230 lines
8.3 KiB
Java
230 lines
8.3 KiB
Java
/*
|
|
* Copyright (c) 2020, 2023, Oracle and/or its affiliates. All rights reserved.
|
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
*
|
|
* This code is free software; you can redistribute it and/or modify it
|
|
* under the terms of the GNU General Public License version 2 only, as
|
|
* published by the Free Software Foundation.
|
|
*
|
|
* This code is distributed in the hope that it will be useful, but WITHOUT
|
|
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
* version 2 for more details (a copy is included in the LICENSE file that
|
|
* accompanied this code).
|
|
*
|
|
* You should have received a copy of the GNU General Public License version
|
|
* 2 along with this work; if not, write to the Free Software Foundation,
|
|
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
*
|
|
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
|
* or visit www.oracle.com if you need additional information or have any
|
|
* questions.
|
|
*/
|
|
|
|
/*
|
|
* @test
|
|
* @bug 8206925
|
|
* @library /javax/net/ssl/templates
|
|
* @summary Support the certificate_authorities extension
|
|
* @run main/othervm TooManyCAs
|
|
* @run main/othervm -Djdk.tls.client.enableCAExtension=true TooManyCAs
|
|
*/
|
|
import javax.net.ssl.*;
|
|
import javax.security.auth.x500.X500Principal;
|
|
import java.io.*;
|
|
import java.net.Socket;
|
|
import java.security.cert.CertificateException;
|
|
import java.security.cert.X509Certificate;
|
|
import java.util.concurrent.CyclicBarrier;
|
|
|
|
/**
|
|
* Check if the connection can be established if the client or server trusts
|
|
* more CAs such that it exceeds the size limit of the certificate_authorities
|
|
* extension (2^16).
|
|
*/
|
|
public class TooManyCAs extends SSLSocketTemplate {
|
|
|
|
private static final String[][][] protocols = {
|
|
{{"TLSv1.3"}, {"TLSv1.3"}},
|
|
{{"TLSv1.3", "TLSv1.2"}, {"TLSv1.3"}},
|
|
{{"TLSv1.3"}, {"TLSv1.3", "TLSv1.2"}},
|
|
};
|
|
|
|
private final String[] clientProtocols;
|
|
private final String[] serverProtocols;
|
|
private final boolean needClientAuth;
|
|
|
|
/*
|
|
* Used to synchronize client and server; there were intermittent
|
|
* failures on Windows due to the connection being killed.
|
|
*/
|
|
private final CyclicBarrier barrier = new CyclicBarrier(2);
|
|
|
|
TooManyCAs(int index, boolean needClientAuth) {
|
|
this.clientProtocols = protocols[index][0];
|
|
this.serverProtocols = protocols[index][1];
|
|
this.needClientAuth = needClientAuth;
|
|
|
|
System.out.printf("Testing%n\tclient protocols: %s%n\t" +
|
|
"server protocols: %s%n\tneed client auth: %s%n",
|
|
String.join(", ", clientProtocols),
|
|
String.join(", ", serverProtocols),
|
|
needClientAuth);
|
|
}
|
|
|
|
@Override
|
|
protected void configureClientSocket(SSLSocket clientSocket) {
|
|
System.out.println("Setting client protocol(s): "
|
|
+ String.join(",", clientProtocols));
|
|
|
|
clientSocket.setEnabledProtocols(clientProtocols);
|
|
}
|
|
|
|
@Override
|
|
protected void configureServerSocket(SSLServerSocket serverSocket) {
|
|
serverSocket.setNeedClientAuth(needClientAuth);
|
|
serverSocket.setEnableSessionCreation(true);
|
|
serverSocket.setUseClientMode(false);
|
|
|
|
System.out.println("Setting server protocol(s): "
|
|
+ String.join(",", serverProtocols));
|
|
|
|
serverSocket.setEnabledProtocols(serverProtocols);
|
|
}
|
|
|
|
@Override
|
|
protected TrustManager createClientTrustManager() throws Exception {
|
|
TrustManager trustManager = super.createClientTrustManager();
|
|
return new BogusX509TrustManager(
|
|
(X509TrustManager)trustManager);
|
|
}
|
|
|
|
@Override
|
|
protected TrustManager createServerTrustManager() throws Exception {
|
|
TrustManager trustManager = super.createServerTrustManager();
|
|
return new BogusX509TrustManager(
|
|
(X509TrustManager)trustManager);
|
|
}
|
|
|
|
/*
|
|
* Run the test case.
|
|
*/
|
|
public static void main(String[] args) throws Exception {
|
|
for (int i = 0; i < protocols.length; i++) {
|
|
(new TooManyCAs(i, false)).run();
|
|
(new TooManyCAs(i, true)).run();
|
|
}
|
|
}
|
|
|
|
@Override
|
|
protected void runServerApplication(SSLSocket socket) throws Exception {
|
|
try {
|
|
System.out.println("Sending data to client ...");
|
|
String serverData = "Hi, I am server";
|
|
BufferedWriter os = new BufferedWriter(
|
|
new OutputStreamWriter(socket.getOutputStream()));
|
|
os.write(serverData, 0, serverData.length());
|
|
os.newLine();
|
|
os.flush();
|
|
} finally {
|
|
barrier.await();
|
|
System.out.println("Server done");
|
|
}
|
|
}
|
|
|
|
@Override
|
|
protected void runClientApplication(SSLSocket socket) throws Exception {
|
|
try {
|
|
String clientData = "Hi, I am client";
|
|
System.out.println("Sending data to server ...");
|
|
|
|
BufferedWriter os = new BufferedWriter(
|
|
new OutputStreamWriter(socket.getOutputStream()));
|
|
os.write(clientData, 0, clientData.length());
|
|
os.newLine();
|
|
os.flush();
|
|
|
|
System.out.println("Reading data from server");
|
|
BufferedReader is = new BufferedReader(
|
|
new InputStreamReader(socket.getInputStream()));
|
|
String data = is.readLine();
|
|
System.out.println("Received Data from server: " + data);
|
|
} finally {
|
|
barrier.await();
|
|
System.out.println("client done.");
|
|
}
|
|
}
|
|
|
|
// Construct a bogus trust manager which has more CAs such that exceed
|
|
// the size limit of the certificate_authorities extension (2^16).
|
|
private static final class BogusX509TrustManager
|
|
extends X509ExtendedTrustManager implements X509TrustManager {
|
|
private final X509ExtendedTrustManager tm;
|
|
|
|
private BogusX509TrustManager(X509TrustManager trustManager) {
|
|
this.tm = (X509ExtendedTrustManager)trustManager;
|
|
}
|
|
|
|
@Override
|
|
public void checkClientTrusted(X509Certificate[] chain,
|
|
String authType, Socket socket) throws CertificateException {
|
|
tm.checkClientTrusted(chain, authType, socket);
|
|
}
|
|
|
|
@Override
|
|
public void checkServerTrusted(X509Certificate[] chain,
|
|
String authType, Socket socket) throws CertificateException {
|
|
tm.checkServerTrusted(chain, authType, socket);
|
|
}
|
|
|
|
@Override
|
|
public void checkClientTrusted(X509Certificate[] chain,
|
|
String authType, SSLEngine sslEngine) throws CertificateException {
|
|
|
|
tm.checkClientTrusted(chain, authType, sslEngine);
|
|
}
|
|
|
|
@Override
|
|
public void checkServerTrusted(X509Certificate[] chain,
|
|
String authType, SSLEngine sslEngine) throws CertificateException {
|
|
|
|
tm.checkServerTrusted(chain, authType, sslEngine);
|
|
}
|
|
|
|
@Override
|
|
public void checkClientTrusted(X509Certificate[] chain,
|
|
String authType) throws CertificateException {
|
|
tm.checkServerTrusted(chain, authType);
|
|
}
|
|
|
|
@Override
|
|
public void checkServerTrusted(X509Certificate[] chain,
|
|
String authType) throws CertificateException {
|
|
tm.checkServerTrusted(chain, authType);
|
|
}
|
|
|
|
@Override
|
|
public X509Certificate[] getAcceptedIssuers() {
|
|
X509Certificate[] trustedCerts = tm.getAcceptedIssuers();
|
|
int sizeAccount = 0;
|
|
for (X509Certificate cert: trustedCerts) {
|
|
X500Principal x500Principal = cert.getSubjectX500Principal();
|
|
byte[] encodedPrincipal = x500Principal.getEncoded();
|
|
sizeAccount += encodedPrincipal.length;
|
|
}
|
|
|
|
// 0xFFFF: the size limit of the certificate_authorities extension
|
|
int duplicated = (0xFFFF + sizeAccount) / sizeAccount;
|
|
X509Certificate[] returnedCAs =
|
|
new X509Certificate[trustedCerts.length * duplicated];
|
|
for (int i = 0; i < duplicated; i++) {
|
|
System.arraycopy(trustedCerts, 0,
|
|
returnedCAs,
|
|
i * trustedCerts.length, trustedCerts.length);
|
|
}
|
|
|
|
return returnedCAs;
|
|
}
|
|
}
|
|
}
|