163 lines
5.8 KiB
Java
163 lines
5.8 KiB
Java
/*
|
|
* Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
|
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
*
|
|
* This code is free software; you can redistribute it and/or modify it
|
|
* under the terms of the GNU General Public License version 2 only, as
|
|
* published by the Free Software Foundation.
|
|
*
|
|
* This code is distributed in the hope that it will be useful, but WITHOUT
|
|
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
* version 2 for more details (a copy is included in the LICENSE file that
|
|
* accompanied this code).
|
|
*
|
|
* You should have received a copy of the GNU General Public License version
|
|
* 2 along with this work; if not, write to the Free Software Foundation,
|
|
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
*
|
|
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
|
* or visit www.oracle.com if you need additional information or have any
|
|
* questions.
|
|
*/
|
|
|
|
/*
|
|
* @test
|
|
* @bug 8191808
|
|
* @summary check that CRL download is interrupted if it takes too long
|
|
* @library /test/lib
|
|
* @run main/othervm -Dcom.sun.security.crl.readtimeout=1 CRLReadTimeout
|
|
*/
|
|
|
|
import java.io.File;
|
|
import java.io.InputStream;
|
|
import java.io.IOException;
|
|
import java.net.InetSocketAddress;
|
|
import java.net.SocketTimeoutException;
|
|
import java.security.KeyStore;
|
|
import java.security.cert.CertificateFactory;
|
|
import java.security.cert.CertPath;
|
|
import java.security.cert.CertPathValidator;
|
|
import java.security.cert.CertPathValidatorException;
|
|
import java.security.cert.PKIXParameters;
|
|
import java.security.cert.PKIXRevocationChecker;
|
|
import static java.security.cert.PKIXRevocationChecker.Option.*;
|
|
import java.security.cert.TrustAnchor;
|
|
import java.security.cert.X509Certificate;
|
|
import java.util.EnumSet;
|
|
import java.util.List;
|
|
import java.util.Set;
|
|
import com.sun.net.httpserver.HttpServer;
|
|
|
|
import jdk.test.lib.SecurityTools;
|
|
import jdk.test.lib.process.OutputAnalyzer;
|
|
|
|
public class CRLReadTimeout {
|
|
|
|
public static void main(String[] args) throws Exception {
|
|
|
|
String timeout = System.getProperty("com.sun.security.crl.readtimeout");
|
|
if (timeout == null) {
|
|
timeout = "15";
|
|
}
|
|
System.out.println("Testing timeout of " + timeout + " seconds");
|
|
|
|
CrlHttpServer crlServer = new CrlHttpServer(Integer.parseInt(timeout));
|
|
try {
|
|
crlServer.start();
|
|
testTimeout(crlServer.getPort());
|
|
} finally {
|
|
crlServer.stop();
|
|
}
|
|
}
|
|
|
|
private static void testTimeout(int port) throws Exception {
|
|
|
|
// create certificate chain with two certs, root and end-entity
|
|
keytool("-alias duke -dname CN=duke -genkey -keyalg RSA");
|
|
keytool("-alias root -dname CN=root -genkey -keyalg RSA");
|
|
keytool("-certreq -alias duke -file duke.req");
|
|
// set CRL URI to local server
|
|
keytool("-gencert -infile duke.req -alias root -rfc -outfile duke.cert "
|
|
+ "-ext crl=uri:http://localhost:" + port + "/crl");
|
|
keytool("-importcert -file duke.cert -alias duke");
|
|
|
|
KeyStore ks = KeyStore.getInstance(new File("ks"),
|
|
"changeit".toCharArray());
|
|
X509Certificate cert = (X509Certificate)ks.getCertificate("duke");
|
|
X509Certificate root = (X509Certificate)ks.getCertificate("root");
|
|
|
|
// validate chain
|
|
CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
|
|
PKIXRevocationChecker prc =
|
|
(PKIXRevocationChecker)cpv.getRevocationChecker();
|
|
prc.setOptions(EnumSet.of(PREFER_CRLS, NO_FALLBACK, SOFT_FAIL));
|
|
PKIXParameters params =
|
|
new PKIXParameters(Set.of(new TrustAnchor(root, null)));
|
|
params.addCertPathChecker(prc);
|
|
CertificateFactory cf = CertificateFactory.getInstance("X.509");
|
|
CertPath cp = cf.generateCertPath(List.of(cert));
|
|
cpv.validate(cp, params);
|
|
|
|
// unwrap soft fail exceptions and check for SocketTimeoutException
|
|
boolean expected = false;
|
|
for (CertPathValidatorException softFail:prc.getSoftFailExceptions()) {
|
|
Throwable cause = softFail.getCause();
|
|
while (cause != null) {
|
|
if (cause instanceof SocketTimeoutException) {
|
|
expected = true;
|
|
break;
|
|
}
|
|
cause = cause.getCause();
|
|
}
|
|
if (expected) {
|
|
break;
|
|
}
|
|
}
|
|
if (!expected) {
|
|
throw new Exception("SocketTimeoutException not thrown");
|
|
}
|
|
}
|
|
|
|
private static OutputAnalyzer keytool(String cmd) throws Exception {
|
|
return SecurityTools.keytool("-storepass changeit "
|
|
+ "-keystore ks " + cmd);
|
|
}
|
|
|
|
private static class CrlHttpServer {
|
|
|
|
private final HttpServer server;
|
|
private final int timeout;
|
|
|
|
public CrlHttpServer(int timeout) throws IOException {
|
|
server = HttpServer.create();
|
|
this.timeout = timeout;
|
|
}
|
|
|
|
public void start() throws IOException {
|
|
server.bind(new InetSocketAddress(0), 0);
|
|
server.createContext("/", t -> {
|
|
try (InputStream is = t.getRequestBody()) {
|
|
is.readAllBytes();
|
|
}
|
|
try {
|
|
// sleep for 2 seconds longer to force timeout
|
|
Thread.sleep((timeout + 2)*1000);
|
|
} catch (InterruptedException ie) {
|
|
throw new IOException(ie);
|
|
}
|
|
});
|
|
server.setExecutor(null);
|
|
server.start();
|
|
}
|
|
|
|
public void stop() {
|
|
server.stop(0);
|
|
}
|
|
|
|
int getPort() {
|
|
return server.getAddress().getPort();
|
|
}
|
|
}
|
|
}
|