88 lines
3.5 KiB
Java
88 lines
3.5 KiB
Java
/*
|
|
* Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
|
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
*
|
|
* This code is free software; you can redistribute it and/or modify it
|
|
* under the terms of the GNU General Public License version 2 only, as
|
|
* published by the Free Software Foundation.
|
|
*
|
|
* This code is distributed in the hope that it will be useful, but WITHOUT
|
|
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
* version 2 for more details (a copy is included in the LICENSE file that
|
|
* accompanied this code).
|
|
*
|
|
* You should have received a copy of the GNU General Public License version
|
|
* 2 along with this work; if not, write to the Free Software Foundation,
|
|
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
*
|
|
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
|
* or visit www.oracle.com if you need additional information or have any
|
|
* questions.
|
|
*/
|
|
|
|
/*
|
|
* @test
|
|
* @bug 8206925
|
|
* @library /javax/net/ssl/templates
|
|
* @summary Support the certificate_authorities extension
|
|
*/
|
|
import javax.net.ssl.TrustManager;
|
|
import javax.net.ssl.TrustManagerFactory;
|
|
import javax.net.ssl.X509TrustManager;
|
|
import javax.security.auth.x500.X500Principal;
|
|
import java.security.KeyStore;
|
|
import java.security.cert.X509Certificate;
|
|
|
|
public class CacertsLimit {
|
|
public static void main(String[] args) throws Exception {
|
|
for (String algorithm : new String[] {"SunX509", "PKIX"}) {
|
|
CacertsLimit.ensureLimit(algorithm);
|
|
}
|
|
}
|
|
|
|
private static void ensureLimit(String algorithm) throws Exception {
|
|
TrustManagerFactory tmf = TrustManagerFactory.getInstance(algorithm);
|
|
tmf.init((KeyStore)null);
|
|
TrustManager[] tms = tmf.getTrustManagers();
|
|
|
|
if (tms == null || tms.length == 0) {
|
|
throw new Exception("No default key store used for trust manager");
|
|
}
|
|
|
|
if (!(tms[0] instanceof X509TrustManager)) {
|
|
throw new Exception(
|
|
"The trust manger is not an instance of X509TrustManager");
|
|
}
|
|
|
|
checkLimit(((X509TrustManager)tms[0]).getAcceptedIssuers());
|
|
}
|
|
|
|
private static void checkLimit(
|
|
X509Certificate[] trustedCerts) throws Exception {
|
|
int sizeAccount = 0;
|
|
for (X509Certificate cert : trustedCerts) {
|
|
X500Principal x500Principal = cert.getSubjectX500Principal();
|
|
byte[] encodedPrincipal = x500Principal.getEncoded();
|
|
sizeAccount += encodedPrincipal.length;
|
|
if (sizeAccount > 0xFFFF) {
|
|
throw new Exception(
|
|
"There are too many trusted CAs in cacerts. The " +
|
|
"certificate_authorities extension cannot be used " +
|
|
"for TLS connections. Please rethink about the size " +
|
|
"of the cacerts, or have a release note for the " +
|
|
"impacted behaviors");
|
|
} else if (sizeAccount > 0x4000) {
|
|
throw new Exception(
|
|
"There are too many trusted CAs in cacerts. The " +
|
|
"certificate_authorities extension cannot be " +
|
|
"packaged in one TLS record, which would result in " +
|
|
"interoperability issues. Please rethink about the " +
|
|
"size of the cacerts, or have a release note for " +
|
|
"the impacted behaviors");
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|