9b11bd7f4a
Reviewed-by: mullan
303 lines
12 KiB
Java
303 lines
12 KiB
Java
/*
|
|
* Copyright (c) 2023, 2024, Oracle and/or its affiliates. All rights reserved.
|
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
*
|
|
* This code is free software; you can redistribute it and/or modify it
|
|
* under the terms of the GNU General Public License version 2 only, as
|
|
* published by the Free Software Foundation.
|
|
*
|
|
* This code is distributed in the hope that it will be useful, but WITHOUT
|
|
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
* version 2 for more details (a copy is included in the LICENSE file that
|
|
* accompanied this code).
|
|
*
|
|
* You should have received a copy of the GNU General Public License version
|
|
* 2 along with this work; if not, write to the Free Software Foundation,
|
|
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
*
|
|
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
|
* or visit www.oracle.com if you need additional information or have any
|
|
* questions.
|
|
*/
|
|
|
|
//
|
|
// Security properties, once set, cannot revert to unset. To avoid
|
|
// conflicts with tests running in the same VM isolate this test by
|
|
// running it in otherVM mode.
|
|
//
|
|
|
|
/**
|
|
* @test
|
|
* @bug 8179502
|
|
* @summary Enhance OCSP, CRL and Certificate Fetch Timeouts
|
|
* @modules java.base/sun.security.x509
|
|
* java.base/sun.security.provider.certpath
|
|
* java.base/sun.security.util
|
|
* @library ../../../../../java/security/testlibrary
|
|
* @build CertificateBuilder SimpleOCSPServer
|
|
* @run main/othervm -Djava.security.debug=certpath OCSPTimeout 1000 true
|
|
* @run main/othervm -Djava.security.debug=certpath
|
|
* -Dcom.sun.security.ocsp.readtimeout=5 OCSPTimeout 1000 true
|
|
* @run main/othervm -Djava.security.debug=certpath
|
|
* -Dcom.sun.security.ocsp.readtimeout=1 OCSPTimeout 5000 false
|
|
* @run main/othervm -Djava.security.debug=certpath
|
|
* -Dcom.sun.security.ocsp.readtimeout=1s OCSPTimeout 5000 false
|
|
* @run main/othervm -Djava.security.debug=certpath
|
|
* -Dcom.sun.security.ocsp.readtimeout=1500ms OCSPTimeout 5000 false
|
|
* @run main/othervm -Djava.security.debug=certpath
|
|
* -Dcom.sun.security.ocsp.readtimeout=4500ms OCSPTimeout 1000 true
|
|
*/
|
|
|
|
import java.io.*;
|
|
import java.math.BigInteger;
|
|
import java.net.*;
|
|
import java.security.*;
|
|
import java.security.cert.Certificate;
|
|
import java.security.spec.ECGenParameterSpec;
|
|
import java.util.*;
|
|
import java.security.cert.*;
|
|
import java.util.concurrent.TimeUnit;
|
|
|
|
import sun.security.testlibrary.SimpleOCSPServer;
|
|
import sun.security.testlibrary.CertificateBuilder;
|
|
|
|
import static java.security.cert.PKIXRevocationChecker.Option.*;
|
|
|
|
public class OCSPTimeout {
|
|
|
|
static String passwd = "passphrase";
|
|
static String ROOT_ALIAS = "root";
|
|
static String EE_ALIAS = "endentity";
|
|
|
|
// Enable debugging for additional output
|
|
static final boolean debug = true;
|
|
|
|
// PKI components we will need for this test
|
|
static X509Certificate rootCert; // The root CA certificate
|
|
static X509Certificate eeCert; // The end entity certificate
|
|
static KeyStore rootKeystore; // Root CA Keystore
|
|
static KeyStore eeKeystore; // End Entity Keystore
|
|
static KeyStore trustStore; // SSL Client trust store
|
|
static SimpleOCSPServer rootOcsp; // Root CA OCSP Responder
|
|
static int rootOcspPort; // Port number for root OCSP
|
|
|
|
public static void main(String[] args) throws Exception {
|
|
int ocspTimeout = 15000;
|
|
boolean expected = false;
|
|
|
|
createPKI();
|
|
|
|
try {
|
|
if (args[0] != null) {
|
|
ocspTimeout = Integer.parseInt(args[0]);
|
|
}
|
|
rootOcsp.setDelay(ocspTimeout);
|
|
|
|
expected = (args[1] != null && Boolean.parseBoolean(args[1]));
|
|
log("Test case expects to " + (expected ? "pass" : "fail"));
|
|
|
|
// validate chain
|
|
CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
|
|
PKIXRevocationChecker prc =
|
|
(PKIXRevocationChecker) cpv.getRevocationChecker();
|
|
prc.setOptions(EnumSet.of(NO_FALLBACK, SOFT_FAIL));
|
|
PKIXParameters params =
|
|
new PKIXParameters(Set.of(new TrustAnchor(rootCert, null)));
|
|
params.addCertPathChecker(prc);
|
|
CertificateFactory cf = CertificateFactory.getInstance("X.509");
|
|
CertPath cp = cf.generateCertPath(List.of(eeCert));
|
|
cpv.validate(cp, params);
|
|
|
|
// unwrap soft fail exceptions and check for SocketTimeoutException
|
|
List<CertPathValidatorException> softExc = prc.getSoftFailExceptions();
|
|
if (expected) {
|
|
if (!softExc.isEmpty()) {
|
|
log("Expected to pass, found " + softExc.size() +
|
|
" soft fail exceptions");
|
|
for (CertPathValidatorException cpve : softExc) {
|
|
log("Exception: " + cpve);
|
|
}
|
|
throw new RuntimeException("Expected to pass, found " +
|
|
softExc.size() + " soft fail exceptions");
|
|
}
|
|
} else {
|
|
// If we expect to fail the validation then there should be a
|
|
// SocketTimeoutException
|
|
boolean found = false;
|
|
for (CertPathValidatorException softFail : softExc) {
|
|
log("CPVE: " + softFail);
|
|
Throwable cause = softFail.getCause();
|
|
log("Cause: " + cause);
|
|
while (cause != null) {
|
|
if (cause instanceof SocketTimeoutException) {
|
|
found = true;
|
|
break;
|
|
}
|
|
cause = cause.getCause();
|
|
}
|
|
if (found) {
|
|
break;
|
|
}
|
|
}
|
|
|
|
if (!found) {
|
|
throw new RuntimeException("SocketTimeoutException not thrown");
|
|
}
|
|
}
|
|
} finally {
|
|
rootOcsp.stop();
|
|
rootOcsp.shutdownNow();
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Creates the PKI components necessary for this test, including
|
|
* Root CA, Intermediate CA and SSL server certificates, the keystores
|
|
* for each entity, a client trust store, and starts the OCSP responders.
|
|
*/
|
|
private static void createPKI() throws Exception {
|
|
CertificateBuilder cbld = new CertificateBuilder();
|
|
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC");
|
|
keyGen.initialize(new ECGenParameterSpec("secp256r1"));
|
|
KeyStore.Builder keyStoreBuilder =
|
|
KeyStore.Builder.newInstance("PKCS12", null,
|
|
new KeyStore.PasswordProtection(passwd.toCharArray()));
|
|
|
|
// Generate Root and EE keys
|
|
KeyPair rootCaKP = keyGen.genKeyPair();
|
|
log("Generated Root CA KeyPair");
|
|
KeyPair eeKP = keyGen.genKeyPair();
|
|
log("Generated End Entity KeyPair");
|
|
|
|
// Set up the Root CA Cert
|
|
cbld.setSubjectName("CN=Root CA Cert, O=SomeCompany");
|
|
cbld.setPublicKey(rootCaKP.getPublic());
|
|
cbld.setSerialNumber(new BigInteger("1"));
|
|
// Make a 3 year validity starting from 60 days ago
|
|
long start = System.currentTimeMillis() - TimeUnit.DAYS.toMillis(60);
|
|
long end = start + TimeUnit.DAYS.toMillis(1085);
|
|
cbld.setValidity(new Date(start), new Date(end));
|
|
addCommonExts(cbld, rootCaKP.getPublic(), rootCaKP.getPublic());
|
|
addCommonCAExts(cbld);
|
|
// Make our Root CA Cert!
|
|
rootCert = cbld.build(null, rootCaKP.getPrivate(),
|
|
"SHA256withECDSA");
|
|
log("Root CA Created:\n%s", certInfo(rootCert));
|
|
|
|
// Now build a keystore and add the keys and cert
|
|
rootKeystore = keyStoreBuilder.getKeyStore();
|
|
Certificate[] rootChain = {rootCert};
|
|
rootKeystore.setKeyEntry(ROOT_ALIAS, rootCaKP.getPrivate(),
|
|
passwd.toCharArray(), rootChain);
|
|
|
|
// Now fire up the OCSP responder
|
|
rootOcsp = new SimpleOCSPServer(rootKeystore, passwd, ROOT_ALIAS, null);
|
|
rootOcsp.enableLog(debug);
|
|
rootOcsp.setNextUpdateInterval(3600);
|
|
rootOcsp.setDisableContentLength(true);
|
|
rootOcsp.start();
|
|
|
|
// Wait 60 seconds for server ready
|
|
boolean readyStatus = rootOcsp.awaitServerReady(60, TimeUnit.SECONDS);
|
|
if (!readyStatus) {
|
|
throw new RuntimeException("Server not ready");
|
|
}
|
|
|
|
rootOcspPort = rootOcsp.getPort();
|
|
String rootRespURI = "http://localhost:" + rootOcspPort;
|
|
log("Root OCSP Responder URI is %s", rootRespURI);
|
|
|
|
// Now that we have the root keystore and OCSP responder we can
|
|
// create our end entity certificate
|
|
cbld.reset();
|
|
cbld.setSubjectName("CN=SSLCertificate, O=SomeCompany");
|
|
cbld.setPublicKey(eeKP.getPublic());
|
|
cbld.setSerialNumber(new BigInteger("4096"));
|
|
// Make a 1 year validity starting from 7 days ago
|
|
start = System.currentTimeMillis() - TimeUnit.DAYS.toMillis(7);
|
|
end = start + TimeUnit.DAYS.toMillis(365);
|
|
cbld.setValidity(new Date(start), new Date(end));
|
|
|
|
// Add extensions
|
|
addCommonExts(cbld, eeKP.getPublic(), rootCaKP.getPublic());
|
|
boolean[] kuBits = {true, false, false, false, false, false,
|
|
false, false, false};
|
|
cbld.addKeyUsageExt(kuBits);
|
|
List<String> ekuOids = new ArrayList<>();
|
|
ekuOids.add("1.3.6.1.5.5.7.3.1");
|
|
ekuOids.add("1.3.6.1.5.5.7.3.2");
|
|
cbld.addExtendedKeyUsageExt(ekuOids);
|
|
cbld.addSubjectAltNameDNSExt(Collections.singletonList("localhost"));
|
|
cbld.addAIAExt(Collections.singletonList(rootRespURI));
|
|
// Make our End Entity Cert!
|
|
eeCert = cbld.build(rootCert, rootCaKP.getPrivate(),
|
|
"SHA256withECDSA");
|
|
log("SSL Certificate Created:\n%s", certInfo(eeCert));
|
|
|
|
// Provide end entity cert revocation info to the Root CA
|
|
// OCSP responder.
|
|
Map<BigInteger, SimpleOCSPServer.CertStatusInfo> revInfo =
|
|
new HashMap<>();
|
|
revInfo.put(eeCert.getSerialNumber(),
|
|
new SimpleOCSPServer.CertStatusInfo(
|
|
SimpleOCSPServer.CertStatus.CERT_STATUS_GOOD));
|
|
rootOcsp.updateStatusDb(revInfo);
|
|
|
|
// Now build a keystore and add the keys, chain and root cert as a TA
|
|
eeKeystore = keyStoreBuilder.getKeyStore();
|
|
Certificate[] eeChain = {eeCert, rootCert};
|
|
eeKeystore.setKeyEntry(EE_ALIAS, eeKP.getPrivate(),
|
|
passwd.toCharArray(), eeChain);
|
|
eeKeystore.setCertificateEntry(ROOT_ALIAS, rootCert);
|
|
|
|
// And finally a Trust Store for the client
|
|
trustStore = keyStoreBuilder.getKeyStore();
|
|
trustStore.setCertificateEntry(ROOT_ALIAS, rootCert);
|
|
}
|
|
|
|
private static void addCommonExts(CertificateBuilder cbld,
|
|
PublicKey subjKey, PublicKey authKey) throws IOException {
|
|
cbld.addSubjectKeyIdExt(subjKey);
|
|
cbld.addAuthorityKeyIdExt(authKey);
|
|
}
|
|
|
|
private static void addCommonCAExts(CertificateBuilder cbld)
|
|
throws IOException {
|
|
cbld.addBasicConstraintsExt(true, true, -1);
|
|
// Set key usage bits for digitalSignature, keyCertSign and cRLSign
|
|
boolean[] kuBitSettings = {true, false, false, false, false, true,
|
|
true, false, false};
|
|
cbld.addKeyUsageExt(kuBitSettings);
|
|
}
|
|
|
|
/**
|
|
* Helper routine that dumps only a few cert fields rather than
|
|
* the whole toString() output.
|
|
*
|
|
* @param cert an X509Certificate to be displayed
|
|
*
|
|
* @return the String output of the issuer, subject and
|
|
* serial number
|
|
*/
|
|
private static String certInfo(X509Certificate cert) {
|
|
StringBuilder sb = new StringBuilder();
|
|
sb.append("Issuer: ").append(cert.getIssuerX500Principal()).
|
|
append("\n");
|
|
sb.append("Subject: ").append(cert.getSubjectX500Principal()).
|
|
append("\n");
|
|
sb.append("Serial: ").append(cert.getSerialNumber()).append("\n");
|
|
return sb.toString();
|
|
}
|
|
|
|
/**
|
|
* Log a message on stdout
|
|
*
|
|
* @param format the format string for the log entry
|
|
* @param args zero or more arguments corresponding to the format string
|
|
*/
|
|
private static void log(String format, Object ... args) {
|
|
System.out.format(format + "\n", args);
|
|
}
|
|
}
|