/*
* Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/*
* @test
* @bug 8206925
* @library /javax/net/ssl/templates
* @summary Support the certificate_authorities extension
* @run main/othervm TooManyCAs
* @run main/othervm -Djdk.tls.client.enableCAExtension=true TooManyCAs
*/
import javax.net.ssl.*;
import javax.security.auth.x500.X500Principal;
import java.io.*;
import java.net.InetAddress;
import java.net.Socket;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
/**
* Check if the connection can be established if the client or server trusts
* more CAs such that it exceeds the size limit of the certificate_authorities
* extension (2^16).
*/
public class TooManyCAs implements SSLContextTemplate {
private static final String[][][] protocols = {
{{"TLSv1.3"}, {"TLSv1.3"}},
{{"TLSv1.3", "TLSv1.2"}, {"TLSv1.3"}},
{{"TLSv1.3"}, {"TLSv1.3", "TLSv1.2"}},
};
private final String[] clientProtocols;
private final String[] serverProtocols;
private final boolean needClientAuth;
TooManyCAs(int index, boolean needClientAuth) {
this.clientProtocols = protocols[index][0];
this.serverProtocols = protocols[index][1];
this.needClientAuth = needClientAuth;
}
// Servers are configured before clients, increment test case after.
void configureClientSocket(SSLSocket clientSocket) {
System.err.print("Setting client protocol(s): ");
Arrays.stream(clientProtocols).forEachOrdered(System.err::print);
System.err.println();
clientSocket.setEnabledProtocols(clientProtocols);
}
void configureServerSocket(SSLServerSocket serverSocket) {
System.err.print("Setting server protocol(s): ");
Arrays.stream(serverProtocols).forEachOrdered(System.err::print);
System.err.println();
serverSocket.setEnabledProtocols(serverProtocols);
if (needClientAuth) {
serverSocket.setNeedClientAuth(true);
}
}
@Override
public TrustManager createClientTrustManager() throws Exception {
TrustManager trustManager =
SSLContextTemplate.super.createClientTrustManager();
return new BogusX509TrustManager(
(X509TrustManager)trustManager);
}
@Override
public TrustManager createServerTrustManager() throws Exception {
TrustManager trustManager =
SSLContextTemplate.super.createServerTrustManager();
return new BogusX509TrustManager(
(X509TrustManager)trustManager);
}
/*
* Run the test case.
*/
public static void main(String[] args) throws Exception {
for (int i = 0; i < protocols.length; i++) {
(new TooManyCAs(i, false)).run();
(new TooManyCAs(i, true)).run();
}
}
private void run() throws Exception {
SSLServerSocket listenSocket = null;
SSLSocket serverSocket = null;
ClientSocket clientSocket = null;
try {
SSLServerSocketFactory serversocketfactory =
createServerSSLContext().getServerSocketFactory();
listenSocket =
(SSLServerSocket)serversocketfactory.createServerSocket(0);
listenSocket.setNeedClientAuth(false);
listenSocket.setEnableSessionCreation(true);
listenSocket.setUseClientMode(false);
configureServerSocket(listenSocket);
System.err.println("Starting client");
clientSocket = new ClientSocket(listenSocket.getLocalPort());
clientSocket.start();
System.err.println("Accepting client requests");
serverSocket = (SSLSocket)listenSocket.accept();
if (!clientSocket.isDone) {
System.err.println("Waiting 3 seconds for client ");
Thread.sleep(3000);
}
System.err.println("Sending data to client ...");
String serverData = "Hi, I am server";
BufferedWriter os = new BufferedWriter(
new OutputStreamWriter(serverSocket.getOutputStream()));
os.write(serverData, 0, serverData.length());
os.newLine();
os.flush();
} finally {
if (listenSocket != null) {
listenSocket.close();
}
if (serverSocket != null) {
serverSocket.close();
}
}
if (clientSocket != null && clientSocket.clientException != null) {
throw clientSocket.clientException;
}
}
private class ClientSocket extends Thread{
boolean isDone = false;
int serverPort = 0;
Exception clientException;
public ClientSocket(int serverPort) {
this.serverPort = serverPort;
}
@Override
public void run() {
SSLSocket clientSocket = null;
String clientData = "Hi, I am client";
try {
System.err.println(
"Connecting to server at port " + serverPort);
SSLSocketFactory sslSocketFactory =
createClientSSLContext().getSocketFactory();
clientSocket = (SSLSocket)sslSocketFactory.createSocket(
InetAddress.getLocalHost(), serverPort);
configureClientSocket(clientSocket);
System.err.println("Sending data to server ...");
BufferedWriter os = new BufferedWriter(
new OutputStreamWriter(clientSocket.getOutputStream()));
os.write(clientData, 0, clientData.length());
os.newLine();
os.flush();
System.err.println("Reading data from server");
BufferedReader is = new BufferedReader(
new InputStreamReader(clientSocket.getInputStream()));
String data = is.readLine();
System.err.println("Received Data from server: " + data);
} catch (Exception e) {
clientException = e;
System.err.println("unexpected client exception: " + e);
} finally {
if (clientSocket != null) {
try {
clientSocket.close();
System.err.println("client socket closed");
} catch (IOException ioe) {
clientException = ioe;
}
}
isDone = true;
}
}
}
// Construct a bogus trust manager which has more CAs such that exceed
// the size limit of the certificate_authorities extension (2^16).
private static final class BogusX509TrustManager
extends X509ExtendedTrustManager implements X509TrustManager {
private final X509ExtendedTrustManager tm;
private BogusX509TrustManager(X509TrustManager trustManager) {
this.tm = (X509ExtendedTrustManager)trustManager;
}
@Override
public void checkClientTrusted(X509Certificate[] chain,
String authType, Socket socket) throws CertificateException {
tm.checkClientTrusted(chain, authType, socket);
}
@Override
public void checkServerTrusted(X509Certificate[] chain,
String authType, Socket socket) throws CertificateException {
tm.checkServerTrusted(chain, authType, socket);
}
@Override
public void checkClientTrusted(X509Certificate[] chain,
String authType, SSLEngine sslEngine) throws CertificateException {
tm.checkClientTrusted(chain, authType, sslEngine);
}
@Override
public void checkServerTrusted(X509Certificate[] chain,
String authType, SSLEngine sslEngine) throws CertificateException {
tm.checkServerTrusted(chain, authType, sslEngine);
}
@Override
public void checkClientTrusted(X509Certificate[] chain,
String authType) throws CertificateException {
tm.checkServerTrusted(chain, authType);
}
@Override
public void checkServerTrusted(X509Certificate[] chain,
String authType) throws CertificateException {
tm.checkServerTrusted(chain, authType);
}
@Override
public X509Certificate[] getAcceptedIssuers() {
X509Certificate[] trustedCerts = tm.getAcceptedIssuers();
int sizeAccount = 0;
for (X509Certificate cert: trustedCerts) {
X500Principal x500Principal = cert.getSubjectX500Principal();
byte[] encodedPrincipal = x500Principal.getEncoded();
sizeAccount += encodedPrincipal.length;
}
// 0xFFFF: the size limit of the certificate_authorities extension
int duplicated = (0xFFFF + sizeAccount) / sizeAccount;
X509Certificate[] returnedCAs =
new X509Certificate[trustedCerts.length * duplicated];
for (int i = 0; i < duplicated; i++) {
System.arraycopy(trustedCerts, 0,
returnedCAs,
i * trustedCerts.length + 0, trustedCerts.length);
}
return returnedCAs;
}
}
}