Mercurial > hg > release > icedtea8-forest-3.0 > jdk
view test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/CriticalSubjectAltName.java @ 11716:f94285e53b66
8144773: Further reduce use of MD5
Reviewed-by: mullan, wetmore, jnimeh, ahgross
| author | igerasim |
|---|---|
| date | Tue, 15 Dec 2015 16:20:09 +0300 |
| parents | 1a863c064c33 |
| children |
line wrap: on
line source
/* * Copyright (c) 2001, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * version 2 for more details (a copy is included in the LICENSE file that * accompanied this code). * * You should have received a copy of the GNU General Public License version * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA * or visit www.oracle.com if you need additional information or have any * questions. */ // // SunJSSE does not support dynamic system properties, no way to re-use // system properties in samevm/agentvm mode. // /* * @test * @bug 6668231 * @summary Presence of a critical subjectAltName causes JSSE's SunX509 to * fail trusted checks * @run main/othervm CriticalSubjectAltName * @author Xuelei Fan */ /* * This test depends on binary keystore, crisubn.jks and trusted.jks. Because * JAVA keytool cannot generate X509 certificate with SubjectAltName extension, * the certificates are generated with openssl toolkits and then imported into * JAVA keystore. * * The crisubn.jks holds a private key entry and the corresponding X509 * certificate issued with an empty Subject field, and a critical * SubjectAltName extension. * * The trusted.jks holds the trusted certificate. */ import java.io.*; import java.net.*; import javax.net.ssl.*; import java.security.Security; import java.security.cert.Certificate; public class CriticalSubjectAltName implements HostnameVerifier { /* * ============================================================= * Set the various variables needed for the tests, then * specify what tests to run on each side. */ /* * Should we run the client or server in a separate thread? * Both sides can throw exceptions, but do you have a preference * as to which side should be the main thread. */ static boolean separateServerThread = true; /* * Where do we find the keystores? */ static String pathToStores = "./"; static String keyStoreFile = "crisubn.jks"; static String trustStoreFile = "trusted.jks"; static String passwd = "passphrase"; /* * Is the server ready to serve? */ volatile static boolean serverReady = false; /* * Turn on SSL debugging? */ static boolean debug = false; /* * If the client or server is doing some kind of object creation * that the other side depends on, and that thread prematurely * exits, you may experience a hang. The test harness will * terminate all hung threads after its timeout has expired, * currently 3 minutes by default, but you might try to be * smart about it.... */ /* * Define the server side of the test. * * If the server prematurely exits, serverReady will be set to true * to avoid infinite hangs. */ void doServerSide() throws Exception { SSLServerSocketFactory sslssf = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault(); SSLServerSocket sslServerSocket = (SSLServerSocket) sslssf.createServerSocket(serverPort); serverPort = sslServerSocket.getLocalPort(); /* * Signal Client, we're ready for his connect. */ serverReady = true; SSLSocket sslSocket = (SSLSocket) sslServerSocket.accept(); OutputStream sslOS = sslSocket.getOutputStream(); BufferedWriter bw = new BufferedWriter(new OutputStreamWriter(sslOS)); bw.write("HTTP/1.1 200 OK\r\n\r\n\r\n"); bw.flush(); Thread.sleep(5000); sslSocket.close(); } /* * Define the client side of the test. * * If the server prematurely exits, serverReady will be set to true * to avoid infinite hangs. */ void doClientSide() throws Exception { /* * Wait for server to get started. */ while (!serverReady) { Thread.sleep(50); } URL url = new URL("https://localhost:"+serverPort+"/index.html"); HttpsURLConnection urlc = (HttpsURLConnection)url.openConnection(); urlc.setHostnameVerifier(this); urlc.getInputStream(); if (urlc.getResponseCode() == -1) { throw new RuntimeException("getResponseCode() returns -1"); } } /* * ============================================================= * The remainder is just support stuff */ // use any free port by default volatile int serverPort = 0; volatile Exception serverException = null; volatile Exception clientException = null; public static void main(String[] args) throws Exception { // MD5 is used in this test case, don't disable MD5 algorithm. Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024"); Security.setProperty("jdk.tls.disabledAlgorithms", "SSLv3, RC4, DH keySize < 768"); String keyFilename = System.getProperty("test.src", "./") + "/" + pathToStores + "/" + keyStoreFile; String trustFilename = System.getProperty("test.src", "./") + "/" + pathToStores + "/" + trustStoreFile; System.setProperty("javax.net.ssl.keyStore", keyFilename); System.setProperty("javax.net.ssl.keyStorePassword", passwd); System.setProperty("javax.net.ssl.trustStore", trustFilename); System.setProperty("javax.net.ssl.trustStorePassword", passwd); if (debug) System.setProperty("javax.net.debug", "all"); /* * Start the tests. */ new CriticalSubjectAltName(); } Thread clientThread = null; Thread serverThread = null; /* * Primary constructor, used to drive remainder of the test. * * Fork off the other side, then do your work. */ CriticalSubjectAltName() throws Exception { if (separateServerThread) { startServer(true); startClient(false); } else { startClient(true); startServer(false); } /* * Wait for other side to close down. */ if (separateServerThread) { serverThread.join(); } else { clientThread.join(); } /* * When we get here, the test is pretty much over. * * If the main thread excepted, that propagates back * immediately. If the other thread threw an exception, we * should report back. */ if (serverException != null) throw serverException; if (clientException != null) throw clientException; } void startServer(boolean newThread) throws Exception { if (newThread) { serverThread = new Thread() { public void run() { try { doServerSide(); } catch (Exception e) { /* * Our server thread just died. * * Release the client, if not active already... */ System.err.println("Server died..."); serverReady = true; serverException = e; } } }; serverThread.start(); } else { doServerSide(); } } void startClient(boolean newThread) throws Exception { if (newThread) { clientThread = new Thread() { public void run() { try { doClientSide(); } catch (Exception e) { /* * Our client thread just died. */ System.err.println("Client died..."); clientException = e; } } }; clientThread.start(); } else { doClientSide(); } } // Simple test method to blindly agree that hostname and certname match public boolean verify(String hostname, SSLSession session) { return true; } }