
||||
urlc.getInputStream();
|
||||
|
||||
if (urlc.getResponseCode() == -1) {
|
||||
throw new RuntimeException("getResponseCode() returns -1");
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* =============================================================
|
||||
* The remainder is just support stuff
|
||||
*/
|
||||
|
||||
// use any free port by default
|
||||
volatile int serverPort = 0;
|
||||
|
||||
volatile Exception serverException = null;
|
||||
volatile Exception clientException = null;
|
||||
|
||||
public static void main(String[] args) throws Exception {
|
||||
String keyFilename =
|
||||
System.getProperty("test.src", "./") + "/" + pathToStores +
|
||||
"/" + keyStoreFile;
|
||||
String trustFilename =
|
||||
System.getProperty("test.src", "./") + "/" + pathToStores +
|
||||
"/" + trustStoreFile;
|
||||
|
||||
System.setProperty("javax.net.ssl.keyStore", keyFilename);
|
||||
System.setProperty("javax.net.ssl.keyStorePassword", passwd);
|
||||
System.setProperty("javax.net.ssl.trustStore", trustFilename);
|
||||
System.setProperty("javax.net.ssl.trustStorePassword", passwd);
|
||||
|
||||
if (debug)
|
||||
System.setProperty("javax.net.debug", "all");
|
||||
|
||||
/*
|
||||
* Start the tests.
|
||||
*/
|
||||
new CriticalSubjectAltName();
|
||||
}
|
||||
|
||||
Thread clientThread = null;
|
||||
Thread serverThread = null;
|
||||
|
||||
/*
|
||||
* Primary constructor, used to drive remainder of the test.
|
||||
*
|
||||
* Fork off the other side, then do your work.
|
||||
*/
|
||||
CriticalSubjectAltName() throws Exception {
|
||||
if (separateServerThread) {
|
||||
startServer(true);
|
||||
startClient(false);
|
||||
} else {
|
||||
startClient(true);
|
||||
startServer(false);
|
||||
}
|
||||
|
||||
/*
|
||||
* Wait for other side to close down.
|
||||
*/
|
||||
if (separateServerThread) {
|
||||
serverThread.join();
|
||||
} else {
|
||||
clientThread.join();
|
||||
}
|
||||
|
||||
/*
|
||||
* When we get here, the test is pretty much over.
|
||||
*
|
||||
* If the main thread excepted, that propagates back
|
||||
* immediately. If the other thread threw an exception, we
|
||||
* should report back.
|
||||
*/
|
||||
if (serverException != null)
|
||||
throw serverException;
|
||||
if (clientException != null)
|
||||
throw clientException;
|
||||
}
|
||||
|
||||
void startServer(boolean newThread) throws Exception {
|
||||
if (newThread) {
|
||||
serverThread = new Thread() {
|
||||
public void run() {
|
||||
try {
|
||||
doServerSide();
|
||||
} catch (Exception e) {
|
||||
/*
|
||||
* Our server thread just died.
|
||||
*
|
||||
* Release the client, if not active already...
|
||||
*/
|
||||
System.err.println("Server died...");
|
||||
serverReady = true;
|
||||
serverException = e;
|
||||
}
|
||||
}
|
||||
};
|
||||
serverThread.start();
|
||||
} else {
|
||||
doServerSide();
|
||||
}
|
||||
}
|
||||
|
||||
void startClient(boolean newThread) throws Exception {
|
||||
if (newThread) {
|
||||
clientThread = new Thread() {
|
||||
public void run() {
|
||||
try {
|
||||
doClientSide();
|
||||
} catch (Exception e) {
|
||||
/*
|
||||
* Our client thread just died.
|
||||
*/
|
||||
System.err.println("Client died...");
|
||||
clientException = e;
|
||||
}
|
||||
}
|
||||
};
|
||||
clientThread.start();
|
||||
} else {
|
||||
doClientSide();
|
||||
}
|
||||
}
|
||||
|
||||
// Simple test method to blindly agree that hostname and certname match
|
||||
public boolean verify(String hostname, SSLSession session) {
|
||||
return true;
|
||||
}
|
||||
|
||||
}
|
BIN
jdk/test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/crisubn.jks
Normal file
BIN
jdk/test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/crisubn.jks
Normal file
Binary file not shown.
BIN
jdk/test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/trusted.jks
Normal file
BIN
jdk/test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/trusted.jks
Normal file
Binary file not shown.
Loading…
x
Reference in New Issue
Block a user