/* * Copyright (c) 2020, Azul Systems, Inc. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * version 2 for more details (a copy is included in the LICENSE file that * accompanied this code). * * You should have received a copy of the GNU General Public License version * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA * or visit www.oracle.com if you need additional information or have any * questions. */ /** * @test * @bug 8245527 * @library lib/ /test/lib * @modules java.base/sun.security.util * @run main/othervm LdapCBPropertiesTest true true com.sun.jndi.ldap.tls.cbtype tls-server-end-point * @run main/othervm LdapCBPropertiesTest false false com.sun.jndi.ldap.tls.cbtype tls-server-end-point * @run main/othervm LdapCBPropertiesTest true true com.sun.jndi.ldap.tls.cbtype tls-server-end-point com.sun.jndi.ldap.connect.timeout 2000 * @run main/othervm LdapCBPropertiesTest false false com.sun.jndi.ldap.tls.cbtype tls-server-end-point com.sun.jndi.ldap.connect.timeout 2000 * @run main/othervm LdapCBPropertiesTest false true com.sun.jndi.ldap.tls.cbtype tls-unknown * @run main/othervm LdapCBPropertiesTest false true jdk.internal.sasl.tlschannelbinding value * @summary test new JNDI property to control the Channel Binding data */ import javax.naming.AuthenticationException; import javax.naming.CommunicationException; import javax.naming.Context; import javax.naming.NamingException; import javax.naming.directory.DirContext; import javax.naming.directory.InitialDirContext; import java.net.InetAddress; import java.net.URI; import java.util.Hashtable; import org.ietf.jgss.GSSException; import javax.net.ssl.SSLException; import javax.net.ssl.SSLServerSocket; import javax.net.ssl.SSLServerSocketFactory; import javax.security.sasl.SaslException; import jdk.test.lib.net.URIBuilder; import sun.security.util.ChannelBindingException; public class LdapCBPropertiesTest { /* * Where do we find the keystores? */ static String pathToStores = "../../../../javax/net/ssl/etc"; static String keyStoreFile = "keystore"; static String trustStoreFile = "truststore"; static String passwd = "passphrase"; static boolean debug = false; public static void main(String[] args) throws Exception { String keyFilename = System.getProperty("test.src", "./") + "/" + pathToStores + "/" + keyStoreFile; String trustFilename = System.getProperty("test.src", "./") + "/" + pathToStores + "/" + trustStoreFile; System.setProperty("javax.net.ssl.keyStore", keyFilename); System.setProperty("javax.net.ssl.keyStorePassword", passwd); System.setProperty("javax.net.ssl.trustStore", trustFilename); System.setProperty("javax.net.ssl.trustStorePassword", passwd); if (debug) System.setProperty("javax.net.debug", "all"); /* * Start the tests. */ new LdapCBPropertiesTest(args); } /* * Primary constructor, used to drive remainder of the test. */ LdapCBPropertiesTest(String[] args) throws Exception { InetAddress loopback = InetAddress.getLoopbackAddress(); SSLServerSocketFactory sslssf = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault(); SSLServerSocket sslServerSocket = (SSLServerSocket) sslssf.createServerSocket(0, 0, loopback); int serverPort = sslServerSocket.getLocalPort(); try (var ignore = new BaseLdapServer(sslServerSocket).start()) { doClientSide(serverPort, args); } } /* * Define the client side of the test. * * The server should start at this time already */ void doClientSide(int serverPort, String[] args) throws Exception { boolean passed = false; boolean shouldPass = Boolean.parseBoolean(args[0]); boolean shouldConnect = Boolean.parseBoolean(args[1]); // set disableEndpointIdentification to disable hostname verification if (shouldConnect) { System.setProperty( "com.sun.jndi.ldap.object.disableEndpointIdentification", "true"); } // Set up the environment for creating the initial context Hashtable env = new Hashtable(); URI uri = URIBuilder.newBuilder() .scheme("ldaps") .loopback() .port(serverPort) .build(); env.put(Context.PROVIDER_URL, uri.toString()); env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI"); // read properties for (int i = 2; i < args.length; i += 2) { env.put(args[i], args[i + 1]); if (debug) System.out.println("Env=" + args[i] + "=" + args[i + 1]); } try { DirContext ctx = new InitialDirContext(env); passed = shouldPass; ctx.close(); } catch (NamingException ne) { // only NamingException is allowed if (debug) System.out.println("Exception=" + ne + " cause=" + ne.getRootCause()); passed = handleNamingException(ne, shouldPass, shouldConnect); } catch(Exception e) { System.err.println("Failed: caught an unexpected Exception - " + e); throw e; } finally { // test if internal property accessible to application if(shouldPass && env.get("jdk.internal.sasl.tlschannelbinding") != null) { throw new Exception( "Test FAILED: jdk.internal.sasl.tlschannelbinding should not be accessible"); } } if (!passed) { throw new Exception( "Test FAILED: NamingException exception should be thrown"); } System.out.println("Test PASSED"); } private static boolean handleNamingException(NamingException ne, boolean shouldPass, boolean shouldConnect) throws NamingException { if (ne instanceof AuthenticationException && ne.getRootCause() instanceof SaslException) { SaslException saslEx = (SaslException) ne.getRootCause(); if (shouldConnect && saslEx.getCause() instanceof GSSException) { // SSL connection successful, expected exception from SaslClient if (shouldPass) return true; } } if (!shouldConnect) { // SSL handshake fails Exception ex = ne; while(ex != null && !(ex instanceof CommunicationException)) { ex = (Exception)ex.getCause(); } if (ex != null) { if (ex.getCause() instanceof SSLException) { if (!shouldPass) return true; } } } Throwable rc = ne.getRootCause(); if (!shouldPass && (rc == null || rc instanceof ChannelBindingException)) { // Expected exception caused by Channel Binding parameter inconsistency return true; } throw ne; } }