409 lines
13 KiB
Java
409 lines
13 KiB
Java
/*
|
|
* Copyright (c) 2003, 2023, Oracle and/or its affiliates. All rights reserved.
|
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
*
|
|
* This code is free software; you can redistribute it and/or modify it
|
|
* under the terms of the GNU General Public License version 2 only, as
|
|
* published by the Free Software Foundation.
|
|
*
|
|
* This code is distributed in the hope that it will be useful, but WITHOUT
|
|
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
* version 2 for more details (a copy is included in the LICENSE file that
|
|
* accompanied this code).
|
|
*
|
|
* You should have received a copy of the GNU General Public License version
|
|
* 2 along with this work; if not, write to the Free Software Foundation,
|
|
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
*
|
|
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
|
* or visit www.oracle.com if you need additional information or have any
|
|
* questions.
|
|
*/
|
|
|
|
/* @test
|
|
* @bug 4938185 7106773
|
|
* @summary KeyStore support for NSS cert/key databases
|
|
* 512 bits RSA key cannot work with SHA384 and SHA512
|
|
* @library /test/lib ..
|
|
* @run testng/othervm ClientAuth
|
|
*/
|
|
|
|
import jtreg.SkippedException;
|
|
import org.testng.SkipException;
|
|
import org.testng.annotations.BeforeClass;
|
|
import org.testng.annotations.Test;
|
|
|
|
import java.io.*;
|
|
import java.net.InetAddress;
|
|
import java.net.InetSocketAddress;
|
|
import java.nio.file.Path;
|
|
import java.security.*;
|
|
import java.util.Arrays;
|
|
import java.util.concurrent.CountDownLatch;
|
|
import javax.net.*;
|
|
import javax.net.ssl.*;
|
|
|
|
public class ClientAuth extends PKCS11Test {
|
|
|
|
/*
|
|
* =============================================================
|
|
* Set the various variables needed for the tests, then
|
|
* specify what tests to run on each side.
|
|
*/
|
|
|
|
private static Provider provider;
|
|
private static final String NSS_PWD = "test12";
|
|
private static final String JKS_PWD = "passphrase";
|
|
private static final String SERVER_KS = "server.keystore";
|
|
private static final String TS = "truststore";
|
|
private static String p11config;
|
|
|
|
private static final Path TEST_DATA_PATH = Path.of(BASE)
|
|
.resolve("ClientAuthData");
|
|
|
|
private static final String DIR = TEST_DATA_PATH.toString();
|
|
|
|
/*
|
|
* Should we run the client or server in a separate thread?
|
|
* Both sides can throw exceptions, but do you have a preference
|
|
* as to which side should be the main thread.
|
|
*/
|
|
static boolean separateServerThread = false;
|
|
|
|
/*
|
|
* Is the server ready to serve?
|
|
*/
|
|
private final CountDownLatch serverReadyLatch = new CountDownLatch(1);
|
|
|
|
/*
|
|
* Turn on SSL debugging?
|
|
*/
|
|
static boolean debug = false;
|
|
|
|
/*
|
|
* If the client or server is doing some kind of object creation
|
|
* that the other side depends on, and that thread prematurely
|
|
* exits, you may experience a hang. The test harness will
|
|
* terminate all hung threads after its timeout has expired,
|
|
* currently 3 minutes by default, but you might try to be
|
|
* smart about it....
|
|
*/
|
|
|
|
@BeforeClass
|
|
public void setUp() throws Exception {
|
|
copyNssCertKeyToClassesDir(TEST_DATA_PATH);
|
|
setCommonSystemProps();
|
|
System.setProperty("CUSTOM_P11_CONFIG",
|
|
TEST_DATA_PATH.resolve("p11-nss.txt").toString());
|
|
Security.setProperty("jdk.tls.disabledAlgorithms", "");
|
|
Security.setProperty("jdk.certpath.disabledAlgorithms", "");
|
|
}
|
|
|
|
@Test
|
|
public void testClientAuthTLSv1() throws Exception {
|
|
String[] args = { "TLSv1" };
|
|
runTest(args);
|
|
}
|
|
|
|
@Test
|
|
public void testClientAuthTLSv11() throws Exception {
|
|
String[] args = { "TLSv1.1" };
|
|
runTest(args);
|
|
}
|
|
|
|
@Test
|
|
public void testClientAuthTLSv12AndCipherSuite() throws Exception {
|
|
String[] args = { "TLSv1.2", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" };
|
|
runTest(args);
|
|
}
|
|
|
|
private void runTest(String[] args) throws Exception {
|
|
System.out.println("Running with args: " + Arrays.toString(args));
|
|
parseArguments(args);
|
|
try {
|
|
main(new ClientAuth());
|
|
} catch (SkippedException se) {
|
|
throw new SkipException("One or more tests are skipped");
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Define the server side of the test.
|
|
*
|
|
* If the server prematurely exits, serverReady will be set to true
|
|
* to avoid infinite hangs.
|
|
*/
|
|
void doServerSide() throws Exception {
|
|
|
|
SSLContext ctx = SSLContext.getInstance("TLS");
|
|
char[] passphrase = JKS_PWD.toCharArray();
|
|
|
|
// server gets KeyStore from JKS keystore
|
|
KeyStore ks = KeyStore.getInstance("JKS");
|
|
ks.load(new FileInputStream(new File(DIR, SERVER_KS)), passphrase);
|
|
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
|
|
kmf.init(ks, passphrase);
|
|
|
|
// server gets TrustStore from PKCS#11 token
|
|
/*
|
|
passphrase = NSS_PWD.toCharArray();
|
|
KeyStore ts = KeyStore.getInstance("PKCS11", "SunPKCS11-nss");
|
|
ts.load(null, passphrase);
|
|
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
|
|
tmf.init(ts);
|
|
*/
|
|
|
|
//ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
|
|
ctx.init(kmf.getKeyManagers(), null, null);
|
|
ServerSocketFactory ssf = ctx.getServerSocketFactory();
|
|
InetSocketAddress socketAddress =
|
|
new InetSocketAddress(InetAddress.getLoopbackAddress(), serverPort);
|
|
SSLServerSocket sslServerSocket = (SSLServerSocket) ssf.createServerSocket();
|
|
sslServerSocket.bind(socketAddress);
|
|
sslServerSocket.setNeedClientAuth(true);
|
|
serverPort = sslServerSocket.getLocalPort();
|
|
System.out.println("serverPort = " + serverPort);
|
|
|
|
/*
|
|
* Signal Client, we're ready for his connect.
|
|
*/
|
|
serverReadyLatch.countDown();
|
|
|
|
SSLSocket sslSocket = (SSLSocket) sslServerSocket.accept();
|
|
InputStream sslIS = sslSocket.getInputStream();
|
|
OutputStream sslOS = sslSocket.getOutputStream();
|
|
|
|
sslIS.read();
|
|
sslOS.write(85);
|
|
sslOS.flush();
|
|
|
|
sslSocket.close();
|
|
}
|
|
|
|
/*
|
|
* Define the client side of the test.
|
|
*
|
|
* If the server prematurely exits, serverReady will be set to true
|
|
* to avoid infinite hangs.
|
|
*/
|
|
void doClientSide() throws Exception {
|
|
|
|
/*
|
|
* Wait for server to get started.
|
|
*/
|
|
serverReadyLatch.await();
|
|
|
|
SSLContext ctx = SSLContext.getInstance("TLS");
|
|
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
|
|
|
|
// client gets KeyStore from PKCS#11 token,
|
|
// and gets TrustStore from JKS KeyStore (using system properties)
|
|
char[] passphrase = NSS_PWD.toCharArray();
|
|
KeyStore ks = KeyStore.getInstance("PKCS11", "SunPKCS11-nss");
|
|
ks.load(null, passphrase);
|
|
|
|
kmf = KeyManagerFactory.getInstance("SunX509");
|
|
kmf.init(ks, passphrase);
|
|
ctx.init(kmf.getKeyManagers(), null, null);
|
|
|
|
SSLSocketFactory sslsf = ctx.getSocketFactory();
|
|
SSLSocket sslSocket = (SSLSocket)
|
|
sslsf.createSocket("localhost", serverPort);
|
|
|
|
if (clientProtocol != null) {
|
|
sslSocket.setEnabledProtocols(new String[] {clientProtocol});
|
|
}
|
|
|
|
if (clientCiperSuite != null) {
|
|
sslSocket.setEnabledCipherSuites(new String[] {clientCiperSuite});
|
|
}
|
|
|
|
InputStream sslIS = sslSocket.getInputStream();
|
|
OutputStream sslOS = sslSocket.getOutputStream();
|
|
|
|
sslOS.write(280);
|
|
sslOS.flush();
|
|
sslIS.read();
|
|
|
|
sslSocket.close();
|
|
}
|
|
|
|
/*
|
|
* =============================================================
|
|
* The remainder is just support stuff
|
|
*/
|
|
|
|
// use any free port by default
|
|
volatile int serverPort = 0;
|
|
|
|
volatile Exception serverException = null;
|
|
volatile Exception clientException = null;
|
|
|
|
private static String clientProtocol = null;
|
|
private static String clientCiperSuite = null;
|
|
|
|
private static void parseArguments(String[] args) {
|
|
if (args.length > 0) {
|
|
clientProtocol = args[0];
|
|
}
|
|
|
|
if (args.length > 1) {
|
|
clientCiperSuite = args[1];
|
|
}
|
|
}
|
|
|
|
public void main(Provider p) throws Exception {
|
|
// SSL RSA client auth currently needs an RSA cipher
|
|
// (cf. NONEwithRSA hack), which is currently not available in
|
|
// open builds.
|
|
try {
|
|
javax.crypto.Cipher.getInstance("RSA/ECB/PKCS1Padding", p);
|
|
} catch (GeneralSecurityException e) {
|
|
System.out.println("Not supported by provider, skipping");
|
|
return;
|
|
}
|
|
|
|
this.provider = p;
|
|
|
|
System.setProperty("javax.net.ssl.trustStore",
|
|
new File(DIR, TS).toString());
|
|
System.setProperty("javax.net.ssl.trustStoreType", "JKS");
|
|
System.setProperty("javax.net.ssl.trustStoreProvider", "SUN");
|
|
System.setProperty("javax.net.ssl.trustStorePassword", JKS_PWD);
|
|
|
|
// perform Security.addProvider of P11 provider
|
|
Security.addProvider(getSunPKCS11(System.getProperty("CUSTOM_P11_CONFIG")));
|
|
|
|
if (debug) {
|
|
System.setProperty("javax.net.debug", "all");
|
|
}
|
|
|
|
/*
|
|
* Start the tests.
|
|
*/
|
|
go();
|
|
}
|
|
|
|
Thread clientThread = null;
|
|
Thread serverThread = null;
|
|
|
|
/*
|
|
* Fork off the other side, then do your work.
|
|
*/
|
|
private void go() throws Exception {
|
|
try {
|
|
if (separateServerThread) {
|
|
startServer(true);
|
|
startClient(false);
|
|
} else {
|
|
startClient(true);
|
|
startServer(false);
|
|
}
|
|
} catch (Exception e) {
|
|
//swallow for now. Show later
|
|
}
|
|
|
|
/*
|
|
* Wait for other side to close down.
|
|
*/
|
|
if (separateServerThread) {
|
|
serverThread.join();
|
|
} else {
|
|
clientThread.join();
|
|
}
|
|
|
|
/*
|
|
* When we get here, the test is pretty much over.
|
|
* Which side threw the error?
|
|
*/
|
|
Exception local;
|
|
Exception remote;
|
|
String whichRemote;
|
|
|
|
if (separateServerThread) {
|
|
remote = serverException;
|
|
local = clientException;
|
|
whichRemote = "server";
|
|
} else {
|
|
remote = clientException;
|
|
local = serverException;
|
|
whichRemote = "client";
|
|
}
|
|
|
|
/*
|
|
* If both failed, return the curthread's exception, but also
|
|
* print the remote side Exception
|
|
*/
|
|
if ((local != null) && (remote != null)) {
|
|
System.out.println(whichRemote + " also threw:");
|
|
remote.printStackTrace();
|
|
System.out.println();
|
|
throw local;
|
|
}
|
|
|
|
if (remote != null) {
|
|
throw remote;
|
|
}
|
|
|
|
if (local != null) {
|
|
throw local;
|
|
}
|
|
}
|
|
|
|
void startServer (boolean newThread) {
|
|
if (newThread) {
|
|
serverThread = new Thread(() -> {
|
|
try {
|
|
doServerSide();
|
|
} catch (Exception e) {
|
|
/*
|
|
* Our server thread just died.
|
|
*
|
|
* Release the client, if not active already...
|
|
*/
|
|
System.err.println("Server died...");
|
|
serverReadyLatch.countDown();
|
|
serverException = e;
|
|
}
|
|
});
|
|
serverThread.start();
|
|
} else {
|
|
try {
|
|
doServerSide();
|
|
} catch (Exception e) {
|
|
serverException = e;
|
|
} finally {
|
|
serverReadyLatch.countDown();
|
|
}
|
|
}
|
|
}
|
|
|
|
void startClient (boolean newThread) {
|
|
if (newThread) {
|
|
clientThread = new Thread(() -> {
|
|
try {
|
|
doClientSide();
|
|
} catch (Exception e) {
|
|
/*
|
|
* Our client thread just died.
|
|
*/
|
|
System.err.println("Client died...");
|
|
// if the exception is thrown before connecting to the
|
|
// server, the test will time out and the exception will
|
|
// be lost/hidden.
|
|
e.printStackTrace(System.err);
|
|
clientException = e;
|
|
}
|
|
});
|
|
clientThread.start();
|
|
} else {
|
|
try {
|
|
doClientSide();
|
|
} catch (Exception e) {
|
|
clientException = e;
|
|
}
|
|
}
|
|
}
|
|
}
|