stan/jdk-24
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
jdk-24/jdk/test/sun/security/ssl/StatusStapling/CertStatusReqListV2ExtensionTests.java
Jamil Nimeh e7f31340a0 8046321: OCSP Stapling for TLS 
Initial feature commit for OCSP stapling in JSSE

Reviewed-by: xuelei, mullan
2015-08-05 12:19:38 -07:00

414 lines
19 KiB
Java
Raw Blame History

/*
* Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package sun.security.ssl;
/*
* @test
* @bug 8046321
* @summary OCSP Stapling for TLS (CertStatusReqListV2Extension tests)
* @build CertStatusReqListV2ExtensionTests TestCase TestUtils
* @run main/othervm sun.security.ssl.CertStatusReqListV2ExtensionTests
*/
import java.io.IOException;
import java.util.*;
import java.nio.ByteBuffer;
import javax.net.ssl.*;
/*
* Checks that the hash value for a certificate's issuer name is generated
* correctly. Requires any certificate that is not self-signed.
*
* NOTE: this test uses Sun private classes which are subject to change.
*/
public class CertStatusReqListV2ExtensionTests {
private static final boolean debug = false;
// Default status_request_v2 extension with two items
// 1. Type = ocsp_multi, OCSPStatusRequest is default
// 2. Type = ocsp, OCSPStatusRequest is default
private static final byte[] CSRLV2_DEF = {
0, 14, 2, 0, 4, 0, 0, 0,
0, 1, 0, 4, 0, 0, 0, 0
};
// A status_request_v2 where the item list length is
// longer than the provided data
private static final byte[] CSRLV2_LEN_TOO_LONG = {
0, 18, 2, 0, 4, 0, 0, 0,
0, 1, 0, 4, 0, 0, 0, 0
};
// A status_request_v2 where the item list length is
// shorter than the provided data
private static final byte[] CSRLV2_LEN_TOO_SHORT = {
0, 11, 2, 0, 4, 0, 0, 0,
0, 1, 0, 4, 0, 0, 0, 0
};
// A status_request_v2 extension with a zero-length
// certificate_status_req_list (not allowed by the spec)
private static final byte[] CSRLV2_INVALID_ZEROLEN = {0, 0};
// A status_request_v2 extension with two items (ocsp_multi and ocsp)
// using OCSPStatusRequests with 5 ResponderIds and 1 Extension each.
private static final byte[] CSRLV2_TWO_NON_DEF_ITEMS = {
2, 90, 2, 1, 42, 0, -13, 0,
59, -95, 57, 48, 55, 49, 16, 48,
14, 6, 3, 85, 4, 10, 19, 7,
83, 111, 109, 101, 73, 110, 99, 49,
16, 48, 14, 6, 3, 85, 4, 11,
19, 7, 83, 111, 109, 101, 80, 75,
73, 49, 17, 48, 15, 6, 3, 85,
4, 3, 19, 8, 83, 111, 109, 101,
79, 67, 83, 80, 0, 68, -95, 66,
48, 64, 49, 13, 48, 11, 6, 3,
85, 4, 10, 19, 4, 79, 104, 77,
121, 49, 14, 48, 12, 6, 3, 85,
4, 11, 19, 5, 66, 101, 97, 114,
115, 49, 15, 48, 13, 6, 3, 85,
4, 11, 19, 6, 84, 105, 103, 101,
114, 115, 49, 14, 48, 12, 6, 3,
85, 4, 3, 19, 5, 76, 105, 111,
110, 115, 0, 58, -95, 56, 48, 54,
49, 16, 48, 14, 6, 3, 85, 4,
10, 19, 7, 67, 111, 109, 112, 97,
110, 121, 49, 13, 48, 11, 6, 3,
85, 4, 11, 19, 4, 87, 101, 115,
116, 49, 19, 48, 17, 6, 3, 85,
4, 3, 19, 10, 82, 101, 115, 112,
111, 110, 100, 101, 114, 49, 0, 24,
-94, 22, 4, 20, -67, -36, 114, 121,
92, -79, 116, -1, 102, -107, 7, -21,
18, -113, 64, 76, 96, -7, -66, -63,
0, 24, -94, 22, 4, 20, -51, -69,
107, -82, -39, -87, 45, 25, 41, 28,
-76, -68, -11, -110, -94, -97, 62, 47,
58, -125, 0, 51, 48, 49, 48, 47,
6, 9, 43, 6, 1, 5, 5, 7,
48, 1, 2, 4, 34, 4, 32, -26,
-81, -120, -61, -127, -79, 0, -39, -54,
49, 3, -51, -57, -85, 19, -126, 94,
-2, 21, 26, 98, 6, 105, -35, -37,
-29, -73, 101, 53, 44, 15, -19, 1,
1, 42, 0, -13, 0, 59, -95, 57,
48, 55, 49, 16, 48, 14, 6, 3,
85, 4, 10, 19, 7, 83, 111, 109,
101, 73, 110, 99, 49, 16, 48, 14,
6, 3, 85, 4, 11, 19, 7, 83,
111, 109, 101, 80, 75, 73, 49, 17,
48, 15, 6, 3, 85, 4, 3, 19,
8, 83, 111, 109, 101, 79, 67, 83,
80, 0, 68, -95, 66, 48, 64, 49,
13, 48, 11, 6, 3, 85, 4, 10,
19, 4, 79, 104, 77, 121, 49, 14,
48, 12, 6, 3, 85, 4, 11, 19,
5, 66, 101, 97, 114, 115, 49, 15,
48, 13, 6, 3, 85, 4, 11, 19,
6, 84, 105, 103, 101, 114, 115, 49,
14, 48, 12, 6, 3, 85, 4, 3,
19, 5, 76, 105, 111, 110, 115, 0,
58, -95, 56, 48, 54, 49, 16, 48,
14, 6, 3, 85, 4, 10, 19, 7,
67, 111, 109, 112, 97, 110, 121, 49,
13, 48, 11, 6, 3, 85, 4, 11,
19, 4, 87, 101, 115, 116, 49, 19,
48, 17, 6, 3, 85, 4, 3, 19,
10, 82, 101, 115, 112, 111, 110, 100,
101, 114, 49, 0, 24, -94, 22, 4,
20, -67, -36, 114, 121, 92, -79, 116,
-1, 102, -107, 7, -21, 18, -113, 64,
76, 96, -7, -66, -63, 0, 24, -94,
22, 4, 20, -51, -69, 107, -82, -39,
-87, 45, 25, 41, 28, -76, -68, -11,
-110, -94, -97, 62, 47, 58, -125, 0,
51, 48, 49, 48, 47, 6, 9, 43,
6, 1, 5, 5, 7, 48, 1, 2,
4, 34, 4, 32, -26, -81, -120, -61,
-127, -79, 0, -39, -54, 49, 3, -51,
-57, -85, 19, -126, 94, -2, 21, 26,
98, 6, 105, -35, -37, -29, -73, 101,
53, 44, 15, -19
};
public static void main(String[] args) throws Exception {
Map<String, TestCase> testList =
new LinkedHashMap<String, TestCase>() {{
put("CTOR (default)", testCtorDefault);
put("CTOR (List<CertStatusReqItemV2)", testCtorItemList);
put("CTOR (HandshakeInStream, getRequestList",
testCtorInStream);
}};
TestUtils.runTests(testList);
}
public static final TestCase testCtorDefault = new TestCase() {
@Override
public Map.Entry<Boolean, String> runTest() {
Boolean pass = Boolean.FALSE;
String message = null;
try {
CertStatusReqListV2Extension csrlV2 =
new CertStatusReqListV2Extension();
HandshakeOutStream hsout = new HandshakeOutStream(null);
csrlV2.send(hsout);
TestUtils.valueCheck(wrapExtData(new byte[0]),
hsout.toByteArray());
// The length should be 4 (2 bytes for the type, 2 for the
// encoding of zero-length
if (csrlV2.length() != 4) {
throw new RuntimeException("Incorrect length from " +
"default object. Expected 4, got " +
csrlV2.length());
}
// Since there's no data, there are no status_type or request
// data fields defined. An empty, unmodifiable list should be
// returned when obtained from the extension.
List<CertStatusReqItemV2> itemList = csrlV2.getRequestItems();
if (!itemList.isEmpty()) {
throw new RuntimeException("Default CSRLV2 returned " +
"non-empty request list");
} else {
try {
itemList.add(new CertStatusReqItemV2(
StatusRequestType.OCSP_MULTI,
new OCSPStatusRequest()));
throw new RuntimeException("Returned itemList is " +
"modifiable!");
} catch (UnsupportedOperationException uoe) { }
}
pass = Boolean.TRUE;
} catch (Exception e) {
e.printStackTrace(System.out);
message = e.getClass().getName();
}
return new AbstractMap.SimpleEntry<>(pass, message);
}
};
public static final TestCase testCtorItemList = new TestCase() {
@Override
public Map.Entry<Boolean, String> runTest() {
Boolean pass = Boolean.FALSE;
String message = null;
OCSPStatusRequest osr = new OCSPStatusRequest();
List<CertStatusReqItemV2> noItems = Collections.emptyList();
List<CertStatusReqItemV2> defList =
new ArrayList<CertStatusReqItemV2>() {{
add(new CertStatusReqItemV2(StatusRequestType.OCSP_MULTI, osr));
add(new CertStatusReqItemV2(StatusRequestType.OCSP, osr));
}};
List<CertStatusReqItemV2> unknownTypesList =
new ArrayList<CertStatusReqItemV2>() {{
add(new CertStatusReqItemV2(StatusRequestType.get(8),
new UnknownStatusRequest(new byte[0])));
add(new CertStatusReqItemV2(StatusRequestType.get(12),
new UnknownStatusRequest(new byte[5])));
}};
try {
HandshakeOutStream hsout = new HandshakeOutStream(null);
StatusRequest basicStatReq = new OCSPStatusRequest();
// Create an extension using a default-style OCSPStatusRequest
// (no responder IDs, no extensions).
CertStatusReqListV2Extension csrlv2 =
new CertStatusReqListV2Extension(defList);
csrlv2.send(hsout);
TestUtils.valueCheck(wrapExtData(CSRLV2_DEF),
hsout.toByteArray());
hsout.reset();
// Create the extension using a StatusRequestType not already
// instantiated as a static StatusRequestType
// (e.g. OCSP/OCSP_MULTI)
csrlv2 = new CertStatusReqListV2Extension(unknownTypesList);
List<CertStatusReqItemV2> itemList = csrlv2.getRequestItems();
if (itemList.size() != unknownTypesList.size()) {
throw new RuntimeException("Custom CSRLV2 returned " +
"an incorrect number of items: expected " +
unknownTypesList.size() + ", got " +
itemList.size());
} else {
// Verify that the list is unmodifiable
try {
itemList.add(new CertStatusReqItemV2(
StatusRequestType.OCSP_MULTI,
new OCSPStatusRequest()));
throw new RuntimeException("Returned itemList is " +
"modifiable!");
} catch (UnsupportedOperationException uoe) { }
}
// Pass a null value for the item list. This should throw
// an exception
try {
CertStatusReqListV2Extension csrlv2Null =
new CertStatusReqListV2Extension(null);
throw new RuntimeException("Constructor accepted a " +
"null request list");
} catch (NullPointerException npe) { }
pass = Boolean.TRUE;
} catch (Exception e) {
e.printStackTrace(System.out);
message = e.getClass().getName();
}
return new AbstractMap.SimpleEntry<>(pass, message);
}
};
// Test the constructor that builds the ob ject using data from
// a HandshakeInStream
// This also tests the length, getReqType and getRequest methods
public static final TestCase testCtorInStream = new TestCase() {
@Override
public Map.Entry<Boolean, String> runTest() {
Boolean pass = Boolean.FALSE;
String message = null;
OCSPStatusRequest osr;
CertStatusReqListV2Extension csrlv2;
try {
// To simulate the extension coming in a ServerHello, the
// type and length would already be read by HelloExtensions
// and there is no extension data
HandshakeInStream hsis = new HandshakeInStream();
hsis.incomingRecord(ByteBuffer.wrap(new byte[0]));
csrlv2 = new CertStatusReqListV2Extension(hsis,
hsis.available());
// Verify length/request list
if (csrlv2.length() != 4) {
throw new RuntimeException("Invalid length: received " +
csrlv2.length() + ", expected 4");
} else {
List<CertStatusReqItemV2> itemList =
csrlv2.getRequestItems();
if (!itemList.isEmpty()) {
throw new RuntimeException("Default CSRLV2 returned " +
"non-empty request list");
} else {
try {
itemList.add(new CertStatusReqItemV2(
StatusRequestType.OCSP_MULTI,
new OCSPStatusRequest()));
throw new RuntimeException("Returned itemList is " +
"modifiable!");
} catch (UnsupportedOperationException uoe) { }
}
}
// Try the an extension with our basic client-generated
// status_request_v2 (2 items, ocsp_multi and ocsp, each with
// a default OCSPStatusRequest
hsis = new HandshakeInStream();
hsis.incomingRecord(ByteBuffer.wrap(CSRLV2_DEF));
csrlv2 = new CertStatusReqListV2Extension(hsis,
hsis.available());
if (csrlv2.length() != (CSRLV2_DEF.length + 4)) {
throw new RuntimeException("Invalid length: received " +
csrlv2.length() + ", expected " +
CSRLV2_DEF.length + 4);
} else {
List<CertStatusReqItemV2> itemList =
csrlv2.getRequestItems();
if (itemList.size() != 2) {
throw new RuntimeException("Unexpected number of " +
"items request list, expected 2, got " +
itemList.size());
} else {
try {
itemList.add(new CertStatusReqItemV2(
StatusRequestType.OCSP_MULTI,
new OCSPStatusRequest()));
throw new RuntimeException("Returned itemList is " +
"modifiable!");
} catch (UnsupportedOperationException uoe) { }
}
}
// Try incoming data with an illegal zero-length
// certificate_status_req_list
try {
hsis = new HandshakeInStream();
hsis.incomingRecord(
ByteBuffer.wrap(CSRLV2_INVALID_ZEROLEN));
csrlv2 = new CertStatusReqListV2Extension(hsis,
hsis.available());
throw new RuntimeException("Unxpected successful " +
"object construction");
} catch (SSLException ssle) { }
// Try extensions where the certificate_status_req_list length
// is either too long or too short
try {
hsis = new HandshakeInStream();
hsis.incomingRecord(ByteBuffer.wrap(CSRLV2_LEN_TOO_LONG));
csrlv2 = new CertStatusReqListV2Extension(hsis,
hsis.available());
throw new RuntimeException("Unxpected successful " +
"object construction");
} catch (SSLException ssle) { }
try {
hsis = new HandshakeInStream();
hsis.incomingRecord(ByteBuffer.wrap(CSRLV2_LEN_TOO_SHORT));
csrlv2 = new CertStatusReqListV2Extension(hsis,
hsis.available());
throw new RuntimeException("Unxpected successful " +
"object construction");
} catch (SSLException ssle) { }
pass = Boolean.TRUE;
} catch (Exception e) {
e.printStackTrace(System.out);
message = e.getClass().getName();
}
return new AbstractMap.SimpleEntry<>(pass, message);
}
};
// Take CSRE extension data and add extension type and length decorations
private static byte[] wrapExtData(byte[] extData) {
int bufferLen = extData.length + 4;
ByteBuffer bb = ByteBuffer.allocate(bufferLen);
bb.putShort((short)ExtensionType.EXT_STATUS_REQUEST_V2.id);
bb.putShort((short)extData.length);
if (extData.length != 0) {
bb.put(extData);
}
return bb.array();
}
}
Reference in New Issue View Git Blame Copy Permalink